Chapter 11 : Private-Key Encryption
|
|
- Christine Moore
- 5 years ago
- Views:
Transcription
1 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1
2 Chapter 11 Public-Key Encryption Apologies: all numbering still refers to first edition of book Public-Key Encryption An Overview 10.2 Definitions Security against Chosen-Plaintext Attacks Multiple Encryptions 10.3 Hybrid Encryption 10.4 RSA Encryption Plain RSA and its Insecurity Attacks on Plain RSA Padded RSA 10.5 The El Gamal Encryption Scheme 10.6 Security Against Chosen-Ciphertext Attacks 10.7 * Trapdoor Permutations
3 Asymmetric Encryption (Public-Key Cryptography) Encryption K e P C K d Decryption Complexity Theoretical Security
4 10.2 Definitions DEFINITION 10.1 A public-key encryption scheme is a tuple of PPT algorithms (Gen,Enc,Dec) s.t. : 1. The key generation algorithm Gen takes as input the security parameter 1 n and outputs a pair of keys (pk,sk). We refer to the first of these as the public key and the second as the private key. We assume for convenience that pk and sk each have length at least n, and that n can be determined from pk, sk.
5 Definitions 2. The encryption algorithm Enc takes as input a public key pk and a message m from some underlying plaintext space. It outputs a ciphertext c, and we write this as c Encpk(m). 3. The decryption algorithm Dec takes as input a private key sk and a ciphertext c, and outputs a message m or a special symbol denoting failure. We assume without loss of generality that Dec is deterministic, and write this as m Decsk(c).
6 Definitions It is required that there exists a negligible function negl such that for every n, every (pk,sk) output by Gen(1 n ), and every message m in the appropriate underlying plaintext space, it holds that Pr[ Decsk(Encpk(m)) m ] negl(n).
7 Security against Chosen-Plaintext Attacks The eavesdropping indistinguishability experiment PubK e A a, v Π(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk, and outputs a pair of messages m0,m1 of the same length. (These messages must be in the plaintext space associated with pk.)
8 Security against Chosen-Plaintext Attacks 3. A random bit b {0,1} is chosen, and then a ciphertext c Encpk(mb) is computed and given to A. We call c the challenge ciphertext. 4. A outputs a bit b. 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise.
9 Security against Chosen-Plaintext Attacks DEFINITION 10.3 A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions in the presence of an eavesdropper if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK e A a, v Π(n) = 1 ] ½ + negl(n).
10 Security against Chosen-Plaintext Attacks CPA indistinguishability experiment PubK c A p, a Π(n): 1. Gen(1 n ) is run to obtain keys (pk,sk). 2. Adversary A is given pk as well as oracle access to Encpk( ). The adversary outputs a pair of messages m0,m1 of the same length. (These messages must be in the plaintext space associated with pk.)
11 Security against Chosen-Plaintext Attacks 3. A random bit b {0,1} is chosen, and then a ciphertext c Encpk(mb) is computed and given to A. We call c the challenge ciphertext. 4. A continues to have access to Encpk( ), and outputs a bit b. 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise.
12 Security against Chosen-Plaintext Attacks DEFINITION 10.4 A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-plaintext attack (or is CPA secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that: Pr[ PubK c A p, a Π(n) = 1 ] ½ + negl(n).
13 Security against Chosen-Plaintext Attacks PROPOSITION 10.5 If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π also has indistinguishable encryptions under a chosen-plaintext attack.
14 Insecurity of Deterministic Public-Key Encryption THEOREM 10.6 No deterministic public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.
15 Multiple Encryptions THEOREM If a public-key encryption scheme Π has indistinguishable encryptions in the presence of an eavesdropper, then Π has indistinguishable multiple encryptions in the presence of an eavesdropper.
16 Encrypting Arbitrary- Length Messages Say Π = (Gen,Enc,Dec) is an encryption scheme where the plaintext space is {0,1}. We can construct a new scheme Π = (Gen,Enc,Dec ) with plaintext space {0,1} by defining Enc as follows: Enc pk(m) = Encpk(m1),...,Encpk(mt), where m = m1... mt. The decryption algorithm Dec is modified in the obvious way.
17 Encrypting Arbitrary- Length Messages PROPOSITION Let Π and Π be as above. If Π has indistinguishable encryptions in the presence of an eavesdropper, then so does Π.
18 10.3 Hybrid Encryption
19 Hybrid Encryption To encrypt a message m: 1. The sender first chooses a random secret key k, and encrypts k using the public key of the receiver. Call the resulting ciphertext c1. The receiver will be able to recover k by decrypting c1, yet k will remain unknown to an eavesdropper (by security of the public-key encryption scheme), and so this has the effect of establishing a shared secret between the sender and the receiver.
20 Hybrid Encryption 2. The sender then encrypts the message m using a private-key encryption scheme (Gen,Enc,Dec ) and the secret key k that has just been shared. This results in a ciphertext c2 that can be decrypted by the receiver using k.
21 Hybrid Encryption
22 Hybrid Encryption THEOREM If Π is a CPA-secure public-key encryption scheme and Π is a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper, then Π hy as in Construction is a CPA-secure public-key encryption scheme.
23 10.4 RSA Encryption Public inventors Private inventors Ellis, Cocks, Williamson
24 RSA Encryption Ron Rivest, Adi Shamir and Len Adleman
25 RSA Encryption
26 RSA Encryption In Cocks variation, e=n and therefore d=n -1 mod φ(n).
27 7.2.4 The RSA Assumption The RSA problem can be described informally as follows: given a modulus N, an integer (exponent) e > 0 that is relatively prime to φ(n), and an element y Z * N, compute e y mod N; Given N,e,y find x such that x e = y mod N.
28 7.2.4 The RSA Assumption The RSA experiment RSA-invA,GenRSA(n): 1. Run GenRSA(1 n ) to obtain (N,e,d). 2. Choose y Z * N. 3. A is given N,e,y, and outputs x Z * N. 4. The output of the experiment is defined to be 1 if y = x e mod N, and 0 otherwise.
29 7.2.4 The RSA Assumption DEFINITION 7.46 We say that the RSA problem is hard relative to GenRSA if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that Pr[ RSA-invA,GenRSA(n) = 1 ] negl(n).
30 RSA vs Factoring The RSA assumption implies that φ(n) is unknown. Theorem: Knowledge of N and φ(n) factors N. Proof: N=pq, φ(n)=(p-1)(q-1)=n-p-q+1. p+q=n-φ(n)+1 p+n/p=n-φ(n)+1 or p 2 -(N-φ(N)+1)p+N=0. p and q are the two solutions of this quadratic equation.
31 RSA vs Factoring The RSA assumption implies that d is unknown. Knowledge of N,e,d factors N. Proof: use algorithm from next slide: RSA-FACTOR(N,e,d). Success probability ½.
32 RSA vs Factoring
33 RSA Implementation Issues Encoding binary strings as elements of Z * N. Let l = N. Any binary string m of length l 1 can be viewed as an element of ZN in the natural way. It is also possible to encode strings of varying lengths as elements of ZN by padding using some unambiguous padding scheme.
34 RSA Implementation Issues: Choice of e There does not appear to be any difference in the hardness of the RSA problem for different exponents e and, as such, different methods have been suggested for selecting e. One popular choice is to set e = 3, since then computing e th powers modulo N (as done when encrypting in the Plain RSA scheme) requires only two multiplications. If e is to be set equal to 3, then p and q must be chosen to satisfy p,q 1 mod 3 so that gcd(e,φ(n )) = 1.
35 RSA Implementation Issues: Choice of d Note that choosing d to be small in order to speed up decryption (that is, changing GenRSA so that a small d is chosen first and then computing e) is a bad idea. If d is chosen in a small range (say, d < 2 16 ) then a brute-force search for d is easy to carry out. Even if d is chosen so that d N ¼, (and so bruteforce attacks are ruled out) there are other attacks that can be used to recover d from the public key.
36 Attacks on Plain RSA Encrypting short messages using small e. If e is small then the encryption of small messages is insecure when using plain RSA encryption. For example, say e = 3 and the message m is such that m < N ⅓ ( or m < N /3 ) but m is otherwise unknown to an attacker. In this case, encryption of m does not involve any modular reduction since the integer m 3 is less than N.
37 Attacks on Plain RSA Encrypting short messages using small e. If e is small then the encryption of small messages is insecure when using plain RSA encryption. This means that given the ciphertext c = m 3 mod N an attacker can determine m by computing m c ⅓ over the integers, a computation that can be easily carried out.
38 Attacks on Plain RSA The above attack shows that short messages can be recovered easily from their encryption if plain RSA with small e is used. Here, we extend the attack to the case of arbitrarylength messages as long as the same message is sent to multiple receivers.
39 Attacks on Plain RSA Let e = 3 as before, and say the same message m is sent to three different parties holding public keys pk1 = (N1,3), pk2 = (N2,3), and pk3 = (N3,3), resp.. Then an eavesdropper sees c1 = m 3 mod N1 and c2 = m 3 mod N2 and c3 = m 3 mod N3.
40 Attacks on Plain RSA Let N = N1 N2 N3. An extended version of the Chinese remainder theorem says that there exists a unique non-negative value c < N such that: c c1 mod N1, c c2 mod N2 and c c3 mod N3.
41 Padded RSA
42 Padded RSA THEOREM If the RSA problem is hard relative to GenRSA then Construction with l(n) is O(log n) has indistinguishable encryptions under a chosen-plaintext attack.
43 PKCS #1 v1.5 A widely-used and standardized encryption scheme, RSA Laboratories Public-Key Cryptography Standard (PKCS) #1 version 1.5, utilizes what is essentially padded RSA encryption. For a public key pk = [N,e] of the usual form, let k denote the length of N in bytes; i.e., k is the integer satisfying 2 8(k 1) N < 2 8k.
44 PKCS #1 v1.5 Messages m to be encrypted are assumed to be a multiple of 8 bits long, and can have length up to k 11 bytes. Encryption of a message m that is D-bytes long is computed as ( r m) e mod N, where r is a randomly-generated string of (k D 3) bytes, with none of these bytes equal to 0.
45 PKCS #1 v1.5 PKCS #1 v1.5 is believed to be CPA-secure, although no proof solely based on the RSA assumption has ever been shown. Subsequent to the introduction of PKCS #1 v1.5, a chosen-ciphertext attack on this scheme was demonstrated. This motivated a change in the standard to a newer scheme called OAEP (for Optimal Asymmetric Encryption Padding).
46 10.5 The Elgamal Encryption Scheme Taher Elgamal
47 The Elgamal Encryption Scheme
48 The Elgamal Encryption Scheme THEOREM If the DDH problem is hard relative to G, then the Elgamal encryption scheme has indistinguishable encryptions under a chosenplaintext attack.
49 Elgamal Implementation Issues Encoding binary strings. Let p be a strong (or Sophie Germain) prime, i.e., q = (p 1)/2 is also prime. Then the set of quadratic residues modulo p forms a group G of order q = (p 1)/2 under x modulo p.
50 Elgamal Implementation Issues We can map the integers ṁ {1,...,(p 1)/2} to the set of quadratic residues modulo p by squaring: that is, the integer ṁ is mapped to the quadratic residue m = ṁ 2 mod p. This encoding is one-to-one and efficiently reversible. ( When extracting square roots mod p take the smaller square root x (p 1)/2. )
51 Elgamal Implementation Issues Given the above, we can map a string w of length q 1 to an element m G in the following way: given a string w {0,1} q 1, interpret it as an integer in the natural way and add 1 to obtain an integer ṁ with 1 ṁ q. Then take m = ṁ 2 mod p.
52 10.6 Security vs Chosen- Ciphertext Attacks
53 Security vs Chosen- Ciphertext Attacks DEFINITION A public-key encryption scheme Π = (Gen,Enc,Dec) has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all probabilistic polynomial-time adversaries A there exists a negligible function negl such that Pr[ PubK cc A, a Π(n) = 1 ] ½ + negl(n).
54 Examples of Chosen- Ciphertext Attacks Plain RSA encryption. Say an adversary A intercepts the ciphertext c = m e mod N. Then the adversary can choose a random r Z * N and compute the ciphertext c r e c mod N. Given the decryption m of this ciphertext, A can recover m m r 1 mod N.
55 Examples of Chosen- Ciphertext Attacks Elgamal encryption. Say an adversary A intercepts a ciphertext c c1,c2 that is an encryption of the (encoded) message m with respect to the public key pk = G,q,g,h. This means that c1 = g y and c2 = h y m for some y Zq unknown to A. Nevertheless, if the adversary computes c2 c2 m then it is easy to see that the ciphertext c c1,c2 is an encryption of the message m m.
56 Examples of Chosen- Ciphertext Attacks One might object that the receiver will become suspicious if it receives two ciphertexts c,c that share the same first component. However, this is easy for the adversary to avoid.
57 Examples of Chosen- Ciphertext Attacks Letting c1,c2,m,m be as above, A can choose a random y Zq and set c1 c1 g y and c2 c2 h y m. Then c1 = g y g y = g y+y and c2 = h y m h y m = h y+y mm, and so the ciphertext c = c1,c2 is an encryption of m m but with a completely random first component.
58 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 58
59 NIB Approximate Integer GCD based crypto
60 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p 0 p 2p 3p 4p 5p q 1 p q 2 p q 3 p q 4 p GCD(q1p,q2p,q3p,q4p) = p
61 NIB Approximate Integer GCD 0 p 2p 3p 4p 5p x1 x2 x3 x4 q 1 p q 2 p q 3 p q 4 p 0 p 2p 3p 4p 5p z1 q 1 p±2e 1 z2 q 2 p±2e 2 z3 q 3 p±2e 3 z4 q 4 p±2e 4 GCD(x1,x2,x3,x4) = p AIGCD : find p from z1,z2,z3,z4?
62 Approximate Integer GCD z1 z2 z3... zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 1 i k si {0,1} NIB
63 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 sixi mod x0 1 i k 1 i k si {0,1} ±2(ke0+ ei) 1 i k NIB
64 Approximate Integer GCD z1... z2 z3 zk-1 zk z0 0 p 2p 3p 4p 5p sizi mod z0 - ( siqi mod q0) p 1 i k 1 i k si {0,1} 4k emax NIB
65 NIB Approximate Integer GCD Ω(s)= sizi mod z0 1 i k s {0,1} n emax p/8k Ω(s)-p[Ω(s)/p] = small even error
66 NIB AIGCD encryption SK : p (x0, x1, x2,..., xk) PK : z0, z1, z2,..., zk,, enc(b) = sizi mod z0+2e+b where p/8k p/2 and ei U [-...+ ] s U {0,1} n e U [-...+ ] dec(c) = c-p[c/p] mod 2 = parity of error
67 NIB AIGCD encryption SK : p (x0, x1, x2,..., xk) PK : z0, z1, z2,..., zk,, enc(b) = sizi mod z0+2e+b where p/8k p/2 and ei U [-...+ ] s U {0,1} n e U [-...+ ] enc(a) + enc(b) mod z0 = enc(a(+)b) enc(a) * enc(b) mod z 0 = enc(a/\b)
68 COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 68
Applied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationRelaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationHash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6
Hash Functions, Public-Key Encryption CMSC 23200/33250, Autumn 2018, Lecture 6 David Cash University of Chicago Plan 1. A few points about hash functions 2. Introducing Public-Key Encryption 3. Math for
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationPublic-Key Encryption
Public-Key Encryption Glorianna Jagfeld & Rahiel Kasim University of Amsterdam 10 March 2016 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March 2016 1 / 24 Warmup: crossword puzzle! Please
More informationPublic Key Cryptography
graphy CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L07, Steve/Courses/2011/S2/CSS322/Lectures/rsa.tex,
More informationMessage Authentication ( 消息认证 )
Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationRelaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey, Santanu Sarkar and Mahavir Prasad Jhanwar CR Rao AIMSCS Hyderabad November 2, 2012 Outline 1 Definitions
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationAsymmetric Primitives. (public key encryptions and digital signatures)
Asymmetric Primitives (public key encryptions and digital signatures) An informal, yet instructive account of asymmetric primitives Timeline of the invention of public-key cryptography 1970-1974 British
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationRSA Cryptography in the Textbook and in the Field. Gregory Quenell
RSA Cryptography in the Textbook and in the Field Gregory Quenell 1 In the beginning... 2 In the beginning... Diffie and Hellman 1976: A one-way function can be used to pass secret information over an insecure
More informationASYMMETRIC CRYPTOGRAPHY
ASYMMETRIC CRYPTOGRAPHY CONTENT: 1. Number Theory 2. One Way Function 3. Hash Function 4. Digital Signature 5. RSA (Rivest-Shamir Adleman) References: 1. Applied Cryptography, Bruce Schneier 2. Cryptography
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 4 Markus Bläser, Saarland University Message authentication How can you be sure that a message has not been modified? Encyrption is not
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationPublic key encryption: definitions and security
Online Cryptography Course Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Public key encryption Bob: generates (PK, SK) and gives PK to Alice Alice Bob
More informationChapter 3 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 3 : Private-Key Encryption 1 Private-Key Encryption 3.1 Computational Security 3.1.1 The
More informationGreat Theoretical Ideas in Computer Science. Lecture 27: Cryptography
15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationPublic-Key Cryptanalysis
http://www.di.ens.fr/ pnguyen INRIA and École normale supérieure, Paris, France MPRI, 2010 Outline 1 Introduction Asymmetric Cryptology Course Overview 2 Textbook RSA 3 Euclid s Algorithm Applications
More informationIntroduction to Cryptography and Security Mechanisms. Abdul Hameed
Introduction to Cryptography and Security Mechanisms Abdul Hameed http://informationtechnology.pk Before we start 3 Quiz 1 From a security perspective, rather than an efficiency perspective, which of the
More informationRSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.
RSA (material drawn from Avi Kak (kak@purdue.edu) Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto. protocols The RSA algorithm is based on the following property
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationPublic Key Algorithms
Public Key Algorithms CS 472 Spring 13 Lecture 6 Mohammad Almalag 2/19/2013 Public Key Algorithms - Introduction Public key algorithms are a motley crew, how? All hash algorithms do the same thing: Take
More informationChapter 9. Public Key Cryptography, RSA And Key Management
Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationHomomorphic Encryption
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationPublic Key Encryption
Public Key Encryption A case study THE RSA CRYPTOSYSTEM Public 31/05/14 Key Encryption 2 Rivest Shamir Adleman (1978) Key generation 1. Generate two large, distinct primes p, q (100 200 decimal digits)
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationOverview. Public Key Algorithms I
Public Key Algorithms I Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State
More informationLecture 9: Public-Key Cryptography CS /05/2018
Lecture 9: Public-Key Cryptography CS 5430 3/05/2018 Crypto Thus Far Key pairs Instead of sharing a key between pairs of principals......every principal has a pair of keys public key: published for the
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA
More informationChapter 10 : Private-Key Management and the Public-Key Revolution
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationTuesday, January 17, 17. Crypto - mini lecture 1
Crypto - mini lecture 1 Cryptography Symmetric key cryptography (secret key crypto): sender and receiver keys identical Asymmetric key cryptography (public key crypto): encryption key public, decryption
More informationRSA (algorithm) History
RSA (algorithm) RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard
More informationPublic-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7
Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital
More informationSome Stuff About Crypto
Some Stuff About Crypto Adrian Frith Laboratory of Foundational Aspects of Computer Science Department of Mathematics and Applied Mathematics University of Cape Town This work is licensed under a Creative
More informationRSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.
RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ.
More informationLECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)
Department of Software The University of Babylon LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY (One-Way Functions and ElGamal System) By College of Information Technology, University of Babylon, Iraq Samaher@itnet.uobabylon.edu.iq
More informationCryptography and Network Security. Sixth Edition by William Stallings
Cryptography and Network Security Sixth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Misconceptions Concerning Public-Key Encryption Public-key encryption is more secure from
More informationNetwork Security Technology Project
Network Security Technology Project Shanghai Jiao Tong University Presented by Wei Zhang zhang-wei@sjtu.edu.cn!1 Part I Implement the textbook RSA algorithm. The textbook RSA is essentially RSA without
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationPublic Key Algorithms
CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and
More informationRSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.
RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ.
More informationChapter 3 Public Key Cryptography
Cryptography and Network Security Chapter 3 Public Key Cryptography Lectured by Nguyễn Đức Thái Outline Number theory overview Public key cryptography RSA algorithm 2 Prime Numbers A prime number is an
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationSecurely Combining Public-Key Cryptosystems
Securely Combining Public-Key Cryptosystems Stuart Haber Benny Pinkas STAR Lab, Intertrust Tech. 821 Alexander Road Princeton, NJ 08540 {stuart,bpinkas}@intertrust.com Abstract It is a maxim of sound computer-security
More informationPublic Key Encryption. Modified by: Dr. Ramzi Saifan
Public Key Encryption Modified by: Dr. Ramzi Saifan Prime Numbers Prime numbers only have divisors of 1 and itself They cannot be written as a product of other numbers Prime numbers are central to number
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationSECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY
SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES
More informationPart VI. Public-key cryptography
Part VI Public-key cryptography Drawbacks with symmetric-key cryptography Symmetric-key cryptography: Communicating parties a priori share some secret information. Secure Channel Alice Unsecured Channel
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 9: Identity based encryption (IBE), Cocks scheme. Benny Pinkas page 1 1 Related papers Lecture notes from MIT http://crypto.csail.mit.edu/classes/6.876/lecture-notes.html
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography
More informationEncryption Details COMP620
Encryption Details COMP620 Encryption is a powerful defensive weapon for free people. It offers a technical guarantee of privacy, regardless of who is running the government It s hard to think of a more
More informationPUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA
PUBLIC KEY CRYPTO Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by
More informationChapter 7 Public Key Cryptography and Digital Signatures
Chapter 7 Public Key Cryptography and Digital Signatures Every Egyptian received two names, which were known respectively as the true name and the good name, or the great name and the little name; and
More informationPublic Key Cryptography and the RSA Cryptosystem
Public Key Cryptography and the RSA Cryptosystem Two people, say Alice and Bob, would like to exchange secret messages; however, Eve is eavesdropping: One technique would be to use an encryption technique
More informationFrom semantic security to chosen ciphertext security
Graduate Theses and Dissertations Graduate College 2010 From semantic security to chosen ciphertext security Sahnghyun Cha Iowa State University Follow this and additional works at: http://lib.dr.iastate.edu/etd
More informationReminder: Homework 4. Due: Friday at the beginning of class
Reminder: Homework 4 Due: Friday at the beginning of class 1 Cryptography CS 555 Topic 33: Digital Signatures Part 2 2 Recap El-Gamal/RSA-OAEP Digital Signatures Similarities and differences with MACs
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. 1 General One-Way and Trapdoor Functions In this section, we will
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationGoals for Today. Substitution Permutation Ciphers. Substitution Permutation stages. Encryption Details 8/24/2010
Encryption Details COMP620 Goals for Today Understand how some of the most common encryption algorithms operate Learn about some new potential encryption systems Substitution Permutation Ciphers A Substitution
More informationSide-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck What is RSA? As we all know, RSA (Rivest Shamir Adleman) is a really secure algorithm for public-key cryptography.
More informationChair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 2 Basics 2.2 Public Key Cryptography Encryption/Decryption using Public Key Cryptography
More informationMcEliece Cryptosystem in real life: security and implementation
McEliece Cryptosystem in real life: security and implementation SECRET - INRIA Rocq. Some numbers! scheme key gen enc cycle dec cycle Ntru 203983313 894427 1617090 RSA1-1024 188582730 225593 6240622 RSA1-2048
More informationChosen-Ciphertext Security (II)
Chosen-Ciphertext Security (II) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (II) Fall 2018 1 / 13 Recall: Chosen-Ciphertext Attacks (CCA) Adversary
More informationPublic Key Cryptography and RSA
Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange
More information2 Secure Communication in Private Key Setting
CSA E0 235: Cryptography January 11, 2016 Instructor: Arpita Patra Scribe for Lecture 2 Submitted by: Jayam Modi 1 Discrete Probability Background Probability Distribution -A probability distribution over
More informationThe Beta Cryptosystem
Bulletin of Electrical Engineering and Informatics Vol. 4, No. 2, June 2015, pp. 155~159 ISSN: 2089-3191 155 The Beta Cryptosystem Chandrashekhar Meshram Department of Mathematics, RTM Nagpur University,
More informationIf DDH is secure then ElGamal is also secure w.r.t IND-CPA
CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme
More informationLecture 07: Private-key Encryption. Private-key Encryption
Lecture 07: Three algorithms Key Generation: Generate the secret key sk Encryption: Given the secret key sk and a message m, it outputs the cipher-text c (Note that the encryption algorithm can be a randomized
More informationOAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea
OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding Duong Hieu Phan ENS France David Pointcheval CNRS-ENS France Asiacrypt '04 Jeju Island - Korea December 6 th 2004 Summary Asymmetric Encryption
More informationNew Public Key Cryptosystems Based on the Dependent RSA Problems
New Public Key Cryptosystems Based on the Dependent RSA Problems David Pointcheval LIENS CNRS, École Normale Supérieure, 45 rue d Ulm, 75230 Paris Cedex 05, France. David.Pointcheval@ens.fr http://www.dmi.ens.fr/
More informationApplied Cryptography and Network Security
Applied Cryptography and Network Security William Garrison bill@cs.pitt.edu 6311 Sennott Square Lecture #8: RSA Didn t we learn about RSA last time? During the last lecture, we saw what RSA does and learned
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can
More information