Practical Aspects of Modern Cryptography - PowerPoint PPT Presentation

Title: An Introduction to Cryptography. Author: Josh Benaloh. Last modified by: Josh Benaloh. Created Date: 1/7/1999 11:01:52 PM. Slides: 217.

Transcript and Presenter's Notes

Title: Practical Aspects of Modern Cryptography

1
Practical Aspects of Modern Cryptography
  • Josh Benaloh
  • Brian LaMacchia
  • John Manferdelli

2
Cryptography is ...
  • Protecting Privacy of Data
  • Authentication of Identities
  • Preservation of Integrity
  • basically any protocols designed to operate in
    an environment absent of universal trust.

3
Characters
Alice
4
Characters
Bob
5
Basic Communication
Alice talking to Bob
6
Another Character
Eve
7
Basic Communication Problem
Eve listening to Alice talking to Bob
8
Two-Party Environments
Alice Bob
9
Remote Coin Flipping
  • Alice and Bob decide to make a decision by
    flipping a coin.
  • Alice and Bob are not in the same place.

10
Ground Rule
  • Protocol must be asynchronous.
  • We cannot assume simultaneous actions.
  • Players must take turns.

11
Is Remote Coin Flipping Possible?
  • Two-part answer
  • NO: I will sketch a formal proof.
  • YES: I will provide an effective protocol.

15
A Protocol Flow Tree
[Figures, slides 15-31: a game tree of alternating moves by A and B. "Pruning the Tree" removes one level at a time from the leaves upward until only the root remains.]
Completing the Pruning
  • When the pruning is complete one will end up with
    either

33
Completing the Pruning
  • When the pruning is complete one will end up with
    either
  • a winner before the protocol has begun, or

34
Completing the Pruning
  • When the pruning is complete one will end up with
    either
  • a winner before the protocol has begun, or
  • a useless infinite game.

35
Conclusion of Part I
  • Remote coin flipping is utterly impossible!!!

36
How to Remotely Flip a Coin
  • The INTEGERS, arranged by residue mod 4:

      0   4   8  12  16   (even)
      1   5   9  13  17   (4n + 1: Type +1)
      2   6  10  14  18   (even)
      3   7  11  15  19   (4n - 1: Type -1)

45
How to Remotely Flip a Coin
  • Fact 1
  • Multiplying two (odd) integers of the same type
    always yields a product of Type +1.
  • (4p + 1)(4q + 1) = 16pq + 4p + 4q + 1 = 4(4pq + p + q) + 1
  • (4p - 1)(4q - 1) = 16pq - 4p - 4q + 1 = 4(4pq - p - q) + 1

46
How to Remotely Flip a Coin
  • Fact 2
  • There is no known method (other than factoring)
    to distinguish a product of two Type +1
    integers from a product of two Type -1 integers.
  • (By Fact 1 both products are of Type +1, so
    N mod 4 reveals nothing about the factors.)

47
How to Remotely Flip a Coin
  • Fact 3
  • Factoring large integers is believed to be much
    harder than multiplying large integers.

48
How to Remotely Flip a Coin
  • Alice
  • Randomly select a bit b = ±1 and two large
    integers P and Q both of type b.
  • Compute N = PQ.
  • Send N to Bob.
  • Bob
  • After receiving N from Alice, guess the value of
    b and send this guess to Alice.
  • Alice
  • After receiving b from Bob, reveal P and Q.

Bob wins if and only if he correctly guesses the
value of b.

Message flow:  Alice --N--> Bob;  Alice <--b-- Bob;  Alice --P,Q--> Bob
62
Let's Play
  • The INTEGERS, arranged by residue mod 4:

      0   4   8  12  16   (even)
      1   5   9  13  17   (4n + 1: Type +1)
      2   6  10  14  18   (even)
      3   7  11  15  19   (4n - 1: Type -1)

63
How to Remotely Flip a Coin
  • Bob
  • After receiving N from Alice, guess the value of
    b and send this guess to Alice.
  • Alice
  • Randomly select a bit b = ±1 and two large primes
    P and Q both of type b.
  • Compute N = PQ.
  • Send N to Bob.
  • After receiving b from Bob, reveal P and Q.
  • (P and Q must be primes, not merely odd integers:
    with composite factors Alice could open N both ways,
    e.g. 225 = 9 · 25 with both factors of Type +1 and
    225 = 15 · 15 with both factors of Type -1. Bob must
    therefore check that the revealed P and Q are prime,
    that both have type b, and that PQ = N.)

Bob wins if and only if he correctly guesses the
value of b.
65
Checking Primality
  • Basic result from group theory (Fermat's little theorem)
  • If p is a prime, then for all integers a such that
    0 < a < p, a^(p-1) mod p = 1.
  • This is almost never true when p is composite.
  • (The exceptions are the Carmichael numbers, such as
    561 = 3 · 11 · 17, which satisfy it for every a coprime
    to them; practical primality tests therefore use the
    stronger Miller-Rabin test.)
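
The protocol of slides 48-64 and the primality check of slide 65, as an added example that is not code from the original presentation. It uses only the Python standard library; the primes Alice uses in the test runs are constructed sample values (far too small for real use), and Bob's verifier implements the Fermat test exactly as the slide describes it, with the Carmichael caveat noted in the code.

```python
"""Remote coin flipping by bit commitment, following slides 48-65.

Added example, not code from the original presentation. The 'type' of an
odd integer is +1 for 4n+1 and -1 for 4n-1, as on the slides; the primes
used as Alice's sample inputs are constructed values.
"""
import secrets


def int_type(n):
    """+1 for n = 4k+1, -1 for n = 4k-1; even integers have no type."""
    r = n % 4
    if r == 1:
        return 1
    if r == 3:
        return -1
    raise ValueError("even integers have no type")


def fermat_probable_prime(n, bases=40):
    """Fermat test of slide 65 with fixed small bases a = 2, 3, 4, ...:
    a^(n-1) must be 1 (mod n) for each base.  Carmichael numbers pass for
    every base coprime to them, so a production verifier should use
    Miller-Rabin; this is the test the slides describe."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for a in range(2, min(n - 1, 2 + bases)):
        if pow(a, n - 1, n) != 1:
            return False
    return True


class Alice:
    """Commits to b by publishing N = PQ with P, Q both of type b."""

    def __init__(self, p, q):
        if int_type(p) != int_type(q):
            raise ValueError("P and Q must have the same type")
        self.p, self.q = p, q
        self.b = int_type(p)

    def commit(self):
        return self.p * self.q           # message 1: N

    def reveal(self):
        return self.p, self.q            # message 3: the opening


def bob_guess():
    """Facts 1-3: without factoring N, Bob has no good way to learn b,
    so he simply guesses."""
    return 1 if secrets.randbits(1) else -1


def bob_verify(n, p, q, guess):
    """Bob checks the opening before accepting the outcome.
    Returns (opening_is_valid, bob_wins)."""
    if p * q != n:
        return False, False
    if not (fermat_probable_prime(p) and fermat_probable_prime(q)):
        return False, False              # composite factors allow cheating
    if int_type(p) != int_type(q):
        return False, False
    return True, guess == int_type(p)


def run_protocol(p, q, guess=None):
    """One run: Alice commits, Bob guesses, Alice opens, Bob verifies."""
    alice = Alice(p, q)
    n = alice.commit()
    g = bob_guess() if guess is None else guess   # message 2
    p_r, q_r = alice.reveal()
    return bob_verify(n, p_r, q_r, g)


def cheating_alice_is_caught():
    """N = 225 opens as 9 * 25 (both Type +1) or 15 * 15 (both Type -1);
    Bob's primality check rejects both openings."""
    return (not bob_verify(225, 9, 25, 1)[0]
            and not bob_verify(225, 15, 15, -1)[0])
```

Bob's three checks (product, primality, matching type) are what turn the slide's "reveal P and Q" into a binding commitment; drop the primality check and the 225 example above opens either way.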

66
How are the Answers Reconciled?
  • The impossibility proof assumed unlimited
    computational ability.
  • The protocol is not 50/50: Bob has a small
    advantage.

69
Applications of Remote Flipping
  • Remote Card Playing
  • Internet Gambling
  • Various Fair Agreement Protocols

70
Bit Commitment
  • We have implemented remote coin flipping via bit
    commitment.
  • Commitment protocols can also be used for
  • Sealed bidding
  • Undisclosed contracts
  • Authenticated predictions

71
One-Way Functions
  • We have implemented bit commitment via one-way
    functions.
  • One-way functions can be used for
  • Authentication
  • Data integrity
  • Strong randomness

72
One-Way Functions
  • Two basic classes of one-way functions
  • Mathematical
  • Multiplication: Z = X · Y
  • Modular Exponentiation: Z = Y^X mod N
  • Ugly

78
The Fundamental Equation
  • Z = Y^X mod N
  • When Z is unknown, it can be efficiently computed.
  • When X is unknown, the problem is known as the
    discrete logarithm and is generally believed to
    be hard to solve.
  • When Y is unknown, the problem is known as
    discrete root finding and is generally believed
    to be hard to solve...
  • unless the factorization of N is known.
  • The problem is not well-studied for the case when
    N is unknown.

84
Implementation
  • Z = Y^X mod N

85
How to compute Y^X mod N
  • Compute Y^X and then reduce mod N.
  • If X, Y, and N each are 1,000-bit integers, Y^X
    consists of about 2^1010 bits.
  • Since there are roughly 2^250 particles in the
    universe, storage is a problem.
  • Repeatedly multiplying by Y (followed each time
    by a reduction modulo N) X times solves the
    storage problem.
  • However, we would need to perform 2^900 32-bit
    multiplications per second to complete the
    computation before the sun burns out.

92
How to compute Y^X mod N
  • Multiplication by Repeated Doubling
  • To compute X · Y,
  • compute Y, 2Y, 4Y, 8Y, 16Y, ...
  • and sum up those values dictated by the binary
    representation of X.
  • Example: 26Y = 2Y + 8Y + 16Y.

98
How to compute Y^X mod N
  • Exponentiation by Repeated Squaring
  • To compute Y^X,
  • compute Y, Y^2, Y^4, Y^8, Y^16, ...
  • and multiply those values dictated by the
    binary representation of X.
  • Example: Y^26 = Y^2 · Y^8 · Y^16.

104
How to compute Y^X mod N
  • We can now perform a 1,000-bit modular
    exponentiation using about 1,500 1,000-bit modular
    multiplications.
  • 1,000 squarings: y, y^2, y^4, ..., y^(2^1000)
  • about 500 ordinary multiplications (one for each
    1 bit of X; half of the 1,000 bits on average)

105
Sliding Window Method
  • One way to speed up modular exponentiation is by
    precomputation of many small products.
  • For instance, if you have y, y^2, y^3, ..., y^15
    computed in advance, you can multiply by (for
    example) y^13 without having to multiply
    individually by y, y^4, and y^8.
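
Repeated squaring (slides 99-104) and the precomputed-table method of slide 105, as an added example that is not code from the original presentation. The counters show the cost model the slides quote (about 1,500 modular multiplications for a 1,000-bit exponent) and how much a 4-bit table saves; the window width and the constructed modulus and exponent in demo() are assumptions of this example. Both routines branch on exponent bits, which leaks the exponent through timing, so code that handles a secret exponent in production must not be written this way.

```python
"""Modular exponentiation by repeated squaring (slides 99-104) and the
fixed-window variant of slide 105, with operation counts.

Added example, not code from the original presentation.  The window width
(4 bits, giving the table y, y^2, ..., y^15 of slide 105) and the counters
are additions; the modulus and exponent in demo() are constructed.
"""
import random


def square_and_multiply(y, x, n):
    """Left-to-right binary method.  Returns (y^x mod n, squarings, mults)."""
    result, squarings, mults = 1, 0, 0
    for bit in bin(x)[2:]:              # most significant bit first
        result = result * result % n    # one squaring per exponent bit
        squarings += 1
        if bit == "1":                  # one extra multiply per 1 bit
            result = result * y % n
            mults += 1
    return result, squarings, mults


def windowed_exponentiation(y, x, n, window_bits=4):
    """Fixed windows of 'window_bits' bits.  The table y^0..y^(2^w-1) is
    built once; each window then costs w squarings and at most one
    multiply, e.g. by y^13 directly rather than by y, y^4 and y^8."""
    table = [1]
    for _ in range((1 << window_bits) - 1):
        table.append(table[-1] * y % n)          # table[i] = y^i mod n
    table_mults = len(table) - 2                 # building y^2..y^(2^w-1)
    bits = bin(x)[2:]
    bits = "0" * ((-len(bits)) % window_bits) + bits   # align to windows
    result, squarings, mults = 1, 0, 0
    for i in range(0, len(bits), window_bits):
        for _ in range(window_bits):
            result = result * result % n
            squarings += 1
        digit = int(bits[i:i + window_bits], 2)
        if digit:
            result = result * table[digit] % n
            mults += 1
    return result, squarings, mults + table_mults


def demo(bits=1000, seed=1):
    """Cost of one 1,000-bit exponentiation by both methods on a constructed
    odd modulus and a random full-length exponent.  Returns the counts and
    a flag that both results agree with Python's pow()."""
    rng = random.Random(seed)
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
    x = rng.getrandbits(bits) | (1 << (bits - 1))       # top bit set
    y = rng.randrange(2, n)
    expected = pow(y, x, n)
    r1, sq1, m1 = square_and_multiply(y, x, n)
    r2, sq2, m2 = windowed_exponentiation(y, x, n)
    return {
        "binary": (sq1, m1),
        "windowed": (sq2, m2),
        "correct": r1 == expected and r2 == expected,
    }
```

On a 1,000-bit exponent the binary method does 1,000 squarings and about 500 multiplies; the 4-bit window keeps the 1,000 squarings but needs at most 250 multiplies plus 14 for the table.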

106
Large-Integer Operations
  • Addition and Subtraction
  • Multiplication
  • Division and Remainder (Mod N)
  • Exponentiation

107
Large-Integer Addition
[Figures, slides 107-112: block-by-block addition of two multi-block integers, built up one step per slide.]
113
Large-Integer Addition
  • In general, adding two large integers each
    consisting of n small blocks requires O(n)
    small-integer additions.
  • Large-integer subtraction is similar.

114
Large-Integer Multiplication
[Figures, slides 114-119: the schoolbook product of two multi-block integers, built up one partial product per slide.]
120
Large-Integer Multiplication
  • In general, multiplying two large integers each
    consisting of n small blocks requires O(n^2)
    small-integer multiplications and O(n)
    large-integer additions.

121
Large-Integer Squaring
[Figures, slides 121-123: the partial products of a square, built up one step per slide; the cross terms appear twice.]
124
Large-Integer Squaring
  • Careful bookkeeping can save nearly half of the
    small-integer multiplications (and nearly half of
    the time).

125
Recall computing YX mod N
  • About 2/3 of the multiplications required to
    compute YX are actually squarings.
  • Overall, efficient squaring can save about 1/3 of
    the small multiplications required for modular
    exponentiation.

126
Karatsuba Multiplication
  • (Ax + B)(Cx + D) = ACx^2 + (AD + BC)x + BD
  • 4 multiplications, 1 addition
  • (A + B)(C + D) = AC + AD + BC + BD
  • (A + B)(C + D) - AC - BD = AD + BC
  • 3 multiplications, 2 additions, 2 subtractions

144
Karatsuba Multiplication
  • This can be done on integers as well as on
    polynomials, but it's not as nice on integers
    because of carries.
  • The larger the integers, the larger the benefit.

145
Karatsuba Multiplication
  • (A·2^k + B)(C·2^k + D)
    = AC·2^(2k) + (AD + BC)·2^k + BD
  • 4 multiplications, 1 addition
  • (A + B)(C + D) = AC + AD + BC + BD
  • (A + B)(C + D) - AC - BD = AD + BC
  • 3 multiplications, 2 additions, 2 subtractions
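
Karatsuba on integers split at a power of two, as slide 145 writes it, as an added example that is not code from the original presentation. The cut-over size below which the built-in multiply is treated as one "small-integer" multiplication, and the 4096-bit random operands in demo(), are assumptions of this example; the counter shows the saving over the O(n^2) count of slide 120.

```python
"""Karatsuba multiplication on integers, splitting at a power of two as on
slide 145: (A*2^k + B)(C*2^k + D) with three recursive products.

Added example, not code from the original presentation.  'base_bits' is a
tuning parameter introduced here; the operands in demo() are constructed.
"""
import random

BASE_BITS = 64   # operands this small count as one 'small-integer' multiply


def karatsuba(a, b, base_bits=BASE_BITS):
    """a * b for non-negative integers."""
    product, _ = karatsuba_counted(a, b, base_bits)
    return product


def karatsuba_counted(a, b, base_bits=BASE_BITS):
    """Returns (a * b, number of base-size multiplications performed)."""
    count = 0

    def rec(x, y):
        nonlocal count
        if x == 0 or y == 0:
            return 0
        if x.bit_length() <= base_bits and y.bit_length() <= base_bits:
            count += 1
            return x * y
        k = max(x.bit_length(), y.bit_length()) // 2
        mask = (1 << k) - 1
        A, B = x >> k, x & mask             # x = A*2^k + B
        C, D = y >> k, y & mask             # y = C*2^k + D
        ac = rec(A, C)
        bd = rec(B, D)
        mid = rec(A + B, C + D) - ac - bd   # = AD + BC with one multiply
        return (ac << (2 * k)) + (mid << k) + bd   # carries handled by +

    return rec(a, b), count


def schoolbook_count(a, b, base_bits=BASE_BITS):
    """Base-size multiplications the O(n^2) method of slide 120 would use."""
    def blocks(v):
        return max(1, -(-v.bit_length() // base_bits))
    return blocks(a) * blocks(b)


def demo(bits=4096, seed=7):
    """Compare multiplication counts on two constructed 4096-bit operands.
    Returns (result matches a*b, karatsuba count, schoolbook count)."""
    rng = random.Random(seed)
    a = rng.getrandbits(bits) | (1 << (bits - 1))
    b = rng.getrandbits(bits) | (1 << (bits - 1))
    product, kcount = karatsuba_counted(a, b)
    return product == a * b, kcount, schoolbook_count(a, b)
```

The sum A + B can be one bit longer than A, which is the "carries" nuisance slide 144 mentions: some branches need one extra level of recursion, so the count is a little above 3^levels rather than exactly on it.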

146
Chinese Remaindering
  • If X ≡ A (mod P) and X ≡ B (mod Q), then (as long as P
    and Q have no common factors) X can be derived
    as
  • X = A·Q·(Q^-1 mod P) + B·P·(P^-1 mod Q)  (mod PQ).

147
Chinese Remaindering
  • If N = PQ, then a computation mod N can be
    accomplished by performing the same computation
    mod P and again mod Q and then using Chinese
    Remaindering to derive the answer to the mod N
    computation.

148
Chinese Remaindering
  • Since modular exponentiation of n-bit integers
    requires O(n^3) time, performing two modular
    exponentiations on half-size values requires only
    about one quarter of the time of a single n-bit
    modular exponentiation.
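
RSA decryption done the way slides 146-148 describe, as an added example that is not code from the original presentation. The key is built from P = 2^61 - 1 and Q = 2^31 - 1 (constructed sample values, chosen because their primality is beyond doubt but far too small for real use) with the exponent 65537 of slide 185. The re-encryption check at the end is a practice not on the slides: a CRT implementation that releases a result from a faulty half-computation leaks a factor of N, so the result is verified before it leaves the function.

```python
"""RSA decryption with the Chinese Remainder Theorem (slides 146-148).

Added example, not code from the original presentation.  P and Q are
Mersenne primes used as constructed sample values; E is from slide 185.
"""

P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # E*D = 1 (mod (P-1)(Q-1)), slide 187

# CRT private values, stored with the key so decryption never needs D itself
DP = D % (P - 1)                 # y^D = y^DP (mod P) by Fermat's little theorem
DQ = D % (Q - 1)


def crt_combine(a, b, p, q):
    """Slide 146: X = A*Q*(Q^-1 mod P) + B*P*(P^-1 mod Q)  (mod PQ)."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def encrypt(y):
    """Z = Y^E mod N."""
    return pow(y, E, N)


def decrypt_plain(z):
    """One full-size exponentiation: Y = Z^D mod N."""
    return pow(z, D, N)


def decrypt_crt(z):
    """Two half-size exponentiations (about a quarter of the work, slide
    148) recombined with crt_combine."""
    mp = pow(z % P, DP, P)       # Y mod P
    mq = pow(z % Q, DQ, Q)       # Y mod Q
    y = crt_combine(mp, mq, P, Q)
    # Check not on the slides: a fault in either half would give a wrong y
    # with gcd(y^E - z, N) exposing P or Q, so verify before releasing it.
    if pow(y, E, N) != z:
        raise RuntimeError("CRT result failed re-encryption check")
    return y
```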

149
Modular Reduction
  • Generally, computing (A · B) mod N requires much
    more than twice the time to compute A · B.
  • Division is slow and cumbersome.

156
The Montgomery Method
  • The Montgomery Method performs a domain transform
    to a domain in which the modular reduction
    operation can be achieved by multiplication and
    simple truncation.
  • Since a single modular exponentiation requires
    many modular multiplications and reductions,
    transforming the arguments is well justified.

157
Montgomery Multiplication
  • Let A, B, and M be n-block integers represented
    in base x with 0 ≤ M < x^n.
  • Let R = x^n, with GCD(R, M) = 1 (for x a power of
    two this means M must be odd).
  • The Montgomery Product of A and B modulo M is the
    integer A·B·R^-1 mod M.
  • Let M' = -M^-1 mod R and S = A·B·M' mod R.
  • Fact: (A·B + S·M)/R is an integer and
    (A·B + S·M)/R ≡ A·B·R^-1 (mod M).
  • (For A, B < M the quotient is below 2M, so at most
    one subtraction of M finishes the reduction.)

158
Using the Montgomery Product
  • The Montgomery Product A·B·R^-1 mod M can be
    computed in the time required for two ordinary
    large-integer multiplications.
  • Montgomery transform: A → A·R mod M.
  • The Montgomery product of (A·R mod M) and (B·R mod
    M) is (A·B·R mod M).
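
The Montgomery product and a full exponentiation carried out in the transformed domain, as an added example that is not code from the original presentation. It takes the slides' base x to be 2, so R = 2^k with k the bit length of M, the "mod R" is a mask and the "divide by R" a shift; the moduli in the usage are constructed sample values.

```python
"""Montgomery multiplication and exponentiation (slides 156-158).

Added example, not code from the original presentation.  R = 2^k with
k = bit length of the odd modulus M, so no division by M ever occurs.
"""


class Montgomery:
    def __init__(self, m):
        if m % 2 == 0:
            raise ValueError("modulus must be odd so that gcd(R, M) = 1")
        self.m = m
        self.k = m.bit_length()
        self.r = 1 << self.k                      # R = 2^k > M
        self.mask = self.r - 1
        self.m_prime = (-pow(m, -1, self.r)) & self.mask   # M' = -M^-1 mod R
        self.r2 = (self.r * self.r) % m           # R^2 mod M, for to_mont

    def product(self, a, b):
        """Slide 157: S = A*B*M' mod R, then (A*B + S*M)/R = A*B*R^-1 (mod M).
        Only multiplications, a mask and a shift; the low k bits of
        A*B + S*M are zero by construction, so the shift is exact."""
        t = a * b
        s = (t * self.m_prime) & self.mask
        u = (t + s * self.m) >> self.k
        return u - self.m if u >= self.m else u   # u < 2M, one subtraction

    def to_mont(self, a):
        """A -> A*R mod M, computed as MontProduct(A, R^2 mod M)."""
        return self.product(a % self.m, self.r2)

    def from_mont(self, a_mont):
        """A*R mod M -> A, computed as MontProduct(A*R, 1)."""
        return self.product(a_mont, 1)

    def pow(self, y, x):
        """Y^X mod M by repeated squaring, entirely in the Montgomery
        domain: transform once, multiply many times, transform back."""
        result = self.to_mont(1)                  # R mod M plays the role of 1
        base = self.to_mont(y)
        for bit in bin(x)[2:]:
            result = self.product(result, result)
            if bit == "1":
                result = self.product(result, base)
        return self.from_mont(result)
```

The two transforms cost one Montgomery product each, which is why slide 156 says they are "well justified" only when many products follow, as in an exponentiation.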

159
One-Way Functions
  • Z = Y^X mod N

160
One-Way Functions
  • Informally, F: X → Y is one-way if
  • Given x, y = F(x) is easily computable.
  • Given y, it is difficult to find any x for
    which y = F(x).

161
One-Way Functions
  • The family of functions
  • F_{Y,N}(X) = Y^X mod N
  • is believed to be one-way for most N and Y.
  • No one has ever proven a function to be one-way,
    and doing so would, at a minimum, yield as a
    consequence that P ≠ NP.

163
One-Way Functions
  • When viewed as a two-argument function, the
    (candidate) one-way function
  • F_N(Y, X) = Y^X mod N
  • also satisfies a useful additional property which
    has been termed quasi-commutativity:
  • F(F(Y, X1), X2) = F(F(Y, X2), X1)
  • since Y^(X1·X2) = Y^(X2·X1).

164
Diffie-Hellman Key Exchange
  • Alice
  • Randomly select a large integer a and send A =
    Y^a mod N.
  • Compute the key K = B^a mod N.
  • Bob
  • Randomly select a large integer b and send B =
    Y^b mod N.
  • Compute the key K = A^b mod N.

Message flow:  Alice --A--> Bob;  Alice <--B-- Bob

B^a = Y^(ba) = Y^(ab) = A^b  (mod N)

170
Diffie-Hellman Key Exchange
  • What does Eve see?
  • Y, Y^a, Y^b
  • but the exchanged key is Y^(ab).
  • Belief: Given Y, Y^a, Y^b it is difficult to
    compute Y^(ab).
  • Contrast with the discrete logarithm assumption:
    Given Y, Y^a it is difficult to compute a.
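
The exchange of slides 164-175 with both sides' messages, as an added example that is not code from the original presentation. The slides' modulus N is the prime p here and their base Y is the generator g. Everything beyond the slides is an assumption of this example: p = 2q + 1 with q prime (a "safe prime") so that the receiver can check B^q = 1 (mod p) and reject values outside the order-q subgroup, the Miller-Rabin test and seeded parameter generation that make the run self-contained, and the 128-bit size, which is for demonstration only; deployments use standardised groups of at least 2048 bits.

```python
"""Diffie-Hellman key exchange (slides 164-175) over a safe prime, with the
checks a receiver should apply to the other side's value.

Added example, not code from the original presentation.  p, q and g are
generated here as constructed sample parameters (128 bits, demo only).
"""
import random
import secrets

SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rng=None, rounds=32):
    """Miller-Rabin with 'rounds' random bases.  Unlike the Fermat test
    of slide 65 it is not fooled by Carmichael numbers."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:                   # cheap trial division first
        if n % p == 0:
            return n == p
    if rng is None:
        rng = random.Random()
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits, rng):
    """Search for prime q with p = 2q + 1 also prime (sample parameters)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


def validate_public_value(v, p, q):
    """Reject 0, 1, p-1 and anything outside the order-q subgroup, so a
    peer cannot force the shared key into a tiny, guessable set."""
    return 2 <= v <= p - 2 and pow(v, q, p) == 1


class Party:
    """One side of the exchange: picks a secret exponent, publishes g^secret."""

    def __init__(self, p, q, g):
        self.p, self.q, self.g = p, q, g
        self.secret = secrets.randbelow(q - 2) + 2   # a (or b) in [2, q-1]
        self.public = pow(g, self.secret, p)         # A = Y^a mod N

    def shared_key(self, peer_public):
        if not validate_public_value(peer_public, self.p, self.q):
            raise ValueError("peer's public value rejected")
        return pow(peer_public, self.secret, self.p)  # K = B^a = Y^(ab) mod N


def run_exchange(bits=128, seed=2024):
    """Generate a group, run one exchange, report what Eve could see."""
    rng = random.Random(seed)                # seeded so the demo is repeatable
    p, q = generate_safe_prime(bits, rng)
    g = 4                                    # a square, so its order is exactly q
    alice, bob = Party(p, q, g), Party(p, q, g)
    k_alice = alice.shared_key(bob.public)   # Eve sees g, A = g^a, B = g^b ...
    k_bob = bob.shared_key(alice.public)     # ... but not a, b or g^(ab)
    return p, q, g, alice.public, bob.public, k_alice == k_bob
```

The subgroup check is the part most often skipped in home-grown implementations; without it a peer who sends p - 1 forces the key to be 1 or p - 1, which is the small-subgroup version of the "Bob has an advantage" problem from the coin-flipping protocol.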

176
More on Quasi-Commutativity
  • Quasi-commutativity has additional applications:
  • decentralized digital signatures
  • membership testing
  • digital time-stamping

177
One-Way Trap-Door Functions
  • Z = Y^X mod N
  • Recall that this equation is solvable for Y if
    the factorization of N is known, but is believed
    to be hard otherwise.

179
RSA Public-Key Cryptosystem
  • Alice
  • Select two large random primes P and Q.
  • Publish the product N = PQ.
  • Use knowledge of P and Q to compute Y.
  • Anyone
  • To send message Y to Alice, compute Z = Y^X mod N.
  • Send Z and X to Alice.

185
RSA Public-Key Cryptosystem
  • In practice, the exponent X is almost always
    fixed to be X = 65537 = 2^16 + 1.

186
Some RSA Details
  • When N = PQ is the product of distinct primes,
  • Y^X mod N = Y
  • whenever
  • X mod (P-1)(Q-1) = 1 and 0 ≤ Y < N.
  • Alice can easily select integers E and D such
    that E·D mod (P-1)(Q-1) = 1.

188
Some RSA Details
  • Encryption: E(Y) = Y^E mod N.
  • Decryption: D(Y) = Y^D mod N.
  • D(E(Y))
  • = (Y^E mod N)^D mod N
  • = Y^(ED) mod N
  • = Y

189
RSA Signatures
  • An additional property
  • D(E(Y)) = Y^(ED) mod N = Y
  • E(D(Y)) = Y^(DE) mod N = Y
  • Only Alice (knowing the factorization of N) knows
    D. Hence only Alice can compute D(Y) = Y^D mod N.
  • This D(Y) serves as Alice's signature on Y.

195
Public Key Directory
(Recall that E is commonly fixed to be
E = 65537.)
197
Certificate Authority
Alice's public modulus is N_A =
331490324840 -- signed CA.
198
Trust Chains
  • Alice certifies Bob's key.
  • Bob certifies Carol's key.
  • If I trust Alice, should I accept Carol's key?

199
Authentication
  • How can I use RSA to authenticate someone's
    identity?
  • If Alice's public key is E_A, just pick a random
    message m and send E_A(m).
  • If m comes back, I must be talking to Alice.

203
Authentication
  • Should Alice be happy with this method of
    authentication?
  • Bob sends Alice the authentication string y =
    "I owe Bob 1,000,000 - signed Alice".
  • Alice dutifully authenticates herself by
    decrypting (putting her signature on) y.

204
Authentication
  • What if Alice only returns authentication queries
    when the decryption has a certain format?
  • (A format check does not make the oracle safe: even
    the yes/no answer leaks information, which is what
    the Bleichenbacher attack below exploits.)

205
RSA Cautions
  • Is it reasonable to sign/decrypt something given
    to you by someone else?
  • Note that RSA is multiplicative. Can this
    property be used/abused?
  • D(Y1) · D(Y2) = D(Y1 · Y2)  (mod N)
  • Thus, if I've decrypted (or signed) Y1 and Y2,
    I've also decrypted (or signed) Y1 · Y2.

207
The Hastad Attack
  • Given the same message x encrypted with exponent 3
    under three different moduli,
  • E1(x) = x^3 mod n1
  • E2(x) = x^3 mod n2
  • E3(x) = x^3 mod n3
  • one can easily compute x: Chinese Remaindering
    recovers x^3 exactly, since x^3 < n1·n2·n3, and an
    integer cube root then gives x.
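
The two cautions of slides 205-207 carried out in code, as an added example that is not from the original presentation: a forged signature obtained through the multiplicative property, and Hastad's recovery of a message broadcast to three exponent-3 recipients. Alice's key again uses the Mersenne primes 2^61 - 1 and 2^31 - 1 with E = 65537 as constructed sample values; the three exponent-3 moduli are products of known primes chosen here (all congruent to 2 mod 3, so 3 is a valid exponent), and the messages and blinding factor are constructed.

```python
"""Two consequences of RSA's algebraic structure (slides 205-207).

Added example, not code from the original presentation.  All key material
and messages are constructed sample values, far too small for real use.
"""
from math import gcd

# --- Alice's signing key (slide 187) --------------------------------------
P, Q = (1 << 61) - 1, (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def sign(y):
    """D(Y) = Y^D mod N (slide 193): only Alice can compute this."""
    return pow(y, D, N)


def verify(y, sig):
    """E(D(Y)) = Y."""
    return pow(sig, E, N) == y


def forge_via_blinding(target, r):
    """Slide 206: D(Y1)*D(Y2) = D(Y1*Y2).  Ask Alice to sign target*r and
    r^-1, two values that look like random noise; the product of the two
    signatures is her signature on 'target', which she never saw."""
    if gcd(r, N) != 1:
        raise ValueError("blinding factor must be invertible mod N")
    r_inv = pow(r, -1, N)
    s1 = sign(target * r % N)          # Alice 'authenticates' a random blob
    s2 = sign(r_inv)                   # ... and another one
    return s1 * s2 % N                 # = D(target*r*r^-1) = D(target)


# --- Hastad's attack (slide 207) -------------------------------------------
MODULI = [
    1000000007 * 998244353,            # n1 (constructed: two known primes)
    65537 * 999983,                    # n2
    104729 * 7919,                     # n3
]


def crt(residues, moduli):
    """Slide 146 generalised to several pairwise coprime moduli."""
    total, prod = 0, 1
    for m in moduli:
        prod *= m
    for a, m in zip(residues, moduli):
        mi = prod // m
        total += a * mi * pow(mi, -1, m)
    return total % prod


def icbrt(n):
    """Exact integer cube root by binary search; None if n is not a cube."""
    lo, hi = 0, 1 << ((n.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == n else None


def hastad_recover(ciphertexts, moduli=MODULI):
    """Given x^3 mod n_i for three coprime moduli and x < min(n_i), the
    CRT value equals x^3 itself (it is below n1*n2*n3), so an ordinary
    integer cube root returns x.  No private key is involved."""
    return icbrt(crt(ciphertexts, moduli))
```

Both attacks are defeated in practice by never signing or encrypting a raw value: a signature is computed over a hash of the message, and an encrypted message is padded with randomness (slide 216 and the PKCS#1 format below), so the attacker no longer controls what is exponentiated.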

208
The Bleichenbacher Attack
  • PKCS#1 v1.5 encryption block format (block type 2):
  • 00 02 XX XX ... XX 00 YY YY ... YY
  •       random non-zero bytes      message
  • A decryptor that reveals whether a decrypted block
    has this format (cf. slide 204) is an oracle;
    Bleichenbacher's attack decrypts an arbitrary
    ciphertext with on the order of a million such
    yes/no queries.
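
The block format of slide 208 as an encoder and the conformance check that, when its outcome is observable, becomes the oracle of slide 204, as an added example that is not code from the original presentation. The key length k and the sample message are constructed; the attack itself is not implemented, only the one-bit answer it queries.

```python
"""PKCS#1 v1.5 block type 2 formatting (slide 208) and the conformance
check whose yes/no answer is the oracle Bleichenbacher's attack queries.

Added example, not code from the original presentation.  k is the byte
length of the RSA modulus; the message in the usage is constructed.
"""
import secrets


def pkcs1_v15_pad(message, k):
    """00 02 | at least 8 random non-zero bytes | 00 | message  (k bytes)."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for this modulus size")
    ps = bytearray()
    while len(ps) < ps_len:
        b = secrets.token_bytes(1)
        if b != b"\x00":                 # the padding must contain no 00
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + message


def pkcs1_v15_unpad(block, k):
    """Return the message, or None if the block is not conformant.

    Whether a caller can tell that None was returned (a distinct error
    code, a timing difference, a different protocol alert) is exactly the
    one bit per query the attack needs.  Real decryptors must treat a bad
    block identically to a good one and continue with a random secret."""
    if len(block) != k or block[0] != 0 or block[1] != 2:
        return None
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep < 10:            # fewer than 8 padding bytes
        return None
    return block[sep + 1:]
```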
209
Man-in-the-Middle Attacks
210
The Practical Side
  • RSA can be used to encrypt any data.
  • Public-key (asymmetric) cryptography is very
    inefficient when compared to traditional
    private-key (symmetric) cryptography.
  • For efficiency, one generally uses RSA (or
    another public-key algorithm) to transmit a
    private (symmetric) key.
  • The private session key is used to encrypt any
    subsequent data.
  • Digital signatures are only used to sign a digest
    of the message.