# 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Save this PDF as:

Size: px
Start display at page:

Download "1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6."

## Transcription

2 where k Z n and the Euler function ϕ(n) is defined as follows: Definition For n N, the Euler function ϕ(n) counts the number of integers in Z n relatively prime to n: ϕ(n) = # {k Z n : gcd(k, n) = 1}. Equivalently, ϕ(n) is the number of invertible elements in Z n : To compute Euler s function, ϕ(n) = # {k Z n : kl = 1 for some l Z n }. p e p e 1, ϕ(n) = j ϕ(p ei i ), i=1 n = p e for prime p n = pe1 1 pej j for distinct primes p i. When n = p e, it is easy to count the number of integers modulo n that p does not divide. Extending ϕ to a composite integer n = p e1 1 pej j falls from the fact that ϕ is multiplicative on relatively prime integers: ϕ(mn) = ϕ(m)ϕ(n) when gcd(m, n) = 1. This can be shown by proving Z mn = Z m Z n using the Chinese Remainder Theorem. We are interested in the special case where n is the product of two large primes p and q. The multiplicative group Z n = {a Z n : gcd(a, n) = 1} consists of ϕ(n) = (p 1)(q 1) elements. In order for the above protocol to be effective (i.e. for Bob and no one else to know d), take e to be a prime such that 1 e ϕ(n) and gcd(e, ϕ(n)) = 1. Then the eth power map E : Z n Z n, defined by x x e mod n is invertible. In particular, when ed 1 mod ϕ(n), the dth power map D inverts E. If Bob choses e and ϕ(n) carefully, he can easily recover d using the Euclidean algorithm. It is clear that the strength of this technique lies primarily in Bob s choice of n. If p and q are obvious, any interested party can compute ϕ(n) and therefore d. Likewise, given n and ϕ(n), one can compute d. This implies that finding eth roots in Z n relies on the factorization of n. Since the factorization problem is believed to be hard, the RSA function appears to be difficult to invert in polynomial-time. This then constitutes a one-way function. The RSA assumption states that it is hard to invert the RSA function. 1.2 RSA Digital Signatures After its introduction, the security of the RSA signature scheme was argued in the Full-Domain Hash setting and was proven to be secure in the Random Oracle Model based on the RSA assumption. In general, a hash function is a mapping that takes a message of arbitrary length and returns an element of bounded size. The ideal hash function should be easily computable, noninvertible, and behave like an injection in the sense that it is extremely unlikely for two messages, no matter how similar to map to the same string or hash. In this section, we will assume our hash function H to be ideal with the range where {0, 1} = k=0 {0, 1}k. In the RSA signature scheme, H : {0, 1} Z n, 2

3 The key generation algorithm Gen: First choose two random primes p and q such that p = q = λ. Compute n = pq and ϕ(n) = (p 1)(q 1). Second, choose a random prime e < ϕ(n) such that gcd(e, ϕ(n)) = 1 and compute d e 1 mod ϕ(n). The verification key is (n, e) and the signing key is d. A full-domain hash function H is available to all parties. The signing key Sign: Given d and a message M, output the digital signature σ = H(M) d mod n. The verification algorithm Verify: Given (n, e) and (M, σ), verify that σ e = H(M) mod n. If equality holds, the result is True; otherwise the result is False. We call it a collision when two messages have the same signature under a hash function. These instances produce forgeries. For example, if (M, σ) is a valid message-signature pair and m is a message such that H(M) = H(M ), then (M, σ) is also a valid message-signature pair. In order for the RSA assumption to hold, H must satisfy some form of collision resistance. This is proved in the so called Random Oracle Model. A random oracle is a function that produces a random looking output for each query it receives. It must be consistent with its replies: if a question is repeated, the random oracle must return the same answer. The absence of any concrete structure in random oracles makes them useful in cryptographic applications when abstracting a hash function. If a scheme is secure assuming the adversary views some function as a random oracle, it is said to be secure in the Random Oracle Model. Figure 3 illustrates how a hash function H is modeled as a random oracle. Given M / History, choose t r Z n and enter (M, t) in History. Return t. Given M such that (M, t) History for some t, return t. Figure 1: A random oracle, where History represents the set of all (input,output) pairs previously served by the oracle. We will prove that the RSA signature scheme is secure in the Random Oracle Model under the RSA assumption. Theorem Under the Random Oracle Model, any PPT forgery adversary that attacks the RSA digital signature scheme and finds a forged signature with probability α can be transformed into an algorithm that finds eth roots with probability at least 1 q H (α 1 2 λ ), where λ is the security parameter and q H is the number of queries made to the random oracle H. Proof. Let A be an adversary that finds a forged signature with probability α. We will create an algorithm B that solves the RSA problem. Say B is given inpute n, e, y, where n and e are obtained through the RSA key generation algorithm Gen and y is chosen at random from Z n. B s goal is to find z Z n such that z = y 1/e mod n. To do this, B forms the verification key (n, e) and gives it to A. A will make both signing and random oracle queries, both of which B must answer. We assume B knows q H. This is not a problem as A is polynomial-time bounded and q H is smaller than the number of steps in the execution of A. Figure 2 illustrates how B operates when given access to A. First suppose A does not invoke the signing algorithm Sign, so A produces (M, σ) after making q H queries to the random oracle H. B answers these queries by simulating H as in Figure 3. By 3

4 < Crypto: Primitives and Protocols < n,e,y Attacker on RSA B ( n,e) H ( M) Forgery Attacker A ( M, ) Sign( sk,m) z=y 1/e mod n Figure 2: The attacker B must simulate H and Sign to use attacker A. our assumption, σ is a valid forged signature for M with probability α. Assume it is valid, so σ = H(M) d mod n. If H(M) = y, then σ = H(M) d = y d mod n and σ is an eth root of y (since d e 1 mod ϕ(n)). Observe that the above is highly unlikely, as the chances H(M) = y are minuscule. This is because there is no relation between the random oracle simulation by B and the value y. In order to obtain this result with some reasonable likelihood, B deviates from Figure 3 when answering the random oracle queries. B chooses a random number j in {1,..., q H } and attempts to answer the jth random oracle query with y: H(M) = y. In particular, the random oracle is modified to be parameterized by j, y and operates as follows: Maintain a query counter. Given M / History: if this is the jth query, set t = y, else choose t r Z n. Enter (M, t) in History. Return t. Given M such that (M, t) History for some t, return t. Figure 3: A modified random oracle simulation as used by algorithm B to plug-in a challenge y into the oracle s responses. In what follows we denote the output forged message of the adversary by M, and the queries to the signing oracle by M 1,..., M qs. As discussed above, we initially assume q S = 0, i.e., there are no queries to the signing oracle. Consider the event E, that m History, and the event E, the complement. Also let S be the event that the adversary A successfully produces a forged signature (i.e., the verification algorithm is executed on M, σ and outputs 1). Based on the theorem statement we know that Prob[S] = α. On the other hand, observe that Prob[S E] 1/ϕ(n) 2 λ. This is the case since in the conditional space E, the adversary has not asked M to H and thus the value of H(M) is undetermined until the verification algorithm is invoked. Since the adversary has already produced σ, the chances that H(M) e = σ in Z n are 1/ϕ(n) 2 λ. Now in the conditional space on E, there is a 1/q H chance the random oracle will correctly guess the query on which M is asked. We call this the event G. If G occurs, it follows that H(M) = y, i.e., y would be plugged into the right location. In such an occasion, the algorithm B would have successfully recovered the eth root of y. We call this the event V. We next provide a lower bound on V. First we have that Prob[S E] 2 λ, therefore Based on this we obtain the lower bound Prob[S E] = Prob[S E] Prob[ E] 2 λ. Prob[S E] α 2 λ. 4

5 Next we split the probability space according to E and calculate the probability of V as follows: Prob[V ] = Prob[V E] Prob[E] + Prob[V E] Prob[S G E] Prob[E]. Due to the independence of the events S, G in the conditional space E, we have that Prob[V ] Prob[S E] Prob[G E] Prob[E] = Prob[S E] Prob[G E] = α 2 λ q H. This completes the argument in the case q S = 0. We next consider the general case where q S is a polynomial in λ. In addition to making random oracle queries, A now asks B to sign a message M i. B must answer in a way that is consistent with the random oracle queries: if B returns σ i, it holds that σ i = H(M i ) d mod n, so σi e = H(M i) mod n. This implies (M i, σi e ) is in History. We can accommodate this by again modifying the simulation of H performed by B as seen in Figure 4. Maintain a query counter. Given M / History: if this is the jth query, set t = y, ρ =, else choose ρ r Z n and set t = ρ e mod n. Enter (M, t, ρ) in History. Return t. Given M such that (M, t, ρ) History for some t, return t. Figure 4: A second modified random oracle simulation as used by algorithm B to plug-in a challenge y into the oracle s responses while keeping the pre-images of the oracles responses under the eth power map. Now when asked to sign M i, B can first ask its random oracle subroutine for M i and then consult the History table it maintains for a record of the form (M i, t i, ρ i ). Unless ρ i = it can then proceed to answer the signing query with ρ i. Observe that the signing oracle simulation is perfect as long as ρ i, since ρ e i = t i mod n, i.e., ρ i is an eth root of t i = H(M i ) in Z n. Here we are not overly concerned with the case ρ i = as it means that the guess of B for M is mistaken (due to the condition that a successful forgery must be on a message that A does not query to the signing oracle) and thus the simulation is already doomed. To finish the proof we need to ensure that the adversary A cannot detect any difference in the random oracle responses as defined in Figure 4. Indeed observe that now the values returned to the adversary are of the form ρ e mod n, as opposed to random values t selected uniformly from Z n. This nevertheless turns out to not be an issue since the RSA function is a bijection on Z n and as a result, ρ e mod n is a random variable that is uniformly distributed over Z n under the assumption that ρ is uniformly distributed. Notes by S. Pehlivanoglu, J. Todd, & H.S. Zhou 5

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Digital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem

Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Digital Signatures. What are Signature Schemes?

Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

### Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

### MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins The RSA encryption scheme works as follows. In order to establish the necessary public

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### DIGITAL SIGNATURES 1/1

DIGITAL SIGNATURES 1/1 Signing by hand COSMO ALICE ALICE Pay Bob \$100 Cosmo Alice Alice Bank =? no Don t yes pay Bob 2/1 Signing electronically Bank Internet SIGFILE } {{ } 101 1 ALICE Pay Bob \$100 scan

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Software Tool for Implementing RSA Algorithm

Software Tool for Implementing RSA Algorithm Adriana Borodzhieva, Plamen Manoilov Rousse University Angel Kanchev, Rousse, Bulgaria Abstract: RSA is one of the most-common used algorithms for public-key

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### Practice Questions. CS161 Computer Security, Fall 2008

Practice Questions CS161 Computer Security, Fall 2008 Name Email address Score % / 100 % Please do not forget to fill up your name, email in the box in the midterm exam you can skip this here. These practice

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Cryptography Lecture 8. Digital signatures, hash functions

Cryptography Lecture 8 Digital signatures, hash functions A Message Authentication Code is what you get from symmetric cryptography A MAC is used to prevent Eve from creating a new message and inserting

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### 8th ACM Conference on Computer and Communications Security 2001 5-8 November 2001 Philadelphia - Pennsylvania - USA

8th ACM Conference on Computer and Communications Security 2001 5-8 November 2001 Philadelphia - Pennsylvania - USA Twin Signatures: an Alternative to the Hash-and-Sign Paradigm David Naccache (Gemplus,

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

The : Keeping Eve The Eavesdropper Away From Your Credit Card Information Department of Mathematics North Dakota State University 16 September 2010 Science Cafe Introduction Disclaimer: is not an internet

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### On the Security of One-Witness Blind Signature Schemes

On the Security of One-Witness Blind Signature Schemes Foteini Baldimtsi and Anna Lysyanskaya foteini,anna@cs.brown.edu Computer Science Department, Brown University Abstract. Blind signatures have proved

### The RSA Algorithm. Evgeny Milanov. 3 June 2009

The RSA Algorithm Evgeny Milanov 3 June 2009 In 1978, Ron Rivest, Adi Shamir, and Leonard Adleman introduced a cryptographic algorithm, which was essentially to replace the less secure National Bureau

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

### 9 Digital Signatures: Definition and First Constructions. Hashing.

Leo Reyzin. Notes for BU CAS CS 538. 1 9 Digital Signatures: Definition and First Constructions. Hashing. 9.1 Definition First note that encryption provides no guarantee that a message is authentic. For

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### Introduction. Chapter 1

Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/crypto-book/ The copyright

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### CRYPTOGRAPHY IN NETWORK SECURITY

ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### RSA and Primality Testing

and Primality Testing Joan Boyar, IMADA, University of Southern Denmark Studieretningsprojekter 2010 1 / 81 Correctness of cryptography cryptography Introduction to number theory Correctness of with 2

### Security Arguments for Digital Signatures and Blind Signatures

Journal of Cryptology, Volume 13, Number 3. Pages 361 396, Springer-Verlag, 2000. 2000 International Association for Cryptologic Research Security Arguments for Digital Signatures and Blind Signatures

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Crittografia e sicurezza delle reti. Digital signatures- DSA

Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### Fast Batch Verification for Modular Exponentiation and Digital Signatures

An extended abstract of this paper appears in Advances in Cryptology Eurocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998. This is the full version.

### One-Way Encryption and Message Authentication

One-Way Encryption and Message Authentication Cryptographic Hash Functions Johannes Mittmann mittmann@in.tum.de Zentrum Mathematik Technische Universität München (TUM) 3 rd Joint Advanced Student School

### The Exact Security of Digital Signatures How to Sign with RSA and Rabin

Appears in Advances in Cryptology Eurocrypt 96 Proceedings, Lecture Notes in Computer Science Vol. 1070, U. Maurer ed., Springer-Verlag, 1996. The Exact Security of Digital Signatures How to Sign with

### Cryptography and Network Security

Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### On Factoring Integers and Evaluating Discrete Logarithms

On Factoring Integers and Evaluating Discrete Logarithms A thesis presented by JOHN AARON GREGG to the departments of Mathematics and Computer Science in partial fulfillment of the honors requirements

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### Notes on Network Security Prof. Hemant K. Soni

Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

### Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography

Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### Proactive Two-Party Signatures for User Authentication

Proactive Two-Party Signatures for User Authentication Antonio Nicolosi, Maxwell Krohn, Yevgeniy Dodis, and David Mazières NYU Department of Computer Science {nicolosi,max,dodis,dm}@cs.nyu.edu Abstract

### Public Key Cryptography Overview

Ch.20 Public-Key Cryptography and Message Authentication I will talk about it later in this class Final: Wen (5/13) 1630-1830 HOLM 248» give you a sample exam» Mostly similar to homeworks» no electronic

### Computer Science 308-547A Cryptography and Data Security. Claude Crépeau

Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)

### ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES. Daniela Bojan and Sidonia Vultur

ACTA UNIVERSITATIS APULENSIS No 13/2007 MATHEMATICAL FOUNDATION OF DIGITAL SIGNATURES Daniela Bojan and Sidonia Vultur Abstract.The new services available on the Internet have born the necessity of a permanent

### Lecture 13. Lecturer: Yevgeniy Dodis Spring 2012

CSCI-GA.3210-001 MATH-GA.2170-001 Introduction to Cryptography April 18, 2012 Lecture 13 Lecturer: Yevgeniy Dodis Spring 2012 This lecture is dedicated to constructions of digital signature schemes. Assuming

### Universal Padding Schemes for RSA

Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Lecture 13: Factoring Integers

CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

### Public-Key Cryptanalysis

To appear in Recent Trends in Cryptography, I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Public-Key Cryptanalysis Phong Q. Nguyen Abstract. In 1976, Diffie and Hellman introduced the

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Digital signatures. Informal properties

Digital signatures Informal properties Definition. A digital signature is a number dependent on some secret known only to the signer and, additionally, on the content of the message being signed Property.

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### Democratic Group Signatures on Example of Joint Ventures

Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization

### The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Number Theory and Cryptography using PARI/GP

Number Theory and Cryptography using Minh Van Nguyen nguyenminh2@gmail.com 25 November 2008 This article uses to study elementary number theory and the RSA public key cryptosystem. Various commands will

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### 7! Cryptographic Techniques! A Brief Introduction

7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures