# Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Ch.9 Cryptography The Graduate Center, CUNY! CSc Theoretical Computer Science Konstantinos Vamvourellis

2 Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography exploits results from Complexity theory to guarantee the security of its schemes.

3 Why is Modern Cryptography part of a Complexity course? It seems that we want to be able to say something of the form: a scheme is (t,ɛ)-secure if every attacker running in time at most t succeeds in breaking the scheme with probability at most ɛ. e.g. when the cryptographic key has length n, an attacker that runs in time t can break the scheme with prob t/2 n. Using a typical key length of n=128 we can say that NO adversary running a super-computer for up to 200 years can break the scheme with prob Such an approach is difficult to analyze and does not scale well. We can do better

4 Why is Modern Cryptography part of a Complexity course? An better approach is the Asymptotic Approach, which is directly related to Complexity Theory. Note that the Asymptotic Approach is a mere generalization of the first case we considered. In asymptotic approach we view the running time of the attacker and the his success probability as functions of some parameter n (which is called the security parameter and usually represents the length of the secret key). We consider feasible or efficient any process that takes poly(n) time and negligible any probability that is 1/poly(n). The reasoning behind these principles are rooted in Complexity Theory.

5 Modern Cryptography A scheme is a secure if a every attacker that runs in polynomial time succeeds in breaking the scheme with only negligible probability. e.g. an attacker that runs in n 3 minutes can succeed in breaking the scheme with probability n 1/poly(n). For small values of n, say n 40, the attacker can break the scheme with prob. 1 when running for up to 6 weeks. But because of the asymptotic relation of the probability with the runing time, we can gradually increase the value n until the corresponding running time of a non-negligible success probability is extremely long. Consider n=500, the attacker running for more than 200 years would break the scheme with prob which is incredibly small, so small we can neglect it.

6 Modern Cryptography and Complexity P=NP P NP & A. No One-Way A. NO Crypto B. Secret Key Crypto C. Public Key Crypto Functions B. One-Way Functions & NO Public Key Crypto C. Public Key Crypto

7 Cryptography is concerned with the construction of schemes that can withstand malicious attempts to abuse the scheme. e.g. Alice (Sender) wants to communicate secretly with Bob (Receiver). How can their communication protocol guarantee the security of the conversion?

8 Cryptography is concerned with the construction of schemes that can withstand malicious attempts to abuse the scheme. e.g. Alice wants to communicate secretly with Bob. How can their communication protocol guarantee the security of the conversion? A. Demand that is impossible for any attacker (that watches the communication channel) to learn any secrets. B. Demand that is infeasible for any attacker (that watches the communication channel) to learn any secrets, unless with extremely low probability.

9 Cryptography is concerned with the construction of schemes that can withstand malicious attempts to abuse the scheme. e.g. Alice wants to communicate secretly with Bob. How can their communication protocol guarantee the security of the conversion? A. Information Theoretic Security B. Computational Security

10 Cryptography is concerned with the construction of schemes that can withstand malicious attempts to abuse the scheme. e.g. Alice wants to communicate secretly with Bob. How can their communication protocol guarantee the security of the conversion? A. Shannon showed the first negative result and introduced the study of Cryptography. B. The focus of Modern Cryptography for which, however, we need strong computational assumptions that imply NP P.

11 Transitioning towards of Modern Cryptography Before After A scheme is secure if the enemy hasn t managed to break it A scheme is secure if no efficient algorithm can ever* be constructed that will break it with non-negligible prob. *Complexity theorists have strong reasons to believe that no such algorithms will ever be found, no matter how human ingenuity grows. These are the computational assumptions upon which Modern Cryptography is based.

12 Shannon s Impossibility Result[ 49] In an information secure Encryption Scheme the private-key must be longer than the total entropy of the plain texts to be sent using that key.! The shared secret must be longer than the message to be sent using that secret.

13 Theorem: Consider a scheme that is information theoretic secure, where the message space M is and the key space K. Then K M Proof. Information theoretic security means that for any distribution over M and any m M it holds that Pr[M=m C=c]=Pr[M=m]. Assume K < M and let every message appear with the uniform probability, Pr[M=m]=1/ M. Let M(c) M be the possible decryptions of ciphertext c. Clearly M(c) K (for each key k, we can get a new encryption of m). Hence M(c) K M, which means that m M(c) with Pr[M=m ] 0. Hence we found m s.t. Pr[M=m C=c]=0 Pr[M=m ], which contradicts the security condition.

14 Information Theoretic Security NO Encryption Scheme NO Public Key Cryptography NO Pseudorandom Generators NO for most Cryptographic Protocols

15 Modern Cryptography and Complexity P=NP P NP & A. No One-Way A. NO Crypto B. Secret Key Crypto C. Public Key Crypto Functions B. One-Way Functions & NO Public Key Crypto C. Public Key Crypto

16 =? Prof. Grouse Carl Friedrich Gauss (100+1)*50

17 I wish I knew a way to humiliate Carl in front of the whole class. if only I could find a Prof. Grouse problem I could solve and he couldn t no matter how hard he tried

18 Prof. Grouse in a Computational Complexity Class!

19 A 3SAT instance? hmmm. Prof. Grouse Carl Friedrich Gauss But is that good enough? Prof. Grouse can t solve 3SAT either

20 What Prof. Grouse is looking for is a One-Way Function easy x f(x) Prof. Grouse HARD Carl Friedrich Gauss

21 Impagliazzo s Possible Worlds [ 95] 1. P=NP 2. P NP in some cases* 3. P NP and OWF do NO exist 4. P NP and OWF exist, but NO PKC 5. P NP and PKC *There exist hard problems but generating such a problem is a hard problem itself. The complexity of a problem is a function of the time it took to sample an instance of this hard problem.

22 Impagliazzo s Possible Worlds [ 95] 1. P=NP Grouse has no chance against Gauss. For any problem that the class can verify its solution, Gauss can find the solution fast. 2.P NP in some cases Grouse is still disadvantaged. He has to work hard, maybe for years, to create a problem that can withstand Gauss solving abilities for more than a month. 3.P NP and OWF do not exist Grouse is hopeless. There are hard problems, which Gauss cannot solve, but Grouse cannot solve those either. 4. P NP and OWF exist, but no PKC Grouse finally succeeds. He can create a problem to which, he knows the solution, but Gauss cannot solve. 5. P NP and PKC Grouse s paradise! He can publicly communicate with his class so that in the end everyone knows the solution except from poor Gauss.

23 Impagliazzo s Possible Worlds [ 95] 1. P=NP 2. P NP in some cases* 3. P NP and OWF do NO exist 4. P NP and OWF exist, but NO PKC (MiniCrypt) 5. P NP and PKC (CryptoMania) *There exist hard problems but generating such a problem is a hard problem itself. The complexity of a problem is a function of the time it took to sample an instance of this hard problem.

24 One-Way Function x f(x) [Open Problem]: Prove that such a function exists unconditionally. Corollary: P NP Currently we can only conjecture that OWF exist, assuming that certain computational assumptions hold. Most computer scientist believe that OWF exist.

25 OWF Crypto (MiniCrypt) Assuming OWF exists we can construct a lot of cryptographic protocols. A. Secure Private-Key Encryption B. Pseudorandom Generators C. Digital Signatures D. Non-trivial Zero-Knowledge Proofs E. Many more However OWF Public Key Cryptography (CryptoMania). It has been shown that PKC cannot be proven by black-box access to a OWF. For that we need even stronger assumptions*. *This assumptions tend to be less well understood. However, one sufficient assumption is the existence of Trapdoor One-Way Functions. The RSA function is conjectured to be such a function. Another equivalent assumptions is a the existence of a Key-Exchange protocol.

26 OWF Crypto Conversely most cryptographic protocol require the existence of OWF functions. A. Secure Private-Key Encryption [IL 89] B. Pseudorandom Generators [L 87] C. Digital Signatures [R 90] D. Non-trivial Zero-Knowledge Proofs [OW 93] E. Various Basic Protocols [IL 89]

27 OWF give rise to Cryptography. OWF Crypto P NP

28 OWF give rise to more Complexity theoretic constructions with scope outside Cryptography. OWF Crypto Pseudo-randomness P NP Derandomization * *It is possible to achieve weaker notions of Pseudo-randomness, and hence Dereandomization without assuming the existence of OWF.

29 Pseudorandomness via OWF Before A string is random if it passes a certain statistical test, that is taken as the norm. After A string is pseudorandom if no efficient algorithm will ever* be able to distinguish it from a truly random string. *Complexity theorists have strong reasons to believe that no such algorithms will ever be found, no matter how human ingenuity grows. These are the computational assumptions upon which Modern Cryptography is based.

30 OWF give rise to more Complexity theoretic constructions with scope outside Cryptography. OWF Crypto Pseudo-randomness Probabilistic Proofs P NP Derandomization

31 So let s study One-Way Functions x f(x) i.see the definition of OWFs and at equivalent notions ii. Look at a candidate function that is believed to be one-way.

32 One-Way Functions A function f:{0,1} * {0,1} * is called one-way if - easy direction: there is an efficient algorithm which on input x outputs f(x). - hard direction: given f(x), where x is uniformly selected, it is infeasible to find with non-negligible probability, a preimage of f(x). That is, any feasible algorithm which tries to invert f may succeed only with negligible probability taken over the choices of x and the algorithm s internal randomness.

33 Hard Problem Generator Consider a language L NP (a language where membership can be efficiently verified). Then G is a Hard Problem Generator if it can efficiently find (a1,a2) L and at the same time f(a)={b : (a,b) L} is a OWF. This means that given the first component a1 it s easy to find the second a2 s.t. (a1,a2) L, but given the second component a2 it s hard to find the first a1 s.t. (a1,a2) L.

34 Pseudorandom Generator Let : N N be so that (n)>n n. A pseudorandom generator, with stretch function, is an efficient (deterministic) algorithm which on input a random n-bit seed outputs a (n)-bit sequence which is computationally indistinguishable from a uniformly chosen (n)-bit sequence. If Xn and Yn are two probability ensemble of equal length n, we say that X and Y are computationally indistinguishable if for every feasible algorithm A the difference Pr[A(Xn)=1] - Pr[A(Yn)=1] is negligible function in n.

35 Candidate One-Way Functions The following functions are believed to be one-way and are heavily used in modern cryptographic protocols: Discrete Logarithm: Let G=<g> be a cyclic group of size p. Then f(a)=g a is easily done in time O( p 3 ). However, as of today there is no known poly-time algorithm that can calculate f -1 =log(x) where x G. Factoring: Choose two large primes p & q of equal length and output N=pq which can be done efficiently. However, no known poly-time algorithm exists that can factor a given N. Rabin Function: If N=pq is as above, it is easy to calculate f(x)=x 2 mod N, but no known poly-time algorithm exists that can find a square root of y mod N.

36 LE FIN

### Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Non-Black-Box Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a

### Yale University Department of Computer Science

Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Michael S. Paterson Ewa Syta YALEU/DCS/TR-1466 October

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### SFWR ENG 4C03 - Computer Networks & Computer Security

KEY MANAGEMENT SFWR ENG 4C03 - Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Computational Complexity: A Modern Approach

i Computational Complexity: A Modern Approach Draft of a book: Dated January 2007 Comments welcome! Sanjeev Arora and Boaz Barak Princeton University complexitybook@gmail.com Not to be reproduced or distributed

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Digital Signatures. Good properties of hand-written signatures:

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Introduction to Cryptography

Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

### The Complexity of Online Memory Checking

The Complexity of Online Memory Checking Moni Naor Guy N. Rothblum Abstract We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted,

### 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008

MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing Yury Lifshits July 10, 2005 Abstract The goal of the paper is to construct mathematical abstractions of different aspects of real

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### 1 Domain Extension for MACs

CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Security usually depends on the secrecy of the key, not the secrecy of the algorithm (i.e., the open design model!)

1 A cryptosystem has (at least) five ingredients: 1. 2. 3. 4. 5. Plaintext Secret Key Ciphertext Encryption algorithm Decryption algorithm Security usually depends on the secrecy of the key, not the secrecy

### Kleptography: The unbearable lightness of being mistrustful

Kleptography: The unbearable lightness of being mistrustful MOTI YUNG Google Inc. / Columbia University Joint work with Adam Young Background: -The time is the Mid 90 s: Cryptography is the big Equalizer

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Cryptography and Network Security

Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### 2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Enhancing privacy with quantum networks

Enhancing privacy with quantum networks P. Mateus N. Paunković J. Rodrigues A. Souto SQIG- Instituto de Telecomunicações and DM - Instituto Superior Técnico - Universidade de Lisboa Abstract Using quantum

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Provably Secure Cryptography: State of the Art and Industrial Applications

Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services French-Japanese Joint Symposium on Computer Security Outline

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Asymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin

Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetric-key crypto Intuition for El Gamal and RSA And intuition for attacks Digital

### a Course in Cryptography

a Course in Cryptography rafael pass abhi shelat c 2010 Pass/shelat All rights reserved Printed online 11 11 11 11 11 15 14 13 12 11 10 9 First edition: June 2007 Second edition: September 2008 Third edition:

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### 1 Pseudorandom Permutations

Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Cryptography and Network Security

Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 7: Public-key cryptography and RSA Ion Petre Department of IT, Åbo Akademi University 1 Some unanswered questions

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### Asymmetric cryptography in the random oracle model. Gregory Neven IBM Zurich Research Laboratory

Asymmetric cryptography in the random oracle model Gregory Neven IBM Zurich Research Laboratory Overview Provable security: the concept Digital signatures and the Random Oracle Model Public-key encryption

### Outline. Cryptography. Bret Benesh. Math 331

Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

### MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins

MA2C03 Mathematics School of Mathematics, Trinity College Hilary Term 2016 Lecture 59 (April 1, 2016) David R. Wilkins The RSA encryption scheme works as follows. In order to establish the necessary public

### Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public

### Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

### Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

### On-Line/Off-Line Digital Signatures

J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research On-Line/Off-Line Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,

### Prime Numbers The generation of prime numbers is needed for many public key algorithms:

CA547: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Number Theory 2 7.1 Prime Numbers Prime Numbers The generation of prime numbers is needed for many public key algorithms: RSA: Need to find p and q to compute

### Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Digital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?

Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetric-key cryptography. Distinguish

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Chapter 9 Public Key Cryptography and RSA

Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key Private-Key Cryptography traditional private/secret/single

### Prime numbers for Cryptography

Prime numbers for Cryptography What this is going to cover Primes, products of primes and factorisation How to win a million dollars Generating small primes quickly How many primes are there and how many

### Lecture Notes on Cryptography

Lecture Notes on Cryptography Shafi Goldwasser 1 Mihir Bellare 2 July 2008 1 MIT Computer Science and Artificial Intelligence Laboratory, The Stata Center, Building 32, 32 Vassar Street, Cambridge, MA

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Applied Cryptography Public Key Algorithms

Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### Asymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University

Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem

### Public-Key Cryptography. Oregon State University

Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

### CSA E0 235: Cryptography (29/03/2015) (Extra) Lecture 3

CSA E0 235: Cryptography (29/03/2015) Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Mayank Tiwari Review From our discussion of perfect secrecy, we know that the notion of perfect secrecy has

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### Secure Computation Without Authentication

Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com

### Public-Key Encryption (Asymmetric Encryption)

Public-Key Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 The story so far (Private-Key Crypto) Alice establish secure

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### Lecture 11: The Goldreich-Levin Theorem

COM S 687 Introduction to Cryptography September 28, 2006 Lecture 11: The Goldreich-Levin Theorem Instructor: Rafael Pass Scribe: Krishnaprasad Vikram Hard-Core Bits Definition: A predicate b : {0, 1}

### Proofs in Cryptography

Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

### PUBLIC KEY ENCRYPTION

PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical

### Contents. Foundations of cryptography

Contents Foundations of cryptography Security goals and cryptographic techniques Models for evaluating security A sketch of probability theory and Shannon's theorem Birthday problems Entropy considerations

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetric-key