# Ronald L. Rivest, Adi Shamir, and DavidA.Wagner. Rehovot, Israel. U.C. Berkeley

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Time-lock puzzles and timed-release Crypto Ronald L. Rivest, Adi Shamir, and DavidA.Wagner Revised March 10, 1996 MIT Laboratory for Computer Science 545 Technology Square, Cambridge, Mass Weizmann Institute of Science Applied Mathematics Department Rehovot, Israel Computer Science Department U.C. Berkeley Berkeley, California Introduction Our motivation is the notion of \timed-release crypto," where the goal is to encrypt a message so that it can not be decrypted by anyone, not even the sender, until a pre-determined amount of time has passed. The goal is to \send information into the future." This problem was rst discussed by Timothy May[6]. What are the applications of \timed-release crypto"? Here are a few possibilities (some due to May): A bidder in an auction wants to seal his bid so that it can only be opened after the bidding period is closed. A homeowner wants to give his mortgage holder a series of encrypted mortgage payments. These might be encrypted digital cash with dierent decryption dates, so that one payment becomes decryptable (and thus usable by the bank) at the beginning of each successive month. An individual wants to encrypt his diaries so that they are only decryptable after fty years.

2 A key-escrow scheme can be based on timed-release crypto, so that the government can get the message keys, but only after a xed period (say one year). There are presumably many other applications. There are two natural approaches to implementing timed-release crypto: Use \time-lock puzzles"{computational problems that can not be solved without running a computer continuously for at least a certain amount oftime. Use trusted agents who promise not to reveal certain information until a specied date. Using trusted agents has the obvious problem of ensuring that the agents are trustworthy secret-sharing approaches can be used to alleviate this concern. Using time-lock puzzles has the problem that the CPU time required to solve a problem can depend on the amount and nature of the hardware used to solve the problem, as well as the parallelizabilityofthe computational problem being solved. In this note we explore both approaches. (We note that Tim May has suggested an approach based on the use of trusted agents.) 2 Time-lock puzzles We rst explore an approach based on computational complexity: we study the problem of creating computational puzzles, called \time-lock puzzles," that require a precise amount of time to solve. The solution to the puzzle reveals a key that can be used to decrypt the encrypted information. This approach has the obvious problem of trying to make \CPU time" and \real time" agree as closely as possible, but is nonetheless interesting. The major dicultytobeovercome, as noted above, is that those with more computational resources might beabletosolve the time-lock puzzle more quickly, by using large parallel computers, for example. Our goal is thus to design time-lock puzzles that, to the greatest extent possible, are \instrinsically sequential" in nature, and can not be solved substantially faster with large investments in hardware. In particular, we want our puzzles to have the property that putting computers to work together in parallel doesn't speed up nding the solution. (Solving the puzzle should be likehaving a baby: two women can't have ababy in 4.5 months.) We propose an approach to building puzzles that appears to be intrisically sequential in the desired manner. Of course, our approach yields puzzles with a solution time that is only approximately controllable, since dierent computers work at dierent speeds. For example, the underlying technology may be dierent: gallium arsenide gates are faster than silicon gates. If precise timing of the information release is essential, an approach based on the use of trusted agents is preferable. We also note that with our approach, the puzzle doesn't automatically become solvable at a given time rather, a computer needs work continuously on the puzzle until it is solved. A ten-year puzzle needs some dedicated workstation working away for ten years to solve it. If the computing doesn't start until ve years after the puzzle was made, then the 2

3 solution won't be found until ten years after that (perhaps a bit less if technology has improved in the meantime). Our approach therefore requires much more in the way of computational resources than an approach based on trusted agents, and thus maybebest suited for relatively simple puzzles (with time-to-solution under a month, say). Nonetheless, we feel that our approach has sucient utility to merit this exposition. An unworkable approach We begin by presenting an approach that doesn't work well. Let M denote the information to be encrypted for a period of time. Let S denote the speed of a workstation measured in decryptions per second. Then to encrypt M to be decryptable after T seconds, we choose a conventional cryptosystem (say RC5 [9]) with a key size of approximately k = lg(2st) bits and encrypt M with a k-bit key. Wesave the ciphertext and throw away thekey. By using exhaustive search of the key space, a workstation will take about T seconds, on the average, to nd the key. We note that Merkle [7] was the rst to suggest this method of designing puzzles, and was also the rst to introduce the notion of a \puzzle," in research that ultimately led to the invention of the concept of public-key cryptography. There are two problems with this way of building a time-lock puzzle by encrypting M with a conventional cipher: A brute-force key-search is trivially parallelizable, so that N computers make the computation run N times faster. The computation time estimate of T seconds is only an expected running time the actual running time could be signicantly larger or smaller, depending on the order in which the keys are examined. These problems are xed in the proposal given next. 2.1 Creating a time-lock puzzle We now show a method for creating time-lock puzzles based on repeated squaring. Our approach can also be viewed as an application of the \random-access" property ofthe Blum-Blum-Shub \x 2 mod n" pseudo-random number generator [3]. (We actually propose ascheme that is a variation on the x 2 mod n generator, but the dierences are nonessential, and the original scheme could have been used as well here.) An early version of our paper suggested a dierent approach based on superencryption in RSA [10, 12, 8, 13, 2] the current approach is considerably simpler. Here is our approach. Suppose Alice has a message M that she wants to encrypt with a time-lock puzzle for a period of T seconds. She generates a composite modulus n = pq (1) as the product of two large randomly-chosen secret primes p and q. She also computes (n) =(p ; 1)(q ; 1) : (2) 3

4 She computes t = TS (3) where S is the number of squarings modulo n per second that can be performed by the solver. She generates a random key K for a conventional cryptosystem, such as RC5. This key is long enough (say 160 bits or more) that searching for it is infeasible, even with the advances in computing power expected during the lifetime of the puzzle. She encrypts M with key K and encryption algorithm RC5, to obtain the ciphertext C M = RC5(K M) : (4) She picks a random a modulo n (with 1 <a<n), and encrypts K as To do this eciently, she rst computes C K = K + a 2t (mod n) : (5) e =2 t (mod (n)) (6) and then computes b = a e (mod n) : (7) She produces as output the time-lock puzzle(n a t C K C M ), and erases any other variables (such as p, q) created during this computation. (We add as a technical footnote here the remark that p, q, and a can be chosen carefully, so that 2 is guaranteed to have a large order modulo (n), and so that a is guaranteed to have a large order modulo n. See Blum, Blum, and Shub [3] for some relevant discussion. However, choosing p, q, and a randomly should give the desired level of diculty with overwhelming probability, so that these precautions are not expected to be necessary in practice. Indeed, in practice choosing a xed value a = 2 should be safe with high probability. Since there are other risks in the whole approach (e.g. an adversary could just guess K), aiming for perfection in the number-theory is probably overkill.) 2.2 Solving the puzzle By design, searching for the RC5 key K directly is infeasible, so the fastest known approach to solving the puzzle is to determine b = a 2t (mod n) (8) somehow. Knowing (n) enables 2 t to be reduced eciently to e, modulo (n), so that b can be computed eciently by equation (7). However, computing (n) from n is provably as hard as factoring n, so that once Alice publishes the puzzle and throws away the key (throws 4

7 the encryption of share y j of K with the secret s ij t of agent i j that will be revealed at time t. This request should be encrypted with the public key of the agent, and the reply should be encrypted and signed as described earlier. The agents in this scheme are extremely simple: they only need to produce an unpredictable sequence of secrets satisfying equation (9)), to decrypt a message of the form (y t (e n)) encrypted with the public key of the agent, to encrypt values y under the secret s it to be revealed by the agent at time t, to return the resulting ciphertext, signed by the agent and then encrypted with the public key (e n) of the requestor, and to publish a signed version of s it at time t. Since such a simple agent could be built into a small tamper-proof device quite easily, one can produce implementations of such agents that are highly secure. The fact that the scheme is based on secret-sharing with a threshold gives robustness, both against the possible corruption of one or more agents (who might sell future values of their secrets) or the death or disappearance of one or more agents. As long as agents are still around at time t, the message M will be reconstructable at time t (and at any later time). As long as fewer than agents have been corrupted, the message M will not be revealed before time t. This scheme is not \veriable" in the sense that an observer who sees the published material of equation (10) can not verify that it is the proper encryption of anything particular. Only when the secrets of time t are published can he decrypt the shares r j to obtain the corresponding y j values that allow him to reconstruct K, andthus obtain M. Standard \veriable" secret-sharing techniques aren't particularly applicable here, since the message M could be junk, even if K was veriably shared. (We note that in principle, it is possible, albeit dicult, to prove certain properties of M to a verier without having to reveal K or M.) Because the agent includes the current time t 0 in his signed reply to an encryption request, he acts as a simple \time-stamping" service (e.g. [5]). A user can give the agent the cryptographic hash value h(m) of some message M, and ask the agent to sign and encrypt it with s it for some value of t. The signed hash value becomes decryptable at time t, thus proving (assuming that the agent is trustworthy) that the document M existed at time t 0. Normally one might have t = t 0, but a user might choose t>t 0 in some cases. For example, in an auction it may be required that the bids be submitted before some time t 0, and that they be opened at time t 00. The user would submit (the encryption key K for) his bid at time t 0 <t 0, and ask for it to be encrypted with s it where t = t An o-line version The previous protocol can be converted to an oine protocol, as follows. Each trusted agent constructs a public/private keypair E i t D i t for each future time t. The public key 7

8 E i t is published immediately, and the private key D i t is published at time t. (Of course, a trusted agent always digitally signs the published E's and D's under his master public key, to eliminate would-be imposters.) The E's and D's directly replace the s's: now the user can perform the encryption of the y's himself, without needing to invoke the trusted agent. The trusted agent can now be entirely oine, except for the periodic publication of the D's. On the other hand, in this oine formulation, it seems hard to encode any structure into the agent's keys, so it seems to require more storage to store the list of public keys for the future and the private keys revealed for the past. At 200bytes per key, storing one key for each day of the next fty years requires about 3.6 megabytes. Another disadvantage of this o-line approach is that the agents are no longer usable or available as \time-stamping" agents. 4 Conclusions We have suggested a way to create \time-lock puzzles," which require (approximately) a certain amount of time (real time, not total CPU time) to solve. We have also discussed a way to use trusted agents to eciently enable timed-release crypto. References [1] Mihir Bellare and Sha Goldwasser. Veriable partial key escrow. Technical Report CS95-447, Dept. of Computer Science and Engineering, U.C. San Diego, October [2] Shimshon Berkovits. Factoring via superencryption. Cryptologia, 6(3):229{237, July [3] L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo-random number generator. SIAM J. Computing, 15(2):364{383, May [4] Sha Goldwasser, Personal communication. [5] S. Haber and W.S. Stornetta. How to time-stamp a digital document. Journal of Cryptology, 3:99{111, [6] Timothy C. May. Timed-release crypto, February [7] R. C. Merkle. Secure communications over insecure channels. Communications of the ACM, 21:294{299, April [8] Ronald L. Rivest. Remarks on a proposed cryptanalytic attack of the M.I.T. public-key cryptosystem. Cryptologia, 2(1):62{65, January

9 [9] Ronald L. Rivest. The RC5 encryption algorithm. In Bart Preneel, editor, Fast Software Encryption, pages 86{96. Springer, (Proceedings Second International Workshop, Dec. 1994, Leuven, Belgium). [10] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120{126, [11] A. Shamir. How to share a secret. Communications of the ACM, 22:612{613, November [12] Gustavus J. Simmons and Michael J. Norris. Preliminary comments on the MIT publickey cryptosystem. Cryptologia, 1(4):406{414, October [13] H. C. Williams and B. Schmid. Some remarks concerning the MIT public-key cryptosystem. BIT, 19:525{538,

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### The science of encryption: prime numbers and mod n arithmetic

The science of encryption: prime numbers and mod n arithmetic Go check your e-mail. You ll notice that the webpage address starts with https://. The s at the end stands for secure meaning that a process

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### CRYPTOGRAPHY IN NETWORK SECURITY

ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

### 7! Cryptographic Techniques! A Brief Introduction

7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures

### Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

### 1 Signatures vs. MACs

CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### PRIME NUMBERS & SECRET MESSAGES

PRIME NUMBERS & SECRET MESSAGES I. RSA CODEBREAKER GAME This is a game with two players or teams. The players take turns selecting either prime or composite numbers as outlined on the board below. The

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### Lecture 6 - Cryptography

Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

### Notes on Network Security Prof. Hemant K. Soni

Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

### Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

### Introduction to Cryptography

Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

### Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

### Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

### PUBLIC KEY ENCRYPTION

PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical

### Cryptography and Network Security

Cryptography and Network Security Fifth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared

### Cryptography. some history. modern secret key cryptography. public key cryptography. cryptography in practice

Cryptography some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) modern secret key cryptography DES, AES public key cryptography RSA, digital signatures cryptography in practice

### Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

### Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### RSA Cryptosystem. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong. RSA Cryptosystem

Yufei Tao Department of Computer Science and Engineering Chinese University of Hong Kong In this lecture, we will discuss the RSA cryptosystem, which is widely adopted as a way to encrypt a message, or

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Public-Key Cryptography. Oregon State University

Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### A SOFTWARE COMPARISON OF RSA AND ECC

International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138

### Applied Cryptography Public Key Algorithms

Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### Network Security. HIT Shimrit Tzur-David

Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Today ENCRYPTION. Cryptography example. Basic principles of cryptography

Today ENCRYPTION The last class described a number of problems in ensuring your security and privacy when using a computer on-line. This lecture discusses one of the main technological solutions. The use

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

### Lecture 2: Complexity Theory Review and Interactive Proofs

600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography

### Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public

### Remotely Keyed Encryption Using Non-Encrypting Smart Cards

THE ADVANCED COMPUTING SYSTEMS ASSOCIATION The following paper was originally published in the USENIX Workshop on Smartcard Technology Chicago, Illinois, USA, May 10 11, 1999 Remotely Keyed Encryption

### Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

### An Introduction to RSA Public-Key Cryptography

An Introduction to RSA Public-Key Cryptography David Boyhan August 5, 2008 According to the U.S. Census Bureau, in the 1st quarter of 2008, approximately \$33 billion worth of retail sales were conducted

### Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

### 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

### Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography

### Chapter 9 Public Key Cryptography and RSA

Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key Private-Key Cryptography traditional private/secret/single

### Mathematical Model Based Total Security System with Qualitative and Quantitative Data of Human

Int Jr of Mathematics Sciences & Applications Vol3, No1, January-June 2013 Copyright Mind Reader Publications ISSN No: 2230-9888 wwwjournalshubcom Mathematical Model Based Total Security System with Qualitative

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetric-key cryptography. Distinguish

### A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes Y. Desmedt Aangesteld Navorser NFWO Katholieke Universiteit Leuven Laboratorium ESAT B-3030 Heverlee, Belgium A. M. Odlyzko

### Digital Signatures. Good properties of hand-written signatures:

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### The Misuse of RC4 in Microsoft Word and Excel

The Misuse of RC4 in Microsoft Word and Excel Hongjun Wu Institute for Infocomm Research, Singapore hongjun@i2r.a-star.edu.sg Abstract. In this report, we point out a serious security flaw in Microsoft

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetric-key

### Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

The : Keeping Eve The Eavesdropper Away From Your Credit Card Information Department of Mathematics North Dakota State University 16 September 2010 Science Cafe Introduction Disclaimer: is not an internet

### CRYPTOGRAPHIC ALGORITHMS (AES, RSA)

CALIFORNIA STATE POLYTECHNIC UNIVERSITY, POMONA CRYPTOGRAPHIC ALGORITHMS (AES, RSA) A PAPER SUBMITTED TO PROFESSOR GILBERT S. YOUNG IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE COURSE CS530 : ADVANCED

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING

ANALYSIS OF RSA ALGORITHM USING GPU PROGRAMMING Sonam Mahajan 1 and Maninder Singh 2 1 Department of Computer Science Engineering, Thapar University, Patiala, India 2 Department of Computer Science Engineering,

### Applied Cryptology. Ed Crowley

Applied Cryptology Ed Crowley 1 Basics Topics Basic Services and Operations Symmetric Cryptography Encryption and Symmetric Algorithms Asymmetric Cryptography Authentication, Nonrepudiation, and Asymmetric

### Symmetric Key cryptosystem

SFWR C03: Computer Networks and Computer Security Mar 8-11 200 Lecturer: Kartik Krishnan Lectures 22-2 Symmetric Key cryptosystem Symmetric encryption, also referred to as conventional encryption or single

### Software Tool for Implementing RSA Algorithm

Software Tool for Implementing RSA Algorithm Adriana Borodzhieva, Plamen Manoilov Rousse University Angel Kanchev, Rousse, Bulgaria Abstract: RSA is one of the most-common used algorithms for public-key

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### The mathematics of cryptology

The mathematics of cryptology Paul E. Gunnells Department of Mathematics and Statistics University of Massachusetts, Amherst Amherst, MA 01003 www.math.umass.edu/ gunnells April 27, 2004 What is Cryptology?

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Chapter 7: Network security

Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

### Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:

### Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

### LUC: A New Public Key System

LUC: A New Public Key System Peter J. Smith a and Michael J. J. Lennon b a LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand. b Department of

### Cryptography & Digital Signatures

Cryptography & Digital Signatures CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration Prof. Sloan s Slides, 2007, 2008 Robert H.

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

Group Blind Digital Signatures: Theory and Applications by Zulækar Amin Ramzan Submitted to the Department of Electrical Engineering and Computer Science in partial fulællment of the requirements for the

### FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION

FAREY FRACTION BASED VECTOR PROCESSING FOR SECURE DATA TRANSMISSION INTRODUCTION GANESH ESWAR KUMAR. P Dr. M.G.R University, Maduravoyal, Chennai. Email: geswarkumar@gmail.com Every day, millions of people

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Outline. Digital signature. Symmetric-key Cryptography. Caesar cipher. Cryptography basics Digital signature

Outline Digital signature Cryptography basics Digital signature Dr. László Daragó, Ph.D. Associate professor Cryptography Cryptography encryption decryption Symmetric-key Cryptography Encryption with a

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### A Novel Approach to combine Public-key encryption with Symmetric-key encryption

Volume 1, No. 4, June 2012 ISSN 2278-1080 The International Journal of Computer Science & Applications (TIJCSA) RESEARCH PAPER Available Online at http://www.journalofcomputerscience.com/ A Novel Approach

### Authentication, digital signatures, PRNG

Multimedia Security Authentication, digital signatures, PRNG Mauro Barni University of Siena Beyond confidentiality Up to now, we have been concerned with protecting message content (i.e. confidentiality)

### The RSA Algorithm. Evgeny Milanov. 3 June 2009

The RSA Algorithm Evgeny Milanov 3 June 2009 In 1978, Ron Rivest, Adi Shamir, and Leonard Adleman introduced a cryptographic algorithm, which was essentially to replace the less secure National Bureau

### Lecture 9: Application of Cryptography

Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

### CS Computer and Network Security: Applied Cryptography

CS 5410 - Computer and Network Security: Applied Cryptography Professor Patrick Traynor Spring 2016 Reminders Project Ideas are due on Tuesday. Where are we with these? Assignment #2 is posted. Let s get

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

To appear in Proceedings of the Fourth Annual Conference on Computer and Communications Security, ACM, 1997. Earlier version was Technical Report CS95-447, Department of Computer Science and Engineering,

### Chapter 12. Digital signatures. 12.1 Digital signature schemes

Chapter 12 Digital signatures In the public key setting, the primitive used to provide data integrity is a digital signature scheme. In this chapter we look at security notions and constructions for this

### HASH CODE BASED SECURITY IN CLOUD COMPUTING

ABSTRACT HASH CODE BASED SECURITY IN CLOUD COMPUTING Kaleem Ur Rehman M.Tech student (CSE), College of Engineering, TMU Moradabad (India) The Hash functions describe as a phenomenon of information security

### ΕΠΛ 674: Εργαστήριο 3

ΕΠΛ 674: Εργαστήριο 3 Ο αλγόριθμος ασύμμετρης κρυπτογράφησης RSA Παύλος Αντωνίου Department of Computer Science Private-Key Cryptography traditional private/secret/single key cryptography uses one key

### SFWR ENG 4C03 - Computer Networks & Computer Security

KEY MANAGEMENT SFWR ENG 4C03 - Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### The Elements of Cryptography

The Elements of Cryptography (March 30, 2016) Abdou Illia Spring 2016 Learning Objectives Discuss Cryptography Terminology Discuss Symmetric Key Encryption Discuss Asymmetric Key Encryption Distinguish

Timing Attacks on Implementations of Die-Hellman, RSA, DSS, and Other Systems Paul C. Kocher Cryptography Research, Inc. 607 Market Street, 5th Floor, San Francisco, CA 94105, USA. E-mail: paul@cryptography.com.