Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography

Practical Aspects of Modern CryptographyJosh BenalohBrian LaMacchiaWinter 20111January 6, 2011Practical Aspects of Modern CryptographyCryptography is ...Protecting Privacy of DataAuthentication of IdentitiesPreservation of Integrity

basically any protocols designed to operate in an environment absent of universal trust.2January 6, 2011Practical Aspects of Modern CryptographyCharacters3January 6, 2011Practical Aspects of Modern CryptographyCharacters

Alice4January 6, 2011Practical Aspects of Modern CryptographyCharacters

Bob5January 6, 2011Practical Aspects of Modern CryptographyBasic Communication

Alice talking to Bob6January 6, 2011Practical Aspects of Modern CryptographyAnother Character

Eve7January 6, 2011Practical Aspects of Modern CryptographyBasic Communication Problem

Eve listening to Alice talking to Bob8January 6, 2011Practical Aspects of Modern CryptographyTwo-Party Environments

Alice Bob9January 6, 2011Practical Aspects of Modern CryptographyRemote Coin FlippingAlice and Bob decide to make a decision by flipping a coin.

Alice and Bob are not in the same place.10January 6, 2011Practical Aspects of Modern CryptographyGround RuleProtocol must be asynchronous.

We cannot assume simultaneous actions.

Players must take turns.

11January 6, 2011Practical Aspects of Modern CryptographyIs Remote Coin Flipping Possible?12January 6, 2011Practical Aspects of Modern CryptographyIs Remote Coin Flipping Possible?Two-part answer:

13January 6, 2011Practical Aspects of Modern CryptographyIs Remote Coin Flipping Possible?Two-part answer:

NO I will sketch a formal proof.14January 6, 2011Practical Aspects of Modern CryptographyIs Remote Coin Flipping Possible?Two-part answer:

NO I will sketch a formal proof.

YES I will provide an effective protocol.15January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:16January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BBABAABBABBBBABABBAAB17January 6, 2011Practical Aspects of Modern CryptographyPruning the Tree

ABABABBA18January 6, 2011Practical Aspects of Modern CryptographyPruning the Tree

ABABA:B:19January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BBABAABBABBBBABABBAAB20January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BBABAABBBBABABBAAB21January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BBABAABBBBABABBB22January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABAABBBBABABBB23January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABAABBABABBB24January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABAABABABBB25January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABAABABAB26January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BAABABAB27January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABABAB28January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABBAB29January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow Tree

A:B:A:B:BABB30January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow TreeA:B:A:B:A31January 6, 2011Practical Aspects of Modern CryptographyA Protocol Flow TreeA32January 6, 2011Practical Aspects of Modern CryptographyCompleting the PruningWhen the pruning is complete one will end up with either

33January 6, 2011Practical Aspects of Modern CryptographyCompleting the PruningWhen the pruning is complete one will end up with either

a winner before the protocol has begun, or

34January 6, 2011Practical Aspects of Modern CryptographyCompleting the PruningWhen the pruning is complete one will end up with either

a winner before the protocol has begun, or

a useless infinite game.

35January 6, 2011Practical Aspects of Modern CryptographyConclusion of Part IRemote coin flipping is utterly impossible!!!36January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a Coin37January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

38January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 39January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 1 5 9 13 17 40January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 41January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 42January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 Even43January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 4n + 1:4n - 1:44January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinThe INTEGERS

0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 Type +1:Type -1:45January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinFact 1

Multiplying two (odd) integers of the same type always yields a product of Type +1.

(4p+1)(4q+1) = 16pq+4p+4q+1 = 4(4pq+p+q)+1

(4p1)(4q1) = 16pq4p4q+1 = 4(4pqpq)+146January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinFact 2

There is no known method (other than factoring) to distinguish a product of two Type +1 integers from a product of two Type 1 integers.47January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinFact 3

Factoring large integers is believed to be much harder than multiplying large integers.48January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a Coin49January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinAliceBob

50January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinAliceRandomly select a bit b{1} and two large integers P and Q both of type b.Bob

51January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinAliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Bob

52January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinAliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob.Bob

53January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a Coin

Alice BobN54January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinAliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob.Bob

55January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.AliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob.56January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a Coin

Alice Bobb57January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.AliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob.58January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.Bob wins if and onlyif he correctly guessesthe value of b.AliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob.59January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.Bob wins if and onlyif he correctly guessesthe value of b.AliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob. After receiving b from Bob, reveal P and Q.

60January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a Coin

Alice BobP,Q61January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.Bob wins if and onlyif he correctly guessesthe value of b.AliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob. After receiving b from Bob, reveal P and Q.

62January 6, 2011Practical Aspects of Modern CryptographyLets PlayThe INTEGERS

0 4 8 12 16 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 Type +1:Type -1:63January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.Bob wins if and onlyif he correctly guessesthe value of b.AliceRandomly select a bit b{1} and two large integers P and Q both of type b.Compute N = PQ.Send N to Bob. After receiving b from Bob, reveal P and Q.

64January 6, 2011Practical Aspects of Modern CryptographyHow to Remotely Flip a CoinBobAfter receiving N from Alice, guess the value of b and send this guess to Alice.Bob wins if and onlyif he correctly guessesthe value of b.AliceRandomly select a bit b{1} and two large primes P and Q both of type b.Compute N = PQ.Send N to Bob. After receiving b from Bob, reveal P and Q.

65January 6, 2011Practical Aspects of Modern CryptographyChecking Primality Basic result from group theory If p is a prime, then for integers a such that 0 < a < p, then a p - 1 mod p = 1.This is almost never true when p is composite.66January 6, 2011Practical Aspects of Modern CryptographyHow are the Answers Reconciled?67January 6, 2011Practical Aspects of Modern CryptographyThe impossibility proof assumed unlimited computational ability.How are the Answers Reconciled?68January 6, 2011Practical Aspects of Modern CryptographyThe impossibility proof assumed unlimited computational ability.

The protocol is not 50/50 Bob has a small advantage.How are the Answers Reconciled?69January 6, 2011Practical Aspects of Modern CryptographyApplications of Remote FlippingRemote Card Playing

Internet Gambling

Various Fair Agreement Protocols70January 6, 2011Practical Aspects of Modern CryptographyBit CommitmentWe have implemented remote coin flipping via bit commitment.

Commitment protocols can also be used forSealed biddingUndisclosed contractsAuthenticated predictions

7171January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsWe have implemented bit commitment via one-way functions.

One-way functions can be used forAuthenticationData integrityStrong randomness

72January 6, 2011Practical Aspects of Modern CryptographyOne-Way Functions73January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsTwo basic classes of one-way functions74January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsTwo basic classes of one-way functions

Mathematical75January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsTwo basic classes of one-way functions

MathematicalMultiplication: Z=XY76January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsTwo basic classes of one-way functions

MathematicalMultiplication: Z=XYModular Exponentiation: Z = YX mod N77January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsTwo basic classes of one-way functions

MathematicalMultiplication: Z=XYModular Exponentiation: Z = YX mod NUgly78January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod N79January 6, 2011Practical Aspects of Modern CryptographyModular Arithmetic80Modular ArithmeticZ mod N is the integer remainder when Z is divided by N.January 6, 2011Practical Aspects of Modern Cryptography81Modular ArithmeticZ mod N is the integer remainder when Z is divided by N.The Division TheoremFor all integers Z and N>0, there exist unique integers Q and R such that Z = QN + R and 0 R N.January 6, 2011Practical Aspects of Modern Cryptography82Modular ArithmeticZ mod N is the integer remainder when Z is divided by N.The Division TheoremFor all integers Z and N>0, there exist unique integers Q and R such that Z = QN + R and 0 R N.By definition, this unique R = Z mod N.January 6, 2011Practical Aspects of Modern Cryptography83January 6, 2011Practical Aspects of Modern CryptographyModular ArithmeticTo compute (A+B) mod N,compute (A+B) and take the result mod N.84January 6, 2011Practical Aspects of Modern CryptographyModular ArithmeticTo compute (A+B) mod N,compute (A+B) and take the result mod N.To compute (A-B) mod N,compute (A-B) and take the result mod N.85January 6, 2011Practical Aspects of Modern CryptographyModular ArithmeticTo compute (A+B) mod N,compute (A+B) and take the result mod N.To compute (A-B) mod N,compute (A-B) and take the result mod N.To compute (AB) mod N,compute (AB) and take the result mod N.86January 6, 2011Practical Aspects of Modern CryptographyModular ArithmeticTo compute (A+B) mod N,compute (A+B) and take the result mod N.To compute (A-B) mod N,compute (A-B) and take the result mod N.To compute (AB) mod N,compute (AB) and take the result mod N.To compute (AB) mod N, 87January 6, 2011Practical Aspects of Modern CryptographyModular Division88January 6, 2011Practical Aspects of Modern CryptographyModular DivisionWhat is the value of (12) mod 7? We need a solution to 2x mod 7 = 1.89January 6, 2011Practical Aspects of Modern CryptographyModular DivisionWhat is the value of (12) mod 7? We need a solution to 2x mod 7 = 1.Try x = 4.

90January 6, 2011Practical Aspects of Modern CryptographyModular DivisionWhat is the value of (12) mod 7? We need a solution to 2x mod 7 = 1.Try x = 4.

What is the value of (75) mod 11? We need a solution to 5x mod 11 = 7.91January 6, 2011Practical Aspects of Modern CryptographyModular DivisionWhat is the value of (12) mod 7? We need a solution to 2x mod 7 = 1.Try x = 4.

What is the value of (75) mod 11? We need a solution to 5x mod 11 = 7.Try x = 8.92January 6, 2011Practical Aspects of Modern CryptographyModular Division93January 6, 2011Practical Aspects of Modern CryptographyModular DivisionIs modular division always well-defined?94January 6, 2011Practical Aspects of Modern CryptographyModular DivisionIs modular division always well-defined?(13) mod 6 = ?95January 6, 2011Practical Aspects of Modern CryptographyModular DivisionIs modular division always well-defined?(13) mod 6 = ?3x mod 6 = 1 has no solution!96January 6, 2011Practical Aspects of Modern CryptographyModular DivisionIs modular division always well-defined?(13) mod 6 = ?3x mod 6 = 1 has no solution!

Fact(AB) mod N always has a solution when gcd(B,N) = 1.97January 6, 2011Practical Aspects of Modern CryptographyModular DivisionFact 1(AB) mod N always has a solution when gcd(B,N) = 1.98January 6, 2011Practical Aspects of Modern CryptographyModular DivisionFact 1(AB) mod N always has a solution when gcd(B,N) = 1.

Fact 2(AB) mod N never has a solution when gcd(A,B) = 1 and gcd(B,N) 1.99January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisors100January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B) 101January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B) since any common factor of A and B is also a factor of A B andsince any common factor of B and A Bis also a factor of A.102January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B)

gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(3,6) = gcd(6,3) = gcd(3,3) = gcd(3,0) = 3103January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B)

104January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B)gcd(A , B) = gcd(B , A kB) for any integer k.

105January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B)gcd(A , B) = gcd(B , A kB) for any integer k.gcd(A , B) = gcd(B , A mod B)106January 6, 2011Practical Aspects of Modern CryptographyGreatest Common Divisorsgcd(A , B) = gcd(B , A B)gcd(A , B) = gcd(B , A kB) for any integer k.gcd(A , B) = gcd(B , A mod B)

gcd(21,12) = gcd(12,9) = gcd(9,3) = gcd(3,0) = 3107January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean AlgorithmGiven integers A and B, find integers X and Y such that AX + BY = gcd(A,B).

108January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean AlgorithmGiven integers A and B, find integers X and Y such that AX + BY = gcd(A,B).

When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such thatAX + BY = gcd(A,B) = 1.

109January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean AlgorithmGiven integers A and B, find integers X and Y such that AX + BY = gcd(A,B).

When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such thatAX + BY = gcd(A,B) = 1.

Compute (CA) mod B as C(1A) mod B.110January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm gcd(35, 8) = gcd(8, 35 mod 8) = gcd(8, 3) = gcd(3, 8 mod 3) = gcd(3, 2) = gcd(2, 3 mod 2) = gcd(2, 1) = gcd(1, 2 mod 1) = gcd(1, 0) = 1

111January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm 35 = 8 4 + 3


8 = 3 2 + 2


8 = 3 2 + 2

3 = 2 1 + 1


8 = 3 2 + 2

3 = 2 1 + 1

2 = 1 2 + 0115January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm 35 = 8 4 + 3 3 = 35 8 4

8 = 3 2 + 2 2 = 8 3 2

3 = 2 1 + 1 1 = 3 2 1

2 = 1 2 + 0116January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm3 = 35 8 4

2 = 8 3 2

1 = 3 2 1

117January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm3 = 35 8 4

2 = 8 3 2

1 = 3 2 1 = (35 8 4) (8 3 2) 1118January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm3 = 35 8 4

2 = 8 3 2

1 = 3 2 1 = (35 8 4) (8 3 2) 1 = (35 8 4) (8 (35 8 4) 2) 1119January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm3 = 35 8 4

2 = 8 3 2

1 = 3 2 1 = (35 8 4) (8 3 2) 1 = (35 8 4) (8 (35 8 4) 2) 1 = 35 3 8 13120January 6, 2011Practical Aspects of Modern CryptographyExtended Euclidean Algorithm121January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod N122January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod NWhen Z is unknown, it can be efficiently computed.123January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod NWhen X is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.

124January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod NWhen Y is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve...

125January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod N unless the factorization of N is known. 126January 6, 2011Practical Aspects of Modern CryptographyThe Fundamental EquationZ=YX mod NThe problem is not well-studied for the case when N is unknown.127January 6, 2011Practical Aspects of Modern CryptographyImplementationZ=YX mod N128January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod N129January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NCompute YX and then reduce mod N.130January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NCompute YX and then reduce mod N.

If X, Y, and N each are 2,048-bit integers, YX consists of ~22059 bits.131January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NCompute YX and then reduce mod N.

If X, Y, and N each are 2,048-bit integers, YX consists of ~22059 bits.

Since there are roughly 2250 particles in the universe, storage is a problem.132January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod N133January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NRepeatedly multiplying by Y (followed each time by a reduction modulo N) X times solves the storage problem.

134January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NRepeatedly multiplying by Y (followed each time by a reduction modulo N) X times solves the storage problem.

However, we would need to perform ~2900 64-bit multiplications per second to complete the computation before the sun burns out.135January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod N136January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NMultiplication by Repeated Doubling

137January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NMultiplication by Repeated Doubling

To compute X Y, 138January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NMultiplication by Repeated Doubling

To compute X Y, compute Y, 2Y, 4Y, 8Y, 16Y, 139January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NMultiplication by Repeated Doubling

To compute X Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by the binary representation of X.

140January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NMultiplication by Repeated Doubling

To compute X Y, compute Y, 2Y, 4Y, 8Y, 16Y, and sum up those values dictated by the binary representation of X.

Example: 26Y = 2Y + 8Y + 16Y.141January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod N142January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NExponentiation by Repeated Squaring

143January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NExponentiation by Repeated Squaring

To compute YX, 144January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NExponentiation by Repeated Squaring

To compute YX, compute Y, Y2, Y4, Y8, Y16, 145January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NExponentiation by Repeated Squaring

To compute YX, compute Y, Y2, Y4, Y8, Y16, and multiply those values dictated by the binary representation of X.

146January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NExponentiation by Repeated Squaring

To compute YX, compute Y, Y2, Y4, Y8, Y16, and multiply those values dictated by the binary representation of X.

Example: Y26 = Y2 Y8 Y16.147January 6, 2011Practical Aspects of Modern CryptographyHow to compute YX mod NWe can now perform a 2,048-bit modular exponentiation using ~3,072 2,048-bit modular multiplications.

2,048 squarings: y, y2, y4, , y22048

~1024 ordinary multiplications148January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer OperationsAddition and SubtractionMultiplicationDivision and Remainder (Mod N)Exponentiation149January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Addition

+150January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Addition





+155January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer AdditionIn general, adding two large integers each consisting of n small blocks requires O(n) small-integer additions.

Large-integer subtraction is similar.156January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Multiplication

157January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Multiplication





162January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer MultiplicationIn general, multiplying two large integers each consisting of n small blocks requires O(n2) small-integer multiplications and O(n) large-integer additions.163January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Squaring

164January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Squaring

165January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer Squaring

166January 6, 2011Practical Aspects of Modern CryptographyLarge-Integer SquaringCareful bookkeeping can save nearly half of the small-integer multiplications (and nearly half of the time).167January 6, 2011Practical Aspects of Modern CryptographyRecall computing YX mod NAbout 2/3 of the multiplications required to compute YX are actually squarings.

Overall, efficient squaring can save about 1/3 of the small multiplications required for modular exponentiation.168January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD169January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

Given 4 coefficients A, B, C, and D,170January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

Given 4 coefficients A, B, C, and D,we need to compute 3 values: 171January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD

Given 4 coefficients A, B, C, and D,we need to compute 3 values: AC, AD+BC, and BD.172January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD



Given 4 coefficients A, B, C, and D,we need to compute 3 values: AC, AD+BC, and BD.175January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD4 multiplications, 1 addition

176January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD4 multiplications, 1 addition







(A+B)(C+D) = AC + AD + BC + BD183January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD4 multiplications, 1 addition

(A+B)(C+D) = AC + AD + BC + BD(A+B)(C+D) AC BD = AD + BC184January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD4 multiplications, 1 addition

(A+B)(C+D) = AC + AD + BC + BD(A+B)(C+D) AC BD = AD + BC3 multiplications, 2 additions, 2 subtractions185January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(Ax+B)(Cx+D) = ACx2 + (AD+BC)x + BD4 multiplications, 1 addition








(A+B)(C+D) = AC + AD + BC + BD(A+B)(C+D) AC BD = AD + BC3 multiplications, 2 additions, 2 subtractions193January 6, 2011Practical Aspects of Modern CryptographyKaratsuba MultiplicationThis can be done on integers as well as on polynomials, but its not as nice on integers because of carries.

The larger the integers, the larger the benefit.194January 6, 2011Practical Aspects of Modern CryptographyKaratsuba Multiplication(A2k+B)(C2k+D) = AC22k + (AD+BC)2k + BD4 multiplications, 1 addition

(A+B)(C+D) = AC + AD + BC + BD(A+B)(C+D) AC BD = AD + BC3 multiplications, 2 additions, 2 subtractions195January 6, 2011Practical Aspects of Modern CryptographyChinese RemainderingIf X = A mod P, X = B mod Q, and gcd(P,Q) = 1, then X mod PQ can be computed as

X = AQ(Q-1 mod P) + BP(P-1 mod Q).196January 6, 2011Practical Aspects of Modern CryptographyChinese RemainderingIf N = PQ, then a computation mod N can be accomplished by performing the same computation mod P and again mod Q and then using Chinese Remaindering to derive the answer to the mod N computation.197January 6, 2011Practical Aspects of Modern CryptographyChinese RemainderingSince modular exponentiation of n-bit integers requires O(n3) time, performing two modular exponentiations on half size values requires only about one quarter of the time of a single n-bit modular exponentiation.198January 6, 2011Practical Aspects of Modern CryptographyModular ReductionGenerally, computing (AB) mod N requires much more than twice the time to compute AB.199January 6, 2011Practical Aspects of Modern CryptographyModular ReductionGenerally, computing (AB) mod N requires much more than twice the time to compute AB.

Large-integer division is 200January 6, 2011Practical Aspects of Modern CryptographyModular ReductionGenerally, computing (AB) mod N requires much more than twice the time to compute AB.

Large-integer division is slow 201January 6, 2011Practical Aspects of Modern CryptographyModular ReductionGenerally, computing (AB) mod N requires much more than twice the time to compute AB.

Large-integer division is slow cumbersome202January 6, 2011Practical Aspects of Modern CryptographyModular ReductionGenerally, computing (AB) mod N requires much more than twice the time to compute AB.

Large-integer division is slow cumbersome disgusting203January 6, 2011Practical Aspects of Modern CryptographyModular ReductionGenerally, computing (AB) mod N requires much more than twice the time to compute AB.

Large-integer division is slow cumbersome disgusting wretched204January 6, 2011Practical Aspects of Modern CryptographyThe Montgomery MethodThe Montgomery Method performs a domain transform to a domain in which the modular reduction operation can be achieved by multiplication and simple truncation.Since a single modular exponentiation requires many modular multiplications and reductions, transforming the arguments is well justified.205January 6, 2011Practical Aspects of Modern CryptographyMontgomery MultiplicationLet A, B, and M be n-block integers represented in base x with 0 M xn.Let R = xn. GCD(R,M) = 1.The Montgomery Product of A and B modulo M is the integer ABR1 mod M.Let M = M1 mod R and S = ABM mod R.Fact: (AB+SM)/R ABR1 (mod M).206January 6, 2011Practical Aspects of Modern CryptographyUsing the Montgomery ProductThe Montgomery Product ABR1 mod M can be computed in the time required for two ordinary large-integer multiplications.Montgomery transform: AAR mod M.The Montgomery product of (AR mod M) and (BR mod M) is (ABR mod M).207January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsZ=YX mod N208January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsInformally, F : X Y is a one-way if

Given x, y = F(x) is easily computable.

Given y, it is difficult to find any x for which y = F(x).

209January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsThe family of functionsFY,N(X) = YX mod Nis believed to be one-way for most N and Y.

210January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsThe family of functionsFY,N(X) = YX mod Nis believed to be one-way for most N and Y.

No one has ever proven a function to be one-way, and doing so would, at a minimum, yield as a consequence that PNP.211January 6, 2011Practical Aspects of Modern CryptographyOne-Way FunctionsWhen viewed as a two-argument function, the (candidate) one-way functionFN(Y,X) = YX mod Nalso satisfies a useful additional property which has been termed quasi-commutivity:F(F(Y,X1),X2) = F(F(Y,X2),X1)since YX1X2 = YX2X1.

212January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeAliceBob213January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeAliceRandomly select a large integer a and send A = Ya mod N.BobRandomly select a large integer b and send B = Yb mod N.

214January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key Exchange

Alice BobAB215January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeAliceRandomly select a large integer a and send A = Ya mod N.BobRandomly select a large integer b and send B = Yb mod N.

216January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeAliceRandomly select a large integer a and send A = Ya mod N.Compute the key K = Ba mod N.BobRandomly select a large integer b and send B = Yb mod N.Compute the key K = Ab mod N.

217January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeAliceRandomly select a large integer a and send A = Ya mod N.Compute the key K = Ba mod N.BobRandomly select a large integer b and send B = Yb mod N.Compute the key K = Ab mod N.

Ba = Yba = Yab = Ab218January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key Exchange219January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeWhat does Eve see?

220January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeWhat does Eve see?Y, Ya, Yb

221January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeWhat does Eve see?Y, Ya, Yb but the exchanged key is Yab.

222January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeWhat does Eve see?Y, Ya, Yb but the exchanged key is Yab.Belief: Given Y, Ya, Yb it is difficult to compute Yab.

223January 6, 2011Practical Aspects of Modern CryptographyDiffie-Hellman Key ExchangeWhat does Eve see?Y, Ya, Yb but the exchanged key is Yab.Belief: Given Y, Ya, Yb it is difficult to compute Yab.Contrast with discrete logarithm assumption: Given Y, Ya it is difficult to compute a.

224January 6, 2011Practical Aspects of Modern CryptographyMore on Quasi-CommutivityQuasi-commutivity has additional applications.

decentralized digital signaturesmembership testingdigital time-stamping225January 6, 2011Practical Aspects of Modern CryptographyOne-Way Trap-Door FunctionsZ=YX mod N226January 6, 2011Practical Aspects of Modern CryptographyOne-Way Trap-Door FunctionsZ=YX mod NRecall that this equation is solvable for Y if the factorization of N is known, but is believed to be hard otherwise.227January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemAliceAnyone228January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemAliceSelect two large random primes P & Q.Anyone229January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemAliceSelect two large random primes P & Q.Publish the product N=PQ.Anyone230January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemAliceSelect two large random primes P & Q.Publish the product N=PQ.AnyoneTo send message Y to Alice, compute Z=YX mod N.231January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemAliceSelect two large random primes P & Q.Publish the product N=PQ.AnyoneTo send message Y to Alice, compute Z=YX mod N.Send Z and X to Alice.232January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemAliceSelect two large random primes P & Q.Publish the product N=PQ.Use knowledge of P & Q to compute Y.AnyoneTo send message Y to Alice, compute Z=YX mod N.Send Z and X to Alice.233January 6, 2011Practical Aspects of Modern CryptographyRSA Public-Key CryptosystemIn practice, the exponent X is almost always fixed to be X = 65537 = 216 + 1.234234January 6, 2011Practical Aspects of Modern CryptographySome RSA DetailsWhen N=PQ is the product of distinct primes,YX mod N = Y wheneverX mod (P-1)(Q-1) = 1 and 0 YN.235January 6, 2011Practical Aspects of Modern CryptographySome RSA DetailsWhen N=PQ is the product of distinct primes,YX mod N = Y wheneverX mod (P-1)(Q-1) = 1 and 0 YN.Alice can easily select integers E and D such that ED mod (P-1)(Q-1) = 1.

236January 6, 2011Practical Aspects of Modern CryptographySome RSA DetailsEncryption: E(Y) = YE mod N.Decryption: D(Y) = YD mod N.

D(E(Y)) = (YE mod N)D mod N = YED mod N = Y237January 6, 2011Practical Aspects of Modern CryptographyRSA Signatures238January 6, 2011Practical Aspects of Modern CryptographyRSA SignaturesAn additional property239January 6, 2011Practical Aspects of Modern CryptographyRSA SignaturesAn additional propertyD(E(Y)) = YED mod N = Y 240January 6, 2011Practical Aspects of Modern CryptographyRSA SignaturesAn additional propertyD(E(Y)) = YED mod N = Y E(D(Y)) = YDE mod N = Y241January 6, 2011Practical Aspects of Modern CryptographyRSA SignaturesAn additional propertyD(E(Y)) = YED mod N = Y E(D(Y)) = YDE mod N = YOnly Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = YD mod N.242January 6, 2011Practical Aspects of Modern CryptographyRSA SignaturesAn additional propertyD(E(Y)) = YED mod N = Y E(D(Y)) = YDE mod N = YOnly Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = YD mod N.This D(Y) serves as Alices signature on Y.243January 6, 2011Practical Aspects of Modern CryptographyPublic Key Directory

244January 6, 2011Practical Aspects of Modern CryptographyPublic Key Directory

(Recall that E is commonly fixed to be E=65537.)245January 6, 2011Practical Aspects of Modern CryptographyCertificate Authority

Alices public modulus is NA = 331490324840-- signed CA.246January 6, 2011Practical Aspects of Modern CryptographyTrust ChainsAlice certifies Bobs key.Bob certifies Carols key.

If I trust Alice should I accept Carols key?247January 6, 2011Practical Aspects of Modern CryptographyAuthentication248January 6, 2011Practical Aspects of Modern CryptographyAuthenticationHow can I use RSA to authenticate someones identity?249January 6, 2011Practical Aspects of Modern CryptographyAuthenticationHow can I use RSA to authenticate someones identity?

If Alices public key EA, just pick a random message m and send EA(m).

250January 6, 2011Practical Aspects of Modern CryptographyAuthenticationHow can I use RSA to authenticate someones identity?

If Alices public key EA, just pick a random message m and send EA(m).

If m comes back, I must be talking to Alice.251January 6, 2011Practical Aspects of Modern CryptographyAuthenticationShould Alice be happy with this method of authentication?

252January 6, 2011Practical Aspects of Modern CryptographyAuthenticationShould Alice be happy with this method of authentication?

Bob sends Alice the authentication string y = I owe Bob $1,000,000 - signed Alice.

253January 6, 2011Practical Aspects of Modern CryptographyAuthenticationShould Alice be happy with this method of authentication?

Bob sends Alice the authentication string y = I owe Bob $1,000,000 - signed Alice.

Alice dutifully authenticates herself by decrypting (putting her signature on) y.254January 6, 2011Practical Aspects of Modern CryptographyAuthenticationWhat if Alice only returns authentication queries when the decryption has a certain format?255January 6, 2011Practical Aspects of Modern CryptographyRSA CautionsIs it reasonable to sign/decrypt something given to you by someone else?

Note that RSA is multiplicative. Can this property be used/abused?256January 6, 2011Practical Aspects of Modern CryptographyRSA CautionsD(Y1) D(Y2) = D(Y1 Y2)

Thus, if Ive decrypted (or signed) Y1 and Y2, Ive also decrypted (or signed) Y1 Y2.257January 6, 2011Practical Aspects of Modern CryptographyThe Hastad AttackGivenE1(x) = x3 mod n1E2(x) = x3 mod n2E3(x) = x3 mod n3one can easily compute x.258January 6, 2011Practical Aspects of Modern CryptographyThe Bleichenbacher AttackPKCS#1 Message Format:

00 01 XX XX ... XX 00 YY YY ... YYrandomnon-zerobytesmessage259January 6, 2011Practical Aspects of Modern CryptographyMan-in-the-Middle Attacks

260January 6, 2011Practical Aspects of Modern CryptographyThe Practical Side261January 6, 2011Practical Aspects of Modern CryptographyThe Practical SideRSA can be used to encrypt any data.

262January 6, 2011Practical Aspects of Modern CryptographyThe Practical SideRSA can be used to encrypt any data.

Public-key (asymmetric) cryptography is very inefficient when compared to traditional private-key (symmetric) cryptography.263January 6, 2011Practical Aspects of Modern CryptographyThe Practical Side264January 6, 2011Practical Aspects of Modern CryptographyThe Practical SideFor efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.265January 6, 2011Practical Aspects of Modern CryptographyThe Practical SideFor efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.The private session key is used to encrypt any subsequent data.266January 6, 2011Practical Aspects of Modern CryptographyThe Practical SideFor efficiency, one generally uses RSA (or another public-key algorithm) to transmit a private (symmetric) key.The private session key is used to encrypt any subsequent data.

Digital signatures are only used to sign a digest of the message.267

Hello

Hello

_977235054.ppt

A Mapping of a Protocol

A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

_977235054.ppt


A:

B:

A:

B:

_977235059.ppt


A:

B:

A:

B:

NamePublic KeyEncryption

AliceNAEA(Y)=YE mod NA

BobNBEB(Y)=YE mod NB

CarolNCEC(Y)=YE mod NC

NamePublic KeyEncryption

AliceNAEA(Y)=YE mod NA

BobNBEB(Y)=YE mod NB

CarolNCEC(Y)=YE mod NC

Alice

Bob

Alice

Eve

Bob

Documents

Practical Aspects of Modern Cryptography