Tjark Weber
Cryptology
April 12, 2013
Lab 1
Lab 1 Deadline
Thanks to all who submitted their solution to part (a) of the first lab!
The deadline for parts (b) and (c) is this Thursday, April 18.
Start working on these parts today; don't wait until the last minute!
Ciphertexts are available in the Student Portal.
Contact jean-noel.monette@it.uu.se if you have any questions.
Exercise Solutions
Cipher                                                    Confusion   Diffusion
Shift: e_k(x) = x + k
Substitution: e (x) = (x)
Affine: e_(a,b)(x) = ax + b
Vigenère: e_(k1,...,km)(x) = (x1 + k1, ..., xm + km)
Hill: e_k(x) = xk
Symmetric-key Cryptography
All ciphers that we have discussed so far are symmetric-key ciphers: the
same key is used for encryption and decryption. In effect, the key is a
shared secret between Alice and Bob.
Major drawback: Alice and Bob first need to communicate the key via a
secure channel.
[Figure: establishing a shared secret by mixing paint. Labels: Bob; Common paint; Secret colors; Public transport (assume that mixture separation is expensive); Shared secret.]
[Figure: the same exchange with numbers. Labels: Bob; Generator g; Modulus m; Secret numbers a and b; g^a mod m and g^b mod m; Public transport (assume that discrete logarithm is expensive); Shared secret (g^b)^a mod m and (g^a)^b mod m.]
Public-key Cryptography
A public-key cryptosystem uses two separate keys: an encryption key
(public key), and a corresponding decryption key (private key). Only the
private key must be kept secret.
Public-key Communication
A Brief History
Modular Exponentiation
Towards RSA
x = d_k(e_k(x))
1h(q1) x (mod p) = x.
Compute m = pq.
Compute d = e 1 mod .
The extended Euclidean algorithm computes gcd(e, ) and d.
Publish m and e. Keep d private.
RSA: Example
He computes m = pq = 55.
He chooses e = 3.
She uses his public key to encrypt: e_k(14) = 14^3 mod 55 = 49.
Bob receives the ciphertext and uses his private key (m = 55, d = 27)
to decrypt: d_k(49) = 49^27 mod 55 = 14.
Cryptanalysis of RSA
Security of RSA relies on the (unproven) conjecture that both the integer
factorisation problem and the RSA problem are computationally hard. A
polynomial-time quantum factorisation algorithm is known.
There are a number of attacks against plain RSA: notably, an attacker can
simply try likely plaintexts. To prevent this and other attacks, RSA in
practice employs random padding of the message.
p, q, e, and d need to satisfy additional requirements; otherwise, specific
number-theoretic attacks (e.g., algorithms that can factor certain numbers
in polynomial time) are known.
Side-channel attacks on RSA implementations are known that determine
the private key, e.g., by carefully measuring decryption time.
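Added example (not part of the lecture slides): textbook RSA key generation with the extended Euclidean algorithm, checked against the slide's numbers (m = 55, e = 3, d = 27), followed by the "try likely plaintexts" check that random padding is meant to defeat. Assumptions: p = 5 and q = 11 (the factors of 55), the inverse is taken modulo (p - 1)(q - 1), and the function names, the primes 1009 and 1013, and the toy padding are constructed for illustration.

```python
import secrets

def egcd(a, b):
    """Extended Euclid: return (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def keygen(p, q, e):
    """Return (m, e, d): m = pq and d = e^-1 mod (p-1)(q-1) (assumed modulus)."""
    phi = (p - 1) * (q - 1)
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return p * q, e, s % phi

def encrypt(x, m, e):
    return pow(x, e, m)

def decrypt(y, m, d):
    return pow(y, d, m)

def confirm_guesses(y, candidates, m, e):
    """Plain RSA is deterministic, so anyone holding the public key can
    re-encrypt likely plaintexts and compare them with an observed y."""
    return [x for x in candidates if encrypt(x, m, e) == y]

def encrypt_padded(x, m, e, pad_bits=11):
    """Toy random padding (illustration only, not a real scheme such as OAEP):
    place a fresh nonzero random value above an 8-bit message."""
    r = secrets.randbelow(2**pad_bits - 1) + 1
    return encrypt((r << 8) | x, m, e)

def decrypt_padded(y, m, d):
    return decrypt(y, m, d) & 0xFF          # drop the random pad

if __name__ == "__main__":
    m, e, d = keygen(5, 11, 3)              # slide values: m = 55, e = 3
    y = encrypt(14, m, e)
    print(m, d, y, decrypt(y, m, d))
    print(confirm_guesses(y, range(m), m, e))   # the guess is confirmed
    M, E, D = keygen(1009, 1013, 5)         # constructed larger toy primes
    c = encrypt_padded(14, M, E)
    print(confirm_guesses(c, range(256), M, E), decrypt_padded(c, M, D))
```

The 11-bit pad only shows the mechanism; a pad this short can itself be enumerated, which is why practical padding uses far more randomness.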
Bits   Factored in
330    1991
426    1994
512    1999
576    2003
663    2005
768    2009
NIST key management guidelines suggest that 15360-bit RSA keys are
equivalent in strength to 256-bit symmetric keys.
Comparison Symmetric-key/Public-key
Feature            Symmetric-key   Public-key
Number of keys     1               2 (related)
Types of keys      secret          public, secret
Typical key size   50-250 bits     500-4500 bits
Relative speed     faster          slower (by a factor of 1,000)
Hybrid Cryptosystems
Digital Signatures
A digital signature is a mathematical scheme for demonstrating the
authenticity of a digital message.
Exercises
For m = pq, where p and q are distinct primes, define
(m) =
(p 1)(q 1)
gcd(p 1, q 1)
(mod (m))