Introduction Cryptography Short Introduction to Cryptography J. Jiménez Urroz, UPC CIMPA School, Manila, July 29, 2013 Introduction Cryptography Introduction Cryptography • Bit operation. . Introduction Cryptography • Bit operation. Multiplication of a k digits integer by an l digits integer. 11101 ×1101 101111001 . Introduction Cryptography • Bit operation. Multiplication of a k digits integer by an l digits integer. 11101 ×1101 101111001 It needs kl bit operations. . Introduction Cryptography • Bit operation. Multiplication of a k digits integer by an l digits integer. 11101 ×1101 101111001 It needs kl bit operations. • f = O(g ) if f (n) ≤ Cg (n) for some constant C and all n ∈ Zr . Introduction Cryptography • Bit operation. Multiplication of a k digits integer by an l digits integer. 11101 ×1101 101111001 It needs kl bit operations. • f = O(g ) if f (n) ≤ Cg (n) for some constant C and all n ∈ Zr . An algorithm in n-variables of ki bits each is called aQpolynomial time algorithm if the number of bit operations is O( i=1..n kidi ) Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. • Finding the inverse in (Z/mZ)∗ can be done in polynomial time. Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. • Finding the inverse in (Z/mZ)∗ can be done in polynomial time. • Exponentiation an (mod m) is polynomial in n and m Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. • Finding the inverse in (Z/mZ)∗ can be done in polynomial time. • Exponentiation an (mod m) is polynomial in n and m • Multiplying two elements of Fq needs O((log q)3 ) operations while ak , for a ∈ Fq and k ∈ Z needs O((log q)3 (log k)) Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. • Finding the inverse in (Z/mZ)∗ can be done in polynomial time. • Exponentiation an (mod m) is polynomial in n and m • Multiplying two elements of Fq needs O((log q)3 ) operations while ak , for a ∈ Fq and k ∈ Z needs O((log q)3 (log k)) Exercise: Convert an integer into its binary representation. Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. • Finding the inverse in (Z/mZ)∗ can be done in polynomial time. • Exponentiation an (mod m) is polynomial in n and m • Multiplying two elements of Fq needs O((log q)3 ) operations while ak , for a ∈ Fq and k ∈ Z needs O((log q)3 (log k)) Exercise: Convert an integer into its binary representation. • Decide whether p is prime can be done in polynomial time. Introduction Cryptography • The Euclidean algorithm to Find the gcd of two integers a < b, is a polynomial time algorithm. • Finding the inverse in (Z/mZ)∗ can be done in polynomial time. • Exponentiation an (mod m) is polynomial in n and m • Multiplying two elements of Fq needs O((log q)3 ) operations while ak , for a ∈ Fq and k ∈ Z needs O((log q)3 (log k)) Exercise: Convert an integer into its binary representation. • Decide whether p is prime can be done in polynomial time. • Given n = pq where p, q are distinct primes, it is equivalent to find ϕ(n) than finding p and q. √ Exercise: Find an algorithm to compute [ n] in polynomial time. Introduction Can we solve x 2 − a (mod p) in polynomial time? Cryptography Introduction Cryptography Can we solve x 2 − a (mod p) in polynomial time? Suppose n is a non-residue. Let p − 1 = 2r s, β = ns and α = a(s+1)/2 . Then α2 /a is a 2r −1 root of unity and β is a primitive 2r -root of unity. So αβ j = x for some j = ( 0 jk = 1 Pr −2 i i=0 ji 2 . P2k−1 if ((β i=0 otherwise Then ji 2i r )2 /a)2r −k−2 =1 Introduction Cryptography Can we solve x 2 − a (mod p) in polynomial time? Suppose n is a non-residue. Let p − 1 = 2r s, β = ns and α = a(s+1)/2 . Then α2 /a is a 2r −1 root of unity and β is a primitive 2r -root of unity. So αβ j = x for some j = ( 0 jk = 1 Pr −2 i i=0 ji 2 . P2k−1 if ((β i=0 otherwise Then ji 2i r )2 /a)2r −k−2 If p ≡ 3 (mod 4), then x = a(p+1)/4 . =1 Introduction Cryptography Can we solve x 2 − a (mod p) in polynomial time? Suppose n is a non-residue. Let p − 1 = 2r s, β = ns and α = a(s+1)/2 . Then α2 /a is a 2r −1 root of unity and β is a primitive 2r -root of unity. So αβ j = x for some j = ( 0 jk = 1 Pr −2 i i=0 ji 2 . P2k−1 if ((β i=0 otherwise Then ji 2i r )2 /a)2r −k−2 =1 If p ≡ 3 (mod 4), then x = a(p+1)/4 . If p ≡ 1 (mod 4), we need a non-residue. It is not known unconditionally whether we can find it in polymial time. We know it under the Riemann hypothesis. But there are 50% of them. Introduction Theorem (Quadratic Reciprocity law) Let m, n two odd integers. Then m n n−1 m−1 = (−1) 2 2 n m Cryptography Introduction Cryptography Theorem (Quadratic Reciprocity law) Let m, n two odd integers. Then m n n−1 m−1 = (−1) 2 2 n m P i i Proof. Consider p, q odd primes, and G = q−1 i=0 q ξ , where ξ ∈ Fpk is a q-th root of unity. Then, p G = q−1 X i i=0 q X q−1 p ip p ip ξ = ξ = G q q q ip i=0 But also G p = (G 2 )(p−1)/2 G = ((−1)(q−1)/2 q)(p−1)/2 G which finish the result. Introduction Cryptography P is the set of plaintext messages, C is the set of ciphertext message. A cryptosystem is a (biyective) function f : P → C such that given m ∈ P, c = f (m) is easy to compute, but m = f −1 (c) is very hard, unless an extra information is provided, which is called the key. Introduction Cryptography P is the set of plaintext messages, C is the set of ciphertext message. A cryptosystem is a (biyective) function f : P → C such that given m ∈ P, c = f (m) is easy to compute, but m = f −1 (c) is very hard, unless an extra information is provided, which is called the key. Example: f (m) = m + 3 (mod 26) will convert philippines into sklolsslqhv. Introduction Cryptography P is the set of plaintext messages, C is the set of ciphertext message. A cryptosystem is a (biyective) function f : P → C such that given m ∈ P, c = f (m) is easy to compute, but m = f −1 (c) is very hard, unless an extra information is provided, which is called the key. Example: f (m) = m + 3 (mod 26) will convert philippines into sklolsslqhv. bjqhtrjytymjhnrufwjxjfwhmxhmttq Introduction Cryptography P is the set of plaintext messages, C is the set of ciphertext message. A cryptosystem is a (biyective) function f : P → C such that given m ∈ P, c = f (m) is easy to compute, but m = f −1 (c) is very hard, unless an extra information is provided, which is called the key. Example: f (m) = m + 3 (mod 26) will convert philippines into sklolsslqhv. bjqhtrjytymjhnrufwjxjfwhmxhmttq welcometothecimparesearchschool Introduction hash • Hash Functions. Is any algorithm that maps data of variable length to data of a fixed length. (SHA-1,2,3. Secure Hash algorithm.) It does not need a key. Cryptography Introduction Cryptography hash • Hash Functions. Is any algorithm that maps data of variable length to data of a fixed length. (SHA-1,2,3. Secure Hash algorithm.) It does not need a key. It is easy to generate hash values from input data and easy to verify that the data matches the hash, but hard to ’fake’ a hash value to hide malicious data. Introduction Cryptography hash • Hash Functions. Is any algorithm that maps data of variable length to data of a fixed length. (SHA-1,2,3. Secure Hash algorithm.) It does not need a key. It is easy to generate hash values from input data and easy to verify that the data matches the hash, but hard to ’fake’ a hash value to hide malicious data. Good for ensuring data integrity. Any change made to the contents of a message will result in a different hash. Introduction Cryptography secret key The same key is used to encrypt and decrypt the messages. It is also called symmetric encryption. Example: DES (Data Encryption Standard, IBM, 1970) Introduction Cryptography secret key The same key is used to encrypt and decrypt the messages. It is also called symmetric encryption. Example: DES (Data Encryption Standard, IBM, 1970) Introduction Cryptography secret key Secret key cryptography is ideally suited to encrypting messages. • Advantages: – Encryption is fast and simple. – Less computer resources. – Good to encrypt your own files. Introduction Cryptography secret key Secret key cryptography is ideally suited to encrypting messages. • Advantages: – Encryption is fast and simple. – Less computer resources. – Good to encrypt your own files. • Disadvantages: –Secure channel for secret key exchange. –Ensuring privacy of keys is difficult. –Origin and authenticity of message cannot be guaranteed. Introduction Public key The encryption key ke and the decryption key kd are different. Cryptography Introduction Cryptography Public key The encryption key ke and the decryption key kd are different. The algorithm to encrypt is public, while the keys are secret. Up to 1976 to know how to encipher and decipher were regarded as equivalent. Is it in this year when Diffie-Hellman invented public key cryptography. Introduction Cryptography Public key The encryption key ke and the decryption key kd are different. The algorithm to encrypt is public, while the keys are secret. Up to 1976 to know how to encipher and decipher were regarded as equivalent. Is it in this year when Diffie-Hellman invented public key cryptography. It is based on the use of a trapdoor function. A biyective function f : P → P easy to compute, but very hard to find f −1 in any single value, unless an additional information is provided, the deciphering key Kd , which is kept secret. Introduction Cryptography Public key Authentication One of the most important algorithms is digital signatures. Introduction Cryptography Public key Authentication One of the most important algorithms is digital signatures. A can send, together with the message, compute fB (fA−1 (P)) Introduction Cryptography Public key Authentication One of the most important algorithms is digital signatures. A can send, together with the message, compute fB (fA−1 (P)) In digital signatures it is often used hash functions. Changing the person, content or the date of the message would change the hash value. Introduction Cryptography Public key Authentication One of the most important algorithms is digital signatures. A can send, together with the message, compute fB (fA−1 (P)) In digital signatures it is often used hash functions. Changing the person, content or the date of the message would change the hash value. Public key cryptosystems are often used to send the keys of a symmetric scheme. This is called key exchange. In order to ensure security, probabilistic cryptosystems are used: the same plaintext has many different cipher text, depending on a random parameter. Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 4294967297 Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 5 4294967297= 22 + 1 Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 5 4294967297= 22 + 1= 641 × 6700417 Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 5 4294967297= 22 + 1= 641 × 6700417 Exercise: Factor 307226426360331000972900308352962252674581946613617 Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 5 4294967297= 22 + 1= 641 × 6700417 Exercise: Factor 307226426360331000972900308352962252674581946613617 RSA Each user A selects two huge primes, pA and qA and computes nA = pA qA . Then the user selects a random 1 < eA < ϕ(nA ) coprime to ϕ(nA )to be the public key and computes the inverse eA−1 = dA (mod ϕ(nA )), which will be the private key. c = meA . m = c dA . Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 5 4294967297= 22 + 1= 641 × 6700417 Exercise: Factor 307226426360331000972900308352962252674581946613617 RSA Each user A selects two huge primes, pA and qA and computes nA = pA qA . Then the user selects a random 1 < eA < ϕ(nA ) coprime to ϕ(nA )to be the public key and computes the inverse eA−1 = dA (mod ϕ(nA )), which will be the private key. c = meA . m = c dA . What happen if (m, n) > 1? Introduction Cryptography RSA Idea: Inverting without the trapdoor function, allows to solve a difficult mathematical problem. RSA is based on the factorization problem: given n = pq, a product of two large primes, find p and q. 5 4294967297= 22 + 1= 641 × 6700417 Exercise: Factor 307226426360331000972900308352962252674581946613617 RSA Each user A selects two huge primes, pA and qA and computes nA = pA qA . Then the user selects a random 1 < eA < ϕ(nA ) coprime to ϕ(nA )to be the public key and computes the inverse eA−1 = dA (mod ϕ(nA )), which will be the private key. c = meA . m = c dA . What happen if (m, n) > 1? The primes need to have some properties. Not too close (p − 1, q − 1) small and with large prime factor. Introduction RSA Example: N = 26, k = 3, l = 4. Public: (nA , eA ) = (46927, 39423). Private: (dA = 26767) YES= 24 · 262 + 4 · 26 + 18 = 16346 Encipher: Compute 1634639423 (mod 46927) = 21166 = 263 + 5 · 262 + 8 · 26 + 2 =BFIC. Decipher: 2116626767 (mod 46927). Cryptography Introduction Cryptography RSA Example: N = 26, k = 3, l = 4. Public: (nA , eA ) = (46927, 39423). Private: (dA = 26767) YES= 24 · 262 + 4 · 26 + 18 = 16346 Encipher: Compute 1634639423 (mod 46927) = 21166 = 263 + 5 · 262 + 8 · 26 + 2 =BFIC. Decipher: 2116626767 (mod 46927). Suppose we know n = pq and m such that am ≡ 1 (mod n) for all (a, m) = 1. Find the factorization of n. Remark: If am 6= 1 for a then it happens for 50% of a’s Introduction Cryptography RSA Example: N = 26, k = 3, l = 4. Public: (nA , eA ) = (46927, 39423). Private: (dA = 26767) YES= 24 · 262 + 4 · 26 + 18 = 16346 Encipher: Compute 1634639423 (mod 46927) = 21166 = 263 + 5 · 262 + 8 · 26 + 2 =BFIC. Decipher: 2116626767 (mod 46927). Suppose we know n = pq and m such that am ≡ 1 (mod n) for all (a, m) = 1. Find the factorization of n. Remark: If am 6= 1 for a then it happens for 50% of a’s Exercise: How to make the digital signature fA−1 fB when nA and nB are different? Introduction Cryptography Discrete Logarithm Given a prime p large, a primitive root g of Fp∗ Problem: Given a number y ∈ F∗p find the exponent x such that gx = y. Introduction Cryptography Discrete Logarithm Given a prime p large, a primitive root g of Fp∗ Problem: Given a number y ∈ F∗p find the exponent x such that gx = y. This is the inverse function of exponentiation, called discrete logarithm. It is believed not to be possible to solve it in polynomial time, as its inverse. Introduction Cryptography Discrete Logarithm Given a prime p large, a primitive root g of Fp∗ Problem: Given a number y ∈ F∗p find the exponent x such that gx = y. This is the inverse function of exponentiation, called discrete logarithm. It is believed not to be possible to solve it in polynomial time, as its inverse. Diffie-Hellman key exchange. A selects a random 1 < a < p − 1 and publish ka = g a . B selects a random 1 < b < p − 1 and publish kb = g b . Now, B sends kab and B send kba which is the common key. Introduction Cryptography Discrete Logarithm Given a prime p large, a primitive root g of Fp∗ Problem: Given a number y ∈ F∗p find the exponent x such that gx = y. This is the inverse function of exponentiation, called discrete logarithm. It is believed not to be possible to solve it in polynomial time, as its inverse. Diffie-Hellman key exchange. A selects a random 1 < a < p − 1 and publish ka = g a . B selects a random 1 < b < p − 1 and publish kb = g b . Now, B sends kab and B send kba which is the common key. If a third party knows how to solve discrete logarithm problems, then he will know the key. But the problem to tackle is the Diffie Hellman problem which as follows. Introduction Discrete Logarithm Problem:(Diffie-Hellman) given g a , g b find g ab . Cryptography Introduction Discrete Logarithm Problem:(Diffie-Hellman) given g a , g b find g ab . Problem: (Decisional Diffie Hellman) Given a four tuple (c1 , c2 , c3 , c4 ) decide with probability bigger than 1/2 if it is (g , g a , g b , g ab ) or (g , g a , g b , g c ) for some c 6= ab Cryptography Introduction Discrete Logarithm Problem:(Diffie-Hellman) given g a , g b find g ab . Problem: (Decisional Diffie Hellman) Given a four tuple (c1 , c2 , c3 , c4 ) decide with probability bigger than 1/2 if it is (g , g a , g b , g ab ) or (g , g a , g b , g c ) for some c 6= ab It is not know if the Diffie Hellman problem and the discrete logarithm problem are equivalent. It is however a conjecture. Cryptography Introduction Cryptography Discrete Logarithm El Gamal cryptosystem The users agree in a large prime p and a generator g of F∗p . User A selects 1 < a < p − 1 and publish g a . If B wants to send the message m to A he will select 1 < b < p − 1 at random and send the pair (c1 , c2 ) = (g b , mg ab ). Introduction Cryptography Discrete Logarithm El Gamal cryptosystem The users agree in a large prime p and a generator g of F∗p . User A selects 1 < a < p − 1 and publish g a . If B wants to send the message m to A he will select 1 < b < p − 1 at random and send the pair (c1 , c2 ) = (g b , mg ab ). To Decipher A does c2 /c1a . Introduction Cryptography Discrete Logarithm El Gamal cryptosystem The users agree in a large prime p and a generator g of F∗p . User A selects 1 < a < p − 1 and publish g a . If B wants to send the message m to A he will select 1 < b < p − 1 at random and send the pair (c1 , c2 ) = (g b , mg ab ). To Decipher A does c2 /c1a . If C can recover a message, she can solve DDH. Introduction Cryptography Discrete Logarithm DSS (Digital signature standard) Choose q prime 160 bits, p ≡ 1 (mod q) prime 512 bits. g generator | < g > | = q. ((g0 )(p−1)/q , for random g0 ). A selects 1 < x < q − 1 secret, y = g x public. Signature: (h, r , s), where h is a hash, r = (g k (mod p)) (mod q) sk = h + xr (mod q). Introduction Cryptography Discrete Logarithm DSS (Digital signature standard) Choose q prime 160 bits, p ≡ 1 (mod q) prime 512 bits. g generator | < g > | = q. ((g0 )(p−1)/q , for random g0 ). A selects 1 < x < q − 1 secret, y = g x public. Signature: (h, r , s), where h is a hash, r = (g k (mod p)) (mod q) sk = h + xr (mod q). Check: Compute u1 = s −1 h (mod q), u2 = s −1 r (mod q) and g u1 y u2 (mod p) = z if z = r (mod q), agree. Introduction Cryptography Discrete Logarithm DSS (Digital signature standard) Choose q prime 160 bits, p ≡ 1 (mod q) prime 512 bits. g generator | < g > | = q. ((g0 )(p−1)/q , for random g0 ). A selects 1 < x < q − 1 secret, y = g x public. Signature: (h, r , s), where h is a hash, r = (g k (mod p)) (mod q) sk = h + xr (mod q). Check: Compute u1 = s −1 h (mod q), u2 = s −1 r (mod q) and g u1 y u2 (mod p) = z if z = r (mod q), agree. Small signatures with the security of Fp .
© Copyright 2026 Paperzz