announcements: 1. hw6 due now 2. hw7 posted questions? this week: discrete logs, diffie-hellman,...
Post on 20-Dec-2015
218 views
TRANSCRIPT
Announcements:Announcements:1.1. HW6 due nowHW6 due now
2.2. HW7 postedHW7 posted
Questions? Questions?
This week:This week: Discrete Logs, Diffie-Hellman, ElGamalDiscrete Logs, Diffie-Hellman, ElGamal Hash FunctionsHash Functions
DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 26Day 26
ElGamalElGamalBob publishes (Bob publishes (, p, , p, ), ),
where 1 < m < p and where 1 < m < p and ==aa
Alice chooses secret k, Alice chooses secret k, computes and sends to computes and sends to Bob the pair (r,t) whereBob the pair (r,t) where
r=r=kk (mod p) (mod p) t = t = kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a=m (mod p)=m (mod p)
1.1. Show that Bob’s decryption worksShow that Bob’s decryption works
Plug in values for t, r, and Plug in values for t, r, and . .
2.2. Eve would like to know k. Show that knowing k allows decrpytion. Eve would like to know k. Show that knowing k allows decrpytion. Why? Why?
m=m=-k-ktt
3.3. Why can’t Eve compute k from r or t? Why can’t Eve compute k from r or t?
Need to calculate a discrete log to do so, which Need to calculate a discrete log to do so, which is hard when p is largeis hard when p is large
4.4. Challenge: Alice should randomize k each time. If not, and Eve Challenge: Alice should randomize k each time. If not, and Eve gets hold of a plaintext / ciphertext (mgets hold of a plaintext / ciphertext (m11, r, r11, t, t11), she can decrypt ), she can decrypt other ciphertexts (mother ciphertexts (m22, r, r22, t, t22). Show how.). Show how.
Use mUse m11, t, t11 to solve for to solve for kk. Then use . Then use -k -k and t and t22 to to find mfind m22
5.5. If Eve says she found m from (r,t), can we verify that she really If Eve says she found m from (r,t), can we verify that she really found it, using only the public key (and not k or a)? Explain.found it, using only the public key (and not k or a)? Explain.
Not easily (see next slide)Not easily (see next slide)
Name: ______________________
Notes:
Known plaintext attackKnown plaintext attackBob publishes (Bob publishes (, p, , p, ), where 1 < m ), where 1 < m
< p and < p and ==aa
Alice chooses secret k, computes Alice chooses secret k, computes and sends to Bob the pair (r,t) and sends to Bob the pair (r,t) wherewhere
r=r=kk (mod p) (mod p) t = t = kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a=m (mod p)=m (mod p)Why does this work?Why does this work?
If Eve got hold of a plaintext/ciphertext If Eve got hold of a plaintext/ciphertext (m(m11, r, r11, t, t11), she can decrypt other ), she can decrypt other ciphertexts (mciphertexts (m22, r, r22, t, t22):):
Answer:Answer:r=r=kk (mod p), t (mod p), t11 = = kkmm11 (mod p), t (mod p), t22 = = kkmm22 (mod p)(mod p)SoSo
You can solve for mYou can solve for m22, since everything , since everything else in the proportion is known. else in the proportion is known.
Alice should randomize k each time.Alice should randomize k each time.
)(mod2
2
1
1 pm
t
m
t k
Tying everything togetherTying everything togetherBob publishes (Bob publishes (, p, , p, ), where 1 < m < p and ), where 1 < m < p and ==aa
Alice chooses secret k, computes and sends to Bob the pair (r,t) whereAlice chooses secret k, computes and sends to Bob the pair (r,t) where r=r=kk (mod p) (mod p) t = t = kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a=m (mod p)=m (mod p)Why does this work?Why does this work?
If Eve says she found m from (r,t), can we verify that she really found it, If Eve says she found m from (r,t), can we verify that she really found it, using just m,r,t and the public key? using just m,r,t and the public key?
Decision D-H Decision D-H Validity of (mod p) ElGamal ciphertexts.Validity of (mod p) ElGamal ciphertexts.
Computational D-H Computational D-H Decrypting (mod p) ElGamal ciphertexts.Decrypting (mod p) ElGamal ciphertexts.
Not easily!Not easily!
Cryptographic hash functions shrink messages Cryptographic hash functions shrink messages into a digestinto a digest
Goal: to provide a unique “fingerprint” of the message.Goal: to provide a unique “fingerprint” of the message.
Message m(long)
Message digest, y(Shorter fixed length)Cryptographic hash
Function, hShrinks data, so 2 messages can have the same digest: m1 != m2, but h(m1) = h(m2)
1
Cryptographic hash functions must satisfy three Cryptographic hash functions must satisfy three properties to be useful and secureproperties to be useful and secure
1.1. FastFast to compute y from m. to compute y from m.2.2. One-wayOne-way: given y = h(m), can’t find : given y = h(m), can’t find anyany m’m’ satisfying h(m’) = y satisfying h(m’) = y
easily.easily.3.3. Strongly Strongly collision-freecollision-free: Can’t find : Can’t find anyany pair mpair m11 ≠ m ≠ m22 such that such that
h(mh(m11)=h(m)=h(m22) easily) easily4.4. (Sometimes we can settle for weakly collision-free: (Sometimes we can settle for weakly collision-free: given mgiven m, ,
can’t find m’ ≠ m with h(m) = h(m’).can’t find m’ ≠ m with h(m) = h(m’).
Message m(long)
Message digest, y(Shorter fixed length)Cryptographic hash
Function, hShrinks data, so 2 messages can have the same digest: m1 != m2, but h(m1) = h(m2)
2
Hash functions can be used for digital signatures and Hash functions can be used for digital signatures and error detectionerror detection
Why do we care about these Why do we care about these properties? properties?
Use #1: Digital signaturesUse #1: Digital signaturesIf Alice signs h(m), what if Bob If Alice signs h(m), what if Bob could find m’ ≠ m, such that h(m) = could find m’ ≠ m, such that h(m) = h(m’)?h(m’)?He could claim Alice signed m’!He could claim Alice signed m’!Consider two contracts…Consider two contracts…
3 properties:3 properties:1.1. Fast to computeFast to compute2.2. One-way: given y = One-way: given y =
h(m), can’t find h(m), can’t find any any m’ satisfying h(m’) = m’ satisfying h(m’) = y easily.y easily.
3.3. Strongly collision-Strongly collision-free: Can’t find mfree: Can’t find m11 ≠ ≠ mm22 such that such that h(mh(m11)=h(m)=h(m22))
Use #2: Error detection – simple example:Use #2: Error detection – simple example:Alice sends (m, h(m)), Bob receives (M, H). Bob checks if H=h(M). If not, there’s an error.
3
Hash function examplesHash function examples
Examples:Examples:1.1. h(m) = m (mod n)h(m) = m (mod n)2.2. h(x) = h(x) = xx (mod (mod pp) for large prime p, which ) for large prime p, which
doesn’t divide doesn’t divide
3.3. Discrete log hashDiscrete log hashGiven large prime p, such that q=(p-1)/2 is also prime, and Given large prime p, such that q=(p-1)/2 is also prime, and
primitive roots primitive roots and and for p: for p:
where m = mwhere m = m00 + m + m11qq
EHA (next)EHA (next)
SHA-1 (tomorrow)SHA-1 (tomorrow)
MD4, MD5 (weaker than SHA; won’t discuss)MD4, MD5 (weaker than SHA; won’t discuss)
3 properties:3 properties:1.1. Fast to computeFast to compute2.2. One-way: given y = h(m), One-way: given y = h(m),
can’t find can’t find any any m’ m’ satisfying h(m’) = y easily.satisfying h(m’) = y easily.
3.3. Strongly collision-free: Strongly collision-free: Can’t find mCan’t find m11 ≠ m ≠ m22 such such that h(mthat h(m11)=h(m)=h(m22))
For first 2 examples, please check properties 1-3.
)(mod)( 10 pmh mm
4a-b
Easy Hash Algorithm (EHA) isn’t very secure!Easy Hash Algorithm (EHA) isn’t very secure!
Break m into n-bit blocks, Break m into n-bit blocks, append zeros to get a append zeros to get a multiple of multiple of nn..
There are L of them, where There are L of them, where L =|m|/nL =|m|/n
Fast! But not very secure.Fast! But not very secure.
Does performing a left shift Does performing a left shift on the rows first help?on the rows first help?
DefineDefine as left-as left-shifting m by y bitsshifting m by y bits
ThenThen
ln21
22221
11211
2
1
...
mmm
mmm
mmm
m
m
m
m
ll
n
n
l
nccc ...21
ym
)1( imm ii
=h(m)
1,1,
212322
11211
...
...
llllll
n
mmm
mmm
mmm
nccc ...21
=h(m)
Exercise:1. Show that the basic (unrotated) version doesn’t satisfy properties 2 and 3.
2. What about the version that uses rotations?
3 properties:3 properties:1.1. Fast to computeFast to compute2.2. One-way: given y = One-way: given y =
h(m), can’t find h(m), can’t find any any m’ satisfying h(m’) = m’ satisfying h(m’) = y easily.y easily.
3.3. Strongly collision-Strongly collision-free: Can’t find mfree: Can’t find m11 ≠ mm22 such that such that h(mh(m11)=h(m)=h(m22))
ln21
22221
11211
2
1
...
mmm
mmm
mmm
m
m
m
m
ll
n
n
l
4cEasy Hash Algorithm (EHA) isn’t very secure!Easy Hash Algorithm (EHA) isn’t very secure!