Impossible Encryption

Download Impossible Encryption

Post on 10-Apr-2016

5 views

Category:

Documents

0 download

Embed Size (px)

DESCRIPTION

encryption techniques

TRANSCRIPT

  • *

    Thinking the ImpossibleModern CryptographyJeremy R. Johnson

  • *IntroductionObjective: To see how to securely communicate on the internet without giving up privacy. To understand what a public key cryptosystem is and how the RSA algorithm works. To do impossible things.

    Modern cryptographySolutions to some impossible problemsPublic Key CryptosystemsModular ArithmeticRSA Algorithm

    References: Rivest, Shamir, Adelman CS Unplugged

  • *Importance of the AreaDid you buy anything online recently? Use an ATM machine? If so, whether you know it or not, you used cryptography. Cryptography (in the guise of the SSL protocol) protects your credit card information as it whizzes across the Internet, and ensures that others can't withdraw money from your account.

    The ubiquitous use of tools such as SSL and SSH shows that cryptography, once an esoteric military concern, has now burst into the mainstream. Yet, this is only the beginning of a coming flood.

  • *Impossible Problem OneHow can you determine the outcome of a vote on the intenet without revealing individual votes?

  • *Classical CryptographyBasic problem: Secure communication over an insecure channel

    Solution: private key encryptionm E(k,m) = c D(k,c) = m

    Shannon provided a rigorous theory of perfect secrecy based on information theoryAdversary has unlimited computational resources, but key must be as long as message

  • *Substitution CypherHELLOALL HAIL CEASAR

  • *Substitution CypherKHOORDOO KDLO FHDVDU

  • *Frequency Analysis

    en.wikipedia.org/wiki/Frequency_analysis_(cryptanalysis)scottbryce.com/cryptograms

  • *One Time PadPad = b1 bn {0,1}* chosen randomlym = m1 mnE(Pad,m) = c = m PadD(Pad,c) = c Pad = (m Pad) Pad = m

    m,c PrPad[E(Pad,m) = c] = 1/2nNo information gained from seeing cHowever, E(Pad,m) E(Pad,m) = m m

  • *Impossible Problem TwoHow can you send a secret over the internet without previously sending a courier to distribute the secret key?

    Is your method secure?

    The answer comes from modern cryptography and relies on public key cryptography

    Whitfield Diffie and Martin E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. IT-22, No. 6, Nov. 1976.

  • *Public Key CryptosystemLet M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. D(E(M)) = MBoth E() and D() are easy to computePublicly revealing E() does not make it easy to determine D()E(D(M)) = M - needed for signatures

    The collection of E()s are made publicly available but the D()s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

  • Public Key Encryption Map (From CS Unplugged)

  • Public Key Encryption MapThe MapWhat To DoCome up with 10 numbers that add up to your ASCII value.Label your vertices with the values.Take each vertex and its neighbors, compute the sum, and replace the vertex value with that sum.Erase the old values!!!

  • ASCII Table

  • Private Key Encryption Map

  • Private Key Encryption MapThe Private KeyWhat To DoJust add up the values of each bold vertex from the public map you were given.

  • *Modern CryptographyAdversarys resources are computationally boundedProbabilistic polynomial time algorithmImpossibility of breaking the encryption system Infeasibility of breakingRely on gap between efficient algorithms for encryption and computational infeasibility of decryption by adversary

  • *Dominating Sets & NP Completeness

  • *Dominating Sets & NP Completeness

  • *Impossible Problem ThreeHow can you flip a coin over the phone?

    The answer comes from modern cryptography and is the key to secure communication over the internet, provides privacy, authentication and digital signatures

  • *Public Key CryptosystemLet M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. D(E(M)) = MBoth E() and D() are easy to computePublicly revealing E() does not make it easy to determine D()E(D(M)) = M - needed for signatures

    The collection of E()s are made publicly available but the D()s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

  • *Impossible Problem FourHow can you prove you know something to an adversary without revealing your secret?

    The answer comes from the area of zero knowledge proofs

  • Wheres Waldo*

  • Open Sesame*Jean-Jacques Quisquater, Louis C. Guillou, Thomas A. Berson. How to Explain Zero-Knowledge Protocols to Your Children. Advances in Cryptology - CRYPTO '89: Proceedings, v.435, p.628-631, 1990.

  • *Zero Knowledge Proof Completeness: if the statement is true, the honest verifier (that is, one following the protocol properly) will be convinced of this fact by an honest prover.Soundness: if the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability.Zero-knowledge: if the statement is true, no cheating verifier learns anything other than this fact. This is formalized by showing that every cheating verifier has some simulator that, given only the statement to be proven (and no access to the prover), can produce a transcript that "looks like" an interaction between the honest prover and the cheating verifier.

  • Secure PasswordsEvery users stores a statement of a theorem in a publicly readable directoryUpon login, the user engages in a zero-knowledge proof of the correctness of the theoremIf the proof is convincing access is grantedGuarantees that an adversary who overhears the proof can not learn enough to gain access*

  • *

    RSA Public Key Cryptosystem

  • *Public Key CryptosystemLet M be a message and let C be the encrypted message (ciphertext). A public key cryptosystem has a separate method E() for encrypting and D() decrypting. D(E(M)) = MBoth E() and D() are easy to computePublicly revealing E() does not make it easy to determine D()E(D(M)) = M - needed for signatures

    The collection of E()s are made publicly available but the D()s remain secret. Called a one-way trap-door function (hard to invert, but easy if you have the secret information)

  • *Clock Arithmetic123456789101107+6 = ?

  • *Clock Arithmetic123456789101107 + 1

  • *Clock Arithmetic123456789101107 + 2

  • *Clock Arithmetic123456789101107 + 3

  • *Clock Arithmetic123456789101107 + 4

  • *Clock Arithmetic123456789101107 + 5

  • *Clock Arithmetic123456789101107 + 6 = 1 (mod 12)

  • *Clock Arithmetic123456789101105 5 = ?

  • *Clock Arithmetic123456789101105 2

  • *Clock Arithmetic123456789101105 3

  • *Clock Arithmetic123456789101105 4

  • *Clock Arithmetic123456789101105 5 = 1 (mod 12)

  • *Multiplication Table mod 5

    01234000000101234202413303142404321

  • *Multiplication Table mod 6

    012345000000010123452024024303030340420425054321

  • *Modular Arithmetic (Zn)Definition: a b (mod n) n | (b - a) Alternatively, a = qn + b

    Properties (equivalence relation)a a (mod n) [Reflexive]a b (mod n) b a (mod n) [Symmetric]a b (mod n) and b c (mod n) a c (mod n) [Transitive]

    Definition: An equivalence class mod n

    [a] = { x: x a (mod n)} = { a + qn | q Z}

  • *Modular Arithmetic (Zn)It is possible to perform arithmetic with equivalence classes mod n.

    [a] + [b] = [a+b] [a] * [b] = [a*b]

    In order for this to make sense, you must get the same answer (equivalence) class independent of the choice of a and b. In other words, if you replace a and b by numbers equivalent to a or b mod n you end of with the sum/product being in the same equivalence class.

    a1 a2 (mod n) and b1 b2 (mod n) a1+ b1 a2 + b2 (mod n) a1* b1 a2 * b2 (mod n)

    (a + q1n) + (b + q2n) = a + b + (q1 + q2)n(a + q1n) * (b + q2n) = a * b + (b*q1 + a*q2 + q1* q2)n

  • *Representation of ZnThe equivalence classes [a] mod n, are typically represented by the representatives a.

    Positive Representation: Choose the smallest positive integer in the class [a] then the representation is {0,1,,n-1}.

    Symmetric Representation: Choose the integer with the smallest absolute value in the class [a]. The representation is {-(n-1)/2 ,, n/2 }. When n is even, choose the positive representative with absolute value n/2.E.G. Z6 = {-2,-1,0,1,2,3}, Z5 = {-2,-1,0,1,2}

  • *Greatest Common DivisorDefinition: g = gcd(a,b) g|a and g|b if e|a and e|b then e|g

    Example: gcd(30,12) = 6 30 = 2 3 5 12 = 22 3

    Inefficient!!!

  • *Euclidean Algorithmgcd(a,b) if b = 0 then return a else return gcd(b, a mod b)

    Example: gcd(30,12) gcd(12,6) gcd(6,0) Efficient!!! O(log N), a, b N

  • *Modular InversesDefinition: x is the inverse of a mod n, if ax 1 (mod n)

    The equation ax 1 (mod n) has a solution iff gcd(a,n) = 1.

    Extended Euclidean Algorithm, there exist x and y such that ax + ny = gcd(a,n).

    When gcd(a,n) = 1, ax + ny = 1 ax 1 (mod n)

    Example

    gcd(5,12) = 1, 5 5 + -2 12 = 1

  • *Euler phi functionDefinition: phi(n) = #{a: 0 < a < n and gcd(a,n) = 1}Propert