HW6 due tomorrow HW6 due tomorrow Teams T will get to pick their Teams T will get to pick their presentation day in the order presentation day in the order Questions? Questions? Review of mid-term feedback Review of mid-term feedback This week: This week: Discrete Logs, Discrete Logs, Diffie-Hellman, ElGamal Diffie-Hellman, ElGamal Hash Functions Hash Functions DTTF/NB479: Dszquphsbqiz DTTF/NB479: Dszquphsbqiz Day Day 25 25 ) ( p ft lateDaysLe avg T p
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
Dec 19, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
HW6 due tomorrowHW6 due tomorrow Teams T will get to pick their Teams T will get to pick their
presentation day in the orderpresentation day in the order
Questions? Questions? Review of mid-term feedbackReview of mid-term feedback
This week:This week: Discrete Logs, Discrete Logs, Diffie-Hellman, ElGamalDiffie-Hellman, ElGamal Hash FunctionsHash Functions
DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 25Day 25
)( pftlateDaysLeavgTp
Discrete LogsDiscrete Logs
)(Lx
Find x
We denote this as
Why is this hard?
Given )(mod px
Some things we won’t cover in Some things we won’t cover in class about Discrete Logsclass about Discrete Logs
7.2.2 Baby step, Giant Step (worth reading)7.2.2 Baby step, Giant Step (worth reading)7.2.3 Index Calculus: like sieve method of factoring 7.2.3 Index Calculus: like sieve method of factoring primesprimes The equation on p. 207 might help with some of homework The equation on p. 207 might help with some of homework
7.7.
Discrete logs mod 4 and bit commitmentDiscrete logs mod 4 and bit commitment We skip to make time for some applications of discrete logsWe skip to make time for some applications of discrete logs Although the football game prediction analogy is Although the football game prediction analogy is
interesting…interesting…
)1(mod)(
)(mod
ppLak
pp
ii
ai
k i
Diffie-Hellman is an alternative to RSA for key Diffie-Hellman is an alternative to RSA for key exchange, but is based on discrete logsexchange, but is based on discrete logs
Publish large prime p, and a primitive root Publish large prime p, and a primitive root
Alice’s secret exponent: xAlice’s secret exponent: x
Bob’s secret exponent: yBob’s secret exponent: y 0 < x,y < p-10 < x,y < p-1
Alice sends Alice sends xx (mod p) to Bob (mod p) to Bob
Bob sends Bob sends yy (mod p) to Alice (mod p) to Alice
Each know key K=Each know key K=xyxy
Eve sees p, Eve sees p, xx , , yy … …why can’t she determine why can’t she determine xyxy??
Diffie-Hellman Key ExchangeDiffie-Hellman Key ExchangePublish large prime p, Publish large prime p, primitive root primitive root Alice’s secret exponent: xAlice’s secret exponent: xBob’s secret exponent: yBob’s secret exponent: y
0 < x,y < p-10 < x,y < p-1Alice sends Alice sends xx (mod p) to Bob (mod p) to BobBob sends Bob sends yy (mod p) to Alice (mod p) to AliceEach know key K=Each know key K=xyxy
Eve sees Eve sees , p, , p, xx , , yy ; why ; why can’t she determine can’t she determine xyxy??
Discrete logs: Discrete logs: ““Given Given xx = = (mod p), find x(mod p), find x
Computational Diffie-Hellman Computational Diffie-Hellman problem:problem:““Given Given , p, , p, xx (mod p), (mod p), yy (mod p), (mod p),
find find xyxy (mod p)” (mod p)”
Decision Diffie-Hellman problem:Decision Diffie-Hellman problem:““Given Given , p, , p, xx (mod p), (mod p), yy (mod p), (mod p),
and c ≠ 0 (mod p). and c ≠ 0 (mod p). Verify that c=Verify that c=xyxy (mod p)” (mod p)”
What’s the relationship between the three? Which is hardest?What’s the relationship between the three? Which is hardest?
The ElGamal Cryptosystem is an entire public-key The ElGamal Cryptosystem is an entire public-key cryptosystem like RSA, but based on discrete logscryptosystem like RSA, but based on discrete logs
p large so secure and > m = messagep large so secure and > m = message
1
Bob chooses prime p, primitive root Bob chooses prime p, primitive root , integer a, integer aBob computes Bob computes ≡ ≡ a a (mod p)(mod p)Bob publishes (Bob publishes (, p, , p, ) and holds ) and holds aa secret secret Alice chooses secret k, computes and sends to Bob the pair (r,t) whereAlice chooses secret k, computes and sends to Bob the pair (r,t) where
r ≡ r ≡ kk (mod p) (mod p) t ≡ t ≡ kkm (mod p)m (mod p)
Bob calculates: trBob calculates: tr-a-a ≡ m (mod p) ≡ m (mod p)
Why does this decrypt?Why does this decrypt?
ElGamal CryptosystemElGamal CryptosystemBob publishes (Bob publishes (, p, , p, ≡ ≡ aa))Alice chooses secret k, Alice chooses secret k,
computes and sends to Bob computes and sends to Bob the pair (r,t) wherethe pair (r,t) where
r ≡ r ≡ kk (mod p) (mod p) t ≡ t ≡ kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a ≡ m (mod p) ≡ m (mod p)Why does this work?Why does this work?
Multiplying m by Multiplying m by kk scrambles it. scrambles it.
Eve sees Eve sees , p, , p, , r, t. If she only knew , r, t. If she only knew a or k!a or k!
Knowing a allows decryption.Knowing a allows decryption.
Knowing k also allows decryption. Knowing k also allows decryption. Why?Why?
Can’t find k from r or t.Can’t find k from r or t. Why?Why?
2-3
ElGamalElGamalBob publishes (Bob publishes (, p, , p, ≡ ≡ aa))Alice chooses secret k, Alice chooses secret k,
computes and sends to computes and sends to Bob the pair (r,t) whereBob the pair (r,t) where
r ≡ r ≡ kk (mod p) (mod p) t ≡ t ≡ kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a ≡ m (mod p) ≡ m (mod p)
1.1. Show that Bob’s decryption worksShow that Bob’s decryption works
2.2. Eve would like to know k. Show that knowing k Eve would like to know k. Show that knowing k allows decryption. Why? allows decryption. Why?
3.3. Why can’t Eve compute k from r or t? Why can’t Eve compute k from r or t?
4.4. Challenge: Alice should randomize k each time. If Challenge: Alice should randomize k each time. If not, and Eve gets hold of a plaintext / ciphertext (mnot, and Eve gets hold of a plaintext / ciphertext (m11, , rr11, t, t11), she can decrypt other ciphertexts (m), she can decrypt other ciphertexts (m22, r, r22, t, t22). ). Show how.Show how.
5.5. If Eve says she found m from (r,t), can we verify that If Eve says she found m from (r,t), can we verify that she really found it, using only m,r,t, and the public she really found it, using only m,r,t, and the public key (and not k or a)? Explain.key (and not k or a)? Explain.
6.6. (For HW: Create a public key ((For HW: Create a public key (, p, , p, ), encrypt a ), encrypt a message as (r,t), and decrypt it using the private message as (r,t), and decrypt it using the private key. You may do this with a friend as we did for key. You may do this with a friend as we did for RSA, or do it on your own.)RSA, or do it on your own.)
4-6
Related Documents
