CS G254/U645
11/9/07
Public Key Cryptography
Primes - There is an infinite number of them
Co-primes - Φ(n) = n(1 - 1/P1)(1 - 1/P2)...(1 - 1/Pk)
Candidate one way functions
addition
- easy to invert (subtraction)
multiplication
- cycles were short
- easy to invert (division)
exponentiation
a \ x | 0 1 2 3 4 5 6 7 8
0     | Always 0
1     | Always 1
2     | 1 2 4 1 2 4 1 2 4
3     | 1 3 2 6 4 5 1 3 2
4     | 1
5     | 1
6     | 1
7     | 1
8     | 1
Three generates a maximally long cycle; such an element is called a generator.
Thm: For any a (≠ 0), a^(p-1) ≡ 1 mod p
We want to use a large prime & a generator that has a long cycle.
Core idea of Diffie-Hellman
- Exponentiation is easy
- Discrete log is hard
p = 7, g = 3
3^x = 6 mod 7; x ?= 3
Worst case to solve for x is p-1 steps
3^5 mod 7 - naively is p-1 steps. Actually log2 p steps
Repeated Squaring
e.g. 3^4 - 4 operations
(3^2)^2 - 2 operations
3^64 mod 127 - 6 operations
Exponentiation by Repeated Squaring
Exp(g, x, p)
    if x = 0, return 1
    else if x is even, return (Exp(g, x/2, p))^2 mod p
    else (x is odd), return (g * (Exp(g, (x - 1)/2, p))^2) mod p
O(log2 p) running time.
Diffie-Hellman Secret Sharing
               | <------- p -------> |
A picks        | <------- g -------> | B picks
secret a       | --- g^a mod p ----> | secret b
computes       | <--- g^b mod p ---- | computes
(g^b)^a mod p  |                     | (g^a)^b mod p
= g^(ab) mod p |                     | = g^(ab) mod p
Thm: If p is a prime then there exist Φ(p-1) generators
Diffie-Hellman Encryption
Bob's public key is < g^b mod p, g, p >
private key is < b >
Alice wants to send a message m to Bob.
She picks an a & sends g^a mod p, m*g^(ab) mod p
Bob decrypts - [m * g^(ab)]/[(g^a)^b] = m
Nobody else can decrypt.
Diffie-Hellman Signature
Bob: pub key < g^b mod p, g, p >
private key < b >
Bob wants to sign m
Bob generates Sm randomly
Sends: m, g^(Sm) mod p; y = Sm+m*b mod (p-1)
(message with combined signature)
It is hard to extract b since Sm cannot be computed.
Sm+m*b is essentially a random number.
Verification:
g^y ?= (g^Sm) * (g^b)^m
Can the same Sm be used for two messages?
m1 & m2, Sm
y1 = Sm+m1*b
y2 = Sm+m2*b
(y1 - y2) / (m1 - m2) = b
The answer is no, because if the same Sm were used for two messages then B's private key would be compromised.
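The Sm-reuse argument above, run on toy numbers, as an added example that is not part of the original notes. The parameters p = 467 and g = 2, the key b, the Sm values, the messages and all function names are constructed assumptions chosen for illustration.

```python
"""Toy run of the notes' signature scheme: y = Sm + m*b mod (p-1)."""
from math import gcd

# Constructed toy parameters (assumptions, far too small for real use).
P = 467   # prime
G = 2     # generator mod 467

def public_key(b):
    return pow(G, b, P)                      # g^b mod p

def sign(m, b, s_m):
    """Return (g^Sm mod p, y) for message m, private key b, secret Sm."""
    return pow(G, s_m, P), (s_m + m * b) % (P - 1)

def verify(m, sig, pub):
    """Check g^y == g^Sm * (g^b)^m mod p."""
    r, y = sig
    return pow(G, y, P) == (r * pow(pub, m, P)) % P

def shares_sm(sig1, sig2):
    """Audit check: equal g^Sm values mean the same Sm was used twice."""
    return sig1[0] == sig2[0]

def key_from_reused_sm(m1, sig1, m2, sig2):
    """b = (y1 - y2) / (m1 - m2) mod (p-1), as derived in the notes."""
    d = (m1 - m2) % (P - 1)
    if gcd(d, P - 1) != 1:
        raise ValueError("m1 - m2 has no inverse mod p-1")
    return (sig1[1] - sig2[1]) * pow(d, -1, P - 1) % (P - 1)

def demo():
    b, s_m = 127, 213                        # constructed private key, Sm
    m1, m2 = 100, 97                         # constructed messages
    pub = public_key(b)
    sig1, sig2 = sign(m1, b, s_m), sign(m2, b, s_m)   # Sm reused: the mistake
    assert verify(m1, sig1, pub) and verify(m2, sig2, pub)
    fresh = sign(m2, b, 101)                 # a fresh Sm gives a different g^Sm
    return {
        "reuse_detected": shares_sm(sig1, sig2),
        "fresh_ok": not shares_sm(sig1, fresh),
        "recovered_b": key_from_reused_sm(m1, sig1, m2, sig2),
    }

if __name__ == "__main__":
    print(demo())
```

Because g^Sm is sent with every signature, a signer or auditor can catch reuse simply by comparing that value across signatures, which is what shares_sm does.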
RSA
Relies on factoring.
p * q = n
Φ(n) = n(1 - 1/p)(1 - 1/q) = (p-1)(q-1)
Bob will compute d & e.
d * e = 1 mod Φ(n)
public key <e,n>
private key <d>
Encryption
m^e mod n
Bob decrypts: (m^e)^d = m^(ed) = m^(kΦ(n)+1) = (m^Φ(n))^k * m = m mod n
Thm: if a & n are co-prime, then a^Φ(n) ≡ 1 mod n
Signature
m^d mod n
Hard to forge since no one other than Bob knows d.
Verify: (m^d)^e ?= m