Class 23: Cryptosystems

David Evans
November 16, 2017

cs2102: Discrete Mathematics
University of Virginia, Fall 2017

See course site for notes:
https://uvacs2102.github.io

Transcript

  1. Plan. Goal for today: Understand how discrete math enables asymmetric cryptography. Topics: Groups and Fields; Symmetric Cryptography; Asymmetric Cryptography.
  2. Recap: Abelian Group is Abelian (commutative) under the first operation

    (): ∀, , ∈ : associative: = commutative: = identity: ∃ ∈ : = inverse: ∃ ∈ : = = ℕ, = + is not an Abelian group: no additive inverse
  3. Making Addition Abelian ∀, , ∈ : associative: + +

    = + + commutative: + = + identity: + 0 = inverse: ∀ . ∃ ∈ : + = 0 = ℕ, = + is not an Abelian group: no additive inverse
  4. Congruence Prove: ≡ mod iff rem , = rem(, )

    A number is congruent to modulo iff | ( – ). Notation: ≡ mod
  5. Congruence Prove: ≡ mod iff rem , = rem(, )

    A number is congruent to modulo iff | ( – ). Notation: ≡ mod By division theorem, ∃A , A , C , C, such that: = A + A = C + C − = (A −C ) + (A −C )
  6. Preservation of Congruence If ≡ (mod ) and ≡ mod

    , (addition) + ≡ + (mod ) (multiplication) ≡ (mod ) (Proofs by algebra, in book.)
  7. Abelian Addition ∀, , ∈ : associative: + + =

    + + commutative: + = + identity: + 0 = inverse: ∀ . ∃ ∈ : + = 0 ℤL = ( = ℕL , = + mod ) What is the inverse in ℤL of ∈ ℕL?
  8. A ring is a set, , with two binary operations

    (e.g., + and ⋅) that satisfy the ring axioms: 1. is Abelian (commutative) under +: ∀, , ∈ : associative: ( + ) + = + ( + ), commutative: + = + additive identity: + 0 = additive inverse: + (−) = 0 2. is monoid (associative) under ⋅: associative: ⋅ ⋅ = ⋅ ( ⋅ ) multiplicative identity: ⋅ 1 = = 1 ⋅ 3. Distributive: ⋅ + = ⋅ + ⋅ + ⋅ = ⋅ + ( ⋅ ) Note: lots of disagreement about this definition – many versions do not require multiplicative identity.
  9. A ring is a set, , with two binary operations

    (e.g., + and ⋅) that satisfy the ring axioms: 1. is Abelian (commutative) under +: ∀, , ∈ : associative: ( + ) + = + ( + ) commutative: + = + additive identity: + = additive inverse: + (−) = 2. is monoid (associative) under ⋅: associative: ⋅ ⋅ = ⋅ ( ⋅ ) mult. identity: ⋅ = = ⋅ 3. Distributive: ⋅ + = ⋅ + ⋅ + ⋅ = ⋅ + ( ⋅ ) Is ℤL = ( = ℕL , A = + mod , C = ×(mod )) a ring?
  10. Problem Set ⍵ Create an artifact that conveys some idea

    from this class to a selected target audience. Teams of any size, expectations scale as √. Optional: no credit for something of no real value (test is if it is worthwhile for others). One or more PS equivalent for something valuable.
  11. Groups, Rings, and Fields Abelian group: set: , binary operation: +

    associative, commutative, additive identity (), additive inverse (−) Ring: set: , binary operations: +, × Abelian group under + associative, multiplicative identity () under × distributive: × distributes over + Field: set: , binary operations: +, × Ring with multiplicative inverse:
  12. Groups, Rings, and Fields Abelian group: set: , binary operation: +

    associative, commutative, additive identity (), additive inverse (−) Ring: set: , binary operations: +, × Abelian group under + associative, multiplicative identity () under × distributive: × distributes over + Field: set: , binary operations: +, × Ring with multiplicative inverse: ∀ ∈ − 0 . ∃UA ∈ . × UA = Most cryptography is done in finite fields
  13. A field is a set, , with two binary operations

    (e.g., + and ⋅) that satisfy the ring axioms: 1. is Abelian (commutative) under +: ∀, , ∈ : associative: ( + ) + = + ( + ) commutative: + = + additive identity: + = additive inverse: + (−) = 2. is monoid (associative) under ⋅: associative: ⋅ ⋅ = ⋅ ( ⋅ ) mult. identity: ⋅ = = ⋅ mult. inverse: ∀ ∈ − 0 . ∃UA ∈ . × UA = 3. Distributive: ⋅ + = ⋅ + ⋅ + ⋅ = ⋅ + ( ⋅ ) Fields of Dreams Which of these are fields? (1)ℚ, +,× (2){0, 1}, +,× (3)ℕL , +,×
  14. 1. is Abelian under +: associative. commutative, 0, − 2.

    is monoid (associative) under ⋅: associative, , UA 3. Distributive ℚ, +,×
  15. 1. is Abelian under +: associative. commutative, 0, − 2.

    is monoid (associative) under ⋅: associative, , UA 3. Distributive {0, 1}, +,×
  16. 1. is Abelian under +: associative. commutative, 0, − 2.

    is monoid (associative) under ⋅: associative, , UA 3. Distributive {0, 1}, +,× GF(2) Évariste Galois
  17. Is ℤL = ( = ℕL , A = +

    mod , C = × (mod )) a field? 1. is Abelian under +: associative. commutative, 0, − 2. is monoid (associative) under ⋅: associative, , UA 3. Distributive
  18. Is ℤL = ( = ℕL , A = +

    mod , C = × (mod )) a field? 1. is Abelian under +: associative. commutative, 0, − 2. is monoid (associative) under ⋅: associative, , UA 3. Distributive Which of the ℤL rings are fields?
  19. If ∈ ℕL is relatively prime to , has a

    multiplicative inverse in ℤL. (Lemma 9.9.1 in MCS) Definition: is relatively prime to iff gcd (, ) = 1.
  20. If ∈ ℕL is relatively prime to , has a

    multiplicative inverse in ℤL. (Lemma 9.9.1 in MCS) Definition: is relatively prime to iff gcd (, ) = 1. “Pulverizer” Theorem: ∀, ∈ ℕ. ∃, ∈ ℤ . gcd , = +
  21. Is ℤL = ( = ℕL , A = +

    mod , C = × (mod )) a field? 1. is Abelian under +: associative. commutative, 0, − 2. is monoid (associative) under ⋅: associative, , UA 3. Distributive If is prime, ℤL is a field. If ∈ ℕL is relatively prime to , has a multiplicative inverse in ℤL. (Lemma 9.9.1 in MCS)
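Slides 17 through 21 ask which ℤ_n are fields and invoke the Pulverizer to produce multiplicative inverses. The following added example (written for these notes, not part of the slide deck) implements the Pulverizer as the extended Euclidean algorithm, derives inverses from it as in Lemma 9.9.1, and brute-force checks the field property for small moduli; function names are my own.

```python
# Added example: the "Pulverizer" (extended Euclidean algorithm), modular
# inverses in Z_n, and a brute-force test of which Z_n are fields.

def pulverizer(a, b):
    """Return (g, s, t) with g = gcd(a, b) and g == s*a + t*b."""
    # Invariant: old_r == old_s*a + old_t*b and r == s*a + t*b on every loop.
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inverse(a, n):
    """Inverse of a in Z_n, or None when gcd(a, n) != 1 (Lemma 9.9.1)."""
    g, s, _ = pulverizer(a % n, n)
    if g != 1:
        return None
    # s*a + t*n == 1  implies  s*a ≡ 1 (mod n), so s (reduced) is the inverse.
    return s % n

def is_field(n):
    """Z_n is a field iff every non-zero element has a multiplicative inverse."""
    return n >= 2 and all(mod_inverse(a, n) is not None for a in range(1, n))

def field_moduli(limit):
    """All n in 2..limit for which Z_n is a field (expected: the primes)."""
    return [n for n in range(2, limit + 1) if is_field(n)]
```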
  22. 29 Active Attacker Encrypt Decrypt Plaintext Ciphertext Plaintext Alice Bob

    Insecure Channel (e.g., the Internet) Mallory (active attacker)
  23. 30 Message Cryptosystem Encrypt Decrypt Plaintext Ciphertext Plaintext Ciphertext Two

    functions: → and → Correctness property: for all possible messages ∈ , = Security property: given = it is “hard” to learn anything interesting about .
  24. 31 It is possible to state the security property precisely

    (and prove a cryptosystem satisfies it given hardness assumptions). Shafi Goldwasser and Silvio Micali 2013 Turing Award Winners (for doing this in the 1980s)
  25. 32 Message Cryptosystem Encrypt Decrypt Plaintext Ciphertext Plaintext Ciphertext Two

    functions: → and → Correctness property: for all possible messages ∈ , = Security property: given = it is “hard” to learn anything interesting about .
  26. 34 “The enemy knows the system being used.” Claude Shannon,

    Communication Theory of Secrecy Systems (1949) Claude Shannon 1916-2001
  27. (Keyed) Symmetric Cryptosystem 35 Encrypt Decrypt Plaintext Ciphertext Plaintext Insecure

    Channel Encrypt Decrypt Plaintext Ciphertext Plaintext Insecure Channel Key Key Only secret is the key, not the E and D functions that now take key as input.
  28. 36 Encrypt Decrypt Plaintext Ciphertext Plaintext Insecure Channel Key Key

    How well can shared key cryptosystems work on the Internet? ∈ , ∈ . F F =
  29. Key Exchange Armadillo Armadillo and Bunny drawings by Sandra Boynton

    Bunny Goal: Armadillo and Bunny want to communicate securely, but have not already established a shared key. Insecure Channel
  30. Diffie-Hellman(-Merkle) Key Exchange f mod h mod Picks secret Picks

    secret Armadillo Armadillo and Bunny drawings by Sandra Boynton Bunny Public values: (primitive root), (large prime)
  31. Diffie-Hellman(-Merkle) Key Exchange f = f mod h = h

    mod Picks secret Picks secret Armadillo Armadillo and Bunny drawings by Sandra Boynton Bunny Public values: (primitive root), (large prime) fh = h f hf = f h
  32. Key Agreement Requirements Correctness: both participants produce the same key,

    Security: an eavesdropper cannot find K from all intercepted values 44
  33. DH(M) Key Exchange: Correctness f = f mod h =

    h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod
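The correctness argument on this slide, as an added worked example (not from the slide deck): Armadillo and Bunny run Diffie-Hellman(-Merkle) with constructed toy public values p = 23 and primitive root g = 5, and both sides arrive at the same key because (g^a)^b = g^(ab) = (g^b)^a (mod p). Parameter sizes and function names are my own.

```python
# Added example: Diffie-Hellman(-Merkle) key agreement with constructed toy
# parameters. Real deployments use primes of 2048 bits or more.

P = 23   # constructed small prime (public)
G = 5    # constructed primitive root of 23 (public)

def public_value(secret, g=G, p=P):
    """What a participant sends over the insecure channel: g^secret mod p."""
    return pow(g, secret, p)

def shared_key(received_public, own_secret, p=P):
    """What a participant computes from the other side's public value."""
    return pow(received_public, own_secret, p)

def key_exchange(a, b, g=G, p=P):
    """Run the protocol with Armadillo's secret a and Bunny's secret b.

    Returns (armadillo_key, bunny_key, eavesdropper_view)."""
    A = public_value(a, g, p)          # Armadillo -> Bunny
    B = public_value(b, g, p)          # Bunny -> Armadillo
    k_armadillo = shared_key(B, a, p)  # B^a = g^(ba)
    k_bunny = shared_key(A, b, p)      # A^b = g^(ab)
    # Everything an eavesdropper sees on the channel: neither secret, no key.
    eavesdropper_view = {"p": p, "g": g, "A": A, "B": B}
    return k_armadillo, k_bunny, eavesdropper_view

def correctness_holds(a, b, g=G, p=P):
    """Both participants produce the same key, and it equals g^(ab) mod p."""
    k1, k2, _ = key_exchange(a, b, g, p)
    return k1 == k2 == pow(g, a * b, p)
```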
  34. DH(M) Key Exchange: Security f = f mod h =

    h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod
  35. DH(M) Key Exchange: Security Public values: (primitive root), (large prime)

    is a primitive root of p if ∀ ∈ 1, … , − 1 . ∃ ∈ 1, … , − 1 . l = mod What are the primitive roots of 7?
  36. DH(M) Key Exchange: Security Public values: (primitive root), (large prime)

    is a primitive root of p if ∀ ∈ 1, … , − 1 . ∃ ∈ 1, … , − 1 . l = mod Theorem (asserted without proof): If is prime, it has a primitive root.
  37. Public values: (primitive root), (large prime) is a primitive root

    of p if ∀ ∈ 1, … , − 1 . ∃ ∈ 1, … , − 1 . l = mod Theorem (asserted without proof): If is prime, it has a primitive root.
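Slides 35 through 37 define a primitive root and ask for the primitive roots of 7. The added example below (not from the slide deck) checks the definition directly by enumeration, answers the question, and spot-checks the asserted theorem for small primes; the function names are my own.

```python
# Added example: primitive roots by the slide's definition, and a spot-check
# of the theorem that every prime has one.

def is_primitive_root(g, p):
    """g is a primitive root of p if every y in 1..p-1 equals g^x mod p
    for some x in 1..p-1, i.e. the powers of g generate all non-zero residues."""
    generated = {pow(g, x, p) for x in range(1, p)}
    return generated == set(range(1, p))

def primitive_roots(p):
    """All primitive roots of p (for p = 7 this is [3, 5])."""
    return [g for g in range(1, p) if is_primitive_root(g, p)]

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def every_prime_has_primitive_root(limit):
    """Check the theorem (asserted without proof on the slide) up to limit."""
    return all(primitive_roots(p) for p in range(2, limit + 1) if is_prime(p))
```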
  38. DH(M) Key Exchange: Security f = f mod h =

    h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod
  39. DH(M) Key Exchange: Security f = f mod h =

    h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod Given f mod , can the adversary find ?
  40. Discrete Logarithm Problem Given , , = f mod ,

    find . Believed to be “hard” for well chosen values of and , so long as your adversary doesn’t have a large quantum computer.
  41. DH(M) Key Exchange: Security f = f mod h =

    h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod
  42. DH(M) Key Exchange: Security f = f mod h =

    h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod
  43. Charge Problem Set 9: will be posted Sunday, due Dec

    1 Tuesday’s class: cryptography in practice