Slide 1

Class 23: Cryptosystems
cs2102: Discrete Mathematics | F17 | uvacs2102.github.io
David Evans, University of Virginia

Slide 2

Plan
Goal for today: Understand how discrete math enables asymmetric cryptography.
Groups and Fields
Symmetric Cryptography
Asymmetric Cryptography

Slide 3

Recap: Abelian Group is Abelian (commutative) under the first operation (): ∀, , ∈ : associative: = commutative: = identity: ∃ ∈ : = inverse: ∃ ∈ : = = ℕ, = + is not an Abelian group: no additive inverse

Slide 4

Making Addition Abelian ∀, , ∈ : associative: + + = + + commutative: + = + identity: + 0 = inverse: ∀ . ∃ ∈ : + = 0 = ℕ, = + is not an Abelian group: no additive inverse

Slide 5

Modular Arithmetic

Slide 6

Congruence Prove: ≡ mod iff rem , = rem(, ) A number is congruent to modulo iff | ( – ). Notation: ≡ mod

Slide 7

Congruence Prove: ≡ mod iff rem , = rem(, ) A number is congruent to modulo iff | ( – ). Notation: ≡ mod By division theorem, ∃A , A , C , C, such that: = A + A = C + C − = (A −C ) + (A −C )

Slide 8

Preservation of Congruence If ≡ (mod ) and ≡ mod , (addition) + ≡ + (mod ) (multiplication) ≡ (mod ) (Proofs by algebra, in book.)

Slide 9

Defining Subsets of ℕ ℕF = ∈ ℕ ∧ < }

Slide 10

Abelian Addition ∀, , ∈ : associative: + + = + + commutative: + = + identity: + 0 = inverse: ∀ . ∃ ∈ : + = 0 ℤL = ( = ℕL , = + mod ) What is the inverse in ℤL of ∈ ℕL?

Slide 11

A ring is a set, , with two binary operations (e.g., + and ⋅) that satisfy the ring axioms:
1. is Abelian (commutative) under +: ∀, , ∈ :
associative: ( + ) + = + ( + )
commutative: + = +
additive identity: + 0 =
additive inverse: + (−) = 0
2. is a monoid (associative) under ⋅:
associative: ( ⋅ ) ⋅ = ⋅ ( ⋅ )
multiplicative identity: ⋅ 1 = = 1 ⋅
3. Distributive: ⋅ ( + ) = ( ⋅ ) + ( ⋅ ) and ( + ) ⋅ = ( ⋅ ) + ( ⋅ )
Note: there is a lot of disagreement about this definition; many versions do not require a multiplicative identity.

Slide 12

A ring is a set, , with two binary operations (e.g., + and ⋅) that satisfy the ring axioms:
1. is Abelian (commutative) under +: ∀, , ∈ :
associative: ( + ) + = + ( + )
commutative: + = +
additive identity: + =
additive inverse: + (−) =
2. is a monoid (associative) under ⋅:
associative: ( ⋅ ) ⋅ = ⋅ ( ⋅ )
mult. identity: ⋅ = = ⋅
3. Distributive: ⋅ ( + ) = ( ⋅ ) + ( ⋅ ) and ( + ) ⋅ = ( ⋅ ) + ( ⋅ )
Is ℤL = ( = ℕL , A = + mod , C = × (mod )) a ring?

Slide 13

Problem Set ⍵ Create an artifact that conveys some idea from this class to a selected target audience. Teams of any size, expectations scale as √. Optional: no credit for something of no real value (test is if it is worthwhile for others). One or more PS equivalent for something valuable.

Slide 14

https://www.youtube.com/watch?v=YC-ewXitC5w Examples from last year on course site: Logical Operators by Helen Simecek

Slide 15

Groups, Rings, and Fields
Abelian group: set: , binary operation: +
associative, commutative, additive identity (), additive inverse (−)
Ring: set: , binary operations: +, ×
Abelian group under +
associative, multiplicative identity () under ×
distributive: × distributes over +
Field: set: , binary operations: +, ×
Ring with multiplicative inverse:

Slide 16

Multiplicative Inverse

Slide 17

Groups, Rings, and Fields
Abelian group: set: , binary operation: +
associative, commutative, additive identity (), additive inverse (−)
Ring: set: , binary operations: +, ×
Abelian group under +
associative, multiplicative identity () under ×
distributive: × distributes over +
Field: set: , binary operations: +, ×
Ring with multiplicative inverse: ∀ ∈ − 0 . ∃UA ∈ . × UA =
Most cryptography is done in finite fields.

Slide 18

A field is a set, , with two binary operations (e.g., + and ⋅) that satisfy the field axioms (the ring axioms plus a multiplicative inverse):
1. is Abelian (commutative) under +: ∀, , ∈ :
associative: ( + ) + = + ( + )
commutative: + = +
additive identity: + =
additive inverse: + (−) =
2. is a monoid (associative) under ⋅:
associative: ( ⋅ ) ⋅ = ⋅ ( ⋅ )
mult. identity: ⋅ = = ⋅
mult. inverse: ∀ ∈ − 0 . ∃UA ∈ . × UA =
3. Distributive: ⋅ ( + ) = ( ⋅ ) + ( ⋅ ) and ( + ) ⋅ = ( ⋅ ) + ( ⋅ )
Fields of Dreams
Which of these are fields? (1) ℚ, +, × (2) {0, 1}, +, × (3) ℕL, +, ×

Slide 19

1. is Abelian under +: associative, commutative, 0, −
2. is a monoid (associative) under ⋅: associative, , UA
3. Distributive
ℚ, +, ×

Slide 20

1. is Abelian under +: associative, commutative, 0, −
2. is a monoid (associative) under ⋅: associative, , UA
3. Distributive
{0, 1}, +, ×

Slide 21

1. is Abelian under +: associative, commutative, 0, −
2. is a monoid (associative) under ⋅: associative, , UA
3. Distributive
{0, 1}, +, × is the field GF(2) (named for Évariste Galois).

Slide 22

Is ℤL = ( = ℕL , A = + mod , C = × (mod )) a field?
1. is Abelian under +: associative, commutative, 0, −
2. is a monoid (associative) under ⋅: associative, , UA
3. Distributive

Slide 23

Is ℤL = ( = ℕL , A = + mod , C = × (mod )) a field?
1. is Abelian under +: associative, commutative, 0, −
2. is a monoid (associative) under ⋅: associative, , UA
3. Distributive
Which of the ℤL rings are fields?

Slide 24

If ∈ ℕL is relatively prime to , has a multiplicative inverse in ℤL. (Lemma 9.9.1 in MCS) Definition: is relatively prime to iff gcd (, ) = 1.

Slide 25

If ∈ ℕL is relatively prime to , has a multiplicative inverse in ℤL. (Lemma 9.9.1 in MCS) Definition: is relatively prime to iff gcd (, ) = 1. “Pulverizer” Theorem: ∀, ∈ ℕ. ∃, ∈ ℤ . gcd , = +

Slide 26

Is ℤL = ( = ℕL , A = + mod , C = × (mod )) a field?
1. is Abelian under +: associative, commutative, 0, −
2. is a monoid (associative) under ⋅: associative, , UA
3. Distributive
If is prime, ℤL is a field.
If ∈ ℕL is relatively prime to , has a multiplicative inverse in ℤL. (Lemma 9.9.1 in MCS)
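As an added example (my code, not from the slides or from MCS), the following Python makes the last three slides concrete for ℤ_n, the integers 0..n-1 under + and × mod n: it checks every ring axiom on ℤ_n by brute force, computes multiplicative inverses with the Pulverizer (the extended Euclidean algorithm behind Lemma 9.9.1), and lists which ℤ_n are fields. The function names and the bound of 20 are my choices.

```python
# Added example, not from the slides: ring/field axioms of Z_n by brute force,
# and the Pulverizer (extended Euclid) for multiplicative inverses.
from typing import Optional


def pulverizer(a: int, b: int) -> tuple[int, int, int]:
    """Return (g, s, t) with g = gcd(a, b) = s*a + t*b.

    Invariant kept throughout: r0 = s0*a + t0*b and r1 = s1*a + t1*b.
    """
    r0, r1 = a, b
    s0, s1 = 1, 0
    t0, t1 = 0, 1
    while r1 != 0:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def mod_inverse(a: int, n: int) -> Optional[int]:
    """Multiplicative inverse of a in Z_n, or None if gcd(a, n) != 1."""
    g, s, _ = pulverizer(a % n, n)
    if g != 1:
        return None          # a is not relatively prime to n: no inverse
    # s*a + t*n = 1, so s*a ≡ 1 (mod n); reduce s into 0..n-1
    return s % n


def is_commutative_ring(n: int) -> bool:
    """Check every ring axiom on all of Z_n (O(n^3); fine for small n)."""
    elems = range(n)

    def add(x, y):
        return (x + y) % n

    def mul(x, y):
        return (x * y) % n

    for a in elems:
        if add(a, 0) != a or mul(a, 1 % n) != a:      # identities
            return False
        if not any(add(a, b) == 0 for b in elems):    # additive inverse
            return False
        for b in elems:
            if add(a, b) != add(b, a) or mul(a, b) != mul(b, a):
                return False
            for c in elems:
                if add(add(a, b), c) != add(a, add(b, c)):
                    return False
                if mul(mul(a, b), c) != mul(a, mul(b, c)):
                    return False
                if mul(a, add(b, c)) != add(mul(a, b), mul(a, c)):
                    return False
    return True


def is_field(n: int) -> bool:
    """Z_n is a field iff every non-zero element has a multiplicative inverse."""
    return n >= 2 and all(mod_inverse(a, n) is not None for a in range(1, n))


def fields_up_to(limit: int) -> list[int]:
    """The n in 2..limit for which Z_n is a field (expect exactly the primes)."""
    return [n for n in range(2, limit + 1) if is_field(n)]


if __name__ == "__main__":
    print("Z_n is a ring for n = 2..10:", all(is_commutative_ring(n) for n in range(2, 11)))
    print("Z_n is a field for n =", fields_up_to(20))
    print("inverse of 3 in Z_7:", mod_inverse(3, 7), "; inverse of 4 in Z_8:", mod_inverse(4, 8))
```

Running it shows that every ℤ_n is a ring but only the prime moduli give fields: 4 has no inverse in ℤ_8 because gcd(4, 8) = 2, exactly the case Lemma 9.9.1 excludes. The Pulverizer is also what real implementations use for modular inversion, since it runs in time proportional to the number of bits rather than to n.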

Slide 27

Cryptography

Slide 28

Introductions
(diagram) Alice encrypts a plaintext into a ciphertext and sends it over an insecure channel; Bob decrypts it back to the plaintext. Eve, a passive attacker, can read everything on the channel.

Slide 29

Active Attacker
(diagram) The same setup over an insecure channel (e.g., the Internet), but now the attacker is Mallory, an active attacker who can tamper with the channel rather than only read it.

Slide 30

Message Cryptosystem
(diagram: Encrypt takes a plaintext to a ciphertext; Decrypt takes the ciphertext back to the plaintext)
Two functions: → and →
Correctness property: for all possible messages ∈ , =
Security property: given = , it is “hard” to learn anything interesting about .

Slide 31

It is possible to state the security property precisely (and to prove that a cryptosystem satisfies it, given hardness assumptions).
Shafi Goldwasser and Silvio Micali: 2013 Turing Award winners (for doing this in the 1980s).

Slide 32

Message Cryptosystem
(diagram: Encrypt takes a plaintext to a ciphertext; Decrypt takes the ciphertext back to the plaintext)
Two functions: → and →
Correctness property: for all possible messages ∈ , =
Security property: given = , it is “hard” to learn anything interesting about .

Slide 33

Kerckhoffs's Principle (Auguste Kerckhoffs)

Slide 34

“The enemy knows the system being used.”
Claude Shannon, Communication Theory of Secrecy Systems (1949)
Claude Shannon (1916-2001)

Slide 35

(Keyed) Symmetric Cryptosystem
(diagram: Encrypt and Decrypt now each take the shared key as well as their input; only the ciphertext crosses the insecure channel)
The only secret is the key, not the E and D functions, which are public and now take the key as input.
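As an added example (my code, not from the slides), here is the keyed symmetric cryptosystem of this slide instantiated as a one-time pad over bytes. E and D are public functions that take the key as input and the key is the only secret, as Kerckhoffs's principle requires. Addition in GF(2), the two-element field from the earlier slides, is XOR, so E and D turn out to be the same function and the correctness property D(k, E(k, m)) = m follows from k XOR k = 0. The last function shows the security property failing when a key is reused, which is why the pad is one-time; the messages are constructed samples.

```python
# Added example, not from the slides: a one-time pad as a keyed symmetric
# cryptosystem. Encrypt and Decrypt are public; the key is the only secret.
import secrets


def xor_bytes(x: bytes, y: bytes) -> bytes:
    """Byte-wise addition in GF(2): XOR."""
    if len(x) != len(y):
        raise ValueError("one-time pad needs equal lengths")
    return bytes(a ^ b for a, b in zip(x, y))


def keygen(length: int) -> bytes:
    """A fresh uniformly random key, as long as the message."""
    return secrets.token_bytes(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """E(k, m) = m XOR k."""
    return xor_bytes(plaintext, key)


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """D(k, c) = c XOR k; with XOR, D is the same function as E."""
    return xor_bytes(ciphertext, key)


def correctness_holds(key: bytes, m: bytes) -> bool:
    """The slide's correctness property: D(k, E(k, m)) == m."""
    return decrypt(key, encrypt(key, m)) == m


def key_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """What Eve learns from two ciphertexts under one key: c1 XOR c2 = m1 XOR m2.

    The key cancels, so Eve gets the XOR of the two plaintexts without ever
    seeing k; with natural-language messages that is usually enough to read both.
    """
    return xor_bytes(encrypt(key, m1), encrypt(key, m2))


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1 = b"attack at dawn!!"
    m2 = b"retreat at dusk!"
    k = keygen(len(m1))
    print("correct:", correctness_holds(k, m1))
    print("ciphertext:", encrypt(k, m1).hex())
    print("key reuse leaks m1 XOR m2:", key_reuse_leak(k, m1, m2) == xor_bytes(m1, m2))
```

With a fresh uniformly random key per message the ciphertext is independent of the plaintext, which is the strongest form of the slide's security property; the key-reuse function is the reminder that the property is about the whole system, not just the function E.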

Slide 36

(diagram: keyed symmetric cryptosystem over an insecure channel)
How well can shared-key cryptosystems work on the Internet?
∈ , ∈ . F F =

Slide 37

(diagram: keyed symmetric cryptosystem over an insecure channel, with the key held at both ends)

Slide 38

(diagram: keyed symmetric cryptosystem over an insecure channel, with the key held at both ends)

Slide 39

Martin Hellman Whit Diffie

Slide 40

Martin Hellman Whit Diffie Ralph Merkle Spurned by ACM Cropped by NYT Included in cs2102!

Slide 41

Key Exchange
Goal: Armadillo and Bunny want to communicate securely over an insecure channel, but have not already established a shared key.
(Armadillo and Bunny drawings by Sandra Boynton)

Slide 42

Diffie-Hellman(-Merkle) Key Exchange f mod h mod Picks secret Picks secret Armadillo Armadillo and Bunny drawings by Sandra Boynton Bunny Public values: (primitive root), (large prime)

Slide 43

Diffie-Hellman(-Merkle) Key Exchange f = f mod h = h mod Picks secret Picks secret Armadillo Armadillo and Bunny drawings by Sandra Boynton Bunny Public values: (primitive root), (large prime) fh = h f hf = f h

Slide 44

Key Agreement Requirements
Correctness: both participants produce the same key K.
Security: an eavesdropper cannot find K from all intercepted values.

Slide 45

DH(M) Key Exchange: Correctness f = f mod h = h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod

Slide 46

DH(M) Key Exchange: Security f = f mod h = h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod

Slide 47

DH(M) Key Exchange: Security Public values: (primitive root), (large prime) is a primitive root of p if ∀ ∈ 1, … , − 1 . ∃ ∈ 1, … , − 1 . l = mod What are the primitive roots of 7?
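As an added example (my code, not from the slides), this Python answers the question above by computing the primitive roots of 7 straight from the definition, then runs the Diffie-Hellman(-Merkle) exchange of the previous slides with both parties' computations on a small prime. I use the conventional names p (large prime), g (primitive root), a and b (the two secrets), A and B (the exchanged values); the small parameters p = 23, g = 5 are a constructed toy instance.

```python
# Added example, not from the slides: primitive roots from the definition, and
# the Diffie-Hellman(-Merkle) exchange with small public parameters.
import secrets


def is_primitive_root(g: int, p: int) -> bool:
    """g is a primitive root of prime p iff g^1, ..., g^(p-1) mod p cover 1..p-1."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))


def primitive_roots(p: int) -> list[int]:
    """All primitive roots of the prime p, in increasing order (O(p^2); toy sizes only)."""
    return [g for g in range(1, p) if is_primitive_root(g, p)]


def dh_exchange(p: int, g: int, a: int, b: int) -> tuple[int, int, int, int]:
    """Run both sides of the exchange.

    Armadillo picks secret a and sends A = g^a mod p; Bunny picks secret b
    and sends B = g^b mod p. Each raises the other's value to its own secret,
    and (g^b)^a = g^(ab) = (g^a)^b mod p gives the correctness property.
    Returns (A, B, key_armadillo, key_bunny).
    """
    A = pow(g, a, p)
    B = pow(g, b, p)
    key_armadillo = pow(B, a, p)   # (g^b)^a mod p
    key_bunny = pow(A, b, p)       # (g^a)^b mod p
    return A, B, key_armadillo, key_bunny


def run_with_random_secrets(p: int, g: int) -> tuple[int, int]:
    """Pick secrets in 1..p-2 with a CSPRNG and return the two derived keys."""
    if not is_primitive_root(g, p):
        raise ValueError(f"{g} is not a primitive root of {p}")
    a = 1 + secrets.randbelow(p - 2)
    b = 1 + secrets.randbelow(p - 2)
    _, _, ka, kb = dh_exchange(p, g, a, b)
    return ka, kb


if __name__ == "__main__":
    print("primitive roots of 7:", primitive_roots(7))
    A, B, ka, kb = dh_exchange(23, 5, 6, 15)
    print(f"public: p=23 g=5  sent: A={A} B={B}  keys: {ka} {kb}")
    ka, kb = run_with_random_secrets(23, 5)
    print("random secrets agree:", ka == kb)
```

The eavesdropper sees p, g, A and B but never a or b. With p this small either secret falls to trial exponentiation in a few steps, which is why real deployments use primes of at least 2048 bits; finding a primitive root of such a p is done from the factorization of p - 1 rather than by the O(p^2) definition check used here.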

Slide 48

DH(M) Key Exchange: Security Public values: (primitive root), (large prime) is a primitive root of p if ∀ ∈ 1, … , − 1 . ∃ ∈ 1, … , − 1 . l = mod Theorem (asserted without proof): If is prime, it has a primitive root.

Slide 49

Public values: (primitive root), (large prime) is a primitive root of p if ∀ ∈ 1, … , − 1 . ∃ ∈ 1, … , − 1 . l = mod Theorem (asserted without proof): If is prime, it has a primitive root.

Slide 50

DH(M) Key Exchange: Security f = f mod h = h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod

Slide 51

DH(M) Key Exchange: Security f = f mod h = h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod Given f mod , can the adversary find ?

Slide 52

Discrete Logarithm Problem Given , , = f mod , find .

Slide 53

Continuous Logarithm Problem 285573486297238f = 18592341634236334720583 Given , = f, find .

Slide 55

Discrete Logarithm Problem
Given , , = f mod , find .
Believed to be “hard” for well-chosen values of and , so long as your adversary doesn't have a large quantum computer.
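As an added example (my code, not from the slides), here are the two generic attacks an eavesdropper can always run on the discrete logarithm problem, with the conventional names (find x given g, p and y = g^x mod p): exhaustive search, which costs about p multiplications, and Shanks's baby-step giant-step, which costs about 2√p. Both return the number of group operations they used so the gap is visible on a toy instance; p = 1019 with g = 2 (a primitive root of 1019) and x = 700 are constructed values.

```python
# Added example, not from the slides: generic discrete-log attacks on a toy
# prime. Neither scales to the 2048-bit primes used in practice, which is the point.
from math import isqrt
from typing import Optional


def dlog_bruteforce(g: int, y: int, p: int) -> tuple[Optional[int], int]:
    """Try x = 0, 1, 2, ... until g^x ≡ y (mod p). Returns (x, multiplications)."""
    acc = 1
    for x in range(p - 1):
        if acc == y:
            return x, x
        acc = acc * g % p
    return None, p - 1


def dlog_bsgs(g: int, y: int, p: int) -> tuple[Optional[int], int]:
    """Baby-step giant-step (Shanks) for prime p: O(sqrt(p)) time and memory.

    Write x = i*m + j with m = ceil(sqrt(p-1)). Baby steps tabulate g^j for
    j < m; giant steps walk y * g^(-m*i) until the value is in the table,
    then x = i*m + j. Returns (x, group operations used).
    """
    m = isqrt(p - 1) + 1
    baby = {}
    acc = 1
    for j in range(m):
        baby.setdefault(acc, j)     # keep the smallest j for each value
        acc = acc * g % p
    # g^(-m) mod p; for prime p, g^(p-2) is the inverse of g (Fermat's little theorem).
    g_inv_m = pow(pow(g, p - 2, p), m, p)
    gamma = y
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma], m + i
        gamma = gamma * g_inv_m % p
    return None, 2 * m


def compare(g: int, x: int, p: int) -> dict:
    """Hide x inside y = g^x mod p, then recover it both ways with their costs."""
    y = pow(g, x, p)
    x1, ops1 = dlog_bruteforce(g, y, p)
    x2, ops2 = dlog_bsgs(g, y, p)
    return {"y": y, "bruteforce": (x1, ops1), "bsgs": (x2, ops2)}


if __name__ == "__main__":
    # Constructed toy instance: 1019 is prime and 2 is a primitive root of it.
    print(compare(2, 700, 1019))
```

On the toy prime exhaustive search needs 700 multiplications and baby-step giant-step needs 53. The √p cost of the generic attack is why a b-bit prime gives at most about b/2 bits of security against it, and index-calculus methods do better still in ℤ_p, which is why p is chosen to be thousands of bits long; Shor's algorithm on a large quantum computer would remove the hardness entirely, the caveat the slide makes.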

Slide 56

DH(M) Key Exchange: Security f = f mod h = h mod Picks secret Picks secret Armadillo Bunny Public values: (primitive root), (large prime) fh = h f mod hf = f h mod Eavesdropper cannot learn anything useful about fh from: , , f = f mod , h = hmod

Slide 58

Charge Problem Set 9: will be posted Sunday, due Dec 1 Tuesday’s class: cryptography in practice