communication security & cryptographykoclab.cs.ucsb.edu/teaching/cs192/docx/lect11.pdfwriting or...
TRANSCRIPT
Computational Thinking Communication Security & Cryptography
Communication Security & Cryptography
Cetin Kaya Kochttp://koclab.cs.ucsb.edu/teaching/cs192
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 1 / 44
Computational Thinking Communication Security & Cryptography
Secure Communication over an Insecure Channel
Sender Receiver
Adversary
M
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 2 / 44
Computational Thinking Communication Security & Cryptography
Secret-Key Cryptography
Sender Receiver
Adversary
C
C=EKe(M) M=DKd(C)
secure
channel Kd
Encryption and decryption functions: E (·) & D(·)Encryption and decryption keys: Ke & Kd
Plaintext and ciphertext: M & C
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 3 / 44
Computational Thinking Communication Security & Cryptography
Secret-Key Cryptography
C = EKe (M) and M = DKd(C )
Either E (·) = D(·) and Ke 6= Kd
Kd is easily deduced from Ke
Ke is easily deduced from Kd
Or E (·) 6= D(·) and Ke = Kd
D(·) is easily deduced from E (·)E (·) is easily deduced from D(·)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 4 / 44
Computational Thinking Communication Security & Cryptography
First Example: Shift Cipher
Input/output: {a, b, . . . , z} with encoding {0, 1, . . . , 25}
a b c d e f g h i j k l m n o
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
p q r s t u v w x y z
15 16 17 18 19 20 21 22 23 24 25
Encryption function: Ek(x) = x + k (mod 26)Decryption function: Dk(y) = y − k (mod 26)
The encryption or decryption key: k ∈ {0, 1, 2, . . . , 25}Key space size: 26 (or 25, if you do not count k = 0)
Caesar cipher: Shift cipher with a constant encryption key k = 3
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 5 / 44
Computational Thinking Communication Security & Cryptography
Shift Cipher
For k = 15, hello is encrypted as wtaad sinceE15(h) = E15(7) = 7 + 15 = 22 (mod 26) → w
E15(e) = E15(4) = 4 + 15 = 19 (mod 26) → t
E15(l) = E15(11) = 11 + 15 = 26 = 0 (mod 26) → a
E15(o) = E15(14) = 14 + 15 = 29 = 3 (mod 26) → d
For k = 12, eqqw is decrypted as seek sinceD12(e) = D12(4) = 4− 12 = −8 = 18 (mod 26) → s
D12(q) = D12(16) = 16− 12 = 4 (mod 26) → e
D12(w) = D12(22) = 22− 12 = 10 (mod 26) → k
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 6 / 44
Computational Thinking Communication Security & Cryptography
Cryptanalysis of Shift Cipher
Ciphertext only
Exhaustive key search: a paragraph of ciphertext(in order to avoid ambiguity)Frequency analysis: a paragraph of ciphertext(in order to get statistically reliable frequency count)
Known plaintext: a single plaintext/ciphertext pair
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 7 / 44
Computational Thinking Communication Security & Cryptography
Exhaustive Key Search
Given an encrypted text: vnnc vn jc ljsn jc oxda yv
Decrypt the text with all possible keys:k=1−→ ummb um ib kirm ib nwcz xuk=2−→ tlla tl ha jhql ha mvby wt
· · ·k=8−→ nffu nf bu dbkf bu gpvs qnk=9−→ meet me at caje at four pm
A short encrypted text may have several “meaningful” decryptions:
vnnck=9−→ meet
vnnck=25−→ wood
For a sufficiently long encrypted text, there will not be ambiguity
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 8 / 44
Computational Thinking Communication Security & Cryptography
Frequency Analysis
The most frequently occurring ciphertext is the encryption of themost frequently occurring plaintext
In English: that would be the letter e, followed up by letters t and a
Letter frequencies (percentages) in Englisha b c d e f g h i j
8.2 1.5 2.8 4.3 12.7 2.2 2.0 6.1 7.0 0.2
k l m n o p q r s t0.8 4.0 2.4 6.7 7.5 1.9 0.1 6.0 6.3 9.1
u v w x y z
2.8 1.0 2.3 0.1 2.0 0.1
Compute the ciphertext letter frequencies, and find the mostfrequently occurring the letter: this must be the ciptertext for theletter e
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 9 / 44
Computational Thinking Communication Security & Cryptography
Occurrences of Letter e
Frequency: 54435 ≈ 12.4%
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 10 / 44
Computational Thinking Communication Security & Cryptography
Occurrences of Letter a
Frequency: 23435 ≈ 5.3%
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 11 / 44
Computational Thinking Communication Security & Cryptography
Unusual Texts
The novel “Gadsby” by E. V. Wright is written asa lipogram∗; it has 50,000 words in it without asingle occurrence of the letter e
“A Void”, translated from the original French “LaDisparition” (The Disappearance), is a 300-pagelipogrammatic novel, written in 1969 by GeorgesPerec, entirely without using the letter e (exceptfor the author’s name)
However, the probability of occurrence for such texts is very low
∗ A lipogram (leipogrammatos: leaving out a letter) is a kind of constrained
writing or word game consisting of writing paragraphs in which a particular letter
or group of letters is avoided
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 12 / 44
Computational Thinking Communication Security & Cryptography
Frequency Analysis
Given the short ciphertext: tbxqebo fp dobxq ebob
Frequency analysis finds the most frequently occurring letter as b
The letter b (most probably) is the ciphertext for the letter e
Ek(e) = b
Ek(4) = 4 + k = 1 (mod 26)
k = 1− 4 = − 3 = 23 (mod 26)
Indeed, if we decrypt the encrypted text using the key k = 23, weobtain:tbxqebo fp dobxq ebob
k=23−→ weather is great here
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 13 / 44
Computational Thinking Communication Security & Cryptography
Known Plaintext Scenario
Given a (any) single plaintext/ciphertext pair (x , y), we have
Ek(x) = x + k = y (mod 26)
k = y − x (mod 26)
Consider the encrypted message:zrrg zr ng bhe frperg ybpngvba
and the plaintext/ciphertext pair: m → z
Ek(m) = z
Ek(12) = 12 + k = 25 (mod 26)
k = 25− 12 = 13 (mod 26)
We find the key as k = 13; indeed this key decrypts the messagek=13−→ meet me at our secret location
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 14 / 44
Computational Thinking Communication Security & Cryptography
Second Example: Hill Algebra
Encoding: {a, b, . . . , z} −→ {0, 1, . . . , 25}Select a d × d matrix A of integers and find its inverse A−1 mod 26
For example, for d = 2
A =
[3 32 5
]and A−1 =
[15 1720 9
]Verify:[
3 32 5
] [15 1720 9
]=
[105 78130 79
]=
[1 00 1
](mod 26)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 15 / 44
Computational Thinking Communication Security & Cryptography
Hill Cipher
Encryption function: c = E (m) = Am (mod 26)
Decryption function: m = D(c) = A−1 c (mod 26)
m and c are d × 1 vectors of plaintext and ciphertext letter encodings
Encryption key Ke : ADecryption key Kd : A−1 (mod 26)
A and A−1 are d × d matrices such that det(A) 6= 0 (mod 26) andA−1 is the inverse of A mod 26
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 16 / 44
Computational Thinking Communication Security & Cryptography
Hill Cipher Example
The plaintext: "help"
u1 =
["h"
"e"
]=
[74
]; u2 =
["l"
"p"
]=
[1115
]Encryption: v1 = A u1 and v2 = A u2[
3 32 5
] [74
]=
[3334
]=
[78
]=
["h"
"i"
][
3 32 5
] [1115
]=
[7897
]=
[0
19
]=
["a"
"t"
]The ciphertext: "hiat"
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 17 / 44
Computational Thinking Communication Security & Cryptography
Hill Cipher
To decrypt the ciphertext: "hiat", we need the vectors v1 and v2
Decryption: u1 = A−1 v1 and u2 = A−1 v2[15 1720 9
] [78
]=
[241212
]=
[74
]=
["h"
"e"
][
15 1720 9
] [0
19
]=
[323171
]=
[1115
]=
["l"
"p"
]The plaintext: "help"
The d-dimensional Hill cipher is poly-alphabetic on single letters,however, mono-alphabetic on words of length d
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 18 / 44
Computational Thinking Communication Security & Cryptography
Key Space Size for Hill Space
It was suggested by Overbey, Traves, and Wojdylo in Cryptologia,29(1), Jan 2005, that the number of d × d matrices invertible modulom is ∏
i
(p(ni−1)d2
i
d−1∏k=0
(pdi − pki )
)such that m =
∏pnii
When m = 26 = 21 · 131, we simplify this as
d−1∏k=0
(2d−2k)(13d−13k) = 26d2
(1−1/2) · · · (1−1/2d)(1−1/13) · · · (1−1/13d)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 19 / 44
Computational Thinking Communication Security & Cryptography
Key Space Size for Hill Cipher
We enumerate and find the number of keys for as follows:
d Number of Keys Power of 10
2 157,248 105.2
3 1,750,755,202,560 1012.2
4 13,621,827,326,505,327,820,800 1022.1
5 72,803,944,226,174,990,390,435,243,910,758,400 1034.9
Exhaustive key search is probably not feasible for 4-dimensional Hillciphers (requires significant resources), and definitely not feasible for5-dimensional (and beyond) Hill ciphers
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 20 / 44
Computational Thinking Communication Security & Cryptography
Frequency Analysis of the Hill Cipher
Frequency analysis is not applicable for single letters — a plaintextletter is encrypted to different ciphertext letter depending on whetherit is the first or second letter and what the other letter is
For example, for our example 2-dimensional Hill cipher, theencryption of x is as follows:"xy" → "lk" implies "x" → "l"
"xz" → "op" implies "x" → "o"
"zx" → "oj" implies "x" → "j"
However, digrams (2-letter words) are always encrypted to the sameciphertext bigrams for a 2-dimensional cipher"xyabcd" → "lkdfpt"
"abxycd" → "dflkpt"
"abcdxy" → "dfptlk"
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 21 / 44
Computational Thinking Communication Security & Cryptography
Digram Frequencies in English
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 22 / 44
Computational Thinking Communication Security & Cryptography
Frequency Analysis of the Hill Cipher
We can apply frequency attack to a d-dimensional Hill cipher if wehave “useful” (distinguishable) d-gram frequencies
As expected the digram "th" appears in English more often — somestudies have shown that the frequency of diagram "th" is about3.15%
Similarly the frequency of "the" is higher than most other trigrams,followed up by "and", "for" — however, these frequencies are toolow and too close to one another
As expected, as the word size increases the frequencies becomeindistinguishable from one another — we loose those useful frequencyvalues such as 12.7% for the single letter "e"
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 23 / 44
Computational Thinking Communication Security & Cryptography
Secret-Key versus Public-Key Cryptography
Secret-Key Cryptography:
Requires establishment of a secure channel for key exchangeTwo parties cannot start communication if they never metSecure communication of n parties requires n(n − 1)/2 keysKeys are “shared”, rather than “owned” (secret vs private)
Public-Key Cryptography:
No need for a secure channelMay require establishment of a public-key directoryTwo parties can start communication even if they never metSecure communication of n parties requires n keysKeys are “owned’, rather than “shared”Ability to “sign” digital data (secret vs private)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 24 / 44
Computational Thinking Communication Security & Cryptography
Diffie-Hellman Key Exchange Method
Martin Hellman (1945): American cryptologist and co-inventor ofpublic key cryptography in cooperation with Whitfield Diffie andRalph Merkle at Stanford
Bailey Whitfield Diffie (1944) is an American cryptographer andco-inventor of public key cryptography
Diffie and Hellman’s paper “New Directions in Cryptography” waspublished IEEE Tran. Information Theory in Nov 1976
It introduced a radically new method of distributing cryptographickeys, that went far toward solving one of the fundamental problems ofcryptography, key distribution
It has become known as Diffie-Hellman key exchange.
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 25 / 44
Computational Thinking Communication Security & Cryptography
Diffie-Hellman Key Exchange Method
A and B agree on a prime p and a primitive element g of Z∗p
This is accomplished in public: p and g are known to the adversary
A selects a ∈ Z∗p , computes s = ga (mod p), and sends s to B
B selects b ∈ Z∗p , computes r = gb (mod p), and sends r to A
A computes K = ra (mod p)
B computes K = sb (mod p)
K = ra = (gb)a = gab (mod p)
K = sb = (ga)b = gab (mod p)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 26 / 44
Computational Thinking Communication Security & Cryptography
Diffie-Hellman Key Exchange Method
User A
a
ga
(gb
)a
K = gab
User B
b
gb
(ga
)b
K = gab
Adversary
p & g
ga
gb
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 27 / 44
Computational Thinking Communication Security & Cryptography
Discrete Logarithm Problem
The adversary knows the group: p and g
The adversary also sees (obtains copies of) s = ga and r = gb
The discrete logarithm problem (DLP):the computation of x ∈ Z∗
p in
y = g x (mod p)
given p, g , and y
Example: Given p = 23 and g = 5, find x such that
10 = 5x (mod 23)
Answer: x = 3
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 28 / 44
Computational Thinking Communication Security & Cryptography
Discrete Logarithm Problem
Given p = 158(2800 + 25) + 1 =
1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359
and g = 3, find x ∈ Z∗p such that
2 = 3x (mod p)
Answer: ?
How difficult is it to find x?
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 29 / 44
Computational Thinking Communication Security & Cryptography
Diffie-Hellman Key Exchange Method
The Diffie-Hellman algorithm allows two parties to agree on a key thatis known only to them, except that the adversary can solve the DLP
Once the secret key (shared key) is established, the parties can use asecret-key cryptographic algorithm to encrypt and decrypt
However, we still have the problem of establishing n(n − 1)/2 keysbetween n parties, and other difficulties of the secret-keycryptography also remain
But, we no longer need a (secret-key type) secure channel — theDiffie-Hellman algorithm gave us a secure channel, whose securitydepends on computational difficulty of the DLP
The Diffie-Hellman algorithm is not a public-key encryption method
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 30 / 44
Computational Thinking Communication Security & Cryptography
Public-Key Cryptography
The functions C (·) and D(·) are inverses of one another
C = EKe (M) and M = DKd(C )
Encryption and decryption processes are asymmetric:
Ke 6= Kd
Ke is public, known to everyone
Kd is private, known only to the user
Ke may be easily deduced from Kd
However, Kd is NOT easily deduced from Ke
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 31 / 44
Computational Thinking Communication Security & Cryptography
Public-Key Cryptography
User2 User0
Adversary
C2
C3=EKe(M3)
M1=DKd(C1)
User1
User3
PK Directory
User0 Ke
C1
C3
C1=EKe(M1)
C2=EKe(M2)
M2=DKd(C2)
M3=DKd(C3)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 32 / 44
Computational Thinking Communication Security & Cryptography
Public-Key Cryptography
The User publishes his/her own public key: Ke
Anyone can obtain the public key Ke and can encrypt a message M,and send the ciphertext to the User
C = EKe (M)
The private key is known only to the User: Kd
Only the User can decrypt the ciphertext to get the message
M = DKd(C )
The adversary may be able to block the ciphertext, but cannot decrypt
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 33 / 44
Computational Thinking Communication Security & Cryptography
Public-Key Cryptography
A public-key cryptographic algorithm is based on a function y = f (x)such thatGiven x , computing y is EASY: y = f (x)Given y , computing x is HARD: x = f −1(y)
x
easy
−−−−−−−−−−−−−−→←−−−−−−−−−−−−−−
hard
y = f (x)
Such functions are called one-way
In order to decide what is hard: Theory of complexity could help
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 34 / 44
Computational Thinking Communication Security & Cryptography
Well-Known One-Way Functions
Discrete Logarithm:Given p, g , and x , computing y in y = g x (mod p) is EASYGiven p, g , y , computing x in y = g x (mod p) is HARD
Factoring:Given p and q, computing n in n = p · q is EASYGiven n, computing p or q in n = p · q is HARD
Discrete Square Root:Given x and y , computing y in y = x2 (mod n) is EASYGiven y and n, computing x in y = x2 (mod n) is HARD
Discrete eth Root:Given x , n and e, computing y in y = xe (mod n) is EASYGiven y , n and e, computing x in y = xe (mod n) is HARD
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 35 / 44
Computational Thinking Communication Security & Cryptography
One-Way Functions for PKC
However, a one-way function is difficult for anyone to invert
What we need: a function easy to invert for the legitimate receiver ofthe encrypted message, but for everyone else: hard
Such functions are called one-way trapdoor functions
In order to build a public-key encryption algorithm, we need aone-way trapdoor function
Once that is understood (in around 1975-1976), researchers lookedfor such special functions which are either based on the knownone-way functions or some other constructions
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 36 / 44
Computational Thinking Communication Security & Cryptography
Rivest-Shamir-Adleman Algorithm
Invented by three young faculty members at MIT: Ronald Rivest(CS), Adi Shamir (Math), and Leonard Adleman (Math) in theSummer and Fall of 1976:“Ron and Adi would come up with ideas, and Len would try to shootthem down. Len was consistently successful; late one night, though,Ron came up with an algorithm that Len couldnt crack.”
Following the ideas of building a public-key encryption method usingtrapdoor one-way functions of Merkle and Hellman
It is based on the one-way functions factoring and discrete eth root
The paper was published in 1977 (Comm. of ACM)
The method was patented by MIT in 1983, which ended in 2000
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 37 / 44
Computational Thinking Communication Security & Cryptography
Rivest-Shamir-Adleman Algorithm
The User generates two large, approximately same size randomprimes: p and q
The modulus n is the product of these two primes: n = pq
Euler’s totient function of n is given by φ(n) = (p − 1)(q − 1)
The User selects a number 1 < e < φ(n) such that
gcd(e, φ(n)) = 1
and computes d with
d = e−1 (mod φ(n))
using the extended Euclidean algorithm
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 38 / 44
Computational Thinking Communication Security & Cryptography
Rivest-Shamir-Adleman Algorithm
e is the public exponent and d is the private exponent
The public key: The modulus n and the public exponent e
The private key: The private exponent d , the primes p and q, andφ(n) = (p − 1)(q − 1)
Encryption and decryption are performed by computing
C = Me (mod n)
M = Cd (mod n)
where M,C are the plaintext and ciphertext such that
0 ≤ M,C < n
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 39 / 44
Computational Thinking Communication Security & Cryptography
Example RSA
The primes p = 11 and q = 13, the modulus n = 11 · 13 = 143
φ(n) = φ(143) = (p − 1)(q − 1) = 10 · 12 = 120
Find e such that gcd(e, φ(n)) = φ(e, 120) = 1
Since 120 = 23 · 3 · 5, we select e = 7
d = e−1 (mod φ(n)) which gives d = 7−1 (mod 120) as d = 103
Encryption C = Me (mod n) gives C = 87 (mod 143) as C = 57Decryption D = Cd (mod n) gives M = 57103 (mod 143) as M = 8
Encryption C = Me (mod n) gives C = 117 (mod 143) as C = 132Decryption D = Cd (mod n) gives M = 132103 (mod 143) asM = 11
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 40 / 44
Computational Thinking Communication Security & Cryptography
Security of RSA
The public key (e, n) is publishedThe private key parameters p, q, φ(n), d are kept by the user
Breaking RSA:one or several or all instances → Computing M, given C and (e, n)all instances → Computing d , given (e, n)
Taking discrete eth Root → Computing MCompute eth Root of Me (mod n) and obtain M
Factoring n ⇒ Computing dFactor n = pq, compute d = e−1 mod (p − 1)(q − 1)
Computing φ(n) ⇒ Computing dCompute d = e−1 mod φ(n)
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 41 / 44
Computational Thinking Communication Security & Cryptography
Knowing φ(n) ⇒ Factoring n
We know n = pq, we can also write:
n − φ(n) + 1 = pq − (p − 1)(q − 1) + 1 = p + q
Thus we have pq and p + q, and we can write a quadratic equationwhose roots are p and q
x2 − (p + q)x + pq = x2 − (n − φ(n) + 1) + n = 0
The roots of the equations are
1
2(n − φ(n) + 1±
√(n − φ(n) + 1)2 − 4n )
Example: For n = 143 and φ(n) = 120, we writep, q = (1/2)(143− 120 + 1±
√(143− 120 + 1)2 − 4 · 143) = 11, 13
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 42 / 44
Computational Thinking Communication Security & Cryptography
Knowing d ⇒ (Probabilistically) Factoring n
Given d , we can write
d · e = 1 + Kφ(n)
since they are inverses of one another mod φ(n)
Since d · e − 1 is a multiple of φ(n), for gcd(a, n) = 1 we can write
ade−1 = (aφ(n))K = 1 (mod n)
If there is a universal exponent b such that ab = 1 (mod n) for all awith gcd(a, n), then there is exists a probabilistic method for factoringn
This probabilistic factorization algorithm is based on the Miller-Rabinprimality test
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 43 / 44
Computational Thinking Communication Security & Cryptography
Breaking RSA?⇒ Factoring
Factoring n indeed breaks the RSA encryption algorithm
However, does “Breaking RSA” mean that we can factor n ?
There is no general proof for such a claim — a lack of progress
A related result: Breaking the low-exponent RSA is not as hard asfactoring integers
Strong evidence: An RSA breaker cannot be used for factoringintegers
Cetin Kaya Koc http://koclab.cs.ucsb.edu Fall 2016 44 / 44