exercise in the previous class


Upload: anakin

Post on 23-Feb-2016


Page 1: exercise in the previous class

exercise in the previous class

Decrypt the following ciphertext.

qiw aufmlyn gcmwz yz c mcxae yoqweocqyaocu wpwoq jwcqkeyog zkmmwe cod vyoqwe zlaeqz, yo viyni qiakzcodz aj cqiuwqwz lceqynylcqw yo c pceywqf aj namlwqyqyaoz. qiw aufmlyn gcmwz icpw namw qa hw ewgcedwd cz qiw vaeud'z jaewmazq zlaeqz namlwqyqyao viwew maew qico qva ikodewd ocqyaoz lceqynylcqw. qiw gcmwz cew nkeewoquf iwud wpwef qva fwcez, vyqi zkmmwe cod vyoqwe aufmlyn gcmwz cuqweocqyog, cuqiakgi qiwf annke wpwef jake fwcez vyqiyo qiwye ewzlwnqypw zwczaocu gcmwz.

hint: find “typical patterns” of English


Page 2: exercise in the previous class

exercise in the previous class: solution

use the Java applet at http://apal.naist.jp/~kaji/crypto/Substitution.html

The Olympic Games is a major international event featuring summer and winter sports, in which thousands of athletes participate in a variety of competitions. The Olympic Games have come to be regarded as the world's foremost sports competition where more than two hundred nations participate. The Games are currently held every two years, with Summer and Winter Olympic Games alternating, although they occur every four years within their respective seasonal games.


Page 3: exercise in the previous class

previous class: common-key cryptography

symmetric-key ―, classic ―, ...
the encryption and decryption use the same key
the sender and the receiver need to agree on the key in advance

[figure: sender A encrypts, receiver B decrypts; key agreement takes place over a secure channel or secure protocol]

Page 4: exercise in the previous class

today: public-key cryptography

public-key cryptography
the receiver of ciphertexts prepares a pair of keys: the encryption key and the decryption key
the encryption key is opened to the public
the decryption key is kept secret by the receiver

[figure: sender A encrypts, receiver B decrypts; the encryption key is sent in advance over an open channel]

Page 5: exercise in the previous class

the difference between the two kinds of cryptography

common-key cryptography = vault (safe)
[figure: A and B; labels "key needed" and "key needed"]

public-key cryptography = post (mailbox)
[figure: A, B, C and D; labels "key NOT needed" and "key needed"]

each individual has its own “post”

Page 6: exercise in the previous class

public-key cryptography

a public-key cryptography is a triple of algorithms (G, E, D)
G(seed): generates a pair of keys ek and dk
E(ek, m): encrypts m by using ek as an encryption key
D(dk, c): decrypts c by using dk as a decryption key

If (ek, dk) G, then D(dk, E(ek, m)) = m.
If (ek, dk) G, then D(dk, E(ek, m)) m.

[figure: G takes a seed and outputs ek and dk; m goes into E (with ek) giving c; c goes into D (with dk) giving m]

Page 7: exercise in the previous class

key management

Each user needs to generate his/her own key pair (ek, dk).
The decryption key dk is kept secret.
  only the legitimate (genuine) user can do decryption
The encryption key ek is opened to the public.
  anybody can do encryption

[figure: users A, B, C and D; A, B and C hold dk_A, dk_B and dk_C; public list: A...ek_A, B...ek_B, C...ek_C]

Page 8: exercise in the previous class

RSA cryptography

proposed by Rivest, Shamir and Adleman in 1977

keys, plaintexts and ciphertexts are integers
encryption:
  key is a pair of integers: e & n
  c = m^e mod n
decryption:
  key is a pair of integers: d & n
  m = c^d mod n

the “trick” is in the choice of e, d and n
keys must be very long ... n 1024bits

Page 9: exercise in the previous class

numerical example

e = 3, d = 7, n = 33:

encryption: c = m^3 mod 33

m   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
c   1  8 27 31 26 18 13 17  3 10 11 12 19  5  9  4

m  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
c  29 24 28 14 21 22 23 30 16 20 15  7  2  6 25 32

decryption: m = c^7 mod 33

c   1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
m   1 29  9 16 14 30 28  2 15 10 11 12  7 20 27 25

c  17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
m   8  6 13 26 21 22 23 18 31  5  3 19 17 24  4 32

Page 10: exercise in the previous class

what did we do?

encryption & decryption: (m^3 mod 33)^7 mod 33 = m^21 mod 33

 m  m^2  m^3  m^4  m^5  m^6  ...  m^16 m^17 m^18 m^19 m^20 m^21
 1    1    1    1    1    1  ...     1    1    1    1    1    1
 2    4    8   16   32   31  ...    31   29   25   17    1    2
 3    9   27   15   12    3  ...     3    9   27   15   12    3
 4   16   31   25    1    4  ...     4   16   31   25    1    4
 5   25   26   31   23   16  ...    16   14    4   20    1    5
 6    3   18    9   21   27  ...    27   30   15   24   12    6
 7   16   13   25   10    4  ...     4   28   31   19    1    7
 8   31   17    4   32   25  ...    25    2   16   29    1    8
 9   15    3   27   12    9  ...     9   15    3   27   12    9
10    1   10    1   10    1  ...     1   10    1   10    1   10
11   22   11   22   11   22  ...    22   11   22   11   22   11

(all entries mod 33)

[figure annotation: multiplying m^3 by itself gives (m^3)^7 = m^21]

How can we choose such numbers?

Page 11: exercise in the previous class

key generation of RSA

How to choose e, d and n of the key of RSA:
step 1: choose two prime integers p and q, and let n = pq
step 2: choose e which is coprime (relatively prime) with (p – 1)(q – 1)
step 3: determine d such that ed ≡ 1 mod (p – 1)(q – 1)

e, n ... opened to the public
d (, p, q) ... kept secret

a and b are coprime if gcd(a, b) = 1
a ≡ b mod c ⇔ (a mod c) = (b mod c)

[example: p = 3, q = 11, n = 33, (p – 1)(q – 1) = 20; key: e = 3, d = 7]

Page 12: exercise in the previous class

algorithmic details

Q1: How can we generate prime numbers?
A1: Generate numbers randomly, and do “primality tests”.

Q2: How can we find d such that ed ≡ 1 mod (p – 1)(q – 1)?
A2: Use the Euclidean algorithm for computing a gcd.

Euclidean algorithm:
start from a_0 and b_0
a_{i+1} = b_i, b_{i+1} = a_i mod b_i
stop when b_j = 0; a_j is then the gcd of a_0 and b_0

Page 13: exercise in the previous class

computation of d with the Euclidean Algorithm++

Use the Euclidean algorithm for = (p – 1)(q – 1) and e.

a0 = b0 = e

aj=1 bj = 0

a1 = e b1 = a0 mod b0 = a0 – k1b0

a2 = b1 b2 = a1 mod b1 = a1 – k2b1

bj–1= 1

because and e are coprime

bi = xi + yie

1 = x + ye

ye = –x + 1

ye 1 mod choose d = y mod

= – k1e= – k2 + (k1+1)e

Page 14: exercise in the previous class

example of the computation of d

assume = 130 and e = 59

130  59
 59  12 = 130 – 2×59
 12  11 = 59 – 4×12 = –4×130 + 9×59
 11   1 = 12 – 11 = 5×130 – 11×59

1 = x + ye

ye = –x + 1

ye 1 mod

1 = 5 + (–11)e

(–11)e = –5 + 1

(–11)e 1 mod

d = –11 mod 130 = 119

ed = 59×119=7021 = 54×130 +1

ed 1 mod
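
The key-generation procedure of the last four slides as runnable Python, an added example that is not part of the original slides: the extended Euclidean algorithm carries the two coefficients along with each remainder, and d is the coefficient of e reduced modulo (p – 1)(q – 1). The function names and the variable `phi` for (p – 1)(q – 1) are this example's own.

```python
# Added example (not from the slides): RSA key generation with the
# extended Euclidean algorithm. `phi` is this example's own name for
# (p - 1)(q - 1).


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y == g."""
    # Invariants: old_r == a*old_x + b*old_y and r == a*x + b*y.
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        k = old_r // r                  # the quotient k_i
        old_r, r = r, old_r - k * r     # a_{i+1} = b_i, b_{i+1} = a_i mod b_i
        old_x, x = x, old_x - k * x
        old_y, y = y, old_y - k * y
    return old_r, old_x, old_y


def private_exponent(e, phi):
    """Return d in {1, ..., phi - 1} with e*d = 1 mod phi."""
    g, _, y = extended_gcd(phi, e)      # 1 = x*phi + y*e
    if g != 1:
        raise ValueError(f"e = {e} is not coprime with {phi}")
    return y % phi                      # d = y mod phi


def generate_key(p, q, e):
    """Steps 1 to 3: return the pair ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (e, n), (private_exponent(e, phi), n)


if __name__ == "__main__":
    print(extended_gcd(130, 59))        # (1, 5, -11)
    print(private_exponent(59, 130))    # 119
    print(generate_key(3, 11, 3))       # ((3, 33), (7, 33))
    print(generate_key(79, 97, 5))      # ((5, 7663), (4493, 7663))
    try:
        generate_key(79, 97, 3)         # 3 divides 7488, so no d exists
    except ValueError as err:
        print("rejected:", err)
```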

Page 15: exercise in the previous class

encryption & decryption

encryption key: e and n
decryption key: d (and n)

plaintexts & ciphertexts ... integers in {0, ..., n – 1}

encryption: c = m^e mod n
decryption: m = c^d mod n

modular exponentiation? ... see page 25 of the slides of the previous class

Page 16: exercise in the previous class

summarizing example: key generation of RSA

step 1: choose p = 79, q = 97, and we have n = pq = 7663
step 2: choose e = 5, which is coprime with (p – 1)(q – 1) = 7488
step 3: determine d with 5d ≡ 1 mod 7488 as follows:

7488  5
   5  3 = 7488 – 1497×5
   3  2 = 5 – 3 = –7488 + 1498×5
   2  1 = 3 – 2 = 2×7488 – 2995×5

d = –2995 mod 7488 = 4493
all computation in mod (p – 1)(q – 1)

Page 17: exercise in the previous class

summarizing example: encryption & decryption

keys: e = 5, d = 4493, n = 7663
encryption: c = m^5 mod 7663
decryption: m = c^4493 mod 7663 = c^4096 c^256 c^128 c^8 c^4 c mod 7663

m    = 51       c      = 6339
m^2  = 2601     c^2    = 5812
m^4  = 6435     c^4    = 840
m^5  = 6339     c^8    = 604
                c^16   = 4655
                c^32   = 5724
                c^64   = 4851
                c^128  = 6791
                c^256  = 1747
                c^512  = 2135
                c^1024 = 6403
                c^2048 = 1359
                c^4096 = 98
                c^4493 = 51

all computation in mod n = pq

Page 18: exercise in the previous class

the soundness proof of RSA: preparation

We need to show that (m^e mod n)^d mod n = m^(ed) mod n = m.

two assisting lemmas...

Fermat’s little theorem:
x^(p–1) ≡ 1 mod p for a prime number p and any x with gcd(x, p) = 1

Corollary of Chinese Remainder Theorem [Sunzi Suanjing]:
If x ≡ a mod p and x ≡ a mod q, then x ≡ a mod pq, where p and q are different prime numbers.

Page 19: exercise in the previous class

the soundness proof of RSA

Theorem: m^(ed) mod n = m.
Proof:
ed ≡ 1 mod (p – 1)(q – 1) implies that ed = k(p – 1)(q – 1) + 1
we have m^(ed) ≡ m mod p, because...
  if gcd(m, p) = 1, then m^(p–1) ≡ 1 mod p by Fermat, and m^(ed) = (m^(p–1))^(k(q–1)) m ≡ m mod p.
  if gcd(m, p) ≠ 1, then m is a multiple of p and both sides ≡ 0
similarly we have m^(ed) ≡ m mod q
the corollary of the Chinese Remainder Theorem guarantees that m^(ed) mod n = m
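
An added example (not from the slides) covering the decryption by repeated squaring on Page 17 and the theorem proved on Pages 18 and 19: it rebuilds the table of squares, multiplies the entries selected by the binary expansion of d, and then checks the round trip for every m in {0, ..., n – 1}, including the m that share a factor with n. All function names are this example's own.

```python
# Added example (not from the slides). Part 1 rebuilds the table of
# repeated squares used for decryption; part 2 checks the theorem
# m^(ed) mod n = m for every m, including the gcd(m, p) != 1 case.
from math import gcd


def repeated_squares(c, n, count):
    """Return [c^1, c^2, c^4, ..., c^(2^(count-1))], all mod n."""
    table = [c % n]
    for _ in range(count - 1):
        table.append(table[-1] * table[-1] % n)
    return table


def binary_terms(d):
    """Powers of two that sum to d, e.g. 4493 = 4096+256+128+8+4+1."""
    return [1 << i for i in range(d.bit_length()) if (d >> i) & 1]


def mod_exp(c, d, n):
    """c^d mod n: multiply the squares selected by the set bits of d."""
    table = repeated_squares(c, n, d.bit_length())
    result = 1
    for i, square in enumerate(table):
        if (d >> i) & 1:
            result = result * square % n
    return result % n


def soundness_report(e, d, p, q):
    """Return (failures, hard_cases): the m whose round trip fails and
    the number of m sharing a factor with n (the second proof case)."""
    n = p * q
    failures = [m for m in range(n)
                if mod_exp(mod_exp(m, e, n), d, n) != m]
    hard_cases = sum(1 for m in range(n) if gcd(m, n) != 1)
    return failures, hard_cases


if __name__ == "__main__":
    print(binary_terms(4493))                    # [1, 4, 8, 128, 256, 4096]
    print(repeated_squares(6339, 7663, 13)[-1])  # 98, i.e. c^4096
    print(mod_exp(51, 5, 7663))                  # 6339
    print(mod_exp(6339, 4493, 7663))             # 51
    print(soundness_report(3, 7, 3, 11))         # ([], 13)
    print(soundness_report(5, 4493, 79, 97))     # ([], 175)
```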

Page 20: exercise in the previous class

attacks on RSA

given an encryption key e and n, and a ciphertext c, can we find the plaintext m with c = m^e mod n?

exhaustive attack
  an attacker can “encrypt” a plaintext
  test if c = x^e mod n for all x ∈ {0, ..., n – 1}
  choose n large, and this attack is not serious

computing the e-th root of c in mod n
  computing the e-th root is easy for real numbers
  the algorithms do not work for the discrete “mod n” world

[figure: given n, e and c, find m? (the e-th root of c)]

Page 21: exercise in the previous class

attacks on RSA: factorization of n

factoring (prime factorization) attack
  find prime numbers p and q with n = pq
  once p and q are revealed, d can be determined uniquely
  use d to decrypt c

But, can we factor n?
  there are several algorithms for factoring: brute force, quadratic sieve, elliptic curve
  it is still difficult to factor large composite numbers

n should be chosen so that it is in 1,024 bits or more
You may come up with a good idea tomorrow!
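
An added example (not from the slides) that runs the exhaustive attack of Page 20 and the factoring attack of Page 21 against the toy key of the summarizing example (e = 5, n = 7663), which is why such a small n offers no protection. The function names are this example's own, and `trial_divisions_needed` only counts the worst-case loop length of brute-force factoring for a modulus of a given bit length.

```python
# Added example (not from the slides): both attacks against the toy
# key e = 5, n = 7663 of the summarizing example.
from math import isqrt


def exhaustive_search(e, n, c):
    """Try every x in {0, ..., n-1}; return the x with x^e mod n == c."""
    for x in range(n):
        if pow(x, e, n) == c:
            return x
    return None


def factor_by_trial_division(n):
    """Return (p, q) with n == p*q and p the smallest factor, or None."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None                         # n is prime


def recover_d(e, n):
    """Factor n, then repeat step 3 of key generation."""
    factors = factor_by_trial_division(n)
    if factors is None:
        raise ValueError("n is prime, not an RSA modulus")
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))    # modular inverse (Python 3.8+)


def trial_divisions_needed(bits):
    """Worst-case number of candidates for a modulus of `bits` bits."""
    return isqrt(2 ** bits)


if __name__ == "__main__":
    print(exhaustive_search(5, 7663, 6339))     # 51
    print(factor_by_trial_division(7663))       # (79, 97)
    d = recover_d(5, 7663)
    print(d, pow(6339, d, 7663))                # 4493 51
    print(trial_divisions_needed(13))           # 90
    print(trial_divisions_needed(1024) == 2 ** 512)   # True
```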

Page 22: exercise in the previous class

the factoring and RSA

“if we can factor a given n, then we can break RSA”
breaking RSA is not more difficult than factoring

[figure: scale from easy to difficult, with breaking RSA, factoring and breaking Rabin cipher]

theoretically saying, there are more favorable cryptography...
Rabin cipher:
  if we can factor a given n, then we can break Rabin cipher
  if we can break Rabin cipher, then we can factor a given n
“breaking Rabin cipher is as difficult as factoring”
(Rabin is not efficient and not practical, many people consider...)

Page 23: exercise in the previous class

the security of RSA

the security of RSA is NOT a mathematically proved fact...
  many people believe that it is difficult to break RSA
  there can be somebody who knows a good algorithm and is decrypting RSA silently...

no backup from the theory of computational complexity
  breaking RSA ∈ NP, but not clear if NP-complete or not

a quantum computer can break RSA
  Shor’s quantum algorithm for factoring

Page 24: exercise in the previous class

ElGamal encryption: key generation

based on the discrete logarithm problem (DLP)
probabilistic encryption: one plaintext has many ciphertexts

key generation (recall the Diffie-Hellman key agreement)
  choose a prime number q and a generator g of F_q
  choose a random x, and compute y = g^x mod q

the encryption key is q, g and y
the decryption key is x

Page 25: exercise in the previous class

ElGamal: encryption & decryption

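encryption of m:
  choose random r, and let
    c1 = g^r mod q
    c2 = m + y^r mod q
  (c1, c2) is the ciphertext

decryption of (c1, c2):
  compute u = c1^x mod q
  compute v = c2 – u mod q
  v is the plaintext

[figure: encryption computes c1 from g and r, and adds y^r to m mod q to get c2; decryption computes c1^x from c1 and x and subtracts it from c2 mod q to get m; (g^x)^r = (g^r)^x]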

Page 26: exercise in the previous class

ElGamal: example

Choose q = 13 and g = 7
  1 ≡ 7^12 mod 13, 2 ≡ 7^11 mod 13, ..., 12 ≡ 7^6 mod 13

Choose x = 5 and determine y = 7^5 = 16807 ≡ 11 mod 13

encryption: m = 6, r = 3
  c1 = 7^3 = 343 ≡ 5 mod 13, c2 = 6 + 11^3 = 1337 ≡ 11 mod 13
  c = (5, 11) is the ciphertext

decryption: c = (5, 11)
  u = 5^5 = 3125 ≡ 5 mod 13, v = 11 – 5 ≡ 6 mod 13
  v = 6 is the plaintext

Page 27: exercise in the previous class

probabilistic encryption

the encryption uses a random r together with a plaintext m
  different choices of r make different ciphertexts
  the exhaustive attack is “more difficult”

[figure: RSA maps m to a single c and back to m; ElGamal maps m to one of c_0, c_1, ..., c_{q–1}, each of which decrypts back to m]

c = (c1, c2) ... c1 is needed to cancel the effect of r at decryption
the ciphertext is “longer” in length

“breaking ElGamal is not more difficult than solving DLP”
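
An added example (not from the slides) of the scheme exactly as Pages 24 to 27 define it, with c2 = m + y^r mod q, using the numbers q = 13, g = 7, x = 5 from the worked example. It also enumerates every ciphertext of one plaintext to show the probabilistic behaviour; the function names and the choice of drawing r from {1, ..., q – 1} are assumptions of this example.

```python
# Added example (not from the slides): ElGamal as defined on these
# slides, where c2 = m + y^r mod q.
import secrets


def keygen(q, g, x):
    """Return (public, private) = ((q, g, y), x) with y = g^x mod q."""
    return (q, g, pow(g, x, q)), x


def encrypt(public, m, r=None):
    """Encrypt m; r is drawn at random unless given (assumed range 1..q-1)."""
    q, g, y = public
    if r is None:
        r = 1 + secrets.randbelow(q - 1)
    c1 = pow(g, r, q)
    c2 = (m + pow(y, r, q)) % q
    return c1, c2


def decrypt(public, x, ciphertext):
    """Recover m = c2 - c1^x mod q."""
    q = public[0]
    c1, c2 = ciphertext
    u = pow(c1, x, q)                   # (g^r)^x = (g^x)^r = y^r
    return (c2 - u) % q


def all_ciphertexts(public, m):
    """Every ciphertext of m, one per r in {1, ..., q-1}."""
    q = public[0]
    return {encrypt(public, m, r) for r in range(1, q)}


def is_generator(g, q):
    """True if the powers of g cover all of {1, ..., q-1}."""
    return {pow(g, k, q) for k in range(1, q)} == set(range(1, q))


if __name__ == "__main__":
    public, x = keygen(13, 7, 5)
    print(public)                               # (13, 7, 11)
    print(encrypt(public, 6, r=3))              # (5, 11)
    print(decrypt(public, x, (5, 11)))          # 6
    print(len(all_ciphertexts(public, 6)))      # 12
    print(is_generator(7, 13), is_generator(3, 13))   # True False
```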

Page 28: exercise in the previous class

public-key vs. common-key

common-key cryptography
  more efficient: computational cost, key length, ...
  more variations: many algorithms, many alternatives, ...
  key-agreement is difficult and costly

public-key cryptography
  “key-agreement” is replaced by lighter “key-distribution”
  (public encryption keys must be delivered correctly)

hybrid use of public and common-key cryptography is common
  use RSA to deliver the key of AES, for example

Page 29: exercise in the previous class

summary of chapter 4

We studied the very basics of cryptography.

common-key cryptography
  DES and AES
  key-agreement protocol

public-key cryptography
  algorithms and theory of RSA
  ElGamal encryption

Page 30: exercise in the previous class

summary of this course

chapter 1: measuring information
chapter 2: compact representation of information
chapter 3: coding for noisy communication
chapter 4: cryptography

Information theory turns information processing from “ad-hoc handicrafts” to “well-defined theory”.

The study is so fundamental that usual people do not notice, but professionals of information must know it.

Page 31: exercise in the previous class

about test

June 4 (Mon), 9:20AM, exercise

June 5 (Tue), 9:20AM, this room
  you can bring books, notes and copies of slides
  you can bring a calculator and/or PC
  PC must be disconnected from the network: download all needed material before the test starts

Books, notes, handouts, calculators, PCs ... anything may be brought in
The communication functions of PCs and similar devices may not be used
Download any materials you need in advance