practical aspects of modern cryptography
DESCRIPTION
Practical Aspects of Modern Cryptography. Josh Benaloh Brian LaMacchia John Manferdelli. Public-Key History. 1976 New Directions in Cryptography Whit Diffie and Marty Hellman One-Way functions Diffie-Hellman Key Exchange 1978 RSA paper Ron Rivest, Adi Shamir, and Len Adleman - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/1.jpg)
Practical Aspects of Modern Cryptography
Josh Benaloh
Brian LaMacchia
John Manferdelli
![Page 2: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/2.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Public-Key History
• 1976 New Directions in CryptographyWhit Diffie and Marty Hellman• One-Way functions
• Diffie-Hellman Key Exchange
• 1978 RSA paperRon Rivest, Adi Shamir, and Len Adleman• RSA Encryption System
• RSA Digital Signature Mechanism
![Page 3: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/3.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Fundamental Equation
Z=YZ=YXX mod Nmod N
![Page 4: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/4.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Diffie-Hellman
Z=YZ=YXX mod Nmod NWhen X is unknown, the problem is
known as the discrete logarithm and is generally believed to be hard to solve.
![Page 5: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/5.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange
Alice• Randomly select a
large integer a and send A = Ya mod N.
• Compute the key K = Ba mod N.
Bob• Randomly select a
large integer b and send B = Yb mod N.
• Compute the key K = Ab mod N.
Ba = Yba = Yab = Ab
![Page 6: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/6.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
One-Way Trap-Door Functions
Z=Z=YYXX mod Nmod NRecall that this equation is solvable for Y
if the factorization of N is known, but is believed to be hard otherwise.
![Page 7: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/7.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
RSA Public-Key Cryptosystem
Alice• Select two large
random primes P & Q.• Publish the product
N=PQ.• Use knowledge of P &
Q to compute Y.
Anyone• To send message Y to
Alice, compute Z=YX mod N.
• Send Z and X to Alice.
![Page 8: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/8.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Some RSA Details
When N=PQ is the product of distinct primes,
YX mod N = Y whenever
X mod (P-1)(Q-1) = 1 and 0 YN.
Alice can easily select integers E and D such that E•D mod (P-1)(Q-1) = 1.
![Page 9: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/9.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Remaining RSA Basics
• Why is YX mod PQ = Y whenever
X mod (P-1)(Q-1) = 1, 0 YPQ,
and P and Q are distinct primes?
• How can Alice can select integers E and D such that E•D mod (P-1)(Q-1) = 1?
![Page 10: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/10.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Fermat’s Little Theorem
If p is prime,
then x p-1 mod p = 1 for all 0 < x < p.
Equivalently …
If p is prime,
then x p mod p = x mod p for all integers x.
![Page 11: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/11.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Binomial Theorem
(x + y) p = x p + ( )x p-1y + … + ( )xy p-1 + y p
where ( ) =
p1
Proof of Fermat’s Little Theorem
pp–1
pi
p!i!(p – i)!
![Page 12: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/12.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Binomial Theorem
(x + y) p = x p + ( )x p-1y + … + ( )xy p-1 + y p
where ( ) =
If p is prime, then ( ) mod p = 0 for 0 < i < p.
p1
Proof of Fermat’s Little Theorem
pp–1
pi
pi
p!i!(p – i)!
![Page 13: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/13.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Binomial Theorem
(x + y) p = x p + ( )x p-1y + … + ( )xy p-1 + y p
where ( ) =
If p is prime, then ( ) mod p = 0 for 0 < i < p.
Thus, (x + y) p mod p = (x p + y p) mod p.
p1
Proof of Fermat’s Little Theorem
pp–1
pi
pi
p!i!(p – i)!
![Page 14: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/14.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
![Page 15: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/15.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
By induction on x…
![Page 16: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/16.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
By induction on x…
Basis
![Page 17: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/17.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
By induction on x…
Basis
If x = 0, then x p mod p = 0 = x mod p.
![Page 18: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/18.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
By induction on x…
Basis
If x = 0, then x p mod p = 0 = x mod p.
If x = 1, then x p mod p = 1 = x mod p.
![Page 19: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/19.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
![Page 20: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/20.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
![Page 21: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/21.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
Assume that x p mod p = x mod p.
![Page 22: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/22.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
Assume that x p mod p = x mod p.
Then (x + 1) p mod p = (x p + 1p) mod p
![Page 23: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/23.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
Assume that x p mod p = x mod p.
Then (x + 1) p mod p = (x p + 1p) mod p
= (x + 1) mod p.
![Page 24: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/24.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
Assume that x p mod p = x mod p.
Then (x + 1) p mod p = (x p + 1p) mod p
= (x + 1) mod p.
Hence, x p mod p = x mod p for integers x ≥ 0.
![Page 25: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/25.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of Fermat’s Little Theorem
Inductive Step
Assume that x p mod p = x mod p.
Then (x + 1) p mod p = (x p + 1p) mod p
= (x + 1) mod p.
Hence, x p mod p = x mod p for integers x ≥ 0.
Also true for negative x, since (-x) p = (-1) px p.
![Page 26: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/26.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
![Page 27: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/27.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
![Page 28: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/28.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
YP mod P = Y whenever 0 ≤ Y < P
![Page 29: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/29.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
YP mod P = Y whenever 0 ≤ Y < P
and P is prime!
![Page 30: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/30.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
YP mod P = Y whenever 0 ≤ Y < P
and P is prime!
You will show …
![Page 31: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/31.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
YP mod P = Y whenever 0 ≤ Y < P
and P is prime!
You will show …
YK(P-1)(Q-1)+1 mod PQ = Y when 0 ≤ Y < PQ
![Page 32: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/32.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Proof of RSA
We have shown …
YP mod P = Y whenever 0 ≤ Y < P
and P is prime!
You will show …
YK(P-1)(Q-1)+1 mod PQ = Y when 0 ≤ Y < PQ
P and Q are distinct primes and K ≥ 0.
![Page 33: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/33.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
![Page 34: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/34.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
Euclid’s proof of the infinity of primes
![Page 35: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/35.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
Euclid’s proof of the infinity of primes• Suppose that the set of all primes were finite.
![Page 36: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/36.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
Euclid’s proof of the infinity of primes• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.
![Page 37: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/37.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
Euclid’s proof of the infinity of primes• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.
• Consider N+1.
![Page 38: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/38.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
Euclid’s proof of the infinity of primes• Suppose that the set of all primes were finite.
• Let N be the product of all of the primes.
• Consider N+1.
• The prime factors of N+1 are not among the finite set of primes multiplied to form N.
![Page 39: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/39.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Finding Primes
Euclid’s proof of the infinity of primes• Suppose that the set of all primes were finite.• Let N be the product of all of the primes.• Consider N+1.• The prime factors of N+1 are not among the
finite set of primes multiplied to form N.• This contradicts the assumption that the set of all
primes is finite.
![Page 40: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/40.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Prime Number Theorem
![Page 41: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/41.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Prime Number Theorem
The number of primes less than N is approximately N/(ln N).
![Page 42: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/42.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Prime Number Theorem
The number of primes less than N is approximately N/(ln N).
Thus, approximately 1 out of every n randomly selected n-bit integers will be prime.
![Page 43: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/43.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Testing Primality
Recall Fermat’s Little Theorem
If p is prime, then a(p-1) mod p = 1 for all a in the range 0 < a < p.
![Page 44: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/44.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
![Page 45: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/45.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
To test an integer N for primality, write N–1 as N–1 = m2k where m is odd.
![Page 46: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/46.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
To test an integer N for primality, write N–1 as N–1 = m2k where m is odd.
Repeat several (many) times
![Page 47: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/47.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
To test an integer N for primality, write N–1 as N–1 = m2k where m is odd.
Repeat several (many) times
• Select a random a in 1 < a < N–1
![Page 48: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/48.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
To test an integer N for primality, write N–1 as N–1 = m2k where m is odd.
Repeat several (many) times
• Select a random a in 1 < a < N–1
• Compute am, a2m, a4m, …, a(N–1)/2 all mod N.
![Page 49: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/49.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
To test an integer N for primality, write N–1 as N–1 = m2k where m is odd.
Repeat several (many) times
• Select a random a in 1 < a < N–1
• Compute am, a2m, a4m, …, a(N–1)/2 all mod N.
• If am = ±1 or if some a2im = -1, then N is probably prime – continue.
![Page 50: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/50.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Miller-Rabin Primality Test
To test an integer N for primality, write N–1 as N–1 = m2k where m is odd.
Repeat several (many) times
• Select a random a in 1 < a < N–1
• Compute am, a2m, a4m, …, a(N–1)/2 all mod N.
• If am = ±1 or if some a2im = -1, then N is probably prime – continue.
• Otherwise, N is composite – stop.
![Page 51: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/51.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 52: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/52.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 53: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/53.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 54: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/54.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 55: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/55.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 56: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/56.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 57: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/57.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
2
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 58: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/58.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
3
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 59: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/59.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
3
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 60: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/60.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
3
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 61: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/61.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
3
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 62: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/62.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
3
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 63: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/63.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
5
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 64: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/64.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
5
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 65: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/65.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
5
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 66: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/66.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
5
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
![Page 67: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/67.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
5
Sieving for Primes
Pick a random starting point N.
N N+1 N+2 N+3 N+4 N+5 N+6 N+7 N+8 N+9 N+10 N+11
Sieving out multiples of
Only a few “good” candidate primes will survive.
![Page 68: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/68.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Remaining RSA Basics
![Page 69: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/69.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Remaining RSA Basics
• Why is YX mod PQ = Y whenever
X mod (P-1)(Q-1) = 1, 0 YPQ,
and P and Q are distinct primes?
![Page 70: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/70.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Remaining RSA Basics
• Why is YX mod PQ = Y whenever
X mod (P-1)(Q-1) = 1, 0 YPQ,
and P and Q are distinct primes?
• How can Alice can select integers E and D such that E•D mod (P-1)(Q-1) = 1?
![Page 71: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/71.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Arithmetic
![Page 72: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/72.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Arithmetic
• To compute (A+B) mod N,compute (A+B) and take the result mod N.
![Page 73: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/73.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Arithmetic
• To compute (A+B) mod N,compute (A+B) and take the result mod N.
• To compute (A-B) mod N,compute (A-B) and take the result mod N.
![Page 74: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/74.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Arithmetic
• To compute (A+B) mod N,compute (A+B) and take the result mod N.
• To compute (A-B) mod N,compute (A-B) and take the result mod N.
• To compute (A×B) mod N,compute (A×B) and take the result mod N.
![Page 75: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/75.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Arithmetic
• To compute (A+B) mod N,compute (A+B) and take the result mod N.
• To compute (A-B) mod N,compute (A-B) and take the result mod N.
• To compute (A×B) mod N,compute (A×B) and take the result mod N.
• To compute (A÷B) mod N, …
![Page 76: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/76.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
![Page 77: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/77.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
What is the value of (1÷2) mod 7?
We need a solution to 2x mod 7 = 1.
![Page 78: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/78.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
What is the value of (1÷2) mod 7?
We need a solution to 2x mod 7 = 1.
Try x = 4.
![Page 79: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/79.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
What is the value of (1÷2) mod 7?
We need a solution to 2x mod 7 = 1.
Try x = 4.
What is the value of (7÷5) mod 11?
We need a solution to 5x mod 11 = 7.
![Page 80: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/80.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
What is the value of (1÷2) mod 7?
We need a solution to 2x mod 7 = 1.
Try x = 4.
What is the value of (7÷5) mod 11?
We need a solution to 5x mod 11 = 7.
Try x = 8.
![Page 81: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/81.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
![Page 82: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/82.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
Is modular division always well-defined?
![Page 83: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/83.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
Is modular division always well-defined?
(1÷3) mod 6 = ?
![Page 84: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/84.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
Is modular division always well-defined?
(1÷3) mod 6 = ?
3x mod 6 = 1 has no solution!
![Page 85: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/85.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
Is modular division always well-defined?
(1÷3) mod 6 = ?
3x mod 6 = 1 has no solution!
Fact
(A÷B) mod N always has a solution when gcd(B,N) = 1.
![Page 86: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/86.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
Fact
(A÷B) mod N always has a solution when gcd(B,N) = 1.*
![Page 87: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/87.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Modular Division
Fact
(A÷B) mod N always has a solution when gcd(B,N) = 1.
*There is no solution if gcd(A,B) = 1 and gcd(B,N) ≠ 1.
*
![Page 88: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/88.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
![Page 89: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/89.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
![Page 90: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/90.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
since any common factor of A and B is also a factor of A – B.
![Page 91: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/91.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
since any common factor of A and B is also a factor of A – B.
gcd(21,12) = gcd(12,9) = gcd(9,3)
= gcd(6,3) = gcd(3,6) = gcd(3,3)
= gcd(3,0) = 3
![Page 92: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/92.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
![Page 93: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/93.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
gcd(A , B) = gcd(B , A – kB) for any integer k.
![Page 94: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/94.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
gcd(A , B) = gcd(B , A – kB) for any integer k.
gcd(A , B) = gcd(B , A mod B)
![Page 95: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/95.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Greatest Common Divisors
gcd(A , B) = gcd(B , A – B)
gcd(A , B) = gcd(B , A – kB) for any integer k.
gcd(A , B) = gcd(B , A mod B)
gcd(21,12) = gcd(12,9) = gcd(9,3)
= gcd(3,0) = 3
![Page 96: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/96.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B).
![Page 97: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/97.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B).
When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that
AX + BY = gcd(A,B) = 1.
![Page 98: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/98.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
Given integers A and B, find integers X and Y such that AX + BY = gcd(A,B).
When gcd(A,B) = 1, solve AX mod B = 1, by finding X and Y such that
AX + BY = gcd(A,B) = 1.
Compute (C÷A) mod B as C×(1÷A) mod B.
![Page 99: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/99.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
gcd(35, 8) =
gcd(8, 35 mod 8) = gcd(8, 3) =
gcd(3, 8 mod 3) = gcd(3, 2) =
gcd(2, 3 mod 2) = gcd(2, 1) =
gcd(1, 2 mod 1) = gcd(1, 0) = 1
![Page 100: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/100.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
35 = 8 4 + 3
![Page 101: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/101.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
35 = 8 4 + 3
8 = 3 2 + 2
![Page 102: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/102.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
35 = 8 4 + 3
8 = 3 2 + 2
3 = 2 1 + 1
![Page 103: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/103.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
35 = 8 4 + 3
8 = 3 2 + 2
3 = 2 1 + 1
2 = 1 2 + 0
![Page 104: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/104.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
35 = 8 4 + 3 3 = 35 – 8 4
8 = 3 2 + 2 2 = 8 – 3 2
3 = 2 1 + 1 1 = 3 – 2 1
2 = 1 2 + 0
![Page 105: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/105.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
3 = 35 – 8 4
2 = 8 – 3 2
1 = 3 – 2 1
![Page 106: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/106.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
3 = 35 – 8 4
2 = 8 – 3 2
1 = 3 – 2 1 = (35 – 8 4) – (8 – 3 2) 1
![Page 107: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/107.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
3 = 35 – 8 4
2 = 8 – 3 2
1 = 3 – 2 1 = (35 – 8 4) – (8 – 3 2) 1 = (35 – 8 4) – (8 – (35 – 8 4) 2) 1
![Page 108: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/108.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
3 = 35 – 8 4
2 = 8 – 3 2
1 = 3 – 2 1 = (35 – 8 4) – (8 – 3 2) 1 = (35 – 8 4) – (8 – (35 – 8 4) 2) 1 = 35 3 – 8 13
![Page 109: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/109.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Extended Euclidean Algorithm
Given A,B > 0, set x1=1, x2=0, y1=0, y2=1, a1=A, b1=B, i=1.
Repeat while bi>0: {i = i + 1;
qi = ai-1 div bi-1; bi = ai-1-qbi-1; ai = bi-1;
xi+1=xi-1-qixi; yi+1=yi-1-qiyi}.
For all i: Axi + Byi = ai. Final ai = gcd(A,B).
![Page 110: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/110.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Digital Signatures
Recall that with RSA,
D(E(Y)) = YED mod N = Y
E(D(Y)) = YDE mod N = Y
Only Alice (knowing the factorization of N) knows D. Hence only Alice can compute D(Y) = YD mod N.
This D(Y) serves as Alice’s signature on Y.
![Page 111: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/111.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
In 1991, the National Institute of Standards and Technology published a Digital Signature Standard that was intended as an option free of intellectual property constraints.
![Page 112: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/112.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
DSA uses the following parameters
• Prime p – anywhere from 512 to 1024 bits
• Prime q – 160 bits such that q divides p-1
• Integer h in the range 1 < h < p-1
• Integer g = h(p-1)/q mod p
• Secret integer x in the range 1 < x < q
• Integer y = gx mod p
![Page 113: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/113.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
To sign a 160-bit message M,
![Page 114: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/114.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
To sign a 160-bit message M,
• Generate a random integer k with 0 < k < q,
![Page 115: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/115.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
To sign a 160-bit message M,
• Generate a random integer k with 0 < k < q,
• Compute r = (gk mod p) mod q,
![Page 116: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/116.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
To sign a 160-bit message M,
• Generate a random integer k with 0 < k < q,
• Compute r = (gk mod p) mod q,
• Compute s = ((M+xr)/k) mod q.
![Page 117: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/117.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
To sign a 160-bit message M,
• Generate a random integer k with 0 < k < q,
• Compute r = (gk mod p) mod q,
• Compute s = ((M+xr)/k) mod q.
The pair (r,s) is the signature on M.
![Page 118: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/118.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
A signature (r,s) on M is verified as follows:
![Page 119: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/119.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
A signature (r,s) on M is verified as follows:
• Compute w = 1/s mod q,
![Page 120: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/120.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
A signature (r,s) on M is verified as follows:
• Compute w = 1/s mod q,
• Compute a = wM mod q,
![Page 121: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/121.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
A signature (r,s) on M is verified as follows:
• Compute w = 1/s mod q,
• Compute a = wM mod q,
• Compute b = wr mod q,
![Page 122: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/122.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
A signature (r,s) on M is verified as follows:
• Compute w = 1/s mod q,
• Compute a = wM mod q,
• Compute b = wr mod q,
• Compute v = (gayb mod p) mod q.
![Page 123: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/123.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Digital Signature Algorithm
A signature (r,s) on M is verified as follows:
• Compute w = 1/s mod q,
• Compute a = wM mod q,
• Compute b = wr mod q,
• Compute v = (gayb mod p) mod q.
Accept the signature only if v = r.
![Page 124: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/124.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curve Cryptosystems
![Page 125: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/125.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curve Cryptosystems
An elliptic curve
![Page 126: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/126.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curve Cryptosystems
An elliptic curve
y2 = x3 + Ax + B
![Page 127: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/127.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
![Page 128: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/128.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y = x3 + Ax + B
![Page 129: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/129.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y = x3 + Ax + B
x
y
![Page 130: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/130.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 131: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/131.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 132: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/132.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 133: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/133.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 134: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/134.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 135: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/135.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 136: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/136.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 137: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/137.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves
y2 = x3 + Ax + B
x
y
![Page 138: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/138.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Curves Intersecting Lines
y2 = x3 + Ax + B
x
y
y = ax + b
![Page 139: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/139.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Non-vertical Lines
y2 = x3 + Ax + B
y = ax + b
(ax + b)2 = x3 + Ax + B
x3 + Ax2 + Bx + C = 0
Elliptic Curves Intersecting Lines
![Page 140: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/140.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
x3 + Ax2 + Bx + C = 0
x
y
Elliptic Curves Intersecting Lines
![Page 141: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/141.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Non-vertical Lines
• 1 intersection point (typical case)
• 2 intersection points (tangent case)
• 3 intersection points (typical case)
Elliptic Curves Intersecting Lines
![Page 142: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/142.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Vertical Lines
y2 = x3 + Ax + B
x = c
y2 = c3 + Ac + B
y2 = C
Elliptic Curves Intersecting Lines
![Page 143: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/143.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Vertical Lines
• 0 intersection point (typical case)
• 1 intersection points (tangent case)
• 2 intersection points (typical case)
Elliptic Curves Intersecting Lines
![Page 144: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/144.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
y2 = x3 + Ax + B
x
y
y = ax + b
![Page 145: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/145.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
y2 = x3 + Ax + B
x
y
y = ax + b
![Page 146: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/146.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
y2 = x3 + Ax + B
x
y
y = ax + b
![Page 147: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/147.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
y2 = x3 + Ax + B
x
y
x = c
![Page 148: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/148.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
• Add an “artificial” point I to handle the vertical line case.
• This point I also serves as the group identity value.
![Page 149: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/149.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
y2 = x3 + Ax + B
x
y
x = c
![Page 150: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/150.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
(x1,y1) (x2,y2) = (x3,y3)
x3 = ((y2–y1)/(x2–x1))2 – x1 – x2
y3 = -y1 + ((y2–y1)/(x2–x1)) (x1–x3)
when x1 x2
![Page 151: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/151.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
(x1,y1) (x2,y2) = (x3,y3)
x3 = ((3x12+A)/(2y1))2 – 2x1
y3 = -y1 + ((3x12+A)/(2y1)) (x1–x3)
when x1 = x2 and y1 = y2 0
![Page 152: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/152.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Elliptic Groups
(x1,y1) (x2,y2) = I
when x1= x2 but y1 y2 or y1= y2= 0
(x1,y1) I = (x1,y1) = I (x1,y1)
I I = I
![Page 153: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/153.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Fundamental Equation
Z=YZ=YXX mod N mod N
![Page 154: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/154.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Fundamental Equation
Z=YZ=YXX in Ein Epp(A,B)(A,B)
![Page 155: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/155.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Fundamental Equation
ZZ=Y=YXX in Ein Epp(A,B) (A,B) When Z is unknown, it can be efficiently
computed by repeated squaring.
![Page 156: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/156.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Fundamental Equation
Z=YZ=YXX in Ein Epp(A,B)(A,B)When X is unknown, this version of the
discrete logarithm is believed to be quite hard to solve.
![Page 157: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/157.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
The Fundamental Equation
Z=Z=YYXX in Ein Epp(A,B)(A,B)When Y is unknown, it can be efficiently
computed by “sophisticated” means.
![Page 158: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/158.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange
Ba = Yba = Yab = Ab
Alice
• Randomly select a large integer a and send A = Ya mod N.
• Compute the key K = Ba mod N.
Bob
• Randomly select a large integer b
and send B = Yb mod N.
• Compute the key K = Ab mod N.
![Page 159: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/159.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Diffie-Hellman Key Exchange
Ba = Yba = Yab = Ab
Alice
• Randomly select a large integer a and send A = Ya in Ep.
• Compute the key K = Ba in Ep.
Bob
• Randomly select a large integer b
and send B = Yb in Ep.
• Compute the key K = Ab in Ep.
![Page 160: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/160.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
DSA on Elliptic Curves
![Page 161: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/161.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
DSA on Elliptic Curves
• Almost identical to DSA over the integers.
![Page 162: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/162.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
DSA on Elliptic Curves
• Almost identical to DSA over the integers.
• Replace operations mod p and q with operations in Ep and Eq.
![Page 163: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/163.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why use Elliptic Curves?
![Page 164: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/164.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why use Elliptic Curves?
• The best currently known algorithm for EC discrete logarithms would take about as long to find a 160-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 1024-bit discrete log.
![Page 165: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/165.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why use Elliptic Curves?
• The best currently known algorithm for EC discrete logarithms would take about as long to find a 160-bit EC discrete log as the best currently known algorithm for integer discrete logarithms would take to find a 1024-bit discrete log.
• 160-bit EC algorithms are somewhat faster and use shorter keys than 1024-bit “traditional” algorithms.
![Page 166: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/166.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why not use Elliptic Curves?
![Page 167: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/167.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why not use Elliptic Curves?
• EC discrete logarithms have been studied far less than integer discrete logarithms.
![Page 168: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/168.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why not use Elliptic Curves?
• EC discrete logarithms have been studied far less than integer discrete logarithms.
• Results have shown that a fundamental break in integer discrete logs would also yield a fundamental break in EC discrete logs, although the reverse may not be true.
![Page 169: Practical Aspects of Modern Cryptography](https://reader030.vdocument.in/reader030/viewer/2022032612/56812f20550346895d94b7fa/html5/thumbnails/169.jpg)
April 19, 2023Practical Aspects of Modern Cryptography
Why not use Elliptic Curves?
• EC discrete logarithms have been studied far less than integer discrete logarithms.
• Results have shown that a fundamental break in integer discrete logs would also yield a fundamental break in EC discrete logs, although the reverse may not be true.
• Basic EC operations are more cumbersome than integer operations, so EC is only faster if the keys are much smaller.