© Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone...
-
date post
22-Dec-2015 -
Category
Documents
-
view
218 -
download
1
Transcript of © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone...
![Page 1: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/1.jpg)
© Copyright Martin Tompa, 1999
Secret Codes,
Unforgeable Signatures,
and
Coin Flipping on the Phone
Martin Tompa
Computer Science & Engineering
University of Washington
![Page 2: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/2.jpg)
© Copyright Martin Tompa, 1999
Secret Codes,
Unforgeable Signatures,
and
Coin Flipping on the Phone
![Page 3: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/3.jpg)
© Copyright Martin Tompa, 1999
What Is a Cryptosystem?
A
Sender
B
Receiver
C = EAB(M) M = DAB(C)M
KAB KAB
![Page 4: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/4.jpg)
© Copyright Martin Tompa, 1999
What Is a Cryptosystem?
A
Sender
B
Receiver
Cryptanalyst
(bad guy)
C = EAB(M) M = DAB(C)M
KAB KAB
![Page 5: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/5.jpg)
© Copyright Martin Tompa, 1999
What Is a Cryptosystem?
A
Sender
B
Receiver
Cryptanalyst
(bad guy)
C = EAB(M) M = DAB(C)M
M C KAB
Message Encryption KeyPlaintext CyphertextCleartext
KAB KAB
![Page 6: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/6.jpg)
© Copyright Martin Tompa, 1999
What Is a Public Key Cryptosystem?
A
Sender
B
Receiver
Cryptanalyst
(bad guy)
C = EAB(M) M = DAB(C)M
M C KB EB
Message Encryption Key Public KeyPlaintext Cyphertext Private KeyCleartext
KAB KAB
![Page 7: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/7.jpg)
© Copyright Martin Tompa, 1999
The RSA Public Key Cryptosystem
Invented by Rivest, Shamir, and Adleman in 1977. Has proven resistant to all cryptanalytic attacks.
![Page 8: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/8.jpg)
© Copyright Martin Tompa, 1999
Receiver’s Set-Up
Choose 500-digit primes p and q (each 2 more than a multiple of 3).p = 5, q = 11
![Page 9: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/9.jpg)
© Copyright Martin Tompa, 1999
Receiver’s Set-Up
Choose 500-digit primes p and q (each 2 more than a multiple of 3).p = 5, q = 11
Let n = pq.n = 55
![Page 10: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/10.jpg)
© Copyright Martin Tompa, 1999
Receiver’s Set-Up
Choose 500-digit primes p and q (each 2 more than a multiple of 3).p = 5, q = 11
Let n = pq.n = 55
Let s = (1/3) (2(p - 1)(q - 1) + 1).s = (1/3) (2 4 10 + 1) = 27
![Page 11: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/11.jpg)
© Copyright Martin Tompa, 1999
Receiver’s Set-Up
Choose 500-digit primes p and q (each 2 more than a multiple of 3).p = 5, q = 11
Let n = pq.n = 55
Let s = (1/3) (2(p - 1)(q - 1) + 1).s = (1/3) (2 4 10 + 1) = 27
Publish n.
Keep p, q, and s secret.
![Page 12: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/12.jpg)
© Copyright Martin Tompa, 1999
Encrypting a Message
Break the message into chunks.H I C H R I S …
![Page 13: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/13.jpg)
© Copyright Martin Tompa, 1999
Encrypting a Message
Break the message into chunks.H I C H R I S …
![Page 14: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/14.jpg)
© Copyright Martin Tompa, 1999
Encrypting a Message
Break the message into chunks.H I C H R I S …
Translate each chunk into an integer M (0 < M < n) by any convenient method.8 9 3 8 18 9 19 …
![Page 15: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/15.jpg)
© Copyright Martin Tompa, 1999
Encrypting a Message
Break the message into chunks.H I C H R I S …
Translate each chunk into an integer M (0 < M < n) by any convenient method.8 9 3 8 18 9 19 …
Divide M3 by n. E(M) is the remainder.M = 8, n = 55
83 = 512 = 9×55 + 17
E(8) = 17
![Page 16: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/16.jpg)
© Copyright Martin Tompa, 1999
Decrypting a Cyphertext C
Divide Cs by n. D(C) is the remainder.C = 17, n = 55, s = 27
1727 = 1,667,711,322,168,688,287,513,535,727,415,473
= 30,322,024,039,430,696,136,609,740,498,463 × 55 + 8
D(17) = 8
![Page 17: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/17.jpg)
© Copyright Martin Tompa, 1999
Decrypting a Cyphertext C
Divide Cs by n. D(C) is the remainder.C = 17, n = 55, s = 27
1727 = 1,667,711,322,168,688,287,513,535,727,415,473
= 30,322,024,039,430,696,136,609,740,498,463 × 55 + 8
D(17) = 8
Translate D(C) into letters.H
![Page 18: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/18.jpg)
© Copyright Martin Tompa, 1999
Why Does It Work?
Euler’s Theorem (1736): Suppose p and q are distinct primes, n = pq, 0 < M < n, and k > 0.
If Mk(p-1)(q-1)+1 is divided by n, the remainder is M.
![Page 19: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/19.jpg)
© Copyright Martin Tompa, 1999
Why Does It Work?
Euler’s Theorem (1736): Suppose p and q are distinct primes, n = pq, 0 < M < n, and k > 0.
If Mk(p-1)(q-1)+1 is divided by n, the remainder is M.
(M3)s = (M3) (1/3)(2(p-1)(q-1)+1)
= M 2(p-1)(q-1)+1
![Page 20: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/20.jpg)
© Copyright Martin Tompa, 1999
Leonhard Euler 1707-1783
![Page 21: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/21.jpg)
© Copyright Martin Tompa, 1999
Why Is It Secure?
To find M = D(C), you seem to need s.
![Page 22: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/22.jpg)
© Copyright Martin Tompa, 1999
Why Is It Secure?
To find M = D(C), you seem to need s. To find s, you seem to need p and q.
![Page 23: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/23.jpg)
© Copyright Martin Tompa, 1999
Why Is It Secure?
To find M = D(C), you seem to need s. To find s, you seem to need p and q. All the cryptanalyst has is n = pq.
![Page 24: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/24.jpg)
© Copyright Martin Tompa, 1999
Why Is It Secure?
To find M = D(C), you seem to need s. To find s, you seem to need p and q. All the cryptanalyst has is n = pq. How hard is it to factor a 1000-digit number n?
With the grade school method,
doing 1,000,000,000 steps per second
it would take …
![Page 25: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/25.jpg)
© Copyright Martin Tompa, 1999
Why Is It Secure?
To find M = D(C), you seem to need s. To find s, you seem to need p and q. All the cryptanalyst has is n = pq. How hard is it to factor a 1000-digit number n?
With the grade school method,
doing 1,000,000,000 steps per second
it would take … 10483 years.
![Page 26: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/26.jpg)
© Copyright Martin Tompa, 1999
State of the Art in Factoring
1977: Inventors encrypt a challenge using “RSA129,” a 129-digit number n = pq.
1981: Pomerance invents Quadratic Sieve factoring method.
1994: Using Quadratic Sieve, RSA129 is factored over 8 months using 1000 computers on the Internet around the world.
(1999: Using a new method, RSA140 is factored.)
![Page 27: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/27.jpg)
© Copyright Martin Tompa, 1999
State of the Art in Factoring
1977: Inventors encrypt a challenge using “RSA129,” a 129-digit number n = pq.
1981: Pomerance invents Quadratic Sieve factoring method.
1994: Using Quadratic Sieve, RSA129 is factored over 8 months using 1000 computers on the Internet around the world.
(1999: Using a new method, RSA140 is factored.) Using Quadratic Sieve, a 250-digit number would
take 800,000,000 months instead of 8.
![Page 28: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/28.jpg)
© Copyright Martin Tompa, 1999
Secret Codes,
Unforgeable Signatures,
and
Coin Flipping on the Phone
![Page 29: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/29.jpg)
© Copyright Martin Tompa, 1999
Signed Messages How A sends a secret message to B
A B
C = EB(M)
M = DB(C)
C
![Page 30: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/30.jpg)
© Copyright Martin Tompa, 1999
Signed Messages How A sends a secret message to B
A B
C = EB(M)
M = DB(C)
How A sends a signed message to B
A B
C = DA(M)
M = EA(C)
C
C
![Page 31: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/31.jpg)
© Copyright Martin Tompa, 1999
Signed and Secret Messages How A sends a secret message to B ...
A B
C = EB(M)
M = DB(C)
How A sends a signed secret message to B ...
A B
C = EB(DA(M))
M = EA (DB(C))
C
C
![Page 32: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/32.jpg)
© Copyright Martin Tompa, 1999
Secret Codes,
Unforgeable Signatures,
and
Coin Flipping on the Phone
![Page 33: © Copyright Martin Tompa, 1999 Secret Codes, Unforgeable Signatures, and Coin Flipping on the Phone Martin Tompa Computer Science & Engineering University.](https://reader035.fdocuments.us/reader035/viewer/2022062421/56649d7a5503460f94a5ea6a/html5/thumbnails/33.jpg)
© Copyright Martin Tompa, 1999
Flipping a Coin Over the PhoneA B
Choose random x.
y = EA(x)
Guess if x is even or odd.
Check y = EA(x).
B wins if the guess about x was right, or y = EA(x).
y
“even”“odd”
x