Download
1 / 26
260 likes | 273 Views
Dive into the security and privacy aspects of RSA encryption in this insightful lecture summary. Check out quiz results, feedback, and comments from University of Virginia students aiming to demystify encryption concepts. Explore hash functions, decryption approaches, and the importance of secure cryptographic practices. Enhance your understanding of RSA and cryptographic principles today!
E N D
Lecture 11: Birthday Paradoxes David Evans http://www.cs.virginia.edu/~evans CS588: Security and Privacy University of Virginia Computer Science
Quiz Results 1. How well do you feel you understand RSA? a. Broke it yesterday 0 b. Well enough to implement 2 (1 has done it) c. Almost everything in RSA paper 4 (but 2 revealed otherwise in their answers) d. Sort of 19 (6 answered all questions well) e/f. Not really, No Clue 11 8 got all blanks right 8 got all blanks right except ed 1 mod (p – 1)(q – 1) University of Virginia CS 588
Quiz Results Lectures way too fast: 3 too fast: 23 write in “little too fast” 3 write in “just right” 2 too slow: 2 (with comments: a little, but really think they’re fine) way too slow: 0 University of Virginia CS 588
Selected Comments “Math is too fast – and I am a math major!” “Too much math” “The proofs often lose me.” “It is difficult to follow the reasoning on the math from just slides, the math using the board made more sense.” “Explain the math more in encryption, using white board or chalkboard.” “Less focus on math/proofs, more on general concepts” { want to have more combination of theory and daily application } “More practical examples might help” University of Virginia CS 588
More Comments “Doing the homework always helps me understand much better.” “I usually can’t keep up in lectures, but can understand after reviewing slides out of class.” “All quizes and tests should be anonymous.” “Wish people felt more comfortable speaking out answers even when wrong.” “You tend to progress as soon as you have verification that 1 person understands. Wait ‘till the majority of the class understands.” University of Virginia CS 588
Security depends on this being secret ed 1 mod ??? • Public encryption function: E(M) = Me mod n • Private encryption function: D(C) = Cd mod n Most common (wrong) answer: ed 1 mod n[Wrong] University of Virginia CS 588
Solving for d ed 1 mod n e, n are known (public key) and relatively prime ed = k0n + 1 for some k0 ed – k0n = 1 ed + nk = 1 (k = -k0) How do we find d? ed + nk = 1 = gcd (e, n) Euclidean Algorithm, see MBC 7.5 for proof and explanation. University of Virginia CS 588
The Real Mod • Finding d such that ed 1 mod X is easy is we know the value of X • So, security of RSA depends on X being unknown to the public • Could it be pq? • Could it be (p – 1)q? University of Virginia CS 588
To Decrypt: M Med mod n a(n)1mod n Euler’s Theorem Mmod n = M (n) Mmod n = Mk (n) Mmod n for any k = Mk (n)+1 mod n ed= k (n) + 1 ed1 mod (n) (n) = (pq) = (p – 1) (q – 1) University of Virginia CS 588
Hashes University of Virginia CS 588
Why is there a hash in certificates? Actually there isn’t! Your browser calculates the hash from the whole certificate. University of Virginia CS 588
Cryptographic Hash Functions • Many-to-one: compresses • Even distribution: P(H(x) = n) = 1/N • Efficient: H(x) is easy to compute. • One-way: given H(x), hard to find x • Collision resistance: Weak collision resistance: given x, it is hard to find y x such that H(y) = H(x). Strong collision resistance: it is hard to find any x and y x such that H(y) = H(x). University of Virginia CS 588
IOU Request Protocol x EKRA[H(x)] Bob Alice knows KUA {KUA, KRA} y EKRA[H(x)] Bob picks x and y such that H(x) = H(y). Judge knows KUA University of Virginia CS 588
Finding x and y Bob generates 210 different agreeable (to Alice) xi messages: I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 | $2.00 | 2 dollars | two dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2002 | 2002 AD}. University of Virginia CS 588
Finding x and y Bob generates 210 different agreeable (to Bob) yi messages: I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 quadrillion | $2000000000000000 | 2 quadrillion dollars | two quadrillion dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2002 | 2002 AD}. University of Virginia CS 588
Bob the Quadrillionaire!? • For each message xi and yi, Bob computes hxi = H(xi) and hyi = H(yi). • If hxi = hyjfor some i and j, Bob sends Alice xi, gets EKRA[H(x)]back. • Bob sends the judge yjand EKRA[H(xi)]. • Is this different from when Alice chooses x? University of Virginia CS 588
Chances of Success • Hash function generate 64-bit digest (n = 264) • Hash function is good (randomly distributed and diffuse) • Chance a randomly chosen message maps to a given hash value: 1 in n = 2-64 • By hashing m good messages, chance that a randomly chosen bad message maps to one of the m different hash values: m * 2-64 • By hashing m good messages and m bad messages: m * m * 2-64 (approximation) University of Virginia CS 588
Is Bob a Quadrillionaire? • m = 210 • 210 * 210 * 2-64 = 2-44 (still a pauper) • Try m= 232 • 232 * 232 * 2-64 = 20 = 1 (yippee!) • Flaw: some of the messages might hash to the same value, might need more than 232 to find match. University of Virginia CS 588
Birthday “Paradox” What is the probability that two people in this room have the same birthday? University of Virginia CS 588
Birthday Paradox Ways to assign k different birthdays without duplicates: N = 365 * 364 * ... * (365 – k + 1) = 365! / (365 – k)! Ways to assign k different birthdays with possible duplicates: D = 365 * 365 * ... * 365 = 365k University of Virginia CS 588
Birthday “Paradox” Assuming real birthdays assigned randomly: N/D = probability there are no duplicates 1 - N/D = probability there is a duplicate = 1 – 365! / ((365 – k)!(365)k ) University of Virginia CS 588
Generalizing Birthdays n! (n – k)! nk P(n, k) = 1 – Given k random selections from n possible values, P(n, k) gives the probability that there is at least 1 duplicate. University of Virginia CS 588
Birthday Probabilities P(no two match) = 1 – P(all are different) P(2 chosen from N are different) = 1 – 1/N P(3 are all different) = (1 – 1/N)(1 – 2/N) P(n trials are all different) = (1 – 1/N)(1 – 2/N) ... (1 – (n – 1)/N) ln (P) = ln (1 – 1/N) + ln (1 – 2/N) + ... ln (1 – (k – 1)/N) University of Virginia CS 588
Happy Birthday Bob! ln (P) = ln (1 – 1/N) + ... + ln (1 – (k – 1)/N) For 0 < x < 1: ln (1 – x) x ln (P) – (1/N + 2/N + ... + (n – 1)/N) Gauss says: 1 + 2 + 3 + 4 + ... + (n – 1) + n = ½ n (n + 1) So, ln (P) ½ (k-1) k/N Pe½ (k-1)k / N Probability of match 1 – e½ (k-1)k / N University of Virginia CS 588
Applying Birthdays P(n, k) > 1 – e-k*(k-1)/2n • For n = 365, k = 40: P(365, 40) > 1 – e-40*(39)/2*365 P(365, 40) > .88 • For n = 264, k = 232: P (264, 232) > .39 • For n = 264, k = 233: P (264, 233) > .86 • For n = 264, k = 234: P (264, 234) > .9996 • For n = 2128, k = 240: P (2128, 240) > 10-15 University of Virginia CS 588
Finding Problem Set Partners • Simple way: • Ask people in the class if they want to work with you • Problems: • You face rejection and ridicule if they say no • Can you find partners without revealing your wishes unless they are reciprocated? • Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them University of Virginia CS 588
