exercise in the previous class: decrypt the following ciphertext.

qiwaufmlyngcmwzyz c mcxaeyoqweocqyaocuwpwoqjwcqkeyogzkmmwe cod vyoqwezlaeqz, yoviyniqiakzcodzajcqiuwqwzlceqynylcqwyo c pceywqfajnamlwqyqyaoz. qiwaufmlyngcmwzicpwnamwqahwewgcedwdczqiwvaeud'zjaewmazqzlaeqznamlwqyqyaoviwewmaewqicoqvaikodewdocqyaozlceqynylcqw. qiwgcmwzcewnkeewoqufiwudwpwefqvafwcez, vyqizkmmwe cod vyoqweaufmlyngcmwzcuqweocqyog, cuqiakgiqiwfannkewpwefjakefwcezvyqiyoqiwyeewzlwnqypwzwczaocugcmwz.

hint: find "typical patterns" of English
exercise in the previous class: solution
use the Java applet at http://apal.naist.jp/~kaji/crypto/Substitution.html

The Olympic Games is a major international event featuring summer and winter sports, in which thousands of athletes participate in a variety of competitions. The Olympic Games have come to be regarded as the world's foremost sports competition where more than two hundred nations participate. The Games are currently held every two years, with Summer and Winter Olympic Games alternating, although they occur every four years within their respective seasonal games.
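As an added example (not part of the lecture slides, and not the linked applet), the following Python script does what the hint asks for: it counts letter frequencies in the exercise ciphertext, pairs the most frequent cipher letters with the most frequent English letters as a first guess, and then applies a cipher-to-plain letter table. The English frequency order and the function names are my own; the full key table is the one that maps the ciphertext above onto the solution text, so it is specific to this exercise.

```python
from collections import Counter

# Ciphertext from the exercise slide (a monoalphabetic substitution of English text).
CIPHERTEXT = (
    "qiwaufmlyngcmwzyz c mcxaeyoqweocqyaocuwpwoqjwcqkeyogzkmmwe cod vyoqwezlaeqz, "
    "yoviyniqiakzcodzajcqiuwqwzlceqynylcqwyo c pceywqfajnamlwqyqyaoz. "
    "qiwaufmlyngcmwzicpwnamwqahwewgcedwdczqiwvaeud'zjaewmazqzlaeqznamlwqyqyaoviwewmaewqicoqvaikodewdocqyaozlceqynylcqw. "
    "qiwgcmwzcewnkeewoqufiwudwpwefqvafwcez, vyqizkmmwe cod vyoqweaufmlyngcmwzcuqweocqyog, "
    "cuqiakgiqiwfannkewpwefjakefwcezvyqiyoqiwyeewzlwnqypwzwczaocugcmwz."
)

# Typical English single-letter frequency order, most common first (assumed
# ranking; the head "etaoin" is stable across corpora, the tail varies).
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"


def letter_frequencies(text):
    """Cipher letters with their counts, most frequent first (ties alphabetically)."""
    counts = Counter(ch for ch in text.lower() if ch.isalpha())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def initial_guess(text, top=3):
    """First guess: the `top` most frequent cipher letters are the `top` most
    frequent English letters. Only the leading entries are reliable."""
    ranked = [c for c, _ in letter_frequencies(text)]
    return {c: p for c, p in zip(ranked[:top], ENGLISH_ORDER[:top])}


def decrypt(text, key):
    """Apply a cipher->plain letter map; letters not yet in the key print as '?'."""
    return "".join(key.get(ch, "?") if ch.isalpha() else ch for ch in text.lower())


# Full key for this exercise: the frequency guess extended with the "typical
# patterns" (the trigram for 'the', the stand-alone words 'a' and 'and').
RECOVERED_KEY = {
    "a": "o", "c": "a", "d": "d", "e": "r", "f": "y", "g": "g", "h": "b", "i": "h",
    "j": "f", "k": "u", "l": "p", "m": "m", "n": "c", "o": "n", "p": "v", "q": "t",
    "u": "l", "v": "w", "w": "e", "x": "j", "y": "i", "z": "s",
}

if __name__ == "__main__":
    print(letter_frequencies(CIPHERTEXT)[:5])          # 'w' leads, i.e. 'e'
    print(decrypt(CIPHERTEXT, initial_guess(CIPHERTEXT)))
    print(decrypt(CIPHERTEXT, RECOVERED_KEY))
```

Running the script shows why the hint works: the single most frequent cipher letter is `w`, which stands for `e`, and the partially decrypted text with only a few letters filled in already exposes the word boundaries and the trigram `qiw` = `the` that give the rest of the key.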
previous class: common-key cryptography (symmetric-key cryptography, classic cryptography, ...)
• the encryption and decryption use the same key
• the sender and the receiver need to agree on the key in advance
[figure: sender A encrypts and receiver B decrypts with the same key; the key agreement needs a secure channel or a secure protocol]
today: public-key cryptography
• the receiver of ciphertexts prepares a pair of keys: the encryption key and the decryption key
• the encryption key is opened to the public
• the decryption key is kept secret by the receiver
[figure: receiver B sends the encryption key to sender A in advance over an open channel; A encrypts, B decrypts]
the difference between the two cryptographies
• common-key cryptography = vault (safe): a key is needed to put something in, and a key is needed to take it out
• public-key cryptography = post (mailbox): NO key is needed to put something in, a key is needed to take it out; each individual has its own "post"
public-key cryptography
a public-key cryptography is a triple of algorithms (G, E, D)
• G(seed): generates a pair of keys ek and dk
• E(ek, m): encrypts m by using ek as an encryption key
• D(dk, c): decrypts c by using dk as a decryption key
• if (ek, dk) is a pair generated by G, then D(dk, E(ek, m)) = m
• if (ek, dk) is not a pair generated by G (the keys do not match), then D(dk, E(ek, m)) ≠ m
[figure: seed → G → (ek, dk); m → E with ek → c → D with dk → m]
key management
each user needs to generate his/her own key pair (ek, dk)
• the decryption key dk is kept secret: only the legitimate user can do decryption
• the encryption key ek is opened to the public: anybody can do encryption
[figure: users A, B, C each hold their own dkA, dkB, dkC; the public list reads A...ekA, B...ekB, C...ekC]
RSA cryptography
proposed by Rivest, Shamir and Adleman in 1977
• keys, plaintexts and ciphertexts are integers
• encryption: the key is a pair of integers e and n; c = m^e mod n
• decryption: the key is a pair of integers d and n; m = c^d mod n
• the "trick" is in the choice of e, d and n
• keys must be very long ... n: 1,024 bits or more
numerical example
e = 3, d = 7, n = 33:
• encryption: m → c = m^3 mod 33
• decryption: c → m = c^7 mod 33
what did we do?
encryption & decryption: (m^3 mod 33)^7 mod 33 = m^21 mod 33 = m
[figure: the chain m → m^3 → (m^3)^7 = m^21, with the intermediate powers m^2, m^4, ..., m^20 shown cycling back to m]
How can we choose such numbers?
key generation of RSA
how to choose e, d and n of the key of RSA:
step 1: choose two prime integers p and q, and let n = pq
step 2: choose e which is coprime with (p – 1)(q – 1)
step 3: determine d such that ed ≡ 1 mod (p – 1)(q – 1)
• e, n ... opened to the public
• d (, p, q) ... kept secret
notes: a and b are coprime if gcd(a, b) = 1; a ≡ b mod c means (a mod c) = (b mod c)
example: p = 3, q = 11, (p – 1)(q – 1) = 20; key: e = 3, d = 7, n = 33
algorithmic details
Q1: How can we generate prime numbers?
A1: Generate numbers randomly, and do "primality tests".
Q2: How can we find d such that ed ≡ 1 mod (p – 1)(q – 1)?
A2: Use the Euclidean algorithm for computing a gcd: start from (a_0, b_0), repeat a_{i+1} = b_i, b_{i+1} = a_i mod b_i until b_j = 0; then a_j is the gcd of a_0 and b_0.
computation of d with the Euclidean Algorithm++
use the Euclidean algorithm for φ = (p – 1)(q – 1) and e:
a_0 = φ, b_0 = e
a_1 = e, b_1 = a_0 mod b_0 = a_0 – k_1 b_0 = φ – k_1 e
a_2 = b_1, b_2 = a_1 mod b_1 = a_1 – k_2 b_1 = –k_2 φ + (k_1 k_2 + 1) e
... every remainder has the form b_i = x_i φ + y_i e
b_{j–1} = 1, a_j = 1, b_j = 0 (the gcd is 1 because φ and e are coprime)
therefore 1 = xφ + ye, that is ye = –xφ + 1, that is ye ≡ 1 mod φ
choose d = y mod φ
example of the computation of d
• assume φ = 130 and e = 59
130 = 2×59 + 12, so 12 = 130 – 2×59
59 = 4×12 + 11, so 11 = 59 – 4×12 = –4×130 + 9×59
12 = 1×11 + 1, so 1 = 12 – 11 = 5×130 – 11×59
• 1 = xφ + ye with x = 5, y = –11
• ye = –xφ + 1: (–11)e = –5φ + 1, so (–11)e ≡ 1 mod φ
• d = –11 mod 130 = 119
• check: ed = 59×119 = 7021 = 54×130 + 1, so ed ≡ 1 mod φ
encryption & decryption
• encryption key: e and n
• decryption key: d (and n)
• plaintexts & ciphertexts ... integers in {0, ..., n – 1}
• encryption: c = m^e mod n
• decryption: m = c^d mod n
modular exponentiation? ... see page 25 of the slides of the previous class
summarizing example: key generation of RSA
step 1: choose p = 79, q = 97, and we have n = pq = 7663
step 2: choose e = 5, which is coprime with (p – 1)(q – 1) = 7488
step 3: determine d with 5d ≡ 1 mod 7488 as follows (all computation in mod (p – 1)(q – 1)):
7488 = 1497×5 + 3, so 3 = 7488 – 1497×5
5 = 1×3 + 2, so 2 = 5 – 3 = –7488 + 1498×5
3 = 1×2 + 1, so 1 = 3 – 2 = 2×7488 – 2995×5
d = –2995 mod 7488 = 4493
summarizing example: encryption & decryption
keys: e = 5, d = 4493, n = 7663
• encryption: c = m^5 mod 7663
• decryption: m = c^4493 mod 7663 = c^4096 · c^256 · c^128 · c^8 · c^4 · c mod 7663
all computation in mod n = pq
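The three key-generation steps, the "Euclidean Algorithm++" computation of d, and the square-and-multiply decryption shown in the summarizing example, written out as an added Python example (my code, not the lecture's). It keeps the slides' notation (φ = (p – 1)(q – 1), remainders of the form xφ + ye) and reproduces the numbers from the slides: (p, q, e) = (3, 11, 3) gives d = 7, φ = 130 with e = 59 gives d = 119, and (79, 97, 5) gives d = 4493. Function names are my own; for real key sizes the primes would come from a primality test, as Q1/A1 say, not from fixed small values.

```python
def extended_gcd(a, b):
    """Euclidean Algorithm++: return (g, x, y) with g = gcd(a, b) and x*a + y*b = g.

    Every remainder is carried along as x*a + y*b, exactly like b_i = x_i*phi + y_i*e
    on the slide; when the remainder reaches 0 the previous one is the gcd.
    """
    x0, y0, x1, y1 = 1, 0, 0, 1          # a = 1*a + 0*b, b = 0*a + 1*b
    while b != 0:
        k, r = divmod(a, b)              # a = k*b + r
        a, b = b, r
        x0, x1 = x1, x0 - k * x1         # r = (x0 - k*x1)*a_orig + (y0 - k*y1)*b_orig
        y0, y1 = y1, y0 - k * y1
    return a, x0, y0


def mod_inverse(e, phi):
    """Return d with e*d ≡ 1 (mod phi): from 1 = x*phi + y*e take d = y mod phi."""
    g, x, y = extended_gcd(phi, e)
    if g != 1:
        raise ValueError("e and (p-1)(q-1) must be coprime")
    return y % phi


def rsa_keygen(p, q, e):
    """Steps 1-3 of the slide: n = pq, e coprime with phi, d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)              # raises if e is a bad choice (step 2 violated)
    return (e, n), (d, n)                # (public key, private key)


def mod_pow(base, exp, mod):
    """Square-and-multiply: c^4493 = c^4096 * c^256 * c^128 * c^8 * c^4 * c, driven
    by the binary digits of exp, so the work is O(log exp) multiplications."""
    result, base = 1, base % mod
    while exp > 0:
        if exp & 1:                      # this bit of exp is set: multiply in current power
            result = (result * base) % mod
        base = (base * base) % mod       # next power of two
        exp >>= 1
    return result


def rsa_encrypt(m, public_key):
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in {0, ..., n-1}")
    return mod_pow(m, e, n)


def rsa_decrypt(c, private_key):
    d, n = private_key
    return mod_pow(c, d, n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(79, 97, 5)    # the summarizing example on the slide
    print(pub, priv)                     # (5, 7663) (4493, 7663)
    c = rsa_encrypt(1234, pub)
    print(c, rsa_decrypt(c, priv))       # ... 1234
```

The `extended_gcd` trace for (130, 59) produces exactly the slide's lines 12 = 130 – 2×59, 11 = –4×130 + 9×59 and 1 = 5×130 – 11×59, and the final pair (x, y) = (5, –11) is what `mod_inverse` reduces to d = 119.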
the soundness proof of RSA: preparation
we need to show that (m^e mod n)^d mod n = m^(ed) mod n = m.
two assisting lemmas...
Fermat's little theorem: x^(p–1) ≡ 1 mod p for a prime number p and any x with gcd(x, p) = 1
Corollary of the Chinese Remainder Theorem [孫子算経, Sunzi Suanjing]: if x ≡ a mod p and x ≡ a mod q, then x ≡ a mod pq, where p and q are different prime numbers.
the soundness proof of RSA
Theorem: m^(ed) mod n = m.
Proof:
• ed ≡ 1 mod (p – 1)(q – 1) implies that ed = k(p – 1)(q – 1) + 1
• we have m^(ed) ≡ m mod p, because...
  • if gcd(m, p) = 1, then m^(p–1) ≡ 1 mod p by Fermat, and m^(ed) = (m^(p–1))^(k(q–1)) · m ≡ m mod p
  • if gcd(m, p) ≠ 1, then m is a multiple of p and both sides are ≡ 0 mod p
• similarly we have m^(ed) ≡ m mod q
• the corollary of the Chinese Remainder Theorem guarantees that m^(ed) mod n = m
attacks on RSA
given an encryption key e and n, and a ciphertext c, can we find the plaintext m with c = m^e mod n?
• exhaustive attack
  • an attacker can "encrypt" a plaintext
  • test if c = x^e mod n for all x ∈ {0, ..., n – 1}
  • choose n large, and this attack is not serious
• computing the e-th root of c in mod n
  • computing the e-th root is easy for real numbers
  • the algorithms do not work for the discrete "mod n" world
attacks on RSA: factorization of n
• factoring (prime factorization) attack
  • find prime numbers p and q with n = pq
  • once p and q are revealed, d can be determined uniquely
  • use d to decrypt c
But, can we factor n?
• there are several algorithms for factoring: brute force, quadratic sieve, elliptic curve
• it is still difficult to factor large composite numbers
• n should be chosen so that it is 1,024 bits or more
• You may come up with a good idea tomorrow!
the factoring and RSA
• "if we can factor a given n, then we can break RSA": breaking RSA is not more difficult than factoring
[figure: breaking RSA ≤ factoring, placed on a scale from easy to difficult]
theoretically speaking, there are more favorable cryptographies...
• Rabin cipher:
  • if we can factor a given n, then we can break Rabin cipher
  • if we can break Rabin cipher, then we can factor a given n
  • "breaking Rabin cipher is as difficult as factoring"
(Rabin is not efficient and not practical, many people consider...)
the security of RSA
the security of RSA is NOT a mathematically proved fact...
• many people believe that it is difficult to break RSA
• there can be somebody who knows a good algorithm and is decrypting RSA silently...
• no backup from the theory of computational complexity
  • breaking RSA ∈ NP, but not clear if NP-complete or not
• a quantum computer can break RSA
  • Shor's quantum algorithm for factoring
ElGamal encryption: key generation
• based on the discrete logarithm problem (DLP)
• probabilistic encryption: one plaintext has many ciphertexts
• key generation (recall the Diffie-Hellman key agreement)
  • choose a prime number q and a generator g of F_q
  • choose a random x, and compute y = g^x mod q
  • the encryption key is q, g and y
  • the decryption key is x
ElGamal: encryption & decryption
encryption of m:
• choose random r, and let c1 = g^r mod q, c2 = m + y^r mod q
• (c1, c2) is the ciphertext
decryption of (c1, c2):
• compute u = c1^x mod q
• compute v = c2 – u mod q
• v is the plaintext
[figure: c1^x = (g^r)^x = (g^x)^r = y^r mod q, so subtracting u from c2 = m + y^r recovers m]
ElGamal: example
• choose q = 13 and g = 7
  • 1 ≡ 7^12 mod 13, 2 ≡ 7^11 mod 13, ..., 12 ≡ 7^6 mod 13
• choose x = 5 and determine y = 7^5 = 16807 ≡ 11 mod 13
• encryption: m = 6, r = 3
  • c1 = 7^3 = 343 ≡ 5 mod 13, c2 = 6 + 11^3 = 1337 ≡ 11 mod 13
  • c = (5, 11) is the ciphertext
• decryption: c = (5, 11)
  • u = 5^5 = 3125 ≡ 5 mod 13, v = 11 – 5 ≡ 6 mod 13
  • v = 6 is the plaintext
probabilistic encryption
• the encryption uses a random r together with a plaintext m
• different choices of r make different ciphertexts: the exhaustive attack is "more difficult"
[figure: in RSA one m maps to one c; in ElGamal one m maps to any of c_0, c_1, ..., c_(q–1)]
• c = (c1, c2) ... c1 is needed to cancel the effect of r at decryption: the ciphertext is "longer" in length
• "breaking ElGamal is not more difficult than solving DLP"
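An added Python example (my code, not from the slides) for the ElGamal key generation, encryption and decryption of the previous three slides, and for the "one plaintext, many ciphertexts" point of this one. It follows the slides' variant, in which the plaintext is masked additively (c2 = m + y^r mod q); textbook ElGamal multiplies instead (c2 = m · y^r mod q), but the cancellation u = c1^x = y^r works the same way in both. With the slide's numbers q = 13, g = 7, x = 5, m = 6 and r = 3 it reproduces y = 11 and c = (5, 11). Function names and the generator check are my own.

```python
import random


def is_generator(g, q):
    """True if g generates all of {1, ..., q-1} modulo the prime q
    (the slide checks this for g = 7, q = 13 by listing 7^12, 7^11, ..., 7^6)."""
    return len({pow(g, k, q) for k in range(1, q)}) == q - 1


def elgamal_keygen(q, g, x):
    """Encryption key (q, g, y) with y = g^x mod q; decryption key x."""
    if not is_generator(g, q):
        raise ValueError("g must be a generator of F_q")
    y = pow(g, x, q)
    return (q, g, y), x


def elgamal_encrypt(m, public_key, r=None):
    """Slides' additive variant: c1 = g^r mod q, c2 = m + y^r mod q.
    r is drawn at random unless the caller fixes it (used here to replay the slide)."""
    q, g, y = public_key
    if not 0 <= m < q:
        raise ValueError("plaintext must be an integer in {0, ..., q-1}")
    if r is None:
        r = random.randrange(1, q - 1)   # fresh randomness for every encryption
    c1 = pow(g, r, q)
    c2 = (m + pow(y, r, q)) % q
    return c1, c2


def elgamal_decrypt(ciphertext, x, q):
    """u = c1^x = (g^r)^x = (g^x)^r = y^r, so c2 - u gives back m."""
    c1, c2 = ciphertext
    u = pow(c1, x, q)
    return (c2 - u) % q


def ciphertext_set(m, public_key):
    """All ciphertexts of m over every admissible r: since g is a generator the c1
    values are pairwise distinct, so one plaintext has q - 2 different ciphertexts."""
    q, _, _ = public_key
    return {elgamal_encrypt(m, public_key, r) for r in range(1, q - 1)}


if __name__ == "__main__":
    pub, x = elgamal_keygen(13, 7, 5)
    print(pub)                                  # (13, 7, 11)
    print(elgamal_encrypt(6, pub, 3))           # (5, 11) as on the slide
    print(elgamal_decrypt((5, 11), x, 13))      # 6
    print(sorted(ciphertext_set(6, pub)))       # 11 different ciphertexts of m = 6
```

`ciphertext_set` is the slide's picture in code: for RSA the same m always gives the same c, whereas here m = 6 has eleven different ciphertexts under the same key, and every one of them decrypts to 6.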
public-key vs. common-key
• common-key cryptography
  • more efficient: computational cost, key length, ...
  • more variations: many algorithms, many alternatives, ...
  • key-agreement is difficult and costly
• public-key cryptography
  • "key-agreement" is replaced by the lighter "key-distribution" (public encryption keys must be delivered correctly)
hybrid use of public-key and common-key cryptography is common
• use RSA to deliver the key of AES, for example
summary of chapter 4
we studied the very basics of cryptography.
• common-key cryptography
  • DES and AES
  • key-agreement protocol
• public-key cryptography
  • algorithms and theory of RSA
  • ElGamal encryption
summary of this course
• chapter 1: measuring information
• chapter 2: compact representation of information
• chapter 3: coding for noisy communication
• chapter 4: cryptography
• Information theory turns information processing from "ad-hoc handicrafts" into a "well-defined theory".
• The study is so fundamental that ordinary people do not notice it, but professionals of information must know it.
about test
• June 4 (Mon), 9:20AM, exercise
• June 5 (Tue), 9:20AM, this room
• you can bring books, notes and copies of slides
• you can bring a calculator and/or PC
• PC must be disconnected from the network: download all needed material before the test starts
• books, notes, handouts, calculator, PC ... anything may be brought in
• the communication functions of PCs etc. may not be used; download the necessary materials in advance