DTTF/NB479: Dszquphsbqiz Day 25. HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams mostly formed. One team of 2 or two teams of 3? Questions? Review of mid-term feedback This week: Discrete Logs, Diffie -Hellman, ElGamal Hash Functions. - PowerPoint PPT Presentation
HW6 due tomorrow HW6 due tomorrow Teams T will get to pick their Teams T will get to pick their presentation day in the order presentation day in the order Teams mostly formed. One team of 2 or two Teams mostly formed. One team of 2 or two teams of 3? teams of 3? Questions? Questions? Review of mid-term feedback Review of mid-term feedback This week: This week: Discrete Logs, Discrete Logs, Diffie-Hellman, ElGamal Diffie-Hellman, ElGamal Hash Functions Hash Functions DTTF/NB479: Dszquphsbqiz DTTF/NB479: Dszquphsbqiz Day Day 25 25 ) ( p ft lateDaysLe avg T p
Transcript
HW6 due tomorrowHW6 due tomorrow Teams T will get to pick their Teams T will get to pick their
presentation day in the orderpresentation day in the order Teams mostly formed. One team of 2 or two teams of 3?Teams mostly formed. One team of 2 or two teams of 3?
Questions? Questions? Review of mid-term feedbackReview of mid-term feedback
DTTF/NB479: DszquphsbqizDTTF/NB479: Dszquphsbqiz Day 25Day 25
)( pftlateDaysLeavgTp
Discrete LogsDiscrete Logs
)(Lx
Find x
We denote this as
Why is this hard?
Given )(mod px
Some things we won’t cover in Some things we won’t cover in class about Discrete Logsclass about Discrete Logs
7.2.2 Baby step, Giant Step (worth reading)7.2.2 Baby step, Giant Step (worth reading)7.2.3 Index Calculus: like sieve method of 7.2.3 Index Calculus: like sieve method of factoring primesfactoring primes The equation on p. 207 might help with some of The equation on p. 207 might help with some of
homework 7.homework 7.
Discrete logs mod 4 and bit commitmentDiscrete logs mod 4 and bit commitment
)1(mod)(
)(mod
ppLak
pp
ii
ai
k i
Diffie-Hellman is an alternative to RSA for key Diffie-Hellman is an alternative to RSA for key exchange, but is based on discrete logsexchange, but is based on discrete logs
Publish large prime p, and a primitive root Publish large prime p, and a primitive root
Alice’s secret exponent: xAlice’s secret exponent: x
Alice sends Alice sends xx (mod p) to Bob (mod p) to Bob
Bob sends Bob sends yy (mod p) to Alice (mod p) to Alice
Each know key K=Each know key K=xyxy
Eve sees p, Eve sees p, xx , , yy … …why can’t she determine why can’t she determine xyxy??
Diffie-Hellman Key Exchange involves three Diffie-Hellman Key Exchange involves three computational problemscomputational problems
Publish large prime p, Publish large prime p, primitive root primitive root Alice’s secret exponent: xAlice’s secret exponent: xBob’s secret exponent: yBob’s secret exponent: y
0 < x,y < p-10 < x,y < p-1Alice sends Alice sends xx (mod p) to Bob (mod p) to BobBob sends Bob sends yy (mod p) to Alice (mod p) to AliceEach know key K=Each know key K=xyxy
Eve sees Eve sees , p, , p, xx , , yy ; why ; why can’t she determine can’t she determine xyxy??
Discrete logs: Discrete logs: ““Given Given xx = = (mod p), find x(mod p), find x
Computational Diffie-Hellman Computational Diffie-Hellman problem:problem:““Given Given , p, , p, xx (mod p), (mod p), yy (mod p), (mod p),
find find xyxy (mod p)” (mod p)”
Decision Diffie-Hellman problem:Decision Diffie-Hellman problem:““Given Given , p, , p, xx (mod p), (mod p), yy (mod p), (mod p),
and c ≠ 0 (mod p). and c ≠ 0 (mod p). Verify that c=Verify that c=xyxy (mod p)” (mod p)”
What’s the relationship between the three? Which is hardest?What’s the relationship between the three? Which is hardest?
The ElGamal Cryptosystem is an entire public-key The ElGamal Cryptosystem is an entire public-key cryptosystem like RSA, but based on discrete logscryptosystem like RSA, but based on discrete logs
p large so secure and > m = messagep large so secure and > m = message
1
Bob chooses prime p, primitive root Bob chooses prime p, primitive root , integer a, integer aBob computes Bob computes ≡ ≡ a a (mod p)(mod p)Bob publishes (Bob publishes (, p, , p, ) and holds ) and holds aa secret secret Alice chooses secret k, computes and sends to Bob the pair (r,t) whereAlice chooses secret k, computes and sends to Bob the pair (r,t) where
r ≡ r ≡ kk (mod p) (mod p) t ≡ t ≡ kkm (mod p)m (mod p)
Bob calculates: trBob calculates: tr-a-a ≡ m (mod p) ≡ m (mod p)
computes and sends to computes and sends to Bob the pair (r,t) whereBob the pair (r,t) where
r ≡ r ≡ kk (mod p) (mod p) t ≡ t ≡ kkm (mod p)m (mod p)
Bob finds: Bob finds: trtr-a-a ≡ m (mod p) ≡ m (mod p)
1.1. Show that Bob’s decryption works Show that Bob’s decryption works √√
2.2. Eve would like to know k. Show that knowing k Eve would like to know k. Show that knowing k allows decryption. Why? allows decryption. Why? √√
3.3. Why can’t Eve compute k from r or t? Why can’t Eve compute k from r or t? √√
4.4. Challenge: Alice should randomize k each time. If Challenge: Alice should randomize k each time. If not, and Eve gets hold of a plaintext / ciphertext (mnot, and Eve gets hold of a plaintext / ciphertext (m11, , rr11, t, t11), she can decrypt other ciphertexts (m), she can decrypt other ciphertexts (m22, r, r22, t, t22). ). Show how.Show how.
5.5. If Eve says she found m from (r,t), can we verify that If Eve says she found m from (r,t), can we verify that she really found it, using only m,r,t, and the public she really found it, using only m,r,t, and the public key (and not k or a)? Explain.key (and not k or a)? Explain.
6.6. (For HW: Create a public key ((For HW: Create a public key (, p, , p, ), encrypt a ), encrypt a message as (r,t), and decrypt it using the private message as (r,t), and decrypt it using the private key. You may do this with a friend as we did for key. You may do this with a friend as we did for RSA, or do it on your own.)RSA, or do it on your own.)
