Modern Cryptography Lecture 1

Fall 2016
Tolga Acar
Josh Benaloh
Cryptography is ...
 Protecting Privacy of Data
 Authentication of Identities
 Preservation of Integrity
… basically any protocols designed to operate in an

environment absent of universal trust.
October 4, 2016 Practical Aspects of Modern Cryptography 2

Characters

Characters
Alice

Characters
Bob

Basic Communication
Alice talking to Bob

Hello

Another Character
Eve

Basic Communication Problem
Eve listening to Alice talking to Bob

Hello

Two-Party Environments
Alice Bob

Remote Coin Flipping
 Alice and Bob decide to make a decision by flipping a

coin.
 Alice and Bob are not in the same place.

Ground Rule
Protocol must be asynchronous.
 We cannot assume simultaneous actions.
 Players must take turns.

Is Remote Coin Flipping Possible?

Two-part answer:

Two-part answer:
 NO – I will sketch a formal proof.

Two-part answer:
 NO – I will sketch a formal proof.
 YES – I will provide an effective protocol.

A Protocol Flow Tree
A:
B:
A:
B:

A:
B:
B B A B B A
A:
B A B B B
A B A
B:
B A B B A A B

Pruning the Tree
A A A
B B B

Pruning the Tree
A:
A
A  
B:
B
B  

A:
B:
B B A B B A
A:
B A B B B
A B A
B:
B A B B A A B

A:
B:
B B A B B A
A:
B A B B B B
A B A
B:
A A B

A:
B:
B B A B B A
A:
B A B B B B B
A B A
B:

A:
B:
B A B A B B A
A:
A B B B A B B B
B:

A:
B:
B A B A A B B A
A:
B A B B B
B:

A:
B:
B A B A A B A B A
A:
B B B
B:

A:
B:
B A B A A B A B B A
A:
B:

A:
B
B:
A A B A B B A
A:
B:

A:
B A
B:
B A B B A
A:
B:

A:
B A B
B:
B B A
A:
B:

A:
B A B B
B:
A:
B:

A
A:
B:
A:
B:


Completing the Pruning
When the pruning is complete one will end up with either

 a winner before the protocol has begun, or

 a winner before the protocol has begun, or
 a useless infinite game.

Conclusion of Part I
Remote coin flipping is

utterly impossible!!!

How to Remotely Flip a Coin

The Positive INTEGERS

1 5 913 17 21 25 29 …
2 6 10 14 18 22 26 30 …
3 7 11 15 19 23 27 31 …
4 8 12 16 20 24 28 32 …

Group 1: 1 5 9 13 17 21 25 29 …
Group 2: 2 6 10 14 18 22 26 30 …
Group 3: 3 7 11 15 19 23 27 31 …
Group 4: 4 8 12 16 20 24 28 32 …

Group 1: 1 5 9 13 17 21 25 29 …
Group 2: 2 6 10 14 18 22 26 30 …
Group 3: 3 7 11 15 19 23 27 31 …
Group 4: 4 8 12 16 20 24 28 32 …
Where do products between groups wind up?

Group 1 integers all have the form: 4𝑢 + 1, where 𝑢 ∈ ℤ.
The product of two Group 1 integers looks like
4𝑢 + 1 4𝑣 + 1 = 16𝑢𝑣 + 4𝑢 + 4𝑣 + 1
= 4 4𝑢𝑣 + 𝑢 + 𝑣 + 1
which is a Group 1 integer.

Group 3 integers all have the form: 4𝑢 − 1, where 𝑢 ∈ ℤ.
The product of two Group 3 integers looks like
4𝑢 − 1 4𝑣 − 1 = 16𝑢𝑣 − 4𝑢 − 4𝑣 + 1
= 4 4𝑢𝑣 − 𝑢 − 𝑣 + 1
which is a Group 1 integer.

Fact 1
Multiplying two odd integers of from the same group always

yields a product of Group 1.

Fact 2
There is no known method (other than factoring) to distinguish a

product of two “Group 1” integers from a product of two
“Group 3” integers.

Fact 3
Factoring large integers is believed to be much harder

than multiplying large integers.


Alice Bob

Alice Bob
 Randomly select a bit 𝑏{1,3} and
two large integers 𝑃 and 𝑄
– both from Group 𝑏.

Alice Bob
 Compute 𝑁 = 𝑃𝑄.

Alice Bob
 Send 𝑁 to Bob.

Alice Bob

Alice Bob

Alice Bob
 Randomly select a bit 𝑏{1,3} and  After receiving 𝑁 from Alice, guess
two large integers 𝑃 and 𝑄 the value of 𝑏 and send this guess to
– both from Group 𝑏. Alice.

Alice Bob

Alice Bob

Alice Bob
Bob wins if and only
if he correctly guesses
the value of 𝑏.

Alice Bob
_______________________________ Bob wins if and only
 After receiving 𝑏 from Bob,
reveal 𝑃 and 𝑄 to Bob. the value of 𝑏.

Alice Bob
P,Q

Alice Bob

Let’s Play
Group 1: 1 5 9 13 17 21 25 29 …
Group 2: 2 6 10 14 18 22 26 30 …
Group 3: 3 7 11 15 19 23 27 31 …
Group 4: 4 8 12 16 20 24 28 32 …

Alice Bob

Alice Bob
primes 𝑃 and 𝑄
two large integers the value of 𝑏 and send this guess to

Checking Primality
Basic result from number theory –
If 𝑝 is a prime, then for integers 𝑎 such that 0 < 𝑎 < 𝑝,
it is true that 𝑎𝑝−1 mod 𝑝 = 1.
[Recall that 𝑧 mod 𝑛 is the remainder when 𝑥 is divided by 𝑛.]
The same computation almost never yields 1 when 𝑝 is
composite.

How is this contradiction resolved?

 The impossibility proof assumed unlimited

computational ability.

 The impossibility proof assumed unlimited

computational ability.
 The protocol is not 50/50 – Bob has a small advantage.

Applications of Remote Flipping
 Remote Card Playing
 Internet Gambling
 Various “Fair” Agreement Protocols

Bit Commitment
We have implemented remote coin flipping via bit
commitment.
Commitment protocols can also be used for

 Sealed bidding
 Undisclosed contracts
 Interactive proofs

One-Way Functions
We have implemented bit commitment via one-way
functions.
One-way functions can be used for

 Authentication
 Data integrity
 Strong “randomness”

One-Way Functions

One-Way Functions
Two basic classes of one-way functions

One-Way Functions
 Mathematical

One-Way Functions
 Mathematical
 Multiplication: 𝑍 = 𝑋 × 𝑌

One-Way Functions
 Mathematical
 Modular Exponentiation: 𝑍 = 𝑌 𝑋 mod 𝑁

One-Way Functions
 Mathematical
 Modular Exponentiation: 𝑍 = 𝑌 𝑋 mod 𝑁
 Ugly

The Fundamental Equation
𝑋
𝑍 = 𝑌 mod 𝑁

Modular Arithmetic

Modular Arithmetic
𝑍 mod 𝑁 is the integer remainder when 𝑍 is divided by 𝑁.

Modular Arithmetic
The Division Theorem
For all integers 𝑍 and 𝑁 > 0,
there exist unique integers 𝑄 and 𝑅
such that 𝑍 = 𝑄 × 𝑁 + 𝑅 and 0  𝑅  𝑁.

Modular Arithmetic
The Division Theorem
For all integers 𝑍 and 𝑁 > 0,
there exist unique integers 𝑄 and 𝑅
such that 𝑍 = 𝑄 × 𝑁 + 𝑅 and 0  𝑅  𝑁.
By definition, this unique 𝑅 = 𝑍 mod 𝑁.

Modular Arithmetic

Modular Arithmetic
 To compute (𝐴 + 𝐵) mod 𝑁,
compute (𝐴 + 𝐵) and take the result mod 𝑁.

Modular Arithmetic
 To compute (𝐴 − 𝐵) mod 𝑁,
compute (𝐴 − 𝐵) and take the result mod 𝑁.

Modular Arithmetic
 To compute (𝐴 × 𝐵) mod 𝑁,
compute (𝐴 × 𝐵) and take the result mod 𝑁.

Modular Arithmetic
 To compute (𝐴 × 𝐵) mod 𝑁,
compute (𝐴 × 𝐵) and take the result mod 𝑁.
 To compute (𝐴 ÷ 𝐵) mod 𝑁, …

Modular Division

Modular Division
What is the value of (1 ÷ 2) mod 7?
We need a solution to 2𝑥 mod 7 = 1.

Modular Division
Try 𝑥 = 4.

Modular Division
Try 𝑥 = 4.


Modular Division
Try 𝑥 = 4.

Try 𝑥 = 8.
Modular Division

Modular Division
Is modular division always well-defined?

Modular Division
(1 ÷ 3) mod 6 = ?

Modular Division
(1 ÷ 3) mod 6 = ?
3𝑥 mod 6 = 1 has no solution!

Modular Division
(1 ÷ 3) mod 6 = ?
Fact
(𝐴 ÷ 𝐵) mod 𝑁 always has a solution when gcd(𝐵, 𝑁) = 1.

Modular Division
(1 ÷ 3) mod 6 = ?
Fact
[Note: gcd is greatest common divisor.]
Modular Division
Fact 1

Modular Division
Fact 1
Fact 2
(𝐴 ÷ 𝐵) mod 𝑁 never has a solution when
gcd(𝐴, 𝐵) = 1 and gcd(𝐵, 𝑁) ≠ 1.

Greatest Common Divisors

gcd(𝐴 , 𝐵) = gcd(𝐵 , 𝐴 – 𝐵)

since any common factor of 𝐴 and 𝐵
is also a factor of 𝐴 – 𝐵
and
since any common factor of 𝐵 and 𝐴 – 𝐵
is also a factor of 𝐴.

gcd(𝟐𝟏, 𝟏𝟐) = gcd(𝟏𝟐, 𝟗) = gcd(𝟗, 𝟑)

= gcd(𝟑, 𝟔) = gcd(𝟔, 𝟑) = gcd(𝟑, 𝟑)
= gcd(𝟑, 𝟎) = 𝟑


gcd(𝐴 , 𝐵) = gcd(𝐵 , 𝐴 – 𝑘𝐵) for any integer 𝑘.

gcd(𝐴 , 𝐵) = gcd(𝐵 , 𝐴 mod 𝐵)

gcd(𝐴 , 𝐵) = gcd(𝐵 , 𝐴 mod 𝐵)
gcd(𝟐𝟏, 𝟏𝟐) = gcd(𝟏𝟐, 𝟗) = gcd(𝟗, 𝟑)

= gcd(𝟑, 𝟎) = 𝟑

Extended Euclidean Algorithm
Given integers 𝐴 and 𝐵, find integers 𝑋 and 𝑌
such that 𝐴𝑋 + 𝐵𝑌 = gcd(𝐴, 𝐵).

When gcd(𝐴, 𝐵) = 1, solve 𝐴𝑋 mod 𝐵 = 1,

by finding 𝑋 and 𝑌 such that
𝐴𝑋 + 𝐵𝑌 = gcd(𝐴, 𝐵) = 1.

When gcd(𝐴, 𝐵) = 1, solve 𝐴𝑋 mod 𝐵 = 1,

by finding 𝑋 and 𝑌 such that
𝐴𝑋 + 𝐵𝑌 = gcd(𝐴, 𝐵) = 1.
Compute (𝐶 ÷ 𝐴) mod 𝐵 as 𝐶 × (1 ÷ 𝐴) mod 𝐵.

gcd(𝟑𝟓, 𝟖) =
gcd(𝟖, 𝟑𝟓 𝒎𝒐𝒅 𝟖) = gcd(𝟖, 𝟑) =
gcd(𝟑, 𝟖 𝒎𝒐𝒅 𝟑) = gcd(𝟑, 𝟐) =
gcd(𝟐, 𝟑 𝒎𝒐𝒅 𝟐) = gcd(𝟐, 𝟏) =
gcd(𝟏, 𝟐 𝒎𝒐𝒅 𝟏) = gcd(𝟏, 𝟎) = 𝟏

35 = 8  4 + 3

35 = 8  4 + 3
8=32+2

35 = 8  4 + 3
8=32+2
3=21+1

35 = 8  4 + 3
8=32+2
3=21+1
2=12+0
35 = 8  4 + 3 3 = 35 – 8  4
8=32+2 2=8–32
3=21+1 1=3–21
2=12+0
3 = 35 – 8  4
2=8–32
1=3–21

3 = 35 – 8  4
2=8–32
1 = 3 – 2  1 = (35 – 8  4) – (8 – 3  2)  1

3 = 35 – 8  4
2=8–32
1 = 3 – 2  1 = (35 – 8  4) – (8 – 3  2)  1 = (35 – 8  4) – (8 –
(35 – 8  4)  2)  1

3 = 35 – 8  4
2=8–32
1 = 3 – 2  1 = (35 – 8  4) – (8 – 3  2)  1 = (35 – 8  4) – (8 –
(35 – 8  4)  2)  1 = 35  3 – 8  13

Given 𝐴, 𝐵 > 0, set 𝑥1 = 1, 𝑥2 = 0, 𝑦1 = 0, 𝑦2 = 1,
𝑎1 = 𝐴, 𝑏1 = 𝐵, 𝑖 = 1.
Repeat while 𝑏𝑖 > 0: {𝑖 = 𝑖 + 1;

𝑞𝑖 = 𝑎𝑖−1 div 𝑏𝑖−1 ; 𝑏𝑖 = 𝑎𝑖−1 − 𝑞𝑖 𝑏𝑖−1 ; 𝑎𝑖 = 𝑏𝑖−1 ;
𝑥𝑖+1 = 𝑥𝑖−1 − 𝑞𝑖 𝑥𝑖 ; 𝑦𝑖+1 = 𝑦𝑖−1 − 𝑞𝑖 𝑦𝑖 }.
For all 𝑖: 𝐴𝑥𝑖 + 𝐵𝑦𝑖 = 𝑎𝑖 . Final 𝑎𝑖 = gcd(𝐴, 𝐵).

If 𝑎𝑖 = 1 , then 𝑥𝑖 = 𝐴−1 mod 𝐵 and 𝑦𝑖 = 𝐵−1 mod 𝐴.
𝑋

𝑋
When 𝑍 is unknown, it can be efficiently computed.

𝑋
When 𝑋 is unknown, the problem is known as the discrete
logarithm and is generally believed to be hard to solve.

𝑋
When 𝑌 is unknown, the problem is known as discrete
root finding and is generally believed hard to solve...

𝑋
When 𝑌 is unknown, the problem is known as discrete
root finding and is generally believed hard to solve...
… unless the factorization of 𝑁 is known.
𝑋
The problem is not well-studied for the case when 𝑁 is
unknown.

Implementation
𝑋

𝑋
How to compute 𝑌 mod 𝑁

𝑋
Compute 𝑌 𝑋 and then reduce mod 𝑁.

𝑋
 If 𝑋, 𝑌, and 𝑁 each are 2,048-bit integers,

𝑋
𝑌 consists of ~22059 bits.

𝑋
 If 𝑋, 𝑌, and 𝑁 each are 2,048-bit integers,

𝑋
𝑌 consists of ~22059 bits.
 Since there are roughly 2250 particles in the universe,

storage is a problem.
𝑋

𝑋
 Repeatedly multiplying by 𝑌 (followed each time by a
reduction modulo 𝑁) 𝑋 times solves the storage
problem.

𝑋
 Repeatedly multiplying by 𝑌 (followed each time by a
reduction modulo 𝑁) 𝑋 times solves the storage
problem.
 However, we would need to perform ~2900 64-bit
multiplications per second to complete the computation
before the sun burns out.

𝑋

𝑋
Multiplication by Repeated Doubling

𝑋
To compute 𝑋 × 𝑌,

𝑋
compute 𝑌, 2𝑌, 4𝑌, 8𝑌, 16𝑌,…

𝑋
and sum up those values dictated by the binary representation
of 𝑋.

𝑋
and sum up those values dictated by the binary representation
of 𝑋.
Example: 26𝑌 = 2𝑌 + 8𝑌 + 16𝑌.

𝑋

𝑋
Exponentiation by Repeated Squaring

𝑋
To compute 𝑌 𝑋 ,

𝑋
compute 𝑌, 𝑌 2 , 𝑌 4 , 𝑌 8 , 𝑌16 , …

𝑋
compute 𝑌, 𝑌 2 , 𝑌 4 , 𝑌 8 , 𝑌16 , …
and multiply those values dictated by the binary representation
of 𝑋.

𝑋
compute 𝑌, 𝑌 2 , 𝑌 4 , 𝑌 8 , 𝑌16 , …
and multiply those values dictated by the binary representation
of 𝑋.
Example: 𝑌 26 = 𝑌 2 × 𝑌 8 × 𝑌16 .
𝑋
We can now perform a 2,048-bit modular exponentiation
using ~3,072 2,048-bit modular multiplications.
2 4 22048
 2,048 squarings: 𝑦, 𝑦 , 𝑦 , …, 𝑦
 ~1024 “ordinary” multiplications

Large-Integer Operations
 Addition and Subtraction

 Multiplication
 Division and Remainder (mod 𝑁)
 Exponentiation

Large-Integer Addition






In general, adding two large integers – each consisting of

𝑛 small blocks – requires 𝒪(𝑛) small-integer additions.
Large-integer subtraction is similar.

Large-Integer Multiplication






In general, multiplying two large integers – each

2
consisting of 𝑛 small blocks – requires 𝒪(𝑛 ) small-
integer multiplications and 𝒪(𝑛) large-integer additions.

Large-Integer Squaring



Careful bookkeeping can save nearly half of the

small-integer multiplications (and nearly half of
the time).

𝑋
Recall computing 𝑌 mod 𝑁
 About 2/3 of the multiplications required to compute
𝑌 𝑋 are actually squarings.
 Overall, efficient squaring can save about 1/3 of the

small multiplications required for modular
exponentiation.

Karatsuba Multiplication
(𝐴𝑥 + 𝐵)(𝐶𝑥 + 𝐷) = 𝐴𝐶𝑥 2 + (𝐴𝐷 + 𝐵𝐶)𝑥 + 𝐵𝐷

Given 4 coefficients 𝐴, 𝐵, 𝐶, and 𝐷,


we need to compute 3 values:


𝐴𝐶, 𝐴𝐷 + 𝐵𝐶, and 𝐵𝐷.








4 multiplications, 1 addition














(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶
3 multiplications, 2 additions, 2 subtractions


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶


(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) – 𝐴𝐶 – 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶

 This can be done on integers as well as on polynomials,

but it’s not as nice on integers because of carries.
 The larger the integers, the larger the benefit.

(𝐴 × 2𝑘 + 𝐵)(𝐶 × 2𝑘 + 𝐷) =
𝐴𝐶 × 22𝑘 + 𝐴𝐷 + 𝐵𝐶 × 2𝑘 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷) = 𝐴𝐶 + 𝐴𝐷 + 𝐵𝐶 + 𝐵𝐷
(𝐴 + 𝐵)(𝐶 + 𝐷)– 𝐴𝐶– 𝐵𝐷 = 𝐴𝐷 + 𝐵𝐶

Chinese Remaindering
If 𝑋 = 𝐴 mod 𝑃, 𝑋 = 𝐵 mod 𝑄, and gcd(𝑃, 𝑄) = 1, then

𝑋 mod (𝑃𝑄) can be computed as
𝑋 = 𝐴𝑄(𝑄 −1 mod 𝑃) + 𝐵𝑃(𝑃−1 mod 𝑄).

If 𝑁 = 𝑃𝑄, then a computation mod 𝑁 can be accomplished by
performing the same computation mod 𝑃 and again mod 𝑄
and then using Chinese Remaindering to derive the answer to
the mod 𝑁 computation.

Since modular exponentiation of 𝑛-bit integers requires 𝒪(𝑛3 )
time, performing two modular exponentiations on half size
values requires only about one quarter of the time of a single
𝑛-bit modular exponentiation.

Modular Reduction
Generally, computing (𝐴 × 𝐵) mod 𝑁 requires much more than
twice the time to compute 𝐴 × 𝐵.

Modular Reduction
Large-integer division is …

Modular Reduction
slow

Modular Reduction
slow … cumbersome

Modular Reduction
slow … cumbersome … disgusting

Modular Reduction
slow … cumbersome … disgusting … wretched

The Montgomery Method
The Montgomery Method performs a domain transform to a
domain in which the modular reduction operation can be
achieved by multiplication and simple truncation.
Since a single modular exponentiation requires many modular
multiplications and reductions, transforming the arguments is
well justified.

Montgomery Multiplication
Let 𝐴, 𝐵, and 𝑀 be 𝑛-block integers represented in base 𝑥 with
0  𝑀  𝑥𝑛.
Let 𝑅 = 𝑥 𝑛 . gcd(𝑅, 𝑀) = 1.
The Montgomery Product of 𝐴 and 𝐵 modulo 𝑀 is the integer
𝐴𝐵𝑅−1 mod 𝑀.
Let 𝑀′ = – 𝑀−1 mod 𝑅 and 𝑆 = 𝐴𝐵𝑀′ mod 𝑅.
Fact: (𝐴𝐵 + 𝑆𝑀)/𝑅  𝐴𝐵𝑅−1 (mod 𝑀).

Using the Montgomery Product
The Montgomery Product 𝐴𝐵𝑅 −1 mod 𝑀 can be computed in
the time required for two ordinary large-integer
multiplications.
Montgomery transform: 𝐴𝐴𝑅 mod 𝑀.
The Montgomery product of (𝐴𝑅 mod 𝑀) and (𝐵𝑅 mod 𝑀) is
(𝐴𝐵𝑅 mod 𝑀).

One-Way Functions
𝑋
When 𝑋 is unknown, the problem is known as the discrete
logarithm and is generally believed to be hard to solve.

One-Way Functions
Informally, 𝐹 ∶ 𝑋 → 𝑌 is a one-way if
 Given 𝑥, 𝑦 = 𝐹(𝑥) is easily computable.
 Given 𝑦, it is difficult to find any 𝑥 for which 𝑦 = 𝐹(𝑥).

One-Way Functions
The family of functions
𝐹𝑌,𝑁 𝑋 = 𝑌 𝑋 mod 𝑁
is believed to be one-way for most 𝑁 and 𝑌.

One-Way Functions
The family of functions
𝐹𝑌,𝑁 𝑋 = 𝑌 𝑋 mod 𝑁
is believed to be one-way for most 𝑁 and 𝑌.
No one has ever proven a function to be one-way, and
doing so would, at a minimum, yield as a consequence
that 𝑃𝑁𝑃.

One-Way Functions
When viewed as a two-argument function, the (candidate) one-
way function
𝐹𝑁 (𝑌, 𝑋) = 𝑌 𝑋 mod 𝑁
also satisfies a useful additional property which has been termed
quasi-commutivity:
𝐹(𝐹(𝑌, 𝑋1 ), 𝑋2 ) = 𝐹(𝐹(𝑌, 𝑋2 ), 𝑋1 )
since 𝑌𝑋1𝑋2 = 𝑌𝑋2𝑋1 .

More on Quasi-Commutivity
Quasi-commutivity has additional applications.
 decentralized digital signatures

 membership testing
 digital time-stamping

Diffie-Hellman Key Exchange
Alice Bob

Alice Bob
 Randomly select a large  Randomly select a large
integer 𝑎 and send integer 𝑏 and send
𝐴 = 𝑌𝑎 mod 𝑁. 𝐵 = 𝑌 𝑏 mod 𝑁.

Alice Bob

Alice Bob

Alice Bob
 Compute the key  Compute the key
𝐾 = 𝐵𝑎 mod 𝑁. 𝐾 = 𝐴𝑏 mod 𝑁.

Alice Bob
 Compute the key  Compute the key
𝐾 = 𝐵𝑎 mod 𝑁. 𝐾 = 𝐴𝑏 mod 𝑁.
𝐵𝑎 = 𝑌 𝑏𝑎 = 𝑌 𝑎𝑏 = 𝐴𝑏

What does Eve see?

What does Eve see?
𝑌, 𝑌 𝑎 , 𝑌 𝑏

What does Eve see?
… but the exchanged key is 𝑌 𝑎𝑏 .

What does Eve see?
Belief: Given 𝑌, 𝑌 𝑎 , 𝑌 𝑏 it is difficult to compute 𝑌 𝑎𝑏 .

What does Eve see?
Belief: Given 𝑌, 𝑌 𝑎 , 𝑌 𝑏 it is difficult to compute 𝑌 𝑎𝑏 .
Contrast with discrete logarithm assumption: Given 𝑌, 𝑌 𝑎 it is
difficult to compute 𝑎.

Modern Cryptography Lecture 1

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Modern Cryptography Lecture 1

Caricato da

Copyright:

Formati disponibili

Fall 2016

… basically any protocols designed to operate in an

October 4, 2016 Practical Aspects of Modern Cryptography 2

October 4, 2016 Practical Aspects of Modern Cryptography 3

October 4, 2016 Practical Aspects of Modern Cryptography 4

October 4, 2016 Practical Aspects of Modern Cryptography 5

Alice talking to Bob

October 4, 2016 Practical Aspects of Modern Cryptography 6

October 4, 2016 Practical Aspects of Modern Cryptography 7

Eve listening to Alice talking to Bob

October 4, 2016 Practical Aspects of Modern Cryptography 8

October 4, 2016 Practical Aspects of Modern Cryptography 9

 Alice and Bob decide to make a decision by flipping a

 Alice and Bob are not in the same place.

October 4, 2016 Practical Aspects of Modern Cryptography 10

 We cannot assume simultaneous actions.

 Players must take turns.

October 4, 2016 Practical Aspects of Modern Cryptography 11

October 4, 2016 Practical Aspects of Modern Cryptography 12

October 4, 2016 Practical Aspects of Modern Cryptography 13

 NO – I will sketch a formal proof.

October 4, 2016 Practical Aspects of Modern Cryptography 14

 NO – I will sketch a formal proof.

 YES – I will provide an effective protocol.

October 4, 2016 Practical Aspects of Modern Cryptography 15

October 4, 2016 Practical Aspects of Modern Cryptography 16

October 4, 2016 Practical Aspects of Modern Cryptography 17

October 4, 2016 Practical Aspects of Modern Cryptography 18

October 4, 2016 Practical Aspects of Modern Cryptography 19

October 4, 2016 Practical Aspects of Modern Cryptography 20

October 4, 2016 Practical Aspects of Modern Cryptography 21

October 4, 2016 Practical Aspects of Modern Cryptography 22

October 4, 2016 Practical Aspects of Modern Cryptography 23

October 4, 2016 Practical Aspects of Modern Cryptography 24

October 4, 2016 Practical Aspects of Modern Cryptography 25

October 4, 2016 Practical Aspects of Modern Cryptography 26

October 4, 2016 Practical Aspects of Modern Cryptography 27

October 4, 2016 Practical Aspects of Modern Cryptography 28

October 4, 2016 Practical Aspects of Modern Cryptography 29

October 4, 2016 Practical Aspects of Modern Cryptography 30

October 4, 2016 Practical Aspects of Modern Cryptography 31

October 4, 2016 Practical Aspects of Modern Cryptography 32

October 4, 2016 Practical Aspects of Modern Cryptography 33

 a winner before the protocol has begun, or

October 4, 2016 Practical Aspects of Modern Cryptography 34

 a winner before the protocol has begun, or

 a useless infinite game.

October 4, 2016 Practical Aspects of Modern Cryptography 35

Remote coin flipping is

October 4, 2016 Practical Aspects of Modern Cryptography 36

October 4, 2016 Practical Aspects of Modern Cryptography 37

October 4, 2016 Practical Aspects of Modern Cryptography 38

October 4, 2016 Practical Aspects of Modern Cryptography 39

October 4, 2016 Practical Aspects of Modern Cryptography 40

Where do products between groups wind up?

October 4, 2016 Practical Aspects of Modern Cryptography 41

October 4, 2016 Practical Aspects of Modern Cryptography 42

October 4, 2016 Practical Aspects of Modern Cryptography 43

Multiplying two odd integers of from the same group always

October 4, 2016 Practical Aspects of Modern Cryptography 44

There is no known method (other than factoring) to distinguish a

October 4, 2016 Practical Aspects of Modern Cryptography 45

Factoring large integers is believed to be much harder

October 4, 2016 Practical Aspects of Modern Cryptography 46