
CS 388H Introduction to Cryptography 26-Aug-2009
Lecture 1: Class Introduction
Instructor: Brent Waters TA: Sara Krehbiel

1 Class Overview

This course reviews the foundations of cryptography and will cover topics such as formal notions of security, encryption, signatures, complexity assumptions, zero knowledge, and multi-party computation. Most of the material will be based on "Introduction to Modern Cryptography" by Katz and Lindell. "Foundations of Cryptography: Volume I" is optional and more theoretical. See the course syllabus for grading policies and the course schedule.

2 Foundations of Cryptography

1. Crypto concepts: public key crypto, zero knowledge, signatures.

2. Foundational approach: this course will emphasize precision and rigor.

For example: what does it mean if someone says they use a cryptographic hash function? Does it imply the system is secure? There are two common notions of what makes a hash function cryptographic:

(a) Hard to invert (one-wayness): given $y$, it is hard to find an $x$ such that $f(x) = y$.

(b) Hard to find collisions (collision resistance): given $f$, it is hard to find $x_1 \neq x_2$ such that $f(x_1) = f(x_2)$.

Are these different? How would you show that hardness of inversion does not imply hardness of finding collisions? By counterexample: construct a function that is hard to invert but in which collisions are easy to find. A good start is to consider a compressing function such as $f : \{0,1\}^{2n} \to \{0,1\}^n$, which necessarily has collisions (by the pigeonhole principle) even if finding them might be hard.

Now suppose some $\tilde{f} : \{0,1\}^{2n-1} \to \{0,1\}^n$ is hard to invert (under some definition of "hard to invert", which we leave unspecified here). We need no assumption about whether $\tilde{f}$ is collision resistant. For $x \in \{0,1\}^{2n}$, let $x'$ denote the last $2n-1$ bits of $x$. Define $f : \{0,1\}^{2n} \to \{0,1\}^n$ by $f(x) = \tilde{f}(x')$.
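The construction just defined, as an added Python example that is not part of the lecture notes: it instantiates $\tilde{f}$ with SHA-256 truncated to $n$ bits (an assumption of this example, standing in for any function taken to be hard to invert), builds $f(x) = \tilde{f}(x')$, produces the collision $0\|t$, $1\|t$ for any $t$ without any search, and carries out the reduction in the other direction, turning an inverter for $f$ into an inverter for $\tilde{f}$. The function names and the parameter $n$ are this example's own.

```python
import hashlib


def f_tilde(x, n):
    # Stand-in for the assumed hard-to-invert f~ : {0,1}^(2n-1) -> {0,1}^n.
    # SHA-256 truncated to its top n bits is used here purely for illustration;
    # the lecture fixes no definition of "hard to invert", and nothing about
    # collision resistance of f~ is assumed or needed.
    assert 0 <= x < (1 << (2 * n - 1))
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - n)


def f(x, n):
    # The lecture's f : {0,1}^(2n) -> {0,1}^n, f(x) = f~(x'), where x' is the
    # last 2n-1 bits of x (x with its leading bit discarded).
    assert 0 <= x < (1 << (2 * n))
    x_prime = x & ((1 << (2 * n - 1)) - 1)
    return f_tilde(x_prime, n)


def collision(t, n):
    # For any t in {0,1}^(2n-1), x0 = 0||t and x1 = 1||t share x' = t, so they
    # collide under f.  No search is needed, whatever f~ is.
    assert 0 <= t < (1 << (2 * n - 1))
    x0 = t
    x1 = (1 << (2 * n - 1)) | t
    return x0, x1


def is_collision(x0, x1, n):
    return x0 != x1 and f(x0, n) == f(x1, n)


def invert_f_tilde_using(invert_f, y, n):
    # Reduction for the other half of the argument: an inverter for f yields an
    # inverter for f~, because any x with f(x) = y satisfies f~(x') = y.
    x = invert_f(y, n)
    return x & ((1 << (2 * n - 1)) - 1)


def brute_force_invert_f(y, n):
    # Exhaustive search over {0,1}^(2n).  Feasible only for the toy n used
    # below; for parameters where f~ could plausibly be hard to invert it is
    # hopeless, which is exactly why the reduction matters.
    for x in range(1 << (2 * n)):
        if f(x, n) == y:
            return x
    raise ValueError("no preimage found")


if __name__ == "__main__":
    n = 6
    t = 0b10110_01101  # constructed sample input: any value of 2n-1 = 11 bits
    x0, x1 = collision(t, n)
    print(f"f({x0:#013b}) = {f(x0, n)}, f({x1:#013b}) = {f(x1, n)}")
    y = f_tilde(t, n)
    x_prime = invert_f_tilde_using(brute_force_invert_f, y, n)
    print(f"preimage of {y} under f~: {x_prime:#013b}, "
          f"valid: {f_tilde(x_prime, n) == y}")
```

Note that the collision finder never evaluates $\tilde{f}$ at all: the weakness is in how $f$ ignores its first input bit, not in $\tilde{f}$, which is why a one-wayness assumption on $\tilde{f}$ says nothing about collisions in $f$.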
$f$ is a counterexample to the claim that every function that is hard to invert is also hard to find collisions in, because:

• $f$ is hard to invert: any algorithm that finds a preimage $x$ of $y$ under $f$ also yields a preimage $x'$ of $y$ under $\tilde{f}$ (drop the first bit of $x$), so if $f$ were easy to invert this would contradict the assumption that $\tilde{f}$ is hard to invert, and

• it is easy to find collisions in $f$: for any $t \in \{0,1\}^{2n-1}$, $x_0 = 0 \| t$ collides with $x_1 = 1 \| t$, since both have $x' = t$.

3. Foundational underpinnings: number theory, general assumptions.

Why do we generally prove statements that are implications rather than absolutes? (E.g., "if factoring is hard, then this system exhibits some property.") Proving an absolute security statement would typically amount to proving $P \neq NP$, so security is instead proven relative to an explicitly stated assumption.

3 Perfect Secrecy: Too Good to Be True?

Let $\mathcal{C}$ be the ciphertext space, $\mathcal{K}$ the key space, and $\mathcal{M}$ the message space. A basic encryption system has three algorithms (each may be randomized):

1. $\mathrm{Gen} \to k \in \mathcal{K}$
2. $\mathrm{Enc}(m, k) \to c \in \mathcal{C}$
3. $\mathrm{Dec}(c, k) \to m \in \mathcal{M}$

What is perfect secrecy? Let $C = \mathrm{Enc}(m, k)$ for some $m \in \mathcal{M}$ and $k \in \mathcal{K}$. A system exhibits perfect secrecy if
$$\Pr[C = c \mid m = m_0] = \Pr[C = c \mid m = m_1] \quad \text{for all } m_0, m_1 \in \mathcal{M} \text{ and } c \in \mathcal{C},$$
where the probability is over the distribution on $\mathcal{K}$ specified by Gen (and over any randomness of Enc); the actual value of $k$ is unknown to the attacker. In words: the ciphertext distribution is the same no matter which message was encrypted, so the ciphertext carries no information about the message.

3.1 One-Time Pad Encryption

Let $\mathcal{M} = \mathcal{C} = \mathcal{K} = \{0,1\}^l$. The one-time pad is as follows:

1. $\mathrm{Gen} \to k$ chosen uniformly at random from $\{0,1\}^l$
2. $\mathrm{Enc}(m, k) = m \oplus k = c$
3. $\mathrm{Dec}(c, k) = c \oplus k = m$

Correctness is established by verifying that $(m \oplus k) \oplus k = m$.

Perfect secrecy is established by showing that $\Pr[C = c \mid m] = (1/2)^l$ for all $m \in \mathcal{M}$ and $c \in \mathcal{C}$: for fixed $m$ and $c$ there is exactly one key, $k = m \oplus c$, that maps $m$ to $c$, and Gen picks that key with probability $2^{-l}$. Since this probability does not depend on $m$, the definition is satisfied.

3.2 Limitations

The one-time pad is limited in that even if Adam and Brent get a chance to agree on some $k \in \mathcal{K} = \{0,1\}^l$, the message that can be sent can have length at most $l$. (And, as the name says, $k$ must be used only once: encrypting $m_0$ and $m_1$ under the same $k$ reveals $c_0 \oplus c_1 = m_0 \oplus m_1$.)

This limitation that messages cannot be longer than keys generalizes to any perfectly secret system. Suppose $|\mathcal{M}| > |\mathcal{K}|$. (Note that, for fixed-length bit strings, there are more distinct messages than distinct keys if and only if the messages are longer than the keys.)

1. Let $c$ be a ciphertext that occurs with non-zero probability.

2.
Then there exist $\tilde{m} \in \mathcal{M}$ and $\tilde{k} \in \mathcal{K}$ such that $\mathrm{Enc}(\tilde{m}, \tilde{k}) = c$ with non-zero probability.

3. If the decryption algorithm is correct, then at most $|\mathcal{K}|$ messages $m$ are such that $\mathrm{Enc}(m, k) = c$ for some $k \in \mathcal{K}$. (Each key decrypts $c$ to exactly one message, so there are not enough keys to decrypt $c$ to more than $|\mathcal{K}|$ distinct messages.)

4. Then (because $|\mathcal{M}| > |\mathcal{K}|$) there exists $m^* \in \mathcal{M}$ such that $\mathrm{Enc}(m^*, k) \neq c$ for all $k \in \mathcal{K}$.

In the definition of perfect secrecy, take $m_0 = \tilde{m}$ and $m_1 = m^*$. Then $\Pr[C = c \mid m = \tilde{m}] > 0 = \Pr[C = c \mid m = m^*]$, which violates perfect secrecy. Therefore no system in which keys are shorter than messages can be perfectly secret.

4 Handouts

Three handouts were given in class:

1. CS 388H course syllabus (2 pages)
2. Very basic number theory fact sheet, Part I (4 pages)
3. Basic number theory fact sheet, Part II (4 pages)

CS 388H Introduction to Cryptography 31-Aug-2009
Lecture 2: Introduction to Number Theory
Instructor: Brent Waters TA: Sara Krehbiel

Recall the major limitation of perfect secrecy: messages can be no longer than keys. Instead, we establish the security of more practical encryption systems under complexity assumptions, often substantiated by number theory. To do that, we want to be able to make sense of a description like "group $G$ of prime order $p$ with generator $g$".

Note: Most of the material from this lecture can be found in the "Very basic number theory fact sheet (Part I)" handout passed out at the first lecture. Sections 7.1-7.3 of Katz and Lindell are another reference.

1 Announcements

1. Professor office hours: M 12-1, ACES 3.438
2. TA office hours: W 2-3, ENS basement, desk 1; F 11-12, ENS basement, desk 4
3. Number theory review: instead of regular OH this Friday (9/4), Sara will hold a number theory review in ACES 3.116. We will cover the main points from this week's lectures and the number theory handouts, and we'll spend the bulk of the time going over points of confusion. Please come with questions.
4.
Labor Day: no class or OH next Monday (9/7).

2 Basic Number Theory Facts

• $\mathbb{Z}$ denotes the set of integers.

• Fundamental theorem of arithmetic: any integer $a > 1$ can be uniquely expressed as a product of primes, i.e. $a = \prod_i p_i^{e_i}$ with each $p_i$ a distinct prime and each $e_i$ a positive integer.

• $a \mid b$ means $a$ divides $b$ (there exists $c \in \mathbb{Z}$ such that $c \cdot a = b$).

• For any positive integers $a$ and $b$, $a$ can be uniquely written as $a = q \cdot b + r$ with $q, r \in \mathbb{Z}$ and $0 \le r < b$.

• Greatest common divisors: define $\gcd(a, b)$ to be the largest integer $d$ such that $d \mid a$ and $d \mid b$. Note that $\gcd(a, b) \ge 1$ for all $a, b \in \mathbb{Z}$ not both zero.

3 Modular Arithmetic

Let $a =_p b$ denote $a \equiv b \pmod p$, i.e. $p \mid (a - b)$. In the equations below, let $q \in \mathbb{Z}$ and $0 \le r < p$.

• $\mathbb{Z}_p = \{0, 1, \ldots, p-1\}$ for some prime $p$.

Note: small primes are used as instructive examples, but the primes typically used in cryptography are on the order of 300 decimal digits (1024 bits).

• Addition: $m + g =_p r$ for the $r$ such that $m + g = qp + r$. E.g. $5 + 6 \bmod 7 = 4$.

• Multiplication: $m \cdot g =_p r$ for the $r$ such that $m \cdot g = qp + r$. E.g. $5 \cdot 6 \bmod 7 = 2$.

• Exponentiation: $m^g =_p r$ for the $r$ such that $m^g = qp + r$. E.g. $5^6 \bmod 7 = 1$.

Why can that last value be determined without actually computing $5^6$?

4 Fermat's Little Theorem

Theorem 4.1 For all $g \neq 0$ in $\mathbb{Z}_p$ ($p$ prime), $g^{p-1} =_p 1$.

Proof. Consider the set $S = \{g, 2g, \ldots, (p-1)g\}$, with each element reduced mod $p$. Assume that $S$ contains fewer than $p-1$ distinct elements. In other words, there exist $r, s \in \mathbb{Z}_p^*$ with $r \neq s$ and $rg =_p sg$. Then $(r - s)g =_p 0$. Because $p$ is prime, $ab =_p 0$ iff $a =_p 0$ or $b =_p 0$ (this is where primality is used; modulo a composite such as 6 it fails, since $2 \cdot 3 =_6 0$). Since $g \neq 0$ by assumption, it must be that $r - s =_p 0$. But this contradicts $r \neq s$, establishing that all $p-1$ elements of $S$ are distinct.

$g \neq 0$ means each element of $S$ is in $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$, which is just $\mathbb{Z}_p \setminus \{0\}$, so $S$ is a reordering of $\mathbb{Z}_p^*$. Hence the product of the elements of $S$ equals the product of the elements of $\mathbb{Z}_p^*$:
$$\prod_{i=1}^{p-1} ig =_p \prod_{i=1}^{p-1} i,$$
$$(p-1)!\, g^{p-1} =_p (p-1)!,$$
$$g^{p-1} =_p 1,$$
where the last step cancels $(p-1)!$, which is invertible mod $p$ because none of its factors is divisible by $p$. $\square$

This theorem lets you compute exponents more quickly: $5^{12} = 5^6 \cdot 5^6 =_7 1 \cdot 1 = 1$. More generally, for $g \neq 0$ an exponent may be reduced mod $p-1$: $g^e =_p g^{e \bmod (p-1)}$.

5 Inverses, Generators, and Orders

• Definition: the inverse of $x \in \mathbb{Z}_p$ is the $a \in \mathbb{Z}_p$ such that $a \cdot x =_p 1$; it is denoted $x^{-1}$.

• Inversion algorithm: $x^{-1} =_p x^{p-2}$ by Fermat's little theorem, since $x^{p-1} = x^{p-2} \cdot x =_p 1$. The Euclidean algorithm also provides inverses and will be discussed later.

• $\mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$ is the set of invertible elements of $\mathbb{Z}_p$ (0 has no inverse).

• $\mathbb{Z}_p^*$ is a cyclic group. In general, a group $G$ is cyclic iff there exists a generator $g \in G$ such that $G = \{1, g, g^2, g^3, \ldots, g^{|G|-1}\}$.

• Not every element of $\mathbb{Z}_p^*$ is a generator. (Note that $g$ is a generator in a different sense here than in the proof of Fermat's little theorem: multiplicative vs. additive.) Observe that 3 generates $\mathbb{Z}_7^*$ because $\langle 3 \rangle = \{1, 3, 3^2 = 2, 3^3 = 6, 3^4 = 4, 3^5 = 5\}$, but 2 does not because $\langle 2 \rangle = \{1, 2, 4, 1, 2, 4, \ldots\} = \{1, 2, 4\}$: the powers of 2 cycle after three steps, so 2 has order 3 in $\mathbb{Z}_7^*$.
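The computations of this lecture, as an added Python example that is not part of the lecture notes: square-and-multiply exponentiation (the way $5^6 \bmod 7$, and $g^e$ for a 1024-bit $p$, is actually computed without forming $g^e$), a check of Theorem 4.1, inversion by $x^{p-2}$ beside inversion by the extended Euclidean algorithm (which the lecture only mentions; it is included here because it also works for composite moduli and needs no exponentiation), and the enumeration of $\langle g \rangle$ used to decide whether $g$ generates $\mathbb{Z}_p^*$. Function names are this example's own.

```python
def mod_pow(base, exp, p):
    # Square-and-multiply: base^exp mod p, reducing after every step so the
    # intermediates never exceed p^2 and the loop runs once per exponent bit.
    assert exp >= 0 and p > 1
    result, base = 1, base % p
    while exp:
        if exp & 1:
            result = result * base % p
        base = base * base % p
        exp >>= 1
    return result


def fermat_holds(g, p):
    # The statement of Theorem 4.1 for one g: g^(p-1) =_p 1.
    return mod_pow(g, p - 1, p) == 1


def inverse_fermat(x, p):
    # x^{-1} =_p x^{p-2}; valid for prime p and x not divisible by p.
    if x % p == 0:
        raise ValueError("0 has no inverse mod p")
    return mod_pow(x, p - 2, p)


def inverse_euclid(x, p):
    # Extended Euclidean algorithm: maintains old_a * x =_p old_r throughout,
    # so when the remainder reaches gcd(x, p) = 1, old_a is x^{-1} mod p.
    old_r, r = x % p, p
    old_a, a = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_a, a = a, old_a - q * a
    if old_r != 1:
        raise ValueError("x is not invertible mod p")
    return old_a % p


def generated_subgroup(g, p):
    # <g> = {1, g, g^2, ...} in Z_p^*, listed in order until the powers repeat.
    assert 1 <= g < p
    powers, cur = [], 1
    while cur not in powers:
        powers.append(cur)
        cur = cur * g % p
    return powers


def order(g, p):
    return len(generated_subgroup(g, p))


def is_generator(g, p):
    # g generates Z_p^* iff its powers reach all p-1 nonzero residues.
    return order(g, p) == p - 1


def generators(p):
    return [g for g in range(1, p) if is_generator(g, p)]


if __name__ == "__main__":
    print("5^6 mod 7 =", mod_pow(5, 6, 7), " 5^12 mod 7 =", mod_pow(5, 12, 7))
    print("3^-1 mod 7:", inverse_fermat(3, 7), inverse_euclid(3, 7))
    print("<3> in Z_7^* =", generated_subgroup(3, 7))
    print("<2> in Z_7^* =", generated_subgroup(2, 7))
    print("generators of Z_7^* =", generators(7))
    # The same exponentiation routine at a cryptographic size (a 127-bit prime):
    print("Fermat holds for 3 mod 2^127-1:", fermat_holds(3, 2**127 - 1))
```

The subgroup enumeration is fine for a 7-element group but is linear in the order of $g$, so for a 1024-bit $p$ one cannot test generators this way; that needs the factorization of $p-1$, which is one reason the lecture's "group of prime order $p$" phrasing matters later.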