80 likes | 90 Views
Learn about the concepts of discrete logs, Diffie-Hellman key exchange, and the ElGamal cryptosystem. Understand the challenges and relationships between these cryptographic methods.
E N D
DTTF/NB479: Dszquphsbqiz Day 26 • Pass in HW6 now • Can use up to 2 late days • But one incentive not to burn them all:teams will get to pick their presentation day in the order • Announcements: • HW7 posted. • Questions? • This week: • Discrete Logs, Diffie-Hellman, ElGamal • Hash Functions
Plus-delta feedback • Thanks for some great feedback! My eyes are opened.
Discrete Logs Given Find x We denote this as Why is this hard?
Diffie-Hellman Key Exchange • Publish large prime p, primitive root a • Alice’s secret exponent: x • Bob’s secret exponent: y • 0 < x,y < p-1 • Alice sends ax (mod p) to Bob • Bob sends ay (mod p) to Alice • Each know key K=axy • Eve sees p, ax , ay ; why can’t she determine axy?
Publish large prime p, primitive root a Alice’s secret exponent: x Bob’s secret exponent: y 0 < x,y < p-1 Alice sends ax (mod p) to Bob Bob sends ay (mod p) to Alice Each know key K=axy Eve sees a, p, ax , ay ; why can’t she determine axy? Computational Diffie-Hellman problem: “Given a, p, ax (mod p), ay (mod p), find axy (mod p)” Not harder than problem of finding discrete logs Is it easier? No one knows! Decision Diffie-Hellman problem: “Given a, p, ax (mod p), ay (mod p), and c != 0 (mod p). Verify that c=axy (mod p)” Diffie-Hellman Key Exchange What’s the relationship between the two? Which is harder?
ElGamal Cryptosystem • Another public-key cryptosystem like RSA. • Bob publishes (a, p, b), where 1 < m < p and b=aa • Alice chooses secret k, computes and sends to Bob the pair (r,t) where • r=ak (mod p) • t = bkm (mod p) • Bob calculates: tr-a=m (mod p) • Why does this decrypt?
Bob publishes (a, p, b), where 1 < m < p and b=aa Alice chooses secret k, computes and sends to Bob the pair (r,t) where r=ak (mod p) t = bkm (mod p) Bob finds: tr-a=m (mod p) Why does this work? Multiplying m by bk scrambles it. Eve sees a, p, b, r, t. If she only knew a or k! Knowing a allows decryption. Knowing k also allows decryption. Why? Can’t find k from r or t.Why? ElGamal Cryptosystem
Bob publishes (a, p, b), where 1 < m < p and b=aa Alice chooses secret k, computes and sends to Bob the pair (r,t) where r=ak (mod p) t = bkm (mod p) Bob finds: tr-a=m (mod p) Show that Bob’s decryption works Eve would like to know k. Show that knowing k allows decrpytion. Why? Why can’t Eve compute k from r or t? Challenge: Alice should randomize k each time. If not, and Eve gets hold of a plaintext / ciphertext (m1, r1, t1), she can decrypt other ciphertexts (m2, r2, t2). Show how. If Eve says she found m from (r,t), can we verify that she really found it, using only m,r,t, and the public key (and not k or a)? Explain. If time allows, send a friend a public key (a, p, b), have him encrypt a message as (r,t), and decrypt it. Otherwise, you can run through the cycle on your own. Name: ______________________ ElGamal Notes: