PowerPoint PresentationQuiz ResultsSlide 3Selected CommentsMore Commentsed  1 mod ???Solving for dThe Real ModTo Decrypt: M  Med mod nHashesWhy is there a hash in certificates?Cryptographic Hash FunctionsIOU Request ProtocolFinding x and ySlide 15Bob the Quadrillionaire!?Chances of SuccessIs Bob a Quadrillionaire?Birthday “Paradox”Birthday ParadoxSlide 21Generalizing BirthdaysBirthday ProbabilitiesHappy Birthday Bob!Applying BirthdaysFinding Problem Set PartnersDavid Evanshttp://www.cs.virginia.edu/~evansCS588: Security and PrivacyUniversity of VirginiaComputer ScienceLecture 11:Birthday Paradoxes1 Oct 2001 University of Virginia CS 588 2Quiz Results1. How well do you feel you understand RSA?a. Broke it yesterday 0b. Well enough to implement 2 (1 has done it)c. Almost everything in RSA paper 4 (but 2 revealed otherwise in their answers)d. Sort of 19 (6 answered all questions well) e/f. Not really, No Clue 118 got all blanks right 8 got all blanks right except ed  1 mod (p – 1)(q – 1)1 Oct 2001 University of Virginia CS 588 3Quiz ResultsLecturesway too fast: 3too fast: 23write in “little too fast” 3write in “just right” 2too slow: 2 (with comments: a little, but really think they’re fine)way too slow: 01 Oct 2001 University of Virginia CS 588 4Selected Comments“Math is too fast – and I am a math major!”“Too much math”“The proofs often lose me.”“It is difficult to follow the reasoning on the math from just slides, the math using the board made more sense.”“Explain the math more in encryption, using white board or chalkboard.”“Less focus on math/proofs, more on general concepts”{ want to have more combination of theory and daily application }“More practical examples might help”1 Oct 2001 University of Virginia CS 588 5More Comments“Doing the homework always helps me understand much better.”“I usually can’t keep up in lectures, but can understand after reviewing slides out of class.”“All quizes and tests should be anonymous.”“Wish people felt more comfortable speaking out answers even when wrong.”“You tend to progress as soon as you have verification that 1 person understands. Wait ‘till the majority of the class understands.”1 Oct 2001 University of Virginia CS 588 6ed  1 mod ???•Public encryption function:E(M) = Me mod n•Private encryption function:D(C) = Cdd mod nSecurity dependson this being secret Most common (wrong) answer: ed  1 mod n [Wrong]1 Oct 2001 University of Virginia CS 588 7Solving for ded  1 mod n e, n are known (public key) and relatively primeed = k0n + 1 for some k0ed – k0n = 1ed + nk = 1 (k = -k0)How do we find d?ed + nk = 1 = gcd (e, n)Euclidean Algorithm, see MBC 7.5 for proof and explanation.1 Oct 2001 University of Virginia CS 588 8The Real Mod•Finding d such that ed  1 mod X is easy is we know the value of X –So, security of RSA depends on X being unknown to the public•Could it be pq?•Could it be (p – 1)q?1 Oct 2001 University of Virginia CS 588 9To Decrypt: M  Med mod n a (n)  1 mod n Euler’s TheoremM mod n = M (n) M mod n = Mk (n) M mod n for any k = Mk (n)+1 mod n ed = k (n) + 1ed  1 mod  (n) (n) =  (pq) = (p – 1) (q – 1)1 Oct 2001 University of Virginia CS 588 10Hashes1 Oct 2001 University of Virginia CS 588 11Why is there a hash in certificates?Actually there isn’t!Your browser calculates the hash from the whole certificate.1 Oct 2001 University of Virginia CS 588 12Cryptographic Hash Functions1. Many-to-one: compresses2. Even distribution: P(H(x) = n) = 1/N3. Efficient: H(x) is easy to compute.4. One-way: given H(x), hard to find x5. Collision resistance:Weak collision resistance: given x, it is hard to find y  x such that H(y) = H(x).Strong collision resistance: it is hard to find any x and y  x such that H(y) = H(x).1 Oct 2001 University of Virginia CS 588 13IOU Request ProtocolAliceBob{KUA, KRA}EKRA[H(x)]JudgeyEKRA[H(x)]knows KUAknows KUABob picks x and y such that H(x) = H(y).x1 Oct 2001 University of Virginia CS 588 14Finding x and yBob generates 210 different agreeable (to Alice) xi messages:I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 | $2.00 | 2 dollars | two dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2002 | 2002 AD}.1 Oct 2001 University of Virginia CS 588 15Finding x and yBob generates 210 different agreeable (to Bob) yi messages:I, { Alice | Alice Hacker | Alice P. Hacker | Ms. A. Hacker }, { owe | agree to pay } Bob { the sum of | the amount of } { $2 quadrillion | $2000000000000000 | 2 quadrillion dollars | two quadrillion dollars } { by | before } { January 1st | 1 Jan | 1/1 | 1-1 } { 2002 | 2002 AD}.1 Oct 2001 University of Virginia CS 588 16Bob the Quadrillionaire!?•For each message xi and yi, Bob computes hxi = H(xi) and hyi = H(yi).•If hxi = hyj for some i and j, Bob sends Alice xi, gets EKRA[H(x)] back.•Bob sends the judge yj and EKRA[H(xi)].•Is this different from when Alice chooses x?1 Oct 2001 University of Virginia CS 588 17Chances of Success•Hash function generate 64-bit digest (n = 264)•Hash function is good (randomly distributed and diffuse)•Chance a randomly chosen message maps to a given hash value: 1 in n = 2-64 •By hashing m good messages, chance that a randomly chosen bad message maps to one of the m different hash values: m * 2-64•By hashing m good messages and m bad messages: m * m * 2-64(approximation)1 Oct 2001 University of Virginia CS 588 18Is Bob a Quadrillionaire?•m = 210•210 * 210 * 2-64 = 2-44 (still a pauper) •Try m = 232•232 * 232 * 2-64 = 20 = 1 (yippee!)•Flaw: some of the messages might hash to the same value, might need more than 232 to find match.1 Oct 2001 University of Virginia CS 588 19Birthday “Paradox”What is the probability that two people in this room have the same birthday?1 Oct 2001 University of Virginia CS 588 20Birthday ParadoxWays to assign k different birthdays without duplicates:N = 365 * 364 * ... * (365 – k + 1) = 365! / (365 – k)!Ways to assign k different birthdays with possible duplicates:D = 365 * 365 * ... * 365 = 365k1 Oct 2001 University of Virginia CS 588 21Birthday “Paradox”Assuming real birthdays assigned randomly: N/D = probability there are no duplicates1 - N/D = probability there is a duplicate = 1 – 365! / ((365