Foundations of Network and Computer Security
John Black
Lecture #9, Sep 22nd 2005
CSCI 6268/TLEN 5831, Fall 2005

Slide outline: Announcements; I wrote/said it wrong last time; Collisions in SHA-0; What Does this Mean?; A Provably-Secure Blockcipher-Based Compression Function; The Big (Partial) Picture; Symmetric vs. Asymmetric; Asymmetric Cryptography; But first, a little math…; Notation; Examples of Groups; Finite Groups; The Group Z_m; Another Finite Group; Multiplicative Groups; Multiplicative Groups (cont); The Group Z_m*; Examples of Z_m*; Euler's Phi Function; Evaluating the Phi Function; Examples; Lagrange's Theorem; Basic RSA Cryptosystem; Slide 25; Key Generation; Key Generation Notes; RSA Encryption; RSA Example; RSA Example (cont); RSA Proof; Security of RSA; Factoring Technology; The Number Field Sieve; NFS (cont); The Record; On the Forefront; Implementation Notes; Implementation Notes (cont); Note on Primality Testing

Announcements
• Midterm #1, next class (Tues, Sept 27th)
  – All lecture materials and readings through today
  – Full 1:15 class period
  – Same difficulty as quiz, but twice as long
• Exams are closed notes, calculators allowed
• Remember to consult the class calendar

I wrote/said it wrong last time
1. Collision resistance: given a hash function, it is hard to find two colliding inputs
3. Preimage resistance: given a hash function and given a hash output, it is hard to invert that output
2. Second-preimage resistance: given a hash function and given a first input, it is hard to find a second input that collides with the first
Harder than Collision resistance

Collisions in SHA-0
T ← A << 5 + g_t(B, C, D) + E + K_t + W_t
W_t = t-th word of M_i, for 0 ≤ t ≤ 15
W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) << 1, for 16 ≤ t ≤ 79
A ← H0^{i-1}; B ← H1^{i-1}; C ← H2^{i-1}; D ← H3^{i-1}; E ← H4^{i-1}
for t = 1 to 80 do
  E ← D; D ← C; C ← B >> 2; B ← A; A ← T
  H0^i ← H0^{i-1}; H1^i ← A + H1^{i-1}; H2^i ← C + H2^{i-1}; H3^i ← D + H3^{i-1}; H4^i ← E + H4^{i-1}
end
[Diagram labels: H0..4^{i-1}; 65; not in SHA-0; M1, M1'; Collision!]

What Does this Mean?
• Who knows
  – Methods are not yet completely understood
  – Will undoubtedly be extended to more attacks
  – But maybe everything will come tumbling down?!
• But we have OTHER ways to build hash functions

A Provably-Secure Blockcipher-Based Compression Function
[Diagram labels: E; M_i; h_{i-1}; h_i; n bits; n bits; n bits]

The Big (Partial) Picture
[Diagram]
• Primitives: Block Ciphers, Hash Functions, Hard Problems, Stream Ciphers
• First-Level Protocols: Symmetric Encryption, Digital Signatures, MAC Schemes, Asymmetric Encryption
• Second-Level Protocols: SSH, SSL/TLS, IPSec; Electronic Cash, Electronic Voting
• Annotations: (Can do proofs); (Can do proofs); (No one knows how to prove security; make assumptions)

Symmetric vs. Asymmetric
• Thus far we have been in the symmetric key model
  – We have assumed that Alice and Bob share some random secret string
  – In practice, this is a big limitation
    • Bootstrap problem
    • Forces Alice and Bob to meet in person or use some mechanism outside our protocol
    • Not practical when you want to buy books at Amazon
• We need the Asymmetric Key model!

Asymmetric Cryptography
• In this model, we no longer require an initial shared key
  – First envisioned by Diffie in the late 70's
  – Some thought it was impossible
  – MI6 purportedly already knew a method
  – Diffie-Hellman key exchange was first public system
    • Later turned into El Gamal public-key system
  – RSA system announced shortly thereafter

But first, a little math…
• A group is a nonempty set G along with an operation # : G × G → G such that for all a, b, c ∈ G
  – (a # b) # c = a # (b # c) (associativity)
  – ∃ e ∈ G such that e # a = a # e = a (identity)
  – ∃ a^-1 ∈ G such that a # a^-1 = e (inverses)
• If ∀ a, b ∈ G, a # b = b # a we say the group is "commutative" or "abelian"
  – All groups in this course will be abelian

Notation
• We'll get tired of writing the # sign and just use juxtaposition instead
  – In other words, a # b will be written ab
  – If some other symbol is conventional, we'll use it instead (examples to follow)
• We'll use power-notation in the usual way
  – a^b means aaaaa repeated b times
  – a^-b means a^-1 a^-1 a^-1 a^-1 repeated b times
  – Here a ∈ G, b ∈ Z
• Instead of e we'll use a more conventional identity name like 0 or 1
• Often we write G to mean the group (along with its operation) and the associated set of elements interchangeably

Examples of Groups
• Z (the integers) under + ?
• Q, R, C, under + ?
• N under + ?
• Q under × ?
• Z under × ?
• 2 × 2 matrices with real entries under × ?
• Invertible 2 × 2 matrices with real entries under × ?
• Note all these groups are infinite
  – Meaning there are an infinite number of elements in them
• Can we have finite groups?

Finite Groups
• Simplest example is G = {0} under +
  – Called the "trivial group"
• Almost as simple is G = {0, 1} under addition mod 2
• Let's generalize
  – Z_m is the group of integers modulo m
  – Z_m = {0, 1, …, m-1}
  – Operation is addition modulo m
  – Identity is 0
  – Inverse of any a ∈ Z_m is m-a
  – Also abelian

The Group Z_m
• An example
  – Let m = 6
  – Z_6 = {0, 1, 2, 3, 4, 5}
  – 2 + 5 = 1
  – 3 + 5 + 1 = 3 + 0 = 3
  – Inverse of 2 is 4
    • 2 + 4 = 0
• We can always pair an element with its inverse
    a    : 0 1 2 3 4 5
    a^-1 : 0 5 4 3 2 1
• Inverses are always unique
• An element can be its own inverse
  – Above, 0 and 0, 3 and 3

Another Finite Group
• Let G = {0,1}^n and operation is ⊕
  – A group?
  – What is the identity?
  – What is the inverse of a ∈ G?
• We can put some familiar concepts into group-theoretic notation:
  – Caesar cipher was just P + K = C in Z_26
  – One-time pad was just P ⊕ K = C in the group just mentioned above

Multiplicative Groups
• Is {0, 1, …, m-1} a group under multiplication mod m?
  – No, 0 has no inverse
• Ok, toss out 0; is {1, …, m-1} a group under multiplication mod m?
  – Hmm, try some examples…
    • m = 2, so G = {1} ✓
    • m = 3, so G = {1, 2} ✓
    • m = 4, so G = {1, 2, 3} oops!
    • m = 5, so G = {1, 2, 3, 4} ✓

Multiplicative Groups (cont)
• What was the problem?
  – 2, 3, 5 all prime
  – 4 is composite (meaning "not prime")
• Theorem: G = {1, 2, …, m-1} is a group under multiplication mod m iff m is prime
  Proof:
  ←: suppose m is composite, then m = ab where a, b ∈ G and a, b ≠ 1. Then ab = m = 0 and G is not closed
  →: follows from a more general theorem we
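The group definition and the finite-group slides above can be checked by brute force. The following Python sketch is an added example, not part of the original lecture; the function names (`check_group`, `additive_zm`, `multiplicative_candidate`, `xor_bitstrings`) are hypothetical. It tests closure, associativity, identity and inverses for Z_m under addition, for {0,1}^n under ⊕, and for the candidate set {1, …, m-1} under multiplication mod m.

```python
from itertools import product

def check_group(elements, op):
    """Brute-force the group axioms; return (is_group, reason, inverses)."""
    elems = list(elements)
    s = set(elems)
    # Closure: a # b must stay inside the set.
    for a, b in product(elems, repeat=2):
        if op(a, b) not in s:
            return False, f"not closed: {a} # {b} = {op(a, b)}", {}
    # Associativity: (a # b) # c == a # (b # c).
    for a, b, c in product(elems, repeat=3):
        if op(op(a, b), c) != op(a, op(b, c)):
            return False, f"not associative at ({a}, {b}, {c})", {}
    # Identity: e # a == a # e == a for every a.
    ids = [e for e in elems if all(op(e, a) == a == op(a, e) for a in elems)]
    if not ids:
        return False, "no identity", {}
    e = ids[0]
    # Inverses: every a needs some b with a # b == b # a == e.
    inverses = {}
    for a in elems:
        inv = [b for b in elems if op(a, b) == e and op(b, a) == e]
        if not inv:
            return False, f"{a} has no inverse", {}
        inverses[a] = inv[0]
    return True, f"group with identity {e}", inverses

def additive_zm(m):
    # Z_m = {0, ..., m-1} under addition mod m.
    return check_group(range(m), lambda a, b: (a + b) % m)

def multiplicative_candidate(m):
    # The slide's candidate set {1, ..., m-1} under multiplication mod m.
    return check_group(range(1, m), lambda a, b: (a * b) % m)

def xor_bitstrings(n):
    # {0,1}^n encoded as integers 0 .. 2^n - 1; the operation is bitwise XOR.
    return check_group(range(2 ** n), lambda a, b: a ^ b)

if __name__ == "__main__":
    print("Z_6 inverses:", additive_zm(6)[2])
    for m in range(2, 13):
        ok, reason, _ = multiplicative_candidate(m)
        print(f"m = {m:2d}: {'group' if ok else 'NOT a group'} ({reason})")
    print("{0,1}^3 under XOR:", xor_bitstrings(3)[:2])
```

For composite m the check stops at the first product that leaves the set, which is the closure failure used in the proof sketch on the last slide.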


CU-Boulder CSCI 6268 - Lecture #9
