CSE 794
Public-Key Cryptography and RSA
CSE 794Q: Introduction to Cryptography, Spring 2010
p1.
Public-Key Cryptography
Also known as asymmetric-key cryptography. Each user has a pair of keys: a public key and a private key. The public key is used for encryption. The key is known to the public. The private key is used for decryption. The key is only known to the owner.
p2.
[Figure: Bob and Alice exchanging a message under public-key encryption.]
p3.
Why Public-Key Cryptography?
Developed to address two main issues:
- key distribution
- digital signatures
Invented by Diffie & Hellman in 1976.
p4.
Public-Key Cryptosystem (PKC)
Each user $u$ has a pair of keys $(PK_u, SK_u)$. $PK_u$ is the public key, available in a public directory. $SK_u$ is the private key, known to $u$ only.
Key-generation algorithm: to generate keys.
Encryption algorithm $E$: to send message $M$ to user $u$, compute $C = E(PK_u, M)$.
Decryption algorithm $D$: upon receiving $C$, user $u$ computes $D(SK_u, C)$.
Requirement: $D(SK_u, E(PK_u, M)) = M$.
p5.
Public-key encryption scheme
Key generation algorithm $G$: On input $1^n$, $G(1^n)$ outputs a pair of keys $(pk, sk)$, each of length at least $n$.
Encryption algorithm $E$: On input a public key $pk$ and a plaintext $m \in \mathcal{M}_{pk}$, $E$ outputs a ciphertext $c$. We write $c \leftarrow E_{pk}(m)$. (The message space may depend on $pk$.)
Decryption algorithm $D$: On input a secret key $sk$ and a ciphertext $c$, $D$ outputs a message $m$. We write $m := D_{sk}(c)$.
Correctness requirement: $\Pr[D_{sk}(E_{pk}(m)) = m : m \in \mathcal{M}_{pk}] = 1$, except for a negligible measure of key pairs output by $G(1^n)$.
p6.
Ciphertext-Indistinguishability
Adversary: a polynomial-time eavesdropper. $(G, E, D)$: a public-key encryption scheme. Imagine an experiment:
- $G(1^n)$ is run to obtain a pair of keys $(pk, sk)$.
- The adversary is given $pk$, and outputs a pair of messages $m_0, m_1 \in \mathcal{M}_{pk}$ of the same length.
- A random bit $b \in \{0,1\}$ is chosen; a ciphertext $c \leftarrow E_{pk}(m_b)$ is computed and given to the adversary.
- The adversary determines whether $c$ is the encryption of $m_0$ or $m_1$.
p7.
Definition: A public-key encryption scheme with security parameter $n$ is ciphertext-indistinguishable against eavesdroppers if for every polynomial-time adversary $A$ there exists a negligible function $\mathrm{negl}$ such that
$\Pr[A(pk, m_0, m_1, c) = m : (pk, sk) \leftarrow G(1^n),\ \{m_0, m_1\} \leftarrow A,\ m_0, m_1 \in \mathcal{M}_{pk},\ m \leftarrow_u \{m_0, m_1\},\ c \leftarrow E_{pk}(m)] \le \frac{1}{2} + \mathrm{negl}(n)$.
p8.
Remarks
Since the adversary knows the public key $pk$, it can encrypt any polynomial number of messages of its choice. That is, eavesdroppers are capable of CPAs. Thus, if a public-key encryption scheme is secure against eavesdroppers, then it is also CPA-secure. Most public-key encryption schemes are based on one-way functions.
p9.
One-way function with trapdoor
[Figure: $f: x \mapsto y$ is easy to compute; $f^{-1}: y \mapsto x$ is hard to compute without the trapdoor and easy with it.]
Use trapdoor as the private key. Most (assumed) one-way functions come from number theory.
p10.
Modular Arithmetic
p11.
Integers
$a \mid b$: $a$ divides $b$, $a$ is a divisor of $b$. $\gcd(a, b)$: greatest common divisor of $a$ and $b$. Coprime or relatively prime: $\gcd(a, b) = 1$. Euclid's algorithm: compute $\gcd(a, b)$. Extended Euclid's algorithm: compute integers $x$ and $y$ such that $ax + by = \gcd(a, b)$.
p12.
Integers modulo n
Let $n \ge 2$ be an integer. Def: $a$ is congruent to $b$ modulo $n$, written $a \equiv b \pmod n$, if $n \mid (a - b)$, i.e., $a$ and $b$ have the same remainder when divided by $n$. Note: $a \equiv b \pmod n$ and $a = b \bmod n$ are different. Def: $[a]_n = \{\text{all integers congruent to } a \text{ modulo } n\}$. $[a]_n$ is called a residue class modulo $n$, and $a$ is a representative of that class.
p13.
There are exactly $n$ residue classes modulo $n$: $[0], [1], [2], \dots, [n-1]$. Note: "congruence mod $n$" is an equivalence relation, whose equivalence classes are the residue classes. If $x \in [a]$, $y \in [b]$, then $x + y \in [a + b]$ and $xy \in [ab]$. Define addition and multiplication for residue classes: $[a] + [b] = [a + b]$, $[a] \cdot [b] = [ab]$.
p14.
Define $\mathbb{Z}_n = \{[0], [1], \dots, [n-1]\}$. Or, more conveniently, $\mathbb{Z}_n = \{0, 1, \dots, n-1\}$.
$(\mathbb{Z}_n, +)$ forms an abelian additive group. For $a, b \in \mathbb{Z}_n$,
- $a + b = (a + b) \bmod n$. (Or, $[a] + [b] = [a + b] = [a + b \bmod n]$.)
- $0$ is the identity element.
- The inverse of $a$, denoted by $-a$, is $n - a$.
When doing addition/subtraction in $\mathbb{Z}_n$, just do the regular addition/subtraction and reduce the result modulo $n$.
- In $\mathbb{Z}_{10}$, $5 + 5 + 9 + 4 + 6 + 2 + 8 + 3 = ?$
p15.
$(\mathbb{Z}_n, \cdot)$ is not a group, because $0^{-1}$ does not exist.
Even if we exclude $0$ and consider only $\mathbb{Z}_n^{+} = \mathbb{Z}_n \setminus \{0\}$, $(\mathbb{Z}_n^{+}, \cdot)$ is not necessarily a group; some $a^{-1}$ may not exist.
For $a \in \mathbb{Z}_n$, $a^{-1}$ exists if and only if $\gcd(a, n) = 1$:
$\gcd(a, n) = 1 \Rightarrow ax + ny = 1$ for some integers $x$ and $y$ $\Rightarrow [a][x] + [n][y] = [1]$ in $\mathbb{Z}_n$ $\Rightarrow [a][x] = [1]$ in $\mathbb{Z}_n$ $\Rightarrow [a]^{-1} = [x]$ in $\mathbb{Z}_n$.
p16.
Let $\mathbb{Z}_n^* = \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.
$(\mathbb{Z}_n^*, \cdot)$ is an abelian multiplicative group.
- $a \cdot b = ab \bmod n$.
- $1$ is the identity element.
- The inverse of $a$, written $a^{-1}$, can be computed by the Extended Euclidean Algorithm.
For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$. $5 \cdot 7 = 35 \bmod 12 = 11$.
Q: How many elements are there in $\mathbb{Z}_n^*$?
p17.
Euler's totient function: $\phi(n) = |\{a : 1 \le a \le n \text{ and } \gcd(a, n) = 1\}| = |\mathbb{Z}_n^*|$.
Facts:
1. $\phi(p^e) = (p - 1)\,p^{e-1}$ for prime $p$.
2. $\phi(ab) = \phi(a)\,\phi(b)$ if $\gcd(a, b) = 1$.
p18.
Let $G$ be a (multiplicative) finite group. The order of $G$, $\mathrm{ord}(G)$, is the number of elements in $G$. The order of $a \in G$, written $\mathrm{ord}(a)$, is the smallest positive integer $t$ such that $a^t = e$ ($e$, identity element).
Lagrange's theorem: For any element $a \in G$, $\mathrm{ord}(a) \mid \mathrm{ord}(G)$.
Corollary: For any element $a \in G$, $a^{\mathrm{ord}(G)} = e$.
Fermat's little theorem: If $a \in \mathbb{Z}_p^*$ ($p$ a prime), then $a^{\phi(p)} = a^{p-1} = 1$ in $\mathbb{Z}_p^*$.
Euler's theorem: If $a \in \mathbb{Z}_n^*$ (for any $n > 1$), then $a^{\phi(n)} = 1$ in $\mathbb{Z}_n^*$.
p19.
Example: n = 15
$\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$. $|\mathbb{Z}_{15}^*| = \phi(15) = \phi(3)\,\phi(5) = 2 \cdot 4 = 8$.
Orders of the elements $a \in \mathbb{Z}_{15}^*$:

| $a$ | 1 | 2 | 4 | 7 | 8 | 11 | 13 | 14 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| $\mathrm{ord}(a)$ | 1 | 4 | 2 | 4 | 4 | 2 | 4 | 2 |

For every $a$: $a^{\phi(n)} = a^8 = 1$.
p20.
The Chinese Remainder Problem
A problem described in an ancient Chinese arithmetic book, Sun Tze Suan Ching, by Sun Tze (around 300 AD, author of The Art of War). Problem: We have a number of objects, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many objects are there?
- Mathematically, if $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$, $x \equiv 2 \pmod 7$, what is $x$?
p21.
Chinese remainder theorem
If integers $n_1, \dots, n_k$ are pairwise coprime, then the system of congruences
$x \equiv a_1 \pmod{n_1}$, $x \equiv a_2 \pmod{n_2}$, $\dots$, $x \equiv a_k \pmod{n_k}$
has a unique solution modulo $N = n_1 n_2 \cdots n_k$:
$x \equiv \sum_{i=1}^{k} a_i N_i y_i \pmod N$,
where $N_i = N / n_i$ and $y_i = N_i^{-1} \bmod n_i$ (a formula by Gauss).
p22.
Example: Chinese remainder theorem
Suppose $x \equiv 1 \pmod 3$, $x \equiv 6 \pmod 7$, $x \equiv 8 \pmod{10}$. By the Chinese remainder theorem, the solution is:
$x \equiv 1 \cdot 70 \cdot (70^{-1} \bmod 3) + 6 \cdot 30 \cdot (30^{-1} \bmod 7) + 8 \cdot 21 \cdot (21^{-1} \bmod 10)$
$\equiv 1 \cdot 70 \cdot (1^{-1} \bmod 3) + 6 \cdot 30 \cdot (2^{-1} \bmod 7) + 8 \cdot 21 \cdot (1^{-1} \bmod 10)$
$\equiv 1 \cdot 70 \cdot 1 + 6 \cdot 30 \cdot 4 + 8 \cdot 21 \cdot 1 \pmod{210}$
$\equiv 958 \pmod{210} \equiv 118 \pmod{210}$.
p23.
Another version of CRT
Let $N = n_1 n_2 \cdots n_k$ (the numbers $n_i$ are pairwise coprime). There is a one-to-one correspondence $\mathbb{Z}_N \to \mathbb{Z}_{n_1} \times \cdots \times \mathbb{Z}_{n_k}$, $a \mapsto (a_1, \dots, a_k)$, where $a \in \mathbb{Z}_N$ and $a_i = a \bmod n_i$.
The correspondence preserves products and sums: the image of $xy$ is the componentwise product of the images of $x$ and $y$, and the image of $x + y$ is their componentwise sum. For math students: it is a ring isomorphism.
p24.
Chinese remainder theorem
Let $N = n_1 n_2 \cdots n_k$, where $n_1, \dots, n_k$ are pairwise coprime. Define the mapping
$\mathbb{Z}_N \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$, $x \mapsto (x \bmod n_1,\ x \bmod n_2,\ \dots,\ x \bmod n_k)$.
Then the mapping is bijective (one-to-one and onto), the image of $xy$ is the componentwise product of the images, and the image of $x + y$ is the componentwise sum.
p25.
Computations in $\mathbb{Z}_N$ can be done by performing the corresponding computations in $\mathbb{Z}_{n_1}, \mathbb{Z}_{n_2}, \dots, \mathbb{Z}_{n_k}$, and then solving the CRP. If $a \mapsto (a_1, \dots, a_k)$ and $b \mapsto (b_1, \dots, b_k)$, then
- $ab \bmod N \mapsto (a_1 b_1 \bmod n_1, \dots, a_k b_k \bmod n_k)$
- $a + b \bmod N \mapsto (a_1 + b_1 \bmod n_1, \dots, a_k + b_k \bmod n_k)$
- $a / b \bmod N \mapsto (a_1 / b_1 \bmod n_1, \dots, a_k / b_k \bmod n_k)$, if $b \in \mathbb{Z}_N^*$
p26.
Example: Chinese remainder theorem
$\mathbb{Z}_{15} \cong \mathbb{Z}_3 \times \mathbb{Z}_5$, and $\mathbb{Z}_{15}^* \cong \mathbb{Z}_3^* \times \mathbb{Z}_5^*$.
$8 \mapsto (8 \bmod 3,\ 8 \bmod 5) = (2, 3)$; $11 \mapsto (11 \bmod 3,\ 11 \bmod 5) = (2, 1)$.
Suppose we want to compute $8 \cdot 11 \bmod 15$. $8 \cdot 11 \bmod 15 \mapsto (2 \cdot 2 \bmod 3,\ 3 \cdot 1 \bmod 5) = (1, 3)$.
Which number $x \in \mathbb{Z}_{15}$ corresponds to $(1, 3)$? Solve $x \equiv 1 \pmod 3$, $x \equiv 3 \pmod 5$: $x = 13$.
p27.
Algorithms
- $\gcd(a, b)$
- $a^{-1} \bmod n$
- $a^k \bmod n$
Running time: $O((\log n)^3)$.
p28.
Euclidean Algorithm
Comment: compute $\gcd(a, b)$, where $a > b > 1$.
$r_0 := a$; $r_1 := b$
for $i := 1, 2, \dots$ until $r_{n+1} = 0$: $r_{i+1} := r_{i-1} \bmod r_i$
return $r_n$
Running time: $O(\log a)$ iterations; $O(\log^2 a)$ time for each mod. Overall running time: $O(\log^3 a)$.
p29.
Extended Euclidean Algorithm
Given $a > b > 0$, compute $x, y$ such that $\gcd(a, b) = ax + by$. Example: $\gcd(299, 221) = ?$
$299 = 1 \cdot 221 + 78$
$221 = 2 \cdot 78 + 65$
$78 = 1 \cdot 65 + 13$
$65 = 5 \cdot 13 + 0$
$\gcd(299, 221) = 13 = 78 - 65 = 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221 = 3 \cdot (299 - 1 \cdot 221) - 221 = 3 \cdot 299 - 4 \cdot 221$.
p30.
How to compute $a^{-1} \bmod n$?
Compute $a^{-1}$ in $\mathbb{Z}_n^*$. $a^{-1}$ exists if and only if $\gcd(a, n) = 1$. Use the extended Euclidean algorithm to find $x, y$ such that $ax + ny = \gcd(a, n) = 1$ (in $\mathbb{Z}$) $\Rightarrow [a][x] + [n][y] = [1] \Rightarrow [a][x] = [1]$ (since $[n] = [0]$) $\Rightarrow [a]^{-1} = [x]$. Note: may omit $[\ ]$, but reduce everything modulo $n$.
p31.
Example
Compute $15^{-1} \bmod 47$.
$47 = 15 \cdot 3 + 2$ (divide 47 by 15; remainder = 2)
$15 = 2 \cdot 7 + 1$ (divide 15 by 2; remainder = 1)
$1 = 15 - 2 \cdot 7 \pmod{47} = 15 - (47 - 15 \cdot 3) \cdot 7 \pmod{47} = 15 \cdot 22 - 47 \cdot 7 \pmod{47} = 15 \cdot 22 \pmod{47}$
$15^{-1} \bmod 47 = 22$. That is, $15^{-1} = 22$ in $\mathbb{Z}_{47}^*$.
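Euclid's algorithm with its division trace, the extended version and the inverse computation from the last slides, as an added example (not code from the slides); it reproduces $\gcd(299, 221) = 3 \cdot 299 - 4 \cdot 221$ and $15^{-1} \bmod 47 = 22$.

```python
def euclid_trace(a, b):
    """Euclid's algorithm; returns (gcd, steps) where each step is (r_{i-1}, q_i, r_i, r_{i+1})
    recording the division r_{i-1} = q_i * r_i + r_{i+1}."""
    steps = []
    while b:
        q, r = divmod(a, b)
        steps.append((a, q, b, r))
        a, b = b, r
    return a, steps


def extended_euclid(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b).
    Invariant: the current pair (a, b) always satisfies a = A*x0 + B*y0 and b = A*x1 + B*y1
    for the original inputs A, B."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, r = divmod(a, b)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """a^{-1} mod n, which exists iff gcd(a, n) = 1: from a*x + n*y = 1 we get a*x = 1 in Z_n."""
    g, x, _ = extended_euclid(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n} (gcd = {g})")
    return x % n


if __name__ == "__main__":
    print(euclid_trace(299, 221))
    print(extended_euclid(299, 221))   # (13, 3, -4)
    print(mod_inverse(15, 47))         # 22
```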
p32.
Algorithm: Square-and-Multiply(x, c, n)
Comment: compute $x^c \bmod n$, where $c = c_k c_{k-1} \cdots c_0$ in binary.
$z \leftarrow 1$
for $i \leftarrow k$ downto $0$ do
  $z \leftarrow z^2 \bmod n$
  if $c_i = 1$ then $z \leftarrow (z \cdot x) \bmod n$
return $z$
Note: At the end of iteration $i$, $z = x^{c_k \cdots c_i}$, i.e., $z \leftarrow z^2 x^{c_i} \bmod n$.
Example: $11^{23} \bmod 187$
$23 = 10111_b$
$z \leftarrow 1$
$z \leftarrow z^2 \cdot 11 \bmod 187 = 11$ (square and multiply)
$z \leftarrow z^2 \bmod 187 = 121$ (square)
$z \leftarrow z^2 \cdot 11 \bmod 187 = 44$ (square and multiply)
$z \leftarrow z^2 \cdot 11 \bmod 187 = 165$ (square and multiply)
$z \leftarrow z^2 \cdot 11 \bmod 187 = 88$ (square and multiply)
p34.
The RSA Cryptosystem
RSA Encryption RSA Digital Signature
p35.
The RSA Cryptosystem
By Rivest, Shamir & Adleman of MIT in 1977. Best known and most widely used public-key scheme. Based on the assumed one-way property of modular powering: $f: x \mapsto x^e \bmod n$ (easy); $f^{-1}: x^e \mapsto x$ (hard).
p36.
Idea behind RSA
It works in the group $\mathbb{Z}_n^*$.
Encryption (easy): $\mathrm{RSA}: x \mapsto x^e$.
Decryption (hard): $\mathrm{RSA}^{-1}: x^e \mapsto x$.
Looking for a trapdoor: $(x^e)^d = x$. If $d$ is a number such that $ed \equiv 1 \pmod{\phi(n)}$, then $ed = k\phi(n) + 1$ for some $k$, and
$(x^e)^d = x^{ed} = x^{k\phi(n) + 1} = (x^{\phi(n)})^k \cdot x = 1 \cdot x = x$.
p37.
RSA Cryptosystem
Key generation:
(a) Choose large primes $p$ and $q$, and let $n := pq$.
(b) Choose $e$ ($1 < e < \phi(n)$) coprime to $\phi(n)$, and compute $d := e^{-1} \bmod \phi(n)$. ($ed \equiv 1 \pmod{\phi(n)}$.)
(c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.
Encryption: $E_{pk}(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$.
Decryption: $D_{sk}(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$.
p38.
Why RSA Works?
The setting of RSA is the group $(\mathbb{Z}_n^*, \cdot)$:
- In the group $(\mathbb{Z}_n^*, \cdot)$, for any $x \in \mathbb{Z}_n^*$, we have $x^{\phi(n)} = 1$.
- We have chosen $e, d$ such that $ed \equiv 1 \pmod{\phi(n)}$, i.e., $ed = k\phi(n) + 1$ for some positive integer $k$.
- For $x \in \mathbb{Z}_n^*$, $(x^e)^d = x^{ed} = x^{k\phi(n) + 1} = (x^{\phi(n)})^k \cdot x = x$.
p39.
What if $x \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?
RSA still works, but it is not secure.
$x \notin \mathbb{Z}_n^* \Rightarrow \gcd(x, n) \ne 1 \Rightarrow x = ap$ or $x = aq$ for some $a$.
Say $x = ap$. Then $x^{ed} \equiv 0 \equiv x \pmod p$, and $x^{ed} = x^{k\phi(n)+1} = x^{k(p-1)(q-1)+1} \equiv x \pmod q$. By CRT, $x^{ed} \equiv x \pmod n$, so $x^{ed} \bmod n = x$ and $D(E(x)) = x$.
p40.
RSA Example: Key Setup
Select two primes: $p = 17$, $q = 11$. Compute the modulus $n = pq = 187$. Compute $\phi(n) = (p-1)(q-1) = 160$. Select $e$ between 0 and 160 such that $\gcd(e, 160) = 1$. Say $e = 7$. Compute $d = e^{-1} \bmod \phi(n) = 7^{-1} \bmod 160 = 23$ (using the extended Euclidean algorithm). Public key: $pk = (e, n) = (7, 187)$. Secret key: $sk = (d, n) = (23, 187)$.
p41.
RSA Example: Encryption & Decryption
Suppose $m = 88$. Encryption: $c = m^e \bmod n = 88^7 \bmod 187 = 11$. Decryption: $m = c^d \bmod n = 11^{23} \bmod 187 = 88$. When computing $11^{23} \bmod 187$, we do not first compute $11^{23}$ and then reduce it modulo 187. Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.
p42.
Encryption Key e
To speed up encryption, small values are usually used for $e$. Popular choices are $3$, $17 = 2^4 + 1$, $65537 = 2^{16} + 1$. These values have only two 1's in their binary representation. There is an interesting attack on small $e$.
p43.
Decryption Key d
One may be tempted to use a small $d$ to speed up decryption. Unfortunately, that is risky. Wiener's attack: If $d < n^{1/4}/3$ and $p < q < 2p$, then the decryption exponent $d$ can be computed from $(n, e)$. CRT can be used to speed up decryption.
p44.
Speeding up Decryption by CRT
Decryption: $c^d \bmod n$. Time: $O(k^3)$, where $k = |n|$. Instead of computing $c^d \bmod n$ directly, we compute
- $c_1 := c \bmod p$, and $c_2 := c \bmod q$
- $m_1 := c_1^{\,d \bmod \phi(p)} \bmod p$, and $m_2 := c_2^{\,d \bmod \phi(q)} \bmod q$
- recover the plaintext by solving $x \equiv m_1 \pmod p$, $x \equiv m_2 \pmod q$
Time: $1/4$ of the direct computation. If $n = p_1 p_2 \cdots p_t$, it will speed up even more.
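The key setup, encryption, plain decryption and CRT decryption from the last few slides, as an added example (not code from the slides); it reproduces $(7, 187)$, $(23, 187)$, $88 \mapsto 11 \mapsto 88$, and also shows that a plaintext outside $\mathbb{Z}_n^*$ still decrypts correctly, as slide p39 argues.

```python
from math import gcd


def keygen(p, q, e):
    """RSA key generation from two primes and a public exponent e coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)            # e^{-1} mod phi(n) (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def decrypt_crt(p, q, d, c):
    """Decrypt with two half-size exponentiations and one CRT recombination:
    m_1 = c_1^(d mod phi(p)) mod p, m_2 = c_2^(d mod phi(q)) mod q, then solve
    x = m_1 (mod p), x = m_2 (mod q) as x = m_1 + p * ((m_2 - m_1) * p^{-1} mod q)."""
    c1, c2 = c % p, c % q
    m1 = pow(c1, d % (p - 1), p)
    m2 = pow(c2, d % (q - 1), q)
    h = ((m2 - m1) * pow(p, -1, q)) % q
    return m1 + p * h


if __name__ == "__main__":
    pk, sk = keygen(17, 11, 7)
    c = encrypt(pk, 88)
    print(pk, sk, c, decrypt(sk, c), decrypt_crt(17, 11, sk[1], c))
```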
p45.
Attacks on RSA
p46.
Attacks on RSA
Four categories of attacks on RSA:
- brute-force key search (infeasible given the large key space)
- mathematical attacks
- timing attacks
- chosen ciphertext attacks
p47.
Mathematical Attacks
1. Factor $n$ into $pq$. Then $\phi(n) = (p-1)(q-1)$ and $d = e^{-1} \bmod \phi(n)$ can be calculated easily.
2. Determine $\phi(n)$ directly. Equivalent to factoring $n$: knowing $\phi(n)$ will enable us to factor $n$ by solving $n = pq$, $\phi(n) = (p-1)(q-1)$.
3. Determine $d$ directly. If $d$ is known, $n$ can be factored with high probability.
p48.
Integer Factorization
A difficult problem, assumed to be infeasible. More and more efficient algorithms have been developed. In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key ($n$) of 129 digits (428 bits). Prize: $100. RSA thought it would take a quadrillion years to break the code using the best algorithms of that time. Solved in 1994. In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.
p49.
RSA Numbers
Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.) There are two labeling schemes. i by the number of decimal digits: RSA-100, ..., RSA-500, RSA-617. i by the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.
p50.
RSA Numbers which have been factored
- RSA-100 (332 bits), 1991, 7 MIPS-years, Quadratic Sieve.
- RSA-110 (365 bits), 1992, 75 MIPS-years, QS.
- RSA-120 (398 bits), 1993, 830 MIPS-years, QS.
- RSA-129 (428 bits), 1994, 5000 MIPS-years, QS.
- RSA-130 (431 bits), 1996, 1000 MIPS-years, GNFS.
- RSA-140 (465 bits), 1999, 2000 MIPS-years, GNFS.
- RSA-155 (512 bits), 1999, 8000 MIPS-years, GNFS.
- RSA-160 (530 bits), 2003, Lattice Sieve.
- RSA-576 (174 digits), 2003, Lattice Sieve.
- RSA-640 (193 digits), 2005, Lattice Sieve.
- RSA-200 (663 bits), 2005, Lattice Sieve.
p51.
RSA-200 = 27,997,833,911,221,327,870,829,467,638,722,601,621,070,446,786,955,428,537,560,009,929,326,128,400,107,609,345,671,052,955,360,856,061,822,351,910,951,365,788,637,105,954,482,006,576,775,098,580,557,613,579,098,734,950,144,178,863,178,946,295,187,237,869,221,823,983.
p52.
Remarks
In light of current factorization technologies, RSA recommends that $n$ be of 1024-2048 bits.
If a message $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$:
- RSA works, but
- since $\gcd(m, n) > 1$, the sender can factor $n$;
- since $\gcd(m^e, n) > 1$, the adversary can factor $n$, too.
Question: how likely is $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?
p53.
Miscellaneous attacks against RSA
Common modulus:
Suppose two users use the same modulus $n$, and their encryption exponents $e_1$ and $e_2$ are coprime. A message $m$ sent to them, encrypted as $c_1 = m^{e_1} \bmod n$ and $c_2 = m^{e_2} \bmod n$, is not protected by RSA: $e_1, e_2$ coprime $\Rightarrow re_1 + se_2 = 1$ for some $r, s$ $\Rightarrow m = m^{re_1 + se_2} = c_1^{\,r} c_2^{\,s} \bmod n$.
p54.
Another problem with a common modulus:
- Owners of keys $(n, e, d)$ usually do not know $n = pq$.
- But, actually, given $(n, e, d)$, one can factor $n$ with high probability of success.
- Thus, if two RSA users share the same $n$, they can figure out each other's secret key ($d$ value).
- So, do not use a common $n$.
- Also, if your secret key is compromised, do not just change the exponents $e$ and $d$. You should also change $n$.
p55.
If $d$ is known, we can factor $n$:
- $x^2 \equiv 1 \pmod n$ has four solutions: $\pm 1$, $\pm a$ for some $a \ne \pm 1$.
- If $a^2 \equiv 1 \pmod n$ and $a \ne \pm 1$ $\Rightarrow a^2 - 1 \equiv 0 \pmod n \Rightarrow n \mid (a+1)(a-1) \Rightarrow \gcd(n, a \pm 1)$ yield the factors of $n$.
- Factor $n$ by looking for a nontrivial square root of 1 mod $n$ (i.e., an $a \ne \pm 1$ such that $a^2 \equiv 1 \pmod n$).
p56.
- For all $w \in \mathbb{Z}_n^*$, $w^{ed - 1} \equiv 1 \pmod n$.
- Write $ed - 1 = r \cdot 2^s$, where $r$ is odd. (So, $w^{r 2^s} \equiv 1 \pmod n$.)
- Pick any $w \in \mathbb{Z}_n^*$. (What if $w \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$?)
- Compute $w^{r}, w^{r \cdot 2}, w^{r \cdot 2^2}, w^{r \cdot 2^3}, \dots, w^{r \cdot 2^{t-1}}, w^{r \cdot 2^{t}}, \dots, w^{r \cdot 2^s}$ until we find the first $w^{r \cdot 2^t} \equiv 1 \pmod n$ for some $t$.
- If $t \ne 0$, let $a = w^{r \cdot 2^{t-1}} \bmod n$. Then $a^2 \equiv 1 \pmod n$, and $a \ne 1$.
- If $a \ne n - 1$, then $a$ is a nontrivial square root of 1 mod $n$. Otherwise (i.e., $t = 0$ or $a = n - 1$), try another $w$.
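The procedure above, as an added example (not code from the slides), run on the toy key $(n, e, d) = (187, 7, 23)$: it is the reason a leaked $d$ (or a shared modulus) means the modulus itself must be retired. Candidate bases $w$ are tried in order $2, 3, \dots$ instead of at random so the result is reproducible.

```python
from math import gcd


def factor_from_d(n, e, d):
    """Recover the prime factors of n from an RSA key pair by finding a nontrivial
    square root of 1 mod n.  Returns (p, q) with p < q, or None if every base fails."""
    k = e * d - 1                   # w^k = 1 mod n for all units w (Euler's theorem)
    r, s = k, 0
    while r % 2 == 0:               # write k = r * 2^s with r odd
        r //= 2
        s += 1
    for w in range(2, n):
        g = gcd(w, n)
        if g != 1:                  # w itself is not a unit: gcd already reveals a factor
            return tuple(sorted((g, n // g)))
        x = pow(w, r, n)            # w^r
        if x == 1:
            continue                # t = 0: try another w
        for _ in range(s):          # square repeatedly: w^(r*2), w^(r*4), ...
            y = (x * x) % n
            if y == 1:              # x is a square root of 1 and x != 1
                if x != n - 1:      # nontrivial root: gcd(n, x - 1) is a proper factor
                    p = gcd(n, x - 1)
                    return tuple(sorted((p, n // p)))
                break               # trivial root -1: try another w
            x = y
    return None


if __name__ == "__main__":
    print(factor_from_d(187, 7, 23))     # (11, 17)
```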
p57.
Low encryption exponent attack
A message $m$ sent to $e$ users who employ the same encryption exponent $e$ is not protected by RSA. Say $e = 3$, and Bob sends a message $m$ to three recipients encrypted as: $c_1 = m^3 \bmod n_1$, $c_2 = m^3 \bmod n_2$, $c_3 = m^3 \bmod n_3$. Eve intercepts the three ciphertexts, and recovers $m$:
- $m^3 \equiv c_1 \pmod{n_1}$, $m^3 \equiv c_2 \pmod{n_2}$, $m^3 \equiv c_3 \pmod{n_3}$.
- By CRT, $m^3 \equiv c \pmod{n_1 n_2 n_3}$ for some $c < n_1 n_2 n_3$.
- Also, $m^3 < n_1 n_2 n_3$. So, $m^3 = c$, and $m = \sqrt[3]{c}$.
p58.
Wiener's low decryption exponent attack:
Recall: $pk = (n, e)$, $sk = (n, d)$, and $D_{sk}(c) = c^d \bmod n$. One may be tempted to use a small $d$ to speed up decryption. Unfortunately, that may be risky. The decryption exponent $d$ can be computed from $(n, e)$ if $3d < n^{1/4}$ and $p < q < 2p$. (Before Wiener's attack, the condition $p < q < 2p$ often held in practice.)
p59.
- Continued fraction: $q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{\ddots + \cfrac{1}{q_m}}}} = [q_1, q_2, \dots, q_m]$
- Any (positive) rational number $a/b$ can be expressed as a continued fraction, called its continued fraction expansion.
- Convergents of $[q_1, q_2, \dots, q_m]$: $[q_1], [q_1, q_2], [q_1, q_2, q_3], \dots, [q_1, q_2, \dots, q_m]$. (This sequence converges to $[q_1, q_2, \dots, q_m]$.)
p60.
- Example: $\dfrac{34}{99} = 0 + \cfrac{1}{2 + \cfrac{1}{1 + \cfrac{1}{10 + \cfrac{1}{3}}}} = [0, 2, 1, 10, 3]$
- Obtained from Euclid's algorithm: $34 = 0 \cdot 99 + 34$, $99 = 2 \cdot 34 + 31$, $34 = 1 \cdot 31 + 3$, $31 = 10 \cdot 3 + 1$, $3 = 3 \cdot 1$.
- Convergents of $[0, 2, 1, 10, 3]$: $[0], [0, 2], [0, 2, 1], [0, 2, 1, 10], [0, 2, 1, 10, 3]$.
p61.
- Theorem. If $\left| \dfrac{a}{b} - \dfrac{c}{d} \right| < \dfrac{1}{2d^2}$, where $\gcd(c, d) = 1$, then $c/d$ equals one of the convergents of the continued fraction expansion of $a/b$.
- For RSA, $ed = t\,\phi(n) + 1$ for some $t$. So, $\dfrac{e}{\phi(n)} \approx \dfrac{t}{d}$, and hence $\dfrac{e}{n} \approx \dfrac{t}{d}$.
- If $3d < n^{1/4}$ and $p < q < 2p$, then $\left| \dfrac{e}{n} - \dfrac{t}{d} \right| < \dfrac{1}{2d^2}$.
- So, $t/d$ equals one of the convergents of $e/n$. Check the convergents one by one to find the right one.
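Continued-fraction expansion, convergents, and the convergent check of the last slides as a key-validation routine, an added example (not code from the slides). Each candidate $t/d$ is accepted only if $\phi = (ed - 1)/t$ is an integer and $n - \phi + 1 = p + q$ yields integer roots of $x^2 - (p+q)x + n$; the 32-bit-free toy key $(n, e) = (11413, 7467)$ with $d = 3$ is constructed for the test.

```python
from math import isqrt


def continued_fraction(a, b):
    """Expansion [q_1, q_2, ...] of a/b, read off Euclid's algorithm."""
    qs = []
    while b:
        q, r = divmod(a, b)
        qs.append(q)
        a, b = b, r
    return qs


def convergents(a, b):
    """All convergents of a/b as (numerator, denominator) pairs, via the standard
    recurrence h_i = q_i h_{i-1} + h_{i-2}, k_i = q_i k_{i-1} + k_{i-2}."""
    h_prev, h = 0, 1        # h_{-2}, h_{-1}
    k_prev, k = 1, 0        # k_{-2}, k_{-1}
    out = []
    for q in continued_fraction(a, b):
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        out.append((h, k))
    return out


def wiener_weak_d(n, e):
    """Return the private exponent d if it is small enough to appear as the denominator
    of a convergent t/d of e/n (the condition on the slide), otherwise None."""
    for t, d in convergents(e, n):
        if t == 0 or (e * d - 1) % t != 0:
            continue
        phi = (e * d - 1) // t
        s = n - phi + 1                     # = p + q if phi is the real totient
        disc = s * s - 4 * n                # (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            return d                        # p, q = (s +/- root) / 2 are integers
    return None


if __name__ == "__main__":
    print(continued_fraction(34, 99), convergents(34, 99))
    print(wiener_weak_d(11413, 7467), wiener_weak_d(187, 7))   # 3 None
```

Run against a freshly generated key pair, a non-`None` result means the key must be discarded.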
p62.
Small message space attack:
If the message space is small, the adversary can encrypt all messages and compare them with the intercepted ciphertext. This attack is not specific to RSA.
p63.
Timing Attacks
Paul Kocher in the mid-1990s demonstrated that a snooper can determine a private key by keeping track of how long a computer takes to decipher messages. RSA decryption: $c^d \bmod n$. Countermeasures:
- Use constant decryption time
- Add a random delay to decryption time
- Blinding: modify the ciphertext $c$ to $c'$ and compute $(c')^d \bmod n$.
p64.
Blinding in Some of RSA Products
RSA encryption has a homomorphism property: $\mathrm{RSA}(m \cdot r) = \mathrm{RSA}(m) \cdot \mathrm{RSA}(r)$. To decrypt a ciphertext $c_m = \mathrm{RSA}(m)$:
- Generate a random message $r$.
- Encrypt $r$ as $c_r = \mathrm{RSA}(r)$.
- Multiply the two ciphertexts: $c = c_m \cdot c_r = \mathrm{RSA}(mr)$.
- Decrypting $c$ yields a value equal to $mr$.
- Multiplying that value by $r^{-1}$ yields $m$.
Note: all calculations are done in $\mathbb{Z}_n^*$ (i.e., modulo $n$).
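Blinded decryption as described above, as an added example (not code from the slides or an RSA product), on the toy key $(n, e, d) = (187, 7, 23)$: the secret exponent is only ever applied to $c \cdot r^e$, a value uncorrelated with the attacker's $c$, which is what defeats the timing measurement.

```python
import secrets
from math import gcd

N, E, D = 187, 7, 23            # toy key from the slides (p = 17, q = 11)


def rsa(x, n=N, e=E):
    return pow(x, e, n)


def rsa_inv(y, n=N, d=D):
    return pow(y, d, n)


def homomorphism_holds(m, r, n=N, e=E):
    """RSA(m * r) = RSA(m) * RSA(r) in Z_n."""
    return rsa((m * r) % n, n, e) == (rsa(m, n, e) * rsa(r, n, e)) % n


def blinded_decrypt(c, n=N, e=E, d=D):
    """Decrypt c without ever exponentiating c itself with the secret exponent."""
    while True:
        r = secrets.randbelow(n - 2) + 2        # random r in [2, n-1]
        if gcd(r, n) == 1:                      # r must be a unit so r^{-1} exists
            break
    c_blind = (c * rsa(r, n, e)) % n            # RSA(m) * RSA(r) = RSA(m * r)
    mr = rsa_inv(c_blind, n, d)                 # = m * r mod n
    return (mr * pow(r, -1, n)) % n             # unblind


if __name__ == "__main__":
    print(blinded_decrypt(11))                  # 88
</test>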
p65.
A chosen-ciphertext attack
Based on RSA's homomorphism property: $\mathrm{RSA}(m \cdot r) = \mathrm{RSA}(m) \cdot \mathrm{RSA}(r)$. Assume Eve has access to a decryption oracle. The attack:
- Given $c := \mathrm{RSA}(m)$, Eve wants to know $m = ?$
- She computes $\mathrm{RSA}(r)$ for an arbitrary $r \in \mathbb{Z}_n^*$.
- Now, presenting $\mathrm{RSA}(m \cdot r) = \mathrm{RSA}(m) \cdot \mathrm{RSA}(r)$ to the oracle, she obtains $m \cdot r$, from which she can compute $m = (m \cdot r) \cdot r^{-1}$.
p66.
Padded RSA
p67.
Security of RSA
We have seen many attacks on RSA. Also, RSA is deterministic and, therefore, not CPA-secure (i.e., not ciphertext-indistinguishable against CPA). We wish to make RSA secure against CPA and the aforementioned attacks. RSA primitive: the RSA we have described; also called plain RSA or textbook RSA.
p68.
Padded RSA
Encryption: $E_{pk}(m) = \mathrm{RSA}(r \,\|\, m) = (r \,\|\, m)^e \bmod n$, where $r$ is a random string. Thus, $\text{Padded-RSA}(m) = \mathrm{RSA}(r \,\|\, m)$ for some random $r$. Secure against many of the aforementioned attacks. Theorem: Padded RSA is CPA-secure if $|m| = O(\log n)$. Padded RSA is adopted in PKCS #1 v1.5.
p69.
Padded RSA as in PKCS #1 v.1.5
PKCS: Public Key Cryptography Standard. Let $(n, e, d)$ give a pair of RSA keys. Let $k$ denote the length of $n$ in bytes (e.g., $k = 216$). To encrypt a message $m$:
- pad $m$ so that $\bar{m} = 00 \,\|\, 02 \,\|\, r \,\|\, 00 \,\|\, m$ ($k$ bytes),
- where $r$ = 8 or more random bytes $\ne 00$;
- the original message $m$ must be $\le k - 11$ bytes;
- the ciphertext is $c := \mathrm{RSA}(\bar{m}) = (\bar{m})^e \bmod n$.
In 1998, Bleichenbacher published a chosen-ciphertext attack, forcing RSA to upgrade its PKCS #1.
p70.
Bleichenbacher's chosen-ciphertext attack
A message is called PKCS conforming if it has the specified format: $00 \,\|\, 02 \,\|\, \text{padding string} \,\|\, 00 \,\|\, \text{original message}$. PKCS #1 implementations usually send you (the sender) an error message if $\mathrm{RSA}^{-1}(c)$ is not PKCS conforming. It is just like having an oracle which, given $c$, answers whether or not $\mathrm{RSA}^{-1}(c)$ is PKCS conforming. Bleichenbacher's attack takes advantage of such an oracle.
p71.
Given $c = \mathrm{RSA}(m)$, Eve tries to find $m$. (Assume $m$ is PKCS conforming.) How can the oracle help?
- Recall that RSA is homomorphic: $\mathrm{RSA}(a \cdot b) = \mathrm{RSA}(a) \cdot \mathrm{RSA}(b)$ (computed in $\mathbb{Z}_n^*$).
- Given $\mathrm{RSA}(m)$, Eve can compute $\mathrm{RSA}(m \cdot s)$ for any $s \in \mathbb{Z}_n^*$.
- She can ask the oracle: is $ms \in \mathbb{Z}_n^*$ PKCS conforming? (That is, is $ms \bmod n$ PKCS conforming?)
Why is this info useful?
p72.
Recall the PKCS format ($k$ bytes): $00 \,\|\, 02 \,\|\, \text{padding string} \,\|\, 00 \,\|\, \text{original message}$.
Let $B = 00 \,\|\, 01 \,\|\, 0^{8(k-2)} = 2^{8(k-2)}$ (as a binary integer). Then $2B = 00 \,\|\, 02 \,\|\, 0^{8(k-2)}$ and $3B = 00 \,\|\, 03 \,\|\, 0^{8(k-2)}$.
If $m$ is PKCS conforming $\Rightarrow 2B < m < 3B$.
If, in addition, $ms \bmod n$ is PKCS conforming $\Rightarrow 2B < ms \bmod n < 3B \Rightarrow 2B + tn < ms < 3B + tn$ for some $t$ $\Rightarrow \dfrac{2B + tn}{s} < m < \dfrac{3B + tn}{s}$ for some $t$.
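The PKCS #1 v1.5 encoding from slide p69 and the conformance check that, when its failure is reported distinctly, becomes the oracle of slide p70; an added example, not code from the slides or from any PKCS implementation. The bound $B = 2^{8(k-2)}$ and the interval $[2B, 3B)$ are checked against the encoded block.

```python
import secrets


def pkcs1_v15_pad(msg, k):
    """EB = 00 || 02 || PS || 00 || msg, k bytes total, PS at least 8 random nonzero bytes."""
    if len(msg) > k - 11:
        raise ValueError("message too long: at most k - 11 bytes")
    ps = bytearray()
    while len(ps) < k - 3 - len(msg):
        ps.append(secrets.randbelow(255) + 1)      # 1..255, never 0x00
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def is_pkcs_conforming(eb, k):
    """The structural check a decryptor performs on RSA^-1(c).  An implementation that lets
    the sender distinguish this failure from other errors is the oracle on the slides."""
    if len(eb) != k or eb[0] != 0x00 or eb[1] != 0x02:
        return False
    sep = eb.find(b"\x00", 2)                       # first 0x00 after the 02 byte
    return sep != -1 and sep - 2 >= 8               # padding string of at least 8 bytes


def pkcs1_v15_unpad(eb, k):
    if not is_pkcs_conforming(eb, k):
        raise ValueError("decryption error")        # same message for every failure
    return eb[eb.find(b"\x00", 2) + 1:]


def conforming_bounds(k):
    """B = 2^(8(k-2)); a conforming block, read as an integer, lies in [2B, 3B)."""
    B = 1 << (8 * (k - 2))
    return 2 * B, 3 * B


def in_conforming_interval(eb, k):
    lo, hi = conforming_bounds(k)
    return lo <= int.from_bytes(eb, "big") < hi


if __name__ == "__main__":
    eb = pkcs1_v15_pad(b"hello", 32)
    print(eb.hex(), is_pkcs_conforming(eb, 32), in_conforming_interval(eb, 32))
```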
p73.
If $m$ is PKCS conforming $\Rightarrow m$ is in the blue area. If $ms \bmod n$ is also PKCS conforming $\Rightarrow ms \bmod n$ is in the blue area $\Rightarrow ms$ is in the red areas $\Rightarrow m$ is in the red lines. Thus, $m$ is in the red lines of the blue area.
[Figure: the number line from $0$ to $ns$, marked at $n, 2n, 3n, 4n$; the interval $(2B, 3B)$ is shaded blue, and the shifted copies $(2B + tn, 3B + tn)$ of it, where $ms$ may lie, are shown in red.]
p74.
Let's focus on the blue area, $(2B, 3B)$. If $m$ is PKCS conforming $\Rightarrow m$ is in the blue area. If $ms \bmod n$ is also PKCS conforming $\Rightarrow m$ is in the red areas/lines. If $ms' \bmod n$ is also PKCS conforming $\Rightarrow m$ is in the purple areas/lines. So, $m \in \text{blue} \cap \text{red} \cap \text{purple}$.
[Figure: the interval $(2B, 3B)$ with the red and purple sub-intervals that remain after the two oracle answers.]
p75.
So, starting with the fact that $m$ is PKCS conforming, Eve finds a sequence of integers $s_1, s_2, s_3, \dots$ such that $2 s_{i-1} \le s_i$ and $m s_i \bmod n$ is PKCS conforming. To find $s_i$, randomly choose an $s \ge 2 s_{i-1}$, and ask the oracle whether $ms \bmod n$ is PKCS conforming. If not, then try a different $s$. This way, Eve can repeatedly narrow down the area containing $m$, and eventually finds $m$. For $n$ having 1024 bits, it takes roughly 1 million accesses to the oracle in order to find $s_1, s_2, s_3, \dots$
p76.
CCA-Secure RSA in the Random Oracle Model
p77.
Protecting Every Bit
There are CCAs that only require the oracle to reveal partial information about the plaintext, such as:
- whether the plaintext is PKCS conforming
- whether the plaintext is even or odd
- whether the plaintext $x \in \mathbb{Z}_n^*$ is in the first half or the second half of $\mathbb{Z}_n$ (i.e., $x < n/2$ or $x \ge n/2$?)
It is desirable to protect every bit (or any partial information) of the plaintext.
p78.
OAEP: basic idea
Message padding: instead of encrypting $m$ directly, we encrypt $(m \oplus r) \,\|\, r$, where $r$ is a random bit string. As such, however, there is a 50% overhead. So, we wish to use a shorter bit string $r$. Besides, $r$ should be protected, too. This leads to a scheme called Optimal Asymmetric Encryption Padding (OAEP). It can be applied not only to RSA but to other trapdoor functions.
p79.
OAEP
Choose $k, l$ ($k \le l$) s.t. $k + l = |n|$ ($n$, RSA modulus). $G: \{0,1\}^k \to \{0,1\}^l$, a pseudorandom generator. $h: \{0,1\}^l \to \{0,1\}^k$, a hash function.
Encryption. To encrypt a block $m$ of $l$ bits:
1. choose a random bit string $r \in \{0,1\}^k$.
2. encode $m$ as $x := (m \oplus G(r)) \,\|\, (r \oplus h(m \oplus G(r)))$ (if $x \notin \mathbb{Z}_n$, the message space of RSA, return to step 1).
3. compute the ciphertext $y := E_{pk}(x)$.
Decryption: $x := D_{sk}(y) = a \,\|\, b$. $m = a \oplus G(b \oplus h(a))$.
p80.
Remarks on OAEP
OAEP is adopted in the current RSA PKCS #1 (v2.1). It is a padding or encoding scheme, not an encryption scheme. Intuitively, with OAEP, the ciphertext would not reveal any information about the plaintext if RSA is one-way and $h$ and $G$ are truly random (random oracles). A slightly more complicated version of OAEP, in which $x = ((m \,\|\, 0^k) \oplus G(r)) \,\|\, (r \oplus h((m \,\|\, 0^k) \oplus G(r)))$, has been proved CCA-secure in the random oracle model (i.e., if $G, h$ are random oracles). In practice, hash functions such as SHA-1 are used for $G$, $h$.
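The OAEP transform of slide p79 (the basic version, not the PKCS #1 variant with the $0^k$ block), as an added example that is not code from the slides or from PKCS #1; $G$ and $h$ are built from SHA-256 as an assumption, and the toy RSA key uses two Mersenne primes rather than random ones. The encoded block is kept one byte shorter than $n$ so that $x \in \mathbb{Z}_n$ always holds.

```python
import hashlib
import secrets


def G(r, l):
    """Pseudorandom generator {0,1}^k -> {0,1}^l (byte lengths), SHA-256 in counter mode (assumption)."""
    out, i = b"", 0
    while len(out) < l:
        out += hashlib.sha256(r + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:l]


def h(a, k):
    """Hash {0,1}^l -> {0,1}^k, SHA-256 truncated to k bytes (assumption)."""
    return hashlib.sha256(a).digest()[:k]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, k, r=None):
    """x = (m xor G(r)) || (r xor h(m xor G(r))), with r a random k-byte string."""
    r = secrets.token_bytes(k) if r is None else r
    a = xor(m, G(r, len(m)))
    b = xor(r, h(a, k))
    return a + b


def oaep_decode(x, k):
    """x = a || b;  r = b xor h(a);  m = a xor G(r)."""
    a, b = x[:-k], x[-k:]
    r = xor(b, h(a, k))
    return xor(a, G(r, len(a)))


# Toy RSA key (assumption): p = 2^61 - 1 and q = 2^89 - 1 are Mersenne primes; n has 150 bits.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NBYTES = (N.bit_length() - 1) // 8      # 18: any 18-byte block is < 2^144 < n, so x is in Z_n


def oaep_rsa_encrypt(m, k):
    if len(m) != NBYTES - k:
        raise ValueError(f"message must be exactly {NBYTES - k} bytes")
    while True:                                     # step 2 on the slide: retry if x is not in Z_n
        x = int.from_bytes(oaep_encode(m, k), "big")
        if x < N:
            return pow(x, E, N)


def oaep_rsa_decrypt(c, k):
    x = pow(c, D, N).to_bytes(NBYTES, "big")
    return oaep_decode(x, k)


if __name__ == "__main__":
    c = oaep_rsa_encrypt(b"0123456789", 8)
    print(c, oaep_rsa_decrypt(c, 8))
```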
p81.
The Random Oracle Model
A random oracle is a random function $f: \{0,1\}^n \to \{0,1\}^{l(n)}$. Recall: there are $2^{l(n) \cdot 2^n}$ such functions. Each random oracle is a black box that implements one of the $2^{l(n) \cdot 2^n}$ random functions, say $f_0$.
The $2^n$ values of $f_0$ are totally independent. The only way to know the value of $f_0(x)$ is to explicitly evaluate $f_0$ at $x$ (i.e., ask the oracle). There is no feasible way to implement a random oracle.
- Infeasible: use a trusted authority.
- Infeasible: use an $l(n) \cdot 2^n$-bit disk.
p82.
The Random Oracle Model
Since random oracles cannot be implemented, is it useful to prove that some scheme is secure in the random oracle model? It's controversial, but more "for" than "against."
p83.
Digital Signatures
p84.
Digital Signatures
RSA (or any trapdoor one-way function $f$) can be used for digital signatures. A digital signature is the same as a MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem.
[Figure: a MAC tag $\mathrm{MAC}_k(m)$ appended to message $m$, beside a signature $\mathrm{Sig}_{sk}(m)$ appended to message $m$.]
p85.
Digital signature:
1. Bob has a key pair $(sk, pk)$.
2. Bob sends $m \,\|\, \mathrm{Sig}_{sk}(m)$ to Alice.
3. Alice verifies the received $m \,\|\, s$ by checking if $s = \mathrm{Verify}_{pk}(m)$?
$\mathrm{Sig}_{sk}(m)$ is called a signature for $m$. Security requirement: infeasible to produce a valid pair $(m, \mathrm{Sig}_{sk}(m))$ without knowing $sk$.
p86.
[Figure: Encryption (using RSA): Alice computes $C = E_{PK_{Bob}}(M)$, Bob recovers $M = D_{SK_{Bob}}(C)$. Signing (using $\mathrm{RSA}^{-1}$): Bob computes $S = D_{SK_{Bob}}(M)$ with his secret key; Alice verifies the signature by checking $E_{PK_{Bob}}(S) = M$?]
p87.
Basic RSA Signature
Keys are generated as for RSA encryption: Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.
Signing a message $m \in \mathbb{Z}_n^*$: $\sigma = D_{sk}(m) = m^d \bmod n$. That is, $\sigma = \mathrm{RSA}^{-1}(m)$.
Verifying a signature $(m, \sigma)$: check if $m = E_{pk}(\sigma) = \sigma^e \bmod n$, or $m = \mathrm{RSA}(\sigma)$.
p88.
Correctness: As in RSA encryption, $E(D(m)) = m$ for all $m \in \mathbb{Z}_n$. A signed message $(m, \sigma)$ produced by Bob using his $sk$ will be verified and accepted.
Remarks:
- Basic RSA signature is the reverse of basic RSA encryption.
- Secure RSA signature is not the reverse of secure RSA encryption.
p89.
Existentially forgeable:
1. Every message $m$ is a valid signature of its ciphertext $c$, since $\mathrm{RSA}^{-1}(c) = m$.
2. If Bob signed $m_1$ and $m_2$, then the signature for $m_1 m_2$ can be easily forged: $\sigma(m_1 m_2) = \sigma(m_1) \cdot \sigma(m_2)$.
Remedy: hash then sign (HTS): $\sigma = D_{sk}(h(m))$, using some collision-resistant hash function $h$.
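Both existential forgeries against the basic RSA signature, and the hash-then-sign remedy that blocks them, as an added example (not code from the slides). The key reuses two Mersenne primes and $h$ reduces SHA-256 into $\mathbb{Z}_n$ (both assumptions); $h$ is not a full-domain hash, which is exactly the gap slide p99 raises.

```python
import hashlib

# Toy RSA key (assumption): p = 2^61 - 1 and q = 2^89 - 1 are Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NBYTES = (N.bit_length() + 7) // 8


def sign_basic(m):
    """sigma = RSA^-1(m) = m^d mod n."""
    return pow(m, D, N)


def verify_basic(m, sigma):
    """Accept iff RSA(sigma) = sigma^e mod n equals m."""
    return pow(sigma, E, N) == m % N


def h(m):
    """Toy hash {0,1}* -> Z_n: SHA-256 of the message reduced mod n (assumption)."""
    digest = hashlib.sha256(m.to_bytes(NBYTES, "big")).digest()
    return int.from_bytes(digest, "big") % N


def sign_hts(m):
    """Hash-then-sign: sigma = RSA^-1(h(m))."""
    return pow(h(m), D, N)


def verify_hts(m, sigma):
    return pow(sigma, E, N) == h(m)


def forge_from_signature_value(sigma):
    """Forgery 1: pick any sigma; it is a valid signature on m = RSA(sigma)."""
    return pow(sigma, E, N), sigma


def forge_product(m1, s1, m2, s2):
    """Forgery 2: from signatures on m1 and m2, build one on m1 * m2 mod n."""
    return (m1 * m2) % N, (s1 * s2) % N


if __name__ == "__main__":
    s1, s2 = sign_basic(1000), sign_basic(2000)
    m, s = forge_product(1000, s1, 2000, s2)
    print(verify_basic(m, s))                      # True: basic RSA is forgeable
    m, s = forge_product(1000, sign_hts(1000), 2000, sign_hts(2000))
    print(verify_hts(m, s))                        # False: hashing breaks the multiplicativity
```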
p90.
Question: Does hash-then-sign make the RSA signature secure against all chosen-message attacks? Answer: Yes, if $h$ is a full-domain random oracle, i.e.,
- $h$ is a random oracle mapping $\{0,1\}^* \to \mathbb{Z}_n$
- ($\mathbb{Z}_n$ is the full domain of RSA)
p91.
Chosen-message attacks on the basic RSA signature and on hash-then-sign
[Figure: in the basic scheme the forger obtains $\mathrm{RSA}^{-1}(m_1), \dots, \mathrm{RSA}^{-1}(m_k)$ for chosen $m_1, \dots, m_k$ and outputs a forgery $\mathrm{RSA}^{-1}(m)$ on a new $m$; with hash-then-sign the forger obtains $\mathrm{RSA}^{-1}(h(m_1)), \dots, \mathrm{RSA}^{-1}(h(m_k))$ and must produce $\mathrm{RSA}^{-1}(h(m))$.]
p92.
Theorem: Full-domain hash RSA signature is secure against any chosen-message attack under the random oracle model.
We will show that computing $\mathrm{RSA}^{-1}$ reduces to a chosen-message attack. Thus, assume a polynomial-time probabilistic chosen-message forger $F$ with non-negligible success probability. We will design a polynomial-time algorithm $A$ that computes $\mathrm{RSA}^{-1}(y)$ for $y \in \mathbb{Z}_n^*$ with non-negligible success probability, by calling $F$. This contradicts the RSA one-way assumption.
p93.
$F$, the forger, having access to a random oracle $h$ and a hash-then-sign oracle $\mathrm{Sig}$, works as follows. $F$ requests $h(m_i)$ and/or $\mathrm{Sig}(m_i)$ for various messages $m_i$ and then produces a forgery $(m, \sigma)$:
[Figure: $F$ queries $h(m_1), \dots, h(m_k)$ and $\mathrm{Sig}(m_i) = \mathrm{RSA}^{-1}(h(m_i))$ for some of them, then outputs $(m, \sigma)$ with $\sigma = \mathrm{RSA}^{-1}(h(m))$.]
p94.
If $F$ is able to produce a valid signature for $m$, it must be one of the two cases:
- $m \in M = \{m_1, m_2, \dots, m_k\}$
- a pure fluke (if $m \notin M$)
Why? Are we able to say the same if $h$ is not a random oracle?
p95.
Algorithm $A(N, e, y)$ // compute $\mathrm{RSA}^{-1}(y)$ by calling $F$ //
0. Let $k$ be the max number of queries $F$ may make to the random oracle; $k$ is bounded by the running time of $F$.
1. Randomly choose $k$ signatures $\sigma_1, \sigma_2, \dots, \sigma_k \in \mathbb{Z}_N^*$; compute $h_i = \mathrm{RSA}(\sigma_i) = \sigma_i^{\,e} \bmod N$, $1 \le i \le k$; randomly replace one of them, say $h_t$, by $y$.
2. Run algorithm $F$ (which adaptively prepares up to $k$ messages $m_1, m_2, \dots, m_k$; requests $h(m_1), h(m_2), \dots, h(m_k)$; requests $\mathrm{Sig}(m)$ polynomially many times).
3. Whenever $F$ asks for $h(m_i)$, give it $h_i$. Thus, for $F$, $h(m_i) = y$ if $i = t$, and $h(m_i) = h_i$ otherwise.
p96.
Algorithm $A$ (to compute $\mathrm{RSA}^{-1}(y)$):
[Figure: $A$ answers the hash queries with $h_1 = \mathrm{RSA}(\sigma_1), \dots, h_k = \mathrm{RSA}(\sigma_k)$, except that $h(m_t) = y$; a forgery on $m_t$ is then $\mathrm{RSA}^{-1}(y)$.]
p97.
4. Whenever $F$ asks for $\mathrm{Sig}(m)$:
- if $m = m_i$, $i \ne t$, give it $\sigma_i$;
- if $m = m_t$, return("failure");
- if $m \ne m_i$ for all $1 \le i \le k$, give it a random value in $\mathbb{Z}_N^*$. // $F$ didn't ask for $h(m)$ but now asks for $\mathrm{Sig}(m)$ //
5. If $F$ returns a valid forgery $(m, \sigma)$ with $m = m_t$, then return($\sigma$) // $\sigma = \mathrm{RSA}^{-1}(h(m_t)) = \mathrm{RSA}^{-1}(y)$ // else return("failure").
p98.
Analysis:
- Let $M = \{m_1, \dots, m_{k(n)}\}$, the queries to the random oracle $h$.
- $A$ successfully computes $\mathrm{RSA}^{-1}(y)$ if and only if $F$ forges a valid $(m, \sigma)$ and $m = m_t$.
- $\Pr[F \text{ forges a valid } (m, \sigma) \text{ with } m = m_t] = \Pr[F \text{ forges a valid } (m, \sigma) \text{ with } m \in M] \cdot \Pr[m = m_t \mid m \in M] = \text{non-negligible}(n) \cdot \dfrac{1}{k(n)} = \text{non-negligible}(n)$, where $n = |N|$.
p99.
Problem with full-domain hash: In practice, $h$ is not full-domain. For instance, the range of SHA-1 is $\{0,1\}^{160}$, while $\mathbb{Z}_n = \{0, 1, \dots, 2^n - 1\}$, with $n \approx 1024$. Desired: a secure signature scheme that does not require a full-domain hash.
p100.
Probabilistic signature scheme
Hash function $h: \{0,1\}^* \to \{0,1\}^l \subset \mathbb{Z}_N$ (not full domain). $l < n = |N|$. (E.g., SHA-1, $l = 160$; RSA, $n = 1024$.)
Idea:
- pad: $m \mapsto m \,\|\, r$, with $r \in \{0,1\}^k$
- hash: $w = h(m \,\|\, r) \in \{0,1\}^l$
- expand: $y = w \,\|\, \big( (r \,\|\, 0^{n-1-l-k}) \oplus G(w) \big) \in \{0,1\}^{n-1} \subset \mathbb{Z}_N$
- sign: $\sigma = \mathrm{RSA}^{-1}(y)$
where $r \in \{0,1\}^k$ and $G: \{0,1\}^l \to \{0,1\}^{n-1-l}$ is a pseudorandom generator.
p101.
Signing a message $m \in \{0,1\}^*$:
1. choose a random $r \in \{0,1\}^k$; compute $w = h(m \,\|\, r)$;
2. compute $y = w \,\|\, (r \oplus G_1(w)) \,\|\, G_2(w)$;
3. the signature is $\sigma = \mathrm{RSA}^{-1}(y)$.
Verifying a signature $(m, \sigma)$: compute $\mathrm{RSA}(\sigma) = w \,\|\, t \,\|\, u$; check if $u = G_2(w)$ and $w = h(m \,\|\, (t \oplus G_1(w)))$. // $G = G_1 \,\|\, G_2$ //
p102.
Remarks: PSS is secure against chosen-message attacks in the random oracle model (i.e., if $h$ and $G$ are random oracles). PSS is adopted in PKCS #1 v2.1. Hash functions such as SHA-1 are used for $h$ and $G$. For instance, let $n = 1024$ and $l = k = 160$; let $h = $ SHA-1 and $(G_1, G_2)(w) = G(w) = h(w \,\|\, 0) \,\|\, h(w \,\|\, 1) \,\|\, h(w \,\|\, 2) \,\|\, \cdots$
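The signing and verification steps of the last two slides, as an added example (not code from the slides or from PKCS #1): $y = w \,\|\, (r \oplus G_1(w)) \,\|\, G_2(w)$ is assembled as an integer of $n - 1$ bits so that $y \in \mathbb{Z}_N$, $G$ is expanded as $h(w\|0) \,\|\, h(w\|1) \,\|\, \cdots$ as on the slide, and $h$ is truncated SHA-256 with $l = k = 32$ bits over a toy 150-bit key (all assumptions; the slides use SHA-1 with $l = k = 160$ and $n = 1024$).

```python
import hashlib
import secrets

# Toy RSA key (assumption): p = 2^61 - 1 and q = 2^89 - 1 are Mersenne primes; n has 150 bits.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
NBITS = N.bit_length()                 # n = |N| = 150
L, K = 32, 32                          # |h output| and |r| in bits (toy sizes)
REST = NBITS - 1 - L - K               # |G_2(w)|: y = w || (r xor G_1(w)) || G_2(w) has n-1 bits
KBYTES = (K + 7) // 8


def h(data):
    """h: {0,1}* -> {0,1}^L, SHA-256 truncated to its top L bits (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - L)


def G(w):
    """G(w) = h(w||0) || h(w||1) || ... cut to K + REST bits, returned as (G_1(w), G_2(w))."""
    wb = w.to_bytes((L + 7) // 8, "big")
    out, bits, i = 0, 0, 0
    while bits < K + REST:
        out = (out << L) | h(wb + bytes([i]))
        bits += L
        i += 1
    out >>= bits - (K + REST)
    return out >> REST, out & ((1 << REST) - 1)


def pss_sign(m, r=None):
    """1. random r, w = h(m||r); 2. y = w || (r xor G_1(w)) || G_2(w); 3. sigma = RSA^-1(y)."""
    r = secrets.randbits(K) if r is None else r
    w = h(m + r.to_bytes(KBYTES, "big"))
    g1, g2 = G(w)
    y = (w << (K + REST)) | ((r ^ g1) << REST) | g2
    return pow(y, D, N)


def pss_verify(m, sigma):
    """RSA(sigma) = w || t || u; accept iff u = G_2(w) and w = h(m || (t xor G_1(w)))."""
    y = pow(sigma, E, N)
    if y >> (NBITS - 1):
        return False                   # y must have only n-1 bits
    w = y >> (K + REST)
    t = (y >> REST) & ((1 << K) - 1)
    u = y & ((1 << REST) - 1)
    g1, g2 = G(w)
    r = t ^ g1
    return u == g2 and w == h(m + r.to_bytes(KBYTES, "big"))


if __name__ == "__main__":
    sigma = pss_sign(b"hello")
    print(pss_verify(b"hello", sigma), pss_verify(b"hellO", sigma))   # True False
```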
p103.
Generating large primes
To set up an RSA cryptosystem, we need two large primes p and q.
p104.
How many prime numbers are there?
Infinitely many. First proved by Euclid: Assume only a finite number of primes $p_1, p_2, \dots, p_n$. Let $M = p_1 p_2 \cdots p_n + 1$. $M$ is not a prime, because $M \ne p_i$, $1 \le i \le n$. So, $M$ is composite and has a prime factor $p_i$ for some $i$ $\Rightarrow p_i \mid M \Rightarrow p_i \mid 1$, contradiction.
p105.
Distribution of Prime Numbers
The Prime Number Theorem: Let $\pi(x)$ denote the number of primes $\le x$. Then $\pi(x) \approx \dfrac{x}{\ln x}$ for large $x$.
Dirichlet's Theorem: For $b \in \mathbb{Z}_n^*$, let $\pi_{n,b}(x)$ denote the number of primes $y$ such that $y \le x$ and $y \equiv b \pmod n$. Then $\pi_{n,b}(x) \approx \dfrac{1}{\phi(n)} \cdot \dfrac{x}{\ln x}$ for large $x$.
p106.
How to generate a large prime number ?
Generate a random odd number n of desired size. Test if n is prime. If not, discard it and try a different number. Q: How many numbers are expected to be tested before a prime is found?
p107.
Primality test: Is $n$ a prime?
Can it be solved in polynomial time? A long-standing open problem until 2002.
AKS (Agrawal, Kayal, Saxena): $O((\log n)^{12+\varepsilon})$. Later improved by others to $O((\log n)^{10.5})$, and then to $O((\log n)^{6+\varepsilon})$.
In practice, Miller-Rabin's probabilistic algorithm is still the most popular: much faster, $O((\log n)^3)$.
p108.
Miller-Rabin primality test: Is $n$ a prime?
Looking for a characteristic property of prime numbers: $n$ is prime $\iff$ what?
- $n$ is prime $\implies$ $\forall a \in Z_n^*$, $P(a)$ = true.
- $n$ is prime $\impliedby$ $\forall a \in Z_n^*$, $P(a)$ = true.
- $n$ not prime $\implies$ $P(a)$ = false for many (at least $k$) elements $a \in Z_n^*$.
Given a number $n$, check $P(a)$ for $t$ elements $a \in Z_n^*$. If $P(a)$ is true for all of them, return "prime"; else return "composite". A "prime" answer may be incorrect with probability $p(k, t)$, depending on $k$ and $t$.
p109.
Looking for $P(a)$: How about $P(a) = [\,a^{n-1} \equiv 1 \pmod n\,]$?
- Fermat's little theorem: If $n$ is prime, then $\forall a \in Z_n^*$, $a^{n-1} \equiv 1 \pmod n$.
- The converse is not true. There are composite numbers $n$, called Carmichael numbers, for which $a^{n-1} \equiv 1 \pmod n$ for all $a \in Z_n^*$. The smallest is $561 = 3 \cdot 11 \cdot 17$.
- Need to refine the condition $a^{n-1} \equiv 1 \pmod n$.
p110.
Fact: if $n > 2$ is prime, then 1 has exactly two square roots in $Z_n^*$, namely $\pm 1$.
Write $n - 1 = u \cdot 2^k$, where $u$ is odd. If $n$ is prime, then $\forall a \in Z_n^*$, $a^{u 2^k} = a^{n-1} \equiv 1 \pmod n$ (Fermat's little theorem).
Define, for $a \in Z_n^*$:
$P(a)$ = true $\iff$ $a^u \equiv 1 \pmod n$, or $a^{u 2^i} \equiv -1 \pmod n$ for some $i$, $0 \le i \le k-1$.
Why? Consider the sequence $a^u, a^{u 2}, a^{u 2^2}, \ldots, a^{u 2^{k-1}}, a^{u 2^k} = 1$. Each term is the square of the one before it, and the last term is 1. If $n$ is prime, the first term equal to 1 is either $a^u$ itself, or it is preceded by a square root of 1 other than 1, which by the Fact must be $-1$. So for prime $n$, $P(a)$ = true for every $a \in Z_n^*$.
p111.
If $P(a)$ = false for some $a \in Z_n^*$, then $n$ is composite. Such an $a$ is called a strong witness that $n$ is composite.
Loosely speaking, if $n$ is composite, at least one half of the elements in $Z_n^*$ are strong witnesses.
As mentioned earlier, given a number $n$, randomly pick $a \in Z_n^*$ and check $P(a)$. If $a$ is a strong witness, return "composite"; else return "prime". A "prime" answer may be incorrect with probability at most $1/2$.
p112.
A composite number $n$ is a prime power if $n = p^e$ for some prime $p$ and integer $e \ge 2$. (A perfect power if $n = k^e$ for some integer $k$ and $e \ge 2$.)
Theorem: If $n$ is an odd composite and not a prime power, then at least one half of the elements $a \in Z_n^*$ are strong witnesses.
Idea of proof: The set $A$ of non-strong witnesses (strong liars) is contained in a proper subgroup $H$ of $Z_n^*$. So $\mathrm{ord}(H) < \mathrm{ord}(Z_n^*)$ and, by Lagrange's theorem, $\mathrm{ord}(H) \mid \mathrm{ord}(Z_n^*)$. Hence $|A| \le \mathrm{ord}(H) \le \tfrac{1}{2}\,\mathrm{ord}(Z_n^*)$.
p113.
Algorithm: Miller-Rabin primality test
Input: integer $n > 2$ and parameter $t$. Output: a decision as to whether $n$ is prime or composite.
1. if $n$ is even, return "composite"
2. if $n$ is a perfect power, return "composite"
3. for $i := 1$ to $t$ do
     choose a random integer $a$, $2 \le a \le n-1$
     if $\gcd(a, n) \ne 1$, return "composite"
     if $a$ is a strong witness, return "composite"
4. return "prime"
p114.
Analysis: Miller-Rabin primality test
If the algorithm answers "composite", it is always correct. If the algorithm answers "prime", it may or may not be correct. The algorithm gives a wrong answer if $n$ is composite but the algorithm fails to find a strong witness in $t$ iterations. This may happen with probability at most $2^{-t}$. Actually, at most $4^{-t}$, by a more sophisticated analysis.
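An added Python example (not the lecture's code) covering the algorithm and analysis above together with the earlier prime-generation question. `miller_rabin` follows the four steps of the slide, including the even, perfect-power and gcd checks; `fermat_liar_fraction` and `strong_witness_fraction` run the exhaustive experiment on the Carmichael number $561 = 3 \cdot 11 \cdot 17$ (every unit is a Fermat liar, yet at least half of $Z_{561}^*$ are strong witnesses); `generate_prime` counts how many odd candidates were tried so the count can be compared with the Prime Number Theorem estimate $\ln(2^b)/2$ in `expected_trials`. Function names, the bit sizes and the seed are this example's own choices.

```python
import math
import random


def is_perfect_power(n: int) -> bool:
    """True if n = k^e for integers k >= 2, e >= 2 (step 2 of the algorithm).
    Uses an exact integer e-th root by binary search, so it is safe for big n."""
    for e in range(2, n.bit_length() + 1):
        lo, hi = 1, 1 << (n.bit_length() // e + 1)   # hi ** e > n
        while lo < hi:
            mid = (lo + hi) // 2
            if mid ** e < n:
                lo = mid + 1
            else:
                hi = mid
        if lo ** e == n:
            return True
    return False


def is_strong_witness(a: int, n: int) -> bool:
    """P(a) = false, i.e. a proves the odd number n composite. Requires 1 <= a <= n-1.
    Writes n-1 = u*2^k and walks the sequence a^u, a^(2u), ..., a^(2^(k-1) u) mod n."""
    u, k = n - 1, 0
    while u % 2 == 0:
        u //= 2
        k += 1
    x = pow(a, u, n)
    if x in (1, n - 1):              # a^u = +1 or -1: P(a) = true
        return False
    for _ in range(k - 1):
        x = pow(x, 2, n)
        if x == n - 1:               # some a^(u 2^i) = -1: P(a) = true
            return False
    return True                      # never saw -1 before 1 (or never reached 1)


def miller_rabin(n: int, t: int, rng=random) -> str:
    """The slide's algorithm: 'composite' is always right, 'prime' errs w.p. <= 4^-t."""
    if n in (2, 3):
        return "prime"
    if n < 2 or n % 2 == 0:                              # step 1
        return "composite"
    if is_perfect_power(n):                              # step 2
        return "composite"
    for _ in range(t):                                   # step 3
        a = rng.randrange(2, n)                          # 2 <= a <= n-1
        if math.gcd(a, n) != 1 or is_strong_witness(a, n):
            return "composite"
    return "prime"                                       # step 4


def fermat_liar_fraction(n: int) -> float:
    """Share of a in Z_n^* with a^(n-1) = 1 mod n; equals 1.0 for Carmichael numbers."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    return sum(pow(a, n - 1, n) == 1 for a in units) / len(units)


def strong_witness_fraction(n: int) -> float:
    """Share of a in Z_n^* that are strong witnesses; the theorem promises >= 1/2
    for every odd composite that is not a prime power."""
    units = [a for a in range(1, n) if math.gcd(a, n) == 1]
    return sum(is_strong_witness(a, n) for a in units) / len(units)


def generate_prime(bits: int, t: int = 40, rng=random):
    """Random odd candidate of exactly `bits` bits, retried until Miller-Rabin accepts.
    Returns (prime, number of candidates tested)."""
    tested = 0
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        tested += 1
        if miller_rabin(cand, t, rng) == "prime":
            return cand, tested


def expected_trials(bits: int) -> float:
    """Prime Number Theorem estimate: primes near 2^bits have density about
    1/ln(2^bits); only odd candidates are tried, so about bits*ln(2)/2 tests."""
    return bits * math.log(2) / 2


if __name__ == "__main__":
    rng = random.Random(2010)          # fixed seed: a constructed, reproducible run
    print(miller_rabin(561, 20, rng), fermat_liar_fraction(561), strong_witness_fraction(561))
    p, tested = generate_prime(512, 40, rng)
    print(p.bit_length(), tested, round(expected_trials(512)))
```

The perfect-power check uses integer arithmetic on purpose: a floating-point root test gives wrong answers once $n$ exceeds $2^{53}$, which is exactly the size range where the test matters.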
p115.
Monte Carlo algorithms
A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer, but the answer may sometimes be incorrect. A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability. A $t$-iteration Miller-Rabin is a composite-biased Monte Carlo algorithm with error probability at most $4^{-t}$.
p116.
Las Vegas algorithms
A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer, but never gives an incorrect one. A Las Vegas algorithm can be converted into a Monte Carlo algorithm: run it for a bounded number of steps and, if it has not produced an answer by then, output a default (possibly wrong) answer.
p117.
RSA Assumption
RSA family: $\mathrm{RSA} := \{\mathrm{RSA}_{n,e} : Z_n^* \to Z_n^*,\ x \mapsto x^e\}_{(n,e) \in I}$, where
$I := \{(n, e) \mid n = pq,\ p \ne q \text{ primes},\ 0 < e < \varphi(n),\ \gcd(e, \varphi(n)) = 1\}$.
RSA assumption: Let $I_k := \{(n, e) \in I \mid n = pq,\ |p| = |q| = k\}$, with $k \in \mathbb{N}$. For any probabilistic polynomial-time algorithm $A(n, e, y)$, there is a negligible function $\mathrm{negl}(k)$ such that
$\Pr\big[\,A(n, e, y) = \mathrm{RSA}_{n,e}^{-1}(y) \;:\; (n, e) \leftarrow_u I_k,\ y \leftarrow_u Z_n^*\,\big] \le \mathrm{negl}(k)$.
p118.
Formal Definition of One-Way Functions
Let $I = (I_k)_{k \in \mathbb{N}}$ be a key (index) set with security parameter $k$. Let $f = \{f_i : D_i \to R_i\}_{i \in I}$ be a family of functions between finite sets $D_i$ and $R_i$. Let $K$ be a probabilistic polynomial-time sampling algorithm for $I$, which on input $1^k$ outputs $i \in I_k$. Let $X$ be a probabilistic polynomial-time sampling algorithm for $D = (D_i)_{i \in I}$ that on input $i$ outputs $x \in D_i$. (We may allow $K$ and $X$ to fail or make errors with negligible probability.)
p119.
$f$ is a family of one-way functions (or, for short, a one-way function) with key generator $K$ and domain sampling algorithm $X$ if and only if
- $f$ can be computed by a polynomial-time algorithm $F(i, x)$;
- $f$ is not invertible by any polynomial-time algorithm. That is, for every probabilistic polynomial-time algorithm $A(i, y)$, there is a negligible function $\mathrm{negl}(k)$ such that
  $\Pr\big[\,A(i, y) \in f_i^{-1}(y) \;:\; i \leftarrow K(1^k),\ x \leftarrow X(i),\ y := f_i(x)\,\big] \le \mathrm{negl}(k)$.
p120.