This preview shows pages 1–11. Sign up to view the full content.
p1.
Public
‐
Key Cryptography and RSA
794Q: Introduction to Cryptography
Spring 2010
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document p2.
PublicKey Cryptography
•
Also known as
asymmetrickey
cryptography.
•
Each user has a pair of keys: a public key and a private key.
•
The public key is used for encryption.
–
The key is known to the public.
•
The private key is used for decryption.
–
The key is only known to the owner.
p3.
Bob
Alice
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document p4.
Why PublicKey Cryptography?
•
Developed to address two main issues:
–
key distribution
–
digital signatures
•
Invented by Diffie & Hellman in 1976.
p5.
PublicKey Cryptosystem (PKC)
•
Each user u has a pair of keys (PK
u
, SK
u
).
–
PK
u
is the public key, available in a public directory.
–
SK
u
the private key, known to u only.
•
Keygeneration algorithm:
to generate keys.
•
Encryption algorithm E
: to send message M to user u,
compute C = E(PK
u
, M).
•
Decryption algorithm D
: Upon receiving C, user u computes
D(SK
u
, C).
•
Requirement:
D(SK
u
,E(PK
u
, M)) = M.
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document p6.
()
Key generation algorithm
:
On input 1 ,
(1 ) outputs
a pair of keys,
,
, each of length at least
.
Encryption algorit
hm
: On input a public key
and a pla
Publickey encryption scheme
nn
GG
pk sk
n
Ep
k
•
•
intext
,
outputs a ciphertext
.
We write
( ).
(The message space may depend on
.)
Decryption algorithm
: On input a secret key
and a ciphertext
,
outputs a message
pk
k
mM
E
c
c
E
m
pk
Ds
k
cD
←
•
∈
.
We write
:
( ).
Correctness requirement:
Pr
( )
:
1
except for a negligible measure of
key pairs output by
(
1)
.
k
sk
pk
pk
n
mm
D
c
DEm
m
m
M
G
=
⎡⎤
=←
=
⎣
•
⎦
p7.
()
Adversary:
a polynomialtime eavesdropper.
( , , ) : a publickey encryption scheme.
Imagine a
n experiment:
(1 ) is run to obtain a pair of keys
,
.
CiphertextIndistinguishability
n
GED
Gp
k
s
k
•
•
•
i
01
The adversary is given
, and outputs a pair of
messages
,
of the same length.
A random bit
{0,1} is chosen;
and a ciphertext
(
) is computed and given to the a
pk
pk
b
pk
mm
M
b
cE
m
∈
←
←
i
i
dversary.
The adversary determines whether
is the encryption
of
or
.
c
i
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document p8.
ciphertextindistinguishable against eave
A publickkey encryption scheme with security
parameter
is
if for every polynomialtime adversary
Definit
there
sdropper
exists
ion:
a neg
ligib
s
le
n
A
•
01
function
such that
Pr
(
,
,
, )
:
(
,
)
(1 ), {
,
}
{
,
},
( )
1
negl( )
2
n
Ap
k
up
k
negl
km mc m
p
ks
k
G
m m
M
mm
m
c
E
m
n
⎡
=←
←
⎣
⎤
←←
⎦
≤+
p9.
Since the adversary knows the publick key
, it can encrypt
any polynomial number of messages of its choice.
That is, eavesdroppers are capable of CPA's.
Thus, if a pub
lickey encryp
Remarks
pk
•
•
•
tion scheme is secure against
eavesdroppers, then it is also CPAsecure.
Most publickkey encryption schemes are based on oneway
funct
.
ions
•
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document p10.
1
1
trapdoor
Easy:
Hard:
Use
as the private key.
Most (assumed) oneway functions come from
number theory
trapdoo
.
This is the end of the preview. Sign up
to
access the rest of the document.
This note was uploaded on 01/22/2011 for the course CSE 794 taught by Professor Tenh.lai during the Spring '10 term at Ohio State.
 Spring '10
 TenH.Lai

Click to edit the document details