This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: 1 6.080/6.089 GITCS April 17, 2008 Lecture 18 Lecturer: Scott Aaronson Scribe: Hristo Paskov Recap Last time we talked about public key cryptography which falls in the realm of accomplishing bizarre social goals using number theory. Our first example of a publickey cryptosystem, in which two people exchanging messages did not have to meet beforehand, was DiﬃeHellman. We then talked about the RSA cryptosystem, which is probably the most widely used today. Here are the basics of how it works: The first step is taken by the recipient of the message, by generating two giant prime numbers p and q and setting N = pq . Note that p and q must be chosen such that p − 1 and q − 1 are not divisible by 3. The recipient keeps p and q a closelyguarded secret, but gives out N to anyone who asks. Suppose a sender has a secret message x that she wants to send to the recipient. The sender calculates x 3 mod N and sends it to the recipient. Now it’s the recipient’s turn to recover the message. He can use some number theory together with the fact that he knows p and q , the factors of N . The recipient first finds an integer k such that 3 k = 1 mod ( p − 1)( q − 1), which can be done in polynomial time via Euclid’s algorithm, and then takes ( x 3 ) k mod N = x 3 k mod N = x . The exponentiation can be done in polynomial time by using the trick of repeated squaring. Voila! When you look at this procedure, you might wonder why are we cubing as opposed to raising to another power; is there anything special about 3? As it turns out, 3 is just the first choice that’s convenient. Squaring would lead to a ciphertext that had multiple decryptions (corresponding to the multiple square roots mod N ), while we want the decryption to be unique. Indeed, if we wanted the square root to be unique, then we’d need p − 1 and q − 1 to not divisible by 2, which is a problem since p and q (being large prime numbers) are odd! You could, however, raise to a power higher than 3, and in fact that’s what people usually do. If the other components of the cryptosystem—such as the padding out of messages with random garbage—aren’t implemented properly, then there’s a class of attacks called “smallexponent at tacks” which break RSA with small exponents though not with large ones. On the other hand, if everything else is implemented properly, then as far as we know x 3 mod N is already secure. 181 (Just like in biology, everything in cryptography is always more complicated than what you said, whatever you said. In particular, as soon as you leave a clean mathematical model and enter the real world, where code is buggy, hardware inadvertently leaks information, etc. etc., there’s always further scope for paranoia. And cryptographers are extremely paranoid people.) As mentioned in the last lecture, we know that a fast factoring algorithm would lead to a break of RSA. However, we don’t know the opposite direction: could you break RSA without factoring?factoring?...
View
Full
Document
 Spring '11
 Prof.ScottAaronson
 Cryptography, graph isomorphism

Click to edit the document details