Cryptographic Hash Functions

*Slides borrowed from Vitaly Shmatikov

Hash Functions: Main Idea
hash function H
message
x . “message
digest”

.y
. x’.
x’’ . y’
bit strings of any length n-bit strings

◆ Hash function H is a lossy compression function

• Collision: H(x)=H(x’) for some inputs x≠x’
◆ H(x) should look “random”
• Every bit (almost) equally likely to be 0 or 1
◆ A cryptographic hash function must have certain properties
slide 2
One-Way
◆ Intuition: hash should be hard to invert
• “Preimage resistance”
• Given a random y, it should be hard to find any x
such that h(x)=y
– y is an n-bit string randomly chosen from the output space
of the hash function, i.e., y=h(x’) for some x’
◆ How hard?
• Brute-force: try every possible x, see if h(x)=y
• SHA-1 (a common hash function) has 160-bit output
– Suppose we have hardware that can do 230 trials a pop
– Assuming 234 trials per second, can do 289 trials per year
– Will take 271 years to invert SHA-1 on a random image
slide 3
Birthday Paradox
◆ T people
◆ Suppose each birthday is a random number taken
from K days (K=365) – how many possibilities?
• KT - samples with replacement
◆ How many possibilities that are all different?
• (K)T = K(K-1)…(K-T+1) - samples without replacement
◆ Probability of no repetition?
• (K)T/KT ≈ 1 - T(T-1)/2K
◆ Probability of repetition?
• O(T2)
Collision Resistance
◆ Should be hard to find x≠x’ such that h(x)=h(x’)
◆ Birthday paradox
• Let T be the number of values x,x’,x’’… we need to
look at before finding the first pair x≠x’ s.t. h(x)=h(x’)
• Assuming h is random, what is the probability that we
find a repetition after looking at T values? O(T2)
• Total number of pairs? O(2n)
– n = number of bits in the output of hash function
• Conclusion: T ≈ O(2n/2)
◆ Brute-force collision search is O(2n/2), not O(2n)
• For SHA-1, this means O(280) vs. O(2160)
slide 5
One-Way vs. Collision Resistance
◆ One-wayness does not imply collision resistance
• Suppose g() is one-way
• Define h(x) as g(x’) where x’ is x except the last bit
– h is one-way (cannot invert h without inverting g)
– Collisions for h are easy to find: for any x, h(x0)=h(x1)
◆ Collision resistance does not imply one-wayness
• Suppose g() is collision-resistant
• Define h(x) to be 0x if x is (n-1)-bit long, else 1g(x)
– Collisions for h are hard to find: if y starts with 0, then there are
no collisions; if y starts with 1, then must find collisions in g
– h is not one way: half of all y’s (those whose first bit is 0) are
easy to invert (how?), thus random y is invertible with prob. 1/2
slide 6
Weak Collision Resistance
◆ Given a randomly chosen x, hard to find x’
such that h(x)=h(x’)
• Attacker must find collision for a specific x… by
contrast, to break collision resistance, enough to
find any collision
• Brute-force attack requires O(2n) time
◆ Weak collision resistance does not imply
collision resistance (why?)

slide 7
Hashing vs. Encryption
◆ Hashing is one-way. There is no “uh-hashing”!
• A ciphertext can be decrypted with a decryption key…
hashes have no equivalent of “decryption”
◆ Hash(x) looks “random”, but can be compared
for equality with Hash(x’)
• Hash the same input twice → same hash value
• Encrypt the same input twice → different ciphertexts
◆ Cryptographic hashes are also known as
“cryptographic checksums” or “message
digests”
slide 8
Application: Password Hashing
◆ Instead of user password, store hash(password)
◆ When user enters a password, compute its hash
and compare with the entry in the password file
• System does not store actual passwords!
• Cannot go from hash to password!
◆ Why is hashing better than encryption here?
◆ Does hashing protect weak, easily guessable
passwords?

slide 9
Application: Software Integrity
VIRUS

badFile
goodFile

The Times
BigFirm™ hash(goodFile) User

Software manufacturer wants to ensure that the executable file

is received by users without modification…
Sends out the file to users and publishes its hash in the NY Times
The goal is integrity, not secrecy
Idea: given goodFile and hash(goodFile),
very hard to find badFile such that hash(goodFile)=hash(badFile)
slide 10
Which Property Is Needed?
◆ Passwords stored as hash(password)
• One-wayness: hard to recover entire password
• Passwords are not random and thus guessable
◆ Integrity of software distribution
• Weak collision resistance?
• But software images are not random… maybe need full
collision resistance
◆ Auctions: to bid B, send H(B), later reveal B
• One-wayness… but does not protect B from guessing
• Collision resistance: bidder should not be able to find
two bids B and B’ such that H(B)=H(B’)
slide 11
Common Hash Functions
◆ MD5
• Completely broken by now
◆ RIPEMD-160
• 160-bit variant of MD-5
◆ SHA-1 (Secure Hash Algorithm)
• Recently broken & deprecated
◆ SHA-256, SHA-3
• Still secure and recommended

slide 12
Overview of MD5
◆ Designed in 1991 by Ron Rivest
◆ Iterative design using compression function

M1 M2 M3 M4
IHV0

Com- Com- Com- Com-

press press press press

IHV4

slide 13
History of MD5 Collisions
◆ 2004: first collision attack
• The only difference between colliding messages is
128 random-looking bytes
◆ 2007: chosen-prefix collisions
• For any prefix, can find colliding messages that have
this prefix and differ up to 716 random-looking bytes
◆ 2008: rogue SSL certificates
• Talk about this in more detail when discussing PKI
◆ 2012: MD5 collisions used in cyberwarfare
• Flame malware uses an MD5 prefix collision to fake a
Microsoft digital code signature
slide 14
 Basic Structure of SHA-1
Against padding attacks

Split message into 512-bit blocks

160-bit buffer (5 registers) Compression function

initialized with magic values • Applied to each 512-bit block
and current 160-bit buffer
• This is the heart of SHA-1
slide 15
SHA-1 Compression Function
Current buffer (five 32-bit registers A,B,C,D,E)
Current message block

Four rounds, 20 steps in each

Let’s look at each

step
in more detail…

Similar to a block cipher,

with message itself used
Fifth round adds the original
as the key for each round
buffer to the result of 4 rounds

Buffer contains final hash value

slide 16
One Step of SHA-1 (80 steps total)

A B C D E

Logic function for steps +

•
•
(B∧C)∨(¬B∧D)
B⊕C⊕D
0..19
20..39 ft
• (B∧C)∨(B∧D)∨(C∧D) 40..59

5 bitwise
• B⊕C⊕D 60..79
+
left-rotate
Current message block mixed in
• For steps 0..15, W0..15=message block Wt
Multi-level shifting of message blocks
• For steps 16..79,
Wt=Wt-16⊕Wt-14⊕Wt-8⊕Wt-3 +
Special constant added
30 bitwise
left-rotate (same value in each 20-step round, Kt
4 different constants altogether)
+

A B C D E
slide 17
How Strong Is SHA-1?
◆ Every bit of output depends on every bit of input
• Very important property for collision-resistance
◆ Brute-force inversion requires 2160 ops, birthday
attack on collision resistance requires 280 ops
◆ Weaknesses discovered in 2005
• Collisions can be found in 263 ops
◆ Researchers at Google/CWI demonstrated first
collision attack in 2017

slide 18
NIST Competition
◆ A public competition to develop a new
cryptographic hash algorithm
• Organized by NIST (read: NSA)
◆ 64 entries into the competition (Oct 2008)
◆ 5 finalists in 3rd round (Dec 2010)
◆ Winner: Keccak (Oct 2012)
• standardized as SHA-3

slide 19
Integrity and Authentication

KEY MAC
(message authentication code) KEY

message, MAC(KEY,message)

?
message =
Alice Bob
Recomputes MAC and verifies whether it is
equal to the MAC attached to the message

Integrity and authentication: only someone who knows KEY can

compute correct MAC for a given message
slide 20
HMAC
◆ Construct MAC from a cryptographic hash function
• Invented by Bellare, Canetti, and Krawczyk (1996)
• Used in SSL/TLS, mandatory for IPsec
◆ Why not encryption?
• Hashing is faster than encryption
• Library code for hash functions widely available
• Can easily replace one hash function with another
• There used to be US export restrictions on encryption

slide 21
Structure of HMAC
magic value (flips half of key bits)

Secret key padded

to block size
Block size of embedded hash function

another magic value

(flips different key bits)
Embedded hash function

“Black box”: can use this HMAC

construction with any hash function
(why is this important?)

hash(key,hash(key,message))

slide 22
Overview of Symmetric Encryption
Basic Problem

-----
-----
-----
?

Given: both parties already know the same secret

Goal: send a message confidentially How is this achieved in practice?

Any communication system that aims to guarantee

confidentiality must solve this problem
slide 24
 Kerckhoffs's Principle
◆ An encryption scheme should be
secure even if enemy knows
everything about it except the key
• Attacker knows all algorithms
• Attacker does not know random numbers
◆ Do not rely on secrecy of the
algorithms (“security by obscurity”)
Full name:
Easy lesson:
use a good random number Jean-Guillaume-Hubert-Victor-
generator! François-Alexandre-Auguste
Kerckhoffs von Nieuwenhof
slide 25
Randomness Matters!

slide 26
One-Time Pad (Vernam Cipher)

-----
----- 10111101…
----- = 10111101…

⊕ 10001111… ⊕
= 00110010… 00110010… =

Key is a random bit sequence

as long as the plaintext
Encrypt by bitwise XOR of
plaintext and key:
ciphertext = plaintext ⊕ key
Decrypt by bitwise XOR of
ciphertext and key:
ciphertext ⊕ key =
(plaintext ⊕ key) ⊕ key =
plaintext ⊕ (key ⊕ key) =
plaintext

Cipher achieves perfect secrecy if and only if

there are as many possible keys as possible plaintexts, and
every key is equally likely (Claude Shannon, 1949)
slide 27
Advantages of One-Time Pad
◆ Easy to compute
• Encryption and decryption are the same operation
• Bitwise XOR is very cheap to compute
◆ As secure as theoretically possible
• Given a ciphertext, all plaintexts are equally likely,
regardless of attacker’s computational resources
• …if and only if the key sequence is truly random
– True randomness is expensive to obtain in large quantities
• …if and only if each key is as long as the plaintext
– But how do the sender and the receiver communicate the key
to each other? Where do they store the key?
slide 28
Problems with One-Time Pad
◆ Key must be as long as the plaintext
• Impractical in most realistic scenarios
• Still used for diplomatic and intelligence traffic
◆ Does not guarantee integrity
• One-time pad only guarantees confidentiality
• Attacker cannot recover plaintext, but can easily
change it to something else
◆ Insecure if keys are reused
• Attacker can obtain XOR of plaintexts

slide 29
No Integrity

0
-----
----- 10111101…
----- = 10111101… 0
⊕ 10001111… ⊕
= 00110010… 00110010… =

Key is a random bit sequence

as long as the plaintext
Encrypt by bitwise XOR of
plaintext and key:
ciphertext = plaintext ⊕ key
Decrypt by bitwise XOR of
ciphertext and key:
ciphertext ⊕ key =
(plaintext ⊕ key) ⊕ key =
plaintext ⊕ (key ⊕ key) =
plaintext

slide 30
Dangers of Reuse

----- P1
----- C1 00000000…
----- = 00000000…

⊕ 00110010… ⊕
= 00110010… 00110010… =

----- P2
----- C2
----- = 11111111…

⊕ 11001101…
= 00110010…

Learn relationship between plaintexts

C1⊕C2 = (P1⊕K)⊕(P2⊕K) =
(P1⊕P2)⊕(K⊕K) = P1⊕P2
slide 31
Reducing Key Size
◆ What to do when it is infeasible to pre-share huge
random keys?
◆ Use special cryptographic primitives:
block ciphers, stream ciphers
• Single key can be re-used (with some restrictions)
• Not as theoretically secure as one-time pad

slide 32
Block Ciphers
◆ Operates on a single chunk (“block”) of plaintext
• For example, 64 bits for DES, 128 bits for AES
• Same key is reused for each block (can use short keys)
◆ Result should look like a random permutation
◆ Not impossible to break, just very expensive
• If there is no more efficient algorithm (unproven
assumption!), can only break the cipher by brute-force,
try-every-possible-key search
• Time and cost of breaking the cipher exceed the value
and/or useful lifetime of protected information

slide 33
Permutation

1 1
2 2
3 3
4 4
CODE becomes DCEO

◆ For N-bit input, N! possible permutations

◆ Idea: split plaintext into blocks, for each block use
secret key to pick a permutation, rinse and repeat
• Without the key, permutation should “look random”
slide 34
A Bit of Block Cipher History
◆ Playfair and variants (from 1854 until WWII)
◆ Feistel structure Textbook

• “Ladder” structure: split input in half, put one half

through the round and XOR with the other half
• After 3 random rounds, ciphertext indistinguishable
from a random permutation
◆ DES: Data Encryption Standard Textbook

• Invented by IBM, issued as federal standard in 1977

• 64-bit blocks, 56-bit key + 8 bits for parity
• Very widely used (usually as 3DES) until recently
– 3DES: DES + inverse DES + DES (with 2 or 3 different keys)
slide 35
DES Operation (Simplified)

Block of plaintext Key

Add some secret key bits

S S S S to provide confusion

S S S S Each S-box transforms

its input bits in a
“random-looking” way
repeat for several rounds
to provide diffusion
(spread plaintext bits
S S S S throughout ciphertext)

Procedure must be reversible

Block of ciphertext (for decryption)
slide 36
 Remember SHA-1?
Constant value
Current message block

Very similar to a block cipher,

with message itself used
as the key for each round

Buffer contains final hash value

slide 37
Advanced Encryption Standard (AES)
◆ US federal standard as of 2001
◆ Based on the Rijndael algorithm
◆ 128-bit blocks, keys can be 128, 192 or 256 bits
◆ Unlike DES, does not use Feistel structure
• The entire block is processed during each round
◆ Design uses some clever math
• See section 8.5 of the textbook for a concise summary

slide 38
Basic Structure of Rijndael
128-bit plaintext 128-bit key
(arranged as 4x4 array of 8-bit bytes)

⊕
S shuffle the array (16x16 substitution table)

Shift rows shift array rows

(1st unchanged, 2nd left by 1, 3rd left by 2, 4th left by 3)
Expand key
mix 4 bytes in each column
Mix columns (each new byte depends on all bytes in old column)

add key for this round

⊕
repeat 10 times
slide 39
Encrypting a Large Message
◆ So, we’ve got a good block cipher, but our
plaintext is larger than 128-bit block size
◆ Electronic Code Book (ECB) mode
• Split plaintext into blocks, encrypt each one separately
using the block cipher
◆ Cipher Block Chaining (CBC) mode
• Split plaintext into blocks, XOR each block with the
result of encrypting previous blocks
◆ Also various counter modes, feedback modes, etc.

slide 40
ECB Mode

plaintext

key key key key key

block block block block block
cipher cipher cipher cipher cipher

ciphertext

◆ Identical blocks of plaintext produce identical

blocks of ciphertext
◆ No integrity checks: can mix and match blocks
slide 41
Information Leakage in ECB Mode
[Wikipedia]

Encrypt in ECB mode

slide 42
Adobe Passwords Stolen (2013)
◆ 153 million account passwords
• 56 million of them unique
◆ Encrypted using 3DES in ECB mode rather than
hashed

Password hints

slide 43
 CBC Mode: Encryption
plaintext

Initialization
vector
(random) ⊕ key ⊕ key ⊕ key ⊕ key
block block block block
Sent with ciphertext cipher cipher cipher cipher
(preferably encrypted)

ciphertext

◆ Identical blocks of plaintext encrypted differently

◆ Last cipherblock depends on entire plaintext
• Still does not guarantee integrity slide 44
 CBC Mode: Decryption
plaintext

Initialization
vector ⊕ key ⊕ key ⊕ key ⊕ key
decrypt decrypt decrypt decrypt

ciphertext

slide 45
ECB vs. CBC
[Picture due to Bart Preneel]

AES in ECB mode AES in CBC mode

Similar plaintext
blocks produce
similar ciphertext
blocks (not good!)

slide 46
Choosing the Initialization Vector
◆ Key used only once
• No IV needed (can use IV=0)
◆ Key used multiple times
• Best: fresh, random IV for every message
• Can also use unique IV (eg, counter), but then the first
step in CBC mode must be IV’ ← E(k, IV)
– Example: Windows BitLocker
– May not need to transmit IV with the ciphertext
◆ Multi-use key, unique messages
• Synthetic IV: IV ← F(k’, message)
– F is a cryptographically secure keyed pseudorandom function
slide 47
 CBC and Electronic Voting
[Kohno, Stubblefield, Rubin, Wallach]

plaintext
Initialization
vector ⊕ key ⊕ key ⊕ key ⊕ key
(supposed to
be random)
DES DES DES DES

ciphertext
Found in the source code for Diebold voting machines:
DesCBCEncrypt((des_c_block*)tmp, (des_c_block*)record.m_Data,
totalSize, DESKEY, NULL, DES_ENCRYPT)
slide 48
CTR (Counter Mode)
plaintext
Random IV

⊕ key ⊕ key ⊕ key ⊕ key

Enc(IV) Enc(IV+1) Enc(IV+2) Enc(IV+3)

IV
ciphertext

◆ Still does not guarantee integrity

◆ Fragile if counter repeats
slide 49
When Is a Cipher “Secure”?
◆ Hard to recover plaintext from ciphertext?
• What if attacker learns only some bits of the plaintext?
Some function of the bits? Some partial information
about the plaintext?
◆ Fixed mapping from plaintexts to ciphertexts?
• What if attacker sees two identical ciphertexts and
infers that the corresponding plaintexts are identical?
• What if attacker guesses the plaintext – can he verify
his guess?
• Implication: encryption must be randomized or stateful

slide 50
How Can a Cipher Be Attacked?
◆ Attackers knows ciphertext and encryption algthm
• What else does the attacker know? Depends on the
application in which the cipher is used!
◆ Known-plaintext attack (stronger)
• Knows some plaintext-ciphertext pairs
◆ Chosen-plaintext attack (even stronger)
• Can obtain ciphertext for any plaintext of his choice
◆ Chosen-ciphertext attack (very strong)
• Can decrypt any ciphertext except the target
• Sometimes very realistic
slide 51
Known-Plaintext Attack
[From “The Art of Intrusion”]

Extracting password from an encrypted PKZIP file …

◆ “… I opened the ZIP file and found a `logo.tif’ file,
so I went to their main Web site and looked at all
the files named `logo.tif.’ I downloaded them and
zipped them all up and found one that matched
the same checksum as the one in the protected
ZIP file”
◆ With known plaintext, PkCrack took 5 minutes to
extract the key
• Biham-Kocher attack on PKZIP stream cipher
slide 52
Chosen-Plaintext Attack

PIN is encrypted and

transmitted to bank

cipher(key,PIN)

Crook #2 eavesdrops
Crook #1 changes on the wire and learns
his PIN to a number ciphertext corresponding
of his choice to chosen plaintext PIN

… repeat for any PIN value

slide 53
Very Informal Intuition Minimum security
requirement for a
modern encryption scheme

◆ Security against chosen-plaintext attack

• Ciphertext leaks no information about the plaintext
• Even if the attacker correctly guesses the plaintext, he
cannot verify his guess
• Every ciphertext is unique, encrypting same message
twice produces completely different ciphertexts
◆ Security against chosen-ciphertext attack
• Integrity protection – it is not possible to change the
plaintext by modifying the ciphertext

slide 54
The Chosen-Plaintext Game
◆ Attacker does not know the key
◆ He chooses as many plaintexts as he wants, and
receives the corresponding ciphertexts
◆ When ready, he picks two plaintexts M0 and M1
• He is even allowed to pick plaintexts for which he
previously learned ciphertexts!
◆ He receives either a ciphertext of M0, or a
ciphertext of M1
◆ He wins if he guesses correctly which one it is

slide 55
Meaning of “Leaks No Information”
◆ Idea: given a ciphertext, attacker should not be
able to learn even a single bit of useful
information about the plaintext
◆ Let Enc(M0,M1,b) be a “magic box” that returns
encrypted Mb 0 or 1
• Given two plaintexts, the box always returns the
ciphertext of the left plaintext or right plaintext
• Attacker can use this box to obtain the ciphertext of
any plaintext M by submitting M0=M1=M, or he can try
to learn even more by submitting M0≠M1
◆ Attacker’s goal is to learn just this one bit b
slide 56
Chosen-Plaintext Security
◆ Consider two experiments (A is the attacker)
Experiment 0 Experiment 1
A interacts with Enc(-,-,0) A interacts with Enc(-,-,1)
and outputs his guess of bit b and outputs his guess of bit b
• Identical except for the value of the secret bit
• b is attacker’s guess of the secret bit
◆ Attacker’s advantage is defined as
| Prob(A outputs 1 in Exp0) - Prob(A outputs 1 in Exp1)) |
◆ Encryption scheme is chosen-plaintext secure if
this advantage is negligible for any efficient A
slide 57
Simple Example
◆ Any deterministic, stateless symmetric encryption
scheme is insecure
• Attacker can easily distinguish encryptions of different
plaintexts from encryptions of identical plaintexts
• This includes ECB mode of common block ciphers!
Attacker A interacts with Enc(-,-,b)
Let X,Y be any two different plaintexts
C1 ← Enc(X,X,b); C2 ← Enc(X,Y,b);
If C1=C2 then b=0 else b=1

◆ The advantage of this attacker A is 1

Prob(A outputs 1 if b=0)=0 Prob(A outputs 1 if b=1)=1
slide 58
Encrypt + MAC

Goal: confidentiality + integrity + authentication

Can tell if messages Breaks chosen-
are the same! plaintext security
K1, K2
MAC=HMAC(K2,msg) K1, K2

msg Decrypt

encrypt(msg), MAC(msg)

encrypt(msg2), MAC(msg2)
?
=
Alice Encrypt(K1,msg) Bob
Verify MAC

MAC is deterministic: messages are equal ⇒ their MACs are equal

Solution: Encrypt, then MAC (or MAC, then encrypt)

slide 59
CS 361S

Overview of
Public-Key Cryptography

slide 60
 Public-Key Cryptography
public key

public key ? private key

Alice
Bob
Given: Everybody knows Bob’s public key
- How is this achieved in practice?
Only Bob knows the corresponding private key
Goals: 1. Alice wants to send a message that
only Bob can read
2. Bob wants to send a message that
only Bob could have written slide 61
Applications of Public-Key Crypto
◆ Encryption for confidentiality
• Anyone can encrypt a message
– With symmetric crypto, must know the secret key to encrypt
• Only someone who knows the private key can decrypt
• Secret keys are only stored in one place
◆ Digital signatures for authentication
• Only someone who knows the private key can sign
◆ Session key establishment
• Exchange messages to create a secret session key
• Then switch to symmetric cryptography (why?)
slide 62
Public-Key Encryption
◆ Key generation: computationally easy to generate
a pair (public key PK, private key SK)
◆ Encryption: given plaintext M and public key PK,
easy to compute ciphertext C=EPK(M)
◆ Decryption: given ciphertext C=EPK(M) and private
key SK, easy to compute plaintext M
• Infeasible to learn anything about M from C without SK
• Trapdoor function: Decrypt(SK,Encrypt(PK,M))=M

slide 63
Some Number Theory Facts
◆ Euler totient function ϕ(n) where n≥1 is the
number of integers in the [1,n] interval that are
relatively prime to n
• Two numbers are relatively prime if their
greatest common divisor (gcd) is 1
◆ Euler’s theorem:
if a∈Zn*, then aϕ(n) ≡ 1 mod n
◆ Special case: Fermat’s Little Theorem
if p is prime and gcd(a,p)=1, then ap-1 ≡ 1 mod p

slide 64
RSA Cryptosystem
◆ Key generation:
[Rivest, Shamir, Adleman 1977]
• Generate large primes p, q
– At least 2048 bits each… need primality testing!
• Compute n=pq
– Note that ϕ(n)=(p-1)(q-1)
• Choose small e, relatively prime to ϕ(n)
– Typically, e=3 (may be vulnerable) or e=216+1=65537 (why?)
• Compute unique d such that ed ≡ 1 mod ϕ(n)
• Public key = (e,n); private key = d
◆ Encryption of m: c = me mod n
◆ Decryption of c: cd mod n = (me)d mod n = m
slide 65
Why RSA Decryption Works
◆ e⋅d ≡ 1 mod ϕ(n)
◆ Thus e⋅d = 1+k⋅ϕ(n) = 1+k(p-1)(q-1) for some k
◆ If gcd(m,p)=1, then by Fermat’s Little Theorem,
mp-1 ≡ 1 mod p
◆ Raise both sides to the power k(q-1) and multiply
by m, obtaining m1+k(p-1)(q-1) ≡ m mod p
◆ Thus med ≡ m mod p
◆ By the same argument, med ≡ m mod q
◆ Since p and q are distinct primes and p⋅q=n,
med ≡ m mod n
slide 66
Why Is RSA Secure?
◆ RSA problem: given c, n=pq, and
e such that gcd(e,(p-1)(q-1))=1,
find m such that me=c mod n
• In other words, recover m from ciphertext c and public
key (n,e) by taking eth root of c modulo n
• There is no known efficient algorithm for doing this
◆ Factoring problem: given positive integer n, find
primes p1, …, pk such that n=p1e1p2e2…pkek
◆ If factoring is easy, then RSA problem is easy, but
may be possible to break RSA without factoring n
slide 67
“Textbook” RSA Is Bad Encryption
◆ Deterministic
• Attacker can guess plaintext, compute ciphertext, and
compare for equality
• If messages are from a small set (for example, yes/no),
can build a table of corresponding ciphertexts
◆ Can tamper with encrypted messages
• Take an encrypted auction bid c and submit
c(101/100)e mod n instead
◆ Does not provide semantic security (security
against chosen-plaintext attacks)
slide 68
Integrity in RSA Encryption
◆ “Textbook” RSA does not provide integrity
• Given encryptions of m1 and m2, attacker can create
encryption of m1⋅m2
– (m1e) ⋅ (m2e) mod n ≡ (m1⋅m2)e mod n
• Attacker can convert m into mk without decrypting
– (me)k mod n ≡ (mk)e mod n
◆ In practice, OAEP is used: instead of encrypting
M, encrypt M⊕G(r) ; r⊕H(M⊕G(r))
• r is random and fresh, G and H are hash functions
• Resulting encryption is plaintext-aware: infeasible to
compute a valid encryption without knowing plaintext
– … if hash functions are “good” and RSA problem is hard slide 69
 Digital Signatures: Basic Idea
public key

public key ? private key

Alice Bob

Given: Everybody knows Bob’s public key

Only Bob knows the corresponding private key

Goal: Bob sends a “digitally signed” message

1. To compute a signature, must know the private key
2. To verify a signature, only the public key is needed
slide 70
RSA Signatures
◆ Public key is (n,e), private key is d
◆ To sign message m: s = hash(m)d mod n
• Signing and decryption are the same mathematical
operation in RSA
◆ To verify signature s on message m:
se mod n = (hash(m)d)e mod n = hash(m)
• Verification and encryption are the same mathematical
operation in RSA
◆ Message must be hashed and padded (why?)

slide 71
 Diffie-Hellman Protocol
◆ Alice and Bob never met and share no secrets
◆ Public info: p and g
• p is a large prime number, g is a generator of Zp*
– Zp*={1, 2 … p-1}; ∀a∈Zp* ∃i such that a=gi mod p

Pick secret, random X Pick secret, random Y

gx mod p

gy mod p
Alice Bob

Compute k=(gy)x=gxy mod p Compute k=(gx)y=gxy mod p

slide 72
Why Is Diffie-Hellman Secure?
◆ Discrete Logarithm (DL) problem:
given gx mod p, it’s hard to extract x
• There is no known efficient algorithm for doing this
• This is not enough for Diffie-Hellman to be secure!
◆ Computational Diffie-Hellman (CDH) problem:
given gx and gy, it’s hard to compute gxy mod p
• … unless you know x or y, in which case it’s easy
◆ Decisional Diffie-Hellman (DDH) problem:
given gx and gy, it’s hard to tell the difference
between gxy mod p and gr mod p where r is random
slide 73
Properties of Diffie-Hellman
◆ Assuming DDH problem is hard, Diffie-Hellman
protocol is a secure key establishment protocol
against passive attackers
• Eavesdropper can’t tell the difference between the
established key and a random value
• Can use the new key for symmetric cryptography
◆ Basic Diffie-Hellman protocol does not provide
authentication
• IPsec combines Diffie-Hellman with signatures, anti-DoS
cookies, etc.

slide 74
Advantages of Public-Key Crypto
◆ Confidentiality without shared secrets
• Very useful in open environments
• Can use this for key establishment, avoiding the
“chicken-or-egg” problem
– With symmetric crypto, two parties must share a secret before
they can exchange secret messages
◆ Authentication without shared secrets
◆ Encryption keys are public, but must be sure that
Alice’s public key is really her public key
• This is a hard problem… Often solved using public-key
certificates
slide 75
Disadvantages of Public-Key Crypto
◆ Calculations are 2-3 orders of magnitude slower
• Modular exponentiation is an expensive computation
• Typical usage: use public-key cryptography to establish
a shared secret, then switch to symmetric crypto
– SSL, IPsec, most other systems based on public crypto
◆ Keys are longer
• 2048 bits (RSA) rather than 128 bits (AES)
◆ Relies on unproven number-theoretic assumptions
• Factoring, RSA problem, discrete logarithm problem,
decisional Diffie-Hellman problem…

slide 76