But as far as we know, in general the only way to do that is to actually find p and q. But interesting problem: might it be a little easier?

OK, how about the ElGamal system, which is based on the discrete log problem? Well, this introduces some randomness. I mentioned some randomness with the CVP a second ago, but let me talk about it a little more. Almost all secure cryptography relies on having a source of randomness. I'm going to talk about that a little later. Those at Christel's talk realize that it really makes a difference if someone can subvert your source of random bits; they basically completely compromise everything you do.

Anyway, so here's how ElGamal works. The public key: we're working mod p, pick your favorite big prime. You take a g, so you're looking at g mod p, and you raise g to the secret power: g^k mod p. OK, so Bob knows these three numbers, Eve knows these three numbers, but presumably it's hard for them to figure out what k is.

So Bob wants to send the message m, which will be a number mod p. So he chooses a random number r mod p-1. OK, so let's assume he has a way to do that. And then the ciphertext is not a single number, it's a pair of numbers. First Bob takes the number g, which is public, and raises it to this secret random number he chose, mod p, and he sends Alice c1. Alice cannot figure out what r is, right, because she knows g^r, but finding r is the discrete log problem. But Alice gets to see c1, Eve gets to see c1. Bob also takes g^k, which remember Alice has published, raises that to his secret power r, multiplies it by his message, and reduces mod p. So he sends Alice these two numbers.

And how does Alice decrypt? Well, I'm going to give you the formula, and it's fun for you to figure out why; it's just a little bit of algebra, but it's fun for you to do. She takes the c1 that Bob sent her, she raises it to her secret power, she inverts it mod p. Inversion mod p is just the Euclidean algorithm.
That's really quick. She multiplies it by the other part of the ciphertext, the c2, and reduces mod p, and that will get Bob's message back. You can almost do this in your head probably, but if not, write it down.

I will mention you may notice the parentheses around the c1^k here look kind of different. That's because I forgot to type them in in LaTeX, so they're not on the slides when you go look at them, so it looks like c1 to the k-1 power, which is not right. OK, so I did warn you about typos.

Elliptic curve ElGamal works identically, except every place where I'm raising to a power, I'm instead adding the point on the elliptic curve that many times. It's just the group law. Just replace the multiplicative group law by the elliptic curve group law.

And again, I've cheated a little bit: the underlying hard problem that Eve has to solve to read Bob's message is not actually finding Alice's secret k. What does she need to do? Well, I've kind of done it abstractly down here. What does Eve know? Eve the eavesdropper. She knows g^r... well, actually, let's take it back. Yeah. OK, I think this isn't entirely... I claim that if you can solve this Diffie-Hellman problem, then you can break Eve's crypto system even though you don't know what k is. And the problem you have to solve: I'll give you g, I'll give you g to some power a, I won't tell you what a is; I'll give you g to some other power b, I won't tell you what b is. And I'm not requiring you to find a and b; I'm just requiring you to compute g^(ab). OK, and again, as far as we know, the only way to do that in general is to actually find a and b, but maybe there's a clever way to do it.
I mean, you can kind of see there's no natural way to multiply g^a and g^b and get g^(ab), because when you multiply g^a times g^b, despite what most of our calculus students think, you do not get g^(ab), you get g^(a+b). All right.

Right, except... But Alice is good. Alice has published g^k. Alice doesn't need to find g, doesn't need to find r, because Alice has published g^k, so she actually knows what the k is. So she knows the solution to the discrete log for g^k because she created it, and if you look at how ElGamal works, it's that number that you need, and the g^r gets cancelled out in the decryption process. So Alice never does figure out what r is. Yeah.

OK, so third, fourth, however we're counting, the CVP hard problem. How do you turn that into... quick question? Yep. How much would it matter if you could figure out r? If you can figure out r, you can decrypt. So the answer is it's a disaster if Bob generates r in some way that's compromised. Yeah, good question. Yeah, you should... every system we come up with that has some randomness built in, you should check that if someone compromises the randomness they can break the system. It's almost always the case. Yeah, good question.

OK, so next time I'll describe two ways to use CVP to create crypto systems, one of them called GGH, the other called NTRU. GGH is relatively straightforward; it's more or less what I wrote earlier. Its problem is that it has very, very large key sizes. So NTRU uses those sort of special lattices to help solve that problem, but since that's not the topic of this... Yeah, OK. So that's not the topic of today's lecture.
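The ElGamal encryption and decryption just described, as an added example that is not part of the lecture: it uses the decryption formula with the parentheses in the right place, confirms that the slide's c1^(k-1) reading does not recover the message, and runs the check the lecturer recommends, that an eavesdropper who learns Bob's r can decrypt without ever learning Alice's k. The prime p = 2^127 - 1 and the base g = 5 are constructed demo values, far too small for real use.

```python
import secrets

P = 2**127 - 1   # constructed demo prime (a Mersenne prime); real p is much larger
G = 5            # assumed base g for the demo; any g in Z_p* works for correctness

def keygen(k=None, p=P, g=G):
    """Alice picks secret k and publishes (p, g, g^k mod p)."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    return k, (p, g, pow(g, k, p))

def encrypt(pub, m, r=None):
    """Bob: c1 = g^r mod p, c2 = m * (g^k)^r mod p; r is fresh random mod p-1 unless given."""
    p, g, gk = pub
    if r is None:
        r = secrets.randbelow(p - 2) + 1   # Bob's randomness: if this is predictable, see below
    return pow(g, r, p), (m * pow(gk, r, p)) % p

def decrypt(k, pub, ct):
    """Alice: c2 * (c1^k)^(-1) mod p. Parentheses matter: invert c1^k, not c1^(k-1)."""
    p, _, _ = pub
    c1, c2 = ct
    return (c2 * pow(pow(c1, k, p), -1, p)) % p   # pow(x, -1, p): inverse via Euclid

def decrypt_slide_typo(k, pub, ct):
    """The slide's c1^(k-1) reading, kept only to confirm it does NOT give m back."""
    p, _, _ = pub
    c1, c2 = ct
    return (c2 * pow(c1, k - 1, p)) % p

def eve_with_leaked_r(pub, ct, r):
    """If Bob's r leaks, Eve recomputes (g^k)^r from the public key and strips it off c2
    without ever learning k: the 'check that compromised randomness breaks it' test."""
    p, _, gk = pub
    _, c2 = ct
    return (c2 * pow(pow(gk, r, p), -1, p)) % p

def demo(m=123456789):
    """Returns (correct decryption, typo decryption, Eve's recovery with leaked r)."""
    k, pub = keygen()
    r = secrets.randbelow(P - 2) + 1
    ct = encrypt(pub, m, r)
    return decrypt(k, pub, ct), decrypt_slide_typo(k, pub, ct), eve_with_leaked_r(pub, ct, r)
```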
So I'm just going to leave it to say: come back on Friday. Come back on Thursday and Friday. But I will mention that next week Kristin Lauter is going to give a series of talks about using elliptic curves to create public key crypto systems, and probably digital signatures also, which we'll get to in a minute, but not using the elliptic curve discrete log problem, using a different problem, which again people think and hope is harder than the elliptic curve discrete log problem, which is based on isogenies. Isogenies is the fancy word for a homomorphism from one elliptic curve to another. So that's a preview for next week.

OK, so up till now I've been talking about what are called public key crypto systems. That's: I want to send a message to someone in the back row there. The person in the back row has published their public key so I can do that, but all of you sitting in between can't decrypt the message because you don't know that person's private key. That's one of many aspects, an important part, but one of many aspects of public key cryptography in general. The other really, really important part is what's called digital signatures, and in some sense they're almost more important than encryption methods.

OK, so what's a digital signature? Well, let's start with what's a signature that's not digital. You're all familiar with it. Well, actually, I shouldn't say this. Once upon a time all of you would have been familiar with having a physical check, and you write "pay to X $20" and you write your signature on it. That was your signature.
So here's a check that Bob is sending Alice, a hundred dollars. And how does the bank know that that's actually a check that they should cash? Well, because they can see Bob's signature at the bottom and they have a copy of his signature on record. This is not a good model for electronic things, right?

So now, instead of signing a check like that, Bob has this digital file. OK, and he wants to send it to Alice, actually wants to send it to the whole world. OK, but he wants to prove that it's really from him, so he wants to sign that file. It could be, I don't know, an audio file, a video file, a PDF, whatever he wants, an NFT, right? He wants to prove that it's his, he's the one who created it and no one else, and he does that using what's called a digital signature.

And just one example to keep in mind which will give you an idea of how important this is: how many people have apps on their phones? How many people's apps on their phones have been updated sometime in the last month or year? Everyone's. How do you know that those updates don't contain all kinds of malicious software? The answer is: when you install the original app, it has the public key for the digital signature from that company, and when the company sends you an update, it checks that the file actually came from that company. OK, so basically none of the way apps work really could function without digital signatures, unless the world was a nice safe place where there were no bad people, and that would be nice, but...

OK, here's how digital signatures work mathematically. So the idea is Bob has a digital document he wants to sign. He uses his private signing key, and there's a signing function, and what comes out is a signature. Then the verification function takes three inputs: it takes Bob's public key, it takes the signature that Bob got when he signed his document, and it takes the document. And the output is just one bit: yes, it's valid, or no, it's not valid. And what do you want this to satisfy?
It's that if you have a valid public/private key pair, then when you apply the verification function to the public key, the signature and the document, you'll get yes if and only if the signature came from signing using Bob's private key. So the only way to create a valid signature is to know the private key. It's not so easy to think how to do it; it's actually harder to build these generally than it is to build public key crypto systems, and we'll get to why, especially on Friday, because there's sort of an extra attack.

Anyway, here's how RSA works. I'm going to go through these really quickly. If you haven't seen them, you should look at them in the problem session and check that they actually work, which again is a bunch of fun number theory and algebra. But RSA signatures: it's the same setup with the product of the primes and the exponents, but now the private key is the solution to that congruence that was used to decrypt before. The document is a number D. Bob raises his document to this secret power, and that's his signature. And checking that the signature is valid: Alice takes the supposed signature, raises it to the e-th power, where that was published, and checks that she gets the document back. OK, good.

ElGamal signatures: these are significantly more complicated. I actually encourage you to go and read them in detail. I only want to pinpoint one thing, well, two things. One, ElGamal signatures also depend on choosing a random number, and they also have two parts to them, so the signature consists of two numbers. That's fine.
It doubles the length; we're talking bits, not even kilobytes. But the slightly weird thing about ElGamal signatures, which still gives me a little bit of disquiet, is this random number r appears as an exponent on the first piece of the signature, and it appears sort of linearly, not as an exponent, in the second part. So it's a little weird, although this s2 in some sense gets p-1, you kind of think of it as being exponent-like, anyway. And it's a fun exercise to check that the signature will be valid provided this quantity equals this quantity, and that can be checked because g^k was published, but to create this signature you actually need to know the k. All right. And lattice-based signatures we will talk about on Friday.

OK, so we've talked about public key crypto systems, that's all about encryption schemes, how you send messages; and digital signatures, how you prove that a digital file is actually yours. But there are a whole bunch of underlying technical problems, a couple of which I want to talk about. The first is: suppose that the document that Bob wants to sign is a video file of a movie. OK, we're talking gigabytes. OK, in these encryption schemes, the signatures, I mean the documents you're signing, are numbers mod pq, for example if you're using RSA; p times q is 2000 bits, 4,000 bits. So what Bob would be doing is signing every 4,000-bit chunk of this 20-gigabyte file. That's inefficient, and it has the added problem that it means that each part of the file is sort of signed separately, so the file isn't tied together. So what people do instead is they sign what's called a hash function. If you've taken CS classes, you've probably seen hash functions and hash tables; they're used for sorting, efficient sorting and stuff like that. These are a little trickier because the hash function has to be what's called cryptographically secure, which I will tell you about in a moment. So what happens is Bob takes this huge document, he runs it through a hash function,
and he actually signs the hash value, not the document itself. So the intuition is a hash function takes some huge file, some arbitrary-length set of bits, gigabytes. It's a function, it takes that as input, it's supposed to be very, very fast, and it outputs a single bit string containing b bits, and you just choose b big enough, basically, so that people can't find strings in here by brute force searches. Cheating a little bit.

So here are the properties that we need the hash function to have to use it for cryptography. These are not necessary for most computer science applications, but they're crucial for crypto. OK, so you have your document in {0,1}^*; that's notation for a finite but arbitrarily long bit string. OK, you know, the set {0,1} raised to the n-th power for some n. So computing it should be very fast; remember that we always want efficiency. However, if I give you a target string, I just give you some b-bit string that I've chosen at random, it should be very, very difficult for you to find any string at all which hits that one. Now you can do it by brute force eventually, right: if you try 2^b different inputs, you should have, well, at least a 50-50 chance of getting it; if you choose three to the b inputs, you'll almost certainly hit it. But we'll make b big enough that you can't do that. And it's usually good to have something even a little stronger, which is called collision resistance, which means not only can't you hit a target here that I give you, you also can't find two different input strings that give the same output. OK, and the final thing, which I guess we don't need because it's blocked by the blackboards, I don't know if you can read that, I'll read it for you.
It says altering one bit of the input affects every bit of the output in a random way. OK, so if I take that movie file and I flip one of the bits, the output of the hash will look completely different.

OK, now the other thing that one wants, as we've seen, are random numbers. ElGamal uses random numbers, the lattice-based systems as we'll see tomorrow use random numbers, RSA doesn't. Right, if you look at it, that's actually not a good feature; that's a flaw in RSA, and people usually build some randomness into the encryption process precisely to improve security.

OK, so here is a semi-realistic example of how one would build some randomness in. Regardless of what crypto system you're doing, it's a good idea to do this before you transmit your message. OK, so Bob wants to send the message M to Alice. So he chooses a random number, a random string of bits R, the same length as M, and he sends Alice this. The double vertical bar is concatenation, computer science notation. So he sends Alice the bit string R, and he also XORs R with the message M. So again, computer science: XORing, you just take each bit of the message and each bit of the random string and XOR them. Or if you're not a computer scientist: you take each bit in the message and the bit in the random string, so you have two bits, two numbers zero and one, and add them mod 2. So XOR to me is just a fancy way of writing "add the coordinates mod 2". Anyway, and then notice he can't send this M' directly to Alice. He now uses some crypto system to encrypt it, and he sends the encrypted M' to Alice. She decrypts it to get M' back, but then once she has M', she knows R and she knows R XOR M, so she can simply take the R XOR M, which was part of the plaintext, it looks like plaintext, and XOR it with the R, and if you XOR with the same thing twice it goes away. Why? Because mod 2, if you add something to itself you get zero.

Now this is not what's really done. The problem with this is that the
k-th bit of R affects the k-th bit of M, but what you really want is every bit of R to affect every bit of M. So people do things that are much more complicated, but the underlying idea
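Two small experiments on the last two points, the avalanche property of a cryptographic hash and the R || (R XOR M) randomization, added here as an example that is not part of the lecture: flipping one input bit of SHA-256 changes roughly half of the 256 output bits, while flipping bit k of R changes exactly one bit of R XOR M, which is the locality problem the lecturer points out. The document bytes are constructed sample data.

```python
import hashlib
import secrets

DOC = b"constructed sample document: pay to Alice $100, signed Bob"

def flip_bit(data: bytes, i: int) -> bytes:
    """Return a copy of data with bit i (first byte first, MSB first) flipped."""
    out = bytearray(data)
    out[i // 8] ^= 0x80 >> (i % 8)
    return bytes(out)

def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def sha256_avalanche(doc: bytes, i: int) -> int:
    """How many of the 256 digest bits change when input bit i is flipped (about 128)."""
    return differing_bits(hashlib.sha256(doc).digest(),
                          hashlib.sha256(flip_bit(doc, i)).digest())

def randomize(m: bytes, r: bytes) -> bytes:
    """Bob's M' = R || (R XOR M), with R the same length as M."""
    if len(r) != len(m):
        raise ValueError("R must have the same length as M")
    return r + bytes(x ^ y for x, y in zip(r, m))

def derandomize(m_prime: bytes) -> bytes:
    """Alice: split M' into R and R XOR M and XOR the halves; XORing twice cancels."""
    half = len(m_prime) // 2
    r, rxm = m_prime[:half], m_prime[half:]
    return bytes(x ^ y for x, y in zip(r, rxm))

def xor_pad_locality(m: bytes, r: bytes, i: int) -> int:
    """How many bits of the (R XOR M) half change when bit i of R is flipped: always 1."""
    a = randomize(m, r)[len(m):]
    b = randomize(m, flip_bit(r, i))[len(m):]
    return differing_bits(a, b)

def demo():
    """Returns (hash bits changed, pad bits changed, round-trip ok) for a fresh random R."""
    r = secrets.token_bytes(len(DOC))
    return sha256_avalanche(DOC, 5), xor_pad_locality(DOC, r, 5), derandomize(randomize(DOC, r)) == DOC
```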