LECTURE 4: Data Integrity & Authentication. Message Authentication Codes (MACs)

Goal
- (figure slide: Alice the sender, Fran the forger, Bob the receiver; the slide text is in the slide notes later in this document)

Definitions
- Authentication algorithm A
- Verification algorithm V (outputs accept / reject)
- Authentication key k
- Message space (usually binary strings)
- Every message between Alice and Bob is a pair (m, A_k(m))
- A_k(m) is called the authentication tag of m

Definition (cont.)
- Requirement: V_k(m, A_k(m)) = accept
- The authentication algorithm is called a MAC (Message Authentication Code)
- A_k(m) is frequently denoted MAC_k(m)
- Verification is by executing the authentication algorithm on m and comparing the result with the received MAC_k(m)

Properties of MAC Functions
- Security requirement: the adversary can't construct a new legal pair (m, MAC_k(m)), even after seeing (m_i, MAC_k(m_i)) for i = 1, 2, ..., n
- Output should be as short as possible
- The MAC function is not 1-to-1
Adversarial Model
- Available data: the MAC algorithm; known plaintext; chosen plaintext
- Note: chosen MAC is unrealistic
- Goal: given n legal pairs (m_1, MAC_k(m_1)), ..., (m_n, MAC_k(m_n)), find a new legal pair (m, MAC_k(m))

Adversarial Model (cont.)
- We say that the adversary succeeded even if the message Fran forged is meaningless. The reason is that it is hard to predict what has and what does not have a meaning in an unknown context, and how Bob, the receiver, will react to such a successful forgery.
Efficiency
- Adversary goal: given n legal pairs (m_1, MAC_k(m_1)), ..., (m_n, MAC_k(m_n)), find a new legal pair (m, MAC_k(m)) efficiently and with non-negligible probability.
- If n is large enough then the n pairs (m_i, MAC_k(m_i)) determine the key k uniquely (with high probability).
- Thus a non-deterministic machine can guess k and verify it. But doing this deterministically should be computationally hard.

MACs Used in Practice
- We describe a MAC based on CBC mode encryption, and a MAC based on cryptographic hash functions.

Reminder: CBC Mode Encryption (Cipher Block Chaining)
- (figure slide; see the slide notes later in this document)
CBC Mode MACs
- Start with the all-zero seed.
- Given a message consisting of n blocks M_1, M_2, ..., M_n, apply CBC (using the secret key k).

Security of CBC MAC [BKR]
- Claim: if E_k is a pseudo-random function, then CBC MAC is resilient to forgery.
- Proof outline: assume CBC MAC can be forged efficiently. Transform the forging algorithm into an algorithm that efficiently distinguishes E_k from a random function.

Combined Secrecy & MAC
- Given a message consisting of n blocks M_1, M_2, ..., M_n, apply CBC (using the secret key k_1) to produce MAC_k1(M).

Hash Functions
- Map large domains to smaller ranges
- Example: h: {0, 1, ..., p^2} → {0, 1, ..., p-1} defined by h(x) = ax + b mod p
- Used extensively for searching (hash tables)
- Collisions are resolved by several possible means: chaining, double hashing, etc.

Collision Resistance
- A hash function h: D → R is called weakly collision resistant for x ∈ D if it is hard to find x' ≠ x such that h(x') = h(x)
- A function h: D → R is called strongly collision resistant if it is hard to find x, x' such that x ≠ x' but h(x) = h(x')
The Birthday Paradox
- If 23 people are chosen at random, the probability that two of them have the same birthday is greater than 0.5
- More generally, let h: D → R be any mapping. If we choose 1.17·|R|^{1/2} elements of D at random, the probability that two of them are mapped to the same image is greater than 0.5.
Cryptographic Hash Functions
- Cryptographic hash functions are hash functions that are strongly collision resistant.
- Notice: no secret key.
- Should be very fast to compute, yet hard to find colliding pairs (impossible if P = NP).
- Usually defined by a compression function mapping n bits (e.g. 512) to m bits (e.g. 160), m < n.
Extending to Longer Strings
- (figure slide; see the slide notes later in this document)

Extending the Domain (cont.)
- The seed is usually constant
- Typically, padding (including the length of the original message) is used to make the input a multiple of n.
- Claim: if the basic function H is collision resistant, then so is its extension.

Lengths
- Input message length should be arbitrary. In practice it is usually up to 2^64, which is good enough for all practical purposes.
- Block length is usually 512 bits.
- Output length should be at least 160 bits to prevent birthday attacks.

Real-World Hash Functions
- MD family ("message digest"): MD-2, MD-4 (full description in Stinson's book), MD-5
- SHA and SHA-1 (secure hash standard, 160 bits) (www.itl.nist.gov/fipspubs/fip180-1.htm)
- RIPE-MD
- SHA-256, 384 and 512 (proposed standards, longer digests)

Basing MACs on Hash Functions
- First goal: combine message and secret key, hash, and produce a MAC
- Second goal: work with any cryptographic hash function
- First attempt: MAC_k(m) = h(k, m)
- Second attempt: MAC_k(m) = h(m, k)
HMAC
- Proposed in 1996 by [Bellare, Canetti, Krawczyk]
- Internet Engineering Task Force RFC
- Receives as input a message m, a key k and a hash function h
- Outputs a MAC by: HMAC_k(m, h) = h(k ⊕ opad, h(k ⊕ ipad, m))
- Theorem [BCK]: HMAC can be forged if and only if the underlying hash function is broken (collisions found).
- FIPS standard: The Keyed-Hash Message Authentication Code
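The HMAC formula above, as an added example that is not the lecture's code: it builds HMAC_k(m, h) = h(k ⊕ opad, h(k ⊕ ipad, m)) from any hashlib function, applies the key-padding rule of RFC 2104 (keys longer than a block are hashed first, then zero-padded to the block length), and cross-checks the result against Python's hmac module.

```python
import hashlib
import hmac


def hmac_from_formula(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """HMAC_k(m, h) = h(k XOR opad || h(k XOR ipad || m)), built from the slide's formula."""
    block = h().block_size                  # input block of h: 64 bytes for SHA-1 and SHA-256
    if len(key) > block:                    # RFC 2104: a key longer than one block is hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")         # zero-pad k to exactly one block
    k_ipad = bytes(b ^ 0x36 for b in key)   # k XOR ipad (ipad = 0x36 repeated)
    k_opad = bytes(b ^ 0x5C for b in key)   # k XOR opad (opad = 0x5C repeated)
    inner = h(k_ipad + msg).digest()        # inner hash covers the whole message
    return h(k_opad + inner).digest()       # outer hash covers only the inner digest


def verify(key: bytes, msg: bytes, tag: bytes, h=hashlib.sha256) -> bool:
    """Verifier recomputes the tag; constant-time comparison so the check leaks no timing."""
    return hmac.compare_digest(hmac_from_formula(key, msg, h), tag)


def matches_stdlib(key: bytes, msg: bytes, h=hashlib.sha256) -> bool:
    """Cross-check against the standard library's RFC 2104 implementation."""
    return hmac_from_formula(key, msg, h) == hmac.new(key, msg, h).digest()
```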
HMAC in Practice
- SSL / TLS
- WTLS
- IPSec: AH, ESP

Back to Number Theory

Quadratic Residues
- An element x is a quadratic residue modulo n if there exists y such that y^2 ≡ x (mod n)
- If x is a quadratic residue then so is x mod n
- If p is prime there are exactly (p-1)/2 quadratic residues
- If p is prime, and g is a generator of the multiplicative group, the quadratic residues are the even powers of g.
One-Way Functions
- A function f: D → R is called one-way if: computing f(x) is easy; computing f^{-1}(y) for almost all images y is hard
- Given the real-world definition of "hard", a one-way function may be a single function (e.g. SHA-1)
- Given the theoretical definition, we refer to a family of one-way functions

Example
- The domain is all pairs of prime numbers.
- The function is f(p, q) = pq
- Multiplication is easy: the naive algorithm is O(n^2)
- Factoring is difficult: the simple algorithm is O(2^{n/2}). NFS and ECM are better but not polynomial.
- The function f(p, q) = pq maintains length
The Chinese Remainder Theorem
- Given x mod p and x mod q, compute x mod pq
- If gcd(p, q) = 1 take ((x mod p)·(q^{-1} mod p)·q + (x mod q)·(p^{-1} mod q)·p) mod pq
- Example: x mod 3 = 2, x mod 5 = 3; 1/3 mod 5 = 2, 1/5 mod 3 = 2
- (x mod p)·(q^{-1} mod p)·q = 2 · 2 · 5 = 20
- (x mod q)·(p^{-1} mod q)·p = 3 · 2 · 3 = 18; 38 mod 15 = 8

The four different square roots modulo pq
- Let x be a quadratic residue modulo pq
- Then x mod p is a quadratic residue and so is x mod q
- x mod p has two roots mod p: y and p - y
- x mod q has two roots mod q: z and q - z
- Using the Chinese remainder theorem, we get four roots modulo pq: A, B, pq - A, pq - B
- (y, z) → A, (p - y, q - z) → pq - A
- (y, q - z) → B, (p - y, z) → pq - B
- gcd(A - B, pq) = p

Factoring Idea: square roots
- Compute x^2 mod np
- Extract y = a square root of x^2 mod np
- If y = x or y = np - x then useless
- If not, x^2 mod np = y^2 mod np, so gcd(x - y, np) = p or gcd(x - y, np) = q
- The square root extraction algorithm does not know whether we started with x, np - x, y, or np - y
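The CRT formula and the four-roots construction above, as an added example that is not the lecture's code: crt implements the slide's formula, quadratic_residues checks the (p-1)/2 count, the roots modulo the toy primes are found by exhaustive search (the slides assume them given), and factor_from_roots applies gcd(A - B, pq) = p from the last bullet of the four-roots slide.

```python
from math import gcd


def crt(xp: int, p: int, xq: int, q: int) -> int:
    """Recover x mod pq from x mod p and x mod q with the slide's formula (needs gcd(p, q) = 1)."""
    assert gcd(p, q) == 1
    q_inv = pow(q, -1, p)                      # q^-1 mod p
    p_inv = pow(p, -1, q)                      # p^-1 mod q
    return (xp * q_inv * q + xq * p_inv * p) % (p * q)


def quadratic_residues(p: int) -> set:
    """Nonzero quadratic residues modulo a prime p; the slide says there are (p-1)/2 of them."""
    return {y * y % p for y in range(1, p)}


def sqrt_mod_prime(x: int, p: int) -> int:
    """One root y of y^2 = x (mod p), by exhaustive search; fine for toy-sized p only."""
    for y in range(p):
        if y * y % p == x % p:
            return y
    raise ValueError(f"{x} is not a quadratic residue mod {p}")


def four_roots(x: int, p: int, q: int):
    """The four square roots of x modulo pq, in the slide's order: A, B, pq - A, pq - B."""
    n = p * q
    y, z = sqrt_mod_prime(x, p), sqrt_mod_prime(x, q)
    A = crt(y, p, z, q)                        # (y, z)         -> A
    B = crt(y, p, q - z, q)                    # (y, q - z)     -> B
    return A, B, n - A, n - B                  # (p-y, q-z) -> pq - A, (p-y, z) -> pq - B


def factor_from_roots(a: int, b: int, n: int):
    """Two roots of the same residue that are not +-each other give gcd(a - b, n) = p or q."""
    if (a * a - b * b) % n != 0 or a % n == b % n or (a + b) % n == 0:
        return None                            # the "useless" case on the factoring slide
    return gcd(a - b, n)
```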
Pollard's rho (ρ) method
- Imagine the following process mod p: x_0 random; x_{i+1} = x_i^2 + 1 mod p
- After p^{1/2} steps, we'll find x_i, x_j such that x_i = x_j mod p. What this means is that the function f(x) = x^2 + 1 mod p loops.

Pollard's rho (ρ) method (cont.)
- Imagine the following process mod pq: x_0 random; x_{i+1} = x_i^2 + 1 mod pq
- This will loop only after (pq)^{1/2} steps (modulo pq)
- However, modulo p (or q) it will loop after p^{1/2} (or q^{1/2}) steps
- Given two values x_i, x_j such that x_i = x_j mod p but x_i ≠ x_j mod pq, we have that gcd(x_i - x_j, pq) = p
- Repeat: x = x^2 + 1 mod pq; y = (y^2 + 1)^2 + 1 mod pq; if gcd(x - y, pq) > 1 then a factor is found
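The two Pollard rho slides above, as an added example that is not the lecture's code: first_repeat shows the loop of x -> x^2 + 1 modulo a single prime, pollard_rho runs the slide's x/y iteration modulo pq with the gcd test, and factor (an added wrapper) restarts from a fresh x_0 when the gcd test gives no information; the sample modulus 8051 = 83 · 97 is constructed for the test.

```python
from math import gcd


def f(x: int, n: int) -> int:
    """The slide's iteration map x -> x^2 + 1 mod n."""
    return (x * x + 1) % n


def first_repeat(p: int, x0: int = 2):
    """Iterate x_{i+1} = x_i^2 + 1 mod p until a value repeats; returns (i, j) with x_i = x_j."""
    seen = {}
    x, i = x0, 0
    while x not in seen:
        seen[x] = i
        x, i = f(x, p), i + 1
    return seen[x], i


def pollard_rho(n: int, x0: int = 2, max_iter: int = 10**6):
    """Cycle detection modulo n: x advances one step and y two steps per round,
    so y runs ahead and meets x on the loop that exists modulo the smaller prime."""
    x = y = x0
    for _ in range(max_iter):
        x = f(x, n)
        y = f(f(y, n), n)
        d = gcd(abs(x - y), n)
        if d == n:              # x = y modulo n itself: no information, restart elsewhere
            return None
        if d > 1:               # x = y modulo one prime only: gcd(x - y, n) is that prime
            return d
    return None


def factor(n: int):
    """Retry with fresh starting points until a nontrivial factor appears."""
    for x0 in range(2, 50):
        d = pollard_rho(n, x0)
        if d:
            return d
    return None
```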
More complex factoring ideas
- A number is smooth with respect to the set of primes ≤ L if all its prime factors are ≤ L
- If a smooth number has all powers even then it is easy to extract a square root
- Major idea: generate quadratic residues, one of whose roots is known; compute a product of these quadratic residues which is smooth and has all powers even; now you have a second root of this product, use it for factoring

Quadratic Sieve Factoring
- Determine a limit L
- Generate random values x^2 mod pq
- Check them for smoothness, discard if not
- This process can be done entirely distributed
- Collect all smooth quadratic residues
- Solve a set of linear equations over GF(2)
- This can be done if the matrix is singular, i.e., if we have sufficiently many smooth quadratic residues
- How many smooth quadratic residues are required?
Goal (slide figure and notes)
- Figure: Alice (sender), Fran (forger), Bob (receiver)
- Ensure integrity of messages, even in the presence of an active adversary who sends messages of their own.
- Remark: authentication is orthogonal to secrecy, yet systems are often required to provide both.
Reminder: CBC Mode Encryption (slide figure and notes)
- Figure: plaintext blocks P1, P2, P3 are each XORed with the previous ciphertext block and encrypted with E_k to give C1, C2, C3; the seed S0 feeds the first block.
- Previous ciphertext is XORed with current plaintext before encrypting the current block.
- An initialization vector S0 is used as a seed for the process.
- The seed can be openly transmitted.
CBC Mode MACs (slide figure and notes)
- Figure: message blocks M1, M2, ..., Mn are chained through E_k as in CBC, starting from the all-zero seed (0000000), giving C1, C2, ..., Cn.
- Produce n ciphertext blocks C1, C2, ..., Cn, discard the first n-1.
- Send M1, M2, ..., Mn and the authentication tag MAC_k(M) = Cn.
Combined Secrecy & MAC (slide notes)
- Produce n ciphertext blocks C1, C2, ..., Cn under a different key, k2.
- Send C1, C2, ..., Cn and the authentication tag MAC_k1(M).
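The CBC MAC and the combined secrecy & MAC scheme from the notes above, as an added example that is not the lecture's code: E_k is a toy 4-round Feistel block cipher built from SHA-256 (a constructed stand-in, assumed to behave as the pseudo-random function the [BKR] claim needs), the tag is the last CBC block computed from the all-zero seed, verification recomputes the tag on the received message, and secrecy comes from CBC encryption under a second key k2 with an openly transmitted seed S0.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: constructed stand-in, not a component of any real cipher
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_k: a 4-round Feistel network over SHA-256 (assumed PRF)."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E; needed for CBC decryption only, never for the MAC."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """CBC MAC: run CBC from the all-zero seed and keep only the last block C_n.
    The [BKR] claim is for messages of a fixed number of blocks, so fix n per use."""
    assert len(msg) % BLOCK == 0 and len(msg) > 0
    c = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        c = E(key, xor(c, msg[i:i + BLOCK]))
    return c

def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Recompute the tag on m and compare; constant-time compare leaks no timing."""
    return hmac.compare_digest(cbc_mac(key, msg), tag)

def cbc_encrypt(key: bytes, seed: bytes, msg: bytes) -> bytes:
    out, prev = [], seed
    for i in range(0, len(msg), BLOCK):
        prev = E(key, xor(prev, msg[i:i + BLOCK]))   # C_i = E_k(C_{i-1} XOR M_i)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, seed: bytes, ct: bytes) -> bytes:
    out, prev = [], seed
    for i in range(0, len(ct), BLOCK):
        out.append(xor(D(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def protect(k1: bytes, k2: bytes, msg: bytes):
    """Combined secrecy & MAC as on the slide: encrypt M under k2, tag M under k1."""
    seed = os.urandom(BLOCK)   # S0, may be transmitted openly
    return seed, cbc_encrypt(k2, seed, msg), cbc_mac(k1, msg)

def unprotect(k1: bytes, k2: bytes, seed: bytes, ct: bytes, tag: bytes) -> bytes:
    msg = cbc_decrypt(k2, seed, ct)
    if not verify(k1, msg, tag):
        raise ValueError("authentication failed")
    return msg
```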
Extending to Longer Strings (slide figure)
- Figure: message blocks M1, M2, ..., Mk are fed in turn to the compression function H, starting from the seed, to give h(M).
- H: D → R (fixed sets, typically {0,1}^n and {0,1}^m)
l S**?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Security requirement adversary can t construct a new legal pair (m, MACk(m))
even after seeing (mi, MACk(mi)) (i=1,2,& ,n)
Output should be as short as possible
The MAC function is not 1-to-1O0FA
EAE
AEAMAEAEAEMAMAEMAC<AEA@F U 5$Adversarial Model Available Data:
Document properties (from the file metadata): author field "fiat", company "Packet Technologies ltd.", on-screen show.
Slide titles (outline): LECTURE 4 Data Integrity & Authentication, Message Authentication Codes (MACs); Goal; Definitions; Definition (cont.); Properties of MAC Functions; Adversarial Model; Adversarial Model; Efficiency; MACs Used in Practice; Reminder: CBC Mode Encryption (Cipher Block Chaining); CBC Mode MACs; Security of CBC MAC [BKR]; Combined Secrecy & MAC; Hash Functions; Collision Resistance; The Birthday Paradox; Cryptographic Hash Functions; Extending to Longer Strings; Extending the Domain (cont.); Lengths; Real-World Hash Functions; Basing MACs on Hash Functions; HMAC; HMAC in Practice; Back to Number Theory; Quadratic Residues; One-Way Functions; Example; The Chinese Remainder Theorem; The four different square roots modulo pq; Factoring Idea: square roots; Pollard's rho (ρ) method; Pollard's rho (ρ) method; More complex factoring ideas; Quadratic Sieve Factoring