Cryptography is an indispensable tool for protecting information in computer systems. In this course you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key. Throughout the course participants will be exposed to many exciting open problems in the field and work on fun (optional) programming projects. In a second course (Crypto II) we will cover more advanced cryptographic tasks such as zero-knowledge, privacy mechanisms, and other forms of encryption.
A Unifying Theme
Loading...
From the course by Stanford University
Cryptography I
2134 ratings
From the lesson
Public-Key Encryption
Week 6. This week's topic is public key encryption: how to encrypt using a public key and decrypt using a secret key. Public key encryption is used for key management in encrypted file systems, in encrypted messaging systems, and for many other tasks. The videos cover two families of public key encryption systems: one based on trapdoor functions (RSA in particular) and the other based on the Diffie-Hellman protocol. We construct systems that are secure against tampering, also known as chosen ciphertext security (CCA security). There has been a ton of research on CCA security over the past decade and given the allotted time we can only summarize the main results from the last few years. The lectures contain suggestions for further readings for those interested in learning more about CCA secure public-key systems. The problem set this week involves a bit more math than usual, but should expand your understanding of public-key encryption. Please don't be shy about posting questions in the forum. This is the last week of this Crypto I course. I hope everyone learned a lot and enjoyed the material. Crypto is a beautiful topic with lots of open problems and room for further research. I look forward to seeing you in Crypto II where we will cover additional core topics and a few more advanced topics.
Meet the Instructors
Dan BonehProfessor
Computer Science
This week, we saw two families of public encryption systems. One family was built
from trapdoor functions, and particularly RSA, and the other family was built from
the Diffie-Hellman protocol. In this last segment, I wanna show you that both
families in fact follow from a more general principle. The unifying theme is
what's called a one-way function. So what is a one-way function? Well, we've already
seen this concept briefly before. But basically, a function from, one set to
another, say, from X to Y is said to be one way, if, in fact, there's an efficient
algorithm that allows us to evaluate the function F. So anyone can evaluate the
function F at any point of their choice. However, inverting the function F should
be difficult. That's what makes the function one way. So what do I mean by
that? Well, you can think of the function F as a function again mapping the set X to
the set Y. But it so happens in many points in X could actually be mapped into
a single point in Y. Now when they say that the function is difficult to invert,
what I mean is that when I give you some point inside of Y and I ask you find me
pre-image of this point, you won't be able to point to any of these as a pre-image.
In other words, no efficient algorithm can find any point that is the inverse of the
given point Y. Now the way we say that more precisely is that we say that for all
efficient algorithm A, if I chose a random X in the set, capital X, and now I'm gonna
give f(x) to algorithm A. And then, what I'm gonna ask algorithm A to do, is
basically produce a pre-image of the point f(x). Well, what does it mean that A
produced a pre-image of the point f(x)? It means that if I apply the function f to
the output of A, what I should get back is, well, f(x). Let's think through this
one more time. So I chose a random point x in Capital X. You know I give algorithm A
f(x). So I'm gonna give algorithm A this point here. And now A is gonna produce
some points. So let's pretend that A produces this point over here. And now I
wanna say that if I apply the function F to this point here, that A produced, the
probability that I get the same point that I started with is negligible. In other
words the probability that algorithm A was able to produce one of these three points is, in
fact, negligible. All he can do is produce some other point that maps into something
other than f(x), okay? So, again, all this is trying to do is just capture the
fact that given f(x), it's hard to find some pre-image of f(x). So here's some
easy examples of functions that are not one-way. For example, the identity
function f(x) is equal to x is trivially not one way because given f(x), I can
easily come up with an inverse of f(x), namely x. Similarly the function that will
maps everything to zero is also not one way. So in our picture, let the function
maps everything to zero simply looks as follows. It takes all its points and maps
them all to a single point. Well this function is not one way because if I give
you this point in the image, it's trivial to find the pre-image. Namely, just pick
any point in capital X, and there will be a pre-image of zero. And so, f(x) equal
to zero is also not a one-way function. And by the way, I didn't want to do it
here. But if I define one-way functions more formally, then it turns out that
proving that one-way functions exist, we'll have also proven that P is not equal
to NP. So, since we can't today, prove that P is not equal to NP, basically we
can't prove that one-way functions exist. And we just have to assume that they do.
So let's look at our first example of a 1-way function. Or at least a presumed
1-way function. And so we're gonna build it from a pseudo random generator. And
suppose I have a function F from x to y there is a secure pseudo random generator.
So the output of f s much larger than the input. Remember, a pseudo-random
generator takes a small seed and expands it into a much larger output. And for
example you can, you know, the pseudo random generator maybe is built using
deterministic counter mode out of AES. Well, it's fairly easy to see that if, in
fact, F is a secure pseudo random generator, then F is in fact a one-way
function. So our first example of a one-way function is directly built from a
pseudo random generator. This is actually kind of a trivial proof, so let's prove
the contra positive. So suppose I have an efficient algorithm that inverts F, okay?
So I'm proving the contra positive. Suppose F is not one way. Then A is an
efficient algorithm than an inverse F. And now I need to build an algorithm B that
breaks the pseudorandom generator. Ok, so I'm proving again by contra-positive. Okay so how do I break the
pseudo-random generator? Well, all we do is the following. So algorithm B is given
some y in the set Y. And what it's gonna do is the following, it's gonna try and
run algorithm a on the input y. And now, well, if y is the output of the
pseudorandom generator, then algorithm A will output the seed, and namely
[inaudible] an element in X with, you know, non-negligible probability. So what
we'll do is we'll apply the pseudorandom generator again to the output of algorithm
A. As I said, if y was the output of a generator, then [A of A ???] will have output
the seed cuz it inverted the pseudorandom generator. So if we apply the pseudorandom
generator again to the output of A, what we should get back is basically the y that
we started with. Okay, so if this condition holds we're gonna say we're
gonna output zero. And if this condition doesn't hold, we're gonna output one
otherwise. That's it, that's our distinguisher against a pseudo-random
generator. So if our distinguisher is given a y that is the output of the pseudo
random generator, then with non-negligible probability, our distinguisher B will
output zero. However, if our distinguisher B is given a truly random string. Well, a
truly random string doesn't have any seed that causes the generator to output that
string. And therefore our distinguishable output one with again, with also very high
probability. And again I hope that's clear. Basically, if we look at the set of
all possible outputs, namely the set Y, very few of those outputs happened to
be the output of the pseudorandom generator. So if we are just given an
output y over hearsay, that's not the output of the pseudorandom generator, then
we rerun algorithm A on it. It can't possibly produce a seed that will output
this point starr because there is no such seed. And as a result, since most
points actually are not in the image of the pseudorandom generator, most points
will not have a seed that, maps the generator to them and there's also where
we were given a random point in Y, a truly uniform point in Y, our distinguishable B
will output 1 with very high probability. However, if we are given a
pseudo random output of a generator, then algorithm A will output the corresponding
seed. When we apply the generator to that seed, we'll get the initial output y and
therefore we'll output zero with non-negligible probability. Okay, so if A
was able to invert F, then B is able to break the generator. And since the
generator is secure, algorithm A can't invert F. And in particular, no efficient
algorithm can invert F. And therefore, F is a one-way function. Excellent, so this
is a long discussion of kind of a minor point. But all I wanted to show you is
that in fact, a pseudo-random generator directly gives us a one-way function.
Unfortunately, this one-way function has no special properties. And what that means
is it's actually difficult to use it for key exchange or for public key encryption.
In some sense, the best key exchange we can do with this, as far as we know, is
Merkle puzzles. So now let's look at our second example. The second example is
what I'm gonna call the discrete log one way function. So let's fix a group, a
cyclic group of order N the group G and let g be some generator of the group
capital G so again I remind you that all that means is, if I look at all powers of
g, then I basically span the entire group capital G. And now let's define the
following function. The function goes from ZN to G and it's defined basically as the
exponentiation to the power of X. Okay, so this maps any element between zero and n-1
to an element of the group capital G simply by raising g, little g to the
appropriate power. And it's kind of obvious that if the discrete log problem
in the group capital G is hard, then in fact f is one way. In fact, the one
wayness of f is the discrete log assumption. So if the discrete log is
hard, f is one way. Now the interesting thing about this one-way functions is it's
got some interesting properties. In particular, if I give you f(x) and f(y)
I claim that it's very easy to compute f(x + y). Even though we have no idea
what x or y are. All we're given is just f(x) and f(y), nevertheless, we can
compute f(x + y). Let me ask you, how would you do that? Well, just by rules of
exponentiation, basically, f(x + y) is simply f(x) times f(y). And again,
this is all done inside the group G. If you're not convinced, simply recall that f(x + y)
is g to the (x + y). Which is simply g to the x times g to the y, which
is exactly what we have here. And this simple property, this simple fact that the
function has this additive property, if you think about it, is exactly what
enables key exchange and public key encryption. So, this additional property
of the one-way function is what enabled all of public key cryptography. So let's
look at our next example the RSA one way function so here we're going to choose two
primes p and q we're going to set N to be p times q then were going to choose e that's
relatively prime to phi(N). And then, we define the functions, and simply as a
function from ZN star to ZN star, simply as f(x) equals x to the e. Okay,
so raising x to the power of e. And again we say that this function is one way,
simply under the RSA assumption. Again, the RSA assumption is the assumption that
this function is one way. And the interesting thing about this function is
that it has properties similar to the one that we saw on the previous slide, namely
the given f(x) and f(y), now we can compute f(x y) as opposed to f(x + y)
So we say that this function has a multiplicative property as opposed to
the additive property on the previous slide. But more importantly this is kind of
not the most interesting thing about this function. The really exciting thing about
this function is it in fact has a trapdoor. In other words there's a secret
key that all of a sudden allows us to invert this function. Even though without
the secret key the function is one way. As far as we know. And this property, I'll
say, the fact that it has a trap door, again, enabled all of public key
cryptography. I'll say that this trap door also makes the RSA function especially
well suited for digital signatures. In week seven, we're gonna see that both the
RSA function and the discrete log functions let us construct digital
signatures. But the RSA function, because it has a trap door, makes it very, very
easy to construct digital signatures from it. And so, in fact, most digital
signatures out there in the world, in fact, rely on the RSA function just
because it's so simple to build digital signatures from it. So again, we see that
this one-way function with the special properties. It has a multiplicative
property and a trap door. Essentially again, enables all of public key crypto. So
to summarize, the reason we are able to build public key cryptography namely, the
reason we're able to do key exchange and public key encryption and so on, is
because we're able to construct one-way functions that have very, very special
properties. In particular, they have these properties that are sometimes called
homomorphic properties, namely they're given f(x) and f(y). We can construct
a f(x + y) or, f(x y), and some functions, like RSA, even have trap
doors, which let us build digital signatures very, very easily. But the main
thing I wanted to show you is that the magic of public key crypto is basically made
possible because of these one-way functions with their special properties. So
that's the end of this module and then in week seven, we'll start with digital signatures.
Explore our Catalog
Join for free and get personalized recommendations, updates and offers.
Coursera provides universal access to the world’s best education,
partnering with top universities and organizations to offer courses online.
© 2018 Coursera Inc. All rights reserved.
