1

Cryptography:Proofs and Tools

Gerard TelDept of Computer Science, Utrecht

2

Talk overview

Part 1: Proofs Definition and existence Proofs with numbers Numbers versus “Ad hoc”

Part 2: Tools Signature schemas Zero knowledge proofs Secret Sharing

3

Cryptography:

The art of protection using information

To have or

not to have….

To know or

not to know

4

Two examplesEncryption (DES)

Alice sends email y = Ek(x)

Bob computes x = Dk(y)

Oscar knows no k : which D function?

Identification with One-way function H A gives Bank b = H(a) Bank pays on seeing

a’ s.t. H (a’ ) = b

O knows no a’

5

Two more examples

Signatures Alice signs M with x

S = Sig (M, x) Bob verifies with y

Ver (M, S, y)

Oscar cannot forge S’ for M’ s.t. Ver (M’ , S’ , y)

Public Key pairs Alice holds secret x Bob holds public y

Relation P (x, y)

Oscar cannotcomputex from y

6

I recognize it when I see it ....

Encryption: k s.t. Dk(y) is text

Identification: a’ s.t. H (a’ ) = b

Signatures: S’ s.t. Ver (M’ , S’ , y)

Key pair: x s.t. P (x, y)

7

…. But I don’t know it

8

Assumption: Factoring

Primes p and q (eg. 512 bits)n = p . q (1024 bits)

Given n, one recognizes p and q

Assumption:Given n, computing p is impossible

9

Assumption: Discrete LogCompute modulo large p : 0, 1, …, p -1Element g has order:

1 = g0, g1, g2, g3, … gord = 1Fix g of high order.

From x, power y = gx is computableAssumption:

From y, x s.t. y = gx is not computable

10

Rabin’s encryption

Alice’ secret key: p and qpublic key : product n

Bob encrypts x as y = x2 mod nAlice decrypts as extracting square

rootp and q are needed!

Oscar can not extract roots

11

Square roots modulo n

A square number has 4 rootsn = 77 = 7.11 :

362 = 64 (1296 mod 77) 36, 41, 8, 69 have square 64

Two pairs: 36 = -41 and 8 = -69Combine from two pairs: 41 + 69 = 33gcd(33, 77) = 11

12

Rabin: Provably SecureIf Oscar can find x from x2 = y mod

n Select random z Solve x from x2 = z2

Prob. 1/2: x and z differ: find p and qContradicts Factoring AssumptionRabin is cryptographically strong

13

Chosen Cipher text AttackProcedure for CCA:

Oscar sends Alice y, obtains x, computesRabin is vulnerable:

Oscar sends y = z2

succeeds with Pr = 1/2

Decrypted messages as sensitive as keyWeakness inherent in strength

14

RSA: Alledgedly secure

Similar but use higher order roots.Public key: (n, e)Encryption y = xe

Decryption x = yd (d from p, q)

e th-rooting is believed but not proven to be as hard as factoring

15

RSA Decryption

φ = (p -1)(q -1)All x : x φ = 1 (mod n)From p, q, n, e,

compute d s.t. e.d = k . φ +1y d = (x e )d = x k . φ +1 = 1k . x = x

Secretly keep d, purge p, q.

16

RSA Keys are secure

Oscar finds φ from n: p +q = n - φ + 1, solve p, q

Oscar finds φ from n and e : Simulate generation of e to do without

Oscar finds d from n and e : n

e, d p, q

Key protection is cryptographically strong

17

Ad hoc versus Numbers:Hash functionsMap H : {0,1}* {0,1}k

One-way: From y = H (x), x cannot be found

Collision-free: No x1, x2 can be found s.t. H (x1) = H (x2)

Such x1, x2 exist

18

Fair Guessing GamesLinda dates Jon if Jon guesses parity of x

L chooses x and gives y = H (x)

J guesses even/odd L reveals x

Cheating y doesn’t reveal x to Jon

one-way y binds Linda

collision-free

19

Bit manipulation: MD5How does it work

XOR, AND, OR words

Combine with sin bits

Four rounds in

Why does it workWhy four rounds

MD4 backgroundWhy this

combination Attacks on variants

Why is it secure? We don’t know

20

Discrete Log Hash (Chaum)

How does it work Select g, random h. :

f (x, x’ ) = gx.hx’

Why does it work log(h ): a s.t. g a = h

will never be known f (x, x’ ) = f (y, y’ )

gx . hx’ = gy . hy’

a = (x - y )(y’ - x’ ) -1

Cryptographically strong collision free

21

Trapdoor HashCheat in generation of f.

Select h = g a instead of random h.Collision:

g x . h x’ = g x - a.z . h x’ + z

Trapped f remains cryptographically strong one-way.

22

Questions?

23

Gerard Tel, Part 2:

Cryptographic Tools: Signatures Zero knowledge Secret Sharing

24

Digital Signatures

Alice signs message M : S = Sig (M, x)Bob verifies signature S : Ver (M, S, y )Validity: Ver (M, Sig (M, x), y )

Forgery: Oscar finds M, S : Ver (M, S, y )

25

RSA SignaturesPublic/Secret key: (n, e) and (n, d )

Functions x x e and y y d are inverses

Sign M : S = M d (compute)Verify S : S e = M (check)

Forge signature under M : Invert RSA public function

26

Existential ForgeryOscar: random S, M = S e.

M takes special form ………01010101010101 Hash of longer message

27

Blind SignaturesAlice signs one message without

seeing it Bob has M, selects blinder b Bob gives Alice blinded message M’ =

M . b Alice signs for Bob: S’ = M’ d

Bob unblinds: divide by b d.

28

Blind SignaturesAlice signs one message without seeing

it Bob has M, selects blinder b = k e

Bob gives Alice blinded message M’ = M . b Alice signs for Bob: S’ = M’ d

Bob unblinds: divide by b d

S = S’ / kSimilar: Blind decryption

29

Zero knowledge proofsIdentification by secret

A gives Bank b = H (a) Bank pays on seeing a

If Alice shows a:employee, eavesdropper become as powerful.

Alice proves to know a without showing

30

0KP of a Square RootAlice holds a, Bob holds b = a 2

Withdrawing of money: Alice selects s = r 2 and gives Bob s Claim: I know roots of s and s.b

This is true namely r and r.aThis implies knowing a as quotient of roots

31

Verify knowing two rootsBob sees one! Otherwise becomes too smart

Challenge c = 0/1 Alice must give one root:

r of s (c = 0)r.a of s.b (c = 1)

Oscar does not know both Fails with Pr = 1/2.

32

What does Bob learn?Triple (s, c, y) s is random square

c is random bity solves y 2 = s . b c

To generate such, choosec as random bity as random numbers as y 2 / b c

33

How can it convince?Compute order s, c, y : needs aCompute order c, y, s : don’t need a

Protocol enforces s, c, y Transcript doesn’t show order.

34

Zero knowledge proofs20 rounds: 1-in-million false

acceptanceSimilar: e th root or logarithmAlso: Graph coloring

Use with blind signatures: Bob proves blinded message is legal

35

Secret SharingGoal: share holders together know aShares handed out by dealer

Share: related to ak -1 shares reveal nothingk shares reveal all

in reconstruction

36

Concepts in SharingUse:

Bank, company Nuclear heads Digital money Key escrow

How many shares Veto (split) Threshold (share)

Protection Perfect

(poor!) Verifiable

Actions with secret Reconstruction Use

37

Additive secret splitDealing:

a1 … ak-1 random ak = a - a1 - … - ak-1

ak is no better

Reconstruction: a = a1 + … + ak

Symmetric!

• Shares cannot be recognized• Given k - 1 shares, every a is still possible• “Real Cryptography”: Perfect Split

38

Using shared exponentSecret is exponent a (e.g., for RSA)

Shares: a = a1 + … + ak To compute y a:

Shareholder i submits xi = y ai

Compute x = x1 . … . xk

Use of secret does notcompromise splitting

39

How perfect is perfect?

Shares cannot be recognized Shareholders may cheat

Verifiable reconstruction (hash H ): Compute ai and bi = H (ai ) Give ai to SH i and make bi public

Verified reconstruction: SH i submits ai

Check H (ai ) = bi

40

Dealer verifiable splitNumber hash H (a) =

g a

The dealer Publish b = g a

Private share ai (sum a)

Public share bi = g ai

Send ai to SH i

Verifiable sharesThe shareholders

b binds dealer! secret is recognizable

Verify product = b Verify g ai = bi

Reconstruction Verify submissions

41

Perfect Secret SharesTheorem: through k points runs

exactly one curve of degree k - 1Dealing: select a1 through ak-1 , a0 = a

f (z) = a0 + a1.z + … + ak-1.zk-1

Share si is f (i )Reconstruction from k points:

polynomial interpolation

42

Verifiable Secret SharingDealer:

Private coefficients a0 through ak-1

Private shares si = f (i ) Public coefficients bi = g ai Public shares pi = g si

Shareholders si = a0 + a1.i + … + ak-1.i k-1 Global pi = b0 . b1

i. b2i . … . bk-1

i

Internal gsi = pi

k - 12

43

Conclusions

Numbers as basis for cryptographyMost of cryptography is unprovenResults are often counterintuitive

“Elluk voordeel hep se nadele”