Cryptography: Proofs and Tools. Gerard Tel, Dept of Computer Science, Utrecht. Talk overview. Part 1: Proofs (Definition and existence; Proofs with numbers; Numbers versus “Ad hoc”). Part 2: Tools (Signature schemas; Zero knowledge proofs; Secret Sharing).
1
Cryptography: Proofs and Tools
Gerard Tel
Dept of Computer Science, Utrecht
2
Talk overview
Part 1: Proofs
• Definition and existence
• Proofs with numbers
• Numbers versus “Ad hoc”
Part 2: Tools
• Signature schemas
• Zero knowledge proofs
• Secret Sharing
3
Cryptography:
The art of protection using information
To have or not to have….
To know or not to know
4
Two examples
Encryption (DES)
• Alice sends email y = E_k(x)
• Bob computes x = D_k(y)
• Oscar knows no k: which D function?
Identification with one-way function H
• A gives Bank b = H(a)
• Bank pays on seeing a' s.t. H(a') = b
• O knows no a'
5
Two more examples
Signatures
• Alice signs M with x: S = Sig(M, x)
• Bob verifies with y: Ver(M, S, y)
• Oscar cannot forge S' for M' s.t. Ver(M', S', y)
Public key pairs
• Alice holds secret x
• Bob holds public y
• Relation P(x, y)
• Oscar cannot compute x from y
6
I recognize it when I see it ....
Encryption: k s.t. D_k(y) is text
Identification: a' s.t. H(a') = b
Signatures: S' s.t. Ver(M', S', y)
Key pair: x s.t. P(x, y)
7
…. But I don’t know it
8
Assumption: Factoring
Primes p and q (e.g. 512 bits)
n = p . q (1024 bits)
Given n, one recognizes p and q
Assumption: Given n, computing p is impossible
9
Assumption: Discrete Log
Compute modulo large p: 0, 1, …, p - 1
Element g has order: 1 = g^0, g^1, g^2, g^3, …, g^ord = 1
Fix g of high order.
From x, power y = g^x is computable
Assumption: From y, x s.t. y = g^x is not computable
10
Rabin's encryption
Alice's secret key: p and q
public key: product n
Bob encrypts x as y = x^2 mod n
Alice decrypts as extracting square root
p and q are needed!
Oscar cannot extract roots
11
Square roots modulo n
A square number has 4 roots
n = 77 = 7 . 11:
• 36^2 = 64 (1296 mod 77)
• 36, 41, 8, 69 have square 64
Two pairs: 36 = -41 and 8 = -69
Combine from two pairs: 41 + 69 = 33
gcd(33, 77) = 11
12
Rabin: Provably Secure
If Oscar can find x from x^2 = y mod n:
• Select random z
• Solve x from x^2 = z^2
• Prob. 1/2: x and z differ: find p and q
Contradicts Factoring Assumption
Rabin is cryptographically strong
13
Chosen Cipher text Attack
Procedure for CCA: Oscar sends Alice y, obtains x, computes
Rabin is vulnerable:
• Oscar sends y = z^2
• succeeds with Pr = 1/2
Decrypted messages as sensitive as key
Weakness inherent in strength
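Added example (not from the original slides): the reduction of slides 11 to 13 run on the slide's own modulus n = 77, showing why every output of a raw Rabin decryption must be guarded like the key itself. The function names are illustrative, and the CRT-based decryption assumes p and q are both 3 mod 4, which holds for 7 and 11.

```python
import math
import random

P, Q = 7, 11            # the slide's toy primes; both are 3 mod 4 (assumed by sqrt_mod_prime)
N = P * Q

def square_roots(y, n):
    """All square roots of y modulo n, by exhaustive search (toy sizes only)."""
    return [x for x in range(n) if x * x % n == y]

def sqrt_mod_prime(y, p):
    """One square root of a quadratic residue y modulo a prime p = 3 mod 4."""
    return pow(y, (p + 1) // 4, p)

def rabin_decrypt(y):
    """Alice's side: uses p and q, returns one of the four roots via CRT."""
    rp, rq = sqrt_mod_prime(y % P, P), sqrt_mod_prime(y % Q, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def factor_with_root_oracle(oracle, n, rng):
    """Reduction from the slides: any square-root oracle for n yields p and q."""
    queries = 0
    while True:
        z = rng.randrange(2, n)
        if math.gcd(z, n) != 1:
            continue                       # skip non-units to keep the case analysis clean
        queries += 1
        x = oracle(z * z % n)
        if x not in (z, n - z):            # x and z come from different pairs: Pr = 1/2
            p = math.gcd(x + z, n)
            return p, n // p, queries

if __name__ == "__main__":
    print(square_roots(64, N))             # the four roots from slide 11
    print(factor_with_root_oracle(rabin_decrypt, N, random.Random(3)))
```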
14
RSA: Allegedly secure
Similar but use higher order roots.
Public key: (n, e)
Encryption y = x^e
Decryption x = y^d (d from p, q)
e-th rooting is believed but not proven to be as hard as factoring
15
RSA Decryption
φ = (p - 1)(q - 1)
All x: x^φ = 1 (mod n)
From p, q, n, e, compute d s.t. e . d = k . φ + 1
y^d = (x^e)^d = x^(k . φ + 1) = 1^k . x = x
Secretly keep d, purge p, q.
16
RSA Keys are secure
Oscar finds φ from n: p + q = n - φ + 1, solve p, q
Oscar finds φ from n and e: Simulate generation of e to do without
Oscar finds d from n and e: n, e, d -> p, q
Key protection is cryptographically strong
17
Ad hoc versus Numbers: Hash functions
Map H: {0,1}* -> {0,1}^k
One-way: From y = H(x), x cannot be found
Collision-free: No x_1, x_2 can be found s.t. H(x_1) = H(x_2)
Such x_1, x_2 exist
18
Fair Guessing Games
Linda dates Jon if Jon guesses parity of x
• L chooses x and gives y = H(x)
• J guesses even/odd
• L reveals x
Cheating
• y doesn't reveal x to Jon: one-way
• y binds Linda: collision-free
19
Bit manipulation: MD5
How does it work
• XOR, AND, OR words
• Combine with sin bits
• Four rounds in
Why does it work
• Why four rounds
• MD4 background
• Why this combination
• Attacks on variants
Why is it secure? We don't know
20
Discrete Log Hash (Chaum)
How does it work
• Select g, random h:
• f(x, x') = g^x . h^x'
Why does it work
• log(h): a s.t. g^a = h will never be known
• f(x, x') = f(y, y')
• g^x . h^x' = g^y . h^y'
• a = (x - y)(y' - x')^-1
Cryptographically strong collision free
21
Trapdoor Hash
Cheat in generation of f.
Select h = g^a instead of random h.
Collision: g^x . h^x' = g^(x - a.z) . h^(x' + z)
Trapped f remains cryptographically strong one-way.
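Added example (not from the original slides): slides 20 and 21 in both directions, showing that whoever knows a can produce collisions at will and that any collision hands out a. The group (p = 2039, q = 1019, g = 4) is a constructed toy and the function names are illustrative.

```python
P, Q, G = 2039, 1019, 4   # toy group (constructed): P = 2Q + 1, G has prime order Q

def chaum_hash(x, x2, h):
    """f(x, x') = g^x . h^x' mod P, with exponents taken modulo Q."""
    return pow(G, x, P) * pow(h, x2, P) % P

def trapdoor_collision(x, x2, a, z):
    """With the trapdoor a (h = g^a): (x - a.z, x' + z) collides with (x, x')."""
    return (x - a * z) % Q, (x2 + z) % Q

def log_from_collision(c1, c2):
    """From f(x, x') = f(y, y') recover a = (x - y)(y' - x')^-1 mod Q."""
    (x, x2), (y, y2) = c1, c2
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def demo():
    a = 777                         # the dealer's cheat: h is not random, h = g^a
    h = pow(G, a, P)
    c1 = (123, 456)
    c2 = trapdoor_collision(*c1, a, z=5)
    same = chaum_hash(*c1, h) == chaum_hash(*c2, h)
    return c1, c2, same, log_from_collision(c1, c2)

if __name__ == "__main__":
    print(demo())
```

A verifier who receives h therefore needs assurance that nobody knows log(h); otherwise the collision-freeness argument says nothing about the party that generated f.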
22
Questions?
23
Gerard Tel, Part 2:
Cryptographic Tools:
• Signatures
• Zero knowledge
• Secret Sharing
24
Digital Signatures
Alice signs message M: S = Sig(M, x)
Bob verifies signature S: Ver(M, S, y)
Validity: Ver(M, Sig(M, x), y)
Forgery: Oscar finds M, S: Ver(M, S, y)
25
RSA Signatures
Public/Secret key: (n, e) and (n, d)
Functions x -> x^e and y -> y^d are inverses
Sign M: S = M^d (compute)
Verify S: S^e = M (check)
Forge signature under M: Invert RSA public function
26
Existential Forgery
Oscar: random S, M = S^e.
M takes special form
• ………01010101010101
• Hash of longer message
27
Blind Signatures
Alice signs one message without seeing it
• Bob has M, selects blinder b
• Bob gives Alice blinded message M' = M . b
• Alice signs for Bob: S' = M'^d
• Bob unblinds: divide by b^d.
28
Blind Signatures
Alice signs one message without seeing it
• Bob has M, selects blinder b = k^e
• Bob gives Alice blinded message M' = M . b
• Alice signs for Bob: S' = M'^d
• Bob unblinds: divide by b^d
• S = S' / k
Similar: Blind decryption
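Added example (not from the original slides): slides 25 to 28 on one textbook RSA key, covering sign/verify, the existential forgery M = S^e, a redundancy check that rejects most such forgeries, and blinding with b = k^e. The key (n = 61 . 53, e = 17) is a constructed toy, and has_redundancy with its one-byte 01010101 tag is a hypothetical stand-in for the slide's "special form".

```python
import math

P_, Q_ = 61, 53                          # toy primes (constructed)
N, E = P_ * Q_, 17                       # public key (n, e)
D = pow(E, -1, (P_ - 1) * (Q_ - 1))      # secret d with e.d = k.phi + 1

def sign(m):
    """Alice: S = M^d."""
    return pow(m, D, N)

def verify(m, s):
    """Bob: check S^e = M."""
    return pow(s, E, N) == m % N

def existential_forgery(s):
    """Oscar picks S first and derives M = S^e; the pair verifies without d."""
    return pow(s, E, N), s

def has_redundancy(m, tag=0x55):
    """Hypothetical 'special form': the low byte of M must be 01010101."""
    return m & 0xFF == tag

def forgeries_with_redundancy():
    """How many of all possible forged M = S^e happen to carry the tag."""
    return sum(has_redundancy(existential_forgery(s)[0]) for s in range(2, N))

def blind(m, k):
    """Bob: M' = M . b with b = k^e; Alice sees only M'."""
    assert math.gcd(k, N) == 1
    return m * pow(k, E, N) % N

def unblind(s_blind, k):
    """Bob: S = S' / k, a valid signature on the unblinded M."""
    return s_blind * pow(k, -1, N) % N

if __name__ == "__main__":
    m, k = 1000, 7
    s = unblind(sign(blind(m, k)), k)
    print(verify(m, s), verify(*existential_forgery(1234)), forgeries_with_redundancy())
```

An 8-bit tag still lets a small number of forgeries through; the hash of a longer message, the slide's second option, makes the required form far harder to hit.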
29
Zero knowledge proofs
Identification by secret
• A gives Bank b = H(a)
• Bank pays on seeing a
If Alice shows a: employee, eavesdropper become as powerful.
Alice proves to know a without showing
30
0KP of a Square Root
Alice holds a, Bob holds b = a^2
Withdrawing of money:
• Alice selects s = r^2 and gives Bob s
• Claim: I know roots of s and s.b
This is true, namely r and r.a
This implies knowing a as quotient of roots
31
Verify knowing two roots
Bob sees one! Otherwise becomes too smart
Challenge c = 0/1
Alice must give one root:
• r of s (c = 0)
• r.a of s.b (c = 1)
Oscar does not know both
Fails with Pr = 1/2.
32
What does Bob learn?
Triple (s, c, y)
• s is random square
• c is random bit
• y solves y^2 = s . b^c
To generate such, choose
• c as random bit
• y as random number
• s as y^2 / b^c
33
How can it convince?
Compute order s, c, y: needs a
Compute order c, y, s: don't need a
Protocol enforces s, c, y
Transcript doesn't show order.
34
Zero knowledge proofs
20 rounds: 1-in-million false acceptance
Similar: e-th root or logarithm
Also: Graph coloring
Use with blind signatures: Bob proves blinded message is legal
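Added example (not from the original slides): the square-root protocol of slides 30 to 34 with all three computation orders, the honest prover (s, c, y), the simulator (c, y, s) that needs no a, and a prover without a who must guess the challenge. The modulus and the function names are constructed for illustration.

```python
import math
import random

N = 61 * 53   # toy modulus (constructed); its factors play no role in the protocol

def random_unit(rng):
    while True:
        v = rng.randrange(2, N)
        if math.gcd(v, N) == 1:
            return v

def verify(s, c, y, b):
    """Bob's check: y^2 = s . b^c (mod N)."""
    return y * y % N == s * pow(b, c, N) % N

def honest_round(a, rng):
    """Order s, c, y: Alice commits to s before seeing c, so she needs a."""
    r = random_unit(rng)
    s = r * r % N
    c = rng.randrange(2)             # Bob's challenge
    y = r * pow(a, c, N) % N         # r for c = 0, r.a for c = 1
    return s, c, y

def simulated_round(b, rng):
    """Order c, y, s: no a needed, yet the triple has the same distribution."""
    c = rng.randrange(2)
    y = random_unit(rng)
    s = y * y * pow(b, -c, N) % N    # s = y^2 / b^c
    return s, c, y

def cheat_success_rate(b, rounds, rng):
    """Oscar (no a) prepares s for a guessed challenge, then gets Bob's real one."""
    wins = 0
    for _ in range(rounds):
        s, guess, y = simulated_round(b, rng)
        c = rng.randrange(2)
        wins += (c == guess) and verify(s, c, y, b)
    return wins / rounds

if __name__ == "__main__":
    rng, a = random.Random(7), 1234
    b = a * a % N
    print(verify(*honest_round(a, rng), b), verify(*simulated_round(b, rng), b))
    print(cheat_success_rate(b, 2000, rng), 0.5 ** 20)
```

The simulator is what makes a recorded transcript worthless as evidence: only a verifier who chose c after seeing s is convinced.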
35
Secret Sharing
Goal: share holders together know a
Shares handed out by dealer
Share: related to a
• k - 1 shares reveal nothing
• k shares reveal all in reconstruction
36
Concepts in Sharing
Use:
• Bank, company
• Nuclear heads
• Digital money
• Key escrow
How many shares
• Veto (split)
• Threshold (share)
Protection
• Perfect (poor!)
• Verifiable
Actions with secret
• Reconstruction
• Use
37
Additive secret split
Dealing:
• a_1 … a_(k-1) random
• a_k = a - a_1 - … - a_(k-1)
• a_k is no better
Reconstruction: a = a_1 + … + a_k
Symmetric!
• Shares cannot be recognized
• Given k - 1 shares, every a is still possible
• “Real Cryptography”: Perfect Split
38
Using shared exponent
Secret is exponent a (e.g., for RSA)
Shares: a = a_1 + … + a_k
To compute y^a:
• Shareholder i submits x_i = y^(a_i)
• Compute x = x_1 . … . x_k
Use of secret does not compromise splitting
39
How perfect is perfect?
Shares cannot be recognized
Shareholders may cheat
Verifiable reconstruction (hash H):
• Compute a_i and b_i = H(a_i)
• Give a_i to SH i and make b_i public
Verified reconstruction:
• SH i submits a_i
• Check H(a_i) = b_i
40
Dealer verifiable split
Number hash H(a) = g^a
The dealer
• Publish b = g^a
• Private share a_i (sum a)
• Public share b_i = g^(a_i)
• Send a_i to SH i
Verifiable shares
The shareholders
• b binds dealer! secret is recognizable
• Verify product = b
• Verify g^(a_i) = b_i
Reconstruction
• Verify submissions
41
Perfect Secret Shares
Theorem: through k points runs exactly one curve of degree k - 1
Dealing: select a_1 through a_(k-1), a_0 = a
f(z) = a_0 + a_1.z + … + a_(k-1).z^(k-1)
Share s_i is f(i)
Reconstruction from k points: polynomial interpolation
42
Verifiable Secret Sharing
Dealer:
• Private coefficients a_0 through a_(k-1)
• Private shares s_i = f(i)
• Public coefficients b_i = g^(a_i)
• Public shares p_i = g^(s_i)
Shareholders
• s_i = a_0 + a_1.i + … + a_(k-1).i^(k-1)
• Global: p_i = b_0 . b_1^i . b_2^(i^2) . … . b_(k-1)^(i^(k-1))
• Internal: g^(s_i) = p_i
43
Conclusions
Numbers as basis for cryptography
Most of cryptography is unproven
Results are often counterintuitive
“Elluk voordeel hep se nadele” (“Every advantage has its disadvantage”)