260 likes | 395 Views
Modern Cryptography Lecture 13. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects
E N D
Modern CryptographyLecture 13 Yongdae Kim
Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • Project presentation: May 2nd, 4th (Send me your preference) • 6th assignment is due 4/18 2:15 PM. • Check Calendar
Recap • Math… • Proof techniques • Divisibility: a dividesb (a|b) if c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b) x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1 a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x X, but it is computationally infeasible to find any x X such that f(x) =y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x X such that f(x) =y.
Recap • Cryptographic Primitives • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE • Block Ciphers • Modes of operation, meet-in-the-middle attack, Product cipher, Feistal cipher, DES • Hash function • Onewayness, weak/strong collision resistance, Birthday paradox • Merkle Damgard Construction • If the compression function is collision resistant, then strengthened Merkle-Damgård hash function is also collision resistant • Multi-collision attack, extension property • MAC • CBC-MAC, Secret prefix, Secret Suffix, HMAC • Authenticated Encryption
Recap (cnt) • Advanced number theory • CRT, Euler theorem: If a Zn* , then a f(n) =1 (mod n) • Cor: if r ´ s mod f(n) and (a, n)=1, then ar´ as (mod n) • Generator • If ordn(a) = f(n) then a is a generator of Zn*. • a is a generator iff a f(n)/p≠ 1 mod n for all p | f(n). • Let a Zm* and ord(a) = h. Then ord(ak) = h/gcd(h, k). • RSA Encryption • n = pq, f(n) = (p-1)(q-1), gcd(f(n), e) = 1, ed 1 mod f(n) • A’s public key is (n, e); A’s private key is d • Encryption: compute c = me mod n, Decryption: m = cd mod n • RSA Security • Computing d from (n, e) and factoring n are computationally equivalent • n cannot be shared • Small encryption exponent e = 3 • Homomorphic property
Recap (cnt) • Abstract Algebra • Group, cyclic groups, generator, group order, subgroup • Discrete logarithm problem • Diffie-Hellman • DLP vs. DHP, More efficient implementation (p, q, g) • Long-term vs. short-term Diffie-Hellman • ElGamal encryption • ElGamal vs. RSA encryption • RSA signature vs. DSA signature • Identificaiton: PINs and keys, graphical password, one-time pasword
Recap • Challenge-response protocol • SKE, MAC, PKE, Signature-based • Nonce vs. time-stamp • Key establishment • Session key, PFS, known-key attack, implicit key authentication, key confirmation • Kerberos • Hybrid key transport
Diffie-Hellman • Diffie-Hellman • Setup: prime p, generator g of Zp* • A B : gx mod p • B A : gy mod p • Properties • fixed exponent: zero-pass key agreement with special certificate • Authentication is required
MTI/A0 • Protocol • A B : gx mod p • B A : gy mod p • A: k = (gy)aPKbx = gya gbx = gya+bx • B: k = (gx)bPKay • source-substitution attack: C is not actually able to compute k itself, but rather causes B to have false belief • C registers A’s public key as its own • When A sends B, C replaces A’s certificate with its own • C forwards B’s response gy to A • B concludes that subsequently received messages encrypted by k = gbx+ay originated from C, it is only A who knows k and can originate such messages
STS • Algorithm • A B : gx mod p • B A : gy mod p, Ek(SB(gy, gx)) • A B : Ek(SA(gx, gy)) • Properties • Encryption under key k provides mutual key confirmation plus allows the conclusion that the party knowing the key is that which signed the exponentials.
Contents • Classification and framework • Key transport based on symmetric encryption • Key agreement based on symmetric techniques • Key transport based on public-key encryption • Key agreement based on asymmetric techniques • Analysis of key establishment protocols
Attack strategies and classic flaws • “man-in-the-middle” attack on unauthenticated DH • Reflection attack • Original protocol • A B : rA • B A : Ek(rA, rB) • A B : rB • Attack • A E : rA • E A : rA : Starting a new session • A E : Ek(rA, rA’) : Reply of (2) • E A : Ek(rA, rA’) : Reply of (1) • A E : rA’ • prevented by using different keys for different sessions
Attack strategies and classic flaws • Interleaving attacks • To provide freshness and entity authentication • Flawed protocol • A B : rA • B A : rB, SB(rB, rA, A) • A B : rA’, SA(rA’, rB, B) • Attack • E B : rA • B E : rB, SB(rB, rA, A) • E A : rB • A E : rA’, SA(rA’, rB, B) • E B : rA’, SA(rA’, rB, B) • Due to symmetric messages (2), (3)
Threshold Crypto • Motivating examples • (t, n) Threshold decryption • A secret key K is encrypted by a public key of a group G. • Each group member Mi knows a share SSi of the group private key. • When t members out of n group members get together, they can find the secret key. • (t, n) Threshold signature • To be a member of an on-line community, you need signature from at least t board members out of total n board members. • (t, n) threshold signature allows the member has a single certificate, which is computed from t partial certificates.
s1 s2 s3 … shares … sn-1 sn 1 2 3 … parties … n-1 n Conceptually…
Threshold Cryptography • A group < threshold size t cannot determine the secret/perform the function • A group >= threshold size t can always reconstruct the secret/perform the function • Scheme will tolerate t-1 compromised/misbehaving parties • No information leakage when t-1 members get together!
(t,n) threshold scheme • A polynomial f • degree t-1 • Dealer gives each party i secret Ki = f(i) • f(0) is the secret S. • S = i=1t ciKi where ci = 1jt, j i xj / (xj - xi)
(t, n) Threshold ElGamal • Encryption • generate random integer k and compute r = gk mod p • compute c = my kmod p • Ciphertext(r, c) • Decryption • m = c r –amod p • Threshold decryption • Note that private key a = i=1t ciKi (ci=1jt,j i xj/(xj - xi)) • So 1) t members compute rKi 2) raise it to ci to get rciKi and 3) mutiply all of them to get ra. • Threshold DSA Signature is similar…
How to prevent break-ins • As time goes by more and more board members could be corrupted (or compromised)! • Change shares but not the secret • f’(x) = f(x) + g(x) where g(0) = 0. • f’(0) = S still. • Attacker who compromises t-1 within the refresh interval has no information. • SSi will be changed to f’(i).
Definition • Bilinear Map • G1 and G2 be two abelian groups of prime order q. • additive notation for G1: aP denotes the P added a times • the multiplicative notation for G2 • A map e : G1 G1→ G2 is called an admissible bilinear map if • Bilinearity For any P, Q G1 and a, b Zq, e(aP, bQ) = e(P, Q)ab • Non-degeneracy e(P, Q) 1 for at least one pair of P, Q G1. • Efficiency • Hash functions • h : {0, 1}* → {0. 1}n: A collision-free hash function • H : {0, 1}* → G1: A collision-free full domain hash function (called map-to-point) • H*: G2→ Zq: A collision-free full domain hash function
Crypto Assumptions • Playing with Bilinear maps • e(aP, bQ) = e(P, abQ) = e(P, Q)ab • e(aP, Q) e(cP, Q) = e( (a+c) P, Q) • Cryptographic Problems • DLP is hard on G1 and G2 • finding a from (P, aP) is hard • finding a from e(P, P)a is hard • DDH is easy • c = ab if and only if e(aP, bP ) = e(cP, P). • BDHP is hard • finding e(P, P)abc from aP, bP, cP is hard.
3-Way DH Key Agreement • Let P be public generator of G1 • Three public keys: aP (Alice), bP (Bob), cP (Carol) • Group key GABC=e(P,P)abc • Alice computes e(bP,cP)a=e(P,P)abc • Bob computes e(aP,cP)b=e(P,P)abc • Carol computes e(aP,bP)c=e(P,P)abc • Properties • No communication • Others cannot compute group key : BDH problem
Identity-Based Encryption • ID=name+date of birth • Trusted Third Party: secret s in Zq • Public params: generator P of G1 and sP • Secret Key Generation • IDAlice: Alice → TTP • sH(IDAlice): TTP → Alice • Encryption: Bob encrypts for Alice • Pick random r in Zq • Compute g=e(H(IDAlice), sP)) • Compute • gr= e(H(IDAlice), sP))r= e(H(IDAlice), rsP))= e(rH(IDAlice), sP)) • Ciphertext: < rP, c = m XOR H2(gr) >
IBE (Cont’d) • Decryption by Alice • Compute gr=e(H(IDAlice), rsP))=e(sH(IDAlice), rP)) • Compute H2(gr) • m = c XOR H2(gr) • Why others cannot decrypt? • Others know only H(IDAlice) and rP • It is hard to determine r from rP (DLP) • thus they cannot compute gr as e(H(IDAlice), sP))r • They don’t know s • cannot compute e(H(IDAlice), srP)) • They don’t know sH(IDAlice) • cannot compute e(sH(IDAlice), rP))