
Cryptography: Proofs and Tools

Cryptography: Proofs and Tools. Gerard Tel Dept of Computer Science, Utrecht. Talk overview. Part 1: Proofs Definition and existence Proofs with numbers Numbers versus “Ad hoc” Part 2: Tools Signature schemas Zero knowledge proofs Secret Sharing. Cryptography:.


Presentation Transcript


  1. Cryptography: Proofs and Tools • Gerard Tel, Dept of Computer Science, Utrecht

  2. Talk overview • Part 1: Proofs • Definition and existence • Proofs with numbers • Numbers versus “Ad hoc” • Part 2: Tools • Signature schemas • Zero knowledge proofs • Secret Sharing

  3. Cryptography: The art of protection using information • To know or not to know • To have or not to have….

  4. Two examples • Encryption (DES): Alice sends email y = E_k(x) • Bob computes x = D_k(y) • Oscar knows no k: which D function? • Identification with one-way function H: A gives Bank b = H(a) • Bank pays on seeing a’ s.t. H(a’) = b • O knows no a’

  5. Two more examples • Signatures: Alice signs M with x: S = Sig(M, x) • Bob verifies with y: Ver(M, S, y) • Oscar cannot forge S’ for M’ s.t. Ver(M’, S’, y) • Public key pairs: Alice holds secret x • Bob holds public y • Relation P(x, y) • Oscar cannot compute x from y

  6. I recognize it when I see it .... • Encryption: k s.t. D_k(y) is text • Identification: a’ s.t. H(a’) = b • Signatures: S’ s.t. Ver(M’, S’, y) • Key pair: x s.t. P(x, y)

  7. …. But I don’t know it

  8. Assumption: Factoring • Primes p and q (e.g. 512 bits) • n = p . q (1024 bits) • Given n, one recognizes p and q • Assumption: Given n, computing p is impossible

  9. Assumption: Discrete Log • Compute modulo large p: 0, 1, …, p - 1 • Element g has order: 1 = g^0, g^1, g^2, g^3, …, g^ord = 1 • Fix g of high order. • From x, power y = g^x is computable • Assumption: From y, x s.t. y = g^x is not computable

  10. Rabin’s encryption • Alice’s secret key: p and q • Public key: product n • Bob encrypts x as y = x^2 mod n • Alice decrypts by extracting the square root: p and q are needed! • Oscar cannot extract roots

  11. Square roots modulo n • A square number has 4 roots • n = 77 = 7 . 11: 36^2 = 64 (1296 mod 77) • 36, 41, 8, 69 have square 64 • Two pairs: 36 = -41 and 8 = -69 • Combine from two pairs: 41 + 69 = 33 • gcd(33, 77) = 11

  12. Rabin: Provably Secure • If Oscar can find x from x^2 = y mod n • Select random z • Solve x from x^2 = z^2 • Prob. 1/2: x and z differ: find p and q • Contradicts Factoring Assumption • Rabin is cryptographically strong

  13. Chosen Ciphertext Attack • Procedure for CCA: • Oscar sends Alice y, obtains x, computes • Rabin is vulnerable: • Oscar sends y = z^2 • succeeds with Pr = 1/2 • Decrypted messages as sensitive as key • Weakness inherent in strength
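
The reduction of slides 11 to 13, written out as an added example (not part of the original slides) on the toy modulus n = 77: any party that returns square roots of chosen values gives away the factors, which is why raw Rabin decryptions are as sensitive as the key. The function names are illustrative, and the brute-force root finder only works because n is tiny.

```python
from math import gcd
import random

P, Q = 7, 11      # Alice's secret primes (values from slide 11)
N = P * Q         # public modulus 77

def all_roots(y, n=N):
    """Every square root of y mod n, by brute force (feasible only for a toy n)."""
    return [x for x in range(n) if x * x % n == y]

def decrypt_oracle(y):
    """Stands in for Alice's decryption (or Oscar's assumed root finder).
    It returns one of the roots; it cannot know which one the sender started from."""
    return random.choice(all_roots(y))

def factor_with_oracle(n=N, max_tries=64):
    """Slide 12: select random z, ask for a root x of z^2.
    If x is not +z or -z, then gcd(x + z, n) is a proper factor of n."""
    for tries in range(1, max_tries + 1):
        z = random.randrange(1, n)
        if gcd(z, n) != 1:
            continue                  # z itself shares a factor with n; skip it
        x = decrypt_oracle(z * z % n)
        if x not in (z, n - z):       # happens with probability 1/2
            p = gcd(x + z, n)
            return p, n // p, tries
    return None

if __name__ == "__main__":
    print("roots of 64 mod 77:", all_roots(64))
    print("factors and number of queries:", factor_with_oracle())
```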

  14. RSA: Allegedly secure • Similar but use higher order roots. • Public key: (n, e) • Encryption y = x^e • Decryption x = y^d (d from p, q) • e-th rooting is believed but not proven to be as hard as factoring

  15. RSA Decryption • φ = (p - 1)(q - 1) • All x: x^φ = 1 (mod n) • From p, q, n, e, compute d s.t. e.d = k.φ + 1 • y^d = (x^e)^d = x^(k.φ + 1) = 1^k . x = x • Secretly keep d, purge p, q.

  16. RSA Keys are secure • Oscar finds φ from n: • p + q = n - φ + 1, solve p, q • Oscar finds φ from n and e: • Simulate generation of e to do without • Oscar finds d from n and e: • n, e, d → p, q • Key protection is cryptographically strong

  17. Ad hoc versus Numbers: Hash functions • Map H : {0,1}* → {0,1}^k • One-way: • From y = H(x), x cannot be found • Collision-free: • No x_1, x_2 can be found s.t. H(x_1) = H(x_2) • Such x_1, x_2 exist

  18. Fair Guessing Games • Linda dates Jon if Jon guesses parity of x • L chooses x and gives y = H(x) • J guesses even/odd • L reveals x • Cheating • y doesn’t reveal x to Jon: one-way • y binds Linda: collision-free

  19. Bit manipulation: MD5 • How does it work • XOR, AND, OR words • Combine with sin bits • Four rounds in • Why does it work • Why four rounds • MD4 background • Why this combination • Attacks on variants • Why is it secure? We don’t know

  20. Discrete Log Hash (Chaum) • How does it work • Select g, random h: f(x, x’) = g^x . h^x’ • Why does it work • log(h): a s.t. g^a = h will never be known • f(x, x’) = f(y, y’) • g^x . h^x’ = g^y . h^y’ • a = (x - y)(y’ - x’)^-1 • Cryptographically strong collision free

  21. Trapdoor Hash • Cheat in generation of f. • Select h = g^a instead of random h. • Collision: • g^x . h^x’ = g^(x - a.z) . h^(x’ + z) • Trapped f remains cryptographically strong one-way.
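
Slides 20 and 21 as an added example (not from the original slides): any collision in the discrete log hash yields log(h), and whoever generated h = g^a can produce collisions at will. The group parameters and function names are constructed for illustration; the birthday search is only feasible because the group has 1019 elements.

```python
import secrets

# Constructed toy group: P = 2Q + 1 with P and Q prime; G = 4 has prime order Q
P, Q, G = 2039, 1019, 4

def chaum_hash(x, x2, h):
    """f(x, x') = g^x . h^x' mod P, with exponents taken mod Q."""
    return pow(G, x, P) * pow(h, x2, P) % P

def log_from_collision(m, m2):
    """Slide 20: two inputs with equal hash give a = (x - y)(y' - x')^-1 mod Q."""
    (x, x2), (y, y2) = m, m2
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def trapdoor_collision(x, x2, a, z):
    """Slide 21: knowing a with h = g^a, map (x, x') to (x - a.z, x' + z)."""
    return (x - a * z) % Q, (x2 + z) % Q

def collision_by_search(h):
    """Toy-size only: hash random inputs until two different ones collide."""
    seen = {}
    while True:
        m = (secrets.randbelow(Q), secrets.randbelow(Q))
        digest = chaum_hash(m[0], m[1], h)
        if digest in seen and seen[digest] != m:
            return seen[digest], m
        seen[digest] = m

if __name__ == "__main__":
    a = 777                               # constructed trapdoor exponent
    h = pow(G, a, P)
    m, m2 = collision_by_search(h)
    print("collision", m, m2, "reveals log(h) =", log_from_collision(m, m2))
```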

  22. Questions?

  23. Gerard Tel, Part 2: • Cryptographic Tools: • Signatures • Zero knowledge • Secret Sharing

  24. Digital Signatures • Alice signs message M: S = Sig(M, x) • Bob verifies signature S: Ver(M, S, y) • Validity: Ver(M, Sig(M, x), y) • Forgery: Oscar finds M, S: Ver(M, S, y)

  25. RSA Signatures • Public/Secret key: (n, e) and (n, d) • Functions x → x^e and y → y^d are inverses • Sign M: S = M^d (compute) • Verify S: S^e = M (check) • Forge signature under M: • Invert RSA public function

  26. Existential Forgery • Oscar: random S, M = S^e. • M takes special form • ………01010101010101 • Hash of longer message

  27. Blind Signatures • Alice signs one message without seeing it • Bob has M, selects blinder b • Bob gives Alice blinded message M’ = M . b • Alice signs for Bob: S’ = M’^d • Bob unblinds: divide by b^d.

  28. Blind Signatures • Alice signs one message without seeing it • Bob has M, selects blinder b = k^e • Bob gives Alice blinded message M’ = M . b • Alice signs for Bob: S’ = M’^d • Bob unblinds: divide by b^d: S = S’ / k • Similar: Blind decryption
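
The blind signature exchange of slide 28 with both parties' steps, as an added example that is not part of the original slides. The RSA key is a constructed toy key (n = 61 . 53) and the function names are illustrative.

```python
from math import gcd
import secrets

# Constructed toy RSA key: n = 61 . 53, e.d = 1 mod (60 . 52); real keys are far larger
N, E, D = 3233, 17, 2753

def blind(m):
    """Bob: pick k invertible mod n, blinder b = k^e, blinded message M' = M . b."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if gcd(k, N) == 1:
            return m * pow(k, E, N) % N, k

def sign(m_blinded):
    """Alice: S' = M'^d. She only ever sees the blinded value."""
    return pow(m_blinded, D, N)

def unblind(s_blinded, k):
    """Bob: b^d = k^(e.d) = k, so S = S' / k."""
    return s_blinded * pow(k, -1, N) % N

def verify(m, s):
    """Anyone: S^e = M (mod n)."""
    return pow(s, E, N) == m % N

def blind_sign_session(m):
    """Full exchange; returns what Alice saw and the signature Bob ends up with."""
    m_blinded, k = blind(m)           # Bob -> Alice: M'
    s_blinded = sign(m_blinded)       # Alice -> Bob: S'
    return m_blinded, unblind(s_blinded, k)

if __name__ == "__main__":
    seen_by_alice, s = blind_sign_session(1234)
    print("Alice saw", seen_by_alice, "; signature on 1234 is", s, verify(1234, s))
```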

  29. Zero knowledge proofs • Identification by secret • A gives Bank b = H(a) • Bank pays on seeing a • If Alice shows a: employee, eavesdropper become as powerful. • Alice proves to know a without showing

  30. 0KP of a Square Root • Alice holds a, Bob holds b = a^2 • Withdrawing of money: • Alice selects s = r^2 and gives Bob s • Claim: I know roots of s and s.b • This is true, namely r and r.a • This implies knowing a as quotient of roots

  31. Verify knowing two roots • Bob sees one! Otherwise becomes too smart • Challenge c = 0/1 • Alice must give one root: r of s (c = 0), r.a of s.b (c = 1) • Oscar does not know both • Fails with Pr = 1/2.

  32. What does Bob learn? • Triple (s, c, y): s is random square, c is random bit, y solves y^2 = s . b^c • To generate such, choose c as random bit, y as random number, s as y^2 / b^c

  33. How can it convince? • Compute order s, c, y : needs a • Compute order c, y, s : don’t need a • Protocol enforces s, c, y • Transcript doesn’t show order.

  34. Zero knowledge proofs • 20 rounds: 1-in-million false acceptance • Similar: e-th root or logarithm • Also: Graph coloring • Use with blind signatures: • Bob proves blinded message is legal
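
Slides 30 to 34 as an added example (not from the original slides): the honest prover, Bob's check, the simulator that builds a valid triple in the order c, y, s without a, and a cheating prover who can only answer the challenge she guessed. It reuses the toy modulus 77 from slide 11; class and function names are illustrative.

```python
from math import gcd
import secrets

N = 77  # toy modulus from slide 11; a real n is a large product of two secret primes

def rand_unit():
    """Random value invertible mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

class Alice:
    """Knows a root a of Bob's value b = a^2."""
    def __init__(self, a):
        self.a = a
    def commit(self):
        self.r = rand_unit()
        return self.r * self.r % N                # s = r^2
    def respond(self, c):
        return self.r * pow(self.a, c, N) % N     # r if c = 0, r.a if c = 1

def bob_accepts(b, s, c, y):
    """Bob's check: y^2 = s . b^c (mod N)."""
    return y * y % N == s * pow(b, c, N) % N

def simulate(b):
    """Slide 32: a valid triple built in the order c, y, s, with no knowledge of a."""
    c = secrets.randbelow(2)
    y = rand_unit()
    s = y * y * pow(pow(b, c, N), -1, N) % N
    return s, c, y

class Oscar:
    """Does not know a: commits to a simulated s and hopes Bob asks the guessed c."""
    def __init__(self, b):
        self.b = b
    def commit(self):
        s, self.guess, self.y = simulate(self.b)
        return s
    def respond(self, c):
        return self.y                             # valid only when c == self.guess

def run(prover, b, rounds=20):
    """Protocol order s, c, y; 20 rounds leave a cheater a 2^-20 chance."""
    for _ in range(rounds):
        s = prover.commit()
        c = secrets.randbelow(2)                  # Bob's challenge, chosen after s
        if not bob_accepts(b, s, c, prover.respond(c)):
            return False
    return True
```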

  35. Secret Sharing • Goal: share holders together know a • Shares handed out by dealer • Share: related to a • k - 1 shares reveal nothing • k shares reveal all in reconstruction

  36. Concepts in Sharing • Use: Bank, company; Nuclear heads; Digital money; Key escrow • How many shares: Veto (split); Threshold (share) • Protection: Perfect (poor!); Verifiable • Actions with secret: Reconstruction; Use

  37. Additive secret split • Dealing: a_1 … a_(k-1) random • a_k = a - a_1 - … - a_(k-1) • a_k is no better • Reconstruction: a = a_1 + … + a_k • Symmetric! • Shares cannot be recognized • Given k - 1 shares, every a is still possible • “Real Cryptography”: Perfect Split

  38. Using shared exponent • Secret is exponent a (e.g., for RSA) • Shares: a = a_1 + … + a_k • To compute y^a: • Shareholder i submits x_i = y^a_i • Compute x = x_1 . … . x_k • Use of secret does not compromise splitting

  39. How perfect is perfect? • Shares cannot be recognized • Shareholders may cheat • Verifiable reconstruction (hash H): • Compute a_i and b_i = H(a_i) • Give a_i to SH i and make b_i public • Verified reconstruction: • SH i submits a_i • Check H(a_i) = b_i

  40. Dealer verifiable split • Number hash H(a) = g^a • The dealer: Publish b = g^a • Private share a_i (sum a) • Public share b_i = g^a_i • Send a_i to SH i • Verifiable shares • The shareholders: b binds dealer! secret is recognizable • Verify product = b • Verify g^a_i = b_i • Reconstruction: Verify submissions

  41. Perfect Secret Shares • Theorem: through k points runs exactly one curve of degree k - 1 • Dealing: select a_1 through a_(k-1), a_0 = a • f(z) = a_0 + a_1.z + … + a_(k-1).z^(k-1) • Share s_i is f(i) • Reconstruction from k points: • polynomial interpolation

  42. Verifiable Secret Sharing • Dealer: • Private coefficients a_0 through a_(k-1) • Private shares s_i = f(i) • Public coefficients b_i = g^a_i • Public shares p_i = g^s_i • Shareholders: s_i = a_0 + a_1.i + … + a_(k-1).i^(k-1) • Global: p_i = b_0 . b_1^i . b_2^(i^2) . … . b_(k-1)^(i^(k-1)) • Internal: g^s_i = p_i

  43. Conclusions • Numbers as basis for cryptography • Most of cryptography is unproven • Results are often counterintuitive • “Elluk voordeel hep se nadele” (“Every advantage has its disadvantage”)
