Cryptography: Numbers and Tools
Gerard Tel, Dept of Computing Science, Utrecht
Talk overview
• Part 1: Numbers for Crypto
  • Definition and existence: requires P ≠ NP
  • Encryption with numbers: Elgamal
  • Numbers versus ad hoc: hashing
• Part 2: Tools
  • Zero knowledge proofs
  • Secret sharing
  • Combined application: verified committee decryption
Cryptography: the art of protection using information
• To know or not to know
• To have or not to have…
• Definition (Knowledge): party X knows all information he can feasibly compute from his available resources (facts and computing power)
Two examples
• Encryption (AES): Alice sends e-mail $y = E_k(x)$; Bob computes $x = D_k(y)$; Oscar knows no $k$: which $D$ function?
• Identification with a one-way function $H$: A gives the bank $b = H(a)$; the bank pays on seeing $a'$ s.t. $H(a') = b$; O knows no $a'$
More general example: public/secret pairs
• Alice holds secret $a$; Bob holds public $b$; relation $P(a, b)$
• Require: Oscar cannot compute $a$ from $b$
• But: Oscar can recognize $a$ by verifying $P$
Assumption: Discrete Log
• Compute modulo a large prime $p$: $0, 1, \dots, p-1$
• Element $g$ has an order: $1 = g^0, g^1, g^2, g^3, \dots, g^{\mathrm{ord}} = 1$. Fix $g$ of high prime order.
• From $a$, the power $b = g^a$ is computable
• Assumption: from $b$, the log $a$ s.t. $b = g^a$ is not computable
The Elgamal Party Game
• Program: exponentiation, discrete log, Elgamal
• Booklet: group demo of send/receive
• Compute with $k$-bit integers: Expo: $k^3$ time; DLog: $\sqrt{2^k}$ time
• www.cs.uu.nl/~gerard/Cryptografie/Elgamal
Symmetric encryption
• Secret message is a number: $x$
• Alice and Bob share a key: $z$ (the blinder)
• Encryption: $y = E_z(x) = x \cdot z$
• Decryption: $x = D_z(y) = y \cdot z^{-1}$
• Message unreadable without the blinder!
• Difficulty: safely sharing $z$
Elgamal encryption (Imperial number $b$: 51284)
• New blinder for each message
• Information about the blinder $z$ is sent along with the message
• Readable only with $a$ s.t. $g^a = b$
• $E_b(x)$: $(u, v) = (g^k, b^k \cdot x)$
• $D_a(u, v)$: $x = v \cdot (u^a)^{-1}$
• Blinder at encryption $= (g^a)^k$, at decryption $= (g^k)^a$: the same number
Key generation
• How can Caesar know $\log(b)$? It is not computable from $b$!
• Choose random $a$ // secret key. Let $b = g^a$ // public key. Publish $b$ as the Imperial Number.
• Scheme by Elgamal, 1985; Diffie-Hellman key exchange, 1976
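The key generation, encryption and decryption above, as an added example that is not code from the slides or from the Party Game program. It also implements the $\sqrt{2^k}$-time discrete-log attack the Party Game slide quotes (baby-step giant-step) to show why the group must be large. The group constants are a constructed toy: $p = 1019 = 2 \cdot 509 + 1$, $q = 509$, $g = 4$ of order $q$.

```python
# Added example (not from the slides): textbook Elgamal over a prime-order
# subgroup of Z_p^*, plus a baby-step giant-step discrete log that breaks
# these deliberately tiny parameters.  Never use a 10-bit p for real.
import secrets
from math import isqrt

# Constructed toy group: p = 2q + 1 is a safe prime, g = 4 has prime order q.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1      # g really has order q


def keygen():
    """Secret a (random exponent), public b = g^a mod p."""
    a = secrets.randbelow(Q - 1) + 1
    b = pow(G, a, P)
    return a, b


def encrypt(b, x):
    """E_b(x) = (g^k, x * b^k): a fresh blinder b^k for each message."""
    assert 1 <= x < P                       # toy: treat x as a group element
    k = secrets.randbelow(Q - 1) + 1
    u = pow(G, k, P)
    v = x * pow(b, k, P) % P
    return u, v


def decrypt(a, ct):
    """D_a(u, v) = v * (u^a)^{-1}: the receiver rebuilds the blinder as (g^k)^a."""
    u, v = ct
    z = pow(u, a, P)                        # same value as b^k = (g^a)^k
    return v * pow(z, P - 2, P) % P         # Fermat inverse, p prime


def dlog_bsgs(b):
    """Baby-step giant-step: find a with g^a = b mod p in about sqrt(q) work.

    This is the sqrt(2^k)-time attack from the Party Game slide; it is instant
    for a 9-bit q, and would take about 2^128 steps for a 256-bit q.
    """
    m = isqrt(Q) + 1
    baby = {pow(G, j, P): j for j in range(m)}          # g^j for j < m
    giant_step = pow(pow(G, m, P), P - 2, P)             # g^{-m}
    gamma = b
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q             # b = g^{i*m + j}
        gamma = gamma * giant_step % P
    return None


def demo():
    """Encrypt/decrypt x = 123, then let Oscar recover the secret key from b."""
    a, b = keygen()
    recovered = decrypt(a, encrypt(b, 123))
    stolen = dlog_bsgs(b)
    return recovered, stolen == a


if __name__ == "__main__":
    print(demo())
```

Note that `decrypt` never needs $k$ and `encrypt` never needs $a$: both sides compute the same blinder $g^{ak}$ from the half they hold, which is exactly the Diffie-Hellman observation the slide credits.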
Numbers better than bits: hash functions
• Map $H : \{0,1\}^* \to \{0,1\}^k$. The specifications regard computability:
• Computable: the map $H$ is computable
• One-way: from $y = H(x)$, $x$ cannot be found
• Collision-free: no $x_1 \ne x_2$ can be found s.t. $H(x_1) = H(x_2)$ (such $x_1, x_2$ exist, since $H$ compresses)
Fair guessing games
• Linda agrees to date Jon if he correctly guesses the parity of $x$
• L chooses $x$; commits with $y = H(x)$
• J guesses even/odd
• L reveals $x$
• Cheating? $y$ doesn't reveal $x$ to Jon: one-way. $y$ binds Linda: collision-free.
• Caveat: if $x$ has only a few possible values, Jon can hash each candidate and compare, so in practice L commits to $x$ together with a random nonce.
Bit manipulation: MD5
• How does it work? XOR, AND, OR on words; combined with "sin bits" (constants derived from sine); four rounds
• Why does it work? Why four rounds? Why this combination? Background: MD4, and attacks on variants
• Why is it secure? It isn't! Collision found 2004. Answer: MD6?
Discrete Log Hash (Chaum)
• How does it work: select a random $b$; $H(x, x') = g^x \cdot b^{x'}$
• Why does it work: $\log(b)$, the $a$ s.t. $g^a = b$, will never be known. A collision $H(x, x') = H(y, y')$ gives $g^x \cdot b^{x'} = g^y \cdot b^{y'}$, so $g^{x-y} = b^{y'-x'}$ and $a = (x - y)(y' - x')^{-1} \pmod{\mathrm{ord}(g)}$.
• Cryptographically strong collision-free: finding a collision is as hard as the discrete log.
Trapdoor hash
• Cheat in the generation of $H$: select $b = g^a$ instead of a random $b$.
• Collision: $g^x \cdot b^{x'} = g^{x - a z} \cdot b^{x' + z}$ for any $z$
• The trapped $H$ remains cryptographically strong one-way.
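Chaum's hash, the collision-to-discrete-log reduction, and the trapdoor collision, as an added example that is not code from the slides. The group constants are the same constructed toy ($p = 1019$, $q = 509$, $g = 4$); exponents are reduced modulo $q$, the order of $g$.

```python
# Added example (not from the slides): Chaum's discrete-log hash
# H(x, x') = g^x * b^{x'} mod p, extraction of log(b) from any collision, and
# the collision available to whoever generated b as g^a.  Toy parameters.
import secrets

# Constructed toy group: p = 2q + 1 safe prime, g = 4 of prime order q.
P, Q, G = 1019, 509, 4


def chaum_hash(b, x, x_prime):
    """H(x, x') = g^x . b^x' mod p; the exponents live in Z_q."""
    return pow(G, x % Q, P) * pow(b, x_prime % Q, P) % P


def dlog_from_collision(col1, col2):
    """Given H(x, x') == H(y, y') with x' != y', return a = log_g(b).

    g^x b^x' = g^y b^y'  =>  g^(x - y) = b^(y' - x') = g^(a (y' - x'))
    so a = (x - y) * (y' - x')^{-1} mod q.
    """
    (x, x_prime), (y, y_prime) = col1, col2
    inv = pow((y_prime - x_prime) % Q, -1, Q)
    return (x - y) * inv % Q


def trapdoor_collision(a, x, x_prime, z):
    """With the trapdoor a (b = g^a), (x - a z, x' + z) collides with (x, x')."""
    return ((x - a * z) % Q, (x_prime + z) % Q)


def demo():
    """A cheating generator keeps a; anyone who sees the collision learns a."""
    a = secrets.randbelow(Q - 1) + 1
    b = pow(G, a, P)
    x, x_prime = 17, 42                          # constructed inputs
    y, y_prime = trapdoor_collision(a, x, x_prime, z=5)
    same = chaum_hash(b, x, x_prime) == chaum_hash(b, y, y_prime)
    recovered = dlog_from_collision((x, x_prime), (y, y_prime))
    return same, recovered == a


if __name__ == "__main__":
    print(demo())
```

The last line of `demo` is the practical point: publishing a single trapdoor collision gives away the trapdoor itself, which is why an honest $b$ must be a number whose log nobody knows (for example derived from a public nothing-up-my-sleeve string).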
Gerard Tel, Part 2: Cryptographic tools
• Zero knowledge
• Secret sharing
• Combine all: group decryption
Zero knowledge proofs
• Example: identification. A gives the bank $b = H(a)$; the bank pays on seeing $a$.
• If Alice shows $a$: the employee and any eavesdropper become as powerful as Alice.
• Instead Alice proves that she knows $a$ without showing it; this implicitly proves the existence of $a$ s.t. $H(a) = b$.
• Can be done for all NP statements
ZKP of a discrete log
• Bob sees $b$, Alice holds $a$ s.t. $b = g^a$. Alice proves this knowledge:
• Alice: random $r$, sets $s = g^r$ and gives Bob $s$. Claim: I know the log of $s \cdot b^c$ for any $c$.
• Bob: challenges Alice with one random $c$
• Alice: replies $y = r + a \cdot c$
• Bob: verifies that $g^y = s \cdot b^c$
• If Alice indeed holds the right $a$, Bob's check comes out right.
Can Alice cheat?
• Assume Alice guesses Bob's $c$ beforehand: pick random $y$, take $s = g^y \cdot b^{-c}$ and send $s$ to Bob. Now $g^y = s \cdot b^c$: Alice passes the protocol without knowing $a$.
• The probability of a correct guess is extremely small: negligible.
What does Bob learn?
• The triple $(s, c, y)$: $s$ is a random power, $c$ a random number, $y$ solves $g^y = s \cdot b^c$
• Bob already knew such numbers!! They can be generated from Bob's own data.
• To generate such a triple: choose $c$ as a random number, $y$ as a random number, and $s$ as $g^y / b^c$
How can it convince?
• Compute in the order $s, c, y$: needs $a$
• Compute in the order $y, c, s$: doesn't need $a$
• The protocol enforces the order $s, c, y$
• The transcript doesn't show the order.
Order $s, c, y$ without guessing $c$
• Alice sends $s$, and can respond to both $c_1$ and $c_2$
• Alice knows $y_1$ and $y_2$ s.t. $g^{y_1} = s \cdot b^{c_1}$ and $g^{y_2} = s \cdot b^{c_2}$
• Then $b = g^{(y_1 - y_2)/(c_1 - c_2)}$: Alice knows $a$.
• Alice cannot fool Bob without knowing $a$.
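The three slides above in one piece: the honest protocol, the simulator that builds an accepting $(s, c, y)$ from Bob's data alone, and the extractor that recovers $a$ from two answers to the same $s$. This is an added example, not code from the slides; the toy group ($p = 1019$, $q = 509$, $g = 4$) is constructed, and a real deployment draws $c$ from a space of at least $2^{128}$ values rather than from $\{0, \dots, q-1\}$ with a 9-bit $q$.

```python
# Added example (not from the slides): the discrete-log proof of knowledge,
# run honestly, then simulated without a, then broken open by rewinding.
# Toy group constants are constructed; exponents live in Z_q.
import secrets

P, Q, G = 1019, 509, 4          # p = 2q+1 safe prime, g = 4 of prime order q


def prover_commit():
    """Alice: random r, send s = g^r (keeps r)."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Bob: one random challenge c."""
    return secrets.randbelow(Q)


def prover_respond(a, r, c):
    """Alice: y = r + a c (mod q)."""
    return (r + a * c) % Q


def verify(b, s, c, y):
    """Bob: accept iff g^y = s . b^c."""
    return pow(G, y, P) == s * pow(b, c, P) % P


def honest_run(a, b):
    """Order s, c, y: Alice needs a to answer."""
    r, s = prover_commit()
    c = verifier_challenge()
    y = prover_respond(a, r, c)
    return verify(b, s, c, y)


def simulate(b):
    """Order y, c, s: an accepting transcript with no a in sight.

    Choose y and c first, then s = g^y / b^c.  The triple is distributed like a
    real one, so the transcript tells Bob nothing he could not make himself.
    """
    y = secrets.randbelow(Q)
    c = secrets.randbelow(Q)
    s = pow(G, y, P) * pow(pow(b, c, P), P - 2, P) % P
    return s, c, y


def extract(c1, y1, c2, y2):
    """Two accepting answers for one s with c1 != c2 give a = (y1 - y2)/(c1 - c2)."""
    assert c1 != c2
    return (y1 - y2) * pow((c1 - c2) % Q, -1, Q) % Q


def extraction_demo(a):
    """Rewind Alice: same commitment s, two challenges, recover a from the answers."""
    b = pow(G, a, P)
    r, s = prover_commit()
    c1, c2 = 7, 11                            # constructed distinct challenges
    y1, y2 = prover_respond(a, r, c1), prover_respond(a, r, c2)
    assert verify(b, s, c1, y1) and verify(b, s, c2, y2)
    return extract(c1, y1, c2, y2)


if __name__ == "__main__":
    a = secrets.randbelow(Q - 1) + 1
    print(honest_run(a, pow(G, a, P)), extraction_demo(a) == a)
```

`extract` is also the reason a prover must never reuse $r$ across two runs: two transcripts with the same $s$ and different challenges leak $a$ to anyone who sees them.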
Secret sharing
• Goal: the share holders together know $a$
• Share: a value related to $a$
• $k - 1$ shares reveal nothing
• $k$ shares reveal all, in reconstruction
• Or they allow computations with $a$ without reconstructing it
Concepts in sharing
• Use: bank, company; nuclear warheads; digital money; key escrow; digital voting
• How many shares: veto (split), threshold (share)
• Cheating protection: holders can cheat; verifiable sharing
• Actions with the secret: reconstruction, or direct use
Additive secret split
• Definition: $a = a_1 + \dots + a_i + \dots + a_k$. The secret is the sum of the shares.
• Protection: no proper subset of shareholders can collude to access the secret. Given $k - 1$ shares, every $a$ is still possible.
• Generation: SH$_i$ sets a random $a_i$; now $a$ is defined implicitly but unknown to everyone.
Example: Elgamal decrypt
• Construction of the public key: SH$_i$ computes and shows $b_i = g^{a_i}$ (partial public key and public share). Compute $b = b_1 \cdots b_k$. Now $b = g^a$, though $a$ is still unknown!
• How to send a message: use the public $b$ to compute $(u, v)$ as usual: $(u, v) = (g^k, x \cdot b^k)$ (here $k$ is the sender's random exponent, not the number of shareholders)
Decrypting with the shared key
• Computation of $v \cdot (u^a)^{-1}$
• Pool the shares, $a = a_1 + \dots + a_k$? That compromises the splitting!!
• To compute $u^a$ instead: SH$_i$ sends $z_i = u^{a_i}$; let $z = z_1 \cdots z_k$ ($= u^{a_1 + \dots + a_k} = u^a$); let $x = v \cdot z^{-1}$
• The secret key is still unknown
Cheating shareholders
• If SH$_i$ doesn't like the message she may submit a $z_i$ different from $u^{a_i}$
• If SH$_i$ is fair she knows $a_i$ s.t. both $z_i = u^{a_i}$ and $b_i = g^{a_i}$
• She proves this knowledge in zero knowledge
• Combined: encryption, ZKP, commitment, sharing
Perfect secret shares
• Theorem: through $k$ points with distinct $x$-coordinates runs exactly one polynomial of degree at most $k - 1$
• Dealing: select random $a_1$ through $a_{k-1}$, and set $a_0 = a$
• $f(z) = a_0 + a_1 z + \dots + a_{k-1} z^{k-1}$
• Share $s_i$ is $f(i)$
• Reconstruction from any $k$ points: polynomial interpolation
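Dealing and reconstruction by interpolation, as an added example that is not code from the slides. It works modulo a prime $q$ (constructed here as $2^{61} - 1$) so that every non-zero denominator in the Lagrange formula is invertible, and it makes the "perfect" claim concrete: given $k - 1$ shares and any candidate secret, there is a $k$-th share that fits.

```python
# Added example (not from the slides): Shamir's polynomial secret sharing
# over Z_q with Lagrange interpolation, and a check that k-1 shares leave
# every secret possible.  q is a constructed 61-bit Mersenne prime.
import secrets

Q = 2**61 - 1          # prime; all arithmetic is mod q


def deal(secret, k, n):
    """f(z) = a0 + a1 z + ... + a_{k-1} z^{k-1} with a0 = secret; share i is (i, f(i))."""
    assert 1 <= k <= n < Q
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]

    def f(z):
        return sum(a_j * pow(z, j, Q) for j, a_j in enumerate(coeffs)) % Q

    return [(i, f(i)) for i in range(1, n + 1)]


def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q        # non-zero: x-coordinates distinct
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def reconstruct(shares):
    """Any k shares determine f; the secret is f(0)."""
    return lagrange_eval(shares, 0)


def share_consistent_with(partial, candidate, missing_index):
    """Given only k-1 shares, the value share `missing_index` would need for
    `candidate` to be the secret.  One always exists, so k-1 shares say nothing."""
    return lagrange_eval(partial + [(0, candidate % Q)], missing_index)


if __name__ == "__main__":
    shares = deal(1234, k=3, n=5)
    print(reconstruct(shares[:3]), reconstruct([shares[0], shares[2], shares[4]]))
    s3 = share_consistent_with(shares[:2], 999, 3)
    print(reconstruct(shares[:2] + [(3, s3)]))     # 999: the two shares fit it too
```

The additive split of the earlier slide is the special case $k = n$: every share is needed. The polynomial version gives a threshold, so any $k$ of $n$ holders suffice and up to $n - k$ lost shares do no harm.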
Conclusions
• Numbers as a basis for cryptography
• Most of cryptography is unproven: it relies on (at least) P ≠ NP
• A tool box based on the discrete logarithm: encrypt, hash, ZKP, secret share
• Alternative tool boxes based on integer factorization: RSA
Formulas on Discrete Log Cryptography
• Compute modulo $p$. Secret: $a$; public: $b$; related by $g^a = b$
• Elgamal functions: $E_b(x) = (g^k, x \cdot b^k)$; $D_a(u, v) = v \cdot (u^a)^{-1}$
• Chaum's hash: $H(x, x') = g^x \cdot b^{x'}$
• ZKP of $\log(b)$: A: random $r$, send $s = g^r$; B: random $c$, send $c$; A: send $y = r + ac$; B: check $g^y = s \cdot b^c$
• Additive secret split: $a = a_1 + \dots + a_k$