1 / 33

Cryptography: Numbers and Tools

Cryptography: Numbers and Tools. Gerard Tel Dept of Computing Science, Utrecht. Talk overview. Part 1: Numbers for Crypto Definition and existence: require P ≠ NP Encryption with numbers: Elgamal Numbers versus Ad hoc: Hashing Part 2: Tools Zero knowledge proofs Secret Sharing

sadie
Download Presentation

Cryptography: Numbers and Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptography:Numbers and Tools Gerard Tel Dept of Computing Science, Utrecht

  2. Talk overview • Part 1: Numbers for Crypto • Definition and existence: require P ≠ NP • Encryption with numbers: Elgamal • Numbers versus Ad hoc: Hashing • Part 2: Tools • Zero knowledge proofs • Secret Sharing • Combined application: Verified committee decryption

  3. Cryptography: The art of protection using information To know or not to know To have or not to have…. Definition (Knowledge):Party X knows all information he can feasibly compute from his available resources (facts and computing power)

  4. Encryption (AES) Alice sends emaily = Ek(x) Bob computes x = Dk(y) Oscar knows no k : which D function? Identification with One-way function H A gives Bank b = H(a) Bank pays on seeinga’ s.t. H (a’ ) = b O knows no a’ Two examples

  5. Public/Secret pairs Alice holds secret a Bob holds public b Relation P (a, b) Require: Oscar cannot compute a from b But: Oscar can recognize a by verifying P More general example

  6. I recognize it when I see it ....…. but I don’t know it

  7. Assumption: Discrete Log • Compute modulo large p : 0, 1, …, p -1 • Element g has order: 1 = g 0, g 1, g 2, g 3, … g ord = 1Fix g of high prime order. • From a, power b = g a is computable • Assumption:From b, log a s.t. b = g a is not computable

  8. The Elgamal Party Game • Program: exponentiation, discrete log, Elgamal • Booklet: group demo of send/receive • Compute k-bit integers:Expo: k 3 timeDLog: √2k time www.cs.uu.nl/~gerard/Cryptografie/Elgamal

  9. Symmetric encryption • Secret message is number: x • Alice and Bob share a key: z (blinder) • Encryption: y = Ez(x) = x . z • Decryption: x = Dz(y) = y . z -1 • Msg unreadable w/o blinder! • Difficulty: safely sharing z

  10. Elgamal encryption Imperial number b:51284 • New blinder for each message • Information about z with msg • Readable only with a st ga=b • Eb: (u, v) = (gk, bk.x) • Da: x = v . (ua)-1 • Blinder at Enc = (ga)k at Dec = (gk)a a

  11. Key generation • How can Ceasar know log(b)?It is not computable from a ! • Choose random a ; // Secret keyLet b = g a ; // Public keyPublish b as the Imperial Number. • Scheme by Elgamal, 1985Diffie-Hellman key exchange, 1976

  12. Numbers better than bits:Hash functions • Map H : {0,1}* {0,1}k Specifications regard computability: • Computable: Map H is computable • One-way:From y = H (x), x cannot be found • Collision-free:No x1, x2 can be found s.t. H (x1) = H (x2)(Such x1, x2 exist)

  13. Fair Guessing Games • Linda agrees to date Jon if he correctly guesses parity of x • L chooses x ; commits with y = H (x) • J guesses even/odd • L reveals x • Cheating? • y doesn’t reveal x to Jonone-way • y binds Lindacollision-free

  14. How does it work XOR, AND, OR words Combine with sin bits Four rounds in Why does it work? Why four rounds? MD4 background Why this combination? Attacks on variants Why is it secure? It isn’t! Collision found 2004 Answer: MD6? Bit manipulation: MD5

  15. How does it work Select random b :H (x, x’ ) = gx.bx’ Why does it work log(b ): a s.t. g a = bwill never be known H (x, x’ ) = H (y, y’ )gx . bx’= gy . by’a =(x - y )(y’ - x’ ) -1 Cryptographically strong collision free Discrete Log Hash (Chaum)

  16. Trapdoor Hash • Cheat in generation of H. • Select b = g a instead of random b. • Collision: • g x . b x’= g x - a.Z . b x’ + z • Trapped H remains cryptographically strong one-way.

  17. Gerard Tel, Part 2: • Cryptographic tools: • Zero knowledge • Secret sharing • Combine all: group decryption

  18. Zero knowledge proofs • Example: Identification • A gives bank b = H (a) • Bank pays on seeing a • If Alice shows a:employee, eavesdropper become as powerful. • Alice proves to knowa without showingimplicitly proves existence of a st H (a) = b • Can be done for all NP statements

  19. ZKP of a Discrete Log • Bob sees b, Alice holds a st b = g a • Alice proves this knowledge: • Alice: random r, set s = gr and gives Bob sClaim: I know log of s.b c for any c • Bob: challenges Alice with one random c • Alice: replies y = r + a . c • Bob: verifies that g y = s . b c • If Alice indeed holds the right a, Bob’s check comes out right.

  20. Assume Alice guesses Bob’s c beforehand: Random y Take s = g y. b –cand send s to Bob Now g y = s . b c Alice passes protocol without knowing a Can Alice cheat? Probability of correct guess is extremely small: neglectible

  21. What does Bob learn? • Triple (s, c, y) s is random powerc is random numbery solves g y = s . b c • Bob already knew such numbers!!They can be generated from Bob’s data. • To generate such, choosec as random numbery as random numbers as g y / b c

  22. How can it convince? • Compute in order s, c, y : needs a • Compute in order y, c, s : don’t need a • Protocol enforces s, c,y • Transcript doesn’t show order.

  23. Order s, c, y w/o guessing c Alice sends s, and can respond on c1 and c2 • Alice knows y1 and y2 stg y1 = s . b c1 and g y2 = s . b c2 • Then b = g(y1 – y2)/(c1 – c2): Alice knows a. • Alice cannot fool Bob without knowing a.

  24. Secret Sharing • Goal: share holderstogether know a • Share: related to a • k -1 shares reveal nothing • k shares reveal allin reconstruction • Or allow computationswith a

  25. Use: Bank, company Nuclear heads Digital money Key escrow Digital voting How many shares Veto (split) Threshold (share) Cheating protection Holders can cheat Verifiable Actions with secret Reconstruction Use Concepts in Sharing

  26. Additive secret split • Definition: a = a1 + … + ai + … + akThe secret is the sum of the shares • Protection: No subset of shareholders can collude to access the secretGiven k - 1 shares, every a is still possible • Generation: SHi sets random ai ;now a is defined implicitly but unknown

  27. Example: Elgamal decrypt • Construction of public key • SHi computes and shows: bi= g ai(partial public key and public share) • Compute b = b1 . … . bk • Now b = g a, though a is still unknown! • How to send a message: • Use public b to compute (u, v) as usual: (u, v) = (g k, x . bk )

  28. Decrypting with shared key • Computation of v . (u a)-1 • Pool shares: a = a1 + … + ak ?Compromises splitting!! • To compute u a: • SH i sends zi = u ai • Let z = z1 . … . zk • Let x = v . z-1 • Secret key is still unknown

  29. Cheating Shareholders • If SHi doesn’t like the message she may submit a zi different from u ai • If SHi is fair she knows ai s.t.both zi = u ai and bi = g ai. • Proves knowledge in Zero Knowledge • Encryption, ZKP, Commit, Sharing

  30. Perfect Secret Shares • Theorem: through k points runs exactly one curve of degree k - 1 • Dealing: select a1 through ak-1 , a0 = a • f (z) = a0 + a1.z + … + ak-1.z k-1 • Share si is f (i ) • Reconstruction from k points: • polynomial interpolation

  31. Conclusions • Numbers as basis for cryptography • Most of cryptography is unproven:Relies on P ≠ NP • Tool box based on Discrete Logarithm: Encrypt, Hash, ZKP, Secret share • Alternative tool boxes based on Integer Factorization: RSA

  32. Questions?

  33. Compute modulo p Secret : aPublic : bRelated : g a = b Elgamal Functions:Eb(x) = (g k, x.b k)Da(u, v) = v.(u a)-1 Chaum’s Hash:H (x, x’) = g x . b x’ ZKP of log(b): A: Rnd r, send s = g r B: Rnd c, send c A: Send y = r + ac B: Check gy = s . b c Additive Secret Split:a = a1 + … + ak Formulas on Discrete Log Cryptography

More Related