Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

Published byLuis Orgel Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols

2 12 April 2005University of Virginia CS 5882 Story So Far Symmetric Encryption –Amplify and time-shift a small secret to transmit large secrets Asymmetric Encryption –Use a trustworthy non-secret to establish secrets, check signatures Proving an encryption algorithm is secure is either: –Reasonably easy if it is a perfect cipher –Essentially impossible if it is not

3 12 April 2005University of Virginia CS 5883 Plan for Rest of the Course Today, Thursday: some interesting applications of cryptography Next Tuesday: Quantum/visual crypto Next Thursday, April 26: Software system security: real world security is mostly not about cryptography April 28: Project presentations If there’s anything you hoped this course would cover that is not listed here, send me requests by Friday

4 12 April 2005University of Virginia CS 5884 Finding Project Partners Simple way: –Ask people in the class if they want to work with you Problems: –You face rejection and ridicule if they say no Can you find partners without revealing your wishes unless they are reciprocated? –Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them

5 12 April 2005University of Virginia CS 5885 Alice is your best match Use a Universally Trusted Third Party Alice Bob Bob would like to work with: Ron Rivest Sandra Bullock Alice Alice: Thomas Jefferson Colleen Hacker Bob MatchMaker.com

6 12 April 2005University of Virginia CS 5886 Use a Universally Trusted Third Party Bob E KU M [E KR B [“Bob would like …”]] MatchMaker.com E KU B [E KR M [“Alice”]]

7 12 April 2005University of Virginia CS 5887 HashMaker.com? Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board. No on else can tell Bob’s deepest darkest desires ( H is one-way) If someone else writes the same hash on the board, Bob has found his match How well does this work?

8 12 April 2005University of Virginia CS 5888 Untrusted Third Party Bob E H(W) [ W ] HashMatcher.com Use the hash of the wish as the encryption key so some symmetric cipher: HashMatcher can’t determine the wish Someone with the same exact wish will match exactly

9 12 April 2005University of Virginia CS 5889 Untrusted Third Party Bob E H(W) [ W ] HashMatcher.com

10 12 April 2005University of Virginia CS 58810 How can we send a message to HashMaker without it knowing who sent it? To: HashMaker From: Anonymous To: Router4 To: Router3 To: Router2 To: Router1 From: Bob

11 12 April 2005University of Virginia CS 58811 Onion Routing R5 R4 R3 R2 R1 Bob HashMatcher.com Pick n random routers, R i 1 …R i n R i k gets a message M k : E KU R ik (To: R i k+1 || M k+1 )

12 12 April 2005University of Virginia CS 58812 Onion Routing R5 R4 R3 R2 R1 Bob HashMatcher.com Pick 1 random router: R 2 Send R 2 : E KU R 2 (To: HashMatcher.com || M)

13 12 April 2005University of Virginia CS 58813 Onion Routing R5 R4 R3 R2 R1 Bob HashMatcher.com Pick 2 random routers: R 2, R 5 Send R 2 : E KU R2 [To: R5 || E KU R5 [To: HashMatcher.com || M]]

14 12 April 2005University of Virginia CS 58814 http://tor.eff.org

15 12 April 2005University of Virginia CS 58815 Traffic Analysis R5 R4 R3 R2 R1 Bob HashMatcher.com If these are the only packets on the network, someone observing the network know it was Bob

16 12 April 2005University of Virginia CS 58816 Preventing Traffic Analysis R5 R4 R3 R2 R1 Bob HashMatcher.com

17 12 April 2005University of Virginia CS 58817 Finding Partners If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order) Using onion rounting, sends HashMatcher: E H(W) [ W ] Using onion rounting, queries HashMatcher is there is a matching item –If so, Alice wants to work with him

18 12 April 2005University of Virginia CS 58818 Problems with this Protocol Cathy could send W = “Alice + Bob” Anyone can query “ x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which) If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them? Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol

19 12 April 2005University of Virginia CS 58819 MIXes C1 C2 C3 C4 M1 M2 M3 M4 Random, secret permutation Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input

20 12 April 2005University of Virginia CS 58820 MIX Net [Chaum81] C1 C2 C3 C4 M1 M2 M3 M4 A BC C = E KUA [E KUB [E KUC [M]]] What is input? What if Eve can see all traffic? What if one of A, B or C is corrupt? What if two are corrupt? Any good applications? E KRA (C) E KRB (C) E KRC (C)

21 12 April 2005University of Virginia CS 58821 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik”]]] How well does this work? * Note: any resemblance to real political parties is purely coincidental.

22 12 April 2005University of Virginia CS 58822 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik”]]] Each for any eavesdropper (knows public keys) to compute C for small set of possible messages

23 12 April 2005University of Virginia CS 58823 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik” || R]]]

24 12 April 2005University of Virginia CS 58824 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik” || R 1 ] R 2 ] R 3 ] Each mux decrypts with private key and removes R

25 12 April 2005University of Virginia CS 58825 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader”

26 12 April 2005University of Virginia CS 58826 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader” C = E KUG [“Badnarik” || R 1 ] Does publishing R 1 help?

27 12 April 2005University of Virginia CS 58827 Publishing R 1 Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted Voters can prove to someone else for whom they voted If Orange doesn’t like result, can still disrupt election C = E KUR [E KUD [E KUG [“Badnarik” || R 1 ] R 2 ] R 3 ]

28 12 April 2005University of Virginia CS 58828 Auditing Muxes C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader” Send inputs to next 2 muxes D mux picks n random inputs Asks R to prove they were done correctly How does R prove it?

29 12 April 2005University of Virginia CS 58829 Auditing Muxes C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader” Input i = E KUR [E KUD [E KUG [v || R 1 ] R 2 ] R 3 ] Output j = E KUD [E KUG [v || R 1 ] R 2 ] If R reveals j and R 3, D can check E KUR [Output j || R 3 ] = Input i

30 12 April 2005University of Virginia CS 58830 Auditing Tradeoffs For every audit, one input-output mapping is revealed The more audits, the more likelihood of catching cheater What if each mux audits ½ of the values?

31 12 April 2005University of Virginia CS 58831 Catching Cheaters Probability a mux can cheats on k votes without getting caught = Probability a voters vote is revealed to eavesdropper If muxes collude, all bets are off ½k½k m muxes ½ m Note: unaudited votes only be one of n /2 possible outputs!

32 12 April 2005University of Virginia CS 58832 Faculty Candidate talk tomorrow: Yih-Chun Hu (CMU, Berkeley) Securing Network Routing Olsson 011, 3:30PM

Download ppt "David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols."

Similar presentations

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.

COS 461 Fall 1997 Todays Lecture u intro to security in networking –confidentiality –integrity –authentication –authorization u orientation for assignment.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.

CIS 725 Key Exchange Protocols. Alice ( PB Bob (M, PR Alice (hash(M))) PB Alice Confidentiality, Integrity and Authenication PR Bob M, hash(M) M, PR Alice.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 5: Logs and Trees

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 5: Logs and Trees
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.

Slide 1 Vitaly Shmatikov CS 378 Key Establishment Pitfalls.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
15-441 Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from 15-441, semester’s past and others.

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Similar presentations

Ads by Google