Download presentation

Presentation is loading. Please wait.

Published byLuis Orgel Modified over 2 years ago

1
David Evans http://www.cs.virginia.edu/evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols

2
12 April 2005University of Virginia CS 5882 Story So Far Symmetric Encryption –Amplify and time-shift a small secret to transmit large secrets Asymmetric Encryption –Use a trustworthy non-secret to establish secrets, check signatures Proving an encryption algorithm is secure is either: –Reasonably easy if it is a perfect cipher –Essentially impossible if it is not

3
12 April 2005University of Virginia CS 5883 Plan for Rest of the Course Today, Thursday: some interesting applications of cryptography Next Tuesday: Quantum/visual crypto Next Thursday, April 26: Software system security: real world security is mostly not about cryptography April 28: Project presentations If there’s anything you hoped this course would cover that is not listed here, send me requests by Friday

4
12 April 2005University of Virginia CS 5884 Finding Project Partners Simple way: –Ask people in the class if they want to work with you Problems: –You face rejection and ridicule if they say no Can you find partners without revealing your wishes unless they are reciprocated? –Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them

5
12 April 2005University of Virginia CS 5885 Alice is your best match Use a Universally Trusted Third Party Alice Bob Bob would like to work with: Ron Rivest Sandra Bullock Alice Alice: Thomas Jefferson Colleen Hacker Bob MatchMaker.com

6
12 April 2005University of Virginia CS 5886 Use a Universally Trusted Third Party Bob E KU M [E KR B [“Bob would like …”]] MatchMaker.com E KU B [E KR M [“Alice”]]

7
12 April 2005University of Virginia CS 5887 HashMaker.com? Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board. No on else can tell Bob’s deepest darkest desires ( H is one-way) If someone else writes the same hash on the board, Bob has found his match How well does this work?

8
12 April 2005University of Virginia CS 5888 Untrusted Third Party Bob E H(W) [ W ] HashMatcher.com Use the hash of the wish as the encryption key so some symmetric cipher: HashMatcher can’t determine the wish Someone with the same exact wish will match exactly

9
12 April 2005University of Virginia CS 5889 Untrusted Third Party Bob E H(W) [ W ] HashMatcher.com

10
12 April 2005University of Virginia CS 58810 How can we send a message to HashMaker without it knowing who sent it? To: HashMaker From: Anonymous To: Router4 To: Router3 To: Router2 To: Router1 From: Bob

11
12 April 2005University of Virginia CS 58811 Onion Routing R5 R4 R3 R2 R1 Bob HashMatcher.com Pick n random routers, R i 1 …R i n R i k gets a message M k : E KU R ik (To: R i k+1 || M k+1 )

12
12 April 2005University of Virginia CS 58812 Onion Routing R5 R4 R3 R2 R1 Bob HashMatcher.com Pick 1 random router: R 2 Send R 2 : E KU R 2 (To: HashMatcher.com || M)

13
12 April 2005University of Virginia CS 58813 Onion Routing R5 R4 R3 R2 R1 Bob HashMatcher.com Pick 2 random routers: R 2, R 5 Send R 2 : E KU R2 [To: R5 || E KU R5 [To: HashMatcher.com || M]]

14
12 April 2005University of Virginia CS 58814 http://tor.eff.org

15
12 April 2005University of Virginia CS 58815 Traffic Analysis R5 R4 R3 R2 R1 Bob HashMatcher.com If these are the only packets on the network, someone observing the network know it was Bob

16
12 April 2005University of Virginia CS 58816 Preventing Traffic Analysis R5 R4 R3 R2 R1 Bob HashMatcher.com

17
12 April 2005University of Virginia CS 58817 Finding Partners If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order) Using onion rounting, sends HashMatcher: E H(W) [ W ] Using onion rounting, queries HashMatcher is there is a matching item –If so, Alice wants to work with him

18
12 April 2005University of Virginia CS 58818 Problems with this Protocol Cathy could send W = “Alice + Bob” Anyone can query “ x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which) If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them? Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol

19
12 April 2005University of Virginia CS 58819 MIXes C1 C2 C3 C4 M1 M2 M3 M4 Random, secret permutation Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input

20
12 April 2005University of Virginia CS 58820 MIX Net [Chaum81] C1 C2 C3 C4 M1 M2 M3 M4 A BC C = E KUA [E KUB [E KUC [M]]] What is input? What if Eve can see all traffic? What if one of A, B or C is corrupt? What if two are corrupt? Any good applications? E KRA (C) E KRB (C) E KRC (C)

21
12 April 2005University of Virginia CS 58821 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik”]]] How well does this work? * Note: any resemblance to real political parties is purely coincidental.

22
12 April 2005University of Virginia CS 58822 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik”]]] Each for any eavesdropper (knows public keys) to compute C for small set of possible messages

23
12 April 2005University of Virginia CS 58823 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik” || R]]]

24
12 April 2005University of Virginia CS 58824 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party C = E KUR [E KUD [E KUG [“Badnarik” || R 1 ] R 2 ] R 3 ] Each mux decrypts with private key and removes R

25
12 April 2005University of Virginia CS 58825 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader”

26
12 April 2005University of Virginia CS 58826 Voting Application C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader” C = E KUG [“Badnarik” || R 1 ] Does publishing R 1 help?

27
12 April 2005University of Virginia CS 58827 Publishing R 1 Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted Voters can prove to someone else for whom they voted If Orange doesn’t like result, can still disrupt election C = E KUR [E KUD [E KUG [“Badnarik” || R 1 ] R 2 ] R 3 ]

28
12 April 2005University of Virginia CS 58828 Auditing Muxes C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader” Send inputs to next 2 muxes D mux picks n random inputs Asks R to prove they were done correctly How does R prove it?

29
12 April 2005University of Virginia CS 58829 Auditing Muxes C1 C2 C3 C4 M1 M2 M3 M4 Republicrat Party Democrican Party Orange Party “Nader” Input i = E KUR [E KUD [E KUG [v || R 1 ] R 2 ] R 3 ] Output j = E KUD [E KUG [v || R 1 ] R 2 ] If R reveals j and R 3, D can check E KUR [Output j || R 3 ] = Input i

30
12 April 2005University of Virginia CS 58830 Auditing Tradeoffs For every audit, one input-output mapping is revealed The more audits, the more likelihood of catching cheater What if each mux audits ½ of the values?

31
12 April 2005University of Virginia CS 58831 Catching Cheaters Probability a mux can cheats on k votes without getting caught = Probability a voters vote is revealed to eavesdropper If muxes collude, all bets are off ½k½k m muxes ½ m Note: unaudited votes only be one of n /2 possible outputs!

32
12 April 2005University of Virginia CS 58832 Faculty Candidate talk tomorrow: Yih-Chun Hu (CMU, Berkeley) Securing Network Routing Olsson 011, 3:30PM

Similar presentations

OK

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

Cryptography in World War II Jefferson Institute for Lifelong Learning at UVa Spring 2006 David Evans Class 4: Modern Cryptography

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google