Published by Virginia Wolfe. Modified about 1 year ago.

Slide 1: Cryptography: Numbers and Tools
Gerard Tel, Dept of Computing Science, Utrecht

Slide 2: Talk overview
- Part 1: Numbers for Crypto
  - Definition and existence: require P ≠ NP
  - Encryption with numbers: Elgamal
  - Numbers versus Ad hoc: Hashing
- Part 2: Tools
  - Zero knowledge proofs
  - Secret Sharing
  - Combined application: Verified committee decryption

Slide 3: Cryptography: The art of protection using information
To have or not to have… To know or not to know
Definition (Knowledge): Party X knows all information he can feasibly compute from his available resources (facts and computing power)

Slide 4: Two examples
- Encryption (AES)
  - Alice sends y = E_k(x)
  - Bob computes x = D_k(y)
  - Oscar knows no k: which D function?
- Identification with one-way function H
  - A gives Bank b = H(a)
  - Bank pays on seeing a' s.t. H(a') = b
  - O knows no a'

Slide 5: More general example
- Public/Secret pairs
  - Alice holds secret a
  - Bob holds public b
  - Relation P(a, b)
Require:
  - Oscar cannot compute a from b
But:
  - Oscar can recognize a by verifying P

Slide 6: I recognize it when I see it… but I don't know it

Slide 7: Assumption: Discrete Log
- Compute modulo large p: 0, 1, …, p−1
- Element g has order: 1 = g^0, g^1, g^2, g^3, …, g^ord = 1
  Fix g of high prime order.
- From a, power b = g^a is computable
- Assumption: From b, log a s.t. b = g^a is not computable

Slide 8: The Elgamal Party Game
- Program: exponentiation, discrete log, Elgamal
- Booklet: group demo of send/receive
- Compute k-bit integers:
  Expo: k^3 time
  DLog: √(2^k) time

Slide 9: Symmetric encryption
- Secret message is number: x
- Alice and Bob share a key: z (blinder)
- Encryption: y = E_z(x) = x · z
- Decryption: x = D_z(y) = y · z^{-1}
- Msg unreadable w/o blinder!
- Difficulty: safely sharing z

Slide 10: Elgamal encryption
- New blinder for each message
- Information about z with msg
- Readable only with a s.t. g^a = b
- E_b: (u, v) = (g^k, b^k · x)
- D_a: x = v · (u^a)^{-1}
- Blinder: at Enc = (g^a)^k, at Dec = (g^k)^a
Imperial number b: 51284

Slide 11: Key generation
- How can Caesar know log(b)? It is not computable from a!
- Choose random a;  // Secret key
  Let b = g^a;  // Public key
  Publish b as the Imperial Number.
- Scheme by Elgamal, 1985
  Diffie-Hellman key exchange, 1976

Slide 12: Numbers better than bits: Hash functions
- Map H: {0,1}^* → {0,1}^k
  Specifications regard computability:
- Computable: Map H is computable
- One-way: From y = H(x), x cannot be found
- Collision-free: No x_1, x_2 can be found s.t. H(x_1) = H(x_2)
  (Such x_1, x_2 exist)

Slide 13: Fair Guessing Games
- Linda agrees to date Jon if he correctly guesses parity of x
  - L chooses x; commits with y = H(x)
  - J guesses even/odd
  - L reveals x
- Cheating?
  - y doesn't reveal x to Jon: one-way
  - y binds Linda: collision-free

Slide 14: Bit manipulation: MD5
- How does it work
  - XOR, AND, OR words
  - Combine with sin bits
  - Four rounds in
- Why does it work?
- Why four rounds?
  - MD4 background
- Why this combination?
  - Attacks on variants
- Why is it secure?
  - It isn't!
  - Collision found 2004
  - Answer: MD6?

Slide 15: Discrete Log Hash (Chaum)
- How does it work
  - Select random b
  - H(x, x') = g^x · b^{x'}
- Why does it work
  - log(b): a s.t. g^a = b will never be known
  - H(x, x') = H(y, y') ⇒ g^x · b^{x'} = g^y · b^{y'} ⇒ a = (x − y)(y' − x')^{-1}
- Cryptographically strong collision free

Slide 16: Trapdoor Hash
- Cheat in generation of H.
  - Select b = g^a instead of random b.
- Collision:
  - g^x · b^{x'} = g^{x − a·z} · b^{x' + z}
- Trapped H remains cryptographically strong one-way.
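
An added example (not part of the original slides) that runs both directions of the argument above: a collision in Chaum's hash yields log(b), and whoever generated b = g^a can produce collisions at will. The group parameters P, Q, G are toy values assumed for illustration and are far too small for real use.

```python
import secrets

# Toy group (assumed for illustration): P = 2Q + 1, Q prime, G of order Q.
P, Q, G = 2039, 1019, 4

def chaum_hash(b, x, x2):
    """H(x, x') = g^x * b^x' mod p, as on the slide."""
    return pow(G, x, P) * pow(b, x2, P) % P

def log_from_collision(x, x2, y, y2):
    """A collision gives a = (x - y)(y' - x')^-1 mod q."""
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def trapdoor_collision(a, x, x2, z):
    """Knowing a, the input (x - a*z, x' + z) hashes like (x, x')."""
    return (x - a * z) % Q, (x2 + z) % Q

def demo():
    a = secrets.randbelow(Q - 1) + 1      # trapdoor kept by a cheating generator
    b = pow(G, a, P)                      # published as if it were random
    x, x2 = 123, 456                      # constructed sample input
    z = secrets.randbelow(Q - 1) + 1      # any nonzero shift works
    y, y2 = trapdoor_collision(a, x, x2, z)
    same_digest = chaum_hash(b, x, x2) == chaum_hash(b, y, y2)
    different_input = (x, x2) != (y, y2)
    recovered = log_from_collision(x, x2, y, y2) == a
    return same_digest, different_input, recovered

if __name__ == "__main__":
    print(demo())
```

A verifier cannot tell a trapped b from a random one, which is why b should come from a process in which no party can have chosen a.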

Slide 17: Gerard Tel, Part 2
- Cryptographic tools:
  - Zero knowledge
  - Secret sharing
  - Combine all: group decryption

Slide 18: Zero knowledge proofs
- Example: Identification
  - A gives bank b = H(a)
  - Bank pays on seeing a
- If Alice shows a: employee, eavesdropper become as powerful.
- Alice proves to know a without showing; implicitly proves existence of a s.t. H(a) = b
- Can be done for all NP statements

Slide 19: ZKP of a Discrete Log
- Bob sees b, Alice holds a s.t. b = g^a
- Alice proves this knowledge:
  - Alice: random r, set s = g^r and gives Bob s
    Claim: I know log of s · b^c for any c
  - Bob: challenges Alice with one random c
  - Alice: replies y = r + a · c
  - Bob: verifies that g^y = s · b^c
- If Alice indeed holds the right a, Bob's check comes out right.

Slide 20: Can Alice cheat?
Assume Alice guesses Bob's c beforehand:
- Random y
- Take s = g^y · b^{−c} and send s to Bob
- Now g^y = s · b^c
Alice passes protocol without knowing a
Probability of correct guess is extremely small: negligible

Slide 21: What does Bob learn?
- Triple (s, c, y):
  s is random power
  c is random number
  y solves g^y = s · b^c
- Bob already knew such numbers!! They can be generated from Bob's data.
- To generate such, choose
  c as random number
  y as random number
  s as g^y / b^c

Slide 22: How can it convince?
- Compute in order s, c, y: needs a
- Compute in order y, c, s: don't need a
- Protocol enforces s, c, y
- Transcript doesn't show order.

Slide 23: Order s, c, y w/o guessing c
Alice sends s, and can respond on c_1 and c_2
- Alice knows y_1 and y_2 s.t. g^{y_1} = s · b^{c_1} and g^{y_2} = s · b^{c_2}
- Then b = g^{(y_1 − y_2)/(c_1 − c_2)}: Alice knows a.
- Alice cannot fool Bob without knowing a.
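
An added example (not part of the original slides) covering the last five slides in one run: the honest order s, c, y, a transcript built in the order y, c, s from b alone, the cheat that works only when c was guessed, and the recovery of a from two replies to the same s. P, Q, G are toy parameters assumed for illustration, and the challenge values are constructed.

```python
import secrets

P, Q, G = 2039, 1019, 4   # toy group (assumed): G has prime order Q modulo P

def respond(a, r, c):
    """Alice's reply y = r + a*c, reduced modulo the order of g."""
    return (r + a * c) % Q

def verify(b, s, c, y):
    """Bob's check: g^y == s * b^c (mod p)."""
    return pow(G, y, P) == s * pow(b, c, P) % P

def simulate(b, c=None):
    """Order y, c, s needs no a: s = g^y / b^c. A fixed c models a guessed challenge."""
    y = secrets.randbelow(Q)
    c = secrets.randbelow(Q) if c is None else c
    return pow(G, y, P) * pow(b, -c, P) % P, c, y

def extract(c1, y1, c2, y2):
    """Two replies to one s give a = (y1 - y2)/(c1 - c2) mod q."""
    return (y1 - y2) * pow((c1 - c2) % Q, -1, Q) % Q

def demo():
    a = secrets.randbelow(Q - 1) + 1          # Alice's secret
    b = pow(G, a, P)                          # public value Bob sees
    r = secrets.randbelow(Q)
    s = pow(G, r, P)                          # commitment, sent first
    c1, c2 = 17, 400                          # two different challenges
    y1, y2 = respond(a, r, c1), respond(a, r, c2)
    s_sim, c_sim, y_sim = simulate(b)         # transcript made from b alone
    s_bad, guess, y_bad = simulate(b, c=5)    # cheater betting on c = 5
    return {
        "honest": verify(b, s, c1, y1) and verify(b, s, c2, y2),
        "simulated": verify(b, s_sim, c_sim, y_sim),
        "cheat_if_guess_right": verify(b, s_bad, guess, y_bad),
        "cheat_if_guess_wrong": verify(b, s_bad, guess + 1, y_bad),
        "extracted_a": extract(c1, y1, c2, y2) == a,
    }

if __name__ == "__main__":
    print(demo())
```

The extraction step is also the reason r must never be reused across two runs: a passive observer of both transcripts can apply `extract` just as well.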

Slide 24: Secret Sharing
- Goal: share holders together know a
- Share: related to a
- k−1 shares reveal nothing
- k shares reveal all in reconstruction
- Or allow computations with a

Slide 25: Concepts in Sharing
- Use:
  - Bank, company
  - Nuclear heads
  - Digital money
  - Key escrow
  - Digital voting
- How many shares
  - Veto (split)
  - Threshold (share)
- Cheating protection
  - Holders can cheat
  - Verifiable
- Actions with secret
  - Reconstruction
  - Use

Slide 26: Additive secret split
- Definition: a = a_1 + … + a_i + … + a_k
  The secret is the sum of the shares
- Protection: No subset of shareholders can collude to access the secret
  Given k − 1 shares, every a is still possible
- Generation: SH_i sets random a_i; now a is defined implicitly but unknown

Slide 27: Example: Elgamal decrypt
- Construction of public key
  - SH_i computes and shows: b_i = g^{a_i} (partial public key and public share)
  - Compute b = b_1 · … · b_k
  - Now b = g^a, though a is still unknown!
- How to send a message:
  - Use public b to compute (u, v) as usual: (u, v) = (g^k, x · b^k)

Slide 28: Decrypting with shared key
- Computation of v · (u^a)^{-1}
- Pool shares: a = a_1 + … + a_k? Compromises splitting!!
- To compute u^a:
  - SH_i sends z_i = u^{a_i}
  - Let z = z_1 · … · z_k
  - Let x = v · z^{-1}
- Secret key is still unknown

Slide 29: Cheating Shareholders
- If SH_i doesn't like the message she may submit a z_i different from u^{a_i}
- If SH_i is fair she knows a_i s.t. both z_i = u^{a_i} and b_i = g^{a_i}.
- Proves knowledge in Zero Knowledge
- Encryption, ZKP, Commit, Sharing
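
An added example (not part of the original slides) of the committee decryption built up over the last four slides: an additively split key, Elgamal under the joint b, decryption from the z_i alone, and a check that each z_i uses the same a_i as b_i. The slides name no specific proof, so the Chaum-Pedersen equality-of-logs protocol is used here as an assumed choice; P, Q, G, the message and the number of holders are toy values.

```python
import secrets

P, Q, G = 2039, 1019, 4   # toy group (assumed): G has prime order Q modulo P

def prod(values):
    out = 1
    for value in values:
        out = out * value % P
    return out

def encrypt(b, x):
    """Elgamal under the joint key b: (u, v) = (g^k, x * b^k)."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), x * pow(b, k, P) % P

def combine(v, partials):
    """x = v * z^-1 with z = z_1 * ... * z_k; the sum a is never formed."""
    return v * pow(prod(partials), -1, P) % P

def prove_share(a_i, u, challenge):
    """Show one a_i serves both b_i = g^a_i and z_i = u^a_i (Chaum-Pedersen)."""
    r = secrets.randbelow(Q)
    s1, s2 = pow(G, r, P), pow(u, r, P)      # commitments, sent before c
    c = challenge()
    return s1, s2, c, (r + a_i * c) % Q

def check_share(b_i, u, z_i, proof):
    s1, s2, c, y = proof
    return (pow(G, y, P) == s1 * pow(b_i, c, P) % P
            and pow(u, y, P) == s2 * pow(z_i, c, P) % P)

def demo(x=1234, holders=3):
    challenge = lambda: secrets.randbelow(Q - 1) + 1       # verifier's nonzero c
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(holders)]  # a_i
    pub = [pow(G, a_i, P) for a_i in shares]               # published b_i
    u, v = encrypt(prod(pub), x)                           # b = b_1 * ... * b_k
    partials = [pow(u, a_i, P) for a_i in shares]          # z_i = u^a_i
    proofs = [prove_share(a_i, u, challenge) for a_i in shares]
    all_ok = all(check_share(b_i, u, z_i, pf)
                 for b_i, z_i, pf in zip(pub, partials, proofs))
    bad = partials[0] * G % P                              # SH_1 submits a wrong z_1
    caught = not check_share(pub[0], u, bad, proofs[0])
    return combine(v, partials), combine(v, [bad] + partials[1:]), all_ok, caught

if __name__ == "__main__":
    print(demo())
```

The second return value shows what an unchecked wrong z_1 does to the plaintext; the last one shows the same z_1 failing the share check.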

Slide 30: Perfect Secret Shares
- Theorem: through k points runs exactly one curve of degree k − 1
- Dealing: select a_1 through a_{k-1}, a_0 = a
  - f(z) = a_0 + a_1 · z + … + a_{k-1} · z^{k-1}
  - Share s_i is f(i)
- Reconstruction from k points:
  - polynomial interpolation
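
An added example (not part of the original slides) of dealing and reconstruction, plus a check of why the shares are called perfect: with k − 1 shares, every candidate secret is matched by exactly one possible k-th share. Arithmetic modulo a small prime Q is an assumption of this sketch, as are the secret and the values of k and n.

```python
import secrets

Q = 1019   # toy prime modulus (assumed); secret and shares live in Z_Q

def deal(a, k, n):
    """f(z) = a_0 + a_1*z + ... + a_{k-1}*z^(k-1) with a_0 = a; share s_i = f(i)."""
    coeffs = [a] + [secrets.randbelow(Q) for _ in range(k - 1)]
    def f(z):
        return sum(c * pow(z, j, Q) for j, c in enumerate(coeffs)) % Q
    return [(i, f(i)) for i in range(1, n + 1)]

def interpolate(points, at=0):
    """Lagrange interpolation mod Q: value at `at` of the curve through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def missing_share_per_secret(known, index):
    """For every candidate secret, the share at `index` that would make it fit."""
    return {cand: interpolate([(0, cand)] + known, at=index) for cand in range(Q)}

def demo(a=777, k=3, n=5):
    shares = deal(a, k, n)
    from_first = interpolate(shares[:k])          # any k shares give f(0) = a
    from_last = interpolate(shares[-k:])
    fits = missing_share_per_secret(shares[:k - 1], index=k)
    # k-1 shares fit all Q secrets, each through a different k-th share
    return from_first, from_last, len(set(fits.values())), fits[a] == shares[k - 1][1]

if __name__ == "__main__":
    print(demo())
```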

Slide 31: Conclusions
- Numbers as basis for cryptography
- Most of cryptography is unproven: Relies on P ≠ NP
- Tool box based on Discrete Logarithm: Encrypt, Hash, ZKP, Secret share
- Alternative tool boxes based on Integer Factorization: RSA

Slide 32: Questions?

Slide 33: Formulas on Discrete Log Cryptography
- Compute modulo p
- Secret: a   Public: b   Related: g^a = b
- Elgamal Functions: E_b(x) = (g^k, x · b^k), D_a(u, v) = v · (u^a)^{-1}
- Chaum's Hash: H(x, x') = g^x · b^{x'}
- ZKP of log(b):
  - A: Rnd r, send s = g^r
  - B: Rnd c, send c
  - A: Send y = r + ac
  - B: Check g^y = s · b^c
- Additive Secret Split: a = a_1 + … + a_k
