Download presentation

Presentation is loading. Please wait.

Published byVirginia Wolfe Modified over 2 years ago

1
1 Cryptography: Numbers and Tools Gerard Tel Dept of Computing Science, Utrecht

2
2 Talk overview zPart 1: Numbers for Crypto yDefinition and existence: require P ≠ NP yEncryption with numbers: Elgamal yNumbers versus Ad hoc: Hashing zPart 2: Tools yZero knowledge proofs ySecret Sharing yCombined application: Verified committee decryption

3
3 Cryptography: The art of protection using information To have or not to have…. To know or not to know Definition (Knowledge): Party X knows all information he can feasibly compute from his available resources (facts and computing power)

4
4 Two examples zEncryption (AES) yAlice sends email y = E k (x) yBob computes x = D k (y) yOscar knows no k : which D function? z Identification with One-way function H yA gives Bank b = H(a) yBank pays on seeing a’ s.t. H (a’ ) = b yO knows no a’

5
5 More general example z Public/Secret pairs yAlice holds secret a yBob holds public b yRelation P (a, b) Require: yOscar cannot compute a from b But: yOscar can recognize a by verifying P

6
6 I recognize it when I see it.... …. but I don’t know it

7
7 Assumption: Discrete Log zCompute modulo large p : 0, 1, …, p -1 zElement g has order: 1 = g 0, g 1, g 2, g 3, … g ord = 1 Fix g of high prime order. zFrom a, power b = g a is computable zAssumption: From b, log a s.t. b = g a is not computable

8
8 The Elgamal Party Game zProgram: exponentiation, discrete log, Elgamal zBooklet: group demo of send/receive zCompute k-bit integers: Expo: k 3 time DLog: √2 k time www.cs.uu.nl/~gerard/Cryptografie/Elgamal

9
9 Symmetric encryption zSecret message is number: x zAlice and Bob share a key: z (blinder) zEncryption: y = E z (x) = x. z zDecryption: x = D z (y) = y. z -1 zMsg unreadable w/o blinder! zDifficulty: safely sharing z

10
10 Elgamal encryption zNew blinder for each message zInformation about z with msg zReadable only with a st g a =b zE b : (u, v) = (g k, b k.x) zD a : x = v. (u a ) -1 zBlinderat Enc = (g a ) k at Dec = (g k ) a a Imperial number b: 51284

11
11 Key generation zHow can Ceasar know log(b)? It is not computable from a ! zChoose random a ;// Secret key Let b = g a ;// Public key Publish b as the Imperial Number. zScheme by Elgamal, 1985 Diffie-Hellman key exchange, 1976

12
12 Numbers better than bits: Hash functions zMap H : {0,1} * {0,1} k Specifications regard computability: zComputable: Map H is computable zOne-way: From y = H (x), x cannot be found zCollision-free: No x 1, x 2 can be found s.t. H (x 1 ) = H (x 2 ) (Such x 1, x 2 exist)

13
13 Fair Guessing Games zLinda agrees to date Jon if he correctly guesses parity of x yL chooses x ; commits with y = H (x) yJ guesses even/odd yL reveals x zCheating? yy doesn’t reveal x to Jon one-way yy binds Linda collision-free

14
14 Bit manipulation: MD5 zHow does it work yXOR, AND, OR words yCombine with sin bits yFour rounds in z Why does it work? z Why four rounds? yMD4 background z Why this combination? yAttacks on variants z Why is it secure? yIt isn’t! yCollision found 2004 yAnswer: MD6?

15
15 Discrete Log Hash (Chaum) zHow does it work ySelect random b y : H (x, x’ ) = g x.b x’ z Why does it work ylog(b ): a s.t. g a = b will never be known yH (x, x’ ) = H (y, y’ ) g x. b x’ = g y. b y’ a = (x - y )(y’ - x’ ) -1 z Cryptographically strong collision free

16
16 Trapdoor Hash zCheat in generation of H. ySelect b = g a instead of random b. zCollision: yg x. b x’ = g x - a.Z. b x’ + z zTrapped H remains cryptographically strong one-way.

17
17 Gerard Tel, Part 2: zCryptographic tools: yZero knowledge ySecret sharing yCombine all: group decryption

18
18 Zero knowledge proofs zExample: Identification yA gives bank b = H (a) yBank pays on seeing a zIf Alice shows a: employee, eavesdropper become as powerful. zAlice proves to know a without showing implicitly proves existence of a st H (a) = b zCan be done for all NP statements

19
19 ZKP of a Discrete Log zBob sees b, Alice holds a st b = g a zAlice proves this knowledge: yAlice: random r, set s = g r and gives Bob s Claim: I know log of s.b c for any c yBob: challenges Alice with one random c yAlice: replies y = r + a. c yBob: verifies that g y = s. b c zIf Alice indeed holds the right a, Bob’s check comes out right.

20
20 Can Alice cheat? Assume Alice guesses Bob’s c beforehand: zRandom y zTake s = g y. b –c and send s to Bob zNow g y = s. b c Alice passes protocol without knowing a Probability of correct guess is extremely small: neglectible

21
21 What does Bob learn? zTriple (s, c, y)s is random power c is random number y solves g y = s. b c zBob already knew such numbers!! They can be generated from Bob’s data. zTo generate such, choose c as random number y as random number s as g y / b c

22
22 How can it convince? zCompute in order s, c, y : needs a zCompute in order y, c, s : don’t need a zProtocol enforces s, c, y zTranscript doesn’t show order.

23
23 Order s, c, y w/o guessing c Alice sends s, and can respond on c 1 and c 2 zAlice knows y 1 and y 2 st g y1 = s. b c1 and g y2 = s. b c2 zThen b = g (y1 – y2)/(c1 – c2) : Alice knows a. zAlice cannot fool Bob without knowing a.

24
24 Secret Sharing zGoal: share holders together know a zShare: related to a zk -1 shares reveal nothing zk shares reveal all in reconstruction zOr allow computations with a

25
25 Concepts in Sharing zUse: yBank, company yNuclear heads yDigital money yKey escrow yDigital voting z How many shares yVeto(split) yThreshold(share) z Cheating protection yHolders can cheat yVerifiable z Actions with secret yReconstruction yUse

26
26 Additive secret split zDefinition: a = a 1 + … + a i + … + a k The secret is the sum of the shares zProtection: No subset of shareholders can collude to access the secret Given k - 1 shares, every a is still possible zGeneration: SHi sets random a i ; now a is defined implicitly but unknown

27
27 Example: Elgamal decrypt zConstruction of public key ySHi computes and shows: b i = g ai (partial public key and public share) yCompute b = b 1. …. b k yNow b = g a, though a is still unknown! zHow to send a message: yUse public b to compute (u, v) as usual: (u, v) = (g k, x. b k )

28
28 Decrypting with shared key zComputation of v. (u a ) -1 zPool shares: a = a 1 + … + a k ? Compromises splitting!! zTo compute u a : ySH i sends z i = u a i yLet z = z 1. …. z k yLet x = v. z -1 zSecret key is still unknown

29
29 Cheating Shareholders zIf SHi doesn’t like the message she may submit a z i different from u ai zIf SHi is fair she knows a i s.t. both z i = u ai and b i = g ai. zProves knowledge in Zero Knowledge zEncryption, ZKP, Commit, Sharing

30
30 Perfect Secret Shares zTheorem: through k points runs exactly one curve of degree k - 1 zDealing: select a 1 through a k-1, a 0 = a yf (z) = a 0 + a 1.z + … + a k-1.z k-1 yShare s i is f (i ) zReconstruction from k points: ypolynomial interpolation

31
31 Conclusions zNumbers as basis for cryptography zMost of cryptography is unproven: Relies on P ≠ NP zTool box based on Discrete Logarithm: Encrypt, Hash, ZKP, Secret share zAlternative tool boxes based on Integer Factorization: RSA

32
32 Questions?

33
33 Formulas on Discrete Log Cryptography zCompute modulo p zSecret: a Public: b Related: g a = b zElgamal Functions: E b (x) = (g k, x.b k ) D a (u, v) = v.(u a ) -1 zChaum’s Hash: H (x, x ’) = g x. b x ’ z ZKP of log(b): yA: Rnd r, send s = g r yB: Rnd c, send c yA: Send y = r + ac yB: Check g y = s. b c z Additive Secret Split: a = a 1 + … + a k

Similar presentations

Presentation is loading. Please wait....

OK

Cryptography CS 111 -- Lecture 19 Prof. Amit Sahai.

Cryptography CS 111 -- Lecture 19 Prof. Amit Sahai.

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Download free ppt on srinivasa ramanujan Ppt on distance formula and midpoint Ppt on credit default swaps market Ppt on power sharing in democracy sovereign Ppt on atm machine software Ppt on beer lambert law and its function Ppt on bluetooth applications Ppt on nasogastric tube insertion Ppt on elections in india downloads Ppt on growing bad food habits