1 Cryptography: Proofs and Tools
Gerard Tel, Dept of Computer Science, Utrecht
2 Talk overview
- Part 1: Proofs
  - Definition and existence
  - Proofs with numbers
  - Numbers versus "Ad hoc"
- Part 2: Tools
  - Signature schemes
  - Zero knowledge proofs
  - Secret Sharing
3 Cryptography: The art of protection using information
To have or not to have…
To know or not to know
4 Two examples
- Encryption (DES)
  - Alice sends email y = E_k(x)
  - Bob computes x = D_k(y)
  - Oscar knows no k: which D function?
- Identification with one-way function H
  - A gives Bank b = H(a)
  - Bank pays on seeing a' s.t. H(a') = b
  - O knows no a'
5 Two more examples
- Signatures
  - Alice signs M with x: S = Sig(M, x)
  - Bob verifies with y: Ver(M, S, y)
  - Oscar cannot forge S' for M' s.t. Ver(M', S', y)
- Public key pairs
  - Alice holds secret x
  - Bob holds public y
  - Relation P(x, y)
  - Oscar cannot compute x from y
6 I recognize it when I see it...
- Encryption: k s.t. D_k(y) is text
- Identification: a' s.t. H(a') = b
- Signatures: S' s.t. Ver(M', S', y)
- Key pair: x s.t. P(x, y)
7 … But I don't know it
8 Assumption: Factoring
- Primes p and q (e.g. 512 bits)
- n = p · q (1024 bits)
- Given n, one recognizes p and q
- Assumption: Given n, computing p is impossible
9 Assumption: Discrete Log
- Compute modulo large p: 0, 1, …, p − 1
- Element g has order: 1 = g^0, g^1, g^2, g^3, …, g^ord = 1. Fix g of high order.
- From x, power y = g^x is computable
- Assumption: From y, x s.t. y = g^x is not computable
10 Rabin's encryption
- Alice's secret key: p and q; public key: product n
- Bob encrypts x as y = x^2 mod n
- Alice decrypts by extracting a square root; p and q are needed!
- Oscar cannot extract roots
11 Square roots modulo n
- A square number has 4 roots
- n = 77 = 7 · 11: 36^2 = 64 (1296 mod 77); 36, 41, 8, 69 have square 64
- Two pairs: 36 = −41 and 8 = −69
- Combine from two pairs: 41 + 69 = 33
- gcd(33, 77) = 11
12 Rabin: Provably Secure
- If Oscar can find x from x^2 = y mod n
  - Select random z
  - Solve x from x^2 = z^2
  - Prob. 1/2: x and z differ: find p and q
- Contradicts Factoring Assumption
- Rabin is cryptographically strong
13 Chosen Ciphertext Attack
- Procedure for CCA:
  - Oscar sends Alice y, obtains x, computes
- Rabin is vulnerable:
  - Oscar sends y = z^2
  - succeeds with Pr = 1/2
- Decrypted messages as sensitive as key
- Weakness inherent in strength
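The argument of slides 11 to 13 as an added Python example (not part of the original presentation): anything that returns square roots modulo n, whether a hypothetical root-finding algorithm or Alice's own decryption, yields the factors of n. It uses the slide's n = 77; the names all_roots, root_oracle and factor_with_oracle are chosen here for illustration.

```python
import math
import random

P, Q = 7, 11   # Alice's secret primes from slide 11 (both are 3 mod 4)
N = P * Q      # public key n = 77

def all_roots(y):
    """Alice's decryption: roots mod p and mod q, combined with the CRT."""
    rp = pow(y, (P + 1) // 4, P)   # root mod p, valid because p % 4 == 3
    rq = pow(y, (Q + 1) // 4, Q)
    roots = set()
    for sp in (rp, P - rp):
        for sq in (rq, Q - rq):
            # the unique x mod n with x = sp (mod p) and x = sq (mod q)
            roots.add((sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N)
    return sorted(roots)

def root_oracle(y, rng):
    """Hypothetical root finder: returns some root, not chosen by the caller."""
    return rng.choice(all_roots(y))

def factor_with_oracle(n, oracle, rng, max_tries=64):
    """Slide 12: pick z, get a root x of z^2; if x != +-z, gcd(x + z, n) splits n."""
    for _ in range(max_tries):
        z = rng.randrange(2, n - 1)
        if math.gcd(z, n) != 1:
            continue               # skip lucky hits; they are not the reduction
        x = oracle(pow(z, 2, n), rng)
        if x not in (z, n - z):    # happens with probability 1/2
            return math.gcd(x + z, n)
    return None
```

The same function is both the security proof (a root finder contradicts the factoring assumption) and the reason a Rabin key holder must never return raw decryptions of ciphertexts chosen by someone else.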
14 RSA: Allegedly secure
- Similar but use higher order roots.
- Public key: (n, e)
- Encryption y = x^e
- Decryption x = y^d (d from p, q)
- e-th rooting is believed but not proven to be as hard as factoring
15 RSA Decryption
- φ = (p − 1)(q − 1)
- All x: x^φ = 1 (mod n)
- From p, q, n, e, compute d s.t. e · d = k · φ + 1
- y^d = (x^e)^d = x^(k·φ + 1) = 1^k · x = x
- Secretly keep d, purge p, q.
16 RSA Keys are secure
- Oscar finds φ from n:
  - p + q = n − φ + 1, solve p, q
- Oscar finds φ from n and e:
  - Simulate generation of e to do without
- Oscar finds d from n and e:
  - n, e, d → p, q
- Key protection is cryptographically strong
17 Ad hoc versus Numbers: Hash functions
- Map H: {0,1}* → {0,1}^k
- One-way:
  - From y = H(x), x cannot be found
- Collision-free:
  - No x_1, x_2 can be found s.t. H(x_1) = H(x_2)
  - Such x_1, x_2 exist
18 Fair Guessing Games
- Linda dates Jon if Jon guesses parity of x
  - L chooses x and gives y = H(x)
  - J guesses even/odd
  - L reveals x
- Cheating
  - y doesn't reveal x to Jon: one-way
  - y binds Linda: collision-free
19 Bit manipulation: MD5
- How does it work
  - XOR, AND, OR words
  - Combine with sin bits
  - Four rounds in
- Why does it work
- Why four rounds
  - MD4 background
- Why this combination
  - Attacks on variants
- Why is it secure?
  - We don't know
20 Discrete Log Hash (Chaum)
- How does it work
  - Select g, random h.
  - f(x, x') = g^x · h^(x')
- Why does it work
  - log(h): a s.t. g^a = h will never be known
  - f(x, x') = f(y, y') → g^x · h^(x') = g^y · h^(y') → a = (x − y)(y' − x')^(−1)
- Cryptographically strong collision free
21 Trapdoor Hash
- Cheat in generation of f.
  - Select h = g^a instead of random h.
- Collision:
  - g^x · h^(x') = g^(x − a·z) · h^(x' + z)
- Trapped f remains cryptographically strong one-way.
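Slides 20 and 21 are two directions of one equivalence, shown here as an added Python example (not from the original presentation): whoever knows a = log(h) can produce collisions, and any collision reveals a. The group (p = 2039, q = 1019, g = 4) and the trapdoor value are small constructed numbers, and exponents are reduced modulo the order q of g.

```python
P, Q, G = 2039, 1019, 4    # constructed toy group: g = 4 has prime order q in Z_p*
TRAPDOOR = 313             # a, known only to a generator who cheats (slide 21)
H = pow(G, TRAPDOOR, P)    # h = g^a instead of a random h

def f(x, x2):
    """Chaum's hash f(x, x') = g^x * h^x' mod p."""
    return pow(G, x, P) * pow(H, x2, P) % P

def collide(x, x2, z, a):
    """Slide 21: with the trapdoor a, (x - a*z, x' + z) hashes like (x, x')."""
    return (x - a * z) % Q, (x2 + z) % Q

def log_from_collision(x, x2, y, y2):
    """Slide 20: a collision gives a = (x - y) * (y' - x')^-1 mod q."""
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q
```

A verifier who did not see h being generated cannot tell a trapped h from a random one, which is why h is best derived in a way that leaves no party holding its logarithm.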
22 Questions?
23 Gerard Tel, Part 2:
- Cryptographic Tools:
  - Signatures
  - Zero knowledge
  - Secret Sharing
24 Digital Signatures
- Alice signs message M: S = Sig(M, x)
- Bob verifies signature S: Ver(M, S, y)
- Validity: Ver(M, Sig(M, x), y)
- Forgery: Oscar finds M, S: Ver(M, S, y)
25 RSA Signatures
- Public/Secret key: (n, e) and (n, d)
  - Functions x → x^e and y → y^d are inverses
- Sign M: S = M^d (compute)
- Verify S: S^e = M (check)
- Forge signature under M:
  - Invert RSA public function
26 Existential Forgery
- Oscar: random S, M = S^e.
- M takes special form
  - ………01010101010101
  - Hash of longer message
27 Blind Signatures
- Alice signs one message without seeing it
  - Bob has M, selects blinder b
  - Bob gives Alice blinded message M' = M · b
  - Alice signs for Bob: S' = M'^d
  - Bob unblinds: divide by b^d.
28 Blind Signatures
- Alice signs one message without seeing it
  - Bob has M, selects blinder b = k^e
  - Bob gives Alice blinded message M' = M · b
  - Alice signs for Bob: S' = M'^d
  - Bob unblinds: divide by b^d: S = S' / k
- Similar: Blind decryption
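The blinding round trip of slide 28 as an added Python example (not from the original presentation), using a constructed toy RSA key. The hypothetical helper blinder_explaining uses d only to illustrate why Alice learns nothing: for any other message there is a blinder k that would have produced the very same M'.

```python
import math
import random

N, E, D = 3233, 17, 2753   # constructed toy RSA key (n = 61 * 53); far too small for real use

def sign(m):
    """Alice: apply the secret exponent to whatever she is handed."""
    return pow(m, D, N)

def verify(m, s):
    """Anyone: check S^e = M mod n."""
    return pow(s, E, N) == m % N

def blind(m, rng):
    """Bob: pick k coprime to n and hand Alice M' = M * k^e."""
    while True:
        k = rng.randrange(2, N)
        if math.gcd(k, N) == 1:
            return (m * pow(k, E, N)) % N, k

def unblind(s_blinded, k):
    """Bob: S = S' / k, since S' = M^d * k^(e*d) = M^d * k."""
    return (s_blinded * pow(k, -1, N)) % N

def blinder_explaining(m_blinded, other_m):
    """Illustration only (needs d): the k for which other_m blinds to the same M'."""
    return pow(m_blinded * pow(other_m, -1, N), D, N)
```

Because Alice applies her secret exponent to a value she cannot interpret, the key used for blind signing should be used for nothing else; slide 28's "blind decryption" is the same operation.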
29 Zero knowledge proofs
- Identification by secret
  - A gives Bank b = H(a)
  - Bank pays on seeing a
- If Alice shows a: employee, eavesdropper become as powerful.
- Alice proves to know a without showing
30 0KP of a Square Root
- Alice holds a, Bob holds b = a^2
- Withdrawing of money:
  - Alice selects s = r^2 and gives Bob s
  - Claim: I know roots of s and s · b
- This is true, namely r and r · a. This implies knowing a as quotient of roots
31 Verify knowing two roots
- Bob sees one! Otherwise becomes too smart
  - Challenge c = 0/1
  - Alice must give one root: r of s (c = 0), r · a of s · b (c = 1)
- Oscar does not know both
  - Fails with Pr = 1/2.
32 What does Bob learn?
- Triple (s, c, y): s is random square, c is random bit, y solves y^2 = s · b^c
- To generate such, choose c as random bit, y as random number, s as y^2 / b^c
33 How can it convince?
- Compute order s, c, y: needs a
- Compute order c, y, s: don't need a
- Protocol enforces s, c, y
- Transcript doesn't show order.
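Slides 30 to 33 as an added Python example (not from the original presentation): the honest round in the order s, c, y, the simulator of slide 32 that builds an equally valid triple in the order c, y, s without a, and a prover without a who must commit to s before seeing c. The modulus and the secret are constructed values, and the function names are chosen here.

```python
import math
import random

N = 1009 * 1013        # constructed modulus; the protocol assumes its factors are unknown
A = 123456             # Alice's secret a
B = pow(A, 2, N)       # Bob holds b = a^2

def unit(rng):
    """Random element that is invertible modulo n."""
    while True:
        r = rng.randrange(2, N)
        if math.gcd(r, N) == 1:
            return r

def check(s, c, y):
    """Bob's test from slide 32: y^2 = s * b^c (mod n)."""
    return pow(y, 2, N) == (s * pow(B, c, N)) % N

def honest_round(rng):
    """Order s, c, y: commit to s, receive c, answer with r or r*a. Needs a."""
    r = unit(rng)
    s = pow(r, 2, N)
    c = rng.randrange(2)                 # Bob's random challenge
    y = r if c == 0 else (r * A) % N
    return s, c, y

def simulated_round(rng):
    """Order c, y, s: choose c and y first, then s = y^2 / b^c. Does not use a."""
    c = rng.randrange(2)
    y = unit(rng)
    s = (pow(y, 2, N) * pow(pow(B, c, N), -1, N)) % N
    return s, c, y

def prover_without_a_accepted(rounds, rng):
    """Commit to s for a guessed c; Bob's real c arrives only afterwards."""
    for _ in range(rounds):
        guess = rng.randrange(2)
        y = unit(rng)
        s = (pow(y, 2, N) * pow(pow(B, guess, N), -1, N)) % N
        c = rng.randrange(2)             # Bob's challenge, independent of the guess
        if not check(s, c, y):
            return False
    return True
```

Both kinds of triple pass the same check, so a recorded transcript proves nothing to a third party; only the enforced order of messages convinces Bob.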
34 Zero knowledge proofs
- 20 rounds: 1-in-million false acceptance
- Similar: e-th root or logarithm
- Also: Graph coloring
- Use with blind signatures:
  - Bob proves blinded message is legal
35 Secret Sharing
- Goal: share holders together know a
- Shares handed out by dealer
- Share: related to a
- k − 1 shares reveal nothing
- k shares reveal all in reconstruction
36 Concepts in Sharing
- Use:
  - Bank, company
  - Nuclear heads
  - Digital money
  - Key escrow
- How many shares
  - Veto (split)
  - Threshold (share)
- Protection
  - Perfect (poor!)
  - Verifiable
- Actions with secret
  - Reconstruction
  - Use
37 Additive secret split
- Dealing:
  - a_1 … a_(k−1) random
  - a_k = a − a_1 − … − a_(k−1)
- a_k is no better
- Reconstruction:
  - a = a_1 + … + a_k
- Symmetric! Shares cannot be recognized. Given k − 1 shares, every a is still possible. "Real Cryptography": Perfect Split
38 Using shared exponent
- Secret is exponent a (e.g., for RSA). Shares: a = a_1 + … + a_k
- To compute y^a:
  - Shareholder i submits x_i = y^(a_i)
  - Compute x = x_1 · … · x_k
- Use of secret does not compromise splitting
39 How perfect is perfect?
- Shares cannot be recognized
  - Shareholders may cheat
- Verifiable reconstruction (hash H):
  - Compute a_i and b_i = H(a_i)
  - Give a_i to SH_i and make b_i public
- Verified reconstruction:
  - SH_i submits a_i
  - Check H(a_i) = b_i
40 Dealer verifiable split
- Number hash H(a) = g^a
- The dealer
  - Publish b = g^a
  - Private share a_i (sum a)
  - Public share b_i = g^(a_i)
  - Send a_i to SH_i
- Verifiable shares
- The shareholders
  - b binds dealer! secret is recognizable
  - Verify product = b
  - Verify g^(a_i) = b_i
- Reconstruction
  - Verify submissions
41 Perfect Secret Shares
- Theorem: through k points runs exactly one curve of degree k − 1
- Dealing: select a_1 through a_(k−1), a_0 = a
  - f(z) = a_0 + a_1 · z + … + a_(k−1) · z^(k−1)
  - Share s_i is f(i)
- Reconstruction from k points:
  - polynomial interpolation
42 Verifiable Secret Sharing
- Dealer:
  - Private coefficients a_0 through a_(k−1)
  - Private shares s_i = f(i)
  - Public coefficients b_i = g^(a_i)
  - Public shares p_i = g^(s_i)
- Shareholders
  - s_i = a_0 + a_1 · i + … + a_(k−1) · i^(k−1)
  - Global: p_i = b_0 · b_1^i · b_2^(i^2) · … · b_(k−1)^(i^(k−1))
  - Internal: g^(s_i) = p_i
43 Conclusions
- Numbers as basis for cryptography
- Most of cryptography is unproven
- Results are often counterintuitive
  - "Every advantage has its disadvantage" ("Elluk voordeel hep se nadele")