1 Cryptography: Proofs and Tools Gerard Tel Dept of Computer Science, Utrecht.


1 Cryptography: Proofs and Tools
Gerard Tel
Dept of Computer Science, Utrecht

2 Talk overview
- Part 1: Proofs
  - Definition and existence
  - Proofs with numbers
  - Numbers versus “Ad hoc”
- Part 2: Tools
  - Signature schemas
  - Zero knowledge proofs
  - Secret Sharing

3 Cryptography: The art of protection using information
To have or not to have…
To know or not to know

4 Two examples
- Encryption (DES)
  - Alice sends email $y = E_k(x)$
  - Bob computes $x = D_k(y)$
  - Oscar knows no $k$: which $D$ function?
- Identification with One-way function $H$
  - A gives Bank $b = H(a)$
  - Bank pays on seeing $a'$ s.t. $H(a') = b$
  - O knows no $a'$

5 Two more examples
- Signatures
  - Alice signs $M$ with $x$: $S = \mathrm{Sig}(M, x)$
  - Bob verifies with $y$: $\mathrm{Ver}(M, S, y)$
  - Oscar cannot forge $S'$ for $M'$ s.t. $\mathrm{Ver}(M', S', y)$
- Public Key pairs
  - Alice holds secret $x$
  - Bob holds public $y$
  - Relation $P(x, y)$
  - Oscar cannot compute $x$ from $y$

6 I recognize it when I see it…
- Encryption: $k$ s.t. $D_k(y)$ is text
- Identification: $a'$ s.t. $H(a') = b$
- Signatures: $S'$ s.t. $\mathrm{Ver}(M', S', y)$
- Key pair: $x$ s.t. $P(x, y)$

7 … But I don’t know it

8 Assumption: Factoring
- Primes $p$ and $q$ (e.g. 512 bits)
- $n = p \cdot q$ (1024 bits)
- Given $n$, one recognizes $p$ and $q$
- Assumption: Given $n$, computing $p$ is impossible

9 Assumption: Discrete Log
- Compute modulo large $p$: $0, 1, \ldots, p - 1$
- Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \ldots, g^{ord} = 1$. Fix $g$ of high order.
- From $x$, power $y = g^x$ is computable
- Assumption: From $y$, $x$ s.t. $y = g^x$ is not computable

10 Rabin’s encryption
- Alice: secret key: $p$ and $q$; public key: product $n$
- Bob encrypts $x$ as $y = x^2 \bmod n$
- Alice decrypts by extracting a square root; $p$ and $q$ are needed!
- Oscar cannot extract roots

11 Square roots modulo n
- A square number has 4 roots
- $n = 77 = 7 \cdot 11$: $36^2 = 64$ ($1296 \bmod 77$); 36, 41, 8, 69 have square 64
- Two pairs: $36 = -41$ and $8 = -69$
- Combine from two pairs: $41 + 69 = 33$
- $\gcd(33, 77) = 11$

12 Rabin: Provably Secure
- If Oscar can find $x$ from $x^2 = y \bmod n$
  - Select random $z$
  - Solve $x$ from $x^2 = z^2$
  - Prob. 1/2: $x$ and $z$ differ: find $p$ and $q$
- Contradicts Factoring Assumption
- Rabin is cryptographically strong

13 Chosen Cipher text Attack
- Procedure for CCA:
  - Oscar sends Alice $y$, obtains $x$, computes
- Rabin is vulnerable:
  - Oscar sends $y = z^2$
  - succeeds with Pr = 1/2
- Decrypted messages as sensitive as key
- Weakness inherent in strength
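
Added example (not from the slides): slides 11 to 13 in Python. It recomputes the four roots of 64 modulo 77 and runs the reduction in which a square-root oracle (Oscar's root finder, or Alice answering chosen ciphertexts) yields the factors of n. The function names and the restriction to primes congruent to 3 mod 4 are assumptions of this sketch.

```python
import math
import random

def sqrt_mod_prime(y, p):
    """Square root of y modulo a prime p with p % 4 == 3 (y must be a square)."""
    return pow(y, (p + 1) // 4, p)

def rabin_roots(y, p, q):
    """All square roots of y modulo n = p*q, combined with the CRT."""
    n = p * q
    rp, rq = sqrt_mod_prime(y % p, p), sqrt_mod_prime(y % q, q)
    roots = set()
    for sp in (rp, p - rp):
        for sq in (rq, q - rq):
            # CRT: the x with x = sp (mod p) and x = sq (mod q)
            x = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n
            roots.add(x)
    return sorted(roots)

def make_oracle(p, q, rng):
    """Stands in for Oscar's root finder or for Alice's decryption service."""
    return lambda y: rng.choice(rabin_roots(y, p, q))

def factor_with_oracle(n, oracle, rng):
    """Slide 12: random z, ask for a root x of z^2, succeed when x != +-z."""
    while True:
        z = rng.randrange(2, n - 1)
        g = math.gcd(z, n)
        if g != 1:                     # lucky draw: z already shares a factor
            return g, n // g
        x = oracle(z * z % n)
        d = math.gcd(x + z, n)         # as on slide 11: gcd(41 + 69, 77) = 11
        if 1 < d < n:                  # x and z come from different pairs
            return d, n // d

if __name__ == "__main__":
    rng = random.Random(1)             # constructed demo values
    print(rabin_roots(64, 7, 11))
    print(factor_with_oracle(77, make_oracle(7, 11, rng), rng))
```

Each oracle answer splits n with probability 1/2, so the loop ends after two queries on average.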

14 RSA: Allegedly secure
- Similar but use higher order roots.
- Public key: $(n, e)$
- Encryption $y = x^e$
- Decryption $x = y^d$ ($d$ from $p$, $q$)
- $e$-th rooting is believed but not proven to be as hard as factoring

15 RSA Decryption
- $\varphi = (p - 1)(q - 1)$
- All $x$: $x^{\varphi} = 1 \pmod n$
- From $p, q, n, e$, compute $d$ s.t. $e \cdot d = k \cdot \varphi + 1$
- $y^d = (x^e)^d = x^{k \cdot \varphi + 1} = 1^k \cdot x = x$
- Secretly keep $d$, purge $p$, $q$.

16 RSA Keys are secure
- Oscar finds $\varphi$ from $n$:
  - $p + q = n - \varphi + 1$, solve $p$, $q$
- Oscar finds $\varphi$ from $n$ and $e$:
  - Simulate generation of $e$ to do without
- Oscar finds $d$ from $n$ and $e$:
  - $n, e, d \Rightarrow p, q$
- Key protection is cryptographically strong

17 Ad hoc versus Numbers: Hash functions
- Map $H : \{0,1\}^* \to \{0,1\}^k$
- One-way:
  - From $y = H(x)$, $x$ cannot be found
- Collision-free:
  - No $x_1, x_2$ can be found s.t. $H(x_1) = H(x_2)$
  - Such $x_1, x_2$ exist

18 Fair Guessing Games
- Linda dates Jon if Jon guesses parity of $x$
  - L chooses $x$ and gives $y = H(x)$
  - J guesses even/odd
  - L reveals $x$
- Cheating
  - $y$ doesn’t reveal $x$ to Jon: one-way
  - $y$ binds Linda: collision-free

19 Bit manipulation: MD5
- How does it work
  - XOR, AND, OR words
  - Combine with sin bits
  - Four rounds in
- Why does it work
- Why four rounds
  - MD4 background
- Why this combination
  - Attacks on variants
- Why is it secure?
  - We don’t know

20 Discrete Log Hash (Chaum)
- How does it work
  - Select $g$, random $h$.
  - $f(x, x') = g^x \cdot h^{x'}$
- Why does it work
  - $\log(h)$: $a$ s.t. $g^a = h$ will never be known
  - $f(x, x') = f(y, y') \Rightarrow g^x \cdot h^{x'} = g^y \cdot h^{y'} \Rightarrow a = (x - y)(y' - x')^{-1}$
- Cryptographically strong collision free

21 Trapdoor Hash
- Cheat in generation of $f$.
  - Select $h = g^a$ instead of random $h$.
- Collision:
  - $g^x \cdot h^{x'} = g^{x - a \cdot z} \cdot h^{x' + z}$
- Trapped $f$ remains cryptographically strong one-way.
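
Added example (not from the slides): the two directions of slides 20 and 21 in Python. Whoever knows the trapdoor a can produce a collision, and any collision hands back a, which is why h must be generated so that nobody learns its logarithm. The toy group (P = 2039, Q = 1019, G = 4) and the function names are constructed for this sketch.

```python
P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q + 1, G has prime order Q

def chaum_hash(x, x2, h):
    """f(x, x') = g^x * h^x' mod P, exponents taken modulo Q."""
    return pow(G, x % Q, P) * pow(h, x2 % Q, P) % P

def log_from_collision(c1, c2):
    """Slide 20: a collision (x, x') != (y, y') yields a = (x - y)(y' - x')^-1."""
    (x, x2), (y, y2) = c1, c2
    if (y2 - x2) % Q == 0:
        raise ValueError("x' = y' forces x = y: not a collision")
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def trapdoor_collision(x, x2, a, z):
    """Slide 21: whoever chose h = g^a collides with (x - a*z, x' + z)."""
    return ((x - a * z) % Q, (x2 + z) % Q)

if __name__ == "__main__":
    a = 777                               # constructed trapdoor value
    h = pow(G, a, P)                      # the "cheating" choice h = g^a
    first = (123, 456)
    second = trapdoor_collision(*first, a, z=5)
    print(chaum_hash(*first, h) == chaum_hash(*second, h))   # same hash value
    print(log_from_collision(first, second) == a)            # collision reveals a
```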

22 Questions?

23 Gerard Tel, Part 2:
- Cryptographic Tools:
  - Signatures
  - Zero knowledge
  - Secret Sharing

24 Digital Signatures
- Alice signs message $M$: $S = \mathrm{Sig}(M, x)$
- Bob verifies signature $S$: $\mathrm{Ver}(M, S, y)$
- Validity: $\mathrm{Ver}(M, \mathrm{Sig}(M, x), y)$
- Forgery: Oscar finds $M$, $S$: $\mathrm{Ver}(M, S, y)$

25 RSA Signatures
- Public/Secret key: $(n, e)$ and $(n, d)$
  - Functions $x \mapsto x^e$ and $y \mapsto y^d$ are inverses
- Sign $M$: $S = M^d$ (compute)
- Verify $S$: $S^e = M$ (check)
- Forge signature under $M$:
  - Invert RSA public function

26 Existential Forgery
- Oscar: random $S$, $M = S^e$.
- $M$ takes special form
  - ………01010101010101
  - Hash of longer message

27 Blind Signatures
- Alice signs one message without seeing it
  - Bob has $M$, selects blinder $b$
  - Bob gives Alice blinded message $M' = M \cdot b$
  - Alice signs for Bob: $S' = M'^d$
  - Bob unblinds: divide by $b^d$.

28 Blind Signatures
- Alice signs one message without seeing it
  - Bob has $M$, selects blinder $b = k^e$
  - Bob gives Alice blinded message $M' = M \cdot b$
  - Alice signs for Bob: $S' = M'^d$
  - Bob unblinds: divide by $b^d$: $S = S' / k$
- Similar: Blind decryption
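
Added example (not from the slides): the blind-signature exchange of slide 28 with both parties' steps in Python. The key (n = 3233 = 61 · 53, e = 17, d = 2753) is a constructed textbook-sized toy key and the function names are assumptions; there is no padding or hashing, exactly as on the slide.

```python
import math

# Constructed toy key (insecure size): n = 61 * 53, e*d = 1 mod (60 * 52)
N, E, D = 3233, 17, 2753

def blind(m, k):
    """Bob: blinder b = k^e, blinded message M' = M * b."""
    if math.gcd(k, N) != 1:
        raise ValueError("k must be invertible modulo n")
    return m * pow(k, E, N) % N

def sign(m_blinded):
    """Alice: S' = M'^d, computed on the blinded value only."""
    return pow(m_blinded, D, N)

def unblind(s_blinded, k):
    """Bob: b^d = k, so S = S' / k."""
    return s_blinded * pow(k, -1, N) % N

def verify(m, s):
    """Anyone: check S^e = M with the public key (n, e)."""
    return pow(s, E, N) == m % N

if __name__ == "__main__":
    m, k = 1234, 99                      # constructed message and blinding value
    m_blinded = blind(m, k)              # what Alice sees
    s = unblind(sign(m_blinded), k)      # what Bob ends up with
    print(m_blinded != m, verify(m, s), s == pow(m, D, N))
```

Alice sees only the blinded value, yet the unblinded S equals the signature she would have produced on M directly.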

29 Zero knowledge proofs
- Identification by secret
  - A gives Bank $b = H(a)$
  - Bank pays on seeing $a$
- If Alice shows $a$: employee, eavesdropper become as powerful.
- Alice proves to know $a$ without showing

30 0KP of a Square Root
- Alice holds $a$, Bob holds $b = a^2$
- Withdrawing of money:
  - Alice selects $s = r^2$ and gives Bob $s$
  - Claim: I know roots of $s$ and $s \cdot b$
- This is true, namely $r$ and $r \cdot a$. This implies knowing $a$ as quotient of roots

31 Verify knowing two roots
- Bob sees one! Otherwise becomes too smart
  - Challenge $c = 0/1$
  - Alice must give one root: $r$ of $s$ ($c = 0$), $r \cdot a$ of $s \cdot b$ ($c = 1$)
- Oscar does not know both
  - Fails with Pr = 1/2.

32 What does Bob learn?
- Triple $(s, c, y)$: $s$ is random square, $c$ is random bit, $y$ solves $y^2 = s \cdot b^c$
- To generate such, choose $c$ as random bit, $y$ as random number, $s$ as $y^2 / b^c$

33 How can it convince?
- Compute order $s, c, y$: needs $a$
- Compute order $c, y, s$: don’t need $a$
- Protocol enforces $s, c, y$
- Transcript doesn’t show order.
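
Added example (not from the slides): slides 30 to 33 in Python, with the honest round (order s, c, y), the simulator that builds valid triples in the order c, y, s without a, and the pass rate of a prover who does not know a. The modulus 3233 is a constructed toy value and all function names are assumptions.

```python
import random

N = 3233          # constructed toy modulus (61 * 53); real use needs a large n

def commit(rng):
    """Alice: random r, commitment s = r^2."""
    r = rng.randrange(2, N)
    return r, r * r % N

def respond(r, a, c):
    """Alice: root r of s (c = 0) or root r*a of s*b (c = 1)."""
    return r * pow(a, c, N) % N

def check(b, s, c, y):
    """Bob: accept iff y^2 = s * b^c."""
    return y * y % N == s * pow(b, c, N) % N

def simulate(b, rng):
    """Slide 32: a valid triple built in the order c, y, s without knowing a."""
    c = rng.randrange(2)
    y = rng.randrange(1, N)
    s = y * y * pow(pow(b, c, N), -1, N) % N
    return s, c, y

def cheater_pass_rate(b, rounds, rng):
    """Oscar prepares s for a guessed challenge; Bob then picks the real one."""
    passed = 0
    for _ in range(rounds):
        s, _guess, y = simulate(b, rng)   # commitment fixed before the challenge
        c = rng.randrange(2)              # Bob's challenge
        passed += check(b, s, c, y)       # holds only when c matches the guess
    return passed / rounds

if __name__ == "__main__":
    rng = random.Random(5)
    a = 1234                              # constructed secret, coprime to N
    b = a * a % N
    r, s = commit(rng)
    print(all(check(b, s, c, respond(r, a, c)) for c in (0, 1)))
    print(check(b, *simulate(b, rng)), cheater_pass_rate(b, 2000, rng))
```

The simulated triples pass the same check as real ones, so a transcript proves nothing to a third party; only the enforced order of the live protocol convinces Bob.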

34 Zero knowledge proofs
- 20 rounds: 1-in-million false acceptance
- Similar: $e$-th root or logarithm
- Also: Graph coloring
- Use with blind signatures:
  - Bob proves blinded message is legal

35 Secret Sharing
- Goal: share holders together know $a$
- Shares handed out by dealer
- Share: related to $a$
- $k - 1$ shares reveal nothing
- $k$ shares reveal all in reconstruction

36 Concepts in Sharing
- Use:
  - Bank, company
  - Nuclear heads
  - Digital money
  - Key escrow
- How many shares
  - Veto (split)
  - Threshold (share)
- Protection
  - Perfect (poor!)
  - Verifiable
- Actions with secret
  - Reconstruction
  - Use

37 Additive secret split
- Dealing:
  - $a_1 \ldots a_{k-1}$ random
  - $a_k = a - a_1 - \ldots - a_{k-1}$
- $a_k$ is no better
- Reconstruction:
  - $a = a_1 + \ldots + a_k$
- Symmetric! Shares cannot be recognized. Given $k - 1$ shares, every $a$ is still possible. “Real Cryptography”: Perfect Split

38 Using shared exponent
- Secret is exponent $a$ (e.g., for RSA). Shares: $a = a_1 + \ldots + a_k$
- To compute $y^a$:
  - Shareholder $i$ submits $x_i = y^{a_i}$
  - Compute $x = x_1 \cdot \ldots \cdot x_k$
- Use of secret does not compromise splitting

39 How perfect is perfect?
- Shares cannot be recognized
  - Shareholders may cheat
- Verifiable reconstruction (hash $H$):
  - Compute $a_i$ and $b_i = H(a_i)$
  - Give $a_i$ to $SH_i$ and make $b_i$ public
- Verified reconstruction:
  - $SH_i$ submits $a_i$
  - Check $H(a_i) = b_i$

40 Dealer verifiable split
- Number hash $H(a) = g^a$
- The dealer
  - Publish $b = g^a$
  - Private share $a_i$ (sum $a$)
  - Public share $b_i = g^{a_i}$
  - Send $a_i$ to $SH_i$
- Verifiable shares
- The shareholders
  - $b$ binds dealer! Secret is recognizable
  - Verify product = $b$
  - Verify $g^{a_i} = b_i$
- Reconstruction
  - Verify submissions

41 Perfect Secret Shares
- Theorem: through $k$ points runs exactly one curve of degree $k - 1$
- Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$
  - $f(z) = a_0 + a_1 \cdot z + \ldots + a_{k-1} \cdot z^{k-1}$
  - Share $s_i$ is $f(i)$
- Reconstruction from $k$ points:
  - polynomial interpolation

42 Verifiable Secret Sharing
- Dealer:
  - Private coefficients $a_0$ through $a_{k-1}$
  - Private shares $s_i = f(i)$
  - Public coefficients $b_i = g^{a_i}$
  - Public shares $p_i = g^{s_i}$
- Shareholders ($s_i = a_0 + a_1 \cdot i + \ldots + a_{k-1} \cdot i^{k-1}$):
  - Global: $p_i = b_0 \cdot b_1^{i} \cdot b_2^{i^2} \cdot \ldots \cdot b_{k-1}^{i^{k-1}}$
  - Internal: $g^{s_i} = p_i$

43 Conclusions
- Numbers as basis for cryptography
- Most of cryptography is unproven
- Results are often counterintuitive
  - “Elluk voordeel hep se nadele” (“Every advantage has its disadvantage”)

