Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Published bySherilyn Davidson Modified over 8 years ago

Similar presentations

Presentation on theme: "Ryan Henry I 538 /B 609 : Introduction to Cryptography."— Presentation transcript:

1 Ryan Henry I 538 /B 609 : Introduction to Cryptography

2 Ryan Henry All electronic financial transactions in the US, even those enabled by Bitcoin, have relatively high transaction costs. As a result, it becomes infeasible to run micropayments, i.e. payments that are on the order of pennies. In order to circumvent the cost of recording all transactions, Wheeler (1996) and Rivest (1997) suggested the notion of a probabilistic payment, that is, one implements payments that have expected value on the order of micro pennies by running an appropriately biased lottery for a larger payment. While there have been quite a few proposed solutions to such lottery-based micropayment schemes, all these solutions rely on a trusted third party to coordinate the transactions; furthermore, to implement these systems in today's economy would require a change to how either banks or electronic payment companies (e.g., Visa and Mastercard) handle transactions. We put forth a new lottery-based micropayment scheme for Bitcoins, and more generally any ledger- based transaction system, that can be used today without any change to the current infrastructure. Using the current Bitcoin scripting language, we discuss an implementation of micropayments that only relies on a third party whose actions are entirely verifiable. We also discuss simple modifications to the Bitcoin scripting language along with an evaluation of the cost of those changes that enables entirely removing the need for a trusted third party. We also compare probabilistic lottery based micropayments with other approaches such as the recently proposed “lightening network.” Thursday, November 5 at 12:00pm in MAURER LAW 335: abhi shelat, University of Virginia Micropayments for Decentralized Currencies This Thursday!

3 Ryan Henry Last Thursday’s lecture: Modular e th roots Discrete logarithms Today’s lecture: Computational hardness assumptions Diffie-Hellman key exchange 2

4 Ryan Henry Assignment 5 is due Tuesday, November 10! (That’s one week from today!) 3

5 Ryan Henry Recall: Modular e th roots 4 Def n : Let n and e be positive integers and let a∈℥ n. Then b∈℥ n is called an e th root of a modulo n if We write b≡a 1/e mod n to indicate that b is an e th root of a modulo n. Q: When does a unique solution for a 1/e mod n exist? A: If gcd ( e,φ(n) ) =1, then a 1/e ≡a d mod n where d≔e -1 mod φ(n) If gcd ( e,φ(n) ) ≠1, then a 1/e may or may not exist; if it does exist, it is not unique a≡b e mod n. ???

6 Ryan Henry Recall: The e th root problem 5 Def n : The eth root problem (aka the RSA problem) is: Given (n,e,a) such that 1. n=pq for distinct s-bit primes p and q, 2. a∈℥ n, and 3. gcd(e,φ(n))=1, compute a 1/e mod n. One possible solution: compute d≔e -1 mod φ(n) and output a d mod n Fact: Computing d≔e -1 mod φ(n) is equivalent to factoring n!

7 Ryan Henry Recall: Discrete logarithms Q: Does the DL of h to the base g always exist? A: No! But it does always exists if g is a generator of G. Q: If the DL of h to the base g exists, is it unique? A: Sort of… If x 1 and x 2 are DLs of h to the base g, then x 1 ≡x 2 mod |g| (i.e., the DL is unique in ℤ |g| ). 6 Def n : Let G be a group with |G|=n and let g,h∈G. A discrete logarithm (DL) of h to the base g in G is a number x∈ℤ n such that We write x=log g h to indicate that x is a DL of h to the base g h=g x in G. ???

8 Ryan Henry Recall: The DL problem 7 Def n : The DL problem is: Given (G,q,g,h) such that 1. (G,) is a cyclic group of s-bit prime order q, 2. g is a generator of G, and 3. h is an arbitrary element of G, compute x≡log g h. ▪ If (G,+) is an additive group, then the DL problem is, given (G,q,g,h) as above, to compute k such that k·g=h in G.

9 Ryan Henry Intractable problems ▪I▪Intuitively, a problem is intractable if no PPT algorithm can solve a uniform random instance the problem, except with negligible probability Q: How do we formalize the notion of intractability for problems defined in a finite group? A: Very carefully… –A–Algorithm must be PPT in what parameter? –S–Success probability must be negligible in what parameter? –I–Instance must be uniform random instance from what sample space? 8

10 Ryan Henry Group generating algorithm Def n : A group generating algorithm G is a PPT algorithm that, on input a security parameter 1 s ∈1 ℕ, outputs a description of a finite group (G,) with s-bit prime order q and a fixed generator g∈G. We write (G,q,g)← G(1 s ) to indicate that (G,) is a group with s-bit prime order q and generator g, sampled from the output of G. 9 ▪ The DL problem is both defined in a finite group ⇒ no parameter to grow large! ▪ Problem may be easy in some groups and hard in others

11 Ryan Henry Idea: Don’t consider problem instances in a particular fixed group (G,); rather, consider instances in groups (G,q,g)←G(1 s ) sampled from a fixed group generating algorithm G! Group generating algorithm 10 Q: How do we formalize the notion of intractability for problems defined in a finite group? Q1: Algorithm must be PPT in what parameter? A1: The security parameter s such that (G,q,g)←G(1 s ) Q2: Success probability must be negligible in what parameter? A2: The security parameter s such that (G,q,g)←G(1 s ) Q3: Instance must be uniform random instance from what sample space? A3: The set of problem instances in (G,)

12 Ryan Henry The DL assumption Def n : Let G be a fixed group generating algorithm. The discrete logarithm (DL) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ + such that Adv DL,G (A)≤ε(s). 11 Challenger (C) Attacker (A) (G,q,g)←G(1 s ) x∊℥ q h≔g x x’ 1 s1 s (G,q,g,h) Let E be the event that x≡x’ mod q Define A’s advantage to be Adv DL,G (A)≔Pr[E] 1 s1 s

13 Ryan Henry Average-case hardness of DL Thm (informal): Let (G,) be a group with prime order q. If the DL problem in is hard for some instance, then it is hard for almost every instance! 12 Proof (sketch): Assume that it is hard to compute x≡log g h in (G,) Idea: Reduce hardness of computing x≡log g h to hardness of solving a uniform random instance in (G,) – Randomize g: (G,q,g,h)→(G,q,g r ,h) for r∊℥ q ⇒ log g h≡(log g r h)r mod q – Randomize h: (G,q,g,h)→(G,q,g,h s ) for s∊℥ q ⇒ log g h≡(log g h s )s -1 mod q☐

14 Ryan Henry RSA instance generating algorithm Def n : An RSA instance generating algorithm G is a PPT algorithm that, on input a security parameter 1 s ∈1 ℕ, outputs a pair of distinct s-bit primes (p,q) and e∊℥ φ(pq). We write (p,q,e)← G(1 s ) to indicate that s-bit primes (p,q) and e∈℥ φ(pq) are sampled from the output of G. 13

15 Ryan Henry The e th root assumption 14 Def n : Let G be a fixed RSA instance generating algorithm. The e th root (RSA) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ + such that Adv RSA,G (A)≤ε(s). Challenger (C) Attacker (A) (p,q,e)←G(1 s ) N≔p·q a∊℥ N b≔a e mod N a’ 1 s1 s (N,e,b) Let E be the event that a≡a’ mod N Define A’s advantage to be Adv RSA,G (A)≔Pr[E] 1 s1 s

16 Ryan Henry The RSA trapdoor permutation Observation: The e th root assumption is qualitatively different from the DL assumption – In DL assumption, attacker gets complete output of G – In e th root assumption, attacker learns N=p·q but not p and q; if attacker knows (p,q) the e th root problem is easy! ▪ This is our first example of a trapdoor permutation with (p,q) being the trapdoor – More on this later… 15

17 Ryan Henry Diffie-Hellman key exchange protocol 16 Alice Bob Enc (m) Eve m =? What if Alice and Bob don’t already share a secret ket?

18 Ryan Henry Diffie-Hellman key exchange protocol 17 Alice Bob Eve gaga gbgb a∊℥ q b∊℥ q ≔h ( (g b ) a ) ≔h ( (g a ) b ) Enc (m) Suppose (G,q,g)←G(1 s ) for some group generating algorithm G =? m=?

19 Ryan Henry Security of Diffie-Hellman key exchange Q: Suppose the DL assumption holds with respect to G. Is the Diffie-Hellman protocol “secure” in the presence of an eavesdroppers? A: Errr…well, probably? – DL assumption implies that it is hard for an eavesdropper to compute a from g a or b from g b – But, is it hard to compute g ab from g a and g b ? 18

20 Ryan Henry Diffie-Hellman assumption Def n : Let G be a group generating algorithm. The (computational) Diffie-Hellman (CDH) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ + such that Adv CDH,G (A)≤ε(s). 19 Challenger (C) Attacker (A) (G,q,g)←G(1 s ) a,b∊℥ q h 1 ≔g a, h 2 ≔g b h 1 s1 s (G,q,g,h 1 ,h 2 ) Let E be the event that h=g ab Define A’s advantage to be Adv CDH,G (A)≔Pr[E] 1 s1 s

21 Ryan Henry Decision Diffie-Hellman assumption 20 1 s ∈1 ℕ b’∈{0,1} 1 s ∈1 ℕ Game 0: (input to A is a DH tuple) Game 1: (input to A is not a DH tuple) Distinguisher (D) Distinguisher (D) Challenger Challenger 1 s ∈1 ℕ A tuple (G,q,g,g a ,g b ,h) is a DH tuple if and only if h=g ab (G,q,g)←G(1 s ) a,b∊℥ q (G,q,g)←G(1 s ) a,b,c∊℥ q (G,q,g,g a ,g b ,g ab ) (G,q,g,g a ,g b ,g c ) Let E be the event that b’=0 in Game 0 or b’=1 in Game 1 Def n : Adv DDH,G (D)≔|Pr[E]- ½|

22 Ryan Henry Decision Diffie-Hellman assumption 21 Def n : Let G be a group generating algorithm. The Decision Diffie-Hellman (DDH) assumption holds with respect to G if, for every PPT algorithm A, there exists a negligible function ε:ℕ→ℝ + such that Adv DDH,G (A)≤ε(s).

23 Ryan Henry The DL, CDH, and DDH assumptions Thm: Let G be a group generating algorithm. – Fact 1: If the DDH assumption holds with respect to G, then the CDH assumption also holds with respect to G. The converse is believed to be false. – Fact 2: If the CDH assumption holds with respect to G, then the DL assumption also holds with respect to G. The converse is not known to be true. 22

24 Ryan Henry Public-key encryption schemes 23 Def n : A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that – Gen:1 ℕ →K e ×K d is a randomized “keypair generation” algorithm; – Enc:K e ×M→C is an (often randomized) “encryption” algorithm; – Dec:K d ×C→M is a deterministic “decryption” algorithm. Usually write Enc k e (m) and Dec k d (m) instead of Enc(k e,m) and Dec(k d,m) K e is the encryption key space K d is the decryption key space M is the message space C is the ciphertext space (set of possible encryption keys) (set of possible decryption keys) (set of possible messages) (set of possible ciphertexts)

25 Ryan Henry Correctness ▪ Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key) 24 Def n : A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε:ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈M, Pr[Dec k d (Enc k e (m))=m|(k e,k d )←Gen(1 s )]≥1-ε(s)

26 Ryan Henry That’s all for today, folks! 25

Download ppt "Ryan Henry I 538 /B 609 : Introduction to Cryptography."

Similar presentations

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Public Key Encryption Algorithm

Public Key Encryption Algorithm
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.
Electronic Payment Systems. Transaction reconciliation –Cash or check.

Electronic Payment Systems. Transaction reconciliation –Cash or check.
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.

Similar presentations

Ads by Google