David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.


12 April 2005, University of Virginia CS 588

Story So Far
Symmetric Encryption
  – Amplify and time-shift a small secret to transmit large secrets
Asymmetric Encryption
  – Use a trustworthy non-secret to establish secrets, check signatures
Proving an encryption algorithm is secure is either:
  – Reasonably easy if it is a perfect cipher
  – Essentially impossible if it is not

Plan for Rest of the Course
Today, Thursday: some interesting applications of cryptography
Next Tuesday: Quantum/visual crypto
Next Thursday, April 26: Software system security: real world security is mostly not about cryptography
April 28: Project presentations
If there’s anything you hoped this course would cover that is not listed here, send me requests by Friday

Finding Project Partners
Simple way:
  – Ask people in the class if they want to work with you
Problems:
  – You face rejection and ridicule if they say no
Can you find partners without revealing your wishes unless they are reciprocated?
  – Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them

Use a Universally Trusted Third Party
[Diagram: Alice and Bob each connected to MatchMaker.com]
Bob would like to work with: Ron Rivest, Sandra Bullock, Alice
Alice: Thomas Jefferson, Colleen Hacker, Bob
MatchMaker.com: “Alice is your best match”

Use a Universally Trusted Third Party
Bob → MatchMaker.com: E_{KU_M}[E_{KR_B}[“Bob would like …”]]
MatchMaker.com → Bob: E_{KU_B}[E_{KR_M}[“Alice”]]

HashMaker.com?
Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board.
No one else can tell Bob’s deepest darkest desires (H is one-way)
If someone else writes the same hash on the board, Bob has found his match
How well does this work?

Untrusted Third Party
Bob → HashMatcher.com: E_{H(W)}[W]
Use the hash of the wish as the encryption key for some symmetric cipher:
HashMatcher can’t determine the wish
Someone with the same exact wish will match exactly

How can we send a message to HashMaker without it knowing who sent it?
[Diagram labels: To: HashMaker, From: Anonymous; To: Router4; To: Router3; To: Router2; To: Router1, From: Bob]

Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick n random routers, R_{i_1} … R_{i_n}
R_{i_k} gets a message M_k: E_{KU_{R_{i_k}}}(To: R_{i_{k+1}} || M_{k+1})

Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick 1 random router: R_2
Send R_2: E_{KU_{R_2}}(To: HashMatcher.com || M)

Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick 2 random routers: R_2, R_5
Send R_2: E_{KU_{R_2}}[To: R_5 || E_{KU_{R_5}}[To: HashMatcher.com || M]]

Traffic Analysis
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
If these are the only packets on the network, someone observing the network knows it was Bob

Preventing Traffic Analysis
[Diagram: Bob, routers R1 to R5, HashMatcher.com]

Finding Partners
If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order)
Using onion routing, sends HashMatcher: E_{H(W)}[W]
Using onion routing, queries HashMatcher if there is a matching item
  – If so, Alice wants to work with him

Problems with this Protocol
Cathy could send W = “Alice + Bob”
Anyone can query “x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which)
If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them?
Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol
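Added example, not from the lecture: the E_{H(W)}[W] matching scheme and the first two problems listed above, in Python. The "symmetric cipher" is a toy XOR stream keyed by SHA-256(W) (an assumption; the slides name no cipher), and the roster, class and function names are hypothetical.

```python
import hashlib

def wish(a, b):
    """W = "Alice + Bob": the two names in alphabetical order, as agreed."""
    first, second = sorted((a, b))
    return f"{first} + {second}"

def seal(w):
    """E_H(W)[W] with a toy XOR stream cipher (SHAKE-256 keystream) keyed by H(W)."""
    data = w.encode()
    key = hashlib.sha256(data).digest()
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, stream))

class HashMatcher:
    """Untrusted board: stores opaque blobs and counts identical ones."""
    def __init__(self):
        self.blobs = []

    def post(self, blob):
        self.blobs.append(blob)

    def copies(self, blob):
        return self.blobs.count(blob)

def who_is_paired_with(board, target, roster):
    """Query "x + target" for every x on the roster, as the slide says anyone can."""
    return [x for x in roster
            if x != target and board.copies(seal(wish(x, target))) > 0]

# Constructed scenario: Bob and Colleen have each posted one wish.
ROSTER = ["Alice", "Bob", "Cathy", "Colleen"]
board = HashMatcher()
board.post(seal(wish("Bob", "Alice")))
board.post(seal(wish("Colleen", "Bob")))
```

Because the blob is a deterministic function of a wish drawn from a small set, the board hides nothing from anyone who knows the roster, and a second identical blob does not show who posted it.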

MIXes
[Diagram: inputs C1 C2 C3 C4, a random, secret permutation, outputs M1 M2 M3 M4]
Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input

MIX Net [Chaum81]
[Diagram: inputs C1 to C4, mixes A, B, C labelled E_{KR_A}(C), E_{KR_B}(C), E_{KR_C}(C), outputs M1 to M4]
C = E_{KU_A}[E_{KU_B}[E_{KU_C}[M]]]
What is input?
What if Eve can see all traffic?
What if one of A, B or C is corrupt?
What if two are corrupt?
Any good applications?

Voting Application
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4]
C = E_{KU_R}[E_{KU_D}[E_{KU_G}[“Badnarik”]]]
How well does this work?
* Note: any resemblance to real political parties is purely coincidental.

Voting Application
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4]
C = E_{KU_R}[E_{KU_D}[E_{KU_G}[“Badnarik”]]]
Easy for any eavesdropper (knows public keys) to compute C for small set of possible messages

Voting Application
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4]
C = E_{KU_R}[E_{KU_D}[E_{KU_G}[“Badnarik” || R]]]

Voting Application
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4]
C = E_{KU_R}[E_{KU_D}[E_{KU_G}[“Badnarik” || R_1] || R_2] || R_3]
Each mux decrypts with private key and removes R

Voting Application
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4, with the label “Nader”]

Voting Application
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4, with the label “Nader”]
C = E_{KU_G}[“Badnarik” || R_1]
Does publishing R_1 help?

Publishing R_1
Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted
Voters can prove to someone else for whom they voted
If Orange doesn’t like result, can still disrupt election
C = E_{KU_R}[E_{KU_D}[E_{KU_G}[“Badnarik” || R_1] || R_2] || R_3]

Auditing Muxes
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4, with the label “Nader”]
Send inputs to next 2 muxes
D mux picks n random inputs
Asks R to prove they were done correctly
How does R prove it?

Auditing Muxes
[Diagram: inputs C1 to C4, muxes labelled Republicrat Party, Democrican Party, Orange Party, outputs M1 to M4, with the label “Nader”]
Input_i = E_{KU_R}[E_{KU_D}[E_{KU_G}[v || R_1] || R_2] || R_3]
Output_j = E_{KU_D}[E_{KU_G}[v || R_1] || R_2]
If R reveals j and R_3, D can check E_{KU_R}[Output_j || R_3] = Input_i
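Added example, not from the lecture: the layered ballot with per-layer random padding, the eavesdropper's re-encryption test on an unpadded ballot, and D's audit check on R, in Python. The keys are toy textbook-RSA values built from public Mersenne primes (an assumption for illustration, insecure), and all function and key names are hypothetical. The same layering, with a To: header in each layer, is what the onion routing slides build.

```python
import secrets

E, PAD = 65537, 16   # public exponent; bytes of random padding R per layer

def keypair(a, b):
    """Toy textbook RSA from public Mersenne primes 2^a-1 and 2^b-1 (insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus n, private exponent d)

# Constructed keys for the three muxes; moduli grow outward so each layer fits.
KG, KD, KR = keypair(521, 607), keypair(1279, 2203), keypair(2281, 3217)

def enc(key, data, r=b""):
    """E_KU[data || r]: anyone can recompute it from data, r and the public key."""
    n = key[0]
    m = int.from_bytes(b"\x01" + data + r, "big")  # 0x01 marks the start of data
    assert m < n, "layer too large for this modulus"
    return pow(m, E, n).to_bytes((n.bit_length() + 7) // 8, "big")

def dec(key, c, pad=PAD):
    """One mux: decrypt with the private key, split off the padding."""
    n, d = key
    m = pow(int.from_bytes(c, "big"), d, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return raw[:len(raw) - pad], raw[len(raw) - pad:]

def ballot(vote, pads=(b"", b"", b"")):
    """C = E_KUR[E_KUD[E_KUG[vote || R1] || R2] || R3]; empty pads = unpadded."""
    c = vote.encode()
    for key, r in zip((KG, KD, KR), pads):
        c = enc(key, c, r)
    return c

def guess(c, candidates):
    """Eavesdropper's test on an unpadded ballot: re-encrypt every candidate."""
    return [v for v in candidates if ballot(v) == c]

def audit(input_i, output_j, r3):
    """D's check on R: E_KUR[Output_j || R3] must equal Input_i."""
    return enc(KR, output_j, r3) == input_i

def tally(c):
    """Pass a padded ballot through muxes R, D, G in turn and return the vote."""
    for key in (KR, KD, KG):
        c, _ = dec(key, c)
    return c.decode()

def fresh_pads():  # R1, R2, R3 for one ballot
    return [secrets.token_bytes(PAD) for _ in range(3)]
```

The audit works for the same reason the unpadded ballot fails: encryption is deterministic once the padding is known, so revealing R_3 lets D recompute Input_i and also links that input to its output.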

Auditing Tradeoffs
For every audit, one input-output mapping is revealed
The more audits, the more likelihood of catching cheater
What if each mux audits ½ of the values?

Catching Cheaters
Probability a mux can cheat on k votes without getting caught = (½)^k
Probability a voter’s vote is revealed to eavesdropper, m muxes: (½)^m
If muxes collude, all bets are off
Note: unaudited votes can only be one of n/2 possible outputs!
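Added example, not from the lecture: the chance that a mux alters k inputs and none of them is audited, computed exactly and by simulation in Python. It assumes the auditor picks exactly n/2 of the n inputs uniformly at random (the slides do not fix the sampling rule); under that assumption the slide's (½)^k is an upper bound. Function names are hypothetical.

```python
import random
from fractions import Fraction
from math import comb

def undetected_exact(n, k):
    """P(no altered input is audited) when exactly n//2 of n inputs are audited."""
    a = n // 2
    return Fraction(comb(n - k, a), comb(n, a))

def undetected_simulated(n, k, trials=20000, seed=588):
    """Monte Carlo version: mux alters inputs 0..k-1, auditor samples n//2 inputs."""
    rng = random.Random(seed)
    altered = set(range(k))
    clean = sum(1 for _ in range(trials)
                if altered.isdisjoint(rng.sample(range(n), n // 2)))
    return clean / trials

def table(n, ks):
    """Rows of (k, exact probability, the slide's (1/2)^k estimate)."""
    return [(k, undetected_exact(n, k), Fraction(1, 2**k)) for k in ks]
```

For n = 8 and k = 2 the exact value is 3/14, a little below ¼, and the gap to (½)^k narrows as n grows relative to k.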

Faculty Candidate talk tomorrow:
Yih-Chun Hu (CMU, Berkeley)
Securing Network Routing
Olsson 011, 3:30PM