The Pennsylvania State University CSE597B: Special Topics in Network and Systems Security The Miscellaneous Instructor: Sencun Zhu

The Pennsylvania State University2 Appetizer Ten scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if five or more of the scientists are present. –What is the smallest number of locks needed? –What is the smallest number of keys to the locks each scientist must carry?

The Pennsylvania State University3 Outline A little maths –Group, ring, (finite) field –Increasing importance in cryptography –AES, Elliptic Curve, Threshold Cryptography Secret sharing and threshold cryptography –Based on slides by Prof. Helger Lipmaa, Helsinki University of Technology Design rules

The Pennsylvania State University4 Group G, a set of elements or “numbers” Obeys: –Closure: if a and b belong to G, a. B is also in G –associative law: (a.b).c = a.(b.c) –has identity e : e.a = a.e = a –has inverses a -1 : a.a -1 = e if commutative a.b = b.a –then forms an abelian group

The Pennsylvania State University5 Cyclic Group Define exponentiation as repeated application of operator –example: a 3 = a.a.a Let identity e be: e=a 0 A group is cyclic if every element is a power of some fixed element –i.e. b = a k for some a and every b in group a is said to be a generator of the group

The Pennsylvania State University6 Ring R, a set of “numbers” with two operations, addition and multiplication: –an abelian group with addition operation –closure under multiplication –associative under multiplication –distributive law: a(b+c) = ab + ac if multiplication operation is commutative, it forms a commutative ring if multiplication operation has inverses and no zero divisors, it forms an integral domain

The Pennsylvania State University7 Field F, a set of numbers with two operations: –F is an integral domain –Multiplicative inverse For each a in F, except 0, there is an element a -1 in F such that a a -1 = a -1 a =1 In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set –Division: a/b = a b -1

The Pennsylvania State University8 Galois Fields Finite fields (known as Galois fields) play a key role in cryptography Theorem: the number of elements in a finite field must be a power of a prime p n, denoted as GF(p n ) In particular often use the fields: –GF(p) –GF(2 n )

The Pennsylvania State University9 Galois Fields GF(p) GF(p) is the set of integers {0,1, …, p- 1} with arithmetic operations modulo prime p these form a finite field –since have multiplicative inverses hence arithmetic is “well-behaved” and can do addition, subtraction, multiplication, and division without leaving the field GF(p)

The Pennsylvania State University10 Keep Secrets on a Computer Very difficult Wiping state –Easier in C/C++, difficult in Java Swap file –Virtual memory Caches –Keep copies of data Data retention by memory –SRAM/DRAM could learn and remember data Access by others Data integrity

The Pennsylvania State University11 Key Storage Reliability and confidentiality of important data: –Information can be secured by encryption –After that, many copies of the ciphertext can be made How to secure the secret key? –Encrypting of key — vicious cycle –Replicating key — insecure Idea: distribute the key to a group, s.t. nobody by itself knows it

The Pennsylvania State University12 Secret Sharing:More Motivations USSR: At least two of the three nuclear buttons must have been pressed simultaneously Any other process where you might not trust a single authority Threshold cryptography –Computation can be performed in a distributed way by “trusted” subsets of parties Verifiable SS: One can verify that inputs were shared correctly

The Pennsylvania State University13 Secret Sharing Schemes: Definition A dealer shares a secret key among n parties Each party i in [1, n] receives a share Predefined groups of participants can cooperate to reconstruct the shares Smaller subgroups cannot get any information about the secret

The Pennsylvania State University14 (k, n)-threshold schemes A dealer shares a secret key between n parties Each party i in [1, n] receives a share A group of any k participants can cooperate to reconstruct the shares No group of k-1 participants can get any information about the secret

The Pennsylvania State University15 A Bad Example Let K be a 100-bit block cipher key. –Share it between two parties –Giving to both parties 50 bits of the key Why is this bad? –The requirement ‘Smaller subgroups cannot get any information about the secret’ is violated Ciphertext-only attack –Both participants can recover the plaintext by themselves, by doing a (2^50)-time exhaustive search

The Pennsylvania State University16 (2, 2)-threshold scheme Let s G be a secret from group (G, +). Dealer chooses a uniformly random s 1 G and lets s 2 = s – s 1 The two shares are s 1 and s 2 Given s 1 and s 2, one can successfully recover s = s 1 + s 2 Given only s 1, s 2 is random, vice versa – Pr[s = k | s 2 ] = Pr[s 1 = k - s 2 | s 2 ] = 2^|G | for any k

The Pennsylvania State University17 (n, n)-threshold scheme

The Pennsylvania State University18 Shamir’s (k,n) Threshold Scheme Mathematical basis

The Pennsylvania State University19 Shamir’s (k,n) Threshold Scheme Dealing phase

The Pennsylvania State University20 Shamir’s (k,n) Threshold Scheme

The Pennsylvania State University21 Shamir’s (k,n) Threshold Scheme

The Pennsylvania State University22 Illustration

The Pennsylvania State University23 Shamir’s Scheme: Efficiency

The Pennsylvania State University24 Shamir’s Scheme: Flexibility

The Pennsylvania State University25 Remarks

The Pennsylvania State University26 Design Rules Design rules: –Complexity is the worst energy of security There are no secure complex systems –Correctness must be a local property every part of the system should behave correctly regardless of how the rest of the system works –For a security level of n bits, every cryptographic value should be at least 2n bits long Due to collision attacks –Reliability Do not assume message reliability –TCP cannot prevent active attacks

The Pennsylvania State University27 Presentation Two presentations each class –Let us first see how it will be going Time –30~35 minutes/person, including random interruption –Do not exceed How to give a good talk – How to give a bad talk –