Group theory exercise.

Presentation on theme: "Group theory exercise." - Presentation transcript:

1 Group theory exercise

2 Group
A group consists of:
Set $S$
Operation $\cdot : S \times S \to S$
Identity element
Properties:
Closure: $x, y \in S \Rightarrow x \cdot y \in S$
Identity: $\exists e \in S : x \in S \Rightarrow e \cdot x = x$ (we use e to denote the identity element)
Associativity: $x, y, z \in S \Rightarrow (x \cdot y) \cdot z = x \cdot (y \cdot z)$
Inverse: $x \in S \Rightarrow \exists y \in S : x \cdot y = e$
Extra property:
Commutativity: $x, y \in S \Rightarrow x \cdot y = y \cdot x$

3 Uniqueness of multiplication
For every group $G$ and $x, y, z \in G$, if $x \cdot y = x \cdot z$ then $y = z$
Proof:
$x \cdot y = x \cdot z$
$x^{-1} \cdot (x \cdot y) = x^{-1} \cdot (x \cdot z)$
$(x^{-1} \cdot x) \cdot y = (x^{-1} \cdot x) \cdot z$ (associativity)
$1 \cdot y = 1 \cdot z$ (inverse)
$y = z$ (identity)

4 Sampling games
For any group $G$, for any $x \in G$, the following two games are indistinguishable:
Game 1: $r \in G$, $w \leftarrow r$, output $w$
Game 2: $r \in G$, $w \leftarrow x \cdot r$, output $w$
Follows that: for every group $G$ and $x, y, z \in G$, if $x \cdot y = x \cdot z$ then $y = z$

5 Inverse of product
For every group $G$ and $a, b \in G$, $(ab)^{-1} = b^{-1} \cdot a^{-1}$
Proof:
$(ab) \cdot (b^{-1} a^{-1})$
$= a \cdot (b \cdot b^{-1}) \cdot a^{-1}$ (associativity)
$= a \cdot 1 \cdot a^{-1}$ (inverse)
$= a \cdot a^{-1}$ (neutral)
(inverse)

6 Public-key cryptography

7 Topics in public cryptography for today
Key-exchange
Public-key encryption

8 Key-exchange
When Alice and Bob want to exchange keys
Adversary should learn no information about the keys

9 Key-exchange
[Diagram: $F_{key\text{-}exchange}$ with outputs $k$, $k$ and $|k|$; legend: ≔ secure channel]

10 Merkle puzzle
"Key-exchange" protocol published in 1978
Alice's effort: small
Bob's effort: $O(1)$
Adversary's effort: $O(n)$
Gap in effort between Bob and adversary

11 Merkle puzzle
Puzzle:
Easy to produce, some difficulty to solve
Solving the puzzle produces an identifier and a key
Sending the identifier does not help solve the puzzles
Algorithm for key-exchange:
Alice creates n puzzles with different identifiers and sends them to Bob
Bob solves one of them and sends the resulting identifier to Alice
Alice and Bob use the key for the one that Bob solved
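
The puzzle exchange above as a runnable sketch. This is an added example, not code from the slides; the puzzle construction (XOR with a SHAKE-256 pad under a 10-bit weak key, a fixed tag to recognise a correct guess) and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

WEAK_BITS = 10      # assumed puzzle difficulty: 2**10 candidate weak keys
TAG = b"PUZZLE01"   # known prefix so a solver can recognise a correct guess

def _crypt(weak: int, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher for the example: XOR with SHAKE-256(nonce || weak key)."""
    pad = hashlib.shake_256(nonce + weak.to_bytes(2, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def alice_make_puzzles(n: int):
    """Alice: n puzzles, each hiding (identifier, key) under a fresh weak key."""
    table, puzzles = {}, []
    for _ in range(n):
        ident, key = secrets.token_bytes(8), secrets.token_bytes(16)
        nonce, weak = secrets.token_bytes(8), secrets.randbelow(2 ** WEAK_BITS)
        puzzles.append((nonce, _crypt(weak, nonce, TAG + ident + key)))
        table[ident] = key                     # Alice keeps identifier -> key
    return puzzles, table

def solve(puzzle):
    """Brute-force one puzzle's weak key; returns (identifier, key)."""
    nonce, ct = puzzle
    for guess in range(2 ** WEAK_BITS):
        plain = _crypt(guess, nonce, ct)
        if plain.startswith(TAG):
            return plain[len(TAG):len(TAG) + 8], plain[len(TAG) + 8:]
    raise ValueError("no weak key matched")

def run_exchange(n: int, bob_choice: int):
    """Returns (alice_key, bob_key, eve_key, puzzles_eve_had_to_solve)."""
    puzzles, table = alice_make_puzzles(n)        # Alice -> Bob: all n puzzles
    ident, bob_key = solve(puzzles[bob_choice])   # Bob solves exactly one puzzle
    alice_key = table[ident]                      # Bob -> Alice: identifier only
    # The eavesdropper saw every puzzle and the identifier, but not which
    # puzzle it belongs to, so she solves puzzles until one yields it.
    eve_solved, eve_key = 0, None
    for p in puzzles:
        eve_solved += 1
        i, k = solve(p)
        if i == ident:
            eve_key = k
            break
    return alice_key, bob_key, eve_key, eve_solved
```

Bob always solves one puzzle; the eavesdropper solves up to n of them, which is the effort gap the previous slide lists.
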

12 Diffie-Hellman assumption
Group $G$
Generator $g$
$(g^y)^x = (g^x)^y$
The following two games are indistinguishable:
Game 1: $x, y \in_R G$, $a \leftarrow g^x$, $b \leftarrow g^y$, $c \leftarrow g^{xy}$, output $(a, b, c)$
≈
Game 2: $x, y \in_R G$, $a \leftarrow g^x$, $b \leftarrow g^y$, $c \in_R G$, output $(a, b, c)$

13 Security of DH-Key exchange
Need a group $G$ such that:
Generator $g$
$\forall x, y \in G : (g^y)^x = (g^x)^y$
Diffie-Hellman assumption holds
Assumption:
Adversary will not tamper with communication
Channel is authenticated between Alice and Bob

14 Diffie-Hellman key-exchange
Alice: $x \in_R G$, sends $g^x$
Bob: $y \in_R G$, sends $g^y$
Alice: $k = (g^y)^x = g^{xy}$
Bob: $k = (g^x)^y = g^{xy}$

15 Security of Diffie-Hellman key-exchange
[Diagram: $x \in_R G$, $y \in_R G$, $k \leftarrow g^{xy}$; outputs $k$, $k$; labels $g^x$, $g^y$, $|k|$]

16 Security of Diffie-Hellman key-exchange
[Diagram: two systems related by ≈; legend: ≔ secure channel]

17 Insecurity against man-in-the-middle adversary
[Diagram: the adversary sits between Alice and Bob and runs one exchange with each; labels: $x \in_R G$, $y \in_R G$ (twice), $g^x$, $g^y$ (twice), $k_1 = g^{xy}$ (twice), $k_2 = g^{xy}$ (twice)]

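The exchange of slide 14 and the man-in-the-middle case of slide 17, as an added example that is not part of the slides. The toy group (p = 2039, q = 1019, g = 4), the function names and the `view` comparison are assumptions; `view` stands for any check of the exchanged public values over the authenticated channel that slide 13 assumes.

```python
import hashlib
import secrets

# Toy group, assumed for this example: p = 2q + 1 with q prime and g = 4 of
# order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]

def public(x: int) -> int:
    return pow(G, x, P)                          # g^x

def shared(secret: int, received: int) -> int:
    return pow(received, secret, P)              # (g^y)^x = g^{xy}

def view(sent: int, received: int) -> str:
    """Digest of the two public values one party saw, order-independent."""
    lo, hi = sorted((sent, received))
    return hashlib.sha256(f"{lo},{hi}".encode()).hexdigest()

def honest_run(x=None, y=None):
    x, y = x or rand_exp(), y or rand_exp()
    gx, gy = public(x), public(y)
    return {"alice": shared(x, gy), "bob": shared(y, gx),
            "views_match": view(gx, gy) == view(gy, gx)}

def mitm_run(x=None, y=None, x2=None, y2=None):
    """x, y: Alice's and Bob's exponents; x2, y2: the adversary's own exponents."""
    x, y = x or rand_exp(), y or rand_exp()
    x2, y2 = x2 or rand_exp(), y2 or rand_exp()
    gx, gy, gx2, gy2 = public(x), public(y), public(x2), public(y2)
    k1_alice, k1_adv = shared(x, gy2), shared(y2, gx)   # Alice <-> adversary
    k2_bob, k2_adv = shared(y, gx2), shared(x2, gy)     # adversary <-> Bob
    return {"alice": k1_alice, "bob": k2_bob,
            "adversary_knows_both": (k1_alice, k2_bob) == (k1_adv, k2_adv),
            # Comparing views over an authenticated channel exposes the swap.
            "views_match": view(gx, gy2) == view(gy, gx2)}
```
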
18 Public key-encryption
How can people send encrypted messages to Google, Steam, your bank, even though they have never exchanged secret keys with those companies?
Public-key encryption allows you to do it
Public key is revealed publicly so that everyone can encrypt messages
Secret key is kept hidden and only the owner is able to decrypt the ciphertext

19 Public-key encryption
The Gen algorithm takes security parameter $1^s$ and outputs both a secret key and a public key
The encrypt algorithm takes a public key $pk$ and a message $m$ and outputs a ciphertext $c$
The decrypt algorithm takes a secret key $sk$ and a ciphertext $c$ and outputs the message $m$

20 Formal definition
$Gen(1^s) \to (sk, pk)$
$Enc_{pk}(m) \to c$ where $m \in M$, $c \in C$
$Dec_{sk}(c) \to m$ where $m \in M$, $c \in C$
Correctness: $\Pr[\, Dec_{sk}(Enc_{pk}(m)) = m \mid (sk, pk) \leftarrow Gen(1^s) \,] = 1$

21 Chosen-plaintext security
The games $G_0$ and $G_1$ are indistinguishable ($G_0 \approx G_1$):
$(sk, pk) \leftarrow Gen(1^s)$; the distinguisher receives $pk$
The distinguisher sends $m_0, m_1$ and receives $c \leftarrow Enc_{pk}(m_0)$ in $G_0$, $c \leftarrow Enc_{pk}(m_1)$ in $G_1$
The distinguisher sends $m$ and receives $c \leftarrow Enc_{pk}(m)$
Repeat as many times as the distinguisher wants

22 Multi-message indistinguishability
The games $G_0$ and $G_1$ are indistinguishable ($G_0 \approx G_1$):
$(sk, pk) \leftarrow Gen(1^s)$; the distinguisher receives $pk$
The distinguisher sends $m_0^1, \ldots, m_0^n$ and $m_1^1, \ldots, m_1^n$
$c_i \leftarrow Enc_{pk}(m_0)$ in $G_0$, $c_i \leftarrow Enc_{pk}(m_1)$ in $G_1$
$c \leftarrow c_1, \ldots, c_n$; the distinguisher receives $c$

23 Security relationship
Multi-message security of public-key encryption => CPA-security of public-key
Reason: public-key encryption allows adversary to encrypt any message of his choice

24 Validation oracles / error oracles
When encrypting message using public-key encryption, it might be that the website sends you an error if the message is not valid.
Homomorphic properties of certain encryption schemes:
$Enc_{pk}(m_1) * Enc_{pk}(m_2) = Enc_{pk}(m_1 + m_2)$

25 Validation oracle attack using homomorphism
$M = \{x \mid x \bmod 3 = 0,\ x < n\} \cup \{x \mid x \bmod 3 = 1,\ x < n\}$
$Dec_{sk}(Enc_{pk}(x) * Enc_{pk}(1)) \in M \Leftrightarrow Dec_{sk}(Enc_{pk}(x + 1)) \in M \Leftrightarrow x \bmod 3 = 0$

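The equivalence on slide 25, checked against a concrete additively homomorphic scheme. This is an added example, not part of the slides: the slides name no scheme, so Paillier with a constructed toy modulus is assumed here, and the function names are hypothetical. It shows how one valid/invalid answer per query reveals x mod 3, which is why the next slide asks for CCA-security.

```python
import math
import secrets

# Constructed toy key for the example: two small primes. Not a secure size.
P_, Q_ = 1009, 1013

def gen():
    n = P_ * Q_
    lam = (P_ - 1) * (Q_ - 1)
    return (lam, pow(lam, -1, n)), n           # sk = (lambda, mu), pk = n

def enc(n: int, m: int) -> int:
    r = 0
    while math.gcd(r, n) != 1:                 # gcd(0, n) = n, so this runs once at least
        r = secrets.randbelow(n)
    return pow(1 + n, m, n * n) * pow(r, n, n * n) % (n * n)

def dec(sk, n: int, c: int) -> int:
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(n: int, c1: int, c2: int) -> int:
    """Homomorphism from slide 24: Enc(m1) * Enc(m2) = Enc(m1 + m2)."""
    return c1 * c2 % (n * n)

def in_message_space(m: int) -> bool:
    return m % 3 in (0, 1)                     # M from slide 25

def make_validation_oracle(sk, n):
    """Server side: answers only 'valid' / 'invalid' for a submitted ciphertext."""
    return lambda c: in_message_space(dec(sk, n, c))

def oracle_reveals_mod3_zero(oracle, n: int, c: int) -> bool:
    """For c = Enc(x) with x in M: the oracle's answer on Enc(x) * Enc(1)
    is 'valid' exactly when x mod 3 = 0."""
    return oracle(add(n, c, enc(n, 1)))
```
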
26 Require CCA-security
Distinguisher loses automatically if $c = c'$
$(sk, pk) \leftarrow Gen(1^s)$; the distinguisher receives $pk$
The distinguisher sends $m_0, m_1$ and receives $c \leftarrow Enc(m_0)$ in the first game, $c \leftarrow Enc(m_1)$ in the second
The distinguisher sends $c'$ and receives $m \leftarrow Dec(c')$
Repeat as many times as the distinguisher wants

27 Key-encapsulation
Why not use public-key encryption to encrypt long messages?
Public-key encryption is hundreds to thousands of times slower than private-key encryption
Key-encapsulation attempts to combine the properties of a public-key encryption with the speed of private-key encryption

28 Key-encapsulation (hybrid-encryption)
$(Gen, Enc_{pk}, Dec_{sk})$ is a public-key encryption
$(Enc_k, Dec_k)$ is a private key encryption
Enc (input $m$, output $(c_1, c_2)$): $k \in_R \{0,1\}^n$, $c_1 \leftarrow Enc_{pk}(k)$, $c_2 \leftarrow Enc_k(m)$
Decryption of $(c_1, c_2)$ (output $m$): $k \leftarrow Dec_{sk}(c_1)$, $m \leftarrow Dec_k(c_2)$

29 Security of key-encapsulation
[Diagram: games related by ≈; Enc with input $m$ and output $(c_1, c_2)$, where $k \in_R \{0,1\}^n$, $c_1 \leftarrow Enc_{pk}(k)$, $c_2 \leftarrow Enc_k(m')$]

30 El-Gamal public-key encryption
Group $G$, $|G| = q$
Generator $g$
$Gen(1^s)$: $x \in_R G$, $h = g^x$, $sk \leftarrow x$, $pk \leftarrow (G, q, g, h)$

31 El-Gamal encryption/ decryption
$pk = (G, q, g, h)$
Enc (input $m$): $y \in_R G$, $h^y = g^{xy}$, $c \leftarrow (g^y, h^y \cdot m)$
Dec (input $(g^y, c')$, output $m$): $d \leftarrow (g^y)^x = g^{xy}$, $m \leftarrow c' / h^y$

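El-Gamal as defined on slides 30 and 31, used as the public-key part of the hybrid scheme from slide 28. This is an added example, not code from the slides. Assumptions: a toy group (p = 2039, q = 1019, g = 4), a random group element as the session key k instead of a bit string (El-Gamal messages are group elements), and a SHAKE-256 XOR pad as the private-key encryption.

```python
import hashlib
import secrets

# Toy group, assumed for this example: p = 2q + 1, g = 4 has prime order q.
P, Q, G = 2039, 1019, 4

def gen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                        # sk = x, h = g^x

def enc(h: int, m: int):
    """El-Gamal Enc: c = (g^y, h^y * m) for a fresh random y."""
    y = secrets.randbelow(Q - 1) + 1
    return pow(G, y, P), pow(h, y, P) * m % P

def dec(x: int, c):
    """El-Gamal Dec: d = (g^y)^x = h^y, then m = c' / d."""
    gy, c_prime = c
    d = pow(gy, x, P)
    return c_prime * pow(d, -1, P) % P

def _sym(k: int, data: bytes) -> bytes:
    """Private-key part: XOR with a SHAKE-256 pad derived from k.
    Encryption and decryption are the same operation; k is used once."""
    pad = hashlib.shake_256(k.to_bytes(2, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def hybrid_enc(h: int, msg: bytes):
    k = pow(G, secrets.randbelow(Q - 1) + 1, P)   # fresh session key
    return enc(h, k), _sym(k, msg)                # (c1, c2)

def hybrid_dec(x: int, c) -> bytes:
    c1, c2 = c
    return _sym(dec(x, c1), c2)                   # k <- Dec_sk(c1), m <- Dec_k(c2)
```
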
32 Sampling games
For any group $G$, for any $x \in G$, the following two games are indistinguishable:
Game 1: $r \in G$, $w \leftarrow r$, output $w$
Game 2: $r \in G$, $w \leftarrow x \cdot r$, output $w$
Follows that: for every group $G$ and $x, y, z \in G$, if $x \cdot y = x \cdot z$ then $y = z$

33 Security of El-Gamal
With $pk = (G, q, g, h)$, the following Enc games are indistinguishable:
$y \in_R G$, $c \leftarrow (g^y, h^y \cdot m_0)$
≈ $r \in_R G$, $c \leftarrow (g^y, r \cdot m_0)$
≈ $r \in_R G$, $c \leftarrow (g^y, r \cdot m_1)$
≈ $y \in_R G$, $c \leftarrow (g^y, h^y \cdot m_1)$

