Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic protocols 2016, Lecture 3 Key Exchange, CDH, DDH

Published byLynette Merritt Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptographic protocols 2016, Lecture 3 Key Exchange, CDH, DDH"— Presentation transcript:

1 Cryptographic protocols 2016, Lecture 3 Key Exchange, CDH, DDH
Helger Lipmaa University of Tartu, Estonia

2 up to now Basic intro Basic algebra Exponentiation Assumptions
Algebra + assumptions: DL How to define assumptions (DL)

3 What can be done with DL? First idea:
let s ← ℤq be secret key and h ← gs be public key computation of s from h is infeasible Use the keys to "encrypt", "sign", etc This lecture: more details

4 Key Exchange I want to send secret information to Bob, but he is in Jamaica Let us agree on a joint secret key for further communication

5 Key Exchange sk←SK(ska,pkb) sk←SK(skb,pka) pka pkb = sk skb,pkb
Asymmetric, public key Asymmetric, public key ska,pka skb,pkb pka pkb sk←SK(ska,pkb) sk←SK(skb,pka) = sk Symmetric, shared key

6 Key Exchange with dl sk←SK(s,hB) sk←SK(t,hA) hA hB = sk t, hB ← gt
s, hA ← gs t, hB ← gt hA hB sk←SK(s,hB) sk←SK(t,hA) = sk

7 QUIZ SK (t, gs) = sk = SK (s, gt) What could SK be?
Hint: we are working in a group Use commutativity + efficient operations Answer: SK (s, h) = hs SK (t, gs) = gst = gts = SK (s, gt)

8 Diffie-Hellman Key Exchange
s, hA←gs t, hB ← gt hA hB sk=gst = sk

9 DHKE: Formally DHKE.Setup (κ): h DHKE.Keygen (gk): f sk=gˢᵗ sk=gst
Choose a group G of order q where breaking DL has complexity 2κ Choose a generator g of G Return gk ← desc (G) = (..., q, g) s,h=gˢ t, hB ← gt h DHKE.Keygen (gk): sk = s ← ℤq pk ← gs Return (sk, pk) f sk=gˢᵗ sk=gst DHKE.SK (gk, s, h): Return hs = sk

10 QUIZ: is dhke secure? Correct question:
is DHKE what-secure under X assumption? Three tasks: Formalize security of KE Decide on X Provide a proof by reduction (X holds => DHKE what-secure)

11 Security def: First try
We already saw some issues in the last lecture ...so we won't concentrate on the same issues Random key, probabilistic algorithms, ...

12 DHKE: intuitive security
s, hA ← gs t, hB ← gt hA hB sk=gst = sk ?

13 key recovery security Game KR(1κ,KE,A)
gk ← Setup(1κ) (ska,pka)←Keygen (gk) (skb,pkb)←Keygen (gk) sk* ← A (gk, pka, pkb) If sk* = SK (gk, ska, pkb) return 1 else return 0 Three algorithms KE = (Setup, Keygen, SK) Adv[KR] := | Pr[KR = 1] - 1 / q | A ε-breaks KR (key recovery) security of KE iff Adv[KR] ≥ ε KE is (τ,ε)-KR secure iff no adversary ε- breaks KR security of KE in time ≤ τ KE is KR secure iff it is (poly(κ),negl(κ))- KR secure

14 SEcurity reduction? We would like to prove that DHKE is KR secure
by reducing KR-security to DL assumption Unfortunately not known how to do it DL s gs SK gst ? SK gt t DL

15 New assumption: CDH DHKE was proposed together with the idea of public-key cryptography by Diffie and Hellman in 1976 No success in breaking it in any reasonable group where DL is hard Seems logical: introduce a tautological assumption CDH: Computational Diffie-Hellman "key recovery attack against DHKE is hard"

16 Def: CDH assumption Game CDH(G,A) Adv[CDH] := | Pr[CDH = 1] - 1 / q |
Game CDH(1κ,KE,A) gk ← Setup(1κ) (ska,pka)←Keygen (gk) (skb,pkb)←Keygen (gk) sk* ← A (gk, pka, pkb) If sk* = SK (gk, ska, pkb) return 1 else return 0 Use (DHKE.Setup, DHKE.Keygen, DHKE.SK) Adv[CDH] := | Pr[CDH = 1] - 1 / q | A ε-breaks CDH in group G iff Adv[CDH] ≥ ε G is (τ,ε)-CDH group iff no adversary ε-breaks CDH in G in time ≤ τ G is CDH group iff it is (poly(κ),negl(κ))-CDH group

17 remarks Clearly, CDH is secure in A group iff DHKE is KR secure in the same group τ = τ (κ) and ε = ε (κ) are functions of κ

18 QUIZ: CDH vs DL ? CDH DL ?

19 some contrived groups where DL holds but not CDH, ...
QUIZ: CDH vs DL Answer: yes ? CDH hard DL hard ? some contrived groups where DL holds but not CDH, ... Answer: depends

20 Proof: CDH => DL Typical reduction
Theorem. If G is a (τ + small, ( / q) ε + (1 - 1 / q) / q)-CDH group, then it is also a (τ, ε)-DL group. Proof idea. Reduction to absurd: we show that if DL is easy in G, then CDH must also be easy in G. DL is easy => there exists an adversary D that breaks DL We show CDH is easy by constructing an adversary C that breaks CDH C can use help from adversary D, by sending inputs to D and receiving outputs Typical reduction

21 Intuitive proof Assume D can break DL
given gs, outputs s with probability ε Construct adversary C that breaks CDH given gs, gt, call D to compute s ← D (gs) return (gt)s = gst

22 Security games CDH game: need to construct C DL game: D is given
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C A challenger generates values from some fixed "valid" distributions and sends them to the adversary D After some computation, C returns some value to the challenger After some computation, D returns some value to the challenger Depending on the input and the output, the challenger declares C to be either successful or not Depending on the input and the output, the challenger declares D to be either successful or not This is the only thing we know...

23 CDH game: need to construct C
Security reduction CDH game: need to construct C DL game: D is given A challenger generates values from some fixed "valid" distributions and sends them to the adversary C A challenger generates values from some fixed "valid" distributions and sends them to the adversary D C After some computation, C returns some value to the challenger After some computation, D returns some value to the challenger Depending on the input and the output, the challenger declares C to be either successful or not C

24 Reduction: CDH => DL
Exists Need to construct Exists Challenger C D s, t ← ℤq; hA ← gs; hB ← gt (desc(G), hA, hB) Correct distribution for CDH (desc(G), hA) remove 1 elem. Correct distribution for DL ... ;/* compute m */ if hA = gm return sk* ← fm else return sk* ← ℤq if sk* = gst return 1 else return 0 m sk*

25 about success probability
Weird expression due to “else return sk* ← ℤq” Will not analyse (see slides of 2015 if interested)

26 quiz: are we done? If not, why not?
Is the achieved security sufficient? Answer: The fact that sk is unknown is not sufficient Adversary should have no information about sk

27 c + any information about sk leaks information about m
DHKE in wild world hA hB s,hA←gs t,hB←gt sk=gst = sk XOR m c c + any information about sk leaks information about m One-time pad

28 DHKE: IND security is it sk or garbage? hA hB sk* sk=gst sk=gst = sk
Intuition: if Eve has any information about sk, she should be able to distinguish real sk from random s,hA←gs t,hB←gt hA hB sk=gst sk* sk=gst = sk is it sk or garbage?

29 IND(ISTINGUISHABILITY) security
Game IND(1κ,KE,A) gk ← Setup(1κ) (ska,pka)←Keygen (gk) (skb,pkb)←Keygen (gk) sk0 ← SK (gk, ska, pkb) sk1 ← G β ← {0, 1} β* ← A (gk,pka,pkb,skβ) Return β = β* ? 1 : 0 KE = (Setup, Keygen, SK) Adv[IND] := 2 · | Pr[IND = 1] - 1 / 2 | A ε-breaks IND security of KE iff Adv[IND] ≥ ε KE is (τ,ε)-IND secure iff no adversary ε- breaks IND security of KE in time ≤ τ KE is IND secure iff it is (poly(κ),negl(κ))-IND secure

30 SEcurity reduction? We would like to prove that DHKE is IND secure
by reducing IND security to CDH assumption Not possible well-known groups where CDH holds but DHKE is not IND secure

31 ddh We introduce again a tautological assumption, DDH
Decisional Diffie-Hellman, known since 70s => good ...in many groups DDH is extremely useful in many protocols Well-known groups where DDH does not hold pairing-based groups: CDH conjectured to be hard, but DDH trivially breakable interestingly, pairing-based groups are also extremely useful

32 DEF: DDH security Game DDH(1κ,G,A) gk ← Setup(1κ)
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK) Assume that for any κ, Setup picks exactly one group G = G(κ) Adv[DDH] := 2 · | Pr[DDH = 1] - 1 / 2 | A ε-breaks DDH in G iff Adv[DDH] ≥ ε G is a (τ, ε)-DDH group iff no PPT adversary A ε-breaks DDH in G in time ≤ τ G is a DDH group iff it is (poly(κ),negl(κ))- DDH group gk ← Setup(1κ) (ska,pka)←Keygen (gk) (skb,pkb)←Keygen (gk) sk0 ← SK (gk, ska, pkb) sk1 ← G β ← {0, 1} β* ← A (gk,pka,pkb,skβ) Return β = β* ? 1 : 0

33 DDH: Short form Fix a cyclic group G and its generator g
Adversary has to distinguish between (g, gs, gt, gst) -- DDH tuple (g, gs, gt, gm) -- random tuple where s, t, m are random

34 DDH vs IND security Clearly, G is a DDH group iff DHKE is IND secure in G (tautology)

35 Home exercise:Very similar to previous proof. Finish! Find parameters
Proof: DDH => CDH Theorem. If G is a (≈τ, ≈ε)-DDH group, then it is also a (τ, ε)-CDH group. Proof idea. Reduction to absurd: we show that if CDH is easy in G, then DDH must also be easy in G. CDH is easy => there exists an adversary D that breaks CDH We show DDH is easy by constructing an adversary C that breaks DDH C can use help from adversary D, by sending inputs to D and receiving outputs Home exercise:Very similar to previous proof. Finish! Find parameters

36 Beyond ind: semihonest vs malicious
Actual security requirements even more stringent KR, IND security only demonstrate basic concepts We assumed Eve is semihonest Eavesdrops but does not change messages Malicious Eve: can change, inject, delete messages Alice and Bob need to authenticate each other "Authenticated Diffie-Hellman" Crucial notions Security of various protocols against malicious adversaries: second half of the course

37 What next? DDH is a very versatile assumption
One can construct many useful protocols from it DDH Encryption Signatures ... E-voting CPIR E-cash

38 What next? Since many protocols are based on homomorphic encryption, the next lecture is about homomorphic encryption More precisely: Elgamal encryption

39 Study outcomes Key exchange DHKE in particular KR security and CDH
IND security and DDH Reductions: how to do

Download ppt "Cryptographic protocols 2016, Lecture 3 Key Exchange, CDH, DDH"

Similar presentations

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.

1 CIS 5371 Cryptography 9. Data Integrity Techniques.
0x1A Great Papers in Computer Security

0x1A Great Papers in Computer Security
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
8. Data Integrity Techniques

8. Data Integrity Techniques
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
15-499Page 1 15-499:Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.

15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.

Identity based signature schemes by using pairings Parshuram Budhathoki Department of Mathematical Science FAU 02/21/2013 Cyber Security Seminar, FAU.
多媒體網路安全實驗室 Variations of Diffie-Hellman Problem Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312 Feng Bao, Robert H. Deng, Huafei.

多媒體網路安全實驗室 Variations of Diffie-Hellman Problem Proceedings of ICICS 2003, LNCS 2836, Springer-Verlag, 2003, pp. 301–312 Feng Bao, Robert H. Deng, Huafei.
Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.

Intrusion Resilience via the Bounded-Storage Model Stefan Dziembowski Warsaw University and CNR Pisa.
On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu

On the (im)possibility of perennial message recognition protocols without public-key cryptography Peeter Laud Cybernetica AS & University of Tartu

Similar presentations

Ads by Google