Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 12 Arpita Patra.  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures.

Published byMadison Barker Modified over 8 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 12 Arpita Patra.  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures."— Presentation transcript:

1 Cryptography Lecture 12 Arpita Patra

2  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world)  Definition: A Digital signature scheme  consists of three PPT algorithms (Gen, Sign, Vrfy): Gen 1n1n pk, sk  {0, 1} n  pk: public key (verification key)  sk: private key (signing key) Sign m  {0, 1} *  sk  Usually Randomized   is signature for m Vrfy m,  b  {0, 1} pk  b = 0  invalid signature  b = 1  valid signature  (pk, sk) plays a different “role” compared to public-key encryption  Correct ness: Except with a negligible probability over (pk, sk) output by Gen(1 n ), we require the following for every (legal) plaintext m Vrfy pk (m, Sign sk (m)) = 1  Signatures cannot be obtained by “reversing” a public-key encryption scheme  Randomized  Deterministic >> sk – signature generation (whereas pk was used for ciphertext generation) >> pk – public verification of the signature (whereas sk was used for decryption)

3 Digital Signatures : Security  Goal: we want to prevent a situation like the following: skpk m 1 = (“My Lord how are you ?”)  1 = Sign sk (m 1 ) m 2 = (“Ravana is misbehaving with me”)  2 = Sign sk (m 2 )  = (Gen, Sign, Vrfy)

4 Digital Signatures : Security  Goal: we want to prevent a situation like the following: skpk  = (Gen, Sign, Vrfy) m’ 1 = (“Ravana is not that bad”)  ’ 1 = Sign sk (m’ 1 ) m’ 2 = (“I am fine here”)  ’ 2 = Sign sk (m’ 2 )  How to model the above requirement via security experiment ? --- Experiment Sig-forge (n) A,  I can forge  PPT Attacker A Let me verify Gen(1 n ) Pk, sk m 1, …, m q (m*,  *) b = 1 if Vrfy pk (m*,  *)  0 and (m*,  *)  {(m i,  i )}  is existentially-unforgeable/CMA if for every PPT A: negl(n) Pr Sig-forge (n) =1 A,    1, …,  q  i  Sign sk (m i ) b = 0 otherwise pk

5 MAC vs Digital Signature - Key distribution has to be done apriori. - In multi-verifier scenario, a signer/prover need to hold one secret key for every verifier + Better suited for open environment (Internet) where two parties have not met personally but still want to communicate securely (Internet merchant & Customer) MACDigital Signature + No such assumption needed! + One signer can setup a single public-key/secret key and all the verifiers can use the same public key - Well-suited for closed organization (university, private company, military). Does not work for open environment (Internet Merchant) + Very fast computation. Efficient Communication. Only way to do auth in resource-constrained devices such as mobile, RFID, ATM cards etc - Orders of magnitude slower than Private-key. Heavy even for desktop computers while handling many operations at the same time + Public Verifiability & Transferability - NO Public Verifiability & Transferability Not completely correct! Relies on the fact that there is a way to send the public key in an authenticated way to the verifiers + Non-repudiation (cannot deny to anyone) - NO Non-repudiation (cannot deny only to the person holding the key)

6 Some Results on Digital Signatures  Feasibility Results for DS: Unlike PKE (which needs more assumption than HF/OWF), DS can be constructed just based on HF (in fact just from OWF) [Rompel STOC’90]  DS Schemes in Practice: >> Digital Signature Algorithm (DSA)- DL + HF- Digital Signature Standard (DSS) >> RSA-FDH (Full Domain Hash) - RSA Assumption + HF – PKCS #1 v2.1

7 Digital Certificates and Public-key Infrastructure (PKI) Public-key World My public-key is pk S Is pk S indeed a genuine public-key of Sita ? SitaRama (pk S, sk S )

8 Digital Certificates and Public-key Infrastructure (PKI) My public-key is pk S SitaRama Trusted Authority (pk M, sk M ) Knows that the public- key of is pk M (pk S, sk S ) Certify my public key pk S cert M  S = Sign sk M (“Sita’s public key is pk S ”) (After verification) cert M  S pk S is a genuine public key if and only if Vrfy pk M (“Sita’s public key is pk S ”, cert M  S ”) = 1 PKI  Several types of PKI used in practice  Single CA, multiple CA, PGP, etc  Public keys of CA are pre-configured in web browsers  Programmed to verify the certificates issued by those CAs

9 Putting It All Together – TLS (Transport Layer Security) Server Client https://mail.google.com Handshake protocol Authenticated Key Exchange Authenticated Private Communication (Using keys established by handshake protocol) Record-layer protocol (Public-key crypto) (Private-key crypto)

10 Putting It All Together – SSL/TLS (The Handshake Protocol) Server Client (pk 1, sk 1 )(pk 2, sk 2 )(pk 3, sk 3 )(pk 4, sk 4 ) CA 1 CA 2 CA 3 CA 4 pk 1, pk 2, pk 3, pk 4 (pre-configured) (pk S, sk S ) cert 2  S Certifying that pk S is the public key of the server

11 Putting It All Together – SSL/TLS (The Handshake Protocol) (pk 1, sk 1 )(pk 2, sk 2 )(pk 3, sk 3 )(pk 4, sk 4 ) CA 1 CA 2 CA 3 CA 4 pk 1, pk 2, pk 3, pk 4 (pre-configured) (pk S, sk S ) cert 2  S Random nonce N C Supported ciphersuites (hash functions, block ciphers, etc), N C Random nonce N S Corresponding ciphersuites, N S, pk S, cert 2  S Vrfy pk 2 (pk S, cert 2  S ) = 1 ? (c, pmk)  Encaps pkS (1 n ) mk:= KDF(pmk, N c, N s ) k C, k’ C, k S, k’ S := PRG(mk) c  C := Mac mk (transcript) pmk:= Decaps sk S (c) mk:= KDF(pmk, N c, N s ) k C, k’ C, k S, k’ S := PRG(mk) Vrfy mk (transcript,  C ) = 1 ?  S := Mac mk (transcript’) Vrfy mk (transcript’,  S ) = 1 ? transcript transcript’ Agreed symmetric keys

12 Putting It All Together – SSL/TLS (The Record-layer Protocol) k C, k’ C, k S, k’ S Authenticated communication k C, k’ C, k S, k’ S (k S, k’ S ) Authenticated communication (k C, k’ C )

13 Public Key Cryptography Whitfield Diffie, Martin E. Hellman:Martin E. Hellman: New directions in cryptography. IEEE Transactions on Information Theory 22(6): 644-654 (1976)IEEE Transactions on Information Theory 22(6): 644-654 (1976)

14 What We have seen and not seen? Secure + Authenticated Message Communication Cryptography Secure (multi- party) Computation Electronic election, auction, private information retrieval, Outsourcing computation to cloud, Privacy-preserving data mining, signal processing, bioinformatics etc. etc. Disc encryption, cloud storage, Secure Storage Leakage Resilient Cryptography Takes into account the side channel information. Non-committing Encryption, Deniable Encryption, Id-based Encryption, Attribute-based Encryption, Functional Encryption Homographic Encryption, Fully Homomorphic Encryption Special Purpose Encryption Schemes Finding flaws/attacks/insecurities. Side-channels Cryptanalysis Blind Signatures, Group Signature, Signcryption Special Purpose Digital Signatures

15 Crypto Zoo Oblivious Transfer Commitment Schemes Zero Knowledge Proofs MAC Hash Functions One way Function One way permutation PRGPRF Secret Sharing SPRP Public Key Encryption Minicrypt: SKC, Digital Signatures SR (x 0,x 1 ) σ xσxσ Cryptomania: Everything that u can design in Crypto We will get Cryptomaniac next semester with course on Secure Computation Choice is yours; whether u want to confine yourself in Minicrypt or u want turn to a Cryptomaniac.

16 Course on Secure Computation >> Oblivious Transfer >> Commitment Schemes >> Zero Knowledge Proofs >> Secret Sharing >> Threshold Encryption >> Secure Computation in various setting >> Secure Computation of Practical Problems- Set Intersection, Genomic Computation >> Byzantine Agreement & Broadcast PrimitivesDefinition Paradigms >> Real World- Ideal World Paradigm >> Universal Composability (UC) Paradigm Proof Paradigms >> Black-box Reduction >> Non-black-box reduction >> Random-Oracle Model (ROM)  Modeled as a random oracle (a truly random function from X  K)  Access to H is via oracle calls  To compute H(a), call oracle with a, who returns a random value from co-domain as the output --- once a value is associated as H(a), the association remains fixed for future instances  Calls to the oracle are private  If attacker has not queried for H(a), then H(a) remains uniformly random for the attacker  For many constructions based on HF

17 Concluding Remarks

18

19 El Gamal like KEM Encaps pk (1 n ) c = g y for random y k = H(h y ) = H(g xy. ) (c,k) Dec sk (c) k = H(c x )= H(g xy ) Gen(1 n ) (G, o, q, g) h = g x. For random x pk= (G,o,q,g,h,H), sk = x DDH (Strongest Diffie-Hellman Assumption; hard to distinguish g xy from a random group element even given g x, g y ) + “Regular” H (Regular => The number of elements from G that maps to k is approximately the same for all k) CPA-secure KEM + COA-secure SKE => CPA-secure PKE @ COA-secure SKE Security 1Security 2Security 3 CDH (Weaker than DDH; hard to compute g xy even given g x, g y ) + H is “Random Oracle” (Random => H behaves like an ideal random function) HDH- Hash Diffie-Hellman (Weaker than DDH but stronger than CDH when Hash function is implemented using known practical ones; hard to distinguish H(g xy ) from a random string {0,1} m even given g x, g y ) where H: {0,1}* -> {0,1} m + No assumption on H. It is incorporated in the above

Download ppt "Cryptography Lecture 12 Arpita Patra.  In PK setting, privacy is provided by PKE Digital Signatures  Integrity/authenticity is provided by digital signatures."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Course summary COS 433: Crptography -Spring 2010 Boaz Barak.

Course summary COS 433: Crptography -Spring 2010 Boaz Barak.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google