The Pennsylvania State University CSE597B: Special Topics in Network and Systems Security The...

Post on 19-Jan-2016

The Pennsylvania State University

CSE597B: Special Topics in Network and Systems Security

The Miscellaneous

Instructor: Sencun Zhu

Appetizer

• Ten scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if five or more of the scientists are present.
  – What is the smallest number of locks needed?
  – What is the smallest number of keys to the locks each scientist must carry?

Outline

• A little maths
  – Group, ring, (finite) field
  – Increasing importance in cryptography
  – AES, Elliptic Curve, Threshold Cryptography
• Secret sharing and threshold cryptography
  – Based on slides by Prof. Helger Lipmaa, Helsinki University of Technology

• Design rules

Group

• G, a set of elements or “numbers”
• Obeys:
  – Closure: if a and b belong to G, a.b is also in G
  – Associative law: (a.b).c = a.(b.c)
  – Has identity e: e.a = a.e = a
  – Has inverses a^-1: a.a^-1 = e
• If commutative, a.b = b.a
  – then forms an abelian group

Cyclic Group

• Define exponentiation as repeated application of operator
  – example: a^3 = a.a.a
• Let identity e be: e = a^0
• A group is cyclic if every element is a power of some fixed element
  – i.e. b = a^k for some a and every b in group
• a is said to be a generator of the group

Ring

• R, a set of “numbers” with two operations, addition and multiplication:
  – an abelian group with addition operation
  – closure under multiplication
  – associative under multiplication
  – distributive law: a(b+c) = ab + ac

• if multiplication operation is commutative, it forms a commutative ring

• if multiplication operation has inverses and no zero divisors, it forms an integral domain

Field

• F, a set of numbers with two operations:
  – F is an integral domain
  – Multiplicative inverse
    • For each a in F, except 0, there is an element a^-1 in F such that a a^-1 = a^-1 a = 1
• In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
  – Division: a/b = a b^-1

Galois Fields

• Finite fields (known as Galois fields) play a key role in cryptography

• Theorem: the number of elements in a finite field must be a power of a prime p^n, denoted as GF(p^n)
• In particular often use the fields:
  – GF(p)
  – GF(2^n)

Galois Fields GF(p)

• GF(p) is the set of integers {0,1, … , p-1} with arithmetic operations modulo prime p

• these form a finite field
  – since have multiplicative inverses

• hence arithmetic is “well-behaved” and can do addition, subtraction, multiplication, and division without leaving the field GF(p)

Keep Secrets on a Computer

• Very difficult
• Wiping state
  – Easier in C/C++, difficult in Java
• Swap file
  – Virtual memory
• Caches
  – Keep copies of data
• Data retention by memory
  – SRAM/DRAM could learn and remember data
• Access by others
• Data integrity

Key Storage

• Reliability and confidentiality of important data:
  – Information can be secured by encryption
  – After that, many copies of the ciphertext can be made
• How to secure the secret key?
  – Encrypting of key — vicious cycle
  – Replicating key — insecure

• Idea: distribute the key to a group, s.t. nobody by itself knows it

Secret Sharing: More Motivations

• USSR: At least two of the three nuclear buttons must have been pressed simultaneously

• Any other process where you might not trust a single authority

• Threshold cryptography
  – Computation can be performed in a distributed way by “trusted” subsets of parties

• Verifiable SS: One can verify that inputs were shared correctly

Secret Sharing Schemes: Definition

• A dealer shares a secret key among n parties

• Each party i in [1, n] receives a share

• Predefined groups of participants can cooperate to reconstruct the shares

• Smaller subgroups cannot get any information about the secret

(k, n)-threshold schemes

• A dealer shares a secret key between n parties

• Each party i in [1, n] receives a share

• A group of any k participants can cooperate to reconstruct the shares

• No group of k-1 participants can get any information about the secret
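
A scheme with exactly these two properties, as an added example that is not part of the original slides: Shamir's polynomial construction (named later in the deck) over GF(p) from the earlier slides. The function names, the prime 2^127 - 1 and the GF(11) toy case are choices made for this illustration.

```python
import secrets
from itertools import product

P = 2**127 - 1  # Mersenne prime chosen for this example; secrets must be < P

def evaluate(coeffs, x, p):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... in GF(p)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y

def deal(secret, k, n, p=P):
    """Random polynomial f of degree < k with f(0) = secret; party i gets (i, f(i))."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(i, evaluate(coeffs, i, p)) for i in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0; a/b is a * b^-1 in GF(p)."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = (num * -xj) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

def polynomials_per_secret(shares, k, p):
    """Tiny fields only: for each candidate secret, count the polynomials of
    degree < k that agree with the observed shares (exhaustive search)."""
    counts = [0] * p
    for coeffs in product(range(p), repeat=k):
        if all(evaluate(coeffs, x, p) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return counts

if __name__ == "__main__":
    shares = deal(123456789, k=3, n=5)
    print(reconstruct(shares[:3]), reconstruct(shares[2:]))
    # Constructed toy case: f(x) = 7 + 2x + 5x^2 over GF(11)
    print(polynomials_per_secret([(1, 3), (2, 9)], 3, 11))          # k-1 shares
    print(polynomials_per_secret([(1, 3), (2, 9), (3, 3)], 3, 11))  # k shares
```

In the toy case, k-1 shares leave every one of the 11 candidate secrets matched by exactly one polynomial, while k shares leave only the real secret.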

A Bad Example

• Let K be a 100-bit block cipher key.
  – Share it between two parties
  – Giving to both parties 50 bits of the key
• Why is this bad?
  – The requirement ‘Smaller subgroups cannot get any information about the secret’ is violated
• Ciphertext-only attack
  – Both participants can recover the plaintext by themselves, by doing a (2^50)-time exhaustive search

(2, 2)-threshold scheme

• Let s ∈ G be a secret from group (G, +). Dealer chooses a uniformly random s1 ∈ G and lets s2 = s – s1
• The two shares are s1 and s2
• Given s1 and s2, one can successfully recover s = s1 + s2
• Given only s1, s2 is random, and vice versa
  – Pr[s = k | s2] = Pr[s1 = k - s2 | s2] = 2^(-|G|) for any k
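
The (2, 2) scheme above next to the key-splitting "bad example", as an added illustration that is not from the original slides; it generalizes the dealer to n additive shares. The group Z_256, the 8-bit toy key and all function names are assumptions made for the example.

```python
import secrets
from collections import Counter

def share_additive(s, n, modulus):
    """(n, n) additive sharing in (Z_modulus, +): n-1 uniform shares,
    the last share is chosen so that all shares sum to s."""
    shares = [secrets.randbelow(modulus) for _ in range(n - 1)]
    shares.append((s - sum(shares)) % modulus)
    return shares

def recover_additive(shares, modulus):
    """All n shares are needed: s = s1 + s2 + ... + sn."""
    return sum(shares) % modulus

def share_by_splitting(key, bits):
    """The bad example: each party is handed one half of the key bits."""
    half = bits // 2
    return key >> half, key & ((1 << half) - 1)

def candidates_left_additive(modulus, s2):
    """Secrets still possible for the holder of s2 alone:
    s = s1 + s2 for every s1 the dealer could have drawn."""
    return len({(s1 + s2) % modulus for s1 in range(modulus)})

def candidates_left_splitting(bits, high_half):
    """Secrets still possible for the holder of the high half:
    only the low half of the key remains unknown."""
    half = bits // 2
    return len({(high_half << half) | low for low in range(1 << half)})

def share_distribution(s, modulus):
    """Exact distribution of s2 over every dealer choice of s1, for a fixed s."""
    return Counter((s - s1) % modulus for s1 in range(modulus))

if __name__ == "__main__":
    m = 256  # constructed toy group Z_256, i.e. an 8-bit secret
    print(recover_additive(share_additive(200, 2, m), m))
    print(recover_additive(share_additive(200, 5, m), m))
    print(candidates_left_additive(m, 17), candidates_left_splitting(8, 0xA))
    print(share_distribution(3, m) == share_distribution(200, m))
```

The holder of one additive share still faces all 256 candidates, while the holder of one half of the split key faces only 16, the 8-bit analogue of the 2^50 search on the slide.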

(n, n)-threshold scheme

Shamir’s (k,n) Threshold Scheme

• Mathematical basis

Shamir’s (k,n) Threshold Scheme

• Dealing phase

Illustration

Shamir’s Scheme: Efficiency

Shamir’s Scheme: Flexibility

Remarks

Design Rules

• Design rules:
  – Complexity is the worst enemy of security
    • There are no secure complex systems
  – Correctness must be a local property
    • every part of the system should behave correctly regardless of how the rest of the system works
  – For a security level of n bits, every cryptographic value should be at least 2n bits long
    • Due to collision attacks
  – Reliability
    • Do not assume message reliability
      – TCP cannot prevent active attacks

Presentation

• Two presentations each class
  – Let us first see how it will be going
• Time
  – 30~35 minutes/person, including random interruption
  – Do not exceed
• How to give a good talk
  – http://www.info.ucl.ac.be/people/PVR/giving_talk.ps
• How to give a bad talk
  – http://www.eecs.berkeley.edu/~messer/Bad_talk.html