Cryptography: Proofs and Tools
Gerard Tel, Dept of Computer Science, Utrecht

Talk overview
Part 1: Proofs
• Definition and existence
• Proofs with numbers
• Numbers versus “Ad hoc”
Part 2: Tools
• Signature schemes
• Zero knowledge proofs
• Secret Sharing

Cryptography:
The art of protection using information
To have or not to have…
To know or not to know

Two examples
Encryption (DES)
• Alice sends email $y = E_k(x)$
• Bob computes $x = D_k(y)$
• Oscar knows no $k$: which $D$ function?
Identification with one-way function $H$
• A gives Bank $b = H(a)$
• Bank pays on seeing $a'$ s.t. $H(a') = b$
• O knows no $a'$

Two more examples
Signatures
• Alice signs $M$ with $x$: $S = \mathrm{Sig}(M, x)$
• Bob verifies with $y$: $\mathrm{Ver}(M, S, y)$
• Oscar cannot forge $S'$ for $M'$ s.t. $\mathrm{Ver}(M', S', y)$
Public key pairs
• Alice holds secret $x$
• Bob holds public $y$
• Relation $P(x, y)$
• Oscar cannot compute $x$ from $y$

I recognize it when I see it…
Encryption: $k$ s.t. $D_k(y)$ is text
Identification: $a'$ s.t. $H(a') = b$
Signatures: $S'$ s.t. $\mathrm{Ver}(M', S', y)$
Key pair: $x$ s.t. $P(x, y)$

… But I don’t know it

Assumption: Factoring
Primes $p$ and $q$ (e.g. 512 bits)
$n = p \cdot q$ (1024 bits)
Given $n$, one recognizes $p$ and $q$
Assumption: given $n$, computing $p$ is impossible

Assumption: Discrete Log
Compute modulo large $p$: $0, 1, \ldots, p-1$
Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \ldots, g^{\mathrm{ord}} = 1$
Fix $g$ of high order.
From $x$, power $y = g^x$ is computable
Assumption: from $y$, $x$ s.t. $y = g^x$ is not computable

Rabin’s encryption
Alice’s secret key: $p$ and $q$; public key: product $n$
Bob encrypts $x$ as $y = x^2 \bmod n$
Alice decrypts by extracting the square root: $p$ and $q$ are needed!
Oscar cannot extract roots

Square roots modulo n
A square number has 4 roots
$n = 77 = 7 \cdot 11$: $36^2 = 64$ ($1296 \bmod 77$)
36, 41, 8, 69 have square 64
Two pairs: $36 = -41$ and $8 = -69$
Combine from two pairs: $41 + 69 = 33 \pmod{77}$
$\gcd(33, 77) = 11$

Rabin: Provably Secure
If Oscar can find $x$ from $x^2 = y \bmod n$:
• Select random $z$
• Solve $x$ from $x^2 = z^2$
• Prob. 1/2: $x$ and $z$ differ: find $p$ and $q$
Contradicts Factoring Assumption
Rabin is cryptographically strong
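
The reduction on the two slides above, worked through on the slide's own toy modulus n = 77. This is an added example, not code from the talk; the function names are assumptions, and the "root oracle" is simply a function that knows p and q.

```python
from math import gcd

def sqrt_mod_prime(y, p):
    """Square roots of y modulo a small prime p, by exhaustive search."""
    return [r for r in range(p) if (r * r - y) % p == 0]

def roots_mod_n(y, p, q):
    """All square roots of y modulo n = p*q, combined with the CRT."""
    n = p * q
    roots = set()
    for rp in sqrt_mod_prime(y % p, p):
        for rq in sqrt_mod_prime(y % q, q):
            # CRT: the unique x mod n with x = rp (mod p) and x = rq (mod q)
            x = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n
            roots.add(x)
    return sorted(roots)

def factor_from_roots(x, z, n):
    """Given x^2 = z^2 (mod n): if x != +-z, gcd(x + z, n) is a proper factor."""
    if (x * x - z * z) % n != 0:
        raise ValueError("x and z are not roots of the same square")
    if x % n in (z % n, (-z) % n):
        return None  # same pair as z: nothing is learned
    return gcd(x + z, n)

def reduction(z, p, q):
    """For each root an oracle could return for z^2, the factor it reveals.
    Two of the four roots (the other pair) expose a factor: probability 1/2."""
    n = p * q
    return {x: factor_from_roots(x, z, n) for x in roots_mod_n(z * z % n, p, q)}

if __name__ == "__main__":
    print(roots_mod_n(64, 7, 11))   # the four roots from the slide
    print(reduction(36, 7, 11))     # which answers reveal 7 or 11
```

The same computation explains the next slide: a party that returns raw square roots for chosen inputs hands out the factorization half of the time.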

Chosen Ciphertext Attack
Procedure for CCA: Oscar sends Alice $y$, obtains $x$, computes
Rabin is vulnerable: Oscar sends $y = z^2$, succeeds with Pr = 1/2
Decrypted messages as sensitive as key
Weakness inherent in strength

RSA: Allegedly secure
Similar but use higher order roots.
Public key: $(n, e)$
Encryption $y = x^e$
Decryption $x = y^d$ ($d$ from $p$, $q$)
$e$-th rooting is believed but not proven to be as hard as factoring

RSA Decryption
$\varphi = (p-1)(q-1)$
All $x$: $x^{\varphi} = 1 \pmod{n}$
From $p, q, n, e$, compute $d$ s.t. $e \cdot d = k \cdot \varphi + 1$
$y^d = (x^e)^d = x^{k \varphi + 1} = 1^k \cdot x = x$
Secretly keep $d$, purge $p$, $q$.

RSA Keys are secure
Oscar finds $\varphi$ from $n$: $p + q = n - \varphi + 1$, solve $p, q$
Oscar finds $\varphi$ from $n$ and $e$: simulate generation of $e$ to do without
Oscar finds $d$ from $n$ and $e$: $n, e, d \rightarrow p, q$
Key protection is cryptographically strong

Ad hoc versus Numbers: Hash functions
Map $H : \{0,1\}^* \rightarrow \{0,1\}^k$
One-way: from $y = H(x)$, $x$ cannot be found
Collision-free: no $x_1, x_2$ can be found s.t. $H(x_1) = H(x_2)$
Such $x_1, x_2$ exist

Fair Guessing Games
Linda dates Jon if Jon guesses parity of $x$
• L chooses $x$ and gives $y = H(x)$
• J guesses even/odd
• L reveals $x$
Cheating
• $y$ doesn’t reveal $x$ to Jon: one-way
• $y$ binds Linda: collision-free

Bit manipulation: MD5
How does it work
• XOR, AND, OR words
• Combine with sin bits
• Four rounds in
Why does it work
• Why four rounds
• MD4 background
• Why this combination
• Attacks on variants
Why is it secure? We don’t know

Discrete Log Hash (Chaum)
How does it work
• Select $g$, random $h$.
• $f(x, x') = g^x \cdot h^{x'}$
Why does it work
• $\log(h)$: $a$ s.t. $g^a = h$ will never be known
• $f(x, x') = f(y, y')$
• $g^x \cdot h^{x'} = g^y \cdot h^{y'}$
• $a = (x - y)(y' - x')^{-1}$
Cryptographically strong collision free

Trapdoor Hash
Cheat in generation of $f$.
Select $h = g^a$ instead of random $h$.
Collision: $g^x \cdot h^{x'} = g^{x - a z} \cdot h^{x' + z}$
Trapped $f$ remains cryptographically strong one-way.
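
Both directions of the two hash slides above in one added example (not code from the talk): a collision reveals $a = \log_g h$, and whoever knows $a$ can produce collisions at will. The group parameters and function names are constructed for illustration; the assumption is a prime-order subgroup so that exponents can be inverted modulo q.

```python
# Constructed toy group: P = 2Q + 1 with P, Q prime; G = 4 has order Q.
P, Q, G = 2039, 1019, 4

def chaum_hash(x, x2, h):
    """f(x, x') = g^x * h^x' mod p, with exponents taken modulo q."""
    return pow(G, x % Q, P) * pow(h, x2 % Q, P) % P

def log_from_collision(x, x2, y, y2):
    """From f(x, x') = f(y, y') with x' != y':
    g^(x - y) = h^(y' - x'), hence a = (x - y) * (y' - x')^-1 mod q."""
    diff = (y2 - x2) % Q
    if diff == 0:
        raise ValueError("need x' != y' modulo q")
    return (x - y) * pow(diff, -1, Q) % Q

def trapdoor_collision(x, x2, a, z):
    """With h = g^a known, (x - a*z, x' + z) hashes to the same value."""
    return (x - a * z) % Q, (x2 + z) % Q

if __name__ == "__main__":
    a = 777                       # the value that should never be known
    h = pow(G, a, P)              # "cheating" generation of h
    x, x2 = 123, 456
    y, y2 = trapdoor_collision(x, x2, a, z=5)
    assert chaum_hash(x, x2, h) == chaum_hash(y, y2, h)
    print("collision:", (x, x2), (y, y2))
    print("log recovered from it:", log_from_collision(x, x2, y, y2))
```

For a reviewer of such a scheme the consequence is that $h$ must come from a generation procedure in which nobody learns $a$.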

Questions?

Gerard Tel, Part 2:
Cryptographic Tools: Signatures, Zero knowledge, Secret Sharing

Digital Signatures
Alice signs message $M$: $S = \mathrm{Sig}(M, x)$
Bob verifies signature $S$: $\mathrm{Ver}(M, S, y)$
Validity: $\mathrm{Ver}(M, \mathrm{Sig}(M, x), y)$
Forgery: Oscar finds $M, S$: $\mathrm{Ver}(M, S, y)$

RSA Signatures
Public/Secret key: $(n, e)$ and $(n, d)$
Functions $x \mapsto x^e$ and $y \mapsto y^d$ are inverses
Sign $M$: $S = M^d$ (compute)
Verify $S$: $S^e = M$ (check)
Forge signature under $M$: invert RSA public function

Existential Forgery
Oscar: random $S$, $M = S^e$.
$M$ takes special form
• ………01010101010101
• Hash of longer message

Blind Signatures
Alice signs one message without seeing it
• Bob has $M$, selects blinder $b$
• Bob gives Alice blinded message $M' = M \cdot b$
• Alice signs for Bob: $S' = (M')^d$
• Bob unblinds: divide by $b^d$.

Blind Signatures
Alice signs one message without seeing it
• Bob has $M$, selects blinder $b = k^e$
• Bob gives Alice blinded message $M' = M \cdot b$
• Alice signs for Bob: $S' = (M')^d$
• Bob unblinds: divide by $b^d$: $S = S' / k$
Similar: Blind decryption

Zero knowledge proofs
Identification by secret
• A gives Bank $b = H(a)$
• Bank pays on seeing $a$
If Alice shows $a$: employee, eavesdropper become as powerful.
Alice proves to know $a$ without showing

0KP of a Square Root
Alice holds $a$, Bob holds $b = a^2$
Withdrawing of money:
• Alice selects $s = r^2$ and gives Bob $s$
• Claim: I know roots of $s$ and $s \cdot b$
• This is true, namely $r$ and $r \cdot a$
• This implies knowing $a$ as quotient of roots

Verify knowing two roots
Bob sees one! Otherwise becomes too smart
Challenge $c = 0/1$
Alice must give one root:
• $r$ of $s$ ($c = 0$)
• $r \cdot a$ of $s \cdot b$ ($c = 1$)
Oscar does not know both
Fails with Pr = 1/2.

What does Bob learn?
Triple $(s, c, y)$
• $s$ is random square
• $c$ is random bit
• $y$ solves $y^2 = s \cdot b^c$
To generate such, choose
• $c$ as random bit
• $y$ as random number
• $s$ as $y^2 / b^c$

How can it convince?
Compute order $s, c, y$: needs $a$
Compute order $c, y, s$: don’t need $a$
Protocol enforces $s, c, y$
Transcript doesn’t show order.

Zero knowledge proofs
20 rounds: 1-in-million false acceptance
Similar: $e$-th root or logarithm
Also: Graph coloring
Use with blind signatures: Bob proves blinded message is legal
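
The square-root protocol of the preceding slides as an added example (not code from the talk): one honest round in the order s, c, y, and the simulator that builds an equally valid triple in the order c, y, s without the secret. The modulus 77 and the values a = 36, b = 64 are constructed toy values; function names are assumptions.

```python
import secrets
from math import gcd

N = 77  # constructed toy modulus (7 * 11)

def random_unit():
    """Random element of Z_N that is invertible modulo N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def commit(r):
    """Alice, first message: s = r^2."""
    return r * r % N

def respond(r, a, c):
    """Alice, after the challenge: r (c = 0) or r*a (c = 1)."""
    return r * pow(a, c, N) % N

def verify(b, s, c, y):
    """Bob: accept iff y^2 = s * b^c (mod N)."""
    return y * y % N == s * pow(b, c, N) % N

def honest_round(a, b):
    """Order s, c, y: answering either challenge needs the secret a."""
    r = random_unit()
    s = commit(r)
    c = secrets.randbelow(2)  # Bob's random challenge bit
    return s, c, respond(r, a, c)

def simulate(b, c=None, y=None):
    """Order c, y, s: a valid triple built without a, as s = y^2 / b^c."""
    c = secrets.randbelow(2) if c is None else c
    y = random_unit() if y is None else y
    s = y * y * pow(pow(b, c, N), -1, N) % N
    return s, c, y

def prove(a, b, rounds=20):
    """Repeat the round; a prover without a passes each with Pr = 1/2."""
    return all(verify(b, *honest_round(a, b)) for _ in range(rounds))
```

A triple prepared for one challenge bit fails for the other, which is why the verifier must pick c only after seeing s.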

Secret Sharing
Goal: share holders together know $a$
Shares handed out by dealer
Share: related to $a$
$k - 1$ shares reveal nothing
$k$ shares reveal all in reconstruction

Concepts in Sharing
Use
• Bank, company
• Nuclear heads
• Digital money
• Key escrow
How many shares
• Veto (split)
• Threshold (share)
Protection
• Perfect (poor!)
• Verifiable
Actions with secret
• Reconstruction
• Use

Additive secret split
Dealing:
• $a_1 \ldots a_{k-1}$ random
• $a_k = a - a_1 - \ldots - a_{k-1}$
• $a_k$ is no better
Reconstruction: $a = a_1 + \ldots + a_k$
Symmetric!
• Shares cannot be recognized
• Given $k - 1$ shares, every $a$ is still possible
• “Real Cryptography”: Perfect Split

Using shared exponent
Secret is exponent $a$ (e.g., for RSA)
Shares: $a = a_1 + \ldots + a_k$
To compute $y^a$:
• Shareholder $i$ submits $x_i = y^{a_i}$
• Compute $x = x_1 \cdot \ldots \cdot x_k$
Use of secret does not compromise splitting

How perfect is perfect?
Shares cannot be recognized
Shareholders may cheat
Verifiable reconstruction (hash $H$):
• Compute $a_i$ and $b_i = H(a_i)$
• Give $a_i$ to SH $i$ and make $b_i$ public
Verified reconstruction:
• SH $i$ submits $a_i$
• Check $H(a_i) = b_i$

Dealer verifiable split
Number hash $H(a) = g^a$
The dealer
• Publish $b = g^a$
• Private share $a_i$ (sum $a$)
• Public share $b_i = g^{a_i}$
• Send $a_i$ to SH $i$
Verifiable shares
$b$ binds dealer! Secret is recognizable
The shareholders
• Verify product $= b$
• Verify $g^{a_i} = b_i$
Reconstruction
• Verify submissions

Perfect Secret Shares
Theorem: through $k$ points runs exactly one curve of degree $k - 1$
Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$
$f(z) = a_0 + a_1 z + \ldots + a_{k-1} z^{k-1}$
Share $s_i$ is $f(i)$
Reconstruction from $k$ points: polynomial interpolation

Verifiable Secret Sharing
Dealer:
• Private coefficients $a_0$ through $a_{k-1}$
• Private shares $s_i = f(i)$
• Public coefficients $b_i = g^{a_i}$
• Public shares $p_i = g^{s_i}$
Shareholders
• $s_i = a_0 + a_1 i + \ldots + a_{k-1} i^{k-1}$
• Global: $p_i = b_0 \cdot b_1^{i} \cdot b_2^{i^2} \cdot \ldots \cdot b_{k-1}^{i^{k-1}}$
• Internal: $g^{s_i} = p_i$

Conclusions
Numbers as basis for cryptography
Most of cryptography is unproven
Results are often counterintuitive
“Every advantage has its disadvantage”