2010 3-24 cryptography stamatiou
Security Procedures
Y.C. Stamatiou
Department of Mathematics, University of Ioannina
and
Research and Academic Computer Technology Institute
Master Program in Web Science, Veroia, March 2010
Cryptography!
It is all about the following simple, but highly important, scenario:
Cryptanalysis
What is used in Cryptology?
Cryptography:
– Linear algebra, abstract algebra, number theory
Cryptanalysis:
– Probability, statistics, combinatorics, computing
But the foundations lie in Complexity Theory! In essence, cryptology resulted from a “collaboration” between Number Theory and Complexity Theory!
Turing machine: the mathematical model of the computer!
[Figure: a tape holding # 0 1 0 1, states q0, q1, …, qn, and the transition (q1,0) → (q2,1,·); photo of Alan Turing]
• Infinite tape divided into cells (memory)
• Each cell can hold one input/output symbol, usually a bit (0 or 1), or the blank (#)
• A head that can read/write a cell and move about on the tape
• A “decision making” mechanism (state transition)
An algorithm!
The “program” below computes the difference between two positive integers m and n (only if m > n, otherwise it “returns” 0), given in the form 0^m 1 0^n on the tape of the Turing machine (isn’t it a bit reminiscent of good old Assembly?). An entry (q, s, D) means: go to state q, write symbol s, move the head in direction D (Δ = right, Α = left); “-” means there is no transition.

| read | q0 | q1 | q2 | q3 | q4 | q5 | q6 |
|---|---|---|---|---|---|---|---|
| 0 | (q1,#,Δ) | (q1,0,Δ) | (q3,1,Α) | (q3,0,Α) | (q4,0,Α) | (q5,#,Δ) | - (stops) |
| 1 | (q5,#,Δ) | (q2,1,Δ) | (q2,1,Δ) | (q3,1,Α) | (q4,#,Α) | (q5,#,Δ) | - (stops) |
| # | - (hangs) | - | (q4,#,Α) | (q0,#,Δ) | (q6,0,Δ) | (q6,#,Δ) | - (stops) |
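As an added example (not from the slides), here is a small simulator for the seven-state machine in the table, so the transitions can be stepped through on real input; it assumes the slide's Δ/Α mean move right/left and that a missing entry means the machine hangs.

```python
# Added example, not from the slides: a small simulator for the seven-state
# machine in the table above, which computes m - n (or 0 when m <= n) from the
# input 0^m 1 0^n.  "R"/"L" stand for the slide's Δ (right) / Α (left); a
# (state, symbol) pair with no entry means the machine hangs, and q6 stops.
BLANK = "#"
HALT = "q6"

# DELTA[(state, symbol_read)] = (next_state, symbol_to_write, head_move)
DELTA = {
    ("q0", "0"): ("q1", BLANK, "R"), ("q0", "1"): ("q5", BLANK, "R"),
    ("q1", "0"): ("q1", "0", "R"),   ("q1", "1"): ("q2", "1", "R"),
    ("q2", "0"): ("q3", "1", "L"),   ("q2", "1"): ("q2", "1", "R"),
    ("q2", BLANK): ("q4", BLANK, "L"),
    ("q3", "0"): ("q3", "0", "L"),   ("q3", "1"): ("q3", "1", "L"),
    ("q3", BLANK): ("q0", BLANK, "R"),
    ("q4", "0"): ("q4", "0", "L"),   ("q4", "1"): ("q4", BLANK, "L"),
    ("q4", BLANK): ("q6", "0", "R"),
    ("q5", "0"): ("q5", BLANK, "R"), ("q5", "1"): ("q5", BLANK, "R"),
    ("q5", BLANK): ("q6", BLANK, "R"),
}


def run(tape_str, max_steps=10_000):
    """Run the machine on tape_str; return (final_state, tape_contents, steps).

    The tape is a dict indexed by cell position; cells never written hold the
    blank.  The step counter is the slide's time measure (head movements);
    the number of distinct cells touched is its space measure.
    """
    tape = dict(enumerate(tape_str))
    head, state, steps = 0, "q0", 0
    while state != HALT:
        move = DELTA.get((state, tape.get(head, BLANK)))
        if move is None:                       # undefined transition: hangs
            return state, tape_to_str(tape), steps
        state, tape[head], direction = move
        head += 1 if direction == "R" else -1
        steps += 1
        if steps >= max_steps:
            raise RuntimeError("step limit reached")
    return state, tape_to_str(tape), steps


def tape_to_str(tape):
    """Non-blank part of the tape, read left to right."""
    return "".join(tape[i] for i in sorted(tape)).strip(BLANK)


def monus(m, n):
    """Encode m, n as 0^m 1 0^n, run the machine and decode the 0s left behind."""
    state, out, _ = run("0" * m + "1" + "0" * n)
    if state != HALT:
        raise RuntimeError(f"machine hung in state {state}")
    return out.count("0")


if __name__ == "__main__":
    print(monus(5, 2), monus(2, 5))   # 3 0
```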
Computation resources
Time (number of movements of the read/write head)
Memory (number of tape cells/memory locations used)
Time/space complexity functions t(n), s(n), where n is the size of the input:
It is important not to have combinatorial explosion for these functions, so as to avoid exponential increase in time/space requirements as the input size increases.
The complexity functions that avoid the combinatorial explosion are called polynomial.
An important note! The size of, e.g., an array or a list of numbers is roughly equal to the number of elements! The size of an integer n is not n, but log n (the base is immaterial)!
Observe how the functions that are bounded from above by a polynomial have a “reasonable” rate of increase!
Two important time complexity classes of problems
P: Problems for which there exists a polynomial time deterministic Turing machine (algorithm) that solves them
NP: Problems for which no polynomial time deterministic Turing machine has been discovered, yet, that solves them, but for which a polynomial time non-deterministic Turing machine exists!
Integers!
“God made the integers; all else is the work of man.”
Leopold Kronecker (1823 – 1891)
Primes: the building blocks of integers!
Prime numbers are integers greater than 1 whose only divisors are 1 and themselves, i.e., they cannot be written as a product of other integers.
e.g. 2, 3, 5, 7 are prime but 4, 6, 8, 9, 10 are not.
Prime numbers are central to number theory. The list of prime numbers less than 200 is:
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199
The set of primes is infinite (Euclid).
(Figure from the Wolfram Demonstrations Project)
Prime Factorisation
To factor an integer n is to write it as a product of other numbers greater than 1.
The prime factorisation of an integer n is its decomposition into a product of primes – e.g. 91 = 7 × 13, 3600 = 2^4 × 3^2 × 5^2.
Important! Factoring an integer is hard compared to the ease of multiplying the factors together to generate the integer!
Relatively Prime Numbers & GCD
Two integers a and b are relatively prime if they have no common divisors (other than 1) – e.g. 8 & 15 are relatively prime since the factors of 8 are 2, 4, 8 and of 15 are 3, 5, 15 – no common factor exists.
Conversely, we can determine the Greatest Common Divisor (GCD) by comparing their prime factorizations and using the least powers – e.g. 300 = 2^2 × 3^1 × 5^2, 18 = 2^1 × 3^2, hence gcd(18, 300) = 2^1 × 3^1 × 5^0 = 6.
Of course, GCDs are computed much faster with Euclid’s algorithm!
Fermat's Little Theorem (FLT)
The following holds: a^(p-1) ≡ 1 (mod p), where p is prime and gcd(a, p) = 1 (i.e. a, p are coprime).
Also: a^p ≡ a (mod p).
A useful result in public key cryptography and primality testing.
Euler Totient Function φ(n)
When doing arithmetic (addition/multiplication) modulo n, the complete set of residues is 0..n-1 (i.e. the set of remainders when an integer is divided by n).
The reduced set of residues is those numbers (residues) which are relatively prime to n – e.g. for n = 10:
– The complete set of residues is {0,1,2,3,4,5,6,7,8,9}.
– The reduced set of residues is {1,3,7,9}.
The number of elements in the reduced set of residues is called the Euler Totient Function φ(n).
Euler Totient Function φ(n)
To compute φ(n) we need to count the number of residues to be excluded.
In general this needs the prime factorization, but:
– for p prime, φ(p) = p-1
– for p, q primes, φ(pq) = (p-1) × (q-1)
e.g. φ(37) = 36, φ(21) = (3–1) × (7–1) = 2 × 6 = 12
Euler's Theorem
A generalisation of Fermat's Theorem: a^φ(n) ≡ 1 (mod n)
– for any a, n where gcd(a, n) = 1, e.g.
a = 3; n = 10; φ(10) = 4, hence 3^4 = 81 ≡ 1 mod 10
a = 2; n = 11; φ(11) = 10, hence 2^10 = 1024 ≡ 1 mod 11
Primality Testing
We often need to find large prime numbers.
Traditionally: sieve using trial division
– i.e. divide by all numbers (primes) in turn less than the square root of the number
– only works for small numbers
Alternatively, we can use statistical primality tests based on properties of primes
– which all prime numbers satisfy
– but some composite numbers, called pseudo-primes, also satisfy the property
Or we can use a slower deterministic primality test.
The Miller-Rabin Test
A primality test based on Fermat’s Theorem (observe, however, that this theorem is not an “if and only if” theorem!):
We have the Miller-Rabin primality test. This is a probabilistic, polynomial time algorithm.
The AKS primality test: a deterministic, polynomial time algorithm.
Algorithm: Miller-Rabin probabilistic primality test
MILLER-RABIN(n, t)
INPUT: an odd integer n ≥ 3 and security parameter t ≥ 1.
OUTPUT: an answer “prime” or “composite”.
1. Write n – 1 = 2^s r such that r is odd.
2. For i from 1 to t do the following:
   2.1 Choose a random integer a, 2 ≤ a ≤ n – 2.
   2.2 Compute y = a^r mod n.
   2.3 If y ≠ 1 and y ≠ n – 1 then do the following:
       j ← 1.
       While j ≤ s – 1 and y ≠ n – 1 do the following:
           Compute y ← y^2 mod n.
           If y = 1 then return (“composite”).
           j ← j + 1.
       If y ≠ n – 1 then return (“composite”).
3. Return (“prime”).
Probabilistic Considerations
If Miller-Rabin returns “composite” the number is definitely not prime; otherwise it is a prime or a pseudo-prime.
The chance that one round is fooled by a pseudo-prime is < 1/4, hence if we repeat the test with different random a then the chance n is prime after t tests is:
– Pr(n prime after t tests) = 1 – (1/4)^t
– This converges exponentially fast to 1
– e.g. for t = 10 this probability is > 0.99999
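As an added example (not from the slides), the MILLER-RABIN(n, t) algorithm of the previous slide in Python, with one round of step 2 factored out as a `strong_witness` check, the (1/4)^t bound from this slide, and a plain Fermat test that shows the pseudo-prime caveat: 561 = 3 · 11 · 17 is a Carmichael number, so it passes the Fermat test for every coprime base, yet Miller-Rabin catches it.

```python
# Added example, not from the slides: MILLER-RABIN(n, t) as written above, with
# one round of step 2 factored out as strong_witness(), the (1/4)^t error bound
# from the probabilistic considerations, and a plain Fermat test that shows why
# "Fermat's theorem is not an if-and-only-if": 561 = 3 * 11 * 17 passes the
# Fermat test for every base coprime to it, but Miller-Rabin still catches it.
import random


def decompose(n):
    """Step 1: write n - 1 = 2^s * r with r odd; return (s, r)."""
    s, r = 0, n - 1
    while r % 2 == 0:
        s, r = s + 1, r // 2
    return s, r


def strong_witness(n, a):
    """Steps 2.2-2.3 for one base a: True if a proves that n is composite."""
    s, r = decompose(n)
    y = pow(a, r, n)                      # y = a^r mod n
    if y == 1 or y == n - 1:
        return False
    for _ in range(s - 1):                # j = 1 .. s-1, while y != n-1
        y = pow(y, 2, n)
        if y == 1:                        # non-trivial square root of 1
            return True
        if y == n - 1:
            return False
    return True                           # y never reached n - 1


def miller_rabin(n, t, rng=random):
    """Return "composite" or "prime" (i.e. probably prime) for odd n >= 3."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer >= 3")
    if n == 3:
        return "prime"                    # no base a with 2 <= a <= n-2 exists
    for _ in range(t):
        a = rng.randint(2, n - 2)         # step 2.1
        if strong_witness(n, a):
            return "composite"
    return "prime"                        # step 3


def fermat_test(n, bases):
    """Plain Fermat test: a^(n-1) = 1 (mod n) for every given base a."""
    return all(pow(a, n - 1, n) == 1 for a in bases)


def error_bound(t):
    """(1/4)^t: upper bound on the chance that t rounds all miss a composite."""
    return 0.25 ** t


if __name__ == "__main__":
    print(miller_rabin(561, 10), fermat_test(561, [2, 5, 7, 10]))
```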
Prime Number Distribution
The prime number theorem states that primes occur roughly every ln(n) integers, thus prime numbers abound!
However, even numbers can be ignored immediately.
Thus, in practice one needs only to test 0.5 ln(n) numbers of size n to locate a prime
– note this is only the “average”
– sometimes primes are close together and other times are quite far apart
Chinese Remainder Theorem
Used to speed up modulo computations if working modulo a product of numbers
– e.g. mod M = m_1 m_2 … m_k
The Chinese Remainder Theorem lets us work in each modulus m_i separately.
Since computational cost is proportional to size, this is faster than working in the full modulus M.
Chinese Remainder Theorem
We can implement the CRT in several ways to compute A (mod M):
– first compute all a_i = A mod m_i separately
– determine the constants c_i, where M_i = M/m_i
– then combine the results to get the answer using:
Primitive Roots
From Euler’s theorem we have a^φ(n) mod n = 1. Consider a^m ≡ 1 (mod n), gcd(a, n) = 1
– such an m must exist for m = φ(n) but may be smaller
– once the powers reach m, the cycle will repeat
If the smallest such m is m = φ(n) then a is called a primitive root.
If p is prime, then the successive powers of a “generate” the group mod p.
These are useful but relatively hard to find.
Discrete Logarithms
The inverse problem to exponentiation is to find the discrete logarithm of a number modulo p, that is to find x such that y = g^x (mod p); this is written as x = log_g y (mod p).
If g is a primitive root then it always exists, otherwise it may not, e.g.
x = log_3 4 mod 13 does not exist
x = log_2 3 mod 13 = 4 (e.g. by trying successive powers)
Whilst exponentiation is relatively easy, finding discrete logarithms is generally a computationally hard problem, much like the factoring problem.
One-Way Functions: Number Theory meets Complexity Theory!
A function f: D → R is called one-way if:
– Computing f(x) is “easy” (i.e. polynomial fast).
– Computing f^{-1}(y) for almost all the images is “hard”.
e.g. (under the Discrete Logarithm assumption)
– Prime p and a generator g of Z_p^*.
– f(x) = g^x (mod p).
Public key cryptography
Public key cryptography
Factoring related:
– RSA, Rabin
Discrete-log related:
– Diffie-Hellman (El Gamal)
– Elliptic curves
Modern: lattice based
– Ajtai-Dwork: the only one for which a worst-case hardness reduction is known
– Goldreich-Goldwasser-Halevi
RSA
Invented by Rivest, Shamir and Adleman in 1978. Based on the difficulty of factoring. Used to “hide” the size of the group Z_n^*, since:
|Z_n^*| = φ(n) = n ∏_{p | n} (1 − 1/p)
Factoring has not been reduced to RSA
– an algorithm that generates m from c does not give an efficient algorithm for factoring
On the other hand, factoring has been reduced to finding the private key
– there is an efficient algorithm for factoring given one that can find the private key.
RSA Public-key Cryptosystem
What we need: p and q, primes of approximately the same size
n = pq, φ(n) = (p-1)(q-1)
e ∈ Z_φ(n)^*
d = e^{-1} mod φ(n)
Public Key: (e, n)
Private Key: d
Encode: m ∈ Z_n
E(m) = m^e mod n
Decode: D(c) = c^d mod n
RSA continued
Why it works: D(c) = c^d mod n = c^d mod pq
= m^{ed} mod pq = m^{1 + k(p-1)(q-1)} mod pq
= m · (m^{p-1})^{k(q-1)} mod pq = m · (m^{q-1})^{k(p-1)} mod pq
Chinese Remainder Theorem: If p and q are relatively prime, and a = b mod p and a = b mod q, then a = b mod pq.
m · (m^{p-1})^{k(q-1)} = m mod p
m · (m^{q-1})^{k(p-1)} = m mod q
D(c) = m mod pq
RSA computations
To generate the keys, we need to
– Find two primes p and q. Generate candidates and use primality testing to filter them.
– Find e^{-1} mod (p-1)(q-1). Use Euclid’s algorithm. Takes time log^2(n).
To encode and decode
– Take m^e or c^d. Use the power method. Takes time log(e) log^2(n) and log(d) log^2(n).
In practice e is selected to be small so that encoding is fast.
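As an added example (not from the slides), a toy RSA key pair built exactly as the three RSA slides describe, together with the CRT recombination step the Chinese Remainder Theorem slides leave as a formula: decryption is done once with the plain power method and once mod p and mod q separately. The primes 61 and 53 and the message 65 are constructed test values.

```python
# Added example, not from the slides: a toy RSA key pair built exactly as the
# slides describe (n = pq, phi = (p-1)(q-1), d = e^-1 mod phi via Euclid's
# algorithm), encryption/decryption by the power method, and a CRT decryption
# that works mod p and mod q separately and recombines with the constants
# c_i = M_i * (M_i^-1 mod m_i), M_i = M / m_i.  The primes are small
# constructed values (61, 53 in the test); real keys use primes of 1024+ bits.


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """a^-1 mod m, or ValueError when gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m


def keygen(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and a public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (modinv(e, phi), n)   # modinv fails unless gcd(e, phi) = 1


def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)                   # E(m) = m^e mod n


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                   # D(c) = c^d mod n


def crt_combine(residues, moduli):
    """CRT: the unique A mod M = m_1*...*m_k with A = a_i (mod m_i) for all i."""
    M = 1
    for m in moduli:
        M *= m
    A = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        c_i = M_i * modinv(M_i, m_i)      # c_i = 1 (mod m_i), 0 (mod m_j), j != i
        A += a_i * c_i
    return A % M


def decrypt_crt(priv, p, q, c):
    """Decrypt mod p and mod q separately (smaller numbers, fewer bit operations)
    and recombine; the exponents shrink to d mod (p-1), d mod (q-1) by Fermat."""
    d, _ = priv
    a_p = pow(c % p, d % (p - 1), p)
    a_q = pow(c % q, d % (q - 1), q)
    return crt_combine([a_p, a_q], [p, q])


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c), decrypt_crt(priv, 61, 53, c))
```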
Security of RSA
Warning:
– Do not use this or any other algorithm naively!
Possible security holes:
– Need to use “safe” primes p and q. In particular p-1 and q-1 should have large prime factors.
– p and q should not have the same number of digits. Can use a middle attack starting at sqrt(n).
– e cannot be too small
– Don’t use the same n for different e’s.
– You should always “pad”
Algorithm to factor given d and e
If an attacker has an algorithm that generates d from e, then he/she can factor n in PPT. Variant of the Rabin-Miller primality test.
Function TryFactor(e, d, n)
– write ed – 1 as 2^s r, r odd
– choose w at random < n
– v = w^r mod n
– if v = 1 then return(fail)
– while v ≠ 1 mod n
    – v0 = v
    – v = v^2 mod n
– if v0 = n - 1 then return(fail)
– return(pass, gcd(v0 + 1, n))
Las Vegas algorithm. Probability of pass is > .5. Will return p or q if it passes. Try until you pass.
w^{2^s r} = w^{ed-1} = w^{kφ} = 1 mod n
v0^2 = 1 mod n
(v0 – 1)(v0 + 1) = k’n
RSA in the “Real World”
Part of many standards: PKCS, ITU X.509, ANSI X9.31, IEEE P1363
Used by: SSL, PEM, PGP, Entrust, …
The standards specify many details of the implementation, e.g.
– e should be selected to be small, but not too small
– “multi prime” versions make use of n = pqr…; this makes it cheaper to decode, especially in parallel (uses the Chinese remainder theorem).
Factoring in the Real World
Quadratic Sieve (QS):
– Used in 1994 to factor a 129 digit (428-bit) number. 1600 machines, 8 months.
– T(n) = e^{(1 + o(1)) (ln n)^{1/2} (ln ln n)^{1/2}}
Number Field Sieve (NFS):
– Used in 1999 to factor a 155 digit (512-bit) number. 35 CPU years. At least 4x faster than QS.
– T(n) = e^{(1.923 + o(1)) (ln n)^{1/3} (ln ln n)^{2/3}}
The RSA Challenge numbers
ElGamal
Based on the difficulty of the discrete log problem. Invented in 1985.
Digital signature and key-exchange variants
– DSA based on ElGamal
– AES standard
– Incorporated in SSL (as is RSA)
– Public Key used by TRW (avoided RSA patent)
Works over various groups
– Z_p
– Multiplicative group GF(p^n)
– Elliptic Curves
ElGamal Public-key Cryptosystem
(G, *) is a group, α a generator for G, a ∈ Z_|G|, β = α^a
G is selected so that it is hard to solve the discrete log problem.
Public Key: (α, β) and some description of G
Private Key: a
Encode: Pick random k ∈ Z_|G|
E(m) = (y1, y2) = (α^k, m * β^k)
Decode: D(y) = y2 * (y1^a)^{-1}
= (m * β^k) * (α^{ka})^{-1}
= m * β^k * (β^k)^{-1}
= m
You need to know a to easily decode y!
ElGamal: Example
G = Z_11^*
α = 2, a = 8, β = 2^8 (mod 11) = 3
Public Key: (2, 3), Z_11^*
Private Key: a = 8
Encode: 7
Pick random k = 4
E(m) = (2^4, 7 * 3^4) = (5, 6)
Decode: (5, 6)
D(y) = 6 * (5^8)^{-1} = 6 * 4^{-1} = 6 * 3 (mod 11) = 7
Probabilistic Encryption
For RSA one message goes to one cipher word. This means we might gain information by running E_public(M).
Probabilistic encryption maps every M to many C randomly. Cryptanalysts can’t tell whether C = E_public(M).
ElGamal is an example (based on the random k), but it doubles the size of the message.
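As an added example (not from the slides), ElGamal over Z_p^* with the numbers of the example slide (p = 11, α = 2, a = 8, k = 4), a primitive-root check for α, a brute-force discrete logarithm that reproduces the log_2 3 and log_3 4 (mod 13) cases from the discrete logarithm slide, and the probabilistic-encryption point of this slide: the same m under two different k's gives two different ciphertexts that both decrypt to m.

```python
# Added example, not from the slides: ElGamal over Z_p^* with the slide's
# numbers (p = 11, alpha = 2, a = 8, k = 4), a check that alpha is a primitive
# root (its powers generate the whole group), a brute-force discrete logarithm
# for the log_2 3 and log_3 4 (mod 13) cases, and the probabilistic-encryption
# point: the same m under two different k's gives two different ciphertexts.
import random


def is_generator(alpha, p):
    """alpha is a primitive root mod p iff its powers hit all p-1 group elements."""
    return len({pow(alpha, i, p) for i in range(1, p)}) == p - 1


def discrete_log(g, y, p):
    """Brute force x with g^x = y (mod p); None if y is not a power of g.
    Feasible only for toy p: for real sizes this is the hard problem."""
    for x in range(1, p):
        if pow(g, x, p) == y:
            return x
    return None


def keygen(p, alpha, a):
    """Public key (p, alpha, beta = alpha^a), private key a."""
    if not is_generator(alpha, p):
        raise ValueError("alpha must generate Z_p^*")
    return (p, alpha, pow(alpha, a, p)), a


def encrypt(pub, m, k):
    """E(m) = (alpha^k, m * beta^k) for the ephemeral k."""
    p, alpha, beta = pub
    return pow(alpha, k, p), (m * pow(beta, k, p)) % p


def decrypt(pub, a, y):
    """D(y) = y2 * (y1^a)^-1: y1^a = alpha^(ka) = beta^k, so this strips beta^k."""
    p, _, _ = pub
    y1, y2 = y
    return (y2 * pow(pow(y1, a, p), -1, p)) % p


def encrypt_random(pub, m, rng=random):
    """The real scheme: k is drawn fresh for every encryption."""
    return encrypt(pub, m, rng.randint(1, pub[0] - 2))


if __name__ == "__main__":
    pub, a = keygen(11, 2, 8)
    print(pub, encrypt(pub, 7, 4), decrypt(pub, a, encrypt(pub, 7, 4)))
    print(encrypt_random(pub, 7), encrypt_random(pub, 7))   # differ, both decrypt to 7
```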
Digital Signatures
We focus on electronic signatures that use public-key cryptography. E.g. (based on RSA):
– A key generation algorithm: same as in RSA encryption.
– A signing algorithm: same as decryption of M ∈ Z_N^* by C = D(M) = M^d mod N.
– A verification algorithm: same as encryption of C ∈ Z_N^* by M = E(C) = C^e mod N. Can be calculated and verified by anyone.
Concept of Blind Signatures …
Secret Sharing
Based on the following problem: assuming that there are N players, how can a dealer share a secret in a way that any group of t (< N) or more players could recreate the secret, but any group of fewer than t players will not be able to do so?
Such schemes are called (t, N)-threshold secret sharing schemes.
Shamir Secret Sharing Scheme
The dealer selects t-1 random integers, which (together with S) form the coefficients of a degree t-1 polynomial f(x) such that f(0) = S.
The dealer calculates f(i) for each player i. Those are their private shares.
Any group of t or more players can recreate the polynomial and S (using Lagrange interpolation).
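As an added example (not from the slides), Shamir's scheme over a prime field with the Lagrange interpolation written out: the dealer's polynomial, the shares f(i), and recovery of f(0) from any t shares. The field prime and the secret are constructed values.

```python
# Added example, not from the slides: Shamir's (t, N) threshold scheme over the
# prime field Z_P.  The dealer draws t-1 random coefficients, the constant term
# is the secret S, player i receives f(i), and any t shares recover S = f(0) by
# Lagrange interpolation.  P is a constructed toy prime (2^31 - 1); a real
# deployment picks P larger than any secret and than the number of players.
import random

P = 2_147_483_647


def make_shares(secret, t, n, rng=random):
    """Dealer: polynomial of degree t-1 with f(0) = secret; shares (i, f(i))."""
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(i, f(i)) for i in range(1, n + 1)]


def recover(shares):
    """Lagrange interpolation at x = 0 from shares [(x_j, y_j), ...].

    f(0) = sum_j y_j * prod_{k != j} (0 - x_k) / (x_j - x_k)   (mod P)
    With fewer than t shares this yields some other polynomial's value at 0,
    which carries no information about S.
    """
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for k, (xk, _) in enumerate(shares):
            if k != j:
                num = (num * (-xk)) % P
                den = (den * (xj - xk)) % P
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    shares = make_shares(12345, 3, 5)       # (3, 5)-threshold
    print(recover(shares[:3]), recover(shares[2:]), recover(shares[:2]))
```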
Threshold Encryption
In threshold encryption we have N authorities, and we want to encrypt a message in a way that any t or more authorities could decrypt it. Again, any group of fewer than t authorities will not be able to do so.
No trusted dealer. Solutions are similar to Shamir’s scheme [CGS, Pedersen].
Zero-knowledge Proofs
Interactive protocols between two players, Prover and Verifier, in which the prover proves to the verifier, with high probability, that some statement is true.
Does not leak any information besides the veracity of this statement.
In the case of honest-verifier ZKP, we can modify the protocol to be non-interactive.
Zero-knowledge Proof Example
Let g1, g2 be generators of Z_q^*. The Prover claims that log_{g1} v = log_{g2} w (= x) for publicly known v, w, g1, g2.
– P chooses random z ∈ [1..q] and sends a = g1^z, b = g2^z.
– V selects random c ∈ [1..q] and sends it.
– P sends r = (z + cx)
– V verifies that g1^r = a v^c and g2^r = b w^c
Can be turned into non-interactive:
– c = Hash(a, b, v, w)
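As an added example (not from the slides), the proof above with the prover's and verifier's moves as separate functions, first interactively and then in the non-interactive form with c = Hash(a, b, v, w). The parameters (p = 23, g1 = 5, g2 = 7, x = 6) are constructed; exponents are reduced mod p − 1.

```python
# Added example, not from the slides: the equality-of-discrete-logs proof above
# (log_g1 v = log_g2 w = x), first interactively with the prover and verifier as
# separate functions, then non-interactively with c = Hash(a, b, v, w).  The
# parameters are constructed: p = 23, generators g1 = 5 and g2 = 7, secret x = 6.
# Exponents are reduced mod p - 1 (the order of Z_p^*), which leaves the
# verification equations unchanged since g^(p-1) = 1.
import hashlib
import random

P = 23
ORDER = P - 1


def commit(g1, g2, z):
    """Prover's first move: a = g1^z, b = g2^z."""
    return pow(g1, z, P), pow(g2, z, P)


def respond(z, c, x):
    """Prover's answer to challenge c: r = z + c*x."""
    return (z + c * x) % ORDER


def verify(g1, g2, v, w, a, b, c, r):
    """Verifier checks g1^r = a*v^c and g2^r = b*w^c."""
    return (pow(g1, r, P) == (a * pow(v, c, P)) % P
            and pow(g2, r, P) == (b * pow(w, c, P)) % P)


def interactive_proof(g1, g2, x, rng=random):
    """Run the three-move protocol for a prover who really knows x."""
    v, w = pow(g1, x, P), pow(g2, x, P)
    z = rng.randint(1, ORDER - 1)          # prover's random z
    a, b = commit(g1, g2, z)
    c = rng.randint(1, ORDER - 1)          # verifier's random challenge
    return verify(g1, g2, v, w, a, b, c, respond(z, c, x))


def fiat_shamir_challenge(a, b, v, w):
    """Non-interactive variant: the challenge is a hash of the transcript so far."""
    digest = hashlib.sha256(f"{a},{b},{v},{w}".encode()).digest()
    return int.from_bytes(digest, "big") % ORDER


def ni_prove(g1, g2, x, v, w, rng=random):
    """Prover computes the challenge itself; the proof is (a, b, r)."""
    z = rng.randint(1, ORDER - 1)
    a, b = commit(g1, g2, z)
    return a, b, respond(z, fiat_shamir_challenge(a, b, v, w), x)


def ni_verify(g1, g2, v, w, proof):
    """Anyone can verify by recomputing the same hash challenge."""
    a, b, r = proof
    return verify(g1, g2, v, w, a, b, fiat_shamir_challenge(a, b, v, w), r)


if __name__ == "__main__":
    v, w = pow(5, 6, P), pow(7, 6, P)
    print(interactive_proof(5, 7, 6), ni_verify(5, 7, v, w, ni_prove(5, 7, 6, v, w)))
```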
The Woo-Lam Authentication Protocol
Alice tries to prove her identity to Bob, but she does not share a key with Bob, only with Trent.
The protocol goes as follows:
1. A → B: ID_A
2. B → A: N_B
3. A → B: E_{K_AT}(N_B)
4. B → T: E_{K_BT}(ID_A, E_{K_AT}(N_B))
5. T → B: E_{K_BT}(N_B)
In Step 1 Alice declares her identity. In Step 2 Bob provides a nonce challenge. In Step 3 Alice returns the challenge encrypted with K_AT. In Step 4 Bob passes this encrypted information to Trent for translation. In Step 5 Trent translates the nonce and returns it to Bob – then Bob verifies the nonce.
A weakness …
There is a protocol failure in Woo-Lam that comes from the fact that the connection between Bob-to-Trent’s message and Trent-to-Bob’s message is not strong enough.
The only “connection” comes from the fact that message 4 and message 5 happen shortly one after another.
This weak association can be used in an attack where Eve impersonates Alice:
1. Eve tries to authenticate herself to Bob (or Bob’s computer) at about the same time as Alice.
2. Trent will respond to each at roughly the same time.
3. Eve intercepts both responses, and swaps them.
Let us see how in a step-by-step description.
Details of the impersonation attack
[Diagram: the two interleaved protocol runs with Bob and Trent (Eve as herself and Eve as Alice), as described step by step below.]
Step 1: Eve, acting as both herself and Alice, attempts to authenticate herself to Bob as both herself and Alice.
Step 2: Bob, as he should, replies with two nonce challenges. Eve gets her nonce but, at the same time, intercepts the nonce directed to Alice.
Step 3: Eve answers both challenges. Eve, naturally, can only send a wrong reply on behalf of Alice. She can, however, swap her response with Alice’s before contacting Bob.
Step 4: Bob receives both responses and contacts Trent for translation.
Step 5: Trent responds. One response consists, as expected, of garbage. The other response, for Alice, is of course correct. Bob gets, correctly, back the challenge he issued for Alice and then authenticates Eve as Alice!
A way round this problem
The problem was (again) that the last message was not tied to the identity of who it corresponded to. One simple fix is to make message 5 include Alice’s identity:
Before: 5. T → B: E_{K_BT}(N_B)
Fix: 5. T → B: E_{K_BT}(ID_A, N_B)
So, Trent tells Bob who the response corresponds to. Then, Bob will be able to tell that message 5’ does not correspond to Eve’s nonce!
One problem is that Trent does not know what host Alice is trying to log onto. Eve might get Alice to log onto Eve’s computer. Then Eve can start a logon in Alice’s name to Bob’s machine. Eve then gets Alice to answer Bob’s challenges to Eve…
[Diagram: the original protocol (“Before”) and the fixed protocol (“Fix”) shown side by side.]
The Needham-Schroeder Key Exchange Protocol
1. A → T: ID_A, ID_B, N_A
2. T → A: E_{K_AT}(N_A, ID_B, K_AB, E_{K_BT}(ID_A, K_AB))
3. A → B: E_{K_BT}(ID_A, K_AB)
4. B → A: E_{K_AB}(N_B)
5. A → B: E_{K_AB}(N_B − 1)
Step 1: Alice tells Trent what she is requesting.
Step 2: Trent gives Alice the session key and gives Alice a package to deliver to Bob.
Step 3: Bob can get the session key, and the identity of who he is talking with (verified because it came from Trent).
Step 4: Bob sends Alice a challenge.
Step 5: Alice answers the challenge.
An attack on Needham-Schroeder
In 1981, Denning and Sacco showed that if the session key is compromised, then Eve can make Bob think that he is communicating with Alice.
Assume the NS protocol took place, and that Eve has recorded the first 3 steps. Also, assume that Eve has obtained the session key.
The following steps subvert NS:
1. E (as A) → B: E_{K_BT}(ID_A, K_AB)   (replay of message 3)
2. B → A: E_{K_AB}(N_B')   (a new nonce; intercepted by Eve)
3. E (as A) → B: E_{K_AB}(N_B' − 1)
Step 1: Eve replays step 3 from NS as if she were Alice.
Step 2: Bob gets this message and issues a challenge to Alice in the form of a new nonce. This challenge is intercepted by Eve.
Step 3: Since Eve knows the session key, she can respond correctly to the challenge.
The basic problem: messages can be replayed once the session key is compromised!
The morale?
[Diagram: the Woo-Lam protocol and its fix, the Needham-Schroeder protocol and the Denning-Sacco replay attack, shown side by side.]
We will look into how theory and practice meet using two working systems:
e-Lotteries! e-Voting!
A protocol for the support of large-scale national lotteries
A real nationwide electronic lottery
– Frequent drawings per day
– Strict drawing times
– Large number of expected players
– Preclusion of any participation in the number generation and winner identification processes.
Special System Characteristics
– Cryptographic robustness
– Protection against various (premature & future) manipulations
– Extensive real-time auditing facilities
– Performance (time constraint) requirements
– Incorporation of security mechanisms
– High-availability system
An overview of the system
[Diagram: Agencies connect over telephone lines to the Lottery Organization Computer (coupon file & audit information); the generators Gen1 and Gen2 and the Verifier are connected in a high-availability configuration and each sends audit information; a data-to-optical-signal converter and optical fibre carry the result to the TV station.]
Operational Requirements
– Uniformly distributed numbers
– Unpredictable results
– Prevention of internal/external interference with the drawing mechanism & with the choice of winners
– Constant monitoring towards early detection of interference attempts
Security & Safety Requirements
Confidentiality
– No leaks of information
– Encryption methods
– Secure random number sources
Integrity
– Authentication request for any step
– Use of Hash and MAC functions
State Stamping
– Detection of any past or future modification (e.g. coupon file)
– Mainly through cryptographic tools (e.g. Hash functions)
Security & Safety Requirements
Availability
– Service all the authorized requests
– Component and data path replication
Accountability
– Detection of any unauthorized access to or modification of the system
– Authentication schemes are necessary
– Use of mechanisms for signing and commitment
Design considerations
– Randomness sources
– Seed commitment & number reproduction
– State stamping
– Seed processing
– Signing & authenticating
Design Considerations: Randomness Sources
Approach: common pseudorandom number generators (e.g. as given by Java)
– Disadvantages: the algorithm is susceptible to clever attacks
– Advantages: uniformly distributed numbers
Approach: cryptographically secure PRNG
– Disadvantages: in principle the output could be guessed, given the initial state (guessing is intractable, however); based on deterministic algorithms
– Advantages: handles the disadvantage above
Approach: truly random number generators
– Disadvantages: physical processes often obey specific distribution laws; they depend on environmental parameters (e.g. temperature); their output is hard to reproduce
– Advantages: non-deterministic method, truly random output
Design Considerations: Seed Commitment & Reproduction of Received Numbers
Elimination of any modification of the seeds, from the time they are produced until the time they are used.
A bit-commitment protocol certifies the integrity and accountability of the connection between the Generator and the Verifier.
The Verifier reproduces the numbers with additional information from the Generator, for a final check.
Design Considerations: State Stamping
Prevention of post-betting
Elimination of any coupon file modification
Fingerprint (hash value) of the coupon file:
– Check whether the hash value is the same before and after the draw.
– If the check fails, the protocol is terminated immediately and the modification is reported with the highest priority.
– Hash function used: rmd160
Design Considerations: Seed Processing
(Data-flow diagram: Input(1) = Seed1, produced from the physical generator; Input(2) = hash value of the coupon file; the Naor-Reingold pseudorandom function produces the final Seed2.)
The NR function is initially seeded with a strong random key.
Seed2 does not depend on the (online drawn) physical bits.
Seed Processing: the Naor-Reingold function
The NR function key is a tuple <P, Q, g, a>, where P is a large prime (1000 bits), Q is a large prime divisor of P-1 (200 bits), g is an element of order Q in Z_P^*, and a = <a0, a1, ..., an> is a uniformly distributed sequence of n+1 elements of Z_Q.
For every n-bit input x = x1...xn, the NR function is:
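The transcript drops the slide's formula; the standard Naor-Reingold definition is f_a(x) = g^(a0 · ∏_{i : x_i = 1} a_i) mod P. The following is an added example, not code from the lecture or the lottery system, that implements that function with toy parameters (P = 23, Q = 11, g = 2, where the slides use ~1000-bit P and ~200-bit Q) and shows one way to read the seed-processing slide: the NR input is taken from the hash of the coupon file, and Seed1 (the physical bits) is only XORed in at the end, which is consistent with "Seed2 does not depend on the physical bits". The chunking of the digest and the use of SHA-256 are assumptions.

```python
import hashlib
import secrets

# Toy public parameters, constructed for illustration only: Q = 11 divides
# P-1 = 22, and g = 2 has order 11 in Z_23^*.
P, Q, G = 23, 11, 2


def check_params(p: int, q: int, g: int) -> bool:
    """Sanity checks on <P, Q, g>: Q divides P-1 and g has order exactly Q."""
    if p <= 2 or q <= 1 or (p - 1) % q != 0:
        return False
    return 1 < g < p and pow(g, q, p) == 1


def nr_keygen(n: int, q: int = Q) -> list:
    """Secret part of the key: a = <a0, a1, ..., an>, n+1 uniform elements of Z_Q^*."""
    return [secrets.randbelow(q - 1) + 1 for _ in range(n + 1)]


def nr_prf(a: list, x_bits: str, p: int = P, q: int = Q, g: int = G) -> int:
    """Naor-Reingold PRF: f_a(x) = g ** (a0 * prod_{i : x_i = 1} a_i) mod P."""
    n = len(a) - 1
    if len(x_bits) != n or set(x_bits) - {"0", "1"}:
        raise ValueError("input must be a string of exactly %d bits" % n)
    exponent = a[0]
    for bit, a_i in zip(x_bits, a[1:]):
        if bit == "1":
            exponent = (exponent * a_i) % q  # exponents live in Z_Q since g has order Q
    return pow(g, exponent, p)


def derive_seed2(a: list, coupon_file: bytes) -> bytes:
    """Seed2: feed each n-bit chunk of the coupon-file hash to the NR function.

    Assumed reading of the slide: the physical bits are not an NR input, so
    Seed2 depends only on the coupon file and the secret key a.
    """
    n = len(a) - 1
    digest = hashlib.sha256(coupon_file).digest()
    digest_bits = "".join(format(byte, "08b") for byte in digest)
    out = bytearray()
    for i in range(0, len(digest_bits) - n + 1, n):
        # Toy P < 256, so one byte per output; a real-size P needs a proper extractor.
        out.append(nr_prf(a, digest_bits[i:i + n]) % 256)
    return bytes(out)


def final_seed(seed1: bytes, seed2: bytes) -> bytes:
    """Last step of the slide: combine the physical seed and Seed2 with XOR."""
    length = min(len(seed1), len(seed2))
    return bytes(x ^ y for x, y in zip(seed1[:length], seed2[:length]))
```

With a = <3, 5, 7, 2> the input 101 selects a1 and a3, so the exponent is 3·5·2 mod 11 = 8 and the output is 2^8 mod 23 = 3; the verifier can recompute Seed2 from the same key and coupon file, which is what makes the later reproduction check possible.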
Design Considerations: Signing and Authenticating
To boost confidentiality and accountability:
(Diagram: after number generation, the numbers and seeds pass through an encryption scheme and a signing process and are then sent to the Verifier.)
A high-level description of the protocol
Before the draw, GEN1 and the VERIFIER exchange keys for encryption and a private/public key pair for signatures.
(Protocol diagram between GEN1 and the VERIFIER, read top to bottom:)
– VERIFIER: idle, then sends the drawing initiation signal.
– GEN1: obtains random bits from the TRNG (Seed1) and the hash value of the coupon file; sends a bit commitment and signature.
– GEN1: derives Seed2 with the NR function, XORs the seeds and generates the numbers from the PRNG.
– GEN1: encrypts and signs the seeds and numbers.
– VERIFIER: verifies and decrypts the seeds and numbers; verifies that GEN1 committed to the true seeds.
– VERIFIER: regenerates the numbers from the retrieved seeds and checks the numbers: SUCCESS, otherwise "System Failed".
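The seed-commitment, state-stamping and protocol slides above describe one exchange; the following added example (not code from the lecture or the lottery system) plays it out end to end between a generator and a verifier. It assumes a hash-based commitment, SHA-256 in place of rmd160 for the coupon fingerprint, an HMAC with a shared key standing in for the signature, a SHA-256 mix standing in for the NR function, Python's Mersenne Twister standing in for the CSPRNG, and a 6-out-of-49 draw; the encryption layer is left out.

```python
import hashlib
import hmac
import json
import os
import random

# Constructed stand-ins for the keys the slides exchange before the draw.
MAC_KEY = os.urandom(32)
HOW_MANY, UPPER = 6, 49  # assumed draw format


def fingerprint(coupon_file: bytes) -> str:
    """State stamping: hash of the coupon file (slides: rmd160; SHA-256 here)."""
    return hashlib.sha256(coupon_file).hexdigest()


def commitment(seed1: bytes, nonce: bytes) -> str:
    """Hash-based bit commitment to Seed1, opened later by revealing (seed1, nonce)."""
    return hashlib.sha256(nonce + seed1).hexdigest()


def mix_seeds(seed1: bytes, coupon_hash: str) -> bytes:
    """Final seed = Seed1 XOR Seed2; Seed2 here is a hash stand-in for the NR output."""
    seed2 = hashlib.sha256(coupon_hash.encode()).digest()
    return bytes(x ^ y for x, y in zip(seed1, seed2))


def draw_numbers(final_seed: bytes) -> list:
    """Deterministic PRNG seeded with the final seed, so the Verifier can regenerate."""
    rng = random.Random(int.from_bytes(final_seed, "big"))  # stand-in for the CSPRNG
    return sorted(rng.sample(range(1, UPPER + 1), HOW_MANY))


def sign(message: dict) -> str:
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(MAC_KEY, body, hashlib.sha256).hexdigest()


def generator_commit(coupon_file: bytes) -> tuple:
    """GEN1 on the initiation signal: Seed1 from the TRNG, coupon hash, commitment."""
    state = {"seed1": os.urandom(32), "nonce": os.urandom(16),
             "hash_before": fingerprint(coupon_file)}
    return state, commitment(state["seed1"], state["nonce"])


def generator_produce(state: dict, coupon_file: bytes) -> tuple:
    """GEN1: re-check the coupon file, generate the numbers, sign seeds and numbers."""
    if fingerprint(coupon_file) != state["hash_before"]:
        raise RuntimeError("coupon file modified before the draw")
    final = mix_seeds(state["seed1"], state["hash_before"])
    message = {"seed1": state["seed1"].hex(), "nonce": state["nonce"].hex(),
               "coupon_hash": state["hash_before"], "numbers": draw_numbers(final)}
    return message, sign(message)


def verifier_check(commit: str, message: dict, tag: str, coupon_file: bytes) -> list:
    """VERIFIER: signature, commitment and coupon-file state, then regeneration."""
    if not hmac.compare_digest(sign(message), tag):
        raise ValueError("bad signature on seeds and numbers")
    seed1, nonce = bytes.fromhex(message["seed1"]), bytes.fromhex(message["nonce"])
    if commitment(seed1, nonce) != commit:
        raise ValueError("GEN1 did not commit to these seeds")
    if fingerprint(coupon_file) != message["coupon_hash"]:
        raise ValueError("coupon file changed after the draw (post-betting attempt)")
    if draw_numbers(mix_seeds(seed1, message["coupon_hash"])) != message["numbers"]:
        raise ValueError("numbers do not regenerate from the seeds")
    return message["numbers"]


def run_draw(coupon_file: bytes, coupon_file_after: bytes = None,
             substitute_seed: bool = False) -> tuple:
    """Whole exchange; returns ("SUCCESS", numbers) or ("System Failed", reason)."""
    after = coupon_file if coupon_file_after is None else coupon_file_after
    state, commit = generator_commit(coupon_file)
    message, tag = generator_produce(state, coupon_file)
    if substitute_seed:  # seed swapped after committing: the commitment must catch it
        message["seed1"] = os.urandom(32).hex()
        tag = sign(message)
    try:
        return "SUCCESS", verifier_check(commit, message, tag, after)
    except ValueError as err:
        return "System Failed", str(err)
```

Each of the verifier's four checks maps to one requirement on the slides: the signature to accountability, the commitment to seed integrity, the fingerprint to state stamping, and the regeneration to the final check on the numbers.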
Time Table
– 6 minutes before the draw time: the Verifier sends the draw initiation signal to GEN1.
– 3 minutes later: if the Verifier hasn't received the numbers, it sends the initiation signal to GEN2.
– GEN2 produces the numbers in 3 minutes, on time, with the same processes as GEN1.
Software random number generators
Two algebraic generators:
– BBS (proposed by Blum, Blum and Shub), one of the most frequently used cryptographically strong PRNGs
– RSA/Rabin generator, based on the RSA function
Two block-cipher-based generators:
– DES and AES
Physical random number generators
We combine three physical generators with XOR:
– One based on the phase differences of the two motherboard clocks (the VonNeumannBytes function)
– The ZRANDOM hardware generator
– The SG100 hardware generator
Output Processing
Outputs are combined with two shuffling algorithms:
– Algorithm M (proposed by MacLaren and Marsaglia): takes two input sequences Xn and Yn and shuffles the sequence Xn, using elements of the sequence Yn as indexes into a table of Xn values
– Algorithm B (proposed by Bays and Durham): similar to M, but with one input sequence; the output is a shuffled instance of the input
Output Processing
Combine the outputs with the XOR operation:
– The four generators are combined with bit-wise XOR
– The protocol moves periodically to different combinations of the generators
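The software-generator and output-processing slides above name the building blocks without showing them. The following added example (not code from the lecture or the lottery system) implements a toy Blum-Blum-Shub generator, Algorithm M and Algorithm B as described on the slide, bit-wise XOR combination of several streams, and one round of the whole pipeline. The modulus 253 = 11 · 23, the seeds, the table size k = 8 and the rotation rule in active_generators are all constructed for illustration; a real deployment uses a modulus of cryptographic size.

```python
from math import gcd
from typing import List, Sequence


def bbs_bits(n: int, seed: int, count: int) -> List[int]:
    """Blum-Blum-Shub: x_{i+1} = x_i^2 mod N, output the least significant bit.
    N must be the product of two primes congruent to 3 mod 4 (toy size here)."""
    if seed in (0, 1) or gcd(seed, n) != 1:
        raise ValueError("seed must be > 1 and coprime to N")
    out, x = [], seed
    for _ in range(count):
        x = (x * x) % n
        out.append(x & 1)
    return out


def bits_to_bytes(bits: Sequence[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def algorithm_m(x_seq: Sequence[int], y_seq: Sequence[int], k: int, count: int) -> List[int]:
    """MacLaren-Marsaglia: a table of k values from X; each Y value selects the
    table entry to output, and that entry is refilled from X."""
    xs = iter(x_seq)
    table = [next(xs) for _ in range(k)]
    out = []
    for y in y_seq[:count]:
        j = y % k
        out.append(table[j])
        table[j] = next(xs)
    return out


def algorithm_b(x_seq: Sequence[int], k: int, count: int) -> List[int]:
    """Bays-Durham: like M, but the previously output value selects the table slot."""
    xs = iter(x_seq)
    table = [next(xs) for _ in range(k)]
    y = next(xs)
    out = []
    for _ in range(count):
        j = y % k
        y = table[j]
        table[j] = next(xs)
        out.append(y)
    return out


def xor_combine(streams: Sequence[bytes]) -> bytes:
    """Bit-wise XOR of several generator outputs: the result is biased only if
    every contributing stream is biased or controlled."""
    length = min(len(s) for s in streams)
    out = bytearray(length)
    for s in streams:
        for i in range(length):
            out[i] ^= s[i]
    return bytes(out)


def active_generators(round_no: int, n_generators: int = 4, n_active: int = 3) -> List[int]:
    """Assumed rotation rule: which generators are XORed in a given round."""
    return [(round_no + i) % n_generators for i in range(n_active)]


def combine_round(round_no: int, modulus: int = 253,
                  seeds: Sequence[int] = (3, 5, 7, 13)) -> bytes:
    """One round: four toy BBS streams (stand-ins for the four generators), each
    shuffled with Algorithm B, then the active subset XORed together."""
    shuffled = []
    for seed in seeds:
        raw = bits_to_bytes(bbs_bits(modulus, seed, 8 * 40))  # 40 bytes per stream
        shuffled.append(bytes(algorithm_b(raw, k=8, count=16)))
    return xor_combine([shuffled[i] for i in active_generators(round_no, len(seeds))])
```

Shuffling changes the order of a stream but not its statistics, which is why the slides still apply the Diehard battery to the final output and to the hardware generators separately.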
Output Testing
Statistical tests (the Diehard battery of tests) are applied on:
– The produced random numbers
– The hardware random number generators
On-line tests
Considerations
Many factors should be considered for a robust protocol designed to support an electronic lottery:
– The generation of sequences that are exceptionally difficult to guess
– The measures against many possible attacks on the generation and on the entire system operation
– Business management process
The Issue of Trust
Trust plays a major role in the way people view and use information systems.
Trust should be the first priority for eGovernment applications.
Trust is of great importance for the success of eVoting.
Our Goal
Propose and apply a "trust preserving" approach for handling the increasingly difficult complexity issues of building eVoting systems and, in general, trust-critical eGovernment applications.
Design and implement a secure and efficient eVoting platform with a focus on trust establishment.
Our approach
Decomposition of eVoting into layers containing basic trust components, to facilitate the management of trust in each component.
A concrete notion of trust components should be taken into consideration by designers of security-critical applications in general.
Pragmatic Trust
A pragmatic approach to security-critical applications should be based on layering.
The layered approach to trust reflects the "trust engineering" phases by combining technology, policy and public awareness issues.
The trust-centered approach
(Diagram "Layers of Trust" with the following elements: Technological Security (crypto elements); Actual Security; Risk Models; Perceived Security; Institutional/management/organizational aspects: Policies, Controls, Laws and Regulations; E-Voting System; Transparency; Trust; Confidence; Operators, Authorities, Experts, Citizens.)
Layers of the architecture
Scientific Soundness: crypto-based justification of all components (e.g. cryptographically secure random number generators, homomorphic functions)
Layers of the architecture
Implementation Soundness: formal methodology for the verification of the implementation (applied periodically)
Layers of the architecture
Internal Operational Soundness: high availability and fault tolerance (self-auditing, self-checking, self-recovery from malfunction)
Layers of the architecture
Externally Visible Operational Soundness: impossible for someone to interfere with the system from the outside (quickly detectable)
Layers of the architecture
Convincing the Public: crucial for the success of the eVoting system (details available to the public, organize campaigns etc.)
Layers of the architecture
Scientific Soundness: crypto-based justification of all components (e.g. cryptographically secure random number generators, homomorphic functions)
Some basic requirements for a general e-Voting scheme
Privacy:
– only the final result is made public; no additional information about votes will leak.
Robustness:
– the result reflects all submitted and well-formed ballots correctly, even if some voters and/or possibly some of the entities running the election cheat.
Universal verifiability:
– after the election, the result can be verified by anyone.
How to meet these requirements?
We obviously need cryptographic techniques, but tamper-resistant devices as well, and we need to provide
– appropriate protocols and mechanisms to meet these requirements, which we will be discussing
– digital signatures to identify voters
– data correctness and integrity proofs etc.
Mixnets
A mechanism for destroying the relationship between a voter and his vote through the application of consecutive vote permutations.
Permutations without fixed points: derangements.
Random walks in permutation groups: how many steps until the uniform distribution appears (random walk mixing time)?
Votes are fully decrypted in the last step, but their link to the voters has, by now, disappeared.
Parallelizing the process efficiently is, we conjecture, P-complete (reduction from CVP):
Given n inputs in some particular order, is input i led to output j after the application of all the permutation stages of the mixnet?
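The following added example (not code from the lecture or any mixnet implementation) shows the permutation layer of the mixnet slide: sampling a derangement for each stage with a CSPRNG, applying the stages in sequence, and composing them to answer the slide's routing question "is input i led to output j". The re-encryption between stages and the final decryption are not shown; only the permutations are.

```python
import secrets
from typing import List


def random_derangement(n: int) -> List[int]:
    """Uniform random permutation with no fixed points, by rejection sampling
    (the acceptance rate tends to 1/e, so a few tries suffice on average)."""
    if n < 2:
        raise ValueError("no derangement of fewer than 2 elements")
    while True:
        perm = list(range(n))
        for i in range(n - 1, 0, -1):          # Fisher-Yates with a CSPRNG
            j = secrets.randbelow(i + 1)
            perm[i], perm[j] = perm[j], perm[i]
        if all(perm[i] != i for i in range(n)):
            return perm


def is_derangement(perm: List[int]) -> bool:
    return sorted(perm) == list(range(len(perm))) and all(p != i for i, p in enumerate(perm))


def apply_stage(items: list, perm: List[int]) -> list:
    """One mix stage: input slot i is moved to output slot perm[i]."""
    out = [None] * len(items)
    for i, item in enumerate(items):
        out[perm[i]] = item
    return out


def compose(stages: List[List[int]]) -> List[int]:
    """Overall routing after all stages: route[i] is the final slot of input i.
    This is the question the slide conjectures to be P-complete in general."""
    route = list(range(len(stages[0])))
    for perm in stages:
        route = [perm[r] for r in route]
    return route


def mix(ballots: list, n_stages: int) -> tuple:
    """Run the ballots through n_stages derangements; return output and stages."""
    stages = [random_derangement(len(ballots)) for _ in range(n_stages)]
    out = ballots
    for perm in stages:
        out = apply_stage(out, perm)
    return out, stages
```

Note that the composition of two derangements can have fixed points: [1, 2, 0] followed by [2, 0, 1] returns every input to its original slot. That is the point of the slide's mixing-time question: a single stage without fixed points says nothing about where the whole walk ends up, so enough stages (and independent operators) are needed before the overall permutation is close to uniform.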
Homomorphic functions
Another mechanism for destroying the relationship between a voter and his vote, based on homomorphic functions (i.e. ElGamal encryption!)
Based on the computational difficulty of inverting these functions
Votes are never decrypted, but they are added, homomorphically, in their encrypted form!
The vote outcome is in encrypted form too and needs to be decrypted (this is not hard, since the number of voters is usually small and a brute-force inversion suffices; Pollard Rho, baby-step giant-step etc. can also be used)
$E_k(x_1 + x_2 + \cdots + x_n) = E_k(x_1)\, E_k(x_2) \cdots E_k(x_n)$
Efficient parallelization:
Registering voters
It is not imperative that we have an independent X.509 PKI system in place (if a PKI is available, that's fine!)
But we will assume we have an existing registration scheme in place
Thus, we can simply send something out to a voter by mail, like a PIN mailer
– which he may use for electronic registration
– at which stage a public key pair is generated for his use, and the private key is stored securely in a central server, all using HSMs; the private key never leaves the HSM-controlled environment
This registration could take place
– at home, from the voter's own workstation
– or at a polling station, where he presents a fairly traditional voting card received in the mail for proper identification and counting, and uses an additional small slip with a PIN or similar to vote, as in the vote-at-home scenario
– using the PIN for identification
Counting the votes
Leaving aside the issues of anonymity etc., adding up votes electronically could be virtually instant.
In order to meet some or all of our requirements, the following property would be extremely useful:
– Given any two votes, m1 and m2, and their encryptions, P(m1) and P(m2), assume P(m1) + P(m2) = P(m1 + m2); even better, if we can "randomise" to anonymise using an individual random number r_i for each vote, and we have the property P(m1, r1) + P(m2, r2) = P(m1 + m2, R) for some number R (actually, R = r1 + r2), then
Counting by exploiting the homomorphism property
we call P(., .) a homomorphic public key if, for any set of votes, there always exists some R (which will vary with the votes) with ∑P(xi, ri) = P(∑xi, R).
Now we have it (assuming that such a function exists, of course!):
– the voter casts the electronic vote x
– the application chooses a random number r, calculates P(x, r), signs it and forwards SA(P(x, r))
– the authenticating server verifies the signature and forwards P(x, r) for counting
– the counting server calculates ∑P(xi, ri) = P(∑xi, R) and decrypts to recover ∑xi, while R is discarded
– the result is available less than 1 minute after the closing of the polling stations
CGS97 - The Protocol
(Message diagram between the Client (Voter) and the Server (EA) with the following labels: Encrypt vote; Encrypted vote M; ZKP of encryption; Encrypt M -> M'; Joint ZKP for validity of M'; Timestamp M' -> M''; Sign M''; Signed M''; Sign and store M''.)
CGS97 - The Protocol
Initialization
– All authorities publish their shares, a threshold public key S and another generator h of the multiplicative group.
– The legal votes will be h^-1 and h^1.
Voting
– A voter encrypts his vote b_i using E(h^b_i, S; r) and publishes it on a public board, along with a non-interactive proof of validity of the vote.
Verification
– All voters' non-interactive proofs are verified (publicly) and invalid votes are deleted.
Tallying
– After the election ends, t authorities compute E(h^total, S; r_total) by combining the individual ciphertexts E(h^b_i, S; r_i) homomorphically, and publicly decrypt it to get h^total. Now anyone can find Total (using a linear-time exhaustive search), which is the difference between the number of votes for each candidate. These calculations can also be verified using non-interactive zero-knowledge proofs of equality of discrete logarithms.
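The counting slides and the CGS97 tallying slide above describe the same mechanism: votes encoded as h^-1 or h^1, ElGamal ciphertexts multiplied together, a joint decryption by the keyholders, and an exhaustive search for the total. The following added example (not the lecture's or CGS97's own code) carries that through with toy parameters (P = 1019, generators g = 2 and h = 3, all constructed) and the t = n sharing the risk-treatment slide recommends, where each keyholder contributes a partial decryption and never reveals its share. The validity proofs and the equality-of-discrete-log proofs are not included.

```python
import secrets

# Toy parameters, constructed for illustration: P prime, G a generator of
# Z_P^*, H the second generator used to encode the votes h^-1 and h^+1.
P, G, H = 1019, 2, 3
ORDER = P - 1  # exponents are reduced modulo the group order


def keygen_shares(n_keyholders: int) -> tuple:
    """Each keyholder gets a secret share s_i; the threshold public key is
    y = g^(sum s_i). This is the t = n case: all keyholders must cooperate."""
    shares = [secrets.randbelow(ORDER - 1) + 1 for _ in range(n_keyholders)]
    y = 1
    for s in shares:
        y = (y * pow(G, s, P)) % P
    return shares, y


def encrypt_vote(b: int, y: int) -> tuple:
    """E(h^b, S; r) with b in {-1, +1}: ciphertext (g^r, h^b * y^r)."""
    if b not in (-1, 1):
        raise ValueError("legal votes are -1 and +1")
    r = secrets.randbelow(ORDER - 1) + 1
    m = pow(H, b, P)  # a negative exponent yields the modular inverse (Python 3.8+)
    return pow(G, r, P), (m * pow(y, r, P)) % P


def homomorphic_add(ciphertexts: list) -> tuple:
    """Product of ciphertexts = encryption of h^(sum of votes) under r_total = sum r_i."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = (c1 * a) % P, (c2 * b) % P
    return c1, c2


def decrypt_part(share: int, c1: int) -> int:
    """Keyholder i publishes c1^(s_i); the share s_i itself stays secret."""
    return pow(c1, share, P)


def combine_parts(parts: list, c2: int) -> int:
    """The product of the partial decryptions is c1^s; dividing it out gives h^total."""
    d = 1
    for part in parts:
        d = (d * part) % P
    return (c2 * pow(d, -1, P)) % P


def recover_total(h_total: int, n_votes: int) -> int:
    """Linear-time exhaustive search for total in [-n, n] with h^total == h_total."""
    for total in range(-n_votes, n_votes + 1):
        if pow(H, total, P) == h_total:
            return total
    raise ValueError("no valid total: some ciphertext was not a legal vote")


def run_election(votes: list, n_keyholders: int = 3) -> int:
    """Whole tally: publish encrypted votes, multiply, jointly decrypt, search."""
    shares, y = keygen_shares(n_keyholders)
    board = [encrypt_vote(b, y) for b in votes]  # the public bulletin board
    c1, c2 = homomorphic_add(board)
    parts = [decrypt_part(s, c1) for s in shares]
    return recover_total(combine_parts(parts, c2), len(votes))
```

No individual vote is ever decrypted: only the product ciphertext reaches the keyholders, and the exhaustive search is over at most 2n + 1 candidates, which is why the slide calls the final step linear-time. The search also acts as a sanity check, since a ciphertext that did not encode h^-1 or h^1 leaves the product outside the set of reachable values.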
More on Scientific Soundness: Randomness
Cryptographically strong pseudorandom generators:
1. Generators based on a number-theoretic problem (BBS, RSA/Rabin, discrete log)
2. Generators employing symmetric (block) ciphers or secure hash functions (DES, AES, SHA, MD5)
In order to confuse cryptanalysts, the generation process can periodically use a different combination of algorithms:
– shuffling algorithms (algorithms M and B)
– XOR operation
More on Scientific Soundness: Randomness
Physical random number generators:
1. The seed of any software random number generator must be drawn from a source of true randomness.
2. Combine more than one such generator to avoid problems if some of the generators fail (for example with XOR).
3. Use a pseudorandom function (Naor-Reingold) for processing the combination of the seeds.
Layers of the architecture
Implementation Soundness: formal methodology for the verification of the implementation (applied periodically)
Implementation Soundness
The theoretically established cryptographic security by itself disappears if a simple implementation error occurs in the implementation code.
Testing the implementation is a crucial step in building a secure and trustworthy eVoting system.
Implementation Soundness
There are a number of verification methodologies and tools that can be applied, based on various statistical tests.
The CORAS Methodology
– Methodology for security risk analysis
– Customised language for threat and risk modelling (UML based) + extended documentation (diagrams, tables)
– Provides detailed guidelines: context identification, risk identification, risk analysis, risk evaluation, risk treatment
– Proposes different tools and techniques for each step, plus a software tool to integrate the tools and document the results
http://coras.sourceforge.net/
(Process diagram: 1 Identify Context; 2 Identify Risks; 3 Analyse Risks (likelihood, consequences; estimate level of risk); 4 Evaluate Risks; Accept Risks? yes/no; 5 Treat Risks; steps 2 to 4 form "Assess Risks"; "Monitor and review" and "Communicate and consult" run alongside all steps.)
Risk Analysis and Management (2/11)
Risk Analysis and Management (2/11)
Basic steps of CORAS
1. Context Identification
• Application scenario, assets, data flows
• UML modeling language
2. Risk Identification
• Identification of threats
• Threat diagrams
• HazOp analysis
• Fault tree analysis
3. Risk Analysis
• Specification of likelihood, consequence and risk levels
• Assessment of risks (likelihood of occurrence and consequence): qualitative, or quantitative (through fault tree analysis)
4. Risk Evaluation
• Risk categorization matrix
5. Risk Treatment
• Countermeasures for critical risks
Step 1: Context Identification
Risk Analysis and Management (3/11)
(Abstract class diagram, activity diagram and use case diagram of the Core Voting System. Components: Voter Client, Local EA Server, Central EA Server, Local Database, Central Database, Registrar, System Administration, Log-Audit Mechanism; SSL connection; VPN connection. Activities: Initialization, Vote Casting, Vote verification, Vote publication, Vote processing, Tallying, Result decryption, Result publication. Use case actors and modules: Voter, Election Authority (core subsystem), Vote Manager, Tallier, Bulletin Board, Keyholder, Voting Protocol, Verification, Publication, with "uses" relations between them.)
Step 1 (continued)
Risk Analysis and Management (4/11)
Example of a time sequence diagram (decryption and calculation of the result), steps 15 to 17.
(Lifelines: Tallier, BulletinBoard, Keyholder_1, Keyholder_2, ..., Keyholder_s. Messages: getVotes, homomorphicAdd, publish, get, decryptPart, return_Decrypted_Product, factorsAndExps, return(Result), publish.)
Step 2: Risk Identification
Risk Analysis and Management (5/11)
Part of the high-level risk table (columns: Threat, i.e. who/what causes it and how | Unwanted incident, i.e. what the incident is | Vulnerability, i.e. what makes it possible; the asset column, i.e. what it harms, is not reproduced in the transcript)
Keyholders | Disclosure of secret keys | Corrupted keyholders (software)
Voter | Disclosure of credentials (id, password, certificate) to another person | Malicious voter
EA | Vote alteration | Corrupted EA
EA | Vote disclosure | Corrupted EA
EA | Tallying error | Software error
EA | Result alteration | Corrupted EA
Coercer | Voter coercion | Lack of monitoring during remote vote casting
Hacker | Vote alteration | Insufficient security
Hacker | Final result alteration | Insufficient security
(Legend of CORAS symbols: Threat (accidental), Threat (deliberate), Threat (non-human), Threat Scenario, Unwanted Incident, Asset, Vulnerability.)
Step 2 (continued)
Risk Analysis and Management (6/11)
Asset: Keys Ki (step 1)
Part of the HazOp table (columns: Guideword | Threats | Likelihood | Consequence | Countermeasures)
Manipulation | Alteration of the key generator operation by an authorized person | Small | Keys are not secret or are not random | Testing of the key generator before the elections; restricted access to the software
Disclosure | Disclosure of some Ki by their holders | Medium | Corruption of the elections is possible | Key sharing (k out of k): in order for the overall key to be disclosed, all keyholders need to disclose their keys
Programming errors | Errors in the generator software | Medium | The keys are not randomly generated (fake randomness); the keys do not satisfy the requirements (e.g. length) | Application of good programming practices; extensive testing and debugging; use of secure random number generators
Step 2 (continued)
Risk Analysis and Management (7/11)
Fault tree diagram (ITEM Toolkit) for the top event 1, "Disclosure of encrypted vote M" (M: ElGamal encryption of the ballot), with intermediate and basic events:
– Gate 2, "Disclosure by Voter": basic events 1 (disclosure by the voter himself), 2 (error in the voter client software), 3 (malicious software on the voter's PC)
– Gate 3, "Tapping through transmission": basic event 4 (SSL failure)
– Gate 4, "Disclosure by EA (Vote Manager)": basic events 5 (malicious EA (Vote Manager)), 6 (malicious software in the EA Vote Manager module)
Step 3: Risk Analysis
Risk Analysis and Management (8/11)
Assessment of the likelihood of occurrence of unwanted incidents: calculation of the threat occurrence likelihood.
Events (Event | Description | Likelihood):
Disclosure by Voter
1 | Disclosure of the vote by the voter | 0.05
2 | Voter software error | 0.1
3 | Malicious software on the voter's PC | 0.1
Stolen while in transit
4 | SSL failure | 0.1
Disclosure by Vote Manager
5 | Malicious Election Authority (vote manager) | 0.05
6 | Malicious software in the Election Authority (vote manager) | 0.05
Threats (Threat ID | Description | Events involved | Likelihood):
1 | Disclosure of vote M | 1-6 | 0.38 (Medium)
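The threat likelihood on the slide follows from the fault tree two slides earlier and the six event likelihoods above. The following added example (not the lecture's or the CORAS tool's code) encodes that tree and evaluates it under the usual assumption of independent basic events with OR gates (the gate types are not stated on the slide; OR gates reproduce its figure): P(top) = 1 - ∏(1 - p_i) = 1 - 0.95³ · 0.9³ ≈ 0.375, which the slide reports as 0.38. The qualitative bands in likelihood_level are an assumption; the slide only says that this value counts as Medium.

```python
from typing import Union

# A node is either a basic-event probability or ("OR"/"AND", name, [children]).
Node = Union[float, tuple]

# Encoding of the slide's fault tree (constructed from the diagram's labels).
VOTE_DISCLOSURE_TREE = (
    "OR", "Disclosure of encrypted vote M", [
        ("OR", "Disclosure by Voter", [0.05, 0.1, 0.1]),          # events 1, 2, 3
        ("OR", "Tapping through transmission", [0.1]),           # event 4: SSL failure
        ("OR", "Disclosure by EA (Vote Manager)", [0.05, 0.05]),  # events 5, 6
    ],
)


def probability(node: Node) -> float:
    """Evaluate a fault tree assuming independent basic events.
    OR gate: 1 - prod(1 - p_i); AND gate: prod(p_i)."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, _name, children = node
    probs = [probability(child) for child in children]
    if gate == "OR":
        survive = 1.0
        for p in probs:
            survive *= 1.0 - p
        return 1.0 - survive
    if gate == "AND":
        joint = 1.0
        for p in probs:
            joint *= p
        return joint
    raise ValueError("unknown gate %r" % gate)


def gate_probabilities(node: Node, out: dict = None) -> dict:
    """Probability of every named gate, e.g. to see which branch dominates."""
    out = {} if out is None else out
    if isinstance(node, tuple):
        out[node[1]] = probability(node)
        for child in node[2]:
            gate_probabilities(child, out)
    return out


def likelihood_level(p: float) -> str:
    """Assumed qualitative bands for the categorization matrix."""
    if p < 0.1:
        return "Low"
    if p < 0.5:
        return "Medium"
    return "High"
```

Evaluating the gates separately shows that the voter-side branch (about 0.23) contributes the most, which is where the HazOp countermeasures for the client and the monitoring of remote vote casting pay off first.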
Step 3 (continued)
Risk Analysis and Management (9/11)
Qualitative assessment of consequence using FMEA (columns: ID | Function/Entity | Failure mode | Local effects | System-wide effects | Causes | Consequences)
1 | GenerateElGamalParameters(size) | Size parameter is not available in the system config file | The public parameters may not be created | System initialization is not possible | Config file is not properly updated by the system administrator; access to the config file/database is not possible | Voting process may not begin
2 | Publish(elGamalParameters) | Bulletin Board is not updated with the public parameters | Keyholders may not produce keys | System initialization is not possible | Connection to the database is not possible | Voting process may not begin
Step 4: Risk Assessment
Risk Analysis and Management (10/11)
Risk categorization matrix (rows: consequence value; columns: likelihood value, from Rare, Unlikely, Possible, Likely to Certain; each cell lists risk IDs, cells separated by semicolons as they appear in the transcript)
Insignificant:
Minor: 4, 10, 12, 30, 31; 29, 32, 34, 35, 36, 39, 40; 14
Moderate: 3; 8, 22
Major: 1, 9, 21, 23, 26, 27; 7, 17, 20, 24, 25, 28, 33, 37; 13
Catastrophic: 2, 5, 11, 476, 15, 16, 18, 19, 41, 43, 44, 45, 46; 38, 48, 49; 42
Step 5: Risk Treatment (taken into account in the design/implementation phases)
(Columns: Risk ID | Description | Risk level | Treatment options / measures)
Risks with regard to partial key disclosure or non-availability:
2 | Disclosure of some of the Ki by their keyholders | Extreme | The disclosure of partial keys would be catastrophic, as it would allow the decryption of individual votes and of the final result by unauthorized parties (or even the EA). Threshold cryptography techniques are used as a countermeasure. Such techniques require at least t out of n keyholders to cooperate for the conduct of the elections. Moreover, the competing interests of the keyholders discourage potential alliances among them. For ultimate security, we suggest t = n, which means that all keyholders need to cooperate.
5 | Some of the Ki are not available | Extreme |
Layers of the Architecture
Internal Operational Soundness: high availability and fault tolerance (self-auditing, self-checking, self-recovery from malfunction)
Internal Operation Soundness
One of the most important issues in an eVoting application is the ability to self-check its internal operation and give warnings when needed.
Self-checking reduces human intervention and increases the responsibility of the system in case of non-normal operation.
Self-checking approaches include: intrusion detection systems, hardware-based software bootloaders for secure start-up (embedded systems).
Internal Operation Soundness
All the internal activity of the system must be supervised by authorized personnel.
A personnel security plan must be deployed so that every person involved in eVoting is responsible for a different action.
The computer room where the servers are kept must be isolated:
1. A biometric access control system is needed.
2. The access control system must use cameras and movement detectors.
Layers of the Architecture
Externally Visible Operational Soundness: impossible for someone to interfere with the system from the outside (quickly detectable)
Externally Visible Operational Soundness
It should be possible to detect erratic behavior or to ascertain that everything is as expected: detect the most frequent eVoting system failures and attacks as fast as possible.
Possible failures and attacks:
– Failure of a random number generator
– System database damage
– Forging votes
– "Bogus" voting servers
Externally Visible Operational Soundness
Operational physical security:
– system operators' actions should be subjected to monitoring and logging
– visual monitoring of the system and strict access control
– a strict maintenance process for modifications of any part of the system is needed
Forging votes: not possible, since no double or non-authenticated votes are accepted by the system
Externally Visible Operational Soundness

“Bogus” servers: the system should be protected from intrusions; a third party is needed to operate as a firewall between the servers and the vote database.
The third party (central Election Authority):
1. Responsible for monitoring the operation of the voting servers.
2. Re-tallying to make sure that local EAs have valid local tallies.
3. Analyzing IDS information.
Layers of the architecture

Convincing the Public:
Crucial for the success of the eVoting system (details available to the public, organize campaigns etc.)
Layers of the architecture

“Reassure the public that all measures have been taken in order to produce an error-free, secure and useful application.”
Such measures include:
1. Trust by increasing awareness (educate the public about security and data protection issues in non-technical terms).
2. Trust by continual evaluation and accreditation (continual evaluation and certification of the system’s operation, results of the evaluation publicly available).
3. Trust by independence of evaluators (the system must be verified by experts outside the organization).
4. Trust by open challenges (call for hackers).
Convincing the public

5. Trust by extensive logging and auditing of system activities (logging and auditing activities are scheduled on a daily basis, results available for public scrutiny).
6. Trust by contingency planning (failures in systems that offer e-services are not acceptable, contingency plan publicly available).
7. Trust by regulation and laws (the system operator introduces suitable legislation for the protection of the public in case of mishaps).
8. Trust by reputation and past experience (the involvement of engineers and experts should be accompanied by credentials that prove their expertise).
System and implementation related aspects

[Architecture diagram: Registration, Administration, Verification and System Core blocks; roles: Registrar, System Administrators, Auditors, Loggers, Verifiers, Tallier, Keyholders, Voting Server, Bulletin Board Manager; the Central EA and Local EA1 … Local EAk with their clients (Client1 … Clientn) connected over VPN over Internet; Adversaries & Coercers.]

• Bouncy Castle Java crypto library
• OpenCA
• OpenVPN
• Apache Tomcat
• SSL
• NTP for obtaining time
• PostgreSQL
• HELENA IDS
• Hardware RNGs for seeding
• ATMEL’s ATMega8 microcontroller for secure bootstrapping of parameters and startup code
Application server: Apache Tomcat

• Application Tier of the Election Authorities (EAs)
• Execution of Java servlets (servlet container)
• Responsible for:
– The presentation of the web interfaces to voters who connect to the EA
– The recognition of the web page for which a request for an http (or https) connection was made by a voter’s web browser (supported web browsers include: Internet Explorer, Mozilla Firefox, Netscape Navigator, Opera, and Safari)
– The identification and activation of the requested page, including the activation of all Java scripts linked to it (Tomcat has an internal compiler that transforms Java servlets into Java Server Pages, which are suitable for presentation by a voter’s web browser)
– The execution of the requests contained in the servlets (e.g. PostgreSQL requests)
– The implementation of the secure https connections through the activation of the SSL module (mod_ssl)
– The activation of load balancing support (JK native connector)
Intrusion Detection System: HELENA

• Developed by RACTI
• Constantly gathers and analyzes incoming and outgoing traffic from a target network (the network with the central EAs in our case)
• Local computer agent
• Master console agent
• “Not-used” request database
• Threshold values – updates: the target network is modeled with a directed graph of connections (vertices: computers + ports, edges: connection requests)
Voter authentication: OpenCA

• Used for the identification of legal voters
• Was installed to operate with Linux Ubuntu 6.10 (Edgy Eft)
• Implementation of a Certification and a Registration Authority (CA and RA)
• CA and RA operate at the same server and use a PostgreSQL database
• The voter submits a request for the receipt of a certificate – if entitled to vote, the certificate is issued and the user installs it in the web browser. Then the voter is allowed to access the local EA
• The Apache Tomcat receives and validates the certificates using SSL-based authentication protocols
Ensuring privacy in the network: OpenVPN

Installed at the Central EAs using the client – server model:
• The VPN server has a static IP address and is accessible from the Internet. If the VPN server is behind NAT (Network Address Translation) then the NAT router should be configured to route traffic directed to the connection port of OpenVPN (default 1194 udp) to the VPN server.
• After the installation of OpenVPN, certificates are constructed that allow clients (i.e. Local EAs) to request VPN connections.
• After installing their certificates, the clients can request and establish secure VPN connections to the VPN server
High availability and fault tolerance: mon, heartbeat, and coda (1/2)

• The "mon", "heartbeat", and "coda" tools from Linux Virtual Server
• Mon is a monitor of the state of the servers and the network, heartbeat sends frequent signals so as to signify the availability of the servers, and coda implements a fault tolerant distributed file storage system (actually implemented by Slony-I in our case – see below)
• There is also fake, which is an IP take-over module that employs ARP spoofing
High availability and fault tolerance: mon, heartbeat, and coda (1/2)

[Figure]
Database replication: Slony-I (1/2)

• An asynchronous data replication platform (with periodic updates) for PostgreSQL that supports cascading and failover.
• It creates a cluster of local databases (in our case, the local databases of votes in each Local EA and in the Central EAs)
• It creates mirrors, at a master database, of databases kept at slave databases
Database replication: Slony-I (2/2)

[Figure: Local EA 1, Local EA 2, …, Local EA N; Central EA; Cluster 1, Cluster 2, …, Cluster N.]
Heartbeat and Slony-I: An architecture for high availability and fault tolerance

[Figure]
Secure EA bootstrapping: MCUs with protected memory

[Figure: Central Election Authority and Local Election Authority; Code + boot-loader, Updated Code; ATMEL’s ATmega8 AVR Microcontroller; STK500 AVR Dev. Board.]

• Secure storage of keys, voting parameters and bootstrapping code
• Secure code execution and authentication of external applications
• Low cost and easy to develop solution (as opposed to TPM based ones) that easily fits legacy hardware and software
• New version of code and new keys can be dispatched over any insecure communication means in encrypted form – decryption takes place within the MCU
Performance aspects / System simulation

• Network architecture: Directed Acyclic Graph (DAG)
• Traffic: open Jackson network of M/M/1 queues (Poisson distributed arrival rate – exponentially distributed service rate – one server – unlimited queue size)
• Voters’ arrival behavior: Weibull distributed with a peak around noon
• Simulation tool: Uses the CSIM 19 (C and C++) simulation library
Performance aspects / System simulation

Shifted Weibull distribution with parameters a = 2.5, b = 5 and t0 = 8:

$$W(t) = \begin{cases} \dfrac{a}{b}\left(\dfrac{t - t_0}{b}\right)^{a-1} e^{-\left(\frac{t - t_0}{b}\right)^{a}}, & t \ge t_0 \\ 0, & t < t_0 \end{cases}$$

Time interval     s_i (incoming vote rate)     λ_{s_i}
[8:00,10:00)      0.11                         5.67
[10:00,12:00)     0.20                         10.32
[12:00,14:00)     0.13                         6.70
[14:00,16:00)     0.039                        2
[16:00,18:00)     0.005                        0.26
[18:00,20:00)     0.0005                       0.026

$$\lambda_{s_i} = \frac{P \cdot s_i}{3600 \cdot h \cdot (s_1 + s_2 + s_3 + \dots + s_{D/h})}$$

where P = # voters, h = # hours per interval, D = election duration in hours; here P = 180000, h = 2, D = 12.
Performance aspects / System simulation

[Simulation plots, each comparing Uniform Routing with Check Queues Routing as a function of the number of voters: Servers (number of servers), Max Response Time for Voters (seconds), Storage (GB), Utilization of Servers.]
Summary

• We have presented a general, trust-centered, layered approach towards trust building in eVoting and, generally, eGovernment applications.
• This approach is based on a design process that incorporates risk analysis/management methodologies for security critical systems (e.g. CORAS).
• Large scale simulation results to evaluate the architecture’s efficiency as a function of the voter population size.
• Evaluated during a mock-up election for the members of the Western Greece sector of the Technical Chamber of Greece – useful feedback, that was incorporated in the current version of the eVoting platform.
Project site: www.pnyx.cti.gr
Elliptic Curve Cryptography

Based on groups which are defined on elliptic curves.
Elliptic Curve: Defined over a prime (Fp) or a binary field.
EC over Fp (E(Fp)): the set of solutions (x,y) in Fp to

$$y^2 = x^3 + ax + b$$

along with a special point denoted by O, called the point at infinity.
Example: y² = x³ − 4x + 3, solutions (x,y) in F23

[Figure: plot of the points of the curve over F23.]
Generation of a key pair (private-public)

Conventional Cryptosystems based on Fp:
1. Choose at random a private key d ∈ {1, …, p−1}
2. Find a generator g of the field
3. Calculate the public key e = g^d mod p

Elliptic Curve Cryptosystems based on Fp:
1. Choose at random a private key d ∈ {1, …, m−1}
2. Find a random point G on the EC
3. Calculate the public key e = dG mod p
EC Cryptosystems vs. Conventional Systems

Same level of security: $N \approx M^{1/3}\,(\ln(M \ln 2))^{2/3}$
Advantages of ECC

• More Efficient (smaller parameters)
• Faster
• Less Power and Computational Consumption
• Cheaper Hardware (Less Silicon Area, Less Storage Memory)
Generation of secure ECs

Cryptographic strength: suitable order m
Suitable order m = nq where q is a prime > 2^160
m ≠ p, and p^k ≢ 1 (mod m) for all 1 ≤ k ≤ 20
The above conditions guarantee resistance to all known attacks to solve ECDLP
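Worked example for the key-pair slide and the order conditions above, added here and not code from the lecture or the pnyx platform: the toy curve y² = x³ − 4x + 3 over F23 from the "Example" slide is enumerated, a key pair e = dG is generated as on the slide, and the curve order is run through the slide's conditions (q > 2^160, m ≠ p, p^k ≢ 1 mod m for k ≤ 20), which a 32-point toy curve naturally fails. The class and function names, the Miller-Rabin primality test and the constructed base point are this example's own assumptions.

```python
import random
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for O, the point at infinity


class Curve:
    """y^2 = x^3 + a*x + b over F_p (short Weierstrass form, p > 3)."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a % p, b % p

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent group law; O is the identity."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                              # P + (-P) = O (also covers y = 0)
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, d: int, P: Point) -> Point:
        """Scalar multiple dP by double-and-add (not constant time: toy use only)."""
        R: Point = None
        while d > 0:
            if d & 1:
                R = self.add(R, P)
            P, d = self.add(P, P), d >> 1
        return R

    def points(self) -> List[Point]:
        """Naive point enumeration, O included: fine for F_23, hopeless at real sizes."""
        pts: List[Point] = [None]
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if y * y % self.p == rhs]
        return pts


def keygen(curve: Curve, G: Point, m: int, rng=random.SystemRandom()):
    """Slide recipe: private d in {1, ..., m-1}, public e = dG."""
    d = rng.randrange(1, m)
    return d, curve.mul(d, G)


def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin, used only to validate the large factor q of m."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def order_checks(p: int, m: int, q: int, min_q_bits: int = 160, k_max: int = 20) -> List[str]:
    """Slide conditions for a curve of order m = n*q over F_p; returns those that FAIL."""
    failures = []
    if m % q != 0 or not is_probable_prime(q):
        failures.append("q is not a prime factor of m")
    if q <= 2 ** min_q_bits:
        failures.append(f"q <= 2^{min_q_bits}: generic ECDLP attacks cost only ~sqrt(q) steps")
    if m == p:
        failures.append("m == p: anomalous curve")
    if any(pow(p, k, m) == 1 for k in range(1, k_max + 1)):
        failures.append(f"p^k == 1 (mod m) for some k <= {k_max}: small embedding degree")
    return failures
```

For the slide's curve, `toy = Curve(23, -4, 3)` gives `len(toy.points()) == 32`, and `order_checks(23, 32, 2)` reports both the small-q and the small-embedding-degree failures (23^4 ≡ 1 mod 32).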
Generation of ECs

The goal is to determine the defining parameters of an EC:
y² = x³ + ax + b
• The order p of the finite field Fp.
• The order m of the elliptic curve.
• The coefficients a and b.
Generation of ECs – Known Methods

• Constructive Weil descent: samples from a, rather, limited subset of ECs.
• Point counting: rather slow.
• The Complex Multiplication method: rather involved, but efficient for generating secure ECs.
The Complex Multiplication Method

Input: an integer D
1. Calculate the Hilbert polynomial H_D(x)
2. Choose a prime p = x² + Dy² and find integers (x,y)
3. Possible orders: m = p + 1 ± 2x
4. Is one of them suitable? If NO, repeat with another prime p; if YES, continue
5. Calculate the roots of the Hilbert polynomial
6. From every root generate a pair of ECs
7. Find the EC which has order m
Shortcomings of the CM method

• Time consuming construction of Hilbert polynomials as D increases – huge polynomial coefficients
• Need for improvements, especially for hardware devices where memory and speed are limited resources
A practical approach

• A variant of the CM method
• On line computation (or precomputation) of Weber polynomials
• Roots of these polynomials can be transformed into the roots of the corresponding Hilbert polynomials, but no Hilbert polynomial is actually constructed

But why use Weber polynomials?
Weber vs. Hilbert Polynomials

The construction of both types of polynomials requires high precision complex, floating point arithmetic.
Drawback of Hilbert polynomials: their fast growing (with D) coefficients – time consuming construction and difficult to implement in limited resources devices.
Weber polynomials, on the other hand, have much smaller coefficients.
An Example (D = 292)
W292(x) = x4 - 5x3 - 10x2 - 5x + 1
H292(x) = x4 - 2062877098042830460800 x3 - 93693622511929038759497066112000000x2 +
45521551386379385369629968384000000000x
380259461042512404779990642688000000000000
Implementation

• Algorithms for the basic algebraic operations
• Generation of secure ECs
• EC Protocols
Implemented in ANSI C using the GNU Multiple Precision Library
Implementation Considerations

Choice of prime fields: simplicity in number representation and in basic algebraic operations.
GNU MP had to be enhanced to include:
• high-precision implementation of useful functions (factorization, primitive root location, etc)
• high-precision complex number arithmetic
• high-precision floating point arithmetic of various functions, e.g. cos(x), sin(x), exp(x), ln(x), arctan(x) [Taylor series expansion, suitably truncated]
Architecture

[Figure]

Architecture

[Figure]
Attacks on ECC

The security of ECC is based on the difficulty of solving ECDLP (Elliptic Curve Discrete Logarithm Problem).
ECDLP: find m for which Q = mP, where Q, P are two known points on the EC.
An attack on ECC is an algorithm for solving ECDLP: exponential time
Signatures: from “syntax” to “semantics”

A bit-sequence may be looked upon from two different aspects:
– Its pattern (i.e. its “syntax”): this is simply the sequence of 0s, 1s
– Its content (i.e. its “semantics”): the string may represent some other object (e.g. a Boolean formula, a graph, or an automaton under a suitable encoding)
We could use the knowledge of a property of the object represented by a bit-sequence in order to prove that we have created or own the sequence
If this knowledge is hard to come up with or to deduce then
Knowledge of the property of the object (bit-sequence) = Proof of identity
The tools are already here: Computational complexity & Threshold phenomena!
The methodology

• Find a class of objects and identify some property of theirs such that
a) It is hard to deduce or compute it if not known in advance
b) It is easy to construct an object having the property
TOOL: Combinatorial threshold phenomena
• Construct an “ownership proof” procedure with which you can prove knowledge of the property without divulging it
TOOL: Zero Knowledge Interactive Proofs (ZKIPs)
• Use suitably produced objects encoded as bit-sequences as signatures!
The 3-coloring problem

• We are given an undirected graph
• We are asked to color the vertices of the graph using at most 3 colors so that no two adjacent vertices are assigned the same color

[Figure: two drawings of a graph with vertices 1–5.]
The complexity of 3-coloring

• The founders of modern complexity theory: Cook (1971), Karp (1972), and Levin (1973) – Computational Complexity – SAT: the “drosophila” of complexity
• 3-Coloring, like SAT, is computationally intractable (technically, NP-complete) – thousands of other problems share this property!
• This means that if we are given a graph and asked to find a 3-coloring of its vertices, the number of steps required may be prohibitively large. Thus, 3-colorings of graphs are hard to find.
IDEA: Use bit-sequences that represent graphs, and proof of ownership is equivalent to the ability to readily exhibit a 3-coloring of the graph
The “hard”-instance region for 3-coloring

G: a graph with m edges and n vertices, with r the ratio m/n. Cheeseman, Kanefsky, and Taylor [1991]: for values of r around 2.3, randomly generated graphs with rn edges were either almost all 3-colorable or almost none 3-colorable, depending on whether r < 2.3 or r > 2.3 respectively.
Thus, we have a transition from almost certain 3-colorability to almost certain non-3-colorability.
And what is more, graphs with ratio r around the value r0 = 2.3 were the most difficult to handle by the best of algorithms! This implies that one can use such graphs to create graphs whose colorings are hard to find!
Threshold phenomena in other problems: 3-SAT

[Plot: fraction of satisfiable formulas and solution steps against the clause to variable ratio r = m/n (1 to 8), with the transition marked.]

Many combinatorial problems exhibit a threshold behavior:
Instances generated with their critical parameter (clause/variable ratio in 3-SAT) around the value (4.2 in 3-SAT) that marks the transition from almost certain solubility (satisfiability in 3-SAT) to almost certain insolubility seem to be among the hardest to solve with the best of algorithms available
PROBLEM: Proof of existence and calculation of the critical value
Producing random 3-colorable graphs

Let p1, p2, and p3 be real numbers such that p1 + p2 + p3 = 1 and p1, p2, and p3 > 0.
• For each j = 1, …, n, vertex vj is assigned to color class Ck with probability pk, k = 1, 2, 3.
• For each pair u, v of vertices that do not belong to the same color class, introduce the undirected edge (u,v) with probability p.
The above algorithm is simple and very fast. It produces a random graph with a specified 3-coloring known only to the owner of the graph (i.e. the signature)
Targeting the “hard” instances region

Set r = E[m]/n (expected number of edges / number of vertices)
This gives r = p(p1p2 + p1p3 + p2p3)n
Set r ≈ 2.3 and p1 = p2 = p3 = 1/3 (color classes of equal size give, in general, more difficult instances)
Then solving for p, we obtain p ≈ 7/n
Zero Knowledge Interactive Proof Protocols (ZKIP)

• Introduced by Goldwasser et al. (1985) and Babai (1985)
• Convince someone of a piece of (generally) hard to acquire knowledge without disclosing it!
• A “graphical” description of a ZKIP for 3-coloring:
– Secretly permute, at random, the 3 colors
– Spread the graph on the floor with vertices hidden
– The other party chooses at random a pair of adjacent vertices
– Expose their colors, showing that they are, indeed, different
• The above procedure is repeated until the other party is convinced that we really know the 3-coloring
The “gory” details …

Setting: G = (V,E) where a Prover knows a 3-coloring of G and a Verifier needs a proof of this knowledge (Goldreich et al. (1991))
P does the following (“commitment”):
– Chooses a random permutation π of {1,2,3}
– For each v in V, applies the color permutation π and expresses the result using two binary bits k_{v,0} and k_{v,1}
– Chooses two random values r_{v,0}, r_{v,1} ≤ |V|/2
– Computes (“<<” is the “left shift” operator): R_{v,0} = RSA(<<r_{v,0} + k_{v,0}) and R_{v,1} = RSA(<<r_{v,1} + k_{v,1})
– Sends to V {R_{v,0}, R_{v,1} for all v in V}
Challenge by V:
– Selects an edge (u,v) at random and sends it to P
Response by P:
– Sends out the RSA decrypt keys to V
Checking by V:
– If the revealed colors are the same, V rejects. Otherwise, V accepts.

[Figure: message flow between P and V – P sends R_{1,0}, R_{1,1}, R_{2,0}, R_{2,1}, …, R_{n,0}, R_{n,1}; V sends e = (u,v) ∈ E; P sends RSA key_u, RSA key_v.]
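Added example (not the lecture's or any project's code) that puts the "Producing random 3-colorable graphs" slides and the commit / challenge / response protocol above together: a planted 3-colorable graph with p = 7/n is generated, then the rounds are run between a Prover and a Verifier, once with the owner of the coloring and once with an impostor who knows only the graph. It assumes a SHA-256 hash commitment over (nonce, color) in place of the RSA commitment on the slides; the class names, graph size, seed and round count are constructed.

```python
import hashlib
import random
from typing import List, Tuple

Edge = Tuple[int, int]


def planted_3colorable_graph(n: int, rng: random.Random, p1=1/3, p2=1/3, p3=1/3):
    """Slide algorithm: put v_j in class C_k with probability p_k, then join each
    pair from different classes with probability p = 7/n (so r = E[m]/n ~ 2.3)."""
    p = 7 / n
    classes = [rng.choices((0, 1, 2), weights=(p1, p2, p3))[0] for _ in range(n)]
    edges = [(u, v) for u in range(n) for v in range(u + 1, n)
             if classes[u] != classes[v] and rng.random() < p]
    return edges, classes        # edges = public signature, classes = owner's secret


def is_proper(edges: List[Edge], coloring: List[int]) -> bool:
    return all(coloring[u] != coloring[v] for u, v in edges)


def commit(nonce: bytes, color: int) -> bytes:
    """Hash commitment standing in for the slides' RSA commitment (assumption)."""
    return hashlib.sha256(nonce + bytes([color])).digest()


class Prover:
    def __init__(self, coloring: List[int], rng: random.Random):
        self.coloring, self.rng = coloring, rng

    def commitments(self) -> List[bytes]:
        """Commit step: fresh random permutation of the 3 colors, fresh nonce per vertex."""
        perm = [0, 1, 2]
        self.rng.shuffle(perm)
        self.round_colors = [perm[c] for c in self.coloring]
        self.nonces = [self.rng.getrandbits(128).to_bytes(16, "big") for _ in self.coloring]
        return [commit(r, c) for r, c in zip(self.nonces, self.round_colors)]

    def open(self, edge: Edge):
        """Response step: reveal (nonce, permuted color) for the two challenged vertices only."""
        u, v = edge
        return (self.nonces[u], self.round_colors[u]), (self.nonces[v], self.round_colors[v])


class Verifier:
    def __init__(self, edges: List[Edge], rng: random.Random):
        self.edges, self.rng = edges, rng

    def challenge(self) -> Edge:
        return self.rng.choice(self.edges)          # random edge (u, v) in E

    def check(self, coms: List[bytes], edge: Edge, opening) -> bool:
        """Accept iff both openings match the commitments and the two colors differ."""
        u, v = edge
        (ru, cu), (rv, cv) = opening
        if not {cu, cv} <= {0, 1, 2}:
            return False
        return commit(ru, cu) == coms[u] and commit(rv, cv) == coms[v] and cu != cv


def run_protocol(prover: Prover, verifier: Verifier, rounds: int) -> int:
    """Number of accepted rounds; the verifier is convinced only if all are accepted."""
    accepted = 0
    for _ in range(rounds):
        coms = prover.commitments()                  # P -> V: R_{v,0}, R_{v,1} for all v
        e = verifier.challenge()                     # V -> P: edge (u, v)
        accepted += verifier.check(coms, e, prover.open(e))   # P -> V: openings; V checks
    return accepted


def demo(n: int = 60, rounds: int = 200, seed: int = 1) -> dict:
    """Owner vs. impostor on the same graph (constructed size and seed)."""
    rng = random.Random(seed)
    edges, secret = planted_3colorable_graph(n, rng)
    honest = run_protocol(Prover(secret, rng), Verifier(edges, rng), rounds)
    guess = [rng.randrange(3) for _ in range(n)]    # impostor knows G, not the coloring
    cheat = run_protocol(Prover(guess, rng), Verifier(edges, rng), rounds)
    return {"edges": len(edges), "proper_secret": is_proper(edges, secret),
            "honest_accepted": honest, "impostor_accepted": cheat, "rounds": rounds}
```

`demo()` shows the soundness argument of the next slide in numbers: the owner passes every round, while the impostor is rejected in roughly the fraction of rounds in which the challenged edge is monochromatic under the guessed coloring.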
Why the ZKIP for 3-coloring works?

• If we really did not know a 3-coloring (i.e. we tried to impersonate the legal owner) then at each interrogation by the other party there is some fixed probability r that a pair is not properly colored
• The probability that for a sequence of n trials we will manage to fool the other party is at most (1−r)^n, which tends to 0 exponentially as r is a constant less than 1
• This means that we are doomed to get caught lying as the number of rounds gets larger and larger!
More formally …

Completeness: If G is indeed 3-colorable, P knows a 3-coloring and both P and V follow the protocol, then V will be convinced that P knows a 3-coloring.
Soundness: If, now, P does not know a 3-coloring then P will fail on at least one edge (u,v) which P will have colored illegally. V, on the other hand, will pick such an edge with probability 1/|E|, which can be brought arbitrarily close to 1 by repeating the protocol sufficiently many times
Current research efforts

• How to produce graphs that with high probability have a small number of colorings, as solved 3-coloring instances (i.e. instances constructed to have a specific coloring) can have a very large number of additional colorings
• Identify classes of hard 3-coloring instances
• Give a partial effective characterization of hard instances – Instance Complexity stemming from work of Kolmogorov (1965), Solomonoff (1964), and Chaitin (1966) & Average Case complexity by Levin (1986)
• Build an integrated smart card application that includes the ZKIP protocol for identity verification – do the same for the graph generation algorithm (i.e. signature construction algorithm)
• Arrive at a standard