Helger Lipmaa University of Tartu, Estonia
Transcript of Helger Lipmaa University of Tartu, Estonia
![Page 1: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/1.jpg)
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 3
Key Exchange, CDH, DDH
Helger Lipmaa University of Tartu, Estonia
![Page 2: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/2.jpg)
UP TO NOW
Basic intro
Basic algebra
Exponentiation
Assumptions
Algebra + assumptions: DL
How to define assumptions (DL)
![Page 3: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/3.jpg)
WHAT CAN BE DONE WITH DL?
First idea:
let s←ℤq be secret key and h=gˢ be public key
computation of s from h is infeasible
Use the keys to "encrypt", "sign", etc
This lecture: more details
![Page 4: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/4.jpg)
KEY EXCHANGEI want to
send secret information to Bob, but he is
in Jamaica
Let us agree on a joint secret key for further communication
![Page 5: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/5.jpg)
KEY EXCHANGE
pkₐ
pkb
skₐ,pkₐ skb,pkb
sk=SK(skₐ,pkb) sk=SK(skb,pkₐ)=sk
Symmetric, shared key
Asymmetric, public keyAsymmetric, public key
![Page 6: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/6.jpg)
KEY EXCHANGE WITH DL
h
f
s, h←gˢ t, f←gᵗ
sk=SK(s,f) sk=SK(t,h)=sk
![Page 7: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/7.jpg)
QUIZ
SK (t, gˢ) = sk = SK (s, gᵗ)
What could SK be?
Hint: we are working in a group
Use commutativity + efficient operations
Answer: SK (s, h) = hˢ
SK (t, gˢ) = gˢᵗ = gᵗˢ = SK (s, gᵗ)
![Page 8: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/8.jpg)
DIFFIE-HELLMAN KEY EXCHANGE
h
f
s, h←gˢ t, f←gᵗ
sk=gˢᵗsk=gˢᵗ
=sk
![Page 9: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/9.jpg)
DHKE: FORMALLY
h
f
s,h=gˢ t,f←gᵗ
=sk
sk=gˢᵗsk=gˢᵗ
DHKE.Setup (κ):1. Choose a group G of order q where
breaking DL has complexity 2^κ2. Choose a generator g of G3. Return gk ← desc (G) = (..., q, g)
DHKE.Keygen (gk):1. sk = s ← ℤq2. pk ← gˢ3. Return (sk, pk)
DHKE.SK (gk, s, h):1. Return hˢ
![Page 10: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/10.jpg)
QUIZ: IS DHKE SECURE?
Correct question:
is DHKE what-secure under X assumption
Three tasks:
1. Formalize security of KE
2. Decide on X
3. Provide a proof by reduction (X holds => DHKE what-secure)
![Page 11: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/11.jpg)
SECURITY DEF: FIRST TRY
We already saw some issues in the last lecture
...so we won't concentrate on the same issues
Random key, probabilistic algorithms, ...
![Page 12: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/12.jpg)
DHKE: INTUITIVE SECURITY
h
f
s, h←gˢ t, f←gᵗ
sk=gˢᵗ sk=gˢᵗ=sk
?
![Page 13: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/13.jpg)
KEY RECOVERY SECURITY
Three algorithms KE = (Setup, Keygen, SK)
Adv[KR] := | Pr[KR = 1] - 1 / q |
A ε-breaks KR (key recovery) security of KE iff Adv[KR] ≥ ε
KE is (τ,ε)-KR secure iff no adversary ε-breaks KR security of KE in time ≤ τ
KE is KR secure iff it is (poly(κ),negl(κ))-KR secure
Game KR(κ,KE,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk* ← A (gk, pkₐ, pkb)If sk* = SK (gk, skₐ, pkb) return 1else return 0
![Page 14: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/14.jpg)
SECURITY REDUCTION?
We would like to prove that DHKE is KR secure
by reducing KR-security to DL assumption
Unfortunately not known how to do it
gˢ s
gᵗ t
gˢᵗSK
SK
DL
DL
?
![Page 15: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/15.jpg)
NEW ASSUMPTION: CDH
DHKE was proposed together with the idea of public-key cryptography by Diffie and Hellman in 1976
No success in breaking it in any reasonable group where DL is hard
Seems logical: introduce a tautological assumption
CDH: Computational Diffie-Hellman
"key recovery attack against DHKE is hard"
![Page 16: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/16.jpg)
DEF: CDH ASSUMPTION
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
Assume (for simplicity) that for any κ, Setup picks exactly one group G = G(κ)
Adv[CDH] := | Pr[CDH = 1] - 1 / q |
A ε-breaks CDH in group G iff Adv[CDH] ≥ ε
G is (τ,ε)-CDH group iff no adversary ε-breaks CDH in G in time ≤ τ
G is CDH group iff it is (poly(κ),negl(κ))-CDH group
Game CDH(G,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk* ← A (gk, pkₐ, pkb)If sk* = SK (gk, skₐ, pkb) return 1else return 0
![Page 17: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/17.jpg)
REMARKS
Clearly, CDH is secure in A group iff DHKE is KR secure in the same group
τ = τ (κ) and ε = ε (κ) are functions of κ
![Page 18: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/18.jpg)
QUIZ: CDH VS DL
CDH DL
?
?
![Page 19: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/19.jpg)
QUIZ: CDH VS DL
CDH hard DL hard
?
?
Answer: yes
Answer: depends
some contrived groups where DL holds but not
CDH, ...
![Page 20: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/20.jpg)
PROOF: CDH => DL
Theorem. If G is a (τ + small, (1 - 1 / q) ε + (1 - 1 / q) / q)-CDH group, then it is also a (τ, ε)-DL group.
Proof idea. Reduction to absurd: we show that if DL is easy in G, then CDH must also be easy in G.
DL is easy => there exists an adversary D that breaks DL
We show CDH is easy by constructing an adversary C that breaks CDH
C can use help from adversary D, by sending inputs to D and receiving outputs
Typical reduction
![Page 21: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/21.jpg)
INTUITIVE PROOF
Assume D can break DL
given gˢ, outputs s with probability ε
Construct adversary C that breaks CDH
given gˢ, gᵗ, call D to compute s ← D (gˢ)
return (gᵗ)ˢ = gˢᵗ
But what is the success probability of C?
![Page 22: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/22.jpg)
SECURITY GAMES
Depending on the input and the output, the challenger declares C to be either successful or not
After some computation, C returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C
Depending on the input and the output, the challenger declares D to be either successful or not
After some computation, D returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary D
CDH game: need to construct C DL game: D is given
This is the only thing we know...
![Page 23: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/23.jpg)
SECURITY REDUCTION
Depending on the input and the output, the challenger declares C to be either successful or not
After some computation, C returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C After some
computation, D returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary D
CDH game: need to construct C DL game: D is given
C
C
![Page 24: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/24.jpg)
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
... ;/* compute m */if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G), h)
msk*
Challenger C D
Correct distribution for DL
Correct distribution for CDH
Exists ExistsNeed to construct
![Page 25: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/25.jpg)
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G),h)
msk*
Challenger C D
Assume D works in time τ and is successful with prob. ε + 1 / q
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
If D is successful then C is successful and takes time τ* =τ + small
... ;/* compute m */
If D is unsuccessful then C is successful with prob. 1 / q, and takes
time τ*
![Page 26: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/26.jpg)
REMINDER: PROBABILITY
Let A, B be two events
Pr [A] - probability that A holds
Pr [¬ A] - probability that A does not hold
Pr [A | B] - conditional probability
probability that A holds given that B holds
Then Pr [A] = Pr [A | B] · Pr [B] + Pr [A | ¬B] · Pr [¬B]
![Page 27: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/27.jpg)
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G),h)
msk*
Challenger C D
Assume D works in time τ and is successful with prob. ε + 1 / q
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
If D is successful then C is successful and takes time τ* =τ + small
Pr[C successful] =Pr[C successful | D successful] · Pr[D successful] +
Pr[C successful | ¬D successful] · Pr [¬D successful] =1 · (ε + 1 / q) + 1 / q · (1 - (ε + 1 / q)) = (1 - 1 / q) ε + (1 - 1 / q) / q + 1 / q =:
ε* + 1 / q
... ;/* compute m */
If D is unsuccessful then C is successful with prob. 1 / q, and takes
time τ*
![Page 28: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/28.jpg)
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G),h)
msk*
Challenger C D
Assume D works in time τ and is successful with prob. ε + 1 / q
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
If D is successful then C is successful and takes time τ* =τ + small
Pr[C successful] = ε* + 1 / q
Thus, if G is a (τ*, ε*)-CDH group then it is a (τ, ε)-DL group
... ;/* compute m */
If D is unsuccessful then C is successful with prob. 1 / q, and takes
time τ*
![Page 29: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/29.jpg)
QUIZ: ARE WE DONE?
If not, why not?
Is the achieved security sufficient?
Answer:
The fact that sk is unknown is not sufficient
Adversary should have no information about sk
![Page 30: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/30.jpg)
DHKE IN WILD WORLD
h
f
s,h←gˢ t,f←gᵗ
sk=gˢᵗsk=gˢᵗ
=sk
XORm cc + any information about
sk leaks information about m
One-time pad
![Page 31: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/31.jpg)
DHKE: IND SECURITY
h
f
s,h←gˢ t,f←gᵗ
sk=gˢᵗ sk=gˢᵗ=sk
is it sk or garbage?
sk*
Intuition: if Eve has any information about sk, she
should be able to distinguish real sk from random
![Page 32: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/32.jpg)
IND(ISTINGUISHABILITY) SECURITY
KE = (Setup, Keygen, SK)
Adv[IND] := | Pr[IND = 1] - 1 / 2 |
A ε-breaks IND security of KE iff Adv[IND] ≥ ε
KE is (τ,ε)-IND secure iff no adversary ε-breaks IND security of KE in time ≤ τ
KE is IND secure iff it is (poly(κ),negl(κ))-IND secure
Game IND(κ,KE,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk₀ ← SK (gk, skₐ, pkb)sk₁ ← Ge ← {0, 1}e* ← A (gk,pkₐ,pkb,skₑ)Return e = e* ? 1 : 0
![Page 33: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/33.jpg)
SECURITY REDUCTION?
We would like to prove that DHKE is IND secure
by reducing IND security to CDH assumption
Not possible
well-known groups where CDH holds but DHKE is not IND secure
![Page 34: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/34.jpg)
DDH
We introduce again a tautological assumption, DDH
Decisional Diffie-Hellman, known since 70s => good
...in many groups
DDH is extremely useful in many protocols
Well-known groups where DDH does not hold
pairing-based groups: CDH conjectured to be hard, but DDH trivially breakable
interestingly, p-b groups are also extremely useful
![Page 35: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/35.jpg)
DEF: DDH SECURITY
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
Assume that for any κ, Setup picks exactly one group G = G(κ)
Adv[DDH] := | Pr[DDH = 1] - 1 / 2 |
A ε-breaks DDH in G iff Adv[DDH] ≥ ε
G is a (τ,ε)-DDH group iff no PPT adversary A ε-breaks DDH in G in time ≤ τ
G is a DDH group iff it is (poly(κ),negl(κ))-DDH group
Game DDH(G,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk₀ ← SK (gk, pkₐ, pkb)sk₁ ← Ge ← {0, 1}e* ← A (gk,pkₐ,pkb,skₑ)Return e = e* ? 1 : 0
![Page 36: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/36.jpg)
DDH: SHORT FORM
Fix a cyclic group G and its generator g
Adversary has to distinguish between
(g, gˢ, gᵗ, gˢᵗ) -- DDH tuple
(g, gˢ, gᵗ, gᵐ) -- random tuple
where s, t, m are random
![Page 37: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/37.jpg)
DDH VS IND SECURITY
Clearly, a group is DDH is secure iff DHKE is IND secure in the same group
τ = τ (κ) and ε = ε (κ) are functions of κ
![Page 38: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/38.jpg)
PROOF: DDH => CDH
Theorem. If G is a (≈τ, ≈ε)-DDH group, then it is also a (τ, ε)-CDH group.
Proof idea. Reduction to absurd: we show that if CDH is easy in G, then DDH must also be easy in G.
CDH is easy => there exists an adversary D that breaks CDH
We show DDH is easy by constructing an adversary C that breaks DDH
C can use help from adversary D, by sending inputs to D and receiving outputs
Home exercise:Very similar to previous proof. Finish! Find parameters
![Page 39: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/39.jpg)
BEYOND IND: SEMIHONEST VS MALICIOUS
Actual security requirements even more stringent
KR, IND security only demonstrate basic concepts
We assumed Eve is semihonest
Eavesdrops but does not change messages
Malicious Eve: can change, inject, delete messages
Alice and Bob need to authenticate each other
"Authenticated Diffie-Hellman"
Crucial notions
Security of various protocols against
malicious adversaries: second half of the course
![Page 40: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/40.jpg)
WHAT NEXT?
DDH is a very versatile assumption
One can construct many useful protocols from it
DDH
Encryption Signatures
...
E-votingCPIR
E-cash
...
![Page 41: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/41.jpg)
WHAT NEXT?
Since many protocols are based on homomorphic encryption, the next lecture is about homomorphic encryption
More precisely: Elgamal encryption
![Page 42: Helger Lipmaa University of Tartu, Estonia](https://reader034.fdocuments.in/reader034/viewer/2022051817/6283b56533a31f15ad44b6b8/html5/thumbnails/42.jpg)
STUDY OUTCOMES
Key exchange
DHKE in particular
KR security and CDH
IND security and DDH
Reductions: how to do