The Pennsylvania State University CSE597B: Special Topics in Network and Systems Security The Miscellaneous Instructor: Sencun Zhu


The Pennsylvania State University

CSE597B: Special Topics in Network and Systems Security

The Miscellaneous

Instructor: Sencun Zhu


Appetizer

• Ten scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if five or more of the scientists are present.
  – What is the smallest number of locks needed?
  – What is the smallest number of keys to the locks each scientist must carry?


Outline

• A little maths
  – Group, ring, (finite) field
  – Increasing importance in cryptography
  – AES, Elliptic Curve, Threshold Cryptography
• Secret sharing and threshold cryptography
  – Based on slides by Prof. Helger Lipmaa, Helsinki University of Technology
• Design rules


Group

• G, a set of elements or “numbers”
• Obeys:
  – Closure: if a and b belong to G, a.b is also in G
  – Associative law: (a.b).c = a.(b.c)
  – Has identity e: e.a = a.e = a
  – Has inverses a^-1: a.a^-1 = e
• If commutative, a.b = b.a
  – then forms an abelian group


Cyclic Group

• Define exponentiation as repeated application of the operator
  – Example: a^3 = a.a.a
• Let identity e be: e = a^0
• A group is cyclic if every element is a power of some fixed element
  – i.e. b = a^k for some a and every b in the group
• a is said to be a generator of the group


Ring

• R, a set of “numbers” with two operations, addition and multiplication:
  – an abelian group with addition operation
  – closure under multiplication
  – associative under multiplication
  – distributive law: a(b+c) = ab + ac
• If the multiplication operation is commutative, it forms a commutative ring
• If the multiplication operation has inverses and no zero divisors, it forms an integral domain


Field

• F, a set of numbers with two operations:
  – F is an integral domain
  – Multiplicative inverse
    • For each a in F, except 0, there is an element a^-1 in F such that a a^-1 = a^-1 a = 1
• In essence, a field is a set in which we can do addition, subtraction, multiplication, and division without leaving the set
  – Division: a/b = a b^-1


Galois Fields

• Finite fields (known as Galois fields) play a key role in cryptography

• Theorem: the number of elements in a finite field must be a power of a prime, p^n; the field is denoted GF(p^n)
• In particular, we often use the fields:
  – GF(p)
  – GF(2^n)


Galois Fields GF(p)

• GF(p) is the set of integers {0, 1, …, p-1} with arithmetic operations modulo prime p
• These form a finite field
  – since they have multiplicative inverses
• Hence arithmetic is “well-behaved” and we can do addition, subtraction, multiplication, and division without leaving the field GF(p)


Keep Secrets on a Computer

• Very difficult
• Wiping state
  – Easier in C/C++, difficult in Java
• Swap file
  – Virtual memory
• Caches
  – Keep copies of data
• Data retention by memory
  – SRAM/DRAM could learn and remember data
• Access by others
• Data integrity


Key Storage

• Reliability and confidentiality of important data:
  – Information can be secured by encryption
  – After that, many copies of the ciphertext can be made
• How to secure the secret key?
  – Encrypting of key: vicious cycle
  – Replicating key: insecure
• Idea: distribute the key to a group, s.t. nobody by itself knows it


Secret Sharing: More Motivations

• USSR: At least two of the three nuclear buttons must have been pressed simultaneously

• Any other process where you might not trust a single authority

• Threshold cryptography
  – Computation can be performed in a distributed way by “trusted” subsets of parties

• Verifiable SS: One can verify that inputs were shared correctly


Secret Sharing Schemes: Definition

• A dealer shares a secret key among n parties

• Each party i in [1, n] receives a share

• Predefined groups of participants can cooperate to reconstruct the shares

• Smaller subgroups cannot get any information about the secret


(k, n)-threshold schemes

• A dealer shares a secret key between n parties

• Each party i in [1, n] receives a share

• A group of any k participants can cooperate to reconstruct the shares

• No group of k-1 participants can get any information about the secret


A Bad Example

• Let K be a 100-bit block cipher key.
  – Share it between two parties
  – Giving to both parties 50 bits of the key
• Why is this bad?
  – The requirement ‘Smaller subgroups cannot get any information about the secret’ is violated
• Ciphertext-only attack
  – Both participants can recover the plaintext by themselves, by doing a (2^50)-time exhaustive search


(2, 2)-threshold scheme

• Let s ∈ G be a secret from group (G, +). Dealer chooses a uniformly random s1 ∈ G and lets s2 = s - s1
• The two shares are s1 and s2
• Given s1 and s2, one can successfully recover s = s1 + s2
• Given only s1, s2 is random, vice versa
  – Pr[s = k | s2] = Pr[s1 = k - s2 | s2] = 2^|G| for any k


(n, n)-threshold scheme
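
The (2, 2) scheme extends to n parties by drawing n-1 uniform shares and fixing the last one so that all shares sum to s. The Python below is an added example, not part of the original slides: it works in (Z_m, +) (the modulus m and all function names are assumptions), checks exhaustively for a small group that any n-1 shares are distributed identically for every secret, and contrasts this with the bit-splitting scheme from "A Bad Example".

```python
import secrets
from collections import Counter
from itertools import product

def share_additive(secret, n, m):
    """Deal n shares of `secret` in (Z_m, +): n-1 uniform values, the last fixes the sum."""
    if n < 2 or not 0 <= secret < m:
        raise ValueError("need n >= 2 and 0 <= secret < m")
    shares = [secrets.randbelow(m) for _ in range(n - 1)]
    return shares + [(secret - sum(shares)) % m]

def reconstruct_additive(shares, m):
    """All n shares are required: the secret is their sum in Z_m."""
    return sum(shares) % m

def view_distribution(secret, n, m, missing):
    """Enumerate all dealer randomness; count what the n-1 parties other than `missing` see."""
    views = Counter()
    for rand in product(range(m), repeat=n - 1):
        shares = list(rand) + [(secret - sum(rand)) % m]
        views[tuple(s for i, s in enumerate(shares) if i != missing)] += 1
    return views

def additive_leaks_nothing(n, m):
    """True if every coalition of n-1 parties sees the same distribution for every secret."""
    return all(
        view_distribution(s, n, m, missing) == view_distribution(0, n, m, missing)
        for missing in range(n) for s in range(1, m)
    )

def keys_left_after_bit_split(key, bits):
    """Bit-splitting scheme: count keys still possible for the party holding the high half."""
    half = bits // 2
    return sum(1 for k in range(2 ** bits) if k >> half == key >> half)

if __name__ == "__main__":
    shares = share_additive(42, 3, 101)  # constructed sample secret and modulus
    print(shares, "->", reconstruct_additive(shares, 101))
    print("additive (3,3) over Z_5 leaks nothing:", additive_leaks_nothing(3, 5))
    print("8-bit key, high half known, keys left:", keys_left_after_bit_split(0xA7, 8))
```
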


Shamir’s (k,n) Threshold Scheme

• Mathematical basis


Shamir’s (k,n) Threshold Scheme

• Dealing phase


Shamir’s (k,n) Threshold Scheme


Shamir’s (k,n) Threshold Scheme


Illustration
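
An added example, not taken from the original slides: the standard form of Shamir's (k, n) scheme over GF(p), where the secret is the constant term of a random polynomial of degree k-1 and reconstruction is Lagrange interpolation at x = 0 using division in GF(p). The prime P, the share indices 1..n and the function names are assumptions; the brute-force count is only feasible for a tiny field.

```python
import secrets
from collections import Counter
from itertools import product

P = 2**127 - 1  # assumed modulus (a Mersenne prime); secret and n must be below it

def eval_poly(coeffs, x, p=P):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... in GF(p)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def deal(secret, k, n, p=P):
    """Dealing phase: share i is the point (i, f(i)) on a random degree k-1 polynomial, f(0) = secret."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]

def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 from k shares with distinct indices."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p  # division = multiply by inverse
    return secret

def secrets_consistent_with(shares, k, p):
    """Small p only: over all polynomials of degree < k, count those matching `shares`, per secret."""
    counts = Counter()
    for coeffs in product(range(p), repeat=k):
        if all(eval_poly(list(coeffs), x, p) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return counts

if __name__ == "__main__":
    shares = deal(7, 3, 5, 11)  # constructed sample: (3, 5) scheme over GF(11)
    print("any 3 shares:", reconstruct(shares[1:4], 11))
    print("2 shares leave every secret possible:", dict(secrets_consistent_with(shares[:2], 3, 11)))
```

With k-1 shares every candidate secret is matched by exactly one polynomial, so the shares carry no information about it; with k shares only one candidate remains.
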


Shamir’s Scheme: Efficiency


Shamir’s Scheme: Flexibility


Remarks


Design Rules

• Design rules:
  – Complexity is the worst enemy of security
    • There are no secure complex systems
  – Correctness must be a local property
    • Every part of the system should behave correctly regardless of how the rest of the system works
  – For a security level of n bits, every cryptographic value should be at least 2n bits long
    • Due to collision attacks
  – Reliability
    • Do not assume message reliability
      – TCP cannot prevent active attacks


Presentation

• Two presentations each class
  – Let us first see how it will be going
• Time
  – 30~35 minutes/person, including random interruption
  – Do not exceed
• How to give a good talk
  – http://www.info.ucl.ac.be/people/PVR/giving_talk.ps
• How to give a bad talk
  – http://www.eecs.berkeley.edu/~messer/Bad_talk.html