1 / 25

Modern Cryptography Lecture 13

Modern Cryptography Lecture 13. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects

heidi
Download Presentation

Modern Cryptography Lecture 13

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern CryptographyLecture 13 Yongdae Kim

  2. Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • Project presentation: May 2nd, 4th (Send me your preference) • 6th assignment is due 4/18 2:15 PM. • Check Calendar

  3. Recap • Math… • Proof techniques • Divisibility: a dividesb (a|b) if  c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b)   x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1  a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x  X, but it is computationally infeasible to find any x  X such that f(x) =y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x  X such that f(x) =y.

  4. Recap • Cryptographic Primitives • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE • Block Ciphers • Modes of operation, meet-in-the-middle attack, Product cipher, Feistal cipher, DES • Hash function • Onewayness, weak/strong collision resistance, Birthday paradox • Merkle Damgard Construction • If the compression function is collision resistant, then strengthened Merkle-Damgård hash function is also collision resistant • Multi-collision attack, extension property • MAC • CBC-MAC, Secret prefix, Secret Suffix, HMAC • Authenticated Encryption

  5. Recap (cnt) • Advanced number theory • CRT, Euler theorem: If a  Zn* , then a f(n) =1 (mod n) • Cor: if r ´ s mod f(n) and (a, n)=1, then ar´ as (mod n) • Generator • If ordn(a) = f(n) then a is a generator of Zn*. • a is a generator iff a f(n)/p≠ 1 mod n for all p | f(n). • Let a  Zm* and ord(a) = h. Then ord(ak) = h/gcd(h, k). • RSA Encryption • n = pq, f(n) = (p-1)(q-1), gcd(f(n), e) = 1, ed 1 mod f(n) • A’s public key is (n, e); A’s private key is d • Encryption: compute c = me mod n, Decryption: m = cd mod n • RSA Security • Computing d from (n, e) and factoring n are computationally equivalent • n cannot be shared • Small encryption exponent e = 3 • Homomorphic property

  6. Recap (cnt) • Abstract Algebra • Group, cyclic groups, generator, group order, subgroup • Discrete logarithm problem • Diffie-Hellman • DLP vs. DHP, More efficient implementation (p, q, g) • Long-term vs. short-term Diffie-Hellman • ElGamal encryption • ElGamal vs. RSA encryption • RSA signature vs. DSA signature • Identificaiton: PINs and keys, graphical password, one-time pasword

  7. Recap • Challenge-response protocol • SKE, MAC, PKE, Signature-based • Nonce vs. time-stamp • Key establishment • Session key, PFS, known-key attack, implicit key authentication, key confirmation • Kerberos • Hybrid key transport

  8. Diffie-Hellman • Diffie-Hellman • Setup: prime p, generator g of Zp* • A  B : gx mod p • B  A : gy mod p • Properties • fixed exponent: zero-pass key agreement with special certificate • Authentication is required

  9. MTI/A0 • Protocol • A  B : gx mod p • B  A : gy mod p • A: k = (gy)aPKbx = gya gbx = gya+bx • B: k = (gx)bPKay • source-substitution attack: C is not actually able to compute k itself, but rather causes B to have false belief • C registers A’s public key as its own • When A sends B, C replaces A’s certificate with its own • C forwards B’s response gy to A • B concludes that subsequently received messages encrypted by k = gbx+ay originated from C, it is only A who knows k and can originate such messages

  10. STS • Algorithm • A  B : gx mod p • B  A : gy mod p, Ek(SB(gy, gx)) • A  B : Ek(SA(gx, gy)) • Properties • Encryption under key k provides mutual key confirmation plus allows the conclusion that the party knowing the key is that which signed the exponentials.

  11. Contents • Classification and framework • Key transport based on symmetric encryption • Key agreement based on symmetric techniques • Key transport based on public-key encryption • Key agreement based on asymmetric techniques • Analysis of key establishment protocols

  12. Attack strategies and classic flaws • “man-in-the-middle” attack on unauthenticated DH • Reflection attack • Original protocol • A  B : rA • B  A : Ek(rA, rB) • A  B : rB • Attack • A  E : rA • E  A : rA : Starting a new session • A  E : Ek(rA, rA’) : Reply of (2) • E  A : Ek(rA, rA’) : Reply of (1) • A  E : rA’ • prevented by using different keys for different sessions

  13. Attack strategies and classic flaws • Interleaving attacks • To provide freshness and entity authentication • Flawed protocol • A  B : rA • B  A : rB, SB(rB, rA, A) • A  B : rA’, SA(rA’, rB, B) • Attack • E  B : rA • B  E : rB, SB(rB, rA, A) • E  A : rB • A  E : rA’, SA(rA’, rB, B) • E  B : rA’, SA(rA’, rB, B) • Due to symmetric messages (2), (3)

  14. Threshold Crypto • Motivating examples • (t, n) Threshold decryption • A secret key K is encrypted by a public key of a group G. • Each group member Mi knows a share SSi of the group private key. • When t members out of n group members get together, they can find the secret key. • (t, n) Threshold signature • To be a member of an on-line community, you need signature from at least t board members out of total n board members. • (t, n) threshold signature allows the member has a single certificate, which is computed from t partial certificates.

  15. s1 s2 s3 … shares … sn-1 sn 1 2 3 … parties … n-1 n Conceptually…

  16. Threshold Cryptography • A group < threshold size t cannot determine the secret/perform the function • A group >= threshold size t can always reconstruct the secret/perform the function • Scheme will tolerate t-1 compromised/misbehaving parties • No information leakage when t-1 members get together!

  17. (t,n) threshold scheme • A polynomial f • degree t-1 • Dealer gives each party i secret Ki = f(i) • f(0) is the secret S. • S = i=1t ciKi where ci = 1jt, j  i xj / (xj - xi)

  18. (t, n) Threshold ElGamal • Encryption • generate random integer k and compute r = gk mod p • compute c = my kmod p • Ciphertext(r, c) • Decryption • m = c r –amod p • Threshold decryption • Note that private key a = i=1t ciKi (ci=1jt,j  i xj/(xj - xi)) • So 1) t members compute rKi 2) raise it to ci to get rciKi and 3) mutiply all of them to get ra. • Threshold DSA Signature is similar…

  19. How to prevent break-ins • As time goes by more and more board members could be corrupted (or compromised)! • Change shares but not the secret • f’(x) = f(x) + g(x) where g(0) = 0. • f’(0) = S still. • Attacker who compromises t-1 within the refresh interval has no information. • SSi will be changed to f’(i).

  20. Bilinear map and ID-based EncryptionEkyd@cs.umn.edu(m)???

  21. Definition • Bilinear Map • G1 and G2 be two abelian groups of prime order q. • additive notation for G1: aP denotes the P added a times • the multiplicative notation for G2 • A map e : G1 G1→ G2 is called an admissible bilinear map if • Bilinearity For any P, Q  G1 and a, b  Zq, e(aP, bQ) = e(P, Q)ab • Non-degeneracy e(P, Q) 1 for at least one pair of P, Q  G1. • Efficiency • Hash functions • h : {0, 1}* → {0. 1}n: A collision-free hash function • H : {0, 1}* → G1: A collision-free full domain hash function (called map-to-point) • H*: G2→ Zq: A collision-free full domain hash function

  22. Crypto Assumptions • Playing with Bilinear maps • e(aP, bQ) = e(P, abQ) = e(P, Q)ab • e(aP, Q) e(cP, Q) = e( (a+c) P, Q) • Cryptographic Problems • DLP is hard on G1 and G2 • finding a from (P, aP) is hard • finding a from e(P, P)a is hard • DDH is easy • c = ab if and only if e(aP, bP ) = e(cP, P). • BDHP is hard • finding e(P, P)abc from aP, bP, cP is hard.

  23. 3-Way DH Key Agreement • Let P be public generator of G1 • Three public keys: aP (Alice), bP (Bob), cP (Carol) • Group key GABC=e(P,P)abc • Alice computes e(bP,cP)a=e(P,P)abc • Bob computes e(aP,cP)b=e(P,P)abc • Carol computes e(aP,bP)c=e(P,P)abc • Properties • No communication • Others cannot compute group key : BDH problem

  24. Identity-Based Encryption • ID=name+date of birth • Trusted Third Party: secret s in Zq • Public params: generator P of G1 and sP • Secret Key Generation • IDAlice: Alice → TTP • sH(IDAlice): TTP → Alice • Encryption: Bob encrypts for Alice • Pick random r in Zq • Compute g=e(H(IDAlice), sP)) • Compute • gr= e(H(IDAlice), sP))r= e(H(IDAlice), rsP))= e(rH(IDAlice), sP)) • Ciphertext: < rP, c = m XOR H2(gr) >

  25. IBE (Cont’d) • Decryption by Alice • Compute gr=e(H(IDAlice), rsP))=e(sH(IDAlice), rP)) • Compute H2(gr) • m = c XOR H2(gr) • Why others cannot decrypt? • Others know only H(IDAlice) and rP • It is hard to determine r from rP (DLP) • thus they cannot compute gr as e(H(IDAlice), sP))r • They don’t know s • cannot compute e(H(IDAlice), srP)) • They don’t know sH(IDAlice) • cannot compute e(sH(IDAlice), rP))

More Related