
David Evans cs.virginia/evans

Lecture 17: Public-Key Protocols. David Evans, http://www.cs.virginia.edu/evans. CS588: Cryptography, University of Virginia Computer Science.


Presentation Transcript


  1. Lecture 17: Public-Key Protocols
     David Evans, http://www.cs.virginia.edu/evans
     CS588: Cryptography, University of Virginia Computer Science

  2. Story So Far
     • Symmetric Encryption
       • Amplify and time-shift a small secret to transmit large secrets
     • Asymmetric Encryption
       • Use a trustworthy non-secret to establish secrets, check signatures
     • Proving an encryption algorithm is secure is either:
       • Reasonably easy if it is a perfect cipher
       • Essentially impossible if it is not
     University of Virginia CS 588

  3. Plan for Rest of the Course
     • Today, Thursday: some interesting applications of cryptography
     • Next Tuesday: Quantum/visual crypto
     • Next Thursday, April 26: Software system security: real world security is mostly not about cryptography
     • April 28: Project presentations
     If there’s anything you hoped this course would cover that is not listed here, send me requests by Friday

  4. Finding Project Partners
     • Simple way:
       • Ask people in the class if they want to work with you
     • Problems:
       • You face rejection and ridicule if they say no
     • Can you find partners without revealing your wishes unless they are reciprocated?
     • Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them

  5. Use a Universally Trusted Third Party
     [Diagram: Bob, Alice and MatchMaker.com]
     • Bob would like to work with: Ron Rivest, Sandra Bullock, Alice
     • Alice: Thomas Jefferson, Colleen Hacker, Bob
     • MatchMaker.com: “Alice is your best match”

  6. Use a Universally Trusted Third Party
     [Diagram: Bob and MatchMaker.com]
     • $E_{KU_M}[E_{KR_B}[\text{“Bob would like …”}]]$
     • $E_{KU_B}[E_{KR_M}[\text{“Alice”}]]$

  7. HashMaker.com?
     • Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board.
     • No one else can tell Bob’s deepest darkest desires (H is one-way)
     • If someone else writes the same hash on the board, Bob has found his match
     • How well does this work?

  8. Untrusted Third Party
     [Diagram: Bob sends $E_{H(W)}[W]$ to HashMatcher.com]
     Use the hash of the wish as the encryption key for some symmetric cipher:
     • HashMatcher can’t determine the wish
     • Someone with the same exact wish will match exactly

  9. Untrusted Third Party
     [Diagram: Bob, HashMatcher.com, $E_{H(W)}[W]$]

  10. How can we send a message to HashMaker without it knowing who sent it?
     [Diagram: nested envelopes. From: Bob; To: Router1; To: Router2; To: Router3; To: Router4; To: HashMaker, From: Anonymous]

  11. Onion Routing
     [Diagram: Bob, routers R1–R5, HashMatcher.com]
     • Pick n random routers, $R_{i_1} \ldots R_{i_n}$
     • $R_{i_k}$ gets a message $M_k$: $E_{KU_{R_{i_k}}}(\text{To: } R_{i_{k+1}} \,\|\, M_{k+1})$

  12. Onion Routing
     [Diagram: Bob, routers R1–R5, HashMatcher.com]
     • Pick 1 random router: R2
     • Send R2: $E_{KU_{R2}}(\text{To: HashMatcher.com} \,\|\, M)$

  13. Onion Routing
     [Diagram: Bob, routers R1–R5, HashMatcher.com]
     • Pick 2 random routers: R2, R5
     • Send R2: $E_{KU_{R2}}[\text{To: R5} \,\|\, E_{KU_{R5}}[\text{To: HashMatcher.com} \,\|\, M]]$

  14. http://tor.eff.org

  15. Traffic Analysis
     [Diagram: Bob, routers R1–R5, HashMatcher.com]
     If these are the only packets on the network, someone observing the network knows it was Bob

  16. Preventing Traffic Analysis
     [Diagram: Bob, routers R1–R5, HashMatcher.com]

  17. Finding Partners
     • If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order)
     • Using onion routing, sends HashMatcher: $E_{H(W)}[W]$
     • Using onion routing, queries HashMatcher if there is a matching item
     • If so, Alice wants to work with him

  18. Problems with this Protocol
     • Cathy could send W = “Alice + Bob”
     • Anyone can query “x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which)
     • If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them?
     • Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol

  19. MIXes
     [Diagram: a MIX connecting C1–C4 and M1–M4]
     • Random, secret permutation
     • Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input

  20. MIX Net [Chaum81]
     [Diagram: C1–C4 and M1–M4 connected through mixes A, B and C, labeled $E_{KR_A}(C)$, $E_{KR_B}(C)$, $E_{KR_C}(C)$]
     $C = E_{KU_A}[E_{KU_B}[E_{KU_C}[M]]]$
     • What is input?
     • What if Eve can see all traffic?
     • What if one of A, B or C is corrupt?
     • What if two are corrupt?
     • Any good applications?

  21. Voting Application
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party]
     $C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”}]]]$
     How well does this work?
     * Note: any resemblance to real political parties is purely coincidental.

  22. Voting Application
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party]
     $C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”}]]]$
     Easy for any eavesdropper (who knows the public keys) to compute C for a small set of possible messages

  23. Voting Application
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party]
     $C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”} \,\|\, R]]]$

  24. Voting Application
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party]
     $C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”} \,\|\, R_1] \,\|\, R_2] \,\|\, R_3]$
     Each mux decrypts with private key and removes R

  25. Voting Application
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party; four messages read “Nader”]

  26. Voting Application
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party; four messages read “Nader”]
     $C = E_{KU_G}[\text{“Badnarik”} \,\|\, R_1]$
     Does publishing $R_1$ help?

  27. Publishing $R_1$
     • Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted
     • Voters can prove to someone else for whom they voted
     • If Orange doesn’t like result, can still disrupt election
     $C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”} \,\|\, R_1] \,\|\, R_2] \,\|\, R_3]$

  28. Auditing Muxes
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party; four messages read “Nader”]
     • Send inputs to next 2 muxes
     • D mux picks n random inputs
     • Asks R to prove they were done correctly
     • How does R prove it?

  29. Auditing Muxes
     [Diagram: C1–C4 and M1–M4 connected through muxes: Republicrat Party, Democrican Party, Orange Party; four messages read “Nader”]
     $\text{Input}_i = E_{KU_R}[E_{KU_D}[E_{KU_G}[v \,\|\, R_1] \,\|\, R_2] \,\|\, R_3]$
     $\text{Output}_j = E_{KU_D}[E_{KU_G}[v \,\|\, R_1] \,\|\, R_2]$
     If R reveals $j$ and $R_3$, D can check $E_{KU_R}[\text{Output}_j \,\|\, R_3] = \text{Input}_i$

  30. Auditing Tradeoffs
     • For every audit, one input-output mapping is revealed
     • The more audits, the greater the likelihood of catching a cheater
     • What if each mux audits ½ of the values?

  31. Catching Cheaters
     • Probability a mux can cheat on k votes without getting caught = $(1/2)^k$
     • Probability a voter’s vote is revealed to eavesdropper (m muxes) = $(1/2)^m$
     • If muxes collude, all bets are off
     Note: unaudited votes can only be one of n/2 possible outputs!

  32. Faculty Candidate talk tomorrow: Yih-Chun Hu (CMU, Berkeley), Securing Network Routing, Olsson 011, 3:30PM
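The HashMatcher scheme of slides 8, 17 and 18, as an added example that is not code from the lecture: it shows why the board can match $E_{H(W)}[W]$ blobs without reading them, and why the two problems listed on slide 18 follow from W being guessable. Assumptions: SHA-256 plays H, a toy SHA-256 counter keystream stands in for "some symmetric cipher", and the names `seal`, `HashMatcher` and `who_pairs_with` and the roster are constructed for illustration.

```python
import hashlib

def wish(a, b):
    """Slide 17: W lists the two names in alphabetical order."""
    return " + ".join(sorted([a, b]))

def keystream(key, n):
    # Toy SHA-256 counter keystream; an assumed stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def seal(w):
    """E_{H(W)}[W]: the key is derived from the wish, so equal wishes give equal blobs."""
    data = w.encode()
    ks = keystream(hashlib.sha256(data).digest(), len(data))
    return bytes(x ^ y for x, y in zip(data, ks))

class HashMatcher:
    """Untrusted board: stores opaque blobs and counts identical submissions."""
    def __init__(self):
        self.posts = {}
    def post(self, blob):
        self.posts[blob] = self.posts.get(blob, 0) + 1
    def count(self, blob):
        return self.posts.get(blob, 0)

def who_pairs_with(board, target, roster):
    """Slide 18, second bullet: with a known roster, every 'x + target' can be tested."""
    return sorted(x for x in roster
                  if x != target and board.count(seal(wish(x, target))) > 0)

if __name__ == "__main__":
    board = HashMatcher()
    board.post(seal(wish("Bob", "Alice")))       # Bob's submission
    board.post(seal(wish("Alice", "Bob")))       # Alice's submission: same blob
    print(board.count(seal("Alice + Bob")))      # two identical posts = a match
    print(who_pairs_with(board, "Bob", ["Alice", "Bob", "Cathy", "Colleen"]))
```

The board never holds a key, yet a class roster is a small enough space that the one-way property of H protects nothing, and because no post is authenticated a third party's submission is indistinguishable from Alice's.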
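The ballot construction of slides 21 to 24 and the audit check of slide 29, as an added example that is not code from the lecture: it shows that the unpadded ballot can be recognised by recomputing it from public keys, that appending R inside each layer stops that comparison, and that a mux can prove one input-output pair by revealing only its R. Assumptions: toy textbook RSA built from Mersenne primes stands in for the public-key encryption E, R is 16 bits (far too short for real use), and all function names are constructed for illustration.

```python
import secrets

E, R_BITS = 65537, 16          # toy parameters; a real R must be much longer

def keypair(a, b):
    """Toy textbook-RSA key from Mersenne primes 2^a-1 and 2^b-1 (not secure)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Moduli grow layer by layer so each ciphertext || R fits inside the next one.
KEYS = {"G": keypair(31, 61), "D": keypair(89, 107), "R": keypair(127, 521)}
ORDER = "GDR"                  # innermost to outermost: C = E_R[E_D[E_G[...]]]

def enc(mux, m):
    n, _ = KEYS[mux]
    assert 0 <= m < n
    return pow(m, E, n)        # public operation: anyone can compute it

def pad(x, r):
    return (x << R_BITS) | r   # x || R

def encode(vote):
    return int.from_bytes(vote.encode(), "big")

def ballot_plain(vote):
    """Slide 21: deterministic layers, no randomness."""
    c = encode(vote)
    for mux in ORDER:
        c = enc(mux, c)
    return c

def ballot_padded(vote):
    """Slide 24: a fresh R is appended inside every layer."""
    c = encode(vote)
    for mux in ORDER:
        c = enc(mux, pad(c, secrets.randbelow(1 << R_BITS)))
    return c

def guess(c, candidates):
    """Slide 22: recompute C for each candidate using only public keys."""
    return next((v for v in candidates if ballot_plain(v) == c), None)

def mux_step(mux, c):
    """The mux decrypts with its private key and strips R; returns (output, R)."""
    n, d = KEYS[mux]
    m = pow(c, d, n)
    return m >> R_BITS, m & ((1 << R_BITS) - 1)

def audit(mux, input_c, output_c, r):
    """Slide 29: check E_mux[output || R] == input with the public key only."""
    return enc(mux, pad(output_c, r)) == input_c
```

The audit uses no private key, so the auditing mux learns exactly one input-output mapping per revealed R, which is the tradeoff slide 30 describes.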
