Cryptography - PowerPoint PPT Presentation

About This Presentation

Title:

Cryptography

Description:

Cryptography Lecture 7 Stefan Dziembowski www.dziembowski.net stefan_at_dziembowski.net Plan Introduction to public-key cryptography Diffie-Hellman key exchange Trapdoor ... – PowerPoint PPT presentation

Number of Views:89

Avg rating:3.0/5.0

Slides: 38

Provided by: S951951

Category:

more less

Transcript and Presenter's Notes

Title: Cryptography

1
Cryptography

Lecture 7Stefan Dziembowskiwww.dziembowski.net
stefan_at_dziembowski.net

2
Plan

Introduction to public-key cryptography
Diffie-Hellman key exchange
Trapdoor one-way permutations

3
How to distribute the cryptographic keys?

If the users can meet in person beforehand its
simple.
But what to do if they cannot meet?(a typical
example on-line shopping)

4
A naive solution
give to every user Pi a separate key Kij to
communicate with every Pj
P2
P3
K12
K13
P4
K14
K15
P1
P5
5
In generala quadratic number of keys is needed
P2
P3
P4
P1
P5
6
Problems

Someone (a Key Distribution Center, KDC) needs to
give the keys
feasible if the users are e.g. working in one
company
infeasible on the internet
relies on the honesty of KDC
KDC needs to be permanently available
...
The users need to store large numbers of keys in
a secure way

7
The solution

Public-Key Cryptography

Whitfield Diffie and Martin Hellman (1976)
Ralph Merkle (1974)
8
A little bit of history

Diffie and Hellman were the first to publish a
paper containing the idea of the public-key
cryptographyW.Diffie and M.E.Hellman, New
directions in cryptographyIEEE Trans. Inform.
Theory, IT-22, 6, 1976, pp.644-654.
A similar idea was described by Ralph Merkle
in 1974 he described it in a project proposal for
a Computer Security course at UC Berkeley (it
was rejected)
in 1975 he submitted it to the CACM journal (it
was rejected)
(see http//www.merkle.com/1974/ )
It 1997 the GCHQ (the British equivalent of the
NSA) revealed that they new it already in 1973.

9
The idea

Instead of using one key K,
use 2 keys (e,d), where
e is used for encryption,
d is used for decryption, or
d is used for computing a tag,
e is used for verifying correctness of the tag.
Moreover e can be public, and only d has to be
kept secret!
Thats why its called public-key cryptography

this will be called signatures Sign the
signing algorithm
10
Anyone can send encrypted messages to anyone else
4. P3 computes D(d3,m)
P3
P2
public register
d3
e1
e2
e3
e4
e5
3. sends E(e3,m)
P4
2. reads e3
P1
1. P1 wants to send m to P3
P5
11
Anyone can verify the signatures
Sign(d3,m)
P3
P2
public register
d3
e1
e2
e3
e4
e5
1. Sign(d3,m)
Sign(d3,m)
P4
2. reads e3
P1
3. computes Vrfy(e3,m)
P5
12
Things that need to be discussed

Who maintains the register?
How to contact it securely?
How to revoke the key (if it is lost)?
...

We will discuss this things later(when we will
be talking about the Public-Key Infrastructure)
13
But is it possible?

In physical world yes!
Examples
normal signatures
padlocks

anyone can lock it
the key is needed to unlock
14
Diffie and Hellman (1976)

Diffie and Hellman proposed the public key
cryptography in 1976.
They just proposed the concept, not the
implementation.
But they have shown a protocol for key-exchange.

15
Key exchange
initially they share no secret
listens
Alice
Bob
key k
key k
Eve should have no information about k
We will formalize it later.Lets first show the
protocol.
16
The Diffie-Hellman Key exchange

G a group, where discrete log is hard
q G
g a generator of G

x ? Zq
y ? Zq
Bob
Alice
outputkA(h2)x
outputkB(h1)y
equal togyx
equal togxy
equal!
17
Security of the Diffie-Hellman exchange
h1 gx
h2 gy
G,g
knows
gyx ?
Eve
Eve should have no information about gyx
18
Is it secure?

If the discrete log in G is easy then the DH key
exchange is not secure.
(because the adversary can compute x and y from
gx and gy)
If the discrete log in G is hard, then...
it may also not be completely secure

19
Example G Zp
x is even iff h1 is a QR
x ? Zq
h1 gx
y ? Zq
h2 gy
Bob
Alice
y is even iff h2 is a QR
Therefore gyx is a QR iff (h1 is a QR)
or (h2 is a QR) So, Eve can compute some
information about gyx(namely if it is a QR, or
not).
gyx ?
20
Is it a problem, or not?

We need to
formalize what we mean by secure key exchange,
identify the assumptions needed to prove the
security.

21
interactive randomizedTuring machine A
interactiverandomized Turing machine B
transcript T the sequence of exchanged
messages
Alice
Bob
key k
key k
A protocol is a pair (A,B) of randomized Turing
machines.
Informal definition(A,B) is secure if no
efficient adversary can distinguish k from
random, given T, with a non-negligible
advantage.
key k
?
T
random string of the same length
22
How to formalize it?
security parameter 1n
T
A
B
key k ? 0,1n
key k ? 0,1n

We say (A,B) is secure a secure key-exchange
protocol if
the output of A and B is always the same, and

A
Prob M(1n,T,k) 1 - Prob M(1n,T,r) 1 is
negligible in n
polynomial-time Mthat outputs 0 or 1
r is random and r n
23
How does the protocol look now?

It needs to be defined for any parameter 1n.
Therefore we need an algorithm H that
on input 1n
outputs
a description of G of order q, such that q n,
a generator g of G.

24
How does the protocol look now?
security parameter 1n
(G,g) ? H(1n)
x ? Zq
(G,g),q, h1 gx
y ? Zq
h2 gy
Bob
Alice
outputkA(h2)x
outputkB(h1)y
(Note that we cheat a bit because k is a
pseudorandom group element, not a string of
bits.)
If such a key exchange protocol is secure, we say
thatthe Decisional Diffie-Hellman (DDH) problem
is hard with respect to H)
25
An example of H where DDH is believed to be hard

QR(p)
H(1n)
generate a random strong prime p of length n1.
set q (p-1)/2.
choose any x ? Zp such that x ? 1 (mod p) .
set g x2 mod p.
output (p,g).
Other groups are also used (e.g. groups based on
the elliptic curves).

26
Practical considerations

It is common to chose any Zp (for prime p),
instead of QR(p).
In some standards p is fixed, for example the
RFC3526 document specifies the primes of
following lengths 1536, 2048, 3072, 4096, 6144,
8192.This is the 1536-bit prime
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B
80DC1CD1 29024E08 8A67CC74 020BBEA6 3B139B22
514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D
F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6
F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB
5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8
FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08
CA237327 FFFFFFFF FFFFFFFF.the generator is 2.

27
A problem

The protocols that we discussed are secure only
against a passive adversary (that only
eavesdrop).
What if the adversary is active?
She can launch a man-in-the-middle attack.

28
Man in the middle attack
I am Bob
I am Alice
Alice
Bob
key k
key k
key k
key k
A very realistic attack!
So, is this thing totally useless?No! (it is
useful as a building block)
29
Two questions remain

How to construct the public-key encryption?
How to construct the signature schemes?

turns out these questions are related
30
The observation of Diffie and Hellman
(e,d) the key pair
public-key encryption
ciphertexts
plaintexts
E(e,x)
D(d,y)
easy only if one knows d
signature schemes
tags(signatures)
messages
Tag(d,y)
Vrfy(e,x)
easy only if one knows d
Looks similar...
31
Trapdoor permutations
A family of permutations indexed by pairs (e,d)
E X ? X(e,d) ? keys
this is denoted Dd
such that
Ee
easy
X
X

easy one can compute Ee-1 if one knows a
trapdoor d
hard (otherwise)

32
How to encrypt a message m
encryption
c Ee(m)
messages
plaintexts
decryption
m Dd(c)
one can compute it only if one knows d
Warning in general its not that simple. We
will explain it later.
33
How to sign a message m
one can compute it only if one knows d
signing
signatures
messages
Dd(m)
verifying
Ee(m)
Warning in general its not that simple. We
will explain it later.
34
Do such functions exist?
yes!