Introduction to Practical Cryptography

About This Presentation

Title:

Introduction to Practical Cryptography

Description:

Introduction to Practical Cryptography Forward Key Security Zero Knowledge Oblivious Transfer Multi-Party Computation – PowerPoint PPT presentation

Number of Views:196

Avg rating:3.0/5.0

Slides: 85

Provided by: rubin

Category:

more less

Transcript and Presenter's Notes

Title: Introduction to Practical Cryptography

1
Introduction to Practical Cryptography

Forward Key Security
Zero KnowledgeOblivious TransferMulti-Party
Computation

2
Overview

Intended as overview of specific areas
Solutions/instances of some require background
not covered in this class

3
Agenda

Forward Key Security
Zero Knowledge
Oblivious Transfer
Multi-party Computation

4
Forward Secure Encryption Schemes

Attacker learns key at time t
Should not be able to decrypt anything from prior
to time t
Encryption algorithm add an input, time
Esk(m) becomes Esk(m,t)
Current key is a function of prior key
kt F(sk,t) G(kt-1,t)
Given sk, can compute entire sequence of kts
c Ekt(m)

5
Digital Signatures

Alice has a secret key
Everyone else has the corresponding public key
Alice can sign message with her secret key
Given a signature and a message, everyone can
verify correctness using Alices public key
Desirable property non-repudiation. If Alice
signed a contract, she cant deny it later.

6
Digital Signature Schemes

Three algorithms Key-Gen, Sign, Verify
Key-Gen inputs security parameter (key size)
k output keys (PK, SK)
Sign inputs message M, secret key SK
output signature S
Verify inputs M, signature S, public key PK
output valid/invalid
Strong security notioneven given signatures on
messages of its choice,adversary cannot forge
signatures on new messages

7
Problem with Signatures

Cant tell when a signature was really generated
Not even if you include current time into the
document doesnt say when it was signed
Therefore,
signing key disclosed Þ all signatures worthless
(even if produced before
disclosure)
Inconvenience your notarized document is no
longer valid
Repudiation Alice gets out of past contracts by
anonymously leaking her SK
Key revocation doesnt help it merely informs of
the leak

8
Fixing the Problem

Attempt 1 re-sign all the past messages with a
new key
Expensive
What if the signer doesnt cooperate?
Attempt 2 change keys frequently, erasing past
SK
Disclosure of current SK doesnt affect past SK
However, changing PK is expensive, requires
certification
Attempt 3 Employ time stamping authority (third
party)

9
Forward Security

Idea change SK but not PK And97
Divide the lifetime of PK into T time periods
Each SKj is for a particular time period, erased
thereafter
If current SKj is compromised, signatures with
previous SKj-t remain secure
Note cant be done without assuming secure
erasure

10
Definitions Key-Evolving Scheme BM99

The usual three algorithms Key-Gen, Sign, Verify
Key-Gen inputs security parameter (key size)
k total number T of time periods output (PK,
SK1)
Sign inputs message M, current secret key SKj
output signature S (time period j included)
Verify inputs M, time period j, signature S,
public key PK output valid/invalid

11
Definitions Key-Evolving Scheme BM99

The usual three algorithms Key-Gen, Sign, Verify
Key-Gen inputs security parameter (key size)
k total number T of time periods output (PK,
SK1)
Sign inputs message M, current secret key SKj
output signature S (time period j included)
Verify inputs M, time period j, signature S,
public key PK output valid/invalid
A new algorithm Update
Update input current secret key SKj
output new secret key SKj1

12
Definitions Forward-Security BM99

Given
Signatures on messages and time periods of its
choice
The ability to break-in in any time period b
and get SKb
adversary cant forge a new signature for a time
period jltb

13
Simple Schemes Efficiency?

Long Public and Long Private Keys
T pairs (p1, s1), (p2,s2),. (pt, st)
PK (p1,p2,.,pt)
SK (s1,s2,..,st)
Update erase si for period i
Drawback public and private key linear in t
number of periods

14
Anderson Long Secret Key Only

T pairs as before and an additional pair (p,s)
Sig(j)SIG( j pj) with key s, j 1,,t
certificate
Public key now p (only)
Secret key (sj, Sig(j)) j1,..,t Still
linear
The public key p is like a CA key and a signature
will include the period, the certificate, the
message, signature on the message with periods
secret key

15
Long Signatures Only

Have (p,s)
In period j get (pj,sj) and
Let Cert(j) sig_sj-1 (j pj)
A signature is the entire certificate chain
signature, it is of the form (j, sig_sj(m), p1,
Cert(1),pj, Cert(j))
Think about it as a tree of degree one and height
t for t periods
(signer memory still linear in t)

16
Binary Certification tree BM

Now (s0,p0)
Each element certifies two children left and
right
We have a tree of height log t (for t periods)
At each point only a log branch of certificate is
used in the signature
Only leaves are used to sign
Keys whose children are not going to be used in
future periods are erased.
We get O(log t) key sizes, signature size

17
Concrete Scheme

Use a scheme based on Fiat-Shamir variant
Have the public key be a point x raised to 2t
Have the initial private key at period zero be x
Sign based on FS paradigm
Update by squaring the current key
The verifier is aware of the period so it knows
that currently the private key is raised to the
power 2t-1 (and the identification proofs are
adjusted accordingly).

18
Replace keys Pseudorandomness

Have future keys derived from a forward secure
pseudorandom generator
Pseudorandom generators which are forward secure
are easy replace the seed with an iteration of
the function.
Possibilities in practice
Block cipher use previous output as next input
Stream cipher previous output as next state

19
Agenda

Forward Key Security
Zero Knowledge
Oblivious Transfer
Multi-party Computation

20
Zero Knowledge
Bob
Alice
I know X
Prove it
X
Some exchange, but which does not provide X

Interactive method for Alice to prove to Bob that
she has/knows x without revealing x to Bob.
Motivation authentication
Alice wants to prove her identity to Bob via some
secret but doesn't want Bob to learn anything
about this secret
Login methods where password is not stored on
server (maybe hash of password is stored)
Alice (user/client) proves to Bob (server) that
she knows the password without giving Bob the
password

21
Zero Knowledge

Interactive method for Alice to prove to Bob that
she has/knows x without revealing x to Bob.
Zero-knowledge proof must satisfy three
properties
Statement is alice knows x
Completeness if the statement is true, the
honest verifier (that is, one following the
protocol properly) will be convinced of this fact
by an honest prover.
Soundness if the statement is false, no cheating
prover can convince the honest verifier that it
is true, except with some small probability.
Zero-knowledge if the statement is true, no
cheating verifier learns anything other than this
fact.
Completeness and soundness needed for any
interactive proof

22
Zero Knowledge

Example use enforce honest behavior while
maintaining privacy
Force a user to prove that its behavior is
correct according to the protocol.
Used in secure multiparty computation

23
Zero Knowledge

Jean-Jacques Quisquater, et. al "How to Explain
Zero-Knowledge Protocols to Your Children
Peggy (prover) has uncovered the secret password
to open a magic door in a cave. The cave is
shaped like a circle, with the entrance in one
side and the magic door blocking the opposite
side.
Victor (verifier) will pay Peggy for the secret,
but not until he's sure that she really knows it.
Peggy says she'll tell him the secret, but not
until she receives the money.
Zero knowledge need a method by which Peggy
proves to Victor that she knows the word without
telling it to him
Solution
Victor waits outside the cave, Peggy goes in.
Label the left and right paths from the entrance
A and B. She takes either A or B at random
(Victor does not know which)
Victor enters the cave and shouts the path (A or
B at random) on which she must return
Peggy returns along the path chosen by Victor,
opening the door if it was not the path on which
she had entered the cave
If Peggy did not know the word, there is a 50
chance she can return on the correct path repeat
the above many times, Peggys chance of
successfully returning becomes negligible
(assume chance of Peggy guessing the word is
negligible)
If Peggy returns correctly each time, this proves
she knows the word

door
A
B
enter
24
Agenda

Forward Key Security
Zero Knowledge
Oblivious Transfer
Multi-party Computation

25
Oblivious Transfer
Bob
Alice
0 or 1
m 1

Alice transfers a secret bit m to Bob with
probability ½ such that
Bob knows whether or not he receives m
Alice doesnt know if m transferred to Bob

26
Oblivious Transfer Example Method

Alice oblivious transfer to Bob
Alice
picks 2 random primes p,q, set n pq
encrypt message m using n (such as with RSA)
c resulting ciphertext
sends n and c to Bob
Bob
picks a ? Zn at random
sends w a2 mod n to Alice
Alice
computes square roots of w S x,-x,y,-y
picks one of the four at random, s ? S and sends
to Bob (probability s a or a is ½)
Bob
if s ? a, -a Bob can factor n and obtain m (and
will know he has m)
Wont walk through why see Rabin cryptosystem
Bob obtains m with probability ½ and Alice
doesnt know result

27
Oblivious Transfer Example Method

Works if Bob selects a at random (doesnt cheat)
Not known if Bob gains any advantage (can cheat)
if intentionally selects a specific a

28
Oblivious Transfer Application

Alice and Bob will each sign a contract only if
the other also signs it
Idea
If names are of equal length, could sign a letter
at a time, alternating
But someone must go last and could abort not
complete last letter
Sign small fragment at a time bit, pixel
Dont know who will be last
If one stops, both are approximately at same
point
But one could send garbage in a fragment
Oblivious transfer solves the problem

29
Oblivious Transfer Application

Alice and Bob will each sign a contract only if
the other also signs it
Idea
If names are of equal length, could sign a letter
at a time, alternating
But someone must go last and could abort not
complete last letter
Sign small fragment at a time bit, pixel
Dont know who will be last
If one stops, both are approximately at same
point
But one could send garbage in a fragment
Oblivious transfer solves the problem

30
Oblivious Transfer Application

Alice and Bob each
create 2 signatures, pick 2 random keys and
encrypt each signature (such as with a block
cipher)
Alice
LA Alice, this is my signature of the left
half of the contract
RA Alice, this is my signature of the right
half of the contract
Keys KLA, KRA
CLA EKLA(LA), CRA EKRA(RA)
Bob
LB Bob, this is my signature of the left half
of the contract
RB Bob, this is my signature of the right half
of the contract
Keys KLB, KRB
CLB EKLB(LB), CRB EKRB(RB)
Contract is considered signed only if Alice and
Bob each have both halves of others signature

31
Oblivious Transfer Application

Alice sends one of KLA, KRA to Bob using
oblivious transfer
Bob sends one of KLB, KRB to Alice using
oblivious transfer
Alice and Bob exchange bits of both keys, one bit
at a time from each key, in order, until all bits
are sent.
If Alice sees a mistake in key bits received,
Alice aborts
Likewise if Bob sees a mistake
Bob does not know if Alice has KBL or KBR, so he
cannot risk sending an incorrect value for either
key
Likewise for Alice
Must exchange bits simultaneously otherwise,
last one could flip last bit

32
Agenda

Forward Key Security
Zero Knowledge
Oblivious Transfer
Multi-party Computation

Some slides are modified from a presentation by
Juan Garay, Bell Labs
33
Secure MPC

A set of parties with private inputs wish to
compute some joint function of their inputs.
Parties wish to preserve some security
properties. E.g., privacy and correctness.
Example secure election protocol
Security must be preserved in the face of
adversarial behavior by some of the participants

34
Secure MPC

Multi-party computation (MPC) Goldreich-Micali-Wi
gderson 87
n parties P1, P2, , Pn each Pi holds a
private input xi
One public function f (x1,x2,,xn)
All want to learn y f (x1,x2,,xn)
(Correctness)
Nobody wants to disclose his private input
(Privacy)
2-party computation (2PC) Yao 82, Yao 86 n2

Studied for a long time. Focus has been security.
35
Secure MPC
s3
Alice
s4
s2
s5
sn
s1
s
Alice has a secret key, s, (such as a key to a
system) Afraid she may lose s Want to give is to
someone, but dont trust anyone with entire
secret Share secret among n people s s1? s2 ?
s3 ? s4 ? s5 ? sn
36
Secure MPC
s3
X
Alice
s4
s2
s5
sn
s1
s

Suppose need more flexibility
ith person loses si or is malicious
n people
Any subset of size t can recover s
Any subset of size lt t cannot recover any
information about s

37
Secure MPC

Use polynomials
Finite field F
(such as some Zp for prime p)
F(x) a0x0 a1x1 a2x2 atxt
Coefficients a0, a1, a2 at ? F
t1 terms (degree is t)

38
Secure MPC

Polynomials properties
Interpolation given t1 distinct points,
(x1,y1), (x2,y2) (xt1,yt1) , can find a0, a1,
a2 , at
Secrecy if have only t (or fewer) distinct
points, cant determine anything about a0

39
Secure MPC

Coefficients
Pick a1, a2 .. at at random
set a0 s
Each person is associated with a distinct point
Person i assigned distinct xi
Set si f(xi) (xi,si) is point for person i

40
Secure MPC

Polynomial construction requires honesty
Entity choosing ais, xis is dishonest
Collusion person 2 may give (x2,s2) to person
10
Verifiable secret sharing
Each person can verify piece received is a proper
piece
Allows for O(log n) colluders
Based on factoring Chor, Goldwasser, Micali,
Awerbuch

41
Instances of 2PC

Authentication
Parties 1 server, 1 client.
Function if (server.passwd client.passwd),
then return succeed, else return fail.
On-line Bidding
Parties 1 seller, 1 buyer.
Function if (seller.price lt buyer.price), then
return (seller.price buyer.price)/2, else
return no transaction.
Intuition In NYSE, the trading price is between
the ask (selling) price and bid (buying) price.

42
Instances of MPC

Auctions
Parties 1 auctioneer, (n-1) bidders.
Function Many possibilities (e.g., Vickrey).
Consider a secure auction (with secret bids)
An adversary may wish to learn the bids of all
parties to prevent this, requires privacy
An adversary may wish to win with a lower bid
than the highest to prevent this, requires
correctness

sealed-bid, bidders submit written bids without
knowing the bid of the others. Highest bidder
wins, but pays second-highest bid. Intent
bidders bid true value.
43
MPC Protocols

Consider 2PC (MPC is similar). Two parties P0
and P1.
Encode function as a Boolean circuit of ANDs and
XORs
Bits on each wire are shared using XOR
Per-gate evaluation
(Shared) Inputs x x0 ? x1 , y y0
? y1
XOR No interaction needed
( x ? y ) ( x0 ? y0 )
? ( x1 ? y1 )
AND More complex (needs interaction)
Each party reveals his shares

44
MPC Elections

m voters v1, v2, vm
ith voter inputs xi
Result function, f, of xis
Required properties
Only authorized voters can vote
Each can only vote once
Each vote is secret
No vote can be duplicated by another voter
Vote tally correctly computed
Anyone can check the tally is correct
Fault tolerate protocol works if some number of
bad parties
Cannot coerce a voter into revealing how he/she
voted (no vote-buying)
Meeting all requirements tricky, especially last
In real life system, logistical problems main
issues as opposed to protocols

45
MPC Digital Cash

Required properties
Prevent forgery
Prevent or detect duplication
Preserve customers anonymity
Practical
operationally feasible (ex. no large single
database of all issued digital cash)

46
Digital Cash

3 protocols
Withdrawal user can obtain a digital coin
Payment user buys goods from vendor using
digital coin
Deposit vendor gives digital coin to bank to be
credited to the vendors account
Notation
U user
B Bank
V vendor
D digital coin of 100
SKBx signature of B on x

47
Digital Cash - Withdrawal

U notifies B wants to withdraw D
B gives D to U
D SKBI am a 100 bill, 4527
U checks signature
accepts D if it is valid
else rejects D
Bank deducts D from Us account if U accepts D

48
Digital Cash - Payment

U pays V with D
V checks signature
accepts D if it is valid
else rejects D

49
Digital Cash - Deposit

V gives D to B
B checks signature
accepts D if it is valid and credits Vs account
else rejects D

50
Digital Cash Do Properties Hold?

Prevent forgery
ok, infeasible under basic assumptions of
signature schemes
Prevent or detect duplication
Very easy to duplicate coins, double spend
Preserve customers anonymity
No anonymity know U and where D was spent

51
Digital Cash Fix Properties

Blind signature
U presents D to B
B signs D without seeing its contents (i.e. cant
associate with U)
Analogy U covers check with carbon paper and
seals both inside an envelope. Bank signs outside
of envelop
But how does B know D is not fake?

52
Digital Cash Fix Properties

RSA Blind signature
Have key pair (e,n) (d,n)
U picks random r mod n
U computes D D re mod n
presents D to B
B signs D s (D)d mod n ( Md (re)d Mdr
mod n )
B deducts D from Us account
U computes signature on M s Md mod n by
dividing s by r
Now anonymity no link between U and D
But
B can be tricked into signing fake D
D can be duplicated and double spent

53
Digital Cash Fix Properties

One denomination or one public key per
denomination, feasible not many denominations
Probability method
U makes up 100 Ds
Blind signature on all 100 and gives all to B
B signs one, requires U to unblind the rest
(reveal rs)
U has 1/100 chance of successfully cheating
U spends 1 remaining D, anonymous

54
Digital Cash Fix Properties

Now have anonymity and no (or small) chance of
cheating
How to prevent double spending?
B has database of all D, records Ds as they are
returned spent from V
not too practical large database, V must wait
for B to ok each D at time of purchase

55
Digital Cash Fix Properties

What if just detect double spending?
Random identity string (RIS)
Different for every payment of D
Only U can create a valid RIS
Two different RISs on same D allows B to
retrieve Us name
If B receives two identical Ds with different
RIS values, U cheated
If B receives two different Ds with same RIS
values, V cheated

56
Digital Cash Fix Properties

H hash
U creates 100 Ds
Di (Im a 100 bill, 4527i,yi,1yi,1,yi,2,
yi,2, yi,k,yi,k)
where
yi,j H(xi,j) yi,j H(xi,j)
xi,j and xi,j are randomly chosen but such that
xi,j ? xi,j Us name ? i,j

57
Digital Cash Fix Properties

Withdrawal
U blinds each Di, get Di
B has U unblind all but one Di and reveals
appropriate xi,j and xi,j
B checks for each
yi,j H(xi,j) yi,j H(xi,j)
xi,j ? xi,j Us name
B signs remaining blind Di and gives to U

58
Digital Cash Fix Properties

Payment
U gives Di to V
V checks Bs signature on Di
V creates a challenge random bit string b1,b2,
bk
If bj 0, U reveals xi,j , else reveals xi,j
V checks yi,j H(xi,j) or yi,j H(xi,j) and
accepts if yes, else rejects
Probability in a different payment that same RIS
is produced is 2-k because V creates challenge at
random
Only U can produce valid RIS H is
computationally infeasible to invert
Two different RIS values on same DI leaks Us
name have xi,j and xi,j for some j (due two
different challenges)

59
Digital Cash Fix Properties

Deposit
V gives Di, s, RIS to B
B verifies signature, checks if already returned
If already in database, B compares RIS values
If different, U double spent
If equal, V trying to deposit twice

60
Other MPC Applications

Database Query
Alice has a string q Bob has a database of
strings
Alice wants to know whether there exists a string
ti in Bob's database that matches q (exact or
close)
Privacy
Bob cannot know Alice's q or the response
Alice cannot know the database contents except
for what can be known from the query result

61
Other MPC Applications

Profile Matching
Alice has a database of known hacker's behaviors
Bob has a hacker's behavior from a recent
break-in
How can Bob check if his hacker is in Alices
database while
Not disclosing the hacker's actual behavior to
Alice doing so that might disclose the
vulnerability in his system.
Not obtaining contents of Alices database it
contains confidential information.

62
Other MPC Applications

Companies want to cooperate in preventing
intrusions into their networks.
Need to share data patterns, but this is
sensitive information
Real data for IDS/security research
None exists
Outdated/now irrelevant MIT Lincoln Laboratory
IDS Evaluation Data Set 1998-2000

63
Other MPC Applications

In general, many database applications
Simple queries
Determining intersection
Sharing of patterns without revealing actual
content

64
Backup
65
On-line Bidding Definition of Security

Correctness
seller.output buyer.output f (seller.price,
buyer.price)
Privacy The transcript carries no additional
information about seller.price and buyer.price.

66
Privacy is a little tricky

On-line Bidding Function
if (seller.price lt buyer.price),
then return (seller.price buyer.price)/2,
else return no transaction.
If seller.price buyer.price, then both parties
can learn each others private input.
If seller.price gt buyer.price, then both parties
should learn nothing more than this fact.
Privacy Each party should only learn whatever
can be inferred from the output (which can be a
lot sometimes).

67
Fair Secure Multi-Party Computation (FMPC)
Parties P1, P2, , Pn (some corrupted), each
holding private input xi, wish to compute y
f(x1, x2,, xn) privately and correctly.
Security is about absolute information gain. At
the end of the protocol, each party learns y (and
anything inferable from y).
Fairness is about relative information gain. At
the end of the protocol, either all parties learn
y, or no party learns anything.
Important in MPC crucial in some
applications (e.g., two-party contract signing).

68
Security vs. Fairness

The problem of secure MPC/2PC is well-studied and
well-understood.
The problem of fair MPC/2PC less developed
Security and fairness different concepts
Fair without being secure

69
Security ? Fairness
On-line Bidding Function if (seller.price lt
buyer.price), then return (seller.price
buyer.price)/2 else return no transaction.
E.g., in an unfair on-line bidding protocol, the
seller may learn the output (and thus
buyer.price) before the buyer learns
anything.
70
Cheating with Unfair Protocols

A cheating seller
Initiate protocol with price x (originally
999,999).
Run until getting the output (buyer hasnt got
the output yet).
if (output no transaction), then abort
(e.g., announce network failure), set x ? x-1,
and repeat.

A cheating seller can
find out the buyers price (destroys privacy) and
achieve maximum profit (destroys correctness)
(the actual function computed is return
buyer.price)

? The lack of fairness completely voids the
security!
71
Fairness Positive Results

n parties, t corrupted
t ? n/3 possible with p2p channels
computational GMW87
information-theoretic BGW88, CCD88
n/3 ? t ? n/2 possible with broadcast channel
computational GMW87
information-theoretic RB89

72
Unfortunately

Fairness is impossible with corrupted majority (t
? n/2)

Intuition (2 parties) Party sending the last
message may abort early.

Consequently, many security definitions do
not consider fairness,
or only consider partial fairness BG90,
BL91, FGHHS02, GL02.

73
Fairness After the Impossibility Result
We still need (some form of) fairness, so tweak
model/definition

Optimistic approach (tweak the model) M97,
ASW98, CC00,
Adds a trusted party as an arbiter in case of
dispute.
Needs to be (constantly) available.

Gradual Release approach (tweak the definition)
Blum83, D95,
BN00,
No trusted party needed.
Parties take turns releasing info
little-by-little.
Still somewhat unfair, but we can quantify and
control the
amount of unfairness.

74
The Gradual Release Approach

Reasonably studied
Initial idea by Blum 83
Subsequent work ,Damgard 95, Boneh-Naor 00,
Garay-Pomerance 03, Pinkas 03,

Not quite well-understood
Ad hoc security notions
Limited general constructions (only 2PC)
Few practical constructions

75
Security and Fairness

A typical gradual release protocol (e.g., BN00,
GP03, P03) consists of two phases
Computation phase Normal computation.
Revealing phase Each Pi gradually reveals a
secret si then each Pi computes
the result y from s1, s2,, sn.

76
Observation on Existing MPC Protocols
Many (unfair) MPC protocols (e.g., GMW87,
CDN01, CLOS02) share the same structure Sharing
phase Parties share data among themselves
(simple sharing, or (n, t) threshold
sharing) Evaluation phase Gate-by-gate
evaluation (all intermediate data are
shared or blinded) Revealing phase Each
party reveal its secret share (all
parties learn the result from the shares)

77
FCPFO Commit-Prove-Fair-Open

Commit phase Every party Pi commits to a value
xi.
Prove phase Every party Pi proves a relation
about xi.
Open phase Open x1, x2,, xn simultaneously.

Simultaneous opening guarantees fairness
either all parties learn all the committed
values, or nobody learns anything.
Using FCPFO, the revealing phase becomes fair,
and so does the MPC protocol.

78
Time-lines Towards realizing FCPFO

accelerator 1
accelerator 2
accelerator k