Modern Cryptography Lecture 13 - PowerPoint PPT Presentation

1
Modern Cryptography Lecture 13
  • Yongdae Kim

2
Admin Stuff
  • E-mail
  • Subject should have 5471 in front, e.g. "5471 Project proposal"
  • CC TA: lin@cs.umn.edu
  • Office hours
  • Me: M 1:15-2:15, W 4:00-5:00 (and by appointment)
  • TA: M 10:30-11:30, W 11:00-12:00
  • Work on projects
  • Project presentation: May 2nd, 4th (send me your preference)
  • Final exam: May 12th, 8:00 AM
  • Check Calendar

3
Recap
  • Math
  • Proof techniques
  • Divisibility: a divides b ($a \mid b$) if $\exists c$ such that $b = ac$
  • GCD, LCM, relatively prime, existence of GCD
  • Euclidean Algorithm
  • $d = \gcd(a, b) \Rightarrow \exists x, y$ such that $d = ax + by$.
  • $\gcd(a, b) = \gcd(a, b + ka)$
  • Modular Arithmetic
  • $a \equiv b \pmod m$ iff $m \mid (a - b)$ iff $a = b + mk$ for some k
  • $a \equiv b \pmod m$, $c \equiv d \pmod m$ $\Rightarrow$ $a + c \equiv b + d \pmod m$, $ac \equiv bd \pmod m$
  • $\gcd(a, n) = 1 \Rightarrow$ a has a multiplicative inverse modulo n.
  • Counting, probability, cardinality
  • Security Overview
  • f is a one-way function if f(x) is easy to compute for all $x \in X$, but, given y in the image of f, it is computationally infeasible to find any $x \in X$ such that $f(x) = y$.
  • f is a trapdoor one-way function if, given the trapdoor information, it becomes feasible to find an $x \in X$ such that $f(x) = y$.

4
Recap
  • Cryptographic Primitives
  • SKE, PKE, Digital Signatures, Hash functions and
    MACs, Key Management through SKE, PKE
  • Block Ciphers
  • Modes of operation, meet-in-the-middle attack, product cipher, Feistel cipher, DES
  • Hash function
  • One-wayness, weak/strong collision resistance, birthday paradox
  • Merkle-Damgård Construction
  • If the compression function is collision resistant, then the strengthened Merkle-Damgård hash function is also collision resistant
  • Multi-collision attack, extension property
  • MAC
  • CBC-MAC, Secret prefix, Secret Suffix, HMAC
  • Authenticated Encryption

5
Recap (cont.)
  • Advanced number theory
  • CRT, Euler's theorem: if $a \in \mathbb{Z}_n^*$, then $a^{\phi(n)} \equiv 1 \pmod n$
  • Corollary: if $r \equiv s \pmod{\phi(n)}$ and $\gcd(a, n) = 1$, then $a^r \equiv a^s \pmod n$
  • Generator
  • If $\mathrm{ord}_n(a) = \phi(n)$ then a is a generator of $\mathbb{Z}_n^*$.
  • a is a generator iff $a^{\phi(n)/p} \not\equiv 1 \pmod n$ for all primes $p \mid \phi(n)$.
  • Let $a \in \mathbb{Z}_m^*$ and $\mathrm{ord}(a) = h$. Then $\mathrm{ord}(a^k) = h / \gcd(h, k)$.
  • RSA Encryption
  • $n = pq$, $\phi(n) = (p-1)(q-1)$, $\gcd(\phi(n), e) = 1$, $ed \equiv 1 \pmod{\phi(n)}$
  • A's public key is (n, e); A's private key is d
  • Encryption: compute $c = m^e \bmod n$; Decryption: $m = c^d \bmod n$
  • RSA Security
  • Computing d from (n, e) and factoring n are computationally equivalent
  • n cannot be shared between users
  • Small encryption exponent e = 3
  • Homomorphic property

6
Recap (cont.)
  • Abstract Algebra
  • Group, cyclic groups, generator, group order,
    subgroup
  • Discrete logarithm problem
  • Diffie-Hellman
  • DLP vs. DHP, More efficient implementation (p, q,
    g)
  • Long-term vs. short-term Diffie-Hellman
  • ElGamal encryption
  • ElGamal vs. RSA encryption
  • RSA signature vs. DSA signature
  • Identification: PINs and keys, graphical password, one-time password

7
Recap
  • Challenge-response protocol
  • SKE, MAC, PKE, Signature-based
  • Nonce vs. time-stamp
  • Key establishment
  • Session key, PFS, known-key attack, implicit key
    authentication, key confirmation
  • Kerberos
  • Hybrid key transport
  • Authenticated Diffie-Hellman MTI, STS
  • Analysis of Key Establishment Protocols: reflection and interleaving attacks
  • Threshold Cryptography

8
Bilinear Map and ID-based Encryption
$E_{\text{kyd@cs.umn.edu}}(m) = ???$
9
Definition
  • Bilinear Map
  • Let $G_1$ and $G_2$ be two abelian groups of prime order q
  • Additive notation for $G_1$: aP denotes P added to itself a times
  • Multiplicative notation for $G_2$
  • A map $e: G_1 \times G_1 \to G_2$ is called an admissible bilinear map if
  • Bilinearity: for any $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$, $e(aP, bQ) = e(P, Q)^{ab}$
  • Non-degeneracy: $e(P, Q) \neq 1$ for at least one pair $P, Q \in G_1$
  • Efficiency: e(P, Q) is efficiently computable
  • Hash functions
  • $h: \{0,1\}^* \to \{0,1\}^n$: a collision-free hash function
  • $H: \{0,1\}^* \to G_1$: a collision-free full-domain hash function (called map-to-point)
  • $H_2: G_2 \to \{0,1\}^n$: a collision-free full-domain hash function (its output is XORed with the n-bit message in the encryption below)

10
Crypto Assumptions
  • Playing with bilinear maps
  • $e(aP, bQ) = e(P, abQ) = e(P, Q)^{ab}$
  • $e(aP, Q) \cdot e(cP, Q) = e((a + c)P, Q)$
  • Cryptographic Problems
  • DLP is hard on $G_1$ and $G_2$
  • finding a from (P, aP) is hard
  • finding a from $e(P, P)^a$ is hard
  • DDH is easy in $G_1$
  • $c \equiv ab \pmod q$ if and only if $e(aP, bP) = e(cP, P)$
  • BDHP is hard
  • finding $e(P, P)^{abc}$ from P, aP, bP, cP is hard

11
3-Way DH Key Agreement
  • Let P be a public generator of $G_1$
  • Three public keys: aP (Alice), bP (Bob), cP (Carol)
  • Group key $G_{ABC} = e(P, P)^{abc}$
  • Alice computes $e(bP, cP)^a = e(P, P)^{abc}$
  • Bob computes $e(aP, cP)^b = e(P, P)^{abc}$
  • Carol computes $e(aP, bP)^c = e(P, P)^{abc}$
  • Properties
  • No communication beyond publishing the three public keys (a single round)
  • Others cannot compute the group key: BDH problem

12
Identity-Based Encryption
  • ID = name || date of birth
  • Trusted Third Party: secret $s \in \mathbb{Z}_q$
  • Public params: generator P of $G_1$ and sP
  • Secret Key Generation
  • Alice → TTP: $ID_{Alice}$
  • TTP → Alice: $sH(ID_{Alice})$
  • Encryption: Bob encrypts for Alice
  • Pick random $r \in \mathbb{Z}_q$
  • Compute $g = e(H(ID_{Alice}), sP)$
  • Compute $g^r = e(H(ID_{Alice}), sP)^r = e(H(ID_{Alice}), rsP) = e(rH(ID_{Alice}), sP)$
  • Ciphertext: $\langle rP,\ c = m \oplus H_2(g^r) \rangle$

13
IBE (Contd)
  • Decryption by Alice
  • Compute $g^r = e(H(ID_{Alice}), rsP) = e(sH(ID_{Alice}), rP)$
  • Compute $H_2(g^r)$
  • $m = c \oplus H_2(g^r)$
  • Why can't others decrypt?
  • Others know only $H(ID_{Alice})$ and rP
  • It is hard to determine r from rP (DLP), thus they cannot compute $g^r$ as $e(H(ID_{Alice}), sP)^r$
  • They don't know s, so they cannot compute $e(H(ID_{Alice}), srP)$
  • They don't know $sH(ID_{Alice})$, so they cannot compute $e(sH(ID_{Alice}), rP)$
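The two protocols on the preceding slides (3-way one-round key agreement and the IBE encrypt/decrypt flow) run end to end below in a toy pairing setting. This is an added example, not code from the lecture: $G_1$ is $\mathbb{Z}_q$ under addition with P = 1 (so "aP" is just a mod q), $G_2$ is the order-q subgroup of $\mathbb{Z}_p^*$ generated by g, and $e(aP, bP) = g^{ab \bmod q}$. That map is bilinear and non-degenerate, so every identity on the slides holds, but it is deliberately insecure (DLP in $G_1$ is trivial since aP reveals a); real deployments use elliptic-curve pairings. The primes q = 101, p = 607, the SHA-256-based $H$ (map-to-point) and $H_2$, and the message length cap are all assumptions of this example.

```python
"""Toy pairing model for 3-way DH and Boneh-Franklin-style IBE (added example)."""
import hashlib
import secrets

q = 101                              # prime group order (assumed, toy size)
p = 607                              # prime with q | p - 1 (607 = 6*101 + 1)
assert (p - 1) % q == 0
g = pow(2, (p - 1) // q, p)          # element of order q in Z_p^*
assert g != 1 and pow(g, q, p) == 1


def e(a: int, b: int) -> int:
    """Toy bilinear map G1 x G1 -> G2: e(aP, bP) = g^(ab). Insecure stand-in."""
    return pow(g, (a * b) % q, p)


def H1(identity: str) -> int:
    """Map-to-point hash {0,1}* -> G1 \\ {0}: here an integer in [1, q-1]."""
    d = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1


def H2(gt: int, n: int) -> bytes:
    """G2 -> {0,1}^n: n-byte mask derived from the group element (n <= 32)."""
    return hashlib.sha256(b"H2|" + gt.to_bytes(4, "big")).digest()[:n]


def ddh_is_easy(aP: int, bP: int, cP: int) -> bool:
    """DDH in G1 is decided by one pairing check: c = ab iff e(aP,bP) = e(cP,P)."""
    return e(aP, bP) == e(cP, 1)


def three_party_key(my_secret: int, other1_pub: int, other2_pub: int) -> int:
    """One-round 3-way DH: e(bP, cP)^a = e(P, P)^(abc), symmetric in the parties."""
    return pow(e(other1_pub, other2_pub), my_secret, p)


def ibe_setup():
    """TTP master secret s and public parameter sP (P = 1 here)."""
    s = secrets.randbelow(q - 1) + 1
    return s, s % q


def ibe_extract(s: int, identity: str) -> int:
    """Private key for an identity: sH(ID)."""
    return (s * H1(identity)) % q


def ibe_encrypt(sP: int, identity: str, m: bytes):
    """Bob -> Alice: <rP, m XOR H2(g^r)> with g = e(H(ID_Alice), sP)."""
    assert len(m) <= 32, "toy H2 yields at most 32 mask bytes"
    r = secrets.randbelow(q - 1) + 1
    g_id = e(H1(identity), sP)
    mask = H2(pow(g_id, r, p), len(m))
    return r % q, bytes(x ^ y for x, y in zip(m, mask))


def ibe_decrypt(d_id: int, ct) -> bytes:
    """Alice: e(sH(ID), rP) equals g^r, so the same mask is recovered."""
    rP, c = ct
    mask = H2(e(d_id, rP), len(c))
    return bytes(x ^ y for x, y in zip(c, mask))
```

The decryption works because $e(sH(ID), rP) = e(H(ID), P)^{sr} = e(H(ID), sP)^r$, exactly the chain of equalities on the slide; anyone holding only rP and H(ID) is stuck at the BDH-type problem (here trivially solvable only because the toy group leaks discrete logs).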

14
Discussion (PKI vs. Kerberos vs. IBE)
  • On-line vs. off-line TTP
  • Implication?
  • Non-repudiation?
  • Revocation?
  • Scalability?
  • Trust issue?

15
Hash Chain and Hash Tree
16
Hash Chain
  • h: cryptographically strong hash function
  • $H_0 = x$
  • $H_n = h(H_{n-1}) = h(h(h(\cdots h(x))))$ (n applications of h)
  • Random mapping statistics

17
One time password
  • Setup
  • User generates $H_0, H_1, \ldots, H_n$
  • User → Server: $H_n$
  • Server stores $H_n$ as the user's public password
  • Authentication
  • At time 0: User → Server: $H_{n-1}$
  • Server verifies $h(H_{n-1}) = H_n$
  • Server stores $H_{n-1}$ as the user's public password
  • At time 1: User → Server: $H_{n-2}$, and so on
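The setup and authentication steps above, as an added example (not code from the lecture) with both sides implemented. SHA-256 as h, a 32-byte random seed and the class names are assumptions. It also shows the two properties the scheme is chosen for: a stolen server-side value is useless because the next login needs its preimage, and an eavesdropped password cannot be replayed once the server has moved on.

```python
"""Lamport / S/KEY style one-time passwords from the slide's hash chain."""
import hashlib
import os


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """Return [H_0, H_1, ..., H_n] with H_0 = seed and H_i = h(H_{i-1})."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class Server:
    """Stores only the current public password H_i. Leaking it lets nobody
    log in: the next valid password is a preimage of it under h."""

    def __init__(self, public_password: bytes):
        self.current = public_password

    def authenticate(self, candidate: bytes) -> bool:
        if h(candidate) == self.current:
            self.current = candidate      # next login must present h's preimage of this
            return True
        return False


class User:
    """Holds the chain and walks it backwards: H_{n-1}, H_{n-2}, ..., H_0."""

    def __init__(self, n: int, seed: bytes = None):
        self.chain = hash_chain(seed or os.urandom(32), n)
        self.i = n

    def public_password(self) -> bytes:
        return self.chain[self.i]

    def next_password(self) -> bytes:
        if self.i == 0:
            raise RuntimeError("chain exhausted: re-register with a new seed")
        self.i -= 1
        return self.chain[self.i]


def demo(n: int = 5) -> dict:
    """n successful logins, then an eavesdropper replays an already-used value."""
    user = User(n)
    server = Server(user.public_password())
    logins = [server.authenticate(user.next_password()) for _ in range(n)]
    replayed = server.authenticate(user.chain[1])   # captured earlier, now stale
    return {"logins": logins, "replay_ok": replayed}
```

Note the chain is finite: after n logins the user must register a fresh $H_n$ from a new seed, and the registration itself has to be authenticated by some other means.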

18
Stream Authentication
  • Streaming
  • Single-sender, single-receiver?
  • MAC!
  • Single-sender, multiple-receiver?
  • MAC?
  • Digital Signature?

19
Need for a separate scheme
  • Need for widespread trusted streamed media dissemination
  • Attacker may alter stock quotes distributed through IP multicast
  • Solution is trivial for the single-sender, single-receiver case (a MAC)
  • Multiple receivers: need to use PKC
  • Digital signatures: too inefficient
  • Needs to scale to millions of users
  • Streamed media distribution can have high packet loss

20
TESLA
  • $F^v(x) = F^{v-1}(F(x))$, $F^0(x) = x$
  • $K_0 = F^n(K_n)$, $K_i = F^{n-i}(K_n)$
  • Cannot invert F: cannot compute any $K_j$ given $K_i$, $j > i$
  • Receiver can compute all $K_j$ from $K_i$, $j < i$
  • $K_j = F^{i-j}(K_i)$, e.g. $K_{i-1} = F(K_i)$

Figure: key chain $K_{i-1} \xleftarrow{F} K_i \xleftarrow{F} K_{i+1}$. Packet $P_i$ carries $M_i = (D_i, K_{i-1})$ and $MAC(K_i, D_i)$, i.e. the key that authenticates packet i is disclosed one packet later. Receiver's view: $P_{i-1}$ authenticated; $P_i$ authenticated after receiving $P_{i+1}$; $P_{i+1}$ not yet authenticated.
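Sender and receiver for the delayed-disclosure scheme in the figure, as an added example (not the lecture's or the TESLA authors' code). The key chain $K_i = F^{n-i}(K_n)$ and the packet layout $(D_i, K_{i-1}, MAC(K_i, D_i))$ are the slide's; SHA-256 for F and HMAC-SHA256 as the MAC are assumptions. Two things the slide leaves implicit are modelled explicitly: the receiver is assumed to have obtained $K_0$ authentically (e.g. under a signature), and the timing condition ("accept a packet only if its key cannot have been disclosed yet") is abstracted to "its key is not yet known to the receiver". The chain check also tolerates packet loss, which is why the scheme suits lossy multicast.

```python
"""TESLA-style delayed key disclosure: chain, packets, buffering, verification."""
import hashlib
import hmac
import os


def F(k: bytes) -> bytes:
    return hashlib.sha256(b"F|" + k).digest()


def F_n(k: bytes, n: int) -> bytes:
    for _ in range(n):
        k = F(k)
    return k


def mac(k: bytes, data: bytes) -> bytes:
    return hmac.new(k, data, hashlib.sha256).digest()


class Sender:
    def __init__(self, n: int):
        self.K = [None] * (n + 1)
        self.K[n] = os.urandom(32)
        for i in range(n - 1, -1, -1):
            self.K[i] = F(self.K[i + 1])          # K_i = F(K_{i+1})
        self.i = 0

    def commitment(self) -> bytes:
        return self.K[0]                           # distributed authentically (assumed)

    def send(self, data: bytes) -> tuple:
        """P_i = (i, D_i, MAC(K_i, D_i), K_{i-1}): K_i itself is disclosed in P_{i+1}."""
        self.i += 1
        return (self.i, data, mac(self.K[self.i], data), self.K[self.i - 1])


class Receiver:
    def __init__(self, k0: bytes):
        self.known = {0: k0}      # index -> verified key
        self.last = 0             # highest verified key index
        self.pending = {}         # index -> (data, tag) awaiting key disclosure
        self.authenticated = {}   # index -> data

    def receive(self, pkt: tuple) -> bool:
        i, data, tag, k_prev = pkt
        j = i - 1
        if j > self.last:
            # Verify the disclosed key against the chain; packets last+1..j may
            # have been lost, so walk F^(j-last) back to the last known key.
            if F_n(k_prev, j - self.last) != self.known[self.last]:
                return False                                   # bogus key
            k = k_prev
            for idx in range(j, self.last, -1):
                self.known[idx] = k
                k = F(k)
            self.last = j
        if i in self.known:
            return False     # K_i already disclosed: anyone could have forged this MAC
        self.pending[i] = (data, tag)
        # Authenticate every buffered packet whose key has now been disclosed.
        for idx in sorted(self.pending):
            if idx in self.known:
                d, t = self.pending.pop(idx)
                if hmac.compare_digest(mac(self.known[idx], d), t):
                    self.authenticated[idx] = d
        return True
```

A receiver therefore needs one authenticated value ($K_0$), a one-way function and a MAC, with no per-packet public-key operation; the cost is a one-packet (in practice, one-interval) delay before data can be trusted.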
21
Key Strengthening
  • Preventing/mitigating off-line dictionary attacks on stored password hashes
  • Assuming that users will choose weak passwords
  • Salting
  • Stored key = h(password || random salt)
  • Ideally, the random salt should be private, but a public salt is still useful. Why?
  • Key strengthening
  • key = hash(password || salt)
  • for i = 1 to 65000 do key = hash(key)
  • What does it provide?
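The salt-and-iterate scheme above, as an added example (not the lecture's code) with an enrol/verify pair and a counter that makes the answer to "what does it provide?" visible: each guess in an off-line attack costs the attacker (iterations + 1) hash computations, and because the salt is per user the work cannot be shared across users or precomputed into a table. SHA-256, a 16-byte salt and the 65000 default are assumptions of the example.

```python
"""Salting and key stretching as on the slide, with attacker cost made explicit."""
import hashlib
import hmac
import os

ITERATIONS = 65000   # the slide's loop count


def stretch(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """key = hash(password || salt); then key = hash(key), `iterations` times."""
    key = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        key = hashlib.sha256(key).digest()
    return key


def enroll(password: bytes, iterations: int = ITERATIONS) -> dict:
    """Record stored by the server: salt and iteration count are public."""
    salt = os.urandom(16)
    return {"salt": salt, "iter": iterations,
            "key": stretch(password, salt, iterations)}


def verify(record: dict, password: bytes) -> bool:
    cand = stretch(password, record["salt"], record["iter"])
    return hmac.compare_digest(record["key"], cand)


def dictionary_attack(record: dict, candidates) -> tuple:
    """Off-line guessing against one stolen record; returns (match, hashes spent)."""
    hashes = 0
    for cand in candidates:
        hashes += record["iter"] + 1          # stretching multiplies per-guess cost
        if stretch(cand, record["salt"], record["iter"]) == record["key"]:
            return cand, hashes
    return None, hashes
```

Two users with the same password get different records, so a rainbow table built for one salt is worthless for another; in production the loop is replaced by a purpose-built function such as PBKDF2 (`hashlib.pbkdf2_hmac`), scrypt or Argon2, which add memory cost on top of iteration count.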

22
Group Key Management
  • Secure group communication
  • IP Multicast
  • Pay-per-view video streaming
  • Video On Demand (VOD)
  • Secure teleconferencing
  • Online games
  • Group confidentiality service
  • How to share a common key over a group?

23
Assumption
  • There is a Group Controller (GC)
  • All nodes share a Traffic Encryption Key (TEK) to
    encrypt communication data.
  • When membership changes, TEK needs to be updated
  • Each node shares a Key Encryption Key with GC to
    encrypt TEK updates

24
Traffic Encryption Key

Figure: a group of users all holding the TEK; group traffic is sent as $E_{TEK}(msg)$ and any member u can decrypt it.
25
Simplest Approach

Figure: a star with the GC in the centre and users u1 ... u7 around it; each user shares its own KEK with the GC, under which the GC sends it the TEK.
26
Join?

Figure: the same star after u8 joins (GC with u1 ... u8).
27
Leave

Figure: the same star of GC and u1 ... u8 as one member leaves; the TEK must be changed and re-sent to every remaining member under its own KEK.
28
One-way Function Tree (OFT)
  • Proposed by D. A. McGrew and A. T. Sherman

$bk = g(k)$: blinded key; $k = f(g(k_{left}), g(k_{right}))$: unblinded key

Figure: a node's unblinded key k is computed by f from the blinded keys $g(k_{left})$ and $g(k_{right})$ of its two children.
29
Blinded Unblinded Keys
  • Unblinded key: the value that hasn't been passed through g
  • Blinded key: the value that has already been passed through g
  • If you know the unblinded key, you can compute the blinded key
  • The converse is not true (g is one-way)

30
OFT Algorithm
$k_i = f(g(k_{2i}), g(k_{2i+1}))$

Figure: complete binary key tree with root $k_1$, internal nodes $k_2 \ldots k_7$ and leaves $k_8 \ldots k_{15}$; user $u_j$ owns leaf $k_{7+j}$ ($u_1 \to k_8, \ldots, u_8 \to k_{15}$).
31
OFT Algorithm (u4s view)
$k_i = f(g(k_{2i}), g(k_{2i+1})) = f(bk_{2i}, bk_{2i+1})$

Figure ($u_4$'s view, leaf $k_{11}$): $u_4$ knows $k_{11}$ and receives $E_{k_{11}}(bk_{10})$, $E_{k_5}(bk_4)$ and $E_{k_2}(bk_3)$, i.e. each blinded sibling key encrypted under the unblinded key of the node $u_4$ can already compute. From these it computes $k_5 = f(bk_{10}, g(k_{11}))$, then $k_2 = f(bk_4, g(k_5))$, then the group key $k_1 = f(g(k_2), bk_3)$.
32
OFT Algorithm (leave)
Figure: the key tree of $u_1 \ldots u_8$ after a member leaves; every key on the path from the vacated leaf to the root changes.
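The OFT slides above (tree indexing, $u_4$'s view, and leave) as one runnable added example; this is not the lecture's or McGrew and Sherman's code. It uses the slide's indexing ($k_i = f(g(k_{2i}), g(k_{2i+1}))$, $u_j$ at leaf $k_{7+j}$), a member that recomputes its path from its leaf key plus blinded sibling keys, and a group controller that evicts a member by putting a fresh key in the vacated leaf and sending each changed blinded key wrapped under the unblinded key of that node's sibling, a key the leaver never held. SHA-256-based f and g, the HMAC-based key wrap (a stand-in for a real AEAD such as AES-GCM) and delivery of the join view over the member's pairwise channel with the GC are assumptions.

```python
"""One-way function tree: group key from a path, and rekey on leave."""
import hashlib
import hmac
import os

N_LEAVES = 8


def g(k: bytes) -> bytes:                          # blinding function (one-way)
    return hashlib.sha256(b"g|" + k).digest()


def f(left_bk: bytes, right_bk: bytes) -> bytes:   # mixing function
    return hashlib.sha256(b"f|" + left_bk + right_bk).digest()


def wrap(kek: bytes, value: bytes) -> bytes:
    """Toy key wrap: nonce || (value XOR HMAC(kek, nonce)). Demo only, no auth."""
    nonce = os.urandom(16)
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(value, stream))


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def sibling(i: int) -> int: return i ^ 1
def parent(i: int) -> int: return i // 2
def leaf(j: int) -> int: return N_LEAVES - 1 + j   # u_j -> node 7+j


class Member:
    def __init__(self, node: int, leaf_key: bytes, sibling_bks: dict):
        self.node, self.leaf_key, self.bks = node, leaf_key, dict(sibling_bks)

    def path_keys(self) -> dict:
        """Unblinded keys from own leaf up to the root (k_1 = group key)."""
        i, k, keys = self.node, self.leaf_key, {}
        keys[i] = k
        while i > 1:
            s = sibling(i)
            k = f(g(k), self.bks[s]) if i % 2 == 0 else f(self.bks[s], g(k))
            i = parent(i)
            keys[i] = k
        return keys

    def group_key(self) -> bytes:
        return self.path_keys()[1]

    def apply_rekey(self, msgs: list) -> None:
        keys = self.path_keys()
        for kek_node, changed_node, blob in msgs:
            if kek_node in keys:           # only holders of k_kek_node can read it
                self.bks[changed_node] = unwrap(keys[kek_node], blob)


class GroupController:
    def __init__(self):
        self.k = {i: os.urandom(32) for i in range(N_LEAVES, 2 * N_LEAVES)}
        self._recompute()

    def _recompute(self) -> None:
        for i in range(N_LEAVES - 1, 0, -1):
            self.k[i] = f(g(self.k[2 * i]), g(self.k[2 * i + 1]))

    def root(self) -> bytes:
        return self.k[1]

    def join_view(self, j: int) -> Member:
        """u_j's leaf key plus the blinded key of every sibling on its path
        (the slide's bk_10, bk_4, bk_3 for u_4)."""
        i, bks = leaf(j), {}
        while i > 1:
            bks[sibling(i)] = g(self.k[sibling(i)])
            i = parent(i)
        return Member(leaf(j), self.k[leaf(j)], bks)

    def leave(self, j: int) -> list:
        """Evict u_j: fresh GC-only key in its leaf slot, then each changed
        blinded key wrapped under its sibling's unblinded key."""
        i = leaf(j)
        self.k[i] = os.urandom(32)
        self._recompute()
        msgs = []
        while i > 1:
            msgs.append((sibling(i), i, wrap(self.k[sibling(i)], g(self.k[i]))))
            i = parent(i)
        return msgs
```

A leave costs $\log_2 n$ wrapped messages instead of the n - 1 unicasts of the simplest approach, and the evicted member, holding only the old path keys and blinded siblings, can open none of them.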
33
Proof of Possession
  • Storage Service Provider
  • How can a SSP prove that it stores all blocks?
  • Or how can a client verify that the SSP stores
    all blocks?
  • Constraints The client does not have the copy of
    the whole storage.
  • Naïve solution
  • Storing hashes of each block?

34
Hash Tree
$H_i = h(H_{2i}, H_{2i+1})$

Figure: binary hash tree with root $H_1$, internal nodes $H_2 \ldots H_7$ and leaf hashes $H_8 \ldots H_{15}$ computed over blocks $B_1 \ldots B_8$ ($H_{7+j} = h(B_j)$).
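The hash tree turned into a proof-of-possession exchange, as an added example (not the lecture's code): the client keeps only the root $H_1$, challenges the provider for block $B_j$, and the provider answers with the block plus the $\log_2 n$ sibling hashes on its path. The client recomputes up to the root, so a provider that dropped or altered a block cannot answer a challenge for it. The indexing is the slide's ($H_i = h(H_{2i}, H_{2i+1})$, leaves at $n \ldots 2n-1$); SHA-256, the power-of-two block count, and the 0x00/0x01 prefixes that keep an internal node from being passed off as a leaf are assumptions of the example.

```python
"""Merkle hash tree: build, prove possession of one block, verify with only the root."""
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(block: bytes) -> bytes:
    return h(b"\x00" + block)              # domain separation for leaves


def node_hash(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)       # domain separation for internal nodes


def build_tree(blocks: list) -> dict:
    """H[i] for i in 1..2n-1; leaves at n..2n-1 (H[n+j] = leaf_hash(B_j))."""
    n = len(blocks)
    assert n > 0 and n & (n - 1) == 0, "block count must be a power of two"
    H = {n + j: leaf_hash(b) for j, b in enumerate(blocks)}
    for i in range(n - 1, 0, -1):
        H[i] = node_hash(H[2 * i], H[2 * i + 1])
    return H


def prove(H: dict, n: int, j: int) -> list:
    """Provider side: sibling hashes from the leaf of block j (0-based) to the root."""
    i, path = n + j, []
    while i > 1:
        path.append(H[i ^ 1])
        i //= 2
    return path


def verify(root: bytes, n: int, j: int, block: bytes, path: list) -> bool:
    """Client side: recompute the root from the block and its path."""
    if len(path) != n.bit_length() - 1:    # exactly log2(n) siblings expected
        return False
    i, cur = n + j, leaf_hash(block)
    for sib in path:
        cur = node_hash(cur, sib) if i % 2 == 0 else node_hash(sib, cur)
        i //= 2
    return cur == root


def challenge_round(H: dict, n: int, blocks: list, j: int) -> bool:
    """One challenge: client stores H[1] only; provider returns block and proof."""
    root = H[1]
    block, path = blocks[j], prove(H, n, j)
    return verify(root, n, j, block, path)
```

Compared with the naive solution of storing one hash per block, the client's state shrinks from n hashes to one, at the price of $\log_2 n$ hashes per challenge; a real scheme would also randomise which blocks are challenged so the provider cannot keep only the popular ones.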
35
Temporal Key Management
  • For each time interval, one can use a different key to encrypt a file
  • Temporal read access control can be provided by distributing the keys for the associated time intervals
  • Constraint: one does not want to store all previous keys
  • Naïve solution: hash chain
  • Key generation: $K_t = h(K_{t+1})$
  • Use $K_t$ at time t
  • Problem?

36
Hash Tree-based Solution
$K_{left\ child} = h_1(K_{parent})$, $K_{right\ child} = h_2(K_{parent})$

Figure: key tree with root $K_{1\text{-}8}$, children $K_{1\text{-}4}$ and $K_{5\text{-}8}$, grandchildren $K_{1\text{-}2}, K_{3\text{-}4}, K_{5\text{-}6}, K_{7\text{-}8}$, and leaves $K_1 \ldots K_8$ (the key for interval t); handing out one subtree root grants exactly the intervals under it.
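The tree derivation above as an added example (not the lecture's code). With the hash chain, giving someone $K_t$ also gives every earlier $K_{t'}$ ($t' < t$) by repeated hashing, so access cannot be limited to a window; the tree fixes that. `derive` walks from a subtree root to one interval's key, and `cover` computes the minimal set of subtree keys whose union is exactly a requested range, which is what a server hands to a reader. $h_1$ and $h_2$ as SHA-256 with distinct prefixes and the interval numbering 1..8 are assumptions of the example.

```python
"""Temporal keys from a binary derivation tree: K_left = h1(K), K_right = h2(K)."""
import hashlib


def h1(k: bytes) -> bytes:                 # left child
    return hashlib.sha256(b"\x01" + k).digest()


def h2(k: bytes) -> bytes:                 # right child
    return hashlib.sha256(b"\x02" + k).digest()


def derive(subroot: bytes, lo: int, hi: int, t: int) -> bytes:
    """Key K_t for interval t in [lo, hi], given the key covering [lo, hi]."""
    assert lo <= t <= hi
    k = subroot
    while lo < hi:
        mid = (lo + hi) // 2
        if t <= mid:
            k, hi = h1(k), mid
        else:
            k, lo = h2(k), mid + 1
    return k


def cover(subroot: bytes, lo: int, hi: int, a: int, b: int) -> list:
    """Minimal list of (lo, hi, key) subtree keys granting exactly intervals a..b."""
    if a <= lo and hi <= b:
        return [(lo, hi, subroot)]
    if hi < a or b < lo:
        return []
    mid = (lo + hi) // 2
    return (cover(h1(subroot), lo, mid, a, b)
            + cover(h2(subroot), mid + 1, hi, a, b))


def keys_from_grant(grant: list) -> dict:
    """Reader side: expand the granted subtree keys into per-interval keys."""
    out = {}
    for lo, hi, k in grant:
        for t in range(lo, hi + 1):
            out[t] = derive(k, lo, hi, t)
    return out
```

A reader granted intervals 3..6 receives just $K_{3\text{-}4}$ and $K_{5\text{-}8}$'s left child $K_{5\text{-}6}$, can derive $K_3 \ldots K_6$, and learns nothing about $K_1, K_2, K_7, K_8$ because $h_1$ and $h_2$ are one-way; a contiguous range of m intervals never needs more than about $2\log_2 n$ keys.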