1 / 33

Modern Cryptography Lecture 10

Modern Cryptography Lecture 10. Yongdae Kim. Admin Stuff. E-mail Subject should have [5471] in front, e.g. “[5471] Project proposal” CC TA: lin@cs.umn.edu Office hours Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 Work on projects

benjy
Télécharger la présentation

Modern Cryptography Lecture 10

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modern CryptographyLecture 10 Yongdae Kim

  2. Admin Stuff • E-mail • Subject should have [5471] in front, e.g. “[5471] Project proposal” • CC TA: lin@cs.umn.edu • Office hours • Me: M 1:15 ~ 2:15, W 4:00 ~ 5:00 (and by appointment) • TA: M 10:30 ~ 11:30, W 11:00 ~ 12:00 • Work on projects • Meeting tomorrow? • 5th assignment is due 4/4 2:15 PM. • Check Calendar

  3. Recap • Math… • Proof techniques • Divisibility: a dividesb (a|b) if  c such that b = ac • GCD, LCM, relatively prime, existence of GCD • Eucledean Algorithm • d = gcd (a, b)   x, y such that d = a x + b y. • gcd(a, b) = gcd(a, b + ka) • Modular Arithmetic • a≡b (mod m) iff m | a-b iff a = b + mk for some k • a≡b (mod m), c≡d (mod m) a+c ≡(b+d) (mod m), ac ≡ bd (mod m) • gcd(a, n) =1  a has an arithmetic inverse modulo n. • Counting, probability, cardinality, … • Security Overview • one-way function if f(x) is easy to compute for all x  X, but it is computationally infeasible to find any x  X such that f(x) =y. • trapdoor one-way function if given trapdoor information, it becomes feasible to find an x  X such that f(x) =y.

  4. Recap • Cryptographic Primitives • SKE, PKE, Digital Signatures, Hash functions and MACs, Key Management through SKE, PKE • Block Ciphers • Modes of operation, meet-in-the-middle attack, Product cipher, Feistal cipher, DES • Hash function • Onewayness, weak/strong collision resistance, Birthday paradox • Merkle Damgard Construction • If the compression function is collision resistant, then strengthened Merkle-Damgård hash function is also collision resistant • Multi-collision attack, extension property • MAC • CBC-MAC, Secret prefix, Secret Suffix, HMAC • Authenticated Encryption

  5. Recap (cnt) • Advanced number theory • CRT, Euler theorem: If a  Zn* , then a f(n) =1 (mod n) • Cor: if r ´ s mod f(n) and (a, n)=1, then ar´ as (mod n) • Generator • If ordn(a) = f(n) then a is a generator of Zn*. • a is a generator iff a f(n)/p≠ 1 mod n for all p | f(n). • Let a  Zm* and ord(a) = h. Then ord(ak) = h/gcd(h, k). • RSA Encryption • n = pq, f(n) = (p-1)(q-1), gcd(f(n), e) = 1, ed 1 mod f(n) • A’s public key is (n, e); A’s private key is d • Encryption: compute c = me mod n, Decryption: m = cd mod n • RSA Security • Computing d from (n, e) and factoring n are computationally equivalent • n cannot be shared • Small encryption exponent e = 3 • Homomorphic property

  6. Group • A nonempty set G and operator , (G, ) is a group if: • CLOSURE: for all x,y  G, x  y  G • ASSOCIATIVITY:  x,y,z  G, (x  y)  z = x (y  z) • IDENTITY:  I G such that  x G, Ix = x = xI • INVERSE:  x G,  inverse element x-1 G such that x-1 x = I = x  x-1 • A group (G, ) is ABELIAN if: • COMMUTATIVITY: for all x,y  G, x  y = y  x • A group G is finite if |G| is finite. The number of elements in a finite group is called its order.

  7. Examples • Z = {… -2, -1, 0, 1, 2, …} under + is a group • We call it (Z, +) • Abelian? • (Z, ) group? • Zn = {0, 1, 2, …, n-1} group? • M = Set of all 2 X 2 matrix • (M, +) Abelian group? • (M, ) group?

  8. Cyclic Groups • An element g  G is a group generator of group (G, ) if for all x  G, $ i such that x=gi = g  g  g  …  g (i times), G = <g> • Definition:(G, ) is cyclic if  group generator. • Definition:Group order of a group (G, ) is the size of set G, i.e., |G| or #{G} or ord(G) • Definition:Group (G, ) is finite if ord(G) is fixed. • Example: the set Zn with addition modulo n is a group. Zn with multiplication modulo n is not a group. Zn* is a group of order f(n)

  9. Cyclic Groups • An element g  G is a group generator of group (G, ) if for all x  G, $ i such that x=gi = g  g  g  …  g (i times), G = <g> • Definition:(G, ) is cyclic if  group generator. • Definition:Group order of a group (G, ) is the size of set G, i.e., |G| or #{G} or ord(G) • Definition:Group (G, ) is finite if ord(G) is fixed. • Example • (Zn, + mod n) is a cyclic group. generator? • (Zp* ,  mod n)is a cyclic group. generator?

  10. Examples • Q= {a/b | a,b Z, b  0} • (Q, +): group • the rationals are closed under addition • the identity is 0 • the inverse of x is -x • the rationals are associative • the rationals are commutative (so the group is abelian) • (Q-{0}, *): group • the rationals are closed under multiplication • the identity is 1 • the inverse of x is 1/x • the rationals are associative • the rationals are commutative (so the group is abelian)

  11. Examples (cnt.) • Zp • (Zp, +) • integers mod p are closed under + • the identity is 0 • the inverse of x: -x \equiv p-x mod p • + is associative • + is commutative (so the group is abelian) • (Zp*, ) • integers mod p are closed under  • the identity is 1 • the inverse of x: x-1 = xp-2 mod p •  is associative •  is commutative (so the group is abelian)

  12. Subgroup • (H, ) is a subgroup of (G, ) if: • H is a subset of G • a  b  H for all a,b H • $ identity • $ a-1 H for all a H. • Example: G = Z7* = {1,2,3,4,5,6}, H = {1,2,4} • H is closed under multiplication mod 7 • 1 is still the identity • 1 is 1 inverse, 2 and 4 are inverses of each other • Lagrange Theorem (slight variation) • Let G be a multiplicative group of order n. For any g in G, ord(g) divides n.

  13. Discrete Logarithm Problem • Discrete Logarithm problem • Discrete Logarithm • The discrete logarithm of y to the base g modulus p is x such that y = gx mod p • DLP: Given p, a generator g of Zp*, and an element y  Zp*, find the integer x such that gx = y mod p. • GDLP: Given a generator g of cyclic group G, and an element y  G, find the integer x such that gx = y. • Best Algorithms • Pollard’s rho: O(sqrt(q)) where q is the group size. • Index calculus: Lp[1/3, c]

  14. Diffie-Hellman • New Directions in Cryptography • Whitfield Diffie, Martin E. Hellman, IEEE Transactions on Information Theory, 1976 • Setting • Zp* = {1, 2, … , p – 1}, g –generator • Protocol • A  B : NA = gn1mod p • B  A : NB = gn2mod p • A : NBn1= gn1n2mod p • B : NAn2= gn1n2mod p • Diffie-Hellman Key : gn1 n2

  15. Diffie-Hellman • To set up a key shared between two parties who never met before • Security • DLP  Diffie-Hellman problem? • Diffie-Hellman problem  DLP? • Authentication?

  16. DLP in subgroup of Zp* • Efficient and Secure Construction • Zp* = {1, 2, … , p – 1}, g’ – generator • p = k q + 1 (|p| = 1024, |q| = 160) • g = g’ k, ordp(g) = q • G = <g> • When p = k q + 1 with |p|=1024, |q| = 160 (e.g.) • With Pollard’s rho: O(sqrt(q)) • With Index calculus: Lp[1/3, c] • So best in min of above two • That’s why we choose the above parameter and also Hash function

  17. Better Implementation of DH • Setting • Zp* = {1, 2, … , p – 1}, g’ – generator • p = k q + 1 (|p| = 1024, |q| = 160) • g = g’ k, ordp(g) = q • Protocol • A  B : NA = gn1mod p • B  A : NB = gn2mod p • A : NBn1= gn1n2mod p, B : NAn2= gn1n2mod p • Security • With Pollard’s rho: O(sqrt(q)) • With Index calculus: Lp[1/3, c]

  18. More Discussion on DH • Long-term vs. Short-term DH • Short-term DH • When n1 and n2 are fresh, you can always generate a session (symmetric) key between two entities with two messages. • Long-term DH • When A has (nA, gnA) and B has (nB, gnB) as (private, public) key pair, A and B can compute their long-term symmetric keywithout any message. • Does not provide forward/backward security: When either one’s private key is compromised, their pair-wise key is compromised. • Authentication is required! • Note that you can build DH on any group. • Elliptic Curve DH is a DH protocol on top of a group on elliptic curve.

  19. ElGamal Public Key Encryption • Key Generation • prime p (system-wide parameter) and a generator g of Zp* • A’s public key is y=gx, A’s private key is x • Encryption • generate random integer k and compute r = gk mod p • compute c = my kmod p • Ciphertext(r, c) • Decryption • m = c r –amod p

  20. Discussions on ElGamal • Hashed ElGamal • Encryption: Ey(m)=(c, d)=(gr, m⊕H(yr)) • Efficiency • 2 mod exp, 2 times message expansion • Security • Randomized encryption • precluding or decreasing CCA • Use fresh k for each encryption • c1 / c2 = m1 / m2if k is same

  21. Comparison: RSA vs. ElGamal • Speed • Encryption Speed • RSA • ElGamal • Decryption Speed • RSA • ElGamal • Message Expansion • RSA • ElGamal • Public Key Size • When do you want to use what?

  22. Digital Signature

  23. Digital Signature • Integrity • Authentication • Non-repudiation I did not have intimate relations with that woman,…, Ms. Lewinsky WJ Clinton

  24. Mh x S VA u {True, False} Digital Signature with Appendix • Schemes with appendix • Requires the message as input to verification algorithm • Rely on cryptographic hash functions rather than customized redundancy functions • DSA, ElGamal, Schnorr etc. M Mh S SA,k h m mh s* s* = SA,k(mh) u = VA(mh, s*)

  25. Desirable Properties • For each k R, SA,k should be efficient to compute • VA should be efficient to compute • It should be computationally infeasible for an entity other than the signer to find an m  M and an s  S such that VA(m’, s*) = true, where m’ = h (m)

  26. Types of Attacks • Key-only: adversary knows only the public key • Message attacks • Known-message attack: adversary has signatures for a set of messages which are known to the adversary but not chosen by him • Chosen-message attack: adversary obtains valid signatures from a chosen list of his choice (non adaptive) • Adaptive chosen-message attack: adversary can use the signer as an oracle

  27. RSA Signature • Key generation n, p, q, e, d • Sign • Compute s = h(m)d mod n • Signature: (m, s) • Verify • Obtain authentic public key (n, e) • Verify h(m) = se mod n

  28. DSA (US Standard) • DSA Algorithm : key generation • select a prime q of 160 bits • 1024 bit p with q|p-1 • Select g’ in Zp*, and g = gk=g’(p-1)/q mod p, g1 • Select 1  x q-1, compute y= gx mod p • public key (p, q, g, y), private key x

  29. DSA (cont) • DSA signature generation • Select a random integer k, 0 < k < q • Compute r=(gk mod p) mod q • compute k-1 mod q • Compute s = k-1 (h(m) + xr) mod q • signature = (r, s) • DSA signature verification • Verify 0<r<q and 0<s<q, if not, invalid • Compute w= s-1mod q and h(m) • Compute u1=wh(m)mod q, u2=rw mod q • Compute v = (gu1yu2 mod p) mod q • Valid iff v=r

  30. DSA (cont) • H(m) = -xr + ks (mod q) • w h(m) + xrw = k mod q • u1 + x u2 = k mod q • (gu1 yu2 mod p) mod q = (gk mod p) mod q • Security of DSA • two distinct DL problems: ZP*, cyclic subgroup order q • Parameters: • q~160bits, p 768~1Kb, p, q, g can be system wide

  31. DSA (cont) • Performance • Signature Generation • One modular exponentiation • Several 160-bit operations (if p is 1024 bits) • The exponentiation can be precomputed • Verification • Two modular exponentiations

  32. Comparison: RSA vs. DSA • Speed • Signature generation • RSA • DSA • Signature verification • RSA • DSA • Memory • RSA • DSA • Which one do you want to use?

  33. Blind signature scheme • Chaum for Electronic Cash • Sender A; Signer B • B’s RSA public and private key are as usual. k is a random secret integer chosen by A, satisfying 0  k < n • Protocol actions • (blinding) A: comp m* = mke mod n, to B Note: (mke)d = mdk • (signing) B comp s* = (m*)d mod n, to A • (unblinding) A: computes s = k-1s* mod n

More Related