cryptography: numbers and tools
Cryptography: Numbers and Tools. Gerard Tel, Dept of Computing Science, Utrecht. Talk overview. Part 1: Numbers for Crypto. Definition and existence: require P ≠ NP. Encryption with numbers: Elgamal. Numbers versus ad hoc: Hashing. Part 2: Tools. Zero knowledge proofs. Secret Sharing.
1
Cryptography: Numbers and Tools
Gerard Tel, Dept of Computing Science, Utrecht
2
Talk overview
Part 1: Numbers for Crypto
  Definition and existence: require P ≠ NP
  Encryption with numbers: Elgamal
  Numbers versus ad hoc: Hashing
Part 2: Tools
  Zero knowledge proofs
  Secret Sharing
  Combined application: Verified committee decryption
3
Cryptography:
The art of protection using information
To have or not to have…
To know or not to know
Definition (Knowledge): Party X knows all information he can feasibly compute from his available resources (facts and computing power)
4
Two examples
Encryption (AES)
  Alice sends email $y = E_k(x)$
  Bob computes $x = D_k(y)$
  Oscar knows no $k$: which $D$ function?
Identification with one-way function $H$
  A gives Bank $b = H(a)$
  Bank pays on seeing $a'$ s.t. $H(a') = b$
  O knows no $a'$
5
More general example
Public/Secret pairs
  Alice holds secret $a$
  Bob holds public $b$
  Relation $P(a, b)$
Require: Oscar cannot compute $a$ from $b$
But: Oscar can recognize $a$ by verifying $P$
6
I recognize it when I see it … but I don’t know it
7
Assumption: Discrete Log
Compute modulo large $p$: $0, 1, \dots, p-1$
Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \dots, g^{\mathrm{ord}} = 1$
Fix $g$ of high prime order.
From $a$, power $b = g^a$ is computable
Assumption: From $b$, log $a$ s.t. $b = g^a$ is not computable
8
The Elgamal Party Game
Program: exponentiation, discrete log, Elgamal
Booklet: group demo of send/receive
Compute $k$-bit integers:
  Expo: $k^3$ time
  DLog: $\sqrt{2^k}$ time
www.cs.uu.nl/~gerard/Cryptografie/Elgamal
9
Symmetric encryption
Secret message is number: $x$
Alice and Bob share a key: $z$ (blinder)
Encryption: $y = E_z(x) = x \cdot z$
Decryption: $x = D_z(y) = y \cdot z^{-1}$
Msg unreadable w/o blinder!
Difficulty: safely sharing $z$
10
Elgamal encryption
New blinder for each message
Information about $z$ with msg
Readable only with $a$ s.t. $g^a = b$
$E_b$: $(u, v) = (g^k, b^k \cdot x)$
$D_a$: $x = v \cdot (u^a)^{-1}$
Blinder at Enc $= (g^a)^k$, at Dec $= (g^k)^a$
a
Imperial number b:
51284
11
Key generation
How can Caesar know log($b$)? It is not computable from $a$!
Choose random $a$; // Secret key
Let $b = g^a$; // Public key
Publish $b$ as the Imperial Number.
Scheme by Elgamal, 1985
Diffie-Hellman key exchange, 1976
12
Numbers better than bits: Hash functions
Map $H : \{0,1\}^* \to \{0,1\}^k$
Specifications regard computability:
  Computable: Map $H$ is computable
  One-way: From $y = H(x)$, $x$ cannot be found
  Collision-free: No $x_1, x_2$ can be found s.t. $H(x_1) = H(x_2)$ (Such $x_1, x_2$ exist)
13
Fair Guessing Games
Linda agrees to date Jon if he correctly guesses parity of $x$
  L chooses $x$; commits with $y = H(x)$
  J guesses even/odd
  L reveals $x$
Cheating?
  $y$ doesn’t reveal $x$ to Jon: one-way
  $y$ binds Linda: collision-free
14
Bit manipulation: MD5
How does it work
  XOR, AND, OR words
  Combine with sin bits
  Four rounds in
Why does it work?
  Why four rounds?
  MD4 background
  Why this combination?
  Attacks on variants
Why is it secure?
  It isn’t! Collision found 2004
  Answer: MD6?
15
Discrete Log Hash (Chaum)
How does it work
  Select random $b$: $H(x, x') = g^x \cdot b^{x'}$
Why does it work
  log($b$): $a$ s.t. $g^a = b$ will never be known
  $H(x, x') = H(y, y')$
  $g^x \cdot b^{x'} = g^y \cdot b^{y'}$
  $a = (x - y)(y' - x')^{-1}$
Cryptographically strong collision free
16
Trapdoor Hash
Cheat in generation of $H$.
Select $b = g^a$ instead of random $b$.
Collision: $g^x \cdot b^{x'} = g^{x - a \cdot z} \cdot b^{x' + z}$
Trapped $H$ remains cryptographically strong one-way.
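The collision argument of slide 15 and the trapdoor of slide 16, as an added example that is not part of the original slides. The group parameters are toy values constructed for the example and the function names are hypothetical.

```python
# Toy parameters (constructed for this example): P = 2Q + 1 and G generates
# the subgroup of prime order Q. Real groups are thousands of bits long.
P, Q, G = 2039, 1019, 4

def chaum_hash(b, x, x2):
    """H(x, x') = g^x * b^x' mod p, exponents taken modulo the order q."""
    return pow(G, x % Q, P) * pow(b, x2 % Q, P) % P

def log_from_collision(m1, m2):
    """From H(x, x') = H(y, y') with x' != y': a = (x - y)(y' - x')^-1 mod q."""
    (x, x2), (y, y2) = m1, m2
    return (x - y) * pow(y2 - x2, -1, Q) % Q

def trapdoor_collision(a, x, x2, z):
    """Whoever generated b = g^a can shift any input to (x - a*z, x' + z)."""
    return ((x - a * z) % Q, (x2 + z) % Q)

def demo():
    a = 777                       # trapdoor kept by a cheating generator (constructed)
    b = pow(G, a, P)              # published as if it were a random b
    m1 = (123, 456)               # constructed input
    m2 = trapdoor_collision(a, *m1, z=5)
    return b, m1, m2, log_from_collision(m1, m2)
```

The same pair of colliding inputs that the trapdoor holder can produce at will hands `a` to anyone who sees it, which is why a collision for an honestly generated `b` would solve the discrete log.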
17
Gerard Tel, Part 2:
Cryptographic tools:
  Zero knowledge
  Secret sharing
  Combine all: group decryption
18
Zero knowledge proofs
Example: Identification
  A gives bank $b = H(a)$
  Bank pays on seeing $a$
If Alice shows $a$: employee, eavesdropper become as powerful.
Alice proves to know $a$ without showing; implicitly proves existence of $a$ s.t. $H(a) = b$
Can be done for all NP statements
19
ZKP of a Discrete Log
Bob sees $b$, Alice holds $a$ s.t. $b = g^a$
Alice proves this knowledge:
  Alice: random $r$, set $s = g^r$ and gives Bob $s$
  Claim: I know log of $s \cdot b^c$ for any $c$
  Bob: challenges Alice with one random $c$
  Alice: replies $y = r + a \cdot c$
  Bob: verifies that $g^y = s \cdot b^c$
If Alice indeed holds the right $a$, Bob’s check comes out right.
20
Can Alice cheat?
Assume Alice guesses Bob’s $c$ beforehand:
  Random $y$
  Take $s = g^y \cdot b^{-c}$ and send $s$ to Bob
  Now $g^y = s \cdot b^c$
Alice passes protocol without knowing $a$
Probability of correct guess is extremely small: negligible
21
What does Bob learn?
Triple $(s, c, y)$
  $s$ is random power
  $c$ is random number
  $y$ solves $g^y = s \cdot b^c$
Bob already knew such numbers!! They can be generated from Bob’s data.
To generate such, choose
  $c$ as random number
  $y$ as random number
  $s$ as $g^y / b^c$
22
How can it convince?
Compute in order $s, c, y$: needs $a$
Compute in order $y, c, s$: don’t need $a$
Protocol enforces $s, c, y$
Transcript doesn’t show order.
23
Order s, c, y w/o guessing c
Alice sends $s$, and can respond on $c_1$ and $c_2$
Alice knows $y_1$ and $y_2$ s.t. $g^{y_1} = s \cdot b^{c_1}$ and $g^{y_2} = s \cdot b^{c_2}$
Then $b = g^{(y_1 - y_2)/(c_1 - c_2)}$: Alice knows $a$.
Alice cannot fool Bob without knowing $a$.
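Slides 19 to 23 in one added example (not part of the original slides): the honest run, the transcript generated in order y, c, s without the secret, and the recovery of a from two replies to one s. The toy group and all function names are assumptions made for the example.

```python
import secrets

# Toy group, constructed for this example: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    a = secrets.randbelow(Q - 1) + 1      # secret a in 1..Q-1
    return a, pow(G, a, P)                # public b = g^a

def commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                # Alice keeps r, sends s = g^r

def respond(a, r, c):
    return (r + a * c) % Q                # exponents live modulo the order Q

def verify(b, s, c, y):
    return pow(G, y, P) == s * pow(b, c, P) % P

def simulate(b, c=None):
    """Order y, c, s: no secret needed (slides 20 and 21).

    With c random this is a transcript Bob can generate himself; with c
    fixed in advance it is the prover who guessed the challenge.
    """
    if c is None:
        c = secrets.randbelow(Q)
    y = secrets.randbelow(Q)
    s = pow(G, y, P) * pow(b, -c, P) % P  # s = g^y / b^c
    return s, c, y

def extract(c1, y1, c2, y2):
    """Two valid replies for one s with c1 != c2 give a (slide 23)."""
    return (y1 - y2) * pow(c1 - c2, -1, Q) % Q
```

A prover who prepared `s` with `simulate(b, c=7)` passes only if Bob really asks 7; for the same reason a commitment `r` must never be reused, since two replies under one `s` expose `a` through `extract`.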
24
Secret Sharing
Goal: share holders together know $a$
Share: related to $a$
  $k - 1$ shares reveal nothing
  $k$ shares reveal all in reconstruction
  Or allow computations with $a$
25
Concepts in Sharing
Use:
  Bank, company
  Nuclear heads
  Digital money
  Key escrow
  Digital voting
How many shares
  Veto (split)
  Threshold (share)
Cheating protection
  Holders can cheat
  Verifiable
Actions with secret
  Reconstruction
  Use
26
Additive secret split
Definition: $a = a_1 + \dots + a_i + \dots + a_k$
The secret is the sum of the shares
Protection: No subset of shareholders can collude to access the secret
Given $k - 1$ shares, every $a$ is still possible
Generation: SH$_i$ sets random $a_i$; now $a$ is defined implicitly but unknown
27
Example: Elgamal decrypt
Construction of public key
  SH$_i$ computes and shows: $b_i = g^{a_i}$ (partial public key and public share)
  Compute $b = b_1 \cdot \ldots \cdot b_k$
  Now $b = g^a$, though $a$ is still unknown!
How to send a message:
  Use public $b$ to compute $(u, v)$ as usual: $(u, v) = (g^k, x \cdot b^k)$
28
Decrypting with shared key
Computation of $v \cdot (u^a)^{-1}$
Pool shares: $a = a_1 + \dots + a_k$? Compromises splitting!!
To compute $u^a$: SH$_i$ sends $z_i = u^{a_i}$
Let $z = z_1 \cdot \ldots \cdot z_k$
Let $x = v \cdot z^{-1}$
Secret key is still unknown
29
Cheating Shareholders
If SH$_i$ doesn’t like the message she may submit a $z_i$ different from $u^{a_i}$
If SH$_i$ is fair she knows $a_i$ s.t. both $z_i = u^{a_i}$ and $b_i = g^{a_i}$.
Proves knowledge in Zero Knowledge
Encryption, ZKP, Commit, Sharing
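An added example (not part of the original slides) that ties together Elgamal encryption from slide 10 and the shared decryption of slides 27 to 29. The slides do not spell out the proof of slide 29; running the slide-19 protocol on the two bases g and u at once (commonly called a Chaum-Pedersen proof) is this example's assumption, as are the toy group and the function names.

```python
import secrets

# Toy group, constructed for this example: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def prod(values):
    out = 1
    for v in values:
        out = out * v % P
    return out

def encrypt(b, x):
    k = secrets.randbelow(Q - 1) + 1               # new blinder exponent per message
    return pow(G, k, P), x * pow(b, k, P) % P      # (u, v) = (g^k, x * b^k)

def prove_share(ai, bi, u, zi):
    """Three moves showing one a_i gives both b_i = g^a_i and z_i = u^a_i."""
    r = secrets.randbelow(Q)
    s1, s2 = pow(G, r, P), pow(u, r, P)            # SH_i commits on both bases
    # Verifier's challenge, chosen after s1, s2. Nonzero because c = 0 checks
    # nothing, and in a group this small 0 would actually turn up.
    c = secrets.randbelow(Q - 1) + 1
    y = (r + ai * c) % Q                           # SH_i replies
    return (pow(G, y, P) == s1 * pow(bi, c, P) % P and
            pow(u, y, P) == s2 * pow(zi, c, P) % P)

def committee_decrypt(x, k=3, cheater=None):
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(k)]   # a_i, never pooled
    pubs = [pow(G, a, P) for a in shares]                       # b_i = g^a_i
    u, v = encrypt(prod(pubs), x)                               # b = b_1 * ... * b_k
    zs = [pow(u, a, P) for a in shares]                         # z_i = u^a_i
    if cheater is not None:
        zs[cheater] = zs[cheater] * G % P                       # submits a wrong z_i
    ok = [prove_share(a, bi, u, zi) for a, bi, zi in zip(shares, pubs, zs)]
    return v * pow(prod(zs), -1, P) % P, ok                     # x = v * z^-1
```

With `cheater=1` the recovered number is wrong and the second entry of `ok` is `False`, so the committee learns which partial decryption to reject without anyone revealing a share.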
30
Perfect Secret Shares
Theorem: through $k$ points runs exactly one curve of degree $k - 1$
Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$
  $f(z) = a_0 + a_1 z + \dots + a_{k-1} z^{k-1}$
Share $s_i$ is $f(i)$
Reconstruction from $k$ points: polynomial interpolation
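Dealing and reconstruction as described on this slide, as an added example that is not part of the original slides. Working modulo a prime M is an assumption (the slide does not name the field), and the modulus, parameter n (number of shares handed out) and function names are constructed for the example.

```python
import secrets
from itertools import combinations

M = 2039  # prime field modulus (constructed toy value); needs n < M

def deal(a, k, n):
    """Shares s_i = f(i), i = 1..n, where f has degree k-1 and f(0) = a."""
    coeffs = [a % M] + [secrets.randbelow(M) for _ in range(k - 1)]
    def f(z):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation of f(z) mod M
            acc = (acc * z + c) % M
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct(points):
    """Lagrange interpolation at z = 0 from k distinct points (i, s_i)."""
    a = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % M         # factor (0 - x_j)
                den = den * (xi - xj) % M     # factor (x_i - x_j)
        a = (a + yi * num * pow(den, -1, M)) % M
    return a

def all_subsets_agree(a, k, n):
    """Every choice of k shares out of n must give back the same secret."""
    shares = deal(a, k, n)
    return all(reconstruct(list(sub)) == a for sub in combinations(shares, k))
```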
31
Conclusions
Numbers as basis for cryptography
Most of cryptography is unproven: Relies on P ≠ NP
Tool box based on Discrete Logarithm: Encrypt, Hash, ZKP, Secret share
Alternative tool boxes based on Integer Factorization: RSA
32
Questions?
33
Formulas on Discrete Log Cryptography
Compute modulo p
Secret: $a$
Public: $b$
Related: $g^a = b$
Elgamal Functions:
  $E_b(x) = (g^k, x \cdot b^k)$
  $D_a(u, v) = v \cdot (u^a)^{-1}$
Chaum’s Hash: $H(x, x') = g^x \cdot b^{x'}$
ZKP of log($b$):
  A: Rnd $r$, send $s = g^r$
  B: Rnd $c$, send $c$
  A: Send $y = r + ac$
  B: Check $g^y = s \cdot b^c$
Additive Secret Split: $a = a_1 + \dots + a_k$