cryptography: numbers and tools

Cryptography: Numbers and Tools. Gerard Tel, Dept of Computing Science, Utrecht

Upload: sadie

Post on 18-Jan-2016

Page 1: Cryptography: Numbers and Tools

Cryptography: Numbers and Tools

Gerard Tel, Dept of Computing Science, Utrecht

Talk overview

Part 1: Numbers for Crypto
- Definition and existence: require P ≠ NP
- Encryption with numbers: Elgamal
- Numbers versus Ad hoc: Hashing

Part 2: Tools
- Zero knowledge proofs
- Secret Sharing
- Combined application: Verified committee decryption

Cryptography: The art of protection using information

To have or not to have…

To know or not to know

Definition (Knowledge): Party X knows all information he can feasibly compute from his available resources (facts and computing power)

Two examples

Encryption (AES)
- Alice sends email $y = E_k(x)$
- Bob computes $x = D_k(y)$
- Oscar knows no $k$: which $D$ function?

Identification with One-way function $H$
- A gives Bank $b = H(a)$
- Bank pays on seeing $a'$ s.t. $H(a') = b$
- O knows no $a'$

More general example

Public/Secret pairs
- Alice holds secret $a$
- Bob holds public $b$
- Relation $P(a, b)$

Require: Oscar cannot compute $a$ from $b$
But: Oscar can recognize $a$ by verifying $P$

I recognize it when I see it… but I don’t know it

Assumption: Discrete Log

Compute modulo large $p$: $0, 1, \ldots, p - 1$

Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \ldots, g^{\mathrm{ord}} = 1$

Fix $g$ of high prime order.

From $a$, power $b = g^a$ is computable

Assumption: From $b$, log $a$ s.t. $b = g^a$ is not computable

The Elgamal Party Game

Program: exponentiation, discrete log, Elgamal

Booklet: group demo of send/receive

Compute $k$-bit integers:
- Expo: $k^3$ time
- DLog: $\sqrt{2^k}$ time

www.cs.uu.nl/~gerard/Cryptografie/Elgamal

Symmetric encryption

Secret message is number: $x$

Alice and Bob share a key: $z$ (blinder)

Encryption: $y = E_z(x) = x \cdot z$

Decryption: $x = D_z(y) = y \cdot z^{-1}$

Msg unreadable w/o blinder!

Difficulty: safely sharing $z$

Elgamal encryption

New blinder for each message

Information about $z$ with msg

Readable only with $a$ s.t. $g^a = b$

$E_b$: $(u, v) = (g^k, b^k \cdot x)$

$D_a$: $x = v \cdot (u^a)^{-1}$

Blinder at Enc $= (g^a)^k$, at Dec $= (g^k)^a$

a

Imperial number $b$: 51284

Key generation

How can Caesar know log(b)?
It is not computable from a!

Choose random $a$; // Secret key
Let $b = g^a$; // Public key
Publish $b$ as the Imperial Number.

Scheme by Elgamal, 1985
Diffie-Hellman key exchange, 1976

Numbers better than bits: Hash functions

Map $H : \{0,1\}^* \to \{0,1\}^k$

Specifications regard computability:
- Computable: Map $H$ is computable
- One-way: From $y = H(x)$, $x$ cannot be found
- Collision-free: No $x_1, x_2$ can be found s.t. $H(x_1) = H(x_2)$ (Such $x_1, x_2$ exist)

Fair Guessing Games

Linda agrees to date Jon if he correctly guesses parity of $x$
- L chooses $x$; commits with $y = H(x)$
- J guesses even/odd
- L reveals $x$

Cheating?
- $y$ doesn’t reveal $x$ to Jon: one-way
- $y$ binds Linda: collision-free

Bit manipulation: MD5

How does it work
- XOR, AND, OR words
- Combine with sin bits
- Four rounds in

Why does it work?
- Why four rounds? MD4 background
- Why this combination? Attacks on variants

Why is it secure?
- It isn’t! Collision found 2004
- Answer: MD6?

Discrete Log Hash (Chaum)

How does it work
- Select random $b$: $H(x, x') = g^x \cdot b^{x'}$

Why does it work
- log(b): $a$ s.t. $g^a = b$ will never be known
- $H(x, x') = H(y, y')$
- $g^x \cdot b^{x'} = g^y \cdot b^{y'}$
- $a = (x - y)(y' - x')^{-1}$

Cryptographically strong collision free

Trapdoor Hash

Cheat in generation of $H$. Select $b = g^a$ instead of random $b$.

Collision: $g^x \cdot b^{x'} = g^{x - a \cdot z} \cdot b^{x' + z}$

Trapped $H$ remains cryptographically strong one-way.
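
The two directions described on the "Discrete Log Hash (Chaum)" and "Trapdoor Hash" slides, as an added example that is not part of the talk: any collision reveals log(b), and whoever knows a = log(b) can produce collisions at will. The toy group (p = 467, q = 233, g = 4) and all function names are assumptions of this example.

```python
# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime, and g = 4 has prime order q modulo p.
P, Q, G = 467, 233, 4

def chaum_hash(b, x, x2):
    return pow(G, x, P) * pow(b, x2, P) % P          # H(x, x') = g^x * b^x'

def log_from_collision(c1, c2):
    """H(x, x') = H(y, y') for two different inputs yields
    a = (x - y) * (y' - x')^-1 mod q, the discrete log of b."""
    (x, x2), (y, y2) = c1, c2
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def find_collision(b):
    """Exhaustive search; it finishes quickly only because q is tiny."""
    seen = {}
    for x2 in range(Q):
        for x in range(Q):
            h = chaum_hash(b, x, x2)
            if h in seen:
                return seen[h], (x, x2)
            seen[h] = (x, x2)

def trapdoor_collision(a, x, x2, z):
    """Whoever generated b = g^a can shift any input by z (z != 0 mod q):
    (x - a*z, x' + z) hashes to the same value as (x, x')."""
    return (x - a * z) % Q, (x2 + z) % Q

if __name__ == "__main__":
    a = 57                                           # constructed trapdoor value
    b = pow(G, a, P)
    print("log recovered from a collision:", log_from_collision(*find_collision(b)))
    print("trapdoor collision for (10, 20):", trapdoor_collision(a, 10, 20, 5))
```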

Gerard Tel, Part 2:

Cryptographic tools:
- Zero knowledge
- Secret sharing
- Combine all: group decryption

Zero knowledge proofs

Example: Identification
- A gives bank $b = H(a)$
- Bank pays on seeing $a$

If Alice shows $a$: employee, eavesdropper become as powerful.

Alice proves to know $a$ without showing; implicitly proves existence of $a$ s.t. $H(a) = b$

Can be done for all NP statements

ZKP of a Discrete Log

Bob sees $b$, Alice holds $a$ s.t. $b = g^a$

Alice proves this knowledge:
- Alice: random $r$, set $s = g^r$ and gives Bob $s$. Claim: I know log of $s \cdot b^c$ for any $c$
- Bob: challenges Alice with one random $c$
- Alice: replies $y = r + a \cdot c$
- Bob: verifies that $g^y = s \cdot b^c$

If Alice indeed holds the right a, Bob’s check comes out right.

Can Alice cheat?

Assume Alice guesses Bob’s $c$ beforehand:
- Random $y$
- Take $s = g^y \cdot b^{-c}$ and send $s$ to Bob
- Now $g^y = s \cdot b^c$

Alice passes protocol without knowing $a$

Probability of correct guess is extremely small: negligible

What does Bob learn?

Triple $(s, c, y)$
- $s$ is random power
- $c$ is random number
- $y$ solves $g^y = s \cdot b^c$

Bob already knew such numbers!! They can be generated from Bob’s data.

To generate such, choose
- $c$ as random number
- $y$ as random number
- $s$ as $g^y / b^c$

How can it convince?

Compute in order $s, c, y$: needs $a$
Compute in order $y, c, s$: don’t need $a$

Protocol enforces $s, c, y$
Transcript doesn’t show order.

Order s, c, y w/o guessing c

Alice sends s, and can respond on c1 and c2

Alice knows $y_1$ and $y_2$ s.t. $g^{y_1} = s \cdot b^{c_1}$ and $g^{y_2} = s \cdot b^{c_2}$

Then $b = g^{(y_1 - y_2)/(c_1 - c_2)}$: Alice knows $a$.

Alice cannot fool Bob without knowing a.
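
The protocol from the "ZKP of a Discrete Log" slide together with the two arguments that follow it, as an added example that is not part of the talk: `simulate` builds an accepting triple in the order y, c, s from public data only, and `extract` recovers a from two answers to the same s. The toy group (p = 467, q = 233, g = 4) and all function names are assumptions of this example.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime, and g = 4 has prime order q modulo p.
P, Q, G = 467, 233, 4

def keygen():
    a = secrets.randbelow(Q - 1) + 1                 # secret a
    return a, pow(G, a, P)                           # public b = g^a

def commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)                           # Alice sends s = g^r

def respond(a, r, c):
    return (r + a * c) % Q                           # y = r + a*c, exponents mod q

def verify(b, s, c, y):
    return pow(G, y, P) == s * pow(b, c, P) % P      # Bob checks g^y == s * b^c

def simulate(b):
    """Order y, c, s: pick c and y at random, then solve s = g^y / b^c.
    Needs no secret, so a transcript teaches Bob nothing new."""
    c, y = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, y, P) * pow(b, -c, P) % P, c, y

def extract(c1, y1, c2, y2):
    """Two accepted answers for one s with c1 != c2 give
    a = (y1 - y2) / (c1 - c2) mod q."""
    return (y1 - y2) * pow((c1 - c2) % Q, -1, Q) % Q

def zkp_demo():
    a, b = keygen()
    r, s = commit()
    c = secrets.randbelow(Q)
    honest = verify(b, s, c, respond(a, r, c))       # order s, c, y
    simulated = verify(b, *simulate(b))              # order y, c, s
    c2 = (c + 1) % Q                                 # a second challenge on the same s
    recovered = extract(c, respond(a, r, c), c2, respond(a, r, c2))
    return honest, simulated, recovered == a

if __name__ == "__main__":
    print(zkp_demo())
```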

Secret Sharing

Goal: share holders together know a

Share: related to $a$
- $k - 1$ shares reveal nothing
- $k$ shares reveal all in reconstruction
- Or allow computations with $a$

Concepts in Sharing

Use:
- Bank, company
- Nuclear heads
- Digital money
- Key escrow
- Digital voting

How many shares
- Veto (split)
- Threshold (share)

Cheating protection
- Holders can cheat
- Verifiable

Actions with secret
- Reconstruction
- Use

Additive secret split

Definition: $a = a_1 + \ldots + a_i + \ldots + a_k$

The secret is the sum of the shares

Protection: No subset of shareholders can collude to access the secret
Given $k - 1$ shares, every $a$ is still possible

Generation: SH$_i$ sets random $a_i$; now $a$ is defined implicitly but unknown

Example: Elgamal decrypt

Construction of public key
- SH$_i$ computes and shows: $b_i = g^{a_i}$ (partial public key and public share)
- Compute $b = b_1 \cdot \ldots \cdot b_k$

Now $b = g^a$, though $a$ is still unknown!

How to send a message:
- Use public $b$ to compute $(u, v)$ as usual: $(u, v) = (g^k, x \cdot b^k)$

Decrypting with shared key

Computation of $v \cdot (u^a)^{-1}$

Pool shares: $a = a_1 + \ldots + a_k$? Compromises splitting!!

To compute $u^a$:
- SH$_i$ sends $z_i = u^{a_i}$
- Let $z = z_1 \cdot \ldots \cdot z_k$
- Let $x = v \cdot z^{-1}$

Secret key is still unknown

Cheating Shareholders

If SH$_i$ doesn’t like the message she may submit a $z_i$ different from $u^{a_i}$

If SH$_i$ is fair she knows $a_i$ s.t. both $z_i = u^{a_i}$ and $b_i = g^{a_i}$.

Proves knowledge in Zero Knowledge

Encryption, ZKP, Commit, Sharing
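
Elgamal encryption ("Elgamal encryption" and "Key generation" slides) and committee decryption with an additively split key ("Example: Elgamal decrypt" through "Cheating Shareholders"), as one added example that is not part of the talk. The share check runs the discrete-log proof on the two bases g and u with a single r, which is this example's assumption about how the proof on the last of those slides can be realised; the toy group and all names are assumptions too.

```python
import secrets
from math import prod

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with q prime, and g = 4 has prime order q modulo p.
P, Q, G = 467, 233, 4

def encrypt(b, x):
    k = secrets.randbelow(Q - 1) + 1              # fresh blinder exponent per message
    return pow(G, k, P), x * pow(b, k, P) % P     # (u, v) = (g^k, x * b^k)

def decrypt(a, u, v):
    return v * pow(pow(u, a, P), -1, P) % P       # x = v * (u^a)^-1

def combine(parts, v):
    return v * pow(prod(parts) % P, -1, P) % P    # x = v * (z_1 * ... * z_k)^-1

def share_proof_ok(ai, bi, u, zi):
    """Plays both roles of the proof: accepts only if log_g(b_i) == log_u(z_i).
    The prover answers with the a_i it really holds."""
    r = secrets.randbelow(Q)
    s1, s2 = pow(G, r, P), pow(u, r, P)           # prover: commitments g^r and u^r
    c = secrets.randbelow(Q - 1) + 1              # verifier: random challenge
    y = (r + ai * c) % Q                          # prover: y = r + a_i * c
    return (pow(zi, Q, P) == 1                    # z_i must lie in the order-q subgroup
            and pow(G, y, P) == s1 * pow(bi, c, P) % P
            and pow(u, y, P) == s2 * pow(zi, c, P) % P)

def committee_demo(x=123, holders=3):
    shares = [secrets.randbelow(Q) for _ in range(holders)]   # SH_i picks a_i privately
    publics = [pow(G, ai, P) for ai in shares]                # and shows b_i = g^(a_i)
    b = prod(publics) % P                                     # joint key; a is never formed
    u, v = encrypt(b, x)
    parts = [pow(u, ai, P) for ai in shares]                  # z_i = u^(a_i)
    honest = all(share_proof_ok(ai, bi, u, zi)
                 for ai, bi, zi in zip(shares, publics, parts))
    bad = parts[0] * G % P                                    # SH_1 submits a wrong z_1
    caught = not share_proof_ok(shares[0], publics[0], u, bad)
    return combine(parts, v), honest, caught, combine([bad] + parts[1:], v)

if __name__ == "__main__":
    print(committee_demo())
```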

Perfect Secret Shares

Theorem: through $k$ points runs exactly one curve of degree $k - 1$

Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$
$f(z) = a_0 + a_1 z + \ldots + a_{k-1} z^{k-1}$

Share $s_i$ is $f(i)$

Reconstruction from k points: polynomial interpolation
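
Dealing and reconstruction as described on the "Perfect Secret Shares" slide, as an added example that is not part of the talk. It also shows why k - 1 shares reveal nothing: for any candidate secret, a k-th share exists that makes the candidate the reconstructed value. Arithmetic modulo the prime 2^61 - 1, the parameter n (number of shares dealt) and all function names are assumptions of this example.

```python
import secrets

M = 2**61 - 1   # prime modulus; an assumption, the slide does not name a field

def deal(a, k, n):
    """Shares s_i = f(i) for i = 1..n of
    f(z) = a0 + a1*z + ... + a_(k-1)*z^(k-1) with a0 = a."""
    coeffs = [a % M] + [secrets.randbelow(M) for _ in range(k - 1)]
    def f(z):
        acc = 0
        for c in reversed(coeffs):                # Horner evaluation
            acc = (acc * z + c) % M
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def interpolate(points, z=0):
    """Lagrange interpolation: value at z of the unique curve of degree
    <= len(points) - 1 through the points. z = 0 gives a0, the secret."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (z - xj) % M
                den = den * (xi - xj) % M
        total = (total + yi * num * pow(den, -1, M)) % M
    return total

def share_consistent_with(points, candidate, x_new):
    """Given k - 1 real shares and ANY candidate secret, return the share at
    x_new that would make the candidate the reconstructed secret."""
    return x_new, interpolate([(0, candidate)] + points, x_new)

if __name__ == "__main__":
    shares = deal(42, k=3, n=5)                   # constructed sample secret
    print("from 3 shares:", interpolate(shares[1:4]))
    fake = share_consistent_with(shares[:2], 99, 3)
    print("2 real shares + fitted third:", interpolate(shares[:2] + [fake]))
```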

Conclusions

Numbers as basis for cryptography

Most of cryptography is unproven: Relies on P ≠ NP

Tool box based on Discrete Logarithm: Encrypt, Hash, ZKP, Secret share

Alternative tool boxes based on Integer Factorization: RSA

Questions?

Formulas on Discrete Log Cryptography

Compute modulo $p$

Secret: $a$
Public: $b$
Related: $g^a = b$

Elgamal Functions:
$E_b(x) = (g^k, x \cdot b^k)$
$D_a(u, v) = v \cdot (u^a)^{-1}$

Chaum’s Hash:
$H(x, x') = g^x \cdot b^{x'}$

ZKP of log(b):
- A: Rnd $r$, send $s = g^r$
- B: Rnd $c$, send $c$
- A: Send $y = r + ac$
- B: Check $g^y = s \cdot b^c$

Additive Secret Split:
$a = a_1 + \ldots + a_k$