theory and practice of cryptography · 2020. 10. 15. · alice: 1. gives bob access to both...
TRANSCRIPT
![Page 1: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/1.jpg)
Theory and Practice of Cryptography
Theory of Cryptography
![Page 2: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/2.jpg)
Recap of Week 2
Course materials on: http://saweis.net/crypto.shtml
Video on YouTube:http://youtube.com/watch?v=KDvt_0cafPw
![Page 3: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/3.jpg)
Today's Lecture
What does it mean for a cryptosystem to be secure?
How do we prove security?
What are zero knowledge proofs?
Does cryptography exist?
![Page 4: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/4.jpg)
What does "secure" mean?
Would you trust a cryptosystem that leaked a single bit?
![Page 5: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/5.jpg)
A Cryptographic Game
Alice:1. Generates a public key and sends it to Bob.
3. Picks a random bit b
4. Sends Bob c=E(mb)
Bob:
2. Sends Alice two messages: m0 and m1
5. Given c, tried to guess b
![Page 6: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/6.jpg)
Semantic security
IND-CPA: Indistinguishability under chosen plaintext attack
![Page 7: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/7.jpg)
RSA Example
Alice:1. Sends Bob a RSA public key: (n, e) = (2701, 5)
3. Picks a random bit b=0
4. Sends Bob c=10^5 mod 2701 = 63
Bob:
2. Sends Alicem0=10 and m1=42
5. Bob can trivially tell that c=E(m0) and outputs 0
![Page 8: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/8.jpg)
RSA is not semantically secure
No deterministic cryptosystem is
![Page 9: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/9.jpg)
ElGamal
Taher ElGamal, 1984:Cyclic group G and generator gPrivate key sPublic key h = g^sE(h, m) = (g^r, mh^r) = (c, d)D(s, c, d) = d/(c^s) = mh^r/g^(rs) = m
Some nice properties:Semantic security (under DDH assumption)Ciphertexts can be re-randomizedHomomorphic multiplicationSupports precomputationConducive to ZK proofs
![Page 10: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/10.jpg)
Proof by reduction
Computational DH: Given (g, g^a, g^b) output g^(ab)Decisional DH: Given (g, g^a, g^b) distinguish g^(ab) and g^c
If Bob has a non-negligible advantage in winning the IND-CPA game, we can use him as an oracle for solving the DDH.
If DDH is hard, then ElGamal is semantically secure.
DDH is thought to be hard in several efficiently computable groups, but is not hard in Zp*.
![Page 11: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/11.jpg)
Lunchtime Attack
Alice:1. Gives Bob access to both encryption and decryption oracles, E and D.
4. Picks a random bit b5. Sends Bob c=E(mb)
Bob:
2. Talks to both oracles.3. Sends Alice two messages: m0 and m1
6. Talks to just the E oracle.7. Guesses a bit b'
![Page 12: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/12.jpg)
Adaptive Chosen Ciphertext Attack
Alice:1. Gives Bob access to both encryption and decryption oracles, E and D.
4. Picks a random bit b5. Sends Bob c=E(mb)
Bob:
2. Talks to both oracles.3. Sends Alice two messages: m0 and m1
6. Talks to both oracles, but can't ask D to decrypt c.7. Guesses a bit b'
![Page 13: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/13.jpg)
ElGamal IND-CCA2 Game
Alice:1. Gives Bob public key (g, h) and decryption oracle D.
4. Picks a random bit b5. Sends (c,d)=(g^r, mbh^r)
Bob:
2. Sends Alice two messages: m0 and m1
6. Asks D to decrypt (c, 2d) to get 2mb
7. Correctly outputs b
![Page 14: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/14.jpg)
ElGamal is not CCA2 secure
But Cramer-Shoup is under DDH
![Page 15: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/15.jpg)
Recap
RSA: Not semantically secure
ElGamal: Semantically secure, not CCA2 secure
Cramer-Shoup: CCA2 secure under DDH assumption
RSA-OAEP: CCA2 secure in "random oracle model"
Can convert any IND-CPA scheme into a IND-CCA2 scheme with the use of zero knowledge proofs
![Page 16: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/16.jpg)
What's a zero knowledge proof?
Prove a statement without revealing anything but its veracity.
![Page 17: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/17.jpg)
Ali Baba's Cave: Commitment
![Page 18: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/18.jpg)
Ali Baba's Cave: Challenge
![Page 19: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/19.jpg)
Ali Baba's Cave: Response
![Page 20: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/20.jpg)
ZK Proof of Graph 3-Colorability
Alice knows a 3-coloring of a graph. Wants to prove it to Bob.
![Page 21: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/21.jpg)
ZK Proof of Graph 3-Colorability
Each round, she randomly relabels her graph coloring:
![Page 22: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/22.jpg)
ZK Proof of Graph 3-Colorability
Alice sends Bob a commitment of each relabeled vertex:
![Page 23: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/23.jpg)
ZK Proof of Graph 3-Colorability
Bob challenges Alice with an edge. She reveals the vertices:
![Page 24: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/24.jpg)
Future of Zero Knowledge
Potential applications:Authentication
Secure Multiparty Computation
Voting Protocols
Much work to be done and many flavors in the literature:Perfect, statistical, computational, honest-verifier, non-interactive, concurrent, resettable, public-coin, constant-round, witness indistinguishable, precise, etc.
![Page 25: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/25.jpg)
Crypto "Complexity Classes"
The following all imply each other:One way functionsPseudo-random generatorsSymmetric-key encryptionPublic key signature schemesBit commitments
Trapdoor permutations imply...Public key encryption, which imply...Key agreement protocols, which imply...One-way functions
![Page 26: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/26.jpg)
Does cryptography exist?
We don't know.
![Page 27: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/27.jpg)
Cryptography implies P≠NP
But P≠NP should not imply crypto
![Page 28: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/28.jpg)
"Hardness" in practical systems?
Hardness based on several different mathematical problems:Factoring is in (NP ∩ co-NP) and BQP
Discrete logarithms
Finding shortest vectors in a lattice
Decoding random binary linear codes
![Page 29: Theory and Practice of Cryptography · 2020. 10. 15. · Alice: 1. Gives Bob access to both encryption and decryption oracles, E and D. 4. Picks a random bit b 5. Sends Bob c=E(mb)](https://reader035.vdocuments.us/reader035/viewer/2022071408/6100b4aba0f3ee06557e0f63/html5/thumbnails/29.jpg)
Next Week: Ben Adida
Cryptographic voting protocols