# Proofs and Tools

Nov 21, 2013 (4 years and 7 months ago)

1

Cryptography: Proofs and Tools

Gerard Tel

Dept of Computer Science, Utrecht

2

Talk overview

Part 1: Proofs

Definition and existence

Proofs with numbers

Numbers versus “Ad hoc”

Part 2: Tools

Signature schemas

Zero knowledge proofs

Secret Sharing

3

Cryptography: The art of protection using information

To have or not to have….

To know or not to know

4

Two examples

Encryption (DES)

Alice sends email $y = E_k(x)$

Bob computes $x = D_k(y)$

Oscar knows no $k$: which $D$ function?

Identification with One-way function $H$

A gives Bank $b = H(a)$

Bank pays on seeing $a'$ s.t. $H(a') = b$

O knows no $a'$

5

Two more examples

Signatures

Alice signs $M$ with $x$

$S = \mathrm{Sig}(M, x)$

Bob verifies with $y$

$\mathrm{Ver}(M, S, y)$

Oscar cannot forge $S'$ for $M'$ s.t. $\mathrm{Ver}(M', S', y)$

Public Key pairs

Alice holds secret $x$

Bob holds public $y$

Relation $P(x, y)$

Oscar cannot compute $x$ from $y$

6

I recognize it when I see it ....

Encryption: $k$ s.t. $D_k(y)$ is text

Identification: $a'$ s.t. $H(a') = b$

Signatures: $S'$ s.t. $\mathrm{Ver}(M', S', y)$

Key pair: $x$ s.t. $P(x, y)$

7

…. But I don’t know it

8

Assumption: Factoring

Primes $p$ and $q$ (e.g. 512 bits)

$n = p \cdot q$ (1024 bits)

Given $n$, one recognizes $p$ and $q$

Assumption: Given $n$, computing $p$ is impossible

9

Assumption: Discrete Log

Compute modulo large $p$: $0, 1, \ldots, p-1$

Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \ldots, g^{\mathrm{ord}} = 1$

Fix $g$ of high order.

From $x$, power $y = g^x$ is computable

Assumption: From $y$, $x$ s.t. $y = g^x$ is not computable

10

Rabin’s encryption

Alice's secret key: $p$ and $q$; public key: product $n$

Bob encrypts $x$ as $y = x^2 \bmod n$

Alice decrypts as extracting square root

$p$ and $q$ are needed!

Oscar cannot extract roots

11

Square roots modulo $n$

A square number has 4 roots

$n = 77 = 7 \cdot 11$: $36^2 = 64$ (1296 mod 77)

36, 41, 8, 69 have square 64

Two pairs: $36 = -41$ and $8 = -69$

Combine from two pairs: $41 + 69 = 33$

$\gcd(33, 77) = 11$

12

Rabin: Provably Secure

If Oscar can find $x$ from $x^2 = y \bmod n$

Select random $z$

Solve $x$ from $x^2 = z^2$

Prob. 1/2: $x$ and $z$ differ: find $p$ and $q$

Contradicts Factoring Assumption

Rabin is cryptographically strong

13

Chosen Ciphertext Attack

Procedure for CCA:

Oscar sends Alice $y$, obtains $x$, computes

Rabin is vulnerable:

Oscar sends $y = z^2$, succeeds with Pr = 1/2

Decrypted messages as sensitive as key

Weakness inherent in strength
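The four roots from the $n = 77$ slide and the factoring argument of the two Rabin slides, as an added example that is not part of the talk. It assumes primes congruent to 3 mod 4 (true for 7 and 11), and `raw_decrypt` is a constructed stand-in for a decryption service that returns bare roots.

```python
import random
from math import gcd

def sqrt_mod_prime(y, p):
    """Square root of y modulo a prime p with p % 4 == 3 (assumption of this sketch)."""
    r = pow(y, (p + 1) // 4, p)
    if r * r % p != y % p:
        raise ValueError("y is not a square modulo p")
    return r

def four_roots(y, p, q):
    """All square roots of y mod p*q, combined from the roots mod p and mod q (CRT)."""
    n = p * q
    rp, rq = sqrt_mod_prime(y, p), sqrt_mod_prime(y, q)
    cp = q * pow(q, -1, p)          # 1 mod p, 0 mod q
    cq = p * pow(p, -1, q)          # 0 mod p, 1 mod q
    return sorted({(sp * cp + sq * cq) % n
                   for sp in (rp, p - rp) for sq in (rq, q - rq)})

def raw_decrypt(y, p=7, q=11):
    """Constructed oracle: Alice's decryption, returning the smallest root."""
    return four_roots(y, p, q)[0]

def factor_with_root_oracle(n, oracle, rng=None):
    """Whoever obtains roots of self-chosen squares learns p and q."""
    rng = rng or random.Random(0)   # fixed seed so the demo is repeatable
    while True:
        z = rng.randrange(2, n - 1)
        if gcd(z, n) != 1:
            continue
        x = oracle(z * z % n)       # some root of z^2, picked without knowing z
        if x not in (z, n - z):     # true for half of all z
            p = gcd(x + z, n)       # x^2 = z^2 but x != +-z: shared factor
            return tuple(sorted((p, n // p)))

if __name__ == "__main__":
    print(four_roots(64, 7, 11))
    print(factor_with_root_oracle(77, raw_decrypt))
```

This is why the slide calls decrypted messages as sensitive as the key: a deployment must never hand back raw roots of attacker-chosen values.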

14

RSA: Allegedly secure

Similar but use higher order roots.

Public key: $(n, e)$

Encryption $y = x^e$

Decryption $x = y^d$ ($d$ from $p$, $q$)

$e$th-rooting is believed but not proven to be as hard as factoring

15

RSA Decryption

$\varphi = (p-1)(q-1)$

All $x$: $x^{\varphi} = 1 \pmod{n}$

From $p$, $q$, $n$, $e$, compute $d$ s.t. $e \cdot d = k \cdot \varphi + 1$

$y^d = (x^e)^d = x^{k \cdot \varphi + 1} = 1^k \cdot x = x$

Secretly keep $d$, purge $p$, $q$.

16

RSA Keys are secure

Oscar finds $\varphi$ from $n$: $p + q = n - \varphi + 1$, solve $p$, $q$

Oscar finds $\varphi$ from $n$ and $e$: Simulate generation of $e$ to do without

Oscar finds $d$ from $n$ and $e$:

n

e, d

p
,
q

Key protection is cryptographically strong

17

Ad hoc versus Numbers: Hash functions

Map $H : \{0,1\}^* \to \{0,1\}^k$

One-way: From $y = H(x)$, $x$ cannot be found

Collision-free: No $x_1$, $x_2$ can be found s.t. $H(x_1) = H(x_2)$

Such $x_1$, $x_2$ exist

18

Fair Guessing Games

Linda dates Jon if Jon guesses parity of $x$

L chooses $x$ and gives $y = H(x)$

J guesses even/odd

L reveals $x$

Cheating

$y$ doesn’t reveal $x$ to Jon: one-way

$y$ binds Linda: collision-free

19

Bit manipulation: MD5

How does it work

XOR, AND, OR words

Combine with sin bits

Four rounds in

Why does it work

Why four rounds

MD4 background

Why this combination

Attacks on variants

Why is it secure?

We don’t know

20

Discrete Log Hash (Chaum)

How does it work

Select $g$, random $h$: $f(x, x') = g^x \cdot h^{x'}$

Why does it work

$\log(h)$: $a$ s.t. $g^a = h$ will never be known

$f(x, x') = f(y, y')$

$g^x \cdot h^{x'} = g^y \cdot h^{y'}$

$a = (x - y)(y' - x')^{-1}$

Cryptographically strong collision free

21

Trapdoor Hash

Cheat in generation of $f$.

Select $h = g^a$ instead of random $h$.

Collision: $g^x \cdot h^{x'} = g^{x - a \cdot z} \cdot h^{x' + z}$

Trapped $f$ remains cryptographically strong one-way.
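Both directions of the Chaum hash argument in one added example (not code from the talk): any collision reveals $\log(h)$, and whoever generated $h = g^a$ can produce collisions at will. The group $p = 1019$, $q = 509$, $g = 4$ is a constructed toy choice, small enough that a brute-force collision search finishes instantly.

```python
P, Q, G = 1019, 509, 4      # constructed: P = 2Q + 1, G has prime order Q

def f(x, x2, h):
    """f(x, x') = g^x * h^x' mod P."""
    return pow(G, x % Q, P) * pow(h, x2 % Q, P) % P

def log_from_collision(x, x2, y, y2):
    """The slide's formula: a = (x - y)(y' - x')^-1 mod Q."""
    return (x - y) * pow((y2 - x2) % Q, -1, Q) % Q

def find_collision(h):
    """Exhaustive search for two inputs with equal hash (toy group only)."""
    seen = {}
    for x in range(Q):
        for x2 in range(Q):
            v = f(x, x2, h)
            if v in seen:
                return (x, x2, *seen[v])
            seen[v] = (x, x2)
    return None

def trapdoor_collision(x, x2, a, z):
    """With h = g^a known to the generator: (x - a*z, x' + z) collides with (x, x')."""
    return (x - a * z) % Q, (x2 + z) % Q

if __name__ == "__main__":
    a = 321                              # constructed trapdoor value
    h = pow(G, a, P)
    print(log_from_collision(*find_collision(h)))    # recovers a
    print(trapdoor_collision(10, 20, a, 7))
```

In a real group the search in `find_collision` is infeasible, so a user of $f$ has to trust that nobody kept $a$ when $h$ was generated.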

22

Questions?

23

Gerard Tel, Part 2:

Cryptographic Tools:

Signatures

Zero knowledge

Secret Sharing

24

Digital Signatures

Alice signs message $M$: $S = \mathrm{Sig}(M, x)$

Bob verifies signature $S$: $\mathrm{Ver}(M, S, y)$

Validity: $\mathrm{Ver}(M, \mathrm{Sig}(M, x), y)$

Forgery: Oscar finds $M$, $S$: $\mathrm{Ver}(M, S, y)$

25

RSA Signatures

Public/Secret key: $(n, e)$ and $(n, d)$

Functions $x \mapsto x^e$ and $y \mapsto y^d$ are inverses

Sign $M$: $S = M^d$ (compute)

Verify $S$: $S^e = M$ (check)

Forge signature under $M$: Invert RSA public function

26

Existential Forgery

Oscar: random $S$, $M = S^e$.

$M$ takes special form

………01010101010101

Hash of longer message

27

Blind Signatures

Alice signs one message without seeing it

Bob has $M$, selects blinder $b$

Bob gives Alice blinded message $M' = M \cdot b$

Alice signs for Bob: $S' = {M'}^d$

Bob unblinds: divide by $b^d$.

28

Blind Signatures

Alice signs one message without seeing it

Bob has $M$, selects blinder $b = k^e$

Bob gives Alice blinded message $M' = M \cdot b$

Alice signs for Bob: $S' = {M'}^d$

Bob unblinds: divide by $b^d$

$S = S' / k$

Similar: Blind decryption
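The blinding steps above and the existential forgery of the earlier slide, worked through as an added example (not code from the talk). The key $n = 61 \cdot 53$, $e = 17$, $d = 2753$ is a constructed toy key, and `has_redundancy` is a hypothetical stand-in for the slide's "special form" requirement on $M$.

```python
from math import gcd

N, E, D = 3233, 17, 2753        # constructed toy RSA key, N = 61 * 53

def sign(m):
    """Alice: S = M^d."""
    return pow(m, D, N)

def verify(m, s):
    """Bob: check S^e = M."""
    return pow(s, E, N) == m % N

def blind(m, k):
    """Bob: blinder b = k^e, blinded message M' = M * b."""
    if gcd(k, N) != 1:
        raise ValueError("k must be invertible mod N")
    return m * pow(k, E, N) % N

def unblind(s_blind, k):
    """Bob: S = S' / k, because S' = (M * k^e)^d = M^d * k."""
    return s_blind * pow(k, -1, N) % N

def blind_sign_session(m, k):
    """Full exchange; Alice only ever sees m_blind."""
    m_blind = blind(m, k)
    s_blind = sign(m_blind)
    return m_blind, unblind(s_blind, k)

def existential_forgery(s):
    """Choose S first and derive M = S^e: valid pair, but M is not chosen freely."""
    return pow(s, E, N), s

def has_redundancy(m):
    """Hypothetical 'special form' rule: low four bits of M must be 0101."""
    return m & 0xF == 0b0101

def accept(m, s):
    """Verifier that also insists on the special form."""
    return has_redundancy(m) and verify(m, s)

if __name__ == "__main__":
    print(blind_sign_session(65, 7))
    print(verify(*existential_forgery(1234)))
```

A four-bit pattern still lets about one random forgery in sixteen through; real schemes sign a hash of the message, as the slide notes.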

29

Zero knowledge proofs

Identification by secret

A gives Bank $b = H(a)$

Bank pays on seeing $a$

If Alice shows $a$: employee, eavesdropper become as powerful.

Alice proves to know $a$ without showing

30

0KP of a Square Root

Alice holds $a$, Bob holds $b = a^2$

Withdrawing of money:

Alice selects $s = r^2$ and gives Bob $s$

Claim: I know roots of $s$ and $s \cdot b$

This is true, namely $r$ and $r \cdot a$

This implies knowing $a$ as quotient of roots

31

Verify knowing two roots

Bob sees one! Otherwise becomes too smart

Challenge $c$ = 0/1

Alice must give one root:

$r$ of $s$ ($c = 0$)

$r \cdot a$ of $s \cdot b$ ($c = 1$)

Oscar does not know both

Fails with Pr = 1/2.

32

What does Bob learn?

Triple $(s, c, y)$

$s$ is random square

$c$ is random bit

$y$ solves $y^2 = s \cdot b^c$

To generate such, choose

$c$ as random bit

$y$ as random number

$s$ as $y^2 / b^c$

33

How can it convince?

Compute order $s, c, y$: needs $a$

Compute order $c, y, s$: don’t need $a$

Protocol enforces $s, c, y$

Transcript doesn’t show order.

34

Zero knowledge proofs

20 rounds: 1-in-million false acceptance

Similar: $e$th root or logarithm

Also: Graph coloring

Use with blind signatures:

Bob proves blinded message is legal
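One round of the square-root proof, the simulator that builds the same kind of triple in the order $c, y, s$, and the 20-round acceptance bound, as an added example (not code from the talk). The modulus $61 \cdot 53$ and the seeded generator `RNG` are constructed for a repeatable demo.

```python
import random
from math import gcd

N = 3233                       # constructed toy modulus, 61 * 53
RNG = random.Random(2013)      # fixed seed: repeatable demo, not for real use

def unit(rng=RNG):
    """Random element that is invertible mod N."""
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            return r

def commit(rng=RNG):
    """Alice: pick r, give Bob s = r^2."""
    r = unit(rng)
    return r, r * r % N

def respond(r, a, c):
    """Alice: r, a root of s (c = 0), or r*a, a root of s*b (c = 1)."""
    return r * pow(a, c, N) % N

def check(s, c, y, b):
    """Bob: accept iff y^2 = s * b^c."""
    return y * y % N == s * pow(b, c, N) % N

def simulate(b, c=None, rng=RNG):
    """Order c, y, s: choose c and y first, then s = y^2 / b^c. Needs no a."""
    c = rng.randrange(2) if c is None else c
    y = unit(rng)
    return y * y * pow(b, -c, N) % N, c, y

def cheat_accepted(b, guess, challenge, rng=RNG):
    """Oscar commits to an s built for his guess, then faces the real challenge."""
    s, _, y = simulate(b, guess, rng)
    return check(s, challenge, y, b)

def false_acceptance(rounds):
    """Chance that a prover without a survives every round."""
    return 0.5 ** rounds

if __name__ == "__main__":
    a = 123
    b = a * a % N
    r, s = commit()
    print(check(s, 1, respond(r, a, 1), b), cheat_accepted(b, 0, 1))
    print(false_acceptance(20))
```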

35

Secret Sharing

Goal: share holders together know $a$

Shares handed out by dealer

Share: related to $a$

$k-1$ shares reveal nothing

$k$ shares reveal all in reconstruction

36

Concepts in Sharing

Use:

Bank, company

Nuclear heads

Digital money

Key escrow

How many shares

Veto (split)

Threshold (share)

Protection

Perfect (poor!)

Verifiable

Actions with secret

Reconstruction

Use

37

Additive secret split

Dealing:

$a_1 \ldots a_{k-1}$ random

$a_k = a - a_1 - \ldots - a_{k-1}$

$a_k$ is no better

Reconstruction: $a = a_1 + \ldots + a_k$

Symmetric!

Shares cannot be recognized

Given $k-1$ shares, every $a$ is still possible

“Real Cryptography”: Perfect Split

38

Using shared exponent

Secret is exponent $a$ (e.g., for RSA)

Shares: $a = a_1 + \ldots + a_k$

To compute $y^a$:

Shareholder $i$ submits $x_i = y^{a_i}$

Compute $x = x_1 \cdot \ldots \cdot x_k$

Use of secret does not compromise splitting

39

How perfect is perfect?

Shares cannot be recognized

Shareholders may cheat

Verifiable reconstruction (hash $H$):

Compute $a_i$ and $b_i = H(a_i)$

Give $a_i$ to SH$_i$ and make $b_i$ public

Verified reconstruction:

SH$_i$ submits $a_i$

Check $H(a_i) = b_i$

40

Dealer verifiable split

Number hash $H(a) = g^a$

The dealer

Publish $b = g^a$

Private share $a_i$ (sum $a$)

Public share $b_i = g^{a_i}$

Send $a_i$ to SH$_i$

Verifiable shares

The shareholders

$b$ binds dealer! secret is recognizable

Verify product = $b$

Verify $g^{a_i} = b_i$

Reconstruction

Verify submissions
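The additive split, its use as a shared exponent, and the dealer-verifiable variant with $H(a) = g^a$, combined in one added example (not code from the talk). The toy group $p = 1019$, $q = 509$, $g = 4$ and the seeded `RNG` are constructed; shares are taken mod $q$, so $y$ is assumed to lie in the subgroup generated by $g$.

```python
import random

P, Q, G = 1019, 509, 4      # constructed: P = 2Q + 1, G has prime order Q
RNG = random.Random(37)     # fixed seed: repeatable demo, not for real use

def deal(a, k, rng=RNG):
    """a_1..a_{k-1} random, a_k = a - a_1 - ... - a_{k-1}; publish b and all b_i."""
    shares = [rng.randrange(Q) for _ in range(k - 1)]
    shares.append((a - sum(shares)) % Q)
    return shares, pow(G, a, P), [pow(G, s, P) for s in shares]

def product(values):
    """Product of group elements mod P."""
    out = 1
    for v in values:
        out = out * v % P
    return out

def dealer_consistent(b, public_shares):
    """Shareholders: the public shares must multiply to b."""
    return product(public_shares) == b

def share_valid(a_i, b_i):
    """Check a private share, or a share submitted at reconstruction: g^a_i = b_i."""
    return pow(G, a_i, P) == b_i

def partial_power(y, a_i):
    """Shareholder i: x_i = y^a_i, computed without revealing a_i."""
    return pow(y, a_i, P)

def combine(partials):
    """x = x_1 * ... * x_k = y^a; the secret a is never assembled."""
    return product(partials)

if __name__ == "__main__":
    shares, b, pub = deal(200, 4)
    y = pow(G, 77, P)       # constructed input inside the subgroup
    print(dealer_consistent(b, pub))
    print(combine(partial_power(y, s) for s in shares) == pow(y, 200, P))
```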

41

Perfect Secret Shares

Theorem: through $k$ points runs exactly one curve of degree $k-1$

Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$

$f(z) = a_0 + a_1 \cdot z + \ldots + a_{k-1} \cdot z^{k-1}$

Share $s_i$ is $f(i)$

Reconstruction from $k$ points: polynomial interpolation

42

Verifiable Secret Sharing

Dealer:

Private coefficients $a_0$ through $a_{k-1}$

Private shares $s_i = f(i)$

Public coefficients $b_i = g^{a_i}$

Public shares $p_i = g^{s_i}$

Shareholders

$s_i = a_0 + a_1 \cdot i + \ldots + a_{k-1} \cdot i^{k-1}$

Global: $p_i = b_0 \cdot b_1^{i} \cdot b_2^{i^2} \cdot \ldots \cdot b_{k-1}^{i^{k-1}}$

Internal: $g^{s_i} = p_i$

43

Conclusions

Numbers as basis for cryptography

Most of cryptography is unproven

Results are often counterintuitive

“Every advantage has its disadvantage”