1
Cryptography:
Proofs and Tools
Gerard Tel
Dept of Computer Science, Utrecht
2
Talk overview
Part 1: Proofs
Definition and existence
Proofs with numbers
Numbers versus “Ad hoc”
Part 2: Tools
Signature schemes
Zero knowledge proofs
Secret Sharing
3
Cryptography: The art of protection using information
To have or not to have….
To know or not to know
4
Two examples
Encryption (DES)
Alice sends email $y = E_k(x)$
Bob computes $x = D_k(y)$
Oscar knows no $k$: which $D$ function?
Identification with One-way function $H$
A gives Bank $b = H(a)$
Bank pays on seeing $a'$ s.t. $H(a') = b$
O knows no $a'$
5
Two more examples
Signatures
Alice signs $M$ with $x$: $S = \mathrm{Sig}(M, x)$
Bob verifies with $y$: $\mathrm{Ver}(M, S, y)$
Oscar cannot forge $S'$ for $M'$ s.t. $\mathrm{Ver}(M', S', y)$
Public Key pairs
Alice holds secret $x$
Bob holds public $y$
Relation $P(x, y)$
Oscar cannot compute $x$ from $y$
6
I recognize it when I see it ....
Encryption: $k$ s.t. $D_k(y)$ is text
Identification: $a'$ s.t. $H(a') = b$
Signatures: $S'$ s.t. $\mathrm{Ver}(M', S', y)$
Key pair: $x$ s.t. $P(x, y)$
7
…. But I don’t know it
8
Assumption: Factoring
Primes $p$ and $q$ (e.g. 512 bits)
$n = p \cdot q$ (1024 bits)
Given $n$, one recognizes $p$ and $q$
Assumption: Given $n$, computing $p$ is impossible
9
Assumption: Discrete Log
Compute modulo large $p$: $0, 1, \ldots, p-1$
Element $g$ has order: $1 = g^0, g^1, g^2, g^3, \ldots, g^{\mathrm{ord}} = 1$
Fix $g$ of high order.
From $x$, power $y = g^x$ is computable
Assumption: From $y$, $x$ s.t. $y = g^x$ is not computable
10
Rabin’s encryption
Alice’s secret key: $p$ and $q$
public key: product $n$
Bob encrypts $x$ as $y = x^2 \bmod n$
Alice decrypts as extracting square root
$p$ and $q$ are needed!
Oscar cannot extract roots
11
Square roots modulo $n$
A square number has 4 roots
$n = 77 = 7 \cdot 11$: $36^2 = 64$ ($1296 \bmod 77$)
36, 41, 8, 69 have square 64
Two pairs: $36 = -41$ and $8 = -69$
Combine from two pairs: $41 + 69 = 33$
$\gcd(33, 77) = 11$
12
Rabin: Provably Secure
If Oscar can find $x$ from $x^2 = y \bmod n$
Select random $z$
Solve $x$ from $x^2 = z^2$
Prob. 1/2: $x$ and $z$ differ: find $p$ and $q$
Contradicts Factoring Assumption
Rabin is cryptographically strong
13
Chosen Ciphertext Attack
Procedure for CCA:
Oscar sends Alice $y$, obtains $x$, computes
Rabin is vulnerable:
Oscar sends $y = z^2$
succeeds with Pr = 1/2
Decrypted messages as sensitive as key
Weakness inherent in strength
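The reduction on the two slides above, run on the toy modulus n = 77 from the square-root slide. This is an added example, not code from the talk; `root_oracle` is a hypothetical stand-in for whoever returns square roots (Oscar's assumed root-finder, or Alice decrypting chosen ciphertexts), and the brute-force root search only works because the modulus is tiny.

```python
import math
import random

P, Q = 7, 11          # Alice's secret primes (toy values from the slide)
N = P * Q             # public modulus, 77

def square_roots(y, n=N):
    """All square roots of y modulo n, by brute force (toy modulus only)."""
    return [x for x in range(n) if (x * x) % n == y % n]

def root_oracle(y, rng):
    """Hypothetical oracle: returns one root of y, chosen independently of z."""
    return rng.choice(square_roots(y))

def factor_with_oracle(rng, max_tries=64):
    """Factor N by asking the oracle for a root of z^2 for random z.

    Each useful query succeeds with probability 1/2: the oracle does not
    know which of the four roots the caller started from.
    """
    for tries in range(1, max_tries + 1):
        z = rng.randrange(1, N)
        if math.gcd(z, N) != 1:
            continue                      # degenerate z, skipped for clarity
        x = root_oracle((z * z) % N, rng)
        if x in (z, N - z):
            continue                      # same pair (x = +z or -z): nothing learned
        p = math.gcd(x + z, N)            # other pair: x + z is divisible by exactly one prime
        return p, N // p, tries
    return None

if __name__ == "__main__":
    print(square_roots(64))               # the four roots listed on the slide
    print(factor_with_oracle(random.Random(1)))
```

This is why a Rabin decryption service has to treat every plaintext it returns as key material: one answered query on a chosen ciphertext is enough to factor n half of the time.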
14
RSA: Allegedly secure
Similar but use higher order roots.
Public key: $(n, e)$
Encryption $y = x^e$
Decryption $x = y^d$ ($d$ from $p$, $q$)
$e$th-rooting is believed but not proven to be as hard as factoring
15
RSA Decryption
$\varphi = (p-1)(q-1)$
All $x$: $x^{\varphi} = 1 \pmod{n}$
From $p$, $q$, $n$, $e$, compute $d$ s.t. $e \cdot d = k \cdot \varphi + 1$
$y^d = (x^e)^d = x^{k \cdot \varphi + 1} = 1^k \cdot x = x$
Secretly keep $d$, purge $p$, $q$.
16
RSA Keys are secure
Oscar finds $\varphi$ from $n$:
$p + q = n - \varphi + 1$, solve $p$, $q$
Oscar finds $\varphi$ from $n$ and $e$:
Simulate generation of $e$ to do without
Oscar finds $d$ from $n$ and $e$:
[diagram: $n$; $e, d$; $p, q$]
Key protection is cryptographically strong
17
Ad hoc versus Numbers: Hash functions
Map $H: \{0,1\}^* \to \{0,1\}^k$
One-way: From $y = H(x)$, $x$ cannot be found
Collision-free: No $x_1$, $x_2$ can be found s.t. $H(x_1) = H(x_2)$
Such $x_1$, $x_2$ exist
18
Fair Guessing Games
Linda dates Jon if Jon guesses parity of $x$
L chooses $x$ and gives $y = H(x)$
J guesses even/odd
L reveals $x$
Cheating
$y$ doesn’t reveal $x$ to Jon: one-way
$y$ binds Linda: collision-free
19
Bit manipulation: MD5
How does it work
XOR, AND, OR words
Combine with
sin
bits
Four rounds in
Why does it work
Why four rounds
MD4 background
Why this combination
Attacks on variants
Why is it secure?
We don’t know
20
Discrete Log Hash (Chaum)
How does it work
Select $g$, random $h$.
$f(x, x') = g^x \cdot h^{x'}$
Why does it work
$\log(h)$: $a$ s.t. $g^a = h$ will never be known
$f(x, x') = f(y, y')$
$g^x \cdot h^{x'} = g^y \cdot h^{y'}$
$a = (x - y)(y' - x')^{-1}$
Cryptographically strong collision free
21
Trapdoor Hash
Cheat in generation of $f$.
Select $h = g^a$ instead of random $h$.
Collision: $g^x \cdot h^{x'} = g^{x - a \cdot z} \cdot h^{x' + z}$
Trapped $f$ remains cryptographically strong one-way.
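Both directions of the argument on the Chaum hash and trapdoor slides, as an added example that is not code from the talk: a collision yields log(h), and knowing a = log(h) yields collisions at will. The group parameters (p = 2039, subgroup order q = 1019, g = 4) and the function names are constructed for illustration and far too small for real use.

```python
P, Q, G = 2039, 1019, 4     # constructed toy group: G has prime order Q modulo P

def f(x, xp, h):
    """Chaum's hash f(x, x') = g^x * h^x' (mod P)."""
    return pow(G, x, P) * pow(h, xp, P) % P

def log_from_collision(x, xp, y, yp):
    """From f(x, x') = f(y, y') with x' != y', recover a = log_g(h).

    g^(x-y) = h^(y'-x') = g^(a(y'-x')), so a = (x-y)(y'-x')^-1 mod Q.
    """
    return (x - y) * pow((yp - xp) % Q, -1, Q) % Q

def trapdoor_collision(x, xp, a, z):
    """Whoever generated h = g^a can shift any input to (x - a*z, x' + z)."""
    return (x - a * z) % Q, (xp + z) % Q

def demo():
    a = 777                              # trapdoor kept by a cheating generator
    h = pow(G, a, P)
    x, xp = 123, 456
    y, yp = trapdoor_collision(x, xp, a, z=5)
    same_hash = f(x, xp, h) == f(y, yp, h)
    recovered = log_from_collision(x, xp, y, yp)
    return same_hash, recovered == a

if __name__ == "__main__":
    print(demo())
```

The practical consequence is that h must be generated so that nobody learns its logarithm, for instance by deriving it from a public seed, because a published collision is indistinguishable from proof that the generator kept the trapdoor.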
22
Questions?
23
Gerard Tel, Part 2:
Cryptographic Tools:
Signatures
Zero knowledge
Secret Sharing
24
Digital Signatures
Alice signs message $M$: $S = \mathrm{Sig}(M, x)$
Bob verifies signature $S$: $\mathrm{Ver}(M, S, y)$
Validity: $\mathrm{Ver}(M, \mathrm{Sig}(M, x), y)$
Forgery: Oscar finds $M$, $S$: $\mathrm{Ver}(M, S, y)$
25
RSA Signatures
Public/Secret key: $(n, e)$ and $(n, d)$
Functions $x \mapsto x^e$ and $y \mapsto y^d$ are inverses
Sign $M$: $S = M^d$ (compute)
Verify $S$: $S^e = M$ (check)
Forge signature under $M$: Invert RSA public function
26
Existential Forgery
Oscar: random $S$, $M = S^e$.
$M$ takes special form
………01010101010101
Hash of longer message
27
Blind Signatures
Alice signs one message without seeing it
Bob has $M$, selects blinder $b$
Bob gives Alice blinded message $M' = M \cdot b$
Alice signs for Bob: $S' = M'^d$
Bob unblinds: divide by $b^d$.
28
Blind Signatures
Alice signs one message without seeing it
Bob has $M$, selects blinder $b = k^e$
Bob gives Alice blinded message $M' = M \cdot b$
Alice signs for Bob: $S' = M'^d$
Bob unblinds: divide by $b^d$: $S = S' / k$
Similar: Blind decryption
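The blind-signature exchange from the slide above, with both parties' steps, as an added example that is not code from the talk. The key (n = 3233 = 61 · 53, e = 17, d = 2753) is a constructed toy key, and `blinder_explaining` is a hypothetical analysis helper that uses d only to show why Alice's view hides M.

```python
N, E, D = 3233, 17, 2753     # constructed toy RSA key: N = 61 * 53, E*D = 1 mod 3120

def blind(m, k):
    """Bob: M' = M * b with blinder b = k^e."""
    return m * pow(k, E, N) % N

def sign(m_blinded):
    """Alice: S' = M'^d, computed without seeing M."""
    return pow(m_blinded, D, N)

def unblind(s_blinded, k):
    """Bob: S = S' / k, because b^d = (k^e)^d = k."""
    return s_blinded * pow(k, -1, N) % N

def verify(m, s):
    """Anyone: check S^e = M."""
    return pow(s, E, N) == m % N

def blinder_explaining(m_blinded, other_m):
    """Analysis only (uses D): the k that maps other_m to the same M'.

    Such a k exists for every invertible message, so M' tells Alice nothing
    about which message she is signing.
    """
    return pow(m_blinded * pow(other_m, -1, N) % N, D, N)

def demo():
    m, k = 1234, 99                       # constructed message and blinding value
    m_blinded = blind(m, k)
    s = unblind(sign(m_blinded), k)
    k_other = blinder_explaining(m_blinded, 2000)
    return verify(m, s), s == pow(m, D, N), blind(2000, k_other) == m_blinded

if __name__ == "__main__":
    print(demo())
```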
29
Zero knowledge proofs
Identification by secret
A gives Bank $b = H(a)$
Bank pays on seeing $a$
If Alice shows $a$: employee, eavesdropper become as powerful.
Alice proves to know $a$ without showing
30
0KP of a Square Root
Alice holds $a$, Bob holds $b = a^2$
Withdrawing of money:
Alice selects $s = r^2$ and gives Bob $s$
Claim: I know roots of $s$ and $s \cdot b$
This is true, namely $r$ and $r \cdot a$
This implies knowing $a$ as quotient of roots
31
Verify knowing two roots
Bob sees one!
Otherwise becomes too smart
Challenge $c$ = 0/1
Alice must give one root:
$r$ of $s$ ($c = 0$)
$r \cdot a$ of $s \cdot b$ ($c = 1$)
Oscar does not know both
Fails with Pr = 1/2.
32
What does Bob learn?
Triple $(s, c, y)$
$s$ is random square
$c$ is random bit
$y$ solves $y^2 = s \cdot b^c$
To generate such, choose
$c$ as random bit
$y$ as random number
$s$ as $y^2 / b^c$
33
How can it convince?
Compute order $s$, $c$, $y$: needs $a$
Compute order $c$, $y$, $s$: don’t need $a$
Protocol enforces $s$, $c$, $y$
Transcript doesn’t show order.
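The two computation orders from the slides above, side by side, as an added example that is not code from the talk: an honest round in the order s, c, y (needs a), a simulated transcript in the order c, y, s (needs only b), and a prover without a who must commit to s before seeing c. The modulus and the function names are constructed for illustration.

```python
import random

N = 3233                       # constructed toy modulus (61 * 53)

def honest_round(a, c, rng):
    """Order s, c, y: Alice commits to s = r^2, then answers challenge c."""
    r = rng.randrange(1, N)
    s = r * r % N
    y = r * pow(a, c, N) % N   # r for c = 0, r*a for c = 1
    return s, c, y

def simulated_round(b, rng):
    """Order c, y, s: anyone can build a valid triple from b alone."""
    c = rng.randrange(2)
    y = rng.randrange(1, N)
    s = y * y * pow(pow(b, c, N), -1, N) % N    # s = y^2 / b^c
    return s, c, y

def check(b, s, c, y):
    """Bob's test: y^2 = s * b^c."""
    return y * y % N == s * pow(b, c, N) % N

def cheater_passes(b, rounds, rng):
    """Prover without a: fixes s for a guessed c, then Bob picks the real c."""
    for _ in range(rounds):
        s, _guess, y = simulated_round(b, rng)
        c = rng.randrange(2)               # the protocol enforces s before c
        if not check(b, s, c, y):
            return False
    return True

def demo(seed=0):
    rng = random.Random(seed)
    a = 1234                               # Alice's secret (constructed)
    b = a * a % N
    honest = all(check(b, *honest_round(a, c, rng)) for c in (0, 1))
    simulated = all(check(b, *simulated_round(b, rng)) for _ in range(50))
    return honest, simulated

if __name__ == "__main__":
    print(demo())
```

A stored triple therefore proves nothing to a third party; only a verifier who chose c after receiving s gains any assurance.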
34
Zero knowledge proofs
20 rounds: 1-in-million false acceptance
Similar: $e$th root or logarithm
Also: Graph coloring
Use with blind signatures:
Bob proves blinded message is legal
35
Secret Sharing
Goal: share holders together know $a$
Shares handed out by dealer
Share: related to $a$
$k-1$ shares reveal nothing
$k$ shares reveal all in reconstruction
36
Concepts in Sharing
Use:
Bank, company
Nuclear heads
Digital money
Key escrow
How many shares
Veto (split)
Threshold (share)
Protection
Perfect (poor!)
Verifiable
Verifiable
Actions with secret
Reconstruction
Use
37
Additive secret split
Dealing: $a_1, \ldots, a_{k-1}$ random
$a_k = a - a_1 - \ldots - a_{k-1}$
$a_k$ is no better
Reconstruction: $a = a_1 + \ldots + a_k$
Symmetric!
• Shares cannot be recognized
• Given $k-1$ shares, every $a$ is still possible
• “Real Cryptography”: Perfect Split
38
Using shared exponent
Secret is exponent $a$ (e.g., for RSA)
Shares: $a = a_1 + \ldots + a_k$
To compute $y^a$:
Shareholder $i$ submits $x_i = y^{a_i}$
Compute $x = x_1 \cdot \ldots \cdot x_k$
Use of secret does not compromise splitting
39
How perfect is perfect?
Shares cannot be recognized
Shareholders may cheat
Verifiable reconstruction (hash $H$):
Compute $a_i$ and $b_i = H(a_i)$
Give $a_i$ to SH$_i$ and make $b_i$ public
Verified reconstruction:
SH$_i$ submits $a_i$
Check $H(a_i) = b_i$
40
Dealer verifiable split
Number hash $H(a) = g^a$
The dealer
Publish $b = g^a$
Private share $a_i$ (sum $a$)
Public share $b_i = g^{a_i}$
Send $a_i$ to SH$_i$
Verifiable shares
The shareholders
$b$ binds dealer!
secret is recognizable
Verify product = $b$
Verify $g^{a_i} = b_i$
Reconstruction
Verify submissions
41
Perfect Secret Shares
Theorem: through $k$ points runs exactly one curve of degree $k-1$
Dealing: select $a_1$ through $a_{k-1}$, $a_0 = a$
$f(z) = a_0 + a_1 \cdot z + \ldots + a_{k-1} \cdot z^{k-1}$
Share $s_i$ is $f(i)$
Reconstruction from $k$ points: polynomial interpolation
42
Verifiable Secret Sharing
Dealer:
Private coefficients $a_0$ through $a_{k-1}$
Private shares $s_i = f(i)$
Public coefficients $b_i = g^{a_i}$
Public shares $p_i = g^{s_i}$
Shareholders
$s_i = a_0 + a_1 \cdot i + \ldots + a_{k-1} \cdot i^{k-1}$
Global $p_i = b_0 \cdot b_1^{i} \cdot b_2^{i^2} \cdot \ldots \cdot b_{k-1}^{i^{k-1}}$
Internal $g^{s_i} = p_i$
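The dealing, the global and internal checks, and the reconstruction from the last two secret-sharing slides, as an added example that is not code from the talk. The group (p = 2039, subgroup order q = 1019, g = 4) is a constructed toy; shares and coefficients live modulo q, and all function names are chosen here.

```python
import random

P, Q, G = 2039, 1019, 4        # constructed toy group: G has prime order Q modulo P

def deal(secret, k, n, rng):
    """Dealer: degree k-1 polynomial f with f(0) = secret; shares s_i = f(i)."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(k - 1)]
    shares = {i: sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    public_coeffs = [pow(G, a, P) for a in coeffs]       # b_j = g^(a_j)
    return shares, public_coeffs

def public_share(i, public_coeffs):
    """Global check value p_i = b_0 * b_1^i * b_2^(i^2) * ... (public data only)."""
    p_i = 1
    for j, b in enumerate(public_coeffs):
        p_i = p_i * pow(b, pow(i, j, Q), P) % P
    return p_i

def share_is_valid(i, s_i, public_coeffs):
    """Internal check by shareholder i, or by anyone at reconstruction."""
    return pow(G, s_i, P) == public_share(i, public_coeffs)

def reconstruct(points):
    """Lagrange interpolation at z = 0 over k points {i: s_i}, modulo Q."""
    secret = 0
    for i, s_i in points.items():
        num = den = 1
        for m in points:
            if m != i:
                num = num * (-m) % Q
                den = den * (i - m) % Q
        secret = (secret + s_i * num * pow(den, -1, Q)) % Q
    return secret

def demo(seed=7):
    shares, pub = deal(321, k=3, n=5, rng=random.Random(seed))
    ok = all(share_is_valid(i, s, pub) for i, s in shares.items())
    forged_rejected = not share_is_valid(2, (shares[2] + 1) % Q, pub)
    return ok, forged_rejected, reconstruct({i: shares[i] for i in (1, 3, 5)})

if __name__ == "__main__":
    print(demo())
```

As the dealer-verifiable slide notes, publishing b_0 = g^a makes the secret recognizable, so a guessable a is not hidden by this scheme.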
43
Conclusions
Numbers as basis for cryptography
Most of cryptography is unproven
Results are often counterintuitive
“Every advantage has its disadvantage”