Solution of Exercise Sheet 10

Transcription

1 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 10 1 Diffie-Hellman Key Exchange Alice and Bob exchange a shift cipher key using the Diffie-Hellman key exchange. They agree to use the prime p = 11 for their cyclic group Z11 and g = 7 as the generator. (5 points) (a) Assume Alice uses the secret value a = 6 and Bob the secret value b = 9. Compute the intermediate values and the final key that Alice and Bob exchange. X = g a = 4 mod 11 Y = g b = 8 mod 11 K = g ab = 3 mod 11 (5 points) (b) Assume Alice and Bob exchange the values X = g a = 5 mod 11 and Y = g b = 10. Determine the secret key they both exchanged! Describe your computation steps to determine the key. (Note: the values of a and b are not the same as in the exercise above!) The correct values are simply determined by trying various values for a and b until the given values for X and Y are observed. Once a and b are found, we can easily determine the key K by computing g a b mod p manually. a = 2, b = 5, K = 1 (3 points) (c) Decrypt the following message that was encrypted using a shift cipher. The key exchanged in Exercise b was used to encrypt the message. You can use whichever method you like to decrypt the message. TVFEFKBDLFUXJUIDBOEZTUSJQFMJOJOH SUEDEJACKETWITHCANDYSTRIPELINING (12 points) 2 Key Exchange 1/5

2 Design a protocol that allows 3 parties P 1, P 2 and P 3 to exchange a single symmetric key K, minimizing the number of exchanged messages. To do this, extend the Diffie-Hellman key exchange discussed in the lecture to three parties. The following conditions have to be fulfilled: 1. Given the CDH-assumption, only the parties P 1, P 2 and P 3 can know the key K. 2. A hash H(K) has to be exchanged to verify the exchanged key K between all parties. 3. Use as few messages as possible. You can give your solution as a sequence of messages sent from P i to P j, e.g. P i m Pj. Hint: The final key K should look something like K = g abc There following is just one of many options to achieve the 3-way key-exchange with confirmation using 5 messages: We assume a prime p and the generator g to be publicly known. We denote with a, b, c the three secrets of parties P 1, P 2 and P 3. g P a 1 P 2 P 2 g ab P 3 P 3 g c,h(g abc ) P 2 P 2 g bc,h(g abc ) P 1 P 1 H(g abc ) P 3 3 Dining Cryptographers I We try to generalize the Dining Cryptographers game to the situation with more than 3 Cryptographers among which several might collude. Check the slides of the lecture to learn about the 3-party Dining Cryptographers game without collusion. In the following we assume collusion to mean that, if cryptographer C 1 and C 2 collude, then C 1 knows all coins he and C 2 can see, and vice versa (i.e C 1 and C 2 share their knowledge). (4 points) (a) Consider the 3-party Dining Cryptographers game and show that any pair of colluding Cryptographers can learn whether the third is lying or not. 2/5

3 Assume cryptographers C 1 and C 2 collude against C 3. Let c 1 be the coin shown by C 3 to C 1 and c 2 be the coin shown by C 2 to C 3. Since C 1 and C 2 collude they know the value of both c 1 and c 2, and can therefore determine whether C 3 lies or not. (6 points) (b) Assume we now have a table of n Dining Cryptographers that sit in a ring. As in the 3-party DC game, each cryptographer shares a coin with the cryptographer to his left (and we use the same mechanism of saying the truth/lying to determine whether the NSA paid for dinner). Show that, for any n, there is a seating order with which two colluding cryptographers can de-anonymize at least one other cryptographer. Consider two Cryptographers C 1, C 2 that sit adjacent to the same cryptographer C and let c 1 be the coin that C 1 shares with C and c 2 be the coin that C 2 shares with C. Now, if C 1 and C 2 coincide, they know whether c 1 and c 2 are the same. Therefore, they also know if C lies when announcing whether his two coins are the same or not, effectively breaking C anonymity. 4 Dining Cryptographers II Obviously, the ring structure used above does not provide the required anonymity. We alternatively consider a clique-structure where each cryptographer shares a coin with every other cryptographer at the table: Let C be the set of all cryptographers at the table and consider following construction: Every Cryptographer C i shares a secret coin c i,j with ever other cryptographer C j C \ {C i } (and have only one coin for every pair of cryptographers, i.e. c i,j = c j,i ). Let heads count as 1 and tails count as 0. Every cryptographer now sums up the values of all coins {c i,j } n j=1 he sees modulo 2 (i.e. he checks whether the sum is even or odd) to the value S i, i.e. S i = j [1..n]\i c i,j mod 2. If C i pays for the meal, he inverts the sum S i (i.e. if S i is 1, it is set to 0, and vice versa). In the communication phase, all cryptographers reveal their sum S i, and the sum S of all sums S i modulo 2 is computed, i.e. S = i S i mod 2 (7 points) (a) What is the value of S if no cryptographer pays for dinner? Show your steps. 3/5

4 If no cryptographer pays for dinner, all coin sums are reported with their true value. Then S = S i mod 2 = c i,j mod 2 i i = 1 2 = 1 2 j [1..n]\i i,j [1...n],i j i,j [1...n],i j c i,j + c j,i mod 2 0 = 0 (8 points) (b) In the above construction, can n 2 cryptographers that work together identify if and which of the remaining two cryptographers paid for the dinner (assume that only one cryptographer will pay for dinner)? Provide arguments for your answer. None of the n 2 coinciding cryptographers paid for the dinner and want to know which of the remaining cryptographers C 1 and C 2 have paid for the dinner. C 1 and C 2 have a shared coin c 1,2 of which the remaining cryptographers do not know the value of. Since one of C 1 and C 2 pays for dinner, one of them will invert their sum S 1 or S 2. While the coinciding cryptographers know the sum of the remaining coins (denoted by c 1 and c 2 respectively), they still cannot know which of the sums S 1 and S 2 was inverted, since they do not know the value of c 1,2. this reduces the n-diningcryptographers game to the 3-dining cryptographers game for which we showed in the lecture that it provides anonymity. (+10 bonus) (c) The cryptographers do not have enough coins at the table to use the clique structure described above. Assume there are m (m < n) cryptographers at the table which are typical loners and would thus never collude with anyone. Describe an approach that uses less coins than the clique structure described above, but still ensures anonymity for all non-colluding cryptographers (Note: There do not have to be colluding cryptographers). Describe exactly how your coins are distributed and the number of coins you use. Also, provide reasons for why your construction still provides anonymity. You get more points the fewer coins you need, starting with 1 point for n(n 1) 2 1 coins. 4/5

5 The basic idea behind the contruction is that we need to satisfy two conditions: 1. each cryptographers has a shared secret with a non-colluding cryptographer 2. each cryptographers has a shared secret with at least two other cryptographers To satisfy Condition 1, this gives us m 2 save coin flips for the noncolluding cryptographers and n m save coin flips between the potentially colluding cryptographers and the non-colluding cryptographers. To satisfy Condition 2, we finally add n 2 additional coin flips. Overall, we therefore have m 2 + (n m) + n 2 coin flips. We can compute the overall consensus as defined in the problem definition. Again, we will get an overall result of 0 if all cryptographers say the truth, and a 1 of one of them lies: each coin flip contributes twice to the overall sum, and due to mod 2 computation, gets cancelled out if everyone is truthful. Anonymity, we can show as follows: As in exercise 4.b, even if all n m potentially colluding cryptographers colluded, the remaining non-colluding cryptographers have a shared secret that is not known to the colluding cryptographers. Upon seeing the overall consensus, the colluding cryptographers can therefore not infer whether or which of the cryptographers lied. 5/5