More crypto and security

Transcription

1 More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade based on project report and presentation Mihir Bellare UCSD 1

2 More crypto and security CSE 207 Graduate introduction to cryptography Focus on provable-security Material overlaps with 107 but changes in focus as above Mihir Bellare UCSD 2

3 Security courses CSE 127, Savage / Shacham Undergraduate introduction to security Systems issues CSE 227, Savage/Shacham Graduate introduction to security Mihir Bellare UCSD 3

4 Advanced courses CSE 208 is a Topics course whose content varies from year to year. Some past topics: Program obfuscation Pairing-based cryptography Lattices in cryptography Zero-knowledge Electronic payments Mihir Bellare UCSD 4

5 Grad school? MS: 2 years PhD: 5+ years, research-orientated You can consider a PhD if you enjoy research: solving new problems, exploring the unknown. An MS is to gain expertise. Mihir Bellare UCSD 5

6 PhD application process Applications for Fall due in previous winter PhD students are usually fully funded through fellowships, RA-ships and TA-ships. Admission to top schools is very competitive but there are niche schools that are excellent in specific areas To get admitted to a good program you need a high GPA, strong recommendation letters and a convincing statement of purpose. Best of all: accomplished research! Mihir Bellare UCSD 6

7 APPLICATIONS AND PROTOCOLS Mihir Bellare UCSD 7

8 Some applications and protocols Internet Casino Commitment Shared coin flips Threshold cryptography Forward security Program obfuscation Zero-knowledge Certified Electronic voting Auctions Identity-based encryption Functional encryption Fully-homomorphic encryption Searchable encryption Oblivious transfer Garbling schemes Secure computation Group signatures Aggregate signatures Mihir Bellare UCSD 8

9 Internet Casino: Protocol G1 Player Casino $1, G T, d T $ {1, 2,..., 100} if G = T then d $200 else d $0 Would you play? Expected value of d is $200( ) = $2 > $1 so probability theory says that the player will earn money by playing. Mihir Bellare UCSD 9

10 Problem: Casino can cheat Player $1, G T, d Casino T $ {1, 2,..., 100}\{G} d $0 Mihir Bellare UCSD 10

11 Internet Casino: Protocol G2 Player $1 Casino T G d T $ {1, 2,..., 100} if G = T then d $200 else d $0 But now player can always win by setting G = T. No casino would do this! Mihir Bellare UCSD 11

12 Internet Casino problem Player and Casino need to exchange G, T so that Casino cannot choose T as a function of G. Player cannot choose G as a function of T. How do we resolve this Catch-22 situation? Mihir Bellare UCSD 12

13 Internet Casino: Protocol G3 Player $1, T G Casino T $ {1, 2,..., 100} d G G if G = T then d $200 else d $0 is a locked safe containing a piece of paper with G written on it. is a key to open the safe. Mihir Bellare UCSD 13

14 Internet Casino: Protocol G3 Player $1, T G Casino T $ {1, 2,..., 100} d G G if G = T then d $200 else d $0 Casino cannot choose T as a function of G because, without the key, it cannot see G. Player cannot choose G as a function of T because, by putting it in the safe, she is committed to it in the first move. Mihir Bellare UCSD 14

15 Internet Casino Protocol using cryptography Player K $ {0, 1} 128 C H(K G) C T Casino T $ {1, 2,..., 100} G, K d if (H(K G) = C and G =T ) then d $99 else d $0 Here H is a cryptographic hash function. More generally one can use a primitive called a committment scheme. Mihir Bellare UCSD 15

16 Commitment Schemes A commitment scheme CS = (P, C, V) is a triple of algorithms P π M C C K V 0/1 Parameter generation algorithm P is run once by a trusted party to produce public parameters π. In Internet Casino M Data being commited G C K Commital Decommital key Mihir Bellare UCSD 16

17 Security properties Hiding: A commital C generated via (C, K) $ C(π, M) should not reveal information about M. = C does not reveal M. Binding: It should be hard to find C, M 0, M 1, K 0, K 1 such that M 0 M 1 but V(π, C, M 0, K 0 ) = V(π, C, M 1, K 1 ) = 1. K 0 C M 0 K 1 C M 1 Mihir Bellare UCSD 17

18 Internet Casino Protocol using a commitment scheme Player (C, K) $ C(π, G) C T Casino T $ {1, 2,..., 100} G, K d if (V(π, C, G, K) = 1 and G =T ) then d $99 else d $0 Mihir Bellare UCSD 18

19 Hiding Formally Let CS = (P, C, V) be a commitment scheme and A an adversary. Game HIDE CS procedure Initialize π $ P; b $ {0, 1} return π procedure LR(M 0, M 1 ) (C, K) $ C(π, M b ) return C procedure Finalize(b ) return (b = b ) The hiding-advantage of A is [ ] Adv hide CS (A) = 2 Pr HIDE A CS true 1. Mihir Bellare UCSD 19

20 Binding Formally Let CS = (P, C, V) be a commitment scheme and A an adversary. Game BIND CS procedure Initialize π $ P return π procedure Finalize(C, M 0, M 1, K 0, K 1 ) v 0 V(π, C, M 0, K 0 ) v 1 V(π, C, M 1, K 1 ) return (v 0 = v 1 = 1 and M 0 M 1 ) The binding-advantage of A is [ ] Adv bind CS (A) = Pr BIND A CS true. Mihir Bellare UCSD 20

21 Commitment from symmetric encryption Let SE = (K, E, D) be an IND-CPA-secure symmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where P returns π = ε and Alg C(π, M) K $ K; C $ E K (M) return (C, K) Alg V(π, C, M, K) if D K (C) = M then return 1 else return 0 Is this secure? Mihir Bellare UCSD 21

22 Commitment from symmetric encryption Let SE = (K, E, D) be an IND-CPA-secure symmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where P returns π = ε and Alg C(π, M) K $ K; C $ E K (M) return (C, K) Alg V(π, C, M, K) if D K (C) = M then return 1 else return 0 Is this secure? It is certainly hiding. But need not be binding: it may be possible to find C, M 0, M 1, K 0, K 1 such that D K0 (C) = M 0 and D K1 (C) = M 1 For example this is easy when SE is CBC$ encryption. Mihir Bellare UCSD 22

23 Commitment from public key encryption Let AE = (K, E, D) be an IND-CPA-secure asymmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where Alg P (pk, sk) $ K π pk return π Alg C(pk, M) K $ {0, 1} k C E pk (M; K) return (C, K) Alg V(pk, C, M, K) if E pk (M; K) = C then return 1 else return 0 E pk (M; K) means encryption of M with coins K. Mihir Bellare UCSD 23

24 Commitment from public key encryption Let AE = (K, E, D) be an IND-CPA-secure asymmetric encryption scheme and let CS = (P, C, V) be the commitment scheme where Alg P (pk, sk) $ K π pk return π Alg C(pk, M) K $ {0, 1} k C E pk (M; K) return (C, K) Alg V(pk, C, M, K) if E pk (M; K) = C then return 1 else return 0 E pk (M; K) means encryption of M with coins K. Certainly hiding. Binding too since C has only one decryption relative to pk, namely M = D sk (C). Mihir Bellare UCSD 24

25 Commitment from hashing Let H be a hash function and CS = (P, C, V) the commitment scheme where P returns π = ε and Alg C(π, M) C H(M); K M return (C, K) Alg V(π, C, M, K) return (C = H(M) and M = K) This is Mihir Bellare UCSD 25

26 Commitment from hashing Let H be a hash function and CS = (P, C, V) the commitment scheme where P returns π = ε and Alg C(π, M) C H(M); K M return (C, K) Alg V(π, C, M, K) return (C = H(M) and M = K) This is Binding if H is collision-resistant. But not hiding. For example in the Internet Casino M = G {1,..., 100} so given C = H(M) the casino can recover M via for i = 1,..., 100 do if H(i) = C then return i Mihir Bellare UCSD 26

27 Commitment from hashing A better scheme is CS = (P, C, V) where P returns π = ε and Alg C(π, M) K $ {0, 1} 128 C H(K M) return (C, K) Alg V H (π, C, M, K) return (H(K M) = C) Mihir Bellare UCSD 27

28 Commitment schemes usage Commitment schemes are very broadly and widely used across all kinds of protocol design and in particular to construct zero-knowledge proofs. Mihir Bellare UCSD 28

29 Flipping a common coin Alice and Bob are getting divorced They want to decide who keeps the Lexus They aggree to flip a coin, but Alice is in NY and Bob is in LA Protocol CF1: Alice Bob c $ {0, 1} c Mihir Bellare UCSD 29

30 Flipping a common coin Alice and Bob are getting divorced They want to decide who keeps the Lexus They aggree to flip a coin, but Alice is in NY and Bob is in LA Protocol CF1: Alice Bob c $ {0, 1} c Bob is not too smart but he doesn t like it... Can you help them out? Mihir Bellare UCSD 30

31 Protocol CF2 Let CS = (P, C, V) be a commitment scheme. Alice Bob a $ {0, 1} (C, K) $ C(π, a) C b $ {0, 1} b a, K if V(π, C, a, K) = 1 then c a b c a b else c c is the common coin. Neither party can control it. Mihir Bellare UCSD 31

32 Protocol CF3: Concrete instantiation of CF2 Alice Bob a $ {0, 1} ; K $ {0, 1} 128 C H(K a) C b $ {0, 1} b a, K if H(K a) = C then c a b c a b else c c is the common coin. Neither party can control it. H is a cryptographic hash function. Mihir Bellare UCSD 32

33 Secure summation Suppose we have n parties 1,..., n Party i has an integer x i The parties want to know the value of f (x 1,.., x n ) = x x n Mihir Bellare UCSD 33

34 Secure summation Suppose we have n parties 1,..., n Party i has an integer x i The parties want to know the value of f (x 1,.., x n ) = x x n Easy: Let Party i send x i to party 1 (2 i n) Party 1 computes f (x 1,.., x n ) = x x n and broadcasts it Mihir Bellare UCSD 34

35 Secure summation Suppose we have n parties 1,..., n Party i has an integer x i The parties want to know the value of f (x 1,.., x n ) = x x n Easy: Let Party i send x i to party 1 (2 i n) Party 1 computes f (x 1,.., x n ) = x x n and broadcasts it What they don t like about this: Party 1 now knows everyone s values Privacy constraint: Party i does not wish to reveal x i Mihir Bellare UCSD 35

36 Secure summation Party i has input x i (1 i n). The parties want to know f (x 1,.., x n ) = x x n but do not want to reveal their inputs in the process. Scenarios: x i = score of student i on midterm exam x i = salary of employee i x i {0, 1} = vote of voter i on proposition X on ballot Mihir Bellare UCSD 36

37 The model and goal Parties i, j are connected via a secure channel (1 i, j n). Privacy and authenticity of messages sent over channel are guaranteed. The parties will exchange messages to arrive at f (x 1,..., x n ). If i j then, at the end of the protocol, party i should not know x j. For example you, as player i, enter x i into some app on your cellphone which then communicates with the cellphones of the other parties. At the end, the sum shows up on your screen. Take your phone apart and examine all memory contents and you still will not discover x j for j i. Mihir Bellare UCSD 37

38 Setup for secure communication protocol Let N be such that x 1,..., x n Z N = {0,..., N 1}. Let M = nn. Let S denote x x n. We will compute S mod M, which is just S since x x n n(n 1) < M Mihir Bellare UCSD 38

39 Protocol step 1: secret sharing For i = 1,..., n party i Picks x i,1,..., x i,n Z M at random subject to x i, x i,n x i (mod M) Sends x i,j to party j over secure channel (1 j n) x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 x 1 x 2 x 3 x 4 Observation: x i,j is a random number unrelated to x i so party j has no information about x i (i j) Mihir Bellare UCSD 39

40 Protocol step 2,3: Column sums and conclusion x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 C 1 C 2 C 3 C 4 x 1 x 2 x 3 x 4 For j = 1,..., n party j Computes C j = (x 1,j + x 2,j x n,j ) mod M Sends C j to party i (1 i n) Observation: S (C C n ) (mod M). So each party can compute S (C C n ) mod M Mihir Bellare UCSD 40

41 Security of the protocol x 1,1 x 1,2 x 1,3 x 1,4 x 2,1 x 2,2 x 2,3 x 2,4 x 3,1 x 3,2 x 3,3 x 3,4 x 4,1 x 4,2 x 4,3 x 4,4 c 1 c 2 c 3 c 4 x 1 x 2 x 3 x 4 At end of protocol, party 1 knows (1) x 1, and the first-row entries of the matrix (2) the sum S = x 1 + x 2 + x 3 + x 4 (3) c 1, c 2, c 3, c 4 (4) the first column entries x 1,1, x 2,1, x 3,1, x 4,1. Claims: Party 1 learn nothing about x 4 Even if parties 1, 2 pool their information, they learn nothing about x 4... Mihir Bellare UCSD 41

42 Secure summation project Project: Analyze and prove secure the summation protocol: (1) Give a game based definition of privacy (2) Prove that the protocol meets it. Mihir Bellare UCSD 42

43 Secure Computation Parties 1,..., n Party i has private input x i They want to compute f (x 1,..., x n ) Fact: For any function f, there is a n/2 - private protocol to compute it. A protocol is t-private if any t parties, getting together, cannot figure out anything about the input of the other parties other than implied by the value of f (x 1,..., x n ). The protocol views f as a circuit (program) and computes it gate (instruction) by gate (instruction). Enormous body of research. Mihir Bellare UCSD 43

44 Zero-Knowledge Proofs [GMR] A zero-knowledge (ZK) proof allows you to Convince Bob your claim is true Without revealing anything beyond that For example: You claim to have Bob is What is not revealed A solution to the homework Another student The solution problem The password for this account The server The password A proof that P NP The Clay Institute The proof Mihir Bellare UCSD 44