Cryptography: More Primitives

Similar documents
MITOCW watch?v=zlohv4xq_ti

Other Topics in Cryptography. Truong Tuan Anh

Lecture 10, Zero Knowledge Proofs, Secure Computation

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

COMS W4995 Introduction to Cryptography November 13, Lecture 21: Multiple Use Signature Schemes

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CS408 Cryptography & Internet Security

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

CPSC 467: Cryptography and Computer Security

CSC 5930/9010 Modern Cryptography: Digital Signatures

1.264 Lecture 28. Cryptography: Asymmetric keys

CS 161 Computer Security

Notes for Lecture 21. From One-Time Signatures to Fully Secure Signatures

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Notes for Lecture 14

Chapter 9 Public Key Cryptography. WANG YANG

Data Integrity. Modified by: Dr. Ramzi Saifan

Crypto Background & Concepts SGX Software Attestation

Foundations of Cryptography CS Shweta Agrawal

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Public-key Cryptography: Theory and Practice

CSE 127: Computer Security Cryptography. Kirill Levchenko

Lecture 2 Applied Cryptography (Part 2)

Secure digital certificates with a blockchain protocol

Cryptographic Hash Functions

RSA. Public Key CryptoSystem

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

What did we talk about last time? Public key cryptography A little number theory

Introduction to Cryptography Lecture 7

ISA 662 Internet Security Protocols. Outline. Prime Numbers (I) Beauty of Mathematics. Division (II) Division (I)

CSC 474/574 Information Systems Security

Introduction to Cryptography Lecture 7

CS 161 Computer Security

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

Overview of Cryptography

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

UNIT - IV Cryptographic Hash Function 31.1

Refresher: Applied Cryptography

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS408 Cryptography & Internet Security

Secure Multiparty Computation

Study Guide to Mideterm Exam

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Message Authentication Codes and Cryptographic Hash Functions

Public-Key Cryptography

CS Computer Networks 1: Authentication

Introduction to Cryptography. Lecture 6

Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08

Introduction to Cryptography Lecture 10

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture 4: Authentication and Hashing

CIS 4360 Secure Computer Systems Symmetric Cryptography

Applied Cryptography and Network Security

1 Defining Message authentication

1 Identification protocols

CPSC 467: Cryptography and Computer Security

Public Key Cryptography

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Lecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422

Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 8

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Introduction to Public-Key Cryptography

Security: Cryptography

Lecture 6 - Cryptography

Lecture 3.4: Public Key Cryptography IV

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC CRYPTOGRAPHY

Public Key Cryptography and the RSA Cryptosystem

Cryptographic Concepts

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Public-Key Cryptanalysis

CSC/ECE 774 Advanced Network Security

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Ref:

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Applied Cryptography and Computer Security CSE 664 Spring 2018

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Public Key Encryption. Modified by: Dr. Ramzi Saifan

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

CPSC 467b: Cryptography and Computer Security

Spring 2010: CS419 Computer Security

Tuesday, January 17, 17. Crypto - mini lecture 1

On the Security of a Certificateless Public-Key Encryption

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Integrity of messages

Some Stuff About Crypto

Transcription:

Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital Signatures In the lecture, we briefly mentioned digital signatures as an application of hashing. Now we introduce digital signatures as a stand-alone primitive. A digital signature scheme has a pair of functions Sign and Verify σ = Sign(sk A, m) (1) b = Verify(pk A, m, σ) (2) In the first step, Alice signs a message m she wants to send using her secret key sk A, producing a digital signature σ. Then we want anyone who receives the pair m, σ from Alice to be able to verify if m indeed originates from Alice, using Alice s public key pk A. 1.1 What properties do we want from digital signatures? Correctness: if σ is a signature of m, then b should be true; otherwise, b should be false. Unforgeability: an adversary who has seen some valid message-signature pairs (m 1, σ 1 ), (m 2, σ 2 ),, (m t, σ t ) should not be able to come up with a forgery for a new message, i.e., (m, σ ) where m = m i for i [1..t] such that Verify(pk A, m, σ ) outputs true. Notice that there is no (known) way to prevent an adversary from passing along a valid message-signature pair it has seen before. That s why we define the unforgeability requirement in the above way. 1.2 First attempt In the early years, researchers proposed making digital signatures the inverse of public-key encryption. Sign is decryption, and Verify is encryption and compare. Use RSA as an example, the basic RSA signature scheme works as follows: Sign : σ = m d mod n Verify : b = σ e? m mod n where d is the RSA secret key and (n, e) is the RSA public key.

2 Recitation 11: Cryptography: More Primitives The hope behind this design is that: (1) think of m as a ciphertext, if we decrypt it and then encrypt it again, we will get back m, (2) to forge a signature for m, an adversary needs to decrypt m, which he cannot do without the secret key. (Can challenge the class to break it.) One problem lies in the malleability (multiplicative homomorphism) of RSA. If an adversary has seen two valid message-signature pairs (m 1, σ 1 ), (m 2, σ 2 ), it can easily come up with a forgery (m 1 m 2, σ 1 σ 2 ): σ 1 σ 2 = m d 1m d 2 (m 1 m 2 ) d mod n is a valid signature of message m 1 m 2. Another attack: choose a σ, compute m = σ e mod n, then σ is a valid signature of m. 1.3 Second attempt How about just use the hash-then-sign scheme mentioned in the lecture, i.e., replace m with h(m) in (1) and (2)? A good hash function does seem to fix the above problems. It should not be multiplicative, preventing the first attack; it should be one way, preventing the second attack (if h(m ) = σ e, one cannot figure out m ). Of course, we have also seen that h needs to be collisionresistant; otherwise the composed signature scheme is clearly forgeable. Indeed, this is much better. In fact, there are digital signature standards similar to this approach, signing the hash of the message with some padding. For example, ANSI X9.31 standard signs 6bbb bbba h(m) 33cc. PKCS #1 v1.5 standard signs 0001ff ff00 length of(h) h(m). But how do we know there are no other attacks? Well, we do not. This is a flaw of these designs: they build on ad-hoc security. We do not know how to break them, but we do not know how to prove their security, either. This is where modern cryptography departs from this approach. It tries to reduce the security of a scheme to one or several simple and easy-to-describe assumptions. Digital signatures in modern cryptography, however, are out of the scope of 6.046. 2 Message Authentication Codes So far, we have seen three of the most common cryptographic primitives: public-key encryption, private-key encryption and digital signatures. If we categorize them as confidentiality vs. integrity, asymmetric vs. symmetric, we have for confidentiality for integrity symmetric private-key encryption message authentication codes asymmetric public-key encryption digital signatures The remaining one, the symmetric integrity scheme is Message Authentication Codes (MAC). Its definition and requirements are similar to digital signatures, except that there is only one key k. σ = MAC(k, m) (3) Verification simply checks if σ =? MAC(k, m). Correctness and unforgeability are defined similarly as for digital signatures.

Recitation 11: Cryptography: More Primitives 3 Q: Is a hash not a MAC (What s the relation/difference between a hash and a MAC)? A: No, because a hash is a public function that everyone can compute. So, it s trivial to forge. But it s close. A popular way to construct a MAC is to use a keyed hash. The simplest one (and the standard today) is to use SHA-3 hash on the message with the key prepended, σ = SHA3(k m), though not every secure hash function can be turned into a MAC by simply prepending the key. 3 Merkle Tree Now consider another scenario where we want integrity. Alice stores a bunch of files on a server (e.g., Google Drive). How does Alice verify her files are not modified? In this scenario, we want freshness: when Alice accesses a file, it should be the latest version of that file (what Alice wrote there last time). In this case, MAC and digital signatures do not help. An attacker (e.g., a malicious server) can always return Alice an older version of that file with its corresponding MAC/signature (recall their unforgeability definitions). For this application, we need a new primitive. A naive method (but maybe reasonable in practice) is to let Alice store a hash of every file (the most recent version) locally, on her own computer. Assuming data on Alice s own computer cannot be modified by an adversary, Alice can detect any modification to the files. Here we say Alice s own computer is trusted storage or local storage. If Alice has n files, she needs to store n hashes locally. This requires O(n) trusted storage, which is arguably not ideal. Alternatively, Alice could concatenate all her files together, and produce a single hash. Then the trusted storage requirement becomes O(1), but time complexity is O(n): verifying one file requires downloading all the files, and updating a single file requires recomputing the hash, which involves all files. root hash σ root = h(σ 4 σ 5 ) σ 4 = h(σ 0 σ 1 ) σ 5 = h(σ 2 σ 3 ) σ 0 = h(x 0 ) σ 1 = h(x 1 ) σ 2 = h(x 2 ) σ 3 = h(x 3 ) data block x 0 data block x 1 data block x 2 data block x 3 Figure 1: A Merkle tree with 4 leaf nodes. Merkle tree or hash tree [Merkle, 1980] is a solution to this problem. In a Merkle tree, all data blocks are first hashed at the leaf nodes. Each intermediate node stores a hash of its child hashes

4 Recitation 11: Cryptography: More Primitives concatenated, until we get a root hash, which is stored in trusted storage. All the intermediate hashes and all data blocks are stored in untrusted storage and can be modified by an adversary. Therefore, a Merkle tree needs O(1) trusted storage. It has O(lg n) time complexity for verification and updating: verifying/updating a block checks/updates a path in the hash tree. The hash tree is collision resistant if the underlying hash function is collision resistant. Intuition: if x i is modified, σ i will change; otherwise a collision is found. If σ i changes, its parent will change; otherwise a collision is found... Repeat the same argument all the way to the root: either the root hash changes or a collision is found. 4 Review Knapsack Cryptosystems For this part, review the Merkle-Hellman cryptosystem (super-increasing knapsack as the private key, general knapsack as the public key), and go over the example on page 9 of the lecture note. 4.1 Why is it broken? This subsection gives intuition, not a rigorous proof. Let the trapdoor knapsack problem be sk = {u 1, u 2,, u n }, and the transformed knapsack problem be pk = {w 1, w 2,, w n }, where w i = Nu i mod M. First we show that we need M > u i. Let m 1 m 2 m n be the bit decomposition of an input message m. Encryption of m gives S = m i w i. We will then transform the sum S back to the super-increasing knapsack problem for decryption: T = N 1 S mod M = N 1 m i w i mod M = N 1 m i Nu i mod M = m i u i mod M If and only if M > u i, solving the trapdoor knapsack problem always gives the same result as solving the public-key knapsack. Next, we also need each u i to have a reasonably large range for us to choose from. If the range is too small, an attacker can brute force all the possible choices of each u i. A reasonable strategy is to select u 1 from [1, t], u 2 from [t + 1, 2t], u 3 from [3t + 1, 4t], u i from [(2 i 1 1)t + 1, 2 i 1 t]... Then, M should be larger than 2 n 1 t. Note that the largest element among w i s will be close to M. The density is then, n n n d = max(log 2 w i ) log 2 M n 1 + log 2 t Now we have a dilemma. If t is small, the range for each u i is small and may be brute-forced. For reference, there is another class of attack [Shamir, 1984] that can find a trapdoor knapsack

Recitation 11: Cryptography: More Primitives 5 that is not necessarily the same one as sk in polynomial time with high probability when t is small. If t is large, the density is low and the attack on low-density knapsack problems [Lagarias and Odlyzko, 1985] will succeed. How low a density is considered low? Lagarias and Odlyzko conjectured their attack had a high success rate if d < 0.645, and this threshold had been improved. The original MH scheme [Merkle and Hellman, 1978] proposed setting t = 2 n, making the density roughly 0.5, and is therefore vulnerable to low-density attacks. While most of the knapsack-based cryptosystems have been broken, there are a few that have so far resisted all attacks. They are still of interest due to the high encryption/decryption speed, as well as our desire of a variaty of cryptosystems (if one is broken, we have another one). But the original motivation of knapsack-based cryptosystems turned out to be unsuccessful: it is unlikely to base cryptography on NP-completeness. NP-complete problems may be hard only in the worstcase, while cryptography needs average-case hardness. 1 A Clarification for the Lecture Deciding if a integer N is prime or composite is in P, thanks to the AKS primality algorithm [Agrawal, Kayal and Saxena, 2004] that checks if a number is a prime in polynomial time. What s unknown if in NPC or not is, deciding if N is composite with a factor within a range. (The lecture note has that extra condition in it but Prof. Devadas did not write it on the board.) 1 The best summary on this topic may be Impagliazzo s five worlds in his A personal view of average-case complexity, 1995.

MIT OpenCourseWare http://ocw.mit.edu 6.046J / 18.410J Design and Analysis of Algorithms Spring 2015 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback