Cryptographic protocols


Lecture 3: Zero-knowledge protocols for identification
6/16/03 (c) Jussipekka Leiwo, www.ialan.com

Overview of ZK
- Asymmetric identification techniques that do not rely on digital signatures or public-key encryption; they also avoid block ciphers, sequence numbers and timestamps
- Similar to challenge-response protocols, but based on interactive proofs and zero-knowledge proofs
- Random numbers are employed as commitments to prevent cheating, not only as challenges

ZK concepts
- ZK allows the prover (claimant) to demonstrate knowledge of a secret without revealing any information of use to the verifier
- Only a single bit of information need be conveyed: that the prover knows the secret (related to trusted oracles)
- Interactive proofs: multiple messages are exchanged, typically dependent on random numbers; the proof is probabilistic rather than absolute (also called proof by protocol)

Proof of knowledge
An interactive proof is said to be a proof of knowledge if it has two properties:
- Completeness: given an honest prover and an honest verifier, the protocol succeeds with overwhelming probability
- Soundness: there exists a polynomial-time algorithm M with the following property: if a dishonest prover (impersonating A) can with non-negligible probability successfully execute the protocol with B, then M can be used to extract from this prover knowledge which with overwhelming probability allows successful subsequent protocol runs

Note on soundness
- Any party impersonating A must know the equivalent of A's secret: soundness guarantees that this knowledge can be extracted from the impersonator in polynomial time
- Soundness is required for cryptographic use: it prevents a dishonest prover from convincing an honest verifier
- It does not guarantee that acquiring the prover's secret is difficult; the zero-knowledge property is equally important

ZK-property
- Transcript: the collection of messages resulting from a protocol execution
- ZK-property: a protocol that is a proof of knowledge has the ZK-property if it is simulatable in the following sense: there exists an expected polynomial-time algorithm (simulator) which can produce, upon input of the assertions to be proven but without interacting with the real prover, transcripts indistinguishable from those resulting from interaction with the real prover

Computational vs. perfect ZK
- Computational ZK: an observer restricted to probabilistic polynomial-time tests cannot distinguish real from simulated transcripts; real and simulated transcripts are said to be polynomially indistinguishable. Any information extracted by a verifier through interaction with the prover gives the verifier no advantage within polynomial time
- Perfect ZK: the probability distributions of real and simulated transcripts must be identical

ZK vs. other asymmetric protocols
- No degradation with usage: ZK protocols resist chosen-text attacks
- Encryption avoided: political advantages?
- Efficiency: reasonable computation and communication overhead; the efficiency arises from the nature of interactive proofs, not from the ZK aspect
- Unproven assumptions: ZK protocols rely on the same unproven public-key assumptions (factoring, quadratic residuosity)
- ZK-based vs. ZK: many real-world implementations are not ZK, only based on ZK techniques

Fiat-Shamir identification protocol
A proves knowledge of s to B in t executions of a 3-pass protocol:
1. One-time setup
2. Protocol messages
3. Protocol actions

Fiat-Shamir setup
a. Trusted centre T
   1. selects and publishes an RSA-like modulus n = pq
   2. keeps the primes p and q secret
b. Each claimant A
   1. selects a secret s coprime to n, 1 <= s <= n-1
   2. computes v = s^2 mod n
   3. registers v with T as its public key

Fiat-Shamir protocol messages
Each of the t rounds has three messages of the following form:
1. A -> B : x = r^2 mod n
2. A <- B : e in {0, 1}
3. A -> B : y = r * s^e mod n

Fiat-Shamir protocol actions
The following steps are iterated t times; B accepts the proof if all t rounds succeed:
a. A chooses a random r (commitment), 1 <= r <= n-1, and sends x = r^2 mod n to B
b. B randomly selects a (challenge) bit e and sends it to A
c. A computes and sends to B the (response) y: either y = r (if e = 0) or y = r * s mod n (if e = 1)
d. B rejects the proof if y = 0, otherwise accepts upon verifying y^2 ≡ x * v^e (mod n)
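A worked run of the setup, messages and actions above, as an added example (not code from the lecture). The modulus N is a toy product of two known primes (2^31 - 1 and 10^9 + 7) chosen only so the demo runs instantly; a real deployment needs an RSA-size modulus whose factors T keeps secret. The CheatingProver class implements the x = r^2 / v strategy discussed on the next slide: it knows only the public v, passes every round where B sends e = 1, and fails whenever B sends e = 0.

```python
"""Fiat-Shamir identification: t rounds of commit / 1-bit challenge / response.
Added example, not the lecture's code. N is a toy modulus built from two
known primes; a real deployment needs an RSA-size modulus with secret factors."""
import math
import random

P_TOY, Q_TOY = 2147483647, 1000000007   # 2^31 - 1 and 10^9 + 7, both prime
N = P_TOY * Q_TOY                       # trusted centre T publishes n = pq


def keygen(n):
    """Claimant picks a secret s coprime to n and registers v = s^2 mod n with T."""
    while True:
        s = random.randrange(2, n - 1)
        if math.gcd(s, n) == 1:
            return s, pow(s, 2, n)


class HonestProver:
    def __init__(self, n, s):
        self.n, self.s = n, s

    def commit(self):
        self.r = random.randrange(1, self.n)        # commitment r, 1 <= r <= n-1
        return pow(self.r, 2, self.n)               # witness x = r^2 mod n

    def respond(self, e):
        return self.r if e == 0 else (self.r * self.s) % self.n   # y = r * s^e mod n


class CheatingProver:
    """Knows only the public v. Commits x = r^2 * v^-1 mod n so that y = r
    satisfies y^2 = x * v (the e = 1 check) but not y^2 = x (the e = 0 check,
    which would need a square root of x mod n)."""
    def __init__(self, n, v):
        self.n, self.v_inv = n, pow(v, -1, n)       # gcd(v, n) = 1; Python 3.8+

    def commit(self):
        self.r = random.randrange(1, self.n)
        return (self.r * self.r * self.v_inv) % self.n

    def respond(self, e):
        return self.r                                # correct only when e == 1


def verify_round(n, v, x, e, y):
    """B rejects y = 0 outright, otherwise checks y^2 = x * v^e (mod n)."""
    if y == 0:
        return False
    return pow(y, 2, n) == (x * pow(v, e, n)) % n


def identify(n, v, prover, t=20, challenges=None):
    """Run t rounds; `challenges` fixes B's bits (used to demonstrate the cheat)."""
    for i in range(t):
        x = prover.commit()
        e = random.randrange(2) if challenges is None else challenges[i]
        y = prover.respond(e)
        if not verify_round(n, v, x, e, y):
            return False
    return True


def cheater_success_rate(n, v, t, trials=2000):
    """Empirical impersonation rate of the cheater against random challenges (~ 2^-t)."""
    wins = sum(identify(n, v, CheatingProver(n, v), t) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    s, v = keygen(N)
    print("honest prover accepted:", identify(N, v, HonestProver(N, s)))
    print("cheater success rate at t=5:", cheater_success_rate(N, v, t=5))
```

The y = 0 rejection in verify_round matters: a prover who sends r = 0 (so x = 0 and y = 0) would otherwise pass both challenges without knowing s. The empirical rate from cheater_success_rate sits near 2^-t, which is why t must be chosen to make that negligible.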

Why is it secure?
- A must answer two questions: one that demonstrates knowledge of the secret s, and another (easy) one that prevents cheating
- An adversary impersonating A might try to cheat by selecting any r and setting x = r^2 / v mod n: it can answer challenge e = 1 with the correct y = r (since y^2 = r^2 = x * v), but cannot answer challenge e = 0, which requires knowledge of a square root of x mod n
- Such an adversary has probability 2^-t of guessing all t challenges correctly; the real prover A can answer both questions

Schnorr identification protocol
- Security is based on the intractability of the discrete logarithm problem
- Allows pre-computation, reducing the real-time computation of the claimant to a single multiplication modulo a prime q; suitable for low-end devices
- Further efficiency through the use of a subgroup of order q of the multiplicative group of integers modulo p, where q | (p-1)
- Lower communication bandwidth than Fiat-Shamir

Schnorr protocol overview
A proves knowledge of a secret a (without revealing it) in a time-variant manner (depending on the challenge e), identifying A through the association of a with the public key v via A's authenticated certificate. A proves its identity to B in a 3-pass protocol:
- Selection of system parameters
- Selection of per-user parameters
- Protocol messages
- Protocol actions

Schnorr system parameters
1. A prime p is selected such that p-1 is divisible by another prime q; discrete logarithms modulo p must be computationally infeasible (e.g. p ≈ 2^1024, q ≈ 2^160)
2. An element β is chosen, 1 <= β <= p-1, having multiplicative order q; e.g. for α a generator mod p, β = α^((p-1)/q) mod p
3. Each party obtains an authentic copy of the system parameters (p, q, β) and the public key of the trusted party T, allowing verification of T's signatures S_T(m)
4. A parameter t, 2^t < q, is chosen; it defines the security level 2^t

Schnorr per-user parameters
1. Each claimant A is given a unique identity I_A
2. A chooses a private key a, 0 <= a <= q-1, and computes v = β^(-a) mod p
3. A identifies itself by conventional means (e.g. passport) to T, transfers v to T with integrity, and obtains a certificate cert_A from T binding I_A with v

Schnorr protocol messages
Involves three messages:
1. A -> B : cert_A, x = β^r mod p
2. A <- B : e, 1 <= e <= 2^t
3. A -> B : y = ae + r mod q

Schnorr protocol actions
1. A chooses a random r (commitment), 1 <= r <= q-1, computes the (witness) x = β^r mod p and sends it to B
2. B verifies cert_A and sends A a (never previously used) random e (challenge), 1 <= e <= 2^t
3. A checks 1 <= e <= 2^t and sends B the (response) y = ae + r mod q
4. B computes z = β^y v^e mod p and accepts A's identity provided z = x

Notes on Schnorr security
- Probability of forgery: t must be sufficiently large to make the probability 2^-t of correctly guessing the challenge e negligible. t = 40 and q ≥ 2^(2t) = 2^80 were originally recommended; a larger q may be needed to preclude time-memory trade-offs, and q ≥ 2^160 is recommended to preclude other off-line discrete logarithm attacks. Guessing e allows an adversary to impersonate A
- Soundness: any party completing the protocol as A must be capable of computing a (i.e. the protocol is a proof of knowledge)
- ZK-property: not ZK for large e, because through interaction B obtains a solution (x, y, e) to x = β^y v^e mod p, which B itself might not be able to compute (e.g. if e were chosen to depend on x)
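The Schnorr parameters, messages and actions above carried through in code, as an added example rather than the lecture's own material. It generates a toy Schnorr group at run time (q of 64 bits, p of 128 bits; the slide's p ≈ 2^1024, q ≈ 2^160 are the sizes to use in practice), runs the honest 3-pass exchange with the verifier's z = β^y v^e check, shows the challenge-guessing impersonator from the security notes, and implements the knowledge extractor behind the soundness claim: two responses to the same commitment x for different challenges reveal a, which is also why a prover must never reuse r. The Miller-Rabin primality test and the group generator are this example's own helpers and are assumed adequate only for the demo.

```python
"""Schnorr identification: honest run, challenge-guessing forgery, and the
knowledge extractor that recovers a from one commitment answered twice.
Added example, not the lecture's code. Toy parameter sizes: real use needs
p ~ 2^1024 or larger and q ~ 2^160 or larger."""
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (demo-grade primality test)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(q_bits=64, p_bits=128, t=40):
    """System parameters (p, q, beta, t): prime q | p-1, beta of order q, 2^t < q."""
    assert t < q_bits - 1
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:  # p = k*q + 1 with k even, so p is odd
        k = (random.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if is_probable_prime(p):
            break
    while True:  # beta = alpha^((p-1)/q): beta^q = 1, and beta != 1 with q prime gives order q
        beta = pow(random.randrange(2, p - 1), (p - 1) // q, p)
        if beta != 1:
            break
    return p, q, beta, t


def keygen(params):
    p, q, beta, _ = params
    a = random.randrange(0, q)            # private key a, 0 <= a <= q-1
    v = pow(beta, q - a, p)               # public key v = beta^(-a) mod p
    return a, v


class Prover:
    def __init__(self, params, a):
        self.p, self.q, self.beta, self.t = params
        self.a = a

    def commit(self):
        """Witness x = beta^r mod p; this exponentiation can be precomputed offline."""
        self.r = random.randrange(1, self.q)
        return pow(self.beta, self.r, self.p)

    def respond(self, e):
        if not 1 <= e <= 2 ** self.t:
            raise ValueError("challenge out of range")
        return (self.a * e + self.r) % self.q     # single online multiplication mod q


def challenge(params):
    return random.randrange(1, 2 ** params[3] + 1)   # fresh e, 1 <= e <= 2^t


def verify(params, v, x, e, y):
    p, _, beta, _ = params
    return (pow(beta, y, p) * pow(v, e, p)) % p == x   # z = beta^y v^e = beta^r


def identify(params, prover, v):
    x = prover.commit()
    e = challenge(params)
    return verify(params, v, x, e, prover.respond(e))


def forge(params, v, e_guess):
    """Without a: pick y, set x = beta^y v^e_guess; accepted iff B sends e_guess."""
    p, q, beta, _ = params
    y = random.randrange(1, q)
    return (pow(beta, y, p) * pow(v, e_guess, p)) % p, y


def extract_key(params, e1, y1, e2, y2):
    """Extractor: (y1 - y2) = a (e1 - e2) mod q when both answer the same x."""
    q = params[1]
    return ((y1 - y2) * pow((e1 - e2) % q, -1, q)) % q


if __name__ == "__main__":
    params = gen_params()
    a, v = keygen(params)
    print("honest run accepted:", identify(params, Prover(params, a), v))
```

The forge function succeeds with probability 2^-t per run, which is the "guessing of e" attack in the notes; extract_key is the algorithm M of the soundness definition specialised to Schnorr, and it also shows what a verifier who can rewind or who receives two transcripts with the same x learns.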

Avoiding attacks on identification

Type of attack    Avoidance
replay            use of challenge-response; use of nonces; embed target identity in the response
interleaving      link together all messages from a protocol run (e.g. using chained nonces)
reflection        embed the identifier of the target party in responses to challenges; construct protocols with each message in a different format (avoid symmetries); use unidirectional keys
chosen-text       use of ZK; embed in each response to a challenge a self-chosen random number (confounder)
forced delay      combine the use of random numbers with short response time-outs; timestamps

Thank you!
Jussipekka Leiwo, Ph.D.
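The reflection row of the table above, worked as an added example (not from the lecture): a symmetric challenge-response protocol where the response is MAC_K(nonce), the reflection attack that turns the verifier into an oracle for its own challenge, and the fix of embedding the target party's identifier in the response. The shared key, party names and MAC construction (HMAC-SHA256) are this example's own choices.

```python
"""Reflection attack on symmetric challenge-response, and the fix from the
attack table: embed the identifier of the target party in the response.
Added example, not the lecture's code; key and identities are constructed."""
import hashlib
import hmac
import os

KEY = b"demo-key-shared-by-Alice-and-Bob"   # constructed demo key, not a real secret


def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Party:
    """Unilateral challenge-response. The verifier sends a fresh nonce; the claimant
    returns MAC_K(nonce) (vulnerable) or MAC_K(nonce, target_id) (fixed)."""
    def __init__(self, name, key, bind_target):
        self.name, self.key, self.bind_target = name, key, bind_target

    def challenge(self):
        return os.urandom(16)

    def respond(self, nonce, target):
        # `target` is the party the claimant believes it is answering to
        parts = (nonce, target) if self.bind_target else (nonce,)
        return mac(self.key, *parts)

    def verify(self, nonce, response):
        # a correct response must have been computed with *this* party as target
        parts = (nonce, self.name) if self.bind_target else (nonce,)
        return hmac.compare_digest(response, mac(self.key, *parts))


def honest_run(alice, bob):
    nonce = bob.challenge()
    return bob.verify(nonce, alice.respond(nonce, target=bob.name))


def reflection_attack(bob):
    """Mallory, without K, tries to be accepted by Bob as Alice."""
    # Session 1: Mallory claims to be Alice; Bob challenges her with a nonce.
    nonce = bob.challenge()
    # Session 2: Mallory opens a second session and sends Bob his own nonce as a
    # challenge; Bob answers it, believing he is proving himself to "Alice".
    reflected = bob.respond(nonce, target=b"Alice")
    # Session 1: Mallory returns Bob's own answer. Accepted iff the response
    # does not bind the identity of the party it was meant for.
    return bob.verify(nonce, reflected)


if __name__ == "__main__":
    print("vulnerable, attack succeeds:", reflection_attack(Party(b"Bob", KEY, False)))
    print("fixed, attack succeeds:", reflection_attack(Party(b"Bob", KEY, True)))
```

With bind_target=True Bob's answer in session 2 is MAC_K(nonce, "Alice"), while in session 1 he expects MAC_K(nonce, "Bob"), so the reflected value is rejected; the honest run still passes because Alice names Bob as the target. The table's other reflection countermeasures (asymmetric message formats, unidirectional keys) achieve the same break of symmetry by different means.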