Solution of Exercise Sheet 10

Similar documents
CS 161 Computer Security

CS 161 Computer Security

Protocols for Anonymous Communication

Lecture 7 - Applied Cryptography

Public Key Algorithms

CS 161 Computer Security

MPRI Course on Concurrency. Lecture 16. The need for randomization: examples in distributed computing and in security

Oblivious Transfer(OT)

Eating from the Tree of Ignorance Part 2

Other Topics in Cryptography. Truong Tuan Anh

CS61A Lecture #39: Cryptography

DC Networks The Protocol. Immanuel Scholz

Cryptographic Concepts

CS 161 Computer Security

CS Computer Networks 1: Authentication

CSC 774 Advanced Network Security

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Security and Anonymity

Solution of Exercise Sheet 11

Spring 2010: CS419 Computer Security

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

ECEN 5022 Cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

Lecture IV : Cryptography, Fundamentals

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017

Anonymity. MPRI Course on Concurrency. Lecture 14. Application of probabilistic process calculi to security. Anonymity: particular case of Privacy

Encryption 2. Tom Chothia Computer Security: Lecture 3

Context. Protocols for anonymity. Routing information can reveal who you are! Routing information can reveal who you are!

Cryptographic Systems

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Key Establishment and Authentication Protocols EECE 412

ISSN: (Online) Volume 3, Issue 5, May 2015 International Journal of Advance Research in Computer Science and Management Studies

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

CIS 3362 Final Exam 12/4/2013. Name:

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Uzzah and the Ark of the Covenant

HOST Cryptography III ECE 525 ECE UNM 1 (1/18/18)

Introduction to Cryptography Lecture 7

CSC/ECE 774 Advanced Network Security

EEC-682/782 Computer Networks I

Ref:

1 Extended Euclidean Algorithm

Computational Security, Stream and Block Cipher Functions

Chapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

COMPUTER & NETWORK SECURITY

Lecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption

Channel Coding and Cryptography Part II: Introduction to Cryptography

Key Management and Distribution

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Efficiency Optimisation Of Tor Using Diffie-Hellman Chain

CS 134 Winter Privacy and Anonymity

Quantum Encryption Keys

CPSC 467b: Cryptography and Computer Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Notes for Lecture 14

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Classic Cryptography: From Caesar to the Hot Line

More crypto and security

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CPSC 467b: Cryptography and Computer Security

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Key Exchange. Secure Software Systems

Fall 2010/Lecture 32 1

T Cryptography and Data Security

T Cryptography and Data Security

CS 161 Computer Security

Anonymity With material from: Dave Levin

Secrets & Lies, Knowledge & Trust. (Modern Cryptography) COS 116 4/20/2006 Instructor: Sanjeev Arora

Fall 2017 CIS 3362 Final Exam. Last Name: First Name: 1) (10 pts) Decrypt the following ciphertext that was encrypted using the shift cipher:

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Cryptography III Want to make a billion dollars? Just factor this one number!

A PROPOSED AUTHENTICATION SCHEME USING THE CONCEPT OF MINDMETRICS

Lecture 10, Zero Knowledge Proofs, Secure Computation

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

Lecture 2 Applied Cryptography (Part 2)

Using Commutative Encryption to Share a Secret

Encryption. INST 346, Section 0201 April 3, 2018

CS3235 Seventh set of lecture slides

CS408 Cryptography & Internet Security

Anonymity. With material from: Dave Levin and Michelle Mazurek

PROTECTING CONVERSATIONS

Password Authenticated Key Exchange by Juggling

Innovation and Cryptoventures. Digital Signatures. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Innovation and Cryptoventures. Digital Signatures. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Cryptography and Network Security

Abhijith Chandrashekar and Dushyant Maheshwary

1 Extended Euclidean Algorithm

Assignment 9 / Cryptography

Cryptography: More Primitives

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Transcription:

Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 10 1 Diffie-Hellman Key Exchange Alice and Bob exchange a shift cipher key using the Diffie-Hellman key exchange. They agree to use the prime p = 11 for their cyclic group Z11 and g = 7 as the generator. (5 points) (a) Assume Alice uses the secret value a = 6 and Bob the secret value b = 9. Compute the intermediate values and the final key that Alice and Bob exchange. X = g a = 4 mod 11 Y = g b = 8 mod 11 K = g ab = 3 mod 11 (5 points) (b) Assume Alice and Bob exchange the values X = g a = 5 mod 11 and Y = g b = 10. Determine the secret key they both exchanged! Describe your computation steps to determine the key. (Note: the values of a and b are not the same as in the exercise above!) The correct values are simply determined by trying various values for a and b until the given values for X and Y are observed. Once a and b are found, we can easily determine the key K by computing g a b mod p manually. a = 2, b = 5, K = 1 (3 points) (c) Decrypt the following message that was encrypted using a shift cipher. The key exchanged in Exercise b was used to encrypt the message. You can use whichever method you like to decrypt the message. TVFEFKBDLFUXJUIDBOEZTUSJQFMJOJOH SUEDEJACKETWITHCANDYSTRIPELINING (12 points) 2 Key Exchange 1/5

Design a protocol that allows 3 parties P 1, P 2 and P 3 to exchange a single symmetric key K, minimizing the number of exchanged messages. To do this, extend the Diffie-Hellman key exchange discussed in the lecture to three parties. The following conditions have to be fulfilled: 1. Given the CDH-assumption, only the parties P 1, P 2 and P 3 can know the key K. 2. A hash H(K) has to be exchanged to verify the exchanged key K between all parties. 3. Use as few messages as possible. You can give your solution as a sequence of messages sent from P i to P j, e.g. P i m Pj. Hint: The final key K should look something like K = g abc There following is just one of many options to achieve the 3-way key-exchange with confirmation using 5 messages: We assume a prime p and the generator g to be publicly known. We denote with a, b, c the three secrets of parties P 1, P 2 and P 3. g P a 1 P 2 P 2 g ab P 3 P 3 g c,h(g abc ) P 2 P 2 g bc,h(g abc ) P 1 P 1 H(g abc ) P 3 3 Dining Cryptographers I We try to generalize the Dining Cryptographers game to the situation with more than 3 Cryptographers among which several might collude. Check the slides of the lecture to learn about the 3-party Dining Cryptographers game without collusion. In the following we assume collusion to mean that, if cryptographer C 1 and C 2 collude, then C 1 knows all coins he and C 2 can see, and vice versa (i.e C 1 and C 2 share their knowledge). (4 points) (a) Consider the 3-party Dining Cryptographers game and show that any pair of colluding Cryptographers can learn whether the third is lying or not. 2/5

Assume cryptographers C 1 and C 2 collude against C 3. Let c 1 be the coin shown by C 3 to C 1 and c 2 be the coin shown by C 2 to C 3. Since C 1 and C 2 collude they know the value of both c 1 and c 2, and can therefore determine whether C 3 lies or not. (6 points) (b) Assume we now have a table of n Dining Cryptographers that sit in a ring. As in the 3-party DC game, each cryptographer shares a coin with the cryptographer to his left (and we use the same mechanism of saying the truth/lying to determine whether the NSA paid for dinner). Show that, for any n, there is a seating order with which two colluding cryptographers can de-anonymize at least one other cryptographer. Consider two Cryptographers C 1, C 2 that sit adjacent to the same cryptographer C and let c 1 be the coin that C 1 shares with C and c 2 be the coin that C 2 shares with C. Now, if C 1 and C 2 coincide, they know whether c 1 and c 2 are the same. Therefore, they also know if C lies when announcing whether his two coins are the same or not, effectively breaking C anonymity. 4 Dining Cryptographers II Obviously, the ring structure used above does not provide the required anonymity. We alternatively consider a clique-structure where each cryptographer shares a coin with every other cryptographer at the table: Let C be the set of all cryptographers at the table and consider following construction: Every Cryptographer C i shares a secret coin c i,j with ever other cryptographer C j C \ {C i } (and have only one coin for every pair of cryptographers, i.e. c i,j = c j,i ). Let heads count as 1 and tails count as 0. Every cryptographer now sums up the values of all coins {c i,j } n j=1 he sees modulo 2 (i.e. he checks whether the sum is even or odd) to the value S i, i.e. S i = j [1..n]\i c i,j mod 2. If C i pays for the meal, he inverts the sum S i (i.e. if S i is 1, it is set to 0, and vice versa). In the communication phase, all cryptographers reveal their sum S i, and the sum S of all sums S i modulo 2 is computed, i.e. S = i S i mod 2 (7 points) (a) What is the value of S if no cryptographer pays for dinner? Show your steps. 3/5

If no cryptographer pays for dinner, all coin sums are reported with their true value. Then S = S i mod 2 = c i,j mod 2 i i = 1 2 = 1 2 j [1..n]\i i,j [1...n],i j i,j [1...n],i j c i,j + c j,i mod 2 0 = 0 (8 points) (b) In the above construction, can n 2 cryptographers that work together identify if and which of the remaining two cryptographers paid for the dinner (assume that only one cryptographer will pay for dinner)? Provide arguments for your answer. None of the n 2 coinciding cryptographers paid for the dinner and want to know which of the remaining cryptographers C 1 and C 2 have paid for the dinner. C 1 and C 2 have a shared coin c 1,2 of which the remaining cryptographers do not know the value of. Since one of C 1 and C 2 pays for dinner, one of them will invert their sum S 1 or S 2. While the coinciding cryptographers know the sum of the remaining coins (denoted by c 1 and c 2 respectively), they still cannot know which of the sums S 1 and S 2 was inverted, since they do not know the value of c 1,2. this reduces the n-diningcryptographers game to the 3-dining cryptographers game for which we showed in the lecture that it provides anonymity. (+10 bonus) (c) The cryptographers do not have enough coins at the table to use the clique structure described above. Assume there are m (m < n) cryptographers at the table which are typical loners and would thus never collude with anyone. Describe an approach that uses less coins than the clique structure described above, but still ensures anonymity for all non-colluding cryptographers (Note: There do not have to be colluding cryptographers). Describe exactly how your coins are distributed and the number of coins you use. Also, provide reasons for why your construction still provides anonymity. You get more points the fewer coins you need, starting with 1 point for n(n 1) 2 1 coins. 4/5

The basic idea behind the contruction is that we need to satisfy two conditions: 1. each cryptographers has a shared secret with a non-colluding cryptographer 2. each cryptographers has a shared secret with at least two other cryptographers To satisfy Condition 1, this gives us m 2 save coin flips for the noncolluding cryptographers and n m save coin flips between the potentially colluding cryptographers and the non-colluding cryptographers. To satisfy Condition 2, we finally add n 2 additional coin flips. Overall, we therefore have m 2 + (n m) + n 2 coin flips. We can compute the overall consensus as defined in the problem definition. Again, we will get an overall result of 0 if all cryptographers say the truth, and a 1 of one of them lies: each coin flip contributes twice to the overall sum, and due to mod 2 computation, gets cancelled out if everyone is truthful. Anonymity, we can show as follows: As in exercise 4.b, even if all n m potentially colluding cryptographers colluded, the remaining non-colluding cryptographers have a shared secret that is not known to the colluding cryptographers. Upon seeing the overall consensus, the colluding cryptographers can therefore not infer whether or which of the cryptographers lied. 5/5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback