Modern Cryptography Lecture 13

1
Modern CryptographyLecture 13

• Yongdae Kim

2
Admin Stuff

• E-mail
• Subject should have 5471 in front, e.g. 5471
  Project proposal
• CC TA lin_at_cs.umn.edu
• Office hours
• Me M 115 215, W 400 500 (and by
  appointment)
• TA M 1030 1130, W 1100 1200
• Work on projects
• Project presentation May 2nd, 4th (Send me your
  preference)
• Final exam May 12th, 800 AM
• Check Calendar

3
Recap

• Math
• Proof techniques
• Divisibility a divides b (ab) if ?? c such that
  b ac
• GCD, LCM, relatively prime, existence of GCD
• Eucledean Algorithm
• d gcd (a, b) ? ? x, y such that d a x b y.
• gcd(a, b) gcd(a, b ka)
• Modular Arithmetic
• a b (mod m) iff m a-b iff a b mk for
  some k
• a b (mod m), c d (mod m) ? ac (bd) (mod
  m), ac bd (mod m)
• gcd(a, n) 1 ? a has an arithmetic inverse modulo
  n.
• Counting, probability, cardinality,
• Security Overview
• one-way function if f(x) is easy to compute for
  all x ? X, but it is computationally infeasible
  to find any x ? X such that f(x) y.
• trapdoor one-way function if given trapdoor
  information, it becomes feasible to find an x ? X
  such that f(x) y.

4
Recap

• Cryptographic Primitives
• SKE, PKE, Digital Signatures, Hash functions and
  MACs, Key Management through SKE, PKE
• Block Ciphers
• Modes of operation, meet-in-the-middle attack,
  Product cipher, Feistal cipher, DES
• Hash function
• Onewayness, weak/strong collision resistance,
  Birthday paradox
• Merkle Damgard Construction
• If the compression function is collision
  resistant, then strengthened Merkle-Damgård hash
  function is also collision resistant
• Multi-collision attack, extension property
• MAC
• CBC-MAC, Secret prefix, Secret Suffix, HMAC
• Authenticated Encryption

5
Recap (cnt)

• Advanced number theory
• CRT, Euler theorem If a ? Zn , then a f(n) 1
  (mod n)
• Cor if r s mod f(n) and (a, n)1, then ar as
  (mod n)
• Generator
• If ordn(a) f(n) then a is a generator of Zn.
• a is a generator iff a f(n)/p ? 1 mod n for all p
  f(n).
• Let a ? Zm and ord(a) h. Then ord(ak)
  h/gcd(h, k).
• RSA Encryption
• n pq, f(n) (p-1)(q-1), gcd(f(n), e) 1, ed
  ?1 mod f(n)
• As public key is (n, e) As private key is d
• Encryption compute c me mod n, Decryption m
  cd mod n
• RSA Security
• Computing d from (n, e) and factoring n are
  computationally equivalent
• n cannot be shared
• Small encryption exponent e 3
• Homomorphic property

6
Recap (cnt)

• Abstract Algebra
• Group, cyclic groups, generator, group order,
  subgroup
• Discrete logarithm problem
• Diffie-Hellman
• DLP vs. DHP, More efficient implementation (p, q,
  g)
• Long-term vs. short-term Diffie-Hellman
• ElGamal encryption
• ElGamal vs. RSA encryption
• RSA signature vs. DSA signature
• Identificaiton PINs and keys, graphical
  password, one-time pasword

7
Recap

• Challenge-response protocol
• SKE, MAC, PKE, Signature-based
• Nonce vs. time-stamp
• Key establishment
• Session key, PFS, known-key attack, implicit key
  authentication, key confirmation
• Kerberos
• Hybrid key transport
• Authenticated Diffie-Hellman MTI, STS
• Analysis of Key Establishment Protocols
  reflection and interleaving attacks
• Threshold Cryptography

8
Bilinear map and ID-based EncryptionEkyd_at_cs.umn.
edu(m)???
9
Definition

• Bilinear Map
• G1 and G2 be two abelian groups of prime order q.
• additive notation for G1 aP denotes the P added
  a times
• the multiplicative notation for G2
• A map e G1 ? G1 ? G2 is called an admissible
  bilinear map if
• Bilinearity For any P, Q ? G1 and a, b ? Zq,
  e(aP, bQ) e(P, Q)ab
• Non-degeneracy e(P, Q) ?1 for at least one pair
  of P, Q ? G1.
• Efficiency
• Hash functions
• h 0, 1 ? 0. 1n A collision-free hash
  function
• H 0, 1 ? G1 A collision-free full domain
  hash function (called map-to-point)
• H G2 ? Zq A collision-free full domain hash
  function

10
Crypto Assumptions

• Playing with Bilinear maps
• e(aP, bQ) e(P, abQ) e(P, Q)ab
• e(aP, Q) e(cP, Q) e( (ac) P, Q)
• Cryptographic Problems
• DLP is hard on G1 and G2
• finding a from (P, aP) is hard
• finding a from e(P, P)a is hard
• DDH is easy
• c ab if and only if e(aP, bP ) e(cP, P).
• BDHP is hard
• finding e(P, P)abc from aP, bP, cP is hard.

11
3-Way DH Key Agreement

• Let P be public generator of G1
• Three public keys aP (Alice), bP (Bob), cP
  (Carol)
• Group key GABCe(P,P)abc
• Alice computes e(bP,cP)ae(P,P)abc
• Bob computes e(aP,cP)be(P,P)abc
• Carol computes e(aP,bP)ce(P,P)abc
• Properties
• No communication
• Others cannot compute group key BDH problem

12
Identity-Based Encryption

• IDnamedate of birth
• Trusted Third Party secret s in Zq
• Public params generator P of G1 and sP
• Secret Key Generation
• IDAlice Alice ? TTP
• sH(IDAlice) TTP ? Alice
• Encryption Bob encrypts for Alice
• Pick random r in Zq
• Compute ge(H(IDAlice), sP))
• Compute
• gr e(H(IDAlice), sP))r e(H(IDAlice), rsP))
  e(rH(IDAlice), sP))
• Ciphertext lt rP, c m XOR H2(gr) gt

13
IBE (Contd)

• Decryption by Alice
• Compute gre(H(IDAlice), rsP))e(sH(IDAlice),
  rP))
• Compute H2(gr)
• m c XOR H2(gr)
• Why others cannot decrypt?
• Others know only H(IDAlice) and rP
• It is hard to determine r from rP (DLP)
• thus they cannot compute gr as e(H(IDAlice),
  sP))r
• They dont know s
• cannot compute e(H(IDAlice), srP))
• They dont know sH(IDAlice)
• cannot compute e(sH(IDAlice), rP))

14
Discussion (PKI vs. Kerberos vs. IBE)

• On-line vs. off-line TTP
• Implication?
• Non-reputation?
• Revocation?
• Scalability?
• Trust issue?

15
Hash Chain and Hash Tree
16
Hash Chain

• h Cryptographically strong hash function
• H0 x
• Hnh(Hn-1) h(h(h( h(x))))
• Random mapping statistics

17
One time password

• Setup
• User generates H0, H1, Hn.
• User ?Server Hn
• Server stores Hn as the users public password.
• Authentication
• At time 0 User ?Server Hn-1
• Server verifies h(Hn-1) Hn
• Server stored Hn-1 as the users public password.
• At time 1 User ?Server Hn-2

18
Stream Authentication

• Streaming
• Single-sender, single-receiver?
• MAC!
• Single-sender, multiple-receiver?
• MAC?
• Digital Signature?

19
Need for a separate scheme

• Need for widespread trusted streamed media
  dissemination
• Attacker may alter stock quotes distributed
  through IP multicast
• Solution is trivial for 1 sender receiver case
• Multiple receiver Need to use PKC
• Digital Signatures Too inefficient
• Needs to scale to millions of users
• Streamed media distribution can have high packet
  loss

20
TESLA

• Fv(x) Fv-1(F(x)), F0(x) x
• K0 Fn (Kn), Ki Fn-i(Kn)
• cannot invert F compute any Kj given Ki jgti
• Receiver can compute all Kj from Ki j lt i
• Kj Fi-j (Ki) Ki F(Ki)

Ki-1
Ki
Ki1
F
F
Pi
Pi-1
Pi1
Mi-1 Di-1 Ki-2
Mi Di Ki-1
Mi1 Di1 Ki
MAC(Ki-1, Di-1)
MAC(Ki, Di)
MAC(Ki1, Di1)
Authenticated
Authenticated after receiving Pi1
Not yet Authenticated
21
Key Strengthening

• Preventing/mitigating on-line dictionary attack
• Assuming that users will choose weak password
• Salting
• Stored key h(password random salt)
• Ideally, random salt should be private, but
  public salt is still useful. Why?
• Key strengthening
• key hash(passwordsalt)
• for 1 to 65000 do
• key hash(key)
• What does it provide?

22
Group Key Management

• Secure group communication
• IP Multicast
• Pay-per-view video streaming
• Video On Demand (VOD)
• Secure teleconferencing
• Online games
• Group confidentiality service
• How to share a common key over a group?

23
Assumption

• There is a Group Controller (GC)
• All nodes share a Traffic Encryption Key (TEK) to
  encrypt communication data.
• When membership changes, TEK needs to be updated
• Each node shares a Key Encryption Key with GC to
  encrypt TEK updates

24
Traffic Encryption Key
A Group of Users
ETEK(msg)
u
25
Simplest Approach
u2
u3
u1
u4
GC
u5
u6
u7
26
Join?
u2
u3
u1
u4
GC
u5
u8
u6
u7
27
Leave
u2
u3
u1
u4
GC
u5
u8
u6
u7
28
One-way Function Tree (OFT)

• Proposed by D. A. McGrew and A. T. Sherman

bk g(k) blinded key k f ( g(kleft),
g(kright) ) k unblinded key
unblinded key
f
kleft
kright
g
g
29
Blinded Unblinded Keys

• Unblinded Key the value that hasnt been passed
  though g
• Blinded Key the value that has already been
  passed though g
• If you know the unblinded key, you can compute
  the blinded key
• The converse is not true

30
OFT Algorithm
ki f ( g(k2i), g(k2i1) )
k1
k2
k3
k4
k5
k6
k7
k8
k9
k10
k11
k12
k13
k14
k15
u1
u2
u3
u4
u5
u6
u7
u8
31
OFT Algorithm (u4s view)
ki f ( g(k2i), g(k2i1) ) f (bk2i, bk2i1)
k1
k2
Ek2(bk3)
Ek5(bk4)
k5
Ek11(bk10)
k11
u1
u2
u3
u4
u5
u6
u7
u8
32
OFT Algorithm (leave)
u1
u2
u3
u4
u5
u6
u7
u8
33
Proof of Possession

• Storage Service Provider
• How can a SSP prove that it stores all blocks?
• Or how can a client verify that the SSP stores
  all blocks?
• Constraints The client does not have the copy of
  the whole storage.
• Naïve solution
• Storing hashes of each block?

34
Hash Tree
Hi h ( H2i, H2i1)
H1
H2
H3
H4
H5
H6
H7
H8
H9
H10
H11
H12
H13
H14
H15
B1
B2
B3
B4
B5
B6
B7
B8
35
Temporal Key Management

• For each time interval, one can use different key
  to encrypt a file.
• Temporal read access control can be provided by
  distributing keys for associated time interval
• Constraints One does not want to store all
  previous keys.
• Naïve solution Hash chain
• Key generation Kt h(Kt1)
• Use Kt at time t.
• Problem?

36
Hash Tree-based Solution
Kright child h2 (Kparent)
Kleft child h1 (Kparent)
K1-8
K1-4
K5-8
K1-2
K3-4
K5-6
K7-8
K1
K2
K3
K4
K5
K6
K7
K8