--------------------------------------------------------------------------
CSE 227 - Lecture 10 - December 3, 2001
--------------------------------------------------------------------------

Announcements - Today:

  0. Evaluations [10 mins]
  1. Review and finish PK encryption
  2. Digital signatures
  3. The asymptotic approach
  4. Zero-knowledge

--------------------------------------------------------------------------

1. REVIEW
---------

Trapdoor permutation:

                   f: easy
         ----------------------------->
    D                                    R
         <-----------------------------
                   f^-1: hard
         <-----------------------------
                   f^-1: easy if you know the secret

\G = (Gen, Forward, Backward, Sample)

  Gen:      Prob. alg. Takes a "security parameter" k as input and returns
            two strings, f and f^-1.

  Forward:  Det. alg. Takes a string f and an input x and computes
            Forward(f,x), which we normally abbreviate f(x). This is a map
            from some set D to some set R.

  Backward: Det. alg. Takes a string f^-1 and an input y and computes
            Backward(f^-1,y), which we normally abbreviate f^-1(y).

  Sample:   Prob. alg. Takes f and returns a random point in D.

It must be the case that f^-1(f(x)) = x for all x in D.

Lovely idea, but how to realize it?

RSA:
  Gen(k) = p,q <- Primes(k); n <- pq; e <- various options;
           d = e^{-1} mod (p-1)(q-1); return (n,e), (n,d)
  Forward((n,e),x)  = x^e mod n
  Backward((n,d),y) = y^d mod n
  Sample((n,e))     = x <- Z_n^*; return x

Security definitions: just like the private-key case, but give the
adversary the encryption function.

To encrypt a bit b:      (X b)^e mod n              // not efficient

To encrypt a string M:   X^e mod n || H(X) xor M    // more efficient.
                                                    // Claimed secure in the RO model.
                                                    // Didn't prove it, because we
                                                    // ran out of time.

Less efficient than ad hoc methods.
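The string scheme above, X^e mod n || H(X) xor M, carried out with RSA as the trapdoor permutation (Gen, Forward, Backward, Sample), as an added example that is not part of the lecture notes. It assumes two fixed constructed primes in place of random k-bit ones and uses SHA-256 as a stand-in for the "random" hash H; the function names are mine.

```python
# Added example, not from the lecture notes: RSA as the trapdoor permutation
# (Gen, Forward, Backward, Sample) of the review, and the "X^e mod n || H(X) xor M"
# way of encrypting a string with it.  Assumptions: the primes are fixed,
# constructed values (a real Gen picks random k-bit primes); H stretches
# SHA-256 over the message length as a stand-in for the "random" hash H.
# Python 3.8+ (pow with exponent -1 computes the modular inverse).
import hashlib
import math
import secrets

def gen():
    p, q = 999983, 1000003                  # constructed primes
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))       # d = e^{-1} mod (p-1)(q-1)
    return (n, e), (n, d)                   # f = (n,e), f^-1 = (n,d)

def forward(f, x):                          # f(x) = x^e mod n
    n, e = f
    return pow(x, e, n)

def backward(f_inv, y):                     # f^-1(y) = y^d mod n
    n, d = f_inv
    return pow(y, d, n)

def sample(f):                              # random point of Z_n^*
    n, _ = f
    while True:
        x = secrets.randbelow(n)
        if x > 1 and math.gcd(x, n) == 1:
            return x

def H(x, length):
    """Stretch SHA-256(X || counter) to `length` bytes (stand-in for H)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(x.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(pk, msg):
    """Sender: X <- Sample; return (X^e mod n, H(X) xor M)."""
    x = sample(pk)
    return forward(pk, x), bytes(a ^ b for a, b in zip(H(x, len(msg)), msg))

def decrypt(sk, ct):
    """Receiver: recover X with the trapdoor, then strip H(X) off."""
    c1, c2 = ct
    x = backward(sk, c1)
    return bytes(a ^ b for a, b in zip(H(x, len(c2)), c2))
```

Each encryption samples a fresh X, so two encryptions of the same M differ, which is what the "give the adversary the encryption function" definition needs.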
OAEP encryption:

        M 10..0           R
        \______/          |
          padM            |
           |              |
           |     -----    |
          xor <--| G |<---+
           |     -----    |
           |              |
          \|/             |
    S = G(R) xor padM     |
           |     -----    |
           +---->| H |--> xor
                 -----    |
                         \|/
                  T = H(S) xor R

Chosen-ciphertext secure (BR, [Fujisaki, Okamoto, Pointcheval, Stern]).

ElGamal encryption

Z_p, group with p elements. Cyclic group: generator g.

Imagine

   Sender                               Receiver
     g^a   ------------------------->
           <-------------------------     g^b
     g^ab                                 g^ab

To make this into an encryption scheme: g^b is the receiver's public key.
Choose a as an "ephemeral" secret key, g^a as the "ephemeral" public key.

     g^a || g^{ab}*M  ------------------------->   g^b

Or, more reasonably,

     g^a || H(g^{ab}) xor M  ------------------------->

==============================================================================

2. Digital Signatures

2.1 Model

     Signer S                         Receiver
      (SK_S)   <-------------------->  (PK_S)

Contrast with physical signatures: copies are necessarily valid.
Contrast with the secret-key trust model: non-repudiation.

2.2. Syntax

A digital signature scheme is a triple Pi = (Gen, Sign, Verify)

  - Gen is a prob. alg. that takes a security parameter k and produces a
    pair (pk, sk)

  - Sign is an alg. (det. or prob.) that takes a string sk in
    support(sk(K(k))) and a message M in \bits^* and produces a string
    sigma ("the signature").

  - Verify is a det. alg. that takes a string pk in support(pk(K(k))), a
    message M in \bits^*, and a purported signature sigma and outputs a
    bit: 0 (for reject) or 1 (for accept)

Requirement: For all k, for all (pk,sk) <- K(k), for all M,
             for all sigma <- Sign_sk(M):   Verify_pk(M,sigma) = 1

2.3 Definition of the goal

Let Pi = (Gen, Sign, Verify) be a signature scheme and let A be an
adversary with an oracle. Then

   Adv^sig_Pi(A,k) = Pr[(pk,sk) <- Gen(k); A^{Sign_sk(.)}(pk) forges]

Here "A forges" means that, in the experiment above, it outputs (M,sigma)
where Verify(pk,M,sigma) = 1 and A made no prior query of M (alternatively,
no prior query of M that returned the value sigma).

2.4 Information-theoretic signatures don't exist

Adversary: Given PK_phil, to forge M, compute any string sig such that
Verify(PK_phil,M,sig) = 1. Such a string necessarily exists, since
sig = Sign(SK_phil, M) is one such string. So an adversary CAN forge.
The goal is to make this computationally infeasible.

2.5 Diffie-Hellman's idea

Make a signature out of a _trapdoor permutation_, as defined before.

      Public  |  Private
      ---------------------
        f     |   f^-1

To sign M: compute f^{-1}(M).
To verify (M,s): check f(s) == M.

2.6. The "raw RSA" signature scheme:

  Gen(k) = choose random k-bit primes p, q s.t. gcd(3,(p-1)(q-1)) = 1.
           Let n = pq. Compute d such that ed = 1 mod (p-1)(q-1).
           Return (pk = (n,3), sk = (n,d))

  Sign_{n,d}(M):   assume M in Z_n^*. Return s = M^d mod n

  Verify_{n}(M,s): assume M in Z_n^*. Return s^3 == M mod n

2.7. Does raw RSA work?

Two problems: (1) what if M is not in Z_n^*? (2) you can forge!

Can you think of an easily forged message? Sure: M = 1.

Worse than that: suppose that you know the signatures of M1 and M2:

   sigma1 = M1^d mod n
   sigma2 = M2^d mod n

Then you know the signature of M1*M2 mod n, since this is just

   (M1*M2 mod n)^d mod n = (M1^d mod n) * (M2^d mod n) mod n
                         = (sigma1 * sigma2) mod n

2.8. Williams' improvement

Williams suggested hashing M. Does two things:

  1. Expands the domain from Z_n^* to \bits^*
  2. Obscures the algebraic structure of working mod n

Show SHA-1.

Standards have done hashing for signatures since the beginning:

   ( 00 01 ffffffff...ffffffff 00 H(M) )^d mod n

(This is RSA PKCS #1, v. 1.) Probably can't be proven secure under any
normal assumption.

2.9. FDH:

   (H(M))^d mod n

where H is a "random" hash function onto the entire domain Z_n^*.
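The multiplicative property of raw RSA from 2.7, and how hashing the message first (2.8, FDH in 2.9) removes it, as an added example that is not part of the lecture notes. It assumes constructed primes, uses e = 65537 rather than the notes' 3 because 3 divides (p-1)(q-1) for these primes, and uses SHA-256 reduced mod n as a stand-in for a hash onto Z_n^*; the function names are mine.

```python
# Added example, not from the lecture notes: the multiplicative property of
# raw RSA signatures (2.7) and how hashing the message first (2.8, FDH in 2.9)
# breaks it.  Assumptions: fixed constructed primes; e = 65537 rather than the
# notes' 3, because 3 divides (p-1)(q-1) for these primes; H is SHA-256
# reduced mod n, standing in for FDH's hash onto Z_n^*.  Python 3.8+.
import hashlib

P, Q = 999983, 1000003                    # constructed primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))         # e*d = 1 mod (p-1)(q-1)

def raw_sign(m):                          # s = M^d mod n
    return pow(m, D, N)

def raw_verify(m, s):                     # s^e == M mod n
    return pow(s, E, N) == m % N

def H(msg):
    """Hash a byte string onto Z_n (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def fdh_sign(msg):                        # H(M)^d mod n
    return pow(H(msg), D, N)

def fdh_verify(msg, s):                   # s^e == H(M) mod n
    return pow(s, E, N) == H(msg)

def raw_product_verifies(m1, m2):
    """2.7: sigma1*sigma2 mod n passes raw verification for M1*M2 mod n,
    although M1*M2 was never signed."""
    s1, s2 = raw_sign(m1), raw_sign(m2)
    return raw_verify((m1 * m2) % N, (s1 * s2) % N)

def fdh_product_signs_only(msg1, msg2):
    """With hashing, the product of two signatures is still a valid signature,
    but only on the value H(M1)*H(M2) mod n; return that value and whether
    it equals the hash of either concatenation of the two messages."""
    prod = (fdh_sign(msg1) * fdh_sign(msg2)) % N
    signed_value = pow(prod, E, N)
    related = any(H(m) == signed_value for m in (msg1 + msg2, msg2 + msg1))
    return signed_value, related
```

The product of two FDH signatures only verifies for a message whose hash happens to equal H(M1)*H(M2) mod n, which is exactly what modeling H as a random function rules out except by chance.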
Or, more generally, f^{-1}(H(M)).

2.10 Security of FDH:

If H is modeled as a "perfect" random function (the RO model) then FDH is
secure as long as RSA is a one-way function.

In other words: Let Pi = (Gen, Sign, Verify) be a signature scheme (in the
RO model; Sign and Verify may depend on a function H) and let A be an
adversary (with two oracles). Then

   Adv^sig_Pi(A,k) = Pr[(pk,sk) <- Gen(k); H <- Omega:
                        A^{Sign^pk_sk(.), H(.)}(pk) forges]

That is, given an adversary A that forges against FDH and uses a "random
oracle" H to hash, you can construct an adversary I that inverts RSA.

Construction:
.............

I((n,e), y):      // try to find x s.t. x^e mod n = y
------------
  Choose a random value j between 1 and q_sig + q_hash.
  Construct the pk = (n,e) for FDH.
  Run A(pk).

  When A makes its i-th query, a hashing query Hash(M):
     If i = j then return y
     else choose a random x_i in Z_n^* and return y_i = x_i^e mod n

  When A asks Sign(M):
     If A has not already made a hash query of M, then ask Hash(M) first,
     answering this query as above.
     // we have already asked Hash(M)
     case 1: when we asked Hash(M), it was NOT the j-th query. So we know
             x_i s.t. x_i^e mod n = Hash(M). Return x_i.
     case 2: when we asked Hash(M), it was the j-th query. Give up.

  When A outputs (M*, sigma*):
     If there has been no query Hash(M*), ask Hash(M*) now, answering the
     query as above.
     // we have already asked Hash(M*)
     case 1: when we asked Hash(M*), it was NOT the j-th query. Give up.
     case 2: when we asked Hash(M*), it was the j-th query. So we returned
             y. So a valid forgery would be y^d. So return sigma* as our
             guess of the inverse of y. (You can check whether sigma*
             really is the inverse of y, if you like.)

Analysis: We won't do this, but it is not hard to see that the probability
that I inverts is at least 1/(q_sig+q_hash) * (the chance that A forges).

2.11. Beating the bound: PSS

      :::::M:::::    ::r::
             \        /
              \      /
               \    /            r
                \  /             |
                Hash             |
                 |               |
                 w  ----> g1(w) xor r
                 |
                 +-----> g2(w)

   ( 0 || w || g1(w) xor r || g2(w) )^d mod n

2.12. DSS

Another popular way to sign. Signature is just 320 bits. More efficient than
RSA for signing, less efficient for verifying. No provable security bound
known.

Newest methods give 160-bit signatures: DSS, but using a different group,
an EC group. A provable security result is known.

----------------------------------------------------------------------------

3.0 The Asymptotic Approach

Introduced a "security parameter" for PK encryption and signatures. Can
have it for symmetric encryption and MACs, too.

Given an adversary A, look at Adv^sig_Pi(A,k) as a function of k, \e(k).
We want that if A is "reasonable" then \e(k) is "negligible". How to
define these things?

Traditionally, reasonable = probabilistic polynomial time, and negligible =
a function that vanishes faster than the inverse of any polynomial:

   e: N -> R^+ is NEGLIGIBLE if
      (for all c > 0)(exists K_0)(for all k > K_0)  e(k) < 1/k^c

Example use:

  A digital signature scheme Pi = (Gen,Sign,Verify) is SECURE if for every
  PPT adversary A, Adv^sig_Pi(A,k) is negligible.

  A PK enc scheme Pi = (\K,\E,\D) is SECURE if for every PPT adversary A,
  Adv^rr_Pi(A,k) is negligible.

Advantages: simplifies statements, hides "details", focuses on the big
picture.
Disadvantages: statements less precise, less directly useful, arguably less
transparent.

World in the asymptotic view:

                /|\
                 |           PK-encryption
   Stronger      |                 |
   Defns         |       Trapdoor Permutations
                 |                 |
                 |   OWFs <--> PRG <--> PRF <--> PRPs <--> Sigs
                 |
                 -----------------------------

4. Zero-Knowledge

Example of a protocol problem. We haven't dealt much with these.

Prover P wants to prove to verifier V that instance x of NP-language L is a
"YES" instance. E.g.: Prover would like to establish that formula \phi IS
satisfiable.

Usual way to do this: give the satisfying assignment. But we want to do
this in a way that ONLY convinces V that x is in L. E.g., it should NOT
make apparent a satisfying assignment (assuming SAT is not in BPP).

Example: G3C (graph 3-coloring)
Example: HC (Hamiltonian cycle)

What does this "envelope" mean?

"Commitment scheme" -- the committer can't change the contents of the bit
once it has been committed to; the receiver can't tell anything about the
bit after the commitment.

Example using RSA.

  Committer: Choose an RSA modulus n = pq, encryption exponent e, decryption
             exponent d. Make an encryption scheme out of it using
             bit-by-bit encryption.
             Commit to M as Enc_{n,e}(M).
             Decommit to M as: p, q.

  Verifier:  Check p, q are prime and multiply to n. Then decrypt C to
             learn what was committed.

Notion of security: "simulation based" -- the adversary A learns nothing in
the protocol because, even if it cheats, what it sees is just like a sample
of a distribution that it could generate on its own.

Def. of computational indistinguishability:  A(x) \approx_L M(x) if

   (for every PPT "distinguisher" D)(for every c)(exists K)(for all k > K)
   (for all x of length at least k)

      | Pr[D^{A(x)}(x) = 1] - Pr[D^{M(x)}(x) = 1] | < 1/k^c

Def: Prover P is ZERO-KNOWLEDGE on language L if

   (for every PPT algorithm A^*)(there exists a simulator M)

      View(P <--> A^*)(x) \approx_L M(x)

Th [GMW 87]: every language in NP has a ZK proof.