Title: Introduction to Information Security Lecture 6: Other Cryptographic Primitives
Slide 1: Introduction to Information Security, Lecture 6: Other Cryptographic Primitives
Slide 2: Contents
- Mode of Operation
- Blind Signatures
- Secret Sharing and Threshold Cryptography
- Zero-knowledge Proofs
- Identification, Authentication
Slide 3: Mode of Operation
Slide 4: Modes of Operation: ECB Mode
- Electronic Code Book Mode
  - Break a message into a sequence of plaintext blocks
  - Each plaintext block is encrypted (or decrypted) independently
  - The same plaintext block always produces the same ciphertext block
  - May not be secure, e.g., for a highly structured message
  - Typically used for secure transmission of single values (e.g., an encryption key)
[Figure: ECB encryption, Ci = EK(Pi) for blocks P1, P2, ..., Pn under key K, and decryption, Pi = DK(Ci)]
Slide 5: Modes of Operation: CBC Mode
- Cipher Block Chaining Mode
  - Each ciphertext block is affected by the previous blocks
  - No fixed relationship between the plaintext block and its input to the encryption function
  - The same plaintext block, if repeated, produces different ciphertext blocks
  - IV (Initializing Vector) must be known to both ends
  - Most widely used for block encryption
[Figure: CBC encryption and decryption under key K with initialization vector IV]
  C1 = EK(P1 ⊕ IV)      P1 = IV ⊕ DK(C1)
  C2 = EK(P2 ⊕ C1)      P2 = C1 ⊕ DK(C2)
  C3 = EK(P3 ⊕ C2)      P3 = C2 ⊕ DK(C3)
  C4 = EK(P4 ⊕ C3)      P4 = C3 ⊕ DK(C4)
Slide 6: Modes of Operation: CFB Mode
- Cipher Feedback Mode
  - A way of using a block cipher as a stream cipher
  - A shift register of block size maintains the current state of the cipher operation, initially set to some IV
  - The value of the shift register is encrypted using key K, and the leftmost j bits of the output are XORed with the j-bit plaintext Pi to produce the j-bit ciphertext Ci
  - The value of the shift register is shifted left by j bits and Ci is fed back into the rightmost j bits of the shift register
  - Typically j = 8, 16, 32, 64
  - Decryption function DK is never used
[Figure: CFB encryption and decryption; both directions apply only EK to the shift register (initially IV), with each Ci fed back]
Slide 7: Modes of Operation: OFB Mode
- Output Feedback Mode
  - The structure is similar to that of CFB, but
    - CFB: ciphertext is fed back to the shift register
    - OFB: output of E is fed back to the shift register
  - For security reasons, only the full feedback (j = block size) mode is used
  - No error propagation
  - More vulnerable to a message stream modification attack
  - May be useful for secure transmission over a noisy channel (e.g., satellite communication)
[Figure: OFB encryption and decryption; the output of EK, not Ci, is fed back into the shift register]
Slide 8: Modes of Operation: CTS Mode
- Ciphertext Stealing Mode
  - Eliminates the padding requirement for block ciphers
  - The same as CBC mode, except for the encryption/decryption of the last two blocks (one complete block and the remaining partial block)
  - Adopted in H.235 as one of the operating modes for block ciphers
[Figure: CTS encryption and decryption. Blocks up to Cn-2 are produced as in CBC; the last complete block Pn-1 and the zero-padded partial block Pn ("000") are processed through an intermediate value X to give Cn-1 and Cn, and decryption recovers X before Pn-1 and Pn.]
H.235 covers security and encryption for H.323 and other H.245-based terminals. H.323 covers multimedia communication on any packet network.
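The five modes on slides 4 to 8, implemented as an added example (this is not code from the lecture). The block cipher E_K is a stand-in 4-round Feistel network built from SHA-256, an assumption made so the modes run offline; any 16-byte block cipher such as AES would slot into `encrypt_block`/`decrypt_block`. The key, IV and plaintext used in the comments are constructed sample values.

```python
"""ECB, CBC, CFB (j = 8), OFB and CTS over a toy 16-byte block cipher."""
import hashlib

BLOCK = 16  # block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in E_K: 4-round Feistel network (assumption; not a real cipher)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in D_K: the same rounds in reverse order."""
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    """ECB: blocks are independent, so equal plaintext blocks give equal ciphertext blocks."""
    assert len(pt) % BLOCK == 0, "ECB needs whole blocks (padding is the caller's job)"
    return b"".join(encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CBC: C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV."""
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """CBC: P_i = C_{i-1} XOR D_K(C_i)."""
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb8_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """CFB with j = 8: encrypt the shift register, XOR its leftmost byte with one data
    byte, shift left one byte and feed the CIPHERTEXT byte into the rightmost position.
    D_K is never used; decryption only changes which byte is fed back."""
    reg, out = iv, bytearray()
    for b in data:
        o = b ^ encrypt_block(key, reg)[0]
        out.append(o)
        reg = reg[1:] + bytes([b if decrypt else o])
    return bytes(out)

def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Full-block OFB: keystream E_K(E_K(...E_K(IV))) is independent of the data, so a
    flipped ciphertext bit flips exactly that plaintext bit (no error propagation)."""
    reg, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        reg = encrypt_block(key, reg)              # output of E is fed back
        out += xor(data[i:i + BLOCK], reg)         # last partial block handled by xor()
    return bytes(out)

def cts_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """CTS: CBC except for the last complete block P(n-1) and the d-byte partial block Pn.
    No padding: |C| == |P|. Standard construction (assumption; the slide shows only the figure)."""
    if len(pt) < BLOCK:
        raise ValueError("CTS needs at least one full block")
    d = len(pt) % BLOCK
    if d == 0:
        return cbc_encrypt(key, iv, pt)
    head, p_full, p_part = pt[:-(BLOCK + d)], pt[-(BLOCK + d):-d], pt[-d:]
    c_head = cbc_encrypt(key, iv, head)
    prev = c_head[-BLOCK:] if c_head else iv
    x = encrypt_block(key, xor(p_full, prev))                 # X = E_K(P(n-1) XOR C(n-2))
    c_last = encrypt_block(key, xor(p_part, x[:d]) + x[d:])   # E_K((Pn || 000) XOR X)
    return c_head + c_last + x[:d]                            # C(n-1) = c_last, Cn = leftmost d bytes of X

def cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    d = len(ct) % BLOCK
    if d == 0:
        return cbc_decrypt(key, iv, ct)
    c_head, c_last, c_part = ct[:-(BLOCK + d)], ct[-(BLOCK + d):-d], ct[-d:]
    p_head = cbc_decrypt(key, iv, c_head)
    prev = c_head[-BLOCK:] if c_head else iv
    y = decrypt_block(key, c_last)                            # (Pn || 000) XOR X
    x = c_part + y[d:]                                        # stolen bytes back in front of y's tail
    return p_head + xor(decrypt_block(key, x), prev) + xor(y[:d], c_part)
```

With the constructed input `b"ATTACK AT DAWN!!" * 2 + b"extra"`, ECB produces two identical ciphertext blocks for the repeated plaintext block, CBC does not, CFB and OFB handle the 5-byte tail without padding, and CTS returns exactly 37 bytes of ciphertext.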
Slide 9: Cryptographic Protocols
Slide 10: Typical E-commerce Scenario
- Combination of lots of computation / communication
- Must be fair to all participating entities
Slide 11: Cryptographic Protocols
- Cryptographic algorithms
  - Algorithm executed by a single entity
  - Algorithms performing cryptographic functions: encryption, hash, digital signature, etc.
- Cryptographic protocols
  - Protocols executed between multiple entities through pre-defined steps of communication, performing security-related functions
  - Perform more complicated functions than what the primitive algorithms can provide
  - Primitives: key agreement, secret sharing, blind signature, coin toss, secure multiparty computation, etc.
  - Complex application protocols: e-commerce, e-voting, e-auction, etc.
Slide 12: Cryptographic Protocols
- Protocols
  - Designed to accomplish a task through a series of communication steps, involving two or more entities
- Cryptographic Protocols
  - Protocols that use cryptography
  - Non-face-to-face interaction over an open network
  - Cannot trust other entities
Slide 13: Security Requirements in Protocols
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
- Correctness
- Verifiability
- Fairness
- Anonymity
- Privacy
- Robustness
- Efficiency
- Etc
Combinations of these requirements according to applications
Slide 14: Protocol Primitives
- Coin Toss game over a Communication Network
  - Two parties play a coin toss game over the communication network
  - Can it be made fair?
- Blind Signatures
  - Signer signs a document without knowledge of the document and the resulting signature
  - Message and the resulting signature are hidden from the signer
  - Many applications which require anonymity or privacy: digital cash, e-voting
- Key Agreements
  - Two or more parties agree on a secret key over a communication network in such a way that both influence the outcome
  - Do not require any trusted third party (TTP)
Slide 15: Protocol Primitives
- Secret Sharing
  - Distribute a secret amongst a group of participants
  - Each participant is allocated a share of the secret
  - Secret can be reconstructed only when the shares are combined together
  - Individual shares are of no use on their own
- Threshold Cryptography
  - A message is encrypted using a public key and the corresponding private key is shared among multiple parties
  - In order to decrypt a ciphertext, a number of parties exceeding a threshold is required to cooperate in the decryption protocol
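The secret-sharing bullets above describe a threshold scheme without naming one; the added example below (not the lecture's code) uses Shamir's (t, n) scheme over a prime field, the standard way to realise them. Any t shares reconstruct the secret by Lagrange interpolation at x = 0, and `interpolate` also shows why t-1 shares are of no use on their own: they are consistent with every possible secret. The field prime and the sample secret are constructed values; a private key for threshold decryption would be shared the same way after conversion to an integer.

```python
"""Shamir (t, n) secret sharing over GF(P)."""
import secrets

P = 2**127 - 1          # prime field; must exceed the largest secret shared

def split(secret: int, t: int, n: int, rng=secrets.randbelow):
    """Shares (i, f(i)) for i = 1..n, where f is a random polynomial of degree t-1
    with f(0) = secret. `rng` is injectable so the scheme can be tested deterministically."""
    assert 0 <= secret < P and 1 <= t <= n < P
    coeffs = [secret] + [rng(P) for _ in range(t - 1)]
    f = lambda x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    return [(i, f(i)) for i in range(1, n + 1)]

def interpolate(points, at: int = 0) -> int:
    """Lagrange interpolation: value at `at` of the unique polynomial of degree
    < len(points) through the given (x, y) points (x values must be distinct)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (at - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(shares) -> int:
    """Combine any t distinct shares: the secret is f(0)."""
    return interpolate(shares, 0)

def implied_share(partial_shares, guess: int, x_new: int) -> int:
    """Holding only t-1 shares, every `guess` for the secret is consistent: there is a
    degree t-1 polynomial through the t-1 shares and (0, guess). Returns the share value
    a t-th participant at x_new would hold if `guess` were the secret. Only the real
    secret reproduces the real t-th share, so t-1 shares alone pin down nothing."""
    return interpolate([(0, guess)] + list(partial_shares), x_new)
```

Fewer than t shares interpolated at 0 give an unrelated field element rather than an error, so a combiner must know the threshold; in practice t is stored alongside each share.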
Slide 16: Protocol Primitives
- Zero-knowledge Proofs
  - An interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the validity of the statement
- Identification, Authentication
  - Over the communication network, one party, Alice, shows to another party, Bob, that she is the real Alice
  - Allows one party, Alice, to prove to another party, Bob, that she possesses secret information without revealing to Bob what that secret information is
Slide 17: Application Protocols
- Electronic Commerce
  - SET (Secure Electronic Transaction): credit card transaction
  - Digital cash, micropayment, e-check, e-money
  - e-auction
  - e-banking
  - e-government
  - e-voting
  - Fair exchange of digital signatures (for contract signing)
- Application Scenarios
  - Traditional applications transfer to electronic versions
  - New applications appear with the help of crypto
Slide 18: Blind Signatures
Slide 19: Blind Signature
- Signing without seeing the message
  - We should not reveal the content of the letter to the signer
  - For example, using a carbon-enveloped message:
    1) Send a carbon-enveloped message
    2) Sign on the envelope
    3) Take off the envelope and get the signed message
Slide 20: Motivation of Blind Signature
- One interesting question about public key cryptosystems is whether we can use digital signatures to create some form of digital currency. The scenario is described as follows:
  - A bank publishes its public key.
  - When one of its customers makes a withdrawal from his account, the bank provides him with a digitally signed note that specifies the amount withdrawn.
  - The customer can present it to a merchant, who can then verify the bank's signature.
  - Upon completing a transaction, the vendor can then remit the note to the bank, which will then credit the vendor the amount specified in the note.
  - This note is, in effect, a digital monetary instrument; we call it Electronic Cash or E-Cash.
- Privacy issue of digital cash???
  - The bank can easily trace a piece of cash to a specific user.
Slide 21: E-Cash Scenario
[Figure: Bank, Customer and Shop. The Bank publishes its Public Key; the Customer sends a Withdrawal Request and the Bank answers with E-cash Issuing; the Customer makes a Payment to the Shop; the Shop makes a Deposit at the Bank.]
Slide 22: David Chaum's Blind Signature
- David Chaum proposed a very elegant solution to this problem, known as the blind signature.
- He is also known as the father of E-cash.
Slide 23: Blind Signature
- A blind signature scheme is a protocol that allows the provider to obtain a valid signature for a message m from the signer without him seeing the message and its signature.
- If the signer sees message m and its signature later, he can verify that the signature is genuine, but he is unable to link the message-signature pair to the particular instance of the signing protocol which led to this pair.
- Many applications
  - Useful when values need to be certified, yet anonymity should be preserved: e-cash, e-voting
Slide 24: Blind Signature
- Protocol Steps
  - Alice takes the document and uses a blinding factor to blind the document. (Blinding Phase)
  - Alice sends the blinded document to Bob and Bob signs the blinded document. (Signing Phase)
  - Alice can remove the blinding factor and obtain the signature on the original document. (Unblinding Phase)
Slide 25: RSA-based Blind Signature
User and Signer. The user wants to get a signature for a message m.
(1) Blinding (User): choose a random r ∈ Z_N, compute m' = H(m) · r^e mod N, and send m' to the Signer
(2) Signing (Signer): s' = (m')^d mod N, and send s' to the User
(3) Unblinding (User): s = s' · r^(-1) mod N
    s = s' · r^(-1) mod N = (H(m) · r^e)^d · r^(-1) mod N = H(m)^d mod N
s is a valid signature of the signer. The signer cannot have any information on m and s.
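The three steps of slide 25 as runnable code, added here as an example (not the lecture's code). The RSA key is a constructed toy key built from two six-digit primes, far too small for real use, and H is SHA-256 reduced mod N as a stand-in for a proper full-domain hash. The unblinding step checks the algebra of the slide: the unblinded value equals H(m)^d mod N exactly.

```python
"""RSA blind signature: blind, sign, unblind, verify."""
import hashlib
import secrets
from math import gcd

p_, q_ = 1000003, 999983                     # constructed toy primes (not for real use)
N = p_ * q_
e = 65537
d = pow(e, -1, (p_ - 1) * (q_ - 1))          # signer's private exponent

def H(m: bytes) -> int:
    """Toy full-domain hash into Z_N (assumption: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def blind(m: bytes):
    """(1) Blinding, by the user: random r in Z_N^*, m' = H(m) * r^e mod N.
    Returns (r, m'); r stays with the user, only m' goes to the signer."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:                   # r must be invertible for step (3)
            return r, H(m) * pow(r, e, N) % N

def sign_blinded(m_blind: int) -> int:
    """(2) Signing, by the signer: s' = (m')^d mod N. For H(m) coprime to N, m' is a
    uniformly random element of Z_N^* whatever m is, so it tells the signer nothing."""
    return pow(m_blind, d, N)

def unblind(s_blind: int, r: int) -> int:
    """(3) Unblinding, by the user: s = s' * r^-1 = (H(m) r^e)^d r^-1 = H(m)^d mod N."""
    return s_blind * pow(r, -1, N) % N

def verify(m: bytes, s: int) -> bool:
    """Anyone holding (e, N): s is a valid signature on H(m) iff s^e == H(m) mod N."""
    return pow(s, e, N) == H(m)

def obtain_signature(m: bytes) -> int:
    """Full protocol run from the user's side."""
    r, m_blind = blind(m)
    return unblind(sign_blinded(m_blind), r)
```

Because `blind` picks a fresh r each time, two runs on the same m send the signer different values, which is what prevents linking a later (m, s) pair to the signing session.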
Slide 26: Schnorr-based Blind Signature
User and Signer:
(1) Challenge: Signer -> User: r
(2) Blinding: User -> Signer: e
(3) Signing: Signer -> User: s
(4) Unblinding: (r, s) is an unknown signature for the unknown message m
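Slide 26 gives only the four messages r, e, s and the final unblinding. The added example below (not the lecture's code) fills them in with the standard blind Schnorr construction, which is an assumption of this example rather than something the slide states. The group is a constructed toy one: P = 2039 = 2Q + 1 with Q = 1019 and G = 4 of order Q. The user ends up with the pair (e', s'), and the verifier recovers the blinded commitment r' from it.

```python
"""Blind Schnorr signature: challenge, blinding, signing, unblinding."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4        # constructed toy group (assumption): G generates the order-Q subgroup

def H(m: bytes, r: int) -> int:
    """Challenge hash e = H(m || r), reduced into Z_Q."""
    return int.from_bytes(hashlib.sha256(m + r.to_bytes(2, "big")).digest(), "big") % Q

def keygen(rng=secrets.randbelow):
    """Signer's key pair (x, y = G^x mod P)."""
    x = rng(Q - 1) + 1
    return x, pow(G, x, P)

def signer_challenge(rng=secrets.randbelow):
    """(1) Challenge: signer picks k and sends r = G^k. k is kept for step (3)."""
    k = rng(Q - 1) + 1
    return k, pow(G, k, P)

def user_blind(m: bytes, y: int, r: int, rng=secrets.randbelow):
    """(2) Blinding: r' = r * G^alpha * y^beta, e' = H(m, r'), send e = e' - beta.
    The signer sees e, which is independent of e' because beta is uniform."""
    alpha, beta = rng(Q), rng(Q)
    r_blind = r * pow(G, alpha, P) * pow(y, beta, P) % P
    e_blind = H(m, r_blind)
    state = (alpha, e_blind, r_blind)          # kept by the user for unblinding
    return state, (e_blind - beta) % Q

def signer_sign(x: int, k: int, e: int) -> int:
    """(3) Signing: s = k - e*x mod Q. The signer's whole view is (r, e, s)."""
    return (k - e * x) % Q

def user_unblind(state, s: int):
    """(4) Unblinding: s' = s + alpha. The signature on m is (e', s')."""
    alpha, e_blind, _ = state
    return e_blind, (s + alpha) % Q

def recover_r(y: int, sig) -> int:
    """G^s' * y^e' = G^(k - e x + alpha) * G^(x(e + beta)) = r * G^alpha * y^beta = r'."""
    e, s = sig
    return pow(G, s, P) * pow(y, e, P) % P

def verify(y: int, m: bytes, sig) -> bool:
    """Standard Schnorr verification: recompute r' and check the hash matches e'."""
    return H(m, recover_r(y, sig)) == sig[0]
```

With Q this small a forged signature would pass the hash check with probability about 1/Q per attempt, which is why real deployments use a group of order around 2^256; the structure of the protocol is unchanged.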
Slide 27: Zero-Knowledge Proofs
Slide 28: Interactive Proof Systems
[Figure: Verifier and Prover]
- Verifier is curious about the prover's knowledge.
  - He will ask difficult questions, s.t. the secret must be used to answer.
  - Should be random questions
- Prover knows a secret (precious) piece of information.
  - Wants to prove that he knows it, but does not want to reveal it.
The verifier's strategy is a probabilistic polynomial-time (PPT) procedure.
Slide 29: Ali Baba's Cave
- Alice wants to prove to Bob that she knows how to open the secret door between A and B, but will not reveal the secret itself.
- Procedure
  - Alice and Bob go to the cave
  - Alice goes to A or B randomly (Bob cannot see)
  - Bob tells Alice to come out from A or B
  - If Alice knows the secret, she can appear from the correct side of the cave every time
  - Bob repeats as many times as needed until he believes Alice knows the secret to open the secret door
- How about Trudy? Can Trudy convince Bob without knowing the secret?
Slide 30: Interactive Proof Protocol
[Figure: P (Prover) and V (Verifier), each holding the Common Inputs; P sends a Commitment, V sends a Challenge, P sends a Response; this repeats for t rounds]
- Prover and verifier share common inputs (functions or values)
- The protocol yields Accept if every Response is accepted by the Verifier
- Otherwise, the protocol yields Reject
Slide 31: Requirements of Interactive Proofs
- Completeness
  - If the statement is true, the honest verifier will be convinced of this fact by an honest prover
  - Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε, where ε ∈ (½, 1]
- Soundness
  - If the statement is false, no cheating prover can convince the honest verifier that it is true, except with some small probability
  - Prob[(P,V)(x) = Accept | x ∉ L] ≤ δ, where δ ∈ [0, ½)
Slide 32: Zero-Knowledge Proofs
- Instances of interactive proofs with the following properties
  - Completeness: true theorems are provable
  - Soundness: false theorems are not provable
  - Zero-Knowledge: no information about the prover's private input (secret) is revealed to the verifier
- GMR (Goldwasser, Micali, Rackoff)
  - The knowledge complexity of interactive proof systems, Proc. of the 17th ACM Symp. on Theory of Computing, pp. 291-304, 1985
  - The knowledge complexity of interactive proof systems, SIAM J. on Computing, Vol. 18, pp. 186-208, 1989 (revised version)
- Fundamental Theorem (GMR): Zero-knowledge proofs exist for all languages in NP
Slide 33: Defining Zero-Knowledge
- How to formalize "Verifier learns nothing"?
- Simulation Paradigm (informally)
  - Require that anything that can be computed in poly-time by interacting with the prover can also be computed in poly-time without interacting with the prover.
  - That is, for every poly-time verifier V, there exists a poly-time simulator S s.t. the output of S(x) ≈ the output of V after interacting with P on x (the two are indistinguishable).
Slide 34: Proof of Knowledge (of discrete logarithm)
- A prover tries to prove that he knows a discrete logarithm x
[Figure: three-move protocol between Prover and Verifier: Commitment, Challenge, Response]
Slide 35: Proof of Knowledge (of discrete logarithm)
- Example: p = 23, g = 7, q = 22
- Key generation: x = 13, y = 20
- Prover proves that he knows x = 13 corresponding to y = 20 without revealing x
[Figure: Commitment, Challenge, Response exchange between Prover and Verifier for these parameters]
Slide 36: Proof of Equality of two discrete logarithms
- Prover tries to prove that two discrete logarithms are equal without revealing x
[Figure: Commitment, Challenge, Response exchange between Prover and Verifier]
Slide 37: Proof of Equality of two discrete logarithms
[Figure: Commitment, Challenge, Response exchange between Prover and Verifier]
Slide 38: Non-Interactive Zero-Knowledge Proof
- Non-interactive Zero-knowledge (NIZK) proofs using the Fiat-Shamir heuristic
[Figure: Prover and Verifier]
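The figures on slides 34 to 38 are missing from the text, so the added example below (not the lecture's code) runs the whole group of protocols with the slide-35 parameters p = 23, g = 7, q = 22, x = 13, y = 20: the Schnorr-style proof of knowledge of a discrete logarithm (which, run interactively, is also the Schnorr identification protocol of the last slide), the simulator that makes it zero-knowledge, the equality-of-discrete-logs proof of slides 36 and 37 with a second base h = 5 (a constructed choice), and the Fiat-Shamir transform of slide 38. The exact commitment/response equations are the standard Schnorr ones, an assumption of this example since the slides show only the figure labels.

```python
"""Discrete-log proofs of knowledge with the slide's toy parameters."""
import hashlib
import secrets

p, g, q = 23, 7, 22          # g generates Z_23^*, which has order q = 22
x, y = 13, pow(7, 13, 23)    # prover's secret x and public y = g^x mod p = 20

def commit(rng=secrets.randbelow):
    """Prover, Commitment: pick k in Z_q, send t = g^k mod p; keep k."""
    k = rng(q)
    return k, pow(g, k, p)

def respond(k: int, c: int) -> int:
    """Prover, Response to Challenge c: s = k + c*x mod q."""
    return (k + c * x) % q

def check(t: int, c: int, s: int, pub: int = None, base: int = g) -> bool:
    """Verifier: accept iff base^s == t * pub^c mod p (defaults to y and g)."""
    pub = y if pub is None else pub
    return pow(base, s, p) == t * pow(pub, c, p) % p

def interactive_proof(rounds: int = 10, rng=secrets.randbelow) -> bool:
    """Three-move protocol repeated `rounds` times (also Schnorr identification).
    A prover without x who guesses the challenge survives a round with probability 1/q."""
    for _ in range(rounds):
        k, t = commit(rng)
        c = rng(q)                                  # verifier's random challenge
        if not check(t, c, respond(k, c)):
            return False
    return True

def simulate(c: int, rng=secrets.randbelow):
    """Zero-knowledge: with no x at all, produce an accepting (t, c, s) for a chosen c
    by picking s first and solving t = g^s * y^(-c). Since transcripts can be made
    without x, seeing real transcripts teaches the verifier nothing about x."""
    s = rng(q)
    t = pow(g, s, p) * pow(pow(y, c, p), -1, p) % p
    return t, c, s

def equality_proof(h: int, rng=secrets.randbelow) -> bool:
    """Slides 36-37 (Chaum-Pedersen form): prove log_g(y1) == log_h(y2) without revealing x,
    using one commitment pair and one shared challenge."""
    y1, y2 = pow(g, x, p), pow(h, x, p)
    k = rng(q)
    t1, t2 = pow(g, k, p), pow(h, k, p)             # Commitment under both bases
    c = rng(q)                                      # Challenge
    s = (k + c * x) % q                             # Response, shared by both checks
    return check(t1, c, s, y1, g) and check(t2, c, s, y2, h)

def fs_challenge(t: int) -> int:
    """Fiat-Shamir: the challenge is a hash of the public values and the commitment,
    so the prover cannot choose t after seeing c."""
    return int.from_bytes(hashlib.sha256(f"{g}|{y}|{t}".encode()).digest(), "big") % q

def nizk_prove(rng=secrets.randbelow):
    """Slide 38: single message (t, s), no interaction needed."""
    k, t = commit(rng)
    return t, respond(k, fs_challenge(t))

def nizk_verify(proof) -> bool:
    t, s = proof
    return check(t, fs_challenge(t), s)
```

A worked round with k = 3 and c = 5: t = 7^3 mod 23 = 21, s = 3 + 5·13 mod 22 = 2, and the verifier finds 7^2 mod 23 = 3 = 21 · 20^5 mod 23. Note that q = 22 is composite here because the slide uses the full group; with a prime-order subgroup the same code applies unchanged.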
Slide 39: Identification, Authentication
Slide 40: Authentication
- Entity Authentication (Identification)
  - Over the communication network, one party, Alice, shows to another party, Bob, that she is the real Alice.
  - Authenticate an entity by presenting some identification information
  - Should be secure against various attacks
  - Through interactive protocols using secret information
- Message Authentication
  - Show that a message was generated by an entity
  - Using a digital signature or MAC
Slide 41: Approach for Identification
- Using Something Known
  - Password, PIN
- Using Something Possessed
  - IC card, Hardware token
- Using Something Inherent
  - Biometrics
Slide 42: Approach for Identification
Method                   | Examples                                              | Reliability | Security                      | Cost
What you remember (know) | Password, Telephone Reg.                              | M/L         | M (theft), L (impersonation)  | Cheap
What you have            | Registered Seal, Magnetic Card, IC Card               | M           | L (theft), M (impersonation)  | Reasonable
What you are             | Biometric (Fingerprint, Eye, DNA, Face, Voice, etc)   | H           | H (theft), H (impersonation)  | Expensive
(H = high, M = medium, L = low)
Slide 43: Approach for Identification
- Password-based scheme (weak authentication)
- crypt passwd under UNIX
- one-time password
- Challenge-Response scheme (strong authentication)
- Symmetric cryptosystem
- MAC (keyed-hash) function
- Asymmetric cryptosystem
- Using Cryptographic Protocols
- Fiat-Shamir identification protocol
- Schnorr identification protocol, etc
Slide 44: Identification by Password
- Static password: vulnerable to sniffing attack and replay attack
Slide 45: S/Key (One-Time Password System)
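Slide 45 names S/Key without showing the mechanism, and slide 44 states the two attacks on static passwords. The added example below (not the lecture's code and not the S/Key implementation) shows the hash-chain idea that answers both attacks: the server stores only h^n(seed), each login sends the previous link of the chain, and a sniffed one-time password neither replays (the server has moved on) nor yields the next password (h is one-way). SHA-256 stands in for the MD4/MD5 of the original S/Key, and the seed and chain length are constructed values.

```python
"""Hash-chain one-time passwords in the style of S/Key."""
import hashlib
import hmac

def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(seed: bytes, steps: int) -> bytes:
    """h^steps(seed): apply h `steps` times."""
    v = seed
    for _ in range(steps):
        v = h(v)
    return v

class Server:
    """Holds h^n(seed) and the counter n; never the seed or any unused OTP, so a
    stolen server database cannot be used to log in either."""
    def __init__(self, registered: bytes, n: int):
        self.last, self.n = registered, n

    def login(self, otp: bytes) -> bool:
        if self.n <= 1:                           # chain exhausted: re-registration required
            return False
        if not hmac.compare_digest(h(otp), self.last):
            return False                          # wrong link, or a replayed (already used) one
        self.last, self.n = otp, self.n - 1       # advance: this otp can never be accepted again
        return True

class Client:
    """Holds the seed and the current position in the chain."""
    def __init__(self, seed: bytes, n: int):
        self.seed, self.n = seed, n

    def register(self) -> bytes:
        """Value handed to the server once, over a trusted channel: h^n(seed)."""
        return chain(self.seed, self.n)

    def next_otp(self):
        """Next password h^(n-1)(seed); returns None once the chain is used up
        (the seed itself, h^0, is never sent)."""
        if self.n <= 1:
            return None
        self.n -= 1
        return chain(self.seed, self.n)
```

The replay resistance is what distinguishes this from a static password: after a successful login the server's stored value moves one step down the chain, so presenting the same value again fails the `h(otp) == last` check. In a real deployment the counter also has to be re-initialised before it runs out, as the check for `n <= 1` enforces.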
Slide 46: Schnorr Identification
[Figure: Commitment, Challenge, Response exchange between Prover and Verifier]