Introduction to Information Security Lecture 6: Other Cryptographic Primitives - PowerPoint PPT Presentation

Slides: 47
Provided by: caislabK

1
Introduction to Information Security Lecture 6
Other Cryptographic Primitives
2009. 7.

2
Contents
  1. Mode of Operation
  2. Blind Signatures
  3. Secret Sharing and Threshold Cryptography
  4. Zero-knowledge Proofs
  5. Identification, Authentication

3
Mode of Operation
4
Modes of Operation: ECB Mode
  • Electronic Code Book Mode
  • Break a message into a sequence of plaintext
    blocks
  • Each plaintext block is encrypted (or decrypted)
    independently
  • The same plaintext block always produces the
    same ciphertext block
  • May not be secure, e.g., for a highly structured
    message
  • Typically used for secure transmission of single
    values (e.g., an encryption key)

[Diagram: P1, P2, ..., Pn are each encrypted with E under key K to give C1, C2, ..., Cn; decryption applies D under K to each Ci independently to recover P1, P2, ..., Pn]
5
Modes of Operation: CBC Mode
  • Cipher Block Chaining Mode
  • Each ciphertext block is affected by previous
    blocks
  • No fixed relationship between the plaintext block
    and its input to the encryption function
  • The same plaintext block, if repeated, produces
    different ciphertext blocks
  • IV (Initializing Vector) must be known to both
    ends
  • Most widely used for block encryption

[Diagram: P1, P2, ..., Pn; each Pi is XORed with the previous ciphertext block (IV for the first block) and encrypted with E under K; decryption applies D under K and XORs with the previous ciphertext block]

Encryption:
  C1 = E_K(P1 ⊕ IV)
  C2 = E_K(P2 ⊕ C1)
  C3 = E_K(P3 ⊕ C2)
  C4 = E_K(P4 ⊕ C3)
Decryption:
  P1 = IV ⊕ D_K(C1)
  P2 = C1 ⊕ D_K(C2)
  P3 = C2 ⊕ D_K(C3)
  P4 = C3 ⊕ D_K(C4)
6
Modes of Operation: CFB Mode
  • Cipher Feedback Mode
  • A way of using a block cipher as a stream cipher
  • A shift register of block size maintains the
    current state of the cipher operation, initially
    set to some IV
  • The value of the shift register is encrypted
    using key K and the leftmost j bits of the
    output are XORed with the j-bit plaintext Pi to
    produce the j-bit ciphertext Ci
  • The value of the shift register is shifted left
    by j bits and Ci is fed back into the rightmost
    j bits of the shift register
  • Typically j = 8, 16, 32, 64
  • The decryption function D_K is never used

[Diagram: encryption and decryption both run E under K on the shift register (initialised with IV) and XOR the leftmost j bits with P1, P2, ..., Pn / C1, C2, ..., Cn; the ciphertext Ci is shifted into the register on both sides]
7
Modes of Operation: OFB Mode
  • Output Feedback Mode
  • The structure is similar to that of CFB, but
  • CFB: the ciphertext is fed back to the shift register
  • OFB: the output of E is fed back to the shift
    register
  • For security reasons, only the full feedback (j =
    block size) mode is used
  • No error propagation
  • More vulnerable to a message stream modification
    attack
  • May be useful for secure transmission over a noisy
    channel (e.g., satellite communication)

[Diagram: encryption and decryption both run E under K on the shift register (initialised with IV) and XOR the output with P1, P2, ..., Pn / C1, C2, ..., Cn; the output of E, not the ciphertext, is fed back into the register]
8
Modes of Operation: CTS Mode
  • Ciphertext Stealing Mode
  • Eliminates the padding requirement for block
    ciphers
  • The same as CBC mode, except for the
    encryption/decryption of the last two blocks
    (one complete block and the remaining partial
    block)
  • Adopted in H.235 as one of the operating modes for
    block ciphers

[Diagram: P1, ..., Pn-1 are CBC-encrypted as usual; the output X of the block for Pn-1 is XORed with the zero-padded partial block Pn and encrypted to give Cn, and only a truncated part of X is transmitted as Cn-1. Decryption of Cn-2, Cn, and the truncated X recovers Pn-1, X, and Pn]

H.235 covers security and encryption for H.323
and other H.245 based terminals. H.323 covers
multimedia communication on any packet network
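To make the CBC equations and the ciphertext-stealing variant above concrete, here is an added Python example (not from the slides). The 8-byte E/D pair is a constructed toy stand-in for E_K/D_K and is not a real cipher; only the mode logic around it is the point.

```python
# Added example: CBC and ciphertext stealing (CTS) over a toy block cipher.
# E/D are a constructed, insecure stand-in for E_K/D_K from the slides.
BLOCK = 8

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:
    """Toy cipher: XOR with the 8-byte key, then rotate the 64-bit word left 13 bits."""
    v = int.from_bytes(xor(block, key), "big")
    return (((v << 13) | (v >> 51)) & (2**64 - 1)).to_bytes(BLOCK, "big")

def D(key: bytes, block: bytes) -> bytes:
    v = int.from_bytes(block, "big")
    return xor((((v >> 13) | (v << 51)) & (2**64 - 1)).to_bytes(BLOCK, "big"), key)

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    out, prev = [], iv                                  # C_0 = IV
    for i in range(0, len(msg), BLOCK):
        prev = E(key, xor(msg[i:i + BLOCK], prev))      # C_i = E_K(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # P_i = C_{i-1} xor D_K(C_i)
    return b"".join(xor(D(key, c), p) for c, p in zip(blocks, [iv] + blocks))

def cts_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """CBC with ciphertext stealing: no padding, len(ct) == len(msg)."""
    n = len(msg) % BLOCK
    if n == 0:
        return cbc_encrypt(key, iv, msg)
    full = len(msg) - n
    head = cbc_encrypt(key, iv, msg[:full])             # C_1 .. C_{n-2}, X
    x = head[-BLOCK:]                                   # X = E_K(P_{n-1} xor C_{n-2})
    c_last = E(key, xor(msg[full:] + bytes(BLOCK - n), x))  # C_n = E_K((P_n || 0..0) xor X)
    return head[:-BLOCK] + c_last + x[:n]               # only the first n bytes of X are sent

def cts_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    n = len(ct) % BLOCK
    if n == 0:
        return cbc_decrypt(key, iv, ct)
    head, c_last, x_head = ct[:-n - BLOCK], ct[-n - BLOCK:-n], ct[-n:]
    d = D(key, c_last)                                  # = (P_n || 0..0) xor X
    x = x_head + d[n:]                                  # the zero padding exposes the tail of X
    prev = head[-BLOCK:] if head else iv
    return cbc_decrypt(key, iv, head) + xor(D(key, x), prev) + xor(d[:n], x_head)
```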
9
Cryptographic Protocols
10
Typical E-commerce Scenario
  • Combination of lots of computation /
    communication.
  • Must be fair to all participating entities

11
Cryptographic Protocols
  • Cryptographic algorithms
  • Algorithm executed by a single entity
  • Algorithms performing cryptographic functions
  • Encryption, hash, digital signature, etc.
  • Cryptographic protocols
  • Protocols executed between multiple entities
    through pre-defined steps of communication
    performing security-related functions
  • Perform more complicated functions than what the
    primitive algorithms can provide
  • Primitives: key agreement, secret sharing, blind
    signature, coin toss, secure multiparty
    computations, etc.
  • Complex application protocols: e-commerce,
    e-voting, e-auction, etc.

12
Cryptographic Protocols
  • Protocols
  • Designed to accomplish a task through a series of
    communication steps, involving two or more
    entities
  • Cryptographic Protocols
  • Protocols that use cryptography
  • Non-face-to-face interaction over an open network
  • Cannot trust other entities

13
Security Requirements in Protocols
  • Confidentiality
  • Integrity
  • Authentication
  • Non-repudiation
  • Correctness
  • Verifiability
  • Fairness
  • Anonymity
  • Privacy
  • Robustness
  • Efficiency
  • Etc

Combinations of these requirements according to
applications
14
Protocol Primitives
  • Coin Toss game over Communication Network
  • Two parties play coin toss game over the
    communication network
  • Can it be made fair?
  • Blind Signatures
  • Signer signs a document without knowledge of the
    document and the resulting signature
  • Message and the resulting signature are hidden
    from the signer
  • Many applications which require anonymity or
    privacy
  • Digital cash, e-voting
  • Key Agreements
  • Two or more parties agree on a secret key over
    communication network in such a way that both
    influence the outcome.
  • Do not require any trusted third party (TTP)

15
Protocol Primitives
  • Secret Sharing
  • Distribute a secret amongst a group of
    participants
  • Each participant is allocated a share of the
    secret
  • Secret can be reconstructed only when the shares
    are combined together
  • Individual shares are of no use on their own.
  • Threshold Cryptography
  • A message is encrypted using a public key and the
    corresponding private key is shared among
    multiple parties.
  • In order to decrypt a ciphertext, a number of
    parties exceeding a threshold is required to
    cooperate in the decryption protocol.

16
Protocol Primitives
  • Zero-knowledge Proofs
  • An interactive method for one party to prove to
    another that a (usually mathematical) statement
    is true, without revealing anything other than
    the validity of the statement.
  • Identification, Authentication
  • Over the communication network, one party, Alice,
    shows to another party, Bob, that she is the real
    Alice.
  • Allows one party, Alice, to prove to another
    party, Bob, that she possesses secret information
    without revealing to Bob what that secret
    information is.

17
Application Protocols
  • Electronic Commerce
  • SET (Secure Electronic Transaction): credit
    card transaction
  • Digital cash, micropayment, e-check, e-money
  • e-auction
  • e-banking
  • e-government
  • e-voting
  • Fair exchange of digital signature (for contract
    signing)
  • Application Scenarios
  • Traditional applications transfer to electronic
    versions
  • New applications appear with the help of crypto

18
Blind Signatures
19
Blind Signature
Signing without seeing the message
  - We should not reveal the content of the letter to the
    signer.
  - For example, using a carbon-enveloped message:
    1) Send a carbon-enveloped message
    2) Sign on the envelope
    3) Take off the envelope and get the signed
       message
20
Motivation of Blind Signature
  • One interesting question of public key
    cryptosystems is whether we can use digital
    signatures to create some form of digital
    currency. The scenario is described as follows
  • A bank publishes its public key.
  • When one of its customers makes a withdrawal from
    their account, the bank provides them with a
    digitally signed note that specifies the amount
    withdrawn.
  • The customer can present it to a merchant, who
    can then verify the bank's signature.
  • Upon completing a transaction, the vendor can
    then remit the note to the bank, which will then
    credit the vendor the amount specified in the
    note.
  • This note is, in effect, a digital monetary
    instrument; we call it Electronic Cash or
    E-Cash.
  • Privacy issue of digital cash?
  • The bank can easily trace a cash note to a specific
    user.

21
E-Cash Scenario
[Diagram: the Bank publishes its Public Key; the Customer sends a Withdrawal Request and receives issued E-cash; the Customer makes a Payment to the Shop; the Shop makes a Deposit of the e-cash at the Bank]
22
David Chaum's Blind Signature
  • David Chaum proposed a very elegant solution to
    this problem, known as the blind signature.

He is also known as the father of E-cash
23
Blind Signature
  • Blind signature scheme is a protocol that allows
    the provider to obtain a valid signature for a
    message m from the signer without him seeing the
    message and its signature.
  • If the signer sees message m and its signature
    later, he can verify that the signature is
    genuine, but he is unable to link the
    message-signature pair to the particular instance
    of the signing protocol which has led to this
    pair.
  • Many applications
  • Useful when values need to be certified, yet
    anonymity should be preserved
  • e-cash, e-voting

24
Blind Signature
  • Protocol Steps
  • Alice takes the document and uses a blinding
    factor to blind the document. (Blinding Phase)
  • Alice sends the blinded document to Bob and Bob
    signs the blinded document. (Signing Phase)
  • Alice can remove the blinding factor and obtain
    the signature on the original document.
    (Unblinding Phase)

25
RSA-based Blind Signature
Parties: User, Signer. Goal: get a signature for a message m.
(1) Blinding (User):
    r ∈R Z_N*, m' = H(m) · r^e mod N
    User sends m' to the Signer
(2) Signing (Signer):
    s' = m'^d mod N
    Signer sends s' to the User
(3) Unblinding (User):
    s = s' · r^(-1) mod N
    s = s' · r^(-1) mod N = (H(m) · r^e)^d · r^(-1) mod N = H(m)^d mod N
s is a valid signature of the signer. The signer
cannot have any information on m and s.
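The three RSA blind-signature steps above, worked through as an added Python example (not from the slides). The key N = 61 · 53 with e = 17, d = 2753 is a constructed textbook-size toy, and H(m) is SHA-256 reduced mod N; real deployments use full-size keys and a proper hash-to-Z_N encoding.

```python
import hashlib
import secrets
from math import gcd

# Added example of the RSA blind signature. Toy key constructed for illustration
# (N = 61 * 53, e*d = 1 mod lcm(60, 52)); real keys are thousands of bits.
N, e, d = 3233, 17, 2753


def H(m: bytes) -> int:
    """Hash-to-Z_N; with a toy N the SHA-256 digest is simply reduced mod N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def pick_blinding_factor() -> int:
    """r chosen at random from Z_N^* (it must be invertible mod N)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(m: bytes, r: int) -> int:
    """(1) User: m' = H(m) * r^e mod N. Only m' is sent to the signer."""
    return (H(m) * pow(r, e, N)) % N


def sign_blinded(m_blind: int) -> int:
    """(2) Signer: s' = m'^d mod N, computed without ever seeing m."""
    return pow(m_blind, d, N)


def unblind(s_blind: int, r: int) -> int:
    """(3) User: s = s' * r^{-1} mod N = (H(m) r^e)^d r^{-1} = H(m)^d mod N."""
    return (s_blind * pow(r, -1, N)) % N


def verify(m: bytes, s: int) -> bool:
    """Ordinary RSA verification: s^e == H(m) mod N."""
    return pow(s, e, N) == H(m)


def blind_sign(m: bytes) -> int:
    """Whole protocol run by the user side, with the signer as a black box."""
    r = pick_blinding_factor()
    return unblind(sign_blinded(blind(m, r)), r)
```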
26
Schnorr-based Blind Signature
[Diagram: User and Signer exchange (1) Challenge: r; (2) Blinding: e; (3) Signing: s; (4) Unblinding]
(r, s) is a signature on the message m, with both the
signature and m unknown to the signer
27
Zero-Knowledge Proofs
28
Interactive Proof Systems
[Diagram: Verifier and Prover]
  • The verifier is curious about the prover's knowledge.
  • He asks difficult questions, such that the
    secret must be used to answer them.
  • Should be random questions
  • The prover knows some secret (precious) information.
  • Wants to prove that he knows it, but does not want
    to reveal it.

The verifier's strategy is a probabilistic
polynomial-time (PPT) procedure.
29
Ali Baba's Cave
  • Alice wants to prove to Bob that she knows how to
    open the secret door between A and B, but will
    not reveal the secret itself.
  • Procedure
  • Alice and Bob go to the cave
  • Alice goes to A or B randomly (Bob cannot see)
  • Bob tells Alice to come out from A or B
  • If Alice knows the secret, she can appear from
    the correct side of the cave every time
  • Bob repeats as many times as needed until he believes
    Alice knows the secret to open the secret door
  • How about Trudy? Can Trudy convince Bob without
    knowing the secret?

30
Interactive Proof Protocol
[Diagram: P (Prover) and V (Verifier) each hold the Common Inputs; P sends a Commitment, V replies with a Challenge, P answers with a Response; this repeats for t rounds]
  • Prover and verifier share common inputs
    (functions or values)
  • The protocol yields Accept if every Response is
    accepted by the Verifier
  • Otherwise, the protocol yields Reject

31
Requirements of Interactive Proofs
  • Completeness
  • If the statement is true, the honest verifier
    will be convinced of this fact by an honest
    prover.
  • Prob[(P,V)(x) = Accept | x ∈ L] ≥ ε, where ε ∈ (½, 1]
  • Soundness
  • If the statement is false, no cheating prover can
    convince the honest verifier that it is true,
    except with some small probability.
  • Prob[(P,V)(x) = Accept | x ∉ L] ≤ δ, where δ ∈ [0, ½)

32
Zero-Knowledge Proofs
  • Instances of interactive proofs with the
    following properties
  • Completeness: true theorems are provable
  • Soundness: false theorems are not provable
  • Zero-Knowledge: no information about the
    prover's private input (secret) is revealed to
    the verifier
  • GMR (Goldwasser, Micali, Rackoff)
  • The knowledge complexity of interactive-proof
    systems, Proc. of the 17th ACM Symposium on Theory of
    Computing, pp. 291-304, 1985
  • The knowledge complexity of interactive-proof
    systems, SIAM J. on Computing, Vol. 18,
    pp. 186-208, 1989 (revised version)
  • Fundamental Theorem (GMR)
  • Zero-knowledge proofs exist for all
    languages in NP

33
Defining Zero-Knowledge
  • How to formalize "the verifier learns nothing"?
  • Simulation Paradigm (informally)
  • Require that anything that can be computed in
    poly-time by interacting with the prover can also be
    computed in poly-time without interacting with
    the prover.
  • That is, for every poly-time verifier V, there
    exists a poly-time simulator S s.t.
  • output of S(x) ≈ output of V after
    interacting with P on x (the two output
    distributions are indistinguishable).

34
Proof of Knowledge (of discrete logarithm)
  • A prover tries to prove that he knows a discrete
    logarithm x

[Diagram: Prover → Verifier: Commitment; Verifier → Prover: Challenge; Prover → Verifier: Response]
35
Proof of Knowledge (of discrete logarithm)
  • Example: p = 23, g = 7, q = 22
  • Key generation: x = 13, y = 20 (y = g^x mod p)
  • Prover proves that he knows the x = 13 corresponding to
    y = 20 without revealing x

[Diagram: Prover → Verifier: Commitment; Verifier → Prover: Challenge; Prover → Verifier: Response, worked with the values above]
36
Proof of Equality of two discrete logarithms
  • Prover tries to prove that two discrete
    logarithms are equal without revealing x

[Diagram: Prover → Verifier: Commitment; Verifier → Prover: Challenge; Prover → Verifier: Response]
37
Proof of Equality of two discrete logarithms
[Diagram: worked instance of the same Commitment / Challenge / Response exchange between Prover and Verifier]
38
Non-Interactive Zero-Knowledge Proof
  • Non-interactive Zero-knowledge (NIZK) proofs
    using the Fiat-Shamir Heuristic

[Diagram: Prover sends a single message to the Verifier; the challenge is derived by hashing rather than chosen by the Verifier]
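The discrete-log proof of knowledge of slides 34-35 (which is also the Schnorr identification exchange of slide 46) and its Fiat-Shamir non-interactive form from slide 38, as an added Python example that is not the slides' own code. It uses the slide's parameters p = 23, g = 7, q = 22, x = 13, y = 20; the commitment/response formulas t = g^k, s = k + c·x mod q and the check g^s = t·y^c mod p are the standard Schnorr protocol, and the simulator at the end shows why a transcript reveals nothing about x.

```python
import hashlib
import secrets
# Added example: DL proof of knowledge with the slide-35 parameters, plus its
# Fiat-Shamir (non-interactive) form. Toy group; p = 23 is far too small for real use.
p, g, q = 23, 7, 22         # g = 7 generates a subgroup of order q = 22 in Z_23^*
x = 13                      # prover's secret
y = pow(g, x, p)            # public value, equals 20

def commit(k: int) -> int:
    """Prover, commitment: t = g^k mod p for a fresh random k."""
    return pow(g, k, p)

def respond(k: int, c: int, secret: int = x) -> int:
    """Prover, response: s = k + c*x mod q."""
    return (k + c * secret) % q

def check(t: int, c: int, s: int) -> bool:
    """Verifier: accept iff g^s == t * y^c mod p."""
    return pow(g, s, p) == (t * pow(y, c, p)) % p

def interactive_proof(rounds: int = 10, secret: int = x) -> bool:
    """Interactive protocol (slides 35/46), repeated to shrink a cheater's odds."""
    for _ in range(rounds):
        k = secrets.randbelow(q)
        t = commit(k)
        c = secrets.randbelow(q)            # verifier's random challenge
        if not check(t, c, respond(k, c, secret)):
            return False
    return True

def fs_challenge(t: int, msg: bytes) -> int:
    """Fiat-Shamir: the challenge is a hash of the public data and the commitment."""
    digest = hashlib.sha256(f"{p}|{g}|{y}|{t}|".encode() + msg).digest()
    return int.from_bytes(digest, "big") % q

def nizk_prove(msg: bytes = b"") -> tuple:
    """Non-interactive proof (slide 38): (t, s) can be checked by anyone, offline."""
    k = secrets.randbelow(q)
    t = commit(k)
    return t, respond(k, fs_challenge(t, msg))

def nizk_verify(t: int, s: int, msg: bytes = b"") -> bool:
    return check(t, fs_challenge(t, msg), s)

def simulate(c: int) -> tuple:
    """Zero-knowledge: without x, pick s first and solve for t = g^s * y^(-c) mod p."""
    s = secrets.randbelow(q)
    t = (pow(g, s, p) * pow(pow(y, c, p), -1, p)) % p
    return t, c, s
```

Simulated transcripts from simulate() pass check() and are distributed like honest ones, which is the simulation paradigm of slide 33 in miniature.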
39
Identification, Authentication
40
Authentication
  • Entity Authentication (Identification)
  • Over the communication network, one party, Alice,
    shows to another party, Bob, that she is the real
    Alice.
  • Authenticate an entity by presenting some
    identification information
  • Should be secure against various attacks
  • Through interactive protocols using secret
    information
  • Message Authentication
  • Show that a message was generated by an entity
  • Using a digital signature or MAC

41
Approach for Identification
  • Using Something Known
  • Password, PIN
  • Using Something Possessed
  • IC card, Hardware token
  • Using Something Inherent
  • Biometrics

42
Approach for Identification
Method                   | Examples                                             | Reliability | Security                      | Cost
What you remember (know) | Password, Telephone Reg.                             | M/L         | M (theft), L (impersonation)  | Cheap
What you have            | Registered Seal, Magnetic Card, IC Card              | M           | L (theft), M (impersonation)  | Reasonable
What you are             | Biometric (Fingerprint, Eye, DNA, Face, Voice, etc.) | H           | H (theft), H (impersonation)  | Expensive
43
Approach for Identification
  • Password-based scheme (weak authentication)
  • crypt passwd under UNIX
  • one-time password
  • Challenge-Response scheme (strong authentication)
  • Symmetric cryptosystem
  • MAC (keyed-hash) function
  • Asymmetric cryptosystem
  • Using Cryptographic Protocols
  • Fiat-Shamir identification protocol
  • Schnorr identification protocol, etc

44
Identification by Password
Static password: vulnerable to sniffing attack and replay attack
45
S/Key (One-Time Password System)
46
Schnorr Identification
[Diagram: Prover → Verifier: Commitment; Verifier → Prover: Challenge; Prover → Verifier: Response]