CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 3 Key Exchange, CDH, DDH Helger Lipmaa University of Tartu, Estonia
May 17, 2022

Page 1: Helger Lipmaa University of Tartu, Estonia

CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 3

Key Exchange, CDH, DDH

Helger Lipmaa University of Tartu, Estonia

Page 2

UP TO NOW

Basic intro

Basic algebra

Exponentiation

Assumptions

Algebra + assumptions: DL

How to define assumptions (DL)

Page 3

WHAT CAN BE DONE WITH DL?

First idea:

let s←ℤq be secret key and h=gˢ be public key

computation of s from h is infeasible

Use the keys to "encrypt", "sign", etc

This lecture: more details

Page 4

KEY EXCHANGE

I want to send secret information to Bob, but he is in Jamaica

Let us agree on a joint secret key for further communication

Page 5

KEY EXCHANGE

Alice holds (skₐ, pkₐ), Bob holds (skb, pkb): asymmetric, public keys

Alice sends pkₐ to Bob, Bob sends pkb to Alice

Alice computes sk = SK(skₐ, pkb), Bob computes sk = SK(skb, pkₐ); both obtain the same sk: symmetric, shared key

Page 6

KEY EXCHANGE WITH DL

Alice: s, h←gˢ; Bob: t, f←gᵗ

Alice sends h to Bob, Bob sends f to Alice

sk = SK(s, f) = SK(t, h)

Page 7

QUIZ

SK (t, gˢ) = sk = SK (s, gᵗ)

What could SK be?

Hint: we are working in a group

Use commutativity + efficient operations

Answer: SK (s, h) = hˢ

SK (t, gˢ) = gˢᵗ = gᵗˢ = SK (s, gᵗ)

Page 8

DIFFIE-HELLMAN KEY EXCHANGE

Alice: s, h←gˢ; Bob: t, f←gᵗ

Alice sends h to Bob, Bob sends f to Alice

Alice: sk = gˢᵗ; Bob: sk = gˢᵗ; the same sk on both sides

Page 9

DHKE: FORMALLY

Alice: s, h←gˢ; Bob: t, f←gᵗ

Alice sends h, Bob sends f; both compute sk = gˢᵗ

DHKE.Setup(κ):

1. Choose a group G of order q where breaking DL has complexity 2^κ

2. Choose a generator g of G

3. Return gk ← desc(G) = (..., q, g)

DHKE.Keygen(gk):

1. sk = s ← ℤq

2. pk ← gˢ

3. Return (sk, pk)

DHKE.SK(gk, s, h):

1. Return hˢ

Page 10

QUIZ: IS DHKE SECURE?

Correct question:

is DHKE what-secure under X assumption

Three tasks:

1. Formalize security of KE

2. Decide on X

3. Provide a proof by reduction (X holds => DHKE what-secure)

Page 11

SECURITY DEF: FIRST TRY

We already saw some issues in the last lecture

...so we won't concentrate on the same issues

Random key, probabilistic algorithms, ...

Page 12

DHKE: INTUITIVE SECURITY

Alice: s, h←gˢ; Bob: t, f←gᵗ

Alice sends h, Bob sends f; both compute sk = gˢᵗ

Eve sees h and f: what can she learn about sk?

Page 13

KEY RECOVERY SECURITY

Three algorithms KE = (Setup, Keygen, SK)

Adv[KR] := | Pr[KR = 1] - 1 / q |

A ε-breaks KR (key recovery) security of KE iff Adv[KR] ≥ ε

KE is (τ,ε)-KR secure iff no adversary ε-breaks KR security of KE in time ≤ τ

KE is KR secure iff it is (poly(κ),negl(κ))-KR secure

Game KR(κ,KE,A)

gk ← Setup(κ)

(skₐ, pkₐ) ← Keygen(gk)

(skb, pkb) ← Keygen(gk)

sk* ← A(gk, pkₐ, pkb)

If sk* = SK(gk, skₐ, pkb) return 1 else return 0

Page 14

SECURITY REDUCTION?

We would like to prove that DHKE is KR secure

by reducing KR-security to DL assumption

Unfortunately not known how to do it

(diagram: a DL solver maps gˢ ↦ s and gᵗ ↦ t, after which SK gives gˢᵗ; the arrow from a key-recovery adversary back to a DL solver is marked "?")

Page 15

NEW ASSUMPTION: CDH

DHKE was proposed together with the idea of public-key cryptography by Diffie and Hellman in 1976

No success in breaking it in any reasonable group where DL is hard

Seems logical: introduce a tautological assumption

CDH: Computational Diffie-Hellman

"key recovery attack against DHKE is hard"

Page 16

DEF: CDH ASSUMPTION

Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)

Assume (for simplicity) that for any κ, Setup picks exactly one group G = G(κ)

Adv[CDH] := | Pr[CDH = 1] - 1 / q |

A ε-breaks CDH in group G iff Adv[CDH] ≥ ε

G is (τ,ε)-CDH group iff no adversary ε-breaks CDH in G in time ≤ τ

G is CDH group iff it is (poly(κ),negl(κ))-CDH group

Game CDH(G,A)

gk ← Setup(κ)

(skₐ, pkₐ) ← Keygen(gk)

(skb, pkb) ← Keygen(gk)

sk* ← A(gk, pkₐ, pkb)

If sk* = SK(gk, skₐ, pkb) return 1 else return 0

Page 17

REMARKS

Clearly, CDH holds in a group iff DHKE is KR secure in the same group

τ = τ (κ) and ε = ε (κ) are functions of κ

Page 18

QUIZ: CDH VS DL

Does CDH hard imply DL hard? Does DL hard imply CDH hard?

Page 19

QUIZ: CDH VS DL

CDH hard => DL hard? Answer: yes

DL hard => CDH hard? Answer: depends

some contrived groups where DL holds but not CDH, ...

Page 20

PROOF: CDH => DL

Theorem. If G is a (τ + small, (1 - 1 / q) ε + (1 - 1 / q) / q)-CDH group, then it is also a (τ, ε)-DL group.

Proof idea. Reduction to absurd: we show that if DL is easy in G, then CDH must also be easy in G.

DL is easy => there exists an adversary D that breaks DL

We show CDH is easy by constructing an adversary C that breaks CDH

C can use help from adversary D, by sending inputs to D and receiving outputs

Typical reduction

Page 21

INTUITIVE PROOF

Assume D can break DL

given gˢ, outputs s with probability ε

Construct adversary C that breaks CDH

given gˢ, gᵗ, call D to compute s ← D (gˢ)

return (gᵗ)ˢ = gˢᵗ

But what is the success probability of C?

Page 22

SECURITY GAMES

A challenger generates values from some fixed "valid" distributions and sends them to the adversary (C in the CDH game, D in the DL game)

After some computation, the adversary returns some value to the challenger

Depending on the input and the output, the challenger declares the adversary to be either successful or not

CDH game: need to construct C. DL game: D is given

This is the only thing we know...

Page 23

SECURITY REDUCTION

The CDH challenger generates values from the fixed "valid" CDH distribution and sends them to C; the DL challenger does the same for D

After some computation, C returns some value to the CDH challenger, and D returns some value to the DL challenger

Depending on the input and the output, the challenger declares C to be either successful or not

CDH game: need to construct C. DL game: D is given

(diagram: C is placed between the CDH challenger and D)

Page 24

REDUCTION: CDH => DL

Challenger (exists; correct distribution for CDH): s, t ← ℤq; h ← gˢ; f ← gᵗ; send (desc(G), h, f) to C

C (need to construct): remove 1 elem. and send (desc(G), h) to D (correct distribution for DL); receive m

D (exists): ... ; /* compute m */; return m to C

C: if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq

Challenger: if sk* = gˢᵗ return 1 else return 0

Page 25

REDUCTION: CDH => DL

Challenger: s, t ← ℤq; h ← gˢ; f ← gᵗ; send (desc(G), h, f) to C

C: remove 1 elem. and send (desc(G), h) to D; receive m

D: ... ; /* compute m */

C: if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq

Challenger: if sk* = gˢᵗ return 1 else return 0

Assume D works in time τ and is successful with prob. ε + 1/q

If D is successful then C is successful and takes time τ* = τ + small

If D is unsuccessful then C is successful with prob. 1/q, and takes time τ*

Page 26

REMINDER: PROBABILITY

Let A, B be two events

Pr [A] - probability that A holds

Pr [¬ A] - probability that A does not hold

Pr [A | B] - conditional probability

probability that A holds given that B holds

Then Pr [A] = Pr [A | B] · Pr [B] + Pr [A | ¬B] · Pr [¬B]

Page 27

REDUCTION: CDH => DL

Challenger: s, t ← ℤq; h ← gˢ; f ← gᵗ; send (desc(G), h, f) to C

C: remove 1 elem. and send (desc(G), h) to D; receive m

D: ... ; /* compute m */

C: if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq

Challenger: if sk* = gˢᵗ return 1 else return 0

Assume D works in time τ and is successful with prob. ε + 1/q

If D is successful then C is successful and takes time τ* = τ + small

If D is unsuccessful then C is successful with prob. 1/q, and takes time τ*

Pr[C successful] = Pr[C successful | D successful] · Pr[D successful] + Pr[C successful | ¬D successful] · Pr[¬D successful]

= 1 · (ε + 1/q) + (1/q) · (1 − (ε + 1/q))

= (1 − 1/q) ε + (1 − 1/q)/q + 1/q

=: ε* + 1/q

Page 28

REDUCTION: CDH => DL

Challenger: s, t ← ℤq; h ← gˢ; f ← gᵗ; send (desc(G), h, f) to C

C: remove 1 elem. and send (desc(G), h) to D; receive m

D: ... ; /* compute m */

C: if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq

Challenger: if sk* = gˢᵗ return 1 else return 0

Assume D works in time τ and is successful with prob. ε + 1/q

If D is successful then C is successful and takes time τ* = τ + small

If D is unsuccessful then C is successful with prob. 1/q, and takes time τ*

Pr[C successful] = ε* + 1/q

Thus, if G is a (τ*, ε*)-CDH group then it is a (τ, ε)-DL group
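The reduction C from the slides above, as an added example that is not code from the lecture: C is built from a DL adversary D exactly as in the pseudocode (drop f, ask D for m, check h = gᵐ, answer fᵐ or a random element), and its success probability is computed exactly by enumerating every s, t and every random guess in a constructed toy group (the order-11 subgroup of ℤ₂₃*), then compared with the slides' formula 1 · Pr[D succ] + (1/q) · (1 − Pr[D succ]). The "partial" DL solver and all names are assumptions.

```python
import random
from fractions import Fraction

# Constructed toy group (not from the slides): the order-11 subgroup of Z_23^*,
# generated by 2, so desc(G) = (P, Q, G).
P, Q, G = 23, 11, 2

def reduction_c(D, h, f, guess=None):
    """Adversary C against CDH built from a DL adversary D (slides 24-28).

    C drops f from its CDH challenge, hands (desc(G), h) to D and checks the
    answer m: if g^m = h it returns f^m = g^(tm) = g^(st); otherwise it returns
    a random group element (passed in as `guess` so the caller can enumerate)."""
    m = D(h)
    if pow(G, m, P) == h:
        return pow(f, m, P)
    if guess is None:
        guess = pow(G, random.randrange(Q), P)
    return guess

def partial_dl_solver(known):
    """A DL adversary that only knows the logs of g^s for s in `known`
    (it succeeds with probability len(known)/q when 0 is in `known`)
    and answers 0 for every other h."""
    table = {pow(G, s, P): s for s in known}
    return lambda h: table.get(h, 0)

def exact_success(D):
    """Pr[C successful], exact over all s, t in Z_q and all random guesses."""
    hits = 0
    for s in range(Q):
        h = pow(G, s, P)
        for t in range(Q):
            f, target = pow(G, t, P), pow(G, s * t, P)
            for u in range(Q):
                hits += reduction_c(D, h, f, pow(G, u, P)) == target
    return Fraction(hits, Q ** 3)

def predicted_success(known_count):
    """The slides' formula with Pr[D succ] = known_count/q:
    1 * Pr[D succ] + (1/q) * (1 - Pr[D succ])."""
    pr_d = Fraction(known_count, Q)
    return pr_d + Fraction(1, Q) * (1 - pr_d)
```

With a D that knows 4 of the 11 logs, both functions give 51/121, i.e. ε* + 1/q for ε = 4/11 − 1/q.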

Page 29

QUIZ: ARE WE DONE?

If not, why not?

Is the achieved security sufficient?

Answer:

The fact that sk is unknown is not sufficient

Adversary should have no information about sk

Page 30

DHKE IN WILD WORLD

Alice: s, h←gˢ; Bob: t, f←gᵗ

Alice sends h, Bob sends f; both compute sk = gˢᵗ

One-time pad: Alice sends c = m XOR sk

Any information about sk leaks information about m

Page 31

DHKE: IND SECURITY

Alice: s, h←gˢ; Bob: t, f←gᵗ

Alice sends h, Bob sends f; both compute sk = gˢᵗ

Eve is given sk*: is it sk or garbage?

Intuition: if Eve has any information about sk, she should be able to distinguish real sk from random

Page 32

IND(ISTINGUISHABILITY) SECURITY

KE = (Setup, Keygen, SK)

Adv[IND] := | Pr[IND = 1] - 1 / 2 |

A ε-breaks IND security of KE iff Adv[IND] ≥ ε

KE is (τ,ε)-IND secure iff no adversary ε-breaks IND security of KE in time ≤ τ

KE is IND secure iff it is (poly(κ),negl(κ))-IND secure

Game IND(κ,KE,A)

gk ← Setup(κ)

(skₐ, pkₐ) ← Keygen(gk)

(skb, pkb) ← Keygen(gk)

sk₀ ← SK(gk, skₐ, pkb)

sk₁ ← G

e ← {0, 1}

e* ← A(gk, pkₐ, pkb, skₑ)

Return e = e* ? 1 : 0

Page 33

SECURITY REDUCTION?

We would like to prove that DHKE is IND secure

by reducing IND security to CDH assumption

Not possible

well-known groups where CDH holds but DHKE is not IND secure

Page 34

DDH

We introduce again a tautological assumption, DDH

Decisional Diffie-Hellman, known since 70s => good

...in many groups

DDH is extremely useful in many protocols

Well-known groups where DDH does not hold

pairing-based groups: CDH conjectured to be hard, but DDH trivially breakable

interestingly, p-b groups are also extremely useful

Page 35

DEF: DDH SECURITY

Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)

Assume that for any κ, Setup picks exactly one group G = G(κ)

Adv[DDH] := | Pr[DDH = 1] - 1 / 2 |

A ε-breaks DDH in G iff Adv[DDH] ≥ ε

G is a (τ,ε)-DDH group iff no PPT adversary A ε-breaks DDH in G in time ≤ τ

G is a DDH group iff it is (poly(κ),negl(κ))-DDH group

Game DDH(G,A)

gk ← Setup(κ)

(skₐ, pkₐ) ← Keygen(gk)

(skb, pkb) ← Keygen(gk)

sk₀ ← SK(gk, skₐ, pkb)

sk₁ ← G

e ← {0, 1}

e* ← A(gk, pkₐ, pkb, skₑ)

Return e = e* ? 1 : 0

Page 36

DDH: SHORT FORM

Fix a cyclic group G and its generator g

Adversary has to distinguish between

(g, gˢ, gᵗ, gˢᵗ) -- DDH tuple

(g, gˢ, gᵗ, gᵐ) -- random tuple

where s, t, m are random
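The two distributions above, as an added example that is not code from the lecture: a distinguisher that tells DDH tuples from random tuples in a constructed toy group where DDH fails, with its Adv[DDH] = |Pr[DDH = 1] − 1/2| computed exactly over every exponent. The slides' own example of such groups is pairing-based groups; this example goes beyond that to a second well-known case, the full multiplicative group ℤ₂₃* (generator 5, order 22), where Euler's criterion reveals whether an exponent is even, and then shows that the same test has advantage 0 in the prime-order subgroup (generator 2, order 11), which is why Setup should choose a prime-order group. The primes, generators and function names are assumptions.

```python
from fractions import Fraction

# Constructed toy parameters (not from the slides): p = 23 = 2*11 + 1 is a safe
# prime. 5 generates all of Z_23^* (order 22); 2 generates its subgroup of
# prime order 11.
P = 23

def is_square(x, p):
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) = 1."""
    return pow(x, (p - 1) // 2, p) == 1

def qr_distinguisher(X, Y, Z, p):
    """Say 'DDH tuple' (True) iff Z is a square exactly when g^(st) would be.

    For a generator g of the full group, g^s is a square iff s is even, so
    g^(st) is a square iff s or t is even, i.e. iff X or Y is a square."""
    return is_square(Z, p) == (is_square(X, p) or is_square(Y, p))

def ddh_advantage(g, order, p):
    """Exact Adv[DDH] of qr_distinguisher in the group generated by g."""
    says_real_on_real = 0
    says_real_on_random = 0
    for s in range(order):
        X = pow(g, s, p)
        for t in range(order):
            Y = pow(g, t, p)
            says_real_on_real += qr_distinguisher(X, Y, pow(g, s * t, p), p)
            for m in range(order):
                says_real_on_random += qr_distinguisher(X, Y, pow(g, m, p), p)
    pr_real = Fraction(says_real_on_real, order ** 2)
    pr_random = Fraction(says_real_on_random, order ** 3)
    # The game picks real or random with probability 1/2 each, so
    # Pr[DDH = 1] = 1/2 * pr_real + 1/2 * (1 - pr_random) and
    # Adv[DDH] = |Pr[DDH = 1] - 1/2| = |pr_real - pr_random| / 2
    return abs(pr_real - pr_random) / 2

if __name__ == "__main__":
    print("full group Z_23^*:", ddh_advantage(5, 22, P))   # 1/4
    print("order-11 subgroup:", ddh_advantage(2, 11, P))   # 0
```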

Page 37

DDH VS IND SECURITY

Clearly, a group is a DDH group iff DHKE is IND secure in the same group

τ = τ (κ) and ε = ε (κ) are functions of κ

Page 38

PROOF: DDH => CDH

Theorem. If G is a (≈τ, ≈ε)-DDH group, then it is also a (τ, ε)-CDH group.

Proof idea. Reduction to absurd: we show that if CDH is easy in G, then DDH must also be easy in G.

CDH is easy => there exists an adversary D that breaks CDH

We show DDH is easy by constructing an adversary C that breaks DDH

C can use help from adversary D, by sending inputs to D and receiving outputs

Home exercise: very similar to the previous proof. Finish it! Find the parameters

Page 39

BEYOND IND: SEMIHONEST VS MALICIOUS

Actual security requirements even more stringent

KR, IND security only demonstrate basic concepts

We assumed Eve is semihonest

Eavesdrops but does not change messages

Malicious Eve: can change, inject, delete messages

Alice and Bob need to authenticate each other

"Authenticated Diffie-Hellman"

Crucial notions

Security of various protocols against

malicious adversaries: second half of the course

Page 40

WHAT NEXT?

DDH is a very versatile assumption

One can construct many useful protocols from it

(diagram: DDH at the root, with encryption, signatures, e-voting, CPIR, e-cash, ... built on top of it)

Page 41

WHAT NEXT?

Since many protocols are based on homomorphic encryption, the next lecture is about homomorphic encryption

More precisely: Elgamal encryption

Page 42

STUDY OUTCOMES

Key exchange

DHKE in particular

KR security and CDH

IND security and DDH

Reductions: how to do