Introduction to Cybersecurity Cryptography (Part 4) · 2017-01-06
CISPA
Center for IT Security, Privacy and Accountability
Introduction to Cybersecurity: Cryptography (Part 4)
Review of Last Lecture
Blockciphers
• Review of DES
• Attacks on Blockciphers
• Advanced Encryption Standard (AES)
• Modes of Operation
MACs and Hashes
• Message Authentication Codes
• Hash Functions
• Compression Functions
• Merkle-Damgård Construction
• MACs from Hashes
Introduction to Cybersecurity 2016/17
Review: Attack by Meet-in-the-Middle
Figure: m → E(K1, ·) → E(K2, ·) → c
DE((K1, K2), m) := E(K2, E(K1, m))
Attack by “meet-in-the-middle”
Review: Modes of Operation
Cipher Block Chaining (CBC)
Encryption: c1 = E(K, m1 ⊕ IV), c2 = E(K, m2 ⊕ c1), …, i.e. c_i = E(K, m_i ⊕ c_{i−1}) with c_0 = IV
Decryption: m1 = D(K, c1) ⊕ IV, m2 = D(K, c2) ⊕ c1, …, i.e. m_i = D(K, c_i) ⊕ c_{i−1} with c_0 = IV
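The two review slides above (double encryption with its meet-in-the-middle attack, and CBC mode) as one worked example. This is added code, not from the lecture: it uses a constructed 4-round Feistel cipher with 16-bit blocks and a 16-bit key (so the whole key space can be tabulated in memory), and the keys 0xBEEF/0x1337, the sample blocks and the IV are constructed inputs. The attack recovers (K1, K2) from a few known plaintext/ciphertext pairs with about 2·2^16 cipher calls rather than the 2^32 of brute force, and the CBC part shows how a flipped ciphertext bit propagates on decryption.

```python
"""Toy block cipher, double encryption with meet-in-the-middle, and CBC mode.

Constructed for illustration: a 4-round Feistel cipher on 16-bit blocks with a
16-bit key (2^16 keys), far too weak for real use but small enough that the
meet-in-the-middle attack on DE((K1, K2), m) := E(K2, E(K1, m)) runs in a few
seconds with about 2 * 2^16 cipher calls instead of the 2^32 that brute force
over both keys would need. Double encryption therefore buys ~1 bit, not 16.
"""
from collections import defaultdict

KEY_BITS = 16
ROUNDS = 4


def _round_keys(key):
    # Toy key schedule: four 8-bit round keys from the 16-bit key.
    return [((key >> (4 * i)) ^ (key * (i + 1)) ^ (key >> 8)) & 0xFF
            for i in range(ROUNDS)]


def _f(x, rk):
    # Toy round function on an 8-bit value: key mix, affine multiply, rotate.
    x = ((x ^ rk) * 0x1D + 0x3F) & 0xFF
    return ((x << 3) | (x >> 5)) & 0xFF


def encrypt(key, block):
    """E(K, m) on a 16-bit block."""
    l, r = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (l << 8) | r


def decrypt(key, block):
    """D(K, c): the Feistel rounds undone in reverse order."""
    l, r = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        l, r = r ^ _f(l, rk), l
    return (l << 8) | r


def double_encrypt(k1, k2, block):
    """DE((K1, K2), m) := E(K2, E(K1, m))."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover every (K1, K2) consistent with the known (m, c) pairs for DE.

    The first pair gives the meeting point: tabulate E(K1, m) for all K1, then
    look up D(K2, c) for all K2; a match means E(K1, m) = D(K2, c), i.e. the
    pair (K1, K2) maps m to c. The other pairs weed out false positives.
    """
    m, c = pairs[0]
    forward = defaultdict(list)
    for k1 in range(1 << KEY_BITS):
        forward[encrypt(k1, m)].append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(decrypt(k2, c), ()):
            candidates.append((k1, k2))
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, mm) == cc for mm, cc in pairs[1:])]


def cbc_encrypt(key, iv, blocks):
    """CBC: c_i = E(K, m_i XOR c_{i-1}) with c_0 = IV."""
    out, prev = [], iv
    for m in blocks:
        prev = encrypt(key, m ^ prev)
        out.append(prev)
    return out


def cbc_decrypt(key, iv, blocks):
    """CBC: m_i = D(K, c_i) XOR c_{i-1} with c_0 = IV."""
    out, prev = [], iv
    for c in blocks:
        out.append(decrypt(key, c) ^ prev)
        prev = c
    return out


def demo():
    """Run the attack and the CBC error-propagation check on constructed data."""
    k1, k2 = 0xBEEF, 0x1337                      # the secret double-encryption key
    msgs = [0x1234, 0xABCD, 0x0F0F]              # known plaintexts
    pairs = [(m, double_encrypt(k1, k2, m)) for m in msgs]
    recovered = meet_in_the_middle(pairs)

    # CBC: flipping one bit of c1 garbles m1 completely (it passes through D)
    # and flips exactly that bit of m2 (c1 is XORed into it); m3 is untouched.
    key, iv = 0x4242, 0x9999
    ct = cbc_encrypt(key, iv, msgs)
    tampered = [ct[0] ^ 0x0001, ct[1], ct[2]]
    return recovered, cbc_decrypt(key, iv, ct), cbc_decrypt(key, iv, tampered)


if __name__ == "__main__":
    recovered, pt, pt_tampered = demo()
    print("MITM recovered key pairs:", [(hex(a), hex(b)) for a, b in recovered])
    print("CBC round trip:", [hex(x) for x in pt])
    print("CBC after flipping bit 0 of c1:", [hex(x) for x in pt_tampered])
```

With one known pair the table lookup leaves roughly 2^16 candidate key pairs (2^32 pairs filtered by a 16-bit match), which is why the second and third pairs are needed; with a real 64- or 128-bit block one extra pair already suffices.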
Review: Message Integrity
Goal of message integrity:
Alice generates tag 𝑡 for message 𝑚, Bob verifies tag
Review: Hash Function
Let H: ℳ → 𝒯 be a hash function (non-keyed); often H: {0,1}* → {0,1}^n.
A collision for H is a tuple (m1, m2) with
H(m1) = H(m2) ∧ m1 ≠ m2
Remark: Defining that “no efficient adversary exists that finds a collision” cannot be fulfilled: whenever |ℳ| > |𝒯| (in particular for H: {0,1}* → {0,1}^n) a collision exists, so the adversary that simply outputs a hard-coded collision is efficient.
Definition: Collision Resistant Hash Function (CRHF)
A hash function H is collision resistant if no “efficient” algorithm is known that finds a collision for H in suitable time.
Review: Merkle-Damgård Construction
Merkle-Damgård (iterated construction)
𝑝𝑎𝑑 is the padding function (injective)
f: {0,1}^k × {0,1}^n → {0,1}^n is the compression function.
ℎ𝑖 are called chaining variables
𝐼𝑉 is the initial value
Figure: message m → pad → blocks b0, b1, b2, b3, b4; h0 = IV, h_{i+1} = f(b_i, h_i), hash h = h5.
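The iterated construction of the slide, as an added example that is not part of the lecture material. The compression function f, the 8-byte block size, the 32-bit chaining variable, the IV and the sample message are all constructed for illustration (f is a toy mixer, not collision resistant); the padding is the usual Merkle-Damgård strengthening (a 1 bit, zeros, then the message length), which is what makes pad injective. The second half shows the caveat behind the "MACs from Hashes" item in the review outline: because the output is just the last chaining variable, anyone who knows H(m) and |m| can continue the chain and compute H(m ‖ glue ‖ ext) without knowing m, so H(K ‖ m) is not a safe MAC.

```python
"""Merkle-Damgård iteration over a toy compression function, plus the
length-extension property that follows from the construction.

Constructed for illustration: f is a toy mixing function, not a real
collision-resistant compression function, and the 32-bit state is far too
small for real use. The chaining is as on the slide:
h_0 = IV, h_{i+1} = f(b_i, h_i), output = last chaining variable.
"""

BLOCK = 8          # k = 64-bit message blocks
MASK32 = 0xFFFFFFFF
IV = 0x811C9DC5    # n = 32-bit chaining variable (constructed constant)


def f(block, h):
    """Toy compression function f: {0,1}^k x {0,1}^n -> {0,1}^n."""
    for byte in block:
        h = ((h ^ byte) * 0x01000193) & MASK32
        h ^= h >> 13
    return h


def pad_suffix(length):
    """Padding for a message of the given length (MD strengthening):
    0x80, then zeros up to 8 bytes short of a block boundary, then the
    64-bit big-endian bit length. It depends only on the length, which is
    what makes pad injective and length extension possible."""
    suffix = b"\x80"
    while (length + len(suffix) + 8) % BLOCK != 0:
        suffix += b"\x00"
    return suffix + (length * 8).to_bytes(8, "big")


def pad(m):
    """pad(m) = m || pad_suffix(|m|), a whole number of blocks."""
    return m + pad_suffix(len(m))


def md_hash(m, iv=IV):
    """H(m): iterate f over the padded blocks starting from the IV."""
    p = pad(m)
    h = iv
    for i in range(0, len(p), BLOCK):
        h = f(p[i:i + BLOCK], h)        # h_{i+1} = f(b_i, h_i)
    return h


def length_extend(known_hash, known_len, ext):
    """Given only H(m) and |m|, return (glue, H(m || glue || ext)).

    H(m) is the chaining variable after processing pad(m), so continuing the
    chain from it over ext (plus the padding of the longer message) yields a
    valid hash of a message the attacker never saw in full.
    """
    glue = pad_suffix(known_len)                 # m || glue == pad(m)
    forged_len = known_len + len(glue) + len(ext)
    tail = ext + pad_suffix(forged_len)          # the blocks after pad(m)
    h = known_hash
    for i in range(0, len(tail), BLOCK):
        h = f(tail[i:i + BLOCK], h)
    return glue, h


if __name__ == "__main__":
    secret_msg = b"key=hunter2&amount=10"         # constructed sample
    ext = b"&amount=999"
    h = md_hash(secret_msg)
    glue, forged = length_extend(h, len(secret_msg), ext)
    print("H(m)                    =", hex(h))
    print("H(m || glue || ext)     =", hex(md_hash(secret_msg + glue + ext)))
    print("forged from H(m), |m|   =", hex(forged))
```

The attacker never needs the secret prefix, only the hash and the total length; this is why HMAC (which hashes twice with the key) is used instead of the naive H(K ‖ m).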
This Lecture’s Summary
Asymmetric encryption
• Number theory for El-Gamal
• El-Gamal Encryption Scheme
• Number theory for RSA
• RSA Encryption Schemes
Foundations of Cybersecurity 2016
Symmetric vs. Asymmetric (Public-key) Encryption
Symmetric:
• Fast
• Based on heuristics
• One key for every pair of users
• Two parties need to protect the secret
Asymmetric (public-key):
• Slow
• Based on security proofs with well-defined assumptions
• One key for every user
• Everyone is responsible for his/her own secret key
Public-key Encryption
Now public-key encryption schemes (K, E, D):
Figure: K outputs the key pair (pk, sk); c := E(pk, m); D(sk, c) returns m. (Legend: randomized / stateful / deterministic algorithms.)
Definition of Public-Key Encryption
Definition: Public-key Encryption Scheme
A public-key encryption scheme is a triple of algorithms (𝐾, 𝐸, 𝐷):
The randomized key generation algorithm 𝐾 takes no input and returns a key pair (𝑝𝑘, 𝑠𝑘).
The (often randomized) encryption algorithm 𝐸 takes a public key 𝑝𝑘 and a message 𝑚 and returns a ciphertext 𝑐.
The deterministic decryption algorithm 𝐷 takes a secret key 𝑠𝑘, a ciphertext 𝑐 and returns a plaintext 𝑚 ∈ ℳ or a distinguished error symbol.
Correctness:
The above algorithms have to satisfy the following property: For any key pair (pk, sk) ∈ [K], any message m ∈ ℳ, and any c ∈ [E(pk, m)], we have that D(sk, c) = m.
Number Theory Basics for the El-Gamal Encryption Scheme
Notation
From here on:
𝑁 denotes a positive integer.
p denotes a prime.
Notation: ℤ_N = {0, 1, 2, …, N − 1}
Can do addition and multiplication modulo 𝑁
Modular Arithmetic
Examples: let N = 12
9 + 8 = 5 in ℤ12
5 × 7 = 11 in ℤ12
5 − 7 = 10 in ℤ12
Arithmetic in ℤ_N works as you expect, e.g. x ⋅ (y + z) = x ⋅ y + x ⋅ z in ℤ_N.
Greatest Common Divisor (GCD)
Definition: GCD
For integers x, y, gcd(x, y) denotes the greatest common divisor of x and y.
Example: gcd(12, 18) = 6
Fact: GCD
For all integers x, y there exist integers a, b such that
a ⋅ x + b ⋅ y = gcd(x, y)
a, b can be found efficiently using the extended Euclidean algorithm.
If gcd(x, y) = 1 we say that x and y are relatively prime.
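The extended Euclidean algorithm from the GCD slide, carried through in code as an added example (not from the lecture). Besides gcd(x, y) it returns the coefficients a, b with a ⋅ x + b ⋅ y = gcd(x, y), and from those the inverse of x in ℤ_N, which exists exactly when gcd(x, N) = 1 (then a ⋅ x ≡ 1 mod N). That inverse is what the decryption steps of ElGamal and RSA rely on. The function and variable names are this example's own.

```python
"""Extended Euclidean algorithm and modular inverses in Z_N.

Added example: egcd returns gcd(x, y) together with the Bezout coefficients
a, b satisfying a*x + b*y = gcd(x, y); mod_inverse uses them to invert x
in Z_N, which works exactly when x and N are relatively prime.
"""


def egcd(x, y):
    """Return (g, a, b) with g = gcd(x, y) >= 0 and a*x + b*y = g.

    Loop invariant: old_a*x + old_b*y == old_r and a*x + b*y == r, so when
    r reaches 0, old_r is the gcd and (old_a, old_b) are its coefficients.
    """
    old_r, r = x, y
    old_a, a = 1, 0
    old_b, b = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_a, a = a, old_a - q * a
        old_b, b = b, old_b - q * b
    if old_r < 0:                      # normalise the sign for negative inputs
        old_r, old_a, old_b = -old_r, -old_a, -old_b
    return old_r, old_a, old_b


def gcd(x, y):
    return egcd(x, y)[0]


def has_inverse(x, N):
    """x is a unit of Z_N iff gcd(x, N) = 1."""
    return gcd(x % N, N) == 1


def mod_inverse(x, N):
    """x^{-1} in Z_N: from a*x + b*N = 1 we get a*x = 1 (mod N).

    Raises ValueError when gcd(x, N) != 1, because then no inverse exists.
    """
    g, a, _ = egcd(x % N, N)
    if g != 1:
        raise ValueError(f"{x} has no inverse mod {N}: gcd({x}, {N}) = {g}")
    return a % N


if __name__ == "__main__":
    g, a, b = egcd(12, 18)
    print(f"gcd(12, 18) = {g}, with {a}*12 + {b}*18 = {a * 12 + b * 18}")
    print("5^-1 mod 12 =", mod_inverse(5, 12))          # 5 * 5 = 25 = 1 in Z_12
    print("units of Z_12:", [x for x in range(12) if has_inverse(x, 12)])
    try:
        mod_inverse(4, 12)
    except ValueError as e:
        print("no inverse:", e)
```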
Security intuition: B = m ⋅ g^{xy} is similar to the OTP: g^{xy} is the key and the group multiplication ⋅ plays the role of the XOR.
but: why is this secure?
Goals:
Define security of public key encryption schemes. (yes, we do that!)
Prove that ElGamal is secure. (core lecture)
Indist. Ciphertexts under CPA
Let PE = (K, E, D) be a public-key encryption scheme and A an adversary. Define Exp^CPA_{PE,A}(b) as the following experiment between Challenger(b, n), b ∈ {0,1}, and Adversary(n):
• Challenger generates keys (pk, sk) ← K(n) and sends pk to the adversary.
• Adversary sends two messages m0, m1.
• Challenger sends c ← Encrypt(pk, m_b).
• Adversary outputs b∗.
Definition: Indistinguishability of Ciphertexts under CPA
A sequence of public-key encryption schemes PE has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries A = (A_n)_{n∈ℕ}:
Adv^CPA_{PE,A} = | Pr[Exp^CPA_{PE,A_n}(0) = 1] − Pr[Exp^CPA_{PE,A_n}(1) = 1] |
is negligible.
Only a 1-CPA Variant?
Does the following extended experiment strengthen the definition? Same experiment as before, but the adversary may additionally send messages m of its choice to the challenger and receive E(pk, m).
No, since A can compute E(pk, m) itself for messages of its choice!
CPA-security of ElGamal
Theorem: IND-CPA of ElGamal
ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in G:
Definition: Decisional Diffie-Hellman Assumption (DDH)
Given a group G with ~2^n elements and a random g ∈ G, no efficient adversary (in n) can distinguish
(g^x, g^y, g^{xy}) and (g^x, g^y, g^z) for x, y, z random in {1, …, |G|}.
Why decisional? CPA-security says it must be hard to distinguish, CDH that it is hard to compute. But distinguishing might be easier...
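The IND-CPA experiment defined above, run against ElGamal, as an added example (not lecture code). It assumes the textbook scheme behind the security intuition B = m ⋅ g^{xy}: pk = g^x, E(pk, m) = (g^y, m ⋅ pk^y) with fresh random y, D(sk, (c1, c2)) = c2 ⋅ (c1^x)^{−1}. The group is a constructed toy: p = 1019 = 2 ⋅ 509 + 1 is a safe prime and g = 4 generates the subgroup of order q = 509 (far too small to be secure, fine for running the game). The adversary is the one from the "1-CPA variant" slide: it encrypts m0 itself under pk and compares with the challenge, which is exactly why an encryption oracle adds nothing. That adversary has advantage 1 against any deterministic scheme (here: ElGamal with the randomness y fixed), and advantage about 1/q against real ElGamal, where the fresh y makes each ciphertext look like a one-time pad under g^{xy}.

```python
"""ElGamal in a toy prime-order group, the IND-CPA experiment from the slide,
and the adversary that breaks any deterministic scheme by re-encrypting m0.

Constructed for illustration: p = 1019 = 2*509 + 1 is a safe prime and g = 4
generates the subgroup of order q = 509. Real parameters are thousands of
bits (or an elliptic-curve group); nothing here is secure.
"""
import random

P, Q, G = 1019, 509, 4


def keygen(rng):
    """K: x random, pk = g^x, sk = x."""
    x = rng.randrange(1, Q)
    return pow(G, x, P), x


def elgamal_encrypt(pk, m, rng):
    """E(pk, m) = (g^y, m * pk^y) = (g^y, m * g^{xy}) for fresh random y.

    Messages should be subgroup elements; g^{xy} acts as a one-time key and
    the group multiplication plays the role of the OTP's XOR."""
    y = rng.randrange(1, Q)
    return pow(G, y, P), (m * pow(pk, y, P)) % P


def elgamal_decrypt(sk, c):
    """D(sk, (c1, c2)) = c2 * (c1^x)^{-1}: strip g^{xy} again."""
    c1, c2 = c
    shared = pow(c1, sk, P)
    return (c2 * pow(shared, P - 2, P)) % P   # inverse via Fermat, p prime


def deterministic_encrypt(pk, m, rng):
    """The same scheme with the randomness fixed to y = 1: still decrypts
    correctly with elgamal_decrypt, but every encryption of m is identical."""
    return G, (m * pk) % P


ELGAMAL = (keygen, elgamal_encrypt, elgamal_decrypt)
DETERMINISTIC = (keygen, deterministic_encrypt, elgamal_decrypt)

# Two distinct challenge messages in the subgroup (constructed sample).
M0, M1 = pow(G, 7, P), pow(G, 123, P)


def adversary_choose(pk):
    return M0, M1


def adversary_guess(pk, m0, m1, c, enc, rng):
    """Encrypt m0 under the public key itself (no oracle needed, which is why
    the extended experiment is no stronger) and compare with the challenge."""
    return 0 if enc(pk, m0, rng) == c else 1


def cpa_experiment(scheme, b, rng):
    """Exp^CPA_{PE,A}(b): returns the adversary's output bit b*."""
    gen, enc, _ = scheme
    pk, _sk = gen(rng)
    m0, m1 = adversary_choose(pk)
    c = enc(pk, (m0, m1)[b], rng)
    return adversary_guess(pk, m0, m1, c, enc, rng)


def advantage(scheme, trials=400, seed=1):
    """Empirical |Pr[Exp(0) = 1] - Pr[Exp(1) = 1]| over the given trials."""
    rng = random.Random(seed)
    pr_one = [sum(cpa_experiment(scheme, b, rng) for _ in range(trials)) / trials
              for b in (0, 1)]
    return abs(pr_one[0] - pr_one[1])


def correctness_check(seed=3):
    """D(sk, E(pk, m)) = m for both variants on a few messages."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return all(elgamal_decrypt(sk, elgamal_encrypt(pk, m, rng)) == m
               and elgamal_decrypt(sk, deterministic_encrypt(pk, m, rng)) == m
               for m in (M0, M1, 17))


if __name__ == "__main__":
    print("decrypts correctly:", correctness_check())
    print("advantage vs deterministic variant:", advantage(DETERMINISTIC))
    print("advantage vs ElGamal (expected about 1/q):", advantage(ELGAMAL))
```

Against the deterministic variant the adversary is right in every trial: Exp(0) always returns 0 and Exp(1) always returns 1. Against ElGamal it only wins when its own fresh y happens to equal the challenger's, which is the 1/q that becomes negligible once the group is large.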
RSA-based ciphers (origin in 1977)
Problem of information secrecy solved?
We need alternative schemes based on different assumptions!