EE817/IS893 CryptographyEngineeringand Cryptocurrency YongdaeKim - PowerPoint PPT Presentation

EE817/IS�893� Cryptography�Engineering�and� Cryptocurrency� Yongdae�Kim� 한국과학기술원 �

Admin�Stuff� q Mar�13�midnight:�Homework�1�submission� q Mar�14�morning:�Homework�1�solution�posting� q Mar�19�class:�Quiz�1� q About�2�weeks�after:�Homework�2,�Quiz�2� q About�2�weeks�after:�Homework�3,�midterm,�… � q Question�on�homework?�

Recap�� q Proof�techniques� ▹ Direct/Indirect�proof,�Proof�by�contradiction,�Proof�by�cases,�Existential/Universal�Proof,� Forward/backward�reasoning�� q Divisibility:�a�divides�b�(a|b)�if� ∃ �c�such�that�b�=�ac� q d�=�gcd(a,b)�is�the�largest�positive�integer�that�divides�both�a�and�b,�more�formally,� 1)� d�>� 0,�2)�d�|�a�and�d�|�b,�3)�e�|�a�and�e�|�b�implies�e�|�d � q lcm(a,b)�is�the�smallest�positive�integer�divisible�by�both�a�and�b� q Euclidean�Algorithm� q p�≥�2�is�prime�if�1)�a�|�p� ⇒ �a�=� ± �1�or� ± �p� q Prime�number�theorem:� �lim x→ ∞ � π (x)/(x/ln�x)�=�1� q Euler�phi�function:�For�n�≥�1,�let�f(n)�denote�the�number�of�integers�in�[1,�n]�which�are� relatively�prime�to�n.�� q Pairwise�relatively�prime!� q a�≡�b�(mod�m)�if�m�divides�a-b� q a*�is�an�arithmetic�inverse�of�a�modulo�n,�if�a�a*� ≡ �1�mod�n.� q Cardinality,�counting,�discrete�probability,�…� q Oneway�function,�Trapdoor�oneway�function� q Symmetric�key�cryptography,�public�key�cryptography� 2

Key�Management � q Key�establishment� ▹ Process�to�whereby�a�shared�secret�key�becomes� available�to�two�or�more�parties� ▹ Subdivided�into�key�agreement�and�key�transport.� q Key�management� ▹ The�set�of�processes�and�mechanisms�which�support� key�establishment��� ▹ The�maintenance�of�ongoing�keying�relationships� between�parties�

Key�Management�Through�SKE� q Pros� K A ,�K B� ▹ Easy�to�add�and�remove� entities� ▹ Each�entity�needs�to�store� only�one�long-term�secret�key� q Cons� ▹ Initial�interaction�with�the� 3.�E SK (“Hi”),�E KB (SK)� TTP� 4.�E SK (“Hi,�Alice”)� ▹ TTP�needs�to�maintain� n �long- K A � K B � term�secret�keys� ▹ TTP�can�read�all�messages� ▹ Single�point�of�failure�

Key�Management�Through�PKE� q Advantages� 0xDAD12345 Alice ▹ TTP�not�required� 0xBADD00D1 Bob ▹ Only� n �public�keys�need�to� be�stored� ▹ The�central�repository� could�be�a�local�file�� q Problem� ▹ Public�key�authentication� 1.�Alice,�PK A � problem� q Solution� 2.�Bob,�PK B� SK A ,PK A� SK B ,PK B� ▹ Need�of�TTP�to�certify�the� public�key�of�each�entity�

Public�Key�Certificates� q Entities�trust�a�third�party,�who�issues�a�certificate� q Certificate�=�(data�part,�signature�part)� ▹ Data�part�=�(name,�public-key,�other�information)� ▹ Signature�=�(signature�of�TTP�on�data�part)� q If�B�wants�to�verify�authenticity�of�A’s�public�key� ▹ Acquire�public�key�certificate�of�A�over�a�secured�channel� ▹ Verify�TTP’s�signature� ▹ If�signature�verified�A’s�public�key�in�the�certificate�is� authentic�

Symmetric�vs.�Public�key� Pros� Cons� n The�key�must�remain�secret�at� both�ends� n �High�data�throughput� n O(n 2 )�keys�to�be�managed� SKE� n �Relatively�short�key�size� n Relatively�short�lifetime�of�the� key� n O(n)�keys� n Only�the�private�key�must�be� n Low�data�throughput� kept�secret� PKE� n Much�larger�key�sizes�� n longer�key�life�time� n digital�signature�

Kerckhoff’s�Principle� q Security�should�depend�only�on�the�key� ▹ Don’t�assume�enemy�won’t�know�algorithm� » Can�capture�machines,�disassemble�programs,�etc.� » Too�expensive�to�invent�new�algorithm�if�it�might�have�been� compromised� ▹ Security�through�obscurity�isn’t� » Look�at�history�of�examples� » Better�to�have�scrutiny�by�open�experts� q “The�enemy�knows�the�system�being�used.”�(Claude� Shannon)�

ID-based�Cryptography� q No�public�key� q Public�key�=�ID�(email,�name,�etc.)� q PKG� ▹ Private�key�generation�center� ▹ SK ID �=�PKG S (ID)� ▹ PKG’s�public�key�is�public.� ▹ distributes�private�key�associated�with�the�ID� q Encryption:�C=�E ID (M)� q Decryption:�D SK (C)�=�M�

Discussion�(PKI�vs.�Kerberos�vs.�IBE)� q On-line�vs.�off-line�TTP� ▹ Implication?� q Non-reputation?� q Revocation?� q Scalability?� q Trust�issue?�

Block�Cipher� q E:�V n � × � K � → V n � ▹ V n �=�{0,1} n ,�K�=�{0,�1} k ,�n�is�called�block�length,�k�is�called�key�size � ▹ E(P,�K)�=�C�for�K� ∈ �K�and�P,�C� ∈ �V n � ▹ E(P,�K)�=�E K (P)�is�invertible�mapping�from�V n� to�V n� » E K :�encryption�function � ▹ D(C,�K)�=�D K (C)�is�the�inverse�of�E K� » D k :�decryption�function� P�(plaintext)� P�(plaintext)� K� E � E K � Key� C�(ciphertext)� C�(ciphertext)�

Modes�of�Operation� A�block�cipher�encrypts�plaintext�in�fixed-size�n-bit�blocks�(often�n�=128).�What�happens� q if�your�message�is�greater�than�the�block�size? � x j� c 0 =IV � C j-1 � x j� D� k � k � E� E -1 � k � k � E� C j-1 � x j ’ � x j ’ � I 1 =IV � I j � I j � I j � I j � I 1 =IV � k � E� E� k � k � E� E� k � O j � O j � O j � O j � x j� x j ’ � x j� x j ’ �

Modes�of�Operation� ECB� q Encryption:�c j � ← E K (x j )� ▹ Decryption:�x j � ← �E − 1 K �(c j )� ▹ CBC� q Encryption:�c 0 � ← �IV,�c j � ← �E K (c j − 1 ⊕ �x j )� ▹ Decryption:�c 0 � ← �IV,�x j � ← �c j − 1� ⊕ �E − 1 K (c j )� ▹ CFB� q Encryption:�I 1 � ← �IV,�c j � ← �x j � ⊕ �E K (I j ),�I j+1 �=�c j � ▹ Decryption:�I 1 � ← �IV,�x j � ← �c j � ⊕ �E K (I j ),�I j+1 �=�c j� ▹ OFB� q Encryption:�I 1 � ← �IV,�o j �=�E K (I j ),�c j � ← �x j � ⊕ �o j ,�I j+1 �=�o j � ▹ Decryption:�I 1 � ← �IV,�o j �=�E K (I j ),�x j � ← �c j � ⊕ �o j ,�I j+1 �=�o j� ▹

Modes�of�Operation�(CTR)� CTR � CTR+1 � CTR+N-1 � E� E� E� k � k � k � x 1� x 2� x N� c 1� c 2� c N� CTR � CTR+1 � CTR+N-1 � E� E� E� k � k � k � c 1� c 2� c N� x 1� x 2� x N� 14

CTR�advantages� q Hardware�efficiency� ▹ Parallelizable� q Software�efficiency� ▹ Similar,�modern�processors�support�parallel�computation� q Preprocessing� ▹ Pad�can�be�computed�earlier� q Random-access� ▹ Each�ciphertext�block�can�be�encrypted�independently� ▹ important�in�applications�like�hard-disk�encryption� q Provable�security� ▹ no�worse�than�what�one�gets�for�CBC�encryption� q Simplicity� ▹ No�decryption�algorithm�and�key�scheduling�

Double�DES� q C�=�E K2 [E K1 �[P]]� q P�=�D K1 [D K2 [C]]� q Reduction�to�single�stage?� ▹ E K2 [E K1 �[P]]�=?�E K3 [P]� ▹ It�was�proven�that�it�does�not�hold�

Meet-in-the-middle�Attack� q Diffie�1977� q Exhaustively�cracking�it�requires�2 112 ?� q C�=�E K2 [E K1 �[P]]� ▹ X�=�E K1 �[P]�=�D K2 [C]� q Given�a�known�pair,�(P,�C)� ▹ Encrypt�P�with�all�possible�2 56 �values�of�K 1 � ▹ Store�this�results�and�sort�by�X� ▹ Decrypt�C�with�all�possible�2 56 �K 2 ,�and�check�table� ▹ If�same,�accept�it�as�the�correct�key� q Are�we�done?�&&#@!#(�

Meet-in-the-middle�Attack,�cnt� q Little�statistics� ▹ For�any�P,�there�are�2 64 �possible�C� ▹ DDES�uses�112�bit�key,�so�2 112� keys� ▹ Given�C,�there�are�2 112 /2 64 �=�2 48 �possible�P� » So�there�are�2 48� false�alarms� ▹ If�one�more�(P’,�C’)�pair,�we�can�reduce�it�to�2 -16� q So�using�two�(plaintext,�ciphertext)�pairs,�we�can�break� DDES�c�*�2 56� encryption/decryption� q C�=�E K2 [D K1 �[P]]�different?�

Triple�DES�with�two�keys� q Obvious�counter�to�DDES:�Use�three�keys� ▹ Complexity?� ▹ 168�bit�key� q Triple�DES�=�EDE�=�encrypt-decrypt-encrypt� ▹ C�=�E K1 [D K2 �[E K1 [P]]]� q Attacks?� ▹ No�practical�one�so�far�