EE817/IS893 Cryptography Engineering and Cryptocurrency, Yongdae Kim
Admin Stuff
• Mar 13 midnight: Homework 1 submission
• Mar 14 morning: Homework 1 solution posting
• Mar 19 class: Quiz 1
• About 2 weeks after: Homework 2, Quiz 2
• About 2 weeks after: Homework 3, midterm, …
Recap
• Math…
• Proof techniques
  ▹ Direct/Indirect proof, Proof by contradiction, Proof by cases, Existential/Universal Proof, Forward/backward reasoning
• Divisibility: a divides b (a | b) if ∃c such that b = ac
• Congruences
Math, Math, Math!
Z_n, Z_n*
• Z_n = {0, 1, 2, 3, …, n-1}
• Z_n* = {x | x ∈ Z_n and gcd(x, n) = 1}.
• Z_6 = {0, 1, 2, 3, 4, 5}
• Z_6* = {1, 5}
• For a set S, |S| means the number of elements in S.
• |Z_n| = n
• |Z_n*| = φ(n)
Cardinality
• For finite (only) sets, cardinality is the number of elements in the set
• For finite and infinite sets, two sets A and B have the same cardinality if there is a one-to-one correspondence from A to B
Counting
• Multiplication rule
  ▹ If there are n1 ways to do task 1, and n2 ways to do task 2
    » Then there are n1·n2 ways to do both tasks in sequence.
  ▹ Example
    » There are 18 math majors and 325 CS majors
    » How many ways are there to pick one math major and one CS major?
• Addition rule
  ▹ If there are n1 ways to do task 1, and n2 ways to do task 2
    » If these tasks can be done at the same time, then…
    » Then there are n1 + n2 ways to do one of the two tasks
  ▹ How many ways are there to pick one math major or one CS major?
• The inclusion-exclusion principle
  ▹ |A1 ∪ A2| = |A1| + |A2| - |A1 ∩ A2|
Permutation, Combination
• An r-permutation is an ordered arrangement of r elements of the set: P(n, r), nPr
  ▹ How many poker hands (with ordering)?
  ▹ P(n, r) = n(n-1)(n-2)…(n-r+1) = n!/(n-r)!
• Combination: When order does not matter…
  ▹ In poker, the following two hands are equivalent:
    » A♦, 5♥, 7♣, 10♠, K♠
    » K♠, 10♠, 7♣, 5♥, A♦
  ▹ The number of r-combinations of a set with n elements, where n is non-negative and 0 ≤ r ≤ n, is: C(n, r) = n!/(r!(n-r)!)
  ▹ (x+y)^n
Probability definition
• The probability of an event occurring is: p(E) = |E|/|S|
  ▹ Where E is the set of desired events (outcomes)
  ▹ Where S is the set of all possible events (outcomes)
  ▹ Note that 0 ≤ |E| ≤ |S|
    » Thus, the probability will always be between 0 and 1
    » An event that will never happen has probability 0
    » An event that will always happen has probability 1
What’s behind door number three?
• The Monty Hall problem paradox
  ▹ Consider a game show where a prize (a car) is behind one of three doors
  ▹ The other two doors do not have prizes (goats instead)
  ▹ After picking one of the doors, the host (Monty Hall) opens a different door to show you that the door he opened is not the prize
  ▹ Do you change your decision?
• Your initial probability to win (i.e. pick the right door) is 1/3
• What is your chance of winning if you change your choice after Monty opens a wrong door?
• After Monty opens a wrong door, if you change your choice, your chance of winning is 2/3
  ▹ Thus, your chance of winning doubles if you change
  ▹ Huh?
Assigning Probability
• S: Sample space
• p(s): probability that s happens.
  ▹ 0 ≤ p(s) ≤ 1 for each s ∈ S
  ▹ ∑_{s∈S} p(s) = 1
• The function p is called a probability distribution
• Example
  ▹ Fair coin: p(H) = 1/2, p(T) = 1/2
  ▹ Biased coin where heads comes up twice as often as tails
    » p(H) = 2p(T)
    » p(H) + p(T) = 1 ⇒ 3p(T) = 1 ⇒ p(T) = 1/3, p(H) = 2/3
More…
• Uniform distribution
  ▹ Each element s ∈ S (|S| = n) is assigned the probability 1/n.
• Random
  ▹ The experiment of selecting an element from a sample space with uniform distribution.
• Probability of the event E
  ▹ p(E) = ∑_{s∈E} p(s).
• Example
  ▹ A die is biased so that 3 appears twice as often as others
    » p(1) = p(2) = p(4) = p(5) = p(6) = 1/7, p(3) = 2/7
  ▹ p(O) where O is the event that an odd number appears
    » p(O) = p(1) + p(3) + p(5) = 4/7.
Combination of Events
• Still
  ▹ p(E^c) = 1 - p(E)
  ▹ p(E1 ∪ E2) = p(E1) + p(E2) - p(E1 ∩ E2)
    » E1 ∩ E2 = ∅ ⇒ p(E1 ∪ E2) = p(E1) + p(E2)
    » For all i ≠ j, E_i ∩ E_j = ∅ ⇒ p(∪_i E_i) = ∑_i p(E_i)
Conditional Probability
• Flip a coin 3 times
  ▹ All eight possibilities are equally likely.
  ▹ Suppose we know that the first coin was tail (Event F). What is the probability that we have an odd number of tails (Event E)?
    » Only four cases: TTT, TTH, THT, THH
    » So 2/4 = 1/2.
• Conditional probability of E given F
  ▹ We need to use F as the sample space
  ▹ For the outcome of E to occur, the outcome must belong to E ∩ F.
  ▹ p(E|F) = p(E ∩ F)/p(F).
Bernoulli Trials & Binomial Distribution
• Bernoulli trial
  ▹ an experiment with only two possible outcomes
  ▹ i.e. 0 (failure) and 1 (success).
  ▹ If p is the probability of success and q is the probability of failure, p + q = 1.
• A biased coin with probability of heads 2/3
  ▹ What is the probability that four heads come up out of 7 trials?
Random Variable
• A random variable is a function from the sample space of an experiment to the set of real numbers.
  ▹ A random variable assigns a real number to each possible outcome.
  ▹ A random variable is not a variable! Not random!
• Example: three times coin flipping
  ▹ Let X(t) be the random variable that equals the number of heads that appear when t is the outcome
  ▹ X(HHH) = 3, X(THH) = X(HTH) = X(HHT) = 2, X(TTH) = X(THT) = X(HTT) = 1, X(TTT) = 0
• The distribution of a random variable X on a sample space S is the set of pairs (r, p(X = r)) for all r ∈ X(S)
  ▹ where p(X = r) is the probability that X takes value r.
  ▹ p(X = 3) = 1/8, p(X = 2) = 3/8, p(X = 1) = 3/8, p(X = 0) = 1/8
Expected Value
• The expected value of the random variable X(s) on the sample space S is equal to E(X) = ∑_{s∈S} p(s) X(s)
• Expected value of a Die
  ▹ X is the number that comes up when a die is rolled.
  ▹ What is the expected value of X?
  ▹ E(X) = 1/6·1 + 1/6·2 + 1/6·3 + … + 1/6·6 = 21/6 = 7/2
• Three times coin flipping example
  ▹ X: number of heads
  ▹ E(X) = 1/8·3 + 3/8·2 + 3/8·1 + 1/8·0 = 12/8 = 3/2
Security: Overview
The main players
Alice, Bob, Eve, Yves?
Attacks, Mechanisms, Services
• Security Attack: Any action that compromises the security of information.
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
• Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
Attacks
[Figure: Source-to-Destination flow diagrams. Panels: Normal Flow; Interruption: Availability; Interception: Confidentiality; Modification: Integrity; Fabrication: Authenticity]
Taxonomy of Attacks
• Passive attacks
  ▹ Eavesdropping
  ▹ Traffic analysis
• Active attacks
  ▹ Masquerade
  ▹ Replay
  ▹ Modification of message content
  ▹ Denial of service
Security Services
• Confidentiality or privacy
  ▹ keeping information secret from all but those who are authorized to see it.
• Data Integrity
  ▹ ensuring information has not been altered by unauthorized or unknown means.
• Entity authentication or identification
  ▹ corroboration of the identity of an entity
• Message authentication
  ▹ corroborating the source of information
• Signature
  ▹ a means to bind information to an entity.
• Authorization, Validation, Access control, Certification, Timestamping, Witnessing, Receipt, Confirmation, Ownership, Anonymity, Non-repudiation, Revocation
Big picture
[Figure labels: Trusted third party (e.g. arbiter, distributor of secret information); Alice: Secret Information, Message; Bob: Secret Information, Message; Information Channel; Eve]
More details
• Little maths
• Taxonomy
• Definitions
Little Maths :-)
• Function
  ▹ f: X → Y is called a function f from set X to set Y.
    » X: domain, Y: codomain.
  ▹ for y = f(x) where x ∈ X and y ∈ Y
    » y: image of x, x: preimage of y
  ▹ Im(f): the set of all y ∈ Y that have at least one preimage
• 1−1 if each element in Y is the image of at most one element in X.
• onto if Im(f) = Y
• bijection if f is 1−1 and onto.
(Trap-door) One-way function
• one-way function if
  ▹ f(x) is easy to compute for all x ∈ X, but
  ▹ it is computationally infeasible to find any x ∈ X such that f(x) = y.
• trapdoor one-way function if
  ▹ given trapdoor information, it becomes feasible to find an x ∈ X such that f(x) = y.
Taxonomy of crypto primitives
• Security Primitives
  ▹ Unkeyed Primitives
    » Arbitrary length hash functions
    » One-way permutations
    » Random sequences
  ▹ Symmetric-key Primitives
    » Symmetric-key ciphers: Block ciphers, Stream ciphers
    » Arbitrary length hash functions (MACs)
    » Signatures
    » Pseudorandom sequences
    » Identification primitives
  ▹ Public-key Primitives
    » Public-key ciphers
    » Signatures
    » Identification primitives
Terminology for Encryption
• M denotes a set called the message space
  ▹ M consists of strings of symbols from an alphabet
  ▹ An element of M is called a plaintext
• C denotes a set called the ciphertext space
  ▹ C consists of strings of symbols from an alphabet
  ▹ An element of C is called a ciphertext
• K denotes a set called the key space
  ▹ An element of K is called a key
• E_e is an encryption function where e ∈ K
• D_d is called a decryption function where d ∈ K
Encryption
• Why do we use a key?
  ▹ Or why not use just a shared encryption function?
[Figure labels: Alice, Bob, Adversary; Plaintext source, m, Encryption E_e(m) = c, c, insecure channel, Decryption D_d(c) = m, m, destination]
Symmetric-key encryption
• Encryption scheme is symmetric-key
  ▹ if for each (e, d) it is computationally easy to compute e knowing d and d knowing e
  ▹ Usually e = d
• Block Cipher
  ▹ Breaks plaintext into blocks of fixed length
  ▹ Encrypts one block at a time
• Stream Cipher
  ▹ Takes a plaintext string and produces a ciphertext string using a keystream
  ▹ Block cipher with block length 1
SKE with Secure channel
[Figure labels: Alice, Bob, Adversary; Key source, e, d, Secure channel; Plaintext source, m, Encryption E_e(m) = c, c, Insecure channel, Decryption D_d(c) = m, m, destination]
Public-key Encryption (Crypto)
• Every entity has a private key SK and a public key PK
  ▹ Public key is known to all
  ▹ It is computationally infeasible to find SK from PK
  ▹ Only SK can decrypt a message encrypted by PK
• If A wishes to send a private message M to B
  ▹ A encrypts M by B’s public key, C = E_{B_PK}(M)
  ▹ B decrypts C by his private key, M = D_{B_SK}(C)
PKE with Insecure Channel
[Figure labels: Alice, Bob, Passive Adversary; Key source, d, e, Insecure channel; Plaintext source, m, Encryption E_e(m) = c, c, Insecure channel, Decryption D_d(c) = m, m, destination]
Public Key should be authentic!
[Figure labels: e, e, E_e(m), e’, E_e’(m), E_e(m)]
Digital Signatures
• Primitive in authentication and non-repudiation
• Signature
  ▹ Process of transforming the message and some secret information into a tag
• Nomenclature
  ▹ M is set of messages
  ▹ S is set of signatures
  ▹ S_A is signature transformation from M to S for A, kept private
  ▹ V_A is verification transformation from M to S for A, publicly known
Definitions
• Digital Signature - a data string which associates a message with some originating entity
• Digital Signature Generation Algorithm - a method for producing a digital signature
• Digital signature verification algorithm - a method for verifying that a digital signature is authentic (i.e., was indeed created by the specified entity).
• Digital Signature Scheme - consists of a signature generation algorithm and an associated verification algorithm
Digital Signature with Appendix
• Schemes with appendix
  ▹ Requires the message as input to verification algorithm
  ▹ Rely on cryptographic hash functions rather than customized redundancy functions
  ▹ DSA, ElGamal, Schnorr etc.
Digital Signature with Appendix
[Figure labels: M, m, h, M_h, m_h, S_{A,k}, S, s*, V_A, M_h × S, {True, False}; s* = S_{A,k}(m_h); u = V_A(m_h, s*)]
Hash function and MAC
• A hash function is a function h
  ▹ compression: h maps an input x of arbitrary finite bit length, to an output h(x) of fixed bit length n.
  ▹ ease of computation: h(x) is easy to compute for given x and h
  ▹ Properties
    » one-way: for a given y, find x’ such that h(x’) = y
    » collision resistance: find x and x’ such that h(x) = h(x’)
• MAC (message authentication codes)
  ▹ both authentication and integrity
  ▹ MAC is a family of functions h_k
    » ease of computation (if k is known!!)
    » compression, x is of arbitrary length, h_k(x) has fixed length
    » computation resistance: given (x’, h_k(x’)) it is infeasible to compute a new pair (x, h_k(x)) for any new x ≠ x’
Message Authentication Code MAC
• MAC is a family of functions h_k
  ▹ ease of computation (if k is known!!)
  ▹ compression, x is of arbitrary length, h_k(x) has fixed length
  ▹ computation resistance: given (x’, h_k(x’)) it is infeasible to compute a new pair (x, h_k(x)) for any new x ≠ x’
• Typical use
  ▹ A → B: (x, H = h_k(x))
  ▹ B: verifies if H = h_k(x)
• Properties
  ▹ Without k, no one can generate a valid MAC.
  ▹ Without k, no one can verify a MAC.
  ▹ both authentication and integrity
Authentication
• How to prove your identity?
  ▹ Prove that you know a secret information
• When key K is shared between A and Server
  ▹ A → S: HMAC_K(M) where M can provide freshness
  ▹ Why freshness?
• Digital signature?
  ▹ A → S: Sig_SK(M) where M can provide freshness
• Comparison?
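The shared-key exchange A → S: HMAC_K(M) and the "Why freshness?" question, as an added example that is not part of the original slides. It assumes M is a one-time random nonce chosen by S; the `Server` class, `respond`, `verify_static` and the sample values are hypothetical names constructed for illustration.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, message: bytes) -> bytes:
    """A -> S: HMAC_K(M)."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Server:
    """S shares K with A and supplies M itself as a one-time random nonce."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()           # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self._pending:  # unknown or already used: not fresh
            return False
        self._pending.discard(nonce)    # one attempt per challenge
        return hmac.compare_digest(respond(self._key, nonce), tag)

    def verify_static(self, message: bytes, tag: bytes) -> bool:
        """Contrast case: a fixed M, so a recorded pair stays valid forever."""
        return hmac.compare_digest(respond(self._key, message), tag)


def demo() -> dict:
    key = secrets.token_bytes(32)       # constructed shared key K
    server = Server(key)
    fixed = b"I am A"                   # constructed message with no freshness
    captured = respond(key, fixed)      # what a passive Eve records once
    n1 = server.challenge()
    t1 = respond(key, n1)
    n2 = server.challenge()
    n3 = server.challenge()
    return {
        "static_replay": server.verify_static(fixed, captured),
        "fresh_first": server.verify(n1, t1),
        "fresh_replay": server.verify(n1, t1),
        "old_tag_new_nonce": server.verify(n2, t1),
        "wrong_key": server.verify(n3, respond(b"\x00" * 32, n3)),
    }
```

Only the fixed-message verifier accepts the recorded tag a second time; with a nonce, the same bytes are rejected once the challenge has been consumed.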
Encryption and Authentication
• E_K(M)
• Redundancy-then-Encrypt: E_K(M, R(M))
• Hash-then-Encrypt: E_K(M, h(M))
• Hash and Encrypt: E_K(M), h(M)
• MAC and Encrypt: E_{h1(K)}(M), HMAC_{h2(K)}(M)
• MAC-then-Encrypt: E_{h1(K)}(M, HMAC_{h2(K)}(M))
Key Management Through SKE
• Each entity A_i shares symmetric key K_i with a TTP
• TTP generates a session key K_s and sends E_{K_i}(K_s)
• Pros
  ▹ Easy to add and remove entities
  ▹ Each entity needs to store only one long-term secret key
• Cons
  ▹ Initial interaction with the TTP
  ▹ TTP needs to maintain n long-term secret keys
  ▹ TTP can read all messages
  ▹ Single point of failure
Authentication
• Authentication
  ▹ Message (Data origin) authentication
    » provide to one party which receives a message assurance of the identity of the party which originated the message.
  ▹ Entity authentication (identification)
    » assure one party of both the identity of a second party involved, and that the second was active at the time the evidence was created or acquired.
Key Management
• Key establishment
  ▹ Process whereby a shared secret key becomes available to two or more parties
  ▹ Subdivided into key agreement and key transport.
• Key management
  ▹ The set of processes and mechanisms which support key establishment
  ▹ The maintenance of ongoing keying relationships between parties
Key Management Through SKE
• Pros
  ▹ Easy to add and remove entities
  ▹ Each entity needs to store only one long-term secret key
• Cons
  ▹ Initial interaction with the TTP
  ▹ TTP needs to maintain n long-term secret keys
  ▹ TTP can read all messages
  ▹ Single point of failure
[Figure labels: K_A; K_B; K_A, K_B; 3. E_SK(“Hi”), E_KB(SK); 4. E_SK(“Hi, Alice”)]
Key Management Through PKE
• Advantages
  ▹ TTP not required
  ▹ Only n public keys need to be stored
  ▹ The central repository could be a local file
• Problem
  ▹ Public key authentication problem
• Solution
  ▹ Need of TTP to certify the public key of each entity
[Figure labels: 0xBADD00D1 Bob; 0xDAD12345 Alice; SK_A, PK_A; SK_B, PK_B; 1. Alice, PK_A; 2. Bob, PK_B]
Public Key Certificates
• Entities trust a third party, who issues a certificate
• Certificate = (data part, signature part)
  ▹ Data part = (name, public-key, other information)
  ▹ Signature = (signature of TTP on data part)
• If B wants to verify authenticity of A’s public key
  ▹ Acquire public key certificate of A over a secured channel
  ▹ Verify TTP’s signature
  ▹ If signature verified, A’s public key in the certificate is authentic
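The certificate check described above, and the e → e’ substitution from the "Public Key should be authentic!" slide, as an added example that is not part of the original slides. It assumes a toy textbook-RSA key for the TTP (constructed, no padding, far too small for real use); the function names, the `|` encoding of the data part and the value standing in for e’ are hypothetical, while the two key values for Alice and Bob are the ones shown on the PKE key-management slide.

```python
import hashlib

# TTP's toy textbook-RSA key (constructed): two Mersenne primes, no padding.
# Far too small and structured for real use; it only makes the flow runnable.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # TTP's private signing exponent


def digest(data: bytes) -> int:
    """Hash the data part and reduce it into Z_N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def data_part(name: str, public_key: int) -> bytes:
    """Data part = (name, public key); other information is omitted here."""
    return f"{name}|{public_key:#x}".encode()


def issue(name: str, public_key: int) -> dict:
    """TTP: certificate = (data part, signature of TTP on data part)."""
    sig = pow(digest(data_part(name, public_key)), D, N)
    return {"name": name, "public_key": public_key, "signature": sig}


def verify(cert: dict, expected_name: str) -> bool:
    """B: check the TTP's signature and that the cert names the party B wants."""
    data = data_part(cert["name"], cert["public_key"])
    signature_ok = pow(cert["signature"], E, N) == digest(data)
    return signature_ok and cert["name"] == expected_name


def demo() -> dict:
    alice = issue("Alice", 0xDAD12345)            # key values from the PKE slide
    bob = issue("Bob", 0xBADD00D1)
    swapped = dict(alice, public_key=0xE0E0E0E1)  # constructed e' in A's cert
    return {
        "genuine": verify(alice, "Alice"),
        "substituted_key": verify(swapped, "Alice"),
        "other_partys_cert": verify(bob, "Alice"),
    }
```

The signature binds the name and the key together, so B rejects both a certificate whose key was replaced and a validly signed certificate issued to a different name.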
Symmetric vs. Public key
• SKE
  ▹ Pros
    » High data throughput
    » Relatively short key size
  ▹ Cons
    » The key must remain secret at both ends
    » O(n^2) keys to be managed
    » Relatively short lifetime of the key
• PKE
  ▹ Pros
    » O(n) keys
    » Only the private key must be kept secret
    » longer key lifetime
    » digital signature
  ▹ Cons
    » Low data throughput
    » Much larger key sizes
Kerckhoff’s Principle
• Security should depend only on the key
  ▹ Don’t assume enemy won’t know algorithm
    » Can capture machines, disassemble programs, etc.
    » Too expensive to invent new algorithm if it might have been compromised
  ▹ Security through obscurity isn’t
    » Look at history of examples
    » Better to have scrutiny by open experts
• “The enemy knows the system being used.” (Claude Shannon)
Questions?
• Yongdae Kim
  ▹ email: yongdaek@kaist.ac.kr
  ▹ Home: http://syssec.kaist.ac.kr/~yongdaek
  ▹ Facebook: https://www.facebook.com/y0ngdaek
  ▹ Twitter: https://twitter.com/yongdaek
  ▹ Google “Yongdae Kim”