Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Similar documents
CPSC 467: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Lecture 10: Zero-Knowledge Proofs

Lecture Notes, Week 10

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Winter 2011 Josh Benaloh Brian LaMacchia

March 19: Zero-Knowledge (cont.) and Signatures

Cryptographical Security in the Quantum Random Oracle Model

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Lecture 22: RSA Encryption. RSA Encryption

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Introduction to Cryptography Lecture 13

Introduction to Modern Cryptography. Benny Chor

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

Lecture 1: Introduction to Public key cryptography

Question 1. The Chinese University of Hong Kong, Spring 2018

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Public-Key Cryptosystems CHAPTER 4

Lecture 15 - Zero Knowledge Proofs

Question: Total Points: Score:

Simple Math: Cryptography

Homework 3 Solutions

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Ma/CS 6a Class 3: The RSA Algorithm

Overview. Public Key Algorithms II

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Zero-Knowledge Proofs and Protocols

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

and Other Fun Stuff James L. Massey

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

MEETING 6 - MODULAR ARITHMETIC AND INTRODUCTORY CRYPTOGRAPHY

An Anonymous Authentication Scheme for Trusted Computing Platform

ECE596C: Handout #11

Ma/CS 6a Class 4: Primality Testing

Katz, Lindell Introduction to Modern Cryptrography

Lecture 28: Public-key Cryptography. Public-key Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Lecture 38: Secure Multi-party Computation MPC

Cryptographic Protocols. Steve Lai

THE CUBIC PUBLIC-KEY TRANSFORMATION*

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Introduction to Modern Cryptography Lecture 11

Encryption: The RSA Public Key Cipher

10 Modular Arithmetic and Cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 3,4: Multiparty Computation

Theoretical Cryptography, Lectures 18-20

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

THE RSA ENCRYPTION SCHEME

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Practice Assignment 2 Discussion 24/02/ /02/2018

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Introduction to Cryptography. Lecture 8

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Public-key Cryptography and elliptic curves

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Lecture 10 - MAC s continued, hash & MAC

Discrete Mathematics GCD, LCM, RSA Algorithm

ASYMMETRIC ENCRYPTION

Dr George Danezis University College London, UK

Cryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage

1 Secure two-party computation

Notes for Lecture 17

Montgomery-Suitable Cryptosystems

Public Key Cryptography

II. Digital signatures

CPSC 467: Cryptography and Computer Security

Homework 4 for Modular Arithmetic: The RSA Cipher

1 Number Theory Basics

Ma/CS 6a Class 4: Primality Testing

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Cryptography and Security Final Exam

Number theory (Chapter 4)

Innovation and Cryptoventures. Cryptography 101. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Introduction to Modern Cryptography. Benny Chor

Cryptography and Security Midterm Exam

Notes 10: Public-key cryptography

Foundations of Network and Computer Security

CPSC 467b: Cryptography and Computer Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Transcription:

Lecture 10 Public Key Cryptography: Encryption + Signatures 1 Identification Public key cryptography can be also used for IDENTIFICATION Identification is an interactive protocol whereby one party: prover (who claims to be, say, Alice) convinces the other party: verifier (Bob) that she is indeed Alice Identification can be accomplished with public key digital signatures However, signatures reveal information Also, signatures are transferable, i.e., anyone can verify them 2 1

Fiat-Shamir Identification Scheme In Fiat-Shamir, prover has an RSA modulus n = pq (factorization is secret). Factors themselves are not used in the protocol. Unlike RSA, a trusted center can generate a global n, used by everyone, as long as nobody knows its factorization. Trusted center can forget the factorization after computing n. 3 Fiat-Shamir Identification Scheme Secret Key: Prover (P) chooses a random value 1 < S < n (to serve as the key) such that gcd(s,n) = 1 Public Key: P computes I=S 2 mod n, publishes (I,n) as his public key. Purpose of the protocol: P has to convince verifier (V) that he knows the secret S corresponding to the public key (I,n), i.e., to prove that he knows a square root of I mod n, without revealing S or any portion thereof 4 2

Prover (Alice) Fiat-Shamir Verifier (Bob) n, I, S pick random R; set x=r 2 mod n I, x query = 0 1 R R * S mod n n Check that: R 2 = x mod n (RS) 2 = xi mod n 5 Fiat-Shamir Identification Scheme V wants to authenticate identity of P, who claims to have a public key I. Thus, V asks P to convince him that P knows the secret key S corresponding to I. 1. P chooses at random 1 < R < n and computes: X = R 2 mod n 2. P sends X to V 3. V randomly requests from P one of two things (0 or 1): (a) R or (b) RS mod n 4. P sends requested information 6 3

Fiat-Shamir ZK Identification Scheme 5. V checks the correct answer: a) R 2?= X (mod n) or b) (R*S) 2?= X*I (mod n) 6. If verification fails, V concludes that P does not know S 7. Protocol is repeated t (usually 20, 30, or log n) times, and, if each one succeeds, V concludes that P is the claimed party. 7 What if Prover knows the challenge ahead of time: Case 0 n, I (doesn t know S) pick random R; set x=r 2 mod n I, x n query = 0 R Check that: R 2 = x mod n 8 4

What if Prover knows the challenge ahead of time: Case 1 n, I (doesn t know S) pick random R; set x=r 2 *I mod n I, x=r 2 *I n query = 1 Check that: R*I mod n (R*I) 2 = x*i mod n (Instead of: R*S mod n) 9 Fiat-Shamir Identification Scheme CLAIM: Protocol does not reveal ANY information about S or Protocol is ZERO-KNOWLEDGE Proof: We show that no information on S is revealed: Clearly, when P sends X or R, he does not reveal any information on S. When P sends RS mod n: RS mod n is random, since R is random and gcd(s, n) = 1. If adversary can compute any information on S from I, n, X and RS mod n he can also compute the same information on S from I and n, since he can choose a random T = R S mod n and compute: X = T 2 I -1 = (R ) 2 S 2 I -1 = (R ) 2 10 5

Security Clearly, if P knows S, then V is convinced of his identity. If P does not know S, he can either: 1. know R, but not RS mod n. Since he is choosing R, he cannot multiply it by the unknown value S or 2. choose RS mod n, and thus can answer the second question: RS mod n. But, in this case, he cannot answer the first question R, since he needs to divide by the unknown S. 11 Security In any case, adversary cannot answer both questions, since otherwise he can compute S as the ratio between the two answers. But, we assumed that computing S is hard, equivalent to factoring n. Since P does not know in advance (when choosing R or RS mod n) which question that V will ask, he cannot foresee the required choice. He can succeed in guessing V s question with probability 1/2 for each question. The probability that V fails to catch P in all runs is thus: 2 -t (e.g., 1 in 1,000,000,000 for t=20) 12 6

How to explain ZK to your children Point A: entry Verifier Claustrophobic and afraid of the dark Point B Prover Claims to have the key V cannot follow P into the cave Locked door on both sides 13 How to explain ZK to your children The Protocol: 1) V asks someone he trusts to check that the door is locked on both sides. 2) P goes into the maze past point B (heading either right or left) Point A Point B 3) V looks into the cave (while standing at point A) 4) V randomly picks right or left 5) V shouts (very loudly!) for P to come out from the picked direction 6) If P doesn t come out from the picked direction, V knows that P is a liar and protocol terminates REPEAT (2)-(6) n TIMES 14 7

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback