Scribd
Upload
27 views

Basic Key Exchange: Trusted 3 Parties

1) The document describes how Alice and Bob can establish a shared secret using public-key encryption. 2) Alice generates a public/private key pair and sends her public key to Bob. Bob then encrypts a random value x under Alice's public key. 3) Semantic security of the encryption scheme ensures that an eavesdropper cannot learn the value of x from the public key and ciphertext. Alice and Bob can then use x as a shared secret session key.

Uploaded by

Nguyễn Giang Tuấn
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
27 views

Basic Key Exchange: Trusted 3 Parties

1) The document describes how Alice and Bob can establish a shared secret using public-key encryption. 2) Alice generates a public/private key pair and sends her public key to Bob. Bob then encrypts a random value x under Alice's public key. 3) Semantic security of the encryption scheme ensures that an eavesdropper cannot learn the value of x from the public key and ciphertext. Alice and Bob can then use x as a shared secret session key.

Uploaded by

Nguyễn Giang Tuấn
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 36

Online Cryptography Course Dan Boneh

Basic key exchange

Trusted 3rd parties

Dan Boneh
Key management
Problem: n users. Storing mutual secret keys is difficult

Total: O(n) keys per user

Dan Boneh
A better solution
Online Trusted 3rd Party (TTP)

TTP

Dan Boneh
Generating keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only.

Bob (kB) Alice (kA) TTP

“Alice wants key with Bob”


choose
random kAB
ticket

kAB kAB (E,D) a CPA-secure cipher


Dan Boneh
Generating keys: a toy protocol
Alice wants a shared key with Bob. Eavesdropping security only.

Eavesdropper sees: E(kA, “A, B” ll kAB ) ; E(kB, “A, B” ll kAB )

(E,D) is CPA-secure ⇒
eavesdropper learns nothing about kAB

Note: TTP needed for every key exchange, knows all session keys.
(basis of Kerberos system)
Dan Boneh
Toy protocol: insecure against active attacks

Example: insecure against replay attacks

Attacker records session between Alice and merchant Bob


– For example a book order

Attacker replays session to Bob


– Bob thinks Alice is ordering another copy of book

Dan Boneh
Key question
Can we generate shared keys without an online trusted 3rd party?

Answer: yes!

Starting point of public-key cryptography:


• Merkle (1974), Diffie-Hellman (1976), RSA (1977)

• More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Basic key exchange

Merkle Puzzles

Dan Boneh
Key exchange without an online TTP?
Goal: Alice and Bob want shared key, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

Alice Bob

eavesdropper ??

Can this be done using generic symmetric crypto?


Dan Boneh
Merkle Puzzles (1974)
Answer: yes, but very inefficient

Main tool: puzzles


• Problems that can be solved with some effort
• Example: E(k,m) a symmetric cipher with k ∈ {0,1}128
– puzzle(P) = E(P, “message”) where P = 096 ll b1… b32
– Goal: find P by trying all 232 possibilities

Dan Boneh
Merkle puzzles
Alice: prepare 232 puzzles
• For i=1, …, 232 choose random Pi ∈{0,1}32 and xi, ki ∈{0,1}128
set puzzlei ⟵ E( 096 ll Pi , “Puzzle # xi” ll ki )
• Send puzzle1 , … , puzzle232 to Bob

Bob: choose a random puzzlej and solve it. Obtain ( xj, kj ) .


• Send xj to Alice

Alice: lookup puzzle with number xj . Use kj as shared secret


Dan Boneh
In a figure
puzzle1 , … , puzzlen
Alice xj Bob

kj kj

Alice’s work: O(n) (prepare n puzzles)


Bob’s work: O(n) (solve one puzzle)

Eavesdropper’s work: O( n2 ) (e.g. 264 time)


Dan Boneh
Impossibility Result
Can we achieve a better gap using a general symmetric cipher?
Answer: unknown

But: roughly speaking,


quadratic gap is best possible if we treat cipher as
a black box oracle [IR’89, BM’09]

Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Basic key exchange

The Diffie-Hellman
protocol

Dan Boneh
Key exchange without an online TTP?
Goal: Alice and Bob want shared secret, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

Alice Bob

eavesdropper ??

Can this be done with an exponential gap?


Dan Boneh
The Diffie-Hellman protocol (informally)

Fix a large prime p (e.g. 600 digits)


Fix an integer g in {1, …, p}

Alice Bob
choose random a in {1,…,p-1} choose random b in {1,…,p-1}

b a a b
Ba
(mod p) = (g ) = kAB = g ab
(mod p) = (g ) = Ab (mod p)

Dan Boneh
Security (much more on this later)

Eavesdropper sees: p, g, A=ga (mod p), and B=gb (mod p)

Can she compute gab (mod p) ??

More generally: define DHg(ga, gb) = gab (mod p)

How hard is the DH function mod p?

Dan Boneh
How hard is the DH function mod p?
Suppose prime p is n bits long.
Best known algorithm (GNFS): run time exp( )

Elliptic Curve
cipher key size modulus size size
80 bits 1024 bits 160 bits
128 bits 3072 bits 256 bits
256 bits (AES) 15360 bits 512 bits

As a result: slow transition away from (mod p) to elliptic curves


Dan Boneh
Elliptic curve
Diffie-Hellman
Dan Boneh
Insecure against man-in-the-middle
As described, the protocol is insecure against active attacks

Alice MiTM Bob

Dan Boneh
Another look at DH
Facebook

ga gb gc gd

Alice Bob Charlie David


a b c d ⋯
KAC=g ac KAC=gac

Dan Boneh
An open problem
Facebook

ga gb gc gd

Alice Bob Charlie David


a b c d ⋯
KABCD KABCD KABCD KABCD
Dan Boneh
End of Segment

Dan Boneh
Online Cryptography Course Dan Boneh

Basic key exchange

Public-key encryption

Dan Boneh
Establishing a shared secret
Goal: Alice and Bob want shared secret, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

Alice Bob

eavesdropper ??

This segment: a different approach


Dan Boneh
Public key encryption

Alice Bob

E D

Dan Boneh
Public key encryption
Def: a public-key encryption system is a triple of algs. (G, E, D)
• G(): randomized alg. outputs a key pair (pk, sk)
• E(pk, m): randomized alg. that takes m∈M and outputs c ∈C
• D(sk,c): det. alg. that takes c∈C and outputs m∈M or ⊥

Consistency: ∀(pk, sk) output by G :


∀m∈M: D(sk, E(pk, m) ) = m
Dan Boneh
Semantic Security
For b=0,1 define experiments EXP(0) and EXP(1) as:

pk
b Chal. Adv. A
m0 , m1  M : |m0| = |m1|
(pk,sk)G()
c  E(pk, mb) b’  {0,1}
EXP(b)

Def: E =(G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A:

AdvSS [A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | < negligible


Dan Boneh
Establishing a shared secret
Alice Bob
(pk, sk) ⟵ G()
“Alice”, pk
choose random
x ∈ {0,1}128

Dan Boneh
Security (eavesdropping)

Adversary sees pk, E(pk, x) and wants x ∈M

Semantic security ⇒
adversary cannot distinguish
{ pk, E(pk, x), x } from { pk, E(pk, x), rand∈M }

⇒ can derive session key from x.

Note: protocol is vulnerable to man-in-the-middle


Dan Boneh
Insecure against man in the middle
As described, the protocol is insecure against active attacks

Alice MiTM Bob


(pk, sk) ⟵ G() (pk’, sk’) ⟵ G()
“Alice”, pk
choose random
x ∈ {0,1}128
“Bob”, E(pk, x) “Bob”, E(pk’, x)

Dan Boneh
Public key encryption: constructions

Constructions generally rely on hard problems from


number theory and algebra

Next module:
• Brief detour to catch up on the relevant background

Dan Boneh
Further readings
• Merkle Puzzles are Optimal,
B. Barak, M. Mahmoody-Ghidary, Crypto ’09

• On formal models of key exchange (sections 7-9)


V. Shoup, 1999

Dan Boneh
End of Segment

Dan Boneh

You might also like