Introduction to Cybersecurity Cryptography (Part 4) · 2017-01-06


CISPA, Center for IT Security, Privacy and Accountability

Introduction to Cybersecurity: Cryptography (Part 4)

Review of Last Lecture

Blockciphers

• Review of DES

• Attacks on Blockciphers

• Advanced Encryption Standard (AES)

• Modes of Operation

MACs and Hashes

• Message Authentication Codes

• Hash Functions

• Compression Functions

• Merkle-Damgård Construction

• MACs from Hashes

Introduction to Cybersecurity 2016/17

Review: Attack by Meet-in-the-Middle

Figure: 𝑚 → E(K1, ·) → E(K2, ·) → 𝑐

DE((K1, K2), 𝑚) := E(K2, E(K1, 𝑚))

Attack by “meet-in-the-middle”



Review: Modes of Operation

Cipher Block Chaining (CBC)

Figure (⊕ denotes XOR): encryption 𝑐1 = E(K, 𝑚1 ⊕ IV), 𝑐2 = E(K, 𝑚2 ⊕ 𝑐1), …; decryption 𝑚1 = D(K, 𝑐1) ⊕ IV, 𝑚2 = D(K, 𝑐2) ⊕ 𝑐1, …

Review: Message Integrity

Goal of message integrity:

Alice generates tag 𝑡 for message 𝑚, Bob verifies tag

Goal: the attacker cannot modify the message, i.e., the attacker cannot produce any valid pair (𝑚, 𝑡) on its own.

Figure: Alice computes a MAC on the plaintext with the key and sends the plaintext together with its MAC; Bob verifies the MAC with the same key.

Review: Hash Function

Let 𝐻: ℳ → 𝒯 be a hash function (non-keyed); often 𝐻: {0,1}* → {0,1}^𝑛.

A collision for 𝐻 is a pair (𝑚1, 𝑚2) with 𝐻(𝑚1) = 𝐻(𝑚2) ∧ 𝑚1 ≠ 𝑚2.

Remark: Defining that “no efficient adversary exists that finds a collision” cannot be fulfilled (a collision always exists, so an adversary that simply outputs a fixed, hard-coded one is efficient).

Definition: Collision Resistant Hash Function (CRHF)

A hash function 𝐻 is collision resistant if no “efficient” algorithm is known that finds a collision for 𝐻 in suitable time.


Review: Merkle-Damgård Construction

Merkle-Damgård (iterated construction)

𝑝𝑎𝑑 is the padding function (injective).

𝑓: {0,1}^𝑘 × {0,1}^𝑛 → {0,1}^𝑛 is the compression function.

ℎ_𝑖 are called chaining variables.

𝐼𝑉 is the initial value.

Figure: the message 𝑚 is padded with 𝑝𝑎𝑑 and split into blocks 𝑏0, 𝑏1, 𝑏2, 𝑏3, 𝑏4; starting from ℎ0 := 𝐼𝑉, each block is compressed together with the previous chaining variable, ℎ_{𝑖+1} := 𝑓(𝑏_𝑖, ℎ_𝑖), and the last chaining variable is the hash ℎ.


This Lecture’s Summary

Asymmetric encryption

• Number theory for El-Gamal

• El-Gamal Encryption Scheme

• Number theory for RSA

• RSA Encryption Schemes

Foundations of Cybersecurity 2016

Symmetric vs. Asymmetric (Public-key) Encryption

Symmetric encryption:

• Fast

• Based on heuristics

• One key for every pair of users

• Two parties need to protect the secret

Asymmetric (public-key) encryption:

• Slow

• Based on security proofs with well-defined assumptions

• One key for every user

• Everyone is responsible for his/her own secret key


Public-key Encryption

Now public-key encryption schemes (K, E, D):

Figure: K outputs the key pair (𝑝𝑘, 𝑠𝑘); the sender computes 𝑐 := E(𝑝𝑘, 𝑚) and the receiver recovers 𝑚 = D(𝑠𝑘, 𝑐). Legend: randomized / stateful / deterministic (K and E are randomized, D is deterministic).

Definition of Public-Key Encryption


Definition: Public-key Encryption Scheme

A public-key encryption scheme is a triple of algorithms (𝐾, 𝐸, 𝐷):

The randomized key generation algorithm 𝐾 takes no input and returns a key pair (𝑝𝑘, 𝑠𝑘).

The (often randomized) encryption algorithm 𝐸 takes a public key 𝑝𝑘 and a message 𝑚 and returns a ciphertext 𝑐.

The deterministic decryption algorithm 𝐷 takes a secret key 𝑠𝑘, a ciphertext 𝑐 and returns a plaintext 𝑚 ∈ ℳ or a distinguished error symbol.

Correctness:

The above algorithms have to satisfy the following property: for any key pair (𝑝𝑘, 𝑠𝑘) ∈ [𝐾], any message 𝑚 ∈ ℳ, and any 𝑐 ∈ [𝐸(𝑝𝑘, 𝑚)], we have that 𝐷(𝑠𝑘, 𝑐) = 𝑚. (Here [𝐾] and [𝐸(𝑝𝑘, 𝑚)] denote the sets of possible outputs of the randomized algorithms.)

Number Theory Basics for the El-Gamal Encryption Scheme


Notation

From here on:

𝑁 denotes a positive integer.

𝑝 denotes a prime.

Notation: ℤ_𝑁 = {0, 1, 2, …, 𝑁 − 1}

We can do addition and multiplication modulo 𝑁.


Modular Arithmetic

Examples: let 𝑁 = 12.

9 + 8 = 5 in ℤ_12

5 × 7 = 11 in ℤ_12

5 − 7 = 10 in ℤ_12

Arithmetic in ℤ_𝑁 works as you expect, e.g. 𝑥 ⋅ (𝑦 + 𝑧) = 𝑥 ⋅ 𝑦 + 𝑥 ⋅ 𝑧 in ℤ_𝑁.


Greatest Common Divisor (GCD)

Definition: GCD

For integers 𝑥, 𝑦 we define gcd(𝑥, 𝑦) as the greatest common divisor of 𝑥 and 𝑦.

Example: gcd(12, 18) = 6

Fact: GCD

For all integers 𝑥, 𝑦 there exist integers 𝑎, 𝑏 such that 𝑎 ⋅ 𝑥 + 𝑏 ⋅ 𝑦 = gcd(𝑥, 𝑦).

𝑎, 𝑏 can be found efficiently using the extended Euclidean algorithm.

If gcd(𝑥, 𝑦) = 1 we say that 𝑥 and 𝑦 are relatively prime.


How to compute gcd? The Extended Euclid Algorithm

Example: gcd(240, 46)

Division steps:

240 = 5 ⋅ 46 + 10
46 = 4 ⋅ 10 + 6
10 = 1 ⋅ 6 + 4
6 = 1 ⋅ 4 + 2
4 = 2 ⋅ 2, so gcd(240, 46) = 2

The same steps, rewritten to isolate the remainders:

240 − 5 ⋅ 46 = 10
46 − 4 ⋅ 10 = 6
10 − 6 = 4
6 − 4 = 2

Back-substitution, expressing 2 in terms of 240 and 46:

2 = 6 − 4 = 2 ⋅ 6 − 10
2 = 2 ⋅ (46 − 4 ⋅ 10) − 10 = 2 ⋅ 46 − 9 ⋅ 10
2 = 2 ⋅ 46 − 9 ⋅ (240 − 5 ⋅ 46) = −9 ⋅ 240 + 47 ⋅ 46


Modular Inversion

Definition: Inverse

The inverse of 𝑥 in ℤ_𝑁 is an element 𝑦 in ℤ_𝑁 such that 𝑥 ⋅ 𝑦 = 1 in ℤ_𝑁. 𝑦 is denoted by 𝑥^{−1}.

Over the rationals, the inverse of 2 is 1/2. What about ℤ_𝑁?

Example: let 𝑁 be an odd integer. The inverse of 2 in ℤ_𝑁 is (𝑁 + 1)/2, since 2 ⋅ (𝑁 + 1)/2 = 𝑁 + 1 = 1 in ℤ_𝑁.


Modular Inversion

Which elements have an inverse in ℤ_𝑁?

Lemma: 𝑥 in ℤ_𝑁 has an inverse if and only if gcd(𝑥, 𝑁) = 1.

Proof:

gcd(𝑥, 𝑁) = 1 ⇒ ∃𝑎, 𝑏: 𝑎 ⋅ 𝑥 + 𝑏 ⋅ 𝑁 = 1
⇒ 𝑎 ⋅ 𝑥 = 1 in ℤ_𝑁
⇒ 𝑥 = 𝑎^{−1} in ℤ_𝑁

gcd(𝑥, 𝑁) > 1 ⇒ ∀𝑎: gcd(𝑎 ⋅ 𝑥, 𝑁) > 1
⇒ 𝑎 ⋅ 𝑥 ≠ 1 in ℤ_𝑁


More notation

Definition: Set of invertible elements in ℤ_𝑁

ℤ_𝑁^* ≔ {𝑥 ∈ ℤ_𝑁 : gcd(𝑥, 𝑁) = 1}

Examples:

For a prime 𝑝: ℤ_𝑝^* = ℤ_𝑝 \ {0} = {1, 2, …, 𝑝 − 1}

ℤ_12^* = {1, 5, 7, 11}

For 𝑥 in ℤ_𝑁^*, we can find 𝑥^{−1} using the extended Euclid algorithm.


Solving modular linear equations

Solve: 𝑎 ⋅ 𝑥 + 𝑏 = 0 in ℤ_𝑁

Solution: 𝑥 = −𝑏 ⋅ 𝑎^{−1} in ℤ_𝑁

Find 𝑎^{−1} in ℤ_𝑁 using the extended Euclid algorithm.

Run time: 𝑂(log² 𝑁)
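As an added example (Python written for this page, not code from the slides), the extended Euclid procedure from the gcd(240, 46) worked example, reused as the preceding slides describe: extended_gcd returns the Bézout coefficients (−9 and 47 for 240 and 46), inverse applies the lemma "𝑥 is invertible iff gcd(𝑥, 𝑁) = 1", units enumerates ℤ_𝑁^*, and solve_linear solves 𝑎 ⋅ 𝑥 + 𝑏 = 0 in ℤ_𝑁. Function names are my own.

```python
def extended_gcd(x, y):
    """Return (d, a, b) with d = gcd(x, y) and a*x + b*y = d.

    Iterative form of the back-substitution done on the slides for
    gcd(240, 46): every remainder is carried along as a combination of
    the original x and y, so the final remainder (the gcd) comes with
    its Bezout coefficients a, b for free."""
    a0, b0, a1, b1 = 1, 0, 0, 1          # x = 1*x + 0*y,  y = 0*x + 1*y
    while y != 0:
        q, r = divmod(x, y)              # division step: x = q*y + r
        x, y = y, r
        # r = (a0 - q*a1)*x_orig + (b0 - q*b1)*y_orig, so shift the pairs along
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def inverse(x, n):
    """x^{-1} in Z_N via the lemma on the slides: it exists iff gcd(x, N) = 1,
    and then the coefficient a in a*x + b*N = 1 satisfies a*x = 1 in Z_N."""
    d, a, _ = extended_gcd(x % n, n)
    if d != 1:
        raise ValueError(f"{x} has no inverse in Z_{n}: gcd({x}, {n}) = {d}")
    return a % n


def units(n):
    """Z_N^* = {x in Z_N : gcd(x, N) = 1}, the set of invertible elements."""
    return {x for x in range(n) if extended_gcd(x, n)[0] == 1}


def solve_linear(a, b, n):
    """Solve a*x + b = 0 in Z_N: x = -b * a^{-1} (requires a in Z_N^*)."""
    return (-b * inverse(a, n)) % n
```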


The structure of ℤ_𝑝^*

Example: 𝑝 = 7.

𝑔 = 3 is a generator: {1, 3, 3², 3³, 3⁴, 3⁵} = {1, 3, 2, 6, 4, 5} = ℤ_7^*

Not every element is a generator: {1, 2, 2², 2³, 2⁴, 2⁵} = {1, 2, 4}

Theorem (Euler): ℤ_𝑝^* is a cyclic group, that is, ∃𝑔 ∈ ℤ_𝑝^* such that {1, 𝑔, 𝑔², 𝑔³, …} = ℤ_𝑝^*.

𝑔 is called a generator of ℤ_𝑝^*.


Order

For 𝑔 ∈ ℤ_𝑝^*, the set {1, 𝑔, 𝑔², 𝑔³, …} is called the group generated by 𝑔, denoted by <𝑔>.

Definition: Order of 𝑔

The order of 𝑔 ∈ ℤ_𝑝^* is the size of <𝑔>, denoted by 𝑜𝑟𝑑_𝑝(𝑔) = |<𝑔>|. It is the smallest 𝑎 > 0 s.t. 𝑔^𝑎 = 1 in ℤ_𝑝^*.

Examples: 𝑜𝑟𝑑_7(3) = 6; 𝑜𝑟𝑑_7(2) = 3; 𝑜𝑟𝑑_7(1) = 1.

Theorem (Lagrange): ∀𝑔 ∈ ℤ_𝑝^*: 𝑜𝑟𝑑_𝑝(𝑔) divides 𝑝 − 1.


Fermat’s little Theorem

Theorem: Fermat’s little Theorem

For every prime 𝑝 and every 𝑥 ∈ ℤ_𝑝^* it holds that 𝑥^{𝑝−1} = 1 mod 𝑝.

Follows from Lagrange’s Theorem and the fact that 𝑥^{𝑜𝑟𝑑_𝑝(𝑥)} = 1 mod 𝑝: since 𝑜𝑟𝑑_𝑝(𝑥) divides 𝑝 − 1, 𝑥^{𝑝−1} is a power of 𝑥^{𝑜𝑟𝑑_𝑝(𝑥)} = 1.


Easy problems

Given composite 𝑁 and 𝑥 in ℤ_𝑁, find 𝑥^{−1} in ℤ_𝑁.

Given prime 𝑝 and polynomial 𝑓(𝑥), find 𝑥 in ℤ_𝑝 s.t. 𝑓(𝑥) = 0 in ℤ_𝑝 (if one exists). Running time is linear in deg(𝑓).

… but many problems are difficult.


Intractable problems with primes – discrete logarithm

Fix a prime 𝑝 > 2 and 𝑔 in ℤ_𝑝^* of order 𝑞.

Consider the function 𝑥 → 𝑔^𝑥 in ℤ_𝑝.

Now consider the inverse function: 𝐷𝑙𝑜𝑔_𝑔(𝑔^𝑥) = 𝑥 where 𝑥 ∈ {0, …, 𝑞 − 2}

Example:

in:         1, 2, 3, 4, 5, 6, 7, 8, 9, 10
Dlog_2(⋅):  0, 1, 8, 2, 4, 9, 7, 3, 6, 5
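Added example (Python written for this page, not code from the slides) that reproduces the ℤ_7^* computations, the orders 𝑜𝑟𝑑_7(3), 𝑜𝑟𝑑_7(2), 𝑜𝑟𝑑_7(1), the Lagrange and Fermat statements, and the Dlog table above. The table is consistent with 𝑝 = 11 and 𝑔 = 2 (e.g. 2⁸ = 3 mod 11); that choice is my reading of the values, since the slide does not state 𝑝. Function names are my own.

```python
def generated(g, p):
    """<g> = {1, g, g^2, g^3, ...} in Z_p^*, in the order the powers appear."""
    elems, cur = [], 1
    while cur not in elems:              # the powers eventually cycle back to 1
        elems.append(cur)
        cur = (cur * g) % p
    return elems


def order(g, p):
    """ord_p(g) = |<g>|: the smallest a > 0 with g^a = 1 in Z_p^*."""
    return len(generated(g, p))


def is_generator(g, p):
    """g generates Z_p^* iff ord_p(g) = p - 1 (Euler: such a g always exists)."""
    return order(g, p) == p - 1


def lagrange_holds(p):
    """Lagrange's theorem: ord_p(g) divides p - 1 for every g in Z_p^*."""
    return all((p - 1) % order(g, p) == 0 for g in range(1, p))


def fermat_holds(p):
    """Fermat's little theorem: x^(p-1) = 1 mod p for every x in Z_p^*."""
    return all(pow(x, p - 1, p) == 1 for x in range(1, p))


def dlog_table(g, p):
    """Dlog_g(h) for every h in <g>, by tabulating the powers of g.

    Exhaustive tabulation is fine for a toy p; for an n-bit p it takes
    about 2^n steps, which is why the discrete logarithm is intractable."""
    return {h: x for x, h in enumerate(generated(g, p))}
```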


Computing Dlog in ℤ_𝑝^* (𝑛-bit prime 𝑝)

Best known algorithm (GNFS): run time exp(𝑂(∛𝑛))

Cipher key size  | Modulus size | Elliptic curve group size
80 bits          | 1024 bits    | 160 bits
128 bits         | 3072 bits    | 256 bits
256 bits (AES)   | 15360 bits   | 512 bits

As a result: slow transition away from (mod 𝑝) to elliptic curves.


El-Gamal Encryption Scheme


ElGamal Encryption System (1984)

Key Generation 𝐾(𝑛) for security parameter 𝑛:

Pick random 𝑛-bit prime 𝑝
Pick random generator 𝑔 for ℤ_𝑝^*
Pick random 𝑥 ∈ {1, …, 𝑝 − 1}
Set 𝑝𝑘 := (𝑝, 𝑔, ℎ := 𝑔^𝑥)
Set 𝑠𝑘 := (𝑝, 𝑔, 𝑥)
Output (𝑝𝑘, 𝑠𝑘)

(𝑝 and 𝑔 can be publicly known.)

Encryption 𝐸𝑛𝑐(𝑝𝑘, 𝑚); 𝑝𝑘 = (𝑝, 𝑔, ℎ), 𝑚 ∈ ℤ_𝑝^*:

Pick random 𝑦 ∈ {1, …, 𝑝 − 1}
Set 𝑖 := 𝑔^𝑦, 𝑘 := ℎ^𝑦
Set 𝑐 := (𝑖, 𝑚 ⋅ 𝑘)
Output 𝑐


ElGamal Encryption System (1984)


Decryption 𝐷𝑒𝑐(𝑠𝑘, 𝑐); 𝑠𝑘 = (𝑝, 𝑔, 𝑥) and 𝑐 = (𝐴, 𝐵):

Set 𝑑 := 𝐵 ⋅ 𝐴^{−𝑥}
Output 𝑑

Correctness: El-Gamal

𝐵 ⋅ 𝐴^{−𝑥} = 𝐵 ⋅ (𝑔^𝑦)^{−𝑥} = 𝐵 ⋅ (𝑔^𝑥)^{−𝑦} = 𝐵 ⋅ ℎ^{−𝑦} = (𝑚 ⋅ ℎ^𝑦) ⋅ ℎ^{−𝑦} = 𝑚


ElGamal Encryption System (cont’d)


Security intuition: 𝐵 = 𝑚 ⋅ 𝑔^{𝑥𝑦} is similar to the OTP: 𝑔^{𝑥𝑦} is the key and ⋅ plays the role of the XOR.

but: why is this secure?

Goals:

Define security of public key encryption schemes. (yes, we do that!)

Prove that ElGamal is secure. (core lecture)


Indist. Ciphertexts under CPA

Let 𝑃𝐸 = (𝐾, 𝐸, 𝐷) be a public-key encryption scheme and 𝐴 an adversary. Define 𝐸𝑥𝑝^{𝐶𝑃𝐴}_{𝑃𝐸,𝐴}(𝑏) as:

Figure: Challenger(𝑏, 𝑛), 𝑏 ∈ {0,1}, generates keys (𝑝𝑘, 𝑠𝑘) ← 𝐾(𝑛) and sends 𝑝𝑘 to Adversary(𝑛); the adversary replies with 𝑚0, 𝑚1; the challenger returns 𝑐 ← Encrypt(𝑝𝑘, 𝑚_𝑏); the adversary outputs 𝑏*.

Definition: Indistinguishability of Ciphertexts under CPA

A sequence of public-key encryption schemes 𝑃𝐸 has indistinguishable ciphertexts under chosen-plaintext attack (CPA) if for all efficient adversaries 𝐴 = (𝐴_𝑛)_{𝑛∈ℕ}:

𝐴𝑑𝑣^{𝐶𝑃𝐴}_{𝑃𝐸,𝐴} = |Pr[𝐸𝑥𝑝^{𝐶𝑃𝐴}_{𝑃𝐸,𝐴_𝑛}(0) = 1] − Pr[𝐸𝑥𝑝^{𝐶𝑃𝐴}_{𝑃𝐸,𝐴_𝑛}(1) = 1]|

is negligible.

Only a 1-CPA Variant?

Does the following extended experiment strengthen the definition?

Figure: as before, Challenger(𝑏, 𝑛) generates (𝑝𝑘, 𝑠𝑘) ← 𝐾(𝑛), sends 𝑝𝑘, receives 𝑚0, 𝑚1 and returns 𝑐 ← Encrypt(𝑝𝑘, 𝑚_𝑏); in addition, the adversary may send any message 𝑚 and receive 𝐸(𝑝𝑘, 𝑚) before outputting 𝑏*.

No, since A can compute E(pk,m) itself for messages of its choice!
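Added example (Python written for this page, not the slides' code) of the ElGamal algorithms 𝐾, 𝐸𝑛𝑐, 𝐷𝑒𝑐 defined above, the 𝐸𝑥𝑝^{𝐶𝑃𝐴} experiment, and an adversary that does exactly what the remark above says it may: it encrypts 𝑚0 itself and compares. Assumptions: a constructed toy safe prime 𝑝 = 2039 stands in for the random 𝑛-bit prime (real parameters have thousands of bits, see the key-size table), decryption computes 𝐴^{−𝑥} as 𝐴^{𝑝−1−𝑥} via Fermat's little theorem, and all function names are my own.

```python
import secrets

# Constructed toy parameters (not from the slides): p = 2039 is a safe prime,
# p = 2q + 1 with q = 1019, so g generates Z_p^* iff g^2 != 1 and g^q != 1
# (mod p). Deployments use primes of thousands of bits (see the key-size table).
P, Q = 2039, 1019

def keygen(p=P, q=Q):
    """K(n): random generator g of Z_p^*, random x in {1..p-1}, h = g^x."""
    while True:
        g = 2 + secrets.randbelow(p - 3)              # candidate in {2, ..., p-2}
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:  # then ord_p(g) = p - 1
            break
    x = 1 + secrets.randbelow(p - 1)
    return (p, g, pow(g, x, p)), (p, g, x)            # (pk, sk)

def encrypt(pk, m, y=None):
    """Enc(pk, m) = (g^y, m * h^y); y is fresh per message unless forced."""
    p, g, h = pk
    assert 1 <= m < p, "m must lie in Z_p^*"
    if y is None:
        y = 1 + secrets.randbelow(p - 1)
    return pow(g, y, p), (m * pow(h, y, p)) % p

def decrypt(sk, c):
    """Dec(sk, c) = B * A^{-x}; A^{-x} = A^{p-1-x} by Fermat's little theorem."""
    p, _, x = sk
    A, B = c
    return (B * pow(A, p - 1 - x, p)) % p

# Exp^CPA_{PE,A}(b) from the slides, run against an adversary that does what the
# 1-CPA slide observes it may: encrypt m0 itself with the public algorithm `enc`
# and output b* = 0 iff that ciphertext equals the challenge.
M0, M1, FIXED_Y = 2, 3, 7

def exp_cpa(b, enc):
    pk, _ = keygen()
    challenge = enc(pk, (M0, M1)[b])
    return 0 if enc(pk, M0) == challenge else 1       # the adversary's output b*

def advantage(enc, trials=200):
    """|Pr[Exp(0) = 1] - Pr[Exp(1) = 1]|, estimated by repeated runs."""
    pr = [sum(exp_cpa(b, enc) for _ in range(trials)) / trials for b in (0, 1)]
    return abs(pr[0] - pr[1])

def fixed_y_encrypt(pk, m):
    """Broken variant: the same y for every message, i.e. a reused 'one-time pad'."""
    return encrypt(pk, m, y=FIXED_Y)
```

With `encrypt` the estimated advantage is about 0 (the re-encryption matches the challenge only if the fresh 𝑦 happens to coincide), whereas with `fixed_y_encrypt` it is exactly 1: once the randomness is fixed or reused, the adversary can recompute the challenge ciphertext itself, which is why randomized encryption is necessary for IND-CPA.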


CPA-security of ElGamal


Theorem: IND-CPA of ElGamal

ElGamal has indistinguishable ciphertexts under CPA if the following Decisional Diffie-Hellman assumption holds in 𝐺:

Definition: Decisional Diffie-Hellman Assumption (DDH)

Given a group 𝐺 with ~2^𝑛 elements and a random 𝑔 ∈ 𝐺, no efficient adversary (in 𝑛) can distinguish (𝑔^𝑥, 𝑔^𝑦, 𝑔^{𝑥𝑦}) and (𝑔^𝑥, 𝑔^𝑦, 𝑔^𝑧) for 𝑥, 𝑦, 𝑧 random in {1, …, |𝐺|}.

Why decisional? CPA-security requires that ciphertexts be hard to distinguish, whereas CDH only says that 𝑔^{𝑥𝑦} is hard to compute. But distinguishing might be easier than computing...


RSA-based ciphers (origin in 1977)

Problem of information secrecy solved?

We need alternative schemes based on different assumptions!