cryptography what is it good for?
DESCRIPTION
Andrej Bogdanov Chinese University of Hong Kong. CRYPTOGRAPHY WHAT IS IT GOOD FOR?. CMSC 5719 | 6 Feb 2012. cryptography. phhw ph dw wjh uxelfrq. I know what he is up to!. A model for encryptio n. saopgpwnhx. Bob. Alice. nizpfkel3c. OK!. ??!. Eve. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/1.jpg)
CRYPTOGRAPHYWHAT IS IT GOOD FOR?
Andrej BogdanovChinese University of Hong Kong
CMSC 5719 | 6 Feb 2012
![Page 2: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/2.jpg)
cryptography
![Page 3: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/3.jpg)
phhw ph dw wjh uxelfrq
I know what he is
up to!
![Page 4: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/4.jpg)
A model for encryption
Alice Bob
Alice and Bob want to exchange messages
but remain private to eavesdroppers
saopgpwnhxnizpfkel3c
OK!
??!Eve
![Page 5: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/5.jpg)
Bad news
Alice Bob
impossible!
saopgpwnhxnizpfkel3c
OK!
??!Eve
Eve can simulate the states of Alice & Boband learn everything they know
![Page 6: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/6.jpg)
The one-time pad
Alice10111001
Bob10111001want to say
hello = 01101001 ⊕ 1011100111010000
Alice and Bob share a secret key
Bob can recover the message,but to Eve it looks totally random!
![Page 7: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/7.jpg)
Secret-key cryptography
Alice Bobsaopgpwnhxnizpfkel3c
OK!
Easy if they sharea secret key
10111001 10111001
… but the key must be as long as all the messages they will ever exchange!
![Page 8: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/8.jpg)
Enter computation
easy
953081× 603749
575421700669easy hard?
hard
![Page 9: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/9.jpg)
• Assuming there exist digital tasks that are hard to reverse-engineer* we can do
The cryptographic revolution
Alice Bobsaopgpwnhxnizpfkel3c
OK!
??!Eve
public key encryption mental poker
[Diffie-Hellman, Rivest-Shamir-Adleman] [Yao, Blum, Goldreich-Micali-Wigderson]
secure multiparty computation
![Page 10: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/10.jpg)
The foundations of cryptography
953081× 603749
575421700669Is it really that hard?
We can’t say for sure, but many have tried and failed.
![Page 11: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/11.jpg)
• Cryptography is based on digital tasks that are easy to do forward, but hard to do backwards
•We are not 100% sure such tasks exist at all, but there are several viable candidates
The foundations of cryptography
953081× 603749
575421700669 0 1 1 1 0 0
0 1 1 0
![Page 12: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/12.jpg)
Goldreich’s function
1 0 1 1 1 0 0 1
0 1 1 0 input bits
output bits
Input and output are typically large, e.g. 500 bits input, 10,000 bits output
very
eas
y
?
output = majority(input1, input2, input3)
![Page 13: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/13.jpg)
• One-wayness: Given an output, can you recover the input that led to it?
• Pseudorandomness: Can you distinguish the output from a random string of the same length?
Two measures of hardness
1 0 1 1 1 0 0 1
0 1 1 0
![Page 14: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/14.jpg)
Encryption from pseudorandomness
Alice0110
Bob0110want to say
hello = 01101001
1 0 1 1 1 0 0 1
0 1 1 0
⊕ 1011100111010000
To Eve it looks the same as whenAlice and Bob used a one-time pad
![Page 15: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/15.jpg)
Can this be broken?
small local dependenciesallow reverse-engineering
Fortunately, most graphs are expanding:they have no local dependencies
does not look random
![Page 16: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/16.jpg)
blabla
Public-key encryption
Alice Bobprivate-key
public-key Alice Bobblabla
Alice and Bob can communicate securely,although they have never met before!
![Page 17: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/17.jpg)
Public-key encryption
Alice Bobblabla
Bob: generate (Public Key, Secret Key) pairpublic key is broadcast, secret key is hidden➊
Alice: encrypt message using public key➋
Bob: decrypt using secret key➌
![Page 18: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/18.jpg)
One-bit encryption
Alice Bob1Alice Bob0Eve?
one-bit encryptiona simplified setting
A proposed one-bit schemeby Applebaum, Barak, and Wigderson
![Page 19: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/19.jpg)
One-bit encryption
Bob:generate (Public Key, Secret Key) pair
➊
public key:the graph G
secret key:a hidden subgraph with k outputsconnecting to k − 1 inputs
send Public Key to Alice
![Page 20: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/20.jpg)
One-bit encryption
Alice encrypts:➋
to encrypt 0:0 1 1 0
XOR (+)
1 0 1 0 0 1
to encrypt 1:1 1 0 1
XOR (+)
0 1 1 0 1 01 0 0 1 0 1reverse
![Page 21: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/21.jpg)
One-bit encryption
Bob decrypts:➌
1 0 1 0 0 1
1 0 0 1 0 1
fewer inputs than outputs,so outputs must satisfy
a linear constrainty1 y2 y3 y1 + y2 + y3 = 0
y1 + y2 + y3 = 0Enc(0)
y1 + y2 + y3 = 1Enc(1) = NOT Enc(0)
![Page 22: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/22.jpg)
• Eve cannot tell which is the right linear constraint to check because subgraph is hidden
• To argue security, we must make an assumption*
Security?
1 0 1 0 0 1
Finding a hidden subgraph in a graph is computationally hard
![Page 23: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/23.jpg)
• This assumption is not enough as the message can be recovered by solving linear equations
Insecurity
1 0 1 0 0 1
x1 x2 x3 x4 indeterminates
101001 is an encryption of 0
x1 + x2 = 1x1 = 0x2 = 1
x1 + x2 + x3 = 0x1 + x2 + x3 + x4 = 0x1 + x3 + x4 = 1has a solution.
if
![Page 24: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/24.jpg)
One-bit encryption
Alice encrypts:➋
to encrypt 0:0 1 1 0
XOR (+)
1 0 1 0 0 1
add random noise 1 0 1 1 0 0
If the noise stays outside the secret key,decryption will still work
![Page 25: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/25.jpg)
Security of one-bit encryption?
1 0 1 0 0 1
x1 x2 x3 x4
x1 + x2 = 1x1 = 0x2 = 1
x1 + x2 + x3 = 1x1 + x2 + x3 + x4 = 0x1 + x3 + x4 = 1
1 0 1 1 0 0
Now some equations are incorrect, so they are unlikely to have a solution
![Page 26: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/26.jpg)
• So we make plausible (studied) assumptions
Is public-key cryptography secure?
0 1 1 0
XOR (+)
1 0 1 0 0 1
1 1 0 1
XOR (+)
0 1 1 0 1 0
1 0 1 0 1 1 1 0 0 0 0 0
1 0 0 1 0 1
Enc(0) Enc(1)is indistinguishable from
We never now for sure!
![Page 27: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/27.jpg)
Elections
AliceBobEve✓
✗✗
24% 11% 35%
![Page 28: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/28.jpg)
Elections
Elections should be free and fair
integrity Every vote cast should be countedproperly
anonymityPeople cannot find out who you voted for
… other features?
![Page 29: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/29.jpg)
Electronic voting
How to run elections online?
Solution using public key cryptography:
AliceBobEve✓
✗✗
001
EncPublic Key(0)EncPublic Key(0)EncPublic Key(1)
![Page 30: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/30.jpg)
Anonymity
The Public Key is known to everyoneassumptions
The Secret Key is kept secret (by the trustworthy electoral commission)
EncPublic Key(0)EncPublic Key(0)EncPublic Key(1)
EncPublic Key(0)EncPublic Key(0)EncPublic Key(1)
EncPublic Key(0)EncPublic Key(1)EncPublic Key(0)
votes for
AliceBobEve
voter
![Page 31: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/31.jpg)
Anonymity
EncPublic Key(0)
EncPublic Key(0)
EncPublic Key(1)
EncPublic Key(0)
EncPublic Key(0)
EncPublic Key(1)
EncPublic Key(0)
EncPublic Key(1)
EncPublic Key(0)
votes for
AliceBobEve
voter
EncPublic Key(0)EncPublic Key(1)
EncPublic Key(0)
EncPublic Key(1)EncPublic Key(0)
EncPublic Key(0)
EncPublic Key(0)EncPublic Key(1)
EncPublic Key(0)
AliceBobEve
If Enc is secure, this collection of votes looks indistinguishable from e.g.
![Page 32: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/32.jpg)
Counting the votes
EncPublic Key(1) EncPublic Key(0) EncPublic Key(1)votes for Bob
If we reveal the individual votes to the commission,anonymity will be violated
solution 1: mixnetrandomly permute the votes
EncPublic Key(0) EncPublic Key(1) EncPublic Key(1)votes for Bob
![Page 33: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/33.jpg)
• The encryption we described is additively homomorphic* mod 2 (homework)
• If we work with larger numbers instead of bits, we can make it additively homomorphic over integers
Counting the votes
solution 2: additively homomorphic encryption
EncPublic Key(1) EncPublic Key(0) EncPublic Key(1) EncPublic Key(1+0+1)++ =EncPublic Key(2)=
![Page 34: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/34.jpg)
• How do we prevent a person from voting for several candidates or voting multiple times?
Some other issues
AliceBobEve✓
✗ 021
EncPublic Key(0)EncPublic Key(2)EncPublic Key(1)
✓✓
In a mixnet, we may detect and invalidate such patterns
With homomorphic encryption, the voter needs to prove that his votes are valid (but without revealing the votes)there is a cryptographic technology called zero-knowledge
![Page 35: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/35.jpg)
• In a real election, I cannot prove who I voted for
Some other issues
AliceBobEve✓
✗✗
this prevents coercing votes.
What happens in electronic voting?
![Page 36: CRYPTOGRAPHY WHAT IS IT GOOD FOR?](https://reader036.vdocuments.net/reader036/viewer/2022062501/5681637d550346895dd45cc2/html5/thumbnails/36.jpg)
• In applications like electronic voting, even understanding the requirements is not easy
•We start with an ideal list of requirements and see if they can be implemented using cryptography
• Sometimes we succeed; other times we can prove that all the requirements are impossible to meet
Electronic voting