![Page 1: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/1.jpg)
COS433/Math 473: Cryptography
Mark ZhandryPrinceton University
Spring 2020
![Page 2: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/2.jpg)
Announcements
HW5 Due TodayPR2 Due April 19th
![Page 3: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/3.jpg)
Previously on COS 433…
![Page 4: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/4.jpg)
Integer Factorization
![Page 5: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/5.jpg)
Integer Factorization
Given an integer N, find it’s prime factors
Studied for centuries, presumed difficult• Grade school algorithm: O(N1/2)• Better algorithms using birthday paradox: O(N¼)• Even better assuming G. Riemann Hyp.: O(N⅕)• Still better heuristic algorithms:
exp( C (log N)1/3 (log log N)2/3 )• However, all require super-‐polynomial time in bit-‐length of N
![Page 6: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/6.jpg)
Factoring Assumption: For any factoring algorithm running in polynomial time, ∃ negligible ε such
that:Pr[(p,q)ß (N):
N=pqp,q ßrandom λ-‐bit primes] ≤ ε(λ)
![Page 7: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/7.jpg)
Chinese Remainder Theorem
Let N = pq for distinct prime p,q
Let x∈ℤp, y∈ℤqThen there exists a unique integer z∈ℤN such that • x = z mod p, and • y = z mod q
Proof: z = [py(p-1 mod q)+qx(q-1 mod p)] mod N
![Page 8: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/8.jpg)
Quadratic Residues
Ex:• Let p be a prime, and y≠0 a quadratic residue mod p. How many square roots of y?• Let N=pq be the product of two primes, y a quadratic residue mod N. Suppose y≠0 mod p and y≠0 mod q. How many square roots?
Definition: y is a quadratic residue mod N if there exists an x such that y = x2 mod N. x is called a “square root” of y
![Page 9: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/9.jpg)
QR Assumption: For any algorithm running in polynomial time, ∃ negligible ε such that:
Pr[y2=x2 mod N:yß (N,x2) N=pq, p,qßrandom λ-‐bit primesxßℤN ] ≤ ε(λ)
![Page 10: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/10.jpg)
This Time
Factoring continued
Public key cryptography
![Page 11: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/11.jpg)
Theorem: If the factoring assumption holds, then the QR assumption holds
![Page 12: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/12.jpg)
Proof
To factor N:• xßℤN• yß (N,x2)• Output GCD(x-y,N)
Analysis:• Let {a,b,c,d} be the 4 square roots of x2
• has no idea which one you chose• With probability ½, y will not be in {+x,-x}• In this case, we know x=y mod p but x=-y mod q
![Page 13: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/13.jpg)
Collision Resistance from FactoringLet N=pq, y a QR mod NSuppose -1 is not a QRmod N
Hashing key: (N,y)Domain: {1,…,(N-1)/2}×{0,1}Range: {1,…,(N-1)/2}
H( (N,y), (x,b) ): Let z = ybx2 mod N• If z∈{1,…,(N-1)/2}, output z• Else, output –z mod N ∈{1,…,(N-1)/2}
![Page 14: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/14.jpg)
Proof:• Collision means (x0,b0)≠(x1,b1) s.t.
yb0 x02 = ± yb1 x1
2 mod N
• If b0=b1, then x0≠x1, but x02=±x1
2 mod N• x0
2=-x12 mod N not possible. Why?
• x0≠-x1 since x0,x1∈{1,…,(N-1)/2}
• If b0≠b1, then (x0/x1)2 = ±y±1 mod N• -y case not possible. Why?• (x0/x1) or (x1/x0) is a square root of y
Theorem: If the factoring assumption holds, H is collision resistant
![Page 15: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/15.jpg)
Choosing N
How to choose N so that -1 is not a QR?
By CRT, need to choose p,q such that -‐1 is not a QR mod p or mod q
Fact: if p = 3 mod 4, then -1 is not a QR mod pFact: if p = 1 mod 4, then -1 is a QR mod p
![Page 16: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/16.jpg)
Is Composite N Necessary for SQ to be hard?Let p be a prime, and suppose p = 3 mod 4
Given a QR xmod p, how to compute square root?
Hint: recall Fermat: xp-1=1mod p for all x≠0
Hint: what is x(p+1)/2 mod p?
![Page 17: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/17.jpg)
Solving Quadratic Equations
In general, solving quadratic equations is:
• Easy over prime moduli
• As hard as factoring over composite moduli
![Page 18: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/18.jpg)
Other Powers?
What about x à x4 mod N? x à x6 mod N?
The function x à x3 mod N appears quite different• Suppose 3 is relatively prime to p-1 and q-1• Then x à x3 mod p is injective for x≠0
• Let a be such that 3a = 1 mod p-1• (x3)a = x1+k(p-1) = x(xp-1)k = x mod p
• By CRT, x à x3 mod N is injective for x∈ℤN*
![Page 19: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/19.jpg)
x3 mod N
What does injectivity mean?
Cannot base of factoring:Adapt alg for square roots?• Choose a random z mod N• Compute y = z3 mod N• Run inverter on y to get a cube root x• Let p = GCD(z-x, N), q = N/p
![Page 20: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/20.jpg)
RSA Problem
Given • N = pq, • e such that GCD(e,p-1)=GCD(e,q-1)=1,• y=xe mod N for a random x
Find x
Injectivity means cannot base hardness on factoring, but still conjectured to be hard
![Page 21: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/21.jpg)
RSA Assumption: For any algorithm running in polynomial time, , ∃ negligible ε such that:
Pr[xß (N,x3 mod N) N=pq and p,q random λ-‐bit primes s.t.
GCD(3,p-1)=GCD(3,q-1)=1xßℤN* ] ≤ ε(λ)
![Page 22: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/22.jpg)
Application: PRGs
Let F(x) = x3 mod N, h(x) = least significant bit
F
h
x
Theorem: If RSA Assumption holds, then G(x) = ( F(x), h(x) ) is a secure PRG
![Page 23: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/23.jpg)
Public Key Cryptography
![Page 24: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/24.jpg)
How do Alice & Bob get k?
k k
![Page 25: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/25.jpg)
Limitations
Time consuming
Not realistic in many situations• Do you really want to send a courier to every website you want to communicate with
Doesn’t scale well• Imagine 1M people communicating with 1M people
If not meeting in person, need to trust courier
![Page 26: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/26.jpg)
Public Key Distribution
![Page 27: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/27.jpg)
Public Key Distribution
![Page 28: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/28.jpg)
Public Key Distribution
k k
![Page 29: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/29.jpg)
Public Key Distribution
k k
?
![Page 30: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/30.jpg)
Interactive Protocols
Pair of interactive (randomized) algorithms A, B
A(x)
oB
B(y)
oA
Transcript Trans
Write (Trans,oA,oB)ß(A,B)(x,y)
![Page 31: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/31.jpg)
Public Key Distribution
Pair of interactive algorithms A,B
Correctness: Pr[oA=oB: (Trans,oA,oB)ß(A,B)()] = 1
Shared key is k := oA=oB• Define (Trans,k)ß(A,B)()
Security: (Trans,k) is computationally indistinguishable from (Trans,k’) where k’ßKindependent of k
![Page 32: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/32.jpg)
Matrix Multiplication Approach
Bßℤqλ×λAßB-1
B
![Page 33: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/33.jpg)
Matrix Multiplication Approach
Bßℤqλ×λAßB-1
B
vßℤqλwßB·∙v
w
![Page 34: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/34.jpg)
Matrix Multiplication Approach
Bßℤqλ×λAßB-1
B
vßℤqλwßB·∙v
w
v = A·∙w v
![Page 35: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/35.jpg)
Matrix Multiplication Approach
Bßℤqλ×λAßB-1
B
vßℤqλwßB·∙v
w
v = A·∙w v
![Page 36: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/36.jpg)
Running Times?
Bob: O(λ2)Eve: O(λ3)
![Page 37: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/37.jpg)
Running Times?
Bob: O(λ2)Eve: O(λω) where ω≤2.373Alice: O(λω)
Different Approach:• Start with A = B = I• Repeatedly apply random elementary row ops to A, inverse to B• Output (A,B)
![Page 38: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/38.jpg)
Running Times?
Bob: O(λ2)Eve: O(λω) where ω≤2.373Alice: O(λω)
Different Approach:• Start with A = B = I• Repeatedly apply random elementary row ops to A, inverse to B• Output (A,B)
Assuming Matrix Multiplication exponent ω > 2, adversary must work harder than honest users
![Page 39: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/39.jpg)
Merkle Puzzles
Let H be some hash function with domain [λ]={1,…,λ}
a1,…,atß[λ]Ai ß H(ai)
{Ai}
b1,…,btß[λ]bi ß H(bi)
{Bi}
![Page 40: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/40.jpg)
Merkle Puzzles
Let H be some hash function with domain [λ]={1,…,λ}
a1,…,atß[λ]Ai ß H(ai)
{Ai}
b1,…,btß[λ]bi ß H(bi)
{Bi}
ai s.t. Ai∈{Bi} bi s.t. Bi∈{Ai}
![Page 41: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/41.jpg)
Analysis
Protocol succeeds iff:• H is injective (why?)• {Ai}∩{Bi}≠∅ (equiv, {ai}∩{bi}≠∅)
What does t need to be to make {Ai}∩{Bi}≠∅ ?
If adversary can only query H on various inputs, how many queries needed?
![Page 42: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/42.jpg)
Limitations
Both matrix multiplication and Merkle puzzle approaches have a polynomial gap between honest users and adversaries
To make impossible for extremely powerful adversaries, need at least λ2 > 280
• Special-‐purpose hardware means λ needs to be even bigger• Honest users require time at least λ=240
• Possible, but expensive
![Page 43: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/43.jpg)
Limitations
Instead, want want a super-‐polynomial gap between honest users and adversary• Just like everything else we’ve seen in the course
![Page 44: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/44.jpg)
Key Distribution from Obfuscation
Software obfuscation:• Compile programs into unreadable form
(intentionally)
![Page 45: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/45.jpg)
Key Distribution from Obfuscation
Let F,F-1 be a block cipher
kß{0,1}λPßObf( F(k, ·∙) )
P
![Page 46: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/46.jpg)
Key Distribution from Obfuscation
Let F,F-1 be a block cipher
kß{0,1}λPßObf( F(k, ·∙) )
P
rß{0,1}λxßP(r)
x
![Page 47: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/47.jpg)
Key Distribution from Obfuscation
Let F,F-1 be a block cipher
kß{0,1}λPßObf( F(k, ·∙) )
P
rß{0,1}λxßP(r)
x
rßF-1(k,x) r
![Page 48: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/48.jpg)
Key Distribution From Obfuscation
For decades, many attempts at commercial code obfuscators• Simple operations like variable renaming, removing whitespace, re-‐ordering operations
Really only a “speed bump” to determined adversaries• Possible to recover something close to original program (including cryptographic keys)
Don’t use commercially available obfuscators to hide cryptographic keys!
![Page 49: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/49.jpg)
Key Distribution From Obfuscation
Recently (2013), new type of obfuscator has been developed• Much stronger security guarantees• Based on mathematical tools• Many cryptographic applications beyond public key distribution
Downside?• Extraordinarily impractical (currently)
![Page 50: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/50.jpg)
Practical Key Exchange
Instead of obfuscating a general PRP, we will define a specific abstraction that will enable key agreement
Then, we will show how to implement the abstraction using number theory
![Page 51: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/51.jpg)
Trapdoor Permutations
Domain X
Gen(): outputs (pk,sk)F(pk,x∈X) = y∈XF-1(sk,y) = x
Correctness:Pr[ F-1(sk, F(pk, x)) = x : (pk,sk)ßGen() ] = 1
Correctness implies F,F-1 are deterministic, permutations
![Page 52: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/52.jpg)
Trapdoor Permutation Security
(sk,pk)ßGen()xßXyßF(pk,x)
pk,y
x’ Adversary wins if x=x’
In other words, F(pk, ·∙ ) is a one-‐way function
![Page 53: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/53.jpg)
Key Distribution from TDPs
pk(pk,sk)ßGen()
xßXyßF(pk,x)
xßF-1(sk,y) x
![Page 54: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/54.jpg)
Analysis
Correctness follows from correctness of TDP
Security:• By TDP security, adversary cannot compute x• However, x is distinguishable from a random key
![Page 55: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/55.jpg)
Hardcore Bits
Let F be a one-‐way function with domain D, range R
In other words, even given F(x), hard to guess h(x)
Definition: A function h:Dà{0,1} is a hardcore bit for F if, for any polynomial time , ∃negligible εsuch that:
| Pr[1ß (F(x), h(x)), xßD]- Pr[1ß (F(x), b), xßD,bß{0,1}] | ≤ ε(λ)
![Page 56: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/56.jpg)
Examples of Hardcore Bits
Define lsb(x) as the least significant bit of x
For x∈ZN, define Half(x) as 1 iff 0≤x<N/2
![Page 57: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/57.jpg)
Theorem: Let p be a prime, and F:Zp*àZp
* be F(g,x) = (g,gx mod p)Half is a hardcore bit for F (assume F is one-‐way)
Theorem: Let N be a product of two large primes p,q, and F:ZN
*àZN* be F(x) = xe mod N for some e
relatively prime to (p-1)(q-1)
Lsb and Half are hardcore bits for F (assuming RSA)
Theorem: Let N be a product of two large primes p,q, and F:ZN
*àZN* be F(x) = x2 mod N
Lsb and Half are hardcore bits for F (assumingfactoring)
![Page 58: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/58.jpg)
Key Distribution from TDPs
pk(pk,sk)ßGen()
xßXyßF(pk,x)
xßh( F-1(sk,y) ) h( x )
h a hardcore bit for F(pk, ·∙ )
![Page 59: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/59.jpg)
Proof:• (Trans,k) = ( (pk,y), h(x))• Hardcore bit means indist. from ( (pk,y), b)
Theorem: If h is a hardcore bit for F(pk, ·∙ ), then protocol is secure
![Page 60: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/60.jpg)
Trapdoor Permutations from RSA
Gen():• Choose random primes p,q• Let N=pq• Choose e,d .s.t ed=1 mod (p-1)(q-1)• Output pk=(N,e), sk=(N,d)
F(pk,x): Output y = xe mod N
F-1(sk,c): Output x = yd mod N
![Page 61: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/61.jpg)
Caveats
RSA is not a true TDP as defined• Why???• What’s the domain?
Nonetheless, distinction is not crucial to most applications• In particular, works for key agreement protocol
![Page 62: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/62.jpg)
Other TDPs?
For long time, essentially none known• Still interesting object:
• Useful abstraction in protocol design• Maybe more will be discovered…
Using obfuscation:• Let P be a PRP• sk = k, pk = Obf( P(k, ·∙ ) )
![Page 63: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/63.jpg)
Key Distribution from DH
Everyone agrees on group G of prime order p
aßℤp bßℤp
![Page 64: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/64.jpg)
Key Distribution from DH
Everyone agrees on group G or prime order p
ga gb
aßℤp bßℤp
![Page 65: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/65.jpg)
Key Distribution from DH
Everyone agrees on group G or prime order p
ga gb
k = (gb)a = gab k = (ga)b = gab
aßℤp bßℤp
![Page 66: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/66.jpg)
Key Distribution from DH
Proof:• (Trans,k) = ( (ga,gb), gab)• DDH means indistinguishable from ( (ga,gb), gc)
What if only CDH holds, but DDH is easy?
Theorem: If (t,ε)-DDH holds on G, then the Diffie-‐Hellman protocol is (t,ε)-secure
![Page 67: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/67.jpg)
Public Key Encryption
![Page 68: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/68.jpg)
Public Key Encryption
skpk
![Page 69: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/69.jpg)
Public Key Encryption
skpk
m
cßEnc(pk,m)
![Page 70: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/70.jpg)
Public Key Encryption
skpk
mßDec(sk,c)
cßEnc(pk,m)
m
![Page 71: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/71.jpg)
Public Key Encryption
skpk
mßDec(sk,c)
cßEnc(pk,m)
?m
![Page 72: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/72.jpg)
PKE vs Key Agreement
kABkAB
Key agreement:
![Page 73: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/73.jpg)
PKE vs Key Agreement
kABkAB
Key agreement:
![Page 74: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/74.jpg)
PKE vs Key Agreement
kABkAB
Key agreement:
kAC
kAC
![Page 75: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/75.jpg)
PKE vs Key Agreement
kABkAB
Key agreement:
kAC
kAC kBC
kBC
For n users, need O(n2) key exchanges
![Page 76: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/76.jpg)
PKE vs Key AgreementPKE:
skA pkA
![Page 77: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/77.jpg)
PKE vs Key AgreementPKE:
skA pkA skBpkB
![Page 78: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/78.jpg)
PKE vs Key AgreementPKE:
skA pkA skBpkB
skC
pkc
For n users, need O(n)public keys
![Page 79: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/79.jpg)
PKE Syntax
Message space M
Algorithms:• (sk,pk)ßGen(λ)• Enc(pk,m)• Dec(sk,m)
Correctness:Pr[Dec(sk,Enc(pk,m)) = m: (sk,pk)ßGen(λ)] = 1
![Page 80: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/80.jpg)
Security
One-‐way security
Semantic Security
CPA security
CCA Security
![Page 81: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/81.jpg)
One-‐way Security
(sk,pk)ßGen()mßMcßEnc(pk,m)
c
m’
![Page 82: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/82.jpg)
Semantic Security
(sk,pk)ßGen()
cßEnc(pk,mb)
pk
b’
m0,m1
c
![Page 83: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/83.jpg)
CPA Security
(sk,pk)ßGen()
cßEnc(pk,mb)
pk
b’
m0,m1c
mc
mc
![Page 84: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/84.jpg)
CCA Security
(sk,pk)ßGen()
cßEnc(pk,mb)
pk
b’
m0,m1c*
cm
c≠c*m
![Page 85: COS433/Math+473:+ Cryptographymzhandry/2020-Spring-COS433/LN/L… · COS433/Math+473:+ Cryptography Mark%Zhandry Princeton%University Spring%2020](https://reader035.vdocuments.net/reader035/viewer/2022071217/604b68ff3f92e65321402f92/html5/thumbnails/85.jpg)
Reminders
HW5 Due Today
PR2 Due April 19th