
Diffie Hellman Introduction

Cryptography and Protocols Andrei Bulatov

Cryptography and Protocols Diffie Hellman

15-2

Key Exchange
Using public key cryptography is expensive. A better way is to use it in a limited amount to generate a key for a private key cryptosystem.

If $p$ is prime then there is a primitive root modulo $p$, that is, a number $g$ such that $\{1, 2, \ldots, p-1\} = \{g^1, g^2, g^3, \ldots, g^{p-1}\}$.

Diffie Hellman protocol:
- Alice chooses a prime $q$ and finds a primitive root $g$
- Alice chooses a random $X$ from $\{1, \ldots, q-2\}$ and sends p, q and $g^X \pmod{q}$ to Bob
- Bob chooses a random $Y$ from $\{1, \ldots, q-2\}$ and sends $g^Y \pmod{q}$ to Alice
- Alice and Bob compute $k = g^{XY} \pmod{q}$ (by computing $(g^Y)^X$ and $(g^X)^Y$ respectively). They use $k$ as a private key


Diffie Hellman Protocol

- Alice: $X \in \mathbb{Z}_p^*$, $k = (g^Y)^X$
- Bob: $Y \in \mathbb{Z}_p^*$, $k = (g^X)^Y$
- Alice → Bob: $g^X$
- Bob → Alice: $g^Y$


Diffie Hellman Protocol


If Eve can compute discrete logarithm, that is find $X$ and $Y$, then the protocol is insecure. However, this is not enough.

Decisional Diffie Hellman (DDH) Assumption. For every prime $p$ and a primitive root $g$ modulo $p$ the following two distributions over triplets are computationally indistinguishable (it is not true !!):
- $\langle g^X, g^Y, g^{XY} \rangle$, where $X$, $Y$ are random
- $\langle g^X, g^Y, Z \rangle$, where $X$, $Y$, $Z$ are random


Man in the Middle


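- Alice: $X \in \mathbb{Z}_p^*$
- Eve: $V \in \mathbb{Z}_p^*$, $W \in \mathbb{Z}_p^*$, $k = (g^X)^W$, $k' = (g^Y)^V$
- Bob: $Y \in \mathbb{Z}_p^*$
- Alice → Eve: $g^X$
- Eve → Alice: $g^W$
- Eve → Bob: $g^V$
- Bob → Eve: $g^Y$

Eve masquerades as Bob for Alice and as Alice for Bob. So she can read all messages they send.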


Other Problems
- How do we know that $p$ is prime and $g$ is a primitive root?
- What if Eve replaces $g^X$ with 1?
- What if Eve replaces $g^X$ with an element of small order?
- Safe primes: $p = 2q + 1$ where $q$ is a prime.
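The checks these questions call for, as an added example that is not part of the original slides: with a safe prime $p = 2q + 1$ the factorization of $p - 1$ is known, so testing that $g$ is a primitive root and that a received value is neither 1 nor of small order costs a few modular exponentiations. The function names and the toy group p = 23, g = 5 are assumptions constructed for illustration; real groups use primes thousands of bits long.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # random base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group(p, g):
    """Accept only a safe prime p = 2q + 1 and a primitive root g modulo p."""
    q = (p - 1) // 2
    if not (is_probable_prime(q) and is_probable_prime(p)):
        return False
    # p - 1 = 2q, so g is a primitive root iff g^2 != 1 and g^q != 1 (mod p).
    return 1 < g < p - 1 and pow(g, 2, p) != 1 and pow(g, q, p) != 1

def check_public_value(p, y):
    """For a safe prime the only small-order elements are 1 and p - 1 (order 2)."""
    return 1 < y < p - 1

def shared_key(p, g, my_secret, peer_value):
    """Return peer_value^my_secret mod p, but only after validating every input."""
    if not check_group(p, g):
        raise ValueError("p is not a safe prime or g is not a primitive root")
    if not check_public_value(p, peer_value):
        raise ValueError("peer value is out of range or has small order")
    return pow(peer_value, my_secret, p)

if __name__ == "__main__":
    p, g = 23, 5  # constructed toy group (23 = 2*11 + 1); far too small for real use
    alice = shared_key(p, g, 4, pow(g, 3, p))  # Alice: X = 4, receives g^Y with Y = 3
    bob = shared_key(p, g, 3, pow(g, 4, p))    # Bob:   Y = 3, receives g^X
    print(alice, bob)
```

These checks answer the questions on this slide only; they do not authenticate the sender, so the man-in-the-middle exchange shown earlier still succeeds against them.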

Digital Signatures Introduction

Cryptography and Protocols Andrei Bulatov

Cryptography and Protocols Digital Signatures

16-8

Definition
Similar to the symmetric case, we need to care about data integrity.

A triple (Gen, Sign, Ver) is called a (T, )-secure signature scheme if
- validity: for any pair $(s,v)$ generated by Gen and every $P \in \{0,1\}^n$ we have $\mathrm{Ver}_v(P, \mathrm{Sign}_s(P)) = 1$
- security: for any Eve with time complexity at most T in the following game:
  - Alice chooses $(s,v)$
  - Eve gets black box access to $\mathrm{Sign}_s$ (she has access to $\mathrm{Ver}_v$)
  - Eve wins if in the end she produces a pair (P, ) such that (a) M was not queried (b) $\mathrm{Ver}_v(P,\ ) = 1$


Definition (cntd)
The probability Eve wins Pr[Eve wins] <

A scheme is secure if it is (T, )-secure for a superpolynomial pair (T, )


One-Time Signature Scheme


Eve is allowed to make only one query and we certify only one bit.

Thus Eve's task is: given $(b, \mathrm{Sign}_s(b))$ find (b , ) such that $\mathrm{Ver}_v(b\ ,\ ) = 1$

We use a one-way permutation $f : \{0,1\}^n \to \{0,1\}^n$ with $\Pr_{x \in \{0,1\}^n}[\mathrm{Eve}(f(x)) = x] <$ for any polynomial time Eve and some superpolynomial

- Key generation: Gen chooses $x_0, x_1 \in \{0,1\}^n$ and computes $y_0 = f(x_0)$, $y_1 = f(x_1)$. Then set $s = (x_0, x_1)$ and $v = (y_0, y_1)$
- Signing: $\mathrm{Sign}_s(b) = x_b$
- Verification: $\mathrm{Ver}_v(b, x) = 1 \iff f(x) = y_b$
