helger lipmaa university of tartu, estonia
TRANSCRIPT
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 3
Key Exchange, CDH, DDH
Helger Lipmaa University of Tartu, Estonia
UP TO NOW
Basic intro
Basic algebra
Exponentiation
Assumptions
Algebra + assumptions: DL
How to define assumptions (DL)
WHAT CAN BE DONE WITH DL?
First idea:
let s←ℤq be secret key and h=gˢ be public key
computation of s from h is infeasible
Use the keys to "encrypt", "sign", etc
This lecture: more details
KEY EXCHANGEI want to
send secret information to Bob, but he is
in Jamaica
Let us agree on a joint secret key for further communication
KEY EXCHANGE
pkₐ
pkb
skₐ,pkₐ skb,pkb
sk=SK(skₐ,pkb) sk=SK(skb,pkₐ)=sk
Symmetric, shared key
Asymmetric, public keyAsymmetric, public key
KEY EXCHANGE WITH DL
h
f
s, h←gˢ t, f←gᵗ
sk=SK(s,f) sk=SK(t,h)=sk
QUIZ
SK (t, gˢ) = sk = SK (s, gᵗ)
What could SK be?
Hint: we are working in a group
Use commutativity + efficient operations
Answer: SK (s, h) = hˢ
SK (t, gˢ) = gˢᵗ = gᵗˢ = SK (s, gᵗ)
DIFFIE-HELLMAN KEY EXCHANGE
h
f
s, h←gˢ t, f←gᵗ
sk=gˢᵗsk=gˢᵗ
=sk
DHKE: FORMALLY
h
f
s,h=gˢ t,f←gᵗ
=sk
sk=gˢᵗsk=gˢᵗ
DHKE.Setup (κ):1. Choose a group G of order q where
breaking DL has complexity 2^κ2. Choose a generator g of G3. Return gk ← desc (G) = (..., q, g)
DHKE.Keygen (gk):1. sk = s ← ℤq2. pk ← gˢ3. Return (sk, pk)
DHKE.SK (gk, s, h):1. Return hˢ
QUIZ: IS DHKE SECURE?
Correct question:
is DHKE what-secure under X assumption
Three tasks:
1. Formalize security of KE
2. Decide on X
3. Provide a proof by reduction (X holds => DHKE what-secure)
SECURITY DEF: FIRST TRY
We already saw some issues in the last lecture
...so we won't concentrate on the same issues
Random key, probabilistic algorithms, ...
DHKE: INTUITIVE SECURITY
h
f
s, h←gˢ t, f←gᵗ
sk=gˢᵗ sk=gˢᵗ=sk
?
KEY RECOVERY SECURITY
Three algorithms KE = (Setup, Keygen, SK)
Adv[KR] := | Pr[KR = 1] - 1 / q |
A ε-breaks KR (key recovery) security of KE iff Adv[KR] ≥ ε
KE is (τ,ε)-KR secure iff no adversary ε-breaks KR security of KE in time ≤ τ
KE is KR secure iff it is (poly(κ),negl(κ))-KR secure
Game KR(κ,KE,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk* ← A (gk, pkₐ, pkb)If sk* = SK (gk, skₐ, pkb) return 1else return 0
SECURITY REDUCTION?
We would like to prove that DHKE is KR secure
by reducing KR-security to DL assumption
Unfortunately not known how to do it
gˢ s
gᵗ t
gˢᵗSK
SK
DL
DL
?
NEW ASSUMPTION: CDH
DHKE was proposed together with the idea of public-key cryptography by Diffie and Hellman in 1976
No success in breaking it in any reasonable group where DL is hard
Seems logical: introduce a tautological assumption
CDH: Computational Diffie-Hellman
"key recovery attack against DHKE is hard"
DEF: CDH ASSUMPTION
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
Assume (for simplicity) that for any κ, Setup picks exactly one group G = G(κ)
Adv[CDH] := | Pr[CDH = 1] - 1 / q |
A ε-breaks CDH in group G iff Adv[CDH] ≥ ε
G is (τ,ε)-CDH group iff no adversary ε-breaks CDH in G in time ≤ τ
G is CDH group iff it is (poly(κ),negl(κ))-CDH group
Game CDH(G,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk* ← A (gk, pkₐ, pkb)If sk* = SK (gk, skₐ, pkb) return 1else return 0
REMARKS
Clearly, CDH is secure in A group iff DHKE is KR secure in the same group
τ = τ (κ) and ε = ε (κ) are functions of κ
QUIZ: CDH VS DL
CDH DL
?
?
QUIZ: CDH VS DL
CDH hard DL hard
?
?
Answer: yes
Answer: depends
some contrived groups where DL holds but not
CDH, ...
PROOF: CDH => DL
Theorem. If G is a (τ + small, (1 - 1 / q) ε + (1 - 1 / q) / q)-CDH group, then it is also a (τ, ε)-DL group.
Proof idea. Reduction to absurd: we show that if DL is easy in G, then CDH must also be easy in G.
DL is easy => there exists an adversary D that breaks DL
We show CDH is easy by constructing an adversary C that breaks CDH
C can use help from adversary D, by sending inputs to D and receiving outputs
Typical reduction
INTUITIVE PROOF
Assume D can break DL
given gˢ, outputs s with probability ε
Construct adversary C that breaks CDH
given gˢ, gᵗ, call D to compute s ← D (gˢ)
return (gᵗ)ˢ = gˢᵗ
But what is the success probability of C?
SECURITY GAMES
Depending on the input and the output, the challenger declares C to be either successful or not
After some computation, C returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C
Depending on the input and the output, the challenger declares D to be either successful or not
After some computation, D returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary D
CDH game: need to construct C DL game: D is given
This is the only thing we know...
SECURITY REDUCTION
Depending on the input and the output, the challenger declares C to be either successful or not
After some computation, C returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary C After some
computation, D returns some value to the challenger
A challenger generates values from some fixed "valid" distributions and sends them to the adversary D
CDH game: need to construct C DL game: D is given
C
C
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
... ;/* compute m */if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G), h)
msk*
Challenger C D
Correct distribution for DL
Correct distribution for CDH
Exists ExistsNeed to construct
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G),h)
msk*
Challenger C D
Assume D works in time τ and is successful with prob. ε + 1 / q
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
If D is successful then C is successful and takes time τ* =τ + small
... ;/* compute m */
If D is unsuccessful then C is successful with prob. 1 / q, and takes
time τ*
REMINDER: PROBABILITY
Let A, B be two events
Pr [A] - probability that A holds
Pr [¬ A] - probability that A does not hold
Pr [A | B] - conditional probability
probability that A holds given that B holds
Then Pr [A] = Pr [A | B] · Pr [B] + Pr [A | ¬B] · Pr [¬B]
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G),h)
msk*
Challenger C D
Assume D works in time τ and is successful with prob. ε + 1 / q
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
If D is successful then C is successful and takes time τ* =τ + small
Pr[C successful] =Pr[C successful | D successful] · Pr[D successful] +
Pr[C successful | ¬D successful] · Pr [¬D successful] =1 · (ε + 1 / q) + 1 / q · (1 - (ε + 1 / q)) = (1 - 1 / q) ε + (1 - 1 / q) / q + 1 / q =:
ε* + 1 / q
... ;/* compute m */
If D is unsuccessful then C is successful with prob. 1 / q, and takes
time τ*
REDUCTION: CDH => DL
remove 1 elem.
s, t ← ℤq; h ← gˢ; f ← gᵗ
if sk* = gˢᵗ
return 1
else
return 0
(desc(G), h, f)
(desc(G),h)
msk*
Challenger C D
Assume D works in time τ and is successful with prob. ε + 1 / q
if h = gᵐ
return sk* ← fᵐ
else
return sk* ← ℤq
If D is successful then C is successful and takes time τ* =τ + small
Pr[C successful] = ε* + 1 / q
Thus, if G is a (τ*, ε*)-CDH group then it is a (τ, ε)-DL group
... ;/* compute m */
If D is unsuccessful then C is successful with prob. 1 / q, and takes
time τ*
QUIZ: ARE WE DONE?
If not, why not?
Is the achieved security sufficient?
Answer:
The fact that sk is unknown is not sufficient
Adversary should have no information about sk
DHKE IN WILD WORLD
h
f
s,h←gˢ t,f←gᵗ
sk=gˢᵗsk=gˢᵗ
=sk
XORm cc + any information about
sk leaks information about m
One-time pad
DHKE: IND SECURITY
h
f
s,h←gˢ t,f←gᵗ
sk=gˢᵗ sk=gˢᵗ=sk
is it sk or garbage?
sk*
Intuition: if Eve has any information about sk, she
should be able to distinguish real sk from random
IND(ISTINGUISHABILITY) SECURITY
KE = (Setup, Keygen, SK)
Adv[IND] := | Pr[IND = 1] - 1 / 2 |
A ε-breaks IND security of KE iff Adv[IND] ≥ ε
KE is (τ,ε)-IND secure iff no adversary ε-breaks IND security of KE in time ≤ τ
KE is IND secure iff it is (poly(κ),negl(κ))-IND secure
Game IND(κ,KE,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk₀ ← SK (gk, skₐ, pkb)sk₁ ← Ge ← {0, 1}e* ← A (gk,pkₐ,pkb,skₑ)Return e = e* ? 1 : 0
SECURITY REDUCTION?
We would like to prove that DHKE is IND secure
by reducing IND security to CDH assumption
Not possible
well-known groups where CDH holds but DHKE is not IND secure
DDH
We introduce again a tautological assumption, DDH
Decisional Diffie-Hellman, known since 70s => good
...in many groups
DDH is extremely useful in many protocols
Well-known groups where DDH does not hold
pairing-based groups: CDH conjectured to be hard, but DDH trivially breakable
interestingly, p-b groups are also extremely useful
DEF: DDH SECURITY
Use (DHKE.Setup, DHKE.Keygen, DHKE.SK)
Assume that for any κ, Setup picks exactly one group G = G(κ)
Adv[DDH] := | Pr[DDH = 1] - 1 / 2 |
A ε-breaks DDH in G iff Adv[DDH] ≥ ε
G is a (τ,ε)-DDH group iff no PPT adversary A ε-breaks DDH in G in time ≤ τ
G is a DDH group iff it is (poly(κ),negl(κ))-DDH group
Game DDH(G,A)
gk ← Setup(κ)(skₐ,pkₐ)←Keygen (gk)(skb,pkb)←Keygen (gk)sk₀ ← SK (gk, pkₐ, pkb)sk₁ ← Ge ← {0, 1}e* ← A (gk,pkₐ,pkb,skₑ)Return e = e* ? 1 : 0
DDH: SHORT FORM
Fix a cyclic group G and its generator g
Adversary has to distinguish between
(g, gˢ, gᵗ, gˢᵗ) -- DDH tuple
(g, gˢ, gᵗ, gᵐ) -- random tuple
where s, t, m are random
DDH VS IND SECURITY
Clearly, a group is DDH is secure iff DHKE is IND secure in the same group
τ = τ (κ) and ε = ε (κ) are functions of κ
PROOF: DDH => CDH
Theorem. If G is a (≈τ, ≈ε)-DDH group, then it is also a (τ, ε)-CDH group.
Proof idea. Reduction to absurd: we show that if CDH is easy in G, then DDH must also be easy in G.
CDH is easy => there exists an adversary D that breaks CDH
We show DDH is easy by constructing an adversary C that breaks DDH
C can use help from adversary D, by sending inputs to D and receiving outputs
Home exercise:Very similar to previous proof. Finish! Find parameters
BEYOND IND: SEMIHONEST VS MALICIOUS
Actual security requirements even more stringent
KR, IND security only demonstrate basic concepts
We assumed Eve is semihonest
Eavesdrops but does not change messages
Malicious Eve: can change, inject, delete messages
Alice and Bob need to authenticate each other
"Authenticated Diffie-Hellman"
Crucial notions
Security of various protocols against
malicious adversaries: second half of the course
WHAT NEXT?
DDH is a very versatile assumption
One can construct many useful protocols from it
DDH
Encryption Signatures
...
E-votingCPIR
E-cash
...
WHAT NEXT?
Since many protocols are based on homomorphic encryption, the next lecture is about homomorphic encryption
More precisely: Elgamal encryption
STUDY OUTCOMES
Key exchange
DHKE in particular
KR security and CDH
IND security and DDH
Reductions: how to do