more crypto and security

More crypto and security

CSE 199, Projects/Research

• Individual enrollment

• Projects / research, individual or small group

• Implementation or theoretical

• Weekly one-on-one meetings, no lectures

• Course grade based on project report and presentation

Mihir Bellare UCSD 1

More crypto and security

CSE 207

• Graduate introduction to cryptography

• Focus on provable-security

• Material overlaps with 107 but changes in focus as above


Security courses

CSE 127, Savage / Shacham

• Undergraduate introduction to security

• Systems issues

CSE 227, Savage/Shacham

• Graduate introduction to security


Advanced courses

CSE 208 is a “Topics” course whose content varies from year to year.Some past topics:

• Program obfuscation

• Pairing-based cryptography

• Lattices in cryptography

• Zero-knowledge

• Electronic payments


Grad school?

• MS: 2 years

• PhD: 5+ years, research-orientated

You can consider a PhD if you enjoy research: solving new problems,exploring the unknown.

An MS is to gain expertise.


PhD application process

• Applications for Fall due in previous winter

• PhD students are usually fully funded through fellowships, RA-shipsand TA-ships.

• Admission to top schools is very competitive but there are nicheschools that are excellent in specific areas

• To get admitted to a good program you need a high GPA, strongrecommendation letters and a convincing statement of purpose.

• Best of all: accomplished research!


APPLICATIONS AND PROTOCOLS


Some applications and protocols

• Internet Casino

• Commitment

• Shared coin flips

• Threshold cryptography

• Forward security

• Program obfuscation

• Zero-knowledge

• Certified e-mail

• Electronic voting

• Auctions

• Identity-based encryption

• Functional encryption

• Fully-homomorphic encryption

• Searchable encryption

• Oblivious transfer

• Garbling schemes

• Secure computation

• Group signatures

• Aggregate signatures


Internet Casino: Protocol G1

Player Casino

$1,G -

T$←{1, 2, . . . , 100}

if G = T then d ← $200else d ← $0

T , d�

Would you play?

Expected value of d is $200( 1100) = $2 > $1 so probability theory says that

the player will earn money by playing.


Problem: Casino can cheat

Player Casino$1,G -

T$←{1, 2, . . . , 100}\{G}

d ← $0T , d�


Internet Casino: Protocol G2

Player Casino$1 -

T$←{1, 2, . . . , 100}

T�

G -

if G = T then d ← $200else d ← $0

d�

But now player can always win by setting G = T . No casino would do this!


Internet Casino problem

Player and Casino need to exchange G , T so that

• Casino cannot choose T as a function of G .

• Player cannot choose G as a function of T .

How do we resolve this Catch-22 situation?


”Internet” Casino: Protocol G3

G

G

Casino

T$←{1, 2, . . . , 100}

T

if G = T then d ← $200d else d ← $0

G

Player

$1,

is a locked safe containing a piece of paper with Gwritten on it.

is a key to open the safe.


“Internet” Casino: Protocol G3

G

G

Casino

T$←{1, 2, . . . , 100}

T

if G = T then d ← $200d else d ← $0

G

Player

$1,

• Casino cannot choose T as a function of G because, without the key,it cannot see G .

• Player cannot choose G as a function of T because, by putting it inthe safe, she is committed to it in the first move.


Internet Casino Protocol using cryptography

Player Casino

K$←{0, 1}128

C ← H(K‖G ) C -

T$←{1, 2, . . . , 100}

T�

G ,K -

if (H(K‖G ) = C and G =T )then d ← $99 else d ← $0

d�

Here H is a cryptographic hash function. More generally one can use aprimitive called a committment scheme.


Commitment Schemes

A commitment scheme CS = (P, C,V) is a triple of algorithms

C C

P π

VK

M

0/1

Parameter generation algorithm P is run once by a trusted party toproduce public parameters π.

In Internet Casino

M Data being commited G

C Commital

K Decommital keyMihir Bellare UCSD 16

Security properties

• Hiding: A commital C generated via (C ,K )$←C(π,M) should not

reveal information about M.

= C does not reveal M.

• Binding: It should be hard to find C ,M0,M1,K0,K1 such thatM0 6= M1 but V(π,C ,M0,K0) = V(π,C ,M1,K1) = 1.

K0 C

CK1

M0

M1


Internet Casino Protocol using a commitment scheme

Player Casino

(C ,K )$←C(π,G ) C -

T$←{1, 2, . . . , 100}

T�

G ,K -

if (V(π,C ,G ,K ) = 1 and G =T )then d ← $99else d ← $0

d�


Hiding Formally

Let CS = (P, C,V) be a commitment scheme and A an adversary.

Game HIDECS

procedure Initializeπ

$←P; b$←{0, 1}

return π

procedure LR(M0,M1)

(C ,K )$←C(π,Mb)

return C

procedure Finalize(b′)return (b = b′)

The hiding-advantage of A is

AdvhideCS (A) = 2 · Pr[HIDEA

CS ⇒ true]− 1.


Binding Formally

Let CS = (P, C,V) be a commitment scheme and A an adversary.

Game BINDCS

procedure Initializeπ

$←Preturn π

procedure Finalize(C ,M0,M1,K0,K1)v0 ← V(π,C ,M0,K0)v1 ← V(π,C ,M1,K1)return (v0 = v1 = 1 and M0 6= M1)

The binding-advantage of A is

AdvbindCS (A) = Pr[BINDA

CS ⇒ true].


Commitment from symmetric encryption

Let SE = (K, E ,D) be an IND-CPA-secure symmetric encryption schemeand let CS = (P, C,V) be the commitment scheme where P returns π = εand

Alg C(π,M)

K$←K;C

$←EK (M)return (C ,K )

Alg V(π,C ,M,K )

if DK (C ) = M then return 1else return 0

Is this secure?

• It is certainly hiding.

• But need not be binding: it may be possible to find C ,M0,M1,K0,K1

such that

DK0(C ) = M0 and DK1(C ) = M1

For example this is easy when SE is CBC$ encryption.


Commitment from public key encryption

Let AE = (K, E ,D) be an IND-CPA-secure asymmetric encryption schemeand let CS = (P, C,V) be the commitment scheme where

Alg P(pk, sk)

$←Kπ ← pkreturn π

Alg C(pk,M)

K$←{0, 1}k

C ← Epk(M;K )return (C ,K )

Alg V(pk,C ,M,K )

if Epk(M;K ) = C thenreturn 1

else return 0

Epk(M;K ) means encryption of M with coins K .

• Certainly hiding.

• Binding too since C has only one decryption relative to pk, namelyM = Dsk(C ).


Commitment from hashing

Let H be a hash function and CS = (P, C,V) the commitment schemewhere P returns π = ε and

Alg C(π,M)

C ← H(M); K ← Mreturn (C ,K )

Alg V(π,C ,M,K )

return (C = H(M) and M = K )

This is

• Binding if H is collision-resistant.

• But not hiding. For example in the Internet Casino M = G ∈ {1, ...,100} so given C = H(M) the casino can recover M via

for i = 1, ..., 100 doif H(i) = C then return i



Let H be a hash function and CS = (P, C,V) the commitment schemewhere P returns π = ε and

Alg C(π,M)

C ← H(M); K ← Mreturn (C ,K )

Alg V(π,C ,M,K )

return (C = H(M) and M = K )

This is

• Binding if H is collision-resistant.

• But not hiding. For example in the Internet Casino M = G ∈ {1, ...,100} so given C = H(M) the casino can recover M via

for i = 1, ..., 100 doif H(i) = C then return i



A better scheme is CS = (P, C,V) where P returns π = ε and

Alg C(π,M)

K$←{0, 1}128

C ← H(K ||M)return (C ,K )

Alg VH(π,C ,M,K )

return (H(K ||M) = C )


Commitment schemes usage

Commitment schemes are very broadly and widely used across all kinds ofprotocol design and in particular to construct zero-knowledge proofs.


Flipping a common coin

• Alice and Bob are getting divorced

• They want to decide who keeps the Lexus

• They aggree to flip a coin, but

• Alice is in NY and Bob is in LA

Protocol CF1:

Alice Bob

c$←{0, 1} c -

Bob is not too smart but he doesn’t like it...

Can you help them out?


Protocol CF2

Let CS = (P, C,V) be a commitment scheme.

Alice Bob

a$←{0, 1}

(C ,K )$←C(π, a) C - b

$←{0, 1}b�

a,K - if V(π,C , a,K ) = 1 thenc ← a⊕ b c ← a⊕ b

elsec ← ⊥

c is the common coin. Neither party can control it.


Protocol CF3: Concrete instantiation of CF2

Alice Bob

a$←{0, 1} ; K

$←{0, 1}128

C ← H(K‖a) C - b$←{0, 1}

b�

a,K - if H(K‖a) = C thenc ← a⊕ b c ← a⊕ b

elsec ← ⊥

c is the common coin. Neither party can control it. H is a cryptographichash function.


Secure summation

Suppose we have n parties 1, ..., nParty i has an integer xiThe parties want to know the value of

f (x1, .., xn) = x1 + ...+ xn

Easy: Let

• Party i send xi to party 1 (2 ≤ i ≤ n)

• Party 1 computes f (x1, .., xn) = x1 + ...+ xn and broadcasts it

What they don’t like about this: Party 1 now knows everyone’s values

Privacy constraint: Party i does not wish to reveal xi


Secure summation


f (x1, .., xn) = x1 + ...+ xn

Easy: Let






Secure summation

Party i has input xi (1 ≤ i ≤ n). The parties want to knowf (x1, .., xn) = x1 + ...+ xn but do not want to reveal their inputs in theprocess.

Scenarios:

• xi = score of student i on midterm exam

• xi = salary of employee i

• xi ∈ {0, 1} = vote of voter i on proposition X on ballot


The model and goal

Parties i , j are connected via a secure channel (1 ≤ i , j ≤ n).Privacy and authenticity of messages sent over channel are guaranteed.

The parties will exchange messages to arrive at f (x1, ..., xn).

If i 6= j then, at the end of the protocol, party i should not know xj .

For example you, as player i , enter xi into some app on your cellphonewhich then communicates with the cellphones of the other parties. At theend, the sum shows up on your screen. Take your phone apart andexamine all memory contents and you still will not discover xj for j 6= i .


Setup for secure communication protocol

Let N be such that x1, ..., xn ∈ ZN = {0, ...,N − 1}.Let M = nN.Let S denote x1 + ...+ xn.We will compute S mod M, which is just S since

x1 + ...+ xn ≤ n(N − 1) < M


Protocol step 1: secret sharing

For i = 1, ..., n party i

• Picks xi ,1, ..., xi ,n ∈ ZM at random subject to xi ,1 + ...+ xi ,n ≡ xi(mod M)

• Sends xi ,j to party j over secure channel (1 ≤ j ≤ n)

x1,1 x1,2 x1,3 x1,4x2,1 x2,2 x2,3 x2,4x3,1 x3,2 x3,3 x3,4x4,1 x4,2 x4,3 x4,4

→ x1→ x2→ x3→ x4

Observation: xi ,j is a random number unrelated to xi so party j has noinformation about xi (i 6= j)


Protocol step 2,3: Column sums and conclusion


→ x1→ x2→ x3→ x4

↓ ↓ ↓ ↓C1 C2 C3 C4

For j = 1, ..., n party j

• Computes Cj = (x1,j + x2,j + ...+ xn,j) mod M

• Sends Cj to party i (1 ≤ i ≤ n)

Observation: S ≡ (C1 + · · ·+ Cn) (mod M).

So each party can compute S ← (C1 + ...+ Cn) mod M


Security of the protocol


→ x1→ x2→ x3→ x4

↓ ↓ ↓ ↓c1 c2 c3 c4

At end of protocol, party 1 knows (1) x1, and the first-row entries of thematrix (2) the sum S = x1 + x2 + x3 + x4 (3) c1, c2, c3, c4 (4) the firstcolumn entries x1,1, x2,1, x3,1, x4,1.

Claims:

• Party 1 learn nothing about x4

• Even if parties 1, 2 pool their information, they learn nothing about x4

• ...


Secure summation project

Project: Analyze and prove secure the summation protocol: (1) Give agame based definition of privacy (2) Prove that the protocol meets it.


Secure Computation

Parties 1, ..., nParty i has private input xiThey want to compute f (x1, ..., xn)

Fact: For any function f , there is a n/2 - private protocol to compute it.

A protocol is t-private if any t parties, getting together, cannot figure outanything about the input of the other parties other than implied by thevalue of f (x1, ..., xn).

The protocol views f as a circuit (program) and computes it gate(instruction) by gate (instruction).

Enormous body of research.


Zero-Knowledge Proofs [GMR]

A zero-knowledge (ZK) proof allows you to

• Convince Bob your claim is true

• Without revealing anything beyond that

For example:

You claim to have Bob is What is notrevealed

A solution to the homeworkproblem

Another student The solution

The password for this ac-count

The server The password

A proof that P 6= NP The Clay Institute The proof


more crypto and security

Documents