special topics in cryptography - computer sciencemohammad/courses... · defining digital signatures...
TRANSCRIPT
![Page 1: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/1.jpg)
Special Topics in Cryptography
Mohammad Mahmoody
![Page 2: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/2.jpg)
Last time
• RSA public key encryption
• Digital signatures
• Finishing digital signatures
• Zero Knowledge Proofs
• Secure Computation.
Today
![Page 3: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/3.jpg)
Public Key Authentication:Digital Signatures
• Secure authentication without shared secret keys!
![Page 4: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/4.jpg)
Defining Digital Signatures
• Alice has a signing key 𝑠𝑘 and a verification key 𝑣𝑘
• Using 𝑠𝑘 Alice can sign 𝑚 with 𝜎 = Sign𝑠𝑘(𝑚)
• If Bob verifies Verif𝑣𝑘 𝑚, 𝜎 = 1 he can be sure Alice signed 𝑚
• Security: For any poly-time adversary 𝐴 who has access to a signing oracle Sign𝑠𝑘(⋅), the probability of 𝐴 finding (𝑚, 𝜎) for 𝑚 not asked by 𝐴 that also passes the test Verif𝑣𝑘 𝑚,𝜎 = 1 is negligible.
![Page 5: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/5.jpg)
One possible idea based on TDPs (e.g. RSA)
• Signing key: “private key” (or the trapdoor)
• Verification key: “public key” (or the description of the permutation)
• To sign 𝑚 publish 𝜎 𝑚 = 𝑡
• To verify (𝑚, 𝑡) accept if and only if: 𝜋 𝑡 = 𝑚
• Is it secure signature? No, because we can choose 𝑡 first and then find 𝑚 for it easily!
![Page 6: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/6.jpg)
“Hash and sign” using ideal hash function
• Directly works for any message (arbitrary length) :
• Suppose ℎ ∶ 0,1 ∗ → 0,1 𝑛 for security parameter 𝑛
• And we have trapdoor permutation 𝜋, 𝜋−1 on domain 0,1 𝑛
• Signing key 𝜋−1
• Verification key 𝜋
• To sign 𝑚, first get 𝑠 = ℎ(𝑚) and then output 𝜎 = 𝜋−1(𝑚)
![Page 7: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/7.jpg)
Why is it a good signing method?
![Page 8: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/8.jpg)
Zero Knowledge Proofs
• Proving the truth of statements, while revealing nothing about the proof!
![Page 9: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/9.jpg)
Can we ever prove we know something without revealing the details of the secret?• Alice knows a magic word to open the door inside the cave:
• How can she prove to Bob that she knows that word?
![Page 10: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/10.jpg)
What is an “efficiently provable” property?
• Examples:
![Page 11: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/11.jpg)
What is an “efficiently provable” property?
• Complexity Class NP: set of all languages 𝐿 where there is an efficientverifier 𝑉 for proving membership in 𝐿. Name for all 𝑥 ∈ 𝐿 there is a “witness” (or proof) 𝑤 that 𝑉 𝑥,𝑤 = 1
![Page 12: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/12.jpg)
NP complete problems
![Page 13: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/13.jpg)
GMW: membership in any NP language can be proved Zero Knowledge!• Enough to do it for one NP complete problem only.
• Idea: using *interaction*
• Suppose we have digital lockable envelopes
![Page 14: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/14.jpg)
Proving a graph is 3 colorable
![Page 15: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/15.jpg)
Why is this a convincing (sound) interactive proof?
![Page 16: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/16.jpg)
Why is this proof carrying “zero knowledge”?
![Page 17: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/17.jpg)
Formal Definition of Zero Knowledge Proofs
![Page 18: Special Topics in Cryptography - Computer Sciencemohammad/courses... · Defining Digital Signatures •Alice has a signing key 𝑘and a verification key 𝑘 •Using 𝑘Alice can](https://reader035.vdocuments.mx/reader035/viewer/2022070901/5f48b7687d129b07481c0704/html5/thumbnails/18.jpg)
How to get a lockable digital envelope?