Overview of Cryptography Lectures by Arpita Patra

Overview of Cryptography Lectures by Arpita Patra
Slide Note
Embed
Share

This content covers various topics in cryptography including definitions of security, constructions based on secure schemes, hash functions, domain extensions, key agreement, and assumptions in finite cyclic groups. It also discusses the importance and applications of hash functions such as message authentication codes, file integrity checks, virus fingerprinting, deduplication, and password hashing.

  • Cryptography
  • Lectures
  • Security
  • Hash Functions
  • Applications
jfre
jfre Follow

Uploaded on Mar 06, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Cryptography Lecture 7 Arpita Patra

  2. Quick Recall and Todays Roadmap >> AE: Two definitions (in one CCA-security was explicit and in the other it was implicit), >> AE: Construction based on CPA secure SKE + CMA-secure MAC; proof of Security >> Hash Function: Various Security Notions >> Markle-Damgaard Domain Extension >> Davis Meyer Hash function >> Domain Extension for MAC using Hash function: Hash-and-Mac >> Key Agreement >> Assumptions in Finite Cyclic groups - DL, CDH, DDH Groups Finite groups (modulo arithmetic) Finite cyclic groups Finite Cyclic groups of prime orders (special advantages)

  3. Hash Functions Informally a hash-function is a (one-to-many) function mapping arbitrary-length bit- string to fixed-length bit-strings h {0, 1}l(n) {0, 1}* Usually |domain| >>>> |Co-domain| collisions exist ( x1 x2: h(x1) = h(x2)) Requirement from a good cryptographic hash function : Given the description of h, finding collisions should be infeasible- Collision Resistance Given the description of h, x and h(x) finding x with h(x ) = h(x) should be infeasible- Second Preimage Resistance Given the description of h, given y = h(x) finding x with y = h(x ) should be infeasible- Preimage Resistance

  4. Applications of Hash Functions Application to MAC - Domain Extension) Message digest (hash) of file X Hash Function File X Message digest of a file serves as its unique identifier (unless a collision is found) The above idea has several applications File Integrity Check When a file is downloaded, its hash is also supplied, which is then compared with the hash of the downloaded file Virus Fingerprinting Virus scanners store the hashes of known viruses When an email attachment or an application is downloaded, its hash is compared with the known hashes in the table to identify viruses Deduplication When a cloud storage is shared by several users, then storing the same file multiple times by multiple users is avoided by comparing the digests of uploaded files Password Hashing

  5. Hash Functions Ivan Damg rd: Collision Free Hash Functions and Public Key Signature Schemes. EUROCRYPT 1987: 203-216

  6. Collision Resistance Security = (Gen, h), n Experiment Hash-CR (n) A, Attacker A k (x,x ) I can break Run time: Poly(n) Let me verify Collision Gen(1n) game output 1 (A succeeds) if h(x) = h(x ) 0 (A fails) otherwise is Collision Resistant HF if for every A, there is a negl(n) such that Pr [Hash-CR (n) = 1] negl(n) A,

  7. Second Preimage Resistance Security = (Gen, h), n Experiment Hash-SPR (n) A, Attacker A k and a uniform x x I can break Run time: Poly(n) Let me verify Gen(1n) game output 1 (A succeeds) if h(x) = h(x ) 0 (A fails) otherwise is second preimage resistant HF if for every A, there is a negl(n) such that Pr [Hash-SPR (n) = 1] negl(n) A,

  8. Collision Resistance & Second Preimage Resistance h(x) {0, 1}n {0, 1}n {0, 1}m {0, 1}m g(x) Collision Resistance second preimage resistance. Otherway? Let h: {0, 1}m {0, 1}nbe a second preimage resistant hash function We can design a new hash function from h which is second preimage resistant but not collision resistant ? Define a new hash function g: {0, 1}m {0, 1}nas follows: 0n, if x = 0mor x = 1m g(x) = h(x), otherwise g is collision resistant with probability 0 If h is second preimage resistant with probability negl() then g is second preimage resistant with probability = 1/2m-1+ negl() = negligible

  9. Preimage Resistance Security = (Gen, h), n Experiment Hash-PR (n) A, Attacker A k and uniform y x I can break Run time: Poly(n) Let me verify Gen(1n) game output 1 (A succeeds) if h(x) = y 0 (A fails) otherwise Is Preimage Resistant HF if for every A, there is a negl(n) such that Pr [Hash-PR (n) = 1] negl(n) A,

  10. Pre-image Resistance Second Pre-image Resistance h(x) Let h: {0, 1}m {0, 1}nbe a pre-image resistant hash function {0, 1}n {0, 1}m Define a new hash function g: {0, 1}m {0, 1}nas follows: Function g x = (x0 x1 xm-2 xm-1) h(x0 x1 xm-20) If h is pre-image resistant with probability negl() then g is pre-image resistant with probability at least 2negl() = negligible g is second-preimage resistant with probability 0 Given a random x and g(x), trivial to find x x with g(x ) = g(x) x is the whole x with final bit flipped --- in fact g is also not collision-resistant

  11. Relation among Security Notions Collision resistance Second pre-image resistance Pre-image resistance (One-wayness)

  12. Second Preimage Resistance and Preimage Resistance Let h: {0, 1}m {0, 1}nbe a second- preimage resistant hash function h(x) Does it imply that h is also pre-image resistant ? {0, 1}n Depends upon the compression ratio !! {0, 1}m Suppose h is not pre-image resistant --- PPT algorithm Aprefor computing pre-image Then consider the following PPT algorithm Asecfor computing second pre-images corresponding to random x and h(x) Apre y R{0, 1}n x {0, 1}m h(x) = y

  13. Second Preimage Resistance and Preimage Resistance Let h: {0, 1}m {0, 1}nbe a second- preimage resistant hash function h(x) Does it imply that h is also pre-image resistant ? {0, 1}n Depends upon the compression ratio !! {0, 1}m Suppose h is not pre-image resistant --- PPT algorithm Aprefor computing pre-image Then consider the following PPT algorithm Asecfor computing second pre-images corresponding to random x and h(x) Asec Apre x R{0, 1}m h(x) x h(x) x {0, 1}m h(x ) = y What is the probability that Asecoutputs x x ? --- depends upon compression ratio Ex: if m = 2n, then on an average every two different x values mapped to the same y. So with probability roughly 1-2-n, x x h is not second-preimage resistant (contradiction)

  14. Second Preimage Resistance and Preimage Resistance Let h: {0, 1}m {0, 1}nbe a second- preimage resistant hash function h(x) Does it imply that h is also pre-image resistant ? {0, 1}n Depends upon the compression ratio !! {0, 1}m Suppose h is not pre-image resistant --- PPT algorithm Aprefor computing pre-image Then consider the following PPT algorithm Asecfor computing second pre-images corresponding to random x and h(x) Asec Apre x R{0, 1}m h(x) x h(x) x {0, 1}m h(x ) = y What is the probability that Asec outputs x x ? --- depends upon compression ratio Ex: if m = n (say the identity function), then x x with probability 0 h is not second- preimage resistant (no contradiction)

  15. Constructing Hash Functions Goal: h: {0, 1}* {0, 1}n >> Stage I: h: {0, 1}l (n) {0, 1}l(n); l (n) > l(n) Implies compressing by bit as hard (easy) as compressing arbitrary number of bits >> Stage II: Domain Extension

  16. The Merkle-Damgaard Transform Given: A fixed-length collision-resistant function h: {0, 1}2n {0, 1}n Goal: A arbitrary-length collision-resistant function h: {0, 1}* {0, 1}n * < 2n Divide input x into blocks of length n --- B = L/ n (use 0-padding to make L a multiple of n) x1 x2 xB xB+1= L x h h h h g(x) Z0= 0n ZB Z1 Z2 Used Everywhere in practice! SHA2, MD5

  17. The Merkle-Damgard Transform: Security Theorem: If h is a hash function for messages of length 2n, then the Merkle-Damgard transformation yields a collision-resistant hash function for arbitrary length messages. Proof: Reduction yet again! If Merkle-Damgard is not collision-resistant then h is also not collision resistant Let x = (x1x2 xBL) and x = (x 1x 2 x B L ) be two different messages of length L and L respectively, such that g(x) = g(x ) Case I: L L : x x1 x2 xB x x 1 x 2 x B L L 0n ZB Z2 Z 2 g(x ) h h h h h h h g(x) h Z1 Z 1 0n Z B Can you spot a collision for h in this case ?

  18. The Merkle-Damgard Transform: Security Theorem: If h is a hash function for messages of length 2n, then the Merkle-Damgard transformation yields a collision-resistant hash function for arbitrary length messages. If Merkle-Damgard is not collision-resistant then h is also not collision resistant Let x = (x1x2 xBL) and x = (x 1x 2 x B L ) be two different messages of length L and L respectively, such that g(x) = g(x ) Case I: L L : x x L L ZB g(x ) h h g(x) Z B Can you spot a collision for h in this case ? (ZB|| L) (Z B || L ) is a collision for h --- contradiction

  19. The Merkle-Damgard Transform: Security Theorem: If h is a hash function for messages of length 2n, then the Merkle-Damgard transformation yields a collision-resistant hash function for arbitrary length messages. If Merkle-Damgard is not collision-resistant then h is also not collision resistant Let x = (x1x2 xBL) and x = (x 1x 2 x B L ) be two different messages of length L and L respectively, such that g(x) = g(x ) Case II: L = L : x x1 x2 xB x x 1 x 2 x B L L ZB Z2 Z 2 g(x ) h h h h h h h g(x) h Z1 Z 1 Z B 0n 0n Can you spot a collision for h in this case ?

  20. The Merkle-Damgard Transform: Security Theorem: If h is a hash function for messages of length 2n, then the Merkle-Damgard transformation yields a collision-resistant hash function for arbitrary length messages. If Merkle-Damgard is not collision-resistant then h is also not collision resistant Let x = (x1x2 xBL) and x = (x 1x 2 x B L ) be two different messages of length L and L respectively, such that g(x) = g(x ) Case II: L = L : x x1 x2 xB x x 1 x 2 x B L L ZB Z2 Z 2 g(x ) h h h h h h h g(x) h Z1 Z 1 Z B 0n 0n Can you spot a collision for h in this case ? Define Ii= (xi|| Zi-1) and I i= (x i|| Z i-1) --- inputs for the ithinvocation of h Let N be the largest index with IN I N--- such an N always exist

  21. The Merkle-Damgard Transform: Security Theorem: If h is a hash function for messages of length 2n, then the Merkle-Damgard transformation yields a collision-resistant hash function for arbitrary length messages. If Merkle-Damgard is not collision-resistant then h is also not collision resistant Let x = (x1x2 xBL) and x = (x 1x 2 x B L ) be two different messages of length L and L respectively, such that g(x) = g(x ) Case II: L = L : x xN x x N L L Z N-1 h Z N ZN-1 h ZN By maximality of N, ZN= Z Nas IN+1= I N+1and so on

  22. The Merkle-Damgard Transform: Security Theorem: If h is a hash function for messages of length 2n, then the Merkle-Damgard transformation yields a collision-resistant hash function for arbitrary length messages. If Merkle-Damgard is not collision-resistant then h is also not collision resistant Let x = (x1x2 xBL) and x = (x 1x 2 x B L ) be two different messages of length L and L respectively, such that g(x) = g(x ) Case II: L = L : x xN xN+1 x x N x N+1 L L Z N-1 h Z N ZN-1 h h ZN h By maximality of N, ZN= Z Nas IN+1= I N+1and so on So h(IN) = h(I N), even though IN I N (IN, I N) constitutes a collision for h --- a contradiction

  23. Constructing Hash Functions Goal: h: {0, 1}* {0, 1}n >> Stage I: h: {0, 1}l (n) {0, 1}l(n); l (n) > l(n) >> Stage II: Domain Extension >> Davies-Meyer construction, >> Matyas-Meyer-Oseas construction, >> Miyaguchi-Preneel construction, etc >> Heuristics. >> None of them are provably secure >> Weak guarantees of them being collision resistant is known

  24. Davis-Meyer Construction k R{0,1}n Given : A SPRP F: {0, 1}nx {0, 1}l {0, 1}l Fk(x) {0,1}l x {0,1}l Goal : F A fixed-length hash function h: {0, 1}l+n {0, 1}l n l z x k z y = h(x) = F(k, z) k F h Is h a collision-resistant compression function ?

  25. Davis-Meyer Construction n l z x k z y = h(x) = F(k, z) k F h How to prevent such attack? Easy to find collision assuming F to be SPRP. x = z||k y = F(k,z) z = F-1(k ,F(k,z)) x = z || k

  26. Davis-Meyer Construction n l z x k z y = h(x) = F(k, z) z k F h 5thChalk and Talk topic The previous collision finding algorithm work for this construction fail with high probability Part I: Proof of the theorem below Part II: Birthday Attack OR Time/Space Tradeoff for Inverting Functions No proof of CR of the above scheme under PRF/PRP/SPRP assumption!! Open problem >> Think of the reduction, does not work! Theorem: If F is a ideal random strong permutation, then adversary making q < 2l/2queries finds a collision with probability q2/2l

  27. Practical Construction of Hash Functions MD5 : 128-bit output; designed in 1991 and believed to be secure (collision-resistant) Completely broken in 2004 by Chinese cryptanalysts; collision can be found in less than a minute on a desktop PC SHA (Secure Hash Algorithm) Family Standardized by NIST. Got two flavors SHA-1 and SHA-2 First a fixed-length compression function designed from a block cipher In the second stage, the Merkle-Damgard transformation is applied Special block ciphers designed for the stage I SHA-3 (Keccak) Winner of the NIST competition for hash functions Construction very different from previous constructions For stage I uses an un-keyed permutation of block length 1600 bits For stage II uses a new approach called sponge construction

  28. Message Authentication Using Hash Functions Given a fixed-length MAC, we can design arbitrary-length MAC using two methods: Method I: Generic (randomized) but inefficient construction l m m2 m3 3 m1 1 r 2 r r l l l Mack(m) = t = (r, t1|| t2|| t3) k Mac Mac Mac t1= Mack(m1 || 1 || l || r) t2= Mack(m2|| 2 || l || r) t3= Mack(m3|| 1 || l || r) Method II: Efficient CBC-Mac m Can we do further improvement m2 m3 using hash functions ? m1 |m| k F F F F t = Mack(m)

  29. Message Authentication Using Hash Functions (Hash-and-MAC Paradigm) Given an arbitrary-length message, compute its Mac-tag in two stages: Step I: Compress the arbitrary-length message to a fixed-length string using a CRHF Step II: Compute the Mac-tag on the message digest (output of the CRHF) Let: MAC= (Mac, Vrfy) be a MAC for messages of length l(n) h: {0, 1}* {0, 1}l(n)be a collision-resistant hash function Then MAC= (Mac , Vrfy ) is a MAC for arbitrary-length messages constructed as follows: Tag Generation Tag Verification m {0, 1}* m {0, 1}* h h t d d k 0 k Mac Vrfy t Mac Vrfy

  30. Message Authentication Using Hash Functions (Hash-and-MAC Paradigm) Given an arbitrary-length message, compute its Mac-tag in two stages: Step I: Compress the arbitrary-length message to a fixed-length string using a CRHF Step II: Compute the Mac-tag on the message digest (output of the CRHF) Let: MAC= (Mac, Vrfy) be a MAC for messages of length l(n) h: {0, 1}* {0, 1}l(n)be a collision-resistant hash function Then MAC= (Mac , Vrfy ) is a MAC for arbitrary-length messages constructed as follows: Tag Generation Tag Verification m {0, 1}* m {0, 1}* h h t m d d k 1 k Mac Vrfy t Mac Vrfy The above construction is more efficient than CBC-Mac --- is it secure ?

  31. Hash-and-MAC Paradigm: Security (Sketch) Tag Generation Tag Verification m {0, 1}* m {0, 1}* h h t m d d k 1 k Mac Vrfy t Mac Vrfy The above construction gives a secure MAC for arbitrary-length messages m1, m2, , mq PPT Attacker A t1, t2, , tq ti= Mack(h(mi)) (m*, t*) Gen(1n) I can forge (Mac , Vrfy ) MAC-Oracle A successfully forges (Mac , Vrfy ) if m* m1, m2, , mqand Vrfyk(m*, t*) = 1 The above is possible under two possible cases: Case I: There exists some mi {m1, , mq} such that h(mi) = h(m*) --- then Mac k(mi) = Mac k(m*) = ti But the probability that h(m*) = h(mi) for m* miis negligible ---- as h is a CRHF

  32. Hash-and-MAC Paradigm: Security (Sketch) Tag Generation Tag Verification m {0, 1}* m {0, 1}* h h t m d d k 1 k Mac Vrfy t Mac Vrfy The above construction gives a secure MAC for arbitrary-length messages m1, m2, , mq PPT Attacker A t1, t2, , tq ti= Mack(h(mi)) (m*, t*) Need to formally prove the two cases via suitable reductions Gen(1n) I can forge (Mac , Vrfy ) MAC-Oracle A successfully forges (Mac , Vrfy ) if m* m1, m2, , mqand Vrfyk(m*, t*) = 1 The above is possible under two possible cases: Case II: There exists no mi {m1, , mq} such that h(mi) = h(m*) Then Vrfyk(m*, t*) = 1 only if A is able to forge MAC= (Mac, Vrfy) --- contradiction

  33. Key Management/Agreement

  34. How do Parties Maintain Keys ? Several ways depending on the applications Personally meeting and agreeing on several keys Assumption: Secure channel available at some point Ex: several keys embedded in a secure hardware and distributed Common in military application Use some secure courier service Depend on a trusted key-distribution center (KDC) Used in large closed organizations, ex a University, a company, etc Assumption: Secure channel available at some point + Trust on KDC + opening up possibility for Single- point-failure Birth of the public-key revolution Several practical protocols based on the idea of KDC Ex: Needham-Schroeder protocol Diffie-Hellman Key-exchange protocol Forms the backbone of Kerberos system --- used in Windows and some Unix systems for secure networked authentication and communication Can parties establish secure keys on a public channel without having any prior shared secret ? Seems like an impossible task !!

  35. Diffie-Hellman Key Exchange Protocol Whitfield Diffie and Martin Hellman. New Directions in Cryptography. 1976 Showed how two people can publicly establish a secret-key even if an eavesdropper monitors the entire conversation Underlying observation: asymmetry is often present in the world !! No key required Not possible without key Based on some assumptions in (some) cyclic groups of prime order Very Easy Extremely difficult

  36. Roadmap Groups Finite groups modular arithmetic Finite cyclic groups Three Assumptions Finite Cyclic groups of prime order (special advantages)

  37. Modular Arithmetic Central to public-key cryptography --- set of integers Let a, N , with N > 1. Then [a mod N] = remainder when a is divided by N Proposition: Given a and N, there always exist integers q and r such that : a = qN + r, where 0 r < N Notation: r is denoted as [a mod N] There exists a unique mapping from a to [a mod N]; f: {0, .,N-1} Definition (Reduction modulo N): The process of mapping an integer a to [a mod N] is called reduction modulo N

  38. Easy way of Modular Reduction To do reduction modulo N, always imagine a clock with marks 0, 1, , N-1 Find [a mod N] in the clock notation as follows: If a is positive: start counting from 0 in the clock in a clock-wise direction and stop after counting a times --- the final mark represents [a mod N] If a is negative: start counting from 0 in the clock in an anti clock-wise direction and stop after counting a times --- the final mark represents [a mod N] Ex: N = 4 [5 mod 4] = 1 [-7 mod 4] = 1 0 0 0 3 1 3 1 3 1 2 2 2

  39. Congruence Modulo N Definition (Congruence Modulo N): If [a mod N] = [b mod N], then a is said to be congruent to b modulo N a and b are mapped to the same r Notation: a = b mod N; Note that a = [b mod N] is different; modulo reduction done on b ONLY 36 = 21 mod 15, but 36 =/= 6 a = b mod N N divides (a - b) Proposition: Congruence modulo N is an equivalence relation: Reflexive, symmetric & transitive

  40. Standard Rules of Arithmetic for Congruence mod N Yes, trivially for Addition. Subtraction and Multiplication Reduce and then add/subtract/multiply Instead of add/subtract/multiply and then reduce If a = a mod N and b = b mod N then a + b = a + b mod N If a = a mod N and b = b mod N then a b = a - b mod N If a = a mod N and b = b mod N then a * b = a * b mod N Example: Compute [1093028 * 190301 mod 100] Option I : first compute 1093028 * 190301 and then reduce mod 100 Option II : first reduce 1093028 and 190301 mod 100 and get 28 and 1 respectively. Then compute 28* 1 and reduce mod 100 Definitely option II is far better than option I

  41. Private-key Cryptography: A Top-down Approach Private-key Cryptography Message Authentication Codes Pseudorandom Permutations Block Ciphers Pseudorandom Generators Next few lectures One-way Functions Number Theoretic Assumptions Public-key Cryptography

Related


Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

Cryptography,.Quantum-safe Cryptography& Quantum Cryptography

pendragon
Introduction to Cryptography: Basics, Terminology, and Significance

Introduction to Cryptography: Basics, Terminology, and Significance

lucius
The Fascinating World of Cryptography

The Fascinating World of Cryptography

solveig
Formal Verification of Quantum Cryptography by Dominique Unruh

Formal Verification of Quantum Cryptography by Dominique Unruh

aslan
Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

Evolution of Cryptography: From Ancient Techniques to Modern Security Mechanisms

damari
Introduction to Cryptography, Cryptanalysis, and Cryptology

Introduction to Cryptography, Cryptanalysis, and Cryptology

waverly
Cloud Cryptography for Secure Data Processing

Cloud Cryptography for Secure Data Processing

vespera
Exploring the World of Quantum Money and Cryptography

Exploring the World of Quantum Money and Cryptography

guinevere
Overview of Basic Security Properties and Cryptography Fundamentals

Overview of Basic Security Properties and Cryptography Fundamentals

kawhi
Introduction to Cryptography: The Science of Secure Communication

Introduction to Cryptography: The Science of Secure Communication

catt504
Post-Quantum Cryptography Security Proofs and Models Overview

Post-Quantum Cryptography Security Proofs and Models Overview

siddhi
Foundations of Cryptography: MIT Course Overview and Key Concepts

Foundations of Cryptography: MIT Course Overview and Key Concepts

dherb
Key Distribution and Management in Cryptography

Key Distribution and Management in Cryptography

kreitzer_k
Secure Computation in the Age of Information

Secure Computation in the Age of Information

kha_va
Overview of Public-Key Cryptography and Knapsack Problem in Cryptology

Overview of Public-Key Cryptography and Knapsack Problem in Cryptology

dhrn907
Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

Efficient Verified Cryptography in F* by Jean-Karim Zinzindohou

rago_a
Cryptographic Center in Novosibirsk: Advancements in Cryptography and Research

Cryptographic Center in Novosibirsk: Advancements in Cryptography and Research

lott995
Key Exchange and Public-Key Cryptography Overview

Key Exchange and Public-Key Cryptography Overview

rini_lyn
Secure Computation Lecture Recap and Solutions

Secure Computation Lecture Recap and Solutions

she_cha
New Directions in Cryptography: Harta Dwijaksara, Yi Jae Park

New Directions in Cryptography: Harta Dwijaksara, Yi Jae Park

antwu
Cryptography and Its Algorithms

Cryptography and Its Algorithms

rkar
Cryptography

Cryptography

schryver_v

More Related Content