David Evans
http://www.cs.virginia.edu/evans
CS588: Cryptography, University of Virginia Computer Science
Lecture 17: Public-Key Protocols


12 April 2005 University of Virginia CS 588 2

Story So Far
• Symmetric Encryption
  – Amplify and time-shift a small secret to transmit large secrets
• Asymmetric Encryption
  – Use a trustworthy non-secret to establish secrets, check signatures
• Proving an encryption algorithm is secure is either:
  – Reasonably easy if it is a perfect cipher
  – Essentially impossible if it is not

Plan for Rest of the Course
• Today, Thursday: some interesting applications of cryptography
• Next Tuesday: Quantum/visual crypto
• Next Thursday, April 26: Software system security: real world security is mostly not about cryptography
• April 28: Project presentations

If there’s anything you hoped this course would cover that is not listed here, send me requests by Friday

Finding Project Partners
• Simple way:
  – Ask people in the class if they want to work with you
• Problems:
  – You face rejection and ridicule if they say no
• Can you find partners without revealing your wishes unless they are reciprocated?
  – Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them

Use a Universally Trusted Third Party
[Diagram: Alice, Bob, MatchMaker.com; caption “Alice is your best match”]
Bob would like to work with: Ron Rivest, Sandra Bullock, Alice
Alice: Thomas Jefferson, Colleen Hacker, Bob

Use a Universally Trusted Third Party
Bob → MatchMaker.com: $E_{KU_M}[E_{KR_B}[\text{“Bob would like …”}]]$
MatchMaker.com → Bob: $E_{KU_B}[E_{KR_M}[\text{“Alice”}]]$

HashMaker.com?
• Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board.
• No one else can tell Bob’s deepest darkest desires (H is one-way)
• If someone else writes the same hash on the board, Bob has found his match
• How well does this work?

Untrusted Third Party
Bob → HashMatcher.com: $E_{H(W)}[W]$
Use the hash of the wish as the encryption key for some symmetric cipher:
HashMatcher can’t determine the wish
Someone with the same exact wish will match exactly


How can we send a message to HashMaker without it knowing who sent it?

To: HashMaker
From: Anonymous

To: Router4
To: Router3
To: Router2
To: Router1
From: Bob

Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick n random routers, $R_{i_1} \ldots R_{i_n}$
$R_{i_k}$ gets a message $M_k$: $E_{KU_{R_{i_k}}}(\text{To: } R_{i_{k+1}} \,\|\, M_{k+1})$

Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick 1 random router: R2
Send R2: $E_{KU_{R_2}}(\text{To: HashMatcher.com} \,\|\, M)$

Onion Routing
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
Pick 2 random routers: R2, R5
Send R2: $E_{KU_{R_2}}[\text{To: } R_5 \,\|\, E_{KU_{R_5}}[\text{To: HashMatcher.com} \,\|\, M]]$

http://tor.eff.org


Traffic Analysis
[Diagram: Bob, routers R1 to R5, HashMatcher.com]
If these are the only packets on the network, someone observing the network knows it was Bob

Preventing Traffic Analysis
[Diagram: Bob, routers R1 to R5, HashMatcher.com]

Finding Partners
• If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order)
• Using onion routing, sends HashMatcher: $E_{H(W)}[W]$
• Using onion routing, queries HashMatcher if there is a matching item
  – If so, Alice wants to work with him

Problems with this Protocol
• Cathy could send W = “Alice + Bob”
• Anyone can query “x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which)
• If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them?
• Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol

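The $E_{H(W)}[W]$ submission from the Untrusted Third Party and Finding Partners slides, together with the first two problems listed above, as an added Python example (not code from the lecture). The SHA-256 counter-mode keystream is a toy stand-in for “some symmetric cipher”, and the names `HashMatcher`, `token` and `who_involves` are assumptions.

```python
import hashlib

def H(data):
    return hashlib.sha256(data).digest()

def E(key, plaintext):
    # Toy deterministic stream cipher (assumption): SHA-256 in counter mode
    # as keystream, standing in for the slides' "some symmetric cipher".
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(H(key + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

def wish(a, b):
    # Slide convention: names in alphabetical order, e.g. "Alice + Bob"
    return " + ".join(sorted([a, b])).encode()

def token(a, b):
    w = wish(a, b)
    return E(H(w), w)               # E_H(W)[W]: same wish, same token

class HashMatcher:
    """Untrusted board (hypothetical): stores opaque tokens, never sees W."""
    def __init__(self):
        self.counts = {}
    def submit(self, t):
        self.counts[t] = self.counts.get(t, 0) + 1
    def query(self, t):
        return self.counts.get(t, 0)   # a submitter has a match at 2 or more

def who_involves(board, target, roster):
    # Second problem on the slide: W comes from a small, guessable set, so
    # anyone can recompute the token for "x + target" for every x and query it.
    return [x for x in roster
            if x != target and board.query(token(x, target)) > 0]
```

Because the board only counts identical tokens, a second submission of “Alice + Bob” from Cathy is indistinguishable from one sent by Alice, which is the first problem on the slide.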

MIXes
[Diagram: inputs C1 to C4, a random, secret permutation, outputs M1 to M4]
Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input

MIX Net [Chaum81]
[Diagram: inputs C1 to C4 pass through mixes A, B, C to outputs M1 to M4]
$C = E_{KU_A}[E_{KU_B}[E_{KU_C}[M]]]$
$E_{KR_A}(C)$, $E_{KR_B}(C)$, $E_{KR_C}(C)$
What is input?
What if Eve can see all traffic?
What if one of A, B or C is corrupt?
What if two are corrupt?
Any good applications?

Voting Application
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4]
$C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”}]]]$
How well does this work?

* Note: any resemblance to real political parties is purely coincidental.

Voting Application
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4]
$C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”}]]]$
Easy for any eavesdropper (knows public keys) to compute C for a small set of possible messages

Voting Application
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4]
$C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”} \,\|\, R]]]$

Voting Application
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4]
$C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”} \,\|\, R_1]\, R_2]\, R_3]$
Each mux decrypts with private key and removes R

Voting Application
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4; all four outputs read “Nader”]

Voting Application
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4; all four outputs read “Nader”]
$C = E_{KU_G}[\text{“Badnarik”} \,\|\, R_1]$
Does publishing $R_1$ help?

Publishing R1

• Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted

• Voters can prove to someone else for whom they voted

• If Orange doesn’t like result, can still disrupt election

$C = E_{KU_R}[E_{KU_D}[E_{KU_G}[\text{“Badnarik”} \,\|\, R_1]\, R_2]\, R_3]$

Auditing Muxes
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4; all four outputs read “Nader”]
Send inputs to next 2 muxes
D mux picks n random inputs
Asks R to prove they were done correctly
How does R prove it?

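Auditing Muxes
[Diagram: inputs C1 to C4 pass through the Republicrat Party, Democrican Party and Orange Party muxes to outputs M1 to M4; all four outputs read “Nader”]
$\text{Input}_i = E_{KU_R}[E_{KU_D}[E_{KU_G}[v \,\|\, R_1]\, R_2]\, R_3]$
$\text{Output}_j = E_{KU_D}[E_{KU_G}[v \,\|\, R_1]\, R_2]$
If R reveals j and $R_3$, D can check $E_{KU_R}[\text{Output}_j \,\|\, R_3] = \text{Input}_i$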

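Added example (not part of the lecture): the layered ballot with one random value per layer, a single mux step, D's audit check $E_{KU_R}[\text{Output}_j \,\|\, R_3] = \text{Input}_i$, and the eavesdropper's guess against a ballot that carries no R, in Python. Textbook RSA over Mersenne primes is a toy stand-in for the public-key cipher and is not secure; all function names and the 8-byte length of each R are assumptions.

```python
import secrets

# Toy textbook RSA standing in for E_KU / E_KR (assumption; NOT secure).
# Mersenne primes keep it short; moduli grow so each layer fits in the next.
E = 65537
RLEN = 8                                 # bytes of randomness per layer (assumed)

def keypair(a, b):
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))     # (public n, private d)

G, D, R = keypair(89, 107), keypair(127, 521), keypair(607, 1279)

def enc(n, data):                        # deterministic public-key encryption
    m = int.from_bytes(b"\x01" + data, "big")       # 0x01 keeps leading zeros
    if m >= n:
        raise ValueError("plaintext too long for this modulus")
    return pow(m, E, n).to_bytes((n.bit_length() + 7) // 8, "big")

def dec(n, d, c):                        # private-key operation
    m = pow(int.from_bytes(c, "big"), d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]

def wrap(vote, moduli):                  # moduli innermost first: G, D, R
    c, rs = vote, []
    for n in moduli:
        rs.append(secrets.token_bytes(RLEN))
        c = enc(n, c + rs[-1])
    return c, rs                         # ballot C and [R1, R2, R3]

def mux(key, c):                         # decrypt one layer, strip its R
    plain = dec(key[0], key[1], c)
    return plain[:-RLEN], plain[-RLEN:]

def audit(n, input_i, output_j, r):      # E_KU[Output_j || R] == Input_i ?
    return enc(n, output_j + r) == input_i

def guess_vote(n, c, candidates):        # eavesdropper recomputing E_KU[v]
    return next((v for v in candidates if enc(n, v) == c), None)
```

The audit needs only the public key, so D can run it without learning anything beyond the one input-output pair that R reveals.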

Auditing Tradeoffs

• For every audit, one input-output mapping is revealed

• The more audits, the greater the likelihood of catching a cheater

• What if each mux audits ½ of the values?

Catching Cheaters

• Probability a mux can cheat on k votes without getting caught = $(1/2)^k$

• Probability a voter’s vote is revealed to eavesdropper (m muxes): $(1/2)^m$

• If muxes collude, all bets are off

Note: unaudited votes can only be one of n/2 possible outputs!

Faculty Candidate talk tomorrow:

Yih-Chun Hu (CMU, Berkeley)
Securing Network Routing

Olsson 011, 3:30PM