more crypto and security
TRANSCRIPT
More crypto and security
CSE 199, Projects/Research
• Individual enrollment
• Projects / research, individual or small group
• Implementation or theoretical
• Weekly one-on-one meetings, no lectures
• Course grade based on project report and presentation
Mihir Bellare UCSD 1
More crypto and security
CSE 207
• Graduate introduction to cryptography
• Focus on provable-security
• Material overlaps with 107 but changes in focus as above
Mihir Bellare UCSD 2
Security courses
CSE 127, Savage / Shacham
• Undergraduate introduction to security
• Systems issues
CSE 227, Savage/Shacham
• Graduate introduction to security
Mihir Bellare UCSD 3
Advanced courses
CSE 208 is a “Topics” course whose content varies from year to year.Some past topics:
• Program obfuscation
• Pairing-based cryptography
• Lattices in cryptography
• Zero-knowledge
• Electronic payments
Mihir Bellare UCSD 4
Grad school?
• MS: 2 years
• PhD: 5+ years, research-orientated
You can consider a PhD if you enjoy research: solving new problems,exploring the unknown.
An MS is to gain expertise.
Mihir Bellare UCSD 5
PhD application process
• Applications for Fall due in previous winter
• PhD students are usually fully funded through fellowships, RA-shipsand TA-ships.
• Admission to top schools is very competitive but there are nicheschools that are excellent in specific areas
• To get admitted to a good program you need a high GPA, strongrecommendation letters and a convincing statement of purpose.
• Best of all: accomplished research!
Mihir Bellare UCSD 6
APPLICATIONS AND PROTOCOLS
Mihir Bellare UCSD 7
Some applications and protocols
• Internet Casino
• Commitment
• Shared coin flips
• Threshold cryptography
• Forward security
• Program obfuscation
• Zero-knowledge
• Certified e-mail
• Electronic voting
• Auctions
• Identity-based encryption
• Functional encryption
• Fully-homomorphic encryption
• Searchable encryption
• Oblivious transfer
• Garbling schemes
• Secure computation
• Group signatures
• Aggregate signatures
Mihir Bellare UCSD 8
Internet Casino: Protocol G1
Player Casino
$1,G -
T$←{1, 2, . . . , 100}
if G = T then d ← $200else d ← $0
T , d�
Would you play?
Expected value of d is $200( 1100) = $2 > $1 so probability theory says that
the player will earn money by playing.
Mihir Bellare UCSD 9
Problem: Casino can cheat
Player Casino$1,G -
T$←{1, 2, . . . , 100}\{G}
d ← $0T , d�
Mihir Bellare UCSD 10
Internet Casino: Protocol G2
Player Casino$1 -
T$←{1, 2, . . . , 100}
T�
G -
if G = T then d ← $200else d ← $0
d�
But now player can always win by setting G = T . No casino would do this!
Mihir Bellare UCSD 11
Internet Casino problem
Player and Casino need to exchange G , T so that
• Casino cannot choose T as a function of G .
• Player cannot choose G as a function of T .
How do we resolve this Catch-22 situation?
Mihir Bellare UCSD 12
”Internet” Casino: Protocol G3
G
G
Casino
T$←{1, 2, . . . , 100}
T
if G = T then d ← $200d else d ← $0
G
Player
$1,
is a locked safe containing a piece of paper with Gwritten on it.
is a key to open the safe.
Mihir Bellare UCSD 13
“Internet” Casino: Protocol G3
G
G
Casino
T$←{1, 2, . . . , 100}
T
if G = T then d ← $200d else d ← $0
G
Player
$1,
• Casino cannot choose T as a function of G because, without the key,it cannot see G .
• Player cannot choose G as a function of T because, by putting it inthe safe, she is committed to it in the first move.
Mihir Bellare UCSD 14
Internet Casino Protocol using cryptography
Player Casino
K$←{0, 1}128
C ← H(K‖G ) C -
T$←{1, 2, . . . , 100}
T�
G ,K -
if (H(K‖G ) = C and G =T )then d ← $99 else d ← $0
d�
Here H is a cryptographic hash function. More generally one can use aprimitive called a committment scheme.
Mihir Bellare UCSD 15
Commitment Schemes
A commitment scheme CS = (P, C,V) is a triple of algorithms
C C
P π
VK
M
0/1
Parameter generation algorithm P is run once by a trusted party toproduce public parameters π.
In Internet Casino
M Data being commited G
C Commital
K Decommital keyMihir Bellare UCSD 16
Security properties
• Hiding: A commital C generated via (C ,K )$←C(π,M) should not
reveal information about M.
= C does not reveal M.
• Binding: It should be hard to find C ,M0,M1,K0,K1 such thatM0 6= M1 but V(π,C ,M0,K0) = V(π,C ,M1,K1) = 1.
K0 C
CK1
M0
M1
Mihir Bellare UCSD 17
Internet Casino Protocol using a commitment scheme
Player Casino
(C ,K )$←C(π,G ) C -
T$←{1, 2, . . . , 100}
T�
G ,K -
if (V(π,C ,G ,K ) = 1 and G =T )then d ← $99else d ← $0
d�
Mihir Bellare UCSD 18
Hiding Formally
Let CS = (P, C,V) be a commitment scheme and A an adversary.
Game HIDECS
procedure Initializeπ
$←P; b$←{0, 1}
return π
procedure LR(M0,M1)
(C ,K )$←C(π,Mb)
return C
procedure Finalize(b′)return (b = b′)
The hiding-advantage of A is
AdvhideCS (A) = 2 · Pr[HIDEA
CS ⇒ true]− 1.
Mihir Bellare UCSD 19
Binding Formally
Let CS = (P, C,V) be a commitment scheme and A an adversary.
Game BINDCS
procedure Initializeπ
$←Preturn π
procedure Finalize(C ,M0,M1,K0,K1)v0 ← V(π,C ,M0,K0)v1 ← V(π,C ,M1,K1)return (v0 = v1 = 1 and M0 6= M1)
The binding-advantage of A is
AdvbindCS (A) = Pr[BINDA
CS ⇒ true].
Mihir Bellare UCSD 20
Commitment from symmetric encryption
Let SE = (K, E ,D) be an IND-CPA-secure symmetric encryption schemeand let CS = (P, C,V) be the commitment scheme where P returns π = εand
Alg C(π,M)
K$←K;C
$←EK (M)return (C ,K )
Alg V(π,C ,M,K )
if DK (C ) = M then return 1else return 0
Is this secure?
• It is certainly hiding.
• But need not be binding: it may be possible to find C ,M0,M1,K0,K1
such that
DK0(C ) = M0 and DK1(C ) = M1
For example this is easy when SE is CBC$ encryption.
Mihir Bellare UCSD 21
Commitment from symmetric encryption
Let SE = (K, E ,D) be an IND-CPA-secure symmetric encryption schemeand let CS = (P, C,V) be the commitment scheme where P returns π = εand
Alg C(π,M)
K$←K;C
$←EK (M)return (C ,K )
Alg V(π,C ,M,K )
if DK (C ) = M then return 1else return 0
Is this secure?
• It is certainly hiding.
• But need not be binding: it may be possible to find C ,M0,M1,K0,K1
such that
DK0(C ) = M0 and DK1(C ) = M1
For example this is easy when SE is CBC$ encryption.
Mihir Bellare UCSD 22
Commitment from public key encryption
Let AE = (K, E ,D) be an IND-CPA-secure asymmetric encryption schemeand let CS = (P, C,V) be the commitment scheme where
Alg P(pk, sk)
$←Kπ ← pkreturn π
Alg C(pk,M)
K$←{0, 1}k
C ← Epk(M;K )return (C ,K )
Alg V(pk,C ,M,K )
if Epk(M;K ) = C thenreturn 1
else return 0
Epk(M;K ) means encryption of M with coins K .
• Certainly hiding.
• Binding too since C has only one decryption relative to pk, namelyM = Dsk(C ).
Mihir Bellare UCSD 23
Commitment from public key encryption
Let AE = (K, E ,D) be an IND-CPA-secure asymmetric encryption schemeand let CS = (P, C,V) be the commitment scheme where
Alg P(pk, sk)
$←Kπ ← pkreturn π
Alg C(pk,M)
K$←{0, 1}k
C ← Epk(M;K )return (C ,K )
Alg V(pk,C ,M,K )
if Epk(M;K ) = C thenreturn 1
else return 0
Epk(M;K ) means encryption of M with coins K .
• Certainly hiding.
• Binding too since C has only one decryption relative to pk, namelyM = Dsk(C ).
Mihir Bellare UCSD 24
Commitment from hashing
Let H be a hash function and CS = (P, C,V) the commitment schemewhere P returns π = ε and
Alg C(π,M)
C ← H(M); K ← Mreturn (C ,K )
Alg V(π,C ,M,K )
return (C = H(M) and M = K )
This is
• Binding if H is collision-resistant.
• But not hiding. For example in the Internet Casino M = G ∈ {1, ...,100} so given C = H(M) the casino can recover M via
for i = 1, ..., 100 doif H(i) = C then return i
Mihir Bellare UCSD 25
Commitment from hashing
Let H be a hash function and CS = (P, C,V) the commitment schemewhere P returns π = ε and
Alg C(π,M)
C ← H(M); K ← Mreturn (C ,K )
Alg V(π,C ,M,K )
return (C = H(M) and M = K )
This is
• Binding if H is collision-resistant.
• But not hiding. For example in the Internet Casino M = G ∈ {1, ...,100} so given C = H(M) the casino can recover M via
for i = 1, ..., 100 doif H(i) = C then return i
Mihir Bellare UCSD 26
Commitment from hashing
A better scheme is CS = (P, C,V) where P returns π = ε and
Alg C(π,M)
K$←{0, 1}128
C ← H(K ||M)return (C ,K )
Alg VH(π,C ,M,K )
return (H(K ||M) = C )
Mihir Bellare UCSD 27
Commitment schemes usage
Commitment schemes are very broadly and widely used across all kinds ofprotocol design and in particular to construct zero-knowledge proofs.
Mihir Bellare UCSD 28
Flipping a common coin
• Alice and Bob are getting divorced
• They want to decide who keeps the Lexus
• They aggree to flip a coin, but
• Alice is in NY and Bob is in LA
Protocol CF1:
Alice Bob
c$←{0, 1} c -
Bob is not too smart but he doesn’t like it...
Can you help them out?
Mihir Bellare UCSD 29
Flipping a common coin
• Alice and Bob are getting divorced
• They want to decide who keeps the Lexus
• They aggree to flip a coin, but
• Alice is in NY and Bob is in LA
Protocol CF1:
Alice Bob
c$←{0, 1} c -
Bob is not too smart but he doesn’t like it...
Can you help them out?
Mihir Bellare UCSD 30
Protocol CF2
Let CS = (P, C,V) be a commitment scheme.
Alice Bob
a$←{0, 1}
(C ,K )$←C(π, a) C - b
$←{0, 1}b�
a,K - if V(π,C , a,K ) = 1 thenc ← a⊕ b c ← a⊕ b
elsec ← ⊥
c is the common coin. Neither party can control it.
Mihir Bellare UCSD 31
Protocol CF3: Concrete instantiation of CF2
Alice Bob
a$←{0, 1} ; K
$←{0, 1}128
C ← H(K‖a) C - b$←{0, 1}
b�
a,K - if H(K‖a) = C thenc ← a⊕ b c ← a⊕ b
elsec ← ⊥
c is the common coin. Neither party can control it. H is a cryptographichash function.
Mihir Bellare UCSD 32
Secure summation
Suppose we have n parties 1, ..., nParty i has an integer xiThe parties want to know the value of
f (x1, .., xn) = x1 + ...+ xn
Easy: Let
• Party i send xi to party 1 (2 ≤ i ≤ n)
• Party 1 computes f (x1, .., xn) = x1 + ...+ xn and broadcasts it
What they don’t like about this: Party 1 now knows everyone’s values
Privacy constraint: Party i does not wish to reveal xi
Mihir Bellare UCSD 33
Secure summation
Suppose we have n parties 1, ..., nParty i has an integer xiThe parties want to know the value of
f (x1, .., xn) = x1 + ...+ xn
Easy: Let
• Party i send xi to party 1 (2 ≤ i ≤ n)
• Party 1 computes f (x1, .., xn) = x1 + ...+ xn and broadcasts it
What they don’t like about this: Party 1 now knows everyone’s values
Privacy constraint: Party i does not wish to reveal xi
Mihir Bellare UCSD 34
Secure summation
Suppose we have n parties 1, ..., nParty i has an integer xiThe parties want to know the value of
f (x1, .., xn) = x1 + ...+ xn
Easy: Let
• Party i send xi to party 1 (2 ≤ i ≤ n)
• Party 1 computes f (x1, .., xn) = x1 + ...+ xn and broadcasts it
What they don’t like about this: Party 1 now knows everyone’s values
Privacy constraint: Party i does not wish to reveal xi
Mihir Bellare UCSD 35
Secure summation
Party i has input xi (1 ≤ i ≤ n). The parties want to knowf (x1, .., xn) = x1 + ...+ xn but do not want to reveal their inputs in theprocess.
Scenarios:
• xi = score of student i on midterm exam
• xi = salary of employee i
• xi ∈ {0, 1} = vote of voter i on proposition X on ballot
Mihir Bellare UCSD 36
The model and goal
Parties i , j are connected via a secure channel (1 ≤ i , j ≤ n).Privacy and authenticity of messages sent over channel are guaranteed.
The parties will exchange messages to arrive at f (x1, ..., xn).
If i 6= j then, at the end of the protocol, party i should not know xj .
For example you, as player i , enter xi into some app on your cellphonewhich then communicates with the cellphones of the other parties. At theend, the sum shows up on your screen. Take your phone apart andexamine all memory contents and you still will not discover xj for j 6= i .
Mihir Bellare UCSD 37
Setup for secure communication protocol
Let N be such that x1, ..., xn ∈ ZN = {0, ...,N − 1}.Let M = nN.Let S denote x1 + ...+ xn.We will compute S mod M, which is just S since
x1 + ...+ xn ≤ n(N − 1) < M
Mihir Bellare UCSD 38
Protocol step 1: secret sharing
For i = 1, ..., n party i
• Picks xi ,1, ..., xi ,n ∈ ZM at random subject to xi ,1 + ...+ xi ,n ≡ xi(mod M)
• Sends xi ,j to party j over secure channel (1 ≤ j ≤ n)
x1,1 x1,2 x1,3 x1,4x2,1 x2,2 x2,3 x2,4x3,1 x3,2 x3,3 x3,4x4,1 x4,2 x4,3 x4,4
→ x1→ x2→ x3→ x4
Observation: xi ,j is a random number unrelated to xi so party j has noinformation about xi (i 6= j)
Mihir Bellare UCSD 39
Protocol step 2,3: Column sums and conclusion
x1,1 x1,2 x1,3 x1,4x2,1 x2,2 x2,3 x2,4x3,1 x3,2 x3,3 x3,4x4,1 x4,2 x4,3 x4,4
→ x1→ x2→ x3→ x4
↓ ↓ ↓ ↓C1 C2 C3 C4
For j = 1, ..., n party j
• Computes Cj = (x1,j + x2,j + ...+ xn,j) mod M
• Sends Cj to party i (1 ≤ i ≤ n)
Observation: S ≡ (C1 + · · ·+ Cn) (mod M).
So each party can compute S ← (C1 + ...+ Cn) mod M
Mihir Bellare UCSD 40
Security of the protocol
x1,1 x1,2 x1,3 x1,4x2,1 x2,2 x2,3 x2,4x3,1 x3,2 x3,3 x3,4x4,1 x4,2 x4,3 x4,4
→ x1→ x2→ x3→ x4
↓ ↓ ↓ ↓c1 c2 c3 c4
At end of protocol, party 1 knows (1) x1, and the first-row entries of thematrix (2) the sum S = x1 + x2 + x3 + x4 (3) c1, c2, c3, c4 (4) the firstcolumn entries x1,1, x2,1, x3,1, x4,1.
Claims:
• Party 1 learn nothing about x4
• Even if parties 1, 2 pool their information, they learn nothing about x4
• ...
Mihir Bellare UCSD 41
Secure summation project
Project: Analyze and prove secure the summation protocol: (1) Give agame based definition of privacy (2) Prove that the protocol meets it.
Mihir Bellare UCSD 42
Secure Computation
Parties 1, ..., nParty i has private input xiThey want to compute f (x1, ..., xn)
Fact: For any function f , there is a n/2 - private protocol to compute it.
A protocol is t-private if any t parties, getting together, cannot figure outanything about the input of the other parties other than implied by thevalue of f (x1, ..., xn).
The protocol views f as a circuit (program) and computes it gate(instruction) by gate (instruction).
Enormous body of research.
Mihir Bellare UCSD 43
Zero-Knowledge Proofs [GMR]
A zero-knowledge (ZK) proof allows you to
• Convince Bob your claim is true
• Without revealing anything beyond that
For example:
You claim to have Bob is What is notrevealed
A solution to the homeworkproblem
Another student The solution
The password for this ac-count
The server The password
A proof that P 6= NP The Clay Institute The proof
Mihir Bellare UCSD 44