Slide 1: Course Business
Homework 3 due now. Homework 4 released.
Professor Blocki is travelling, but will be back next week.
Slide 2: Cryptography, CS 555, Fall 2017
Week 11: Discrete Log/DDH, Applications of DDH, Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters
Readings: Katz and Lindell Chapter 8.4 & Chapter 9
Slide 3: Recap: Cyclic Group
(g is generator)
If
then for each
and each integer
we have
Fact 1:
Let p be a prime then
is a cyclic group of order p-1.
Fact 2: Number of generators g s.t. of is
Example (generator): p=7, g=5, <5>={1,5,4,6,2,3} (the powers of 5 mod 7 in order: 5, 4, 6, 2, 3, 1)
Slide 4: Recap: Cyclic Group (proof of Fact 2)
Proof: Suppose that
and let
then
Recall: if and only if gcd(i,p-1)=1.
Slide 5: Recap: Diffie-Hellman Problems
Computational Diffie-Hellman Problem (CDH)
Attacker is given
and
Attacker's goal is to find
CDH Assumption: For all PPT A there is a negligible function negl such that A succeeds with probability at most negl(n).
Decisional Diffie-Hellman Problem (DDH)
Let
and let
, where x1, x2 and r are random.
Attacker is given , and (for a random bit b).
Attacker's goal is to guess b.
DDH Assumption: For all PPT A there is a negligible function negl such that A succeeds with probability at most ½ + negl(n).
Slide 6: Can we find a cyclic group where DDH holds?
Example 1:
where p is a random n-bit prime.
CDH is believed to be hard.
DDH is *not* hard (you will prove this in homework 4).
Theorem: Let p=rq+1 be a random n-bit prime where q is a large -bit prime. Then the set of rth residues modulo p is a cyclic subgroup of of order q.
Remark 1: DDH is believed to hold for such a group.
Remark 2: It is easy to generate uniformly random elements of
Remark 3: Any element (besides 1) is a generator of
Slide 7: Can we find a cyclic group where DDH holds? (proof sketch for the theorem on slide 6)
Closure:
Inverse of is
Size:
Remark: Two known attacks on the Discrete Log Problem for (Section 9.2).
First runs in time
Second runs in time
Slide 8: Can we find a cyclic group where DDH holds?
Remark: Two known attacks (Section 9.2). First runs in time
Second runs in time
where n is the bit length of p.
Goal: Set
and n to balance the two attacks.
How to sample the prime p? First sample a random -bit prime q, then repeatedly check whether p=rq+1 is prime for random bit value(s) r.
Slide 9: More groups where DDH holds?
Elliptic Curves Example: Let p be a prime (p > 3) and let A, B be constants. Consider the equation
And let
Note: is defined to be an additive identity.
Slide 10: Elliptic Curve Example
The line passing through
and
has the equation
where the slope
(figure labels: (x3, y3) and (x3, -y3))
Slide 11: Elliptic Curve Example
Formally, let
be the slope. Then the line passing through
and
has the equation
(figure labels: (x3, y3) and (x3, -y3))
Slide 13: Elliptic Curve Example
No third point R on the line intersects our elliptic curve.
Thus,
Slide 14: Summary: Elliptic Curves
Elliptic Curves Example: Let p be a prime (p > 3) and let A, B be constants. Consider the equation
And let
Fact: defines an abelian group.
For appropriate curves the DDH assumption is believed to hold. If you make up your own curve there is a good chance it is broken… NIST has a list of recommendations.
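The group law described on slides 9 to 14, carried out in code. This is an added example and not part of the lecture slides; it assumes the curve equation is in the standard short Weierstrass form y^2 = x^3 + A*x + B over F_p (the slides name p, A and B but the equation itself did not survive extraction), uses the point at infinity O as the identity, and reflects the third intersection point (x3, y3) to (x3, -y3) as on slides 10 to 13. The toy curve y^2 = x^3 + x + 1 over F_23 is a constructed example small enough to check the abelian-group Fact exhaustively.

```python
O = None                                   # point at infinity: the additive identity (slide 9)

def is_nonsingular(p, A, B):
    """A curve with 4A^3 + 27B^2 = 0 mod p is singular and must be rejected."""
    return (4 * A ** 3 + 27 * B ** 2) % p != 0

def on_curve(P, p, A, B):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % p == 0

def neg(P, p):
    """Reflection across the x-axis: the inverse of (x, y) is (x, -y)."""
    if P is O:
        return O
    x, y = P
    return (x, (-y) % p)

def add(P, Q, p, A):
    """Chord-and-tangent addition. Division is modular inversion via Fermat (p prime)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return O                       # vertical line: no third intersection (slide 13)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, p - 2, p) % p   # tangent at P == Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p          # slope of the chord through P and Q
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p        # third intersection reflected: (x3, y3) -> (x3, -y3)
    return (x3, y3)

def mul(k, P, p, A):
    """k*P by double-and-add (exponentiation, written additively)."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, p, A)
        P = add(P, P, p, A)
        k >>= 1
    return R

def points(p, A, B):
    """All of E(F_p) by brute force; only for toy p."""
    pts = [O]
    for x in range(p):
        rhs = (x ** 3 + A * x + B) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts

def is_abelian_group(p, A, B):
    """Exhaustively check closure, inverses, commutativity and associativity
    (the Fact on slide 14) on a small curve."""
    pts = points(p, A, B)
    S = set(pts)
    for P in pts:
        if add(P, neg(P, p), p, A) is not O:
            return False
        for Q in pts:
            R = add(P, Q, p, A)
            if R not in S or R != add(Q, P, p, A):
                return False
            for T in pts:
                if add(R, T, p, A) != add(P, add(Q, T, p, A), p, A):
                    return False
    return True
```

The exhaustive check is what makes the "make up your own curve" warning concrete: the group law is only a group law when the curve is nonsingular, and the hard part of choosing a curve (a prime-order group of the right size, no special structure) is exactly what the NIST recommendations settle.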
Slide 15: Week 11, Topic 1: Discrete Logarithm Applications
Diffie-Hellman Key Exchange
Collision Resistant Hash Functions
Password Authenticated Key Exchange
Slide 16: Diffie-Hellman Key Exchange
Alice picks
and sends
to Bob
Bob picks
and sends
to Alice
Alice and Bob can both compute
Slide 17: Key-Exchange Experiment
Two parties run
to exchange secret messages (with security parameter 1^n).
Let trans be a transcript which contains all messages sent and let k be the secret key output by each party.
Let b be a random bit and let k_b = k if b=0; otherwise k_b is sampled uniformly at random.
Attacker A is given trans and k_b (passive attacker). Attacker outputs b' (the experiment outputs 1 if and only if b=b').
Security of against an eavesdropping attacker: For all PPT A there is a negligible function negl such that
Slide 18: Diffie-Hellman Key-Exchange is Secure
Theorem: If the decisional Diffie-Hellman problem is hard relative to group generator
then the Diffie-Hellman key-exchange protocol
is secure in the presence of a (passive) eavesdropper (*).
(*) Assuming keys are chosen uniformly at random from the cyclic group
Protocol: Alice picks and sends to Bob. Bob picks and sends to Alice. Alice and Bob can both compute
Slide 19: Diffie-Hellman Assumptions (CDH and DDH, as stated on slide 5)
Slide 20: Diffie-Hellman Key Exchange
Alice picks
and sends
to Bob
Bob picks
and sends
to Alice
Alice and Bob can both compute
Intuition: the Decisional Diffie-Hellman assumption implies that a passive attacker who observes and still cannot distinguish between and a random group element.
Remark: The modified protocol sets
.
You will prove that this modified protocol is secure under the weaker CDH assumption in homework 4.
Slide 21: Diffie-Hellman Key-Exchange is Secure
Theorem (restated from slide 18): If the decisional Diffie-Hellman problem is hard relative to group generator then the Diffie-Hellman key-exchange protocol is secure in the presence of an eavesdropper (*).
Proof (sketch): The transcript consists of exactly the two public values a DDH attacker is handed, and the key k_0 is the Diffie-Hellman value while k_1 is a uniformly random group element. An eavesdropper that tells k_b apart from random with non-negligible advantage is therefore a DDH distinguisher with the same advantage, contradicting the assumption.
(*) Assuming keys are chosen uniformly at random from the cyclic group
Slide 22: Diffie-Hellman Key Exchange
Alice picks and sends to Bob. Bob picks and sends to Alice. Alice and Bob can both compute
Intuition: the Decisional Diffie-Hellman assumption implies that a passive attacker who observes and still cannot distinguish between and a random group element.
Remark: The protocol is vulnerable against active attackers who can tamper with messages.
Slide 23: Man in the Middle Attack (MITM)
Slide 24: Man in the Middle Attack (MITM)
Alice picks
and sends
to Bob
Mallory intercepts
, picks
and sends
to Bob instead
Bob picks and sends to Alice
Mallory intercepts, picks and sends
to Alice instead
Mallory computes
and
Alice computes secret key
(shared with Mallory, not Bob)
Bob computes
(shared with Mallory, not Alice)
Mallory forwards messages between Alice and Bob (tampering with the messages if desired).
Neither Alice nor Bob can detect the attack.
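The group-sampling recipe of slide 8 (p = rq + 1 with q prime, generator from an r-th residue), the key exchange of slides 16 to 22 and the man-in-the-middle run of slide 24, as one added example that is not part of the lecture slides. The Miller-Rabin routine, the subgroup-membership check on received values and the toy parameter sizes (64-bit q, 16-bit r) are this example's own choices; the slides do not prescribe them.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases (error probability at most 4^-rounds)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def sample_group(q_bits, r_bits):
    """Slide 8: sample a q_bits-bit prime q, then random r until p = r*q + 1 is prime.
    Returns (p, q, g) with g a generator of the order-q subgroup of r-th residues."""
    q = random_prime(q_bits)
    while True:
        r = secrets.randbits(r_bits) | (1 << (r_bits - 1))
        p = r * q + 1
        if is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 2) + 2
        g = pow(h, r, p)              # an r-th residue, so g^q = h^(p-1) = 1
        if g != 1:                    # every non-identity element generates (Remark 3, slide 6)
            return p, q, g

def in_subgroup(p, q, v):
    """Accept a received value only if it is a non-identity element of the
    order-q subgroup; a small-order value from a peer would otherwise leak
    information about the secret exponent it is raised to."""
    return 1 < v < p and pow(v, q, p) == 1

def dh_share(p, q, g):
    """One party's secret exponent and public value."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def honest_run(p, q, g):
    """Alice sends X = g^x, Bob sends Y = g^y; both derive g^(xy)."""
    x, X = dh_share(p, q, g)
    y, Y = dh_share(p, q, g)
    if not (in_subgroup(p, q, X) and in_subgroup(p, q, Y)):
        raise ValueError("public value outside the subgroup")
    return pow(Y, x, p), pow(X, y, p)

def mitm_run(p, q, g):
    """Slide 24: Mallory swaps X for X' and Y for Y'. Returns Alice's key,
    Bob's key, and the two keys Mallory shares with each of them."""
    x, X = dh_share(p, q, g)
    y, Y = dh_share(p, q, g)
    xm, Xm = dh_share(p, q, g)        # Mallory's replacement for Alice's X
    ym, Ym = dh_share(p, q, g)        # Mallory's replacement for Bob's Y
    k_alice = pow(Ym, x, p)           # Alice believes this is shared with Bob
    k_bob = pow(Xm, y, p)             # Bob believes this is shared with Alice
    k_mallory_alice = pow(X, ym, p)
    k_mallory_bob = pow(Y, xm, p)
    return k_alice, k_bob, k_mallory_alice, k_mallory_bob
```

Nothing in the transcript of `mitm_run` looks different to Alice or Bob from an honest run: every value they receive is a valid subgroup element, which is why the subgroup check above blocks small-subgroup tricks but cannot detect Mallory. Only authentication of the exchanged values (signatures, or the password-based binding on slide 33) does that.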
Slide 25: Discrete Log Experiment DLog_{A,G}(n)
Run
to obtain a cyclic group
of order q (with
) and a generator g such that
.
Select
uniformly at random.
Attacker A is given , q, g, h and outputs an integer x.
Attacker wins (DLog_{A,G}(n)=1) if and only if g^x = h.
We say that the discrete log problem is hard relative to G if
Slide 26: Collision Resistant Hash Functions (CRHFs)
Recall: it is not known how to build CRHFs from OWFs.
We can build collision resistant hash functions from the Discrete Logarithm Assumption.
Let
output
where
is a cyclic group of order
and g is a generator of the group.
Suppose that the discrete log problem is hard relative to generator
Slide 27: Collision Resistant Hash Functions
Let output where is a cyclic group of order and g is a generator of the group.
Collision Resistant Hash Function (Gen, H):
Gen: select random
Output
(where
)
Claim: (Gen, H) is collision resistant if the discrete log assumption holds for
Slide 28: Collision Resistant Hash Functions
(where
)
Claim: (Gen, H) is collision resistant.
Proof: Suppose we find a collision; then we have
which implies
Use extended GCD to find
then
which means that
is the discrete log of h.
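The hash function of slide 27 and the collision-to-discrete-log reduction of slide 28, as an added example that is not part of the lecture slides. It assumes the standard form of this construction, H(x1, x2) = g^x1 * h^x2 in a group of prime order q with h = g^s output by Gen; the toy group (the order-509 subgroup of Z_1019^* with generator 4) is constructed here so that a brute-force discrete log can confirm what the reduction recovers. A real collision would come from an adversary; the one below is manufactured from the secret s purely to exercise the reduction.

```python
# Constructed toy parameters: P = 2*Q + 1 with Q prime; G = 2^2 is a quadratic residue, hence of order Q.
P, Q = 1019, 509
G = pow(2, 2, P)

def hash_dlog(g, h, x1, x2, p=P):
    """H(x1, x2) = g^x1 * h^x2 mod p (slide 27)."""
    return pow(g, x1, p) * pow(h, x2, p) % p

def gen(secret_s, g=G, p=P):
    """Gen: output h = g^s for a uniformly random s; s is discarded by an honest Gen."""
    return pow(g, secret_s, p)

def collision_to_dlog(g, h, x1, x2, y1, y2, q=Q, p=P):
    """Slide 28: from (x1,x2) != (y1,y2) with H(x1,x2) == H(y1,y2) recover log_g(h).
    g^x1 h^x2 = g^y1 h^y2  =>  h^(x2-y2) = g^(y1-x1)  =>  log_g h = (y1-x1) * (x2-y2)^-1 mod q."""
    assert (x1, x2) != (y1, y2)
    assert hash_dlog(g, h, x1, x2, p) == hash_dlog(g, h, y1, y2, p)
    if (x2 - y2) % q == 0:
        # then g^(x1-y1) = 1, so x1 = y1 mod q as well: the inputs agree modulo q
        raise ValueError("x2 == y2 mod q; not a collision on reduced inputs")
    inv = pow((x2 - y2) % q, -1, q)      # the extended-GCD step (q is prime)
    return (y1 - x1) * inv % q

def brute_force_dlog(g, h, q=Q, p=P):
    """Exhaustive search; feasible only because the toy group is tiny."""
    for s in range(q):
        if pow(g, s, p) == h:
            return s
    return None

def demo_collision(s=123, x1=77, x2=400, y2=100):
    """Manufacture a collision using the secret s (something an attacker cannot do),
    then run the reduction on it. Returns (h, recovered exponent)."""
    h = gen(s)
    y1 = (x1 + s * (x2 - y2)) % Q        # makes x1 + s*x2 == y1 + s*y2 mod Q
    return h, collision_to_dlog(G, h, x1, x2, y1, y2)
```

The reduction is tight: one collision yields the discrete log with a single modular inversion, which is why (as slide 58 notes) any generic collision-finding attack on H is also a generic discrete-log attack.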
Slide 29: Password Authenticated Key-Exchange
Suppose Alice and Bob share a low-entropy password pwd and wish to communicate securely (without using any trusted party), assuming an active attacker may try to mount a man-in-the-middle attack.
Can they do it?
Tempting Approach: Alice and Bob both compute K = KDF(pwd) = H^n(pwd) and communicate using an authenticated encryption scheme.
Practice Midterm Exam: Secure in the random oracle model if the attacker cannot query the random oracle H(.) too many times.
Slide 30: Password Authenticated Key-Exchange
Tempting Approach: Alice and Bob both compute K = KDF(pwd) = H^n(pwd) and communicate using an authenticated encryption scheme.
Midterm Exam: Secure in the random oracle model if the attacker cannot query the random oracle too many times.
Problems:
In practice the attacker can (and will) query the random oracle many times.
In practice people tend to pick very weak passwords.
Brute-force attack: the attacker enumerates over a dictionary of passwords and attempts to decrypt messages with K_{pwd'} = KDF(pwd') (only succeeds if K_{pwd'} = K).
An offline (brute-force) attack will almost always succeed.
Slide 31: Attempt 2
Alice picks
and sends
to Bob
Bob picks
and sends
to Alice
Alice and Bob can both compute
Alice picks a random nonce and sends to Bob (Enc is an authenticated encryption scheme).
Bob decrypts and sends
to Alice
Advantage: a MITM attacker cannot establish a connection without the password.
Disadvantage: Mallory could mount a brute-force attack on the password after an attempted MITM attack.
Slide 32: Attempt 2: MITM Attack
Alice picks
and sends
to Bob
Bob picks
and sends
to Alice
Mallory intercepts, picks and sends to Alice instead.
Bob computes
Alice computes
instead.
Alice picks a random nonce
and sends
to Bob
Mallory intercepts
and proceeds to mount a brute-force attack on the password:
For each password guess y
let
and
if
then output y
Advantage: a MITM attacker cannot establish a connection without the password.
Disadvantage: Mallory could mount a brute-force attack on the password after an attempted MITM attack, since every password guess can be checked offline against the intercepted ciphertext.
Slide 33: Password Authenticated Key-Exchange (PAKE)
Better Approach (PAKE): Alice and Bob both compute
Alice picks
and sends
to Bob
Bob picks , computes and sends Alice the following message:
Alice computes
where
. Alice sends the message V_A = H(2, Alice, Bob, X, Y, K) to Bob.
Bob verifies that V_A == H(2, Alice, Bob, X, Y, K) where K = . Bob generates V_B = H(3, Alice, Bob, X, Y, K) and sends V_B to Alice.
Alice verifies that V_B == H(3, Alice, Bob, X, Y, ) where
.
If Alice and Bob don't terminate, the session key is H(4, Alice, Bob, X, Y, ).
Security:
No offline (brute-force) attack is possible.
The attacker gets one password guess per instantiation of the protocol.
If the attacker guesses incorrectly and tampers with messages, he causes Alice and Bob to quit.
If Alice and Bob accept the secret key K and the attacker did not know/guess the password, then K is "just as good" as a truly random secret key.
See RFC 6628.
Slide 34: Week 11, Topic 2: Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters
Slide 35: Pollard's p-1 Algorithm (Factoring)
Let
where (p-1) has only "small" prime factors.
Pollard's p-1 algorithm can factor N.
Remark 1: This happens with very small probability if p is a random n-bit prime.
Remark 2: One convenient/fast way to generate big primes is to multiply many small primes, add 1 and test for primality. A prime built this way has a smooth p-1 by construction, which is exactly the case Pollard's p-1 algorithm exploits.
Example:
is prime
Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B. Then we can factor N.
Slide 36: Pollard's p-1 Algorithm (Factoring)
Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B. Then we can factor N.
Proof: Suppose B = c(p-1) for some integer c and let
Applying the Chinese Remainder Theorem we have
This means that p divides y, but q does not divide y (unless
, which is very unlikely).
Thus, GCD(y, N) = p.
Slide 37: Pollard's p-1 Algorithm (Factoring)
Goal: Find B such that (p-1) divides B but (q-1) does not divide B.
Remark: This is difficult if (p-1) has a large prime factor.
Slide 38: Pollard's p-1 Algorithm (Factoring)
Goal: Find B such that (p-1) divides B but (q-1) does not divide B.
Remark: This is difficult if (p-1) has a large prime factor.
Here p_1 = 2, p_2 = 3, …
Fact: If (q-1) has a prime factor larger than p_k then (q-1) does not divide B.
Fact: If (p-1) does not have a prime factor larger than p_k then (p-1) does divide B.
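Pollard's p-1 as described on slides 35 to 38, as an added example that is not part of the lecture slides. The slides' formula for B did not survive extraction; this code assumes the standard choice, B = the product over primes p_i <= bound of the largest power of p_i not exceeding N, which is what the two Facts on slide 38 require. The modulus is constructed: p = 2311 = 2*3*5*7*11 + 1 (the "multiply small primes and add 1" recipe of Remark 2) and q = 2027, whose q-1 = 2*1013 has a large prime factor.

```python
from math import gcd

def small_primes(bound):
    """Sieve of Eratosthenes: p_1 = 2, p_2 = 3, ..., p_k <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, v in enumerate(sieve) if v]

def pollard_p_minus_1(N, bound, base=2):
    """Compute y = base^B - 1 mod N for B = prod p_i^e_i (p_i <= bound, p_i^e_i <= N)
    and return gcd(y, N) when it is a non-trivial factor, else None.
    Per the slide-36 proof: p | y whenever (p-1) | B, while q does not divide y
    unless base has unusually small order mod q."""
    x = base
    for pi in small_primes(bound):
        e = 1
        while pi ** (e + 1) <= N:         # largest power of pi not exceeding N
            e += 1
        x = pow(x, pi ** e, N)            # running product: x = base^B mod N
    d = gcd((x - 1) % N, N)
    return d if 1 < d < N else None

def demo():
    """Constructed modulus: p-1 = 2310 is 11-smooth, q-1 = 2*1013 is not."""
    p, q = 2311, 2027
    N = p * q
    return N, pollard_p_minus_1(N, bound=11)
```

With bound 11 the algorithm recovers p = 2311 immediately. Against N = 2027 * 2039, where both p-1 and q-1 have a prime factor above the bound, the same call returns None: that is the "strong prime" condition of slide 39, which a random prime satisfies with high probability.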
Slide 39: Pollard's p-1 Algorithm (Factoring)
Option 1: To defeat this attack we can choose strong primes p and q. A prime p is strong if (p-1) has a large prime factor.
Drawback: It takes more time to generate (provably) strong primes.
Option 2: A random prime is strong with high probability.
Current Consensus: Just pick a random prime.
Slide 40: Pollard's Rho Algorithm
General Purpose Factoring Algorithm: doesn't assume (p-1) has no large prime factor.
Goal: factor N = pq (product of two n-bit primes).
Running time:
Naïve Algorithm takes time
to factor.
Core idea: find distinct
such that
Implies that x-x' is a multiple of p and, thus, GCD(x-x', N) = p (whp).
Slide 41: Pollard's Rho Algorithm
Question: If we pick random
then what is the probability that we can find distinct
such that
Slide 42: Pollard's Rho Algorithm
Question: If we pick random then what is the probability that we can find distinct such that ?
Answer:
Proof (sketch): Use the Chinese Remainder Theorem + Birthday Bound.
Note: We will also have
(whp)
Slide 43: Pollard's Rho Algorithm
Challenge: We do not know p or q, so we cannot sort the 's using the Chinese Remainder Theorem representation.
How can we identify the pair
such that
?
Slide 44: Pollard's Rho Algorithm
Pollard's Rho Algorithm is similar to the low-space version of the birthday attack.
Input: N (product of two n-bit primes)
,
For i = 1 to
p = GCD(x-x', N); if 1 < p < N return p
Remark 1: F should have the property that if x = x' mod p then F(x) = F(x') mod p.
Remark 2:
will work since
Slide 45: Pollard's Rho Algorithm
Claim: Let
and suppose that for some distinct
we have
but
. Then the algorithm will find p.
Cycle length: i-j mod p
Slide 46: Pollard's Rho Algorithm (Summary)
General Purpose Factoring Algorithm: doesn't assume (p-1) has no large prime factor.
Expected Running Time:
(Birthday Bound)
(still exponential in the number of bits)
Required Space:
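Pollard's rho for factoring (slides 40 to 46) with Floyd's tortoise-and-hare cycle detection as the low-space birthday search, as an added example that is not part of the lecture slides. It uses F(x) = x^2 + c mod N, which has the property from Remark 1 (x = x' mod p implies F(x) = F(x') mod p); c = 1 is the function the slides' Remark 2 refers to, and the retry over other c is this example's own addition for the rare walk that collides mod p and mod q in the same step. The semiprimes 8051 = 83 * 97 and 1000003 * 1000033 are constructed test inputs.

```python
from math import gcd

def pollard_rho(N, x0=2, c=1, max_iter=10 ** 6):
    """Return a non-trivial factor of N, or None if this walk was unlucky.
    x advances one step per iteration and xp two, so after i steps we compare
    x_i with x_2i; once the walk has cycled mod p (after about sqrt(p) steps,
    the birthday bound) some i has x_i = x_2i mod p while x_i != x_2i mod N."""
    F = lambda x: (x * x + c) % N
    x = x2 = x0
    for _ in range(max_iter):
        x = F(x)                          # tortoise: x_i
        x2 = F(F(x2))                     # hare: x_2i
        d = gcd(abs(x - x2), N)
        if d == N:
            return None                   # collided mod p and mod q simultaneously
        if d > 1:
            return d                      # x_i = x_2i mod p but not mod N
    return None

def factor_semiprime(N):
    """Retry with different constants c until a factor appears; returns (p, q), p <= q."""
    for c in range(1, 50):
        d = pollard_rho(N, c=c)
        if d:
            return tuple(sorted((d, N // d)))
    return None
```

Only two group elements and a running gcd are stored, which is the "constant memory" advantage the summary slide contrasts with the sorted table of the naive birthday attack.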
Slide 47: Quadratic Sieve Algorithm
Runs in sub-exponential time:
Still not polynomial time, but
grows much slower than
.
Core Idea: Find
such that and
Slide 48: Quadratic Sieve Algorithm
Core Idea: Find
such that
and
Claim: gcd(x-y, N)
N = pq divides (by (1)).
N does not divide (by (2)).
N does not divide (by (2)).
p is a factor of exactly one of the terms and (q is a factor of the other term).
Slide 49: Quadratic Sieve Algorithm
Core Idea: Find such that and
Key Question: How to find such an ?
Step 1: j = 0; For , …
Check if q is B-smooth (all prime factors of q are in {p_1, …, p_k} where p_k < B). If q is B-smooth then factor q, increment j and define
Slide 50: Quadratic Sieve Algorithm
Step 2: Once we have equations of the form
we can use linear algebra to find S such that for each
we have
Slide 51: Quadratic Sieve Algorithm
Step 2: Once we have
equations of the form
we can use linear algebra to find a subset S such that for each we have
Thus,
Slide 52: Quadratic Sieve Algorithm
Thus,
But we also have
Slide 53: Quadratic Sieve Algorithm (Summary)
Appropriate parameter tuning yields a sub-exponential time algorithm:
Still not polynomial time, but
grows much slower than
.
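The relation-collection and linear-algebra core of slides 47 to 53, as an added example that is not part of the lecture slides. It implements Step 1 and Step 2 in the simpler Dixon / random-squares form: x runs upward from ceil(sqrt(N)), each q = x^2 mod N is trial-divided over the factor base instead of sieved (the sieve is what makes the real algorithm fast, and is omitted here), and Gaussian elimination over GF(2) on the exponent parities yields subsets S with x^2 = y^2 mod N. The same smoothness test and elimination step are what index calculus (slides 59 to 62) reuses for discrete logs. The inputs 8051 = 83 * 97 and 15347 = 103 * 149 are constructed test values.

```python
from math import gcd, isqrt

def factor_base(B):
    """Primes p_1 < ... < p_k <= B by trial division (toy sizes)."""
    return [p for p in range(2, B + 1) if all(p % d for d in range(2, isqrt(p) + 1))]

def smooth_exponents(v, base):
    """Exponent vector of v over base, or None if v is not B-smooth."""
    exps = []
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def collect_relations(N, base, count):
    """Step 1: keep each x whose q = x^2 mod N is B-smooth, with q's factorization."""
    rels, x = [], isqrt(N) + 1
    while len(rels) < count:
        e = smooth_exponents(x * x % N, base)
        if e is not None:
            rels.append((x, e))
        x += 1
    return rels

def dependencies(rels):
    """Step 2: Gaussian elimination over GF(2) on exponent parities.
    Yields index sets S whose exponent vectors sum to an all-even vector."""
    pivots = {}                               # leading bit -> (reduced vector, combination mask)
    for r, (_, exps) in enumerate(rels):
        vec = sum(1 << i for i, e in enumerate(exps) if e % 2)
        mask = 1 << r                         # which original relations are combined in vec
        while vec:
            top = vec.bit_length() - 1
            if top not in pivots:
                pivots[top] = (vec, mask)
                break
            pv, pm = pivots[top]
            vec ^= pv
            mask ^= pm
        if vec == 0:
            yield [i for i in range(len(rels)) if mask >> i & 1]

def dixon(N, B=30, extra=5):
    """Return (p, q) with p*q = N, or None if every dependency gave x = +-y mod N
    (then raise B or extra to get more relations)."""
    base = factor_base(B)
    rels = collect_relations(N, base, len(base) + extra)
    for S in dependencies(rels):
        x, total = 1, [0] * len(base)
        for i in S:
            x = x * rels[i][0] % N
            total = [t + e for t, e in zip(total, rels[i][1])]
        y = 1
        for p, t in zip(base, total):         # every t is even by construction of S
            y = y * pow(p, t // 2, N) % N
        assert x * x % N == y * y % N         # (1): x^2 = y^2 mod N
        d = gcd(x - y, N)
        if 1 < d < N:                         # (2): x != +-y mod N, so gcd splits N (slide 48)
            return tuple(sorted((d, N // d)))
    return None
```

Each dependency is a coin flip between x = +-y (useless) and a genuine split, which is why a few more relations than primes in the factor base (`extra`) are collected.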
Slide 54: Discrete Log Attacks
Pohlig-Hellman Algorithm: Given a cyclic group of non-prime order q = | | = rp, reduce the discrete log problem to discrete log problem(s) for subgroup(s) of order p (or smaller). Hence the preference for prime-order subgroups in cryptography.
Baby-step/Giant-step Algorithm: solves the discrete logarithm in time
Pollard's Rho Algorithm: solves the discrete logarithm in time . Bonus: constant memory!
Index Calculus Algorithm: similar to the quadratic sieve; runs in sub-exponential time . Specific to the group (e.g., the attack doesn't work for elliptic curves).
Slide 55: Discrete Log Attacks
Pohlig-Hellman Algorithm: Given a cyclic group of non-prime order q = | | = rp, reduce the discrete log problem to discrete log problem(s) for subgroup(s) of order p (or smaller). Preference for prime-order subgroups in cryptography.
Let
and
be given. For simplicity assume that r is prime and r < p.
Observe that generates a subgroup of size p and that . Solve the discrete log problem in that subgroup with input . Find z such that .
Observe that generates a subgroup of size r and that . Solve the discrete log problem in that subgroup with input . Find y such that .
Chinese Remainder Theorem: where
Slide 56: Baby-step/Giant-step Algorithm
Input:
of order q, generator g and
Set
For i = 0 to : compute the pair (i, g_i)
Sort the pairs (i, g_i) by their second component.
For i = 0 to : if then return [kt - i mod q]
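Baby-step/giant-step (slide 56) used as the subgroup solver inside Pohlig-Hellman (slide 55), as an added example that is not part of the lecture slides. It goes beyond the slide's simplifying assumption (q = rp with both prime) to a general order q = prod r_i^e_i: the group order is factored by trial division (toy sizes only), the challenge is projected into each prime-power subgroup, solved digit by digit with baby-step/giant-step in the order-r_i subgroup, and the residues are combined with the Chinese Remainder Theorem. Note the slide's table stores the giant steps g_i = g^(it) and walks the baby steps h*g^i, returning kt - i; this code stores the baby steps and walks h*g^(-kt), returning kt + i, which is the same search. The test groups (Z_1019^*, Z_257^*, Z_2311^*) are constructed.

```python
from math import isqrt

def bsgs(g, h, order, p):
    """Find x in [0, order) with g^x = h mod p, or None. Time and memory O(sqrt(order))."""
    t = isqrt(order) + 1                   # t^2 > order, so x = k*t + i with i < t, k <= t
    baby, cur = {}, 1
    for i in range(t):                     # baby steps: g^i -> i
        baby.setdefault(cur, i)
        cur = cur * g % p
    giant = pow(g, -t, p)                  # g^(-t)
    cur = h
    for k in range(t + 1):                 # giant steps: h * g^(-k t)
        if cur in baby:
            return (k * t + baby[cur]) % order
        cur = cur * giant % p
    return None

def factor_order(q):
    """Trial-division factorization q = prod r^e as {r: e} (toy group orders only)."""
    fac, d = {}, 2
    while d * d <= q:
        while q % d == 0:
            fac[d] = fac.get(d, 0) + 1
            q //= d
        d += 1
    if q > 1:
        fac[q] = fac.get(q, 0) + 1
    return fac

def pohlig_hellman(g, h, q, p):
    """Discrete log of h base g, where g generates a subgroup of Z_p^* of order exactly q."""
    residues = []
    for r, e in factor_order(q).items():
        re = r ** e
        g_e, h_e = pow(g, q // re, p), pow(h, q // re, p)   # project into the order-r^e subgroup
        g_r = pow(g_e, re // r, p)                         # element of order r
        x, rk = 0, 1                                       # x mod r^e built as x_0 + x_1 r + ...
        for k in range(e):
            # remove the known low digits, then map what remains into the order-r subgroup
            h_k = pow(h_e * pow(g_e, -x, p) % p, re // (rk * r), p)
            digit = bsgs(g_r, h_k, r, p)
            if digit is None:
                raise ValueError("h is not in the subgroup generated by g")
            x += digit * rk
            rk *= r
        residues.append((x, re))
    x, m = 0, 1                                            # Chinese Remainder Theorem
    for a, n in residues:
        x += m * ((a - x) * pow(m, -1, n) % n)
        m *= n
    return x % q
```

The cost is dominated by the largest prime factor of q, which is the whole point of slide 54's preference for prime-order subgroups: in a group of order q = rp the attacker pays about sqrt(p) + sqrt(r) rather than sqrt(rp).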
Slide 57: Discrete Log Attacks
Baby-step/Giant-step Algorithm: solves the discrete logarithm in time
Requires memory
Pollard's Rho Algorithm: solves the discrete logarithm in time
Bonus: constant memory!
Key Idea: Low-Space Birthday Attack (*) using our collision resistant hash function
(*) A few small technical details to address
Slide 58: Discrete Log Attacks
Remark: We used the discrete-log problem to construct collision resistant hash functions. The security reduction showed that an attack on the collision resistant hash function yields an attack on discrete log. Hence a generic attack on collision resistant hash functions (e.g., the low-space birthday attack) yields a generic attack on discrete log.
Slide 59: Discrete Log Attacks
Index Calculus Algorithm: similar to the quadratic sieve; runs in sub-exponential time
Specific to the group (e.g., the attack doesn't work for elliptic curves).
As before let {p_1, …, p_k} be the set of prime numbers < B.
Step 1.A: Find distinct values such that is B-smooth for each j. That is
Slide 60: Discrete Log Attacks
Step 1.A: Find
distinct values
such that
is B-smooth for each j. That is
Step 1.B: Use linear algebra to solve the equations (Note: the
's are the unknowns)
Slide 61: Discrete Log
As before let {p_1, …, p_k} be the set of prime numbers < B.
Step 1 (precomputation): Obtain y_1, …, y_k such that
Step 2: Given discrete log challenge h = g^x mod p, find y such that is B-smooth
Slide 62: Discrete Log
Step 2: Given discrete log challenge h = g^x mod p, find z such that is B-smooth
Remark: Precomputation costs can be amortized over many discrete log instances. In practice, the same group and generator g are used repeatedly.
Reference: https://www.weakdh.org/
Slide 63: NIST Guidelines (Concrete Security)
Best known attack against 1024-bit RSA takes time (approximately) 2^80.
Slide 64: NIST Guidelines (Concrete Security)
Diffie-Hellman uses a subgroup of size q. Subgroup sizes listed in the table: q = 224 bits, q = 256 bits, q = 384 bits, q = 512 bits.
Slide 65