Class 25: Crash Course in Cryptography

Transcript

1. Class  25:   Crash  Course   in   Cryptography cs2102:

    Discrete  Mathematics  |  F16 uvacs2102.github.io   David  Evans   University  of  Virginia Lawn  Lighting  2001

2. Plan Today: Universal  Machines  and  Cryptanalysis Asymmetric  Cryptosystems Modern  Cryptography

   1 PSΩ:   Submit  by  Sunday  if  you   want  to  present  Tuesday

3. Glimmers  of  Universal  Machines 2 Leibniz’s  Vision  [1679] Babbage’s  Analytical

    Engine  [1870]

4. 3 Turing’s   Universal   Machine w x Result  of

   running M(w) on  input  x [Turing  1936]

5. 4 Z3  (Operational  1941) First  working  (bounded)   universal  machine

   Konrad  Zuse (1910-­‐1995)

6. The  World  in  June 1941 5 http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png Black:  Axis Red:

    Soviet  (pact  with  Nazis) Grey:  Neutral Blue:  Anti-­‐Nazis Note:  updated!  Wikipedia  has  this  for  July   1941,  but  the  Nazis  attacked  the  Soviets  on  22   June  1941,  breaking  the  non-­‐agression pact.   (Thanks  to  Helen  Simecek for  correcting  this!)

7. May  2004 Bletchley  Park 6

8. 7 21st October 1941 Dear Prime Minister, Some weeks ago

   you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal. A.M. Turing (+ 3 others) Winston  Churchill

9. 8 Konrad Zuse Z3 “Strategically Unimportant”

10. 9 21st October 1941 Dear Prime Minister, Some weeks ago

    you paid us the honour of a visit, and we believe that you regard our work as important. … it seems to us that we have met with unnecessary impediments. …The cumulative effect, however, has been to drive us to the conviction that the importance of the work is not being impressed with sufficient force upon those outside authorities with whom we have to deal. A.M. Turing (+ 3 others) Winston  Churchill

11. The  World  in  June  1941 10 http://commons.wikimedia.org/wiki/File:Ww2_allied_axis_1941_jul.png Lorenz  Cipher

12. 11 Claude  Shannon,  A  Mathematical  Theory   of  Cryptography,  1945

     (declassified  later) Breaking  a   “nearly”   perfect  cipher  

13. Most  important  cryptographic  operation: 12 ⊕ ⊕ 0 0 0

    0 1 1 1 0 1 1 1 0

14. One-­‐Time  Pad C[i]  =  M[i]  Å K[i] 13

15. One-­‐Time  Pad  is  Only  Perfect  Cipher 14 M1 M2 Mn

    C1 C2 Cn Ki ... ... Kj To  be  perfect,  there   must  be  a  key that   maps  each  message   to  each  ciphertext. |K  |  ≥  |M | Hence,  any  practical   cipher  must  be   imperfect! [Shannon  1945]

16. One-­‐Time  Pad   (Vernam 1919) Key:  a  long   paper

     tape  with   random  bits  on   it  (5-­‐bit  code) Å 15

17. Lorenz   Cipher   Machine 16 XOR-­‐Pad  cipher  with  mechanically

     generated  key

18. HQIBPEXEZMUG! August  30,  1941 Lorenz  operator   retransmits  failed  message

    with  same  starting   configuration Uses  some  abbreviations   and  makes  some  mistakes 17 GCHQ  Today (not  what  it  looked  like  in  1941!) SPRUCHNUMMER/SPRUCHNR (Serial  Number)

19. “Two  Time”  Pad Allies  have  intercepted: C1 =  M1 Å

    K1 C2 =  M2 Å K1 18

20. “Two  Time”  Pad Allies  have  intercepted: C1 =  M1 Å

    K1 C2 =  M2 Å K1 19 C1 Å C2 =  M1 Å K1 Å M2 Å K1 =  M1 Å M2

21. Cribbing  Key Make  guesses  for  M1 (cribs) SPRUCHNUMMER ADOLF HITLER,

    FUHRER M2  =  C1 Å C2 Å M1 If  M2 seems  plausible,  calculate  key:   K1 =  M1 Å C1 Found  4000  letter  key  K1 from   intercepted  C1 and  C2 Brigadier  John  Tiltman (1894-­‐1982) 20

22. Reverse  Engineering  Lorenz 21 Bill  Tutte U.  Waterloo (1917-­‐2002)

23. 22 Main  weakness:   each  step,   either  all S

      wheels  turn,  or   none do! Knew  machine  structure,  but  a   different  initial  configuration was   used  for  each  message:  need  to   find  wheel  settings  (1019 possible)   but  weakness  reduces  to  41  × 31 K  wheels,   all  rotate   every   letter M1  and  M2   rotate   conditionally

24. Recognizing  a  Good  Guess Intercepted  Message zc,  i =  mc,i

    Å xc,i Å sc,i Message        Key  (parts  from  S-­‐wheels  and  rest) Cryptanalyze:  look  for  statistical  properties How  many  of  the  zc,i ’s are  0? How  many  of  (zc,i+1 Å zc,i )  are  0? ½  (not  useful) ½ 23 5  channels  for  each  Baudot-­‐coded  letter  

25. Double  Delta Combine  two  channels: D Z1,i Å D Z2,i

    = D M1,i Å D M2,i Å D X1,i Å D X2,i Å D S1,i Å D S2,i 24 =  ½    (key) >  ½    Yippee! >  ½  Yippee! D M1,i Å D M2,i >  ½ Higher  probability  following  letter  is  a  repetition D S1,i Å D S2,i >  ½   S-­‐wheels  only  turn  when  M-­‐wheel  is  1 Actual  advantage  ≈ 0.55

26. Using  the  Advantage Try  all  configurations  to  find  one(s)  with

     most  0s. 25 If  the  guess  of  X is  incorrect:   Pr(D Z1,i Å D Z2,I =  0)  =  ½   If  the  guess  of  X is  correct:   Pr(D Z1,i Å D Z2,I =  0)  ≈ 0.55 #  of  double  delta  operations  to  try  one  guess for  10,000  letter  message   × 1271  settings  × 7  Å per  double  delta   =  89  M  Å operations  

27. 26 Colossus  (1943) Bletchley  Park “First  working  nearly-­‐universal   somewhat-­‐programmable

     machine   that  did  something  really  useful”

28. Colossus  Design Electronic   Keytext Generator Logic Å,  =0 Tape

     Reader Counter Position   Counter Printer Ciphertext  Tape 27 50  km/h (5000  chars/second)

29. 10  Colossus  machines  operated  at  Bletchley Decoded  63  million letters

     in  Nazi  messages Learned  German  troop  locations  to  plan  D-­‐Day 28

30. Modern  Symmetric  Ciphers 29 AES  Round Å 128  or  more

     key  bits ~1017 J needed  for  most  efficient   possible  brute  force  attack Very  inexpensive:  instructions   built  in  to  most  processors

31. Symmetric  Encryption 30 AES AES Plaintext Ciphertext Plaintext Insecure  Channel

    Key Key Alice Bob

32. Asymmetric  Cryptography 31

33. Need  for  Asymmetric  Encryption 32 AES AES Plaintext Ciphertext Plaintext

    Insecure  Channel Key Key Alice Bob Requiring  shared  secret: -­‐ Alice  and  Bob  must  pre-­‐arrange  it  over  a  secure  channel -­‐ Alice  and  Bob  can  impersonate  each  other

34. Time  for  a  Revolution! 33 New  Directions  in  Cryptography Whit

     Diffie and  Martin  Hellman 1976

35. Martin  Hellman Whit  Diffie

36. Martin  Hellman Whit  Diffie Ralph  Merkle Spurned  by  ACM Cropped

     by  NYT

37. 36 Padlocked  Boxes Alice Final: True,  False,  … Analogy  due

     to  Simon  Singh,  The  Code  Book

38. 37 Padlocked  Boxes Alice’s  Padlock Alice’s  Padlock  Key EA (M)

    Alice Analogy  due  to  Simon  Singh,  The  Code  Book

39. 38 Padlocked  Boxes Shady   Sammy’s   Slimy   Shipping

      Service Alice’s  Padlock  Key Alice Analogy  due  to  Simon  Singh,  The  Code  Book

40. 39 Padlocked  Boxes Alice Bob Bob’s  Padlock Bob’s  Padlock  Key

    Alice’s  Padlock  Key EB (     ) EA (M)   Analogy  due  to  Simon  Singh,  The  Code  Book

41. 40 Padlocked  Boxes Alice Bob Alice’s  Padlock  Key EB (EA

    (M)) Bob’s  Padlock  Key Analogy  due  to  Simon  Singh,  The  Code  Book

42. 41 Padlocked  Boxes Alice’s  Padlock  Key DA (EB (EA (M)))

     =  EB (M) Alice Bob Bob’s  Padlock  Key Analogy  due  to  Simon  Singh,  The  Code  Book

43. 42 Padlocked  Boxes EB (M) Alice Bob Bob’s  Padlock  Key

    Analogy  due  to  Simon  Singh,  The  Code  Book

44. 43 Padlocked  Boxes T,  F,  .. Alice Bob Bob’s  Padlock

     Key Analogy  due  to  Simon  Singh,  The  Code  Book

45. “Padlocks”  Key  Agreement We  relied  on:  DA (EB (EA (M)))

     =  EB (M) Is  this  true  for  AES? 44 No  way! AES  (and  any  strong  symmetric   primitive)  must  involve  non-­‐linear   transformations  that  are  not  commutative.

46. “Padlocks”  Key  Agreement We  relied  on:  DA (EB (EA (M)))

     =  EB (M) Is  this  true  for  AES? 45

47. “Padlocks”  Key  Agreement We  relied  on:  DA (EB (EA (M)))

     =  EB (M) Is  this  true  for  AES? 46 No  way! AES  (and  any  strong  symmetric   primitive)  must  involve  non-­‐linear   transformations  that  are  not  commutative.

48. “Padlocks”  Key  Agreement We  relied  on:  DA (EB (EA (M)))

     =  EB (M) What  operations  is  it  true  for? 47

49. 48 Diffie-­‐Hellman-­‐Merkle Key  Agreement Alice Bob 1.  Choose  and  publish:

      q (large  prime  number) a (primitive  root  of  q) a is  a  primitive  root  of  q if  for  all   1  £ n <  q,  there  is  some  m, 1  £ m <  q such  that   am =  n mod  q All  prime  numbers have  primitive  roots.

50. 49 a is  a  primitive  root  of  q if  for

     all   1  £ n <  q,  there  is  some  m, 1  £ m <  q such  that   am =  n mod  q All  prime  numbers have  primitive  roots.

51. 50 Diffie-­‐Hellman-­‐Merkle Key  Agreement Alice Bob 1.  Choose  and  publish:

      q (large  prime  number) a (primitive  root  of  q) 2.  Generate  random  XA 3.  Send  YA =aXA mod  q. 4.  Generate  random  XB . 5.  Send  YB =aXB mod  q.

52. 51 Diffie-­‐Hellman-­‐Merkle Key  Agreement Alice Bob 1.  Choose  and  publish:

      q (large  prime  number) a (primitive  root  of  q) 2.  Generate  random  XA 3.  Send  YA =aXA mod  q. 4.  Generate  random  XB . 5.  Send  YB =aXB mod  q. K =  (YB )  XA mod  q K =  (YA )XB mod  q

53. Key  Agreement  Requirements Correctness: Both  participants  get  the  same  key

      Security:  An  eavesdropper  cannot  find  K from   all  intercepted  values 52 K =  (YB )  XA mod  q K =  (YA )XB mod  q YA = aXA mod  q YB = aXB mod  q

54. Key  Agreement  Correctness Correctness: Both  participants  get  the  same  key

      53 K =  (YB )  XA mod  q K =  (YA )XB mod  q YA = aXA mod  q YB = aXB mod  q =    (aXB mod  q)XA mod  q =    (aXBXA mod  q)mod  q =    aXBXA mod  q =    (aXA mod  q)XB mod  q =    (aXAXB mod  q)mod  q =    aXAXB mod  q Multiplication  commutes  (just  like  the  padlocks)!

55. Key  Agreement  Requirements Correctness: Both  participants  get  the  same  key

      Security:  An  eavesdropper  cannot  find  K from   all  intercepted  values 54 K =  aXAXB mod  q

56. 55 Alice Bob 1.  Choose  and  publish:   q (large

     prime  number) a (primitive  root  of  q) 2.  Generate  random  XA 3.  Send  YA =aXA mod  q. 4.  Generate  random  XB . 5.  Send  YB =aXB mod  q. K =  (YB )  XA mod  q K =  (YA )XB mod  q Eve                         An  eavesdropper  cannot  find  K from  all  intercepted  values:   q,  a,  YA ,  YB

57. 56 Alice Bob 1.  Choose  and  publish:   q (large

     prime  number) a (primitive  root  of  q) 2.  Generate  random  XA 3.  Send  YA =aXA mod  q. 4.  Generate  random  XB . 5.  Send  YB =aXB mod  q. K =  (YB )  XA mod  q K =  (YA )XB mod  q Eve                         An  eavesdropper  cannot  find  K from  all  intercepted  values:   q,  a,  YA ,  YB Discrete  logarithm  problem:  given  a,  n,  and q find   the  one  0  £ m <  q such  that   am =  n mod  q For  good  choices  of  q,  this  is  believed  to  be  hard.

58. 57 Remember  Class  1?

59. 58 Alice Bob 1.  Choose  and  publish:   q (large

     prime  number) a (primitive  root  of  q) 2.  Generate  random  XA 3.  Send  YA =aXA mod  q. 4.  Generate  random  XB . 5.  Send  YB =aXB mod  q. K =  (YB )  XA mod  q K =  (YA )XB mod  q Eve                         An  eavesdropper  cannot  find  K from  all  intercepted  values:  q,  a,   YA ,  YB .  If  they  could,  could  solve  discrete  log  problem which  is   believed  to  be  hard:  given  YA =aXA mod  q  find  XA

60. 59 What  about  Mallory? Encrypt Decrypt Plaintext Ciphertext Plaintext Alice

    Bob Mallory (active attacker) Insecure  Channel   (e.g.,  the  Internet) >>

61. Modern  Cryptography 60

62. Gale-­‐Shapley  Stable  Matching 61

63. Stable  Matching  Applications Public  schools  in  New  York,  Boston Singapore

     University  Admissions Medical  residents  in  US,  Canada,  others 35,000  applicants

64. Stable  Matching  Applications Public  schools  in  New  York,  Boston Singapore

     University  Admissions Medical  residents  in  US,  Canada,  others 35,000  applicants Use  Trusted  Third  Party  to  run  matching  algorithm: -­‐ Receives  all  private  rankings  and  keeps  confidential -­‐ Produces  correct  result  -­‐ uncorrupted

65. Secure  Two-­‐Party  Computation Alice Bob Preference  Shares  1 Preference  Shares

     2 Can  Alice  and  Bob  compute  a  function  on  private  data,  without   exposing  anything  about  their  data  besides  the  result? r = f(a, b)

66. Secure  Two-­‐Party  Computation Alice Bob Preference  Shares  1 Preference  Shares

     2 Can  Alice  and  Bob  compute  a  function  on  private  data,  without   exposing  anything  about  their  data  besides  the  result? r = f(a, b)

67. FOCS  1982 FOCS  1986 Note:  neither  paper  actually   describes

     “Yao’s  protocol”. Andrew  Yao

68. Yao’s  Garbled  Circuit  Protocol Alice  (circuit  generator) Bob  (circuit  evaluator)

    Garbled  Circuit  Protocol secret  input  a secret  input  b Agree on  function  f r = f(a, b) r = f(a, b) Learns  nothing  else  about  b Learns  nothing  else  about  a

69. Regular  Logic Inputs Output x a b 0 0 0

    0 1 0 1 0 0 1 1 1 a b x AND

70. “Obfuscated”  Logic Inputs Output x a b a1 b0 x0

    a0 b1 x0 a1 b1 x1 a1 b0 x0 a0 or  a1 x AND b0 or  b1 ai , bi , xi are  random values,   chosen  by  generator but   meaningless to  evaluator.

71. Inputs Output x a b a1 b0 x0 a0 b1

    x0 a1 b1 x1 a1 b0 x0 a0 or  a1 x AND b0 or  b1 Leaks  information! “Obfuscated”  Logic ai , bi , xi are  random values,   chosen  by  generator but   meaningless to  evaluator.

72. Inputs Output x a b a1 b0 x0 a0 b1

    x0 a1 b1 x1 a1 b0 x0 a0 or  a1 x AND b0 or  b1 Garbling  the  Table ai , bi , xi are  random values,   chosen  by  generator but   meaningless to  evaluator.

73. Garbled  Logic Inputs Output x a b a1 b0 Ea1

    ,b0 (x0 ) a0 b1 Ea0 ,b1 (x0 ) a1 b1 Ea1 ,b1 (x1 ) a0 b0 Ea0 ,b0 (x0 ) a0 or  a1 x AND b0 or  b1

74. Garbled  Logic Inputs Output x a b a1 b0 Ea1

    ,b0 (x0 ) a0 b1 Ea0 ,b1 (x0 ) a1 b1 Ea1 ,b1 (x1 ) a0 b0 Ea0 ,b0 (x0 ) a0 or  a1 x AND b0 or  b1 G Garbled  Table

75. Garbled  Circuit  Protocol Alice  (generator) Sends  ai ,  based  

    on  her  input Bob  (evaluator) Picks  random  values  for  a{0, 1} ,  b{0, 1} ,  x{0, 1} Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 ) Ea0 ||b0 (x0 ) Evaluates  circuit,   decrypting  one   row  of  each   garbled  gate xr Sends  hashes  to   decode  outputs r

76. a0,0 or  a0,1 G0 b0,0 or  b1,0 G1 … x0

    or  x1 G2 x1,0 or  x1,1 a1,0 or  a1,1 b1,0 or  b1,1 Ea0,1,b0,0 (x0,0 ) Ea0,0,b0,1 (x0,0 ) Ea0,1,b0,1 (x0,1 ) Ea0,0,b0,1 (x0,0 ) Ea1,1,b1,1 (x1,1 ) Ea1,0,b1,1 (x1,0 ) Ea1,1,b1,0 (x1,0 ) Ea1,0,b1,0 (x1,0 ) x2,0 or  x2,1 Chain  gates  to  securely   compute  any  discrete  function! Ex0,0,x1,0 (x2,0 ) Ex0,1,x1,1 (x2,1 ) Ex0,1,x1,0 (x2,0 ) Ex0,0,x1,0 (x2,0 )

77. Garbled  Circuit  Protocol Alice  (generator) Sends  ai ,  based  

    on  her  input Bob  (evaluator) Picks  random  values  for  a{0, 1} ,  b{0, 1} ,  x{0, 1} Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 ) Ea0 ||b0 (x0 ) Evaluates  circuit,   decrypting  one   row  of  each   garbled  gate xr Sends  hashes  to   decode  outputs r How  does  the  Bob  learn  his  own  input  values?

78. Primitive:  Oblivious  Transfer Alice  (generator) Bob  (evaluator) Oblivious  Transfer  

    Protocol b0 , b1 selector  i bi Learns  nothing  else  about  i Learns  nothing  about  other  value Rabin,  1981;  Even,  Goldreich,  and  Lempel,  1985;  …

79. Garble Encode Evaluate Decode f garbled  circuit F e X

    Y f(x) d x Security  properties Privacy: F,  X,  and  d leak  reveals  nothing  beyond  f(x) Obliviousness:  F,  X reveals  nothing  (new) Authenticity:  given  F,  X,  hard  to  find  Y’  such  that: Decode(Y’,  d)  ∉  {  f(x),  error }

80. Building  Computing  Systems 79 Digital  Electronic Circuits Garbled  Circuits Operate

     on  known data Operate  on  encrypted  wire  labels One-­‐bit logical  operation  requires  moving   some  electrons  a  few  nanometers   One-­‐bit logical  operation  requires   performing  four  encryption   operations Reuse  is  great! Reuse  is  not  allowed! Ea1 ||b0 (x0 ) Ea0 ||b1 (x0 ) Ea1 ||b1 (x1 )

81. Phase Time Non-­‐Free  Gates Gates/second Initialization 2.07  hours 34 B

    4.57  M Bidding 15.01  hours 173 B 3.19  M Total 17.08  hours 207 B 3.36  M Simulated  2016  US  National  Medical  Residency  Match: 35,476 prospective  residents  matching  with  4836 programs  with  30,750 total  slots Running  between  2  EC2.c4xlarge  nodes  in  same  region  (1  Gbps)

82. Phase Time Non-­‐Free  Gates Gates/second Initialization 2.07  hours 34 B

    4.57  M Bidding 15.01  hours 173 B 3.19  M Total 17.08  hours 207 B 3.36  M Simulated  2016  US  National  Medical  Residency  Match: 35,476 prospective  residents  matching  with  4836 programs  with  30,750 total  slots Running  between  2  EC2.c4xlarge  nodes  in  same  region  (1  Gbps)

83. Lighting  of  the  Lawn Never  doubt  that  a  small  group

     of  thoughtful,   committed  people  can  change  the  world.   Indeed,  it  is  the  only  thing  that  ever  has. Margaret  Mead

84. Charge Change  the  World!