• 沒有找到結果。

# The Secret-Key Agreement Problem

N/A
N/A
Protected

Share "The Secret-Key Agreement Problem"

Copied!
47
0
0

(1)

### The Secret-Key Agreement Problem

Exchanging messages securely using a private-key cryptosystem requires Alice and Bob possessing the same key (p. 568).

How can they agree on the same secret key when the channel is insecure?

This is called the secret-key agreement problem.

It was solved by Diffie and Hellman (1976) using one-way functions.

(2)

### The Diffie-Hellman Secret-Key Agreement Protocol

1: Alice and Bob agree on a large prime p and a primitive root g of p; {p and g are public.}

2: Alice chooses a large number a at random;

3: Alice computes α = ga mod p;

4: Bob chooses a large number b at random;

5: Bob computes β = gb mod p;

6: Alice sends α to Bob, and Bob sends β to Alice;

7: Alice computes her key βa mod p;

8: Bob computes his key αb mod p;

(3)

### Analysis

The keys computed by Alice and Bob are identical:

βa = gba = gab = αb mod p.

To compute the common key from p, g, α, β is known as the Diffie-Hellman problem.

It is conjectured to be hard.

If discrete logarithm is easy, then one can solve the Diffie-Hellman problem.

Because a and b can then be obtained by Eve.

But the other direction is still open.

(4)

### A Parallel History

Diffie and Hellman’s solution to the secret-key

agreement problem led to public-key cryptography.

At around the same time (or earlier) in Britain, the RSA public-key cryptosystem was invented first before the Diffie-Hellman secret-key agreement scheme was.

– Ellis, Cocks, and Williamson of the Communications Electronics Security Group of the British Government Communications Head Quarters (GCHQ).

(5)

### Digital Signatures

a

Alice wants to send Bob a signed document x.

The signature must unmistakably identifies the sender.

Both Alice and Bob have public and private keys eAlice, eBob, dAlice, dBob.

Assume the cryptosystem satisfies the commutative property E(e, D(d, x)) = D(d, E(e, x)). (9)

As (xd)e = (xe)d, the RSA system satisfies it.

Every cryptosystem guarantees D(d, E(e, x)) = x.

(6)

### Digital Signatures Based on Public-Key Systems

Alice signs x as

(x, D(dAlice, x)).

Bob receives (x, y) and verifies the signature by checking E(eAlice, y) = E(eAlice, D(dAlice, x)) = x

based on Eq. (9).

The claim of authenticity is founded on the difficulty of inverting EAlice without knowing the key dAlice.

Warning: If Alice signs anything presented to her, she

(7)

### Probabilistic Encryption

a

A deterministic cryptosystem can be broken if the

plaintext has a distribution that favors the “easy” cases.

The ability to forge signatures on even a vanishingly small fraction of strings of some length is a security weakness if those strings were the probable ones!

A scheme may also “leak” partial information.

– Parity of the plaintext, e.g.

The first solution to the problems of skewed distribution and partial information was based on the QRA.

aGoldwasser and Micali (1982).

(8)

(9)

(10)

### The Setup

Bob publishes n = pq, a product of two distinct primes, and a quadratic nonresidue y with Jacobi symbol 1.

Bob keeps secret the factorization of n.

Alice wants to send bit string b1b2 · · · bk to Bob.

Alice encrypts the bits by choosing a random quadratic residue modulo n if bi is 1 and a random quadratic

nonresidue (with Jacobi symbol 1) otherwise.

A sequence of residues and nonresidues are sent.

Knowing the factorization of n, Bob can efficiently test

(11)

### A Useful Lemma

Lemma 78 Let n = pq be a product of two distinct primes.

Then a number y ∈ Zn is a quadratic residue modulo n if and only if (y | p) = (y | q) = 1.

The “only if” part:

Let x be a solution to x2 = y mod pq.

Then x2 = y mod p and x2 = y mod q also hold.

Hence y is a quadratic modulo p and a quadratic residue modulo q.

(12)

### The Proof (concluded)

The “if” part:

Let a21 = y mod p and a22 = y mod q.

– Solve

x = a1 mod p, x = a2 mod q,

for x with the Chinese remainder theorem.

As x2 = y mod p, x2 = y mod q, and gcd(p, q) = 1, we must have x2 = y mod pq.

(13)

### The Jacobi Symbol and Quadratic Residuacity Test

The Legendre symbol can be used as a test for quadratic residuacity by Lemma 66 (p. 483).

Lemma 78 (p. 595) says this is not the case with the Jacobi symbol in general.

Suppose n = pq is a product of two distinct primes.

A number y ∈ Zn with Jacobi symbol (y | pq) = 1 may be a quadratic nonresidue modulo n when

(y | p) = (y | q) = −1, because (y | pq) = (y | p)(y | q).

(14)

### The Protocol for Alice

1: for i = 1, 2, . . . , k do

2: Pick r ∈ Zn randomly;

3: if bi = 1 then

4: Send r2 mod n; {Jacobi symbol is 1.}

5: else

6: Send r2y mod n; {Jacobi symbol is still 1.}

7: end if

8: end for

(15)

### The Protocol for Bob

1: for i = 1, 2, . . . , k do

3: if (r | p) = 1 and (r | q) = 1 then

4: bi := 1;

5: else

6: bi := 0;

7: end if

8: end for

(16)

### Semantic Security

This encryption scheme is probabilistic.

There are a large number of different encryptions of a given message.

One is chosen at random by the sender to represent the message.

This scheme is both polynomially secure and semantically secure.

(17)

### What Is a Proof?

A proof convinces a party of a certain claim.

“xn + yn 6= zn for all x, y, z ∈ Z+ and n > 2.”

“Graph G is Hamiltonian.”

“xp = x mod p for prime p and p 6 |x.”

In mathematics, a proof is a fixed sequence of theorems.

– Think of it as a written examination.

We will extend a proof to cover a proof process by which the validity of the assertion is established.

– Recall a job interview or an oral examination.

(18)

### Prover and Verifier

There are two parties to a proof.

– The prover (Peggy).

– The verifier (Victor).

Given an assertion, the prover’s goal is to convince the verifier of its validity (completeness).

The verifier’s objective is to accept only correct assertions (soundness).

The verifier usually has an easier job than the prover.

The setup is very much like the Turing test.a

(19)

### Interactive Proof Systems

An interactive proof for a language L is a sequence of questions and answers between the two parties.

At the end of the interaction, the verifier decides whether the claim is true or false.

The verifier must be a probabilistic polynomial-time algorithm.

The prover runs an exponential-time algorithm.

– If the prover is not more powerful than the verifier, no interaction is needed.

(20)

### Interactive Proof Systems (concluded)

The system decides L if the following two conditions hold for any common input x.

If x ∈ L, then the probability that x is accepted by the verifier is at least 1 − 2−| x |.

If x 6∈ L, then the probability that x is accepted by the verifier with any prover replacing the original prover is at most 2−| x |.

Neither the number of rounds nor the lengths of the messages can be more than a polynomial of | x |.

(21)

3

3

3

3

3

9

9

9

9

9

(22)

### IP

a

IP is the class of all languages decided by an interactive proof system.

When x ∈ L, the completeness condition can be modified to require that the verifier accepts with certainty without affecting IP.b

Similar things cannot be said of the soundness condition when x 6∈ L.

Verifier’s coin flips can be public.c

aGoldwasser, Micali, and Rackoff (1985).

bGoldreich, Mansour, and Sipser (1987).

(23)

### The Relations of IP with Other Classes

NP ⊆ IP.

– IP becomes NP when the verifier is deterministic.

BPP ⊆ IP.

– IP becomes BPP when the verifier ignores the prover’s messages.

IP actually coincides with PSPACE.a

aShamir (1990).

(24)

### Graph Isomorphism

V1 = V2 = {1, 2, . . . , n}.

Graphs G1 = (V1, E1) and G2 = (V2, E2) are isomorphic if there exists a permutation π on

{1, 2, . . . , n} so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.

No known polynomial-time algorithms.

The problem is in NP (hence IP).

It is not likely to be NP-complete.a

(25)

### graph nonisomorphism

V1 = V2 = {1, 2, . . . , n}.

Graphs G1 = (V1, E1) and G2 = (V2, E2) are

nonisomorphic if there exist no permutations π on {1, 2, . . . , n} so that (u, v) ∈ E1 ⇔ (π(u), π(v)) ∈ E2.

Again, no known polynomial-time algorithms.

– It is in coNP, but how about NP or BPP?

– It is not likely to be coNP-complete.

Surprisingly, graph nonisomorphism ∈ IP.a

aGoldreich, Micali, and Wigderson (1986).

(26)

### A 2-Round Algorithm

1: Victor selects a random i ∈ { 1, 2 };

2: Victor selects a random permutation π on { 1, 2, . . . , n };

3: Victor applies π on graph Gi to obtain graph H;

4: Victor sends (G1, H) to Peggy;

5: if G1 = H then

6: Peggy sends j = 1 to Victor;

7: else

8: Peggy sends j = 2 to Victor;

9: end if

10: if j = i then

11: Victor accepts;

12: else

(27)

### Analysis

Victor runs in probabilistic polynomial time.

Suppose G1 6∼= G2.

Peggy is able to tell which Gi is isomorphic to H.

So Victor always accepts.

Suppose G1 = G2.

No matter which i is picked by Victor, Peggy or any prover sees 2 identical graphs.

Peggy or any prover with exponential power has only probability one half of guessing i correctly.

So Victor erroneously accepts with probability 1/2.

Repeat the algorithm to obtain the desired probabilities.

(28)

### Knowledge in Proofs

Suppose I know a satisfying assignment to a satisfiable boolean expression.

I can convince Alice of this by giving her the assignment.

But then I give her more knowledge than necessary.

– Alice can claim that she found the assignment!

– Login authentication faces essentially the same issue.

– See

www.wired.com/wired/archive/1.05/atm pr.html for a famous ATM fraud in the U.S.

(29)

### Knowledge in Proofs (concluded)

Digital signatures authenticate documents but not individuals.

They hence do not solve the problem.

Suppose I always give Alice random bits.

Alice extracts no knowledge from me by any measure, but I prove nothing.

Question 1: Can we design a protocol to convince Alice (the knowledge) of a secret without revealing anything extra?

Question 2: How to define this idea rigorously?

(30)

### Zero Knowledge Proofs

a

An interactive proof protocol (P, V ) for language L has the perfect zero-knowledge property if:

For every verifier V 0, there is an algorithm M with expected polynomial running time.

M on any input x ∈ L generates the same probability distribution as the one that can be observed on the communication channel of (P, V 0) on input x.

aGoldwasser, Micali, and Rackoff (1985).

(31)

Zero knowledge is a property of the prover.

– It is the robustness of the prover against attempts of the verifier to extract knowledge via interaction.

– The verifier may deviate arbitrarily (but in

polynomial time) from the predetermined program.

– A verifier cannot use the transcript of the interaction to convince a third-party of the validity of the claim.

– The proof is hence not transferable.

(32)

Whatever a verifier can “learn” from the specified prover P via the communication channel could as well be

computed from the verifier alone.

The verifier does not learn anything except “x ∈ L.”

Zero-knowledge proofs yield no knowledge in the sense that they can be constructed by the verifier who believes the statement, and yet these proofs do convince him.

(33)

The “paradox” is resolved by noting that it is not the transcript of the conversation that convinces the verifier.

But the fact that this conversation was held “on line.”

There is no zero-knowledge requirement when x 6∈ L.

Computational zero-knowledge proofs are based on complexity assumptions.

M only needs to generate a distribution that is

computationally indistinguishable from the verifier’s view of the interaction.

(34)

It is known that if one-way functions exist, then

zero-knowledge proofs exist for every problem in NP.a

The verifier can be restricted to the honest one (i.e., it follows the protocol).b

The coins can be public.c

aGoldreich, Micali, and Wigderson (1986).

(35)

### Are You Convinced?

A newspaper commercial for hair-growing products for men.

– A (for all practical purposes) bald man has a full head of hair after 3 months.

A TV commercial for weight-loss products.

– A (by any reasonable measure) overweight woman loses 10 kilograms in 10 weeks.

(36)

Let n be a product of two distinct primes.

Assume extracting the square root of a quadratic residue modulo n is hard without knowing the factors.

We next present a zero-knowledge proof for x ∈ Zn being a quadratic residue.

(37)

### Zero-Knowledge Proof of Quadratic Residuacity

1: for m = 1, 2, . . . , log2 n do

2: Peggy chooses a random v ∈ Zn and sends y = v2 mod n to Victor;

3: Victor chooses a random bit i and sends it to Peggy;

4: Peggy sends z = uiv mod n, where u is a square root of x; {u2 ≡ x mod n.}

5: Victor checks if z2 ≡ xiy mod n;

6: end for

7: Victor accepts x if Line 5 is confirmed every time;

(38)

### A Useful Corollary

Corollary 79 Let n = pq be a product of two distinct

primes. (1) If x and y are both quadratic residues modulo n, then xy ∈ Zn is a quadratic residue modulo n. (2) If x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n, then xy ∈ Zn is a quadratic nonresidue modulo n.

Suppose x and y are both quadratic residues modulo n.

Let x ≡ a2 mod n and y ≡ b2 mod n.

Now xy is a quadratic residue as xy ≡ (ab)2 mod n.

(39)

### The Proof (concluded)

Suppose x is a quadratic residue modulo n and y is a quadratic nonresidue modulo n.

By Lemma 78 (p. 595), (x | p) = (x | q) = 1 but, say, (y | p) = −1.

Now xy is a quadratic nonresidue as (xy | p) = −1, again by Lemma 78 (p. 595).

(40)

### Analysis

Suppose x is a quadratic nonresidue.

– Peggy can answer only one of the two possible challenges.

If a is a quadratic residue, then xa is a quadratic nonresidue by Corollary 79 (p. 622).

So xiy can be a quadratic residue (see Line 5) only when i = 0.

– So Peggy will be caught in any given round with probability one half.

(41)

### Analysis (continued)

Suppose x is a quadratic residue.

– Peggy can answer all challenges.

So Victor will accept x.

How about the claim of zero knowledge?

The transcript between Peggy and Victor when x is a quadratic residue can be generated without Peggy!

– So interaction with Peggy is useless.

Here is how.

(42)

### Analysis (continued)

Suppose x is a quadratic residue.a

In each round of interaction with Peggy, the transcript is a triplet (y, i, z).

We present an efficient Bob that generates (y, i, z) with the same probability without accessing Peggy.

aBy definition, we do not need to consider the other case.

(43)

### Analysis (concluded)

1: Bob chooses a random z ∈ Zn;

2: Bob chooses a random bit i;

3: Bob calculates y = z2x−i mod n;

4: Bob writes (y, i, z) into the transcript;

(44)

Assume x is a quadratic residue.

In both cases, for (y, i, z), y is a random quadratic residue, i is a random bit, and z is a random number.

Bob cheats because (y, i, z) is not generated in the same order as in the original transcript.

– Bob picks Victor’s challenge first.

– Bob then picks Peggy’s answer.

– Bob finally patches the transcript.

(45)

So it is not the transcript that convinces Victor, but that conversation with Peggy is held “on line.”

The same holds even if the transcript was generated by a cheating Victor’s interaction with (honest) Peggy.

But we skip the details.

(46)

### Does the Following Work, Too?

a

1: for m = 1, 2, . . . , log2 n do

2: Peggy chooses a random v ∈ Zn and sends y = v2 mod n to Victor;

3: Peggy sends z = uv mod n, where u is a square root of x; {u2 ≡ x mod n.}

4: Victor checks if z2 ≡ xy mod n;

5: end for

6: Victor accepts x if Line 4 is confirmed every time;

aContributed by Mr. Chih-Duo Hong (R95922079) on December 13, 2006. It is like always choosing i = 1 in the original protocol.

(47)

a

### (concluded)

Suppose x is a quadratic nonresidue.

But Peggy can mislead Victor into accepting x as a quadratic residue.

She simply sends y = x and z = x to Victor.

This pair will satisfy z2 ≡ xy mod n by construction.

The protocol is hence not even an IP protocol!

aContributed by Mr. Chin-Luei Chang (D95922007) on June 16, 2008.

• Zero-knowledge proofs yield no knowledge in the sense that they can be constructed by the verifier who believes the statement, and yet these proofs do convince him...

• The binomial interest rate tree can be used to calculate the yield volatility of zero-coupon bonds.. • Consider an n-period

2.1.1 The pre-primary educator must have specialised knowledge about the characteristics of child development before they can be responsive to the needs of children, set

Now, nearly all of the current flows through wire S since it has a much lower resistance than the light bulb. The light bulb does not glow because the current flowing through it

• Environmental Report 2020 of Transport Department, Hong Kong: to provide a transport system in an environmentally acceptable manner to align with the sustainable development of

● the F&amp;B department will inform the security in advance if large-scaled conferences or banqueting events are to be held in the property.. Relationship Between Food and

Daily operation - Sanitizing after guest checked-in / swab test (guest floor

• If we know how to generate a solution, we can solve the corresponding decision problem. – If you can find a satisfying truth assignment efficiently, then sat is