COM401 - Chapter 7 - Public Key Crypto

5 - Why do we have different constants with the RSA padding?

- 0002 for encryption
- 0001 for digital signature
This would allow us to use the same key for encryption and digital signatures

Describe the ECDSA signature generation

- Select k invertible mod n
- Compute exponential of k in basis g
- Obtain another point (x1, y1) which is a field element
- Transform field element to integer x-bar (r and s)
- Make sure r and s not 0, otherwise signature is the pair (r, s)
- Signature is a point on the EC

How can we break RSA? What do we do to defeat this task?

- We can break RSA by factoring N
- Thus factoring must be hard and N must be large

5 - Boneh-Boyen Signature (no H)

Again uses elliptic curve pairings. Proposed with no hash. Thus we do not need to assume hash is a random function

Describe the Secure Communications over Insecure Channels protocol

Alice
- Generates many puzzles i
- Sends c, every yi
Bob
- Has to solve all puzzles until finds correct yi, can then get ki

What would happen if the adversary obtains Alice's state at CK2?

Cannot go back to CK1

What is the primary use of digital signatures?

Certificates
- Server sends pk to server, authority signs certificate, sends to client
- Client can then know the public key is from the server

2 - What are the concatenates used for?

To make the homomorphic properties more difficult to exploit

What is forward secrecy?

If long-term secret keys are disclosed in the future, communication is still private

What would happen if the adversary obtains Alice's state at CK0?

The adversary can predict CK1 and CK2, but this changes when the direction of messages changes

3 - How do we protect against the homomorphic properties?

The constant protects against it

Why don't we need an encryption oracle?

We have the public key

Describe the semi-static variant

- Alice has a long-term key
- Bob is supposed to know Alice's public key, and can directly send his fresh ephemeral key

More specifically

- Alice sends her ephemeral secret to Bob. Knows Bob's ephemeral secret
- For next message, Bob generates a new ephemeral DH key. Runs the DH protocol with Alice's ephemeral secret and his new ephemeral secret
- Bob sends new ephemeral secret to Alice
- This happens every time the direction of exchange changes

What is the complexity for Alice, Bob, and an attacker?

- Alice: N
- Bob: S (solving the puzzle)
- Attacker: NxS

What is a Trapdoor permutation?

- An encryption Perm that is easy to compute in one way
- Hard to compute the other way (InvPerm)
- Except using a trapdoor K, which would then make it easy to invert

Describe the ECDSA signature verification

- Check public key not point at infinity, belongs to curve, has order n and is a prime number
- Check r and s both in Zn*
- Compute (x1, y1)

Describe the variants of Diffie-Hellman relating to how long the key is used

- Ephemeral DH: X and Y are fresh and destroyed after the protocol completes
- Static: X and Y are used like public keys
- Semi-Static: One key is fixed (public key), and the other is fresh

Describe the second ratchet in more detail

- First message encrypted with MK1
- Second message encrypted with MK2 (All the messages going in one direction)
- If the adversary corrupts the state of Alice, cannot recover MK1 if Alice's state is MK2

6 - RSA-PSS Signature

- One Feistel scheme round
- Hash with salt
- Signed using plain RSA signature

3 - RSA-OAEP Encryption

- Put a constant, Delimiter of 0....01, M
- Feistel scheme. Pick random seed, apply MGF function
- MaskedDB (message), MaskedSeed
- Encrypt

3 - Give an overview of ECDSA (MOST IMPORTANT SIGNATURE SCHEME WE WILL ENCOUNTER)

- Setup elliptic curve
- Signer selects secret key d
- Compute public key Q=dG. Thus, Q is an element of the group of order n

What are the benefits of DSA?

- Signatures shorter
- No proper subgroup (only {1} and itself)
- Some form of provable security (discrete logarithm problem is hard)

What are some drawbacks of the ElGamal signature scheme?

- Signatures very long (two integers mod(p) and mod(p-1))
- Problems of subgroups of Zp-1 (because we do not work in a group of prime order)
- Lack of security proof for arbitrary public parameters. There is an attack which consists of forging insecure parameters. So if parameters are not random, then it is insecure
- Issues with leaking k

3 - What is the MGF function?

- X is concatenated to a four byte counter
- The counter size is until the string is the proper length per the algorithm

Describe the differences between
- key exchange
- key agreement
- key establishment
- key transfer

- key exchange: no exchange of keys, just of data used to create keys
- key agreement: same thing
- key establishment: more general, so this would include a key exchange and key transfer
- key transfer: a type of key establishment where one participant chooses a key and sends

What are the benefits of ECDSA relative to DSA?

- keys shorter
- computation lighter

What happens if k leaks or is reused?

- leaks: If k leaks, then we reveal the long-term secret key, so we could forge the signature of whatever we want
- reuse: If k is reused, we also reveal the long-term secret key. We now have two equations with two unknowns
NOTE: If k comes from a bad pseudorandom generator, then k has a bias, and we can thus have attacks that reveal x

1 - Why do we not use vanilla RSA?

- messages not elements in Zn
- RSA has homomorphic properties
- Can leak a variety of things

OVERVIEW

1 - Public Key Crypto
2 - Diffie-Hellman Key Exchange
3 - RSA Crypto
4 - ElGamal Crypto
5 - Selecting Key Lengths
6 - Formalism
7 - Towards Post-Quantum Crypto
8 - Other Primitives

What security does a key exchange protocol provide against what types of adversaries?

A passive adversary should not be able to infer K from the exchanges

What is a double ratchet?

A ratchet for every time the direction of exchange changes
- ratchet message indicates the new ephemeral key to use in the DH protocol
- good forward and future secrecy

Here is the protocol

Alice gets from the server some key material from Bob
- Runs triple DH protocol
- Derives secret key

Here are the steps more specifically

Alice wants to send a message to Bob
- Alice asks server for Bob
- Bob had previously generated some keys
- Server gives some of these keys to Alice (including one of the one-time keys)
- Alice computes 3 DH protocols
- Run a KDF from these 3 DH keys
- Remove ephemeral key
- Start communication

Describe how DH led to RSA and ElGamal

Both public key cryptosystems
- RSA: used trapdoor permutation. Operation in Zn which can be inverted with the factorization of n
- ElGamal: uses DH key agreement and symmetric crypto

What type of permutation is RSA? What can RSA be used for?

Concrete trapdoor permutation that can be used for
- public key cryptosystem
- signature scheme

Give the formal definition of a public-key cryptosystem. What algorithms are deterministic, what probabilistic?

Dec is deterministic, while Gen and Enc are not
- M is a plaintext domain

Describe the Digital Signature Primitive. What security notion do digital signatures provide?

Digital signatures provide non-repudiation
- relies on signature being unforgeable

What variant has forward secrecy?

Ephemeral DH has forward secrecy (as nothing is stored long term)

Describe the first ratchet in terms of X3DH

Every time direction of exchange changes
- the sender picks a fresh ephemeral DH key
- send fresh ephemeral DH key to receiver
- Sender runs DH with previous ephemeral key of counterpart

How can we break DH Cryptography? How do we defeat this attack?

If we can compute discrete logarithm, we can break DH
- We need DLP to be hard by choosing the size and order

Define IND-CPA security

Indistinguishability against chosen plaintext attacks
- Generate a keypair and give public key to adversary
- Adversary algorithm 1: Runs with public key and outputs different plaintexts that have the same length (because encryption leaks info about the size), Encrypt the plaintext, obtain ciphertext
- Adversary algorithm 2: Returns a value z which is output of game (st is a state variable that can be passed from algorithm 1 to 2)

Does this algorithm give polynomial time complexity for an attacker?

No, although NxS would be pretty large if N and S are both very large numbers

Does Semi-static DH have forward secrecy?

No, because Alice's secret can leak, which would allow for the communications between Alice and Bob to leak

4 - Boneh-Lynn-Shacham (BLS Signature)

Proposed as digital signature with shortest possible signature value. Uses elliptic curve pairing
- v is the public key, x is the secret key
- Signature is H(M)^x
- To verify the signature, we use a pairing. We compare these pairings to verify the signature

What is future secrecy?

Protects future sessions against compromises of current ephemeral secret keys

What is forward secrecy?

Protects past sessions against future compromises of long-term secret keys

Why does this signature provide security?

The discrete logarithm problem is hard

Describe IND-CCA Security

The same as before, but the adversaries have access to decryption oracles
- Second one isn't allowed to use the same ciphertext that it is trying to encrypt

What is the issue with deterministic encryption with the prior security notions?

The second adversary could just encrypt p0 and p1 and determine which is correct. This is because the ct would not be randomized

Here is a meta-comparison of cryptographic strengths

These are different studies comparing different cryptographic techniques
- hash length 2x key length in symmetric crypto
- order of group length should be 2x symmetric key length
- RSA modulus length or p length should follow these tables
NOTE: The following columns
- DL: right column is length of p, left column is length of order of subgroup. Length of p same as RSA. Length of order of subgroup about 2x symmetric
- EC: bitlength of order of elliptic curve (2x length of symmetric key)
- RSA: N

Describe the static variant

They do not need to exchange parameters

How does a ratchet provide future secrecy?

We change keys often in a way that cannot go backward

4 - How was RSA's trapdoor permutation used to sign messages?

We sign the message with the inverse permutation (using the secret key)
- receiver uses the permutation and checks if matches the message
NOTE: this is signature with message recovery

Describe the second ratchet

When we send multiple messages in the same direction, we have a symmetric ratchet

1 - Does RSA have homomorphic properties? If so, what?

Yes - Enc(ab) = Enc(a)Enc(b)

