Introduction to Cryptography

(1)

Pascal Lafourcade

ESC January 2021

(2)

Introduction to Cryptography Historic of Cryptography

Outline

Historic of Cryptography

Partial and Full Homomorphic Encryption Security Properties

ZKP Conclusion

(3)

Art to hide written secret

Steganography Cryptography

Transposition Substitution

Code

Encryption

(4)

Art to hide written secret

Steganography

Cryptography

Code

Encryption

(5)

Art to hide written secret

Code

Encryption

(6)

Art to hide written secret

Transposition

Substitution

Code

Encryption

(7)

Art to hide written secret

Code

Encryption

(8)

Art to hide written secret

Code

Encryption

(9)

Art to hide written secret

Cryptography

Code

Encryption

(10)

Applications

(11)

Long time ago

(12)

Grecks and Scythale

Transposition

(13)

Grecks and Scythale

Transposition

(14)

Romans

Caesar Encryption Substitution +3

Dyh Fhvdu Ave Cesar

(15)

Romans

Dyh Fhvdu

Ave Cesar

(16)

Romans

Dyh Fhvdu Ave Cesar

(17)

Is it secure ?

Frequence Analysis

(18)

Is it secure ?

Frequence Analysis

(19)

Substitution polyalphabetic (Alberti, Vigen` ere 1553)

Example with the key k = 3,7,10

m = CON NAI TRE

E_k(m) = FVX QHS WYO

(20)

Substitution polyalphabetic (Alberti, Vigen` ere 1553)

Example with the key k = 3,7,10

m = CON NAI TRE E_k(m) = FVX QHS WYO

(21)

Kerchoff’s Principle

In 1883, a Dutch linguist Auguste Kerchoff von Nieuwenhof stated in his book “La Cryptographie Militaire” that:

“the security of a crypto-system must be totally dependent on the secrecy of the key, not the secrecy of the algorithm.”

Author’s name sometimes spelled Kerckhoff

(22)

Encryption : Enigma (Second World War)

+ =

+ + + + + + + =

(23)

Encryption : Enigma (Second World War)

+ =

+ + + + + + + =

(24)

Encryption : Enigma (Second World War)

+ =

+ + + + + + + =

(25)

Encryption : Enigma (Second World War)

+ =

+ + + + + + + =

(26)

Encryption : Enigma (Second World War)

+ =

+ + + + + + + =

(27)

One-Time Pad (Vernam 1917)

Example:

m = 010111 k = 110010 c = 100101

(28)

Shannon’s Principle 1949

Confusion

The purpose of confusion is to make the relation between the key and the ciphertext as complex as possible.

Ciphers that do not offer much confusion (such as Vigenere cipher) are susceptible to frequency analysis.

Diffusion

Diffusion spreads the influence of a single plaintext bit over many ciphertext bits.

The best diffusing component is substitution (homophonic) Principle

A good cipher design uses Confusion and Diffusion together

(29)

Shannon’s Principle 1949

Confusion

Diffusion

The best diffusing component is substitution (homophonic)

Principle

(30)

Shannon’s Principle 1949

Confusion

Diffusion

The best diffusing component is substitution (homophonic) Principle

(31)

Introduction to Cryptography Introduction to Cryptography

Outline

Historic of Cryptography Introduction to Cryptography

ZKP Conclusion

(32)

c o n c l

(33)

Symmetric Encryption

encryption decryption

Clef symétrique Clef symétrique

Examples

I Caesar, Vigen`ere

I One Time Pad (OTP) c =m⊕k I Data Encryption Standard (DES) 1976

(34)

Phone Communications

(35)

Public Key Encryption

encryption decryption

Clef publique

Clef privée

Examples

I RSA (Rivest Shamir Adelmman 1977): c =m^e mod n I ElGamal (1981) : c ≡(g^r,h^r ·m)

(36)

Comparaison

I Size of the key

I Complexity of computation (time, hardware, cost ...) I Number of different keys ?

I Key distribution

I Signature only possible with asymmetric scheme

(37)

Computational cost of encryption

2 hours of video (assumes 3Ghz CPU)

DVD 4,7 G.B Blu-Ray 25 GB Schemes encrypt decrypt encrypt decrypt RSA 2048(1) 22 min 24 h 115 min 130 h RSA 1024(1) 21 min 10 h 111 min 53 h AES CTR(2) 20 sec 20 sec 105 sec 105 sec

(38)

ElGamal Encryption Scheme

Key generation: Alice chooses a prime numberp and a group generator g of (Z/pZ)^∗ anda∈(Z/(p−1)Z)^∗.

Public key: (p,g,h), where h=g^a mod p.

Private key: a

Encryption: Bob chooses r ∈_R (Z/(p−1)Z)^∗ and computes (u,v) = (g^r,Mh^r)

Decryption: Given (u,v), Alice computes M ≡_p _u^va

Justification: _u^va = ^Mh_gra^r ≡_p M

Remarque: re-usage of the same random r leads to a security flaw:

M1h^r

M₂h^r ≡_p M1

M₂

Practical Inconvenience: Cipher is twice as long as plain text.

(39)

Hash Function (SHA-256, SHA-3)

Security properties I Pr´e-image Resistance

I Second Pr´e-image Resistance I Collision Resistance

I Unkeyed Hash function: Integrity

I Keyed Hash function (Message Authentication Code): Authentification

(40)

Hash Function (SHA-256, SHA-3)

(41)

Hash Function (SHA-256, SHA-3)

I Second Pr´e-image Resistance

I Collision Resistance

(42)

Hash Function (SHA-256, SHA-3)

I Keyed Hash function (Message Authentication Code):

Authentification

(43)

Software Installation

H( )

Integrity of the downloaded file.

22 / 59

(44)

MD5, MD4 and RIPEMD Broken

MD5(james.jpg)= e06723d4961a0a3f950e7786f3766338

MD5(barry.jpg) = e06723d4961a0a3f950e7786f3766338

How to Break MD5 and Other Hash Functions, by Xiaoyun Wang, et al.

MD5 : Average run time on P4 1.6ghz PC: 45 minutes

MD4 and RIPEMD : Average runtime on P4 1.6ghz: 5 seconds

(45)

MD5, MD4 and RIPEMD Broken

MD5(james.jpg)= e06723d4961a0a3f950e7786f3766338 MD5(barry.jpg) = e06723d4961a0a3f950e7786f3766338

How to Break MD5 and Other Hash Functions, by Xiaoyun Wang, et al.

(46)

SHA-1 broken in 2017 shattered.io

M. Stevens, P. Karpman, E. Bursztein, A. Albertini, Y. Markov

(47)

SHA-1 broken in 2017 shattered.io

(48)

SHA-1 broken in 2017 shattered.io

(49)

SHA-1 broken in 2017 shattered.io

(50)

Signature

signature

secret key public key

verification

Clef privée

Clef publique

RSA:m^d modn

(51)

Signature

signature

secret key public key

verification

Clef privée

Clef publique

(52)

Application : avoid to “fraude au pr´ esident”

I In 2010 >485 billions of euros I In 5 years 2.300 court cases

Solution :

(53)

Application : avoid to “fraude au pr´ esident”

Solution :

(54)

Application : avoid to “fraude au pr´ esident”

Solution :

(55)

Broadcast encryption (Fiat-Noar 1994)

The sender can select the target group of receivers to control who access to the data like in PAYTV

(56)

Functional encryption [Boneh-Sahai-Waters 2011]

The user generates sub-keysK_y according to the inputy to control the amount of shared data.

FromC =Encrypt(x), then Decrypt(Ky,C), outputsf(x,y)

(57)

Partial and Full Homomorphic Encryption

Outline

Security Properties ZKP

Conclusion

(58)

Fully Homomorphic Encryption [Gentry 2009]

(59)

Fully Homomorphic Encryption [Gentry 2009]

FHE: encrypt data, allow manipulation over data.

Symmetric Encryption (secret key) is enough

f({x₁}_K,{x₂}_K, . . . ,{x_n}_K) ={f(x1,x2, . . . ,xn)}_K I Allows private storage

I Allows private computations

(60)

Rivest Adleman Dertouzos 1978

“Going beyond the storage/retrieval of encrypted data by permitting encrypted data to be operated on for interesting operations, in a public fashion?”

(61)

Partial Homomorphic Encryption

Definition (additively homomorphic)

E(m1)⊗E(m2)≡E(m1⊕m2).

Applications

I Electronic voting

I Secure Fonction Evaluation

I Private Multi-Party Trust Computation I Private Information Retrieval

I Private Searching

I Outsourcing of Computations (e.g., Secure Cloud Computing)

(62)

Brief history of partially homomorphic cryptosystems

Enc(a,k)∗Enc(b,k) =Enc(a∗b,k)

Year Name Security hypothesis Expansion

1977 RSA factorization

1982 Goldwasser - Micali quadratic residuosity log₂(n)

1994 Benaloh higher residuosity >2

1998 Naccache - Stern higher residuosity >2

1998 Okamoto - Uchiyama p-subgroup 3

1999 Paillier composite residuosity 2

2001 Damgaard - Jurik composite residuosity ^d+1_d 2005 Boneh - Goh - Nissim ECC Log

2010 Aguilar-Gaborit-Herranz SIVP integer lattices Expansion factor is the ration ciphertext over plaintext.

(63)

Scheme Unpadded RSA

If the RSA public key is modulusmand exponent e, then the encryption of a messagex is given by

E(x) =x^e modm

E(x₁)· E(x₂) = x₁^ex₂^e mod m

= (x₁x₂)^e mod m

= E(x₁·x₂)

(64)

Scheme ElGamal

In the ElGamal cryptosystem, in a cyclic groupG of order q with generatorg, if the public key is (G,q,g,h), where h=g^x andx is the secret key, then the encryption of a messagem is

E(m) = (g^r,m·h^r), for some randomr ∈ {0, . . . ,q−1}.

E(m₁)· E(m₂) = (g^r¹,m1·h^r¹)(g^r²,m2·h^r²)

= (g^r¹^+r²,(m1·m2)h^r¹^+r²)

= E(m₁·m₂)

(65)

Fully Homomorphic Encryption

Enc(a,k)∗Enc(b,k) =Enc(a∗b,k) Enc(a,k) +Enc(b,k) =Enc(a+b,k) f(Enc(a,k),Enc(b,k)) =Enc(f(a,b),k) Fully Homomorphic encryption

I Craig Gentry (STOC 2009) using lattices

I Marten van Dijk; Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan using integer

I Craig Gentry; Shai Halevi. ”A Working Implementation of

(66)

Simple SHE: SGHV Scheme [vDGHV10]

Public error-free element : x₀ =q₀·p Secret keysk =p

Encryption ofm∈ {0,1}

c =q·p+ 2·r+m whereq is a large random andr a small random.

Decryption ofc

m= (c modp) mod 2

(67)

Simple SHE: SGHV Scheme [vDGHV10]

Public error-free element : x₀ =q₀·p Secret keysk =p

Encryption ofm∈ {0,1}

c =q·p+ 2·r+m whereq is a large random andr a small random.

Decryption ofc

m= (c modp) mod 2

(68)

Introduction to Cryptography Security Properties

Outline

ZKP Conclusion

(69)

Traditional security properties

I Common security properties are:

- Confidentiality or Secrecy: No improper disclosure of information

- Authentification: To be sure to talk with the right person.

disclosure of information

- Integrity: No improper modification of information

- Availability: No improper impairment of functionality/service

(70)

Authentication

(71)

Mechanisms for Authentication

Strong authenticationcombines multiple factors:

(72)

Other security properties

I Non-repudiation (also calledaccountability) is where one can establish responsibility for actions.

I Fairness is the fact there is no advantage to play one role in a protocol comparing with the other ones.

I Privacy

Anonymity: secrecy of principal identities or communication relationships.

Pseudonymity: anonymity plus link-ability.

Data protection: personal data is only used in certain ways.

(73)

Example: e-voting

I An e-voting system should ensure that I only registered voters vote,

I each voter can only vote once, I integrity of votes,

I privacy of voting information (only used for tallying), and I availability of system during voting period

(74)

Introduction to Cryptography ZKP

Outline

ZKP Conclusion

(75)

Idea of Zero Knowledge Proof

Prover (P)

(P) convinces (V) that it knows something without revealing any information

Verifier (V)

Applications:

I Authentication systems: prove its identity to someone using a password without reavealing anything about the secret. I Prove that a praticipant behavior is correct according to the

protocol (e.g. integrity of ballots in vote).

I Group signature, secure multiparty computation, e-cash ...

(76)

Idea of Zero Knowledge Proof

Prover (P)

(P) convinces (V) that it knows something without revealing any information

Verifier (V) Applications:

I Authentication systems: prove its identity to someone using a password without reavealing anything about the secret.

I Prove that a praticipant behavior is correct according to the protocol (e.g. integrity of ballots in vote).

I Group signature, secure multiparty computation, e-cash ...

(77)

Cave example (0)

Door with a secret code

(78)

Cave example (I)

V waits outside while P chooses a path

(79)

Cave example (II)

V enters and shouts the name of a path

(80)

Cave example (III)

P returns along the desired path (using the secret if necessary)

A= “P does not know the secret” is equivalent to say “P is lucky”

Pr[A] = 1 2 Afterk tries,

Pr[A] = (1 2)^k

A= “P knows the secret”, then Pr[A] = 1−Pr[A] = 1−(1

2)^k

(81)

Cave example (III)

P returns along the desired path (using the secret if necessary) A= “P does not know the secret”

is equivalent to say “P is lucky”

Pr[A] = 1 2

Afterk tries,

Pr[A] = (1 2)^k

2)^k

(82)

Cave example (III)

Pr[A] = (1 2)^k

2)^k

(83)

Cave example (III)

Pr[A] = (1 2)^k

A= “P knows the secret”, then

(84)

Graph 3-coloring is NP-complete: • • •

1 2

3 4

5

6 7

8

9

10

Petersen graph

(85)

Graph 3-coloring is NP-complete: • • •

1 2

3 4

5

6 7

8

9

10

(86)

P wants to prove to V his 3-coloring of G = (E , V )

P selects a permutationπ of the 3 colors.

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

Chooses∀u∈V,r_u

→ ∀u ∈V,eu =H(π(c(u))||r_u)→

←−u_i,u_j ←−

−→r_u_i,r_u_j, π(c(u_i)), π(c(v_j))−→ V accepts, ifeu_i =H(π(c(u_i))||r_u_i) and

e_u_j =H(π(c(u_j))||r_u_j) Choosesi andj

(87)

P wants to prove to V his 3-coloring of G = (E , V )

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

→ ∀u ∈V,eu=H(π(c(u))||r_u)→

←−u_i,u_j ←−

−→r_u_i,r_u_j, π(c(u_i)), π(c(v_j))−→ V accepts, ife_u_i =H(π(c(u_i))||r_u_i) and

(88)

P wants to prove to V his 3-coloring of G = (E , V )

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

Chooses∀u ∈V,r_u

→ ∀u ∈V,eu=H(π(c(u))||r_u)→

←−u_i,u_j ←−

(89)

P wants to prove to V his 3-coloring of G = (E , V )

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

→ ∀u ∈V,eu=H(π(c(u))||r_u)→

←−u_i,u_j ←−

e_u_j =H(π(c(u_j))||r_u_j)

(90)

P wants to prove to V his 3-coloring of G = (E , V )

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

→ ∀u ∈V,eu=H(π(c(u))||r_u)→

←−u_i,u_j ←−

e_u_j =H(π(c(u_j))||r_u_j)

Choosesi andj

(91)

P wants to prove to V his 3-coloring of G = (E , V )

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

→ ∀u ∈V,eu=H(π(c(u))||r_u)→

←−u_i,u_j ←−

−→r_u_i,r_u_j, π(c(u_i)), π(c(v_j))−→

V accepts, ife_u_i =H(π(c(u_i))||r_u_i) and e_u_j =H(π(c(u_j))||r_u_j)

(92)

P wants to prove to V his 3-coloring of G = (E , V )

π(

1 2

4 3 5

6 7

8 9

10

)=

1 2

4 3 5

6 7

8 9

10

→ ∀u ∈V,eu=H(π(c(u))||r_u)→

←−u_i,u_j ←−

−→r_u_i,r_u_j, π(c(u_i)), π(c(v_j))−→

V accepts, ife_u_i =H(π(c(u_i))||r_u_i) and

e_u =H(π(c(u_j))||r_u) Choosesi andj

(93)

Schnorr Protocol, 1991

LetG_q a cyclic group of orderq with a public generatorg Goal

P wants to prove the knowledge ofx, where y=g^x

Chooses a randomr

−→t=g^r −→

←−c ←−

−→s =r+x·c −→

V accepts, ift·y^c =g^s Chooses a randomc t·y^c =g^r ·(g^x)^c =g^r^+x·c =g^s

(94)

Schnorr Protocol, 1991

Chooses a randomr

−→t=g^r −→

←−c ←−

−→s =r+x·c −→

(95)

Schnorr Protocol, 1991

Chooses a randomr

−→t =g^r −→

←−c ←−

−→s =r+x·c −→

(96)

Schnorr Protocol, 1991

Chooses a randomr

−→t =g^r −→

←−c ←−

−→s =r+x·c −→ V accepts, ift·y^c =g^s

Chooses a randomc

t·y^c =g^r ·(g^x)^c =g^r^+x·c =g^s

(97)

Schnorr Protocol, 1991

Chooses a randomr

−→t =g^r −→

←−c ←−

−→s =r+x·c −→ V accepts, ift·y^c =g^s

Chooses a randomc

(98)

Schnorr Protocol, 1991

Chooses a randomr

−→t =g^r −→

←−c ←−

−→s =r+x·c −→

V accepts, ift·y^c =g^s

Chooses a randomc

(99)

Schnorr Protocol, 1991

Chooses a randomr

−→t =g^r −→

←−c ←−

−→s =r+x·c −→

V accepts, ift·y^c =g^s Chooses a randomc

(100)

Schnorr Protocol, 1991

Chooses a randomr

−→t =g^r −→

←−c ←−

−→s =r+x·c −→

V accepts, ift·y^c =g^s Chooses a randomc t·y^c =g^r ·(g^x)^c =g^r+x·c =g^s

(101)

Introduction to Cryptography Conclusion

Outline

ZKP Conclusion

(102)

Today

1. Historic of Cryprography 2. Cryptographic primitives 3. Properties security

(103)

Ron Rivest

“Once you have something on the Internet, you are telling the world, please come hack me.”