Cryptography for Networks III
Pierre-Louis Cayrel
CASED [email protected]
Network Security (NetSec)
Pierre-Louis CAYREL Crypto for Network Security 1/90
Crypto for Networks
▶ 9 half hours over three weeks
(22/04/2010, 28/04/2010 and05/05/2010)
▶ Topics
▶ intro to crypto and private key encryption
▶ intro to public key crypto
▶ signature scheme
▶ certificates - authentication
▶ key distribution
▶ pitfalls
▶ hash function, PKI
▶ other Public Key Systems
▶ my own research
Part 7
Hash-function / PKI
11. Ali Aydin Selcuk slides
Pierre-Louis CAYREL Crypto for Network Security 3/90
Cryptographic Hash Functions
▶ Maps an arbitrary length input to a fixed-size output.
▶ Was originally proposed to generate input to digital signatures.
▶ Desirable features :
▶ one-way (preimage and second preimage resistant) There are two types of preimage attacks :
▶ First preimage attack : given a hashh,find a messagemsuch that hash(m) =h.
▶ Second preimage attack : given a fixed messagem1,find a different messagem2such thathash(m2) =hash(m1).
▶ pseudorandom
▶ collision resistant
Collision Resistance
▶ Birthday Problem (”paradox”) : When √
N or more are chosen randomly from a domain ofN,there is a significant chance of collision.
▶ Hence, output size≥128 bits is desirable.
▶ But why ”collision resistance”? (i.e., not just one-wayness ?)
▶ A chosen p.t. attack : Trudy is Alice’s secretary.Generates two opposite messages, each with 232 different ways of putting it.
▶ Repudiation : Alice generates two different messages and signs one of them. Later, she denies her signature and claims she in fact signed the other one.
Pierre-Louis CAYREL Crypto for Network Security 5/90
Internals of a Hash Function
▶ Merkle-Damgard construction :
▶ A fixed-size ”compression function”.
▶ Each iteration mixes an input block with the prev. output.
▶ Design :
▶ Lots of operations (rotations,⊕, +, ...).
▶ More of them are added if a weakness is found.
▶ ”Alchemy”.
Some Popular Hash Algorithms
▶ MD5 (Rivest)
▶ 128-bit output
▶ SHA-1 (NIST-NSA)
▶ US gov std ; 160-bit output
▶ RIPEMD-160
▶ Euro. RIPE project ; 160-bit
▶ NIST SHA-3 competition
▶ 51 submissions (2008)
▶ 14 semi-finalists (2009)
▶ 5 finalists (2010)
▶ winner (2011)
Algorithm Speed (MBytes/s)
MD5 205
SHA-1 205
RIPEMD-160 51
Pierre-Louis CAYREL Crypto for Network Security 7/90
Things to Do with a Hash Function
▶ Hash long messages for signing
▶ Authentication protocols
▶ Stream ciphers
▶ Block ciphers
▶ MACs
▶ . . .
Authentication Confirms an Identity
▶ Challenge-response authentication protocol :
▶ Hash is used instead of encryption and decryption
Pierre-Louis CAYREL Crypto for Network Security 9/90
Stream Cipher
Oi:=Outputi,Ci:=Cipheri,Pi:=Plaintexti
▶ CFB Cipher feedback :
Oi =H(K∣∣Ci−1) Ci=Pi⊕Oi Pi=Ci⊕Oi
▶ OFB Output feedback :
Oi =H(K∣∣Oi−1) Ci=Pi⊕Oi Pi=Ci⊕Oi
▶ CTR Counter :
C =P ⊕H(K∣∣IV +i)
Public Key Infrastructures
Pierre-Louis CAYREL Crypto for Network Security 11/90
Public Key Infrastructure
▶ CA system to securely distribute and manage public keys.
▶ Important for wide-area trust management (e.g., for e-commerce)
▶ Ideally consists of
▶ a certification authority
▶ certificate repositories
▶ a certificate revocation mechanism (CRLs, etc.)
▶ Many models possible : monopoly, oligarchy, anarchy, etc.
Monopoly Model
▶ Single organization is the CA for everyone
▶ Shortcomings :
▶ no such universally-trusted organization
▶ requires everyone to authenticate physically with the same CA
▶ compromise recovery is difficult (due to single embedded public key)
▶ once established, CA can abuse its position (excessive pricing, etc.)
▶ requires perfect security at CA
Pierre-Louis CAYREL Crypto for Network Security 13/90
Monopoly with Registration Authorities
▶ CA trusts other organizations (RAs) to check identities, do the initial authentication
▶ Solves the problem of physically meeting the CA. Other problems remain.
▶ RAs can be incorporated into other models too
Delegated CAs
▶ Root CA certifies lower-level CAs to certify others
▶ All verifiers trust the root CA and verify certificate chains beginning at the root (i.e., the root CA is the trust anchor of all verifiers)
▶ E.g., a national PKI, where a root CA certifies institutions, ISPs, universities who in turn certify their members
▶ Limitations are similar to monopoly with RAs
Pierre-Louis CAYREL Crypto for Network Security 15/90
Oligarchy
▶ Many root CAs exists trusted by verifiers
▶ The model of web security
▶ Solves the problems of single authority (e.g., excessive pricing)
▶ Disadvantages :
▶ nsecurity-sensitive sites instead of one. Compromise of any one compromises the whole system
▶ users can easily be tricked into trusting fake CAs. (depending on implementation)
Anarchy
▶ Each user decides whom to trust and how to authenticate their public keys
▶ Certificates issued by arbitrary parties can be stored in public databases, which can be searched to find a path of trust to a desired party
▶ Works well for informal, non-sensitive applications (e.g., PGP)
Pierre-Louis CAYREL Crypto for Network Security 17/90
Revocation
▶ Mechanisms to cancel certificates compromised before expiration
▶ Certificate Revocation List (CRL) : list of revoked certificates, published periodically by the CA
▶ Delta CRLs : Only the changes since the last issue are published
▶ Online Revocation Servers : No CRL is published. Verifier queries a central server to check if a certificate has been revoked.
Finding Certificate Chains
▶ Can be started with the subject sending its certificates to the verifier (e.g., SSL)
▶ A directory naming structure can be followed (e.g., DNSsec)
Pierre-Louis CAYREL Crypto for Network Security 19/90
Part 8
Other Public Key Systems
2Merkle-Hellman Knapsack System
▶ Merkle and Hellman, 1978
▶ SubsetSum
▶ Instance : IntegersS={s1,s2, ...,sn},N.
▶ Question : DoesS′⊂Sexist such that∑
n∈S′n=N?
▶ Fact : SubsetSum is NP-complete
▶ Superincreasing Set : si >
i−1
∑
j=1
sj ∀i= 2,3, . . . ,n.
▶ Fact : Superincreasing SubsetSum is easy
Pierre-Louis CAYREL Crypto for Network Security 21/90
Merkle-Hellman Knapsack Encryption
▶ Parameters :
▶ S={s1,s2, ...,sn}, a superincreasing list of integers
▶ p,a prime,>∑
isi
▶ 1≤a≤p−1,the masking factor
▶ T ={ti :ti =asi modp}
▶ T public ;S,a,psecret
▶ Encryption : For x= (x1,x2, . . . ,xn)∈ {0,1}n, y =E(x) =∑
i
xiti
▶ Decryption :
▶ z=a−1y modp(de-masking)
▶ solvez=∑
ixisi
Limitations of the Knapsack Systems
▶ Merkle-Hellman was broken by Shamir, 1982.
▶ Many variations proposed ; almost all are broken (inc. Shamir’s signature scheme).
▶ Limitations of the NP-completeness approach :
▶ NP-c deals with the worst-case complexity. More meaningful is the average-case (or, almost-all-case) complexity.
Pierre-Louis CAYREL Crypto for Network Security 23/90
ElGamal - Encryption
▶ Parameters :
▶ p,a large prime
▶ g,a generator ofℤ∗p
▶ 𝜆∈ℤp−1, 𝛽=g𝛼 modp
▶ p,g, 𝛽 public ;𝛼private
▶ Encryption :
▶ generate random, secretk∈ℤp−1.
▶ E(x,k) = (r,s),wherer=gk modp ands=x𝛽k modp
▶ Decryption :
▶ D(r,s) =s(r𝛼)−1 modp=xg𝛼kg−𝛼k modp=x.
ElGamal - Encryption
▶ Plaintextx is masked by a random factor,g𝛼k modp.
▶ DH problem : Giveng𝛼,gk modp,what isg𝛼k modp?
▶ p,g can be common. Thengk modp can be computed in advance.
▶ Samek should not be used repeatedly.
▶ Performance :
▶ encryption : two exponentiations
▶ decryption : one exponentiation, one inversion
▶ Size : Ciphertext twice as large as plaintext.
Pierre-Louis CAYREL Crypto for Network Security 25/90
ElGamal - Signature
▶ Parameters : The same as encryption.
▶ Signature :
▶ generate random, secretk∈ℤ∗p−1.
▶ S(m,k) = (r,s),wherer=gk modpands= (m−r𝛼)k−1 mod (p−1) (i.e.,m=r𝛼+sk)
▶ Verification :
▶ is𝛽rrs=gm modp?
▶ 𝛽rrs=g𝛼rgk(m−r𝛼)k−1 =g𝛼r+(m−r𝛼)=gm modp.
ElGamal - Signature
▶ Security :
▶ Only one who knows𝛼can sign ; can be verified by𝛽.
▶ Solving𝛼from𝛽,ors fromr,m, 𝛽,is discrete log.
▶ Other ways of forgery ? Unknown.
▶ Samek should not be used repeatedly.
▶ Variations :
▶ Many variants, by changing the ”signing equation”,m=r𝛼+sk.
▶ E.g., the DSA way :m=−r𝛼+sk with verification :𝛽rgm=rs modp?(=gm+r𝛼)
Pierre-Louis CAYREL Crypto for Network Security 27/90
Digital Signature Algorithm (DSA)
▶ US government standard, by NSA.
▶ Based on ElGamal :
▶ patent-free
▶ can’t be used for encryption
▶ Objections :
▶ ElGamal not analyzed as much as RSA
▶ slower verification
▶ industry had already invested in RSA
▶ closed-door design
Elliptic Curve Cryptosystems
▶ Generalized Discrete Log Problem :
▶ For any group (G,∙),forx∈G,definexn=x∙x∙...∙x (ntimes)
▶ DLP : Fory =xn,givenx,y,what isn?
▶ Elliptic curves overℤp :
▶ Set of points (x,y)∈ℤp×ℤp that satisfy y2=x3+ax+b modp
and an additional point of infinity, 0.
▶ Group operation :P∙Q is the inverse of where the line thruP and Q intersects the curve. (inverse ofP= (x,y) is defined as
P−1= (x,−y).)
Pierre-Louis CAYREL Crypto for Network Security 29/90
Elliptic Curve Cryptosystems
Elliptic curve example overℝ2
Elliptic Curve Cryptosystems
▶ Facts for an EC over a finite field :
▶ Exponentiation is efficient.
▶ DLP is hard. In fact, harder than inℤp.(no sub-exponential algorithm is known)
▶ Hence, DH, ElGamal, etc. can be used with smaller key sizes over ECs. (160-bit EC≈1024-bit RSA)
▶ Popular for constrained devices (e.g., smart cards)
▶ Advantages over RSA :
▶ smaller key size
▶ compact in hardware
▶ faster (for private key operations)
▶ Licensed by NSA.
Pierre-Louis CAYREL Crypto for Network Security 31/90
NTRU
▶ Hoffstein, Pipher, Silverman, 1996.
▶ Based on the ”Lattice Reduction Problem”.
▶ Extremely fast : 20-2000x RSA (the more limited the device, the larger the difference)
▶ Extremely compact in hardware
▶ Security : Ok (no known weaknesses)
▶ Popular for constrained devices (smart cards, RFIDs, etc.)
▶ Supported by Sony, TI, etc.
ID-Based PKC Systems
▶ Idea : Is a scheme possible where Alice’s public key is her ID ?
▶ Would solve the problem of authenticating a public key received.
▶ Question : But if anyone can derive the public key from the ID, can’t they derive the private key as well ?
▶ Support from a trusted ”private key generator”.
▶ Private keys are generated from a unique secret S known by PKG.
▶ Users know a one-way function of S, sufficient for public key generation.
▶ Practical schemes exist for signature (Shamir) and encryption (Boneh-Franklin).
Pierre-Louis CAYREL Crypto for Network Security 33/90
Summary
Scheme Hard problem Pros Cons
Merkle-Hellman knapsack broken
RSA factorisation widely used PQ insecure El Gamal discrete log pb well studied costly operations
DSA discrete log patent-free slow verif
Elliptic curve discrete log small key PQ insecure NTRU lattice pb PQ secure, fast security not so clear McEliece code pb PQ secure, fast key size
Part 9
my own research
Pierre-Louis CAYREL Crypto for Network Security 35/90
My co-workers :
In Darmstadt :
▶ Robert Niebuhr, Mohammed Meziani, Mohamed El Yousfi (Darmstadt)
▶ Rosemberg Silva (Unicamp)
▶ Markus Ruckert, Richard Lindner (Darmstadt)
▶ Falko Strenzke (FlexSecure) In the rest of the world :
▶ Philippe Gaborit, Carlos Aguilar Melchor, Pierre Dusart (Univ.
Limoges)
▶ Fabien Laguillaumie, Ayoub Otmani (Univ Caen)
▶ Damien Vergnaud (ENS)
▶ Pascal V´eron (Univ. Toulon)
▶ Paulo Barreto, Rafael Misoczki (Univ. Sao Paulo)
▶ David Galindo (Univ. Luxembourg)
Error-correcting codes
▶ make possible the correction of errors when the communication is done on a noisy channel.
▶ we addredundancyto the information transmitted.
Noise
↓e
c= m r −→ Channel −→y=c+e
▶ by correcting the errors when the message is corrupted.
▶ stronger than a control of parity, they can detect and correct errors.
We use them :
▶ DVD,CD : reduce the effects of dust ...
▶ Phone : improve the quality of the communication.
▶ cryptography ?
Pierre-Louis CAYREL Crypto for Network Security 37/90
Linear codes :
▶ most used in error correction
▶ error correcting codes for which redundancy depends linearly on the information
▶ can be defined by a generator matrix :
▶ c is a word of the code𝒞 if and only if :
Figure:G : generator matrix insystematic form
▶ rows ofG form a basis for the code𝒞.
Minimum distance
▶ TheHamming weightof a wordc is the number of non-zero coordinates.
▶ Theminimum distanced of a code is the smallest weight of a non-zero vector.
Pierre-Louis CAYREL Crypto for Network Security 39/90
Linear codes
▶ the code𝒞 is avector subspacewithdimensionk and withlenght n define byG.
▶ let denote𝒞[n,k,d] be a code of lengthn,with dimensionkand minimum distanced.
▶ the matrixG is of sizek×n.
The parity check matrix
▶ The usual scalar productx.y=∑n
i=1xiyi,defines thedual of a code :
𝒞⊥={y∈𝔽nq∣x.y = 0,∀x∈ 𝒞.}
Theparity check matrixH is orthogonal toG.
▶ it’s a (n−k)×nmatrix ;
▶ it’s the generator matrix of the dual ;
▶ the code𝒞 is the kernel ofH.
▶ c∈ 𝒞 if and only ifHc= 0.
▶ s=Hc′=Hc+He is thesyndrome of the error.
Pierre-Louis CAYREL Crypto for Network Security 41/90
Decode ?
▶ the transmitter sends c=mG,but the recipient receivesc′ =c+e.
▶ decode is findingcfromc′.
▶ Generally, we wish amaximum likelihood decoding
▶ find the word of the codecwho has the best probability of giving the word receivedc′.
▶ it depends on the channel and noise.
Syndrome decoding problem
1. Input.
H : matrix of size (n−k)×n x : vector of𝔽r2
w : integer
2. Problem.Does there exist a vectors of𝔽n2 of weightw such that : H⋅sT =x ?
▶ ProblemNP-complete
E.R. Berlekamp, R.J. McEliece and H.C. Van Tilborg
On the inherent intractability of certain coding problems.IEEE Transactions on Information Theory, 24(3), may 1978.
Pierre-Louis CAYREL Crypto for Network Security 43/90
Code based cryptosystems
▶ introduced at the same time than RSA by McEliece
▶ advantages :
▶ faster than RSA
▶ not based on number theory
▶ based onhard problem(syndrome decoding problem ...)
▶ disadvantages :
▶ size of public keys (few hundred bits...)
McEliece cryptosystem : basic idea
A public-key cryptosystem based on algebraic coding theory JPL DSN 1978.
▶ generate a code for which we have a decoding algorithm andG the generator matrix.
▶ this is theprivate key.
▶ transformG to obtainG′ which seems random.
▶ this is thepublic key.
▶ encrypt a message mby computing :
▶ c′=mG′+ewithea random error.
Pierre-Louis CAYREL Crypto for Network Security 45/90
McEliece cryptosystem Complexity
▶ Encryption : 𝒪(n2)
▶ Decryption :𝒪(n2)
▶ Size of key : kn
→ very fast system but public key very big : about 500000 bits for the original system !
Niederreiter scheme
Knapsack-type cryptosystems and algebraic coding theory Prob. Contr. Inform. Theory, 1986.
▶ Variation on the McEliece scheme, permits to improve certain parameters.
▶ Security equivalent to McEliece scheme.
▶ Private key :
▶ 𝒞 a [n,k,d] code which correctst errors,
▶ H a parity check matrix of𝒞,
▶ ak×k invertible matrixS,
▶ an×npermutation matrixP.
▶ Public key : H′ =SHP.
▶ Encryption : x→y =H′xT, withx of weightt.
▶ Decryption :decode y inz, thenzP−1gives x.
Pierre-Louis CAYREL Crypto for Network Security 47/90
Information Set Decoding
Information Set Decoding
Pierre-Louis CAYREL Crypto for Network Security 49/90
How to choose the weight for an optimal complexity ?
Works in progress
P. Barreto, P.-L. Cayrel, P. Gaborit, G. Hoffman and R.Niebuhr
▶ Implementation of the ISD for q-ary codes
▶ Describe bounds for q-ary ISD
▶ ISD with partial knowledge
▶ Complexity of ISD for QC and QD codes
▶ Identity-based Encryption scheme
Pierre-Louis CAYREL Crypto for Network Security 51/90
From cryptosystem to signature scheme
▶ PKC→signature.
▶ RSA yes
▶ McEliece and Niederreiter no directly
Code-based signature scheme
▶ Problem :McEliece and Niederreiter not invertible.
▶ if we takey ∈𝔽n2random and a code𝒞[n,k,d] for which we are able to decoded/2 errors, it is almost impossible to decodey in a word of𝒞.
▶ Solution :
▶ the hash value has to be decodable !
Pierre-Louis CAYREL Crypto for Network Security 53/90
CFS : idea
N. Courtois, M. Finiasz, N. Sendrier.How to Achieve une McEliece-Based Digital Signature Scheme. ASIACRYPT 2001 :157-174.
CFS : idea
N. Courtois, M. Finiasz, N. Sendrier.How to Achieve une McEliece-Based Digital Signature Scheme. ASIACRYPT 2001 :157-174.
Pierre-Louis CAYREL Crypto for Network Security 55/90
CFS signature scheme
▶ M the message to sign
▶ ha hash function with values in{0,1}n−k
▶ we searchs ∈𝔽n2of given weightt withh(M) =ℋsT
▶ let𝛾 be a decoding algorithm 1. i ←0
2. whileh(M∣i)is not decodable doi←i+ 1 3. computes=𝛾(h(M∣i))
Figure:CFS signature scheme
▶ signer sends{s,j} such thath(M∣j) =ℋsT
CFS signature scheme : choice of the codes
▶ we need a dense family of codes :Goppa codes
▶ binary Goppa codes [2m,2m−tm,2t+ 1]
▶ t small
▶ the probability for a random element to be decodable (in a ball of radiust centered on the codewords) is≈t!1
▶ we taken= 2m,m= 16,t = 9.
▶ we have 1 chance over 9! = 362880 to have a decodable word.
Pierre-Louis CAYREL Crypto for Network Security 57/90
CFS signature scheme : parameters
signature cost t!t2m3 12×1011 op.
signature lenght (t−1)×m+log2t 131 bits
verification cost t2m 1 296 op.
PK size tm2m 9 Mbits
cost of ISD attack 2tm(1/2 +o(1)) ≈280
▶ cons :
▶ decode several words (t!) before to find a good one
▶ 70 times slower than RSA
▶ t small leads to very big parameters
▶ public key of 9 Mbits
▶ Recently a General Birthday like attack was proposed against this scheme and new parameters where given :m= 19,t = 11.
Works in progress
P. Barreto, P.-L. Cayrel, K. Kobara, G. Hoffman, R. Misoczki and R.Niebuhr
▶ Find a dense family of compact codes (QD Goppa codes) ;
▶ Improve the decoding algorithm (Patterson algorithm for QD Goppa codes).
Pierre-Louis CAYREL Crypto for Network Security 59/90
Stern identification scheme
J. Stern.A new identification scheme based on syndrome decoding.Crypto 93, Lecture Notes in Computer Science 773 (1993), Springer-Verlag, 13-21.
▶ zero-knowledge,
▶ the security is based on the syndrome decoding problem.
The protocol
▶ generate arandommatrixℋof size (n−k)×n
▶ we choose an integert which is the weight
▶ this is thepublic key (ℋ,t)
▶ each user receive s ofnbits and weightt.
▶ this is thesecret key
▶ each user compute :i=ℋsT.
▶ justonceforℋfixed
▶ i ispublic
▶ Awants to prove toB that she knows the secret but she doesn’t want to divulgate it.
▶ The protocol is onr rounds and each of them is defined as follows :
Pierre-Louis CAYREL Crypto for Network Security 61/90
1. Achosey ofnbitsrandomly and a permutation𝜎of{1,2, . . . ,n}.
Asends to B:c1,c2,c3such that :
c1=h(𝜎∣ℋyT);c2=h(𝜎(y));c3=h(𝜎(y⊕s)) 2. B sends toAa randomb∈ {0,1,2}.
3. Three possibilities :
3.1 ifb= 0 :Arevealsy and𝜎 3.2 ifb= 1 :Areveals (y⊕s) and𝜎 3.3 ifb= 2 :Areveals𝜎(y) and𝜎(s) 4. Three possibilities :
4.1 ifb= 0 :Bchecks thatc1,c2are correct 4.2 ifb= 1 :Bchecks thatc1,c3are correct
▶ forc1we can notice that :
ℋyT=ℋ(y⊕s)T⊕i
4.3 ifb= 2 :Bchecks thatc2,c3are correct and that𝜎(s) is of weightt
Analysis
▶ for each round : probability to cheat is 23.
▶ for a security of 2180,we need 150 rounds.
▶ the norm ISO/IEC-9798-5 proposes two probabilities : 2−16 and 2−32
▶ 28 and 56 rounds.
Pierre-Louis CAYREL Crypto for Network Security 63/90
Dual construction :
1. Achosey ofnbitsrandomly and a permutation𝜎of{1,2, . . . ,n}.
Asends to B:c1,c2,c3such that :
c1=h(𝜎);c2=h(𝜎((u⊕m)G));c3=h(𝜎(uG⊕x)) 2. B sends toAa randomb∈ {0,1,2}.
3. Three possibilities :
3.1 ifb= 0 :Arevealsu⊕mand𝜎 3.2 ifb= 1 :Areveals𝜎(u⊕m)G and𝜎(e) 3.3 ifb= 2 :Areveals𝜎andu
4. Three possibilities :
4.1 ifb= 0 :Bchecks thatc1,c2are correct 4.2 ifb= 1 :Bchecks thatc1,c3are correct
4.3 ifb= 2 :Bchecks thatc2,c3are correct and that𝜎(e) is of weightt
Figure:V´eron identification scheme
Quasi-cyclic construction
Idea : Replace the random matrixℋby the parity check matrix of a certain family of codes :
the double-circulant codes.
▶ Letℓ be an integer.
▶ a random double circulant matrix ℓ×2ℓℋis defined as :
ℋ= (I∣A) ,
where Ais acyclic matrix, of the form :
A=
⎛
⎜
⎜
⎜
⎝
a1 a2 a3 ⋅ ⋅ ⋅ aℓ
aℓ a1 a2 ⋅ ⋅ ⋅ aℓ−1
... ... ... ... ...
a2 a3 a4 ⋅ ⋅ ⋅ a1
⎞
⎟
⎟
⎟
⎠ ,
where (a1,a2,a3,⋅ ⋅ ⋅,aℓ) is a random vector of𝔽ℓ2.
▶ Store ℋneeds onlyℓbits.
Pierre-Louis CAYREL Crypto for Network Security 65/90
Properties
▶ the minimum distance is the same as random matrices,
▶ the syndrom decoding is still hard,
▶ very interesting for implementation in low ressource devices.
Parameter sizes
▶ Letnequal 2ℓ
▶ Private data : the secrets of bit-lengthn.
▶ Public data :nbits (iV of size n2 and the first row ofA,n2bits).
▶ at leastℓ= 347andt= 74for a security of285
▶ public and secret key size of n= 694bits
Pierre-Louis CAYREL Crypto for Network Security 67/90
Improved code-based identification scheme
Joint work with Pascal V´ eron
Identification
▶ Private key, sk : s∈𝔽nq such thatHsT=y and wt(s) =𝜔.
▶ Public key, pk :H a (n−k×n) random matrix of rankn−k over 𝔽q, ha collision resistance hash function,y ∈𝔽n−kq and𝜔∈ℕ
Pierre-Louis CAYREL Crypto for Network Security 69/90
Identification
1. Prover : generates a vector u∈𝔽nq, a vector𝛾∈𝔽nq∗ and a permutation Σ over{1, . . . ,n} at random and computes the commitments :
c1←h(
Σ, 𝛾,HuT)
andc2←h(Π𝛾,Σ(u),Π𝛾,Σ(s)) Sends the commitments{c1,c2} to the Verifier.
2. Verifier : chooses a random𝛼∈𝔽q and sends it to the Prover.
3. Prover : sends Π𝛾,Σ(u+𝛼s) =𝛽 ∈𝔽nq to the Verifier.
4. Verifier : sends a challenge b∈ {0,1} to the Prover.
5. Prover : answers the challenge
▶ Ifb= 0 reveals Σ and𝛾.
▶ Ifb= 1 reveals Π𝛾,Σ(s).
Verifier : checks commitment correctness
▶ Ifb= 0 checks ifc1=h(Σ, 𝛾,HΠ−1𝛾,Σ(𝛽)T−𝛼y) is correct
▶ Ifb= 1 checks ifc2=h(𝛽−𝛼Π𝛾,Σ(s),Π𝛾,Σ(s)) is correct and if wt(Π (s)) =𝜔.
Parameters
We suggest to use for our scheme :
q= 256,n= 128,k= 64,wt(s) = 49.
The complexity of an attack using ISD algorithms is then at least 287.
SD G-SD Our scheme
Rounds 27 27 16
Public data (bits) 123200 124250 33792 Communication (bits) 37872 31572 30848
Computation 222.7 223.1 212.1mult+
(bits. op) (bits. op) 211.3add (bytes op.)
Figure:SD schemes vs.q-ary SD scheme
Pierre-Louis CAYREL Crypto for Network Security 71/90
Works in progress
P.-L. Cayrel, P. Dusart, M. El Yousfi, R. Lindner, R.Niebuhr, M.Ruckert, R.da Silva and P. V´eron
▶ Use this constructions with lattices problems (Stern with lattices Asiacrypt 2008) submitted to ProvSec 2010 ;
▶ Study of fault injection sensitivity of the scheme.
Identity-based signature scheme
Identity-based cryptosystems and signature schemesAdvances in Cryptology-Crypto’84, 1984.
▶ problem in public key cryptography : managementof the authenticity of thepublic keys
▶ 1984 : Shamir introduced the IDentity-basedPublicKey Cryptography (ID-PKC) to simplify the management and the authenticity of the public key
▶ the public key is link to the user(email adress, name, ...)
Pierre-Louis CAYREL Crypto for Network Security 73/90
Advantages / disadvantages
▶ advantages :
▶ no certificat
▶ key easily memorizable
▶ no need of directory
▶ disadvantages :
▶ authority very powerful (key escrow)
▶ distribution of keys is not trivial (secure channel)
Pierre-Louis CAYREL Crypto for Network Security 75/90
Idea
▶ we use CFS signature scheme to have the notion of identity based
▶ from the identity we compute the syndrome
▶ we obtain the private key{s,j}
▶ we use Stern as a classical identification scheme
▶ we use the matrixH′of the first part
▶ we use a classical Stern scheme (except the knowledge ofj)
Description
Let :
▶ 𝒞 a binary linear codet-corrector of lengthnand of dimensionk.
▶ H a parity check matrix of𝒞 (private owned by the authority)
▶ H′ =SHP (public) withS invertible andP a permutation matrix
▶ ha hash function with values in{0,1}n−k.
▶ idA Alice’s identity (public).
Alice theproverwants to identify herself to Bob theverifier.
The protocol is in two parts :
1. theauthoritygives to Alice her private key from her identity (public) 2. Alice identify herself to Bob.
Pierre-Louis CAYREL Crypto for Network Security 77/90
Preliminary : key deliverance
▶ the problem can be solved by the following algorithm (CFS).
Let𝛾 be a decoding algorithm for the hidden code : 1. i ←0
2. whileh(idA∣i)is not decodable doi ←i+ 1 3. computes=𝛾(h(idA∣i))
Figure:key deliverance
▶ we obtain a couple {s,j}such that h(idA∣j) =H′sT.
▶ this couple is theAlice’s private key
(transmitted by the secure channel from the authority to Alice).
Identification by Bob
▶ Alice (A) has obtained a couple{s,j} satisfying :h(idA∣j) =H′sT
▶ Alice wants to identify herself to Bob (B)
▶ the matrixH′ is the same as the one used in the first part
▶ we give here an identification scheme but we can derivate a signature scheme (by classical constructions)
Pierre-Louis CAYREL Crypto for Network Security 79/90
1. Achoosesrandomly a wordy ofnbits and a permutation𝜎of {1,2, . . . ,n}.
Asends to B:c1,c2,c3andj such that :
c1=h(𝜎∣H′yT);c2=h(𝜎(y));c3=h(𝜎(y⊕s)).
2. B sends toAa randomb∈ {0,1,2}.
3. Three possibilities :
3.1 ifb= 0 :Arevealsy and𝜎 3.2 ifb= 1 :Areveals (y⊕s) and𝜎 3.3 ifb= 2 :Areveals𝜎(y) and𝜎(s) 4. Three possibilities :
4.1 ifb= 0 :Bchecks thatc1,c2are corrects 4.2 ifb= 1 :Bchecks thatc1,c3are corrects
▶ forc1we can note that
H′yT=H′(y⊕s)T⊕h(idA∣j)
4.3 ifb= 2 :Bchecks thatc2,c3are corrects and thats.𝜎is of weightt
Security analysis : parameters and security of the scheme
▶ the security relies to thechoice of the parameters of CFS scheme 1. used to create the private key
2. the matrix is ’re’-use in Stern’s protocol
▶ the scheme has to respect twoimperativeconditions :
1. make the computation of{s,j}difficult without the knowledge of the description ofH′,
2. make the number of tries to determinejnot too important in order to reduce the cost of the computation ofs.
Pierre-Louis CAYREL Crypto for Network Security 81/90
Security analysis : practical values
Conversely to the original Stern’s scheme, the code used here has length 216 instead of 29, which increases the communication cost.
public key private key matrix communication key generation
tm tm 2mtm ≈2m×#rounds
144 144 9 Mb ≈500 Kb (58 rounds) 1 s
practical values for Identity Based Identification scheme :m= 16,t= 9
public key private key matrix signature key generation
tm tm 2mtm ≈2m×#rounds
144 144 9 Mb ≈1.5 Mb (150 rounds) 1 s
practical values for Identity Based Signature scheme :m= 16,t= 9
Works in progress
P.-L. Cayrel, M. El Yousfi, P. Gaborit, D. Galindo and M.Girault
▶ QD constructions
▶ Proof of security in the ROM submitted to IEEE IT
Pierre-Louis CAYREL Crypto for Network Security 83/90
Group signature
▶ Chaum and van Heyst 1991 ;
▶ Purpose : permit to members of a group to sign anonymously a document, on the behalf of the group ;
▶ the group is composed of members and a manager ;
▶ the group manager gives the public keys and the private keys to the members ;
▶ each group member can sign for the group ;
▶ if there is a problem, the anonymity can be abducted by a trusted
Ring signature
▶ Rivest, Shamir and Tauman 2001 ;
▶ can be seen as a simplified group signature without manager ;
▶ no registration, each member can created its own keys ;
▶ we can check that the signature has been made by a signer in the ring ;
▶ the users don’t know who are the other signers when they create their PK ;
▶ secret sharing is totally anonymous (not revocable).
Pierre-Louis CAYREL Crypto for Network Security 85/90
Threshold ring signatures
▶ Bresson, Stern and Szydlo (2002) extended the notion of ring signature to threshold ring signature.
▶ Principle :
▶ ring ofNpotential signers ;
▶ t members of the ring sign ;
▶ the verifier is convinced thattusers have signed but he doesn’t know which ones.
The idea
A New Efficient Threshold Ring Signature Scheme based on Coding Theory.
with Carlos Aguilar Melchor and Philippe Gaborit PQCrypto2008
▶ Let us consider a ring ofN members(A1,⋅ ⋅ ⋅,AN) and among them t userswho want to produce a ring-signature,
▶ each user Ai compute apublic matrixℋi of (n−k)×nbits,
▶ Ai chosesi a random vector of weight𝜔;
▶ generatesk−1 random vectors ;
▶ considers the code𝒞i of dimensionk obtained ;
▶ takes the dual matrix of𝒞i notedℋi.
▶ the group public key consists of the public keys of the usersℋi and an integer 𝜔 (the same for each public keys),ℋ:
ℋ=
⎛
⎜
⎜
⎜
⎜
⎜
⎜
⎝
ℋ1 0 0 ⋅ ⋅ ⋅ 0 0 ℋ2 0 ⋅ ⋅ ⋅ 0 ... ... . .. ... ... ... ... ... . .. ... 0 0 0 ⋅ ⋅ ⋅ ℋN
⎞
⎟
⎟
⎟
⎟
⎟
⎟
⎠ .
▶ the secret key associated is a wordsi with weight 𝜔 of the code𝒞i
associated to the dual ℋi.
▶ the ring secret key is the concatenation of the si of weight𝜔.
Pierre-Louis CAYREL Crypto for Network Security 87/90
Protocol
▶ the prover P(t signers amongN), prove(by a slightly modified version of Stern’s scheme) to the verifierV that he knows a codewords of weightt𝜔 with a particular structure :
▶ s has a null syndromeℋ
▶ a special form on itsN blocs of sizen: each bloc of lenghtnhas a weight 0 or𝜔.
▶ each of thet signers computean instance of the Stern schemewith ℋi and a syndrome egal to 0.
▶ a leaderLcollects the results and simulate theN−t other members of the ring (the non-signers).
▶ Lmakes a new interactive Stern protocol with the verifierV.
Conclusion
▶ size of the signature in𝒪(N)(≈20kB×N - with 20kB the size of the signature via Fiat-Shamir),
▶ withN= 100 andt = 50, we obtain a signature of2MB (other schemes : more than 260bits),
▶ cost of the protocol in𝒪(N)(more precisely in 140n2N binary operations) for allt, the others are in𝒪(2tN),
▶ the main particularity of the scheme is thatthe complexity doesn’t depend ont,
Pierre-Louis CAYREL Crypto for Network Security 89/90
Works in progress
P.-L. Cayrel, P. Gaborit, R. Lindner, M.Meziani, M.Ruckert and R.da Silva
▶ Lattices construction (submitted to Latincrypt 2010)
▶ Blind signature scheme
▶ Group signature scheme
