Cryptography Course Information and Merkle-Damgard Transform Overview

m a th c m sc 456 u pd a te d c ou rse in fo n.w
1 / 39
Embed
Share

Explore details for CMSC 456 Cryptography course by Gorjan Alagic, covering Merkle-Damgard transform, random oracle models, and collision-resistant hashing. Learn about hash functions and their applications in building secure cryptographic protocols.

  • Cryptography
  • Merkle-Damgard
  • Hash Functions
  • Course Information
  • Random Oracle
rayaanacharya
baio589 Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. M A TH /C M SC 456 :: U PD A TE D C OU RSE IN FO Instructor: Gorjan Alagic (galagic@umd.edu); ATL 3102, office hours: by appointment Textbook: Introduction to Modern Cryptography, Katz and Lindell; Webpage: alagic.org/cmsc-456-cryptography-spring-2020/ (slides, reading posted here); Piazza: piazza.com/umd/spring2020/cmsc456 ELMS: active, slides and reading posted there, homework 2 due midnight Tonight. Gradescope: active, access through ELMS. TAs (Our spot: shared open area across from AVW 4166) Elijah Grubb (egrubb@cs.umd.edu) 11am-12pm TuTh (AVW); Justin Hontz (jhontz@terpmail.umd.edu) 1pm-2pm MW (AVW); Additional help: Chen Bai (cbai1@terpmail.umd.edu) 3:30-5:30pm Tu (2115 ATL inside JQI) Bibhusa Rawal (bibhusa@terpmail.umd.edu) 3:30-5:30pm Th (2115 ATL inside JQI) You can use AVW 4172 as a waiting room.

  2. RE C A P : M erkle-D am grd transform Construction (Merkle-Damg rd). Let ??????H, be a hash function, and suppose : 0,12? 0,1?. Define a new hash function: . ??????HMD: same as ??????H; MD: 0,1 0,1? defined as follows, on input ?: 1. assume length |?| of ? is divisible by ? (otherwise pad with 0s); 2. split ? as ? = (?1,?2, ,? ) and set ? +1 |?|. 3. set ?0= 0?; compute ??= (??,?? 1); 4. output ? +1 . ?2 ?3 ? +1 ?1 ? ? ? ? MD? 0? ?2 ?0 ?1 ? +1 ?

  3. RE C A P : M erkle-D am grd transform Remember: critical property we needed for integrity checks and for Hash-and-MAC was collision-resistance! What happens when we apply MD? Theorem. If is a collision-free hash function, then so is its Merkle-Damg rd transform MD. See book for proof. It s fairly straightforward.

  4. RE C A P : R A N D OM OR A C L E S Interesting: It seems like hash functions behave like random oracles! It s as if someone sampled a uniformly random function ? and then put it in an oracle! 1. Define ?: 0,1n 0,1? by setting ? ? 0,1?for each ?. 2. Put ? into a box so everyone can query it, but only as an oracle. A strong hash function (like SHA-3) is developed and standardized. LOOKS LIKE ? ? ?(?)

  5. RE C A P : R A N D OM OR A C L E S collision-resistant hashing Random Oracle Model (ROM). What crypto can we build in this model? 1. Define ?: 0,1n 0,1? by setting ? ? 0,1?for each ?. 2. Put ? into a box so everyone can query it, but only as an oracle. Collision-resistant hash: recall: random functions are collision-resistant; (because preimages are uniformly distributed) so ?itself serves as a collision-resistant hash; if we want small outputs, can discard bits of output. ? ? ?(?) Note: this is now statistical collision-resistance; for normal hash functions, it was computational (i.e., against PPT adversaries.) remember: collision-resistant one-way. So we also get one-way functions!

  6. ? bits RE C A P : R A N D OM OR A C L E S PRFs ? Random Oracle Model (ROM). What crypto can we build in this model? 1. Define ?: 0,1n 0,1? by setting ? ? 0,1?for each ?. 2. Put ? into a box so everyone can query it, but only as an oracle. Pseudorandom functions: sample a key: ? 0,1?/2; define ??: 0,1?/2 0,1?/2 ??? ?(?,?) (0 00,?) ? ? ?(?) (0 01,?) Why is it pseudorandom? Note: ? knows ?! 1. take any algorithm ??? . It makes some query ?1; 2. Pr ?1= ?,? = 2 ?/2 for any ?; so response is uniformly random in 0,1?/2; 3. in particular, ??? learned nothing with the first query. 4. so we can repeat the argument starting from 1. so ?? is oracle indistinguishable from a random function!

  7. RE C A P : R A N D OM OR A C L E S lots of stuff Random Oracle Model (ROM). What crypto can we build in this model? ROM ? PRG PRF collision-resistant hash IND-CPA encryption unforgeable MAC (fixed-length) unforgeable MAC (arbitrary-length)

  8. R A N D OM OR A C L E S one-tim e authentication IMPORTANT! NEW IDEAS! Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. KeyGen: I. Sample 2 random inputs to ?: ?1 ?1 Note each ?? 0 0 0 0 ?1 ?2 ?3 ? ? 0. 1. 0, ?2 1, ?2 0, ?3 1, ?3 0, , ? 1, , ? ? 0,1?. 1 1 1 1 ? ?1 ?2 ?3 ? ? II. Now compute, for each ?,?: ?? ? ? ?? ?; III. Output key consisting of two parts: 1. ?1 2. ?1 0 0 0 0 ?1 ?2 ?3 ? ? 0 and ?1 0 and ?1 1; 1; 0, ?2 0, ?2 0, ?3 0, ?3 0, , ? 0, , ? 1, ?2 1, ?2 1, ?3 1, ?3 1, , ? 1, , ? 1 1 1 1 ? ?1 ?2 ?3 ?

  9. R A N D OM OR A C L E S one-tim e authentication Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. 0 0 0 0 ?1 ?2 ?3 ? ? Mac: 1 1 1 1 ? ?1 ?2 ?3 ? On input a message ? 0,1 : Output tag ? 0,1? like this: For each bit position ? = 1,2, , output ?? Example: Suppose ? = 010110. ? ??. 0 0 0 0 ?1 ?2 ?3 ? ? 0 0 0 0 0 0 ?4 ?1 ?2 ?3 ?6 ?5 1 1 1 1 ? ?1 ?2 ?3 ? 1 1 1 1 1 1 ?1 ?4 ?2 ?3 ?6 ?5 1,?6 So tag is (?1 0). 0,?2 0,?4 1,?3 1,?5

  10. R A N D OM OR A C L E S one-tim e authentication Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. 0 0 0 0 ?1 ?2 ?3 ? ? Ver: 1 1 1 1 ? ?1 ?2 ?3 ? On input ? 0,1 and tag (?1,?2, ,? ): For each bit position ? = 1,2, , : If ? ?? ?? output accept. Example: Suppose ? = 010110. ?? output reject; ? Honestly generated 0 0 0 0 0 0 0 0 0 ?1 ?3 ?6 ?4 ?1 ?2 ?3 ?6 ?4 ?2 ?5 ?5 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 1 1 1 1 1 ?1 ?4 ?2 ?4 ?5 ?2 ?3 ?6 ?1 ?3 ?5 ?6 1 1 1 1 ? ?1 ?2 ?3 ? ? ? ? 0 0 0 0 0 0 0 0 0 0 0 0 ?4 ?1 ?2 ?3 ?6 ?4 ?5 ?1 ?2 ?3 ?6 ?5 1 1 1 1 1 1 1 1 1 1 1 1 ?1 ?4 ?2 ?3 ?6 ?1 ?4 ?5 ?2 ?3 ?6 ?5

  11. R A N D OM OR A C L E S one-tim e authentication Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. 0 0 0 0 ?1 ?2 ?3 ? ? Check correctness: for message ? 0,1 1 1 1 1 ? ?1 ?2 ?3 ? ?3, ,? ? ; ?1,?2 ?2,?3 tag is ?1 at the verification stage, we do this check for each ?: ? ?? ?? ? ?? = ?? ? for ? {0,1}. but in KeyGen this is exactly how we defined ?? so verification succeeds. 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ? ?1 ?2 ?3 ? So scheme is correct. Is it unforgeable?

  12. R A N D OM OR A C L E S one-tim e authentication Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. So scheme is correct. Is it unforgeable? Let s look at the adversary s view. It has two things: ? = ?0?1?2 ? 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ? ?1 ?2 ?3 ? 0 0 0 0 0 0 ?4 ?1 ?2 ?3 ?6 ?5 ? = ? 1 1 1 1 1 1 ?1 ?4 ?2 ?3 ?6 ?5 Now adversary tries to forge on ? ?. There s a bit ? where ? differs from ?. Say ? = 2. Then ? = ?0?1 0 0 0 ?2 ? But ?? and unknown. 0 ?1 ?2 ?3 ? ? ? is random 1 1 1 1 ? ?1 ?2 ?3 0 0 0 0 0 0 ? ?4 ?1 ?2 ?3 ?6 ?5 ? = 1 1 1 1 1 1 ?1 ?4 ?2 ?3 ?6 ?5

  13. R A N D OM OR A C L E S one-tim e authentication Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. So Lamport is a one-time MAC. So what? Look at verification again: 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ? ?1 ?2 ?3 ? Ver: On input ? 0,1 and tag (?1,?2, ,? ): For each bit position ? = 1,2, , : If ? ?? ?? output accept. ? ?? output reject; 0 0 0 0 ?1 ?2 ?3 ? ? ?! It only requires knowledge of the ?? 1 1 1 1 ? ?1 ?2 ?3 ?

  14. R A N D OM OR A C L E S one-tim e authentication Mac Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. So Lamport is a one-time MAC. So what? Look at verification again: for tag generation 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ? ?1 ?2 ?3 ? Ver: On input ? 0,1 and tag (?1,?2, ,?_ ): For each bit position ? = 1,2, , : If ? ?? ?? output accept. ? ?? output reject; Ver Key 0 0 0 0 ?1 ?2 ?3 ? ? ?! It only requires knowledge of the ?? for tag verification 1 1 1 1 ? ?1 ?2 ?3 ? So can split key into a Mac key, and a Ver key.

  15. R A N D OM OR A C L E S one-tim e authentication Mac Key Lamport scheme. One-time MAC for messages of length . Let ?: 0,1? 0,1?be a random oracle. So Lamport is a one-time MAC With a separate Mac key, and a Ver key. So what? for tag generation 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ? ?1 ?2 ?3 ? ?. Security only rested on unknowability of the ?? So only the Mac Key needs to be kept secret! ? Ver Key In other words, we can make Ver Key public! 0 0 0 0 ?1 ?2 ?3 ? ? for tag verification 1 1 1 1 ? ?1 ?2 ?3 ? (Mac Key stays secure because ?is one-way.)

  16. D IG ITA L SIG N A TU RE S Old setting: one key, shared privately. Alice ? Bob ? (?,?) PUBLIC-KEY CRYPTOGRAPHY! New setting: private signing key, public verification key. Alice ?? ?? (?,?) only Alice can sign anyone can verify

  17. L A M POR T SIG N A TU RE SC H E M E New setting: private signing key, public verification key. PUBLIC Alice 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ?1 ?2 ?3 ? ? 0 0 0 0 ?1 ?2 ?3 ? 1 1 1 1 ?1 ?2 ?3 ?

  18. L A M POR T SIG N A TU RE SC H E M E New setting: private signing key, public verification key. PUBLIC Alice 0 0 0 0 ?1 ?2 ?3 ? ? 1 1 1 1 ?1 ?2 ?3 ? by one-way property of ? 0 0 0 0 ?1 ?2 ?3 ? 1 1 1 1 ?1 ?2 ?3 ?

  19. L A M POR T SIG N A TU RE SC H E M E New setting: private signing key, public verification key. PUBLIC Alice 0 0 0 0 0 0 0 0 ?1 ?2 ?3 ? ?1 ?2 ?3 ? ? 1 1 1 1 1 1 1 1 ?1 ?2 ?3 ? ?1 ?2 ?3 ? 1 0,1 ? = 0 1 0 0 0 0 0 ?1 ?2 ?3 ? 1 1 1 1 ?1 ?2 ?3 ?

  20. L A M POR T SIG N A TU RE SC H E M E New setting: private signing key, public verification key. PUBLIC Alice 0 0 0 0 0 0 0 0 ?1 ?2 ?3 ? ?1 ?2 ?3 ? ? 1 1 1 1 1 1 1 1 ?1 ?2 ?3 ? ?1 ?2 ?3 ? 1 0,1 ? = 0 1 0 0 0 0 0 ?1 ?2 ?3 ? 1 1 1 1 ?1 ?2 ?3 ?

  21. L A M POR T SIG N A TU RE SC H E M E New setting: private signing key, public verification key. PUBLIC Alice 0 0 0 0 0 0 0 0 ?1 ?2 ?3 ? ?1 ?2 ?3 ? ? 1 1 1 1 1 1 1 1 ?1 ?2 ?3 ? ?1 ?2 ?3 ? ? verification: check that 1 0,1 ? = 0 1 0 0 0 0 0 ?1 ?2 ?3 ? 1 1 1 1 ?1 ?2 ?3 ? digital signature of document ?

  22. L A M POR T SIG N A TU RE SC H E M E Is it unforgeable? Let s look at the adversary s view. It has three things: ? = ?0?1?2 ? 0 0 0 0 0 0 0 0 0 0 ?4 ?1 ?2 ?1 ?2 ?3 ?6 ?3 ?5 ? ? = 1 1 1 1 1 1 1 1 1 1 ?1 ?4 ?1 ?2 ?3 ?2 ?3 ?6 ?5 ? Now adversary tries to forge on ? ?. There s a bit ? where ? differs from ?. Say ? = 2. Then an inversion occurred here! ?2 ? ? = ?0?1 To do a formal proof: build an algorithm for inverting ? which internally simulates 1-EUF-CMA with the Lamport scheme. The inversion will be at any bit where the query and the forgery differ. 0 0 0 0 0 0 ?4 ?1 ?2 ?3 ?6 ?5 ? = 1 1 1 1 1 1 ?1 ?4 ?2 ?3 ?6 ?5

  23. D IG ITA L SIG N A TU RE S Definition. A digital signature scheme is a triple of PPT algorithms: (key generation) ??????: on input 1?, outputs a secret key ?? and a public key ??; (tag generation) ????: on input a secret key ?? and message ? 0,1 , outputs signature??????(?); (verification) ???: on input a public key ?? and a message-signature pair (?,?), outputs ? or ?. satisfying correctness: for all s?,?? ?????? and all ?, ??????,??????(?) = ?. Compare to MACs: Definition. A message authentication code (MAC) is a triple of PPT algorithms: (key generation) ??????: on input 1?, outputs a key ? 0,1?; (tag generation) ???: on input a key ? and message ? 0,1 , outputs a tag ????(?); (verification) ???: on input a key ? and a message-tag pair (?,?), outputs ? or ?; satisfying correctness: for all ? and all ?, ?????,????? = 1.

  24. PU B L IC-K E Y C RYPTOG R A PH Y (a teaser)

  25. SO F A R Eve Alice ? Bob ? Until we saw Lamport all schemes used shared secret keys; this comes with a problem: how do you share the secret safely? you can t use crypto so you re left with some physical method and if that s intercepted (or searched without you knowing), all your crypto is pointless.

  26. SO F A R Eve Alice ? Bob ? There s other problems with secret keys Like symmetry! Consider authentication: with a MAC, generating tags and verifying tags are coupled together; if Alice shares a key with Bob she doesn t just grant Bob the ability to verify the authenticity of her messages; she also grants him the ability to authenticate them with her key! So, to a third party, Bob could pretend to be Alice! How do we solve that problem? (By the way, this is also why secret-key crypto is sometimes called symmetric-key crypto.)

  27. C OM M U N IC A TIO N O VE R PU B L IC C H A N N E L S? Alice Maybe the problem is just unavoidable? At first it might seem like this is just how things are after all, if you and another party don t share a secret how can you possibly communicate securely? Bob Lamport is certainly interesting, but it s one time, and only a signature scheme. what about encryption? and what about the key sharing problem? are these problems even solvable?

  28. C OM M U N IC A TIO N O VE R PU B L IC C H A N N E L S? If you think this sounds impossible you re in good company! (you could be a professor at Berkeley!) In 1974, an undergrad named Ralph Merkle took a security course at UC Berkeley. For the course project, he proposed the following:

  29. C OM M U N IC A TIO N O VE R PU B L IC C H A N N E L S? If you think this sounds impossible you re in good company! (you could be a professor at Berkeley!) In 1974, an undergrad named Ralph Merkle took a security course at UC Berkeley. for the course project, he proposed this exact problem; the prof told him to pick a different project so Merkle dropped the course, but continued working on his idea. He eventually came up with something called Merkle puzzles. it allowed two honest parties to share a secret over public channels in ?timesteps but any adversary who wanted to find the secret had to spend ?2 timesteps. He wrote a paper, but it was rejected. The expert review said: Experience shows that it is extremely dangerous to transmit key information in the clear.

  30. C OM M U N IC A TIO N O VE R PU B L IC C H A N N E L S? A few years earlier... In 1969, cryptographers in GCHQ (British NSA) discovered a protocol for public-key crypto! (This was not known to the public until 1997.) In the public world... two years after Merkle s discovery in 1976, Whitfield Diffie and Martin Hellman discovered a key-exchange protocol. What does Diffie-Hellman key exchange do? Something magical!

  31. K E Y E XC H A N G E Diffie-Hellman key-exchange. What does Diffie-Hellman key exchange do? Something magical! two parties are separated by an insecure channel (just like in encryption); but they do not share any secret information! and yet, after sending a few (insecure) messages in the open they suddenly share a secret key! WHAT? Bob Bob Alice Alice ? ?

  32. K E Y E XC H A N G E SE C RE T-K E Y C RYPTO What then? after key exchange is performed we are now in the setting we assumed for: 1. secret-key encryption 2. message authentication So: we can then use all the tools we learned about so far! Bob Alice ? ?

  33. A SYM M E TR IC C RYPTO Alice ?? ?? Is there another way? Recall how Lamport worked. no key exchange required; one private key, one public key; asymmetric roles: private key enables signing, public key enables verification. This can be extended to digital signatures for any number of messages! (?,?) What about encryption? can there be an asymmetric encryption scheme too? what s the right asymmetry? public key encrypts; private key decrypts.

  34. A SYM M E TR IC C RYPTO Public-key encryption Alice ?? ??

  35. A SYM M E TR IC C RYPTO Public-key encryption Alice ?? ?? Bob ? ?? ?

  36. A SYM M E TR IC C RYPTO Public-key encryption For two-way communication, Bob can do the same thing Alice did. Alice ?? ?? Bob ?? ? ? ?? ?

  37. PU B L IC-K E Y C RYPTOG R A PH Y Clearly public-key crypto is awesome! How do we get there? we don t know how to build it out of generic things like PRGs or PRFs. we need specific computational assumptions and these assumptions require some math. Specifically, some number theory. So some work will be involved, but it will be very worthwhile!

  38. TH E PL A N Clearly public-key crypto is awesome! How do we get there? we don t know how to build it out of generic things like PRGs or PRFs. we need specific computational assumptions and these assumptions require some math. Specifically, some elementary number theory! So some work will be involved, but it will be very worthwhile!

  39. TH E PL A N Next 6 weeks: Topic Dates Intro and symmetric-key cryptography (8 lectures) January 28 February 20 RSA and Diffie-Hellman (4 lectures + 1 hwk) Carl Miller February 25 March 5 Secret sharing (2 lectures + 1 hwk) Bill Gasarch March 10 - 12 Fun guest lecture March 24 Midterm review March 26 Midterm March 31 Fun guest lecture (blockchain, likely) April 2 I m back. April 7 - end

Related


CSE 122 Winter 2024 - Lecture 18: Putting It All Together Review

CSE 122 Winter 2024 - Lecture 18: Putting It All Together Review

lochlan
Principles and Applications of Symmetry in Magnetism Summer School Lecture

Principles and Applications of Symmetry in Magnetism Summer School Lecture

eleanora
Spring 2BL : Lecture 5

Spring 2BL : Lecture 5

zakai
An Overview of AI Applications in Medicine - Lecture Highlights

An Overview of AI Applications in Medicine - Lecture Highlights

denise
Enhancing Student Learning Through Formative Assessment in Lecture-Based Courses

Enhancing Student Learning Through Formative Assessment in Lecture-Based Courses

varian
2D Geometric Transformations for Computer Graphics

2D Geometric Transformations for Computer Graphics

maira
Understanding Heat Transfer in Thermodynamics Lecture

Understanding Heat Transfer in Thermodynamics Lecture

shania
Thermal Physics Lecture by Dr. Erwin Sitompul at President University

Thermal Physics Lecture by Dr. Erwin Sitompul at President University

mckinzle
Introduction to Code Reasoning in CSE331 Lecture

Introduction to Code Reasoning in CSE331 Lecture

yrose
Advanced Topics in Communication Systems: Lecture 18 Overview and Final Exam Details

Advanced Topics in Communication Systems: Lecture 18 Overview and Final Exam Details

smiha
Proper Handling and Storage of Lecture Bottles in Laboratories

Proper Handling and Storage of Lecture Bottles in Laboratories

gwy_ke
Medical Lecture Committee and Funds Overview

Medical Lecture Committee and Funds Overview

desantos_j

More Related Content