![Page 1: Protocol Design - COSIC · Efficient Asymmetric O(N) keys. Key Management ... Enc is homomorphic for an operation on message space M iff Enc(m 1 m 2) = Enc(m 1) Enc(m 2) with operation](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/1.jpg)
Protocol Design
Jens Hermans & Roel Peeters, KU Leuven/COSIC
The ideal protocol
… serves exactly the application’s needs
… comes at a low cost
… is simple (elegant)
… is efficiently implementable
… is provably secure
… does not exist
Before you start, know this
Protocol design is hard !!!
Roughly half of the protocol papers start with “Attack on …” or “On the (claimed) security of …”
You need someone that constantly challenges you
Iterate, iterate, iterate: > 1.5 years, many many iterations
Overview
Understand Your Application
Common Goals
Common Design Choices
Building Blocks
Basic Protocols
Proofs
Common Pitfalls
Understand Your Application
This is the most important thing, whether selecting an existing protocol or designing your own
Constraints
Examples:
Battery operated
Limited storage
Entire protocol < 400 ms (passive RFID tags)
Needs to work (also) offline
But also: what is already available? E.g. AES instruction in the processor, ECC coprocessor already on the chip
Goals
Security
Authentication (Entity / Data)
Data Confidentiality
Privacy
…
Efficiency (i.e. low cost)
Simplicity
Verifiability
Attacker capabilities
Who is your attacker?
Example: Unlock front door
Example: Public Transportation
Example: Smartmeter
Example: Container Tracking
Example: Medicine tracking
Costs
Different types of cost:
Chip area
Power
Energy
Speed
Communication rounds
Cost at the backend
…
Common Goals
Data Authentication
(figure: Alice, Bob, Eve)
Entity Authentication
(figure: Eve to Bob: “Hello, I am Alice”)
Non-repudiation
(figure: Alice, Bob)
Data Confidentiality
(figure: Alice, Bob, Eve)
Privacy
(figure: two unidentified parties “? ?”, Eve)
Prevent Denial of Service
(figure: Bob, Eve)
Protect against key leakage (forward/backward secrecy)
(figure: Eve)
Common Design Choices
Backend Processing
(figure: backend record “Alice: €100, …”; messages “Auth Alice” and “€100”; Trust?)
Symmetric/Asymmetric Key
Symmetric
Scale: O(N²) keys, central authority, or share keys (= risk)
Efficient
Asymmetric
O(N) keys
Key Management
Use key only for one function: e.g., either MAC or ENC (or AE)
Protect your keys
HW security
Key encapsulation (brute-force risk)
Secret sharing
…
When to trust a key?
Key Updates
(timeline: 2006 → 2016)
Swap keys (different algorithm?)
Other parties:
Central Authority?
Individual notification? Linking?
Key Updates
RFID Scene: change key every time
(“improves” privacy)
Problems
Power to overwrite key in mem? 2x mem required
Desynchronisation
Inherent issues of symmetric key
Mutual Authentication
Devices only respond to authorised queries
Enhanced privacy, side-channel resistance
Optional data transfer
Prevent DoS attacks when using coupons
First reader authentication, then tag authentication
Secure Hardware
Building Blocks
Key Derivation Function
Key Derivation Function
Extract-then-Expand [Krawczyk]
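The extract-then-expand construction named on the slide, as an added example (not code from the slides or from COSIC): HKDF per RFC 5869 with SHA-256, checked against the RFC's first published test vector, plus a `derive_session_keys` helper (hypothetical name and context labels) that applies the key-management advice from the deck of deriving one key per function.

```python
import hashlib
import hmac

# Added example (not from the slides): RFC 5869 HKDF, i.e. extract-then-expand.
HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract: condense possibly non-uniform input keying material into a
    fixed-length pseudorandom key PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an empty salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand: stretch PRK into `length` bytes of output keying material,
    binding the context string `info` into every output block."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_test_case_1() -> bool:
    """Compare against test case 1 of RFC 5869 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865"
    )


def derive_session_keys(shared_secret: bytes, transcript_hash: bytes) -> dict:
    """Key-management pattern from the deck: derive separate keys for separate
    functions (MAC and encryption) from one shared secret, so that no key is
    ever used for two purposes. The labels are an assumption of this example."""
    prk = hkdf_extract(transcript_hash, shared_secret)
    return {
        "mac_key": hkdf_expand(prk, b"example protocol mac key", 32),
        "enc_key": hkdf_expand(prk, b"example protocol enc key", 32),
    }
```

The `info` argument is what makes the two derived keys independent: same PRK, different context, unrelated outputs, which is the cheap way to honour "use a key only for one function".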
Hash chains
(figure: chain of blocks, each holding data and hash(...) of the previous block)
Merkle Tree
(figure: leaves d1, d2, d3, …; each inner node hash(...) over its children; root r)
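The two hash structures on the previous slides, as an added example (not code from the slides): a hash chain where each link commits to the previous one, and a Merkle tree with logarithmic-size inclusion proofs. Leaf and inner nodes get different domain-separation prefixes (an assumption of this example, not shown on the slides) so that a leaf can never be passed off as an inner node; the sample records are constructed.

```python
import hashlib

# Added example (not from the slides). Sample records are constructed inline.


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the arguments."""
    return hashlib.sha256(b"".join(parts)).digest()


# --- Hash chain: every link commits to the previous one -------------------

def hash_chain(records):
    """Link i = H(link i-1 || record i). Changing any earlier record changes
    every later link, so an auditor holding only the final link detects
    tampering anywhere in the history."""
    links = []
    prev = bytes(32)  # constructed sentinel for "no previous entry"
    for rec in records:
        prev = h(b"\x00", prev, rec)
        links.append(prev)
    return links


# --- Merkle tree: root r over leaves d1, d2, d3, ... ----------------------

def merkle_levels(leaves):
    """All levels bottom-up; odd levels duplicate their last node."""
    level = [h(b"\x00", leaf) for leaf in leaves]        # leaf prefix 0x00
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [h(b"\x01", level[i], level[i + 1])       # inner prefix 0x01
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves) -> bytes:
    return merkle_levels(leaves)[-1][0]


def merkle_proof(leaves, index):
    """Audit path for leaf `index`: list of (sibling_hash, sibling_is_right)."""
    path = []
    for level in merkle_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        path.append((level[sibling], sibling > index))
        index //= 2
    return path


def merkle_verify(root: bytes, leaf: bytes, path) -> bool:
    """Recompute the root from the leaf and its audit path; the verifier
    needs the root, the leaf and log2(#leaves) hashes, nothing else."""
    node = h(b"\x00", leaf)
    for sibling, sibling_is_right in path:
        node = h(b"\x01", node, sibling) if sibling_is_right else h(b"\x01", sibling, node)
    return node == root
```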
One Time MAC
Information-theoretic security
Can only use key for one MAC
Cheap! (but: where does the key come from?)
Examples: pairwise-independent universal hash, Poly1305, …
Authenticated Encryption
Protect confidentiality & integrity
CAESAR competition
More on Wednesday!
Diffie-Hellman revisited
Alice: generate x, compute g^x, send it to Bob
Bob: generate y, compute g^y, send it to Alice
Alice computes k = (g^y)^x; Bob computes k = (g^x)^y
• How does Alice know that she shares this secret key k with Bob?
• Answer: Alice has no idea at all about who the other person is! The same holds for Bob
MITM attack on DH
Eve shares a key k1 with Alice and a key k2 with Bob
Requires active attack (Eve modifies messages)
Alice–Eve: exponents x1, y1; k1 = (g^y1)^x1 = (g^x1)^y1
Eve–Bob: exponents x2, y2; k2 = (g^y2)^x2 = (g^x2)^y2
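The two slides above, as an added example (not code from the slides): an unauthenticated Diffie-Hellman run in a toy group, the same run with Eve substituting both shares so that Alice and Bob hold different keys that Eve both knows, and a minimal fix in which each side MACs its own view of the transcript under a long-term shared key, in the spirit of the MAC-based ISO/IEC 9798-4 mentioned later in the deck. The group parameters (p = 2039, q = 1019, g = 4), the long-term key and the exponents in the test are all constructed and far too small for real use.

```python
import hashlib
import hmac

# Added example, not from the slides. Toy group: p = 2039 is a safe prime,
# q = 1019 = (p-1)/2 and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def dh_public(x: int) -> int:
    return pow(G, x, P)                                   # g^x mod p


def dh_key(private: int, peer_public: int) -> bytes:
    """k = (g^y)^x mod p, hashed so that it can serve as key material."""
    return hashlib.sha256(pow(peer_public, private, P).to_bytes(2, "big")).digest()


def unauthenticated_run(x: int, y: int, eve=None):
    """Honest run if eve is None; otherwise eve = (x2, y1) are Eve's own
    exponents. Returns (alice_key, bob_key, eve_keys). With Eve relaying,
    Alice and Bob end up with different keys and Eve knows both: nothing in
    the exchange tells Alice who she actually shares k with."""
    gx, gy = dh_public(x), dh_public(y)
    if eve is None:
        return dh_key(x, gy), dh_key(y, gx), ()
    x2, y1 = eve
    alice_key = dh_key(x, dh_public(y1))          # Alice receives g^y1, not g^y
    bob_key = dh_key(y, dh_public(x2))            # Bob receives g^x2, not g^x
    eve_keys = (dh_key(y1, gx), dh_key(x2, gy))   # k1 with Alice, k2 with Bob
    return alice_key, bob_key, eve_keys


# Binding identities to the exchange, symmetric flavour: each side MACs the
# transcript as it saw it under a long-term key shared by Alice and Bob.
LONG_TERM_KEY = b"constructed-16-B"   # constructed for the example


def transcript_tag(role: bytes, gx: int, gy: int) -> bytes:
    msg = role + gx.to_bytes(2, "big") + gy.to_bytes(2, "big")
    return hmac.new(LONG_TERM_KEY, msg, hashlib.sha256).digest()


def authenticated_run(x: int, y: int, eve=None) -> bool:
    """True if both sides accept. Eve can still relay, but each tag covers the
    sender's own view of (g^x, g^y), so substituted shares fail on both sides."""
    gx, gy = dh_public(x), dh_public(y)
    gx_at_bob, gy_at_alice = gx, gy
    if eve is not None:
        x2, y1 = eve
        gx_at_bob, gy_at_alice = dh_public(x2), dh_public(y1)
    tag_a = transcript_tag(b"A", gx, gy_at_alice)       # Alice's view, sent to Bob
    tag_b = transcript_tag(b"B", gx_at_bob, gy)         # Bob's view, sent to Alice
    bob_accepts = hmac.compare_digest(tag_a, transcript_tag(b"A", gx_at_bob, gy))
    alice_accepts = hmac.compare_digest(tag_b, transcript_tag(b"B", gx, gy_at_alice))
    return bob_accepts and alice_accepts
```

The role byte in the tag prevents a reflected tag from being accepted, and `compare_digest` keeps the tag check constant-time; both are small details that recur in the "common pitfalls" of real protocols.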
Pairings (bilinear maps)*
ê: G1 × G2 → GT
ê(aP, bQ) = ê(bP, aQ) = ê(abP, Q) = ê(P, abQ) = ab ∙ ê(P, Q)
Pairings for Cryptographers by S.D. Galbraith, K.G. Paterson and N.P. Smart [eprint 2006/165]
Do not use pairings over F_{2^n}!
Commitments
Allow one to commit to a choice without revealing it
Binding: cannot be opened to any other value
Hiding: the committed value cannot be determined from the commitment
Both can be perfect/computational; however, a commitment can never be both perfectly binding and perfectly hiding
Bit Commitment
Alice wants to commit to a bit but does not want to reveal it till some time in the future
Bob wants to make sure Alice cannot change her committed choice
Why not simply encrypt something and give the key later?
- Alice may find another key that opens to the other value (it’s only a bit)
Using a symmetric key: Bob sends R, Alice commits E_K{R, b} to Bob, gives up K later
Feldman Commitment
g^x mod p
Perfect binding
Computationally hiding
Pedersen Commitment
g^x h^y mod p
where a with g = h^a mod p is unknown
Computationally binding
Perfect hiding
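Both commitment schemes from the two slides above, as an added example (not code from the slides): Feldman's g^x and Pedersen's g^x h^y in a toy group, with a `pedersen_equivocate` function (hypothetical name) that shows why the slide insists the exponent a with g = h^a must be unknown: whoever knows a can open a Pedersen commitment to any value, which is exactly the computational (not perfect) binding. Parameters p = 2039, q = 1019, h = 4 are constructed and far too small for real use.

```python
import secrets

# Added example, not from the slides. Toy group: p = 2039 (safe prime),
# q = 1019 and h = 4 generates the subgroup of order q. Exponents live in
# Z_q, commitments in Z_p^*.
P, Q, H = 2039, 1019, 4


def feldman_commit(x: int) -> int:
    """h^x mod p (the slide's g^x): perfectly binding, since one x maps to
    one group element, but only computationally hiding, since anyone who
    can take discrete logs recovers x."""
    return pow(H, x, P)


def feldman_verify(c: int, x: int) -> bool:
    return c == feldman_commit(x)


def pedersen_setup():
    """g = h^a mod p for random a. In an honest setup a is discarded (or g is
    derived by hashing so that nobody knows it); it is returned here only so
    that the example can show what goes wrong when somebody does know it."""
    a = secrets.randbelow(Q - 1) + 1
    return pow(H, a, P), a


def pedersen_commit(g: int, x: int, y: int) -> int:
    """C = g^x h^y mod p, y a fresh random blinding exponent. Because y is
    uniform in Z_q, C is uniform in the subgroup whatever x is: perfect hiding."""
    return (pow(g, x, P) * pow(H, y, P)) % P


def pedersen_verify(g: int, c: int, x: int, y: int) -> bool:
    return c == pedersen_commit(g, x, y)


def pedersen_equivocate(a: int, x: int, y: int, x_new: int) -> int:
    """Why a must be unknown: with g = h^a, C = h^(a*x + y), so for any x_new
    the blinding y_new = a*(x - x_new) + y (mod q) opens the same C to x_new.
    Binding therefore holds only computationally (under discrete log)."""
    return (a * (x - x_new) + y) % Q
```

The practical consequence for a protocol designer is that the Pedersen generators must come from a nothing-up-my-sleeve procedure (or a trusted setup); picking g = h^a yourself and "forgetting" a is not an option when you are also a party to the protocol.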
Zero Knowledge
How to explain zero-knowledge protocols to your children
[Quisquater et al. 89]
Schnorr Authentication
Prover holds x and X = xP; verifier holds X
Prover → Verifier: R = rP
Verifier → Prover: e
Prover → Verifier: s = ex + r
Verifier checks: X = e^-1 (sP − R) ?
Schnorr Authentication
Zero Knowledge: knowing only X one can come up with <R, e, s> such that X = e^-1 (sP − R):
Choose e and s at random
Fix R = sP – eX
History: EC-DSA vs. Schnorr
Schnorr Signature
Signer holds x and X = xP; verifier holds X
For a message M to be signed:
R = rP
e = H(R, M), s = ex + r
Verifier: R’ = sP – eX
e = H(R’, M) ?
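The three Schnorr slides above, as one added example (not code from the slides): the interactive identification protocol, the zero-knowledge simulator that forges an accepting transcript from X alone, and the Fiat-Shamir signature obtained by replacing the verifier's challenge with H(R, M). The slides use additive elliptic-curve notation (X = xP, R = rP); this example runs in a multiplicative toy group instead, so X = g^x and R = g^r, and the check X = e^-1(sP − R) becomes g^s = X^e · R. The parameters p = 2039, q = 1019, g = 4 are constructed and far too small for real use.

```python
import hashlib
import secrets

# Added example, not from the slides. Toy group: p = 2039, q = 1019, g = 4
# of order q. Private keys and exponents live in Z_q.
P, Q, G = 2039, 1019, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)             # (x, X = g^x)


# --- Interactive identification --------------------------------------------

def prover_commit():
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)             # (r, R = g^r); r must be fresh per run


def verifier_challenge() -> int:
    return secrets.randbelow(Q)        # e


def prover_respond(x: int, r: int, e: int) -> int:
    return (e * x + r) % Q             # s = e*x + r


def verifier_check(X: int, R: int, e: int, s: int) -> bool:
    """g^s == X^e * R, the multiplicative form of X = e^-1 (sP - R)."""
    return pow(G, s, P) == (pow(X, e, P) * R) % P


def simulate_transcript(X: int):
    """Zero knowledge: anyone holding only X can produce an accepting
    (R, e, s) by choosing e and s first and solving R = g^s * X^-e.
    Such transcripts are distributed like real ones, so a transcript alone
    proves nothing to a third party, which is the point of the property."""
    e = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    X_e_inv = pow(pow(X, e, P), P - 2, P)        # inverse mod p (p prime)
    return (pow(G, s, P) * X_e_inv) % P, e, s


# --- Non-interactive signature (Fiat-Shamir) --------------------------------

def _hash_challenge(R: int, msg: bytes) -> int:
    """e = H(R, M) as an integer. Not reduced mod q here so that a tampered
    message cannot slip through by a 1/q collision in this tiny toy group."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(2, "big") + msg).digest(), "big")


def sign(x: int, msg: bytes):
    r, R = prover_commit()
    e = _hash_challenge(R, msg)                  # the hash plays the verifier
    return e, prover_respond(x, r, e)


def verify(X: int, msg: bytes, sig) -> bool:
    e, s = sig
    R_prime = (pow(G, s, P) * pow(pow(X, e, P), P - 2, P)) % P   # R' = g^s X^-e
    return _hash_challenge(R_prime, msg) == e
```

Note that `prover_commit` draws r fresh each time: s = ex + r is linear in x, so two responses under the same r and different e expose x by simple subtraction, which is why nonce handling dominates the implementation pitfalls of Schnorr-style schemes.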
Blind Signatures*
Requester holds (e, N); signer holds (d, N)
For a message M to be signed:
r at random
M’ = M ∙ r^e mod N
s' = M’^d mod N
s = s’ ∙ r^-1 mod N
Homomorphic Encryption
Enc is homomorphic for an operation □ on message space M iff
Enc(m1 □ m2) = Enc(m1) ◊ Enc(m2)
with ◊ an operation on ciphertext space C
If □ = +, then Enc is additively homomorphic
If □ = ×, then Enc is multiplicatively homomorphic
Multiplicative Homomorphic
Textbook RSA
ENC(m1) ∙ ENC(m2) = m1^e ∙ m2^e mod N = (m1 ∙ m2)^e mod N = ENC(m1 ∙ m2)
ElGamal
ENC(m1) ∙ ENC(m2) = (g^r1, m1 ∙ y^r1) ∙ (g^r2, m2 ∙ y^r2) = (g^(r1 + r2), (m1 ∙ m2) ∙ y^(r1 + r2)) = ENC(m1 ∙ m2)
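The RSA blind signature slide and the textbook-RSA line above are two faces of the same multiplicative homomorphism, so one added example (not code from the slides) covers both: `multiplicative_homomorphism_holds` checks ENC(m1)·ENC(m2) = ENC(m1·m2), and `blind`/`signer`/`unblind` (hypothetical names) run the blinding protocol from the slide. The key N = 61·53 = 3233, e = 17, d = 2753 is the usual toy key, without padding, so everything here is textbook RSA only.

```python
from math import gcd

# Added example, not from the slides. Toy textbook RSA key, no padding.
N, E, D = 3233, 17, 2753


def inv_mod(a: int, n: int) -> int:
    """Extended Euclid: a^-1 mod n, for gcd(a, n) = 1 (n may be composite)."""
    r0, r1, s0, s1 = n, a % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    assert r0 == 1, "not invertible"
    return s0 % n


def rsa_enc(m: int) -> int:
    return pow(m, E, N)


def rsa_sign(m: int) -> int:
    return pow(m, D, N)


def rsa_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def multiplicative_homomorphism_holds(m1: int, m2: int) -> bool:
    """ENC(m1) * ENC(m2) = m1^e * m2^e = (m1 * m2)^e = ENC(m1 * m2) mod N."""
    return (rsa_enc(m1) * rsa_enc(m2)) % N == rsa_enc((m1 * m2) % N)


# Blind signature: the requester hides M under r, the signer signs the
# blinded value without learning M, and the requester strips r afterwards.

def blind(M: int, r: int) -> int:
    assert gcd(r, N) == 1, "r must be invertible mod N"
    return (M * pow(r, E, N)) % N          # M' = M * r^e mod N


def signer(M_blinded: int) -> int:
    return pow(M_blinded, D, N)            # s' = M'^d mod N; signer sees only M'


def unblind(s_blinded: int, r: int) -> int:
    return (s_blinded * inv_mod(r, N)) % N     # s = s' * r^-1 = M^d mod N


def signature_is_malleable(m1: int, m2: int) -> bool:
    """The flip side of the same structure: signatures on raw messages
    multiply into a valid signature on m1 * m2, which is why a real scheme
    signs a padded hash rather than the message itself."""
    s12 = (rsa_sign(m1) * rsa_sign(m2)) % N
    return rsa_verify((m1 * m2) % N, s12)
```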
Additive Homomorphic
Exponential ElGamal
Paillier
ENC(m1) ∙ ENC(m2) = (g^m1 ∙ r1^n) ∙ (g^m2 ∙ r2^n) = g^(m1 + m2) ∙ (r1 ∙ r2)^n = ENC(m1 + m2 mod n)  (ciphertexts computed mod n²)
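The Paillier identity on the slide, as an added example (not code from the slides): a toy Paillier instance with p = 11, q = 13 and the common simplification g = n + 1, with encryption, decryption, the ciphertext product that adds plaintexts, and exponentiation that multiplies a plaintext by a known scalar. The test deliberately adds past n to show the wraparound: sums are only correct modulo n, so message encoding must keep them below n. Parameters are constructed and far too small for real use.

```python
from math import gcd
import secrets

# Added example, not from the slides. Toy Paillier: n = 143, n^2 = 20449.
p, q = 11, 13
n = p * q                  # plaintexts live in Z_n
n2 = n * n                 # ciphertexts live in Z_{n^2}
g = n + 1                  # standard simplification for the generator
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)     # lcm(p-1, q-1) = 60
# With g = n + 1, g^lam mod n^2 = 1 + lam*n, so L(g^lam) = lam and mu = lam^-1 mod n
mu = next(m for m in range(1, n) if (lam * m) % n == 1)


def L(u: int) -> int:
    return (u - 1) // n


def enc(m: int, r: int = None) -> int:
    """c = g^m * r^n mod n^2 with r a fresh random element of Z_n^*."""
    while r is None or gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def dec(c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n."""
    return (L(pow(c, lam, n2)) * mu) % n


def add(c1: int, c2: int) -> int:
    """ENC(m1) * ENC(m2) = ENC(m1 + m2 mod n): the identity on the slide."""
    return (c1 * c2) % n2


def scalar_mult(c: int, k: int) -> int:
    """ENC(m)^k = ENC(k * m mod n): repeated addition without decrypting."""
    return pow(c, k, n2)
```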
Secret Sharing
# shares: n = 5
threshold: t+1 = 3
secret: x
share i: x_i
Lagrange multipliers λ_i
x = Σ_i x_i ∙ λ_i
Verifiable Secret Sharing
The dealer also commits to the polynomial, allowing each recipient to verify that their share is on the same polynomial
f(z) = a_0 + a_1 z + ... + a_t z^t with a_0 = s, s_j = f(j)
c_i = g^(a_i)
Check: g^(s_j) = ∏_i c_i^(j^i)
Distributed Key Generation
no single party knows the secret
Each party acts as dealer
Share = sum subshares
Secret = sum subsecrets
Public key needs to be extracted
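The three slides above (Shamir sharing with Lagrange reconstruction, Feldman's verifiable sharing, and distributed key generation), as one added example (not code from the slides). It uses the slide's parameters n = 5 shares and threshold t+1 = 3, shares in Z_q and commitments in a toy group (p = 2039, q = 1019, g = 4, constructed and far too small for real use). `dkg` returns the joint secret as its last value only so that the test can check it; in a real run that value is never assembled anywhere.

```python
import secrets

# Added example, not from the slides. Toy group p = 2039, q = 1019, g = 4 of
# order q. n = 5 shares, threshold t+1 = 3, i.e. polynomials of degree t = 2.
P, Q, G = 2039, 1019, 4
N_SHARES, T = 5, 2


def deal(secret: int):
    """Dealer: random polynomial f with f(0) = secret. Returns the shares
    {j: f(j)} and the Feldman commitments [g^a_0, ..., g^a_t]."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(T)]
    shares = {j: sum(a * pow(j, i, Q) for i, a in enumerate(coeffs)) % Q
              for j in range(1, N_SHARES + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(j: int, share: int, commitments) -> bool:
    """Feldman check from the VSS slide: g^{s_j} == prod_i c_i^{j^i}."""
    rhs = 1
    for i, c in enumerate(commitments):
        rhs = (rhs * pow(c, pow(j, i, Q), P)) % P
    return pow(G, share, P) == rhs


def lagrange_at_zero(j: int, js) -> int:
    """lambda_j = prod_{k != j} k / (k - j) mod q, the multiplier on the slide."""
    num = den = 1
    for k in js:
        if k != j:
            num = (num * k) % Q
            den = (den * (k - j)) % Q
    return (num * pow(den, Q - 2, Q)) % Q       # Fermat inverse, q prime


def reconstruct(subset: dict) -> int:
    """x = sum_j x_j * lambda_j over any t+1 = 3 shares {j: x_j}."""
    js = list(subset)
    return sum(subset[j] * lagrange_at_zero(j, js) for j in js) % Q


def dkg(n_parties: int = N_SHARES):
    """Distributed key generation: every party deals a random subsecret;
    party j's share is the sum of the subshares it received, the joint secret
    is the sum of the subsecrets, and the public key g^secret is the product
    of the parties' a_0 commitments, so it is extracted without any party
    ever holding the secret."""
    subsecrets = [secrets.randbelow(Q) for _ in range(n_parties)]
    dealt = [deal(s) for s in subsecrets]
    for j in range(1, N_SHARES + 1):            # each party checks every subshare
        assert all(verify_share(j, sh[j], comm) for sh, comm in dealt)
    joint_shares = {j: sum(sh[j] for sh, _ in dealt) % Q for j in range(1, N_SHARES + 1)}
    public_key = 1
    for _, comm in dealt:
        public_key = (public_key * comm[0]) % P
    return joint_shares, public_key, sum(subsecrets) % Q   # last value: test only
```

The resharing slide that follows is the same machinery again: each holder deals its current share as the secret of a fresh sharing, and the new shares are recombined with the Lagrange multipliers of the old share indices.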
Resharing
A similar mechanism can be used to reshare a shared secret
To recover from parts that have been compromised
This is done by each dealer setting its current share as the secret in a new DKG protocol
Threshold Cryptography
Combine homomorphic encryption with secret sharing:
Each party can do partial decryptions using its part of the key
Partial decryptions (> t+1) can be combined into the decryption
A similar thing can be done for signature schemes (usually more involved because of distributed generation of randomness while signing)
Oblivious Transfer*
Sender holds m0, m1 and an RSA key (d, N, e); receiver holds a random k and a choice bit b
Sender: x0, x1 random; sends N, e, x0, x1
Receiver: v = x_b + k^e mod N; sends v
Sender: m0’ = (v − x0)^d mod N + m0, m1’ = (v − x1)^d mod N + m1; sends m0’, m1’
Receiver: m_b = m_b’ − k
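The RSA-based 1-out-of-2 oblivious transfer on the slide, as an added example (not code from the slides), with one function per message and a `run_ot` driver (hypothetical names). The toy key N = 61·53 = 3233, e = 17, d = 2753 is constructed; the receiver learns exactly m_b because (v − x_b)^d = k, while for the other index the sender adds a value the receiver cannot compute without d, and the sender learns nothing about b because k^e is just a random residue from its point of view.

```python
import secrets

# Added example, not from the slides. Toy RSA key (N, e, d), no padding.
N, E, D = 3233, 17, 2753


def sender_setup():
    """Sender: two random values x0, x1, published together with (N, e)."""
    return secrets.randbelow(N), secrets.randbelow(N)


def receiver_choose(x, b: int, k: int) -> int:
    """Receiver: v = x_b + k^e mod N. k^e hides which x_i was used."""
    return (x[b] + pow(k, E, N)) % N


def sender_respond(v: int, x, m0: int, m1: int):
    """Sender: m_i' = (v - x_i)^d mod N + m_i for i = 0, 1. For i = b this
    adds exactly k; for the other index it adds a value only the holder of d
    can compute."""
    k0 = pow((v - x[0]) % N, D, N)
    k1 = pow((v - x[1]) % N, D, N)
    return k0 + m0, k1 + m1


def receiver_recover(m_blinded, b: int, k: int) -> int:
    """Receiver: m_b = m_b' - k."""
    return m_blinded[b] - k


def run_ot(m0: int, m1: int, b: int, k: int) -> int:
    x = sender_setup()
    v = receiver_choose(x, b, k)
    return receiver_recover(sender_respond(v, x, m0, m1), b, k)
```

The receiver's k must be a fresh random value below N for every transfer; reusing k across two runs, or picking it from a small range, lets the sender correlate the two v values and recover b.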
PUFs*
Process variations during manufacturing make chips unique ~ fingerprint
Instead of programming keys into devices, you just take the fingerprint
Measuring circuit + error correction (due to noise and bias)
Low entropy
Physical attacks on the chip (e.g. to extract keys) will result in destroying the PUF
Basic Protocols
Symmetric Authentication
ISO/IEC 9798-2 or ISO/IEC 9798-4
Asymmetric Authentication
ZK-proof
Signatures (ISO/IEC 9798-3)
(H)MQV-type key establishment
Schnorr Authentication
Prover holds x and X = xP; verifier holds X
Prover → Verifier: R = rP
Verifier → Prover: e
Prover → Verifier: s = ex + r
Verifier checks: X = e^-1 (sP − R) ?
SIGMA
Proofs
By trying to prove your protocol, you often identify mistakes
Show that you thought about your proposed protocol
Information-theoretic vs. computational
Reductions
Assume: an attacker A on the protocol
Use attacker A to build an attacker B on the hard problem
Since B cannot exist, A cannot exist either
Random Oracle Model
Replace hash by random oracle
(table) Input → Output: I1 → R1, I2 → R2
Generic Group Model
Similar to RO, but for groups
Perform group operations through oracle
(table) Dlog → Handle: 1 → P, 123 → Q, 124 → R
Game Based Proofs
Simulator Based Proofs
Forking Lemma (Rewinding)
CDH/DDH
CDH: given g^a and g^b, it is hard to compute g^ab
DDH: given g^a, g^b and g^c, it is hard to determine if g^c = g^ab
ODH/StrongDH
OracleDH
DDH with restricted CDH oracle. Uses H(g^ab).
StrongDH
CDH with restricted DDH oracle
Oracle is useful to generate replies in protocols
Common Pitfalls
Attack Listing
Non-general Model
EMV protocol & tracing
Key extraction & tracing (red-dot test)
Circular definitions
![Page 78](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/78.jpg)
Non-realistic Assumptions
Physical attacks: the adversary is assumed to reveal everything, except…
The ‘wise’ adversary [Ng et al. ESORICS2008]
“An adversary A who is ‘wise’ on oracle access will not make
any oracle access that is redundant, or in other words, brings
no advantage to him in attacking privacy of the protocol.
Simply speaking, A will not waste any oracle access.”
![Page 79](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/79.jpg)
Correctness !!!
Efficient, secure, private authentication
Efficient: no computation, no communication
Secure: no one who is not allowed in can possibly get in
Private: no communication
(Nobody can get in at all: the protocol is not correct.)
![Page 80](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/80.jpg)
Way too complex
Keep It Simple, Stupid
![Page 81](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/81.jpg)
Inappropriate PUF Usage
PUF responses are noisy and biased; the design must account for this.
If secure storage is needed anyway, why use a PUF in the first place?
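What "taking noise and bias into account" means in practice, as an added example that is not from the slides: hashing a raw PUF response into a key fails on the next measurement because a few bits have flipped, so a fuzzy extractor is needed; the code-offset construction with a repetition code used here is a standard textbook choice, not something the slides prescribe. The second function shows the bias point: with the same construction, public helper data leaks the key bits in proportion to the response bias. All responses are constructed pseudo-random bit vectors, and the error rate and sizes are assumptions.

```python
"""Added example (not from the slides, which only state the point): why PUF
noise and bias have to be designed for. All responses are constructed
pseudo-random bit vectors, not real PUF measurements."""
import hashlib
import random

N_KEY = 128             # number of key bits carried by the response
REP = 9                 # repetition-code length per key bit (corrects up to 4 flips per block)
N_RESP = N_KEY * REP    # response bits used
BER = 0.03              # constructed per-bit error rate between enrolment and reproduction


def sample_response(rng, bias=0.5):
    """Constructed 'PUF response': each bit is 1 with probability `bias`."""
    return [1 if rng.random() < bias else 0 for _ in range(N_RESP)]


def add_noise(resp, ber, rng):
    """Re-measure the response: each bit flips independently with probability ber."""
    return [b ^ (1 if rng.random() < ber else 0) for b in resp]


def bits_to_key(bits):
    """Hash a bit vector into a 256-bit key (hex)."""
    packed = int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")
    return hashlib.sha256(packed).hexdigest()


def rep_encode(bits):
    return [b for b in bits for _ in range(REP)]


def rep_decode(bits):
    """Majority vote per block of REP bits."""
    return [1 if 2 * sum(bits[i:i + REP]) > REP else 0 for i in range(0, len(bits), REP)]


def enroll(resp, rng):
    """Code-offset construction: pick random key bits k and publish helper = resp XOR Enc(k)."""
    k = [rng.randrange(2) for _ in range(N_KEY)]
    helper = [r ^ c for r, c in zip(resp, rep_encode(k))]
    return k, helper


def reproduce(noisy_resp, helper):
    """Recover k from a noisy re-measurement: Dec(noisy_resp XOR helper)."""
    return bits_to_key(rep_decode([r ^ h for r, h in zip(noisy_resp, helper)]))


def compare_noise_handling(ber=BER, seed=7):
    """Return (naive_key_stable, fuzzy_extractor_key_stable) for one noisy re-measurement."""
    rng = random.Random(seed)
    enrol = sample_response(rng)
    k, helper = enroll(enrol, rng)
    noisy = add_noise(enrol, ber, rng)
    naive_stable = bits_to_key(noisy) == bits_to_key(enrol)   # hashing the raw response
    fe_stable = reproduce(noisy, helper) == bits_to_key(k)     # via helper data
    return naive_stable, fe_stable


def helper_data_predictability(bias, seed=7):
    """Fraction of codeword bits an observer of the public helper data recovers by
    assuming every response bit equals the majority value (1 when bias > 0.5).
    About 0.5 means the helper data hides the key; near 1 means it leaks it."""
    rng = random.Random(seed)
    resp = sample_response(rng, bias)
    k, helper = enroll(resp, rng)
    codeword = rep_encode(k)
    guess = 1 if bias > 0.5 else 0
    hits = sum((h ^ guess) == c for h, c in zip(helper, codeword))
    return hits / N_RESP


if __name__ == "__main__":
    print("raw hash stable, fuzzy extractor stable:", compare_noise_handling())
    print("helper leakage, unbiased response:", helper_data_predictability(0.5))
    print("helper leakage, 90% ones:", helper_data_predictability(0.9))
```

The repetition factor has to be chosen against the measured error rate (a block fails when more than half its bits flip), and the leakage figure is why a biased PUF needs debiasing or a different helper-data scheme before any key is derived from it.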
![Page 82](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/82.jpg)
Shooting Practice
![Page 83](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/83.jpg)
BADH-1
![Page 84](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/84.jpg)
BADH-2
![Page 85](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/85.jpg)
BADH-2
![Page 86](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/86.jpg)
Liao and Hsiao's Secure ECC-based RFID Authentication Scheme integrated with ID-Verifier Transfer Protocol
![Page 87](https://reader035.vdocuments.site/reader035/viewer/2022071018/5fd1fe50e9d6822dc763fb4b/html5/thumbnails/87.jpg)
Yoking protocols