Cryptography: Zero-Knowledge Proofs and Review for Final Exam, Exercises of Cryptography and System Security

Solutions to practice exam distributed on Thursday (Do not distribute!) ... Security Definition(s): Authenticated Encryption, CCA-Security, CPA-Security.

Typology: Exercises

2022/2023

Uploaded on 05/11/2023

ashnay

Homework 5 Statistics

  • Minimum Value 59.00
  • Maximum Value 100.00
  • Range 41.00
  • Average 82.73
  • Median 83.50
  • Standard Deviation 12.74

Course Evaluation

  • Please Complete Your Course Evaluations
  • Your feedback is valuable!
  • Homework 5 Solutions and Practice Final Available on Piazza

Review: Attacker Models

  • Passive Eavesdropping Attacker (Eve)
  • Active Attacker
    • Chosen Plaintext Attack: Attacker can control/influence messages that are encrypted
    • Chosen Ciphertext Attack: Attacker can convince honest party to (partially) decrypt ciphertexts of his/her choosing.
  • MPC: Semi-Honest vs Malicious
  • Man-In-The-Middle Attacker

Review: Key Concepts for Symmetric Key Crypto

  • Building Blocks: OWFs, OWPs, PRGs, PRFs, CRHFs, PRPs (Block Cipher)
    • Constructions: PRFs from PRGs, PRPs via Feistel Network etc…
  • Should understand syntax (e.g., PRF uses a key, but a PRG doesn’t) and security definitions (e.g., PRG vs PRF)

  • MAC vs. Encryption
    • Confidentiality vs Integrity
    • Syntax
    • Security Definition(s): Authenticated Encryption, CCA-Security, CPA-Security, Perfect Secrecy, MAC-forgery game

Review: Key Principles

  • Sufficient Key Space Principle
    • Resist brute-force attacks
  • Penguin Principle
    • Issues with stateless/deterministic encryption schemes
    • Importance of nonces
  • Independent Key Principle

Review: Asymmetric Key Crypto

  • Key Assumptions:
    • FACTORING
    • RSA-Inversion Problem
    • Discrete Logarithm Problem
    • DDH vs CDH
    • OWFs (for Certain Signature Schemes)
  • Public Key Encryption
    • Syntax
    • Security Definition(s): CPA vs CCA-security
    • Constructions: Plain RSA, El Gamal, RSA-OAEP
  • Key Encapsulation Mechanism (and how to use them)

Review: Signatures and MACs

  • What are some secure constructions of signatures?
    • RSA-FDH
    • Schnorr-Signatures (Fiat-Shamir)
    • DSA/ECDSA
  • How to build a MAC?
    • HMAC
    • PRF: $t = F_k(m)$
  • Handling Long Messages: Hash and sign/mac
  • How to build an (in)secure signature/MAC scheme?

Review: Multi-Party Computation

  • Malicious vs Semi-Honest Security Models
  • Security Definition (Simulator)
    • Captures intuition that Alice learns “nothing else” about Bob’s input
  • Yao’s Protocol (Garbled Circuits)
    • What is the security model?
    • Building Blocks: Oblivious Transfer, CPA-Secure Encryption
  • Use of Zero-Knowledge Proofs in MPC

Practice Problem 1: NIZK

  • Build a NIZK for the group membership problem
  • Verifier: Knows h, wants to be sure that h is in
  • Prover: Knows x such that $h = g^x$
    • Prover picks r and sets $z = g^{x+r}$
    • Prover selects the challenge b = LSB(H(z)), and sets the response R = r + bx.
    • Prover outputs the proof (z,R)
  • Verifier computes b = LSB(H(z)) and checks that $h^{1-b} z = g^{R}$
  • Problem?

Practice Problem 1: NIZK (FIX)

  • Build a NIZK for the group membership problem
  • Verifier: Knows h, wants to be sure that h is in
  • Prover: Knows x such that $h = g^x$
    • Prover picks $r_1,\dots,r_k$ and sets $z_i = g^{x+r_i}$ for each i.
    • Prover selects the challenge $b_1,\dots,b_k = H(z_1,\dots,z_k)$ and sets the responses $R_i = r_i + b_i x$.
    • Prover outputs the proof $(z_1,R_1),\dots,(z_k,R_k)$
  • Verifier computes $b_1,\dots,b_k = H(z)$ and checks that $h^{1-b_i} z_i = g^{R_i}$ for each i.
  • How to build the simulator?
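
An added example (not from the slides) for Practice Problem 1 and its fix: with k = 1 a prover who knows no x can guess the single challenge bit and retry until the hash agrees, while k parallel bits cut the per-attempt success rate to 2^-k. Assumptions: the toy group (P, Q, G), SHA-256 as H, and all function names are constructed here; the check is evaluated as z_i = h^(1-b_i) · g^(R_i), the relation that z_i = g^(x+r_i) and R_i = r_i + b_i·x satisfy.

```python
import hashlib
import secrets

# Constructed toy group: P = 2Q + 1, G generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4

def challenge_bits(zs):
    """b_1..b_k = H(z_1,...,z_k), taken as the low k bits of SHA-256."""
    digest = hashlib.sha256(",".join(map(str, zs)).encode()).digest()
    n = int.from_bytes(digest, "big")
    return [(n >> i) & 1 for i in range(len(zs))]

def prove(x, k):
    """Honest prover: z_i = g^(x + r_i), R_i = r_i + b_i * x."""
    rs = [secrets.randbelow(Q) for _ in range(k)]
    zs = [pow(G, x + r, P) for r in rs]
    bs = challenge_bits(zs)
    return [(z, (r + b * x) % Q) for z, r, b in zip(zs, rs, bs)]

def verify(h, proof):
    """Accept iff z_i == h^(1 - b_i) * g^(R_i) mod P for every i."""
    bs = challenge_bits([z for z, _ in proof])
    return all(z == pow(h, 1 - b, P) * pow(G, R, P) % P
               for (z, R), b in zip(proof, bs))

def prove_without_witness(h, k, max_tries):
    """Guess the k bits, build matching (z_i, R_i), retry until H agrees.

    Returns (proof, tries), or (None, max_tries) if no attempt passed.
    """
    for tries in range(1, max_tries + 1):
        guess = [secrets.randbelow(2) for _ in range(k)]
        Rs = [secrets.randbelow(Q) for _ in range(k)]
        zs = [pow(h, 1 - c, P) * pow(G, R, P) % P for c, R in zip(guess, Rs)]
        if challenge_bits(zs) == guess:
            return list(zip(zs, Rs)), tries
    return None, max_tries

if __name__ == "__main__":
    x = 777                                # constructed witness
    h = pow(G, x, P)
    h_bad = P - 4                          # not in <G>: h_bad^Q != 1 mod P
    print("honest, k=32:", verify(h, prove(x, 32)))
    print("no witness, k=1:", prove_without_witness(h_bad, 1, 200)[1], "tries")
    print("no witness, k=64:", prove_without_witness(h_bad, 64, 200)[0])
```

In this toy group membership can be checked directly with h^Q mod P, which is how the example confirms that the statement accepted at k = 1 is false.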

Practice Problem 2: Better Soundness in ZK

Protocol:

  1. Prover picks $r_1,\dots,r_k$ and sets $z_i = g^{x+r_i}$ for each i.
  2. Verifier selects the challenge $b_1,\dots,b_k$
  3. Prover computes the responses $R_i = r_i + b_i x$.
  4. Verifier checks that $h^{1-b_i} z_i = g^{R_i}$ for each i.
  • Trick Question!
  • Simulator should not be able to output NIZK for claim (without tampering with random oracle)
  • Dishonest verifier can set $b_1,\dots,b_k = H(z_1,\dots,z_k)$ to obtain NIZK proof $\pi$!
    • $\pi = (z_1,R_1), \dots, (z_k,R_k)$

Practice Problem 2: Better Soundness in ZK

Protocol 2:

1. Verifier selects nonce b and sends y=H(b) to the prover.

2. Prover picks $r_1,\dots,r_k$ and sets $z_i = g^{x+r_i}$ for each i.

3. Verifier reveals b and sets challenges $b_1,\dots,b_k = b$

4. Prover computes the responses $R_i = r_i + b_i x$.

5. Verifier checks that $h^{1-b_i} z_i = g^{R_i}$ for each i.

Practice Problem 4: RSA Authentication

  • RSA Based Authentication
    • Verifier sends random nonce r mod N to Prover
    • Prover authenticates with $R = r^d \bmod N$
    • Verifier checks that $R^e = r \bmod N$
  • What would a security definition look like for a generic authentication protocol?

  • Define the game
  • Is this protocol secure?
  • Yes (assuming RSA-Inversion assumption)

Practice Problem 5: RSA Overuse

  • RSA Based Authentication
    • Verifier sends random nonce r mod N to Prover
    • Prover authenticates with $R = r^d \bmod N$
    • Verifier checks that $R^e = r \bmod N$
  • Suppose we use the same secret key e for Key Encapsulation and for RSA Authentication?

  • KEM: outputs (y, K=H(x)) where $y = x^e \bmod N$
  • What could go wrong?
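
An added example (not from the slides) for the question above, tying it to the Independent Key Principle from the review: when one RSA key pair serves both protocols, the authentication prover computes y^d mod N for any "nonce" y, which is the same operation as KEM decapsulation. Assumptions: textbook RSA on constructed toy keys, SHA-256 as H, and hypothetical function names.

```python
import hashlib
import secrets

E = 65537  # public exponent (assumption; the slides only name it e)

def H(x):
    """K = H(x): SHA-256 stands in for the slide's hash (assumption)."""
    return hashlib.sha256(str(x).encode()).hexdigest()

def keygen(p, q):
    """Textbook RSA key from two primes; returns (N, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def auth_respond(n, d, r):
    """Prover's step: R = r^d mod N for whatever nonce r arrives."""
    return pow(r, d, n)

def auth_check(n, r, R):
    """Verifier's step: R^e = r mod N."""
    return pow(R, E, n) == r % n

def kem_encaps(n):
    """KEM: pick x, output (y, K) with y = x^e mod N and K = H(x)."""
    x = secrets.randbelow(n - 2) + 2
    return pow(x, E, n), H(x)

def kem_decaps(n, d, y):
    return H(pow(y, d, n))

def key_from_auth_reply(auth_n, auth_d, y):
    """Hash the prover's reply when the 'nonce' it receives is a KEM ciphertext y."""
    return H(auth_respond(auth_n, auth_d, y % auth_n))

# Constructed toy keys built from Mersenne primes (far too small for real use).
KEM_KEY = keygen(2**61 - 1, 2**89 - 1)
AUTH_KEY = keygen(2**107 - 1, 2**127 - 1)

def demo():
    y, K = kem_encaps(KEM_KEY[0])
    reused = key_from_auth_reply(*KEM_KEY, y)     # one key pair for both roles
    separate = key_from_auth_reply(*AUTH_KEY, y)  # independent key pairs
    return K, reused, separate

if __name__ == "__main__":
    K, reused, separate = demo()
    print("reply reveals K with a shared key:  ", reused == K)
    print("reply reveals K with separate keys: ", separate == K)
```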