Lecture 17: Public-Key Protocols CS588: Cryptography University of Virginia Computer Science David Evans http://www.cs.virginia.edu/evans Story So Far • Symmetric Encryption – Amplify and time-shift a small secret to transmit large secrets • Asymmetric Encryption – Use a trustworthy non-secret to establish secrets, check signatures • Proving an encryption algorithm is secure is either: – Reasonably easy if it is a perfect cipher – Essentially impossible if it is not 12 April 2005 University of Virginia CS 588 2 Plan for Rest of the Course • Today, Thursday: some interesting applications of cryptography • Next Tuesday: Quantum/visual crypto • Next Thursday, April 26: Software system security: real world security is mostly not about cryptography If there’s anything you hoped this course would cover that is • April 28: Project not listed here, send me presentations requests by Friday 12 April 2005 University of Virginia CS 588 3 Finding Project Partners • Simple way: – Ask people in the class if they want to work with you • Problems: – You face rejection and ridicule if they say no • Can you find partners without revealing your wishes unless they are reciprocated? – Identify people who want to work together, but don’t reveal anything about anyone’s desires to work with people who don’t want to work with them 12 April 2005 University of Virginia CS 588 4 Use a Universally Trusted Third Party MatchMaker.com Bob would like to work with: Ron Rivest Sandra Bullock Alice Alice: Thomas Jefferson Colleen Hacker Bob Alice is your best match Bob 12 April 2005 Alice University of Virginia CS 588 5 Use a Universally Trusted Third Party MatchMaker.com EKUM [EKRB [“Bob would like …”]] EKUB [EKRM [“Alice”]] Bob 12 April 2005 University of Virginia CS 588 6 HashMaker.com? • Bob writes H(“I am looking for someone who wants to play with Euler’s totient function.”) on the board. • No on else can tell Bob’s deepest darkest desires (H is one-way) • If someone else writes the same hash on the board, Bob has found his match • How well does this work? 12 April 2005 University of Virginia CS 588 7 Untrusted Third Party HashMatcher.com EH(W) [W] Bob 12 April 2005 Use the hash of the wish as the encryption key so some symmetric cipher: HashMatcher can’t determine the wish Someone with the same exact wish will match exactly University of Virginia CS 588 8 Untrusted Third Party HashMatcher.com EH(W) [W] Bob 12 April 2005 University of Virginia CS 588 9 How can we send a message to HashMaker without it knowing who sent it? To: To: HashMaker Router4 To:Router1 Router2 Router3 To: From: Anonymous From: Bob 12 April 2005 University of Virginia CS 588 10 Onion Routing R3 Bob R2 R4 R1 R5 Pick n random routers, Ri1…Rin Rik gets a message Mk: EKURik (To: Rik+1 || Mk+1) 12 April 2005 University of Virginia CS 588 HashMatcher.com 11 Onion Routing R3 HashMatcher.com Bob R2 R4 R1 R5 Pick 1 random router: R2 Send R2: EKUR2 (To: HashMatcher.com || M) 12 April 2005 University of Virginia CS 588 12 Onion Routing R3 HashMatcher.com Bob R2 R4 R1 R5 Pick 2 random routers: R2, R5 Send R2: EKUR2 [To: R5 || EKUR5 [To: HashMatcher.com || M]] 12 April 2005 University of Virginia CS 588 13 http://tor.eff.org 12 April 2005 University of Virginia CS 588 14 Traffic Analysis R3 HashMatcher.com Bob R2 R4 R1 R5 If these are the only packets on the network, someone observing the network know it was Bob 12 April 2005 University of Virginia CS 588 15 Preventing Traffic Analysis R3 HashMatcher.com Bob R2 R4 R1 12 April 2005 R5 University of Virginia CS 588 16 Finding Partners • If Bob wants to work with Alice, he constructs W = “Alice + Bob” (all students agree to list names in this way in alphabetical order) • Using onion rounting, sends HashMatcher: EH(W) [W] • Using onion rounting, queries HashMatcher is there is a matching item – If so, Alice wants to work with him 12 April 2005 University of Virginia CS 588 17 Problems with this Protocol • Cathy could send W = “Alice + Bob” • Anyone can query “x + Bob” for all x to find out who Bob wants to work with (or who wants to work with Bob, can’t tell which) • If Colleen wants to work with Bob too, how do matches reflect preferences without revealing them? • Challenge problem: invent a good (define carefully what good means) humiliation-free matching protocol 12 April 2005 University of Virginia CS 588 18 C1 MIXes M1 C2 M2 M3 C3 M4 C4 Random, secret permutation Security property: observer seeing all inputs and outputs cannot determine which output message corresponds to which input 12 April 2005 University of Virginia CS 588 19 C1 MIX Net [Chaum81] M1 C2 M2 C3 M3 C4 M4 C EKRC (C) A EKRA (C) B EKRB (C) What is input? C = EKUA [EKUB [EKUC [M]]] What if Eve can see all traffic? What if two are corrupt? What if one of A, B or C is corrupt? Any good applications? 12 April 2005 University of Virginia CS 588 20 Voting Application C1 M1 C2 M2 M3 C3 M4 Republicrat Party C4 Democrican Party Orange Party C = EKUR [EKUD [EKUG [“Badnarik”]]] How well does this work? * Note: any resemblance to real political parties is purely coincidental. 12 April 2005 University of Virginia CS 588 21 C1 Voting Application M1 C2 M2 M3 C3 M4 Republicrat Party C4 Democrican Party Orange Party C = EKUR [EKUD [EKUG [“Badnarik”]]] Each for any eavesdropper (knows public keys) to compute C for small set of possible messages 12 April 2005 University of Virginia CS 588 22 C1 Voting Application M1 C2 M2 M3 C3 M4 C4 Republicrat Party Democrican Party Orange Party C = EKUR [EKUD [EKUG [“Badnarik” || R]]] 12 April 2005 University of Virginia CS 588 23 C1 Voting Application M1 C2 M2 M3 C3 M4 Republicrat Party C4 Democrican Party Orange Party C = EKUR [EKUD [EKUG [“Badnarik” || R1] R2] R3] Each mux decrypts with private key and removes R 12 April 2005 University of Virginia CS 588 24 C1 Voting Application C2 “Nader” M1 “Nader” M2 “Nader” C3 M3 “Nader” M4 C4 12 April 2005 Republicrat Party Democrican Party University of Virginia CS 588 Orange Party 25 C1 Voting Application C2 “Nader” M1 “Nader” M2 “Nader” C3 M3 “Nader” M4 C4 Republicrat Party Democrican Party Orange Party C = EKUG [“Badnarik” || R1] Does publishing R1 help? 12 April 2005 University of Virginia CS 588 26 Publishing R1 • Voters could prove their vote is misrecorded (or left out), but only by revealing for whom they voted C = EKUR [EKUD [EKUG [“Badnarik” || R1] R2] R3] • Voters can prove to someone else for whom they voted • If Orange doesn’t like result, can still disrupt election 12 April 2005 University of Virginia CS 588 27 C1 Auditing Muxes C2 “Nader” M1 “Nader” M2 “Nader” C3 M3 “Nader” M4 C4 Republicrat Party Democrican Party Orange Party Send inputs to next 2 muxes D mux picks n random inputs Asks R to prove they were done correctly How does R prove it? 12 April 2005 University of Virginia CS 588 28 Auditing Muxes C1 C2 “Nader” M1 “Nader” M2 “Nader” C3 M3 “Nader” M4 Republicrat Party C4 Democrican Party Orange Party Inputi = EKUR [EKUD [EKUG [v || R1] R2] R3] Outputj = EKUD [EKUG [v || R1] R2] If R reveals j and R3, D can check EKUR [Outputj || R3] = Inputi 12 April 2005 University of Virginia CS 588 29 Auditing Tradeoffs • For every audit, one input-output mapping is revealed • The more audits, the more likelihood of catching cheater • What if each mux audits ½ of the values? 12 April 2005 University of Virginia CS 588 30 Catching Cheaters • Probability a mux can cheats on k votes without getting caught = ½k • Probability a voters vote is revealed to eavesdropper m muxes Note: unaudited votes only be one of n/2 possible outputs! ½m • If muxes collude, all bets are off 12 April 2005 University of Virginia CS 588 31 Faculty Candidate talk tomorrow: Yih-Chun Hu (CMU, Berkeley) Securing Network Routing Olsson 011, 3:30PM 12 April 2005 University of Virginia CS 588 32