Add to collection(s) Add to saved
  1. No category

Slide - Cristina Onete

advertisement 
Commitment Schemes and
Identification/Authentication
Cristina Onete
maria-cristina.onete@irisa.fr
Rennes, 23/10/2014
 Commitment Schemes
Bob
Alice
Alice
Bob
 Example:
•
•
Alice and Bob must agree who will clean tonight
They are at their offices. Each tosses a coin & they call:
 If tosses are the same, then Alice cleans
 If tosses are different, then Bob cleans
•
Who talks first?
Cristina Onete ||
06/11/2014
||
2
 Commitment Schemes
Alice
Bob
Alice
Bob
 Alice and Bob toss
•
Alice talks first
Bob says he tossed the same value
•
Bob talks first
Alice says she tossed the opposite value
 How can we avoid this?
Cristina Onete ||
06/11/2014
||
3
 Commitment Schemes
Bob
cleans
Alice
Bob
 Commitment: an envelope with a strange seal
•
Alice talks first
•
Commit phase: she hides toss in envelope, gives it to Bob
•
Bob reveals toss
•
Reveal phase: Alice tells Bob how to unseal envelope
Cristina Onete ||
06/11/2014
||
4
 Commitment Schemes
Alice
Bob
 Properties:
•
Hiding: The content of the envelope is not visible
Bob doesn’t know anything about Alice’s toss
•
Binding: Alice can’t change the content in the envelope
Alice can’t cheat after getting Bob’s toss
Cristina Onete ||
06/11/2014
||
5
 Commitment Schemes
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
Input 𝑥
……………………
Random 𝑤
𝑥, 𝑤
Alice
Bob
Check
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
 Formally: 𝐶𝑜𝑚𝑚𝑖𝑡: {0,1}𝑘 × {0,1}∗ → {0,1}∗
 Commitment hiding:
Dist 𝑤 𝐶𝑜𝑚𝑚𝑖𝑡 𝑥1 , 𝑤
≈ Dist 𝑤 (𝐶𝑜𝑚𝑚𝑖𝑡(𝑥2 , 𝑤))
 Commitment binding:
∀ 𝑥1 , 𝑥2 ∈ 0,1 ∗ : Prob 𝑤, 𝑤 ′ ← 𝜀: 𝐶𝑜𝑚𝑚𝑖𝑡 𝑥1 , 𝑤 = 𝐶𝑜𝑚𝑚𝑖𝑡 𝑥2 , 𝑤 ′
Cristina Onete ||
06/11/2014
≪1
||
6
 Pedersen Commitments
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
𝑥 ∈ {0,1}
……………………
Random 𝑤
𝑥, 𝑤
Alice
Bob
Check
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
 Setup: 𝐺𝑝∗ = < 𝑔 >, prime field, ℎ = 𝑔 𝑠 ∈ 𝐺𝑝∗ \ {1}, 𝑠 unknown
 Commitment of input value 𝑥 ∈ {0,1}:
• Choose random witness 𝑤 ←𝑅 {1, … , 𝑝 − 1}
• Compute 𝐶𝑜𝑚𝑚𝑖𝑡 𝑥, 𝑤 = 𝑔𝑤 ℎ 𝑥
′
 Binding: from 𝑔𝑤 ℎ 𝑥 = 𝑔𝑤 ℎ1−𝑥 , we have ℎ1−2𝑥 = 𝑔𝑤−𝑤
Thus we have 𝑠 = log 𝑔 ℎ =
𝑤−𝑤′
1−2𝑥
′
Impossible
Cristina Onete ||
06/11/2014
||
7
 Pedersen Commitments
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
𝑥 ∈ {0,1}
……………………
Random 𝑤
𝑥, 𝑤
Alice
Bob
Check
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
 Setup: 𝐺𝑝∗ = < 𝑔 >, prime field, ℎ = 𝑔 𝑠 ∈ 𝐺𝑝∗ \ {1}, 𝑠 unknown
 Commitment of input value 𝑥 ∈ {0,1}:
• Choose random witness 𝑤 ←𝑅 {1, … , 𝑝 − 1}
• Compute 𝐶𝑜𝑚𝑚𝑖𝑡 𝑥, 𝑤 = 𝑔𝑤 ℎ 𝑥
 Hiding: Dist 𝑤 𝐶𝑜𝑚𝑚𝑖𝑡 𝑔𝑤
≈ Dist 𝑤 (𝐶𝑜𝑚𝑚𝑖𝑡(𝑔𝑤 ℎ))
Cristina Onete ||
06/11/2014
||
8
 DLog-based Commitments
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
𝑥 ∈ 𝑍𝑞
……………………
Random 𝑤
𝑥, 𝑤
Alice
Bob
Check
𝑎 = 𝐶𝑜𝑚𝑚𝑖𝑡(𝑥, 𝑤)
 Setup: 𝑝 prime, 𝑞 | (𝑝 − 1) prime, 𝑔 ∈ 𝑍𝑝∗ with ord 𝑔 = 𝑞
 Commitment of input value 𝑥 ∈ 𝑍𝑞 :
𝐶𝑜𝑚𝑚𝑖𝑡 𝑥, 𝑤 = 𝑔 𝑥 𝑚𝑜𝑑 𝑝
(no randomness)
 Computationally hiding: DLog
 Perfectly binding by construction
Cristina Onete ||
06/11/2014
||
9
 Exercise 1
 Consider a hash function H
 Use the commitment scheme
Commit 𝑥, 𝑤 = 𝐻(𝑥, 𝑤)
 Is this commitment binding if H is one-way?
 If H is one-way, is this commitment hiding?
Cristina Onete ||
06/11/2014
||
10
 Exercise 2
 Let 𝑥 ∈ {0,1}
 Setup: 𝐺𝑝∗ = < 𝑔 >, prime field, ℎ = 𝑔 𝑠 ∈ 𝐺𝑝∗ \ {1}, 𝑠 unknown
 Use the commitment scheme
Commit 𝑥, 𝑤 = (𝑔𝑤 , ℎ𝑤+𝑥 ), for 𝑤 ←𝑅 {0, … , 𝑝 − 1}
 Is this commitment binding?
 Is this commitment hiding?
 What happens if the value s is known?
Cristina Onete ||
06/11/2014
||
11
 Exercise 3
 Setup: 𝐺𝑝∗ = < 𝑔 >, prime field. Let 𝑥 ∈ < 𝑔 >
 Use the commitment scheme
Commit 𝑥, 𝑤 = 𝑔𝑤 𝑥, for 𝑤 ←𝑅 {0, … , 𝑝 − 1}
 Is this commitment hiding?
 Is this commitment binding?
Cristina Onete ||
06/11/2014
||
12
 Identification & Authentication
ID
Prover
Verifier
 Goal (identification):
•
The prover wants to convince the verifier she is who she pretends to be
•
Example: interview/application/exam
 Goal (authentication):
•
•
Prover wants to prove she’s legitimate
Example: owner of a house, student at University, etc
Cristina Onete ||
06/11/2014
||
13
 Challenge-Response
 Two-move protocol
•
•
Verifier starts, sending a challenge
Prover sends a response
•
Based on the challenge-response, the verifier must make his
decision
challenge
response
Prover
Verifier
Cristina Onete ||
06/11/2014
||
14
 Challenge-Response
Shared
challenge
response
Prover
Verifier
 Symmetric authentication:
•
Verifier stores a keyring of many keys (each corresponding
to one prover)
•
Goal of challenge-response: verifier can decide whether the
prover is legitimate or not
•
•
Property 1: a legitimate prover can always authenticate
Property 2: an illegitimate prover can never authenticate
Cristina Onete ||
06/11/2014
||
15
 Challenge-Response
Shared
challenge
response
Prover
Verifier
 Exercise 4:
•
Can the verifier always send the same challenge 𝑐ℎ𝑔?
•
Can the set of possible challenges be small?
•
The response should be a function of the secret key and the
challenge: 𝑟𝑠𝑝 ≔ 𝑓(𝐾, 𝑐ℎ𝑔).
•
Can we use 𝑟𝑠𝑝 ≔ 𝐾 + 𝑐ℎ𝑔? Can we use 𝑟𝑠𝑝 ≔ 𝐾 + 𝑐ℎ𝑔 𝑚𝑜𝑑 𝑝 ?
•
Can we use a function that is one-way? Like 𝐻(𝐾)𝑐ℎ𝑔 ?
Cristina Onete ||
06/11/2014
||
16
 Challenge-Response
challenge
response
Prover
Verifier
 Exercise 5:
•
Design a challenge-response protocol using a symmetric
encryption function
•
•
•
Now use a PK encryption scheme
Use a pseudo-random hash function
Now use a signature scheme
•
Use a commitment scheme and a 1-way hash function
Cristina Onete ||
06/11/2014
||
17
 Exercises
𝑐ℎ𝑔 ←𝑅 𝑍𝑛∗
𝑟𝑠𝑝 = 𝐻𝐾 (𝑐ℎ𝑔)
Prover
Verifier
 Exercise 6:
•
Use the protocol above, assuming the hash function produces pseudo-random outputs
•
Imagine the verifier stores a large number of symmetric
keys 𝐾𝑖 (of possible legitimate provers). What is the problem
with this?
What is a simple denial-of-service attack that an attacker
can run against a verifier who stores very many keys?
•
Cristina Onete ||
06/11/2014
||
18
 Exercises
𝑐ℎ𝑔
𝑟𝑠𝑝
Prover
Verifier
 Exercise 7:
•
A mutual authentication protocol is one in which both parties
can verify the legitimacy of their partner
•
Start from a basic 2-move challenge-response protocol. Can
you think of a 3-move protocol that ensures MUTUAL
authentication?
•
Design a mutual authentication protocol using only a (keyed)
hash function. What are the required properties?
Cristina Onete ||
06/11/2014
||
19
 Exercise 8: the age game
 One of your friends, a girl, asks you to guess her age
 You know the penalty for guessing she is too old: she’ll
kick you and punch you, and probably then kill you
 So you say: I bet you I know your age. But you have to
give me your ID card to check it. If it’s right, I will prove
to you that I knew your age. If I am wrong, I’m buying
you flowers, chocolates, and an expensive dinner
•
Use a commitment scheme. The idea is that you want to be
able to prove that your guess was right (if the number you
guessed is at most her age – as you will see from her ID)
or withold any information about your guess (if you
guessed wrongly). That way, she will at least not know how
old you thought she was
Cristina Onete ||
06/11/2014
||
20
Thanks!
CIDRE
Related documents
Slide - Cristina Onete
Slide - Cristina Onete
BLOOM`S TAXONOMY
BLOOM`S TAXONOMY
A Survey of Trust in Social Networks
A Survey of Trust in Social Networks
Algorithms Midterm 2011
Algorithms Midterm 2011
ACE Hardware
ACE Hardware
Polyglot: An Extensible Compiler Framework for Java
Polyglot: An Extensible Compiler Framework for Java
pptx
pptx
Variables – Chapter 10
Variables – Chapter 10
Download
advertisement