Cryptographic protocols 2015, Lecture 3 Key Exchange, CDH, DDH Helger Lipmaa University of Tartu, Estonia

up to now Basic intro Basic algebra Exponentiation Assumptions Algebra + assumptions: DL How to define assumptions (DL)

What can be done with DL? First idea: let s←ℤq be secret key and h=gˢ be public key computation of s from h is infeasible Use the keys to "encrypt", "sign", etc This lecture: more details

Key Exchange I want to send secret information to Bob, but he is in Jamaica Let us agree on a joint secret key for further communication

Key Exchange pkₐ pkb sk=SK(skₐ,pkb) sk=SK(skb,pkₐ) = sk skb,pkb Asymmetric, public key Asymmetric, public key skₐ,pkₐ skb,pkb pkₐ pkb sk=SK(skₐ,pkb) sk=SK(skb,pkₐ) = sk Symmetric, shared key

Key Exchange with dl s, h←gˢ t, f←gᵗ h f sk=SK(s,f) sk=SK(t,h) = sk

QUIZ SK (t, gˢ) = sk = SK (s, gᵗ) What could SK be? Hint: we are working in a group Use commutativity + efficient operations Answer: SK (s, h) = hˢ SK (t, gˢ) = gˢᵗ = gᵗˢ = SK (s, gᵗ)

Diffie-Hellman Key Exchange s, h←gˢ t, f←gᵗ h f sk=gˢᵗ = sk

DHKE: Formally DHKE.Setup (κ): h DHKE.Keygen (gk): f sk=gˢᵗ Choose a group G of order q where breaking DL has complexity 2^κ Choose a generator g of G Return gk ← desc (G) = (..., q, g) s,h=gˢ t,f←gᵗ h DHKE.Keygen (gk): sk = s ← ℤq pk ← gˢ Return (sk, pk) f sk=gˢᵗ DHKE.SK (gk, s, h): Return hˢ = sk

QUIZ: is dhke secure? Correct question: is DHKE what-secure under X assumption Three tasks: Formalize security of KE Decide on X Provide a proof by reduction (X holds => DHKE what-secure)

Security def: First try We already saw some issues in the last lecture ...so we won't concentrate on the same issues Random key, probabilistic algorithms, ...

DHKE: intuitive security s, h←gˢ t, f←gᵗ h f sk=gˢᵗ = sk ?

key recovery security Game KR(κ,KE,A) gk ← Setup(κ) (skₐ,pkₐ)←Keygen (gk) (skb,pkb)←Keygen (gk) sk* ← A (gk, pkₐ, pkb) If sk* = SK (gk, skₐ, pkb) return 1 else return 0 Three algorithms KE = (Setup, Keygen, SK) Adv[KR] := | Pr[KR = 1] - 1 / q | A ε-breaks KR (key recovery) security of KE iff Adv[KR] ≥ ε KE is (τ,ε)-KR secure iff no adversary ε- breaks KR security of KE in time ≤ τ KE is KR secure iff it is (poly(κ),negl(κ))- KR secure

SEcurity reduction? We would like to prove that DHKE is KR secure by reducing KR-security to DL assumption Unfortunately not known how to do it DL s gˢ SK gˢᵗ ? SK gᵗ t DL

New assumption: CDH DHKE was proposed together with the idea of public-key cryptography by Diffie and Hellman in 1976 No success in breaking it in any reasonable group where DL is hard Seems logical: introduce a tautological assumption CDH: Computational Diffie-Hellman "key recovery attack against DHKE is hard"

Def: CDH assumption Game CDH(G,A) gk ← Setup(κ) (skₐ,pkₐ)←Keygen (gk) (skb,pkb)←Keygen (gk) sk* ← A (gk, pkₐ, pkb) If sk* = SK (gk, skₐ, pkb) return 1 else return 0 Use (DHKE.Setup, DHKE.Keygen, DHKE.SK) Assume (for simplicity) that for any κ, Setup picks exactly one group G = G(κ) Adv[CDH] := | Pr[CDH = 1] - 1 / q | A ε-breaks CDH in group G iff Adv[CDH] ≥ ε G is (τ,ε)-CDH group iff no adversary ε-breaks CDH in G in time ≤ τ G is CDH group iff it is (poly(κ),negl(κ))-CDH group

remarks Clearly, CDH is secure in A group iff DHKE is KR secure in the same group τ = τ (κ) and ε = ε (κ) are functions of κ

QUIZ: CDH vs DL ? CDH DL ?

some contrived groups where DL holds but not CDH, ... QUIZ: CDH vs DL Answer: yes ? CDH hard DL hard ? some contrived groups where DL holds but not CDH, ... Answer: depends

Proof: CDH => DL Typical reduction Theorem. If G is a (τ + small, (1 - 1 / q) ε + (1 - 1 / q) / q)-CDH group, then it is also a (τ, ε)-DL group. Proof idea. Reduction to absurd: we show that if DL is easy in G, then CDH must also be easy in G. DL is easy => there exists an adversary D that breaks DL We show CDH is easy by constructing an adversary C that breaks CDH C can use help from adversary D, by sending inputs to D and receiving outputs Typical reduction

Intuitive proof Assume D can break DL given gˢ, outputs s with probability ε Construct adversary C that breaks CDH given gˢ, gᵗ, call D to compute s ← D (gˢ) return (gᵗ)ˢ = gˢᵗ But what is the success probability of C?

Security games CDH game: need to construct C DL game: D is given A challenger generates values from some fixed "valid" distributions and sends them to the adversary C A challenger generates values from some fixed "valid" distributions and sends them to the adversary D After some computation, C returns some value to the challenger After some computation, D returns some value to the challenger Depending on the input and the output, the challenger declares C to be either successful or not Depending on the input and the output, the challenger declares D to be either successful or not This is the only thing we know...

CDH game: need to construct C Security reduction CDH game: need to construct C DL game: D is given A challenger generates values from some fixed "valid" distributions and sends them to the adversary C A challenger generates values from some fixed "valid" distributions and sends them to the adversary D C After some computation, C returns some value to the challenger After some computation, D returns some value to the challenger Depending on the input and the output, the challenger declares C to be either successful or not C

Reduction: CDH => DL Exists Need to construct Exists Challenger C D s, t ← ℤq; h ← gˢ; f ← gᵗ (desc(G), h, f) Correct distribution for CDH (desc(G), h) remove 1 elem. Correct distribution for DL ... ;/* compute m */ if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq if sk* = gˢᵗ return 1 else return 0 m sk*

Reduction: CDH => DL Assume D works in time τ and is successful with prob. ε + 1 / q Reduction: CDH => DL If D is successful then C is successful and takes time τ* =τ + small Challenger C D s, t ← ℤq; h ← gˢ; f ← gᵗ If D is unsuccessful then C is successful with prob. 1 / q, and takes time τ* (desc(G), h, f) (desc(G),h) remove 1 elem. ... ;/* compute m */ if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq if sk* = gˢᵗ return 1 else return 0 m sk*

reminder: probability Let A, B be two events Pr [A] - probability that A holds Pr [¬ A] - probability that A does not hold Pr [A | B] - conditional probability probability that A holds given that B holds Then Pr [A] = Pr [A | B] · Pr [B] + Pr [A | ¬B] · Pr [¬B]

Reduction: CDH => DL Assume D works in time τ and is successful with prob. ε + 1 / q Reduction: CDH => DL If D is successful then C is successful and takes time τ* =τ + small Challenger C D s, t ← ℤq; h ← gˢ; f ← gᵗ If D is unsuccessful then C is successful with prob. 1 / q, and takes time τ* (desc(G), h, f) (desc(G),h) remove 1 elem. ... ;/* compute m */ if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq Pr[C successful] = Pr[C successful | D successful] · Pr[D successful] + Pr[C successful | ¬D successful] · Pr [¬D successful] = 1 · (ε + 1 / q) + 1 / q · (1 - (ε + 1 / q)) = (1 - 1 / q) ε + (1 - 1 / q) / q + 1 / q =: ε* + 1 / q if sk* = gˢᵗ return 1 else return 0 m sk*

Reduction: CDH => DL Assume D works in time τ and is successful with prob. ε + 1 / q Reduction: CDH => DL If D is successful then C is successful and takes time τ* =τ + small Challenger C D s, t ← ℤq; h ← gˢ; f ← gᵗ If D is unsuccessful then C is successful with prob. 1 / q, and takes time τ* (desc(G), h, f) (desc(G),h) remove 1 elem. ... ;/* compute m */ if h = gᵐ return sk* ← fᵐ else return sk* ← ℤq Pr[C successful] = ε* + 1 / q if sk* = gˢᵗ return 1 else return 0 m Thus, if G is a (τ*, ε*)-CDH group then it is a (τ, ε)-DL group sk*

quiz: are we done? If not, why not? Is the achieved security sufficient? Answer: The fact that sk is unknown is not sufficient Adversary should have no information about sk

c + any information about sk leaks information about m DHKE in wild world h f s,h←gˢ t,f←gᵗ sk=gˢᵗ = sk XOR m c c + any information about sk leaks information about m One-time pad

DHKE: IND security is it sk or garbage? h f sk* sk=gˢᵗ sk=gˢᵗ = sk Intuition: if Eve has any information about sk, she should be able to distinguish real sk from random s,h←gˢ t,f←gᵗ h f sk=gˢᵗ sk* sk=gˢᵗ = sk is it sk or garbage?

IND(ISTINGUISHABILITY) security Game IND(κ,KE,A) gk ← Setup(κ) (skₐ,pkₐ)←Keygen (gk) (skb,pkb)←Keygen (gk) sk₀ ← SK (gk, skₐ, pkb) sk₁ ← G e ← {0, 1} e* ← A (gk,pkₐ,pkb,skₑ) Return e = e* ? 1 : 0 KE = (Setup, Keygen, SK) Adv[IND] := | Pr[IND = 1] - 1 / 2 | A ε-breaks IND security of KE iff Adv[IND] ≥ ε KE is (τ,ε)-IND secure iff no adversary ε- breaks IND security of KE in time ≤ τ KE is IND secure iff it is (poly(κ),negl(κ))- IND secure

SEcurity reduction? We would like to prove that DHKE is IND secure by reducing IND security to CDH assumption Not possible well-known groups where CDH holds but DHKE is not IND secure

ddh We introduce again a tautological assumption, DDH Decisional Diffie-Hellman, known since 70s => good ...in many groups DDH is extremely useful in many protocols Well-known groups where DDH does not hold pairing-based groups: CDH conjectured to be hard, but DDH trivially breakable interestingly, p-b groups are also extremely useful

DEF: DDH security Game DDH(G,A) Use (DHKE.Setup, DHKE.Keygen, DHKE.SK) gk ← Setup(κ) (skₐ,pkₐ)←Keygen (gk) (skb,pkb)←Keygen (gk) sk₀ ← SK (gk, pkₐ, pkb) sk₁ ← G e ← {0, 1} e* ← A (gk,pkₐ,pkb,skₑ) Return e = e* ? 1 : 0 Use (DHKE.Setup, DHKE.Keygen, DHKE.SK) Assume that for any κ, Setup picks exactly one group G = G(κ) Adv[DDH] := | Pr[DDH = 1] - 1 / 2 | A ε-breaks DDH in G iff Adv[DDH] ≥ ε G is a (τ,ε)-DDH group iff no PPT adversary A ε-breaks DDH in G in time ≤ τ G is a DDH group iff it is (poly(κ),negl(κ))- DDH group

DDH: Short form Fix a cyclic group G and its generator g Adversary has to distinguish between (g, gˢ, gᵗ, gˢᵗ) -- DDH tuple (g, gˢ, gᵗ, gᵐ) -- random tuple where s, t, m are random

DDH vs IND security Clearly, a group is DDH is secure iff DHKE is IND secure in the same group τ = τ (κ) and ε = ε (κ) are functions of κ

Home exercise:Very similar to previous proof. Finish! Find parameters Proof: DDH => CDH Theorem. If G is a (≈τ, ≈ε)-DDH group, then it is also a (τ, ε)-CDH group. Proof idea. Reduction to absurd: we show that if CDH is easy in G, then DDH must also be easy in G. CDH is easy => there exists an adversary D that breaks CDH We show DDH is easy by constructing an adversary C that breaks DDH C can use help from adversary D, by sending inputs to D and receiving outputs Home exercise:Very similar to previous proof. Finish! Find parameters

Beyond ind: semihonest vs malicious Actual security requirements even more stringent KR, IND security only demonstrate basic concepts We assumed Eve is semihonest Eavesdrops but does not change messages Malicious Eve: can change, inject, delete messages Alice and Bob need to authenticate each other "Authenticated Diffie-Hellman" Crucial notions Security of various protocols against malicious adversaries: second half of the course

What next? DDH is a very versatile assumption One can construct many useful protocols from it DDH Encryption Signatures ... E-voting CPIR E-cash

What next? Since many protocols are based on homomorphic encryption, the next lecture is about homomorphic encryption More precisely: Elgamal encryption

Study outcomes Key exchange DHKE in particular KR security and CDH IND security and DDH Reductions: how to do