Chapter 4: Intermediate Protocols Dulal C. Kar

Timestamping Services Tampering timestamps in a digital document is trivial We need a protocol for digital timestamping with the following desirable properties Data itself (not the medium) must be timestamped Must be impossible to change a single bit of the document without being caught Must be impossible to timestamp a document with a date and time from the present one (no back-dating possible)

Timestamping: Arbitrated Solution Trent: a trusted timestamping service Protocol: Alice sends a copy of the document to Trent Trent records the date and time and retains a copy of the document Problems No privacy Database would have to a huge one Potential errors in transmission or storage

Timestamping: Improved Arbitrated Solution Using one-way hash functions and digital signatures Protocol Alice produces a one-way hash of the document and transmits the hash to Trent Trent appends the date and time onto the hash and digitally signs the result Trent sends the signed hash with timestamp back to Alice Only problem Alice and Trent can still collude to produce any timestamp they want

Timestamping: Linking Protocol To solve the problem Link Alice’s timestamp with timestamp previously generated by Trent A: Alice’s name, Hn: Alice’s hash value, Tn-1: Previous timestamp Protocol Alice sends Trent Hn and A Trent sends back to Alice: Tn = SK(n, A, Hn, tn, In-1, Hn-1, Tn-1, Ln) Where Ln consists of the following hashed linking information: Ln = H(In-1, Hn-1, Tn-1, Ln-1) SK: signed with Trent’s private key n: nth timestamp tn : time parameter After Trent stamps the next document, he sends Alice the identification of the originator of that document In+1

Timestamping: Distributed Protocol It maybe impossible for Alice to get a copy of In-1’s timestamp Protocol (Without Trent) Using Hn as input, Alice generates a string of random values using a cryptographically secure pseudo-random-number generator: V1, V2, V3, . . . Vk and interprets each number as the identification, I of another person She sends Hn to each of these people Each person attaches date and time to hash value, signs it and sends it back to Alice Alice collects and stores all signatures as timestamp To fake, Alice has to convince all k people to cooperate, which is difficult if k is large enough

Subliminal Channel A covert communications channel between two or more parties Gustavus Simmons invented the concept of a subliminal channel using digital signature algorithm Protocol Alice generates an innocuous message Using a secret key shared with Bob, Alice signs the message in such a way that she hides her subliminal message in the signature Alice sends this to Bob via Walter (an adversary) Walter reads the message, checks the signature, and finds nothing amiss; he passes the signed message to Bob Bob checks the signature on the signed message Bob ignores the message and, using the secret key, he extracts the subliminal message Application Spy network A company can sign and embed subliminal messages in documents for tracking purposes

Undeniable Digital Signatures Normal digital signatures can be copied exactly and can be verified by anyone Undeniable signature (non-transferable signature) Unlike normal digital signatures, an undeniable signature cannot be verified without the signer’s consent Also, signer cannot falsely deny the signature Basic protocol Alice presents Bob with a signature Bob generates a random number and sends it to Alice Alice does a calculation using the random number and her private key and sends Bob the result. Alice could only do this calculation if the signature is valid. Bob confirms this Controlling who verifies her signature is a way for Alice to protect her personal privacy

Designated Confirmer Signatures Designated confirmer signatures allows a signer to designate someone else to verify his signature Suppose Alice signs a document Bob knows, Alice’s signature is valid but cannot convince it to a third party Alice can designate Carol as the confirmer. How? Alice uses Carol’s public key Carol can be A copyright office A government agent

Proxy Signatures How to allow someone to sign messages on your behalf? Properties Distinguishability Proxy signatures are distinguishable from normal signatures Unforgeability No one but original signer and designated proxy signer can create a valid proxy signature Proxy signer’s deviation A proxy signer cannot create a valid proxy signature not detected as a proxy signature Verifiability A verifier can be convinced of the original signer’s agreement from a proxy signature Identifiability Original signer can determine proxy signer’s identity from a proxy signature Undeniability Proxy signer cannot disavow an accepted proxy signature he created

Group Signatures Group signatures have the following properties Only members of the group can sign messages Receiver can verify the group signature Receiver must not know the identity of the signer in the group In case of dispute, the signer’s identity can be revealed

Group Signatures with a Trusted Arbitrator Trent generates a master list of public/private key pairs and gives each member a unique sub-list of private keys Trent publishes list of all public keys in random order To sign a document, a group member picks any key from his/her sub-list of private keys To verify, receiver picks corresponding public key from the master list In case of dispute, Trent knows which public key corresponds to which group member

Fail-Stop Digital Signatures If Eve forges Alice’s signatures after brute-force attack, then Alice can prove they are forgeries. How? Basic idea For every possible public key, there are many possible private keys Each of these private keys yields many different possible signatures Signer has only one private key and does not know any of the other private keys

Computing with Encrypted Data Alice wants Bob to compute f(x) for her but does not want to disclose x to Bob Called hiding information from an oracle Discussed in Section 23.6

Bit Commitment: Using Symmetric Cryptography Bob sends Alice a random-bit string , R. Alice sends Bob: EK(R,b) where K: random key and b: bit or bits to commit Note that Bob cannot decrypt the message. When it comes time for Alice to reveal her bit, Alice sends Bob: K Bob decrypts the message to reveal the bit. Bob checks his random string to verify the bit’s validity

Bit Commitment: Using One-Way Functions Alice sends Bob: H(R1, R2, b), R1 where R1, R2: random bit-strings, b: committed bit When it comes time for Alice to reveal her bit, Alice sends Bob original message: (R1,R2,b) Bob verifies with one-way function H It works since Alice cannot find another message (R1, R2’, b’) such that (R1, R2’, b’) = H(R1, R2, b)

Bit Commitment: Using Pseudo-Random-Sequence Generators Bob sends Alice a random-bit string: RB Alice generates a random seed for a pseudo-random-bit generator. For every bit in Bob’s random-bit string, she sends Bob either: a) Output of the generator if Bob’s bit is 0, or b) XOR of output of the generator and her bit b, if Bob’s bit is 1. When it comes time to reveal her bit, Alice sends Bob her random seed Bob completes step 2 to confirm Note: Blobs Strings that Alice sends to Bob to commit to a bit

Fair Coin Flips We need to do it fairly over a communication channel Need a protocol with properties Alice must flip the coin before Bob guesses Alice must not be able to re-flip the coin and change the result after hearing Bob’s guess Bob must not be able to know how the coin landed before making his guess

Coin Flipping Using One-Way Functions Alice sends y = f(x), where x is a random number Bob guesses whether x is even or odd and sends his guess to Alice If Bob’s guess is correct, the result is head otherwise it is tail. Alice sends the result (tail or head) and x to Bob Bob confirms that y = f(x) Security depends on the one-way function f(x)

Coin Flipping Using Public-Key Cryptography Assumption The algorithm commutes. DK1(EK2(EK1(M)))=EK2(M) Protocol Alice generates two messages M1=(RA, Head) and M2 = (RA, Tail) where RA: random number chosen by Alice Alice sends Bob: EA(M1) and EA(M2) where A: Alice’s public key Bob chooses EA(M1) or EA(M2) at random and sends Alice: EB(EA(M1)) or EB(EA(M2)) Alice decrypts it with her private key and sends it back to Bob: DA(EB(EA(M1))) = EB(M1) or EB(M2) Bob decrypts it to find M1 or M2 and send the result to Alice Alice reads the result and verifies RA is correct Both Alice and Bob reveal their key pairs so that both can verify that the other did not cheat

Anonymous Key Distribution Problem Setup a Key Distribution Center (server) to generate and distribute keys in such a way that no one, including the server, can figure out who got which key Protocol Alice generates a public/private key pair and keeps both keys secret KDC generates a continuous stream of keys KDC encrypts the keys, one by one by its own public key KDC transmits the encrypted keys, one by one, onto the network Alice chooses a key at random Alice encrypts the chosen key with her public key Alice waits a while (long enough so that the server has no idea which key she has chosen) and sends the double-encrypted key back to KDC KDC decrypts the double-encrypted key with its private key, leaving a key encrypted with Alice’s public key Server sends the encrypted key back to Alice Alice decrypts the key with her private key

Key Escrow Micali’s Fair Cryptosystem Break up the private key into n pieces and distribute each piece to different trusted authorities Each piece can be verified for correctness without reconstructing the private key If needed, court order can authorize law enforcement authorities to gather n pieces from trustees and construct the private key

Key Escrow Protocol Alice creates her private/public key pair. She splits the private key into several public pieces and private pieces Alice sends a public piece and corresponding private piece to each of the trustees. These messages must be encrypted. She also sends the public key to the KDC Each trustee, independently, performs a calculation on its public piece and its private piece for correctness. Each trustee stores the private piece somewhere secure and sends the public piece to the KDC KDC performs another calculation on the public pieces and the public key for correctness. It then signs the public key and either sends it back to Alice or posts it in a database somewhere.