Introduction to Modern Cryptography
Sharif University, Spring 2015
Data and Network Security Lab
Sharif University of Technology, Department of Computer Engineering

Sample Applications of Computational Number Theory in Cryptography
Author & Instructor: Mohammad Sadeq Dousti

Copyright Notice

This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0.
Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
1. They credit the original author(s);
2. Their work is used non-commercially;
3. They license their work under CC BY-NC-SA 4.0.
For further information, please consult: o o sa/4.0/legalcode sa/4.0/legalcode

Outline

Applications to RSA
RSA is not a secure encryption
Goldwasser–Micali Cryptosystem
Commitment schemes
Coin flipping over the phone
Oblivious transfer
Applications to CFF/CFPs

Applications to RSA

Applications to RSA (Cont’d)

RSA leaks partial information about the message

Goldwasser–Micali Cryptosystem

GM is an encryption scheme.
  o We will define encryption schemes later.
  o Informally, they do not leak even partial information.
GM uses a Blum integer n as public key.
The private key is the factorization of n.
GM encrypts one bit at a time.

Goldwasser–Micali Cryptosystem (Cont’d)

Commitment schemes

A commitment scheme is a security protocol between two parties S (sender) and R (receiver), which has two phases:
  o Commit
  o Decommit (or reveal)
Informally:
  o In the commit phase, S sends a secret value to R, in such a way that R learns nothing about .
  o In the decommit phase, S reveals the secret value to R.
    - In this phase, it is required that S cannot change the value he committed to.

Using GM to construct a commitment

1. S generates a random Blum integer N.
2. S encrypts his secret: c = GM(N, ).
3. Commitment: S sends (N, c) to R.
4. Decommitment: S reveals the randomness used in GM(N, ) to R.

The above approach works as long as S acts honestly.
What if S chooses N as a non-Blum integer?
S should prove to R that he picked N honestly.
The proof must leak nothing about the factors of N to R.
The idea behind zero-knowledge proofs: Proofs that leak nothing but the validity of the statement being proven.

Alternative to ZK proofs: Sending decomposition of N

1. S generates a random Blum integer N.
2. S encrypts his secret: c = GM(N, ).
3. Commitment: S sends (N, c) to R.
4. Decommitment: S sends the factors of N to R.
   “R verifies that N is a Blum integer, and decrypts .”
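
The GM-based commitment from the last two slides, as an added Python example that is not part of the original slides: it runs both decommitment styles and shows why R's Blum-integer check matters. It assumes the standard GM encoding c = (-1)^bit * r^2 mod N (the slides' own formula did not survive extraction); the function names and the tiny primes are constructed for illustration.

```python
# Added example (not from the slides): GM bit commitment and R's Blum check.
# All primes below are tiny constructed values; real use needs large random primes.
import secrets
from math import gcd

def is_prime(n):
    # Trial division is enough for toy sizes.
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_blum(p, q):
    # N = p*q is a Blum integer iff p and q are distinct primes, both 3 mod 4.
    return p != q and is_prime(p) and is_prime(q) and p % 4 == 3 and q % 4 == 3

def random_unit(N):
    # Uniform r in Z_N^* by rejection sampling.
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def gm_encrypt(N, bit, r):
    # c = (-1)^bit * r^2 mod N; for Blum N, -1 is a non-residue with Jacobi symbol +1.
    if bit not in (0, 1) or gcd(r, N) != 1:
        raise ValueError("bit must be 0/1 and r must be a unit mod N")
    return pow(r, 2, N) * (N - 1 if bit else 1) % N

def gm_decrypt(p, c):
    # Euler's criterion mod one prime factor: residue -> 0, non-residue -> 1.
    return 0 if pow(c, (p - 1) // 2, p) == 1 else 1

def commit(p, q, bit):
    # S's commit phase: returns the message (N, c) and the randomness r S keeps.
    N = p * q
    r = random_unit(N)
    return (N, gm_encrypt(N, bit, r)), r

def open_by_randomness(N, c, bit, r):
    # Decommitment by revealing r: R only recomputes c and cannot test N.
    return gcd(r, N) == 1 and c == gm_encrypt(N, bit, r)

def open_by_factors(N, c, p, q):
    # Decommitment by revealing the factors: R verifies N is Blum, then decrypts.
    if p * q != N or not is_blum(p, q):
        raise ValueError("N is not a Blum integer with these factors")
    return gm_decrypt(p, c)

if __name__ == "__main__":
    (N, c), r = commit(7, 11, 1)                      # honest S, Blum N = 77
    print(open_by_randomness(N, c, 1, r), open_by_factors(N, c, 7, 11))
    # Non-Blum N = 5*13: 8^2 = -1 mod 65, so c = 4 opens as either bit.
    print(open_by_randomness(65, 4, 0, 2), open_by_randomness(65, 4, 1, 16))
```

With N = 65 the same c passes the randomness check for both bits, so binding is lost; `open_by_factors` rejects that N, which is the check R performs in the alternative decommitment.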

A computational binding & perfect hiding commitment

Assignment 1: Prove that it is a computationally binding (assuming log_g h modulo p is unknown) and perfectly hiding commitment.
Assignment 2: Argue that simultaneous perfect binding & perfect hiding are impossible in commitments.

Coin flipping over the phone

Oblivious Transfer (OT)

Application 1: Exchange of secrets
  o Two parties want to exchange their secrets.
  o Neither is willing to reveal his secret before the other one does so.
Application 2: Contract signing
  o Two parties want to sign a contract.
  o Neither is willing to sign before the other one does so.
These applications gave rise to two flavors of OT. They were shown to be “equivalent.”
OT is sufficiently strong to enable any two-party protocol to be performed.

OT Flavors

Flavor 1: Sender S has a secret message m. He wants to “obliviously” transfer it to receiver R.
  o R receives m with probability ½.
  o S cannot guess whether R received m or not.

OT Flavor 1

The above protocol requires ZK proofs to be secure against both cheating senders and receivers.
Assignment: Describe how S can cheat. Do the same for R.
We omit an example for OT Flavor 2 for conciseness.

Constructing CFF/CFP based on factoring