Download presentation
Presentation is loading. Please wait.
Published byAlexia Goodman Modified over 9 years ago
1
Software Security Seminar - 1 Chapter 5. Advanced Protocols 2002. 7. 24. 조미성 Applied Cryptography
2
Software Security Seminar - 2 Contents 5.3 Blind Signatures 5.4 Identity-Based Public-Key Cryptography 5.5 Oblivious Transfer 5.6 Oblivious Signatures 5.7 Simultaneous Contract Signing 5.8 Digital Certified Mail 5.9 Simultaneous Exchange of Secrets
3
Software Security Seminar - 3 Completely Blind Signatures Alice Bob(notary) m, b (random factor) f(m)=m x b Sign(m)=g(Sign(f(m))) Sign(f(m)) - Properties 1. Bob’s signature on the document is valid 2. Bob cannot correlate the signed document with the act of signing the document
4
Software Security Seminar - 4 Blind Signatures - Bob can know what he is signing, while still maintaining the useful properties of a blind signature Cut-and-choose technique Alice Bob m 1, b 1, … m n, b n f(m i )=m i x b i choose n-1 f(m i ) at random (n-1) b 1, b 2, …, b n Sign(m j )=g(Sign(f(m j ))) Sign(f(m j )) secure against Alice cheating
5
Software Security Seminar - 5 5.4 Identity-Based Public-Key Cryptography Identity-based Cryptosystems = Non-interactive Key sharing system Alice wants to send a secure message to Bob without getting his public key from a key server - Bob’s public key is based on his name and network address public key = identity ex) mail system - Trent issues private keys to users based on their identity - Design a system in such a way that a collusion of dishonest users cannot forge a key
6
Software Security Seminar - 6 5.5 Oblivious Transfer Alice will send Bob one of two messages. Bob will receive one, and Alice will not know which. Alice Bob (m 1, m 2 ) (pk 1, sk 1 ), (pk 2, sk 2 ) pk 1, pk 2 K:symmetric key E pk i (K) D sk 1 ( E pk i (K)), D sk 2 (E pk i (K)) E K (m 1 ), E G (m 2 ) D K (E K (m 1 ))= m 1, D K (E G (m 2 )) sk 1, sk 2
7
Software Security Seminar - 7 Alice has n different messages. Bob can choose one of the n messages for Alice to sign, and Alice will have no way of knowing which one she signed. Alice has one message. Bob can choose one of n keys for Alice to use in signing the message, and Alice will have no way of knowing which key she used. 5.6 Oblivious Signatures
8
Software Security Seminar - 8 Contract Signing with an Arbitrator Alice Trend Bob Sign A (C) Sign B (C) Sign A (C), Sign A (C) Sign B (Sign A (C)), Sign B (Sign A (C)) Sign B (Sign A (C)) Simultaneous Contract Signing without an Arbitrator (Face-to- Face) - Alice signs the first letter of her name and passes the contract to Bob - Bob signs the first letter of her name and passes the contract to Alice … 5.7 Simultaneous Contract Signing
9
Software Security Seminar - 9 Simultaneous Contract Signing without an Arbitrator(Not Face-to-Face) - Alice and Bob agree on a date by which the signing protocol should be completed. - Alice and Bob decide on a probability difference (a, b) that they are willing to live with. - Alice sends Bob a signed message with p=a - Bob sends Alice a signed message with p=a+b … - continue this steps until both have received message with p=1 or until the date agreed has passed 5.7 Simultaneous Contract Signing(Conti.)
10
Software Security Seminar - 10 Simultaneous Contract Signing without an Arbitrator(Using Cryptography) 1) select 2n DES keys randomly, grouped in pairs. 2) generate n pairs of messages, Li and Ri (i=1, …, n) (contain a digital signature and a timestamp) 3) encrypt their message pairs in each of the DES key pairs 4) send each other their pile of 2n encrypted messages 5) send each other every key pair using the oblivious transfer protocol for each pair 6) decrypt the message haves that they can, using the keys they received 7) send each other the first bits of all 2n DES keys … 8) decrypt the remaining halves of the message pairs and the contract is signed 9) exchange the private keys used during the oblivious transfer protocol 5.7 Simultaneous Contract Signing(Conti.)
11
Software Security Seminar - 11 Alice’s attack - send Bob nonsense bit strings in step 4) - disrupt half 1/ - send Bob random bit in step 8) - just go along with step 8) until she has enough bits of the keys to mount a brute-force attack and then stop transmitting bits it’s problem if one of the parties has significantly more computing power than the other - send Bob identical messages in step 5) 5.7 Simultaneous Contract Signing(Conti.)
12
Software Security Seminar - 12 Suppose Alice wants to send a message to Bob, but does not want him to read it without signing a receipt 1) Alice encrypts her message using a random DES key K and send it to Bob. 2) Alice generates n pairs (Ki, Ki K) of DES keys 3) Alice encrypts a dummy message with each of 2n keys 4) Alice sends the whole pile of encrypted messages to Bob 5) Bob generates n pairs of random DRS keys 6) Bob generates n pairs of messages that indicates a valid receipt 7) Bob encrypts each of his message pairs with DES key pairs 8) Bob sends the whole pile of message pairs to Alice 9) Alice and Bob send each other every key pairs using the oblivious transfer 5.8 Digital Certified Mail
13
Software Security Seminar - 13 10) Both Alice and Bob decrypt the halves and make sure that the decrypted messages are valid 11) Alice and Bob each the first bits of all 2n DES keys 12) repeat step 11) until all the bits of all the DES keys have been transferred 13) Alice and Bob decrypt the remaining halves of the message pairs 14) Alice and Bob exchange the private keys used during the oblivious transfer 5.8 Digital Certified Mail(Conti.)
14
Software Security Seminar - 14 Alice and Bob exchange secrets (A, B) simultaneously Modify the certified mail protocol Alice’s message A Bob’s message B This protocol allows Alice and Bob to exchange secrets simultaneously, but says nothing about the quality of the secrets excahnged 5.9 Simultaneous Exchange of Secrets
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.