Merkle's Puzzles (Eli Biham, May 3, 2005)


Merkle's Puzzles

See:
Merkle, Secrecy, Authentication, and Public Key Systems, UMI Research Press, 1982
Merkle, Secure Communications Over Insecure Channels, CACM, Vol. 21, No. 4, pp. 294-299, April 1978

(c) Eli Biham - May 3, 2005, slide 206, Merkle's Puzzles (8)

Merkle's Puzzles

Merkle's puzzles:
1. The first hint that two parties can have a computational advantage over attackers.
2. Exchange keys over an insecure channel.
3. Use puzzles.

Puzzles

A puzzle is a cryptogram which is designed to be breakable. Breaking the cryptogram reveals the puzzle information hidden in the plaintext.
A cryptogram can be encrypted using any secure cipher E. Examples: E = DES, E = AES.
The complexity of solving the puzzle can be chosen by selecting the size of the puzzle keys. For example, for 2^20 complexity, 20-bit puzzle keys can be used (the other key bits of E are fixed to some agreed value).
The plaintext of the puzzle should include redundancy to allow the users to solve it. Such redundancy is included by incorporating an agreed fixed value S, whose length suffices to ensure uniqueness of the solved puzzle key: a wrong puzzle key yields the agreed S only by chance, with probability about 2^-|S|, so with |S| at least as long as the puzzle key the expected number of false solutions among the 2^n candidate keys is at most about one, and a few extra bits of S make false solutions negligible.

Puzzles (cont.)

Definition: A puzzle is E_PK(S ∥ ID ∥ K), where
∥ denotes concatenation;
PK is an n-bit puzzle key;
S is an agreed fixed value used in all the puzzles, whose length is at least n bits. It ensures uniqueness of the puzzle keys;
ID is an n-bit puzzle identifier, unique for each puzzle;
K is a random value whose size equals the size of the required common key; the K of one of the puzzles will become the common key;
E is a block cipher with n-bit (or longer) keys and sufficiently large blocks.
ID and K are kept secret, and the only way to recover them is to solve the puzzle. In particular, since the ID is later sent in the clear, it must not be inferable without solving the puzzle, e.g. from the puzzle's position in the transmission.

Puzzles (cont.)

Remark: We use two kinds of keys:
The puzzle key PK is the key under which the puzzle is encrypted.
K is hidden in the puzzle, and later becomes the result of the protocol.
n is a security parameter that controls the difficulty of solving the puzzle.

The Protocol

Basically the protocol is:
1. Alice generates a table of N = 2^n keys:
     ID      K
     ID_1    K_1
     ...     ...
     ID_N    K_N
2. She sends the table to Bob, where each row is hidden in a puzzle.
3. Bob selects a row and tells Alice the ID of that row.
4. Alice fetches the K of that row.

The Protocol (cont.)

1. A and B wish to select a common secret key.
2. A and B agree on n and S, with |S| ≥ n.
3. A generates N = 2^n puzzles P_0, P_1, ..., P_{N-1}, where P_i = E_{PK_i}(S ∥ ID_i ∥ K_i); PK_i and K_i are randomly chosen, and ID_i is a unique identifier of the puzzle.
4. A sends all the puzzles to B. The attacker can listen to all the communication.
5. B receives the N puzzles and selects one puzzle P_i at random.
6. B solves P_i by trying all N possible puzzle keys PK and verifying the redundancy S. B recovers the puzzle key PK_i and the secret values ID_i and K_i.
7. B sends ID = ID_i to A; A identifies the puzzle P_i by ID.
8. A and B agree that K = K_i is the common secret key.
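The exchange in steps 1 to 8, as an added example in Go that is not part of the lecture. It uses the single-block AES layout given later in the Implementation Notes (32-bit PK, S and ID and a 64-bit K in one AES block), with the remaining 96 bits of the AES key fixed to an assumed constant, an assumed value of S, and a small n so that Bob's brute force finishes in well under a second; Go's standard crypto/aes and crypto/rand are the only dependencies. Because the ID is sent in the clear in step 7 and must not identify the puzzle, Alice shuffles the puzzles before sending them. All function and variable names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// One puzzle is a single AES block AES_PK(S || ID || K): 32-bit S, 32-bit ID,
// 64-bit K.  The 32-bit puzzle key PK is the last 4 bytes of the 16-byte AES
// key; the first 12 bytes are an agreed constant.  S and that constant are
// assumed here (the lecture fixes neither).
const S uint32 = 0x5A5A5A5A

func aesKey(pk uint32) []byte { return binary.BigEndian.AppendUint32([]byte("Merkle-puzzl"), pk) }

func randUint64() uint64 {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint64(b[:])
}

// MakePuzzle builds AES_PK(S || ID || K) for one row of Alice's table.
func MakePuzzle(pk, id uint32, k uint64) [16]byte {
	var pt, ct [16]byte
	binary.BigEndian.PutUint32(pt[0:4], S)
	binary.BigEndian.PutUint32(pt[4:8], id)
	binary.BigEndian.PutUint64(pt[8:16], k)
	c, _ := aes.NewCipher(aesKey(pk)) // 16-byte key: NewCipher cannot fail
	c.Encrypt(ct[:], pt[:])
	return ct
}

// SolvePuzzle is Bob's brute force (step 6): try all 2^n puzzle keys and
// accept the first whose decryption starts with the agreed S.
func SolvePuzzle(p [16]byte, n uint) (pk, id uint32, k uint64, ok bool) {
	var pt [16]byte
	for cand := uint64(0); cand < 1<<n; cand++ {
		c, _ := aes.NewCipher(aesKey(uint32(cand)))
		c.Decrypt(pt[:], p[:])
		if binary.BigEndian.Uint32(pt[0:4]) == S {
			return uint32(cand), binary.BigEndian.Uint32(pt[4:8]), binary.BigEndian.Uint64(pt[8:16]), true
		}
	}
	return 0, 0, 0, false
}

// Alice keeps the table ID -> K (step 1).  IDs are 0..N-1, so the puzzles are
// shuffled before sending: the ID Bob announces in step 7 must not tell an
// eavesdropper which of the N puzzles to solve.
type Alice struct{ keys []uint64 }

func NewAlice(n uint) (*Alice, [][16]byte) {
	N := 1 << n
	a := &Alice{keys: make([]uint64, N)}
	puzzles := make([][16]byte, N)
	for i := 0; i < N; i++ {
		pk := uint32(randUint64()) & (uint32(1)<<n - 1) // random n-bit puzzle key
		a.keys[i] = randUint64()
		puzzles[i] = MakePuzzle(pk, uint32(i), a.keys[i])
	}
	for i := N - 1; i > 0; i-- { // Fisher-Yates shuffle driven by crypto/rand
		j := int(randUint64() % uint64(i+1))
		puzzles[i], puzzles[j] = puzzles[j], puzzles[i]
	}
	return a, puzzles
}

// Lookup is Alice's side of step 7: fetch K for the announced ID.
func (a *Alice) Lookup(id uint32) uint64 { return a.keys[id] }

// RunProtocol performs one exchange and returns Bob's key, Alice's key and
// whether Bob solved his puzzle; the two keys must agree (step 8).
func RunProtocol(n uint) (uint64, uint64, bool) {
	alice, puzzles := NewAlice(n)                    // steps 3-4: N puzzles go to Bob
	pick := int(randUint64() % uint64(len(puzzles))) // step 5: Bob picks one at random
	_, id, kBob, ok := SolvePuzzle(puzzles[pick], n) // step 6
	if !ok {
		return 0, 0, false
	}
	return kBob, alice.Lookup(id), true // step 7: Bob sends ID, Alice looks it up
}

func main() {
	kB, kA, ok := RunProtocol(16)
	fmt.Printf("solved: %v  Bob: %016x  Alice: %016x  agree: %v\n", ok, kB, kA, kB == kA)
}
```

RunProtocol(16) costs Alice 2^16 AES operations and Bob about 2^15 on average. An eavesdropper who holds the N puzzles and the announced ID still has to solve puzzles one by one until it finds the one carrying that ID, about N/2 puzzles at about N/2 trials each, which is the O(N^2) gap quantified on the following slides. With a 32-bit S a wrong candidate key passes the redundancy check with probability 2^-32, so false solutions are not a concern at these sizes.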

The Protocol (cont.)

Complexity:
A invests O(N) time for generating N puzzles.
B invests O(N) time for solving one puzzle.
The communication complexity is O(N).
An attacker has to invest O(N^2) time: it learns the ID from B's message but not which puzzle carries it, so it must solve puzzles until it finds that ID, about N/2 puzzles on average at about N/2 trials each, i.e. about N^2/4 operations.

The Protocol (cont.)

Parameters: n = 20, N = 2^20 ≈ 1,000,000 is sufficiently small that computing and transmitting O(N) puzzles, and solving one puzzle, can be done relatively fast, but recovering the common key by an eavesdropper takes about 10^12 ≈ 2^40 steps.
In order to have security for periods of years and beyond, we need to choose n > 32.
(Today 2^40 block-cipher operations are within reach of a single machine, so n = 20 offers no real protection; and since the attacker's work is only the square of the users' work, pushing the attacker to 2^80 operations would require the users to generate and transmit 2^40 puzzles.)

The Legal Users' Advantage

Merkle's puzzles suggest that the legitimate users have a computational advantage over attackers.
The advantage is quadratic (N for the legitimate users versus N^2 for the attacker).
When high security is required, such as n ≥ 32, the legitimate users have to invest a lot of time in the protocol.
Is there another scheme with an exponential advantage? We will discuss it in the next lecture.

Implementation Notes

First notice that in most ciphers the block size may not be large enough to contain S ∥ ID_i ∥ K_i. Therefore, some implementation changes may be necessary. We now show that although the protocol is secure, a careless implementation can be totally insecure.
Implement the puzzles using DES, assuming n = 32, and let the puzzle be the three separately encrypted blocks DES_PK(S), DES_PK(ID), DES_PK(K).
This is insecure: the first block depends only on PK and the public value S, so the attacker can compute DES_PK(S) in advance under all possible PKs, match the first words of the puzzles against this table to read off the PK of every puzzle, and then decrypt the ID (and K) of each puzzle. This reduces the attacker's complexity to O(N).

Implementation Notes (cont.)

Possible solution: Encrypt the first word under K instead: DES_K(S), DES_PK(ID), DES_PK(K).
This is also insecure: after receiving ID (sent in the clear by B), the attacker can encrypt ID under all possible PKs, match the results against the second words of the puzzles to find the PK of the chosen puzzle, decrypt K from the third word, and verify it by checking that DES_K(S) equals the first word. The total complexity is again O(N).
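The two careless DES layouts and the O(N) attacks on them, the table-lookup attack on DES_PK(S), DES_PK(ID), DES_PK(K) from the previous slide and the attack after ID is revealed on DES_K(S), DES_PK(ID), DES_PK(K) from this one, as an added Go example that is not part of the lecture. It uses Go's standard crypto/des, pads the n-bit puzzle key into the 8-byte DES key behind assumed fixed bytes, assumes a value for S, and uses a small n rather than the slide's n = 32 so that it runs in a moment; the attacks' cost is linear in N at any n. A counter of DES block operations makes the cost visible. All names are the example's own.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// S is the agreed 64-bit redundancy block; the n-bit puzzle key is padded into
// the 8-byte DES key behind four fixed bytes ("DES!").  Both are assumed here.
const S uint64 = 0x5A5A5A5A5A5A5A5A

var desOps int // single-block DES operations performed, to measure attack cost

func pkKey(pk uint32) []byte { return binary.BigEndian.AppendUint32([]byte("DES!"), pk) }
func kKey(k uint64) []byte   { return binary.BigEndian.AppendUint64(nil, k) }

// desBlock encrypts (or, with decrypt set, decrypts) one 64-bit block.
func desBlock(key []byte, in uint64, decrypt bool) uint64 {
	desOps++
	c, _ := des.NewCipher(key) // 8-byte key: NewCipher cannot fail
	var src, dst [8]byte
	binary.BigEndian.PutUint64(src[:], in)
	if decrypt {
		c.Decrypt(dst[:], src[:])
	} else {
		c.Encrypt(dst[:], src[:])
	}
	return binary.BigEndian.Uint64(dst[:])
}

func randUint64() uint64 {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint64(b[:])
}

// Puzzle is one field-wise puzzle: three separately encrypted 64-bit words.
type Puzzle struct{ W1, W2, W3 uint64 }

// Format A, the first careless layout: DES_PK(S), DES_PK(ID), DES_PK(K).
func MakePuzzleA(pk, id uint32, k uint64) Puzzle {
	return Puzzle{desBlock(pkKey(pk), S, false), desBlock(pkKey(pk), uint64(id), false), desBlock(pkKey(pk), k, false)}
}

// Format B, the "possible solution": DES_K(S), DES_PK(ID), DES_PK(K).
func MakePuzzleB(pk, id uint32, k uint64) Puzzle {
	return Puzzle{desBlock(kKey(k), S, false), desBlock(pkKey(pk), uint64(id), false), desBlock(pkKey(pk), k, false)}
}

// MakePuzzles builds N = 2^n puzzles with ID_i = i; keys[i] is Alice's K for ID i.
func MakePuzzles(n uint, mk func(pk, id uint32, k uint64) Puzzle) ([]Puzzle, []uint64) {
	N := 1 << n
	puzzles, keys := make([]Puzzle, N), make([]uint64, N)
	for i := 0; i < N; i++ {
		pk := uint32(randUint64()) & (uint32(1)<<n - 1) // random n-bit puzzle key
		keys[i] = randUint64()
		puzzles[i] = mk(pk, uint32(i), keys[i])
	}
	return puzzles, keys
}

// AttackA breaks format A: W1 depends only on PK and the public S, so tabulate
// DES_PK(S) for all 2^n PK once, then read each puzzle's PK by lookup and
// decrypt its ID and K.  About 3N DES operations for all N puzzles.
func AttackA(puzzles []Puzzle, n uint) map[uint32]uint64 {
	table := make(map[uint64]uint32, 1<<n)
	for pk := uint64(0); pk < 1<<n; pk++ {
		table[desBlock(pkKey(uint32(pk)), S, false)] = uint32(pk)
	}
	found := make(map[uint32]uint64, len(puzzles))
	for _, p := range puzzles {
		if pk, ok := table[p.W1]; ok {
			found[uint32(desBlock(pkKey(pk), p.W2, true))] = desBlock(pkKey(pk), p.W3, true)
		}
	}
	return found
}

// AttackB breaks format B once Bob has announced ID: encrypt ID under all 2^n
// PK, match against the puzzles' second words, decrypt K with the matching PK
// and confirm it through DES_K(S) == W1.  Again about N operations.
func AttackB(puzzles []Puzzle, n uint, id uint32) (uint64, bool) {
	byW2 := make(map[uint64]Puzzle, len(puzzles))
	for _, p := range puzzles {
		byW2[p.W2] = p
	}
	for pk := uint64(0); pk < 1<<n; pk++ {
		key := pkKey(uint32(pk))
		if p, ok := byW2[desBlock(key, uint64(id), false)]; ok {
			if k := desBlock(key, p.W3, true); desBlock(kKey(k), S, false) == p.W1 {
				return k, true
			}
		}
	}
	return 0, false
}

func main() {
	puzzles, keys := MakePuzzles(12, MakePuzzleA)
	desOps = 0
	found := AttackA(puzzles, 12)
	fmt.Printf("format A: %d of %d keys recovered with %d DES ops\n", len(found), len(keys), desOps)
}
```

For N = 2^12 puzzles AttackA recovers every (ID, K) pair with exactly 3N DES operations, N for the table and two per puzzle, and AttackB recovers the chosen K with at most about N operations once ID is known, whereas a correctly built puzzle set forces roughly N^2/2 operations. DES ignores the low (parity) bit of each key byte, so several PK values are equivalent; the attacks do not care, since an equivalent key decrypts just as well.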

Implementation Notes (cont.)

A better solution: Encrypt the first two words under K: DES_K(S), DES_K(ID), DES_PK(K).
Or, for S ≠ 0: DES_PK(S ⊕ K), DES_PK(ID ⊕ K), DES_PK(K). (With S = 0 the first and third words would coincide and the redundancy check would accept every PK.)
Or: use a cipher E with a sufficiently large block size, such as AES, where PK, S and ID are 32-bit values and K is a 64-bit value. In this case a puzzle is simply AES_PK(S ∥ ID ∥ K). We cannot select a 128-bit K in this implementation, since S, ID and K must fit together in one 128-bit block; however, in order to distribute a 128-bit key, we can perform this implementation twice.

Additional Notes

The puzzles do not have to be secret to ensure a common secret key. Each user A can publish a set of puzzles in a public file that everybody can read, but not modify. Then every user B can select a puzzle and share a secret key with A.
B can authenticate A by sharing a key and asking A to encrypt some value that B selected. Only A can succeed, assuming the public file manager verifies ownership correctly. Even the manager cannot recover the keys!
Mutual authentication: A and B can share two keys K_A and K_B, one using the puzzles of A and one using the puzzles of B, and then use a combination of the two, such as K_A ⊕ K_B, as the common secret key.