the computational and decisional diffie hellman
play

The computational and decisional Diffie-Hellman assumptions in - PowerPoint PPT Presentation

Feb 05, 2024 •6 likes •226 views

Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion The computational and decisional Diffie-Hellman assumptions in CryptoVerif Bruno Blanchet and David Pointcheval CNRS, Ecole Normale Sup erieure, INRIA, Paris

  1. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion The computational and decisional Diffie-Hellman assumptions in CryptoVerif Bruno Blanchet and David Pointcheval CNRS, ´ Ecole Normale Sup´ erieure, INRIA, Paris July 2010 Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 1 / 18

  2. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Motivation CryptoVerif is a prover for security protocols that is sound in the computational model produces proofs by sequences of games can give asymptotic or exact security results provides a generic method for specifying assumptions on cryptographic primitives Our goal: extend CryptoVerif to Diffie-Hellman key agreements. an important primitive; difficult for handle in formal protocol provers. Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 2 / 18

  3. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Outline 1 Decisional Diffie-Hellman (DDH) assumption, basic model. 2 Computational Diffie-Hellman (CDH) assumption, basic model. 3 Why this is not enough for protocols relying on Diffie-Hellman key agreements. 4 Computational Diffie-Hellman (CDH) assumption, extended model. 5 Decisional Diffie-Hellman (DDH) assumption, extended model. Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 3 / 18

  4. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Decisional Diffie-Hellman assumption Consider a multiplicative cyclic group G of order q , with generator g . A probabilistic polynomial-time adversary has a negligible probability of distinguishing ( g a , g b , g ab ) for random a , b ∈ Z ∗ q and ( g a , g b , g c ) for random a , b , c ∈ Z ∗ q Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 4 / 18

  5. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Decisional Diffie-Hellman assumption in CryptoVerif Consider a multiplicative cyclic group G of order q , with generator g . A probabilistic polynomial-time adversary has a negligible probability of distinguishing ( g a , g b , g ab ) for random a , b ∈ Z ∗ q and ( g a , g b , g c ) for random a , b , c ∈ Z ∗ q In CryptoVerif, ! i ≤ N new a : Z ; new b : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ODH () := exp ( g , mult ( a , b ))) ≈ ! i ≤ N new a : Z ; new b : Z ; new c : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ODH () := exp ( g , c )) Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 4 / 18

  6. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Decisional Diffie-Hellman assumption in CryptoVerif ! i ≤ N new a : Z ; new b : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ODH () := exp ( g , mult ( a , b ))) ≈ ! i ≤ N new a : Z ; new b : Z ; new c : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ODH () := exp ( g , c )) We replace g ab with g c for some fresh random number c , provided a and b are random numbers used only in g a , g b , and g ab . Application: semantic security of El Gamal (A. Chaudhuri). Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 5 / 18

  7. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Computational Diffie-Hellman assumption Consider a multiplicative cyclic group G of order q , with generator g . A probabilistic polynomial-time adversary has a negligible probability of computing g ab from g , g a , g b , for random a , b ∈ Z ∗ q . Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 6 / 18

  8. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Computational Diffie-Hellman assumption in CryptoVerif Consider a multiplicative cyclic group G of order q , with generator g . A probabilistic polynomial-time adversary has a negligible probability of computing g ab from g , g a , g b , for random a , b ∈ Z ∗ q . In CryptoVerif, this can be written ! i ≤ N new a : Z ; new b : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ! i ′ ≤ N ′ OCDH ( z : G ) := z = exp ( g , mult ( a , b ))) ≈ ! i ≤ N new a : Z ; new b : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ! i ′ ≤ N ′ OCDH ( z : G ) := false ) Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 6 / 18

  9. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Computational Diffie-Hellman assumption in CryptoVerif Consider a multiplicative cyclic group G of order q , with generator g . A probabilistic polynomial-time adversary has a negligible probability of computing g ab from g , g a , g b , for random a , b ∈ Z ∗ q . In CryptoVerif, this can be written ! i ≤ N new a : Z ; new b : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ! i ′ ≤ N ′ OCDH ( z : G ) := z = exp ( g , mult ( a , b ))) ≈ ! i ≤ N new a : Z ; new b : Z ; ( OA () := exp ( g , a ) , OB () := exp ( g , b ) , ! i ′ ≤ N ′ OCDH ( z : G ) := false ) Application: semantic security of hashed El Gamal in the random oracle model (A. Chaudhuri). Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 6 / 18

  10. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Typical protocol using the Diffie-Hellman key agreement Assumptions on primitives: CDH + h is a hash function in the random oracle model or DDH + h is an entropy extractor A simplified form of a Diffie-Hellman key agreement protocol: g a Message 1. A → B : for random a g b Message 2. B → A : for random b The shared key is h ( g ab ) = h (( g a ) b ) = h (( g b ) a ) (Signatures omitted for simplicity.) Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 7 / 18

  11. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Typical protocol using the Diffie-Hellman key agreement in CryptoVerif ! iA ≤ N cA (); new a : Z ; cA � exp ( g , a ) � ; cA ( gb ) . let k = h ( exp ( gb , a )) in . . . | ! iB ≤ N cB (); new b : Z ; cB � exp ( g , b ) � ; cA ( ga ) . let k = h ( exp ( ga , b )) in . . . | ! iH ≤ nH cH ( x ); cH � h ( x ) � Cannot be transformed by the previous CDH/DDH equivalences, because a and b are chosen in parallel processes, not one after the other under the same replication. Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 8 / 18

  12. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Extending the formalization of CDH in CryptoVerif After applying the security assumption on the hash function h , h ( x ) returns a fresh random number if h ( x ) has not already been called, and the same result as the previous call otherwise. Hence h ( x ) is replaced with lookups that compare x with the other arguments of h . ! iA ≤ N cA (); new a : Z ; cA � exp ( g , a ) � ; cA ( gb ) . . . exp ( gb [ u ] , a [ u ]) = exp ( gb , a ) . . . exp ( ga [ u ′ ] , b [ u ′ ]) = exp ( gb , a ) . . . x [ u ′′ ] = exp ( gb , a ) . . . | ! iB ≤ N cB (); new b : Z ; cB � exp ( g , b ) � ; cA ( ga ) . . . exp ( gb [ u ] , a [ u ]) = exp ( ga , b ) . . . exp ( ga [ u ′ ] , b [ u ′ ]) = exp ( ga , b ) . . . x [ u ′′ ] = exp ( ga , b ) . . . | ! iH ≤ nH cH ( x ); . . . exp ( gb [ u ] , a [ u ]) = x . . . exp ( ga [ u ′ ] , b [ u ′ ]) = x . . . x [ u ′′ ] = x . . Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 9 / 18

  13. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Extending the formalization of CDH in CryptoVerif ! ia ≤ na new a : Z ; ( OA () := exp ( g , a ) , Oa () := a , ! iaCDH ≤ naCDH OCDHa ( m : G , j ≤ nb ) := m = exp ( g , mult ( b [ j ] , a ))) , ! ib ≤ nb new b : Z ; ( OB () := exp ( g , b ) , Ob () := b , ! ibCDH ≤ nbCDH OCDHb ( m : G , j ≤ na ) := m = exp ( g , mult ( a [ j ] , b ))) ≈ ! ia ≤ na new a : Z ; ( OA () := exp ( g , a ) , Oa () := a , ! iaCDH ≤ naCDH OCDHa ( m : G , j ≤ nb ) := if Ob [ j ] or Oa has been called then m = exp ( g , mult ( b [ j ] , a )) else false ) , ! ib ≤ nb new b : Z ; ( OB () := exp ( g , b ) , Ob () := b , ! ibCDH ≤ nbCDH OCDHb ( m : G , j ≤ na ) := (symmetric of OCDHa )) Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 10 / 18

  14. Basic DDH Basic CDH Need for extension Extended CDH Extended DDH Conclusion Extending the formalization of CDH in CryptoVerif ! ia ≤ na new a : Z ; ( OA () := exp ( g , a ) , Oa () := a , ! iaCDH ≤ naCDH OCDHa ( m : G , j ≤ nb ) := m = exp ( g , mult ( b [ j ] , a ))) , ! ib ≤ nb new b : Z ; ( OB () := exp ( g , b ) , Ob () := b , ! ibCDH ≤ nbCDH OCDHb ( m : G , j ≤ na ) := m = exp ( g , mult ( a [ j ] , b ))) ≈ ! ia ≤ na new a : Z ; ( OA () := exp ( g , a ) , Oa () := let ka = mark in a , ! iaCDH ≤ naCDH OCDHa ( m : G , j ≤ nb ) := find u ≤ nb suchthat defined ( kb [ u ] , b [ u ]) ∧ b [ j ] = b [ u ] then m = exp ( g , mult ( b [ j ] , a )) else if defined ( ka ) then m = exp ( g , mult ( b [ j ] , a )) else false ) , ! ib ≤ nb new b : Z ; ( OB () := exp ( g , b ) , Ob () := let kb = mark in b , ! ibCDH ≤ nbCDH OCDHb ( m : G , j ≤ na ) := (symmetric of OCDHa )) Bruno Blanchet and David Pointcheval Diffie-Hellman in CryptoVerif July 2010 11 / 18

Recommend

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a

Lecture Outline Review of Diffie-Hellman key exchange Looking at Authentication from a number of perspectives Today: authenticating users, services Agreeing on Secret Keys Without Prior Arrangement Diffie-Hellman Key Exchange

1.07k views • 73 slides
Explain what an adversary would have to do to violate the Computational Diffie-Hellman assumption (

Explain what an adversary would have to do to violate the Computational Diffie-Hellman assumption (

Explain what an adversary would have to do to violate the Computational Diffie-Hellman assumption ( CDH ) Question #1 Why isnt raw RSA , E N ( M ) = M 3 mod N , a secure way to encrypt a plaintext M N ? Question #1 1 Explain what an

488 views • 6 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption: with

445 views • 17 slides
Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 7 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

810 views • 42 slides
Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography

Lecture 8 Public Key Cryptography (Diffie-Hellman and RSA) 1 Public Key Cryptography Asymmetric cryptography Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir- Adleman) Two keys: private (SK), public (PK) Encryption:

256 views • 22 slides
Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based

Diffie-Hellman, discrete logs, the NSA, and you J. Alex Halderman University of Michigan Based on joint work: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry,

879 views • 63 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic

High-speed Diffie-Hellman, part 2 D. J. Bernstein University of Illinois at Chicago Classic question about the Diffie-Hellman system: How quickly can we compute n th powers mod p ? Modular exponentiation. p ; Assume standard prime p =

684 views • 45 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA

1 C.c) DSA and Diffie-Hellman W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.73 DSA (Digital Signature Algorithm) standardized by NIST A) Generation of a key pair Select a prime q with 2 159 < q < 2 160 Select a

348 views • 11 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice

Diffie-Hellman not secure against Man-in-the-Middle-attack: Want to guarantee authenticity. Alice Mallory Bob Can achieve this with publc-key cryptography as well. g a a First example: Schnorr Signature g m m a 1024 bit

283 views • 3 slides
Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g

Diffie-Hellman not secure against Man-in-the-Middle-attack: Alice Mallory Bob g a a g m m g ma g ma g n n g b b g nb g nb g ma g ma , g nb g nb Eike Ritter Cryptography 2014/15 106

417 views • 9 slides
Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn

CSS441 Public Key Crypto Principles RSA Public Key Cryptography Diffie-Hellman Others CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

461 views • 29 slides
A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1

A Static Diffie-Hellman Attack on Several Direct Anonymous Attestation Schemes Ernie Brickell 1 Liqun Chen 2 Jiangtao Li 1 1. Intel Corporation, Hillsboro, Oregon, USA 2. Hewlett-Packard Laboratories, Bristol, UK InTrust 2012 Royal Holloway,

827 views • 17 slides
Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian ,

Measuring small subgroup attacks against Diffie-Hellman Luke Valenta , David Adrian , Antonio Sanso , Shaanan Cohney , Joshua Fried , Marcella Hastings , J. Alex Halderman , Nadia Heninger University of

461 views • 42 slides
On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger

Background and Motivation Main Algorithm and Results On the Static Diffie-Hellman Problem on Elliptic Curves over Extension Fields Robert Granger rgranger@computing.dcu.ie Claude Shannon Institute, UCD and DCU, Ireland ASIACRYPT, 8th December

655 views • 48 slides
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message

243 views • 20 slides
Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D.

Curve25519: Which public-key systems new Diffie-Hellman speed records are smallest? Fastest? D. J. Bernstein Real-world cost measures: Pentium cycles, Athlon cycles, Thanks to: etc. for generating keys, signing, University of Illinois at

541 views • 35 slides
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke Valenta, Benjamin

1.01k views • 34 slides
Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and

Diffie-Hellman Key Exchange Source: Wikipedia ElGamal Key Generator Generate primes p and q as well as an element g Z p that generates the subgroup G q . Choose a random x from { 0 , . . . , q 1 } . Compute h = g x .

754 views • 7 slides
Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp

Fast FPGA Implementation of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve Philipp Koppermann, Fabrizio De Santis, Johann Heyszl and Georg Sigl History of High-Speed Curve Cryptography over Prime Fields 1 Point Addition on a

319 views • 16 slides
E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald

E -th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2 , David Naccache 3 , Emmanuel Thom e 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2 DGA and IRMAR 3 ENS 4 INRIA Lorraine 1

538 views • 25 slides
The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian,

The LOGJAM attack Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thom e, Luke

674 views • 45 slides

More recommend