The Key-Distribution Problem A Public-Key Solution


Introduction Key-Distribution Diffie-Hellman Exchange

The key-distribution problem


A public-key solution

Foundations of Cryptography
Computer Science Department
Wellesley College

Fall 2016


Table of contents

Introduction

Key-Distribution

Diffie-Hellman Exchange

The key-distribution problem

• Private-key cryptography requires shared, secret keys
between each pair of communicating parties.
• How are all these keys shared in the first place?
• In situations where a large number of parties must
pairwise, secretly communicate, many schemes do not scale well.

[Inset slide: Security services]
Confidentiality: Protection of data from unauthorized disclosure.
Authentication: Assurance that the origin of a communication is
correctly identified.
Integrity: Only authorized entities are able to modify resources.
Nonrepudiation: Protection against denial by one of the parties.
Access control: Prevention of unauthorized use of a resource.
(Intro to cryptology 1-5)


Key storage and secrecy

• When there are U employees, the number of secret keys is
$\binom{U}{2} = \Theta(U^2)$ and every employee holds $U - 1$ keys.
• The situation is worse when employees must
communicate with remote databases, servers, and so forth.
• All these keys must be securely stored.

Open systems

• Private-key cryptography
can be used to solve the
problem of secure
communication in "closed"
systems where it is possible
to distribute secret keys via
physical means.
• What happens when parties
cannot physically meet, or
where parties have transient
interactions?


Key distribution centers (KDC)


All employees share a key with the
KDC.
1. When Alice wants to communicate
with Bob, she encrypts, using the
secret key she shares with KDC:
‘Alice wishes to communicate
with Bob’
2. The KDC chooses a new random
key, called the session key and
sends this to Alice (encrypted using
Alice’s shared key) and Bob
(encrypted using Bob’s shared key).
3. Alice and Bob communicate using
the session key and destroy it when
they are done.

Good news/Bad news


Plus side:
1. Each employee needs to store only
one secret key. Limited storage
devices, such as smart cards, could
be used.
2. When an employee joins the
organization all that must be done
is set up a secret-key with the
KDC. No other employees need be
updated.
Minus side:
1. A successful attack on the KDC
results in a complete break of
security for all parties.
2. When the KDC is down, secure
communications come to a halt.


The state of affairs before 1976



After 1976, a new kid on the block


In 1976, Whitfield Diffie and Martin Hellman published a paper
titled "New Directions in Cryptography" in which they proposed a
completely new cryptographic paradigm.


Addressing the limitations of private-key encryption*

1. Public-key allows key distribution to be done over public
channels. Initial deployment and system maintenance is
simplified.
2. Public-key vastly reduces the need to store many different
secret keys. Even if a large number of pairs want to
communicate secretly, each party needs to store only one key:
her own.
3. Finally, public-key is suitable for open environments where
parties who have never previously interacted can communicate
secretly.

*There are a fair number of details glossed over here, e.g., ensuring authentic
distribution of public keys in the first place.

Digital signatures
In addition to the public-key encryption, Diffie and Hellman
introduced a public-key analogue to message authentication codes,
called digital signatures.

*Not only does this scheme prevent undetected tampering of a message,
authenticity can be verified by anyone knowing the public key of the sender.
Nonrepudiation: Alice cannot deny her signature.


Public-key implementation

• Although Diffie and Hellman
introduced public-key
encryption and digital
signatures, they did not
provide an implementation
of either.
• A year later, Ron Rivest, Adi
Shamir, and Len Adleman
proposed the RSA problem
and presented the first
public-key encryption and
digital signature schemes.

Implements of war

• Diffie and Hellman (and
others publishing in
cryptography) were under
threat of prosecution.
• Under the International
Traffic in Arms Regulations,
technical literature on
cryptography was considered
an implement of war.


Interactive key exchange

• Finally, in their now famous
paper, Diffie and Hellman
provided an implementation
of an interactive key
exchange.
• An interactive key exchange
protocol is a method
whereby parties who do not
share any secret information
can generate a shared,
secret key by communicating
over a public channel.

The setting

Alice and Bob run some protocol $\Pi$ in order to generate a shared
secret.
• Beginning with a security parameter $1^n$, Alice and Bob choose
(independent) random coins and run protocol $\Pi$.
• At the end of the protocol, Alice and Bob output keys
$k_A, k_B \in \{0,1\}^n$, respectively.
• The basic correctness requirement is that $k_A = k_B$ for all
choices of random coins.*

*Thus, we can speak of the key $k = k_A = k_B$.


A definition of security
The key-exchange experiment $\mathsf{KE}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$:
1. Two parties holding $1^n$ execute protocol $\Pi$ resulting in a
transcript trans containing all the messages sent by the
parties, and a key $k$ that is output by each of the parties.
2. A random bit $b \leftarrow \{0,1\}$ is chosen. If $b = 0$ then choose
$\hat{k} \leftarrow \{0,1\}^n$ uniformly at random, and if $b = 1$ set $\hat{k} := k$.
3. $\mathcal{A}$ is given trans and $\hat{k}$, and outputs a bit $b'$.
4. The output of the experiment is defined to be 1 if $b' = b$, and
0 otherwise.
Definition 10.1 A key-exchange protocol $\Pi$ is secure in the presence
of an eavesdropper if for every probabilistic polynomial-time
adversary $\mathcal{A}$ there exists a negligible function negl such that
$$\Pr\left[\mathsf{KE}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \mathsf{negl}(n).$$

The Diffie-Hellman key-exchange protocol*

Construction 10.2.
• Common input: The security parameter $1^n$
• The protocol:
1. Alice runs $\mathcal{G}(1^n)$ to obtain $(\mathbb{G}, q, g)$.
2. Alice chooses $x \leftarrow \mathbb{Z}_q$ uniformly at random, and computes
$h_A := g^x$.
3. Alice sends $(\mathbb{G}, q, g, h_A)$ to Bob.
4. Bob receives $(\mathbb{G}, q, g, h_A)$. He chooses $y \leftarrow \mathbb{Z}_q$ uniformly at
random and computes $h_B := g^y$. Bob sends $h_B$ to Alice and
outputs the key $k_B := h_A^y$.
5. Alice receives $h_B$ and outputs the key $k_A := h_B^x$.

*Checking correctness is easy.
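
Construction 10.2 with both parties' messages, as an added example that is not part of the original slides. It assumes one concrete choice for the group generator (the subgroup of squares modulo a safe prime p = 2q + 1); the function names and the small default size are hypothetical and chosen for the demonstration.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_gen(n):
    """Stand-in for G(1^n): order-q subgroup of Z_p^*, p = 2q + 1, q an n-bit prime."""
    while True:
        q = secrets.randbits(n) | (1 << (n - 1)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            a = secrets.randbelow(p - 3) + 2       # a in [2, p-2], so a*a != 1
            return p, q, pow(a, 2, p)              # a square != 1 has order q

def alice_start(n):
    p, q, g = group_gen(n)
    x = secrets.randbelow(q)                       # x <- Z_q, kept secret
    return x, (p, q, g, pow(g, x, p))              # message (G, q, g, h_A)

def bob_respond(msg):
    p, q, g, h_a = msg
    y = secrets.randbelow(q)                       # y <- Z_q, kept secret
    return pow(g, y, p), pow(h_a, y, p)            # message h_B, key k_B

def run_exchange(n=64):
    x, msg = alice_start(n)                        # steps 1-3
    h_b, k_b = bob_respond(msg)                    # step 4
    k_a = pow(h_b, x, msg[0])                      # step 5: k_A = h_B^x
    return (*msg, h_b), k_a, k_b                   # transcript, both keys
```

The two keys agree because $h_B^x = g^{yx} = g^{xy} = h_A^y$; the returned transcript is exactly what the eavesdropper in Definition 10.1 sees.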


Security of the Diffie-Hellman exchange

• At a bare bones minimum, in
order for the Diffie-Hellman
exchange to be secure it is
necessary for the discrete
logarithm problem to be hard
relative to $\mathcal{G}$.
• However, this is not sufficient
since it may be possible to
compute the key $k_A = k_B$
without explicitly finding $x$ or $y$.
• What is required is that $g^{xy}$ be
indistinguishable from random
for any adversary given $g$, $g^x$,
and $g^y$.

Decisional Diffie-Hellman (DDH) problem once more

The decisional Diffie-Hellman (DDH) problem is to distinguish
$\mathsf{DH}_g(h_1, h_2)$ from a random group element for randomly chosen
$h_1, h_2$.

Definition 8.63. We say that the DDH problem is hard relative to
$\mathcal{G}$ if for all probabilistic polynomial-time algorithms $\mathcal{A}$ there exists
a negligible function negl such that

$$\left|\Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^z) = 1] - \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1]\right| \le \mathsf{negl}(n),$$

where in each case the probabilities are taken over the experiment
in which $\mathcal{G}(1^n)$ outputs $(\mathbb{G}, q, g)$, and the random $x, y, z \in \mathbb{Z}_q$ are
chosen.


Proof of security

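Theorem 10.3. If the decisional Diffie-Hellman problem is hard
relative to $\mathcal{G}$, then the Diffie-Hellman key-exchange protocol $\Pi$ is
secure in the presence of an eavesdropper (with respect to the
experiment $\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}$).

Proof. Let $\mathcal{A}$ be a PPT adversary. Since
$\Pr[b = 0] = \Pr[b = 1] = 1/2$, we have
$$\Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right]
= \frac{1}{2} \cdot \Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \mid b = 1\right] + \frac{1}{2} \cdot \Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \mid b = 0\right].$$

*Here $\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}$ stands for a modified experiment where if $b = 0$ the adversary is
given $\hat{k} \in \mathbb{G}$ chosen uniformly at random.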



The adversary’s goal

In experiment $\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n)$, adversary $\mathcal{A}$ receives $(\mathbb{G}, q, g, h_A, h_B, \hat{k})$,
where $(\mathbb{G}, q, g, h_A, h_B)$ is the transcript of the protocol execution,
and $\hat{k}$ is either the actual key $g^{xy}$ (if $b = 1$) or a random group
element (if $b = 0$).

Distinguishing between these two cases is exactly equivalent to
solving the decisional Diffie-Hellman problem.*

*So are we really doing anything here?


Adversary’s probability of success

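$$\begin{aligned}
\Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right]
&= \frac{1}{2} \cdot \Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \mid b = 1\right] + \frac{1}{2} \cdot \Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1 \mid b = 0\right] \\
&= \frac{1}{2} \cdot \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1] + \frac{1}{2} \cdot \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^z) = 0] \\
&= \frac{1}{2} \cdot \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1] + \frac{1}{2} \cdot \left(1 - \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^z) = 1]\right) \\
&= \frac{1}{2} + \frac{1}{2} \cdot \left(\Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1] - \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^z) = 1]\right) \\
&\le \frac{1}{2} + \frac{1}{2} \cdot \left|\Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^{xy}) = 1] - \Pr[\mathcal{A}(\mathbb{G}, q, g, g^x, g^y, g^z) = 1]\right|.
\end{aligned}$$
If the decisional Diffie-Hellman problem is hard relative to $\mathcal{G}$, then the
absolute value in the final line is bounded by some negligible function negl, and
$$\Pr\left[\widehat{\mathsf{KE}}^{\mathsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \frac{1}{2} \cdot \mathsf{negl}(n).$$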
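
An empirical run of the modified experiment, as an added example that is not part of the original slides. It assumes a constructed toy safe prime p = 2039 and a hypothetical adversary based on quadratic residuosity, and it goes beyond the slides by showing a group in which DDH is easy: over all of $\mathbb{Z}_p^*$ the adversary's DDH gap is 1/2, so it wins with probability about 1/2 + 1/2 · 1/2 = 3/4, while in the prime-order subgroup of squares it is held to about 1/2.

```python
import random

P, Q = 2039, 1019      # constructed toy safe prime: P = 2*Q + 1
G_SUB = 4              # a square, so it generates the order-Q subgroup
G_FULL = P - 4         # -4 is a non-residue other than -1: generates all of Z_P^*

def is_qr(a):
    """Euler's criterion: is a a quadratic residue modulo P?"""
    return pow(a, (P - 1) // 2, P) == 1

def residuosity_adversary(g, h_a, h_b, k_hat):
    """Output 1 ("real key") iff k_hat has the residuosity g^xy must have.

    For a non-residue generator g, g^xy is a residue exactly when x or y is
    even, i.e. when h_a or h_b is a residue. The test works for any size of P.
    """
    return int(is_qr(k_hat) == (is_qr(h_a) or is_qr(h_b)))

def ke_eav_hat(g, order, adversary, rng):
    """One run of the modified experiment; returns 1 iff the adversary's b' == b."""
    x, y = rng.randrange(order), rng.randrange(order)
    h_a, h_b = pow(g, x, P), pow(g, y, P)          # the public transcript
    k = pow(h_a, y, P)                             # the real key g^xy
    b = rng.randrange(2)
    k_hat = k if b == 1 else pow(g, rng.randrange(order), P)
    return int(adversary(g, h_a, h_b, k_hat) == b)

def success_rate(g, order, trials=4000, seed=0):
    """Estimate Pr[experiment = 1] for the residuosity adversary."""
    rng = random.Random(seed)                      # seeded simulation RNG, not for real keys
    wins = sum(ke_eav_hat(g, order, residuosity_adversary, rng) for _ in range(trials))
    return wins / trials
```

Comparing `success_rate(G_FULL, P - 1)` with `success_rate(G_SUB, Q)` gives the two rates.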
