zenon/applied-cryptography
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Tobias Eidelpes 2022-06-10 13:37:13 +02:00
commit fbee5b825e
21 changed files with 742 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ass1/.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
*.aux
*.fdb_latexmk
*.fls
*.log
*.out
ass1.pdf
*.synctex.gz

9
ass1/README.md Normal file
View File

@ -0,0 +1,9 @@
# Applied Cryptography Assignment 1
This assignment is about Symmetric Cryptography.
## Goal
The goal of this assignment is to understand lower and
upper-bounding advantages, in performing generic attacks and
in authenticated encryption.

107
ass1/ass1.tex Normal file
View File

@ -0,0 +1,107 @@
\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 1}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{March 2, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
\begin{enumerate}[label=(\alph*)]
\item Consider a setting in which an adversary $\mathcal{A}$ calls upon a second adversary $\mathcal{B}$. If $\mathcal{A}$ wants to sign a message, it asks $\mathcal{B}$ who will in turn ask its oracle for a tag. $\mathcal{B}$ will keep track of all the queries made from $\mathcal{A}$. $\mathcal{B}$ will then pass the response from its oracle on to $\mathcal{A}$. If $\mathcal{A}$ makes a verification query, $\mathcal{B}$ checks if the given tag matches the message by querying its own oracle. If the tag matches and $\mathcal{A}$ has not made a signing query to $\mathcal{B}$ containing the message, $\mathcal{B}$ will return 1. Otherwise it returns 0. With this setting in mind, the first term of the unforgeability bound for $\mathsf{MAC}$ is a probabilistic event where the chance that $\mathcal{A}$ creates a forgery is dependent on the amount of verification queries $q_v$. The second term constitutes the security of the underlying pseudorandom function. If the pseudorandom function is \enquote{broken}, the attacker will gain a significant advantage when mounting a forgery attack.
\item $ \text{Adv}^{\text{prf}}_{\text{MAC}}(\mathcal{A}) = \text{Pr}\Big(\mathcal{A}^{MAC_K} = 1\Big) - \text{Pr}\Big(\mathcal{A^{RO}} = 1\Big)$\\
It is obvious and given that the output of $\text{MAC}_K(M)$ has an equal left and right half, thus $\text{Pr}\Big(\mathcal{A}^{MAC_K} = 1\Big)$ = 1.\\
The probability that $\mathcal{RO}$ has an equal left and right part is $2^{-\frac{n}{2}}$, because half of the bits have to match, thus $\text{Pr}\Big(\mathcal{A^{RO}} = 1\Big) = 2^{-\frac{n}{2}}$\\
The advantage becomes $ \text{Adv}^{\text{prf}}_{\text{MAC}}(\mathcal{A}) = 1 - 2^{-\frac{n}{2}}$
\end{enumerate}
\section*{Exercise 2}
\begin{enumerate}[label=(\alph*)]
\item $\text{Pr}_K(H_L (M) \oplus H_L (M') = T ) \leq 2^{-n}$\\
If we extend $H_L$ we get $\text{Pr}_K(L \otimes M \oplus L \otimes M' = T ) \leq 2^{-n}$\\
$= \text{Pr}_K((M \oplus M') \otimes L = T ) \leq 2^{-n}$\\
The security still depends on the L of size n, thus it holds that it is $2^{-n}$-XOR-universal
\item $M_1 = 0$\\
$T_1 = \text{MAC}_K(M_1) = (0 \otimes L) \oplus F_K(N) = F_K(N)$\\
$M_2 = 1$\\
$T_2 = \text{MAC}_K(M_2) = (1 \otimes L) \oplus F_K(N) = F_K(N) \oplus L$\\
$L = T_1 \oplus T_2$\\
Using these steps we now posses the hash-key $L$ and the permutation $F_K(N)$. Since the attacker can re-use the nonce $N$, we can create our own tags using the same data:\\
$M_3; \ T_3 = \text{MAC}_K(M_3) = (M_3 \otimes L) \oplus F_K(N)$\\
Lastly: $\text{VFY}_K(M_3, T_3) = \top$
\end{enumerate}
\section*{Exercise 3}
\begin{enumerate}[label=(\alph*)]
\item The interface of $E^{-1}$ takes as input cipher text $C$ and tag $T$. It first validates if $T$ is correct. This is typically implemented using a MAC-function, which depends on either the plain text or ciphertext (depends on implementation approach). If it is incorrect it will only output $\bot$ and nothing else to prevent leakage of data. If is correct it outputs $\top$ together with the plaintext, $M$.
\item $\Delta_{\mathcal{D}}(\text{AE}_K,\text{AE}^{-1}_K\ ;\ \$, \bot) \leq \Delta_{\mathcal{D}}(\text{AE}[p],\text{AE}[p]^{-1}\ ;\ \$, \bot) +
\Delta_{\mathcal{D}}(\text{E}_K,\text{E}^{-1}_K\ ;\ \mathcal{P}, \mathcal{P}^{-1})$\\\\
The distinguishing advantage of the AE construction using our E primitive is less than or equal to the advantage construction using the ideal random permutation, plus the advantage of our primitive.
\item According to the scheme, the nonce and key are concatenated and used as input to the block cipher. The output is split to create the ciphertext and the tag, but in reality they are both pieces of the ciphertext. In the real-world Authenticated Encryption scheme, the attacker can re-use the nonce and the message, thus recreating the same tag. In the ideal version of Authenticated Encryption the nonce is always random, so the same message will result in a different tag.\\\\
$\Delta_{\mathcal{D}}(\text{AE}[p],\bot\ ;\ \$, \bot) = |\text{Pr}\Big(\mathcal{A}^{AE} = 1\Big) - \text{Pr}\Big(\mathcal{A^{RO}} = 1\Big)|$
$\Delta_{\mathcal{D}}(\text{AE}[p],\bot\ ;\ \$, \bot) = |1 - q_m2^{-128}|$
\end{enumerate}
\section*{Exercise 4}
An attacker is able to choose the tag $T$ for both online evaluations of $\widetilde{E}_K$ and offline evaluations of $E$. Furthermore, if the tag $T$ is always chosen to be the same for two evaluations of $\widetilde{E}_K$ and $E$, the difference in the ciphertexts is the key: $C_1\oplus C_2 = K$. After $2^{k/2}$ evaluations of the block cipher and the primitive, the chance that an attacker obtains the correct key $K$ by XORing the ciphertexts is high.
\[ \widetilde{E}_K(M, 0^k\oplus K) = C_1 \]
\[ E(M, 0^k) = C_2 \]
\[ K = C_1\oplus C_2 \]
\section*{Exercise 5}
\begin{enumerate}[label=(\alph*)]
\item Polynomial associated with \enquote{2}:
\[ X \]
Polynomial associated with \enquote{3}:
\[ X + 1 \]
Polynomial associated with \enquote{7}:
\[ X^2 + X + 1 \]
\item
\[ X^3\cdot (X^4+X^2+1) = X^7+X^5+X^3 = 10101000 \]
\[ (X^4+X^3)\cdot (X^4+X^2+1) = X^8+X^7+X^6+X^5+X^4+X^3 = 000111111000 \]
\item
\[ X\cdot X^{127} \pmod{X^{128}+X^7+X^2+X+1} = X^{128} \]
\item $\mathsf{XEX}_K$ does not use $2,3,5$ as masks, because $3^2 = 5$ in the group $\mathbb{F}^*_{2^n}$:
\[ 3^2 = (X+1)^2 = X^2 + 1 = 5. \]
\end{enumerate}
\section*{Exercise 6}
\begin{enumerate}[label=(\alph*)]
\item
\item The attack to distinguish this scheme is as follows:\\
$F_K(M_1) = \widetilde{E}_K(1, M_1) = T_1$\\
$F_K(M_1||T_1) = \widetilde{E}_K(2, \widetilde{E}_K(1, M_1) \oplus \widetilde{E}_K(1, M_1)) = \widetilde{E}_K(2, 0) = T_2$\\
$F_K(M'_1) = \widetilde{E}_K(1, M'_1) = T'_1$\\
$F_K(M'_1||T_1) = \widetilde{E}_K(2, \widetilde{E}_K(1, M'_1) \oplus \widetilde{E}_K(1, M'_1)) = \widetilde{E}_K(2, 0) = T'_2$\\
For this PRF construction, $T_2 = T'_2$\\
This means it is easy to create a forgery by reusing the tag. From one query.
\end{enumerate}
\end{document}

BIN
ass1/assignment1.pdf Normal file
View File

Binary file not shown.

7
ass2/.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
*.aux
*.fdb_latexmk
*.fls
*.log
*.out
ass2.pdf
*.synctex.gz

8
ass2/README.md Normal file
View File

@ -0,0 +1,8 @@
# Applied Cryptography Assignment 2
This assignment is about Symmetric Cryptography.
## Goal
The goal of this assignment is to understand the security of
hash functions and sponge as well as duplex functions.

103
ass2/ass2.tex Normal file
View File

@ -0,0 +1,103 @@
\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 2}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{March 16, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
Assume that we have a message $M = M_0\|M_1\|M_2\|M_3$. Passing this message through the modified Merkle-Damgård construction, we get the following:
\[ M_0\xrightarrow{M_1}\underbrace{F(M_0,M_1)}_{h_1}\xrightarrow{M_2}\underbrace{F(h_1,M_2)}_{h_2}\xrightarrow{M_3}\underbrace{F(h_2,M_3)}_{h_3} \]
Suppose we take the intermediate calculation of $h_1 = F(M_0,M_1)$ and prepend it to a second message $N = h_1\|M_2\|M_3$, resulting in the following:
\[ h_1\xrightarrow{M_2}\underbrace{F(h_1,M_2)}_{h_2}\xrightarrow{M_3}\underbrace{F(h_2,M_3)}_{h_3} \]
Both messages $M$ and $N$---although different---will output the same hash $h_3$.
\section*{Exercise 2}
Assuming that $\mathcal{H}$ is not collision resistant, then there exists a PPT adversary $\mathcal{A}$ who can find two distinct messages $M$ and $M'$ such that $\mathcal{H}(M)=\mathcal{H}(M')$. A second adversary $\mathcal{B}$ can break the collision resistance of $F$. $\mathcal{B}$ runs $\mathcal{A}$ as follows:
\begin{enumerate}
\item $\mathcal{B}$ takes the collision found by $\mathcal{A}$ and defines $M_1,\dots,M_4$ as well as the intermediate hash values $h_1,h_2$ and the final hash value $h$. The same goes for message $M'$: $M'_1,\dots,M'_4$ and $h'_1,h'_2,h'$.
\item $\mathcal{B}$ checks if $h = F(F(M_1,M_2),F(M_3,M_4))$ and $h' = F(F(M'_1,M'_2),F(M'_3,M'_4))$ is a collision. If it is a collision, $\mathcal{B}$ outputs it.
\item Next, $\mathcal{B}$ checks if $h_2 = F(M_3,M_4)$ and $h'_2 = F(M'_3,M'_4)$ is a collision. If so, $\mathcal{B}$ outputs it.
\item Finally, $\mathcal{B}$ checks if $h_1 = F(M_1,M_2)$ and $h'_1 = F(M'_1,M'_2)$ is a collision and outputs it if true.
\end{enumerate}
Since $\mathcal{A}$ can find a valid collision $M,M'$ in $\mathcal{H}$, $\mathcal{B}$ must necessarily also find a collision in $F$. However, $F$ is collision resistant and therefore adversary $\mathcal{B}$ cannot exist. This violates the original assumption and therefore $\mathcal{H}$ is collision resistant.\hfill$\blacksquare$
\section*{Exercise 3}
To cause a collision, the last permutation function before the squeezing phase should result in the same rate and capacity bits. By performing the algorithm locally using the same primitive, $P$, the attacker obtains the rate and capacity bits.\\\\
For this attack to work, the attacker must find a collision in the capacity bits. We assume that this is feasible because the adversary has access to $N \approx 2c/2$ evaluations of the permutation.\\
For each block in the message $M_1 || M_2 || M_3 || L(M_1 || M_2 || M_3)$, we execute the permutation function $P_1(r,c), P_2(r,c), P_3(r,c), P_4(r,c)$. We find a collision in the output $c$ of $P_2(r,c)$\\\\
We cannot change the input of $P_4(r,c)$ directly, since it is part of the padding.\\
When we have a collision in $c$, we also need to have the same $r$ for the collision attack to work. Let ($r_2, c_2$) and ($r'_2, c'_2$) be both the output of $P_2(r,c)$ in a collision.\\
$M_3$ = $r_2 \oplus r'_2$\\
$P_3(r_2 \oplus M_3, c_2) = P_3(r'_2 \oplus M_3, c'_2)$\\
Since length encoding produces the same output we have a collision.
\section*{Exercise 4}
\begin{enumerate}[label=(\alph*)]
\item Second preimage resistance is defined as: $N^2/2^{c+1} + N/2^n$\\
It is given that $c = 256$ and $n = 256$, thus:\\
$N^2/2^{257} + N/2^{256}$. When doing $N = 2^{128}$ evaluations, we get\\ $(2^{128})^2/2^{257} + 2^{128}/2^{256} = 2^{-1} + 2^{-128} \approx 0.5$, which is the average amount.
\item The goal is to find a message $M'$ so that H($M'$) = $h$\\
First, we make $N = 2^{128}$ evaluations. So that on average we have a inner collision for $c$ after these $N$ evaluations.\\
We want a second preimage and not a collision attack. When we do $2^{128}$ evaluations for a short message, we only get a collision of two random messages. To get a probable collision in the inner state of $c$ when $M'$ is hashed we need to do $2^{128}$ evaluations with a message length close to $2^{c/2}$.\\
When the collision is found using $M'$, the rest of the original message's intermediate values for $M'$ are appended in the sponge. Also, a value is XOR'ed to the rate bites to match the rate bits of the original message.\\
This will produce $h$ thus a second preimage is created.
\item Second preimage resistance is defined as: $N^2/2^{c+1} + N/2^n$\\
We know that $c = 256$ and $n = 88$, thus:\\
$N^2/2^{257} + N/2^{88}$. When doing $N = 2^{87}$ evaluations, we get\\ $(2^{87})^2/2^{257} + 2^{87}/2^{88} = 2^{-83} + 2^{-1} \approx 0.5$, which is the average amount.\\
Opposed to 4.a, the security is upper-bounded by $n$ instead of $c$.
\item Since the security is upper-bounded by $n$, we can do the attack by evaluating the whole hash function $N = 2^{87}$ times. On average this will output a hash $h' = H(M)$ because it is a classical attack against $\mathcal{RO}$. Thus, $N^{-87}$
\end{enumerate}
\section*{Exercise 5}
\begin{enumerate}[label=(\alph*)]
\item An attacker encrypts two messages $M$ and $M'$ with the same key and nonce. The first encryption query outputs ciphertext $C$ and the second query ciphertext $C'$. After XORing the two ciphertexts $C\oplus C'$, the result (the difference) can be XORed again with the plaintext message $M$. The result will be the plaintext message $M'$ and thus the attacker can distinguish.
\item An attacker makes two queries. The first query contains associated data $A$ with $|A| < r$ and looks like the following: $(C, T) = E_K(N, A, M)$. The second query contains no associated data and a message $M' = A\|10^*\|M$: $(C', T') = E_K(N,\epsilon,M')$. The encryption of both messages will pass through the same sequence of internal values and output the same tag ($T=T'$). Additionally, the ciphertext $C'$ will have $C$ as its suffix.
Using these properties an attacker can mount a forgery attack with one query as follows:
\begin{enumerate}[label=\arabic*.]
\item He constructs a message $M' = A\|10^{r-|A|-1}\|M$ where $|A| < r$.
\item He makes the query $(C', T') = E_K(N,\epsilon,M')$.
\item He sets $C$ to the last $|M|$ bits of $C'$ and the tag $T = T'$ and returns $C$ and $T$.
\end{enumerate}
\end{enumerate}
\section*{Exercise 6}
\begin{enumerate}[label=(\alph*)]
\item The attacker would require $\frac{2k}{\lambda} = n$ construction queries. It is assumed that secret state $S$ equals the capacity-bits.\\
Thus, $P(S \oplus (M||0^c))$ will be evaluated $n$ times with $n$ distinct messages. After this, enough bits are leaked to recover the key.
\item The first permutation is the same for both encryption calls because the input is only the key. So during the first permutation an attacker only learns $\lambda$ bits. Then the nonce is introduced in the second permutation which will leak $\lambda$ bits for every call since the nonce and thus the input is always different. In total we would leak $3\lambda$ bits of the secret state $S$ but only $\lambda$ bits of the key $K$.
\item
\item The secret state is always different for every separate evaluation because the nonce is unique. Thus an attacker may only learn a constant number $\lambda$ of bits in the worst case and not gain additional information for every repeated evaluation.
\end{enumerate}
\end{document}

BIN
ass2/assignment2.pdf Normal file
View File

Binary file not shown.

7
ass3/.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
*.aux
*.fdb_latexmk
*.fls
*.log
*.out
ass3.pdf
*.synctex.gz

8
ass3/README.md Normal file
View File

@ -0,0 +1,8 @@
# Applied Cryptography Assignment 3
This assignment is about Public Key Cryptography.
## Goal
The goal of this assignment is to understand the security of public key
encryption, digital signatures and Σ-protocols.

177
ass3/ass3.tex Normal file
View File

@ -0,0 +1,177 @@
\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 3}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{May 11, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
\begin{enumerate}[label=(\alph*)]
\item We know that $C_2$ is uniformly distributed because this algorithm uses the multiplicative group of $\mathbb{Z}^{*}_p$ with order $p - 1$. If $k$ is truly randomly chosen from $< p-1$, then $y^k = g^{kx}$ is uniformly distributed in $\mathbb{Z}^{*}_p$. Multiplication with $M$ will still hold that it is uniformly distributed, because $M$ is also part of the group.
\item The decryption of the cryptosystem works in the following way:
\[ M\leftarrow g^{kx}\cdot g^{-kx}\cdot M \]
In order for an attacker to be able to invert a ciphertext, he must therefore be able to calculate the value $g^{kx}$. Since $g$, $g^k$ and $g^x$ are known to the attacker and $g^{kx}$ is unknown, it is an instantiation of the CDH problem. Assuming that the CDH is hard, the probability that an attacker can invert the cryptosystem is not negligible. The cryptosystem is thus \textsf{OW-CPA} secure.
\item From the slides, we know that $C = M^e_1 \cdot M^e_2$. For this algorithm we can express this in $C = g^{xk} \cdot M$. We perform the man-in-the-middle attack:\\
$c = C/i^e, i \in \{1,2,...2^{l/2}\}$. If $c$ is not in the group of generator $g$, we have found $M$
\item Malice knows $C_1$ and $C_2$ after she has intercepted the ciphertext pair. She can then choose a random $R\xleftarrow{\$}\mathbb{Z}^*_N$ and computes $C'\leftarrow C_2\cdot R$. She will now send $(C_1,C')$ to Alice who decrypts the message and obtains $MR$. Because Malice chose $R$ earlier, she now has access to the original plaintext message $M$.
\end{enumerate}
\section*{Exercise 2}
\begin{enumerate}[label=(\alph*)]
\item The steps to calculate the signature pair $(r,s)$ are as follows:
\begin{enumerate}[label=\arabic*.]
\item Choose a random $k\xleftarrow{\$}\mathbb{Z}_{p-1}$.
\item Compute $r\leftarrow g^k\mod p$.
\item Compute $s\leftarrow (M-xr)k^{-1}\mod (p-1)$.
\item If $s = 0$, go to 1.
\end{enumerate}
\item An existential forgery can be made as follows:
\begin{enumerate}[label=\arabic*.]
\item Choose a random $k\xleftarrow{\$}\mathbb{Z}_{p-1}$.
\item Calculate $r\leftarrow g^ky\mod p$.
\item Calculate $s\leftarrow -r\mod (p-1)$.
\item The tuple $(r,s)$ is a valid forgery for the message $M = ks\mod (p-1)$.
\end{enumerate}
\end{enumerate}
\section*{Exercise 3}
The modified Pedersen bit commitment scheme is computationally binding and perfectly hiding. The proof for the binding property is by contradiction. Assuming that the commitment is not binding, i.e., we can create a second identical commitment with a different bit $B$ as follows:
\[ \mathsf{Comm}(pk,B,R_0) = \mathsf{Comm}(pk,1-B,R_1) = g^{R_0}\cdot h^{B+R_0} = g^{R_1}\cdot h^{1-B+R_1} \]
then \[ \log_g h = \frac{R_0-R_1}{R_0+R_1+1} \]
which contradicts with the assumption that $\log_g h$ is unknown to the parties and implies that the discrete logarithm problem is not hard. Therefore, the modified Pedersen bit commitment scheme is computationally binding.
The commitment scheme is (perfectly?) hiding because ...
\section*{Exercise 4}
A sigma-protocol is a three move protocol that satisfies the properties of completeness, special soundness and special honest verifier ZK. The protocol described in this exercise is a three move protocol. To see if this protocol is complete, we can rewrite the check $g^{z_1}_1 g^{z_2}_2 \stackrel{?}{=} ah^{ch}$ at the verifier:\\
\begin{align*}
g^{z_1}_1 g^{z_2}_2 &= ah^{ch} \text{ (mod }p) \\
g^{z_1}_1 g^{z_2}_2 &= g^{r1}_1 g^{r2}_2 \cdot (g^{w_1}_1 g^{w_2}_2)^{\text{ch}} \text{ (mod }p) \\
g^{z_1}_1 g^{z_2}_2 &= g^{r1}_1 g^{r2}_2 \cdot g^{\text{ch}w_1}_1 g^{\text{ch}w_2}_2 \text{ (mod }p) \\
g^{z_1}_1 g^{z_2}_2 &= g^{r1+\text{ch}w_1}_1 g^{r2+\text{ch}w_2}_2 \text{ (mod }p) \\
\end{align*}
From this we can see that $g^{z_1}_1 = g^{r1+\text{ch}w_1}_1 \rightarrow z_1 = r_1 + \text{ch}w_1$ and $g^{z_2}_2 = g^{r2+\text{ch}w_2}_2 \rightarrow z_2 = r_2 + \text{ch}w_2$. Since the prover and verifier can correctly execute the calculation and protocol, it is complete.\\\\
To prove that is has special soundness, we check if there is a way to retrieve sk ($w_1, w_2$) with non-negligible probability using two transcripts with the same commitment and different challenge:\\
\begin{align*}
z_1 - z_1' &= r_1 + \text{ch}w_1 - r_1 + \text{ch}'w_1 \\
z_1 - z_1' &= \text{ch}w_1 + \text{ch}'w_1 \\
z_1 - z_1' &= w_1(\text{ch} + \text{ch}') \\
\frac{z_1 - z_1'}{\text{ch} + \text{ch}'} &= w_1 \text{ and respectively }
\frac{z_2 - z_2'}{\text{ch} + \text{ch}'} = w_2
\end{align*}
$w_1$ and $w_2$ can be extracted with probability 1.\\
For honest verifier (Special HVZK), the distributions of the real transcripts and the simulated transcripts are the same. A valid transcript occurs with probability 1/2q for this protocol because two values are calculated. From this, we can say this is a $\Sigma$-protocol
\section*{Exercise 5}
\begin{enumerate}[label=(\alph*)]
\item The two secrets $R$ and $R'$ are the same because $R = [a]Q = [a][b]G$ and $R' = [b]P = [b][a]G$. Due to the commutative property, it does not matter if the point $G$ was first added to itself $a$ times and then $b$ times or first $b$ times and then $a$ times, that is $[a][b]G = [b][a]G$.
\item
\begin{enumerate}[label=\roman*.]
\item The command \texttt{E.cardinality()} shows the cardinality of $E(\mathbb{F}_p)$ to be 19.
\item The command \texttt{G.order()} gives 19. This is a good generator because the order of the point is the same as the curve's cardinality.
\item Alice's public key can be obtained with the command \texttt{P = 6*G} and $P = (16,13)$.
\item The shared secret $R = (10,11)$.
\item Bob's secret key is $b = 9$ because $[9](16,13) = (10,11)$, which is again the shared secret $R= (10,11)$.
\end{enumerate}
\item
\begin{enumerate}[label=\roman*.]
\item The value of $n/q = 8$, which is the cofactor. This factor should ideally be 1, but 4 and 8 are also generally accepted. This value implies that the generator can only generate an eighth of the curve's points, but it is sufficient because the prime order is large enough.
\item Our public key is \scriptsize
\begin{align*}
Px &= 37048414743519733025193263783831109212639304451100804104094977507780325771837 \\
Py &= 7948348303373633531074340512410840174332123202786516445812187645996223942543
\end{align*}
\normalsize
\item The shared secret is \scriptsize
\begin{align*}
Rx &= 12694057863029409910518855127562537703457904794426889564008604777220378465981 \\
Ry &= 13554456243083127232280450417120767460444645552951962238781744328587077080733
\end{align*}
\normalsize
\end{enumerate}
\end{enumerate}
\section*{Exercise 6}
\begin{enumerate}[label=(\alph*)]
\item Taking step c) from the verifying process:
\begin{align*}
X &= u_1G + u_2Q \\
X &= u_1G + u_2dG \\
X &= G(u_1+u_2d) \\
X &= G(hs^{-1} + rs^{-1}d) \\
X &= Gs^{-1}(h+rd) \\
X &= G((h+rd)k^{-1})^{-1}(h+rd) \\
X &= G(h+rd)^{-1}k(h+rd) \\
X &= kG
\end{align*}
The end result corresponds to the verification step e) where the first coordinate of $X$ is compared to the first coordinate of $kG$ calculated in step a) of the signing process. Therefore, ECDSA is correct for valid signatures.
\item The missing value $s$ for the signature $(r,s)$ can be calculated with $s = (h+ar)\cdot k^{-1}$ where $h$ is the hash of the message, $a$ Alice's secret, $r$ the previously calculated value and $k$ a random element of the field. The \texttt{int(k)} is necessary because \texttt{Fq.random\_element()} returns a ring object in Sage and multiplication with the elliptic curve point field $G$ is not defined. We thus get for the signature: \footnotesize
\begin{align*}
r &= 5080577922972882666513496014001877803493172471854768672263945088855495166288 \\
s &= 2637073733489748487924358892773309827435174182541522647977484900993507962816
\end{align*}
\normalsize
\item \footnotesize
\begin{align*}
r &= 1937039209107375661240824524720359737526758893291527738179502027465721858973 \\
s &= 2378717659329096634003140914832681825704082798955072152387029183634726006141 \\
u_1 &= 2911255932974061329969560309874680588580402019356170911152661181249118748824 \\
u_2 &= 2007528059246574562394093177126027656604930319942217580674640487635635869328 \\
x_1 &= 16411050363771900089187197650806348219240991612051342950183403904036630360951 \\
y_1 &= 20675209945797904937674417570524604472445689810721811044409633748696176799258
\end{align*}
\normalsize
It is the case that $x_1\mod q\equiv r$ and the signature is therefore valid.
\item If we know that both signatures have been created with the same $k$, we know that the relation between $s_1$ and $s_2$ is the difference between the two message hashes divided by $k$.
\begin{align*}
s_1 &= \frac{h_1+dR}{k}\quad\text{with } r_1=r_2=R \\
s_2 &= \frac{h_2+dR}{k}\quad\text{with } r_1=r_2=R \\
k &= \frac{h_1+dR}{s_1} = \frac{h_2+dR}{s_2} \\
k &= \frac{h_1-h_2}{s_1-s_2} \\
s_1-s_2 &= \frac{h_1-h_2}{k}
\end{align*}
\item The security of the signature is compromised once we know that the signer used the same $k$ for multiple signatures. Knowing this, it is possible to solve the equation from (d) for $d$ (the private key) and since all the other inputs are known, the private key is easily calculated.
\begin{align*}
k &= \frac{h_1+dR}{s_1} = \frac{h_2+dR}{s_2}\quad\text{with } r_1=r_2=R \\
\frac{h_1+dR}{s_1} &= \frac{h_2+dR}{s_2} \\
s_2h_1 + s_2dR &= s_1h_2 + s_1dR \\
s_2h_1 - s_1h_2 &= dR(s_1-s_2) \\
d &= (s_2h_1-s_1h_2)\cdot (R(s_1-s_2))^{-1}
\end{align*}
\item We take the same values for $r$, $s$, $u_1$ and $u_2$ from c). We then compute $X = \mathsf{int}(u_1)\cdot G + \mathsf{int}(u_2)\cdot Q_{oh no}$ and obtain $X = (x_1,y_1)$:
\footnotesize
\begin{align*}
x_1 &= 16411050363771900089187197650806348219240991612051342950183403904036630360951 \\
y_1 &= 20675209945797904937674417570524604472445689810721811044409633748696176799258
\end{align*}
\normalsize
Here we can already see that $x_1$ is the same as in c) and $x_1\mod q$ is therefore again the same as $r$ and the signature is valid.
\item The point $T$ is special because it has a very low order of 8. Multiplying $T$ by 8 will thus result in the identity element. If the normal point $Q_b$ and the special point $T$ are added and multiplied by 8, the result is the same as just multiplying the normal point $Q_b$ by 8. The point $T$ does not contribute to the end result.
The point $Q_{oh no}$ works as a public key because it is simply the next point in the subgroup generated by the generator $G$. The secret is just one step bigger.
\item Monero uses key images for spent outputs to determine if the output had already been spent before. The point $Q_b$ is used to create a key image for an unspent output and the transaction is submitted to the chain. The signature will verify correctly and the transaction is accepted. An attacker can use the second point $Q_{oh no}$ to construct a different key image for the same (seemingly) unspent output. Since the key image is also valid and verifies correctly, the transaction will again be accepted, allowing the adversary to double spend.
\item
\end{enumerate}
\end{document}

BIN
ass3/assignment3.pdf Normal file
View File

Binary file not shown.

7
ass4/.gitignore vendored Normal file
View File

@ -0,0 +1,7 @@
*.aux
*.fdb_latexmk
*.fls
*.log
*.out
ass4.pdf
*.synctex.gz

9
ass4/README.md Normal file
View File

@ -0,0 +1,9 @@
# Applied Cryptography Assignment 4
This assignment is about Public Key Cryptography.
## Goal
The goal of this assignment is to understand post-quantum cryptography at a high
level and hash based signatures and authenticated key exchange at a deeper
level.

118
ass4/ass4.tex Normal file
View File

@ -0,0 +1,118 @@
\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 4}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{May 25, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
\begin{enumerate}[label=(\alph*)]
\item A cryptosystem is post-quantum if there are no known attacks from adversaries with access to quantum computers. In other words, these systems do not rely on hard problems for which a quantum computer can find a solution efficiently.
\item We are interested in PQ cryptosystems because we want to be prepared for a future in which quantum computers are commonplace. Secure communication today depends on problems which are hard to solve. However, these problems are `easy' for quantum computers, which is why we have to base future cryptosystems on different problems, hence the interest in PQ cryptosystems.
\item The main advantage of PQ cryptography is that the algorithms can be executed on the devices we carry around today. Quantum cryptography needs specialized devices which can make use of the quantum mechanics used for Quantum Key Distribution, for example.
\item We assume that the special characters are:
\begin{verbatim}
! @ # $ % ^ & * ( ) ` - = [ ] \ ; ' , . / ~ _ + { } | : " < > ?
\end{verbatim}
We have 52 letters and 32 symbols. A 10 character password under this charset has $84^{10}$ possible combinations. Grover's algorithm allows search in $\mathcal{O}(\sqrt{n})$ (i.e. quadratic speedup over classical algorithms) and therefore finds a solution after $\sqrt{84^{10}} = 84^5$ tries. With current hardware, the password would be broken almost instantaneously.
\item If the adversary does not have a quantum computer, it will take $84^{10}\approx 2^{64}$ tries to get the password. A large computing cluster could maybe achieve around $2^{33}$ attempts per second. With this amount of computing power, the password would be found within $2^{64}/(2^{33}\cdot 86400\cdot 365) = 68$ years. This gives an average of 34 years to find the password.
\item The required length for 128 bits of security is double the intended amount of security, so $2^{128\cdot 2} = 2^{256}$. The symmetric key should be at least 256 bits long.
\item NIST recommends in their publication SP 800-57 Part 1 Rev. 5 a RSA keysize of 3072 to achieve 128 bits of security. Shor's algorithm allows a quantum adversary to factor integers in $\mathcal{O}(n^3)$. Bernstein et al. estimate in their paper \emph{Post-quantum RSA} that the key must be around 1 TB big ($2^{43}$ bits) to achieve comparable security to today.
\item The Learning with Errors (LWE) problem asks for the recovery of a secret $s\in\mathbb{Z}_q^n$ from a sequence of random linear equations with $s$ as the unknown variable. These linear equations are not exact but random. The following sequence is an example:
\begin{align*}
14s_1 + 15s_2 + 5s_3 + 2s_4&\approx 8\mod 17 \\
13s_1 + 14s_2 + 14s_3 + 6s_4&\approx 16\mod 17 \\
6s_1 + 10s_2 + 13s_3 + 1s_4&\approx 3\mod 17
\end{align*}
Each equation is correct but has a small error associated with it. The errors introduced into the equations are normally distributed. To solve the problem, we must recover $s$.
The secret value $s$ is the private key of the cryptosystem. To obtain the public key, we take $m$ random numbers and add them to a list $a$. We iterate over $a$ and construct a second list $b$. The values in $b$ are dependent on the values in $a$, the private key $s$ and a randomly sampled error $e$ from a normal distribution. The two lists $a$ and $b$ are the public key and can be distributed freely.
To encrypt a bit $M$, we calculate the tuple $(u,v)$:
\begin{align*}
u &= \sum_{i=1}^{m}{a_i} \\
v &= \sum_{i=1}^{m}{b_i} + \frac{q}{2}M
\end{align*}
$M$ is obtained again in the decryption step:
\[
M =
\begin{cases}
0\;\mathrm{if}\;v-su < \frac{q}{2} \\
1\;\mathrm{if}\;v-su \geq\frac{q}{2}
\end{cases}
\]
\end{enumerate}
\section*{Exercise 2}
\begin{enumerate}[label=(\alph*)]
\item The generalization uses 256-bit messages, thus $H_0$ should output a 256-bit length.
\item Each signature contains a message $M$ of 256 bytes = 0.25KiB, public key pk of $2 \cdot 256 \cdot 256$ bytes = 128 KiB and the Lamport's OTS signature $\text{Sign}_{sk}()$ of $256 \cdot 256$ bytes = 64 KiB. Each signature contains the previous signature except for the first signature.
The signature of the 12-th message is $(0.25\text{KiB} + 128\text{KiB} + 64\text{KiB}) \cdot 12 = 2307\text{KiB}$
\item In this scheme, the next public key is announced in the signature. Because of this, it is harder to create a forgery because the verifier reverifies the whole chain of signatures.
The disadvantage compared to MSS is that each signature requires the data of all previous signatures, which causes the signature to keep growing in size.
\item A forgery can be made because the next public key is removed from the signature:
\begin{enumerate}[label=\arabic*.]
\item The adversary requests a signature for message $M_1$ from the signing oracle.
\item The signing oracle returns
\[ \sigma_1 = (M_1, \text{pk}_2,\text{Sign}_{\text{sk}_1}(M_1), \sigma_0) \]
\item The adversary replaces the first pk with the second pk:
\[ \sigma'_1 = (M_1, \text{pk}_1, \text{Sign}_{\text{sk}_1}(M_1), \sigma_0) \]
\item The adversary forges a signature by reusing the first signature:
\[ \sigma'_2 = (M_1, \text{pk}_2, \text{Sign}_{\text{sk}_1}(M_1), \sigma_1) \]
\end{enumerate}
$\sigma'_2$ is a different signature for the same message $M_1$, thus a forgery was made.
\item The new signature looks like: $(M_i, \text{pk}_i, \text{pk}_{i+1}, \text{Sign}_{\text{sk}_1}(H_0(M_i, \text{pk}_{i+1})))$. Because the public key must be provided when verifying and the verifier has no knowledge of previous signatures, the adversary can provide a different key. A forgery can be made offline by using the same signature and hashing algorithm and creating the signature like above.
\item The adversary requests signature: $(M_1, \text{pk}_2, \text{Sign}_{\text{sk}_1}(H_0(M_1, \text{pk}_{2})), \sigma_0)$. The adversary then finds a second preimage $H_0(M, \text{pk}) = H_0(M', \text{pk})$. Since it results in the same signature using the same key, we get a correct signature, thus the adversary made a forgery.
\item The scheme can be made more efficient using the Merkle tree. In the current scheme, all previous signatures are provided which results in the chain increasing in size of time, whereas the Merkle tree only requires the hashes for the unused keys. Just like in the Merkle tree scheme, the signer returns the hashes for unknown values in the tree. The signature will look as follows:
$(M_i, , \text{pk}_i, \text{Sign}_{\text{sk}_i}(H_0(M_i, \text{pk}_m, \text{pk}_{i})), H_1, ..., H_j)$. The root node of the tree, $\text{pk}_m$ is already verified, and the hashes $H_0$ to $H_j$ are the leaves that have hashed unrevealed keys. The use of the Merkle tree removes the possibility of creating infinite signatures, but decreased the overall size, while still allowing the signatures to be authenticated.
\end{enumerate}
\section*{Exercise 3}
\begin{enumerate}[label=(\alph*)]
\item Attack 1: Machine A communicates to compromised machine E to shut itself off, but instead this command goes to machine B.
Attack 2: Alice deposits an amount on her account through bank B. Bank B thinks that Eve E deposited the money.
\item The SIGMA-I protocol lets the initiator verify the identity of the responder first. Machine E's attempt fails because machine E does not have access to the symmetric key for generating $K_M$ and $K_E$. This is because the signature prevents a MitM attack. E can only succeed if it creates a valid ciphertext containing a forged signature and MAC tag which is not feasible.
\item In case of attack 1, Alice thinks the responder is Eve and Bob thinks the initiator is Alice. When the identity of the receiver was sent, Eve was not able to forward Alice's signature to Bob because Eve is included in the signature. When the sender is included in the signature, Eve can resign Bob's signature to include Eve's own identity because this matches with what Alice knows. As for Bob, the received message came from Alice so this would also be correct. The same is true for attack 2.
\item The idea, where Alice and Bob put the shared key $K_{A,B}$ in their respective signatures, does not work. If Eve is in the middle, she can first forward Alice's $(Alice; A)$ message to Bob. Bob will then calculate his signature $\sigma_B = \mathsf{Sign}_{sk_B}(A,B,K_{B,A})$ and send $(Bob;B;\sigma_B)$ to Eve. Eve takes the signature inputs and constructs a new signature $\sigma_E = \mathsf{Sign}_{sk_E}(A,B,K_{B,A})$ with her private key. This signature is forwarded to Alice with $(Eve;B;\sigma_E)$. Alice verifies the signature with Eve's public key and constructs the signature $\sigma_A = \mathrm{Sign}_{sk_A}(B,A,K_{A,B})$ with her private key. Eve forwards this signature as is to Bob and Bob verifies it with Alice's public key.
Not only does Alice think she is talking to Eve and Bob thinks he is talking to Alice, they have also shared their secret key with Eve in the process. All subsequent communication encrypted with that same shared key is now compromised because Eve can decrypt everything.
If the identities are encrypted with the shared key, Eve will still be able to carry out the identity misbinding attack. Eve receives the shared key from Bob (assuming that it is sent in clear) and will therefore always be able to decrypt everything encrypted with that key. She can also encrypt her own identity with the shared key and it will look legitimate to Alice.
\end{enumerate}
\end{document}

BIN
ass4/assignment4.pdf Normal file
View File

Binary file not shown.

9
ass5/.gitignore vendored Normal file
View File

@ -0,0 +1,9 @@
*.aux
*.fdb_latexmk
*.fls
*.log
*.out
*.bbl
*.blg
ass5.pdf
*.synctex.gz

9
ass5/README.md Normal file
View File

@ -0,0 +1,9 @@
# Applied Cryptography Assignment 5
This assignment is about Symmetric and Asymmetric Cryptography.
## Goal
The goal of this assignment is to understand protocols and
frameworks such as the Double Ratchet protocol and the Noise
framework. Forward and backward secrecy as well as common attacks on TLS will be studied as well.

121
ass5/ass5.tex Normal file
View File

@ -0,0 +1,121 @@
\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage{apacite}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 5}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{June 8, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
\begin{enumerate}[label=(\alph*)]
\item \emph{Forward secrecy} states that even if an adversary would get ahold of long-term secrets, they would not be able to decrypt past communication. This is commonly achieved using session keys.
\emph{Backward secrecy}, on the other hand, is the opposite of forward secrecy. If long-term secrets are compromised, future communication should still be secret. This property is sometimes termed as \emph{self-healing} because a protocol is able to recover quickly from a compromise.
\item In order for Diff-Hellman to provide forward secrecy, the generated keys must be ephemeral as opposed to static.
\item Yes, it does provide forward secrecy because a new message key is generated from the previous chain key via \textsf{KDF}. If one message key gets leaked, the adversary is able to decrypt the ciphertext which was encrypted with that specific message key but not the other ciphertexts. If the adversary also gains access to the long-term secret $K$, the scheme is broken because all message and chain keys can be recomputed from the secret $K$.
Backward secrecy is also satisfied if only one $MK_i$ is leaked. Since the attacker does not have access to the chain keys, they are unable to compute the next message key.
\item If an attacker gets ahold of a chain key $CK_i$ at some point in time, all future communication is compromised because all subsequent chain and message keys depend on the leaked one.
\item Bob sends two messages back to Alice in the image from the assignment. If the third message ($N=3$) arrives \emph{before} the second message ($N=2$), Alice has to compute the key derivation twice to decrypt the third message. She now has to hold the key material for the second message in store until the message arrives. Alternatively, she could delete the keys for the second message after a certain amount of time has elapsed. Either way, this scenario is not desirable at all because the key material is sensitive and would allow an attacker to compromise all future communication if it were leaked.
\item Alice performs the following steps to decrypt $c_2$:
\begin{enumerate}[label=\arabic*.]
\item $SS_1\leftarrow B_{1}^{a_0}\pmod p$
\item $RK_1, CK_0^s\leftarrow\mathsf{KDF}(RK_0, SS_1)$
\item $CK_1^s, MK_1\leftarrow\mathsf{KDF}(CK_0^s)$
\item $m_2\leftarrow\mathsf{Dec}(MK_1,c_2)$
\end{enumerate}
She performs similar steps for $c_3$:
\begin{enumerate}[label=\arabic*.]
\item $CK_2^s, MK_2\leftarrow\mathsf{KDF}(CK_1^s)$
\item $m_3\leftarrow\mathsf{Dec}(MK_2,c_3)$
\end{enumerate}
$RK_i$ serves as the root chain in the Diffie-Hellman ratchet. The root keys are inputs to the next sending/receiving chain keys. $CK_i$ are chain keys which allow participants to derive individual message keys. The chain keys themselves are derived from the outputs of the Diffie-Hellman key exchange. Finally, $MK_i$ are the message keys used to encrypt individual messages.
\item In order for Alice to send a message back, she has to derive a new key pair from Bob's public key $B_1$. The new key pair allows her to generate a new sending/receiving chain from which a new message key will be generated. The new public key is again advertised to Bob with the increased nonce $N$ and the encrypted message.
\item If an attacker gets access to $RK_i$, they can encrypt and decrypt messages for as long as they want.
If an attacker gets access to $CK_i$, they can encrypt and decrypt messages as long as the root key has not been `forwarded' to the next one. Communication between the two parties would be compromised until one of the two responds to a message and the receiver updates the key pair.
If an attacker gets access to $MK_i$, they will only be able to decrypt one single message. Previous or future communication is not compromised.
\item The first ratchet (symmetric-key ratchet) happens when a new message key is derived from the chain key. Unfortunately, the naive protocol does not have a second ratchet because the chain keys are not updated with fresh Diffie-Hellman outputs.
\item Yes, this version is less secure. If the attacker gets ahold of one $MK_i$, they can derive all subsequent message keys and all future communication is compromised.
\end{enumerate}
\section*{Exercise 2}
\begin{enumerate}[label=(\alph*)]
\item The official nonce size for AES-GCM is 96 bits.
\item The effective nonce size for AES-GCM in Noise is 64 bits because the first 32 bits are encoded zeros.
\item A lower sized nonce has a higher probability producing the same value when combined with the counter, which could lead to an attack.
\item Wireguard uses BLAKE2s for hashing.
\item The output size for HMAC as used in Wireguard is 256 bits. The maximal key size is technically unlimited, but the key has to be hashed into the HMAC construction. Otherwise, the key is limited to the block size which is 256 bits.
\item BLAKE2s is already a keyed hash and it is unnecessary to use it in combination with HMAC if it is not used in HKDF. Therefore, just using BLAKE2s is sufficient.
\item In an HMAC construction, if the key is just one byte longer than the block size, the key and the hashed key produce the same digest for the same message. Therefore, to avoid this possibility, it might be advisable to directly use the keyed variant of BLAKE2s instead of the HMAC-BLAKE2s construction.
\end{enumerate}
\section*{Exercise 3}
\begin{enumerate}[label=(\alph*)]
\item When the standard (RFC 2313, 8.1) is used for encryption, then the message block is generated as follows:
|| 00 || 02 || padding string || 00 || data block ||\\
Let $n, e$ be an RSA public key and let $p, q, d$ be the corresponding private key.\\
The padding string are non-zero pseudo-random generated bytes with length\\
$k - 3 - |D|$, where $k$ is the byte length of $n$ and $|D|$ the byte length of data $D$.
The padding string is at least 8 bytes long.
\item The paper mentions that from previous research, that when the least significant bit of the plaintext can be predicted using an algorithm, then another algorithm exists that can decrypt the whole ciphertext. The attacker is able to ask the oracle if their chosen ciphertext is PKCS compliant. The method described in the paper tries to narrow down the range of which RPCS conforming messages exist, and then further narrow down the range of which the decrypted message exists. When the ranges overlap with only one value, the plaintext is acquired.
\item The blinding step means that the ciphertext is multiplied by by a encrypted random integer. RSA has the property that from decrypted data, the attack can retrieve the original message. In this attack, if the ciphertext already is PKCS conforming, then $s_0 = 1$.
\item After a positive answer from the oracle that it is PKCS conforming, a new interval is found for $m_0$, $s_i$ and $r$ where (mod $n$) $\equiv rn$. This is then used to further reduce the interval for finding the plaintext.
\item According to the paper, the probability that the first two bytes are 00 and 02 is $2^{-16} < \text{Pr}(A) < 2^{-8}$. Another property of PKCS is that the padding string must contain at least 8 non-zero bytes followed by a zero byte. The paper says that this probability is $0.18 < \text{Pr}(P|A) < 0.97$, hence we have $0.18 \cdot 2^{-16} < \text{Pr}(P|A) < 0.97 \cdot 2^{-8}$.
\item The latest version of TLS, 1.3 does not support RSA for key exchange so the following only holds for version 1.2 or lower.\\
Older versions of TLS use PKCS version 1.5 to encrypt RSA messages for the key exchange. It is possible to downgrade the used TLS version by modifing the version agreement through a MitM attack. Before agreeing on the final secret, the client generates 46 random bytes that acts as the premaster secret (PMS). The premaster secret is encrypted using the PKCS v1.5 padding.\\
The Bleichenbacher attack can take place whem the MitM attacker intercepts the encrypted PMS, which is the ciphertext. The attacker can then blind this ciphertext by generating the random integer and following the rest of the attack.
\begin{center}
\begin{tabular}{l c l c l}
Client & & Attacker (MitM) & & Server \\ \hline
ClientHello & $\longrightarrow$ & TLS downgrade & $\longrightarrow$ & ClientHello (downgraded) \\
RSA Key (server) & $\longleftarrow$ & & $\longleftarrow$ & RSA Key (server) \\
PMS $\xleftarrow{\$} \mathbb{Z}/N\mathbb{Z}$ & & & & \\
c = E(PMS, key$_{server}$) & $\longrightarrow$ & $(s_i)^e \cdot c$ & $\longrightarrow$ & verify($(s_i)^e \cdot c$) \\ \hline \hline
& & Continue attack & $\xleftarrow{SUCCESS}$ & \\ \hline \hline
& & Continue attack & $\xleftarrow{ERROR}$ & \\ \hline
Finished (changed) & $\longleftarrow$ & Match downgraded data & $\longleftarrow$ & Finished \\
\end{tabular}
\end{center}
\item
\begin{itemize}
\item DROWN \cite{drown2016} : This is an attack method used on TLS 1.2. This method works when servers also support an older version like SSLv2, which has more vulnerabilities. In many instances, the same shared key is used in both new and older versions of the protocol, so when the attacker retrieves this key, the packets of the old protocol can be recreated to the newer version using the same shared key, thus breaking newer versions of the protocol.
\item Morpheus \cite{morpheus2021}: This article goes deeper in the practical aspects of the classic attack. Because of the 30 second network timeout, the man in the middle attack must be performed fast. This article discusses how the process can be parallelized by attack servers with the same key certificate.
\item Fault Attacks on qDSA Signatures \cite{takahashi2018}: This method uses fault injections to do a full secret key recovery on ECDSA and Schnorr signatures. It uses partially revealed nonces for range reduction and then recovers the key using the Bleichenbacher attack.
\end{itemize}
\end{enumerate}
\bibliographystyle{apalike}
\bibliography{refs}
\end{document}

BIN
ass5/assignment5.pdf Normal file
View File

Binary file not shown.

36
ass5/refs.bib Normal file
View File

@ -0,0 +1,36 @@
@article{drown2016,
title = "DROWN: Breaking TLS using SSLv2",
author = "Nimrod Aviram, Sebastian Schinzel",
year = "2016",
institution = "Department of Electrical Engineering, Tel Aviv University, Münster University of Applied Sciences",
month = "01",
Date-Added = "2016-01-11 10:05:52",
note = "\url{https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_aviram.pdf}"
}
@article{takahashi2018,
title = "New Bleichenbacher Records: Fault Attacks on qDSA Signatures2",
author = "Akira Takahashi, Mehdi Tibouchi and Masayuki Abe",
year = "2018",
institution = "Kyoto University, NTT Secure Platform Laboratories",
note = "\url{https://eprint.iacr.org/2018/396.pdf}"
}
@inproceedings{morpheus2021,
author = {Yahyazadeh, Moosa and Chau, Sze Yiu and Li, Li and Hue, Man Hong and Debnath, Joyanta and Ip, Sheung Chiu and Li, Chun Ngai and Hoque, Endadul and Chowdhury, Omar},
title = {Morpheus: Bringing The (PKCS) One To Meet the Oracle},
year = {2021},
isbn = {9781450384544},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3460120.3485382},
doi = {10.1145/3460120.3485382},
abstract = {This paper focuses on developing an automatic, black-box testing approach called Morpheus to check the non-compliance of libraries implementing PKCS#1-v1.5 signature verification with the PKCS#1-v1.5 standard. Non-compliance can not only make implementations vulnerable to Bleichenbacher-style RSA signature forgery attacks but also can induce interoperability issues. For checking non-compliance, Morpheus adaptively generates interesting test cases and then takes advantage of an oracle, a formally proven correct implementation of PKCS#1-v1.5 signature standard, to detect non-compliance in an implementation under test. We have used Morpheus to test 45 implementations of PKCS#1-v1.5 signature verification and discovered that 6 of them are susceptible to variants of the Bleichenbacher-style low public exponent RSA signature forgery attack, 1 implementation has a buffer overflow, 33 implementations have incompatibility issues, and 8 implementations have minor leniencies. Our findings have been responsibly disclosed and positively acknowledged by the developers.},
booktitle = {Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security},
pages = {24742496},
numpages = {23},
keywords = {non-compliance checking, reference implementation, PKCS#1 signature verification, adaptive combinatorial testing},
location = {Virtual Event, Republic of Korea},
series = {CCS '21},
note = "\url{https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8835216}"
}