zenon/applied-cryptography
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
applied-cryptography/ass4/ass4.tex
Tobias Eidelpes fbee5b825e Initial commit
2022-06-10 13:37:13 +02:00

119 lines
10 KiB
TeX
Raw Blame History

\documentclass[a4paper,12pt]{article}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
\title{Applied Cryptography -- Assignment 4}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{May 25, 2022}
\begin{document}
\maketitle
\section*{Exercise 1}
\begin{enumerate}[label=(\alph*)]
\item A cryptosystem is post-quantum if there are no known attacks from adversaries with access to quantum computers. In other words, these systems do not rely on hard problems for which a quantum computer can find a solution efficiently.
\item We are interested in PQ cryptosystems because we want to be prepared for a future in which quantum computers are commonplace. Secure communication today depends on problems which are hard to solve. However, these problems are `easy' for quantum computers, which is why we have to base future cryptosystems on different problems, hence the interest in PQ cryptosystems.
\item The main advantage of PQ cryptography is that the algorithms can be executed on the devices we carry around today. Quantum cryptography needs specialized devices which can make use of the quantum mechanics used for Quantum Key Distribution, for example.
\item We assume that the special characters are:
\begin{verbatim}
! @ # $ % ^ & * ( ) ` - = [ ] \ ; ' , . / ~ _ + { } | : " < > ?
\end{verbatim}
We have 52 letters and 32 symbols. A 10 character password under this charset has $84^{10}$ possible combinations. Grover's algorithm allows search in $\mathcal{O}(\sqrt{n})$ (i.e. quadratic speedup over classical algorithms) and therefore finds a solution after $\sqrt{84^{10}} = 84^5$ tries. With current hardware, the password would be broken almost instantaneously.
\item If the adversary does not have a quantum computer, it will take $84^{10}\approx 2^{64}$ tries to get the password. A large computing cluster could maybe achieve around $2^{33}$ attempts per second. With this amount of computing power, the password would be found within $2^{64}/(2^{33}\cdot 86400\cdot 365) = 68$ years. This gives an average of 34 years to find the password.
\item The required length for 128 bits of security is double the intended amount of security, so $2^{128\cdot 2} = 2^{256}$. The symmetric key should be at least 256 bits long.
\item NIST recommends in their publication SP 800-57 Part 1 Rev. 5 a RSA keysize of 3072 to achieve 128 bits of security. Shor's algorithm allows a quantum adversary to factor integers in $\mathcal{O}(n^3)$. Bernstein et al. estimate in their paper \emph{Post-quantum RSA} that the key must be around 1 TB big ($2^{43}$ bits) to achieve comparable security to today.
\item The Learning with Errors (LWE) problem asks for the recovery of a secret $s\in\mathbb{Z}_q^n$ from a sequence of random linear equations with $s$ as the unknown variable. These linear equations are not exact but random. The following sequence is an example:
\begin{align*}
14s_1 + 15s_2 + 5s_3 + 2s_4&\approx 8\mod 17 \\
13s_1 + 14s_2 + 14s_3 + 6s_4&\approx 16\mod 17 \\
6s_1 + 10s_2 + 13s_3 + 1s_4&\approx 3\mod 17
\end{align*}
Each equation is correct but has a small error associated with it. The errors introduced into the equations are normally distributed. To solve the problem, we must recover $s$.
The secret value $s$ is the private key of the cryptosystem. To obtain the public key, we take $m$ random numbers and add them to a list $a$. We iterate over $a$ and construct a second list $b$. The values in $b$ are dependent on the values in $a$, the private key $s$ and a randomly sampled error $e$ from a normal distribution. The two lists $a$ and $b$ are the public key and can be distributed freely.
To encrypt a bit $M$, we calculate the tuple $(u,v)$:
\begin{align*}
u &= \sum_{i=1}^{m}{a_i} \\
v &= \sum_{i=1}^{m}{b_i} + \frac{q}{2}M
\end{align*}
$M$ is obtained again in the decryption step:
\[
M =
\begin{cases}
0\;\mathrm{if}\;v-su < \frac{q}{2} \\
1\;\mathrm{if}\;v-su \geq\frac{q}{2}
\end{cases}
\]
\end{enumerate}
\section*{Exercise 2}
\begin{enumerate}[label=(\alph*)]
\item The generalization uses 256-bit messages, thus $H_0$ should output a 256-bit length.
\item Each signature contains a message $M$ of 256 bytes = 0.25KiB, public key pk of $2 \cdot 256 \cdot 256$ bytes = 128 KiB and the Lamport's OTS signature $\text{Sign}_{sk}()$ of $256 \cdot 256$ bytes = 64 KiB. Each signature contains the previous signature except for the first signature.
The signature of the 12-th message is $(0.25\text{KiB} + 128\text{KiB} + 64\text{KiB}) \cdot 12 = 2307\text{KiB}$
\item In this scheme, the next public key is announced in the signature. Because of this, it is harder to create a forgery because the verifier reverifies the whole chain of signatures.
The disadvantage compared to MSS is that each signature requires the data of all previous signatures, which causes the signature to keep growing in size.
\item A forgery can be made because the next public key is removed from the signature:
\begin{enumerate}[label=\arabic*.]
\item The adversary requests a signature for message $M_1$ from the signing oracle.
\item The signing oracle returns
\[ \sigma_1 = (M_1, \text{pk}_2,\text{Sign}_{\text{sk}_1}(M_1), \sigma_0) \]
\item The adversary replaces the first pk with the second pk:
\[ \sigma'_1 = (M_1, \text{pk}_1, \text{Sign}_{\text{sk}_1}(M_1), \sigma_0) \]
\item The adversary forges a signature by reusing the first signature:
\[ \sigma'_2 = (M_1, \text{pk}_2, \text{Sign}_{\text{sk}_1}(M_1), \sigma_1) \]
\end{enumerate}
$\sigma'_2$ is a different signature for the same message $M_1$, thus a forgery was made.
\item The new signature looks like: $(M_i, \text{pk}_i, \text{pk}_{i+1}, \text{Sign}_{\text{sk}_1}(H_0(M_i, \text{pk}_{i+1})))$. Because the public key must be provided when verifying and the verifier has no knowledge of previous signatures, the adversary can provide a different key. A forgery can be made offline by using the same signature and hashing algorithm and creating the signature like above.
\item The adversary requests signature: $(M_1, \text{pk}_2, \text{Sign}_{\text{sk}_1}(H_0(M_1, \text{pk}_{2})), \sigma_0)$. The adversary then finds a second preimage $H_0(M, \text{pk}) = H_0(M', \text{pk})$. Since it results in the same signature using the same key, we get a correct signature, thus the adversary made a forgery.
\item The scheme can be made more efficient using the Merkle tree. In the current scheme, all previous signatures are provided which results in the chain increasing in size of time, whereas the Merkle tree only requires the hashes for the unused keys. Just like in the Merkle tree scheme, the signer returns the hashes for unknown values in the tree. The signature will look as follows:
$(M_i, , \text{pk}_i, \text{Sign}_{\text{sk}_i}(H_0(M_i, \text{pk}_m, \text{pk}_{i})), H_1, ..., H_j)$. The root node of the tree, $\text{pk}_m$ is already verified, and the hashes $H_0$ to $H_j$ are the leaves that have hashed unrevealed keys. The use of the Merkle tree removes the possibility of creating infinite signatures, but decreased the overall size, while still allowing the signatures to be authenticated.
\end{enumerate}
\section*{Exercise 3}
\begin{enumerate}[label=(\alph*)]
\item Attack 1: Machine A communicates to compromised machine E to shut itself off, but instead this command goes to machine B.
Attack 2: Alice deposits an amount on her account through bank B. Bank B thinks that Eve E deposited the money.
\item The SIGMA-I protocol lets the initiator verify the identity of the responder first. Machine E's attempt fails because machine E does not have access to the symmetric key for generating $K_M$ and $K_E$. This is because the signature prevents a MitM attack. E can only succeed if it creates a valid ciphertext containing a forged signature and MAC tag which is not feasible.
\item In case of attack 1, Alice thinks the responder is Eve and Bob thinks the initiator is Alice. When the identity of the receiver was sent, Eve was not able to forward Alice's signature to Bob because Eve is included in the signature. When the sender is included in the signature, Eve can resign Bob's signature to include Eve's own identity because this matches with what Alice knows. As for Bob, the received message came from Alice so this would also be correct. The same is true for attack 2.
\item The idea, where Alice and Bob put the shared key $K_{A,B}$ in their respective signatures, does not work. If Eve is in the middle, she can first forward Alice's $(Alice; A)$ message to Bob. Bob will then calculate his signature $\sigma_B = \mathsf{Sign}_{sk_B}(A,B,K_{B,A})$ and send $(Bob;B;\sigma_B)$ to Eve. Eve takes the signature inputs and constructs a new signature $\sigma_E = \mathsf{Sign}_{sk_E}(A,B,K_{B,A})$ with her private key. This signature is forwarded to Alice with $(Eve;B;\sigma_E)$. Alice verifies the signature with Eve's public key and constructs the signature $\sigma_A = \mathrm{Sign}_{sk_A}(B,A,K_{A,B})$ with her private key. Eve forwards this signature as is to Bob and Bob verifies it with Alice's public key.
Not only does Alice think she is talking to Eve and Bob thinks he is talking to Alice, they have also shared their secret key with Eve in the process. All subsequent communication encrypted with that same shared key is now compromised because Eve can decrypt everything.
If the identities are encrypted with the shared key, Eve will still be able to carry out the identity misbinding attack. Eve receives the shared key from Bob (assuming that it is sent in clear) and will therefore always be able to decrypt everything encrypted with that key. She can also encrypt her own identity with the shared key and it will look legitimate to Alice.
\end{enumerate}
\end{document}
Reference in New Issue View Git Blame Copy Permalink