Basic key exchange

As we all know, establishing a key between senders and receivers is a difficult and confusing problem. In the early years, cryptologists had already considered having every user hold everyone else's keys within a key cycle, as in Fig. 1:
Fig. 1 - taken from Dan Boneh (the crypto system class)
Obviously, Fig. 1 shows that storing everyone else's keys is inefficient: every user has O(n) keys.
Then there is another way, which uses a third party: the **Online Trusted Third Party (TTP)**. This way, every user only remembers one key (Fig. 2).
Fig. 2 - taken from Dan Boneh (the crypto system class)
There is no doubt that the TTP follows a toy protocol. Suppose Alice wants a shared key with Bob. At the beginning, Alice sends the messages and her keys to the TTP, then the TTP chooses a random key $k_{ab}$ and sends $E(k_a, \text{"A,B"} \,\|\, k_{ab})$; the same applies with Bob as the sender. $(E, D)$ is CPA secure, which means an eavesdropper learns nothing about $k_{ab}$. At the same time, however, we consider it insecure against active attacks.


Here we need to review what CPA is.

CPA: chosen-plaintext attack
The attacker sends some plaintexts to an encryption oracle. The oracle encrypts these messages and sends the results to the adversary. In this way the adversary can learn about keys and use these keys to encrypt any messages he wants. For example, he sends two different messages to the oracle, and the oracle encrypts one of them. If the adversary guesses which plaintext was encrypted, the attack is successful.

Why do we say that the TTP is CPA secure?

Because when Alice (the sender) sends a message to Bob, Bob never learns anything about Alice's keys. The most the adversary could possibly know is keys of the TTP. So we consider the TTP scheme CPA secure.


Now we review what active attacks are

Active attack is a broad concept. There are many such attacks, for example replay attacks and DoS.

Why do we say that the TTP is insecure against replay attacks?

Because an attacker can record the session between Alice and the merchant Bob. For example, Alice wants to buy a book; when Bob receives Alice's request, he responds with a book. During this process the attacker can record the session. The attacker can then pretend to be Alice to get the same book (the attacker replays the session to Bob), and Bob thinks Alice is ordering another copy of the book. So we say that the TTP is insecure against replay attacks.

Now we consider another method, one that does not depend on an online trusted third party. Since the 1970s, public-key cryptography has received attention. The main works in this field are Merkle (1974), Diffie-Hellman (1976) and RSA (1977). We now describe them in detail.


Merkle Puzzles

The main idea is puzzles. For example, $E(k, m)$ is a symmetric system with $k \in \{0,1\}^{128}$, and we define

$$P = 0^{96} \,\|\, b_1 \ldots b_{32}$$

The goal is to find $P$ by trying all $2^{32}$ possibilities. Now we describe the process in detail. Alice prepares $2^{32}$ puzzles and sends each puzzle in the form

$$E(0^{96} \,\|\, P_i,\ \text{"Puzzle \#} x_i\text{"} \,\|\, k_i)$$

Bob chooses a puzzle to solve and sends $x_i$ to Alice. Since Alice already knows $x_i$, she knows the key $k_i$. Alice and Bob therefore each spend $O(n)$ (one prepares $n$ puzzles, the other solves one puzzle), but an eavesdropper has to solve $n$ puzzles, and each puzzle takes time $n$ to solve, so $O(n^2)$.
Although Merkle puzzles remove the dependence on an online trusted third party, a quadratic gap ($O(n^2)$) is not secure enough against attacks. And while we cannot figure out a better gap to solve the problem, roughly speaking, a quadratic gap is possible if we treat the cipher as a black-box oracle.
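The puzzle exchange above as runnable code, counting trial decryptions for Bob and for an eavesdropper. This is an added example, not code from the original post or the course; the puzzle space is cut from $2^{32}$ to $2^{10}$ so it finishes quickly, and `toy_E` (a SHAKE-256 XOR keystream) is a constructed stand-in for $E$.

```python
import hashlib
import secrets

PUZZLE_BITS = 10            # the text uses 32; reduced so the demo runs quickly
N = 2 ** PUZZLE_BITS        # number of puzzles and size of each puzzle's key space
TAG = b"Puzzle#"

def toy_E(key: bytes, msg: bytes) -> bytes:
    """Stand-in for E(k, m): XOR with a SHAKE-256 keystream (demo only).
    Because it is an XOR, the same function also serves as D(k, c)."""
    stream = hashlib.shake_256(key).digest(len(msg))
    return bytes(m ^ s for m, s in zip(msg, stream))

def puzzle_key(p: int) -> bytes:
    """128-bit key 0...0 || P, where only the low PUZZLE_BITS bits vary."""
    return p.to_bytes(16, "big")

def alice_prepare():
    """Build N puzzles E(0..0||P_i, TAG || x_i || k_i) and Alice's x_i -> k_i table."""
    table, puzzles = {}, []
    for _ in range(N):
        x, k = secrets.token_bytes(16), secrets.token_bytes(16)
        table[x] = k
        puzzles.append(toy_E(puzzle_key(secrets.randbelow(N)), TAG + x + k))
    return puzzles, table

def solve(puzzle: bytes):
    """Try every P until the plaintext starts with the tag; return (x, k, trials)."""
    for p in range(N):
        pt = toy_E(puzzle_key(p), puzzle)
        if pt.startswith(TAG):
            return pt[7:23], pt[23:39], p + 1
    raise ValueError("no puzzle key found")

def run_exchange():
    puzzles, table = alice_prepare()                     # Alice: O(n) work
    x, k_bob, bob_work = solve(secrets.choice(puzzles))  # Bob: O(n) work
    k_alice = table[x]                                   # x_i travels in the clear
    eve_work = 0
    for pz in puzzles:                 # eavesdropper: solve puzzles until x_i matches
        ex, k_eve, trials = solve(pz)
        eve_work += trials
        if ex == x:
            break
    return k_alice, k_bob, k_eve, bob_work, eve_work

if __name__ == "__main__":
    ka, kb, ke, bw, ew = run_exchange()
    print(f"keys agree: {ka == kb}; Bob trials: {bw}; eavesdropper trials: {ew}")
```

The eavesdropper recovers the same key, only at roughly $n$ times Bob's cost, which is the quadratic gap in practice.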


The Diffie-Hellman protocol

Now we consider an exponential gap. The idea, which is based on primes, is as follows:
Fix a large prime $p$ (e.g. 600 digits) and a fixed integer $g$ in $\{1, \ldots, p\}$.
Alice selects an integer $a$ in $\{1, \ldots, p-1\}$ and sends $g^a \bmod p$ to Bob; Bob selects an integer $b$ in $\{1, \ldots, p-1\}$ and sends $g^b \bmod p$ to Alice. How is the shared key determined? It is $g^{ab} \bmod p$.
Proof (writing $A = g^a \bmod p$ and $B = g^b \bmod p$ for the two transmitted values):

$$B^a \pmod p = g^{ba} \pmod p = A^b \pmod p$$

Why do we say the DH protocol is secure?

Here we do not discuss the adversary's attacks. The DH protocol can be considered secure in the sense that an attacker has to pay a huge price. For example, if $p$ is $n$ bits long, the cost of computing $D(g^a, g^b) = g^{ab} \bmod p$ is about $e^{O(n^3)}$. (Warning: $n^3$ has a coefficient.) But as the cipher key size increases, the modulus size increases as well. To deal with oversized moduli, we introduce elliptic curves. However, the protocol is insecure against man-in-the-middle attacks (active attacks).

Insecure against man-in-the-middle

Suppose Alice sends $g^a$ to Bob, but the adversary obtains it, changes it into $g^{a'}$ and sends that to Bob. Then Bob sends $g^b$ to Alice, and the adversary changes it into $g^{b'}$ and sends that to Alice. From the first step the adversary gets $g^{a'b}$, and from the next step the adversary gets $g^{ab'}$. So we say that the DH protocol cannot resist a man-in-the-middle.
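The exchange and the substitution described above, as an added example (not code from the original post): it shows that an honest run yields one key, that a tampered run leaves Alice and Bob with different keys, and that comparing a key fingerprint exposes the mismatch. The small prime, the base `G = 3`, and the assumption that fingerprints can be compared over a separate authenticated channel are choices made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters: p is the Mersenne prime 2^127 - 1, far smaller than
# the roughly 600-digit prime the text calls for; g = 3 is an arbitrary base.
P = 2**127 - 1
G = 3

def keypair():
    """Pick a secret exponent in {1,...,p-1}; return (secret, g^secret mod p)."""
    s = secrets.randbelow(P - 1) + 1
    return s, pow(G, s, P)

def shared(secret: int, received: int) -> int:
    """received^secret mod p, e.g. B^a on Alice's side."""
    return pow(received, secret, P)

def fingerprint(key: int) -> str:
    """Short digest of the derived key, to be compared over an authenticated channel."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()[:16]

def keys_match(k1: int, k2: int) -> bool:
    """True when both parties derived the same key."""
    return hmac.compare_digest(fingerprint(k1), fingerprint(k2))

def honest_run():
    a, A = keypair()
    b, B = keypair()
    return shared(a, B), shared(b, A)          # both equal g^(ab) mod p

def tampered_run():
    """The substitution from the text: Bob receives g^a', Alice receives g^b'."""
    a, A = keypair()
    b, B = keypair()
    a2, A2 = keypair()                         # a' and g^a'
    b2, B2 = keypair()                         # b' and g^b'
    k_alice, k_bob = shared(a, B2), shared(b, A2)           # g^(ab') and g^(a'b)
    k_mid_alice, k_mid_bob = shared(b2, A), shared(a2, B)   # what the middle party holds
    return k_alice, k_bob, k_mid_alice, k_mid_bob

if __name__ == "__main__":
    print("honest keys match:", keys_match(*honest_run()))
    ka, kb, _, _ = tampered_run()
    print("tampered keys match:", keys_match(ka, kb))
```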


Public-key encryption

We define a public-key encryption system as a triple of algorithms $(G, E, D)$.
$G()$: randomized alg. that outputs a key pair $(pk, sk)$ (public key, private key)
$E(pk, m)$: randomized alg. that takes $m \in M$ and outputs $c \in C$
$D(sk, c)$: randomized alg. that takes $c \in C$ and outputs $m \in M$ or
The property of public-key encryption is consistency:

$$\forall (pk, sk) \text{ output by } G:$$
$$\forall m \in M:\ D(sk, E(pk, m)) = m$$

The process can be described as follows:
Alice sends pk and message m to Bob, then Bob encrypts m using pk. Finally, Bob sends the result to Alice, and Alice decrypts it using sk.
But public-key encryption is insecure against man-in-the-middle attacks. The principle is similar to the DH protocol mentioned above.

How to construct the public-key protocol

