YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

CPSC 467a: Cryptography and Computer Security Handout #18
Professor M. J. Fischer December 7, 2006



Study Guide for Final Examination

1 Exam Coverage

The final exam will cover the entire course but with greater emphasis on the topics of lectures 14–24 that were not covered by the midterm exam. The course content is presented in several different formats:

  1. In-person class lectures.
  2. Written lecture notes, available on the course web site.
  3. Written handouts, available on the course web site. I draw your attention to the four handouts on the more mathematical aspects of the course:
  4. Textbook (Trappe and Washington), relevant sections from chapters 8–10, 12–14.
  5. Supplementary textbook (Talbot and Welsh), sections 6.1–6.3, relevant sections from chapters 8–11.
  6. Other resources available in the library and on the web.
  7. Problem sets and solutions.

2 Review Outline

Below I give a list of topics, concepts, definitions, theorems, algorithms, and protocols that we have covered and that I expect you to know. This list is not inclusive, as I’m sure I have missed some things.

  1. Digital signatures.
    1. Definition of a digital signature.
      • Signature.
      • Authenticated (signed) message.
      • Signature function.
      • Verification predicate.
    2. RSA digital signature scheme.
      • Commutative cryptosystems.
      • Signatures from non-commutative cryptosystems.
    3. Security of digital signatures.
      • Kinds of forgery attacks.
      • Signing random messages.
      • Signing message digests.
      • Differences between conventional and digital signatures.
      • Disavowal.
  2. Message digest (hash) functions.
    1. Desired properties.
      • One-way property.
      • Weak collision-free property.
      • Strong collision-free property.
    2. Relations among properties.
  3. Combining signatures with encryption.
  4. ElGamal signature algorithm.
  5. Digital signature algorithm (DSA).
  6. Common hash functions.
    1. SHA–1.
    2. MD5.
  7. Extending fixed-length hash functions.
    1. Doubling the reduction amount.
    2. A general chaining method.
    3. Hash functions do not always look random.
  8. Birthday Attack.
    1. Birthday paradox.
    2. Relevance to hash functions.
  9. Hash from cryptosystem.
    1. Techniques for building hash from cryptosystem.
    2. Possible problems with this approach.
  10. Authentication using passwords.
    1. Passwords.
      • Insecure when sent in clear.
      • Bob learns Alice’s password during normal use.
    2. Secure password storage.
      • Problems securing storage.
      • Encrypted passwords.
    3. Dictionary attacks.
      • How does it work?
      • Salt.
      • Why does salt help?
  11. Authentication while preventing impersonation.
    1. Challenge-response authentication protocols.
      • Basic challenge-response idea.
      • Security problem having Alice sign random strings.
      • Attempts to patch basic protocol.
    2. Simplified Feige-Fiat-Shamir authentication protocol.
      • Relies on difficulty of finding square roots mod n = pq.
      • Alice’s secret is square root of public number.
      • Simple protocol must be repeated.
    3. Cheating Alice.
      • Must fool Bob on each of t rounds.
      • Ability to answer both challenges on some round implies can compute √ ----
  v-1.
      • Otherwise, success probability 12t.
    4. Cheating Bob.
      • Restricted query set limits cheating Bob’s power.
      • Cheating Bob only learns random quadratic residue and one square root.
  12. Interactive proofs.
    1. Secret cave protocol.
    2. ZKIP for graph isomorphism.
      • Graph isomorphism.
      • Isomorphism problem.
      • Prover (Alice).
      • Verifier (Bob).
      • Why doesn’t Bob learn Alice’s s secret?
    3. Relationship between ZKIP and secret splitting.
    4. Interactive proof of graph non-isomorphism.
      • Non-isomorphism problem is essentially different from isomorphism problem.
      • Form of protocol is quite different.
      • Probably not zero knowledge.
  13. Bit commitment.
    1. Definition.
      1. Commitment hides Alice’s bit.
      2. Alice can open her commitment.
      3. Alice can’t reveal incorrect value.
    2. Use of bit-commitment ideas in non-isomorphism protocol.
  14. Definition of zero knowledge via simulation.
    1. Zero-knowledge is property of Alice’s protocol only.
    2. Compares power of arbitrary algorithms:
      • That interact with Alice.
      • That do not interact with Alice.
    3. Alice’s protocol is zero knowledge if both kinds of algorithms have same power.
  15. Composing Zero-Knowledge Proofs.
    1. Serial execution.
      • Preserves zero knowledge.
      • Many interactions.
    2. Parallel execution.
      • Not provably zero knowledge.
      • More efficient, fewer interactions.
  16. Full Feige-Fiat-Shamir authentication protocol.
    1. Combines parallel and serial execution ideas.
    2. Provably zero knowledge when parallelism sufficiently restricted.
    3. Less bandwidth than parallel execution of simple protocol.
  17. Non-interactive “interactive” proofs.
    1. Alice simulates interactive proof; sends result to Bob.
    2. Bob needs assurance that Alice can’t “cook” challenge bits.
    3. Allows Bob to impersonate Alice to Carol by replaying proof.
    4. Feige-Fiat-Shamir signatures.
      • Based on non-interactive version of FFS protocol.
      • Uses hash function to generate query bits.
  18. Secret splitting.
    1. Splitting secret into two shares using XOR.
    2. Splitting secret into multiple shares.
      • Definition of what a (τ,k) threshold scheme is.
      • Lagrange interpolation
      • Shamir’s scheme based on polynomials.
      • Why fewer than τ shares give no information about secret.
    3. Extensions.
      • Verifiable secret sharing.
      • Fault tolerance.
  19. Bit-commitment problem.
    1. Terminology and concepts.
      • Commitment, blob, cryptographic envelope.
      • commit(b).
      • open(c).
    2. Commitment using symmetric cryptography.
      • Why one-time pad does not work for bit-commitment.
      • Commitment protocol using suitable symmetric cryptosystem.
      • Commitment protocol using hash functions.
      • Commitment protocol using PRSG.
    3. Abstract bit-commitment schemes.
      • Defining properties.
      • Generic protocol.
  20. Coin-flipping problem.
    1. Problem definition.
    2. Solution using blobs.
  21. Locked box paradigm.
    1. Coin-flipping using boxes with multiple locks.
    2. Commutative cryptosystems.
      • Definition.
      • RSA variation useful for implementing electronic locked boxes.
      • Security properties of the RSA variation.
    3. Coin-flipping protocol using commutative cryptosystems.
    4. Card dealing using locked boxes.
  22. Oblivious transfer.
    1. Oblivious transfer of a secret.
      • The problem.
      • Rabin’s protocol.
      • Potential problem with Rabin’s protocol.
      • Fix using zero-knowledge proof of knowledge of a square root.
    2. One-out-of-two oblivious transfer.
      • The problem.
      • Protocol using two PKS key pairs.
  23. Pseudorandom sequence generation.
    1. Concepts:
      • What is a PRSG?
      • Why does the seed need to be random?
      • What does it mean for a string to look random?
    2. Blum-Blum-Shub PRSG
      • Blum integers.
      • BBS algorithm.
  24. Notions of randomness.
    1. Indistinguishability.
      • Probabilistic polynomial time Turing machine.
      • Judges.
      • What it means to be a cryptographically strong PRSG.
    2. Next-bit prediction.
    3. Building a judge from a next-bit predictor.
    4. Previous-bit prediction.
    5. Construction of a next-bit predictor from a previous-bit predictor.
    6. Security of BBS PRSG.
  25. Kerberos.
    1. Parties involved: Trusted server, Alice, Bob.
    2. Uses symmetric cryptography only.
    3. Simplified protocol (see notes).
      • Nonce.
      • Timestamp.
      • Lifetime.
      • Ticket.
      • Authenticator.
      • Why is authenticator needed? Why isn’t a ticket enough?
    4. Security of Kerberos.
      • What kinds of attacks was Kerberos designed to resist?
      • What kinds of attacks is it possibly subject to?
    5. Practical considerations in real protocol.
  26. Secure shell (SSH)
    1. Purpose: secure communication between terminal and server.
    2. Asymmetric cryptography used for authentication and key exchange.
    3. Traffic encrypted with randomly-generated session key.
    4. Designed for ease of use.
  27. Secure socket layer (SSL)
    1. Encrypts traffic at the ISO transport layer.
    2. Basis for Transport Layer Security (TLS) protocol (compatible with SSLv3).
    3. Operates between peers.
    4. Uses X.503(v3) certificates to obtain public keys.
    5. Performs secure key exchange to establish a session key.
  28. Foundations of cryptography.
    1. Goal: To define carefully what “hard to compute” means.
    2. Negligible functions.
    3. Strong one-way functions.
    4. Functions assumed without proof to be strong one-way:
      1. Discrete log
      2. Factoring
    5. Theorem: Existence of strong one-way functions implies P⁄=NP .