another look at provable security
play

Another Look at Provable Security Alfred Menezes (joint work with - PowerPoint PPT Presentation

Feb 17, 2023 •399 likes •1.32k views

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

  1. Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 – 1

  2. Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or primitive S . Provable security entails: 1. A security definition that captures the capabilities and goals of the adversary. 2. A statement of assumptions about S . 3. A reductionist security proof: S ≤ A , where A is a hypothetical adversary who breaks P . – 2

  3. Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or primitive S . Provable security entails: 1. A security definition that captures the capabilities and goals of the adversary. 2. A statement of assumptions about S . 3. A reductionist security proof: S ≤ A , where A is a hypothetical adversary who breaks P . Question: What security assurances does the proof provide when protocol P is deployed in practice? – 2

  4. Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or primitive S . Provable security entails: 1. A security definition that captures the capabilities and goals of the adversary. 2. A statement of assumptions about S . 3. A reductionist security proof: S ≤ A , where A is a hypothetical adversary who breaks P . Question: What security assurances does the proof provide when protocol P is deployed in practice? This talk will examine three difficulties with assessing security proofs: (i) Tightness of the proof; (ii) Multi-user setting; (iii) Non-uniform complexity model. For concreteness, I will focus on MAC schemes. – 2

  5. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. – 3

  6. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. – 3

  7. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. – 3

  8. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. • Anonymous referee: “These papers have elicited a wide variety of reactions from the cryptographic community, ranging from visceral hatred to adulation.” – 3

  9. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. • Anonymous referee: “These papers have elicited a wide variety of reactions from the cryptographic community, ranging from visceral hatred to adulation.” • Anonymous referee (in reference to our criticisms of the field of leakage resilience): “What, one must wonder, lies behind this desire to commit infanticide?” – 3

  10. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. • Anonymous referee: “These papers have elicited a wide variety of reactions from the cryptographic community, ranging from visceral hatred to adulation.” • Anonymous referee (in reference to our criticisms of the field of leakage resilience): “What, one must wonder, lies behind this desire to commit infanticide?” ◮ Disclaimer: No babies were killed in preparation for this talk. – 3

  11. Does Tightness Matter? – 4

  12. Tightness gap ◮ P = protocol, S = computational problem/primitive. ◮ Suppose A is an algorithm that breaks P . Suppose A takes time at most T and is successful with probability at least ǫ . ◮ A reduction of S to A (written S ≤ A ) is an algorithm R that solves S using A as a subroutine. ◮ Suppose that R takes time T ′ for a proportion at least ǫ ′ of the instances of S . ◮ Thus, if S is ( T ′ , ǫ ′ ) -secure, then P is ( T, ǫ ) -secure. – 5

  13. Tightness gap ◮ P = protocol, S = computational problem/primitive. ◮ Suppose A is an algorithm that breaks P . Suppose A takes time at most T and is successful with probability at least ǫ . ◮ A reduction of S to A (written S ≤ A ) is an algorithm R that solves S using A as a subroutine. ◮ Suppose that R takes time T ′ for a proportion at least ǫ ′ of the instances of S . ◮ Thus, if S is ( T ′ , ǫ ′ ) -secure, then P is ( T, ǫ ) -secure. ◮ The reduction R is tight if T ′ ≈ T and ǫ ′ ≈ ǫ . – 5

  14. Tightness gap ◮ P = protocol, S = computational problem/primitive. ◮ Suppose A is an algorithm that breaks P . Suppose A takes time at most T and is successful with probability at least ǫ . ◮ A reduction of S to A (written S ≤ A ) is an algorithm R that solves S using A as a subroutine. ◮ Suppose that R takes time T ′ for a proportion at least ǫ ′ of the instances of S . ◮ Thus, if S is ( T ′ , ǫ ′ ) -secure, then P is ( T, ǫ ) -secure. ◮ The reduction R is tight if T ′ ≈ T and ǫ ′ ≈ ǫ . It is non-tight if T ≪ T ′ or if ǫ ≫ ǫ ′ . ◮ The tightness gap is ( T ′ ǫ ) / ( Tǫ ′ ) . – 5

  15. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. – 6

  16. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . – 6

  17. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . ◮ Suppose that a ( T, ǫ ) -forger A of RSA-FDH makes at most q = 2 60 hash-queries. Then the Bellare-Rogaway proof uses A to ( T, ǫ/ 2 60 ) -solve the RSA problem. – 6

  18. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . ◮ Suppose that a ( T, ǫ ) -forger A of RSA-FDH makes at most q = 2 60 hash-queries. Then the Bellare-Rogaway proof uses A to ( T, ǫ/ 2 60 ) -solve the RSA problem. ◮ Conclusion: RSA-FDH is ( T, ǫ ) -secure for T/ǫ ≤ 2 20 . The tightness gap is 2 60 . – 6

  19. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . ◮ Suppose that a ( T, ǫ ) -forger A of RSA-FDH makes at most q = 2 60 hash-queries. Then the Bellare-Rogaway proof uses A to ( T, ǫ/ 2 60 ) -solve the RSA problem. ◮ Conclusion: RSA-FDH is ( T, ǫ ) -secure for T/ǫ ≤ 2 20 . The tightness gap is 2 60 . ◮ If we desire the assurance that RSA-FDH is ( T, ǫ ) -secure for T/ǫ ≤ 2 80 , we need to select N so that T ′ /ǫ ′ ≤ 2 140 . That is, we should use at least a 4000-bit modulus N . ◮ However, no one would take such a recommendation seriously. – 6

  20. Identity-based encryption schemes ◮ Boyen [2008] compares the tightness of the reductions for the Boneh-Franklin (BF), Sakai-Kasahara (SK), and Boneh-Boyen (BB1) IBE schemes. – 7

  21. Identity-based encryption schemes ◮ Boyen [2008] compares the tightness of the reductions for the Boneh-Franklin (BF), Sakai-Kasahara (SK), and Boneh-Boyen (BB1) IBE schemes. ◮ The reduction for BB1 is significantly tighter than the reduction for BF, which in turn is significantly tighter than that for SK. ◮ However, all three reductions are in fact highly non-tight — the tightness gap being (at least) linear, quadratic and cubic in the number of random oracle queries made by the adversary for BB1, BF and SK, respectively. – 7

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Competiton With the support of DILCRAH (Inter-Ministerial Delegation to the Fight Against Racism,

Competiton With the support of DILCRAH (Inter-Ministerial Delegation to the Fight Against Racism,

Competiton With the support of DILCRAH (Inter-Ministerial Delegation to the Fight Against Racism, Anti-Semitism and Anti-LGBT Hate) Universal D eclaration of Human Rights (UDHR) HUMAN RIGHTS : ONE ARTICLE / ONE FILM October 2019 |May 2020

178 views • 3 slides
PLEASANT RIDGE EXHIBIT 136 Wind Turbine Meeting Notes ...... May 28, 2013 Boone County Zoning

PLEASANT RIDGE EXHIBIT 136 Wind Turbine Meeting Notes ...... May 28, 2013 Boone County Zoning

PLEASANT RIDGE EXHIBIT 136 Wind Turbine Meeting Notes ...... May 28, 2013 Boone County Zoning Meeting My name is Ted Hartke. I am a professional engineer and professional land surveyor, and I own Hartke Engineering and Surveying, Inc. My dad, Phil,

74 views • 3 slides
Negotiating and Navigating the Fraud Exception in Private Company Acquisitions Key Considerations

Negotiating and Navigating the Fraud Exception in Private Company Acquisitions Key Considerations

Presenting a live 90-minute webinar with interactive Q&A Negotiating and Navigating the Fraud Exception in Private Company Acquisitions Key Considerations For Drafting a Fraud Exception to an M&A Contractual Indemnification Provision

435 views • 26 slides
All Bets Off: Negotiating and Navigating the Fraud Exception in Private Company M&A THURSDAY,

All Bets Off: Negotiating and Navigating the Fraud Exception in Private Company M&A THURSDAY,

Presenting a live 90-minute webinar with interactive Q&A All Bets Off: Negotiating and Navigating the Fraud Exception in Private Company M&A THURSDAY, FEBRUARY 7, 2013 1pm Eastern | 12pm Central | 11am Mountain | 10am

294 views • 28 slides
Brussels Forum March 20, 2015 Remarks and Presentation of BF Young Writers Award / A Conversation

Brussels Forum March 20, 2015 Remarks and Presentation of BF Young Writers Award / A Conversation

Brussels Forum March 20, 2015 Remarks and Presentation of BF Young Writers Award / A Conversation The Hon. Didier Dr. Karen Donfried: I have the great pleasure of introducing the deputy prime minister and foreign minister of Belgium, The

356 views • 7 slides
Ministry of Justice Balancing Rights and Responsibilities Minister of Justice Hon. Delroy Chuck,

Ministry of Justice Balancing Rights and Responsibilities Minister of Justice Hon. Delroy Chuck,

Ministry of Justice Balancing Rights and Responsibilities Minister of Justice Hon. Delroy Chuck, QC, MP SECTORAL PRESENTATION 2019/2020 May 21, 2019 Building a First Class Justice System Falmouth Courthouse, Trelawny Government of Jamaica

1.1k views • 28 slides
SECTORAL PRESENTATION 2018/2019 MINISTER OF JUSTICE HON. DELROY CHUCK, QC MAY 22, 2018 1

SECTORAL PRESENTATION 2018/2019 MINISTER OF JUSTICE HON. DELROY CHUCK, QC MAY 22, 2018 1

SECTORAL PRESENTATION 2018/2019 MINISTER OF JUSTICE HON. DELROY CHUCK, QC MAY 22, 2018 1 ACKNOWLEDGEMENTS Mr. Speaker, it is an extraordinary privilege for me to represent the people of the great constituency of North East St. Andrew in

464 views • 28 slides
5 September 2012 My talk today is on the United States, Iran, and Israel. On this first slide we

5 September 2012 My talk today is on the United States, Iran, and Israel. On this first slide we

5 September 2012 My talk today is on the United States, Iran, and Israel. On this first slide we see a group of Iranian nuclear scientists grouped around the president of Iran. The Iranian nuclear program represents the greatest foreign policy

566 views • 17 slides

More recommend