introduction to provable security
play

Introduction to Provable Security Alejandro Hevia Dept. of Computer - PowerPoint PPT Presentation

Dec 02, 2022 •143 likes •1.15k views

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

  1. Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian´ opolis October 17, 2013 1/77

  2. Introduction to Cryptography Part I Introduction 2/77

  3. What Cryptography is about Introduction to Cryptography Classic Goals Introduction to Cryptography 1 What Cryptography is about Classic Goals 3/77

  4. What Cryptography is about Introduction to Cryptography Classic Goals What Cryptography is about Cryptography is the discipline that studies systems (schemes, protocols) that preserve their functionality (their goal) even under the presence of an active disrupter. 4/77

  5. What Cryptography is about Introduction to Cryptography Classic Goals What Cryptography is about Cryptography is the discipline that studies systems (schemes, protocols) that preserve their functionality (their goal) even under the presence of an active disrupter. 4/77

  6. What Cryptography is about Introduction to Cryptography Classic Goals Classic Problems/Goals Integrity: Messages have not been altered Authenticity: Message comes from sender Secrecy: Message not known to anybody else 5/77

  7. What Cryptography is about Introduction to Cryptography Classic Goals Integrity Alice wants to be sure that a message has not been modified. Analogy with mail We want to know that the envelope has not been opened 6/77

  8. What Cryptography is about Introduction to Cryptography Classic Goals Authenticity There are two types: Case 1: Bob wants to interactively prove his identity to Alice. (eg. talking by phone) Case 2: Bob wants to prove his identity non-interactively to Alice. If the proof can convice a third party (judge), it’s a signature . 7/77

  9. What Cryptography is about Introduction to Cryptography Classic Goals Secrecy We want to 1 Store a document 2 Send a message We want... ... that no unauthorized person can learn any information about the document (or message). 8/77

  10. What Cryptography is about Introduction to Cryptography Classic Goals Cryptography: A Brief History Until 1918: Ancient history Ciphers based on sustitution and permutations Secrecy = Secrecy of the Mechanism 1918-1975: Technical period: Cipher Machines (Enigma) Fast, automated permutations and substitutions. 1976: Modern Cryptography, Given a scheme, use assumptions (eg. one-way functions) to show evidence of security (a proof?). 9/77

  11. Provable Security Part II Provable Security 10/77

  12. Provably Security: The Short Story Provable Security The need for Provable Security Provably Security: The Short Story Originated in the late 80’s Encryption [Goldwasser, Micali 84] Signatures [Goldwasser, Micali, Rivest 88] Popular using ideal substitutes Random oracles vs. hash functions [Fiat, Shamir 86, Bellare-Rogaway 93] Generic groups vs. Eliptic curves [Nechaev 94; Shoup 97] Ideal ciphers vs. Block ciphers [Nechaev 94; Shoup 97] Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04, Paterson et al. 10] Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE). 11/77

  13. Provably Security: The Short Story Provable Security The need for Provable Security The need for Provable Security Common approach to evaluate security: Cryptanalysis driven 1 Found an interesting cryptographic goal 2 Propose a solution 3 Search for an attack (ie. bug) 4 If one found, go back to step 2. After many iterations... declare it secure. Problems: When do we stop? Results not always trustworthy Chor-Rivest knapsack scheme took 10 years to be totally broken! 12/77

  14. Provably Security: The Short Story Provable Security The need for Provable Security Provable Security The Recipe 1 Define goal of scheme (or adversary) 2 Define attack model 3 Give a protocol 4 Define complexity assumptions (or assumptions on the primitive) 5 Provide a proof by reduction 6 Verify proof 7 Interpret proof 13/77

  15. Provably Security: The Short Story Provable Security The need for Provable Security The Need of Computational Assumptions Consider asymmetric cryptography (Diffie Hellman, 76) An encryption scheme AS = ( K , E , D ) is composed by three algorithms: K : Key generation r ′ − → K − → ( k e , k d ) E : Encryption D : Decryption k e k d ↓ ↓ m − → E − → D − → c − → m or ⊥ r − → 14/77

  16. Provably Security: The Short Story Provable Security The need for Provable Security Unconditional secrecy is not possible The ciphertext c = E k e ( m ; r ) is uniquely determined by The public encryption key k e The message m The random coins r So, at least exhaustive search is possible! 15/77

  17. Provably Security: The Short Story Provable Security The need for Provable Security Unconditional secrecy is not possible The ciphertext c = E k e ( m ; r ) is uniquely determined by The public encryption key k e The message m The random coins r So, at least exhaustive search is possible! ⇒ unconditional secrecy is impossible We need complexity (algorithmic) assumptions. 15/77

  18. Provably Security: The Short Story Provable Security The need for Provable Security Integer Factoring and RSA Multiplication vs. Factorization One-way p , q → n = p · q is easy (cuadratic) function n = p · q → p , q is hard (super-polynomial) RSA Function [Rivest-Shamir-Adleman 78] The function f : Z n → Z n , where n = pq , for a fixed exponent e : x → x e mod n (easy, cubic) y = x e mod n → x (difficult without p , q ) but easy x = y d mod n if trapdoor d = e − 1 mod φ ( n ) is known. We measure the advantage of any inverting adversary A by � n , y = x e mod n : A ( y ) = x � $ Adv rsa ← Z ∗ n , e ( A ) = Pr x 16/77

  19. Provably Security: The Short Story Provable Security The need for Provable Security The Discrete Logarithm Let G = ( � g � , × ) be any finite cyclic group. For any y ∈ G , we define min { x ≥ 0 | y = g x } DLog g ( y ) = Exponenciation Function The function DExp g : Z q → G , where q = | G | : x → y = g x (easy, cubic) y = g x → x (difficult, super-polynomial) � ← Z q , y = g x : A ( y ) = x � $ Adv dl g ( A ) = Pr x 17/77

  20. Provably Security: The Short Story Provable Security The need for Provable Security How hard are these problems? Estimates for integer factorization [Lenstra-Verheul 2000] Modulus MIPS-years Operations (bits) (log 2 ) (log 2 ) 512 13 58 1024 35 80 2048 66 111 4096 104 149 8192 156 201 Reasonable estimates for RSA too, and lower bounds for DL in Z ∗ p 18/77

  21. Provably Security: The Short Story Provable Security The need for Provable Security Generalization: One-way functions One-way Function The function f : Dom ( f ) → Rec ( f ), x → y = f ( x ) (easy, polynomial-time) y = f ( x ) → x (difficult for random x ∈ Dom ( f ), at least super-polynomial) The advantage of an inverting adversary A is thus � � $ Adv ow f ( A ) = Pr x ← Dom ( f ) , y = f ( x ) : A ( y ) = x Resources of A : Running time t (number of operations) Number & length of queries (if in random oracle model) 19/77

  22. Part III Reductions 20/77

  23. Algorithmic assumptions are necessary Recall that for RSA n = pq : public modulus. e : public exponent. d = e − 1 mod φ ( n ): private exponent. E n , e ( m ) = m e mod n and D n , d ( c ) = c d mod n Underlying hard problem: $ ← Z ∗ Computing m from c = E n , e ( m ), for m n . Easy fact If the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c . 21/77

  24. But are algorithmic assumptions sufficient ? We want the guarantee that an assumption is enough for security. 22/77

  25. But are algorithmic assumptions sufficient ? We want the guarantee that an assumption is enough for security. For example, in the case of encryption IF Then an adversary can break we can break the ⇒ the secrecy assumption! 22/77

  26. But are algorithmic assumptions sufficient ? We want the guarantee that an assumption is enough for security. For example, in the case of encryption IF Then an adversary can break we can break the ⇒ the secrecy assumption! This is a reductionist proof . 22/77

  27. Proof by Reduction Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P . 23/77

  28. Proof by Reduction Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P . New algorithm for P Instance I Solution of P − → − → of I Adversary A If so, we say solving P reduces to breaking the scheme. Conclusion: If P untractable then scheme is unbreakable 23/77

  29. Provable Security? A misleading name? Not really proving a scheme secure but showing a reduction from security of scheme to the security of the underlying assumption (or primitive). 24/77

  30. Provable Security? A misleading name? Not really proving a scheme secure but showing a reduction from security of scheme to the security of the underlying assumption (or primitive). ⇒ Reductionist security 24/77

  31. Provably Secure Scheme Before calling a scheme provably secure , we need 1 To make precise the algorithmic assumptions (some given) 2 To define the security notions to be guaranteed (next) Security goal Attack model 3 A reduction! 25/77

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions

666 views • 40 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Cryptography Game-based Proofs Assumptions BLS Signature BF IB-Encryption Conclusion Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable Security Game-based Methodology 2 Game-based Approach

345 views • 12 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer

Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer

Higher order Fourier analysis and algebraic property testing Hamed Hatami School of Computer Science McGill University July 22, 2019 Hamed Hatami (McGill Universities) Higher order Fourier analysis and algebraic property testing July 22,

824 views • 78 slides
in Property Testing and Local List Decoding Sofya Raskhodnikova Boston University Joint work

in Property Testing and Local List Decoding Sofya Raskhodnikova Boston University Joint work

Erasures vs. Errors in Property Testing and Local List Decoding Sofya Raskhodnikova Boston University Joint work with Noga Ron-Zewi ( Haifa University ) Nithin Varma ( Boston University ) 1 Goal: study of sublinear algorithms resilient to

593 views • 25 slides
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown

Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande (Brown University) Venkata Koppula (University of Texas at Austin) Brent Waters (University of Texas at Austin) Pseudorandom Functions (Goldreich-Goldwasser-Micali

1.96k views • 97 slides
Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at

Edwards coordinates for elliptic curves, part 2 D. J. Bernstein University of Illinois at Chicago (Joint work with Tanja Lange) Cohen Schoof ECPC Lenstra ECM Miller Bosma Koblitz Goldwasser/Kilian ECC

294 views • 27 slides
An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS

An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS

An Extended GHKM Algorithm for Inducing -SCFG Peng Li, Yang Liu and Maosong Sun THUNLP&CSS Tsinghua University, China Outline l Background l Rule extraction algorithm l Modeling l Experiments l Conclusion 2 Outline l

664 views • 40 slides
Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy

Groth-Sahai proof system Olivier Blazy Ecole normale sup erieure Jan. 21st 2011 O. Blazy (ENS) Groth-Sahai proof system Jan. 21st 2011 1 / 38 Contents Introduction 1 Groth-Sahai proof system 2 Non-Interactive Zero-Knowledge

879 views • 74 slides
Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser

Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser

Secret Ninja Testing with HALO Software Engineering 1 Jonathan Bell, Swapneel Sheth, Gail Kaiser Department of Computer Science, Columbia University New York, NY 10027 {jbell, swapneel, kaiser}@cs.columbia.edu 1. There is no connection

367 views • 17 slides
Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2

Bounded-Communication Leakage Resilience via Parity-Resilient Circuits Vipul Goyal 1 Yuval Ishai 2 , 3 Hemanta K. Maji 4 Amit Sahai 3 Alexander A. Sherstov 3 1 Microsoft Research, India 2 Technion 3 University of California, Los Angeles 4 Purdue

488 views • 21 slides

More recommend