modeling the security of cryptography part 1 secret key
play

Modeling the security of cryptography, part 1: secret-key - PDF document

Feb 24, 2024 •148 likes •861 views

Modeling the security of cryptography, part 1: secret-key cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven

  1. Modeling the security of cryptography, part 1: secret-key cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tanja Lange Technische Universiteit Eindhoven eprint.iacr.org/2012/318 “Non-uniform cracks in the concrete: the power of free precomputation”

  2. Cryptographic news Frequent news stories about cryptographic failures. Usually these stories are press releases from researchers: e.g., TLS disaster announced 2013.02.04 by Alfardan–Paterson. Occasionally these stories are reporting real-world attacks: e.g., 2012.05 announcement of Flame invading computers by forging code signatures by exploiting MD5 weaknesses.

  3. Provably secure cryptography Attacker cannot break the one-time pad. Easy proof that ciphertext reveals nothing about the plaintext. Seeing ciphertext does not improve attacker’s chance of guessing plaintext.

  4. Provably secure cryptography Attacker cannot break the one-time pad. Easy proof that ciphertext reveals nothing about the plaintext. Seeing ciphertext does not improve attacker’s chance of guessing plaintext. Attacker cannot break 1974 Gilbert–MacWilliams–Sloane message-authentication code. Easy proof that attacker’s forgery succeeds with chance ✔ ✎ , where ✎ is chosen by user.

  5. Real-world cryptography AES is much more popular than the one-time pad.

  6. Real-world cryptography AES is much more popular than the one-time pad. Key length for one-time pad is total message length. OK if sender and receiver met and exchanged USB sticks.

  7. Real-world cryptography AES is much more popular than the one-time pad. Key length for one-time pad is total message length. OK if sender and receiver met and exchanged USB sticks. Key length for AES: 128 bits. Many low-cost mechanisms to share 128-bit key through the Internet; see, e.g., ECDH in part 2.

  8. Core use of AES (“AES-CTR”): expand 128-bit key ❦ into huge string AES ❦ (0) ❀ AES ❦ (1) ❀ ✿ ✿ ✿ which seems to be indistinguishable from uniform, therefore safe as replacement for key of one-time pad. One-time pad encrypts; AES expands. Totally different features! Theme pushed much further in public-key crypto (part 2): many cool new features.

  9. The critical question Can attacker break AES? Definition of “break”: given random access to string of 2 135 bits, decide whether string is a uniform random string, or AES ❦ (0) ❀ AES ❦ (1) ❀ ✿ ✿ ✿ for a uniform random ❦ .

  10. The critical question Can attacker break AES? Definition of “break”: given random access to string of 2 135 bits, decide whether string is a uniform random string, or AES ❦ (0) ❀ AES ❦ (1) ❀ ✿ ✿ ✿ for a uniform random ❦ . If attacker has enough computer power, can obviously break AES: simply try all 2 128 AES keys.

  11. The critical question Can attacker break AES? Definition of “break”: given random access to string of 2 135 bits, decide whether string is a uniform random string, or AES ❦ (0) ❀ AES ❦ (1) ❀ ✿ ✿ ✿ for a uniform random ❦ . If attacker has enough computer power, can obviously break AES: simply try all 2 128 AES keys. Does attacker have this power?

  12. Approximate power in watts: 2 57 : Earth receives from the Sun.

  13. Approximate power in watts: 2 57 : Earth receives from the Sun. 2 56 : Earth’s surface.

  14. Approximate power in watts: 2 57 : Earth receives from the Sun. 2 56 : Earth’s surface. 2 44 : World power usage.

  15. Approximate power in watts: 2 57 : Earth receives from the Sun. 2 56 : Earth’s surface. 2 44 : World power usage. 2 30 : PCs in a big botnet.

  16. Approximate power in watts: 2 57 : Earth receives from the Sun. 2 56 : Earth’s surface. 2 44 : World power usage. 2 30 : PCs in a big botnet. 2 26 : One NSA data center.

  17. Approximate power in watts: 2 57 : Earth receives from the Sun. 2 56 : Earth’s surface. 2 44 : World power usage. 2 30 : PCs in a big botnet. 2 26 : One NSA data center. Today’s state-of-the-art mass-market chips perform 2 58 float ops/year/watt, roughly 2 68 bit ops/year/watt.

  18. Approximate power in watts: 2 57 : Earth receives from the Sun. 2 56 : Earth’s surface. 2 44 : World power usage. 2 30 : PCs in a big botnet. 2 26 : One NSA data center. Today’s state-of-the-art mass-market chips perform 2 58 float ops/year/watt, roughly 2 68 bit ops/year/watt. Given such chips perfectly using all power received by Earth: 2 125 bit ops/year.

  19. Real attacker can’t actually use all power received by Earth. Assume that attacker is limited to 1 ❂ 1000 of Earth’s surface; i.e., 2 46 watts. Maybe attacker will build much better chips. For short term seems safe to assume no qubit ops, and ✔ 1000 ✂ better chips: ✔ 2 78 bit ops/year/watt. ✮ ✔ 2 124 bit ops/year. Seems safe to declare larger computations to be intractable.

  20. Checking an AES key guess takes ❃ 2 13 bit ops by best algorithm known. ✮ ❁ 2 111 key guesses/year. i.e.: chance ❁ 2 � 17 /year of finding your key.

  21. Checking an AES key guess takes ❃ 2 13 bit ops by best algorithm known. ✮ ❁ 2 111 key guesses/year. i.e.: chance ❁ 2 � 17 /year of finding your key. But is the attacker using this algorithm?

  22. Checking an AES key guess takes ❃ 2 13 bit ops by best algorithm known. ✮ ❁ 2 111 key guesses/year. i.e.: chance ❁ 2 � 17 /year of finding your key. But is the attacker using this algorithm? Maybe the attacker has figured out an algorithm that breaks AES using much less computation. How to address this risk?

  23. Cryptanalysis to the rescue! The cryptanalytic community studies AES, searching for better and better attacks. By now dozens of experts have studied AES in public, and their attack algorithms seem to have converged. ✮ Reasonable to hope that the attacker won’t find a noticeably better algorithm.

  24. Big scalability problem: Many cryptographic systems are of interest to users; AES-CTR is just one example. Example: AES-CBC-MAC for 3-block messages. Use AES ❦ (AES ❦ (AES ❦ ( ① ) + ② ) + ③ ) to authenticate ( ①❀ ②❀ ③ ). Is there any reason to think that AES-CBC-MAC is secure? Have the cryptanalysts actually studied AES-CBC-MAC?

  25. Security proofs to the rescue! Can prove secure: encryption+authentication using a long key.

  26. Security proofs to the rescue! Can prove secure: encryption+authentication using a long key. But cannot prove secure by any known technique, presumably by any technique: AES-CTR; AES-CBC-MAC; any other short-key system; key exchange (e.g., ECDH); public-key signatures; public-key encryption; fully homomorphic encryption; most of modern cryptography.

  27. Replacing cryptanalysis with proofs: hopeless.

  28. Replacing cryptanalysis with proofs: hopeless. But sometimes proofs can save time for cryptanalysts who are studying many systems. Imagine the following theorem: if AES-CTR is secure then AES-CBC-MAC is secure. This theorem can be useful guidance for cryptanalysts studying AES-CBC-MAC: look for AES-CTR attack, or attack outside security model, or error in the proof.

  29. To state such a theorem need to define “secure”. Early attempts at definitions used purely asymptotic notions; e.g., polynomial-time attacks against families of cryptosystems. Useless for formalizing security of AES, RSA-1024, etc.

  30. To state such a theorem need to define “secure”. Early attempts at definitions used purely asymptotic notions; e.g., polynomial-time attacks against families of cryptosystems. Useless for formalizing security of AES, RSA-1024, etc. 1994 Bellare–Kilian–Rogaway: concrete security definitions, concrete CBC security theorem. Many ( ❃ 1000?) followup papers: concrete theorems saying ❳ secure ✮ ❨ secure.

  31. AES is “( t❀ q❀ ✎ )-secure” ✱ every algorithm that takes time ✔ t and uses ✔ q queries has chance ✔ ✎ of PRP-breaking AES. Alternate notation, same concept: the “( t❀ q )-insecurity” of AES is at most ✎ . “PRP-breaking” AES means distinguishing AES output from output of a uniform random permutation. “PRF” variant: function instead of permutation.

  32. Attractive theorems. e.g., 1994 Bellare–Kilian–Rogaway: “ Adv prf CBC ♠ - ❋ ( q❀ t ) ✔ ❋ ( q ✵ ❀ t ✵ ) + q 2 ♠ 2 Adv prp 2 ❧ � 1 where q ✵ = ♠q and t ✵ = t + ❖ ( ♠q❧ ).”

  33. Attractive theorems. e.g., 1994 Bellare–Kilian–Rogaway: “ Adv prf CBC ♠ - ❋ ( q❀ t ) ✔ ❋ ( q ✵ ❀ t ✵ ) + q 2 ♠ 2 Adv prp 2 ❧ � 1 where q ✵ = ♠q and t ✵ = t + ❖ ( ♠q❧ ).” Conjectured bounds on security of specific ciphers that have survived cryptanalysis. e.g., 2005 Bellare–Rogaway: “ Adv prp � cpa ( ✁ ✁ ✁ ) AES ✔ ❝ 1 ✁ t❂❚ AES q + ❝ 2 ✁ 2 128 .” 2 128

  34. Completely standard in the concrete-security literature to formalize security of a cryptosystem ❳ as the nonexistence of a ✔ q -query time- ✔ t algorithm that breaks ❳ with success probability ❃✎ . Many specific conjectures assert ( q❀ t❀ ✎ )-security of various ❳ where ( q❀ t❀ ✎ ) is chosen to match the apparent limit of extensive cryptanalysis.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is

Cryptography Basics Network Security Instructor: Haojin Zhu 1 Cryptography What is cryptography? Related fields: Cryptography ("secret writing"): Making secret messages Turning plaintext (an ordinary readable message)

1.2k views • 57 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

T-79.159 Cryptography and Data Security Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 24.03.2004 Lecture 9: Secret Sharing,

1.45k views • 33 slides
Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa

1.25k views • 34 slides
1 Cryptography basics Secret-key encryption Algorithms (E, D) are widely known Also

1 Cryptography basics Secret-key encryption Algorithms (E, D) are widely known Also

Security The security environment Basics of cryptography User authentication Chapter 9: Security Attacks from inside the system Attacks from outside the system Protection mechanisms Trusted systems CS 1550, cs.pitt.edu

538 views • 11 slides
Chapter 19 IP Security Cryptography and Network Security Chapter 19 If a secret piece of news

Chapter 19 IP Security Cryptography and Network Security Chapter 19 If a secret piece of news

Chapter 19 IP Security Cryptography and Network Security Chapter 19 If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death together with the man to whom the death, together with the man to whom the

418 views • 5 slides
Private-Key Cryptography traditional private/secret/single key cryptography uses one key

Private-Key Cryptography traditional private/secret/single key cryptography uses one key

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 9 Public Key Cryptography and RSA Dr. Loai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Dr. Loai Tawalbeh Fall 2005 Private-Key

242 views • 12 slides
RSA Cryptography basics of security / cryptography Bob encrypts message M into ciphertext

RSA Cryptography basics of security / cryptography Bob encrypts message M into ciphertext

RSA Cryptography basics of security / cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret) M = S(C) anyone else

796 views • 16 slides
Introduction to the theory of secret key cryptography Andreas H ulsing Eindhoven University

Introduction to the theory of secret key cryptography Andreas H ulsing Eindhoven University

Introduction to the theory of secret key cryptography Andreas H ulsing Eindhoven University of Technology 17 June 2019 Secret key encryption MAC Main primitives of secret key / symmetric cryptography High-level primitives Low-level

1.51k views • 114 slides
Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York

Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York

1 Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 1999-2000, Henning Schulzrinne c Last modified September 28, 2000 Slide 1 Secret

1.23k views • 16 slides
All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof

All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof

All iLabs and P2PSS Modern cryptography for communications security part 1 Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 17ss 1 / 34

705 views • 44 slides
Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II

Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II

Security II: Cryptography Markus Kuhn Computer Laboratory Lent 2012 Part II http://www.cl.cam.ac.uk/teaching/1213/SecurityII/ 1 Related textbooks Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Chapman & Hall/CRC,

887 views • 39 slides
Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats

Com puter Security Part Four Last tim e Cryptography Authentication Threats Key Management KDC Policy Symmetric keys Specification Asymmetric keys PKI Design Security Protocols Kerberos

617 views • 39 slides
SECRET i. Is it the SECRET 2 - SECURITY RUN:2t1A.1.444 1. Is it the present British

SECRET i. Is it the SECRET 2 - SECURITY RUN:2t1A.1.444 1. Is it the present British

COPY SECRET SECURITY INFORAI 718 CIWULE -- SUDJECT :uestions for Presentation toL_ London, England TO: Info:L 1. Per reference a, it is requested that you secure answers to the following questions fropel Are there any basic

385 views • 11 slides
Design Policy Update webinar Peter Twomey September 2020 August 2020 Agenda EPD283 Use of

Design Policy Update webinar Peter Twomey September 2020 August 2020 Agenda EPD283 Use of

Design Policy Update webinar Peter Twomey September 2020 August 2020 Agenda EPD283 Use of 300mm 2 cable 1 5 G5 Assessment: Stage 1 CP333 Distribution 6 2 G5 Assessment: Stage 2 Substation Earthing Design Summary of G5/5 and

237 views • 20 slides
Neutrino Tomography of the Earth with Icecube Andrea Donini

Neutrino Tomography of the Earth with Icecube Andrea Donini

Neutrino Tomography of the Earth with Icecube Andrea Donini (IFIC, Valencia) arXiv:1803.05901 in collabora8on with: S. Palomares-Ruiz J. Salvad PANE

828 views • 49 slides
Neutrinos from the Heavens & the Earth Neutrinos from the Heavens & the Earth J. A.

Neutrinos from the Heavens & the Earth Neutrinos from the Heavens & the Earth J. A.

Neutrinos from the Heavens & the Earth Neutrinos from the Heavens & the Earth J. A. Formaggio MIT Fermilab Neutrino Summer School What we will cover: What we will cover: Where do neutrinos come from? What we will cover: Where

1.45k views • 115 slides
Celestial Calculations Kabe Moen Washington University in St. Louis Kabe Moen Washington

Celestial Calculations Kabe Moen Washington University in St. Louis Kabe Moen Washington

Basic Questions The Earth the moon the sun the stars the unknown Celestial Calculations Kabe Moen Washington University in St. Louis Kabe Moen Washington University in St. Louis Basic Questions The Earth the moon the sun the stars the

965 views • 20 slides
Regulatory & Markets Update The State of Regulatory Reforms & Electric Markets &

Regulatory & Markets Update The State of Regulatory Reforms & Electric Markets &

Regulatory & Markets Update The State of Regulatory Reforms & Electric Markets & Educating America About Energy Coal Institute - Summer Trade Seminar Mike Nasi Partner, Jackson Walker LLP Director, Life:Powered STATE OF THE

579 views • 28 slides
social implications of the internet (I) the 'death of distance' where will we live, work, and

social implications of the internet (I) the 'death of distance' where will we live, work, and

social implications of the internet (I) the 'death of distance' where will we live, work, and learn? in the global village, stupid! 1 determinism once more ... this age of ours ... when the "Electric circuitry has overthrown the regime

344 views • 23 slides
Parallel Finite Element Simulations of Dynamic Earthquake Rupture and Seismic Wave Propagation

Parallel Finite Element Simulations of Dynamic Earthquake Rupture and Seismic Wave Propagation

Parallel Finite Element Simulations of Dynamic Earthquake Rupture and Seismic Wave Propagation Benchun Duan and Dunyu Liu Department of Geology and Geophysics D r Texas A&M University Fall, 2018 1 Earth Why Do Earthquakes Happen?

316 views • 6 slides
cse141: Introduction to Computer Architecture Steven Swanson Sanath Kumar Vineet Kumar

cse141: Introduction to Computer Architecture Steven Swanson Sanath Kumar Vineet Kumar

cse141: Introduction to Computer Architecture Steven Swanson Sanath Kumar Vineet Kumar Bharathan Balaji 1 Todays Agenda What is architecture? Why is it important? At the highest level, where is architecture today? Where is it

1.17k views • 83 slides

More recommend