on assumptions and the limits of cryptography
play

On Assumptions and the Limits of Cryptography Nils Fleischhacker - PowerPoint PPT Presentation

Jan 26, 2023 •835 likes •1.56k views

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018 2 2 2 So, how do we know all of this is secure? 2 The sad truth is: We dont! Not really. So, how do we know all of this is secure? 2 The

  1. On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018

  2. 2

  3. 2

  4. 2

  5. So, how do we know all of this is secure? 2

  6. The sad truth is: We don’t! Not really. So, how do we know all of this is secure? 2

  7. The Cryptographic Landscape 3

  8. The Cryptographic Landscape PKE DS 3

  9. The Cryptographic Landscape 2PC PKE DS 3

  10. The Cryptographic Landscape iO FHE 2PC PKE DS 3

  11. The Cryptographic Landscape iO FHE 2PC PKE DS Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  12. The Cryptographic Landscape iO FHE 2PC PKE LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  13. The Cryptographic Landscape iO FHE 2PC PKE Multi-Linear LWE DS Maps Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  14. The Cryptographic Landscape iO FHE 2PC PKE Multi-Linear LWE DS Maps Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  15. The Cryptographic Landscape FHE 2PC PKE iO LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  16. The Cryptographic Landscape FHE Well this seems like a terrible idea! 2PC PKE iO LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  17. One-Way Functions x f 4

  18. One-Way Functions y x f 4

  19. One-Way Functions y x f 4

  20. One-Way Functions y x f ??? 4

  21. Why We Need to Make Assumptions 5

  22. Why We Need to Make Assumptions ENC OWF 5

  23. Why We Need to Make Assumptions ENC MAC OWF 5

  24. Why We Need to Make Assumptions ENC MAC PKE OWF 5

  25. Why We Need to Make Assumptions ENC MAC PKE OWF 2PC 5

  26. Why We Need to Make Assumptions ENC MAC PKE OWF 2PC FHE 5

  27. Why We Need to Make Assumptions ENC MAC P � = NP PKE OWF 2PC FHE 5

  28. Why We Need to Make Assumptions ENC MAC P � = NP PKE OWF 2PC FHE 5

  29. Idea Behind Provable Security ENC 2PC MAC 6

  30. Idea Behind Provable Security ENC 2PC MAC 6

  31. Idea Behind Provable Security ENC Assumption 2PC MAC 6

  32. Idea Behind Provable Security ENC Assumption 2PC MAC 6

  33. Idea Behind Provable Security ENC Abstract B P Assumption 2PC MAC 6

  34. Determining Minimal Assumptions Statistical Security 7

  35. Determining Minimal Assumptions One-Way Functions Statistical Security 7

  36. Determining Minimal Assumptions Trapdoor Permutations One-Way Functions Statistical Security 7

  37. Determining Minimal Assumptions Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  38. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  39. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  40. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  41. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  42. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  43. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  44. Schnorr 2-Party Obfuscation Signatures Computation 8

  45. Schnorr 2-Party Obfuscation Signatures Computation Most Natural Assumptions (tightly) Discrete Logarithm Assumption [FF13,FJS14] 8

  46. Schnorr Signatures ◮ Very simple, very efficient! 9

  47. Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But 9

  48. Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But ◮ Proof in the Random Oracle Model 9

  49. Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But ◮ Proof in the Random Oracle Model ◮ Proof is extremely loose. 9

  50. Schnorr Signatures The security of Schnorr signatures cannot be reduced to the discrete logarithm assumption using a naturally restricted reduction in a less idealized model (NPROM). The result holds under the slightly stronger one-more discrete logarithm assumption. 10

  51. Schnorr Signatures The security of Schnorr signatures cannot be tightly reduced to any natural non-interactive assumption using a generic reduction. The result holds unconditionally. 11

  52. Schnorr 2-Party Obfuscation Signatures Computation Most Natural Malicious PUFs Assumptions (tightly) Discrete Logarithm Assumption [FF13,FJS14] [DFKLS14] 12

  53. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. 13

  54. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions 13

  55. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions ◮ Behave like random functions. 13

  56. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions ◮ Behave like random functions. ◮ Cannot be copied. 13

  57. Secure Computation from PUFs Honest Malicious Malicious Stateless Stateful ? ? [BFSK11] Unconditional [OSVW13] 14

  58. Secure Computation from PUFs Honest Malicious Malicious Stateless Stateful [BFSK11] Our Paper Our Paper Unconditional [OSVW13] 14

  59. Schnorr 2-Party Obfuscation Signatures Computation Stateless Malicious PUFs Most Natural Malicious PUFs Statistical Assumptions Security (tightly) Discrete Logarithm Assumption [FF13,FJS14] [DFKLS14] [BBF16] 15

  60. Statistically Secure Obfuscation r O C ′ C 16

  61. Statistically Secure Obfuscation r O C ′ C ◮ Perfect Correctness: For any circuit C ∀ x : C ′ ( x ) = C ( x ) 16

  62. Statistically Secure Obfuscation r O C ′ C ◮ Perfect Correctness: For any circuit C ∀ x : C ′ ( x ) = C ( x ) ◮ (1 − ǫ ) -Approximate Correctness: For any circuit C , � C ′ ( x ) = C ( x ) � Pr ≥ 1 − ǫ ( n ) r,x 16

  63. Statistically Secure Obfuscation r O C ′ C ◮ Indistinguishability Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ negl ( n ) 17

  64. Statistically Secure Obfuscation r O C ′ C ◮ Indistinguishability Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ negl ( n ) ◮ (1 − δ ) -Correlation Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ δ ( n ) 17

  65. Why Do We Even Care About Approximate Correctness? Because approximate obfuscation is useful! [MMNPs16,SW14,Hol06] 1 Allows PKE from OWF Statistical Distance δ 0 . 75 0 . 5 0 . 25 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 18

  66. Main Result ◮ If statistically secure, approximately correct iO (saiO) exists, then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ◮ More Generally: If (1 − δ ) -statistically secure, (1 − ǫ ) -approximately correct correlation obfuscation (sacO) exists with δ ( n ) ≤ 1 3 − 2 1 3 ǫ ( n ) − poly ( n ) , then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ◮ For very weak parameters, a trivial construction of sacO exists with δ ( n ) = 2 ǫ ( n ) . 19

  67. The Landscape of Correlation Obfuscation 1 Achievable with Trivial Construction 0 . 9 Ruled out by Negative Result 0 . 8 Statistical Distance δ 0 . 7 0 . 6 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 20

  68. The Landscape of Correlation Obfuscation 1 Achievable with Trivial Construction 0 . 9 Ruled out by Negative Result Allows PKE from OWF 0 . 8 Statistical Distance δ 0 . 7 0 . 6 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 23, 2019 The

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 23, 2019 The

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 23, 2019 The sad truth is: At the moment we cant! Not really. Can we know whether all of this is secure? So, how do we know all of this is secure? 2 The sad

1.06k views • 76 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
1. CDH and DDH One of the most important goals in Cryptography is to identify the exact complexity

1. CDH and DDH One of the most important goals in Cryptography is to identify the exact complexity

1. CDH and DDH One of the most important goals in Cryptography is to identify the exact complexity assumptions used by cryptographic protocols. CDH is where the Modern Cryptography originated. CDH implies difficulty of computing discrete

243 views • 23 slides
Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange

Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange

Cryptography Provable Security Encryption Assumptions Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange information securely Que peut nous garantir la cryptographie ? With the all-digital world, security

190 views • 4 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography & http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way Functions Modern

+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way Functions Modern

+ Mohammad Mahmoody Rafael Pass + Modern Cryptography and One-Way Functions Modern Cryptography is based on computational assumptions. [Shannon 1950s] easy OWFs, a central player: f {0,1} n {0,1} n Easy to compute f(x) Hard to find x

686 views • 24 slides
d Limits at infinity and infinite limits i E 2 Lectures a l l u d b Dr. Abdulla Eid A

d Limits at infinity and infinite limits i E 2 Lectures a l l u d b Dr. Abdulla Eid A

Section 2.6 d Limits at infinity and infinite limits i E 2 Lectures a l l u d b Dr. Abdulla Eid A . College of Science r D MATHS 101: Calculus I Dr. Abdulla Eid (University of Bahrain) Infinite Limits 1 / 29 d 1 Finite limits

608 views • 29 slides
Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com>

Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com>

Bitcoin & Blockchain applied cryptography problems Adam Back <adam@blockstream.com> Cryptography adoption criteria Conservative security assumptions Or graceful security degradation Reasonably compact serialisation

1.18k views • 22 slides
Different Types of Limits Besides ordinary, two-sided limits, there are one-sided limits (left-

Different Types of Limits Besides ordinary, two-sided limits, there are one-sided limits (left-

Different Types of Limits Besides ordinary, two-sided limits, there are one-sided limits (left- hand limits and right-hand limits), infinite limits and limits at infinity. One-Sided Limits x 2 4 x 5. Consider lim x 5 One might

222 views • 3 slides
MAT 166 Calculus for Bus/Soc Chapter 3 Notes Limits The Deriviative David J. Gisch Limits

MAT 166 Calculus for Bus/Soc Chapter 3 Notes Limits The Deriviative David J. Gisch Limits

5/29/2013 MAT 166 Calculus for Bus/Soc Chapter 3 Notes Limits The Deriviative David J. Gisch Limits Limits 1 5/29/2013 Limits Limits Why? Dont they always agree? 2 2 Limits Limits

633 views • 18 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -> C enciphering functions D: C x K

446 views • 40 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

322 views • 11 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

453 views • 11 slides
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Lecture 4 Page 1 CS 236 Online Cryptography and Secrecy Pretty obvious Only those knowing the

303 views • 15 slides
Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

T-79.159 Cryptography and Data Security Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 24.03.2004 Lecture 9: Secret Sharing,

1.45k views • 33 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR

Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR

Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR The Connected World CR 2 Information Storage CR 3 Increased Security Breaches 81% more in 2015 CR

1.46k views • 29 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of Research: Symmetric Cryptography From Russia With Love Cryptanalysis of a Theorem Conclusion Curriculum Currently : post-doc at SECRET in Inria Paris

1.39k views • 99 slides
IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF Security Tutorial? Security is important in all protocols; not just protocols in the security area IETF specs mandated to have a security

1.29k views • 95 slides
Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University of Darmstadt 1 1. General Introduction 2. Multivariate public key cryptosystems 3. Challenges 2 1 General Introduction In June 2006, in Belgium,

1.06k views • 68 slides
More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of

475 views • 29 slides

More recommend