on assumptions and the limits of cryptography

On Assumptions and the Limits of Cryptography Nils Fleischhacker - PowerPoint PPT Presentation

Jan 26, 2023 •835 likes •1.56k views

On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018 2 2 2 So, how do we know all of this is secure? 2 The sad truth is: We dont! Not really. So, how do we know all of this is secure? 2 The

  1. On Assumptions and the Limits of Cryptography Nils Fleischhacker Bochum, January 24, 2018

  2. 2

  3. 2

  4. 2

  5. So, how do we know all of this is secure? 2

  6. The sad truth is: We don’t! Not really. So, how do we know all of this is secure? 2

  7. The Cryptographic Landscape 3

  8. The Cryptographic Landscape PKE DS 3

  9. The Cryptographic Landscape 2PC PKE DS 3

  10. The Cryptographic Landscape iO FHE 2PC PKE DS 3

  11. The Cryptographic Landscape iO FHE 2PC PKE DS Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  12. The Cryptographic Landscape iO FHE 2PC PKE LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  13. The Cryptographic Landscape iO FHE 2PC PKE Multi-Linear LWE DS Maps Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  14. The Cryptographic Landscape iO FHE 2PC PKE Multi-Linear LWE DS Maps Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  15. The Cryptographic Landscape FHE 2PC PKE iO LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  16. The Cryptographic Landscape FHE Well this seems like a terrible idea! 2PC PKE iO LWE DS Oblivious Transfer Trapdoor Permutations Trapdoor Permutations One-way Functions 3

  17. One-Way Functions x f 4

  18. One-Way Functions y x f 4

  19. One-Way Functions y x f 4

  20. One-Way Functions y x f ??? 4

  21. Why We Need to Make Assumptions 5

  22. Why We Need to Make Assumptions ENC OWF 5

  23. Why We Need to Make Assumptions ENC MAC OWF 5

  24. Why We Need to Make Assumptions ENC MAC PKE OWF 5

  25. Why We Need to Make Assumptions ENC MAC PKE OWF 2PC 5

  26. Why We Need to Make Assumptions ENC MAC PKE OWF 2PC FHE 5

  27. Why We Need to Make Assumptions ENC MAC P � = NP PKE OWF 2PC FHE 5

  28. Why We Need to Make Assumptions ENC MAC P � = NP PKE OWF 2PC FHE 5

  29. Idea Behind Provable Security ENC 2PC MAC 6

  30. Idea Behind Provable Security ENC 2PC MAC 6

  31. Idea Behind Provable Security ENC Assumption 2PC MAC 6

  32. Idea Behind Provable Security ENC Assumption 2PC MAC 6

  33. Idea Behind Provable Security ENC Abstract B P Assumption 2PC MAC 6

  34. Determining Minimal Assumptions Statistical Security 7

  35. Determining Minimal Assumptions One-Way Functions Statistical Security 7

  36. Determining Minimal Assumptions Trapdoor Permutations One-Way Functions Statistical Security 7

  37. Determining Minimal Assumptions Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  38. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  39. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  40. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  41. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  42. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  43. Determining Minimal Assumptions . . . Fully Homomorphic Encryption . . . Oblivious Transfer Trapdoor Permutations One-Way Functions Statistical Security 7

  44. Schnorr 2-Party Obfuscation Signatures Computation 8

  45. Schnorr 2-Party Obfuscation Signatures Computation Most Natural Assumptions (tightly) Discrete Logarithm Assumption [FF13,FJS14] 8

  46. Schnorr Signatures ◮ Very simple, very efficient! 9

  47. Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But 9

  48. Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But ◮ Proof in the Random Oracle Model 9

  49. Schnorr Signatures ◮ Very simple, very efficient! ◮ Proven secure under the discrete log assumption. [PS96] But ◮ Proof in the Random Oracle Model ◮ Proof is extremely loose. 9

  50. Schnorr Signatures The security of Schnorr signatures cannot be reduced to the discrete logarithm assumption using a naturally restricted reduction in a less idealized model (NPROM). The result holds under the slightly stronger one-more discrete logarithm assumption. 10

  51. Schnorr Signatures The security of Schnorr signatures cannot be tightly reduced to any natural non-interactive assumption using a generic reduction. The result holds unconditionally. 11

  52. Schnorr 2-Party Obfuscation Signatures Computation Most Natural Malicious PUFs Assumptions (tightly) Discrete Logarithm Assumption [FF13,FJS14] [DFKLS14] 12

  53. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. 13

  54. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions 13

  55. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions ◮ Behave like random functions. 13

  56. Secure Two-Party Computation from PUFs ◮ The idea: Use secure hardware to overcome impossibility of information theoretically secure 2-PC. ◮ Use Physically Uncloneable Functions ◮ Behave like random functions. ◮ Cannot be copied. 13

  57. Secure Computation from PUFs Honest Malicious Malicious Stateless Stateful ? ? [BFSK11] Unconditional [OSVW13] 14

  58. Secure Computation from PUFs Honest Malicious Malicious Stateless Stateful [BFSK11] Our Paper Our Paper Unconditional [OSVW13] 14

  59. Schnorr 2-Party Obfuscation Signatures Computation Stateless Malicious PUFs Most Natural Malicious PUFs Statistical Assumptions Security (tightly) Discrete Logarithm Assumption [FF13,FJS14] [DFKLS14] [BBF16] 15

  60. Statistically Secure Obfuscation r O C ′ C 16

  61. Statistically Secure Obfuscation r O C ′ C ◮ Perfect Correctness: For any circuit C ∀ x : C ′ ( x ) = C ( x ) 16

  62. Statistically Secure Obfuscation r O C ′ C ◮ Perfect Correctness: For any circuit C ∀ x : C ′ ( x ) = C ( x ) ◮ (1 − ǫ ) -Approximate Correctness: For any circuit C , � C ′ ( x ) = C ( x ) � Pr ≥ 1 − ǫ ( n ) r,x 16

  63. Statistically Secure Obfuscation r O C ′ C ◮ Indistinguishability Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ negl ( n ) 17

  64. Statistically Secure Obfuscation r O C ′ C ◮ Indistinguishability Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ negl ( n ) ◮ (1 − δ ) -Correlation Obfuscator: For any pair of circuits, such that C 1 ≡ C 2 and | C 1 | = | C 2 | SD ( O ( C 1 ) , O ( C 2 )) ≤ δ ( n ) 17

  65. Why Do We Even Care About Approximate Correctness? Because approximate obfuscation is useful! [MMNPs16,SW14,Hol06] 1 Allows PKE from OWF Statistical Distance δ 0 . 75 0 . 5 0 . 25 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 18

  66. Main Result ◮ If statistically secure, approximately correct iO (saiO) exists, then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ◮ More Generally: If (1 − δ ) -statistically secure, (1 − ǫ ) -approximately correct correlation obfuscation (sacO) exists with δ ( n ) ≤ 1 3 − 2 1 3 ǫ ( n ) − poly ( n ) , then either one-way functions do not exist, or NP ⊆ AM ∩ coAM. ◮ For very weak parameters, a trivial construction of sacO exists with δ ( n ) = 2 ǫ ( n ) . 19

  67. The Landscape of Correlation Obfuscation 1 Achievable with Trivial Construction 0 . 9 Ruled out by Negative Result 0 . 8 Statistical Distance δ 0 . 7 0 . 6 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 20

  68. The Landscape of Correlation Obfuscation 1 Achievable with Trivial Construction 0 . 9 Ruled out by Negative Result Allows PKE from OWF 0 . 8 Statistical Distance δ 0 . 7 0 . 6 0 . 5 0 . 4 0 . 3 0 . 2 0 . 1 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 Correctness Error ǫ 20

Recommend

City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions

City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions

City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits Lions Clubs City Limits

374 views • 23 slides
Different Types of Limits Besides ordinary, two-sided limits, there are one-sided limits (left-

Different Types of Limits Besides ordinary, two-sided limits, there are one-sided limits (left-

Different Types of Limits Besides ordinary, two-sided limits, there are one-sided limits (left- hand limits and right-hand limits), infinite limits and limits at infinity. One-Sided Limits x 2 4 x 5. Consider lim x 5 One might

222 views • 3 slides
MAT 166 Calculus for Bus/Soc Chapter 3 Notes Limits The Deriviative David J. Gisch Limits

MAT 166 Calculus for Bus/Soc Chapter 3 Notes Limits The Deriviative David J. Gisch Limits

5/29/2013 MAT 166 Calculus for Bus/Soc Chapter 3 Notes Limits The Deriviative David J. Gisch Limits Limits 1 5/29/2013 Limits Limits Why? Dont they always agree? 2 2 Limits Limits

633 views • 18 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

454 views • 11 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

322 views • 11 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 El

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 El

Public-Key Cryptography Public-Key Cryptography Lecture 9 Public-Key Cryptography Lecture 9 El Gamal Encryption Public-Key Cryptography Lecture 9 El Gamal Encryption Public-Key Encryption from Trapdoor OWP Public-Key Cryptography Lecture

2.11k views • 163 slides
Limits (the size of the pie) allocation limits minimum reliability flow of supply Limits

Limits (the size of the pie) allocation limits minimum reliability flow of supply Limits

Limits (the size of the pie) allocation limits minimum reliability flow of supply Limits Implement climate minimum change flows multiple bands/ blocks Multiple bands/block How and where to set the limits? Reliability of supply

816 views • 26 slides
Medical Programs Overview Table 1. Caption Medical SNAP TANF Programs Income Limits Income

Medical Programs Overview Table 1. Caption Medical SNAP TANF Programs Income Limits Income

SNAP , TANF and Medical Programs Overview Table 1. Caption Medical SNAP TANF Programs Income Limits Income Limits Income limits Resource Resource Resource Limits Limits Limits Deductions Deductions Deductions 10/25/2017 2 SNAP

433 views • 14 slides
Scope & Limits of Scope & Limits of Scope & Limits of Legal Authority Legal

Scope & Limits of Scope & Limits of Scope & Limits of Legal Authority Legal

Lesson 4. Scope & Limits of Authority January 20, 2004 Scope & Limits of Scope & Limits of Scope & Limits of Legal Authority Legal Authority Legal Authority Lesson No. 4 ENV H 471 Environmental Health Regulation Winter

669 views • 7 slides
Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia

Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia

Cryptography Public Key Cryptography Concepts of Public Key Cryptography Public Key Cryptography Cryptography School of Engineering and Technology CQUniversity Australia Prepared by Steven Gordon on 20 Feb 2020, public.tex, r1803 1

422 views • 7 slides
Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography

Modern cryptography CSCI 470: Web Science Keith Vertanen Overview Modern cryptography Symmetric cryptography DES 3DES AES Asymmetric cryptography Diffie-Hellman key exchange 2 Modern cryptography Moving into

338 views • 16 slides
Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Cryptography Lecture 8

Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Cryptography Lecture 8

Public-Key Cryptography Public-Key Cryptography Lecture 8 Public-Key Cryptography Lecture 8 Public-Key Encryption from Trapdoor OWP Public-Key Cryptography Lecture 8 Public-Key Encryption from Trapdoor OWP CCA Security El Gamal Encryption

1.78k views • 162 slides
Limits of sub semigroups of C and Siegel enrichments Ismael Bachy 22 novembre 2010 Limits of

Limits of sub semigroups of C and Siegel enrichments Ismael Bachy 22 novembre 2010 Limits of

Limits of closed sub semigroups of C Conformal Enrichments Limits of sub semigroups of C and Siegel enrichments Ismael Bachy 22 novembre 2010 Limits of sub semigroups of C and Siegel enrichments Ismael Bachy Limits of closed sub

575 views • 23 slides
d Limits at infinity and infinite limits i E 2 Lectures a l l u d b Dr. Abdulla Eid A

d Limits at infinity and infinite limits i E 2 Lectures a l l u d b Dr. Abdulla Eid A

Section 2.6 d Limits at infinity and infinite limits i E 2 Lectures a l l u d b Dr. Abdulla Eid A . College of Science r D MATHS 101: Calculus I Dr. Abdulla Eid (University of Bahrain) Infinite Limits 1 / 29 d 1 Finite limits

608 views • 29 slides
Modeling Limits Jaroslav Neetil Patrice Ossona de Mendez Charles University CAMS, CNRS/EHESS

Modeling Limits Jaroslav Neetil Patrice Ossona de Mendez Charles University CAMS, CNRS/EHESS

Structural Limits FO-limits? Going further Modeling Limits Jaroslav Neetil Patrice Ossona de Mendez Charles University CAMS, CNRS/EHESS LIA STRUCO Praha, Czech Republic Paris, France IHP 2018 Structural Limits FO-limits?

572 views • 35 slides
Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of

T-79.159 Cryptography and Data Security Lecture 9: Secret Sharing, Threshold Cryptography, MPC Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 24.03.2004 Lecture 9: Secret Sharing,

1.45k views • 33 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR

Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR

Cryptography & Network Security Introduction Introduction Chester Rebeiro IIT Madras CR The Connected World CR 2 Information Storage CR 3 Increased Security Breaches 81% more in 2015 CR

1.46k views • 29 slides
1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

1 Diffie-Hellman exponential key exchange Diffie-Hellman exponential key exchange Alice has

Symmetric cryptography Both parties must agree on a secret key, K message is encrypted, sent, decrypted at other side E K (P) D K (C) Secure Communication Bob Alice Key distribution must be secret otherwise messages can be

553 views • 10 slides
S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of

S-Box Decompositions and some Applications L eo Perrin January 28, 2019, Nancy My Area of Research: Symmetric Cryptography From Russia With Love Cryptanalysis of a Theorem Conclusion Curriculum Currently : post-doc at SECRET in Inria Paris

1.39k views • 99 slides
IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF

IETF Security Tutorial Radia Perlman March, 2007 (radia.perlman@sun.com) 1 Why an IETF Security Tutorial? Security is important in all protocols; not just protocols in the security area IETF specs mandated to have a security

1.29k views • 95 slides
Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University

Multivariate Public Key Cryptography Jintai Ding University of Cincinnati Technical University of Darmstadt 1 1. General Introduction 2. Multivariate public key cryptosystems 3. Challenges 2 1 General Introduction In June 2006, in Belgium,

1.06k views • 68 slides
More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of

475 views • 29 slides

More recommend