On the Impossibility of Tight Cryptographic Reductions


On the Impossibility of Tight Cryptographic Reductions. Christoph Bader, Tibor Jager, Yong Li, Sven Schäge, Ruhr-University Bochum, EUROCRYPT 2016. Tight Cryptographic Reductions: 1. Define a security model 2. Prove: efficient attacker A


  1. On the Impossibility of Tight Cryptographic Reductions
     Christoph Bader, Tibor Jager, Yong Li, Sven Schäge
     Ruhr-University Bochum
     EUROCRYPT 2016

  2. “Tight” Cryptographic Reductions
     1. Define a security model
     2. Prove: efficient attacker A implies efficient algorithm R that solves a “hard” problem P
     [Diagram: Adversary A receives pk, exchanges $m_i$ / $s_i$ Q times, outputs $(m^*, s^*)$]

  3. “Tight” Cryptographic Reductions
     1. Define a security model
     2. Prove: efficient adversary A implies efficient algorithm R that solves a “hard” problem P
     [Diagram: Reduction R receives an instance of P and outputs a solution; it interacts with Adversary A: pk, $m_i$ / $s_i$ Q times, $(m^*, s^*)$]

  4. “Tight” Cryptographic Reductions
     1. Define a security model
     2. Prove: efficient adversary A implies efficient algorithm R that solves a “hard” problem P
     [Diagram: Reduction R receives an instance of P and outputs a solution; it interacts with Adversary A: pk, $m_i$ / $s_i$ Q times, $(m^*, s^*)$]
     Reduction R is tight, if $t_R \approx t_A$ and $\mathrm{succ}_R \approx \mathrm{succ}_A$

  5. Why is tight security interesting?
     • Do schemes with tight security exist?
       – Inherent tightness lower bounds?
     • Tightness has impact on theoretically-sound selection of parameters
       – “Non-tight” reduction ⇒ large parameters
       – Tight reduction ⇒ smaller parameters

  6. Why is tight security interesting?
     • Do schemes with tight security exist?
       – Inherent tightness lower bounds?
     • Relevant for theoretically-sound selection of parameters
       – “Non-tight” reduction ⇒ large parameters
       – Tight reduction ⇒ smaller parameters

  7. Many Tightly-Secure Cryptosystems
     Digital Signatures
       • Katz-Wang (CCS 2003)
       • Schäge (Eurocrypt 2011)
       • ...
     Identity-based Encryption
       • Chen, Wee (Crypto 2013)
       • Blazy, Kiltz, Pan (Eurocrypt 2014)
       • ...
     Pseudorandom Functions
       • Naor-Reingold (FOCS 1997)
       • Lewko-Waters (CCS 2009)
       • Jager (ePrint 2016)
       • ...
     Public-Key Encryption
       • Bellare, Boldyreva, Micali (Eurocrypt 2000)
       • Hofheinz, Jager (Crypto 2012)
       • Gay, Hofheinz, Kiltz, Wee (Eurocrypt 2016) (best paper)
       • ...
     Key Exchange
       • Bader, Hofheinz, Jager, Kiltz, Li (TCC 2015)

  8. Many Tightly-Secure Cryptosystems
     Digital Signatures
       • Katz-Wang (CCS 2003)
       • Schäge (Eurocrypt 2011)
       • ...
     Identity-based Encryption
       • Chen, Wee (Crypto 2013)
       • Blazy, Kiltz, Pan (Eurocrypt 2014)
       • ...
     Pseudorandom Functions
       • Naor-Reingold (FOCS 1997)
       • Lewko-Waters (CCS 2009)
       • Jager (ePrint 2016)
       • ...
     Public-Key Encryption
       • Bellare, Boldyreva, Micali (Eurocrypt 2000)
       • Hofheinz, Jager (Crypto 2012)
       • Gay, Hofheinz, Kiltz, Wee (Eurocrypt 2016) (best paper)
       • ...
     Key Exchange
       • Bader, Hofheinz, Jager, Kiltz, Li (TCC 2015)
     Which properties must a cryptosystem (not) have to allow for a tight security proof?

  9. Coron’s Result* (1/2) (Eurocrypt 2002)
     • Digital signatures
       – single-user setting
       – unique signatures**
     [Diagram: pk; $m_i$ / $s_i$ Q times; $(m^*, s^*)$]
     * see also Kakvi and Kiltz, Eurocrypt 2012
     ** generalized to re-randomizable signatures by Hofheinz et al., PKC 2012

  10. Coron’s Result* (1/2) (Eurocrypt 2002)
     • Digital signatures
       – single-user setting
       – unique signatures**
     [Diagram: pk; $m_i$ / $s_i$ Q times; $(m^*, s^*)$]
     Result: If a signature scheme has unique signatures, then any security reduction “loses” a factor of at least 1/Q.
     * see also Kakvi and Kiltz, Eurocrypt 2012
     ** generalized to re-randomizable signatures by Hofheinz et al., PKC 2012

  11. Coron’s Result (2/2) (Eurocrypt 2002)
     [Diagram: Reduction R receives an instance of P and outputs a solution; adversary interface: pk, $m_i$ / $s_i$ Q times, $(m^*, s^*)$]

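  12. Coron’s Result (2/2) (Eurocrypt 2002)
     [Diagram: Meta-Reduction M receives an instance of P and outputs a solution; inside M, Reduction R receives an instance of P and outputs a solution, while M provides a simulation of Adversary A: pk, $m_i$ / $s_i$ Q times, $(m^*, s^*)$]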

  13. Coron’s Result (2/2) (Eurocrypt 2002)
     [Diagram: Meta-Reduction M receives an instance of P and outputs a solution; inside M, Reduction R receives an instance of P and outputs a solution, while M provides a simulation of Adversary A: pk, $m_i$ / $s_i$ Q times, $(m^*, s^*)$]
     Coron shows: If a signature scheme has unique signatures, then any reduction R implies an algorithm M that solves P
     • In time $t_M \approx t_R$
     • With $\epsilon_M \ge \epsilon_R - \frac{1}{Q} \cdot \left(1 - \frac{Q}{|\mathrm{MsgSpace}|}\right)^{-1}$

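  14. Coron’s Result (2/2) (Eurocrypt 2002)
     [Diagram: Meta-Reduction M receives an instance of P and outputs a solution; inside M, Reduction R receives an instance of P and outputs a solution, while M provides a simulation of Adversary A: pk, $m_i$ / $s_i$ Q times, $(m^*, s^*)$]
     Coron shows: If a signature scheme has unique signatures, then any reduction R implies an algorithm M that solves P
     • In time $t_M \approx t_R$
     • With $\epsilon_M \ge \epsilon_R - \frac{1}{Q} \cdot \left(1 - \frac{Q}{|\mathrm{MsgSpace}|}\right)^{-1}$
     “Annoying term”: $\left(1 - \frac{Q}{|\mathrm{MsgSpace}|}\right)^{-1}$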

  15. Limitations of Coron’s Technique
     • Restricted but reasonable class of reductions:
       – Treat adversary A as a black-box
       – Few advanced capabilities (e.g. seq. rewinding)
     • Relatively complex analysis

  16. Limitations of Coron’s Technique
     • Restricted but reasonable class of reductions:
       – Treat adversary A as a black-box
       – Few advanced capabilities (e.g. seq. rewinding)
     • Relatively complex analysis
     $\epsilon_M \ge \epsilon_R - \frac{1}{Q} \cdot \left(1 - \frac{Q}{|\mathrm{MsgSpace}|}\right)^{-1}$
     “Annoying term”: $\left(1 - \frac{Q}{|\mathrm{MsgSpace}|}\right)^{-1}$
     • Only useful in settings where Q << |MsgSpace|
       – Acceptable for [C'02, KK'12, HJK'12]
       – Makes application to other settings difficult

  17. Multi-User Security of Signatures
     • A receives N public keys
     • Q signature queries
     • Corrupt N-1 users
     • Goal: tight security in
       – Number of signatures Q
       – Number of public keys N
     [Diagram: $pk_1, \dots, pk_N$; $(m^*, s^*)$]

  18. Multi-User Security of Signatures
     • A receives N public keys
     • Q signature queries
     • Corrupt N-1 users
     • Goal: tight security in
       – Number of signatures Q
       – Number of public keys N
     [Diagram: $pk_1, \dots, pk_N$; $(m_i, j)$ / $s_i$; $(m^*, s^*)$]

  19. Multi-User Security of Signatures
     • A receives N public keys
     • Q signature queries
     • Corrupt N-1 users
     • Goal: tight security in
       – Number of signatures Q
       – Number of public keys N
     [Diagram: $pk_1, \dots, pk_N$; $(m_i, j)$ / $s_i$; $j$ / $sk_j$; $(m^*, s^*)$]

  20. Multi-User Security of Signatures
     • A receives N public keys
     • Q signature queries
     • Corrupt N-1 users
     • Desired: tight security in
       – Number of signatures Q
       – Number of public keys N
     [Diagram: $pk_1, \dots, pk_N$; $(m_i, j)$ / $s_i$; $j$ / $sk_j$; $(m^*, s^*)$]

  21. Multi-User Security of Signatures
     • A receives N public keys
     • Q signature queries
     • Corrupt N-1 users
     • Desired: tight security in
       – Number of signatures Q
       – Number of public keys N
     [Diagram: $pk_1, \dots, pk_N$; $(m_i, j)$ / $s_i$; $j$ / $sk_j$; $(m^*, s^*)$]
     Single-user security ⇒ multi-user security
     But the reduction is not tight, loses a factor 1/N

  22. Applying Coron’s technique to the multi-user setting
     • To show that this loss is impossible to avoid: $\epsilon_M \ge \epsilon_R - \frac{1}{N}$
     • Applying [Coron 2002], we get

  23. Applying Coron’s technique to the multi-user setting
     • To show that this loss is impossible to avoid: $\epsilon_M \ge \epsilon_R - \frac{1}{N}$
     • Applying [Coron 2002], we get $\epsilon_M \ge \epsilon_R - \frac{1}{N} \cdot \left(1 - \frac{N-1}{N}\right)^{-1}$

  24. Applying Coron’s technique to the multi-user setting
     • To show that this loss is impossible to avoid: $\epsilon_M \ge \epsilon_R - \frac{1}{N}$
     • Applying [Coron 2002], we get $\epsilon_M \ge \epsilon_R - \frac{1}{N} \cdot \left(1 - \frac{N-1}{N}\right)^{-1}$
     Equal to N: $\left(1 - \frac{N-1}{N}\right)^{-1}$
     Trivial bound, because of the “annoying term”

  25. Our approach
     Goal: Prove that 1/N-loss is impossible to avoid
     1. Define a weaker security definition
        – Counterintuitive: Should be more difficult to prove impossibility of tight reductions!
     2. New meta-reduction technique
        – No “annoying term”
        – Weakness of security definitions enables simple and clean analysis
     3. Generalize this technique to other primitives

  26. Our approach
     Goal: Prove that 1/N-loss is impossible to avoid
     1. Define a weaker security definition
        – Counterintuitive: Should be more difficult to prove impossibility of tight reductions!
     2. New meta-reduction technique
        – No “annoying term”
        – Weakness of security definitions enables simple and clean analysis
     3. Generalize this technique to other primitives

  27. Weak Multi-User Security
     • A receives N public keys
     • Corrupt users
     • Signature queries
     • A has to compute $sk_j$
     [Diagram: $pk_1, \dots, pk_N$; $j$; $sk_i$ for $i \ne j$; $sk_j$]

  28. Weak Multi-User Security
     • A receives N public keys
     • Corrupt users
     • Signature queries
     • A has to compute $sk_j$
     [Diagram: $pk_1, \dots, pk_N$; $j$; $sk_i$ for $i \ne j$; $sk_j$]
     No tight security proof for “weak” security ⇒ No tight security proof for any “stronger” notion

  29. Weak Multi-User Security
     • A receives N public keys
     • Corrupt users
     • Signature queries
     • A has to compute $sk_j$
     [Diagram: $pk_1, \dots, pk_N$; $j$; $sk_i$ for $i \ne j$; $sk_j$]
     No tight security proof for “weak” security ⇒ No tight security proof for any “stronger” notion
     Makes sense for any public-key scheme!

  30. Our approach
     Goal: Prove that 1/N-loss is impossible to avoid
     1. Define a weaker security definition
        – Counterintuitive: Should be more difficult to prove impossibility of tight reductions!
     2. New meta-reduction technique
        – No “annoying term”
        – Weakness of security definitions enables simple and clean analysis
     3. Generalize this technique to other primitives

  31. Our result
     $\epsilon_M \ge \epsilon_R - \frac{1}{N} \cdot \left(1 - \frac{N-1}{N}\right)^{-1}$
     • Restricted but reasonable class of reductions:
       – Use adversary A as a black-box
       – Few advanced capabilities (e.g. seq. rewinding)
     • Relatively simple analysis

  32. Tightness Bound: Intuition
     [Diagram: Reduction R receives an instance of P and outputs a solution; adversary interface: $pk_1, \dots, pk_N$; $j$; $sk_i$ for $i \ne j$; $sk_j$]

  33. Tightness Bound: Intuition
     [Diagram: Reduction R receives an instance of P and outputs a solution; adversary interface: $pk_1, \dots, pk_N$; $j$; $sk_i$ for $i \ne j$; $sk_j$]
     1. Only one index j such that R can output $sk_i$ for all $i \ne j$ ⇒ R not tight!
     2. More than one j ⇒ P not “hard”!
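
The intuition on slide 33 as a counting model, added here as an illustration and not taken from the slides or the paper. The names `answerable`, `meta_reduction` and `guessing_reduction_rate` are hypothetical, and the model assumes a uniformly chosen target index j and a reduction R that always solves P once it is handed a valid $sk_j$.

```python
from fractions import Fraction
import random

def guessing_reduction_rate(n_users, trials, seed=0):
    """Empirical success of the standard guessing reduction R (toy model).

    R hides its instance of P in one public key and knows sk_i for every
    other i, so it can answer "sk_i for all i != j" only when A's target j
    is exactly the hidden index. A picks j uniformly.
    """
    rng = random.Random(seed)
    wins = sum(rng.randrange(n_users) == rng.randrange(n_users)
               for _ in range(trials))
    return wins / trials

def meta_reduction(answerable, n_users):
    """Counting model of the meta-reduction M.

    answerable: indices j for which R hands out sk_i for all i != j
    (assumption: this set fully describes R's behaviour).
    M runs R once per j, rewinding in between, and pools every key it
    sees. It can finish run j, i.e. give R a valid sk_j without any real
    adversary, only if some other run j' != j was also answered.
    Returns (eps_R, eps_M) as exact fractions for a uniform target j.
    """
    learned = set()
    for j in answerable:
        learned |= set(range(n_users)) - {j}
    finishable = {j for j in answerable if j in learned}
    return (Fraction(len(answerable), n_users),
            Fraction(len(finishable), n_users))

def bound_holds(answerable, n_users):
    """Check eps_M >= eps_R - 1/N, the bound stated on slide 22."""
    eps_r, eps_m = meta_reduction(answerable, n_users)
    return eps_m >= eps_r - Fraction(1, n_users)

if __name__ == "__main__":
    N = 16  # constructed sample size
    print("guessing reduction:", guessing_reduction_rate(N, 100_000), "vs", 1 / N)
    for J in [set(), {3}, {3, 7}, set(range(N))]:
        print(sorted(J), meta_reduction(J, N), bound_holds(J, N))
```

With a single answerable index the model gives $\epsilon_R = 1/N$ and $\epsilon_M = 0$ (case 1: R is not tight); with two or more, M completes every run R would, so $\epsilon_M = \epsilon_R$ (case 2: P is not hard).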
