Provable Security in Cryptography ----- DL-based Systems
ECC - Sept 24th 2002 - Essen
David Pointcheval, Ecole normale supérieure, France

  1. Summary
     • The Methodology of “Provable Security”
     • Complexity Assumptions
     • Encryption
     • Signature
     • Conclusions
     David Pointcheval Provable Security in Cryptography - 2

  2. Provable Security
     Provable Security: a Short Story
     • Originated in the late 80’s
       – encryption [GM86]
       – signature [GMR88]
     • Increased applicability using ideal substitutes
       – random oracles vs hash functions [FS86, BR93]
       – generic groups vs elliptic curves [Na94, Sh97]
       – ideal ciphers vs block ciphers [BPR EC’00]
     • Now requested to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE)

  3. The Need for Provable Security
     • “Textbook” cryptosystems cannot be used as such (homomorphic properties, …)
     • Practitioners need formatting rules to ensure interoperability
       ⇒ Paddings are used in practice: heuristic
       – PKCS#1 v1.5 - Encrypt [Bl98]
       – PKCS#1 v2.0 - Encrypt [Ma01]
       – ISO 9796-1 - Signature [CNS99, CHJ99]
     The Limits of Provable Security
     • Provable security does not yield proofs
       – proofs are relative (to computational assumptions)
       – proofs often use ideal models (ROM, ICM, GM); their meaning is debatable: ROM [CGH98], GM [SPMS C’02]
       – proofs are not formal objects; time is needed for acceptance
     • Still, provable security is a means to provide some form of guarantee that a scheme is not flawed

  4. Provable Security
     1 - Define goal of adversary
     2 - Define security model
     3 - Define complexity assumptions
     4 - Provide a proof by reduction
     5 - Check proof
     6 - Interpret proof
     Proof by Reduction
     Reduction of a problem to an attack Atk:
     • Let A be an adversary that breaks the scheme; then A can be used to solve the problem
       (instance of the problem → attack → solution of the problem)
     • Problem intractable ⇒ scheme unbreakable

  5. Assumptions
     Integer Factoring and RSA
     • Multiplication/Factorization: one-way function
       – p, q → n = p.q easy (quadratic)
       – n = p.q → p, q difficult (super-polynomial)
     • RSA Function (Rivest-Shamir-Adleman ’78), from $\mathbb{Z}_n$ into $\mathbb{Z}_n$, for a fixed exponent e (with n = pq)
       – x → x^e mod n easy (cubic)
       – y = x^e mod n → x difficult (without p or q)
       – trapdoor: x = y^d mod n where d = e^{-1} mod ϕ(n)
       $\mathrm{Succ}^{\mathrm{rsa}}_{n,e}(\mathcal{A}) = \Pr_{x \in \mathbb{Z}_n}\big[\, y = x^e \bmod n : \mathcal{A}(y) = x \,\big]$

  6. The Discrete Logarithm
     • Let G = (<g>, ×) be any finite cyclic group, of order q
     • For any y ∈ G, one defines Log_g(y) = min{ x ≥ 0 | y = g^x }
     • One-way function
       – x → y = g^x easy (cubic)
       – y = g^x → x difficult (super-polynomial)
       $\mathrm{Succ}^{\mathrm{dl}}_{g}(\mathcal{A}) = \Pr_{x \in \mathbb{Z}_q}\big[\, y = g^x : \mathcal{A}(y) = x \,\big]$
     Any Trapdoor …?
     • The Discrete Logarithm is difficult and no information could help!
     • The Diffie-Hellman Problem (1976): given A = g^a and B = g^b, compute DH(A, B) = C = g^{ab}
     • Clearly CDH ≤ DL: with a = Log_g A, C = B^a
       $\mathrm{Succ}^{\mathrm{cdh}}_{g}(\mathcal{A}) = \Pr_{a,b \in \mathbb{Z}_q}\big[\, A = g^a,\ B = g^b,\ C = g^{ab} : \mathcal{A}(A, B) = C \,\big]$

  7. Other DL-based Problems
     The Decisional Diffie-Hellman Problem:
     • Given A, B and C in <g>
     • Decide whether C = DH(A, B)
     The Gap Diffie-Hellman Problem (Okamoto-Pointcheval PKC’01):
     • Solve the computational problem, with access to a decisional oracle
     Weak curves: DDH is easy, because of pairing, then GDH = CDH
     Complexity Estimates
     Estimates for integer factoring [LV PKC’00]:

     Modulus (bits) | Mips-Year (log2) | Operations (log2)
     512            | 13               | 58    (milestone)
     1024           | 35               | 80
     2048           | 66               | 111
     4096           | 104              | 149
     8192           | 156              | 201

     Can be used for RSA too; lower bounds for DL in $\mathbb{Z}_p^*$

  8. Encryption
     Encryption Scheme
     3 algorithms:
     • K - key generation: K → (k_e, k_d)
     • E - encryption: $\mathcal{E}_{k_e}(m; r) \to c$, with r random
     • D - decryption: $\mathcal{D}_{k_d}(c) \to m$ or ⊥
     OW-Security: it is impossible to get back m just from c, k_e and the public algorithms (without k_d)

  9. Weaker Goals of Adversary
     • Perfect Secrecy: the ciphertext and public data do not reveal any information about the plaintext (but maybe the size)
       – information-theoretic sense ⇒ impossible
     • Semantic Security (Indistinguishability, IND): no polynomial adversary can learn any information about the plaintext from the ciphertext and public data (but the size)
     Security Models
     • Chosen Plaintext (CPA): the basic scenario; in the public-key setting, any adversary can get the encryption of any plaintext of his choice (by encrypting it by himself)
     • Chosen Ciphertext, adaptively (CCA2): the adversary has furthermore access to a decryption oracle which decrypts any ciphertext of his choice, but the specific challenge

  10. IND-CCA2
     Game (figure): the adversary gets k_e, while k_d stays with the decryption oracle. In the first phase (CCA1) it may submit any c and receives m or ⊥; it then outputs m_0, m_1. A random bit b ∈ {0,1} and random r are drawn and the challenge c* = $\mathcal{E}_{k_e}(m_b; r)$ is returned. In the second phase (CCA2) it may still submit any c ≠ c* and receives m or ⊥. It finally outputs b’ and wins if b’ = b.
     Main Security Notions
     • IND-CCA2 (the strongest [BDPR C’98]): the advantage must be negligible
       $\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A}) = 2 \Pr_{b,r}\big[\, (m_0, m_1, s) \leftarrow \mathcal{A}_1(k_e),\ c \leftarrow \mathcal{E}_{k_e}(m_b; r) : \mathcal{A}_2(m_0, m_1, s, c) = b \,\big] - 1$
     • OW-CPA (the weakest): the success must be negligible
       $\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A}) = \Pr_{m,r}\big[\, c = \mathcal{E}_{k_e}(m; r) : \mathcal{A}(c) = m \,\big]$

  11. Practical Cryptosystems
     • Integer Factoring-based: RSA [RSA78]
       – OW-CPA = RSA (modular e-th roots)
       – IND? No, because of determinism
       – CCA2? No, because of multiplicativity
     • DL-based: El Gamal [EG85]
       – OW-CPA = CDH
       – IND-CPA = DDH
       – CCA2? No, because of multiplicativity
     Generic Conversions
     • Any trapdoor one-way function leads to a OW-CPA cryptosystem
     • But OW-CPA is not enough
     • How to reach IND-CCA2? ⇒ generic conversions from weakly secure schemes to strongly secure cryptosystems
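The reductions CDH ≤ DL and DDH ≤ CDH from slides 6 and 7, and the El Gamal facts from slide 11 (decryption is a CDH computation, and multiplicativity rules out CCA2), carried out in one added Python example that is not part of the slides. It assumes a constructed toy group (the order-11 subgroup of Z_23^*), so Log_g is brute-forced; the function names (dlog, cdh_from_dl, ddh_from_cdh, keygen, encrypt, decrypt, maul) are this example's own.

```python
import secrets

# Toy group, constructed for this example: <g> is the subgroup of prime order q = 11 in Z_23^*.
# Real groups are chosen so that Log_g is infeasible; here it is brute-forced so the reductions run.
P, Q, G = 23, 11, 4

def dlog(y):
    """Log_g(y) = min{x >= 0 | y = g^x}, by exhaustive search (only feasible in the toy group)."""
    for x in range(Q):
        if pow(G, x, P) == y:
            return x
    raise ValueError("y is not in <g>")

def cdh_from_dl(A, B, dl_solver=dlog):
    """Reduction CDH <= DL: a = Log_g(A), then DH(A, B) = B^a."""
    return pow(B, dl_solver(A), P)

def ddh_from_cdh(A, B, C, cdh_solver=cdh_from_dl):
    """Reduction DDH <= CDH: decide whether C = DH(A, B) by computing DH(A, B)."""
    return cdh_solver(A, B) == C

def keygen():
    """El Gamal keys: k_d = x in [1, q-1], k_e = y = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m, r=None):
    """c = (g^r, m * y^r) for a plaintext m in <g> and a fresh random r (r may be fixed for tests)."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), (m * pow(y, r, P)) % P

def decrypt(x, c):
    """Recovering m means computing y^r = DH(g^r, y) = c1^x: the OW-CPA security of El Gamal is CDH."""
    c1, c2 = c
    return (c2 * pow(c1, Q - x, P)) % P     # c1^(q-x) = c1^(-x) in a group of order q

def maul(c, a):
    """Multiplicativity: (c1, c2 * a) is a valid ciphertext of m * a, built without any key.
    Since it differs from the challenge, a CCA2 adversary may hand it to the decryption oracle,
    which is why unpadded El Gamal is not IND-CCA2 and a generic conversion is needed."""
    c1, c2 = c
    return c1, (c2 * a) % P
```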

  12. OAEP (Bellare-Rogaway EC’94)
     Let f be a trapdoor one-way permutation, and G, H be hash functions (modelled as random oracles)
     • M = m || 0^k, r random
     • s = M ⊕ G(r), t = r ⊕ H(s)
     • E(m, r): compute s, t, then return c = f(s || t)
     • D(c): compute s || t = f^{-1}(c), invert OAEP, then check redundancy
     OAEP: Security Level
     In 1994, Bellare and Rogaway proved that
     • the OAEP construction provides an IND-CPA cryptosystem under the OW of f
     • it is plaintext-aware (PA94)
     Widely believed: IND-CPA + PA94 ⇒ IND-CCA2
     But IND-CPA + PA94 ⇒ IND-CCA1 only
     We improved PA94 into PA98 [BDPR C’98]: IND-CPA + PA98 ⇒ IND-CCA2
     But… PA98 of OAEP never studied
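The OAEP transform of slide 12 (M = m || 0^k, s = M ⊕ G(r), t = r ⊕ H(s)) and its inverse with the redundancy check, as an added Python example that is not code from the slides. It assumes constructed lengths (16-byte m, 16-byte zero redundancy, 16-byte r), stands in for the oracles G and H with counter-mode SHA-256 masks, and leaves the permutation f (applied to s || t, inverted before unpadding) outside the block.

```python
import hashlib
import secrets

# Lengths chosen for the example (not the slides'): |m| = N, redundancy 0^k of K1 bytes, |r| = K0.
N_BYTES, K1_BYTES, K0_BYTES = 16, 16, 16

def mgf(seed: bytes, length: int) -> bytes:
    """Counter-mode SHA-256 mask, standing in for the random oracles G and H (an assumption)."""
    out = b""
    for i in range((length + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_pad(m: bytes, r=None) -> bytes:
    """M = m || 0^k ; s = M xor G(r) ; t = r xor H(s). Returns s || t, the input to f."""
    assert len(m) == N_BYTES
    r = secrets.token_bytes(K0_BYTES) if r is None else r
    M = m + bytes(K1_BYTES)                          # redundancy: k zero bytes appended
    s = xor(M, mgf(b"G" + r, N_BYTES + K1_BYTES))    # G and H are domain-separated by a prefix
    t = xor(r, mgf(b"H" + s, K0_BYTES))
    return s + t

def oaep_unpad(st: bytes):
    """Inverts OAEP on s || t = f^-1(c) and checks the redundancy: returns m, or None (the slides' bottom).
    A decryptor must report nothing beyond accept/reject, so every failure maps to the same None."""
    s, t = st[:N_BYTES + K1_BYTES], st[N_BYTES + K1_BYTES:]
    r = xor(t, mgf(b"H" + s, K0_BYTES))
    M = xor(s, mgf(b"G" + r, N_BYTES + K1_BYTES))
    m, redundancy = M[:N_BYTES], M[N_BYTES:]
    return m if redundancy == bytes(K1_BYTES) else None
```

Any change to s or t re-randomises r or G(r), so the zero block survives only with probability about 2^-128; the comparison here is not constant-time, which a deployment must also address.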

  13. OAEP: Security Level
     Until 2000, OAEP was anyway believed to provide an IND-CCA2 cryptosystem under the OW of f
     But Shoup showed a counter-example [Sh C’01]
     A stronger assumption about f is required: under the partial-domain OW of f, OAEP provides an IND-CCA2 cryptosystem [FOPS C’01]
     • OW: f(x) → x hard
     • PD-OW: f(x, y) → x hard
     RSA-OAEP: Interpretation
     $\mathrm{Adv}^{\mathrm{ind}}(t) \le 2 \times \mathrm{Succ}^{\mathrm{rsa}}_{n,e}\big(2t + 2 q_H (2 q_G + q_H) k^3\big)$
     Security bound: time 2^75, and 2^55 hash queries
     If one can break the scheme within time T, one can invert RSA within time
       T’ ≤ 2T + 2 q_H (2 q_G + q_H) k^3 ≤ 2 × 2^75 + 6 × 2^110 k^3 < 2^113 k^3
     • modulus 1024 bits → 2^143 (NFS: 2^80) ✕
     • modulus 2048 bits → 2^146 (NFS: 2^111) ✕
     • modulus 4096 bits → 2^149 (NFS: 2^149) ✓
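The "interpret proof" step of slide 13, as an added Python example (not the slides' own): it evaluates T’ = 2T + 2 q_H (2 q_G + q_H) k^3 exactly for any attacker time, query budget and modulus size, and compares it with the NFS operation counts from the complexity-estimates table to decide for which sizes the reduction actually says something. Parameters are the slides' (T ≤ 2^75, 2^55 queries); the function names are this example's own.

```python
import math

# Parameters from the slides: attacker time T <= 2^75, at most 2^55 queries to each of G and H,
# and the NFS cost in log2 operations per modulus size, taken from the complexity-estimates table.
T_LOG2, QG_LOG2, QH_LOG2 = 75, 55, 55
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149, 8192: 201}

def reduction_time(t_log2, qg_log2, qh_log2, k_bits):
    """T' = 2T + 2 q_H (2 q_G + q_H) k^3: the time the [FOPS C'01] reduction needs to invert RSA on a
    k-bit modulus, given an attacker of time T making q_G, q_H oracle queries (exact Python integer)."""
    t, qg, qh = 2 ** t_log2, 2 ** qg_log2, 2 ** qh_log2
    return 2 * t + 2 * qh * (2 * qg + qh) * k_bits ** 3

def reduction_time_log2(k_bits, t_log2=T_LOG2, qg_log2=QG_LOG2, qh_log2=QH_LOG2):
    """Rounded-up log2 of T', the figure the slides quote (2^143, 2^146, 2^149)."""
    return math.ceil(math.log2(reduction_time(t_log2, qg_log2, qh_log2, k_bits)))

def proof_is_meaningful(k_bits, **kw):
    """The reduction is only informative if inverting RSA through the attacker costs no more than NFS;
    a loose reduction can leave the proof void at sizes that are otherwise considered safe."""
    return reduction_time_log2(k_bits, **kw) <= NFS_LOG2[k_bits]

def report(sizes=(1024, 2048, 4096)):
    """Per modulus size: (log2 T', log2 NFS cost, whether the proof is meaningful)."""
    return {k: (reduction_time_log2(k), NFS_LOG2[k], proof_is_meaningful(k)) for k in sizes}
```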
