Provable Security: Introduction

David Pointcheval, LIENS-CNRS, Ecole normale supérieure

Lawrence Berkeley National Lab, August 2003

Provable Security - Introduction - 2 David Pointcheval

Summary

  • Introduction
  • Asymmetric Cryptography
  • Computational Assumptions
  • Security Proofs
  • Encryption and Signature
  • Random-Oracle Model
  • Conclusion
Section: Introduction

Cryptography: 3 Goals

  • Integrity: messages have not been altered
  • Authenticity: message-sender relation
  • Secrecy: the message is unknown to anybody else


Integrity

To make sure that a message has not been modified (not only accidentally, but also intentionally!)

Authentication (1)

To interactively prove one's identity

Authentication (2)

  • To non-interactively prove one's identity as being the sender of the message
  • If this proof can even convince a third party: signature

Secrecy

  • Store a document
  • Send a message

so that nobody else can learn any information about it

Cryptography: 3 Periods

  • Ancient period: before 1918
  • Technical period: between 1919 and 1975
  • Paradoxical period: after 1976

Ancient Period

Substitutions and permutations. Security = secrecy of the mechanisms.

[Figures: Alberti’s cipher disk; Jefferson’s wheel cipher]

Technical Period

Cipher machines: automatism of permutations and substitutions (Enigma). But there’s no proof of better security!

Paradoxical Period

  • Symmetric Cryptography
  • Asymmetric Cryptography

One-way functions ⇒ security proofs

Kerckhoffs’ Principles

In 1883, in “La Cryptographie Militaire”, Kerckhoffs wrote:

  • the system should be, if not theoretically unbreakable, unbreakable in practice
  • corruption of the system should not inconvenience the correspondents
  • the key should be memorable without any notes and should be easily changeable
  • etc.

General Security Model

  • The algorithms are public
  • Only a short parameter (the secret key) can be kept secret

Can a scheme be secure?

Section: Asymmetric Cryptography

Two Keys…

Asymmetric Cryptography (Diffie-Hellman 1976)

Asymmetric Encryption: Bob owns two “keys”

  – A public key (encryption key ke), so that anybody can encrypt a message ⇒ known by everybody (including Alice)
  – A private key (decryption key kd), to help him decrypt ⇒ known by Bob only

[Figure: Alice sends to Bob; secrecy and authenticity]

Encryption / Decryption / Attack

Granted Bob’s public key, Alice can lock the safe, with the message inside (encrypt the message)

  • Alice sends the safe to Bob
  • Nobody else can unlock it (impossible to break), except Bob, granted his private key (Bob can decrypt)

Encryption Scheme

Three algorithms:

  • key generation: from random ω, output the key pair (ke, kd)
  • encryption: from the message m and random r, output the ciphertext c = E_ke(m; r)
  • decryption: from c and the private key kd, recover m = D_kd(c)

Conditional Secrecy

The ciphertext comes from c = E_ke(m; r)

  • The encryption key ke is public
  • A unique message m satisfies the relation (with possibly several random r)

Algorithmic assumptions: at least an exhaustive search on m and r can lead to m, and maybe a better attack exists! ⇒ unconditional secrecy is impossible

Section: Computational Assumptions

Integer Factoring and RSA

  • Multiplication/Factorization:
    – p, q → n = p·q: easy (quadratic)
    – n = p·q → p, q: difficult (super-polynomial)
    ⇒ one-way function
  • RSA Function, from Z_n into Z_n (with n = pq), for a fixed exponent e (Rivest-Shamir-Adleman 1978):
    – x → x^e mod n: easy (cubic)
    – y = x^e mod n → x: difficult (without p or q)
    ⇒ trapdoor one-way function: with the trapdoor key d = e^-1 mod ϕ(n), x = y^d mod n

[Figure: encryption easy, decryption difficult to break without the trapdoor key]

The Discrete Logarithm

  • Let G = (<g>, ×) be any finite cyclic group
  • For any y ∈ G, one defines Log_g(y) = min{x ≥ 0 | y = g^x}
  • One-way function:
    – x → y = g^x: easy (cubic)
    – y = g^x → x: difficult (super-polynomial)

Any Trapdoor…?

  • The Discrete Logarithm is difficult, and no information can help!
  • The Diffie-Hellman Problem (1976): given A = g^a and B = g^b, compute DH(A, B) = C = g^ab

Clearly CDH ≤ DL: with a = Log_g A, C = B^a
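The two slides above (the discrete-logarithm one-way function and the reduction CDH ≤ DL) as a runnable example. This is added code, not part of the slides: the group Z_p^* with p = 1019, q = 509 and g = 4 is a constructed toy parameter set (a real group would have q of at least 256 bits), and dlog() is the exhaustive search the "difficult" direction refers to, so its cost grows with q.

```python
# Added example (not from the slides): the discrete-logarithm one-way function
# and the CDH <= DL reduction, in a toy prime-order subgroup of Z_p^*.
# P, Q, G are constructed illustration values, far too small for real use.
P = 1019          # prime, p = 2q + 1
Q = 509           # prime order of the subgroup <g>
G = 4             # generator of the order-q subgroup (a quadratic residue mod p)


def exp(x: int) -> int:
    """The easy direction: x -> g^x (square-and-multiply via pow)."""
    return pow(G, x, P)


def dlog(y: int):
    """Log_g(y) = min{x >= 0 | y = g^x}, by exhaustive search.

    Returns (x, steps), steps being the number of group elements tried,
    or (None, Q) if y is not in the subgroup. The step count is what makes
    this the hard direction once q is large.
    """
    acc = 1
    for x in range(Q):
        if acc == y:
            return x, x + 1
        acc = (acc * G) % P
    return None, Q


def cdh_via_dl(A: int, B: int) -> int:
    """CDH <= DL: with a = Log_g(A), the DH value C = g^(ab) equals B^a."""
    a, _ = dlog(A)
    if a is None:
        raise ValueError("A is not in the subgroup generated by g")
    return pow(B, a, P)


if __name__ == "__main__":
    a, b = 123, 456
    A, B = exp(a), exp(b)
    print("Log_g(A), steps:", dlog(A))
    print("CDH(A, B) == g^(ab):", cdh_via_dl(A, B) == exp(a * b % Q))
```

With these parameters a DL solver costs at most 509 multiplications; the point of the reduction is that any DL solver, at whatever cost, turns into a CDH solver at the same cost plus one exponentiation.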

Complexity Estimates

Estimates for integer factoring (Lenstra-Verheul 2000); can be used for RSA too; lower bounds for DL in Z_p^*

  Modulus (bits)   Operations (log2)   MIPS-years (log2)
  512              58                  13    (milestone: factoring record, Aug 1999)
  1024             80                  35
  2048             111                 66
  4096             149                 104
  8192             201                 156
Section: Security Proofs

Algorithmic Assumptions are Necessary

RSA Encryption:

  • n = pq: public modulus; e: public exponent
  • d = e^-1 mod ϕ(n): private
  • E(m) = m^e mod n; D(c) = c^d mod n

If the RSA problem is easy, secrecy is not satisfied: anybody could recover m from c

Algorithmic Assumptions are Sufficient

Security proofs give the guarantee that the assumption is enough for secrecy:

  • if an adversary can break the secrecy,
  • one can break the assumption

⇒ “reductionist” proof

Proof by Reduction

Reduction of a problem to an attack Atk:

  • Let an adversary be given that breaks the scheme
  • Given an instance of the problem, the adversary can then be used to compute a solution to that instance
  • Hence: problem intractable ⇒ scheme unbreakable

Provably Secure Scheme

To prove the security of a cryptographic scheme, one has to make precise

  • the algorithmic assumptions
  • the security notions to be guaranteed
  • a reduction: an adversary can help to break the assumption

Practical Security

Adversary within time t ⇒ algorithm against the problem within time t’ = T(t)

  • Complexity theory: T polynomial
  • Exact Security: T explicit
  • Practical Security: T small (linear)

Practical Security

Bad reduction: RSA-FDH

If one forges a new signature within time t after q queries to the signing oracle, one can break RSA within time t’ = q × t

Application: t = 2^75 and q = 2^40 ⇒ one breaks RSA within time t’ = 2^115

  • RSA-512: t’ > 2^58: ✖ no contradiction
  • RSA-1024: t’ > 2^80: ✖ no contradiction
  • RSA-2048: t’ > 2^111: ✖ no contradiction
  • RSA-4096: t’ > 2^149: ✔ CONTRADICTION

Practical Security

Good reduction: RSA-PSS

If one forges a new signature within time t after q queries to the signing oracle, one can break RSA within time t’ = 2 × t

Application: t = 2^75 and q = 2^40 ⇒ one breaks RSA within time t’ = 2^76

  • RSA-512: t’ > 2^58: ✖ no contradiction
  • RSA-1024: t’ > 2^80: ✔ CONTRADICTION

⇒ RSA-PSS is provably secure even for classical parameters

Security Notions

According to the requirements, one defines

  • the goals of an adversary
  • the capabilities of an adversary, i.e. the available information

Section: Encryption and Signature

Asymmetric Encryption

  • Formal Security Model
  • Examples

Asymmetric Encryption

  • Encryption algorithm E_ke: m → c
  • Decryption algorithm D_kd: c → m

Security = secrecy: it is impossible to recover the message m from the public information (i.e. from c, but without kd)

Basic Secrecy

One-Wayness (OW): m random, r random, c* = E_ke(m; r); given ke and c*, the adversary outputs m’; success if m’ = m.

Without the private key, it is computationally impossible to recover the plaintext

Strong Secrecy

Semantic Security (IND, Indistinguishability) [GM 1984]: the ciphertext reveals no more information about the plaintext to a (computationally bounded) adversary

One-wayness is not enough if one already has some information about m:

  • “Subject: XXXXX”
  • “My answer is XXX” (XXX = Yes/No)

Indistinguishability

The adversary chooses two messages m0, m1; b ∈ {0,1} random, r random, c* = E_ke(mb; r); given ke and c*, the adversary outputs b’; success if b’ = b.

Basic Attacks

  • Chosen-Plaintext Attacks (CPA): in the public-key cryptography setting, the adversary can encrypt any message of his choice, granted the public key ⇒ the basic attack

Improved Attacks

  • More information: oracle access
    – reaction attacks: the oracle answers, on c, whether the ciphertext c is valid or not
    – plaintext-checking attacks: the oracle answers, on a pair (m, c), whether the plaintext m is really encrypted in c or not (whether m = D_kd(c))

Strong Attacks

  • Chosen-Ciphertext Attacks (CCA): the adversary has access to the strongest oracle, the decryption oracle (with the natural restriction not to use it on the challenge ciphertext). The adversary can obtain the plaintext of any ciphertext of his choice (except the challenge)
    – non-adaptive (CCA1) [NY 1990]: only before receiving the challenge
    – adaptive (CCA2) [RS 1991]: unlimited oracle access

IND-CCA2

Same game as for indistinguishability: the adversary chooses m0, m1; b ∈ {0,1} random, r random, c* = E_ke(mb; r); the adversary outputs b’; success if b’ = b. In addition, the adversary may query the decryption oracle on any c and get back m or ⊥ (invalid): in CCA1 only before receiving c*, in CCA2 also afterwards, with the restriction c ≠ c*.

Asymmetric Encryption: Examples

RSA Encryption

  • n = pq, product of large primes
  • e, relatively prime to ϕ(n) = (p-1)(q-1)
  • n, e: public key
  • d = e^-1 mod ϕ(n): private key
  • E(m) = m^e mod n
  • D(c) = c^d mod n
  • OW-CPA = RSA problem: nothing to prove, this is the definition

El Gamal Encryption

  • G = (<g>, ×) group of order q
  • x: private key
  • y = g^x: public key
  • E(m; a) = (c, d) = (g^a, m · y^a)
  • D(c, d) = d / c^x
  • OW-CPA = CDH assumption; IND-CPA = DDH assumption
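The indistinguishability game from the security-model slides, run against the two example schemes (textbook RSA and El Gamal) as added code, not part of the slides. The RSA key n = 3233, e = 17 and the El Gamal group p = 1019, q = 509, g = 4 are constructed toy parameters. The adversary is the simplest CPA adversary there is: it encrypts m0 itself with the public key and compares with the challenge. Against deterministic textbook RSA that wins every time (so OW-CPA, which RSA does have, does not give IND-CPA); against randomised El Gamal the same strategy is no better than a coin flip, which is what the DDH-based proof guarantees.

```python
# Added example (not from the slides): the IND-CPA game played against
# textbook RSA (deterministic) and El Gamal (randomised).
# All keys and group parameters are constructed toy values.
import random

rng = random.Random(2003)   # fixed seed so the experiment is reproducible

# --- textbook RSA public key (toy values; no private key is needed for the game)
RSA_N, RSA_E = 3233, 17     # n = 61 * 53


def rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)      # E(m) = m^e mod n, no randomness at all


# --- El Gamal in the order-q subgroup <g> of Z_p^* (toy parameters)
P, Q, G = 1019, 509, 4


def elgamal_keygen():
    x = rng.randrange(1, Q)
    return pow(G, x, P), x                  # (public y = g^x, private x)


def elgamal_encrypt(y, m):
    a = rng.randrange(1, Q)                 # fresh randomness per encryption
    return pow(G, a, P), (m * pow(y, a, P)) % P   # (c, d) = (g^a, m * y^a)


def elgamal_decrypt(x, ct):
    c, d = ct
    return (d * pow(pow(c, x, P), -1, P)) % P      # d / c^x


# --- the IND-CPA experiment of the "Indistinguishability" slide
def ind_cpa_advantage(encrypt, pk, m0, m1, adversary, trials=400):
    """Run the game `trials` times; return the advantage 2*Pr[b' = b] - 1."""
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        c_star = encrypt(pk, (m0, m1)[b])
        b_guess = adversary(pk, m0, m1, c_star, encrypt)
        wins += (b_guess == b)
    return 2 * wins / trials - 1


def reencrypt_adversary(pk, m0, m1, c_star, encrypt):
    """CPA adversary: encrypt m0 yourself (the public key allows it), compare."""
    return 0 if encrypt(pk, m0) == c_star else 1


def run():
    rsa_adv = ind_cpa_advantage(rsa_encrypt, (RSA_N, RSA_E), 65, 66,
                                reencrypt_adversary)
    y, x = elgamal_keygen()
    m0, m1 = pow(G, 7, P), pow(G, 99, P)   # messages chosen inside the subgroup
    assert elgamal_decrypt(x, elgamal_encrypt(y, m0)) == m0
    eg_adv = ind_cpa_advantage(elgamal_encrypt, y, m0, m1, reencrypt_adversary)
    return rsa_adv, eg_adv


if __name__ == "__main__":
    print("advantage against textbook RSA, El Gamal:", run())
```

The advantage is exactly 1 for RSA and close to 0 for El Gamal; a full IND-CPA proof shows that every efficient adversary, not only this one, stays close to 0 unless DDH is easy in the group.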

Signature Schemes

  • Formal Security Model
  • Example

Authentication

  • Signature algorithm S_ks: m → σ
  • Verification algorithm V_kv: (m, σ) → 0/1

Security: impossible to forge a valid σ without ks

Basic Goal

Existential Forgery: without the private key, it is computationally impossible to forge a valid message-signature pair

Basic Attacks

  • No-Message Attacks: in the public-key cryptography setting, the adversary knows the verification key, and can therefore verify any signature
  • Known-Message Attacks (KMA): message-signature pairs are aimed at being published; the adversary has thus access to a list of message-signature pairs ⇒ the basic attack

Chosen-Message Attacks

  • Chosen-Message Attacks (CMA): in the list of message-signature pairs, the messages are adaptively chosen by the adversary ⇒ the strongest attack

Signature Schemes: Example

RSA Signature

  • n = pq, product of large primes
  • e, relatively prime to ϕ(n) = (p-1)(q-1)
  • n, e: public key
  • d = e^-1 mod ϕ(n): private key
  • S(m) = σ = m^d mod n
  • V(m, σ): check whether m = σ^e mod n
  • Existential Forgery = easy!
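Textbook RSA, as described on the RSA Encryption and RSA Signature slides, in runnable form. This is added code, not from the slides: the key p = 61, q = 53, e = 17 is a constructed classroom-sized example, and sigma = 42 is an arbitrary constructed value. Besides correctness it checks the three things the slides assert about the unpadded scheme: the existential forgery "by choosing σ first", the multiplicative homomorphism that the conclusion slides refer to, and what that homomorphism means in the IND-CCA2 game, where the decryption oracle refuses only the challenge itself.

```python
# Added example (not from the slides): textbook RSA with a toy key and the
# checks that explain why it is OW-CPA only and why unpadded signatures admit
# existential forgery. Constructed values: p = 61, q = 53, e = 17, sigma = 42.
from math import gcd


def rsa_keygen(p: int, q: int, e: int):
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # d = e^-1 mod phi(n)
    return (n, e), (n, d)        # public key, private key


def rsa_encrypt(pk, m):           # E(m) = m^e mod n
    n, e = pk
    return pow(m, e, n)


def rsa_decrypt(sk, c):           # D(c) = c^d mod n
    n, d = sk
    return pow(c, d, n)


def rsa_sign(sk, m):              # S(m) = m^d mod n, the same trapdoor
    return rsa_decrypt(sk, m)


def rsa_verify(pk, m, sigma):     # V(m, sigma): m == sigma^e mod n ?
    n, _ = pk
    return rsa_encrypt(pk, sigma) == m % n


def existential_forgery(pk, sigma=42):
    """Without ks: choose sigma first and let the 'message' be sigma^e mod n.
    The pair verifies, which is the 'Existential Forgery = easy!' line; the
    forger does not control which message it signs."""
    return rsa_encrypt(pk, sigma), sigma


def homomorphic(pk, m1, m2):
    """E(m1) * E(m2) mod n == E(m1 * m2 mod n): textbook RSA is malleable."""
    n, _ = pk
    lhs = (rsa_encrypt(pk, m1) * rsa_encrypt(pk, m2)) % n
    return lhs == rsa_encrypt(pk, (m1 * m2) % n)


def cca2_recover(pk, c_star, decryption_oracle):
    """IND-CCA2 adversary against textbook RSA: the oracle refuses c_star, so
    ask it for the related ciphertext c_star * E(2) (a different value) and
    divide the answer by 2. Formatting/padding rules exist precisely so that
    related ciphertexts decrypt to garbage (or are rejected) instead."""
    n, _ = pk
    c2 = (c_star * rsa_encrypt(pk, 2)) % n
    if c2 == c_star:
        raise ValueError("related ciphertext coincides with the challenge")
    return (decryption_oracle(c2) * pow(2, -1, n)) % n


def demo():
    pk, sk = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(pk, 65)
    forged_m, forged_sig = existential_forgery(pk)
    # decryption oracle with the CCA2 restriction: answers anything but c
    oracle = lambda ct: rsa_decrypt(sk, ct) if ct != c else None
    return {
        "ciphertext": c,
        "roundtrip": rsa_decrypt(sk, c),
        "signature_ok": rsa_verify(pk, 65, rsa_sign(sk, 65)),
        "forgery_verifies": rsa_verify(pk, forged_m, forged_sig),
        "homomorphic": homomorphic(pk, 65, 7),
        "cca2_recovered": cca2_recover(pk, c, oracle),
    }


if __name__ == "__main__":
    print(demo())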

Section: Random-Oracle Model

Strong Security Notions

Signature: difficult to obtain security against existential forgeries. Encryption: difficult to reach CCA security. Maybe possible, but with inefficient schemes. Inefficient schemes are not useful in practice: everybody wants security, but only if it is transparent.

The Random Oracle Model

  • Introduced by Bellare-Rogaway [ACM-CCS ‘93]
  • The most admitted model
  • It consists in considering some functions as perfectly random functions, or replacing them by random oracles:
    – each new query is returned a random answer
    – a given query asked twice receives twice the same answer

In practice, instantiated by hash functions
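The random oracle of the slide, written as the object a security proof actually manipulates: a lazily sampled random function. This is added code, not from the slides or from Bellare-Rogaway. The two rules on the slide map directly onto query(); program() is an assumption about how reductions use the model (they fix the answer at a not-yet-queried point), and sha256_instantiation() is the practical replacement the last line of the slide mentions.

```python
# Added example (not from the slides): a lazily sampled random oracle,
# the "programming" step a reduction relies on, and the hash-function
# instantiation used in practice.
import hashlib
import secrets


class RandomOracle:
    def __init__(self, out_len: int = 32, sample=secrets.token_bytes):
        self.out_len = out_len
        self.sample = sample          # source of fresh random answers
        self.table = {}               # query -> answer, filled on demand
        self.queries = []             # the simulator sees every query made

    def query(self, x: bytes) -> bytes:
        if x not in self.table:       # new query: draw a uniform answer
            self.table[x] = self.sample(self.out_len)
        self.queries.append(x)
        return self.table[x]          # repeated query: same answer

    def program(self, x: bytes, value: bytes) -> bool:
        """Fix H(x) := value. Only allowed before x has ever been queried,
        otherwise the adversary's view would change and the simulation
        would be detectable. Returns whether programming succeeded."""
        if x in self.table or len(value) != self.out_len:
            return False
        self.table[x] = value
        return True


def sha256_instantiation(x: bytes) -> bytes:
    """In practice the oracle is replaced by a fixed public hash function,
    which cannot be programmed and whose queries nobody observes."""
    return hashlib.sha256(x).digest()


def consistency_check(oracle: RandomOracle, x: bytes) -> bool:
    """Second rule of the slide: asking twice yields the same answer."""
    return oracle.query(x) == oracle.query(x)
```

The gap between the two objects is the whole content of the "Limits" slide at the end: a proof in the model may rely on observing and programming queries, and a hash function offers neither.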

Section: Conclusion

Provable Security

  • Originated in the late 80’s
    – encryption [GM86]
    – signature [GMR88]
  • Increased applicability using ideal substitutes
    – random oracles vs. hash functions [FS86, BR93]
    – generic groups vs. elliptic curves [Na94, Sh97]
    – ideal ciphers vs. block ciphers [BPR EC’00]
  • Now required by cryptographic standards (IEEE P1363, ISO, Cryptrec, NESSIE)

The Need for Provable Security

  • “Textbook” cryptosystems cannot be used as such (homomorphic properties, …)
  • Engineers need formatting rules to ensure interoperability ⇒ paddings are used in practice: heuristic
    – PKCS #1 v1.5 - Encrypt [Bl98]
    – PKCS #1 v1.5 - Signature, ISO 9796-1 - Signature [CNS99, CHJ99]

The Limits of Provable Security

  • Provable security does not provide proofs in the mathematical sense:
    – proofs are relative (to computational assumptions)
    – proofs often use ideal models (ROM, ICM, GM); their meaning is debatable: ROM [CGH98], GM [SPMS C’02]
    – proofs are not formal objects; time is needed for acceptance
  • Still, provable security has provided some good guarantee that a scheme is not flawed