
Provable Security Introduction UCL - Louvain-la-Neuve Monday, July - PDF document

Provable Security: Introduction. UCL - Louvain-la-Neuve, Monday, July 8th, 2002. David Pointcheval, LIENS-CNRS, Ecole normale supérieure.


  1. Provable Security: Introduction. UCL - Louvain-la-Neuve, Monday, July 8th, 2002. David Pointcheval, LIENS-CNRS, Ecole normale supérieure.
     Summary
       • Introduction
       • Asymmetric Cryptography
       • Computational Assumptions
       • Security Proofs
       • Encryption and Signature
       • New Assumptions
       • New Formalism

  2. Cryptography: 3 Goals
       • Integrity: Messages have not been altered
       • Authenticity: Message - sender relation
       • Secrecy: Message unknown to anybody else

  3. Integrity
       To be sure that a message has not been modified (accidentally, but intentionally too!)
     Authentication (1)
       Interactively prove his identity

  4. Authentication (2)
       • Non-interactively prove his identity as the sender of a message
       • If this proof can even convince a third party: signature
     Secrecy
       • Store a document
       • Send a message so that nobody else can learn any information about it

  5. Cryptography: 3 Periods
       • Ancient period: until 1918
       • Technical period: from 1919 until 1975
       • Paradoxical period: from 1976 until
     Ancient Period
       Substitutions and permutations
       Alberti’s cipher disk
       Jefferson’s wheel cipher
       Security = Secrecy of the Mechanisms

  6. Technical Period
       Cipher Machines (Enigma)
       Automatism of permutations and substitutions
       But no proof of better security!
     Paradoxical Period
       • Symmetric Cryptography
       • Asymmetric Cryptography
       One-way Functions ⇒ Security Proofs

  7. Kerckhoffs’ Principles
       In 1883, in “La Cryptographie Militaire”, Kerckhoffs wrote:
       • the system should be, if not theoretically unbreakable, unbreakable in practice
       • compromise of the system should not inconvenience the correspondents
       • the key should be rememberable without notes and should be easily changeable
       • etc …
     Symmetric Encryption
       Encryption Algorithm $\mathcal{E}$ and Decryption Algorithm $\mathcal{D}$, both keyed with $k$: $m \to \mathcal{E}_k \to c \to \mathcal{D}_k \to m$
       Security = secrecy: impossible to recover $m$ from $c$ only (without $k$)
       Security: heuristic

  8. Two Keys…
       Asymmetric Cryptography, Diffie-Hellman 1976 (diagram: Alice and Bob; secrecy and authenticity)
       Asymmetric Encryption: Bob owns two “keys”
       – A public key (encryption $k_e$) ⇒ known by everybody, so that anybody (Alice included) can encrypt a message for him
       – A private key (decryption $k_d$) ⇒ known by Bob only, to help him to decrypt

  9. Encryption / decryption attack
       Given Bob’s public key, Alice can lock the safe with the message inside (encrypt the message).
       Alice sends the safe to Bob: no one can unlock it (impossible to break),
       except Bob, given his private key (Bob can decrypt).
     Encryption Scheme
       3 algorithms:
       • key generation: $\omega \to (k_e, k_d)$
       • encryption: $(m, r) \to c$ under $k_e$
       • decryption: $c \to m$ under $k_d$

  10. Conditional Secrecy
       The ciphertext comes from $c = \mathcal{E}_{k_e}(m; r)$
       • The encryption key $k_e$ is public
       • A unique $m$ satisfies the relation (with possibly several $r$)
       At least exhaustive search on $m$ and $r$ can lead to $m$, maybe a better attack!
       ⇒ unconditional secrecy impossible
       Algorithmic assumptions

  11. Integer Factoring and RSA
       • Multiplication/Factorization: One-Way Function
         – $p, q \to n = p \cdot q$: easy (quadratic)
         – $n = p \cdot q \to p, q$: difficult (super-polynomial)
       • RSA Function, from $\mathbb{Z}_n$ in $\mathbb{Z}_n$ (with $n = pq$), for a fixed exponent $e$ (Rivest-Shamir-Adleman 1978)
         – $x \to x^e \bmod n$: easy (cubic)
         – $y = x^e \bmod n \to x$: difficult (without $p$ or $q$)
         – $x = y^d \bmod n$ where $d = e^{-1} \bmod \varphi(n)$: trapdoor
       Diagram labels: encryption, difficult to break, decryption (key)
     The RSA Problems
       • Let $n = pq$ where $p$ and $q$ are large primes
       • The RSA problem, for a fixed exponent $e$:
         $\mathrm{Succ}^{\mathrm{rsa}}_{n,e}(\mathcal{A}) = \Pr_{y \in \mathbb{Z}_n}\left[\, y = x^e \bmod n \mid \mathcal{A}(y) = x \,\right]$
       • The Flexible RSA problem:
         $\mathrm{Succ}^{\mathrm{fl\text{-}rsa}}_{n}(\mathcal{A}) = \Pr_{y \in \mathbb{Z}_n}\left[\, y = x^e \bmod n \mid \mathcal{A}(y) = (x, e) \,\right]$
         with the restriction for $e$ to be prime

  12. The Discrete Logarithm
       • Let $\mathbb{G} = (\langle g \rangle, \times)$ be any finite cyclic group
       • For any $y \in \mathbb{G}$, one defines $\mathrm{Log}_g(y) = \min\{x \ge 0 \mid y = g^x\}$
       • One-way function
         – $x \to y = g^x$: easy (cubic)
         – $y = g^x \to x$: difficult (super-polynomial)
       $\mathrm{Succ}^{\mathrm{dl}}_{g}(\mathcal{A}) = \Pr_{x \in \mathbb{Z}_q}\left[\, \mathcal{A}(y) = x \mid y = g^x \,\right]$
     Any Trapdoor …?
       • The Discrete Logarithm is difficult and no information could help!
       • The Diffie-Hellman Problem (1976):
         – Given $A = g^a$ and $B = g^b$
         – Compute $\mathrm{DH}(A, B) = C = g^{ab}$
       Clearly CDH ≤ DL: with $a = \mathrm{Log}_g A$, $C = B^a$
       $\mathrm{Succ}^{\mathrm{cdh}}_{g}(\mathcal{A}) = \Pr_{a, b \in \mathbb{Z}_q}\left[\, \mathcal{A}(A, B) = C \mid A = g^a, B = g^b, C = g^{ab} \,\right]$

  13. Another DL-based Problem
       The Decisional Diffie-Hellman Problem:
       • Given $A$, $B$ and $C$ in $\langle g \rangle$
       • Decide whether $C = \mathrm{DH}(A, B)$
       Clearly DDH ≤ CDH ≤ DL
       $\mathrm{Adv}^{\mathrm{ddh}}_{g}(\mathcal{A}) = \Pr_{a, b, c \in \mathbb{Z}_q}\left[\, \mathcal{A}(A, B, C) = 1 \mid A = g^a, B = g^b, C = g^c \,\right] - \Pr_{a, b \in \mathbb{Z}_q}\left[\, \mathcal{A}(A, B, C) = 1 \mid A = g^a, B = g^b, C = g^{ab} \,\right]$
     Complexity Estimates
       Estimates for integer factoring (Lenstra-Verheul 2000)

       Modulus (bits) | Mips-Year (log 2) | Operations (in log 2) | Note
       512            | 13                | 58                    | Record, Aug 1999
       1024           | 35                | 80                    | Milestone
       2048           | 66                | 111                   |
       4096           | 104               | 149                   |
       8192           | 156               | 201                   |

       Can be used for RSA too
       Lower-bounds for DL in $\mathbb{Z}_p^*$

  14. Algorithmic Assumptions: necessary
       RSA Encryption
       • $n = pq$: public modulus
       • $e$: public exponent
       • $d = e^{-1} \bmod \varphi(n)$: private
       Encryption: $m \mapsto m^e \bmod n$; decryption: $c \mapsto c^d \bmod n$
       If the RSA problem is easy, secrecy is not satisfied: anybody may recover $m$ from $c$

  15. Algorithmic Assumptions: sufficient?
       Security proofs give the guarantee that the assumption is enough for secrecy:
       • if an adversary can break the secrecy
       • one can break the assumption
       ⇒ “reductionist” proof
     Proof by Reduction
       Reduction of a problem to an attack Atk:
       • Given an adversary that breaks the scheme, that adversary can be used to solve the problem
       Diagram: instance of the problem → adversary → solution of the instance
       Problem intractable ⇒ scheme unbreakable

  16. Provably Secure Scheme
       To prove the security of a cryptographic scheme, one has to make precise
       • the algorithmic assumptions
       • the security notions to be guaranteed
       • a reduction: an adversary can help to break the assumption
     Practical Security
       Adversary within $t$ ⇒ algorithm against the problem within $t' = T(t)$
       • Complexity theory: $T$ polynomial
       • Exact Security: $T$ explicit
       • Practical Security: $T$ small (linear)
       E.g., $t' = 4t$: problem intractable within less than $2^{80}$ operations ⇒ scheme unbreakable within less than $2^{78}$ operations
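
The chain DDH ≤ CDH ≤ DL and the reduction pattern from the slides, written out as an added example (not part of the original presentation): each reduction uses the adversary for the harder problem as a black box. The group parameters (a subgroup of order 509 in $\mathbb{Z}_{1019}^*$), the function names, and the baby-step giant-step routine standing in for the DL adversary are all assumptions made for illustration.

```python
# Added example (not from the slides): the reductions DDH <= CDH <= DL in code.
# All parameters are constructed toy values; real groups are far larger.
from math import isqrt

P, Q, G = 1019, 509, 4   # P = 2Q + 1 prime; G generates the order-Q subgroup of Z_P^*

class Counter:
    """Wraps an adversary and counts how often a reduction calls it."""
    def __init__(self, adversary):
        self.adversary, self.calls = adversary, 0
    def __call__(self, *args):
        self.calls += 1
        return self.adversary(*args)

def dl_adversary(y):
    """Stand-in DL adversary (baby-step giant-step): x in Z_Q with G^x = y."""
    m = isqrt(Q) + 1
    baby = {pow(G, j, P): j for j in range(m)}      # G^j -> j
    giant = pow(G, Q - m, P)                        # G^(-m), since G has order Q
    gamma = y % P
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * giant % P
    raise ValueError("y is not in the subgroup generated by G")

def cdh_from_dl(A, B, dl):
    """CDH <= DL: a = Log_G(A), then C = B^a = G^(ab)."""
    return pow(B, dl(A), P)

def ddh_from_cdh(A, B, C, cdh):
    """DDH <= CDH: answer 1 exactly when C equals DH(A, B)."""
    return int(cdh(A, B) == C)

def demo(a=123, b=456):
    """Run both reductions on a constructed instance; returns (C, yes, no, calls)."""
    dl = Counter(dl_adversary)
    A, B = pow(G, a, P), pow(G, b, P)
    C = cdh_from_dl(A, B, dl)                       # one DL call + one exponentiation
    cdh = lambda X, Y: cdh_from_dl(X, Y, dl)
    yes = ddh_from_cdh(A, B, C, cdh)                # C = G^(ab): expect 1
    no = ddh_from_cdh(A, B, C * G % P, cdh)         # C = G^(ab+1): expect 0
    return C, yes, no, dl.calls

if __name__ == "__main__":
    print(demo())
```

Each CDH instance costs exactly one call to the DL adversary plus one exponentiation, so the running time $t' = T(t)$ of the reduction is explicit and linear in $t$, which is the situation the Practical Security slide describes.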
