Cryptography Provable Security Encryption Assumptions Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange information securely Que peut nous garantir la cryptographie ? With the all-digital world, security needs are even stronger. . . In your pocket David Pointcheval Ecole normale sup´ erieure But also at home Fondation Sciences Math´ ematiques de Paris September 27th, 2011 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 2/14 Cryptography Provable Security Encryption Assumptions Cryptography Provable Security Encryption Assumptions First Encryption Mechanisms Common Parameter The goal of encryption is to hide a message A shared information (secret key) between the sender and the receiver parameterizes the public mechanism Enigma : Substitutions and permutations choice of the connectors Security relies on and the rotors the secrecy of the mechanism Scytale ⇒ How to widely use them? Permutation � www.maritime.org c Security looks better: but broken (Alan Turing et al. ) ⇒ Security analysis is required Alberti’s disk Wheel – M 94 (CSP 488) Mono-alphabetical Substitution Poly-alphabetical Substitution David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 3/14 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 4/14
Cryptography Provable Security Encryption Assumptions Cryptography Provable Security Encryption Assumptions Practical Secrecy What is a Secure Cryptographic Scheme? What does security mean? → Formal security notions Perfect Secrecy vs. Practical Secrecy How to guarantee above security claims? → Provable security No information about the plaintext m can be extracted Computational Security Proofs from the ciphertext c , even for a powerful adversary a formal security model (security notions) (unlimited time and/or unlimited power): perfect secrecy a reduction: if one (Adversary) can break the security notions, ⇒ information theory then one (Simulator + Adversary) can break a hard problem In practice: adversaries are limited in time/power acceptable computational assumptions (hard problems) ⇒ complexity theory We thus model all the players (the legitimate ones and the adversary) Security Game Reduction S Oracles Oracles i m u l a t o r as Probabilistic Polynomial Time Turing Machines: I computers that run programs n s t a n c e S o Adversary Challenger Adversary Challenger l u 0 / 1 t i o n Proof by contradiction David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 5/14 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 6/14 Cryptography Provable Security Encryption Assumptions Cryptography Provable Security Encryption Assumptions Integer Factoring Reduction Records Security Game Reduction S Oracles Oracles i m u l a t o r Given n = pq − → Find p and q I Digits Date Bit-Length n s t a n c e 130 April 1996 431 bits S o Adversary Challenger Adversary Challenger l u 0 / 1 t i o n 140 February 1999 465 bits 155 August 1999 512 bits Adversary running time t Algorithm running time T = f ( t ) 160 April 2003 531 bits Lossy reduction: T = k 3 × t 200 May 2005 664 bits Modulus Adversary Algorithm Best Known 232 December 2009 768 bits Bit-length Complexity Complexity Complexity t < 2 110 T < 2 143 2 112 k = 2048 Complexity t < 2 110 T < 2 146 2 128 k = 3072 768 bits → 2 64 op. 3072 bits → 2 128 op. t < 2 110 T < 2 146 2 150 k = 4096 1024 bits → 2 80 op. 4096 bits → 2 150 op. Tight reduction: T ≈ t 2048 bits → 2 112 op. 7680 bits → 2 192 op. With k = 2048 and t < 2 110 , one gets T < 2 110 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 7/14 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 8/14
Cryptography Provable Security Encryption Assumptions Cryptography Provable Security Encryption Assumptions Public-Key Encryption RSA-OAEP (PKCS #1 v2.1) [Bellare-Rogaway – Eurocrypt ’94] The Plain RSA Encryption [Rivest-Shamir-Adleman 1978] Goal: Privacy/Secrecy of the plaintext G ( 1 k ) : n = pq , sk ← d = e − 1 mod ϕ ( n ) and pk ← ( n , e ) E ( pk , m ) = c = m e mod n ; D ( sk , c ) = m = c d mod n G k e k d b ∈ {0,1} Deterministic and malleable: randomness and redundancy r random c D m m 0 m is the message to encrypt m 1 A m b E c * r is the additional randomness to r c ≠ c * D make encryption probabilistic m ? b’ b’ = b 00 . . . 00 is redundancy to be checked at decryption time No adversary can distinguish a ciphertext of m 0 from a ciphertext of m 1 . IND - CPA Then, c = RSA ( X � Y ) Even with an access to the decryption oracle Theorem (IND-CCA Security [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01] ) (to model leakage of information). IND - CCA RSA-OAEP is IND-CCA secure under the RSA assumption David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 9/14 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 10/14 Cryptography Provable Security Encryption Assumptions Cryptography Provable Security Encryption Assumptions RSA-OAEP Security Proof [Fujisaki-Okamoto-Pointcheval-Stern – Crypto ’01] Classical Assumptions c = f ( X � Y ) Main Assumptions To get information on m , H ( X ) queried Integer Factoring = ⇒ partial inversion of f Modular Roots (Square roots and e -th roots) c = RSA ( X � Y ) Discrete Logarithm (in Finite Fields and in Elliptic Curves) RSA: partial inversion and full inversion are equivalent (but at a loss) Properties If an adversary breaks IND - CCA within time t , one can break RSA Advantages: easy to implement, and widely used within time T ≈ 2 t + 3 q H 2 k 3 ( q H = number of Hashing queries ≈ 2 60 ) Drawbacks: (2 112 ) t < 2 110 T < 2 155 k = 2048 large modulus: = ⇒ Factoring and DL in finite fields require larger and larger keys (2 150 ) t < 2 110 T < 2 158 k = 4096 > 4096 bits! They are all subject to quantum attacks [Shor 1997] REACT-RSA Alternatives: Post-Quantum Cryptography [Okamoto-Pointcheval – CT-RSA ’01] E ( pk , m , r ) = ( c 1 = r e mod n , c 2 = G ( r ) ⊕ m , c 3 = H ( r , m , c 1 , c 2 )) Error-Correcting Codes Systems of Multi-Variate Equations Security reduction between IND − CCA and the RSA assumption: ⇒ 2048-bit RSA moduli provide 2 110 security Lattices T ≈ t = David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 11/14 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 12/14
Cryptography Provable Security Encryption Assumptions Lattice-Based Cryptography Conclusion With provable security, one can precisely get: Lattice Problems the security games one wants to resist against any adversary Shortest Vector the security level, according to the resources of the adversary Small Basis (Reduced) But, it is under some assumptions: Closest Vector the best attacks against the underlying problems Properties no leakage of information excepted from the given oracles Worst-case/Average-case Cryptographers’ goals are thus Reductions analysis of the underlying problems / new problems No quantum attack known realistic and strong security notions (games) Related Problems Cryptographic Primitives accurate model for leakage of information (oracle access) Learning With Errors Identity Based Encryption tight security reductions Knapsack Problem Fully Homomorphic Encryption Implementations and uses must satisfy the constraints! David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 13/14 David Pointcheval – ENS Fondation Sciences Math´ ematiques de Paris 14/14
Recommend
More recommend
