the design of cryptosystems the interplay between proofs
play

The Design of Cryptosystems: The Interplay between Proofs and - PowerPoint PPT Presentation

Oct 06, 2023 •216 likes •715 views

The Design of Cryptosystems 1 Stefan Lucks The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean Workshop on Applied Cryptography 3rd of December, 2010 Stefan Lucks Bauhaus-Universit at Weimar,

  1. The Design of Cryptosystems 1 Stefan Lucks The Design of Cryptosystems: The Interplay between Proofs and Attacks French-German-Singaporean Workshop on Applied Cryptography 3rd of December, 2010 Stefan Lucks Bauhaus-Universit¨ at Weimar, Germany

  2. The Design of Cryptosystems 2 Stefan Lucks Roadmap Example: Entity Recognition The Problem with Proofs The Jane Doe Protocol The Random Oracle Debate The Jane Doe Protocol (revisited) Summary

  3. The Design of Cryptosystems 3 Stefan Lucks

  4. The Design of Cryptosystems Example: Entity Recognition 4 Stefan Lucks Example: Entity Recognition The Problem with Proofs The Jane Doe Protocol The Random Oracle Debate The Jane Doe Protocol (revisited) Summary

  5. The Design of Cryptosystems Example: Entity Recognition 5 Stefan Lucks Example: Entity Recognition Alice Bob (Sender) (Receiver) ◮ Alice (“Jane Doe”) and Bob meet at a party. They make a bet. Others listen.

  6. The Design of Cryptosystems Example: Entity Recognition 5 Stefan Lucks Example: Entity Recognition Alice Bob (Sender) (Receiver) ◮ Alice (“Jane Doe”) and Bob meet at a party. They make a bet. Others listen. ◮ Much later, when it had turned out that Alice won, Bob receives a mail from “Jane Doe”: “Bob, please transfer the money I have won to . . . ◮ How can Bob verify that this mail is from Alice?

  7. The Design of Cryptosystems Example: Entity Recognition 6 Stefan Lucks Entity Recognition: More Formal Alice Bob (Sender) (Receiver) ◮ The initial communication may be observed – but not tampered with

  8. The Design of Cryptosystems Example: Entity Recognition 6 Stefan Lucks Entity Recognition: More Formal Alice Bob (Sender) (Receiver) ◮ The initial communication may be observed – but not tampered with ◮ Later , communication may be observed but also tampered with (read, modify, suppress, or re-send data).

  9. The Design of Cryptosystems Example: Entity Recognition 7 Stefan Lucks “Cheap” Symmetric Operations Hash Chain a 0 := H ( H ( . . . ( H ( a n )))) : an an−1 an−1 an−2 a1 a0

  10. The Design of Cryptosystems Example: Entity Recognition 7 Stefan Lucks “Cheap” Symmetric Operations Hash Chain a 0 := H ( H ( . . . ( H ( a n )))) : an an−1 an−1 an−2 a1 a0 Assumption (one-wayness): given a i − 1 : infeasible to find any a ′ with H ( a ′ ) = a i − 1

  11. The Design of Cryptosystems Example: Entity Recognition 7 Stefan Lucks “Cheap” Symmetric Operations Hash Chain Message Authentication Code (MAC) a 0 := H ( H ( . . . ( H ( a n )))) : secret message key an an−1 an−1 an−2 tag a1 a0 Assumption (one-wayness): given a i − 1 : infeasible to find any a ′ with H ( a ′ ) = a i − 1

  12. The Design of Cryptosystems Example: Entity Recognition 7 Stefan Lucks “Cheap” Symmetric Operations Hash Chain Message Authentication Code (MAC) a 0 := H ( H ( . . . ( H ( a n )))) : secret message key an an−1 an−1 an−2 tag a1 a0 Assumption (secure against existential Assumption (one-wayness): forgery): given a i − 1 : given many (tag,message) pairs: infeasible to find any a ′ with infeasible to forge tag for another H ( a ′ ) = a i − 1 message

  13. The Design of Cryptosystems Example: Entity Recognition 8 Stefan Lucks Protocols for Entity Recognition ◮ “Zero Common-Knowledge”: Weimerskirch, Westhoff, 2003. ◮ “Jane Doe”: (not yet using that name): Lucks, Zenner, Weimerskirch, Westhoff, 2005. ◮ “Jane Doe”: Lucks, Zenner, Weimerskirch, Westhoff, 2008.

  14. The Design of Cryptosystems Example: Entity Recognition 9 Stefan Lucks The Zero Common Knowledge Protocol ◮ one hash chain ( a 0 , a 1 , . . . ) for Alice, another one ( b 0 , b 1 , . . . ) for Bob. ◮ Bob knows a i − 1 , Alice knows b j − 1 . ◮ Alice authenticates m by tag := MAC a j + 1 ( m ), and a j . ◮ Bob verifies H ( a i ) = a i − 1 and responds b i . Alice verifies H ( b i ) = b i − 1 . ◮ Alice sends a j + 1 . Bob verifies H ( a j + 1 ) = a j and MAC a j + 1 ( m ) = tag.

  15. The Design of Cryptosystems Example: Entity Recognition 10 Stefan Lucks The Attack ◮ one hash chain ( a 0 , a 1 , . . . ) for Alice, another one ( b 0 , b 1 , . . . ) for Bob. ◮ Bob knows a i − 1 , Alice knows b j − 1 . ◮ Alice authenticates m by tag := MAC a j + 1 ( m ), and a j . ◮ Bob verifies H ( a i ) = a i − 1 and responds b i . Alice verifies H ( b i ) = b i − 1 . ◮ Alice sends a j + 1 . Eve does not deliver this to Bob.

  16. The Design of Cryptosystems Example: Entity Recognition 10 Stefan Lucks The Attack ◮ one hash chain ( a 0 , a 1 , . . . ) for Alice, another one ( b 0 , b 1 , . . . ) for Bob. ◮ Bob knows a i − 1 , Alice knows b j − 1 . ◮ Alice authenticates m by tag := MAC a j + 1 ( m ), and a j . ◮ Bob verifies H ( a i ) = a i − 1 and responds b i . Alice verifies H ( b i ) = b i − 1 . ◮ Alice sends a j + 1 . Eve does not deliver this to Bob. ◮ Next time, Alice will send tag := MAC( . . . ), and a j + 2 . ◮ Eve then knows a j + 1 and a j + 2 from Alice’s hash chain, which are unknown to Bob. ◮ This allows her to forge a message for Bob.

  17. The Design of Cryptosystems Example: Entity Recognition 11 Stefan Lucks Comments ◮ The Zero Common Knowledge Protocol has been published at SAC 2003 and proven secure! ◮ The proof makes the (implicit) assumption that messages are always delivered.

  18. The Design of Cryptosystems Example: Entity Recognition 11 Stefan Lucks Comments ◮ The Zero Common Knowledge Protocol has been published at SAC 2003 and proven secure! ◮ The proof makes the (implicit) assumption that messages are always delivered. ◮ We could “repair” this by making the assumption explicit . ◮ The proof would be theoretically sound, but (most probably) practically useless!

  19. The Design of Cryptosystems The Problem with Proofs 12 Stefan Lucks Example: Entity Recognition The Problem with Proofs The Jane Doe Protocol The Random Oracle Debate The Jane Doe Protocol (revisited) Summary

  20. The Design of Cryptosystems The Problem with Proofs 13 Stefan Lucks The Problem with Proofs ◮ Lars Knudsen: “If it is provably secure, it is probably not” ◮ Birgit Pfitzmann, Michael Waidner: “How To Break and Repair A ’Provably Secure’ Untraceable Payment System” , CRYPTO 1991 ◮ Birgit Pfitzmann, Matthias Schunter, Michael Waidner: “How to Break Another Provably Secure Payment System” , EUROCRYPT 1995: “Short statements of cryptographic properties (formal or informal) should always come with an explicit trust model, i.e., for whom a property is guaranteed, and which other participants have to be trusted to guarantee this.”

  21. The Design of Cryptosystems The Problem with Proofs 14 Stefan Lucks The Trinity of Cryptographic Security Proofs A cryptographic “Security Proof” is actually a trinity of 1. some definitions (trust model, cryptographic assumptions, . . . ), 2. a theorem, and 3. the proof itself.

  22. The Design of Cryptosystems The Problem with Proofs 14 Stefan Lucks The Trinity of Cryptographic Security Proofs A cryptographic “Security Proof” is actually a trinity of 1. some definitions (trust model, cryptographic assumptions, . . . ), 2. a theorem, and 3. the proof itself. ◮ Leave it to the theoreticians to verify the proof.

  23. The Design of Cryptosystems The Problem with Proofs 14 Stefan Lucks The Trinity of Cryptographic Security Proofs A cryptographic “Security Proof” is actually a trinity of 1. some definitions (trust model, cryptographic assumptions, . . . ), 2. a theorem, and 3. the proof itself. ◮ Leave it to the theoreticians to verify the proof. ◮ But understand that the theorem, with the associated definitions, is like a contract between ◮ a service provider (the crypto-designer) and ◮ a client (the application designer).

  24. The Design of Cryptosystems The Problem with Proofs 15 Stefan Lucks The Proof as a Contract ◮ obligations for the client , such as choosing primitives (MAC, Hash, . . . ), secure against well-defined classes of attack ◮ responsibility of the service provider (security against the specified class of attacks in the specified trust model) ◮ if the client follows her obligations, mathematical laws guarantee the promised security This is an extremely useful concept for Applied Cryptography! But the client must understand the contract!

  25. The Design of Cryptosystems The Jane Doe Protocol 16 Stefan Lucks Example: Entity Recognition The Problem with Proofs The Jane Doe Protocol The Random Oracle Debate The Jane Doe Protocol (revisited) Summary

  26. The Design of Cryptosystems The Jane Doe Protocol 17 Stefan Lucks The Jane Doe Protocol a a i i−1 b b i−1 i Alice ◮ Two hash chains ( a 0 , a 1 , . . . ) for Alice, and ( b 0 , b 1 , . . . ) for Bob. Initially, Alice knows b i − 1 and Bob knows a i − 1 . ◮ Later, Alice will reveal a i , and Bob will reveal b i .

  27. The Design of Cryptosystems The Jane Doe Protocol 17 Stefan Lucks The Jane Doe Protocol a a i i−1 b b i−1 i m, tag tag := MAC (m) a i Alice ◮ Two hash chains ( a 0 , a 1 , . . . ) for Alice, and ( b 0 , b 1 , . . . ) for Bob. Initially, Alice knows b i − 1 and Bob knows a i − 1 . ◮ Later, Alice will reveal a i , and Bob will reveal b i .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the

The RSA Algorithm Private-key cryptosystems: - Alice and Bob agree on the key before the communication - all cryptosystems we discussed so far - also called: symmetric-key cryptosystems Public-key cryptosystems (Chapter 6) : - what to do if

281 views • 4 slides
Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s

Cryptosystems from 1900 to 1975 Late Classical Cryptosystems From 1900 up to the mid-1970s Many important and storied examples. See: http://users.telenet.be/d.rijmenants/ Jim Royer Well talk about just one in detail: the one-time pad .

250 views • 6 slides
The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of

The impact of side-channel attacks on the design of cryptosystems D. J. Bernstein University of Illinois at Chicago The standard model of senders, receivers, attackers, etc.: 1. Parties perform computation, send messages to other parties.

550 views • 32 slides
Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric

Outline Yet More On Cryptography Symmetric cryptosystems CS 239 Asymmetric cryptosystems Computer Security Digital signatures January 30, 2006 Digital hashes Key recovery cryptosystems Lecture 4 Lecture 4 Page 1 Page

358 views • 11 slides
Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically

Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given the time Security Notions and computational resources. However,

307 views • 10 slides
Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to

Note: Log = logarithm, not Discrete-Log Based Public Key Cryptosystems Jim Royer September 25, 2018 Introduction to Cryptography 1 References Symmetric and Asymmetric Cryptosystems Public-Key Cryptosystems Based on the Discrete

436 views • 9 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Euclid (300 BC) Proofs, Continued Today Proofs : A style guide Proofs should be easy to verify. All the cleverness goes into finding/writing the proof, not reading/verifying it! P vs. NP (informally) : P =

682 views • 21 slides
Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The

Security Bounds for the Design of Code-based Cryptosystems M. Finiasz et N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

445 views • 31 slides
Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The

Security Bounds for the Design of Code-Based Cryptosystems M. Finiasz and N. Sendrier The Syndrome Decoding Problem e S r H n Syndrome Decoding (SD) Does e { 0 , 1 } n of weight w such that e H = S exist? NP-complete problem.

908 views • 31 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics,

Fault Attacks on Supersingular Isogeny Cryptosystems Yan Bo Ti Department of Mathematics, University of Auckland PQCrypto 2017, 26th of June 1/15 Outline 1 Preliminaries Introduction Supersingular isogenies SSI cryptosystems 2 Fault attack

378 views • 33 slides
Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan

CS 598 - COMPUTER SECURITY IN THE PHYSICAL WORLD Why Cryptosystems Fail? Ross J. Anderson - Communications of the ACM 1994 By Hassan Shahid Khan What are cryptosystems? - A suite of cryptographic algorithms (generation, encryption and

834 views • 16 slides
T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction

T-79.159 Cryptography and Data Security Lecture 2: 2.1 Classical cryptosystems 2.2.Introduction to modern cryptographic primitives Kaufman et al: Chapter 2 Stallings: Chapter 2 1 2.1 Classical Cryptosystems Ceasar Cipher, or Shift Cipher

555 views • 21 slides
The Chamber of Tax Consultants Re-introduction of Gift Tax- Section 56(2)(x) & Interplay of

The Chamber of Tax Consultants Re-introduction of Gift Tax- Section 56(2)(x) & Interplay of

The Chamber of Tax Consultants Re-introduction of Gift Tax- Section 56(2)(x) & Interplay of 50C and 50CA April 14, 2018 Presentation by: Yogesh A. Thar Contents Section 56(2)(x)- Implications Interplay between sections 50C and 56(2)(x)

533 views • 41 slides
User Interface Design In Windows using Blend General UI I guidelines 10 heuristics (Jakob

User Interface Design In Windows using Blend General UI I guidelines 10 heuristics (Jakob

User Interface Design In Windows using Blend General UI I guidelines 10 heuristics (Jakob Nielsen) 1. Visibility of system status 6. Recognition rather than recall 2. Match between system and the real world 7. Flexibility and efficiency of

241 views • 21 slides
The Linking Open Data Project Bootstrapping the Web of Data Tom Heath Talis Information Ltd, UK

The Linking Open Data Project Bootstrapping the Web of Data Tom Heath Talis Information Ltd, UK

The Linking Open Data Project Bootstrapping the Web of Data Tom Heath Talis Information Ltd, UK CATCH Programme and E-Culture Project Meeting on Metadata Interoperability Amsterdam, 29 February 2008 My Background studiedAt created memberOf

828 views • 38 slides
Cross-Language Explicit Semantic Analysis Nedim Lipka Maik Anderka Benno Stein Bauhaus

Cross-Language Explicit Semantic Analysis Nedim Lipka Maik Anderka Benno Stein Bauhaus

Cross-Language Explicit Semantic Analysis Nedim Lipka Maik Anderka Benno Stein Bauhaus University Weimar www.webis.de 1 Lipka@CLEF [ ] 01.10.09 Outline Retrieval Models The CL-ESA Retrieval Model CL-ESA at TEL@CLEF 2009

697 views • 20 slides
Transcending the Unaided, Individual Human Mind Understanding, Fostering, and Supporting

Transcending the Unaided, Individual Human Mind Understanding, Fostering, and Supporting

Wisdom is not the product of schooling but the lifelong attempt to acquire it. - Albert Einstein Transcending the Unaided, Individual Human Mind Understanding, Fostering, and Supporting Cultures of Participation Gerhard Fischer Center

857 views • 48 slides
On the Security of Tandem-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks Bauhaus-University

On the Security of Tandem-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks Bauhaus-University

Outline Introduction Security of Tandem-DM Concluding Remarks On the Security of Tandem-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks Bauhaus-University Weimar February 23, 2009 Ewan Fleischmann, Michael Gorski, Stefan Lucks On the

771 views • 54 slides
WASDeTT-3 3rd Workshop on Academic/Advanced Software Development Tools and Techniques WASDeTT-3,

WASDeTT-3 3rd Workshop on Academic/Advanced Software Development Tools and Techniques WASDeTT-3,

WASDeTT-3 3rd Workshop on Academic/Advanced Software Development Tools and Techniques WASDeTT-3, Antwerp, Belgium September 20, 2010 This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

431 views • 19 slides
FINITE STATE MORPHOLOGY 24.05.19 Statistical Natural Language Processing 1 Morphology with FSAs

FINITE STATE MORPHOLOGY 24.05.19 Statistical Natural Language Processing 1 Morphology with FSAs

Jurafsky, D. and Martin, J. H. (2009): Speech and Language Processing. An Introduction to Natural Language Processing, Computational Linguistics and Speech Recognition . Second Edition. Pearson: New Jersey: Chapter 3 Transducers, Compact

902 views • 39 slides
Transfer Learning for Improving Model Predictions in Highly Configurable Software Pooyan

Transfer Learning for Improving Model Predictions in Highly Configurable Software Pooyan

Transfer Learning for Improving Model Predictions in Highly Configurable Software Pooyan Jamshidi, Miguel Velez , Christian Kstner, Norbert Siegmund, Prasad Kawthekar Highly Configurable Systems In Dynamic Environments [Credit to CMU

911 views • 60 slides

More recommend