the fundamental goal of provable security d j bernstein
play

The fundamental goal of provable security D. J. Bernstein - PDF document

Sep 24, 2022 •528 likes •623 views

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

  1. The fundamental goal of “provable security” D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Let’s focus on what “provable security” is trying to do. Let’s not get distracted by current obstacles: proof errors, looseness, limited models, etc. Surely these can all be fixed. Let’s look at an example ✿ ✿ ✿

  2. Chaum–van Heijst–Pfitzmann, Crypto 1991: choose ♣ sensibly; define ❈ ( ①❀ ② ) = 4 ① 9 ② mod ♣ for suitable ranges of ① and ② . Simple, beautiful, structured. Very easy security reduction: finding ❈ collision implies computing a discrete logarithm.

  3. Chaum–van Heijst–Pfitzmann, Crypto 1991: choose ♣ sensibly; define ❈ ( ①❀ ② ) = 4 ① 9 ② mod ♣ for suitable ranges of ① and ② . Simple, beautiful, structured. Very easy security reduction: finding ❈ collision implies computing a discrete logarithm. Typical exaggerations: ❈ is “provably secure”; ❈ is “cryptographically collision-free”; “security follows from rigorous mathematical proofs”.

  4. This is very bad cryptography. Horrible security for its speed. Far worse security record than “unstructured” compression- function designs such as BLAKE.

  5. This is very bad cryptography. Horrible security for its speed. Far worse security record than “unstructured” compression- function designs such as BLAKE. How did we figure this out? Cryptanalysis! Security losses in ❈ include 1922 Kraitchik (index calculus); 1986 Coppersmith–Odlyzko– Schroeppel (NFS predecessor); 1993 Gordon (general DL NFS); 1993 Schirokauer (faster NFS); 1994 Shor (quantum poly time).

  6. A security reduction can be a useful guide to cryptanalysts : “to attack ❈ , focus on DL.”

  7. A security reduction can be a useful guide to cryptanalysts : “to attack ❈ , focus on DL.” But if you advertise the “provable security” of ❈ to cryptographic users then you’re a snake-oil salesman. “Provable security” has very little correlation with actual security, maybe even negative correlation: ❈ ’s structure helps the proof but also helps attackers . “If it’s provably secure, it’s probably not” —Lars Knudsen

  8. Not everyone agrees: “The only reasonable approach is to construct cryptographic systems with the objective of being able to give security reductions.” —Ivan Damg˚ ard

  9. Not everyone agrees: “The only reasonable approach is to construct cryptographic systems with the objective of being able to give security reductions.” —Ivan Damg˚ ard This approach produces papers but does not produce security. From a security perspective, the only reasonable objective is to construct cryptographic systems that will survive cryptanalysis . Users should select cryptographic systems based on cryptanalysis .

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Invulnerable software D. J. Bernstein University of Illinois at Chicago Public goal of

Invulnerable software D. J. Bernstein University of Illinois at Chicago Public goal of

Invulnerable software D. J. Bernstein University of Illinois at Chicago Public goal of computer-security research: Protection of the average home computer; critical-infrastructure computers; and everything in between. Public goal of

728 views • 36 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Gen 49:16, Dan shall judge his people, as one of the tribes of Israel. (NASB) Gen 49:17 Dan

Gen 49:16, Dan shall judge his people, as one of the tribes of Israel. (NASB) Gen 49:17 Dan

Gen 49:16, Dan shall judge his people, as one of the tribes of Israel. (NASB) Gen 49:17 Dan shall be a serpent in the way, a horned snake in the path, that bites the horses heels, so that his rider falls backward. (NASB) Gen 49:18,

305 views • 12 slides
Natural Language Processing Spring 2017 Unit 3: Tree Models Lectures 9-11: Context-Free Grammars

Natural Language Processing Spring 2017 Unit 3: Tree Models Lectures 9-11: Context-Free Grammars

Natural Language Processing Spring 2017 Unit 3: Tree Models Lectures 9-11: Context-Free Grammars and Parsing required hard Professor Liang Huang optional liang.huang.sh@gmail.com Big Picture only 2 ideas in this course: Noisy-Channel and

1.08k views • 69 slides
Young tableaux and snakes Yuliy Baryshnikov joint work with Dan Romik (Hebrew University)

Young tableaux and snakes Yuliy Baryshnikov joint work with Dan Romik (Hebrew University)

Young tableaux and snakes Yuliy Baryshnikov joint work with Dan Romik (Hebrew University) Motivation A Young tableaux is a filling of Young diagram consisting of n boxes with numbers 1 , . . . , n increasing top-to-down and left-to-right. 1

731 views • 72 slides
Brownian disks and excursions of tree-indexed Brownian motion Jean-Franois Le Gall Universit

Brownian disks and excursions of tree-indexed Brownian motion Jean-Franois Le Gall Universit

Brownian disks and excursions of tree-indexed Brownian motion Jean-Franois Le Gall Universit Paris-Sud Workshop on Statistical Mechanics, Les Diablerets Supported by ERC Advanced Grant 740943 G EO B ROWN Jean-Franois Le Gall (Universit

452 views • 44 slides
Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters or Rabbits Part 1:

Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters or Rabbits Part 1:

Introductory Course for Commercial Dealers of Guinea Pigs, Hamsters or Rabbits Part 1: Introduction to APHIS Animal Care and the Regulatory Process Learning Objectives By the end of this unit you should be able to: 1. Briefly describe how

686 views • 47 slides
Snake Table: A Dynamic Pivot Table for Streams of k-NN Searches Juan Manuel Barrios*, Benjamin

Snake Table: A Dynamic Pivot Table for Streams of k-NN Searches Juan Manuel Barrios*, Benjamin

Snake Table: A Dynamic Pivot Table for Streams of k-NN Searches Juan Manuel Barrios*, Benjamin Bustos *, Tomas Skopal^ * KDW+PRISMA, University of Chile ^ SIRET, Charles University in Prague SISAP 2012, Toronto - Canada, August 2012 Motivation

991 views • 71 slides
The Evolution of Hadoop at Spotify Rafal Wojdyla (rav@spotify.com) Josh Baer (jbx@spotify.com)

The Evolution of Hadoop at Spotify Rafal Wojdyla (rav@spotify.com) Josh Baer (jbx@spotify.com)

The Evolution of Hadoop at Spotify Rafal Wojdyla (rav@spotify.com) Josh Baer (jbx@spotify.com) @l_phant @ravwojdyla Technical Product Owner Data Engineer Hadoop Squad Hadoop Squad Overview Growing Pains Gaining Focus The

774 views • 51 slides
Gen 49:16, Dan shall judge his people, as one of the tribes of Israel. Gen 49:17, Dan shall

Gen 49:16, Dan shall judge his people, as one of the tribes of Israel. Gen 49:17, Dan shall

Gen 49:16, Dan shall judge his people, as one of the tribes of Israel. Gen 49:17, Dan shall be a serpent in the way, a horned snake in the path, that bites the horses heels, so that his rider falls backward. Gen 49:18, For Thy

481 views • 21 slides

More recommend