another look at provable security
play

Another Look at Provable Security Alfred Menezes (joint work with - PowerPoint PPT Presentation

Feb 17, 2023 •399 likes •1.32k views

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

  1. Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 – 1

  2. Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or primitive S . Provable security entails: 1. A security definition that captures the capabilities and goals of the adversary. 2. A statement of assumptions about S . 3. A reductionist security proof: S ≤ A , where A is a hypothetical adversary who breaks P . – 2

  3. Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or primitive S . Provable security entails: 1. A security definition that captures the capabilities and goals of the adversary. 2. A statement of assumptions about S . 3. A reductionist security proof: S ≤ A , where A is a hypothetical adversary who breaks P . Question: What security assurances does the proof provide when protocol P is deployed in practice? – 2

  4. Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or primitive S . Provable security entails: 1. A security definition that captures the capabilities and goals of the adversary. 2. A statement of assumptions about S . 3. A reductionist security proof: S ≤ A , where A is a hypothetical adversary who breaks P . Question: What security assurances does the proof provide when protocol P is deployed in practice? This talk will examine three difficulties with assessing security proofs: (i) Tightness of the proof; (ii) Multi-user setting; (iii) Non-uniform complexity model. For concreteness, I will focus on MAC schemes. – 2

  5. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. – 3

  6. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. – 3

  7. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. – 3

  8. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. • Anonymous referee: “These papers have elicited a wide variety of reactions from the cryptographic community, ranging from visceral hatred to adulation.” – 3

  9. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. • Anonymous referee: “These papers have elicited a wide variety of reactions from the cryptographic community, ranging from visceral hatred to adulation.” • Anonymous referee (in reference to our criticisms of the field of leakage resilience): “What, one must wonder, lies behind this desire to commit infanticide?” – 3

  10. What this talk is about ◮ This talk is about practice-oriented provable security. • Understanding what security assurances are provided in practice. ◮ This talk is not about the foundations of cryptography. ◮ This talk is based on papers available at http://anotherlook.ca. • These papers are viewed by many as highly controversial. • Anonymous referee: “These papers have elicited a wide variety of reactions from the cryptographic community, ranging from visceral hatred to adulation.” • Anonymous referee (in reference to our criticisms of the field of leakage resilience): “What, one must wonder, lies behind this desire to commit infanticide?” ◮ Disclaimer: No babies were killed in preparation for this talk. – 3

  11. Does Tightness Matter? – 4

  12. Tightness gap ◮ P = protocol, S = computational problem/primitive. ◮ Suppose A is an algorithm that breaks P . Suppose A takes time at most T and is successful with probability at least ǫ . ◮ A reduction of S to A (written S ≤ A ) is an algorithm R that solves S using A as a subroutine. ◮ Suppose that R takes time T ′ for a proportion at least ǫ ′ of the instances of S . ◮ Thus, if S is ( T ′ , ǫ ′ ) -secure, then P is ( T, ǫ ) -secure. – 5

  13. Tightness gap ◮ P = protocol, S = computational problem/primitive. ◮ Suppose A is an algorithm that breaks P . Suppose A takes time at most T and is successful with probability at least ǫ . ◮ A reduction of S to A (written S ≤ A ) is an algorithm R that solves S using A as a subroutine. ◮ Suppose that R takes time T ′ for a proportion at least ǫ ′ of the instances of S . ◮ Thus, if S is ( T ′ , ǫ ′ ) -secure, then P is ( T, ǫ ) -secure. ◮ The reduction R is tight if T ′ ≈ T and ǫ ′ ≈ ǫ . – 5

  14. Tightness gap ◮ P = protocol, S = computational problem/primitive. ◮ Suppose A is an algorithm that breaks P . Suppose A takes time at most T and is successful with probability at least ǫ . ◮ A reduction of S to A (written S ≤ A ) is an algorithm R that solves S using A as a subroutine. ◮ Suppose that R takes time T ′ for a proportion at least ǫ ′ of the instances of S . ◮ Thus, if S is ( T ′ , ǫ ′ ) -secure, then P is ( T, ǫ ) -secure. ◮ The reduction R is tight if T ′ ≈ T and ǫ ′ ≈ ǫ . It is non-tight if T ≪ T ′ or if ǫ ≫ ǫ ′ . ◮ The tightness gap is ( T ′ ǫ ) / ( Tǫ ′ ) . – 5

  15. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. – 6

  16. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . – 6

  17. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . ◮ Suppose that a ( T, ǫ ) -forger A of RSA-FDH makes at most q = 2 60 hash-queries. Then the Bellare-Rogaway proof uses A to ( T, ǫ/ 2 60 ) -solve the RSA problem. – 6

  18. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . ◮ Suppose that a ( T, ǫ ) -forger A of RSA-FDH makes at most q = 2 60 hash-queries. Then the Bellare-Rogaway proof uses A to ( T, ǫ/ 2 60 ) -solve the RSA problem. ◮ Conclusion: RSA-FDH is ( T, ǫ ) -secure for T/ǫ ≤ 2 20 . The tightness gap is 2 60 . – 6

  19. Example of a non-tight reduction The classic Bellare-Rogaway proof for RSA-FDH in the random oracle model has a tightness gap of q , where q is the number of hash function queries. ◮ Let the RSA modulus N be a 1024-bit integer. ◮ Assumption: The RSA problem cannot be ( T ′ , ǫ ′ ) -solved for T ′ /ǫ ′ ≤ 2 80 . ◮ Suppose that a ( T, ǫ ) -forger A of RSA-FDH makes at most q = 2 60 hash-queries. Then the Bellare-Rogaway proof uses A to ( T, ǫ/ 2 60 ) -solve the RSA problem. ◮ Conclusion: RSA-FDH is ( T, ǫ ) -secure for T/ǫ ≤ 2 20 . The tightness gap is 2 60 . ◮ If we desire the assurance that RSA-FDH is ( T, ǫ ) -secure for T/ǫ ≤ 2 80 , we need to select N so that T ′ /ǫ ′ ≤ 2 140 . That is, we should use at least a 4000-bit modulus N . ◮ However, no one would take such a recommendation seriously. – 6

  20. Identity-based encryption schemes ◮ Boyen [2008] compares the tightness of the reductions for the Boneh-Franklin (BF), Sakai-Kasahara (SK), and Boneh-Boyen (BB1) IBE schemes. – 7

  21. Identity-based encryption schemes ◮ Boyen [2008] compares the tightness of the reductions for the Boneh-Franklin (BF), Sakai-Kasahara (SK), and Boneh-Boyen (BB1) IBE schemes. ◮ The reduction for BB1 is significantly tighter than the reduction for BF, which in turn is significantly tighter than that for SK. ◮ However, all three reductions are in fact highly non-tight — the tightness gap being (at least) linear, quadratic and cubic in the number of random oracle queries made by the adversary for BB1, BF and SK, respectively. – 7

Recommend

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with Florian Bergsma, Katriel Cohn-Gordon, Cas Cremers, Ben Dowling, Marc Fischlin, Felix Gnther, Luke Garratt, Florian Kohlar, Jrg Schwenk Funding

899 views • 72 slides
How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel Jero + , Alexandra Boldyreva * , and Cristina Nita-Rotaru ++ * Georgia Institute ++ Northeastern + Purdue of T echnology University University 1

536 views • 31 slides
Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Probability in Cryptography Two Tools: H-Coefficient and 2 Some Constructions and Applications Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK Workshop, Changsha 10 Dec. 2017 1 / 72

1.48k views • 71 slides
Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions

666 views • 40 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Encryption PKCS #1 v1.5 PKCS #1 v2.0 : OAEP Signature

286 views • 17 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides

More recommend