cryptographic reductions classification and applications
play

Cryptographic Reductions: Classification and Applications to Ideal - PowerPoint PPT Presentation

Nov 10, 2022 •174 likes •933 views

Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher Three Ways to Argue for Cryptographic Security Cryptanalysis

  1. Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

  2. Cryptographic Reductions: Classification and Applications to Ideal Models Paul Baecher

  3. Three Ways to Argue for Cryptographic Security Cryptanalysis Empirically evaluate real-world primitives Information-theoretic arguments Disregard any resource limitations Provable security from assumptions Efficient attackers only 1

  4. Three Ways to Argue for Cryptographic Security Provable security from assumptions Efficient attackers only 1

  5. Provable Security Follows a Common Structure Construction “To encrypt with � construction � , take the message and. . . ” 2

  6. Provable Security Follows a Common Structure Construction “To encrypt with � construction � , take the message and. . . ” Security proof Thm: If � assumption � , then � construction � secure. 2

  7. Provable Security Follows a Common Structure Construction “To encrypt with � construction � , take the message and. . . ” Security proof Thm: If � assumption � , then � construction � secure in the � ideal model � . 2

  8. Provable Security Follows a Common Structure Construction “To encrypt with � construction � , take the message and. . . ” Security proof Thm: If � assumption � , then � construction � secure in the � ideal model � . Idealized primitive 2

  9. Ideal Models Provide the “Best Possible” Primitive Ideal model Real life Random oracle MD5, SHA3, . . . Ideal cipher DES, AES, . . . 3

  10. Ideal Models Provide the “Best Possible” Primitive Ideal model Real life Random oracle MD5, SHA3, . . . Ideal cipher DES, AES, . . . Pick a random function from the set of all functions from k to n bits. 3

  11. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . 4

  12. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . Idealized primitive 4

  13. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . Idealized primitive � constr 1 � 4

  14. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . Idealized primitive � constr 1 � � constr 2 � 4

  15. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . Idealized primitive � constr 1 � � constr 2 � AES 4

  16. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . Idealized primitive � constr 1 � � constr 2 � DES 4

  17. Comparing Two Constructions with Ideal-Model Proofs is Difficult If � assump � , then � constr 1 � If � assump � , then � constr 2 � secure in the � ideal model � . secure in the � ideal model � . Idealized primitive � constr 1 � ? � constr 2 � DES 4

  18. Comparisons Might Still Be Possible Without Fully Understanding Ideal Primitives Can we compare constructions relative to each other? How do popular constructions compare? 5

  19. Oracle reducibility enables sound comparisons of cryptographic constructions whose proofs are in ideal models. 6

  20. Outline [BF11,BFFS13] Oracle reducibility A versatile comparison paradigm Ideal-cipher comparisons Blockcipher-based compression functions Random-oracle comparisons ElGamal-type encryption schemes 7

  21. Outline [BF11,BFFS13] Oracle reducibility A versatile comparison paradigm Ideal-cipher comparisons Blockcipher-based compression functions Random-oracle comparisons ElGamal-type encryption schemes 7

  22. What Makes � constr 1 � Secure Also Makes � constr 2 � Secure Idealized primitive � constr 1 � � constr 2 � 8

  23. What Makes � constr 1 � Secure Also Makes � constr 2 � Secure Idealized primitive � constr 1 � � constr 2 � E 8

  24. What Makes � constr 1 � Secure Can be Adjusted to Make � constr 2 � Secure Idealized primitive � constr 2 � � constr 1 � 9

  25. What Makes � constr 1 � Secure Can be Adjusted to Make � constr 2 � Secure Idealized primitive � constr 2 � � constr 1 � E 9

  26. What Makes � constr 1 � Secure Can be Adjusted to Make � constr 2 � Secure Idealized primitive � constr 2 � � constr 1 � E T ( E ) 9

  27. Formally Defining [ B F11, B FFS13] Oracle Reducibility Direct reducibility Free reducibility Any oracle O that makes C O There exists T s.t. any oracle 1 secure also makes C O that makes C O 2 secure 1 secure also makes C T O secure 2 10

  28. Formally Defining [ B F11, B FFS13] Oracle Reducibility Direct reducibility Free reducibility Any oracle O that makes C O There exists T s.t. any oracle ⇒ 1 secure also makes C O that makes C O 2 secure 1 secure also makes C T O secure 2 10

  29. Outline Oracle reducibility A versatile comparison paradigm Ideal-cipher comparisons [BFFS13] Blockcipher-based compression functions Random-oracle comparisons ElGamal-type encryption schemes 11

  30. Compression Functions Securely Shrink Their Input Building block for hash functions K 2 n -to- n compression Built from a blockcipher M E Design from [PGV93] Collision resistant if E ideal E ( K , M ) ⊕ M Proof due to [BRSS10] 12

  31. PGV Functions 1 2 3 4 5 6 7 8 9 10 11 12 13

  32. PGV Functions [ B FFS13] Fall Into Two Groups 1 4 2 3 5 8 6 7 9 12 10 11 direct reducibility within direct reducibility within 13

  33. PGV Functions [ B FFS13] Fall Into Two Groups 1 4 2 3 separation (direct) 5 8 � 6 7 reducibility (free) 9 12 10 11 13

  34. PGV Functions [ B FFS13] Fall Into Two Groups f r e e r e d u c t i o n 1 4 2 3 separation (direct) 5 8 � 6 7 reducibility (free) 9 12 10 11 13

  35. Free Reduction From PGV 2 to PGV 1 M M K K 1 2 1 secure ⇒ PGV T E PGV E There exists T s.t. for any E : secure 2 E 14

  36. Free Reduction From PGV 2 to PGV 1 M M K K 1 2 1 secure ⇒ PGV T E PGV E There exists T s.t. for any E : secure 2 T E ( K , M ) := E ( K , M ) ⊕ K E 14

  37. Free Reduction From PGV 2 to PGV 1 M M K K 1 2 1 secure ⇒ PGV T E PGV E There exists T s.t. for any E : secure 2 T E ( K , M ) := E ( K , M ) ⊕ K M K E E 14

  38. Free Reduction From PGV 2 to PGV 1 M M K K 1 2 1 secure ⇒ PGV T E PGV E There exists T s.t. for any E : secure 2 T E ( K , M ) := E ( K , M ) ⊕ K M T K E 14

  39. Free Reduction From PGV 2 to PGV 1 M M K K 1 2 1 secure ⇒ PGV T E PGV E There exists T s.t. for any E : secure 2 T E ( K , M ) := E ( K , M ) ⊕ K M M T T ≡ K K E E 14

  40. PGV Functions [ B FFS13] Fall Into Two Groups 1 4 2 3 separation (direct) 5 8 � 6 7 reducibility (free) 9 12 10 11 15

  41. Groups are Incomparable, No Clear Winner No direct reducibility from #1 to #2 Or vice versa Free reducibility “switches” group But no simultaneous security for both 16

  42. Groups are Incomparable, No Clear Winner � #1 secure E s.t. No direct reducibility from #1 to #2 #2 ??? Or vice versa Free reducibility “switches” group But no simultaneous security for both 16

  43. Groups are Incomparable, No Clear Winner � #1 secure E s.t. No direct reducibility from #1 to #2 #2 ??? Or vice versa T Free reducibility “switches” group � #1 ??? T ( E ) s.t. But no simultaneous security for both #2 secure 16

  44. Groups are Incomparable, No Clear Winner � #1 secure T ( T ( E )) s.t. No direct reducibility from #1 to #2 #2 ??? Or vice versa T Free reducibility “switches” group � #1 ??? T ( E ) s.t. But no simultaneous security for both #2 secure 16

  45. Outline Oracle reducibility A versatile comparison paradigm Ideal-cipher comparisons Blockcipher-based compression functions Random-oracle comparisons [BF11] ElGamal-type encryption schemes 17

  46. Cryptographic Constructions Often Undergo Iterative Improvements Feasibility result Not practical, but it works Practical result Simpler, tighter, faster, . . . Further improvements Milder or fewer assumptions 18

  47. Cryptographic Constructions Often Undergo Iterative Improvements Further improvements Milder or fewer assumptions 18

  48. An “Improved” Construction May be Worse in Other Ways If a 1 holds, then C ′ is secure If a 1 and a 2 hold, then C is ? < secure in � ideal model � . in � ideal model � . 19

Recommend

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
Conception of a language for cryptographic reductions L. Ducas, Master Thesis Conception of a

Conception of a language for cryptographic reductions L. Ducas, Master Thesis Conception of a

L. Ducas, Master Thesis Conception of a language 1. Introduction 2 3 4 for cryptographic reductions Supervisor : M. Baudet Presentation Master thesis of Lo Ducas, supervised by Mathieu Baudet (ANSSI). Conception of a language for

521 views • 27 slides
Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de

Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de

Cryptographic applications of codes in rank metric Cryptographic applications of codes in rank metric Pierre Loidreau CELAr and Universit e de Rennes Pierre.Loidreau@m4x.org June 16th, 2009 Cryptographic applications of codes in rank

498 views • 33 slides
Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power

Introduction Arithmetic in GF ( 2 m ) Summary - results, comments, future prospects Arithmetic operators on GF ( 2 m ) for cryptographic applications: performance - power consumption - security tradeoffs Danuta Pamua 17th December 2012

695 views • 32 slides
The Learning with Rounding Problem: Reductions and Applications Alon Rosen IDC Herzliya

The Learning with Rounding Problem: Reductions and Applications Alon Rosen IDC Herzliya

The Learning with Rounding Problem: Reductions and Applications Alon Rosen IDC Herzliya (Thanks: Chris Peikert) Mysore Park Theory Workshop August 15, 2013 1 / 20 Pseudorandom Functions [GGM84] A family F = { F s : { 0 , 1 } k D

1.3k views • 89 slides
Other Related Problems Applications Classification Instance Classification Object Detection +

Other Related Problems Applications Classification Instance Classification Object Detection +

Image Segmentation Goal: Label every pixel with its semantic category * Other Related Problems Applications Classification Instance Classification Object Detection + Localization Segmentation Background Subtraction Cut-and-paste

642 views • 23 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Cryptographic Tools for Privacy, Compliance &amp; Efficiency in Blockchain Applications Fernando

Cryptographic Tools for Privacy, Compliance &amp; Efficiency in Blockchain Applications Fernando

Cryptographic Tools for Privacy, Compliance &amp; Efficiency in Blockchain Applications Fernando Krell, PhD Columbia U. Lead Cryptography Engineer, Findora Public-Ledgers/Blockchains R 1:... R 2:... R 3:... R 4:... ... Append only Database

359 views • 34 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Mining Algorithms for New Applications: Modifying vs. Reductions Sanjoy Dasgupta Russell

Mining Algorithms for New Applications: Modifying vs. Reductions Sanjoy Dasgupta Russell

Mining Algorithms for New Applications: Modifying vs. Reductions Sanjoy Dasgupta Russell Impagliazzo Ragesh Jaiswal Credit: Some of todays slides are due to Miles Jones CSE 101, Spring 2020, Week 2 Algorithm Mining Algorithms

400 views • 35 slides
Cryptographic Hash Functions Cryptographic Hash Functions and their many applications and their

Cryptographic Hash Functions Cryptographic Hash Functions and their many applications and their

Cryptographic Hash Functions Cryptographic Hash Functions and their many applications and their many applications Shai Halevi IBM Research IBM Research Shai Halevi USENIX Security USENIX Security August 2009 August 2009

665 views • 55 slides
Cryptographic Properties and Applications of Bipermutive Cellular Automata Luca Mariot

Cryptographic Properties and Applications of Bipermutive Cellular Automata Luca Mariot

Cryptographic Properties and Applications of Bipermutive Cellular Automata Luca Mariot Dipartimento di Informatica, Sistemistica e Comunicazione, Universit degli Studi Milano - Bicocca, l.mariot@campus.unimib.it Nice, April 16, 2014 Luca

826 views • 56 slides
Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal

Polynomial-time reductions We have seen several reductions: Polynomial-time reductions Informal explanation of reductions: We have two problems, X and Y. Suppose we have a black-box solving problem X in polynomial-time. Can we use the black-box

1.38k views • 32 slides
Classification Classification and Prediction Classification: predict categorical class labels

Classification Classification and Prediction Classification: predict categorical class labels

Classification Classification and Prediction Classification: predict categorical class labels Build a model for a set of classes/concepts Classify loan applications (approve/decline) Prediction: model continuous-valued functions

554 views • 31 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

452 views • 14 slides
Future Cryptographic Requirements from Mobile Applications Chris Mitchell, Kenny Paterson and

Future Cryptographic Requirements from Mobile Applications Chris Mitchell, Kenny Paterson and

Future Cryptographic Requirements from Mobile Applications Chris Mitchell, Kenny Paterson and Vaia Sdralia Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK. Some Trends in Mobile Telecoms &gt;

460 views • 5 slides
Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus

Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus

Reductions So far, two reductions that preserve the CS 611 meaning of a lambda calculus Advanced Programming Languages expression: Andrew Myers ( x e ) ( x e { x / x }) (if x FV e ) Cornell University

359 views • 3 slides
Question Classification II Ling573 NLP Systems and Applications May 6, 2014 Roadmap

Question Classification II Ling573 NLP Systems and Applications May 6, 2014 Roadmap

Question Classification II Ling573 NLP Systems and Applications May 6, 2014 Roadmap Question classification variations: Sequence classifiers Sense information improvements Enhanced Answer Type Inference Using Sequential

464 views • 18 slides
Question Classification Ling573 NLP Systems and Applications April 22, 2014 Roadmap

Question Classification Ling573 NLP Systems and Applications April 22, 2014 Roadmap

Question Classification Ling573 NLP Systems and Applications April 22, 2014 Roadmap Question classification variations: Classification with diverse features SVM classifiers Sequence classifiers Question Classification:

1.14k views • 96 slides
Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions

CS 301 Lecture 20 Reductions Stephen Checkoway April 9, 2018 1 / 17 Reductions Reductions are a way of saying, If problem B can be solved, then problem A can as well 2 / 17 Reductions Reductions are a way of saying, If problem B

640 views • 28 slides
Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot

Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot

University of Milano-Bicocca Department of Informatics, Systems and Communications Open problems in the design of cryptographic applications based on Cellular Automata Luca Mariot luca.mariot@disco.unimib.it Delft June 19, 2018 Context

329 views • 21 slides
Codes with locality: constructions and applications to cryptographic protocols Julien Lavauzelle

Codes with locality: constructions and applications to cryptographic protocols Julien Lavauzelle

Codes with locality: constructions and applications to cryptographic protocols Julien Lavauzelle cole Polytechnique &amp; INRIA Saclay, Universit Paris-Saclay PhD defense 30/11/2018 Outline 1. Codes with locality Locality in coding

1.54k views • 104 slides

More recommend