on the impossibility of tight cryptographic reduc ons
play

On the Impossibility of Tight Cryptographic Reduc:ons Christoph - PowerPoint PPT Presentation

Oct 27, 2022 •350 likes •835 views

On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven Schge Ruhr-University Bochum EUROCRYPT 2016 1 Tight Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient a/acker A

  1. On the Impossibility of Tight Cryptographic Reduc:ons Christoph Bader, Tibor Jager, Yong Li, Sven Schäge Ruhr-University Bochum EUROCRYPT 2016 1

  2. “Tight” Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient a/acker A implies efficient algorithm R that solves a “hard” problem P pk m i s i Q :mes (m*,s*) Adversary A 2

  3. “Tight” Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient adversary A implies efficient algorithm R that solves a “hard” problem P Reduc:on R Instance of P pk m i s i Q :mes (m*,s*) Solu:on Adversary A 3

  4. “Tight” Cryptographic Reduc:ons 1. Define a security model 2. Prove: efficient adversary A implies efficient algorithm R that solves a “hard” problem P Reduc:on R Instance of P pk m i s i Q :mes (m*,s*) Solu:on Adversary A Reduc:on R is :ght , if t R ≈ t A and succ R ≈ succ A 4

  5. Why is :ght security interes:ng? • Do schemes with :ght security exist ? – Inherent :ghtness lower bounds? • Tightness has impact on theore:cally- sound selec:on of parameters – “Non-:ght“ reduc:on => large parameters – Tight reduc:on => smaller parameters 5

  6. Why is :ght security interes:ng? • Do schemes with :ght security exist ? – Inherent :ghtness lower bounds? • Relevant for theore:cally-sound selec:on of parameters – “Non-:ght“ reduc:on � large parameters – Tight reduc:on � smaller parameters 6

  7. Many Tightly-Secure Cryptosystems Digital Signatures Iden:ty-based Encryp:on Katz-Wang (CCS 2003) Chen, Wee (Crypto 2013) • • Schäge (Eurocrypt 2011) Blazy, Kiltz, Pan (Eurocrypt 2014) • • ... ... • • Pseudorandom Func:ons Public-Key Encryp:on Naor-Reingold (FOCS 1997) Bellare, Boldyreva, Micali (Eurocrypt 2000) • • Lewko-Waters (CCS 2009) Hoeeinz, Jager (Crypto 2012) • • Jager (ePrint 2016) Gay, Hoeeinz, Kiltz, Wee (Eurocrypt 2016) • • ... (best paper) • ... • Key Exchange Bader, Hoeeinz, Jager, Kiltz, Li (TCC 2015) • 7

  8. Many Tightly-Secure Cryptosystems Digital Signatures Iden:ty-based Encryp:on Katz-Wang (CCS 2003) Chen, Wee (Crypto 2013) • • Schäge (Eurocrypt 2011) Blazy, Kiltz, Pan (Eurocrypt 2014) • • ... ... • • Pseudorandom Func:ons Public-Key Encryp:on Naor-Reingold (FOCS 1997) Bellare, Boldyreva, Micali (Eurocrypt 2000) • • Lewko-Waters (CCS 2009) Hoeeinz, Jager (Crypto 2012) • • Jager (ePrint 2016) Gay, Hoeeinz, Kiltz, Wee (Eurocrypt 2016) • • ... (best paper) • ... • Key Exchange Bader, Hoeeinz, Jager, Kiltz, Li (TCC 2015) • Which proper:es must a cryptosystem (not) have to allow for a :ght security proof? 8

  9. Coron‘s Result* (1/2) (Eurocrypt 2002) • Digital signatures pk – single-user selng m i – unique signatures** Q :mes s i (m*,s*) * see also Kakvi and Kiltz, Eurocrypt 2012 9 ** generalized to re-randomizable signatures by Hoeeinz et al., PKC 2012

  10. Coron‘s Result* (1/2) (Eurocrypt 2002) • Digital signatures pk – single-user selng m i – unique signatures** Q :mes s i (m*,s*) Result: If a signature scheme has unique signatures , then any security reduc:on “loses” a factor of at least 1/Q. * see also Kakvi and Kiltz, Eurocrypt 2012 10 ** generalized to re-randomizable signatures by Hoeeinz et al., PKC 2012

  11. Coron‘s Result (2/2) (Eurocrypt 2002) Reduc:on R Instance of P pk m i s i Q :mes (m*,s*) Solu:on 11

  12. Coron‘s Result (2/2) (Eurocrypt 2002) Meta-Reduc:on M Reduc:on R Instance of P Instance of P pk Simula:on of m i Adversary A s i Q :mes (m*,s*) Solu:on Solu:on 12

  13. Coron‘s Result (2/2) (Eurocrypt 2002) Meta-Reduc:on M Reduc:on R Instance of P Instance of P pk Simula:on of m i Adversary A s i Q :mes (m*,s*) Solu:on Solu:on Coron shows: If a signature scheme has unique signatures , then any reduc:on R implies an algorithm M that solves P • In :me t M ≈ t R ◆ − 1 ✓ Q ✏ M ≥ ✏ R − 1 • With Q · 1 − | MsgSpace | 13

  14. Coron‘s Result (2/2) (Eurocrypt 2002) Meta-Reduc:on M Reduc:on R Instance of P Instance of P pk Simula:on of m i Adversary A s i Q :mes (m*,s*) Solu:on Solu:on Coron shows: If a signature scheme has unique signatures , then any reduc:on R implies an algorithm M that solves P “Annoying term” • In :me t M ≈ t R ◆ − 1 ✓ Q ✏ M ≥ ✏ R − 1 • With Q · 1 − | MsgSpace | 14

  15. Limita:ons of Coron‘s Technique • Restricted but reasonable class of reduc:ons: – Treat adversary A as a black-box – Few advanced capabili:es (e.g. seq. rewinding) • Rela:vely complex analysis 15

  16. Limita:ons of Coron‘s Technique • Restricted but reasonable class of reduc:ons: – Treat adversary A as a black-box – Few advanced capabili:es (e.g. seq. rewinding) • Rela:vely complex analysis ◆ − 1 ✓ Q ✏ M ≥ ✏ R − 1 “Annoying term” Q · 1 − | MsgSpace | • Only useful in selngs where Q << |MsgSpace| – Acceptable for [C`02, KK`12, HJK`12] – Makes applica:on to other sePngs difficult 16

  17. Mul:-User Security of Signatures • A receives N public keys pk 1 , ..., pk N • Q signature queries • Corrupt N-1 users • Goal: :ght security in – Number of signatures Q (m*,s*) – Number of public keys N 17

  18. Mul:-User Security of Signatures • A receives N public keys pk 1 , ..., pk N (m i , j) • Q signature queries s i • Corrupt N-1 users • Goal: :ght security in – Number of signatures Q (m*,s*) – Number of public keys N 18

  19. Mul:-User Security of Signatures • A receives N public keys pk 1 , ..., pk N (m i , j) • Q signature queries s i • Corrupt N-1 users j • Goal: :ght security in sk j – Number of signatures Q (m*,s*) – Number of public keys N 19

  20. Mul:-User Security of Signatures • A receives N public keys pk 1 , ..., pk N (m i , j) • Q signature queries s i • Corrupt N-1 users j • Desired: :ght security in sk j – Number of signatures Q (m*,s*) – Number of public keys N 20

  21. Mul:-User Security of Signatures • A receives N public keys pk 1 , ..., pk N (m i , j) • Q signature queries s i • Corrupt N-1 users j • Desired: :ght security in sk j – Number of signatures Q (m*,s*) – Number of public keys N Single-user security � mul:-user security But the reduc:on is not :ght , loses a factor 1/N 21

  22. Applying Coron’s technique to the mul:-user selng • To show that this loss is impossible to avoid: ✏ M ≥ ✏ R − 1 N • Applying [Coron 2002], we get 22

  23. Applying Coron’s technique to the mul:-user selng • To show that this loss is impossible to avoid: ✏ M ≥ ✏ R − 1 N • Applying [Coron 2002], we get ◆ − 1 ✓ ✏ M ≥ ✏ R − 1 1 − N − 1 N · N 23

  24. Applying Coron’s technique to the mul:-user selng • To show that this loss is impossible to avoid: ✏ M ≥ ✏ R − 1 N • Applying [Coron 2002], we get Equal to N ◆ − 1 ✓ ✏ M ≥ ✏ R − 1 1 − N − 1 N · N Trivial bound , because of the “annoying term” 24

  25. Our approach Goal: Prove that 1/N-loss is impossible to avoid 1. Define a weaker security defini:on – Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons! 2. New meta-reduc:on technique – No “annoying term” – Weakness of security defini:ons enables simple and clean analysis 3. Generalize this technique to other primi:ves 25

  26. Our approach Goal: Prove that 1/N-loss is impossible to avoid 1. Define a weaker security defini:on – Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons! 2. New meta-reduc:on technique – No “annoying term” – Weakness of security defini:ons enables simple and clean analysis 3. Generalize this technique to other primi:ves 26

  27. Weak Mul:-User Security pk 1 , ..., pk N • A receives N public keys • Corrupt users j • Signature queries sk i for i≠j • A has to compute sk j sk j 27

  28. Weak Mul:-User Security pk 1 , ..., pk N • A receives N public keys • Corrupt users j • Signature queries sk i for i≠j • A has to compute sk j sk j No :ght security proof for “weak” security � No :ght security proof for any “stronger” no:on 28

  29. Weak Mul:-User Security pk 1 , ..., pk N • A receives N public keys • Corrupt users j • Signature queries sk i for i≠j • A has to compute sk j sk j No :ght security proof for “weak” security � No :ght security proof for any “stronger” no:on Makes sense for any public-key scheme! 29

  30. Our approach Goal: Prove that 1/N-loss is impossible to avoid 1. Define a weaker security defini:on – Counterintui:ve: Should be more difficult to prove impossibility of :ght reduc:ons! 2. New meta-reduc:on technique – No “annoying term” – Weakness of security defini:ons enables simple and clean analysis 3. Generalize this technique to other primi:ves 30

  31. Our result ◆ − 1 ✓ ✏ M ≥ ✏ R − 1 1 − N − 1 N · N • Restricted but reasonable class of reduc:ons: – Use adversary A as a black-box – Few advanced capabili:es (e.g. seq. rewinding) • Rela:vely simple analysis 31

  32. Tightness Bound: Intui:on Reduc:on R pk 1 , ..., pk N Instance of P j sk i for i≠j sk j Solu:on 32

  33. Tightness Bound: Intui:on Reduc:on R pk 1 , ..., pk N Instance of P j sk i for i≠j sk j Solu:on 1. Only one index j such that R can output sk i for all i≠j � R not :ght! 2. More than one j � P not “hard”! 33

Recommend

Circumventing Impossibility Partial Synchrony Circumventing Impossibility Consensus is an

Circumventing Impossibility Partial Synchrony Circumventing Impossibility Consensus is an

Circumventing Impossibility Partial Synchrony Circumventing Impossibility Consensus is an important building block for fault-tolerant computing Universal: any deterministic fault-tolerant service can be implemented on top of it

349 views • 12 slides
The Northeastern U.S. Energy Future An 80% Reduc;on in

The Northeastern U.S. Energy Future An 80% Reduc;on in

The Northeastern U.S. Energy Future An 80% Reduc;on in GHG Emissions by 2050 Sandy TaC Director Environmental &amp; Sustainability Policy

322 views • 8 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
A Tight Lower Bound for Entropy Flattening Yi-Hsiu Chen 1 os 1 Salil Vadhan 1 Jiapeng Zhang 2 Mika

A Tight Lower Bound for Entropy Flattening Yi-Hsiu Chen 1 os 1 Salil Vadhan 1 Jiapeng Zhang 2 Mika

A Tight Lower Bound for Entropy Flattening Yi-Hsiu Chen 1 os 1 Salil Vadhan 1 Jiapeng Zhang 2 Mika G o 1 Harvard University, USA 2 UC San Diego, USA June 23, 2018 1 / 18 Agenda 1 Problem Definition / Model 2 Cryptographic Motivations 3

627 views • 46 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
The Impossibility of a Paretian Liberal Christian Geist Project: Modern Classics in Social Choice

The Impossibility of a Paretian Liberal Christian Geist Project: Modern Classics in Social Choice

The Author Setting, Definitions and Conditions Sen s Impossibility Theorem and Proof Critique and Ways Out Conclusion The Impossibility of a Paretian Liberal Christian Geist Project: Modern Classics in Social Choice Theory Institute

1.98k views • 15 slides
Quan%fying Impacts of Emission Reduc%ons on Environmental Jus%ce and Human Health in a

Quan%fying Impacts of Emission Reduc%ons on Environmental Jus%ce and Human Health in a

Quan%fying Impacts of Emission Reduc%ons on Environmental Jus%ce and Human Health in a Metropolitan Area Robyn Chatwin-Davies, Amir Hakami &amp; Adjoint Development Team Introduc%on Globally, ambient par?culate maBer (PM) pollu?on

424 views • 21 slides
Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr,

Test-Case Reduc-on for C Compiler Bugs John Regehr, Yang Chen, Pascal Cuoq, Eric Eide, Chucky Ellison, Xuejun Yang Background: Csmith [PLDI

797 views • 48 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
An Impossibility Theorem Seminar Algorithms Kevin Chang Eindhoven University of Technology June

An Impossibility Theorem Seminar Algorithms Kevin Chang Eindhoven University of Technology June

An Impossibility Theorem Seminar Algorithms Kevin Chang Eindhoven University of Technology June 19, 2018 Contents Motivation Definitions The Impossibility Theorem Centroid-Based Clustering and Consistency Relaxing the Properties Table of

1.08k views • 96 slides
SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound

SVMpAUC-tight: A new algorithm for optimizing partial AUC based on a tight convex upper bound Harikrishna Narasimhan and Shivani Agarwal Department of Computer Science and Automation Indian Institute of Science, Bangalore Receiver Operating

1.12k views • 90 slides
How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic

Department of Informatics Security and Privacy Maximilian Blochberger How to prevent cryptographic pitfalls by design February 3, 2019 How to prevent cryptographic pitfalls by design Goal Raise awareness of cryptographic misuse Disclaimer

910 views • 29 slides
Quan%fying Co-benefits of CO 2 Emission Reduc%ons in Canada and the United States: An Adjoint

Quan%fying Co-benefits of CO 2 Emission Reduc%ons in Canada and the United States: An Adjoint

1 Quan%fying Co-benefits of CO 2 Emission Reduc%ons in Canada and the United States: An Adjoint Sensi%vity Analysis Marjan Soltanzadeh, Amanda Pappin, Shunliu Zhao, Amir Hakami (Carleton University); MaA D. Turner, and Daven K. Henze (University

538 views • 33 slides
ADVOCATING FOR THE WORKING POOR Maxim imiz izing ing Income ome and Reduc ucing ing Expens

ADVOCATING FOR THE WORKING POOR Maxim imiz izing ing Income ome and Reduc ucing ing Expens

ADVOCATING FOR THE WORKING POOR Maxim imiz izing ing Income ome and Reduc ucing ing Expens enses es Julie McCormack, Amanda Montel, Gina Plata-Nino MARCH 4, 2020 1 Increasin sing Income me OBJECTIVES: Basic understanding of

751 views • 45 slides
Tight Gas in the Netherlands A Study Proposal EBN Exploration Day 23 May 2016 1 1 Why a

Tight Gas in the Netherlands A Study Proposal EBN Exploration Day 23 May 2016 1 1 Why a

Tight Gas in the Netherlands A Study Proposal EBN Exploration Day 23 May 2016 1 1 Why a Tight Gas Study Proposal The Netherlands contains circa 50 discoveries with about 100 200 bcm undevelopped gas in tight reservoirs Several

726 views • 5 slides
Community Emissi Community Emissions R ons Reduc eduction tion Pr Program ogram (CE (CERP)

Community Emissi Community Emissions R ons Reduc eduction tion Pr Program ogram (CE (CERP)

Ci City ty of Sha of Shafter er Community Emissi Community Emissions R ons Reduc eduction tion Pr Program ogram (CE (CERP) RP) De Development elopment Updated emission reduction and exposure reduction strategies for Committee

1.42k views • 88 slides
Chapter 2 Tight-frames An Introduction 1 Outline 1. Tight-frame 1. Tight-frame 2. Matrix

Chapter 2 Tight-frames An Introduction 1 Outline 1. Tight-frame 1. Tight-frame 2. Matrix

Chapter 2 Tight-frames An Introduction 1 Outline 1. Tight-frame 1. Tight-frame 2. Matrix Representation 2. Matrix Representation 2 1 Tight Frames 3 Construction of Haar Wavelet = + 4 2 Construction of Haar Wavelet 5 Construction

450 views • 16 slides
Disjoint-Access Parallelism: Impossibility, Possibility, and Cost of

Disjoint-Access Parallelism: Impossibility, Possibility, and Cost of

Disjoint-Access Parallelism: Impossibility, Possibility, and Cost of Transactional Memory Implementations Sebastiano Peluso 1 , Roberto Palmieri 1 , Paolo Romano 2 , Binoy Ravindran 1 and Francesco Quaglia 3 3 1 2

412 views • 26 slides
Consensus and Its Impossibility in Asynchronous Systems A Few Questions from Protocols We

Consensus and Its Impossibility in Asynchronous Systems A Few Questions from Protocols We

Consensus and Its Impossibility in Asynchronous Systems A Few Questions from Protocols We studied Was it necessary to assume that a node can detect failure of other nodes? What if we could not do that in a system? E.g., if delays

366 views • 22 slides
Termination Impossibility of any infinite sequence G 0 R G 1 R G 2 R . . . given a

Termination Impossibility of any infinite sequence G 0 R G 1 R G 2 R . . . given a

Modular Termination of Graph Transformation 1 Detlef Plump University of York, UK 1 In Graph Transformation, Specifications, and Nets: In Memory of Hartmut Ehrig . LNCS 10800, Springer, 2018 Termination Impossibility of any infinite sequence

215 views • 17 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Certificate of impossibility of Hilbert-Artin representation of given degree for definite

Certificate of impossibility of Hilbert-Artin representation of given degree for definite

Certificate of impossibility of Hilbert-Artin representation of given degree for definite polynomials and functions Feng Guo Key Laboratory of Mathematics Mechanization Chinese Academy of Sciences, Beijing North Carolina State University

568 views • 30 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803

New cryptographic goals Data privacy is not the only important cryptographic goal CS 4803 It is also important that a receiver is assured Computer and Network Security that the data it receives has come from the sender and has not been

617 views • 5 slides

More recommend