provable security in cryptography dl based systems ecc
play

Provable Security in Cryptography ----- DL-based Systems ECC - - PDF document

Aug 15, 2022 •103 likes •351 views

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

  1. Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale supérieure France Summary Summary • The Methodology of “Provable Security” • Complexity Assumptions • Encryption • Signature • Conclusions David Pointcheval Provable Security in Cryptography - 2

  2. Provable Security in Cryptography ----- DL-based Systems Provable Security David Pointcheval Ecole normale supérieure France Provable Security Security: a : a Short Short Story Story Provable • Originated in the late 80’s – encryption [GM86] – signature [GMR88] • Increased applicability using ideal substitutes – random oracles vs hash functions [FS86, BR93] – generic groups vs elliptic curves [Na94,Sh97] – ideal ciphers vs block ciphers [BPR EC’00] • Now requested to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE) David Pointcheval Provable Security in Cryptography - 4

  3. The Need for Provable Security The Need for Provable Security • “Textbook” cryptosystems cannot be used as such (homomorphic properties, …) • Practitioners need formatting rules to ensure interoperability ⇒ Paddings are used in practice: heuristic – PKCS#1 V 1.5 - Encrypt [Bl98] ������� – PKCS#1 V 2.0 - Encrypt [Ma01] – ISO 9796-1 - Signature [CNS99, CHJ99] David Pointcheval Provable Security in Cryptography - 5 The Limits Limits of of Provable Provable Security Security The • Provable security does not yield proofs – proofs are relative (to computational assumptions) – proofs often use ideal models (ROM, ICM, GM) Meaning is debatable - ROM [CGH98] - GM [SPMS C’02] – proofs are not formal objects Time is needed for acceptance. • Still, provable security is a means to provide some form of guarantee that a scheme is not flawed David Pointcheval Provable Security in Cryptography - 6

  4. Provable Security Security Provable 1 - Define goal of adversary 2 - Define security model 3 - Define complexity assumptions 4 - Provide a proof by reduction 5 - Check proof 6 - Interpret proof David Pointcheval Provable Security in Cryptography - 7 Proof by Reduction Reduction Proof by to an attack Atk : Reduction of a problem • Let be an adversary that breaks the scheme then can be used to solve Instance of Solution of intractable ⇒ scheme unbreakable David Pointcheval Provable Security in Cryptography - 8

  5. ✂ � ✁ � � � Provable Security in Cryptography ----- DL-based Systems Assumptions David Pointcheval Ecole normale supérieure France Integer Factoring and RSA Integer Factoring and RSA • Multiplication/Factorization : One-Way n = p.q easy (quadratic) – p, q Function – n = p.q p, q difficult (super-polynomial) • RSA Function, from n (with n=pq ) n in for a fixed exponent e Rivest-Shamir-Adleman ‘78 x e mod n easy (cubic) � – x � � � � � � � � � � – y=x e mod n x difficult (without p or q ) x = y d mod n where d = e -1 mod ϕ ( n ) trapdoor [ ] = = = e y x y x n Succ rsa ( ) Pr ( ) mod n e , x ∈ n David Pointcheval Provable Security in Cryptography - 10

  6. � The Discrete Logarithm The Discrete Logarithm • Let � = (< g >, × ) be any finite cyclic group • For any y ∈ � , one defines Log g ( y ) = min{ x ≥ 0 | y = g x } • One-way function → y = g x – x easy (cubic) – y = g x → x difficult (super-polynomial) [ ] � � = = = x y x y g Succ dl ( ) Pr ( ) g � ∈ x q David Pointcheval Provable Security in Cryptography - 11 Any Trapdoor …? Any Trapdoor …? • The Discrete Logarithm is difficult and no information could help! • The Diffie-Hellman Problem (1976): • Given A=g a and B=g b • Compute DH ( A,B ) = C=g ab Clearly CDH ≤ DL: with a =Log g A , C=B a [ ] = = = a = b = ab A B C A g B g C g cdh Succ ( ) Pr ( , ) , , g ∈ a b , q David Pointcheval Provable Security in Cryptography - 12

  7. Other DL-based DL-based Problems Problems Other The Decisional Diffie-Hellman Problem : • Given A, B and C in <g> • Decide whether C = DH ( A,B ) The Gap Diffie-Hellman Problem : Okamoto-Pointcheval PKC‘01 Solve the computational problem, with access to a decisional oracle Weak curves: DDH is easy, because of pairing, then GDH=CDH David Pointcheval Provable Security in Cryptography - 13 Complexity Estimates Complexity Estimates Estimates for integer factoring [LV PKC’00] Modulus Mips-Year Operations (bits) ( log 2 ) (en log 2 ) 512 13 58 Mile-stone 1024 35 80 2048 66 111 4096 104 149 8192 156 201 Can be used for RSA too * Lower-bounds for DL in p David Pointcheval Provable Security in Cryptography - 14

  8. Provable Security in Cryptography ----- DL-based Systems Encryption David Pointcheval Ecole normale supérieure France Encryption Scheme Encryption Scheme 3 algorithms : • - key generation • - encryption • - decryption k d k e m c m or ⊥ r OW-Security: it is impossible to get back m just from c , k e , (without k d ) and David Pointcheval Provable Security in Cryptography - 16

  9. Weaker Goals of Adversary Weaker Goals of Adversary • Perfect Secrecy: the ciphertext and public data do not reveal any information about the plaintext (but maybe the size) Information Theoretical sense ⇒ Impossible • Semantic Security (Indistinguishability): no polynomial adversary can learn any information about the plaintext from the IND ciphertext and public data (but the size) David Pointcheval Provable Security in Cryptography - 17 Security Models Security Models • Chosen Plaintext: (basic scenario) in the public-key setting, any adversary can get the encryption of any plaintext of his CPA choice (by encrypting it by himself) • Chosen Ciphertext (adaptively): the adversary has furthermore access to a decryption oracle which decrypts CCA2 any ciphertext of his choice, but the specific challenge David Pointcheval Provable Security in Cryptography - 18

  10. � � IND-CCA2 IND-CCA2 k e k d c CCA1 b ∈ {0,1} m 0 m or ⊥ r random m 1 � m b c * c ≠ c * r CCA2 m or ⊥ ? b’ = b b’ David Pointcheval Provable Security in Cryptography - 19 Main Security Notions Main Security Notions • IND-CCA2: (the strongest - [BDPR C’98] )   k ← m m s ( , , ) ( ) − = m m c s b e 2 Pr 1 ( , , , )  0 1 1  ← c m r 2 0 1 ( , )   r b b , = Advantage negligible • OW-CPA: (the weakest) [ ] = = c m c m;r Pr ( ) ( ) = Success negligible m r , David Pointcheval Provable Security in Cryptography - 20

  11. Practical Cryptosystems Practical Cryptosystems • Integer Factoring-based: RSA [RSA78] – OW-CPA = RSA (modular e -th roots) – IND ? No, because of determinism – CCA2 ? No, because of multiplicativity • DL-based: El Gamal [EG85] – OW-CPA = CDH – IND-CPA = DDH – CCA2 ? No, because of multiplicativity David Pointcheval Provable Security in Cryptography - 21 Generic Conversions Generic Conversions • Any trapdoor one-way function leads to a OW-CPA cryptosystem • But OW-CPA not enough • How to reach IND-CCA2 ? ⇒ generic conversions from weakly secure schemes to strongly secure cryptosystems David Pointcheval Provable Security in Cryptography - 22

  12. � OAEP OAEP Bellare Bellare- -Rogaway Rogaway EC‘ EC‘94 94 Let f be a trapdoor one-way permutation, with G → {0,1} n and H → {0,1} s M M = m ||0 k G H r random r t � ( m,r ) : Compute s,t then return c=f ( s || t ) � ( c ) : Compute s || t = f -1 ( c ), invert OAEP, then check redundancy David Pointcheval Provable Security in Cryptography - 23 OAEP: Security Level OAEP: Security Level In 1994, Bellare and Rogaway proved that • the OAEP construction provides an IND-CPA cryptosystem under the OW of f • it is plaintext-aware (PA94) Widely believed: IND-CPA + PA94 ⇒ IND-CCA2 But IND-CPA + PA94 ⇒ IND-CCA1 only We improved PA94 into PA98 [BDPR C’98] IND-CPA + PA98 ⇒ IND-CCA2 But… PA98 of OAEP never studied David Pointcheval Provable Security in Cryptography - 24

  13. OAEP: Security Level OAEP: Security Level Until 2000, OAEP was anyway believed to provide an IND-CCA2 cryptosystem under the OW of f But Shoup showed a counter-example [Sh C’01] A stronger assumption about f is required: under the partial-domain OW of f , OAEP provides an IND-CCA2 cryptosystem [FOPS C’01] OW: f ( x ) → x hard PD-OW: f ( x , y ) → x hard David Pointcheval Provable Security in Cryptography - 25 RSA- -OAEP: Interpretation OAEP: Interpretation RSA ( ) ( ) ind ≤ × + + t t q q q k rsa 3 Adv ( ) 2 Succ 2 2 n e H G H , Security bound: 2 75 , and 2 55 hash queries If one can break the scheme within time T , one can invert RSA within time T’ ≤ 2 T + 2 q H (2 q G + q H ) k 3 ≤ 2 × 2 75 + 6 × 2 110 k 3 < 2 113 k 3 modulus: 1024 bits → 2 143 ( NFS : 2 80 ) ✕ 2048 bits → 2 146 ( NFS : 2 111 ) ✕ 4096 bits → 2 149 ( NFS : 2 149 ) ✓ David Pointcheval Provable Security in Cryptography - 26

Recommend

Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable

Cryptography Game-based Proofs Assumptions BLS Signature BF IB-Encryption Conclusion Outline Security Proofs 1 Cryptography Introduction using the Game-based Methodology Provable Security Game-based Methodology 2 Game-based Approach

345 views • 12 slides
Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with Florian Bergsma, Katriel Cohn-Gordon, Cas Cremers, Ben Dowling, Marc Fischlin, Felix Gnther, Luke Garratt, Florian Kohlar, Jrg Schwenk Funding

899 views • 72 slides
Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs

Cryptography Game-based Proofs Assumptions BF IB-Encryption Conclusion Outline The Game-based Methodology 1 Cryptography for Computational Security Proofs Introduction Provable Security David Pointcheval 2 Game-based Methodology

722 views • 10 slides
Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange

Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange

Cryptography Provable Security Encryption Assumptions Security of Communications What Can Cryptography Guarantee? One ever wanted to exchange information securely Que peut nous garantir la cryptographie ? With the all-digital world, security

190 views • 4 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Outline Review of RSA 1 CPSC 418/MATH 318 Introduction to Cryptography More on RSA,

Outline Review of RSA 1 CPSC 418/MATH 318 Introduction to Cryptography More on RSA,

Outline Review of RSA 1 CPSC 418/MATH 318 Introduction to Cryptography More on RSA, Probabilistic Encryption, Provable Security Against Efficiency of RSA 2 Passive Attacks Security of RSA 3 Mathematical Security of RSA Renate Scheidler

410 views • 7 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of

Tweaking Code-Based Cryptography for Embedded Systems DIMACS Workshop on The Mathematics of Post-Quantum Cryptography Tim Gneysu, Ingo von Maurich 1/12/2015 Horst Grtz Institute for IT-Security, Ruhr-Universitt Bochum, Germany Motivation

920 views • 70 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Probability in Cryptography Two Tools: H-Coefficient and 2 Some Constructions and Applications Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK Workshop, Changsha 10 Dec. 2017 1 / 72

1.48k views • 71 slides
Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago &amp; Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

623 views • 9 slides
Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval

Provable Security Introduction UCL - Louvain-la-Neuve Monday, July 8th, 2002 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions

666 views • 40 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Security in Distributed Systems Introduction Cryptography Authentication Key

Security in Distributed Systems Introduction Cryptography Authentication Key

Security in Distributed Systems Introduction Cryptography Authentication Key exchange Computer Science Lecture 18, page 1 Network Security Intruder may eavesdrop remove, modify, and/or insert messages read and

361 views • 11 slides
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography

Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1 Tennodai, Tsukuba Ibaraki, 305-8573,

896 views • 58 slides
T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP

T-79.159 Cryptography and Data Security Lecture 11: Security systems using public keys 11.1 PGP Kaufman et al: Ch 17, 11.2 SSL/TLS 18, 19 11.3 IPSEC Stallings: Ch 16,17 1 Pretty Good Privacy Email encryption program

566 views • 8 slides
Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111

Security for Operating Systems: Cryptography, Authentication, and Protecting OS Resources CS 111 Operating Systems Peter Reiher Lecture 18 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for

1.06k views • 62 slides
Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with

Sponge-based PRNGs A Provable Security Perspective Stefano Tessaro UCSB Base on joint work with Peter Gai (IST Austria) wr0ng Paris, April 30, 2017 The Sponge Construction [BDP V A08] M {0,1}* M 1 M 2 M L r-bit blocks: r 0 H (M)

820 views • 42 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size &amp; speed

1.39k views • 97 slides
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit

Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks Benoit Cogliati Yevgeniy Dodis Jonathan Katz Jooyoung Lee John Steinberger John Steinberger Aishwarya Thiruvengadam Aishwarya Thiruvengadam Zhe Zhang

1.03k views • 41 slides

More recommend