Provable Security
Introduction
Lawrence Berkeley National Lab, August 2003
David Pointcheval, LIENS-CNRS, Ecole normale supérieure

Summary
• Introduction
• Asymmetric Cryptography
• Computational Assumptions
• Security Proofs
• Encryption and Signature
• Random-Oracle Model
• Conclusion

Cryptography: 3 Goals
• Integrity: Messages have not been altered
• Authenticity: Message-sender relation
• Secrecy: Message is unknown to anybody else

Integrity
To make sure that a message has not been modified (not only accidentally but also intentionally!)

Authentication (1)
To interactively prove his identity

Authentication (2)
• To non-interactively prove his identity as being the sender of the message
• If this proof can even convince a third party: signature

Secrecy
• Store a document
• Send a message so that nobody else can learn any information about it

Cryptography: 3 Periods
• Ancient period: before 1918
• Technical period: between 1919 and 1975
• Paradoxical period: after 1976

Ancient Period
Substitutions and permutations
• Alberti’s cipher disk
• Jefferson’s wheel cipher
Security = Secrecy of the mechanisms

Technical Period
Cipher Machines (Enigma)
Automatism of permutations and substitutions
But there’s no proof of better security!

Paradoxical Period
• Symmetric Cryptography
• Asymmetric Cryptography
One-way Functions ⇒ Security Proofs

Kerckhoffs’ Principles
In 1883, in “La Cryptographie Militaire”, Kerckhoffs wrote:
• the system should be, if not theoretically unbreakable, unbreakable in practice
• corruption of the system should not inconvenience the correspondents
• the key should be memorable without any notes and should be easily changeable
• etc …

General Security Model
• The algorithms are public
• Only a short parameter (the secret key) can be kept secret
Can a scheme be secure?

Two Keys…
Asymmetric Cryptography (Diffie-Hellman 1976)
[Diagram: Alice and Bob; secrecy, authenticity]
Asymmetric Encryption: Bob owns two “keys”
– A public key (encryption $k_e$) ⇒ known by everybody (Alice included), so that anybody can encrypt a message
– A private key (decryption $k_d$) ⇒ known by Bob only, to help him to decrypt

Encryption / Decryption / Attack
• Granted Bob’s public key, Alice can lock the safe, with the message inside (encrypt the message)
• Alice sends the safe to Bob; nobody else can unlock it (impossible to break)
• Excepted Bob, granted his private key (Bob can decrypt)

Encryption Scheme
3 algorithms:
• $\mathcal{K}$ - key generation
• $\mathcal{E}$ - encryption
• $\mathcal{D}$ - decryption
[Diagram: $\omega \to \mathcal{K} \to (k_e, k_d)$; $(m, r) \to \mathcal{E}_{k_e} \to c \to \mathcal{D}_{k_d} \to m$]

Conditional Secrecy
The ciphertext comes from $c = \mathcal{E}_{k_e}(m; r)$
• The encryption key $k_e$ is public
• A unique message $m$ satisfies the relation (with possibly several random $r$)
At least an exhaustive search on $m$ and $r$ can lead to $m$, maybe a better attack!
⇒ unconditional secrecy is impossible
Algorithmic assumptions

Integer Factoring and RSA
• Multiplication/Factorization: One-Way Function
  – $p, q \to n = p \cdot q$ easy (quadratic)
  – $n = p \cdot q \to p, q$ difficult (super-polynomial)
• RSA Function, from $\mathbb{Z}_n$ into $\mathbb{Z}_n$ (with $n = pq$) for a fixed exponent $e$ (Rivest-Shamir-Adleman 1978)
  – $x \to x^e \bmod n$ easy (cubic)
  – $y = x^e \bmod n \to x$ difficult (without $p$ or $q$)
  – $x = y^d \bmod n$ where $d = e^{-1} \bmod \varphi(n)$
[Diagram labels: trapdoor, key, encryption, decryption, difficult to break]

The Discrete Logarithm
• Let $\mathbb{G} = (\langle g \rangle, \times)$ be any finite cyclic group
• For any $y \in \mathbb{G}$, one defines $\mathrm{Log}_g(y) = \min\{x \ge 0 \mid y = g^x\}$
• One-way function
  – $x \to y = g^x$ easy (cubic)
  – $y = g^x \to x$ difficult (super-polynomial)

Any Trapdoor …?
• The Discrete Logarithm is difficult and no information can help!
• The Diffie-Hellman Problem (1976):
  – Given $A = g^a$ and $B = g^b$
  – Compute $DH(A, B) = C = g^{ab}$
Clearly CDH ≤ DL: with $a = \mathrm{Log}_g A$, $C = B^a$

Complexity Estimates
Estimates for integer factoring (Lenstra-Verheul 2000)

Modulus (bits)   Mips-Year (log2)   Operations (in log2)
512              13                 58
1024             35                 80
2048             66                 111
4096             104                149
8192             156                201

Annotations on the slide: “Record, Aug 1999” (at the 512-bit row) and “Milestone”.
Can be used for RSA too
Lower-bounds for DL in $\mathbb{Z}_p^*$

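The reduction CDH ≤ DL stated on the “Any Trapdoor …?” slide can be written out as code: any discrete-logarithm solver, used as a black box, yields a Diffie-Hellman solver at the cost of one query and one exponentiation. This is an added example, not part of the original slides; the toy group (P, Q, G), the exponents and the function names are constructed for illustration, and baby-step giant-step stands in for the DL solver.

```python
from math import isqrt

# Constructed toy group (assumption, far too small for real use):
# G = 4 generates the subgroup of prime order Q = 509 in Z_P^*, P = 2*Q + 1.
P, Q, G = 1019, 509, 4

def dl_oracle(y):
    """Stand-in for a DL solver: Log_g(y) by baby-step giant-step."""
    m = isqrt(Q) + 1
    baby, cur = {}, 1
    for j in range(m):                 # baby steps: table g^j -> j
        baby.setdefault(cur, j)
        cur = cur * G % P
    giant = pow(G, -m, P)              # g^(-m) mod P
    gamma = y % P
    for i in range(m):                 # giant steps: y * g^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant % P
    raise ValueError("y is not in the subgroup generated by g")

def solve_cdh(A, B, dl=dl_oracle):
    """Reduction CDH <= DL: one oracle call, then one exponentiation."""
    a = dl(A)                          # a = Log_g(A)
    return pow(B, a, P)                # C = B^a = g^(ab)

def demo():
    a, b = 123, 456                    # constructed secret exponents
    A, B = pow(G, a, P), pow(G, b, P)  # the public CDH instance
    return solve_cdh(A, B) == pow(G, a * b, P)

if __name__ == "__main__":
    print("CDH solved with one DL query:", demo())
```

The reduction itself never looks inside the solver, so its cost is the solver's cost plus one modular exponentiation.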
Algorithmic Assumptions are necessary
• $n = pq$: public modulus
• $e$: public exponent
• $d = e^{-1} \bmod \varphi(n)$: private
RSA Encryption
• $\mathcal{E}(m) = m^e \bmod n$
• $\mathcal{D}(c) = c^d \bmod n$
If the RSA problem is easy, secrecy is not satisfied: anybody could recover $m$ from $c$

Algorithmic Assumptions are sufficient
Security proofs give the guarantee that the assumption is enough for secrecy:
• if an adversary can break the secrecy
• one can break the assumption
⇒ “reductionist” proof

Proof by Reduction
Reduction of a problem $\mathcal{P}$ to an attack Atk:
• Let $\mathcal{A}$ be an adversary that breaks the scheme
• then $\mathcal{A}$ can be used to solve $\mathcal{P}$
[Diagram: Instance $\mathcal{I}$ of $\mathcal{P}$ → $\mathcal{A}$ → Solution to $\mathcal{I}$]
$\mathcal{P}$ intractable ⇒ scheme unbreakable

Provably Secure Scheme
To prove the security of a cryptographic scheme, one has to make precise
• the algorithmic assumptions
• the security notions to be guaranteed
• a reduction: an adversary can help to break the assumption

Practical Security
Adversary within $t$ ⇒ Algorithm against $\mathcal{P}$ within $t' = T(t)$
• Complexity theory: $T$ polynomial
• Exact Security: $T$ explicit
• Practical Security: $T$ small (linear)

Practical Security
Bad reduction: RSA-FDH
If one forges a new signature within time $t$ after $q$ queries to the signing oracle, one can break RSA within time $t' = q \times t$
Application: $t = 2^{75}$ and $q = 2^{40}$ ⇒ one breaks RSA within time $t' = 2^{115}$
• RSA-512: $t' > 2^{58}$: ✖ no contradiction
• RSA-1024: $t' > 2^{80}$: ✖ no contradiction
• RSA-2048: $t' > 2^{111}$: ✖ no contradiction
• RSA-4096: $t' > 2^{149}$: ✔ CONTRADICTION

Practical Security
Good reduction: RSA-PSS
If one forges a new signature within time $t$ after $q$ queries to the signing oracle, one can break RSA within time $t' = 2 \times t$
Application: $t = 2^{75}$ and $q = 2^{40}$ ⇒ one breaks RSA within time $t' = 2^{76}$
• RSA-512: $t' > 2^{58}$: ✖ no contradiction
• RSA-1024: $t' > 2^{80}$: ✔ CONTRADICTION
⇒ RSA-PSS is provably secure even for classical parameters