Provable Security
Introduction

UCL - Louvain-la-Neuve
Monday, July 8th, 2002

David Pointcheval
LIENS-CNRS
Ecole normale supérieure

Summary
• Introduction
• Asymmetric Cryptography
• Computational Assumptions
• Security Proofs
• Encryption and Signature
• New Assumptions
• New Formalism

Cryptography: 3 Goals
• Integrity: Messages have not been altered
• Authenticity: Message - sender relation
• Secrecy: Message unknown to anybody else

Integrity
To be sure that a message has not been modified (accidentally, but also intentionally!)

Authentication (1)
Interactively prove his identity

Authentication (2)
• Non-interactively prove his identity as the sender of a message
• If this proof can even convince a third party: signature

Secrecy
• Store a document
• Send a message
so that nobody else can learn any information about it

Cryptography: 3 Periods
• Ancient period: until 1918
• Technical period: from 1919 until 1975
• Paradoxical period: from 1976 until

Ancient Period
Substitutions and permutations
Alberti’s cipher disk
Jefferson’s wheel cipher
Security = Secrecy of the Mechanisms

Technical Period
Cipher Machines
Enigma
Automation of permutations and substitutions
But no proof of better security!

Paradoxical Period
• Symmetric Cryptography
• Asymmetric Cryptography
One-way Functions ⇒ Security Proofs

Kerckhoffs’ Principles
In 1883, in “La Cryptographie Militaire”, Kerckhoffs wrote:
• the system should be, if not theoretically unbreakable, unbreakable in practice
• compromise of the system should not inconvenience the correspondents
• the key should be rememberable without notes and should be easily changeable
• etc …

Symmetric Encryption
Encryption Algorithm, $\mathcal{E}$
Decryption Algorithm, $\mathcal{D}$
[Diagram: $m \to \mathcal{E}_k \to c \to \mathcal{D}_k \to m$]
Security = secrecy: impossible to recover $m$ from $c$ only (without $k$)
Security: heuristic

Two Keys…
Asymmetric Cryptography (Diffie-Hellman 1976)
[Diagram: Alice, Bob; secrecy, authenticity]
Asymmetric Encryption: Bob owns two “keys”
– A public key (encryption $k_e$) ⇒ known by everybody (including Alice), so that anybody can encrypt a message for him
– A private key (decryption $k_d$) ⇒ known by Bob only, to help him to decrypt

Encryption / decryption attack
• Granted Bob’s public key, Alice can lock the safe, with the message inside (encrypt the message)
• Alice sends the safe to Bob: no one can unlock it (impossible to break)
• Except Bob, granted his private key (Bob can decrypt)

Encryption Scheme
3 algorithms:
• key generation
• encryption
• decryption
[Diagram: $\omega \to (k_e, k_d)$; $m$, $r$, $k_e \to c$; $c$, $k_d \to m$]

Conditional Secrecy
The ciphertext comes from $c = \mathcal{E}_{k_e}(m; r)$
• The encryption key $k_e$ is public
• A unique $m$ satisfies the relation (with possibly several $r$)
At least exhaustive search on $m$ and $r$ can lead to $m$, maybe a better attack!
⇒ unconditional secrecy impossible
Algorithmic assumptions

Integer Factoring and RSA
• Multiplication/Factorization: One-Way Function
– $p, q \to n = p \cdot q$: easy (quadratic)
– $n = p \cdot q \to p, q$: difficult (super-polynomial)
• RSA Function (Rivest-Shamir-Adleman 1978), from $\mathbb{Z}_n^*$ in $\mathbb{Z}_n^*$ (with $n = pq$), for a fixed exponent $e$
– $x \to x^e \bmod n$: easy (cubic)
– $y = x^e \bmod n \to x$: difficult (without $p$ or $q$)
– $x = y^d \bmod n$ where $d = e^{-1} \bmod \varphi(n)$: trapdoor
[Diagram: encryption, key, decryption; difficult to break]

The RSA Problems
• Let $n = pq$ where $p$ and $q$ are large primes
• The RSA problem: for a fixed exponent $e$
$$\mathrm{Succ}^{\mathrm{rsa}}_{n,e}(\mathcal{A}) = \Pr_{y \in \mathbb{Z}_n^*}\left[\, y = x^e \bmod n \mid \mathcal{A}(y) = x \,\right]$$
• The Flexible RSA problem:
$$\mathrm{Succ}^{\mathrm{fl\text{-}rsa}}_{n}(\mathcal{A}) = \Pr_{y \in \mathbb{Z}_n^*}\left[\, y = x^e \bmod n \mid \mathcal{A}(y) = (x, e) \,\right]$$
with the restriction for $e$ to be prime

The Discrete Logarithm
• Let $\mathcal{G} = (\langle g \rangle, \times)$ be any finite cyclic group
• For any $y \in \mathcal{G}$, one defines $\mathrm{Log}_g(y) = \min\{x \ge 0 \mid y = g^x\}$
• One-way function
– $x \to y = g^x$: easy (cubic)
– $y = g^x \to x$: difficult (super-polynomial)
$$\mathrm{Succ}^{\mathrm{dl}}_{g}(\mathcal{A}) = \Pr_{x \in \mathbb{Z}_q}\left[\, \mathcal{A}(y) = x \mid y = g^x \,\right]$$

Any Trapdoor …?
• The Discrete Logarithm is difficult and no information could help!
• The Diffie-Hellman Problem (1976):
– Given $A = g^a$ and $B = g^b$
– Compute $\mathrm{DH}(A, B) = C = g^{ab}$
Clearly CDH ≤ DL: with $a = \mathrm{Log}_g A$, $C = B^a$
$$\mathrm{Succ}^{\mathrm{cdh}}_{g}(\mathcal{A}) = \Pr_{a, b \in \mathbb{Z}_q}\left[\, \mathcal{A}(A, B) = C \mid A = g^a, B = g^b, C = g^{ab} \,\right]$$

Another DL-based Problem
The Decisional Diffie-Hellman Problem:
• Given $A$, $B$ and $C$ in $\langle g \rangle$
• Decide whether $C = \mathrm{DH}(A, B)$
Clearly DDH ≤ CDH ≤ DL
$$\mathrm{Adv}^{\mathrm{ddh}}_{g}(\mathcal{A}) = \Pr_{a, b, c \in \mathbb{Z}_q}\left[\, \mathcal{A}(A, B, C) = 1 \mid A = g^a, B = g^b, C = g^c \,\right] - \Pr_{a, b \in \mathbb{Z}_q}\left[\, \mathcal{A}(A, B, C) = 1 \mid A = g^a, B = g^b, C = g^{ab} \,\right]$$

Complexity Estimates
Estimates for integer factoring (Lenstra-Verheul 2000)

| Modulus (bits) | Mips-Year (log2) | Operations (in log2) | |
|---|---|---|---|
| 512 | 13 | 58 | Record, Aug 1999 |
| 1024 | 35 | 80 | Mile-stone |
| 2048 | 66 | 111 | |
| 4096 | 104 | 149 | |
| 8192 | 156 | 201 | |

Can be used for RSA too
Lower-bounds for DL in $\mathbb{Z}_p^*$
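
The reductions CDH ≤ DL and DDH ≤ CDH from the two Diffie-Hellman slides, written out as an added example (not part of the original slides): each problem is solved by calling a solver for the harder one as a black box. The group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$), the generator and all function names are assumptions, chosen small enough that a baby-step giant-step search can stand in for the DL solver.

```python
# Added example (not from the slides): toy group, constructed for illustration.
import math
import secrets

P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup <G>
G = 4      # a square mod P, hence a generator of the order-Q subgroup

def dl_oracle(y):
    """Stand-in DL solver (baby-step giant-step); feasible only because Q is tiny."""
    m = math.isqrt(Q) + 1
    baby = {pow(G, j, P): j for j in range(m)}   # G^j for 0 <= j < m
    step = pow(G, -m, P)                         # G^(-m) mod P
    gamma = y
    for i in range(m):
        if gamma in baby:                        # y = G^(i*m + j)
            return (i * m + baby[gamma]) % Q
        gamma = gamma * step % P
    raise ValueError("y is not in <G>")

def cdh_from_dl(A, B, dl):
    """CDH <= DL: with a = Log_g(A), C = B^a."""
    a = dl(A)
    return pow(B, a, P)

def ddh_from_cdh(A, B, C, cdh):
    """DDH <= CDH: recompute DH(A, B) and compare it with the candidate C."""
    return cdh(A, B) == C

def run_chain(trials=200):
    """Check both reductions on random instances; returns (cdh_ok, ddh_ok)."""
    def cdh(A, B):
        return cdh_from_dl(A, B, dl_oracle)
    cdh_ok = ddh_ok = 0
    for _ in range(trials):
        a, b = secrets.randbelow(Q), secrets.randbelow(Q)
        A, B = pow(G, a, P), pow(G, b, P)
        real = pow(G, a * b % Q, P)                       # C = g^(ab)
        c = (a * b + 1 + secrets.randbelow(Q - 1)) % Q    # c != ab mod Q
        rand = pow(G, c, P)                               # C = g^c, not DH(A, B)
        cdh_ok += cdh(A, B) == real
        ddh_ok += ddh_from_cdh(A, B, real, cdh) and not ddh_from_cdh(A, B, rand, cdh)
    return cdh_ok, ddh_ok

if __name__ == "__main__":
    print(run_chain())
```

The converse directions are what the assumptions are about: nothing here turns a DDH or CDH solver into a DL solver.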

Algorithmic Assumptions necessary
RSA Encryption
• $n = pq$: public modulus
• $e$: public exponent
• $d = e^{-1} \bmod \varphi(n)$: private
$\mathcal{E}(m) = m^e \bmod n$
$\mathcal{D}(c) = c^d \bmod n$
If the RSA problem is easy, secrecy is not satisfied: anybody may recover $m$ from $c$
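
The RSA function and its trapdoor, as an added example (not part of the original slides) covering both the "Integer Factoring and RSA" slide and the slide above: the forward direction needs only $(n, e)$, inversion is one exponentiation with $d$, and without $d$ the fallback is the exhaustive search that rules out unconditional secrecy. The primes 1009 and 1013, the exponent 17 and the function names are assumptions; the encryption is deterministic, so there is no randomness $r$ to search over.

```python
# Added example (not from the slides): toy RSA, parameters far too small for real use.
from math import gcd

def keygen(p, q, e):
    """n = p*q is public; d = e^-1 mod phi(n) is the trapdoor and needs p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi(n)")
    return (n, e), pow(e, -1, phi)

def rsa(x, n, e):
    """The RSA function x -> x^e mod n: easy for anybody who knows (n, e)."""
    return pow(x, e, n)

def invert_with_trapdoor(y, n, d):
    """x = y^d mod n: easy for the holder of d."""
    return pow(y, d, n)

def invert_by_search(y, n, e):
    """Without d: try every x. Returns (x, number of candidates tried)."""
    for tried, x in enumerate(range(n), start=1):
        if pow(x, e, n) == y:
            return x, tried
    raise ValueError("no preimage found")

if __name__ == "__main__":
    (n, e), d = keygen(1009, 1013, 17)     # constructed toy key
    c = rsa(424242, n, e)                  # constructed sample message
    print(invert_with_trapdoor(c, n, d))   # one modular exponentiation
    print(invert_by_search(c, n, e))       # cost grows with n, not with log n
```

The search succeeds here only because $n$ has 20 bits; the complexity estimates slide gives the figures for realistic moduli.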

Algorithmic Assumptions sufficient?
Security proofs give the guarantee that the assumption is enough for secrecy:
• if an adversary can break the secrecy
• one can break the assumption
⇒ “reductionist” proof

Proof by Reduction
Reduction of a problem �� to an attack Atk:
• Let be an adversary that breaks the scheme
• then can be used to solve �
[Diagram: Instance � of � → Solution of �]
� intractable ⇒ scheme unbreakable

Provably Secure Scheme
To prove the security of a cryptographic scheme, one has to make precise
• the algorithmic assumptions
• the security notions to be guaranteed
• a reduction: an adversary can help to break the assumption

Practical Security
[Diagram: Adversary within $t$; Algorithm against within $t' = T(t)$]
• Complexity theory: $T$ polynomial
• Exact Security: $T$ explicit
• Practical Security: $T$ small (linear)
Eg: $t' = 4t$
intractable within less than $2^{80}$ operations
⇒ scheme unbreakable within less than $2^{78}$ operations