the fundamental goal of provable security d j bernstein
play

The fundamental goal of provable security D. J. Bernstein - PDF document

Sep 24, 2022 •528 likes •623 views

The fundamental goal of provable security D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Lets focus on what provable security is trying to do. Lets not get distracted by current

  1. The fundamental goal of “provable security” D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Let’s focus on what “provable security” is trying to do. Let’s not get distracted by current obstacles: proof errors, looseness, limited models, etc. Surely these can all be fixed. Let’s look at an example ✿ ✿ ✿

  2. Chaum–van Heijst–Pfitzmann, Crypto 1991: choose ♣ sensibly; define ❈ ( ①❀ ② ) = 4 ① 9 ② mod ♣ for suitable ranges of ① and ② . Simple, beautiful, structured. Very easy security reduction: finding ❈ collision implies computing a discrete logarithm.

  3. Chaum–van Heijst–Pfitzmann, Crypto 1991: choose ♣ sensibly; define ❈ ( ①❀ ② ) = 4 ① 9 ② mod ♣ for suitable ranges of ① and ② . Simple, beautiful, structured. Very easy security reduction: finding ❈ collision implies computing a discrete logarithm. Typical exaggerations: ❈ is “provably secure”; ❈ is “cryptographically collision-free”; “security follows from rigorous mathematical proofs”.

  4. This is very bad cryptography. Horrible security for its speed. Far worse security record than “unstructured” compression- function designs such as BLAKE.

  5. This is very bad cryptography. Horrible security for its speed. Far worse security record than “unstructured” compression- function designs such as BLAKE. How did we figure this out? Cryptanalysis! Security losses in ❈ include 1922 Kraitchik (index calculus); 1986 Coppersmith–Odlyzko– Schroeppel (NFS predecessor); 1993 Gordon (general DL NFS); 1993 Schirokauer (faster NFS); 1994 Shor (quantum poly time).

  6. A security reduction can be a useful guide to cryptanalysts : “to attack ❈ , focus on DL.”

  7. A security reduction can be a useful guide to cryptanalysts : “to attack ❈ , focus on DL.” But if you advertise the “provable security” of ❈ to cryptographic users then you’re a snake-oil salesman. “Provable security” has very little correlation with actual security, maybe even negative correlation: ❈ ’s structure helps the proof but also helps attackers . “If it’s provably secure, it’s probably not” —Lars Knudsen

  8. Not everyone agrees: “The only reasonable approach is to construct cryptographic systems with the objective of being able to give security reductions.” —Ivan Damg˚ ard

  9. Not everyone agrees: “The only reasonable approach is to construct cryptographic systems with the objective of being able to give security reductions.” —Ivan Damg˚ ard This approach produces papers but does not produce security. From a security perspective, the only reasonable objective is to construct cryptographic systems that will survive cryptanalysis . Users should select cryptographic systems based on cryptanalysis .

Recommend

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal

Another Look at Provable Security Alfred Menezes (joint work with Sanjit Chatterjee, Neal Koblitz, Palash Sarkar) EUROCRYPT 2012 1 Provable security Goal: To prove that a protocol P is secure with respect to a computational problem or

1.32k views • 91 slides
Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher

Bart Preneel September 2007 Cryptographic Algorithm Engineering and Provable Security Outline Cryptographic Algorithm Engineering and Provable Security Crypto refresher Basic concepts Foundations of Security Analysis and

958 views • 31 slides
Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de

Introduction to Provable Security Introduction to Provable Security Alejandro Hevia Dept. of Computer Science, Universidad de Chile Advanced Crypto School, Florian opolis October 17, 2013 1/77 Introduction to Cryptography Part I

1.15k views • 99 slides
Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David

Provable Security in Cryptography ----- DL-based Systems ECC - Sept 24th 2002 - Essen David Pointcheval Ecole normale suprieure France Summary Summary The Methodology of Provable Security Complexity Assumptions

351 views • 24 slides
Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2

Beyond Provable Security: Verifiable IND-CCA Security of OAEP Gilles Barthe 1 Benjamin Grgoire 2 Yassine Lakhnech 3 Santiago Zanella Beguelin 1 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - Mditerrane, France 2 VERIMAG, CNRS

675 views • 14 slides
Invulnerable software D. J. Bernstein University of Illinois at Chicago Public goal of

Invulnerable software D. J. Bernstein University of Illinois at Chicago Public goal of

Invulnerable software D. J. Bernstein University of Illinois at Chicago Public goal of computer-security research: Protection of the average home computer; critical-infrastructure computers; and everything in between. Public goal of

728 views • 36 slides
Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong

Revisiting MAC Forgeries, Weak Keys and Provable Security of GCM Bo Zhu, Yin Tan and Guang Gong University of Waterloo, Canada CANS 2013 Nov 20, 2013 1 of 28 MAC Forgeries, Weak Keys and Provable Security of GCM Galois/Counter Mode (GCM)

957 views • 56 slides
Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com

Provable Security against Side-Channel Attacks Matthieu Rivain matthieu.rivain@cryptoexperts.com MCrypt Seminar Aug. 11th 2014 Outline 1 Introduction 2 Modeling side-channel leakage 3 Achieving provable security against SCA

1.62k views • 92 slides
Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927

Security dangers of the NIST curves Daniel J. Bernstein, Tanja Lange http://xkcd.com/927 http://xkcd.com/927 But our goal today isnt unification; its security. We come to bury the standard, not to praise it. Why do people choose

572 views • 31 slides
Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David

Group Key Exchange and Provable Security joint work with E. Bresson and O. Chevassut David Pointcheval Dpartement dInformatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Overview Provable

365 views • 21 slides
Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security

Summary Summary Security Proofs ---- Asymmetric Encryption Introduction without Redundancy Provable Security Asymmetric Encryption Rennes January 2004 New Schemes Joint work with Duong Hieu Phan David Pointcheval David Pointcheval

638 views • 8 slides
On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1

PAKEs Dragonfly Results Conclusion On the Provable Security of the Dragonfly protocol Jean Lancrenon 1 Marjan krobot 1 1 Interdisciplinary Centre for Security, Reliability and Trust University of Luxembourg ISC 2015 1 / 18 PAKEs

915 views • 65 slides
AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated

1. Why we created AEZ AEZ v2 2. Enciphering-based AE 3. Robust-AE 4. Accelerated provable-security Authenticated Encryption 5. Components FF0 and EME4 by Enciphering 6. AEZ Extensions Viet Tung Hoang Ted Krovetz

721 views • 31 slides
Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation

Outline Introduction Preliminaries Impossible differential Conclusion Provable Security Evaluation of Structures against Impossible Differential and Zero Correlation Linear Cryptanalysis Jian Guo Nanyang Technological University, Singapore

796 views • 51 slides
Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval

Provable Security Introduction Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Introduction Asymmetric Cryptography Computational Assumptions Security

498 views • 31 slides
Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of

Provable Security Against Differential and Linear Cryptanalysis Kaisa Nyberg Department of Information and Computer Science Aalto University FSE 2012 March 19, 2012 Introduction CRADIC Linear Hull SPN and Two Strategies Highly

757 views • 47 slides
Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier

Provable Security Authenticated Key Exchange Joint work with Emmanuel Bresson and Olivier Chevassut Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Key Agreement and

299 views • 19 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key

Introduction Related-Key Attacks Chosen-Key Attacks Conclusion On the Provable Security of the Iterated Even-Mansour Cipher against Related-Key and Chosen-Key Attacks Benot Cogliati 1 and Yannick Seurin 2 1 Versailles University, France 2

1.23k views • 94 slides
Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with

Provable security of Internet cryptography protocols Douglas Stebila Based on joint works with Florian Bergsma, Katriel Cohn-Gordon, Cas Cremers, Ben Dowling, Marc Fischlin, Felix Gnther, Luke Garratt, Florian Kohlar, Jrg Schwenk Funding

899 views • 72 slides
Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at

Some thoughts on security after ten years of qmail 1.0 D. J. Bernstein University of Illinois at Chicago The bug-of-the-month club Every few months CERT announces Yet Another Security Hole In Sendmailsomething that lets local or even

592 views • 31 slides
How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel

How Secure and Quick is QUIC? Provable Security and Performance Analyses Robert Lychev * , Samuel Jero + , Alexandra Boldyreva * , and Cristina Nita-Rotaru ++ * Georgia Institute ++ Northeastern + Purdue of T echnology University University 1

536 views • 31 slides
Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK

Probability in Cryptography Two Tools: H-Coefficient and 2 Some Constructions and Applications Tools for Symmetric Key Provable Security Mridul Nandi Indian Statistical Institute, Kolkata ASK Workshop, Changsha 10 Dec. 2017 1 / 72

1.48k views • 71 slides

More recommend