Alejandro Hevia
1/77
Introduction to Cryptography
Part I
Introduction
1 Introduction to Cryptography
    What Cryptography is about
    Classic Goals
Classic Problems/Goals
Integrity
Authenticity
Secrecy
We want to
1 Store a document
2 Send a message
We want that no unauthorized person can learn any information about the document (or message).
Part II
Provable Security
Provable Security: The Short Story
Provable Security
The need for Provable Security
Provable Security
The Recipe
1 Define goal of scheme (or adversary)
2 Define attack model
3 Give a protocol
4 Define complexity assumptions (or assumptions on the primitive)
5 Provide a proof by reduction
6 Verify proof
7 Interpret proof
K: Key generation: $r' \to K \to (k_e, k_d)$
E: Encryption: $(k_e, m, r) \to E \to c$
D: Decryption: $(k_d, c) \to D \to m$ or $\bot$
$\mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\}$
Exponentiation Function
The function $\mathrm{DExp}_g : \mathbb{Z}_q \to G$, where $q = |G|$:
$x \mapsto y = g^x$ (easy, cubic)
$y = g^x \mapsto x$ (difficult, super-polynomial)
$\mathrm{Adv}^{\mathrm{dl}}_g(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q,\ y = g^x : A(y) = x \,\right]$
Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$
One-way Function
The function $f : \mathrm{Dom}(f) \to \mathrm{Rec}(f)$,
$x \mapsto y = f(x)$ (easy, polynomial-time)
$y = f(x) \mapsto x$ (difficult for random $x \in \mathrm{Dom}(f)$, at least super-polynomial)
Resources of A:
Running time t (number of operations)
Number & length of queries (if in the random oracle model)
Part III
Reductions
Algorithmic assumptions are necessary
But are algorithmic assumptions sufficient?
If an adversary can break the secrecy, then we can break the assumption!
Proof by Reduction
Let P be a problem.
Let A be an adversary that breaks the scheme.
Then A can be used to solve P.
Provable Security?
A misleading name?
We are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).
⇒ Reductionist security
Provably Secure Scheme
Complexity-theory vs. Exact Security vs. Practical
Given: A within time t, success probability $\varepsilon$
⇒ Build: an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$
Complexity-theory Security
Given: A within time t and success probability $\varepsilon$
⇒ Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$
Complexity-theory Security: Results
General Results
Under polynomial reductions, against polynomial-time adversaries:
1 Trapdoor one-way permutations are enough for secure encryption
2 One-way functions are enough for secure signatures
If we only care about feasibility, these results close the chapter (no more problems left)... but
the schemes for which these results were originally obtained are rather inefficient,
looking into the complexity of the reduction may give us some insight.
Exact Security
Given: A which in time t breaks the scheme with probability $\varepsilon$
⇒ Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$
Why useful
From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.
Measuring the Quality of the Reduction
Tightness
A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.
Part IV
Security Notions
Security Notion for Signature Schemes
Security Notions
Security Notion for Encryption Schemes
Problem:
Authentication and non-repudiation (i.e. signatures)
$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$
A outputs $(m', \sigma')$
$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1,\ \text{for new } m' \,]$
(Existential unforgeability under chosen-message attacks)
Security Models
[Bellare-Rogaway 94]
Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]
$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$
where
A runs in time t, makes $q_h$ queries to the hash function (RO), and $q_s$ signature queries.
$T_f$ is the time to compute f (in the forward direction)
B runs in time $t' = t + (q_h + q_s) \cdot T_f$
Clearly
$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[\, S_0 \,]$
$\Pr[\, S_2 \,] = \Pr[\, S_1 \wedge \mathrm{GoodGuess} \,] = \Pr[\, S_1 \mid \mathrm{GoodGuess} \,] \times \Pr[\, \mathrm{GoodGuess} \,] \ge \Pr[\, S_1 \,] \times \frac{1}{q_H + q_S + 1}$
Game $G_5$: except for the c-th query, all preimages are known. Then, we can simulate the signing oracle without $f^{-1}$.
Rule $S^{(5)}$:
Lookup $(m, s, r)$ in H-List, and set $\sigma \leftarrow s$.
Since the c-th query cannot be asked to the hash oracle, then $\Pr[\, S_5 \,] = \Pr[\, S_4 \,]$.
Moreover,
the simulation can be done computing $(q_S + q_H)$ evaluations of f,
a signature forgery for y gives a preimage for y:
$\Pr[\, S_5 \,] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$
$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[\, S_5 \,] = \Pr[\, S_4 \,] = \Pr[\, S_3 \,] = \Pr[\, S_2 \,] \ge \frac{1}{q_H + q_S + 1} \times \Pr[\, S_1 \,] \ge \frac{1}{q_H + q_S + 1} \times \Pr[\, S_0 \,] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$
$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$
where
A runs in time t, makes $q_h$ queries to the hash function (RO), and $q_s$ signature queries.
$T_f$ is the time to compute f (in the forward direction)
B runs in time $t' = t + (q_h + q_s) \cdot T_f$
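The FDH reduction above, as an added Python example that is not from the slides: the Game $G_5$ simulator answers H and Sign without $f^{-1}$, and the reduction B extracts $f^{-1}(y)$ from a forgery, which also walks through steps 3 to 5 of the recipe from Part II. A textbook-RSA permutation built from two Mersenne primes stands in for f, and the toy forger cheats with the trapdoor d; both are constructed assumptions for illustration only.

```python
import secrets

# Constructed toy parameters (not from the slides): a small textbook-RSA permutation
# f(x) = x^e mod n plays FDH's one-way permutation; only the toy forger uses the trapdoor D.
P, Q = 2**31 - 1, 2**61 - 1        # Mersenne primes: a toy choice, far too small for real use
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def f(x):                          # forward direction: easy (one exponentiation)
    return pow(x, E, N)

class SimulatedFDH:
    """Game G5: answer H and Sign without f^{-1}; y sits at the c-th fresh hash query."""
    def __init__(self, y, c):
        self.y, self.c = y, c
        self.h_list = {}           # H-List: m -> (s, h) with h = f(s), or (None, y)
        self.signed, self.qh, self.qs = set(), 0, 0
    def H(self, m):
        if m not in self.h_list:
            self.qh += 1
            if self.qh == self.c:  # programmed query: H(m) = y, preimage unknown
                self.h_list[m] = (None, self.y)
            else:                  # s uniform, H(m) = f(s): same distribution as a RO
                s = secrets.randbelow(N - 2) + 2
                self.h_list[m] = (s, f(s))
        return self.h_list[m][1]
    def Sign(self, m):             # rule S(5): look up the preimage s in H-List
        self.qs += 1
        self.H(m)
        s, _ = self.h_list[m]
        if s is None:              # asked to sign the c-th query: B guessed wrong
            raise RuntimeError("signing query hit the challenge message")
        self.signed.add(m)
        return s

def reduction_B(y, c, forger):
    """B on input y: if the forgery lands on the c-th hash query, sigma = f^{-1}(y)."""
    sim = SimulatedFDH(y, c)
    try:
        m, sigma = forger(sim.H, sim.Sign)
    except RuntimeError:
        return None
    sim.H(m)                       # verification hashes m too (the "+1" in the bound)
    if m in sim.signed or f(sigma) != sim.H(m):  # not a valid EUF-CMA forgery
        return None
    return sigma if sim.h_list[m][0] is None else None

def toy_forger(H, Sign):
    """Stand-in for adversary A: cheats with the trapdoor D, which a real forger lacks."""
    Sign(b"invoice-1"); Sign(b"invoice-2")   # two signing queries, then a fresh m
    return b"transfer-all", pow(H(b"transfer-all"), D, N)

def guess_success_count(y, forger, guesses):
    """Run B for c = 1..guesses: one guess succeeds, the 1/(q_H+q_S+1) loss."""
    return sum(reduction_B(y, c, forger) is not None for c in range(1, guesses + 1))
```

Running B over every possible guess c succeeds exactly once, which is where the factor $q_H + q_S + 1$ in the bound comes from.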
$t' \le 2^{130} + 2^{110} \cdot T_f$.
$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$
Problem:
Secrecy (i.e. encryption)
Attack model
RSA-OAEP
A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model. [Fujisaki-OPS 00]
The result is
$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$
Classical Assumptions
1 Integer Factoring
2 Discrete Logarithm (in Finite Fields and in Elliptic Curves)
3 Modular Roots (Square roots and e-th roots)
Part V
Concluding Remarks
Part VI
References
M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009 30th IEEE Symposium on, pages 16–26. IEEE, 2009.
M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.
M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.
M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT ’94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir.
M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT ’96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.
M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.
R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.
J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.
J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.
W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.
T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.
A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO ’86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.
E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.
E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.
S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.
S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.
T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.
J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere; received 18 Mar 2002.
A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.
V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.
P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.
K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.
D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, editors, Contemporary Cryptology. Birkhäuser, 2005.
R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO ’89, pages 239–252, Berlin, Heidelberg, New York, Aug. 1990. Springer.
V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT ’97, pages 256–266, 1997.
V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf
S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.