Introduction to Provable Security

Alejandro Hevia
Dept. of Computer Science, Universidad de Chile

Advanced Crypto School, Florianopolis, October 17, 2013

(Posted on 12-Jul-2020)

Part I: Introduction to Cryptography

Outline

1. Introduction to Cryptography
   What Cryptography is about
   Classic Goals

What Cryptography is about

Cryptography is the discipline that studies systems (schemes, protocols) that preserve their functionality (their goal) even in the presence of an active disrupter.

Classic Problems / Goals

Integrity: messages have not been altered.
Authenticity: the message comes from the sender.
Secrecy: the message is not known to anybody else.

Integrity

Alice wants to be sure that a message has not been modified.

Analogy with mail: we want to know that the envelope has not been opened.

Authenticity

There are two types:

Case 1: Bob wants to interactively prove his identity to Alice (e.g. talking by phone).

Case 2: Bob wants to prove his identity non-interactively to Alice. If the proof can convince a third party (a judge), it is a signature.

Secrecy

We want to
1. store a document, or
2. send a message,

such that no unauthorized person can learn any information about the document (or message).

Cryptography: A Brief History

Until 1918: Ancient history. Ciphers based on substitution and permutations. Secrecy = secrecy of the mechanism.

1918-1975: Technical period. Cipher machines (Enigma): fast, automated permutations and substitutions.

1976: Modern cryptography. Given a scheme, use assumptions (e.g. one-way functions) to show evidence of security (a proof).

Part II: Provable Security

Provable Security: The Short Story

Originated in the late 80's:
Encryption [Goldwasser, Micali 84]; Signatures [Goldwasser, Micali, Rivest 88].

Popular using ideal substitutes:
Random oracles vs. hash functions [Fiat-Shamir 86, Bellare-Rogaway 93]
Generic groups vs. elliptic curves [Nechaev 94, Shoup 97]
Ideal ciphers vs. block ciphers [Nechaev 94, Shoup 97]

Proven useful to analyze a complex scheme in terms of the primitives it uses, in a modular fashion [Bellare-Kohno-Namprempre 04, Paterson et al. 10].

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE).

The need for Provable Security

Common approach to evaluate security: cryptanalysis driven.

1. Find an interesting cryptographic goal.
2. Propose a solution.
3. Search for an attack (i.e. a bug).
4. If one is found, go back to step 2.

After many iterations, declare it secure.

Problems:
When do we stop?
Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken.

Provable Security: The Recipe

1. Define the goal of the scheme (or of the adversary).
2. Define the attack model.
3. Give a protocol.
4. Define complexity assumptions (or assumptions on the primitive).
5. Provide a proof by reduction.
6. Verify the proof.
7. Interpret the proof.

The Need of Computational Assumptions

Consider asymmetric cryptography [Diffie-Hellman 76]. An encryption scheme AS = (K, E, D) is composed of three algorithms:

K: key generation
E: encryption
D: decryption

    r' → K → (ke, kd)

               ke            kd
               ↓             ↓
    (m, r) →   E   →  c  →   D   → m or ⊥

Unconditional secrecy is not possible

The ciphertext c = E_ke(m; r) is uniquely determined by
the public encryption key ke,
the message m,
the random coins r.

So at least exhaustive search is possible ⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.

Integer Factoring and RSA

Multiplication vs. Factorization
p, q → n = p·q is easy (quadratic).
n = p·q → p, q is hard (super-polynomial).
A one-way function.

RSA Function [Rivest-Shamir-Adleman 78]
The function f: Z_n → Z_n, where n = pq, for a fixed exponent e:
x → x^e mod n (easy: cubic).
y = x^e mod n → x (difficult without p, q),
but easy, x = y^d mod n, if the trapdoor d = e^{-1} mod φ(n) is known.

We measure the advantage of any inverting adversary A by

    Adv^rsa_{n,e}(A) = Pr[ x ←$ Z_n^*, y = x^e mod n : A(y) = x ]

The Discrete Logarithm

Let G = (〈g〉, ×) be any finite cyclic group. For any y ∈ G we define

    DLog_g(y) = min { x ≥ 0 | y = g^x }

Exponentiation Function
The function DExp_g: Z_q → G, where q = |G|:
x → y = g^x (easy: cubic).
y = g^x → x (difficult: super-polynomial).

    Adv^dl_g(A) = Pr[ x ←$ Z_q, y = g^x : A(y) = x ]

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits) | MIPS-years (log2) | Operations (log2)
     512       |        13         |        58
    1024       |        35         |        80
    2048       |        66         |       111
    4096       |       104         |       149
    8192       |       156         |       201

Reasonable estimates for RSA too, and lower bounds for DL in Z_p^*.

Generalization: One-way functions

One-way Function
The function f: Dom(f) → Rec(f):
x → y = f(x) (easy: polynomial-time).
y = f(x) → x (difficult for random x ∈ Dom(f): at least super-polynomial).

The advantage of an inverting adversary A is thus

    Adv^ow_f(A) = Pr[ x ←$ Dom(f), y = f(x) : A(y) = x ]

Resources of A:
running time t (number of operations);
number and length of queries (if in the random oracle model).

Part III: Reductions

Algorithmic assumptions are necessary

Recall that for RSA:
n = pq: public modulus
e: public exponent
d = e^{-1} mod φ(n): private exponent
E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n

Underlying hard problem: computing m from c = E_{n,e}(m) for m ←$ Z_n^*.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

    IF an adversary can break the secrecy,
    THEN we can break the assumption.

This is a reductionist proof.

Proof by Reduction

Let P be a problem.
Let A be an adversary that breaks the scheme.
Then A can be used to solve P:

    Instance I of P → [ New algorithm for P, running Adversary A inside ] → Solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

Provable Security: A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

Provably Secure Scheme

Before calling a scheme provably secure we need:
1. To make precise the algorithmic assumptions (some were given above).
2. To define the security notions to be guaranteed (next): security goal, attack model.
3. A reduction.

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time t, with success probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε).

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε).

Complexity theory: T polynomial.
Exact security: T explicit.
Practical security: T small (linear).

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t, ε).

Assumption: P is hard = "no polynomial time algorithm".
Reduction: T is polynomial in t and ε.
Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

Complexity-theory Security Results

General results, under polynomial reductions against polynomial-time adversaries:
1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:
the schemes for which these results were originally obtained are rather inefficient;
looking into the complexity of the reduction may give us some insight.

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'.

Assumption: solving P requires N operations (say, time τ).
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes).
Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ.

Why useful? From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness
A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' ≫ t or ε' ≪ ε, the reduction is not tight.

The tightness gap is (t'/ε') / (t/ε) = (t'·ε) / (t·ε').

We want tight reductions, or at least reductions with a small tightness gap.

Part IV: Security Notions

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think and define:
1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
2. The attack model:
   attack venues: what the adversary can and cannot do;
   leaked information: what the adversary can learn from honest users (often modeled by oracles).

Signature Schemes (Authentication)

Goal: Existential Forgery
The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,
given the verification key kv,
it outputs a pair (m', σ') of a message and its signature
such that the following probability is large:

    Pr[ Vf(kv, m', σ') = 1 ]

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.
Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.
Chosen-Message Attack (CMA): the adversary can choose the messages for which he sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]. Given a signature scheme Σ = (K, Sign, Vf):

    (kv, ks) ←$ K(·)
        kv ↓                                    ks ↓
     Adversary  ──── m ────→   Signing Oracle: σ ← Sign(ks, m)
                ←─── σ ─────   (repeated, adaptively)
        ↓ (m', σ')

    Adv^euf-cma_Σ(A) = Pr[ Vf(kv, m', σ') = 1 for a new m' ]

(Existential unforgeability under chosen-message attacks.)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as
hash functions,
block ciphers,
finite groups,
are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models
Hash function → Random oracle
Block cipher → Ideal cipher
Finite group → Generic group

Standard model: no idealized primitives (sort of).

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:
each new query receives a random answer in Rec(H);
the same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:
1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]
Scheme FDH is (K, S, V) as follows:
K: key generation returns (f, f^{-1}) where
   the public key is f: X → X, a trapdoor one-way permutation onto X;
   the private key is f^{-1}.
S: the signature of m is σ ← f^{-1}(H(m)).
V: the verification of (m, σ) returns true if f(σ) = H(m).

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)
Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

    Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where
A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
Tf is the time to compute f (in the forward direction);
B runs in time t' = t + (qh + qs) · Tf.

[Bellare-Rogaway 1993, 1996]

Proof: by reduction.

Exact Security: FDH Signatures and Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:
1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs and Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true". Clearly

    Adv^euf-cma_FDH(A) = Pr[ S0 ]

Exact Security: FDH Sigs and Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
Create an initially empty list called H-List.
If (q, r) ∈ H-List, return r.
Otherwise reply using Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
r ← H(m). Reply using Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ):
r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ].

Exact Security: FDH Sigs and Game-based proofs (2/5)

Game G2: as G1, but where
c ←$ {1, ..., qH + qS + 1}.
Let c' = the index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.
If c ≠ c', then abort.

Success verification is within the game ⇒ the adversary must query his output message m'.

    Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
             = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
             ≥ Pr[ S1 ] × 1/(qH + qS + 1)

Exact Security: FDH Sigs and Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.
Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, Pr[ S3 ] = Pr[ S2 ].

Exact Security: FDH Sigs and Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set r ← y and s ← ⊥. Otherwise choose a random s ←$ X and compute r ← f(s). Add the record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, Pr[ S4 ] = Pr[ S3 ].

Exact Security: FDH Sigs and Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[ S5 ] = Pr[ S4 ].

Moreover:
the simulation can be done computing (qS + qH) evaluations of f;
a signature forgery for y gives a preimage for y.

    Pr[ S5 ] = Adv^ow_f(B)

where B = G5 runs in time t + (qS + qH) · Tf.

Exact Security: FDH Sigs and Game-based proofs: conclusion

Combining the relations from the previous games:

    Adv^ow_f(B) = Pr[ S5 ] = Pr[ S4 ] = Pr[ S3 ] = Pr[ S2 ]
                ≥ 1/(qH + qS + 1) × Pr[ S1 ]
                ≥ 1/(qH + qS + 1) × Pr[ S0 ]
                = 1/(qH + qS + 1) × Adv^euf-cma_FDH(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
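The FDH scheme from the slides above, together with the reduction B of game G5, as an added example (not code from the slides or their author). It assumes a constructed toy RSA permutation f on Z_n built from the Mersenne primes 2^31-1 and 2^61-1, SHA-256 reduced mod n as the full-domain hash, and a stand-in forger that (since no real forger is known) produces its forgery with the trapdoor; B itself never touches f^{-1}. Sweeping the guess c over {1, ..., qh+qs+1} shows that B wins for exactly one value of c, which is the (qh+qs+1) loss in the theorem.

```python
import hashlib
import secrets

# Constructed toy RSA trapdoor permutation f(x) = x^e mod n on X = Z_n.
# Mersenne primes keep n ~ 2^92; real FDH needs a 2048-bit or larger modulus.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor d = e^-1 mod phi(n)


def f(x):
    """Forward direction: public and easy."""
    return pow(x, E, N)


def f_inv(y):
    """Inverse direction: needs the trapdoor d (the private key)."""
    return pow(y, D, N)


def H(m):
    """Full-domain hash into Z_n (SHA-256 reduced mod n; a constructed stand-in)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def sign(m):
    """FDH signing: sigma <- f^-1(H(m))."""
    return f_inv(H(m))


def verify(m, sigma):
    """FDH verification: true iff f(sigma) == H(m)."""
    return f(sigma) == H(m)


class Abort(Exception):
    """The guessed index c was wrong and the simulation has to stop."""


def run_reduction(forger, y, c):
    """Adversary B of game G5: runs `forger` against simulated H and Sign oracles
    without ever using f^-1. The c-th fresh hash query is programmed to the
    challenge y (Rule H(4)); every other fresh query gets r = f(s) for a random s,
    so signing queries are answered from H-List (Rule S(5)).
    Returns a preimage of y under f, or None if this run failed."""
    h_list = {}        # message -> (s, r); s is None only for the programmed query
    fresh = [0]        # number of distinct hash queries seen so far

    def H_sim(m):
        if m not in h_list:
            fresh[0] += 1
            if fresh[0] == c:
                h_list[m] = (None, y)            # r <- y, s <- bot
            else:
                s = secrets.randbelow(N)
                h_list[m] = (s, f(s))            # r <- f(s), preimage s is known
        return h_list[m][1]

    def Sign_sim(m):
        H_sim(m)                                 # signing goes through H first
        s, _ = h_list[m]
        if s is None:
            raise Abort                          # c-th message asked for a signature
        return s                                 # sigma <- s, no trapdoor needed

    try:
        m_forged, sigma = forger(H_sim, Sign_sim)
    except Abort:
        return None
    H_sim(m_forged)    # the game verifies the forgery, so m' is hashed if not already
    if h_list[m_forged][1] == y and f(sigma) == y:
        return sigma   # a forgery on the programmed message is exactly f^-1(y)
    return None


def make_forger(qh, qs):
    """Stand-in for an EUF-CMA forger A: qs signing queries, qh hash queries in
    total, then a forgery on a fresh message. Because no real forger is known, the
    forgery is produced with the trapdoor d here; B never sees d."""
    def forger(H_sim, Sign_sim):
        for i in range(qs):
            m = b"msg-%d" % i
            H_sim(m)
            Sign_sim(m)
        for i in range(qh - 1):
            H_sim(b"probe-%d" % i)
        m_new = b"target"
        return m_new, f_inv(H_sim(m_new))       # hypothetical A (uses d)
    return forger


def reduction_sweep(qh, qs, x0):
    """Run B for every guess c in {1, ..., qh+qs+1} on the challenge y = f(x0) and
    return the list of c values for which B recovered x0. Its length divided by
    qh+qs+1 is B's success probability: the loss factor of the theorem."""
    y = f(x0)
    return [c for c in range(1, qh + qs + 2)
            if run_reduction(make_forger(qh, qs), y, c) == x0]


if __name__ == "__main__":
    assert verify(b"hello", sign(b"hello"))
    print("winning guesses c:", reduction_sweep(qh=3, qs=2, x0=123456789))
```

With qh = 3 and qs = 2 the sweep returns a single winning c, so B succeeds with probability 1/(qh+qs+1) when A always succeeds, matching Pr[S5] ≥ Pr[S0]/(qH+qS+1).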

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

    Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where
A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
Tf is the time to compute f (in the forward direction);
B runs in time t' = t + (qh + qs) · Tf.

How should we interpret this result?

Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are:
at most 2^75 operations (t),
at most 2^55 hash queries (qh), and
at most 2^30 signing queries (qs).

    Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)
    B runs in time t' = t + (qh + qs) · Tf

The result now says:

Interpreting the Result
If one can break the scheme within time t, then one can invert f within time t' ≤ (qh + qs + 1)(t + (qh + qs) · Tf) ≤ 2^130 + 2^110 · Tf.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

    t' ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known algorithm, the Number Field Sieve (NFS)), for f = RSA:
1024 bits → t' ≤ 2^140, but NFS takes 2^80.
2048 bits → t' ≤ 2^143, but NFS takes 2^111.
4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok.

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

    Adv^euf-cma_FDH(A) ≤ qs · e · Adv^ow_f(B)

(here e is the base of the natural logarithm, not the RSA exponent), where B runs in time t' = t + (qh + qs + 1) · Tf if A runs in time t and makes qh, qs queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · Tf, and
1024 bits → t' ≤ 2^105, but NFS takes 2^80.
2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok.
4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok.

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given the (asymmetric) encryption scheme AS = (K, E, D):

    b ←$ {0,1},  (ke, kd) ←$ K(·)

    Challenger                                        Adversary (receives ke)
       ←──────── c ─────────────────────────────────  (CCA1 phase: m ← D_kd(c), repeated)
       ──────── m or ⊥ ─────────────────────────────→
       ←──────── (m0, m1) ──────────────────────────
       ──────── c* ← E_ke(mb) ──────────────────────→
       ←──────── c ≠ c* ────────────────────────────  (CCA2 phase: m ← D_kd(c), repeated)
       ──────── m or ⊥ ─────────────────────────────→
                                                       outputs b'

    Adv^ind-cca_AS(A) = Pr[ (m0, m1) ← A^D(ke), c* ← E_ke(mb) : b' = b ]

(Indistinguishability against chosen-ciphertext attacks.)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) \;:\; A(k_e, c) = m \,]$

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.

$D(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP, then check the redundancy (the $k_1$ zero bits).
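The IND game of the earlier slides played against the two RSA encryption modes just discussed, as an added example (not code from the tutorial): textbook RSA, which is deterministic and therefore not IND-CPA, and $f$-OAEP with $f = \mathrm{RSA}$, whose decryption rejects ($\bot$) when the $k_1$-bit redundancy check fails. Assumptions of the example, not from the slides: a constructed, insecure toy modulus (product of two Mersenne primes), SHA-256 truncations standing in for $G$ and $H$, $k_0 = k_1 = 32$ bits with 80-bit messages, and the game restricted to the CPA setting (no decryption oracle).

```python
"""IND-CPA game: textbook RSA (deterministic) vs RSA-OAEP (randomized).

Added example, not from the tutorial.  The modulus is a constructed toy
(two Mersenne primes, ~150 bits) and is NOT secure; it only makes the
game runnable offline.  G and H are SHA-256 truncations standing in for
the random oracles, with k0 = k1 = 32 bits and 80-bit messages.
"""
import hashlib
import os
import random

# --- constructed toy RSA trapdoor permutation (insecure) -------------------
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # trapdoor d = e^-1 mod phi(n)

def f(x: int) -> int:                    # x -> x^e mod n (public direction)
    return pow(x, E, N)

def f_inv(y: int) -> int:                # y -> y^d mod n (needs the trapdoor)
    return pow(y, D, N)

# --- OAEP parameters (bytes): n = k0 + k1 + |m|, with 8n < bitlen(N) -------
K0, K1, MLEN = 4, 4, 10
NLEN = K0 + K1 + MLEN                    # 18 bytes = 144 bits < 150 bits of N

def G(r: bytes) -> bytes:                # G: {0,1}^k0 -> {0,1}^(n-k0)
    return hashlib.sha256(b"G" + r).digest()[: NLEN - K0]

def H(x: bytes) -> bytes:                # H: {0,1}^(n-k0) -> {0,1}^k0
    return hashlib.sha256(b"H" + x).digest()[:K0]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def oaep_encrypt(m: bytes) -> int:
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    assert len(m) == MLEN
    r = os.urandom(K0)                   # fresh coins on every call
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))

def oaep_decrypt(c: int):
    """D(c): invert f, undo the padding; return None (the slides' bottom)
    unless the k1 redundancy bytes are all zero."""
    v = f_inv(c)
    if v >= 1 << (8 * NLEN):             # not an n-byte string: reject
        return None
    xy = v.to_bytes(NLEN, "big")
    x, y = xy[: NLEN - K0], xy[NLEN - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MLEN], padded[MLEN:]
    return m if redundancy == bytes(K1) else None

def textbook_encrypt(m: bytes) -> int:
    """Plain RSA: no coins, so encryption is a deterministic function of m."""
    return f(int.from_bytes(m, "big"))

# --- the IND-CPA game (left-or-right challenge) from the slides --------------
class ReencryptAdversary:
    """Knows only the public key (here: the public `enc` function).  Guess
    rule: re-encrypt m0 and compare it with the challenge ciphertext."""
    def __init__(self, enc):
        self.enc = enc
        self.m0, self.m1 = b"0123456789", b"9876543210"   # constructed inputs
    def choose(self):
        return self.m0, self.m1
    def guess(self, c_star: int) -> int:
        return 0 if self.enc(self.m0) == c_star else 1

def ind_cpa_win_rate(enc, adversary, trials: int = 200, seed: int = 1) -> float:
    """Play the game `trials` times; return the fraction of rounds with b' = b.
    A win rate of 1 means the scheme is broken; 1/2 is no better than guessing."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)                           # b <-$ {0,1}
        m0, m1 = adversary.choose()                    # (m0, m1) <- A(k_e)
        c_star = enc((m0, m1)[b])                      # c* <- E_ke(m_b)
        wins += adversary.guess(c_star) == b           # b' = b ?
    return wins / trials

if __name__ == "__main__":
    print("textbook RSA:", ind_cpa_win_rate(textbook_encrypt, ReencryptAdversary(textbook_encrypt)))
    print("RSA-OAEP:    ", ind_cpa_win_rate(oaep_encrypt, ReencryptAdversary(oaep_encrypt)))
```

Against textbook RSA the re-encryption adversary wins every round, whereas against OAEP its guess is uncorrelated with $b$; the tamper check in `oaep_decrypt` is what gives the CCA decryption oracle its $\bot$ answers.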

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Solving (inverting) $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight)


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits $\rightarrow$ $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more
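How the key-size verdicts on the last three RSA slides (FDH with Coron's reduction, RSA-OAEP, RSA-OAEP++) follow from the stated time bounds, as an added example (not from the tutorial). It assumes the slides' budget ($t \le 2^{75}$, each query count at most $2^{55}$, $T_f = k^2$) and the NFS cost figures quoted on the slides; the $2^{30}$ and $2^{85}$ constants for FDH are taken from that slide as stated.

```python
"""Turning exact-security bounds into minimum RSA key sizes.

Added example, not from the tutorial.  Each bound function returns the
running time t' of the RSA inverter B that the reduction builds from an
adversary A, using the expressions quoted on the slides and the slides'
feasibility budget: t <= 2^75 operations, at most 2^55 oracle queries of
each kind, and T_f = k^2 for one RSA operation on a k-bit modulus.  The
verdict compares log2(t') with the NFS cost estimates quoted in the talk.
"""
import math

# log2(operations) for NFS factoring of a k-bit modulus, as quoted on the
# slides from Lenstra-Verheul; a size absent from this table is not assessed.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

T_A = 2**75        # running time t of the adversary A (slides' budget)
Q_MAX = 2**55      # bound on each query count q_h, q_s, q_G, q_H, q_E

def t_rsa_op(k: int) -> int:
    """Cost T_f of one RSA operation on a k-bit modulus, k^2 as on the slides."""
    return k * k

def fdh_coron(k: int, t: int = T_A) -> int:
    """RSA-FDH with [Coron 2000]: the slide folds the q_s*e probability loss
    and the (q_h + q_s + 1)*T_f query cost into t' <= 2^30 * t + 2^85 * T_f."""
    return 2**30 * t + 2**85 * t_rsa_op(k)

def rsa_oaep_fops(k: int, t: int = T_A, q_H: int = Q_MAX, q_G: int = Q_MAX) -> int:
    """RSA-OAEP, [Fujisaki-OPS 00]: t' = 2t + q_H (2 q_G + q_H) k^2."""
    return 2 * t + q_H * (2 * q_G + q_H) * t_rsa_op(k)

def rsa_oaep_pp_jonsson(k: int, t: int = T_A, q_E: int = Q_MAX) -> int:
    """RSA-OAEP++ (Jonsson 2002): t' <= t + q_E * k^2 (essentially linear)."""
    return t + q_E * t_rsa_op(k)

def log2_time(bound, k: int) -> float:
    """log2 of the inverter's running time for modulus size k."""
    return math.log2(bound(k))

def reduction_ok(bound, k: int) -> bool:
    """True when the reduction is meaningful at size k: an attack on the
    scheme would yield an RSA inverter cheaper than the best known (NFS)."""
    return log2_time(bound, k) <= NFS_LOG2[k]

def min_secure_key(bound):
    """Smallest tabulated modulus size at which the reduction is meaningful,
    or None if no tabulated size qualifies."""
    for k in sorted(NFS_LOG2):
        if reduction_ok(bound, k):
            return k
    return None

def report(name: str, bound) -> None:
    """Print the same per-size table the slides show for this reduction."""
    for k in sorted(NFS_LOG2):
        verdict = "ok" if reduction_ok(bound, k) else "no"
        print(f"{name:14s} {k:5d} bits: log2 t' = {log2_time(bound, k):6.1f}, "
              f"NFS = 2^{NFS_LOG2[k]}  {verdict}")
    print(f"{name:14s} => secure for keys of at least {min_secure_key(bound)} bits")

if __name__ == "__main__":
    report("RSA-FDH/Coron", fdh_coron)
    report("RSA-OAEP", rsa_oaep_fops)
    report("RSA-OAEP++", rsa_oaep_pp_jonsson)
```

The computed $\log_2 t'$ values sit slightly above the rounded figures on the slides (for instance $2^{106}$ rather than $2^{105}$ for FDH at 1024 bits), but every per-size verdict and each minimum key size agree with the slides.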

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

  • Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
          • Provable Security
            • Provable Security
              • Provably Security The Short Story
              • The need for Provable Security
                  • Reductions
                  • Security Notions
                    • Security Notions
                      • Security Notion for Signature Schemes
                      • Security Notion for Encryption Schemes
                          • Concluding Remarks
                            • Concluding Remarks
                              • References

    Introduction to Cryptography

    Part I

    Introduction

    277

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    1 Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    377

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    What Cryptography is about

    Cryptography is the discipline that studies systems (schemesprotocols) that preserve their functionality (their goal) even underthe presence of an active disrupter

    477

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    What Cryptography is about

    Cryptography is the discipline that studies systems (schemesprotocols) that preserve their functionality (their goal) even underthe presence of an active disrupter

    477

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    Classic ProblemsGoals

    Integrity Messages have not been altered

    Authenticity Message comes from sender

    Secrecy Message not known to anybody else

    577

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    Integrity

    Alice wants to be sure that a message has not been modified

    Analogy with mail

    We want to know that the envelope has not been opened

    677

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    Authenticity

    There are two typesCase 1 Bob wants to interactively prove his identity to Alice(eg talking by phone)

    Case 2 Bob wants to prove his identity non-interactively to AliceIf the proof can convice a third party (judge) itrsquos a signature

    777

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    Secrecy

    We want to

    1 Store a document

    2 Send a message

    We want

    that no unauthorized person can learn any information aboutthe document (or message)

    877

    Introduction to CryptographyWhat Cryptography is aboutClassic Goals

    Cryptography A Brief History

    Until 1918 Ancient history

    Ciphers based on sustitution and permutationsSecrecy = Secrecy of the Mechanism

    1918-1975 Technical period Cipher Machines (Enigma)

    Fast automated permutations and substitutions

    1976 Modern Cryptography

    Given a scheme use assumptions (eg one-way functions) toshow evidence of security (a proof)

    977

    Provable Security

    Part II

    Provable Security

    1077

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    Provably Security The Short Story

    Originated in the late 80rsquos

    Encryption [Goldwasser Micali 84]Signatures [Goldwasser Micali Rivest 88]

    Popular using ideal substitutes

    Random oracles vs hash functions [Fiat Shamir 86Bellare-Rogaway 93]Generic groups vs Eliptic curves [Nechaev 94 Shoup 97]Ideal ciphers vs Block ciphers [Nechaev 94 Shoup 97]

    Proven useful to analyze a complex scheme in terms of theprimitives used in a modular fashion[Bellare-Kohno-Namprempre 04 Paterson et al 10]

    Now a common requirement to support emerging standards(IEEE P1363 ISO Cryptrec NESSIE)

    1177

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    The need for Provable Security

    Common approach to evaluate security Cryptanalysis driven

    1 Found an interesting cryptographic goal

    2 Propose a solution

    3 Search for an attack (ie bug)

    4 If one found go back to step 2

    After many iterations declare it secureProblems

    When do we stop

    Results not always trustworthy

    Chor-Rivest knapsack scheme took 10 years to be totallybroken

    1277

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    Provable Security

    The Recipe

    1 Define goal of scheme (or adversary)

    2 Define attack model

    3 Give a protocol

    4 Define complexity assumptions (or assumptions on theprimitive)

    5 Provide a proof by reduction

    6 Verify proof

    7 Interpret proof

    1377

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    The Need of Computational Assumptions

    Consider asymmetric cryptography (Diffie Hellman 76)An encryption scheme AS = (K E D) is composed by threealgorithms

    K Key generation

    E Encryption

    D Decryption

    r prime minusrarr K minusrarr (ke kd)

    ke kddarr darr

    m minusrarrr minusrarr E minusrarr c minusrarr D minusrarr m or perp

    1477

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    Unconditional secrecy is not possible

    The ciphertext c = Eke (m r) is uniquely determined by

    The public encryption key ke

    The message m

    The random coins r

    So at least exhaustive search is possible

    rArr unconditional secrecy is impossible

    We need complexity (algorithmic) assumptions

    1577

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    Unconditional secrecy is not possible

    The ciphertext c = Eke (m r) is uniquely determined by

    The public encryption key ke

    The message m

    The random coins r

    So at least exhaustive search is possiblerArr unconditional secrecy is impossible

    We need complexity (algorithmic) assumptions

    1577

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    Integer Factoring and RSA

    Multiplication vs Factorization

    p q rarr n = p middot q is easy (cuadratic)

    n = p middot q rarr p q is hard (super-polynomial)

    One-way

    function

    RSA Function [Rivest-Shamir-Adleman 78]

    The function f Zn rarr Zn where n = pq for a fixed exponent e

    x rarr xe mod n (easy cubic)

    y = xe mod n rarr x (difficult without p q)

    but easy x = yd mod n if trapdoor d = eminus1 mod φ(n) is known

    We measure the advantage of any inverting adversary A by

    Advrsane(A) = Pr[

    x$larr Zlowastn y = xe mod n A(y) = x

    ]1677

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    The Discrete Logarithm

    Let G = (〈g〉times) be any finite cyclic groupFor any y isin G we define

    DLogg (y) = min x ge 0 | y = g x

    Exponenciation Function

    The function DExpg Zq rarr G where q = |G |x rarr y = g x (easy cubic)

    y = g x rarr x (difficult super-polynomial)

    Advdlg (A) = Pr[

    x$larr Zq y = g x A(y) = x

    ]

    1777

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    How hard are these problems

    Estimates for integer factorization [Lenstra-Verheul 2000]

    Modulus MIPS-years Operations(bits) (log2) (log2)

    512 13 58

    1024 35 80

    2048 66 111

    4096 104 149

    8192 156 201

    Reasonable estimates for RSA too and lower bounds for DL in Zlowastp

    1877

    Provable SecurityProvably Security The Short StoryThe need for Provable Security

    Generalization One-way functions

    One-way Function

    The function f Dom(f )rarr Rec(f )

    x rarr y = f (x) (easy polynomial-time)

    y = f (x) rarr x (difficult for random x isin Dom(f ) at leastsuper-polynomial)

    The advantage of an inverting adversary A is thus

    Advowf (A) = Pr[

    x$larr Dom(f ) y = f (x) A(y) = x

    ]Resources of A

    Running time t (number of operations)

    Number amp length of queries (if in random oracle model)

    1977

    Part III

    Reductions

    2077

    Algorithmic assumptions are necessary

    Recall that for RSA

    n = pq public modulus

    e public exponent

    d = eminus1 mod φ(n) private exponent

    Ene(m) = me mod n and Dnd(c) = cd mod n

    Underlying hard problem

    Computing m from c = Ene(m) for m$larr Zlowastn

    Easy fact

    If the RSA problem is easy secrecy does not hold anybody (notonly the owner of the trapdoor) can recover m from c

    2177

    But are algorithmic assumptions sufficient

    We want the guarantee that an assumption is enough for security

    For example in the case of encryption

    IF

    an adversary can breakthe secrecy

    rArr

    Then

    we can break theassumption

    This is a reductionist proof

    2277

    But are algorithmic assumptions sufficient

    We want the guarantee that an assumption is enough for security

    For example in the case of encryption

    IF

    an adversary can breakthe secrecy

    rArr

    Then

    we can break theassumption

    This is a reductionist proof

    2277

    But are algorithmic assumptions sufficient

    We want the guarantee that an assumption is enough for security

    For example in the case of encryption

    IF

    an adversary can breakthe secrecy

    rArr

    Then

    we can break theassumption

    This is a reductionist proof

    2277

    Proof by Reduction

    Let P be a problem

    Let A be an adversary that breaks the scheme

    Then A can be used to solve P

    Instance Iof P minusrarr

    New algorithm for P

    Adversary

    A

    Solutionminusrarr of I

    If so we say solving P reduces to breaking the schemeConclusion If P untractable then scheme is unbreakable

    2377

    Proof by Reduction

    Let P be a problem

    Let A be an adversary that breaks the scheme

    Then A can be used to solve P

    Instance Iof P minusrarr

    New algorithm for P

    Adversary

    A

    Solutionminusrarr of I

    If so we say solving P reduces to breaking the schemeConclusion If P untractable then scheme is unbreakable

    2377

    Provable Security

    A misleading name

    Not really proving a scheme secure but showing a reduction fromsecurity of scheme to the security of the underlying assumption (orprimitive)

    rArr Reductionist security

    2477

    Provable Security

    A misleading name

    Not really proving a scheme secure but showing a reduction fromsecurity of scheme to the security of the underlying assumption (orprimitive)

    rArr Reductionist security

    2477

    Provably Secure Scheme

    Before calling a scheme provably secure we need

    1 To make precise the algorithmic assumptions (some given)2 To define the security notions to be guaranteed (next)

    Security goalAttack model

    3 A reduction

    2577

    Complexity-theory vs Exact Security vs Practical

    The interpretation of the reduction matters

    Given

    A within time tsuccessprobability ε

    rArrBuild

    Algorithm against P that runsin time t prime = T (t) with successprobability εprime = R(ε)

    The reduction requires showing T (for simplicity suppose Rdepends only linearly in ε)

    Complexity theory T polynomial

    Exact security T explicit

    Practical security T small (linear)

    Each gives us a way to interpret reduction results

    2677

    Complexity-theory Security

    Given

    A within time tand successprobability ε

    rArrBuild

    Algorithm against P that runsin time t prime = T (t ε)

    Assumption P is hard = ldquono polynomial time algorithmrdquo

    Reduction T is polynomial in t and ε

    Security result There is no polynomial time adversary

    which really means that there is no attack if the parametersare large enough

    Not always meaningful as when analyzing block ciphers

    2777

    Complexity-theory Security

    Given

    A within time tand successprobability ε

    rArrBuild

    Algorithm against P that runsin time t prime = T (t ε)

    Assumption P is hard = ldquono polynomial time algorithmrdquo

    Reduction T is polynomial in t and ε

    Security result There is no polynomial time adversarywhich really means that there is no attack if the parametersare large enough

    Not always meaningful as when analyzing block ciphers

    2777

    Complexity-theory Security

    Given

    A within time tand successprobability ε

    rArrBuild

    Algorithm against P that runsin time t prime = T (t ε)

    Assumption P is hard = ldquono polynomial time algorithmrdquo

    Reduction T is polynomial in t and ε

    Security result There is no polynomial time adversarywhich really means that there is no attack if the parametersare large enough

    Not always meaningful as when analyzing block ciphers

    2777

    Complexity-theory Security Results

    General Results

    Under polynomial reductions against polynomial-time adversaries

    1 Trapdoor one-way permutations are enough for secureencryption

    2 One-way functions are enough for secure signatures

    If only care about feasibility these results close the chapter (nomore problems left) but

    the schemes for which these results were originally obtainedare rather inefficient

    looking into the complexity of the reduction may gives ussome insight

    2877

    Exact Security

    Given

    A which on time tbreaks scheme withprobability ε

    rArrBuild

    Algorithm against P that runsin time t prime = T (t ε) and workswith probability εprime

    Assumption Solving P requires N operations (say time τ)

    Reduction exact cost for T as a function of t ε and otherparameters (eg the key sizes)

    Security result There is no adversary (for scheme) withintime t such that t prime = T (t ε) le τ

    Why useful

    From T (t) le τ we can get bounds on minimal key sizes underwhich the scheme is secure

    2977

    Exact Security

    Given

    A which on time tbreaks scheme withprobability ε

    rArrBuild

    Algorithm against P that runsin time t prime = T (t ε) and workswith probability εprime

    Assumption Solving P requires N operations (say time τ)

    Reduction exact cost for T as a function of t ε and otherparameters (eg the key sizes)

    Security result There is no adversary (for scheme) withintime t such that t prime = T (t ε) le τ

    Why useful

    From T (t) le τ we can get bounds on minimal key sizes underwhich the scheme is secure

    2977

    Measuring the Quality of the Reduction

    How much is lost in the reduction How much of the ldquopowerrdquo ofadversary A breaking the scheme remains in the algorithm breakingthe problem P

    Tightness

    A reduction is tight if t prime asymp t and εprime asymp ε Otherwise if t prime gtgt t orεprime ltlt ε the reduction is not tight

    The tightness gap is (t primeε)(tεprime) = (t primeεprime)(tε)

    We want tight reductions or at least reductions with smalltightness gap

    3077

    Measuring the Quality of the Reduction

    How much is lost in the reduction How much of the ldquopowerrdquo ofadversary A breaking the scheme remains in the algorithm breakingthe problem P

    Tightness

    A reduction is tight if t prime asymp t and εprime asymp ε Otherwise if t prime gtgt t orεprime ltlt ε the reduction is not tight

    The tightness gap is (t primeε)(tεprime) = (t primeεprime)(tε)

    We want tight reductions or at least reductions with smalltightness gap

    3077

    Security Notions

    Part IV

    Security Notions

    3177

    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

    Security Notions Examples

    Problem

    Authentication and no-repudiation (ie signatures)

    How do we come up with a security notion

    We need to think and define

    1 Security goal of the scheme (= Opposite to Adversaryrsquos goal)

    Property that needs to be guaranteed

    2 Attack model

    Attack venues what the adversary can and cannot doLeaked information what the adversary can know from honestusers (often modeled by oracles)

    3277

    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

    Security Notions Examples

    Problem

    Authentication and no-repudiation (ie signatures)

    How do we come up with a security notionWe need to think and define

    1 Security goal of the scheme (= Opposite to Adversaryrsquos goal)

    Property that needs to be guaranteed

    2 Attack model

    Attack venues what the adversary can and cannot doLeaked information what the adversary can know from honestusers (often modeled by oracles)

    3277

    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

    Signature Schemes (Authentication)

    Goal Existential Forgery

    The adversary wins if it forges a valid message-signature pairwithout private key

    Adversary does a good job (or the scheme is insecure) if

    given the verification key kv

    outputs a pair mprime σprime of message and its signature

    such that the following probability is large

    Pr [ Vf (kv mprime σprime) = 1 ]

    3377

    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

    Possible Attack Models

    No-Message Attack (NKA) adversary only knows theverification key

    Known-Message Attack (KMA) adversary also can accesslist of messagesignature pairs

    Chosen-Message Attack (CMA) adversary can choose themessages for which he can see the messagesignature pairsStrongest attack

    3477

    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

    Security Notion for Signature Schemes EUF-CMA

    [Goldwasser Micali Rivest 1988]Given signature scheme Σ = (KSignVf )

    (kv ks)$larr K(middot)

    kv darr

    Adversary

    darr (mprime σprime)

    mminusrarrσlarrminusmiddotmiddotmiddotminusrarrlarrminus

    ks darr

    Signing Oracle

    σ larr Sign(ks m)

    Adveuf-cmaΣ (A) = Pr [ Vf (kv m

    prime σprime) = 1 for new mprime ]

    (Existential unforgeability under chosen-message attacks)3577

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.

The same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathsf{K}, \mathsf{S}, \mathsf{V})$ as follows:

K: Key Generation returns $(f, f^{-1})$ where
  Public key: $f: X \to X$, a trapdoor one-way permutation onto X
  Private key: $f^{-1}$

S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77

Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \dots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathsf{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$ but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using
  Rule H(1): $r \xleftarrow{\$} X$ and add record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$; reply using
  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathsf{Vf}(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$ but where

$c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$

Let $c'$ be the index of the first query where message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If $c \ne c'$ then abort.

Success: verification is within the game ⇒ the adversary must query his output message m.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$ but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$; otherwise choose r at random. Add record $(q, \bot, r)$ to H-List.

Since the position of y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$ but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add record $(q, s, r)$ to H-List.

Since the position of y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

45/77

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the c-th hash query cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage of y.

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H)\,T_f$.

46/77

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
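The FDH scheme from slide 38 and the simulator B assembled across games $G_1$ to $G_5$, written out as an added example; this is not code from the slides, from Pointcheval's course notes or from Bellare and Rogaway. It assumes f is RSA over two Mersenne primes (far too small to be secure, chosen only for speed), that the concrete hash H maps into $X = \mathbb{Z}_N$ via SHA-256, and that the random oracle in the simulation is programmed with rules H(4) and S(5). The `cheating_forger` is a hypothetical stand-in for a forger: it is handed the trapdoor purely so the reduction has a forgery to work with, which no real adversary has.

```python
"""Added example (not from the slides): FDH over a toy RSA permutation and
the simulator B of game G5, which answers hash and signing queries without
f^{-1} and turns a forgery on the c-th hashed message into a preimage of y.
"""
import hashlib
import secrets

# --- toy trapdoor permutation f(x) = x^E mod N on X = Z_N (assumed sizes) ---
P = (1 << 31) - 1            # Mersenne prime 2^31 - 1
Q = (1 << 61) - 1            # Mersenne prime 2^61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the trapdoor; only the signer has it


def f(x):
    return pow(x, E, N)


def f_inv(y):
    """Uses the trapdoor D; never called by the simulator below."""
    return pow(y, D, N)


def H_real(m):
    """Concrete hash into X, standing in for the random oracle in the real scheme."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


# --- the FDH scheme: S(m) = f^{-1}(H(m)), V(m, sigma): f(sigma) == H(m) ---
def fdh_sign(m):
    return f_inv(H_real(m))


def fdh_verify(m, sigma):
    return f(sigma) == H_real(m)


class Simulator:
    """B in game G5: every hash answer except the c-th has a known preimage s
    (r = f(s)); the c-th answer is the one-wayness challenge y."""

    def __init__(self, y, c):
        self.y, self.c = y, c
        self.hlist = {}          # H-List: m -> (s, r); s is None for the c-th query
        self.queries = 0
        self.signed = set()

    def H(self, m):
        if m not in self.hlist:
            self.queries += 1
            if self.queries == self.c:
                self.hlist[m] = (None, self.y)          # Rule H(4): embed y
            else:
                s = secrets.randbelow(N)
                self.hlist[m] = (s, f(s))               # Rule H(4): r = f(s)
        return self.hlist[m][1]

    def Sign(self, m):
        self.H(m)
        s, _ = self.hlist[m]
        if s is None:
            # the c-th message was guessed to be the forgery target; it cannot
            # be signed without f^{-1}, so the guess was wrong: abort (game G2)
            raise RuntimeError("abort: wrong guess of c")
        self.signed.add(m)
        return s                                        # Rule S(5)


def reduction_B(y, adversary, q_total, c=None):
    """Run adversary(H, Sign) against the simulated oracles. Returns a preimage
    of y under f when the forgery lands on the c-th hashed message, else None.
    c is drawn uniformly from {1, ..., q_total} unless the caller fixes it."""
    if c is None:
        c = 1 + secrets.randbelow(q_total)
    sim = Simulator(y, c)
    try:
        m_forged, sigma = adversary(sim.H, sim.Sign)
    except RuntimeError:
        return None
    # verifying the forgery hashes m' itself: this is the "+1" in q_H + q_S + 1
    if m_forged in sim.signed or f(sigma) != sim.H(m_forged):
        return None                                     # not a valid new forgery
    return sigma if sim.H(m_forged) == y else None      # preimage only if c == c'


def cheating_forger(H, Sign):
    """Hypothetical forger used only to exercise the reduction: it knows the
    trapdoor D, which a real adversary does not. Two hash queries, one signing
    query, then a forgery on the message hashed second."""
    H(b"first")
    H(b"second")
    Sign(b"first")
    return b"second", f_inv(H(b"second"))


if __name__ == "__main__":
    assert fdh_verify(b"hello", fdh_sign(b"hello"))
    x_star = secrets.randbelow(N)
    y = f(x_star)
    # q_H = 2, q_S = 1, plus one verification query: four possible values of c
    hits = [reduction_B(y, cheating_forger, 4, c) for c in range(1, 5)]
    print([h == x_star for h in hits])   # only the guess c = c' = 2 recovers x*
```

Running the block shows the loss factor of the theorem concretely: B recovers $x^* = f^{-1}(y)$ only when its guess c hits the query index of the forged message (here 2 out of 4 positions), i.e. with probability $1/(q_H + q_S + 1)$ over the guess, and the simulator performs one forward evaluation of f per hash query and never calls `f_inv`, matching the running time $t + (q_H + q_S) T_f$.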

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: if one can break the scheme in time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h, q_s$ queries. Inverting f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme $\mathcal{AS} = (\mathsf{K}, \mathsf{E}, \mathsf{D})$:

$b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathsf{K}(\cdot)$

The Challenger gives $k_e$ to the Adversary. The Adversary may send ciphertexts c to a decryption oracle, which answers $m \leftarrow \mathsf{D}_{k_d}(c)$ or ⊥; it then chooses $m_0, m_1$ and receives $c^* \leftarrow \mathsf{E}_{k_e}(m_b)$. In CCA1 the decryption queries are allowed only before $c^*$ is received; in CCA2 they are also allowed afterwards, for any $c \ne c^*$. Finally the Adversary outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr[\,(m_0, m_1) \leftarrow A^{\mathsf{D}}(k_e),\ c^* \leftarrow \mathsf{E}_{k_e}(m_b) : b' = b\,]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext $c = \mathsf{E}_{k_e}(m)$, adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr[\, m \xleftarrow{\$} M,\ c \leftarrow \mathsf{E}_{k_e}(m) : A(k_e, c) = m \,]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
  OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
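The indistinguishability games of slides 52 to 54 played against textbook ElGamal, as an added example that is not code from the slides or from ElGamal's paper. It assumes the group $\mathbb{Z}_p^*$ with the Mersenne prime $p = 2^{61} - 1$ and base $g = 3$ (whatever subgroup g generates is enough for the demonstration; the sizes are not secure), and it constructs two adversaries: one that re-encrypts $m_0$ and compares, which is exactly the attack a deterministic scheme loses to but which the randomization of ElGamal defeats, and one that exploits the multiplicativity the slide mentions and wins the IND-CCA2 game every time while the decryption oracle is available.

```python
"""Added example (not from the slides): IND-CPA / IND-CCA2 games for textbook
ElGamal with two constructed adversaries. Parameters are assumed and tiny."""
import secrets

P = (1 << 61) - 1       # prime modulus (assumed)
G = 3                   # base element (assumed); the demo lives in <g>


def keygen():
    x = 1 + secrets.randbelow(P - 2)
    return pow(G, x, P), x              # (public h = g^x, private x)


def encrypt(h, m):
    r = 1 + secrets.randbelow(P - 2)    # fresh randomness on every call
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P      # c2 / c1^x


def ind_game(adversary, cca2):
    """One run of the IND game. With cca2=True the adversary gets a decryption
    oracle that refuses only the challenge c*; with cca2=False there is no
    oracle (IND-CPA). Returns True when the adversary's guess b' equals b."""
    h, x = keygen()
    b = secrets.randbelow(2)
    state = {"challenge": None}

    def dec_oracle(c):
        if not cca2 or c == state["challenge"]:
            return None                          # bottom: no oracle, or c == c*
        return decrypt(x, c)

    m0, m1 = adversary.choose(h)
    state["challenge"] = encrypt(h, (m0, m1)[b])
    return adversary.guess(h, state["challenge"], dec_oracle) == b


class ReencryptAdversary:
    """Re-encrypts m0 and compares with c*. This breaks any deterministic
    scheme (the slide's remark on textbook RSA) but ElGamal's fresh r makes
    the comparison fail, so the guess is no better than a coin flip."""
    def choose(self, h):
        self.m0, self.m1 = 2, 3
        return self.m0, self.m1

    def guess(self, h, c_star, dec):
        return 0 if encrypt(h, self.m0) == c_star else 1


class MalleabilityAdversary:
    """Uses multiplicativity: (c1, c2 * z) is a valid ciphertext of m * z and
    differs from c*, so the CCA2 decryption oracle answers it."""
    def choose(self, h):
        self.m0, self.m1 = 2, 3
        return self.m0, self.m1

    def guess(self, h, c_star, dec):
        z = 5
        c1, c2 = c_star
        m_times_z = dec((c1, (c2 * z) % P))
        if m_times_z is None:
            return secrets.randbelow(2)          # no oracle: nothing to exploit
        m = (m_times_z * pow(z, P - 2, P)) % P   # divide by z
        return 0 if m == self.m0 else 1


def win_rate(adversary, cca2, runs=200):
    """Fraction of games the adversary wins; 0.5 means no advantage."""
    return sum(ind_game(adversary, cca2) for _ in range(runs)) / runs
```

A win rate of 1.0 for `MalleabilityAdversary` under `cca2=True` is the concrete meaning of "not IND-CCA because of multiplicativity"; the same adversary drops to about 0.5 without the oracle, as does `ReencryptAdversary` in either setting, which is what IND-CPA security under DDH predicts for ElGamal.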

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77

f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$

$H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

$\mathsf{E}(m, r)$: compute x, y, then return $c = f(x \,\|\, y)$.

$\mathsf{D}(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP, then check redundancy.

58/77
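The OAEP transform of the slide with the x, y computation spelled out, as an added example (not code from the slides or from Bellare and Rogaway): $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, decryption inverts the two masks and rejects unless the $k_1$ redundancy bits are zero. It assumes byte-aligned sizes $n = 88$, $k_0 = k_1 = 32$ bits (so 24-bit messages), builds G and H from SHA-256 with domain-separation tags, and uses as f a toy RSA permutation over two Mersenne primes whose modulus exceeds $2^{88}$, so every n-bit string is a valid input; none of these sizes is secure.

```python
"""Added example (not from the slides): OAEP padding and unpadding with the
redundancy check, wrapped around a toy RSA permutation f. Sizes are assumed."""
import hashlib
import secrets

N_BYTES, K0, K1 = 11, 4, 4          # n = 88 bits, k0 = k1 = 32 bits
M_LEN = N_BYTES - K0 - K1           # 3-byte messages

P = (1 << 31) - 1                   # Mersenne primes for the toy RSA f
Q = (1 << 61) - 1
MOD = P * Q                         # > 2^88, so x||y < MOD for every n-bit string
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), built from SHA-256 (assumed construction)."""
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]


def H(s):
    """H: {0,1}^(n-k0) -> {0,1}^k0, built from SHA-256 (assumed construction)."""
    return hashlib.sha256(b"H" + s).digest()[:K0]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """x||y for E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x)."""
    assert len(m) == M_LEN and len(r) == K0
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy):
    """Invert OAEP and check the k1 zero bits; None means reject."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    if mz[M_LEN:] != bytes(K1):          # redundancy check
        return None
    return mz[:M_LEN]


def encrypt(m):
    r = secrets.token_bytes(K0)          # fresh k0-bit randomness
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, MOD)


def decrypt(c):
    x = pow(c, D, MOD)
    if x.bit_length() > 8 * N_BYTES:
        return None                      # f^{-1}(c) is not an n-bit string: reject
    return oaep_unpad(x.to_bytes(N_BYTES, "big"))
```

The two rejection paths in `decrypt` are the "check redundancy" step of the slide: a ciphertext that was not produced by `encrypt` either inverts to a value too large to be an n-bit string or, after the masks are removed, fails the $0^{k_1}$ check with probability about $1 - 2^{-k_1}$, which is what makes the decryption oracle of the IND-CCA game useless to an adversary that cannot invert f.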

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H, q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

at most $2^{75}$ operations (t),

at most $2^{55}$ hash ($q_H, q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V: Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI: References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      1 Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      377

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      What Cryptography is about

      Cryptography is the discipline that studies systems (schemesprotocols) that preserve their functionality (their goal) even underthe presence of an active disrupter

      477

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      What Cryptography is about

      Cryptography is the discipline that studies systems (schemesprotocols) that preserve their functionality (their goal) even underthe presence of an active disrupter

      477

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      Classic ProblemsGoals

      Integrity Messages have not been altered

      Authenticity Message comes from sender

      Secrecy Message not known to anybody else

      577

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      Integrity

      Alice wants to be sure that a message has not been modified

      Analogy with mail

      We want to know that the envelope has not been opened

      677

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      Authenticity

      There are two typesCase 1 Bob wants to interactively prove his identity to Alice(eg talking by phone)

      Case 2 Bob wants to prove his identity non-interactively to AliceIf the proof can convice a third party (judge) itrsquos a signature

      777

      Introduction to CryptographyWhat Cryptography is aboutClassic Goals

      Secrecy

      We want to

      1 Store a document

      2 Send a message

      We want

      that no unauthorized person can learn any information aboutthe document (or message)

      877

Cryptography: A Brief History

Until 1918: Ancient history
  Ciphers based on substitution and permutations
  Secrecy = Secrecy of the Mechanism

1918-1975: Technical period, cipher machines (Enigma)
  Fast automated permutations and substitutions

1976: Modern Cryptography
  Given a scheme, use assumptions (e.g., one-way functions) to show evidence of security (a proof)

Part II

Provable Security

Provable Security
  Provable Security: The Short Story
  The need for Provable Security

Provable Security: The Short Story

Originated in the late 80's
  Encryption [Goldwasser, Micali 84]
  Signatures [Goldwasser, Micali, Rivest 88]

Popular using ideal substitutes
  Random oracles vs hash functions [Fiat, Shamir 86; Bellare-Rogaway 93]
  Generic groups vs elliptic curves [Nechaev 94; Shoup 97]
  Ideal ciphers vs block ciphers [Nechaev 94; Shoup 97]

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04; Paterson et al. 10]

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE)

The need for Provable Security

Common approach to evaluate security: cryptanalysis driven

1 Find an interesting cryptographic goal

2 Propose a solution

3 Search for an attack (i.e., a bug)

4 If one is found, go back to step 2

After many iterations, declare it secure.

Problems:

When do we stop?

Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken.

Provable Security: The Recipe

1 Define the goal of the scheme (or of the adversary)

2 Define the attack model

3 Give a protocol

4 Define complexity assumptions (or assumptions on the primitive)

5 Provide a proof by reduction

6 Verify the proof

7 Interpret the proof

The Need of Computational Assumptions

Consider asymmetric cryptography (Diffie-Hellman 76). An encryption scheme AS $= (K, E, D)$ is composed of three algorithms:

$K$: Key generation

$E$: Encryption

$D$: Decryption

$r' \longrightarrow K \longrightarrow (k_e, k_d)$

$m, r \longrightarrow E_{k_e} \longrightarrow c \longrightarrow D_{k_d} \longrightarrow m \text{ or } \bot$

Unconditional secrecy is not possible

The ciphertext $c = E_{k_e}(m, r)$ is uniquely determined by

The public encryption key $k_e$

The message $m$

The random coins $r$

So at least exhaustive search is possible

⇒ unconditional secrecy is impossible

We need complexity (algorithmic) assumptions


Integer Factoring and RSA

Multiplication vs Factorization

$p, q \to n = p \cdot q$ is easy (quadratic)

$n = p \cdot q \to p, q$ is hard (super-polynomial)

One-way function

RSA Function [Rivest-Shamir-Adleman 78]

The function $f: \mathbb{Z}_n \to \mathbb{Z}_n$ where $n = pq$, for a fixed exponent $e$:

$x \to x^e \bmod n$ (easy, cubic)

$y = x^e \bmod n \to x$ (difficult without $p, q$)

but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known

We measure the advantage of any inverting adversary $A$ by

$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_n^{*},\ y = x^e \bmod n :\ A(y) = x \,\right]$

The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$\mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\}$

Exponentiation Function

The function $\mathrm{DExp}_g: \mathbb{Z}_q \to G$ where $q = |G|$:

$x \to y = g^x$ (easy, cubic)

$y = g^x \to x$ (difficult, super-polynomial)

$\mathrm{Adv}^{\mathrm{dl}}_{g}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q,\ y = g^x :\ A(y) = x \,\right]$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^{*}$

Generalization: One-way functions

One-way Function

The function $f: \mathrm{Dom}(f) \to \mathrm{Rec}(f)$ (from the domain to the range of $f$):

$x \to y = f(x)$ (easy, polynomial-time)

$y = f(x) \to x$ (difficult, for random $x \in \mathrm{Dom}(f)$; at least super-polynomial)

The advantage of an inverting adversary $A$ is thus

$\mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr\left[\, x \xleftarrow{\$} \mathrm{Dom}(f),\ y = f(x) :\ A(y) = x \,\right]$

Resources of $A$:

Running time $t$ (number of operations)

Number & length of queries (if in the random oracle model)
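The exponentiation and discrete-logarithm definitions above, together with the advantage of an inverter whose running time is capped at $t$, in a constructed toy group. This is an added example and not code from the slides: the group $\mathbb{Z}_{1019}^{*}$ with generator 2, and the names `group_order`, `dexp`, `dlog`, `bounded_inverter` and `exact_advantage` are my own choices. Because the group is tiny, the advantage is computed exactly by enumerating every $x \in \mathbb{Z}_q$ rather than by sampling, which makes the resource/advantage relationship ("$t$ operations buy advantage $t/q$ for exhaustive search") visible.

```python
# Added example: the DLog / one-way function definitions in a toy group.
# Constructed parameters: p = 1019 is prime and g = 2 generates all of Z_p^*,
# so q = |<g>| = 1018. Far too small for real use; chosen so that exhaustive
# search finishes instantly and the advantage can be computed exactly.
P, G = 1019, 2


def group_order(g: int, p: int) -> int:
    """q = |<g>|: the smallest q >= 1 with g^q = 1 (mod p), found by walking the cycle."""
    acc, q = g % p, 1
    while acc != 1:
        acc = acc * g % p
        q += 1
    return q


def dexp(g: int, p: int, x: int) -> int:
    """DExp_g: Z_q -> G, x -> g^x. The easy direction (square-and-multiply)."""
    return pow(g, x, p)


def dlog(g: int, p: int, y: int) -> int:
    """DLog_g(y) = min{x >= 0 | y = g^x}, by exhaustive search: the 'at least
    exhaustive search is possible' option, costing up to q group operations."""
    x, acc = 0, 1
    while acc != y:
        acc = acc * g % p
        x += 1
        if x > p:
            raise ValueError("y is not in <g>")
    return x


def bounded_inverter(t: int):
    """An inverting adversary A allowed at most t group operations (the resource
    'running time t' of the slides): exhaustive search cut off after t steps."""
    def A(g: int, p: int, y: int):
        acc = 1
        for x in range(t):
            if acc == y:
                return x
            acc = acc * g % p
        return None  # budget exhausted, A gives up
    return A


def exact_advantage(A, g: int = G, p: int = P) -> float:
    """Adv^dl_g(A) = Pr[x <-$ Z_q, y = g^x : A(y) = x]. The toy group is small enough
    to enumerate every x, so this is the exact probability, not a sample estimate."""
    q = group_order(g, p)
    wins = sum(A(g, p, dexp(g, p, x)) == x for x in range(q))
    return wins / q


if __name__ == "__main__":
    q = group_order(G, P)
    print(f"q = {q}, DLog_2(2^123 mod {P}) = {dlog(G, P, dexp(G, P, 123))}")
    for t in (q // 8, q // 2, q):
        print(f"t = {t:4d} operations -> Adv = {exact_advantage(bounded_inverter(t)):.3f}")
```

Since $g^x$ takes distinct values for $x = 0, \ldots, q-1$, the capped inverter succeeds exactly on the $x < t$ instances, so its advantage is $t/q$: halving the time budget halves the advantage, which is the kind of time/advantage trade-off the later slides on exact security quantify.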

Part III

Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$: public modulus

$e$: public exponent

$d = e^{-1} \bmod \varphi(n)$: private exponent

$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^{*}$

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption

This is a reductionist proof.



Proof by Reduction

Let $P$ be a problem.

Let $A$ be an adversary that breaks the scheme.

Then $A$ can be used to solve $P$:

Instance $I$ of $P$ ──→ [ New algorithm for $P$, which runs the adversary $A$ inside ] ──→ Solution of $I$

If so, we say solving $P$ reduces to breaking the scheme.

Conclusion: if $P$ is intractable, then the scheme is unbreakable.


Provable Security: A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive)

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1 To make precise the algorithmic assumptions (some given)

2 To define the security notions to be guaranteed (next):
  Security goal
  Attack model

3 A reduction

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given $A$ within time $t$ and success probability $\varepsilon$ ⇒ Build an algorithm against $P$ that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

Complexity theory: $T$ polynomial

Exact security: $T$ explicit

Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given $A$ within time $t$ and success probability $\varepsilon$ ⇒ Build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$

Assumption: $P$ is hard = "no polynomial time algorithm"

Reduction: $T$ is polynomial in $t$ and $\varepsilon$

Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough

Not always meaningful, as when analyzing block ciphers



Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1 Trapdoor one-way permutations are enough for secure encryption

2 One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but

the schemes for which these results were originally obtained are rather inefficient

looking into the complexity of the reduction may give us some insight

Exact Security

Given $A$ which in time $t$ breaks the scheme with probability $\varepsilon$ ⇒ Build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$

Assumption: solving $P$ requires $N$ operations (say, time $\tau$)

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g., the key sizes)

Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $(t'/\varepsilon')/(t/\varepsilon) = (t' \varepsilon)/(t \varepsilon')$

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions
  Security Notion for Signature Schemes
  Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e., signatures)

How do we come up with a security notion? We need to think and define:

1 Security goal of the scheme (= opposite of the adversary's goal)
  Property that needs to be guaranteed

2 Attack model
  Attack venues: what the adversary can and cannot do
  Leaked information: what the adversary can learn from honest users (often modeled by oracles)


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key $k_v$,

it outputs a pair $m', \sigma'$ of a message and its signature

such that the following probability is large:

$\Pr\left[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,\right]$

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} K(\cdot)$

The Adversary receives $k_v$; the Signing Oracle receives $k_s$.

Adversary ──$m$──→ Signing Oracle: $\sigma \leftarrow \mathrm{Sign}(k_s, m)$

Adversary ←──$\sigma$── Signing Oracle (repeated for as many queries as the Adversary wants)

Finally the Adversary outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr\left[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,\right]$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^{*} \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$

The same query asked twice receives the same answer twice

But for the actual scheme, $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use

1 Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2 Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

$K$: Key Generation returns $(f, f^{-1})$ where
  Public key: $f: X \to X$, a trapdoor one-way permutation onto $X$
  Private key: $f^{-1}$

$S$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$

$V$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$
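The FDH scheme just defined, instantiated with $f =$ RSA and run inside the EUF-CMA experiment of the earlier slide, as an added example (not code from the slides or from Bellare-Rogaway). `keygen`, `sign`, `verify`, `EufCmaExperiment` and the two adversaries are my own names; $p = 61$, $q = 53$, $e = 17$ is a constructed toy key; and SHA-256 reduced modulo $n$ stands in for a real full-domain hash. The experiment records which messages the signing oracle has signed, so a replayed signature is rejected as "not new" even though $\mathrm{Vf}$ accepts it.

```python
import hashlib
import secrets

# Added example: RSA-FDH with the EUF-CMA experiment from the slides.
# Constructed toy key: p = 61, q = 53 (n = 3233), e = 17. Toy sizes only, so the
# arithmetic is readable; the real scheme needs a modulus of thousands of bits.
P, Q, E = 61, 53, 17


def keygen(p: int = P, q: int = Q, e: int = E):
    """K: returns the public description of f, (n, e), and the trapdoor (n, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # d = e^-1 mod phi(n)
    return (n, e), (n, d)


def full_domain_hash(n: int, m: bytes) -> int:
    """H: {0,1}* -> Z_n. A toy stand-in for a full-domain hash; real FDH expands
    the digest to the size of n so that the output covers all of Z_n uniformly."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n


def sign(sk, m: bytes) -> int:
    """S: sigma <- f^-1(H(m)), i.e. H(m)^d mod n."""
    n, d = sk
    return pow(full_domain_hash(n, m), d, n)


def verify(pk, m: bytes, sigma: int) -> bool:
    """V: true iff f(sigma) = H(m), i.e. sigma^e mod n == H(m)."""
    n, e = pk
    return pow(sigma, e, n) == full_domain_hash(n, m)


class EufCmaExperiment:
    """The EUF-CMA game: the adversary gets k_v = pk and a signing oracle, and wins
    only with a valid signature on a message it never asked the oracle to sign."""

    def __init__(self, pk, sk):
        self.pk, self.sk = pk, sk
        self.signed = set()  # messages the oracle has signed (q_s of them)

    def signing_oracle(self, m: bytes) -> int:
        self.signed.add(m)
        return sign(self.sk, m)

    def run(self, adversary) -> bool:
        """One run; True iff Vf(k_v, m', sigma') = 1 for a *new* m'."""
        m_prime, sigma_prime = adversary(self.pk, self.signing_oracle)
        return m_prime not in self.signed and verify(self.pk, m_prime, sigma_prime)


def replay_adversary(pk, signing_oracle):
    """Asks for one signature and outputs it again: valid, but m' is not new, so it loses."""
    m = b"transfer 10 to alice"
    return m, signing_oracle(m)


def guessing_adversary(pk, signing_oracle):
    """Outputs a uniformly random sigma on a fresh message: wins with probability about 1/n."""
    n, _ = pk
    return b"transfer 10 to mallory", secrets.randbelow(n)


if __name__ == "__main__":
    pk, sk = keygen()
    m = b"hello"
    print("honest signature verifies:", verify(pk, m, sign(sk, m)))
    print("replay adversary wins:", EufCmaExperiment(pk, sk).run(replay_adversary))
    print("guessing adversary wins:", EufCmaExperiment(pk, sk).run(guessing_adversary))
```

The experiment is the $G_0$ of the game-based proof that follows: the signing oracle is the only place the trapdoor $d$ is used, and the "new $m'$" check is what the reduction later relies on when it refuses to sign the one message whose preimage it does not know.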

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation $f$ (for example, $f =$ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

$T_f$ is the time to compute $f$ (in the forward direction)

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004; Bellare-Rogaway 2004]:

1 Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments

2 All games are in the same probability space

3 The rules on how the view of the game is computed differ

4 Successive games are very similar, typically with slightly different probability distributions

5 $G_0$ is the actual security game (EUF-CMA)

6 $G_5$ is the game for the underlying assumption (OW)

7 We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle $\mathrm{Vf}$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$ for which $\mathrm{Vf}$ returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return $r$. Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List

Signing oracle $S(m)$: $r \leftarrow H(m)$; reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$\mathrm{Vf}$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

Let $c'$ be the index of the first query where message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle by $A$.

If $c \ne c'$ then abort.

Success verification is within the game ⇒ the adversary must query its output message $m'$.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$; otherwise choose $r$ at random. Add the record $(q, \bot, r)$ to H-List.

Since position $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since position $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$

a signature forgery for $y$ gives a preimage for $y$

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$



Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
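To make the five game hops concrete, here is the final game $G_5$ as runnable code, an added example that is not part of the slides or of [Pointcheval 2005]. `reduction_B` is the algorithm $B$: H-List is a dictionary, rule H(4) plants the challenge $y$ at the $c$-th distinct hash query (keeping the preimage $s$ for every other query, which is also how a random oracle is lazily sampled), and rule S(5) answers signing queries from the stored preimages, aborting on the planted message. The forger it runs is a constructed stand-in for an arbitrary successful adversary $A$ (it uses the trapdoor $d$, which $B$ never touches); the toy RSA parameters $n = 3233$, $e = 17$, $d = 2753$ and all function names are my own choices. Running $B$ once per possible guess $c$ shows it recovering $x = f^{-1}(y)$ when $c$ hits the query index of the forged message, which is the $1/(q_H + q_S + 1)$ loss of the theorem (in a group of only 3232 elements a randomly chosen $s$ may occasionally coincide with $x$, so the experiment reports the win count rather than assuming exact equality).

```python
import random

# Added example: the reduction B of game G5, run against a black-box forger.
# Constructed toy trapdoor permutation: RSA with n = 61 * 53 = 3233, e = 17 and
# trapdoor d = 2753. B only ever evaluates f in the forward direction; f_inv is
# used solely by the toy forger that stands in for "some successful adversary A".
N, E, D = 3233, 17, 2753


def f(x: int) -> int:
    return pow(x, E, N)


def f_inv(y: int) -> int:
    return pow(y, D, N)


def reduction_B(y: int, forger, c: int, rng=None):
    """Given the challenge y and a guess c in {1, ..., q_H + q_S + 1}, run the forger
    with simulated H and Sign oracles (rules H(4) and S(5)). Returns a preimage of y,
    or None when the simulation aborts or the guess was wrong."""
    rng = rng if rng is not None else random.Random()
    h_list = {}       # H-List: message -> (s, r) with r = f(s); the planted entry has s = None
    n_queries = [0]   # distinct hash queries so far, including those made via Sign and Vf

    def H(m: bytes) -> int:
        if m in h_list:            # same query twice -> same answer (random oracle)
            return h_list[m][1]
        n_queries[0] += 1
        if n_queries[0] == c:      # Rule H(4), c-th query: plant y, preimage unknown
            h_list[m] = (None, y)
        else:                      # Rule H(4), other queries: choose s first, so f^-1(r) = s is known
            s = rng.randrange(1, N)
            h_list[m] = (s, f(s))
        return h_list[m][1]

    def Sign(m: bytes):
        H(m)                       # a signing query goes through the hash oracle first
        s, _ = h_list[m]
        return s                   # Rule S(5): sigma = s; None means abort (no f^-1 available)

    result = forger(H, Sign)
    if result is None:
        return None
    m_prime, sigma = result
    # Vf(m', sigma): a forgery on the planted message satisfies f(sigma) = H(m') = y,
    # so sigma is exactly the preimage B was asked for.
    if H(m_prime) == f(sigma) == y:
        return sigma
    return None


def make_trapdoor_forger(messages, target_index: int, sign_queries):
    """Black-box stand-in for an EUF-CMA forger: hashes q_H messages, requests q_S
    signatures, then forges on messages[target_index] (which must not be signed).
    It forges with the trapdoor, which B never sees; B only treats it as a black box."""
    def forger(H, Sign):
        for m in messages:
            H(m)
        for m in sign_queries:
            if Sign(m) is None:    # the planted message was asked to be signed: abort
                return None
        m_prime = messages[target_index]
        return m_prime, f_inv(H(m_prime))
    return forger


def reduction_experiment(seed: int = 7):
    """Run B once per possible guess c and count how often it recovers x = f^-1(y).
    Returns (wins, q_H + q_S + 1); the forged message is the 6th hash query here."""
    rng = random.Random(seed)
    x = rng.randrange(1, N)
    y = f(x)                                               # the one-wayness challenge
    messages = [f"m{i}".encode() for i in range(8)]        # q_H = 8 direct hash queries
    sign_queries = messages[:2]                            # q_S = 2 signing queries, not on the target
    forger = make_trapdoor_forger(messages, target_index=5, sign_queries=sign_queries)
    q_total = len(messages) + len(sign_queries) + 1
    wins = sum(reduction_B(y, forger, c, rng) == x for c in range(1, q_total + 1))
    return wins, q_total


if __name__ == "__main__":
    wins, total = reduction_experiment()
    print(f"B recovered the preimage in {wins} of {total} guesses (expected about 1/{total})")
```

The time bound of the theorem is visible in the code as well: apart from running the forger, $B$ does one forward evaluation of $f$ per fresh hash query, whether it came from the forger directly or through the signing oracle, which is the $(q_H + q_S) \cdot T_f$ term.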

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation $f$ (for example, $f =$ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

$T_f$ is the time to compute $f$ (in the forward direction)

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

The result now says:

Interpreting the Result

If one can break the scheme within time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known algorithm, the Number Field Sieve (NFS)) for $f =$ RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits
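The key-size computation of the last two slides, carried out in code as an added example (not from the slides). The adversary budget $t = 2^{75}$, $q_h = 2^{55}$, $q_s = 2^{30}$, the cubic estimate $T_f = k^3$ and the NFS costs are the figures quoted above from [Lenstra-Verheul 2000]; the function names are my own. The verdict rule is the one the slides apply: the reduction rules out a $t$-time forger only when the inverter it yields, running in time $t'$, would be at least as fast as the best known factoring attack.

```python
import math

# Added example: turning the exact-security bound into a minimum key size.
# Resource limits and NFS costs (log2 operations) are the figures quoted in the
# slides (NFS costs from Lenstra-Verheul 2000); the function names are my own.
T_ADV, Q_H, Q_S = 2 ** 75, 2 ** 55, 2 ** 30
NFS_COST_LOG2 = {512: 58, 1024: 80, 2048: 111, 4096: 149, 8192: 201}


def t_forward(k: int) -> int:
    """T_f: cost of one forward RSA evaluation, taken as k^3 operations for a
    k-bit modulus with small e (the cubic estimate used in the slides)."""
    return k ** 3


def inversion_bound(k: int, t: int = T_ADV, q_h: int = Q_H, q_s: int = Q_S) -> int:
    """Bellare-Rogaway bound: a forger running in time t yields an inverter for f
    running in time t' <= (q_h + q_s + 1) * (t + (q_h + q_s) * T_f)."""
    return (q_h + q_s + 1) * (t + (q_h + q_s) * t_forward(k))


def inversion_bound_log2(k: int) -> float:
    """log2 of the inverter's running time, for comparison with the NFS table."""
    return math.log2(inversion_bound(k))


def is_secure_size(k: int) -> bool:
    """The reduction is meaningful only if the inverter it yields would beat the
    best known attack, i.e. if t' is at most the NFS cost for a k-bit modulus."""
    return inversion_bound_log2(k) <= NFS_COST_LOG2[k]


def min_secure_size() -> int:
    """Smallest tabulated modulus size for which the bound rules out the forger."""
    return min(k for k in NFS_COST_LOG2 if is_secure_size(k))


if __name__ == "__main__":
    for k in sorted(NFS_COST_LOG2):
        verdict = "ok" if is_secure_size(k) else "bound too weak"
        print(f"{k:5d} bits: t' <= 2^{inversion_bound_log2(k):.1f}, "
              f"NFS 2^{NFS_COST_LOG2[k]} -> {verdict}")
    print("minimum secure modulus size:", min_secure_size())
```

Because `inversion_bound` takes the adversary budget as parameters, the same code answers the practitioner's question in the other direction as well: with a fixed modulus size, how many signing or hash queries can be allowed before the bound stops being meaningful.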

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

(here $e$ is the base of the natural logarithm, not the RSA exponent) where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h, q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits

Security Notions: Encryption Schemes

Problem: secrecy (i.e., encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: indistinguishability (semantic security). Informally: given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if it chose the two messages itself. (slide 52/77)

Attack Model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of its choice (in the public-key setting it can do so on its own with the encryption key).
- Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of its choice except one specific ciphertext, called the challenge. This is the strongest attack. (slide 53/77)

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the challenger and the adversary is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; the encryption key $k_e$ is handed to the adversary.
2. Adversary (first phase, CCA1): may query the decryption oracle on any $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$).
3. Adversary: outputs two messages $m_0, m_1$ of the same length.
4. Challenger: computes the challenge $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$ and sends it to the adversary.
5. Adversary (second phase, CCA2 only): may again query the decryption oracle on any $c \ne c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$).
6. Adversary: outputs a guess $b'$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\big[\, (m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' = b \,\big]$$

(indistinguishability against chosen-ciphertext attacks). This probability is to be read against the trivial guessing probability $1/2$: the scheme is broken if it is noticeably above $1/2$ (equivalently, one often normalises the advantage as $2 \cdot \Pr[b' = b] - 1$, so that random guessing scores $0$). (slide 54/77)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- let $m$ be a random message chosen from the message space $\mathcal{M}$;
- from the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is one-way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[\, m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m \,\big].$$

(slide 55/77)

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

- OW-CPA $=$ the RSA problem (modular $e$-th roots).
- It is not IND-CPA (hence not IND-CCA), since it is deterministic: the adversary simply re-encrypts $m_0$ and compares with the challenge.

Discrete-log-based: ElGamal [ElGamal 85]

- OW-CPA $=$ CDH (Computational Diffie-Hellman).
- IND-CPA $=$ DDH (Decisional Diffie-Hellman).
- It is not IND-CCA because of its multiplicativity: a ciphertext of $m$ can be turned into a different ciphertext of $s \cdot m$, which the decryption oracle will answer.

Observation: CDH and DDH are weaker problems than DLog, i.e., no harder to solve (DDH reduces to CDH, which reduces to DLog), so assuming them hard is a stronger assumption than assuming DLog hard. (slide 56/77)
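The two failures just listed, played inside the IND-CCA game of slide 54, as an added example that is not part of the slides: against textbook RSA the adversary wins without any decryption query, because encryption is deterministic; against ElGamal it wins with a single decryption query on $(c_1, s \cdot c_2) \ne c^*$, which decrypts to $s \cdot m_b$. The parameters (two small RSA primes, a small safe prime for ElGamal) are toy values constructed for this example and are far too small for real use.

```python
"""Added example, not part of the slides: the IND-CCA game of slide 54 against
(1) textbook RSA (won with no oracle query: determinism) and (2) ElGamal (won
with one query on (c1, s*c2) != c*: multiplicativity).  Toy parameters only."""
import secrets


def _is_prime(n):                           # trial division, fine for toy sizes
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


# ---- textbook RSA, toy parameters (constructed) ---------------------------
RSA_P, RSA_Q, RSA_E = 1009, 1013, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # d = e^-1 mod phi(n)


def rsa_keygen():
    return (RSA_N, RSA_E), RSA_D


def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)                     # no randomness: same m, same c


def rsa_dec(sk, c):
    return pow(c, sk, RSA_N)


# ---- ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 (constructed) -----
EG_P, EG_Q, EG_G = 10007, 5003, 4           # safe prime; 4 = 2^2 generates the subgroup
assert all(map(_is_prime, (RSA_P, RSA_Q, EG_P, EG_Q))) and EG_P == 2 * EG_Q + 1


def eg_keygen():
    x = 1 + secrets.randbelow(EG_Q - 1)
    return pow(EG_G, x, EG_P), x            # (h = g^x, x)


def eg_enc(pk, m):
    r = 1 + secrets.randbelow(EG_Q - 1)
    return pow(EG_G, r, EG_P), (m * pow(pk, r, EG_P)) % EG_P


def eg_dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, -sk, EG_P)) % EG_P


class IndCcaGame:
    """Challenger of slide 54: publishes k_e, answers D_{k_d}(c) for c != c*,
    and finally checks the adversary's guess b'."""

    def __init__(self, keygen, enc, dec):
        self.pk, self.sk = keygen()
        self._enc, self._dec = enc, dec
        self.b = secrets.randbelow(2)
        self.c_star = None

    def challenge(self, m0, m1):
        self.c_star = self._enc(self.pk, (m0, m1)[self.b])
        return self.c_star

    def decrypt(self, c):
        if c == self.c_star:
            return None                     # the oracle answers ⊥ on the challenge
        return self._dec(self.sk, c)

    def won(self, b_guess):
        return b_guess == self.b


def attack_rsa_ind_cpa(game, m0, m1):
    """Re-encrypt m0 under the public key and compare: no oracle needed."""
    c_star = game.challenge(m0, m1)
    return 0 if rsa_enc(game.pk, m0) == c_star else 1


def attack_elgamal_ind_cca2(game, m0, m1, s=EG_G):
    """(c1, s*c2) != c* is a valid ciphertext of s*m_b; one query recovers m_b."""
    c1, c2 = game.challenge(m0, m1)
    m_times_s = game.decrypt((c1, (s * c2) % EG_P))
    m_b = (m_times_s * pow(s, -1, EG_P)) % EG_P
    return 0 if m_b == m0 else 1


def run_trials(n=50):
    """Wins out of n games for each adversary; both win every time (advantage 1)."""
    rsa_wins = eg_wins = 0
    for _ in range(n):
        g = IndCcaGame(rsa_keygen, rsa_enc, rsa_dec)
        rsa_wins += g.won(attack_rsa_ind_cpa(g, 12345, 54321))
        g = IndCcaGame(eg_keygen, eg_enc, eg_dec)
        eg_wins += g.won(attack_elgamal_ind_cca2(g, 9, 25))   # 9 = 3^2, 25 = 5^2 lie in the subgroup
    return rsa_wins, eg_wins
```

The ElGamal adversary never touches $c^*$ itself, so the oracle's single exclusion does not help: any scheme whose ciphertexts can be transformed into related valid ciphertexts fails IND-CCA2 this way, which is what the OAEP redundancy check on the next slides is designed to stop.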

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

- any trapdoor one-way function yields a OW-CPA encryption scheme;
- OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? By a generic conversion from weakly secure to strongly secure schemes. (slide 57/77)


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation on $\{0,1\}^n$, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with two hash functions (modelled as random oracles)

$$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}, \qquad H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}.$$

- $\mathcal{E}(m, r)$, for $m \in \{0,1\}^{n-k_0-k_1}$ and random $r \in \{0,1\}^{k_0}$: compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.
- $\mathcal{D}(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert the OAEP transform ($r = y \oplus H(x)$, then $m \,\|\, z = x \oplus G(r)$), and check the redundancy $z = 0^{k_1}$, returning $\bot$ if it fails. (slide 58/77)
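The transform above instantiated with $f = $ RSA, as an added example that is not part of the slides. It shows the padding $x = (m \,\|\, 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$, encryption $c = f(x \,\|\, y)$, and a decryption that inverts $f$, undoes the padding and returns $\bot$ when the redundancy check fails, including on a ciphertext malleated the way plain RSA allows. The modulus is a toy built from two known primes so the code runs without a primality test, and $G$ and $H$ are SHA-256-based mask generators; both are assumptions of this example, since the slide leaves $f$, $G$ and $H$ abstract.

```python
"""Added example, not part of the slides: f-OAEP with f = RSA on a toy modulus.
Padding x = (m || 0^k1) xor G(r), y = r xor H(x); c = f(x || y); decryption
inverts f, undoes the padding and returns None (⊥) on a failed redundancy check.
G and H are SHA-256 mask generators chosen here; nothing is sized for real use."""
import hashlib
import secrets

# ---- toy trapdoor permutation f = RSA (constructed parameters) --------------
P, Q = 2**61 - 1, 2**89 - 1               # Mersenne primes; ~150-bit modulus only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x):                                 # forward direction: public
    return pow(x, E, N)


def f_inv(y):                             # needs the trapdoor
    return pow(y, D, N)


# ---- OAEP parameters in bytes: n > k0 + k1, and n-bit strings must be < N -----
N_BYTES, K0, K1 = 18, 4, 4                # 144 bits < |N|, so every x||y is below N
MSG_LEN = N_BYTES - K0 - K1               # 10-byte messages


def _mask(seed, out_len, label):
    """Counter-mode SHA-256 mask (MGF1-style); the label separates G from H."""
    out = b""
    for counter in range((out_len + 31) // 32):
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
    return out[:out_len]


def G(r):                                 # {0,1}^k0 -> {0,1}^(n-k0)
    return _mask(r, N_BYTES - K0, b"G")


def H(x):                                 # {0,1}^(n-k0) -> {0,1}^k0
    return _mask(x, K0, b"H")


def _xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    assert len(m) == MSG_LEN and len(r) == K0
    x = _xor(m + bytes(K1), G(r))         # (m || 0^k1) xor G(r)
    y = _xor(r, H(x))                     # r xor H(x)
    return x + y


def oaep_unpad(xy):
    """Returns m, or None (the slide's ⊥) when the 0^k1 redundancy is wrong."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = _xor(y, H(x))
    padded = _xor(x, G(r))
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    return m if redundancy == bytes(K1) else None


def encrypt(m):
    r = secrets.token_bytes(K0)           # fresh coins: the same m gives a new c
    return f(int.from_bytes(oaep_pad(m, r), "big"))


def decrypt(c):
    if not 0 <= c < N:
        return None
    v = f_inv(c)
    if v >= 1 << (8 * N_BYTES):           # x||y must be an n-bit string
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))


def tamper_rejected(c):
    """c * f(2) (plain RSA's malleability) is a ciphertext of 2*(x||y); the
    padding no longer decodes, so decryption returns ⊥ instead of a related m."""
    return decrypt((c * f(2)) % N) is None
```

The redundancy check is what turns RSA's multiplicativity from an IND-CCA break into a rejected query: the malleated value still inverts under $f$, but the $k_1$ zero bits fail with probability $1 - 2^{-k_1}$. Real deployments use PKCS#1 v2 parameters (hash-length seeds, MGF1 and a label hash) rather than these toy sizes.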

RSA-OAEP

A (good) reduction from a variant of OW-CPA, called partial-domain one-wayness, was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)},$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

With the bounds used before, inverting $f$ can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and

- 1024 bits: $t' \le 2^{133}$, but NFS takes $2^{80}$: no;
- 2048 bits: $t' \le 2^{135}$, but NFS takes $2^{111}$: no;
- 4096 bits: $t' \le 2^{137}$, but NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-OAEP is provably secure (by this reduction) only for keys of at least 4096 bits; the reduction is not tight. Note what "no" means here: the proof does not cover 1024- or 2048-bit keys, but it does not give an attack on them either. (slide 59/77)


Improving the Reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model: the block cipher $E$ is modelled as a family of perfectly random and independent permutations, one for each key. (slide 60/77)

Improving the Reduction: $f$-OAEP++ (cont.)

Advantage bound: the relation between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear (no square root as for OAEP).

As before, suppose the feasible bounds for any adversary attacking $f = $ RSA are

- at most $2^{75}$ operations ($t$), and
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher ($q_E$) queries.

Result: if one can break RSA-OAEP++ in time $t$, one can invert RSA with a $k$-bit modulus in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

- 1024 bits: $t' \le 2^{76}$, but NFS takes $2^{80}$: ok;
- 2048 bits: $t' \le 2^{78}$, but NFS takes $2^{111}$: ok;
- 4096 bits: $t' \le 2^{80}$, but NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more (by this reduction; note that the margin at 1024 bits is only a factor $2^4$, so the conclusion rests on the NFS estimate). (slide 61/77)
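The key-size calculations of slides 49 to 51, 59 and 61 carried out in code, as an added example that is not part of the slides: each function encodes the $t'$ bound exactly as stated on its slide, using the adversary budget of slide 49 ($t = 2^{75}$, $q_h = 2^{55}$, $q_s = 2^{30}$) and the Lenstra-Verheul NFS estimates quoted earlier in the deck, and the minimum modulus is the smallest tabulated size for which $t'$ falls below the NFS cost. The function names and the choice to work in $\log_2$ are this example's own.

```python
"""Added example, not part of the slides: turning an exact-security reduction
into a minimum key size, as slides 49-51, 59 and 61 do by hand.  Every bound is
kept in log2 so that 2^130-sized numbers stay readable."""
import math

# NFS cost estimates (log2 operations), Lenstra-Verheul table quoted in the deck
NFS_LOG2 = {512: 58, 1024: 80, 2048: 111, 4096: 149, 8192: 201}

T, QH, QS = 75, 55, 30                    # log2 of t, q_h, q_s on slide 49


def log2_sum(a, b):
    """log2(2^a + 2^b), keeping the smaller term instead of dropping it."""
    return math.log2(2.0 ** a + 2.0 ** b)


def fdh_bellare_rogaway(k):
    """Slides 49-50: t' <= (qh+qs+1)(t + (qh+qs) T_f) <= 2^130 + 2^110 T_f, T_f = k^3."""
    return log2_sum(QH + T, QH + QH + 3 * math.log2(k))


def fdh_coron(k):
    """Slide 51: t' <= 2^30 t + 2^85 T_f, T_f = k^2."""
    return log2_sum(QS + T, 85 + 2 * math.log2(k))


def rsa_oaep(k):
    """Slide 59: t' <= 2^76 + 6 * 2^110 k^2."""
    return log2_sum(76, math.log2(6) + 110 + 2 * math.log2(k))


def rsa_oaep_pp(k):
    """Slide 61: t' <= t + q_E k^2 <= 2^75 + 2^55 k^2."""
    return log2_sum(T, QH + 2 * math.log2(k))


def min_secure_modulus(t_prime_log2):
    """Smallest tabulated modulus whose NFS cost exceeds the reduction's t'."""
    for k in sorted(NFS_LOG2):
        if t_prime_log2(k) < NFS_LOG2[k]:
            return k
    return None                           # no tabulated size is covered


def margin_bits(t_prime_log2, k):
    """Bits of slack at modulus k: NFS cost minus t' (negative = not covered)."""
    return NFS_LOG2[k] - t_prime_log2(k)


def report():
    """Minimum modulus and its margin for each reduction, keyed by name."""
    out = {}
    for name, fn in [("FDH (Bellare-Rogaway)", fdh_bellare_rogaway),
                     ("FDH (Coron)", fdh_coron),
                     ("RSA-OAEP", rsa_oaep),
                     ("RSA-OAEP++", rsa_oaep_pp)]:
        k = min_secure_modulus(fn)
        out[name] = (k, None if k is None else round(margin_bits(fn, k), 1))
    return out
```

Two things the hand calculation hides: Coron's bound clears 2048 bits by under four bits of margin, and a reduction that misses a key size says nothing about attacks on it; both are reasons to treat these minimums as statements about the proof, not about the scheme.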

Revisiting the Assumptions

Classical assumptions:

- integer factoring;
- discrete logarithm (in finite fields and in elliptic curves);
- modular roots (square roots and $e$-th roots).

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks.

Alternatives (post-quantum cryptography):

- error-correcting codes;
- hash-based schemes;
- systems of multivariate equations;
- lattices. (slide 62/77)

Part V: Concluding Remarks (slide 63/77)

Limits and Benefits of Provable Security

- "Provable security" does not yield unconditional proofs.
- Proofs are relative, both to computational assumptions and to the definition of the scheme's goal.
- Proofs are often done in ideal models (random oracle model, ideal cipher model, generic group model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then one mode attacked [Albrecht 09], then proofs for the other mode in a better model [Paterson et al. 10]. Are we back to the cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11] (slide 64/77)

Limits and Benefits of Provable Security (cont.)

Still, provable security

- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
- is fun :-) (slide 65/77)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- David Pointcheval. Contemporary Cryptology: Provable Security for Public Key Schemes. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser, 2005.
- Phillip Rogaway. On the Role of Definitions in and Beyond Cryptography. Manuscript, available from his web page.
- Mihir Bellare. Practice-Oriented Provable-Security. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks). (slide 66/77)

Part VI: References (slides 67-77/77)

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 30th IEEE Symposium on Security and Privacy, pages 16-26, IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science, Springer-Verlag, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science, Springer-Verlag, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426, Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557-594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20, Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194, Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98, ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (received 18 Mar. 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23, Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: a formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361, Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology, Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - CRYPTO '89, pages 239-252, Springer, Berlin, Heidelberg, New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology - EUROCRYPT '97, pages 256-266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87-100, 2001.


        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        What Cryptography is about

        Cryptography is the discipline that studies systems (schemesprotocols) that preserve their functionality (their goal) even underthe presence of an active disrupter

        477

        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        What Cryptography is about

        Cryptography is the discipline that studies systems (schemesprotocols) that preserve their functionality (their goal) even underthe presence of an active disrupter

        477

        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        Classic ProblemsGoals

        Integrity Messages have not been altered

        Authenticity Message comes from sender

        Secrecy Message not known to anybody else

        577

        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        Integrity

        Alice wants to be sure that a message has not been modified

        Analogy with mail

        We want to know that the envelope has not been opened

        677

        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        Authenticity

        There are two typesCase 1 Bob wants to interactively prove his identity to Alice(eg talking by phone)

        Case 2 Bob wants to prove his identity non-interactively to AliceIf the proof can convice a third party (judge) itrsquos a signature

        777

        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        Secrecy

        We want to

        1 Store a document

        2 Send a message

        We want

        that no unauthorized person can learn any information aboutthe document (or message)

        877

        Introduction to CryptographyWhat Cryptography is aboutClassic Goals

        Cryptography A Brief History

        Until 1918 Ancient history

        Ciphers based on sustitution and permutationsSecrecy = Secrecy of the Mechanism

        1918-1975 Technical period Cipher Machines (Enigma)

        Fast automated permutations and substitutions

        1976 Modern Cryptography

        Given a scheme use assumptions (eg one-way functions) toshow evidence of security (a proof)

        977

        Provable Security

        Part II

        Provable Security

        1077

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        Provably Security The Short Story

        Originated in the late 80rsquos

        Encryption [Goldwasser Micali 84]Signatures [Goldwasser Micali Rivest 88]

        Popular using ideal substitutes

        Random oracles vs hash functions [Fiat Shamir 86Bellare-Rogaway 93]Generic groups vs Eliptic curves [Nechaev 94 Shoup 97]Ideal ciphers vs Block ciphers [Nechaev 94 Shoup 97]

        Proven useful to analyze a complex scheme in terms of theprimitives used in a modular fashion[Bellare-Kohno-Namprempre 04 Paterson et al 10]

        Now a common requirement to support emerging standards(IEEE P1363 ISO Cryptrec NESSIE)

        1177

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        The need for Provable Security

        Common approach to evaluate security Cryptanalysis driven

        1 Found an interesting cryptographic goal

        2 Propose a solution

        3 Search for an attack (ie bug)

        4 If one found go back to step 2

        After many iterations declare it secureProblems

        When do we stop

        Results not always trustworthy

        Chor-Rivest knapsack scheme took 10 years to be totallybroken

        1277

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        Provable Security

        The Recipe

        1 Define goal of scheme (or adversary)

        2 Define attack model

        3 Give a protocol

        4 Define complexity assumptions (or assumptions on theprimitive)

        5 Provide a proof by reduction

        6 Verify proof

        7 Interpret proof

        1377

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        The Need of Computational Assumptions

        Consider asymmetric cryptography (Diffie Hellman 76)An encryption scheme AS = (K E D) is composed by threealgorithms

        K Key generation

        E Encryption

        D Decryption

        r prime minusrarr K minusrarr (ke kd)

        ke kddarr darr

        m minusrarrr minusrarr E minusrarr c minusrarr D minusrarr m or perp

        1477

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        Unconditional secrecy is not possible

        The ciphertext c = Eke (m r) is uniquely determined by

        The public encryption key ke

        The message m

        The random coins r

        So at least exhaustive search is possible

        rArr unconditional secrecy is impossible

        We need complexity (algorithmic) assumptions

        1577

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        Unconditional secrecy is not possible

        The ciphertext c = Eke (m r) is uniquely determined by

        The public encryption key ke

        The message m

        The random coins r

        So at least exhaustive search is possiblerArr unconditional secrecy is impossible

        We need complexity (algorithmic) assumptions

        1577

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        Integer Factoring and RSA

        Multiplication vs Factorization

        p q rarr n = p middot q is easy (cuadratic)

        n = p middot q rarr p q is hard (super-polynomial)

        One-way

        function

        RSA Function [Rivest-Shamir-Adleman 78]

        The function f Zn rarr Zn where n = pq for a fixed exponent e

        x rarr xe mod n (easy cubic)

        y = xe mod n rarr x (difficult without p q)

        but easy x = yd mod n if trapdoor d = eminus1 mod φ(n) is known

        We measure the advantage of any inverting adversary A by

        Advrsane(A) = Pr[

        x$larr Zlowastn y = xe mod n A(y) = x

        ]1677

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        The Discrete Logarithm

        Let G = (〈g〉times) be any finite cyclic groupFor any y isin G we define

        DLogg (y) = min x ge 0 | y = g x

        Exponenciation Function

        The function DExpg Zq rarr G where q = |G |x rarr y = g x (easy cubic)

        y = g x rarr x (difficult super-polynomial)

        Advdlg (A) = Pr[

        x$larr Zq y = g x A(y) = x

        ]

        1777

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        How hard are these problems

        Estimates for integer factorization [Lenstra-Verheul 2000]

        Modulus MIPS-years Operations(bits) (log2) (log2)

        512 13 58

        1024 35 80

        2048 66 111

        4096 104 149

        8192 156 201

        Reasonable estimates for RSA too and lower bounds for DL in Zlowastp

        1877

        Provable SecurityProvably Security The Short StoryThe need for Provable Security

        Generalization One-way functions

        One-way Function

        The function f Dom(f )rarr Rec(f )

        x rarr y = f (x) (easy polynomial-time)

        y = f (x) rarr x (difficult for random x isin Dom(f ) at leastsuper-polynomial)

        The advantage of an inverting adversary A is thus

        Advowf (A) = Pr[

        x$larr Dom(f ) y = f (x) A(y) = x

        ]Resources of A

        Running time t (number of operations)

        Number amp length of queries (if in random oracle model)

        1977

        Part III

        Reductions

        2077

        Algorithmic assumptions are necessary

        Recall that for RSA

        n = pq public modulus

        e public exponent

        d = eminus1 mod φ(n) private exponent

        Ene(m) = me mod n and Dnd(c) = cd mod n

        Underlying hard problem

        Computing m from c = Ene(m) for m$larr Zlowastn

        Easy fact

        If the RSA problem is easy secrecy does not hold anybody (notonly the owner of the trapdoor) can recover m from c

        2177

        But are algorithmic assumptions sufficient

        We want the guarantee that an assumption is enough for security

        For example in the case of encryption

        IF

        an adversary can breakthe secrecy

        rArr

        Then

        we can break theassumption

        This is a reductionist proof

        2277

        But are algorithmic assumptions sufficient

        We want the guarantee that an assumption is enough for security

        For example in the case of encryption

        IF

        an adversary can breakthe secrecy

        rArr

        Then

        we can break theassumption

        This is a reductionist proof

        2277

        But are algorithmic assumptions sufficient

        We want the guarantee that an assumption is enough for security

        For example in the case of encryption

        IF

        an adversary can breakthe secrecy

        rArr

        Then

        we can break theassumption

        This is a reductionist proof

        2277

        Proof by Reduction

        Let P be a problem

        Let A be an adversary that breaks the scheme

        Then A can be used to solve P

        Instance Iof P minusrarr

        New algorithm for P

        Adversary

        A

        Solutionminusrarr of I

        If so we say solving P reduces to breaking the schemeConclusion If P untractable then scheme is unbreakable

        2377

        Proof by Reduction

        Let P be a problem

        Let A be an adversary that breaks the scheme

        Then A can be used to solve P

        Instance Iof P minusrarr

        New algorithm for P

        Adversary

        A

        Solutionminusrarr of I

        If so we say solving P reduces to breaking the schemeConclusion If P untractable then scheme is unbreakable

        2377

        Provable Security

        A misleading name

        Not really proving a scheme secure but showing a reduction fromsecurity of scheme to the security of the underlying assumption (orprimitive)

        rArr Reductionist security

        2477

        Provable Security

        A misleading name

        Not really proving a scheme secure but showing a reduction fromsecurity of scheme to the security of the underlying assumption (orprimitive)

        rArr Reductionist security

        2477

        Provably Secure Scheme

        Before calling a scheme provably secure we need

        1 To make precise the algorithmic assumptions (some given)2 To define the security notions to be guaranteed (next)

        Security goalAttack model

        3 A reduction

        2577

        Complexity-theory vs Exact Security vs Practical

        The interpretation of the reduction matters

        Given

        A within time tsuccessprobability ε

        rArrBuild

        Algorithm against P that runsin time t prime = T (t) with successprobability εprime = R(ε)

        The reduction requires showing T (for simplicity suppose Rdepends only linearly in ε)

        Complexity theory T polynomial

        Exact security T explicit

        Practical security T small (linear)

        Each gives us a way to interpret reduction results

        2677

        Complexity-theory Security

        Given

        A within time tand successprobability ε

        rArrBuild

        Algorithm against P that runsin time t prime = T (t ε)

        Assumption P is hard = ldquono polynomial time algorithmrdquo

        Reduction T is polynomial in t and ε

        Security result There is no polynomial time adversary

        which really means that there is no attack if the parametersare large enough

        Not always meaningful as when analyzing block ciphers

        2777

        Complexity-theory Security

        Given

        A within time tand successprobability ε

        rArrBuild

        Algorithm against P that runsin time t prime = T (t ε)

        Assumption P is hard = ldquono polynomial time algorithmrdquo

        Reduction T is polynomial in t and ε

        Security result There is no polynomial time adversarywhich really means that there is no attack if the parametersare large enough

        Not always meaningful as when analyzing block ciphers

        2777

        Complexity-theory Security

        Given

        A within time tand successprobability ε

        rArrBuild

        Algorithm against P that runsin time t prime = T (t ε)

        Assumption P is hard = ldquono polynomial time algorithmrdquo

        Reduction T is polynomial in t and ε

        Security result There is no polynomial time adversarywhich really means that there is no attack if the parametersare large enough

        Not always meaningful as when analyzing block ciphers

        2777

        Complexity-theory Security Results

        General Results

        Under polynomial reductions against polynomial-time adversaries

        1 Trapdoor one-way permutations are enough for secureencryption

        2 One-way functions are enough for secure signatures

        If only care about feasibility these results close the chapter (nomore problems left) but

        the schemes for which these results were originally obtainedare rather inefficient

        looking into the complexity of the reduction may gives ussome insight

        2877

        Exact Security

        Given

        A which on time tbreaks scheme withprobability ε

        rArrBuild

        Algorithm against P that runsin time t prime = T (t ε) and workswith probability εprime

        Assumption Solving P requires N operations (say time τ)

        Reduction exact cost for T as a function of t ε and otherparameters (eg the key sizes)

        Security result There is no adversary (for scheme) withintime t such that t prime = T (t ε) le τ

        Why useful

        From T (t) le τ we can get bounds on minimal key sizes underwhich the scheme is secure

        2977

        Exact Security

        Given

        A which on time tbreaks scheme withprobability ε

        rArrBuild

        Algorithm against P that runsin time t prime = T (t ε) and workswith probability εprime

        Assumption Solving P requires N operations (say time τ)

        Reduction exact cost for T as a function of t ε and otherparameters (eg the key sizes)

        Security result There is no adversary (for scheme) withintime t such that t prime = T (t ε) le τ

        Why useful

        From T (t) le τ we can get bounds on minimal key sizes underwhich the scheme is secure

        2977

        Measuring the Quality of the Reduction

        How much is lost in the reduction How much of the ldquopowerrdquo ofadversary A breaking the scheme remains in the algorithm breakingthe problem P

        Tightness

        A reduction is tight if t prime asymp t and εprime asymp ε Otherwise if t prime gtgt t orεprime ltlt ε the reduction is not tight

        The tightness gap is (t primeε)(tεprime) = (t primeεprime)(tε)

        We want tight reductions or at least reductions with smalltightness gap

        3077


Part IV

Security Notions

Security Notions (outline: Security Notion for Signature Schemes; Security Notion for Encryption Schemes)

Security Notions: Examples

Problem

Authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion?

We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model: the attack venues (what the adversary can and cannot do) and the leaked information (what the adversary can learn from honest users, often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]. Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$; the adversary receives $k_v$ and may query a signing oracle holding $k_s$: on query $m$ it returns $\sigma \leftarrow \mathrm{Sign}(k_s, m)$. After as many queries as it likes, the adversary outputs a pair $(m', \sigma')$.

$\mathbf{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,]$

(Existential unforgeability under chosen-message attacks.) A message is "new" if it was never submitted to the signing oracle.

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,

block ciphers,

finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \rightarrow \mathrm{Rng}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a uniformly random answer in the range $\mathrm{Rng}(H)$.

The same query asked twice receives the same answer twice.

But in the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows, with $H : \{0,1\}^* \rightarrow X$ a hash function onto the full domain $X$:

$\mathcal{K}$, Key Generation: returns $(f, f^{-1})$ where the public key $f : X \rightarrow X$ is a trapdoor one-way permutation onto $X$ and the private key is $f^{-1}$.

$\mathcal{S}$, Signature of $m$: returns $\sigma \leftarrow f^{-1}(H(m))$.

$\mathcal{V}$, Verification of $(m, \sigma)$: returns true if $f(\sigma) = H(m)$.

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathbf{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathbf{Adv}^{\text{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction): by the sequence of games that follows.


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games (experiments).

2. All games are defined over the same probability space.

3. The rules by which the adversary's view is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle $\mathrm{Vf}$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends its $(m, \sigma)$ here.

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$ for which $\mathrm{Vf}$ returns true".

Clearly $\mathbf{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: keep an initially empty list called H-List. If $(q, r) \in$ H-List, return $r$. Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $\mathcal{S}(m)$: $r \leftarrow H(m)$, then reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$\mathrm{Vf}$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$ (lazy sampling produces exactly the distribution of a random oracle).

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

Let $c'$ be the index of the first query in which the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle.

If $c \ne c'$ then abort.

Since verification is done inside the game, the adversary's output message $m'$ is always queried to the hashing oracle (by the verification oracle at the latest), so $c'$ is well defined and lies in $\{1, \ldots, q_H + q_S + 1\}$. Let GoodGuess be the event $c = c'$; $c$ is chosen independently of $A$'s view, so $\Pr[S_1 \mid \mathrm{GoodGuess}] = \Pr[S_1]$ and

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$; otherwise choose $r$ at random. Add the record $(q, \bot, r)$ to H-List.

Since $y$ is uniformly distributed in $X$ (it is $f(x)$ for a random $x$, and $f$ is a permutation), the answer to the $c$-th query has the same distribution as before: $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, $r = f(s)$ is uniform in $X$ exactly as before: $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The message of the $c$-th hash query is never submitted to the signing oracle in a run that has not already aborted (the forged message $m'$ must be new, so a signed message cannot be the $c'$-th one, and $c = c'$), hence the lookup always finds a preimage and $\Pr[S_5] = \Pr[S_4]$.

Moreover,

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery for $y$ (i.e. $f(\sigma') = H(m') = y$) gives a preimage of $y$.

$\Pr[S_5] = \mathbf{Adv}^{\text{ow}}_{f}(B)$

where $B$ = $G_5$ runs in time $t + (q_S + q_H) \cdot T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathbf{Adv}^{\text{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_0] = \dfrac{1}{q_H + q_S + 1} \times \mathbf{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, successive games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
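The FDH scheme and the simulator $B$ of Game $G_5$, written out as an added Python example (this is not code from the tutorial or from Pointcheval's notes). Assumptions made here: RSA with a toy 92-bit modulus built from two Mersenne primes, $H$ instantiated as SHA-256 reduced mod $n$, and a stand-in "forger" that uses the private key purely so that the simulator has an adversary to run against; `ReductionB`, `make_cheating_forger` and `successful_guesses` are names of this example.

```python
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple

# Toy RSA trapdoor permutation f(x) = x^e mod n, f^{-1}(y) = y^d mod n. The primes are
# constructed test values (two Mersenne primes): a ~92-bit modulus is useless in practice
# and only keeps the example fast; the structure of the reduction is the point.
P, Q, E = (1 << 61) - 1, (1 << 31) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PK, SK = (N, E), (N, D)                    # public key = f, private key = f^{-1}
Key = Tuple[int, int]

def f(pk: Key, x: int) -> int:
    return pow(x, pk[1], pk[0])

def f_inv(sk: Key, y: int) -> int:
    return pow(y, sk[1], sk[0])

def H(n: int, m: bytes) -> int:
    # Toy full-domain hash onto Z_n: SHA-256 reduced mod n (tolerable only because n is
    # far shorter than the digest; real FDH builds H onto Z_n more carefully).
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def fdh_sign(sk: Key, m: bytes) -> int:                  # Sign(m) = f^{-1}(H(m))
    return f_inv(sk, H(sk[0], m))

def fdh_verify(pk: Key, m: bytes, sigma: int) -> bool:   # Vf: f(sigma) == H(m)
    return f(pk, sigma) == H(pk[0], m)

HashOracle = Callable[[bytes], int]
SignOracle = Callable[[bytes], Optional[int]]
Adversary = Callable[[Key, HashOracle, SignOracle], Tuple[bytes, int]]

class ReductionB:
    """Game G5 simulator: answers A's random-oracle and signing queries without f^{-1},
    embedding the one-wayness challenge y as the reply to the c-th new hash query
    (rule H(4)) and signing by table lookup (rule S(5))."""

    def __init__(self, pk: Key, y: int, c: int) -> None:
        self.pk, self.y, self.c = pk, y, c
        self.hlist: Dict[bytes, Tuple[Optional[int], int]] = {}   # q -> (s, r)
        self.signed: Set[bytes] = set()
        self.aborted = False

    def hash_oracle(self, q: bytes) -> int:
        if q not in self.hlist:                        # new query: lazy sampling
            if len(self.hlist) + 1 == self.c:
                self.hlist[q] = (None, self.y)         # c-th query: r <- y, s <- bottom
            else:
                s = secrets.randbelow(self.pk[0])      # s random => r = f(s) uniform
                self.hlist[q] = (s, f(self.pk, s))
        return self.hlist[q][1]

    def sign_oracle(self, m: bytes) -> Optional[int]:
        self.hash_oracle(m)
        s, _ = self.hlist[m]
        if s is None:              # signature asked on the guessed message: wrong guess
            self.aborted = True
            return None
        self.signed.add(m)
        return s                   # f(s) = H(m): a valid signature, made without f^{-1}

    def run(self, adversary: Adversary) -> Optional[int]:
        """Returns x with f(x) = y, or None when the guess c missed."""
        m_forged, sigma = adversary(self.pk, self.hash_oracle, self.sign_oracle)
        if self.aborted or m_forged in self.signed:    # not a fresh forgery
            return None
        r = self.hash_oracle(m_forged)                 # the game's verification query
        return sigma if (r == self.y and f(self.pk, sigma) == self.y) else None

def make_cheating_forger(sk: Key, hash_queries: List[bytes],
                         signing_queries: List[bytes], target: bytes) -> Adversary:
    """Stand-in for a forger so that the simulator has something to run against: after a
    fixed query pattern it 'forges' on target using the private key, which a real
    adversary would not have."""
    def adversary(pk: Key, h: HashOracle, sign: SignOracle) -> Tuple[bytes, int]:
        for q in hash_queries:
            h(q)
        for m in signing_queries:
            sigma = sign(m)
            if sigma is None or f(pk, sigma) != h(m):  # simulated signatures must verify
                return (m, 0)
        return (target, f_inv(sk, h(target)))
    return adversary

def successful_guesses(hash_queries: List[bytes], signing_queries: List[bytes],
                       target: bytes) -> List[int]:
    """Runs B once per guess c in 1..q_h+q_s+1 (queries assumed pairwise distinct) against
    one fixed challenge y = f(x); returns the guesses that recovered a preimage of y."""
    x_secret = secrets.randbelow(N)
    y = f(PK, x_secret)
    total = len(hash_queries) + len(signing_queries) + 1
    wins = []
    for c in range(1, total + 1):
        forger = make_cheating_forger(SK, hash_queries, signing_queries, target)
        x = ReductionB(PK, y, c).run(forger)
        if x is not None and f(PK, x) == y:
            wins.append(c)
    return wins
```

Running `successful_guesses` over every guess $c$ makes the $1/(q_h + q_s + 1)$ loss concrete: exactly one of the $q_h + q_s + 1$ guesses (the index of the forged message's first hash query, or $q_h + q_s + 1$ if it is first hashed by the verification step) yields a preimage; a guess that lands on a message later sent to the signing oracle aborts, as in Game $G_5$, and every signature the simulator hands out verifies under the simulated oracle, so the adversary cannot tell the simulation from the real game.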

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathbf{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathbf{Adv}^{\text{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible resource bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathbf{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathbf{Adv}^{\text{ow}}_{f}(B)$, with $B$ running in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$ (the factor $q_h + q_s + 1$ converts the advantage loss into time: $B$ is repeated until its $1/(q_h + q_s + 1)$ success chance pays off).

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations, where $k = |n|$ is the modulus size and $e$ is small.

We compare it with the known cost of inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for $f$ = RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is (provably) secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathbf{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathbf{Adv}^{\text{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries (here $e \approx 2.718$ is Euler's number, not the RSA exponent). So inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption).

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext, since the encryption key is public.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if it chose the messages itself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of its choice (in the public-key setting, simply by using the public key).

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of its choice, except one specific ciphertext (called the challenge). Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$:

The challenger picks $b \xleftarrow{\$} \{0, 1\}$ and $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$, and gives $k_e$ to the adversary.

The adversary may query a decryption oracle $m \leftarrow \mathcal{D}_{k_d}(c)$ (which returns $m$ or $\bot$), then outputs two messages $m_0, m_1$ and receives the challenge $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$.

CCA1: decryption queries are allowed only before the challenge is issued.

CCA2: decryption queries are also allowed after the challenge, on any $c \ne c^*$.

Finally the adversary outputs a guess $b'$.

$\mathbf{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr[\,(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' \leftarrow A^{\mathcal{D}}(c^*) : b' = b\,]$

(Indistinguishability against chosen-ciphertext attacks.)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathbf{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr[\,m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\,]$

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA ⇔ RSA problem (modular $e$-th roots). It is not IND-CPA (nor IND-CCA), since it is deterministic: the adversary can encrypt $m_0$ itself and compare with the challenge.

Discrete-Log-based: ElGamal [ElGamal 85]

OW-CPA ⇔ CDH (Computational Diffie-Hellman). IND-CPA ⇔ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of its multiplicativity: a ciphertext of $m$ can be turned into one of $m \cdot \alpha$ without knowing $m$.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
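The two negative results above, deterministic RSA failing IND-CPA and ElGamal's multiplicativity breaking IND-CCA2, written as adversaries run inside the IND game; this is an added Python example and not part of the tutorial. The group $\mathbb{Z}_p^*$ with $p = 2^{61} - 1$ and $g = 3$, the toy RSA modulus and the messages 1234/5678 are constructed parameters; `ind_game`, `success_rate` and the adversary names belong to this example.

```python
import secrets

# Constructed toy parameters (far too small for real use): the group Z_p^* for the
# Mersenne prime p = 2^61 - 1 with g = 3, and an RSA modulus from two Mersenne primes.
P, G = (1 << 61) - 1, 3
RSA_P, RSA_Q, RSA_E = (1 << 61) - 1, (1 << 31) - 1, 65537

class ElGamal:
    """Textbook ElGamal over Z_p^*: IND-CPA under DDH, but homomorphic in the message."""
    def keygen(self):
        x = secrets.randbelow(P - 2) + 1
        return pow(G, x, P), x                          # pk = h = g^x, sk = x
    def encrypt(self, h, m):
        r = secrets.randbelow(P - 2) + 1
        return (pow(G, r, P), m * pow(h, r, P) % P)     # (g^r, m * h^r)
    def decrypt(self, x, c):
        c1, c2 = c
        return c2 * pow(pow(c1, x, P), -1, P) % P       # c2 / c1^x

class TextbookRSA:
    """Deterministic RSA: OW-CPA under the RSA assumption, but not IND-CPA."""
    def keygen(self):
        n = RSA_P * RSA_Q
        d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
        return (n, RSA_E), (n, d)
    def encrypt(self, pk, m):
        return pow(m, pk[1], pk[0])
    def decrypt(self, sk, c):
        return pow(c, sk[1], sk[0])

def ind_game(scheme, adversary, cca2):
    """One run of IND-CPA (cca2=False) or IND-CCA2 (cca2=True). The adversary gets the
    public key, a one-shot challenge oracle and a decryption oracle that refuses c*.
    Returns True iff its guess equals the challenger's bit b."""
    pk, sk = scheme.keygen()
    b = secrets.randbelow(2)
    state = {"c_star": None}
    def challenge(m0, m1):
        state["c_star"] = scheme.encrypt(pk, (m0, m1)[b])
        return state["c_star"]
    def decrypt(c):
        if not cca2 or c == state["c_star"]:   # no oracle under CPA; never decrypt c*
            return None
        return scheme.decrypt(sk, c)
    return adversary(pk, scheme, challenge, decrypt) == b

M0, M1 = 1234, 5678   # constructed challenge messages, in Z_p^* and below the RSA modulus

def elgamal_malleability_adversary(pk, scheme, challenge, decrypt):
    """CCA2 attack: doubling the second component gives (c1, 2*c2), an encryption of
    2*m_b under the same r that differs from c*, so the oracle decrypts it."""
    c1, c2 = challenge(M0, M1)
    m2 = decrypt((c1, 2 * c2 % P))
    if m2 is None:                              # oracle unavailable (CPA game): blind guess
        return secrets.randbelow(2)
    m = m2 * pow(2, -1, P) % P
    return 0 if m == M0 else 1

def rsa_determinism_adversary(pk, scheme, challenge, decrypt):
    """CPA attack on a deterministic scheme: re-encrypt m0 and compare with c*."""
    c_star = challenge(M0, M1)
    return 0 if scheme.encrypt(pk, M0) == c_star else 1

def success_rate(scheme, adversary, cca2, trials=200):
    """Fraction of runs in which the adversary guesses b; 0.5 means no advantage."""
    return sum(ind_game(scheme, adversary, cca2) for _ in range(trials)) / trials
```

The same malleability adversary run without the decryption oracle (the CPA game) is reduced to guessing, which is the IND-CPA guarantee ElGamal keeps under DDH; with the oracle it wins every run, and the textbook RSA distinguisher wins every run even without any oracle.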

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So how do we obtain IND-CCA?

Generic conversions from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$

$H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute $x, y$ (the OAEP padding of $m$ with randomness $r$), then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy (reject if it fails).
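The padding step the slide leaves to its figure, written out as an added Python example (not code from the tutorial): the Bellare-Rogaway transform $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$, and its inverse with the redundancy check that lets a decryption oracle reject mauled ciphertexts. The trapdoor permutation $f$ is applied by the caller to the returned $x \| y$; the byte lengths $n = 64$, $k_0 = k_1 = 16$ and the SHA-256-based $G$ and $H$ are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Parameter choice for this example, in bytes (an assumption, not from the tutorial):
# n = 64, k0 = k1 = 16, so a message is n - k0 - k1 = 32 bytes. G and H are built from
# SHA-256 with distinct prefixes so they behave as independent random oracles.
N_BYTES, K0, K1 = 64, 16, 16
MSG_LEN = N_BYTES - K0 - K1

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(r: bytes) -> bytes:
    """G: {0,1}^{k0} -> {0,1}^{n-k0}, counter-mode SHA-256 mask generation."""
    out = b""
    for i in range((N_BYTES - K0 + 31) // 32):
        out += hashlib.sha256(b"OAEP-G" + i.to_bytes(4, "big") + r).digest()
    return out[: N_BYTES - K0]

def H(x: bytes) -> bytes:
    """H: {0,1}^{n-k0} -> {0,1}^{k0}, truncated SHA-256."""
    return hashlib.sha256(b"OAEP-H" + x).digest()[:K0]

def oaep_pad(m: bytes, r: Optional[bytes] = None) -> bytes:
    """x = (m || 0^{k1}) xor G(r),  y = r xor H(x); returns x || y, the n-byte input to f.
    r is k0 fresh random bytes unless supplied (for tests)."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be exactly {MSG_LEN} bytes")
    if r is None:
        r = secrets.token_bytes(K0)
    x = _xor(m + bytes(K1), G(r))
    y = _xor(r, H(x))
    return x + y

def oaep_unpad(xy: bytes) -> Optional[bytes]:
    """Inverse transform applied to f^{-1}(c). Returns None when the k1 zero bytes of
    redundancy fail to check, which is how D rejects malformed or mauled ciphertexts."""
    if len(xy) != N_BYTES:
        return None
    x, y = xy[: N_BYTES - K0], xy[N_BYTES - K0:]
    r = _xor(y, H(x))
    padded = _xor(x, G(r))
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    if not hmac.compare_digest(redundancy, bytes(K1)):   # constant-time compare
        return None
    return m

def tamper_is_rejected(m: bytes, byte_index: int) -> bool:
    """Flip one bit of the padded block and report whether unpadding rejects it: any
    change to x or y re-randomizes the mask, so the redundancy fails (w.h.p.)."""
    xy = bytearray(oaep_pad(m))
    xy[byte_index] ^= 0x01
    return oaep_unpad(bytes(xy)) is None
```

Because the random $r$ enters through $G$, two encryptions of the same message give different $x \| y$ (hence different $c$), which is what removes the determinism that sinks plain RSA; and because a single changed bit of $x \| y$ re-randomizes both masks, a decryption oracle answers $\bot$ on essentially every ciphertext that was not produced honestly.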

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathbf{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathbf{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

So inverting $f$ can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits; the reduction is not tight.


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations (one per key).

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage against $f$-OAEP++ and the OW-CPA advantage against $f$ = RSA is more involved, but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking $f$ = RSA are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
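The key-size arithmetic of the FDH, Coron and RSA-OAEP++ slides, and the tightness gap from Part III, as one added Python example (not code from the tutorial). It takes a reduction's time bound, the slides' adversary resource bounds and the slides' NFS cost figures, and returns the smallest tabulated modulus for which the proof says anything; `minimal_key_size`, `tightness_gap` and the other names are this example's own, and the two $T_f$ cost models ($k^3$ as stated on the FDH slide, $k^2$ as the Coron and OAEP++ tables are consistent with) are taken as the slides use them.

```python
import math
from typing import Callable, Dict, Optional

# log2 of the best known cost of inverting RSA (factoring with the NFS) per modulus size,
# as quoted on the slides. They are inputs to the comparison, not recomputed here.
NFS_LOG2: Dict[int, float] = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources from the slides: 2^75 operations, 2^55 oracle queries
# (hash / ideal-cipher), 2^30 signing queries.
T, QH, QS = 2**75, 2**55, 2**30

# Cost of one forward evaluation T_f of f = RSA for a k-bit modulus. The FDH table uses
# k^3; the Coron and OAEP++ tables are consistent with k^2 (small public exponent).
def tf_cubic(k: int) -> int:
    return k**3

def tf_quadratic(k: int) -> int:
    return k**2

Reduction = Callable[[int, int, int, int], float]

# A reduction maps A's resources (t, q_h, q_s, T_f) to the time t' in which the induced
# algorithm B inverts f with constant probability (advantage loss paid for by repetition).
def fdh_bellare_rogaway(t, qh, qs, tf):
    return (qh + qs + 1) * (t + (qh + qs) * tf)            # loss factor q_h + q_s + 1

def fdh_coron(t, qh, qs, tf):
    return math.e * qs * (t + (qh + qs + 1) * tf)           # loss factor e * q_s

def rsa_oaep_plusplus(t, qh, qs, tf):
    return t + qh * tf                                      # essentially tight; q_E taken = q_h

def inversion_time_log2(reduction: Reduction, tf_model, k: int) -> float:
    """log2 of t' for the slides' adversary bounds and a k-bit modulus."""
    return math.log2(reduction(T, QH, QS, tf_model(k)))

def provably_secure(reduction: Reduction, tf_model, k: int) -> bool:
    """The proof is meaningful at k bits only if t' does not undercut the NFS estimate."""
    return inversion_time_log2(reduction, tf_model, k) <= NFS_LOG2[k]

def minimal_key_size(reduction: Reduction, tf_model) -> Optional[int]:
    """Smallest tabulated modulus size for which the reduction certifies security."""
    for k in sorted(NFS_LOG2):
        if provably_secure(reduction, tf_model, k):
            return k
    return None

def tightness_gap(t: float, eps: float, t_prime: float, eps_prime: float) -> float:
    """(t'/eps') / (t/eps) = (t' * eps) / (t * eps'): 1 means a perfectly tight reduction."""
    return (t_prime * eps) / (t * eps_prime)
```

Any other reduction can be plugged in as a function of the same four arguments; the point of the exercise is that the same hardness estimates yield 4096, 2048 and 1024 bits depending only on how much of the adversary's power the reduction preserves.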

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield absolute proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in idealized models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then (one mode) attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we going around in circles: model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (ACM TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.



Secrecy

We want to:

1. Store a document

2. Send a message

We want that no unauthorized person can learn any information about the document (or message).

Cryptography: A Brief History

Until 1918: Ancient history. Ciphers based on substitution and permutations. Secrecy = Secrecy of the Mechanism.

1918-1975: Technical period. Cipher machines (Enigma). Fast, automated permutations and substitutions.

1976: Modern Cryptography. Given a scheme, use assumptions (e.g. one-way functions) to show evidence of security (a proof).

Part II

Provable Security

Provable Security: The Short Story

Originated in the late 80's: Encryption [Goldwasser Micali 84], Signatures [Goldwasser Micali Rivest 88].

Popular using ideal substitutes: Random oracles vs hash functions [Fiat Shamir 86, Bellare-Rogaway 93]; Generic groups vs elliptic curves [Nechaev 94, Shoup 97]; Ideal ciphers vs block ciphers [Nechaev 94, Shoup 97].

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04, Paterson et al 10].

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE).

The need for Provable Security

Common approach to evaluate security: cryptanalysis driven.

1. Find an interesting cryptographic goal

2. Propose a solution

3. Search for an attack (i.e. a bug)

4. If one is found, go back to step 2

After many iterations, declare it secure. Problems:

When do we stop?

Results not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken.

Provable Security: The Recipe

1. Define the goal of the scheme (or of the adversary)

2. Define the attack model

3. Give a protocol

4. Define complexity assumptions (or assumptions on the primitive)

5. Provide a proof by reduction

6. Verify the proof

7. Interpret the proof

The Need of Computational Assumptions

Consider asymmetric cryptography (Diffie-Hellman 76). An encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is composed of three algorithms:

$\mathcal{K}$: Key generation

$\mathcal{E}$: Encryption

$\mathcal{D}$: Decryption

Diagram: $r' \to \mathcal{K} \to (k_e, k_d)$; then message $m$ and coins $r \to \mathcal{E}_{k_e} \to c \to \mathcal{D}_{k_d} \to m$ or $\bot$.

Unconditional secrecy is not possible

The ciphertext $c = \mathcal{E}_{k_e}(m; r)$ is uniquely determined by:

The public encryption key $k_e$

The message $m$

The random coins $r$

So at least exhaustive search is possible ⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.


Integer Factoring and RSA

Multiplication vs Factorization:

$p, q \to n = p \cdot q$ is easy (quadratic)

$n = p \cdot q \to p, q$ is hard (super-polynomial)

One-way function.

RSA Function [Rivest-Shamir-Adleman 78]

The function $f: \mathbb{Z}_n \to \mathbb{Z}_n$, where $n = pq$, for a fixed exponent $e$:

$x \to x^e \bmod n$ (easy, cubic)

$y = x^e \bmod n \to x$ (difficult without $p, q$), but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known.

We measure the advantage of any inverting adversary $A$ by

$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_n^*;\ y = x^e \bmod n : A(y) = x \,\right]$

The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$\mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\}$

Exponentiation Function

The function $\mathrm{DExp}_g: \mathbb{Z}_q \to G$, where $q = |G|$:

$x \to y = g^x$ (easy, cubic)

$y = g^x \to x$ (difficult, super-polynomial)

$\mathrm{Adv}^{\mathrm{dl}}_{g}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x : A(y) = x \,\right]$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits)   MIPS-years (log2)   Operations (log2)
     512                13                  58
    1024                35                  80
    2048                66                 111
    4096               104                 149
    8192               156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

Generalization: One-way functions

One-way Function

The function $f: \mathrm{Dom}(f) \to \mathrm{Rec}(f)$:

$x \to y = f(x)$ (easy, polynomial-time)

$y = f(x) \to x$ (difficult for random $x \in \mathrm{Dom}(f)$, at least super-polynomial)

The advantage of an inverting adversary $A$ is thus

$\mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr\left[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x) : A(y) = x \,\right]$

Resources of $A$:

Running time $t$ (number of operations)

Number & length of queries (if in the random oracle model)

Part III

Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$: public modulus

$e$: public exponent

$d = e^{-1} \bmod \varphi(n)$: private exponent

$\mathcal{E}_{n,e}(m) = m^e \bmod n$ and $\mathcal{D}_{n,d}(c) = c^d \bmod n$

Underlying hard problem: Computing $m$ from $c = \mathcal{E}_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$

Easy fact: If the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let $P$ be a problem.

Let $A$ be an adversary that breaks the scheme.

Then $A$ can be used to solve $P$:

Diagram: Instance $I$ of $P$ $\to$ [New algorithm for $P$, running adversary $A$ inside] $\to$ Solution of $I$

If so, we say solving $P$ reduces to breaking the scheme. Conclusion: If $P$ is intractable then the scheme is unbreakable.


Provable Security: A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next): security goal, attack model

3. A reduction

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given $A$ within time $t$ and success probability $\varepsilon$ ⇒ Build an algorithm against $P$ that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

Complexity theory: $T$ polynomial

Exact security: $T$ explicit

Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given $A$ within time $t$ and success probability $\varepsilon$ ⇒ Build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$.

Assumption: $P$ is hard = "no polynomial time algorithm"

Reduction: $T$ is polynomial in $t$ and $\varepsilon$

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.


Complexity-theory Security: Results

General Results: under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

Exact Security

Given $A$ which in time $t$ breaks the scheme with probability $\varepsilon$ ⇒ Build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$.

Assumption: Solving $P$ requires $N$ operations (say time $\tau$)

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes)

Security result: There is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$

Why useful? From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness: A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'\varepsilon}{t\varepsilon'} = \dfrac{t'/\varepsilon'}{t/\varepsilon}$.

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite to the adversary's goal): the property that needs to be guaranteed

2. Attack model: Attack venues, what the adversary can and cannot do. Leaked information, what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which he sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser Micali Rivest 1988] Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$. The adversary receives $k_v$ and interacts with a signing oracle holding $k_s$: it sends messages $m$ and gets back $\sigma \leftarrow \mathrm{Sign}(k_s, m)$, repeatedly. Finally the adversary outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,]$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as hash functions, block ciphers and finite groups, are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$

The same query asked twice receives the same answer twice

But for the actual scheme, $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

$\mathcal{K}$: Key generation returns $(f, f^{-1})$ where the public key is $f: X \to X$, a trapdoor one-way permutation onto $X$, and the private key is $f^{-1}$

$\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$

$\mathcal{V}$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction):


Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments

2. All games are in the same probability space

3. The rules on how the view of the game is computed differ

4. Successive games are very similar, typically with slightly different probability distributions

5. $G_0$ is the actual security game (EUF-CMA)

6. $G_5$ is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[\, S_0 \,]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: Create an initially empty list called H-List. If $(q, r) \in$ H-List, return $r$. Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$. Reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[\, S_1 \,] = \Pr[\, S_0 \,]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

$c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$

Let c′ be the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle (by A, by the signing oracle, or by Vf).

If c ≠ c′, then abort.

Since verification is done inside the game, the hash of the output message m′ is always queried, so c′ is well defined; the "+1" accounts for the query made by Vf when A never hashed m′ itself.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \cdot \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \cdot \frac{1}{q_H + q_S + 1}$

(c is drawn independently of A's view, so conditioning on GoodGuess does not change the probability of S1.)


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle. Let y be the challenge for which we want to extract a preimage x under f.

Rule H(3): if this is the c-th query, set r ← y; otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since y is itself uniformly distributed (it is f(x) for a uniform x, and f is a permutation), Pr[S3] = Pr[S2].


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the c-th query, set r ← y and s ← ⊥. Otherwise choose $s \xleftarrow{\$} X$ and compute r ← f(s). Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is uniform, every r is still uniform: Pr[S4] = Pr[S3].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known, so we can simulate the signing oracle without f^{-1}.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

The message of the c-th hash query is the forgery message m′, which cannot be asked to the signing oracle (EUF-CMA does not count a forgery on a message that was signed); so the signing oracle is never asked for the one preimage it does not know, and Pr[S5] = Pr[S4]. Moreover:

- the simulation can be done with (q_S + q_H) evaluations of f;
- a signature forgery for m′ (whose hash value is y) gives a preimage of y under f.

Hence Pr[S5] = Adv^ow_f(B), where B (run G5 and output σ) runs in time t + (q_S + q_H)·T_f.


Exact Security: FDH Sigs & Game-based proofs (conclusion)

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\cdot\Pr[S_1] = \frac{1}{q_H + q_S + 1}\cdot\Pr[S_0] = \frac{1}{q_H + q_S + 1}\cdot\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
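The reduction B of games G1 to G5 is mechanical enough to run. The following is an added example (not code from the slides or from [Pointcheval 2005]): Rule H(4) plants the challenge y at the c-th fresh hash query and records a known preimage s for every other query, Rule S(5) answers signing queries from H-List without f^{-1}, and a valid forgery on the planted message is returned as the preimage. The RSA parameters (n = 3233, e = 17), the SHA-256-mod-n stand-in for the full-domain hash, and the "omniscient" forger that cheats with the trapdoor to play the role of A are all constructed for illustration; `successful_guesses` enumerates every c to make the 1/(q_H + q_S + 1) loss of G2 visible, whereas the real B draws c once at random (`invert`).

```python
"""Toy RSA-FDH and the reduction B of games G1..G5 (added example, toy parameters)."""
import hashlib
import random

# Constructed toy RSA trapdoor permutation f(x) = x^e mod n (insecure size).
P, Q = 61, 53
N = P * Q                              # 3233
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor; only the cheating forger uses it


def f(x):
    """Forward direction: public and cheap (cost T_f)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction f^{-1}; the real signer has D, the reduction B does not."""
    return pow(y, D, N)


def toy_fdh_hash(m):
    """Stand-in for a full-domain hash onto Z_n (toy: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def fdh_sign(m):
    return f_inv(toy_fdh_hash(m))


def fdh_verify(m, sigma, H=toy_fdh_hash):
    return H(m) == f(sigma)


class SignAbort(Exception):
    """Rule S(5) cannot answer: the forger asked for a signature on the guessed message."""


class Reduction:
    """B from game G5: inverts f on y by running a forger against simulated oracles."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.hlist = {}      # message -> (s, r) with r = f(s), except (None, y) at query c
        self.fresh = 0       # number of fresh hash queries so far

    def H(self, m):
        if m in self.hlist:
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:               # Rule H(4): plant the challenge
            s, r = None, self.y
        else:                                  # choose s first, so the preimage is known
            s = self.rng.randrange(1, N)
            r = f(s)
        self.hlist[m] = (s, r)
        return r

    def Sign(self, m):                         # Rule S(5): answer from H-List, no f^{-1}
        self.H(m)
        s, _ = self.hlist[m]
        if s is None:
            raise SignAbort(m)
        return s

    def run(self, forger):
        """Return a preimage of y if the forgery lands on the planted hash value."""
        try:
            m, sigma = forger(self.H, self.Sign)
        except SignAbort:
            return None
        self.H(m)                              # the verification oracle's own hash query (the +1)
        if self.hlist[m][1] == self.y and f(sigma) == self.y:
            return sigma
        return None


def omniscient_forger(H, Sign, messages=(b"m1", b"m2", b"m3"), target=b"m2"):
    """Constructed forger standing in for A: it cheats with the trapdoor D, and it
    asks Sign for every other message so that Rule S(5) is exercised."""
    for m in messages:
        H(m)
    for m in messages:
        if m != target and not fdh_verify(m, Sign(m), H):
            raise RuntimeError("simulated signing oracle returned a bad signature")
    return target, f_inv(H(target))


def run_reduction(y, c, forger, seed=1):
    """One run of B with a fixed guess c (the real B draws c uniformly)."""
    return Reduction(y, c, random.Random(seed)).run(forger)


def successful_guesses(y, forger, q_bound, seed=1):
    """Which guesses c in 1..q_bound succeed: the 1/(q_H + q_S + 1) loss made visible."""
    return [c for c in range(1, q_bound + 1) if run_reduction(y, c, forger, seed) is not None]


def invert(y, forger, q_bound, rng):
    """The actual B: a single uniformly random guess of c."""
    return run_reduction(y, rng.randrange(1, q_bound + 1), forger, rng.randrange(1 << 30))


if __name__ == "__main__":
    x = 1234
    y = f(x)
    print("guesses c that succeed:", successful_guesses(y, omniscient_forger, 3 + 2 + 1))
    print("preimage extracted with c = 2:", run_reduction(y, 2, omniscient_forger), "expected", x)
```

With the forger above (three hash queries, two signing queries, forgery on the second hashed message) only the guess c = 2 succeeds; c = 1 and c = 3 abort because the forger asks the signing oracle for the planted message, exactly the case Rule S(5) cannot answer.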


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA). Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
- T_f is the time to compute f (in the forward direction);
- B runs in time t′ = t + (q_h + q_s)·T_f.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are:

- at most 2^75 operations (t),
- at most 2^55 hash queries (q_h), and
- at most 2^30 signing queries (q_s).

With $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$ and B running in time t′ = t + (q_h + q_s)·T_f, the result now says:

Interpreting the result: if one can break the scheme in time t, then one can invert f within time

t′ ≤ (q_h + q_s + 1)·(t + (q_h + q_s)·T_f) ≤ 2^130 + 2^110·T_f

(the factor (q_h + q_s + 1) turns the advantage loss of the reduction into running time, by repeating B about that many times with fresh coins).


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time t′ ≤ 2^130 + 2^110·T_f.

Recall that T_f = O(k^3) operations if k = |n| and e is small (the estimates below take T_f ≈ k^3).

We compare it with the known cost of inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → t′ ≤ 2^140, but NFS takes 2^80: no
2048 bits → t′ ≤ 2^143, but NFS takes 2^111: no
4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

The guarantee is meaningful only when t′ is below the cost of the best known attack on f; when t′ exceeds it, the reduction says nothing about forgers in the feasible range.

⇒ RSA-FDH is (provably) secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

(here e ≈ 2.718 is the base of the natural logarithm, not the RSA exponent), where B runs in time t′ = t + (q_h + q_s + 1)·T_f if A runs in time t and makes q_h, q_s queries. The loss now depends on q_s only, and signing queries are far more limited than hash queries.

Inverting f can then be done in time t′ ≤ 2^30·t + 2^85·T_f, and

1024 bits → t′ ≤ 2^105, but NFS takes 2^80: no
2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok
4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: secrecy (i.e., encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: indistinguishability (semantic security). Informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he holds the encryption key, so this comes for free).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is given to the adversary.
Adversary (first phase, CCA1 queries): sends ciphertexts c and gets back $m \leftarrow D_{k_d}(c)$ (m or ⊥).
Adversary: chooses $m_0, m_1$ of the same length and sends them to the challenger.
Challenger: $c^* \leftarrow E_{k_e}(m_b)$, sends $c^*$.
Adversary (second phase, CCA2 queries): sends ciphertexts $c \ne c^*$ and gets back $m \leftarrow D_{k_d}(c)$ (m or ⊥).
Adversary: outputs a guess $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr[(m_0, m_1) \leftarrow A^{D}(k_e),\ c^* \leftarrow E_{k_e}(m_b) : b' = b]$

(to be compared with the 1/2 of a blind guess; the usual normalization is $2 \cdot \Pr[b' = b] - 1$, so that a guessing adversary has advantage 0).

(Indistinguishability against chosen-ciphertext attacks.)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let m be a random message chosen from the message space M.
- From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is one-way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with non-negligible probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr[m \xleftarrow{\$} M,\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m]$


Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA problem (modular e-th roots).
- It is not IND-CPA nor IND-CCA, since it is deterministic: the adversary re-encrypts m0 under the public key and compares with the challenge.

Discrete-log based: ElGamal [ElGamal 85]
- OW-CPA = CDH (Computational Diffie-Hellman).
- IND-CPA = DDH (Decisional Diffie-Hellman).
- It is not IND-CCA because of multiplicativity: the challenge can be turned into a different, valid ciphertext of a related message, which the decryption oracle must answer.

Obs: CDH and DDH are no harder than DLog (DDH reduces to CDH, which reduces to DLog), so the DDH assumption is the strongest of the three.
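The two "not IND-CCA" claims above can be checked by actually playing the IND-CCA2 game. The following is an added example, not code from the slides: `ind_cca2_game` is the experiment of the previous slide (decryption oracle available before and after the challenge, refusing only c* itself), `TextbookRSA` and `ElGamal` are toy implementations with constructed, insecure parameters (n = 3233; the order-509 subgroup of squares of Z_1019^*), and the two adversaries win with advantage 1 by re-encryption and by malleability respectively. All names are mine.

```python
"""IND-CCA2 game harness plus adversaries against textbook RSA and ElGamal (added example)."""
import random


class TextbookRSA:
    """Deterministic RSA encryption m -> m^e mod n (constructed 12-bit modulus 61 * 53)."""
    N, E = 3233, 17
    D = pow(E, -1, 60 * 52)

    @classmethod
    def keygen(cls, rng):
        return (cls.N, cls.E), cls.D

    @staticmethod
    def encrypt(pk, m, rng):
        n, e = pk
        return pow(m, e, n)                    # no randomness: same m, same c

    @classmethod
    def decrypt(cls, sk, c):
        return pow(c, sk, cls.N)


class ElGamal:
    """ElGamal in the order-Q subgroup of Z_P^* (constructed safe prime P = 2Q + 1)."""
    P, Q, G = 1019, 509, 4                     # 4 = 2^2 generates the subgroup of squares

    @classmethod
    def keygen(cls, rng):
        x = rng.randrange(1, cls.Q)
        return pow(cls.G, x, cls.P), x

    @classmethod
    def encrypt(cls, pk, m, rng):
        r = rng.randrange(1, cls.Q)
        return pow(cls.G, r, cls.P), m * pow(pk, r, cls.P) % cls.P

    @classmethod
    def decrypt(cls, sk, c):
        c1, c2 = c
        return c2 * pow(pow(c1, sk, cls.P), -1, cls.P) % cls.P


def roundtrip(scheme, m, seed=3):
    """Sanity check that decryption inverts encryption."""
    rng = random.Random(seed)
    pk, sk = scheme.keygen(rng)
    return scheme.decrypt(sk, scheme.encrypt(pk, m, rng))


def ind_cca2_game(scheme, adversary, rng):
    """One run of the IND-CCA2 experiment; True iff the adversary guesses b."""
    pk, sk = scheme.keygen(rng)
    b = rng.randrange(2)
    challenge = []                             # filled once c* exists

    def dec_oracle(c):                         # D_{k_d}, refusing only the challenge itself
        if challenge and c == challenge[0]:
            return None                        # the ⊥ answer for the forbidden query
        return scheme.decrypt(sk, c)

    m0, m1 = adversary.choose(pk, dec_oracle)  # CCA1-phase queries are allowed here
    c_star = scheme.encrypt(pk, (m0, m1)[b], rng)
    challenge.append(c_star)
    return adversary.guess(pk, c_star, dec_oracle) == b   # CCA2-phase queries here


def advantage(scheme, adversary, trials, seed=0):
    """Empirical 2*Pr[b' = b] - 1 over independent runs (about 0 for a blind guesser)."""
    rng = random.Random(seed)
    wins = sum(ind_cca2_game(scheme, adversary, rng) for _ in range(trials))
    return 2 * wins / trials - 1


class ReencryptAdversary:
    """Against a deterministic scheme: re-encrypt m0 under the public key and compare.
    It never touches the decryption oracle, so this is already an IND-CPA break."""
    def choose(self, pk, dec):
        return 4, 9

    def guess(self, pk, c_star, dec):
        return 0 if TextbookRSA.encrypt(pk, 4, None) == c_star else 1


class MalleabilityAdversary:
    """Against ElGamal: (c1, c2 * g) decrypts to g * m_b and differs from c*, so the
    oracle must answer it. One CCA2 query wins outright."""
    def choose(self, pk, dec):
        return 4, 9                            # both squares, i.e. subgroup elements

    def guess(self, pk, c_star, dec):
        c1, c2 = c_star
        m_times_g = dec((c1, c2 * ElGamal.G % ElGamal.P))
        return 0 if m_times_g == 4 * ElGamal.G % ElGamal.P else 1


class BlindGuesser:
    """Baseline that ignores everything; its empirical advantage hovers around 0."""
    def choose(self, pk, dec):
        return 4, 9

    def guess(self, pk, c_star, dec):
        return 0


if __name__ == "__main__":
    print("RSA, re-encryption:", advantage(TextbookRSA, ReencryptAdversary(), 100))
    print("ElGamal, malleability:", advantage(ElGamal, MalleabilityAdversary(), 100))
    print("ElGamal, blind guess:", advantage(ElGamal, BlindGuesser(), 400))
```

The harness refuses exactly one query, the challenge itself; that single restriction is what separates CCA2 from the trivial "decrypt c*" attack, and the ElGamal adversary shows why it is not enough for a malleable scheme.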


Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So how do we obtain IND-CCA? Through generic conversions from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with (random-oracle) hash functions

$G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$
$H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y from m, the random r, G and H, then return c = f(x || y).
D(c): compute x || y = f^{-1}(c), invert the OAEP transform, then check the redundancy (output ⊥ if the check fails).


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time t′ = 2·t + q_H·(2·q_G + q_H)·k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively; k is the modulus size and e is small.

Inverting f = RSA can then be done in time t′ ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no
2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no
4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits; the reduction is not tight (the square root and the q_H·q_G term are what cost the two smaller sizes).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model: consider a block cipher E as a family of perfectly random and independent permutations, one per key.


Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible bounds for any adversary attacking f = RSA are:

- at most 2^75 operations (t),
- at most 2^55 hash queries (q_H, q_G) and ideal-cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + q_E·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok
2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok
4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical assumptions:

- Integer factoring
- Discrete logarithm (in finite fields and in elliptic curves)
- Modular roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys in finite fields, and they are all subject to quantum attacks.

Alternatives: post-quantum cryptography

- Error-correcting codes
- Hash-based schemes
- Systems of multivariate equations
- Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield unconditional proofs:

- Proofs are relative to computational assumptions and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we back to the cycle model, attack, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].


Limits and Benefits of Provable Security (cont.)

Still, provable security:

- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
- is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

Part VI

References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987 (11–15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (not published elsewhere; received 18 Mar. 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

          • Introduction to Provable Security
          • Introduction
            • Introduction to Cryptography
              • What Cryptography is about
              • Classic Goals
                  • Provable Security
                    • Provable Security
                      • Provably Security The Short Story
                      • The need for Provable Security
                          • Reductions
                          • Security Notions
                            • Security Notions
                              • Security Notion for Signature Schemes
                              • Security Notion for Encryption Schemes
                                  • Concluding Remarks
                                    • Concluding Remarks
                                      • References

            Introduction to CryptographyWhat Cryptography is aboutClassic Goals

            Classic ProblemsGoals

            Integrity Messages have not been altered

            Authenticity Message comes from sender

            Secrecy Message not known to anybody else

            577

            Introduction to CryptographyWhat Cryptography is aboutClassic Goals

            Integrity

            Alice wants to be sure that a message has not been modified

            Analogy with mail

            We want to know that the envelope has not been opened

            677

            Introduction to CryptographyWhat Cryptography is aboutClassic Goals

            Authenticity

            There are two typesCase 1 Bob wants to interactively prove his identity to Alice(eg talking by phone)

            Case 2 Bob wants to prove his identity non-interactively to AliceIf the proof can convice a third party (judge) itrsquos a signature

            777

            Introduction to CryptographyWhat Cryptography is aboutClassic Goals

            Secrecy

            We want to

            1 Store a document

            2 Send a message

            We want

            that no unauthorized person can learn any information aboutthe document (or message)

            877

            Introduction to CryptographyWhat Cryptography is aboutClassic Goals

            Cryptography A Brief History

            Until 1918 Ancient history

            Ciphers based on sustitution and permutationsSecrecy = Secrecy of the Mechanism

            1918-1975 Technical period Cipher Machines (Enigma)

            Fast automated permutations and substitutions

            1976 Modern Cryptography

            Given a scheme use assumptions (eg one-way functions) toshow evidence of security (a proof)

            977

            Provable Security

            Part II

            Provable Security

            1077

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            Provably Security The Short Story

            Originated in the late 80rsquos

            Encryption [Goldwasser Micali 84]Signatures [Goldwasser Micali Rivest 88]

            Popular using ideal substitutes

            Random oracles vs hash functions [Fiat Shamir 86Bellare-Rogaway 93]Generic groups vs Eliptic curves [Nechaev 94 Shoup 97]Ideal ciphers vs Block ciphers [Nechaev 94 Shoup 97]

            Proven useful to analyze a complex scheme in terms of theprimitives used in a modular fashion[Bellare-Kohno-Namprempre 04 Paterson et al 10]

            Now a common requirement to support emerging standards(IEEE P1363 ISO Cryptrec NESSIE)

            1177

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            The need for Provable Security

            Common approach to evaluate security Cryptanalysis driven

            1 Found an interesting cryptographic goal

            2 Propose a solution

            3 Search for an attack (ie bug)

            4 If one found go back to step 2

            After many iterations declare it secureProblems

            When do we stop

            Results not always trustworthy

            Chor-Rivest knapsack scheme took 10 years to be totallybroken

            1277

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            Provable Security

            The Recipe

            1 Define goal of scheme (or adversary)

            2 Define attack model

            3 Give a protocol

            4 Define complexity assumptions (or assumptions on theprimitive)

            5 Provide a proof by reduction

            6 Verify proof

            7 Interpret proof

            1377

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            The Need of Computational Assumptions

            Consider asymmetric cryptography (Diffie Hellman 76)An encryption scheme AS = (K E D) is composed by threealgorithms

            K Key generation

            E Encryption

            D Decryption

            r prime minusrarr K minusrarr (ke kd)

            ke kddarr darr

            m minusrarrr minusrarr E minusrarr c minusrarr D minusrarr m or perp

            1477

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            Unconditional secrecy is not possible

            The ciphertext c = Eke (m r) is uniquely determined by

            The public encryption key ke

            The message m

            The random coins r

            So at least exhaustive search is possible

            rArr unconditional secrecy is impossible

            We need complexity (algorithmic) assumptions

            1577

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            Unconditional secrecy is not possible

            The ciphertext c = Eke (m r) is uniquely determined by

            The public encryption key ke

            The message m

            The random coins r

            So at least exhaustive search is possiblerArr unconditional secrecy is impossible

            We need complexity (algorithmic) assumptions

            1577

            Provable SecurityProvably Security The Short StoryThe need for Provable Security

            Integer Factoring and RSA

            Multiplication vs Factorization

            p q rarr n = p middot q is easy (cuadratic)

            n = p middot q rarr p q is hard (super-polynomial)

            One-way

            function

            RSA Function [Rivest-Shamir-Adleman 78]

            The function f Zn rarr Zn where n = pq for a fixed exponent e

            x rarr xe mod n (easy cubic)

            y = xe mod n rarr x (difficult without p q)

            but easy x = yd mod n if trapdoor d = eminus1 mod φ(n) is known

            We measure the advantage of any inverting adversary A by

            Advrsane(A) = Pr[

            x$larr Zlowastn y = xe mod n A(y) = x

            ]1677

The Discrete Logarithm

Let G = (⟨g⟩, ×) be any finite cyclic group. For any y ∈ G we define

DLog_g(y) = min { x ≥ 0 | y = g^x }

Exponentiation Function

The function DExp_g: Z_q → G, where q = |G|:

x → y = g^x (easy, cubic)

y = g^x → x (difficult, super-polynomial)

$$\mathrm{Adv}^{\mathrm{dl}}_{g}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q;\; y = g^x;\; A(y) = x \,\right]$$

17/77

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]

Modulus (bits) | MIPS-years (log2) | Operations (log2)
---------------|-------------------|------------------
512            | 13                | 58
1024           | 35                | 80
2048           | 66                | 111
4096           | 104               | 149
8192           | 156               | 201

Reasonable estimates for RSA too, and lower bounds for DL in Z_p^*

18/77

Generalization: One-way functions

One-way Function

The function f: Dom(f) → Rec(f):

x → y = f(x) (easy, polynomial-time)

y = f(x) → x (difficult for random x ∈ Dom(f), at least super-polynomial)

The advantage of an inverting adversary A is thus

$$\mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr\left[\, x \xleftarrow{\$} \mathrm{Dom}(f);\; y = f(x);\; A(y) = x \,\right]$$

Resources of A:

Running time t (number of operations)

Number & length of queries (if in the random oracle model)

19/77

            Part III

            Reductions

20/77

Algorithmic assumptions are necessary

Recall that for RSA:

n = pq, public modulus

e, public exponent

d = e^{-1} mod φ(n), private exponent

E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n

Underlying hard problem:

Computing m from c = E_{n,e}(m) for m ←$ Z_n^*

Easy fact:

If the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c

21/77

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption

This is a reductionist proof

22/77


Proof by Reduction

Let P be a problem

Let A be an adversary that breaks the scheme

Then A can be used to solve P:

Instance I of P → [ New algorithm for P, running Adversary A ] → Solution of I

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.

23/77


Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive)

⇒ Reductionist security

24/77


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next): security goal, attack model

3. A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters

Given A within time t, success probability ε ⇒ Build an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results

26/77

Complexity-theory Security

Given A within time t and success probability ε ⇒ Build an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough

Not always meaningful, as when analyzing block ciphers

27/77


Complexity-theory Security: Results

General Results

Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient

looking into the complexity of the reduction may give us some insight

28/77

Exact Security

Given A which in time t breaks the scheme with probability ε ⇒ Build an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: Solving P requires N operations (say time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: There is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′ ε) / (t ε′) = (t′/ε′) / (t/ε)

We want tight reductions, or at least reductions with a small tightness gap

30/77


Part IV

Security Notions

31/77

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed

2. Attack model: attack venues, what the adversary can and cannot do; leaked information, what the adversary can learn from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if:

given the verification key k_v,

it outputs a pair (m′, σ′) of a message and its signature

such that the following probability is large:

Pr[ Vf(k_v, m′, σ′) = 1 ]

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which he sees the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given signature scheme Σ = (K, Sign, Vf):

(k_v, k_s) ←$ K(·)

The Adversary receives k_v. It repeatedly sends messages m to the Signing Oracle (which holds k_s) and receives σ ← Sign(k_s, m). Finally, the Adversary outputs (m′, σ′).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr\left[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,\right]$$

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H)

The same query asked twice receives the same answer twice

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^{-1}), where

Public key: f: X → X, a trapdoor one-way permutation onto X. Private key: f^{-1}

S: Signature of m returns σ ← f^{-1}(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

38/77
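The RSA function of the "Integer Factoring and RSA" slide and the FDH scheme just defined, as one added worked example (this is not the slides' code). The primes, the public exponent, and the SHA-256-based construction of the full-domain hash H are assumptions made for illustration; the modulus is deliberately tiny, so factoring it (and hence inverting f) is an easy exhaustive search, which is the "parameters large enough" caveat of the slides in miniature:

```python
"""Toy RSA trapdoor permutation and RSA-FDH signatures (added example).

f(x) = x^e mod n is the trapdoor one-way permutation of the slides; the
trapdoor d = e^{-1} mod phi(n) gives f^{-1}.  The constants are constructed
toy values, not a real key.
"""
import hashlib
from math import gcd

# Constructed toy parameters (assumption: chosen only for illustration).
P, Q = 1000003, 1000033   # two small primes
E = 65537                 # public exponent


def keygen(p=P, q=Q, e=E):
    """Return (public key (n, e), private trapdoor d) for f(x) = x^e mod n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    d = pow(e, -1, phi)   # trapdoor d = e^{-1} mod phi(n)  (needs Python >= 3.8)
    return (n, e), d


def f_forward(pk, x):
    """Forward direction x -> x^e mod n: cheap (cubic in the bit length)."""
    n, e = pk
    return pow(x, e, n)


def f_inverse(pk, d, y):
    """Inverse direction y -> y^d mod n: cheap only with the trapdoor d."""
    n, _ = pk
    return pow(y, d, n)


def fdh_hash(pk, msg: bytes) -> int:
    """Full-domain hash H: {0,1}* -> Z_n (toy construction: SHA-256 reduced mod n).

    The security proof treats H as a random oracle; a real FDH instantiation
    must produce outputs that are (close to) uniform over all of Z_n.
    """
    n, _ = pk
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") % n


def fdh_sign(pk, d, msg: bytes) -> int:
    """S: sigma <- f^{-1}(H(m))."""
    return f_inverse(pk, d, fdh_hash(pk, msg))


def fdh_verify(pk, msg: bytes, sigma: int) -> bool:
    """V: accept iff f(sigma) = H(m)."""
    return f_forward(pk, sigma) == fdh_hash(pk, msg)


def is_permutation_on_sample(pk, d, samples=(0, 1, 2, 12345, 999999)):
    """Check f^{-1}(f(x)) = x on a few points: f is a permutation of Z_n."""
    return all(f_inverse(pk, d, f_forward(pk, x)) == x for x in samples)


if __name__ == "__main__":
    pk, d = keygen()
    sig = fdh_sign(pk, d, b"pay 10")
    print(fdh_verify(pk, b"pay 10", sig))   # True
    print(fdh_verify(pk, b"pay 11", sig))   # False: H(m) changed, f(sigma) did not
```

Verification needs only the public key, which is what makes the scheme publicly verifiable; without the trapdoor d, producing σ for a fresh m means inverting f on H(m), which is exactly the one-wayness assumption the proof reduces to.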

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries

T_f is the time to compute f (in the forward direction)

B runs in time t′ = t + (q_h + q_s) · T_f

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments

2. All games are in the same probability space

3. The rules on how the view of the game is computed differ

4. Successive games are very similar, typically with slightly different probability distributions

5. G0 is the actual security game (EUF-CMA)

6. G5 is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q): Create an initially empty list called H-List. If (q, r) ∈ H-List, return r. Otherwise reply using Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m): r ← H(m). Reply using Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ): r ← H(m). Return true if r = f(σ). The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

c ←$ {1, ..., q_H + q_S + 1}

Let c′ = the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A

If c ≠ c′ then abort

Success verification is within the game ⇒ the adversary must query his output message m′

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): If this is the c-th query, set r ← y and s ← ⊥. Otherwise choose random s ←$ X and compute r ← f(s). Add the record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5): Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4].

Moreover:

the simulation can be done computing (q_S + q_H) evaluations of f

a signature forgery for y gives a preimage of y

Pr[S5] = Adv^ow_f(B)

where B = G5 runs in time t + (q_S + q_H) T_f

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\begin{aligned}
\mathrm{Adv}^{\mathrm{ow}}_{f}(B) &= \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \\
&\ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \\
&\ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] \\
&= \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
\end{aligned}$$

Game-playing proofs: In general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
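The algorithm B that games G1 to G5 describe, written out as code (an added example, not the slides' or Pointcheval's code). B gets a challenge y = f(x) and black-box access to a forger A; it answers A's hash queries by Rule H(4) and its signing queries by Rule S(5), so it never needs f^{-1}, and when its guess c of the forged message's hash-query index is right, the forgery σ satisfies f(σ) = H(m′) = y, i.e. σ is the wanted preimage. The toy RSA constants are constructed; the demo forger holds the trapdoor (an assumed "perfect" adversary), which is the only way to exercise the extraction step against a scheme that is not actually broken; the class and function names are this example's own:

```python
"""Reduction B for FDH in the random oracle model (added example).

B simulates A's EUF-CMA environment (random oracle + signer) without f^{-1}.
Toy RSA constants are constructed values; D is used only by the demo forger.
"""
import random

P, Q, E = 1000003, 1000033, 65537          # constructed toy values
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # trapdoor: demo forger only


def f(x):
    """The one-way permutation f in the forward direction (cost T_f)."""
    return pow(x, E, N)


class SimulationFailed(Exception):
    """The c-th message was asked for signing: the guess was wrong (G2 aborts)."""


class ReductionB:
    def __init__(self, y, q_total, rng, guess=None):
        self.y = y                                   # challenge: find x with f(x) = y
        self.c = guess if guess is not None else rng.randrange(1, q_total + 1)
        self.rng = rng
        self.hlist = {}        # H-List: message -> (s, r); s = None stands for ⊥
        self.fresh = 0         # number of fresh hash queries so far
        self.signed = set()

    def H(self, m):
        """Rule H(4): the c-th fresh query gets y; every other one gets r = f(s)."""
        if m in self.hlist:
            return self.hlist[m][1]                  # same query, same answer
        self.fresh += 1
        if self.fresh == self.c:
            s, r = None, self.y                      # programmed with the challenge
        else:
            s = self.rng.randrange(N)
            r = f(s)                                 # preimage s is known to B
        self.hlist[m] = (s, r)
        return r

    def sign(self, m):
        """Rule S(5): answer from H-List with s = f^{-1}(H(m)), never computing f^{-1}."""
        self.H(m)
        s, _ = self.hlist[m]
        if s is None:              # only f^{-1}(y) would do; a forgery on a new
            raise SimulationFailed # message never asks this when the guess is right
        self.signed.add(m)
        return s

    def run(self, forger):
        """Return x with f(x) = y, or None when the guess c was wrong."""
        try:
            m_forged, sigma = forger(self.H, self.sign)
        except SimulationFailed:
            return None
        r = self.H(m_forged)                         # Vf's own hash query (the "+1")
        if m_forged in self.signed or f(sigma) != r:
            return None                              # not a valid forgery on a new m'
        if self.hlist[m_forged][0] is not None:
            return None                              # m' was not the c-th query
        return sigma                                 # f(sigma) = y, so sigma = x


def demo_forger(H, sign):
    """Assumed perfect forger: 3 hash queries, 1 signing query, then a forgery
    on a never-signed message, computed with the trapdoor D."""
    for m in (b"a", b"b", b"target"):
        H(m)
    sign(b"a")
    return b"target", pow(H(b"target"), D, N)


def invert(y, forger, q_h, q_s, seed=0, guess=None):
    """One run of B on challenge y with a (q_H + q_S + 1)-way guess."""
    return ReductionB(y, q_h + q_s + 1, random.Random(seed), guess).run(forger)


def success_rate(forger, q_h, q_s, trials=200):
    """Empirical Pr[B inverts f]; the bound predicts about Adv(A) / (q_H + q_S + 1)."""
    rng = random.Random(2013)
    hits = 0
    for t in range(trials):
        x = rng.randrange(N)
        hits += invert(f(x), forger, q_h, q_s, seed=t) == x
    return hits / trials
```

With the demo forger (q_H = 3, q_S = 1) the guess has 5 possibilities and only c = 3 leads to extraction, so B succeeds in roughly one run in five: that is the factor q_H + q_S + 1 of the theorem, observed rather than proved. Every other case ends in one of the two ways the games describe: the c-th message is asked for signing (the simulation fails), or the forgery lands on a message whose preimage B already knew (valid, but useless for y).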

Interpreting Exact Security: FDH Signatures

Let's go back to our first result:

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries

T_f is the time to compute f (in the forward direction)

B runs in time t′ = t + (q_h + q_s) · T_f

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are:

at most 2^75 operations (t),

at most 2^55 hash queries (q_h), and

at most 2^30 signing queries (q_s).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

B runs in time t′ = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result

If one can break the scheme within time t, then one can invert f within time t′ ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t′ ≤ 2^130 + 2^110 · T_f

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with the known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t′ ≤ 2^140, but NFS takes 2^80

2048 bits → t′ ≤ 2^143, but NFS takes 2^111

4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits

50/77
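The key-size decision of the last two slides carried out in code, as an added example (not the slides' own). It evaluates the Bellare-Rogaway bound t′ = (q_h + q_s + 1)(t + (q_h + q_s) · T_f) exactly, with the slides' resource bounds, the slides' estimate T_f = k^3 for a k-bit modulus with small e, and the Lenstra-Verheul NFS figures quoted on the slides; a key size is "ok" when the derived inverter would be faster than NFS, since then the assumed forger contradicts the one-wayness assumption. Function names and the rounding-down of log2 t′ are this example's choices:

```python
"""Turning the exact-security bound of RSA-FDH into a key-size decision
(added example, not from the slides)."""
from math import log2

# Adversary resource bounds from the slides.
T_ADV = 1 << 75      # at most 2^75 operations
Q_H = 1 << 55        # at most 2^55 hash queries
Q_S = 1 << 30        # at most 2^30 signing queries

# log2 of the NFS cost of factoring a k-bit modulus (Lenstra-Verheul 2000, as quoted).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def t_f(k_bits):
    """T_f: one forward RSA evaluation, O(k^3) with small e (slides' estimate)."""
    return k_bits ** 3


def inverter_cost(t, q_h, q_s, k_bits):
    """t' of the Bellare-Rogaway reduction, computed as an exact integer."""
    return (q_h + q_s + 1) * (t + (q_h + q_s) * t_f(k_bits))


def inverter_cost_log2(t, q_h, q_s, k_bits):
    """log2(t') rounded down, the way the slides report it (2^140, 2^143, 2^146)."""
    return int(log2(inverter_cost(t, q_h, q_s, k_bits)))


def key_size_ok(k_bits, t=T_ADV, q_h=Q_H, q_s=Q_S):
    """True iff the derived inverter would beat NFS, i.e. no such forger can exist."""
    return inverter_cost(t, q_h, q_s, k_bits) < 2 ** NFS_LOG2[k_bits]


def minimal_secure_key_size(t=T_ADV, q_h=Q_H, q_s=Q_S):
    """Smallest tabulated modulus size for which the bound is meaningful."""
    for k in sorted(NFS_LOG2):
        if key_size_ok(k, t, q_h, q_s):
            return k
    return None


if __name__ == "__main__":
    for k in sorted(NFS_LOG2):
        verdict = "ok" if key_size_ok(k) else "not ok"
        print("%d bits: t' <= 2^%d, NFS takes 2^%d -> %s"
              % (k, inverter_cost_log2(T_ADV, Q_H, Q_S, k), NFS_LOG2[k], verdict))
```

Lowering any of the adversary bounds, or plugging a tighter reduction into `inverter_cost`, moves the crossover point; the function is parametrized so that the effect of the reduction's loss on the required key size can be read off directly.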

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where B runs in time t′ = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t′ ≤ 2^30 · t + 2^85 · T_f, and:

1024 bits → t′ ≤ 2^105, but NFS takes 2^80

2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext

Goal: Indistinguishability (Semantic Security), informal:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is handed to the adversary.

Adversary (given $k_e$): may query the decryption oracle with ciphertexts c and receives $m \leftarrow D_{k_d}(c)$ or ⊥; chooses $m_0, m_1$; receives the challenge $c^* \leftarrow E_{k_e}(m_b)$; finally outputs $b'$.

CCA1: decryption queries ($c \rightarrow m$ or ⊥) are allowed only before the challenge $c^*$ is issued.

CCA2: decryption queries are also allowed after the challenge, for any $c \ne c^*$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr[(m_0, m_1) \leftarrow A^{D}(k_e),\ c^* \leftarrow E_{k_e}(m_b) : b' = b]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext $c = E_{k_e}(m)$, adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr[m \xleftarrow{\$} M,\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m]$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
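The IND-CCA game of the previous slides and the ElGamal remark above, as an added example that is not part of the slides: a Python challenger that enforces the CCA1/CCA2 oracle rules, a toy ElGamal over $\mathbb{Z}_p^*$ with the constructed parameters p = 2^31 - 1 and g = 7, and an adversary that uses the multiplicativity the slide mentions. Under CCA2 it wins every time; under CCA1 the oracle refuses the post-challenge query and the adversary is reduced to guessing.

```python
import secrets

# Constructed toy instance of ElGamal over Z_p^*: p = 2^31 - 1 is prime and 7 generates Z_p^*.
P = 2**31 - 1
G = 7


def keygen():
    """K: private x, public h = g^x mod p; returns (k_e, k_d)."""
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x


def encrypt(ke, m):
    """E_ke(m; y) = (g^y, m * h^y mod p) with fresh random coins y, for m in Z_p^*."""
    y = secrets.randbelow(P - 2) + 1
    return pow(G, y, P), (m * pow(ke, y, P)) % P


def decrypt(kd, c):
    """D_kd(c1, c2) = c2 * c1^(-x) mod p (never fails for c in Z_p^* x Z_p^*)."""
    c1, c2 = c
    return (c2 * pow(c1, -kd, P)) % P


class IndCcaChallenger:
    """The challenger of the IND-CCA game: picks b and the key pair, answers
    decryption queries subject to the attack model, and issues the challenge c*."""

    def __init__(self, model):
        if model not in ("CCA1", "CCA2"):
            raise ValueError(model)
        self.model = model
        self.ke, self.kd = keygen()
        self.b = secrets.randbelow(2)
        self.challenge = None

    def decryption_oracle(self, c):
        """CCA1: no queries once c* is issued. CCA2: any query except c == c*.
        None stands for the answer ⊥."""
        if self.challenge is not None:
            if self.model == "CCA1" or c == self.challenge:
                return None
        return decrypt(self.kd, c)

    def challenge_for(self, m0, m1):
        """Encrypts m_b for the adversary's chosen pair (both in Z_p^*, hence same length)."""
        if not (0 < m0 < P and 0 < m1 < P and m0 != m1):
            raise ValueError("messages must be distinct elements of Z_p^*")
        self.challenge = encrypt(self.ke, (m0, m1)[self.b])
        return self.challenge

    def finish(self, b_guess):
        return b_guess == self.b


def malleability_adversary(chal):
    """A^D(k_e): scaling c2 by k turns c* into a valid encryption of k * m_b that
    differs from c*, so a CCA2 oracle decrypts it and m_b can be read off."""
    m0, m1 = 2, 3
    c1, c2 = chal.challenge_for(m0, m1)
    k = 5
    answer = chal.decryption_oracle((c1, (c2 * k) % P))
    if answer is None:                      # oracle refused (CCA1): reduced to guessing
        return secrets.randbelow(2)
    m_b = (answer * pow(k, -1, P)) % P
    return 0 if m_b == m0 else 1


def success_rate(model, trials=50):
    """Empirical Pr[b' = b] of the adversary above in the given attack model."""
    wins = 0
    for _ in range(trials):
        chal = IndCcaChallenger(model)
        wins += chal.finish(malleability_adversary(chal))
    return wins / trials


def oracle_refuses_after_challenge(model):
    """True iff a post-challenge query on some c != c* is answered with ⊥."""
    chal = IndCcaChallenger(model)
    c1, c2 = chal.challenge_for(2, 3)
    return chal.decryption_oracle((c1, (c2 * 5) % P)) is None
```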

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.
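The f-OAEP transform above, as an added example that is not part of the slides: a Python implementation of E(m, r) and D(c) with x = (m || 0^{k1}) ⊕ G(r) and y = r ⊕ H(x) (the standard OAEP equations, which the slide's figure does not reproduce), G and H built from SHA-256 as stand-ins for the random oracles, and f a constructed toy RSA permutation over the Mersenne primes 2^31 - 1 and 2^61 - 1 (n = 88 bits, k0 = k1 = 32). Decryption returns None for ⊥ whenever the redundancy check fails.

```python
import hashlib
import os

# Constructed toy trapdoor permutation f: RSA with the Mersenne primes 2^31-1 and 2^61-1.
# The modulus is about 2^92, so every 88-bit OAEP block x||y lies below N.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor d = e^{-1} mod phi(n)

N_BYTES, K0, K1 = 11, 4, 4          # n = 88, k0 = 32, k1 = 32 bits (n > k0 + k1)
M_BYTES = N_BYTES - K0 - K1          # 3-byte messages


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0); domain-separated SHA-256 stands in for the random oracle."""
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(block):
    """Invert OAEP and check the k1 redundancy bytes; None stands for ⊥."""
    x, y = block[:N_BYTES - K0], block[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:M_BYTES], padded[M_BYTES:]
    return m if redundancy == bytes(K1) else None


def encrypt(m, r=None):
    """E(m, r): c = f(x || y); r is drawn fresh unless supplied (for reproducible tests)."""
    if len(m) != M_BYTES:
        raise ValueError("message must be exactly %d bytes" % M_BYTES)
    r = os.urandom(K0) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, N)


def decrypt(c):
    """D(c): x || y = f^{-1}(c), then invert OAEP and check the redundancy."""
    v = pow(c, D, N)
    if v.bit_length() > 8 * N_BYTES:     # f^{-1}(c) is not a well-formed n-bit block: ⊥
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))
```

A modified ciphertext passes the redundancy check only with probability about 2^-k1, which is what turns the malleability of plain RSA into a rejected query.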

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting f) can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (the reduction is not tight)


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most $2^{75}$ operations (t)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more
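The key-size arguments for RSA-FDH (Coron's reduction), RSA-OAEP and RSA-OAEP++ above all follow the same recipe: bound the inverter's time t' from the reduction, then compare it with the NFS estimates of the Lenstra-Verheul table. As an added example (not from the slides), the Python below encodes the three bounds exactly as the slides state them, with the slides' assumptions t = 2^75, 2^55 oracle queries and T_f = k^2; it computes exact log2 values rather than the slides' rounded exponents, so individual entries differ by up to a bit while the verdict per modulus size is the same.

```python
import math

# Lenstra-Verheul estimates quoted on the slides: log2 of the NFS work per modulus size.
NFS_LOG2_OPS = {1024: 80, 2048: 111, 4096: 149}

# Adversary resources assumed on the slides: t = 2^75 operations and 2^55 oracle queries.
T_ADV = 2.0 ** 75
Q_ORACLE = 2.0 ** 55


def inverter_time(scheme, k):
    """Upper bound t' on the running time of the RSA inverter B built from an adversary
    against the scheme, as stated on the slides. One RSA operation T_f on a k-bit
    modulus is counted as k^2, the cost the OAEP bounds use."""
    Tf = float(k) ** 2
    if scheme == "RSA-FDH":      # Coron's reduction: t' <= 2^30 t + 2^85 T_f
        return 2.0 ** 30 * T_ADV + 2.0 ** 85 * Tf
    if scheme == "RSA-OAEP":     # t' <= 2^76 + 6 * 2^110 k^2
        return 2.0 ** 76 + 6 * 2.0 ** 110 * Tf
    if scheme == "RSA-OAEP++":   # t' <= t + q_E k^2
        return T_ADV + Q_ORACLE * Tf
    raise ValueError(scheme)


def is_secure_at(scheme, k):
    """The reduction rules out the adversary only if B would beat the best known
    factoring algorithm, i.e. if t' is below the NFS cost for that modulus size."""
    return math.log2(inverter_time(scheme, k)) < NFS_LOG2_OPS[k]


def minimal_secure_modulus(scheme):
    """Smallest modulus size in the table that the reduction actually certifies."""
    for k in sorted(NFS_LOG2_OPS):
        if is_secure_at(scheme, k):
            return k
    return None


def tightness_gap_bits(scheme, k):
    """log2(t'/t): how many bits of the adversary's power the reduction loses."""
    return math.log2(inverter_time(scheme, k)) - math.log2(T_ADV)


def security_table(scheme):
    """Per modulus size: (log2 t', log2 NFS work, verdict), like the tables on the slides."""
    return {k: (round(math.log2(inverter_time(scheme, k)), 1), NFS_LOG2_OPS[k],
                "ok" if is_secure_at(scheme, k) else "no")
            for k in sorted(NFS_LOG2_OPS)}
```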

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now: model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC, ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


              Introduction to CryptographyWhat Cryptography is aboutClassic Goals

              Integrity

              Alice wants to be sure that a message has not been modified

              Analogy with mail

              We want to know that the envelope has not been opened

              677

              Introduction to CryptographyWhat Cryptography is aboutClassic Goals

              Authenticity

              There are two typesCase 1 Bob wants to interactively prove his identity to Alice(eg talking by phone)

              Case 2 Bob wants to prove his identity non-interactively to AliceIf the proof can convice a third party (judge) itrsquos a signature

              777

              Introduction to CryptographyWhat Cryptography is aboutClassic Goals

              Secrecy

              We want to

              1 Store a document

              2 Send a message

              We want

              that no unauthorized person can learn any information aboutthe document (or message)

              877

              Introduction to CryptographyWhat Cryptography is aboutClassic Goals

              Cryptography A Brief History

              Until 1918 Ancient history

              Ciphers based on sustitution and permutationsSecrecy = Secrecy of the Mechanism

              1918-1975 Technical period Cipher Machines (Enigma)

              Fast automated permutations and substitutions

              1976 Modern Cryptography

              Given a scheme use assumptions (eg one-way functions) toshow evidence of security (a proof)

              977

              Provable Security

              Part II

              Provable Security

              1077

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              Provably Security The Short Story

              Originated in the late 80rsquos

              Encryption [Goldwasser Micali 84]Signatures [Goldwasser Micali Rivest 88]

              Popular using ideal substitutes

              Random oracles vs hash functions [Fiat Shamir 86Bellare-Rogaway 93]Generic groups vs Eliptic curves [Nechaev 94 Shoup 97]Ideal ciphers vs Block ciphers [Nechaev 94 Shoup 97]

              Proven useful to analyze a complex scheme in terms of theprimitives used in a modular fashion[Bellare-Kohno-Namprempre 04 Paterson et al 10]

              Now a common requirement to support emerging standards(IEEE P1363 ISO Cryptrec NESSIE)

              1177

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              The need for Provable Security

              Common approach to evaluate security Cryptanalysis driven

              1 Found an interesting cryptographic goal

              2 Propose a solution

              3 Search for an attack (ie bug)

              4 If one found go back to step 2

              After many iterations declare it secureProblems

              When do we stop

              Results not always trustworthy

              Chor-Rivest knapsack scheme took 10 years to be totallybroken

              1277

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              Provable Security

              The Recipe

              1 Define goal of scheme (or adversary)

              2 Define attack model

              3 Give a protocol

              4 Define complexity assumptions (or assumptions on theprimitive)

              5 Provide a proof by reduction

              6 Verify proof

              7 Interpret proof

              1377

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              The Need of Computational Assumptions

              Consider asymmetric cryptography (Diffie Hellman 76)An encryption scheme AS = (K E D) is composed by threealgorithms

              K Key generation

              E Encryption

              D Decryption

              r prime minusrarr K minusrarr (ke kd)

              ke kddarr darr

              m minusrarrr minusrarr E minusrarr c minusrarr D minusrarr m or perp

              1477

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              Unconditional secrecy is not possible

              The ciphertext c = Eke (m r) is uniquely determined by

              The public encryption key ke

              The message m

              The random coins r

              So at least exhaustive search is possible

              rArr unconditional secrecy is impossible

              We need complexity (algorithmic) assumptions

              1577

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              Unconditional secrecy is not possible

              The ciphertext c = Eke (m r) is uniquely determined by

              The public encryption key ke

              The message m

              The random coins r

              So at least exhaustive search is possiblerArr unconditional secrecy is impossible

              We need complexity (algorithmic) assumptions

              1577

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              Integer Factoring and RSA

              Multiplication vs Factorization

              p q rarr n = p middot q is easy (cuadratic)

              n = p middot q rarr p q is hard (super-polynomial)

              One-way

              function

              RSA Function [Rivest-Shamir-Adleman 78]

              The function f Zn rarr Zn where n = pq for a fixed exponent e

              x rarr xe mod n (easy cubic)

              y = xe mod n rarr x (difficult without p q)

              but easy x = yd mod n if trapdoor d = eminus1 mod φ(n) is known

              We measure the advantage of any inverting adversary A by

              Advrsane(A) = Pr[

              x$larr Zlowastn y = xe mod n A(y) = x

              ]1677

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              The Discrete Logarithm

              Let G = (〈g〉times) be any finite cyclic groupFor any y isin G we define

              DLogg (y) = min x ge 0 | y = g x

              Exponenciation Function

              The function DExpg Zq rarr G where q = |G |x rarr y = g x (easy cubic)

              y = g x rarr x (difficult super-polynomial)

              Advdlg (A) = Pr[

              x$larr Zq y = g x A(y) = x

              ]

              1777

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              How hard are these problems

              Estimates for integer factorization [Lenstra-Verheul 2000]

              Modulus MIPS-years Operations(bits) (log2) (log2)

              512 13 58

              1024 35 80

              2048 66 111

              4096 104 149

              8192 156 201

              Reasonable estimates for RSA too and lower bounds for DL in Zlowastp

              1877

              Provable SecurityProvably Security The Short StoryThe need for Provable Security

              Generalization One-way functions

              One-way Function

              The function f Dom(f )rarr Rec(f )

              x rarr y = f (x) (easy polynomial-time)

              y = f (x) rarr x (difficult for random x isin Dom(f ) at leastsuper-polynomial)

              The advantage of an inverting adversary A is thus

              Advowf (A) = Pr[

              x$larr Dom(f ) y = f (x) A(y) = x

              ]Resources of A

              Running time t (number of operations)

              Number amp length of queries (if in random oracle model)

              1977

              Part III

              Reductions

              2077

              Algorithmic assumptions are necessary

              Recall that for RSA

              n = pq public modulus

              e public exponent

              d = eminus1 mod φ(n) private exponent

              Ene(m) = me mod n and Dnd(c) = cd mod n

              Underlying hard problem

              Computing m from c = Ene(m) for m$larr Zlowastn

              Easy fact

              If the RSA problem is easy secrecy does not hold anybody (notonly the owner of the trapdoor) can recover m from c

              2177

              But are algorithmic assumptions sufficient

              We want the guarantee that an assumption is enough for security

              For example in the case of encryption

              IF

              an adversary can breakthe secrecy

              rArr

              Then

              we can break theassumption

              This is a reductionist proof

              2277

              But are algorithmic assumptions sufficient

              We want the guarantee that an assumption is enough for security

              For example in the case of encryption

              IF

              an adversary can breakthe secrecy

              rArr

              Then

              we can break theassumption

              This is a reductionist proof

              2277

              But are algorithmic assumptions sufficient

              We want the guarantee that an assumption is enough for security

              For example in the case of encryption

              IF

              an adversary can breakthe secrecy

              rArr

              Then

              we can break theassumption

              This is a reductionist proof

              2277

              Proof by Reduction

              Let P be a problem

              Let A be an adversary that breaks the scheme

              Then A can be used to solve P

              Instance Iof P minusrarr

              New algorithm for P

              Adversary

              A

              Solutionminusrarr of I

              If so we say solving P reduces to breaking the schemeConclusion If P untractable then scheme is unbreakable

              2377

              Proof by Reduction

              Let P be a problem

              Let A be an adversary that breaks the scheme

              Then A can be used to solve P

              Instance Iof P minusrarr

              New algorithm for P

              Adversary

              A

              Solutionminusrarr of I

              If so we say solving P reduces to breaking the schemeConclusion If P untractable then scheme is unbreakable

              2377

              Provable Security

              A misleading name

              Not really proving a scheme secure but showing a reduction fromsecurity of scheme to the security of the underlying assumption (orprimitive)

              rArr Reductionist security

              2477

              Provable Security

              A misleading name

              Not really proving a scheme secure but showing a reduction fromsecurity of scheme to the security of the underlying assumption (orprimitive)

              rArr Reductionist security

              2477

              Provably Secure Scheme

              Before calling a scheme provably secure we need

              1 To make precise the algorithmic assumptions (some given)2 To define the security notions to be guaranteed (next)

              Security goalAttack model

              3 A reduction

              2577

              Complexity-theory vs Exact Security vs Practical

              The interpretation of the reduction matters

              Given

              A within time tsuccessprobability ε

              rArrBuild

              Algorithm against P that runsin time t prime = T (t) with successprobability εprime = R(ε)

              The reduction requires showing T (for simplicity suppose Rdepends only linearly in ε)

              Complexity theory T polynomial

              Exact security T explicit

              Practical security T small (linear)

              Each gives us a way to interpret reduction results

              2677

              Complexity-theory Security

              Given

              A within time tand successprobability ε

              rArrBuild

              Algorithm against P that runsin time t prime = T (t ε)

              Assumption P is hard = ldquono polynomial time algorithmrdquo

              Reduction T is polynomial in t and ε

              Security result There is no polynomial time adversary

              which really means that there is no attack if the parametersare large enough

              Not always meaningful as when analyzing block ciphers

              2777

              Complexity-theory Security

              Given

              A within time tand successprobability ε

              rArrBuild

              Algorithm against P that runsin time t prime = T (t ε)

              Assumption P is hard = ldquono polynomial time algorithmrdquo

              Reduction T is polynomial in t and ε

              Security result There is no polynomial time adversarywhich really means that there is no attack if the parametersare large enough

              Not always meaningful as when analyzing block ciphers

              2777

              Complexity-theory Security

              Given

              A within time tand successprobability ε

              rArrBuild

              Algorithm against P that runsin time t prime = T (t ε)

              Assumption P is hard = ldquono polynomial time algorithmrdquo

              Reduction T is polynomial in t and ε

              Security result There is no polynomial time adversarywhich really means that there is no attack if the parametersare large enough

              Not always meaningful as when analyzing block ciphers

              2777

              Complexity-theory Security Results

              General Results

              Under polynomial reductions against polynomial-time adversaries

              1 Trapdoor one-way permutations are enough for secureencryption

              2 One-way functions are enough for secure signatures

              If only care about feasibility these results close the chapter (nomore problems left) but

              the schemes for which these results were originally obtainedare rather inefficient

              looking into the complexity of the reduction may gives ussome insight

              2877

              Exact Security

              Given

              A which on time tbreaks scheme withprobability ε

              rArrBuild

              Algorithm against P that runsin time t prime = T (t ε) and workswith probability εprime

              Assumption Solving P requires N operations (say time τ)

              Reduction exact cost for T as a function of t ε and otherparameters (eg the key sizes)

              Security result There is no adversary (for scheme) withintime t such that t prime = T (t ε) le τ

              Why useful

              From T (t) le τ we can get bounds on minimal key sizes underwhich the scheme is secure

              2977

              Exact Security

              Given

              A which on time tbreaks scheme withprobability ε

              rArrBuild

              Algorithm against P that runsin time t prime = T (t ε) and workswith probability εprime

              Assumption Solving P requires N operations (say time τ)

              Reduction exact cost for T as a function of t ε and otherparameters (eg the key sizes)

              Security result There is no adversary (for scheme) withintime t such that t prime = T (t ε) le τ

              Why useful

              From T (t) le τ we can get bounds on minimal key sizes underwhich the scheme is secure

              2977

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'/\varepsilon'}{t/\varepsilon} = \dfrac{t' \varepsilon}{t \varepsilon'}$.

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion?

We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model:
   - attack venues: what the adversary can and cannot do;
   - leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

- given the verification key $k_v$,

- it outputs a pair $(m', \sigma')$ of a message and its signature

such that the following probability is large:

$\Pr[\mathrm{Vf}(k_v, m', \sigma') = 1]$

Possible Attack Models

- No-Message Attack (NKA): the adversary only knows the verification key.

- Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

- Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$; the adversary receives $k_v$, the signing oracle holds $k_s$.

    Adversary  ---- m ---->  Signing Oracle: $\sigma \leftarrow \mathrm{Sign}(k_s, m)$
               <--- σ -----
               (repeated for messages of the adversary's choice)
    Adversary finally outputs $(m', \sigma')$

$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m']$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

- hash functions,
- block ciphers,
- finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

- Hash function → Random oracle
- Block ciphers → Ideal cipher
- Finite groups → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93].
The hash function $H: \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

- each new query receives a random answer in $\mathrm{Rec}(H)$;
- the same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

- $\mathcal{K}$, key generation: returns $(f, f^{-1})$ where
  the public key $f: X \to X$ is a trapdoor one-way permutation onto X, and
  the private key is $f^{-1}$.

- $\mathcal{S}$, signature of m: returns $\sigma \leftarrow f^{-1}(H(m))$.

- $\mathcal{V}$, verification of $(m, \sigma)$: returns true if $f(\sigma) = H(m)$.

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

- A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute f (in the forward direction);
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction):


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \dots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$:
  Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Create an initially empty list called H-List.
  If $(q, r) \in$ H-List, return r.
  Otherwise reply using
  Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $\mathcal{S}(m)$:
  $r \leftarrow H(m)$. Reply using
  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$:
  $r \leftarrow H(m)$. Return true if $r = f(\sigma)$.
  The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

- $c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$;

- $c'$ = the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A;

- if $c \ne c'$ then abort.

Success verification is within the game ⇒ the adversary must query its output message m to the hashing oracle.

$$
\begin{aligned}
\Pr[S_2] &= \Pr[S_1 \wedge \mathrm{GoodGuess}] \\
&= \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \\
&\ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}
\end{aligned}
$$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3):
  If this is the c-th query, set $r \leftarrow y$. Otherwise choose r at random.
  Add the record $(q, \bot, r)$ to H-List.

Since the position of y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.
  Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.
  Add the record $(q, s, r)$ to H-List.

Since the position of y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):
  Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the c-th hash query (the message on which A forges) cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:

- the simulation can be done computing $(q_S + q_H)$ evaluations of f;

- a signature forgery for y gives a preimage of y.

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$
\begin{aligned}
\mathrm{Adv}^{\text{ow}}_{f}(B) &= \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \\
&\ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \\
&\ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] \\
&= \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)
\end{aligned}
$$

Game-playing proofs: in general, the games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
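The simulation of games $G_1$ to $G_5$, as an added Python example (not code from the slides or from [Pointcheval 2005]): a toy RSA permutation plays f, the random oracle is a lazily sampled table as in Rule H(1), and the reduction B programs the c-th hash answer to the challenge y (Rule H(4)), answers all other signing queries from the stored preimage s without ever using $f^{-1}$ (Rule S(5)), and turns a forgery on the c-th message into a preimage of y. The RSA parameters, the guessed index c, the messages and the "forger" (the test, which happens to know x) are all constructed for illustration.

```python
import random

# Toy RSA trapdoor permutation on X = Z_N (parameters constructed for illustration;
# far too small for real use).
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x):
    """Forward direction: public and cheap (this is the T_f of the theorem)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction: only the real signer knows D (Rule S(1))."""
    return pow(y, D, N)


class RandomOracle:
    """Lazily sampled H: {0,1}* -> X, exactly Rule H(1): a fresh uniform answer for
    a new query, the same answer for a repeated one, recorded in the H-List."""

    def __init__(self, rng):
        self.rng = rng
        self.h_list = {}

    def query(self, q):
        if q not in self.h_list:
            self.h_list[q] = self.rng.randrange(N)
        return self.h_list[q]


def fdh_sign(h, m):
    return f_inv(h.query(m))


def fdh_verify(h, m, sigma):
    return f(sigma) == h.query(m)


class Reduction:
    """B of game G5: runs the EUF-CMA game for A without knowing f^{-1}.
    y is the one-wayness challenge, c the guessed index of the forged message."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.h_list = {}   # message -> (s, r); s is None (the slides' ⊥) for the c-th query
        self.order = []    # distinct hash queries in the order they were asked

    def hash_query(self, q):
        if q not in self.h_list:
            self.order.append(q)
            if len(self.order) == self.c:
                self.h_list[q] = (None, self.y)   # Rule H(4): r <- y, s <- ⊥
            else:
                s = self.rng.randrange(N)         # s <-$ X, r <- f(s); r is uniform
                self.h_list[q] = (s, f(s))        # because f is a permutation
        return self.h_list[q][1]

    def sign_query(self, m):
        """Rule S(5): answer from the stored preimage. None means B must abort:
        A asked for a signature on the message B bet on, so the guess c was wrong."""
        self.hash_query(m)
        return self.h_list[m][0]

    def extract(self, m_forged, sigma):
        """A valid forgery on the c-th message is a preimage of y under f."""
        if self.h_list.get(m_forged) == (None, self.y) and f(sigma) == self.y:
            return sigma
        return None


def demo(seed=7):
    """Constructed run: the real signer, then B handling the same kind of queries."""
    rng = random.Random(seed)
    h = RandomOracle(rng)
    real_ok = fdh_verify(h, "pay 10", fdh_sign(h, "pay 10"))

    # One-wayness challenge y = f(x). The test stands in for an all-powerful forger
    # that knows x; its forgery on the c-th message is exactly what B needs.
    x = rng.randrange(1, N)
    y = f(x)
    b = Reduction(y, c=2, rng=rng)
    for m in ("m1", "m2", "m3"):
        b.hash_query(m)
    sims_ok = all(f(b.sign_query(m)) == b.hash_query(m) for m in ("m1", "m3"))
    abort = b.sign_query("m2") is None     # B cannot sign the programmed message
    extracted = b.extract("m2", x)
    return {"real_ok": real_ok, "sims_ok": sims_ok, "abort": abort,
            "inverted": extracted is not None and f(extracted) == y}


if __name__ == "__main__":
    print(demo())
```

The signatures B hands out for the non-programmed messages verify under the real verification equation $f(\sigma) = H(m)$, which is why A's view in $G_5$ is the same as in $G_1$; the only thing B cannot do is sign the c-th message, and that is precisely the message A must not ask to have signed if its forgery is to count.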

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

- A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute f (in the forward direction);
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are:

- at most $2^{75}$ operations (t),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result
If one can break the scheme within time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with the known bounds on inverting RSA, namely factoring using the best known algorithm, the Number Field Sieve (NFS), for f = RSA:

- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
- 4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries.

Inverting f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong:
perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; the adversary receives $k_e$.

    1. Adversary  ---- c ---->  Decryption oracle: $m \leftarrow \mathcal{D}_{k_d}(c)$   (CCA1 phase,
                  <- m or ⊥ -                                                     repeated)
    2. Adversary  -- m0, m1 ->  Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$
                  <--- c* ----
    3. Adversary  -- c ≠ c* ->  Decryption oracle: $m \leftarrow \mathcal{D}_{k_d}(c)$   (CCA2 phase,
                  <- m or ⊥ -                                                     repeated)
    4. Adversary outputs $b'$

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' = b]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- let m be a random message chosen from the message space M;

- from the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary A must recover m.

A scheme $\mathcal{AS}$ is one-way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr[m \xleftarrow{\$} M;\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular e-th roots)
- It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman)
- IND-CPA = DDH (Decisional Diffie-Hellman)
- It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
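The remark that textbook RSA is not IND-CPA because it is deterministic, as an added Python example (not code from the slides): a generic IND-CPA challenger, the adversary that simply re-encrypts $m_0$ under the public key and compares with the challenge, and the same adversary against a toy randomized variant, where it is reduced to guessing. The key values and messages are constructed; the randomized variant is there only to show that determinism is what the distinguisher exploits, not as a secure scheme.

```python
import random

# Textbook RSA with a constructed toy public key (illustration only, not a secure size).
N = 100160063      # 10007 * 10009
E = 65537
MSG_BITS = 10      # messages are < 2**10 so that (r || m) below still fits below N
RANDOM_BITS = 16


def rsa_enc(m, rng):
    """Deterministic textbook RSA: the same message always gives the same ciphertext."""
    return pow(m, E, N)


def rsa_enc_randomized(m, rng):
    """Toy variant encrypting (r || m) with a fresh random r. It defeats the
    re-encryption test below; that is NOT a proof of IND-CPA (hence OAEP)."""
    r = rng.getrandbits(RANDOM_BITS)
    return pow((r << MSG_BITS) | m, E, N)


def ind_cpa_game(enc, adversary, rng):
    """One run of the IND-CPA experiment; returns True if the adversary's b' equals b.
    The adversary gets the public key implicitly: it can call enc itself (CPA)."""
    b = rng.randrange(2)
    m0, m1 = adversary.choose()
    c_star = enc((m0, m1)[b], rng)
    return adversary.guess(c_star, enc, rng) == b


class ReencryptionAdversary:
    """Picks two distinct same-length messages, encrypts m0 itself and compares."""

    def choose(self):
        return 123, 456

    def guess(self, c_star, enc, rng):
        return 0 if enc(123, rng) == c_star else 1


def success_rate(enc, runs=200, seed=1):
    """Fraction of runs in which the re-encryption adversary outputs b' = b."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(enc, ReencryptionAdversary(), rng) for _ in range(runs))
    return wins / runs


if __name__ == "__main__":
    print("textbook RSA :", success_rate(rsa_enc))
    print("randomized   :", success_rate(rsa_enc_randomized))
```

Against the deterministic scheme the adversary is right in every run, so its IND-CPA advantage is 1; against the randomized variant its comparison almost never matches and it is correct only when $b = 1$, i.e. about half the time, which is the advantage of a coin flip. Note that the decryption key never appears: IND-CPA is already lost with the public key alone.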

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

- any trapdoor one-way function may yield an OW-CPA encryption scheme;

- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, $k_0$, $k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$

$H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute x, y (in OAEP, $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$), then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert the OAEP transform, then check the redundancy.

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model
Consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound
The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are:

- at most $2^{75}$ operations (t),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
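The arithmetic behind the four key-size tables above (FDH with the Bellare-Rogaway and the Coron reductions, RSA-OAEP and RSA-OAEP++), as an added Python example rather than anything from the slides: each reduction's simplified bound on the inversion time $t'$ is written as a function of the modulus size k in the log2 domain, evaluated at the adversary limits the slides assume ($t = 2^{75}$, $q_h = q_G = q_E = 2^{55}$, $q_s = 2^{30}$), and compared with the NFS costs the slides quote, which are embedded as a constructed lookup table. The cost of one evaluation of f is charged as $k^3$ in the first bound and $k^2$ in the other three, as on the slides; exponents are kept fractional where the slides round them, so the margins differ slightly from the tables while the verdicts agree.

```python
import math

# Adversary limits assumed on the slides, as log2 values:
# time, hash queries, signing queries and ideal-cipher queries.
T, QH, QS, QE = 75, 55, 30, 55

# log2 of the NFS cost for factoring a k-bit modulus, as quoted on the slides
# (constructed lookup table; nothing is computed from the NFS complexity here).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def log2_sum(*exponents):
    """log2(2^a + 2^b + ...) in the exponent domain: the largest term is factored
    out so no huge integers are built."""
    top = max(exponents)
    return top + math.log2(sum(2.0 ** (x - top) for x in exponents))


def log2_tf(k, power):
    """log2 of the cost of one evaluation of f = RSA on a k-bit modulus, taken as k^power."""
    return power * math.log2(k)


# Bound on the inversion time t' of each reduction, simplified as on the slides,
# as a function of the modulus size k (result in log2).
REDUCTIONS = {
    # t' <= 2^130 + 2^110 * T_f: 2^130 = (q_h+q_s+1) t, 2^110 = (q_h+q_s+1)(q_h+q_s), T_f = k^3
    "FDH [Bellare-Rogaway]": lambda k: log2_sum(QH + T, QH + QH + log2_tf(k, 3)),
    # t' <= 2^30 t + 2^85 * T_f (the constant e of Coron's bound is dropped as on the slide)
    "FDH [Coron]": lambda k: log2_sum(QS + T, QS + QH + log2_tf(k, 2)),
    # t' <= 2^113 * k^2
    "RSA-OAEP [FOPS]": lambda k: 113 + log2_tf(k, 2),
    # t' <= t + q_E * k^2 = 2^75 + 2^55 * k^2
    "RSA-OAEP++ [Jonsson]": lambda k: log2_sum(T, QE + log2_tf(k, 2)),
}


def margins(name):
    """k -> (log2 t', log2 NFS, meaningful). The bound is meaningful when the inverter
    the reduction builds would beat NFS, i.e. log2 t' < log2 NFS; otherwise the
    theorem says nothing at that key size (it is not an attack on the scheme)."""
    bound = REDUCTIONS[name]
    return {k: (round(bound(k), 2), nfs, bound(k) < nfs) for k, nfs in NFS_LOG2.items()}


def minimal_key_size(name):
    """Smallest modulus size in the table for which the reduction gives a guarantee."""
    ok = [k for k, (_, _, meaningful) in margins(name).items() if meaningful]
    return min(ok) if ok else None


if __name__ == "__main__":
    for name in REDUCTIONS:
        print(name, margins(name), "-> at least", minimal_key_size(name), "bits")
```

Reading the output the way the slides do: a reduction whose $t'$ exceeds the NFS cost at some key size is not evidence of weakness, only a gap in the guarantee, and the smaller the tightness gap (Coron's bound, OAEP++), the smaller the key size at which the guarantee starts to mean something.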

Revisiting the Assumptions

Classical Assumptions

- Integer factoring
- Discrete logarithm (in finite fields and in elliptic curves)
- Modular roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

- Error-correcting codes
- Hash-based schemes
- Systems of multivariate equations
- Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

- Provable security does not yield proofs.

- Proofs are relative (to computational assumptions and to the definition of the scheme's goal).

- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

- Definitions (models) need time for review and acceptance.
  Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10].
  Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987 (conference held 11–15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (submitted to the Cryptology ePrint Archive, received 18 Mar. 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: a formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

77/77

Secrecy

We want to:

1 Store a document

2 Send a message

such that no unauthorized person can learn any information about the document (or message).

8/77

Cryptography: A Brief History

Until 1918: Ancient history. Ciphers based on substitution and permutations. Secrecy = secrecy of the mechanism.

1918-1975: Technical period. Cipher machines (Enigma): fast, automated permutations and substitutions.

1976: Modern cryptography. Given a scheme, use assumptions (e.g. one-way functions) to show evidence of security (a proof).

9/77

Part II

Provable Security

10/77

Provable Security / Provable Security: The Short Story / The need for Provable Security

Provable Security: The Short Story

Originated in the late 80's:

Encryption [Goldwasser-Micali 84]; signatures [Goldwasser-Micali-Rivest 88]

Popular using ideal substitutes:

Random oracles vs. hash functions [Fiat-Shamir 86, Bellare-Rogaway 93]

Generic groups vs. elliptic curves [Nechaev 94, Shoup 97]

Ideal ciphers vs. block ciphers [Bellare-Rogaway 06]

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04, Paterson et al. 10]

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE)

11/77

The need for Provable Security

Common approach to evaluate security: cryptanalysis driven.

1 Find an interesting cryptographic goal

2 Propose a solution

3 Search for an attack (i.e. a bug)

4 If one is found, go back to step 2

After many iterations, declare it secure. Problems:

When do we stop?

Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken [Vaudenay 01].

12/77

Provable Security

The recipe:

1 Define the goal of the scheme (or of the adversary)

2 Define the attack model

3 Give a protocol

4 Define the complexity assumptions (or the assumptions on the primitive)

5 Provide a proof by reduction

6 Verify the proof

7 Interpret the proof

13/77

The Need for Computational Assumptions

Consider asymmetric cryptography [Diffie-Hellman 76]. An encryption scheme AS = (K, E, D) is composed of three algorithms:

K: key generation

E: encryption

D: decryption

Key generation:  r' → K → (k_e, k_d)

Encryption:      (m, r) → E_{k_e} → c

Decryption:      c → D_{k_d} → m or ⊥

14/77

Unconditional secrecy is not possible

The ciphertext c = E_{k_e}(m; r) is uniquely determined by:

the public encryption key k_e,

the message m,

the random coins r.

So at least exhaustive search (over m and r, using only public information) is possible.

⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.

15/77

Integer Factoring and RSA

Multiplication vs. factorization:

p, q → n = p · q is easy (quadratic time)

n = p · q → p, q is hard (super-polynomial time)

⇒ a one-way function

RSA function [Rivest-Shamir-Adleman 78]

The function f: Z_n → Z_n, where n = pq, for a fixed exponent e:

x → x^e mod n (easy: cubic time)

y = x^e mod n → x (difficult without p, q)

but easy, x = y^d mod n, if the trapdoor d = e^{-1} mod φ(n) is known.

We measure the advantage of any inverting adversary A by

$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_n^{*};\ y = x^e \bmod n \;:\; A(y) = x \,\right]$

16/77

The Discrete Logarithm

Let G = (⟨g⟩, ×) be any finite cyclic group. For any y ∈ G we define

$\mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\}$

Exponentiation function

The function DExp_g: Z_q → G, where q = |G|:

x → y = g^x (easy: cubic time)

y = g^x → x (difficult: super-polynomial time)

$\mathrm{Adv}^{\mathrm{dl}}_{g}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x \;:\; A(y) = x \,\right]$

17/77

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2001]:

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in Z_p^*.

18/77

Generalization: One-way functions

One-way function

The function f: Dom(f) → Rng(f):

x → y = f(x) (easy: polynomial time)

y = f(x) → x (difficult for random x ∈ Dom(f): at least super-polynomial time)

The advantage of an inverting adversary A is thus

$\mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr\left[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x) \;:\; A(y) = x \,\right]$

Resources of A:

running time t (number of operations);

number and length of queries (if in the random oracle model).

19/77

Part III

Reductions

20/77

Algorithmic assumptions are necessary

Recall that for RSA:

n = pq is the public modulus,

e the public exponent,

d = e^{-1} mod φ(n) the private exponent,

E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n.

Underlying hard problem: computing m from c = E_{n,e}(m) for m ←$ Z_n^*.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.

21/77
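The one-wayness experiment defined on the preceding slides (the RSA function, the exponentiation function DExp_g, and the generic advantage Adv^ow_f(A) with its resource count), as an added example that is not part of the tutorial. The modulus n = 61 · 53 and the group Z_1019^* with generator 2 are constructed toy parameters, far too small to be secure; that is the point: the exhaustive-search adversary from the "unconditional secrecy is not possible" slide always wins, and only its running time (counted here as forward evaluations) separates it from a practical attack. The adversary and oracle names are this example's own.

```python
import random

# Constructed toy parameters (illustration only): real RSA moduli are 2048+
# bits; n is tiny here so that exhaustive search finishes instantly.
P, Q, E = 61, 53, 17                  # n = 3233, gcd(e, phi(n)) = 1
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # trapdoor d = e^{-1} mod phi(n)

# Toy discrete-log instance: g = 2 generates Z_1019^*, a group of order 1018.
G, PRIME, ORDER = 2, 1019, 1018

def rsa_forward(x):                   # x -> x^e mod n: easy
    return pow(x, E, N)

def rsa_trapdoor_inverse(y):          # y -> y^d mod n: easy only with d
    return pow(y, D, N)

def dexp_forward(x):                  # x -> g^x mod p: easy
    return pow(G, x, PRIME)

class CountingOracle:
    """Wraps f so an adversary's running time (forward evaluations) is visible."""
    def __init__(self, forward):
        self.forward, self.calls = forward, 0
    def __call__(self, x):
        self.calls += 1
        return self.forward(x)

def exhaustive_inverter(forward, domain):
    """Adversary with no trapdoor: tries every x in Dom(f). It always wins,
    at a cost of up to |Dom(f)| evaluations. This is the 'exhaustive search is
    always possible' observation: only the cost of the search, i.e. a
    complexity assumption, stands between the adversary and the preimage."""
    def adversary(y):
        return next((x for x in domain if forward(x) == y), None)
    return adversary

def constant_guess_inverter(y):
    """Cheap adversary that always answers 1: wins only when x happened to be 1."""
    return 1

def ow_advantage(forward, adversary, domain, trials=None, seed=1):
    """Adv^ow_f(A) = Pr[x <-$ Dom(f); y = f(x) : A(y) = x].
    trials=None computes the probability exactly over Dom(f); otherwise it is
    estimated from `trials` challenges drawn with a fixed seed."""
    if trials is None:
        xs = list(domain)
    else:
        rng = random.Random(seed)
        xs = [rng.choice(domain) for _ in range(trials)]
    wins = sum(1 for x in xs if adversary(forward(x)) == x)
    return wins / len(xs)

def rsa_experiment(trials=20):
    """Returns (brute-force advantage, its forward evaluations, constant-guess
    advantage) against the toy RSA function: a high advantage costs time t."""
    counted = CountingOracle(rsa_forward)
    brute = exhaustive_inverter(counted, range(1, N))
    adv_brute = ow_advantage(rsa_forward, brute, range(1, N), trials=trials)
    adv_guess = ow_advantage(rsa_forward, constant_guess_inverter, range(1, N))
    return adv_brute, counted.calls, adv_guess

def dlog_experiment(trials=20):
    """The same one-wayness game for DExp_g: Z_q -> G."""
    brute = exhaustive_inverter(dexp_forward, range(ORDER))
    return ow_advantage(dexp_forward, brute, range(ORDER), trials=trials)

if __name__ == "__main__":
    assert rsa_trapdoor_inverse(rsa_forward(65)) == 65
    print("RSA: brute-force advantage, evaluations, constant-guess advantage:",
          rsa_experiment())
    print("DL: brute-force advantage:", dlog_experiment())
```

The two adversaries illustrate why the advantage is always reported together with the running time t: the constant guess has advantage exactly 1/|Dom(f)| at no cost, while exhaustive search has advantage 1 at a cost that grows with the modulus, which is what the key-size estimates on the next slides quantify.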

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.

22/77

Proof by Reduction

Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P:

Instance I of P  →  [ new algorithm for P, which runs adversary A as a subroutine ]  →  solution of I

If so, we say that solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

23/77

Provable Security: a misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77

Provably Secure Scheme

Before calling a scheme provably secure we need:

1 To make precise the algorithmic assumptions (some given above)

2 To define the security notions to be guaranteed (next): the security goal and the attack model

3 A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given A within time t and success probability ε ⇒ build an algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε).

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given A within time t and success probability ε ⇒ build an algorithm against P that runs in time t' = T(t, ε).

Assumption: P is hard = "no polynomial-time algorithm".

Reduction: T is polynomial in t and 1/ε.

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers (a fixed key length leaves no parameter to grow).

27/77

Complexity-theory Security: Results

General results, under polynomial reductions against polynomial-time adversaries:

1 Trapdoor one-way permutations are enough for secure encryption.

2 One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given A which in time t breaks the scheme with probability ε ⇒ build an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'.

Assumption: solving P requires N operations (say time τ).

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ.

Why useful? From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' ≫ t or ε' ≪ ε, the reduction is not tight.

The tightness gap is

$\frac{t'/\varepsilon'}{t/\varepsilon} = \frac{t'\,\varepsilon}{t\,\varepsilon'}$

We want tight reductions, or at least reductions with a small tightness gap.

30/77

Part IV

Security Notions

31/77

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think and define:

1 The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2 The attack model: attack venues (what the adversary can and cannot do) and leaked information (what the adversary can learn from honest users, often modeled by oracles).

32/77

Signature Schemes (Authentication)

Goal: existential forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key k_v, it outputs a pair (m', σ') of a message and its signature such that the following probability is large:

$\Pr\left[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,\right]$

33/77

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]. Given a signature scheme Σ = (K, Sign, Vf):

(k_v, k_s) ←$ K(·); the adversary receives k_v, while the signing oracle holds k_s.

Adversary  --m-->  Signing oracle: σ ← Sign(k_s, m)
Adversary  <--σ--  Signing oracle       (repeated for adaptively chosen m)

Finally the adversary outputs (m', σ').

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr\left[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,\right]$

(Existential unforgeability under chosen-message attacks.)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,

block ciphers,

finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized security models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of).

36/77

Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rng(H) is analyzed as if it were a perfectly random function:

each new query receives a random answer in Rng(H);

the same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc. on these 2013 slides; today SHA-256 or SHA-3).

Examples of use:

1 Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2 Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

• K, Key Generation: returns (f, f⁻¹) where
  Public key: f: X → X, a trapdoor one-way permutation onto X
  Private key: f⁻¹
• S, Signature of m: returns σ ← f⁻¹(H(m))
• V, Verification of (m, σ): returns true if f(σ) = H(m)

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

  Adv^euf-cma_FDH(A) ≤ (q_h + q_s + 1) · Adv^ow_f(B)

where

• A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
• T_f is the time to compute f (in the forward direction),
• B runs in time t′ = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1 Define a sequence G0, G1, ..., G5 of games or experiments.
2 All games are in the same probability space.
3 The rules on how the view of the game is computed differ.
4 Successive games are very similar, typically with slightly different probability distributions.
5 G0 is the actual security game (EUF-CMA).
6 G5 is the game for the underlying assumption (OW).
7 We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event “A outputs a pair (m, σ) for which Vf returns true”.

Clearly Adv^euf-cma_FDH(A) = Pr[S0].

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Create an initially empty list called H-List.
  If (q, r) ∈ H-List, return r.
  Otherwise reply using Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ). The game ends when this oracle is called.

Let S1 be the event “Vf returns true in G1”. Clearly Pr[S1] = Pr[S0].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where
  c ←$ {1, ..., q_H + q_S + 1}.
  Let c′ = index of the first query where message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.
  If c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query its output message m. Let GoodGuess be the event c = c′.

  Pr[S2] = Pr[S1 ∧ GoodGuess]
         = Pr[S1 | GoodGuess] × Pr[GoodGuess]
         ≥ Pr[S1] × 1/(q_H + q_S + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since y (the value at position c) is chosen uniformly at random, Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose random s ←$ X and compute r ← f(s).
  Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f⁻¹.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4]. Moreover:

• the simulation can be done computing (q_S + q_H) evaluations of f,
• a signature forgery for y gives a preimage for y,

  Pr[S5] = Adv^ow_f(B)

where B = G5 runs in time t + (q_S + q_H) T_f.

46/77



Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

  Adv^ow_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
              ≥ 1/(q_H + q_S + 1) × Pr[S1]
              ≥ 1/(q_H + q_S + 1) × Pr[S0]
              = 1/(q_H + q_S + 1) × Adv^euf-cma_FDH(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
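An added example (not the slides' own code) that implements the FDH scheme of slide 38 together with the simulator B of games G3 to G5 (rules H(4) and S(5)) from the proof above, so the bookkeeping of the reduction can be run rather than read. Assumptions: constructed toy RSA primes as the trapdoor permutation f, SHA-256 reduced mod n as the hash onto X = Z_n, and a cheating forger that holds the private key so that the extraction step can be exercised offline.

```python
import hashlib
import secrets

# Constructed toy primes (assumption: far too small for real use).
P, Q, E = 1000003, 1000033, 65537

def keygen(p=P, q=Q, e=E):
    """K: returns (f, f^-1) as public key (n, e) and private key (n, d)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def f(pk, x):
    """Forward direction of the trapdoor permutation (RSA), cost T_f."""
    return pow(x, pk[1], pk[0])

def f_inv(sk, y):
    """Trapdoor inverse; only the signer knows d."""
    return pow(y, sk[1], sk[0])

def H(n, m):
    """Hash onto Z_n: SHA-256 reduced mod n (toy stand-in for a hash whose
    range is the full domain X = Z_n)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(sk, m):
    """S: sigma <- f^-1(H(m))."""
    return f_inv(sk, H(sk[0], m))

def verify(pk, m, sigma):
    """V: true iff f(sigma) = H(m)."""
    return f(pk, sigma) == H(pk[0], m)

class Reduction:
    """B from games G3-G5: answers A's hash and signing queries without f^-1,
    planting the OW challenge y at the c-th fresh hash query.  H-List maps a
    message to (s, r) with r = f(s), or to (None, y) for the planted entry."""

    def __init__(self, pk, y, q_max, c=None):
        self.pk, self.y = pk, y
        # c <-$ {1, ..., q_H + q_S + 1}; a fixed c is allowed for testing.
        self.c = c if c is not None else secrets.randbelow(q_max) + 1
        self.fresh = 0
        self.hlist = {}

    def hash_oracle(self, m):
        if m in self.hlist:                  # same query, same answer
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:             # Rule H(3)/H(4): r <- y, s <- bottom
            s, r = None, self.y
        else:                                # Rule H(4): s <-$ X, r <- f(s)
            s = secrets.randbelow(self.pk[0])
            r = f(self.pk, s)
        self.hlist[m] = (s, r)
        return r

    def sign_oracle(self, m):
        """Rule S(5): return the stored preimage s; f^-1 is never used."""
        self.hash_oracle(m)
        s, _ = self.hlist[m]
        if s is None:
            raise RuntimeError("abort: signing query on the planted message")
        return s

    def extract(self, m, sigma):
        """Vf in the simulated game.  Verifying forces the final hash query
        (hence the +1 in q_H + q_S + 1); a valid forgery on the planted
        message is a preimage of y under f, anything else is a failed guess."""
        r = self.hash_oracle(m)
        if f(self.pk, sigma) != r:
            return None
        s, _ = self.hlist[m]
        return sigma if s is None else None

def run_reduction(pk, y, forger, q_max, c=None):
    """Run B against a forger A(pk, H, S) -> (m, sigma); returns x with
    f(x) = y when A's forgery lands on query c, else None."""
    b = Reduction(pk, y, q_max, c)
    m, sigma = forger(pk, b.hash_oracle, b.sign_oracle)
    return b.extract(m, sigma)

def cheating_forger(sk):
    """Constructed stand-in for A: forges with the private key under the
    simulated oracles, which is enough to exercise B's bookkeeping."""
    def forger(pk, hash_oracle, sign_oracle):
        sign_oracle(b"benign message")       # one signing query, via Rule S(5)
        target = b"forged message"
        return target, f_inv(sk, hash_oracle(target))
    return forger
```

With a real forger, c is drawn at random and B succeeds with probability 1/(q_H + q_S + 1) of A's, which is exactly the loss factor in the theorem.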

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

  Adv^euf-cma_FDH(A) ≤ (q_h + q_s + 1) · Adv^ow_f(B)

where

• A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
• T_f is the time to compute f (in the forward direction),
• B runs in time t′ = t + (q_h + q_s) · T_f.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

• at most 2^75 operations (t),
• at most 2^55 hash queries (q_h), and
• at most 2^30 signing queries (q_s).

  Adv^euf-cma_FDH(A) ≤ (q_h + q_s + 1) · Adv^ow_f(B)
  B runs in time t′ = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result
If one can break the scheme with time t, then one can invert f within time
  t′ ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

  t′ ≤ 2^130 + 2^110 · T_f

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

• 1024 bits → t′ ≤ 2^140, but NFS takes 2^80
• 2048 bits → t′ ≤ 2^143, but NFS takes 2^111
• 4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

  Adv^euf-cma_FDH(A) ≤ q_s · e · Adv^ow_f(B)

where B runs in time t′ = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t′ ≤ 2^30 · t + 2^85 · T_f, and

• 1024 bits → t′ ≤ 2^105, but NFS takes 2^80
• 2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok
• 4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:
Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

• Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
• Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme AS = (K, E, D):

  Challenger                                     Adversary
  b ←$ {0,1}; (k_e, k_d) ←$ K(·)
                              k_e ↓
  m ← D_{k_d}(c)         ←      c      ←         CCA1: decryption queries
                         →   m or ⊥   →          before the challenge
                         ←  m_0, m_1  ←
  c* ← E_{k_e}(m_b)      →     c*     →
  m ← D_{k_d}(c)         ←   c ≠ c*   ←         CCA2: decryption queries
                         →   m or ⊥   →          after the challenge
                         ←     b′     ←

  Adv^ind-cca_AS(A) = Pr[(m_0, m_1) ← A^D(k_e); c* ← E_{k_e}(m_b) : b′ = b]

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

• Let m be a random message chosen from the message space M.
• From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

  Adv^ow-cpa_AS(A) = Pr[m ←$ M; c ← E_{k_e}(m) : A(k_e, c) = m]

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
• OW-CPA = RSA (modular e-th roots)
• It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
• OW-CPA = CDH (Computational Diffie-Hellman)
• IND-CPA = DDH (Decisional Diffie-Hellman)
• It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

• Any trapdoor one-way function may yield a OW-CPA encryption scheme.
• OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with

  G: {0,1}^k0 → {0,1}^(n−k0)
  H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): compute x, y, then return c = f(x || y).
D(c): compute x || y = f⁻¹(c), invert OAEP, then check the redundancy.

58/77
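The slide leaves the computation of x and y to its figure. The code below is an added example, not the slides' own code, and assumes the standard Bellare-Rogaway padding x = (m || 0^k1) ⊕ G(r), y = r ⊕ H(x); it uses constructed toy parameters (n = 48 bytes, k0 = k1 = 16 bytes) and builds G and H from SHA-256 with domain tags. The trapdoor permutation f is left out: as on the slide, E applies f to x || y and D applies f⁻¹ before unpadding.

```python
import hashlib
import secrets

# Constructed toy parameters in bytes: n > k0 + k1, so messages are
# n - k0 - k1 = 16 bytes long (assumption for this example).
N_BYTES, K0, K1 = 48, 16, 16
MSG_LEN = N_BYTES - K0 - K1

def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0); SHA-256 with a domain tag (assumed)."""
    assert len(r) == K0
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]

def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0; SHA-256 with a domain tag (assumed)."""
    assert len(x) == N_BYTES - K0
    return hashlib.sha256(b"H" + x).digest()[:K0]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def oaep_pad(m, r=None):
    """Standard OAEP: x = (m || 0^k1) xor G(r), y = r xor H(x).
    Returns the n-bit string x || y to which f is then applied."""
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly MSG_LEN bytes")
    r = secrets.token_bytes(K0) if r is None else r   # fresh randomness per encryption
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy):
    """Inverse of the padding plus the redundancy check from D(c): returns
    m, or None when the recovered k1 redundancy bits are not all zero
    (the ciphertext is then rejected as invalid)."""
    if len(xy) != N_BYTES:
        return None
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))                  # recover r from y
    padded = xor(x, G(r))             # recover m || 0^k1 from x
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    if redundancy != bytes(K1):
        return None
    return m
```

Flipping any bit of x || y changes r or G(r), so the redundancy check fails with probability about 1 − 2^(−8·k1); this is the check that the CCA reduction on the next slide relies on.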

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

  Adv^ind-cca_RSA-OAEP(A) ≤ 2 · √(Adv^rsa_{n,e}(B))

where B runs in time t′ = 2 · t + q_H(2 · q_G + q_H) · k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t′ ≤ 2^76 + 6 · 2^110 k^2 ≤ 2^113 · k^2, and

• 1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no
• 2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no
• 4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

• at most 2^75 operations (t),
• at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

• 1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok
• 2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok
• 4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions:

• Integer Factoring
• Discrete Logarithm (in Finite Fields and in Elliptic Curves)
• Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

• Error-Correcting Codes
• Hash-based schemes
• Systems of Multi-Variate Equations
• Lattices

62/77

Part V: Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

• Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance.
  Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

• provides some form of guarantee that the scheme is not flawed,
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,
• gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),
• is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI: References

67/77

                M R Albrecht K G Paterson and G J WatsonPlaintext recovery attacks against sshIn Security and Privacy 2009 30th IEEE Symposium on pages16ndash26 IEEE 2009

                M Bellare T Kohno and C NamprempreBreaking and provably repairing the SSH authenticatedencryption scheme A case study of theencode-then-encrypt-and-MAC paradigmACMTISS ACM Transactions on Information and SystemSecurity 7 2004

                M Bellare and P RogawayRandom oracles are practical A paradigm for designingefficient protocolsIn ACM editor Proceedings of the 1st ACM conference onComputer and communications security ACM Nov 1993

                6877

                M Bellare and P RogawayOptimal asymmetric encryption How to encrypt with RSAIn A D Santis editor Advances in Cryptology ndashEUROCRYPT rsquo 94 volume 950 of Lecture Notes in ComputerScience Springer-Verlag Berlin Germany May 1994httpwww-cseucsdeduusersmihir

                M Bellare and P RogawayThe exact security of digital signatures How to sign with RSAand RabinIn U Maurer editor Advances in Cryptology ndash EUROCRYPTrsquo 96 volume 1070 of Lecture Notes in Computer ScienceSpringer-Verlag Berlin Germany May 1996

                6977

                M Bellare and P RogawayThe security of triple encryption and a framework forcode-based game-playing proofsIn S Vaudenay editor Advances in Cryptology ndashEUROCRYPT rsquo 2006 volume 4004 of Lecture Notes inComputer Science pages 409ndash426 Springer 2006

                R Canetti O Goldreich and S HaleviThe random oracle methodology revisitedJournal of the ACM (JACM) 51(4)557ndash594 2004

                J-S Coron J Patarin and Y SeurinThe random oracle model and the ideal cipher model areequivalentIn Advances in CryptologyndashCRYPTO 2008 pages 1ndash20Springer 2008

                7077

                J P Degabriele K Paterson and G WatsonProvable security in the real worldSecurity amp Privacy IEEE 9(3)33ndash41 2011

                W Diffie and M HellmanNew directions in cryptographyIEEE Transactions on Information Theory 22644ndash654 1978

                T ElGamalA public key cryptosystem and signature scheme based ondiscrete logarithmsIEEE Transactions on Information Theory 31469ndash472 1985

                7177

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. Received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin – Heidelberg – New York, Aug 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


Introduction to Cryptography / What Cryptography is about / Classic Goals

                  Secrecy

We want to

1. Store a document

2. Send a message

such that no unauthorized person can learn any information about the document (or message).


Cryptography: A Brief History

Until 1918: Ancient history

Ciphers based on substitution and permutations. Secrecy = secrecy of the mechanism.

1918-1975: Technical period, cipher machines (Enigma)

Fast automated permutations and substitutions.

1976: Modern Cryptography

Given a scheme, use assumptions (e.g. one-way functions) to show evidence of security (a proof).


                  Provable Security

                  Part II

                  Provable Security


Provable Security / Provable Security: The Short Story / The need for Provable Security

Provable Security: The Short Story

Originated in the late 80's

Encryption [Goldwasser, Micali 84]; Signatures [Goldwasser, Micali, Rivest 88]

Popular using ideal substitutes

Random oracles vs hash functions [Fiat, Shamir 86; Bellare-Rogaway 93]; Generic groups vs elliptic curves [Nechaev 94; Shoup 97]; Ideal ciphers vs block ciphers [Nechaev 94; Shoup 97]

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04; Paterson et al. 10]

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE)


The need for Provable Security

Common approach to evaluate security: cryptanalysis driven

1. Find an interesting cryptographic goal

2. Propose a solution

3. Search for an attack (i.e. a bug)

4. If one is found, go back to step 2

After many iterations, declare it secure. Problems:

When do we stop?

Results are not always trustworthy:

The Chor-Rivest knapsack scheme took 10 years to be totally broken.


                  Provable Security

The Recipe

1. Define the goal of the scheme (or of the adversary)

2. Define the attack model

3. Give a protocol

4. Define complexity assumptions (or assumptions on the primitive)

5. Provide a proof by reduction

6. Verify the proof

7. Interpret the proof


The Need for Computational Assumptions

Consider asymmetric cryptography (Diffie-Hellman 76). An encryption scheme AS = (K, E, D) is composed of three algorithms:

K: Key generation

E: Encryption

D: Decryption

                 r' → K → (ke, kd)
            ke ↓                  kd ↓
  m, r  →  E  →  c  →  D  →  m or ⊥


Unconditional secrecy is not possible

The ciphertext c = E_ke(m; r) is uniquely determined by:

the public encryption key ke,

the message m,

the random coins r.

So at least exhaustive search is possible

⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.


Integer Factoring and RSA

Multiplication vs Factorization

p, q → n = p·q is easy (quadratic)

n = p·q → p, q is hard (super-polynomial)

⇒ a one-way function

RSA Function [Rivest-Shamir-Adleman 78]

The function f: Z_n → Z_n, where n = pq, for a fixed exponent e:

x → x^e mod n (easy, cubic)

y = x^e mod n → x (difficult without p, q)

but easy, x = y^d mod n, if the trapdoor d = e^{-1} mod φ(n) is known.

We measure the advantage of any inverting adversary A by

$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\big[\, x \xleftarrow{\$} \mathbb{Z}_n^*,\; y = x^e \bmod n,\; A(y) = x \,\big]$


The Discrete Logarithm

Let G = (⟨g⟩, ×) be any finite cyclic group. For any y ∈ G we define

DLog_g(y) = min { x ≥ 0 | y = g^x }

Exponentiation Function

The function DExp_g: Z_q → G, where q = |G|: x → y = g^x (easy, cubic)

y = g^x → x (difficult, super-polynomial)

$\mathrm{Adv}^{\mathrm{dl}}_{g}(A) = \Pr\big[\, x \xleftarrow{\$} \mathbb{Z}_q,\; y = g^x,\; A(y) = x \,\big]$


How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]

  Modulus (bits)   MIPS-years (log2)   Operations (log2)
  512              13                  58
  1024             35                  80
  2048             66                  111
  4096             104                 149
  8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in Z_p^*.


Generalization: One-way functions

One-way Function

The function f: Dom(f) → Rec(f):

x → y = f(x) (easy, polynomial-time)

y = f(x) → x (difficult for random x ∈ Dom(f), at least super-polynomial)

The advantage of an inverting adversary A is thus

$\mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr\big[\, x \xleftarrow{\$} \mathrm{Dom}(f),\; y = f(x),\; A(y) = x \,\big]$

Resources of A:

Running time t (number of operations)

Number and length of queries (if in the random oracle model)


                  Part III

                  Reductions


Algorithmic assumptions are necessary

Recall that for RSA:

n = pq, public modulus

e, public exponent

d = e^{-1} mod φ(n), private exponent

E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n

Underlying hard problem:

Computing m from c = E_{n,e}(m) for m ←$ Z_n^*

Easy fact:

If the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.


But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy

⇒

THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let P be a problem.

Let A be an adversary that breaks the scheme.

Then A can be used to solve P:

  Instance I of P  →  [ New algorithm for P:  Adversary A ]  →  Solution of I

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.


Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive)

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next):

   Security goal; Attack model

3. A reduction


Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε

⇒ Build: an algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results.


Complexity-theory Security

Given: A within time t and success probability ε

⇒ Build: an algorithm against P that runs in time t' = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: there is no polynomial time adversary,

which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.


Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.


Exact Security

Given: A which in time t breaks the scheme with probability ε

⇒ Build: an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is $\dfrac{t'\,\varepsilon}{t\,\varepsilon'} = \dfrac{t'/\varepsilon'}{t/\varepsilon}$.

We want tight reductions, or at least reductions with a small tightness gap.


                  Security Notions

                  Part IV

                  Security Notions


Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem

Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal)

   Property that needs to be guaranteed

2. Attack model

   Attack venues: what the adversary can and cannot do. Leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m', σ') of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m', σ') = 1 ]


Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

            (kv, ks) ←$ K(·)
    kv ↓                               ks ↓
  Adversary  ──m──→   Signing Oracle: σ ← Sign(ks, m)
             ←──σ──
               ···
  ↓ (m', σ')

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr\big[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,\big]$

(Existential unforgeability under chosen-message attacks)


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H)

The same query asked twice receives the same answer twice

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns (f, f^{-1}) where

   Public key: f: X → X, a trapdoor one-way permutation onto X. Private key: f^{-1}

S: Signature of m returns σ ← f^{-1}(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures and Game-based proofs

We use a game-based proof technique [Shoup 2004; Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments

2. All games are in the same probability space

3. The rules on how the view of the game is computed differ

4. Successive games are very similar, typically with slightly different probability distributions

5. G0 is the actual security game (EUF-CMA)

6. G5 is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games


Exact Security: FDH Sigs and Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ):

Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

"A outputs a pair (m, σ) for which Vf returns true"

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$


Exact Security: FDH Sigs and Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):

Create an initially empty list called H-List.

If (q, r) ∈ H-List, return r.

Otherwise reply using

Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):

r ← H(m). Reply using

Rule S(1): σ ← f^{-1}(r)

Verification oracle Vf(m, σ):

r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].


Exact Security: FDH Sigs and Game-based proofs (2/5)

Game G2: as G1, but where

c ←$ {1, ..., q_H + q_S + 1}

Let c' = index of the first query where the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query its output message m'.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

                  4377

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f (i.e. find x with $f(x) = y$).

Rule H(3): if this is the c-th query, set $r \leftarrow y$. Otherwise choose r at random. Add the record $(q, \perp, r)$ to H-List.

Since the challenge y is itself uniformly distributed in X (it is $f(x)$ for a random x, and f is a permutation), the answer to the c-th query has the same distribution as in G2: $\Pr[S_3] = \Pr[S_2]$.

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \perp$.

Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.

Add the record $(q, s, r)$ to H-List.

Since y is random, f is a permutation and s is random, $r = f(s)$ is again uniform in X: $\Pr[S_4] = \Pr[S_3]$.

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the c-th query cannot be asked to the signing oracle (a forgery on a message that was signed does not count, so such a query already means $c \neq c'$ and the game aborts), the missing preimage is never needed and $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery $(m, \sigma)$ with $H(m) = y$ gives a preimage of y, since $f(\sigma) = y$.

Hence $\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where B = G5 runs in time $t + (q_S + q_H) \cdot T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] = \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1] = \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0] = \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004] and [Shoup 2004].

47/77

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (random oracle) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: if one can break the scheme within time t, then one can invert f with constant probability (running B about $q_h + q_s + 1$ times) within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known algorithm, the Number Field Sieve (NFS)) for f = RSA. The reduction only tells us something when the inverter it yields would beat NFS, i.e. when $t'$ is below the NFS cost:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is (provably) secure only for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

(here $e \approx 2.718$ is Euler's number, not the RSA exponent), where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. The loss no longer depends on $q_h$, only on $q_s$. Inverting f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can compute these by himself, since he holds the encryption key).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary is:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary.

Adversary (holding $k_e$): may send ciphertexts c to the decryption oracle and receive $m \leftarrow D_{k_d}(c)$ (m or ⊥); then outputs two messages $m_0, m_1$.

Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$.

Adversary: may keep querying the decryption oracle on any $c \neq c^*$; finally outputs a bit $b'$.

CCA1: decryption queries only before the challenge. CCA2: decryption queries also after the challenge (restricted to $c \neq c^*$).

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e),\ c^* \leftarrow E_{k_e}(m_b),\ b' \leftarrow A^{D}(c^*) : b' = b\big]$

(the advantage is usually normalized as $2 \cdot \Pr[b' = b] - 1$, so that guessing at random gives 0).

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[m \xleftarrow{\$} M,\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\big]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA assumption (extracting modular e-th roots). It is neither IND-CPA nor IND-CCA, since it is deterministic: re-encrypting $m_0$ and comparing with $c^*$ reveals b.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity: from $c^* = (g^r, m_b \cdot h^r)$ anyone can build a valid ciphertext of $2 m_b$, have it decrypted, and recover $m_b$.

Obs.: CDH and DDH are weaker (i.e. potentially easier) problems than DLog, so the corresponding hardness assumptions are stronger (DDH reduces to CDH, which reduces to DLog).

56/77
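As an added example (not part of the original slides), the following Python runs the IND-CCA2 experiment of the previous slides against textbook RSA and plain ElGamal with the two adversaries this slide alludes to: one that re-encrypts $m_0$ (it works against any deterministic scheme and never uses the decryption oracle, so it already breaks IND-CPA) and one that submits the malleated ciphertext $(c_1, 2 c_2)$ to the decryption oracle, which must answer because it differs from $c^*$. All parameters are constructed toys (a 37-bit RSA modulus, ElGamal modulo $10^9 + 7$ with $g = 5$), and the class and function names are this example's own.

```python
"""Added example (not from the original slides): the IND-CCA2 experiment run
against textbook RSA and plain ElGamal. All parameters are constructed toys."""
import random
from typing import Any, Callable, Optional, Tuple

DecOracle = Callable[[Any], Optional[int]]

# Textbook RSA over constructed small primes (37-bit modulus, insecure).
RSA_P, RSA_Q, RSA_E = 104729, 1299709, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


class TextbookRSA:
    """E_ke(m) = m^e mod n is deterministic: OW-CPA at best."""

    def keygen(self, rng: random.Random) -> Tuple[Any, Any]:
        return (RSA_N, RSA_E), RSA_D

    def enc(self, pk: Any, m: int, rng: random.Random) -> int:
        n, e = pk
        return pow(m, e, n)

    def dec(self, sk: Any, c: int) -> int:
        return pow(c, sk, RSA_N)


# Plain ElGamal modulo a constructed prime (10^9 + 7 is prime).
EG_P, EG_G = 1_000_000_007, 5


class ElGamal:
    """E_ke(m; r) = (g^r, m * h^r): randomized, but multiplicatively malleable."""

    def keygen(self, rng: random.Random) -> Tuple[int, int]:
        x = rng.randrange(1, EG_P - 1)
        return pow(EG_G, x, EG_P), x

    def enc(self, h: int, m: int, rng: random.Random) -> Tuple[int, int]:
        r = rng.randrange(1, EG_P - 1)
        return pow(EG_G, r, EG_P), m * pow(h, r, EG_P) % EG_P

    def dec(self, x: int, c: Tuple[int, int]) -> int:
        c1, c2 = c
        return c2 * pow(pow(c1, x, EG_P), -1, EG_P) % EG_P


def ind_cca2_game(scheme, adversary, rng: random.Random) -> bool:
    """One run of the IND-CCA2 experiment; True iff the adversary's b' equals b.
    The decryption oracle answers every ciphertext except the challenge c*."""
    b = rng.randrange(2)
    pk, sk = scheme.keygen(rng)
    challenge = []                            # filled in once c* exists

    def dec_oracle(c):
        if challenge and c == challenge[0]:
            return None                       # bottom: decrypting c* itself is refused
        return scheme.dec(sk, c)

    m0, m1 = adversary.choose(pk, dec_oracle)
    assert m0 != m1
    c_star = scheme.enc(pk, (m0, m1)[b], rng)
    challenge.append(c_star)
    return adversary.guess(pk, c_star, dec_oracle) == b


def advantage(scheme, adversary, trials: int = 200, seed: int = 0) -> float:
    """Empirical 2 * Pr[b' = b] - 1 over independent runs (1.0 = always right)."""
    rng = random.Random(seed)
    wins = sum(ind_cca2_game(scheme, adversary, rng) for _ in range(trials))
    return 2 * wins / trials - 1


def roundtrip_ok(scheme, m: int, seed: int = 0) -> bool:
    """Sanity check that the toy schemes decrypt what they encrypt."""
    rng = random.Random(seed)
    pk, sk = scheme.keygen(rng)
    return scheme.dec(sk, scheme.enc(pk, m, rng)) == m


M0, M1 = 1234, 5678                           # constructed same-length challenge messages


class ReencryptAdversary:
    """Against a deterministic scheme: encrypt m0 yourself and compare with c*.
    It never touches the decryption oracle, so this is already an IND-CPA break."""

    def __init__(self, scheme) -> None:
        self.scheme = scheme

    def choose(self, pk, dec: DecOracle):
        return M0, M1

    def guess(self, pk, c_star, dec: DecOracle) -> int:
        return 0 if self.scheme.enc(pk, M0, random.Random(0)) == c_star else 1


class MalleateAdversary:
    """Against ElGamal: (c1, 2*c2) encrypts 2*m_b and differs from c*, so the
    CCA2 oracle decrypts it; dividing by 2 recovers m_b."""

    def choose(self, pk, dec: DecOracle):
        return M0, M1

    def guess(self, pk, c_star, dec: DecOracle) -> int:
        assert dec(c_star) is None            # the oracle refuses the challenge itself
        c1, c2 = c_star
        two_m = dec((c1, 2 * c2 % EG_P))
        m = two_m * pow(2, -1, EG_P) % EG_P
        return 0 if m == M0 else 1


if __name__ == "__main__":
    print("textbook RSA vs re-encryption:", advantage(TextbookRSA(), ReencryptAdversary(TextbookRSA())))
    print("ElGamal vs malleation:        ", advantage(ElGamal(), MalleateAdversary()))
```

Both adversaries reach advantage 1.0: the first one shows why a deterministic scheme can never be IND-CPA, the second one why a scheme whose ciphertexts can be transformed into related valid ciphertexts can never be IND-CCA2, whatever the hardness of CDH or DDH.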

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function yields a OW-CPA encryption scheme (encrypt by evaluating the function).

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversions from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$

$H : \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

E(m; r): compute x, y (the OAEP transform of m under the random coins r), then return $c = f(x \| y)$.

D(c): compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy; output ⊥ if the check fails.

58/77
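The slide leaves the OAEP transform itself implicit. As an added example (not from the slides), the Python below fills it in following the Bellare-Rogaway definition, $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, with a toy RSA permutation over the constructed Mersenne primes $2^{61} - 1$ and $2^{89} - 1$, parameters $n = 144$, $k_0 = k_1 = 32$, and G, H built from SHA-256 with a counter (standing in for the random oracles; the labels and sizes are this example's choices). It shows the redundancy check rejecting a ciphertext with one flipped bit, which is the behaviour the decryption oracle of the IND-CCA game relies on.

```python
"""Added example (not from the original slides): f-OAEP padding with the
redundancy check over a toy RSA permutation. All parameters are constructed
for illustration and are not safe for real use."""
import hashlib
import os
from typing import Optional

# Toy trapdoor permutation: RSA with the constructed Mersenne primes 2^61-1, 2^89-1.
P, Q, E = (1 << 61) - 1, (1 << 89) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # trapdoor

NB = 18                  # n = 144 bits, below |N| = 150 bits, so int(x||y) < N always
K0B, K1B = 4, 4          # k0 = k1 = 32 bits: coins r and the zero redundancy
MB = NB - K0B - K1B      # message length n - k0 - k1 = 80 bits


def f(v: int) -> int:
    return pow(v, E, N)


def f_inv(c: int) -> int:
    return pow(c, D, N)


def mask(label: bytes, seed: bytes, out_len: int) -> bytes:
    """Counter-mode SHA-256 expansion (MGF1-like), standing in for a random oracle."""
    out = b"".join(hashlib.sha256(label + seed + i.to_bytes(4, "big")).digest()
                   for i in range((out_len + 31) // 32))
    return out[:out_len]


def G(r: bytes) -> bytes:       # {0,1}^k0 -> {0,1}^(n - k0)
    return mask(b"G", r, NB - K0B)


def H(x: bytes) -> bytes:       # {0,1}^(n - k0) -> {0,1}^k0
    return mask(b"H", x, K0B)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def oaep_encrypt(m: bytes, r: bytes) -> int:
    """E(m; r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    assert len(m) == MB and len(r) == K0B
    x = xor(m + bytes(K1B), G(r))
    y = xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))


def encrypt(m: bytes) -> int:
    """E(m) with fresh random coins r."""
    return oaep_encrypt(m, os.urandom(K0B))


def oaep_decrypt(c: int) -> Optional[bytes]:
    """D(c): invert f, undo the two masks, then check the k1 zero bits; None is bottom."""
    if not 0 <= c < N:
        return None
    v = f_inv(c)
    if v >> (8 * NB):                        # f^-1(c) is not an n-bit string
        return None
    xy = v.to_bytes(NB, "big")
    x, y = xy[:NB - K0B], xy[NB - K0B:]
    r = xor(y, H(x))                         # recover the coins first ...
    padded = xor(x, G(r))                    # ... then the padded message
    if padded[MB:] != bytes(K1B):            # redundancy check: reject, never "repair"
        return None
    return padded[:MB]


if __name__ == "__main__":
    c = encrypt(b"0123456789")
    print("decrypt(c)      =", oaep_decrypt(c))
    print("decrypt(c ^ 1)  =", oaep_decrypt(c ^ 1))   # rejected by the redundancy check
```

Because any change to c scrambles both masks, a modified ciphertext passes the redundancy check with probability about $2^{-k_1}$; this is why the decryption oracle of the IND-CCA game gives an OAEP attacker almost nothing, in contrast to the ElGamal malleation on the earlier slide.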

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small. (The square root is what makes this reduction loose: B's success probability is only about the square of A's.)

Inverting f can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is (provably) secure for keys of at least 4096 bits; the reduction is not tight.

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations (one for each key).

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most $2^{75}$ operations (t),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher ($q_E$) queries.

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in finite fields and in elliptic curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if instantiated in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

62/77

                  Concluding Remarks

                  Part V

                  Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs in the absolute sense:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al 10]. Are we back in the loop "model, attack, remodel"? Crypto as physics [Nguyen 12, Degabriele et al 11].

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (received 18 Mar 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: a formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Introduction to Cryptography / What Cryptography is about / Classic Goals

Cryptography: A Brief History

Until 1918: Ancient history

Ciphers based on substitution and permutations. Secrecy = secrecy of the mechanism.

1918–1975: Technical period: cipher machines (Enigma)

Fast, automated permutations and substitutions.

1976 onwards: Modern Cryptography

Given a scheme, use assumptions (e.g. one-way functions) to show evidence of security (a proof).

9/77

                    Provable Security

                    Part II

                    Provable Security

10/77

Provable Security / Provable Security: The Short Story / The need for Provable Security

Provable Security: The Short Story

Originated in the late 80's:

Encryption [Goldwasser, Micali 84]; Signatures [Goldwasser, Micali, Rivest 88]

Became popular using ideal substitutes:

Random oracles vs. hash functions [Fiat, Shamir 86; Bellare-Rogaway 93]

Generic groups vs. elliptic curves [Nechaev 94; Shoup 97]

Ideal ciphers vs. block ciphers

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04; Paterson et al 10]

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE)

11/77

The need for Provable Security

Common approach to evaluate security: cryptanalysis-driven

1. Find an interesting cryptographic goal

2. Propose a solution

3. Search for an attack (i.e. a bug)

4. If one is found, go back to step 2

After many iterations, declare it secure. Problems:

When do we stop?

Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken [Vaudenay 01].

12/77

Provable Security

The Recipe

1. Define the goal of the scheme (or of the adversary)

2. Define the attack model

3. Give a protocol

4. Define complexity assumptions (or assumptions on the primitive)

5. Provide a proof by reduction

6. Verify the proof

7. Interpret the proof

13/77

The Need for Computational Assumptions

Consider asymmetric cryptography (Diffie, Hellman 76). An encryption scheme AS = (K, E, D) is composed of three algorithms:

K: key generation

E: encryption

D: decryption

Key generation takes random coins $r'$ and outputs the key pair: $r' \to K \to (k_e, k_d)$.

Encryption takes the message m, random coins r and the public key $k_e$, and outputs the ciphertext: $(m, r) \to E_{k_e} \to c$.

Decryption takes c and the secret key $k_d$, and outputs m or ⊥ (reject): $c \to D_{k_d} \to m$ or ⊥.

14/77

Unconditional secrecy is not possible (for public-key encryption)

The ciphertext $c = E_{k_e}(m; r)$ is uniquely determined by:

the public encryption key $k_e$
the message $m$
the random coins $r$

So at least exhaustive search is possible: an adversary with unbounded computing power can enumerate all pairs $(m, r)$ and keep the one with $E_{k_e}(m; r) = c$. Since $k_e$ is public, the adversary can run the encryption algorithm itself and needs no oracle for this.

⇒ unconditional secrecy is impossible

We need complexity (algorithmic) assumptions.


Integer Factoring and RSA

Multiplication vs. factorization:

$(p, q) \to n = p \cdot q$ is easy (quadratic)
$n = p \cdot q \to (p, q)$ is hard (super-polynomial)

⇒ a one-way function

RSA Function [Rivest-Shamir-Adleman 78]

The function $f: \mathbb{Z}_n \to \mathbb{Z}_n$, where $n = pq$, for a fixed exponent $e$:

$x \to x^e \bmod n$ (easy: cubic)
$y = x^e \bmod n \to x$ (difficult without $p, q$)
but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known

We measure the advantage of any inverting adversary $A$ by

$$ \mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_n^*;\ y = x^e \bmod n;\ A(y) = x \,\right] $$

The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$$ \mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\} $$

Exponentiation Function

The function $\mathrm{DExp}_g: \mathbb{Z}_q \to G$, where $q = |G|$:

$x \to y = g^x$ (easy: cubic)
$y = g^x \to x$ (difficult: super-polynomial)

$$ \mathrm{Adv}^{\mathrm{dl}}_{g}(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x;\ A(y) = x \,\right] $$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

These figures date from 2000: 512-bit moduli were factored in 1999 and a 768-bit one in 2009, and NIST (SP 800-57) has since disallowed 1024-bit RSA, so 2048 bits is the usual minimum today.

Generalization: One-way Functions

One-way Function

The function $f: \mathrm{Dom}(f) \to \mathrm{Rng}(f)$:

$x \to y = f(x)$ (easy: polynomial-time)
$y = f(x) \to x$ (difficult for random $x \in \mathrm{Dom}(f)$: at least super-polynomial)

The advantage of an inverting adversary $A$ is thus

$$ \mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr\left[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x);\ A(y) = x \,\right] $$

(Strictly, $A$ wins if it outputs any $x'$ with $f(x') = y$; when $f$ is a permutation, as for RSA, the preimage is unique.)

Resources of $A$:

Running time $t$ (number of operations)
Number and length of queries (if in the random oracle model)

                    Part III

                    Reductions


Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$: public modulus
$e$: public exponent
$d = e^{-1} \bmod \varphi(n)$: private exponent
$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.
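The exhaustive-search argument (the ciphertext is determined by $k_e$, $m$ and $r$) and the "easy fact" for RSA above, as an added example that is not part of the original slides. It uses a constructed toy RSA instance (primes 1009 and 1013, 8-bit messages padded with 6 random bits, all far too small for real use) so that the search over every $(m, r)$ finishes instantly; the attacker code touches only the public key.

```python
# Added example (not from the slides): exhaustive search against a public-key
# scheme using only the public key. Parameters are deliberately tiny so the
# search finishes instantly; the point is that the attack needs no trapdoor.
from itertools import product

# Constructed toy RSA parameters (far too small for real use).
P, Q = 1009, 1013
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # trapdoor d = e^-1 mod phi(n); the attacker never uses it

M_BITS = 8                     # message space: 0 .. 2^8 - 1
R_BITS = 6                     # random coins appended to the message


def encrypt(pk, m, r):
    """Randomised toy scheme E_ke(m; r): pad m with the coins r, then apply RSA.
    c is a deterministic function of (pk, m, r), exactly as the slide states."""
    n, e = pk
    x = (r << M_BITS) | m      # x < n must hold for the permutation to be injective
    assert 0 <= x < n
    return pow(x, e, n)


def decrypt(sk, c):
    """Legitimate decryption with the trapdoor d; strips the coins."""
    n, d = sk
    x = pow(c, d, n)
    return x & ((1 << M_BITS) - 1)


def exhaustive_search(pk, c):
    """Unbounded adversary: enumerate every (m, r), re-encrypt with the public
    key and stop at the match. Unique because x -> x^e mod n is a permutation.
    Returns the message, or None if c is not a valid ciphertext."""
    for m, r in product(range(1 << M_BITS), range(1 << R_BITS)):
        if encrypt(pk, m, r) == c:
            return m
    return None


def demo(m=0xA5, r=0x2B):
    """Encrypt m with coins r, then recover it both ways.
    Returns (message decrypted with the trapdoor, message recovered without it)."""
    pk, sk = (N, E), (N, D)
    c = encrypt(pk, m, r)
    return decrypt(sk, c), exhaustive_search(pk, c)


if __name__ == "__main__":
    m_dec, m_brute = demo()
    print("decrypted with trapdoor:", m_dec, "| recovered without trapdoor:", m_brute)
```

The search costs $2^{M\_BITS + R\_BITS}$ encryptions; randomisation only enlarges the space by the number of coins, it does not remove the attack. Real schemes make that space astronomically large, which is precisely why security can only be claimed against computationally bounded adversaries under an assumption such as RSA.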

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption

This is a reductionist proof.


Proof by Reduction

Let $P$ be a problem.
Let $A$ be an adversary that breaks the scheme.
Then $A$ can be used to solve $P$:

instance $I$ of $P$ → [new algorithm for $P$, running the adversary $A$ as a subroutine] → solution of $I$

If so, we say that solving $P$ reduces to breaking the scheme.
Conclusion: if $P$ is intractable then the scheme is unbreakable (by any adversary whose resources stay within those the reduction tolerates).


Provable Security: A misleading name

We are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some were given above)
2. To define the security notions to be guaranteed (next): the security goal and the attack model
3. A reduction

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given an adversary $A$ within time $t$ and success probability $\varepsilon$ ⇒ build an algorithm against $P$ that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

Complexity theory: $T$ polynomial
Exact security: $T$ explicit
Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given an adversary $A$ within time $t$ and success probability $\varepsilon$ ⇒ build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$.

Assumption: $P$ is hard = "no polynomial-time algorithm"
Reduction: $T$ is polynomial in $t$ and $1/\varepsilon$
Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers (a fixed-size primitive has no security parameter to grow).


Complexity-theory Security: Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption
2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient
looking into the complexity of the reduction may give us some insight

Exact Security

Given an adversary $A$ which in time $t$ breaks the scheme with probability $\varepsilon$ ⇒ build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$.

Assumption: solving $P$ requires $N$ operations (say, time $\tau$)
Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$ (such an adversary would yield an algorithm for $P$ faster than the assumption allows)

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is

$$ \frac{t'/\varepsilon'}{t/\varepsilon} = \frac{t' \cdot \varepsilon}{t \cdot \varepsilon'} $$

(the ratio of the work-per-success of the algorithm for $P$ to that of the adversary). We want tight reductions, or at least reductions with a small tightness gap.
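The key-size bookkeeping that exact security and the tightness gap make possible, as an added example that is not from the slides. It assumes the common "work factor" reading of an assumption (no inverter achieves $t'/\varepsilon'$ below $2^w$ operations, with $w$ taken from the Lenstra-Verheul table quoted earlier) and a reduction of the shape $t' = t + (q_h + q_s) T_f$, $\varepsilon' = \varepsilon/(q_h + q_s + 1)$, which is the form of the Full-Domain Hash bound proved later in these notes; the query counts and running times used in the demo are made-up parameters.

```python
# Added example (not from the slides): concrete-security bookkeeping for a
# reduction of the form  t' = t + (q_h + q_s) * T_f,  eps' = eps / (q_h + q_s + 1).
import math

# Lenstra-Verheul (2000) factoring estimates quoted in the notes:
# modulus bits -> log2(operations) needed to factor.
LV2000_LOG2_OPS = {512: 58, 1024: 80, 2048: 111, 4096: 149, 8192: 201}


def reduction_cost(t, eps, q_h, q_s, T_f):
    """Resources (t', eps') of the algorithm B built from an adversary A with (t, eps)."""
    t_prime = t + (q_h + q_s) * T_f
    eps_prime = eps / (q_h + q_s + 1)
    return t_prime, eps_prime


def tightness_gap(t, eps, t_prime, eps_prime):
    """(t'/eps') / (t/eps): the factor of work-per-success the reduction wastes."""
    return (t_prime / eps_prime) / (t / eps)


def security_bits_of_scheme(modulus_bits, q_h, q_s, T_f, t):
    """Bits of security the bound guarantees for the scheme, under the assumption
    (made here, not in the slides) that every inverter for this modulus size
    needs t'/eps' >= 2^w operations per success, w from the table above.
    From t'/eps' >= 2^w and the reduction:  t/eps >= 2^w / gap,  so the scheme
    keeps  w - log2(gap)  bits.  The gap does not depend on eps, so eps = 1 is used."""
    w = LV2000_LOG2_OPS[modulus_bits]
    gap = tightness_gap(t, 1.0, *reduction_cost(t, 1.0, q_h, q_s, T_f))
    return w - math.log2(gap)


def min_modulus_bits(target_bits, q_h, q_s, T_f, t):
    """Smallest tabulated modulus whose guaranteed security reaches target_bits,
    or None if no tabulated size is enough."""
    for bits in sorted(LV2000_LOG2_OPS):
        if security_bits_of_scheme(bits, q_h, q_s, T_f, t) >= target_bits:
            return bits
    return None


def demo():
    """Made-up budget: 2^60 hash queries, 2^30 signing queries, T_f = 2^20 ops,
    adversary time 2^80. Returns the bits kept per modulus size and the
    smallest size reaching 128 bits."""
    q_h, q_s, T_f, t = 2**60, 2**30, 2**20, 2**80
    kept = {bits: round(security_bits_of_scheme(bits, q_h, q_s, T_f, t), 2)
            for bits in sorted(LV2000_LOG2_OPS)}
    return kept, min_modulus_bits(128, q_h, q_s, T_f, t)


if __name__ == "__main__":
    kept, needed = demo()
    for bits, b in kept.items():
        print(f"{bits}-bit modulus: about {b} bits of security for the scheme")
    print("smallest tabulated modulus reaching 128 bits:", needed)
```

With $q_h = 2^{60}$ the loss is about 61 bits: a 2048-bit modulus that the table credits with 111 bits of inversion hardness only guarantees about 50 bits for the signature scheme, and reaching 128 bits under this bound needs the 8192-bit row. A tight reduction ($q_h = q_s = 0$ in these formulas) loses nothing and keeps all 111 bits, which is why tightness has a direct cost in key size.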


Part IV

Security Notions

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed
2. The attack model:
   Attack venues: what the adversary can and cannot do
   Leaked information: what the adversary can learn from honest users (often modeled by oracles)


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$$ \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,] $$

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key
Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs
Chosen-Message Attack (CMA): the adversary can choose the messages for which it gets to see the message/signature pairs (strongest attack)

Security Notion for Signature Schemes: EUF-CMA [Goldwasser-Micali-Rivest 1988]

Given a signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} K(\cdot)$; the adversary receives $k_v$ and may interact with a signing oracle, sending messages $m$ and receiving $\sigma \leftarrow \mathrm{Sign}(k_s, m)$; finally it outputs $(m', \sigma')$.

$$ \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,] $$

where "new" means that $m'$ was never submitted to the signing oracle. (Existential unforgeability under chosen-message attacks.)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions
block ciphers
finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized security models:

hash function → random oracle
block cipher → ideal cipher
finite group → generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \to \mathrm{Rng}(H)$ is analyzed as if it were a perfectly random function:

each new query receives a random answer in $\mathrm{Rng}(H)$
the same query asked twice receives the same answer twice

But in the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc. at the time; today SHA-2 or SHA-3 would be used).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]. There exist (contrived) schemes that are secure in the random oracle model but insecure under every instantiation of $H$ by a concrete function; for natural schemes no such separation is known.


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

K: key generation returns $(f, f^{-1})$, where the public key $f: X \to X$ is a trapdoor one-way permutation onto $X$ and the private key is $f^{-1}$
S: the signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$, where $H: \{0,1\}^* \to X$ hashes onto the full domain $X$ of $f$ (hence the name)
V: verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that

$$ \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B) $$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries
$T_f$ is the time to compute $f$ (in the forward direction)
$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

[Bellare-Rogaway 1993, 1996]

The factor $q_h + q_s + 1$ is the tightness loss of this reduction. For RSA in particular, Coron (CRYPTO 2000) gives a different simulation whose loss is roughly $q_s$, which matters in practice because $q_h$ (offline hash computations) can be far larger than $q_s$ (signatures actually obtained).

Proof (reduction):


Exact Security: FDH Signatures and Game-based Proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games (experiments) $G_0, G_1, \ldots, G_5$
2. All games are in the same probability space
3. Only the rules by which the adversary's view is computed differ
4. Successive games are very similar, typically with slightly different probability distributions
5. $G_0$ is the actual security game (EUF-CMA)
6. $G_5$ is the game for the underlying assumption (OW)
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games

Exact Security: FDH Sigs and Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf:

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$, with $m$ never submitted to the signing oracle, for which Vf returns true". Clearly

$$ \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0] $$

Exact Security: FDH Sigs and Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below (H-List starts out empty).

Hashing oracle $H(q)$:
  if $(q, r) \in$ H-List, return $r$
  otherwise reply using Rule H(1): $r \xleftarrow{\$} X$; add the record $(q, r)$ to H-List

Signing oracle $S(m)$:
  $r \leftarrow H(m)$; reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $\mathrm{Vf}(m, \sigma)$:
  $r \leftarrow H(m)$; return true if $r = f(\sigma)$

The game ends when this oracle is called. Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$: lazily sampling the random oracle and signing through it behave exactly as the real oracles.

Exact Security: FDH Sigs and Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$
let $c'$ be the index of the first query in which the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle, whether by $A$ directly, through the signing oracle, or through the verification oracle
if $c \ne c'$ then abort

Success verification is within the game ⇒ the output message $m'$ is always hashed at some point (at the latest by Vf), so $c'$ is well defined and at most $q_H + q_S + 1$. Let GoodGuess be the event $c = c'$. Then

$$ \Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1} $$

(the last step holds because $c$ is chosen independently of everything $A$ sees, so $\Pr[S_1 \mid \mathrm{GoodGuess}] = \Pr[S_1]$).

Exact Security: FDH Sigs and Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle. Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$; otherwise choose $r \xleftarrow{\$} X$. Add the record $(q, \bot, r)$ to H-List.

Since the challenge $y = f(x)$ for $x \xleftarrow{\$} X$ is uniformly distributed in $X$ ($f$ is a permutation), the answer to the $c$-th query has the same distribution as in $G_2$: $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs and Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$; otherwise choose $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $f$ is a permutation and $s$ is uniform in $X$, $r = f(s)$ is uniform in $X$, exactly as in $G_3$ (and $y$ is uniform as before): $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs and Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$:

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The message of the $c$-th hash query is never submitted to the signing oracle in a run where the event occurs: if it were, $m'$ would not be a new message and the forgery would not count (so $S_4$ would not occur either). Hence the lookup never has to return $s = \bot$ when it matters, and $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$
a signature forgery $(m', \sigma')$ with $H(m') = y$ gives $f(\sigma') = y$, i.e. a preimage of $y$

$$ \Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B) $$

where $B$ (the algorithm that runs $G_5$ and outputs $\sigma'$) runs in time $t + (q_S + q_H) T_f$.


                    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

Adv^ow_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
            ≥ 1/(qH + qS + 1) × Pr[S1]
            ≥ 1/(qH + qS + 1) × Pr[S0]
            = 1/(qH + qS + 1) × Adv^euf-cma_FDH(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
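The simulator fixed by rules H(4) and S(5), together with the 1/(qH + qS + 1) loss of the conclusion, as added example code that is not part of the slides: B embeds its one-wayness challenge y at the c-th distinct hash query and answers signing queries from the H-List without ever computing f^{-1}. The toy RSA parameters, the stand-in forger (which cheats with the trapdoor purely so the extraction can be observed) and all names are constructed for this illustration.

```python
import random

# Toy RSA as the one-way permutation f. Constructed parameters, far too small to
# be secure: they only exercise the simulator's bookkeeping.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor, handed only to the stand-in forger


def f(x):
    """The public one-way permutation (RSA in the forward direction)."""
    return pow(x, E, N)


class SimulationAbort(Exception):
    """B cannot answer: the embedded c-th message was sent to the signing oracle."""


class FdhSimulator:
    """B of game G5: answers the forger's hash and signing queries without f^-1,
    embedding its own challenge y at the c-th distinct hash query."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.hlist = {}          # H-List: m -> (s, r) with r = H(m); s = None encodes the ⊥ entry
        self.fresh = 0           # distinct hash queries answered so far
        self.f_evaluations = 0   # B's own work, to compare with (qS + qH) * Tf

    def hash_oracle(self, m):
        """Rule H(4): fresh query -> s random, r = f(s); the c-th one -> r = y, s = ⊥."""
        if m not in self.hlist:
            self.fresh += 1
            if self.fresh == self.c:
                self.hlist[m] = (None, self.y)
            else:
                s = self.rng.randrange(1, N)
                self.f_evaluations += 1
                self.hlist[m] = (s, f(s))
        return self.hlist[m][1]

    def sign_oracle(self, m):
        """Rule S(5): look up (m, s, r) in the H-List and return sigma = s."""
        self.hash_oracle(m)              # a signing query hashes m first
        s, _ = self.hlist[m]
        if s is None:
            raise SimulationAbort(m)
        return s

    def extract(self, m_star, sigma):
        """A valid forgery (m*, sigma) has f(sigma) = H(m*); when m* is the c-th
        query that is a preimage of y, and B wins the one-wayness game."""
        r = self.hash_oracle(m_star)
        self.f_evaluations += 1          # verifying the forgery costs one f
        return sigma if f(sigma) == r == self.y else None


def trapdoor_forger(hash_oracle, sign_oracle, qh):
    """Stand-in for the hypothetical EUF-CMA adversary A. It cheats with the
    trapdoor D (a real forger has no such thing) purely so that we can watch B
    extract a preimage: qh hash queries, one signing query, then a forgery on
    its last, never-signed message."""
    msgs = [f"msg-{i}" for i in range(qh)]
    for m in msgs[:-1]:
        hash_oracle(m)
    sign_oracle(msgs[0])                        # a legitimate signing query
    m_star = msgs[-1]
    sigma = pow(hash_oracle(m_star), D, N)      # sigma = f^-1(H(m*)) via the trapdoor
    return m_star, sigma


def _run(x_secret, qh, qs, rng, c=None):
    y = f(x_secret)                              # B's one-wayness challenge
    if c is None:
        c = rng.randrange(1, qh + qs + 2)        # guess c <-$ {1, ..., qH + qS + 1}
    sim = FdhSimulator(y, c, rng)
    try:
        m_star, sigma = trapdoor_forger(sim.hash_oracle, sim.sign_oracle, qh)
    except SimulationAbort:
        return None
    return sim.extract(m_star, sigma)


def run_reduction(x_secret, qh, qs, seed=0, c=None):
    """One execution of B against the forger; returns f^-1(y) or None."""
    return _run(x_secret, qh, qs, random.Random(seed), c)


def success_rate(qh, qs, trials=600, seed=1):
    """Empirical Pr[B inverts y]. The proof predicts Adv_euf-cma(A)/(qH+qS+1);
    the stand-in forger always succeeds, so expect about 1/(qH+qS+1)."""
    rng = random.Random(seed)
    wins = sum(_run(rng.randrange(1, N), qh, qs, rng) is not None for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print(run_reduction(42, qh=4, qs=1, c=4))            # 42: right guess, preimage out
    print(f"{success_rate(4, 1):.3f} (expected about {1/6:.3f})")
```

With qh = 4 and qs = 1 the guess c ranges over six positions, so B succeeds in roughly one run out of six, which is exactly the (qH + qS + 1) factor the conclusion slide carries into the bound.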


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;

Tf is the time to compute f (in the forward direction);

B runs in time t' = t + (qh + qs) · Tf.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most 2^75 operations (t),

at most 2^55 hash queries (qh), and

at most 2^30 signing queries (qs).

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

B runs in time t' = t + (qh + qs) · Tf

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time t' ≤ (qh + qs + 1)(t + (qh + qs) · Tf) ≤ 2^130 + 2^110 · Tf.

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → t' ≤ 2^140, but NFS takes 2^80

2048 bits → t' ≤ 2^143, but NFS takes 2^111

4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^euf-cma_FDH(A) ≤ qs · e · Adv^ow_f(B)

where B runs in time t' = t + (qh + qs + 1) · Tf if A runs in time t and makes qh, qs queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · Tf, and

1024 bits → t' ≤ 2^105, but NFS takes 2^80

2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).

This is the strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: b ←$ {0, 1}, (ke, kd) ←$ K(·); sends ke to the Adversary.

Adversary (CCA1 phase, before the challenge): may send any c to the decryption oracle, which answers m ← D_kd(c) (m or ⊥); then sends m0, m1 to the Challenger.

Challenger: c* ← E_ke(mb); sends c* to the Adversary.

Adversary (CCA2 phase, after the challenge): may send any c ≠ c* to the decryption oracle, which answers m ← D_kd(c) (m or ⊥); finally outputs b'.

Adv^ind-cca_AS(A) = Pr[(m0, m1) ← A^D(ke); c* ← E_ke(mb) : b' = b]

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^ow-cpa_AS(A) = Pr[m ←$ M; c ← E_ke(m) : A(ke, c) = m]

55/77


Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA, because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
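The IND game of the slides and the remark that RSA is not IND-CPA, as added example code that is not part of the slides: a challenger that enforces the CPA / CCA1 / CCA2 oracle rules (including the ⊥ answer for c*), run against textbook RSA with constructed toy parameters, together with the adversary that wins by re-encrypting and one that only learns ⊥ when it asks for the challenge. Class and function names are ours.

```python
import random

# Toy textbook RSA with constructed parameters (hopelessly small; the point is
# the game logic, not the key size).
P, Q, E = 61, 53, 17


def keygen():
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)          # (ke, kd)


def rsa_encrypt(ke, m):
    n, e = ke
    return pow(m, e, n)            # deterministic: no random coins r


def rsa_decrypt(kd, c):
    n, d = kd
    return pow(c, d, n)


TEXTBOOK_RSA = (keygen, rsa_encrypt, rsa_decrypt)


class Challenger:
    """Holds kd and implements the decryption oracle with the access rules of the
    attack model: CPA (no oracle), CCA1 (only before the challenge), CCA2 (any
    time, but never on the challenge c*). The slides' ⊥ is returned as None."""

    def __init__(self, kd, dec, mode):
        self.kd, self.dec, self.mode = kd, dec, mode
        self.c_star = None           # set once the challenge has been issued

    def decrypt(self, c):
        if self.mode == "cpa":
            return None
        if self.mode == "cca1" and self.c_star is not None:
            return None              # oracle closed after the challenge
        if c == self.c_star:
            return None              # the one forbidden query in CCA2
        return self.dec(self.kd, c)


def ind_game(scheme, adversary, mode, rng):
    """One run of the IND game: True iff the adversary's guess b' equals b."""
    keygen, enc, dec = scheme
    ke, kd = keygen()
    chal = Challenger(kd, dec, mode)
    m0, m1 = adversary.choose(ke, chal.decrypt)       # adversary picks m0, m1
    b = rng.randrange(2)
    chal.c_star = enc(ke, (m0, m1)[b])
    return adversary.guess(ke, chal.c_star, chal.decrypt) == b


def success_probability(scheme, adversary, mode, trials=200, seed=1):
    """Empirical Pr[b' = b], the quantity the slides call Adv^ind-cca:
    a blind guess scores about 1/2, a perfect distinguisher 1."""
    rng = random.Random(seed)
    return sum(ind_game(scheme, adversary, mode, rng) for _ in range(trials)) / trials


class ReencryptDistinguisher:
    """Wins against any deterministic scheme, even under CPA: ke is public, so
    re-encrypt m0 and compare with c*. This is why textbook RSA is not IND-CPA."""

    def choose(self, ke, dec_oracle):
        return 2, 3                     # two distinct same-length messages

    def guess(self, ke, c_star, dec_oracle):
        return 0 if rsa_encrypt(ke, 2) == c_star else 1


class OracleOnChallenge:
    """Asks the decryption oracle for c* itself. The oracle refuses (⊥), so this
    adversary is left guessing; it exists to show the c ≠ c* restriction."""

    def __init__(self, seed=7):
        self.rng = random.Random(seed)

    def choose(self, ke, dec_oracle):
        return 2, 3

    def guess(self, ke, c_star, dec_oracle):
        m = dec_oracle(c_star)
        if m is not None:               # never happens: the game forbids it
            return 0 if m == 2 else 1
        return self.rng.randrange(2)


def oracle_answers(mode):
    """What the oracle returns (fresh ciphertext before the challenge, fresh
    ciphertext after it, and c* itself) in the given attack model."""
    ke, kd = keygen()
    chal = Challenger(kd, rsa_decrypt, mode)
    before = chal.decrypt(rsa_encrypt(ke, 5))
    chal.c_star = rsa_encrypt(ke, 2)
    after_fresh = chal.decrypt(rsa_encrypt(ke, 5))
    after_challenge = chal.decrypt(chal.c_star)
    return before, after_fresh, after_challenge
```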


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So, how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)

H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.

58/77


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^ind-cca_RSA-OAEP(A) ≤ 2 · √(Adv^rsa_{n,e}(B))

where B runs in time t' = 2 · t + qH(2 · qG + qH) · k^2 if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t),

at most 2^55 hash (qH, qG) and ideal cipher queries (qE).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + qE · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
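The key-size arithmetic behind the four "ok / no" tables (basic RSA-FDH, Coron's bound, RSA-OAEP and RSA-OAEP++), checked against the NFS estimates the slides take from Lenstra-Verheul, as added example code that is not part of the slides. It keeps the bounds as exact integers and reads off log2; assumptions of ours: Tf = k^3 for the basic FDH bound (as the slide states) and Tf = k^2 for Coron's bound, which is what reproduces the slide's figures.

```python
import math

# NFS cost estimates (log2 of operations) from the Lenstra-Verheul table on the
# "How hard are these problems?" slide.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the slides: 2^75 operations,
# 2^55 hash / oracle queries, 2^30 signing queries.
T, QH, QS = 2**75, 2**55, 2**30


def log2(x):
    """log2 of an exact integer bound (Python ints never overflow)."""
    return math.log2(x)


def fdh_basic(k, t=T, qh=QH, qs=QS):
    """Basic FDH reduction: t' <= (qh+qs+1) * (t + (qh+qs) * Tf), with Tf = k^3
    (the slide's cost model for RSA with a small public exponent)."""
    tf = k**3
    return (qh + qs + 1) * (t + (qh + qs) * tf)


def fdh_coron(k, t=T, qh=QH, qs=QS):
    """Coron's reduction: advantage loss qs*e, B runs in t + (qh+qs+1) * Tf.
    Turned into inverter time as on the slide (2^30 * t + 2^85 * Tf), dropping
    the constant e. Assumption (ours): Tf = k^2, which matches the slide's figures."""
    tf = k**2
    return qs * (t + (qh + qs + 1) * tf)


def rsa_oaep(k, t=T, qh=QH, qg=QH):
    """RSA-OAEP [Fujisaki-OPS 00]: B runs in 2t + qH(2qG + qH) k^2; the slide's
    inverter bound 2^76 + 6 * 2^110 * k^2 doubles the query term."""
    return 2 * t + 2 * qh * (2 * qg + qh) * k**2


def rsa_oaep_pp(k, t=T, qe=QH):
    """RSA-OAEP++ [Jonsson 02], ideal cipher model: t' <= t + qE * k^2."""
    return t + qe * k**2


def verdict(bound, k):
    """'ok' when the inverter built by the reduction would beat NFS: the assumed
    adversary would then contradict "NFS is the best RSA inverter", so it cannot
    exist. 'no' means the bound is too loose to say anything at this key size."""
    return "ok" if log2(bound(k)) < NFS_LOG2[k] else "no"


def key_size_table(bound):
    """Rows (k, log2 t', NFS log2, verdict) for each tabulated modulus size."""
    return [(k, round(log2(bound(k)), 1), NFS_LOG2[k], verdict(bound, k))
            for k in sorted(NFS_LOG2)]


def minimum_secure_key(bound):
    """Smallest tabulated modulus for which the reduction gives a guarantee."""
    for k in sorted(NFS_LOG2):
        if verdict(bound, k) == "ok":
            return k
    return None


if __name__ == "__main__":
    for name, bound in [("RSA-FDH", fdh_basic), ("RSA-FDH (Coron)", fdh_coron),
                        ("RSA-OAEP", rsa_oaep), ("RSA-OAEP++", rsa_oaep_pp)]:
        print(name, key_size_table(bound), "-> keys >=", minimum_secure_key(bound))
```

Swapping in other resource budgets (say 2^40 signing queries) or a newer factoring estimate shows how quickly a non-tight reduction stops saying anything useful at a given key size.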


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.

Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Part II

Provable Security

10/77

Provable Security / Provable Security: The Short Story / The need for Provable Security

Provable Security: The Short Story

Originated in the late 80's:

Encryption [Goldwasser, Micali 84]

Signatures [Goldwasser, Micali, Rivest 88]

Popular using ideal substitutes:

Random oracles vs. hash functions [Fiat, Shamir 86; Bellare-Rogaway 93]

Generic groups vs. elliptic curves [Nechaev 94, Shoup 97]

Ideal ciphers vs. block ciphers [Nechaev 94, Shoup 97]

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04, Paterson et al. 10].

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE).

11/77


The need for Provable Security

Common approach to evaluate security: cryptanalysis driven.

1. Find an interesting cryptographic goal.

2. Propose a solution.

3. Search for an attack (i.e. a bug).

4. If one is found, go back to step 2.

After many iterations, declare it secure.

Problems:

When do we stop?

Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken.

12/77


Provable Security

The Recipe

1. Define the goal of the scheme (or of the adversary).

2. Define the attack model.

3. Give a protocol.

4. Define complexity assumptions (or assumptions on the primitive).

5. Provide a proof by reduction.

6. Verify the proof.

7. Interpret the proof.

13/77


The Need for Computational Assumptions

Consider asymmetric cryptography (Diffie, Hellman 76). An encryption scheme AS = (K, E, D) is composed of three algorithms:

K: Key generation

E: Encryption

D: Decryption

r' → K → (ke, kd)

(m, r) → E_ke → c → D_kd → m or ⊥

14/77


Unconditional secrecy is not possible

The ciphertext c = E_ke(m, r) is uniquely determined by:

the public encryption key ke,

the message m,

the random coins r.

So at least exhaustive search is possible.

⇒ Unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.

15/77


Integer Factoring and RSA

Multiplication vs. Factorization

p, q → n = p · q is easy (quadratic)

n = p · q → p, q is hard (super-polynomial)

One-way function

RSA Function [Rivest-Shamir-Adleman 78]

The function f: Z_n → Z_n, where n = pq, for a fixed exponent e:

x → x^e mod n (easy: cubic)

y = x^e mod n → x (difficult without p, q)

but easy: x = y^d mod n if the trapdoor d = e^{-1} mod φ(n) is known.

We measure the advantage of any inverting adversary A by

Adv^rsa_{n,e}(A) = Pr[x ←$ Z*_n; y = x^e mod n : A(y) = x]

16/77


The Discrete Logarithm

Let G = (⟨g⟩, ×) be any finite cyclic group. For any y ∈ G we define

DLog_g(y) = min { x ≥ 0 | y = g^x }

Exponentiation Function

The function DExp_g: Z_q → G, where q = |G|:

x → y = g^x (easy: cubic)

y = g^x → x (difficult: super-polynomial)

Adv^dl_g(A) = Pr[x ←$ Z_q; y = g^x : A(y) = x]

17/77


How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in Z*_p.

18/77


Generalization: One-way functions

One-way Function

The function $f : \mathrm{Dom}(f) \to \mathrm{Rec}(f)$:

$x \to y = f(x)$ (easy, polynomial-time)

$y = f(x) \to x$ (difficult for random $x \in \mathrm{Dom}(f)$, at least super-polynomial)

The advantage of an inverting adversary A is thus

$\mathrm{Adv}^{\mathrm{ow}}_{f}(A) = \Pr[\, x \xleftarrow{\$} \mathrm{Dom}(f),\ y = f(x) : A(y) = x \,]$

Resources of A:

Running time t (number of operations)

Number and length of queries (if in the random oracle model)
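The advantage $\mathrm{Adv}^{\mathrm{dl}}_g(A)$ and the resources of A (its running time t) from the last slides, as an added example that is not from the slides: a harness that runs the discrete-log experiment many times on a constructed toy group (p = 1019, q = 509, g = 4, all chosen here for illustration) and reports an adversary's estimated success probability ε together with the operations it spent. Two adversaries show the trade-off that exact security keeps track of: guessing at random, and exhaustive search with a fixed budget t, whose advantage grows as roughly t/q.

```python
"""Estimating an adversary's advantage Adv^dl_g(A) and running time t by
running the discrete-log game many times. Added example, not code from
the slides; the group below is a constructed toy one."""
import random

# Constructed toy group: the order-q subgroup of Z_p^* for the safe prime
# p = 2q + 1 = 1019. g = 4 is a square mod p, so it generates that subgroup
# of prime order q = 509 (q plays the role of |G| in the slides).
P = 1019
Q = 509
G = 4


def dlog_game(adversary, trials, seed=0):
    """Run the experiment  x <-$ Z_q, y = g^x, A(y) = x ?  `trials` times.

    Returns (estimated advantage, average operation count t of A), where
    one "operation" is one group multiplication charged to A. An adversary
    is a function (y, rng) -> (guess or None, operations_used)."""
    rng = random.Random(seed)
    wins, ops = 0, 0
    for _ in range(trials):
        x = rng.randrange(Q)            # x <-$ Z_q
        y = pow(G, x, P)                # y = g^x, the easy DExp_g direction
        guess, cost = adversary(y, rng)
        ops += cost
        if guess is not None and pow(G, guess, P) == y:   # A(y) = x ?
            wins += 1
    return wins / trials, ops / trials


def random_guess(y, rng):
    """Spend one operation and guess x at random: Adv is about 1/q."""
    return rng.randrange(Q), 1


def bounded_search(t):
    """Exhaustive search that stops after t multiplications.

    It finds x exactly when x <= t, so Adv is about t/q: the success
    probability epsilon grows with the time budget t."""
    def adversary(y, rng):
        acc, cost = 1, 0                # acc = g^0
        for x in range(Q):
            if acc == y:
                return x, cost          # g^x = y, solved after `cost` multiplications
            if cost == t:
                return None, cost       # budget exhausted, give up
            acc = acc * G % P           # acc = g^(x+1)
            cost += 1
        return None, cost
    return adversary


if __name__ == "__main__":
    for name, adv in [("random guess", random_guess),
                      ("search, budget q/2", bounded_search(Q // 2)),
                      ("search, budget q", bounded_search(Q))]:
        eps, t = dlog_game(adv, 2000)
        print(f"{name:20s} advantage {eps:.3f}  avg ops t {t:6.1f}")
```

The pair (t, ε) reported for each adversary is exactly what an exact-security statement bounds; in a real group q is astronomically large, so the t/q line stays flat for any feasible t.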

Part III

Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$, public modulus

$e$, public exponent

$d = e^{-1} \bmod \varphi(n)$, private exponent

$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing m from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy  ⇒  THEN we can break the assumption

This is a reductionist proof.


Proof by Reduction

Let P be a problem.

Let A be an adversary that breaks the scheme.

Then A can be used to solve P:

Instance I of P  →  [ New algorithm for P, which runs adversary A ]  →  Solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.


Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure, we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next): security goal, attack model

3. A reduction

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε  ⇒  Build: an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given: A within time t and success probability ε  ⇒  Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.


Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

Exact Security

Given: A which in time t breaks the scheme with probability ε  ⇒  Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$

Assumption: solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: there is no adversary (for the scheme) within time t such that $t' = T(t, \varepsilon) \le \tau$

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $(t'/\varepsilon)/(t/\varepsilon') = (t'\varepsilon')/(t\varepsilon)$

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions | Security Notion for Signature Schemes | Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed

2. Attack model: attack venues (what the adversary can and cannot do); leaked information (what the adversary can know from honest users, often modeled by oracles)


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key $k_v$,

it outputs a pair $(m', \sigma')$ of a message and its signature

such that the following probability is large:

$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which it can see the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (\mathrm{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathrm{K}(\cdot)$

The Adversary receives $k_v$; the Signing Oracle receives $k_s$.

Adversary → (m) → Signing Oracle, Signing Oracle → (σ) → Adversary, repeated, where $\sigma \leftarrow \mathrm{Sign}(k_s, m)$

The Adversary finally outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,]$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,

block ciphers,

finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.

The same query asked twice receives the same answer twice.

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns $(f, f^{-1})$, where the public key $f : X \to X$ is a trapdoor one-way permutation onto X and the private key is $f^{-1}$.

S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$. Reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

Let $c'$ be the index of the first query where the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If $c \ne c'$ then abort.

Success verification is within the game ⇒ the adversary must query its output message $m'$.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$. Otherwise choose r at random. Add the record $(q, \bot, r)$ to H-List.

Since the position of y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since the position of y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the c-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage for y;

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_0] = \dfrac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
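The FDH scheme (K, S, V) defined earlier and the algorithm B assembled in games $G_3$ to $G_5$, as one added example that serves both passages; it is not code from the slides or from Bellare and Rogaway. It assumes a constructed toy RSA modulus (two Mersenne primes, 92 bits, unusable in practice), SHA-256 with a counter as the full-domain hash H into $\mathbb{Z}_n$, and a stand-in forger that cheats with the trapdoor $f^{-1}$, since a real forger is exactly the hypothetical object the proof reduces from. B programs the c-th fresh hash query with the challenge y, answers the others with r = f(s) for a known s, signs by looking s up, and outputs the forger's σ* when the forgery lands on the programmed query. Over many challenges its success rate comes out near 1/(q_H + q_S + 1), which is the tightness loss in the theorem.

```python
"""Toy Full-Domain Hash signatures and the reduction B of games G3..G5.
Added example, not code from the slides; the RSA parameters are constructed
toy values, far too small for real use."""
import hashlib
import random

# Constructed toy RSA trapdoor permutation f(x) = x^e mod n on X = Z_n.
P, Q = 2**31 - 1, 2**61 - 1          # two Mersenne primes (toy choice)
N = P * Q                            # 92-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # trapdoor d = e^-1 mod phi(n)

def f(x):
    """Forward direction: public and easy."""
    return pow(x, E, N)

def f_inv(y):
    """Inverse direction: easy only with the trapdoor d."""
    return pow(y, D, N)

def H(m):
    """Full-domain hash H: {0,1}* -> Z_n. SHA-256 over counter||m, truncated
    to |n| bits and rejection-sampled so the output is uniform in [0, n)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + m).digest()
        r = int.from_bytes(digest, "big") >> (256 - N.bit_length())
        if r < N:
            return r
        ctr += 1

def fdh_sign(m):            # S: sigma <- f^-1(H(m))
    return f_inv(H(m))

def fdh_verify(m, sigma):   # V: true iff f(sigma) = H(m)
    return f(sigma) == H(m)

def reduction_B(y, forger, q_max, rng):
    """B from games G3..G5. Fresh hash queries get r = f(s) for a known random
    s (Rule H(4)), except the c-th, which gets the challenge y (Rule H(3));
    signing looks s up (Rule S(5)). Returns a preimage of y, or None when the
    guess c was wrong or the forger failed."""
    c = rng.randrange(1, q_max + 1)    # c <-$ {1, ..., q_H + q_S + 1}
    h_list = {}                        # m -> (s, r); s is None for the c-th query
    signed = set()

    def H_oracle(m):
        if m not in h_list:
            if len(h_list) + 1 == c:
                h_list[m] = (None, y)
            else:
                s = rng.randrange(1, N)
                h_list[m] = (s, f(s))
        return h_list[m][1]

    def S_oracle(m):
        H_oracle(m)
        signed.add(m)
        return h_list[m][0]            # None: the programmed message cannot be signed

    m_star, sigma_star = forger(H_oracle, S_oracle)
    r_star = H_oracle(m_star)          # the verification query (the "+1" in q_max)
    if m_star in signed or f(sigma_star) != r_star:
        return None                    # not a valid EUF-CMA forgery
    if h_list[m_star][0] is not None:
        return None                    # forgery is not on the c-th query: c != c'
    return sigma_star                  # f(sigma*) = y: a preimage of the challenge

QH, QS = 5, 2                          # resources of the stand-in forger below

def trapdoor_forger(H_oracle, S_oracle):
    """Stand-in for the hypothetical adversary A. It cheats with f_inv, which a
    real forger does not have, only so that B has something to reduce from. It
    makes QH fresh hash queries and QS signing queries, then forges on the last
    fresh message."""
    msgs = [b"invoice-%d" % i for i in range(QH)]
    for m in msgs[:-1]:
        H_oracle(m)
    for m in msgs[:QS]:
        S_oracle(m)
    target = msgs[-1]
    return target, f_inv(H_oracle(target))

def estimate_reduction_success(trials, seed=1):
    """Run B against the stand-in forger on fresh challenges y = f(x). Returns
    (fraction of trials where B output a preimage, whether every output equalled
    x). The theorem predicts a fraction of about 1/(QH + QS + 1)."""
    rng = random.Random(seed)
    wins, all_valid = 0, True
    for _ in range(trials):
        x = rng.randrange(1, N)
        out = reduction_B(f(x), trapdoor_forger, QH + QS + 1, rng)
        if out is not None:
            wins += 1
            all_valid = all_valid and out == x
    return wins / trials, all_valid
```

Calling `estimate_reduction_success(800)` runs 800 independent challenges; with QH = 5 and QS = 2 the guess c is correct one time in eight, so the returned rate hovers around 0.125 while every returned preimage is exact, which is the (q_H + q_S + 1) factor of the theorem made visible.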

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

• at most $2^{75}$ operations ($t$),
• at most $2^{55}$ hash queries ($q_h$), and
• at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B), \qquad B \text{ runs in time } t' = t + (q_h + q_s) \cdot T_f$$

The result now says:

Interpreting the Result

If one can break the scheme within time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110} \cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with the known bounds on inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:

• 1024 bits $\rightarrow$ $t' \le 2^{140}$, but NFS takes $2^{80}$
• 2048 bits $\rightarrow$ $t' \le 2^{143}$, but NFS takes $2^{111}$
• 4096 bits $\rightarrow$ $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

(here $e$ is the base of the natural logarithm, not the RSA exponent), where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

• 1024 bits $\rightarrow$ $t' \le 2^{105}$, but NFS takes $2^{80}$
• 2048 bits $\rightarrow$ $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
• 4096 bits $\rightarrow$ $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption).

The goal cannot be too strong:

• Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

• Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
• Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary.
Adversary: may query the decryption oracle, $c \rightarrow m \leftarrow D_{k_d}(c)$ or $\bot$ (CCA1: only in this phase, before the challenge).
Adversary $\rightarrow$ Challenger: $m_0, m_1$.
Challenger $\rightarrow$ Adversary: $c^* \leftarrow E_{k_e}(m_b)$.
Adversary: may keep querying the decryption oracle on any $c \ne c^*$, $c \rightarrow m \leftarrow D_{k_d}(c)$ or $\bot$ (CCA2).
Adversary outputs $b'$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\, (m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*) : b' = b \,\big]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

• Let $m$ be a random message chosen from the message space $M$.
• From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m \,\big]$$

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
• OW-CPA = RSA (modular $e$-th roots)
• It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
• OW-CPA = CDH (Computational Diffie-Hellman)
• IND-CPA = DDH (Decisional Diffie-Hellman)
• It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
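To make the IND-CCA game of slide 54 concrete, and to see why the two negative statements on this slide hold, here is an added Python example (my code, not from the slides or their authors). It implements the challenger of the game with its CCA2 decryption oracle (which refuses the challenge $c^*$), textbook RSA and textbook ElGamal with constructed toy parameters (a 40-bit RSA modulus; the group $\mathbb{Z}_p^*$ for the Mersenne prime $p = 2^{127}-1$ with $g = 3$, chosen for the demo and not for any security property), and the two distinguishers the slide alludes to: re-encrypting $m_0$ against the deterministic scheme, which needs only the public key, and the multiplicativity query against ElGamal, which needs the CCA2 oracle. Both win the game with probability 1, i.e. the advantage as defined on slide 54 is 1.

```python
import secrets


class IndCca2Game:
    """Challenger of the IND-CCA2 game (slide 54).

    It draws b and the key pair, hands out k_e, answers decryption queries,
    and refuses to decrypt the challenge c* once it has been issued.
    """

    def __init__(self, scheme):
        self.scheme = scheme
        self.ke, self.kd = scheme.keygen()
        self.b = secrets.randbelow(2)
        self.challenge = None

    def decrypt_oracle(self, c):
        """D_{k_d}(c), or the ⊥ answer (None) when c is the challenge."""
        if self.challenge is not None and c == self.challenge:
            return None
        return self.scheme.dec(self.kd, c)

    def get_challenge(self, m0, m1):
        """c* <- E_{k_e}(m_b); callable once, as in the game."""
        assert self.challenge is None, "challenge already issued"
        self.challenge = self.scheme.enc(self.ke, (m0, m1)[self.b])
        return self.challenge

    def outcome(self, b_guess):
        return b_guess == self.b


def advantage(scheme, adversary, trials=100):
    """Empirical Pr[b' = b], the quantity slide 54 calls Adv^{ind-cca}."""
    wins = 0
    for _ in range(trials):
        game = IndCca2Game(scheme)
        wins += game.outcome(adversary(game))
    return wins / trials


class TextbookRSA:
    """Deterministic RSA, E(m) = m^e mod n (slide 56: OW-CPA at best)."""
    # Constructed toy primes giving a 40-bit modulus; illustration only.
    P, Q, E = 1000003, 1000033, 65537

    def keygen(self):
        n = self.P * self.Q
        d = pow(self.E, -1, (self.P - 1) * (self.Q - 1))
        return (n, self.E), (n, d)

    def enc(self, ke, m):
        n, e = ke
        return pow(m, e, n)

    def dec(self, kd, c):
        n, d = kd
        return pow(c, d, n)


def rsa_cpa_distinguisher(game):
    """Needs only k_e: re-encrypts m0 and compares with c*, so a deterministic
    scheme loses the IND game even against a chosen-plaintext adversary."""
    m0, m1 = 2, 3
    c_star = game.get_challenge(m0, m1)
    return 0 if game.scheme.enc(game.ke, m0) == c_star else 1


class ElGamal:
    """Textbook ElGamal in Z_p^*: IND-CPA under DDH, but malleable (slide 56)."""
    # Constructed toy group: p = 2^127 - 1 (a Mersenne prime), g = 3 (demo choice).
    P, G = 2 ** 127 - 1, 3

    def keygen(self):
        x = secrets.randbelow(self.P - 2) + 1
        return (self.P, self.G, pow(self.G, x, self.P)), x

    def enc(self, ke, m):
        p, g, y = ke
        r = secrets.randbelow(p - 2) + 1
        return pow(g, r, p), (m * pow(y, r, p)) % p

    def dec(self, kd, c):
        c1, c2 = c
        return (c2 * pow(c1, -kd, self.P)) % self.P


def elgamal_cca2_distinguisher(game):
    """Uses the CCA2 oracle: (c1, 2*c2) differs from c* yet decrypts to 2*m_b,
    which identifies b. This is the multiplicativity mentioned on slide 56."""
    p = ElGamal.P
    m0, m1 = 5, 7
    c1, c2 = game.get_challenge(m0, m1)
    two_m_b = game.decrypt_oracle((c1, (2 * c2) % p))
    return 0 if (two_m_b * pow(2, -1, p)) % p == m0 else 1


if __name__ == "__main__":
    print("textbook RSA, CPA adversary: ", advantage(TextbookRSA(), rsa_cpa_distinguisher))
    print("ElGamal, CCA2 adversary:     ", advantage(ElGamal(), elgamal_cca2_distinguisher))
```

The harness is what the definition prescribes: the adversary only ever sees $k_e$, the oracle, and $c^*$; the RSA distinguisher never touches the oracle at all, which is exactly why determinism rules out IND-CPA and not merely IND-CCA.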

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

• Any trapdoor one-way function may yield a OW-CPA encryption scheme.
• OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77

$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}, \qquad H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$$

• $E(m, r)$: compute $x, y$, then return $c = f(x \| y)$.
• $D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
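The step the slide abbreviates as "compute $x, y$" is, in the Bellare-Rogaway construction, $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, and "check the redundancy" means verifying the $k_1$ zero bits after inverting the two masks. The following Python is an added example (my code, not from the slides or the cited paper) that carries E and D through over a toy RSA permutation $f$; the sizes $n = 128$, $k_0 = k_1 = 32$, the modulus built from two fixed Mersenne primes, and the SHA-256-based instantiation of $G$ and $H$ are all my choices for the demonstration, not parameters from the page. The decryption returns None where the slide writes $\bot$.

```python
import hashlib
import secrets

# Demo sizes (my choice): n = 128 bits of OAEP output, k0 = k1 = 32, so
# messages are n - k0 - k1 = 64 bits; n must be below the modulus size.
N_BITS, K0, K1 = 128, 32, 32
M_BITS = N_BITS - K0 - K1


def _mask(tag, data, nbits):
    """Random-oracle stand-in: SHA-256 under a domain-separation tag,
    expanded with a counter and truncated to nbits (used for both G and H)."""
    out = b""
    counter = 0
    while len(out) * 8 < nbits:
        out += hashlib.sha256(tag + counter.to_bytes(4, "big") + data).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def G(r):            # {0,1}^{k0} -> {0,1}^{n-k0}
    return _mask(b"G", r.to_bytes(K0 // 8, "big"), N_BITS - K0)


def H(x):            # {0,1}^{n-k0} -> {0,1}^{k0}
    return _mask(b"H", x.to_bytes((N_BITS - K0) // 8, "big"), K0)


class ToyRSA:
    """The trapdoor permutation f: x -> x^e mod n. Constructed toy modulus of
    150 bits from two Mersenne primes; illustration only."""
    P, Q, E = 2 ** 61 - 1, 2 ** 89 - 1, 65537

    def __init__(self):
        self.n = self.P * self.Q
        self.d = pow(self.E, -1, (self.P - 1) * (self.Q - 1))

    def f(self, x):
        return pow(x, self.E, self.n)

    def f_inv(self, c):
        return pow(c, self.d, self.n)


def oaep_encrypt(trap, m, r=None):
    """E(m, r): x = (m || 0^{k1}) xor G(r), y = r xor H(x), c = f(x || y)."""
    assert 0 <= m < 2 ** M_BITS
    if r is None:
        r = secrets.randbits(K0)               # fresh coins, so E is randomized
    x = ((m << K1) ^ G(r)) & ((1 << (N_BITS - K0)) - 1)
    y = r ^ H(x)
    return trap.f((x << K0) | y)


def oaep_decrypt(trap, c):
    """D(c): x || y = f^{-1}(c), invert OAEP, return m, or None (⊥) when the
    k1 zero bits of redundancy do not check out."""
    xy = trap.f_inv(c)
    if xy >> N_BITS:                           # f^{-1}(c) outside the OAEP domain
        return None
    x, y = xy >> K0, xy & ((1 << K0) - 1)
    r = y ^ H(x)                               # undo the second mask
    mz = x ^ G(r)                              # undo the first mask
    m, z = mz >> K1, mz & ((1 << K1) - 1)
    return m if z == 0 else None


if __name__ == "__main__":
    rsa = ToyRSA()
    c = oaep_encrypt(rsa, 0xDEADBEEFCAFEF00D)
    print(hex(oaep_decrypt(rsa, c)))          # the message again
    print(oaep_decrypt(rsa, (c + 1) % rsa.n))  # None: the redundancy check fails
```

The redundancy check is what turns a one-way permutation into something that can reject ciphertexts, which is the hook the RSA-OAEP reduction on the next slide relies on: a decryption oracle that answers $\bot$ for almost every ciphertext the adversary did not build honestly.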

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

• 1024 bits $\rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no
• 2048 bits $\rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no
• 4096 bits $\rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77

Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.

60/77

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

• at most $2^{75}$ operations ($t$),
• at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

• 1024 bits $\rightarrow$ $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
• 2048 bits $\rightarrow$ $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
• 4096 bits $\rightarrow$ $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
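Step 7 of the recipe, "interpret the proof", is the arithmetic carried out on slides 49-51, 59 and 61: plug the assumed adversary budget into the reduction's running-time bound and compare the implied inverting time with the cost of the best known attack. The following Python is an added example (my code, not from the slides) that does that comparison for the four reductions on this page in one place and returns the smallest modulus size at which each reduction is meaningful. The NFS costs are the Lenstra-Verheul figures from the table on slide 18 (which appears later on this page); the adversary budget is the one stated on slides 49 and 61. Two modelling choices are mine and are made to match the slides' own figures: $T_f = k^3$ for the first FDH reduction (as slide 50 says) but $T_f = k^2$ for the Coron reduction, whose numbers on slide 51 correspond to that and omit the constant factor $e$ of Coron's advantage bound; the RSA-OAEP line uses the closed form stated on slide 59 rather than a re-derivation.

```python
import math

# Cost of the best known attack (NFS factoring) on a k-bit RSA modulus, as
# log2(operations); values from the Lenstra-Verheul table on slide 18.
NFS_LOG2_OPS = {512: 58, 1024: 80, 2048: 111, 4096: 149, 8192: 201}

# Adversary budget assumed on slides 49 and 61.
T = 2 ** 75                 # running time of the forger / distinguisher A
QH = QG = QE = 2 ** 55      # random-oracle and ideal-cipher queries
QS = 2 ** 30                # signing queries


def fdh_br96(k):
    """Slide 49: t' <= (qh+qs+1) * (t + (qh+qs)*Tf), with Tf = k^3 (slide 50)."""
    tf = k ** 3
    return (QH + QS + 1) * (T + (QH + QS) * tf)


def fdh_coron(k):
    """Slide 51: t' <= qs * (t + (qh+qs+1)*Tf). Assumption: the slide's
    figures match Tf = k^2 and drop the constant e of Coron's bound."""
    tf = k ** 2
    return QS * (T + (QH + QS + 1) * tf)


def rsa_oaep(k):
    """Slide 59, closed form as stated there: t' <= 2^76 + 6 * 2^110 * k^2."""
    return 2 ** 76 + 6 * 2 ** 110 * k ** 2


def rsa_oaep_pp(k):
    """Slide 61: t' <= t + qE * k^2."""
    return T + QE * k ** 2


def reduction_is_meaningful(bound, k):
    """The proof guarantees something at k bits only if the inverting time it
    implies is below the cost of the best known factoring attack."""
    return math.log2(bound(k)) < NFS_LOG2_OPS[k]


def min_secure_modulus(bound):
    """Smallest modulus size in the table at which the reduction is meaningful
    (the slides' 'secure for keys of at least ...' conclusion), or None."""
    for k in sorted(NFS_LOG2_OPS):
        if reduction_is_meaningful(bound, k):
            return k
    return None


REDUCTIONS = [("FDH (BR96)", fdh_br96), ("FDH (Coron)", fdh_coron),
              ("RSA-OAEP", rsa_oaep), ("RSA-OAEP++", rsa_oaep_pp)]


def report():
    """Rows of (reduction, k, log2 t', log2 NFS cost, meaningful?)."""
    rows = []
    for name, bound in REDUCTIONS:
        for k in (1024, 2048, 4096):
            rows.append((name, k, round(math.log2(bound(k)), 1),
                         NFS_LOG2_OPS[k], reduction_is_meaningful(bound, k)))
    return rows


if __name__ == "__main__":
    for name, k, lt, nfs, ok in report():
        print(f"{name:12s} {k:5d} bits: log2 t' <= {lt:6.1f}   NFS: 2^{nfs:<4d} {'ok' if ok else 'no'}")
    for name, bound in REDUCTIONS:
        print(f"{name}: meaningful from {min_secure_modulus(bound)} bits")
```

The output reproduces the four verdicts on the slides (4096, 2048, 4096 and 1024 bits) and makes the tightness point visible: the OAEP++ bound stays within a handful of bits of the adversary's own $2^{75}$ budget at every size, while the first FDH bound sits 60 bits above it.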

Revisiting the Assumptions

Classical Assumptions
• Integer Factoring
• Discrete Logarithm (in Finite Fields and in Elliptic Curves)
• Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
• Error-Correcting Codes
• Hash-based schemes
• Systems of Multi-Variate Equations
• Lattices

62/77

Part V

Concluding Remarks

63/77

Concluding Remarks

Limits and Benefits of Provable Security

• Provable security does not yield proofs.
• Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance.
  Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].

64/77

Limits and Benefits of Provable Security

Still, provable security

• provides some form of guarantee that the scheme is not flawed;
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
• gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
• is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC, ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1-20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987, 11-15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270-299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252. Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256-266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87-100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Provable Security: Provable Security: The Short Story / The need for Provable Security

Provable Security: The Short Story

Originated in the late 80's:
• Encryption [Goldwasser, Micali 84]
• Signatures [Goldwasser, Micali, Rivest 88]

Popular using ideal substitutes:
• Random oracles vs. hash functions [Fiat, Shamir 86; Bellare-Rogaway 93]
• Generic groups vs. elliptic curves [Nechaev 94; Shoup 97]
• Ideal ciphers vs. block ciphers [Nechaev 94; Shoup 97]

Proven useful to analyze a complex scheme in terms of the primitives used, in a modular fashion [Bellare-Kohno-Namprempre 04; Paterson et al. 10].

Now a common requirement to support emerging standards (IEEE P1363, ISO, Cryptrec, NESSIE).

11/77

The need for Provable Security

Common approach to evaluate security: cryptanalysis driven.

1. Find an interesting cryptographic goal.
2. Propose a solution.
3. Search for an attack (i.e. a bug).
4. If one is found, go back to step 2.

After many iterations, declare it secure.

Problems:
• When do we stop?
• Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken.

12/77

Provable Security

The Recipe

1. Define the goal of the scheme (or adversary).
2. Define the attack model.
3. Give a protocol.
4. Define complexity assumptions (or assumptions on the primitive).
5. Provide a proof by reduction.
6. Verify the proof.
7. Interpret the proof.

13/77

The Need of Computational Assumptions

Consider asymmetric cryptography (Diffie, Hellman 76). An encryption scheme $AS = (K, E, D)$ is composed of three algorithms:

• $K$: key generation
• $E$: encryption
• $D$: decryption

$$r' \longrightarrow K \longrightarrow (k_e, k_d)$$

$$m, r \longrightarrow E_{k_e} \longrightarrow c \longrightarrow D_{k_d} \longrightarrow m \text{ or } \bot$$

14/77

Unconditional secrecy is not possible

The ciphertext $c = E_{k_e}(m, r)$ is uniquely determined by
• the public encryption key $k_e$,
• the message $m$,
• the random coins $r$.

So at least exhaustive search is possible
$\Rightarrow$ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.

15/77

Integer Factoring and RSA

Multiplication vs. Factorization
• $p, q \rightarrow n = p \cdot q$ is easy (quadratic)
• $n = p \cdot q \rightarrow p, q$ is hard (super-polynomial)
$\Rightarrow$ a one-way function.

RSA Function [Rivest-Shamir-Adleman 78]

The function $f : \mathbb{Z}_n \rightarrow \mathbb{Z}_n$, where $n = pq$, for a fixed exponent $e$:
• $x \rightarrow x^e \bmod n$ (easy, cubic)
• $y = x^e \bmod n \rightarrow x$ (difficult without $p, q$), but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known.

We measure the advantage of any inverting adversary $A$ by

$$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\big[\, x \xleftarrow{\$} \mathbb{Z}_n^*;\ y = x^e \bmod n : A(y) = x \,\big]$$

16/77

The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$$\mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\}$$

Exponentiation Function

The function $\mathrm{DExp}_g : \mathbb{Z}_q \rightarrow G$, where $q = |G|$:
• $x \rightarrow y = g^x$ (easy, cubic)
• $y = g^x \rightarrow x$ (difficult, super-polynomial)

$$\mathrm{Adv}^{\mathrm{dl}}_g(A) = \Pr\big[\, x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x : A(y) = x \,\big]$$

17/77

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits) | MIPS-years (log2) | Operations (log2)
512            | 13                | 58
1024           | 35                | 80
2048           | 66                | 111
4096           | 104               | 149
8192           | 156               | 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

18/77

Generalization: One-way functions

One-way Function

The function $f : \mathrm{Dom}(f) \rightarrow \mathrm{Rec}(f)$:
• $x \rightarrow y = f(x)$ (easy, polynomial-time)
• $y = f(x) \rightarrow x$ (difficult for random $x \in \mathrm{Dom}(f)$, at least super-polynomial)

The advantage of an inverting adversary $A$ is thus

$$\mathrm{Adv}^{\mathrm{ow}}_f(A) = \Pr\big[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x) : A(y) = x \,\big]$$

Resources of $A$:
• running time $t$ (number of operations);
• number & length of queries (if in the random oracle model).

19/77

Part III

Reductions

20/77

Algorithmic assumptions are necessary

Recall that for RSA:
• $n = pq$: public modulus
• $e$: public exponent
• $d = e^{-1} \bmod \varphi(n)$: private exponent
• $E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

21/77

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy $\Rightarrow$ THEN we can break the assumption.

This is a reductionist proof.

22/77

Proof by Reduction

Let P be a problem.
Let A be an adversary that breaks the scheme.
Then A can be used to solve P:

Instance I of P ⟶ [ New algorithm for P, which runs Adversary A ] ⟶ Solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

23/77


Provable Security

A misleading name: not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next): security goal and attack model
3. A reduction

25/77

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε
⇒ Build: algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial
Exact security: T explicit
Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: algorithm against P that runs in time t' = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"
Reduction: T is polynomial in t and ε
Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption
2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;
looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: solving P requires N operations (say, time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ

Why useful? From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness: a reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is (t' ε) / (t ε') = (t' / ε') / (t / ε).

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Security Notions

Part IV

Security Notions

31/77

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed
2. Attack model:
   attack venues: what the adversary can and cannot do;
   leaked information: what the adversary can know from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,
given the verification key k_v,
it outputs a pair (m', σ') of a message and its signature
such that the following probability is large:

Pr[ Vf(k_v, m', σ') = 1 ]

33/77

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key
Known-Message Attack (KMA): the adversary also can access a list of message/signature pairs
Chosen-Message Attack (CMA): the adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme Σ = (K, Sign, Vf):

(k_v, k_s) ←$ K(·)
k_v is given to the Adversary; k_s is given to the Signing Oracle.
Adversary ⟶ m ⟶ Signing Oracle, which replies σ ← Sign(k_s, m) (repeated as many times as the adversary wants: ···)
Adversary outputs (m', σ')

Adv^{euf-cma}_Σ(A) = Pr[ Vf(k_v, m', σ') = 1 for new m' ]

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,
block ciphers,
finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle
Block ciphers → Ideal cipher
Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].
Hash function H: {0,1}^* → Rec(H) is analyzed as if it were a perfectly random function:

each new query receives a random answer in Rec(H);
the same query asked twice receives the same answer twice.

But for the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:
1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: key generation returns (f, f^{-1}) where
   public key f: X → X, a trapdoor one-way permutation onto X;
   private key f^{-1}.
S: signature of m returns σ ← f^{-1}(H(m))
V: verification of (m, σ) returns true if f(σ) = H(m)

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where
A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
T_f is the time to compute f (in the forward direction);
B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction):

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments
2. All games are in the same probability space
3. The rules on how the view of the game is computed differ
4. Successive games are very similar, typically with slightly different probability distributions
5. G0 is the actual security game (EUF-CMA)
6. G5 is the game for the underlying assumption (OW)
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^{euf-cma}_{FDH}(A) = Pr[ S0 ].

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
   Create an initially empty list called H-List.
   If (q, r) ∈ H-List, return r.
   Otherwise reply using
   Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m):
   r ← H(m). Reply using
   Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ):
   r ← H(m). Return true if r = f(σ).
   The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where
   c ←$ {1, ..., q_H + q_S + 1}.
   Let c' = index of the first query where message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.
   If c ≠ c', then abort.

Success verification is within the game ⇒ the adversary must query his output message m'.

Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
         = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
         ≥ Pr[ S1 ] × 1/(q_H + q_S + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.
Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set r ← y. Otherwise choose r at random. Add record (q, ⊥, r) to H-List.

Since position y is chosen uniformly at random, Pr[ S3 ] = Pr[ S2 ].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
   If this is the c-th query, set r ← y and s ← ⊥.
   Otherwise choose random s ←$ X and compute r ← f(s).
   Add record (q, s, r) to H-List.

Since position y is random, f is a permutation and s is random, Pr[ S4 ] = Pr[ S3 ].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, then Pr[ S5 ] = Pr[ S4 ].

Moreover:
   the simulation can be done computing (q_S + q_H) evaluations of f;
   a signature forgery for y gives a preimage for y.

Pr[ S5 ] = Adv^{ow}_f(B)

where B = G5 runs in time t + (q_S + q_H) T_f.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

Adv^{ow}_f(B) = Pr[ S5 ] = Pr[ S4 ] = Pr[ S3 ] = Pr[ S2 ]
              ≥ 1/(q_H + q_S + 1) × Pr[ S1 ]
              ≥ 1/(q_H + q_S + 1) × Pr[ S0 ]
              = 1/(q_H + q_S + 1) × Adv^{euf-cma}_{FDH}(A)

Game-playing proofs: in general games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
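The adversary B built in games G4 and G5, together with the lazily sampled random oracle and the EUF-CMA interaction from the earlier slides, written out as an added Python example (not from the slides or any reference implementation). It assumes constructed toy RSA parameters (two small known primes) and, because no efficient forger against RSA-FDH is known, a stand-in forger that cheats with the trapdoor d; B itself never uses d, and running B with every possible guess c makes the (q_H + q_S + 1) loss of game G2 visible.

```python
"""Added example (not from the slides): toy RSA-FDH and the simulator B of
games G4/G5. Parameters are constructed and far too small for real use."""
import hashlib
import secrets

P, Q = 104729, 1299709                 # assumption: two known primes, demo only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # d = e^{-1} mod phi(n)


def f(x):
    """Public trapdoor one-way permutation f(x) = x^e mod n."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor f^{-1}(y) = y^d mod n; only the legitimate signer knows d."""
    return pow(y, D, N)


def H_real(m):
    """Random-oracle instantiation for the real scheme: SHA-256 reduced mod n
    (a crude full-domain hash, enough for the demo)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def fdh_sign(m):
    """S: sigma <- f^{-1}(H(m))."""
    return f_inv(H_real(m))


def fdh_verify(m, sigma):
    """V: true iff f(sigma) = H(m)."""
    return f(sigma) == H_real(m)


class FDHReduction:
    """Adversary B of game G5: answers the forger's hash and signing queries
    without f^{-1} and turns a forgery into a preimage of the challenge y."""

    def __init__(self, y, c):
        self.y = y            # challenge: B wants x with f(x) = y
        self.c = c            # guessed index of the forger's target hash query (game G2)
        self.hlist = {}       # H-List: message -> (s, r), r = f(s); s is None at query c
        self.fresh = 0        # distinct hash queries answered so far

    def H(self, m):
        """Rule H(4): the programmed random oracle."""
        if m not in self.hlist:
            self.fresh += 1
            if self.fresh == self.c:
                self.hlist[m] = (None, self.y)        # r <- y, s <- bottom
            else:
                s = secrets.randbelow(N - 1) + 1      # s <-$ X
                self.hlist[m] = (s, f(s))             # r <- f(s)
        return self.hlist[m][1]

    def sign(self, m):
        """Rule S(5): look up (m, s, r) in H-List and answer sigma <- s."""
        self.H(m)
        s, _ = self.hlist[m]
        if s is None:
            # the forger wants a signature on the message B guessed as the
            # target; B has no preimage of y, so this run aborts (bad guess)
            raise RuntimeError("bad guess: signature requested on query c")
        return s

    def run(self, forger):
        """Run the forger; return a preimage of y on success, else None."""
        try:
            m, sigma = forger(self.H, self.sign)
        except RuntimeError:
            return None
        self.H(m)             # Vf evaluates H(m), so the output message is in H-List
        s, r = self.hlist[m]
        if s is None and f(sigma) == r:               # here r == y
            return sigma
        return None


def trapdoor_forger(H, sign):
    """Stand-in for a successful EUF-CMA adversary A (none is known for RSA-FDH):
    two chosen-message queries, then a forgery on a fresh message obtained by
    cheating with the trapdoor d, which B itself never touches."""
    for m in (b"invoice-1", b"invoice-2"):
        assert f(sign(m)) == H(m)                     # the simulated answers verify
    target = b"fresh-message"                         # third distinct hash query
    return target, f_inv(H(target))


def invert_with_forger(y, q_max, forger):
    """Try every guess c in {1, ..., q_max}, making the 1/(q_H + q_S + 1) loss of
    game G2 explicit; return [(c, x)] for the guesses that yield f(x) = y."""
    hits = []
    for c in range(1, q_max + 1):
        x = FDHReduction(y, c).run(forger)
        if x is not None:
            hits.append((c, x))
    return hits
```

With this forger, only the guess c = 3 (its third distinct hash query) yields the preimage; c = 1 and c = 2 abort at the signing oracle and c = 4 produces a valid forgery that is not a preimage of y.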

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where
A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
T_f is the time to compute f (in the forward direction);
B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:
   at most 2^75 operations (t),
   at most 2^55 hash queries (q_h), and
   at most 2^30 signing queries (q_s).

Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B), where B runs in time t' = t + (q_h + q_s) · T_f.

The result now says:

Interpreting the Result: if one can break the scheme within time t, then one can invert f within time
   t' ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110}\cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f = \mathrm{RSA}$:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries (here $e \approx 2.718$ is the base of the natural logarithm, not the RSA exponent). Inverting $f$ can then be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption).

Goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between the challenger and the adversary $A$ is:

The challenger picks $b \xleftarrow{\$} \{0,1\}$ and $(k_e, k_d) \xleftarrow{\$} K(\cdot)$, and hands $k_e$ to the adversary.

The adversary may send ciphertexts $c$ to a decryption oracle, which answers with $m \leftarrow D_{k_d}(c)$ (that is, $m$ or $\perp$).

The adversary outputs two messages $m_0, m_1$; the challenger answers with the challenge $c^* \leftarrow E_{k_e}(m_b)$.

CCA1: decryption queries are allowed only before the challenge. CCA2: decryption queries are also allowed after the challenge, for any $c \ne c^*$.

Finally the adversary outputs a guess $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b):\ b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m):\ A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]. OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]. OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$E(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
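The OAEP transform $E(m,r) \to x\|y$ and its inverse with the redundancy check, as an added example in Python (not the slides' or Bellare-Rogaway's code). It assumes lengths $n, k_0, k_1$ in bytes rather than bits and instantiates $G$ and $H$ with SHAKE256 as stand-ins for the random oracles; $f$ would be applied to the returned $x\|y$ and $f^{-1}$ before unpadding.

```python
import hashlib
import secrets

# Added example, not the slides' code. Lengths n, k0, k1 are in BYTES here
# (the slides use bits) and G, H are SHAKE256 stand-ins for the random
# oracles: both are assumptions of this example.
N, K0, K1 = 32, 8, 4            # n > k0 + k1; the message is n - k0 - k1 bytes


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), a variable-length hash of the coins r."""
    return hashlib.shake_256(b"G" + r).digest(N - K0)


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0, a hash of the masked data block x."""
    return hashlib.shake_256(b"H" + x).digest(K0)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r=None):
    """E(m, r) up to the call of f: returns x||y with
    x = (m || 0^k1) XOR G(r) and y = r XOR H(x); r is fresh if not given."""
    if len(m) != N - K0 - K1:
        raise ValueError("message must be exactly n - k0 - k1 bytes")
    if r is None:
        r = secrets.token_bytes(K0)        # random coins of the encryption
    x = xor(m + bytes(K1), G(r))           # bytes(K1) is the k1-byte zero block
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy):
    """D(c) after x||y = f^-1(c): invert OAEP and check the k1 zero bytes.
    Returns m, or None (the slides' 'bottom') when the redundancy fails."""
    if len(xy) != N:
        return None
    x, y = xy[:N - K0], xy[N - K0:]
    r = xor(y, H(x))                       # recover the coins first
    padded = xor(x, G(r))                  # then unmask m || 0^k1
    m, redundancy = padded[:N - K0 - K1], padded[N - K0 - K1:]
    return m if redundancy == bytes(K1) else None
```

Any change to $x$ or $y$ re-randomises the recovered coins, so the zero block fails the check except with probability about $2^{-8k_1}$.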

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2\cdot t + q_H\,(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6\cdot 2^{110}\cdot k^2 \le 2^{113}\cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (the reduction is not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
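The exact-security arithmetic of the last four reductions (RSA-FDH with the Bellare-Rogaway and the Coron bound, RSA-OAEP and RSA-OAEP++), as an added Python example that is not part of the slides: each bound is turned into the inverter's time $t'$ under the slides' feasible resources ($t = 2^{75}$, $q_h = 2^{55}$, $q_s = 2^{30}$) and compared with the NFS figures of the key-size table. It assumes, as the slides do, that Coron's constant $e$ is dropped, and takes $T_f = k^3$ for the first FDH bound and $T_f = k^2$ for the other three, which is what reproduces the slides' figures.

```python
import math

# Added example, not the slides' code. Resources of the attacker A as on the
# slides, kept as exact integers so the bounds are computed without rounding.
T = 2**75        # running time t
QH = 2**55       # hash / random-oracle / ideal-cipher queries (qh, qH, qG, qE)
QS = 2**30       # signing queries qs

# log2 of the NFS cost of factoring a k-bit modulus [Lenstra-Verheul 2000].
NFS_LOG2 = {512: 58, 1024: 80, 2048: 111, 4096: 149, 8192: 201}


def fdh_bellare_rogaway(k):
    """Adv <= (qh+qs+1) Adv^ow: an inverter with essentially constant success
    runs A about qh+qs+1 times at cost t + (qh+qs) T_f each, i.e.
    t' <= 2^130 + 2^110 T_f with T_f = k^3 (assumption: the slide's O(k^3))."""
    tf = k**3
    return (QH + QS + 1) * (T + (QH + QS) * tf)


def fdh_coron(k):
    """Adv <= qs e Adv^ow with B in time t + (qh+qs+1) T_f: about qs runs,
    t' <= 2^30 t + 2^85 T_f (e dropped, T_f = k^2, as on the slide)."""
    tf = k**2
    return QS * (T + (QH + QS + 1) * tf)


def rsa_oaep(k):
    """Adv <= 2 sqrt(Adv^rsa) with B in time 2t + qH (2qG + qH) k^2; the square
    root costs another factor 2, close to the slide's 2^76 + 6 2^110 k^2
    (the k^2 term dominates)."""
    return 2 * (2 * T + QH * (2 * QH + QH) * k**2)


def rsa_oaep_pp(k):
    """Essentially linear bound: t' <= t + qE k^2."""
    return T + QH * k**2


def log2_inverter_time(bound, k):
    """log2 of the inverter's time bound for a k-bit modulus."""
    return math.log2(bound(k))


def contradicts_nfs(bound, k):
    """True when the inverter built by the reduction is no faster than NFS,
    i.e. the proof says nothing useful at this key size."""
    return log2_inverter_time(bound, k) > NFS_LOG2[k]


def min_secure_key_size(bound, sizes=(1024, 2048, 4096)):
    """Smallest modulus size at which the bound is meaningful, else None."""
    for k in sizes:
        if not contradicts_nfs(bound, k):
            return k
    return None


def report():
    """Print the slides' three-row comparison for each reduction."""
    for name, bound in [("RSA-FDH (Bellare-Rogaway 96)", fdh_bellare_rogaway),
                        ("RSA-FDH (Coron 00)", fdh_coron),
                        ("RSA-OAEP (Fujisaki-OPS 00)", rsa_oaep),
                        ("RSA-OAEP++ (Jonsson 02)", rsa_oaep_pp)]:
        print(name)
        for k in (1024, 2048, 4096):
            verdict = "no" if contradicts_nfs(bound, k) else "ok"
            print(f"  {k} bits: t' <= 2^{log2_inverter_time(bound, k):.1f}, "
                  f"NFS takes 2^{NFS_LOG2[k]}: {verdict}")
        print(f"  => meaningful from {min_secure_key_size(bound)} bits")


if __name__ == "__main__":
    report()
```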

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V: Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987. 11-15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270-299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference - EUROCRYPT '97, pages 256-266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87-100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Provable Security: Provably Security, The Short Story / The need for Provable Security

The need for Provable Security

Common approach to evaluate security: cryptanalysis driven.

1. Find an interesting cryptographic goal.

2. Propose a solution.

3. Search for an attack (i.e., a bug).

4. If one is found, go back to step 2.

After many iterations, declare it secure.

Problems: When do we stop? Results are not always trustworthy: the Chor-Rivest knapsack scheme took 10 years to be totally broken.

Provable Security: The Recipe

1. Define the goal of the scheme (or of the adversary).

2. Define the attack model.

3. Give a protocol.

4. Define the complexity assumptions (or assumptions on the primitive).

5. Provide a proof by reduction.

6. Verify the proof.

7. Interpret the proof.

The Need of Computational Assumptions

Consider asymmetric cryptography (Diffie-Hellman 76). An encryption scheme $AS = (K, E, D)$ is composed of three algorithms:

$K$: key generation, $r' \to K \to (k_e, k_d)$

$E$: encryption, $(m, r) \to E_{k_e} \to c$

$D$: decryption, $c \to D_{k_d} \to m$ or $\perp$

Unconditional secrecy is not possible

The ciphertext $c = E_{k_e}(m, r)$ is uniquely determined by

the public encryption key $k_e$,

the message $m$,

the random coins $r$.

So at least exhaustive search is possible ⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.


Integer Factoring and RSA

Multiplication vs. Factorization:

$p, q \to n = p\cdot q$ is easy (quadratic)

$n = p\cdot q \to p, q$ is hard (super-polynomial)

This is a one-way function.

RSA Function [Rivest-Shamir-Adleman 78]

The function $f: \mathbb{Z}_n \to \mathbb{Z}_n$, where $n = pq$, for a fixed exponent $e$:

$x \to x^e \bmod n$ (easy, cubic)

$y = x^e \bmod n \to x$ (difficult without $p, q$), but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known.

We measure the advantage of any inverting adversary $A$ by

$\mathrm{Adv}^{\text{rsa}}_{n,e}(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_n^*;\ y = x^e \bmod n:\ A(y) = x\right]$
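The RSA function as a trapdoor one-way permutation, together with the games it is measured by, as an added Python example that is not the slides' code: the easy forward direction, the inverse with the trapdoor $d$, the generic exhaustive-search inverse that the "unconditional secrecy is not possible" slide refers to, the OW-CPA game, and the IND-CPA game from the encryption-notions slides, in which a deterministic scheme such as textbook RSA is distinguished with probability 1. The primes, exponent and messages are constructed toy values and give no security.

```python
import math
import secrets

# Added example, not the slides' code. Toy parameters throughout: the primes
# below are constructed for illustration and the modulus is trivially factored.


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def rsa_keygen(p, q, e=65537):
    """K: from primes p, q and exponent e return ((n, e), (n, d));
    d = e^-1 mod phi(n) is the trapdoor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (n, e), (n, d % phi)


def rsa_forward(pk, x):
    """f(x) = x^e mod n: the easy direction (modular exponentiation)."""
    n, e = pk
    return pow(x, e, n)


def rsa_trapdoor_invert(sk, y):
    """f^-1(y) = y^d mod n: easy only for the owner of the trapdoor d."""
    n, d = sk
    return pow(y, d, n)


def rsa_exhaustive_invert(pk, y):
    """The inverter that always exists: try every x in Z_n until f(x) = y.
    Feasible only because n is tiny; its cost is what an assumption bounds."""
    n, _ = pk
    for x in range(n):
        if rsa_forward(pk, x) == y:
            return x
    return None


def ow_cpa_game(pk, adversary, trials=20):
    """OW-CPA game for textbook RSA: m <-$ Z_n^* is encrypted and the
    adversary(pk, c) must return m. Returns the observed success rate."""
    n, _ = pk
    wins = 0
    for _ in range(trials):
        while True:
            m = secrets.randbelow(n)
            if math.gcd(m, n) == 1:            # sample from Z_n^*
                break
        wins += adversary(pk, rsa_forward(pk, m)) == m
    return wins / trials


def ind_cpa_game(pk, adversary, trials=20):
    """IND-CPA game: adversary(pk) returns (m0, m1, guess); the challenger
    encrypts m_b and guess(c*) must return b. Returns the observed Pr[b' = b],
    the quantity the slides call the advantage."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        m0, m1, guess = adversary(pk)
        c_star = rsa_forward(pk, m1 if b else m0)
        wins += guess(c_star) == b
    return wins / trials


def deterministic_distinguisher(pk):
    """Wins IND-CPA against any deterministic scheme: re-encrypt m0 under the
    public key and compare with the challenge."""
    m0, m1 = 2, 3                              # constructed, distinct messages

    def guess(c_star):
        return 0 if rsa_forward(pk, m0) == c_star else 1

    return m0, m1, guess
```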

The Discrete Logarithm

Let $G = (\langle g\rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$\mathrm{DLog}_g(y) = \min\{x \ge 0 \mid y = g^x\}$

Exponentiation Function: the function $\mathrm{DExp}_g: \mathbb{Z}_q \to G$, where $q = |G|$:

$x \to y = g^x$ (easy, cubic)

$y = g^x \to x$ (difficult, super-polynomial)

$\mathrm{Adv}^{\text{dl}}_g(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x:\ A(y) = x\right]$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

Generalization: One-way functions

One-way Function: the function $f: \mathrm{Dom}(f) \to \mathrm{Rec}(f)$

$x \to y = f(x)$ (easy, polynomial-time)

$y = f(x) \to x$ (difficult for random $x \in \mathrm{Dom}(f)$, at least super-polynomial)

The advantage of an inverting adversary $A$ is thus

$\mathrm{Adv}^{\text{ow}}_f(A) = \Pr\left[x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x):\ A(y) = x\right]$

Resources of $A$: running time $t$ (number of operations); number and length of queries (if in the random oracle model).

Part III: Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$, the public modulus

$e$, the public exponent

$d = e^{-1} \bmod \varphi(n)$, the private exponent

$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let $P$ be a problem. Let $A$ be an adversary that breaks the scheme. Then $A$ can be used to solve $P$:

Instance $I$ of $P$ → [ new algorithm for $P$, which runs adversary $A$ inside ] → solution of $I$

If so, we say solving $P$ reduces to breaking the scheme. Conclusion: if $P$ is intractable, then the scheme is unbreakable.


Provable Security

A misleading name.

We are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some were given already).
2. To define the security notions to be guaranteed (next):
   - the security goal,
   - the attack model.
3. A reduction.

Complexity-theory vs. Exact Security vs. Practical Security

The interpretation of the reduction matters.

Given an adversary A running within time $t$ with success probability $\varepsilon$,
⇒ build an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

- Complexity theory: $T$ polynomial
- Exact security: $T$ explicit
- Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given an adversary A running within time $t$ with success probability $\varepsilon$,
⇒ build an algorithm against P that runs in time $t' = T(t, \varepsilon)$.

Assumption: P is hard = "there is no polynomial-time algorithm".
Reduction: $T$ is polynomial in $t$ and $1/\varepsilon$.
Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers (which have no asymptotic security parameter).


Complexity-theory Security: Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no problems left), but

- the schemes for which these results were originally obtained are rather inefficient;
- looking into the complexity of the reduction may give us some insight.

Exact Security

Given an adversary A which in time $t$ breaks the scheme with probability $\varepsilon$,
⇒ build an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and succeeds with probability $\varepsilon'$.

Assumption: solving P requires $N$ operations (say, time $\tau$).
Reduction: the exact cost $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes).
Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$.

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'/\varepsilon'}{t/\varepsilon} = \dfrac{t'\,\varepsilon}{t\,\varepsilon'}$.

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
2. The attack model:
   - attack venues: what the adversary can and cannot do;
   - leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,
given the verification key $k_v$,
it outputs a pair $(m', \sigma')$ of a message and its signature
such that the following probability is large:

$\Pr[\, Vf(k_v, m', \sigma') = 1 \,]$

Possible Attack Models

- No-Message Attack (NMA): the adversary only knows the verification key.
- Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs it did not choose.
- Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme $\Sigma = (K, Sign, Vf)$:

1. $(k_v, k_s) \xleftarrow{\$} K(\cdot)$.
2. The adversary receives $k_v$; the signing oracle receives $k_s$.
3. The adversary interacts with the signing oracle: on each query $m$ it receives $\sigma \leftarrow Sign(k_s, m)$, for as many adaptively chosen messages as it wants.
4. The adversary outputs $(m', \sigma')$.

$Adv^{euf\text{-}cma}_{\Sigma}(A) = \Pr[\, Vf(k_v, m', \sigma') = 1 \text{ for a new } m' \,]$

(Existential unforgeability under chosen-message attacks.) Here "new" means that $m'$ was never submitted to the signing oracle.

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

- hash functions,
- block ciphers,
- finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

- Hash function → Random oracle
- Block cipher → Ideal cipher
- Finite group → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93].
The hash function $H : \{0,1\}^* \to \mathrm{Rng}(H)$ is analyzed as if it were a perfectly random function:

- each new query receives a random answer in $\mathrm{Rng}(H)$;
- the same query asked twice receives the same answer twice.

But in the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti et al. 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

- K, key generation, returns $(f, f^{-1})$ where the public key is $f : X \to X$, a trapdoor one-way permutation onto $X$, and the private key is $f^{-1}$.
- S, signature of $m$, returns $\sigma \leftarrow f^{-1}(H(m))$.
- V, verification of $(m, \sigma)$, returns true if $f(\sigma) = H(m)$.

Here $H : \{0,1\}^* \to X$ hashes onto the full domain $X$ of $f$ (hence the name).

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f$ = RSA).
For each adversary A there exists an adversary B such that

$Adv^{euf\text{-}cma}_{FDH}(A) \le (q_h + q_s + 1) \cdot Adv^{ow}_{f}(B)$

where

- A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based Proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games, or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ from game to game.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based Proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $Vf(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $Adv^{euf\text{-}cma}_{FDH}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based Proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Keep an initially empty list called H-List.
  If $(q, r) \in$ H-List, return $r$.
  Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$, add the record $(q, r)$ to H-List, and return $r$.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$; reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $Vf(m, \sigma)$:
  $r \leftarrow H(m)$; return true if $r = f(\sigma)$.

The game ends when the verification oracle is called.
Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based Proofs (2/5)

Game $G_2$: as $G_1$, but where

- $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$;
- $c'$ is the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle;
- if $c \neq c'$ then abort.

Since the verification is done within the game, the output message $m'$ is always queried to the hashing oracle (at the latest by Vf), so $c'$ is well defined and $c' \le q_H + q_S + 1$. Let GoodGuess be the event $c = c'$; it is independent of $S_1$, since $c$ is not used before the abort.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based Proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$; otherwise choose $r$ at random. Add the record $(q, r)$ to H-List.

Since $y$ is uniformly distributed in $X$ (it is $f(x)$ for a random $x$, and $f$ is a permutation), the answer to the $c$-th query has the same distribution as before: $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based Proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, every answer $r$ is still uniform in $X$: $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based Proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The message of the $c$-th query is never asked to the signing oracle in a non-aborted run (the forgery must be on a new message, so signing it would mean $c \neq c'$), so the simulation never needs the missing preimage: $\Pr[S_5] = \Pr[S_4]$.

Moreover:

- the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;
- a signature forgery for the message hashed to $y$ gives a preimage of $y$ under $f$.

$\Pr[S_5] = Adv^{ow}_{f}(B)$

where B = $G_5$ runs in time $t + (q_S + q_H)\, T_f$.


Exact Security: FDH Sigs & Game-based Proofs, Conclusion

Combining the relations from the previous games:

$Adv^{ow}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_1] = \dfrac{1}{q_H + q_S + 1} \times \Pr[S_0] = \dfrac{1}{q_H + q_S + 1} \times Adv^{euf\text{-}cma}_{FDH}(A)$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
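The FDH scheme defined above and the reduction B of games G4 and G5, as an added example (not code from the talk): a toy RSA trapdoor permutation, the random oracle implemented as a lazily filled table (Rule H(1)), the real signing and verification algorithms, and a class Reduction that answers the forger's hash and signing queries without $f^{-1}$ by planting the challenge $y$ at the $c$-th fresh hash query and setting every other hash value to $f(s)$ for a known $s$. No real forger exists, so the forger here is a stand-in that cheats with the private key; B treats it as a black box. The primes, messages and query counts are constructed for the demonstration, and the ~40-bit modulus is insecure. Note that $H$ must map onto the full domain $\mathbb{Z}_n$, which the table does and a fixed-length hash such as SHA-1 does not.

```python
"""Toy RSA-FDH and the reduction B of games G4/G5.  Added illustration, not
code from the talk; the ~40-bit modulus is a constructed toy and is insecure."""
import secrets


def keygen(p=1000003, q=1000033, e=65537):
    """f = RSA on X = Z_n: public key (n, e), trapdoor f^-1 = (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # modular inverse, Python 3.8+

def f(pk, x):                                     # forward direction: costs T_f
    return pow(x, pk[1], pk[0])

def f_inv(sk, y):                                 # needs the trapdoor d
    return pow(y, sk[1], sk[0])

class RandomOracle:
    """H : {0,1}* -> Z_n onto the full domain, lazily filled (Rule H(1))."""
    def __init__(self, n):
        self.n, self.table = n, {}
    def __call__(self, m):
        if m not in self.table:                   # fresh query: random answer
            self.table[m] = secrets.randbelow(self.n)
        return self.table[m]                      # repeated query: same answer

def fdh_sign(sk, H, m):                           # S(m) = f^-1(H(m))
    return f_inv(sk, H(m))

def fdh_verify(pk, H, m, sigma):                  # V(m, sigma): f(sigma) = H(m)?
    return f(pk, sigma) == H(m)

class Reduction:
    """Game G5.  B gets pk and a challenge y = f(x), runs the forger A as a
    black box and outputs x.  The c-th fresh hash query is answered with y
    (Rule H(4)); any other fresh query q gets r = f(s) for a random s, stored
    as (q, s, r), so Sign(q) can return s without f^-1 (Rule S(5))."""
    def __init__(self, pk, y, c):
        self.pk, self.y, self.c = pk, y, c
        self.hlist = {}          # H-List: m -> (s, r); s is None for the c-th
        self.fresh_queries = 0   # at most q_H + q_S + 1
        self.f_evaluations = 0   # the (q_H + q_S) forward evaluations of f
    def hash(self, m):
        if m not in self.hlist:
            self.fresh_queries += 1
            if self.fresh_queries == self.c:      # plant the challenge
                self.hlist[m] = (None, self.y)
            else:
                s = secrets.randbelow(self.pk[0])
                self.hlist[m] = (s, f(self.pk, s))
                self.f_evaluations += 1
        return self.hlist[m][1]
    def sign(self, m):
        self.hash(m)                              # a signing query also hashes
        s, _ = self.hlist[m]
        if s is None:                             # A wants the planted message
            raise RuntimeError("abort: c != c'")  # signed: the guess was wrong
        return s
    def run(self, forger):
        """Return a preimage of y, or None when the guess c was wrong."""
        try:
            m_prime, sigma_prime = forger(self.hash, self.sign)
        except RuntimeError:
            return None
        # Vf inside the game: the forgery is useful iff H(m') = y = f(sigma')
        if self.hash(m_prime) == self.y and f(self.pk, sigma_prime) == self.y:
            return sigma_prime
        return None

def make_forger(sk):
    """Stand-in for a hypothetical forger A: none is known, so it cheats with
    the private key.  B only sees 3 fresh hash queries and 2 signing queries;
    the messages are constructed for the demonstration."""
    def forger(hash_oracle, sign_oracle):
        target = b"transfer-everything"
        hash_oracle(b"invoice-1")                 # fresh hash query 1
        sign_oracle(b"invoice-1")                 # repeat: no new H-List entry
        hash_oracle(b"invoice-2")                 # fresh hash query 2
        hash_oracle(target)                       # fresh hash query 3 (c' = 3)
        sign_oracle(b"invoice-2")
        return target, f_inv(sk, hash_oracle(target))
    return forger

def run_reduction(c):
    """Run B with guess c against the stand-in forger: (x, B's output, B)."""
    pk, sk = keygen()
    x = secrets.randbelow(pk[0])
    B = Reduction(pk, f(pk, x), c)                # challenge y = f(x)
    return x, B.run(make_forger(sk)), B

def signatures_verify():
    """Real signatures (G0) and B's simulated ones (G5) both pass Vf."""
    pk, sk = keygen()
    H = RandomOracle(pk[0])
    real_ok = fdh_verify(pk, H, b"m", fdh_sign(sk, H, b"m"))
    B = Reduction(pk, f(pk, 12345), c=99)         # c never reached: no planting
    msgs = [b"m%d" % i for i in range(5)]
    sim_ok = all(fdh_verify(pk, B.hash, m, B.sign(m)) for m in msgs)
    return real_ok and sim_ok and B.f_evaluations == len(msgs)
```

run_reduction(3) returns the planted preimage $x$ because the stand-in forger hashes its target as its third fresh query; run_reduction(1) or run_reduction(2) makes B abort when the forger asks for a signature on the planted message, which is the $1/(q_H + q_S + 1)$ loss in the theorem. B.f_evaluations counts the $(q_H + q_S)$ forward evaluations of $f$ that make up the time overhead $t' - t$, and signatures_verify shows why the forger cannot tell $G_5$ from $G_0$.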

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f$ = RSA).
For each adversary A there exists an adversary B such that

$Adv^{euf\text{-}cma}_{FDH}(A) \le (q_h + q_s + 1) \cdot Adv^{ow}_{f}(B)$

where

- A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are

- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$Adv^{euf\text{-}cma}_{FDH}(A) \le (q_h + q_s + 1) \cdot Adv^{ow}_{f}(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ in time $t + (q_h + q_s) T_f$ with a success probability that is $(q_h + q_s + 1)$ times smaller. Converting that probability loss into time (run B about $(q_h + q_s + 1)$ times to recover A's success probability), inverting $f$ costs

$t' \le (q_h + q_s + 1) \cdot (t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with the known cost of inverting RSA, namely factoring $n$ with the best known algorithm, the Number Field Sieve (NFS), for $f$ = RSA:

- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$: no guarantee
- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$: no guarantee
- 4096 bits → $t' \le 2^{146}$, and NFS takes $2^{149}$: ok

The reduction only yields a contradiction (hence a security guarantee) when the bound on $t'$ is below the cost of the best known attack on $f$.

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^{euf-cma}_{FDH}(A) ≤ q_s · e · Adv^{ow}_f(B)

(here e is Euler's constant, not the RSA exponent), where B runs in time t' = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · T_f, and

1024 bits → t' ≤ 2^105, but NFS takes 2^80

2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e., encryption).

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: b ←$ {0,1}; (k_e, k_d) ←$ K(·); k_e is given to the Adversary.

Adversary (CCA1 phase, before the challenge): queries c, receives m or ⊥, where m ← D_{k_d}(c).

Adversary → Challenger: m_0, m_1 (of the same length).

Challenger → Adversary: c* ← E_{k_e}(m_b).

Adversary (CCA2 phase, after the challenge): queries c ≠ c*, receives m or ⊥, where m ← D_{k_d}(c).

Adversary outputs b'.

Adv^{ind-cca}_{AS}(A) = Pr[ (m_0, m_1) ← A^D(k_e); c* ← E_{k_e}(m_b) : b' = b ]

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^{ow-cpa}_{AS}(A) = Pr[ m ←$ M; c ← E_{k_e}(m) : A(k_e, c) = m ]

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
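The IND-CCA game of the previous slides, played against textbook RSA, as an added example (this is not code from the tutorial or its author). The challenger below implements the page's game: it draws b, hands out k_e, answers decryption queries before and after the challenge, and returns ⊥ (None) only for c = c*. The toy primes 61 and 53 are constructed values for illustration; the two adversaries show the two facts stated on this slide, that a deterministic scheme fails IND-CPA (re-encrypt m_0 and compare) and that a multiplicative scheme fails IND-CCA (ask the oracle about a ciphertext related to c*, which the rules allow).

```python
import secrets

# Constructed toy textbook-RSA parameters (tiny, for the game only; not values from the page)
P, Q, E = 61, 53, 17
N = P * Q                           # 3233
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753


def rsa_keygen():
    """K(.): returns (k_e, k_d); nothing random here because the toy primes are fixed."""
    return (N, E), (N, D)


def rsa_enc(ke, m):
    """E_{k_e}(m) = m^e mod n: deterministic, which is exactly what the game punishes."""
    n, e = ke
    return pow(m, e, n)


def rsa_dec(kd, c):
    n, d = kd
    return pow(c, d, n)


class IndCcaChallenger:
    """The IND-CCA2 challenger of the page: draws b, hands out k_e, answers decryption
    queries before and after the challenge, but returns bottom (None) for c == c*."""

    def __init__(self, keygen, enc, dec):
        self.ke, self._kd = keygen()
        self.enc, self._dec = enc, dec
        self.b = secrets.randbelow(2)
        self.c_star = None

    def challenge(self, m0, m1):
        """Encrypts m_b; the two messages must differ but have the same length."""
        assert m0 != m1 and m0.bit_length() == m1.bit_length()
        self.c_star = self.enc(self.ke, (m0, m1)[self.b])
        return self.c_star

    def decrypt(self, c):
        if c == self.c_star:
            return None          # the one forbidden query
        return self._dec(self._kd, c)


def play(adversary, keygen=rsa_keygen, enc=rsa_enc, dec=rsa_dec):
    """One run of the game; True if the adversary's guess b' equals b."""
    ch = IndCcaChallenger(keygen, enc, dec)
    return adversary(ch) == ch.b


def success_probability(adversary, trials=200):
    """Estimates Pr[b' = b], the quantity the page calls Adv^{ind-cca}_{AS}(A)."""
    return sum(play(adversary) for _ in range(trials)) / trials


def cpa_adversary(ch):
    """Uses only k_e: re-encrypts m0 and compares with c*. Always wins against a
    deterministic scheme, so textbook RSA is not even IND-CPA."""
    m0, m1 = 5, 6
    c_star = ch.challenge(m0, m1)
    return 0 if ch.enc(ch.ke, m0) == c_star else 1


def cca_adversary(ch):
    """Uses the decryption oracle on a ciphertext related to c* by multiplicativity:
    D(c* * 2^e) = 2 * m_b, and that query is allowed because it differs from c*."""
    m0, m1 = 5, 6
    c_star = ch.challenge(m0, m1)
    n, e = ch.ke
    doubled = ch.decrypt((c_star * pow(2, e, n)) % n)
    return 0 if doubled == (2 * m0) % n else 1


def guessing_adversary(ch):
    """Baseline: ignores everything and flips a coin, so Pr[b' = b] = 1/2."""
    ch.challenge(5, 6)
    return secrets.randbelow(2)
```

Swapping in a randomized, non-malleable scheme (such as the OAEP construction discussed later) makes both adversaries drop to the guessing baseline; the harness itself does not change, which is the point of defining security as a game.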

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k_0, k_1 integers such that n > k_0 + k_1, with

G: {0,1}^{k_0} → {0,1}^{n-k_0}

H: {0,1}^{n-k_0} → {0,1}^{k_0}

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.
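An implementation of f-OAEP as an added example (not code from the tutorial or from Bellare-Rogaway). The slide's figure defining x and y is missing from the transcript; the block uses the standard OAEP transform x = (m || 0^{k_1}) ⊕ G(r), y = r ⊕ H(x), with G and H simulated by SHA-256 with domain separation. The trapdoor permutation f is a toy RSA over two Mersenne primes and the parameters n = 88, k_0 = k_1 = 16 are constructed for this example so that an n-bit block is below the modulus; nothing here is sized for real use. `tamper_rejections` exercises the redundancy check on a multiplicatively modified ciphertext, the kind of query the IND-CCA adversary on the previous slides relied on.

```python
import hashlib
import secrets

# Toy trapdoor permutation f = RSA over two Mersenne primes (constructed here; not page values).
P = 2**31 - 1
Q = 2**61 - 1
MODULUS = P * Q                             # about 92 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # the trapdoor

# OAEP parameters (bits) in the page's notation: n > k0 + k1, and an n-bit block x||y
# must be below the modulus so that f acts as a permutation on it.
N_BITS, K0, K1 = 88, 16, 16
MSG_BITS = N_BITS - K0 - K1                 # 56-bit messages


def _oracle(label, data, out_bits):
    """Stand-in for a random oracle: the top out_bits bits of SHA-256(label || data)."""
    digest = hashlib.sha256(label + data).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0)"""
    return _oracle(b"G", r.to_bytes(K0 // 8, "big"), N_BITS - K0)


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0"""
    return _oracle(b"H", x.to_bytes((N_BITS - K0) // 8, "big"), K0)


def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r), y = r xor H(x): the Bellare-Rogaway OAEP transform."""
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return x, y


def oaep_unpad(x, y):
    """Inverts the transform and checks the k1 zero bits of redundancy; None means reject."""
    r = y ^ H(x)
    z = x ^ G(r)
    if z & ((1 << K1) - 1):
        return None
    return z >> K1


def f(v):
    return pow(v, E, MODULUS)


def f_inv(c):
    return pow(c, D, MODULUS)


def encrypt(m, r=None):
    """E(m, r): c = f(x || y), with fresh random r unless one is supplied (for tests)."""
    if not 0 <= m < 1 << MSG_BITS:
        raise ValueError("message must fit in n - k0 - k1 bits")
    if r is None:
        r = secrets.randbits(K0)
    x, y = oaep_pad(m, r)
    return f((x << K0) | y)


def decrypt(c):
    """D(c): x || y = f^-1(c), then unpad; a malformed or tampered block yields None."""
    if not 0 <= c < MODULUS:
        return None
    v = f_inv(c)
    if v >> N_BITS:                          # not an n-bit block at all
        return None
    return oaep_unpad(v >> K0, v & ((1 << K0) - 1))


def tamper_rejections(m, attempts=8):
    """Counts how often D rejects c * f(2): the multiplicativity that breaks textbook RSA
    is caught by the redundancy check (a forgery survives with probability about 2^-k1)."""
    rejected = 0
    for _ in range(attempts):
        c = encrypt(m)
        if decrypt((c * f(2)) % MODULUS) is None:
            rejected += 1
    return rejected
```

Because r is fresh per encryption, two encryptions of the same message differ, which removes the deterministic-scheme distinguisher; the k_1 redundancy bits are what make decryption of a modified block fail instead of returning a related plaintext.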

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · sqrt( Adv^{rsa}_{n,e}(B) )

where B runs in time t' = 2 · t + q_H (2 · q_G + q_H) · k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t),

at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
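The "interpret the proof" step carried out in code, as an added example (not code from the tutorial): it evaluates the four inversion-time bounds stated on the preceding slides (RSA-FDH with the Bellare-Rogaway and the Coron reductions, RSA-OAEP, RSA-OAEP++) under the page's resource assumptions t = 2^75, q_h = q_H = q_G = q_E = 2^55, q_s = 2^30, and compares each with the NFS cost table quoted earlier. It follows the page in taking T_f = k^3 for the first FDH bound and k^2 for the others, and in dropping Euler's constant from Coron's bound. The slides round their intermediate constants upward (for example 2^133 for RSA-OAEP at 1024 bits, where the literal formula gives about 2^131.6), so the exponents printed here are a little lower, but the verdicts and the minimum key sizes agree with the slides.

```python
import math

# Cost of inverting RSA by factoring with the NFS, log2(operations), from the
# Lenstra-Verheul estimates quoted on the page.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the page (all as log2).
T_LOG2, QH_LOG2, QS_LOG2 = 75, 55, 30


def fdh_bellare_rogaway(k):
    """Bellare-Rogaway FDH bound: t' <= (q_h + q_s + 1) * (t + (q_h + q_s) * T_f), T_f = k^3."""
    t, qh, qs, tf = 2**T_LOG2, 2**QH_LOG2, 2**QS_LOG2, k**3
    return (qh + qs + 1) * (t + (qh + qs) * tf)


def fdh_coron(k):
    """Coron's bound: the advantage loses only a factor q_s * e, so inversion costs about
    q_s * (t + (q_h + q_s + 1) * T_f); the page takes T_f = k^2 here and drops e."""
    t, qh, qs, tf = 2**T_LOG2, 2**QH_LOG2, 2**QS_LOG2, k**2
    return qs * (t + (qh + qs + 1) * tf)


def rsa_oaep(k):
    """Fujisaki-Okamoto-Pointcheval-Stern: t' = 2t + q_H (2 q_G + q_H) k^2, q_H = q_G = 2^55."""
    t, qh, qg = 2**T_LOG2, 2**QH_LOG2, 2**QH_LOG2
    return 2 * t + qh * (2 * qg + qh) * k**2


def rsa_oaep_pp(k):
    """Jonsson's OAEP++: t' = t + q_E k^2, q_E = 2^55."""
    t, qe = 2**T_LOG2, 2**QH_LOG2
    return t + qe * k**2


def inversion_cost_log2(bound, k):
    """log2 of the time the reduction needs to invert k-bit RSA."""
    return math.log2(bound(k))


def reduction_is_meaningful(bound, k):
    """The reduction rules out the assumed adversary only if inverting RSA through it
    would be no cheaper than the best known direct attack (NFS)."""
    return inversion_cost_log2(bound, k) <= NFS_LOG2[k]


def smallest_secure_modulus(bound):
    """First modulus size in the page's table for which the bound beats NFS, or None."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(bound, k):
            return k
    return None


if __name__ == "__main__":
    schemes = [("RSA-FDH (BR96)", fdh_bellare_rogaway), ("RSA-FDH (Coron)", fdh_coron),
               ("RSA-OAEP", rsa_oaep), ("RSA-OAEP++", rsa_oaep_pp)]
    for name, bound in schemes:
        for k in sorted(NFS_LOG2):
            verdict = "ok" if reduction_is_meaningful(bound, k) else "no"
            cost = inversion_cost_log2(bound, k)
            print(f"{name:16s} {k:5d} bits: t' <= 2^{cost:.1f}, NFS 2^{NFS_LOG2[k]}: {verdict}")
        print(f"{name:16s} secure from {smallest_secure_modulus(bound)} bits")
```

The gap between the two FDH rows is the whole practical content of "tightness": the same scheme under the same assumption is certified at 2048 bits by one reduction and only at 4096 bits by the other.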

Revisiting the Assumptions

Classical assumptions:

Integer Factoring

Discrete Logarithm (in finite fields and in elliptic curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V: Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC, ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References

Provable Security: The Short Story / The Need for Provable Security

Provable Security: The Recipe

1. Define the goal of the scheme (or of the adversary)

2. Define the attack model

3. Give a protocol

4. Define the complexity assumptions (or the assumptions on the primitive)

5. Provide a proof by reduction

6. Verify the proof

7. Interpret the proof

The Need for Computational Assumptions

Consider asymmetric cryptography (Diffie-Hellman 76). An encryption scheme AS = (K, E, D) is composed of three algorithms:

K: key generation

E: encryption

D: decryption

r' → K → (k_e, k_d)

m, r → E_{k_e} → c → D_{k_d} → m or ⊥

Unconditional secrecy is not possible

The ciphertext c = E_{k_e}(m, r) is uniquely determined by:

the public encryption key k_e,

the message m,

the random coins r.

So at least exhaustive search is possible ⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.


Integer Factoring and RSA

Multiplication vs. factorization:

p, q → n = p · q is easy (quadratic)

n = p · q → p, q is hard (super-polynomial)

This is a one-way function.

RSA Function [Rivest-Shamir-Adleman 78]

The function f: Z_n → Z_n, where n = pq, for a fixed exponent e:

x → x^e mod n (easy, cubic)

y = x^e mod n → x (difficult without p, q)

but easy, x = y^d mod n, if the trapdoor d = e^{-1} mod φ(n) is known.

We measure the advantage of any inverting adversary A by

Adv^{rsa}_{n,e}(A) = Pr[ x ←$ Z_n^*; y = x^e mod n : A(y) = x ]

The Discrete Logarithm

Let G = (⟨g⟩, ×) be any finite cyclic group. For any y ∈ G we define

DLog_g(y) = min { x ≥ 0 | y = g^x }

Exponentiation Function

The function DExp_g: Z_q → G, where q = |G|:

x → y = g^x (easy, cubic)

y = g^x → x (difficult, super-polynomial)

Adv^{dl}_g(A) = Pr[ x ←$ Z_q; y = g^x : A(y) = x ]

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in Z_p^*.

Generalization: One-way Functions

One-way Function: the function f: Dom(f) → Rec(f)

x → y = f(x) (easy, polynomial-time)

y = f(x) → x (difficult for random x ∈ Dom(f), at least super-polynomial)

The advantage of an inverting adversary A is thus

Adv^{ow}_f(A) = Pr[ x ←$ Dom(f); y = f(x) : A(y) = x ]

Resources of A:

running time t (number of operations);

number & length of queries (if in the random oracle model).
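The one-wayness advantage of the last three slides measured experimentally, as an added example (not code from the tutorial): the harness `ow_advantage` samples x ←$ Dom(f), hands y = f(x) to the adversary and counts successes, for f = RSA and for f = DExp_g. The adversary is the exhaustive search that the "unconditional secrecy is not possible" slide says is always available, given a running-time budget t; because both toy functions are bijections on their domain, its advantage is t / |Dom(f)|, which is the time-versus-success tradeoff that exact security later makes explicit. The instances (n = 61 · 53 with e = 17, and the group ⟨5⟩ = Z_23^* of order 22) are constructed for this example and are tiny on purpose.

```python
import math
import secrets

# Toy instances (constructed here, tiny on purpose; not parameters from the page)
RSA_N, RSA_E = 61 * 53, 17          # f(x) = x^e mod n on Z_n^*
DL_P, DL_G = 23, 5                  # G = <5> = Z_23^*, a cyclic group of order q = 22
DL_Q = DL_P - 1


def rsa_forward(x):
    return pow(x, RSA_E, RSA_N)


def rsa_sample():
    """x <-$ Z_n^*: uniform among the units of Z_n."""
    while True:
        x = secrets.randbelow(RSA_N - 1) + 1
        if math.gcd(x, RSA_N) == 1:
            return x


def dexp_forward(x):
    return pow(DL_G, x, DL_P)


def dexp_sample():
    """x <-$ Z_q."""
    return secrets.randbelow(DL_Q)


def exhaustive_inverter(forward, candidates, budget):
    """Adversary with running time t = budget: evaluates f on at most `budget`
    domain elements and answers the first preimage it finds (None otherwise)."""
    def adversary(y):
        for x in candidates[:budget]:
            if forward(x) == y:
                return x
        return None
    return adversary


def ow_advantage(forward, sample, adversary, trials=2000):
    """Estimates Adv^{ow}_f(A) = Pr[x <-$ Dom(f); y = f(x) : A(y) = x] by sampling."""
    wins = 0
    for _ in range(trials):
        x = sample()
        if adversary(forward(x)) == x:
            wins += 1
    return wins / trials


# Dom(f) for each instance; the inverter walks these in order, so with budget t
# it succeeds exactly when the sampled x lies among the first t elements.
RSA_DOMAIN = [x for x in range(1, RSA_N) if math.gcd(x, RSA_N) == 1]   # |Z_n^*| = 3120
DL_DOMAIN = list(range(DL_Q))

if __name__ == "__main__":
    for budget in (0, DL_Q // 2, DL_Q):
        adv = ow_advantage(dexp_forward, dexp_sample,
                           exhaustive_inverter(dexp_forward, DL_DOMAIN, budget))
        print(f"DExp, t = {budget:2d} operations: Adv ~ {adv:.2f} (t/|Dom| = {budget / DL_Q:.2f})")
```

Scaling the same experiment up is what the NFS table on the "How hard are these problems?" slide summarises: for real key sizes the budget needed for a non-negligible advantage is the 2^80 to 2^149 operations listed there, not |Dom(f)| / 2.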

Part III: Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

n = pq is the public modulus,

e is the public exponent,

d = e^{-1} mod φ(n) is the private exponent,

E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n.

Underlying hard problem: computing m from c = E_{n,e}(m) for m ←$ Z_n^*.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P:

Instance I of P → [ new algorithm for P, which runs adversary A ] → solution of I

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.


Provable Security: A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given above)

2. To define the security notions to be guaranteed (next): the security goal and the attack model

3. A reduction

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial
Exact security: T explicit
Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"
Reduction: T is polynomial in t and ε
Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security Results

General Results

Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption
2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: Solving P requires N operations (say time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: There is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′·ε)/(t·ε′) = (t′/ε′)/(t/ε).

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= opposite to the adversary's goal):
   the property that needs to be guaranteed
2. Attack model:
   Attack venues: what the adversary can and cannot do
   Leaked information: what the adversary can learn from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key kv, it outputs a pair (m′, σ′) of a message and its signature such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key
Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs
Chosen-Message Attack (CMA): the adversary can choose the messages for which he sees the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]

Given signature scheme Σ = (K, Sign, Vf):

(kv, ks) ←$ K(·)

kv is handed to the Adversary; ks is handed to the Signing Oracle.

Adversary ⇄ Signing Oracle: the adversary sends m and receives σ ← Sign(ks, m), repeatedly (m →, σ ←, ···).

The Adversary finally outputs (m′, σ′).

Adv^euf-cma_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions
Block ciphers
Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle
Block ciphers → Ideal cipher
Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].

Hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).
The same query asked twice receives the same answer twice.

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^−1) where
   Public key: f: X → X, a trapdoor one-way permutation onto X
   Private key: f^−1
S: Signature of m returns σ ← f^−1(H(m))
V: Verification of (m, σ) returns true if f(σ) = H(m)

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
Tf is the time to compute f (in the forward direction);
B runs in time t′ = t + (qh + qs) · Tf.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly, Adv^euf-cma_FDH(A) = Pr[ S0 ].

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
   Create an initially empty list called H-List.
   If (q, r) ∈ H-List, return r.
   Otherwise, reply using Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m):
   r ← H(m). Reply using Rule S(1): σ ← f^−1(r).

Verification oracle Vf(m, σ):
   r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly, Pr[ S1 ] = Pr[ S0 ].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

c ←$ {1, ..., qH + qS + 1}

Let c′ = index of the first query where message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
         = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
         ≥ Pr[ S1 ] × 1/(qH + qS + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): If this is the c-th query, set r ← y. Otherwise choose r at random. Add record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random (and y is itself uniformly distributed in X), Pr[ S3 ] = Pr[ S2 ].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
   If this is the c-th query, set r ← y and s ← ⊥.
   Otherwise choose random s ←$ X and compute r ← f(s).
   Add record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[ S4 ] = Pr[ S3 ].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^−1.

Rule S(5): Look up (m, s, r) in H-List and set σ ← s.

Since the c-th hash query (the forgery message, which must be new) cannot be asked to the signing oracle, Pr[ S5 ] = Pr[ S4 ].

Moreover,

the simulation can be done computing (qS + qH) evaluations of f;
a signature forgery for y gives a preimage for y.

Pr[ S5 ] = Adv^ow_f(B)

where B = G5 runs in time t + (qS + qH)·Tf.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

Adv^ow_f(B) = Pr[ S5 ] = Pr[ S4 ] = Pr[ S3 ] = Pr[ S2 ]
            ≥ 1/(qH + qS + 1) × Pr[ S1 ]
            ≥ 1/(qH + qS + 1) × Pr[ S0 ]
            = 1/(qH + qS + 1) × Adv^euf-cma_FDH(A)

Game-playing proofs: In general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
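The FDH scheme of slide 38 and the simulator B built through games G1 to G5, as an added example that is not from the slides: a toy RSA trapdoor permutation, FDH sign/verify, and a reduction that answers hash queries with r = f(s) for a known s, plants the challenge y at the guessed position c, signs from H-List without f^−1, and turns a forgery into a preimage of y. Assumptions: tiny constructed primes (insecure, demo only), SHA-256 truncated to |N| bits as the full-domain hash, and a constructed stand-in adversary that knows f^−1 so that a forgery always occurs.

```python
import hashlib
import random

# Added example, not from the slides: toy RSA-FDH plus the simulator B of
# games G1-G5.  Assumptions: tiny constructed primes (insecure, demo only),
# SHA-256 truncated to |N| bits as the full-domain hash H: {0,1}* -> Z_N.
P, Q = 10007, 10009                  # constructed toy primes, NOT a real key size
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # trapdoor exponent; needs Python 3.8+


def f(x):
    """Public trapdoor one-way permutation f: X -> X with X = Z_N (RSA)."""
    return pow(x, E, N)


def f_inv(y):
    """Private trapdoor f^-1 (the signer's secret)."""
    return pow(y, D, N)


def H(m):
    """Full-domain hash onto Z_N: truncate SHA-256 to |N| bits, resample if >= N."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(m + ctr.to_bytes(4, "big")).digest(), "big")
        h >>= 256 - N.bit_length()
        if h < N:
            return h
        ctr += 1


def fdh_sign(m):
    """S: sigma <- f^-1(H(m))."""
    return f_inv(H(m))


def fdh_verify(m, sigma):
    """V: true iff f(sigma) = H(m)."""
    return f(sigma) == H(m)


def simulator_B(adversary, y, c):
    """Game G5: run A against simulated oracles and try to return a preimage
    of the challenge y under f, never using f^-1.  c is the guessed index
    (Game G2) of the hash query on the forged message."""
    h_list = {}                      # q -> (s, r): r = H(q), s = f^-1(r) or None
    count = [0]                      # number of distinct hash queries so far
    signed = set()

    def hash_oracle(q):
        if q in h_list:              # same query, same answer (random oracle)
            return h_list[q][1]
        count[0] += 1
        if count[0] == c:            # Rule H(3)/H(4): plant y, s <- bottom
            h_list[q] = (None, y)
        else:                        # Rule H(4): r = f(s) for random s, so s is known
            s = random.randrange(1, N)
            h_list[q] = (s, f(s))
        return h_list[q][1]

    def sign_oracle(m):
        hash_oracle(m)               # Rule S(5): answer from H-List, no f^-1 needed
        s, _ = h_list[m]
        if s is None:                # planted query: B cannot sign it, so abort
            raise RuntimeError("abort: signature requested on the c-th query")
        signed.add(m)
        return s

    m_prime, sigma = adversary(hash_oracle, sign_oracle)
    r = hash_oracle(m_prime)         # Vf queries H(m') as in G1
    if m_prime not in signed and f(sigma) == r and r == y:
        return sigma                 # forgery on the planted value is a preimage of y
    return None


def trapdoor_adversary(hash_oracle, sign_oracle):
    """Constructed stand-in for A that knows f^-1, so it always forges; the
    reduction must still turn its forgery into a preimage of y."""
    for m in (b"msg-0", b"msg-1", b"msg-2"):
        hash_oracle(m)
    sign_oracle(b"msg-1")
    target = b"forge-me"             # new message: its hash is the 4th distinct query
    return target, f_inv(hash_oracle(target))


def run_reduction(max_c=5):
    """Try every guess c; for the right c, B inverts f on a fresh challenge.
    Returns (True, c) on the first success, (False, None) otherwise."""
    x = random.randrange(1, N)
    y = f(x)
    for c in range(1, max_c + 1):
        try:
            x_found = simulator_B(trapdoor_adversary, y, c)
        except RuntimeError:         # wrong guess: planted query was sent for signing
            continue
        if x_found is not None and f(x_found) == y:
            return x_found == x, c
    return False, None


if __name__ == "__main__":
    print("FDH round trip:", fdh_verify(b"hello", fdh_sign(b"hello")))
    print("reduction inverted f, (ok, c) =", run_reduction())
```

Only the guess c = 4 succeeds here, which is the 1/(qH + qS + 1) factor of the theorem made visible: every other guess either aborts in the signing oracle or ends with a forgery on a value whose preimage B already knew.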

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
Tf is the time to compute f (in the forward direction);
B runs in time t′ = t + (qh + qs) · Tf.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most 2^75 operations (t),
at most 2^55 hash queries (qh), and
at most 2^30 signing queries (qs).

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)
B runs in time t′ = t + (qh + qs) · Tf

The result now says:

Interpreting the Result: If one can break the scheme with time t, then one can invert f within time t′ ≤ (qh + qs + 1)(t + (qh + qs) · Tf) ≤ 2^130 + 2^110 · Tf.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t′ ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t′ ≤ 2^140, but NFS takes 2^80
2048 bits → t′ ≤ 2^143, but NFS takes 2^111
4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries.

So inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits $\rightarrow$ $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e., encryption).

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the Challenger and the Adversary $A$ is:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the adversary.

Adversary: may query the decryption oracle with any ciphertext $c$ and receive $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$); then outputs $m_0, m_1$.

Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$; sends $c^*$.

Adversary: in CCA2 (but not in CCA1), may keep querying the decryption oracle on any $c \neq c^*$, receiving $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$); finally outputs a guess $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\; c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\left[m \xleftarrow{\$} M,\; c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
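An added example (not part of the slides) that runs the IND-CCA2 game defined above against two toy schemes and shows the two failures just stated: textbook RSA loses to an adversary that never touches the decryption oracle because encryption is deterministic, and ElGamal loses to a CCA2 adversary that exploits multiplicativity. The key material is constructed for illustration (a 12-bit RSA modulus, a 2039-bit-free tiny safe prime); the game harness, adversary names and `win_rate` are this example's own.

```python
import secrets

# --- Textbook RSA with a constructed toy key: n = 61 * 53, e = 17, d = e^-1 mod phi(n)
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def rsa_keygen():
    return (RSA_N, RSA_E), (RSA_N, RSA_D)


def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)            # deterministic: the same m always gives the same c


def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)


# --- ElGamal in the order-q subgroup of Z_p^* for a constructed toy safe prime.
EG_P, EG_Q = 2039, 1019            # p = 2q + 1, both prime
EG_G = 4                           # a quadratic residue, so it has order q


def eg_keygen():
    x = 1 + secrets.randbelow(EG_Q - 1)
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x


def eg_enc(pk, m):
    p, g, y = pk
    r = 1 + secrets.randbelow(EG_Q - 1)
    return (pow(g, r, p), m * pow(y, r, p) % p)


def eg_dec(sk, c):
    c1, c2 = c
    return c2 * pow(pow(c1, sk, EG_P), -1, EG_P) % EG_P


def ind_cca2_game(keygen, enc, dec, adversary):
    """One run of the IND-CCA2 experiment from the slide. `adversary` maps
    (k_e, decryption oracle) to (m0, m1, guess), where guess(c*) returns b'.
    The oracle answers every query except the challenge itself (None plays the
    role of the bottom symbol). Returns True iff b' == b."""
    pk, sk = keygen()
    challenge = []

    def dec_oracle(c):
        if challenge and c == challenge[0]:
            return None             # c = c* is the one forbidden query
        return dec(sk, c)

    m0, m1, guess = adversary(pk, dec_oracle)
    b = secrets.randbelow(2)
    c_star = enc(pk, (m0, m1)[b])
    challenge.append(c_star)
    return guess(c_star) == b


def rsa_cpa_adversary(pk, dec_oracle):
    """Never queries the oracle, so this is already a CPA adversary: it
    re-encrypts m0 under the public key and compares with c*."""
    m0, m1 = 2, 3
    return m0, m1, (lambda c_star: 0 if c_star == rsa_enc(pk, m0) else 1)


def elgamal_cca2_adversary(pk, dec_oracle):
    """Multiplicativity: (c1, 2*c2) encrypts 2*m_b and differs from c*, so the
    oracle decrypts it; dividing by 2 recovers m_b."""
    p = pk[0]
    m0, m1 = 5, 7

    def guess(c_star):
        c1, c2 = c_star
        m_twice = dec_oracle((c1, 2 * c2 % p))
        return 0 if m_twice * pow(2, -1, p) % p == m0 else 1

    return m0, m1, guess


def win_rate(keygen, enc, dec, adversary, trials=200):
    """Pr[b' = b] over independent games; 0.5 is what guessing achieves."""
    wins = sum(ind_cca2_game(keygen, enc, dec, adversary) for _ in range(trials))
    return wins / trials
```

Both adversaries win every game without ever recovering a secret key, which is exactly why IND-CPA/IND-CCA are stronger goals than OW-CPA.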

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size, and $e$ is small.

So inverting $f$ can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits $\rightarrow$ $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.
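An added example (not from the slides) that carries the exact-security arithmetic of the four reductions above (FDH, FDH with Coron's reduction, RSA-OAEP, RSA-OAEP++) through in code: it plugs the slides' resource bounds into each stated formula for $t'$ and compares the result with the NFS cost table. It follows each slide's own convention for $T_f$ ($k^3$ on the FDH slide, $k^2$ in the later arithmetic) and, like the Coron slide, drops the constant $e$ from that bound's loss factor; the function names are this example's own.

```python
import math

# NFS factoring cost for a k-bit modulus, log2(operations), as tabulated on the
# slides (Lenstra-Verheul estimates).
NFS_LOG2_OPS = {512: 58, 1024: 80, 2048: 111, 4096: 149, 8192: 201}

# Feasible adversary resources assumed on the slides.
T_ADV = 2 ** 75       # running time t of the scheme breaker A
Q_HASH = 2 ** 55      # random-oracle queries (q_h; also q_H and q_G for OAEP)
Q_SIGN = 2 ** 30      # signing queries q_s
Q_CIPHER = 2 ** 55    # ideal-cipher queries q_E for OAEP++


def inverter_time(scheme, k):
    """Running time t' of the RSA inverter B that the reduction for `scheme`
    builds from A, for a k-bit modulus. Each formula is the one the slides
    state; the cost T_f of one forward RSA computation follows the slide's
    own convention (k^3 on the FDH slide, k^2 in the later arithmetic)."""
    if scheme == "FDH":            # Bellare-Rogaway 96: loss factor q_h + q_s + 1
        tf = k ** 3
        return (Q_HASH + Q_SIGN + 1) * (T_ADV + (Q_HASH + Q_SIGN) * tf)
    if scheme == "FDH-Coron":      # Coron 2000: loss factor q_s (constant e dropped)
        tf = k ** 2
        return Q_SIGN * (T_ADV + (Q_HASH + Q_SIGN + 1) * tf)
    if scheme == "RSA-OAEP":       # Fujisaki-Okamoto-Pointcheval-Stern 2000
        return 2 * T_ADV + Q_HASH * (2 * Q_HASH + Q_HASH) * k ** 2
    if scheme == "RSA-OAEP++":     # Jonsson 2002
        return T_ADV + Q_CIPHER * k ** 2
    raise ValueError(f"unknown scheme {scheme!r}")


def log2_inverter_time(scheme, k):
    """log2 of t', directly comparable with the NFS table."""
    return math.log2(inverter_time(scheme, k))


def reduction_is_meaningful(scheme, k):
    """The reduction rules out a breaker only if the inverter it yields would
    beat the best known factoring algorithm, i.e. t' < NFS cost."""
    return log2_inverter_time(scheme, k) < NFS_LOG2_OPS[k]


def minimum_meaningful_keysize(scheme):
    """Smallest tabulated modulus size for which the reduction says something."""
    for k in sorted(NFS_LOG2_OPS):
        if reduction_is_meaningful(scheme, k):
            return k
    return None


if __name__ == "__main__":
    for scheme in ("FDH", "FDH-Coron", "RSA-OAEP", "RSA-OAEP++"):
        for k in (1024, 2048, 4096):
            verdict = "ok" if reduction_is_meaningful(scheme, k) else "no"
            print(f"{scheme:10s} {k:5d} bits: t' <= 2^{log2_inverter_time(scheme, k):.1f}, "
                  f"NFS 2^{NFS_LOG2_OPS[k]}: {verdict}")
        print(f"{scheme:10s} -> meaningful for keys of at least "
              f"{minimum_meaningful_keysize(scheme)} bits")
```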

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.

Drawbacks: require large keys if in finite fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes, David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography, Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security, Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin – Heidelberg – New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References

Provable Security / Provably Security: The Short Story / The need for Provable Security

The Need of Computational Assumptions

Consider asymmetric cryptography (Diffie-Hellman 76). An encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is composed of three algorithms:

$\mathcal{K}$: key generation

$\mathcal{E}$: encryption

$\mathcal{D}$: decryption

$r' \longrightarrow \mathcal{K} \longrightarrow (k_e, k_d)$

$m, r \longrightarrow \mathcal{E}_{k_e} \longrightarrow c \longrightarrow \mathcal{D}_{k_d} \longrightarrow m$ or $\bot$

Unconditional secrecy is not possible

The ciphertext $c = \mathcal{E}_{k_e}(m, r)$ is uniquely determined by

the public encryption key $k_e$,

the message $m$,

the random coins $r$.

So at least exhaustive search is possible.

$\Rightarrow$ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.


Integer Factoring and RSA

Multiplication vs. Factorization

$p, q \rightarrow n = p \cdot q$ is easy (quadratic).

$n = p \cdot q \rightarrow p, q$ is hard (super-polynomial).

One-way function.

RSA Function [Rivest-Shamir-Adleman 78]

The function $f: \mathbb{Z}_n \rightarrow \mathbb{Z}_n$, where $n = pq$, for a fixed exponent $e$:

$x \rightarrow x^e \bmod n$ (easy, cubic)

$y = x^e \bmod n \rightarrow x$ (difficult without $p, q$)

but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known.

We measure the advantage of any inverting adversary $A$ by

$\mathrm{Adv}^{\text{rsa}}_{n,e}(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_n^*,\; y = x^e \bmod n : A(y) = x\right]$

The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$\mathrm{DLog}_g(y) = \min\{x \ge 0 \mid y = g^x\}$

Exponentiation Function

The function $\mathrm{DExp}_g: \mathbb{Z}_q \rightarrow G$, where $q = |G|$:

$x \rightarrow y = g^x$ (easy, cubic)

$y = g^x \rightarrow x$ (difficult, super-polynomial)

$\mathrm{Adv}^{\text{dl}}_{g}(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_q,\; y = g^x : A(y) = x\right]$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]

Modulus (bits)   MIPS-years (log2)   Operations (log2)
512              13                  58
1024             35                  80
2048             66                  111
4096             104                 149
8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

Generalization: One-way functions

One-way Function

The function $f: \mathrm{Dom}(f) \rightarrow \mathrm{Rec}(f)$:

$x \rightarrow y = f(x)$ (easy, polynomial-time)

$y = f(x) \rightarrow x$ (difficult for random $x \in \mathrm{Dom}(f)$, at least super-polynomial)

The advantage of an inverting adversary $A$ is thus

$\mathrm{Adv}^{\text{ow}}_{f}(A) = \Pr\left[x \xleftarrow{\$} \mathrm{Dom}(f),\; y = f(x) : A(y) = x\right]$

Resources of $A$:

Running time $t$ (number of operations)

Number & length of queries (if in the random oracle model)

Part III

Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$, public modulus

$e$, public exponent

$d = e^{-1} \bmod \varphi(n)$, private exponent

$\mathcal{E}_{n,e}(m) = m^e \bmod n$ and $\mathcal{D}_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = \mathcal{E}_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy, $\Rightarrow$ THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let $P$ be a problem.

Let $A$ be an adversary that breaks the scheme.

Then $A$ can be used to solve $P$:

Instance $I$ of $P$ $\longrightarrow$ [ new algorithm for $P$, which runs the adversary $A$ as a subroutine ] $\longrightarrow$ solution of $I$

If so, we say solving $P$ reduces to breaking the scheme.

Conclusion: if $P$ is intractable, then the scheme is unbreakable.


Provable Security

A misleading name: not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

$\Rightarrow$ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given).
2. To define the security notions to be guaranteed (next):
   Security goal
   Attack model
3. A reduction.

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε
⇒ Build: Algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial
Exact security: T explicit
Practical security: T small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: Algorithm against P that runs in time t' = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;
looking into the complexity of the reduction may give us some insight.

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: Algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: Solving P requires N operations (say, time τ).

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes).

Security result: There is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ.

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' ≫ t or ε' ≪ ε, the reduction is not tight.

The tightness gap is $\dfrac{t'\,\varepsilon}{t\,\varepsilon'} = \dfrac{t'/\varepsilon'}{t/\varepsilon}$.

We want tight reductions, or at least reductions with a small tightness gap.

Part IV

Security Notions

Security Notions
  Security Notion for Signature Schemes
  Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. Security goal of the scheme (= opposite of the adversary's goal):
   Property that needs to be guaranteed.
2. Attack model:
   Attack venues: what the adversary can and cannot do.
   Leaked information: what the adversary can learn from honest users (often modeled by oracles).

Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key k_v,

it outputs a pair (m', σ') of a message and its signature

such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also can access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given signature scheme Σ = (K, Sign, Vf):

  (k_v, k_s) ←$ K(·)
  k_v is given to the Adversary; k_s is given to the Signing Oracle.
  Adversary ⟶ m ⟶ Signing Oracle;  Signing Oracle ⟶ σ ← Sign(k_s, m) ⟶ Adversary  (repeated as often as the adversary likes)
  Adversary outputs (m', σ')

$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m'\,]$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions
Block ciphers
Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle
Block ciphers → Ideal cipher
Finite groups → Generic group

Standard model: no idealized primitives (sort of).

Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).
The same query asked twice receives the same answer twice.

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^{-1}) where
   Public key: f: X → X, a trapdoor one-way permutation onto X
   Private key: f^{-1}

S: Signature of m returns σ ← f^{-1}(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
T_f is the time to compute f (in the forward direction);
B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Create an initially empty list called H-List.
  If (q, r) ∈ H-List, return r.
  Otherwise reply using
  Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using
  Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ).
  The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

  c ←$ {1, ..., q_H + q_S + 1}

Let c' = index of the first query where message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c', then abort.

The success verification is within the game ⇒ the adversary's output message m is always queried to the hashing oracle (this is the extra "+1" query).

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3):
  If this is the c-th query, set r ← y. Otherwise choose r at random.
  Add record (q, ⊥, r) to H-List.

Since y is uniformly distributed and placed at a position chosen uniformly at random, Pr[S3] = Pr[S2].

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose random s ←$ X and compute r ← f(s).
  Add record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):
  Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query is never asked to the signing oracle, Pr[S5] = Pr[S4].

Moreover:

the simulation can be done computing (q_S + q_H) evaluations of f;
a signature forgery for y gives a preimage for y.

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$

where B = G5 runs in time t + (q_S + q_H) · T_f.

Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[S_0] = \dfrac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: In general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
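The games above can be run as code. The following is an added example in Python (it is not from the slides or from Pointcheval's notes): a toy RSA-FDH with the lazily sampled random oracle of G1 (the random-oracle behaviour described earlier: a fresh query gets a uniform answer, a repeated query gets the same answer), and the simulator B of G5, which programs the hash oracle with rule H(4), answers signing queries with rule S(5) without ever using f^{-1}, and extracts a preimage of the challenge y from a verifying forgery. The RSA parameters (P, Q, E), the names RandomOracle, Simulator, trapdoor_forger and run_reduction, and the stand-in adversary (which holds the trapdoor purely so that the extraction path can be exercised) are all constructed for this example; the modulus is tiny and provides no security.

```python
"""Toy RSA-FDH, the lazily sampled random oracle of game G1, and the simulator B of
game G5 (constructed example; parameters are deliberately tiny and insecure)."""
import secrets

# --- Toy trapdoor permutation f on X = Z_N (constructed, NOT secure parameters) ---------
P, Q = 1000003, 1000033                 # constructed small primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # trapdoor f^{-1} (Python 3.8+); never given to B

def f(x: int) -> int:                   # forward direction, cost T_f
    return pow(x, E, N)

def f_inv(y: int) -> int:               # needs the trapdoor (real signer only)
    return pow(y, D, N)

# --- Game G1: real FDH with a lazily sampled random oracle -----------------------------
class RandomOracle:
    """Rule H(1): a fresh query gets a uniform r in X, recorded in H-List; a repeated
    query gets the recorded r (same query twice -> same answer twice)."""
    def __init__(self) -> None:
        self.h_list: dict = {}

    def query(self, m: bytes) -> int:
        if m not in self.h_list:
            self.h_list[m] = secrets.randbelow(N)
        return self.h_list[m]

def fdh_sign(H: RandomOracle, m: bytes) -> int:      # rule S(1): sigma <- f^{-1}(H(m))
    return f_inv(H.query(m))

def fdh_verify(H: RandomOracle, m: bytes, sigma: int) -> bool:   # Vf: f(sigma) = H(m)
    return f(sigma) == H.query(m)

# --- Game G5: simulator B, given a one-wayness challenge y and a guess c ----------------
class Simulator:
    """Rule H(4): embed y at the c-th fresh hash query (s = None plays the role of ⊥);
    elsewhere pick s at random and answer r = f(s). Rule S(5): signing is a lookup of s,
    so f^{-1} is never used. A verifying forgery on the embedded message is a preimage."""
    def __init__(self, y: int, c: int) -> None:
        self.y, self.c = y, c
        self.h_list: dict = {}              # m -> (s, r)
        self.fresh_queries = 0
        self.f_evaluations = 0              # forward evaluations spent by the simulation

    def hash_oracle(self, m: bytes) -> int:
        if m not in self.h_list:
            self.fresh_queries += 1
            if self.fresh_queries == self.c:
                self.h_list[m] = (None, self.y)
            else:
                s = secrets.randbelow(N)
                self.f_evaluations += 1
                self.h_list[m] = (s, f(s))
        return self.h_list[m][1]

    def sign_oracle(self, m: bytes) -> int:
        self.hash_oracle(m)                 # the signing oracle consults H first
        s, _ = self.h_list[m]
        if s is None:                       # c-th message asked for signing: guess was wrong
            raise RuntimeError("abort: bad guess of c")
        return s

    def extract(self, m: bytes, sigma: int):
        """Vf oracle plus extraction: a preimage of y, or None if the forgery does not
        verify or lands on a query other than the c-th one."""
        r = self.hash_oracle(m)             # the '+1' query made by the verification oracle
        s, _ = self.h_list[m]
        if f(sigma) != r or s is not None:
            return None
        return sigma                        # f(sigma) = r = y

# --- Stand-in adversary (testing aid only): it holds the trapdoor, so it always forges.
def trapdoor_forger(hash_oracle, sign_oracle, signed: list, target: bytes):
    for m in signed:                        # q_S signing queries
        sign_oracle(m)
    return target, f_inv(hash_oracle(target))   # one hash query, then the forgery

def run_reduction(signed: list, target: bytes, c: int) -> bool:
    """B's whole run: draw the challenge y = f(x*), simulate, check the extracted x."""
    y = f(secrets.randbelow(N))
    sim = Simulator(y, c)
    m, sigma = trapdoor_forger(sim.hash_oracle, sim.sign_oracle, signed, target)
    x = sim.extract(m, sigma)
    return x is not None and f(x) == y

def aborts_on_bad_guess(signed: list, target: bytes, c: int) -> bool:
    """True if B aborts because the c-th hash query was later asked for signing."""
    try:
        run_reduction(signed, target, c)
    except RuntimeError:
        return True
    return False
```

run_reduction([b"a", b"b"], b"c", 3) returns True because the forged message is the third fresh hash query; with c = 1 the simulator aborts when the first signing query lands on the embedded value, and with c = 4 the forgery verifies but is not a preimage of y. These two failure modes are exactly the 1/(q_H + q_S + 1) guessing loss of game G2. The counter f_evaluations records the forward evaluations the simulation spends, which is the (q_S + q_H) · T_f term in B's running time.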


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
T_f is the time to compute f (in the forward direction);
B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations (t),
at most $2^{55}$ hash queries (q_h), and
at most $2^{30}$ signing queries (q_s).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

B runs in time t' = t + (q_h + q_s) · T_f.

The result now says:

Interpreting the Result: If one can break the scheme within time t, then one can invert f within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ is the modulus size and $e$ is small (a conservative bound: with small $e$ a few $k$-bit modular multiplications suffice, and the RSA-OAEP estimates later use $k^2$).

We compare it with the known cost of inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for $f = $ RSA:

• 1024 bits: $t' \le 2^{140}$, but NFS takes $2^{80}$ (no)
• 2048 bits: $t' \le 2^{143}$, but NFS takes $2^{111}$ (no)
• 4096 bits: $t' \le 2^{146}$, but NFS takes $2^{149}$ (ok)

⇒ The proof only guarantees RSA-FDH for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{euf\text{-}cma}_{FDH}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{ow}_{f}(B)$

where $e \approx 2.718$ is Euler's number (not the RSA exponent), and $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. The loss no longer depends on the number of hash queries.

Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

• 1024 bits: $t' \le 2^{105}$, but NFS takes $2^{80}$ (no)
• 2048 bits: $t' \le 2^{107}$, but NFS takes $2^{111}$ (ok)
• 4096 bits: $t' \le 2^{109}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-FDH is provably secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong:

• Perfect secrecy is not possible in the public-key setting: the ciphertext (information-theoretically) reveals information about the plaintext, since anyone holding the public key can re-encrypt candidate messages.

Goal: Indistinguishability (Semantic Security). Informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the two messages himself.

Attack model

• Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this is automatic, since the encryption key is public).
• Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).

CCA2 is the strongest attack model.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between the challenger and the adversary $A$ is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$; $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; send $k_e$ to $A$.
2. $A$ may query the decryption oracle: on $c$ it returns $m \leftarrow D_{k_d}(c)$ (or $\bot$ if $c$ is invalid).
3. $A$ outputs two messages $m_0, m_1$ (of the same length); the challenger returns $c^* \leftarrow E_{k_e}(m_b)$.
4. $A$ may keep querying the decryption oracle, now on any $c \ne c^*$ (CCA2 only; in CCA1 the oracle is available only before the challenge).
5. $A$ outputs a guess $b'$.

$\mathrm{Adv}^{ind\text{-}cca}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e),\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks.) Note that a coin-flipping adversary already achieves $\Pr[b' = b] = 1/2$, so the advantage is usually normalised as $2 \cdot \Pr[b' = b] - 1$ (or $|\Pr[b' = b] - 1/2|$), which is $0$ for such an adversary.

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

• Let $m$ be a random message chosen from the message space $M$.
• From the ciphertext $c = E_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable (non-negligible) probability. Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{ow\text{-}cpa}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M,\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]
• OW-CPA ⇔ the RSA problem (computing modular $e$-th roots).
• It is neither IND-CPA nor IND-CCA, since it is deterministic: the adversary re-encrypts $m_0$ under the public key and compares the result with $c^*$.

Discrete-log based: ElGamal [ElGamal 85]
• OW-CPA ⇔ CDH (Computational Diffie-Hellman).
• IND-CPA ⇔ DDH (Decisional Diffie-Hellman).
• It is not IND-CCA because of multiplicativity: from $c^* = (g^r, m_b \cdot h^r)$ anyone can form $(g^r, u \cdot m_b \cdot h^r) \ne c^*$, an encryption of $u \cdot m_b$, and hand it to the decryption oracle.

Obs.: CDH and DDH are no harder than DLog (DDH reduces to CDH, which reduces to DLog), so the DDH assumption is stronger than the CDH assumption, which in turn is stronger than the DLog assumption.
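As an added example (not part of the slides), the following Python code plays the IND-CCA2 game of the previous slide against the two schemes just discussed, with the decryption oracle refusing only the challenge ciphertext. The parameters are assumptions chosen so the games run instantly: textbook RSA with n = 61·53 = 3233, e = 17, d = 2753, and ElGamal over Z_467^* with generator 2 (467 is prime and 467 ≡ 3 mod 8, so 2 is a quadratic non-residue of full order 466). The two adversaries are exactly the attacks named above: re-encryption of m_0 against deterministic RSA (no decryption query at all, so it is already an IND-CPA break), and the multiplicativity attack against ElGamal, which needs a single CCA2 query on (c_1, 2·c_2) ≠ c*. A constant-guess adversary is included as the baseline with Pr[b' = b] ≈ 1/2.

```python
"""Toy IND-CCA2 game for textbook RSA and ElGamal.

Added example, not from the slides. Parameter assumptions (tiny on purpose):
textbook RSA with n = 61 * 53 = 3233, e = 17, d = 2753; ElGamal over Z_467^*
with generator 2 (467 is prime and 467 = 3 mod 8, so 2 is a quadratic
non-residue of full order 466). Neither attack depends on the parameter size.
"""
import random

# ----------------------------------------------------------------- schemes
RSA_PK, RSA_SK = (3233, 17), 2753          # (n, e) and d, with e*d = 1 mod phi(n)

def rsa_enc(pk, m, rng=None):
    """Textbook RSA is deterministic: the randomness source is ignored."""
    n, e = pk
    return pow(m, e, n)

def rsa_dec(sk, pk, c):
    return pow(c, sk, pk[0])

EG_P, EG_G = 467, 2

def eg_keygen(rng):
    x = rng.randrange(1, EG_P - 1)
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x   # pk = (p, g, h = g^x), sk = x

def eg_enc(pk, m, rng):
    p, g, h = pk
    r = rng.randrange(1, p - 1)
    return (pow(g, r, p), (m * pow(h, r, p)) % p)

def eg_dec(sk, pk, c):
    p, (c1, c2) = pk[0], c
    return (c2 * pow(c1, p - 1 - sk, p)) % p     # c1^(-x) by Fermat

RSA_SCHEME = (rsa_enc, rsa_dec, lambda rng: (RSA_PK, RSA_SK))
EG_SCHEME = (eg_enc, eg_dec, eg_keygen)

# -------------------------------------------------------------------- game
def ind_cca2_game(scheme, adversary, rng):
    """One run of the IND-CCA2 game of the slide; returns True iff b' = b.

    The decryption oracle answers every query, before and after the
    challenge, except the challenge ciphertext itself (it returns None, i.e.
    bottom, for that). An IND-CPA adversary simply never calls it.
    """
    enc, dec, keygen = scheme
    pk, sk = keygen(rng)
    b = rng.randrange(2)
    challenge = []
    def dec_oracle(c):
        return None if challenge and c == challenge[0] else dec(sk, pk, c)
    m0, m1 = adversary.choose(pk, dec_oracle)
    challenge.append(enc(pk, (m0, m1)[b], rng))
    return adversary.guess(pk, challenge[0], dec_oracle) == b

def success_rate(scheme, adversary_cls, trials=400, seed=1):
    """Empirical Pr[b' = b] over independent games with fresh keys and coins."""
    rng = random.Random(seed)
    return sum(ind_cca2_game(scheme, adversary_cls(), rng) for _ in range(trials)) / trials

# ------------------------------------------------------------- adversaries
class ConstantGuess:
    """Baseline: always answers 0, so Pr[b' = b] = 1/2 and the advantage is 0."""
    def choose(self, pk, dec_oracle):
        return 42, 137
    def guess(self, pk, c_star, dec_oracle):
        return 0

class RsaReencrypt:
    """Breaks IND-CPA of any deterministic scheme: re-encrypt m0 under the
    public key and compare with c*. Makes no decryption query at all."""
    def choose(self, pk, dec_oracle):
        return 42, 137
    def guess(self, pk, c_star, dec_oracle):
        return 0 if rsa_enc(pk, 42) == c_star else 1

class ElGamalMalleability:
    """Breaks IND-CCA2 of ElGamal through multiplicativity: (c1, 2*c2) differs
    from c*, so the oracle decrypts it, and it decrypts to 2*m_b."""
    def choose(self, pk, dec_oracle):
        return 42, 137
    def guess(self, pk, c_star, dec_oracle):
        p = pk[0]
        c1, c2 = c_star
        doubled = dec_oracle((c1, (2 * c2) % p))
        return 0 if (doubled * pow(2, -1, p)) % p == 42 else 1

if __name__ == "__main__":
    for name, scheme, adv in [("RSA / re-encrypt", RSA_SCHEME, RsaReencrypt),
                              ("ElGamal / malleability", EG_SCHEME, ElGamalMalleability),
                              ("ElGamal / constant guess", EG_SCHEME, ConstantGuess)]:
        print("%-26s Pr[b' = b] = %.3f" % (name, success_rate(scheme, adv)))
```

Both attacks succeed in every trial, i.e. Pr[b' = b] = 1 and the normalised advantage 2·1 − 1 = 1, independently of the key size; the baseline hovers around 1/2. Note that the ElGamal adversary never violates the rule of the game: its single query is a ciphertext different from c*, which is precisely why malleability and IND-CCA2 are incompatible.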

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

• Any trapdoor one-way function may yield an OW-CPA encryption scheme.
• OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Generic conversions from weakly secure to strongly secure schemes.

f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation on $n$-bit strings, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with hash functions

$G : \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$
$H : \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

modelled as random oracles. Messages have $n - k_0 - k_1$ bits and $r \xleftarrow{\$} \{0,1\}^{k_0}$ is fresh randomness.

$E(m; r)$: compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.

$D(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP ($r = y \oplus H(x)$, $m \,\|\, z = x \oplus G(r)$), then check the redundancy ($z = 0^{k_1}$; otherwise reject).
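The following Python code is an added worked example (not from the slides) of the f-OAEP transform with the redundancy check, instantiated with assumptions the slides leave open: G and H are truncated SHA-256 with domain separation, n = 88 bits, k_0 = 24 bits, k_1 = 16 bits (so messages are 48 bits), and the trapdoor permutation f is textbook RSA with the Mersenne primes 2^31 − 1 and 2^61 − 1, whose 92-bit modulus makes every 88-bit string x‖y a valid input to f. These sizes are toys chosen so the example runs instantly; real RSA-OAEP (PKCS #1 v2) uses 2048-bit or larger moduli and a different encoding layout. The decryption side shows the two rejection paths a careless implementation omits: the integer f^{-1}(c) may not fit in n bits, and the k_1 redundancy bits may not be zero.

```python
"""f-OAEP with the redundancy check, over a toy RSA trapdoor permutation.

Added example, not from the slides. Assumptions: G and H are truncated
SHA-256 with domain separation; n = 88 bits, k0 = 24 bits, k1 = 16 bits
(messages are n - k0 - k1 = 48 bits); f is textbook RSA with the Mersenne
primes 2^31 - 1 and 2^61 - 1 (a 92-bit modulus, so every 88-bit x||y is a
valid input). Toy sizes; real RSA-OAEP uses >= 2048-bit moduli.
"""
import hashlib
import secrets

N_BYTES, K0_BYTES, K1_BYTES = 11, 3, 2           # n = 88, k0 = 24, k1 = 16 bits
MSG_BYTES = N_BYTES - K0_BYTES - K1_BYTES         # 6 bytes of message per block

def G(r):        # {0,1}^k0 -> {0,1}^(n-k0)
    return hashlib.sha256(b"OAEP-G" + r).digest()[:N_BYTES - K0_BYTES]

def H(x):        # {0,1}^(n-k0) -> {0,1}^k0
    return hashlib.sha256(b"OAEP-H" + x).digest()[:K0_BYTES]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

# trapdoor permutation f: textbook RSA, p = 2^31 - 1, q = 2^61 - 1, e = 65537
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))               # the trapdoor

def f(xy):                                       # public direction
    return pow(int.from_bytes(xy, "big"), E, N)

def f_inv(c):                                    # needs the trapdoor d
    return pow(c, D, N)

def oaep_encrypt(m, r=None):
    """E(m; r) = f(x || y) with x = (m || 0^k1) xor G(r) and y = r xor H(x)."""
    if len(m) != MSG_BYTES:
        raise ValueError("message must be exactly %d bytes" % MSG_BYTES)
    r = secrets.token_bytes(K0_BYTES) if r is None else r
    x = xor(m + b"\x00" * K1_BYTES, G(r))
    y = xor(r, H(x))
    return f(x + y)

def oaep_decrypt(c):
    """D(c): invert f, undo both masks, check the k1 redundancy bytes.

    Returns the message, or None (reject) on any failure. Two rejection
    paths matter: f^-1(c) may not fit in n bits at all, and the k1 trailing
    bytes may not be zero. A real implementation must also make the two
    failures indistinguishable to the caller (Manger's 2001 attack on
    PKCS #1 v2.0 exploited exactly that distinction).
    """
    if not 0 <= c < N:
        return None
    v = f_inv(c)
    if v >= 1 << (8 * N_BYTES):                  # not an n-bit string
        return None
    xy = v.to_bytes(N_BYTES, "big")
    x, y = xy[:N_BYTES - K0_BYTES], xy[N_BYTES - K0_BYTES:]
    r = xor(y, H(x))
    m_padded = xor(x, G(r))
    if m_padded[MSG_BYTES:] != b"\x00" * K1_BYTES:   # redundancy check
        return None
    return m_padded[:MSG_BYTES]

if __name__ == "__main__":
    c = oaep_encrypt(b"attack")
    print(oaep_decrypt(c), oaep_decrypt(c ^ 1))     # b'attack' None
```

Two properties of the slide's construction are visible in the code: the same message encrypted with two different coins r gives two different ciphertexts (so the scheme is randomised, unlike textbook RSA), and flipping a single bit of c makes the redundancy check fail except with probability about 2^(-k_1), which is what lets the decryption oracle refuse to help a CCA2 adversary.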

RSA-OAEP

A (good) reduction to a variant of OW-CPA (called partial-domain one-wayness, which for RSA is equivalent to ordinary one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. The result is

$\mathrm{Adv}^{ind\text{-}cca}_{RSA\text{-}OAEP}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{rsa}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

• 1024 bits: $t' \le 2^{133}$, but NFS takes $2^{80}$ (no)
• 2048 bits: $t' \le 2^{135}$, but NFS takes $2^{111}$ (no)
• 4096 bits: $t' \le 2^{137}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-OAEP is provably secure for keys of at least 4096 bits; the reduction is not tight.

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model: the block cipher $E$ is modelled as a family of perfectly random and independent permutations, one for each key.

Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking $f = $ RSA are

• at most $2^{75}$ operations ($t$),
• at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

• 1024 bits: $t' \le 2^{76}$, but NFS takes $2^{80}$ (ok)
• 2048 bits: $t' \le 2^{78}$, but NFS takes $2^{111}$ (ok)
• 4096 bits: $t' \le 2^{80}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-OAEP++ is provably secure for keys of 1024 bits or more.
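The following Python code is an added example (not from the slides) that redoes the exact-security arithmetic of the FDH, Coron-FDH, RSA-OAEP and RSA-OAEP++ estimates above, so that the constants can be changed and the "minimum provable key size" recomputed. Assumptions: the slides' feasible-adversary budget (t = 2^75, q_h = 2^55, q_s = 2^30, and 2^55 for every other oracle), the Lenstra-Verheul NFS figures used above, and T_f = k^3 for the first FDH estimate but T_f = k^2 for the other three, exactly as the respective slides do. Coron's factor e is Euler's number. Because the code keeps constants the slides round away, its figures can differ from the slides' by a bit or two; the conclusions (which key sizes the proof covers) are the same.

```python
"""Exact-security arithmetic for the RSA reductions discussed on the slides.

Added example, not from the slides. Assumptions (all taken from the slides'
back-of-the-envelope computations, not from the cited papers): the feasible
adversary budget t = 2^75, q_h = 2^55, q_s = 2^30, 2^55 for the OAEP oracles
and for the ideal cipher; the Lenstra-Verheul NFS estimates; T_f = k^3 for
the first FDH estimate and T_f = k^2 for the other three.
"""
import math
from dataclasses import dataclass
from typing import Callable

NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}   # log2(operations) to factor a k-bit modulus

T, Q_H, Q_S = 2.0**75, 2.0**55, 2.0**30        # forger/distinguisher budget
Q_G, Q_E = 2.0**55, 2.0**55                    # second OAEP oracle, ideal cipher


@dataclass
class Reduction:
    name: str
    tf_exponent: int                            # T_f = k^tf_exponent, as the slide assumes
    inversion_time: Callable[[float], float]    # total time to invert f with constant
                                                # probability, as a function of T_f


REDUCTIONS = [
    # Bellare-Rogaway 96: advantage loss (q_h + q_s + 1), so B is repeated that
    # many times; each run costs t + (q_h + q_s) * T_f.
    Reduction("RSA-FDH (Bellare-Rogaway 96)", 3,
              lambda tf: (Q_H + Q_S + 1) * (T + (Q_H + Q_S) * tf)),
    # Coron 00: loss q_s * e with e = Euler's number, independent of q_h.
    Reduction("RSA-FDH (Coron 00)", 2,
              lambda tf: Q_S * math.e * (T + (Q_H + Q_S + 1) * tf)),
    # FOPS 00: B's running time as stated on the slide.
    Reduction("RSA-OAEP (FOPS 00)", 2,
              lambda tf: 2 * T + Q_H * (2 * Q_G + Q_H) * tf),
    # Jonsson 02: essentially tight.
    Reduction("RSA-OAEP++ (Jonsson 02)", 2,
              lambda tf: T + Q_E * tf),
]


def inversion_log2(red, k):
    """log2 of the time B needs to invert k-bit RSA, given a feasible adversary."""
    return math.log2(red.inversion_time(float(k) ** red.tf_exponent))


def meaningful_key_sizes(red):
    """Key sizes where B beats the NFS, i.e. where the proof actually says something."""
    return [k for k in sorted(NFS_LOG2) if inversion_log2(red, k) <= NFS_LOG2[k]]


def report():
    """One human-readable line per reduction."""
    lines = []
    for red in REDUCTIONS:
        cells = ", ".join("%d bits: 2^%.0f vs NFS 2^%d" % (k, inversion_log2(red, k), NFS_LOG2[k])
                          for k in sorted(NFS_LOG2))
        ok = meaningful_key_sizes(red)
        lines.append("%s: %s -> provable from %s bits" % (red.name, cells, ok[0] if ok else "none"))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The point the slides make is visible in the numbers: the loss factor of a reduction is as important as the assumption it rests on. The same assumption (RSA one-wayness) and the same adversary budget yield a minimum provable key size of 4096 bits for the original FDH and OAEP proofs, 2048 bits for Coron's tighter FDH bound, and 1024 bits for the essentially tight OAEP++ proof.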

Revisiting the Assumptions

Classical assumptions:
• Integer factoring
• Discrete logarithm (in finite fields and in elliptic curves)
• Modular roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: they require large keys if instantiated in finite fields, and they are all broken by quantum attacks (Shor's algorithm).

Alternatives (post-quantum cryptography):
• Error-correcting codes
• Hash-based schemes
• Systems of multivariate equations
• Lattices

Part V: Concluding Remarks

Limits and Benefits of Provable Security

• Provable security does not yield absolute proofs.
• Proofs are relative to computational assumptions and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti et al. 98, 04], [Coron et al. 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance. Example: proofs were given for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht et al. 09]; then proofs for the other mode were given in a better model [Paterson-Watson 10]. Are we going in circles: model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security
• provides some form of guarantee that the scheme is not flawed;
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
• gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
• is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86 (11-15 Aug. 1986), volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (not published elsewhere; received 18 Mar. 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - CRYPTO '89, pages 239-252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology - EUROCRYPT '97, pages 256-266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87-100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography: What Cryptography is about; Classic Goals
  • Provable Security
    • Provable Security: The Short Story; The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notion for Signature Schemes; Security Notion for Encryption Schemes
  • Concluding Remarks
  • References

Provable Security: The Short Story. The need for Provable Security

Unconditional secrecy is not possible

The ciphertext $c = E_{k_e}(m; r)$ is uniquely determined by
• the public encryption key $k_e$,
• the message $m$,
• the random coins $r$.

So at least exhaustive search (over messages and coins, using the public key) is possible
⇒ unconditional secrecy is impossible.

We need complexity-theoretic (algorithmic) assumptions.

Integer Factoring and RSA

Multiplication vs. factorization:
• $p, q \to n = p \cdot q$ is easy (quadratic time);
• $n = p \cdot q \to p, q$ is hard (super-polynomial time).
This is the prototype of a one-way function.

RSA Function [Rivest-Shamir-Adleman 78]

The function $f : \mathbb{Z}_n \to \mathbb{Z}_n$, where $n = pq$ and $e$ is a fixed exponent with $\gcd(e, \varphi(n)) = 1$:
• $x \to x^e \bmod n$ (easy, cubic time);
• $y = x^e \bmod n \to x$ (difficult without $p, q$);
• but $x = y^d \bmod n$ is easy if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known.

We measure the advantage of any inverting adversary $A$ by

$\mathrm{Adv}^{rsa}_{n,e}(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_n^*,\ y = x^e \bmod n : A(y) = x\right]$

The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define

$\mathrm{DLog}_g(y) = \min\{x \ge 0 \mid y = g^x\}$

Exponentiation Function

The function $\mathrm{DExp}_g : \mathbb{Z}_q \to G$, where $q = |G|$:
• $x \to y = g^x$ (easy, cubic time);
• $y = g^x \to x$ (difficult, super-polynomial time in general).

$\mathrm{Adv}^{dl}_{g}(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_q,\ y = g^x : A(y) = x\right]$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits) | MIPS-years (log2) | Operations (log2)
---------------|-------------------|------------------
512            | 13                | 58
1024           | 35                | 80
2048           | 66                | 111
4096           | 104               | 149
8192           | 156               | 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

Generalization: One-way functions

One-way Function

A function $f : \mathrm{Dom}(f) \to \mathrm{Range}(f)$ such that
• $x \to y = f(x)$ is easy (polynomial time);
• $y = f(x) \to x$ is difficult for random $x \in \mathrm{Dom}(f)$ (at least super-polynomial time).

The advantage of an inverting adversary $A$ is thus

$\mathrm{Adv}^{ow}_{f}(A) = \Pr\left[x \xleftarrow{\$} \mathrm{Dom}(f),\ y = f(x) : A(y) = x\right]$

Resources of $A$:
• running time $t$ (number of operations);
• number and length of queries (if in the random oracle model).

Part III: Reductions

Algorithmic assumptions are necessary

Recall that for RSA:
• $n = pq$: public modulus
• $e$: public exponent
• $d = e^{-1} \bmod \varphi(n)$: private exponent
• $E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.

Proof by Reduction

• Let $P$ be a problem.
• Let $A$ be an adversary that breaks the scheme.
• Then $A$ can be used to solve $P$:

  instance $I$ of $P$ ⟶ [ new algorithm for $P$, running the adversary $A$ as a subroutine ] ⟶ solution of $I$

If so, we say that solving $P$ reduces to breaking the scheme.
Conclusion: if $P$ is intractable, then the scheme is unbreakable.

Provable Security

A misleading name: we are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77

Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given).
2. To define the security notions to be guaranteed (next):
   - Security goal
   - Attack model
3. A reduction.

25/77

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given A within time t, with success probability ε
⇒ Build an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε).

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

- Complexity theory: T polynomial
- Exact security: T explicit
- Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given A within time t and success probability ε
⇒ Build an algorithm against P that runs in time t′ = T(t, ε).

Assumption: P is hard = "no polynomial time algorithm".
Reduction: T is polynomial in t and ε.
Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77

Complexity-theory Security Results

General results. Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

- the schemes for which these results were originally obtained are rather inefficient;
- looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given A which in time t breaks the scheme with probability ε
⇒ Build an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′.

Assumption: solving P requires N operations (say time τ).
Reduction: exact cost of T as a function of t, ε and other parameters (e.g. the key sizes).
Security result: there is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ.

Why useful? From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness: a reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ ≫ t or ε′ ≪ ε, the reduction is not tight.

The tightness gap is

$\frac{t'\,\varepsilon}{t\,\varepsilon'} = \frac{t'/\varepsilon'}{t/\varepsilon}$

We want tight reductions, or at least reductions with a small tightness gap.

30/77

Security Notions

Part IV

Security Notions

31/77

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
2. Attack model:
   - Attack venues: what the adversary can and cannot do.
   - Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77

Signature Schemes (Authentication)

Goal: existential forgery. The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key kv, it outputs a pair (m′, σ′) of a message and its signature such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

33/77

Possible Attack Models

- No-Message Attack (NMA): the adversary only knows the verification key.
- Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.
- Chosen-Message Attack (CMA): the adversary can choose the messages for which it gets to see the message/signature pairs. This is the strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]

Given a signature scheme Σ = (K, Sign, Vf):

  (kv, ks) ←$ K(·); the Adversary receives kv, the Signing Oracle receives ks.
  Adversary ─m→ Signing Oracle, which answers σ ← Sign(ks, m) (repeated for as many m as the adversary likes).
  Finally the Adversary outputs (m′, σ′).

$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,]$

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

- Hash functions
- Block ciphers
- Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models:

- Hash function → Random oracle
- Block ciphers → Ideal cipher
- Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].

The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

- Each new query receives a random answer in Rec(H).
- The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

- K: key generation returns (f, f⁻¹), where
  - the public key is f: X → X, a trapdoor one-way permutation onto X;
  - the private key is f⁻¹.
- S: the signature of m returns σ ← f⁻¹(H(m)).
- V: the verification of (m, σ) returns true if f(σ) = H(m).

38/77
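The EUF-CMA game of the previous slides and the FDH scheme just defined, written out as code. This is an added example for this page, not code from the slides or from Bellare-Rogaway. It assumes a constructed toy RSA permutation with 14-bit primes as the trapdoor one-way permutation f, SHA-256 reduced mod N as the full-domain hash H, and two constructed adversaries (one that replays an answer of the signing oracle, one that is handed the trapdoor) to exercise the experiment; none of these names come from the slides.

```python
import hashlib

# Constructed toy RSA parameters: a trapdoor permutation on X = Z_N.
# Real deployments use primes of ~1024 bits; these 14-bit ones only illustrate the scheme.
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # Python 3.8+: modular inverse of E


def f(x: int) -> int:
    """Public direction of the trapdoor one-way permutation f: X -> X."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Trapdoor direction f^-1; only the signer holds it."""
    return pow(y, D, N)


def H(m: bytes) -> int:
    """Full-domain hash into X. The concrete scheme instantiates it with a cryptographic
    hash (here SHA-256 reduced mod N); the proof models it as a random oracle."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


# Scheme FDH = (K, S, V) as on the slide.
def keygen():
    return f, f_inv                      # (verification key kv, signing key ks)


def sign(ks, m: bytes) -> int:
    return ks(H(m))                      # sigma <- f^-1(H(m))


def verify(kv, m: bytes, sigma: int) -> bool:
    return kv(sigma) == H(m)             # true iff f(sigma) = H(m)


def euf_cma_experiment(adversary) -> bool:
    """The EUF-CMA game: A receives kv and a signing oracle, and wins when its output
    (m', sigma') verifies for a message m' that was never sent to the oracle."""
    kv, ks = keygen()
    queried = set()

    def signing_oracle(m: bytes) -> int:
        queried.add(m)                   # remember every message that was signed
        return sign(ks, m)

    m_prime, sigma_prime = adversary(kv, signing_oracle)
    return m_prime not in queried and verify(kv, m_prime, sigma_prime)


# Constructed adversaries that exercise the game; they are not attacks on real RSA-FDH.
def replay_adversary(kv, signing_oracle):
    """Returns a genuine signature, but on a message it asked the oracle for:
    a valid pair that is not a forgery, so the experiment must reject it."""
    m = b"pay 10"
    return m, signing_oracle(m)


def trapdoor_adversary(kv, signing_oracle):
    """Cheats by using f^-1 directly (the test hands it the trapdoor), so it
    produces a forgery on a fresh message and the experiment must accept it."""
    m = b"pay 1000000"
    return m, f_inv(H(m))
```

The `queried` set is what turns "Vf returns 1" into "Vf returns 1 for a new m′": without it, the replaying adversary would count as a winner even though it has not forged anything.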

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

- A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
- Tf is the time to compute f (in the forward direction);
- B runs in time t′ = t + (qh + qs) · Tf.

[Bellare-Rogaway 1993, 1996]

Proof (reduction).

39/77

Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true". Clearly

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below. Create an initially empty list called H-List.

Hashing oracle H(q):
  If (q, r) ∈ H-List, return r.
  Otherwise reply using
  Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using
  Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ).
  The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

- c ←$ {1, ..., qH + qS + 1};
- c′ = the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A;
- if c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since position y is chosen uniformly at random, Pr[S3] = Pr[S2].

44/77

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set r ← y and s ← ⊥. Otherwise choose a random s ←$ X and compute r ← f(s). Add the record (q, s, r) to H-List.

Since position y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f⁻¹.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4].

Moreover:

- the simulation can be done computing (qS + qH) evaluations of f;
- a signature forgery for y gives a preimage for y.

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where B = G5 runs in time t + (qS + qH) · Tf.

46/77

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
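The whole game sequence G0 to G5, collapsed into the algorithm B it describes: a simulator that answers a forger's hash and signing queries using only f, plants the one-wayness challenge y at the c-th fresh hash query (Rule H(4)), signs from the stored preimages (Rule S(5)), and returns the forger's signature as the preimage of y when the guess of c was right. This is an added example written for this page, not code from the slides or from [Pointcheval 2005]. It assumes a constructed toy RSA permutation with 14-bit primes as f, and a constructed test forger that behaves like a legal EUF-CMA adversary but is handed f⁻¹ so that there is a forgery for B to extract; the helper `extract_with_every_guess` enumerates every possible c instead of sampling it, which is how the test checks the 1/(qH + qS + 1) guessing argument of G2.

```python
import random
from typing import Callable, Dict, Optional, Tuple

# Constructed toy RSA permutation (14-bit primes, insecure; for illustration only).
P, Q = 10007, 10009
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x: int) -> int:
    """Trapdoor one-way permutation on X = Z_N, public direction."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """The trapdoor. B never uses it; only the constructed test forger below does."""
    return pow(y, D, N)


class Abort(Exception):
    """B's guess of c (game G2) turned out to be wrong; the game is abandoned."""


class ReductionB:
    """Algorithm B = game G5: answers A's hash and signing queries using f only."""

    def __init__(self, y: int, q_h: int, q_s: int, guess: Optional[int] = None):
        self.y = y
        self.h_list: Dict[bytes, Tuple[Optional[int], int]] = {}   # H-List: q -> (s, r)
        self.fresh = 0                                   # fresh hash queries seen so far
        # G2: c <-$ {1, ..., q_H + q_S + 1}; `guess` lets a test enumerate every c
        self.c = guess if guess is not None else random.randint(1, q_h + q_s + 1)

    def H(self, q: bytes) -> int:
        """Simulated random oracle, Rule H(4)."""
        if q in self.h_list:                   # repeated query: same answer as before
            return self.h_list[q][1]
        self.fresh += 1
        if self.fresh == self.c:
            s, r = None, self.y                # c-th query: r <- y, s <- ⊥
        else:
            s = random.randrange(N)            # s <-$ X
            r = f(s)                           # r <- f(s), so the preimage of r is known
        self.h_list[q] = (s, r)
        return r

    def Sign(self, m: bytes) -> int:
        """Simulated signing oracle without f^-1, Rule S(5)."""
        self.H(m)                              # a fresh hash query if m is new
        s, _ = self.h_list[m]
        if s is None:                          # A wants the planted message signed: c was wrong
            raise Abort
        return s

    def run(self, forger: Callable) -> Optional[int]:
        """Run A; a forgery on the planted message is a preimage of y under f."""
        try:
            m, sigma = forger(f, self.H, self.Sign)
        except Abort:
            return None
        self.H(m)                              # Vf hashes m: the "+1" fresh query
        s, r = self.h_list[m]
        if s is None and f(sigma) == r:        # here r == y
            return sigma
        return None


def trapdoor_forger(f_pub, H, Sign):
    """Constructed test adversary: two hash queries, one signing query, then a forgery
    on a fresh message, computed with f^-1 (which a real forger would not have)."""
    H(b"hello")
    H(b"world")
    Sign(b"invoice 1")
    m_new = b"invoice 2"
    return m_new, f_inv(H(m_new))              # uses the oracle's answer for H(m_new)


def extract_with_every_guess(q_h: int = 3, q_s: int = 1):
    """Run B once per possible guess c and report which guesses recover x = f^-1(y)."""
    x = random.randrange(N)
    y = f(x)
    results = {c: ReductionB(y, q_h, q_s, c).run(trapdoor_forger)
               for c in range(1, q_h + q_s + 2)}
    return y, results
```

With this forger the fresh hash queries arrive in the order hello, world, invoice 1 (via the signing oracle) and invoice 2, so exactly one of the qH + qS + 1 = 5 guesses (c = 4) recovers the preimage; c = 3 aborts in `Sign`, which is the case the slides exclude when they say the c-th query is never signed.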

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

- A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
- Tf is the time to compute f (in the forward direction);
- B runs in time t′ = t + (qh + qs) · Tf.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are
• at most 2^75 operations (t),
• at most 2^55 hash queries (q_h), and
• at most 2^30 signing queries (q_s).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where B runs in time t' = t + (q_h + q_s)·T_f.

The result now says:

Interpreting the Result
If one can break the scheme in time t, then one can invert f within time t' ≤ (q_h + q_s + 1)(t + (q_h + q_s)·T_f) ≤ 2^130 + 2^110·T_f.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time t' ≤ 2^130 + 2^110·T_f.

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:
• 1024 bits → t' ≤ 2^140, but NFS takes 2^80
• 2048 bits → t' ≤ 2^143, but NFS takes 2^111
• 4096 bits → t' ≤ 2^146, but NFS takes 2^149 (ok)

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where B runs in time t' = t + (q_h + q_s + 1)·T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t' ≤ 2^30·t + 2^85·T_f, and
• 1024 bits → t' ≤ 2^105, but NFS takes 2^80
• 2048 bits → t' ≤ 2^107, but NFS takes 2^111 (ok)
• 4096 bits → t' ≤ 2^109, but NFS takes 2^149 (ok)

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e., encryption).

Goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

• Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
• Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game runs between a Challenger and an Adversary:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends k_e to the Adversary.
Adversary (CCA1 phase): queries c → receives m or ⊥, where m ← D_{k_d}(c).
Adversary → Challenger: (m_0, m_1). Challenger → Adversary: c* ← E_{k_e}(m_b).
Adversary (CCA2 phase): queries c ≠ c* → receives m or ⊥, where m ← D_{k_d}(c).
Adversary: outputs b'.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:
• Let m be a random message chosen from the message space M.
• From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
• OW-CPA = RSA (modular e-th roots).
• It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
• OW-CPA = CDH (Computational Diffie-Hellman).
• IND-CPA = DDH (Decisional Diffie-Hellman).
• It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
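The IND-CCA2 game of the previous slides as a runnable harness, added here as an example that is not part of the original tutorial. It plays the game against constructed toy textbook RSA and shows the two failures just listed: a deterministic scheme is distinguished by re-encryption (no oracle needed), and a multiplicative scheme is distinguished through the decryption oracle on a ciphertext other than c* (the slide makes that point for ElGamal; textbook RSA is multiplicative too). Names and the fixed primes are assumptions of this example.

```python
import secrets

# Constructed toy textbook RSA (fixed Mersenne primes; for the example only, no security).
P, Q = (1 << 61) - 1, (1 << 31) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def textbook_rsa_keygen():
    return E, D                      # (k_e, k_d) for the fixed modulus N

def textbook_rsa_enc(ke, m):
    return pow(m, ke, N)             # deterministic: no random coins at all

def textbook_rsa_dec(kd, c):
    return pow(c, kd, N)

def ind_cca2_game(keygen, enc, dec, adversary, trials=32):
    """The IND-CCA2 experiment of the slide, repeated `trials` times. Returns the fraction
    of trials in which b' = b. The decryption oracle decrypts anything except the
    challenge c*, for which it returns None (bottom)."""
    wins = 0
    for _ in range(trials):
        ke, kd = keygen()
        state = {"c_star": None}

        def dec_oracle(c):
            if state["c_star"] is not None and c == state["c_star"]:
                return None
            return dec(kd, c)

        b = secrets.randbelow(2)
        m0, m1, st = adversary.choose(ke, dec_oracle)           # CCA1 phase
        c_star = enc(ke, (m0, m1)[b])
        state["c_star"] = c_star
        b_prime = adversary.guess(ke, dec_oracle, c_star, st)   # CCA2 phase
        wins += int(b_prime == b)
    return wins / trials

class ReEncryptAdversary:
    """Against a deterministic scheme A needs no oracle at all: it re-encrypts m0 under
    the public key and compares with c*. This is why textbook RSA is not even IND-CPA."""
    def choose(self, ke, dec_oracle):
        return 2, 3, None                                         # two distinct messages

    def guess(self, ke, dec_oracle, c_star, st):
        return 0 if textbook_rsa_enc(ke, 2) == c_star else 1

class MalleabilityAdversary:
    """Uses the CCA2 oracle on a related ciphertext. Textbook RSA is multiplicative
    (Enc(a)*Enc(b) = Enc(a*b) mod N), like ElGamal, so Dec(c* * Enc(2)) = 2*m_b reveals b
    even though c* itself is refused. The "c != c*" restriction alone does not rescue a
    malleable scheme; an IND-CCA scheme must make related ciphertexts useless."""
    def choose(self, ke, dec_oracle):
        return 2, 3, None

    def guess(self, ke, dec_oracle, c_star, st):
        assert dec_oracle(c_star) is None                         # the challenge is refused
        related = (c_star * textbook_rsa_enc(ke, 2)) % N
        return 0 if dec_oracle(related) == 2 * 2 else 1
```

Both adversaries win every trial, i.e. with the slide's advantage measure they reach probability 1; an IND-CCA-secure scheme must hold every adversary close to 1/2.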

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:
• Any trapdoor one-way function may yield a OW-CPA encryption scheme.
• OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k_0, k_1 integers such that n > k_0 + k_1, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$
$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y, then return c = f(x || y).
D(c): compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.
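The encoding step the slide leaves to its figure, as an added example (not the slides' own code): x = (m || 0^{k_1}) ⊕ G(r) and y = r ⊕ H(x) as in the Bellare-Rogaway construction, followed by D(c) inverting OAEP and rejecting when the k_1 redundancy bits are not zero. G and H are instantiated from SHA-256 in counter mode, f is a constructed toy RSA, and the byte-aligned parameters n = 64, k_0 = k_1 = 16 are choices of this example.

```python
import hashlib
import secrets

# Parameters in the slide's notation, n > k0 + k1, chosen byte-aligned for this example
# (constructed values): n = 64, k0 = 16, k1 = 16, so messages are n - k0 - k1 = 32 bits.
N_BITS, K0, K1 = 64, 16, 16
X_LEN, Y_LEN, M_LEN = (N_BITS - K0) // 8, K0 // 8, (N_BITS - K0 - K1) // 8

def mgf(seed, out_len, tag):
    """Hash-based mask generation (SHA-256 in counter mode). G and H below are
    instantiated from it with distinct tags; this is an assumption of the example."""
    out = b""
    for counter in range((out_len + 31) // 32):
        out += hashlib.sha256(tag + seed + counter.to_bytes(4, "big")).digest()
    return out[:out_len]

def G(r):
    return mgf(r, X_LEN, b"G")       # G: {0,1}^k0 -> {0,1}^(n-k0)

def H(x):
    return mgf(x, Y_LEN, b"H")       # H: {0,1}^(n-k0) -> {0,1}^k0

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_pad(m, r):
    """OAEP encoding as in Bellare-Rogaway: x = (m || 0^k1) xor G(r), y = r xor H(x)."""
    if len(m) != M_LEN or len(r) != Y_LEN:
        raise ValueError("wrong message or randomness length")
    x = xor(m + bytes(K1 // 8), G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy):
    """Inverts OAEP and checks the k1 redundancy bits; returns None (bottom) on failure."""
    x, y = xy[:X_LEN], xy[X_LEN:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:M_LEN], padded[M_LEN:]
    if any(redundancy):
        return None
    return m

# Trapdoor permutation f: constructed toy RSA. The modulus has 92 bits, so every
# 64-bit string x||y is below RSA_N and f is injective on {0,1}^n (no real security).
P, Q = (1 << 61) - 1, (1 << 31) - 1
RSA_N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(m, r=None):
    """E(m, r): compute x, y, return c = f(x || y)."""
    r = secrets.token_bytes(Y_LEN) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, RSA_N)

def decrypt(c):
    """D(c): compute x || y = f^-1(c), invert OAEP, then check the redundancy."""
    if not 0 <= c < RSA_N:
        return None
    xy = pow(c, D, RSA_N)
    if xy >= 1 << N_BITS:
        return None                  # not the image of any n-bit string
    return oaep_unpad(xy.to_bytes(N_BITS // 8, "big"))
```

A ciphertext whose decoded block fails the redundancy check is rejected as ⊥, which is the check that the IND-CCA reduction relies on.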

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time t' = 2·t + q_H(2·q_G + q_H)·k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and
• 1024 bits → t' ≤ 2^133, but NFS takes 2^80 (no)
• 2048 bits → t' ≤ 2^135, but NFS takes 2^111 (no)
• 4096 bits → t' ≤ 2^137, but NFS takes 2^149 (ok)

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are
• at most 2^75 operations (t),
• at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E·k^2 ≤ 2^75 + 2^55·k^2, and
• 1024 bits → t' ≤ 2^76, but NFS takes 2^80 (ok)
• 2048 bits → t' ≤ 2^78, but NFS takes 2^111 (ok)
• 4096 bits → t' ≤ 2^80, but NFS takes 2^149 (ok)

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

Revisiting the Assumptions

Classical Assumptions
• Integer Factoring
• Discrete Logarithm (in Finite Fields and in Elliptic Curves)
• Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
• Error-Correcting Codes
• Hash-based schemes
• Systems of Multivariate Equations
• Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:
• Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance.
  Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].

Limits and Benefits of Provable Security (cont.)

Still, provable security
• provides some form of guarantee that the scheme is not flawed;
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
• gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
• is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin, Heidelberg, New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

                                • Introduction to Provable Security
                                • Introduction
                                  • Introduction to Cryptography
                                    • What Cryptography is about
                                    • Classic Goals
                                        • Provable Security
                                          • Provable Security
                                            • Provable Security: The Short Story
                                            • The need for Provable Security
                                                • Reductions
                                                • Security Notions
                                                  • Security Notions
                                                    • Security Notion for Signature Schemes
                                                    • Security Notion for Encryption Schemes
                                                        • Concluding Remarks
                                                          • Concluding Remarks
                                                            • References

Unconditional secrecy is not possible

The ciphertext c = E_{k_e}(m, r) is uniquely determined by
• the public encryption key k_e,
• the message m,
• the random coins r.

So at least exhaustive search is possible ⇒ unconditional secrecy is impossible.

We need complexity (algorithmic) assumptions.

Integer Factoring and RSA

Multiplication vs. Factorization
• p, q → n = p·q is easy (quadratic)
• n = p·q → p, q is hard (super-polynomial)
One-way function.

RSA Function [Rivest-Shamir-Adleman 78]
The function f : Z_n → Z_n, where n = pq, for a fixed exponent e:
• x → x^e mod n (easy: cubic)
• y = x^e mod n → x (difficult without p, q)
• but easy, x = y^d mod n, if the trapdoor d = e^{-1} mod φ(n) is known.

We measure the advantage of any inverting adversary A by

$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_n^*;\ y = x^e \bmod n\ :\ A(y) = x\right]$

The Discrete Logarithm

Let G = (⟨g⟩, ×) be any finite cyclic group. For any y ∈ G we define

$\mathrm{DLog}_g(y) = \min\{x \ge 0 \mid y = g^x\}$

Exponentiation Function
The function DExp_g : Z_q → G, where q = |G|:
• x → y = g^x (easy: cubic)
• y = g^x → x (difficult: super-polynomial)

$\mathrm{Adv}^{\mathrm{dl}}_g(A) = \Pr\left[x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x\ :\ A(y) = x\right]$

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

Modulus (bits) | MIPS-years (log2) | Operations (log2)
512            | 13                | 58
1024           | 35                | 80
2048           | 66                | 111
4096           | 104               | 149
8192           | 156               | 201

Reasonable estimates for RSA too, and lower bounds for DL in Z_p^*.

Generalization: One-way functions

One-way Function
The function f : Dom(f) → Rec(f):
• x → y = f(x) (easy: polynomial-time)
• y = f(x) → x (difficult for random x ∈ Dom(f): at least super-polynomial)

The advantage of an inverting adversary A is thus

$\mathrm{Adv}^{\mathrm{ow}}_f(A) = \Pr\left[x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x)\ :\ A(y) = x\right]$

Resources of A:
• Running time t (number of operations)
• Number & length of queries (if in the random oracle model)

Part III

Reductions

Algorithmic assumptions are necessary

Recall that for RSA:
• n = pq, public modulus
• e, public exponent
• d = e^{-1} mod φ(n), private exponent
• E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n

Underlying hard problem: computing m from c = E_{n,e}(m) for m ←$ Z_n^*.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.



Proof by Reduction

Let P be a problem.
Let A be an adversary that breaks the scheme.
Then A can be used to solve P:

Instance I of P ⟶ [ new algorithm for P, running adversary A as a subroutine ] ⟶ solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

23/77


Provable Security

A misleading name: not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next):
   Security goal
   Attack model
3. A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε
⇒ Build: an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial
Exact security: T explicit
Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$

Assumption: P is hard = "no polynomial time algorithm"
Reduction: T is polynomial in t and ε
Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77



Complexity-theory Security Results

General Results

Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;
looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$

Assumption: solving P requires N operations (say, time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time t such that $t' = T(t, \varepsilon) \le \tau$

Why useful? From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $(t'/\varepsilon') / (t/\varepsilon) = (t' \varepsilon) / (t \varepsilon')$.

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Security Notions - Security Notion for Signature Schemes - Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed
2. Attack model:
   Attack venues: what the adversary can and cannot do
   Leaked information: what the adversary can know from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key
Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs
Chosen-Message Attack (CMA): the adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} K(\cdot)$

The adversary receives $k_v$ and interacts with a signing oracle holding $k_s$: it sends messages $m$ and gets back $\sigma \leftarrow \mathrm{Sign}(k_s, m)$, repeatedly. Finally the adversary outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,]$

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,
block ciphers,
finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle
Block ciphers → Ideal cipher
Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. A hash function $H: \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.
The same query asked twice receives the same answer twice.

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

K: Key generation returns $(f, f^{-1})$ where
   Public key: $f: X \rightarrow X$, a trapdoor one-way permutation onto X
   Private key: $f^{-1}$
S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$
V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where
A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
$T_f$ is the time to compute f (in the forward direction);
B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game, with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle H(q):
Create an initially empty list called H-List.
If $(q, r) \in$ H-List, return r.
Otherwise, reply using
Rule H(1): $r \xleftarrow{\$} X$, and add record $(q, r)$ to H-List.

Signing oracle S(m):
$r \leftarrow H(m)$. Reply using
Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle Vf(m, σ):
$r \leftarrow H(m)$. Return true if $r = f(\sigma)$.
The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where
$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.
Let $c'$ = index of the first query in which message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.
If $c \neq c'$ then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.
Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$; otherwise choose at random. Add record $(q, \perp, r)$ to H-List.

Since position y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
If this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \perp$.
Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.
Add record $(q, s, r)$ to H-List.

Since position y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the c-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:
the simulation can be done computing $(q_S + q_H)$ evaluations of f;
a signature forgery for y gives a preimage for y.

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.

46/77


                                  Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                  Exact Security FDH Sigs amp Game-based proofs (55)

                                  Game G5 except for the c-th query all preimages are knownThen we can simulate signing oracle without f minus1

                                  Rule S(5)

                                  Lookup (m s r) in H-List and set σ larr s

                                  Since c-th query cannot be asked to hash oracle thenPr [ S5 ] = Pr [ S4 ]Moreover

                                  simulation can be done computing (qS + qH) evaluations of f

                                  signature forgery for y gives preimage for y

                                  Pr [ S5 ] = Advowf (B)

                                  where B = G5 runs in time t + (qS + qH)Tf

                                  4677

                                  Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:
$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\,\Pr[S_1] \ge \frac{1}{q_H + q_S + 1}\,\Pr[S_0] = \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A).$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
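The simulator B of games G4 and G5, written out as code. This is an added example, not part of the slides: it uses a toy RSA permutation with fixed, far too small primes as $f$ (an assumption made only so the code runs instantly), keeps the H-List, embeds the challenge $y$ at the c-th new hash query, answers signing queries by lookup without ever calling $f^{-1}$, aborts when the guess of c was wrong, and extracts the preimage of $y$ from a forgery. The "forger" is a hypothetical stand-in that forges with the trapdoor, which a real adversary does not have; it exists only to exercise B.

```python
"""Toy run of the FDH reduction from games G4/G5 (added example, not from the slides).

B is given a challenge y = f(x) and a guess c.  It programs the random oracle
(r = f(s) for fresh random s, except r = y at the c-th new query), signs from
the H-List without f^{-1}, and turns a forgery on the c-th hashed message into
a preimage of y.  The RSA parameters are toys and not secure.
"""
import secrets

# Toy RSA trapdoor permutation f(x) = x^e mod n with fixed ~30-bit primes.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # trapdoor: only the real signer has it


def f(x):
    """Forward direction, public and cheap (cost T_f)."""
    return pow(x, E, N)


def f_inv(y):
    """Inverse direction: needs the trapdoor D.  The simulator never calls this."""
    return pow(y, D, N)


class FDHSimulator:
    """B = game G5: plays the signer towards a forger A, knowing only y."""

    def __init__(self, y, c):
        self.y, self.c = y, c
        self.h_list = {}          # m -> (s, r); s is None for the embedded query
        self.signed = set()
        self.new_queries = 0
        self.f_evals = 0

    def hash_oracle(self, m):
        if m in self.h_list:                      # repeated query: same answer
            return self.h_list[m][1]
        self.new_queries += 1
        if self.new_queries == self.c:            # Rule H(4): embed the challenge
            s, r = None, self.y
        else:                                     # r = f(s) is uniform: f is a permutation
            s = secrets.randbelow(N - 1) + 1
            r = f(s)
            self.f_evals += 1
        self.h_list[m] = (s, r)
        return r

    def sign_oracle(self, m):
        """Rule S(5): look up (m, s, r) in the H-List and return sigma = s."""
        self.hash_oracle(m)                       # A may ask to sign before hashing
        s, _ = self.h_list[m]
        if s is None:                             # wrong guess of c: B must abort
            raise RuntimeError("abort: signing query on the c-th hashed message")
        self.signed.add(m)
        return s

    def extract(self, m_star, sigma):
        """A valid forgery on the embedded message is a preimage of y."""
        if m_star in self.signed or m_star not in self.h_list:
            return None                           # not a valid EUF-CMA forgery
        s, _ = self.h_list[m_star]
        if s is None and f(sigma) == self.y:
            return sigma
        return None


def toy_forger(hash_oracle, sign_oracle, messages, target):
    """Hypothetical stand-in for a forger A: it cheats with the trapdoor, which a
    real A cannot do.  Hashes every message, gets signatures on all but `target`,
    checks that the simulated signatures verify, then forges on `target`."""
    hashes = {m: hash_oracle(m) for m in messages}
    for m in messages:
        if m != target:
            assert f(sign_oracle(m)) == hashes[m], "simulated signature must verify"
    return target, f_inv(hashes[target])


def run_reduction(messages, target, c):
    """Draw x, hand y = f(x) to B with guess c; return (x, what B recovers)."""
    x = secrets.randbelow(N - 1) + 1
    sim = FDHSimulator(f(x), c)
    try:
        m_star, sigma = toy_forger(sim.hash_oracle, sim.sign_oracle, messages, target)
    except RuntimeError:
        return x, None          # wrong guess: the 1/(q_H + q_S + 1) loss in the bound
    return x, sim.extract(m_star, sigma)


if __name__ == "__main__":
    msgs = [b"transfer 10", b"transfer 20", b"transfer 30"]
    for guess in (3, 1):
        x, got = run_reduction(msgs, target=b"transfer 30", c=guess)
        print("guess c=%d:" % guess, "preimage recovered" if got == x else "aborted")
```

With the forgery message hashed third, the guess c = 3 yields the preimage of y every time; any other guess ends in the abort on the signing query, which is exactly the $1/(q_H + q_S + 1)$ factor in the bound. The counter `f_evals` shows the simulation's own cost of one forward evaluation per programmed hash query.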


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA). Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where
- $A$ runs in time $t$, makes $q_h$ queries to the hash function (random oracle) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are:
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

With $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$ and $B$ running in time $t' = t + (q_h + q_s) \cdot T_f$, the result now says:

Interpreting the Result. If one can break the scheme in time $t$, then one can invert $f$ with comparable success probability (repeating $B$ about $q_h + q_s + 1$ times to absorb the loss factor) within time
$$t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s) \cdot T_f\big) \le 2^{130} + 2^{110} \cdot T_f .$$


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small (the figures below take $T_f = k^3$).

We compare this with the known cost of inverting RSA (namely factoring with the best known algorithm, the Number Field Sieve, NFS) for $f = $ RSA:
- 1024 bits: $t' \le 2^{140}$, but NFS already takes only $2^{80}$ (the bound says nothing)
- 2048 bits: $t' \le 2^{143}$, but NFS takes $2^{111}$ (the bound says nothing)
- 4096 bits: $t' \le 2^{146}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ with this reduction, RSA-FDH is provably secure only for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
(here $e \approx 2.718$ is Euler's number, not the RSA exponent), where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. The loss factor no longer depends on $q_h$. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and (the figures take $T_f \approx k^2$, unlike the previous slide)
- 1024 bits: $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits: $t' \le 2^{107}$, and NFS takes $2^{111}$: ok
- 4096 bits: $t' \le 2^{109}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is provably secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext; in the public-key setting an unbounded adversary can always recover the plaintext from the public key.

Goal: indistinguishability (semantic security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.


Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can always do this himself with the public key).
- Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; send $k_e$ to the adversary.
2. Adversary: may query a decryption oracle $c \mapsto m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$) on ciphertexts of his choice (CCA1: only in this phase), then outputs $(m_0, m_1)$.
3. Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$; send $c^*$.
4. Adversary: (CCA2 only) may keep querying the decryption oracle on any $c \ne c^*$; finally outputs a guess $b'$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\big]$$
(indistinguishability against chosen-ciphertext attacks). A random guess already achieves $1/2$, so the advantage is often normalised as $2\Pr[b' = b] - 1$.


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:
- let $m$ be a random message chosen from the message space $\mathcal{M}$;
- from the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is one-way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as
$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} \mathcal{M},\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\big].$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA $\Leftrightarrow$ RSA problem (modular $e$-th roots).
- It is neither IND-CPA nor IND-CCA, since it is deterministic: re-encrypt $m_0$ under the public key and compare with $c^*$.

Discrete-log-based: ElGamal [ElGamal 85]
- OW-CPA $\Leftrightarrow$ CDH (Computational Diffie-Hellman).
- IND-CPA $\Leftrightarrow$ DDH (Decisional Diffie-Hellman).
- It is not IND-CCA because of multiplicativity: the product of two ciphertexts decrypts to the product of the plaintexts, so a scaled copy of $c^*$ (which is a different ciphertext) can be sent to the decryption oracle.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog), so the corresponding assumptions are stronger.
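The IND-CCA2 game of the previous slides, run by a challenger against the two schemes just discussed. This is an added example and not part of the slides: the group (quadratic residues modulo the safe prime 1019, generator 4, order 509) and the RSA primes are toy parameters assumed for illustration only. One adversary breaks textbook ElGamal through multiplicativity by asking the oracle to decrypt $(u, 4v) \ne c^*$; the other breaks textbook RSA without any oracle by re-encrypting $m_0$.

```python
"""IND-CCA2 game (added example, not from the slides) against textbook ElGamal
and textbook RSA, each with an adversary that wins every run.  Parameters are
toys chosen so the code runs instantly; they offer no security.
"""
import secrets

# Toy group: quadratic residues mod the safe prime P = 2*Q + 1, generated by
# G = 4, of prime order Q.  Messages are taken in this subgroup (4^2 and 5^2).
P, Q, G = 1019, 509, 4


class ElGamal:
    """Textbook ElGamal: IND-CPA under DDH, but malleable."""

    @staticmethod
    def keygen():
        x = secrets.randbelow(Q - 1) + 1
        return pow(G, x, P), x                  # (k_e = h = g^x, k_d = x)

    @staticmethod
    def encrypt(h, m):
        r = secrets.randbelow(Q - 1) + 1
        return pow(G, r, P), (m * pow(h, r, P)) % P

    @staticmethod
    def decrypt(x, c):
        u, v = c
        return (v * pow(pow(u, x, P), -1, P)) % P


class TextbookRSA:
    """Textbook RSA: OW-CPA iff the RSA problem is hard, but deterministic."""
    _P, _Q, _E = 1000000007, 998244353, 65537   # fixed toy primes

    @classmethod
    def keygen(cls):
        n = cls._P * cls._Q
        return (n, cls._E), (n, pow(cls._E, -1, (cls._P - 1) * (cls._Q - 1)))

    @staticmethod
    def encrypt(ke, m):
        n, e = ke
        return pow(m, e, n)

    @staticmethod
    def decrypt(kd, c):
        n, d = kd
        return pow(c, d, n)


def ind_cca2_game(scheme, adversary):
    """Challenger side of the IND-CCA2 game; returns True iff b' == b."""
    ke, kd = scheme.keygen()
    challenge = []                                # holds c* once it exists

    def dec_oracle(c):
        if challenge and c == challenge[0]:
            return None                           # c* itself may not be decrypted
        return scheme.decrypt(kd, c)

    m0, m1 = adversary.choose(ke, dec_oracle)    # CCA1 phase: oracle available
    b = secrets.randbelow(2)
    challenge.append(scheme.encrypt(ke, (m0, m1)[b]))
    b_prime = adversary.guess(challenge[0], dec_oracle)   # CCA2 phase: c != c*
    return b_prime == b


class MalleabilityAdversary:
    """Breaks ElGamal IND-CCA2: D(u, 4v) = 4 * D(u, v), and (u, 4v) != c*."""

    def choose(self, ke, dec_oracle):
        self.m0, self.m1 = 16, 25
        return self.m0, self.m1

    def guess(self, c_star, dec_oracle):
        u, v = c_star
        m = (dec_oracle((u, (4 * v) % P)) * pow(4, -1, P)) % P
        return 0 if m == self.m0 else 1


class DeterminismAdversary:
    """Breaks textbook RSA IND-CPA with no oracle: re-encrypt m0 and compare."""

    def choose(self, ke, dec_oracle):
        self.ke, self.m0, self.m1 = ke, 16, 25
        return self.m0, self.m1

    def guess(self, c_star, dec_oracle):
        return 0 if TextbookRSA.encrypt(self.ke, self.m0) == c_star else 1


def estimate_advantage(scheme, adversary, trials=200):
    """Empirical 2*Pr[b' = b] - 1 over independent runs of the game."""
    wins = sum(ind_cca2_game(scheme, adversary) for _ in range(trials))
    return 2 * wins / trials - 1


if __name__ == "__main__":
    print("ElGamal vs malleability:", estimate_advantage(ElGamal, MalleabilityAdversary()))
    print("RSA vs determinism:", estimate_advantage(TextbookRSA, DeterminismAdversary()))
```

Both adversaries reach the maximal advantage 1: the ElGamal one never violates the rule $c \ne c^*$, which is exactly why IND-CCA2 demands non-malleability, and the RSA one needs no decryption oracle at all, which is why a deterministic scheme cannot even be IND-CPA.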


Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:
- any trapdoor one-way function may yield an OW-CPA encryption scheme;
- OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with hash functions
$$G : \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}, \qquad H : \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}.$$

- $\mathcal{E}(m, r)$: for an $(n - k_0 - k_1)$-bit message $m$ and random $r \in \{0,1\}^{k_0}$, compute $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \| y)$.
- $\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert the OAEP padding ($r = y \oplus H(x)$, $m \| z = x \oplus G(r)$), then check the redundancy $z = 0^{k_1}$ and reject the ciphertext otherwise.
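The padding and the redundancy check as code, an added example that is not from the slides or from [Bellare-Rogaway 1994]: $f$ is a toy RSA permutation with fixed small primes, $G$ and $H$ are instantiated with truncated SHA-256, and the sizes ($n = 56$ bits, $k_0 = k_1 = 16$ bits) are assumptions made only to keep $x \| y$ below the toy modulus. Standardised RSA-OAEP uses MGF1 and a modulus of 2048 bits or more. The last function scales a ciphertext through the RSA homomorphism, which textbook RSA would accept and the redundancy check rejects.

```python
"""f-OAEP over a toy RSA trapdoor permutation (added example, not from the slides).

Shows randomised encryption, decryption that inverts the padding and checks the
k1-bit redundancy, and a ciphertext malleated through the RSA homomorphism that
the check rejects.  The ~60-bit modulus and truncated-SHA-256 oracles are toys.
"""
import hashlib
import secrets

P, Q, E = 1000000007, 998244353, 65537           # fixed toy primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Sizes in bytes: n = 56 bits (so x||y < N), k0 = k1 = 16 bits, 24-bit messages.
N_BYTES, K0, K1 = 7, 2, 2
MSG_BYTES = N_BYTES - K0 - K1


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), a random-oracle stand-in."""
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H" + x).digest()[:K0]


def oaep_encrypt(m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_BYTES:
        raise ValueError("message must be exactly %d bytes" % MSG_BYTES)
    r = secrets.token_bytes(K0) if r is None else r
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return pow(int.from_bytes(x + y, "big"), E, N)


def oaep_decrypt(c):
    """D(c): x||y = f^{-1}(c), r = y xor H(x), m||z = x xor G(r); accept iff z = 0^k1."""
    xy_int = pow(c, D, N)
    if xy_int >= 1 << (8 * N_BYTES):
        return None                           # not in the padded domain: reject
    xy = xy_int.to_bytes(N_BYTES, "big")
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    if mz[MSG_BYTES:] != bytes(K1):
        return None                           # redundancy check failed: reject
    return mz[:MSG_BYTES]


def malleate(c):
    """Double the padded plaintext through the RSA homomorphism f(2z) = 2^e f(z).
    Against plain RSA this is a valid encryption of 2z; with OAEP the range or
    the redundancy check rejects it (except with probability about 2^-k1)."""
    return (c * pow(2, E, N)) % N


if __name__ == "__main__":
    c1, c2 = oaep_encrypt(b"abc"), oaep_encrypt(b"abc")
    print("same message, different ciphertexts:", c1 != c2)
    print("decrypts to:", oaep_decrypt(c1))
    print("malleated ciphertext decrypts to:", oaep_decrypt(malleate(c1)))
```

Two encryptions of the same message differ because OAEP is a bijection on $(m \| 0^{k_1}, r)$, so distinct $r$ give distinct $x \| y$; this is what lifts a deterministic trapdoor permutation to a randomised, and potentially IND-CCA, scheme. The decryptor returns the same rejection for a range failure and a redundancy failure, which matters in practice: distinguishing the two was the basis of Manger's attack on PKCS#1 v2.0 implementations.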


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is
$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$
where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and
- 1024 bits: $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits: $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits: $t' \le 2^{137}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is provably secure for keys of at least 4096 bits; the reduction is not tight (note the square-root loss).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations, one per key.


Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose the feasible bounds for any adversary attacking $f = $ RSA are
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and
- 1024 bits: $t' \le 2^{76}$, and NFS takes $2^{80}$: ok
- 2048 bits: $t' \le 2^{78}$, and NFS takes $2^{111}$: ok
- 4096 bits: $t' \le 2^{80}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is provably secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical assumptions:
- Integer factoring
- Discrete logarithm (in finite fields and in elliptic curves)
- Modular roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks.

Alternatives (post-quantum cryptography):
- Error-correcting codes
- Hash-based schemes
- Systems of multivariate equations
- Lattices

Part V: Concluding Remarks


Limits and Benefits of Provable Security

- Provable security does not yield absolute proofs.
- Proofs are relative to computational assumptions and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then one mode was attacked [Albrecht 09], then proofs for the other mode were given in a better model [Paterson et al. 10]. Are we back to a cycle of model, attack, remodel? Cryptography as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security

Still, provable security
- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
- is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009, 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557-594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86 (11-15 Aug. 1986), volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. Manuscript, not published elsewhere (jjonsson@rsasecurity.com, 11764), received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252. Springer, Berlin / Heidelberg / New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology - EUROCRYPT '97, pages 256-266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87-100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References


Integer Factoring and RSA

Multiplication vs. factorization:
- $p, q \to n = p \cdot q$ is easy (quadratic);
- $n = p \cdot q \to p, q$ is hard (super-polynomial).

This is the prototype of a one-way function.

RSA Function [Rivest-Shamir-Adleman 78]: the function $f : \mathbb{Z}_n \to \mathbb{Z}_n$, where $n = pq$, for a fixed exponent $e$:
- $x \to x^e \bmod n$ (easy, cubic);
- $y = x^e \bmod n \to x$ (difficult without $p, q$),
- but easy, $x = y^d \bmod n$, if the trapdoor $d = e^{-1} \bmod \varphi(n)$ is known.

We measure the advantage of any inverting adversary $A$ by
$$\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(A) = \Pr\big[x \xleftarrow{\$} \mathbb{Z}_n^*,\ y = x^e \bmod n : A(y) = x\big].$$


The Discrete Logarithm

Let $G = (\langle g \rangle, \times)$ be any finite cyclic group. For any $y \in G$ we define
$$\mathrm{DLog}_g(y) = \min\{x \ge 0 \mid y = g^x\}.$$

Exponentiation function: the function $\mathrm{DExp}_g : \mathbb{Z}_q \to G$, where $q = |G|$:
- $x \to y = g^x$ (easy, cubic);
- $y = g^x \to x$ (difficult, super-polynomial).

$$\mathrm{Adv}^{\mathrm{dl}}_g(A) = \Pr\big[x \xleftarrow{\$} \mathbb{Z}_q,\ y = g^x : A(y) = x\big].$$


How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

    Modulus (bits)   MIPS-years (log2)   Operations (log2)
       512                 13                  58
      1024                 35                  80
      2048                 66                 111
      4096                104                 149
      8192                156                 201

These are reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.


Generalization: One-way functions

One-way Function

The function $f : \mathrm{Dom}(f) \to \mathrm{Rec}(f)$ (from its domain onto its range):

  $x \mapsto y = f(x)$   (easy: polynomial time)

  $y = f(x) \mapsto x$   (difficult for random $x \in \mathrm{Dom}(f)$: at least super-polynomial)

The advantage of an inverting adversary A is thus

  $\mathrm{Adv}^{\mathrm{ow}}_f(A) = \Pr[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x) :\ A(y) = x \,]$

(For a permutation, as in RSA and DExp, the winning condition $A(y) = x$ is the same as $f(A(y)) = y$; for a non-injective $f$ the latter is the usual, weaker requirement.)

Resources of A:

  Running time $t$ (number of operations)

  Number and length of queries (if in the random oracle model)
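As an added example (not part of the original slides), the following Python code makes the inversion experiment behind $\mathrm{Adv}^{\mathrm{ow}}_f(A)$ concrete: it runs the game "$x \xleftarrow{\$} \mathrm{Dom}(f)$, $y = f(x)$, does $A(y) = x$?" many times against a constructed toy instance of $\mathrm{DExp}_g$ (the prime $p = 1019$ and generator $g = 2$ are assumptions chosen only to keep the brute-force search fast) and an adversary whose only resource is a budget $t$ of exponentiations. It shows how the advantage is a probability over the random instance and how it grows with the time the adversary is allowed.

```python
import random

# Constructed toy instance of the exponentiation function DExp_g: Z_q -> G.
# p = 1019 is prime and g = 2 generates Z_p^*, so q = |G| = p - 1 = 1018.
# Real parameters are thousands of bits; these only make the experiment fast.
P, G, Q = 1019, 2, 1018


def dexp(x: int) -> int:
    """The easy direction: x -> g^x in G (one modular exponentiation)."""
    return pow(G, x, P)


def brute_force_inverter(budget: int):
    """Builds an inverting adversary A whose only resource is `budget`
    evaluations of dexp (its running time t). It tests candidate exponents
    in a random order and gives up when the budget is exhausted."""
    def A(y: int, rng: random.Random):
        for x in rng.sample(range(Q), budget):
            if dexp(x) == y:
                return x
        return None  # attack failed within the allowed time
    return A


def ow_experiment(A, rng: random.Random) -> bool:
    """One run of the inversion game: x <-$ Z_q, y = g^x, success iff A(y) = x.
    dexp is injective on Z_q, so 'A(y) = x' and 'dexp(A(y)) = y' coincide."""
    x = rng.randrange(Q)
    return A(dexp(x), rng) == x


def estimate_advantage(A, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of Adv^dl_g(A): the fraction of runs that A wins."""
    rng = random.Random(seed)
    wins = sum(ow_experiment(A, rng) for _ in range(trials))
    return wins / trials


def exact_advantage(budget: int) -> float:
    """For this adversary the advantage is exactly budget / q: a random set of
    `budget` distinct candidates contains the secret x with that probability."""
    return budget / Q


if __name__ == "__main__":
    for budget in (1, 64, 509, Q):
        est = estimate_advantage(brute_force_inverter(budget), trials=2000)
        print(f"t = {budget:4d} exponentiations: "
              f"Adv ~ {est:.3f} (exact {exact_advantage(budget):.3f})")
```

Doubling the group size halves the advantage of this adversary at a fixed budget, which is exactly the trade-off the factorization table above expresses in bits: security is always stated relative to the resources $t$ the adversary is granted.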

                                    Part III

                                    Reductions


Algorithmic assumptions are necessary

Recall that for RSA:

  $n = pq$: public modulus

  $e$: public exponent

  $d = e^{-1} \bmod \varphi(n)$: private exponent

  $E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

  IF an adversary can break the secrecy  ⇒  THEN we can break the assumption.

This is a reductionist proof.

Proof by Reduction

Let P be a problem.

Let A be an adversary that breaks the scheme.

Then A can be used to solve P:

  Instance $I$ of P  ⟶  [ New algorithm for P, which runs the adversary A inside ]  ⟶  Solution of $I$

If so, we say solving P reduces to breaking the scheme.

Conclusion: if P is intractable, then the scheme is unbreakable.

Provable Security: a misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given above)

2. To define the security notions to be guaranteed (next): the security goal and the attack model

3. A reduction

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given A, within time $t$ and success probability $\varepsilon$  ⇒  Build an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

  Complexity theory: $T$ polynomial

  Exact security: $T$ explicit

  Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given A, within time $t$ and success probability $\varepsilon$  ⇒  Build an algorithm against P that runs in time $t' = T(t, \varepsilon)$.

Assumption: P is hard = "no polynomial-time algorithm"

Reduction: $T$ is polynomial in $t$ and $1/\varepsilon$

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers: their key and block sizes are fixed, so there is no security parameter to "make large enough".

Complexity-theory Security Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

  the schemes for which these results were originally obtained are rather inefficient;

  looking into the complexity of the reduction may give us some insight.

Exact Security

Given A, which in time $t$ breaks the scheme with probability $\varepsilon$  ⇒  Build an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$.

Assumption: solving P requires $N$ operations (say, time $\tau$).

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$.

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'/\varepsilon'}{t/\varepsilon} = \dfrac{t'\,\varepsilon}{t\,\varepsilon'}$.

We want tight reductions, or at least reductions with a small tightness gap. A gap of $2^k$ means the assumption must resist attackers $2^k$ times as powerful as the one we actually fear, so it costs about $k$ bits of security when the parameters are chosen from the bound.

Part IV

Security Notions

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed

2. Attack model:

  Attack venues: what the adversary can and cannot do

  Leaked information: what the adversary can learn from honest users (often modeled by oracles)

Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

  given the verification key $k_v$,

  it outputs a pair $(m', \sigma')$ of a message and its signature

  such that the following probability is large:

  $\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$


Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary also gets a list of message/signature pairs it did not choose

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$:

  $(k_v, k_s) \xleftarrow{\$} K(\cdot)$; the adversary receives $k_v$

  The adversary may repeatedly send a message $m$ to a signing oracle holding $k_s$ and get back $\sigma \leftarrow \mathrm{Sign}(k_s, m)$

  Finally, the adversary outputs $(m', \sigma')$

  $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_\Sigma(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,]$

(Existential unforgeability under chosen-message attacks; "new" means $m'$ was never submitted to the signing oracle.)


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

  Hash functions

  Block ciphers

  Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models:

  Hash function → Random oracle

  Block cipher → Ideal cipher

  Finite group → Generic group

Standard model: no idealized primitives (sort of).

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

  Each new query receives a random answer in $\mathrm{Rec}(H)$

  The same query asked twice receives the same answer twice

But in the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc. at the time of these slides; SHA-1 is no longer acceptable for signatures, so SHA-2 or SHA-3 would be used today).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

  $K$: key generation returns $(f, f^{-1})$, where the public key is $f : X \to X$, a trapdoor one-way permutation onto $X$, and the private key is $f^{-1}$

  $S$: the signature of $m$ is $\sigma \leftarrow f^{-1}(H(m))$, where $H : \{0,1\}^* \to X$ hashes onto the full domain of $f$ (hence the name)

  $V$: verification of $(m, \sigma)$ returns true iff $f(\sigma) = H(m)$


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a trapdoor one-way permutation $f$ (for example $f$ = RSA). For each adversary A there exists an adversary B such that

  $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

  A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

  $T_f$ is the time to compute $f$ (in the forward direction);

  B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

The factor $(q_h + q_s + 1)$ is the tightness gap of this reduction. Hash queries are offline computations under the adversary's control, so $q_h$ can be very large (on the order of $2^{60}$ or more), and the bound then costs tens of bits of security; [Coron 2000] later gave a tighter reduction for RSA-FDH whose loss is about $q_s$ instead.

Proof (reduction):

Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments

2. All games are in the same probability space

3. Only the rules by which the adversary's view of the game is computed differ

4. Successive games are very similar, typically with slightly different probability distributions

5. $G_0$ is the actual security game (EUF-CMA)

6. $G_5$ is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event

  "A outputs a pair $(m, \sigma)$ for which Vf returns true"

Clearly

  $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:

  Keep an initially empty list called H-List

  If $(q, r) \in$ H-List, return $r$

  Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List

Signing oracle $S(m)$:

  $r \leftarrow H(m)$; reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $\mathrm{Vf}(m, \sigma)$:

  $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$: answering fresh queries with fresh random values and repeated queries from the list is exactly a random function, so A's view is unchanged.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

  $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

  Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle

  If $c \ne c'$ then abort

Since verification is done within the game, the hashing oracle is always queried on the output message $m'$ (by A directly, through a signing query, or by Vf itself), so $c'$ is well defined and at most $q_H + q_S + 1$. Let GoodGuess be the event $c = c'$; since $c$ is chosen independently of A's view:

  $\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): if this is the $c$-th (new) query, set $r \leftarrow y$; otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since $y = f(x)$ for a uniformly random $x$ and $f$ is a permutation, $y$ is uniformly distributed in $X$, so the value planted at position $c$ has the same distribution as before: $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be used in signing queries).

Rule H(4): If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise, choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the $c$-th query (the forgery message) cannot be asked to the signing oracle, the lookup always returns a known preimage, and $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery for $y$ gives a preimage for $y$;

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B$ = G5 runs in time $t + (q_S + q_H) T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \geq \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \geq \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: In general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
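The simulator B built across games G2 to G5, as an added Python example (not code from the slides): it answers the forger's hash and signing queries from H-List records (q, s, r) without ever using $f^{-1}$, embeds the challenge $y$ at the guessed query index $c$, and turns a forgery on that message into a preimage of $y$. The toy RSA instance (p = 61, q = 53) and the "forger" that cheats with the trapdoor d, standing in for an arbitrary successful EUF-CMA adversary, are constructed for the demonstration.

```python
import random

# Constructed toy RSA instance (far too small for real use): f(x) = x^E mod N.
P, Q = 61, 53
N = P * Q            # 3233
E = 17
D = 2753             # E * D = 1 mod (P-1)(Q-1): the trapdoor, never used by B


def f(x):
    """Forward direction of the one-way permutation f = RSA (cost T_f)."""
    return pow(x, E, N)


def f_inv(x):
    """Trapdoor direction; only the cheating test forger below calls it."""
    return pow(x, D, N)


class FDHReduction:
    """Simulator B of game G5: given a challenge y, it answers the hash oracle
    (rule H(4)) and the signing oracle (rule S(5)) without f^{-1}, and
    extracts f^{-1}(y) from a forgery on the message of the c-th hash query."""

    def __init__(self, y, q_h, q_s, rng=None, c=None):
        self.y = y
        self.rng = rng if rng is not None else random.Random(0)
        # G2: guess the index c of the hash query on the forgery message.
        self.c = c if c is not None else self.rng.randint(1, q_h + q_s + 1)
        self.count = 0
        self.hlist = {}      # H-List: message -> (s, r), i.e. record (q, s, r)

    def hash_query(self, m):
        """Random-oracle simulation, rule H(4)."""
        if m in self.hlist:              # repeated query: answer consistently
            return self.hlist[m][1]
        self.count += 1
        if self.count == self.c:
            s, r = None, self.y          # c-th query: r <- y, s <- bottom
        else:
            s = self.rng.randrange(1, N)  # s random in X
            r = f(s)                     # r = f(s) is uniform because f is a permutation
        self.hlist[m] = (s, r)
        return r

    def sign_query(self, m):
        """Signing simulation, rule S(5): look up (m, s, r) and return sigma = s."""
        self.hash_query(m)               # signing implicitly queries H(m)
        s, _ = self.hlist[m]
        if s is None:
            # m is the guessed forgery message; in the EUF-CMA game the forgery
            # message is never signed, so this is the "c != c'" abort of game G2.
            raise RuntimeError("abort: guessed index c does not match the forgery")
        return s

    def finish(self, m_star, sigma):
        """Given the forgery (m*, sigma), output f^{-1}(y) when the guess was right."""
        self.hash_query(m_star)          # verification evaluates H(m*)
        _, r = self.hlist[m_star]
        if r == self.y and f(sigma) == self.y:
            return sigma                 # sigma = f^{-1}(H(m*)) = f^{-1}(y)
        return None                      # wrong guess: no preimage obtained


def run_reduction(seed, q_s=2):
    """One run of B against the constructed forger. Returns (preimage_or_None, x, y)."""
    rng = random.Random(seed)
    x = rng.randrange(1, N)
    y = f(x)                             # OW challenge for B; x stays hidden from B
    msgs = ["m1", "m2", "m3", "m4"]      # q_h = 4 distinct hash queries
    B = FDHReduction(y, len(msgs), q_s, rng)
    # Constructed forger: it cheats with the trapdoor D so that it always forges;
    # it stands in for an arbitrary successful EUF-CMA adversary A.
    hashes = {m: B.hash_query(m) for m in msgs}
    try:
        for m in msgs[:q_s]:
            assert f(B.sign_query(m)) == hashes[m]   # simulated signatures verify
    except RuntimeError:
        return None, x, y                # B guessed c among the signed messages
    target = msgs[-1]                    # forge on a message that was never signed
    return B.finish(target, f_inv(hashes[target])), x, y
```

Over many seeds the preimage comes out in about one run in $q_H + q_S + 1 = 7$, which is exactly the loss factor of the bound.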

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA). Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example, $f$ = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$, with B running in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: If one can break the scheme in time $t$, then one can invert $f$ within time $t' \leq (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \leq 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus, inverting $f$ can be done in time $t' \leq 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known algorithm, the Number Field Sieve (NFS)) for $f$ = RSA. The reduction only tells us something when $t'$ is below the cost of the best known inverting algorithm; otherwise the bound is vacuous.

1024 bits $\rightarrow$ $t' \leq 2^{140}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \leq 2^{143}$, but NFS takes $2^{111}$

4096 bits $\rightarrow$ $t' \leq 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where $e$ is Euler's number (not the RSA exponent) and B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \leq 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits $\rightarrow$ $t' \leq 2^{105}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \leq 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \leq 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption).

The goal cannot be too strong: Perfect Secrecy is not possible; the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally: Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \xleftarrow{\$} \{0, 1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; the challenger sends $k_e$ to the adversary.

Adversary (CCA1 phase): submits ciphertexts $c$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$).

Adversary $\rightarrow$ Challenger: $(m_0, m_1)$.

Challenger $\rightarrow$ Adversary: $c^* \leftarrow E_{k_e}(m_b)$.

Adversary (CCA2 phase): submits ciphertexts $c \neq c^*$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$).

Adversary outputs $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr[(m_0, m_1) \leftarrow A^{D}(k_e),\ c^* \leftarrow E_{k_e}(m_b) : b' = b]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, adversary A must recover $m$.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr[m \xleftarrow{\$} M,\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
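The IND-CCA game of the previous slides run against textbook (unpadded) RSA, as an added Python example that is not part of the slides: the harness implements the challenger, the decryption oracle with its "c ≠ c*" rule, and an adversary that wins with probability 1 by re-encrypting $m_0$ under the public key, which is exactly why a deterministic scheme cannot be IND-CPA (let alone IND-CCA). The toy parameters (p = 61, q = 53) and the messages 1000, 1001 are constructed for the demonstration.

```python
import random

# Constructed toy RSA instance (far too small for real use).
P, Q = 61, 53
N = P * Q            # 3233
E = 17
D = 2753             # E * D = 1 mod (P-1)(Q-1)

COIN = random.Random(1)   # coin shared by the random-guessing baseline adversary


def keygen():
    return (N, E), (N, D)            # (k_e, k_d)


def encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)              # textbook RSA: deterministic, no padding


def decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


class DecryptionOracle:
    """Oracle D_{k_d} of the IND-CCA game: decrypts anything except the challenge c*."""

    def __init__(self, sk):
        self.sk = sk
        self.challenge = None        # set once c* exists (CCA2 phase)

    def query(self, c):
        if c == self.challenge:
            return None              # the "c != c*" rule: answer is bottom
        return decrypt(self.sk, c)


def ind_cca_game(adversary, rng):
    """One run of the game on the slides. Returns True iff b' = b."""
    pk, sk = keygen()
    oracle = DecryptionOracle(sk)
    b = rng.randrange(2)
    m0, m1 = adversary.choose(pk, oracle)                   # CCA1 phase happens here
    assert m0 != m1 and m0.bit_length() == m1.bit_length()  # same length, different
    c_star = encrypt(pk, (m0, m1)[b])
    oracle.challenge = c_star
    return adversary.guess(pk, oracle, c_star) == b         # CCA2 phase happens here


class ReencryptDistinguisher:
    """Breaks IND-CPA (hence IND-CCA) of any deterministic scheme: with the public
    key it re-encrypts m0 and compares with c*; the decryption oracle is not needed."""

    def choose(self, pk, oracle):
        self.m0, self.m1 = 1000, 1001                       # constructed, both 10 bits, < N
        return self.m0, self.m1

    def guess(self, pk, oracle, c_star):
        return 0 if encrypt(pk, self.m0) == c_star else 1


class RandomGuesser:
    """Baseline: outputs a random bit, so it wins with probability 1/2."""

    def choose(self, pk, oracle):
        return 1000, 1001

    def guess(self, pk, oracle, c_star):
        return COIN.randrange(2)


def win_rate(adversary_factory, trials, seed=0):
    """Empirical Pr[b' = b] over independent runs, the quantity Adv^{ind-cca}_{AS}(A)."""
    rng = random.Random(seed)
    wins = sum(ind_cca_game(adversary_factory(), rng) for _ in range(trials))
    return wins / trials
```

Replacing `encrypt` with a randomized padding such as OAEP is what makes the re-encryption test useless, which is the point of the conversion discussed on the next slides.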

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So, how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$

$H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: Compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: Compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \leq 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H(2 \cdot q_G + q_H) \cdot k^2$ if A runs in time $t$ and makes $q_H$, $q_G$ queries to oracles H and G respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \leq 2^{76} + 6 \cdot 2^{110} k^2 \leq 2^{113} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \leq 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\rightarrow$ $t' \leq 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\rightarrow$ $t' \leq 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits: not tight.

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: Consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f$ = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f$ = RSA are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \leq t + q_E \cdot k^2 \leq 2^{75} + 2^{55} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \leq 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits $\rightarrow$ $t' \leq 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \leq 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
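The key-size comparisons of the FDH slides (49 and 50) and of the OAEP++ slide above, carried out as an added Python example (not code from the slides): it evaluates each reduction's running time $t'$ at the slides' feasibility bounds, compares it with the NFS costs quoted there, and reports for which modulus sizes the bound is non-vacuous. The slides round $t'$ up to a power of two, so the one-decimal exponents here differ slightly from the slides' figures; the verdicts are the same.

```python
import math

# Feasibility bounds assumed on the slides: 2^75 operations (t), 2^55 hash or
# ideal-cipher queries (q_h, q_H, q_G, q_E) and 2^30 signing queries (q_s).
T, QH, QS = 2 ** 75, 2 ** 55, 2 ** 30

# Cost of inverting RSA with the Number Field Sieve, as quoted on the slides (log2),
# keyed by modulus size in bits.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_time(k):
    """t' of the original FDH reduction: (q_h + q_s + 1)(t + (q_h + q_s) T_f), T_f = k^3."""
    t_f = k ** 3
    return (QH + QS + 1) * (T + (QH + QS) * t_f)


def oaep_pp_time(k):
    """t' of the RSA-OAEP++ reduction: t + q_E T_f, with T_f = k^2 as on the slide."""
    t_f = k ** 2
    return T + QH * t_f


def is_meaningful(k, reduction):
    """The bound says something only if t' is below the best known inverting cost;
    otherwise breaking the scheme gives an inverter slower than NFS, i.e. nothing."""
    return math.log2(reduction(k)) < NFS_LOG2[k]


def key_size_table(reduction):
    """log2 t' (one decimal) and verdict per modulus size, like the slides' tables."""
    return {k: (round(math.log2(reduction(k)), 1), is_meaningful(k, reduction))
            for k in sorted(NFS_LOG2)}


def min_secure_key_size(reduction):
    """Smallest listed modulus for which the reduction gives a non-vacuous guarantee."""
    for k in sorted(NFS_LOG2):
        if is_meaningful(k, reduction):
            return k
    return None
```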

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and $e$-th roots)

Advantages: Easy to implement, widely used. Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V: Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield absolute proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now: model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Provable Security / Provable Security: The Short Story / The need for Provable Security

The Discrete Logarithm

Let $G = (\langle g\rangle, \times)$ be a finite cyclic group of order $q = |G|$ generated by $g$. For any $y \in G$ we define

$\mathrm{DLog}_g(y) = \min\{\, x \ge 0 \mid y = g^x \,\}$

Exponentiation Function

The function $\mathrm{DExp}_g : \mathbb{Z}_q \to G$:

$x \mapsto y = g^x$ (easy: cubic in the bit length of $q$ with square-and-multiply)

$y = g^x \mapsto x$ (difficult: the best known algorithms are super-polynomial)

$\mathrm{Adv}^{\mathrm{dl}}_g(A) = \Pr\left[\, x \xleftarrow{\$} \mathbb{Z}_q;\ y = g^x :\ A(y) = x \,\right]$
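How "difficult" the inverse direction is can be made concrete. The following Python is an added example and not part of the slides: it solves $\mathrm{DLog}_g$ in a constructed toy group of prime order $q = 509$ (the order-$q$ subgroup of $\mathbb{Z}_{1019}^*$) by brute force and by baby-step giant-step, which costs about $2\sqrt{q}$ group operations. The Nechaev and Shoup papers in the references show that no algorithm treating the group as a black box (the generic-group model of a later slide) can do better than order $\sqrt{q}$. The constants P, Q and G are my own toy choices; real deployments use $q$ of at least 256 bits.

```python
# Added example (not from the slides): the discrete logarithm in a small
# prime-order group, solved by brute force and by baby-step giant-step (BSGS).
# BSGS uses ~2*sqrt(q) group operations plus table lookups, which matches the
# Nechaev/Shoup lower bound for algorithms that treat the group as a black box.
from math import isqrt

# Constructed toy parameters: p = 2q + 1 with q prime; g = 4 is a quadratic
# residue != 1, hence generates the order-q subgroup of Z_p^*.
P = 1019          # 1019 = 2*509 + 1, both prime
Q = 509
G = 4


def exp(g: int, x: int, p: int = P) -> int:
    """DExp_g: x -> g^x mod p (the easy direction, square-and-multiply)."""
    return pow(g, x, p)


def dlog_bruteforce(y: int, g: int = G, q: int = Q, p: int = P) -> int:
    """DLog_g(y) = min{x >= 0 : y = g^x}; about q/2 multiplications on average."""
    acc = 1
    for x in range(q):
        if acc == y:
            return x
        acc = acc * g % p
    raise ValueError("y is not in <g>")


def dlog_bsgs(y: int, g: int = G, q: int = Q, p: int = P) -> int:
    """Baby-step giant-step: write x = i*m + j with m = ceil(sqrt(q)).
    Baby steps tabulate g^j for j < m; giant steps walk y * (g^-m)^i and
    look each value up, so the first hit gives x = i*m + j."""
    m = isqrt(q) + 1
    baby = {}
    gj = 1
    for j in range(m):                      # baby steps: g^0 .. g^(m-1)
        baby.setdefault(gj, j)
        gj = gj * g % p
    gm_inv = pow(g, -m, p)                  # g^{-m}; modular inverse (Python 3.8+)
    gamma = y
    for i in range(m):                      # giant steps
        if gamma in baby:
            return (i * m + baby[gamma]) % q
        gamma = gamma * gm_inv % p
    raise ValueError("y is not in <g>")


def check_all() -> bool:
    """Both solvers recover the exponent for every element of <g>."""
    for x in range(Q):
        y = exp(G, x)
        if dlog_bsgs(y) != x or dlog_bruteforce(y) != x:
            return False
    return True


if __name__ == "__main__":
    y = exp(G, 123)
    print("y =", y, "brute force:", dlog_bruteforce(y), "bsgs:", dlog_bsgs(y))
    print("all 509 exponents recovered:", check_all())
```

The $\sqrt{q}$ bound holds only against generic algorithms; index-calculus methods beat it in $\mathbb{Z}_p^*$, which is why the factoring and $\mathbb{Z}_p^*$ estimates on the next slide need far more bits than a group of the same security level in which only generic attacks are known.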


How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

  Modulus (bits)   MIPS-years (log2)   Operations (log2)
  512              13                  58
  1024             35                  80
  2048             66                  111
  4096             104                 149
  8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.


Generalization: One-way functions

One-way Function

The function $f : \mathrm{Dom}(f) \to \mathrm{Rec}(f)$ is one-way if

$x \mapsto y = f(x)$ is easy (polynomial time), and

$y = f(x) \mapsto x$ is difficult for random $x \in \mathrm{Dom}(f)$ (at least super-polynomial).

The advantage of an inverting adversary $A$ is thus

$\mathrm{Adv}^{\mathrm{owf}}_f(A) = \Pr\left[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x);\ x' \leftarrow A(y) :\ f(x') = y \,\right]$

(for a permutation the only preimage is $x$ itself, so this is $\Pr[A(y) = x]$).

Resources of $A$:

Running time $t$ (number of operations)

Number and length of queries (if in the random oracle model)


                                      Part III

                                      Reductions


Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$ public modulus

$e$ public exponent

$d = e^{-1} \bmod \varphi(n)$ private exponent

$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem (the RSA problem):

Computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$

Easy fact

If the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.


But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy, THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let $P$ be a problem.

Let $A$ be an adversary that breaks the scheme.

Then $A$ can be used to solve $P$:

Instance $I$ of $P$ → [ New algorithm for $P$, running adversary $A$ as a subroutine ] → Solution of $I$

If so, we say solving $P$ reduces to breaking the scheme. Conclusion: if $P$ is intractable, then the scheme is unbreakable (by the class of adversaries the reduction handles).


Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given above)

2. To define the security notions to be guaranteed (next):

   Security goal

   Attack model

3. A reduction


Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given $A$ that within time $t$ has success probability $\varepsilon$, ⇒ build an algorithm against $P$ that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

Complexity theory: $T$ polynomial

Exact security: $T$ explicit

Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.


Complexity-theory Security

Given $A$ within time $t$ and success probability $\varepsilon$, ⇒ build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$.

Assumption: $P$ is hard = "no polynomial-time algorithm"

Reduction: $T$ is polynomial in $t$ and $1/\varepsilon$

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers (fixed key size, so there is no parameter to let grow).


Complexity-theory Security: Results

General Results

Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.


Exact Security

Given $A$ which in time $t$ breaks the scheme with probability $\varepsilon$, ⇒ build an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$.

Assumption: solving $P$ requires $N$ operations (say, time $\tau$).

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$.

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'/\varepsilon'}{t/\varepsilon} = \dfrac{t' \cdot \varepsilon}{t \cdot \varepsilon'}$, the ratio between the work-per-success of the algorithm built against $P$ and that of the adversary against the scheme (equal to 1 for a perfectly tight reduction).

We want tight reductions, or at least reductions with a small tightness gap: every factor lost in the gap has to be compensated with larger parameters (key sizes).


Part IV

Security Notions

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem

Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= opposite to the adversary's goal): the property that needs to be guaranteed.

2. Attack model:

   Attack venues: what the adversary can and cannot do.

   Leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key $k_v$,

it outputs a pair $(m', \sigma')$ of a message and its signature

such that the following probability is large:

$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$


Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs (not of its choosing).

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$; the adversary receives $k_v$ and interacts with a signing oracle holding $k_s$: on each query $m$ it obtains $\sigma \leftarrow \mathrm{Sign}(k_s, m)$. Finally the adversary outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,]$

where "new" means $m'$ was never submitted to the signing oracle.

(Existential unforgeability under chosen-message attacks)


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.

The same query asked twice receives the same answer twice.

But in the actual scheme $H$ is replaced by a concrete cryptographic hash function (the slides cite SHA-1 and RIPEMD-160; both are now deprecated for collision resistance, and a deployment today would use SHA-2 or SHA-3).

Examples of use

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04], since there exist (contrived) schemes that are secure in the random oracle model but insecure under every concrete instantiation of $H$.


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows, with a hash function $H : \{0,1\}^* \to X$ whose range is the full domain $X$ of $f$ (hence the name):

$\mathcal{K}$: Key generation returns $(f, f^{-1})$ where

Public key: $f : X \to X$, a trapdoor one-way permutation onto $X$

Private key: $f^{-1}$

$\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$

$\mathcal{V}$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$
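The scheme above, the EUF-CMA game of the previous slides and the "easy fact" of the RSA slide (whoever solves the assumption owns the trapdoor) can all be exercised in one place. The following Python is an added example and not code from the slides or from Bellare-Rogaway: it instantiates $f$ with a constructed, insecurely small RSA modulus, models $H$ as a lazily sampled random oracle kept in an H-List (exactly the simulation used in game $G_1$ of the proof below), and plays the EUF-CMA game with a signing oracle that records the queried messages so that only a new $m'$ counts as a forgery. Two adversaries are run: one that replays an obtained signature (a valid pair, but not a forgery) and one that breaks the assumption by factoring the toy modulus. The primes, exponent, messages and adversary names are my own choices.

```python
# Added example (not from the slides): RSA-FDH inside the EUF-CMA game, with
# the hash modelled as a lazily sampled random oracle (the H-List of game G1)
# and a signing oracle that records queried messages.
import math
import secrets
from typing import Callable, Tuple

# ---- toy RSA trapdoor permutation (constructed, insecurely small) ------------
def rsa_keygen(p: int = 1000003, q: int = 999983, e: int = 65537):
    """f(x) = x^e mod n is the public permutation on X = Z_n; f^{-1}(y) = y^d mod n."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    d = pow(e, -1, phi)                       # modular inverse (Python 3.8+)
    return (n, e), (n, d)                     # (public key f, private key f^{-1})

def f_forward(pk, x: int) -> int:
    n, e = pk
    return pow(x, e, n)

def f_inverse(sk, y: int) -> int:
    n, d = sk
    return pow(y, d, n)

# ---- oracles as simulated in game G1 -----------------------------------------
class RandomOracle:
    """H-List simulation: a fresh uniform answer in X = Z_n for every new query,
    the same answer for a repeated query. Also counts q_h."""
    def __init__(self, n: int):
        self.n, self.table, self.queries = n, {}, 0
    def __call__(self, m: bytes) -> int:
        self.queries += 1
        if m not in self.table:                    # Rule H(1): r <-$ X
            self.table[m] = secrets.randbelow(self.n)
        return self.table[m]

class SigningOracle:
    """sigma <- f^{-1}(H(m)); records m so the game can reject replays."""
    def __init__(self, sk, H: RandomOracle):
        self.sk, self.H, self.asked = sk, H, []
    def __call__(self, m: bytes) -> int:
        self.asked.append(m)                       # Rule S(1)
        return f_inverse(self.sk, self.H(m))

def verify(pk, H: RandomOracle, m: bytes, sigma: int) -> bool:
    """Vf(m, sigma): true iff f(sigma) = H(m)."""
    return f_forward(pk, sigma) == H(m)

Adversary = Callable[[Tuple[int, int], RandomOracle, SigningOracle], Tuple[bytes, int]]

def euf_cma_game(adversary: Adversary) -> bool:
    """Event S0: A outputs (m', sigma') with Vf = 1 and m' never sent to Sign."""
    pk, sk = rsa_keygen()
    H = RandomOracle(pk[0])
    Sign = SigningOracle(sk, H)
    m_prime, sigma_prime = adversary(pk, H, Sign)
    return verify(pk, H, m_prime, sigma_prime) and m_prime not in Sign.asked

# ---- two adversaries ----------------------------------------------------------
def replay_adversary(pk, H, Sign):
    """Asks for a signature and hands it back: a valid pair, but not a forgery."""
    m = b"pay 10 to alice"
    return m, Sign(m)

def factoring_adversary(pk, H, Sign):
    """Breaks the assumption: factors the toy n by trial division, rebuilds the
    trapdoor and signs a never-queried message (infeasible for real key sizes).
    With the same trapdoor it could equally decrypt any RSA ciphertext."""
    n, e = pk
    p = next(x for x in range(3, math.isqrt(n) + 1, 2) if n % x == 0)
    d = pow(e, -1, (p - 1) * (n // p - 1))
    m = b"pay 10**6 to mallory"
    return m, f_inverse((n, d), H(m))

if __name__ == "__main__":
    print("replay adversary forges?   ", euf_cma_game(replay_adversary))
    print("factoring adversary forges?", euf_cma_game(factoring_adversary))
```

The replay adversary shows why the "new $m'$" condition is part of the notion: without it every signature obtained from the oracle would count as a break. The factoring adversary is the contrapositive of the theorem on the next slide made concrete: once the trapdoor is known, EUF-CMA (and RSA secrecy) fall with it.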


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

The factor $q_h + q_s + 1$ is the tightness gap in probability: $B$ has to guess which hash query the forgery will be built on.
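This bound is where the "exact security" and "tightness" slides pay off: it can be turned into a key-size requirement. The following Python is an added example, not part of the slides: it takes a hypothetical forger's resources $(t, \varepsilon, q_h, q_s, T_f)$, applies the theorem to obtain $B$'s $(t', \varepsilon')$ and the tightness gap, converts that into the work factor $t'/\varepsilon'$ that inverting $f$ must cost, and reads the smallest sufficient RSA modulus off the Lenstra-Verheul table reproduced earlier on this page. It assumes the usual heuristic that an inverter with success probability $\varepsilon'$ can be amplified to certain success by repetition, so $t'/\varepsilon'$ is the right cost to compare against. The forger parameters in `__main__` are constructed.

```python
# Added example (not from the slides): from the exact FDH bound to a key size.
# Assumes success probability amplifies linearly by repetition, i.e. breaking
# the one-wayness of f must cost at least t'/eps' operations.
import math
from typing import Optional, Tuple

# log2(operations) needed to factor an RSA modulus, from the Lenstra-Verheul
# table on the "How hard are these problems?" slide.
FACTORING_COST_LOG2 = [(512, 58), (1024, 80), (2048, 111), (4096, 149), (8192, 201)]


def fdh_reduction(t: float, eps: float, q_h: int, q_s: int, T_f: float) -> Tuple[float, float, float]:
    """Theorem: forger A with (t, eps, q_h, q_s) gives inverter B with
    t' = t + (q_h + q_s) * T_f and eps' = eps / (q_h + q_s + 1).
    Returns (t', eps', tightness gap = (t' * eps) / (t * eps'))."""
    loss = q_h + q_s + 1
    t_prime = t + (q_h + q_s) * T_f
    eps_prime = eps / loss
    gap = (t_prime * eps) / (t * eps_prime)
    return t_prime, eps_prime, gap


def required_hardness_bits(t_prime: float, eps_prime: float) -> float:
    """Security level, log2 of the work factor, that f must offer so that no
    inverter with resources (t', eps') exists: log2(t' / eps')."""
    return math.log2(t_prime / eps_prime)


def smallest_modulus(bits: float) -> Optional[int]:
    """Smallest tabulated RSA modulus whose factoring cost is at least 2^bits."""
    for modulus, cost in FACTORING_COST_LOG2:
        if cost >= bits:
            return modulus
    return None  # beyond the table: more than 8192 bits would be needed


def key_size_for_forger(t: float, eps: float, q_h: int, q_s: int, T_f: float,
                        tight: bool = False) -> Tuple[float, Optional[int]]:
    """Key size that rules out a forger with these resources, under the real
    FDH reduction (tight=False) or a hypothetical perfectly tight one (tight=True)."""
    if tight:
        t_prime, eps_prime = t, eps
    else:
        t_prime, eps_prime, _ = fdh_reduction(t, eps, q_h, q_s, T_f)
    bits = required_hardness_bits(t_prime, eps_prime)
    return bits, smallest_modulus(bits)


if __name__ == "__main__":
    # Constructed forger: 2^60 operations, success 1/2, 2^30 (offline, cheap)
    # hash queries, 2^20 signature queries; one forward RSA costs ~2^10 ops.
    forger = (2.0 ** 60, 0.5, 2 ** 30, 2 ** 20, 2.0 ** 10)
    print("FDH reduction :", key_size_for_forger(*forger))
    print("tight (ideal) :", key_size_for_forger(*forger, tight=True))
```

With these numbers the loss of about $2^{30}$ in probability pushes the required hardness from 61 to roughly 91 bits, that is, from a 1024-bit to a 2048-bit modulus according to the table; a tight reduction (as obtained for PSS-style schemes, not shown here) would let the smaller modulus suffice for the same forger.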

                                      Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle $\mathrm{Vf}$:

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends its final $(m, \sigma)$ here.

Let $S_0$ be the event

"$A$ outputs a pair $(m, \sigma)$ for which $\mathrm{Vf}$ returns true" (with $m$ not previously submitted to the signing oracle).

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

                                      4177

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):

Create an initially empty list called H-List.

If (q, r) ∈ H-List, return r.

Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record (q, r) to H-List.

Signing oracle S(m):

r ← H(m). Reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle Vf(m, σ):

r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

$c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$

Let c' = index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c', then abort.

Success verification is done inside the game ⇒ the adversary must query his output message m to the hashing oracle (so c' is always defined).

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3):

If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the value y placed at position c is itself uniformly distributed, Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be used for signing queries).

Rule H(4):

If this is the c-th query, set r ← y and s ← ⊥.

Otherwise choose random $s \xleftarrow{\$} X$ and compute r ← f(s).

Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Look up (m, s, r) in H-List and set σ ← s.

Since the message of the c-th hash query (the forgery message) cannot be asked to the signing oracle, Pr[S5] = Pr[S4].

Moreover:

- the simulation can be done computing (q_S + q_H) evaluations of f,

- a signature forgery for y gives a preimage of y.

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$

where B = G5 runs in time $t + (q_S + q_H) \cdot T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
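The game sequence G0 to G5 above can be exercised end to end. The following is an added example, not code from the slides or from the cited papers: it implements the real scheme (Rule S(1)), the reduction B of game G5 that programs the random oracle (Rule H(4): r ← f(s) for a fresh s, r ← y at the guessed position c) and answers signing queries by table lookup (Rule S(5)), and the extraction of a preimage of y from a forgery on the c-th hashed message. The trapdoor permutation is assumed to be textbook RSA with a tiny fixed modulus (p = 10007, q = 10009, e = 17) so that the whole run is instant; a real FDH uses full-size RSA. The forger is a constructed stand-in that is handed the trapdoor so that it can forge at all; B never looks at how it forges, which is the point of a black-box reduction.

```python
"""Toy simulation of the FDH game sequence G0 -> G5 (added example)."""
import hashlib
import secrets

P, Q, E = 10007, 10009, 17            # constructed toy RSA parameters
N = P * Q                             # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))     # the trapdoor; the reduction B never touches it


def f(x: int) -> int:
    """Forward direction x -> x^e mod n; each call costs T_f."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Trapdoor direction, available only to the real signer (Rule S(1))."""
    return pow(y, D, N)


# --- Games G0/G1: the real scheme, with H modelled as a random oracle ---------
def real_hash(m: bytes) -> int:
    """Full-domain hash onto Z_n (toy instantiation: SHA-256 reduced mod n)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def real_sign(m: bytes) -> int:
    return f_inv(real_hash(m))        # Rule S(1): sigma <- f^{-1}(H(m))


def verify(m: bytes, sigma: int, hash_fn=real_hash) -> bool:
    return f(sigma) == hash_fn(m)     # Vf: true iff f(sigma) = H(m)


# --- Game G5: the reduction B simulates both oracles for the forger A ---------
class ReductionB:
    def __init__(self, y: int, c: int):
        self.y, self.c = y, c         # OW challenge y and the guessed index c (G2)
        self.hlist = {}               # H-List: m -> (s, r); s is None for the c-th entry
        self.fresh_queries = 0

    def hash_oracle(self, m: bytes) -> int:
        if m in self.hlist:           # repeated query: same answer, no new index
            return self.hlist[m][1]
        self.fresh_queries += 1
        if self.fresh_queries == self.c:
            s, r = None, self.y       # Rule H(4): r <- y, s <- bottom (preimage unknown)
        else:
            s = secrets.randbelow(N)  # s <-$ X
            r = f(s)                  # r <- f(s): uniform because f is a permutation
        self.hlist[m] = (s, r)
        return r

    def sign_oracle(self, m: bytes) -> int:
        self.hash_oracle(m)           # S(m) hashes m first, as in Rule S(1)
        s, _ = self.hlist[m]
        if s is None:                 # the forgery message may not be signed
            raise RuntimeError("abort: signature asked on the c-th message")
        return s                      # Rule S(5): sigma <- s, no f^{-1} needed

    def extract(self, m: bytes, sigma: int):
        """Preimage of y if (m, sigma) is a valid forgery on the c-th message, else None."""
        r = self.hash_oracle(m)       # the verification query counts as a hash query
        if r == self.y and f(sigma) == self.y:
            return sigma
        return None                   # wrong guess of c, or an invalid signature


def run_reduction(y: int, c: int, forger):
    """B with guess c: run the forger on the simulated oracles and try to extract x."""
    b = ReductionB(y, c)
    try:
        m, sigma = forger(b.hash_oracle, b.sign_oracle)
    except RuntimeError:
        return None
    return b.extract(m, sigma)


def trapdoor_forger(hash_oracle, sign_oracle):
    """Constructed stand-in for an arbitrary EUF-CMA forger: it is given the
    trapdoor so that it succeeds; B is oblivious to how it forges."""
    hash_oracle(b"alpha")             # 1st fresh hash query
    hash_oracle(b"beta")              # 2nd
    sign_oracle(b"alpha")             # one signing query (no new hash index)
    target = b"gamma"                 # 3rd fresh hash query: the forgery message
    return target, f_inv(hash_oracle(target))


def guesses_that_succeed(y: int, q_h: int = 3, q_s: int = 1) -> list:
    """Which guesses c in {1, ..., q_h + q_s + 1} let B recover a preimage of y."""
    return [c for c in range(1, q_h + q_s + 2)
            if run_reduction(y, c, trapdoor_forger) is not None]


if __name__ == "__main__":
    x = 123456
    y = f(x)
    print("real scheme verifies:", verify(b"msg", real_sign(b"msg")))
    print("guesses c that extract x:", guesses_that_succeed(y))  # exactly one of 5
```

Running it shows the 1/(q_H + q_S + 1) loss concretely: only the guess c = 3 (the index of the forgery message among the fresh hash queries) yields f(x) = y, every other guess aborts or returns nothing, and the simulated signatures still verify under the simulated hash, which is why A cannot tell G5 from the real game.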

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

where

- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,

- T_f is the time to compute f (in the forward direction),

- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

- at most $2^{75}$ operations (t),

- at most $2^{55}$ hash queries (q_h), and

- at most $2^{30}$ signing queries (q_s).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA (the bound only contradicts the best known inverting cost when t' is below it):

- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

- 4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

(here e is the base of the natural logarithm, not the RSA exponent) where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes q_h, q_s queries. Solving (inverting f) can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$ and

- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption)

Goal: cannot be too strong

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \xleftarrow{\$} \{0, 1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; the adversary receives $k_e$.

Adversary (first phase, CCA1): sends ciphertexts c to the decryption oracle and receives $m \leftarrow D_{k_d}(c)$ (or ⊥).

Adversary → Challenger: $m_0, m_1$. Challenger: $c^* \leftarrow E_{k_e}(m_b)$, and sends $c^*$ to the adversary.

Adversary (second phase, CCA2): sends ciphertexts $c \neq c^*$ to the decryption oracle and receives $m \leftarrow D_{k_d}(c)$ (or ⊥).

Adversary: outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' = b]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

- Let m be a random message chosen from the message space M.

- From the ciphertext $c = E_{k_e}(m)$, adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

- OW-CPA = RSA (modular e-th roots)

- It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

- OW-CPA = CDH (Computational Diffie-Hellman)

- IND-CPA = DDH (Decisional Diffie-Hellman)

- It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
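The IND-CCA experiment drawn two slides earlier, and the remark that ElGamal is IND-CPA but not IND-CCA, can both be made concrete in one harness. This is an added example, not code from the slides: `ind_cca_game` plays the challenger of slide 54 (random b, key pair, decryption oracle that returns ⊥ for the challenge c* itself, and, in the CCA1 variant, for anything asked after the challenge), and `MalleabilityAdversary` is the textbook distinguisher that the multiplicativity remark refers to, re-randomising c* into a different ciphertext that the CCA2 oracle must answer. The group is an assumed toy one (the safe prime p = 1019 with generator 2), far too small to be secure, but the game logic is unchanged.

```python
"""IND-CCA game harness with textbook ElGamal over a toy group (added example)."""
import secrets

P, G = 1019, 2                        # constructed toy group Z_p^*, p a safe prime


def keygen():
    x = 1 + secrets.randbelow(P - 2)  # k_d = x in [1, p-2]
    return pow(G, x, P), x            # (k_e, k_d) = (g^x, x)


def encrypt(ke: int, m: int):
    r = 1 + secrets.randbelow(P - 2)
    return pow(G, r, P), (m * pow(ke, r, P)) % P      # (g^r, m * h^r)


def decrypt(kd: int, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - kd, P)) % P          # c2 / c1^x


def ind_cca_game(adversary, cca2: bool) -> bool:
    """One run of the IND-CCA experiment. Returns True iff the adversary's b' == b."""
    b = secrets.randbelow(2)
    ke, kd = keygen()
    state = {"challenge": None}

    def dec_oracle(c):
        """D_kd(c), except that the challenge itself is never decrypted (returns None
        for ⊥); in the CCA1 variant the oracle is closed once c* has been issued."""
        if state["challenge"] is not None and (c == state["challenge"] or not cca2):
            return None
        return decrypt(kd, c)

    m0, m1 = adversary.choose(ke, dec_oracle)
    state["challenge"] = encrypt(ke, (m0, m1)[b])    # c* <- E_ke(m_b)
    return adversary.guess(state["challenge"], dec_oracle) == b


class MalleabilityAdversary:
    """Uses ElGamal's multiplicativity: (c1, c2 * g) is a valid ciphertext of m_b * g
    and differs from c*, so a CCA2 decryption oracle has to answer it."""

    def choose(self, ke, dec_oracle):
        self.m0, self.m1 = 3, 5         # two distinct messages of the same length
        return self.m0, self.m1

    def guess(self, challenge, dec_oracle):
        c1, c2 = challenge
        answer = dec_oracle((c1, (c2 * G) % P))
        if answer is None:              # oracle refused (CCA1): no better than a coin
            return secrets.randbelow(2)
        m = (answer * pow(G, P - 2, P)) % P   # divide by g
        return 0 if m == self.m0 else 1


def win_count(cca2: bool, trials: int) -> int:
    """How many of `trials` independent games the adversary wins."""
    return sum(ind_cca_game(MalleabilityAdversary(), cca2) for _ in range(trials))


if __name__ == "__main__":
    print("CCA2 wins:", win_count(True, 200), "/ 200")   # every game
    print("CCA1 wins:", win_count(False, 200), "/ 200")  # about half
```

The contrast between the two runs is the whole content of the "not IND-CCA" remark: with the oracle available after the challenge the adversary wins every game, and with it closed (CCA1, or the IND-CPA game) the same adversary is back to guessing. A scheme that wants to pass the CCA2 game needs decryption to reject everything the adversary can derive from c*, which is what the redundancy check in OAEP is for.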

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

- Any trapdoor one-way function may yield an OW-CPA encryption scheme.

- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$

$H: \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute $x || y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
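The slide leaves the computation of x and y to a figure. The following added example (not the slides' code) fills in the Bellare-Rogaway construction with the slide's G and H: x = (m || 0^{k1}) ⊕ G(r), y = r ⊕ H(x), and decryption recovers r from y and checks that the k1 trailing zero bytes are intact before releasing m, returning ⊥ (here `None`) otherwise. Assumptions: sizes are in bytes (n = 63, k0 = 16, k1 = 16, hence 31-byte messages), G and H are built from SHA-256, and f is RSA with a 512-bit key generated on the fly by a small Miller-Rabin routine; these sizes are for illustration only.

```python
"""f-OAEP instantiated with RSA (added example, not the slides' own code)."""
import hashlib
import math
import secrets

NLEN, K0, K1 = 63, 16, 16          # n > k0 + k1, all in bytes
MLEN = NLEN - K0 - K1              # 31-byte plaintexts
XLEN = NLEN - K0                   # |x| = n - k0 = 47 bytes


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test, adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512, e: int = 65537):
    """Returns (pk, sk) = ((n, e), (n, d)). With two (bits/2)-bit primes n has more
    than 8*NLEN bits, so every 63-byte OAEP block is an element of Z_n."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def mgf(seed: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: the usual way to build a G with a long output."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(-(-length // 32)))
    return out[:length]


def G(r: bytes) -> bytes:          # {0,1}^{k0} -> {0,1}^{n-k0}
    return mgf(b"G" + r, XLEN)


def H(x: bytes) -> bytes:          # {0,1}^{n-k0} -> {0,1}^{k0}
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def encrypt(pk, m: bytes) -> int:
    """E(m, r): x = (m || 0^{k1}) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MLEN:
        raise ValueError(f"message must be exactly {MLEN} bytes")
    n, e = pk
    r = secrets.token_bytes(K0)
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return pow(int.from_bytes(x + y, "big"), e, n)


def decrypt(sk, c: int):
    """D(c): x || y = f^{-1}(c), invert OAEP, release m only if the redundancy holds."""
    n, d = sk
    xy_int = pow(c, d, n)
    if xy_int >= 1 << (8 * NLEN):           # not a well-formed OAEP block: ⊥
        return None
    xy = xy_int.to_bytes(NLEN, "big")
    x, y = xy[:XLEN], xy[XLEN:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    if mz[MLEN:] != bytes(K1):              # the k1 zero bytes were disturbed: ⊥
        return None
    return mz[:MLEN]


if __name__ == "__main__":
    pk, sk = rsa_keygen()
    m = b"thirty-one byte demo plaintext!"
    c = encrypt(pk, m)
    print(decrypt(sk, c) == m, encrypt(pk, m) != c)  # round trip; randomised
    n, e = pk
    print(decrypt(sk, (c * pow(2, e, n)) % n))         # RSA-malleated c: None
```

Two behaviours matter for the reduction on the following slides: the random r makes two encryptions of the same message differ (no determinism, unlike plain RSA), and any ciphertext the adversary derives from c*, for instance by multiplying it by 2^e to exploit RSA's multiplicativity, decrypts to a block whose redundancy fails with overwhelming probability, so the decryption oracle returns ⊥ instead of something related to m_b.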

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting f) can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$ and

- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

- at most $2^{75}$ operations (t),

- at most $2^{55}$ hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$ and

- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions

- Integer Factoring

- Discrete Logarithm (in Finite Fields and in Elliptic Curves)

- Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

- Error-Correcting Codes

- Hash-based schemes

- Systems of Multi-Variate Equations

- Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

- Provable security does not yield proofs.

- Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

- Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then (one mode) attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now? (model, attacks, remodel) Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

- provides some form of guarantee that the scheme is not flawed,

- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,

- gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),

- is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987. 11-15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270-299, 1984.

                                      S Goldwasser S Micali and R RivestA digital signature scheme secure against adaptivechosen-message attacksSiam Journal of Computing 17(2)281ndash308 Apr 1988

                                      T Holenstein R Kunzler and S TessaroThe equivalence of the random oracle model and the idealcipher model revisitedIn Proceedings of the 43rd annual ACM symposium on Theoryof computing pages 89ndash98 ACM 2011

                                      7377

                                      J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                      A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                      V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                      7477

                                      P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                      K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                      D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                      7577

                                      R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                      C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                      V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                      7677

                                      V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                      S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                      7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Provable Security | Provable Security: The Short Story | The need for Provable Security

How hard are these problems?

Estimates for integer factorization [Lenstra-Verheul 2000]:

  Modulus (bits)   MIPS-years (log2)   Operations (log2)
  512              13                  58
  1024             35                  80
  2048             66                  111
  4096             104                 149
  8192             156                 201

Reasonable estimates for RSA too, and lower bounds for DL in $\mathbb{Z}_p^*$.

Generalization: One-way functions

One-way Function

The function $f: \mathrm{Dom}(f) \to \mathrm{Rec}(f)$ is one-way if

  $x \to y = f(x)$ is easy (polynomial-time), and

  $y = f(x) \to x$ is difficult (for random $x \in \mathrm{Dom}(f)$; at least super-polynomial).

The advantage of an inverting adversary A is thus

$\mathrm{Adv}^{\mathrm{owf}}_f(A) = \Pr[\, x \xleftarrow{\$} \mathrm{Dom}(f);\ y = f(x);\ A(y) = x \,]$

Resources of A:

  Running time t (number of operations)

  Number and length of queries (if in the random oracle model)

Part III

Reductions

Algorithmic assumptions are necessary

Recall that for RSA:

  $n = pq$, the public modulus

  $e$, the public exponent

  $d = e^{-1} \bmod \varphi(n)$, the private exponent

  $E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

  IF an adversary can break the secrecy  ⇒  THEN we can break the assumption.

This is a reductionist proof.

Proof by Reduction

Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P:

  Instance I of P  →  [ New algorithm for P, running Adversary A as a subroutine ]  →  Solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

Provable Security

A misleading name: we are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given above).
2. To define the security notions to be guaranteed (next):
   Security goal
   Attack model
3. A reduction.

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given A within time t and success probability ε  ⇒  Build an algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε).

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

  Complexity theory: T polynomial
  Exact security: T explicit
  Practical security: T small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given A within time t and success probability ε  ⇒  Build an algorithm against P that runs in time t' = T(t, ε).

Assumption: P is hard = "no polynomial time algorithm".
Reduction: T is polynomial in t and ε.
Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

Complexity-theory Security Results

General Results: under polynomial reductions against polynomial-time adversaries,

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

  the schemes for which these results were originally obtained are rather inefficient;
  looking into the complexity of the reduction may give us some insight.

Exact Security

Given A which in time t breaks the scheme with probability ε  ⇒  Build an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'.

Assumption: solving P requires N operations (say, time τ).
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes).
Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ.

Why useful? From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness: a reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is $(t' \cdot \varepsilon) / (t \cdot \varepsilon') = (t'/\varepsilon') / (t/\varepsilon)$.

We want tight reductions, or at least reductions with a small tightness gap.

Part IV

Security Notions

Security Notions | Security Notion for Signature Schemes | Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
2. The attack model:
   Attack venues: what the adversary can and cannot do.
   Leaked information: what the adversary can learn from honest users (often modeled by oracles).

Signature Schemes (Authentication)

Goal: Existential Forgery. The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA [Goldwasser, Micali, Rivest 1988]

Given a signature scheme Σ = (K, Sign, Vf):

  $(k_v, k_s) \xleftarrow{\$} K(\cdot)$; the Adversary receives $k_v$, the Signing Oracle holds $k_s$.

  Adversary → m → Signing Oracle;  Signing Oracle → σ ← Sign($k_s$, m) → Adversary;  ... (repeated for messages of the adversary's choice)

  Finally the Adversary outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_\Sigma(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,]$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

  Hash functions
  Block ciphers
  Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models:

  Hash function → Random oracle
  Block ciphers → Ideal cipher
  Finite groups → Generic group

Standard model: no idealized primitives (sort of).

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

  Each new query receives a random answer in Rec(H).
  The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

  K: Key generation returns $(f, f^{-1})$ where
    Public key: $f: X \to X$, a trapdoor one-way permutation onto X
    Private key: $f^{-1}$

  S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$

  V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

  Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

  A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

  T_f is the time to compute f (in the forward direction);

  B runs in time t′ = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle V_f.

Verification oracle V_f(m, σ):
  Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which V_f returns true".

Clearly Adv^{euf-cma}_{FDH}(A) = Pr[S0].

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Create an initially empty list called H-List.
  If (q, r) ∈ H-List, return r.
  Otherwise reply using
  Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using
  Rule S(1): σ ← f^{-1}(r).

Verification oracle V_f(m, σ):
  r ← H(m). Return true if r = f(σ).
  The game ends when this oracle is called.

Let S1 be the event "V_f returns true in G1". Clearly Pr[S1] = Pr[S0].

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

  c ←$ {1, ..., q_H + q_S + 1}.

Let c′ be the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c′ then abort. (Call GoodGuess the event c = c′.)

Since verification is within the game, the adversary must query its output message m to the hashing oracle, so c′ is well defined and

  Pr[S2] = Pr[S1 ∧ GoodGuess]
         = Pr[S1 | GoodGuess] × Pr[GoodGuess]
         ≥ Pr[S1] × 1/(q_H + q_S + 1)

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3):
  If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the value y placed at position c is uniformly distributed, Pr[S3] = Pr[S2].


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose random s ←$ X and compute r ← f(s).
  Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):
  Look up (m, s, r) in H-List and set σ ← s.

Since the c-th hash query (the forgery message) cannot be asked to the signing oracle, Pr[S5] = Pr[S4]. Moreover,

  the simulation can be done computing (q_S + q_H) evaluations of f;

  a signature forgery for y gives a preimage of y;

  Pr[S5] = Adv^{ow}_f(B), where B = G5 runs in time t + (q_S + q_H) · T_f.


Exact Security: FDH Sigs & Game-based proofs (conclusion)

Combining the relations from the previous games:

  Adv^{ow}_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
               ≥ 1/(q_H + q_S + 1) × Pr[S1]
               ≥ 1/(q_H + q_S + 1) × Pr[S0]
               = 1/(q_H + q_S + 1) × Adv^{euf-cma}_{FDH}(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
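The FDH scheme (K, S, V) and the inverter B that games G1 to G5 build, as an added Python example that is not part of the original slides. A toy RSA permutation on Mersenne primes plays f, a counter-based SHA-256 rejection sampler plays the full-domain hash H, and ReductionB answers hash and signing queries exactly as rules H(4) and S(5) prescribe: every hash answer but the c-th is r = f(s) for a stored s, so signing needs no f^{-1}, and a forgery on the c-th message is a preimage of the challenge y. The forger B is run against is a hypothetical stand-in that cheats with the private exponent, since no real forger is available; the parameter sizes, message strings and names are constructed for the example.

```python
import hashlib
import secrets

# Constructed toy RSA parameters (two Mersenne primes, ~216-bit modulus). They are
# far too small for real use and exist only so the example runs instantly.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the trapdoor behind f^{-1}


def f(x):
    """The trapdoor one-way permutation f: X -> X with X = Z_N (RSA forward direction)."""
    return pow(x, E, N)


def f_inv(y):
    """f^{-1}, computable only with the private key (the signer, never the reduction B)."""
    return pow(y, D, N)


def H(m):
    """Full-domain hash H: {0,1}* -> X. SHA-256 output is truncated to |N| bits and
    re-hashed with a counter until the value lands in Z_N (rejection sampling)."""
    for ctr in range(256):
        digest = hashlib.sha256(m + ctr.to_bytes(1, "big")).digest()
        r = int.from_bytes(digest, "big") >> (256 - N.bit_length())
        if r < N:
            return r
    raise RuntimeError("rejection sampling failed (probability ~2^-89 per round)")


def fdh_sign(m):
    return f_inv(H(m))            # S: sigma <- f^{-1}(H(m))


def fdh_verify(m, sigma):
    return f(sigma) == H(m)       # V: true iff f(sigma) = H(m)


class ReductionB:
    """The inverter B from games G1..G5. It holds the challenge y and the public key
    only, and answers the forger's queries with the H-List trick."""

    def __init__(self, y, q_h, q_s):
        self.y = y
        self.c = secrets.randbelow(q_h + q_s + 1) + 1   # guess c in {1, ..., q_H + q_S + 1}
        self.hlist = {}                                 # H-List: message -> (s, r)
        self.fresh = 0                                  # distinct hash queries so far

    def hash_oracle(self, m):                           # Rule H(4)
        if m in self.hlist:                             # repeated query: same answer
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:
            s, r = None, self.y                         # c-th query: r <- y, s <- bottom
        else:
            s = secrets.randbelow(N)                    # s <-$ X
            r = f(s)                                    # r <- f(s): uniform, f is a permutation
        self.hlist[m] = (s, r)
        return r

    def sign_oracle(self, m):                           # Rule S(5): no f^{-1} needed
        self.hash_oracle(m)
        s, _ = self.hlist[m]
        if s is None:                                   # signing the c-th message: guess was wrong
            raise RuntimeError("abort: c != c'")
        return s

    def extract(self, m, sigma):
        """A valid forgery on the c-th hashed message is a preimage of y under f."""
        if self.hash_oracle(m) == self.y and f(sigma) == self.y:
            return sigma
        return None


def run_reduction(forger, y, q_h, q_s, c=None):
    """Run B against `forger` on challenge y; returns x with f(x) = y, or None on abort."""
    B = ReductionB(y, q_h, q_s)
    if c is not None:
        B.c = c                                         # pin the guess for a deterministic demo
    try:
        m, sigma = forger(B.hash_oracle, B.sign_oracle)
    except RuntimeError:
        return None
    return B.extract(m, sigma)


def trapdoor_forger(hash_oracle, sign_oracle):
    """Hypothetical stand-in for an arbitrary EUF-CMA forger: it cheats with the private
    exponent D, which a real forger does not have. It makes 3 hash queries and 1 signing
    query, then forges on the fresh third message (so c' = 3)."""
    hash_oracle(b"m1")
    hash_oracle(b"m2")
    sigma1 = sign_oracle(b"m1")
    assert f(sigma1) == hash_oracle(b"m1")              # simulated signature verifies in-game
    return b"m3", f_inv(hash_oracle(b"m3"))


if __name__ == "__main__":
    y = f(secrets.randbelow(N))                          # one-wayness challenge
    print("FDH verifies:", fdh_verify(b"hello", fdh_sign(b"hello")))
    x = run_reduction(trapdoor_forger, y, 3, 1, c=3)
    print("B inverts y when c = c' = 3:", x is not None and f(x) == y)
    print("B aborts when c = 1:", run_reduction(trapdoor_forger, y, 3, 1, c=1) is None)
```

Pinning c makes the three outcomes of G2 visible: with c = 3 the guess is right and B outputs f^{-1}(y); with c = 1 the forger asks for a signature on the programmed message and B aborts; with c = 2 the forgery lands on a message whose hash is not y and B learns nothing. Left random, c is right with probability 1/(q_H + q_S + 1), which is exactly the loss in the theorem.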

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

  Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

  A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

  T_f is the time to compute f (in the forward direction);

  B runs in time t′ = t + (q_h + q_s) · T_f.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

  at most 2^75 operations (t),

  at most 2^55 hash queries (q_h), and

  at most 2^30 signing queries (q_s).

  Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

  B runs in time t′ = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result: if one can break the scheme within time t, then one can invert f within time t′ ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

  t′ ≤ 2^130 + 2^110 · T_f.

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

  1024 bits → t′ ≤ 2^140, but NFS takes 2^80

  2048 bits → t′ ≤ 2^143, but NFS takes 2^111

  4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

  Adv^{euf-cma}_{FDH}(A) ≤ q_s · e · Adv^{ow}_f(B)

where B runs in time t′ = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t′ ≤ 2^30 · t + 2^85 · T_f, and

  1024 bits → t′ ≤ 2^105, but NFS takes 2^80

  2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok

  4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

  Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security). Informally:

  Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the Challenger and the Adversary is:

  Challenger: b ←$ {0,1}; (k_e, k_d) ←$ K(·); k_e is given to the Adversary.

  CCA1 phase: the Adversary sends ciphertexts c and receives m ← D_{k_d}(c) (or ⊥), repeatedly (· · ·).

  Adversary → Challenger: (m0, m1). Challenger → Adversary: c* ← E_{k_e}(m_b).

  CCA2 phase: the Adversary sends ciphertexts c ≠ c* and receives m ← D_{k_d}(c) (or ⊥).

  Adversary: outputs b′.

  Adv^{ind-cca}_{AS}(A) = Pr[(m0, m1) ← A^D(k_e); c* ← E_{k_e}(m_b) : b′ = b]

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

  Let m be a random message chosen from the message space M.

  From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

  Adv^{ow-cpa}_{AS}(A) = Pr[m ←$ M; c ← E_{k_e}(m) : A(k_e, c) = m]

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA = RSA (modular e-th roots)
  It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
  OW-CPA = CDH (Computational Diffie-Hellman)
  IND-CPA = DDH (Decisional Diffie-Hellman)
  It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

  Any trapdoor one-way function may yield a OW-CPA encryption scheme.

  OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

  G: {0,1}^{k0} → {0,1}^{n-k0}

  H: {0,1}^{n-k0} → {0,1}^{k0}

E(m, r): Compute x, y, then return c = f(x || y).

D(c): Compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.
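As an added example (not the slides' own code), the f-OAEP padding above and its redundancy check, implemented in Python over a toy RSA permutation, together with a run of the IND-CPA game (the IND-CCA game of the previous slides without its decryption oracle). It shows why the deterministic textbook RSA of "Goals Achieved by Practical Encryption Schemes" is not IND-CPA: an adversary that simply re-encrypts m0 with the public key guesses b every time, while the same adversary gains nothing against the randomized OAEP encryption. The byte-oriented parameters n = 26, k0 = k1 = 8, the SHA-256-based G and H, the Mersenne-prime modulus and the sample messages are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy RSA parameters (two Mersenne primes, 216-bit modulus), not secure sizes.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP parameters in bytes (assumed for this example): n > k0 + k1, and 8n < |N| so that
# every padded block x||y is an element of Z_N.
n, k0, k1 = 26, 8, 8
MSG_LEN = n - k0 - k1          # 10-byte plaintexts


def G(r):                      # G: {0,1}^{k0} -> {0,1}^{n-k0}, a random-oracle stand-in
    return hashlib.sha256(b"G" + r).digest()[:n - k0]


def Hmask(x):                  # H: {0,1}^{n-k0} -> {0,1}^{k0}
    return hashlib.sha256(b"H" + x).digest()[:k0]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """x = (m || 0^{k1}) XOR G(r); y = r XOR H(x); return x || y."""
    assert len(m) == MSG_LEN and len(r) == k0
    x = xor(m + bytes(k1), G(r))
    y = xor(r, Hmask(x))
    return x + y


def oaep_unpad(xy):
    """Invert the padding and check the redundancy; None means 'reject'."""
    x, y = xy[:n - k0], xy[n - k0:]
    r = xor(y, Hmask(x))
    padded = xor(x, G(r))
    if padded[-k1:] != bytes(k1):           # the k1 zero bytes must be intact
        return None
    return padded[:-k1]


def textbook_encrypt(m):                    # deterministic: c = m^e mod N
    return pow(int.from_bytes(m, "big"), E, N)


def oaep_encrypt(m, r=None):                # E(m, r) = f(x || y) with fresh r each call
    r = secrets.token_bytes(k0) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, N)


def oaep_decrypt(c):                        # D(c): f^{-1}, invert OAEP, check redundancy
    xy = pow(c, D, N)
    if xy >> (8 * n):                       # f^{-1}(c) too large to be a padded block
        return None
    return oaep_unpad(xy.to_bytes(n, "big"))


class ReencryptDistinguisher:
    """IND-CPA adversary that wins against any deterministic scheme: using the public
    key it re-encrypts m0 and compares the result with the challenge ciphertext."""

    def __init__(self, encrypt):
        self.encrypt = encrypt
        self.m0, self.m1 = b"buy 100 oz", b"sell 10 oz"     # constructed, equal length

    def choose(self):
        return self.m0, self.m1

    def guess(self, c_star):
        return 0 if self.encrypt(self.m0) == c_star else 1


def ind_cpa_success_rate(encrypt, trials=64):
    """Pr[b' = b] estimated over `trials` runs of the IND-CPA game: the challenger picks
    b, encrypts m_b, and the adversary outputs b'."""
    wins = 0
    for _ in range(trials):
        adv = ReencryptDistinguisher(encrypt)
        m0, m1 = adv.choose()
        b = secrets.randbelow(2)
        wins += adv.guess(encrypt((m0, m1)[b])) == b
    return wins / trials


if __name__ == "__main__":
    print("textbook RSA: Pr[b'=b] =", ind_cpa_success_rate(textbook_encrypt))   # always 1.0
    print("RSA-OAEP:     Pr[b'=b] =", ind_cpa_success_rate(oaep_encrypt))       # about 0.5
    c = oaep_encrypt(b"buy 100 oz")
    print("decrypts:", oaep_decrypt(c) == b"buy 100 oz",
          "| tampered ciphertext rejected:", oaep_decrypt((c * 2) % N) is None)
```

The tampered-ciphertext check at the end is the redundancy test of D(c) at work: multiplying c by a constant, which textbook RSA would decrypt to a related plaintext, produces a block whose k1 trailing zero bytes are destroyed with overwhelming probability, so decryption returns ⊥ instead of a plaintext.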

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

  Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · √(Adv^{rsa}_{n,e}(B))

where B runs in time t′ = 2 · t + q_H(2 · q_G + q_H) · k^2 if A runs in time t and makes q_H, q_G queries to oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t′ ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

  1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no

  2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no

  4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

  at most 2^75 operations (t),

  at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

  1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

  2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

  4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
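To see how the four bounds discussed above (the original FDH reduction, Coron's improvement, RSA-OAEP and RSA-OAEP++) turn into key-size verdicts, here is an added Python calculator that is not from the slides. It encodes each slide's expression for the inverter's time t′ under the resources t = 2^75, q = 2^55 and q_s = 2^30, compares log2 t′ with the NFS costs quoted on the slides, and reports the smallest modulus at which the proof still says something. The cost T_f of one forward evaluation is a parameter because the slides take k^3 for the first FDH bound and k^2 afterwards; the dictionary labels are names chosen here, and the constant e in Coron's bound is dropped as on the slide.

```python
import math

# Feasible resources of any adversary, as assumed on the slides: t = 2^75 operations,
# 2^55 hash queries (q_h; also q_H, q_G, q_E on the OAEP slides), 2^30 signing queries.
T, QH, QS = 2 ** 75, 2 ** 55, 2 ** 30

# Cost of inverting RSA with the Number Field Sieve per modulus size, as quoted on the slides.
NFS_BITS = {1024: 80, 2048: 111, 4096: 149}

# Time t' of the inverter obtained by running the reduction on a t-time adversary, as a
# function of the modulus size k and of Tf(k), the cost of one forward RSA evaluation.
# The expressions are the slides' own (labels are ours).
REDUCTIONS = {
    "RSA-FDH [Bellare-Rogaway 96]": lambda k, Tf: (QH + QS + 1) * (T + (QH + QS) * Tf(k)),
    "RSA-FDH [Coron 00]":           lambda k, Tf: QS * (T + (QH + QS + 1) * Tf(k)),
    "RSA-OAEP [Fujisaki-OPS 00]":   lambda k, Tf: 2 ** 76 + 6 * 2 ** 110 * Tf(k),
    "RSA-OAEP++ [Jonsson 02]":      lambda k, Tf: T + QH * Tf(k),
}

# The slides use Tf = O(k^3) for the first FDH bound and k^2 for the other three.
TF_CUBIC = lambda k: k ** 3
TF_QUADRATIC = lambda k: k ** 2
TF_USED = {
    "RSA-FDH [Bellare-Rogaway 96]": TF_CUBIC,
    "RSA-FDH [Coron 00]": TF_QUADRATIC,
    "RSA-OAEP [Fujisaki-OPS 00]": TF_QUADRATIC,
    "RSA-OAEP++ [Jonsson 02]": TF_QUADRATIC,
}


def inverter_bits(reduction, k, Tf):
    """log2 of the inverter's running time t' at modulus size k."""
    return math.log2(REDUCTIONS[reduction](k, Tf))


def verdict(reduction, k, Tf):
    """'ok' when t' is below the NFS cost, i.e. the proof gives a meaningful guarantee at
    this key size; 'no' when the reduction loss makes the bound vacuous."""
    return "ok" if inverter_bits(reduction, k, Tf) <= NFS_BITS[k] else "no"


def min_secure_keysize(reduction, Tf):
    """Smallest modulus size at which the reduction still beats NFS (None if none does)."""
    for k in sorted(NFS_BITS):
        if verdict(reduction, k, Tf) == "ok":
            return k
    return None


def summary():
    """{reduction: (minimum secure key size, {k: (bits of t', verdict)})}."""
    out = {}
    for name, Tf in TF_USED.items():
        per_k = {k: (round(inverter_bits(name, k, Tf), 1), verdict(name, k, Tf)) for k in NFS_BITS}
        out[name] = (min_secure_keysize(name, Tf), per_k)
    return out


if __name__ == "__main__":
    for name, (kmin, per_k) in summary().items():
        print(f"{name}: secure from {kmin} bits")
        for k, (bits, ok) in per_k.items():
            print(f"  {k} bits: t' <= 2^{bits}, NFS 2^{NFS_BITS[k]}: {ok}")
```

The exponents it prints are the exact log2 values, so they differ from the slides' rounded-up figures by a fraction of a bit, but the verdicts and the minimum key sizes (4096, 2048, 4096 and 1024 bits) are the slides'. Changing a single resource, for example raising q_s, shows directly which reductions are sensitive to the number of signing queries and which are not.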

                                        Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                        Revisiting the Assumptions

                                        Classical Assumptions

                                        Integer Factoring

                                        Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                        Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

                                        Alternatives Post-Quantum Cryptography

                                        Error-Correcting Codes

                                        Hash-based schemes

                                        Systems of Multi-Variate Equations

                                        Lattices

                                        6277

                                        Concluding Remarks

                                        Part V

                                        Concluding Remarks

                                        6377


                                        Limits and Benefits of Provable Security

Provable security does not yield unconditional proofs:

- Proofs are relative, to computational assumptions and to the definition of the scheme's goal.

- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

- Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

                                        6477


                                        Limits and Benefits of Provable Security

Still, provable security

- provides some form of guarantee that the scheme is not flawed;

- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us better understand the problem;

- gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

- is fun :-)

                                        6577


                                        Acknowledgements and References

                                        Thanks to ASCrypto organizers for the opportunity to give thisshort tutorial

                                        Further information

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396. Springer-Verlag, 1999.

                                        Some slides courtesy of David Pointcheval (thanks)

                                        6677

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86 (11–15 Aug. 1986), volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript (jjonsson@rsasecurity.com), received 18 Mar. 2002. Not published elsewhere.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References


Generalization: One-way functions

One-way Function

The function f: Dom(f) → Rec(f) such that

- x → y = f(x) is easy (polynomial time)

- y = f(x) → x is difficult (for random x ∈ Dom(f); at least super-polynomial)

The advantage of an inverting adversary A is thus

  Adv^{ow}_f(A) = Pr[ x ←$ Dom(f); y = f(x) : A(y) = x ]

Resources of A:

- Running time t (number of operations)

- Number & length of queries (if in the random oracle model)

19/77

                                          Part III

                                          Reductions

                                          2077

Algorithmic assumptions are necessary

Recall that for RSA:

- n = pq, public modulus

- e, public exponent

- d = e^{-1} mod φ(n), private exponent

- E_{n,e}(m) = m^e mod n and D_{n,d}(c) = c^d mod n

Underlying hard problem: computing m from c = E_{n,e}(m) for m ←$ Z*_n.

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover m from c.

21/77

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

  IF an adversary can break the secrecy  ⇒  THEN we can break the assumption

This is a reductionist proof.

22/77


Proof by Reduction

Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P:

  Instance I of P  →  [ New algorithm for P, running the adversary A as a subroutine ]  →  Solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

23/77


Provable Security: A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next):
   - Security goal
   - Attack model

3. A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time t, with success probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

- Complexity theory: T polynomial

- Exact security: T explicit

- Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: A within time t and with success probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm".

Reduction: T is polynomial in t and ε.

Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security: Results

General results: under polynomial reductions, against polynomial-time adversaries,

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but

- the schemes for which these results were originally obtained are rather inefficient;

- looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: solving P requires N operations (say, time τ).

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ.

Why useful? From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is (t'/ε') / (t/ε) = (t' · ε) / (t · ε').

We want tight reductions, or at least reductions with a small tightness gap.

30/77


                                          Security Notions

                                          Part IV

                                          Security Notions

                                          3177

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model:
   - Attack venues: what the adversary can and cannot do.
   - Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message/signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

- given the verification key k_v,

- it outputs a pair (m', σ') of a message and its signature

- such that the following probability is large:

  Pr[ Vf(k_v, m', σ') = 1 ]

33/77

Possible Attack Models

- No-Message Attack (NMA): the adversary only knows the verification key.

- Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

- Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme Σ = (K, Sign, Vf):

  (k_v, k_s) ←$ K(·)

  The adversary receives k_v and interacts with a signing oracle holding k_s:
    m → oracle, σ ← Sign(k_s, m) returned, ... (adaptively, as often as it wants)

  Finally the adversary outputs a pair (m', σ').

  Adv^{euf-cma}_Σ(A) = Pr[ Vf(k_v, m', σ') = 1 for a new m' ]

(Existential unforgeability under chosen-message attacks)

35/77
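The EUF-CMA game above, together with the textbook RSA recalled in the Reductions part, is played out in the following Python example, which is an addition and not code from the slides: the signing oracle records what the adversary asked for, the experiment checks that the forgery is on a new message, and the adversary exploits the multiplicative property of textbook RSA (Sign(m1) · Sign(m2) = Sign(m1 · m2) mod n). The same adversary is then run against a hash-then-sign variant, where its forgery no longer verifies. The toy primes, the exponent and the hash-then-sign scheme (SHA-256 reduced mod n, so not a true full-domain hash) are this example's own constructions and far too small for real use.

```python
"""EUF-CMA experiment with a signing oracle, run against textbook RSA and a
hash-then-sign variant. Added example (not from the slides): the toy key,
the multiplicative forger and the helper names are this example's own."""
import hashlib
from math import gcd

# Constructed toy RSA key from two well-known primes (far too small for real use).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # private exponent d = e^{-1} mod phi(n)


class SigningOracle:
    """The oracle of the EUF-CMA game: signs any message the adversary asks
    for and remembers what was asked, so 'new m'' can be checked later."""

    def __init__(self, sign, ks):
        self._sign, self._ks, self.queried = sign, ks, set()

    def __call__(self, m):
        self.queried.add(m)
        return self._sign(self._ks, m)


def euf_cma_experiment(scheme, adversary):
    """One run of the EUF-CMA game [Goldwasser-Micali-Rivest 88]. Returns
    True iff the adversary outputs (m', sigma') with Vf(kv, m', sigma') = 1
    and m' was never submitted to the signing oracle."""
    keygen, sign, verify = scheme
    kv, ks = keygen()
    oracle = SigningOracle(sign, ks)
    m_forged, sig_forged = adversary(kv, oracle)
    return m_forged not in oracle.queried and verify(kv, m_forged, sig_forged)


def advantage(scheme, adversary, runs=20):
    """Empirical Adv^{euf-cma}_Sigma(A): fraction of runs in which A wins."""
    return sum(euf_cma_experiment(scheme, adversary) for _ in range(runs)) / runs


# --- Scheme 1: textbook RSA, Sign(m) = m^d mod n, Vf: sigma^e == m mod n ---
def rsa_keygen():
    return (N, E), (N, D)


def rsa_sign(ks, m):
    n, d = ks
    return pow(m % n, d, n)


def rsa_verify(kv, m, sig):
    n, e = kv
    return pow(sig, e, n) == m % n


TEXTBOOK_RSA = (rsa_keygen, rsa_sign, rsa_verify)


# --- Scheme 2: hash-then-sign, Sign(m) = H(m)^d mod n (constructed toy hash) ---
def _h(m, n):
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n


def fdh_sign(ks, m):
    n, d = ks
    return pow(_h(m, n), d, n)


def fdh_verify(kv, m, sig):
    n, e = kv
    return pow(sig, e, n) == _h(m, n)


RSA_HASHED = (rsa_keygen, fdh_sign, fdh_verify)


def multiplicative_forger(kv, sign_oracle):
    """Chosen-message adversary: asks for sigma1 = Sign(m1), sigma2 = Sign(m2)
    and outputs (m1*m2, sigma1*sigma2). Under textbook RSA this verifies,
    since (m1*m2)^d = m1^d * m2^d mod n, and m1*m2 was never queried."""
    n, _ = kv
    m1, m2 = 2, 3
    s1, s2 = sign_oracle(m1), sign_oracle(m2)
    return (m1 * m2) % n, (s1 * s2) % n
```

Against `TEXTBOOK_RSA` the forger wins every run, so the empirical advantage is 1; against `RSA_HASHED` the product of two hashed signatures does not verify for the hash of the product, so the same adversary's advantage is 0. Replacing the fixed toy key with a real key generator and the adversary with any other strategy leaves the experiment unchanged, which is the point of having the notion fixed before the scheme.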

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

- Hash functions
- Block ciphers
- Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

$\Rightarrow$ Idealized Security Models:

- Hash function $\rightarrow$ Random oracle
- Block ciphers $\rightarrow$ Ideal cipher
- Finite groups $\rightarrow$ Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. A hash function $H: \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analysed as if it were a perfectly random function:

- Each new query receives a random answer in $\mathrm{Rec}(H)$.
- The same query asked twice receives the same answer twice.

But for the actual scheme, $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

- $K$: Key generation returns $(f, f^{-1})$ where the public key is $f: X \rightarrow X$, a trapdoor one-way permutation onto $X$, and the private key is $f^{-1}$.
- $S$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$.
- $V$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction):

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle $\mathrm{Vf}$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$ for which $\mathrm{Vf}$ returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[\ S_0\ ]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
- Create an initially empty list called H-List.
- If $(q, r) \in$ H-List, return $r$.
- Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:
- $r \leftarrow H(m)$. Reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$:
- $r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "$\mathrm{Vf}$ returns true in $G_1$". Clearly $\Pr[\ S_1\ ] = \Pr[\ S_0\ ]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

- $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.
- Let $c'$ be the index of the first query where the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle by $A$.
- If $c \ne c'$ then abort.

Success verification is within the game $\Rightarrow$ the adversary must query his output message $m$.

$\Pr[\ S_2\ ] = \Pr[\ S_1 \wedge \mathrm{GoodGuess}\ ] = \Pr[\ S_1 \mid \mathrm{GoodGuess}\ ] \times \Pr[\ \mathrm{GoodGuess}\ ] \ge \Pr[\ S_1\ ] \times \dfrac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since the position of $y$ is chosen uniformly at random, $\Pr[\ S_3\ ] = \Pr[\ S_2\ ]$.

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
- If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$.
- Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.
- Add the record $(q, s, r)$ to H-List.

Since the position of $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[\ S_4\ ] = \Pr[\ S_3\ ]$.

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[\ S_5\ ] = \Pr[\ S_4\ ]$. Moreover:

- the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;
- a signature forgery for $y$ gives a preimage for $y$;
- $\Pr[\ S_5\ ] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$, where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[\ S_5\ ] = \Pr[\ S_4\ ] = \Pr[\ S_3\ ] = \Pr[\ S_2\ ] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[\ S_1\ ] \ge \dfrac{1}{q_H + q_S + 1} \times \Pr[\ S_0\ ] = \dfrac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
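The reduction $B$ of games $G_1$ to $G_5$, written out as runnable code. This is an added example, not code from the slides or from Bellare-Rogaway: the trapdoor permutation is textbook RSA with constructed tiny primes (insecure, chosen only so the simulation runs instantly), the forger is a stand-in that cheats with the trapdoor so that $B$ has a successful adversary to run, and the query counting follows the slides' $q_H + q_S + 1$ loss.

```python
"""FDH reduction as a simulator: program the random oracle (Rule H(4)), answer
signing queries from known preimages (Rule S(5)), extract a preimage of the
challenge y from a forgery on the c-th hashed message."""
import hashlib
import random

# Constructed toy RSA parameters; insecure, for demonstration only.
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))     # trapdoor: the signer has it, B does not


def f(x):                              # public, forward direction (cost T_f)
    return pow(x, E, N)


def f_inv(y):                          # trapdoor direction, never used by B
    return pow(y, D, N)


def H_real(m):                         # RO instantiated by a real hash (slide 37)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def fdh_sign(m, H):                    # S: sigma <- f^{-1}(H(m))
    return f_inv(H(m))


def fdh_verify(m, sigma, H):           # V: accept iff f(sigma) = H(m)
    return f(sigma) == H(m)


def reduction_B(y, adversary, q_max, rng):
    """Game G5 viewed as an inverter of f.

    q_max plays the role of q_H + q_S + 1; c is the guessed index of the fresh
    hash query on the message the adversary will eventually forge.  Returns x
    with f(x) == y, or None when the guess c was wrong (the abort of G2)."""
    c = rng.randrange(1, q_max + 1)
    h_list = {}          # H-List: message -> (s, r) with r = f(s), or (None, y)
    fresh = [0]          # number of distinct hash queries seen so far

    def H(m):            # Rule H(4): the c-th fresh query is programmed to y
        if m not in h_list:
            fresh[0] += 1
            if fresh[0] == c:
                h_list[m] = (None, y)
            else:
                s = rng.randrange(1, N)
                h_list[m] = (s, f(s))       # one forward evaluation of f
        return h_list[m][1]

    def Sign(m):         # Rule S(5): answer from H-List without f^{-1}
        H(m)
        s, _ = h_list[m]
        return s         # None: the forged-message guess was wrong, B aborts

    forgery = adversary(H, Sign)
    if forgery is None:
        return None
    m, sigma = forgery
    r = H(m)             # verification oracle: hashes m if A never did (G2)
    return sigma if (r == y and f(sigma) == y) else None


def trapdoor_forger(H, Sign):
    """Stand-in EUF-CMA adversary A (constructed): it 'breaks' FDH by cheating
    with the trapdoor D.  It makes 3 hash queries and 1 signing query (q_H = 3,
    q_S = 1) and forges on a fresh message it never submitted for signing."""
    m1, m2, m3 = b"invoice-1", b"invoice-2", b"never-signed"   # constructed
    H(m1); H(m2); H(m3)
    sig1 = Sign(m1)
    if sig1 is not None and f(sig1) != H(m1):
        raise AssertionError("simulated signing oracle returned a bad signature")
    return m3, f_inv(H(m3))          # the cheat: A holds D, B only runs A


def estimate_success_rate(trials=3000, seed=1):
    """Run B against the forger; the success rate should be close to
    1/(q_H + q_S + 1) = 1/5, the loss factor of the theorem."""
    rng = random.Random(seed)
    q_max = 3 + 1 + 1
    wins = 0
    for _ in range(trials):
        y = f(rng.randrange(1, N))               # challenge with unknown preimage
        x = reduction_B(y, trapdoor_forger, q_max, rng)
        if x is not None:
            assert f(x) == y                     # B really inverted f on y
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("honest FDH verifies:", fdh_verify(b"hi", fdh_sign(b"hi", H_real), H_real))
    print("B success rate (expect ~0.20):", estimate_success_rate())
```

The measured rate sits near $1/(q_H + q_S + 1)$ because $B$ wins exactly when its guess $c$ lands on the forged message, which is what the factor $(q_h + q_s + 1)$ in the theorem accounts for.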

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$, where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: If one can break the scheme with time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:

- 1024 bits $\rightarrow$ $t' \le 2^{140}$, but NFS takes $2^{80}$
- 2048 bits $\rightarrow$ $t' \le 2^{143}$, but NFS takes $2^{111}$
- 4096 bits $\rightarrow$ $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

- 1024 bits $\rightarrow$ $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits $\rightarrow$ $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits $\rightarrow$ $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$:

- Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the Adversary.
- CCA1 phase: Adversary $\xrightarrow{\ c\ }$ Challenger, which computes $m \leftarrow D_{k_d}(c)$ and returns $m$ or $\perp$ ($\cdots$ repeated).
- Adversary $\xrightarrow{\ m_0, m_1\ }$ Challenger, which computes $c^* \leftarrow E_{k_e}(m_b)$ and returns $c^*$.
- CCA2 phase: Adversary $\xrightarrow{\ c \ne c^*\ }$ Challenger, which computes $m \leftarrow D_{k_d}(c)$ and returns $m$ or $\perp$ ($\cdots$ repeated).
- Finally the Adversary outputs $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr[\ (m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' = b\ ]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let $m$ be a random message chosen from the message space $M$.
- From the ciphertext $c = E_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr[\ m \xleftarrow{\$} M,\ c \leftarrow E_{k_e}(m)\ \mid\ A(k_e, c) = m\ ]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular $e$-th roots).
- It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman).
- IND-CPA = DDH (Decisional Diffie-Hellman).
- It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77


                                          Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$E(m, r)$: compute $x$, $y$, then return $c = f(x \| y)$.

$D(c)$: compute $x \| y = f^{-1}(c)$, invert the OAEP transform, then check the redundancy.
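To make the construction concrete, here is f-OAEP in Python as an added example (not code from the slides or from the Bellare-Rogaway paper). It follows the standard OAEP definition, $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, with $f$ a toy RSA permutation built from two fixed primes (an assumption: the sizes are far too small for real use), and $G$ and $H$ instantiated as SHA-256 based mask generators, which is how random oracles are approximated in practice. Textbook RSA is included for contrast with the deterministic scheme of the previous slides.

```python
import hashlib
from os import urandom
from typing import Optional

# Toy trapdoor permutation f(z) = z^e mod N with fixed Mersenne primes, so the example runs
# offline and deterministically. ASSUMPTION: toy sizes and toy parameters, not a real key.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP lengths in bytes: n > k0 + k1 as on the slide, and n below the modulus size (234 bits)
# so that every padded block x || y is an element below N.
N_BYTES = 28                   # n = 224 bits
K0 = 8                         # |r| = k0 = 64 bits
K1 = 8                         # k1 = 64 redundancy bits (0^{k1})
MSG_LEN = N_BYTES - K0 - K1    # 12-byte plaintexts


def _mgf(label: bytes, seed: bytes, out_len: int) -> bytes:
    """MGF1-style expansion with SHA-256; the label separates the two oracles G and H."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def G(r: bytes) -> bytes:          # {0,1}^{k0} -> {0,1}^{n-k0}
    return _mgf(b"G", r, N_BYTES - K0)


def H(x: bytes) -> bytes:          # {0,1}^{n-k0} -> {0,1}^{k0}
    return _mgf(b"H", x, K0)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def f(z: bytes) -> int:
    return pow(int.from_bytes(z, "big"), E, N)


def f_inv(c: int) -> Optional[bytes]:
    """Trapdoor inversion; None when c is not the image of an n-bit block."""
    if not 0 <= c < N:
        return None
    z = pow(c, D, N)
    if z >= 1 << (8 * N_BYTES):
        return None
    return z.to_bytes(N_BYTES, "big")


def textbook_rsa(m: bytes) -> int:
    """For contrast: plain RSA is deterministic, equal plaintexts give equal ciphertexts."""
    return f(m.rjust(N_BYTES, b"\x00"))


def encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """f-OAEP: x = (m || 0^{k1}) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError(f"plaintext must be exactly {MSG_LEN} bytes")
    r = urandom(K0) if r is None else r
    x = _xor(m + b"\x00" * K1, G(r))
    y = _xor(r, H(x))
    return f(x + y)


def decrypt(c: int) -> Optional[bytes]:
    """Invert f, undo the OAEP transform, then check the redundancy; None means reject."""
    z = f_inv(c)
    if z is None:
        return None
    x, y = z[:N_BYTES - K0], z[N_BYTES - K0:]
    r = _xor(y, H(x))
    m_pad = _xor(x, G(r))
    if m_pad[MSG_LEN:] != b"\x00" * K1:
        return None
    return m_pad[:MSG_LEN]


if __name__ == "__main__":
    msg = b"attack at 12"          # constructed 12-byte sample plaintext
    c1, c2 = encrypt(msg), encrypt(msg)
    print("OAEP ciphertexts differ:", c1 != c2)
    print("textbook RSA ciphertexts equal:", textbook_rsa(msg) == textbook_rsa(msg))
    print("decrypt(c1):", decrypt(c1))
    print("decrypt(c1 with one bit flipped):", decrypt(c1 ^ 1))
```

Running the block shows two encryptions of the same message differing (the randomness $r$ does the work that textbook RSA lacks) and a single flipped ciphertext bit being rejected by the redundancy check. A real implementation has an obligation the toy does not meet: the range check in f_inv and the redundancy check in decrypt must be indistinguishable to the caller (same error, same timing), since telling them apart is exactly what a chosen-ciphertext attacker on RSA-OAEP exploits.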


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2t + q_H(2q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size (in bits) and $e$ is small.

With $t \le 2^{75}$ and $q_G, q_H \le 2^{55}$, inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113}\cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

(A line reads "no" when the time $t'$ given by the reduction exceeds the cost of factoring the modulus with the Number Field Sieve: an algorithm inverting RSA in time $t'$ is then no contradiction, so the reduction guarantees nothing.)

⇒ The reduction only guarantees RSA-OAEP for moduli of at least 4096 bits; it is not tight.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations, one for each key.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose the feasible bounds for any adversary attacking $f = $ RSA are:

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher ($q_E$) queries

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices


                                          Part V

                                          Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield absolute proofs.

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode were given in a better model [Paterson et al 10]. Are we going in circles, with a cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al 11]


Limits and Benefits of Provable Security (cont.)

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                          Part VI

                                          References


M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987 (11–15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: a formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

                                            Part III

                                            Reductions


Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$, the public modulus

$e$, the public exponent

$d = e^{-1} \bmod \varphi(n)$, the private exponent

$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \xleftarrow{\$} \mathbb{Z}_n^*$.

Easy fact: if the RSA problem is easy, secrecy does not hold, since anybody (not only the owner of the trapdoor) can recover $m$ from $c$.


But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy, THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let $P$ be a problem and let $A$ be an adversary that breaks the scheme. Then $A$ can be used to solve $P$:

Instance $I$ of $P$ → [new algorithm for $P$, running adversary $A$ as a subroutine] → solution of $I$

If so, we say solving $P$ reduces to breaking the scheme. Conclusion: if $P$ is intractable, then the scheme is unbreakable.


Provable Security

A misleading name: we are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure, we need:

1. To make precise the algorithmic assumptions (some were given above)

2. To define the security notions to be guaranteed (next): the security goal and the attack model

3. A reduction


Complexity-theory vs Exact Security vs Practical Security

The interpretation of the reduction matters.

Given: $A$ within time $t$ and success probability $\varepsilon$. ⇒ Build: an algorithm against $P$ that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

Complexity theory: $T$ polynomial

Exact security: $T$ explicit

Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.


Complexity-theory Security

Given: $A$ within time $t$ and success probability $\varepsilon$. ⇒ Build: an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$.

Assumption: $P$ is hard = "no polynomial-time algorithm".

Reduction: $T$ is polynomial in $t$ and $\varepsilon$.

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers, whose parameters are fixed.


Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.


Exact Security

Given: $A$ which in time $t$ breaks the scheme with probability $\varepsilon$. ⇒ Build: an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$.

Assumption: solving $P$ requires $N$ operations (say, time $\tau$).

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes).

Security result: there is no adversary against the scheme running in time $t$ with $t' = T(t, \varepsilon) \le \tau$, since such an adversary would solve $P$ faster than assumed possible.

Why useful? From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $(t'\varepsilon)/(t\varepsilon') = (t'/\varepsilon')/(t/\varepsilon)$.

We want tight reductions, or at least reductions with a small tightness gap.


                                            Part IV

                                            Security Notions


Security Notions: Examples

Problem: authentication and non-repudiation (i.e., signatures).

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model. Attack venues: what the adversary can and cannot do. Leaked information: what the adversary can learn from honest users (often modelled by oracles).

                                            3277


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\mathrm{Vf}(k_v, m', \sigma') = 1]$

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given signature scheme $\Sigma = (\mathrm{K}, \mathrm{Sign}, \mathrm{Vf})$:

  $(k_v, k_s) \xleftarrow{\$} \mathrm{K}(\cdot)$

  [Figure: the Adversary receives $k_v$ and interacts with a Signing Oracle holding $k_s$. Repeatedly, the adversary sends a message $m$ and receives $\sigma \leftarrow \mathrm{Sign}(k_s, m)$; finally it outputs $(m', \sigma')$.]

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m']$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

  Hash functions
  Block ciphers
  Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models:

  Hash function → Random oracle
  Block ciphers → Ideal cipher
  Finite groups → Generic group

Standard model: no idealized primitives (sort of).



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

  Each new query receives a random answer in $\mathrm{Rec}(H)$.
  The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathrm{K}, \mathrm{S}, \mathrm{V})$ as follows:

K: Key Generation returns $(f, f^{-1})$ where
  Public key: $f : X \to X$, a trapdoor one-way permutation onto X
  Private key: $f^{-1}$

S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

  A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
  $T_f$ is the time to compute f (in the forward direction);
  B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction).


Exact Security: FDH Signatures & Game-based Proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules for how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based Proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based Proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: maintain an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using
  Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$; reply using
  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based Proofs (2/5)

Game $G_2$: as $G_1$, but where

  $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.
  Let $c'$ be the index of the first query in which message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.
  If $c \neq c'$ then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based Proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$; otherwise choose r at random. Add the record $(q, \bot, r)$ to H-List.

Since the position of y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based Proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since the position of y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based Proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the c-th hash query (the forgery message, which must be new) cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

  the simulation can be done computing $(q_S + q_H)$ evaluations of f;
  a signature forgery for y gives a preimage of y.

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.



Exact Security: FDH Sigs & Game-based Proofs (conclusion)

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
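The simulator B of games G2, G4 and G5 in code, as an added example that is not part of the lecture or of the cited papers: a toy RSA permutation, the programmed random oracle of Rule H(4), the f^-1-free signing oracle of Rule S(5), the guess c and its abort, and the extraction of f^-1(y) from a forgery. The class and function names (FDHSimulator, forger_stand_in, run_reduction) are my own, and the forger stand-in is constructed: it is handed the private exponent d only so that the reduction's bookkeeping can be exercised; B never sees d.

```python
import random

# Constructed example of adversary B from the FDH reduction (games G2, G4, G5).
# The RSA modulus is tiny and the forger stand-in is handed the private
# exponent so that B's bookkeeping can be exercised; B itself never sees it.


class Abort(Exception):
    """B's guess c turned out to be wrong (the abort of game G2)."""


def rsa_keygen(p, q, e=65537):
    """Return (n, e, d): f(x) = x^e mod n is the public permutation, d inverts it."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)


class FDHSimulator:
    """Adversary B: knows only (n, e), the challenge y and its guess c.

    Rule H(4): the c-th fresh hash query is answered with r = y and s = None (⊥);
               every other fresh query q gets s <- X, r = f(s).
    Rule S(5): a signing query on m is answered with the stored s; f^-1 is never used.
    """

    def __init__(self, n, e, y, c, rng):
        self.n, self.e, self.y, self.c, self.rng = n, e, y, c, rng
        self.hlist = {}         # the H-List: q -> (s, r)
        self.fresh_queries = 0  # distinct hash queries seen so far
        self.f_evals = 0        # forward evaluations of f spent on the simulation

    def f(self, x):
        self.f_evals += 1
        return pow(x, self.e, self.n)

    def hash_oracle(self, q):
        if q in self.hlist:                # same query twice, same answer twice
            return self.hlist[q][1]
        self.fresh_queries += 1
        if self.fresh_queries == self.c:   # Rule H(4): program the challenge here
            s, r = None, self.y
        else:
            s = self.rng.randrange(1, self.n)
            r = self.f(s)
        self.hlist[q] = (s, r)
        return r

    def sign_oracle(self, m):
        self.hash_oracle(m)
        s, _ = self.hlist[m]
        if s is None:   # a signature on the programmed message: the guess was wrong
            raise Abort
        return s        # Rule S(5): no f^-1 needed

    def extract(self, m, sigma):
        """Vf of game G5: a valid forgery on the programmed message is f^-1(y)."""
        r = self.hash_oracle(m)            # Vf's own hash query (the +1 in qh+qs+1)
        s, _ = self.hlist[m]
        if s is None and pow(sigma, self.e, self.n) == r:
            return sigma                   # f(sigma) = r = y
        return None


def forger_stand_in(hash_oracle, sign_oracle, qh, qs, d, n):
    """Stand-in for an arbitrary EUF-CMA forger A (constructed; it cheats with d).

    Fresh hash queries 1..qh-1 are dummies, query qh is the target message and
    the qs signing queries are fresh queries qh+1..qh+qs, so c' = qh.
    """
    for i in range(qh - 1):
        hash_oracle(f"dummy-message-{i}")
    target = "target-message"
    r = hash_oracle(target)
    for i in range(qs):
        sign_oracle(f"signed-message-{i}")
    return target, pow(r, d, n)            # valid signature on a never-signed message


def run_reduction(n, e, d, y, c, qh, qs, seed=0):
    """Run B with guess c; return (preimage of y or None, f evaluations spent)."""
    sim = FDHSimulator(n, e, y, c, random.Random(seed))
    try:
        m, sigma = forger_stand_in(sim.hash_oracle, sim.sign_oracle, qh, qs, d, n)
    except Abort:
        return None, sim.f_evals
    return sim.extract(m, sigma), sim.f_evals


def good_guess_probability(qh, qs):
    """Pr[GoodGuess] of game G2: c is uniform in {1, ..., qh + qs + 1}."""
    return 1 / (qh + qs + 1)


if __name__ == "__main__":
    n, e, d = rsa_keygen(1000003, 1000033)   # constructed tiny key
    y = pow(123456789, e, n)                 # one-wayness challenge y = f(x)
    for c in range(1, 4 + 3 + 2):            # every guess for qh = 4, qs = 3
        print(c, run_reduction(n, e, d, y, c, 4, 3))
```

Running every guess c shows the two facts the proof rests on: exactly one guess (c = c') yields f^-1(y), which is why the loss factor is q_h + q_s + 1, and the simulation never spends more than q_h + q_s forward evaluations of f.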

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

  A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
  $T_f$ is the time to compute f (in the forward direction);
  B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are

  at most $2^{75}$ operations (t),
  at most $2^{55}$ hash queries ($q_h$), and
  at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: if one can break the scheme in time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with the known bounds on inverting RSA (namely factoring, using the best known algorithm, the Number Field Sieve (NFS)) for f = RSA:

  1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
  2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
  4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. Inverting f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

  1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
  2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
  4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \leftarrow_{\$} \{0,1\}$; $(k_e, k_d) \leftarrow_{\$} K(\cdot)$; sends $k_e$ to the adversary.
Adversary (phase 1, CCA1 and CCA2): queries $c$ and receives $m \leftarrow D_{k_d}(c)$ (or $\bot$), adaptively.
Adversary: chooses $m_0, m_1$. Challenger: $c^* \leftarrow E_{k_e}(m_b)$ and sends $c^*$.
Adversary (phase 2, CCA2 only): queries $c \ne c^*$ and receives $m \leftarrow D_{k_d}(c)$ (or $\bot$), adaptively.
Adversary: outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr[\, (m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b \,]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let $m$ be a random message chosen from the message space $M$.
From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover $m$.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr[\, m \leftarrow_{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m \,]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
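
The two failures just listed (textbook RSA is deterministic, so it is not even IND-CPA; ElGamal is multiplicative, so it is not IND-CCA) are easiest to see by actually playing the IND-CCA game of slide 54. The following is an added example, not code from the slides: it implements the challenger (with the decryption oracle that refuses the challenge $c^*$), plugs in toy versions of both schemes, and runs one adversary against each. The RSA primes ($2^{61}-1$, $2^{89}-1$), the ElGamal prime ($2^{127}-1$), the group element $g = 3$ and the messages are constructed choices for illustration only.

```python
"""The IND-CCA2 game from the slides, instantiated against two toy schemes.

Added example, not code from the slides: the parameters below are
constructed (fixed Mersenne primes, a fixed group element) and are far too
small for real use; they only serve to exercise the security notions."""
import secrets

# Toy textbook RSA: p = 2^61-1, q = 2^89-1 (both prime), e = 65537.
RSA_P, RSA_Q, RSA_E = (1 << 61) - 1, (1 << 89) - 1, 65537

# Toy ElGamal in Z_p^* with p = 2^127-1 (prime) and fixed element g = 3.
EG_P, EG_G = (1 << 127) - 1, 3


def rsa_keygen():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))       # d = e^{-1} mod phi(n)
    return (n, RSA_E), (n, d)


def rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)                                  # m^e mod n: no randomness


def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def eg_keygen():
    x = secrets.randbelow(EG_P - 2) + 1
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x           # pk = (p, g, y = g^x), sk = x


def eg_encrypt(pk, m):
    p, g, y = pk
    r = secrets.randbelow(p - 2) + 1
    return (pow(g, r, p), m * pow(y, r, p) % p)          # (g^r, m * y^r)


def eg_decrypt(sk, c):
    c1, c2 = c
    return c2 * pow(pow(c1, sk, EG_P), -1, EG_P) % EG_P  # c2 / c1^x


class IndCca2Game:
    """Challenger: draws b, hands out the public key, answers decryption
    queries on anything except the challenge c*, and checks the guess b'."""

    def __init__(self, keygen, encrypt, decrypt):
        self.pk, self.sk = keygen()
        self.encrypt, self.decrypt = encrypt, decrypt
        self.b = secrets.randbelow(2)
        self.c_star = None

    def dec_oracle(self, c):
        if self.c_star is not None and c == self.c_star:
            return None                                  # the one forbidden query
        return self.decrypt(self.sk, c)

    def challenge(self, m0, m1):
        self.c_star = self.encrypt(self.pk, (m0, m1)[self.b])
        return self.c_star

    def finish(self, b_guess):
        return b_guess == self.b


def rsa_adversary(game):
    """Textbook RSA is deterministic: re-encrypt m0 under the public key and
    compare with c*. No oracle query is needed, so this already breaks IND-CPA."""
    m0, m1 = 2, 3
    c_star = game.challenge(m0, m1)
    return game.finish(0 if rsa_encrypt(game.pk, m0) == c_star else 1)


def elgamal_adversary(game):
    """ElGamal is multiplicative: (c1, 2*c2) is a fresh ciphertext of 2*m_b,
    so the CCA2 oracle answers it; halving the answer reveals m_b."""
    m0, m1 = 2, 3
    c1, c2 = game.challenge(m0, m1)
    two_mb = game.dec_oracle((c1, 2 * c2 % EG_P))
    mb = two_mb * pow(2, -1, EG_P) % EG_P
    return game.finish(0 if mb == m0 else 1)


def win_rate(keygen, encrypt, decrypt, adversary, trials=20):
    """Fraction of games won; a guessing adversary would hover around 1/2."""
    wins = sum(adversary(IndCca2Game(keygen, encrypt, decrypt)) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("textbook RSA, CPA-style adversary:", win_rate(rsa_keygen, rsa_encrypt, rsa_decrypt, rsa_adversary))
    print("ElGamal, CCA2 adversary:          ", win_rate(eg_keygen, eg_encrypt, eg_decrypt, elgamal_adversary))
```

Both adversaries win every game, which in the slides' notation means an advantage of 1. Note the asymmetry: the RSA adversary never touches the decryption oracle, so it lives in the CPA model, while the ElGamal adversary needs exactly one CCA2 query and would be reduced to guessing if the oracle were removed (ElGamal is IND-CPA under DDH, as the slide states).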

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
Any trapdoor one-way function may yield a OW-CPA encryption scheme.
OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n$, $k_0$, $k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$
$H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: compute $x$, $y$, then return $c = f(x \| y)$
$D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check redundancy

58/77
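
To make the "compute $x$, $y$" and "check redundancy" steps concrete, here is an added example (not the slides' code) of f-OAEP with $f$ = RSA, using the standard OAEP layout $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$. Everything not on the slide is an assumption of the example: $G$ and $H$ are built from SHA-256 (the slide treats them as random oracles), the sizes $n = 128$, $k_0 = k_1 = 32$ are constructed toy values, and the RSA modulus is the product of the fixed Mersenne primes $2^{61}-1$ and $2^{89}-1$ (about 150 bits, so every padded block is below it). The point to watch is $D$: a ciphertext whose padding does not decode to $0^{k_1}$ is rejected, which is what separates OAEP from the plain RSA of slide 56.

```python
"""f-OAEP with f = RSA, as an added example (not the slides' code).

Layout, in the slides' notation (n, k0, k1): the padded block is x || y with
  x = (m || 0^{k1}) XOR G(r)   (n - k0 bits)
  y = r XOR H(x)               (k0 bits)
G and H are instantiated with SHA-256 (an assumption of this example; the
slides model them as random oracles). The RSA primes are fixed Mersenne
primes (constructed), so the modulus is ~150 bits and n = 128 fits below it."""
import hashlib
import secrets

N_BITS, K0, K1 = 128, 32, 32            # n > k0 + k1 as required on the slide
M_BITS = N_BITS - K0 - K1               # message length: 64 bits

RSA_P, RSA_Q, RSA_E = (1 << 61) - 1, (1 << 89) - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
assert RSA_N > (1 << N_BITS)            # every padded block is a valid RSA input


def _hash_bits(label, value, in_bits, out_bits):
    """SHA-256-based hash with a fixed output length, used to build G and H."""
    data = label + value.to_bytes(in_bits // 8, "big")
    out, counter = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(data + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def G(r):            # {0,1}^{k0} -> {0,1}^{n-k0}
    return _hash_bits(b"G", r, K0, N_BITS - K0)


def H(x):            # {0,1}^{n-k0} -> {0,1}^{k0}
    return _hash_bits(b"H", x, N_BITS - K0, K0)


def oaep_pad(m, r):
    """E's first step: from (m, r) compute x and y and return x || y."""
    assert 0 <= m < (1 << M_BITS) and 0 <= r < (1 << K0)
    x = (m << K1) ^ G(r)                 # (m || 0^{k1}) XOR G(r)
    y = r ^ H(x)                         # r XOR H(x)
    return (x << K0) | y


def oaep_unpad(block):
    """D's last steps: invert OAEP and check the k1 redundancy bits.
    Returns m, or None when the block is malformed or the redundancy fails."""
    if block >= (1 << N_BITS):
        return None                      # f^{-1}(c) must fit the n-bit layout
    x, y = block >> K0, block & ((1 << K0) - 1)
    r = y ^ H(x)
    padded_m = x ^ G(r)
    if padded_m & ((1 << K1) - 1) != 0:  # the 0^{k1} redundancy must survive
        return None
    return padded_m >> K1


def encrypt(m, r=None):
    """E(m, r): pad, then c = f(x || y) with f = RSA."""
    r = secrets.randbits(K0) if r is None else r
    return pow(oaep_pad(m, r), RSA_E, RSA_N)


def decrypt(c):
    """D(c): x || y = f^{-1}(c), then invert OAEP and check redundancy."""
    return oaep_unpad(pow(c, RSA_D, RSA_N))


if __name__ == "__main__":
    c = encrypt(0xDEADBEEF)
    print("decrypt(c)      =", hex(decrypt(c)))
    print("decrypt(c ^ 1)  =", decrypt(c ^ 1))   # tampered: rejected (None)
```

Because $y$ is bound to $x$ through $H$ and $x$ to $r$ through $G$, flipping any bit of the ciphertext randomizes the recovered $r$ and hence the whole $m \| 0^{k_1}$ block, so the tampered ciphertext fails the redundancy check except with probability about $2^{-k_1}$; with real parameters $k_1$ is at least 128.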

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles H and G respectively, $k$ is the modulus size and $e$ is small.

Solving (inverting $f$) can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight)

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f$ = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f$ = RSA are
at most $2^{75}$ operations ($t$)
at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more

61/77
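
The key-size tables on slides 51, 59 and 61 all follow the same exact-security recipe: substitute the assumed attacker budget ($t = 2^{75}$, $T_f = k^2$ for a $k$-bit modulus) into the reduction's running time, and compare the resulting inverter cost $t'$ with the best known attack (NFS). The reduction says something only when $t'$ is below the NFS cost at that key size. The following is an added example, not from the slides, that carries out this arithmetic for the three reductions; the NFS costs and the bound shapes are the slides' own figures, while the names of the functions are this example's.

```python
"""Exact-security arithmetic behind the slides' key-size tables (added example).

Each reduction turns an attacker running in time t (t = 2^75 on the slides)
into an RSA inverter with running time
    t' <= A + B * k^2        (T_f = k^2 for a k-bit modulus, as on the slides)
The bound is meaningful at k bits only if t' is below the NFS cost there:
otherwise a 2^75 attacker would not contradict the assumed hardness of RSA.
NFS costs and the (A, B) pairs are read off the slides."""
import math

NFS_COST_BITS = {1024: 80, 2048: 111, 4096: 149}   # log2 of NFS cost, from the slides

# t' <= A + B * k^2, with the slides' t = 2^75 already substituted
REDUCTIONS = {
    "RSA-FDH, Coron 2000": (2**105, 2**85),        # 2^30 * 2^75 + 2^85 * T_f
    "RSA-OAEP, FOPS 2000": (2**76, 6 * 2**110),    # 2^76 + 6 * 2^110 * k^2
    "RSA-OAEP++, Jonsson": (2**75, 2**55),         # 2^75 + 2^55 * k^2
}


def inverter_time_bits(a, b, k):
    """log2 of the bound t' <= a + b * k^2 (exact integer sum, then log)."""
    return math.log2(a + b * k * k)


def guarantee_holds(a, b, k):
    """True when the reduction's inverter would beat NFS at k bits, i.e. when an
    attacker within the assumed resources would contradict RSA's hardness."""
    return inverter_time_bits(a, b, k) < NFS_COST_BITS[k]


def minimum_secure_key(a, b):
    """Smallest modulus size in the table for which the bound is meaningful."""
    for k in sorted(NFS_COST_BITS):
        if guarantee_holds(a, b, k):
            return k
    return None


def report():
    """One line per (reduction, key size), in the layout of the slides."""
    lines = []
    for name, (a, b) in REDUCTIONS.items():
        for k in sorted(NFS_COST_BITS):
            bits = inverter_time_bits(a, b, k)
            verdict = "ok" if guarantee_holds(a, b, k) else "no"
            lines.append(f"{name:20s} {k:4d} bits: t' <= 2^{bits:6.2f}, NFS 2^{NFS_COST_BITS[k]}: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
    for name, (a, b) in REDUCTIONS.items():
        print(f"{name}: secure from {minimum_secure_key(a, b)} bits")
```

The verdicts reproduce the slides (2048 for Coron's FDH bound, 4096 for RSA-OAEP, 1024 for OAEP++). The exact exponents differ from the slides by rounding in a few places, e.g. $2^{105} + 2^{105} = 2^{106}$ for FDH at 1024 bits, which the slide rounds down to $2^{105}$; the conclusion is unchanged because the gap to the NFS cost is large. Swapping in a different attacker budget or a different NFS estimate (e.g. the Lenstra-Verheul figures cited in the references) is a matter of changing the two tables.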

Revisiting the Assumptions

Classical Assumptions:
Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
Error-Correcting Codes
Hash-based schemes
Systems of Multi-Variate Equations
Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
Definitions (models) need time for review and acceptance.
Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].

64/77

Limits and Benefits of Provable Security

Still, provable security
provides some form of guarantee that the scheme is not flawed;
motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Algorithmic assumptions are necessary

Recall that for RSA:

$n = pq$: public modulus
$e$: public exponent
$d = e^{-1} \bmod \varphi(n)$: private exponent
$E_{n,e}(m) = m^e \bmod n$ and $D_{n,d}(c) = c^d \bmod n$

Underlying hard problem: computing $m$ from $c = E_{n,e}(m)$ for $m \leftarrow_{\$} \mathbb{Z}_n^*$

Easy fact: if the RSA problem is easy, secrecy does not hold: anybody (not only the owner of the trapdoor) can recover $m$ from $c$.

21/77

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.

22/77



Proof by Reduction

Let P be a problem. Let A be an adversary that breaks the scheme. Then A can be used to solve P:

Instance $I$ of P → [ New algorithm for P, running Adversary A inside ] → Solution of $I$

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.

23/77


Provable Security

A misleading name: not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next): security goal, attack model
3. A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time $t$, success probability $\varepsilon$
⇒ Build: an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$

The reduction requires showing T (for simplicity, suppose R depends only linearly on $\varepsilon$):

Complexity theory: T polynomial
Exact security: T explicit
Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: A within time $t$ and success probability $\varepsilon$
⇒ Build: an algorithm against P that runs in time $t' = T(t, \varepsilon)$

Assumption: P is hard = "no polynomial time algorithm"
Reduction: T is polynomial in $t$ and $\varepsilon$
Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77



Complexity-theory Security Results

General Results
Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

- the schemes for which these results were originally obtained are rather inefficient;
- looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: A, which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: solving P requires N operations (say, time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?
From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness
A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ ≫ t or ε′ ≪ ε, the reduction is not tight.

The tightness gap is (t′ε)/(tε′) = (t′/ε′)/(t/ε).

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV: Security Notions

31/77

Security Notions · Security Notion for Signature Schemes · Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).
How do we come up with a security notion?

We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
2. The attack model:
   - Attack venues: what the adversary can and cannot do.
   - Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery
The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

- given the verification key k_v,
- it outputs a pair (m′, σ′) of a message and its signature
- such that the following probability is large:

  Pr[ Vf(k_v, m′, σ′) = 1 ]

33/77

Possible Attack Models

- No-Message Attack (NMA): the adversary only knows the verification key.
- Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.
- Chosen-Message Attack (CMA): the adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given signature scheme Σ = (K, Sign, Vf):

(k_v, k_s) ←$ K(·)
k_v is given to the Adversary; k_s is given to the Signing Oracle.
Adversary → Signing Oracle: m
Signing Oracle → Adversary: σ ← Sign(k_s, m)
··· (repeated as often as the adversary wishes)
Adversary outputs (m′, σ′)

Adv^{euf-cma}_Σ(A) = Pr[ Vf(k_v, m′, σ′) = 1 for new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

- Hash functions
- Block ciphers
- Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

- Hash function → Random oracle
- Block ciphers → Ideal cipher
- Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].
Hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

- Each new query receives a random answer in Rec(H).
- The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]
Scheme FDH is (K, S, V) as follows:

- K: Key Generation returns (f, f⁻¹), where
  - Public key: f: X → X, a trapdoor one-way permutation onto X
  - Private key: f⁻¹
- S: Signature of m returns σ ← f⁻¹(H(m))
- V: Verification of (m, σ) returns true if f(σ) = H(m)

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)
Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_FDH(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
- T_f is the time to compute f (in the forward direction),
- B runs in time t′ = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^{euf-cma}_FDH(A) = Pr[ S0 ].

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q): create an initially empty list called H-List. If (q, r) ∈ H-List, return r. Otherwise reply using
  Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m): r ← H(m). Reply using
  Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ): r ← H(m). Return true if r = f(σ). The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

- c ←$ {1, ..., q_H + q_S + 1};
- let c′ be the index of the first query in which message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A;
- if c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
         = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
         ≥ Pr[ S1 ] × 1/(q_H + q_S + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.
Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set r ← y. Otherwise choose r at random. Add record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, Pr[ S3 ] = Pr[ S2 ].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set r ← y and s ← ⊥. Otherwise choose random s ←$ X and compute r ← f(s). Add record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, Pr[ S4 ] = Pr[ S3 ].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f⁻¹.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[ S5 ] = Pr[ S4 ].

Moreover:

- the simulation can be done computing (q_S + q_H) evaluations of f;
- a signature forgery for y gives a preimage for y.

Pr[ S5 ] = Adv^{ow}_f(B), where B = G5 runs in time t + (q_S + q_H) · T_f.

46/77



Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

Adv^{ow}_f(B) = Pr[ S5 ] = Pr[ S4 ] = Pr[ S3 ] = Pr[ S2 ]
              ≥ 1/(q_H + q_S + 1) × Pr[ S1 ]
              ≥ 1/(q_H + q_S + 1) × Pr[ S0 ]
              = 1/(q_H + q_S + 1) × Adv^{euf-cma}_FDH(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B),$$

where $B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s)\cdot T_f) \le 2^{130} + 2^{110}\cdot T_f$.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110}\cdot T_f.$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known algorithm, the Number Field Sieve (NFS)), for $f = $ RSA. The bound only says something when $t'$ is below the NFS cost: otherwise the inverter that the reduction builds is slower than the best known attack on $f$, and the assumption does not rule out the forger.

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

(here $e$ is Euler's number, not the RSA exponent), where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and:

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game runs between a challenger and an adversary:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is given to the adversary.

Adversary: may query a decryption oracle on ciphertexts $c$ of his choice and receive $m \leftarrow D_{k_d}(c)$ (or $\bot$); then outputs $(m_0, m_1)$.

Challenger: $c^* \leftarrow E_{k_e}(m_b)$ and sends $c^*$.

Adversary: may again query the decryption oracle on any $c \ne c^*$ and receive $m \leftarrow D_{k_d}(c)$ (or $\bot$); finally outputs $b'$.

CCA1 allows decryption queries only before the challenge; CCA2 allows them before and after it.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b)\ :\ b' = b\,\big]$$

(Indistinguishability against chosen-ciphertext attacks.)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,\big]$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$E(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
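Two points from the slides above lend themselves to a concrete demonstration: that textbook RSA is not IND-CPA because it is deterministic (the "Goals Achieved by Practical Encryption Schemes" slide), and how f-OAEP wraps a trapdoor permutation with randomness and redundancy so that decryption can reject malformed ciphertexts (this slide). The following Python is an added example, not code from the slides. It uses a toy RSA modulus built from two well-known Mersenne primes (chosen only to avoid prime generation; nowhere near a secure size), SHA-256-based mask generators standing in for the random oracles G and H, and the standard OAEP equations x = (m‖0^k1) ⊕ G(r), y = r ⊕ H(x), which the slide itself does not spell out. The indistinguishability game is the one from the IND-CCA slide without the decryption oracle; the adversary simply re-encrypts m0 under the public key and compares.

```python
import hashlib
import secrets

# --- Toy trapdoor one-way permutation f = RSA (constructed for illustration) ---
# Two well-known Mersenne primes give a ~150-bit modulus without any prime generation;
# this key is far too small to be secure and exists only to make the example run.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # valid because gcd(E, (P-1)(Q-1)) = 1 for these primes

def f(x):      # forward direction: anyone holding (N, E) can compute it
    return pow(x, E, N)

def f_inv(c):  # needs the trapdoor D
    return pow(c, D, N)

# --- f-OAEP parameters in bytes: n > k0 + k1, and 2^(8n) < N so every x||y is a valid input to f ---
N_BYTES, K0, K1 = 18, 4, 4
MSG_BYTES = N_BYTES - K0 - K1

def mgf(seed, length, label):
    """Hash-based mask generator (MGF1-style) standing in for the random oracles G and H."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def G(r): return mgf(r, N_BYTES - K0, b"G")   # {0,1}^k0 -> {0,1}^(n-k0)
def H(x): return mgf(x, K0, b"H")             # {0,1}^(n-k0) -> {0,1}^k0
def xor(a, b): return bytes(p ^ q for p, q in zip(a, b))

def oaep_pad(m, r):
    """Standard OAEP equations: x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy):
    """Undo the two rounds, then check the k1 zero bytes (the redundancy)."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    if padded[MSG_BYTES:] != bytes(K1):
        return None                   # reject: plays the role of the slide's "bottom" symbol
    return padded[:MSG_BYTES]

# --- Two schemes over the same f ---
def textbook_rsa_enc(m):
    return f(int.from_bytes(m, "big"))          # deterministic: no randomness at all

def rsa_oaep_enc(m, r=None):
    r = secrets.token_bytes(K0) if r is None else r
    return f(int.from_bytes(oaep_pad(m, r), "big"))

def rsa_oaep_dec(c):
    if not 0 <= c < N:
        return None
    xy = f_inv(c)
    if xy >= 2 ** (8 * N_BYTES):
        return None                   # not in the OAEP domain {0,1}^n
    return oaep_unpad(xy.to_bytes(N_BYTES, "big"))

# --- The indistinguishability game: challenger flips b, adversary sees only ke (here: enc) and c* ---
M0, M1 = b"message A!", b"message B!"         # constructed, same length, both MSG_BYTES long

def ind_cpa_game(enc, adversary):
    b = secrets.randbelow(2)
    c_star = enc(M1 if b else M0)
    return adversary(enc, M0, M1, c_star) == b

def reencrypt_and_compare(enc, m0, m1, c_star):
    """Distinguisher using only public information: encrypt m0 yourself and compare."""
    return 0 if enc(m0) == c_star else 1

def win_rate(enc, trials=400):
    """Fraction of games the distinguisher wins, i.e. an estimate of Pr[b' = b]."""
    return sum(ind_cpa_game(enc, reencrypt_and_compare) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("textbook RSA, Pr[b'=b] =", win_rate(textbook_rsa_enc))   # 1.0: deterministic
    print("RSA-OAEP,     Pr[b'=b] =", win_rate(rsa_oaep_enc))       # close to 0.5
    c = rsa_oaep_enc(b"ten bytes!")
    print(rsa_oaep_dec(c), rsa_oaep_dec((c + 1) % N))               # message, then None
```

Against textbook RSA the distinguisher wins every game, which is the slide's "not IND-CPA since it's deterministic" made concrete; against RSA-OAEP the same distinguisher is reduced to guessing, because each encryption draws a fresh r. Modifying a ciphertext (here adding 1 mod N) makes the k1 zero bytes fail to reappear after unpadding, so decryption returns ⊥ rather than a related plaintext; that rejection is the redundancy check the D(c) line of the slide refers to.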


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2\cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2\cdot t + q_H(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6\cdot 2^{110}\, k^2 \le 2^{113}\cdot k^2$, and:

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = $ RSA are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and:

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
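The per-key-size tables on the FDH slides above (the [Bellare-Rogaway 96] bound and the [Coron 2000] improvement) and on this RSA-OAEP++ slide all apply the same recipe: plug the assumed adversary budget into the reduction's running-time bound, then check whether the inverter the reduction builds would beat the Number Field Sieve. The following Python is an added example, not part of the original slides, that carries out that comparison for the three bounds. It takes the budgets and NFS figures from the slides and models T_f as k^3 for the first FDH bound and as k^2 for the other two, as the slides do; a modulus size counts as secure when the reduction's t' falls below the NFS cost.

```python
import math

# Adversary budget and best known RSA inversion cost (Number Field Sieve) as given on the slides.
# Costs are in "operations"; NFS figures are log2 of the operation count per modulus size k.
T, QH, QS, QE = 2**75, 2**55, 2**30, 2**55
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

def Tf(k, exponent):
    """Cost of one forward evaluation of f = RSA on a k-bit modulus with small e.
    The slides model it as k^3 on the first FDH slide and as k^2 on the later ones."""
    return k ** exponent

def fdh_bellare_rogaway(k, tf_exp=3, t=T, qh=QH, qs=QS):
    """[Bellare-Rogaway 96]: Adv_FDH <= (qh+qs+1) Adv_f(B) with B in time t + (qh+qs) Tf.
    Turning a forger into an inverter therefore costs about (qh+qs+1) runs of B."""
    return (qh + qs + 1) * (t + (qh + qs) * Tf(k, tf_exp))

def fdh_coron(k, tf_exp=2, t=T, qh=QH, qs=QS):
    """[Coron 2000]: Adv_FDH <= qs * e * Adv_f(B), B in time t + (qh+qs+1) Tf (e = Euler's number)."""
    return qs * math.e * (t + (qh + qs + 1) * Tf(k, tf_exp))

def oaep_plusplus(k, tf_exp=2, t=T, qE=QE):
    """[Jonsson 2002] RSA-OAEP++: essentially linear, the inverter runs in time t + qE Tf."""
    return t + qE * Tf(k, tf_exp)

def log2_cost(cost):
    """Exponent view of a running time, matching the 2^x notation of the slides."""
    return math.log2(cost)

def reduction_is_meaningful(k, cost):
    """The reduction rules out the attacker only if the inverter it builds would beat NFS."""
    return log2_cost(cost) < NFS_LOG2[k]

def smallest_secure_modulus(cost_fn):
    """Smallest slide modulus size for which the bound is meaningful, or None if none is."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(k, cost_fn(k)):
            return k
    return None

def report(cost_fn):
    """Rows (k, log2 t', NFS log2, meaningful?) mirroring the per-key-size tables on the slides."""
    return [(k, round(log2_cost(cost_fn(k)), 1), NFS_LOG2[k], reduction_is_meaningful(k, cost_fn(k)))
            for k in sorted(NFS_LOG2)]

if __name__ == "__main__":
    for name, fn in [("FDH (Bellare-Rogaway 96)", fdh_bellare_rogaway),
                     ("FDH (Coron 2000)", fdh_coron),
                     ("RSA-OAEP++ (Jonsson 2002)", oaep_plusplus)]:
        print(name, report(fn), "-> secure from", smallest_secure_modulus(fn), "bits")
```

The exact exponents differ slightly from the rounded figures on the slides (for instance the Coron bound here keeps the factor e and the lower-order terms), but the verdicts match: 4096 bits for the first FDH bound, 2048 bits for Coron's, 1024 bits for OAEP++. Changing the budget constants at the top is the practical use of such a table: it shows how far a key-size recommendation depends on what one assumes about the adversary.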


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Kunzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let P be a problem.
Let A be an adversary that breaks the scheme.
Then A can be used to solve P:

Instance I of P → [ New algorithm for P, which runs Adversary A as a subroutine ] → Solution of I

If so, we say solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

23/77


Provable Security

A misleading name:

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next):
   - Security goal
   - Attack model
3. A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given A (within time t, success probability ε)
⇒ Build an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε).

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε).

- Complexity theory: T polynomial
- Exact security: T explicit
- Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given A (within time t and success probability ε)
⇒ Build an algorithm against P that runs in time t′ = T(t, ε).

Assumption: P is hard = "no polynomial-time algorithm"
Reduction: T is polynomial in t and ε
Security result: there is no polynomial-time adversary,
which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security: Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

- the schemes for which these results were originally obtained are rather inefficient;
- looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given A which in time t breaks the scheme with probability ε
⇒ Build an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′.

Assumption: solving P requires N operations (say, time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ.

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′/ε′)/(t/ε) = (t′ε)/(tε′).

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Outline: Security Notions; Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed.
2. Attack model:
   - Attack venues: what the adversary can and cannot do
   - Leaked information: what the adversary can learn from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if:

- given the verification key kv,
- it outputs a pair (m′, σ′) of a message and its signature
- such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]

33/77


Possible Attack Models

- No-Message Attack (NMA): the adversary only knows the verification key.
- Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.
- Chosen-Message Attack (CMA): the adversary can choose the messages for which it gets to see the message/signature pairs. Strongest attack.

34/77


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme Σ = (K, Sign, Vf):

  (kv, ks) ←$ K(·)

    kv ↓                                    ks ↓
  Adversary A  ---- m ---->   Signing Oracle
               <--- σ -----   σ ← Sign(ks, m)
               ···  (repeated, for qs messages)  ···
    ↓ (m′, σ′)

Adv^euf-cma_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for a new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

- Hash functions
- Block ciphers
- Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

- Hash function → Random oracle
- Block ciphers → Ideal cipher
- Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93].
A hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

- Each new query receives a random answer in Rec(H).
- The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

- K, Key Generation: returns (f, f⁻¹) where
  - Public key: f: X → X, a trapdoor one-way permutation onto X
  - Private key: f⁻¹
- S, Signature of m: returns σ ← f⁻¹(H(m))
- V, Verification of (m, σ): returns true if f(σ) = H(m)

38/77
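The FDH scheme just defined, together with the EUF-CMA experiment from the earlier slide, as an added worked example in Python (this code is not from the slides nor from Bellare and Rogaway): a toy textbook-RSA permutation stands in for f, SHA-256 reduced mod N stands in for the full-domain hash H, and the two sample adversaries are constructed only to show what the "new m′" condition of the experiment rejects. All parameters are constructed and far too small for real use.

```python
# Added example (not from the slides): toy Full-Domain Hash over textbook
# RSA, plus the EUF-CMA experiment run against two sample adversaries.
import hashlib
import secrets

# Constructed toy RSA trapdoor permutation f(x) = x^E mod N on X = Z_N.
P, Q = 1000003, 1000033             # small primes, for illustration only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor: f^{-1}(y) = y^D mod N

def f(x):
    """Public direction of the permutation."""
    return pow(x, E, N)

def f_inv(y):
    """Private direction; needs the trapdoor D."""
    return pow(y, D, N)

def H(m: bytes) -> int:
    # Stand-in for a hash onto X: SHA-256 reduced mod N.
    # (A real FDH instantiation must hash onto all of X; this is a toy.)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

# Scheme FDH = (K, S, V) exactly as on the slide.
def keygen():
    return (E, N), D               # (public f, private f^{-1})

def sign(sk, m: bytes) -> int:
    return f_inv(H(m))             # σ ← f^{-1}(H(m))

def verify(pk, m: bytes, sigma: int) -> bool:
    return f(sigma) == H(m)        # true iff f(σ) = H(m)

# EUF-CMA experiment: the adversary gets kv and a signing oracle, then
# outputs (m', σ'); it wins only if σ' verifies AND m' was never queried.
def euf_cma_experiment(adversary) -> bool:
    pk, sk = keygen()
    queried = set()

    def signing_oracle(m: bytes) -> int:
        queried.add(m)             # record m so a replay is not counted
        return sign(sk, m)

    m_prime, sigma_prime = adversary(pk, signing_oracle)
    return verify(pk, m_prime, sigma_prime) and m_prime not in queried

# Sample adversary 1 (constructed): asks for one signature and returns it.
# The pair verifies, but m' is not new, so the experiment returns False.
def replay_adversary(pk, sign_oracle):
    m = b"constructed message"
    return m, sign_oracle(m)

# Sample adversary 2 (constructed): a random σ' on a fresh message. It
# verifies only if f(σ') happens to equal H(m'), probability 1/N here.
def random_guess_adversary(pk, sign_oracle):
    return b"constructed fresh message", secrets.randbelow(N)
```

The experiment deliberately keeps the bookkeeping (the `queried` set) separate from the scheme: that set is the formal meaning of "new m′" in the advantage definition, and forgetting it is the classic mistake that makes a security game trivially winnable.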


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where

- A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
- Tf is the time to compute f (in the forward direction);
- B runs in time t′ = t + (qh + qs) · Tf.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ):
  Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^euf-cma_FDH(A) = Pr[ S0 ].

41/77


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Create an initially empty list called H-List.
  If (q, r) ∈ H-List, return r.
  Otherwise, reply using
    Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using
    Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ).

The game ends when the verification oracle is called.
Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ].

42/77


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

  c ←$ {1, ..., qH + qS + 1}

Let c′ = the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
         = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
         ≥ Pr[ S1 ] × 1/(qH + qS + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose random $r \xleftarrow{\$} X$. Add the record $(q, r)$ to H-List.

Since the position of $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
- If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.
- Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.
- Add the record $(q, s, r)$ to H-List.

Since the position of $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query (the forgery message) cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:
- the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;
- a signature forgery for $y$ gives a preimage for $y$;
- $\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B = G_5$ runs in time $t + (q_S + q_H)\, T_f$.


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \geq \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \geq \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
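The simulator of game $G_5$, written out as an added example (not code from the slides): the inverter $B$ answers the forger's hash and signing queries without ever calling $f^{-1}$, embeds the challenge $y$ at hash query number $c$, and extracts the preimage when the forgery lands on that query. The trapdoor permutation is a toy RSA over two Mersenne primes, and the forger is a stand-in that cheats with the trapdoor to produce its forgery; both are assumptions of the demo, since $B$ does not care how $A$ forges. Running $B$ once for every possible guess $c$ shows that exactly one guess recovers $x$, which is where the $1/(q_H + q_S + 1)$ loss in the bound comes from.

```python
import secrets

# Toy trapdoor permutation f = RSA over two Mersenne primes. These parameters are
# an assumption for the demo and are NOT secure; any trapdoor permutation works.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x: int) -> int:       # forward direction: public
    return pow(x, E, N)


def f_inv(y: int) -> int:   # trapdoor: only the real signer (and our stand-in forger) has D
    return pow(y, D, N)


class Simulator:
    """Inverter B of game G5: answers the hash and signing oracles of an FDH forger
    without using f^-1, embedding the challenge y at hash query number c."""

    def __init__(self, y: int, c: int):
        self.y, self.c = y, c
        self.hlist = {}        # H-List: q -> (s, r) with r = H(q); s is None for the embedded query
        self.queries = 0       # distinct hash queries so far (a signing query hashes its message first)
        self.aborted = False

    def hash(self, q: bytes) -> int:
        if q in self.hlist:                        # repeated query: answer consistently
            return self.hlist[q][1]
        self.queries += 1
        if self.queries == self.c:                 # Rule H(4): r <- y, s <- bottom
            s, r = None, self.y
        else:                                      # Rule H(4): s <-$ X, r <- f(s)
            s = 1 + secrets.randbelow(N - 1)
            r = f(s)
        self.hlist[q] = (s, r)
        return r

    def sign(self, m: bytes):
        self.hash(m)                               # r <- H(m)
        s, _ = self.hlist[m]
        if s is None:                              # forger asked to sign the embedded message:
            self.aborted = True                    # the guess c was wrong, the simulation fails
            return None
        return s                                   # Rule S(5): sigma <- s; valid since f(s) = r

    def extract(self, m: bytes, sigma: int):
        """Run Vf on the forger's output; a forgery on the embedded query is a preimage of y."""
        r = self.hash(m)                           # Vf hashes m (possibly the (qH+qS+1)-th query)
        if not self.aborted and r == self.y and f(sigma) == self.y:
            return sigma
        return None


def stand_in_forger(hash_oracle, sign_oracle):
    """Stand-in for adversary A. Assumption for the demo: it forges with the trapdoor D,
    which a real forger does not have. It makes 3 hash queries and 1 signing query,
    then forges on the third message (never submitted to the signing oracle)."""
    msgs = [b"m1", b"m2", b"m3"]
    for m in msgs:
        hash_oracle(m)
    sign_oracle(msgs[0])
    target = msgs[2]
    return target, f_inv(hash_oracle(target))


def run_reduction(y: int, c: int):
    """One execution of B with guess c against the stand-in forger."""
    sim = Simulator(y, c)
    m, sigma = stand_in_forger(sim.hash, sim.sign)
    return sim.extract(m, sigma)


def guesses_that_invert(x: int):
    """Run B for every guess c in {1, ..., qH + qS + 1} and report which ones recover x."""
    y = f(x)
    q_total = 3 + 1 + 1                            # qH + qS + 1 for the stand-in forger
    return [c for c in range(1, q_total + 1) if run_reduction(y, c) == x]


def simulated_signature_verifies(m: bytes = b"hello") -> bool:
    """The G5 signing oracle produces signatures that pass Vf without f^-1."""
    sim = Simulator(y=f(12345), c=10 ** 6)         # c out of reach: nothing is embedded
    sigma = sim.sign(m)
    return f(sigma) == sim.hash(m)


if __name__ == "__main__":
    x = 1 + secrets.randbelow(N - 1)
    print("guesses c that recover the preimage:", guesses_that_invert(x))
    print("simulated signature verifies:", simulated_signature_verifies())
```

Only the guess $c = 3$, the index of the forged message's first hash query, returns $x$: the other guesses either abort (the forger asks the signing oracle for the embedded message) or end with a forgery on a hash value whose preimage $B$ already knew.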

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA). Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where
- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: if one can break the scheme in time $t$, then one can invert $f$ within time $t' \leq (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \leq 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \leq 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f = $ RSA:
- 1024 bits $\rightarrow t' \leq 2^{140}$, but NFS takes $2^{80}$
- 2048 bits $\rightarrow t' \leq 2^{143}$, but NFS takes $2^{111}$
- 4096 bits $\rightarrow t' \leq 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \leq 2^{30} \cdot t + 2^{85} \cdot T_f$, and
- 1024 bits $\rightarrow t' \leq 2^{105}$, but NFS takes $2^{80}$
- 2048 bits $\rightarrow t' \leq 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits $\rightarrow t' \leq 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.
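An added calculator (not from the slides) for the interpretation step of the last three slides: it plugs the adversary resources $t$, $q_h$, $q_s$ and the cost model $T_f = k^3$ into $t' \leq (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f)$ and compares $\log_2 t'$ with the NFS cost quoted above for each modulus size. The constant 1 in $T_f = k^3$ is an assumption, and the NFS figures are the ones given on the slides; with them the function reproduces the $2^{140}$, $2^{143}$ and $2^{146}$ figures. The loss factor and the number of $f$-evaluations are parameters, so a different reduction (such as Coron's, with its own loss and evaluation count) can be evaluated with the same function.

```python
import math

# Feasible adversary resources assumed on the slides.
T_ADV, Q_H, Q_S = 2 ** 75, 2 ** 55, 2 ** 30

# log2 of the NFS cost of inverting RSA per modulus size, as quoted on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def tf_rsa(k: int) -> int:
    """Cost of one forward RSA evaluation: Tf = O(k^3); the constant is taken as 1 (assumption)."""
    return k ** 3


def inverter_time(t: int, tf: int, loss: int, f_evals: int) -> int:
    """Running time of the inverter B built from a forger running in time t.
    A loss of `loss` in advantage means B must be repeated about `loss` times to reach
    a constant success probability; each repetition pays `f_evals` evaluations of f on top of t."""
    return loss * (t + f_evals * tf)


def interpret(k: int, loss: int, f_evals: int, t: int = T_ADV):
    """Return (log2 t', useful) for modulus size k: the reduction is only useful when
    t' does not exceed the cost of the best known generic inversion (NFS)."""
    log2_tp = math.log2(inverter_time(t, tf_rsa(k), loss, f_evals))   # math.log2 handles big ints
    return round(log2_tp), log2_tp <= NFS_LOG2[k]


def fdh_br96_table():
    """Bellare-Rogaway FDH bound: loss q_h + q_s + 1, and B performs q_h + q_s evaluations of f."""
    return {k: interpret(k, Q_H + Q_S + 1, Q_H + Q_S) for k in NFS_LOG2}


def smallest_useful_key(table):
    """Smallest modulus size for which the reduction beats NFS, or None."""
    return min((k for k, (_, ok) in table.items() if ok), default=None)


if __name__ == "__main__":
    table = fdh_br96_table()
    for k, (log2_tp, ok) in table.items():
        print(f"{k} bits: t' <= 2^{log2_tp}, NFS takes 2^{NFS_LOG2[k]}: {'ok' if ok else 'no'}")
    print("RSA-FDH useful from", smallest_useful_key(table), "bits")
```

The "ok" column is the practical content of the theorem: a forger is only a real threat to the one-wayness assumption when the inverter it yields is cheaper than the generic attack, which for this reduction happens only at 4096 bits.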

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model
- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between the challenger and the adversary runs as follows.

Challenger: $b \xleftarrow{\$} \{0, 1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is given to the adversary.

Adversary (first phase, CCA1): sends any $c$ and receives $m$ or $\bot$, where $m \leftarrow D_{k_d}(c)$; then outputs $m_0, m_1$.

Challenger: $c^* \leftarrow E_{k_e}(m_b)$ and sends $c^*$.

Adversary (second phase, CCA2): sends any $c \neq c^*$ and receives $m$ or $\bot$, where $m \leftarrow D_{k_d}(c)$; finally outputs $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*) : b' = b\,]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:
- Let $m$ be a random message chosen from the message space $M$.
- From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m \,]$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:
- any trapdoor one-way function may yield a OW-CPA encryption scheme;
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with
- $G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$
- $H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
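An added example (not code from the slides) that puts the IND game, textbook RSA and $f$-OAEP side by side: the game uses the slides' advantage measure $\Pr[b' = b]$; the re-encrypt-and-compare adversary wins it with probability 1 against deterministic textbook RSA (the "not IND-CPA since deterministic" remark above); the OAEP-padded version is randomized, so the same comparison fails, and its decryption rejects a tampered ciphertext through the redundancy check. The padding equations $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$ are the Bellare-Rogaway definition that the slide's figure omits; the toy RSA over two Mersenne primes, the byte sizes $n = 11$, $k_0 = 4$, $k_1 = 3$ and the SHA-256 instantiation of $G$ and $H$ are assumptions for the demo.

```python
import hashlib
import secrets

# Toy trapdoor permutation f = RSA over two Mersenne primes (assumed parameters, NOT secure).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537                       # |N| = 92 bits
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x: int) -> int:
    return pow(x, E, N)


def f_inv(y: int) -> int:
    return pow(y, D, N)


# OAEP sizes in bytes: n = 11 (88 bits, so x||y < N), k0 = 4 bytes of randomness r,
# k1 = 3 bytes of zero redundancy, leaving 4-byte messages. Demo values, not a standard.
N_BYTES, K0, K1 = 11, 4, 3
M_LEN = N_BYTES - K0 - K1


def G(r: bytes) -> bytes:   # {0,1}^k0 -> {0,1}^(n-k0), instantiated with SHA-256 (assumption)
    return hashlib.sha256(b"G" + r).digest()[: N_BYTES - K0]


def H(x: bytes) -> bytes:   # {0,1}^(n-k0) -> {0,1}^k0
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    assert len(m) == M_LEN
    r = secrets.token_bytes(K0) if r is None else r
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))


def oaep_decrypt(c: int):
    """D(c): x || y = f^-1(c), invert the padding, reject unless the k1 zero bytes are intact."""
    v = f_inv(c)
    if v >= 1 << (8 * N_BYTES):             # not an n-bit padded block: reject
        return None
    xy = v.to_bytes(N_BYTES, "big")
    x, y = xy[: N_BYTES - K0], xy[N_BYTES - K0 :]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    if padded[M_LEN:] != bytes(K1):         # redundancy check failed: reject
        return None
    return padded[:M_LEN]


def rsa_encrypt(m: bytes) -> int:
    """Textbook RSA: deterministic, so it cannot be IND-CPA."""
    return f(int.from_bytes(m, "big"))


def ind_cpa_game(enc, adversary, trials: int = 32) -> float:
    """IND-CPA game with the slides' advantage measure Pr[b' = b]. The adversary picks
    (m0, m1), receives c* = E(m_b) and outputs its guess b'; enc plays the role of k_e."""
    wins = 0
    for _ in range(trials):
        m0, m1 = adversary.choose()
        b = secrets.randbelow(2)
        c_star = enc((m0, m1)[b])
        wins += adversary.guess(enc, m0, m1, c_star) == b
    return wins / trials


class ReencryptAdversary:
    """Chooses two distinct messages, re-encrypts m0 with the public key and compares it
    with the challenge: always right against a deterministic scheme."""

    def choose(self):
        return b"\x00" * M_LEN, b"\xff" * M_LEN

    def guess(self, enc, m0, m1, c_star) -> int:
        return 0 if enc(m0) == c_star else 1


def oaep_is_randomized(m: bytes = b"test") -> bool:
    return oaep_encrypt(m) != oaep_encrypt(m)


def oaep_rejects_tampering(m: bytes = b"test") -> bool:
    """Flipping one ciphertext bit scrambles x || y under f^-1 and trips the redundancy check."""
    c = oaep_encrypt(m, r=b"\x01\x02\x03\x04")   # fixed r so the demo is deterministic
    return oaep_decrypt(c ^ 1) is None and oaep_decrypt(c) == m


if __name__ == "__main__":
    print("textbook RSA, Pr[b' = b]:", ind_cpa_game(rsa_encrypt, ReencryptAdversary()))
    print("RSA-OAEP, Pr[b' = b]:", ind_cpa_game(oaep_encrypt, ReencryptAdversary()))
    print("OAEP randomized:", oaep_is_randomized(), "rejects tampering:", oaep_rejects_tampering())
```

Against RSA-OAEP the re-encryption never matches $c^*$, so the adversary's guess is independent of $b$ and its rate hovers around 1/2; the rejection of the modified ciphertext is the behaviour the decryption oracle of the IND-CCA game relies on.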

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \leq 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \leq 2^{76} + 6 \cdot 2^{110} k^2 \leq 2^{113} \cdot k^2$, and
- 1024 bits $\rightarrow t' \leq 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits $\rightarrow t' \leq 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits $\rightarrow t' \leq 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = $ RSA are
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \leq t + q_E \cdot k^2 \leq 2^{75} + 2^{55} \cdot k^2$, and
- 1024 bits $\rightarrow t' \leq 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits $\rightarrow t' \leq 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits $\rightarrow t' \leq 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.

Revisiting the Assumptions

Classical Assumptions:
- Integer Factoring
- Discrete Logarithm (in Finite Fields and in Elliptic Curves)
- Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
- Error-Correcting Codes
- Hash-based schemes
- Systems of Multivariate Equations
- Lattices

Part V: Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:
- Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security
- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
- is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764 received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security. For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption.

This is a reductionist proof.


Proof by Reduction

Let P be a problem.

Let A be an adversary that breaks the scheme.

Then A can be used to solve P:

Instance I of P ⟶ [ New algorithm for P, which runs Adversary A as a subroutine ] ⟶ Solution of I

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.


Provable Security

A misleading name:

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next): the security goal and the attack model

3. A reduction

Complexity-theory vs Exact Security vs Practical

The interpretation of the reduction matters.

Given: $A$ within time $t$, success probability $\varepsilon$
⇒ Build: algorithm against $P$ that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

Complexity theory: $T$ polynomial

Exact security: $T$ explicit

Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given: $A$ within time $t$ and success probability $\varepsilon$
⇒ Build: algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$

Assumption: $P$ is hard = "no polynomial time algorithm"

Reduction: $T$ is polynomial in $t$ and $\varepsilon$

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.


Complexity-theory Security Results

General Results

Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

Exact Security

Given: $A$ which in time $t$ breaks the scheme with probability $\varepsilon$
⇒ Build: algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$

Assumption: Solving $P$ requires $N$ operations (say, time $\tau$)

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes)

Security result: There is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$

Why useful?

From $T(t) \le \tau$ we can get bounds on minimal key sizes under which the scheme is secure.
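A worked instance of this key-size argument, added here and not taken from the slides, using the FDH bound stated later in this tutorial (loss factor $L = q_h + q_s + 1$) together with assumed query and security numbers:

$$
L = \frac{t'/\varepsilon'}{t/\varepsilon}, \qquad t' \approx t, \qquad \varepsilon' \ge \frac{\varepsilon}{L}.
$$

Assume every algorithm against $P$ with running time $t'$ has $\varepsilon' \le t' \cdot 2^{-\lambda}$ (that is, $\tau = 2^{\lambda}$ operations per success). Then for every $A$ against the scheme

$$
\varepsilon \le L\,\varepsilon' \le L\, t'\, 2^{-\lambda} \approx L\, t\, 2^{-\lambda}
\quad\Longrightarrow\quad
\frac{\varepsilon}{t} \le 2^{-(\lambda - \log_2 L)} .
$$

To guarantee $k$-bit security for the scheme ($\varepsilon/t \le 2^{-k}$) one therefore needs $\lambda \ge k + \log_2 L$. With the assumed $q_h = 2^{60}$ hash queries, $q_s = 2^{30}$ signing queries and a target of $k = 128$:

$$
\lambda \ge 128 + \log_2\!\left(2^{60} + 2^{30} + 1\right) \approx 188,
$$

so the trapdoor permutation must be instantiated with about 60 more bits of one-wayness than a tight reduction ($L = 1$) would demand.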


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'\varepsilon}{t\varepsilon'} = \dfrac{t'/\varepsilon'}{t/\varepsilon}$.

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed

2. Attack model: attack venues (what the adversary can and cannot do) and leaked information (what the adversary can learn from honest users, often modeled by oracles)


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$$

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary also can access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (\mathrm{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathrm{K}(\cdot)$. The adversary receives $k_v$ and interacts with a signing oracle holding $k_s$: for each query $m$ it gets back $\sigma \leftarrow \mathrm{Sign}(k_s, m)$, and this exchange ($m \rightarrow$, $\leftarrow \sigma$, $\cdots$) may be repeated. Finally the adversary outputs $(m', \sigma')$.

$$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,]$$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.

The same query asked twice receives the same answer twice.

But for the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


                                                  Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH = (K, S, V) is as follows:

K: Key generation returns $(f, f^{-1})$ where
  Public key: $f: X \to X$, a trapdoor one-way permutation onto $X$
  Private key: $f^{-1}$ (the trapdoor)
  The hash function $H: \{0,1\}^* \to X$ maps onto the full domain $X$ of $f$ (hence the name).

S: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true iff $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction): by the sequence of games on the following slides.


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games (experiments) $G_0, G_1, \ldots, G_5$.
2. All games are defined over the same probability space.
3. The games differ only in the rules by which the adversary's view is computed.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ through all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends its output $(m, \sigma)$ to this oracle.

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$, with $m$ never submitted to the signing oracle, for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below. An initially empty list, H-List, is created at the start of the game.

Hashing oracle $H(q)$:
  If $(q, r) \in$ H-List, return $r$.
  Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$; add the record $(q, r)$ to H-List; return $r$.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$; reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$:
  $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$V_f$ returns true in $G_1$". The simulation is perfect (lazy sampling of a random function), so clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but additionally

- $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$ is chosen at the start, independently of the adversary's view.
- Let $c'$ be the index, among the distinct queries to the hashing oracle, of the first query on the message $m'$ for which $A$ outputs its forgery.
- If $c \neq c'$, abort.

Since verification is performed inside the game, the adversary's output message $m'$ is always queried to the hashing oracle (at the latest by $V_f$), so $c'$ is well defined; at most $q_H + q_S + 1$ distinct hash queries occur ($q_H$ direct, $q_S$ through signing, 1 through verification). Let GoodGuess be the event $c = c'$. Then

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

(with equality, since $c$ is independent of $S_1$).

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now the hashing oracle uses the following rule.

Let $y$ be the one-wayness challenge, $y = f(x)$ for $x \xleftarrow{\$} X$, from which we want to extract the preimage $x$ under $f$.

Rule H(3): if this is the $c$-th (fresh) query, set $r \leftarrow y$; otherwise choose $r \xleftarrow{\$} X$. Add the record $(q, \bot, r)$ to H-List.

Since $f$ is a permutation and $x$ is uniform, $y$ is uniformly distributed in $X$, exactly like the random answer it replaces, so $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which is also used by the signing queries).

Rule H(4):
  If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.
  Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.
  Add the record $(q, s, r)$ to H-List.

Since $y$ is uniform, $f$ is a permutation and $s$ is uniform, $r = f(s)$ is uniform in $X$ and the distribution of the hash answers is unchanged: $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, the preimages of all hash answers are known, so we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List (calling $H(m)$ first if needed) and set $\sigma \leftarrow s$.

When the guess is good, the $c$-th query is the forged message $m'$, which the adversary may not ask to the signing oracle (otherwise $(m', \sigma)$ is not a forgery), so the lookup only returns $s = \bot$ in runs that abort anyway. Hence $\Pr[S_5] = \Pr[S_4]$. Moreover:

- the simulation can be done computing $q_S + q_H$ evaluations of $f$ (one per fresh hash query, including those made through the signing oracle);
- a signature forgery $\sigma$ on $m'$ satisfies $f(\sigma) = H(m') = y$, i.e. it is a preimage of $y$.

Therefore $\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where $B$ (the adversary that runs $G_5$ and outputs $\sigma$) runs in time $t + (q_S + q_H) \cdot T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \Pr[S_1] = \frac{1}{q_H + q_S + 1} \Pr[S_0] = \frac{1}{q_H + q_S + 1} \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, successive games may have different distributions, and these gaps are accounted for in the concrete security bound (for instance through the fundamental lemma of game playing). See [Bellare-Rogaway 2004].
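The random-oracle model, the FDH scheme and the simulator of games G4 and G5 above, as one runnable Python program. This is an added example, not code from the slides or from the Bellare-Rogaway or Pointcheval papers. It assumes a toy RSA permutation over the constructed primes 10007 and 10009 as f (hopelessly small, chosen only so the mechanics are visible), and a hypothetical stand-in forger that is simply handed the trapdoor so that the reduction has a black box to run; the inverter B itself never calls f_inv. Running the reduction with the guess c equal to the index of the forged message's first hash query recovers the preimage x of y; with any other guess B fails, which is the 1/(q_H + q_S + 1) loss of the proof.

```python
import secrets

# Toy trapdoor permutation f = RSA over X = Z_N, with constructed (insecure) primes.
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x):
    """Public direction: forward RSA, cost T_f."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction; only the signer (and the stand-in forger) may use it."""
    return pow(y, D, N)


class RandomOracle:
    """Lazily sampled random function H: {0,1}* -> X (the random-oracle model).
    A fresh query gets a uniformly random answer; a repeated query gets the stored one."""

    def __init__(self):
        self.table = {}

    def __call__(self, m):
        if m not in self.table:
            self.table[m] = secrets.randbelow(N)
        return self.table[m]


# The real FDH scheme (game G0): sigma = f^{-1}(H(m)), verify f(sigma) == H(m).
def fdh_sign(H, m):
    return f_inv(H(m))


def fdh_verify(H, m, sigma):
    return f(sigma) == H(m)


class Inverter:
    """B from games G3-G5: given y = f(x), answers the forger's hash and signing
    queries without f^{-1} and turns a forgery on the c-th hashed message into x."""

    def __init__(self, y, c):
        self.y, self.c = y, c
        self.hlist = {}   # H-List: m -> (s, r) with r = H(m) and s = f^{-1}(r), or None
        self.fresh = 0    # number of distinct hash queries so far (direct, via S, via V_f)

    def H(self, m):
        """Rule H(4): plant y at the c-th fresh query, otherwise r = f(s) for random s."""
        if m not in self.hlist:
            self.fresh += 1
            if self.fresh == self.c:
                self.hlist[m] = (None, self.y)         # H(m) = y, preimage unknown
            else:
                s = secrets.randbelow(N)
                self.hlist[m] = (s, f(s))              # uniform in X because f is a permutation
        return self.hlist[m][1]

    def sign(self, m):
        """Rule S(5): signing by table lookup, no trapdoor needed."""
        self.H(m)
        s, _ = self.hlist[m]
        if s is None:
            # The planted message was submitted for signing, so it cannot be the forged
            # message: the guess c was wrong and the game aborts (GoodGuess fails).
            raise RuntimeError("bad guess: planted message asked to the signing oracle")
        return s

    def extract(self, m, sigma):
        """Verification oracle V_f plus extraction: a valid forgery on the planted message
        satisfies f(sigma) = H(m) = y, i.e. sigma is the wanted preimage x."""
        if f(sigma) != self.H(m) or self.hlist[m][0] is not None:
            return None
        return sigma


def stand_in_forger(H, sign, hashed, signed, target):
    """Hypothetical EUF-CMA adversary used only to exercise the reduction: it is given
    f_inv outright. B sees it as a black box with access to H and the signing oracle."""
    for m in hashed:
        H(m)
    for m in signed:
        assert f(sign(m)) == H(m)   # the simulated signatures verify, as in the real game
    return target, f_inv(H(target))


def run_reduction(c, hashed=(b"a", b"b", b"c"), signed=(b"a",), target=b"c"):
    """One run of B with guess c. Returns (x, recovered); recovered == x exactly when
    c is the index of the forged message's first hash query (3 for the defaults)."""
    x = secrets.randbelow(N)
    B = Inverter(f(x), c)
    try:
        m, sigma = stand_in_forger(B.H, B.sign, hashed, signed, target)
    except RuntimeError:
        return x, None
    return x, B.extract(m, sigma)
```

With the default queries the forged message `b"c"` is the third fresh hash query, so `run_reduction(3)` returns the preimage; `run_reduction(1)` plants y on a message that is later signed and aborts, and `run_reduction(2)` receives a valid forgery on a message whose preimage B already knows, which is worthless to it.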


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible resource bounds for any adversary are:

- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B), \qquad t' = t + (q_h + q_s) \cdot T_f$$

The result now says:

Interpreting the Result: if one can break the scheme in time $t$, then one can invert $f$ within time
$$t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$$
(the factor $q_h + q_s + 1 \approx 2^{55}$ lost in the advantage is charged to the running time: $B$ has to be run about that many times to invert with a success probability comparable to $A$'s; note $(q_h + q_s + 1)(q_h + q_s) \approx 2^{110}$).

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time
$$t' \le 2^{130} + 2^{110} \cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ is the bit length of the RSA modulus $n$ and $e$ is small; the figures below take $T_f = k^3$. (With $e$ small a forward exponentiation is in fact a constant number of $O(k^2)$ modular multiplications, and the following slides use $T_f = k^2$; that only lowers the bounds below by a few bits and does not change the conclusion.)

We compare it with the known cost of inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for $f$ = RSA:

- 1024 bits: $t' \le 2^{140}$, but NFS takes $2^{80}$ (no: the inverter the reduction builds is slower than NFS, so the reduction guarantees nothing)
- 2048 bits: $t' \le 2^{143}$, but NFS takes $2^{111}$ (no)
- 4096 bits: $t' \le 2^{146}$, but NFS takes $2^{149}$ (ok)

$\Rightarrow$ with these bounds, RSA-FDH is provably secure only for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

where $e \approx 2.718$ is the base of the natural logarithm (not the RSA exponent), and $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. The loss no longer depends on $q_h$.

With the same bounds as before ($t \le 2^{75}$, $q_h \le 2^{55}$, $q_s \le 2^{30}$), inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$ (dropping the constant $e$), and, taking $T_f = k^2$ as these figures do:

- 1024 bits: $t' \le 2^{105}$, but NFS takes $2^{80}$ (no)
- 2048 bits: $t' \le 2^{107}$, but NFS takes $2^{111}$ (ok)
- 4096 bits: $t' \le 2^{109}$, but NFS takes $2^{149}$ (ok)

$\Rightarrow$ RSA-FDH is provably secure for keys of at least 2048 bits.
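To redo the arithmetic of the last three slides for arbitrary resource bounds and key sizes, here is an added Python example (not code from the slides). It evaluates, in the log2 domain, the running time of the inverter obtained from the Bellare-Rogaway and Coron reductions, charges the advantage loss to running time exactly as the slides do, and compares against the NFS cost figures quoted on the slides (taken as given, not computed here). It keeps the factor e and the lower-order terms that the slides round away, which puts the Coron figures one to two and a half bits above the slides' values without changing any verdict.

```python
import math

# Adversary resource bounds assumed on the slides, as log2 values.
LOG_T, LOG_QH, LOG_QS = 75, 55, 30

# log2 of the NFS factoring cost per RSA modulus size, as quoted on the slides.
# They are the reference points the reduction is judged against, not computed here.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def log2_sum(*logs):
    """log2(2**a + 2**b + ...) computed stably from the exponents a, b, ..."""
    m = max(logs)
    return m + math.log2(sum(2.0 ** (l - m) for l in logs))


def log2_tf(k, exponent):
    """log2 of T_f for a k-bit modulus, modelling T_f = k**exponent
    (k**3 as on the first interpretation slide, k**2 for forward RSA with small e)."""
    return exponent * math.log2(k)


def bellare_rogaway_time(k, log_t=LOG_T, log_qh=LOG_QH, log_qs=LOG_QS, tf_exponent=3):
    """log2 of t' = (qh + qs + 1) * (t + (qh + qs) * T_f): the advantage loss
    (qh + qs + 1) is charged to the inverter's running time."""
    log_loss = log2_sum(log_qh, log_qs, 0)       # qh + qs + 1
    log_q = log2_sum(log_qh, log_qs)             # qh + qs
    return log_loss + log2_sum(log_t, log_q + log2_tf(k, tf_exponent))


def coron_time(k, log_t=LOG_T, log_qh=LOG_QH, log_qs=LOG_QS, tf_exponent=2):
    """log2 of t' = qs * e * (t + (qh + qs + 1) * T_f), keeping the factor e = 2.718..."""
    log_loss = log_qs + math.log2(math.e)
    log_q = log2_sum(log_qh, log_qs, 0)
    return log_loss + log2_sum(log_t, log_q + log2_tf(k, tf_exponent))


def reduction_is_meaningful(log_tprime, k):
    """The reduction only says something if the inverter it builds is at least as fast
    as the best known attack; otherwise NFS already inverts faster and nothing is proved."""
    return log_tprime <= NFS_LOG2[k]


def smallest_secure_modulus(time_fn):
    """Smallest tabulated key size for which the reduction is meaningful, or None."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(time_fn(k), k):
            return k
    return None


def table(time_fn):
    """(k, log2 t', log2 NFS, verdict) rows, in the layout of the slides."""
    return [(k, round(time_fn(k), 1), NFS_LOG2[k], reduction_is_meaningful(time_fn(k), k))
            for k in sorted(NFS_LOG2)]


if __name__ == "__main__":
    for name, fn in (("Bellare-Rogaway 93/96", bellare_rogaway_time), ("Coron 00", coron_time)):
        print(name)
        for k, lt, nfs, ok in table(fn):
            print(f"  {k:5d} bits: log2 t' = {lt:6.1f}  NFS = 2^{nfs}  {'ok' if ok else 'no'}")
        print("  smallest provably secure modulus:", smallest_secure_modulus(fn))
```

The same functions accept other resource bounds (for instance a smaller $q_h$ for an offline-only attacker) or a different `tf_exponent`, which is the quickest way to see how sensitive the "secure for keys of at least ..." conclusion is to the modelling choices.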


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext; in the public-key setting an unbounded adversary holding the public key can recover the plaintext outright.

Goal: Indistinguishability (Semantic Security). Informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he holds the encryption key, so this comes for free).

Chosen-Ciphertext Attack (CCA, or CCA2 when decryption queries may continue adaptively after the challenge): the adversary also has access to a decryption oracle which decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

CCA2 is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary.
2. Adversary (first phase, CCA1 and CCA2): may submit ciphertexts $c$ and receive $m \leftarrow D_{k_d}(c)$ (or $\bot$ if $c$ is invalid).
3. Adversary: outputs two distinct messages $m_0, m_1$ of the same length.
4. Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$.
5. Adversary (second phase, CCA2 only): may submit ciphertexts $c \neq c^*$ and receive $m \leftarrow D_{k_d}(c)$ or $\bot$.
6. Adversary: outputs a guess $b'$.

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*) : b' = b\big]$$

(Indistinguishability against chosen-ciphertext attacks. The slide measures the probability of a correct guess; the advantage is usually normalized as $2\Pr[b' = b] - 1$, so that an adversary who guesses at random has advantage 0.)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let $m$ be a random message chosen from the message space $M$.
- From the ciphertext $c = E_{k_e}(m)$ (and the public key $k_e$), the adversary $A$ must recover $m$.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly we measure the advantage of $A$ as

$$\mathrm{Adv}^{\text{ow-cpa}}_{\mathrm{AS}}(A) = \Pr\big[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\big]$$

Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA $\Leftrightarrow$ RSA assumption (computing modular $e$-th roots is hard).
  It is not IND-CPA (hence not IND-CCA) since it is deterministic: the adversary re-encrypts $m_0$ under $k_e$ and compares with $c^*$.

Discrete-log based: ElGamal [ElGamal 84]
  OW-CPA $\Leftrightarrow$ CDH (Computational Diffie-Hellman)
  IND-CPA $\Leftrightarrow$ DDH (Decisional Diffie-Hellman)
  It is not IND-CCA because of its multiplicativity: from $c^* = (g^r, m_b \cdot h^r)$ the adversary asks for the decryption of $(g^r, 2 \cdot m_b \cdot h^r) \neq c^*$ and obtains $2 \cdot m_b$.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog: an algorithm for DLog solves CDH, and an algorithm for CDH solves DDH).
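The IND-CCA2 experiment of the previous slides as a runnable harness, together with the two attacks just mentioned: the re-encryption distinguisher against textbook RSA (it never touches the decryption oracle, so it already breaks IND-CPA) and the malleability attack against ElGamal (one decryption query on a ciphertext different from the challenge). This is an added example, not from the slides; it uses constructed toy parameters (RSA primes 10007 and 10009; ElGamal over the prime field p = 10007 with base g = 5, which need not generate the whole group for the attack to work), far too small for real use but enough to show both adversaries winning every run, i.e. advantage 1.

```python
import secrets

# ---- Toy textbook RSA (deterministic) over constructed primes ----
RSA_P, RSA_Q, RSA_E = 10007, 10009, 65537


def rsa_keygen():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), (n, d)


def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)


def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)


# ---- Toy ElGamal over Z_p^*, constructed parameters ----
EG_P, EG_G = 10007, 5


def eg_keygen():
    x = 1 + secrets.randbelow(EG_P - 2)
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x


def eg_enc(pk, m):
    p, g, h = pk
    r = 1 + secrets.randbelow(p - 2)
    return pow(g, r, p), (m * pow(h, r, p)) % p


def eg_dec(sk, c):
    c1, c2 = c
    return (c2 * pow(pow(c1, sk, EG_P), -1, EG_P)) % EG_P


# ---- The IND-CCA2 experiment from the slide ----
def ind_cca2_game(keygen, enc, dec, adversary):
    """One run of the game. `adversary(pk, dec_oracle)` returns ((m0, m1), finish) and
    `finish(c_star, dec_oracle)` returns the guess b'. The oracle answers None (⊥) on
    the challenge ciphertext itself, as the definition requires, and decrypts anything else."""
    pk, sk = keygen()
    b = secrets.randbits(1)
    challenge = [None]

    def dec_oracle(c):
        if challenge[0] is not None and c == challenge[0]:
            return None
        return dec(sk, c)

    (m0, m1), finish = adversary(pk, dec_oracle)
    challenge[0] = enc(pk, m1 if b else m0)
    return finish(challenge[0], dec_oracle) == b


def advantage(keygen, enc, dec, adversary, trials=64):
    """Empirical 2 * Pr[b' = b] - 1 over independent runs of the game."""
    wins = sum(ind_cca2_game(keygen, enc, dec, adversary) for _ in range(trials))
    return 2 * wins / trials - 1


def rsa_reencryption_adversary(pk, dec_oracle):
    """IND-CPA break of textbook RSA: encryption is deterministic, so re-encrypting
    m1 and comparing with c* reveals b. The decryption oracle is never used."""
    m0, m1 = 2, 3
    return (m0, m1), lambda c_star, _: int(c_star == rsa_enc(pk, m1))


def elgamal_malleability_adversary(pk, dec_oracle):
    """IND-CCA2 break of ElGamal: doubling the second component gives a valid ciphertext
    of 2*m_b that differs from c*, so the oracle is obliged to decrypt it."""
    p = pk[0]
    m0, m1 = 2, 3

    def finish(c_star, oracle):
        c1, c2 = c_star
        two_mb = oracle((c1, (2 * c2) % p))       # not the challenge, so it is answered
        mb = (two_mb * pow(2, -1, p)) % p
        return int(mb == m1)

    return (m0, m1), finish


def guessing_adversary(pk, dec_oracle):
    """Baseline: a uniformly random guess has expected advantage 0."""
    return (2, 3), lambda c_star, _: secrets.randbits(1)
```

The harness is scheme-agnostic: plugging in a scheme that rejects mauled ciphertexts (such as the OAEP construction later in the section) makes the ElGamal-style attack fail because the oracle returns ⊥ instead of a related plaintext.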


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

- Any trapdoor one-way function yields a OW-CPA encryption scheme (encrypt $m$ as $f(m)$).
- OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation on $\{0,1\}^n$, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with random oracles

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$
$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): for a message $m \in \{0,1\}^{n-k_0-k_1}$ and random $r \xleftarrow{\$} \{0,1\}^{k_0}$, compute $x \leftarrow (m \| 0^{k_1}) \oplus G(r)$ and $y \leftarrow r \oplus H(x)$, then return $c = f(x \| y)$.

D(c): compute $x \| y = f^{-1}(c)$, invert OAEP ($r \leftarrow y \oplus H(x)$, $m \| z \leftarrow x \oplus G(r)$), then check the redundancy: return $m$ if $z = 0^{k_1}$, otherwise $\bot$.
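The f-OAEP transform above as a runnable Python example (added here; not the slides' own code and not a PKCS#1 implementation). It stands in for the random oracles G and H with SHA-256 truncated to the required lengths, and for f with a toy RSA permutation over the constructed primes 10007 and 10009, so that n = 26, k0 = 8, k1 = 12 and messages are 6 bits; these sizes are chosen only so the bit arithmetic is visible, not for security. Decryption returns None (⊥) when the k1 redundancy bits do not check, which is what defeats the kind of ciphertext manipulation that breaks textbook RSA and ElGamal.

```python
import hashlib

# Constructed toy parameters: n > k0 + k1, f = RSA on n-bit inputs (N is 27 bits).
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
n, k0, k1 = 26, 8, 12
MSG_BITS = n - k0 - k1           # 6-bit messages
assert n < N.bit_length()        # every n-bit string is an element of Z_N


def _oracle(label, value, in_bits, out_bits):
    """Random-oracle stand-in: SHA-256 of (label || value) truncated to out_bits."""
    data = label + value.to_bytes((in_bits + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << out_bits) - 1)


def G(r):          # G: {0,1}^k0 -> {0,1}^(n-k0)
    return _oracle(b"G", r, k0, n - k0)


def H(x):          # H: {0,1}^(n-k0) -> {0,1}^k0
    return _oracle(b"H", x, n - k0, k0)


def f(v):
    return pow(v, E, N)


def f_inv(c):
    return pow(c, D, N)


def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r); y = r xor H(x); returns the n-bit value x || y."""
    assert 0 <= m < (1 << MSG_BITS) and 0 <= r < (1 << k0)
    x = (m << k1) ^ G(r)
    y = r ^ H(x)
    return (x << k0) | y


def oaep_unpad(xy):
    """Inverts the transform and checks the k1 zero bits; None (⊥) on failure."""
    if not 0 <= xy < (1 << n):
        return None                      # f^{-1}(c) is not an n-bit string
    x, y = xy >> k0, xy & ((1 << k0) - 1)
    r = y ^ H(x)
    mz = x ^ G(r)
    m, z = mz >> k1, mz & ((1 << k1) - 1)
    return m if z == 0 else None


def encrypt(m, r):
    return f(oaep_pad(m, r))


def decrypt(c):
    return oaep_unpad(f_inv(c))


def mauled_ciphertext_accepted(m, r):
    """ElGamal-style attack transplanted to RSA-OAEP: c' = c * f(2) mod N decrypts under
    f to 2*(x||y) mod N, which the redundancy check rejects except with probability
    about 2^-k1. Returns True only if the mauled ciphertext is accepted."""
    c = encrypt(m, r)
    return decrypt((c * f(2)) % N) is not None
```

Because the redundancy check only has k1 bits, a mauled ciphertext still slips through with probability about $2^{-k_1}$; real deployments use a k1 of at least a hash length, which is why the toy parameters here are illustrative only.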


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^ind-cca_RSA-OAEP(A) ≤ 2 · √(Adv^rsa_{n,e}(B))

where B runs in time t′ = 2·t + qH·(2·qG + qH)·k² if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting f) can be done in time t′ ≤ 2^76 + 6·2^110·k² ≤ 2^113·k², and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no

2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no

4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits: not tight



Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE·k² ≤ 2^75 + 2^55·k², and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more
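The key-size arithmetic of the RSA-OAEP and RSA-OAEP++ slides, carried out in code as an added example (not code from the slides or from the cited papers): it plugs the slides' adversary budget (t = 2^75, qH = qG = qE = 2^55) into the two reduction formulas stated above, compares the inverter's time t′ with the NFS costs the slides quote, and also evaluates the tightness gap (t′/ε′)/(t/ε) of the "Measuring the Quality of the Reduction" slide for both paddings. The square-root loss ε′ ≥ (ε/2)² is read off the 2·√ bound; everything else is the slides' numbers.

```python
"""Exact-security key-size check for RSA-OAEP and RSA-OAEP++.

Added example, not code from the slides.  The adversary budget, the two
reduction cost formulas and the NFS costs are the values the slides state;
integers are exact, only the log2 is rounded for display.
"""
from math import log2
from typing import Callable, Dict, Optional, Tuple

T_ADV = 2 ** 75                  # adversary running time t (slides)
Q_H = Q_G = Q_E = 2 ** 55        # hash / ideal-cipher query budgets (slides)
# NFS factoring cost per modulus size k in bits, as quoted on the slides
NFS_COST = {1024: 2 ** 80, 2048: 2 ** 111, 4096: 2 ** 149}


def oaep_reduction_time(t: int, q_h: int, q_g: int, k: int) -> int:
    """Inverter time for RSA-OAEP: t' = 2t + q_H (2 q_G + q_H) k^2  [Fujisaki-OPS 00]."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k


def oaep_pp_reduction_time(t: int, q_e: int, k: int) -> int:
    """Inverter time for RSA-OAEP++: t' = t + q_E k^2  [Jonsson 02]."""
    return t + q_e * k * k


def oaep_success_loss(eps: float) -> float:
    """Adv^ind-cca(A) <= 2 sqrt(Adv^rsa(B)) means B succeeds with eps' >= (eps/2)^2."""
    return (eps / 2) ** 2


def tightness_gap(t_adv: int, eps_adv: float, t_red: int, eps_red: float) -> float:
    """(t'/eps') / (t/eps): the tightness gap; 1 means a tight reduction."""
    return (t_red / eps_red) / (t_adv / eps_adv)


def key_size_table(reduction: Callable[[int], int]) -> Dict[int, Tuple[float, float, bool]]:
    """Map modulus size k -> (log2 t', log2 NFS cost, reduction meaningful?).

    The reduction only says something if inverting RSA in time t' would beat
    the best known factoring algorithm, i.e. t' < NFS cost; otherwise the
    proof gives no guarantee for that key size (the slides' "no").
    """
    table = {}
    for k, nfs in NFS_COST.items():
        t_red = reduction(k)
        table[k] = (round(log2(t_red), 2), log2(nfs), t_red < nfs)
    return table


def oaep_table() -> Dict[int, Tuple[float, float, bool]]:
    return key_size_table(lambda k: oaep_reduction_time(T_ADV, Q_H, Q_G, k))


def oaep_pp_table() -> Dict[int, Tuple[float, float, bool]]:
    return key_size_table(lambda k: oaep_pp_reduction_time(T_ADV, Q_E, k))


def smallest_safe_modulus(table: Dict[int, Tuple[float, float, bool]]) -> Optional[int]:
    """Smallest k for which the reduction is meaningful (the slides' conclusion)."""
    safe = [k for k, (_, _, ok) in sorted(table.items()) if ok]
    return safe[0] if safe else None


if __name__ == "__main__":
    for name, table in (("RSA-OAEP", oaep_table()), ("RSA-OAEP++", oaep_pp_table())):
        print(name)
        for k, (lt, ln, ok) in table.items():
            print(f"  {k:5d} bits: log2 t' = {lt:7.2f}, log2 NFS = {ln:3.0f} -> "
                  f"{'ok' if ok else 'no'}")
        print("  smallest meaningful modulus:", smallest_safe_modulus(table))
    # OAEP loses a square root in probability and a q_H q_G k^2 factor in time;
    # OAEP++ is essentially linear (eps' ~ eps), so only the t'/t factor remains.
    k = 4096
    gap_oaep = tightness_gap(T_ADV, 1.0, oaep_reduction_time(T_ADV, Q_H, Q_G, k),
                             oaep_success_loss(1.0))
    gap_pp = tightness_gap(T_ADV, 1.0, oaep_pp_reduction_time(T_ADV, Q_E, k), 1.0)
    print(f"tightness gap at k={k}, eps=1: OAEP 2^{log2(gap_oaep):.2f}, "
          f"OAEP++ 2^{log2(gap_pp):.2f}")
```

Because t′ is computed exactly, the log2 values land a little below the rounded upper bounds the slides print (for instance 2^131.58 rather than 2^133 at 1024 bits), but the ok/no verdict per key size is the same.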


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

                                                  Concluding Remarks

                                                  Part V

                                                  Concluding Remarks



Limits and Benefits of Provable Security

Provable security does not yield proofs

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11]

Definitions (models) need time for review and acceptance

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now (model, attacks, remodel)? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security)

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

                                                  Part VI

                                                  References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACMTISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin – Heidelberg – New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

But are algorithmic assumptions sufficient?

We want the guarantee that an assumption is enough for security.

For example, in the case of encryption:

IF an adversary can break the secrecy ⇒ THEN we can break the assumption

This is a reductionist proof.

Proof by Reduction

Let P be a problem.

Let A be an adversary that breaks the scheme.

Then A can be used to solve P:

Instance I of P ⟶ [ New algorithm for P, running Adversary A ] ⟶ Solution of I

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.


Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive)

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next)

Security goal / Attack model

3. A reduction

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given A, within time t and success probability ε ⇒ Build an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given A, within time t and success probability ε ⇒ Build an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough

Not always meaningful, as when analyzing block ciphers


Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but

the schemes for which these results were originally obtained are rather inefficient

looking into the complexity of the reduction may give us some insight

Exact Security

Given A, which in time t breaks the scheme with probability ε ⇒ Build an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: Solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: There is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′ε)/(tε′) = (t′/ε′)/(t/ε).

We want tight reductions, or at least reductions with a small tightness gap.


                                                    Security Notions

                                                    Part IV

                                                    Security Notions



Security Notions: Examples

Problem

Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= opposite to the adversary's goal)

Property that needs to be guaranteed

2. Attack model

Attack venues: what the adversary can and cannot do. Leaked information: what the adversary can learn from honest users (often modeled by oracles)



Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m′, σ′) of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]

                                                    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which he sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

(k_v, k_s) ←$ K(·)
The Adversary receives k_v; the Signing Oracle receives k_s.
The Adversary repeatedly sends a message m to the Signing Oracle and receives σ ← Sign(k_s, m).
Finally the Adversary outputs (m', σ').

Adv^{euf-cma}_Σ(A) = Pr[ Vf(k_v, m', σ') = 1 for new m' ]

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,
block ciphers,
finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models:

Hash function → Random oracle
Block ciphers → Ideal cipher
Finite groups → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).

The same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns (f, f^{-1}) where the public key is f: X → X, a trapdoor one-way permutation onto X, and the private key is f^{-1}.

S: Signature of m returns σ ← f^{-1}(H(m)).

V: Verification of (m, σ) returns true if f(σ) = H(m).

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_FDH(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games (or experiments).

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^{euf-cma}_FDH(A) = Pr[ S0 ].

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
Create an initially empty list called H-List.
If (q, r) ∈ H-List, return r.
Otherwise reply using Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
r ← H(m). Reply using Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ):
r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ].

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

c ←$ {1, ..., q_H + q_S + 1}

Let c' = index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
         = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
         ≥ Pr[ S1 ] × 1/(q_H + q_S + 1)

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, Pr[ S3 ] = Pr[ S2 ].


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
If this is the c-th query, set r ← y and s ← ⊥.
Otherwise choose random s ←$ X and compute r ← f(s).
Add the record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, Pr[ S4 ] = Pr[ S3 ].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the message of the c-th query cannot be asked to the signing oracle (a forgery on it would not be on a new message), Pr[ S5 ] = Pr[ S4 ]. Moreover:

the simulation can be done computing (q_S + q_H) evaluations of f;

a signature forgery for y gives a preimage for y.

Pr[ S5 ] = Adv^{ow}_f(B)

where B = G5 runs in time t + (q_S + q_H) · T_f.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

Adv^{ow}_f(B) = Pr[ S5 ] = Pr[ S4 ] = Pr[ S3 ] = Pr[ S2 ]
              ≥ 1/(q_H + q_S + 1) × Pr[ S1 ]
              ≥ 1/(q_H + q_S + 1) × Pr[ S0 ]
              = 1/(q_H + q_S + 1) × Adv^{euf-cma}_FDH(A)

Game-playing proofs: in general games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
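To make the G5 simulator concrete, the following Python sketch is an added example (not code from the slides, nor from Bellare-Rogaway or Pointcheval): it implements the inverter B for RSA-FDH with H-List programming (Rule H(4): r = f(s) with s remembered, the challenge y in slot c), signing from stored preimages (Rule S(5)), and extraction of a preimage of y from a forgery. The RSA parameters, message names and the forger are constructed toy values; the forger cheats with the trapdoor as a stand-in for an arbitrary successful adversary, so the 1/(q_H + q_S + 1) loss of the reduction can be observed empirically.

```python
import random

# Toy RSA trapdoor permutation over X = Z_N (constructed, insecure size,
# chosen only so the reduction can be run by hand): p = 61, q = 53.
N, E, D = 3233, 17, 2753  # E*D = 1 mod lcm(60, 52) = 780, so f_inv undoes f

def f(x):
    """Public direction of the trapdoor permutation (RSA forward)."""
    return pow(x, E, N)

def f_inv(y):
    """Private direction, the trapdoor; only the real signer has it."""
    return pow(y, D, N)

class RandomOracle:
    """Lazily sampled H: {0,1}* -> X (Rule H(1)): a fresh query gets r <-$ X,
    a repeated query gets the same r. This is the honest G0/G1 oracle."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}
    def __call__(self, m):
        if m not in self.table:
            self.table[m] = self.rng.randrange(N)
        return self.table[m]

def fdh_sign(H, m):
    return f_inv(H(m))            # S: sigma <- f^{-1}(H(m))

def fdh_verify(H, m, sigma):
    return f(sigma) == H(m)       # V: true iff f(sigma) = H(m)

class ReductionB:
    """Inverter B of game G5: given challenge y it simulates H and the signing
    oracle for A without f_inv, and turns a forgery on the c-th hashed
    message into a preimage of y."""
    def __init__(self, y, q_h, q_s, rng=None):
        self.y, self.rng = y, rng or random.Random()
        self.c = self.rng.randrange(1, q_h + q_s + 2)  # c <-$ {1..q_H+q_S+1}
        self.fresh = 0       # number of distinct hash queries so far
        self.hlist = {}      # H-List: m -> (s, r) with r = f(s), or (None, y)
        self.aborted = False

    def H(self, m):
        if m not in self.hlist:
            self.fresh += 1
            if self.fresh == self.c:
                self.hlist[m] = (None, self.y)   # Rule H(4): embed challenge
            else:
                s = self.rng.randrange(N)        # s <-$ X, r <- f(s)
                self.hlist[m] = (s, f(s))        # preimage s is remembered
        return self.hlist[m][1]

    def sign(self, m):
        self.H(m)
        s, _ = self.hlist[m]
        if s is None:            # programmed message cannot be signed:
            self.aborted = True  # the guess of c was wrong, the game aborts
            return None
        return s                 # Rule S(5): sigma <- s, no f_inv needed

    def extract(self, m, sigma):
        """Preimage of y if the valid forgery (m, sigma) hits the c-th query
        (GoodGuess), else None."""
        if self.aborted or sigma is None or f(sigma) != self.H(m):
            return None
        s, _ = self.hlist[m]
        return sigma if s is None else None   # s is None  <=>  H(m) = y

def trapdoor_forger(H, sign):
    """Stand-in for an arbitrary successful EUF-CMA adversary A: it cheats
    with f_inv (B neither knows nor cares how A forges). q_h = 3, q_s = 2;
    the forgery is on the 3rd hashed message, which is never signed."""
    msgs = [b"m1", b"m2", b"m3"]
    for m in msgs:
        H(m)
    for m in msgs[:2]:
        sign(m)
    return msgs[2], f_inv(H(msgs[2]))

def run_reduction(seed, q_h=3, q_s=2):
    """One run of B against the forger on a random challenge y.
    Returns (y, preimage); preimage is None unless GoodGuess held."""
    rng = random.Random(seed)
    y = rng.randrange(N)
    B = ReductionB(y, q_h, q_s, rng)
    m, sigma = trapdoor_forger(B.H, B.sign)
    return y, B.extract(m, sigma)

def success_rate(trials, q_h=3, q_s=2):
    """Fraction of runs in which B inverts y: about 1/(q_h + q_s + 1) times
    the forger's success probability (here 1), as the theorem predicts."""
    hits = 0
    for seed in range(trials):
        y, x = run_reduction(seed, q_h, q_s)
        if x is not None:
            assert f(x) == y     # every reported preimage really inverts y
            hits += 1
    return hits / trials
```

With the forger above, c is uniform in {1, ..., 6} and B succeeds exactly when c = 3, so success_rate(3000) comes out close to 1/6.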


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_FDH(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are

at most 2^75 operations (t),

at most 2^55 hash queries (q_h), and

at most 2^30 signing queries (q_s).

Adv^{euf-cma}_FDH(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

B runs in time t' = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time t' ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' ≤ 2^130 + 2^110 · T_f

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with the known bounds on inverting RSA (namely, factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → t' ≤ 2^140, but NFS takes 2^80

2048 bits → t' ≤ 2^143, but NFS takes 2^111

4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^{euf-cma}_FDH(A) ≤ q_s · e · Adv^{ow}_f(B)

where B runs in time t' = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · T_f, and

1024 bits → t' ≤ 2^105, but NFS takes 2^80

2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

CCA2 is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: b ←$ {0,1}; (k_e, k_d) ←$ K(·); k_e is given to the adversary.

Adversary (CCA1 phase): sends decryption queries c and receives m ← D_{k_d}(c) or ⊥.

Adversary → Challenger: m_0, m_1

Challenger → Adversary: c* ← E_{k_e}(m_b)

Adversary (CCA2 phase): sends decryption queries c ≠ c* and receives m ← D_{k_d}(c) or ⊥.

Adversary: outputs b′.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' = b\,\big]$$

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_{k_e}(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) \;:\; A(k_e, c) = m \,\big]$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

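As an added illustration of the IND-CCA game of the previous slides and of the two schemes listed here (this is example code, not the tutorial's; the toy primes, the generator and the adversary names are my own choices), the harness below runs the IND-CPA/IND-CCA2 game against textbook RSA and textbook ElGamal. A determinism test wins the CPA game against RSA, and a decryption query on a related ciphertext, permitted because it differs from c*, wins the CCA2 game against ElGamal; the same ElGamal adversary cannot even be run in the CPA game.

```python
import secrets

# Added toy harness for the IND-CPA / IND-CCA2 game of the previous slides
# (not the tutorial's code). The two textbook schemes are the ones the slides
# describe as OW-CPA only; the adversaries below are the classic reasons why.

# --- textbook RSA: deterministic, so not IND-CPA --------------------------
RSA_P, RSA_Q = 2305843009213693951, 2147483647   # 2^61-1 and 2^31-1, both prime
RSA_E = 65537

def rsa_keygen():
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), d

def rsa_enc(pk, m):
    return pow(m, pk[1], pk[0])

def rsa_dec(pk, sk, c):
    return pow(c, sk, pk[0])

# --- textbook ElGamal in Z_p^*: randomized (IND-CPA under DDH) but malleable
EG_P, EG_G = 2147483647, 7      # p = 2^31-1 is prime; 7 generates Z_p^*

def eg_keygen():
    x = secrets.randbelow(EG_P - 2) + 1
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x

def eg_enc(pk, m):
    p, g, h = pk
    r = secrets.randbelow(p - 2) + 1
    return (pow(g, r, p), m * pow(h, r, p) % p)

def eg_dec(pk, sk, c):
    p, (c1, c2) = pk[0], c
    return c2 * pow(c1, p - 1 - sk, p) % p     # c2 / c1^x

# --- the game ----------------------------------------------------------------
def ind_game(keygen, enc, dec, adversary, cca2=True, b=None):
    """One run of the IND-CCA2 game (IND-CPA when cca2=False).
    Returns True iff the adversary's guess b' equals the hidden bit b."""
    pk, sk = keygen()
    if b is None:
        b = secrets.randbits(1)
    state = {"c_star": None}

    def dec_oracle(c):
        if not cca2:
            raise PermissionError("no decryption oracle in the CPA game")
        if c == state["c_star"]:
            return None                     # bottom: the challenge is excluded
        return dec(pk, sk, c)

    m0, m1 = adversary.choose(pk, dec_oracle)          # CCA1 phase inside
    state["c_star"] = enc(pk, m1 if b else m0)         # challenge c* = E(m_b)
    return adversary.guess(pk, state["c_star"], dec_oracle) == b   # CCA2 phase

class RsaDeterminismAdversary:
    """Wins IND-CPA against textbook RSA: re-encrypt m_1 and compare with c*."""
    def choose(self, pk, dec_oracle):
        return 2, 3
    def guess(self, pk, c_star, dec_oracle):
        return 1 if rsa_enc(pk, 3) == c_star else 0

class ElGamalMalleabilityAdversary:
    """Wins IND-CCA2 against ElGamal: (c1, 2*c2) is a valid ciphertext of
    2*m_b and differs from c*, so the oracle answers it."""
    def choose(self, pk, dec_oracle):
        return 5, 11
    def guess(self, pk, c_star, dec_oracle):
        p, (c1, c2) = pk[0], c_star
        two_mb = dec_oracle((c1, 2 * c2 % p))
        return 1 if two_mb * pow(2, p - 2, p) % p == 11 else 0

def win_rate(keygen, enc, dec, adversary, cca2, trials):
    """Fraction of games won over `trials` runs with a fresh random bit each."""
    return sum(ind_game(keygen, enc, dec, adversary, cca2) for _ in range(trials)) / trials

def malleability_needs_oracle():
    """The ElGamal adversary cannot be run in the CPA game at all: its
    decryption query is refused, which is the gap between IND-CPA and IND-CCA."""
    try:
        ind_game(eg_keygen, eg_enc, eg_dec, ElGamalMalleabilityAdversary(), cca2=False)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print("RSA, IND-CPA game, determinism adversary wins:",
          win_rate(rsa_keygen, rsa_enc, rsa_dec, RsaDeterminismAdversary(), False, 50))
    print("ElGamal, IND-CCA2 game, malleability adversary wins:",
          win_rate(eg_keygen, eg_enc, eg_dec, ElGamalMalleabilityAdversary(), True, 50))
```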

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^{k0} → {0,1}^{n−k0}
H: {0,1}^{n−k0} → {0,1}^{k0}

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute x || y = f^{−1}(c), invert OAEP, then check the redundancy.

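An added worked example of the f-OAEP transform above (example code, not the tutorial's): the x, y computation follows the Bellare-Rogaway construction, x = (m || 0^{k1}) ⊕ G(r) and y = r ⊕ H(x). G and H are built from SHA-256, f is a toy RSA permutation on two fixed primes, and the sizes k0 = k1 = 24 are tiny toy values; all of these are my assumptions, not values from the slides. The redundancy check is what lets D return ⊥ on a ciphertext that was not produced by E.

```python
import hashlib
import secrets

# f-OAEP over a toy RSA permutation, added as an illustration of the slide's
# E(m, r) / D(c) (not the tutorial's code). Assumed construction (Bellare-Rogaway):
#     x = (m || 0^k1) xor G(r),   y = r xor H(x),   c = f(x || y).
# G and H are SHA-256 based stand-ins for random oracles (an assumption).

RSA_P, RSA_Q = 2305843009213693951, 2147483647   # 2^61-1 and 2^31-1, both prime
RSA_E = 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

N_BITS = RSA_N.bit_length() - 1   # n: every n-bit string is below the modulus
K0, K1 = 24, 24                   # seed and redundancy lengths, n > k0 + k1
M_BITS = N_BITS - K0 - K1         # message bits carried by one ciphertext

def _expand(label, value, in_bits, out_bits):
    """Hash an in_bits-bit integer to an out_bits-bit integer (random-oracle stand-in)."""
    data = value.to_bytes((in_bits + 7) // 8, "big")
    out, counter = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + counter.to_bytes(4, "big") + data).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)

def G(r):            # {0,1}^k0 -> {0,1}^(n-k0)
    return _expand(b"G", r, K0, N_BITS - K0)

def H(x):            # {0,1}^(n-k0) -> {0,1}^k0
    return _expand(b"H", x, N_BITS - K0, K0)

def f(s):            # the trapdoor permutation: RSA forward direction
    return pow(s, RSA_E, RSA_N)

def f_inv(c):        # f^{-1}, needs the trapdoor d
    return pow(c, RSA_D, RSA_N)

def oaep_encrypt(m, r=None):
    """E(m, r): pad m with k1 zero bits, mask with G(r), mask r with H(x), apply f."""
    if not 0 <= m < (1 << M_BITS):
        raise ValueError("message too long for this modulus")
    if r is None:
        r = secrets.randbits(K0)            # fresh randomness per encryption
    x = (m << K1) ^ G(r)                    # (m || 0^k1) xor G(r)
    y = r ^ H(x)                            # r xor H(x)
    return f((x << K0) | y)                 # c = f(x || y)

def oaep_decrypt(c):
    """D(c): invert f, undo the two masks, then check the k1-bit redundancy.
    Returns the message, or None (bottom) if the check fails."""
    s = f_inv(c)
    if s >> N_BITS:                         # not an n-bit string: reject
        return None
    x, y = s >> K0, s & ((1 << K0) - 1)
    r = y ^ H(x)                            # recover the seed
    z = x ^ G(r)                            # m || 0^k1 if c was honestly made
    if z & ((1 << K1) - 1):                 # redundancy 0^k1 must be intact
        return None
    return z >> K1

def rejected_when_tampered(c, trials=16):
    """Count how many of `trials` RSA-homomorphically related ciphertexts
    c * f(a) (valid RSA inputs, but not outputs of E) fail the redundancy check."""
    rejected = 0
    for a in range(2, 2 + trials):
        if oaep_decrypt(c * f(a) % RSA_N) is None:
            rejected += 1
    return rejected

if __name__ == "__main__":
    c = oaep_encrypt(0x1234)
    print("round trip:", hex(oaep_decrypt(c)))
    print("tampered ciphertexts rejected:", rejected_when_tampered(c), "of 16")
```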

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time t′ = 2·t + q_H·(2·q_G + q_H)·k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t′ ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80 (no)
2048 bits → t′ ≤ 2^135, but NFS takes 2^111 (no)
4096 bits → t′ ≤ 2^137, but NFS takes 2^149 (ok)

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t)
at most 2^55 hash queries (q_H, q_G) and ideal-cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + q_E·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80 (ok)
2048 bits → t′ ≤ 2^78, but NFS takes 2^111 (ok)
4096 bits → t′ ≤ 2^80, but NFS takes 2^149 (ok)

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
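An added worked example (not the tutorial's code) that redoes the key-size arithmetic of the RSA-FDH, RSA-OAEP and RSA-OAEP++ slides in one place, under the feasibility assumptions those slides state (t ≤ 2^75, q_s ≤ 2^30, q_h, q_H, q_G, q_E ≤ 2^55, and T_f ≈ k^2 for small e). The NFS costs are the figures quoted on the slides, and the constant 6 in the OAEP bound is taken from the slide as given; each function returns the time t′ the reduction says suffices to invert k-bit RSA, and the verdict compares it with NFS.

```python
import math

# Added worked example (not the tutorial's code): the key-size arithmetic of
# the RSA-FDH, RSA-OAEP and RSA-OAEP++ slides in one place. Each invert_time_*
# function returns the time t' in which, according to the reduction, k-bit RSA
# can be inverted if the scheme can be broken, under the slides' assumptions:
#   t <= 2^75 adversary operations, q_s <= 2^30 signing queries,
#   q_h, q_H, q_G, q_E <= 2^55 oracle queries, one RSA evaluation T_f ~ k^2.
# The NFS costs are the figures quoted on the slides, not computed here.

T_ADV = 2 ** 75            # t
Q_SIGN = 2 ** 30           # q_s
Q_ORACLE = 2 ** 55         # q_h, q_H, q_G, q_E
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}   # log2 of NFS cost, from the slides

def t_f(k):
    """Cost of one evaluation of f = RSA with small e, about k^2 operations."""
    return k * k

def invert_time_fdh_coron(k):
    """[Coron 2000]: Adv^euf-cma <= q_s * e * Adv^ow(B) with B running in
    t + (q_h + q_s + 1) * T_f. Scaling B's time by the loss factor q_s gives
    the slide's 2^30 * t + 2^85 * T_f (the constant e is dropped, as there)."""
    return Q_SIGN * (T_ADV + (Q_ORACLE + Q_SIGN + 1) * t_f(k))

def invert_time_rsa_oaep(k):
    """[Fujisaki-OPS 00]: the slide's summary bound 2^76 + 6 * 2^110 * k^2,
    i.e. 2t + 6 * q_H^2 * k^2 (the constant 6 is taken from the slide as given)."""
    return 2 * T_ADV + 6 * Q_ORACLE ** 2 * t_f(k)

def invert_time_rsa_oaep_pp(k):
    """[Jonsson 2002], essentially linear: t' <= t + q_E * k^2."""
    return T_ADV + Q_ORACLE * t_f(k)

REDUCTIONS = {
    "RSA-FDH (Coron)": invert_time_fdh_coron,
    "RSA-OAEP": invert_time_rsa_oaep,
    "RSA-OAEP++": invert_time_rsa_oaep_pp,
}

def reduction_is_meaningful(scheme, k):
    """True iff t' is at most the NFS cost: then breaking the scheme within the
    assumed budget would beat the best known inversion algorithm, so the
    reduction actually says something for k-bit keys."""
    return math.log2(REDUCTIONS[scheme](k)) <= NFS_LOG2[k]

def minimum_key_size(scheme):
    """Smallest tabulated key size for which the reduction is meaningful."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(scheme, k):
            return k
    return None

def report():
    """The slides' "k bits -> t' <= 2^x, but NFS takes 2^y (ok/no)" lines."""
    lines = []
    for scheme, fn in REDUCTIONS.items():
        for k in sorted(NFS_LOG2):
            verdict = "ok" if reduction_is_meaningful(scheme, k) else "no"
            lines.append(f"{scheme:16s} {k:4d} bits -> t' <= 2^{math.log2(fn(k)):.1f}, "
                         f"but NFS takes 2^{NFS_LOG2[k]} ({verdict})")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
    for scheme in REDUCTIONS:
        print(f"{scheme}: secure for keys of at least {minimum_key_size(scheme)} bits")
```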


Revisiting the Assumptions

Classical Assumptions

Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes
Hash-based schemes
Systems of Multivariate Equations
Lattices


                                                    Concluding Remarks

                                                    Part V

                                                    Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now (model, attacks, remodel)? Crypto as physics [Nguyen 12, Degabriele et al. 11].


Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                    Part VI

                                                    References


M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.


Proof by Reduction

Let P be a problem.

Let A be an adversary that breaks the scheme.

Then A can be used to solve P:

Instance I of P → [ New algorithm for P, which runs Adversary A ] → Solution of I

If so, we say solving P reduces to breaking the scheme. Conclusion: if P is intractable, then the scheme is unbreakable.


Provable Security

A misleading name:

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure, we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next):
   Security goal
   Attack model
3. A reduction


Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial
Exact security: T explicit
Practical security: T small (linear)

Each gives us a way to interpret reduction results.


Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial-time algorithm".

Reduction: T is polynomial in t and ε.

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.


Complexity-theoretic Security Results

General Results (under polynomial reductions, against polynomial-time adversaries):

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but

the schemes for which these results were originally obtained are rather inefficient, and

looking into the complexity of the reduction may give us some insight

Exact Security

Given: an adversary A which in time t breaks the scheme with probability ε

⇒ Build: an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: solving P requires N operations (say, time τ)

Reduction: the exact cost of T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: there is no adversary against the scheme running within time t with advantage ε such that t' = T(t, ε) ≤ τ (such an adversary would give an algorithm for P faster than the assumption allows)

Why useful?

From T(t, ε) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is
$$\frac{t'\,\varepsilon}{t\,\varepsilon'} = \frac{t'/\varepsilon'}{t/\varepsilon},$$
the work-per-success of the algorithm against P relative to that of A (a gap of 1 is a perfectly tight reduction).

We want tight reductions, or at least reductions with a small tightness gap: every factor lost here has to be paid for with larger parameters when the bound is turned into key sizes.


Part IV

Security Notions

Security Notions
  Security Notion for Signature Schemes
  Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed

2. The attack model:
   Attack venues: what the adversary can and cannot do
   Leaked information: what the adversary can learn from honest users (often modeled by oracles)


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message/signature pair without the private key.

The adversary does a good job (or: the scheme is insecure) if,

given the verification key $k_v$,

it outputs a pair $(m', \sigma')$ of a message and its signature

such that the following probability is large:

$$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$$

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs (which it did not choose)

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme $\Sigma = (\mathrm{K}, \mathrm{Sign}, \mathrm{Vf})$:

    $(k_v, k_s) \leftarrow_{\$} \mathrm{K}(\cdot)$

    Adversary (gets $k_v$)  --- m --->  Signing Oracle (holds $k_s$): $\sigma \leftarrow \mathrm{Sign}(k_s, m)$
                            <--- σ ---
                              ···
    Adversary outputs $(m', \sigma')$

$$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,]$$

where "new" means that $m'$ was never submitted to the signing oracle.

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way

⇒ Idealized Security Models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].
The hash function $H: \{0,1\}^* \to \mathrm{Rng}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a uniformly random answer in $\mathrm{Rng}(H)$

The same query asked twice receives the same answer twice

But in the actual scheme, H is replaced by a concrete cryptographic hash function (SHA-1, RIPEMD-160, etc. at the time of these slides; SHA-1 has since been shown to be collision-prone and should not be used in new designs)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]. There exist (contrived) schemes that are provably secure in the random oracle model but insecure under every concrete instantiation of H.


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns $(f, f^{-1})$ where
   Public key: $f: X \to X$, a trapdoor one-way permutation on X
   Private key: $f^{-1}$
   The hash function $H: \{0,1\}^* \to X$ maps onto the whole domain X of f (hence "full-domain")

S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true iff $f(\sigma) = H(m)$
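The FDH scheme just defined and the EUF-CMA experiment from the previous slides, as an added example that is not part of the original lecture. It assumes a constructed toy RSA key (N = 61 · 53, e = 17, d = 2753) as the trapdoor permutation and SHA-256 reduced mod N as the full-domain hash; the message strings and the two adversaries are likewise constructed for illustration, and nothing here is usable as a real signature scheme.

```python
# Added example (not the lecture's code): a toy Full-Domain Hash signature on
# textbook RSA, and the EUF-CMA experiment of the slides run against two weak
# adversaries.  The RSA key is a constructed toy (N = 61 * 53) chosen so the
# numbers stay readable; nothing here is usable as a real signature scheme.
import hashlib
import secrets

# Constructed toy trapdoor permutation: f(x) = x^E mod N on Z_N, f^{-1}(y) = y^D mod N,
# with E * D = 1 mod phi(N) and phi(N) = 60 * 52 = 3120.
N, E, D = 3233, 17, 2753


def H(m: bytes) -> int:
    """Toy full-domain hash onto Z_N: SHA-256 reduced mod N (a real FDH needs an
    output that is statistically close to uniform on the whole domain)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def keygen():
    """Returns (verification key k_v, signing key k_s)."""
    return (N, E), (N, D)


def sign(ks, m: bytes) -> int:
    n, d = ks
    return pow(H(m), d, n)             # sigma = f^{-1}(H(m))


def verify(kv, m: bytes, sigma: int) -> bool:
    n, e = kv
    return pow(sigma, e, n) == H(m)    # f(sigma) == H(m)


def euf_cma_experiment(adversary) -> bool:
    """The EUF-CMA game: the adversary gets k_v and a signing oracle and wins
    iff it outputs (m', sigma') that verifies with m' never queried to the oracle."""
    kv, ks = keygen()
    queried = set()

    def sign_oracle(m: bytes) -> int:
        queried.add(m)
        return sign(ks, m)

    m_forged, sigma_forged = adversary(kv, sign_oracle)
    return m_forged not in queried and verify(kv, m_forged, sigma_forged)


def replay_adversary(kv, sign_oracle):
    """Replays a signature it legitimately obtained: verifies, but m' is not new."""
    m = b"pay 10 to alice"
    return m, sign_oracle(m)


def guessing_adversary(kv, sign_oracle):
    """Asks for some signatures, then outputs a random sigma for a fresh message."""
    for m in (b"msg-0", b"msg-1", b"msg-2"):
        sign_oracle(m)
    n, _ = kv
    return b"pay 1000000 to mallory", secrets.randbelow(n)


def guessing_success_rate(trials: int = 2000) -> float:
    """Empirical advantage of the guessing adversary; since f is a permutation
    exactly one sigma in Z_N verifies, so the rate is about 1/N."""
    wins = sum(euf_cma_experiment(guessing_adversary) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    kv, ks = keygen()
    print("honest signature verifies:", verify(kv, b"hello", sign(ks, b"hello")))
    print("replay adversary wins:", euf_cma_experiment(replay_adversary))
    print("guessing adversary win rate:", guessing_success_rate())
```

The experiment function is the security notion made executable: the `queried` set is the "new m'" condition, which is why the replay adversary loses even though its pair verifies, and the guessing adversary's empirical advantage is roughly 1/N, the value the theorem on the next slides bounds in terms of inverting f.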

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

$T_f$ is the time to compute f (in the forward direction)

B runs in time $t' = t + (q_h + q_s)\cdot T_f$

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)
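Turning this bound into the key-size requirement promised on the exact-security slide, and computing the tightness gap defined earlier for this particular reduction, as an added example that is not part of the original lecture. Resources are passed as log2 values; the scenario in the usage block (2^80-time forgers, 2^60 hash queries, 2^30 signing queries, f costing 2^10 operations, 128-bit target) is an assumed illustration, not a figure from the slides.

```python
# Added example (not the lecture's code): turning the exact-security bound
#   Adv_FDH(A) <= (q_h + q_s + 1) * Adv_ow(B),   t' = t + (q_h + q_s) * T_f
# into concrete requirements on the one-way permutation, and computing the
# tightness gap of that reduction.  Resources are given as log2 values, so
# 2^60 hash queries is written as 60.0.
import math


def tightness_gap(t: float, eps: float, t_prime: float, eps_prime: float) -> float:
    """(t'/eps') / (t/eps): work-per-success of B relative to A.
    1.0 means a perfectly tight reduction; larger means more loss."""
    return (t_prime / eps_prime) / (t / eps)


def fdh_tightness_gap(qh: int, qs: int, t: float, Tf: float) -> float:
    """Gap of the FDH reduction: t' = t + (qh+qs)*Tf and eps' = eps/(qh+qs+1).
    eps cancels out, so any value in (0, 1] can be used for it."""
    eps = 1.0
    return tightness_gap(t, eps, t + (qh + qs) * Tf, eps / (qh + qs + 1))


def fdh_requirement(qh_bits: float, qs_bits: float, t_bits: float,
                    Tf_bits: float, target_adv_bits: float) -> tuple:
    """Adversary A: time 2^t_bits, 2^qh_bits hash queries, 2^qs_bits signing
    queries, and we want Adv_FDH(A) <= 2^-target_adv_bits.
    Returns (t_prime_bits, ow_bits): the one-way permutation must give every
    inverter running in time 2^t_prime_bits an advantage of at most 2^-ow_bits."""
    queries = 2.0 ** qh_bits + 2.0 ** qs_bits
    loss_bits = math.log2(queries + 1)                    # log2(q_h + q_s + 1)
    t_prime_bits = math.log2(2.0 ** t_bits + queries * 2.0 ** Tf_bits)
    return t_prime_bits, target_adv_bits + loss_bits


if __name__ == "__main__":
    # Assumed scenario: 128-bit EUF-CMA security against 2^80-time forgers making
    # 2^60 hash and 2^30 signing queries, with f costing 2^10 operations.  The
    # reduction demands roughly 188-bit one-wayness of f: the 60 query bits are lost.
    t_prime_bits, ow_bits = fdh_requirement(60, 30, 80, 10, 128)
    print(f"B runs in 2^{t_prime_bits:.3f} time, needs Adv_ow(B) <= 2^-{ow_bits:.3f}")
    print("tightness gap (qh=4, qs=2, t=1000, Tf=1):", fdh_tightness_gap(4, 2, 1000, 1))
```

The time loss is negligible (t' ≈ t as long as (q_h + q_s)·T_f is small next to t), so the whole tightness gap of this reduction is the factor q_h + q_s + 1 in the advantage; with a hash-query budget of 2^60 that is 60 extra bits the permutation must provide, which is exactly what drives RSA key-size recommendations for FDH-style schemes.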


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games (experiments)

2. All games are in the same probability space

3. The rules for how the adversary's view is computed differ between games

4. Successive games are very similar, typically with slightly different probability distributions

5. $G_0$ is the actual security game (EUF-CMA)

6. $G_5$ is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends its output $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below (H-List is an initially empty list).

Hashing oracle $H(q)$:
   If $(q, r) \in$ H-List, return r
   Otherwise, reply using
   Rule H(1): $r \leftarrow_{\$} X$, add the record $(q, r)$ to H-List, return r

Signing oracle $S(m)$:
   $r \leftarrow H(m)$; reply using
   Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $\mathrm{Vf}(m, \sigma)$:
   $r \leftarrow H(m)$; return true if $r = f(\sigma)$

The game ends when the verification oracle is called. Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$: lazy sampling is just another way of implementing a random function.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \leftarrow_{\$} \{1, \ldots, q_h + q_s + 1\}$

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle, whether by A directly or by the signing or verification oracle on A's behalf

If $c \ne c'$ then abort

Since verification happens within the game, the output message $m'$ is always queried to the hashing oracle, at the latest by Vf itself; this is why the range of c has $q_h + q_s + 1$ entries. Let GoodGuess be the event $c = c'$. Then

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_h + q_s + 1}$$

(c is chosen independently of A's view, so $\Pr[S_1 \mid \mathrm{GoodGuess}] = \Pr[S_1]$.)

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f (so $y = f(x)$ for $x \leftarrow_{\$} X$).

Rule H(3): if this is the c-th query, set $r \leftarrow y$. Otherwise choose $r \leftarrow_{\$} X$. Add the record $(q, \bot, r)$ to H-List.

Since y is uniformly distributed in X (x is uniform and f is a permutation), the answer to the c-th query has the same distribution as before: $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used by signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose $s \leftarrow_{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since y is uniform, f is a permutation and s is uniform, every r is still uniform in X: $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the c-th queried message is $m'$ (otherwise the game aborts) and a forgery on $m'$ only counts if $m'$ was never asked to the signing oracle, the missing preimage $s = \bot$ is never needed: $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_s + q_h)$ evaluations of f

a signature forgery $\sigma$ for $m'$ satisfies $f(\sigma) = H(m') = y$, so it is a preimage of y

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where B = $G_5$ (the whole simulation, with A running inside it) runs in time $t + (q_s + q_h)\,T_f$

Chaining the games gives the theorem: $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0] = \Pr[S_1] \le (q_h + q_s + 1)\Pr[S_2] = (q_h + q_s + 1)\Pr[S_5] = (q_h + q_s + 1)\,\mathrm{Adv}^{\text{ow}}_f(B)$.
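The inverter B that games $G_0$ to $G_5$ build, run against a stand-in forger, as an added example that is not part of the original lecture. It assumes the same constructed toy RSA key (N = 61 · 53, e = 17, d = 2753) as the permutation f; B only ever uses the forward direction, while the forger is handed the trapdoor d purely so that it can produce a forgery at all (a real forger would have to break the scheme). The forger's four hash queries and two signing queries are constructed so that the forged message is its 4th fresh hash query, which makes the 1/(q_h + q_s + 1) guessing loss of game $G_2$ visible.

```python
# Added example (not the lecture's code): the inverter B of game G_5, run
# against a stand-in forger.  B sees only the public permutation
# f(x) = x^e mod N and a challenge y; it answers the forger's hash queries
# with rule H(4), its signing queries with rule S(5), and turns the forgery
# into f^{-1}(y).  The forger is handed the trapdoor d only so that it can
# forge at all; B itself never uses d.  Constructed toy key: N = 61 * 53.
import secrets

N, E, D = 3233, 17, 2753          # constructed toy RSA key, phi(N) = 3120


def f(x: int) -> int:
    """Public one-way permutation on Z_N (forward direction only)."""
    return pow(x, E, N)


class Reduction:
    """B: simulates the random oracle and the signing oracle without f^{-1}."""

    def __init__(self, y: int, c: int):
        self.y, self.c = y, c     # challenge, and the guessed index of m'
        self.h_list = {}          # query -> (s, r) with r = H(query); s = None for the c-th query

    def H(self, m: bytes) -> int:
        if m not in self.h_list:
            if len(self.h_list) + 1 == self.c:       # rule H(4), c-th fresh query: program y
                self.h_list[m] = (None, self.y)
            else:                                    # otherwise r = f(s) with s remembered
                s = secrets.randbelow(N)
                self.h_list[m] = (s, f(s))
        return self.h_list[m][1]

    def sign(self, m: bytes) -> int:
        self.H(m)                                    # make sure the record exists
        s, _ = self.h_list[m]
        if s is None:                                # would need f^{-1}(y): wrong guess, abort
            raise RuntimeError("abort: signing query on the guessed message")
        return s                                     # rule S(5): sigma = s

    def extract(self, m: bytes, sigma: int):
        """f^{-1}(y) if the forgery is on the programmed message and verifies, else None."""
        if m not in self.h_list:
            return None
        s, r = self.h_list[m]
        if s is None and r == self.y and f(sigma) == self.y:
            return sigma
        return None


def omniscient_forger(H, sign_oracle):
    """Stand-in adversary: 4 hash queries, 2 signing queries, then a forgery on
    its 4th hash-queried message, computed with the trapdoor (cheating on purpose)."""
    msgs = [b"msg-0", b"msg-1", b"msg-2", b"msg-3"]
    for m in msgs:
        H(m)
    for m in msgs[:2]:
        assert f(sign_oracle(m)) == H(m)             # the simulated signatures verify
    target = msgs[3]
    return target, pow(H(target), D, N)


def run_reduction(y: int, c: int):
    """One run of B with guess c; returns a preimage of y or None."""
    b = Reduction(y, c)
    try:
        m, sigma = omniscient_forger(b.H, b.sign)
    except RuntimeError:
        return None
    return b.extract(m, sigma)


def success_count(y: int, qh: int = 4, qs: int = 2) -> int:
    """How many of the q_h + q_s + 1 possible guesses invert f at y: exactly one
    for this forger, the 1/(q_h + q_s + 1) factor of game G_2 made concrete."""
    return sum(run_reduction(y, c) is not None for c in range(1, qh + qs + 2))


if __name__ == "__main__":
    y = f(secrets.randbelow(N))
    sigma = run_reduction(y, 4)
    print("preimage found with c = 4:", sigma, "verifies:", sigma is not None and f(sigma) == y)
    print("successful guesses out of 7:", success_count(y))
```

Two things worth noticing when reading the run: the forger cannot tell the simulation from the real game (every hash answer is uniform in Z_N and every signature it receives verifies), and B never computes a d-th power, so whatever the forger does with its forgery is, for the right guess of c, an inversion of f at the challenge y.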


                                                      Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

Adv^ow_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
            ≥ Pr[S1] / (qH + qS + 1)
            ≥ Pr[S0] / (qH + qS + 1)
            = Adv^euf-cma_FDH(A) / (qH + qS + 1)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

Interpreting Exact Security: FDH Signatures

Let's go back to our first result:

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;

Tf is the time to compute f (in the forward direction);

B runs in time t' = t + (qh + qs) · Tf.

How should we interpret this result?

Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are

at most 2^75 operations (t),

at most 2^55 hash queries (qh), and

at most 2^30 signing queries (qs).

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

B runs in time t' = t + (qh + qs) · Tf

The result now says:

Interpreting the Result

If one can break the scheme within time t, then one can invert f within time t' ≤ (qh + qs + 1)(t + (qh + qs) · Tf) ≤ 2^130 + 2^110 · Tf

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with the known bounds on inverting RSA (namely, factoring using the best known algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t' ≤ 2^140, but NFS takes 2^80

2048 bits → t' ≤ 2^143, but NFS takes 2^111

4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^euf-cma_FDH(A) ≤ qs · e · Adv^ow_f(B)

where B runs in time t' = t + (qh + qs + 1) · Tf if A runs in time t and makes qh, qs queries.

Solving: inverting f can be done in time t' ≤ 2^30 · t + 2^85 · Tf, and

1024 bits → t' ≤ 2^105, but NFS takes 2^80

2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary A runs as follows (the slide shows it as a message-flow diagram):

Challenger: b ←$ {0, 1}; (ke, kd) ←$ K(·); ke is given to the adversary.

Adversary (first phase, CCA1): queries any c to the decryption oracle and gets m ← D_kd(c) (or ⊥); then outputs m0, m1.

Challenger: c* ← E_ke(mb), sent to the adversary.

Adversary (second phase, CCA2): queries any c ≠ c* to the decryption oracle and gets m ← D_kd(c) (or ⊥); finally outputs b'.

Adv^ind-cca_AS(A) = Pr[ (m0, m1) ← A^D(ke); c* ← E_ke(mb) : b' = b ]

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^ow-cpa_AS(A) = Pr[ m ←$ M; c ← E_ke(m) : A(ke, c) = m ]

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
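The IND-CCA2 game of the earlier slide, played in code against the two schemes just discussed, as an added example (not from the slides): textbook RSA loses IND-CPA because encryption is deterministic, and ElGamal loses IND-CCA2 because of multiplicativity. Both schemes use tiny constructed parameters and are not meant to be secure; the message values and group parameters are constructed.

```python
"""The IND-CCA2 game of the slides, played against two textbook schemes.

Added example, not from the slides. Both schemes use tiny constructed
parameters and are NOT secure; the point is the game logic and the two
counterexamples the slides state (deterministic RSA is not IND-CPA,
ElGamal's multiplicativity breaks IND-CCA2).
"""
import secrets

# ---- textbook RSA (constructed toy primes) ----
RSA_P, RSA_Q, RSA_E = 1000003, 1000033, 65537


def rsa_keygen():
    n = RSA_P * RSA_Q
    return (n, RSA_E), (n, pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1)))


def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)                 # no randomness: encryption is deterministic


def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)


# ---- textbook ElGamal in the order-509 subgroup of Z_1019^* (constructed) ----
EG_P, EG_Q, EG_G = 1019, 509, 4         # 1019 = 2*509 + 1; 4 generates the order-509 subgroup


def eg_keygen():
    x = secrets.randbelow(EG_Q - 1) + 1
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x


def eg_enc(pk, m):
    p, g, y = pk
    r = secrets.randbelow(EG_Q - 1) + 1
    return (pow(g, r, p), m * pow(y, r, p) % p)


def eg_dec(sk, c):
    c1, c2 = c
    return c2 * pow(c1, -sk, EG_P) % EG_P


# ---- the IND game: b random, challenge c*, decryption oracle that refuses c* ----
def ind_game(scheme, adversary, cca2, trials=50):
    """Returns the empirical Pr[b' = b], the advantage as the slides define it."""
    keygen, enc, dec = scheme
    choose, guess = adversary
    wins = 0
    for _ in range(trials):
        pk, sk = keygen()
        b = secrets.randbelow(2)
        box = {"challenge": None}

        def dec_oracle(c):
            if not cca2:
                raise PermissionError("no decryption oracle under CPA")
            if c == box["challenge"]:
                return None                       # the challenge itself is refused (bottom)
            return dec(sk, c)

        m0, m1 = choose(pk, dec_oracle)           # CCA1 phase: oracle available before c*
        box["challenge"] = enc(pk, m1 if b else m0)
        wins += guess(pk, box["challenge"], dec_oracle) == b   # CCA2 phase
    return wins / trials


# Adversary 1 (IND-CPA, no oracle): re-encrypt m0 and compare; works because RSA is deterministic.
def rsa_choose(pk, oracle):
    return 42, 1337                                  # constructed messages, both < n


def rsa_guess(pk, c_star, oracle):
    return 0 if rsa_enc(pk, 42) == c_star else 1


# Adversary 2 (IND-CCA2): turn c* into an encryption of m*g (multiply c2 by g); it differs
# from c*, so the oracle decrypts it, and dividing by g reveals m_b.
def eg_choose(pk, oracle):
    return pow(EG_G, 7, EG_P), pow(EG_G, 9, EG_P)   # constructed group elements


def eg_guess(pk, c_star, oracle):
    p, g, y = pk
    c1, c2 = c_star
    m_times_g = oracle((c1, c2 * g % p))
    m = m_times_g * pow(g, -1, p) % p
    return 0 if m == pow(EG_G, 7, EG_P) else 1


def rsa_ind_cpa_success():
    return ind_game((rsa_keygen, rsa_enc, rsa_dec), (rsa_choose, rsa_guess), cca2=False)


def elgamal_ind_cca2_success():
    return ind_game((eg_keygen, eg_enc, eg_dec), (eg_choose, eg_guess), cca2=True)
```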

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)

H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): Compute x, y, then return c = f(x || y)

D(c): Compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^ind-cca_RSA-OAEP(A) ≤ 2 · √(Adv^rsa_(n,e)(B))

where B runs in time t' = 2 · t + qH (2 · qG + qH) · k^2 if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving: inverting f can be done in time t' ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight)

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t),

at most 2^55 hash (qH, qG) and ideal cipher queries (qE).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + qE · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more
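The key-size arithmetic of the FDH, Coron, RSA-OAEP and RSA-OAEP++ slides, carried out for all four reductions in one place, as an added example (not from the slides). It assumes the slides' adversary bounds (t = 2^75, qh = qG = qH = qE = 2^55, qs = 2^30), the NFS figures the slides quote, and Tf = k^2 for forward RSA with small e throughout (the FDH slides use k^3 there, so those exponents come out a few bits lower here; the verdict per key size is the same).

```python
"""Exact-security arithmetic for the four RSA reductions on these slides
(FDH [Bellare-Rogaway 96], FDH [Coron 2000], RSA-OAEP [Fujisaki-OPS 00],
RSA-OAEP++ [Jonsson 2002]).

Added example, not from the slides. Assumptions: the adversary bounds the
slides fix, Tf = k^2 operations for forward RSA with small e for every
scheme, and the NFS cost figures quoted on the slides.
"""
T = 2 ** 75          # adversary running time t
Q_HASH = 2 ** 55     # hash / random-oracle / ideal-cipher queries (qh, qG, qH, qE)
Q_SIGN = 2 ** 30     # signing queries qs

# Best known factoring cost (NFS) for a k-bit modulus, as quoted on the slides (log2).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def tf(k):
    """Assumption: one forward RSA evaluation with small e costs k^2 operations."""
    return k * k


# Each reduction maps the forger's resources to the time t' an inverter needs.
# A multiplicative advantage loss L becomes a factor L on the time, as on the slides.
def fdh_basic(k):
    """Adv <= (qh+qs+1) * Adv^ow(B), B runs in t + (qh+qs) * Tf."""
    return (Q_HASH + Q_SIGN + 1) * (T + (Q_HASH + Q_SIGN) * tf(k))


def fdh_coron(k):
    """Adv <= qs * e * Adv^ow(B), B runs in t + (qh+qs+1) * Tf; the constant e is dropped as on the slide."""
    return Q_SIGN * (T + (Q_HASH + Q_SIGN + 1) * tf(k))


def rsa_oaep(k):
    """The slide's simplified figure after plugging in the bounds: t' <= 2^76 + 6 * 2^110 * k^2."""
    return 2 ** 76 + 6 * 2 ** 110 * tf(k)


def rsa_oaep_pp(k):
    """t' <= t + qE * k^2: essentially tight."""
    return T + Q_HASH * tf(k)


def log2_ceil(n):
    """Exact ceil(log2 n) for a positive integer, without floating point."""
    return (n - 1).bit_length()


def verdict(reduction, k):
    """(log2 t', log2 NFS, meaningful?): the bound says something only if the
    inverter it yields is not slower than the best known factoring algorithm."""
    tp = log2_ceil(reduction(k))
    return tp, NFS_LOG2[k], tp <= NFS_LOG2[k]


def min_secure_keysize(reduction, sizes=(1024, 2048, 4096)):
    """Smallest modulus size for which the reduction gives a meaningful bound, or None."""
    for k in sizes:
        if verdict(reduction, k)[2]:
            return k
    return None


def table():
    """The slides' comparison, one row per (scheme, key size)."""
    rows = []
    for name, red in [("RSA-FDH", fdh_basic), ("RSA-FDH (Coron)", fdh_coron),
                      ("RSA-OAEP", rsa_oaep), ("RSA-OAEP++", rsa_oaep_pp)]:
        for k in (1024, 2048, 4096):
            tp, nfs, ok = verdict(red, k)
            rows.append(f"{name:16s} {k:4d} bits: t' <= 2^{tp:<3d} NFS 2^{nfs:<3d} {'ok' if ok else 'no'}")
        rows.append(f"{name:16s} meaningful from {min_secure_keysize(red)} bits")
    return "\n".join(rows)


if __name__ == "__main__":
    print(table())
```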

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

                                                      Concluding Remarks

                                                      Part V

                                                      Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

                                                      Part VI

                                                      References


M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Kunzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

                                                      P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                      K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                      D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                      7577

                                                      R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                      C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                      V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                      7677

                                                      V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                      S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                      7777

Outline

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Proof by Reduction

Let P be a problem, and let A be an adversary that breaks the scheme. Then A can be used to solve P:

  Instance I of P  →  [ new algorithm for P, running adversary A as a subroutine ]  →  solution of I

If so, we say that solving P reduces to breaking the scheme.
Conclusion: if P is intractable, then the scheme is unbreakable.

Provable Security

A misleading name: we are not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given above)
2. To define the security notions to be guaranteed (next):
   • Security goal
   • Attack model
3. A reduction

Complexity-theory vs. Exact Security vs. Practical Security

The interpretation of the reduction matters.

Given an adversary A running within time $t$ with success probability $\varepsilon$, we build an algorithm against P that runs in time $t' = T(t)$ with success probability $\varepsilon' = R(\varepsilon)$.

The reduction requires showing $T$ (for simplicity, suppose $R$ depends only linearly on $\varepsilon$):

• Complexity theory: $T$ polynomial
• Exact security: $T$ explicit
• Practical security: $T$ small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given an adversary A running within time $t$ with success probability $\varepsilon$, build an algorithm against P that runs in time $t' = T(t, \varepsilon)$.

Assumption: P is hard = "no polynomial-time algorithm".

Reduction: $T$ is polynomial in $t$ and $1/\varepsilon$.

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, e.g. when analyzing block ciphers, which have fixed key and block sizes and hence no parameter to grow.


Complexity-theory Security: Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

• the schemes for which these results were originally obtained are rather inefficient;
• looking into the complexity of the reduction may give us some insight.

Exact Security

Given an adversary A which in time $t$ breaks the scheme with probability $\varepsilon$, build an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and succeeds with probability $\varepsilon'$.

Assumption: solving P requires $N$ operations (say time $\tau$).

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$.

Why useful? From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is

$$\frac{t'/\varepsilon'}{t/\varepsilon} = \frac{t'\,\varepsilon}{t\,\varepsilon'}.$$

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think about and define:

1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
2. Attack model:
   • Attack venues: what the adversary can and cannot do.
   • Leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$$

Possible Attack Models

• No-Message Attack (NMA): the adversary only knows the verification key.
• Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.
• Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

1. $(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$.
2. The adversary receives $k_v$ and gets access to a signing oracle holding $k_s$: on each query $m$ it answers $\sigma \leftarrow \mathrm{Sign}(k_s, m)$, and the adversary may query it adaptively ($m \rightarrow$, $\leftarrow \sigma$, $\cdots$).
3. The adversary outputs $(m', \sigma')$.

$$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,]$$

where "new" means that $m'$ was never submitted to the signing oracle.

(Existential unforgeability under chosen-message attacks.)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

• hash functions,
• block ciphers,
• finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

• Hash function → Random oracle
• Block cipher → Ideal cipher
• Finite group → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93].

A hash function $H: \{0,1\}^* \rightarrow \mathrm{Rng}(H)$ is analyzed as if it were a perfectly random function:

• each new query receives a uniformly random answer in $\mathrm{Rng}(H)$;
• the same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.). A practitioner's caveat: SHA-1 is no longer collision-resistant, so a deployment today would instantiate H with SHA-2 or SHA-3.

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti 98/04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

• $\mathcal{K}$, key generation: returns $(f, f^{-1})$, where the public key is $f: X \rightarrow X$, a trapdoor one-way permutation onto $X$, and the private key is $f^{-1}$.
• $\mathcal{S}$, signature of $m$: returns $\sigma \leftarrow f^{-1}(H(m))$.
• $\mathcal{V}$, verification of $(m, \sigma)$: returns true if $f(\sigma) = H(m)$.

(Here $H: \{0,1\}^* \rightarrow X$ hashes onto the full domain $X$ of $f$, hence the name.)
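The FDH scheme and the EUF-CMA game above, as an added example that is not part of the original slides: a lazily sampled random oracle (a fresh random answer on a new query, the same answer on a repeated one), FDH over textbook RSA, and a harness that runs the EUF-CMA experiment with a signing oracle and the "new message" check. The RSA primes are constructed toy values (two Mersenne primes, about a 92-bit modulus) chosen only so the code runs instantly; they give no real security. Two adversaries are included: one that replays an oracle answer (valid, but not new, so it does not win) and a no-message existential forger that picks $\sigma$ first and sets $m' = f(\sigma)$, which wins against RSA with no hash at all but not against the random oracle, since $H(m')$ is then an independent random point of $\mathbb{Z}_N$. The message strings and adversary names are illustrative.

```python
# Added example (not from the slides): FDH over textbook RSA, a lazily
# sampled random oracle, and the EUF-CMA experiment as a runnable game.
from __future__ import annotations

import secrets
from typing import Callable

# Constructed toy RSA parameters: two Mersenne primes, ~92-bit modulus.
# They make the example instant to run and give NO real security.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: f^{-1}(y) = y^D mod N


class RandomOracle:
    """Random oracle H: {0,1}* -> Z_N, sampled lazily.

    A fresh query gets a uniformly random answer; the same query asked
    again gets the same answer. Z_N is the domain of f, so H is a
    full-domain hash for RSA."""

    def __init__(self, modulus: int) -> None:
        self.modulus = modulus
        self.table: dict[bytes, int] = {}
        self.queries = 0                      # q_h in the FDH bound

    def __call__(self, m: bytes) -> int:
        self.queries += 1
        if m not in self.table:               # new query: sample a random point
            self.table[m] = secrets.randbelow(self.modulus)
        return self.table[m]                  # repeated query: same answer


def no_hash(m: bytes) -> int:
    """Textbook RSA 'hash': read the message itself as an element of Z_N."""
    return int.from_bytes(m, "big") % N


class FDH:
    """sigma = f^{-1}(H(m)) with f(x) = x^E mod N; verify checks f(sigma) == H(m)."""

    def __init__(self, H: Callable[[bytes], int]) -> None:
        self.H = H
        self.public_key = (N, E)              # k_v: the permutation f
        self._d = D                           # k_s: its trapdoor f^{-1}

    def sign(self, m: bytes) -> int:
        return pow(self.H(m), self._d, N)

    def verify(self, m: bytes, sigma: int) -> bool:
        return pow(sigma, E, N) == self.H(m)


def euf_cma_game(scheme: FDH, adversary: Callable) -> bool:
    """EUF-CMA experiment: A gets k_v and a signing oracle; A wins iff
    (m', sigma') verifies and m' was never sent to the oracle."""
    queried: set[bytes] = set()

    def sign_oracle(m: bytes) -> int:
        queried.add(m)
        return scheme.sign(m)

    m_prime, sigma_prime = adversary(scheme.public_key, sign_oracle)
    return scheme.verify(m_prime, sigma_prime) and m_prime not in queried


def replay_adversary(pk, sign) -> tuple[bytes, int]:
    """Asks for one signature and returns it: valid, but not new, so no win."""
    m = b"transfer 10 to mallory"              # constructed sample message
    return m, sign(m)


def no_message_forger(pk, sign) -> tuple[bytes, int]:
    """Existential forgery with zero oracle queries: choose sigma first and
    set m' = f(sigma). Against no_hash, H(m') = f(sigma) by construction,
    so the pair verifies. Against a random oracle, H(m') is an independent
    random point of Z_N and the pair verifies with probability 1/N."""
    n, e = pk
    sigma = secrets.randbelow(n - 2) + 2
    m_prime = pow(sigma, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return m_prime, sigma


def run_games() -> dict[str, bool]:
    """Outcome of each experiment (True = the adversary wins)."""
    return {
        "textbook/replay": euf_cma_game(FDH(no_hash), replay_adversary),
        "textbook/no-message forger": euf_cma_game(FDH(no_hash), no_message_forger),
        "fdh-ro/replay": euf_cma_game(FDH(RandomOracle(N)), replay_adversary),
        "fdh-ro/no-message forger": euf_cma_game(FDH(RandomOracle(N)), no_message_forger),
    }


if __name__ == "__main__":
    for name, won in run_games().items():
        print(f"{name:28s} adversary wins: {won}")
```

`run_games()` returns which adversary wins in which model; the oracle's `queries` counter is the $q_h$ of the theorem's bound, and the `queried` set in the game is exactly the "new $m'$" condition of the EUF-CMA advantage.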

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f$ = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

• A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
• $T_f$ is the time to compute $f$ (in the forward direction);
• B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)

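The exact-security reading of the FDH theorem above, together with the earlier remark that from $T(t) \le \tau$ one gets bounds on key sizes, as an added example that is not part of the original slides: the tightness gap computed from the theorem's $(t', \varepsilon')$, the number of bits that the factor $(q_h + q_s + 1)$ costs, and the inverse question of how hard $f$ must be to certify a target level. The query budget and the 112-bit hardness figure for $f$ in the demo are assumed illustrative values (112 bits is the level commonly quoted for 2048-bit RSA), and "work" is measured as time divided by success probability.

```python
# Added example (not from the slides): the exact-security arithmetic behind
# the FDH bound, i.e. what the factor (q_h + q_s + 1) costs in bits.
from __future__ import annotations

import math
from fractions import Fraction


def tightness_gap(t, eps, t_prime, eps_prime) -> Fraction:
    """Tightness gap (t'/eps')/(t/eps) = (t'*eps)/(t*eps'); 1 means tight.
    Inputs may be ints or Fractions; probabilities should be Fractions."""
    return (Fraction(t_prime) * Fraction(eps)) / (Fraction(t) * Fraction(eps_prime))


def fdh_reduction(t: int, eps, q_h: int, q_s: int, T_f: int = 1):
    """The inverter B the theorem builds from a forger A:
    t' = t + (q_h + q_s) * T_f  and  eps' = eps / (q_h + q_s + 1)."""
    t_prime = t + (q_h + q_s) * T_f
    eps_prime = Fraction(eps) / (q_h + q_s + 1)
    return t_prime, eps_prime


def fdh_security_bits(f_bits: float, t: int, q_h: int, q_s: int, T_f: int = 1) -> float:
    """Security level (bits of work) the bound guarantees for FDH when
    inverting f costs 2^f_bits of work.

    Exact-security reading: B has work t'/eps', and by assumption
    t'/eps' >= 2^f_bits, so t/eps = (t'/eps')/gap >= 2^f_bits / gap.
    Hence FDH keeps f_bits - log2(gap) bits for this query budget."""
    eps = Fraction(1)      # R is linear in eps, so the gap does not depend on eps
    t_prime, eps_prime = fdh_reduction(t, eps, q_h, q_s, T_f)
    return f_bits - math.log2(tightness_gap(t, eps, t_prime, eps_prime))


def required_f_bits(target_bits: float, t: int, q_h: int, q_s: int, T_f: int = 1) -> float:
    """Inverse question: how hard must f be (hence how large the key, via
    key-size tables such as Lenstra-Verheul) for FDH to reach target_bits?"""
    eps = Fraction(1)
    t_prime, eps_prime = fdh_reduction(t, eps, q_h, q_s, T_f)
    return target_bits + math.log2(tightness_gap(t, eps, t_prime, eps_prime))


if __name__ == "__main__":
    # Assumed forger budget: 2^70 steps, 2^60 - 2^20 - 1 hash queries and
    # 2^20 signature queries, so q_h + q_s + 1 = 2^60 exactly.
    q_h, q_s, t = 2**60 - 2**20 - 1, 2**20, 2**70
    print("gap of a tight reduction:", tightness_gap(t, Fraction(1, 2), t, Fraction(1, 2)))
    print("FDH bits certified on a 112-bit f:", round(fdh_security_bits(112, t, q_h, q_s), 2))
    print("f bits needed to certify 112-bit FDH:", round(required_f_bits(112, t, q_h, q_s), 2))
```

With $2^{60}$ hash queries the bound certifies only about 52 bits for FDH on a 112-bit-hard $f$, and conversely $f$ would need about 172 bits of hardness to certify 112 bits; this loss is the concrete reason tight reductions matter, and it is the calculation behind "minimal key sizes under which the scheme is secure".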

Exact Security: FDH Signatures & Game-based Proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if $H(m) = f(\sigma)$. The game ends when the adversary sends (m, σ) here.

Let $S_0$ be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle H(q): create an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using
Rule H(1): $r \xleftarrow{\$} X$, and add the record (q, r) to H-List.

Signing oracle S(m): $r \leftarrow H(m)$. Reply using
Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle Vf(m, σ): $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A. If $c \ne c'$ then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle. Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$; otherwise choose r at random. Add the record $(q, \perp, r)$ to H-List.

Since the value y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose $s \xleftarrow{\$} X$ at random and compute $r \leftarrow f(s)$. Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up (m, s, r) in H-List and set $\sigma \leftarrow s$.

Since the c-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

- the simulation can be done computing $(q_S + q_H)$ evaluations of f;
- a signature forgery for y gives a preimage for y.

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$, where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
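As an added worked example (not code from the slides, nor from Bellare-Rogaway or Pointcheval), the following Python implements RSA-FDH together with the game-$G_5$ simulator B from the proof above: B programs the random oracle so that every fresh hash query except the c-th one gets an answer r = f(s) with a known preimage s, answers signing queries with that s (rule S(5)), and turns a forgery on the c-th hashed message into a preimage of the challenge y. The Mersenne-prime RSA modulus, the SHA-256-based full-domain hash, the class and function names, and the stand-in forger (which is handed the trapdoor only so that a forgery exists to feed B) are all assumptions of this example; the theorem itself needs no such forger.

```python
"""RSA-FDH and the game-G5 simulator B from the reduction above (added example)."""
import hashlib
import secrets

# Constructed toy RSA parameters: Mersenne primes 2^31-1 and 2^61-1, giving a
# 92-bit modulus that is trivially factorable. Only for an offline demonstration.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # the signer's trapdoor


def f(x: int) -> int:
    """The one-way permutation f = RSA on Z_N, forward direction (cost T_f)."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """f^{-1}; needs the trapdoor D, which the simulator B does not have."""
    return pow(y, D, N)


def full_domain_hash(m: bytes) -> int:
    """H: {0,1}* -> Z_N. SHA-256 with a counter and rejection sampling so the
    output covers the whole domain of f (the 'full domain' in FDH)."""
    nbits = N.bit_length()
    for ctr in range(256):
        digest = hashlib.sha256(m + ctr.to_bytes(2, "big")).digest()
        r = int.from_bytes(digest, "big") & ((1 << nbits) - 1)
        if r < N:
            return r
    raise RuntimeError("rejection sampling failed (probability about 2^-256)")


def fdh_sign(m: bytes) -> int:
    return f_inv(full_domain_hash(m))            # sigma = f^{-1}(H(m))


def fdh_verify(m: bytes, sigma: int) -> bool:
    return f(sigma) == full_domain_hash(m)       # true iff H(m) = f(sigma)


class SimulatorB:
    """Game G5: B answers A's hash and signing queries without f^{-1}. It guesses
    an index c, embeds the challenge y as the answer to the c-th fresh hash query
    (rule H(4)) and answers every other query with r = f(s) for a known s (rule S(5))."""

    def __init__(self, y: int, c: int):
        self.y, self.c = y, c
        self.h_list = {}        # H-List: m -> (s, r), with s = None for the c-th query
        self.fresh = 0          # how many distinct inputs have been hashed so far

    def hash(self, m: bytes) -> int:
        if m not in self.h_list:                    # rule H(1): repeats reuse the record
            self.fresh += 1
            if self.fresh == self.c:
                self.h_list[m] = (None, self.y)     # r <- y, s <- bottom
            else:
                s = secrets.randbelow(N)
                self.h_list[m] = (s, f(s))          # one forward evaluation of f
        return self.h_list[m][1]

    def sign(self, m: bytes) -> int:
        self.hash(m)                                # signing queries also populate H-List
        s, _ = self.h_list[m]
        if s is None:
            raise RuntimeError("abort: the guessed query was sent for signing")
        return s                                    # sigma = s is valid since f(s) = H(m)

    def extract(self, m: bytes, sigma: int):
        """Vf plus extraction: a valid forgery on the c-th hashed message is a preimage of y."""
        r = self.hash(m)                            # the forgery message counts as a query too
        return sigma if (f(sigma) == r and r == self.y) else None


def forger(hash_oracle, sign_oracle):
    """A stand-in EUF-CMA adversary (hypothetical). It is handed the trapdoor through
    f_inv only so that the demonstration has a successful forger; the reduction does
    not depend on how A forges, only on the fact that it does."""
    sign_oracle(b"invoice-1")                       # two legitimate signing queries
    sign_oracle(b"invoice-2")
    r = hash_oracle(b"target")                      # one hash query on a fresh message...
    return b"target", f_inv(r)                      # ...which A then forges a signature on


def run_reduction(y: int, c: int):
    """Run B with guess c against the forger; return x with f(x) == y, or None."""
    b = SimulatorB(y, c)
    try:
        m, sigma = forger(b.hash, b.sign)
    except RuntimeError:                            # wrong guess: G2 aborts
        return None
    return b.extract(m, sigma)


def guesses_that_invert(y: int, q_total: int):
    """Guesses c in 1..q_total (= q_h + q_s + 1) for which B inverts y. For the forger
    above exactly one succeeds, which is the 1/(q_h + q_s + 1) loss in the theorem."""
    return [c for c in range(1, q_total + 1) if run_reduction(y, c) is not None]
```

Enumerating every guess c for this forger ($q_h = 1$, $q_s = 2$, so $q_h + q_s + 1 = 4$ possible indices) shows that B inverts y for exactly one of them, which is where the factor $(q_h + q_s + 1)$ in the bound comes from; the simulation itself costs one forward evaluation of f per fresh hash record, matching the $(q_S + q_H) T_f$ term.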


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

- A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute f (in the forward direction);
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

- at most $2^{75}$ operations (t),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: if one can break the scheme in time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring using the best known algorithm, the Number Field Sieve (NFS)) for f = RSA:

- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
- 4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. Solving (inverting) f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption).

The goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary is:

- Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; the adversary receives $k_e$.
- Adversary (CCA1 phase): sends ciphertexts c and receives m or ⊥, where $m \leftarrow D_{k_d}(c)$.
- Adversary: chooses $m_0$, $m_1$ and sends them to the challenger.
- Challenger: $c^* \leftarrow E_{k_e}(m_b)$ and sends $c^*$ to the adversary.
- Adversary (CCA2 phase): sends ciphertexts $c \ne c^*$ and receives m or ⊥, where $m \leftarrow D_{k_d}(c)$.
- Adversary: outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\text{AS}}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let m be a random message chosen from the message space M.
- From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{\text{AS}}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$


Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

- OW-CPA = RSA (modular e-th roots).
- It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

- OW-CPA = CDH (Computational Diffie-Hellman).
- IND-CPA = DDH (Decisional Diffie-Hellman).
- It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
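To make the IND-CCA game from the previous slides concrete, here is an added example in Python (not from the slides): a challenger that runs the game with a CCA1/CCA2 switch on the decryption oracle, instantiated with textbook ElGamal over a constructed toy group, and an adversary that uses the multiplicativity just mentioned to decide b. The group parameters, the function and class names and the two challenge messages are assumptions of this example.

```python
"""IND-CCA game harness instantiated with textbook ElGamal (added example)."""
import secrets

# Constructed toy group: safe prime p = 2q + 1 with q = 509, and g = 4, which
# generates the order-q subgroup of quadratic residues. Toy-sized on purpose.
P, Q_ORD, GEN = 1019, 509, 4


def keygen():
    """Return (k_e, k_d) = (h = g^x, x)."""
    x = 1 + secrets.randbelow(Q_ORD - 1)
    return pow(GEN, x, P), x


def encrypt(h: int, m: int):
    """Randomized ElGamal encryption: (g^r, m * h^r) mod p."""
    r = 1 + secrets.randbelow(Q_ORD - 1)
    return pow(GEN, r, P), (m * pow(h, r, P)) % P


def decrypt(x: int, c):
    """m = c2 * (c1^x)^{-1} mod p."""
    c1, c2 = c
    return (c2 * pow(pow(c1, x, P), -1, P)) % P


def ind_cca_game(adversary, cca2: bool) -> bool:
    """One run of the IND-CCA game from the slides. The decryption oracle answers any
    c != c* in the CCA2 variant; in CCA1 it is only available before c* is issued.
    Returns True iff the adversary's guess b' equals the challenger's bit b."""
    h, x = keygen()
    state = {"challenge": None}

    def dec_oracle(c):
        if state["challenge"] is not None and not cca2:
            return None                  # CCA1: no decryption after the challenge
        if c == state["challenge"]:
            return None                  # the challenge itself is never decrypted (⊥)
        return decrypt(x, c)

    b = secrets.randbelow(2)
    m0, m1 = adversary.choose_messages(h, dec_oracle)
    c_star = encrypt(h, (m0, m1)[b])
    state["challenge"] = c_star
    b_prime = adversary.guess(h, dec_oracle, c_star, m0, m1)
    return b_prime == b


class MalleabilityAdversary:
    """Relies on the multiplicative structure the slides mention: (c1, 2 * c2) is a
    different ciphertext from c* but decrypts to 2 * m_b, so CCA2 access decides b."""

    def choose_messages(self, h, dec_oracle):
        return 123, 456                  # two distinct, same-length messages

    def guess(self, h, dec_oracle, c_star, m0, m1):
        c1, c2 = c_star
        answer = dec_oracle((c1, (2 * c2) % P))
        if answer is None:               # CCA1: oracle closed, nothing better than a coin flip
            return secrets.randbelow(2)
        return 0 if answer == (2 * m0) % P else 1


def success_rate(cca2: bool, trials: int = 400) -> float:
    """Fraction of game runs the adversary wins (1.0 under CCA2, about 0.5 under CCA1)."""
    wins = sum(ind_cca_game(MalleabilityAdversary(), cca2) for _ in range(trials))
    return wins / trials
```

In the CCA2 variant the adversary wins every run, while under CCA1, where the oracle closes once $c^*$ is issued, the same adversary is reduced to guessing: that is exactly the gap between the two attack models on the previous slide. Plaintext redundancy that the decryptor checks (as OAEP adds) is what turns such mauled ciphertexts into rejections instead of answers.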


Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, $k_0$, $k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$

$H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y, then return $c = f(x \| y)$.

D(c): compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
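An added example (not the slides' or Bellare-Rogaway's code) of the OAEP transform in Python, using the standard definition $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$ behind the slide's "compute x, y". G and H are instantiated with domain-separated SHA-256, f is a constructed toy RSA permutation with a 92-bit modulus, and the sizes n = 88, $k_0 = k_1 = 24$ are chosen so that $x \| y$ always fits below the modulus; all of these, and the function names, are assumptions of the example.

```python
"""f-OAEP encoding/decoding with redundancy check, f = toy RSA (added example)."""
import hashlib
import secrets

# OAEP parameters in bits, with n > k0 + k1 as required (constructed values).
N_BITS, K0, K1 = 88, 24, 24
MSG_BYTES = (N_BITS - K0 - K1) // 8          # 5-byte messages
X_BYTES, Y_BYTES = (N_BITS - K0) // 8, K0 // 8

# Constructed toy trapdoor permutation f = RSA. The modulus uses two Mersenne
# primes and is trivially factorable; it only has to exceed 2^n so every x||y fits.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), instantiated with domain-separated SHA-256."""
    return hashlib.sha256(b"G" + r).digest()[:X_BYTES]


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H" + x).digest()[:Y_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def oaep_encode(m: bytes, r: bytes) -> bytes:
    """x = (m || 0^k1) xor G(r), y = r xor H(x); returns the n-bit string x || y."""
    if len(m) != MSG_BYTES or len(r) != Y_BYTES:
        raise ValueError("bad message or randomness length")
    x = xor(m + bytes(K1 // 8), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_decode(xy: bytes):
    """Invert the transform; return m only if the k1 redundancy bits are all zero."""
    x, y = xy[:X_BYTES], xy[X_BYTES:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    if padded[MSG_BYTES:] != bytes(K1 // 8):
        return None                              # redundancy check failed
    return padded[:MSG_BYTES]


def encrypt(m: bytes) -> int:
    """E(m, r) = f(x || y) with fresh random r."""
    r = secrets.token_bytes(Y_BYTES)
    return pow(int.from_bytes(oaep_encode(m, r), "big"), E, N)


def decrypt(c: int):
    """D(c): x || y = f^{-1}(c), invert OAEP, check the redundancy; None on any failure."""
    if not 0 <= c < N:
        return None
    xy = pow(c, D, N)
    if xy >> N_BITS:                             # f^{-1}(c) is not an n-bit string
        return None
    return oaep_decode(xy.to_bytes(N_BITS // 8, "big"))
```

Decryption returns None both when $f^{-1}(c)$ does not fit in n bits and when the $k_1$ redundancy bits are not all zero, so a ciphertext that has been altered (for instance by multiplying it by $f(2)$, which f's multiplicativity would otherwise let pass) is rejected rather than decrypted; that check, together with the randomness r, is what the chosen-ciphertext security of the construction rests on.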


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting) f can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

- at most $2^{75}$ operations (t),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys (when instantiated in finite fields); all of them are subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V

Concluding Remarks


Limits and Benefits of Provable Security

"Provable security" does not yield absolute proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode is attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we back in time? Model, attack, re-model, ... Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189, Birkhäuser, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86 (11–15 Aug. 1986), volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. 2002. Unpublished manuscript (jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin / Heidelberg / New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

Outline

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security


Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next):
   security goal, attack model
3. A reduction

Complexity-theory vs Exact Security vs Practical Security

The interpretation of the reduction matters.

Given: adversary A within time t, with success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given: adversary A within time t and success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial-time algorithm"

Reduction: T is polynomial in t and ε

Security result: there is no polynomial-time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, e.g. when analyzing block ciphers.


Complexity-theory Security: Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

Exact Security

Given: adversary A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: there is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′·ε)/(t·ε′) = (t′/ε′)/(t/ε).

We want tight reductions, or at least reductions with a small tightness gap.
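The key-size arithmetic from the RSA-OAEP and RSA-OAEP++ slides (59–61) and the statement above that "from T(t) ≤ τ we can get bounds on minimal key sizes", carried out in code. This is an added example written for this page, not code from the tutorial or from Pointcheval's slides. It takes the reduction bounds and the adversary resources exactly as the slides quote them (t = 2^75, q_H = q_G = q_E = 2^55) and the slides' NFS cost estimates (2^80, 2^111, 2^149 for 1024/2048/4096-bit moduli) as assumed inputs, not recomputed. Because it evaluates the OAEP bound exactly instead of rounding the constant up to 2^113·k², its logarithms land a couple of bits below the slides' 2^133/2^135/2^137, with the same verdict for every key size.

```python
"""Exact-security bookkeeping: from a reduction bound t' = T(t, q, k) and an
estimate tau of the cost of the underlying problem, find the key sizes at which
the proof actually says something.  Added example for this page, not the
tutorial's code; all resource figures below are the ones quoted on the slides."""
from math import log2

# Adversary resources assumed on the slides: time 2^75, at most 2^55 oracle queries.
T_ADV = 2 ** 75
Q_H = Q_G = Q_E = 2 ** 55

# Cost (log2 operations) of factoring a k-bit modulus with the Number Field Sieve,
# as quoted on the slides; assumed here, not recomputed.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def oaep_reduction_time(t, k, q_h=Q_H, q_g=Q_G):
    """RSA-OAEP [Fujisaki-Okamoto-Pointcheval-Stern]: t' = 2t + q_H (2 q_G + q_H) k^2.
    Quadratic in the number of random-oracle queries, hence far from tight."""
    return 2 * t + q_h * (2 * q_g + q_h) * k ** 2


def oaep_pp_reduction_time(t, k, q_e=Q_E):
    """RSA-OAEP++ [Jonsson]: t' = t + q_E k^2, essentially tight."""
    return t + q_e * k ** 2


def reduction_is_meaningful(reduction, k, t=T_ADV):
    """The reduction rules out a time-t adversary only if running it (time t') is
    no more expensive than just factoring the modulus (time tau = 2^NFS_LOG2[k])."""
    return log2(reduction(t, k)) <= NFS_LOG2[k]


def min_secure_modulus(reduction, t=T_ADV):
    """Smallest modulus size in NFS_LOG2 at which the reduction is meaningful, or None."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(reduction, k, t):
            return k
    return None


def tightness_gap(t_prime, eps_prime, t, eps):
    """(t'/eps') / (t/eps), as defined on the tightness slide; 1 means tight."""
    return (t_prime / eps_prime) / (t / eps)


def report():
    """Per scheme: log2 of t' for each key size and the minimal secure modulus."""
    out = {}
    schemes = (("RSA-OAEP", oaep_reduction_time), ("RSA-OAEP++", oaep_pp_reduction_time))
    for name, red in schemes:
        out[name] = {
            "log2_t_prime": {k: round(log2(red(T_ADV, k)), 1) for k in sorted(NFS_LOG2)},
            "min_modulus_bits": min_secure_modulus(red),
        }
    return out


if __name__ == "__main__":
    for name, r in report().items():
        print(name, r)
```

The useful habit this encodes: treat the reduction as a cost function and compare it against the best known attack on the assumption per parameter size, rather than reading "provably secure" as a yes/no property. Swapping in a different adversary budget (`t=2**150`) shows the OAEP reduction becoming vacuous at every listed size.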


Part IV

Security Notions


Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model: attack venues (what the adversary can and cannot do) and leaked information (what the adversary can learn from honest users, often modeled by oracles).



Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message–signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key kv, it outputs a pair (m′, σ′) of a message and its signature such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]


Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

  (kv, ks) ←$ K(·)

  kv ↓                                  ks ↓
  Adversary   ——— m ———→   Signing Oracle: σ ← Sign(ks, m)
              ←—— σ ———
              ··· (adaptively, as many times as it wants)
  ↓ (m′, σ′)

Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for a new m′ ]

(Existential unforgeability under chosen-message attacks)
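The EUF-CMA experiment above, played out in code against two toy RSA-based signature schemes. This is an added example written for this page, not code from the tutorial: the game object is the experiment (key generation, a signing oracle that records every queried message, and a final check that the output pair verifies and m′ is new), and the two forgers show why the attack model and the word "existential" matter. The toy key (two 30-bit primes, constructed here) is far too small for real use; the hashed variant is a full-domain-hash-style stand-in, not an implementation of any standard.

```python
"""EUF-CMA game (slide 35) against textbook RSA and hash-then-sign RSA.
Added example for this page; toy parameters, not real-world code."""
import hashlib
import random

# Constructed toy RSA key: two 30-bit primes, e = 65537.  Real keys need >= 2048 bits.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python >= 3.8)


def to_int(m: bytes) -> int:
    return int.from_bytes(m, "big")


class TextbookRSA:
    """Sign(m) = m^d mod N, Vf(m, s) = [s^e mod N == m]: no hashing, no padding."""
    def keygen(self):
        return (N, E), D

    def sign(self, sk, m: bytes) -> int:
        return pow(to_int(m) % N, sk, N)

    def verify(self, vk, m: bytes, s: int) -> bool:
        n, e = vk
        return pow(s, e, n) == to_int(m) % n


class HashedRSA(TextbookRSA):
    """Full-domain-hash style: sign H(m) mod N instead of m (toy H = SHA-256 mod N)."""
    @staticmethod
    def h(m: bytes) -> int:
        return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

    def sign(self, sk, m: bytes) -> int:
        return pow(self.h(m), sk, N)

    def verify(self, vk, m: bytes, s: int) -> bool:
        n, e = vk
        return pow(s, e, n) == self.h(m)


class EufCmaGame:
    """The experiment: (kv, ks) <- K, a signing oracle that records queries, and a
    final check that (m', s') verifies AND m' was never queried."""
    def __init__(self, scheme):
        self.scheme = scheme
        self.vk, self.sk = scheme.keygen()
        self.queried = set()

    def sign_oracle(self, m: bytes) -> int:
        self.queried.add(m)
        return self.scheme.sign(self.sk, m)

    def finish(self, m: bytes, s: int) -> bool:
        return m not in self.queried and self.scheme.verify(self.vk, m, s)


def nma_forger(game: EufCmaGame, rng: random.Random) -> bool:
    """No-message attack: pick s at random and output the message it 'signs'.
    Wins against textbook RSA; against hashed RSA it would need a preimage of s^e."""
    n, e = game.vk
    s = rng.randrange(2, n)
    m = pow(s, e, n).to_bytes(8, "big")
    return game.finish(m, s)


def cma_forger(game: EufCmaGame, rng: random.Random) -> bool:
    """Chosen-message attack using RSA's multiplicativity: ask for signatures on m1
    and m2, then forge a signature on m1*m2 mod N, a message never sent to the oracle."""
    n, e = game.vk
    m1 = rng.randrange(2, n).to_bytes(8, "big")
    m2 = rng.randrange(2, n).to_bytes(8, "big")
    s1, s2 = game.sign_oracle(m1), game.sign_oracle(m2)
    m3 = ((to_int(m1) * to_int(m2)) % n).to_bytes(8, "big")
    return game.finish(m3, (s1 * s2) % n)


def run_experiments(seed: int = 0) -> dict:
    """Map (scheme, forger) -> whether the forger wins one run of the game."""
    rng = random.Random(seed)
    return {
        (scheme.__name__, forger.__name__): forger(EufCmaGame(scheme()), rng)
        for scheme in (TextbookRSA, HashedRSA)
        for forger in (nma_forger, cma_forger)
    }


if __name__ == "__main__":
    for key, won in run_experiments().items():
        print(key, "forgery succeeds" if won else "forgery fails")
```

Two things the game makes visible that the prose does not: the `queried` set is what turns "the adversary can ask for signatures" into a precise winning condition (a replayed oracle answer is valid but not a forgery), and the textbook scheme loses against both forgers because the adversary gets to choose m′ freely, which is exactly what "existential" forgery permits.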


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of)



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].
Hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.
The same query asked twice receives the same answer twice.

But in the actual scheme, $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1 Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2 Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

$\mathcal{K}$: Key Generation returns $(f, f^{-1})$ where
  Public key: $f : X \to X$, a trapdoor one-way permutation onto $X$
  Private key: $f^{-1}$
$\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$
$\mathcal{V}$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,
$T_f$ is the time to compute $f$ (in the forward direction),
$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use a game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1 Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.
2 All games are in the same probability space.
3 The rules on how the view of the game is computed differ.
4 Successive games are very similar, typically with slightly different probability distributions.
5 $G_0$ is the actual security game (EUF-CMA).
6 $G_5$ is the game for the underlying assumption (OW).
7 We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf$(m, \sigma)$: Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$ but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Create an initially empty list called H-List.
  If $(q, r) \in$ H-List, return $r$.
  Otherwise reply using Rule H(1): $r \leftarrow_{\$} X$, and add record $(q, r)$ to H-List.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$. Reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle Vf$(m, \sigma)$:
  $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$ but where

$c \leftarrow_{\$} \{1, \ldots, q_H + q_S + 1\}$.
Let $c'$ be the index of the first query where message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle by $A$.
If $c \ne c'$ then abort.

Success verification is within the game ⇒ the adversary must query his output message $m$.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$ but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose random. Add record $(q, \bot, r)$ to H-List.

Since position $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$ but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.
  Otherwise choose random $s \leftarrow_{\$} X$ and compute $r \leftarrow f(s)$.
  Add record $(q, s, r)$ to H-List.

Since position $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:
  the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;
  a signature forgery for $y$ gives a preimage for $y$.

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.



Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
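The random-oracle simulation (rule H(1)), the FDH scheme $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ and the simulator $B$ of game $G_5$ (rules H(4) and S(5)), as one added Python example; this is not code from the slides or from Bellare-Rogaway. It assumes a toy RSA modulus (constructed primes 61 and 53, public exponent 17) as the trapdoor permutation $f$ on $X = \mathbb{Z}_N$; the names RandomOracle, fdh_sign, fdh_verify and FDHSimulator are the example's own.

```python
"""FDH signatures in the random-oracle model, and the reduction's simulator.

Added example; not code from Hevia's slides or from Bellare-Rogaway.
Toy RSA parameters are constructed here for illustration only.
Requires Python 3.8+ (pow with a negative exponent).
"""
import secrets

# --- Toy trapdoor permutation f(x) = x^e mod N on X = Z_N (constructed keys) ---
P, Q, E = 61, 53, 17                 # toy primes and public exponent
N = P * Q                            # 3233
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753, the trapdoor


def f(x, n=N, e=E):
    """Forward direction (public): anyone can compute it, cost T_f."""
    return pow(x, e, n)


def f_inv(y, n=N, d=D):
    """Trapdoor direction (the private key f^{-1})."""
    return pow(y, d, n)


class RandomOracle:
    """Lazily sampled random oracle H: {0,1}* -> Z_N (rule H(1) of game G1).

    A fresh query gets a uniform answer; a repeated query gets the stored one.
    """

    def __init__(self, n=N):
        self.n = n
        self.h_list = {}                          # H-List: q -> r

    def query(self, q):
        if q not in self.h_list:
            self.h_list[q] = secrets.randbelow(self.n)
        return self.h_list[q]


def fdh_sign(H, m):
    """S: sigma <- f^{-1}(H(m))."""
    return f_inv(H.query(m))


def fdh_verify(H, m, sigma):
    """V: true iff f(sigma) = H(m)."""
    return f(sigma) == H.query(m)


class FDHSimulator:
    """Adversary B of game G5: answers A's hash/sign queries WITHOUT f^{-1}.

    H-List maps q -> (s, r) with r = f(s), so the preimage s is known
    (rule H(4)); the c-th fresh hash query instead gets r = y, s = bottom.
    Signing returns the stored s (rule S(5)); if A asks to sign the c-th
    message, the guess c was wrong and B aborts.
    """

    def __init__(self, y, c, n=N):
        self.y, self.c, self.n = y, c, n
        self.h_list = {}                          # q -> (s, r)
        self.fresh = 0                            # fresh hash queries so far
        self.aborted = False

    def hash(self, q):
        if q not in self.h_list:
            self.fresh += 1
            if self.fresh == self.c:
                self.h_list[q] = (None, self.y)   # embed the OW challenge y
            else:
                s = secrets.randbelow(self.n)
                self.h_list[q] = (s, f(s, self.n))
        return self.h_list[q][1]

    def sign(self, m):
        self.hash(m)                              # signing implies a hash query
        s, _ = self.h_list[m]
        if s is None:
            self.aborted = True                   # cannot sign without f^{-1}
        return s

    def extract(self, m_forged, sigma_forged):
        """Turn a valid forgery on the c-th message into a preimage of y."""
        if self.aborted or self.hash(m_forged) != self.y:
            return None                           # bad guess of c
        if f(sigma_forged, self.n) != self.y:
            return None                           # forgery does not verify
        return sigma_forged


if __name__ == "__main__":
    H = RandomOracle()
    sig = fdh_sign(H, b"transfer 10")
    print("FDH verify:", fdh_verify(H, b"transfer 10", sig))
    x = secrets.randbelow(N)
    sim = FDHSimulator(y=f(x), c=1)
    sim.hash(b"target")                           # lands on the challenge slot
    # The demo stands in for a forger by using the trapdoor; B itself never does.
    print("simulator extracts x:", sim.extract(b"target", f_inv(f(x))) == x)
```

FDHSimulator counts fresh hash queries, including the one forced by each signing query and the one on the forged message, which is why $c$ ranges over $q_H + q_S + 1$ positions: if $A$ later asks to sign the $c$-th message the simulator cannot answer and aborts (the bad guess), and a valid forgery on that message is exactly a preimage of $y$.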

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,
$T_f$ is the time to compute $f$ (in the forward direction),
$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),
at most $2^{55}$ hash queries ($q_h$), and
at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme with time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f$ = RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h, q_s$ queries. So inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal cannot be too strong:
Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$.

Security game (diagram): the challenger draws $b \leftarrow_{\$} \{0,1\}$ and $(k_e, k_d) \leftarrow_{\$} \mathcal{K}(\cdot)$, and the adversary is given $k_e$. The adversary sends ciphertexts $c$ to a decryption oracle and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\bot$: before the challenge (CCA1), and also after it for any $c \ne c^*$ (CCA2). The adversary sends $(m_0, m_1)$, the challenger returns $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$, and the adversary outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr[\, (m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' = b \,]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^{ow-cpa}_{AS}(A) = Pr[ m ←$ M; c ← E_ke(m) : A(ke, c) = m ]

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots)
It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman)
IND-CPA = DDH (Decisional Diffie-Hellman)
It is not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
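The IND-CCA2 game of slide 54, the OW-CPA game of slide 55 and the remark above that ElGamal is not IND-CCA because of multiplicativity, written out as a runnable Python harness. This is an added example, not part of the original slides: the scheme is a toy ElGamal over Z_p^* with a constructed 127-bit Mersenne prime and g = 3 (the names P, G, keygen, encrypt, decrypt, ind_cca2_game, ow_cpa_game, MalleabilityAdversary and win_rate are my choices). The challenger enforces the single rule of the CCA2 oracle, refusing only the challenge ciphertext c* itself, which is exactly why the related ciphertext (c1, 2·c2) is decrypted and the adversary learns m_b.

```python
import secrets

# Toy ElGamal over Z_p^* with p = 2^127 - 1 (a Mersenne prime) and g = 3.
# Constructed parameters for illustration only; a real deployment uses a
# prime-order group of standardised size, not these values.
P = (1 << 127) - 1
G = 3


def keygen():
    """K(): returns (ke, kd) = (g^x mod p, x)."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, p-2]
    return pow(G, x, P), x


def encrypt(ke, m):
    """E_ke(m) = (g^r, m * ke^r mod p) for a fresh random r; m in [1, p-1]."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(ke, r, P)) % P


def decrypt(kd, c):
    """D_kd(c) = c2 * c1^(-kd) mod p, using c1^(p-1) = 1 to form the inverse."""
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - kd, P)) % P


def ind_cca2_game(adversary):
    """One run of the IND-CCA2 game from the slides.

    The challenger picks b and the key pair, hands the adversary the public key
    and a decryption oracle, encrypts m_b as the challenge c*, and from then on
    the oracle answers every query except c* itself (None stands for the symbol
    'bottom').  Returns True when the adversary's guess b' equals b.
    """
    ke, kd = keygen()
    challenge = None

    def dec_oracle(c):
        if challenge is not None and c == challenge:
            return None                       # the one forbidden query
        return decrypt(kd, c)

    b = secrets.randbits(1)
    m0, m1 = adversary.choose(ke, dec_oracle)             # queries before the challenge
    challenge = encrypt(ke, (m0, m1)[b])
    b_prime = adversary.guess(ke, challenge, dec_oracle)  # queries after, c != c*
    return b_prime == b


def ow_cpa_game(adversary):
    """One run of the OW-CPA game: recover a uniformly random message from its ciphertext."""
    ke, kd = keygen()
    m = secrets.randbelow(P - 1) + 1          # m uniform in the message space [1, p-1]
    return adversary(ke, encrypt(ke, m)) == m


class MalleabilityAdversary:
    """Wins IND-CCA2 against ElGamal through the multiplicativity noted on the slides:
    (c1, 2*c2) is a different ciphertext that decrypts to 2*m_b, so the oracle
    is allowed to answer it."""

    def choose(self, ke, dec_oracle):
        self.m0, self.m1 = 5, 7               # two distinct messages of equal length
        return self.m0, self.m1

    def guess(self, ke, challenge, dec_oracle):
        c1, c2 = challenge
        twice_m = dec_oracle((c1, (2 * c2) % P))
        m = (twice_m * pow(2, P - 2, P)) % P  # divide by 2 modulo p
        return 0 if m == self.m0 else 1


def win_rate(game, adversary, trials):
    """Empirical Pr[adversary wins] over independent game runs."""
    return sum(game(adversary) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("ElGamal vs. malleability adversary, IND-CCA2 win rate:",
          win_rate(ind_cca2_game, MalleabilityAdversary(), 100))
    print("OW-CPA, random-guess adversary, win rate:",
          win_rate(ow_cpa_game, lambda ke, c: secrets.randbelow(P - 1) + 1, 100))
```

Running the block shows the malleability adversary winning every run of the IND-CCA2 game, while a random-guess adversary in the OW-CPA game essentially never wins; the same scheme thus sits at different points of the two notions, which is the observation the slide above makes for ElGamal.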

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)

H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute x || y = f^(−1)(c), invert OAEP, then check the redundancy.

58/77
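An instantiation of f-OAEP as an added example (not from the slides, nor Bellare and Rogaway's own code): f is a toy RSA permutation with constructed Mersenne-prime factors, G and H are built from SHA-256 in the hash-as-random-oracle style the proof on the next slide relies on, and the x, y step the slide leaves implicit follows Bellare and Rogaway's definition, x = (m || 0^k1) ⊕ G(r), y = r ⊕ H(x). The function and parameter names (oaep_pad, oaep_unpad, MSG_BITS, _mask, textbook_rsa) are assumptions of this example. The decryptor performs both checks the slide mentions: the inverted block must be an n-bit string, and its k1 redundancy bits must be zero; otherwise it returns ⊥ (None).

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy RSA trapdoor permutation f(x) = x^e mod N built from two known Mersenne
# primes (2^61 - 1 and 2^89 - 1), so N has about 150 bits.  Constructed for
# illustration only; nothing about these sizes is secure.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))          # private exponent (Python >= 3.8)

# OAEP parameters in bits: n > k0 + k1, and 2^n < N so that x || y lies in f's domain.
n, k0, k1 = 144, 48, 48
MSG_BITS = n - k0 - k1                        # 48-bit messages in this toy instance


def _mask(label: bytes, seed: bytes, out_bits: int) -> bytes:
    """Fixed-length 'random oracle' derived from SHA-256, used to instantiate G and H."""
    out, counter = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + counter.to_bytes(4, "big") + seed).digest()
        counter += 1
    return out[: out_bits // 8]


def G(r: bytes) -> bytes:      # {0,1}^k0 -> {0,1}^(n-k0)
    return _mask(b"G", r, n - k0)


def H(x: bytes) -> bytes:      # {0,1}^(n-k0) -> {0,1}^k0
    return _mask(b"H", x, k0)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> Tuple[bytes, bytes]:
    """Bellare-Rogaway OAEP: x = (m || 0^k1) XOR G(r), y = r XOR H(x)."""
    assert len(m) * 8 == MSG_BITS and len(r) * 8 == k0
    x = _xor(m + bytes(k1 // 8), G(r))
    y = _xor(r, H(x))
    return x, y


def oaep_unpad(x: bytes, y: bytes) -> Optional[bytes]:
    """Invert OAEP and check the k1 zero bits of redundancy; None (bottom) on failure."""
    r = _xor(y, H(x))
    padded = _xor(x, G(r))
    m, redundancy = padded[: MSG_BITS // 8], padded[MSG_BITS // 8 :]
    return m if redundancy == bytes(k1 // 8) else None


def encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """E(m, r): c = f(x || y), with a fresh random r unless one is supplied."""
    r = secrets.token_bytes(k0 // 8) if r is None else r
    x, y = oaep_pad(m, r)
    return pow(int.from_bytes(x + y, "big"), E, N)


def decrypt(c: int) -> Optional[bytes]:
    """D(c): x || y = f^-1(c), then invert OAEP and check the redundancy."""
    if not 0 <= c < N:
        return None
    xy = pow(c, D, N)
    if xy >= 1 << n:                          # not a valid n-bit padded block
        return None
    xy_bytes = xy.to_bytes(n // 8, "big")
    return oaep_unpad(xy_bytes[: (n - k0) // 8], xy_bytes[(n - k0) // 8 :])


def textbook_rsa(m: bytes) -> int:
    """Plain RSA without padding: deterministic, hence not IND-CPA (slide 56)."""
    return pow(int.from_bytes(m, "big"), E, N)


if __name__ == "__main__":
    msg = b"secret"                            # 6 bytes = 48 bits
    c = encrypt(msg)
    print("roundtrip ok:", decrypt(c) == msg)
    print("OAEP randomised:", encrypt(msg) != encrypt(msg))
    print("textbook RSA deterministic:", textbook_rsa(msg) == textbook_rsa(msg))
    print("tampered ciphertext rejected:", decrypt((c + 1) % N) is None)
```

The block also pairs the padded scheme with textbook RSA so that the determinism remark of slide 56 is visible: two OAEP encryptions of the same message differ, two textbook encryptions coincide, and a ciphertext altered by one unit fails the redundancy check instead of yielding a plaintext.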

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · √( Adv^{rsa}_{n,e}(B) )

where B runs in time t' = 2·t + qH·(2·qG + qH)·k^2 if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size, and e is small.

Solving (inverting f) can then be done in time t' ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible resources of any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + qE·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now? Model, attacks, remodel... Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Concluding Remarks

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Concluding Remarks

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACMTISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Provable Security

A misleading name

Not really proving a scheme secure, but showing a reduction from the security of the scheme to the security of the underlying assumption (or primitive).

⇒ Reductionist security

24/77

Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)

2. To define the security notions to be guaranteed (next):
   Security goal
   Attack model

3. A reduction

25/77

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: an adversary A, within time t, with success probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t) with success probability ε' = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

Complexity theory: T polynomial

Exact security: T explicit

Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: an adversary A, within time t and success probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: an adversary A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g., the key sizes)

Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $(t'\varepsilon)/(t\varepsilon') = (t'/\varepsilon')/(t/\varepsilon)$.

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion?

We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model: attack venues (what the adversary can and cannot do) and leaked information (what the adversary can learn from honest users, often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\mathrm{Vf}(k_v, m', \sigma') = 1]$

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it gets to see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]. Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$

(Diagram: the adversary receives $k_v$, exchanges queries $m$ and answers $\sigma$ with a signing oracle that holds $k_s$ and computes $\sigma \leftarrow \mathrm{Sign}(k_s, m)$, and finally outputs $(m', \sigma')$.)

$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m']$

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,

block ciphers,

finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

$\Rightarrow$ Idealized Security Models

Hash function $\rightarrow$ Random oracle

Block ciphers $\rightarrow$ Ideal cipher

Finite groups $\rightarrow$ Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.

The same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

$\mathcal{K}$: key generation returns $(f, f^{-1})$ where the public key is $f: X \rightarrow X$, a trapdoor one-way permutation onto X, and the private key is $f^{-1}$.

$\mathcal{S}$: the signature of m is $\sigma \leftarrow f^{-1}(H(m))$.

$\mathcal{V}$: verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77

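As an added worked example (not part of the original slides), the following Python code instantiates the exact-security recipe of the slides above for the FDH theorem: it turns a forger's $(t, \varepsilon, q_h, q_s)$ into the inverter's $(t', \varepsilon')$, computes the tightness gap of the "Measuring the Quality of the Reduction" slide and its cost in bits, and checks whether an assumed $(\tau, \delta)$ hardness of f rules the forger out. All parameter values (query counts, times, the 128-bit target) are constructed for illustration.

```python
import math


def fdh_reduction(t, eps, qh, qs, Tf):
    """Parameters (t', eps') of the inverter B built from a forger A with
    running time t, success probability eps, qh hash and qs signing queries,
    following the FDH theorem: t' = t + (qh + qs)*Tf, eps' = eps/(qh + qs + 1)."""
    return t + (qh + qs) * Tf, eps / (qh + qs + 1)


def tightness_gap(t, eps, t_prime, eps_prime):
    """(t'/eps') / (t/eps) = (t' eps) / (t eps'); 1 means a perfectly tight reduction."""
    return (t_prime * eps) / (t * eps_prime)


def security_loss_bits(t, eps, qh, qs, Tf):
    """log2 of the tightness gap: the number of security bits the reduction loses.
    For FDH this is essentially log2(qh + qs + 1), i.e. the number of hash queries
    the forger is allowed, plus a small term from the extra (qh + qs)*Tf work."""
    t_p, e_p = fdh_reduction(t, eps, qh, qs, Tf)
    return math.log2(tightness_gap(t, eps, t_p, e_p))


def forger_excluded(t, eps, qh, qs, Tf, tau, delta):
    """The 'security result' of the exact-security slide, instantiated for FDH:
    if no inverter of f runs within time tau with success >= delta, then no forger
    with (t, eps, qh, qs) exists, because B would contradict that assumption.
    Returns False when the theorem gives no guarantee for these parameters."""
    t_p, e_p = fdh_reduction(t, eps, qh, qs, Tf)
    return t_p <= tau and e_p >= delta


def required_ow_bits(k, qh, qs, Tf):
    """Work factor (in bits) that the one-wayness of f must withstand so that every
    forger with t/eps >= 2^k is ruled out: the worst case is t = 2^k, eps = 1, and
    B then needs t'/eps' = (2^k + (qh + qs)*Tf) * (qh + qs + 1) operations per
    success. This is the 'minimal key size' bound the slides mention: f (e.g. the
    RSA modulus) must be chosen for this larger level, not for k bits."""
    t_p, _ = fdh_reduction(2 ** k, 1.0, qh, qs, Tf)
    return math.log2(t_p * (qh + qs + 1))   # exact integer arithmetic inside log2
```

With q_h = 2^60 hash queries the loss is about 60 bits, so a 128-bit forgery bound on FDH needs f to be one-way at roughly 188 bits.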

Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: keep an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $\mathcal{S}(m)$: $r \leftarrow H(m)$; reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If $c \ne c'$ then abort.

Since verification is within the game $\Rightarrow$ the adversary must query its output message m to the hashing oracle.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$. Otherwise choose r at random. Add the record $(q, \perp, r)$ to H-List.

Since y is itself uniformly random in X (as the r it replaces was), $\Pr[S_3] = \Pr[S_2]$.

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the c-th query (the forgery message $m'$, which must be new) cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage for y;

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1]
\ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0]
= \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that
$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where
$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
$T_f$ is the time to compute $f$ (in the forward direction);
$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:
at most $2^{75}$ operations ($t$),
at most $2^{55}$ hash queries ($q_h$), and
at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B), \qquad B \text{ runs in time } t' = t + (q_h + q_s) \cdot T_f$$

The result now says:

Interpreting the Result
If one can break the scheme within time $t$, then one can invert $f$ within time
$$t' \le (q_h + q_s + 1)\,\bigl(t + (q_h + q_s) \cdot T_f\bigr) \le 2^{130} + 2^{110} \cdot T_f$$

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time
$$t' \le 2^{130} + 2^{110} \cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:
1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries.

Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and
1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal cannot be too strong:
Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).
Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$:

Challenger: $b \xleftarrow{\$} \{0,1\}$; $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the adversary.
Adversary: may query the decryption oracle with any $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\bot$ (CCA1: only before the challenge); outputs $m_0, m_1$.
Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$; sends $c^*$.
Adversary: may keep querying the decryption oracle on any $c \neq c^*$ (CCA2 only); outputs $b'$.

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\bigl[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' = b\bigr]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
Let $m$ be a random message chosen from the message space $\mathcal{M}$.
From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as
$$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\bigl[m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\bigr]$$

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots).
It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman).
IND-CPA = DDH (Decisional Diffie-Hellman).
It's not IND-CCA, because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
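The IND game of slide 54 and the two observations of slide 56 (a deterministic scheme is not IND-CPA; a multiplicative scheme is not IND-CCA) can be made concrete with a small game harness. The following is an added example, not code from the slides: the game runner enforces the CPA / CCA1 / CCA2 oracle rules, and two toy schemes with constructed parameters (textbook RSA with the classic $n = 61 \cdot 53$, and ElGamal in the order-509 subgroup of $\mathbb{Z}^*_{1019}$) are played against adversaries that use exactly the property the slide names. Both adversaries win with $\Pr[b' = b] = 1$, i.e. the schemes fail the respective notion.

```python
"""IND-CPA / IND-CCA game harness with two toy schemes (added example).
All parameters are constructed for illustration; nothing here is a real key size."""
import secrets


class TextbookRSA:
    """Deterministic textbook RSA: at best OW-CPA (slide 56)."""
    def keygen(self):
        n, e, d = 3233, 17, 2753           # 3233 = 61 * 53; e*d = 1 mod lcm(60, 52)
        return (n, e), (n, d)
    def enc(self, pk, m):
        n, e = pk
        return pow(m, e, n)
    def dec(self, sk, c):
        n, d = sk
        return pow(c, d, n)


class ElGamal:
    """Randomised ElGamal over the safe prime 1019 = 2*509 + 1; g = 4 has order 509."""
    p, q, g = 1019, 509, 4
    def keygen(self):
        x = 1 + secrets.randbelow(self.q - 1)
        return pow(self.g, x, self.p), x
    def enc(self, pk, m):
        r = 1 + secrets.randbelow(self.q - 1)
        return pow(self.g, r, self.p), (m * pow(pk, r, self.p)) % self.p
    def dec(self, sk, c):
        c1, c2 = c
        return (c2 * pow(c1, self.p - 1 - sk, self.p)) % self.p   # c2 / c1^x


def ind_game(scheme, adversary, atk):
    """One IND-atk experiment, atk in {"cpa", "cca1", "cca2"}; True iff b' == b."""
    pk, sk = scheme.keygen()
    b = secrets.randbelow(2)
    challenge = [None]

    def dec_oracle(c):
        # CPA: no oracle; CCA1: only before the challenge; CCA2: afterwards too,
        # but never on the challenge itself (the game answers ⊥ there).
        if atk == "cpa":
            raise PermissionError("no decryption oracle under CPA")
        if challenge[0] is not None:
            if atk == "cca1":
                raise PermissionError("CCA1 oracle is closed after the challenge")
            if c == challenge[0]:
                return None
        return scheme.dec(sk, c)

    m0, m1 = adversary.choose(pk, dec_oracle)
    c_star = scheme.enc(pk, m1 if b else m0)
    challenge[0] = c_star
    return adversary.guess(pk, c_star, dec_oracle) == b


class DeterminismDistinguisher:
    """Against any deterministic scheme: re-encrypt m0 and compare; no oracle needed."""
    def __init__(self, scheme):
        self.scheme = scheme
    def choose(self, pk, _dec):
        return 42, 1337
    def guess(self, pk, c_star, _dec):
        return 0 if self.scheme.enc(pk, 42) == c_star else 1


class MalleabilityDistinguisher:
    """Against ElGamal under CCA2: the related ciphertext (c1, c2*g) is != c*,
    so the oracle decrypts it to m_b * g, and dividing by g reveals m_b."""
    def __init__(self, scheme):
        self.s = scheme
    def choose(self, pk, _dec):
        return pow(self.s.g, 3, self.s.p), pow(self.s.g, 7, self.s.p)
    def guess(self, pk, c_star, dec):
        c1, c2 = c_star
        m_times_g = dec((c1, (c2 * self.s.g) % self.s.p))
        m = (m_times_g * pow(self.s.g, self.s.p - 2, self.s.p)) % self.s.p
        return 0 if m == pow(self.s.g, 3, self.s.p) else 1


def win_rate(scheme, adversary, atk, trials=50):
    """Empirical Pr[b' = b] over independent runs of the game."""
    return sum(ind_game(scheme, adversary, atk) for _ in range(trials)) / trials


def oracle_refused(scheme, adversary, atk):
    """True iff the game rejects the adversary's oracle use under this attack model."""
    try:
        ind_game(scheme, adversary, atk)
    except PermissionError:
        return True
    return False
```

The same `MalleabilityDistinguisher` is refused under CCA1, which is the point of the CCA1/CCA2 distinction on slide 54: the related-ciphertext query only exists after the challenge is known. The harness itself is generic, so any (keygen, enc, dec) triple can be dropped in to check a candidate scheme against these two sanity tests before trusting a stronger claim.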

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
Any trapdoor one-way function may yield a OW-CPA encryption scheme.
OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.

57/77

f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with
$$G : \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}, \qquad H : \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$$

$\mathcal{E}(m, r)$: compute $x$, $y$, then return $c = f(x \| y)$.
$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
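The slide leaves the computation of $x$ and $y$ to its figure. As an added example (not code from the slides), the following implements the standard Bellare-Rogaway 1994 OAEP transform, $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, together with its inverse and the redundancy check that $\mathcal{D}$ performs. The trapdoor permutation $f$ is deliberately left out, since the interesting part is what happens between $m$ and $x \| y$. Sizes are counted in bytes for convenience (an assumption: $n = 64$, $k_0 = k_1 = 16$), and $G$ and $H$ are instantiated with SHAKE256 under distinct labels, which is the example's choice, not the slide's.

```python
"""OAEP encode/decode with redundancy check (added example, not from the slides).
Standard BR94 formulas: x = (m || 0^k1) xor G(r), y = r xor H(x)."""
import hashlib
import hmac
import secrets
from typing import Optional

N_BYTES, K0, K1 = 64, 16, 16             # constructed sizes, n > k0 + k1


def _G(r: bytes) -> bytes:                # G: {0,1}^k0 -> {0,1}^(n-k0)
    return hashlib.shake_256(b"G|" + r).digest(N_BYTES - K0)


def _H(x: bytes) -> bytes:                # H: {0,1}^(n-k0) -> {0,1}^k0
    return hashlib.shake_256(b"H|" + x).digest(K0)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_encode(m: bytes, r: Optional[bytes] = None) -> bytes:
    """Return x || y for a message of exactly n - k0 - k1 bytes; r is the k0-byte seed."""
    if len(m) != N_BYTES - K0 - K1:
        raise ValueError("message must be exactly n - k0 - k1 bytes")
    r = secrets.token_bytes(K0) if r is None else r
    if len(r) != K0:
        raise ValueError("seed must be k0 bytes")
    x = _xor(m + bytes(K1), _G(r))         # (m || 0^k1) xor G(r)
    y = _xor(r, _H(x))                     # r xor H(x)
    return x + y


def oaep_decode(xy: bytes) -> Optional[bytes]:
    """Invert OAEP and check the k1 zero bytes of redundancy; None plays the role of ⊥."""
    if len(xy) != N_BYTES:
        return None
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = _xor(y, _H(x))                     # recover the seed first ...
    padded = _xor(x, _G(r))                # ... then strip G(r) from x
    m, redundancy = padded[:-K1], padded[-K1:]
    # Any damage to x or y changes r, so G(r) is fresh and the redundancy
    # is uniformly random: it equals 0^k1 with probability 2^-(8*k1).
    if not hmac.compare_digest(redundancy, bytes(K1)):
        return None
    return m
```

Note that both failure paths (wrong length, wrong redundancy) return the same $\bot$ and the comparison is constant-time: in the IND-CCA game the decryption oracle answers only "$m$ or $\bot$", and an implementation whose error behaviour distinguishes the two checks is offering the adversary more than the model assumes.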

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is
$$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$
where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and
1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model
Consider a block cipher $E$ as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound
The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are:
at most $2^{75}$ operations ($t$),
at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and
1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
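Slides 49-51, 59 and 61 all apply the same recipe: plug the feasible-adversary bounds into the reduction's running-time formula, take $\log_2$, and compare with the NFS cost for each modulus size. The following calculator is an added example (not from the slides) that records the four simplified bounds the slides derive, with the slides' query limits ($t \le 2^{75}$, $q_h = q_H = q_G = q_E \le 2^{55}$, $q_s \le 2^{30}$), the cost model each slide uses for $T_f$ ($k^3$ for the original FDH proof, $k^2$ elsewhere) and the slides' NFS estimates. It reports the exact exponent of each bound rather than the rounded power of two quoted on the slides, so individual exponents can differ from the slide by about one, but the verdict and the minimum key size agree with the slides for every reduction.

```python
"""Exact-security calculator for the reductions on slides 49-51, 59 and 61
(added example).  All constants are the slides' figures; the cost models for
T_f are the ones the respective slides use."""
import math

T = 2**75            # adversary running time bound
Q_HASH = 2**55       # bound on hash / ideal-cipher queries
Q_SIGN = 2**30       # bound on signing queries

# Slides' NFS cost estimate (log2 operations) for factoring a k-bit RSA modulus.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# name -> bound on the inverter's time t' for a k-bit modulus, as an exact integer
REDUCTIONS = {
    # slides 49/50: t' <= 2^130 + 2^110 * T_f with T_f = k^3
    "RSA-FDH [BR96]": lambda k: Q_HASH * T + Q_HASH * Q_HASH * k**3,
    # slide 51: t' <= 2^30 * t + 2^85 * T_f with T_f = k^2
    "RSA-FDH [Coron 00]": lambda k: Q_SIGN * T + Q_SIGN * Q_HASH * k**2,
    # slide 59: t' <= 2^76 + 6 * 2^110 * k^2
    "RSA-OAEP [FOPS 00]": lambda k: 2 * T + 6 * Q_HASH * Q_HASH * k**2,
    # slide 61: t' <= t + q_E * k^2
    "RSA-OAEP++ [Jonsson 02]": lambda k: T + Q_HASH * k**2,
}


def inverter_cost_log2(name, k):
    """log2 of the time t' the reduction gives an f-inverter for a k-bit modulus."""
    return math.log2(REDUCTIONS[name](k))


def reduction_is_meaningful(name, k):
    """The theorem says something only if inverting via the reduction beats NFS."""
    return inverter_cost_log2(name, k) <= NFS_LOG2[k]


def minimum_key_size(name):
    """Smallest modulus size in the slides' table at which the reduction is meaningful."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(name, k):
            return k
    return None


def security_table():
    """Rows (reduction, k, log2 t', log2 NFS, verdict) for every combination."""
    rows = []
    for name in REDUCTIONS:
        for k in sorted(NFS_LOG2):
            lg = inverter_cost_log2(name, k)
            verdict = "ok" if lg <= NFS_LOG2[k] else "no"
            rows.append((name, k, round(lg, 2), NFS_LOG2[k], verdict))
    return rows


if __name__ == "__main__":
    for name, k, lg, nfs, verdict in security_table():
        print(f"{name:<26} {k:>4} bits  log2 t' = {lg:>7}  NFS = 2^{nfs:<3} {verdict}")
```

Running the script prints the four tables of the slides side by side; changing the query bounds or the NFS estimates (for instance to the figures of [Lenstra-Verheul 01]) immediately shows how sensitive the recommended key size is to the tightness of the reduction rather than to the hardness assumption itself.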

Revisiting the Assumptions

Classical Assumptions:
Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
Error-Correcting Codes
Hash-based schemes
Systems of Multi-Variate Equations
Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:
Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
Definitions (models) need time for review and acceptance.
Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:
provides some form of guarantee that the scheme is not flawed;
motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

                                                            C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                            V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                            7677

                                                            V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                            S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                            7777

Outline

• Introduction to Provable Security
  • Part I: Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Part II: Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Part III: Reductions
  • Part IV: Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Part V: Concluding Remarks
    • Concluding Remarks
    • References

Provably Secure Scheme

Before calling a scheme provably secure we need:

1. To make precise the algorithmic assumptions (some given)
2. To define the security notions to be guaranteed (next):
   • Security goal
   • Attack model
3. A reduction

Complexity-theory vs Exact Security vs Practical Security

The interpretation of the reduction matters.

Given: an adversary A running within time t with success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):

• Complexity theory: T polynomial
• Exact security: T explicit
• Practical security: T small (linear)

Each gives us a way to interpret reduction results.

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard, i.e. "no polynomial-time algorithm"
Reduction: T is polynomial in t and 1/ε
Security result: there is no polynomial-time adversary,
which really means that there is no attack if the parameters are large enough.

Not always meaningful, e.g. when analyzing block ciphers: the key length is fixed, so there is no parameter to make "large enough".

Complexity-theory Security: Results

General results, under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption
2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but:

• the schemes for which these results were originally obtained are rather inefficient;
• looking into the complexity of the reduction may give us some insight.

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: solving P requires N operations (say, time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?
From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness
A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ ≫ t or ε′ ≪ ε, the reduction is not tight.

The tightness gap is

$\frac{t'/\varepsilon'}{t/\varepsilon} = \frac{t'\,\varepsilon}{t\,\varepsilon'}$

(the ratio of work-per-success of B to that of A; a gap of 1 is perfectly tight).

We want tight reductions, or at least reductions with a small tightness gap.

Part IV

Security Notions

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed
2. Attack model:
   • Attack venues: what the adversary can and cannot do
   • Leaked information: what the adversary can learn from honest users (often modeled by oracles)

Signature Schemes (Authentication)

Goal: Existential Forgery
The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key kv, it outputs a pair (m′, σ′) of a message and its signature such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

Possible Attack Models

• No-Message Attack (NMA): the adversary only knows the verification key
• Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs (not of its choosing)
• Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA
[Goldwasser, Micali, Rivest 1988]

Given a signature scheme Σ = (K, Sign, Vf), the experiment is:

  (kv, ks) ←$ K(·)
  kv → Adversary
  Adversary ⇄ Signing Oracle (holds ks): on query m, returns σ ← Sign(ks, m)   (adaptively, as often as A likes)
  Adversary → (m′, σ′)

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,]$

where "new" means m′ was never submitted to the signing oracle.

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

• hash functions,
• block ciphers,
• finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized security models:

• Hash function → Random oracle
• Block cipher → Ideal cipher
• Finite group → Generic group

Standard model: no idealized primitives (sort of).

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93].
The hash function H : {0,1}* → R (R the range of H) is analyzed as if it were a perfectly random function:

• each new query receives a uniformly random answer in R;
• the same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.; note that SHA-1 is no longer considered collision-resistant).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti-Goldreich-Halevi 98, 04].

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH = (K, S, V) is as follows:

K: key generation returns (f, f⁻¹), where
   public key: f : X → X, a trapdoor one-way permutation onto X
   private key: f⁻¹ (the trapdoor)
S: the signature of m is σ ← f⁻¹(H(m))
V: verification of (m, σ) returns true if f(σ) = H(m)

Here H : {0,1}* → X hashes onto the full domain X of f, hence the name.
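The random oracle (lazy sampling), the FDH scheme and the EUF-CMA experiment described above, put together as an added example; this is not code from the slides or from Bellare-Rogaway. A toy RSA stands in for the trapdoor permutation f, with constructed 20-bit primes, so the modulus is trivially factorable and nothing here is usable in practice; all function and class names are this example's own. It shows the two random-oracle rules, that honest signatures verify, and that the "new m′" condition is exactly what stops a replayed signature from counting as a forgery.

```python
# Added example (not from the slides): Full-Domain Hash over a toy RSA trapdoor
# permutation, with H modelled as a lazily sampled random oracle, run inside the
# EUF-CMA experiment. The primes below are constructed for illustration only.
import secrets
from typing import Callable, Dict, Set, Tuple

P, Q = 1000003, 1000033          # constructed toy primes: N is ~40 bits, trivially factorable
E = 65537                        # public exponent, coprime to (P-1)(Q-1)

PublicKey = Tuple[int, Callable[[int], int]]
SecretKey = Tuple[int, Callable[[int], int]]


def keygen() -> Tuple[PublicKey, SecretKey]:
    """K: returns (f, f^-1). f is RSA, a permutation of X = Z_N (N squarefree)."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))

    def f(x: int) -> int:            # public (forward) direction
        return pow(x, E, n)

    def f_inv(y: int) -> int:        # trapdoor direction, needs d
        return pow(y, d, n)

    return (n, f), (n, f_inv)


class RandomOracle:
    """H: {0,1}* -> X by lazy sampling. A new query gets a uniform value in X;
    a repeated query gets the stored value. `queries` counts distinct queries (q_h)."""

    def __init__(self, n: int) -> None:
        self.n = n
        self.table: Dict[bytes, int] = {}
        self.queries = 0

    def __call__(self, m: bytes) -> int:
        if m not in self.table:
            self.table[m] = secrets.randbelow(self.n)
            self.queries += 1
        return self.table[m]


def fdh_sign(sk: SecretKey, H: RandomOracle, m: bytes) -> int:
    """S: sigma <- f^-1(H(m))."""
    _, f_inv = sk
    return f_inv(H(m))


def fdh_verify(pk: PublicKey, H: RandomOracle, m: bytes, sigma: int) -> bool:
    """V: accept iff f(sigma) = H(m). The range check keeps sigma inside X."""
    n, f = pk
    return 0 <= sigma < n and f(sigma) == H(m)


Adversary = Callable[[PublicKey, RandomOracle, Callable[[bytes], int]], Tuple[bytes, int]]


def euf_cma_experiment(adversary: Adversary, qs_max: int = 16) -> bool:
    """One run of the EUF-CMA game. True iff the adversary wins:
    (m', sigma') verifies AND m' was never sent to the signing oracle."""
    pk, sk = keygen()
    H = RandomOracle(pk[0])
    signed: Set[bytes] = set()

    def sign_oracle(m: bytes) -> int:
        if len(signed) >= qs_max:
            raise RuntimeError("signing-query budget q_s exhausted")
        signed.add(m)
        return fdh_sign(sk, H, m)

    m_forged, sigma_forged = adversary(pk, H, sign_oracle)
    return m_forged not in signed and fdh_verify(pk, H, m_forged, sigma_forged)


def replay_adversary(pk, H, sign):
    """Re-submits a legitimately signed pair: it verifies, but m' is not new -> no win."""
    m = b"transfer 1 coin to Bob"
    return m, sign(m)


def random_guess_adversary(pk, H, sign):
    """Fresh message with a random sigma: wins only with probability 1/N."""
    n, _ = pk
    return b"transfer 1000 coins to Eve", secrets.randbelow(n)


def honest_signature_verifies() -> bool:
    pk, sk = keygen()
    H = RandomOracle(pk[0])
    m = b"hello"
    return fdh_verify(pk, H, m, fdh_sign(sk, H, m))


def estimate_advantage(adversary: Adversary, trials: int = 200) -> float:
    """Empirical Adv^euf-cma(A): fraction of independent runs the adversary wins."""
    return sum(euf_cma_experiment(adversary) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("honest signature verifies:", honest_signature_verifies())
    print("replay adversary advantage:", estimate_advantage(replay_adversary))
    print("random-guess adversary advantage:", estimate_advantage(random_guess_adversary))
```

The oracle counts distinct hash queries and the experiment caps signing queries, which is where the q_h and q_s of the exact-security bound on the next slide come from; an adversary that wants to exceed the budget simply fails the experiment.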

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)
Let FDH be the FDH signature scheme using a trapdoor one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

• A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
• T_f is the time to compute f (in the forward direction);
• B runs in time t′ = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction):
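To see what the bound above buys concretely, here is an added example (not from the slides) that plugs constructed adversary parameters into the theorem: it computes B's (t′, ε′), the tightness gap (t′/ε′)/(t/ε) defined earlier, and the number of security bits the reduction gives away. The "k bits of one-wayness" cost model used in guaranteed_forger_work_bits is this example's assumption, not the slides'.

```python
# Added example (not from the slides): concrete numbers for the FDH reduction
# Adv_FDH(A) <= (q_h + q_s + 1) * Adv_ow(B), with B running in t' = t + (q_h + q_s) * T_f.
import math
from typing import Dict, Tuple


def fdh_reduction_cost(t: float, eps: float, qh: int, qs: int, Tf: float) -> Tuple[float, float]:
    """The inverter B that the theorem builds from a forger A with parameters (t, eps, q_h, q_s).
    Reads the bound as an equality, i.e. the best case for the reduction."""
    t_prime = t + (qh + qs) * Tf
    eps_prime = eps / (qh + qs + 1)
    return t_prime, eps_prime


def tightness_gap(t: float, eps: float, t_prime: float, eps_prime: float) -> float:
    """(t'/eps') / (t/eps) = (t' * eps) / (t * eps'); 1.0 means perfectly tight."""
    return (t_prime * eps) / (t * eps_prime)


def bits_lost(gap: float) -> float:
    """Security bits the proof gives away: log2 of the tightness gap."""
    return math.log2(gap)


def guaranteed_forger_work_bits(k_ow: float, gap: float) -> float:
    """Assumed cost model (this example's, not the slides'): 'f has k_ow bits of
    one-wayness' means no inverter achieves t'/eps' < 2^k_ow. The theorem then only
    rules out forgers with t/eps < 2^(k_ow - log2 gap)."""
    return k_ow - bits_lost(gap)


def worked_example() -> Dict[str, float]:
    # Constructed adversary parameters; work is measured in evaluations of f (T_f = 1).
    t, eps = 2.0 ** 80, 0.5          # forger: 2^80 work, succeeds half the time
    qh, qs = 2 ** 60, 2 ** 30        # hashing is offline (many queries), signing is rationed
    Tf = 1.0
    t_prime, eps_prime = fdh_reduction_cost(t, eps, qh, qs, Tf)
    gap = tightness_gap(t, eps, t_prime, eps_prime)
    return {
        "t_prime": t_prime,
        "eps_prime": eps_prime,
        "gap": gap,
        "bits_lost": bits_lost(gap),
        # if f offers 128 bits of one-wayness, the proof only guarantees about 68 for FDH
        "guaranteed_bits_if_f_has_128": guaranteed_forger_work_bits(128, gap),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:.6g}")
```

The time part of the reduction is tight (t′ ≈ t, since (q_h + q_s)·T_f is dwarfed by t), so the whole gap comes from the probability loss of q_h + q_s + 1, and the hash-query count dominates because hashing costs the adversary nothing online. Turning the surviving bits into an RSA modulus size still needs a cost model for inverting f, such as the one in [Lenstra-Verheul 2001].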

Exact Security: FDH Signatures & Game-based Proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games live in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game, with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$:
Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
Create an initially empty list called H-List.
If $(q, r) \in$ H-List, return $r$.
Otherwise reply using
Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:
$r \leftarrow H(m)$. Reply using
Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$:
$r \leftarrow H(m)$. Return true if $r = f(\sigma)$.
The game ends when this oracle is called.

Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where
$c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$.
Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.
If $c \neq c'$ then abort.

Success verification is within the game $\Rightarrow$ the adversary must query his output message $m$.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.
Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since the position of $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since the position of $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery for $y$ gives a preimage of $y$.

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where $B = G_5$ runs in time $t + (q_S + q_H) \cdot T_f$.


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
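The following Python program is an added example, not part of the slides or of Pointcheval's notes: it implements the final simulator $B$ of game $G_5$ as code, so the bookkeeping behind rules H(4) and S(5) can be run. Assumptions: $f$ is a constructed toy RSA permutation ($p = 61$, $q = 53$, $e = 17$, far too small to be secure); $X = \mathbb{Z}_N$; H-List stores $(m, s, r)$ with $s = \perp$ only at the planted index $c$; and the "adversary" is an idealized forger that cheats with the trapdoor exponent so that a forgery actually occurs. A real forger has no trapdoor; the point is that $B$ never calls $f^{-1}$ and extracts the preimage of $y$ exactly when its guess $c$ hits the index of the forged message's first hash query.

```python
import secrets
from dataclasses import dataclass, field

# Toy trapdoor permutation f = RSA with constructed, insecure parameters.
P, Q, E = 61, 53, 17
N = P * Q                            # 3233
D = pow(E, -1, (P - 1) * (Q - 1))    # trapdoor exponent; the simulator B never uses it

def f(x: int) -> int:                # forward direction, cost T_f
    return pow(x, E, N)

def f_inv(y: int) -> int:            # f^{-1}, available only to the real signer (and our cheating forger)
    return pow(y, D, N)

class Abort(Exception):
    """The game aborts: the planted message was sent to the signing oracle, so c != c'."""

@dataclass
class SimulatorB:
    """Adversary B of game G5: answers A's oracle queries without f^{-1}."""
    y: int                                    # challenge: find x with f(x) = y
    c: int                                    # guessed 1-based index of the forged message's first H query
    hlist: dict = field(default_factory=dict) # H-List: m -> (s, r) with r = f(s), or s = None at index c
    queries: int = 0
    forward_evals: int = 0

    def H(self, m: bytes) -> int:
        if m in self.hlist:                   # repeated query: same answer (random-oracle consistency)
            return self.hlist[m][1]
        self.queries += 1
        if self.queries == self.c:            # Rule H(4), c-th query: plant y, preimage unknown
            s, r = None, self.y
        else:                                 # Rule H(4), other queries: r = f(s) for random s
            s = secrets.randbelow(N)
            r = f(s)
            self.forward_evals += 1
        self.hlist[m] = (s, r)
        return r

    def Sign(self, m: bytes) -> int:
        self.H(m)                             # Rule S(5): look up the stored preimage instead of f^{-1}
        s, _ = self.hlist[m]
        if s is None:                         # A wants a signature on the planted message: c != c'
            raise Abort
        return s

    def Verify(self, m: bytes, sigma: int) -> bool:
        return self.H(m) == f(sigma)          # the "+1" query: verification may hash a fresh message

def run_reduction(forger, y: int, c: int):
    """Run B with guess c against the forger; return a preimage of y, or None on failure."""
    sim = SimulatorB(y=y, c=c)
    try:
        m_star, sigma = forger(sim.H, sim.Sign)
    except Abort:
        return None
    if not sim.Verify(m_star, sigma):
        return None
    s, _ = sim.hlist[m_star]
    if s is not None:                         # c != c': H(m*) = f(s) for an s B already knew, nothing learned
        return None
    return sigma                              # H(m*) = y and f(sigma) = H(m*): sigma is the preimage of y

def idealized_forger(H, Sign):
    """Stand-in for adversary A: 2 hash queries, 2 signing queries, then a forgery on a
    message that was hashed but never signed. It cheats with the trapdoor D purely so
    that the reduction has a forgery to work with."""
    H(b"hello"); H(b"world")
    Sign(b"invoice-1"); Sign(b"invoice-2")
    m_star = b"world"                         # first hashed as query number 2, never signed
    return m_star, f_inv(H(m_star))

def success_indices(forger, y: int, qh: int, qs: int):
    """Which guesses c in 1..qh+qs+1 let B extract a preimage of y."""
    return [c for c in range(1, qh + qs + 2) if run_reduction(forger, y, c) is not None]

if __name__ == "__main__":
    x = secrets.randbelow(N)
    y = f(x)
    print("successful guesses c:", success_indices(idealized_forger, y, qh=2, qs=2))
    print("recovered preimage matches:", run_reduction(idealized_forger, y, 2) == x)
```

With this forger exactly one of the $q_H + q_S + 1 = 5$ guesses succeeds, which is the $1/(q_H + q_S + 1)$ factor of the theorem; a guess that lands on a signing query aborts, and a guess that lands elsewhere yields a forgery whose preimage $B$ already knew.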

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

where

A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme with time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f = $ RSA:

1024 bits $\rightarrow t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits $\rightarrow t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits $\rightarrow t' \le 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits $\rightarrow t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits $\rightarrow t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow t' \le 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.
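The arithmetic behind the two "is the reduction meaningful for this key size?" tables above, as an added Python example (not from the slides). It takes the slides' adversary budget ($t = 2^{75}$, $q_h = 2^{55}$, $q_s = 2^{30}$) and NFS cost estimates ($2^{80}$, $2^{111}$, $2^{149}$) as inputs, and converts a reduction "$\mathrm{Adv}(A) \le L \cdot \mathrm{Adv}(B)$ with $B$ running in time $t_B$" into the work $L \cdot t_B$ needed to invert $f$. Assumptions, labelled in the code: $T_f = k^3$ for the Bellare-Rogaway bound (as the slides state) and $T_f = k^2$ for Coron's bound, which is the cost model closest to the slides' $2^{105}/2^{107}/2^{109}$ figures; the slides also round (e.g. $2^{130} + 2^{140}$ to $2^{140}$) and drop the constant $e$, so the exponents computed here differ by a couple of units, while the ok/no verdicts agree.

```python
import math

# Figures from the slides: feasible-adversary budget and NFS cost per RSA modulus size (log2).
T_ADV, Q_H, Q_S = 2**75, 2**55, 2**30
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

def inverter_cost_log2(loss, time_b):
    """log2 of the work to invert f via the reduction: advantage-loss factor times B's time.
    (Running B about 'loss' times compensates for Adv^ow(B) >= Adv(A) / loss.)"""
    return math.log2(loss * time_b)

def fdh_bellare_rogaway(k_bits, tf_exponent=3, t=T_ADV, qh=Q_H, qs=Q_S):
    """[Bellare-Rogaway]: Adv(A) <= (qh+qs+1) Adv(B), B runs in t + (qh+qs) T_f.
    Cost model T_f = k^3, as stated on the slides."""
    tf = k_bits ** tf_exponent
    return inverter_cost_log2(qh + qs + 1, t + (qh + qs) * tf)

def fdh_coron(k_bits, tf_exponent=2, t=T_ADV, qh=Q_H, qs=Q_S):
    """[Coron 2000]: Adv(A) <= qs * e * Adv(B), B runs in t + (qh+qs+1) T_f.
    Assumption: T_f = k^2 (one modular exponentiation with a small public exponent),
    the model closest to the slides' figures; e is Euler's constant, kept here."""
    tf = k_bits ** tf_exponent
    return inverter_cost_log2(qs * math.e, t + (qh + qs + 1) * tf)

def interpret(bound_fn, **kw):
    """Per key size: (log2 t', log2 NFS cost, meaningful?). The reduction only contradicts
    the hardness of inverting RSA when t' lies below the best known inverting cost."""
    table = {}
    for k, nfs in NFS_LOG2.items():
        tprime = bound_fn(k, **kw)
        table[k] = (round(tprime, 2), nfs, tprime < nfs)
    return table

def min_secure_key(bound_fn, **kw):
    """Smallest listed modulus size for which the reduction gives a meaningful guarantee."""
    ok = [k for k, (_, _, good) in interpret(bound_fn, **kw).items() if good]
    return min(ok) if ok else None

if __name__ == "__main__":
    for name, fn in (("Bellare-Rogaway", fdh_bellare_rogaway), ("Coron", fdh_coron)):
        print(name)
        for k, (tp, nfs, good) in interpret(fn).items():
            print(f"  {k} bits: t' ~ 2^{tp}, NFS ~ 2^{nfs}: {'ok' if good else 'no'}")
        print("  minimum meaningful key size:", min_secure_key(fn))
```

The same `interpret` helper applies to any reduction of the form loss factor times simulator time; swapping in the RSA-OAEP bound of [Fujisaki-OPS 00] only changes the two ingredients.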

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:
Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (K, E, D)$, the game runs as follows.

Challenger: $b \xleftarrow{\$} \{0, 1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary.

Adversary, first phase (CCA1): sends ciphertexts $c$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$).

Adversary chooses $m_0, m_1$ and sends them to the challenger, which returns $c^* \leftarrow E_{k_e}(m_b)$.

Adversary, second phase (CCA2): sends ciphertexts $c \neq c^*$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$).

Adversary outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr[(m_0, m_1) \leftarrow A^D(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
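To see the two failures just listed in the language of the IND-CCA game, here is an added Python example (not from the slides) that runs the challenger from the IND-CCA slide against textbook RSA and textbook ElGamal on constructed toy parameters (RSA with $p = 61$, $q = 53$, $e = 17$; ElGamal in $\mathbb{Z}_{467}^*$ with generator 2; both hopelessly small and only for illustration). The adversary against RSA never touches the decryption oracle, so what it exhibits is the IND-CPA failure caused by determinism; the adversary against ElGamal makes one decryption query on a ciphertext different from $c^*$, which is exactly what multiplicativity lets it exploit. Both win every game, versus 1/2 for guessing. The names `ind_cca2_game`, `win_rate` and the adversary functions are this example's own.

```python
import secrets

# Constructed toy parameters: far too small to be secure, chosen so the games run instantly.
P_EG, G_EG = 467, 2                       # ElGamal group Z_467^*, generator 2
P_RSA, Q_RSA, E_RSA = 61, 53, 17          # textbook RSA, n = 3233
N_RSA = P_RSA * Q_RSA
D_RSA = pow(E_RSA, -1, (P_RSA - 1) * (Q_RSA - 1))

class TextbookRSA:
    """Deterministic E(m) = m^e mod n: OW-CPA under the RSA assumption, but not IND-CPA."""
    def public(self):
        return (N_RSA, E_RSA)
    def enc(self, m):
        return pow(m, E_RSA, N_RSA)
    def dec(self, c):
        return pow(c, D_RSA, N_RSA)

class ElGamal:
    """Randomized ElGamal in Z_p^*: IND-CPA under DDH, but E(m) * E(m') encrypts m * m'."""
    def __init__(self):
        self.x = 1 + secrets.randbelow(P_EG - 2)      # secret key in [1, p-2]
        self.h = pow(G_EG, self.x, P_EG)
    def public(self):
        return (P_EG, G_EG, self.h)
    def enc(self, m):
        r = 1 + secrets.randbelow(P_EG - 2)
        return (pow(G_EG, r, P_EG), m * pow(self.h, r, P_EG) % P_EG)
    def dec(self, c):
        c1, c2 = c
        return c2 * pow(pow(c1, self.x, P_EG), -1, P_EG) % P_EG

def ind_cca2_game(scheme, choose, guess):
    """One run of the IND-CCA2 experiment: the challenger picks b and keys, the adversary
    chooses (m0, m1), receives c* = E(m_b) plus a decryption oracle that refuses only c*
    itself, and outputs b'. Returns True when b' = b."""
    pk = scheme.public()
    b = secrets.randbelow(2)
    m0, m1 = choose(pk)
    c_star = scheme.enc((m0, m1)[b])

    def dec_oracle(c):
        return None if c == c_star else scheme.dec(c)   # the single forbidden query

    return guess(pk, c_star, dec_oracle) == b

# Adversary against textbook RSA: it never calls the decryption oracle, so this is a
# chosen-plaintext attack. A deterministic scheme lets it simply re-encrypt m0.
def rsa_choose(pk):
    return (2, 3)

def rsa_guess(pk, c_star, dec):
    n, e = pk
    return 0 if pow(2, e, n) == c_star else 1

# Adversary against ElGamal: one legal decryption query on the related ciphertext
# (c1, 2*c2), which differs from c* but decrypts to 2*m_b (multiplicativity).
def eg_choose(pk):
    return (2, 3)

def eg_guess(pk, c_star, dec):
    p, _, _ = pk
    c1, c2 = c_star
    twice_mb = dec((c1, 2 * c2 % p))
    mb = twice_mb * pow(2, -1, p) % p
    return 0 if mb == 2 else 1

def roundtrip_ok(make_scheme, m=123):
    """Sanity check that decryption inverts encryption for a fresh key."""
    s = make_scheme()
    return s.dec(s.enc(m)) == m

def win_rate(make_scheme, choose, guess, trials=200):
    """Fraction of games the adversary wins; a blind guess would score about 1/2."""
    wins = sum(ind_cca2_game(make_scheme(), choose, guess) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("textbook RSA, no decryption queries:", win_rate(TextbookRSA, rsa_choose, rsa_guess))
    print("ElGamal, one decryption query:      ", win_rate(ElGamal, eg_choose, eg_guess))
```

The decryption oracle's single exclusion is the whole difference between CCA2 and the weaker notions: the ElGamal adversary wins only because a ciphertext related to $c^*$ is still a legal query, which is what the redundancy check in OAEP-style padding is designed to take away.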

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0, 1\}^{k_0} \rightarrow \{0, 1\}^{n - k_0}$

$H: \{0, 1\}^{n - k_0} \rightarrow \{0, 1\}^{k_0}$

$E(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
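The OAEP transform itself, i.e. the "compute $x, y$" and "invert OAEP, then check the redundancy" steps, as an added Python example that is not from the slides or from the Bellare-Rogaway paper. It uses the standard two-round construction $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$ with the slide's parameter names, but measured in bytes ($n = 32$, $k_0 = 8$, $k_1 = 8$, all constructed) and with SHAKE256 standing in for the random oracles $G$ and $H$; the trapdoor permutation $f$ is applied by the caller to `oaep_pad`'s output and removed before `oaep_unpad`, and is not part of this block.

```python
import hashlib

# Parameter sizes in bytes (the slide states them in bits); constructed so that n > k0 + k1.
N_BYTES, K0, K1 = 32, 8, 8             # plaintext length is n - k0 - k1 = 16 bytes

def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), modelled with SHAKE256 as a stand-in random oracle."""
    return hashlib.shake_256(b"G" + r).digest(N_BYTES - K0)

def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0, likewise modelled with SHAKE256."""
    return hashlib.shake_256(b"H" + x).digest(K0)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_pad(m: bytes, r: bytes) -> bytes:
    """E(m, r) before applying f: x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    if len(m) != N_BYTES - K0 - K1 or len(r) != K0:
        raise ValueError("bad message or randomness length")
    x = xor(m + bytes(K1), G(r))       # the k1 zero bytes are the redundancy
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy: bytes):
    """D after f^{-1}: recover r, then m || z, and accept only if z == 0^k1.
    Returns m, or None when the redundancy check fails (the ciphertext is rejected)."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    m, z = mz[:N_BYTES - K0 - K1], mz[N_BYTES - K0 - K1:]
    return m if z == bytes(K1) else None

def tamper_rejected(m: bytes, r: bytes) -> bool:
    """Flip one bit of x: with H a random oracle this re-randomizes the recovered r, so
    the redundancy comes out as garbage and D rejects (except with probability 2^-(8*k1))."""
    xy = bytearray(oaep_pad(m, r))
    xy[0] ^= 0x01
    return oaep_unpad(bytes(xy)) is None

if __name__ == "__main__":
    msg, rnd = b"sixteen byte msg", bytes(range(K0))
    print("roundtrip ok:", oaep_unpad(oaep_pad(msg, rnd)) == msg)
    print("tampered input rejected:", tamper_rejected(msg, rnd))
```

Two properties matter for the security notions discussed here: a fresh $r$ makes every encryption of the same $m$ different (needed for IND-CPA), and any change to $x \| y$ almost surely destroys the $0^{k_1}$ redundancy, so the decryption oracle of the IND-CCA game returns $\perp$ on related ciphertexts instead of leaking something about $m_b$.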

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n, e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits $\rightarrow t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\rightarrow t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\rightarrow t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


                                                              Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model
Consider the block cipher E as a family of perfectly random and independent permutations.

60/77


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound
The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are
  at most 2^75 operations (t)
  at most 2^55 hash (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE·k² ≤ 2^75 + 2^55·k², and

  1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok
  2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok
  4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
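The key-size check of the last two slides, carried out in Python as an added example (not code from the slides): it takes the slides' formulas for t′, the adversary budget they assume (t ≤ 2^75, 2^55 oracle queries) and their NFS cost figures as constants, then reports for which modulus sizes each reduction is meaningful and how many bits of the adversary's power it loses. Only the time part of the bounds is modelled, as on the slides.

```python
import math

# Figures taken from the slides: log2 of the NFS cost of factoring a k-bit
# modulus, and the "feasible adversary" budget (t <= 2^75 operations,
# <= 2^55 oracle queries of each kind).
NFS_LOG2_COST = {1024: 80, 2048: 111, 4096: 149}
T_MAX, Q_MAX = 2 ** 75, 2 ** 55


def log2_time_oaep(k, t=T_MAX, qH=Q_MAX, qG=Q_MAX):
    """log2 of t' = 2*t + qH*(2*qG + qH)*k^2: the running time of the RSA
    inverter B built from an IND-CCA adversary against RSA-OAEP that runs in
    time t and makes qH, qG random-oracle queries [Fujisaki-OPS 00].
    The advantage loss (the square root in the slide's bound) is not modelled."""
    return math.log2(2 * t + qH * (2 * qG + qH) * k * k)


def log2_time_oaeppp(k, t=T_MAX, qE=Q_MAX):
    """log2 of t' = t + qE*k^2 for f-OAEP++ (Jonsson 2002), with qE ideal-cipher
    queries: the loss is linear in the queries instead of quadratic."""
    return math.log2(t + qE * k * k)


def reduction_is_meaningful(k, log2_tprime):
    """Exact-security test: the reduction only says something if the inverter
    it builds would beat the best known algorithm, i.e. t' <= NFS(k).
    Returns (ok, margin in bits); a negative margin means no guarantee."""
    nfs = NFS_LOG2_COST[k]
    return log2_tprime <= nfs, nfs - log2_tprime


def minimum_key_size(log2_time):
    """Smallest listed modulus size for which the reduction is meaningful."""
    for k in sorted(NFS_LOG2_COST):
        if reduction_is_meaningful(k, log2_time(k))[0]:
            return k
    return None


def tightness_loss_bits(log2_time, k, t=T_MAX):
    """log2(t'/t): how many bits of the adversary's running time the reduction
    wastes at modulus size k (0 would be a perfectly tight time bound)."""
    return log2_time(k) - math.log2(t)


if __name__ == "__main__":
    for name, fn in (("RSA-OAEP", log2_time_oaep), ("RSA-OAEP++", log2_time_oaeppp)):
        for k in sorted(NFS_LOG2_COST):
            ok, margin = reduction_is_meaningful(k, fn(k))
            print(f"{name:11} k={k}: t' <= 2^{fn(k):.1f}, NFS 2^{NFS_LOG2_COST[k]}"
                  f" -> {'ok' if ok else 'no'} (margin {margin:+.1f} bits)")
        print(f"{name}: minimum key size {minimum_key_size(fn)}, "
              f"time loss at 4096 bits {tightness_loss_bits(fn, 4096):.1f} bits")
```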


Revisiting the Assumptions

Classical Assumptions
  Integer Factoring
  Discrete Logarithm (in Finite Fields and in Elliptic Curves)
  Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
  Error-Correcting Codes
  Hash-based schemes
  Systems of Multi-Variate Equations
  Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:
  Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
  Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
  Definitions (models) need time for review and acceptance.

Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security
  provides some form of guarantee that the scheme is not flawed;
  motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
  gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
  is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
  Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
  On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
  Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Complexity-theory vs. Exact Security vs. Practical

The interpretation of the reduction matters.

Given: A within time t, success probability ε
  ⇒ Build: an algorithm against P that runs in time t′ = T(t) with success probability ε′ = R(ε)

The reduction requires showing T (for simplicity, suppose R depends only linearly on ε):
  Complexity theory: T polynomial
  Exact security: T explicit
  Practical security: T small (linear)

Each gives us a way to interpret reduction results.

26/77

Complexity-theory Security

Given: A within time t and success probability ε
  ⇒ Build: an algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"
Reduction: T is polynomial in t and ε
Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security: Results

General Results
Under polynomial reductions, against polynomial-time adversaries:
  1. Trapdoor one-way permutations are enough for secure encryption.
  2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but
  the schemes for which these results were originally obtained are rather inefficient;
  looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given: A which in time t breaks the scheme with probability ε
  ⇒ Build: an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: solving P requires N operations (say, time τ)
Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)
Security result: there is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?
From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness
A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′/ε′)/(t/ε) = (t′·ε)/(t·ε′).

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Security Notions

Part IV

Security Notions

31/77


Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:
  1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.
  2. Attack model: attack venues (what the adversary can and cannot do) and leaked information (what the adversary can learn from honest users, often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery
The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,
  given the verification key kv,
  it outputs a pair (m′, σ′) of a message and its signature
  such that the following probability is large:

    Pr[ Vf(kv, m′, σ′) = 1 ]

33/77


Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.
Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.
Chosen-Message Attack (CMA): the adversary can choose the messages for which he sees the message/signature pairs. Strongest attack.

34/77


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

    (kv, ks) ←$ K(·)

    kv ↓                                   ks ↓
    Adversary   ---- m ---->   Signing Oracle: σ ← Sign(ks, m)
                <--- σ -----
                    ···
    ↓ (m′, σ′)

    Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for a new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77

                                                                Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analysed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).

The same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1 Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2 Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^{-1}) where
  Public key: f: X → X, a trapdoor one-way permutation onto X
  Private key: f^{-1}

S: Signature of m returns σ ← f^{-1}(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

38/77
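Added example, not part of the slides nor of Bellare-Rogaway's own work: a runnable toy of the three definitions above in Python, the EUF-CMA experiment with its signing oracle and "new m′" check, the lazily sampled random oracle, and RSA-FDH itself. The modulus, the exponent and the messages are constructed for illustration; the 34-bit N only keeps the example self-contained and offers no security.

```python
# Added example (not from the slides): toy RSA-FDH with a lazily sampled
# random oracle and the EUF-CMA experiment.
# Constructed parameters: a 34-bit modulus, far too small for real use.
import secrets

P, Q = 104723, 104729                  # constructed small primes
N = P * Q                              # X = Z_N, domain and range of f
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor (the private key)


def f(x):
    """Public trapdoor one-way permutation f: X -> X (RSA, forward direction)."""
    return pow(x, E, N)


def f_inv(y):
    """Private inverse f^{-1}; only the signer holds D."""
    return pow(y, D, N)


class RandomOracle:
    """Random-oracle model of H: {0,1}* -> X, by lazy sampling.
    A fresh query gets a uniform answer in X; a repeated query gets the
    stored answer, exactly as on the random-oracle slide."""

    def __init__(self):
        self.table = {}

    def __call__(self, m):
        if m not in self.table:
            self.table[m] = secrets.randbelow(N)
        return self.table[m]


# Scheme FDH = (K, S, V); K is the fixed key pair (f, f_inv) above.
def fdh_sign(H, m):
    return f_inv(H(m))                 # S: sigma <- f^{-1}(H(m))


def fdh_verify(H, m, sigma):
    return f(sigma) == H(m)            # V: true iff f(sigma) = H(m)


def euf_cma_experiment(adversary):
    """EUF-CMA game. adversary(H, sign_oracle) returns (m', sigma').
    It wins only if the pair verifies AND m' was never sent to the
    signing oracle (the "new m'" condition of the definition)."""
    H = RandomOracle()
    signed = set()

    def sign_oracle(m):
        signed.add(m)
        return fdh_sign(H, m)

    m_prime, sigma_prime = adversary(H, sign_oracle)
    return m_prime not in signed and fdh_verify(H, m_prime, sigma_prime)


# Two constructed adversaries to exercise the harness.
def replay_adversary(H, sign):
    """Returns a genuine signature on a message it had signed: the pair
    verifies, but m' is not new, so the game rejects it."""
    m = b"pay 10 to Bob"
    return m, sign(m)


def random_guess_adversary(H, sign):
    """Never uses the trapdoor: a uniformly random sigma' on a fresh
    message. Wins with probability exactly 1/N."""
    return b"pay 1000000 to Eve", secrets.randbelow(N)


def honest_round_trip(m=b"hello"):
    """Correctness: a signature made with f_inv verifies under f."""
    H = RandomOracle()
    return fdh_verify(H, m, fdh_sign(H, m))
```

The two adversaries show the two ways to lose the game: a verifying pair on an already-signed message does not count, and without the trapdoor a guess succeeds only with probability 1/|X|. Any real signature scheme would replace the toy modulus and the lazy table by a 2048-bit-or-larger key and a concrete hash onto Z_N.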


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_FDH(A) ≤ (qh + qs + 1) · Adv^{ow}_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries,

Tf is the time to compute f (in the forward direction),

B runs in time t′ = t + (qh + qs) · Tf.

[Bellare-Rogaway 1993, 1996]

Proof (reduction).

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1 Define a sequence G0, G1, ..., G5 of games or experiments.

2 All games are in the same probability space.

3 The rules on how the view of the game is computed differ from game to game.

4 Successive games are very similar, typically with slightly different probability distributions.

5 G0 is the actual security game (EUF-CMA).

6 G5 is the game for the underlying assumption (OW).

7 We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ):
  Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

"A outputs a pair (m, σ) for which Vf returns true"

Clearly Adv^{euf-cma}_FDH(A) = Pr[S0].

41/77


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Create an initially empty list called H-List.
  If (q, r) ∈ H-List, return r.
  Otherwise reply using
  Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using
  Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

42/77


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

c ←$ {1, ..., qH + qS + 1}

Let c′ = index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c′ then abort.

Success verification is inside the game ⇒ the adversary's output message m′ always gets queried to the hashing oracle, so c′ is well defined.

Pr[S2] = Pr[S1 ∧ GoodGuess]
       = Pr[S1 | GoodGuess] × Pr[GoodGuess]
       ≥ Pr[S1] × 1/(qH + qS + 1)

43/77


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge for which we want to extract a preimage x under f.

Rule H(3):
  If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since y is itself uniformly distributed (the planted answer looks exactly like a random one), Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose random s ←$ X and compute r ← f(s).
  Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):
  Look up (m, s, r) in H-List and set σ ← s.

Since the c-th message (the one the forgery must be on, hence new) is never asked to the signing oracle, Pr[S5] = Pr[S4]. Moreover:

the simulation can be done computing (qS + qH) evaluations of f;

a signature forgery for y gives a preimage of y;

Pr[S5] = Adv^{ow}_f(B)

where B = G5 runs in time t + (qS + qH) · Tf.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

Adv^{ow}_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
              ≥ 1/(qH + qS + 1) × Pr[S1]
              ≥ 1/(qH + qS + 1) × Pr[S0]
              = 1/(qH + qS + 1) × Adv^{euf-cma}_FDH(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
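Added example, not from the slides nor from [Pointcheval 2005]: the simulator B of games G1 to G5 written as Python, so one can check that B answers every oracle using only f, plants y at the c-th fresh hash query (Rule H(4)), signs by looking up s (Rule S(5)), and gives up when its guess c is wrong. The toy RSA parameters and the forger are constructed for illustration; the forger stands in for an arbitrary successful adversary A by cheating with the trapdoor, because a forger that works without it is exactly what the theorem rules out.

```python
# Added example (not from the slides): the reduction B of games G1..G5.
# Constructed toy RSA parameters, far too small for real use.
import secrets

P, Q = 104723, 104729
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor; B never uses it


def f(x):
    """Public one-way permutation f: Z_N -> Z_N (forward RSA)."""
    return pow(x, E, N)


class WrongGuess(Exception):
    """The planted (c-th) message was sent to the signing oracle. That can
    only happen when c != c', since the forgery must be on a new message."""


def reduction_B(adversary, y, q_max, c=None):
    """Inverts y under f with the help of a forger, without f^{-1}.
    Returns x with f(x) == y, or None when the guess c was wrong.
    q_max plays the role of qH + qS + 1; c is drawn uniformly from
    {1..q_max} unless the caller fixes it (for deterministic tests)."""
    if c is None:
        c = 1 + secrets.randbelow(q_max)
    hlist = {}   # H-List: m -> (index of first query, s, r)

    def H_sim(m):
        if m not in hlist:
            idx = len(hlist) + 1
            if idx == c:
                hlist[m] = (idx, None, y)        # Rule H(4): r <- y, s <- bottom
            else:
                s = secrets.randbelow(N)
                hlist[m] = (idx, s, f(s))        # r <- f(s), preimage known
        return hlist[m][2]

    def sign_sim(m):
        H_sim(m)                     # a signing query goes through H first
        _, s, _ = hlist[m]
        if s is None:
            raise WrongGuess
        return s                     # Rule S(5): sigma <- s, no f^{-1}

    try:
        m_prime, sigma_prime = adversary(H_sim, sign_sim)
    except WrongGuess:
        return None
    H_sim(m_prime)                   # verification happens inside the game
    idx, _, r = hlist[m_prime]
    if idx != c or f(sigma_prime) != r:
        return None                  # bad guess, or not a valid forgery
    return sigma_prime               # f(sigma') = r = y: a preimage of y


def trapdoor_forger(H, sign):
    """Constructed stand-in for a successful EUF-CMA adversary: it cheats
    by holding D. It hashes its target first, asks one signature on a
    different message, checks it, and then forges on the target."""
    target, other = b"forged message", b"legit message"
    h = H(target)
    assert f(sign(other)) == H(other)   # the simulated signature verifies
    return target, pow(h, D, N)


def invert_with_forger(x, c=1):
    """Challenge B on y = f(x) with the forger above and a fixed guess c."""
    return reduction_B(trapdoor_forger, f(x), q_max=3, c=c)
```

With the forger's target as its first hash query, guess c = 1 makes B return exactly f^{-1}(y); c = 2 plants y on the message the forger wants signed, so the signing simulation aborts; c = 3 never matches the target's index and B returns nothing. Over random c the success rate is 1/q_max, which is the (qH + qS + 1) loss factor of the theorem.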


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_FDH(A) ≤ (qh + qs + 1) · Adv^{ow}_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries,

Tf is the time to compute f (in the forward direction),

B runs in time t′ = t + (qh + qs) · Tf.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most 2^75 operations (t),

at most 2^55 hash queries (qh), and

at most 2^30 signing queries (qs).

Adv^{euf-cma}_FDH(A) ≤ (qh + qs + 1) · Adv^{ow}_f(B)

B runs in time t′ = t + (qh + qs) · Tf

The result now says:

Interpreting the Result
If one can break the scheme within time t, then one can invert f within time
t′ ≤ (qh + qs + 1)(t + (qh + qs) · Tf) ≤ 2^130 + 2^110 · Tf

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t′ ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → t′ ≤ 2^140, but NFS takes 2^80

2048 bits → t′ ≤ 2^143, but NFS takes 2^111

4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$Adv^{\text{euf-cma}}_{FDH}(A) \le q_s \cdot e \cdot Adv^{\text{ow}}_f(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h, q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption).

The goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$.

Challenger:
- $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary
- receives $(m_0, m_1)$ from the adversary and returns $c^* \leftarrow E_{k_e}(m_b)$
- receives the adversary's guess $b'$

Adversary: may send $c$ to a decryption oracle and receive $m$ or $\perp$, where $m \leftarrow D_{k_d}(c)$:
- CCA1: only before receiving $c^*$
- CCA2: also after receiving $c^*$, for any $c \ne c^*$

$Adv^{\text{ind-cca}}_{AS}(A) = \Pr[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' = b]$

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

- Let $m$ be a random message chosen from the message space $M$.
- From the ciphertext $c = E_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$Adv^{\text{ow-cpa}}_{AS}(A) = \Pr[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m]$

55/77


Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular $e$-th roots)
- It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman)
- IND-CPA = DDH (Decisional Diffie-Hellman)
- It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.

57/77



f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$
$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$E(m, r)$: Compute $x, y$, then return $c = f(x \| y)$.
$D(c)$: Compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
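A worked instance of the f-OAEP transform above, added here as example code (it is not from the slides nor from Bellare-Rogaway): it instantiates the standard OAEP equations $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, which the slide leaves to its figure, builds $G$ and $H$ from SHA-256, and uses a toy RSA permutation on two Mersenne primes as $f$. The parameters $n = 144$, $k_0 = k_1 = 32$ bits and the primes are constructed for illustration and far too small for real use; the decryption routine returns None for $\perp$ whenever the $k_1$ zero bits do not check out, which is what stops a multiplicatively mauled ciphertext from decrypting to anything.

```python
import hashlib
import secrets

# Toy parameters (constructed for this example; far too small for real use).
N_BYTES = 18                                 # n  = 144 bits: total OAEP output length
K0_BYTES = 4                                 # k0 =  32 bits: random seed r
K1_BYTES = 4                                 # k1 =  32 bits: zero redundancy checked on decryption
MSG_BYTES = N_BYTES - K0_BYTES - K1_BYTES    # message length n - k0 - k1 = 10 bytes

# Toy RSA trapdoor permutation f. N ~ 2^150 > 2^144, so every n-bit OAEP
# output is a valid input to f. gcd(e, (p-1)(q-1)) = 1 for these primes.
P, Q = 2**61 - 1, 2**89 - 1
N_RSA = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _hash_to(label, data, out_len):
    """Counter-mode SHA-256 stretched or truncated to out_len bytes, with a domain label."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(label + counter.to_bytes(4, "big") + data).digest()
        counter += 1
    return out[:out_len]


def G(r):
    """G : {0,1}^k0 -> {0,1}^(n-k0)"""
    return _hash_to(b"G", r, N_BYTES - K0_BYTES)


def H(x):
    """H : {0,1}^(n-k0) -> {0,1}^k0"""
    return _hash_to(b"H", x, K0_BYTES)


def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r);  y = r xor H(x);  return x || y (n bits)."""
    if len(m) != MSG_BYTES or len(r) != K0_BYTES:
        raise ValueError("message must be n-k0-k1 bits and seed k0 bits")
    x = _xor(m + bytes(K1_BYTES), G(r))
    y = _xor(r, H(x))
    return x + y


def oaep_unpad(xy):
    """Invert the pad; return m, or None (i.e. the bottom symbol) if the k1 zero bits fail."""
    x, y = xy[:N_BYTES - K0_BYTES], xy[N_BYTES - K0_BYTES:]
    r = _xor(y, H(x))
    mz = _xor(x, G(r))
    m, z = mz[:MSG_BYTES], mz[MSG_BYTES:]
    return m if z == bytes(K1_BYTES) else None


def encrypt(m, r=None):
    """E(m, r): c = f(x || y), with f = RSA exponentiation; r is drawn fresh if not given."""
    r = secrets.token_bytes(K0_BYTES) if r is None else r
    v = int.from_bytes(oaep_pad(m, r), "big")
    return pow(v, E, N_RSA)


def decrypt(c):
    """D(c): x || y = f^-1(c), then invert OAEP and check the redundancy."""
    v = pow(c, D, N_RSA)
    if v >= 1 << (8 * N_BYTES):       # not an n-bit string at all: reject
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))


if __name__ == "__main__":
    msg = b"ten bytes!"
    c = encrypt(msg)
    print("decrypt(encrypt(m)) == m:", decrypt(c) == msg)
    # Multiplying the ciphertext by 2^e mauls the plaintext to 2*(x||y);
    # the redundancy (or length) check rejects it instead of returning a message.
    mauled = (c * pow(2, E, N_RSA)) % N_RSA
    print("mauled ciphertext decrypts to:", decrypt(mauled))
```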


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$Adv^{\text{ind-cca}}_{RSA\text{-}OAEP}(A) \le 2 \cdot \sqrt{Adv^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H(2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H, q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77



Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations.

60/77


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = $ RSA are:

- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash ($q_H, q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
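The "interpreting the result" arithmetic of the FDH, Coron, RSA-OAEP and RSA-OAEP++ slides, carried through as added example code (not from the deck): each function evaluates the slide's running-time bound $t'$ for the inverter $B$ under the deck's adversary budget ($t = 2^{75}$, $2^{55}$ oracle queries, $2^{30}$ signing queries), and the verdict is "ok" exactly when $t'$ is below the quoted NFS cost, because such an attacker would then beat the best known factoring algorithm. Assumptions: $T_f = k^3$ for the first FDH slide and $T_f = k^2$ for the later ones (this is how the slides' own figures come out), and the NFS costs are the ones quoted on the slides.

```python
import math

# Adversary budget used throughout the deck.
T_OPS = 2**75     # t: running time of the scheme adversary A
Q_HASH = 2**55    # q_h, q_H, q_G, q_E: hash / ideal-cipher queries
Q_SIGN = 2**30    # q_s: signing queries

# Cost of inverting RSA by factoring with the Number Field Sieve, in bits,
# as quoted on the slides for each modulus size.
NFS_BITS = {1024: 80, 2048: 111, 4096: 149}


def fdh_original(k):
    """Bellare-Rogaway FDH: t' = (q_h+q_s+1) * (t + (q_h+q_s) * T_f), with T_f = k^3."""
    tf = k**3
    return (Q_HASH + Q_SIGN + 1) * (T_OPS + (Q_HASH + Q_SIGN) * tf)


def fdh_coron(k):
    """Coron 2000: advantage loss q_s * e, B runs in t + (q_h+q_s+1) * T_f.
    The deck's 2^30 * t + 2^85 * T_f figures come out with T_f = k^2 (assumption)."""
    tf = k**2
    return Q_SIGN * math.e * (T_OPS + (Q_HASH + Q_SIGN + 1) * tf)


def rsa_oaep(k):
    """Fujisaki-Okamoto-Pointcheval-Stern: B runs in 2t + q_H * (2 q_G + q_H) * k^2."""
    return 2 * T_OPS + Q_HASH * (2 * Q_HASH + Q_HASH) * k**2


def rsa_oaep_pp(k):
    """Jonsson 2002, OAEP++: t' = t + q_E * k^2."""
    return T_OPS + Q_HASH * k**2


def verdict(t_prime, k):
    """Return (log2 t', NFS bits, ok). ok means the reduction's inverter would be
    faster than NFS, so an attacker with the assumed budget cannot exist unless
    factoring is easier than believed."""
    bits = math.log2(t_prime)
    return bits, NFS_BITS[k], bits < NFS_BITS[k]


def table(bound):
    """Evaluate one reduction's bound for every modulus size on the slides."""
    return {k: verdict(bound(k), k) for k in NFS_BITS}


def minimum_secure_modulus(bound):
    """Smallest modulus for which the reduction yields a meaningful guarantee."""
    return min((k for k, (_, _, ok) in table(bound).items() if ok), default=None)


def main():
    schemes = [("RSA-FDH (Bellare-Rogaway)", fdh_original),
               ("RSA-FDH (Coron 2000)", fdh_coron),
               ("RSA-OAEP (FOPS 2000)", rsa_oaep),
               ("RSA-OAEP++ (Jonsson 2002)", rsa_oaep_pp)]
    for name, bound in schemes:
        print(name)
        for k, (bits, nfs, ok) in table(bound).items():
            print(f"  {k} bits: t' ~ 2^{bits:.1f}, NFS ~ 2^{nfs}: {'ok' if ok else 'no'}")
        print(f"  => meaningful for moduli of at least {minimum_secure_modulus(bound)} bits")


if __name__ == "__main__":
    main()
```

The exact evaluations differ from the slides' rounded figures by a bit or two, but every ok/no verdict and every minimum key size matches the deck.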


Revisiting the Assumptions

Classical Assumptions:

- Integer Factoring
- Discrete Logarithm (in Finite Fields and in Elliptic Curves)
- Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

- Error-Correcting Codes
- Hash-based schemes
- Systems of Multivariate Equations
- Lattices

62/77

Part V

Concluding Remarks

63/77


Limits and Benefits of Provable Security

Provable security does not yield proofs:

- Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance.
- Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77


Limits and Benefits of Provable Security

Still, provable security:

- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
- is fun :-)

65/77


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Complexity-theory Security

Given: $A$ within time $t$ and success probability $\varepsilon$ ⇒ Build: an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$.

Assumption: $P$ is hard = "no polynomial time algorithm".

Reduction: $T$ is polynomial in $t$ and $\varepsilon$.

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.

27/77


Complexity-theory Security Results

General Results (under polynomial reductions against polynomial-time adversaries):

1. Trapdoor one-way permutations are enough for secure encryption.
2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but
- the schemes for which these results were originally obtained are rather inefficient;
- looking into the complexity of the reduction may give us some insight.

28/77

Exact Security

Given an adversary A which in time $t$ breaks the scheme with probability $\varepsilon$ $\Rightarrow$ Build an algorithm against P that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$.

Assumption: solving P requires $N$ operations (say, time $\tau$).

Reduction: exact cost for $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$.

Why useful? From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'\,\varepsilon}{t\,\varepsilon'} = \dfrac{t'/\varepsilon'}{t/\varepsilon}$.

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Security Notions: Security Notion for Signature Schemes, Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal): the property that needs to be guaranteed.
2. Attack model:
   - Attack venues: what the adversary can and cannot do.
   - Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

33/77

Possible Attack Models

- No-Message Attack (NKA): the adversary only knows the verification key.
- Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.
- Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$:

(Figure: the EUF-CMA experiment.) Keys $(k_v, k_s) \xleftarrow{\$} K(\cdot)$ are generated; the Adversary receives $k_v$, interacts with a Signing Oracle holding $k_s$ that answers each query $m$ with $\sigma \leftarrow \mathrm{Sign}(k_s, m)$, and finally outputs $(m', \sigma')$.

$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m'\,]$

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as
- hash functions,
- block ciphers,
- finite groups,
are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

$\Rightarrow$ Idealized Security Models

- Hash function $\rightarrow$ Random oracle
- Block ciphers $\rightarrow$ Ideal cipher
- Finite groups $\rightarrow$ Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. A hash function $H: \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:
- each new query receives a random answer in $\mathrm{Rec}(H)$;
- the same query asked twice receives the same answer twice.

But for the actual scheme, $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

- $K$: Key Generation returns $(f, f^{-1})$ where the public key is $f: X \rightarrow X$, a trapdoor one-way permutation onto $X$, and the private key is $f^{-1}$.
- $S$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$.
- $V$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f = $ RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where
- A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return $r$. Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$; reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where
- $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$;
- let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A;
- if $c \neq c'$ then abort.

Success verification is within the game $\Rightarrow$ the adversary must query its output message $m'$.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \dfrac{1}{q_H + q_S + 1}$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$; otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since the position of $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77


                                                                  Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4):

If this is the c-th query, set r ← y and s ← ⊥.
Otherwise, choose random s ←$ X and compute r ← f(s).
Add the record (q, s, r) to the H-List.

Since y is random, f is a permutation and s is random, r is uniform in every case: Pr[S4] = Pr[S3].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):

Look up (m, s, r) in the H-List and set σ ← s.

In the event we care about (the forgery is on the message of the c-th hash query), that message is never submitted to the signing oracle, since a valid forgery must be on an unsigned message; so the lookup always finds s ≠ ⊥ and Pr[S5] = Pr[S4]. Moreover:

the simulation can be done computing (qS + qH) evaluations of f;

a signature forgery for y gives a preimage of y;

Pr[S5] = Adv^owf(B), where B = G5 runs in time t + (qS + qH)·Tf.


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{owf}}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\ \ge\ \frac{1}{q_H + q_S + 1}\,\Pr[S_1]
\ \ge\ \frac{1}{q_H + q_S + 1}\,\Pr[S_0]
\ =\ \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, consecutive games may have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
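The simulator below is an added example, not code from the slides: it implements the bookkeeping of games G4/G5 (plant the challenge y at the c-th new hash query, answer every other hash query with r = f(s) for a known s, sign by table lookup, and read the preimage of y off a forgery). It assumes a toy RSA permutation with constructed demo parameters, and, since no real forger is available, a stand-in adversary that cheats with the trapdoor; only its query pattern matters. Running every guess c in 1..qH+qS+1 shows that exactly one guess succeeds, which is where the 1/(qH+qS+1) factor of the bound comes from.

```python
import random

# Toy RSA trapdoor permutation f(x) = x^E mod N.  Parameters are constructed for
# this demo (two Mersenne primes, ~150-bit modulus); they are NOT secure sizes.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor: the real signer has it, B does not

def f(x: int) -> int:                  # forward direction, cost T_f
    return pow(x, E, N)

def f_inv(y: int) -> int:              # inverse direction, needs the trapdoor
    return pow(y, D, N)

class Simulator:
    """Reduction B of game G5: answers H- and Sign-queries without f^{-1}.
    The challenge y is planted as the answer to the c-th *new* H-query (rule
    H(4)); every other H-value is r = f(s) for a random s stored in the H-List,
    so a signature is just the stored s (rule S(5))."""

    def __init__(self, y: int, c: int, seed: int = 0):
        self.y, self.c = y, c
        self.rng = random.Random(seed)
        self.hlist = {}      # H-List: m -> (s, r); s is None (bottom) for the planted query
        self.queries = 0     # distinct H-queries so far, those made by signing included

    def H(self, m: bytes) -> int:
        if m in self.hlist:                  # repeated query: consistent answer
            return self.hlist[m][1]
        self.queries += 1
        if self.queries == self.c:
            s, r = None, self.y              # rule H(4), c-th query: r <- y, s <- bottom
        else:
            s = self.rng.randrange(1, N)     # rule H(4), otherwise: s random, r <- f(s)
            r = f(s)
        self.hlist[m] = (s, r)
        return r

    def sign(self, m: bytes) -> int:
        self.H(m)                            # a signing query implicitly hashes m
        s, _ = self.hlist[m]
        if s is None:
            # Signature requested on the planted message: the guess c was wrong,
            # B has no preimage of y and the simulation must stop.
            raise RuntimeError("simulation failure: c-th query was signed")
        return s                             # rule S(5): sigma <- s, no f^{-1} needed

    def extract(self, m: bytes, sigma: int):
        """A forgery valid under the simulated H whose hash value is y is a preimage of y."""
        if self.H(m) == self.y and f(sigma) == self.y:
            return sigma
        return None

def cheating_forger(H, sign):
    """Stand-in for an unknown EUF-CMA forger.  It cheats with the trapdoor D
    (a real adversary has no D); only its query pattern matters: q_H = 4
    distinct hash queries, q_S = 2 signing queries, and a forgery on a message
    that was hashed but never signed."""
    msgs = [b"invoice-1", b"invoice-2", b"invoice-3", b"invoice-4"]
    for m in msgs:
        H(m)
    sign(msgs[1])
    sign(msgs[2])
    target = msgs[3]
    return target, f_inv(H(target))

Q_H, Q_S = 4, 2          # query budget of cheating_forger

def run_reduction(y: int, c: int):
    """One run of B with guess c: returns a preimage of y, or None."""
    sim = Simulator(y, c)
    try:
        m, sigma = cheating_forger(sim.H, sim.sign)
    except RuntimeError:
        return None
    return sim.extract(m, sigma)

def winning_guesses(y: int):
    """Try every guess c in 1..q_H+q_S+1, the range the proof samples uniformly.
    Exactly one c (the index of the forged message's hash query) yields a
    preimage of y."""
    return [c for c in range(1, Q_H + Q_S + 2) if run_reduction(y, c) is not None]

if __name__ == "__main__":
    x = random.Random(42).randrange(1, N)
    y = f(x)
    print("winning guesses:", winning_guesses(y), "out of", Q_H + Q_S + 1)
    print("preimage recovered:", run_reduction(y, winning_guesses(y)[0]) == x)
```

Guesses that land on a message the forger later asks to be signed make the simulation abort, guesses that land on other hashed messages produce a forgery whose hash is not y, and guesses beyond the number of distinct queries never plant y at all; with a uniform c the reduction therefore succeeds with probability 1/(qH+qS+1) times the forger's success, and its only extra work is one f evaluation per hash record.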


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;

Tf is the time to compute f (in the forward direction);

B runs in time t' = t + (qh + qs)·Tf.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible resources of any adversary are bounded by

at most 2^75 operations (t),

at most 2^55 hash queries (qh), and

at most 2^30 signing queries (qs).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where B runs in time t' = t + (qh + qs)·Tf.

The result now says:

Interpreting the Result

If one can break the scheme in time t (with constant advantage), then, running B about (qh + qs + 1) times to compensate for the advantage loss, one can invert f with constant probability within time t' ≤ (qh + qs + 1)(t + (qh + qs)·Tf) ≤ 2^130 + 2^110·Tf.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' ≤ 2^130 + 2^110·Tf

Recall that Tf = O(k^3) operations if k = |n| (the modulus size) and e is small.

We compare it with known bounds on inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for f = RSA. The reduction only says something when t' is below the cost of NFS; otherwise the inverter it produces is slower than simply factoring:

1024 bits → t' ≤ 2^140, but NFS takes 2^80: no

2048 bits → t' ≤ 2^143, but NFS takes 2^111: no

4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is (provably) secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

(here e is the base of the natural logarithm, not the RSA exponent), where B runs in time t' = t + (qh + qs + 1)·Tf if A runs in time t and makes qh, qs queries. Inverting f can then be done in time t' ≤ 2^30·t + 2^85·Tf and, with Tf ≈ k^2 for a small RSA exponent (the figures below use this estimate):

1024 bits → t' ≤ 2^105, but NFS takes 2^80: no

2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal: it cannot be too strong.

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting, simply by using the public key).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary A runs as follows:

Challenger: b ←$ {0,1}; (ke, kd) ←$ K(·); sends ke to the adversary.

Adversary: may query the decryption oracle with any c and receives m ← D_kd(c) or ⊥ (first phase; CCA1 allows decryption queries only here).

Adversary: chooses (m0, m1) of the same length and sends them to the challenger.

Challenger: c* ← E_ke(mb); sends c* to the adversary.

Adversary: may keep querying the decryption oracle with any c ≠ c* and receives m ← D_kd(c) or ⊥ (second phase; allowed in CCA2 only).

Adversary: outputs a guess b'.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[(m_0,m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*)\ :\ b' = b\big]$$

(As written on the slide; a guessing adversary already achieves 1/2, so this probability is often normalized as $2\Pr[b' = b] - 1$.)

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m\big]$$


Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic: the adversary can re-encrypt m0 himself and compare with the challenge.

Discrete-Log-based: ElGamal [ElGamal 85]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity: from the challenge ciphertext one can build a different ciphertext of a related plaintext and have the decryption oracle open it.

Observation: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
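The IND-CCA game of the previous slides, and the two failures just listed, as an added example that is not part of the slides. It assumes a toy textbook RSA and a toy ElGamal over a 10-bit safe-prime group (constructed parameters, not secure sizes); the challenger implements the game literally, with a decryption oracle that refuses only c*. The re-encryption adversary wins outright against deterministic RSA without a single decryption query (so RSA is not even IND-CPA), only guesses against randomized ElGamal, and the malleability adversary wins outright against ElGamal by exploiting multiplicativity through the oracle.

```python
import random

# Toy RSA (constructed demo parameters; NOT secure sizes).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Toy ElGamal group: safe prime p = 2q + 1, g = 4 generates the order-q subgroup
# of squares.  Constructed for the demo; a 10-bit group is of course NOT secure.
p, q, g = 1019, 509, 4

class TextbookRSA:
    """Deterministic RSA: OW-CPA under the RSA assumption, but not IND-CPA."""
    def keygen(self, rng):
        return (N, E), (N, D)
    def enc(self, ke, m, rng):
        n, e = ke
        return pow(m, e, n)
    def dec(self, kd, c):
        n, d = kd
        return pow(c, d, n)

class ElGamal:
    """ElGamal over <g>: IND-CPA under DDH, but multiplicatively malleable."""
    def keygen(self, rng):
        x = rng.randrange(1, q)
        return pow(g, x, p), x              # (public h = g^x, secret x)
    def enc(self, h, m, rng):
        r = rng.randrange(1, q)
        return pow(g, r, p), m * pow(h, r, p) % p
    def dec(self, x, c):
        c1, c2 = c
        return c2 * pow(c1, -x, p) % p

class INDCCAGame:
    """Challenger of the IND-CCA2 game of the slide: the adversary gets k_e and a
    decryption oracle that refuses only c*, submits (m0, m1), receives
    c* = E_ke(m_b) and must output b' = b."""
    def __init__(self, scheme, rng):
        self.scheme, self.rng = scheme, rng
        self.ke, self.kd = scheme.keygen(rng)
        self.b = rng.randrange(2)
        self.cstar = None
    def decrypt(self, c):
        if c == self.cstar:
            return None                     # bottom: the challenge itself is refused
        return self.scheme.dec(self.kd, c)
    def challenge(self, m0, m1):
        assert self.cstar is None, "one challenge per game"
        self.cstar = self.scheme.enc(self.ke, (m0, m1)[self.b], self.rng)
        return self.cstar

M0, M1 = pow(g, 2, p), pow(g, 3, p)        # two distinct messages valid for both schemes

def reencrypt_adversary(game):
    """Encrypt m0 with the public key and compare with c*.  Needs no decryption
    query, so it is a CPA attack; it wins iff encryption is deterministic."""
    cstar = game.challenge(M0, M1)
    return 0 if game.scheme.enc(game.ke, M0, game.rng) == cstar else 1

def malleability_adversary(game):
    """ElGamal: c* = (g^r, m_b h^r).  Multiplying the second component by g gives
    a different ciphertext, of m_b * g, which the oracle does decrypt; dividing
    by g recovers m_b.  This multiplicativity is why ElGamal is not IND-CCA."""
    c1, c2 = game.challenge(M0, M1)
    assert game.decrypt((c1, c2)) is None  # asking for c* itself is refused
    mb = game.decrypt((c1, c2 * g % p)) * pow(g, -1, p) % p
    return 0 if mb == M0 else 1

def win_rate(scheme, adversary, trials=200, seed=1):
    """Fraction of games with b' = b: 1/2 is guessing, 1.0 is a total break."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        game = INDCCAGame(scheme, rng)
        wins += adversary(game) == game.b
    return wins / trials

if __name__ == "__main__":
    print("RSA vs re-encryption    :", win_rate(TextbookRSA(), reencrypt_adversary))
    print("ElGamal vs re-encryption:", win_rate(ElGamal(), reencrypt_adversary))
    print("ElGamal vs malleability :", win_rate(ElGamal(), malleability_adversary))
```

The malleated ciphertext differs from c* in its second component, so the oracle's single exclusion rule does not protect the challenge; this is exactly the gap that IND-CCA-secure conversions such as OAEP close by making any modified ciphertext decrypt to ⊥.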


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)

H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): for a message m of n − k0 − k1 bits and a fresh random r of k0 bits, compute x = (m || 0^k1) ⊕ G(r) and y = r ⊕ H(x), then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP (r = y ⊕ H(x), m || z = x ⊕ G(r)), then check the redundancy z = 0^k1 and reject if it fails.
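The construction carried out in code, as an added example that is not from the slides or from any OAEP implementation: a toy RSA permutation with constructed demo parameters, G and H built from SHA-256 as random-oracle stand-ins, the two-round padding of E, and the decryption D that rejects, with ⊥, a ciphertext whose preimage is not an n-bit string or whose k1 redundancy bits are not zero. The parameters n = 144, k0 = 32, k1 = 64 are chosen for this demo so that every n-bit string lies below the modulus.

```python
import hashlib
import random

# Toy RSA trapdoor permutation (constructed demo parameters; NOT secure sizes).
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def f(x: int) -> int:
    return pow(x, E, N)

def f_inv(y: int) -> int:
    return pow(y, D, N)

# OAEP parameters with n > k0 + k1.  n = 144 is chosen so that every n-bit
# string is below N (about 2^150): f is then injective on the OAEP domain {0,1}^n.
n, k0, k1 = 144, 32, 64
MLEN = n - k0 - k1                              # 48-bit (6-byte) messages
MASK_K0, MASK_K1 = (1 << k0) - 1, (1 << k1) - 1

def G(r: int) -> int:
    """G: {0,1}^k0 -> {0,1}^(n-k0), a random-oracle stand-in built from SHA-256."""
    d = hashlib.sha256(b"G" + r.to_bytes(k0 // 8, "big")).digest()
    return int.from_bytes(d[: (n - k0) // 8], "big")

def H(x: int) -> int:
    """H: {0,1}^(n-k0) -> {0,1}^k0, same construction with a different prefix."""
    d = hashlib.sha256(b"H" + x.to_bytes((n - k0) // 8, "big")).digest()
    return int.from_bytes(d[: k0 // 8], "big")

def oaep_encrypt(m: bytes, r: int) -> int:
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y).
    r must be a fresh k0-bit random value for every encryption."""
    if len(m) != MLEN // 8:
        raise ValueError("message must be exactly %d bytes" % (MLEN // 8))
    if not 0 <= r < 1 << k0:
        raise ValueError("r must be a %d-bit value" % k0)
    x = (int.from_bytes(m, "big") << k1) ^ G(r)
    y = r ^ H(x)
    return f((x << k0) | y)

def oaep_decrypt(c: int):
    """D(c): x || y = f^{-1}(c), undo the two rounds, check the k1 redundancy
    bits.  Returns None (bottom) on every failure.  A real implementation must
    also make all failure paths indistinguishable (timing, error codes), or
    the decryptor becomes a padding oracle."""
    if not 0 <= c < N:
        return None
    xy = f_inv(c)
    if xy >> n:                                 # not an n-bit string: not produced by E
        return None
    x, y = xy >> k0, xy & MASK_K0
    r = y ^ H(x)
    mz = x ^ G(r)
    if mz & MASK_K1:                            # redundancy 0^k1 violated
        return None
    return (mz >> k1).to_bytes(MLEN // 8, "big")

if __name__ == "__main__":
    rng = random.Random(7)
    c1 = oaep_encrypt(b"secret", rng.getrandbits(k0))
    c2 = oaep_encrypt(b"secret", rng.getrandbits(k0))
    print("randomized:", c1 != c2, "decrypts:", oaep_decrypt(c1), oaep_decrypt(c2))
    print("tampered ciphertext rejected:", oaep_decrypt(c1 ^ 1) is None)
```

Flipping one bit of a ciphertext sends f^{-1} to an unrelated string, so the redundancy check fails except with probability about 2^-k1; this is what makes the decryption oracle useless to the malleability adversary of the previous slide.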


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time t' = 2·t + qH(2·qG + qH)·k^2 if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits; the reduction is not tight (note also the square-root loss in the advantage).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations, one per key.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible resources of any adversary attacking f = RSA are

at most 2^75 operations (t),

at most 2^55 hash (qH, qG) and ideal-cipher queries (qE).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + qE·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
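The key-size arithmetic of the four interpretation slides (RSA-FDH with the original and with Coron's reduction, RSA-OAEP and RSA-OAEP++), as an added example that is not part of the slides: each reduction is encoded as the time of the inverter it yields under the slides' resource bounds, and the check returns the smallest modulus at which that inverter is no faster than the NFS cost quoted on the slides. It assumes the slides' own cost model for Tf (k^3 on the first FDH slide, k^2 on the others) and, for RSA-OAEP, compares running time only, as the slide does, leaving the square-root advantage loss aside.

```python
import math

# Cost of the best known attack on RSA (NFS), in log2 operations, as quoted on
# the slides for each modulus size.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the slides.
T, Q_H, Q_S, Q_G, Q_E = 2 ** 75, 2 ** 55, 2 ** 30, 2 ** 55, 2 ** 55

def inverter_time_fdh(k):
    """RSA-FDH, original reduction: loss (q_h+q_s+1), B runs in t + (q_h+q_s)*T_f,
    with T_f = k^3 as on the slide."""
    return (Q_H + Q_S + 1) * (T + (Q_H + Q_S) * k ** 3)

def inverter_time_fdh_coron(k):
    """RSA-FDH [Coron 2000]: loss q_s*e, B runs in t + (q_h+q_s+1)*T_f; the
    slide's figures correspond to T_f = k^2 (small exponent)."""
    return Q_S * math.e * (T + (Q_H + Q_S + 1) * k ** 2)

def inverter_time_oaep(k):
    """RSA-OAEP [FOPS 00]: B runs in 2t + q_H(2q_G+q_H)k^2.  Time only: the
    square-root advantage loss is not folded in, matching the slide."""
    return 2 * T + Q_H * (2 * Q_G + Q_H) * k ** 2

def inverter_time_oaep_pp(k):
    """RSA-OAEP++ [Jonsson 02]: essentially tight, B runs in t + q_E*k^2."""
    return T + Q_E * k ** 2

def smallest_meaningful_modulus(inverter_time, attack=NFS_LOG2):
    """Smallest k at which the reduction's inverter is no faster than the best
    known attack, i.e. the proof actually constrains the scheme.  None means
    the reduction is vacuous at every listed size."""
    for k in sorted(attack):
        if math.log2(inverter_time(k)) <= attack[k]:
            return k
    return None

def report():
    return {
        "RSA-FDH (Bellare-Rogaway)": smallest_meaningful_modulus(inverter_time_fdh),
        "RSA-FDH (Coron)": smallest_meaningful_modulus(inverter_time_fdh_coron),
        "RSA-OAEP (FOPS)": smallest_meaningful_modulus(inverter_time_oaep),
        "RSA-OAEP++ (Jonsson)": smallest_meaningful_modulus(inverter_time_oaep_pp),
    }

if __name__ == "__main__":
    for name, k in report().items():
        print("%-26s provably secure from %s-bit moduli" % (name, k))
```

Swapping in a different attack-cost table (for instance updated NFS estimates, or a quantum cost model) or a different query budget immediately shows how sensitive each conclusion is to the looseness of the reduction rather than to the hardness of RSA itself.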


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices


Part V

Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield absolute proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) of debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we back in a cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

                                                                  6477

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security)

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!)

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACMTISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Complexity-theory Security

Given: A within time t and success probability ε
⇒ Build: Algorithm against P that runs in time t′ = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: There is no polynomial time adversary, which really means that there is no attack if the parameters are large enough

Not always meaningful, as when analyzing block ciphers

27/77


Complexity-theory Security Results

General Results

Under polynomial reductions against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption

2. One-way functions are enough for secure signatures

If we only care about feasibility, these results close the chapter (no more problems left), but

the schemes for which these results were originally obtained are rather inefficient

looking into the complexity of the reduction may give us some insight

28/77

Exact Security

Given: A which in time t breaks the scheme with probability ε
⇒ Build: Algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: Solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: There is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ ≫ t or ε′ ≪ ε, the reduction is not tight.

The tightness gap is (t′ε)/(tε′) = (t′/ε′)/(t/ε)

We want tight reductions, or at least reductions with a small tightness gap

30/77
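The exact-security bookkeeping of the last two slides, carried through in Python: from an adversary's (t, ε) and the reduction's loss to (t′, ε′), the tightness gap (t′ε)/(tε′), and the smallest key size at which the hardness assumption on P rules that adversary out. This is an added example, not code from the tutorial. Two things are assumptions chosen to make the arithmetic concrete: the reduction's loss shape (a multiplicative time overhead and a multiplicative probability loss) and the cost model for P, log2 τ(k) = k/2, i.e. the generic-group cost of discrete logarithms in a group of order about 2^k, in the spirit of the Nechaev and Shoup bounds listed in the references.

```python
"""Exact-security bookkeeping: tightness gap and the key size a reduction buys.

Added example, not the tutorial's code.  Assumed: the reduction costs
t' = time_overhead * t and eps' = eps / prob_loss, and solving P at key size
k costs about 2^(k/2) operations (generic-group discrete logarithm).
"""
import math


def reduced_resources(t, eps, time_overhead=1.0, prob_loss=1.0):
    """(t', eps') of the algorithm against P built from a (t, eps)-adversary.

    A tight reduction has time_overhead == prob_loss == 1.
    """
    return time_overhead * t, eps / prob_loss


def tightness_gap(t, eps, t_prime, eps_prime):
    """(t' * eps) / (t * eps') as defined on the slide; 1.0 means tight."""
    return (t_prime * eps) / (t * eps_prime)


def log2_work(t_prime, eps_prime):
    """log2 of the expected cost t'/eps' of rerunning the reduced algorithm until it succeeds."""
    return math.log2(t_prime / eps_prime)


def log2_tau_generic_dlog(k):
    """Assumed hardness of P: ~2^(k/2) operations for a group of order ~2^k."""
    return k / 2.0


def min_key_bits(t, eps, time_overhead=1.0, prob_loss=1.0,
                 log2_tau=log2_tau_generic_dlog, k_max=8192):
    """Smallest k at which the reduction excludes every (t, eps)-adversary.

    The exact-security result says no adversary with T(t, eps) <= tau(k) can
    exist, so we need tau(k) >= work(t', eps').  Returns None if no k <= k_max
    is large enough.
    """
    t_prime, eps_prime = reduced_resources(t, eps, time_overhead, prob_loss)
    need = log2_work(t_prime, eps_prime)
    for k in range(1, k_max + 1):
        if log2_tau(k) >= need:
            return k
    return None


def compare_reductions(t=2.0**80, eps=0.5, query_loss=2.0**20):
    """Worked comparison for one adversary: a tight reduction versus a
    hypothetical one that loses a factor query_loss (say, a number of oracle
    queries) in success probability.  Returns
    (gap_tight, key_bits_tight, gap_loose, key_bits_loose)."""
    tp, ep = reduced_resources(t, eps)
    gap_tight = tightness_gap(t, eps, tp, ep)
    bits_tight = min_key_bits(t, eps)
    tp, ep = reduced_resources(t, eps, prob_loss=query_loss)
    gap_loose = tightness_gap(t, eps, tp, ep)
    bits_loose = min_key_bits(t, eps, prob_loss=query_loss)
    return gap_tight, bits_tight, gap_loose, bits_loose


if __name__ == "__main__":
    g1, k1, g2, k2 = compare_reductions()
    print(f"tight reduction:  gap {g1:g}, need a {k1}-bit group order")
    print(f"lossy reduction:  gap {g2:g}, need a {k2}-bit group order")
```

With the defaults the tight reduction needs a 162-bit group order to exclude a 2^80-time, probability-1/2 adversary, while the reduction losing a factor 2^20 needs 202 bits: the 2^20 tightness gap costs 40 bits of key size for the same concrete guarantee, which is exactly the "practical implication" the slides ask us to distill from a reduction.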


Security Notions

Part IV

Security Notions

31/77

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= opposite to the adversary's goal): the property that needs to be guaranteed

2. Attack model: attack venues, what the adversary can and cannot do; leaked information, what the adversary can learn from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key kv, it outputs a pair (m′, σ′) of a message and its signature such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary also can access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

(kv, ks) ←$ K(·)

The adversary receives kv; the signing oracle holds ks. The adversary sends queries m and receives σ ← Sign(ks, m), as many times as it likes (m →, ← σ, ···). Finally it outputs (m′, σ′).

Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H)

The same query asked twice receives the same answer twice

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH = (K, S, V) is as follows:

K: Key generation returns (f, f^{-1}) where
   Public key: f: X → X, a trapdoor one-way permutation onto X
   Private key: f^{-1}

S: Signature of m returns σ ← f^{-1}(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)
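The random oracle of the previous slide and the FDH scheme above, written out as an added example (this is not code from the slides or from Bellare-Rogaway). The oracle is simulated by lazy sampling with an H-List, exactly the mechanism the game-based proof later relies on. The trapdoor permutation is a toy RSA on the constructed modulus n = 61 · 53 with e = 17; these parameters are assumptions chosen only so that f is a permutation of X = Z_n that can be evaluated and inverted instantly, and the function names (f, f_inv, RandomOracle, sign, verify) are this example's own.

```python
# Added example, not from the slides: a random oracle simulated by lazy
# sampling (the H-List of game G1) and the FDH scheme (K, S, V) built on a
# toy RSA permutation.  The modulus n = 61 * 53 and exponent e = 17 are
# constructed toy parameters, far too small for real use; they only give us
# a permutation f of X = Z_n that we can evaluate and invert instantly.
import secrets

P, Q, E = 61, 53, 17
N = P * Q                           # 3233, so X = {0, ..., 3232}
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753, the trapdoor for f^{-1}


def f(x):
    """Forward direction of the trapdoor permutation (RSA: x^e mod n)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction, known only to the signer (RSA: y^d mod n)."""
    return pow(y, D, N)


class RandomOracle:
    """H : {0,1}* -> X, simulated by lazy sampling.

    A new query gets a fresh uniform answer in X (Rule H(1)); a repeated
    query is answered from the H-List, so H behaves as a fixed function.
    Only the simulator sees the list; the adversary only sees answers.
    """

    def __init__(self, domain_size):
        self.domain_size = domain_size
        self.h_list = {}        # H-List: query -> answer
        self.queries = 0        # number of distinct queries (q_h)

    def __call__(self, q):
        if q in self.h_list:
            return self.h_list[q]
        r = secrets.randbelow(self.domain_size)    # r <-$ X
        self.h_list[q] = r
        self.queries += 1
        return r


def keygen():
    """K: returns (f, f^{-1}); f is the public key, f^{-1} the private key."""
    return f, f_inv


def sign(f_inv, H, m):
    """S: sigma <- f^{-1}(H(m))."""
    return f_inv(H(m))


def verify(f, H, m, sigma):
    """V: accept iff f(sigma) = H(m)."""
    return f(sigma) == H(m)


def demo():
    """Sign two messages, verify them, and reject a corrupted signature."""
    H = RandomOracle(N)
    pk, sk = keygen()
    m1, m2 = b"pay 10 EUR to bob", b"pay 20 EUR to carol"
    s1, s2 = sign(sk, H, m1), sign(sk, H, m2)
    ok = verify(pk, H, m1, s1) and verify(pk, H, m2, s2)
    # f is a permutation, so any other sigma maps to a different point of X
    # and cannot equal H(m1); this rejection does not depend on H's coins.
    bad = verify(pk, H, m1, (s1 + 1) % N)
    return ok, bad, H.queries


if __name__ == "__main__":
    print(demo())   # (True, False, 2)
```

Note that the signer and the verifier must share the same oracle object: in the model H is one public random function, and the H-List is what makes the simulated H consistent across all parties. When the scheme is deployed, H is instantiated with a concrete hash function mapped onto X, which is exactly the heuristic step the slide calls controversial.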


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

   Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

   A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,

   T_f is the time to compute f (in the forward direction),

   B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.

2. All games live in the same probability space.

3. The rules by which the view of the game is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle V_f.

Verification oracle V_f(m, σ):
   Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

   "A outputs a pair (m, σ) for which V_f returns true"

Clearly Adv^{euf-cma}_{FDH}(A) = Pr[S0].

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
   Create an initially empty list called H-List.
   If (q, r) ∈ H-List, return r.
   Otherwise reply using
   Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m):
   r ← H(m). Reply using
   Rule S(1): σ ← f^{-1}(r).

Verification oracle V_f(m, σ):
   r ← H(m). Return true if r = f(σ).
   The game ends when this oracle is called.

Let S1 be the event "V_f returns true in G1". Clearly Pr[S1] = Pr[S0].

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

   c ←$ {1, ..., q_H + q_S + 1}

Let c' = index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

   Pr[S2] = Pr[S1 ∧ GoodGuess]
          = Pr[S1 | GoodGuess] × Pr[GoodGuess]
          ≥ Pr[S1] × 1/(q_H + q_S + 1)

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3):
   If this is the c-th query, set r ← y. Otherwise choose r at random. Add record (q, ⊥, r) to H-List.

Since the challenge y is itself uniformly distributed, Pr[S3] = Pr[S2].


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
   If this is the c-th query, set r ← y and s ← ⊥.
   Otherwise choose random s ←$ X and compute r ← f(s).
   Add record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):
   Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4].

Moreover:

   the simulation can be done computing (q_S + q_H) evaluations of f;

   a signature forgery for y gives a preimage for y;

   Pr[S5] = Adv^{ow}_f(B)

where B = G5 runs in time t + (q_S + q_H) · T_f.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

   Adv^{ow}_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
                 ≥ 1/(q_H + q_S + 1) × Pr[S1]
                 ≥ 1/(q_H + q_S + 1) × Pr[S0]
                 = 1/(q_H + q_S + 1) × Adv^{euf-cma}_{FDH}(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
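The adversary B that games G2 through G5 describe, written as runnable code as an added example (not code from the slides, from Pointcheval or from Bellare-Rogaway). B is given a challenge y = f(x), guesses the index c of the hash query on the forgery message, answers that query with y and every other query with r = f(s) for a known s (Rule H(4)), answers signing queries by table lookup (Rule S(5)), and returns σ from a valid forgery on the c-th message, which is then a preimage of y. The toy RSA parameters, the class name Reduction and the "cheating forger" are this example's assumptions: the forger stands in for A and uses the trapdoor d only so that the reduction's mechanics can be exercised offline; B itself never computes anything but f in the forward direction.

```python
# Added example, not from the slides: the reduction B of game G5 as runnable
# code.  B receives a challenge y = f(x), guesses the index c of the hash
# query on the forgery message, answers that query with y and every other
# query with r = f(s) for a known s (Rule H(4)), signs by table lookup
# (Rule S(5)), and turns a valid forgery on the c-th message into x.
# Toy RSA parameters and the "cheating forger" are constructed for the
# demonstration; the forger stands in for A and uses the trapdoor d only so
# that the reduction's mechanics can be exercised offline.
import random

P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # only the stand-in forger uses this


def f(x):
    """Forward direction of the trapdoor permutation; all B ever computes."""
    return pow(x, E, N)


class Reduction:
    """B: given y and a guess c (1-based), simulate the EUF-CMA game for A."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.h_list = {}    # H-List: q -> (s, r); s is None (⊥) at index c
        self.count = 0      # hash queries so far, direct or through signing

    def hash_oracle(self, q):
        if q in self.h_list:
            return self.h_list[q][1]
        self.count += 1
        if self.count == self.c:          # Rule H(4): embed the challenge
            s, r = None, self.y
        else:                             # otherwise r = f(s) with s known
            s = self.rng.randrange(N)     # s <-$ X
            r = f(s)
        self.h_list[q] = (s, r)
        return r

    def sign_oracle(self, m):
        self.hash_oracle(m)               # ensure (m, s, r) is on the H-List
        s, _ = self.h_list[m]
        if s is None:                     # would need f^{-1}(y): B must abort
            raise RuntimeError("abort: signature asked on embedded challenge")
        return s                          # Rule S(5): sigma <- s

    def run(self, forger):
        """Return x with f(x) = y, or None when the guess c did not pay off."""
        try:
            m, sigma = forger(self.hash_oracle, self.sign_oracle)
        except RuntimeError:
            return None
        # Verification oracle V_f: f(sigma) must equal H(m) ...
        if m not in self.h_list or f(sigma) != self.h_list[m][1]:
            return None
        # ... and the forgery only helps B if H(m) is the embedded y (c = c').
        if self.h_list[m][1] != self.y:
            return None
        return sigma


def cheating_forger(H, S):
    """Stand-in for A: one signing query, one hash query, then a forgery on a
    fresh message, which becomes the 3rd distinct hash query."""
    S(b"msg-1")
    H(b"msg-2")
    target = b"msg-forged"
    return target, pow(H(target), D, N)   # a real forger has no D


def invert_with_forger(y, c, seed=0):
    return Reduction(y, c, random.Random(seed)).run(cheating_forger)


def demo():
    x = 1234
    y = f(x)
    # c = 3 matches this forger's behaviour and recovers x.  c = 1 embeds y
    # in the message later asked for signing, so B aborts.  c = 2 yields a
    # valid forgery on a hash value that is (almost surely) not y, which is
    # useless to B: the guess is the 1/(q_H + q_S + 1) loss of the theorem.
    return [invert_with_forger(y, c) for c in (1, 2, 3)]


if __name__ == "__main__":
    print(demo())
```

Whatever c is, B outputs either nothing or a correct preimage: the last check in run() guarantees f(σ) = y whenever a value is returned. Counting the work, every hash query costs B one forward evaluation of f and the signing queries cost nothing beyond their implicit hash query, which is the (q_S + q_H) · T_f term of the theorem.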


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

   Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

   A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,

   T_f is the time to compute f (in the forward direction),

   B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

   at most 2^75 operations (t),

   at most 2^55 hash queries (q_h), and

   at most 2^30 signing queries (q_s).

   Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

   B runs in time t' = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result

If one can break the scheme within time t, then one can invert f within time
   t' ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

   t' ≤ 2^130 + 2^110 · T_f

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)), for f = RSA:

   1024 bits → t' ≤ 2^140, but NFS takes 2^80

   2048 bits → t' ≤ 2^143, but NFS takes 2^111

   4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

   Adv^{euf-cma}_{FDH}(A) ≤ q_s · e · Adv^{ow}_f(B)

where B runs in time t' = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · T_f, and

   1024 bits → t' ≤ 2^105, but NFS takes 2^80

   2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

   4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:

   Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security). Informally:

   Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

   Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

   Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

   Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme AS = (K, E, D):

   Challenger                                       Adversary
   b ←$ {0,1}; (k_e, k_d) ←$ K(·)   --- k_e --->
                                    <--- c ----     (CCA1: decryption queries before the challenge)
   m ← D_{k_d}(c)                   -- m or ⊥ ->    ...
                                    <-- m0, m1 -
   c* ← E_{k_e}(m_b)                --- c* --->
                                    <- c ≠ c* --    (CCA2: decryption queries after the challenge)
   m ← D_{k_d}(c)                   -- m or ⊥ ->    ...
                                                    b' ←

   Adv^{ind-cca}_{AS}(A) = Pr[(m0, m1) ← A^D(k_e), c* ← E_{k_e}(m_b) : b' = b]

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,\big]$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA problem (modular e-th roots). It is not IND-CPA, nor IND-CCA, since it is deterministic.

Discrete-log based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
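The IND game defined above and the two negative results on this slide can be played out in code. The following is an added example, not code from the slides or from any cited paper: a small harness that runs the IND-CPA or IND-CCA2 game (the decryption oracle refuses only c = c*, as in the diagram) against a toy textbook RSA and a toy ElGamal. Every parameter is a constructed toy value (the 3233 modulus, the order-11 subgroup of Z_23^*, the secret key x = 7, the message pairs); the function names are the example's own. The RSA adversary simply re-encrypts m_0, which is why a deterministic scheme cannot be IND-CPA; the ElGamal adversary uses multiplicativity, asking the oracle about (c_1, c_2 · m') instead of c*, which is why ElGamal is not IND-CCA2 even though it is IND-CPA under DDH.

```python
"""Toy IND-CPA / IND-CCA2 game harness (constructed example, tiny parameters)."""
import random

# --- Toy textbook RSA: n = 61 * 53 = 3233, e = 17, d = 17^-1 mod 3120 = 2753 ---
RSA = {
    "pk": (3233, 17),
    "sk": (3233, 2753),
    "msgs": (42, 1000),          # constructed challenge pair (m0, m1)
}

def rsa_enc(pk, m, rng):
    n, e = pk
    return pow(m, e, n)          # deterministic: rng is never used

def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)

# --- Toy ElGamal in the order-11 subgroup of Z_23^* generated by g = 2 ---
P, G, Q = 23, 2, 11
X = 7                            # constructed secret key; y = g^x is the public key
ELGAMAL = {
    "pk": (P, G, pow(G, X, P)),
    "sk": (P, X),
    "msgs": (2, 8),              # g^1 and g^3, both inside the subgroup
}

def eg_enc(pk, m, rng):
    p, g, y = pk
    r = rng.randrange(1, Q)      # fresh randomness: the scheme is probabilistic
    return (pow(g, r, p), pow(y, r, p) * m % p)

def eg_dec(sk, c):
    p, x = sk
    c1, c2 = c
    return c2 * pow(c1, p - 1 - x, p) % p   # c2 / c1^x, using c1^(p-1) = 1

def ind_game(enc, dec, scheme, adversary, cca2, rng):
    """One run of the IND game from the slides: the adversary gets the public key,
    the challenge c* = E(m_b) and, only when cca2=True, a decryption oracle that
    answers every query except c* itself. Returns True iff the guess b' equals b."""
    pk, sk, (m0, m1) = scheme["pk"], scheme["sk"], scheme["msgs"]
    b = rng.randrange(2)
    c_star = enc(pk, (m0, m1)[b], rng)

    def dec_oracle(c):
        if not cca2:
            raise PermissionError("no decryption oracle in the IND-CPA game")
        if c == c_star:
            return None          # the oracle refuses c = c* (returns bottom)
        return dec(sk, c)

    return adversary(pk, c_star, dec_oracle) == b

def rsa_cpa_adversary(pk, c_star, dec_oracle):
    """Deterministic encryption is not IND-CPA: re-encrypt m0 and compare with c*."""
    return 0 if rsa_enc(pk, RSA["msgs"][0], None) == c_star else 1

def eg_cca_adversary(pk, c_star, dec_oracle):
    """ElGamal is not IND-CCA2: (c1, c2 * m') is a valid encryption of m_b * m'
    and differs from c*, so the oracle answers it; divide by m' to learn m_b."""
    p, _, _ = pk
    c1, c2 = c_star
    m_prime = 4                                  # any subgroup element other than 1
    product = dec_oracle((c1, c2 * m_prime % p))
    m_b = product * pow(m_prime, p - 2, p) % p   # inverse of m' via Fermat
    return 0 if m_b == ELGAMAL["msgs"][0] else 1

def guess_adversary(pk, c_star, dec_oracle):
    """Baseline with no information: always answer 0, right about half the time."""
    return 0

def win_rate(enc, dec, scheme, adversary, cca2, trials=400, seed=2013):
    """Empirical Pr[b' = b], the probability inside Adv^ind-cca on the slide:
    about 1/2 for a guess, 1 for a successful distinguisher."""
    rng = random.Random(seed)
    wins = sum(ind_game(enc, dec, scheme, adversary, cca2, rng) for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print("textbook RSA, IND-CPA, re-encryption adversary:",
          win_rate(rsa_enc, rsa_dec, RSA, rsa_cpa_adversary, cca2=False))
    print("ElGamal, IND-CPA, guessing adversary:           ",
          win_rate(eg_enc, eg_dec, ELGAMAL, guess_adversary, cca2=False))
    print("ElGamal, IND-CCA2, multiplicativity adversary:  ",
          win_rate(eg_enc, eg_dec, ELGAMAL, eg_cca_adversary, cca2=True))
```

The harness reports Pr[b' = b] directly because that is the quantity written on the slide; the usual normalisation 2·Pr[b' = b] − 1 maps the guessing baseline to 0 and the two distinguishers to 1. Running the ElGamal adversary in the CPA game raises PermissionError, which is the point: without the oracle the multiplicativity of the scheme is useless to it.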


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k_0, k_1 integers such that n > k_0 + k_1, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y, then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.
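The slide names x and y but the diagram that defined them did not survive extraction. As an added example (not code from the slides or from Bellare and Rogaway), here is the standard f-OAEP padding, x = (m || 0^{k_1}) ⊕ G(r) and y = r ⊕ H(x), wrapped around a toy RSA permutation, together with the decryption-side redundancy check. G and H are instantiated with SHA-256 as random-oracle stand-ins, f is RSA with two Mersenne primes (a constructed key, far too small to be secure), and the sizes n = 144 bits, k_0 = k_1 = 32 bits are assumptions chosen so that every padded block is below the modulus. The last function shows what the redundancy buys: a ciphertext that is blindly altered via RSA's multiplicativity no longer decrypts to anything, which is the mechanism behind the IND-CCA results on the next slides.

```python
"""f-OAEP padding around a small RSA trapdoor permutation (constructed example)."""
import hashlib
import secrets

# Trapdoor permutation f = RSA with two Mersenne primes (constructed toy key).
# N is about 150 bits, so every 144-bit padded block x||y is an element below N.
P_, Q_ = 2**61 - 1, 2**89 - 1
N = P_ * Q_
E = 65537                                 # coprime to (P_-1)(Q_-1): 32 divides neither 60 nor 88
D = pow(E, -1, (P_ - 1) * (Q_ - 1))

# OAEP sizes (assumed for the example): n = 144 bits, k0 = k1 = 32 bits.
N_BYTES, K0_BYTES, K1_BYTES = 18, 4, 4
MSG_BYTES = N_BYTES - K0_BYTES - K1_BYTES  # 10-byte plaintexts

def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), SHA-256 standing in for the random oracle."""
    return hashlib.sha256(b"G" + r).digest()[: N_BYTES - K0_BYTES]

def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H" + x).digest()[:K0_BYTES]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def f(xy):
    """The trapdoor permutation on an n-bit string, as an integer mod N."""
    return pow(int.from_bytes(xy, "big"), E, N)

def f_inv(c):
    """Inverse with the trapdoor; values outside the n-bit range are not valid preimages."""
    xy = pow(c, D, N)
    if xy >= 2 ** (8 * N_BYTES):
        return None
    return xy.to_bytes(N_BYTES, "big")

def oaep_encrypt(m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_BYTES:
        raise ValueError("message must be exactly %d bytes" % MSG_BYTES)
    if r is None:
        r = secrets.token_bytes(K0_BYTES)   # fresh randomness on every call
    x = xor(m + bytes(K1_BYTES), G(r))
    y = xor(r, H(x))
    return f(x + y)

def oaep_decrypt(c):
    """D(c): x || y = f^-1(c); r = y xor H(x); m || z = x xor G(r); accept iff z = 0^k1."""
    xy = f_inv(c)
    if xy is None:
        return None
    x, y = xy[: N_BYTES - K0_BYTES], xy[N_BYTES - K0_BYTES :]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    m, z = mz[:MSG_BYTES], mz[MSG_BYTES:]
    return m if z == bytes(K1_BYTES) else None   # redundancy check failed: bottom

def tamper_rejected(c):
    """Multiplying the RSA ciphertext by 2^e turns the padded block into 2*(x||y) mod N;
    the redundancy check then rejects it except with probability about 2^-32."""
    return oaep_decrypt(c * pow(2, E, N) % N) is None
```

With the redundancy in place the decryptor answers ⊥ for anything that was not produced by E, which is exactly what a reduction needs in order to simulate the decryption oracle of the IND-CCA game without knowing the trapdoor.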


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size, and e is small.

Inverting f (solving RSA) can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t)

at most 2^55 hash queries (q_H, q_G) and ideal cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices


                                                                    Concluding Remarks

                                                                    Part V

                                                                    Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].


Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).


                                                                    Part VI

                                                                    References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987. 11-15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270-299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference - EUROCRYPT '97, pages 256-266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87-100, 2001.

• Introduction to Provable Security
• Introduction
  • Introduction to Cryptography
    • What Cryptography is about
    • Classic Goals
• Provable Security
  • Provable Security
    • Provably Security: The Short Story
    • The need for Provable Security
    • Reductions
• Security Notions
  • Security Notions
    • Security Notion for Signature Schemes
    • Security Notion for Encryption Schemes
• Concluding Remarks
  • Concluding Remarks
  • References

Complexity-theoretic Security

Given: A, within time t and with success probability ε

⇒ Build: an algorithm against P that runs in time t' = T(t, ε)

Assumption: P is hard = "no polynomial time algorithm"

Reduction: T is polynomial in t and ε

Security result: there is no polynomial time adversary, which really means that there is no attack if the parameters are large enough.

Not always meaningful, as when analyzing block ciphers.


Complexity-theoretic Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but:

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.


Exact Security

Given: A which, in time t, breaks the scheme with probability ε

⇒ Build: an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'

Assumption: solving P requires N operations (say, time τ)

Reduction: exact cost for T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is $(t'/\varepsilon') / (t/\varepsilon) = (t' \varepsilon) / (t \varepsilon')$.

We want tight reductions, or at least reductions with a small tightness gap.
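The tightness gap just defined and the exact-security argument from the previous slide are what produce the key-size verdicts on the RSA-OAEP and RSA-OAEP++ slides earlier in this transcript (slides 59 and 61). The following added example (not code from the slides or the cited papers) carries that computation through: it encodes the two running-time bounds quoted there, t' = 2t + q_H(2q_G + q_H)k^2 for RSA-OAEP and t' = t + q_E k^2 for RSA-OAEP++, compares them with the NFS costs quoted on the slides (2^80, 2^111, 2^149 for 1024-, 2048- and 4096-bit moduli), and reports the smallest quoted key size for which the reduction rules the assumed adversary (t ≤ 2^75, at most 2^55 oracle queries) out. The advantage side of the RSA-OAEP gap uses ε' = (ε/2)^2, read off the bound Adv ≤ 2·sqrt(Adv^rsa); the function names and the choice ε = 2^-20 are the example's own.

```python
"""Exact-security bookkeeping for the RSA-OAEP and RSA-OAEP++ reductions (constructed example)."""
import math

# NFS cost (log2 operations) for inverting k-bit RSA, as quoted on the slides.
NFS_LOG2_COST = {1024: 80, 2048: 111, 4096: 149}

def tightness_gap(t, eps, t_prime, eps_prime):
    """(t'/eps') / (t/eps) from the tightness slide: 1 is tight, larger means more is lost."""
    return (t_prime / eps_prime) / (t / eps)

def oaep_reduction_time(t, q_g, q_h, k):
    """t' = 2*t + q_H (2*q_G + q_H) * k^2, the RSA-OAEP bound [Fujisaki-OPS 00]."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k

def oaepxx_reduction_time(t, q_e, k):
    """t' = t + q_E * k^2, the essentially linear RSA-OAEP++ bound [Jonsson 02]."""
    return t + q_e * k * k

def key_size_verdicts(reduction_time, **adversary):
    """For each quoted modulus size: log2 of the reduction's running time and whether
    it stays below the NFS cost. If it does, an adversary with these resources would
    invert RSA faster than the best known algorithm, so it cannot exist."""
    verdicts = {}
    for k, nfs_log2 in NFS_LOG2_COST.items():
        log_t = math.log2(reduction_time(k=k, **adversary))
        verdicts[k] = (log_t, log_t < nfs_log2)
    return verdicts

def min_secure_key_bits(reduction_time, **adversary):
    """Smallest quoted key size for which the reduction rules the adversary out (None if none)."""
    secure = [k for k, (_, ok) in key_size_verdicts(reduction_time, **adversary).items() if ok]
    return min(secure) if secure else None

# The feasible adversary assumed on the slides: 2^75 operations, 2^55 oracle queries.
FEASIBLE = dict(t=2**75)
OAEP_QUERIES = dict(q_g=2**55, q_h=2**55)
OAEPXX_QUERIES = dict(q_e=2**55)

if __name__ == "__main__":
    for name, bound, queries in [("RSA-OAEP", oaep_reduction_time, OAEP_QUERIES),
                                 ("RSA-OAEP++", oaepxx_reduction_time, OAEPXX_QUERIES)]:
        for k, (log_t, ok) in key_size_verdicts(bound, **FEASIBLE, **queries).items():
            print(f"{name:11s} {k} bits: t' = 2^{log_t:.1f}, NFS 2^{NFS_LOG2_COST[k]}: "
                  f"{'ok' if ok else 'no'}")
        print(f"{name:11s} minimal quoted key size:",
              min_secure_key_bits(bound, **FEASIBLE, **queries))
    # Example gap for RSA-OAEP at 1024 bits with eps = 2^-20 (eps' >= (eps/2)^2).
    eps = 2.0 ** -20
    gap = tightness_gap(2**75, eps, oaep_reduction_time(k=1024, **FEASIBLE, **OAEP_QUERIES), (eps / 2) ** 2)
    print("RSA-OAEP tightness gap at 1024 bits, eps = 2^-20: 2^%.1f" % math.log2(gap))
```

Because the bounds are plugged in exactly rather than rounded up as on the slides, the printed exponents (about 131.6, 133.6 and 135.6 for RSA-OAEP; 76, 77.3 and 79.1 for RSA-OAEP++) sit slightly below the slide's 2^133/2^135/2^137 and 2^76/2^78/2^80, but the verdicts are the same: only the 4096-bit modulus survives the quadratic RSA-OAEP reduction, while the linear RSA-OAEP++ reduction already justifies 1024-bit keys.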


                                                                      Security Notions

                                                                      Part IV

                                                                      Security Notions


Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think about and define:

1. Security goal of the scheme (= the opposite of the adversary's goal)

Property that needs to be guaranteed

2. Attack model

Attack venues: what the adversary can and cannot do. Leaked information: what the adversary can learn from honest users (often modeled by oracles).

                                                                      3277


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m', σ') of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m', σ') = 1 ]

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

(kv, ks) ←$ K(·)

The adversary receives kv and interacts with a signing oracle that holds ks: on each query m the oracle returns σ ← Sign(ks, m). Finally the adversary outputs (m', σ').

Adv^euf-cma_Σ(A) = Pr[ Vf(kv, m', σ') = 1 for a new m' ]

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

hash functions,

block ciphers,

finite groups,

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).

The same query asked twice receives the same answer twice.

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns (f, f^-1) where
   Public key: f: X → X, a trapdoor one-way permutation onto X
   Private key: f^-1

S: Signature of m returns σ ← f^-1(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (q_h + q_s + 1) · Adv^ow_f(B)

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,

T_f is the time to compute f (in the forward direction),

B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.

2. All games are in the same probability space.

3. The rules for how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^euf-cma_FDH(A) = Pr[ S0 ].

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
   Create an initially empty list called H-List.
   If (q, r) ∈ H-List, return r.
   Otherwise reply using
   Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
   r ← H(m). Reply using
   Rule S(1): σ ← f^-1(r)

Verification oracle Vf(m, σ):
   r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ].

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

c ←$ {1, ..., qH + qS + 1}

Let c' = the index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c' then abort.

Successful verification is within the game ⇒ the adversary must query its output message m.

Pr[ S2 ] = Pr[ S1 ∧ GoodGuess ]
         = Pr[ S1 | GoodGuess ] × Pr[ GoodGuess ]
         ≥ Pr[ S1 ] × 1/(qH + qS + 1)

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since y is uniformly random, Pr[ S3 ] = Pr[ S2 ].


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): If this is the c-th query, set r ← y and s ← ⊥. Otherwise choose random s ←$ X and compute r ← f(s). Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[ S4 ] = Pr[ S3 ].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^-1.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the message of the c-th query cannot be asked to the signing oracle, Pr[ S5 ] = Pr[ S4 ]. Moreover,

the simulation can be done computing (qS + qH) evaluations of f,

a signature forgery for y gives a preimage for y,

Pr[ S5 ] = Adv^ow_f(B)

where B = G5 runs in time t + (qS + qH) · T_f.


                                                                      Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\cdot\Pr[S_1] \ge \frac{1}{q_H + q_S + 1}\cdot\Pr[S_0] = \frac{1}{q_H + q_S + 1}\cdot\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: In general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
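As an added illustration (not code from the slides), here is the simulator B of game G5 in Python: every fresh hash query is answered with r = f(s) for a random s, so Rule S(5) signs by table lookup with no access to f^{-1}; the challenge y is embedded at the c-th fresh query, and a forgery on that message is returned as a preimage of y. The permutation f is a toy RSA on constructed Mersenne-prime parameters, and the class and function names are my own.

```python
import secrets

# Toy trapdoor one-way permutation f = RSA on two fixed Mersenne primes
# (constructed parameters for illustration only; far too small for real use).
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x: int) -> int:          # forward direction; this is all B ever uses
    return pow(x, E, N)


def f_inv(y: int) -> int:      # trapdoor; used by the real signer only
    return pow(y, D, N)


def fdh_sign(m: bytes, hash_oracle) -> int:
    """The real FDH signer: sigma = f^-1(H(m))."""
    return f_inv(hash_oracle(m))


def fdh_verify(m: bytes, sigma: int, hash_oracle) -> bool:
    return f(sigma) == hash_oracle(m)


class FDHSimulator:
    """Reduction B of game G5. It answers A's hash and signing queries using f
    only: each fresh hash value is r = f(s) for a random s (uniform, since f is
    a permutation), so signing is a table lookup. At the c-th fresh hash query
    the challenge y is embedded instead, and its preimage is unknown to B."""

    def __init__(self, y: int, q_total: int, c: int = None):
        self.y = y                                           # find s with f(s) = y
        self.c = c if c is not None else secrets.randbelow(q_total) + 1  # c in 1..qH+qS+1
        self.fresh = 0                                       # fresh hash queries so far
        self.hlist = {}                                      # H-List: m -> (s, r), r = H(m)
        self.embedded = None                                 # message whose hash is y
        self.f_evaluations = 0                               # simulation cost: (qS + qH) Tf

    def hash_query(self, m: bytes) -> int:
        if m not in self.hlist:
            self.fresh += 1
            if self.fresh == self.c:
                self.hlist[m] = (None, self.y)               # preimage unknown
                self.embedded = m
            else:
                s = secrets.randbelow(N)
                self.f_evaluations += 1
                self.hlist[m] = (s, f(s))                    # r = f(s) is uniform
        return self.hlist[m][1]

    def sign_query(self, m: bytes):
        """Rule S(5): look up (m, s, r) in the H-List and set sigma <- s.
        Returns None (B aborts) if A asks for a signature on the c-th message."""
        self.hash_query(m)
        s, _ = self.hlist[m]
        return s

    def extract(self, m_star: bytes, sigma_star: int):
        """A valid forgery on the embedded message is a preimage of y under f."""
        if m_star == self.embedded and f(sigma_star) == self.y:
            return sigma_star
        return None


if __name__ == "__main__":
    s_secret = 123456789                 # constructed: the challenger's hidden preimage
    sim = FDHSimulator(f(s_secret), q_total=3, c=2)
    sigma = sim.sign_query(b"m1")        # signed without any trapdoor
    print(fdh_verify(b"m1", sigma, sim.hash_query))
    sim.hash_query(b"m2")                # second fresh query: y is embedded here
    print(sim.extract(b"m2", s_secret) == s_secret)
```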


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\mathrm{ow}}_f(B)$$

$B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme with time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s)\cdot T_f) \le 2^{130} + 2^{110}\cdot T_f$.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110}\cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. So inverting $f$ can be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem

Secrecy (i.e., encryption)

Goal cannot be too strong

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game is:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the Adversary.

Adversary (CCA1 phase): sends $c$; Challenger returns $m \leftarrow D_{k_d}(c)$ (or $\perp$); repeated; Adversary then sends $(m_0, m_1)$.

Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$.

Adversary (CCA2 phase): sends $c \ne c^*$; Challenger returns $m \leftarrow D_{k_d}(c)$ (or $\perp$); repeated; Adversary finally outputs $b'$.

$$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]$$

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$$


Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So, how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$$

$$H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$$

$E(m, r)$: Compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: Compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
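An added worked example, not the slides' own code: a toy f-OAEP in Python. It assumes the standard Bellare-Rogaway transform x = (m || 0^{k1}) ⊕ G(r), y = r ⊕ H(x), with G and H built from SHA-256 as stand-ins for the random oracles, f a toy RSA on constructed Mersenne-prime parameters, and D(c) returning None for ⊥ when the range or redundancy check fails; the last lines show a malleated ciphertext (c · 2^e mod N, using RSA's multiplicativity) being rejected by that check.

```python
import hashlib
import secrets

# Toy trapdoor one-way permutation f = RSA on two fixed Mersenne primes
# (constructed parameters for illustration only; far too small for real use).
P, Q = (1 << 89) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP parameters in bytes: n = |m| + k0 + k1, and n bits must lie below N.
N_BYTES = 24                  # n  = 192 bits, the domain of f (N has 196 bits)
K0 = 8                        # k0 = 64 bits, the random seed r
K1 = 4                        # k1 = 32 bits of zero redundancy
MSG_LEN = N_BYTES - K0 - K1   # 12-byte messages


def mgf(label: bytes, seed: bytes, out_len: int) -> bytes:
    """SHA-256 in counter mode; stands in for the random oracles G and H."""
    out = b""
    for counter in range((out_len + 31) // 32):
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
    return out[:out_len]


def G(r: bytes) -> bytes:      # G: {0,1}^k0 -> {0,1}^(n-k0)
    return mgf(b"G", r, N_BYTES - K0)


def H(x: bytes) -> bytes:      # H: {0,1}^(n-k0) -> {0,1}^k0
    return mgf(b"H", x, K0)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    if len(m) != MSG_LEN or len(r) != K0:
        raise ValueError("bad message or seed length")
    x = xor(m + b"\x00" * K1, G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy: bytes):
    """Inverts the transform; returns None (bottom) unless the k1 zero bits are present."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    return m if redundancy == b"\x00" * K1 else None


def f(v: int) -> int:
    return pow(v, E, N)


def f_inv(c: int) -> int:
    return pow(c, D, N)


def encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r): pad with OAEP, then apply f."""
    r = secrets.token_bytes(K0) if r is None else r
    return f(int.from_bytes(oaep_pad(m, r), "big"))


def decrypt(c: int):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy; None on any failure."""
    if not 0 <= c < N:
        return None
    v = f_inv(c)
    if v >= 1 << (8 * N_BYTES):     # f^-1(c) is not a valid n-bit x || y
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))


if __name__ == "__main__":
    m = b"hello, world"             # constructed 12-byte sample plaintext
    c = encrypt(m)
    print(decrypt(c) == m)
    # RSA is multiplicative: c * 2^e mod N is the image of 2 * (x || y).
    # Plain RSA would decrypt it to a related value; OAEP's range and
    # redundancy checks reject it instead.
    print(decrypt(c * pow(2, E, N) % N))
```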


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2\cdot t + q_H(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

So inverting $f$ can be done in time $t' \le 2^{76} + 6\cdot 2^{110} k^2 \le 2^{113}\cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices


                                                                      Part V

                                                                      Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                                      Part VI

                                                                      References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.


J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

                                                                      7177

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17(2):81–104, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (STOC 2011), pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (not published elsewhere; jjonsson@rsasecurity.com, received 18 Mar. 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology (Inscrypt 2012), pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Complexity-theory Security Results

General Results

Under polynomial reductions, against polynomial-time adversaries:

1. Trapdoor one-way permutations are enough for secure encryption.

2. One-way functions are enough for secure signatures.

If we only care about feasibility, these results close the chapter (no more problems left), but

the schemes for which these results were originally obtained are rather inefficient;

looking into the complexity of the reduction may give us some insight.

Exact Security

Given A, which in time t breaks the scheme with probability ε,

⇒ build an algorithm against P that runs in time t' = T(t, ε) and works with probability ε'.

Assumption: solving P requires N operations (say, time τ).

Reduction: the exact cost T as a function of t, ε and other parameters (e.g. the key sizes).

Security result: there is no adversary (for the scheme) within time t such that t' = T(t, ε) ≤ τ.

Why useful?

From T(t, ε) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is
$$\frac{t'\,\varepsilon}{t\,\varepsilon'} \;=\; \frac{t'/\varepsilon'}{t/\varepsilon}.$$

We want tight reductions, or at least reductions with a small tightness gap.


Part IV

Security Notions

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Notions: Examples

Problem

Authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion?

We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model:
   Attack venues: what the adversary can and cannot do.
   Leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m', σ') of a message and its signature

such that the following probability is large:

$$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,].$$


Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs it did not choose.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs; in the adaptive version each choice may depend on the signatures already received. Strongest attack.


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]. Given a signature scheme Σ = (K, Sign, Vf), the experiment is:

1. (kv, ks) ←$ K(·); the adversary receives kv.

2. The adversary repeatedly queries a signing oracle that holds ks: on query m it receives σ ← Sign(ks, m) (m → σ, m → σ, ...).

3. The adversary outputs a pair (m', σ').

$$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) \;=\; \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,],$$

where "new" means that m' was never submitted to the signing oracle.

(Existential unforgeability under chosen-message attacks.)


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → R (R its range) is analyzed as if it were a perfectly random function:

Each new query receives a uniformly random answer in R.

The same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a concrete cryptographic hash function (SHA-1, RIPEMD-160, etc.; today SHA-1 is no longer an acceptable choice for signatures, but the point is that some fixed public function stands in for H).

Examples of use

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89].

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94].

Somewhat controversial: not really a proof, only a heuristic [Canetti et al. 98/04]: there exist (contrived) schemes that are secure in the random oracle model but insecure for every instantiation of the oracle by an actual hash function.


An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows, where H: {0,1}* → X is a hash function onto the whole domain X (hence "full-domain"):

K: Key generation returns (f, f^{-1}), where
   Public key: f: X → X, a trapdoor one-way permutation on X.
   Private key: f^{-1}.

S: Signature of m returns σ ← f^{-1}(H(m)).

V: Verification of (m, σ) returns true iff f(σ) = H(m).


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \;\le\; (q_h + q_s + 1)\cdot \mathrm{Adv}^{\text{ow}}_{f}(B),$$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s)·T_f.

[Bellare-Rogaway 1993, 1996]
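The derivation below is an added worked example, not part of the original slides: it plugs this theorem into the tightness-gap definition of the "Measuring the Quality of the Reduction" slide to see what the factor q_h + q_s + 1 costs in key size. The query counts q_h = 2^60 and q_s = 2^30 are assumed figures (hashing is offline, signing requires the honest signer), and so is the assumption t ≥ (q_h + q_s)·T_f, i.e. that A spends at least one evaluation of f per oracle query.

From the theorem, $\varepsilon' = \mathrm{Adv}^{\text{ow}}_f(B) \ge \varepsilon/(q_h+q_s+1)$ and $t' = t + (q_h+q_s)\,T_f$, so

$$\text{gap} \;=\; \frac{t'/\varepsilon'}{t/\varepsilon} \;=\; \frac{t'}{t}\cdot\frac{\varepsilon}{\varepsilon'} \;\le\; \Bigl(1+\frac{(q_h+q_s)\,T_f}{t}\Bigr)(q_h+q_s+1) \;\le\; 2\,(q_h+q_s+1).$$

With the assumed counts,

$$\text{gap} \;\le\; 2\,(2^{60}+2^{30}+1) \;=\; 2^{61}+2^{31}+2 \;<\; 2^{62}.$$

If every algorithm B inverting f has work factor $t'/\varepsilon' \ge W_f$, then every FDH forger A satisfies

$$\frac{t}{\varepsilon} \;=\; \frac{t'/\varepsilon'}{\text{gap}} \;\ge\; \frac{W_f}{2^{62}},$$

so about 62 bits of the hardness of f do not carry over to the signature scheme: to guarantee $t/\varepsilon \ge 2^{80}$ for every forger, f must be instantiated at a key size for which $W_f \ge 2^{142}$. This is the "bound on minimal key sizes" that the Exact Security slide refers to, and it is why a reduction whose loss grows with q_h is called non-tight.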

Proof (reduction):


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games (or experiments).

2. All games are in the same probability space.

3. The rules by which the adversary's view is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ):

Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

"A outputs a pair (m, σ), with m never submitted to the signing oracle, for which Vf returns true".

Clearly,
$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \;=\; \Pr[\,S_0\,].$$


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return $r$. Otherwise reply using
Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$. Reply using
Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$: $r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "$\mathrm{Vf}$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$$

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If $c \neq c'$ then abort.

Success verification is within the game $\Rightarrow$ the adversary must query his output message $m$.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

43/77


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \bot, r)$ to H-List.

Since the position of $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77



Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since the position of $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.

45/77



Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery for $y$ gives a preimage for $y$.

$$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where $B = G_5$ runs in time $t + (q_S + q_H)\, T_f$.

46/77



Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
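The simulator $B$ of games $G_2$ through $G_5$, written out as code so the bookkeeping in the proof (the guessed position $c$, the programmed random oracle, signing by lookup, and preimage extraction from the forgery) can be run and checked. This is an added example and not code from the slides or from [Pointcheval 2005]; it assumes a toy RSA permutation with hardcoded known primes $2^{31}-1$ and $2^{32}-5$ (far too small for real use), and it stands in for "any forger A" with an artificially strong adversary that is handed the trapdoor so that a forgery is always available. The names `ReductionB`, `trapdoor_forger`, `invert_with_forger` and `count_good_guesses` are this example's own.

```python
import random

# Toy RSA one-way permutation f(x) = x^E mod N over Z_N. P and Q are hardcoded known primes
# (2^31 - 1 and 2^32 - 5); constructed parameters, far too small for real use.
P, Q, E = 2147483647, 4294967291, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor, used only by the (artificially strong) forger below


def f(x):
    return pow(x, E, N)


class ReductionB:
    """The simulator B of game G5: inverts y = f(x) given access to an EUF-CMA forger A.

    B programs the random oracle H (rule H(4)): every answer except the c-th fresh query is
    r = f(s) for a random s, so B can sign those messages by lookup (rule S(5)) without f^{-1};
    the c-th fresh query is answered with the challenge y itself.
    """

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.hlist = {}      # H-List: query -> (s, r), with s = None standing for the symbol ⊥
        self.fresh = 0       # number of fresh (non-repeated) hash queries so far

    def H(self, q):
        if q in self.hlist:
            return self.hlist[q][1]
        self.fresh += 1
        if self.fresh == self.c:                 # plant the challenge at the guessed position
            s, r = None, self.y
        else:
            s = self.rng.randrange(1, N)         # s random in X = Z_N, r = f(s)
            r = f(s)
        self.hlist[q] = (s, r)
        return r

    def Sign(self, m):
        self.H(m)                                # a signing query also consumes a hash query
        s, _ = self.hlist[m]
        if s is None:
            raise RuntimeError("bad guess: A asked a signature on the planted message")
        return s                                 # valid because f(s) = H(m)

    def extract(self, m, sigma):
        """Verification oracle Vf: a valid forgery on the planted message is a preimage of y."""
        r = self.H(m)                            # the '+1' query, in case A never hashed m itself
        if f(sigma) == r and r == self.y:
            return sigma
        return None


def trapdoor_forger(H, Sign):
    """Stand-in for 'any adversary A', used only to exercise B: it cheats with the trapdoor D.

    It makes q_H = 4 fresh hash queries and q_S = 2 signing queries, then forges on m3, a message
    it never asked to be signed (as EUF-CMA requires).
    """
    msgs = [b"m0", b"m1", b"m2", b"m3"]
    for m in msgs:
        H(m)
    for m in msgs[:2]:
        Sign(m)
    target = msgs[3]
    return target, pow(H(target), D, N)          # sigma = f^{-1}(H(m3)) via the trapdoor


def invert_with_forger(y, forger, budget, seed=0):
    """Run B for each guess c in 1..budget (budget = q_H + q_S + 1); return (x, c) on success."""
    for c in range(1, budget + 1):
        B = ReductionB(y, c, random.Random(seed))
        try:
            m, sigma = forger(B.H, B.Sign)
        except RuntimeError:
            continue                             # this guess aborted, as G2 allows
        x = B.extract(m, sigma)
        if x is not None:
            return x, c
    return None, None


def count_good_guesses(y, forger, budget, seed=0):
    """How many of the budget guesses for c succeed: exactly one, hence the 1/(q_H + q_S + 1) loss."""
    wins = 0
    for c in range(1, budget + 1):
        B = ReductionB(y, c, random.Random(seed))
        try:
            m, sigma = forger(B.H, B.Sign)
        except RuntimeError:
            continue
        wins += B.extract(m, sigma) is not None
    return wins


if __name__ == "__main__":
    x_true = 123456789
    y = f(x_true)
    x, c = invert_with_forger(y, trapdoor_forger, budget=4 + 2 + 1)
    print("recovered preimage:", x == x_true, "with guess c =", c)
```

Running it against the forger above, exactly one of the $q_H + q_S + 1 = 7$ guesses for $c$ yields the preimage of $y$ (the guess that lands on the forger's first hash query of $m_3$); the guesses that land on a message the forger later asks to be signed abort, as game $G_2$ permits. That single good guess out of $q_H + q_S + 1$ is the loss factor in the conclusion above, and the simulator never touches $f^{-1}$: it only evaluates $f$ once per fresh hash query.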


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77



Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B), \qquad \text{B runs in time } t' = t + (q_h + q_s) \cdot T_f$$

The result now says:

Interpreting the Result: if one can break the scheme in time $t$, then one can invert $f$ within time

$$t' \le (q_h + q_s + 1)\,\bigl(t + (q_h + q_s) \cdot T_f\bigr) \le 2^{130} + 2^{110} \cdot T_f$$

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110} \cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:

1024 bits $\rightarrow$ $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits $\rightarrow$ $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

(here $e$ denotes the base of the natural logarithm, not the RSA exponent) where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits $\rightarrow$ $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security). Informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the challenger and the adversary runs as follows:

Challenger: $b \xleftarrow{\$} \{0, 1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the adversary.

Adversary (CCA1 phase): sends decryption queries $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\bot$; then outputs $m_0, m_1$.

Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$; sends $c^*$ to the adversary.

Adversary (CCA2 phase): sends decryption queries $c \neq c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\bot$; finally outputs $b'$.

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\right]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary A must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\left[m \xleftarrow{\$} M,\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\right]$$

55/77


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
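The IND-CCA game of the previous slides and the two negative claims on this one, as an added example that is not part of the slides: a challenger implementing the game (random $b$, a decryption oracle that refuses only $c^*$), textbook RSA with hardcoded known primes $2^{31}-1$ and $2^{32}-5$, and textbook ElGamal in $\mathbb{Z}_p^*$ with $p = 2^{31}-1$ and generator $g = 7$ (a primitive root modulo $p$). All parameters are toy-sized constructions, and the function names are this example's own. The RSA adversary needs no decryption query at all, so it already wins the weaker IND-CPA game; the ElGamal adversary wins only by using the oracle on a related ciphertext, which is exactly the multiplicativity the slide refers to.

```python
import random

# Textbook RSA with hardcoded known primes (2^31 - 1 and 2^32 - 5): constructed toy parameters.
P, Q, E = 2147483647, 4294967291, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_keygen(rng):
    return (N, E), D


def rsa_enc(ke, m, rng):
    n, e = ke
    return pow(m, e, n)              # deterministic: no randomness enters the ciphertext


def rsa_dec(kd, c):
    return pow(c, kd, N)


# Textbook ElGamal in Z_p^* with p = 2^31 - 1 and g = 7, a primitive root mod p (toy group).
PR, GEN = 2147483647, 7


def eg_keygen(rng):
    x = rng.randrange(1, PR - 1)
    return (PR, GEN, pow(GEN, x, PR)), x


def eg_enc(ke, m, rng):
    p, g, h = ke
    r = rng.randrange(1, p - 1)
    return (pow(g, r, p), m * pow(h, r, p) % p)


def eg_dec(x, c):
    c1, c2 = c
    return c2 * pow(c1, -x, PR) % PR   # negative exponent = modular inverse (Python 3.8+)


def ind_cca2_game(keygen, enc, dec, choose, guess, rng):
    """Challenger of the IND-CCA2 game from the slides: b random, the decryption oracle answers
    every query except the challenge c*, and the adversary wins when b' = b."""
    ke, kd = keygen(rng)
    b = rng.randrange(2)
    challenge = []                     # filled once c* exists

    def dec_oracle(c):
        if challenge and c == challenge[0]:
            return None                # ⊥ for the challenge ciphertext itself
        return dec(kd, c)

    m0, m1 = choose(ke, dec_oracle)    # CCA1 phase: oracle available before the challenge
    challenge.append(enc(ke, (m0, m1)[b], rng))
    b_prime = guess(ke, challenge[0], dec_oracle)   # CCA2 phase: oracle still available
    return b_prime == b


# Against textbook RSA no decryption query is needed (so this is already a CPA attack):
# re-encrypt m0 and compare, which works precisely because encryption is deterministic.
def rsa_choose(ke, dec_oracle):
    return 2, 3


def rsa_guess(ke, c_star, dec_oracle):
    return 0 if rsa_enc(ke, 2, None) == c_star else 1


# Against textbook ElGamal one decryption query on a related ciphertext suffices:
# (c1, 2*c2) is a valid encryption of 2*m_b and differs from c*, so the oracle must answer it.
def eg_choose(ke, dec_oracle):
    return 2, 3


def eg_guess(ke, c_star, dec_oracle):
    p = ke[0]
    c1, c2 = c_star
    twice_mb = dec_oracle((c1, 2 * c2 % p))
    return 0 if twice_mb * pow(2, -1, p) % p == 2 else 1


def win_rate(keygen, enc, dec, choose, guess, trials=200, seed=1):
    """Fraction of games won; 1/2 is guessing, 1.0 means the scheme is trivially distinguishable."""
    rng = random.Random(seed)
    return sum(ind_cca2_game(keygen, enc, dec, choose, guess, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("textbook RSA, IND-CPA-style distinguisher:",
          win_rate(rsa_keygen, rsa_enc, rsa_dec, rsa_choose, rsa_guess))
    print("textbook ElGamal, CCA2 malleability adversary:",
          win_rate(eg_keygen, eg_enc, eg_dec, eg_choose, eg_guess))
```

Both adversaries win every game, i.e. $\Pr[b' = b] = 1$ in the slides' advantage measure, whereas a scheme meeting the notion would hold any efficient adversary near $1/2$. The game harness is the part worth reusing: plugging an IND-CCA-secure scheme into `ind_cca2_game` with these same adversaries is the quickest way to see that the decryption oracle's single exclusion ($c \neq c^*$) is what makes malleability fatal.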


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77



f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$$

$$H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
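The f-OAEP construction worked through in code, as an added example that is not from the slides or from [Bellare-Rogaway 1994]. The slide's figure defining $x$ and $y$ did not survive extraction, so the standard definition is assumed: $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$. $G$ and $H$ are instantiated (an assumption of this example) by truncated SHA-256, $f$ is a toy RSA permutation with hardcoded known primes $2^{31}-1$ and $2^{32}-5$, and the lengths $n = 56$, $k_0 = 16$, $k_1 = 24$ bits are chosen so that $x \| y$ always lies below $N$. The point to watch is the decryption side: it rejects both an inverted value outside the $n$-bit domain and any padding whose $k_1$ redundancy bytes are not zero, which is what turns the weak (OW-CPA) permutation into a scheme where tampering with a ciphertext yields $\bot$ instead of a related plaintext.

```python
import hashlib
import os

# Toy RSA trapdoor permutation f(x) = x^E mod N with hardcoded known primes (2^31 - 1, 2^32 - 5):
# constructed parameters, far too small for real use; N has 63 bits.
P, Q, E = 2147483647, 4294967291, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP lengths in bytes: n = 7 (56 bits, so every x||y is below N), k0 = 2, k1 = 3,
# leaving n - k0 - k1 = 2 bytes of message.
NB, K0, K1 = 7, 2, 3
MLEN = NB - K0 - K1


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), instantiated here (an assumption) by truncated SHA-256."""
    return hashlib.sha256(b"G" + r).digest()[:NB - K0]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0, likewise instantiated by truncated SHA-256."""
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """The two Feistel-like rounds of OAEP: x = (m || 0^k1) XOR G(r), y = r XOR H(x)."""
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x, y


def oaep_unpad(x, y):
    """Invert OAEP and check the redundancy; returns None (⊥) if the k1 zero bytes are not there."""
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MLEN], padded[MLEN:]
    return m if redundancy == bytes(K1) else None


def encrypt(m, r=None):
    """E(m, r): c = f(x || y); r is a fresh random k0-byte string unless given explicitly."""
    assert len(m) == MLEN
    r = os.urandom(K0) if r is None else r
    x, y = oaep_pad(m, r)
    return pow(int.from_bytes(x + y, "big"), E, N)


def decrypt(c):
    """D(c): x || y = f^{-1}(c), then invert OAEP; anything outside the n-bit domain is rejected."""
    xy = pow(c, D, N)
    if xy >= 1 << (8 * NB):
        return None                    # f^{-1}(c) is not a valid n-bit OAEP block
    b = xy.to_bytes(NB, "big")
    return oaep_unpad(b[:NB - K0], b[NB - K0:])


if __name__ == "__main__":
    c1, c2 = encrypt(b"ok"), encrypt(b"ok")
    print("same message, different ciphertexts:", c1 != c2)
    print("decrypts:", decrypt(c1), decrypt(c2))
    print("tampered ciphertext rejected:", decrypt((c1 + 1) % N) is None)
```

Two encryptions of the same message differ because a fresh $r$ enters through $G$, so the determinism that sinks plain RSA on the earlier slide is gone, and a modified ciphertext decrypts to $\bot$ with probability about $1 - 2^{-k_1}$ rather than to a related plaintext. In a deployment the comparison of the redundancy bytes and the domain check should run in constant time and report a single failure reason, since distinguishable rejection paths are exactly what a chosen-ciphertext adversary measures.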


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more

61/77
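The key-size arithmetic of the RSA-OAEP and RSA-OAEP++ slides, carried out as an added example (not code from the slides or from the cited papers). It takes the reduction bounds, the adversary budget (t = 2^75, 2^55 oracle queries) and the NFS cost estimates exactly as quoted above, and derives the "no"/"ok" verdicts and the minimal secure modulus the exact-security approach asks for.

```python
from math import ceil, log2
from typing import Callable, Optional

# Added example, not from the slides. Adversary budget and NFS estimates as quoted there.
T_ADV = 2 ** 75                                                # running time t of the adversary
Q_ORACLE = 2 ** 55                                             # qH, qG, qE query bound
NFS_COST = {1024: 2 ** 80, 2048: 2 ** 111, 4096: 2 ** 149}     # cost of inverting RSA by NFS, per modulus size


def rsa_oaep_inverter_time(k: int) -> int:
    """t' <= 2^76 + 6 * 2^110 * k^2: the slides' instantiation of t' = 2t + qH(2qG + qH)k^2."""
    return 2 ** 76 + 6 * 2 ** 110 * k * k


def rsa_oaep_pp_inverter_time(k: int, t: int = T_ADV, q_e: int = Q_ORACLE) -> int:
    """t' <= t + qE * k^2: the OAEP++ (ideal cipher) reduction."""
    return t + q_e * k * k


def log2_ceiling(x: int) -> int:
    """The exponent the slides print: the smallest b with x <= 2^b."""
    return ceil(log2(x))


def reduction_implies_security(k: int, inverter_time: Callable[[int], int]) -> bool:
    """Security result: if t' < tau (the NFS cost), the inverter B would beat NFS, which we
    assume impossible, so no such adversary A exists. If t' >= tau the reduction says nothing."""
    return inverter_time(k) < NFS_COST[k]


def minimum_secure_modulus(inverter_time: Callable[[int], int]) -> Optional[int]:
    """Smallest modulus size (among those tabulated) for which the reduction gives security."""
    for k in sorted(NFS_COST):
        if reduction_implies_security(k, inverter_time):
            return k
    return None


def time_loss_log2(k: int, inverter_time: Callable[[int], int]) -> int:
    """log2(t'/t): the time component of the tightness gap (the probability loss is ignored here)."""
    return log2_ceiling(inverter_time(k)) - log2_ceiling(T_ADV)


if __name__ == "__main__":
    for name, bound in (("RSA-OAEP", rsa_oaep_inverter_time), ("RSA-OAEP++", rsa_oaep_pp_inverter_time)):
        for k in sorted(NFS_COST):
            verdict = "ok" if reduction_implies_security(k, bound) else "no"
            print(f"{name:11s} {k} bits -> t' <= 2^{log2_ceiling(bound(k))}, "
                  f"NFS takes 2^{log2_ceiling(NFS_COST[k])}: {verdict}")
        print(f"{name}: secure from {minimum_secure_modulus(bound)} bits, "
              f"time loss 2^{time_loss_log2(4096, bound)} at 4096 bits")
```

The 2^62 time loss of the OAEP reduction at 4096 bits, against 2^5 for OAEP++, is what "not tight" versus "essentially linear" means in practice.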

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with "model, attack, remodel"? Crypto as physics [Nguyen 12, Degabriele et al. 11].

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS, ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References

Exact Security

Given: an adversary A which in time t breaks the scheme with probability ε

⇒ Build: an algorithm against P that runs in time t′ = T(t, ε) and works with probability ε′

Assumption: Solving P requires N operations (say, time τ)

Reduction: the exact cost T as a function of t, ε and other parameters (e.g. the key sizes)

Security result: There is no adversary (for the scheme) within time t such that t′ = T(t, ε) ≤ τ

Why useful?

From T(t) ≤ τ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′/ε′) / (t/ε) = (t′·ε) / (t·ε′).

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think about and define:

1. The security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed

2. The attack model: Attack venues, what the adversary can and cannot do; Leaked information, what the adversary can learn from honest users (often modeled by oracles)

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m′, σ′) of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

(kv, ks) ←$ K(·)

The Adversary receives kv; the Signing Oracle receives ks and answers each query m with σ ← Sign(ks, m). After polynomially many queries (m → σ, ...), the Adversary outputs (m′, σ′).

Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for a new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77
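The EUF-CMA experiment as a runnable harness, added here as an example (not code from the slides or from [Goldwasser, Micali, Rivest 1988]). The scheme it is run against is a constructed, deliberately broken one (the "signature" is an unkeyed SHA-256 of the message), chosen so that both outcomes of the experiment can be shown offline: a replayed oracle answer never counts because m′ must be new, while a fresh pair that verifies does count.

```python
import hashlib
from typing import Callable, Set, Tuple

# Added example, not from the slides. Types for the game's participants.
Signature = bytes
SignOracle = Callable[[bytes], Signature]
# An adversary gets kv and a signing oracle and returns a candidate forgery (m', sigma').
Adversary = Callable[[bytes, SignOracle], Tuple[bytes, Signature]]


class UnkeyedHashScheme:
    """Constructed, deliberately insecure scheme: the signature is SHA-256(m), so the
    signing key plays no role and anyone can produce a pair that Vf accepts."""

    def keygen(self) -> Tuple[bytes, bytes]:
        kv, ks = b"constructed-verification-key", b"constructed-signing-key"
        return kv, ks

    def sign(self, ks: bytes, m: bytes) -> Signature:
        return hashlib.sha256(m).digest()          # ks is ignored: this is the flaw

    def verify(self, kv: bytes, m: bytes, sigma: Signature) -> bool:
        return sigma == hashlib.sha256(m).digest()


def euf_cma_experiment(scheme, adversary: Adversary) -> int:
    """Exp^{euf-cma}_Sigma(A): 1 iff A outputs a valid pair on a message it never queried."""
    kv, ks = scheme.keygen()                       # (kv, ks) <-$ K(.)
    queried: Set[bytes] = set()

    def signing_oracle(m: bytes) -> Signature:     # sigma <- Sign(ks, m), with bookkeeping
        queried.add(m)
        return scheme.sign(ks, m)

    m_prime, sigma_prime = adversary(kv, signing_oracle)
    if m_prime in queried:
        return 0                                   # not a new m': replays never count
    return 1 if scheme.verify(kv, m_prime, sigma_prime) else 0


def replay_adversary(kv: bytes, sign_oracle: SignOracle) -> Tuple[bytes, Signature]:
    """Queries the oracle and returns its answer unchanged; loses against any scheme."""
    m = b"transfer 10 to account A"
    return m, sign_oracle(m)


def hash_forger(kv: bytes, sign_oracle: SignOracle) -> Tuple[bytes, Signature]:
    """Wins against UnkeyedHashScheme with no oracle call at all (a no-message attack)."""
    m_prime = b"transfer 10 to account B"
    return m_prime, hashlib.sha256(m_prime).digest()


def advantage(scheme, adversary: Adversary, trials: int = 50) -> float:
    """Empirical Adv^{euf-cma}_Sigma(A) = Pr[experiment outputs 1], estimated over repeated runs."""
    return sum(euf_cma_experiment(scheme, adversary) for _ in range(trials)) / trials


if __name__ == "__main__":
    scheme = UnkeyedHashScheme()
    print("replay adversary:", advantage(scheme, replay_adversary))   # 0.0
    print("hash forger:     ", advantage(scheme, hash_forger))        # 1.0
```

The harness is scheme-agnostic: plugging in a real signature scheme with the same keygen/sign/verify interface leaves the freshness bookkeeping and the win condition unchanged.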

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77



Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:
- Each new query receives a random answer in Rec(H).
- The same query asked twice receives the same answer twice.
But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:
1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:
K: Key generation returns (f, f⁻¹), where
   Public key: f: X → X, a trapdoor one-way permutation onto X
   Private key: f⁻¹
S: Signature of m returns σ ← f⁻¹(H(m))
V: Verification of (m, σ) returns true if f(σ) = H(m)

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)
Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

  Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where
- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
- T_f is the time to compute f (in the forward direction),
- B runs in time t′ = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction).

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:
1. Define a sequence G0, G1, ..., G5 of games (experiments).
2. All games are in the same probability space.
3. The rules by which the view of the game is computed differ from game to game.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^{euf-cma}_{FDH}(A) = Pr[S0].

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
   Create an initially empty list called H-List.
   If (q, r) ∈ H-List, return r.
   Otherwise reply using
   Rule H(1): r ←$ X and add record (q, r) to H-List.

Signing oracle S(m):
   r ← H(m). Reply using
   Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ):
   r ← H(m). Return true if r = f(σ).
   The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where
   c ←$ {1, ..., q_H + q_S + 1}.
   Let c′ = index of the first query in which message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.
   If c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

   Pr[S2] = Pr[S1 ∧ GoodGuess]
          = Pr[S1 | GoodGuess] × Pr[GoodGuess]
          ≥ Pr[S1] × 1/(q_H + q_S + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.
Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): If this is the c-th query, set r ← y. Otherwise choose r at random. Add record (q, ⊥, r) to H-List.

Since position y is chosen uniformly at random, Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
   If this is the c-th query, set r ← y and s ← ⊥.
   Otherwise choose random s ←$ X and compute r ← f(s).
   Add record (q, s, r) to H-List.

Since position y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f⁻¹.

Rule S(5): Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4].

Moreover:
- the simulation can be done computing (q_S + q_H) evaluations of f;
- a signature forgery for y gives a preimage for y.

   Pr[S5] = Adv^{ow}_f(B), where B = G5 runs in time t + (q_S + q_H) T_f.

46/77
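The FDH scheme from slide 38/77 and the simulator of games G1 to G5, written out as an added worked example in Python; this is not code from the slides or from Bellare and Rogaway. It assumes a constructed toy RSA modulus as the trapdoor permutation f, a hash-with-counter construction for the full-domain hash H, and the names fdh_sign, fdh_verify, FDHSimulator, reduction_B and demo_forger, which are this example's own.

```python
import hashlib
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed toy RSA instance standing in for the trapdoor one-way permutation
# f of the FDH slides: f(x) = x^e mod n, f^-1(y) = y^d mod n. Two 30-bit primes
# keep the example instant; parameters this small give no real security.
P, Q, E = 1_000_000_007, 998_244_353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x: int) -> int:
    """Public direction of the permutation (one evaluation costs T_f)."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Trapdoor direction; only the legitimate signer holds d."""
    return pow(y, D, N)


def full_domain_hash(m: bytes) -> int:
    """H : {0,1}* -> Z_N. Hash-with-counter, rejection-sampled so the outputs
    cover the whole domain of f uniformly, which is what 'full-domain' means."""
    ctr = 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + m).digest()
        candidate = int.from_bytes(digest[:8], "big")
        if candidate < N:
            return candidate
        ctr += 1


# The scheme itself: S and V from the FDH slide (K is the fixed key above).
def fdh_sign(m: bytes) -> int:
    return f_inv(full_domain_hash(m))


def fdh_verify(m: bytes, sigma: int) -> bool:
    return f(sigma) == full_domain_hash(m)


class Abort(Exception):
    """The reduction gives up: the guess c was wrong (games G2 and G5)."""


class FDHSimulator:
    """Game G5: answers hash and signing queries with only the public f and the
    challenge y, and turns a forgery on the c-th hashed message into f^-1(y)."""

    def __init__(self, y: int, q_h: int, q_s: int, c: Optional[int] = None):
        self.y = y
        self.bound = q_h + q_s + 1
        # G2: guess the index of the hash query that carries the forged message.
        self.c = c if c is not None else 1 + secrets.randbelow(self.bound)
        self.queries = 0
        self.h_list: Dict[bytes, Tuple[Optional[int], int]] = {}  # q -> (s, r)

    def hash(self, q: bytes) -> int:
        """Rule H(4): repeat old answers; embed y at query c; else r = f(s)."""
        if q in self.h_list:
            return self.h_list[q][1]
        self.queries += 1
        if self.queries > self.bound:
            raise Abort("query budget q_h + q_s + 1 exceeded")
        if self.queries == self.c:
            s, r = None, self.y          # preimage of y unknown: s = bottom
        else:
            s = secrets.randbelow(N)
            r = f(s)                     # one forward evaluation of f
        self.h_list[q] = (s, r)
        return r

    def sign(self, m: bytes) -> int:
        """Rule S(5): the stored preimage is the signature; no f^-1 needed."""
        self.hash(m)                     # signing consults the hash oracle first
        s, _ = self.h_list[m]
        if s is None:
            raise Abort("signature requested on the guessed message")
        return s

    def extract(self, m: bytes, sigma: int) -> Optional[int]:
        """Vf plus the last step of G5: a valid forgery on the c-th hashed
        message satisfies f(sigma) = y, so sigma is the wanted preimage."""
        r = self.hash(m)
        if f(sigma) != r or self.h_list[m][0] is not None:
            return None                  # invalid, or forgery on the wrong message
        return sigma


def reduction_B(forger: Callable[[FDHSimulator], Tuple[bytes, int]],
                y: int, q_h: int, q_s: int, c: Optional[int] = None) -> Optional[int]:
    """Adversary B against one-wayness: run A on the simulated oracles and
    return f^-1(y) when A's forgery lands on the guessed query, else None."""
    sim = FDHSimulator(y, q_h, q_s, c)
    try:
        m_star, sigma_star = forger(sim)
        return sim.extract(m_star, sigma_star)
    except Abort:
        return None


def demo_forger(sim: FDHSimulator) -> Tuple[bytes, int]:
    """Constructed stand-in for A: it cheats with the trapdoor (which a real
    forger lacks) purely so the extraction path can be exercised deterministically."""
    sim.hash(b"target")                  # hash query 1
    sim.sign(b"other")                   # a signing query that B can answer
    return b"target", f_inv(sim.hash(b"target"))
```

With the default random c, reduction_B recovers the preimage only when the guess lands on the forged message, exactly the 1/(q_H + q_S + 1) factor of game G2.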



Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

   Adv^{ow}_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
                 ≥ 1/(q_H + q_S + 1) × Pr[S1]
                 ≥ 1/(q_H + q_S + 1) × Pr[S0]
                 = 1/(q_H + q_S + 1) × Adv^{euf-cma}_{FDH}(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

  Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where
- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
- T_f is the time to compute f (in the forward direction),
- B runs in time t′ = t + (q_h + q_s) · T_f.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are
- at most 2^75 operations (t),
- at most 2^55 hash queries (q_h), and
- at most 2^30 signing queries (q_s).

  Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)
  B runs in time t′ = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result
If one can break the scheme within time t, then one can invert f within time
  t′ ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time
  t′ ≤ 2^130 + 2^110 · T_f.
Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:
- 1024 bits → t′ ≤ 2^140, but NFS takes 2^80
- 2048 bits → t′ ≤ 2^143, but NFS takes 2^111
- 4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \;\le\; q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B),$$
where e ≈ 2.718 is the base of the natural logarithm (not the RSA exponent), and B runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. The loss now depends on $q_s$ (2^30) instead of $q_h$ (2^55). Inverting f can then be done in time
$$t' \;\le\; 2^{30}\cdot t + 2^{85}\cdot T_f$$
(the figures below correspond to $T_f = k^2$, the cost of an RSA exponentiation with small e, as on the OAEP slides that follow), and

- 1024 bits → t' ≤ 2^105, but NFS takes 2^80: no
- 2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok
- 4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e., encryption).

The goal cannot be too strong: perfect secrecy is not possible for public-key encryption, since the ciphertext together with the public key (information-theoretically) determines the plaintext; an unbounded adversary can simply encrypt every candidate message and compare.

Goal: Indistinguishability (Semantic Security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this is free, since he holds the encryption key).
- Chosen-Ciphertext Attack (CCA, or CCA2 when adaptive): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext, called the challenge.

CCA2 is the strongest of these attacks.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary A is:

1. The challenger draws $b \xleftarrow{\$} \{0,1\}$ and $(k_e, k_d) \xleftarrow{\$} K(\cdot)$, and hands $k_e$ to A.
2. A may query the decryption oracle: on $c$ it returns $m \leftarrow D_{k_d}(c)$ (or ⊥ if c is invalid).
3. A outputs two messages $m_0, m_1$ (of the same length); the challenger returns $c^* \leftarrow E_{k_e}(m_b)$.
4. CCA1: no further decryption queries. CCA2: A may keep querying the oracle on any $c \ne c^*$, again receiving $m \leftarrow D_{k_d}(c)$ or ⊥.
5. A outputs a guess $b'$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) \;=\; \Pr\bigl[\,(m_0, m_1) \leftarrow A^{D}(k_e);\; c^* \leftarrow E_{k_e}(m_b);\; b' \leftarrow A^{D}(c^*) \;:\; b' = b\,\bigr]$$

(Indistinguishability against chosen-ciphertext attacks.) A random guess already succeeds with probability 1/2, so the scheme is secure if no feasible A does noticeably better than that.

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let m be a random message chosen from the message space M.
- From the ciphertext $c = E_{k_e}(m)$ (and the public key $k_e$), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as
$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) \;=\; \Pr\bigl[\, m \xleftarrow{\$} M;\; c \leftarrow E_{k_e}(m) \;:\; A(k_e, c) = m \,\bigr].$$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA ⇔ the RSA problem (computing modular e-th roots).
- It is neither IND-CPA nor IND-CCA, since it is deterministic: the adversary re-encrypts $m_0$ and $m_1$ under the public key and compares with $c^*$.

Discrete-log-based: ElGamal [ElGamal 85]
- OW-CPA ⇔ CDH (Computational Diffie-Hellman).
- IND-CPA ⇔ DDH (Decisional Diffie-Hellman).
- It is not IND-CCA because of multiplicativity: from the challenge $c^* = (c_1, c_2)$ encrypting $m_b$, the pair $(c_1, g\cdot c_2) \ne c^*$ is a valid encryption of $g\cdot m_b$, which the CCA2 decryption oracle must answer.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
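The two attacks named above, played against the IND games of the previous slides, as an added example (not code from the slides or from the cited papers). Parameters are toy ones constructed for illustration: the classic n = 61·53 RSA key and ElGamal in the order-q subgroup of Z_p^* for the safe prime p = 1019. The challenger class is my rendering of the IND-CCA2 game: it answers every decryption query except the challenge, and that single exclusion is what the ElGamal adversary routes around.

```python
# Added example (not from the slides): textbook RSA fails IND-CPA because it is
# deterministic; ElGamal fails IND-CCA2 because it is multiplicative. Toy
# parameters, constructed for illustration; neither scheme here is real crypto.
import secrets

# ---- Textbook RSA with the classic small-number key (n = 61 * 53) ----
RSA_N, RSA_E, RSA_D = 3233, 17, 2753


def rsa_enc(m: int) -> int:
    return pow(m, RSA_E, RSA_N)


def rsa_ind_cpa_adversary(m0: int, m1: int, c_star: int) -> int:
    """Deterministic encryption: re-encrypt both candidates (free with the
    public key) and see which one matches the challenge."""
    return 0 if rsa_enc(m0) == c_star else 1


def rsa_ind_cpa_game(m0: int, m1: int) -> bool:
    """One run of the IND-CPA game; True if the adversary guesses b."""
    b = secrets.randbelow(2)
    c_star = rsa_enc((m0, m1)[b])
    return rsa_ind_cpa_adversary(m0, m1, c_star) == b


# ---- ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 = 1019 (toy safe prime) ----
P = 1019
Q = (P - 1) // 2
G = pow(2, 2, P)  # a square mod p, hence of prime order q


def eg_keygen():
    x = 1 + secrets.randbelow(Q - 1)  # private exponent in [1, q-1]
    return x, pow(G, x, P)           # (x, y = g^x)


def eg_enc(y: int, m: int):
    r = 1 + secrets.randbelow(Q - 1)
    return pow(G, r, P), (m * pow(y, r, P)) % P  # (g^r, m * y^r)


def eg_dec(x: int, c) -> int:
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P  # c2 / c1^x, inverse via Fermat


class IndCca2Challenger:
    """The challenger of the IND-CCA game: holds k_d and answers decryption
    queries for every ciphertext except the challenge c*."""

    def __init__(self):
        self.x, self.y = eg_keygen()
        self.b = secrets.randbelow(2)
        self.c_star = None

    def challenge(self, m0: int, m1: int):
        self.c_star = eg_enc(self.y, (m0, m1)[self.b])
        return self.c_star

    def decrypt_oracle(self, c):
        if c == self.c_star:
            return None  # the single forbidden query
        return eg_dec(self.x, c)


def eg_ind_cca2_adversary(chal: IndCca2Challenger, m0: int, m1: int) -> int:
    """Multiplicativity: (c1, g*c2) != c* is a valid encryption of g*m_b, so the
    oracle must answer it; divide out g and compare with m0."""
    c1, c2 = chal.challenge(m0, m1)
    m_times_g = chal.decrypt_oracle((c1, (c2 * G) % P))
    m_b = (m_times_g * pow(G, P - 2, P)) % P  # multiply by g^-1
    return 0 if m_b == m0 else 1


def eg_ind_cca2_game(m0: int, m1: int) -> bool:
    """One run of the IND-CCA2 game; True if the adversary guesses b."""
    chal = IndCca2Challenger()
    return eg_ind_cca2_adversary(chal, m0, m1) == chal.b


if __name__ == "__main__":
    print("RSA IND-CPA adversary wins every run:",
          all(rsa_ind_cpa_game(100, 200) for _ in range(50)))
    print("ElGamal IND-CCA2 adversary wins every run:",
          all(eg_ind_cca2_game(4, 9) for _ in range(50)))
```

Both adversaries win with probability 1 rather than 1/2, which is the whole content of "not IND-CPA" and "not IND-CCA". Note that the ElGamal attack makes exactly one oracle query and never touches $c^*$ itself; an IND-CCA2-secure scheme must make such related ciphertexts useless, which is what the redundancy in OAEP is for.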

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme (encrypt by applying f, decrypt with the trapdoor).
- OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Via generic conversions from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation on n-bit strings and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with two hash functions (modelled as random oracles)
$$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}, \qquad H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}.$$

- E(m, r): for an $(n - k_0 - k_1)$-bit message m and a fresh random $r \in \{0,1\}^{k_0}$, compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.
- D(c): compute $x \,\|\, y = f^{-1}(c)$, invert the OAEP layer ($r = y \oplus H(x)$, $m \,\|\, z = x \oplus G(r)$), then check the redundancy: accept m only if $z = 0^{k_1}$, otherwise return ⊥.
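The construction above, written out as an added example (it is not code from the slides or from Bellare and Rogaway): f is textbook RSA over a toy modulus built from the Mersenne primes $2^{89}-1$ and $2^{61}-1$ (trivially factorable, chosen only so the key is fixed and needs no prime generation), G and H are SHAKE256 with distinct domain labels as random-oracle stand-ins, and $k_0 = k_1 = 32$. The names `oaep_pad`, `oaep_unpad`, `encrypt`, `decrypt` are mine. This is the bare BR94 layout, not PKCS#1 v2 RSA-OAEP, which adds a label hash and byte-level framing.

```python
# Added example (not from the slides): f-OAEP with f = textbook RSA, a k0-bit random
# r, k1 zero bits of redundancy, and G, H instantiated with SHAKE256 as random-oracle
# stand-ins. Toy modulus from two Mersenne primes: the point is the padding layer.
import hashlib
import secrets

# Trapdoor permutation f(v) = v^e mod N (assumption: N = (2^89 - 1)(2^61 - 1), toy only)
P, Q = (1 << 89) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse; needs Python 3.8+

# OAEP parameters: n > k0 + k1, and x||y must stay below N, so n = |N| - 1.
N_BITS = N.bit_length() - 1      # 149
K0, K1 = 32, 32
MSG_BITS = N_BITS - K0 - K1      # 85-bit messages


def _ro(label: bytes, value: int, in_bits: int, out_bits: int) -> int:
    """Random-oracle stand-in: SHAKE256 over a domain label and the fixed-width input."""
    data = label + value.to_bytes((in_bits + 7) // 8, "big")
    digest = hashlib.shake_256(data).digest((out_bits + 7) // 8)
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)


def G(r: int) -> int:
    """G: {0,1}^k0 -> {0,1}^(n-k0)."""
    return _ro(b"OAEP-G", r, K0, N_BITS - K0)


def H(x: int) -> int:
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return _ro(b"OAEP-H", x, N_BITS - K0, K0)


def oaep_pad(m: int, r: int) -> int:
    """x = (m || 0^k1) xor G(r), y = r xor H(x); return the n-bit string x || y."""
    if not (0 <= m < (1 << MSG_BITS) and 0 <= r < (1 << K0)):
        raise ValueError("message or randomness out of range")
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return (x << K0) | y


def oaep_unpad(v: int):
    """Invert the pad; return m, or None (bottom) if the k1 redundancy bits are not zero."""
    y = v & ((1 << K0) - 1)
    x = v >> K0
    r = y ^ H(x)
    s = x ^ G(r)                    # s = m || z, expect z = 0^k1
    if s & ((1 << K1) - 1):
        return None
    return s >> K1


def encrypt(m: int, r: int = None) -> int:
    """E(m, r) = f(OAEP(m, r)); r is drawn fresh unless supplied (for reproducible tests)."""
    if r is None:
        r = secrets.randbits(K0)
    return pow(oaep_pad(m, r), E, N)


def decrypt(c: int):
    """D(c): invert f, reject values outside {0,1}^n, then invert OAEP and check redundancy."""
    v = pow(c, D, N)
    if v >> N_BITS:
        return None
    return oaep_unpad(v)


def demo():
    """Round trip, rejection of a one-bit ciphertext change, and fresh randomness."""
    m = 0x123456789ABCDEF0123   # 73-bit constructed message, within the 85-bit budget
    c = encrypt(m, r=0xDEADBEEF)
    return decrypt(c) == m, decrypt(c ^ 1) is None, decrypt(encrypt(m)) == m


if __name__ == "__main__":
    print(demo())
```

The flipped-bit case is what separates this from the ElGamal situation: a modified ciphertext inverts to an unrelated $x \,\|\, y$, the recovered r is fresh, and the $k_1$ redundancy bits come out nonzero except with probability $2^{-k_1}$, so the decryption oracle answers ⊥ instead of a related plaintext.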

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is
$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \;\le\; 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)},$$
where B runs in time $t' = 2\cdot t + q_H\,(2\cdot q_G + q_H)\cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small. The square root is the price of passing from partial-domain to full one-wayness of RSA: the loss in advantage gets squared.

Inverting f can then be done in time
$$t' \;\le\; 2^{76} + 6\cdot 2^{110}\cdot k^2 \;\le\; 2^{113}\cdot k^2,$$
and

- 1024 bits → t' ≤ 2^133, but NFS takes 2^80: no
- 2048 bits → t' ≤ 2^135, but NFS takes 2^111: no
- 4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits; the reduction is not tight.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations, one per key, to which all parties (including the adversary) have oracle access.

Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved but essentially linear (no square root).

As before, suppose the feasible bounds for any adversary attacking f = RSA are

- at most 2^75 operations (t), and
- at most 2^55 hash queries ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time
$$t' \;\le\; t + q_E\cdot k^2 \;\le\; 2^{75} + 2^{55}\cdot k^2,$$
and

- 1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok (though with only a 2^4 margin)
- 2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok
- 4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
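The four key-size verdicts in this part (FDH with the Bellare-Rogaway bound, FDH with Coron's bound, RSA-OAEP, RSA-OAEP++) come out of the same arithmetic, so here it is once, as an added example rather than anything from the slides: each reduction's running-time bound is encoded in log2, evaluated against the attacker budget the slides fix ($t = 2^{75}$, $2^{55}$ hash and ideal-cipher queries, $2^{30}$ signing queries), and compared with the NFS cost figures quoted on the slides. The function names and the `NFS_LOG2` table are mine; the numbers are the slides'. Coron's bound is kept with its factor e, which the slide's rounded figures drop; the verdict is the same.

```python
# Added example (not from the slides): recompute the key-size verdicts of the FDH,
# Coron-FDH, RSA-OAEP and RSA-OAEP++ reductions from their running-time bounds.
# Budgets and NFS cost estimates are the slides' figures; everything stays in log2.
import math

T = 75      # log2 t: attacker running time
QH = 55     # log2 of hash / ideal-cipher query counts (q_h, q_H, q_G, q_E)
QS = 30     # log2 q_s: signing queries

# log2 of the best known RSA inversion cost (NFS) per modulus size, as quoted on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def log2_sum(*exps: float) -> float:
    """log2(2^a + 2^b + ...) computed without building the huge integers."""
    top = max(exps)
    return top + math.log2(sum(2.0 ** (e - top) for e in exps))


def t_prime_log2(reduction: str, k: int) -> float:
    """log2 of the time t' to invert k-bit RSA that each reduction extracts from a
    time-t attacker with the query budget above."""
    tf_cubic = 3 * math.log2(k)   # T_f = k^3, as used on the first FDH slide
    tf_quad = 2 * math.log2(k)    # T_f = k^2, as used on the Coron and OAEP slides
    if reduction == "FDH-BR96":
        # t' <= (q_h + q_s + 1) * (t + (q_h + q_s) * T_f)
        return log2_sum(QH + T, QH + QH + tf_cubic)
    if reduction == "FDH-Coron00":
        # t' <= e * q_s * (t + (q_h + q_s + 1) * T_f), e = 2.718... ~ 2^1.44
        return math.log2(math.e) + log2_sum(QS + T, QS + QH + tf_quad)
    if reduction == "RSA-OAEP":
        # t' <= 2^76 + 6 * 2^110 * k^2, the figure quoted on the RSA-OAEP slide
        return log2_sum(T + 1, math.log2(6) + 2 * QH + tf_quad)
    if reduction == "RSA-OAEP++":
        # t' <= t + q_E * k^2
        return log2_sum(T, QH + tf_quad)
    raise ValueError(reduction)


def reduction_bites(reduction: str, k: int) -> bool:
    """The slides' 'ok' rule: the reduction only says something when t' is below the
    best known attack; otherwise the forger would merely yield a slow RSA inverter."""
    return t_prime_log2(reduction, k) < NFS_LOG2[k]


def min_secure_key(reduction: str):
    """Smallest candidate modulus size for which the reduction bites, else None."""
    for k in sorted(NFS_LOG2):
        if reduction_bites(reduction, k):
            return k
    return None


REDUCTIONS = ("FDH-BR96", "FDH-Coron00", "RSA-OAEP", "RSA-OAEP++")


def verdict_table() -> dict:
    """Reduction name -> minimum key size it vouches for under the budget."""
    return {r: min_secure_key(r) for r in REDUCTIONS}


if __name__ == "__main__":
    for r in REDUCTIONS:
        for k in sorted(NFS_LOG2):
            tp = t_prime_log2(r, k)
            print(f"{r:12s} {k:5d} bits: t' <= 2^{tp:6.1f}   NFS 2^{NFS_LOG2[k]:<3d} "
                  f"{'ok' if reduction_bites(r, k) else 'no'}")
    print(verdict_table())
```

Changing the budget is the practical use: raise `T` to 2^80 or the query counts to 2^60 and the verdicts move, which is the "exact security" point of this tutorial. The NFS figures are the 2013 slide values, not a current key-size recommendation.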

Revisiting the Assumptions

Classical assumptions:

- Integer factoring
- Discrete logarithm (in finite fields and in elliptic curves)
- Modular roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks (Shor's algorithm).

Alternatives: post-quantum cryptography, based on

- Error-correcting codes
- Hash-based schemes
- Systems of multivariate equations
- Lattices

Part V: Concluding Remarks

Limits and Benefits of Provable Security

- Provable security does not yield absolute proofs.
- Proofs are relative: to computational assumptions, and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model), whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we going around in circles (model, attack, remodel)? Crypto as physics [Nguyen 12, Degabriele et al. 11].

Limits and Benefits of Provable Security (cont.)

Still, provable security

- provides some form of guarantee that the scheme is not flawed (at least not in the ways the model captures);
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
- is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.


Exact Security

Given: an adversary $A$ which, in time $t$, breaks the scheme with probability $\varepsilon$

⇒ Build: an algorithm against $P$ that runs in time $t' = T(t, \varepsilon)$ and works with probability $\varepsilon'$

Assumption: Solving $P$ requires $N$ operations (say, time $\tau$).

Reduction: the exact cost $T$ as a function of $t$, $\varepsilon$ and other parameters (e.g., the key sizes).

Security result: There is no adversary (for the scheme) within time $t$ such that $t' = T(t, \varepsilon) \le \tau$.

Why useful?

From $T(t) \le \tau$ we can get bounds on the minimal key sizes under which the scheme is secure.

29/77

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary $A$ breaking the scheme remains in the algorithm breaking the problem $P$?

Tightness

A reduction is tight if $t' \approx t$ and $\varepsilon' \approx \varepsilon$. Otherwise, if $t' \gg t$ or $\varepsilon' \ll \varepsilon$, the reduction is not tight.

The tightness gap is $\dfrac{t'\,\varepsilon}{t\,\varepsilon'} = \dfrac{t'/\varepsilon'}{t/\varepsilon}$.

We want tight reductions, or at least reductions with a small tightness gap.

30/77


Part IV

Security Notions

31/77

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e., signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. Attack model:
   Attack venues: what the adversary can and cannot do.
   Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key $k_v$,

it outputs a pair $(m', \sigma')$ of a message and its signature

such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

33/77


Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.

34/77


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given a signature scheme $\Sigma = (\mathcal{K}, \mathrm{Sign}, \mathrm{Vf})$:

  $(k_v, k_s) \xleftarrow{\$} \mathcal{K}(\cdot)$

  $k_v \downarrow$                                  $k_s \downarrow$

  Adversary    ---- $m$ ---->    Signing Oracle
               <--- $\sigma$ ----    $\sigma \leftarrow \mathrm{Sign}(k_s, m)$
                    · · ·
  $\downarrow (m', \sigma')$

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m'\,]$

(Existential unforgeability under chosen-message attacks)

35/77


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

  Hash functions
  Block ciphers
  Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

  Hash function → Random oracle
  Block ciphers → Ideal cipher
  Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93].
The hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

  Each new query receives a random answer in $\mathrm{Rec}(H)$.
  The same query asked twice receives the same answer twice.

But in the actual scheme, $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

$\mathcal{K}$: Key Generation returns $(f, f^{-1})$ where
  Public key: $f : X \to X$, a trapdoor one-way permutation onto $X$.
  Private key: $f^{-1}$.

$\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$.

$\mathcal{V}$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.

38/77


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example, $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

  $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
  $T_f$ is the time to compute $f$ (in the forward direction);
  $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[\,S_0\,]$.

41/77


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Create an initially empty list called H-List.
  If $(q, r) \in$ H-List, return $r$.
  Otherwise, reply using
  Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$. Reply using
  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$:
  $r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[\,S_1\,] = \Pr[\,S_0\,]$.

42/77


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

  $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.
  Let $c'$ = the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.
  If $c \ne c'$ then abort.

Success verification is within the game ⇒ the adversary must query his output message $m'$.

$\Pr[\,S_2\,] = \Pr[\,S_1 \wedge \mathrm{GoodGuess}\,] = \Pr[\,S_1 \mid \mathrm{GoodGuess}\,] \times \Pr[\,\mathrm{GoodGuess}\,] \ge \Pr[\,S_1\,] \times \dfrac{1}{q_H + q_S + 1}$

43/77


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise, choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since $y$ is chosen uniformly at random, $\Pr[\,S_3\,] = \Pr[\,S_2\,]$.

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$.
  Otherwise, choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.
  Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[\,S_4\,] = \Pr[\,S_3\,]$.

45/77


Exact Security, FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known (H-List stores s with f(s) = r), so we can simulate the signing oracle without f^{-1}.

Rule S(5)

Look up (m, s, r) in H-List and set σ ← s.

The message of the c-th query is the one the forgery will be on, and EUF-CMA forbids asking it to the signing oracle, so the lookup never hits the entry with s = ⊥ and Pr[S5] = Pr[S4]. Moreover:
the simulation can be done with (qS + qH) evaluations of f (one per fresh hash query);
a signature forgery on the message whose hash is y gives a preimage of y under f;
so Pr[S5] = Adv^owf(B), where B = G5 runs in time t + (qS + qH)·Tf.


Exact Security, FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{owf}}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\;\ge\; \frac{1}{q_H + q_S + 1}\,\Pr[S_1]
\;\ge\; \frac{1}{q_H + q_S + 1}\,\Pr[S_0]
\;=\; \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
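Games G3 to G5 describe what the reduction B actually runs. The Python below is added here as an illustration and is not code from the slides: it implements that simulation against a toy RSA permutation built on constructed (insecure) ~30-bit primes. B programs the c-th fresh hash query to the challenge y, answers every other hash query as f(s) for a known s, signs by table lookup, and extracts a preimage from the forgery. Because no real forger is available, a "magic forger" holding the trapdoor d stands in for A; it exists only to exercise B. Running B for every possible guess c shows that exactly one of the q_H + q_S + 1 guesses succeeds, which is the 1/(q_H + q_S + 1) loss in the bound.

```python
"""FDH reduction B (games G3-G5) against a toy RSA permutation. Added example, not from the slides."""
import random
import secrets

# Constructed toy parameters: two ~30-bit primes, far too small for real use.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # trapdoor; the reduction B never touches it


def f(x: int) -> int:                   # the one-way permutation, forward direction (cost T_f)
    return pow(x, E, N)


def f_inv(x: int) -> int:               # only the "magic forger" below uses the trapdoor
    return pow(x, D, N)


class ReductionB:
    """Simulates the random oracle H and the signing oracle without f^{-1}.

    h_list maps a message to (s, r) with r = H(m) and, except for the programmed
    c-th query, f(s) = r (rule H(4)); signing is a lookup of s (rule S(5)).
    """

    def __init__(self, y: int, c: int):
        self.y, self.c = y, c            # challenge y; guess c of the index of the forgery's hash query
        self.h_list = {}
        self.fresh_queries = 0
        self.aborted = False

    def H(self, m: bytes) -> int:
        if m in self.h_list:             # repeated queries are answered consistently
            return self.h_list[m][1]
        self.fresh_queries += 1
        if self.fresh_queries == self.c:
            s, r = None, self.y          # rule H(4): program the c-th fresh query to y, preimage unknown
        else:
            s = secrets.randbelow(N - 1) + 1
            r = f(s)                     # uniform because f is a permutation and s is uniform
        self.h_list[m] = (s, r)
        return r

    def sign(self, m: bytes):
        self.H(m)                        # a signing query hashes m first, so m is in H-List
        s, _ = self.h_list[m]
        if s is None:                    # guess c was wrong: A asked to sign the programmed message
            self.aborted = True
            return None
        return s                         # valid, since f(s) = H(m) by construction

    def extract(self, m_star: bytes, sigma: int):
        """A forgery on the message whose hash was programmed to y is a preimage of y."""
        if self.aborted or m_star not in self.h_list or self.h_list[m_star][0] is not None:
            return None
        return sigma if f(sigma) == self.y else None


def magic_forger(H, sign, q_h: int, q_s: int, rng: random.Random):
    """Stands in for an EUF-CMA forger A (it cheats with the trapdoor D so that a forgery exists).

    Makes q_h hash queries, asks signatures for q_s of those messages, and forges on another
    hashed message; the +1 in the bound covers a forger that never hashed m* before forging.
    """
    msgs = [f"msg-{i}".encode() for i in range(q_h)]
    for m in msgs:
        H(m)
    for m in msgs[:q_s]:
        sign(m)
    m_star = rng.choice(msgs[q_s:])      # a message that was not signed
    return m_star, f_inv(H(m_star))      # sigma with f(sigma) = H(m*)


def run_reduction(c: int, q_h: int = 4, q_s: int = 2, seed: int = 0) -> bool:
    """One run of B with guess c against the forger; True iff B outputs a preimage of y."""
    x = secrets.randbelow(N - 1) + 1
    y = f(x)                             # the OW challenge is f of a uniform point
    b = ReductionB(y, c)
    m_star, sigma = magic_forger(b.H, b.sign, q_h, q_s, random.Random(seed))
    assert f(sigma) == b.H(m_star)       # the forgery verifies under the simulated H
    x_found = b.extract(m_star, sigma)
    return x_found is not None and f(x_found) == y


def success_count(q_h: int = 4, q_s: int = 2, seed: int = 0):
    """(wins, guesses): B wins for exactly one of the q_h + q_s + 1 possible guesses c."""
    guesses = q_h + q_s + 1
    wins = sum(run_reduction(c, q_h, q_s, seed) for c in range(1, guesses + 1))
    return wins, guesses


if __name__ == "__main__":
    print(success_count())               # the 1/(q_H + q_S + 1) loss, made visible
```

Guesses c ≤ q_s hit a message the forger later asks to sign, so B aborts; guesses beyond the number of fresh hash queries are never programmed; only the guess that lands on m* yields f^{-1}(y). Coron's improved reduction (later in these slides) avoids guessing a single index and instead programs a random subset of the queries.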

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$
where
A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
T_f is the time to compute f (in the forward direction);
B runs in time t' = t + (q_h + q_s)·T_f.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are:
at most 2^{75} operations (t),
at most 2^{55} hash queries (q_h), and
at most 2^{30} signing queries (q_s).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B), \qquad B \text{ runs in time } t' = t + (q_h + q_s)\cdot T_f$$

The result now says:

Interpreting the Result
If one can break the scheme in time t, then one can invert f within time
$$t' \le (q_h + q_s + 1)\,\bigl(t + (q_h + q_s)\cdot T_f\bigr) \le 2^{130} + 2^{110}\cdot T_f .$$

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time
$$t' \le 2^{130} + 2^{110}\cdot T_f .$$
Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known algorithm, the Number Field Sieve (NFS)) for f = RSA. The reduction only tells us something when t' is below the cost of the best known attack on f; otherwise "break FDH, then invert RSA in time t'" is slower than factoring directly:
1024 bits → t' ≤ 2^{140}, but NFS takes 2^{80}: no guarantee.
2048 bits → t' ≤ 2^{143}, but NFS takes 2^{111}: no guarantee.
4096 bits → t' ≤ 2^{146}, and NFS takes 2^{149}: ok.
⇒ With this reduction, RSA-FDH is provably secure only for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$
(here e is Euler's constant, not the RSA exponent), where B runs in time t' = t + (q_h + q_s + 1)·T_f if A runs in time t and makes q_h, q_s queries. The loss now depends only on the number of signing queries, not on q_h.
Inverting f can then be done in time t' ≤ 2^{30}·t + 2^{85}·T_f; with T_f ≈ k^2 and rounding to powers of two:
1024 bits → t' ≤ 2^{105}, but NFS takes 2^{80}: no guarantee.
2048 bits → t' ≤ 2^{107}, and NFS takes 2^{111}: ok.
4096 bits → t' ≤ 2^{109}, and NFS takes 2^{149}: ok.
⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption).

The goal cannot be too strong.
Perfect secrecy is not possible for public-key encryption: the ciphertext, together with the public key, information-theoretically reveals the plaintext (an unbounded adversary can encrypt every candidate message and compare).

Goal: Indistinguishability (Semantic Security). Informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart the encryptions of two different messages of the same length, even if it chose the two messages itself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of its choice (in the public-key setting it can encrypt by itself, since it holds the encryption key).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of its choice except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between Challenger and Adversary is:

Challenger: b ←$ {0,1}; (k_e, k_d) ←$ K(·); sends k_e to the Adversary.
Adversary → Challenger: decryption queries c; Challenger answers m ← D_{k_d}(c) (or ⊥ if c is invalid).
Adversary → Challenger: two messages m_0, m_1 of the same length.
Challenger → Adversary: the challenge c* ← E_{k_e}(m_b).
Adversary → Challenger: further decryption queries c ≠ c*, answered m ← D_{k_d}(c) (or ⊥).
   CCA1: decryption queries are allowed only before the challenge.
   CCA2: decryption queries are also allowed after the challenge (any c ≠ c*).
Adversary outputs a guess b'.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e);\; c^* \leftarrow E_{k_e}(m_b);\; b' \leftarrow A^{D}(c^*) : b' = b\big]$$
(the usual normalization is 2·Pr[b' = b] − 1, so that an adversary that guesses has advantage 0.)

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
Let m be a random message chosen from the message space M.
From the ciphertext c = E_{k_e}(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with non-negligible probability.

Accordingly, we measure the advantage of A as
$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[m \xleftarrow{\$} M;\; c \leftarrow E_{k_e}(m) : A(k_e, c) = m\big]$$

Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA ⇔ RSA problem (modular e-th roots). It is not IND-CPA, nor IND-CCA, since it is deterministic: the adversary re-encrypts m_0 under the public key and compares with the challenge.

Discrete-log based: ElGamal [ElGamal 85]
OW-CPA ⇔ CDH (Computational Diffie-Hellman); IND-CPA ⇔ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity: from an encryption of m anyone can build an encryption of a·m, which differs from the challenge and so the decryption oracle will decrypt it.

Obs: CDH and DDH are no harder than DLog (a DLog solver gives a CDH solver, which gives a DDH solver), so the DDH assumption is the strongest of the three and the DLog assumption the weakest.
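The two "not IND" claims above can be checked mechanically. The Python below is an added example, not code from the slides: it implements the IND game of the previous slides as a harness whose decryption oracle refuses the challenge (and, for CCA1, any query after it), then runs a chosen-plaintext adversary against a toy textbook RSA and a chosen-ciphertext adversary against a toy ElGamal over the Mersenne prime 2^61 − 1 with base 3. Both parameter sets are constructed for illustration and are cryptographically worthless; the attacks work at any size because they exploit determinism and malleability, not the small numbers.

```python
"""IND-CPA/CCA1/CCA2 game harness and the two textbook failures (deterministic RSA, malleable
ElGamal). Added example, not from the slides; all parameters are constructed toys."""
import secrets


class INDGame:
    """Challenger for a scheme with keygen() -> (ke, kd), enc(ke, m), dec(kd, c)."""

    def __init__(self, scheme, mode: str = "cca2"):
        self.scheme, self.mode = scheme, mode
        self.ke, self.kd = scheme.keygen()
        self.b = secrets.randbelow(2)
        self.c_star = None

    def dec_oracle(self, c):
        if self.mode == "cpa":
            return None                                  # no decryption oracle at all
        if self.c_star is not None and (self.mode == "cca1" or c == self.c_star):
            return None                                  # CCA1: nothing after c*; CCA2: anything but c*
        return self.scheme.dec(self.kd, c)

    def challenge(self, m0, m1):
        assert self.c_star is None, "one challenge per game"
        self.c_star = self.scheme.enc(self.ke, m1 if self.b else m0)
        return self.c_star


def play(scheme, adversary, mode: str = "cca2") -> bool:
    """True iff the adversary's guess b' equals the hidden bit b."""
    g = INDGame(scheme, mode)
    return adversary(scheme, g.ke, g.dec_oracle, g.challenge) == g.b


def win_rate(scheme, adversary, mode: str = "cca2", trials: int = 64) -> float:
    return sum(play(scheme, adversary, mode) for _ in range(trials)) / trials


class TextbookRSA:
    """c = m^e mod n on constructed ~30-bit primes; deterministic, hence never IND-CPA."""
    P, Q, E = 1000000007, 998244353, 65537

    def keygen(self):
        n = self.P * self.Q
        return (n, self.E), (n, pow(self.E, -1, (self.P - 1) * (self.Q - 1)))

    def enc(self, ke, m):
        n, e = ke
        return pow(m, e, n)

    def dec(self, kd, c):
        n, d = kd
        return pow(c, d, n)


class ElGamal:
    """(g^r, m * h^r) in Z_p^* for the toy prime p = 2^61 - 1 and g = 3 (constructed parameters)."""
    P, G = (1 << 61) - 1, 3

    def keygen(self):
        x = secrets.randbelow(self.P - 2) + 1
        return pow(self.G, x, self.P), x

    def enc(self, h, m):
        r = secrets.randbelow(self.P - 2) + 1
        return pow(self.G, r, self.P), (m * pow(h, r, self.P)) % self.P

    def dec(self, x, c):
        c1, c2 = c
        return (c2 * pow(c1, self.P - 1 - x, self.P)) % self.P   # c1^{-x} via Fermat


def cpa_adversary_vs_deterministic(scheme, ke, dec, challenge):
    """Needs no oracle: re-encrypt m0 with the public key and compare with c*."""
    m0, m1 = 2, 3
    c_star = challenge(m0, m1)
    return 0 if c_star == scheme.enc(ke, m0) else 1


def cca2_adversary_vs_elgamal(scheme, ke, dec, challenge):
    """Malleability: (c1, 2*c2) encrypts 2*m_b and differs from c*, so the oracle answers it."""
    m0, m1 = 2, 3
    c1, c2 = challenge(m0, m1)
    assert dec((c1, c2)) is None                   # the oracle refuses the challenge itself
    two_m = dec((c1, (2 * c2) % scheme.P))
    if two_m is None:                              # CPA/CCA1 game: no post-challenge oracle, just guess
        return secrets.randbelow(2)
    return 0 if (two_m * pow(2, -1, scheme.P)) % scheme.P == m0 else 1


def roundtrip(scheme, m) -> bool:
    ke, kd = scheme.keygen()
    return scheme.dec(kd, scheme.enc(ke, m)) == m


if __name__ == "__main__":
    print("textbook RSA vs CPA adversary :", win_rate(TextbookRSA(), cpa_adversary_vs_deterministic, "cpa"))
    print("ElGamal vs CCA2 adversary     :", win_rate(ElGamal(), cca2_adversary_vs_elgamal, "cca2"))
    print("ElGamal vs same adversary, CCA1:", win_rate(ElGamal(), cca2_adversary_vs_elgamal, "cca1"))
```

The RSA adversary wins every game, even without a decryption oracle, which is what "not IND-CPA since deterministic" means. The ElGamal adversary wins every CCA2 game but is reduced to guessing (about one half) in the CCA1 game, where the oracle is closed after the challenge: ElGamal's failure is specifically against adaptive chosen-ciphertext attacks, consistent with it being IND-CPA under DDH.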

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
Any trapdoor one-way function may yield an OW-CPA encryption scheme.
OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k_0, k_1 integers such that n > k_0 + k_1, with hash functions (modeled as random oracles)
G: {0,1}^{k_0} → {0,1}^{n−k_0}
H: {0,1}^{n−k_0} → {0,1}^{k_0}

E(m, r): for a message m ∈ {0,1}^{n−k_0−k_1} and fresh random r ∈ {0,1}^{k_0}, compute
x ← (m ‖ 0^{k_1}) ⊕ G(r),  y ← r ⊕ H(x),
then return c = f(x ‖ y).

D(c): compute x ‖ y = f^{−1}(c), invert OAEP (r ← y ⊕ H(x), then m ‖ z ← x ⊕ G(r)), then check the redundancy z = 0^{k_1} and reject the ciphertext otherwise.
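The padding and the redundancy check above, as an added Python example (not the paper's or the slides' code). G and H are instantiated from SHA-256 in counter mode with distinct labels, so they act as two independent fixed-length hash functions; f is a toy RSA permutation on constructed ~30-bit primes, so n is taken as 56 bits to stay below the modulus, with k_0 = k_1 = 24 and an 8-bit message. Sizes are assumed to be byte multiples for simplicity. The example shows that encryption is randomized, that decryption recovers m, and that a single flipped ciphertext bit is rejected by the k_1-bit redundancy check instead of yielding a wrong plaintext.

```python
"""f-OAEP with G, H from SHA-256 and a toy RSA permutation. Added example, not from the slides."""
import hashlib
import secrets


def mgf(seed: bytes, out_len: int, label: bytes) -> bytes:
    """SHA-256 in counter mode (MGF1-style); the label keeps G and H independent."""
    out = b""
    for i in range((out_len + 31) // 32):
        out += hashlib.sha256(label + seed + i.to_bytes(4, "big")).digest()
    return out[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class OAEP:
    """Sizes n, k0, k1 in bits with n > k0 + k1; assumed to be multiples of 8 here."""

    def __init__(self, n: int, k0: int, k1: int):
        assert n > k0 + k1 and n % 8 == k0 % 8 == k1 % 8 == 0
        self.n, self.k0, self.k1 = n // 8, k0 // 8, k1 // 8

    def G(self, r: bytes) -> bytes:          # {0,1}^{k0} -> {0,1}^{n-k0}
        return mgf(r, self.n - self.k0, b"G")

    def H(self, x: bytes) -> bytes:          # {0,1}^{n-k0} -> {0,1}^{k0}
        return mgf(x, self.k0, b"H")

    def pad(self, m: bytes) -> bytes:
        assert len(m) == self.n - self.k0 - self.k1
        r = secrets.token_bytes(self.k0)               # fresh randomness: encryption is randomized
        x = xor(m + bytes(self.k1), self.G(r))         # x = (m || 0^{k1}) xor G(r)
        y = xor(r, self.H(x))                          # y = r xor H(x)
        return x + y

    def unpad(self, xy: bytes):
        x, y = xy[:self.n - self.k0], xy[self.n - self.k0:]
        r = xor(y, self.H(x))
        mz = xor(x, self.G(r))
        m, z = mz[:len(mz) - self.k1], mz[len(mz) - self.k1:]
        return m if z == bytes(self.k1) else None      # redundancy check: reject unless 0^{k1} is back


# Toy trapdoor permutation f(x) = x^e mod N on constructed ~30-bit primes (not secure).
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
oaep = OAEP(n=56, k0=24, k1=24)        # 2^56 < N, so every padded block is a valid input to f


def encrypt(m: bytes) -> int:
    return pow(int.from_bytes(oaep.pad(m), "big"), E, N)


def decrypt(c: int):
    v = pow(c, D, N)
    if v >> (8 * oaep.n):                              # f^{-1}(c) outside {0,1}^n: reject
        return None
    return oaep.unpad(v.to_bytes(oaep.n, "big"))


def roundtrip_ok(m: bytes) -> bool:
    return decrypt(encrypt(m)) == m


def is_randomized(m: bytes) -> bool:
    return encrypt(m) != encrypt(m)


def tamper_rejected(m: bytes) -> bool:
    """One flipped ciphertext bit rerandomizes all of x||y; 0^{k1} comes back with prob 2^-k1."""
    return decrypt(encrypt(m) ^ 1) is None


if __name__ == "__main__":
    msg = b"A"                                         # n - k0 - k1 = 8 bits of message
    print(roundtrip_ok(msg), is_randomized(msg), tamper_rejected(msg))
```

The decryption path deliberately returns the same ⊥ for both failure modes (value outside the domain of f, and redundancy mismatch); distinguishing them by timing or by error message is exactly the kind of leak that turned OAEP's redundancy check into a padding oracle in deployed RSA-OAEP implementations.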

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]; for RSA, partial-domain one-wayness is itself reducible to ordinary one-wayness. The result is
$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$
where B runs in time t' = 2·t + q_H·(2·q_G + q_H)·k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^{76} + 6·2^{110}·k^2 ≤ 2^{113}·k^2, and
1024 bits → t' ≤ 2^{133}, but NFS takes 2^{80}: no.
2048 bits → t' ≤ 2^{135}, but NFS takes 2^{111}: no.
4096 bits → t' ≤ 2^{137}, and NFS takes 2^{149}: ok.
⇒ RSA-OAEP is secure for keys of at least 4096 bits; the reduction is not tight (the square root in the bound is what costs).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher, analyzed in the ideal cipher model.

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations (one per key).

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound
The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved, but essentially linear.

As before, suppose the feasible bounds for any adversary attacking f = RSA are
at most 2^{75} operations (t),
at most 2^{55} hash (q_H, q_G) and ideal-cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E·k^2 ≤ 2^{75} + 2^{55}·k^2, and
1024 bits → t' ≤ 2^{76}, and NFS takes 2^{80}: ok.
2048 bits → t' ≤ 2^{78}, and NFS takes 2^{111}: ok.
4096 bits → t' ≤ 2^{80}, and NFS takes 2^{149}: ok.
⇒ RSA-OAEP++ is secure for keys of 1024 bits or more; the reduction is tight, so no security is lost to the proof.

                                                                            Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                            Revisiting the Assumptions

                                                                            Classical Assumptions

                                                                            Integer Factoring

                                                                            Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                            Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

                                                                            Concluding Remarks

                                                                            Part V

                                                                            Concluding Remarks

63/77

                                                                            Limits and Benefits of Provable Security

Provable security does not yield proofs

Proofs are relative to computational assumptions and to the definition of the scheme's goal

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11]

Definitions (models) need time for review and acceptance

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11]

64/77

                                                                            Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security)

is fun :-)

65/77

                                                                            Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes, David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography, Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security, Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

66/77

                                                                            Part VI

                                                                            References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t' ≈ t and ε' ≈ ε. Otherwise, if t' >> t or ε' << ε, the reduction is not tight.

The tightness gap is (t'ε)/(tε') = (t'/ε')/(t/ε).

We want tight reductions, or at least reductions with a small tightness gap.

30/77

                                                                              Security Notions

                                                                              Part IV

                                                                              Security Notions

31/77

Security Notions: Examples

Problem

Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= the opposite of the adversary's goal)

Property that needs to be guaranteed

2. Attack model

Attack venues: what the adversary can and cannot do. Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77

Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m', σ') of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m', σ') = 1 ]

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

34/77

                                                                              Security Notion for Signature Schemes EUF-CMA

[Goldwasser, Micali, Rivest 1988]
Given signature scheme Σ = (K, Sign, Vf):

                 (kv, ks) ←$ K(·)
          kv ↓                         ks ↓
       Adversary   ----- m ---->   Signing Oracle
                   <---- σ -----   σ ← Sign(ks, m)
                       · · ·
          ↓
       (m', σ')

Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m', σ') = 1 for new m' ]

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. Hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H)

The same query asked twice receives the same answer twice

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77

An Example of Exact Security

Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^-1) where

Public key: f: X → X, a trapdoor one-way permutation onto X. Private key: f^-1.

S: Signature of m returns σ ← f^-1(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction): by the sequence of games that follows.

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games (experiments) $G_0, G_1, \dots, G_5$.
2. All games are defined over the same probability space.
3. The games differ only in the rules by which the adversary's view is computed.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here. (As in EUF-CMA, the forgery only counts if $m$ was never submitted to the signing oracle.)

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$ for which $V_f$ returns true". Clearly

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0].$$

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: keep an initially empty list called H-List. If $(q, r) \in$ H-List, return $r$. Otherwise reply using

  Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List.

Signing oracle $\mathcal{S}(m)$: $r \leftarrow H(m)$; reply using

  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$V_f$ returns true in $G_1$". This is just lazy sampling of the random oracle, so the adversary's view is unchanged and clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

- $c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$;
- let $c'$ be the index of the first (fresh) query in which the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle;
- if $c \ne c'$ then abort.

Since verification is carried out inside the game, the output message $m'$ is always queried to the hash oracle, at the latest by $V_f$ itself; that final query is the "$+1$" in the range of $c$. Let GoodGuess be the event $c = c'$. Then

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

(in fact with equality: $c$ is drawn independently of $A$'s view, so $S_1$ and GoodGuess are independent).

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle. Let $y$ be the challenge for which we want to extract a preimage $x$ under $f$ (i.e. $y = f(x)$ for a uniformly random $x \in X$).

  Rule H(3): if this is the $c$-th (fresh) query, set $r \leftarrow y$; otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since $f$ is a permutation and $x$ is uniform, $y$ is uniformly distributed in $X$, exactly like the random answer it replaces, so $\Pr[S_3] = \Pr[S_2]$.

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries):

  Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$; otherwise choose $s \xleftarrow{\$} X$ at random and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $y$ is uniform, $f$ is a permutation and $s$ is uniform, $r = f(s)$ is again uniform in $X$, and $\Pr[S_4] = \Pr[S_3]$. The difference is that the simulator now knows a preimage $s$ of every hash value except the $c$-th one.

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known, so we can simulate the signing oracle without $f^{-1}$:

  Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The only message this rule cannot sign is the $c$-th one; but when the guess is good that message is $m'$, and a valid forgery on $m'$ requires that $m'$ was never submitted to the signing oracle. Hence $\Pr[S_5] = \Pr[S_4]$. Moreover:

- the simulation can be done with $(q_S + q_H)$ evaluations of $f$ (one per fresh hash entry) and no evaluation of $f^{-1}$;
- a signature forgery for $m'$, whose hash value is $y$, gives a preimage of $y$: $f(\sigma) = H(m') = y$.

Therefore $\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$, where $B$ is the algorithm that plays $G_5$ with $A$ and outputs $\sigma$; $B$ runs in time $t + (q_S + q_H)\, T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

which is the bound stated in the theorem.

Game-playing proofs: in general successive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
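As an added worked example (it is not code from the slides), the following Python puts the FDH scheme of slide 38 and the simulator of games $G_1$ to $G_5$ (slides 42 to 46) into runnable form. It instantiates $f$ with a toy RSA key built from two publicly known Mersenne primes, hashes onto the full domain $\mathbb{Z}_n$ by expanding SHA-256 with a counter and rejecting values $\ge n$, and implements $B$ exactly as Rule H(4) and Rule S(5) prescribe: every fresh hash query except the $c$-th is answered with $r = f(s)$ for a known $s$, the $c$-th with the challenge $y$, and signing is a table lookup, so $B$ never evaluates $f^{-1}$. Since no real forger is available, the demo adversary is a stand-in that is handed the trapdoor (which $B$ itself never sees) so that a successful attack can be observed; the key, the message strings and the query counts $q_h = 4$, $q_s = 1$ are constructed for the demonstration.

```python
# Added example, not from the slides: RSA-FDH (slide 38) and the simulator B of
# games G1..G5 (slides 42-46). Toy key from public Mersenne primes; messages constructed.
import hashlib
import secrets

P, Q = 2**61 - 1, 2**89 - 1      # toy key: both are well-known Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PK, SK = (E, N), (D, N)          # f(x) = x^E mod N is the trapdoor permutation on Z_N

def f(pk, x):        # forward direction, cost T_f; needs only the public key
    return pow(x, pk[0], pk[1])

def f_inv(sk, y):    # needs the trapdoor D
    return pow(y, sk[0], sk[1])

def full_domain_hash(m, n):
    """H: {0,1}* -> Z_n. Expand SHA-256 with a counter to |n| bits and reject
    candidates >= n, so outputs cover the whole domain of f near-uniformly."""
    nbits, nbytes, ctr = n.bit_length(), (n.bit_length() + 7) // 8, 0
    while True:
        stream = b"".join(hashlib.sha256(m + ctr.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
                          for i in range((nbytes + 31) // 32))
        r = int.from_bytes(stream[:nbytes], "big") >> (8 * nbytes - nbits)
        if r < n:
            return r
        ctr += 1

def fdh_sign(sk, m):
    return f_inv(sk, full_domain_hash(m, sk[1]))

def fdh_verify(pk, m, sigma):
    return f(pk, sigma) == full_domain_hash(m, pk[1])

class Abort(Exception):
    pass

def reduction_B(pk, y, adversary, q_h, q_s, guess=None):
    """Game G5: hash answers are r = f(s) for a known s (Rule H(4)) except the c-th
    fresh query, answered with the challenge y; signing is a lookup (Rule S(5)), so
    f^{-1} is never used. Returns x with f(x) = y iff the forgery hits the c-th query."""
    c = guess if guess is not None else secrets.randbelow(q_h + q_s + 1) + 1
    h_list, signed = {}, set()        # m -> (s, r); s is None for the c-th entry

    def H(m):
        if m not in h_list:
            s = None if len(h_list) + 1 == c else secrets.randbelow(pk[1])
            h_list[m] = (s, y if s is None else f(pk, s))
        return h_list[m][1]

    def S(m):
        H(m)
        if h_list[m][0] is None:
            raise Abort              # the target was asked for signing: bad guess
        signed.add(m)
        return h_list[m][0]

    try:
        m_star, sigma = adversary(pk, H, S)
    except Abort:
        return None
    r = H(m_star)                    # the "+1": verification itself queries H
    if m_star in signed or f(pk, sigma) != r:
        return None                  # not a valid EUF-CMA forgery
    return sigma if r == y else None # forgery on the c-th query is a preimage of y

def make_stand_in_forger(sk, q_h=4):
    """Plays a successful A. It is handed the trapdoor (B never sees it) so the
    reduction can be exercised: hashes q_h messages, gets one signature (q_s = 1)
    and forges on a different, never-signed message."""
    def forger(pk, H, S):
        msgs = [b"msg-%d" % i for i in range(q_h)]
        for m in msgs:
            H(m)
        S(msgs[0])
        return msgs[2], f_inv(sk, H(msgs[2]))
    return forger

def success_rate(trials=600):
    """Fraction of random challenges y that B inverts: about 1/(q_h + q_s + 1) = 1/6."""
    forger = make_stand_in_forger(SK)
    hits = 0
    for _ in range(trials):
        x = secrets.randbelow(N)
        hits += reduction_B(PK, f(PK, x), forger, q_h=4, q_s=1) == x
    return hits / trials
```

Running `success_rate()` shows the loss factor of the theorem empirically: $B$ inverts only when its guess $c$ picks the forger's target among the $q_h + q_s + 1$ possible positions, roughly one trial in six here. Forcing the guess with `reduction_B(PK, y, forger, 4, 1, guess=3)` returns the preimage every time, and `guess=1` makes the forger ask a signature on the guessed message, which is exactly the case Rule S(5) cannot handle and $B$ aborts.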

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose that any feasible adversary is bounded by

- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

Recall that $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$, where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

Interpreting the result: if one can break the scheme in time $t$ with advantage $\varepsilon$, then $B$ inverts $f$ with advantage at least $\varepsilon / (q_h + q_s + 1)$, so repeating $B$ about $(q_h + q_s + 1)$ times inverts $f$ with advantage comparable to $\varepsilon$. Abusing notation, the total time $t'$ of that inverter is

$$t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f.$$

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110} \cdot T_f.$$

Recall that $T_f = O(k^3)$ operations for $k = |n|$ (the figures below take $T_f \approx k^3$; with a small public exponent $e$ the forward direction is in fact closer to $k^2$, which would only make the bound on $t'$ smaller).

We compare it with known bounds on inverting RSA (namely factoring $n$ with the best known algorithm, the Number Field Sieve, NFS), for $f = $ RSA:

- 1024 bits: $t' \le 2^{140}$, but NFS takes $2^{80}$: no guarantee.
- 2048 bits: $t' \le 2^{143}$, but NFS takes $2^{111}$: no guarantee.
- 4096 bits: $t' \le 2^{146}$, but NFS takes $2^{149}$: ok.

Only in the last case would such an adversary yield an RSA inverter faster than NFS (contradicting the assumption that NFS is the best attack). Hence the reduction certifies RSA-FDH against adversaries of this size only for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where $e \approx 2.718$ is the base of the natural logarithm (not the RSA exponent), and $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. The loss now depends only on the number of signing queries, not on the number of hash queries. With the same budget as before, inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$ (dropping the constant $e$), and

- 1024 bits: $t' \le 2^{105}$, but NFS takes $2^{80}$: no guarantee.
- 2048 bits: $t' \le 2^{107}$, but NFS takes $2^{111}$: ok.
- 4096 bits: $t' \le 2^{109}$, but NFS takes $2^{149}$: ok.

So RSA-FDH is now certified for keys of at least 2048 bits. (These figures are order-of-magnitude: they drop $e$ and take $T_f \approx k^2$, e.g. $2^{85} \cdot 2^{20} \approx 2^{105}$ for $k = 1024$, whereas the previous slide used $T_f \approx k^3$; the estimate of $T_f$ matters precisely at the crossover.)

51/77
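The arithmetic of the last three slides is easy to get wrong by a few bits, so here it is as an added concrete-security calculator (not code from the slides). Both reductions are expressed as the $\log_2$ of the work of the implied inverter, Coron's with the constant $e$ kept rather than dropped, and a small search returns the smallest modulus in a cost table for which that inverter would beat NFS. The NFS figures are the ones quoted on the slides and the adversary budget used in the usage note is the slides' $(2^{75}, 2^{55}, 2^{30})$; the cost model for $T_f$ is passed in as a function of $k$, since the slides use $k^3$ for one reduction and roughly $k^2$ for the other.

```python
# Added example, not from the slides: slides 49-51 as a concrete-security calculator.
import math

NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}   # log2 of NFS cost, as quoted on the slides

def br_inverter_log2(t, q_h, q_s, t_f):
    """log2 of the inverter's work implied by the Bellare-Rogaway bound: amplify B's
    advantage by a factor (q_h+q_s+1), each run of B costing t + (q_h+q_s)*T_f."""
    return math.log2((q_h + q_s + 1) * (t + (q_h + q_s) * t_f))

def coron_inverter_log2(t, q_h, q_s, t_f):
    """Same for Coron's bound q_s * e * Adv, with B costing t + (q_h+q_s+1)*T_f.
    The constant e (Euler's number) is kept; the slides drop it."""
    return math.log2(q_s * math.e * (t + (q_h + q_s + 1) * t_f))

def smallest_certified_modulus(bound_log2, t, q_h, q_s, t_f_of_k, table=NFS_LOG2):
    """Smallest modulus size k in the table for which the implied inverter would beat
    NFS, i.e. for which the reduction rules out an adversary with budget (t, q_h, q_s).
    t_f_of_k is the cost model for one forward evaluation of f (e.g. k**3 or k**2)."""
    for k in sorted(table):
        if bound_log2(t, q_h, q_s, t_f_of_k(k)) < table[k]:
            return k
    return None            # no modulus in the table is certified for this budget
```

With `t, q_h, q_s = 2**75, 2**55, 2**30`, `smallest_certified_modulus(br_inverter_log2, t, q_h, q_s, lambda k: k**3)` returns 4096 and `smallest_certified_modulus(coron_inverter_log2, t, q_h, q_s, lambda k: k**2)` returns 2048, reproducing the two slides; changing the `T_f` model or the budget shows how sensitive the crossover is.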

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong. Perfect secrecy is not possible in this setting: the ciphertext (information-theoretically) reveals information about the plaintext. With a public encryption key, an unbounded adversary can simply encrypt every candidate plaintext and compare with the ciphertext.

Goal: indistinguishability (semantic security). Informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this is automatic, since he holds the encryption key).
- Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest standard attack model.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the challenger and the adversary $A$ runs as follows:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; $k_e$ is given to $A$.
2. $A$ may query the decryption oracle: $c \to m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\perp$) for ciphertexts $c$ of his choice.
3. $A$ sends $(m_0, m_1)$ of equal length; the challenger computes $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$ and returns $c^*$.
4. $A$ may again query the decryption oracle, on any $c \ne c^*$.
5. $A$ outputs $b'$.

CCA1 ("lunchtime" attacks): decryption queries are allowed only in step 2, before the challenge. CCA2 (adaptive): decryption queries are allowed in steps 2 and 4, with the single restriction $c \ne c^*$ after the challenge.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) :\ b' = b\right]$$

(indistinguishability against chosen-ciphertext attacks). Note that guessing $b'$ at random already gives $\Pr[b' = b] = 1/2$, so this probability is to be compared against $1/2$; the normalized form $2\Pr[b' = b] - 1$, which is $0$ for a random guess, is also common.

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^{ow-cpa}_{AS}(A) = Pr[ m ←$ M, c ← E_ke(m) : A(ke, c) = m ]


                                                                              Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).


                                                                              Achieving Stronger Goals

                                                                              We would like to obtain IND-CCA

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So, how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)

H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): Compute x, y, then return c = f(x||y)

D(c): Compute x||y = f^−1(c), invert OAEP, then check redundancy
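The IND-CCA game from the "Security Notion for (Asymmetric) Encryption" slide and the f-OAEP construction above, as an added example (not code from the slides or the cited papers): textbook RSA as the trapdoor permutation f, OAEP on top of it with G and H instantiated by SHA-256, and a re-encryption adversary that wins the game with certainty against the deterministic scheme but gains nothing against OAEP. The Mersenne-prime modulus, the parameters k0 = k1 = 16, the challenge messages and the masking formulas x = (m || 0^k1) ⊕ G(r), y = r ⊕ H(x) are assumptions (the standard Bellare-Rogaway ones; the slide only says "compute x, y").

```python
"""Added example, not from the slides: the IND-CCA2 game of the
'Security Notion for (Asymmetric) Encryption' slide, run against textbook RSA
(deterministic, hence not IND) and against f-OAEP over the same RSA permutation.
The x, y formulas are the standard Bellare-Rogaway ones the slide leaves
implicit. Key sizes are toys; nothing here is production code."""
import hashlib
import secrets

# Constructed toy trapdoor permutation f = RSA, built from two Mersenne primes
# (an assumption chosen only so that N can hold n = 91-bit strings x||y).
P, Q, E_EXP = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1))     # trapdoor
RSA_PK, RSA_SK = (N, E_EXP), (N, D_EXP)
n = N.bit_length() - 1    # every n-bit string is < N, so f is injective on {0,1}^n
k0, k1 = 16, 16           # OAEP parameters, n > k0 + k1
MSG_BITS = n - k0 - k1    # plaintext length of f-OAEP

def f(pk, x):             # RSA forward direction: x -> x^e mod N
    mod, e = pk
    return pow(x, e, mod)

def f_inv(sk, c):         # inverse, needs the trapdoor d
    mod, d = sk
    return pow(c, d, mod)

def G(r):                 # G: {0,1}^k0 -> {0,1}^(n-k0), SHA-256 as random oracle
    h = hashlib.sha256(b"G" + r.to_bytes(k0 // 8, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << (n - k0)) - 1)

def H(x):                 # H: {0,1}^(n-k0) -> {0,1}^k0
    h = hashlib.sha256(b"H" + x.to_bytes((n - k0 + 7) // 8, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << k0) - 1)

# Textbook RSA: OW-CPA under the RSA assumption, but deterministic.
rsa_enc, rsa_dec = f, f_inv

# f-OAEP [Bellare-Rogaway 94]: E(m, r) = f(x || y).
def oaep_enc(pk, m, r=None):
    assert 0 <= m < (1 << MSG_BITS)
    if r is None:
        r = secrets.randbits(k0)       # fresh randomness for every encryption
    x = (m << k1) ^ G(r)               # x = (m || 0^k1) xor G(r)
    y = r ^ H(x)                       # y = r xor H(x)
    return f(pk, (x << k0) | y)

def oaep_dec(sk, c):
    """D(c): x||y = f^-1(c), undo the masking, then check the k1 zero bits.
    Returns None (bottom) when c is not a well-formed ciphertext."""
    xy = f_inv(sk, c)
    if xy >= (1 << n):                 # not an n-bit string: reject
        return None
    x, y = xy >> k0, xy & ((1 << k0) - 1)
    r = y ^ H(x)
    padded = x ^ G(r)                  # equals m || 0^k1 for an honest ciphertext
    if padded & ((1 << k1) - 1) != 0:  # redundancy check failed
        return None
    return padded >> k1

M0, M1 = 0x1234567, 0x7654321          # constructed challenge messages

class ReencryptAdversary:
    """Re-encrypts m0 under ke and compares with c*: no decryption query needed,
    certain win against any deterministic scheme; against a randomized scheme
    the comparison (almost) never matches, so it is reduced to guessing."""
    def __init__(self, enc):
        self.enc = enc

    def choose(self, pk, dec_oracle):      # phase 1, oracle open (CCA1 queries)
        self.pk = pk
        return M0, M1

    def guess(self, c_star, dec_oracle):   # phase 2, oracle open for c != c*
        return 0 if self.enc(self.pk, M0) == c_star else 1

def ind_cca2_game(scheme, adv):
    """One run of the IND-CCA2 game; True iff the adversary's b' equals b."""
    enc, dec, pk, sk = scheme
    state = {"challenge": None}

    def dec_oracle(c):                     # decrypts any c except the challenge
        if c == state["challenge"]:
            raise ValueError("querying the challenge ciphertext is not allowed")
        return dec(sk, c)

    b = secrets.randbelow(2)
    m0, m1 = adv.choose(pk, dec_oracle)
    state["challenge"] = enc(pk, (m0, m1)[b])
    return adv.guess(state["challenge"], dec_oracle) == b

def win_rate(scheme, adv, trials=200):
    """Empirical Pr[b' = b]: 1.0 is a total break, 1/2 is no advantage."""
    return sum(ind_cca2_game(scheme, adv) for _ in range(trials)) / trials

TEXTBOOK_RSA = (rsa_enc, rsa_dec, RSA_PK, RSA_SK)
RSA_OAEP = (oaep_enc, oaep_dec, RSA_PK, RSA_SK)
```

win_rate(TEXTBOOK_RSA, ReencryptAdversary(rsa_enc)) returns 1.0, while the same adversary against RSA_OAEP stays around 0.5; the k1 zero bits make oaep_dec answer ⊥ for almost every ciphertext the adversary did not obtain honestly, which is the redundancy the CCA proof relies on.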


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · √(Adv^{rsa}_{n,e}(B))

where B runs in time t′ = 2·t + qH(2·qG + qH)·k² if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size, and e is small.

Solving (inverting) f can be done in time t′ ≤ 2^76 + 6·2^110·k² ≤ 2^113·k², and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no

2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no

4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight)


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider a block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t)

at most 2^55 hash (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE·k² ≤ 2^75 + 2^55·k², and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more


                                                                              Revisiting the Assumptions

                                                                              Classical Assumptions

                                                                              Integer Factoring

                                                                              Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                              Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

                                                                              Concluding Remarks

                                                                              Part V

                                                                              Concluding Remarks


                                                                              Limits and Benefits of Provable Security

Provable security does not yield proofs.

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


                                                                              Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

                                                                              Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!)

                                                                              Part VI

                                                                              References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Berlin, Heidelberg, New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


Measuring the Quality of the Reduction

How much is lost in the reduction? How much of the "power" of the adversary A breaking the scheme remains in the algorithm breaking the problem P?

Tightness

A reduction is tight if t′ ≈ t and ε′ ≈ ε. Otherwise, if t′ >> t or ε′ << ε, the reduction is not tight.

The tightness gap is (t′·ε)/(t·ε′) = (t′/ε′)/(t/ε).

We want tight reductions, or at least reductions with a small tightness gap.

                                                                                Security Notions

                                                                                Part IV

                                                                                Security Notions


                                                                                Security Notions Examples

                                                                                Problem

Authentication and non-repudiation (i.e., signatures)

How do we come up with a security notion?

We need to think and define:

1. Security goal of the scheme (= opposite of the adversary's goal)

Property that needs to be guaranteed

2. Attack model

Attack venues: what the adversary can and cannot do. Leaked information: what the adversary can learn from honest users (often modeled by oracles).


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if, given the verification key $k_v$, it outputs a pair $(m', \sigma')$ of a message and its signature such that the following probability is large:

$\Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \,]$


Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.


Security Notion for Signature Schemes: EUF-CMA [Goldwasser, Micali, Rivest 1988]

Given a signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \overset{\$}{\leftarrow} K(\cdot)$; the Adversary receives $k_v$ and the Signing Oracle receives $k_s$.

The Adversary repeatedly sends $m$ to the Signing Oracle and gets back $\sigma \leftarrow \mathrm{Sign}(k_s, m)$; finally it outputs $(m', \sigma')$.

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m' \,]$

(Existential unforgeability under chosen-message attacks)


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$.

The same query asked twice receives the same answer twice.

But in the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

$K$: Key Generation returns $(f, f^{-1})$ where
Public key: $f: X \rightarrow X$, a trapdoor one-way permutation onto $X$;
Private key: $f^{-1}$.

$S$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$.

$V$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[\, S_0 \,]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
Create an initially empty list called H-List.
If $(q, r) \in$ H-List, return $r$.
Otherwise reply using Rule H(1): $r \overset{\$}{\leftarrow} X$ and add record $(q, r)$ to H-List.

Signing oracle $S(m)$:
$r \leftarrow H(m)$. Reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$:
$r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[\, S_1 \,] = \Pr[\, S_0 \,]$.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \overset{\$}{\leftarrow} \{1, \ldots, q_H + q_S + 1\}$.

Let $c'$ = index of the first query where message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle by $A$.

If $c \neq c'$ then abort.

Success: verification is within the game $\Rightarrow$ the adversary must query its output message $m'$.

$\Pr[\, S_2 \,] = \Pr[\, S_1 \wedge \mathrm{GoodGuess} \,] = \Pr[\, S_1 \mid \mathrm{GoodGuess} \,] \times \Pr[\, \mathrm{GoodGuess} \,] \ge \Pr[\, S_1 \,] \times \frac{1}{q_H + q_S + 1}$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ by $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add record $(q, \perp, r)$ to H-List.

Since $y$ is chosen uniformly at random, $\Pr[\, S_3 \,] = \Pr[\, S_2 \,]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose random $s \overset{\$}{\leftarrow} X$ and compute $r \leftarrow f(s)$. Add record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[\, S_4 \,] = \Pr[\, S_3 \,]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the $c$-th hash query cannot be asked to the signing oracle (a forgery must be on a new message), $\Pr[\, S_5 \,] = \Pr[\, S_4 \,]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery for $y$ gives a preimage for $y$;

$\Pr[\, S_5 \,] = \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[\, S_5 \,] = \Pr[\, S_4 \,] = \Pr[\, S_3 \,] = \Pr[\, S_2 \,] \ge \frac{1}{q_H + q_S + 1} \times \Pr[\, S_1 \,] \ge \frac{1}{q_H + q_S + 1} \times \Pr[\, S_0 \,] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

                                                                                4777

Interpreting Exact Security: FDH Signatures

Let's go back to our first result:

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that
$$
\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\text{ow}}_{f}(B)
$$
where
- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,
- $T_f$ is the time to compute $f$ (in the forward direction),
- $B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$$
\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\text{ow}}_{f}(B),
\qquad B \text{ runs in time } t' = t + (q_h + q_s)\cdot T_f
$$

The result now says:

Interpreting the Result
If one can break the scheme with time $t$, then one can invert $f$ within time
$$
t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s)\cdot T_f\big) \le 2^{130} + 2^{110}\cdot T_f .
$$

Full-Domain Hash: Interpreting the Result (cont.)

Thus, inverting $f$ can be done in time
$$
t' \le 2^{130} + 2^{110}\cdot T_f .
$$
Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:
- 1024 bits $\rightarrow$ $t' \le 2^{140}$, but NFS takes $2^{80}$
- 2048 bits $\rightarrow$ $t' \le 2^{143}$, but NFS takes $2^{111}$
- 4096 bits $\rightarrow$ $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$
\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)
$$
(here $e$ is Euler's constant, not the RSA exponent), where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and
- 1024 bits $\rightarrow$ $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits $\rightarrow$ $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits $\rightarrow$ $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption).

Goal cannot be too strong:
- Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between Challenger and Adversary (the slide's diagram, as text):

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the Adversary.
Adversary (CCA1 phase, before the challenge): may send any $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\perp$.
Adversary: chooses $m_0$, $m_1$ and sends them to the Challenger.
Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$; sends $c^*$ to the Adversary.
Adversary (CCA2 phase, after the challenge): may send any $c \ne c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\perp$.
Adversary: outputs a guess $b'$.

$$
\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\big]
$$
(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:
- Let $m$ be a random message chosen from the message space $\mathcal{M}$.
- From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as
$$
\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} \mathcal{M},\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\big]
$$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Observation: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
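The IND-CCA game of the previous slide and the two failures listed on this one, as an added example (not code from the slides or from any library). The game runner follows the diagram: a challenger draws $b$, a decryption oracle answers every ciphertext except $c^*$ (CCA2) or only before the challenge (CCA1) or not at all (CPA), and the adversary runs in two phases. The two schemes use constructed toy parameters (RSA on the primes 10007 and 10009, ElGamal modulo the Mersenne prime $2^{31}-1$ with generator 7) that only serve to make the mechanics visible; the adversary names are invented here.

```python
"""IND-CPA / IND-CCA as an executable game (added example, not from the slides).

Textbook RSA loses IND-CPA because encryption is deterministic; ElGamal loses
IND-CCA2 because a ciphertext can be multiplied into a different ciphertext of
a related plaintext and then handed to the decryption oracle.
"""
import random


class TextbookRSA:
    """Deterministic RSA, c = m^e mod n, on constructed toy primes."""

    def keygen(self):
        p, q = 10007, 10009                 # constructed toy primes
        n, e = p * q, 65537
        return (n, e), pow(e, -1, (p - 1) * (q - 1))

    def encrypt(self, pk, m, rng):
        n, e = pk
        return pow(m, e, n)                 # rng unused: no randomness at all

    def decrypt(self, sk, pk, c):
        return pow(c, sk, pk[0])


class ElGamal:
    """ElGamal in Z_p^* with p = 2^31 - 1 (a Mersenne prime) and g = 7."""
    P, G = 2**31 - 1, 7

    def keygen(self):
        x = random.Random(1).randrange(1, self.P - 1)
        return (self.P, self.G, pow(self.G, x, self.P)), x

    def encrypt(self, pk, m, rng):
        p, g, y = pk
        r = rng.randrange(1, p - 1)
        return (pow(g, r, p), m * pow(y, r, p) % p)

    def decrypt(self, sk, pk, c):
        p = pk[0]
        c1, c2 = c
        return c2 * pow(pow(c1, sk, p), -1, p) % p


def ind_game(scheme, adv, attack, rng):
    """One run of the experiment; attack is "cpa", "cca1" or "cca2".

    Returns True iff the adversary's guess b' equals the challenger's bit b.
    """
    pk, sk = scheme.keygen()
    b = rng.randrange(2)
    state = {"challenge": None}

    def dec_oracle(c):
        """D_kd(c), or None (the slides' bottom symbol) when the model forbids it."""
        if attack == "cpa":
            return None                     # no decryption oracle at all
        if attack == "cca1" and state["challenge"] is not None:
            return None                     # CCA1: oracle only before c*
        if c == state["challenge"]:
            return None                     # CCA2: any c except c* itself
        return scheme.decrypt(sk, pk, c)

    m0, m1 = adv.choose(pk, dec_oracle)     # first phase, may use the oracle
    c_star = scheme.encrypt(pk, (m0, m1)[b], rng)
    state["challenge"] = c_star
    return adv.guess(pk, c_star, dec_oracle) == b


def win_rate(scheme, adv, attack, trials=200, seed=0):
    """Fraction of games won over several runs; 0.5 is plain guessing."""
    rng = random.Random(seed)
    wins = sum(ind_game(scheme, adv, attack, rng) for _ in range(trials))
    return wins / trials


class ReencryptDistinguisher:
    """Against a deterministic scheme: re-encrypt m0 and compare with c*."""

    def __init__(self, scheme):
        self.scheme = scheme

    def choose(self, pk, dec):
        self.m0, self.m1 = 1234, 5678
        return self.m0, self.m1

    def guess(self, pk, c_star, dec):
        return 0 if self.scheme.encrypt(pk, self.m0, None) == c_star else 1


class ElGamalMauler:
    """CCA2 adversary: (c1, 2*c2) is not c*, yet it decrypts to 2*m_b."""

    def choose(self, pk, dec):
        self.m0, self.m1 = 1234, 5678
        return self.m0, self.m1

    def guess(self, pk, c_star, dec):
        p = pk[0]
        c1, c2 = c_star
        two_mb = dec((c1, 2 * c2 % p))
        if two_mb is None:                  # oracle refused (CPA/CCA1): guess
            return 0
        return 0 if two_mb * pow(2, -1, p) % p == self.m0 else 1


if __name__ == "__main__":
    rsa, eg = TextbookRSA(), ElGamal()
    print("textbook RSA, IND-CPA :", win_rate(rsa, ReencryptDistinguisher(rsa), "cpa"))
    print("ElGamal, IND-CCA2     :", win_rate(eg, ElGamalMauler(), "cca2"))
    print("ElGamal, IND-CCA1     :", win_rate(eg, ElGamalMauler(), "cca1"))
```

Run as a script it prints a win rate of 1.0 for the two attacks the slides name and about 0.5 for the ElGamal adversary under CCA1, where the oracle stops answering once $c^*$ is out; that last number is the point of the attack-model distinction: the same scheme is IND-CPA (under DDH) and even IND-CCA1 here, and only the post-challenge oracle breaks it.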

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:
- Any trapdoor one-way function may yield an OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with
$$
G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}, \qquad
H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0} .
$$
- $\mathcal{E}(m, r)$: compute $x$, $y$, then return $c = f(x \,\|\, y)$.
- $\mathcal{D}(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP, then check the redundancy.
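The encode/decode steps of $f$-OAEP, as an added example (not code from the slides or from any library). The slide leaves $x$ and $y$ unspecified; this code uses the Bellare-Rogaway definition $x = (m \,\|\, 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$, $c = f(x \,\|\, y)$. $G$ and $H$ are built from SHA-256 in counter mode (an assumption; the slides only require random-oracle-like functions), and $f$ is textbook RSA on the two Mersenne primes $2^{61}-1$ and $2^{89}-1$, a constructed toy key. The sizes $n = 144$, $k_0 = 64$, $k_1 = 32$ bits are chosen so that $n > k_0 + k_1$ and every $n$-bit string is below the modulus.

```python
"""f-OAEP with the redundancy check (added example, not from the slides)."""
import hashlib

N_BYTES = 18   # n  = 144-bit OAEP domain, smaller than the toy modulus below
K0_BYTES = 8   # k0 = 64-bit random seed r
K1_BYTES = 4   # k1 = 32-bit zero redundancy
M_BYTES = N_BYTES - K0_BYTES - K1_BYTES      # 6-byte messages


def keygen():
    """Toy RSA key (N, e), d on constructed Mersenne primes; never use for real."""
    p, q = 2**61 - 1, 2**89 - 1
    n, e = p * q, 65537
    return (n, e), pow(e, -1, (p - 1) * (q - 1))


def _mgf(seed, out_len, label):
    """Mask generation: counter-mode SHA-256, domain-separated by a label."""
    out = b""
    for counter in range((out_len + 31) // 32):
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
    return out[:out_len]


def G(r):                # {0,1}^k0 -> {0,1}^(n-k0)
    return _mgf(r, N_BYTES - K0_BYTES, b"G")


def H(x):                # {0,1}^(n-k0) -> {0,1}^k0
    return _mgf(x, K0_BYTES, b"H")


def _xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_encrypt(pk, m, r):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), return f(x || y)."""
    if len(m) != M_BYTES or len(r) != K0_BYTES:
        raise ValueError("wrong message or seed length")
    x = _xor(m + b"\x00" * K1_BYTES, G(r))
    y = _xor(r, H(x))
    n, e = pk
    return pow(int.from_bytes(x + y, "big"), e, n)


def oaep_decrypt(pk, sk, c):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy; None means reject."""
    n, _ = pk
    xy_int = pow(c, sk, n)
    if xy_int >= 1 << (8 * N_BYTES):
        return None                       # preimage outside the n-bit OAEP domain
    xy = xy_int.to_bytes(N_BYTES, "big")
    x, y = xy[:N_BYTES - K0_BYTES], xy[N_BYTES - K0_BYTES:]
    r = _xor(y, H(x))                      # recover the seed first ...
    padded = _xor(x, G(r))                 # ... then unmask the padded message
    if padded[M_BYTES:] != b"\x00" * K1_BYTES:
        return None                       # redundancy check failed: reject
    return padded[:M_BYTES]


if __name__ == "__main__":
    pk, sk = keygen()
    m = b"secret"
    c1 = oaep_encrypt(pk, m, bytes(range(8)))
    c2 = oaep_encrypt(pk, m, bytes(range(8, 16)))
    print("randomised:", c1 != c2)
    print("decrypts:  ", oaep_decrypt(pk, sk, c1) == m)
    print("tampered:  ", oaep_decrypt(pk, sk, c1 ^ 1))
```

The two things worth observing when running it: the same message under two seeds gives two different ciphertexts (the randomisation that textbook RSA lacks), and flipping one bit of a ciphertext makes decryption reject, because after $f^{-1}$ the unmasked $k_1$ zero bits no longer match; that rejection is what the decryption oracle of the IND-CCA game returns as $\perp$.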

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is
$$
\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}
$$
where $B$ runs in time $t' = 2\cdot t + q_H\,(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6\cdot 2^{110}\,k^2 \le 2^{113}\cdot k^2$, and
- 1024 bits $\rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits $\rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits $\rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model
Consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound
The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and
- 1024 bits $\rightarrow$ $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits $\rightarrow$ $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits $\rightarrow$ $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.
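The "interpreting the result" arithmetic of the FDH slides, the RSA-OAEP slide and this OAEP++ slide, carried out in code as an added example (not code from the slides). Each bound is written exactly as the slides state it, under the slides' own cost model (forward RSA with small $e$ costs $T_f = k^3$ in the FDH bound; the RSA-OAEP and OAEP++ bounds are already in terms of $k^2$) and with the slides' NFS figures; the function names are invented here. Coron's improved bound is left out because the slides do not state which $T_f$ its table uses.

```python
"""Exact-security bookkeeping for the RSA-based bounds on the slides.

Added example, not from the slides.  Each function returns the running time
t' of the inverter B for an adversary with the slides' feasible resources,
as an exact Python integer, so the comparison with the NFS cost is done on
log2 values that are not rounded away.
"""
from math import log2

# feasible adversary resources from the slides, as log2 values
T, QH, QS, QG, QE = 75, 55, 30, 55, 55

# best known factoring cost (NFS) per modulus size, as quoted on the slides
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_inverter_time(k):
    """Bellare-Rogaway FDH: t' = (q_h + q_s + 1)(t + (q_h + q_s) T_f), T_f = k^3."""
    t, qh, qs, tf = 2**T, 2**QH, 2**QS, k**3
    return (qh + qs + 1) * (t + (qh + qs) * tf)


def rsa_oaep_inverter_time(k):
    """Fujisaki-Okamoto-Pointcheval-Stern RSA-OAEP: t' = 2t + q_H (2 q_G + q_H) k^2."""
    t, qh, qg = 2**T, 2**QH, 2**QG
    return 2 * t + qh * (2 * qg + qh) * k**2


def oaep_pp_inverter_time(k):
    """Jonsson OAEP++: t' = t + q_E k^2."""
    return 2**T + 2**QE * k**2


def reduction_is_meaningful(t_prime, k):
    """The bound only says something if B would beat the best known attack."""
    return log2(t_prime) < NFS_LOG2[k]


def minimum_secure_modulus(bound):
    """Smallest listed modulus size at which the bound is meaningful, else None."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(bound(k), k):
            return k
    return None


if __name__ == "__main__":
    for name, bound in [("RSA-FDH", fdh_inverter_time),
                        ("RSA-OAEP", rsa_oaep_inverter_time),
                        ("RSA-OAEP++", oaep_pp_inverter_time)]:
        for k in sorted(NFS_LOG2):
            verdict = "ok" if reduction_is_meaningful(bound(k), k) else "no"
            print(f"{name:11s} {k:5d} bits: t' ~ 2^{log2(bound(k)):.1f}, "
                  f"NFS 2^{NFS_LOG2[k]}: {verdict}")
        print(f"{name}: secure from {minimum_secure_modulus(bound)} bits")
```

The script reproduces the three verdicts of the slides (FDH and RSA-OAEP need 4096-bit moduli, OAEP++ is fine from 1024 bits) and shows where each loss comes from: in the FDH bound the factor $(q_h+q_s+1)$ multiplies the whole running time, whereas in the OAEP++ bound the adversary's own time $t$ enters only once, which is what "tight" means in practice.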

Revisiting the Assumptions

Classical Assumptions
- Integer Factoring
- Discrete Logarithm (in Finite Fields and in Elliptic Curves)
- Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
- Error-Correcting Codes
- Hash-based schemes
- Systems of Multi-Variate Equations
- Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

- Provable security does not yield proofs.
- Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance.
- Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security
- provides some form of guarantee that the scheme is not flawed,
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,
- gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),
- is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Part IV

Security Notions

31/77

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Notions: Examples

Problem: authentication and non-repudiation (i.e. signatures).

How do we come up with a security notion? We need to think about and define:

1. The security goal of the scheme (the opposite of the adversary's goal): the property that needs to be guaranteed.

2. The attack model:
   Attack venues: what the adversary can and cannot do.
   Leaked information: what the adversary can learn from honest users (often modeled by oracles).

32/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m', σ') of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m', σ') = 1 ]

33/77

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also has access to a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which it sees the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

1. (kv, ks) ←$ K(·); the adversary A receives kv, the signing oracle receives ks.

2. A adaptively queries the signing oracle: on each message m it returns σ ← Sign(ks, m).

3. A outputs a pair (m', σ').

Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m', σ') = 1 for a new m' ]

where "new" means that m' was never submitted to the signing oracle.

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rng(H) is analysed as if it were a perfectly random function:

Each new query receives a uniformly random answer in Rng(H).

The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti-Goldreich-Halevi 98/04]: there exist (contrived) schemes that are secure in the random oracle model but insecure under every concrete instantiation of H.

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns (f, f^{-1}) where
   the public key f: X → X is a trapdoor one-way permutation onto X, and
   the private key is f^{-1}.

S: Signature of m returns σ ← f^{-1}(H(m)), where H: {0,1}* → X hashes onto the full domain of f.

V: Verification of (m, σ) returns true if f(σ) = H(m).

38/77
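As an added, runnable illustration of the EUF-CMA game of slide 35 and of the FDH scheme just defined (example code written for this page, not part of the original tutorial): a constructed toy RSA instance (N = 61·53, e = 17, far too small for real use) serves as the trapdoor permutation f; plain "textbook RSA" signing (no hash) is compared with FDH-RSA against a no-message forger that picks σ first and sets m := f(σ). All function names (euf_cma_experiment, forgery_wins, make_no_message_forger, ...) are this example's own.

```python
import hashlib

# Constructed toy RSA instance (N = 61*53, e = 17, d = 2753): far too small for real
# use, chosen only so that every step below runs instantly and can be checked by hand.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor; only the signer may use it


def f(x: int) -> int:
    """Public direction of the trapdoor permutation on X = Z_N (RSA: x -> x^e mod N)."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Private direction: needs the trapdoor d."""
    return pow(y, D, N)


def H(m: bytes) -> int:
    """Full-domain hash onto X = Z_N (SHA-256 reduced mod N). Fine for a toy N;
    a real FDH needs a hash output at least as wide as N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def encode(m: bytes) -> int:
    """Textbook RSA's 'hash': read the message bytes as an integer mod N."""
    return int.from_bytes(m, "big") % N


# Each scheme is a (Sign, Vf) pair; Sign uses ks = d, Vf uses only kv = (N, e).
TEXTBOOK = (lambda m: f_inv(encode(m)), lambda m, s: f(s) == encode(m))
FDH = (lambda m: f_inv(H(m)), lambda m, s: f(s) == H(m))


def euf_cma_experiment(scheme, adversary) -> int:
    """Run the EUF-CMA game: A gets a signing oracle and the public verification
    predicate; it wins (return 1) iff its (m', sigma') verifies and m' is new."""
    sign, verify = scheme
    queried = set()

    def sign_oracle(m: bytes) -> int:
        queried.add(m)
        return sign(m)

    m_prime, sigma_prime = adversary(sign_oracle, verify)
    return 1 if (m_prime not in queried and verify(m_prime, sigma_prime)) else 0


def make_no_message_forger(sigma: int):
    """No-message attack: choose sigma first, then the message it 'signs'.
    Against textbook RSA, m = f(sigma) always verifies; against FDH it verifies
    only if H(m) happens to equal f(sigma), probability about 1/N."""
    def adversary(sign_oracle, verify):
        m_prime = f(sigma).to_bytes(2, "big")   # f(sigma) < N < 2^16
        return m_prime, sigma
    return adversary


def replay_adversary(sign_oracle, verify):
    """Asks for a signature and hands it back: valid, but not a forgery (m' not new)."""
    m = b"pay 10 to alice"
    return m, sign_oracle(m)


def forgery_wins(scheme, sigmas) -> int:
    """Number of no-message forgery attempts that the game counts as wins."""
    return sum(euf_cma_experiment(scheme, make_no_message_forger(s)) for s in sigmas)


if __name__ == "__main__":
    trials = range(1, 41)
    print("textbook RSA forgeries:", forgery_wins(TEXTBOOK, trials), "/ 40")
    print("FDH-RSA forgeries:     ", forgery_wins(FDH, trials), "/ 40")
    print("replay counted as forgery?", euf_cma_experiment(FDH, replay_adversary))
```

The forger wins every attempt against textbook RSA without a single signing query, so that scheme fails even under a no-message attack; against FDH an attempt wins only when H(m) collides with f(σ), about 1/N per try, which is negligible for a real-size N. The replayed signature on a queried message is rejected by the game, which is exactly the "new m'" condition of the definition.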

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a trapdoor one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof (reduction).

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games (or experiments) G0, G1, ..., G5.

2. All games live in the same probability space.

3. The rules for how the view of the game is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly, Adv^{euf-cma}_{FDH}(A) = Pr[ S0 ]

41/77

                                                                                  Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Signatures & Game-based Proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Keep an initially empty list called H-List.
  If (q, r) ∈ H-List, return r.
  Otherwise reply using
    Rule H(1): r ←$ X, add the record (q, r) to H-List and return r.

Signing oracle S(m):
  r ← H(m). Reply using
    Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ).
  The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0]: a random oracle answered lazily (fresh random value on each new input, same value on repeated inputs) is exactly a random function, so A's view is unchanged.


Exact Security: FDH Signatures & Game-based Proofs (2/5)

Game G2: as G1, but where

  c ←$ {1, ..., qH + qS + 1}

Let c' be the index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle, whether by A directly, by the signing oracle, or by Vf.

If c ≠ c' then abort.

Since verification is done inside the game, the output message m' is always queried to H (at the latest by Vf), so c' is well defined and c' ≤ qH + qS + 1.

Let GoodGuess be the event c = c'. Then

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \cdot \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \cdot \frac{1}{q_H + q_S + 1}$$

(c is drawn independently of everything A sees, so Pr[S1 | GoodGuess] = Pr[S1]).


Exact Security: FDH Signatures & Game-based Proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge of which we want to extract a preimage x under f (i.e. find x with f(x) = y).

Rule H(3):
  If this is the c-th (fresh) query, set r ← y. Otherwise choose r at random as before.
  Add the record (q, ⊥, r) to H-List.

Since y = f(x) for a uniformly random x and f is a permutation, y is uniformly distributed in X, so the answer to the c-th query has the same distribution as in G2: Pr[S3] = Pr[S2].


Exact Security: FDH Signatures & Game-based Proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which is also used by signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose s ←$ X at random and compute r ← f(s).
  Add the record (q, s, r) to H-List.

Since y is uniform, f is a permutation and s is uniform, r = f(s) is uniform as well, so nothing in A's view changes: Pr[S4] = Pr[S3].


Exact Security: FDH Signatures & Game-based Proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):
  Look up (m, s, r) in H-List and set σ ← s.

The only record with s = ⊥ belongs to m', the forgery message, and the EUF-CMA winning condition excludes messages that were submitted to the signing oracle. So whenever A wins, the signing oracle never needs the missing preimage, and Pr[S5] = Pr[S4]. Moreover:

  the whole simulation can be done with (qS + qH) forward evaluations of f (no f^{-1} at all);

  a signature forgery on m' verifies against H(m') = y, so f(σ) = y: the forgery is a preimage of y.

Hence Pr[S5] = Adv^{ow}_f(B), where B = G5 runs in time t + (qS + qH)·Tf.


Exact Security: FDH Signatures & Game-based Proofs (conclusion)

Combining the relations from the previous games:

$$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\cdot\Pr[S_1] = \frac{1}{q_H + q_S + 1}\cdot\Pr[S_0] = \frac{1}{q_H + q_S + 1}\cdot\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A)$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
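The simulator B of game G5, written out as code. This is an added example, not code from the slides or from [Pointcheval 2005]: it uses a toy RSA modulus (n = 61·53, constructed, useless for real security) as the one-way permutation, and a "stand-in" forger that is secretly handed the trapdoor so that a forgery actually occurs and the reduction can be exercised. The names SimulatorB, stand_in_forger, reduction_B and inversion_rate are illustrative. The point to check is that SimulatorB never calls f_inv: it answers hash queries with r = f(s) for random s (rule H(4)), embeds the challenge y at the c-th fresh query, answers signing queries from the H-List (rule S(5)), and turns a forgery that lands on the c-th query into a preimage of y.

```python
"""Simulator B from game G5 of the FDH proof (added example; toy parameters)."""
import random

P, Q = 61, 53                  # toy RSA primes (constructed; NOT secure)
N, E, D = P * Q, 17, 2753       # N = 3233, e*d = 1 mod (p-1)(q-1)
assert (E * D) % ((P - 1) * (Q - 1)) == 1

def f(x):
    """The one-way permutation on Z_N (RSA, forward direction)."""
    return pow(x, E, N)

def f_inv(y):
    """The trapdoor. Only the cheating stand-in forger below may call it."""
    return pow(y, D, N)

class Abort(Exception):
    """A asked to sign the message whose hash was programmed to y."""

class SimulatorB:
    """Game G5: H and Sign simulated with forward evaluations of f only."""
    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.hlist = {}        # H-List: message -> (s, r), with r = H(message)
        self.fresh = 0         # number of distinct messages hashed so far

    def H(self, m):
        if m in self.hlist:
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:
            s, r = None, self.y               # Rule H(4): embed the challenge y
        else:
            s = self.rng.randrange(N)         # s uniform in Z_N ...
            r = f(s)                          # ... so r = f(s) is uniform as well
        self.hlist[m] = (s, r)
        return r

    def sign(self, m):
        self.H(m)                             # a signing query hashes first
        s, _ = self.hlist[m]
        if s is None:
            raise Abort(m)                    # no preimage of y is known
        return s                              # Rule S(5): sigma = s, f(s) = H(m)

    def verify(self, m, sigma):
        return self.H(m) == f(sigma)          # the Vf oracle of G0

def stand_in_forger(H, sign, rng, q_h=4, q_s=2):
    """Stand-in for A: q_h direct hash queries, q_s signing queries on other
    messages, then a forgery on one hashed-but-never-signed message.
    It cheats with f_inv; a real EUF-CMA adversary has no such power."""
    hashed = [f"hashed-{i}" for i in range(q_h)]
    for m in hashed:
        H(m)
    for i in range(q_s):
        sign(f"signed-{i}")
    target = rng.choice(hashed)
    return target, f_inv(H(target))

def reduction_B(y, rng, q_h=4, q_s=2):
    """Run A inside the G5 simulation; return a preimage of y, or None."""
    c = rng.randrange(1, q_h + q_s + 2)       # c <-$ {1, ..., q_h + q_s + 1}
    sim = SimulatorB(y, c, rng)
    try:
        m, sigma = stand_in_forger(sim.H, sim.sign, rng, q_h, q_s)
    except Abort:
        return None
    if sim.verify(m, sigma) and f(sigma) == y:   # forgery hit the c-th query
        return sigma
    return None

def inversion_rate(trials=2000, seed=1):
    """Fraction of random challenges y that B inverts. The proof predicts
    about Adv(A) / (q_h + q_s + 1) = 1/7 here, since the stand-in A always forges."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        y = f(rng.randrange(N))
        x = reduction_B(y, rng)
        if x is not None:
            assert f(x) == y
            wins += 1
    return wins / trials

if __name__ == "__main__":
    print(f"B inverts f in {inversion_rate():.3f} of trials (expected about {1/7:.3f})")
```

The measured rate sits near 1/7 = 1/(qH + qS + 1), which is exactly the loss factor of the conclusion slide: B only profits from the forgery when its guess c matches the query index of the forged message, and the guess is independent of what the forger does.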


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme built from a one-way trapdoor permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\text{ow}}_f(B)$$

where
  A runs in time t, makes qh queries to the hash function (random oracle) and qs signature queries;
  Tf is the time to compute f (in the forward direction);
  B runs in time t' = t + (qh + qs)·Tf.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible bounds for any adversary are

  at most 2^75 operations (t),
  at most 2^55 hash queries (qh), and
  at most 2^30 signing queries (qs).

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\text{ow}}_f(B), \qquad t' = t + (q_h + q_s)\cdot T_f$$

The result now says:

Interpreting the Result
If one can break the scheme in time t, then one can invert f within time

  t' ≤ (qh + qs + 1)·(t + (qh + qs)·Tf) ≤ 2^130 + 2^110·Tf

(the loss in advantage is converted into time: to match A's success probability, B has to be repeated about qh + qs + 1 times, hence the multiplicative factor).


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

  t' ≤ 2^130 + 2^110·Tf

Recall that Tf = O(k^3) bit operations for k = |n| with a full-size exponent (about k^2 for small e); the figures below use Tf ≈ k^3.

We compare it with the known cost of inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for f = RSA:

  1024 bits → t' ≤ 2^140, but NFS takes 2^80: not ok
  2048 bits → t' ≤ 2^143, but NFS takes 2^111: not ok
  4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is (provably) secure only for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

where B runs in time t' = t + (qh + qs + 1)·Tf if A runs in time t and makes qh, qs queries (here e is Euler's number 2.718..., not the RSA exponent). Inverting f can then be done in time t' ≤ 2^30·t + 2^85·Tf, and

  1024 bits → t' ≤ 2^105, but NFS takes 2^80: not ok
  2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok
  4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits. The loss no longer depends on qh: only the number of signing queries matters.


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

  Perfect secrecy is not possible: in public-key encryption the ciphertext (information-theoretically) reveals information about the plaintext, since an unbounded adversary can simply encrypt every candidate plaintext under the public key and compare.

Goal: Indistinguishability (Semantic Security), informally:

  Given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.


Attack model

  Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this comes for free, since he holds the encryption key).

  Chosen-Ciphertext Attack (CCA, or CCA2 when the queries are adaptive and may continue after the challenge): the adversary also has access to a decryption oracle which decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

  CCA2 is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary A is:

  Challenger: b ←$ {0,1}, (ke, kd) ←$ K(·); ke is handed to A.
  Phase 1 (CCA1): A may submit ciphertexts c and receives m ← D_kd(c) (or ⊥ if c is invalid).
  A sends two messages m0, m1 (of equal length); the challenger replies with c* ← E_ke(mb).
  Phase 2 (CCA2 only): A may again submit ciphertexts c ≠ c* and receives m ← D_kd(c) (or ⊥).
  A outputs a guess b'.

$$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b)\ :\ b' = b\big]$$

(Indistinguishability against chosen-ciphertext attacks. This is a success probability, of which a coin flip already achieves 1/2; the advantage is often normalised as 2·Pr[b' = b] − 1, so that it is negligible exactly when A does no better than guessing.)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
  Let m be a random message chosen from the message space M.
  From the ciphertext c = E_ke(m) (and the public key ke), the adversary A must recover m.

A scheme AS is one-way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with non-negligible probability.

Accordingly we measure the advantage of A as

$$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\big[m \overset{\$}{\leftarrow} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m\big]$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA ⇔ the RSA problem (computing modular e-th roots).
  It is not IND-CPA (nor IND-CCA) since it is deterministic: re-encrypting a candidate plaintext and comparing with the challenge decides b.

Discrete-log-based: ElGamal [ElGamal 1985]
  OW-CPA ⇔ CDH (Computational Diffie-Hellman)
  IND-CPA ⇔ DDH (Decisional Diffie-Hellman)
  It is not IND-CCA because of multiplicativity: from (c1, c2) = (g^r, m·h^r) anyone can form (c1, a·c2), a valid encryption of a·m that differs from the challenge, and have the decryption oracle open it.

Note: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog): a DLog solver solves CDH, and a CDH solver solves DDH.
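The IND-CCA2 game above as a harness, with the two attacks this slide mentions played against it. This is an added example, not code from the slides: TextbookRSA uses a fixed toy key (n = 61·53), ElGamal lives in the toy group Z_23^* generated by 5, and the class and function names (IndCca2Game, rsa_distinguisher, elgamal_distinguisher, win_rate) are illustrative. The RSA adversary never touches the decryption oracle, so it already breaks IND-CPA; the ElGamal adversary needs one CCA2 query, on a mauled ciphertext that the challenger is obliged to decrypt because it differs from c*.

```python
"""IND-CCA2 game harness with a deterministic-RSA and a malleable-ElGamal attacker
(added example; toy parameters constructed for illustration)."""
import random

class TextbookRSA:
    """Deterministic RSA with a fixed toy key (constructed: n = 61*53)."""
    N, E, D = 3233, 17, 2753
    def keygen(self, rng):
        return (self.N, self.E), (self.N, self.D)
    def enc(self, pk, m, rng):            # rng unused: encryption is deterministic
        n, e = pk
        return pow(m, e, n)
    def dec(self, sk, c):
        n, d = sk
        return pow(c, d, n)

class ElGamal:
    """ElGamal in the toy group Z_23^* generated by 5 (constructed)."""
    P, G = 23, 5
    def keygen(self, rng):
        x = rng.randrange(1, self.P - 1)
        return pow(self.G, x, self.P), x                   # h = g^x, sk = x
    def enc(self, pk, m, rng):
        r = rng.randrange(1, self.P - 1)
        return pow(self.G, r, self.P), (m * pow(pk, r, self.P)) % self.P
    def dec(self, sk, c):
        c1, c2 = c
        return (c2 * pow(c1, self.P - 1 - sk, self.P)) % self.P   # c2 * c1^-x

class IndCca2Game:
    """Challenger: decryption oracle available in both phases, refusing only c*."""
    def __init__(self, scheme, rng):
        self.scheme, self.rng = scheme, rng
        self.pk, self.sk = scheme.keygen(rng)
        self.b = rng.randrange(2)
        self.c_star = None
    def decrypt(self, c):
        if self.c_star is not None and c == self.c_star:
            return None                                    # the single forbidden query
        return self.scheme.dec(self.sk, c)
    def challenge(self, m0, m1):
        assert self.c_star is None and m0 != m1
        self.c_star = self.scheme.enc(self.pk, (m0, m1)[self.b], self.rng)
        return self.c_star
    def guess(self, b_prime):
        return b_prime == self.b

def rsa_distinguisher(game):
    """IND-CPA attack: no decryption queries, just re-encrypt m0 and compare."""
    m0, m1 = 2, 3
    c_star = game.challenge(m0, m1)
    return game.guess(0 if game.scheme.enc(game.pk, m0, game.rng) == c_star else 1)

def elgamal_distinguisher(game):
    """IND-CCA2 attack: maul c* into a ciphertext of 2*m_b and have it decrypted."""
    m0, m1 = 2, 3
    p = game.scheme.P
    c1, c2 = game.challenge(m0, m1)
    doubled = game.decrypt((c1, (2 * c2) % p))            # != c*, so it is answered
    m_b = (doubled * pow(2, p - 2, p)) % p                 # remove the factor 2
    return game.guess(0 if m_b == m0 else 1)

def win_rate(scheme, adversary, trials=200, seed=7):
    """Pr[b' = b] over fresh keys and coins; 1/2 would mean no advantage."""
    rng = random.Random(seed)
    wins = sum(adversary(IndCca2Game(scheme, rng)) for _ in range(trials))
    return wins / trials

def oracle_refuses_challenge(scheme, seed=1):
    """Sanity check of the harness: the oracle must not decrypt c* itself."""
    game = IndCca2Game(scheme, random.Random(seed))
    c_star = game.challenge(2, 3)
    return game.decrypt(c_star) is None

if __name__ == "__main__":
    print("textbook RSA, IND-CPA adversary:", win_rate(TextbookRSA(), rsa_distinguisher))
    print("ElGamal, IND-CCA2 adversary:    ", win_rate(ElGamal(), elgamal_distinguisher))
```

Both adversaries win with probability 1, which is what "not IND-CPA" and "not IND-CCA" mean concretely; the ElGamal attack would fail in the CCA1 model, where no decryption query is allowed after the challenge.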


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
  Any trapdoor one-way function may yield a OW-CPA encryption scheme (encrypt by applying the function).
  OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversions from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with

  G: {0,1}^k0 → {0,1}^(n−k0)
  H: {0,1}^(n−k0) → {0,1}^k0

E(m, r), for an (n − k0 − k1)-bit message m and a random k0-bit string r: compute
  x = (m || 0^k1) ⊕ G(r)   (n − k0 bits)
  y = r ⊕ H(x)             (k0 bits)
then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP (r = y ⊕ H(x), then m || z = x ⊕ G(r)), then check the redundancy: output m only if z = 0^k1, otherwise reject.

                                                                                  5877
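As an added example (not code from the slides), here is f-OAEP in Python with f instantiated as a toy RSA permutation. The slide leaves x, y to its diagram, so the code uses the standard OAEP rounds x = (m||0^k1) ⊕ G(r), y = r ⊕ H(x); the SHA-256 counter-mode instantiation of G and H, the Mersenne-prime RSA key (public, hence not secure) and the byte-sized n, k0, k1 are all assumptions of this example.

```python
import hashlib
import os

# --- Toy trapdoor permutation f = RSA (constructed for this example, NOT secure) ---
# The primes are the Mersenne primes 2^521-1 and 2^607-1, so the factorisation is
# public knowledge; they only provide a working f / f^-1 with a ~1128-bit modulus.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP parameters in bytes, with n > k0 + k1 as on the slide.
# 8 * NBYTES = 1120 bits < log2(N), so every block x||y lies inside f's domain.
NBYTES = 140                 # n  : length of x||y
K0 = 32                      # k0 : length of the random r (and of H's output)
K1 = 32                      # k1 : zero redundancy appended to m
MLEN = NBYTES - K0 - K1      # message length n - k0 - k1


def mgf(seed: bytes, length: int, label: bytes) -> bytes:
    """Counter-mode SHA-256 expansion: an assumed MGF1-style instantiation of G and H."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def G(r: bytes) -> bytes:            # G: {0,1}^k0 -> {0,1}^(n-k0)
    return mgf(r, NBYTES - K0, b"G")


def H(x: bytes) -> bytes:            # H: {0,1}^(n-k0) -> {0,1}^k0
    return mgf(x, K0, b"H")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """Compute x, y from m and r (the two Feistel rounds of OAEP) and return x||y."""
    assert len(m) == MLEN and len(r) == K0
    x = xor(m + b"\x00" * K1, G(r))   # x = (m || 0^k1) xor G(r)
    y = xor(r, H(x))                  # y = r xor H(x)
    return x + y


def oaep_unpad(block: bytes):
    """Invert OAEP and check the redundancy; return m, or None if the 0^k1 check fails."""
    x, y = block[:NBYTES - K0], block[NBYTES - K0:]
    r = xor(y, H(x))                  # recover r from y
    mz = xor(x, G(r))                 # recover m || 0^k1 from x
    m, z = mz[:MLEN], mz[MLEN:]
    if z != b"\x00" * K1:
        return None                   # redundancy check failed: reject
    return m


def encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r): c = f(x||y).  A fresh random r is drawn when none is supplied."""
    if r is None:
        r = os.urandom(K0)
    block = oaep_pad(m, r)
    return pow(int.from_bytes(block, "big"), E, N)


def decrypt(c: int):
    """D(c): x||y = f^-1(c), then invert OAEP and check the redundancy."""
    if not 0 <= c < N:
        return None
    v = pow(c, D, N)
    if v >= 1 << (8 * NBYTES):        # not a valid n-bit block: reject
        return None
    return oaep_unpad(v.to_bytes(NBYTES, "big"))


def demo():
    """Round trip, randomisation, and the rejection the redundancy check gives D(c)."""
    m = b"attack at dawn".ljust(MLEN, b" ")   # constructed 76-byte message
    c1, c2 = encrypt(m), encrypt(m)
    ok_roundtrip = decrypt(c1) == m and decrypt(c2) == m
    randomized = c1 != c2                      # same m, fresh r => different c
    # A ciphertext altered by one bit decrypts to a scrambled x||y, so the 0^k1
    # block does not come out and D rejects instead of returning a related message.
    tampered_rejected = decrypt(c1 ^ 1) is None
    return ok_roundtrip, randomized, tampered_rejected
```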

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · √( Adv^{rsa}_{n,e}(B) )

where B runs in time t′ = 2·t + qH·(2·qG + qH)·k^2 if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting) f can be done in time t′ ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no

2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no

4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight)

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more

61/77

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then (one mode) attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with "model, attack, remodel"? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References


Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think and define:

1. Security goal of the scheme (= the opposite of the adversary's goal): the property that needs to be guaranteed.

2. Attack model: attack venues (what the adversary can and cannot do) and leaked information (what the adversary can learn from honest users, often modeled by oracles).

32/77

Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m′, σ′) of a message and its signature

such that the following probability is large:

Pr[ Vf(kv, m′, σ′) = 1 ]

33/77

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

(kv, ks) ←$ K(·)

[Game diagram: kv goes to the Adversary, ks goes to the Signing Oracle. The Adversary repeatedly sends a message m and receives σ ← Sign(ks, m) (m →, ← σ, ···), and finally outputs (m′, σ′).]

Adv^{euf-cma}_Σ(A) = Pr[ Vf(kv, m′, σ′) = 1 for a new m′ ]

(Existential unforgeability under chosen-message attacks)

35/77
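The EUF-CMA experiment above, written out as an added Python example (not code from the slides): the signing oracle records every queried m, and the win condition requires both Vf(kv, m′, σ′) = 1 and that m′ is new. The hash-and-sign RSA scheme Σ, the Mersenne-prime key (public, hence not secure) and the two sample adversaries are constructed for this demo.

```python
import hashlib
import os

# Toy hash-and-sign RSA scheme Σ = (K, Sign, Vf), constructed for this example.
# The modulus is built from the known Mersenne primes 2^521-1 and 2^607-1, so it
# is NOT secure; it only has to behave like a signature scheme so the game can run.
P = (1 << 521) - 1
Q = (1 << 607) - 1


def K():
    """Key generation: returns (kv, ks) = (verification key, signing key)."""
    n = P * Q
    e = 65537
    d = pow(e, -1, (P - 1) * (Q - 1))
    return (n, e), (n, d)


def _h(m: bytes) -> int:
    # 256-bit hash of the message, interpreted as an integer below n
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def Sign(ks, m: bytes) -> int:
    n, d = ks
    return pow(_h(m), d, n)


def Vf(kv, m: bytes, sigma: int) -> bool:
    n, e = kv
    return 0 <= sigma < n and pow(sigma, e, n) == _h(m)


class SigningOracle:
    """Holds ks, answers σ ← Sign(ks, m), and records every m it was asked to sign."""

    def __init__(self, ks):
        self._ks = ks
        self.queried = set()

    def __call__(self, m: bytes) -> int:
        self.queried.add(m)
        return Sign(self._ks, m)


def euf_cma_experiment(adversary) -> bool:
    """One run of the EUF-CMA game of the slide.

    adversary(kv, oracle) must return (m', σ').  It wins iff Vf(kv, m', σ') = 1
    AND m' is new, i.e. was never submitted to the signing oracle.
    """
    kv, ks = K()
    oracle = SigningOracle(ks)
    m_prime, sigma_prime = adversary(kv, oracle)
    return Vf(kv, m_prime, sigma_prime) and m_prime not in oracle.queried


# --- Constructed adversaries that exercise the two ways of *not* winning ---
def replay_adversary(kv, sign):
    """Asks the oracle for a signature and outputs that pair: valid, but m' is not new."""
    m = b"transfer 10 to Bob"
    return m, sign(m)


def guessing_adversary(kv, sign):
    """Outputs a never-queried message with a random σ': new, but Vf rejects (w.o.p.)."""
    n, _ = kv
    m = b"transfer 1000 to Bob"
    return m, int.from_bytes(os.urandom(64), "big") % n


def run_experiments():
    """Both adversaries have advantage 0 in this run: replay fails the 'new m'' test,
    guessing fails verification."""
    return {
        "replay": euf_cma_experiment(replay_adversary),
        "guess": euf_cma_experiment(guessing_adversary),
    }
```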

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77

                                                                                    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$

The same query asked twice receives the same answer twice

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns $(f, f^{-1})$ where

Public key: $f: X \to X$, a trapdoor one-way permutation onto X

Private key: $f^{-1}$

S: Signature of m returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

$T_f$ is the time to compute f (in the forward direction)

B runs in time $t' = t + (q_h + q_s) \cdot T_f$

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77

Exact Security: FDH Signatures & Game-based proofs

We use the game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games (or experiments) $G_0, G_1, \ldots, G_5$

2. All games are in the same probability space

3. The rules on how the view of the game is computed differ

4. Successive games are very similar, typically with slightly different probability distributions

5. $G_0$ is the actual security game (EUF-CMA)

6. $G_5$ is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$:

Verification oracle $V_f(m, \sigma)$:

Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$ but the oracles are simulated as below.

Hashing oracle $H(q)$:

Create an initially empty list called H-List.

If $(q, r) \in$ H-List, return r.

Otherwise, reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:

$r \leftarrow H(m)$. Reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $V_f(m, \sigma)$:

$r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$ but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

Let $c'$ be the index of the first query where the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If $c \neq c'$ then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$ but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): If this is the c-th query, set $r \leftarrow y$. Otherwise choose r at random. Add the record $(q, \bot, r)$ to H-List.

Since the position of y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$ but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

If this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.

Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.

Add the record $(q, s, r)$ to H-List.

Since the position of y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

45/77

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the c-th query (the forgery target) cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f

a signature forgery for y gives a preimage for y

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) T_f$

46/77

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
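The random oracle of the "Security Model: Random Oracle" slide and the inverter B assembled from games G1 to G5, as an added Python example that is not part of the original slides: the toy RSA parameters, the class and function names, and the "cheating forger" (a stand-in for the hypothetical adversary A that is handed $f^{-1}$ only so the reduction has a forgery to consume) are all constructed here. Planting the challenge y at each possible position c shows that B extracts a preimage exactly when c = c' and aborts otherwise.

```python
import random

# Constructed toy RSA parameters (NOT secure; chosen so the arithmetic is easy to check).
# f(x) = x^E mod N is a permutation of X = Z_N; the trapdoor is D = E^-1 mod phi(N).
P, Q = 61, 53
N = P * Q            # 3233
E = 17
D = 2753             # 17 * 2753 = 46801 = 15 * 3120 + 1, phi(N) = 60 * 52 = 3120


def f(x):
    """Forward direction of the trapdoor permutation (public key)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction (private key); only the real signer holds D."""
    return pow(y, D, N)


class RandomOracle:
    """H: {0,1}* -> X, lazily sampled (rule H(1) of G1): a fresh query gets a uniform
    answer, a repeated query gets the stored answer."""

    def __init__(self, rng):
        self.rng, self.table = rng, {}

    def query(self, m):
        if m not in self.table:
            self.table[m] = self.rng.randrange(N)
        return self.table[m]


def fdh_sign(ro, m):
    """S: sigma <- f^-1(H(m))."""
    return f_inv(ro.query(m))


def fdh_verify(ro, m, sigma):
    """V: accept iff f(sigma) = H(m)."""
    return f(sigma) == ro.query(m)


class Abort(Exception):
    """The simulation stops: the guess c was wrong (c != c' in G2)."""


class Inverter:
    """B from games G2..G5: runs A with simulated H and S that never call f^-1, plants
    the challenge y at the c-th fresh hash query (rule H(4)), signs from stored
    preimages (rule S(5)) and turns A's forgery into a preimage of y."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.hlist = {}                  # H-List: message -> (s, r); s is None at the c-th query
        self.fresh, self.signed = 0, set()

    def H(self, m):
        if m in self.hlist:
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:
            s, r = None, self.y          # rule H(4): r <- y, s <- bottom
        else:
            s = self.rng.randrange(N)    # s uniform in X, so r = f(s) is uniform too
            r = f(s)                     # (f is a permutation): same distribution as G1
        self.hlist[m] = (s, r)
        return r

    def S(self, m):
        self.H(m)                        # a signing query implies a hash query
        s, _ = self.hlist[m]
        if s is None:
            raise Abort                  # no preimage of y: B cannot answer, guess was wrong
        self.signed.add(m)
        return s                         # rule S(5): sigma <- s, no f^-1 needed

    def run(self, adversary):
        """Return a preimage of y if A forges on the message that received y, else None."""
        try:
            m, sigma = adversary(self.H, self.S)
        except Abort:
            return None
        r = self.H(m)                    # V_f hashes m, so A's output message is always queried
        if m in self.signed or f(sigma) != r:
            return None                  # not a valid forgery
        return sigma if r == self.y else None   # r == y: c == c', and f(sigma) = y


def make_cheating_forger(messages, target):
    """Constructed stand-in for A. No forger exists if f is one-way, so this one is granted
    f_inv; the reduction does not care how the forgery was produced."""

    def adversary(H, S):
        for m in messages:               # q_h hash queries in a fixed order
            H(m)
        for m in messages:               # q_s signing queries on everything but target
            if m != target:
                S(m)
        return target, f_inv(H(target))  # forgery on a message that was never signed
    return adversary


def run_reduction(y, adversary, c, seed=0):
    return Inverter(y, c, random.Random(seed)).run(adversary)


def demo():
    """Plant y at every position c in 1..q_h+q_s+1 and record what B extracts."""
    rng = random.Random(1)
    x = rng.randrange(N)
    y = f(x)                                     # the one-wayness challenge
    msgs = [b"m0", b"m1", b"m2", b"m3"]
    forger = make_cheating_forger(msgs, b"m2")   # c' = 3: "m2" is the third fresh hash query
    return x, {c: run_reduction(y, forger, c) for c in range(1, len(msgs) + 2)}


if __name__ == "__main__":
    x, results = demo()
    for c, out in results.items():
        print(f"c={c}: B outputs {out}" + ("  <- preimage of y" if out == x else ""))
```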

Interpreting Exact Security: FDH Signatures

Let's go back to our first result:

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

$T_f$ is the time to compute f (in the forward direction)

B runs in time $t' = t + (q_h + q_s) \cdot T_f$

How should we interpret this result?

48/77

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

B runs in time $t' = t + (q_h + q_s) \cdot T_f$

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t′ ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t′ ≤ 2^140, but NFS takes 2^80
2048 bits → t′ ≤ 2^143, but NFS takes 2^111
4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^euf-cma_FDH(A) ≤ qs · e · Adv^ow_f(B)

where B runs in time t′ = t + (qh + qs + 1) · Tf if A runs in time t and makes qh, qs queries. Solving (inverting) f can be done in time t′ ≤ 2^30 · t + 2^85 · Tf, and

1024 bits → t′ ≤ 2^105, but NFS takes 2^80
2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok
4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal cannot be too strong:
Perfect Secrecy is not possible: the ciphertext (info-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). Strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme AS = (K, E, D):

Challenger: b ←$ {0, 1}, (ke, kd) ←$ K(·); ke is handed down to the Adversary.

CCA1 phase: Adversary → c → Challenger; Challenger returns m ← D_kd(c) (or ⊥); repeated (· · ·).

Adversary → (m0, m1) → Challenger; Challenger computes c* ← E_ke(m_b) and returns c* → Adversary.

CCA2 phase: Adversary → c ≠ c* → Challenger; Challenger returns m ← D_kd(c) (or ⊥); repeated.

Adversary outputs b′.

Adv^ind-cca_AS(A) = Pr[ (m0, m1) ← A^D(ke), c* ← E_ke(m_b) : b′ = b ]

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
Let m be a random message chosen from message space M.
From ciphertext c = E_ke(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^ow-cpa_AS(A) = Pr[ m ←$ M, c ← E_ke(m) : A(ke, c) = m ]

55/77


Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots)
It's not IND-CPA nor IND-CCA since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman)
IND-CPA = DDH (Decisional Diffie-Hellman)
It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
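The IND-CCA game of slide 54 and the remark that ElGamal fails it "because of multiplicativity" can be run together. The following Python harness is an added example, not code from the slides: it plays the CCA2 experiment with a decryption oracle that refuses only c*, over a constructed toy ElGamal group (p = 23, g = 5), and shows why the c ≠ c* rule alone does not help a malleable scheme, which is the gap the conversions on the next slides close.

```python
import random

# Constructed toy group, not a real parameter set: p = 23 is prime and
# g = 5 generates Z_23^*. The malleability argument does not depend on size.
P = 23
G = 5


def keygen(rng):
    """K: returns (ke, kd) = (h = g^x, x)."""
    x = rng.randrange(1, P - 1)
    return pow(G, x, P), x


def encrypt(h, m, rng):
    """E_ke(m) = (g^r, m * h^r) for a fresh random r."""
    r = rng.randrange(1, P - 1)
    return (pow(G, r, P), m * pow(h, r, P) % P)


def decrypt(x, c):
    """D_kd(c1, c2) = c2 * c1^(-x); the inverse comes from Fermat's little theorem."""
    c1, c2 = c
    return c2 * pow(c1, P - 1 - x, P) % P


def ind_cca2_game(adversary, rng):
    """One run of the IND-CCA2 experiment on slide 54.
    Returns True iff the adversary's guess b' equals the challenger's bit b."""
    b = rng.randrange(2)
    h, x = keygen(rng)
    challenge = []                              # holds c* once it exists

    def dec_oracle(c):
        # Answers every query except the challenge itself, which gets ⊥ (None).
        if challenge and c == challenge[0]:
            return None
        return decrypt(x, c)

    m0, m1, state = adversary.choose(h, dec_oracle)          # CCA1 phase
    c_star = encrypt(h, m0 if b == 0 else m1, rng)
    challenge.append(c_star)
    b_guess = adversary.guess(h, c_star, dec_oracle, state)  # CCA2 phase
    return b_guess == b


class MalleabilityAdversary:
    """Uses the multiplicative homomorphism the slide refers to: (c1, 2*c2) is a
    different ciphertext from c*, so the oracle must answer it, and it decrypts
    to 2*m_b."""

    def choose(self, h, dec_oracle):
        m0, m1 = 3, 7                           # two distinct messages in Z_23^*
        assert dec_oracle((1, 1)) is not None   # CCA1-phase queries are answered
        return m0, m1, (m0, m1)

    def guess(self, h, c_star, dec_oracle, state):
        m0, m1 = state
        c1, c2 = c_star
        assert dec_oracle(c_star) is None       # the challenge itself is refused
        related = (c1, 2 * c2 % P)              # c != c*, still a legal query
        m_b = dec_oracle(related) * pow(2, P - 2, P) % P   # divide by 2 mod p
        return 0 if m_b == m0 else 1


class GuessingAdversary:
    """Baseline that ignores the oracle and flips a coin: Pr[b' = b] ~ 1/2."""

    def __init__(self, seed=7):
        self.rng = random.Random(seed)

    def choose(self, h, dec_oracle):
        return 3, 7, None

    def guess(self, h, c_star, dec_oracle, state):
        return self.rng.randrange(2)


def win_rate(adversary, trials=500, seed=1):
    """Estimate Pr[b' = b], the quantity slide 54 writes as Adv^ind-cca_AS(A)."""
    rng = random.Random(seed)
    wins = sum(ind_cca2_game(adversary, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("malleability adversary:", win_rate(MalleabilityAdversary()))   # 1.0
    print("coin-flipping adversary:", win_rate(GuessingAdversary()))     # about 0.5
```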


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
Any trapdoor one-way function may yield a OW-CPA encryption scheme.
OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.

57/77



f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)
H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): Compute x, y, then return c = f(x || y).
D(c): Compute x || y = f^−1(c), invert OAEP, then check redundancy.

58/77
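The slide's diagram for computing x and y is not reproduced in this transcript, so here is an added, runnable f-OAEP (not the slide's own code) using the standard Bellare-Rogaway rule x = (m || 0^k1) ⊕ G(r), y = r ⊕ H(x). It assumes SHA-256 as G and H, a constructed toy RSA modulus (two Mersenne primes) as f, and byte-aligned parameters n = 88, k0 = k1 = 32, so that D returns ⊥ (None) whenever the redundancy check fails.

```python
import hashlib
import random

# OAEP layout (byte-aligned for simplicity): n = 88-bit block, k0 = 32 bits of
# randomness r, k1 = 32 redundancy bits, which leaves 24-bit messages.
N_BITS, K0_BITS, K1_BITS = 88, 32, 32
N_BYTES, K0_BYTES, K1_BYTES = N_BITS // 8, K0_BITS // 8, K1_BITS // 8
M_BYTES = N_BYTES - K0_BYTES - K1_BYTES

# Constructed toy trapdoor permutation f = RSA. Both primes are Mersenne primes
# (2^31 - 1 and 2^61 - 1), so the modulus has 92 bits and every 88-bit block
# x||y is a valid RSA input. Not a real parameter set.
RSA_P, RSA_Q, RSA_E = 2 ** 31 - 1, 2 ** 61 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), modelled as a domain-separated SHA-256."""
    return hashlib.sha256(b"G" + r).digest()[: N_BYTES - K0_BYTES]


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H" + x).digest()[:K0_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_encode(m: bytes, r: bytes) -> bytes:
    """The standard transform: x = (m || 0^k1) xor G(r), y = r xor H(x)."""
    assert len(m) == M_BYTES and len(r) == K0_BYTES
    x = xor(m + bytes(K1_BYTES), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_decode(block: bytes):
    """Invert the transform, then check the k1 redundancy bits; None means ⊥."""
    x, y = block[: N_BYTES - K0_BYTES], block[N_BYTES - K0_BYTES :]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, z = padded[:M_BYTES], padded[M_BYTES:]
    return m if z == bytes(K1_BYTES) else None


def encrypt(m: bytes, rng: random.Random) -> int:
    """E(m, r): fresh r, then c = f(x || y)."""
    r = rng.getrandbits(K0_BITS).to_bytes(K0_BYTES, "big")
    return pow(int.from_bytes(oaep_encode(m, r), "big"), RSA_E, RSA_N)


def decrypt(c: int):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy; ⊥ (None) on failure."""
    if not 0 <= c < RSA_N:
        return None
    v = pow(c, RSA_D, RSA_N)
    if v >= 1 << N_BITS:
        return None                     # preimage is not an n-bit block
    return oaep_decode(v.to_bytes(N_BYTES, "big"))


def demo(m: bytes, seed: int = 1):
    """Round trip plus two tampered ciphertexts; returns the three D outputs."""
    rng = random.Random(seed)
    c = encrypt(m, rng)
    return decrypt(c), decrypt((c + 1) % RSA_N), decrypt(c ^ 1)


def is_randomized(m: bytes) -> bool:
    """Two encryptions of the same message differ (unlike plain RSA)."""
    return encrypt(m, random.Random(1)) != encrypt(m, random.Random(2))


if __name__ == "__main__":
    print(demo(b"abc"))          # (b'abc', None, None)
```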


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^ind-cca_RSA-OAEP(A) ≤ 2 · sqrt( Adv^rsa_{n,e}(B) )

where B runs in time t′ = 2 · t + qH(2 · qG + qH) · k^2 if A runs in time t and makes qH, qG queries to oracles H and G respectively, k is the modulus size and e small.

Solving (inverting) f can be done in time t′ ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no
2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no
4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77



Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (xor between random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: Consider block cipher E as a family of perfectly random and independent permutations.

60/77


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:
at most 2^75 operations (t),
at most 2^55 hash (qH, qG) and ideal cipher queries (qE).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok
2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok
4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
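The three "t′ versus NFS" tables above (RSA-FDH on slide 50, RSA-OAEP on slide 59, RSA-OAEP++ here) all follow one recipe: plug the assumed adversary resources into the reduction's time loss and ask whether the derived RSA inverter would beat the best known algorithm. The Python evaluator below is an added example, not code from the slides; function names are mine, the resource bounds (t = 2^75, qh = qH = qE = 2^55, qs = 2^30), Tf = k^3 for FDH and the closed forms for the OAEP and OAEP++ bounds are taken as the slides state them.

```python
import math

# Adversary resource bounds assumed on the slides.
T = 2 ** 75          # running time of the scheme attacker A
QH = 2 ** 55         # hash (random oracle) queries
QS = 2 ** 30         # signing queries (FDH)
QE = 2 ** 55         # ideal-cipher queries (OAEP++)

# Best known cost of inverting RSA (NFS) as quoted on the slides, as log2.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_br96_time(k):
    """Slide 49/50 bound for RSA-FDH: t' <= (qh + qs + 1) * (t + (qh + qs) * Tf),
    with Tf = k^3 (cost of one forward RSA evaluation on a k-bit modulus)."""
    tf = k ** 3
    return (QH + QS + 1) * (T + (QH + QS) * tf)


def oaep_fops00_time(k):
    """Closed form quoted on slide 59 for RSA-OAEP [Fujisaki-OPS 00]:
    t' <= 2^76 + 6 * 2^110 * k^2 (the square-root loss is already folded in)."""
    return 2 ** 76 + 6 * 2 ** 110 * k ** 2


def oaep_pp_time(k):
    """Slide 61 bound for OAEP++ [Jonsson 02]: t' <= t + qE * k^2, essentially tight."""
    return T + QE * k ** 2


REDUCTIONS = {
    "RSA-FDH (BR96)": fdh_br96_time,
    "RSA-OAEP (FOPS00)": oaep_fops00_time,
    "RSA-OAEP++ (Jonsson02)": oaep_pp_time,
}


def is_meaningful(k, t_prime):
    """The reduction says something only if the derived inverter would beat the
    best known algorithm: t' must not exceed the NFS cost for a k-bit modulus."""
    return math.log2(t_prime) <= NFS_LOG2[k]


def evaluate(name, k):
    """Return (log2 of t', secure?) for one scheme and modulus size."""
    t_prime = REDUCTIONS[name](k)
    return math.log2(t_prime), is_meaningful(k, t_prime)


def minimum_key_size(name):
    """Smallest modulus in the slides' table for which the bound is meaningful,
    or None when no listed size qualifies."""
    for k in sorted(NFS_LOG2):
        if evaluate(name, k)[1]:
            return k
    return None


if __name__ == "__main__":
    for name in REDUCTIONS:
        for k in sorted(NFS_LOG2):
            exp, ok = evaluate(name, k)
            print(f"{name:24s} {k} bits: t' <= 2^{exp:7.2f}, "
                  f"NFS 2^{NFS_LOG2[k]}: {'ok' if ok else 'no'}")
        print(f"  -> smallest key size with a meaningful bound: {minimum_key_size(name)}")
```

The printed exponents reproduce the slides' tables up to rounding (e.g. 2^140, 2^143 and 2^146 for FDH; 2^133, 2^135 and 2^137 for OAEP; 2^76, 2^78 and 2^80 for OAEP++).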


Revisiting the Assumptions

Classical Assumptions:
Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
Error-Correcting Codes
Hash-based schemes
Systems of Multi-Variate Equations
Lattices

62/77

Part V

Concluding Remarks

63/77


Limits and Benefits of Provable Security

Provable security does not yield proofs:
Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
Definitions (models) need time for review and acceptance.
Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77


Limits and Benefits of Provable Security

Still, provable security:
provides some form of guarantee that the scheme is not flawed,
motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,
gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),
is fun :-)

65/77


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
Contemporary Cryptology: Provable Security for Public Key Schemes, David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
On the Role of Definitions in and Beyond Cryptography, Phillip Rogaway. Manuscript, available from his web page.
Practice-Oriented Provable-Security, Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

                                                                                    S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                    7777


Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Examples

Problem: Authentication and non-repudiation (i.e. signatures)

How do we come up with a security notion? We need to think about and define:

1. Security goal of the scheme (= the opposite of the adversary's goal)

   The property that needs to be guaranteed

2. Attack model

   Attack venues: what the adversary can and cannot do.
   Leaked information: what the adversary can learn from honest users (often modeled by oracles).

Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

The adversary does a good job (or the scheme is insecure) if,

given the verification key kv,

it outputs a pair (m′, σ′) of a message and its signature

such that the following probability is large:

$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$

Possible Attack Models

No-Message Attack (NKA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary can also access a list of message/signature pairs.

Chosen-Message Attack (CMA): the adversary can choose the messages for which he gets to see the message/signature pairs. Strongest attack.

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

    (kv, ks) ←$ K(·)

    kv ↓                                   ks ↓

    Adversary    ---- m ---->    Signing Oracle
                 <--- σ -----    σ ← Sign(ks, m)
                    · · ·        (repeated)

    ↓ (m′, σ′)

$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m'\,]$

(Existential unforgeability under chosen-message attacks)

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).

The same query asked twice receives the same answer twice.

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f⁻¹) where

   Public key: f: X → X, a trapdoor one-way permutation onto X. Private key: f⁻¹.

S: Signature of m returns σ ← f⁻¹(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;

Tf is the time to compute f (in the forward direction);

B runs in time t′ = t + (qh + qs) · Tf.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ):

   Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

   "A outputs a pair (m, σ) for which Vf returns true"

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):

   Create an initially empty list called H-List.
   If (q, r) ∈ H-List, return r.
   Otherwise reply using Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):

   r ← H(m). Reply using Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ):

   r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

   c ←$ {1, ..., qH + qS + 1}

   Let c′ = the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

   If c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query his output message m′.

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3):

   If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since y is chosen uniformly at random, Pr[S3] = Pr[S2].


                                                                                      Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Signatures & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (whose answers may later be needed to answer signing queries).

Rule H(4):

If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.

Otherwise choose $s \xleftarrow{\$} X$ uniformly at random and compute $r \leftarrow f(s)$.

Add the record $(q, s, r)$ to the H-List.

Since $y$ is uniformly random, $f$ is a permutation and $s$ is uniform, $r = f(s)$ is uniform as well, so the hash answers have the same distribution as in $G_3$ and $\Pr[S_4] = \Pr[S_3]$.

45/77


Exact Security: FDH Signatures & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, the preimage $s$ of every hash value $r = f(s)$ is known, so we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Look up $(m, s, r)$ in the H-List and set $\sigma \leftarrow s$.

Since the $c$-th hash query is the forgery message (this is what the guess in $G_2$ ensures) and the forgery message may never be asked to the signing oracle, rule S(5) always finds $s \neq \bot$, hence $\Pr[S_5] = \Pr[S_4]$. Moreover:

the whole simulation costs only $q_S + q_H$ evaluations of $f$ (in the forward direction);

a valid forgery $\sigma$ on the $c$-th query satisfies $f(\sigma) = H(m) = y$, i.e. it is a preimage of $y$;

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$,

where $B$ (the algorithm that runs $G_5$ and outputs $\sigma$) runs in time $t + (q_S + q_H) \cdot T_f$.

46/77


Exact Security: FDH Signatures & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \;\ge\; \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1] \;\ge\; \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0] \;=\; \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, consecutive games may have different output distributions; the resulting gaps are bounded and carried into the concrete security relation. See [Bellare-Rogaway 2004].

47/77
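The reduction $B$ of Games $G_3$ to $G_5$, written out as an added example (this code is not part of the lecture notes). It uses a deliberately tiny RSA modulus as the permutation $f$ and SHA-256 reduced mod $n$ as a stand-in for the full-domain hash, both constructed here for illustration. The forger `cheating_forger` is a stand-in for $A$: it is handed the trapdoor $d$ so that the reduction can be exercised end to end, while `FDHReduction` itself never uses $d$. Trying every index $c$ instead of guessing it makes the counting behind the factor $1/(q_H + q_S + 1)$ visible: exactly one guess turns the forgery into a preimage of $y$.

```python
"""Toy simulation of the FDH reduction B (Games G3-G5) against a small RSA permutation.

Constructed example: the 92-bit key is far too small for real use, and the hash is
SHA-256 reduced mod n; both stand in for the objects of the proof.
"""
import hashlib
import secrets
from typing import Callable, Optional, Tuple

# Toy RSA permutation f(x) = x^e mod n, n = p*q (two Mersenne primes).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # trapdoor (Python 3.8+); known to the signer, NOT to B

HashOracle = Callable[[bytes], int]
SignOracle = Callable[[bytes], int]


def f(x: int) -> int:
    """Forward direction of the trapdoor permutation (cost T_f)."""
    return pow(x, E, N)


def full_domain_hash(m: bytes) -> int:
    """The real random oracle H: {0,1}* -> Z_n, used only by the genuine scheme, never by B."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


class WrongGuess(Exception):
    """A asked a signature on the c-th hash query, so the guess of Game G2 was wrong."""


class FDHReduction:
    """B: given y, runs a forger A against a simulated FDH signer and tries to output f^-1(y)."""

    def __init__(self, y: int, c: int):
        self.y = y            # challenge: find x with f(x) = y
        self.c = c            # guessed index of the hash query A will forge on (Game G2)
        self.count = 0        # number of distinct hash queries so far
        self.hlist = {}       # H-List: q -> (s, r); r = H(q), s = f^-1(r) or None for the c-th query
        self.signed = set()

    def hash_oracle(self, q: bytes) -> int:
        if q in self.hlist:                        # repeated query: answer consistently
            return self.hlist[q][1]
        self.count += 1
        if self.count == self.c:
            s, r = None, self.y                    # Rule H(4): embed the challenge, preimage unknown
        else:
            s = secrets.randbelow(N - 1) + 1       # Rule H(4): s uniform in Z_n ...
            r = f(s)                               # ... so r = f(s) is uniform (f is a permutation)
        self.hlist[q] = (s, r)
        return r

    def sign_oracle(self, m: bytes) -> int:
        self.hash_oracle(m)                        # make sure m has an H-List record
        s, _ = self.hlist[m]
        if s is None:
            raise WrongGuess                       # the forgery target may not be asked to the signer
        self.signed.add(m)
        return s                                   # Rule S(5): sigma = s, no f^-1 needed

    def run(self, forger: Callable[[HashOracle, SignOracle], Tuple[bytes, int]]) -> Optional[int]:
        try:
            m_star, sigma = forger(self.hash_oracle, self.sign_oracle)
        except WrongGuess:
            return None
        # Verify like the EUF-CMA experiment; hashing m* here is the implicit (q_H+q_S+1)-th query.
        if m_star in self.signed or f(sigma) != self.hash_oracle(m_star):
            return None
        if self.hlist[m_star][1] != self.y:
            return None                            # valid forgery, but not on the programmed query
        return sigma                               # f(sigma) = H(m*) = y: sigma is a preimage of y


def cheating_forger(hash_oracle: HashOracle, sign_oracle: SignOracle) -> Tuple[bytes, int]:
    """Stand-in for A.  It forges only because this test hands it the trapdoor D."""
    msgs = [b"transfer 10", b"transfer 20", b"transfer 1000000"]
    for m in msgs:
        hash_oracle(m)                             # q_H = 3 hash queries
    sign_oracle(msgs[0])                           # q_S = 2 signing queries
    sign_oracle(msgs[1])
    return msgs[2], pow(hash_oracle(msgs[2]), D, N)  # forgery on the unsigned message


def invert_with_forger(y: int, forger, q_h: int, q_s: int) -> Optional[int]:
    """Game G2's guess made exhaustive: try every c in 1..q_H+q_S+1.
    The real B picks c at random, which is where the factor 1/(q_H+q_S+1) comes from."""
    for c in range(1, q_h + q_s + 2):
        x = FDHReduction(y, c).run(forger)
        if x is not None and f(x) == y:
            return x
    return None


if __name__ == "__main__":
    x = secrets.randbelow(N - 1) + 1
    print("preimage recovered:", invert_with_forger(f(x), cheating_forger, q_h=3, q_s=2) == x)
```

Note that `sign_oracle` answers every query with a signature that verifies under the real verification equation $f(\sigma) = H(m)$, yet it never computes $f^{-1}$; that is the whole content of rules H(4) and S(5).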


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme built from a trapdoor one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (random oracle) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the resources of any feasible adversary are bounded by:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B), \qquad B \text{ runs in time } t' = t + (q_h + q_s) \cdot T_f$$

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$: the advantage of $B$ is smaller by the factor $q_h + q_s + 1$, so running $B$ that many times (to bring its success probability back up to that of $A$) inverts $f$ within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110} \cdot T_f.$$

Here $T_f$ is taken as $k^3$ operations, $k = |n|$, with $e$ small (a conservative estimate: with small $e$ a forward RSA evaluation is a few modular multiplications, i.e. about $k^2$ bit operations, which is the figure used on the later slides; with $k^2$ the numbers below drop by a factor $k$ and the conclusion does not change).

We compare it with the best known bound for inverting $f = $ RSA, namely factoring $n$ with the Number Field Sieve (NFS):

1024 bits: $t' \le 2^{140}$, but NFS takes only $2^{80}$, so the reduction guarantees nothing;

2048 bits: $t' \le 2^{143}$, but NFS takes only $2^{111}$, again nothing;

4096 bits: $t' \le 2^{146}$, and NFS takes $2^{149}$: ok.

$\Rightarrow$ With this reduction, RSA-FDH is provably secure only for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better (tighter) reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

(here $e \approx 2.718$ is Euler's number, not the RSA exponent), where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$ hash and $q_s$ signing queries. The loss factor no longer depends on $q_h$. With the same feasibility bounds as before, and amplifying $B$ by the factor $q_s \cdot e \approx 2^{30}$, inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$ (with $T_f \approx k^2$), and:

1024 bits: $t' \le 2^{105}$, but NFS takes only $2^{80}$: nothing;

2048 bits: $t' \le 2^{107}$, and NFS takes $2^{111}$: ok;

4096 bits: $t' \le 2^{109}$, and NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-FDH is provably secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext. In the public-key setting an unbounded adversary can simply encrypt every candidate plaintext under the public key and compare.

Goal: indistinguishability (semantic security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell which of two distinct messages of the same length was encrypted, even if he chose the two messages himself.

52/77


Attack model:

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this comes for free, since he holds the encryption key).

Chosen-Ciphertext Attack (CCA, or CCA2 for the adaptive variant): the adversary additionally has access to a decryption oracle, which (adaptively, i.e. also after the challenge has been seen) decrypts any ciphertext of his choice except one specific ciphertext, the challenge.

This is the strongest standard attack model.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between Challenger and Adversary is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the Adversary.

2. Adversary (CCA1 phase, before the challenge): may query any $c$ to the decryption oracle and receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\bot$ if $c$ is invalid.

3. Adversary: chooses two messages $m_0, m_1$ of the same length and sends them to the Challenger.

4. Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$; sends $c^*$.

5. Adversary (CCA2 phase, after the challenge): may query any $c \ne c^*$ to the decryption oracle and receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\bot$.

6. Adversary: outputs a guess $b'$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\big[\, (m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\; c^* \leftarrow \mathcal{E}_{k_e}(m_b) \;:\; b' = b \,\big]$$

(Indistinguishability against chosen-ciphertext attacks. The quantity above is the success probability; it is often normalised as $2 \Pr[b' = b] - 1$ so that a random guess has advantage $0$.)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$ (and the public key $k_e$), adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is one-way under chosen-plaintext attack if no feasible adversary $A$ wins the above game with non-negligible probability.

Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[\, m \xleftarrow{\$} \mathcal{M},\; c \leftarrow \mathcal{E}_{k_e}(m) \;:\; A(k_e, c) = m \,\big]$$

55/77


Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA $\Leftrightarrow$ the RSA problem (computing modular $e$-th roots). It is neither IND-CPA nor IND-CCA, since it is deterministic: the adversary encrypts $m_0$ himself and compares the result with $c^*$.

Discrete-log based: ElGamal [ElGamal 85]

OW-CPA $\Leftrightarrow$ CDH (Computational Diffie-Hellman); IND-CPA $\Leftrightarrow$ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of its multiplicativity (malleability): multiplying the second component of $c^*$ by a known group element $z$ gives a ciphertext $c \ne c^*$ that the decryption oracle will happily decrypt to $m_b \cdot z$.

Observation: CDH and DDH are weaker (easier) problems than DLog, since DDH reduces to CDH, which reduces to DLog; assuming them hard is therefore a stronger assumption than assuming DLog hard.

56/77
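The ElGamal malleability attack described above, as an added example that is not part of the lecture notes. It plays the IND-CCA2 game of the previous slides against a toy ElGamal instance over a constructed safe-prime group ($p = 1019 = 2 \cdot 509 + 1$, $g = 4$ generating the subgroup of order 509); the adversary mauls the challenge into a different ciphertext, asks the decryption oracle for it, and wins every time. The group size and the decryption-oracle interface are assumptions made for this illustration; the deterministic-RSA case from the same slide is even simpler (encrypt $m_0$ and compare) and is not repeated here.

```python
"""Added example: ElGamal over a toy safe-prime group, with an IND-CCA2 adversary that wins
with probability 1 using only the multiplicativity of the ciphertexts.

Constructed parameters: p = 1019 = 2*509 + 1 is a safe prime; g = 4 generates the order-509
subgroup of squares.  Real deployments use groups of at least 2048 bits.
"""
import secrets

P = 1019
Q = (P - 1) // 2          # 509, the order of the subgroup of squares
G = 4


def keygen():
    """Secret key x in [1, q-1], public key h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def encrypt(h: int, m: int):
    """Randomised: (g^r, m * h^r).  m must be a subgroup element (a square mod p)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(x: int, c):
    c1, c2 = c
    shared = pow(c1, x, P)
    return (c2 * pow(shared, P - 2, P)) % P        # c2 / c1^x, inverse via Fermat


def ind_cca2_game(adversary) -> bool:
    """One run of the IND-CCA2 experiment from the slide.  Returns True iff b' = b."""
    h, x = keygen()
    forbidden = []

    def decryption_oracle(c):
        if forbidden and tuple(c) == forbidden[0]:
            return None                             # the only refused query: the challenge itself
        return decrypt(x, c)

    m0, m1 = adversary.choose(h, decryption_oracle)       # CCA1 phase: oracle available
    b = secrets.randbelow(2)
    c_star = encrypt(h, (m0, m1)[b])
    forbidden.append(tuple(c_star))
    b_prime = adversary.guess(c_star, decryption_oracle)  # CCA2 phase: oracle still available
    return b_prime == b


class MalleabilityAdversary:
    """Breaks IND-CCA2 for ElGamal: (c1, c2 * z) != c* is a fresh ciphertext of m_b * z."""

    def choose(self, h, decryption_oracle):
        self.m0, self.m1 = pow(G, 7, P), pow(G, 11, P)   # two distinct subgroup elements
        return self.m0, self.m1

    def guess(self, c_star, decryption_oracle) -> int:
        c1, c2 = c_star
        z = pow(G, 3, P)                                  # any known subgroup element != 1
        mauled = (c1, (c2 * z) % P)                        # decrypts to m_b * z and differs from c*
        m_b = (decryption_oracle(mauled) * pow(z, P - 2, P)) % P
        return 0 if m_b == self.m0 else 1


def cca2_success_rate(trials: int = 100) -> float:
    """Fraction of games won; 1.0 means advantage 1 in the normalised sense."""
    adv = MalleabilityAdversary()
    return sum(ind_cca2_game(adv) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("IND-CCA2 success rate of the malleability adversary:", cca2_success_rate())
```

The oracle in `ind_cca2_game` does exactly what the definition allows: it refuses only the bit-for-bit challenge. That is why a scheme needs non-malleability, and not merely a blacklist of $c^*$, to be IND-CCA2.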


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function yields a OW-CPA encryption scheme (encrypt with $f$, decrypt with the trapdoor).

OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So how do we obtain IND-CCA?

Through a generic conversion from weakly secure to strongly secure schemes.

57/77


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation on $\{0,1\}^n$ and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with random oracles

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$

$H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$, for $m \in \{0,1\}^{n - k_0 - k_1}$ and random $r \in \{0,1\}^{k_0}$: compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$ (the OAEP transform), then return $c = f(x \,\|\, y)$.

$\mathcal{D}(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert the OAEP transform ($r = y \oplus H(x)$, $m \,\|\, z = x \oplus G(r)$), then check the redundancy: return $m$ if $z = 0^{k_1}$, and reject ($\bot$) otherwise.

58/77
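The $f$-OAEP encryption and decryption of the slide, carried out in code as an added example (not code from the lecture notes). It instantiates $f$ with a constructed 92-bit RSA key and the random oracles $G$ and $H$ with truncated, domain-separated SHA-256; the parameters $n = 88$, $k_0 = k_1 = 32$ bits are chosen so that $x \,\|\, y$ is always a valid RSA input, and all of these choices are assumptions for the illustration. The last check shows the redundancy doing its job: a multiplicatively mauled ciphertext of the kind that breaks ElGamal and raw RSA is rejected instead of being decrypted to a related plaintext.

```python
"""Added example: f-OAEP [Bellare-Rogaway 1994] with a toy RSA permutation f and
SHA-256-derived G and H.  Parameters: n = 88 bits, k0 = k1 = 32 bits, so m has 24 bits.

Constructed toy key, far too small for real use; the hashes stand in for random oracles.
"""
import hashlib
import secrets
from typing import Optional

# Toy RSA trapdoor permutation on Z_N, N = p*q of 92 bits.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # trapdoor (Python 3.8+)

N_BYTES, K0, K1 = 11, 4, 4               # n = 88 bits > k0 + k1 = 64 bits
M_BYTES = N_BYTES - K0 - K1              # 3-byte messages


def f(x: int) -> int:
    return pow(x, E, N)


def f_inv(y: int) -> int:
    return pow(y, D, N)


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), random-oracle stand-in built from SHA-256."""
    assert len(r) == K0
    return hashlib.sha256(b"G" + r).digest()[: N_BYTES - K0]


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    assert len(x) == N_BYTES - K0
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """E(m, r): c = f(x || y) with x = (m || 0^k1) xor G(r), y = r xor H(x)."""
    assert len(m) == M_BYTES
    if r is None:
        r = secrets.token_bytes(K0)                   # fresh randomness for every encryption
    x = xor(m + bytes(K1), G(r))                      # x = (m || 0^k1) xor G(r)
    y = xor(r, H(x))                                  # y = r xor H(x)
    return f(int.from_bytes(x + y, "big"))            # 88-bit x || y is always below N


def oaep_decrypt(c: int) -> Optional[bytes]:
    """D(c): invert f, undo the transform, and reject unless the k1 redundancy bits are zero."""
    v = f_inv(c)
    if v.bit_length() > 8 * N_BYTES:
        return None                                   # not an n-bit string: reject
    xy = v.to_bytes(N_BYTES, "big")
    x, y = xy[: N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))                                  # recover the randomness
    mz = xor(x, G(r))                                 # m || z
    m, z = mz[:M_BYTES], mz[M_BYTES:]
    if z != bytes(K1):
        return None                                   # redundancy check failed: say nothing else
    return m


if __name__ == "__main__":
    c = oaep_encrypt(b"abc")
    print("roundtrip:", oaep_decrypt(c))
    print("mauled ciphertext c * f(3):", oaep_decrypt((c * f(3)) % N))
```

A real implementation returns the same error, in the same time, for the length check and for the redundancy check; leaking which one failed is exactly the kind of decryption-oracle information that chosen-ciphertext attacks on padding schemes exploit.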


RSA-OAEP

A (good) reduction from a variant of one-wayness (called partial-domain one-wayness, which for RSA is equivalent to ordinary one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H, q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

With the feasibility bounds used before ($t \le 2^{75}$, $q_H, q_G \le 2^{55}$), inverting $f$ can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and:

1024 bits: $t' \le 2^{133}$, but NFS takes only $2^{80}$: no;

2048 bits: $t' \le 2^{135}$, but NFS takes only $2^{111}$: no;

4096 bits: $t' \le 2^{137}$, and NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-OAEP is provably secure only for keys of at least 4096 bits; the reduction is not tight (note the square root and the $q_H \cdot q_G$ term).

59/77


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model:

Model the block cipher $E$ as a family of perfectly random and independent permutations, one for each key, to which the adversary has oracle access in both directions.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
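The two key-size tables above (RSA-OAEP and RSA-OAEP++), recomputed as an added example that is not code from the slides: it plugs the deck's own adversary budget (t = 2^75, 2^55 oracle queries) and the NFS costs the deck quotes into the two inverter-time formulas and reports where each reduction is non-vacuous. Function names and the exact (unrounded) evaluation of t' are this example's own; the deck's "6·2^110" step is an upper bound, so the exact exponents land slightly below the slides' rounded ones with the same verdicts.

```python
"""Exact-security accounting for the RSA-OAEP and RSA-OAEP++ reductions.

Added example, not from the original slides.  All inputs are the deck's
parameters; the helper names are hypothetical.
"""
import math

# Adversary resource budget assumed on the slides.
T_ADV = 2 ** 75          # running time t of the IND-CCA adversary A
Q_HASH = 2 ** 55         # queries to each random oracle (q_H, q_G)
Q_CIPHER = 2 ** 55       # ideal-cipher queries q_E (OAEP++ only)

# Cost of factoring a k-bit modulus with the Number Field Sieve, as quoted
# on the slides (log2 of operations).  Deck values, not recomputed here.
NFS_LOG2_COST = {1024: 80, 2048: 111, 4096: 149}


def oaep_inverter_time(t: int, q_h: int, q_g: int, k: int) -> int:
    """Running time t' of the RSA inverter B built from an RSA-OAEP attacker
    [Fujisaki-OPS 00]:  t' = 2*t + q_H*(2*q_G + q_H)*k^2."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k


def oaeppp_inverter_time(t: int, q_e: int, k: int) -> int:
    """Running time t' of the RSA inverter built from an RSA-OAEP++ attacker
    [Jonsson 02]:  t' = t + q_E*k^2, essentially linear in t."""
    return t + q_e * k * k


def reduction_is_meaningful(t_prime: int, k: int) -> bool:
    """A reduction says something only if the inverter it yields is cheaper
    than the best known attack (NFS) on a k-bit modulus.  Otherwise the bound
    is vacuous: NFS already inverts RSA faster than the reduction would."""
    return t_prime < 2 ** NFS_LOG2_COST[k]


def key_size_table(scheme: str) -> dict:
    """Return {k: (ceil(log2 t'), meaningful?)} for the deck's key sizes."""
    table = {}
    for k in sorted(NFS_LOG2_COST):
        if scheme == "OAEP":
            tp = oaep_inverter_time(T_ADV, Q_HASH, Q_HASH, k)
        elif scheme == "OAEP++":
            tp = oaeppp_inverter_time(T_ADV, Q_CIPHER, k)
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        table[k] = (math.ceil(math.log2(tp)), reduction_is_meaningful(tp, k))
    return table


def smallest_secure_modulus(scheme: str):
    """Smallest listed key size for which the reduction beats NFS, or None."""
    for k, (_, ok) in key_size_table(scheme).items():
        if ok:
            return k
    return None


if __name__ == "__main__":
    for scheme in ("OAEP", "OAEP++"):
        print(scheme)
        for k, (log_tp, ok) in key_size_table(scheme).items():
            verdict = "ok" if ok else "no"
            print(f"  {k} bits: t' <= 2^{log_tp}, NFS 2^{NFS_LOG2_COST[k]}: {verdict}")
        print("  smallest secure modulus:", smallest_secure_modulus(scheme))
```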

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11]

Definitions (models) need time for review and acceptance

Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security)

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!)

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM conference on Computer and communications security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd annual ACM symposium on Theory of computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77


Signature Schemes (Authentication)

Goal: Existential Forgery

The adversary wins if it forges a valid message-signature pair without the private key.

Adversary does a good job (or the scheme is insecure) if,

given the verification key $k_v$,

it outputs a pair $(m', \sigma')$ of message and its signature

such that the following probability is large:

$$\Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1\,]$$

33/77

Possible Attack Models

No-Message Attack (NKA): adversary only knows the verification key

Known-Message Attack (KMA): adversary also can access a list of message/signature pairs

Chosen-Message Attack (CMA): adversary can choose the messages for which he can see the message/signature pairs. Strongest attack.

34/77

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given signature scheme $\Sigma = (\mathrm{K}, \mathrm{Sign}, \mathrm{Vf})$:

$(k_v, k_s) \xleftarrow{\$} \mathrm{K}(\cdot)$

$k_v$ is given to the Adversary; $k_s$ is given to the Signing Oracle.

Adversary → m → Signing Oracle, Signing Oracle → σ → Adversary, ··· (repeated adaptively), where the Signing Oracle computes $\sigma \leftarrow \mathrm{Sign}(k_s, m)$

Finally the Adversary outputs $(m', \sigma')$.

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\Sigma}(A) = \Pr[\,\mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for new } m'\,]$$

(Existential unforgeability under chosen-message attacks)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. Hash function $H: \{0,1\}^* \to \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a random answer in $\mathrm{Rec}(H)$

The same query asked twice receives the same answer twice

But for the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]

37/77


                                                                                        Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH = (K, S, V) is as follows, where $H : \{0,1\}^* \to X$ hashes onto the full domain of $f$ (hence the name):

K: Key generation returns $(f, f^{-1})$ where
  Public key: $f : X \to X$, a trapdoor one-way permutation on $X$
  Private key: $f^{-1}$

S: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$

V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries
- $T_f$ is the time to compute $f$ (in the forward direction)
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games (or experiments) $G_0, G_1, \dots, G_5$
2. All games are defined over the same probability space
3. Only the rules by which the adversary's view is computed differ from game to game
4. Successive games are very similar, typically with slightly different probability distributions
5. $G_0$ is the actual security game (EUF-CMA)
6. $G_5$ is the game for the underlying assumption (OW)
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$:

Verification oracle $V_f(m, \sigma)$: return true if $H(m) = f(\sigma)$ (and $m$ was never submitted to the signing oracle). The game ends when the adversary sends its output $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Keep an initially empty list called H-List.
  If $(q, r) \in$ H-List, return $r$.
  Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$; reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$:
  $r \leftarrow H(m)$; return true if $r = f(\sigma)$.

The game ends when the verification oracle is called. Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$ (lazily sampling a random oracle is perfectly indistinguishable from a truly random function).


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

- $c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$
- Let $c'$ = index of the first query in which the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle (by $A$ directly, by the signing oracle, or by $V_f$)
- If $c \ne c'$ then abort

Success verification is within the game $\Rightarrow$ the hashing oracle is always queried on the output message $m$ (at the latest by $V_f$, which is why the bound has the $+1$), so $c'$ is well defined and lies in $\{1, \dots, q_H + q_S + 1\}$.

Let GoodGuess be the event $c = c'$. Then

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

(in fact with equality, since $c$ is drawn independently of everything else in the game)


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge of which we want to extract a preimage $x$ under $f$ (i.e. $f(x) = y$).

Rule H(3): if this is the $c$-th query, set $r \leftarrow y$; otherwise choose $r \xleftarrow{\$} X$ at random. Add the record $(q, \bot, r)$ to H-List.

Since $y$ is uniformly distributed in $X$ (and the position $c$ was itself chosen at random), the planted answer has the same distribution as a fresh random one, so $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose $s \xleftarrow{\$} X$ at random and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random (so $r = f(s)$ is again uniform in $X$), $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The message of the $c$-th hash query is (when the guess is good) the forgery message $m'$, which an EUF-CMA adversary may not submit to the signing oracle; so the lookup never hits $s = \bot$ in a run that counts as a success, and $\Pr[S_5] = \Pr[S_4]$. Moreover:

- the simulation can be done computing $(q_S + q_H)$ evaluations of $f$
- a signature forgery for $y$ gives a preimage of $y$: $f(\sigma) = H(m') = y$
- $\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B$ = $G_5$ runs in time $t + (q_S + q_H) T_f$


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] = \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general successive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
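The inverter $B$ of games $G_3$ to $G_5$ can be exercised as code. The following is an added example, not part of the original slides and not code from Bellare-Rogaway or Pointcheval: textbook RSA with a constructed toy key stands in for the trapdoor permutation $f$, and a lazily sampled table stands in for the random oracle. Since no real forger is available to feed $B$, the adversary is a stand-in that cheats with the trapdoor $D$ (a real forger has no such thing); the class and function names, the query pattern and all parameters are this example's own assumptions.

```python
"""Added example: the FDH inverter B of games G_3..G_5 run against a stand-in forger.
Toy textbook RSA stands in for the trapdoor permutation f; all parameters are constructed."""
import random
from typing import Optional, Tuple

P, Q, E = 61, 53, 17                     # constructed toy RSA key, NOT secure
N = P * Q                                # X = Z_N (RSA is a permutation on all of Z_N)
D = pow(E, -1, (P - 1) * (Q - 1))        # trapdoor


def f(x: int) -> int:
    """Forward direction of f = RSA; each call costs T_f."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Trapdoor f^{-1}. B never calls this; only the cheating stand-in forger does."""
    return pow(y, D, N)


class ReductionB:
    """Inverter B: answers H and signing queries without f^{-1} (rules H(4), S(5))."""

    def __init__(self, y: int, q_max: int, rng: random.Random, c: Optional[int] = None):
        self.y = y                                   # OW challenge, preimage unknown to B
        self.c = c if c is not None else rng.randint(1, q_max)   # game G_2 guess
        self.rng = rng
        self.counter = 0                             # index of fresh H queries
        self.h_list = {}                             # m -> (s, r), r = f(s) or r = y
        self.signed = set()                          # messages given to the signing oracle
        self.aborted = False

    def H(self, m: str) -> int:
        if m in self.h_list:                         # same query, same answer
            return self.h_list[m][1]
        self.counter += 1
        if self.counter == self.c:                   # rule H(4): plant the challenge here
            s, r = None, self.y
        else:                                        # rule H(4): r = f(s), preimage known
            s = self.rng.randrange(1, N)
            r = f(s)
        self.h_list[m] = (s, r)
        return r

    def sign(self, m: str) -> Optional[int]:
        self.H(m)
        s, _ = self.h_list[m]
        if s is None:                                # would need f^{-1}(y): the guess was bad
            self.aborted = True
            return None
        self.signed.add(m)
        return s                                     # rule S(5): sigma = s

    def finish(self, m: str, sigma: Optional[int]) -> Optional[int]:
        """Verification oracle V_f; a valid forgery on the planted message inverts y."""
        if self.aborted or sigma is None:
            return None
        r = self.H(m)                                # may be the (q_H+q_S+1)-th fresh query
        if f(sigma) != r or m in self.signed:        # EUF-CMA: must be a fresh message
            return None
        s, _ = self.h_list[m]
        return sigma if s is None else None          # sigma = f^{-1}(y) exactly when r == y


def cheating_forger(B: ReductionB) -> Tuple[str, int]:
    """Stand-in for a successful EUF-CMA adversary A. It has no legitimate way to
    forge, so it uses the trapdoor D, which a real forger would NOT have.
    Query pattern: H(m1), H(m2), Sign(m1), then forge on m2 (so c' = 2)."""
    B.H("m1")
    B.H("m2")
    B.sign("m1")
    return "m2", f_inv(B.H("m2"))


def run_reduction(seed: int, c: Optional[int] = None) -> Tuple[Optional[int], int, int]:
    """Return (B's output, the true preimage x, the guess c used)."""
    rng = random.Random(seed)
    x = rng.randrange(1, N)
    y = f(x)                                         # B sees only y
    B = ReductionB(y, q_max=2 + 1 + 1, rng=rng, c=c) # q_H + q_S + 1 for this forger
    m, sigma = cheating_forger(B)
    return B.finish(m, sigma), x, B.c


def success_rate(trials: int = 400) -> float:
    """Fraction of runs in which B inverts y; about 1/(q_H+q_S+1) = 1/4 here."""
    wins = sum(run_reduction(seed)[0] is not None for seed in range(trials))
    return wins / trials


if __name__ == "__main__":
    out, x, _ = run_reduction(seed=7, c=2)
    print("guess c=2 (correct):", out == x)
    print("guess c=1 (forger asks Sign on the planted message):", run_reduction(7, c=1)[0])
    print("empirical success rate:", success_rate())
```

The forced guesses show the two ways $B$ loses: with $c = 1$ the stand-in asks a signature on the planted message and the simulation aborts (it would need $f^{-1}(y)$); with $c = 3$ or $4$ nothing is planted and the forgery, though valid, is on a hash value whose preimage $B$ already knew. Only $c = c' = 2$ turns the forgery into $x$, which is the $1/(q_H + q_S + 1)$ loss in the theorem.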


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$$

where

- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries
- $T_f$ is the time to compute $f$ (in the forward direction)
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible resources of any adversary are bounded by

- at most $2^{75}$ operations ($t$)
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$)

Recall $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result: if one can break the scheme in time $t$ (with constant advantage), then one can invert $f$ with constant advantage, by running $B$ about $q_h + q_s + 1$ times, within time

$$t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{55}\,(2^{75} + 2^{55} \cdot T_f) = 2^{130} + 2^{110} \cdot T_f$$

(up to the rounding $2^{55} + 2^{30} + 1 \approx 2^{55}$)


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small, so $T_f \approx 2^{30}, 2^{33}, 2^{36}$ for $k = 1024, 2048, 4096$.

We compare this with the known cost of inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for $f = $ RSA:

- 1024 bits $\to$ $t' \le 2^{140}$, but NFS takes only $2^{80}$: the reduction gives no guarantee
- 2048 bits $\to$ $t' \le 2^{143}$, but NFS takes only $2^{111}$: the reduction gives no guarantee
- 4096 bits $\to$ $t' \le 2^{146}$, and NFS takes $2^{149}$: ok, the inverter would beat NFS

$\Rightarrow$ by this reduction, RSA-FDH is provably secure (under the resource bounds above) only for keys of at least 4096 bits


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries (here $e \approx 2.718$ is the base of the natural logarithm, not the RSA exponent). The loss now depends on the number of signing queries rather than on the number of hash queries.

Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

- 1024 bits $\to$ $t' \le 2^{105}$, but NFS takes only $2^{80}$
- 2048 bits $\to$ $t' \le 2^{107}$, and NFS takes $2^{111}$: ok
- 4096 bits $\to$ $t' \le 2^{109}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits

(The entries above are rounded coarsely: the factor $e$ and the $2^{85} \cdot T_f$ term are not negligible at these parameters, so redo the arithmetic with the exact formula before relying on a particular key-size cutoff.)


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext. In the public-key setting the adversary holds the encryption key, so an unbounded adversary can encrypt every candidate plaintext and compare with the ciphertext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting, simply by using the public key himself)
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge)

The latter is the strongest attack.

                                                                                        5377

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game is played between a Challenger and an Adversary:

Challenger: b ←$ {0,1}; (ke, kd) ←$ K(·); sends ke to the adversary.

Adversary: receives ke; outputs two messages m0, m1.

Challenger: computes c* ← E_ke(m_b) and sends c* to the adversary.

Adversary: finally outputs a bit b′.

Decryption oracle (holds kd): on a query c it returns m ← D_kd(c), or ⊥ if c is invalid.
  CCA1: queries c are allowed only before the challenge c* is received.
  CCA2: queries are also allowed after the challenge, for any c ≠ c*.

Adv^{ind-cca}_{AS}(A) = Pr[ (m0, m1) ← A^D(ke), c* ← E_ke(m_b) : b′ = b ]

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^{ow-cpa}_{AS}(A) = Pr[ m ←$ M, c ← E_ke(m) : A(ke, c) = m ]

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA = RSA (modular e-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
  OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
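The IND game of slide 54 and the "not IND-CCA because of multiplicativity" remark about ElGamal can be made concrete with a small harness. The following is an added example, not code from the slides: a Challenger that plays the game (samples b and the key pair, encrypts m_b, and under CCA2 answers decryption queries on any ciphertext except the challenge c*), a textbook ElGamal over a toy group, and an adversary that uses the homomorphism. Plugging a candidate scheme into such a harness is how one checks that a scheme fails a notion; the group parameters, class names and function names here are my own choices.

```python
"""IND-CPA / IND-CCA2 game harness with a toy ElGamal scheme.

Added example, not code from the slides. The group parameters, the
Scheme and Challenger interfaces and all function names are my own.
"""
import secrets

# Constructed toy group: Z_P^* for a Mersenne prime P, fixed base G = 3.
# Enough to exercise the game; not a secure parameter choice.
P = (1 << 61) - 1
G = 3


class ElGamal:
    """Textbook ElGamal: randomized (so not trivially distinguishable the way
    a deterministic scheme is), but multiplicatively homomorphic."""

    @staticmethod
    def keygen():
        x = secrets.randbelow(P - 2) + 1          # secret exponent in [1, P-2]
        return pow(G, x, P), x                    # (ke = g^x, kd = x)

    @staticmethod
    def encrypt(ke, m):
        k = secrets.randbelow(P - 2) + 1
        return pow(G, k, P), (m * pow(ke, k, P)) % P

    @staticmethod
    def decrypt(kd, c):
        c1, c2 = c
        return (c2 * pow(pow(c1, kd, P), -1, P)) % P


class Challenger:
    """One run of the game on the slide: samples b and the key pair, hands out
    ke, encrypts m_b, and (under CCA2) answers decryption queries on any
    ciphertext other than the challenge c*."""

    def __init__(self, scheme, cca2):
        self.scheme, self.cca2 = scheme, cca2
        self.ke, self.kd = scheme.keygen()
        self.b = secrets.randbelow(2)
        self.challenge = None

    def decrypt(self, c):
        if not self.cca2:
            return None                            # CPA: no decryption oracle at all
        if c == self.challenge:
            return None                            # bottom: c* itself is never decrypted
        return self.scheme.decrypt(self.kd, c)

    def issue_challenge(self, m0, m1):
        self.challenge = self.scheme.encrypt(self.ke, (m0, m1)[self.b])
        return self.challenge


def malleability_adversary(chal):
    """The distinguisher behind "not IND-CCA because of multiplicativity":
    (c1, 2*c2) is a different ciphertext that decrypts to 2*m_b, so the CCA2
    oracle must answer it. Under CPA the oracle is silent and it can only guess."""
    m0, m1 = 2, 3
    c1, c2 = chal.issue_challenge(m0, m1)
    answer = chal.decrypt((c1, (2 * c2) % P))
    if answer is None:
        return secrets.randbelow(2)
    return 0 if answer == (2 * m0) % P else 1


def success_rate(cca2, trials=200):
    """Empirical Pr[b' = b], the quantity the slide's Adv^{ind-cca} measures."""
    wins = 0
    for _ in range(trials):
        chal = Challenger(ElGamal, cca2)
        wins += malleability_adversary(chal) == chal.b
    return wins / trials


if __name__ == "__main__":
    print("IND-CCA2 game, Pr[b'=b] =", success_rate(cca2=True))
    print("IND-CPA  game, Pr[b'=b] =", success_rate(cca2=False))
```

Under CCA2 the same adversary wins every run, while under CPA its success rate stays around 1/2: the scheme's IND-CPA security (DDH) is untouched, and the gap is exactly what the stronger notion captures. Note that the slide writes the advantage as Pr[b′ = b]; some texts normalize it to 2·Pr[b′ = b] − 1 so that guessing gives 0.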

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n−k0)

H: {0,1}^(n−k0) → {0,1}^k0

E(m, r): compute x = (m || 0^k1) ⊕ G(r) and y = r ⊕ H(x), then return c = f(x || y).

D(c): compute x || y = f^−1(c), invert OAEP (r = y ⊕ H(x), m || z = x ⊕ G(r)), then check the redundancy z = 0^k1.

58/77
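The padding transform and its inverse, including the redundancy check that makes the decryption oracle reject malformed ciphertexts, as an added example that is not code from the slides or from Bellare and Rogaway. It instantiates f with a toy RSA permutation built from two Mersenne primes (so it runs offline, but it is not a secure key), picks n = 128, k0 = k1 = 32, and stands in for the random oracles G and H with a SHA-256-based expander; all of these are my assumptions, as are the function names.

```python
"""Toy f-OAEP (Bellare-Rogaway 1994) over a small RSA permutation.

Added example, not code from the slides. Parameters n, k0, k1, the
hash-based instantiation of G and H, and the RSA key built from two
Mersenne primes are my assumptions; the key is only there so the example
runs offline and is not a secure choice.
"""
import hashlib
import secrets

N_BITS, K0, K1 = 128, 32, 32          # n > k0 + k1, as the slide requires
MSG_BITS = N_BITS - K0 - K1           # plaintext bits carried per block (64)

# Toy trapdoor permutation f(x) = x^E mod N, f^-1(y) = y^D mod N (constructed key)
P, Q = (1 << 61) - 1, (1 << 89) - 1   # Mersenne primes, so N ~ 2^150 > 2^n
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _expand(tag: bytes, data: bytes, out_bits: int) -> int:
    """Hash-based stand-in for the random oracles G and H (assumption)."""
    out = b""
    counter = 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(tag + counter.to_bytes(4, "big") + data).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def G(r: int) -> int:                 # {0,1}^k0 -> {0,1}^(n-k0)
    return _expand(b"G", r.to_bytes(K0 // 8, "big"), N_BITS - K0)


def H(x: int) -> int:                 # {0,1}^(n-k0) -> {0,1}^k0
    return _expand(b"H", x.to_bytes((N_BITS - K0) // 8, "big"), K0)


def oaep_pad(m: int, r: int) -> int:
    """OAEP transform (m || 0^k1, r) -> x || y, returned as an n-bit integer."""
    assert 0 <= m < (1 << MSG_BITS) and 0 <= r < (1 << K0)
    x = (m << K1) ^ G(r)              # n-k0 bits: (m || 0^k1) xor G(r)
    y = r ^ H(x)                      # k0 bits:   r xor H(x)
    return (x << K0) | y


def oaep_unpad(xy: int):
    """Invert the transform; return m, or None (the reject symbol) if the
    k1 redundancy bits are not all zero."""
    x, y = xy >> K0, xy & ((1 << K0) - 1)
    r = y ^ H(x)
    padded = x ^ G(r)
    m, z = padded >> K1, padded & ((1 << K1) - 1)
    return m if z == 0 else None


def encrypt(m: int, r=None) -> int:
    """E(m, r): pad with fresh randomness r, then apply f."""
    if r is None:
        r = secrets.randbits(K0)
    return pow(oaep_pad(m, r), E, N)


def decrypt(c: int):
    """D(c): invert f, invert OAEP, reject when the redundancy check fails."""
    xy = pow(c, D, N)
    if xy >= (1 << N_BITS):           # f^-1(c) outside {0,1}^n cannot be a valid padding
        return None
    return oaep_unpad(xy)


if __name__ == "__main__":
    m = 0xDEADBEEFCAFEF00D
    c = encrypt(m)
    print(hex(m), "->", decrypt(c) == m)          # True
    print("tampered ciphertext rejected:", decrypt(c ^ 1) is None)
```

Two things the slide's one-line description hides are visible here: encryption is randomized through r (the same m gives different c each time, which the deterministic RSA of slide 56 cannot do), and decryption has two ways to return ⊥, the range check on f^−1(c) and the k1-bit redundancy check, both of which the CCA2 reduction relies on.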

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · sqrt( Adv^{rsa}_{n,e}(B) )

where B runs in time t′ = 2·t + qH·(2·qG + qH)·k², if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size, and e is small.

Solving (inverting f) can then be done in time t′ ≤ 2^76 + 6·2^110·k², and

1024 bits → t′ ≤ 2^133, but NFS takes 2^80: no

2048 bits → t′ ≤ 2^135, but NFS takes 2^111: no

4096 bits → t′ ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits: the reduction is not tight.

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash queries (qH, qG) and ideal-cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + qE·k² ≤ 2^75 + 2^55·k², and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
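The key-size tables on slides 59 and 61 are the "exact security" step the concluding remarks ask for: turn the reduction's running time into a number and compare it with the best known attack. The following added example (not from the slides) does that bookkeeping for both reductions; the two concrete bounds and the NFS cost figures are the ones the slides quote, and the function names are mine. It reproduces the slides' verdicts and makes the rule explicit: a reduction only says something when the RSA inverter it builds would run faster than NFS for that modulus size.

```python
"""Exact-security bookkeeping for the two RSA-OAEP reductions on the slides.

Added example, not from the slides. The reduction bounds are the concrete
ones stated there (t' <= 2^76 + 6*2^110*k^2 for RSA-OAEP, t' <= 2^75 +
2^55*k^2 for RSA-OAEP++) and the NFS cost per modulus size is the figure
the slides quote; the function names are my own.
"""
import math

# log2 of the NFS factoring cost per modulus size, as quoted on the slides
NFS_COST_BITS = {1024: 80, 2048: 111, 4096: 149}


def oaep_reduction_time(k: int) -> int:
    """Time t' the RSA-OAEP reduction needs to invert RSA on a k-bit modulus,
    given an IND-CCA adversary with t = 2^75 and qH = qG = 2^55."""
    return 2**76 + 6 * 2**110 * k**2


def oaep_pp_reduction_time(k: int) -> int:
    """Same for OAEP++ (Jonsson): t' <= t + qE * k^2 with t = 2^75, qE = 2^55."""
    return 2**75 + 2**55 * k**2


def reduction_bits(t_prime: int) -> int:
    """Smallest integer b with t' <= 2^b (the rounding the slides use)."""
    return math.ceil(math.log2(t_prime))


def key_size_verdict(reduction, k: int) -> dict:
    """The reduction is meaningful only if the inverter it builds would beat
    the best known generic attack: t' must be below the NFS cost for k."""
    bits = reduction_bits(reduction(k))
    return {"k": k, "t_prime_bits": bits, "nfs_bits": NFS_COST_BITS[k],
            "useful": bits < NFS_COST_BITS[k]}


def minimum_useful_key_size(reduction):
    """Smallest tabulated modulus size for which the reduction gives a
    meaningful guarantee, or None if no tabulated size qualifies."""
    for k in sorted(NFS_COST_BITS):
        if key_size_verdict(reduction, k)["useful"]:
            return k
    return None


if __name__ == "__main__":
    for name, red in (("RSA-OAEP", oaep_reduction_time),
                      ("RSA-OAEP++", oaep_pp_reduction_time)):
        for k in sorted(NFS_COST_BITS):
            print(name, key_size_verdict(red, k))
        print(name, "minimum useful key size:", minimum_useful_key_size(red))
```

The same function can be fed a different attacker budget or an updated NFS estimate (the slides' figures date from the talk) to see how the verdict moves; the quadratic k² term is what makes the RSA-OAEP bound lose against NFS at 1024 and 2048 bits while OAEP++'s linear loss stays ahead.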

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin / Heidelberg / New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

                                                                                          Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Possible Attack Models

No-Message Attack (NMA): the adversary only knows the verification key.

Known-Message Attack (KMA): the adversary also gets a list of message/signature pairs, but not of its choosing.

Chosen-Message Attack (CMA): the adversary chooses the messages for which it sees message/signature pairs. This is the strongest attack.


Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme $\Sigma = (K, \mathrm{Sign}, \mathrm{Vf})$, the experiment is:

1 $(k_v, k_s) \xleftarrow{\$} K(\cdot)$; the adversary A receives the verification key $k_v$.

2 A may query a signing oracle: on input $m$ it returns $\sigma \leftarrow \mathrm{Sign}(k_s, m)$ (the oracle holds $k_s$; A never sees it).

3 A outputs a candidate forgery $(m', \sigma')$.

$$\mathrm{Adv}^{\text{euf-cma}}_{\Sigma}(A) = \Pr\left[\, \mathrm{Vf}(k_v, m', \sigma') = 1 \text{ for a new } m' \,\right]$$

where "new" means that $m'$ was never submitted to the signing oracle. (Existential unforgeability under chosen-message attacks.)


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way (through oracle access rather than by inspecting their code).

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of)



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function $H : \{0,1\}^* \to \mathrm{Rng}(H)$ is analyzed as if it were a perfectly random function:

Each new query receives a uniformly random answer in $\mathrm{Rng}(H)$.

The same query asked twice receives the same answer twice (the oracle keeps a table of past answers).

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.), whose code the adversary can of course read.

Examples of use:

1 Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2 Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04]. There exist (contrived) schemes that are provably secure in the random oracle model but insecure under every instantiation of H by a concrete function.



An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(K, S, V)$ as follows:

K: Key generation returns $(f, f^{-1})$, where the public key is $f : X \to X$, a trapdoor one-way permutation onto X, and the private key is $f^{-1}$. The hash function $H : \{0,1\}^* \to X$ maps onto the full domain of f, hence the name.

S: The signature of m is $\sigma \leftarrow f^{-1}(H(m))$.

V: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.
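The FDH scheme and the EUF-CMA experiment above, as an added Python example that is not part of the slides. Assumptions: f is instantiated as a toy RSA permutation over constructed 20-bit primes (far too small for real use), H is SHA-256 reduced modulo n as a stand-in for a full-domain hash, and the three adversaries are illustrative. The harness enforces the "new message" condition that the definition requires.

```python
import hashlib
import random

# Constructed toy parameters: two ~20-bit primes, far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # the trapdoor for f^{-1}

def f(x):
    """Public direction of the trapdoor permutation f : Z_N -> Z_N."""
    return pow(x, E, N)

def f_inv(y):
    """Trapdoor direction; only the signer holds D."""
    return pow(y, D, N)

def H(m):
    """Hash onto X = Z_N. A real full-domain hash must be (close to) uniform over
    all of X; reducing a 256-bit digest modulo a 40-bit N is a fine stand-in here."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(m):
    """S: sigma <- f^{-1}(H(m))."""
    return f_inv(H(m))

def verify(m, sigma):
    """V: accept iff f(sigma) = H(m)."""
    return f(sigma) == H(m)

def euf_cma_game(adversary):
    """The EUF-CMA experiment: A gets the public key (N, E) and a signing oracle,
    and outputs (m', sigma'). A wins iff the pair verifies and m' is new, i.e. it
    was never submitted to the signing oracle."""
    queried = set()

    def sign_oracle(m):
        queried.add(m)
        return sign(m)

    m_star, sigma_star = adversary((N, E), sign_oracle)
    return bool(verify(m_star, sigma_star) and m_star not in queried)

# Illustrative adversaries (constructed for this example, not from the slides).

def replay_adversary(pk, sign_oracle):
    """Returns a signature it obtained from the oracle: valid, but not a forgery."""
    m = b"transfer 10 EUR to Bob"
    return m, sign_oracle(m)

def guessing_adversary(pk, sign_oracle):
    """Outputs a random sigma for a fresh message: succeeds with probability 1/N."""
    n, _ = pk
    return b"transfer 10000 EUR to Mallory", random.Random(0).randrange(n)

def trapdoor_adversary(pk, sign_oracle):
    """Not a real attack: it is handed f^{-1}. It only shows that the game does
    accept a genuine forgery on a message the oracle never signed."""
    m = b"transfer 10000 EUR to Mallory"
    return m, f_inv(H(m))
```

The replay adversary is the reason the definition insists on a new message: its output verifies, yet it learned nothing the signer did not hand it. Everything after this point in the slides is about showing that any adversary doing better than the guessing one must, in effect, invert f.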


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction):



Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1 Define a sequence of games (experiments) $G_0, G_1, \ldots, G_5$.

2 All games live in the same probability space.

3 The games differ only in the rules by which the adversary's view is computed.

4 Successive games are very similar, typically with slightly different probability distributions.

5 $G_0$ is the actual security game (EUF-CMA).

6 $G_5$ is the game for the underlying assumption (OW).

7 We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if $H(m) = f(\sigma)$ and m was never submitted to the signing oracle. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle H(q):
Keep an initially empty list called H-List.
If $(q, r) \in$ H-List, return r.
Otherwise reply using
Rule H(1): $r \xleftarrow{\$} X$, add the record $(q, r)$ to H-List and return r.

Signing oracle S(m):
$r \leftarrow H(m)$. Reply using
Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle Vf(m, σ):
$r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when the verification oracle is called. Let $S_1$ be the event "Vf returns true in $G_1$". This is just a lazily sampled implementation of the random oracle, so clearly $\Pr[S_1] = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle, whether by A directly, by the signing oracle, or by the verification oracle.

If $c \neq c'$ then abort.

Since verification happens inside the game, the output message $m'$ is always hashed at least once (at the latest by Vf), so $c'$ is well defined and at most $q_H + q_S + 1$. Let GoodGuess be the event $c = c'$. The value c is independent of A's view, hence

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge of which we want to extract a preimage x under f.

Rule H(3): if this is the c-th (fresh) query, set $r \leftarrow y$; otherwise choose r at random. Add the record $(q, \bot, r)$ to H-List.

Since y is uniformly distributed in X, exactly like the random value it replaces, $\Pr[S_3] = \Pr[S_2]$.



Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since y is random, f is a permutation and s is uniform, $r = f(s)$ is again uniform in X, so $\Pr[S_4] = \Pr[S_3]$.



Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The message of the c-th query cannot usefully be submitted to the signing oracle (if it is, a forgery on it would not be new and the game is lost anyway), so $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be carried out with $(q_S + q_H)$ evaluations of f and no evaluation of $f^{-1}$;

a signature forgery for the c-th message is a preimage of y under f;

so $\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where $B = G_5$ (the simulator running A) runs in time $t + (q_S + q_H)\,T_f$.


Exact Security: FDH Sigs & Game-based proofs (conclusion)

Combining the relations from the previous games:

Adv^ow_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
            ≥ 1/(qH + qS + 1) · Pr[S1]
            ≥ 1/(qH + qS + 1) · Pr[S0]
            = 1/(qH + qS + 1) · Adv^euf-cma_FDH(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;
Tf is the time to compute f (in the forward direction);
B runs in time t' = t + (qh + qs) · Tf.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most 2^75 operations (t),
at most 2^55 hash queries (qh), and
at most 2^30 signing queries (qs).

Adv^euf-cma_FDH(A) ≤ (qh + qs + 1) · Adv^ow_f(B)

B runs in time t' = t + (qh + qs) · Tf

The result now says:

Interpreting the Result

If one can break the scheme within time t, then one can invert f within time t' ≤ (qh + qs + 1)(t + (qh + qs) · Tf) ≤ 2^130 + 2^110 · Tf.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' ≤ 2^130 + 2^110 · Tf

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t' ≤ 2^140, but NFS takes 2^80
2048 bits → t' ≤ 2^143, but NFS takes 2^111
4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^euf-cma_FDH(A) ≤ qs · e · Adv^ow_f(B)

where B runs in time t' = t + (qh + qs + 1) · Tf if A runs in time t and makes qh, qs queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · Tf, and

1024 bits → t' ≤ 2^105, but NFS takes 2^80
2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok
4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal: cannot be too strong.

Perfect Secrecy: not possible; the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: b ←$ {0,1}; (ke, kd) ←$ K(·); ke is sent to the adversary.

Adversary (CCA1 phase, before the challenge): may query the decryption oracle on any c and receives m ← D_kd(c), or ⊥.

Adversary → Challenger: m0, m1
Challenger → Adversary: c* ← E_ke(mb)

Adversary (CCA2 phase, after the challenge): may query the decryption oracle on any c ≠ c* and receives m ← D_kd(c), or ⊥.

Adversary outputs b'.

Adv^ind-cca_AS(A) = Pr[ (m0, m1) ← A^D(ke), c* ← E_ke(mb) : b' = b ]

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.
From the ciphertext c = E_ke(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^ow-cpa_AS(A) = Pr[ m ←$ M, c ← E_ke(m) : A(ke, c) = m ]

55/77
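The IND-CCA2 experiment of the previous slide and the OW-CPA game of this one, as an added Python harness written for this page (not code from the slides): the challenger draws b and the key pair, hands the adversary a decryption oracle that answers every query except the challenge c*, and Pr[b' = b] is estimated over many independent runs. The scheme plugged in is toy textbook RSA over two small fixed primes (constructed here; far too small to be secure). Because textbook RSA is deterministic, an adversary that simply re-encrypts m0 under the public key wins every run, which is the observation the next slide makes about RSA; an adversary that only asks the oracle for c* is refused and is reduced to guessing, and a random-guess inverter essentially never wins the OW-CPA game. The names ind_cca2_game, ow_cpa_game, DeterminismDistinguisher, ChallengeQuerier and run_demo are this example's own.

```python
import random

# Toy textbook RSA over two small fixed primes (constructed for illustration only;
# the 40-bit modulus is not secure).  Textbook RSA is deterministic, which is why
# the slides say it is OW-CPA at best and not IND-CPA, let alone IND-CCA.
P, Q, E = 1000003, 1000033, 65537


def rsa_keygen():
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))            # (ke, kd)


def rsa_encrypt(ke, m):
    n, e = ke
    return pow(m, e, n)


def rsa_decrypt(kd, c):
    n, d = kd
    return pow(c, d, n)


def ind_cca2_game(keygen, enc, dec, adversary, rng):
    """One run of the IND-CCA2 experiment; True iff the adversary's b' equals b."""
    ke, kd = keygen()
    b = rng.randrange(2)
    challenge = {"c": None}

    def dec_oracle(c):
        # CCA2 rule: every ciphertext may be decrypted except the challenge c*.
        if c == challenge["c"]:
            return None                            # ⊥
        return dec(kd, c)

    m0, m1 = adversary.choose(ke, dec_oracle)      # CCA1 phase: oracle available
    assert m0 != m1 and 0 <= m0 < ke[0] and 0 <= m1 < ke[0]
    challenge["c"] = enc(ke, (m0, m1)[b])          # c* ← E_ke(m_b)
    b_prime = adversary.guess(ke, challenge["c"], dec_oracle)   # CCA2 phase
    return b_prime == b


def ow_cpa_game(keygen, enc, inverter, rng):
    """One run of the OW-CPA game: A must recover a random message from its ciphertext."""
    ke, _ = keygen()
    m = rng.randrange(ke[0])                       # m ←$ M = Z_n
    return inverter(ke, enc(ke, m)) == m


class DeterminismDistinguisher:
    """Wins IND-CPA (hence IND-CCA) against any deterministic public-key scheme:
    re-encrypt m0 under the public key and compare with the challenge."""
    def __init__(self, enc):
        self.enc = enc

    def choose(self, ke, dec_oracle):
        return 2, 3

    def guess(self, ke, c_star, dec_oracle):
        return 0 if self.enc(ke, 2) == c_star else 1


class ChallengeQuerier:
    """Asks the oracle to decrypt c* itself; the oracle refuses, so it must guess."""
    def __init__(self, rng):
        self.rng = rng

    def choose(self, ke, dec_oracle):
        return 2, 3

    def guess(self, ke, c_star, dec_oracle):
        m = dec_oracle(c_star)
        if m is None:                              # refused, as the definition requires
            return self.rng.randrange(2)
        return 0 if m == 2 else 1


def win_rate(game, trials, seed):
    """Empirical success probability of a game over independent seeded runs."""
    rng = random.Random(seed)
    return sum(game(rng) for _ in range(trials)) / trials


def run_demo(trials=400, seed=1):
    """Win rates of (determinism distinguisher, challenge querier, random-guess inverter)."""
    dist = lambda rng: ind_cca2_game(rsa_keygen, rsa_encrypt, rsa_decrypt,
                                     DeterminismDistinguisher(rsa_encrypt), rng)
    quer = lambda rng: ind_cca2_game(rsa_keygen, rsa_encrypt, rsa_decrypt,
                                     ChallengeQuerier(rng), rng)
    inv = lambda rng: ow_cpa_game(rsa_keygen, rsa_encrypt,
                                  lambda ke, c: rng.randrange(ke[0]), rng)
    return (win_rate(dist, trials, seed), win_rate(quer, trials, seed),
            win_rate(inv, trials, seed))


if __name__ == "__main__":
    print(run_demo())      # distinguisher wins always, querier about half, inverter never
```

The harness is scheme-agnostic: any (keygen, enc, dec) triple over integer messages can be plugged in, and a probabilistic scheme would drive the first win rate back towards 1/2.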

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.
OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^k0 → {0,1}^(n-k0)
H: {0,1}^(n-k0) → {0,1}^k0

E(m, r): compute x, y, then return c = f(x || y).
D(c): compute x || y = f^-1(c), invert OAEP, then check the redundancy.

58/77
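An added implementation of f-OAEP in Python, written for this page (not code from the slides or from the Bellare-Rogaway paper). The slide leaves the computation of x and y to its figure; the standard OAEP definition is used here: x = (m || 0^k1) ⊕ G(r) and y = r ⊕ H(x), so that D recovers r = y ⊕ H(x), strips G(r) and checks that the k1 redundancy bits are zero. Everything else is an assumption of this example: G and H are instantiated with SHA-256 in counter mode, the parameters n = 512, k0 = k1 = 128 are constructed, and f is a freshly generated 1024-bit toy RSA permutation (a Miller-Rabin prime generator is included only so the block runs offline; it is not a production key generator).

```python
import hashlib
import random

# Constructed parameters: n-bit OAEP block, k0-bit random r, k1 zero bits of
# redundancy (n > k0 + k1); the message is n - k0 - k1 = 256 bits = 32 bytes.
N_BITS, K0, K1 = 512, 128, 128
RSA_BITS = 1024                 # the OAEP block x || y must be below the modulus

def mgf(seed, out_len, label):
    """G and H instantiated with SHA-256 in counter mode (stand-in for the random oracles)."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

def G(r):   # {0,1}^k0 -> {0,1}^(n-k0)
    return mgf(r, (N_BITS - K0) // 8, b"G")

def H(x):   # {0,1}^(n-k0) -> {0,1}^k0
    return mgf(x, K0 // 8, b"H")

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    assert len(m) == (N_BITS - K0 - K1) // 8 and len(r) == K0 // 8
    x = xor(m + bytes(K1 // 8), G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy):
    """Inverts the padding and checks the k1 redundancy bits; None stands for ⊥."""
    x, y = xy[:(N_BITS - K0) // 8], xy[(N_BITS - K0) // 8:]
    padded = xor(x, G(xor(y, H(x))))            # r = y xor H(x), then m || 0^k1
    m, redundancy = padded[:-(K1 // 8)], padded[-(K1 // 8):]
    return m if redundancy == bytes(K1 // 8) else None

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; only used to build the toy RSA trapdoor permutation."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(rng, bits=RSA_BITS, e=65537):
    """f(v) = v^e mod N with trapdoor d; returns ((N, e), (N, d))."""
    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(cand, rng):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                  # e prime, so this means gcd(e, phi) = 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def encrypt(pk, m, rng):
    """E(m, r): fresh random r, pad, then apply f."""
    n, e = pk
    r = rng.getrandbits(K0).to_bytes(K0 // 8, "big")
    return pow(int.from_bytes(oaep_pad(m, r), "big"), e, n)

def decrypt(sk, c):
    """D(c): apply f^-1, invert OAEP, check the redundancy; None means reject."""
    n, d = sk
    v = pow(c, d, n)
    if v >= 1 << N_BITS:                        # cannot be an n-bit OAEP block
        return None
    return oaep_unpad(v.to_bytes(N_BITS // 8, "big"))

def run_demo(seed=7):
    """Returns (round trip succeeds, ciphertext with one flipped bit is rejected)."""
    rng = random.Random(seed)
    pk, sk = rsa_keygen(rng)
    m = b"provable security demo message!!"     # 32 bytes, constructed
    c = encrypt(pk, m, rng)
    return decrypt(sk, c) == m, decrypt(sk, c ^ 1) is None
```

The redundancy check is what makes D reject modified ciphertexts rather than return a related plaintext; a flipped ciphertext bit changes the whole recovered block under f^-1, so the k1 zero bits survive only with probability about 2^-k1. Note that the demo uses a seeded RNG for reproducibility only; r must be fresh and unpredictable in any real use.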

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^ind-cca_RSA-OAEP(A) ≤ 2 · sqrt(Adv^rsa_{n,e}(B))

where B runs in time t' = 2 · t + qH(2 · qG + qH) · k^2 if A runs in time t and makes qH, qG queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6 · 2^110 k^2 ≤ 2^113 · k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no
2048 bits → t' ≤ 2^135, but NFS takes 2^111: no
4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t),
at most 2^55 hash (qH, qG) and ideal cipher queries (qE).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + qE · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok
2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok
4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
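The key-size arithmetic of the four "interpreting the result" slides (RSA-FDH, RSA-FDH with Coron's reduction, RSA-OAEP and RSA-OAEP++), as one added Python script written for this page (not from the slides). It takes each reduction as a pair (loss factor, running time of B), multiplies them into the cost of an inverter with constant advantage, compares the log2 of that cost with the NFS figures the slides quote for 1024, 2048 and 4096-bit moduli, and reports the smallest modulus for which the reduction actually guarantees anything. The feasibility parameters t = 2^75, qh = qH = qG = qE = 2^55 and qs = 2^30 are the slides' own; the function names and the constant-advantage cost model (run B once per unit of loss) are this example's assumptions. Two caveats a reader reproducing the slide numbers will need: the FDH slide evaluates Tf as k^3 while the Coron, OAEP and OAEP++ figures use k^2, so the Tf exponent is a parameter here; and the slides round constants upward, so the exponents computed here differ from the slides' by up to a couple of bits (2^106 instead of 2^105 for Coron's bound at 1024 bits, 2^131.6 instead of 2^133 for RSA-OAEP), while every key-size verdict agrees with the slides.

```python
from math import log2

# Feasibility bounds assumed on the slides (taken from the slide text).
T, QH, QS, QE = 2 ** 75, 2 ** 55, 2 ** 30, 2 ** 55
# log2 of the NFS cost for inverting RSA, per modulus size, as quoted on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_inverter_cost(k, tf_exp):
    """Original FDH reduction: Adv_A <= (qh+qs+1) Adv_B, B runs in t + (qh+qs) Tf.
    Repeating B (qh+qs+1) times yields an inverter of constant advantage."""
    Tf = k ** tf_exp
    return (QH + QS + 1) * (T + (QH + QS) * Tf)


def coron_fdh_inverter_cost(k, tf_exp):
    """[Coron 2000]: Adv_A <= qs e Adv_B, B runs in t + (qh+qs+1) Tf.
    The constant e is dropped, as on the slide (t' <= 2^30 t + 2^85 Tf)."""
    Tf = k ** tf_exp
    return QS * (T + (QH + QS + 1) * Tf)


def oaep_inverter_cost(k):
    """RSA-OAEP [Fujisaki-OPS 00]: B runs in 2t + qH(2qG + qH) k^2, with qG = qH here."""
    return 2 * T + QH * (2 * QH + QH) * k ** 2


def oaep_pp_inverter_cost(k):
    """RSA-OAEP++ [Jonsson 2002], essentially linear: t' <= t + qE k^2."""
    return T + QE * k ** 2


def assess(cost_fn, k):
    """(log2 inverter cost, log2 NFS cost, guarantee?) for a k-bit modulus.
    The reduction only guarantees anything when the derived inverter would beat
    the best known algorithm, i.e. when its cost is at most the NFS cost."""
    c = log2(cost_fn(k))
    return c, NFS_LOG2[k], c <= NFS_LOG2[k]


def min_secure_modulus(cost_fn):
    """Smallest modulus size on the slides for which the reduction gives a guarantee, else None."""
    return next((k for k in sorted(NFS_LOG2) if assess(cost_fn, k)[2]), None)


# The four reductions discussed on the slides; the FDH slide evaluates Tf as k^3,
# the Coron/OAEP/OAEP++ figures as k^2 (hypothetical exponent parameter).
REDUCTIONS = {
    "RSA-FDH (Tf = k^3)": lambda k: fdh_inverter_cost(k, 3),
    "RSA-FDH, Coron (Tf = k^2)": lambda k: coron_fdh_inverter_cost(k, 2),
    "RSA-OAEP": oaep_inverter_cost,
    "RSA-OAEP++": oaep_pp_inverter_cost,
}


def summary():
    """Reduction name -> (log2 inverter cost per modulus size, smallest modulus with a guarantee)."""
    return {name: ([round(assess(fn, k)[0], 1) for k in sorted(NFS_LOG2)],
                   min_secure_modulus(fn))
            for name, fn in REDUCTIONS.items()}


if __name__ == "__main__":
    for name, (costs, kmin) in summary().items():
        print(f"{name:28s} log2 t' = {costs}   guarantee from {kmin} bits")
```

Because the cost model multiplies the loss factor into B's running time, a loose loss factor (qh + qs + 1 for FDH) costs as many bits of key size as the same factor in running time would; this is why a tighter reduction, not a faster adversary, is what moves RSA-FDH from 4096 to 2048 bits and RSA-OAEP++ down to 1024 bits.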

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes
Hash-based schemes
Systems of Multi-Variate Equations
Lattices

62/77

Part V: Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;
motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

                                                                                          Part VI

                                                                                          References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin, Heidelberg, New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
      • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notion for Signature Schemes: EUF-CMA

[Goldwasser, Micali, Rivest 1988] Given a signature scheme Σ = (K, Sign, Vf):

(k_v, k_s) ←$ K(·)

The adversary is given k_v; the signing oracle holds k_s.

Adversary  ──m──▶  Signing Oracle: σ ← Sign(k_s, m)
           ◀──σ──
             ···   (adaptively, as many times as it likes)

Finally the adversary outputs a pair (m′, σ′).

Adv^{euf-cma}_Σ(A) = Pr[ Vf(k_v, m′, σ′) = 1 for a new m′ ]

(Existential unforgeability under chosen-message attacks; "new" means m′ was never queried to the signing oracle.)

35/77

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block cipher → Ideal cipher

Finite group → Generic group

Standard model: no idealized primitives (sort of).

36/77


Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H : {0,1}* → Rng(H) is analysed as if it were a perfectly random function:

Each new query receives a uniformly random answer in Rng(H).

The same query asked twice receives the same answer twice.

But in the actual scheme H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key generation returns (f, f⁻¹), where
   Public key: f : X → X, a trapdoor one-way permutation onto X
   Private key: f⁻¹

S: Signature of m returns σ ← f⁻¹(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

Here H : {0,1}* → X hashes onto the whole domain of f ("full domain"); in the analysis it is modelled as a random oracle.

38/77
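As an added example (not code from the slides or from Pointcheval's material), the following Python implements the FDH triple (K, S, V) above with RSA as the trapdoor permutation f, and the EUF-CMA experiment of the signature-notion slide as a harness with a signing oracle; one block serves both passages. Everything in it is constructed for illustration: the toy RSA modulus built from two small Mersenne primes (nowhere near a secure size), SHA-256 as the hash in place of the SHA-1/RIPEMD-160 named above, the helper names, and the two adversaries. The second adversary shows why hashing before inverting f is essential: against "textbook" RSA with H the identity it forges trivially by choosing σ first and setting m := f(σ), while the same strategy fails against FDH.

```python
# Added example (not from the slides): RSA-FDH as the (K, S, V) triple, plus
# the EUF-CMA experiment as a runnable harness.  Toy parameters only.
import hashlib

# Constructed toy RSA parameters: two known Mersenne primes, far too small to
# be secure.  gcd(e, (p-1)(q-1)) = 1 holds for these values.
P_TOY = 2**61 - 1
Q_TOY = 2**31 - 1
E_TOY = 65537


def keygen(p=P_TOY, q=Q_TOY, e=E_TOY):
    """K: return (public key f, private key f^-1) with RSA as the permutation."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse, Python >= 3.8
    return (n, e), (n, d)


def fdh_hash(msg: bytes, n: int) -> int:
    """H: {0,1}* -> Z_n, the 'full-domain' hash.  SHA-256(counter || msg) is
    truncated to n.bit_length() bits and rejected until it is below n, so the
    output ranges over the whole set that f permutes."""
    k = n.bit_length()
    ctr = 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        h = int.from_bytes(digest, "big") % (1 << k)
        if h < n:
            return h
        ctr += 1


def identity_hash(msg: bytes, n: int) -> int:
    """Deliberately NOT a hash: 'textbook RSA' signs the message itself.
    Used only to show why FDH hashes before inverting f."""
    return int.from_bytes(msg, "big") % n


def sign(sk, msg, H=fdh_hash):
    """S: sigma <- f^-1(H(m))."""
    n, d = sk
    return pow(H(msg, n), d, n)


def verify(pk, msg, sigma, H=fdh_hash):
    """V: true iff f(sigma) = H(m)."""
    n, e = pk
    return pow(sigma, e, n) == H(msg, n)


def euf_cma_experiment(adversary, H=fdh_hash, keypair=None):
    """The EUF-CMA game: A gets k_v and a signing oracle and outputs (m', sigma').
    A wins iff m' was never queried to the oracle and Vf accepts."""
    pk, sk = keypair if keypair else keygen()
    queried = set()

    def signing_oracle(m):
        queried.add(m)
        return sign(sk, m, H)

    m_forged, sigma_forged = adversary(pk, signing_oracle)
    return m_forged not in queried and verify(pk, m_forged, sigma_forged, H)


def replay_adversary(pk, sign_oracle):
    """Re-submits a legitimately obtained signature: not a forgery, m' is not new."""
    m = b"transfer 10 to bob"
    return m, sign_oracle(m)


def existential_forger(pk, sign_oracle):
    """Picks sigma first and sets m := f(sigma).  Wins against identity_hash
    (textbook RSA); fails against fdh_hash because then H(m) != f(sigma)."""
    n, e = pk
    sigma = 3
    m = pow(sigma, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return m, sigma


if __name__ == "__main__":
    pk, sk = keygen()
    print("valid signature verifies:  ", verify(pk, b"hello", sign(sk, b"hello")))
    print("replay wins FDH game?      ", euf_cma_experiment(replay_adversary))
    print("forger wins FDH game?      ", euf_cma_experiment(existential_forger))
    print("forger wins no-hash game?  ", euf_cma_experiment(existential_forger, H=identity_hash))
```

Run it with Python 3.8 or later (for the three-argument `pow` inverse). The harness makes the "new m′" condition explicit by tracking the oracle's queries, which is exactly the detail the verification oracle in the game-based proof below has to respect.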

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the trapdoor one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

Adv^{euf-cma}_FDH(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t′ = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games (experiments).

2. All games live in the same probability space.

3. The rules by which the adversary's view is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): return true if H(m) = f(σ) (and, as EUF-CMA requires, m was not queried to the signing oracle). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^{euf-cma}_FDH(A) = Pr[ S0 ].

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):
  Keep a list called H-List, initially empty.
  If (q, r) ∈ H-List, return r.
  Otherwise reply using
  Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m):
  r ← H(m). Reply using
  Rule S(1): σ ← f⁻¹(r).

Verification oracle Vf(m, σ):
  r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[ S1 ] = Pr[ S0 ]: sampling each answer lazily on first use yields exactly the distribution of a random function, so the adversary's view is unchanged.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where
  c ←$ {1, ..., qH + qS + 1}
Let c′ be the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle.
If c ≠ c′ then abort.

Since the verification of success happens inside the game, the forgery message m is always hashed at some point: by A directly, through a signing query, or by Vf itself (hence the bound qH + qS + 1 on the number of hash queries). Let GoodGuess be the event c = c′. Because c is chosen independently of A's view,
$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \cdot \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \cdot \frac{1}{q_H + q_S + 1}.$$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge for which we want to extract a preimage x under f.

Rule H(3):
  If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List (⊥ marks a preimage we do not know).

Since y is uniformly distributed in X (it is f(x) for a uniformly chosen x, and f is a permutation), the c-th answer has the same distribution as in G2, so Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be used by signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose s ←$ X at random and compute r ← f(s).
  Add the record (q, s, r) to H-List.

Since f is a permutation and s is uniform in X, r = f(s) is uniform in X, exactly as in G3, so Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):
  Look up (m, s, r) in H-List and set σ ← s.

The message of the c-th query is the forgery message m′ (otherwise the game already aborted in G2), and a valid forgery never asks m′ to the signing oracle, so the one record with s = ⊥ is never needed for signing. Hence Pr[S5] = Pr[S4].

Moreover:
  - the whole simulation costs (qS + qH) forward evaluations of f (no inversions);
  - a successful forgery (m′, σ) satisfies f(σ) = H(m′) = y, so it is a preimage of y.

Therefore
$$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B),$$
where B = G5 runs in time t + (qS + qH)·Tf.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:
$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0] = \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A).$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
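The simulator of games G1 to G5 as runnable code, added here as a worked example; it is not part of the original slides or of [Pointcheval 2005]. It assumes a toy textbook-RSA permutation (N = 3233, e = 17, d = 2753, constructed for illustration) and a hypothetical forger that only succeeds because N is small enough to invert by exhaustive search. The point is to watch the reduction B answer hash and signing queries with forward evaluations of f alone, abort exactly when its guess c is wrong, and turn the forgery into a preimage of its challenge y.

```python
import random

# Toy RSA trapdoor permutation f(x) = x^E mod N on X = Z_N. Textbook parameters,
# constructed for this example only; N is tiny so that a brute-force "forger" exists.
N, E, D = 3233, 17, 2753          # N = 61 * 53, E * D = 1 mod lcm(60, 52)


def f(x):
    """Forward direction of the permutation: public and cheap (cost T_f)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor direction: the real signer's secret. The reduction B never calls it."""
    return pow(y, D, N)


class FDHSimulator:
    """Game G5, i.e. the reduction B. Given a challenge y and a guess c, it programs
    the random oracle so that the c-th fresh hash query is answered with y and every
    other fresh query with f(s) for a known s, and answers signing queries by lookup."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.h_list = {}      # q -> (s, r); s is None (the slide's ⊥) for the embedded query
        self.fresh = 0        # number of fresh (non-repeated) hash queries so far
        self.f_evals = 0      # cost accounting: forward evaluations of f (at most q_H + q_S)

    def H(self, q):
        if q in self.h_list:                     # repeated query: same answer as before
            return self.h_list[q][1]
        self.fresh += 1
        if self.fresh == self.c:                 # Rule H(4): embed the challenge, preimage unknown
            s, r = None, self.y
        else:                                    # Rule H(4): r = f(s) for a uniformly random s
            s = self.rng.randrange(N)
            r = f(s)
            self.f_evals += 1
        self.h_list[q] = (s, r)
        return r

    def S(self, m):
        """Rule S(5): sign by table lookup, without f_inv. Only the embedded query has no
        preimage; a valid forgery never asks that message to be signed, so hitting it
        means the guess c was wrong and B aborts (the G2 abort)."""
        self.H(m)
        s, _ = self.h_list[m]
        if s is None:
            raise ValueError("abort: signing query on the embedded message (c != c')")
        return s

    def Vf(self, m, sigma):
        return self.H(m) == f(sigma)


def forger(H, S):
    """Hypothetical euf-cma forger that 'breaks' FDH-RSA only because N is tiny: it makes
    q_H = 4 hash queries and q_S = 2 signing queries, then inverts f on the hash of a
    fourth, never-signed message by exhaustive search. Its forgery sits on fresh query 4."""
    msgs = ["invoice-1", "invoice-2", "invoice-3", "invoice-4"]
    hashes = {m: H(m) for m in msgs}
    for m in msgs[:2]:
        assert f(S(m)) == hashes[m]              # the simulated signatures verify
    target = msgs[3]
    sigma = next(x for x in range(N) if f(x) == hashes[target])
    return target, sigma


def run_reduction(y, c, seed=0):
    """One run of B with guess c: returns a preimage of y under f, or None if B fails."""
    sim = FDHSimulator(y, c, random.Random(seed))
    try:
        m, sigma = forger(sim.H, sim.S)
    except ValueError:
        return None                              # Game G2 abort
    if sim.Vf(m, sigma) and sim.h_list[m][0] is None:
        return sigma                             # f(sigma) = H(m) = y: a preimage of y
    return None                                  # forgery landed on a query B already knew


def invert(y, q_h=4, q_s=2):
    """Try every guess c in {1, ..., q_H + q_S + 1}; exactly one value works for this forger."""
    for c in range(1, q_h + q_s + 2):
        x = run_reduction(y, c)
        if x is not None:
            return x, c
    return None, None


def guess_success_rate(y, trials=700, q_h=4, q_s=2, seed=1):
    """Empirical success rate of B with a uniformly random guess c, i.e. the
    1/(q_H + q_S + 1) loss factor of the theorem (here 1/7)."""
    rng = random.Random(seed)
    hits = sum(run_reduction(y, rng.randrange(1, q_h + q_s + 2), seed=t) is not None
               for t in range(trials))
    return hits / trials
```

`invert(f(42))` returns (42, 4): only the guess c = 4 (the forger's fourth fresh hash query) succeeds, every other guess either aborts in the signing oracle or yields a forgery on a hash value whose preimage B already knew, and `guess_success_rate` lands near 1/7 = 1/(q_H + q_S + 1), the loss factor of the theorem made visible.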

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that
$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where
  - A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;
  - T_f is the time to compute f (in the forward direction);
  - B runs in time t′ = t + (q_h + q_s) · T_f.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the feasible resource bounds for any adversary are
  - at most 2^75 operations (t),
  - at most 2^55 hash queries (q_h), and
  - at most 2^30 signing queries (q_s).

With Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B) and B running in time t′ = t + (q_h + q_s) · T_f, the result now says:

Interpreting the Result
If one can break the scheme in time t, then one can invert f within time
$$t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s) \cdot T_f\big) \le 2^{130} + 2^{110} \cdot T_f,$$
where the factor (q_h + q_s + 1) is the advantage loss of the reduction converted into running time (repeat B that many times to reach constant success probability).

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time
$$t' \le 2^{130} + 2^{110} \cdot T_f.$$

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known algorithm, the Number Field Sieve (NFS)) for f = RSA:
  - 1024 bits → t′ ≤ 2^140, but NFS takes 2^80
  - 2048 bits → t′ ≤ 2^143, but NFS takes 2^111
  - 4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

The reduction only says something when the inverter it builds would beat NFS.
⇒ With this reduction, RSA-FDH is provably secure only for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where B runs in time t′ = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries (e here is Euler's constant ≈ 2.718, not the RSA exponent). The loss now depends on q_s only, not on q_h. Inverting f can then be done in time t′ ≤ 2^30 · t + 2^85 · T_f, and
  - 1024 bits → t′ ≤ 2^105, but NFS takes 2^80
  - 2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok
  - 4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77
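A small calculator, added as an example and not part of the original slides, that redoes the arithmetic of the last three slides: it evaluates both reductions' time bounds for the resource limits assumed above and compares them with the NFS figures quoted on the slides (taken as given, not recomputed). T_f is an explicit parameter because the slides do not use one consistent accounting for it: T_f ≈ k^3 (about 2^30 for 1024-bit keys) reproduces the 2^140 / 2^143 / 2^146 row of the basic reduction, but the Coron row of 2^105 / 2^107 / 2^109 is only reached if the 2^85 · T_f term is treated as negligible. Passing `tf_log2` makes visible which cost model a security estimate silently assumes.

```python
import math

# Adversary resource bounds assumed on the slides (log2): 2^75 operations,
# 2^55 hash queries, 2^30 signing queries.
T_LOG2, QH_LOG2, QS_LOG2 = 75, 55, 30

# NFS cost figures as quoted on the slides (log2 operations); not recomputed here.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def t_f_log2(k_bits):
    """Slides' rule of thumb: one forward RSA evaluation costs O(k^3) operations."""
    return 3 * math.log2(k_bits)


def _params(k_bits, t, qh, qs, tf_log2):
    """Expand log2 parameters into floats; tf_log2=None means the k^3 model."""
    if tf_log2 is None:
        tf_log2 = t_f_log2(k_bits)
    return 2.0 ** qh, 2.0 ** qs, 2.0 ** t, 2.0 ** tf_log2


def basic_reduction_log2(k_bits, t=T_LOG2, qh=QH_LOG2, qs=QS_LOG2, tf_log2=None):
    """log2 of the inversion time implied by the basic reduction:
    t' <= (q_h + q_s + 1) * (t + (q_h + q_s) * T_f)."""
    qh_, qs_, t_, tf = _params(k_bits, t, qh, qs, tf_log2)
    return math.log2((qh_ + qs_ + 1) * (t_ + (qh_ + qs_) * tf))


def coron_reduction_log2(k_bits, t=T_LOG2, qh=QH_LOG2, qs=QS_LOG2, tf_log2=None):
    """log2 of the inversion time implied by Coron's reduction:
    t' <= q_s * e * (t + (q_h + q_s + 1) * T_f), with e = Euler's constant."""
    qh_, qs_, t_, tf = _params(k_bits, t, qh, qs, tf_log2)
    return math.log2(qs_ * math.e * (t_ + (qh_ + qs_ + 1) * tf))


def reduction_is_meaningful(k_bits, bound_log2, **kw):
    """The reduction gives a guarantee only if the inverter it builds would beat the
    best known attack, i.e. the implied t' is below the NFS cost for that key size."""
    return bound_log2(k_bits, **kw) < NFS_LOG2[k_bits]


def summary(tf_log2=None):
    """Rows (k, basic bound, Coron bound, basic meaningful?, Coron meaningful?)."""
    return [(k,
             round(basic_reduction_log2(k, tf_log2=tf_log2)),
             round(coron_reduction_log2(k, tf_log2=tf_log2)),
             reduction_is_meaningful(k, basic_reduction_log2, tf_log2=tf_log2),
             reduction_is_meaningful(k, coron_reduction_log2, tf_log2=tf_log2))
            for k in sorted(NFS_LOG2)]
```

`summary()` with the k^3 model gives 140 / 143 / 146 for the basic reduction, meaningful only at 4096 bits, as on the slide; `summary(tf_log2=0)` shows what the Coron row looks like when T_f is ignored. Whatever model is used, the check is the same one a reviewer of a "provably secure" parameter choice should run: compare the reduction's implied inverter against the best known attack, not against the adversary's own budget.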

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:
  Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext. In the public-key setting the public key and the ciphertext together determine the plaintext, so an unbounded adversary always recovers it.

Goal: Indistinguishability (Semantic Security), informally:
  Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

  - Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this is free, since he holds the encryption key).
  - Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger:  b ←$ {0, 1}; (ke, kd) ←$ K(·); sends ke to the adversary.
Adversary:   (CCA1 phase) sends ciphertexts c of his choice and receives m ← D_kd(c), or ⊥ if c is invalid.
Adversary:   chooses (m0, m1) and sends them to the challenger.
Challenger:  c* ← E_ke(m_b); sends c*.
Adversary:   (CCA2 phase) sends ciphertexts c ≠ c* and receives m ← D_kd(c), or ⊥.
Adversary:   outputs a bit b′.

$$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D_{k_d}}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D_{k_d}}(c^*) \,:\, b' = b\,\big]$$

(Indistinguishability against chosen-ciphertext attacks.) CCA1 allows decryption queries only before c* is seen; CCA2 allows them before and after, on anything but c* itself.

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
  - Let m be a random message chosen from the message space M.
  - From the ciphertext c = E_ke(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly we measure the advantage of A as
$$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\big[\, m \leftarrow\!\!\$\, M;\ c \leftarrow E_{k_e}(m) \,:\, A(k_e, c) = m \,\big]$$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA ⇔ RSA problem (modular e-th roots).
  It is not IND-CPA (nor IND-CCA) since it is deterministic: the adversary re-encrypts m0 under the public key and compares with c*.

Discrete-log-based: ElGamal [ElGamal 1985]
  OW-CPA ⇔ CDH (Computational Diffie-Hellman)
  IND-CPA ⇔ DDH (Decisional Diffie-Hellman)
  It is not IND-CCA because of multiplicativity: scaling the second component of c* gives a different, valid ciphertext of a related plaintext, which the decryption oracle will answer.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog: anyone who computes discrete logs solves all three).

56/77
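The two negative results above, the IND-CPA break of textbook RSA and the IND-CCA2 break of textbook ElGamal, as a runnable example written for this page (not code from the slides). Parameters are toy values constructed for illustration (RSA with N = 3233; ElGamal in Z_23^* with generator 5, far too small for real use); the decryption oracle follows the CCA2 game on slide 54 and refuses exactly the challenge ciphertext c*.

```python
import random

# Textbook RSA with toy parameters (constructed for this example; N = 61 * 53).
N, E, D = 3233, 17, 2753


def rsa_enc(m):
    return pow(m, E, N)          # deterministic: the same m always gives the same c


def rsa_dec(c):
    return pow(c, D, N)


def rsa_ind_cpa_adversary(m0, m1, c_star):
    """IND-CPA distinguisher against textbook RSA: re-encrypt m0 with the public key
    and compare with the challenge. Works because encryption uses no randomness."""
    return 0 if rsa_enc(m0) == c_star else 1


# Textbook ElGamal over Z_p^* with toy parameters p = 23, generator g = 5
# (constructed for this example).
P, G = 23, 5


def eg_keygen(rng):
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)                       # (kd, ke)


def eg_enc(h, m, rng):
    r = rng.randrange(1, P - 1)
    return pow(G, r, P), (m * pow(h, r, P)) % P  # (g^r, m * h^r)


def eg_dec(x, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P      # c2 / c1^x


def eg_ind_cca_adversary(m0, m1, c_star, dec):
    """IND-CCA2 attack using multiplicativity: (c1, 2*c2) is a valid ciphertext of
    2*m_b and differs from c_star, so the decryption oracle must answer it."""
    c1, c2 = c_star
    m_prime = dec((c1, (2 * c2) % P))
    m_b = (m_prime * pow(2, P - 2, P)) % P       # divide by 2 mod p
    return 0 if m_b == m0 else 1


def ind_game(enc, adversary, m0, m1, rng, dec=None):
    """One run of the IND game (CCA2 flavour when dec is given). Returns True iff the
    adversary outputs b' = b. The oracle refuses the challenge ciphertext itself."""
    b = rng.randrange(2)
    c_star = enc((m0, m1)[b])
    if dec is None:
        return adversary(m0, m1, c_star) == b
    guarded = lambda c: None if c == c_star else dec(c)
    return adversary(m0, m1, c_star, guarded) == b


def rsa_cpa_win_rate(trials=200, seed=0):
    """Fraction of IND-CPA games the RSA distinguisher wins (1.0: not IND-CPA)."""
    rng = random.Random(seed)
    return sum(ind_game(rsa_enc, rsa_ind_cpa_adversary, 3, 7, rng)
               for _ in range(trials)) / trials


def elgamal_cca_win_rate(trials=200, seed=0):
    """Fraction of IND-CCA2 games the ElGamal attacker wins (1.0: not IND-CCA)."""
    rng = random.Random(seed)
    x, h = eg_keygen(rng)
    wins = sum(ind_game(lambda m: eg_enc(h, m, rng), eg_ind_cca_adversary, 3, 7, rng,
                        dec=lambda c: eg_dec(x, c)) for _ in range(trials))
    return wins / trials
```

Both win rates are exactly 1.0, whereas the definition requires them to be close to 1/2. Note what each attack needs: the RSA one uses nothing but the public key (so it is already a CPA break), while the ElGamal one needs one decryption query on a ciphertext different from c*, which is precisely what the CCA2 model grants and the CPA model does not; ElGamal remains IND-CPA under DDH.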

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
  - Any trapdoor one-way function may yield a OW-CPA encryption scheme.
  - OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?
Generic conversions from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): Compute x, y, then return c = f(x||y).

D(c): Compute x||y = f^{-1}(c), invert OAEP, then check redundancy.

58/77
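The f-OAEP construction above, as an added worked example (my code, not from the slides or from Bellare-Rogaway). It assumes the standard padding x = (m || 0^{k1}) ⊕ G(r), y = r ⊕ H(x), builds G and H from SHA-256 in MGF1 fashion, and instantiates f with a constructed toy RSA permutation (Mersenne primes, about a 216-bit modulus) that is there only to make the example run offline; parameter names, byte lengths and the key are all my choices.

```python
# Added example (not from the slides): f-OAEP encryption/decryption with a toy RSA
# permutation as f. Assumptions (mine): G and H are SHA-256 counter-mode expansions,
# the padding is the standard OAEP one,
#   x = (m || 0^{k1}) XOR G(r),   y = r XOR H(x),   c = f(x || y),
# and the RSA key is a constructed toy (NOT secure, only self-contained).
import hashlib
import hmac
import os
from typing import Optional

# Lengths in bytes: n > k0 + k1; the message length is n - k0 - k1.
N_BYTES, K0, K1 = 26, 8, 8
MSG_LEN = N_BYTES - K0 - K1      # 10 bytes

# Constructed toy trapdoor permutation f(x) = x^e mod N.
P = (1 << 127) - 1               # Mersenne prime 2^127 - 1
Q = (1 << 89) - 1                # Mersenne prime 2^89 - 1
MOD = P * Q                      # about 2^216 > 2^(8*N_BYTES), so every x||y is < MOD
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def mgf(seed: bytes, out_len: int, label: bytes) -> bytes:
    """MGF1-style expansion of SHA-256; the label keeps G and H independent."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def G(r: bytes) -> bytes:        # {0,1}^{k0} -> {0,1}^{n-k0}
    return mgf(r, N_BYTES - K0, b"G")


def H(x: bytes) -> bytes:        # {0,1}^{n-k0} -> {0,1}^{k0}
    return mgf(x, K0, b"H")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """OAEP padding of m with randomness r; returns x || y (n bytes)."""
    assert len(m) == MSG_LEN and len(r) == K0
    x = xor(m + bytes(K1), G(r))      # redundancy: k1 zero bytes appended to m
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy: bytes) -> Optional[bytes]:
    """Inverts the padding; returns m, or None when the redundancy check fails."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    m, z = mz[:MSG_LEN], mz[MSG_LEN:]
    # Constant-time comparison of the k1 redundancy bytes against 0^{k1}.
    if not hmac.compare_digest(z, bytes(K1)):
        return None
    return m


def encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """E(m, r): pad, then apply f (the toy RSA permutation)."""
    if r is None:
        r = os.urandom(K0)
    xy = int.from_bytes(oaep_pad(m, r), "big")
    return pow(xy, E, MOD)


def decrypt(c: int) -> Optional[bytes]:
    """D(c): invert f, invert OAEP, check redundancy. None means 'reject'."""
    if not 0 <= c < MOD:
        return None
    xy_int = pow(c, D, MOD)
    if xy_int >= 1 << (8 * N_BYTES):  # f^-1(c) outside {0,1}^n: reject
        return None
    return oaep_unpad(xy_int.to_bytes(N_BYTES, "big"))


def roundtrip_ok(m: bytes) -> bool:
    return decrypt(encrypt(m)) == m


def tamper_rejected(m: bytes) -> bool:
    """Flipping one ciphertext bit must make D reject (the redundancy fails)."""
    c = encrypt(m)
    return decrypt(c ^ 1) is None
```

The two rejection paths in `decrypt` are the "check redundancy" step of D(c): a value of f^{-1}(c) that does not fit in n bits, or one whose k1 trailing bytes are not zero after unmasking, is rejected without revealing anything else. The redundancy check is what the IND-CCA argument on the next slides leans on.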

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting f) can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most $2^{75}$ operations (t)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
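The key-size arithmetic of the last two slides (RSA-OAEP and RSA-OAEP++), as an added worked example; this is my code, not the slides'. It takes the two running-time bounds t' and the NFS cost estimates exactly as quoted on the slides, keeps the adversary budget (t, q_H, q_G, q_E) as parameters, and reports for which modulus sizes the reduction is informative, i.e. t' below the best known factoring cost. One caveat: evaluating the RSA-OAEP formula directly with q_H = q_G = 2^55 gives 2·t + 3·2^110·k^2, slightly below the simplified 6·2^110·k^2 written on the slide, so this code reports 2^132, 2^134 and 2^136 where the slide rounds to 2^133, 2^135 and 2^137; the verdicts (vacuous below 4096 bits for OAEP, meaningful from 1024 bits for OAEP++) are the same.

```python
# Added example (not from the slides): turning a reduction's time bound into a
# key-size verdict, the "exact security" bookkeeping of the RSA-OAEP(++) slides.
# Bounds and NFS estimates are the ones quoted there; the comparison is mine.
from typing import Callable, Dict, Optional

# Adversary budget assumed on the slides: time t, q_H/q_G hash queries, q_E cipher queries.
T = 1 << 75
Q_H = Q_G = Q_E = 1 << 55

# Cost of the best known factoring attack (NFS) per modulus size, in log2, as quoted.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def ceil_log2(x: int) -> int:
    """ceil(log2(x)) for a positive integer, without floating point."""
    assert x >= 1
    return (x - 1).bit_length()


def time_oaep(k: int, t: int = T, qh: int = Q_H, qg: int = Q_G) -> int:
    """t' = 2t + q_H (2 q_G + q_H) k^2, the RSA-OAEP reduction on the slide."""
    return 2 * t + qh * (2 * qg + qh) * k * k


def time_oaep_pp(k: int, t: int = T, qe: int = Q_E) -> int:
    """t' = t + q_E k^2, the RSA-OAEP++ reduction on the slide."""
    return t + qe * k * k


def verdict(bound: Callable[[int], int], k: int) -> Dict[str, object]:
    """Is the reduction informative at modulus size k?

    The reduction says: break the scheme in time t => invert RSA in time t'.
    That only tells us something when t' is below the cost of the best known
    attack on RSA; otherwise the bound is vacuous for that key size.
    """
    tp = ceil_log2(bound(k))
    nfs = NFS_LOG2[k]
    return {"k": k, "log2_t_prime": tp, "log2_nfs": nfs, "meaningful": tp <= nfs}


def smallest_meaningful_key(bound: Callable[[int], int]) -> Optional[int]:
    """Smallest listed modulus size at which the reduction is not vacuous."""
    for k in sorted(NFS_LOG2):
        if verdict(bound, k)["meaningful"]:
            return k
    return None


if __name__ == "__main__":
    for name, bound in (("RSA-OAEP", time_oaep), ("RSA-OAEP++", time_oaep_pp)):
        for k in sorted(NFS_LOG2):
            print(name, verdict(bound, k))
        print(name, "first informative key size:", smallest_meaningful_key(bound))
```

Because the budget is a parameter, the same functions show how the verdict moves if one assumes a smaller number of oracle queries or a larger time budget, which is exactly the kind of "practical implication" the concluding slides ask us to distill from a reduction.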

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs.

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with "model, attack, remodel"? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77



Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. The hash function H : {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).

The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^{-1}) where
   Public key: f: X → X, a trapdoor one-way permutation onto X
   Private key: f^{-1}

S: Signature of m returns σ ← f^{-1}(H(m))

V: Verification of (m, σ) returns true if f(σ) = H(m)

[38/77]

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

   Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
- T_f is the time to compute f (in the forward direction),
- B runs in time t' = t + (q_h + q_s) · T_f.

[Bellare-Rogaway 1993, 1996]

Proof: (reduction)

[39/77]


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. G0 is the actual security game (EUF-CMA).
6. G5 is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

[40/77]

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ): Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event "A outputs a pair (m, σ) for which Vf returns true".

Clearly Adv^{euf-cma}_{FDH}(A) = Pr[S0].

[41/77]

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q): Create an initially empty list called H-List. If (q, r) ∈ H-List, return r. Otherwise reply using
   Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m): r ← H(m). Reply using
   Rule S(1): σ ← f^{-1}(r).

Verification oracle Vf(m, σ): r ← H(m). Return true if r = f(σ). The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

[42/77]

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

   c ←$ {1, ..., q_H + q_S + 1}

Let c' = index of the first query where the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A. If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query his output message m.

   Pr[S2] = Pr[S1 ∧ GoodGuess]
          = Pr[S1 | GoodGuess] × Pr[GoodGuess]
          ≥ Pr[S1] × 1/(q_H + q_S + 1)

[43/77]

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): If this is the c-th query, set r ← y. Otherwise choose r at random. Add record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, Pr[S3] = Pr[S2].

[44/77]


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): If this is the c-th query, set r ← y and s ← ⊥. Otherwise choose random s ←$ X and compute r ← f(s). Add record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

[45/77]


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5): Lookup (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4]. Moreover:

- the simulation can be done computing (q_S + q_H) evaluations of f,
- a signature forgery for y gives a preimage for y,

   Pr[S5] = Adv^{ow}_f(B)

where B = G5 runs in time t + (q_S + q_H) · T_f.

[46/77]



Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

   Adv^{ow}_f(B) = Pr[S5] = Pr[S4] = Pr[S3] = Pr[S2]
                 ≥ 1/(q_H + q_S + 1) × Pr[S1]
                 ≥ 1/(q_H + q_S + 1) × Pr[S0]
                 = 1/(q_H + q_S + 1) × Adv^{euf-cma}_{FDH}(A)

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

[47/77]
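As an added example (not code from the slides or from Bellare and Rogaway), the following Python sketch instantiates the FDH scheme (K, S, V) from the Full-Domain Hash slide with a constructed, deliberately tiny and insecure toy RSA permutation, and implements the adversary B of game G5: it programs the challenge y into the c-th fresh hash query (Rule H(4)), answers signing queries from stored preimages without f^{-1} (Rule S(5)), and recovers a preimage of y when the forgery lands on the guessed index. The function names, the toy parameters, the counter-mode SHA-256 used to hash onto X, and the cheating forger (which uses the trapdoor only so the reduction's mechanics can be run end to end) are all assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy RSA trapdoor permutation f over X = Z_N (tiny and NOT secure; illustration only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K_BITS = N.bit_length()


def f(x: int) -> int:
    """Public direction of the trapdoor permutation (RSA forward)."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Private direction; only the signer (or the cheating toy forger below) holds D."""
    return pow(y, D, N)


def full_domain_hash(m: bytes) -> int:
    """H: {0,1}* -> X. Counter-mode SHA-256 with rejection sampling so the output is uniform on Z_N
    (an assumption of this example; the slides only require H to map onto X)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(m + ctr.to_bytes(4, "big")).digest()
        h = int.from_bytes(digest, "big") >> (256 - K_BITS)
        if h < N:
            return h
        ctr += 1


# The FDH scheme (K, S, V) instantiated with the real hash: S = f^{-1}(H(m)), V checks f(sigma) = H(m).
def fdh_sign(m: bytes) -> int:
    return f_inv(full_domain_hash(m))


def fdh_verify(m: bytes, sigma: int) -> bool:
    return f(sigma) == full_domain_hash(m)


class ReductionB:
    """Adversary B of game G5: given y = f(x), it runs A while simulating H (Rule H(4)) and
    S (Rule S(5)) without f^{-1}, and outputs a preimage of y if A forges on the c-th hashed message."""

    def __init__(self, y: int, c: int):
        self.y, self.c = y, c
        self.h_list = {}      # q -> (s, r): r = H(q) and s = f^{-1}(r), or s = None for the challenge slot
        self.queries = 0

    def H(self, q: bytes) -> int:
        if q in self.h_list:
            return self.h_list[q][1]
        self.queries += 1
        if self.queries == self.c:          # Rule H(4): program the challenge into the c-th fresh query
            s, r = None, self.y
        else:
            s = secrets.randbelow(N)        # uniform s in X; r = f(s) is uniform because f is a permutation
            r = f(s)
        self.h_list[q] = (s, r)
        return r

    def S(self, m: bytes) -> int:
        self.H(m)
        s, _ = self.h_list[m]
        if s is None:                       # the guessed index was a signing query: bad guess, abort
            raise RuntimeError("abort: guessed index was asked to the signing oracle")
        return s                            # Rule S(5): sign from the stored preimage, no f^{-1} needed

    def run(self, adversary):
        try:
            m, sigma = adversary(self.H, self.S)
        except RuntimeError:
            return None
        self.H(m)                           # verification oracle Vf hashes m (it counts as a query)
        if self.h_list[m][1] == self.y and f(sigma) == self.y:
            return sigma                    # a valid forgery on the challenge slot is a preimage of y
        return None


def toy_forger(H, S):
    """Constructed forger that cheats with the trapdoor so the reduction can be exercised:
    it hashes three messages, asks for a signature on the first, and forges on the third."""
    msgs = [b"pay 1", b"pay 2", b"pay 3"]
    digests = [H(m) for m in msgs]
    S(msgs[0])
    return msgs[2], f_inv(digests[2])


def reduction_success_indices(x: int, qh: int, qs: int):
    """Run B once for every guess c in 1..qh+qs+1 and report which guesses recover x = f^{-1}(y):
    exactly one index succeeds, which is the 1/(q_H + q_S + 1) loss of the theorem."""
    y = f(x)
    hits = []
    for c in range(1, qh + qs + 2):
        out = ReductionB(y, c).run(toy_forger)
        if out is not None and out == x:
            hits.append(c)
    return hits
```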

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

   Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

where

- A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
- T_f is the time to compute f (in the forward direction),
- B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?

[48/77]


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

- at most 2^75 operations (t),
- at most 2^55 hash queries (q_h), and
- at most 2^30 signing queries (q_s).

   Adv^{euf-cma}_{FDH}(A) ≤ (q_h + q_s + 1) · Adv^{ow}_f(B)

   B runs in time t' = t + (q_h + q_s) · T_f

The result now says:

Interpreting the Result: If one can break the scheme within time t, then one can invert f within time t' ≤ (q_h + q_s + 1)(t + (q_h + q_s) · T_f) ≤ 2^130 + 2^110 · T_f.

[49/77]

                                                                                              Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110}\cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s\cdot e\cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. So inverting $f$ can be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

Goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the IND-CCA game (a challenger/adversary diagram on the original slide) proceeds as follows:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; $k_e$ is given to the adversary.

Adversary: may submit ciphertexts $c$ to the decryption oracle and receive $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\perp$. CCA1: only before the challenge. CCA2: also after the challenge, for any $c \ne c^*$.

Adversary → Challenger: $m_0, m_1$. Challenger → Adversary: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$.

Adversary outputs $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' = b\big]$

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from message space $\mathcal{M}$.

From ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m)\ :\ A(k_e, c) = m\big]$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
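The IND-CCA game defined above and the two failures just listed (a deterministic scheme cannot be IND-CPA; a multiplicative scheme cannot be IND-CCA) can be exercised directly. The following Python is an added example, not code from the slides. It assumes a constructed toy textbook-RSA instance (tiny primes, no padding, insecure by design) as the scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ and implements the challenger with a CCA2 decryption oracle that answers $\perp$ on the challenge itself. Both failures are shown on textbook RSA, which is multiplicative in the same way as ElGamal; a random-guessing adversary is included as the baseline.

```python
import secrets

# Constructed toy textbook-RSA instance: tiny primes, no padding.  It exists only so
# that the game below has a concrete (K, E, D) to run; it is not a usable scheme.
P, Q, RSA_E = 10007, 10009, 65537
N = P * Q
RSA_D = pow(RSA_E, -1, (P - 1) * (Q - 1))   # Python 3.8+


def keygen():
    """K: returns (k_e, k_d)."""
    return (N, RSA_E), (N, RSA_D)


def encrypt(ke, m):
    """E_{k_e}(m): deterministic, so equal plaintexts give equal ciphertexts."""
    n, e = ke
    return pow(m, e, n)


def decrypt(kd, c):
    """D_{k_d}(c)."""
    n, d = kd
    return pow(c, d, n)


def ind_cca2_game(adversary, trials=32):
    """Runs the IND-CCA2 game `trials` times and returns the empirical Pr[b' = b].
    The adversary exposes choose(ke, dec_oracle) -> (m0, m1) and
    guess(ke, c_star, dec_oracle) -> b'."""
    wins = 0
    for _ in range(trials):
        ke, kd = keygen()
        b = secrets.randbelow(2)
        state = {"c_star": None}

        def dec_oracle(c):
            # The one ciphertext the oracle refuses is the challenge (CCA2 rule).
            if state["c_star"] is not None and c == state["c_star"]:
                return None                      # the slide's ⊥
            return decrypt(kd, c)

        m0, m1 = adversary.choose(ke, dec_oracle)
        if m0 == m1 or not (0 < m0 < N and 0 < m1 < N):
            raise ValueError("adversary must submit two distinct valid messages")
        state["c_star"] = encrypt(ke, m1 if b else m0)
        b_guess = adversary.guess(ke, state["c_star"], dec_oracle)
        wins += int(b_guess == b)
    return wins / trials


class ReencryptionAdversary:
    """Uses only k_e (a CPA adversary): because E is deterministic it re-encrypts
    m0 and compares with the challenge.  Wins with probability 1."""
    def choose(self, ke, dec_oracle):
        return 2, 3

    def guess(self, ke, c_star, dec_oracle):
        return 0 if encrypt(ke, 2) == c_star else 1


class MalleabilityAdversary:
    """Uses the decryption oracle (a CCA2 adversary): E(2*m) = E(2)*E(m) mod n,
    so decrypting the related ciphertext c_star * E(2) reveals 2*m_b."""
    def choose(self, ke, dec_oracle):
        return 5, 7

    def guess(self, ke, c_star, dec_oracle):
        n, _ = ke
        assert dec_oracle(c_star) is None        # the challenge itself is refused
        related = (c_star * encrypt(ke, 2)) % n  # != c_star, so the oracle answers
        return 0 if dec_oracle(related) == (2 * 5) % n else 1


class GuessingAdversary:
    """Ignores everything and guesses: the baseline Pr[b' = b] of about 1/2."""
    def choose(self, ke, dec_oracle):
        return 2, 3

    def guess(self, ke, c_star, dec_oracle):
        return secrets.randbelow(2)


if __name__ == "__main__":
    for adv in (ReencryptionAdversary(), MalleabilityAdversary(), GuessingAdversary()):
        print(f"{type(adv).__name__:24s} Pr[b' = b] = {ind_cca2_game(adv):.2f}")
```

The advantage printed is the raw $\Pr[b' = b]$ of the definition above; the first two adversaries reach 1, the guessing baseline hovers around 1/2. Replacing `encrypt` with a randomised, non-malleable scheme is what the OAEP material that follows is about.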


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: Compute $x, y$ (the OAEP padding of $m$ with randomness $r$), then return $c = f(x \| y)$.

$\mathcal{D}(c)$: Compute $x \| y = f^{-1}(c)$, invert OAEP, then check redundancy.
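As an added example (not code from the slides or from Bellare and Rogaway), the following Python implements $f$-OAEP as just defined, using the standard Bellare-Rogaway padding $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$. Assumptions: $f$ is textbook RSA on a constructed modulus built from two Mersenne primes ($2^{61}-1$ and $2^{89}-1$), far too small for real use; $G$ and $H$ are SHA-256-based stand-ins for the random oracles; and the parameters are $n = 128$, $k_0 = k_1 = 32$. The decryptor applies both checks a practitioner needs: that $f^{-1}(c)$ fits in $n$ bits at all, and that the $k_1$ zero bits of redundancy are intact. The usage at the end shows a related ciphertext $c \cdot f(2)$ (the multiplicativity mentioned for the raw schemes above) being rejected rather than decrypted.

```python
import hashlib
import secrets

# f: textbook RSA on a constructed ~150-bit modulus (two Mersenne primes).  It only
# plays the role of the trapdoor one-way permutation f; it is far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # the trapdoor; Python 3.8+

# OAEP parameters in bits: n > k0 + k1, and any n-bit x||y is < N.
n, k0, k1 = 128, 32, 32
MLEN = n - k0 - k1                           # plaintext length: 64 bits
ZERO_TAIL = bytes(k1 // 8)                   # the 0^{k1} redundancy


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0); SHA-256-based stand-in for the random oracle."""
    return hashlib.sha256(b"G" + r).digest()[: (n - k0) // 8]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0; likewise SHA-256-based."""
    return hashlib.sha256(b"H" + x).digest()[: k0 // 8]


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def f(xy):
    return pow(xy, E, N)


def f_inv(c):
    return pow(c, D, N)


def oaep_encrypt(m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y).
    r is k0 fresh random bits unless supplied (supply it only for reproducible tests)."""
    if len(m) * 8 != MLEN:
        raise ValueError(f"message must be exactly {MLEN} bits")
    r = secrets.token_bytes(k0 // 8) if r is None else r
    x = xor(m + ZERO_TAIL, G(r))
    y = xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))


def oaep_decrypt(c):
    """D(c): x || y = f^-1(c), invert the padding, check the redundancy.
    Returns the message, or None (the slide's ⊥) when any check fails."""
    if not 0 <= c < N:
        return None
    xy = f_inv(c)
    if xy >= 1 << n:                         # preimage is not an n-bit string
        return None
    xy = xy.to_bytes(n // 8, "big")
    x, y = xy[: (n - k0) // 8], xy[(n - k0) // 8:]
    r = xor(y, H(x))                         # recover r from y
    mz = xor(x, G(r))                        # recover m || z from x
    m, z = mz[: MLEN // 8], mz[MLEN // 8:]
    if z != ZERO_TAIL:                       # redundancy check
        return None
    return m


if __name__ == "__main__":
    msg = b"OAEP-msg"                         # 8 bytes = 64 bits (constructed sample)
    c1, c2 = oaep_encrypt(msg), oaep_encrypt(msg)
    print("randomised:", c1 != c2, "decrypts:", oaep_decrypt(c1) == msg)
    related = (c1 * f(2)) % N                # multiplicativity of f does not survive the padding
    print("related ciphertext accepted:", oaep_decrypt(related) is not None)
```

Two encryptions of the same message differ (fresh $r$), so the re-encryption test that breaks a deterministic scheme no longer works, and a mauled ciphertext fails the redundancy check with probability about $1 - 2^{-k_1}$; what the reduction on the next slides quantifies is how much that protection costs in terms of the hardness of inverting $f$.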


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2\cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2\cdot t + q_H(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

So inverting $f$ can be done in time $t' \le 2^{76} + 6\cdot 2^{110}\cdot k^2 \le 2^{113}\cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (xor between random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider block cipher $E$ as a family of perfectly random and independent permutations.


Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
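The arithmetic in the two Full-Domain Hash interpretations (basic and Coron reductions), the RSA-OAEP result and the RSA-OAEP++ result above is the same exercise four times: plug the feasible adversary resources into the reduction's time bound and compare with the cost of the best known attack on RSA (NFS). The following Python is an added example, not code from the slides, that does this for all four reductions with the figures quoted above ($t = 2^{75}$; $q_h = q_H = q_G = q_E = 2^{55}$; $q_s = 2^{30}$; NFS at $2^{80}$, $2^{111}$ and $2^{149}$ for 1024, 2048 and 4096 bits). One assumption is made explicit as a parameter: the cost $T_f$ of one evaluation of RSA is taken as $k^3$ in the first FDH interpretation but is written as $k^2$ in the OAEP and OAEP++ bounds, and the Coron figures are only reproduced with $k^2$, so `exponent` selects the model. As in the Coron interpretation above, the constant $e$ of Coron's bound is dropped from the time estimate.

```python
import math

# Feasible adversary resources assumed on the slides (log2 values).
T_LOG2 = 75    # t:  at most 2^75 operations
QH_LOG2 = 55   # q_h, q_H, q_G: at most 2^55 hash queries
QS_LOG2 = 30   # q_s: at most 2^30 signing queries
QE_LOG2 = 55   # q_E: at most 2^55 ideal-cipher queries (OAEP++)

# Cost of the best known attack on k-bit RSA (NFS), log2, as quoted on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def t_f(k, exponent):
    """T_f: cost of one evaluation of f = RSA on a k-bit modulus, modelled as k**exponent."""
    return k ** exponent


def fdh_basic_log2(k, exponent=3):
    """Basic FDH reduction (Bellare-Rogaway): loss (q_h+q_s+1), B runs in t + (q_h+q_s) T_f."""
    t, qh, qs = 2**T_LOG2, 2**QH_LOG2, 2**QS_LOG2
    return math.log2((qh + qs + 1) * (t + (qh + qs) * t_f(k, exponent)))


def fdh_coron_log2(k, exponent=2):
    """Coron's FDH reduction: loss q_s (the constant e is dropped, as on the slide),
    B runs in t + (q_h+q_s+1) T_f."""
    t, qh, qs = 2**T_LOG2, 2**QH_LOG2, 2**QS_LOG2
    return math.log2(qs * (t + (qh + qs + 1) * t_f(k, exponent)))


def rsa_oaep_log2(k, exponent=2):
    """RSA-OAEP (Fujisaki-Okamoto-Pointcheval-Stern): B runs in 2t + q_H (2 q_G + q_H) k^2."""
    t, qh, qg = 2**T_LOG2, 2**QH_LOG2, 2**QH_LOG2
    return math.log2(2 * t + qh * (2 * qg + qh) * t_f(k, exponent))


def rsa_oaep_pp_log2(k, exponent=2):
    """RSA-OAEP++ (Jonsson): B runs in t + q_E k^2."""
    return math.log2(2**T_LOG2 + 2**QE_LOG2 * t_f(k, exponent))


def justified(k, tprime_log2):
    """The reduction rules out the adversary only if the inverter it yields would beat
    the best known attack, i.e. t' < NFS(k).  Otherwise the proof says nothing useful."""
    return tprime_log2 < NFS_LOG2[k]


REDUCTIONS = {
    "RSA-FDH (basic)": fdh_basic_log2,
    "RSA-FDH (Coron)": fdh_coron_log2,
    "RSA-OAEP": rsa_oaep_log2,
    "RSA-OAEP++": rsa_oaep_pp_log2,
}


def minimum_key_size(bound_fn):
    """Smallest of the three key sizes for which the reduction justifies the scheme,
    or None: the "secure for keys at least ..." line of each slide."""
    for k in sorted(NFS_LOG2):
        if justified(k, bound_fn(k)):
            return k
    return None


def table():
    """log2 of t' and the verdict for every reduction and key size."""
    return {name: {k: (round(fn(k), 1), justified(k, fn(k))) for k in sorted(NFS_LOG2)}
            for name, fn in REDUCTIONS.items()}


if __name__ == "__main__":
    for name, row in table().items():
        cells = "  ".join(f"{k}: 2^{v:6.1f} {'ok' if j else 'no'}" for k, (v, j) in row.items())
        print(f"{name:16s} {cells}   -> min key {minimum_key_size(REDUCTIONS[name])}")
```

The exact exponents differ slightly from the rounded figures on the slides (the slides round up), but the verdict column and the minimum key size per reduction come out the same, and changing `exponent` or the resource constants shows immediately how sensitive the key-size recommendation is to the tightness of the reduction.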


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices


                                                                                              Part V

                                                                                              Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield (absolute) proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security (cont.)

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                                                              Part VI

                                                                                              References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.


J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987. 11-15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

                                                                                              7277

                                                                                              S Goldwasser and S MicaliProbabilistic encryptionJournal of Computer and System Science 28270ndash299 1984

                                                                                              S Goldwasser S Micali and R RivestA digital signature scheme secure against adaptivechosen-message attacksSiam Journal of Computing 17(2)281ndash308 Apr 1988

                                                                                              T Holenstein R Kunzler and S TessaroThe equivalence of the random oracle model and the idealcipher model revisitedIn Proceedings of the 43rd annual ACM symposium on Theoryof computing pages 89ndash98 ACM 2011

                                                                                              7377

                                                                                              J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                                                                              A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                                                                              V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                                                                              7477

                                                                                              P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                              K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                              D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                              7577

                                                                                              R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                              C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                              V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                              7677

                                                                                              V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                              S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                              7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

• Hash functions
• Block ciphers
• Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

• Hash function → Random oracle
• Block ciphers → Ideal cipher
• Finite groups → Generic group

Standard model: no idealized primitives (sort of).


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. A hash function $H : \{0,1\}^* \to \mathrm{Rec}(H)$ (Rec(H) denotes the range of $H$) is analyzed as if it were a perfectly random function:

• Each new query receives a uniformly random answer in Rec(H).
• The same query asked twice receives the same answer twice.

But in the actual scheme $H$ is replaced by a concrete cryptographic hash function (SHA-1, RIPEMD-160, etc. at the time of these slides; today SHA-256 or SHA-3). The proof says nothing about this replacement.

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]
2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof about the deployed scheme, only a heuristic. There exist (contrived) schemes that are provably secure in the random oracle model but insecure under every concrete instantiation of $H$ [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

• $\mathcal{K}$: Key generation returns $(f, f^{-1})$, where the public key $f : X \to X$ is a trapdoor one-way permutation onto $X$ and the private key $f^{-1}$ is its trapdoor inverse.
• $\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$.
• $\mathcal{V}$: Verification of $(m, \sigma)$ returns true iff $f(\sigma) = H(m)$.

Here $H : \{0,1\}^* \to X$ is a hash function whose range is the whole domain $X$ of $f$ (hence "full-domain").


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a trapdoor one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_H + q_S + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B),$$

where

• $A$ runs in time $t$, makes $q_H$ queries to the hash function (RO) and $q_S$ signature queries;
• $T_f$ is the time to compute $f$ (in the forward direction);
• $B$ runs in time $t' = t + (q_H + q_S) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games (experiments).
2. All games are defined over the same probability space.
3. Only the rules by which the adversary's view is computed differ from game to game.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends its candidate forgery $(m, \sigma)$ here. (As in the EUF-CMA definition, $m$ must not have been submitted to the signing oracle.)

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below. H-List is a list, initially empty.

Hashing oracle $H(q)$:
  If $(q, r) \in$ H-List, return $r$. Otherwise reply using
  Rule H(1): $r \xleftarrow{\$} X$, add the record $(q, r)$ to H-List and return $r$.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$. Reply using
  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$:
  $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$V_f$ returns true in $G_1$". Lazy sampling produces exactly the distribution of a random oracle, so the view of $A$ is unchanged and $\Pr[S_1] = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

• $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$ is chosen at the start;
• $c'$ is the index of the first query (made directly by $A$, or by the signing or verification oracle on A's behalf) at which the message $m'$ of A's forgery was sent to the hashing oracle;
• if $c \ne c'$ then abort.

Since verification happens inside the game, the forged message $m'$ is always queried to $H$ (at the latest by $V_f$), so $c'$ is well defined and at most $q_H + q_S + 1$. Let GoodGuess be the event $c = c'$. Then

$$\Pr[S_2] = \Pr[S_1 \wedge \text{GoodGuess}] = \Pr[S_1 \mid \text{GoodGuess}] \cdot \Pr[\text{GoodGuess}] \ge \Pr[S_1] \cdot \frac{1}{q_H + q_S + 1}$$

(in fact with equality, because $c$ is drawn independently of A's view, so $\Pr[S_1 \mid \text{GoodGuess}] = \Pr[S_1]$).


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the one-wayness challenge, i.e. $y = f(x)$ for $x \xleftarrow{\$} X$, from which we want to extract the preimage $x$.

Rule H(3): if this is the $c$-th (fresh) query, set $r \leftarrow y$; otherwise choose $r \xleftarrow{\$} X$. Add the record $(q, \perp, r)$ to H-List (the middle field, unused so far, will later hold a known preimage of $r$).

Since $f$ is a permutation and $x$ is uniform, $y$ is uniformly distributed in $X$, exactly like the answer chosen in Rule H(1); hence $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4): if this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $f$ is a permutation and $s$ is uniform in $X$, $r = f(s)$ is uniform in $X$ as in $G_3$, and the position of $y$ is unchanged. Hence $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

The only record with $s = \perp$ is the $c$-th query. If $A$ asks the signing oracle for that message, it cannot be the forgery message $m'$ (a valid forgery is on a message never submitted to $S$), so $c \ne c'$ and the abort of $G_2$ applies anyway; in every non-aborted run the lookup succeeds. Hence $\Pr[S_5] = \Pr[S_4]$. Moreover:

• the simulation can be done computing $(q_S + q_H)$ evaluations of $f$ and no evaluation of $f^{-1}$;
• a successful forgery $(m', \sigma)$ satisfies $f(\sigma) = H(m') = y$, so $\sigma$ is a preimage of $y$;
• therefore $\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where $B$ is the algorithm that runs $G_5$ and outputs $\sigma$, in time $t + (q_S + q_H) \cdot T_f$.

Chaining the games gives the theorem:

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0] = \Pr[S_1] \le (q_H + q_S + 1)\Pr[S_2] = (q_H + q_S + 1)\Pr[S_5] = (q_H + q_S + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B).$$


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1]
\ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0]
= \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
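As an added example (not from the slides), the inverter B of games G4 and G5 written out in Python: it simulates the hash and signing oracles for a forger without ever using $f^{-1}$, plants its challenge y at the c-th hash query, and turns a forgery on that message into a preimage of y. A toy RSA with constructed small primes stands in for f, and the forger is a constructed one that cheats with the trapdoor so a run can complete; the $1/(q_H + q_S + 1)$ loss appears as the runs where B guesses c wrongly and learns nothing.

```python
import random

# Toy RSA standing in for the one-way permutation f (constructed parameters;
# far too small for real use, chosen only so the reduction is easy to follow).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the trapdoor: the reduction B never uses it


def f(x):
    """Forward direction of the trapdoor permutation (public, cheap)."""
    return pow(x, E, N)


class ReductionB:
    """Inverter B from games G4/G5: simulates the FDH hash and signing oracles
    for a forger without computing f^{-1}, planting its challenge y at the
    c-th fresh hash query."""

    def __init__(self, y, c, rng):
        self.y = y            # challenge: find s with f(s) = y
        self.c = c            # guess: the forgery will be on the c-th hashed message
        self.rng = rng
        self.hlist = {}       # H-List: message -> (s, r); s is None (bottom) for the c-th query
        self.nqueries = 0

    def hash_oracle(self, m):
        """Rule H(4): r = f(s) for a fresh random s, except r = y at the c-th query."""
        if m in self.hlist:                  # repeated query: answer consistently
            return self.hlist[m][1]
        self.nqueries += 1
        if self.nqueries == self.c:
            s, r = None, self.y
        else:
            s = self.rng.randrange(1, N)
            r = f(s)                         # one evaluation of f per fresh query
        self.hlist[m] = (s, r)
        return r

    def sign_oracle(self, m):
        """Rule S(5): the signature is the recorded preimage s of H(m)."""
        self.hash_oracle(m)                  # make sure m is on H-List
        s, _ = self.hlist[m]
        if s is None:
            # Signing query on the planted message: the simulation cannot answer.
            raise RuntimeError("bad guess of c")
        return s

    def extract(self, m, sigma):
        """A valid forgery on the planted message is a preimage of y."""
        rec = self.hlist.get(m)
        if rec is not None and rec[0] is None and f(sigma) == self.y:
            return sigma
        return None


def cheating_forger(hash_oracle, sign_oracle, messages, target):
    """Constructed forger: makes q_H hash queries and q_S signing queries, then
    forges on messages[target]. It cheats by using the trapdoor D, standing in
    for an attack we do not actually have; only B's behaviour is of interest."""
    digests = {m: hash_oracle(m) for m in messages}
    for m in messages:
        if m != messages[target]:
            sigma = sign_oracle(m)
            assert f(sigma) == digests[m]    # simulated signatures verify correctly
    return messages[target], pow(digests[messages[target]], D, N)


def run_reduction(y, c, messages, target, seed=1):
    """Run B against the forger; returns a preimage of y, or None when B's
    guess c of the forgery position was wrong."""
    B = ReductionB(y, c, random.Random(seed))
    try:
        m, sigma = cheating_forger(B.hash_oracle, B.sign_oracle, messages, target)
    except RuntimeError:
        return None
    return B.extract(m, sigma)


if __name__ == "__main__":
    msgs = [b"transfer 10", b"transfer 20", b"transfer 30", b"revoke key"]
    y = f(4242)                              # constructed challenge with a known answer
    print(run_reduction(y, c=3, messages=msgs, target=2))   # right guess: 4242
    print(run_reduction(y, c=1, messages=msgs, target=2))   # wrong guess: None
```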

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)
$$

where
- A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,
- $T_f$ is the time to compute f (in the forward direction),
- B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are
- at most $2^{75}$ operations (t),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B),
\qquad B \text{ runs in time } t' = t + (q_h + q_s) \cdot T_f
$$

The result now says:

Interpreting the Result
If one can break the scheme with time t, then one can invert f within time
$t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:
- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
- 4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)
$$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. Inverting f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and
- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:
- Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is given to the Adversary.
Adversary → Challenger: decryption queries c (CCA1 phase), answered with $m \leftarrow D_{k_d}(c)$ (m or ⊥).
Adversary → Challenger: $m_0, m_1$; Challenger computes $c^* \leftarrow E_{k_e}(m_b)$ and returns $c^*$.
Adversary → Challenger: decryption queries $c \ne c^*$ (CCA2 phase), answered with $m \leftarrow D_{k_d}(c)$ (m or ⊥).
Adversary outputs $b'$.

$$
\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]
$$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
- Let m be a random message chosen from the message space M.
- From the ciphertext $c = E_{k_e}(m)$, adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$
\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]
$$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular e-th roots)
- It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman)
- IND-CPA = DDH (Decisional Diffie-Hellman)
- It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$$
G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}, \qquad H: \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}
$$

- E(m, r): compute x, y, then return $c = f(x \| y)$.
- D(c): compute $x \| y = f^{-1}(c)$, invert OAEP, then check redundancy.
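As an added example (not the slides' own code) covering the indistinguishability game, the remark that deterministic RSA is not IND-CPA, and f-OAEP above: a Python IND-CPA game (the game of the IND-CCA slide without its decryption oracle) run against textbook RSA and against f-OAEP over a toy RSA modulus. The OAEP layers follow the Bellare-Rogaway construction, $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$, which the slide leaves as "compute x, y"; the small primes, the parameters n, k0, k1 and the SHA-256-based G and H are constructed here.

```python
import hashlib
import random

# Toy RSA as the trapdoor permutation f (constructed; far too small for real use).
P, Q = 65521, 65537
N = P * Q                 # just under 2^32, so every 31-bit input x||y is below N
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP parameters, n > k0 + k1 as on the slide (constructed values).
N_BITS, K0, K1 = 31, 8, 12
MSG_BITS = N_BITS - K0 - K1          # 11-bit messages


def f(x):
    return pow(x, E, N)


def f_inv(c):
    return pow(c, D, N)


def _mask(label, value, nbits):
    """Random-oracle stand-in: SHA-256 with a domain label, truncated to nbits."""
    h = hashlib.sha256(label + value.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << nbits) - 1)


def G(r):          # G: {0,1}^k0 -> {0,1}^(n-k0)
    return _mask(b"G", r, N_BITS - K0)


def H(x):          # H: {0,1}^(n-k0) -> {0,1}^k0
    return _mask(b"H", x, K0)


def oaep_encrypt(m, r):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    assert 0 <= m < (1 << MSG_BITS) and 0 <= r < (1 << K0)
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return f((x << K0) | y)


def oaep_decrypt(c):
    """D(c): x || y = f^{-1}(c), invert the OAEP layers, then check the k1-bit
    zero redundancy; returns None (reject) when the check fails."""
    w = f_inv(c)
    if w >> N_BITS:                          # not an n-bit string at all: reject
        return None
    x, y = w >> K0, w & ((1 << K0) - 1)
    r = y ^ H(x)
    mz = x ^ G(r)
    if mz & ((1 << K1) - 1):                 # redundancy 0^k1 must be intact
        return None
    return mz >> K1


def textbook_rsa_encrypt(m, r):
    """Deterministic RSA: the randomness r is ignored."""
    return f(m)


def ind_cpa_game(encrypt, adversary, rng):
    """One run of the indistinguishability game without a decryption oracle.
    Returns True when the adversary's guess b' equals the challenger's bit b."""
    b = rng.randrange(2)
    m0, m1 = adversary.choose()
    c_star = encrypt((m0, m1)[b], rng.randrange(1 << K0))
    return adversary.guess(c_star) == b


class ReEncryptAdversary:
    """Uses only the public key: re-encrypts m0 and compares with the challenge.
    This wins every run against a deterministic scheme and is no better than a
    coin flip once the encryption is randomized."""

    def choose(self):
        return 1, 2

    def guess(self, c_star):
        return 0 if c_star == f(1) else 1


def win_rate(encrypt, runs=200, seed=7):
    """Fraction of game runs won by ReEncryptAdversary against `encrypt`."""
    rng = random.Random(seed)
    adv = ReEncryptAdversary()
    return sum(ind_cpa_game(encrypt, adv, rng) for _ in range(runs)) / runs


if __name__ == "__main__":
    print("textbook RSA:", win_rate(textbook_rsa_encrypt))   # 1.0
    print("f-OAEP      :", win_rate(oaep_encrypt))           # about 0.5
    print(oaep_decrypt(oaep_encrypt(1234, 0x5A)))            # 1234
```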

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$
\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}
$$

where B runs in time $t' = 2 \cdot t + q_H(2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and
- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are
- at most $2^{75}$ operations (t),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and
- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77


Security Models

Sometimes it is helpful to consider models where some tools (primitives) used by cryptographic schemes, such as

Hash functions

Block ciphers

Finite groups

are considered to be ideal, that is, the adversary can only use (attack) them in a certain way.

⇒ Idealized Security Models

Hash function → Random oracle

Block ciphers → Ideal cipher

Finite groups → Generic group

Standard model: no idealized primitives (sort of).

36/77

Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function H: {0,1}* → Rec(H) is analyzed as if it were a perfectly random function:

Each new query receives a random answer in Rec(H).

The same query asked twice receives the same answer twice.

But in the actual scheme, H is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98, 04].

37/77


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

K: Key Generation returns (f, f^{-1}) where the public key is f: X → X, a trapdoor one-way permutation onto X, and the private key is f^{-1}.

S: Signature of m returns σ ← f^{-1}(H(m)).

V: Verification of (m, σ) returns true if f(σ) = H(m).

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

                                                                                                  Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$:

Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here (as in EUF-CMA, $m$ must not have been submitted to the signing oracle).

Let $S_0$ be the event

"A outputs a pair $(m, \sigma)$ for which $V_f$ returns true"

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:

Create an initially empty list called H-List.
If $(q, r) \in$ H-List, return $r$.
Otherwise reply using
Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:

$r \leftarrow H(m)$. Reply using
Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$:

$r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$: a lazily sampled list is distributed exactly like a random function, so A's view is unchanged.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle, whether directly by A or on A's behalf by the signing or verification oracle.

If $c \neq c'$ then abort.

Success verification is within the game $\Rightarrow$ the adversary's output message $m'$ is necessarily queried to $H$ (at the latest by $V_f$), so $c'$ is well defined and at most $q_H + q_S + 1$. Let GoodGuess be the event $c = c'$. Since $c$ is drawn independently of A's view, $\Pr[S_1 \mid \mathrm{GoodGuess}] = \Pr[S_1]$, and therefore

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \geq \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$ (i.e. find $x$ with $f(x) = y$).

Rule H(3):

If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since $y$ is itself uniformly distributed in $X$ (it is the image under the permutation $f$ of a uniformly random point), answering the $c$-th query with $y$ is distributed exactly like a random answer, so $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$.
Otherwise choose $s \xleftarrow{\$} X$ at random and compute $r \leftarrow f(s)$.
Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, $r = f(s)$ is again uniform in $X$, so $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th hash query is on the forgery message $m'$ (otherwise the game has already aborted in $G_2$), and a valid EUF-CMA forgery is never on a message submitted to the signing oracle, the only entry with $s = \perp$ is never needed by $S$, hence $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery $(m', \sigma)$ with $H(m') = y$ gives a preimage of $y$, since $f(\sigma) = y$;

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where $B$ (the simulator of $G_5$ running A inside it) runs in time $t + (q_S + q_H) \cdot T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]$

$\geq \frac{1}{q_H + q_S + 1} \times \Pr[S_1]$

$= \frac{1}{q_H + q_S + 1} \times \Pr[S_0]$

$= \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general the games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
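The reduction $B$ from games $G_2$ to $G_5$ can be run as code. The following is an added example, not part of the slides or of [Pointcheval 2005]: it implements the $G_5$ simulator (rules H(4) and S(5) plus the $G_2$ guess and abort) against a stand-in adversary. Everything in it is constructed for illustration: $f$ is textbook RSA with a toy modulus $N = 61 \cdot 53$ (not secure, only a cheap permutation of $\mathbb{Z}_N$), and the hypothetical forger `cheating_forger` is simply handed the RSA trapdoor so that it can forge at all. The point is that $B$ itself never calls $f^{-1}$, and that a forgery on the programmed message is exactly a preimage of the challenge $y$; sweeping the guess $c$ over $\{1, \ldots, q_H + q_S + 1\}$ shows that exactly one value of $c$ succeeds, which is the $1/(q_H + q_S + 1)$ loss of the bound.

```python
"""Added example (not from the slides): the game-G5 simulator of the FDH proof, as code.

Constructed assumptions: toy RSA modulus N = 61*53 as the permutation f (NOT secure);
'cheating_forger' is a stand-in for the EUF-CMA adversary A and is given the trapdoor D
only so that it can produce forgeries. The reduction B never uses f_inv.
"""
import secrets

N = 61 * 53            # toy RSA modulus (constructed)
E = 17                 # public exponent
D = 2753               # E*D = 1 mod lcm(60, 52); used ONLY by the cheating forger


def f(x):
    """The one-way permutation, forward direction (cost T_f)."""
    return pow(x, E, N)


def f_inv(y):
    """The trapdoor. The reduction must never call this; only the stand-in forger does."""
    return pow(y, D, N)


class AbortGuess(Exception):
    """Game G2 abort: the c-th hash query turned out not to be the forgery message."""


class ReductionB:
    """Simulates H and Sign for A (rules H(4) and S(5)), embedding the OW challenge y at the
    c-th fresh hash query. H-List maps m -> (s, r) with r = f(s), or (None, y) for the guess."""

    def __init__(self, y, c):
        self.y, self.c = y, c
        self.hlist = {}
        self.fresh = 0       # distinct messages hashed so far (by A, by Sign, or by Vf)

    def H(self, m):
        if m in self.hlist:                    # repeated query: same answer, like a real RO
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:               # rule H(4): program y here, preimage unknown
            s, r = None, self.y
        else:                                  # rule H(4): r = f(s) for a fresh random s
            s = secrets.randbelow(N - 1) + 1
            r = f(s)
        self.hlist[m] = (s, r)
        return r

    def sign(self, m):
        self.H(m)                              # the signing oracle hashes m first
        s, _ = self.hlist[m]
        if s is None:                          # A wants a signature on the guessed message,
            raise AbortGuess(m)                # so it cannot be the forgery: c != c', abort
        return s                               # rule S(5): no f^{-1} needed

    def extract(self, m, sigma):
        """Final Vf query: a valid forgery on the programmed message is a preimage of y."""
        if self.H(m) == self.y and f(sigma) == self.y:
            return sigma
        return None


def cheating_forger(H, sign, target="msg-3"):
    """Stand-in adversary: 3 direct hash queries, 2 signing queries, then a forgery on a
    message it never had signed. q_H = 3, q_S = 2, so the guess space has q_H + q_S + 1 = 6
    positions; the forgery message is the 5th fresh hash query, i.e. c' = 5."""
    for m in ("msg-0", "msg-1", "msg-2"):
        H(m)
    sign("msg-1")       # already hashed: not a fresh query
    sign("msg-4")       # fresh query, made by the signing oracle on A's behalf
    return target, f_inv(H(target))   # trapdoor use: we only pretend that A can forge


def run_reduction(y, c, forger=cheating_forger):
    """One run of B with guess c: returns a preimage x of y, or None on abort/bad guess."""
    b = ReductionB(y, c)
    try:
        m, sigma = forger(b.H, b.sign)
    except AbortGuess:
        return None
    return b.extract(m, sigma)


def sweep(y, q_total=6, forger=cheating_forger):
    """Run B for every possible guess c; exactly one value of c (c' = 5 here) succeeds."""
    return {c: run_reduction(y, c, forger) for c in range(1, q_total + 1)}


if __name__ == "__main__":
    x_secret = secrets.randbelow(N - 1) + 1
    y = f(x_secret)                       # the OW challenge: B must find x with f(x) = y
    for c, x in sweep(y).items():
        print(c, "preimage found" if x is not None and f(x) == y else "no")
```

Guesses $c = 2$ and $c = 4$ abort because the forger asks the signing oracle for the programmed message; $c = 1$, $c = 3$ and $c = 6$ produce a forgery on a message whose hash the simulator chose as $f(s)$, which is useless; only $c = 5$ yields $f(\sigma) = y$.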


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f$ = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$ (with advantage close to 1), then one can invert $f$ with comparable advantage by repeating B about $q_h + q_s + 1$ times, i.e. within time $t' \leq (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \leq 2^{130} + 2^{110} \cdot T_f$.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \leq 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small (the figures below take $T_f \approx k^3$, i.e. $2^{30}$ for 1024-bit keys).

We compare it with the known bounds on inverting RSA (namely factoring with the best known algorithm, the Number Field Sieve (NFS)) for $f$ = RSA:

1024 bits $\rightarrow$ $t' \leq 2^{140}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \leq 2^{143}$, but NFS takes $2^{111}$

4096 bits $\rightarrow$ $t' \leq 2^{146}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ With this reduction, RSA-FDH is provably secure only for keys of at least 4096 bits: for the smaller sizes the inverter obtained from a forger would be slower than NFS, so the bound guarantees nothing.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \leq q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where $e \approx 2.72$ is the base of the natural logarithm (not the RSA exponent), and B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time $t$ and makes $q_h$, $q_s$ queries. The loss now depends on $q_s$ only, not on $q_h$, so inverting $f$ can be done in time $t' \leq 2^{30} \cdot t + 2^{85} \cdot T_f$ and (the per-key figures below take $T_f \approx k^2$, the cost of a forward RSA operation with small $e$):

1024 bits $\rightarrow$ $t' \leq 2^{105}$, but NFS takes $2^{80}$

2048 bits $\rightarrow$ $t' \leq 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \leq 2^{109}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext. In the public-key setting the adversary holds the encryption key, so with unbounded time it can encrypt every candidate plaintext and compare.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can do this by himself with $k_e$).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).

This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$:

Challenger: $b \xleftarrow{\$} \{0, 1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary.

Adversary (first phase): may submit ciphertexts $c$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$ if $c$ is invalid); then outputs $(m_0, m_1)$.

Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$ to the adversary.

Adversary (second phase): may submit further ciphertexts $c \neq c^*$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$); finally outputs a bit $b'$.

CCA1: decryption queries are allowed only in the first phase (before $c^*$ is seen).

CCA2: decryption queries are allowed in both phases, with the single restriction $c \neq c^*$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks.) A random guess already achieves $\Pr[b' = b] = 1/2$, so the quantity that must stay small is the distance of this probability from $1/2$ (often normalised as $2\Pr[b' = b] - 1$).


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover $m$.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA ⇔ RSA assumption (computing modular e-th roots). It is not IND-CPA, hence not IND-CCA, since it is deterministic: an IND-CPA adversary simply re-encrypts m_0 and m_1 and compares with the challenge ciphertext.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA ⇔ CDH (Computational Diffie-Hellman). IND-CPA ⇔ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of its multiplicativity: from a ciphertext (g^r, m·h^r) anyone can form (g^r, 2m·h^r), a valid encryption of 2m, submit it to the decryption oracle and divide by 2.

Obs: CDH and DDH are easier problems than DLog (a DLog solver gives a CDH solver, which gives a DDH solver; i.e. DDH reduces to CDH, which reduces to DLog), so the CDH and DDH assumptions are correspondingly stronger than the DLog assumption.
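Worked example of the two failures listed above, added here as illustration (it is not code from the slides): a toy IND-CPA adversary against textbook RSA that wins by re-encrypting, and a toy IND-CCA adversary against ElGamal that exploits multiplicativity through the decryption oracle. The group parameters (p = 23, q = 11, g = 4), the RSA modulus 61·53 and the sample messages are constructed for illustration and are far too small for any real use.

```python
"""Added example (not the slides' own code): why textbook RSA fails IND-CPA and
why plain ElGamal fails IND-CCA.  All parameters are toy values constructed for
illustration only."""
import secrets

# ---- Textbook RSA: deterministic, hence not IND-CPA ---------------------------
RSA_N, RSA_E = 61 * 53, 17                      # toy modulus; a real one is >= 2048 bits

def rsa_encrypt(m):
    return pow(m, RSA_E, RSA_N)                  # no randomness: E(m) depends on m alone

def rsa_ind_cpa_adversary(m0, m1, c_star):
    """IND-CPA game: A chose (m0, m1) and received c* = E(m_b).  Because E is a
    function of the plaintext alone, A re-encrypts m0 and compares."""
    return 0 if rsa_encrypt(m0) == c_star else 1

# ---- ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 ----------------------
P, Q, G = 23, 11, 4                              # toy safe prime; G has order Q mod P

def eg_keygen():
    x = secrets.randbelow(Q - 1) + 1             # private exponent in [1, Q-1]
    return pow(G, x, P), x                       # public key h = g^x

def eg_encrypt(h, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P  # (g^r, m * h^r)

def eg_decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(pow(c1, x, P), -1, P)) % P  # c2 * (c1^x)^-1 = m

def eg_maul(c, k):
    """Multiplicativity: (c1, k*c2) is a valid encryption of k*m under the same r."""
    c1, c2 = c
    return c1, (k * c2) % P

def make_decrypt_oracle(x, c_star):
    """The IND-CCA decryption oracle: answers anything except the challenge itself."""
    def oracle(c):
        if c == c_star:
            raise ValueError("decryption oracle refuses the challenge ciphertext")
        return eg_decrypt(x, c)
    return oracle

def eg_ind_cca_adversary(oracle, m0, m1, c_star):
    """A never asks for c*; it asks for the mauled c' = (c1, 2*c2), receives 2*m_b,
    undoes the factor 2 and compares.  It wins with probability 1."""
    two_mb = oracle(eg_maul(c_star, 2))
    mb = (two_mb * pow(2, -1, P)) % P
    return 0 if mb == m0 else 1

def run_games(trials=20):
    """Play both games `trials` times with a fresh random bit b each time.
    Returns (rsa_wins, elgamal_wins); both adversaries win every time."""
    rsa_wins = eg_wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        m0, m1 = 42, 1000                        # constructed sample messages < RSA_N
        rsa_wins += rsa_ind_cpa_adversary(m0, m1, rsa_encrypt((m0, m1)[b])) == b
        h, x = eg_keygen()
        m0, m1 = 3, 9                            # constructed sample messages in the subgroup
        c_star = eg_encrypt(h, (m0, m1)[b])
        oracle = make_decrypt_oracle(x, c_star)
        eg_wins += eg_ind_cca_adversary(oracle, m0, m1, c_star) == b
    return rsa_wins, eg_wins

if __name__ == "__main__":
    print(run_games())                           # (20, 20): both notions are broken
```

Both adversaries are "feasible" in the strongest sense: one encryption for RSA, one oracle query and one modular inversion for ElGamal. The advantage in each game is 1, which is why these schemes are only OW-CPA (RSA) or IND-CPA (ElGamal) and why the rest of the slides look for a generic conversion to IND-CCA.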


Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

Any trapdoor one-way function yields a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So how do we obtain IND-CCA? By a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with hash functions (modelled as random oracles)

G: {0,1}^{k0} → {0,1}^{n-k0}

H: {0,1}^{n-k0} → {0,1}^{k0}

E(m; r): for a message m ∈ {0,1}^{n-k0-k1} and a fresh random r ∈ {0,1}^{k0}, compute x = (m ‖ 0^{k1}) ⊕ G(r) and y = r ⊕ H(x), then return c = f(x ‖ y).

D(c): compute x ‖ y = f^{-1}(c), invert OAEP (r = y ⊕ H(x), then m ‖ z = x ⊕ G(r)), then check the redundancy z = 0^{k1} and reject the ciphertext if it fails.
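The padding just described, as an added example (not the slides' code), instantiated with a toy RSA permutation f built from two Mersenne primes. The sizes n = 144, k0 = 48, k1 = 32 and the SHA-256-based instantiation of G and H are assumptions chosen for illustration. The point shown is that the redundancy check makes decryption reject a ciphertext that an adversary mauls through RSA's multiplicativity, which is exactly what textbook RSA could not do.

```python
"""Added example (not the slides' own code): f-OAEP with f = toy RSA.
Parameters and the choice of G and H are assumptions for illustration."""
import hashlib
import secrets

P_TOY, Q_TOY = (1 << 61) - 1, (1 << 89) - 1  # Mersenne primes: N has 150 bits (toy size)
N = P_TOY * Q_TOY
E = 65537
D = pow(E, -1, (P_TOY - 1) * (Q_TOY - 1))   # trapdoor f^{-1}

N_BITS, K0, K1 = 144, 48, 32                 # n > k0 + k1, and n < |N| so x||y < N always
M_BITS = N_BITS - K0 - K1                    # 64-bit messages

def _mask(label, seed_bytes, out_bits):
    """G and H built from SHA-256 with domain separation (an assumption)."""
    digest = hashlib.sha256(label + seed_bytes).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)

def G(r):                                    # {0,1}^k0 -> {0,1}^(n-k0)
    return _mask(b"G", r.to_bytes(K0 // 8, "big"), N_BITS - K0)

def H(x):                                    # {0,1}^(n-k0) -> {0,1}^k0
    return _mask(b"H", x.to_bytes((N_BITS - K0) // 8, "big"), K0)

def oaep_encrypt(m, r=None):
    """E(m; r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if not 0 <= m < (1 << M_BITS):
        raise ValueError("message must fit in n - k0 - k1 bits")
    if r is None:
        r = secrets.randbits(K0)             # fresh randomness: same m gives new c
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return pow((x << K0) | y, E, N)

def oaep_decrypt(c):
    """D(c): invert f, invert OAEP, check the k1-bit redundancy.  Returns None
    (reject) if the plaintext is not a well-formed n-bit OAEP encoding."""
    xy = pow(c, D, N)
    if xy >> N_BITS:                         # not an n-bit string: reject
        return None
    x, y = xy >> K0, xy & ((1 << K0) - 1)
    r = y ^ H(x)
    mz = x ^ G(r)
    if mz & ((1 << K1) - 1):                 # z != 0^k1: reject
        return None
    return mz >> K1

def maul(c, factor=2):
    """RSA multiplicativity: factor^e * c = f(factor * (x||y)).  Against textbook
    RSA this yields the encryption of 2m; against OAEP it yields a ciphertext
    whose decoded redundancy is garbage, so D rejects it."""
    return (c * pow(factor, E, N)) % N

if __name__ == "__main__":
    m = 0xDEADBEEFCAFEF00D                   # constructed sample message
    c = oaep_encrypt(m)
    print(oaep_decrypt(c) == m)              # True
    print(oaep_decrypt(maul(c)))             # None: redundancy check fails
```

Two things are worth checking against the definition above: the encoding is only meaningful because n is strictly below the bit length of N (so f really acts as a permutation on the n-bit strings it is given), and the randomizer r is what turns the deterministic OW-CPA permutation into a scheme where the same message encrypts differently each time.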


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2\sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2t + q_H(2q_G + q_H)\,k^2$ if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

So if A breaks RSA-OAEP within the feasible bounds assumed below (t ≤ 2^75 and q_G, q_H ≤ 2^55), inverting f can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} k^2$, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

The "no" rows mean the reduction gives no guarantee: the RSA inversion it produces would be slower than the best known factoring algorithm, so an attack on the scheme would not contradict the assumption.

⇒ RSA-OAEP is only guaranteed secure for keys of at least 4096 bits: the reduction is not tight.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher, analyzed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations, one per key, that the adversary may query in both directions.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash queries (q_H, q_G) and ideal-cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E\,k^2 \le 2^{75} + 2^{55} k^2$, and

1024 bits → t' ≤ 2^76, while NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, while NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, while NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure (in this model and under these cost estimates) for keys of 1024 bits or more. 61/77


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in finite fields and in elliptic curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks (Shor's algorithm).

Alternatives: Post-Quantum Cryptography

Error-correcting codes

Hash-based schemes

Systems of multivariate equations

Lattices


                                                                                                  Part V

                                                                                                  Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield absolute proofs.

Proofs are relative: to computational assumptions, and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we back to a cycle of model, attack, re-model? Cryptography as physics [Nguyen 12, Degabriele et al. 11].

Limits and Benefits of Provable Security (cont.)

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


                                                                                                  Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189, Birkhäuser, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                                                                  Part VI

                                                                                                  References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987 (conference held 11–15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, received 18 Mar. 2002; not published elsewhere.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The Need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References


Security Model: Random Oracle

Arguably the most used idealized model to prove security of practical schemes [Bellare-Rogaway 93]. A hash function H: {0,1}* → Rec(H) (Rec(H) being its range) is analyzed as if it were a perfectly random function:

Each new query receives a uniformly random answer in Rec(H).

The same query asked twice receives the same answer both times.

But in the actual scheme H is replaced by a concrete cryptographic hash function (SHA-1, RIPEMD-160, etc.).

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic, since there exist (contrived) schemes that are secure in the random oracle model but insecure under every concrete instantiation of H [Canetti 98, 04].


An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

$\mathcal{K}$: Key generation returns $(f, f^{-1})$ where
  Public key: $f: X \to X$, a trapdoor one-way permutation onto $X$.
  Private key: $f^{-1}$.

$\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$.

$\mathcal{V}$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$.

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

where
  $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,
  $T_f$ is the time to compute $f$ (in the forward direction),
  $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77


Exact Security: FDH Signatures & Game-based Proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games (experiments).

2. All games live in the same probability space.

3. The rules for how the view of the game is computed differ from game to game.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based Proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game, with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$:
  Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event
  "$A$ outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based Proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Create an initially empty list called H-List.
  If $(q, r) \in$ H-List, return $r$.
  Otherwise reply using
  Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$. Reply using
  Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$:
  $r \leftarrow H(m)$. Return true if $r = f(\sigma)$.

The game ends when this oracle is called. Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$: lazily sampling the random oracle is a perfect simulation.

42/77

Exact Security: FDH Sigs & Game-based Proofs (2/5)

Game $G_2$: as $G_1$, but where
  $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.
  Let $c'$ be the index of the first query in which the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle.
  If $c \ne c'$ then abort.

Success verification is done within the game $\Rightarrow$ the output message $m'$ is always sent to the hashing oracle, at the latest by $V_f$ itself (this is the "+1" in $q_H + q_S + 1$).

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$

(since $c$ is chosen independently of $A$'s view, $\Pr[S_1 \mid \mathrm{GoodGuess}] = \Pr[S_1]$.)

43/77

Exact Security: FDH Sigs & Game-based Proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge for which we want to extract a preimage $x$ under $f$.

Rule H(3):
  If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since the challenge $y$ is itself uniformly distributed in $X$, the answer to the $c$-th query has the same distribution as before: $\Pr[S_3] = \Pr[S_2]$.

44/77


Exact Security: FDH Sigs & Game-based Proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4):
  If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$.
  Otherwise choose $s \xleftarrow{\$} X$ at random and compute $r \leftarrow f(s)$.
  Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is uniform in $X$, the value $r = f(s)$ is again uniform in $X$: $\Pr[S_4] = \Pr[S_3]$.

45/77


Exact Security: FDH Sigs & Game-based Proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):
  Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

When the guess is good, the message of the $c$-th query is the forgery message $m'$, and a valid EUF-CMA forgery is never on a message that was sent to the signing oracle; so the signing oracle never has to invert $y$, and $\Pr[S_5] = \Pr[S_4]$.

Moreover:
  the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;
  a signature forgery on the message hashed to $y$ gives a preimage of $y$;
  $\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where $B = G_5$ runs in time $t + (q_S + q_H) \cdot T_f$.

46/77


Exact Security: FDH Sigs & Game-based Proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general the games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
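As an added worked example (not part of the slides), the following Python puts the FDH scheme of slide 38 and the game-$G_5$ simulator $B$ of slides 42-46 side by side: a toy RSA trapdoor permutation, a full-domain hash built from SHA-256 in counter mode (standing in for the random oracle), and a class `SimulatorB` that answers $A$'s hash and signing queries with rules H(4) and S(5) and extracts a preimage of the challenge $y$ from $A$'s forgery. The key uses two constructed Mersenne primes so the example runs instantly; the adversary in `reduction_trial` is likewise constructed and is given the trapdoor purely to exercise the simulator. All names (`SimulatorB`, `reduction_trial`, `full_domain_hash`) are this example's own.

```python
"""RSA-FDH signatures and the game-G5 simulator B from the FDH proof.

Added example, not from the slides. Toy key (two Mersenne primes) and a
full-domain hash built from SHA-256 in counter mode; illustration only.
"""
import hashlib
import secrets

# Constructed toy key: 2^127-1 and 2^107-1 are Mersenne primes. Far too small
# for real use; they only make the example fast and self-contained.
_P, _Q = 2**127 - 1, 2**107 - 1


def keygen():
    """pk = (n, e) describes f, sk = (n, d) describes the trapdoor f^{-1}."""
    n, e = _P * _Q, 65537
    return (n, e), (n, pow(e, -1, (_P - 1) * (_Q - 1)))


def f(pk, x):        # forward direction, cost T_f
    return pow(x, pk[1], pk[0])


def f_inv(sk, y):    # trapdoor direction
    return pow(y, sk[1], sk[0])


def full_domain_hash(n: int, m: bytes) -> int:
    """H: {0,1}* -> Z_n, standing in for the random oracle. SHA-256 in counter
    mode yields 64 bits more than |n|, so the bias of reducing mod n is negligible."""
    k = (n.bit_length() + 7) // 8 + 8
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big") + m).digest()
                   for i in range((k + 31) // 32))
    return int.from_bytes(out[:k], "big") % n


def fdh_sign(sk, m: bytes) -> int:          # sigma <- f^{-1}(H(m))
    return f_inv(sk, full_domain_hash(sk[0], m))


def fdh_verify(pk, m: bytes, sigma: int) -> bool:   # true iff f(sigma) = H(m)
    return f(pk, sigma) == full_domain_hash(pk[0], m)


class SimulatorB:
    """Game G5: B knows only pk and the challenge y. Rule H(4): the c-th fresh
    hash query is answered with y (preimage unknown), every other one with
    r = f(s) for random s. Rule S(5): Sign(m) returns the stored s, so f^{-1}
    is never needed."""

    def __init__(self, pk, y, c):
        self.pk, self.y, self.c = pk, y, c
        self.hlist = {}      # H-List: m -> (s, r); s is None for the programmed entry
        self.fresh = 0       # number of distinct hash queries so far
        self.signed = set()

    def H(self, m):
        if m in self.hlist:
            return self.hlist[m][1]
        self.fresh += 1
        if self.fresh == self.c:
            s, r = None, self.y
        else:
            s = secrets.randbelow(self.pk[0])
            r = f(self.pk, s)
        self.hlist[m] = (s, r)
        return r

    def sign(self, m):
        self.H(m)
        s = self.hlist[m][0]
        if s is None:
            raise RuntimeError("bad guess: signing query on the programmed message")
        self.signed.add(m)
        return s

    def run(self, adversary):
        """Run A with simulated oracles; return x with f(x) = y, or None."""
        try:
            m, sigma = adversary(self.H, self.sign)
        except RuntimeError:
            return None
        r = self.H(m)        # the verification query: the "+1" in q_h + q_s + 1
        if m in self.signed or f(self.pk, sigma) != r:
            return None      # not a valid EUF-CMA forgery
        return sigma if r == self.y else None


def reduction_trial(pk, sk, y, q_h, q_s, forge_index, c):
    """One run of G5 with guess c. The adversary is constructed for the demo:
    it knows sk, so it always forges on message number forge_index after q_h
    hash and q_s signing queries (forge_index >= q_s, so the target is never
    signed). A real adversary would not have sk."""
    msgs = [b"message-%d" % i for i in range(q_h)]

    def adversary(H, sign):
        for m in msgs:
            H(m)
        for m in msgs[:q_s]:
            if f(pk, sign(m)) != H(m):     # simulated signatures must verify
                raise ValueError("inconsistent simulation")
        target = msgs[forge_index]
        return target, f_inv(sk, H(target))

    return SimulatorB(pk, y, c).run(adversary)


if __name__ == "__main__":
    pk, sk = keygen()
    sig = fdh_sign(sk, b"pay 10")
    print("verify:", fdh_verify(pk, b"pay 10", sig), fdh_verify(pk, b"pay 11", sig))
    y = secrets.randbelow(pk[0])           # one-wayness challenge
    q_h, q_s = 6, 3
    for c in range(1, q_h + q_s + 2):      # exactly one of q_h+q_s+1 guesses works
        x = reduction_trial(pk, sk, y, q_h, q_s, 5, c)
        print("c =", c, "inverted:", x is not None and f(pk, x) == y)
```

Running the demo loop shows the loss factor concretely: with $q_h = 6$ and $q_s = 3$ there are $q_h + q_s + 1 = 10$ possible guesses and only $c = 6$ (the forgery message's first hash query) yields a preimage; a guess that lands on a message $A$ later asks to be signed makes $B$ abort, exactly the case rule S(5) cannot handle.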

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using the one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$

where
  $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,
  $T_f$ is the time to compute $f$ (in the forward direction),
  $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are
  at most $2^{75}$ operations ($t$),
  at most $2^{55}$ hash queries ($q_h$), and
  at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$, where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result
  If one can break the scheme in time $t$, then one can invert $f$ within time
  $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$
  (the factor $q_h + q_s + 1$ converts the loss in advantage into running time: $B$ is repeated that many times).

49/77

                                                                                                    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                                                    Full-Domain Hash Interpreting the Result (cont)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with the known cost of inverting RSA (namely factoring) using the best known algorithm, the Number Field Sieve (NFS), for $f = $ RSA. The proof only rules out the assumed adversary when the inverter it builds would beat NFS, i.e. when $t'$ is below the NFS cost:

- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$: no guarantee
- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$: no guarantee
- 4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is (provably) secure only for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $e \approx 2.72$ is Euler's number (not the RSA exponent), and $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$ hash and $q_s$ signing queries. The loss no longer depends on the number of hash queries, only on the number of signatures.

Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$: no guarantee
- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

(The figures above charge $T_f \approx k^2$ per RSA evaluation, the cost of a small-exponent exponentiation, as the RSA-OAEP slides do; with the cruder $O(k^3)$ bound of the previous slide the 2048-bit case would give $t' \le 2^{118} > 2^{111}$ and would not be covered, so the cost model matters as much as the reduction.)


Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong. Perfect secrecy is not possible: in the public-key setting the ciphertext (information-theoretically) reveals the plaintext, since anyone holding the encryption key can, with unbounded computation, re-encrypt every candidate message and compare.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.


Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can compute it himself, so this is the minimum).
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). In the non-adaptive variant, CCA1 ("lunchtime attack"), the oracle is available only before the challenge is seen; in CCA2 it remains available afterwards, for any ciphertext other than the challenge.

Strongest attack: CCA2.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between a challenger and an adversary $A$ is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; the encryption key $k_e$ is given to $A$.
2. Adversary (first phase): may submit any ciphertext $c$ to the decryption oracle and gets back $m \leftarrow D_{k_d}(c)$, or $\bot$ if $c$ is invalid; then outputs two messages $m_0, m_1$ of the same length.
3. Challenger: $c^* \leftarrow E_{k_e}(m_b)$, and sends the challenge $c^*$ to $A$.
4. Adversary (second phase, CCA2 only): may keep querying the oracle on any $c \neq c^*$; under CCA1 the oracle is no longer available once $c^*$ has been seen. Finally $A$ outputs a guess $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\, (m_0, m_1) \leftarrow A^{D_{k_d}}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D_{k_d}}(c^*)\ :\ b' = b \,\big]$

(Indistinguishability against chosen-ciphertext attacks. A random guess already gives $\Pr[b' = b] = 1/2$, so the advantage is usually normalised as $2\Pr[b' = b] - 1$, which is $0$ for a guessing adversary.)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let $m$ be a random message chosen from the message space $M$.
- From the ciphertext $c = E_{k_e}(m)$ (and the encryption key), the adversary $A$ must recover $m$.

A scheme $AS$ is one-way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with non-negligible probability. Accordingly we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,\big]$


Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA ⇔ the RSA problem (computing modular $e$-th roots).
- It is not IND-CPA (hence not IND-CCA) since it is deterministic: the adversary re-encrypts one of his two messages under the public key and compares with the challenge.

Discrete-log based: ElGamal [ElGamal 85]
- OW-CPA ⇔ CDH (Computational Diffie-Hellman).
- IND-CPA ⇔ DDH (Decisional Diffie-Hellman).
- It is not IND-CCA because of multiplicativity: from an encryption of $m$ anyone can build a different ciphertext that decrypts to $a \cdot m$, and a decryption oracle will happily decrypt it.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog: a DLog solver breaks CDH, and a CDH solver breaks DDH).
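To make the IND game of the IND-CCA slide concrete, here is an added Python example (not code from the talk) that runs that game against two toy schemes and the two adversaries this slide describes: re-encryption against deterministic textbook RSA (IND-CPA, no oracle) and the multiplicativity attack against ElGamal (IND-CCA2, with a decryption oracle that refuses $c^*$). The parameters (Mersenne primes, the group $\mathbb{Z}_P^*$ with generator 3) are constructed toys chosen so the arithmetic runs instantly; they are not secure choices, and a real ElGamal lives in a prime-order subgroup.

```python
import secrets

# Constructed toy parameters for illustration only (insecure):
# ElGamal in Z_P^* with the Mersenne prime P = 2^127 - 1 (real deployments use a prime-order group),
# textbook RSA with the Mersenne primes 2^61 - 1 and 2^89 - 1.
P = 2**127 - 1
G = 3
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537


class ElGamal:
    """Probabilistic, but multiplicative: (c1, c2) encrypts m  =>  (c1, a*c2) encrypts a*m."""
    @staticmethod
    def keygen():
        x = secrets.randbelow(P - 2) + 1
        return pow(G, x, P), x                          # (ke, kd)

    @staticmethod
    def enc(ke, m):
        r = secrets.randbelow(P - 2) + 1                # fresh randomness per encryption
        return pow(G, r, P), m * pow(ke, r, P) % P

    @staticmethod
    def dec(kd, c):
        c1, c2 = c
        return c2 * pow(c1, P - 1 - kd, P) % P          # c1^(-kd) via Fermat


class TextbookRSA:
    """Deterministic: the same message always yields the same ciphertext."""
    @staticmethod
    def keygen():
        n = RSA_P * RSA_Q
        d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
        return (n, RSA_E), (n, d)

    @staticmethod
    def enc(ke, m):
        n, e = ke
        return pow(m, e, n)

    @staticmethod
    def dec(kd, c):
        n, d = kd
        return pow(c, d, n)


def ind_game(scheme, adversary_cls, cca2, trials=50):
    """The IND game of the slides, run `trials` times; returns the fraction of rounds with b' = b.
    cca2=True gives the adversary a decryption oracle that refuses c = c* (IND-CCA2);
    cca2=False disables the oracle entirely (IND-CPA)."""
    wins = 0
    for _ in range(trials):
        ke, kd = scheme.keygen()
        b = secrets.randbelow(2)
        challenge = []                                  # filled once c* exists

        def dec_oracle(c):
            if not cca2 or (challenge and c == challenge[0]):
                return None                             # bottom: no oracle, or query equals the challenge
            return scheme.dec(kd, c)

        adv = adversary_cls()
        m0, m1 = adv.choose(ke, dec_oracle)
        challenge.append(scheme.enc(ke, (m0, m1)[b]))
        wins += adv.guess(ke, challenge[0], dec_oracle) == b
    return wins / trials


class ReencryptAdversary:
    """IND-CPA attack on any deterministic scheme: re-encrypt m0 under ke and compare with c*."""
    def choose(self, ke, dec_oracle):
        self.m0, self.m1 = 2, 3
        return self.m0, self.m1

    def guess(self, ke, c_star, dec_oracle):
        return 0 if TextbookRSA.enc(ke, self.m0) == c_star else 1


class MalleabilityAdversary:
    """IND-CCA2 attack on ElGamal: (c1, 2*c2) != c* is a valid query and decrypts to 2*m_b."""
    def choose(self, ke, dec_oracle):
        self.m0, self.m1 = 5, 7
        return self.m0, self.m1

    def guess(self, ke, c_star, dec_oracle):
        c1, c2 = c_star
        doubled = dec_oracle((c1, 2 * c2 % P))
        return 0 if doubled == 2 * self.m0 % P else 1


if __name__ == "__main__":
    print("textbook RSA vs re-encryption, IND-CPA :", ind_game(TextbookRSA, ReencryptAdversary, cca2=False))
    print("ElGamal vs malleability,       IND-CCA2:", ind_game(ElGamal, MalleabilityAdversary, cca2=True))
    print("ElGamal vs malleability,       IND-CPA :", ind_game(ElGamal, MalleabilityAdversary, cca2=False))
```

Both attacks win every round (success probability 1, i.e. normalised advantage 1). The third run is the check a practitioner wants: without the oracle the malleability adversary's query returns $\bot$ and its success drops to roughly 1/2, which is exactly why ElGamal can be IND-CPA (under DDH) while failing IND-CCA2.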


Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$
$H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

both modelled as random oracles. Messages are $m \in \{0,1\}^{n - k_0 - k_1}$ and $r \in \{0,1\}^{k_0}$ is fresh randomness.

$E(m, r)$: compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.

$D(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP ($r = y \oplus H(x)$, then $m \,\|\, z = x \oplus G(r)$), then check the redundancy: output $m$ only if $z = 0^{k_1}$, otherwise reject ($\bot$). The redundancy check is what turns a mauled ciphertext into a rejection instead of a related plaintext.
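The encryption and decryption of f-OAEP above, as an added worked example in Python (not the slides' own code, and not the PKCS#1 v2 encoding, which adds a label hash and a leading zero byte): $f$ is RSA with constructed Mersenne-prime factors, $G$ and $H$ are domain-separated SHA-256 outputs standing in for the random oracles, and $n = 144$, $k_0 = k_1 = 48$ are chosen so that every $n$-bit block is below the modulus. The last function tries the ElGamal-style multiplication trick against it, so the role of the redundancy check is visible.

```python
import hashlib
import secrets

# Constructed toy instance of f-OAEP for illustration only (real moduli are 2048+ bits).
K0, K1 = 48, 48                      # bits of the random seed r and of the zero redundancy
N_BITS = 144                         # n > k0 + k1: the padded block x||y is an n-bit string
M_BITS = N_BITS - K0 - K1            # 48-bit messages

# f = RSA with the Mersenne primes 2^61-1 and 2^89-1: the modulus is about 150 bits > 2^144,
# so f is injective on n-bit inputs (the toy's stand-in for "f permutes {0,1}^n").
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def f(v):
    return pow(v, RSA_E, RSA_N)          # trapdoor one-way permutation, forward direction


def f_inv(c):
    return pow(c, RSA_D, RSA_N)          # inversion using the trapdoor d


def _ro(tag, value, in_bits, out_bits):
    """Random-oracle stand-in: domain-separated SHA-256 truncated to out_bits (assumed construction)."""
    digest = hashlib.sha256(tag + value.to_bytes(in_bits // 8, "big")).digest()
    return int.from_bytes(digest[: out_bits // 8], "big")


def G(r):                                # G: {0,1}^k0 -> {0,1}^(n-k0)
    return _ro(b"G", r, K0, N_BITS - K0)


def H(x):                                # H: {0,1}^(n-k0) -> {0,1}^k0
    return _ro(b"H", x, N_BITS - K0, K0)


def oaep_encrypt(m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if not 0 <= m < 2**M_BITS:
        raise ValueError("message must be an (n - k0 - k1)-bit string")
    if r is None:
        r = secrets.randbits(K0)         # fresh randomness: OAEP is probabilistic
    if not 0 <= r < 2**K0:
        raise ValueError("r must be a k0-bit string")
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return f((x << K0) | y)


def oaep_decrypt(c):
    """D(c): invert f, undo the two masking rounds, accept only if the k1 redundancy bits are zero."""
    v = f_inv(c)
    if v >= 2**N_BITS:
        return None                      # not an n-bit string: reject (bottom)
    x, y = v >> K0, v & ((1 << K0) - 1)
    r = y ^ H(x)
    padded = x ^ G(r)                    # should be m || 0^k1
    if padded & ((1 << K1) - 1) != 0:
        return None                      # redundancy check failed: reject (bottom)
    return padded >> K1


def malleability_attempt(c, a=2):
    """The ElGamal-style trick applied to RSA: c * f(a) = f(a * (x||y)) mod N.
    Returns what the decryptor outputs for the mauled ciphertext (None = rejected)."""
    return oaep_decrypt(c * f(a) % RSA_N)
```

Decrypting an honest ciphertext returns the message, two encryptions of the same message differ (different $r$), and both a flipped ciphertext bit and the multiplicative maul are rejected: after $f^{-1}$ the seed recovered via $H$ no longer matches, $G(r)$ is a fresh pseudo-random mask, and the $k_1$ zero bits survive only with probability $2^{-k_1}$.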


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H\,(2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and

- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is provably secure only for keys of at least 4096 bits: the reduction is not tight (and the square root means a quadratic loss in advantage on top of the time loss charged above).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher, and the scheme is analysed in the ideal cipher model.

Ideal Cipher Model: the block cipher $E$ is modelled as a family of perfectly random and independent permutations, one per key, which every party (the adversary included) may query in both directions.


Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking $f = $ RSA are:

- at most $2^{75}$ operations ($t$), and
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more: the reduction is tight, so the proof covers the key sizes actually deployed.
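The exact-security bookkeeping on the two FDH slides (original bound and Coron's improvement) and on the RSA-OAEP and RSA-OAEP++ slides can be reproduced mechanically. The following Python is an added example written for this page, not code from the talk: the adversary budget and the NFS cost figures are the ones quoted on the slides, and the per-evaluation cost $T_f$ follows each slide ($k^3$ on the first FDH slide, $k^2$ on the others), which is why the two FDH estimates are not directly comparable. Everything else (function names, the tabulated key sizes) is the example's own choice.

```python
import math

# Adversary resource bounds assumed on the slides (constructed from the slides' figures).
T_ADV = 2**75        # running time t of the scheme attacker
Q_H = 2**55          # hash / random-oracle queries q_h (FDH) or q_H (OAEP)
Q_G = 2**55          # queries to the second oracle G (OAEP)
Q_S = 2**30          # signing queries q_s (FDH)
Q_E = 2**55          # ideal-cipher queries q_E (OAEP++)

# log2 of the NFS factoring cost quoted on the slides, per modulus size in bits.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_bellare_rogaway(k, t=T_ADV, qh=Q_H, qs=Q_S):
    """Inverter time implied by the original FDH bound:
    Adv_FDH <= (qh+qs+1) * Adv_f,  B runs in t + (qh+qs) * T_f.
    The slide charges T_f = k^3 per RSA evaluation."""
    tf = k ** 3
    return (qh + qs + 1) * (t + (qh + qs) * tf)


def fdh_coron(k, t=T_ADV, qh=Q_H, qs=Q_S):
    """Coron 2000: Adv_FDH <= qs * e * Adv_f,  B runs in t + (qh+qs+1) * T_f.
    The slide charges T_f = k^2 here and drops the constant e (about 2.72)."""
    tf = k ** 2
    return qs * (t + (qh + qs + 1) * tf)


def rsa_oaep_fops(k, t=T_ADV, qh=Q_H, qg=Q_G):
    """FOPS 2000: B runs in 2t + qH(2qG + qH) * k^2.
    As on the slide, the square-root loss on the advantage is not charged."""
    return 2 * t + qh * (2 * qg + qh) * k ** 2


def rsa_oaep_pp(k, t=T_ADV, qe=Q_E):
    """Jonsson 2002 (ideal cipher model): B runs in t + qE * k^2."""
    return t + qe * k ** 2


REDUCTIONS = {
    "RSA-FDH (BR96)": fdh_bellare_rogaway,
    "RSA-FDH (Coron00)": fdh_coron,
    "RSA-OAEP (FOPS00)": rsa_oaep_fops,
    "RSA-OAEP++ (Jonsson02)": rsa_oaep_pp,
}


def inverter_log2(name, k):
    """log2 of the time t' in which the reduction inverts k-bit RSA."""
    return math.log2(REDUCTIONS[name](k))


def proof_is_meaningful(name, k):
    """The proof only excludes the assumed adversary when the inverter it builds
    would beat the best known factoring algorithm, i.e. when t' < NFS."""
    return inverter_log2(name, k) < NFS_LOG2[k]


def smallest_covered_key(name):
    """Smallest tabulated modulus size for which the proof bites, or None."""
    for k in sorted(NFS_LOG2):
        if proof_is_meaningful(name, k):
            return k
    return None


if __name__ == "__main__":
    for name in REDUCTIONS:
        cells = []
        for k in sorted(NFS_LOG2):
            verdict = "ok" if proof_is_meaningful(name, k) else "no"
            cells.append(f"{k}: t'<=2^{inverter_log2(name, k):.0f} ({verdict})")
        print(f"{name:24s} " + ", ".join(cells) + f"  -> covered from {smallest_covered_key(name)} bits")
```

`smallest_covered_key` reproduces the four conclusions on the slides (4096, 2048, 4096 and 1024 bits). Lowering `T_ADV` or the query counts shows how strongly each guarantee depends on the assumed adversary budget, and swapping the exponent in `fdh_coron` from 2 to 3 shows the 2048-bit Coron verdict flipping, which is the caveat worth remembering when reading such tables.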


Revisiting the Assumptions

Classical assumptions:
- Integer factoring
- Discrete logarithm (in finite fields and in elliptic curves)
- Modular roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks (Shor's algorithm).

Alternatives: post-quantum cryptography
- Error-correcting codes
- Hash-based schemes
- Systems of multivariate equations
- Lattices

Part V: Concluding Remarks

Limits and Benefits of Provable Security

- Provable security does not yield proofs in the absolute sense.
- Proofs are relative: to computational assumptions, and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode is attacked [Albrecht 09]; then proofs for the other mode are given in a better model [Paterson et al. 10]. Are we going around in circles: model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security (cont.)

Still, provable security:

- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
- is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189, Birkhäuser Publishers, 2005.
- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC, ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764 received 18 Mar 2002.

                                                                                                    A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                                                                                    V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                                                                                    7477

                                                                                                    P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                    K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                    D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                    7577

                                                                                                    R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                    C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                    V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                    7677

                                                                                                    V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                    S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                    7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
      • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Model: Random Oracle

Arguably the most used idealized model to prove the security of practical schemes [Bellare-Rogaway 93]. The hash function $H: \{0,1\}^* \rightarrow \mathrm{Rec}(H)$ is analyzed as if it were a perfectly random function:

• Each new query receives a random answer in $\mathrm{Rec}(H)$

• The same query asked twice receives the same answer twice

But in the actual scheme $H$ is replaced by a cryptographic hash function (SHA-1, RIPEMD-160, etc.)

Examples of use:

1. Signature schemes: Full-Domain Hash [Bellare-Rogaway 96], Schnorr [Schnorr 89]

2. Encryption schemes: OAEP-based constructions [Bellare-Rogaway 94]

Somewhat controversial: not really a proof, only a heuristic [Canetti 98/04]

37/77

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ as follows:

• $\mathcal{K}$: Key generation returns $(f, f^{-1})$ where
  Public key: $f: X \rightarrow X$, a trapdoor one-way permutation onto $X$
  Private key: $f^{-1}$

• $\mathcal{S}$: Signature of $m$ returns $\sigma \leftarrow f^{-1}(H(m))$

• $\mathcal{V}$: Verification of $(m, \sigma)$ returns true if $f(\sigma) = H(m)$

38/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

• $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

• $T_f$ is the time to compute $f$ (in the forward direction)

• $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77

Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \dots, G_5$ of games or experiments

2. All games are in the same probability space

3. The rules on how the view of the game is computed differ from game to game

4. Successive games are very similar, typically with slightly different probability distributions

5. $G_0$ is the actual security game (EUF-CMA)

6. $G_5$ is the game for the underlying assumption (OW)

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$:

Verification oracle $V_f(m, \sigma)$: Return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "$A$ outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

41/77

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:

• Create an initially empty list called H-List

• If $(q, r) \in$ H-List, return $r$

• Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List

Signing oracle $S(m)$:

• $r \leftarrow H(m)$. Reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle $V_f(m, \sigma)$:

• $r \leftarrow H(m)$. Return true if $r = f(\sigma)$

The game ends when this oracle is called. Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

• $c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$

• Let $c'$ be the index of the first query in which the message $m'$ (the one for which $A$ outputs a forgery) was sent to the hashing oracle by $A$

• If $c \ne c'$ then abort

Success is verified within the game $\Rightarrow$ the adversary's output message $m$ is necessarily queried to the hashing oracle.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since $y$ is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

• If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$

• Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$

• Add the record $(q, s, r)$ to H-List

Since $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.

45/77

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

• the simulation can be done with $(q_S + q_H)$ evaluations of $f$

• a signature forgery for $y$ gives a preimage of $y$

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$, where $B = G_5$ runs in time $t + (q_S + q_H) T_f$.

46/77

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\,\Pr[S_1] \ge \frac{1}{q_H + q_S + 1}\,\Pr[S_0] = \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{FDH}(A)$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].
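The simulator that the games above build up, as an added worked example (this code is not part of the slides). It plays the role of $B$ in $G_5$: it answers random-oracle queries by choosing the preimage $s$ first and setting $H(m) = f(s)$ (uniform, because $f$ is a permutation), embeds the one-wayness challenge $y$ at the guessed $c$-th fresh hash query, signs every other message without ever using $f^{-1}$, and turns a forgery on the $c$-th message into the preimage of $y$. The RSA instance uses two fixed Mersenne primes chosen only for the demonstration; they are far too small to be secure, and the class, function and parameter names are this example's own.

```python
import secrets

# Toy RSA trapdoor permutation with fixed, demonstration-only primes (insecure size).
P, Q = (1 << 31) - 1, (1 << 61) - 1          # both Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))             # the trapdoor; the simulator never touches it

def f(x):          # forward direction: what verification computes (cost T_f)
    return pow(x, E, N)

def f_inv(x):      # trapdoor direction: only the real signer (or a forger) can do this
    return pow(x, D, N)

class FDHSimulator:
    """Game G5: every hash value except the c-th has a known preimage, so signing
    needs no f^{-1}; the c-th fresh hash query is answered with the challenge y."""
    def __init__(self, y, c):
        self.y, self.c = y, c
        self.h_list = {}        # H-List: m -> (h, s) with h = f(s), or (y, None) for the c-th
        self.fresh = 0

    def hash_oracle(self, m):
        if m not in self.h_list:
            self.fresh += 1
            if self.fresh == self.c:                 # embed the OW challenge
                self.h_list[m] = (self.y, None)
            else:                                    # pick s, then program H(m) := f(s)
                s = secrets.randbelow(N)             # f(s) is uniform: f is a permutation
                self.h_list[m] = (f(s), s)
        return self.h_list[m][0]

    def sign_oracle(self, m):
        self.hash_oracle(m)
        h, s = self.h_list[m]
        if s is None:            # Rule S(5) has no preimage here: the guess c was wrong
            raise RuntimeError("bad guess: signing query on the c-th message")
        return s                 # valid FDH signature, produced without the trapdoor

    def extract(self, m, sigma):
        """A valid forgery on the c-th message is exactly a preimage of y under f."""
        h, s = self.h_list.get(m, (None, None))
        if s is None and h == self.y and f(sigma) == self.y:
            return sigma
        return None

def verify(sim, m, sigma):
    return f(sigma) == sim.hash_oracle(m)

def run_demo():
    x_secret = secrets.randbelow(N)
    y = f(x_secret)                      # OW challenge: find x with f(x) = y
    sim = FDHSimulator(y, c=3)
    m1, m2, m3 = b"pay alice 1", b"pay alice 2", b"forge me"
    simulated_ok = all(verify(sim, m, sim.sign_oracle(m)) for m in (m1, m2))
    # "forge me" is the 3rd fresh hash query, so H(m3) = y.  Any forger that outputs
    # a valid signature on m3 has computed f^{-1}(y); the trapdoor stands in for it.
    sim.hash_oracle(m3)
    forged = f_inv(y)
    return simulated_ok, sim.extract(m3, forged) == x_secret

def bad_guess_aborts():
    """If the c-th message is sent to the signing oracle, the simulation must abort."""
    sim = FDHSimulator(f(5), c=1)
    try:
        sim.sign_oracle(b"m")
    except RuntimeError:
        return True
    return False
```

`run_demo()` returns `(True, True)`: simulated signatures verify against the programmed oracle, and the forgery on the embedded message hands back `x_secret`. The $(q_S + q_H)$ forward evaluations of $f$ in the slide are the `f(s)` calls inside `hash_oracle`.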

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{FDH}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,

$T_f$ is the time to compute $f$ (in the forward direction),

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible resource bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{FDH}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$, with $B$ running in time $t' = t + (q_h + q_s) \cdot T_f$

The result now says:

Interpreting the Result

If one can break the scheme in time $t$ (with constant probability), then one can invert $f$ with constant probability within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$; the factor $(q_h + q_s + 1)$ lost in the advantage is paid for by running $B$ that many times.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ (the modulus size) and $e$ is small.

We compare it with the known bounds on inverting RSA, namely factoring $n$ with the best known algorithm, the Number Field Sieve (NFS), for $f = $ RSA. The reduction is only meaningful when $t'$ is below the cost of the NFS; otherwise the theorem merely promises an inverter that is slower than the best known attack and says nothing.

1024 bits $\rightarrow$ $t' \le 2^{140}$ but NFS takes $2^{80}$ (no)

2048 bits $\rightarrow$ $t' \le 2^{143}$ but NFS takes $2^{111}$ (no)

4096 bits $\rightarrow$ $t' \le 2^{146}$ but NFS takes $2^{149}$ (ok)

$\Rightarrow$ RSA-FDH is provably secure (under this reduction) only for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{FDH}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where $e \approx 2.718$ is Euler's number (not the RSA exponent), and $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. The loss now depends only on the number of signing queries $q_s$, not on the number of hash queries $q_h$.

With the same resource bounds as before, inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits $\rightarrow$ $t' \le 2^{105}$ but NFS takes $2^{80}$ (no)

2048 bits $\rightarrow$ $t' \le 2^{107}$ but NFS takes $2^{111}$ (ok)

4096 bits $\rightarrow$ $t' \le 2^{109}$ but NFS takes $2^{149}$ (ok)

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext. In the public-key setting the public key and the ciphertext together determine the plaintext, so an unbounded adversary always wins.

Goal: Indistinguishability (Semantic Security), informal

Given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can encrypt by himself).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).

This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the Challenger and the Adversary is:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; $k_e$ is given to the Adversary.

Adversary, first phase (CCA1): sends any $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\bot$.

Adversary: chooses $m_0, m_1$ (of the same length) and sends them; the Challenger replies with $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$.

Adversary, second phase (CCA2 only): sends any $c \neq c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\bot$.

Adversary: outputs $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks.) As written this is the success probability of $A$; a random guess already achieves $1/2$, so the quantity that must be small is the normalized advantage $2 \cdot \Pr[b' = b] - 1$.

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\left[m \xleftarrow{\$} \mathcal{M},\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA $=$ the RSA problem (computing modular $e$-th roots). It is not IND-CPA nor IND-CCA since it is deterministic: the adversary encrypts $m_0$ and $m_1$ himself and compares with the challenge.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA $=$ CDH (Computational Diffie-Hellman); IND-CPA $=$ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity: multiplying the second component of a ciphertext by $t$ yields a new, valid ciphertext of $t \cdot m$, which the decryption oracle will happily decrypt.

Obs.: CDH and DDH are weaker problems than DLog (no harder to solve): DDH reduces to CDH, which reduces to DLog.
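The two failures just listed, played out as the games of the previous slides; this is an added example, not code from the slides. Textbook RSA loses the IND-CPA game because the adversary can re-encrypt the candidates, and ElGamal loses the IND-CCA2 game because the adversary mauls the challenge into a different ciphertext of $t \cdot m_b$ and asks the decryption oracle about that. The ElGamal group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ with $p = 1019$, $q = 509$, generator $4$) and the RSA primes are demonstration-sized choices of this example; the class and function names are the example's own.

```python
import secrets

# --- Toy ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 (demo size, insecure) ---
P, Q, G = 1019, 509, 4          # 4 = 2^2 is a quadratic residue, hence of order q

def eg_keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return pow(G, x, P), x                       # (public h = g^x, secret x)

def eg_encrypt(h, m):
    y = 1 + secrets.randbelow(Q - 1)
    return pow(G, y, P), (m * pow(h, y, P)) % P  # (g^y, m * h^y)

def eg_decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P      # c2 * c1^{-x}

class INDCCA2Challenger:
    """The IND-CCA2 game of the slides, instantiated with ElGamal: the decryption
    oracle answers every ciphertext except the challenge c* itself."""
    def __init__(self):
        self.pk, self.sk = eg_keygen()
        self.c_star = None
        self.b = None

    def challenge(self, m0, m1):
        self.b = secrets.randbelow(2)
        self.c_star = eg_encrypt(self.pk, (m0, m1)[self.b])
        return self.c_star

    def decrypt_oracle(self, c):
        if c == self.c_star:
            return None                          # the single forbidden query
        return eg_decrypt(self.sk, c)

def elgamal_cca2_attack(chal, m0, m1):
    """Multiplicativity: (c1, c2 * t) is a valid encryption of m_b * t, and it
    differs from c*, so the oracle decrypts it.  Returns the adversary's guess b'."""
    c1, c2 = chal.challenge(m0, m1)
    t = pow(G, 2, P)                             # any subgroup element other than 1
    mauled = (c1, (c2 * t) % P)
    m_times_t = chal.decrypt_oracle(mauled)
    m_b = (m_times_t * pow(t, P - 2, P)) % P     # strip t using t^{-1} = t^{p-2} mod p
    return 0 if m_b == m0 else 1

# --- Textbook RSA is deterministic: no oracle is needed to lose IND-CPA ---
P_RSA, Q_RSA = (1 << 31) - 1, (1 << 61) - 1     # demo-only Mersenne primes
N_RSA, E_RSA = P_RSA * Q_RSA, 65537

def rsa_cpa_attack(m0, m1):
    """Challenger picks b and publishes c* = m_b^e; the adversary re-encrypts m0."""
    b = secrets.randbelow(2)
    c_star = pow((m0, m1)[b], E_RSA, N_RSA)
    guess = 0 if pow(m0, E_RSA, N_RSA) == c_star else 1
    return guess == b

def run_trials(n=50):
    """Number of wins out of n for each attack; both should win every time."""
    m0, m1 = pow(G, 3, P), pow(G, 5, P)          # two distinct subgroup elements
    eg_wins = 0
    for _ in range(n):
        chal = INDCCA2Challenger()
        eg_wins += elgamal_cca2_attack(chal, m0, m1) == chal.b
    rsa_wins = sum(rsa_cpa_attack(123456789, 987654321) for _ in range(n))
    return eg_wins, rsa_wins
```

`run_trials(50)` returns `(50, 50)`: both adversaries guess $b$ with probability 1, i.e. normalized advantage 1. Note that the ElGamal attack never touches the secret key and issues exactly one decryption query, on a ciphertext that is not $c^*$, so it is a legitimate IND-CCA2 adversary; under a CPA-only attacker the same scheme is fine, which is the DDH-based IND-CPA claim above.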

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversions from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with hash functions (modelled as random oracles)

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$, for $m \in \{0,1\}^{n-k_0-k_1}$ and random $r \in \{0,1\}^{k_0}$: compute $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP ($r = y \oplus H(x)$, $m \| z = x \oplus G(r)$), then check the redundancy: output $m$ only if $z = 0^{k_1}$, otherwise reject with $\bot$.
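The OAEP transform above, as an added worked example (not code from the slides or from [Bellare-Rogaway 1994]), using the slide's parameters $n, k_0, k_1$ and oracles $G, H$ measured in bytes rather than bits. $G$ and $H$ are instantiated with SHAKE256 as a stand-in for the random oracles, and $f$ is a toy RSA permutation over two fixed demonstration-only primes whose 92-bit modulus is large enough to act as a permutation on the 88-bit padded strings; all names and parameter values are this example's own. The point shown beyond the slide is the effect of the redundancy check: the same message encrypts to different ciphertexts, and a multiplicatively mauled ciphertext (the attack that works on textbook RSA) is rejected at decryption instead of yielding a related plaintext.

```python
import hashlib
import secrets

N_BYTES, K0, K1 = 11, 3, 4                 # n = 88 bits, k0 = 24 bits, k1 = 32 bits
assert N_BYTES > K0 + K1
MSG_LEN = N_BYTES - K0 - K1                # 4-byte messages

# Toy RSA permutation on 88-bit strings (92-bit modulus), demonstration-only primes.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def G(r):                                   # {0,1}^{k0} -> {0,1}^{n-k0}, SHAKE stands in for the RO
    return hashlib.shake_256(b"G" + r).digest(N_BYTES - K0)

def H(x):                                   # {0,1}^{n-k0} -> {0,1}^{k0}
    return hashlib.shake_256(b"H" + x).digest(K0)

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_pad(m, r):
    """x = (m || 0^{k1}) xor G(r), y = r xor H(x); returns x || y."""
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy):
    """Inverts the pad; returns m, or None when the k1 zero bytes are not there."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    m_z = xor(x, G(r))
    m, z = m_z[:MSG_LEN], m_z[MSG_LEN:]
    return m if z == bytes(K1) else None

def encrypt(m):
    assert len(m) == MSG_LEN
    r = secrets.token_bytes(K0)                     # fresh randomness per encryption
    xy = int.from_bytes(oaep_pad(m, r), "big")      # < 2^88 < N, so f is a permutation here
    return pow(xy, E, N)

def decrypt(c):
    xy = pow(c, D, N)
    if xy >= 1 << (8 * N_BYTES):                    # outside the padded domain: reject
        return None
    return oaep_unpad(xy.to_bytes(N_BYTES, "big"))

def tamper(c):
    """Multiplicative mauling (c * 2^e): on textbook RSA this decrypts to 2*m,
    with OAEP the redundancy check rejects it (except with probability ~2^-32)."""
    return (c * pow(2, E, N)) % N
```

`decrypt(encrypt(m))` returns `m`, two encryptions of the same `m` differ, and `decrypt(tamper(c))` is `None`. The rejection is what the IND-CCA proof relies on: the decryption oracle returns $\bot$ for everything the adversary can build without already knowing $r$, so mauling buys nothing.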

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{RSA\text{-}OAEP}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{N,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small. Note the square root: the advantage loss is quadratic, so the reduction is not tight.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{133}$ but NFS takes $2^{80}$ (no)

2048 bits $\rightarrow$ $t' \le 2^{135}$ but NFS takes $2^{111}$ (no)

4096 bits $\rightarrow$ $t' \le 2^{137}$ but NFS takes $2^{149}$ (ok)

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (the reduction is not tight).


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher, analyzed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations (one per key), to which all parties, including the adversary, have oracle access in both directions.

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking $f = $ RSA are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{76}$ but NFS takes $2^{80}$ (ok)

2048 bits $\rightarrow$ $t' \le 2^{78}$ but NFS takes $2^{111}$ (ok)

4096 bits $\rightarrow$ $t' \le 2^{80}$ but NFS takes $2^{149}$ (ok)

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.

                                                                                                      Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Revisiting the Assumptions

Classical Assumptions:

• Integer Factoring
• Discrete Logarithm (in Finite Fields and in Elliptic Curves)
• Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

• Error-Correcting Codes
• Hash-based schemes
• Systems of Multi-Variate Equations
• Lattices


Part V: Concluding Remarks


Limits and Benefits of Provable Security

• Provable security does not yield proofs.
• Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance.
• Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].


Limits and Benefits of Provable Security

Still, provable security:

• provides some form of guarantee that the scheme is not flawed;
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
• gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
• is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189. Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396. Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


Part VI: References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.


J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.


S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.


J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.


P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.


R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.


V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References

An Example of Exact Security: Full-Domain Hash Signatures

Full-Domain Hash Signature [Bellare-Rogaway 1993]

Scheme FDH is (K, S, V) as follows:

• K, Key Generation: returns $(f, f^{-1})$, where the public key is $f : X \to X$, a trapdoor one-way permutation onto X, and the private key is $f^{-1}$.
• S, Signature of m: returns $\sigma \leftarrow f^{-1}(H(m))$.
• V, Verification of $(m, \sigma)$: returns true if $f(\sigma) = H(m)$.


Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

• A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
• $T_f$ is the time to compute f (in the forward direction);
• B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use a game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence of games $G_0, G_1, \ldots, G_5$ (games or experiments).
2. All games are in the same probability space.
3. The rules on how the view of the game is computed differ.
4. Successive games are very similar, typically with slightly different probability distributions.
5. $G_0$ is the actual security game (EUF-CMA).
6. $G_5$ is the game for the underlying assumption (OW).
7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real euf-cma game with signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$. Reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$: $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where $c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A. If $c \ne c'$ then abort.

Success (verification) is checked within the game ⇒ the adversary must query its output message m.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle. Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$; otherwise choose r at random. Add record $(q, \perp, r)$ to H-List.

Since the value y placed at position c is uniformly distributed, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

If this is the c-th query, set r ← y and s ← ⊥.

Otherwise, choose random $s \xleftarrow{\$} X$ and compute r ← f(s).

Add the record (q, s, r) to H-List.

Since position y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

45/77



Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage for y;

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where B = G5 runs in time $t + (q_S + q_H)\,T_f$.

46/77



Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\cdot\Pr[S_1] \ge \frac{1}{q_H + q_S + 1}\cdot\Pr[S_0] = \frac{1}{q_H + q_S + 1}\cdot\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
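The simulator of games G3 to G5 above (rule H(4), rule S(5) and the extraction of a preimage from a forgery), as an added example that is not part of the slides: the toy modulus n = 61·67, the exponent e = 17, the stand-in forger and the Python names are all constructed here.

```python
"""Simulator B from games G3-G5 of the slides, run against a toy RSA-style
one-way permutation. Added example, not the slides' own code: the toy
modulus, the stand-in forger and the bookkeeping names are constructed here."""
import random

# Constructed toy instance: n = 61 * 67 = 4087, e = 17 (gcd(e, phi(n)) = 1).
P_FACTOR, Q_FACTOR, E = 61, 67, 17
N = P_FACTOR * Q_FACTOR
rng = random.Random(2013)  # seeded so the experiment is reproducible


def f(x):
    """The one-way permutation in the forward direction: B only ever needs this."""
    return pow(x, E, N)


class FDHSimulator:
    """Plays game G5 for the forger A: it answers hash and signing queries
    without f^{-1}, and turns a forgery on the c-th hash query into a
    preimage of the challenge y."""

    def __init__(self, y, q_h, q_s):
        self.y = y
        # c is uniform in {1, ..., q_h + q_s + 1}: the extra 1 is the forger's
        # own hash query on the message it finally forges.
        self.c = rng.randrange(1, q_h + q_s + 2)
        self.h_list = {}   # message -> (s, r) with r = H(message); s = None stands for ⊥
        self.count = 0     # fresh hash queries seen so far (signing queries included)

    def hash_oracle(self, m):
        """Rule H(4): the c-th fresh query gets r = y and s = ⊥; every other
        one gets s random and r = f(s), so its preimage is known."""
        if m in self.h_list:
            return self.h_list[m][1]
        self.count += 1
        if self.count == self.c:
            entry = (None, self.y)
        else:
            s = rng.randrange(1, N)
            entry = (s, f(s))
        self.h_list[m] = entry
        return entry[1]

    def sign_oracle(self, m):
        """Rule S(5): look up (m, s, r) in H-List and return sigma = s. This
        is the only place f^{-1} would be needed, and it is not used."""
        self.hash_oracle(m)        # make sure m has an H-List record
        return self.h_list[m][0]   # None exactly when m was the c-th query

    def extract(self, m_star, sigma):
        """A valid forgery on m* with H(m*) = y satisfies f(sigma) = y, i.e.
        sigma is the preimage B was asked for; otherwise B fails."""
        if self.hash_oracle(m_star) == self.y and f(sigma) == self.y:
            return sigma
        return None


def trapdoor_forger(sim, d):
    """Stand-in for A: an unbounded forger that knows the trapdoor d (B never
    does). It makes q_h = 3 hash queries, q_s = 2 signing queries and then
    forges on a fresh message, as the forger the theorem quantifies over."""
    for m in ("m1", "m2", "m3"):
        sim.hash_oracle(m)
    for m in ("m1", "m2"):
        sim.sign_oracle(m)   # returns None if c landed here: the bad event of G5
    m_star = "m4"
    return m_star, pow(sim.hash_oracle(m_star), d, N)


def extraction_rate(trials=600):
    """Fraction of runs in which B recovers a preimage of y. With a forger that
    always succeeds, the loss factor predicts about 1/(q_h + q_s + 1) = 1/6."""
    d = pow(E, -1, (P_FACTOR - 1) * (Q_FACTOR - 1))  # trapdoor, only for the forger
    hits = 0
    for _ in range(trials):
        y = f(rng.randrange(1, N))            # challenge: B must find x with f(x) = y
        sim = FDHSimulator(y, q_h=3, q_s=2)
        m_star, sigma = trapdoor_forger(sim, d)
        x = sim.extract(m_star, sigma)
        hits += (x is not None and f(x) == y)
    return hits / trials
```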


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s)\cdot T_f$.

How should we interpret this result?

48/77



Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\mathrm{ow}}_f(B)$$

B runs in time $t' = t + (q_h + q_s)\cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme with time t, then one can invert f within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s)\cdot T_f) \le 2^{130} + 2^{110}\cdot T_f$.

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$$t' \le 2^{130} + 2^{110}\cdot T_f$$

Recall that $T_f = O(k^3)$ operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where B runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. So inverting f can be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$ and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

Goal: cannot be too strong.

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between Challenger and Adversary is:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is given to the Adversary.

Adversary → Challenger: ciphertexts c (CCA1 phase, before the challenge); the Challenger answers $m \leftarrow D_{k_d}(c)$, or ⊥.

Adversary → Challenger: $(m_0, m_1)$; the Challenger computes $c^* \leftarrow E_{k_e}(m_b)$ and returns $c^*$.

Adversary → Challenger: ciphertexts $c \ne c^*$ (CCA2 phase, after the challenge); the Challenger answers $m \leftarrow D_{k_d}(c)$, or ⊥.

Adversary: outputs $b'$.

$$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\big]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext $c = E_{k_e}(m)$, adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\big[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\big]$$

55/77


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
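The IND-CCA2 experiment defined above, together with the multiplicativity remark on ElGamal, as an added example that is not part of the slides: the group $\mathbb{Z}_{23}^*$, the toy ElGamal scheme, the Challenger class and both adversaries are constructed here.

```python
"""IND-CCA2 game from the slides, instantiated with a toy ElGamal over Z_p^*.
Added example, not from the slides: the group, the scheme and the adversaries
are constructed here."""
import random

# Constructed toy parameters: p = 23 is prime and g = 5 generates Z_23^*.
P, G = 23, 5
MESSAGE_SPACE = range(1, P)   # messages are group elements
rng = random.Random(2013)     # seeded so the experiment is reproducible


def keygen():
    """K(): secret exponent x, public h = g^x. Returns (k_e, k_d)."""
    x = rng.randrange(1, P - 1)
    return pow(G, x, P), x


def encrypt(ke, m):
    """E_ke(m) = (g^r, m * h^r) with fresh random r."""
    r = rng.randrange(1, P - 1)
    return pow(G, r, P), (m * pow(ke, r, P)) % P


def decrypt(kd, c):
    """D_kd(c1, c2) = c2 * c1^(-x); None stands for ⊥ on malformed input."""
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        return None
    return (c2 * pow(c1, -kd, P)) % P


class Challenger:
    """Runs the IND-CCA2 experiment: picks b and the keys, decrypts any
    c != c* on request, and encrypts m_b as the challenge."""

    def __init__(self):
        self.b = rng.randrange(2)
        self.ke, self.kd = keygen()
        self.challenge = None

    def dec_oracle(self, c):
        if c == self.challenge:   # the one restriction of CCA2
            return None
        return decrypt(self.kd, c)

    def challenge_oracle(self, m0, m1):
        assert m0 != m1 and m0 in MESSAGE_SPACE and m1 in MESSAGE_SPACE
        self.challenge = encrypt(self.ke, (m0, m1)[self.b])
        return self.challenge


def malleability_adversary(ke, challenge_oracle, dec_oracle):
    """Wins because ElGamal is multiplicative: (c1, c2 * g) is a different
    ciphertext, so the oracle decrypts it, and it decrypts to m_b * g."""
    m0, m1 = 2, 3
    c1, c2 = challenge_oracle(m0, m1)
    mauled = (c1, (c2 * G) % P)          # != c*, so the CCA2 rule allows it
    recovered = (dec_oracle(mauled) * pow(G, -1, P)) % P
    return 0 if recovered == m0 else 1


def guessing_adversary(ke, challenge_oracle, dec_oracle):
    """Baseline: ignores everything and guesses, so Pr[b' = b] is about 1/2."""
    challenge_oracle(2, 3)
    return rng.randrange(2)


def ind_cca2_success_rate(adversary, trials=200):
    """Empirical Pr[b' = b] over independent runs of the game."""
    wins = 0
    for _ in range(trials):
        ch = Challenger()
        b_prime = adversary(ch.ke, ch.challenge_oracle, ch.dec_oracle)
        wins += (b_prime == ch.b)
    return wins / trials
```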


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77



f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y, then return $c = f(x \,\|\, y)$.

D(c): compute $x \,\|\, y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
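The E(m, r) / D(c) pair above, as an added example that is not part of the slides: the pad formulas follow the cited Bellare-Rogaway 1994 construction, while the toy RSA modulus, the bit lengths n = 62, $k_0 = k_1 = 16$ and the SHA-256-based G and H are assumptions made here.

```python
"""f-OAEP with the G and H signatures from the slide. Added example, not the
slides' code: the pad formulas are the Bellare-Rogaway 1994 construction
(x = G(r) xor (m || 0^k1), y = H(x) xor r); the toy RSA modulus, the bit
lengths and the SHA-256-based G and H are constructed here."""
import hashlib
import random

N_BITS, K0, K1 = 62, 16, 16            # n > k0 + k1, as the slide requires
MSG_BITS = N_BITS - K0 - K1            # 30-bit messages

# Constructed toy trapdoor permutation: RSA with the primes 2^32 - 5 and
# 2^32 + 15, so every n-bit string x||y is below the modulus and f is
# injective on them (the range check in decrypt() rejects the rest).
P_FACTOR, Q_FACTOR, E = 4294967291, 4294967311, 65537
MODULUS = P_FACTOR * Q_FACTOR
D = pow(E, -1, (P_FACTOR - 1) * (Q_FACTOR - 1))   # trapdoor, used only by D(c)
assert (1 << N_BITS) < MODULUS


def _oracle(label, value, in_bits, out_bits):
    """Random-oracle stand-in: hash label || value and keep out_bits bits."""
    data = label + value.to_bytes((in_bits + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << out_bits) - 1)


def G(r):   # {0,1}^k0 -> {0,1}^(n-k0)
    return _oracle(b"G", r, K0, N_BITS - K0)


def H(x):   # {0,1}^(n-k0) -> {0,1}^k0
    return _oracle(b"H", x, N_BITS - K0, K0)


def f(w):
    return pow(w, E, MODULUS)


def f_inv(c):
    return pow(c, D, MODULUS)


def oaep_pad(m, r):
    """OAEP transform: the n-bit value x || y for message m and coins r."""
    assert 0 <= m < (1 << MSG_BITS) and 0 <= r < (1 << K0)
    x = G(r) ^ (m << K1)                  # m || 0^k1, masked by G(r)
    y = H(x) ^ r
    return (x << K0) | y


def oaep_unpad(w):
    """Inverse transform with the redundancy check; None stands for ⊥."""
    x, y = w >> K0, w & ((1 << K0) - 1)
    r = H(x) ^ y
    padded = G(r) ^ x
    if padded & ((1 << K1) - 1) != 0:     # the k1 zero bits must be intact
        return None
    return padded >> K1


def encrypt(m, r=None):
    """E(m, r): compute x, y, then return c = f(x || y)."""
    if r is None:
        r = random.SystemRandom().randrange(1 << K0)
    return f(oaep_pad(m, r))


def decrypt(c):
    """D(c): x || y = f^{-1}(c), invert OAEP, then check the redundancy."""
    w = f_inv(c)
    if w >= (1 << N_BITS):                # not an n-bit string: reject
        return None
    return oaep_unpad(w)
```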


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2\cdot t + q_H\,(2\cdot q_G + q_H)\cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

So inverting f can be done in time $t' \le 2^{76} + 6\cdot 2^{110}\,k^2 \le 2^{113}\cdot k^2$ and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations (one per key).

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more

61/77
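The three key-size lines on this slide and on the RSA-OAEP slide are the same computation: take the reduction's running time t' as a function of the modulus size k and compare it with the cost of the best direct attack on RSA (NFS). The Python block below is an added example, not from the slides, that carries out exactly that comparison in integer arithmetic, using the slides' adversary budgets (t ≤ 2^75, 2^55 oracle queries), the two bounds as stated on the slides and the slides' NFS estimates; the function names are mine. Because it takes the bound as a callable, it applies to any other reduction of the same shape.

```python
"""Added example: turning an exact-security bound into a key-size decision.

A reduction says: an attacker breaking the scheme in time t yields an RSA
inverter running in time t'.  The guarantee is only meaningful when t' is
below the best known direct attack on RSA (NFS factoring).
"""


def ceil_log2(n: int) -> int:
    """Smallest b with n <= 2^b, in exact integer arithmetic (no floats)."""
    return (n - 1).bit_length()


# Feasible-adversary budget from the slides: t <= 2^75 operations and at most
# 2^55 oracle queries of each kind.
T, Q = 2**75, 2**55


def oaep_inverter_time(k: int) -> int:
    """Slide's simplified [Fujisaki-OPS 00] bound for RSA-OAEP:
    t' <= 2^76 + 6 * 2^110 * k^2 for a k-bit modulus."""
    return 2**76 + 6 * 2**110 * k**2


def oaep_pp_inverter_time(k: int) -> int:
    """Slide's bound for RSA-OAEP++ (Jonsson): t' <= t + q_E * k^2."""
    return T + Q * k**2


# NFS factoring cost estimates quoted on the slides, as log2 of operations.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def meaningful_key_sizes(inverter_time, nfs_log2=NFS_LOG2) -> dict:
    """Map k -> (ceil log2 t', log2 NFS cost, verdict).

    Verdict is 'ok' when the inverter the reduction builds is no slower than
    NFS (so the reduction rules out attacks within the budget), else 'no'.
    """
    out = {}
    for k, nfs in sorted(nfs_log2.items()):
        tp = ceil_log2(inverter_time(k))
        out[k] = (tp, nfs, "ok" if tp <= nfs else "no")
    return out


def smallest_ok_key_size(inverter_time, nfs_log2=NFS_LOG2):
    """Smallest listed modulus size for which the reduction is meaningful."""
    for k, (_, _, verdict) in meaningful_key_sizes(inverter_time, nfs_log2).items():
        if verdict == "ok":
            return k
    return None


if __name__ == "__main__":
    for name, bound in (("RSA-OAEP", oaep_inverter_time),
                        ("RSA-OAEP++", oaep_pp_inverter_time)):
        print(name, meaningful_key_sizes(bound), "->", smallest_ok_key_size(bound))
```

Running it reproduces the slides' verdicts (4096 bits for RSA-OAEP, 1024 bits for RSA-OAEP++), which is precisely the difference between a loose and a tight reduction.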

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

62/77

                                                                                                        Concluding Remarks

                                                                                                        Part V

                                                                                                        Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with "model, attack, remodel"? Crypto as physics [Nguyen 12, Degabriele et al. 11].

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

                                                                                                        Part VI

                                                                                                        References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)

39/77

Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence G0, G1, ..., G5 of games or experiments.

2. All games are in the same probability space.

3. The rules by which the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. G0 is the actual security game (EUF-CMA).

6. G5 is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in G0 and G5 via all the intermediate games.

40/77

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ)

Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

"A outputs a pair (m, σ) for which Vf returns true"

Clearly, $\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) = \Pr[S_0]$.

41/77


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q): create an initially empty list called H-List. If (q, r) ∈ H-List, return r. Otherwise reply using Rule H(1): r ←$ X, and add the record (q, r) to H-List.

Signing oracle S(m): r ← H(m). Reply using Rule S(1): σ ← $f^{-1}(r)$.

Verification oracle Vf(m, σ): r ← H(m). Return true if r = f(σ). The game ends when this oracle is called.

Let S1 be the event "Vf returns true in G1". Clearly $\Pr[S_1] = \Pr[S_0]$.

42/77


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where c ←$ {1, …, qH + qS + 1}. Let c′ be the index of the first query in which the message m′ (the one for which A outputs a forgery) was sent to the hashing oracle by A. If c ≠ c′ then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathsf{GoodGuess}] = \Pr[S_1 \mid \mathsf{GoodGuess}] \times \Pr[\mathsf{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

43/77


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3): if this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, $\Pr[S_3] = \Pr[S_2]$.

44/77



Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): if this is the c-th query, set r ← y and s ← ⊥. Otherwise choose a random s ←$ X and compute r ← f(s). Add the record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

45/77



Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing (qS + qH) evaluations of f;

a signature forgery for y gives a preimage for y;

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B)$, where B = G5 runs in time t + (qS + qH)·Tf.

46/77



Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
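The simulator of game G5 in executable form, as an added example that is not part of the slides: a toy RSA permutation with tiny constructed primes stands in for f, the class FDHReduction plays B (it plants y as the answer to its c-th hash query and signs from H-List without $f^{-1}$), and a constructed forger that is handed the trapdoor only so that it wins the euf-cma game shows that B inverts y exactly when its guess c is right, i.e. for one of the q_H + q_S + 1 possible guesses. All names, the query counts and the primes are assumptions of this example.

```python
import random

# Toy RSA trapdoor permutation with tiny constructed primes (illustration only).
# The forger below is handed the trapdoor D only so that we have an adversary
# that actually wins the euf-cma game; the reduction B never uses D.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x):
    """The one-way permutation f in the forward (public-key) direction."""
    return pow(x, E, N)


class FDHReduction:
    """Algorithm B of game G5: answers the hash and signing oracles of an FDH
    forger without f^{-1}. On input y it plants y as the answer to its c-th
    hash query and returns a preimage of y when the forgery lands on it."""

    def __init__(self, y, q_h, q_s, rng, fixed_c=None):
        self.y = y
        self.bound = q_h + q_s + 1           # hash queries by A, via Sign, and the forgery
        self.c = fixed_c if fixed_c is not None else rng.randrange(1, self.bound + 1)
        self.rng = rng
        self.h_list = {}                     # H-List: q -> (s, r)
        self.count = 0

    def hash_oracle(self, q):
        """Rules H(3)/H(4): plant y at the c-th query, else r = f(s) for a known s."""
        if q in self.h_list:
            return self.h_list[q][1]
        self.count += 1
        if self.count > self.bound:
            raise RuntimeError("adversary exceeded its query budget")
        if self.count == self.c:
            s, r = None, self.y              # s <- bottom: no preimage known for y
        else:
            s = self.rng.randrange(1, N)
            r = f(s)
        self.h_list[q] = (s, r)
        return r

    def sign_oracle(self, m):
        """Rule S(5): sigma <- s from H-List; a signing query also consumes a hash query."""
        self.hash_oracle(m)
        s, _ = self.h_list[m]
        if s is None:
            raise RuntimeError("abort: signing query on the planted message")
        return s

    def finish(self, m, sigma):
        """Vf check; if the forgery is on the planted query it is a preimage of y."""
        r = self.hash_oracle(m)              # the '+1' query in q_H + q_S + 1
        if f(sigma) != r:
            return None
        return sigma if r == self.y else None


def cheating_forger(oracle, q_h=3, q_s=2):
    """Adversary A: q_h hash queries, q_s signing queries, then a forgery on a fresh
    message computed with the trapdoor D (which a real forger would not have)."""
    for i in range(q_h):
        oracle.hash_oracle(f"hash-query-{i}")
    for i in range(q_s):
        m = f"signed-msg-{i}"
        sigma = oracle.sign_oracle(m)
        if f(sigma) != oracle.hash_oracle(m):   # the simulated signatures must verify
            raise RuntimeError("simulation returned an invalid signature")
    m_forge = "forged-msg"
    return m_forge, pow(oracle.hash_oracle(m_forge), D, N)   # sigma = f^{-1}(H(m))


def run_reduction(y, fixed_c=None, seed=0, q_h=3, q_s=2):
    """One run of B on challenge y: returns x with f(x) = y, or None on a bad guess."""
    rng = random.Random(seed)
    b = FDHReduction(y, q_h, q_s, rng, fixed_c)
    try:
        m, sigma = cheating_forger(b, q_h, q_s)
    except RuntimeError:
        return None                          # B aborted (c hit a message that got signed)
    return b.finish(m, sigma)


def good_guess_count(y, q_h=3, q_s=2):
    """How many of the q_h + q_s + 1 possible guesses c let B invert y: exactly one,
    which is the 1/(q_H + q_S + 1) loss introduced in game G2."""
    bound = q_h + q_s + 1
    wins = sum(run_reduction(y, c, q_h=q_h, q_s=q_s) is not None for c in range(1, bound + 1))
    return wins, bound
```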


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA). Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

where

A runs in time t, makes qh queries to the hash function (RO) and qs signature queries;

Tf is the time to compute f (in the forward direction);

B runs in time t′ = t + (qh + qs)·Tf.

How should we interpret this result?

48/77



Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most 2^75 operations (t),

at most 2^55 hash queries (qh), and

at most 2^30 signing queries (qs).

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

B runs in time t′ = t + (qh + qs)·Tf.

The result now says:

Interpreting the Result: if one can break the scheme within time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that Tf = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t′ ≤ 2^140, but NFS takes 2^80

2048 bits → t′ ≤ 2^143, but NFS takes 2^111

4096 bits → t′ ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$

where B runs in time t′ = t + (qh + qs + 1)·Tf if A runs in time t and makes qh, qs queries. Inverting f can then be done in time t′ ≤ 2^30 · t + 2^85 · Tf, and:

1024 bits → t′ ≤ 2^105, but NFS takes 2^80

2048 bits → t′ ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption).

Goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (info-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally: given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: b ←$ {0, 1}; (ke, kd) ←$ K(·); ke is given to the Adversary.

Adversary → Challenger: decryption queries c, answered with m ← D_kd(c) or ⊥ (CCA1: only before the challenge; CCA2: also after it, for c ≠ c*).

Adversary → Challenger: m0, m1. Challenger: c* ← E_ke(mb), sent to the Adversary.

Adversary: outputs b′.

$$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) :\ b' = b\big]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_ke(m), the adversary A must recover m.

A scheme AS is one-way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with non-negligible probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m\big]$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA ⇔ RSA problem (computing modular e-th roots). It is not IND-CPA (hence not IND-CCA) since it is deterministic: the adversary re-encrypts m0 and m1 itself and compares with c*.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA ⇔ CDH (Computational Diffie-Hellman). IND-CPA ⇔ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity: from an encryption of m anyone can build an encryption of s·m.

Obs: CDH and DDH are weaker problems than DLog, i.e. stronger assumptions (DDH reduces to CDH, which reduces to DLog: a DLog solver breaks CDH, and a CDH solver breaks DDH).
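The two negative claims above can be checked by hand. The following Python is an added example (not code from the slides): a toy textbook ElGamal over a constructed, insecure group, together with the IND-CCA2 adversary that exploits multiplicativity by asking the decryption oracle for a related ciphertext c' ≠ c*. The group parameters, message values and function names are assumptions made for this example only.

```python
import secrets

# Constructed toy group (NOT a secure parameter choice): the Mersenne prime
# p = 2^61 - 1 and g = 3 in Z_p^*.  The attack only uses the group law, so it
# works unchanged for any group ElGamal is instantiated in.
P = (1 << 61) - 1
G = 3


def keygen():
    """Return (kd, ke) = (x, y = g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt(ke, m):
    """Textbook ElGamal: c = (g^r, m * y^r) for a fresh random r."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(ke, r, P)) % P


def decrypt(kd, c):
    c1, c2 = c
    # c2 / c1^x, the inverse computed with Fermat since p is prime
    return (c2 * pow(pow(c1, kd, P), P - 2, P)) % P


def cca2_adversary(ke, dec_oracle, m0, m1, c_star):
    """IND-CCA2 adversary: c* = (g^r, m_b * y^r), so (g^r, s * m_b * y^r) is a
    *different* ciphertext that decrypts to s * m_b.  The oracle only refuses
    c* itself, so it happily decrypts the related one."""
    c1, c2 = c_star
    s = 2
    c_prime = (c1, (s * c2) % P)
    assert c_prime != c_star
    m_prime = dec_oracle(c_prime)
    m_b = (m_prime * pow(s, P - 2, P)) % P     # divide by s
    return 0 if m_b == m0 else 1


def ind_cca2_game(adversary):
    """Run the IND-CCA2 game once; return True if the adversary's b' equals b."""
    kd, ke = keygen()
    m0, m1 = 0x48656C6C6F, 0x576F726C64         # two distinct messages in Z_p^*
    b = secrets.randbelow(2)
    c_star = encrypt(ke, (m0, m1)[b])

    def dec_oracle(c):
        if c == c_star:
            raise ValueError("decryption of the challenge ciphertext is refused")
        return decrypt(kd, c)

    return adversary(ke, dec_oracle, m0, m1, c_star) == b


def attack_success_rate(trials=50):
    """Fraction of games the multiplicativity adversary wins (expected: all)."""
    return sum(ind_cca2_game(cca2_adversary) for _ in range(trials)) / trials
```

The same re-randomisation trick is exactly what the IND-CCA2 definition is designed to capture: the restriction c ≠ c* is necessary for the notion to be satisfiable, and a malleable scheme loses precisely because it lets the adversary work around that one forbidden query.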


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with hash functions (modeled as random oracles)

$$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}, \qquad H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$$

E(m, r): compute x, y (the OAEP padding of m under the random r), then return c = f(x||y).

D(c): compute x||y = f^{-1}(c), invert OAEP, then check the redundancy (the k1 fixed bits); reject if the check fails.
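The padding steps the slide leaves implicit are, in the Bellare-Rogaway construction, x = (m || 0^{k1}) ⊕ G(r) and y = r ⊕ H(x). The Python below is an added example, not code from the slides or from any library: f is a constructed toy RSA permutation (an insecure ~150-bit modulus chosen so the example runs instantly), G and H are SHA-256-based mask generators standing in for the random oracles, and n = 144, k0 = k1 = 32 are parameter choices made for this example. It also exhibits the two facts stated on the earlier slide: plain RSA is deterministic (a trivial IND-CPA distinguisher) and multiplicative, and it is the OAEP redundancy check that rejects a mauled ciphertext.

```python
import hashlib
import secrets

# Constructed toy trapdoor permutation f = RSA with two Mersenne primes.
# Insecure parameters, used only so that the example runs fast.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
N = _P * _Q
EXP_E = 65537
EXP_D = pow(EXP_E, -1, (_P - 1) * (_Q - 1))

# OAEP parameters (assumed): n > k0 + k1, and every n-bit string is < N,
# so f really permutes {0,1}^n.
N_BITS, K0, K1 = 144, 32, 32
M_BITS = N_BITS - K0 - K1            # 80-bit messages


def f(x):                            # forward direction: public
    return pow(x, EXP_E, N)


def f_inv(y):                        # trapdoor direction: needs d
    return pow(y, EXP_D, N)


def _mgf(label, data, out_bits):
    """Hash-based mask generator standing in for a random oracle."""
    out, ctr = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + data + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def G(r):                            # {0,1}^k0 -> {0,1}^(n-k0)
    return _mgf(b"G", r.to_bytes(K0 // 8, "big"), N_BITS - K0)


def H(s):                            # {0,1}^(n-k0) -> {0,1}^k0
    return _mgf(b"H", s.to_bytes((N_BITS - K0) // 8, "big"), K0)


def oaep_pad(m, r):
    """x||y for an M_BITS-bit message m and a K0-bit random r."""
    s = (m << K1) ^ G(r)             # x = (m || 0^k1) xor G(r)
    t = r ^ H(s)                     # y = r xor H(x)
    return (s << K0) | t


def oaep_unpad(xy):
    """Invert the padding; None when the k1 redundancy bits are not all zero."""
    if xy >> N_BITS:                 # f^-1(c) is not an n-bit string: reject
        return None
    s, t = xy >> K0, xy & ((1 << K0) - 1)
    r = t ^ H(s)
    mz = s ^ G(r)
    if mz & ((1 << K1) - 1):         # redundancy check
        return None
    return mz >> K1


def encrypt(m):
    assert 0 <= m < (1 << M_BITS)
    return f(oaep_pad(m, secrets.randbits(K0)))


def decrypt(c):
    return oaep_unpad(f_inv(c))


def textbook_rsa_distinguisher(c_star, m0, m1):
    """IND-CPA adversary against plain f: encryption is deterministic, so
    re-encrypting the two candidates identifies the challenge bit."""
    return 0 if f(m0) == c_star else 1


def maul(c):
    """RSA multiplicativity: c * f(3) mod N equals f(3 * (x||y)).  Against plain
    RSA this is a valid related ciphertext; under OAEP it is rejected."""
    return (c * f(3)) % N
```

Two OAEP encryptions of the same message differ because r is fresh, and decrypt(maul(c)) returns None: either 3·(x||y) is no longer an n-bit string, or the xor masks scramble the k1 zero bits with probability 1 − 2^{-k1}. That rejection is the whole content of the redundancy check, and it is why the IND-CCA reduction can afford to answer decryption queries with ⊥ unless the adversary has already queried G and H on the right values.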


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time t' = 2·t + q_H·(2·q_G + q_H)·k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size (in bits) and e is small.

With the feasible-adversary bounds used below (t ≤ 2^75 operations, at most 2^55 oracle queries), inverting f can then be done in time t' ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

(the reduction only contradicts the RSA assumption if the inverter it builds is faster than the best known factoring algorithm)

⇒ RSA-OAEP is secure, by this reduction, only for keys of at least 4096 bits: the reduction is not tight.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations (one per key).


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (q_H, q_G) and ideal-cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more (a tight reduction).
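The two key-size tables above are an instance of the exact-security calculation a practitioner has to redo for their own parameters. The Python below is an added example, not from the slides: it encodes the two running-time bounds (Fujisaki-OPS for RSA-OAEP, Jonsson for OAEP++) together with the quadratic advantage loss of the first, and compares the inverter each reduction yields against the NFS cost figures quoted on the slides. The adversary bounds 2^75 / 2^55 and the NFS costs are the slides' numbers; the function names are this example's own.

```python
from math import log2

# Resource bounds for a feasible adversary, as assumed on the slides:
# at most 2^75 operations and at most 2^55 oracle queries of each kind.
T_ADV, Q_ORACLE = 2 ** 75, 2 ** 55

# Cost of the best known attack (Number Field Sieve) at the modulus sizes
# quoted on the slides.  Taken from the slides, not recomputed here.
NFS_COST = {1024: 2 ** 80, 2048: 2 ** 111, 4096: 2 ** 149}


def oaep_inverter_time(t, q_g, q_h, k):
    """t' of the RSA-OAEP reduction: t' = 2t + q_H (2 q_G + q_H) k^2."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k


def oaep_inverter_advantage(adv_ind_cca):
    """Advantage side of the same bound, Adv^ind-cca <= 2 sqrt(Adv^rsa):
    the inverter keeps only (Adv/2)^2 of the attacker's advantage."""
    return (adv_ind_cca / 2) ** 2


def oaep_pp_inverter_time(t, q_e, k):
    """t' of the OAEP++ reduction: t' = t + q_E k^2, linear in t."""
    return t + q_e * k * k


def reduction_is_meaningful(t_prime, k):
    """A reduction contradicts the RSA assumption only if the inverter it
    produces beats the best known factoring attack at this modulus size."""
    return t_prime < NFS_COST[k]


def key_size_verdicts(reduction_time):
    """Map modulus size -> (log2 t', 'ok' or 'no') for one reduction."""
    verdicts = {}
    for k in sorted(NFS_COST):
        t_prime = reduction_time(k)
        verdicts[k] = (log2(t_prime),
                       "ok" if reduction_is_meaningful(t_prime, k) else "no")
    return verdicts


def compare_reductions():
    """Reproduce both tables from the slides with the same inputs."""
    return {
        "RSA-OAEP": key_size_verdicts(
            lambda k: oaep_inverter_time(T_ADV, Q_ORACLE, Q_ORACLE, k)),
        "RSA-OAEP++": key_size_verdicts(
            lambda k: oaep_pp_inverter_time(T_ADV, Q_ORACLE, k)),
    }


def smallest_safe_modulus(reduction_time):
    """First modulus size at which the reduction gives a meaningful guarantee."""
    for k in sorted(NFS_COST):
        if reduction_is_meaningful(reduction_time(k), k):
            return k
    return None
```

The point of writing it out is the verdict column: a proof with a 2^56·k^2 factor in its running time and a square root in its advantage is a proof of security only at 4096 bits, while the linear OAEP++ bound already says something at 1024 bits. Whenever the NFS estimates or the assumed query budgets change (for instance when a new factoring record is published), the table has to be recomputed.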


Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.

Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks (Shor's algorithm).

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices


                                                                                                          Part V

                                                                                                          Concluding Remarks


Limits and Benefits of Provable Security

"Provable" security does not yield unconditional proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht et al. 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we back where we started, cycling through model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security (cont.)

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes, David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography, Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security, Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                                                                          Part VI

                                                                                                          References


M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.


J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.


S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.


J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.


P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.


R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin - Heidelberg - New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.


V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


Outline

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Exact Security: Full-Domain Hash Signatures

Theorem (FDH is EUF-CMA in the RO model)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

[Bellare-Rogaway 1993, 1996]

Proof (reduction)


Exact Security: FDH Signatures & Game-based proofs

We use the game-based proof technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \ldots, G_5$ of games or experiments.

2. All games live in the same probability space.

3. Only the rules by which the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.


Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle $V_f$.

Verification oracle $V_f(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which $V_f$ returns true".

Clearly $\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$: create an initially empty list called H-List. If $(q, r) \in$ H-List, return r. Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$, and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$: $r \leftarrow H(m)$; reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $V_f(m, \sigma)$: $r \leftarrow H(m)$; return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "$V_f$ returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.


Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$.

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A. If $c \ne c'$ then abort.

Success verification is within the game $\Rightarrow$ the adversary must query his output message m (so $c'$ is well defined, and at most $q_H + q_S + 1$ distinct messages are ever hashed).

$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3): if this is the c-th query, set $r \leftarrow y$; otherwise choose r at random. Add the record $(q, \perp, r)$ to H-List.

Since y is itself uniformly distributed in X, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may also be used by signing queries).

Rule H(4): if this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the c-th query (the forgery target) cannot be asked to the signing oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage of y;

$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) \cdot T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$\mathrm{Adv}^{\text{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A)$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
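The whole sequence of games above, traced in code as an added example (this is not code from the slides or from the cited papers): a toy RSA instance with constructed parameters plays the one-way permutation f, `RandomOracle` implements Rule H(1), and `ReductionB` is the adversary B of game $G_5$, which programs the random oracle with Rule H(4), answers signing queries with Rule S(5) without ever calling $f^{-1}$, and returns the forgery as a preimage of the challenge y when its guess c was right. The forger it runs is an idealised stand-in for the hypothetical adversary A: it produces its forgery by cheating with the trapdoor, which a real forger does not have, and exists only to exercise the simulation. The names, the parameters and the query pattern (four hash queries, one signing query, forgery on the third hashed message) are all assumptions of this example.

```python
# Added example: toy trace of the FDH reduction (games G0 to G5) with RSA as f.
# All parameters are constructed; the forger is an idealised stand-in for A.
import random

# Constructed toy RSA instance: far too small for real use, enough to trace the proof.
P, Q = 61, 53
N = P * Q                           # 3233; the domain is X = Z_N
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))   # 2753, the trapdoor exponent (secret key)


def f(x: int) -> int:
    """The one-way permutation f on Z_N (RSA forward direction); one call costs T_f."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Trapdoor inverse f^{-1}: the honest signer has it, the reduction B never uses it."""
    return pow(y, D, N)


class RandomOracle:
    """Rule H(1): a lazily sampled random oracle H: {0,1}* -> Z_N."""

    def __init__(self, rng: random.Random):
        self.rng, self.h_list = rng, {}

    def __call__(self, m: bytes) -> int:
        if m not in self.h_list:
            self.h_list[m] = self.rng.randrange(N)
        return self.h_list[m]


def fdh_sign(H, m: bytes) -> int:
    return f_inv(H(m))                 # sigma = f^{-1}(H(m))


def fdh_verify(H, m: bytes, sigma: int) -> bool:
    return H(m) == f(sigma)            # the verification oracle Vf of game G0


def fdh_roundtrip() -> bool:
    """Game G0 sanity check: an honestly produced signature verifies."""
    H = RandomOracle(random.Random(0))
    return fdh_verify(H, b"hello", fdh_sign(H, b"hello"))


class ReductionB:
    """Adversary B of game G5: runs a forger on challenge y, answering hash queries with
    Rule H(4) and signing queries with Rule S(5); c is the guessed index of the forgery."""

    def __init__(self, y: int, c: int, rng: random.Random):
        self.y, self.c, self.rng = y, c, rng
        self.h_list = {}      # m -> (s, r); s is None for the c-th fresh query
        self.fresh = 0        # count of distinct hash queries so far
        self.signed = set()
        self.aborted = False

    def hash(self, m: bytes) -> int:
        if m not in self.h_list:
            self.fresh += 1
            if self.fresh == self.c:
                self.h_list[m] = (None, self.y)    # r <- y, s <- bottom: challenge embedded here
            else:
                s = self.rng.randrange(N)
                self.h_list[m] = (s, f(s))          # r = f(s) is uniform since f is a permutation
        return self.h_list[m][1]

    def sign(self, m: bytes):
        self.hash(m)                  # the signing oracle first queries H (game G1)
        s, _ = self.h_list[m]
        if s is None:                 # the c-th message: no preimage known, the guess was wrong
            self.aborted = True
            return None
        self.signed.add(m)
        return s                      # Rule S(5): sigma <- s, and f(s) = H(m) so it verifies

    def run(self, forger):
        m_star, sigma_star = forger(self.hash, self.sign)
        if self.aborted or m_star in self.signed:
            return None
        self.hash(m_star)             # Vf hashes m*: this is the "+1" query of the bound
        _, r = self.h_list[m_star]
        if r == self.y and f(sigma_star) == self.y:
            return sigma_star         # a valid forgery on the c-th message is a preimage of y
        return None


def idealised_forger(hash_oracle, sign_oracle):
    """Stand-in for the hypothetical forger A: q_h = 4 hash queries, q_s = 1 signing query,
    then a forgery on an unsigned message (the 3rd one hashed). It cheats with the trapdoor
    D, which a real forger does not have; its only purpose is to drive B's simulation."""
    msgs = [b"msg-%d" % i for i in range(4)]
    for m in msgs:
        hash_oracle(m)
    sign_oracle(msgs[1])
    target = msgs[2]
    return target, f_inv(hash_oracle(target))


def run_reduction(c: int, seed: int = 1):
    """Run B with guess c against a constructed challenge y; returns (y, preimage or None)."""
    rng = random.Random(seed)
    y = rng.randrange(N)
    return y, ReductionB(y, c, rng).run(idealised_forger)


def count_successful_guesses(qh: int = 4, qs: int = 1) -> int:
    """Try every guess c in {1, ..., qh+qs+1}: exactly one succeeds, the 1/(qh+qs+1) loss."""
    hits = 0
    for c in range(1, qh + qs + 2):
        y, x = run_reduction(c)
        if x is not None and f(x) == y:
            hits += 1
    return hits
```

Running `count_successful_guesses()` tries every value of c in $\{1, \ldots, q_h + q_s + 1\}$ and finds that exactly one succeeds, the $1/(q_h + q_s + 1)$ loss of the theorem in miniature. The guess that lands on the message the forger asks to have signed makes B abort, since answering that query would need $f^{-1}$; every other wrong guess yields a forgery on a message whose hash B programmed as $f(s)$, which is worthless as a preimage of y.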


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits $\rightarrow$ $t' \le 2^{140}$, but NFS takes $2^{80}$;

2048 bits $\rightarrow$ $t' \le 2^{143}$, but NFS takes $2^{111}$;

4096 bits $\rightarrow$ $t' \le 2^{146}$, but NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.
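The arithmetic of the two interpretation slides, as an added example (not from the slides): `inverter_time_log2` evaluates the Bellare-Rogaway bound $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f)$ for the adversary resources assumed above, and `secure_key_sizes` compares the result with the NFS cost quoted on the slides for each modulus size, keeping the sizes where a forger would hand us an inverter faster than the best known one. $T_f = k^3$ is an assumption that instantiates the slides' $T_f = O(k^3)$ with constant 1; the NFS figures are taken from the slides, not computed here.

```python
# Added example: from the FDH exact-security bound to a key-size recommendation.
import math

# Feasible adversary resources assumed on the slides.
T_ADV = 2 ** 75      # running time t
Q_HASH = 2 ** 55     # hash queries q_h
Q_SIGN = 2 ** 30     # signing queries q_s

# log2 of the NFS cost per RSA modulus size, as quoted on the slides (not computed here).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def inverter_time_log2(t: int, qh: int, qs: int, tf: int) -> float:
    """log2 of t' <= (qh + qs + 1) * (t + (qh + qs) * Tf), the running time of the
    inverter that the Bellare-Rogaway reduction builds from a forger running in time t
    (the factor qh + qs + 1 repeats B until a good guess is made)."""
    return math.log2((qh + qs + 1) * (t + (qh + qs) * tf))


def secure_key_sizes(t: int = T_ADV, qh: int = Q_HASH, qs: int = Q_SIGN,
                     nfs_log2=NFS_LOG2) -> list:
    """Modulus sizes at which the bound is meaningful: the inverter obtained from a
    forger would beat the NFS, so such a forger cannot exist unless NFS is beaten.
    T_f = k^3 is an assumption instantiating T_f = O(k^3)."""
    return [k for k, nfs in sorted(nfs_log2.items())
            if inverter_time_log2(t, qh, qs, k ** 3) < nfs]
```

With the slides' numbers the three evaluations come out at about $2^{140}$, $2^{143}$ and $2^{146}$, and only the 4096-bit modulus clears its NFS cost of $2^{149}$, which is the conclusion stated above.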


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. Solving, inverting f can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits $\rightarrow$ $t' \le 2^{105}$, but NFS takes $2^{80}$;

2048 bits $\rightarrow$ $t' \le 2^{107}$, but NFS takes $2^{111}$: ok;

4096 bits $\rightarrow$ $t' \le 2^{109}$, but NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

                                                                                                            5177

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

Goal cannot be too strong:
Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).
Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

Challenger: $b \xleftarrow{\$} \{0,1\}$; $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the adversary.
Adversary (CCA1 phase): queries any ciphertext $c$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$).
Adversary: outputs $m_0, m_1$.
Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$.
Adversary (CCA2 phase): queries any ciphertext $c \neq c^*$ and receives $m \leftarrow D_{k_d}(c)$ (or $\perp$).
Adversary: outputs $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
Let m be a random message chosen from the message space M.
From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots)
It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman)
IND-CPA = DDH (Decisional Diffie-Hellman)
It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
Any trapdoor one-way function may yield a OW-CPA encryption scheme.
OW-CPA is not enough to get IND-CPA nor IND-CCA.

So, how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$
$H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

E(m, r): compute x, y, then return $c = f(x \| y)$.
D(c): compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
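As an added example (not from the slides or the cited papers), the following Python implements f-OAEP over a constructed toy RSA trapdoor permutation and also plays the IND-CPA game from the earlier slides against the adversary that re-encrypts m0 and compares, which wins every time against deterministic plain RSA (the point made on the RSA slide) but not against the randomized padding. The slide leaves x and y implicit; the code uses the Bellare-Rogaway construction x = (m || 0^k1) ⊕ G(r), y = r ⊕ H(x), with G and H instantiated as constructed SHA-256 mask generators, and the Mersenne-prime modulus, parameter sizes and message strings are all chosen here for illustration only.

```python
# Added example (not from the slides or the cited papers): f-OAEP over a
# constructed toy RSA trapdoor permutation, plus the re-encrypt-and-compare
# IND-CPA adversary that beats any deterministic scheme such as plain RSA.
import hashlib
import secrets
from typing import Callable, Optional

# --- constructed RSA instance (toy size: a 234-bit modulus is NOT secure) ---
# p and q are Mersenne primes, so no primality test is needed in the example.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # the trapdoor

def f(x: int) -> int:
    """The trapdoor one-way permutation f (RSA forward direction)."""
    return pow(x, E, N)

def f_inv(c: int) -> int:
    """f^{-1}, computable only with the trapdoor D."""
    return pow(c, D, N)

# --- OAEP parameters (bits): n > k0 + k1, and 2^n < N so x||y is in f's domain
NBITS, K0, K1 = 232, 64, 64
MSG_LEN = (NBITS - K0 - K1) // 8        # 13-byte messages
K0_LEN, X_LEN = K0 // 8, (NBITS - K0) // 8

def _mgf(label: bytes, seed: bytes, out_len: int) -> bytes:
    """Counter-mode SHA-256 mask generator standing in for the random oracles."""
    out = b""
    for i in range((out_len + 31) // 32):
        out += hashlib.sha256(label + seed + i.to_bytes(4, "big")).digest()
    return out[:out_len]

def G(r: bytes) -> bytes:                # {0,1}^k0 -> {0,1}^(n-k0)
    return _mgf(b"G", r, X_LEN)

def H(x: bytes) -> bytes:                # {0,1}^(n-k0) -> {0,1}^k0
    return _mgf(b"H", x, K0_LEN)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be exactly {MSG_LEN} bytes")
    r = secrets.token_bytes(K0_LEN) if r is None else r
    x = _xor(m + bytes(K1 // 8), G(r))
    y = _xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))

def oaep_decrypt(c: int) -> Optional[bytes]:
    """D(c): x||y = f^{-1}(c), undo OAEP, and return m only if the k1
    redundancy bits are all zero; anything else yields None (the symbol ⊥)."""
    v = f_inv(c)
    if v >= 1 << NBITS:                  # outside the padding domain: reject
        return None
    xy = v.to_bytes(NBITS // 8, "big")
    x, y = xy[:X_LEN], xy[X_LEN:]
    r = _xor(y, H(x))
    mz = _xor(x, G(r))
    m, z = mz[:MSG_LEN], mz[MSG_LEN:]
    return m if z == bytes(K1 // 8) else None

def rsa_plain_encrypt(m: bytes) -> int:
    """Textbook RSA: deterministic, so equal plaintexts give equal ciphertexts."""
    return f(int.from_bytes(m, "big"))

def ind_cpa_game(encrypt: Callable[[bytes], int], m0: bytes, m1: bytes,
                 trials: int) -> int:
    """Run the IND-CPA game `trials` times against the adversary that simply
    re-encrypts m0 under the public key and compares; return its correct
    guesses. Against plain RSA it wins every time, against OAEP about half."""
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        c_star = encrypt((m0, m1)[b])
        guess = 0 if encrypt(m0) == c_star else 1
        wins += int(guess == b)
    return wins

if __name__ == "__main__":
    m0, m1 = b"hello, world!", b"goodbye, moon"   # constructed 13-byte inputs
    c = oaep_encrypt(m0)
    print("round trip ok:", oaep_decrypt(c) == m0)
    print("two encryptions of m0 differ:", oaep_encrypt(m0) != c)
    # Ciphertext modified through RSA's multiplicativity (c * f(2) = f(2 * x||y)):
    # it is the redundancy check, not f itself, that makes D reject it.
    print("modified ciphertext rejected:", oaep_decrypt(c * f(2) % N) is None)
    print("compare adversary vs plain RSA:",
          ind_cpa_game(rsa_plain_encrypt, m0, m1, 32), "/ 32")
    print("compare adversary vs RSA-OAEP:",
          ind_cpa_game(oaep_encrypt, m0, m1, 32), "/ 32")
```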

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size, and e is small.

Solving (inverting) f can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight)

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are
at most $2^{75}$ operations (t)
at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more

61/77

Revisiting the Assumptions

Classical Assumptions:
Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
Error-Correcting Codes
Hash-based schemes
Systems of Multivariate Equations
Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:
Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
Definitions (models) need time for review and acceptance.
Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then (one mode) attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now (model, attacks, remodel)? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:
provides some form of guarantee that the scheme is not flawed;
motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:
Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (ACM TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

                                                                                                            D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                            7577

                                                                                                            R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                            C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                            V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                            7677

                                                                                                            V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                            S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                            7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
      • Reductions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Exact Security: FDH Signatures & Game-based proofs

We use a game-based proofs technique [Shoup 2004, Bellare-Rogaway 2004]:

1. Define a sequence $G_0, G_1, \dots, G_5$ of games, or experiments.

2. All games are in the same probability space.

3. The rules on how the view of the game is computed differ.

4. Successive games are very similar, typically with slightly different probability distributions.

5. $G_0$ is the actual security game (EUF-CMA).

6. $G_5$ is the game for the underlying assumption (OW).

7. We relate the probabilities of the events that define the advantages in $G_0$ and $G_5$ via all the intermediate games.

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game $G_0$: the real EUF-CMA game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle $\mathrm{Vf}(m, \sigma)$: return true if $H(m) = f(\sigma)$. The game ends when the adversary sends $(m, \sigma)$ here.

Let $S_0$ be the event "A outputs a pair $(m, \sigma)$ for which Vf returns true".

Clearly
$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) = \Pr[S_0].$$

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game $G_1$: as $G_0$, but the oracles are simulated as below.

Hashing oracle $H(q)$:
  Create an initially empty list called H-List.
  If $(q, r) \in$ H-List, return $r$.
  Otherwise reply using Rule H(1): $r \xleftarrow{\$} X$ and add the record $(q, r)$ to H-List.

Signing oracle $S(m)$:
  $r \leftarrow H(m)$. Reply using Rule S(1): $\sigma \leftarrow f^{-1}(r)$.

Verification oracle $\mathrm{Vf}(m, \sigma)$:
  $r \leftarrow H(m)$. Return true if $r = f(\sigma)$. The game ends when this oracle is called.

Let $S_1$ be the event "Vf returns true in $G_1$". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game $G_2$: as $G_1$, but where $c \xleftarrow{\$} \{1, \dots, q_H + q_S + 1\}$.

Let $c'$ be the index of the first query in which the message $m'$ (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If $c \neq c'$ then abort.

Since verification is within the game, the adversary must query its output message $m$ to the hashing oracle. Let GoodGuess be the event $c = c'$. Then
$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}.$$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game $G_3$: as $G_2$, but now use the following rule in the hashing oracle.

Let $y$ be the challenge from which we want to extract a preimage $x$ under $f$.

Rule H(3): If this is the $c$-th query, set $r \leftarrow y$. Otherwise choose $r$ at random. Add the record $(q, \perp, r)$ to H-List.

Since $y$ is uniformly distributed, $\Pr[S_3] = \Pr[S_2]$.


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game $G_4$: as $G_3$, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4): If this is the $c$-th query, set $r \leftarrow y$ and $s \leftarrow \perp$. Otherwise choose a random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$. Add the record $(q, s, r)$ to H-List.

Since $y$ is random, $f$ is a permutation and $s$ is random, $\Pr[S_4] = \Pr[S_3]$.


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game $G_5$: except for the $c$-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the $c$-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

  the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

  a signature forgery for $y$ gives a preimage of $y$.

$$\Pr[S_5] = \mathrm{Adv}^{\text{ow}}_f(B),$$
where $B = G_5$ runs in time $t + (q_S + q_H)\, T_f$.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:
$$\mathrm{Adv}^{\text{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A).$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
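As an added worked example (not the author's or Pointcheval's code), the following assembles games $G_1$ to $G_5$ into the reduction B and runs it against a constructed forger: a toy RSA instance with tiny made-up parameters stands in for the one-way permutation $f$, the messages are constructed, and the class and function names are this example's own.

```python
import secrets

# Toy RSA permutation f(x) = x^e mod N with tiny, constructed parameters:
# small enough to trace by hand, and offering no security whatsoever.
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # trapdoor exponent; gcd(E, phi(N)) = 1


def f(x):
    """Forward direction of the permutation (public, costs T_f)."""
    return pow(x, E, N)


def f_inv(y):
    """f^{-1}: needs the trapdoor D. The reduction below never calls it."""
    return pow(y, D, N)


class Reduction:
    """B: turns an EUF-CMA forger against FDH into an inverter of f on y.

    Implements rules H(4) and S(5) of the game sequence: every hash answer
    except the c-th one is r = f(s) for a known s, so signing is a table
    lookup; the c-th answer is the challenge y itself.
    """

    def __init__(self, y, q_h, q_s, guess=None):
        self.y = y
        self.bound = q_h + q_s + 1  # the +1 is the verification oracle's hash call
        # G2: guess the index c of the hash query on the forged message.
        self.c = guess if guess is not None else secrets.randbelow(self.bound) + 1
        self.hlist = {}  # H-List: q -> (s, r); s is None at the embedded position
        self.count = 0   # number of distinct hash queries answered so far

    def hash(self, q):
        """Random oracle H, simulated (rule H(4))."""
        if q in self.hlist:
            return self.hlist[q][1]
        self.count += 1
        if self.count == self.c:
            s, r = None, self.y         # embed the challenge; preimage unknown
        else:
            s = secrets.randbelow(N)    # choose s at random, publish r = f(s)
            r = f(s)
        self.hlist[q] = (s, r)
        return r

    def sign(self, m):
        """Signing oracle, simulated without f^{-1} (rule S(5))."""
        self.hash(m)
        s, _ = self.hlist[m]
        if s is None:
            # A wants a signature on the guessed message; its forgery then has
            # to be on a different message, so the guess c is wrong: abort.
            raise LookupError("bad guess: signing query on the embedded message")
        return s

    def run(self, adversary):
        """Run A with the simulated oracles; return f^{-1}(y) on success, else None."""
        try:
            m, sigma = adversary(self.hash, self.sign)
        except LookupError:
            return None
        self.hash(m)                    # Vf: verification happens inside the game
        s, r = self.hlist[m]
        if s is None and f(sigma) == r:
            return sigma                # valid forgery on the c-th message = preimage of y
        return None


def trapdoor_forger(hash_oracle, sign_oracle):
    """Constructed test adversary: it 'breaks' FDH only because it holds D.

    Makes q_h = 3 hash queries and q_s = 2 signing queries, then forges on
    the third message. It also checks that simulated signatures verify,
    i.e. that the simulation looks like the real signer to A.
    """
    msgs = [b"pay 10", b"pay 20", b"pay 30"]
    digests = [hash_oracle(m) for m in msgs]
    for m, r in zip(msgs[:2], digests[:2]):
        if f(sign_oracle(m)) != r:
            raise RuntimeError("simulated signature failed to verify")
    return msgs[2], f_inv(digests[2])


def success_fraction(adversary, q_h, q_s):
    """Run B once per possible guess c and count inversions of a fresh y.

    For a forger that always succeeds this is exactly 1/(q_h + q_s + 1),
    the loss factor in the theorem's bound.
    """
    y = f(secrets.randbelow(N))
    wins = sum(1 for c in range(1, q_h + q_s + 2)
               if Reduction(y, q_h, q_s, guess=c).run(adversary) is not None)
    return wins, q_h + q_s + 1
```

Running `success_fraction(trapdoor_forger, 3, 2)` tries all six values of $c$ and inverts $y$ exactly once, which is the $1/(q_H + q_S + 1)$ factor of the concluding inequality; the two aborting guesses are the ones where A asks for a signature on the embedded message.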


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary A there exists an adversary B such that
$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B)$$
where

  A runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

  $T_f$ is the time to compute $f$ (in the forward direction);

  B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose the feasible security bounds for any adversary are:

  at most $2^{75}$ operations ($t$),

  at most $2^{55}$ hash queries ($q_h$), and

  at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_f(B),$$
where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time
$$t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f.$$

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' ≤ 2^130 + 2^110 · T_f

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely factoring), using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → t' ≤ 2^140, but NFS takes 2^80

2048 bits → t' ≤ 2^143, but NFS takes 2^111

4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

Adv^{euf-cma}_{FDH}(A) ≤ q_s · e · Adv^{ow}_f(B)

(here e ≈ 2.718 is the base of the natural logarithm, not the RSA exponent), where B runs in time t' = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · T_f, and

1024 bits → t' ≤ 2^105, but NFS takes 2^80

2048 bits → t' ≤ 2^107, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

Goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme AS = (K, E, D), the game (shown as a challenger/adversary diagram on the slide) is:

Challenger: b ←$ {0,1}, (k_e, k_d) ←$ K(·); k_e is given to the adversary.

Adversary: may query a decryption oracle with any c, receiving m ← D_{k_d}(c) or ⊥ (CCA1: such queries only before the challenge).

Adversary: chooses (m_0, m_1) and sends them to the challenger.

Challenger: c* ← E_{k_e}(m_b), sends c* to the adversary.

Adversary: may keep querying the decryption oracle on any c ≠ c*, receiving m ← D_{k_d}(c) or ⊥ (CCA2), and finally outputs b'.

Adv^{ind-cca}_{AS}(A) = Pr[(m_0, m_1) ← A^D(k_e), c* ← E_{k_e}(m_b) : b' = b]

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from message space M.

From ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

Adv^{ow-cpa}_{AS}(A) = Pr[m ←$ M, c ← E_{k_e}(m) : A(k_e, c) = m]

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, n, k_0, k_1 integers such that n > k_0 + k_1, with

G: {0,1}^{k_0} → {0,1}^{n-k_0}

H: {0,1}^{n-k_0} → {0,1}^{k_0}

E(m, r): Compute x, y, then return c = f(x || y).

D(c): Compute x || y = f^{-1}(c), invert OAEP, then check redundancy.
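The slide leaves x and y unspecified; the following added example (not from the slides) fills them in with the construction of the cited Bellare-Rogaway 1994 paper, x = (m || 0^{k_1}) ⊕ G(r), y = r ⊕ H(x), and runs it over a toy RSA permutation with constructed, deliberately tiny parameters (n = 60, k_0 = k_1 = 20, fixed primes) so the redundancy check in D(c) can be exercised. G and H are modelled as domain-separated, truncated SHA-256 (the random-oracle stand-in assumed here).

```python
import hashlib
import secrets

# Toy f-OAEP parameters (constructed): n = 60 bits total, k0 = k1 = 20,
# so messages are n - k0 - k1 = 20 bits. Real deployments use far larger k0, k1.
N_BITS, K0, K1 = 60, 20, 20
MSG_BITS = N_BITS - K0 - K1

# Toy trapdoor permutation f = RSA on Z_N with fixed primes (constructed
# example key, far too small for real use). N has 63 bits, so every
# 60-bit padded block x||y is an element of Z_N and f is a permutation on it.
P, Q, E = 2147483647, 4294967291, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x):
    return pow(x, E, N)


def f_inv(c):
    return pow(c, D, N)


def _ro(label, value, in_bits, out_bits):
    # Random-oracle stand-in: domain-separated SHA-256, truncated to out_bits.
    data = label + value.to_bytes((in_bits + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - out_bits)


def G(r):  # G: {0,1}^k0 -> {0,1}^(n-k0)
    return _ro(b"G", r, K0, N_BITS - K0)


def H(x):  # H: {0,1}^(n-k0) -> {0,1}^k0
    return _ro(b"H", x, N_BITS - K0, K0)


def oaep_pad(m, r):
    """BR94 OAEP: x = (m || 0^k1) xor G(r), y = r xor H(x); returns x||y."""
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message too long for these parameters")
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return (x << K0) | y


def oaep_unpad(xy):
    """Invert OAEP and check the k1 zero bits of redundancy; None on failure."""
    x, y = xy >> K0, xy & ((1 << K0) - 1)
    r = y ^ H(x)
    padded = x ^ G(r)
    if padded & ((1 << K1) - 1):  # redundancy check failed: reject (⊥)
        return None
    return padded >> K1


def encrypt(m, r=None):
    """E(m, r) = f(x || y); r is drawn fresh unless supplied (for tests)."""
    if r is None:
        r = secrets.randbits(K0)
    return f(oaep_pad(m, r))


def decrypt(c):
    """D(c): x||y = f^{-1}(c), invert OAEP, check redundancy; None means ⊥."""
    if not 0 <= c < N:
        return None
    xy = f_inv(c)
    if xy >= (1 << N_BITS):  # not a valid n-bit OAEP block: reject
        return None
    return oaep_unpad(xy)
```

The last two checks in the test below are the point of the redundancy bits: a ciphertext derived from c by the multiplicative relation of plain RSA, or by flipping a bit, decrypts to ⊥ rather than to a related plaintext.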

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · √(Adv^{rsa}_{n,e}(B))

where B runs in time t' = 2 · t + q_H(2 · q_G + q_H) · k^2 if A runs in time t and makes q_H, q_G queries to oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t),

at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
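The exact-security arithmetic behind the FDH "Interpreting the Result" slides and the OAEP++ slide above, as an added example (not from the slides): it plugs the slides' adversary budget (2^75 operations, 2^55 hash/ideal-cipher queries, 2^30 signing queries) into each reduction's t' and compares it with the NFS cost the slides quote. T_f = k^3 is assumed for the slides' O(k^3); the NFS figures are constants taken from the slides, not computed.

```python
import math

# Feasible-adversary budget from the slides (constructed constants): 2^75
# operations, 2^55 hash / ideal-cipher queries, 2^30 signing queries.
T_OPS, Q_H, Q_S, Q_E = 2**75, 2**55, 2**30, 2**55

# Cost (log2) of inverting k-bit RSA with the Number Field Sieve, as quoted
# on the slides; this is "the best known attack" a useful reduction must beat.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_inversion_time(t, qh, qs, k):
    """Basic FDH reduction: t' = (qh + qs + 1) * (t + (qh + qs) * Tf), Tf = k^3."""
    tf = k ** 3  # time for one forward RSA evaluation, assumed k^3
    return (qh + qs + 1) * (t + (qh + qs) * tf)


def oaep_pp_inversion_time(t, qe, k):
    """OAEP++ reduction: t' = t + qE * k^2."""
    return t + qe * k * k


def bound_is_meaningful(t_prime, k):
    """The reduction says something only if the inverter it builds is cheaper
    than the best known attack; otherwise a feasible forger may still exist."""
    return math.log2(t_prime) <= NFS_LOG2[k]


def exact_security_table(reduction, *params):
    """Map key size -> (log2 of t', whether the bound rules out a forger)."""
    table = {}
    for k in sorted(NFS_LOG2):
        t_prime = reduction(*params, k)
        table[k] = (round(math.log2(t_prime), 1), bound_is_meaningful(t_prime, k))
    return table


if __name__ == "__main__":
    # Reproduces the slides: FDH needs 4096-bit keys, OAEP++ is fine from 1024.
    print("FDH   ", exact_security_table(fdh_inversion_time, T_OPS, Q_H, Q_S))
    print("OAEP++", exact_security_table(oaep_pp_inversion_time, T_OPS, Q_E))
```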

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used. Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

Concluding Remarks

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes for SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now (model, attacks, remodel)? Crypto as physics [Nguyen 12, Degabriele et al. 11].

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed,

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),

is fun :-)

                                                                                                              Concluding Remarks

                                                                                                              Acknowledgements and References

Thanks to ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

                                                                                                              Part VI

                                                                                                              References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology — CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

                                                                                                              • Introduction to Provable Security
                                                                                                              • Introduction
                                                                                                                • Introduction to Cryptography
                                                                                                                  • What Cryptography is about
                                                                                                                  • Classic Goals
                                                                                                                      • Provable Security
                                                                                                                        • Provable Security
                                                                                                                          • Provably Security The Short Story
                                                                                                                          • The need for Provable Security
                                                                                                                              • Reductions
                                                                                                                              • Security Notions
                                                                                                                                • Security Notions
                                                                                                                                  • Security Notion for Signature Schemes
                                                                                                                                  • Security Notion for Encryption Schemes
                                                                                                                                      • Concluding Remarks
                                                                                                                                        • Concluding Remarks
                                                                                                                                          • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (0/5)

(courtesy of [Pointcheval 2005])

Game G0: the real euf-cma game with a signing oracle and a random oracle, but we also provide a verification oracle Vf.

Verification oracle Vf(m, σ):

Return true if H(m) = f(σ). The game ends when the adversary sends (m, σ) here.

Let S0 be the event

"A outputs a pair (m, σ) for which Vf returns true"

Clearly $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but the oracles are simulated as below.

Hashing oracle H(q):

Create an initially empty list called H-List.

If (q, r) ∈ H-List, return r.

Otherwise reply using

Rule H(1): $r \xleftarrow{\$} X$ and add the record (q, r) to H-List.

Signing oracle S(m):

r ← H(m). Reply using

Rule S(1): $\sigma \leftarrow f^{-1}(r)$

Verification oracle Vf(m, σ):

r ← H(m). Return true if r = f(σ).

The game ends when this oracle is called. Let S1 be the event "Vf returns true in G1". Clearly $\Pr[S_1] = \Pr[S_0]$.

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

$c \xleftarrow{\$} \{1, \ldots, q_H + q_S + 1\}$

Let c' = the index of the first query in which the message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathrm{GoodGuess}] = \Pr[S_1 \mid \mathrm{GoodGuess}] \times \Pr[\mathrm{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_H + q_S + 1}$$

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3):

If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the value y placed at position c is uniformly distributed, $\Pr[S_3] = \Pr[S_2]$.

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

If this is the c-th query, set r ← y and s ← ⊥.

Otherwise choose random $s \xleftarrow{\$} X$ and compute r ← f(s).

Add the record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, $\Pr[S_4] = \Pr[S_3]$.

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, $\Pr[S_5] = \Pr[S_4]$. Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage of y;

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where B = G5 runs in time $t + (q_S + q_H)\,T_f$.

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
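As an added example (not from the tutorial or from Pointcheval's slides), here is the final game G5 written out as the reduction B, on a constructed toy RSA permutation standing in for f: B programs the random oracle with rule H(4), answers signing queries with rule S(5) and never uses $f^{-1}$; a constructed forger that cheats with the trapdoor d plays the role of A. Running B once for every possible guess c shows that exactly one guess (the index c' of the forgery message) yields a preimage of y, which is the $1/(q_H + q_S + 1)$ loss of the bound.

```python
"""Reduction B from game G5 of the FDH proof, on a toy RSA permutation.

B receives y and must output x with f(x) = y. It simulates the EUF-CMA game
for a forger A: hash queries follow rule H(4) (r = f(s) for a fresh s, except
the c-th new query, which is answered with y), signing queries follow rule
S(5) (look up s in H-List), so B never needs f^-1.
"""
import secrets

# Constructed toy RSA parameters: far too small for real use, fine for the game.
P, Q = 61, 53
N = P * Q      # 3233
E = 17
D = 2753       # E * D = 1 (mod (P-1)(Q-1))


def f(x):
    """Forward direction of the trapdoor permutation (RSA)."""
    return pow(x, E, N)


def f_inv(y):
    """Trapdoor inverse. Used ONLY by the stand-in forger, never by B."""
    return pow(y, D, N)


class ReductionB:
    """One-wayness adversary B: runs the G5 simulation around a forger."""

    def __init__(self, y, c):
        self.y = y          # one-wayness challenge
        self.c = c          # guessed index of the forgery message's hash query
        self.h_list = {}    # H-List of rule H(4): m -> (s, r)
        self.order = []     # messages in the order of their first hash query

    def hash_oracle(self, m):
        """Rule H(4): every hash value but the c-th has a known preimage s."""
        if m in self.h_list:
            return self.h_list[m][1]
        if len(self.order) + 1 == self.c:
            s, r = None, self.y        # embed the challenge; s = bottom
        else:
            s = secrets.randbelow(N)   # s <-$ X
            r = f(s)                   # uniform, since f is a permutation
        self.h_list[m] = (s, r)
        self.order.append(m)
        return r

    def sign_oracle(self, m):
        """Rule S(5): sigma = s from H-List; None means the simulation aborts."""
        self.hash_oracle(m)            # signing hashes m first (counts as a query)
        s, _ = self.h_list[m]
        return s                       # None: A asked to sign the c-th message

    def finish(self, m, sigma):
        """In-game verification oracle Vf; returns a preimage of y on success."""
        r = self.hash_oracle(m)        # the forgery message is hashed here if needed
        if r != f(sigma):
            return None                # Vf false: not a valid forgery
        if self.order.index(m) + 1 != self.c:
            return None                # valid forgery, but not on the embedded y
        return sigma                   # f(sigma) = H(m) = y


def stand_in_forger(B):
    """Constructed forger that always wins by cheating with the trapdoor d.

    It stands in for an arbitrary A; B only observes its oracle queries. Its
    forgery message "m4" is the 4th distinct message hashed, so c' = 4.
    """
    B.hash_oracle("m1")
    B.hash_oracle("m2")
    for m in ("m1", "m3"):
        sigma = B.sign_oracle(m)
        if sigma is None:
            return None                # B aborted the simulation
        if f(sigma) != B.hash_oracle(m):
            raise AssertionError("simulated signature does not verify")
    target = "m4"
    return target, f_inv(B.hash_oracle(target))


QH, QS = 3, 2   # direct hash queries ("m1", "m2", "m4") and signing queries above


def run_reduction(y, c):
    """One run of B with guess c; returns x with f(x) = y, or None."""
    B = ReductionB(y, c)
    forgery = stand_in_forger(B)
    if forgery is None:
        return None
    m, sigma = forgery
    return B.finish(m, sigma)


def preimages_over_all_guesses(y):
    """Run B once per guess c in {1, ..., QH + QS + 1}; exactly one succeeds."""
    found = []
    for c in range(1, QH + QS + 2):
        x = run_reduction(y, c)
        if x is not None:
            found.append(x)
    return found
```

With y = f(1234), preimages_over_all_guesses(y) returns [1234]: one success among the QH + QS + 1 = 6 possible guesses, while every simulated signature the forger receives verifies under the real Vf.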

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?



Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{FDH}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$, where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f = \mathrm{RSA}$:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{FDH}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries (here $e$ is the base of the natural logarithm, not the RSA exponent). Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption).

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

CCA2 is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between the Challenger and the Adversary is:

Challenger: $b \leftarrow_{\$} \{0,1\}$; $(k_e, k_d) \leftarrow_{\$} K(\cdot)$; sends $k_e$ to the Adversary.

Adversary (CCA1 phase, before the challenge): queries $c$ to the decryption oracle and receives $m \leftarrow D_{k_d}(c)$ or $\bot$ (repeated as desired).

Adversary: chooses $m_0, m_1$ and sends them to the Challenger.

Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$ to the Adversary.

Adversary (CCA2 phase, after the challenge): queries $c \neq c^*$ to the decryption oracle and receives $m \leftarrow D_{k_d}(c)$ or $\bot$.

Adversary: outputs a guess $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b)\ :\ b' = b\,\big]$

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\big[\, m \leftarrow_{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,\big]$


Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$

$H : \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
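The slide leaves the computation of $x, y$ to its figure; the standard OAEP transform of [Bellare-Rogaway 1994] is $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$. The following is an added Python example, not code from the slides, that implements $E$ and $D$ with this transform; it assumes $n = 144$, $k_0 = k_1 = 32$ bits, SHA-256-based instantiations of $G$ and $H$, and a constructed textbook-RSA permutation $f$ over a 150-bit toy modulus (not a real key).

```python
# Added example: toy f-OAEP with the structure the slide describes.
# Assumptions (mine, not the slides'): n = 144, k0 = k1 = 32 bits; G and H are
# SHA-256 based; f is textbook RSA over a constructed 150-bit toy modulus.
import hashlib
import secrets

N_BITS, K0_BITS, K1_BITS = 144, 32, 32          # n > k0 + k1, as required
N_BYTES, K0_BYTES, K1_BYTES = N_BITS // 8, K0_BITS // 8, K1_BITS // 8
MSG_BYTES = N_BYTES - K0_BYTES - K1_BYTES       # 10-byte messages

# Constructed trapdoor permutation f(x) = x^e mod N (textbook RSA).  p, q are
# the Mersenne primes 2^61-1 and 2^89-1, so N has 150 bits and every 144-bit
# block x||y lies in Z_N.  Illustration only, NOT a usable key.
RSA_P, RSA_Q = (1 << 61) - 1, (1 << 89) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def f(x: int) -> int:
    """Forward (public) direction."""
    return pow(x, RSA_E, RSA_N)

def f_inv(c: int) -> int:
    """Trapdoor direction: needs the secret exponent."""
    return pow(c, RSA_D, RSA_N)

def mask(seed: bytes, label: bytes, out_len: int) -> bytes:
    """Counter-mode SHA-256 expansion (MGF1-style); instantiates G and H."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

def G(r: bytes) -> bytes:
    """G : {0,1}^k0 -> {0,1}^(n-k0)."""
    assert len(r) == K0_BYTES
    return mask(r, b"G", N_BYTES - K0_BYTES)

def H(x: bytes) -> bytes:
    """H : {0,1}^(n-k0) -> {0,1}^k0."""
    assert len(x) == N_BYTES - K0_BYTES
    return mask(x, b"H", K0_BYTES)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def oaep_pad(m: bytes, r: bytes) -> bytes:
    """x = (m || 0^k1) xor G(r);  y = r xor H(x);  returns the n-bit block x||y."""
    assert len(m) == MSG_BYTES and len(r) == K0_BYTES
    x = xor_bytes(m + bytes(K1_BYTES), G(r))
    y = xor_bytes(r, H(x))
    return x + y

def oaep_unpad(xy: bytes):
    """Invert OAEP and check the k1 redundancy bits; None on any failure."""
    if len(xy) != N_BYTES:
        return None
    x, y = xy[:N_BYTES - K0_BYTES], xy[N_BYTES - K0_BYTES:]
    r = xor_bytes(y, H(x))
    mz = xor_bytes(x, G(r))
    m, z = mz[:MSG_BYTES], mz[MSG_BYTES:]
    # Every rejection is the same None: a decryption oracle that reported
    # *which* check failed would leak more than the IND-CCA game allows.
    if z != bytes(K1_BYTES):
        return None
    return m

def encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r) = f(x || y); draws a fresh random r unless one is supplied."""
    if r is None:
        r = secrets.token_bytes(K0_BYTES)
    return f(int.from_bytes(oaep_pad(m, r), "big"))

def decrypt(c: int):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy (None = reject)."""
    if not 0 <= c < RSA_N:
        return None
    xy = f_inv(c)
    if xy >> N_BITS:                 # f^-1(c) is not an n-bit block: reject
        return None
    return oaep_unpad(xy.to_bytes(N_BYTES, "big"))

def pad_with_bad_redundancy(m: bytes, r: bytes) -> bytes:
    """Constructed block that unmasks to the right r but has a non-zero 0^k1
    field, so D rejects it deterministically (arbitrary tampering is only
    rejected with probability 1 - 2^-k1)."""
    xy = oaep_pad(m, r)
    x = bytearray(xy[:N_BYTES - K0_BYTES])
    x[-1] ^= 0x01                    # flip a bit inside the 0^k1 field of x
    x = bytes(x)
    return x + xor_bytes(r, H(x))    # recompute y so r is recovered intact

if __name__ == "__main__":
    msg, r = b"ten bytes!", bytes(range(4))         # constructed sample input
    print("roundtrip ok:", decrypt(encrypt(msg, r)) == msg)
    bad = pad_with_bad_redundancy(msg, r)
    print("bad redundancy rejected:", decrypt(f(int.from_bytes(bad, "big"))) is None)
```

Because $f$ is a permutation and $y$ depends on $r$, two encryptions of the same message under different $r$ always give different ciphertexts, which is exactly the randomisation that textbook RSA lacks.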


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{RSA\text{-}OAEP}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H\,(2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


                                                                                                                Revisiting the Assumptions

                                                                                                                Classical Assumptions

                                                                                                                Integer Factoring

                                                                                                                Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                                                                Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in Finite Fields, and they are all subject to quantum attacks.

                                                                                                                Alternatives Post-Quantum Cryptography

                                                                                                                Error-Correcting Codes

                                                                                                                Hash-based schemes

                                                                                                                Systems of Multi-Variate Equations

                                                                                                                Lattices


                                                                                                                Concluding Remarks

                                                                                                                Part V

                                                                                                                Concluding Remarks


                                                                                                                Limits and Benefits of Provable Security

                                                                                                                Provably security does not yield proofs

                                                                                                                Proofs are relative (to computational assumptions) and to thedefinition of the schemersquos goal

                                                                                                                Proofs often done in ideal models (Random Oracle ModelIdeal Cipher Model Generic Group Model) with debatablemeaning [Canetti 98 04] [Coron 08 Holenstein et al 11]

                                                                                                                Definitions (models) need time for review and acceptance

                                                                                                                Example proofs for several modes for SSH authenticatedencryption [Bellare-Kohno-Namprempre 04] then (one mode)attacked [Albrecht 09] then proofs (for the other mode) in abetter model [Paterson et al 10]Are we back in time now with model attacks remodelCrypto as physics [Nguyen 12 Degabriele et al 11]

                                                                                                                6477

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
      • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (1/5)

Game G1: as G0, but oracles are simulated as below.

Hashing oracle H(q):
Create an initially empty list called H-List.
If (q, r) ∈ H-List, return r.
Otherwise, reply using
Rule H(1): r ←$ X, and add record (q, r) to H-List.

Signing oracle S(m):
r ← H(m). Reply using
Rule S(1): σ ← f^-1(r).

Verification oracle Vf(m, σ):
r ← H(m). Return true if r = f(σ).

Game ends when the verification oracle is called. Let S1 be the event "Vf returns true in G1". Clearly Pr[S1] = Pr[S0].

42/77

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where
c ←$ {1, ..., qH + qS + 1}
Let c' = index of the first query where message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.
If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query its output message m.

Pr[S2] = Pr[S1 ∧ GoodGuess]
       = Pr[S1 | GoodGuess] × Pr[GoodGuess]
       ≥ Pr[S1] × 1/(qH + qS + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.
Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3):
If this is the c-th query, set r ← y. Otherwise, choose random r. Add record (q, ⊥, r) to H-List.

Since y is chosen uniformly at random, Pr[S3] = Pr[S2].

44/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
If this is the c-th query, set r ← y and s ← ⊥.
Otherwise, choose random s ←$ X and compute r ← f(s).
Add record (q, s, r) to H-List.

Since y is random, f is a permutation, and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^-1.

Rule S(5):
Lookup (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4].

Moreover:
the simulation can be done computing (qS + qH) evaluations of f;
a signature forgery for y gives a preimage for y;
Pr[S5] = Adv^owf(B), where B = G5 runs in time t + (qS + qH)·Tf.

46/77


Exact Security: FDH Signatures & Game-based proofs (conclusion)

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{owf}}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1}\,\Pr[S_1] \ge \frac{1}{q_H + q_S + 1}\,\Pr[S_0] = \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
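The simulation of games G5 and its conclusion can be made concrete. The following is an added example, not code from the slides: a toy FDH scheme over a constructed RSA instance with tiny primes (SHA-256 reduced into $\mathbb{Z}_N$ stands in for the full-domain hash), plus the reduction $B$ as a class that answers hash and signing queries exactly as rule S(5) prescribes, without ever calling $f^{-1}$. All names (`f`, `f_inv`, `FDHSimulator`, `run_simulation`) are ours. The scripted adversary in `run_simulation` hashes four messages, asks for signatures on three of them, and then forges on the one that received the challenge $y$; to exercise the extraction step it is allowed to use the trapdoor, which a real forger would not have.

```python
"""Toy FDH signatures and the reduction's simulator from game G5.

Constructed illustration: the trapdoor permutation is an RSA instance with
tiny primes, and SHA-256 reduced into Z_N stands in for a full-domain hash.
All names here (f, f_inv, FDHSimulator, run_simulation, ...) are ours.
"""
import hashlib
import secrets

# Constructed toy trapdoor permutation: RSA with (insecurely) small primes.
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # the trapdoor (needs Python 3.8+)


def f(x: int) -> int:
    """Forward direction, public; one evaluation costs T_f."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Inverse direction; needs the trapdoor D."""
    return pow(y, D, N)


def H(m: bytes) -> int:
    """Stand-in for the full-domain hash: SHA-256 reduced into Z_N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def fdh_sign(m: bytes) -> int:
    """The real signer: sigma = f^{-1}(H(m))."""
    return f_inv(H(m))


def fdh_verify(m: bytes, sigma: int, hash_fn=H) -> bool:
    """Verification only evaluates f forward; hash_fn lets us plug in a simulated RO."""
    return f(sigma) == hash_fn(m)


class FDHSimulator:
    """The reduction B in game G5: answers A's oracle queries without f_inv.

    Every hash query except the c-th is answered with r = f(s) for a fresh
    random s, so the triple (m, s, r) goes into H-List and a signing query on m
    is answered by rule S(5): look up s.  The c-th query is answered with the
    challenge y, whose preimage B is trying to find.
    """

    def __init__(self, y: int, c: int):
        self.y = y                 # challenge y = f(s*), s* unknown to B
        self.c = c                 # B's guess of which hash query the forgery uses
        self.h_list = {}           # m -> (s, r); s is None for the c-th query
        self.distinct_queries = 0
        self.f_evaluations = 0     # work B spends: at most (q_S + q_H) evaluations of f

    def hash_oracle(self, m: bytes) -> int:
        if m not in self.h_list:
            self.distinct_queries += 1
            if self.distinct_queries == self.c:
                self.h_list[m] = (None, self.y)
            else:
                s = secrets.randbelow(N)
                self.f_evaluations += 1
                # f is a permutation, so f(s) is uniform, exactly like a real RO answer
                self.h_list[m] = (s, f(s))
        return self.h_list[m][1]

    def sign_oracle(self, m: bytes) -> int:
        self.hash_oracle(m)                  # make sure (m, s, r) is in H-List
        s, _ = self.h_list[m]
        if s is None:
            # A asked for a signature on the c-th message: B's guess was wrong
            raise RuntimeError("bad guess of c: cannot sign the challenge message")
        return s                             # rule S(5): a lookup, no f_inv needed

    def extract_preimage(self, m: bytes, sigma: int):
        """A valid forgery on the message that received y is a preimage of y."""
        if m in self.h_list and self.h_list[m][1] == self.y and f(sigma) == self.y:
            return sigma
        return None


def run_simulation() -> dict:
    """Drive the simulator with a scripted adversary and report what B obtains."""
    s_star = secrets.randbelow(N)
    y = f(s_star)                            # the one-wayness challenge handed to B
    sim = FDHSimulator(y, c=3)
    msgs = [b"invoice-1", b"invoice-2", b"invoice-3", b"invoice-4"]   # constructed
    # A hashes four messages; the third one is answered with the challenge y.
    for m in msgs:
        sim.hash_oracle(m)
    # A asks signatures for all but the third; they verify against the simulated RO.
    sigs = {m: sim.sign_oracle(m) for m in msgs if m != msgs[2]}
    all_valid = all(fdh_verify(m, s, hash_fn=sim.hash_oracle) for m, s in sigs.items())
    # Stand-in forger: it uses the trapdoor (which a real A does not have) only so
    # that the extraction path is exercised; B itself never calls f_inv.
    forgery = f_inv(sim.hash_oracle(msgs[2]))
    preimage = sim.extract_preimage(msgs[2], forgery)
    return {"simulated_sigs_valid": all_valid,
            "preimage_recovered": preimage == s_star,
            "f_evaluations": sim.f_evaluations}
```

`f_evaluations` is the bookkeeping behind "$B$ runs in time $t + (q_S + q_H)\,T_f$": the simulator pays one forward evaluation per fresh hash query and nothing extra per signing query, and a wrong guess of $c$ surfaces as the abort in `sign_oracle`, which is where the $1/(q_H + q_S + 1)$ factor of the conclusion slide comes from.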

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = \mathrm{RSA}$). For each adversary $A$ there exists an adversary $B$ such that
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where
- $A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
$B$ runs in time $t' = t + (q_h + q_s)\cdot T_f$.

The result now says:

Interpreting the Result
If one can break the scheme with time $t$, then one can invert $f$ within time
$$t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s)\cdot T_f\big) \le 2^{130} + 2^{110}\cdot T_f.$$

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time
$$t' \le 2^{130} + 2^{110}\cdot T_f.$$
Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:
- 1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
- 4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and
- 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
- 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$ (ok)
- 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:
Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model
- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the adversary; on receiving $(m_0, m_1)$ computes $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$ and returns $c^*$.

Adversary: receives $k_e$; may ask decryption queries $c \to m$ or $\bot$, answered as $m \leftarrow \mathcal{D}_{k_d}(c)$; sends $m_0, m_1$; receives $c^*$; may ask further decryption queries $c \ne c^*$, again answered as $m \leftarrow \mathcal{D}_{k_d}(c)$; finally outputs $b'$.

CCA1: decryption queries only before the challenge $c^*$. CCA2: decryption queries also after the challenge, on any $c \ne c^*$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' = b\big]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
- Let $m$ be a random message chosen from the message space $M$.
- From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is one-way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as
$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} M;\ c \leftarrow \mathcal{E}_{k_e}(m) \,:\, A(k_e, c) = m\big]$$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
- OW-CPA = RSA (modular e-th roots)
- It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
- OW-CPA = CDH (Computational Diffie-Hellman)
- IND-CPA = DDH (Decisional Diffie-Hellman)
- It's not IND-CCA, because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
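The IND-CCA game of slide 54 and the remark above that ElGamal fails it because of multiplicativity can be run as code. This is an added example, not the slides' code: `ind_cca2_success_rate` plays the challenger of the slide (it hands out $k_e$, receives $(m_0, m_1)$, encrypts $m_b$, and serves a decryption oracle that refuses only $c^*$), and two adversaries are played against textbook ElGamal over a constructed toy group ($\mathbb{Z}_p^*$ for $p = 2^{31}-1$, generator 7, far too small for real use). `GuessingAdversary` gets $\Pr[b'=b] \approx 1/2$; `MalleabilityAdversary` multiplies the second component of $c^*$ by $g$, obtains a ciphertext $c' \ne c^*$ that the CCA2 oracle is obliged to decrypt, and recovers $m_b$ exactly. All class and function names are ours.

```python
"""The IND-CCA2 game as a runnable harness, played against toy ElGamal.

Constructed illustration, not the slides' code.  The group is Z_p^* for the
Mersenne prime p = 2^31 - 1 with primitive root 7 (far too small for real use);
names (ElGamal, ind_cca2_success_rate, MalleabilityAdversary, ...) are ours.
"""
import random

P = 2**31 - 1      # prime modulus (constructed, insecure size)
G = 7              # primitive root mod P


class ElGamal:
    """Textbook ElGamal over Z_p^*: IND-CPA under DDH, but malleable."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.x = rng.randrange(1, P - 1)          # decryption key k_d
        self.h = pow(G, self.x, P)                # encryption key k_e

    def encrypt(self, m: int) -> tuple:
        r = self.rng.randrange(1, P - 1)
        return pow(G, r, P), m * pow(self.h, r, P) % P

    def decrypt(self, c: tuple) -> int:
        c1, c2 = c
        return c2 * pow(c1, P - 1 - self.x, P) % P   # c1^{-x} via Fermat


def roundtrip_ok(m: int, seed: int = 3) -> bool:
    scheme = ElGamal(random.Random(seed))
    return scheme.decrypt(scheme.encrypt(m)) == m


def ind_cca2_success_rate(scheme_factory, adversary_factory, trials: int, seed: int = 1) -> float:
    """Runs the game of the slide `trials` times and returns Pr[b' = b].

    The decryption oracle is available before and after the challenge (CCA2)
    and refuses only the challenge ciphertext c* itself, answering None (the
    slide's bottom symbol).  2*Pr[b' = b] - 1 would be the normalised advantage.
    """
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        scheme = scheme_factory(rng)
        challenge = {"c": None}

        def dec_oracle(c):
            if c == challenge["c"]:
                return None
            return scheme.decrypt(c)

        adv = adversary_factory(rng)
        m0, m1 = adv.choose(scheme.h, dec_oracle)
        b = rng.randrange(2)
        challenge["c"] = scheme.encrypt((m0, m1)[b])
        b_guess = adv.guess(scheme.h, challenge["c"], dec_oracle)
        wins += int(b_guess == b)
    return wins / trials


class GuessingAdversary:
    """Baseline: ignores everything and flips a coin, so Pr[b' = b] is about 1/2."""

    def __init__(self, rng):
        self.rng = rng

    def choose(self, ke, dec):
        return 2, 3

    def guess(self, ke, c_star, dec):
        return self.rng.randrange(2)


class MalleabilityAdversary:
    """Uses the multiplicativity the slide mentions: (c1, c2 * g) encrypts m * g.

    The mauled ciphertext differs from c*, so the CCA2 oracle decrypts it, and
    dividing the answer by g reveals m_b.
    """

    def __init__(self, rng):
        self.m0, self.m1 = 2, 3

    def choose(self, ke, dec):
        return self.m0, self.m1

    def guess(self, ke, c_star, dec):
        c1, c2 = c_star
        m_times_g = dec((c1, c2 * G % P))          # c' != c*, so the oracle answers
        m = m_times_g * pow(G, P - 2, P) % P       # divide by g
        return 0 if m == self.m0 else 1
```

The harness is scheme-agnostic: any object with `h`, `encrypt` and `decrypt` can be plugged in, which is the point of defining security as a game rather than as a property of one construction. Note that the same adversary gets nothing from the CCA1 variant, where the oracle is gone once $c^*$ is issued.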

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
- Any trapdoor one-way function may yield an OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?
Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with
$$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}, \qquad H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}.$$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \| y)$.
$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
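The slide leaves the computation of $x$ and $y$ to a figure; the following added example (not the slides' code) carries the standard OAEP transform through, $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, and implements $\mathcal{D}$ with the redundancy check. Sizes are constructed toy values ($n = 32$, $k_0 = k_1 = 8$ bits) chosen so that $x \| y$ fits below the modulus of a tiny RSA instance used as $f$; $G$ and $H$ are truncated SHA-256 with distinct prefixes. All names (`oaep_pad`, `oaep_unpad`, `encrypt`, `decrypt`, `tamper_rejection_rate`) are ours.

```python
"""f-OAEP padding with the redundancy check, over a toy trapdoor permutation.

Constructed illustration, not the slides' code.  Parameters n = 32, k0 = k1 = 8
bits are toy sizes chosen so that x||y fits below the modulus of a tiny RSA
instance; G and H are built from SHA-256.  Names (oaep_pad, oaep_unpad,
encrypt, decrypt, tamper_rejection_rate) are ours.
"""
import hashlib
import secrets

N_BYTES, K0, K1 = 4, 1, 1                 # n = 32 bits, k0 = 8, k1 = 8 (toy sizes)
MSG_LEN = N_BYTES - K0 - K1               # m has n - k0 - k1 bits = 2 bytes

# Constructed toy trapdoor permutation f: RSA with small primes; N > 2^32, so
# every 32-bit x||y is a valid input.
P, Q, E = 1_000_003, 1_000_033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(v: int) -> int:
    return pow(v, E, N)


def f_inv(v: int) -> int:
    return pow(v, D, N)


def G(r: bytes) -> bytes:                 # {0,1}^{k0} -> {0,1}^{n-k0}
    return hashlib.sha256(b"G|" + r).digest()[:N_BYTES - K0]


def H(x: bytes) -> bytes:                 # {0,1}^{n-k0} -> {0,1}^{k0}
    return hashlib.sha256(b"H|" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """Two Feistel-like rounds: x hides m (plus k1 zero bits), y hides r."""
    x = xor(m + b"\x00" * K1, G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy: bytes):
    """Invert OAEP and check the redundancy; None means reject."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    if padded[MSG_LEN:] != b"\x00" * K1:
        return None
    return padded[:MSG_LEN]


def encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r): compute x, y, then return c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly n - k0 - k1 bits")
    r = secrets.token_bytes(K0) if r is None else r
    return f(int.from_bytes(oaep_pad(m, r), "big"))


def decrypt(c: int):
    """D(c): x || y = f^{-1}(c), invert OAEP, check redundancy (None = reject)."""
    v = f_inv(c)
    if v >= 1 << (8 * N_BYTES):            # not an n-bit x||y at all: reject
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))


def tamper_rejection_rate(trials: int) -> float:
    """Fraction of multiplicatively mauled ciphertexts c * f(2) that D rejects.

    With only k1 = 8 redundancy bits a mauled ciphertext slips through about
    1/256 of the time; a real deployment uses k1 = 128 or more.
    """
    rejected = 0
    for _ in range(trials):
        c = encrypt(b"\x13\x37")                   # constructed plaintext
        if decrypt(c * f(2) % N) is None:
            rejected += 1
    return rejected / trials
```

`tamper_rejection_rate` is the same multiplicativity that breaks IND-CCA for textbook ElGamal and raw RSA: multiplying $c$ by $f(2)$ yields $f(2 \cdot (x \| y))$, but after $G$ and $H$ are undone the $k_1$ zero bits are no longer there, so $\mathcal{D}$ returns $\bot$ and the decryption oracle gives the adversary nothing.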

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is
$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$
where $B$ runs in time $t' = 2\cdot t + q_H(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6\cdot 2^{110}\,k^2 \le 2^{113}\cdot k^2$, and
- 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$ (no)
- 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$ (no)
- 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound
The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and
- 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$ (ok)
- 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$ (ok)
- 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$ (ok)

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions

• Integer Factoring
• Discrete Logarithm (in Finite Fields and in Elliptic Curves)
• Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

• Error-Correcting Codes
• Hash-based schemes
• Systems of Multi-Variate Equations
• Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

• Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance.
• Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

• provides some form of guarantee that the scheme is not flawed,
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,
• gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),
• is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
      • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Exact Security: FDH Sigs & Game-based proofs (2/5)

Game G2: as G1, but where

  c ←$ {1, ..., q_H + q_S + 1}

Let c' = index of the first query where message m' (the one for which A outputs a forgery) was sent to the hashing oracle by A.

If c ≠ c' then abort.

Success verification is within the game ⇒ the adversary must query its output message m' to the hashing oracle.

  Pr[S2] = Pr[S1 ∧ GoodGuess]
         = Pr[S1 | GoodGuess] × Pr[GoodGuess]
         ≥ Pr[S1] × 1/(q_H + q_S + 1)

43/77

Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x by f.

Rule H(3):
  If this is the c-th query, set r ← y. Otherwise choose r at random.
  Add record (q, ⊥, r) to H-List.

Since the challenge y is uniformly distributed, the programmed value is distributed exactly like a random oracle answer, so Pr[S3] = Pr[S2].

44/77

Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):
  If this is the c-th query, set r ← y and s ← ⊥.
  Otherwise choose random s ←$ X and compute r ← f(s).
  Add record (q, s, r) to H-List.

Since y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].

45/77


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^(-1).

Rule S(5):
  Lookup (m, s, r) in H-List and set σ ← s.

Since the message of the c-th (hash) query cannot be asked to the signing oracle, Pr[S5] = Pr[S4].

Moreover:

• the simulation can be done computing (q_S + q_H) evaluations of f,
• a signature forgery for y gives a preimage for y.

  Pr[S5] = Adv^ow_f(B)

where B = G5 runs in time t + (q_S + q_H) · T_f.

46/77


                                                                                                                    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\ \ge\ \frac{1}{q_H + q_S + 1}\,\Pr[S_1]
\ \ge\ \frac{1}{q_H + q_S + 1}\,\Pr[S_0]
\ =\ \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
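The simulator B of game G5 above (the H-List with known preimages, the lookup rule S(5), the guess c, and the extraction of f^{-1}(y) from the forgery), as an added runnable example that is not part of the deck. It uses a toy RSA with constructed small primes as the one-way permutation f. The forger is a stand-in: no real EUF-CMA forger is known (that is the theorem), so this one cheats with the trapdoor only to manufacture a forgery, and B never touches f_inv. The class and function names (FdhSimulator, stand_in_forger, run_reduction) are ours.

```python
import secrets

# Toy RSA as the one-way permutation f: constructed small primes, deliberately insecure.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def f(x):
    return pow(x, E, N)

def f_inv(c):          # the trapdoor: used only by the stand-in forger, never by B
    return pow(c, D, N)

class FdhSimulator:
    """B of game G5: answers the H and Sign oracles of an FDH forger without f^-1.
    Its guess c picks which distinct H query receives the challenge y; every other
    H(m) is set to f(s) for a known s, so Sign(m) is a lookup in the H-List (Rule S(5))."""

    def __init__(self, y, c):
        self.y, self.c = y, c
        self.h_list = {}          # m -> (s, H(m)); s is None only for the c-th query
        self.signed = set()
        self.distinct_queries = 0
        self.f_evals = 0          # the simulation costs at most (q_H + q_S) evaluations of f

    def hash(self, m):
        if m not in self.h_list:
            self.distinct_queries += 1
            if self.distinct_queries == self.c:
                self.h_list[m] = (None, self.y)             # embed the challenge y
            else:
                s = secrets.randbelow(N - 1) + 1
                self.f_evals += 1
                self.h_list[m] = (s, f(s))                  # f(s) is uniform, like a RO output
        return self.h_list[m][1]

    def sign(self, m):
        self.hash(m)
        s, _ = self.h_list[m]
        if s is None:
            # The forger asked for a signature on the c-th message: the guess was wrong
            # (the forgery must be on a fresh message), so B aborts.
            raise RuntimeError("wrong guess of c: cannot sign the challenge message")
        self.signed.add(m)
        return s

    def extract(self, m, sigma):
        """Turn a valid forgery (m, sigma) on the c-th message into x = f^-1(y)."""
        h = self.hash(m)                       # wlog the forged message was queried to H
        self.f_evals += 1
        if m in self.signed or f(sigma) != h:
            return None                        # not a valid forgery
        s, _ = self.h_list[m]
        return sigma if s is None else None    # f(sigma) = y only for the c-th message

def stand_in_forger(H, Sign, target):
    """Plays the hypothetical forger A: 4 H queries, 1 Sign query, then a forgery on the
    target-th message it hashed, manufactured with the trapdoor (which B does not see)."""
    msgs = [b"m1", b"m2", b"m3", b"m4"]
    hashes = [H(m) for m in msgs]
    Sign(msgs[0])
    return msgs[target - 1], f_inv(hashes[target - 1])

def run_reduction(c, target=3):
    """Returns (x, x_found, f_evals): x_found == x exactly when B's guess c equals target."""
    x = secrets.randbelow(N - 1) + 1
    B = FdhSimulator(f(x), c)
    try:
        m_star, sigma = stand_in_forger(B.hash, B.sign, target)
    except RuntimeError:
        return x, None, B.f_evals
    return x, B.extract(m_star, sigma), B.f_evals

def reduction_succeeds(c, target=3):
    x, found, _ = run_reduction(c, target)
    return found == x

if __name__ == "__main__":
    for c in (1, 2, 3, 4):
        print(f"guess c={c}: preimage recovered = {reduction_succeeds(c)}")
```

Only the run with c equal to the index of the forged message recovers x; a guess on a message that is later signed makes B abort, and a guess on any other message yields a forgery whose preimage B already knew. That is the 1/(q_H + q_S + 1) loss in the bound above, and the f_evals counter shows the (q_S + q_H) forward evaluations charged to B.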

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)
$$

where
A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries,
T_f is the time to compute f (in the forward direction), and
B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are
at most 2^75 operations (t),
at most 2^55 hash queries (q_h), and
at most 2^30 signing queries (q_s).

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B),
\qquad B \text{ runs in time } t' = t + (q_h + q_s)\cdot T_f
$$

The result now says:

Interpreting the Result
If one can break the scheme in time t, then one can invert f within time

$$
t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s)\cdot T_f\big) \le 2^{130} + 2^{110}\cdot T_f
$$

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$$
t' \le 2^{130} + 2^{110}\cdot T_f
$$

Recall that T_f = O(k^3) bit operations for k = |n| (the cost of a generic modular exponentiation; with e small the forward direction is only O(k^2), which is what the later slides charge).

We compare it with known bounds on inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → t' ≤ 2^140, but NFS takes 2^80: no
2048 bits → t' ≤ 2^143, but NFS takes 2^111: no
4096 bits → t' ≤ 2^146, but NFS takes 2^149: ok

⇒ RSA-FDH is secure (by this reduction) for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)
$$

where B runs in time t' = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries. Here e ≈ 2.718 is the base of the natural logarithm, not the RSA exponent; note that the loss no longer depends on q_h.

Inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · T_f (dropping the constant e), and with T_f = k^2:

1024 bits → t' ≈ 2^105 + 2^105 = 2^106, but NFS takes 2^80: no
2048 bits → t' ≈ 2^107, but NFS takes 2^111: ok
4096 bits → t' ≈ 2^109, but NFS takes 2^149: ok

⇒ RSA-FDH is secure (by this reduction) for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong. Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally
Given the ciphertext and the encryption key, the adversary cannot tell apart the encryptions of two different messages of the same length, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game is:

Challenger: b ←$ {0,1}; (k_e, k_d) ←$ K(·); sends k_e to the Adversary.
Adversary (CCA1 phase, before the challenge): sends any c, receives m ← D_{k_d}(c) (or ⊥).
Adversary: chooses m_0, m_1 and sends them. Challenger: c* ← E_{k_e}(m_b); returns c*.
Adversary (CCA2 phase, after the challenge): sends any c ≠ c*, receives m ← D_{k_d}(c) (or ⊥).
Adversary: outputs b'.

$$
\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*)\ :\ b' = b\,\big]
$$

(Indistinguishability against chosen-ciphertext attacks.)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:
Let m be a random message chosen from the message space M.
From the ciphertext c = E_{k_e}(m), the adversary A must recover m.

A scheme AS is one-way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as

$$
\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,\big]
$$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA ⇔ the RSA problem (computing modular e-th roots).
It is neither IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 84]
OW-CPA ⇔ CDH (Computational Diffie-Hellman);
IND-CPA ⇔ DDH (Decisional Diffie-Hellman).
It is not IND-CCA, because of its multiplicativity (malleability).

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog: an algorithm for DLog solves CDH, and one for CDH solves DDH).

56/77
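The IND-CCA2 game of the previous slides, run against textbook RSA and ElGamal, as an added example that is not from the deck (toy parameters constructed here, deliberately insecure). The first adversary never uses the decryption oracle and still wins by re-encrypting both candidates, which is the determinism failure noted above; the second wins by re-randomizing c* through the oracle, the multiplicativity failure. Class and function names are ours.

```python
import secrets

# Toy textbook RSA, constructed small primes (deliberately insecure; illustration only)
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
RSA_PK, RSA_SK = (N, E), (N, D)

def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)            # deterministic: the same m always gives the same c

def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)

# Toy ElGamal in Z_p^* (p a constructed prime, g = 2; any g works for the malleability attack)
P_EG, G_EG = 1000003, 2

def eg_keygen():
    x = secrets.randbelow(P_EG - 2) + 1
    return (P_EG, G_EG, pow(G_EG, x, P_EG)), (P_EG, x)

def eg_enc(pk, m):
    p, g, h = pk
    r = secrets.randbelow(p - 2) + 1
    return (pow(g, r, p), m * pow(h, r, p) % p)

def eg_dec(sk, c):
    p, x = sk
    c1, c2 = c
    return c2 * pow(c1, -x, p) % p

EG_PK, EG_SK = eg_keygen()

class IndCca2Game:
    """Challenger of the IND-CCA2 game on the slide: A gets k_e, picks (m0, m1), receives
    c* = E_ke(m_b) and may query D_kd on anything except c*, before and after the challenge."""

    def __init__(self, pk, sk, enc, dec):
        self.pk, self._sk, self._enc, self._dec = pk, sk, enc, dec
        self._b = secrets.randbits(1)
        self.c_star = None

    def challenge(self, m0, m1):
        assert self.c_star is None, "one challenge per game"
        self.c_star = self._enc(self.pk, (m0, m1)[self._b])
        return self.c_star

    def decrypt(self, c):
        if c == self.c_star:
            return None                       # the one forbidden query: bot
        return self._dec(self._sk, c)

    def finish(self, b_guess):
        return b_guess == self._b

def win_rate(adversary, pk, sk, enc, dec, trials=64):
    """Estimates Pr[b' = b], the advantage as defined on the slide (1/2 means guessing)."""
    wins = sum(adversary(IndCca2Game(pk, sk, enc, dec)) for _ in range(trials))
    return wins / trials

def rsa_determinism_adversary(game):
    """Never touches the decryption oracle (so this is already a CPA attack): textbook RSA
    is deterministic, so re-encrypting the two candidates identifies b."""
    m0, m1 = 2, 3
    c_star = game.challenge(m0, m1)
    return game.finish(0 if rsa_enc(game.pk, m0) == c_star else 1)

def elgamal_malleability_adversary(game):
    """CCA2 attack from multiplicativity: (c1, 2*c2) != c* and decrypts to 2*m_b."""
    p = game.pk[0]
    m0, m1 = 2, 3
    c1, c2 = game.challenge(m0, m1)
    two_mb = game.decrypt((c1, 2 * c2 % p))   # allowed: it differs from c*
    return game.finish(0 if two_mb == 2 * m0 % p else 1)

if __name__ == "__main__":
    print("RSA, CPA adversary:      ", win_rate(rsa_determinism_adversary, RSA_PK, RSA_SK, rsa_enc, rsa_dec))
    print("ElGamal, CCA2 adversary: ", win_rate(elgamal_malleability_adversary, EG_PK, EG_SK, eg_enc, eg_dec))
```

Both adversaries reach Pr[b' = b] = 1. The ElGamal attack needs only one decryption query and respects the c ≠ c* rule, which is exactly why the rule alone does not help a malleable scheme; the RSA attack shows that a deterministic scheme fails even the CPA version of the game.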

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
Any trapdoor one-way function may yield an OW-CPA encryption scheme.
OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Through generic conversions from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with
G: {0,1}^{k0} → {0,1}^{n−k0}
H: {0,1}^{n−k0} → {0,1}^{k0}

E(m, r): compute x, y, then return c = f(x||y).
D(c): compute x||y = f^{-1}(c), invert OAEP, then check the redundancy.

58/77
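An added implementation of f-OAEP, not the deck's code. The slide leaves x and y implicit; they are the standard Bellare-Rogaway 1994 transform x = (m || 0^{k1}) ⊕ G(r), y = r ⊕ H(x). G and H are instantiated with SHA-256 here (an assumption; the slides only fix their domains, treating them as random oracles), and f is a toy RSA with constructed small primes, so n, k0 and k1 are tiny. decrypt returns None (⊥) whenever f^{-1}(c) is not an n-bit string or the 0^{k1} redundancy is missing.

```python
import hashlib
import secrets

# Toy RSA as the trapdoor one-way permutation f (constructed small primes; insecure, illustration only)
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
n = N.bit_length() - 1          # OAEP works on n-bit strings; every n-bit value is < N (n = 39 here)
k0, k1 = 16, 16                 # slide: n > k0 + k1; messages are n - k0 - k1 = 7 bits in this toy
assert n > k0 + k1

def f(xy):
    return pow(xy, E, N)

def f_inv(c):
    return pow(c, D, N)

def _oracle(tag, value, in_bits, out_bits):
    """G and H modelled with SHA-256 (assumption): hash an in_bits-bit integer to out_bits bits."""
    data = tag + value.to_bytes((in_bits + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - out_bits)

def G(r):
    return _oracle(b"G", r, k0, n - k0)          # G: {0,1}^k0     -> {0,1}^(n-k0)

def H(x):
    return _oracle(b"H", x, n - k0, k0)          # H: {0,1}^(n-k0) -> {0,1}^k0

def oaep_encode(padded, r):
    """x = padded xor G(r), y = r xor H(x); returns the n-bit integer x||y.
    `padded` is normally m||0^k1; the raw form is exposed so a bad redundancy can be crafted."""
    x = padded ^ G(r)
    y = r ^ H(x)
    return (x << k0) | y

def encrypt(m, r=None):
    """E(m, r) from the slide: c = f(x||y) for a fresh k0-bit r (a fixed r is allowed for testing)."""
    assert 0 <= m < 1 << (n - k0 - k1), "message too long for this toy n, k0, k1"
    r = secrets.randbits(k0) if r is None else r
    return f(oaep_encode(m << k1, r))

def decrypt(c):
    """D(c) from the slide: invert f, undo OAEP, check the redundancy; None plays the role of bot."""
    xy = f_inv(c)
    if xy >> n:                                  # not an n-bit string: reject
        return None
    x, y = xy >> k0, xy & ((1 << k0) - 1)
    r = y ^ H(x)
    padded = x ^ G(r)
    if padded & ((1 << k1) - 1):                 # trailing 0^k1 missing: reject
        return None
    return padded >> k1

if __name__ == "__main__":
    c = encrypt(100)
    print("round trip:", decrypt(c))
    print("tampered (bad redundancy):", decrypt(f(oaep_encode((100 << k1) | 1, 12345))))
    print("tampered (not n bits):", decrypt(f(N - 1)))
```

The two rejections are the point of the redundancy: without the 0^{k1} check and the length check, the decryption oracle of the IND-CCA game would return a (garbled but related) plaintext for a ciphertext the adversary derived from c*, which is how the reduction on the next slide uses the fact that valid ciphertexts are hard to produce without querying G and H.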

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$
\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}
$$

where B runs in time t' = 2·t + q_H(2·q_G + q_H)·k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' ≤ 2^76 + 6·2^110·k^2 ≤ 2^113·k^2, and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no
2048 bits → t' ≤ 2^135, but NFS takes 2^111: no
4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is secure (by this reduction) for keys of at least 4096 bits; the reduction is not tight.

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations, one per key.

60/77

                                                                                                                    Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t)

at most 2^55 hash queries (qH, qG) and ideal cipher queries (qE)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + qE·k² ≤ 2^75 + 2^55·k², and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more
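As an added worked example (not from the slides), the Python below reproduces the exact-security arithmetic of the OAEP++ table: it evaluates the bound t' ≤ t + qE·k² for each key size, compares it with the NFS costs the slide quotes, and reports the smallest key size for which the reduction is meaningful. The NFS figures are the slide's own; the looser k^6 bound used for contrast is a hypothetical one.

```python
"""Added example (not part of the slides): exact-security arithmetic for
the f-OAEP++ reduction, i.e. turning t' <= t + qE * k^2 with t <= 2^75 and
qE <= 2^55 into a concrete key-size recommendation by comparing t' with the
NFS cost of factoring a k-bit modulus."""
import math

LOG2_T = 75      # adversary running-time bound 2^75 (from the slides)
LOG2_QE = 55     # ideal-cipher / hash query bound 2^55 (from the slides)

# Approximate NFS cost (log2) for a k-bit RSA modulus, as quoted in the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def log2_sum(*log2_terms):
    """log2(2^a + 2^b + ...) computed without overflow, pivoting on the largest term."""
    m = max(log2_terms)
    return m + math.log2(sum(2.0 ** (x - m) for x in log2_terms))


def oaeppp_inverter_cost(k, log2_t=LOG2_T, log2_qe=LOG2_QE):
    """log2 of the OAEP++ reduction bound t' <= t + qE * k^2 for a k-bit modulus."""
    return log2_sum(log2_t, log2_qe + 2 * math.log2(k))


def reduction_is_meaningful(k, log2_cost):
    """The reduction says something only if the derived inverter would beat NFS.
    If t' >= NFS cost, breaking the scheme might still be cheaper than factoring."""
    return log2_cost < NFS_LOG2[k]


def key_size_table(cost_fn=oaeppp_inverter_cost):
    """Returns {k: (ceil(log2 t'), ok?)}; with the default bound it reproduces
    the slide's three rows (76, 78, 80 bits, all ok)."""
    return {k: (math.ceil(cost_fn(k)), reduction_is_meaningful(k, cost_fn(k)))
            for k in NFS_LOG2}


def smallest_secure_key(cost_fn, sizes=(1024, 2048, 4096)):
    """First listed key size whose bound lies below NFS; None if none does."""
    for k in sizes:
        if reduction_is_meaningful(k, cost_fn(k)):
            return k
    return None


def hypothetical_loose_bound(k):
    """A constructed, much looser bound t' <= t + qE * k^6, not from the slides,
    to show how a non-tight reduction pushes the recommended key size up."""
    return log2_sum(LOG2_T, LOG2_QE + 6 * math.log2(k))


if __name__ == "__main__":
    for k, (bits, ok) in key_size_table().items():
        print(f"{k} bits: t' <= 2^{bits}, NFS takes 2^{NFS_LOG2[k]}: {'ok' if ok else 'no'}")
    print("OAEP++ bound, smallest secure key:", smallest_secure_key(oaeppp_inverter_cost))
    print("loose k^6 bound, smallest secure key:", smallest_secure_key(hypothetical_loose_bound))
```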


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in finite fields, and they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices


                                                                                                                    Part V

                                                                                                                    Concluding Remarks


                                                                                                                    Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


                                                                                                                    Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

                                                                                                                    Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

                                                                                                                    Part VI

                                                                                                                    References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACMTISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology — CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References


Exact Security: FDH Sigs & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge from which we want to extract a preimage x under f.

Rule H(3):

If this is the c-th query, set r ← y. Otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since the position of y is chosen uniformly at random, Pr[S3] = Pr[S2].


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

If this is the c-th query, set r ← y and s ← ⊥.

Otherwise choose s ←$ X at random and compute r ← f(s).

Add the record (q, s, r) to H-List.

Since the position of y is random, f is a permutation and s is random, Pr[S4] = Pr[S3].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):

Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4]. Moreover:

the simulation can be done computing (qS + qH) evaluations of f;

a signature forgery for y gives a preimage of y;

Pr[S5] = Adv^ow_f(B),

where B = G5 runs in time t + (qS + qH)·Tf.
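As an added example (not part of the slides), here is the reduction B of games G3 to G5 run concretely in Python against a toy RSA permutation: B programs H as in Rule H(4), answers signing queries by lookup as in Rule S(5) without ever using f^{-1}, and recovers a preimage of the challenge y exactly when the forgery lands on the c-th hash query. The toy parameters, the cheating forger and the names FDHReduction and run_with_cost are constructed for this example.

```python
"""Added example (not from the slides): the FDH reduction B of games G3-G5,
run concretely against a toy RSA permutation f(x) = x^E mod N.

B is given a challenge y. It simulates the hash oracle H (Rule H(4)) and the
signing oracle (Rule S(5)) for a forger without using f^{-1}, and outputs a
preimage of y when the forgery falls on the c-th distinct hash query."""
import random

# Constructed toy RSA parameters; far too small for real use.
P, Q, E = 1009, 1013, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor: only the cheating forger uses it


def f(x):
    """The one-way permutation f = RSA with public exponent E."""
    return pow(x, E, N)


class FDHReduction:
    """Simulator B. H-List maps message -> (s, r) with r = H(m).
    The c-th distinct hash query is answered with the challenge y and s = None
    (the slide's ⊥); every other query gets r = f(s) for a fresh random s."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.h_list = {}
        self.f_evals = 0   # the simulation costs (qS + qH) evaluations of f

    def H(self, m):
        """Rule H(4)."""
        if m not in self.h_list:
            if len(self.h_list) + 1 == self.c:
                self.h_list[m] = (None, self.y)
            else:
                s = self.rng.randrange(1, N)
                self.f_evals += 1
                self.h_list[m] = (s, f(s))
        return self.h_list[m][1]

    def sign(self, m):
        """Rule S(5): return the stored preimage; no f^{-1} needed.
        A signing query on the c-th message cannot be answered (s is None):
        B guessed c wrongly and the game aborts."""
        self.H(m)
        return self.h_list[m][0]

    def run(self, forger):
        """Run the forger on the simulated oracles; return x with f(x) = y or None."""
        out = forger(self.H, self.sign)
        if out is None:
            return None
        m, sigma = out
        _, r = self.h_list.get(m, (None, None))
        if r == self.y and f(sigma) == self.y:
            return sigma          # a forgery on the c-th query is a preimage of y
        return None


def toy_forger(H, sign):
    """Constructed forger that (cheating) knows the trapdoor D. It makes qH = 3
    hash queries and qS = 1 signing query, then forges on message 30, which it
    hashed as its 3rd query but never had signed."""
    for m in (10, 20, 30):
        H(m)
    if sign(10) is None:
        return None
    return 30, pow(H(30), D, N)


def run_with_cost(y, c, seed=0):
    """One run of B with guess c: returns (preimage of y or None, f evaluations)."""
    b = FDHReduction(y, c, random.Random(seed))
    return b.run(toy_forger), b.f_evals


if __name__ == "__main__":
    y = f(12345)          # challenge built from a preimage B never sees
    for c in (1, 2, 3):   # only the correct guess c = 3 succeeds: the 1/(qH+qS+1) loss
        print(f"guess c={c}: preimage={run_with_cost(y, c)[0]}")
```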


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{owf}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\;\ge\; \frac{1}{q_H + q_S + 1}\,\Pr[S_1]
\;\ge\; \frac{1}{q_H + q_S + 1}\,\Pr[S_0]
\;=\; \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
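The reduction B of the last games, written out as code. This is an added example, not part of the lecture slides: it implements the random-oracle programming rule (every hash value has a known preimage s with H(m) = f(s), except the c-th distinct query, which is set to the challenge y) and the signing rule S(5) (answer from the H-list, abort if the guessed message is asked), then turns a forgery on the guessed message into a preimage of y. The trapdoor permutation is a toy 32-bit RSA (constructed, insecure), and the "forger" is a constructed stand-in that holds the trapdoor d only so that there is something for B to run against; B itself never sees d. Running B for every possible guess c shows that exactly one of the $q_h + q_s + 1$ guesses succeeds, which is where the loss factor in the theorem comes from.

```python
import random
from math import gcd


class Abort(Exception):
    """Raised when the forger asks for a signature on the guessed message m_c."""


def keygen(e=65537):
    """Toy RSA trapdoor permutation f(x) = x^e mod N.  Constructed 32-bit modulus
    (p, q = 65537, 65539): useless for security, enough to exercise the reduction."""
    p, q = 65537, 65539
    n = p * q
    assert gcd(e, (p - 1) * (q - 1)) == 1
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def f(pk, x):
    n, e = pk
    return pow(x, e, n)


class Forger:
    """Stand-in for adversary A (constructed).  Only so that the simulator has
    something to run against, it holds the trapdoor d and forges on a message it
    never had signed.  B never touches d; it only sees A's hash queries, signing
    queries and the final forgery."""

    def __init__(self, d, hash_oracle, sign_oracle):
        self.d, self.H, self.sign = d, hash_oracle, sign_oracle

    def run(self, pk):
        n, _ = pk
        msgs = [b"m1", b"m2", b"m3", b"m4"]
        for m in msgs:                      # q_h = 4 distinct hash queries
            self.H(m)
        self.sign(msgs[0])                  # q_s = 2 signing queries
        self.sign(msgs[1])
        target = msgs[3]                    # fresh message: never signed
        return target, pow(self.H(target), self.d, n)


def reduction_B(pk, y, c, make_forger):
    """B gets a challenge y and bets that the forger's c-th distinct hash query is
    the message it will forge on.  It programs the random oracle so that every
    other hash value has a known preimage (so signing needs no f^{-1}) while
    H(m_c) = y.  Returns a preimage of y on success, None otherwise."""
    n, _ = pk
    h_list = {}      # m -> (s, H(m)); s is the known preimage, None at index c
    order = []       # distinct hash queries in the order they were made

    def H(m):
        if m not in h_list:
            order.append(m)
            if len(order) == c:
                h_list[m] = (None, y)                     # rule H(5): H(m_c) := y
            else:
                s = random.randrange(1, n)
                h_list[m] = (s, f(pk, s))                 # H(m) := f(s), s kept
        return h_list[m][1]

    def sign(m):
        H(m)
        s, _ = h_list[m]
        if s is None:                                     # query on m_c: give up
            raise Abort
        return s                                          # rule S(5): f(s) = H(m)

    try:
        m_star, sigma = make_forger(H, sign).run(pk)
    except Abort:
        return None
    H(m_star)                                             # the forgery's own hash query
    s, _ = h_list[m_star]
    if s is None and f(pk, sigma) == y:                   # forgery on m_c inverts y
        return sigma
    return None


def run_all_guesses(q_h=4, q_s=2):
    """Runs B once for every guess c in 1..q_h+q_s+1 and reports which guesses
    recover the preimage x of y.  Exactly one does: the 1/(q_h+q_s+1) loss."""
    pk, d = keygen()
    n, _ = pk
    x = random.randrange(1, n)
    y = f(pk, x)
    return {c: reduction_B(pk, y, c, lambda H, S: Forger(d, H, S)) == x
            for c in range(1, q_h + q_s + 2)}


if __name__ == "__main__":
    print(run_all_guesses())
```

For the guesses c = 1, 2 the forger asks a signature on the guessed message and B must abort (Rule S(5) cannot answer without $f^{-1}$); for c = 3 and c > 4 the forgery lands on a message whose hash B chose itself, so the forgery tells B nothing about y; only c = 4 yields the preimage. That is the whole content of the $\Pr[S_2] \ge \Pr[S_1]/(q_H + q_S + 1)$ step.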


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B), \qquad t' = t + (q_h + q_s)\cdot T_f$$

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time

$$t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s)\cdot T_f\big) \le 2^{130} + 2^{110}\cdot T_f$$

(the factor $(q_h + q_s + 1)$ turns the loss in success probability into a loss in time: B has to be repeated that many times to invert with probability comparable to the forger's).

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$$t' \le 2^{130} + 2^{110}\cdot T_f.$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA, namely factoring with the best known algorithm, the Number Field Sieve (NFS), for f = RSA. The guarantee is meaningful only when $t'$ is below the NFS cost: otherwise the forger would give an inverter no faster than factoring, and the theorem says nothing.

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where B runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries (here e is Euler's number, not the RSA exponent; the loss depends only on the number of signing queries). Inverting f can then be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext. In the public-key setting an unbounded adversary can simply encrypt every candidate plaintext under the public key and compare.

Goal: Indistinguishability (Semantic Security), informally

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting this costs nothing, since he holds the encryption key).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the challenger and the adversary is:

1. The challenger picks $b \xleftarrow{\$} \{0,1\}$ and $(k_e, k_d) \xleftarrow{\$} K(\cdot)$, and hands $k_e$ to the adversary.
2. (CCA1 phase) The adversary may submit ciphertexts c to the decryption oracle and receives $m \leftarrow D_{k_d}(c)$, or ⊥ if c is invalid.
3. The adversary outputs two messages $m_0, m_1$; the challenger returns $c^* \leftarrow E_{k_e}(m_b)$.
4. (CCA2 phase) The adversary may keep querying the decryption oracle on any $c \ne c^*$, receiving $m \leftarrow D_{k_d}(c)$ or ⊥.
5. The adversary outputs a guess $b'$.

CCA1 allows decryption queries only before the challenge; CCA2 allows them before and after it.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b):\ b' = b\,\big]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m):\ A(k_e, c) = m \,\big]$$

55/77


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = the RSA problem (modular e-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic: the adversary re-encrypts $m_0$ under $k_e$ and compares with $c^*$.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity: a ciphertext $(c_1, c_2)$ of m can be turned into $(c_1, 2c_2)$, a different ciphertext that decrypts to 2m and that the decryption oracle will answer.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
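The two "not IND-..." claims above, played out inside the games of the previous slides. This is an added example, not code from the lecture: the two game functions are the IND-CPA and IND-CCA2 experiments written as harnesses that return the empirical $\Pr[b' = b]$ (the slides' advantage), and the two schemes are toy textbook RSA (constructed 32-bit modulus) and toy ElGamal in $\mathbb{Z}_p^*$ for the constructed safe prime $p = 2\cdot 1013 + 1$. The re-encryption adversary wins the IND-CPA game against RSA every time and does no better than guessing against ElGamal; the malleability adversary wins the IND-CCA2 game against ElGamal every time without ever asking the oracle for $c^*$ itself.

```python
import random


def ind_cpa_game(scheme, adversary, trials=64):
    """IND-CPA experiment.  adversary(pk, encrypt) returns (m0, m1, finish) and
    finish(c_star) returns the guess b'.  Returns the fraction of trials with
    b' = b, i.e. an empirical estimate of the slides' Pr[b' = b]."""
    wins = 0
    for _ in range(trials):
        pk, _sk = scheme.keygen()
        b = random.randrange(2)
        m0, m1, finish = adversary(pk, lambda m: scheme.encrypt(pk, m))
        wins += finish(scheme.encrypt(pk, (m0, m1)[b])) == b
    return wins / trials


def ind_cca2_game(scheme, adversary, trials=64):
    """IND-CCA2 experiment: the adversary also gets a decryption oracle, usable
    before and after the challenge, that refuses only c* itself (returns None)."""
    wins = 0
    for _ in range(trials):
        pk, sk = scheme.keygen()
        b = random.randrange(2)
        box = {"c_star": None}

        def dec(c, sk=sk):
            return None if c == box["c_star"] else scheme.decrypt(sk, c)

        m0, m1, finish = adversary(pk, dec)
        box["c_star"] = scheme.encrypt(pk, (m0, m1)[b])
        wins += finish(box["c_star"]) == b
    return wins / trials


class TextbookRSA:
    """Deterministic c = m^e mod N.  Constructed 32-bit modulus (p, q = 65537, 65539)."""

    def keygen(self):
        p, q, e = 65537, 65539, 65537
        n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
        return (n, e), (n, d)

    def encrypt(self, pk, m):
        n, e = pk
        return pow(m, e, n)

    def decrypt(self, sk, c):
        n, d = sk
        return pow(c, d, n)


class ElGamal:
    """Randomized (g^r, m * h^r) in Z_p^*.  Constructed toy group: safe prime
    p = 2*1013 + 1 and g = 4, a generator of the order-1013 subgroup."""
    P, Q, G = 2027, 1013, 4

    def keygen(self):
        x = random.randrange(1, self.Q)
        return (self.P, self.G, pow(self.G, x, self.P)), x

    def encrypt(self, pk, m):
        p, g, h = pk
        r = random.randrange(1, self.Q)
        return (pow(g, r, p), m * pow(h, r, p) % p)

    def decrypt(self, sk, c):
        c1, c2 = c
        return c2 * pow(c1, -sk, self.P) % self.P


def reencryption_adversary(pk, encrypt):
    """Against any deterministic scheme: encrypt m0 yourself with the public key
    and check whether that equals c*.  Wins with probability 1 on textbook RSA."""
    m0, m1 = 2, 3
    return m0, m1, (lambda c_star: 0 if c_star == encrypt(m0) else 1)


def malleability_adversary(pk, dec):
    """Against ElGamal under CCA2: (c1, 2*c2) differs from c* and decrypts to
    2*m_b, so the oracle answers it; unblind by 2^{-1} and compare with m0."""
    p = pk[0]
    m0, m1 = 5, 7

    def finish(c_star):
        c1, c2 = c_star
        m_b = dec((c1, 2 * c2 % p)) * pow(2, -1, p) % p
        return 0 if m_b == m0 else 1

    return m0, m1, finish


def run_all():
    """Empirical Pr[b' = b] of each attack; 1.0 means a complete break."""
    return {
        "rsa_ind_cpa": ind_cpa_game(TextbookRSA(), reencryption_adversary),
        "elgamal_ind_cpa": ind_cpa_game(ElGamal(), reencryption_adversary),   # about 0.5
        "elgamal_ind_cca2": ind_cca2_game(ElGamal(), malleability_adversary),
    }


if __name__ == "__main__":
    print(run_all())
```

The harness follows the page's convention of reporting $\Pr[b' = b]$ directly, so "no advantage" shows up as a value near 1/2 rather than near 0. The CCA2 oracle only blacklists the exact challenge, which is precisely the gap the malleability adversary exploits.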


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So, how do we obtain IND-CCA? Through generic conversions from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, $k_0$, $k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y (the OAEP transform of m with random $r \in \{0,1\}^{k_0}$), then return $c = f(x\,\|\,y)$.

D(c): compute $x\,\|\,y = f^{-1}(c)$, invert OAEP, then check the redundancy ($k_1$ zero bits); output ⊥ if the check fails.

58/77
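The OAEP transform itself, with the redundancy check that D performs. This is an added example, not from the slides. It uses the Bellare-Rogaway 1994 definition of x and y, namely $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, with G and H instantiated (as an assumption, for the example only) by domain-separated SHA-256 truncated to the right lengths. The parameters are deliberately tiny and constructed: n = 32 bits, $k_0 = k_1 = 8$ bits, two-byte messages, and f is a toy RSA permutation with a 32-bit modulus just above $2^{32}$ so that every x||y is in its domain. The last function shows why the redundancy matters and why $k_1$ must be large in practice: with only 8 redundancy bits, about one in 256 RSA-multiplied ciphertexts still passes the check.

```python
import hashlib
import os

N_BYTES, K0, K1 = 4, 1, 1           # n = 32 bits, k0 = k1 = 8 bits, so n > k0 + k1
MSG_LEN = N_BYTES - K0 - K1         # 2-byte messages


def _ro(label, seed, length):
    """Random-oracle stand-in (assumption): domain-separated SHA-256, truncated."""
    return hashlib.sha256(label + seed).digest()[:length]


def G(r):   # {0,1}^k0 -> {0,1}^(n-k0)
    return _ro(b"G", r, N_BYTES - K0)


def H(x):   # {0,1}^(n-k0) -> {0,1}^k0
    return _ro(b"H", x, K0)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r),  y = r xor H(x);  returns x || y."""
    if len(m) != MSG_LEN or len(r) != K0:
        raise ValueError("wrong message or randomizer length")
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy):
    """Recovers r = y xor H(x), then m || z = x xor G(r); returns m, or None
    (the slides' ⊥) when the k1 redundancy bytes z are not all zero."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    return mz[:MSG_LEN] if mz[MSG_LEN:] == bytes(K1) else None


# f: toy RSA (constructed, insecure).  N = 65537 * 65539 > 2^32, so every 4-byte
# string x || y is an element of f's domain.
P, Q, E = 65537, 65539, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def encrypt(m, r=None):
    """E(m, r) = f(x || y); r is drawn fresh unless supplied (for tests)."""
    r = os.urandom(K0) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, N)


def decrypt(c):
    """D(c): f^{-1}(c), then unpad; rejects values outside {0,1}^n as well."""
    v = pow(c, D, N)
    if v >= 1 << (8 * N_BYTES):
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))


def tamper_rejection_rate(trials=256):
    """Multiplies ciphertexts by 2^e (RSA's own multiplicativity) and counts how
    often D rejects.  With k1 = 8 about 1/256 tampered ciphertexts slip through,
    which is exactly why real parameters use a much larger k1."""
    rejected = 0
    for _ in range(trials):
        c = encrypt(b"hi")
        rejected += decrypt(c * pow(2, E, N) % N) is None
    return rejected / trials


if __name__ == "__main__":
    c = encrypt(b"hi")
    print(decrypt(c), tamper_rejection_rate())
```

Two things the padding buys are visible here: the same message under two randomizers gives two different ciphertexts (x or y always changes when r does), and a ciphertext manipulated through f's algebra almost always unpads to garbage in the redundancy field, so the decryption oracle of the IND-CCA game returns ⊥ instead of a related plaintext.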


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2\cdot t + q_H\,(2\cdot q_G + q_H)\cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time $t' \le 2^{76} + 6\cdot 2^{110}\, k^2 \le 2^{113}\cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits; the reduction is not tight (the square root alone costs a factor two in the exponent).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations, one per key.

60/77


Improving the reduction: f-OAEP++ (cont.)

Advantage bound

The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved, but essentially linear.

As before, suppose the feasible bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t);

at most 2^55 hash queries (qH, qG) and ideal-cipher queries (qE).

Result: if one can break RSA-OAEP++ in time t, one can invert RSA with a k-bit modulus in time t′ ≤ t + qE · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t′ ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t′ ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t′ ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
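As an added worked example (mine, not from the slides), here is the key-size decision the slide performs, coded on exact integers so the rounding is honest. It assumes the slide's adversary budget (t = 2^75 operations, q_E = 2^55 queries) and takes the NFS cost figures exactly as quoted on the slides; the function and variable names are my own.

```python
# Added example (not from the slides): turn the OAEP++ reduction bound
# t' <= t + q_E * k^2 into the key-size decision made on the slide above,
# using the slide's budget (t = 2^75, q_E = 2^55) and the NFS cost figures
# it quotes.  Python 3.

# NFS factoring cost, in bits, for each RSA modulus size, exactly as quoted
# on the slides (the slides' figures, not an independent estimate).
NFS_COST_BITS = {1024: 80, 2048: 111, 4096: 149}

T_BITS = 75   # adversary's running-time budget: 2^75 operations
Q_BITS = 55   # bound on hash / ideal-cipher queries: 2^55


def ceil_log2(n):
    """Smallest b with 2**b >= n, computed on exact integers (no float rounding)."""
    return (n - 1).bit_length()


def oaep_pp_inversion_time(k, t_bits=T_BITS, q_bits=Q_BITS):
    """Exact value of t' = t + q_E * k^2 from the OAEP++ reduction, k = modulus bits."""
    return 2 ** t_bits + 2 ** q_bits * k * k


def oaep_pp_inversion_bits(k, t_bits=T_BITS, q_bits=Q_BITS):
    """log2 of t', rounded up: the slide's '2^76', '2^78', '2^80' column."""
    return ceil_log2(oaep_pp_inversion_time(k, t_bits, q_bits))


def reduction_is_meaningful(reduction_bits, k):
    """A reduction says something only if inverting RSA through it costs no
    more than the best known attack (NFS) on a k-bit modulus.  When t' exceeds
    the NFS cost the proof gives no guarantee for that key size at all (the
    'no' rows on the RSA-OAEP slide)."""
    return reduction_bits <= NFS_COST_BITS[k]


def oaep_pp_key_size_ok(k):
    return reduction_is_meaningful(oaep_pp_inversion_bits(k), k)


def smallest_meaningful_modulus(bits_fn):
    """First modulus size in the table for which the bound bits_fn(k) is meaningful."""
    for k in sorted(NFS_COST_BITS):
        if reduction_is_meaningful(bits_fn(k), k):
            return k
    return None


if __name__ == "__main__":
    for k in sorted(NFS_COST_BITS):
        print(f"{k} bits: t' <= 2^{oaep_pp_inversion_bits(k)}, "
              f"NFS 2^{NFS_COST_BITS[k]}, ok={oaep_pp_key_size_ok(k)}")
```

Feeding the non-tight RSA-OAEP figures from the previous slide (2^135 at 2048 bits, 2^137 at 4096 bits) into reduction_is_meaningful reproduces its "no"/"ok" verdicts, while the OAEP++ bound passes from 1024 bits upwards. Note what the check does and does not say: it tells you whether the reduction is meaningful relative to the quoted NFS cost at that size, not whether an 80-bit attack cost is acceptable for a deployment today.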


Revisiting the Assumptions

Classical assumptions:

Integer Factoring

Discrete Logarithm (in finite fields and in elliptic curves)

Modular roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: they require large keys when instantiated in finite fields, and all of them are subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-correcting codes

Hash-based schemes

Systems of multivariate equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

"Provable security" does not yield absolute proofs:

Proofs are relative, to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode were given in a better model [Paterson et al. 10]. Are we back in time now, in a model / attack / remodel cycle? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security (cont.)

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 30th IEEE Symposium on Security and Privacy, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987 (conference held 11-15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, received 18 Mar. 2002. This paper has not been published elsewhere.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology - CRYPTO '89, pages 239-252. Springer, Berlin / Heidelberg / New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology - EUROCRYPT '97, pages 256-266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87-100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References


Exact Security: FDH Signatures & Game-based proofs (3/5)

Game G3: as G2, but now use the following rule in the hashing oracle.

Let y be the challenge for which we want to extract a preimage x under f (that is, f(x) = y).

Rule H(3)

If this is the c-th query, set r ← y; otherwise choose r at random. Add the record (q, ⊥, r) to H-List.

Since y is uniformly distributed, exactly like the r it replaces, Pr[S3] = Pr[S2].


Exact Security: FDH Signatures & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be used to answer signing queries).

Rule H(4)

If this is the c-th query, set r ← y and s ← ⊥.

Otherwise choose s ←$ X at random and compute r ← f(s).

Add the record (q, s, r) to H-List.

Since y is uniform, f is a permutation and s is uniform, r = f(s) is uniform as well, so Pr[S4] = Pr[S3].



Exact Security: FDH Signatures & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known, so we can simulate the signing oracle without f^{-1}.

Rule S(5)

Look up (m, s, r) in H-List and set σ ← s.

Since the message of the c-th query is never asked to the signing oracle (otherwise the forgery on it would not be valid), Pr[S5] = Pr[S4]. Moreover:

the simulation can be done with (qS + qH) evaluations of f;

a signature forgery for the c-th message gives a preimage of y;

Pr[S5] = Adv^ow_f(B), where B = G5 runs in time t + (qS + qH)·T_f.



Exact Security: FDH Signatures & Game-based proofs, conclusion

Combining the relations from the previous games:

\[
\mathrm{Adv}^{\mathrm{ow}}_{f}(B)
= \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\ge \frac{1}{q_H + q_S + 1}\,\Pr[S_1]
\ge \frac{1}{q_H + q_S + 1}\,\Pr[S_0]
= \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
\]

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example, $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f = $ RSA. The bound is informative only when $t'$ is below the NFS cost, since otherwise the implied inverter is no better than what is already known:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

(here $e \approx 2.718$ is the base of the natural logarithm, not the RSA exponent) where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem

Secrecy (i.e., encryption)

Goal: cannot be too strong

Perfect Secrecy: not possible; the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the Challenger and the Adversary is (diagram reconstructed as text):

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; the Adversary receives $k_e$.

Adversary (CCA1 phase): sends ciphertexts $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\perp$.

Adversary: sends $m_0, m_1$. Challenger: $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$ and returns $c^*$.

Adversary (CCA2 phase): sends ciphertexts $c \ne c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ or $\perp$.

Adversary: outputs $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\left[m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
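The IND-CCA game of the slide above, run as an added example (not from the slides) against a toy ElGamal instance, with an adversary that uses the multiplicativity just mentioned. Assumptions: the prime and generator are constructed and far too small for real use, messages are group elements rather than bit strings, and setting cca2=False removes the decryption oracle, which turns the harness into the IND-CPA game.

```python
"""The IND-CCA game of slide 54, run against a toy ElGamal instance.

Added example.  The decryption oracle answers every query except the
challenge c* (CCA2); with cca2=False the oracle is removed, which is the
IND-CPA game.  The parameters below are constructed and far too small
for real use.
"""
import secrets

P = 1000000007   # constructed toy prime; the subgroup generated by G is
G = 5            # not checked, the demonstration only needs modular arithmetic


def keygen():
    """(k_e, k_d) <-$ K: secret exponent x, public key g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x


def encrypt(ke, m):
    """E_ke(m) = (g^r, m * ke^r) with a fresh random r; m is an element of Z_p^*."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(ke, r, P)) % P


def decrypt(kd, c):
    """D_kd(c1, c2) = c2 * c1^{-x} mod p."""
    c1, c2 = c
    return (c2 * pow(c1, -kd, P)) % P


class MalleabilityAdversary:
    """Uses the multiplicativity noted on slide 56: (c1, 2*c2) is a valid
    encryption of 2*m_b and differs from c*, so the CCA2 oracle decrypts it.
    Without an oracle (IND-CPA) it can only guess."""

    def choose(self, ke, dec):
        self.m0, self.m1 = 1234, 5678
        return self.m0, self.m1

    def guess(self, c_star, dec):
        c1, c2 = c_star
        twice = dec((c1, (2 * c2) % P))          # c != c*, so it is answered
        if twice is None:                        # oracle absent: 50/50 guess
            return secrets.randbelow(2)
        return 0 if twice == (2 * self.m0) % P else 1


def ind_game(adversary, cca2=True):
    """One run of the game from slide 54; returns True when b' = b."""
    b = secrets.randbelow(2)
    ke, kd = keygen()
    challenge = []

    def dec_oracle(c):
        # Returns ⊥ (None) if there is no oracle or c is the challenge itself.
        if not cca2 or c in challenge:
            return None
        return decrypt(kd, c)

    m0, m1 = adversary.choose(ke, dec_oracle)
    assert m0 != m1 and 0 < m0 < P and 0 < m1 < P
    c_star = encrypt(ke, (m0, m1)[b])
    challenge.append(c_star)
    return adversary.guess(c_star, dec_oracle) == b


def win_rate(adversary, trials, cca2=True):
    """Empirical Pr[b' = b], the advantage as slide 54 defines it
    (1/2 means no advantage, 1 means the scheme is broken)."""
    return sum(ind_game(adversary, cca2) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("IND-CCA2 win rate:", win_rate(MalleabilityAdversary(), 200))
    print("IND-CPA  win rate:", win_rate(MalleabilityAdversary(), 200, cca2=False))
```

The same adversary wins every CCA2 run but only about half of the CPA runs, which is exactly the gap between the two notions on the slide.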

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$

$H : \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
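The $f$-OAEP transform above in code, as an added example (not the slides' code): $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$ as in the Bellare-Rogaway construction, with $G$ and $H$ instantiated from SHA-256 and $f$ a constructed 150-bit toy RSA permutation built from two known Mersenne primes (far too small for real use). The redundancy check on the $k_1$ zero bytes is what makes decryption reject a ciphertext that was tampered with.

```python
"""f-OAEP (slide 58): encode, apply f, and check the redundancy on decryption.

Added example.  G and H are built from SHA-256 (an assumed instantiation),
and f is RSA with a constructed 150-bit modulus: toy sizes, not secure.
"""
import hashlib
import secrets

# Constructed toy trapdoor permutation f(v) = v^e mod N, f^{-1}(c) = c^d mod N.
P_PRIME, Q_PRIME = 2**61 - 1, 2**89 - 1          # known Mersenne primes
N = P_PRIME * Q_PRIME                            # 150-bit modulus
E = 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))

# OAEP parameters in bytes: n = 18 (144 bits, so x||y < N), k0 = k1 = 4.
N_BYTES, K0, K1 = 18, 4, 4
MSG_LEN = N_BYTES - K0 - K1                      # 10-byte messages


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), a SHA-256 mask (assumed instantiation)."""
    return hashlib.sha256(b"G" + r).digest()[: N_BYTES - K0]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def f(block):
    return pow(int.from_bytes(block, "big"), E, N)


def f_inv(c):
    """f^{-1}(c), or None when the preimage is not a valid n-bit block."""
    v = pow(c, D, N)
    if v >= 1 << (8 * N_BYTES):
        return None
    return v.to_bytes(N_BYTES, "big")


def encrypt(m):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be exactly {MSG_LEN} bytes")
    r = secrets.token_bytes(K0)
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return f(x + y)


def decrypt(c):
    """D(c): invert f, undo OAEP, return m only if the k1 zero bytes are intact."""
    block = f_inv(c)
    if block is None:
        return None
    x, y = block[: N_BYTES - K0], block[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    if padded[MSG_LEN:] != bytes(K1):
        return None                               # redundancy check failed: reject
    return padded[:MSG_LEN]


if __name__ == "__main__":
    c = encrypt(b"0123456789")
    print("round trip:", decrypt(c))
    # Multiplying c by 2^e is the multiplicativity trick of slide 56; the
    # padding check turns the result into a rejection instead of 2*m.
    print("tampered  :", decrypt((c * pow(2, E, N)) % N))
```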

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H, q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size, and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = $ RSA are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.


                                                                                                                        Revisiting the Assumptions

                                                                                                                        Classical Assumptions

                                                                                                                        Integer Factoring

                                                                                                                        Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                                                                        Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used.

Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

                                                                                                                        Error-Correcting Codes

                                                                                                                        Hash-based schemes

                                                                                                                        Systems of Multi-Variate Equations

                                                                                                                        Lattices


                                                                                                                        Concluding Remarks

                                                                                                                        Part V

                                                                                                                        Concluding Remarks


                                                                                                                        Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode is attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al. 10]. Are we back in time now, with the cycle model, attack, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].


                                                                                                                        Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


                                                                                                                        Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

                                                                                                                        Further information

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396. Springer-Verlag, 1999.

                                                                                                                        Some slides courtesy of David Pointcheval (thanks)


                                                                                                                        Part VI

                                                                                                                        References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.


J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.


S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.


J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.


P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.


R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin – Heidelberg – New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.


V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may be used in signing queries).

Rule H(4):

If this is the c-th query, set r ← y and s ← ⊥.

Otherwise, choose a random s ←$ X and compute r ← f(s).

Add the record (q, s, r) to the H-List.

Since position y is random, f is a permutation and s is random: Pr[S4] = Pr[S3].


Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without f^{-1}.

Rule S(5):

Look up (m, s, r) in the H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4]. Moreover:

the simulation can be done computing (qS + qH) evaluations of f;

a signature forgery for y gives a preimage of y;

Pr[S5] = Adv^ow_f(B),

where B = G5 runs in time t + (qS + qH) · Tf.


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \;\ge\; \frac{1}{q_H + q_S + 1}\cdot \Pr[S_1] \;\ge\; \frac{1}{q_H + q_S + 1}\cdot \Pr[S_0] \;=\; \frac{1}{q_H + q_S + 1}\cdot \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].
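The reduction B built in games G4 and G5, as an added example (not code from the slides): a toy RSA permutation plays f, `Reduction` programs the random oracle and answers signing queries exactly as rules H(4) and S(5) say, and a constructed forger `magic_forger` (cheating with the trapdoor, standing in for any EUF-CMA adversary) shows that only the guess c matching the forged message's hash query recovers f^{-1}(y). All names, parameters and the forger's behaviour are this example's assumptions.

```python
"""Toy instance of the FDH reduction from games G4/G5 (added example, not from
the slides).  A tiny RSA permutation plays f, the reduction B programs the
random oracle H as in rule H(4), answers signing queries as in rule S(5), and
a constructed forger A (it cheats with the trapdoor d, standing in for any
EUF-CMA forger) lets us check that, for the right guess c, A's forgery is the
preimage f^{-1}(y) that B is looking for."""
import random

# Constructed toy RSA parameters: far too small for real use, fine for a demo.
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor; used only by the cheating forger


def f(x):
    """The one-way permutation f (RSA, forward direction)."""
    return pow(x, E, N)


class Reduction:
    """B: given y, tries to output f^{-1}(y) by running the forger once."""

    def __init__(self, y, c, seed=0):
        self.y, self.c = y, c
        self.h_list = {}        # m -> (s, r) with r = H(m) and s = f^{-1}(r) or None
        self.signed = set()     # messages handed to the signing oracle
        self.f_evals = 0        # counts the (q_H + q_S) forward evaluations of f
        self.rng = random.Random(seed)   # seeded for reproducibility (toy only)

    def H(self, m):
        """Rule H(4): the c-th fresh query gets r = y (s unknown); every other
        fresh query gets r = f(s) for a random s, so its preimage is known."""
        if m in self.h_list:
            return self.h_list[m][1]
        if len(self.h_list) + 1 == self.c:
            s, r = None, self.y
        else:
            s = self.rng.randrange(N)
            r = f(s)
            self.f_evals += 1
        self.h_list[m] = (s, r)
        return r

    def sign(self, m):
        """Rule S(5): look up (m, s, r) in the H-list and return sigma = s.
        No f^{-1} is needed; the only failure is a signing query on the c-th
        hash query, the bad event the proof excludes."""
        self.H(m)
        s, _ = self.h_list[m]
        if s is None:
            raise RuntimeError("bad event: signing query on the c-th hash query")
        self.signed.add(m)
        return s

    def run(self, forger):
        """Run A against the simulated oracles; return f^{-1}(y) on success."""
        m_star, sigma = forger(self.H, self.sign)
        if m_star in self.signed or f(sigma) != self.H(m_star):
            return None                          # not a valid EUF-CMA forgery
        if self.h_list[m_star][1] == self.y:     # A forged on the c-th query
            return sigma                         # f(sigma) = H(m*) = y
        return None                              # wrong guess of c


def magic_forger(H, sign):
    """Constructed stand-in for an EUF-CMA adversary A: q_H = 4 hash queries,
    q_S = 2 signing queries, then a forgery on a fresh message.  It cheats
    with the trapdoor D, which the reduction never sees."""
    for m in ("alpha", "beta", "gamma"):
        H(m)
    sign("alpha")
    sign("gamma")
    target = "never-signed"
    return target, pow(H(target), D, N)


def run_reduction_for_every_guess(y, q_h, q_s, forger):
    """Run B once for each guess c = 1 .. q_h + q_s + 1 and return, per c,
    (recovered preimage or None, number of f evaluations B spent)."""
    results = {}
    for c in range(1, q_h + q_s + 2):
        b = Reduction(y, c)
        try:
            results[c] = (b.run(forger), b.f_evals)
        except RuntimeError:                     # bad event: abort this guess
            results[c] = (None, b.f_evals)
    return results


if __name__ == "__main__":
    s0 = 123456
    y0 = f(s0)
    out = run_reduction_for_every_guess(y0, q_h=4, q_s=2, forger=magic_forger)
    for c, (pre, evals) in out.items():
        print(f"c={c}: preimage={pre} f_evals={evals}")
    # Only the guess c that coincides with the forged message's hash query
    # recovers s0: that is the 1/(q_H + q_S + 1) loss in the bound.
```

Running it prints one recovered preimage (for c = 4) and None for the other six guesses, and shows B spending at most q_H + q_S forward evaluations of f, matching t' = t + (q_H + q_S)·T_f.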

47/77


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example, f = RSA). For each adversary A there exists an adversary B such that

\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\mathrm{ow}}_{f}(B)

where

A runs in time t, makes q_h queries to the hash function (RO) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s)\cdot T_f.

How should we interpret this result?

48/77



Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most 2^{75} operations (t),

at most 2^{55} hash queries (q_h), and

at most 2^{30} signing queries (q_s).

\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1)\cdot\mathrm{Adv}^{\mathrm{ow}}_{f}(B)

B runs in time t' = t + (q_h + q_s)\cdot T_f.

The result now says:

Interpreting the Result

If one can break the scheme within time t, then one can invert f within time t' \le (q_h + q_s + 1)(t + (q_h + q_s)\cdot T_f) \le 2^{130} + 2^{110}\cdot T_f.

49/77


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

t' \le 2^{130} + 2^{110}\cdot T_f

Recall that T_f = O(k^3) operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → t' ≤ 2^{140}, but NFS takes 2^{80}

2048 bits → t' ≤ 2^{143}, but NFS takes 2^{111}

4096 bits → t' ≤ 2^{146}, but NFS takes 2^{149}: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s\cdot e\cdot\mathrm{Adv}^{\mathrm{ow}}_{f}(B)

(here e ≈ 2.72 is the base of the natural logarithm, not the RSA exponent) where B runs in time t' = t + (q_h + q_s + 1)\cdot T_f if A runs in time t and makes q_h, q_s queries. Inverting f can then be done in time t' \le 2^{30}\cdot t + 2^{85}\cdot T_f, and

1024 bits → t' ≤ 2^{105}, but NFS takes 2^{80}

2048 bits → t' ≤ 2^{107}, but NFS takes 2^{111}: ok

4096 bits → t' ≤ 2^{109}, but NFS takes 2^{149}: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77


Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

Goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).

Strongest attack.

53/77


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between a Challenger and an Adversary is:

Challenger: b \leftarrow_{\$} \{0,1\}; (k_e, k_d) \leftarrow_{\$} K(\cdot); the key k_e is given to the Adversary.

Adversary: queries ciphertexts c to a decryption oracle and gets back m \leftarrow D_{k_d}(c) or \perp (CCA1: such queries are allowed only before the challenge).

Adversary: outputs (m_0, m_1). Challenger: c^* \leftarrow E_{k_e}(m_b), returned to the Adversary.

Adversary: further decryption queries c \ne c^*, answered by m \leftarrow D_{k_d}(c) or \perp (CCA2 only).

Adversary: outputs b'.

\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS}}(A) = \Pr\left[(m_0,m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*) : b' = b\right]

(Indistinguishability against chosen-ciphertext attacks)

54/77


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathrm{AS}}(A) = \Pr\left[m \leftarrow_{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]

55/77


Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77



f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k_0, k_1 integers such that n > k_0 + k_1, with

G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}

H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}

E(m, r): Compute x, y, then return c = f(x \| y).

D(c): Compute x \| y = f^{-1}(c), invert OAEP, then check the redundancy.

58/77
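As an added example (not code from the slides), a toy f-OAEP with f = textbook RSA, using the standard Bellare-Rogaway encoding x = (m || 0^k1) xor G(r), y = r xor H(x) that the slide elides; it assumes constructed parameters (n = 144, k0 = k1 = 32, a modulus built from two Mersenne primes) and SHAKE256 in place of the random oracles G and H. Decryption rejects (returns None) whenever the k1 redundancy bits are not all zero, which is what stops the multiplicativity of plain RSA from producing valid related ciphertexts.

```python
import hashlib
import os

# Constructed toy parameters: n > k0 + k1, all in bits; the message is n - k0 - k1 = 80 bits.
N_BITS, K0, K1 = 144, 32, 32
X_LEN, Y_LEN = (N_BITS - K0) // 8, K0 // 8   # byte lengths of x and y
MSG_LEN = (N_BITS - K0 - K1) // 8

# f = RSA with the Mersenne primes p = 2^61 - 1 and q = 2^89 - 1 (constructed toy key).
# The modulus is ~150 bits, so every 144-bit string x||y is below N and f permutes it.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # the trapdoor


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), random-oracle stand-in built from SHAKE256."""
    return hashlib.shake_256(b"OAEP-G" + r).digest(X_LEN)


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0, random-oracle stand-in built from SHAKE256."""
    return hashlib.shake_256(b"OAEP-H" + x).digest(Y_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """OAEP encoding of m with coins r; returns the n-bit string x || y."""
    if len(m) != MSG_LEN or len(r) != Y_LEN:
        raise ValueError("bad message or coin length")
    x = xor(m + bytes(K1 // 8), G(r))   # append k1 zero bits (redundancy), mask with G(r)
    y = xor(r, H(x))                    # one-time pad the coins with H(x)
    return x + y


def oaep_unpad(xy: bytes):
    """Invert the OAEP encoding and check the redundancy; returns m, or None to reject."""
    x, y = xy[:X_LEN], xy[X_LEN:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    m, z = mz[:MSG_LEN], mz[MSG_LEN:]
    if z != bytes(K1 // 8):             # the k1 redundancy bits must all be zero
        return None
    return m


def encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r) = f(x || y), with f the forward RSA direction."""
    r = os.urandom(Y_LEN) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, N)


def decrypt(c: int):
    """D(c): x || y = f^-1(c), then invert OAEP; any failure is a rejection (None)."""
    if not 0 <= c < N:
        return None
    xy_int = pow(c, D, N)
    if xy_int >= 2 ** N_BITS:           # f^-1(c) is not an n-bit string: reject
        return None
    return oaep_unpad(xy_int.to_bytes(N_BITS // 8, "big"))


def demo():
    m, r = b"hello-oaep", bytes.fromhex("00112233")       # constructed message and coins
    c = encrypt(m, r)
    related = c * pow(2, E, N) % N      # plain RSA would decrypt this to 2 * (x||y)
    return decrypt(c) == m, decrypt(related) is None, encrypt(m) != encrypt(m)


if __name__ == "__main__":
    print(demo())                        # expected: (True, True, True)
```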


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}

where B runs in time t' = 2\cdot t + q_H(2\cdot q_G + q_H)\cdot k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can then be done in time t' \le 2^{76} + 6\cdot 2^{110}\cdot k^2 \le 2^{113}\cdot k^2, and

1024 bits → t' ≤ 2^{133}, but NFS takes 2^{80}: no

2048 bits → t' ≤ 2^{135}, but NFS takes 2^{111}: no

4096 bits → t' ≤ 2^{137}, but NFS takes 2^{149}: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77



Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most 2^{75} operations (t),

at most 2^{55} hash (q_H, q_G) and ideal cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2, and

1024 bits → t' ≤ 2^{76}, but NFS takes 2^{80}: ok

2048 bits → t' ≤ 2^{78}, but NFS takes 2^{111}: ok

4096 bits → t' ≤ 2^{80}, but NFS takes 2^{149}: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

62/77

                                                                                                                          Concluding Remarks

                                                                                                                          Part V

                                                                                                                          Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs in the unconditional sense:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode is attacked [Albrecht 09]; then proofs for the other mode in a better model [Paterson et al 10]. Are we back in time now, with a cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396. Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

                                                                                                                          Part VI

                                                                                                                          References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: a case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: how to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: how to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987 (conference held 11–15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (received 18 Mar. 2002; not published elsewhere).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: a formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

77/77


Exact Security: FDH Sigs & Game-based proofs (4/5)

Game G4: as G3, but modify the simulation of the hashing oracle (which may also be invoked by signing queries).

Rule H(4):

If this is the c-th query, set $r \leftarrow y$ and $s \leftarrow \bot$.

Otherwise choose random $s \xleftarrow{\$} X$ and compute $r \leftarrow f(s)$.

Add the record $(q, s, r)$ to the H-List.

Since the position $y$ is random, $f$ is a permutation and $s$ is random, the answers of the hash oracle keep the same distribution: $\Pr[S_4] = \Pr[S_3]$.

45/77

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known, so we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Look up $(m, s, r)$ in the H-List and set $\sigma \leftarrow s$.

Since the c-th hash query corresponds to the forged message, which the adversary never submits to the signing oracle, the missing preimage is never needed and $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$;

a signature forgery on the c-th message (whose hash is $y$) gives a preimage of $y$.

Hence $\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B$ = G5 runs in time $t + (q_S + q_H) \cdot T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\;\ge\; \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1]
\;\ge\; \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0]
\;=\; \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
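The games G4 and G5 above describe the simulator B that turns a forger into an inverter of f. The following Python toy, added here as an example and not taken from the slides, implements exactly that bookkeeping: an H-List in which the c-th fresh query is programmed to the challenge y, signing answered by table lookup without f^{-1}, and preimage extraction from a forgery. Everything about it is an assumption for illustration: f is textbook RSA with a tiny modulus (p = 61, q = 53), the messages are constructed, and the "forger" cheats by holding the trapdoor d, since a real forger is exactly what the theorem says should not exist. Counting over all guesses c shows that exactly one value of c lets B recover x, which is where the (q_H + q_S + 1) loss in the bound comes from.

```python
"""Toy instance of the FDH reduction B from games G4/G5 (added example)."""
import random

N, E, D = 3233, 17, 2753   # toy RSA key, p=61, q=53; assumption, not a real key


def f(s):
    return pow(s, E, N)    # forward direction: cheap, public


def f_inv(r):
    return pow(r, D, N)    # trapdoor: only the cheating toy forger uses it


class GuessFailed(Exception):
    """Raised when the c-th (programmed) message is submitted for signing."""


class Simulator:
    """B in game G5: given challenge y = f(x) and a guess c, answers the
    forger's H and Sign queries without ever computing f^-1."""

    def __init__(self, y, c):
        self.y, self.c = y, c
        self.hlist = {}        # H-List: m -> (s, r); s is None on the c-th query
        self.queries = 0
        self.signed = set()

    def H(self, m):
        # Rule H(4): program the c-th fresh query to y, else r = f(s) for random s
        if m not in self.hlist:
            self.queries += 1
            if self.queries == self.c:
                self.hlist[m] = (None, self.y)
            else:
                s = random.randrange(N)
                self.hlist[m] = (s, f(s))      # r is uniform since f is a permutation
        return self.hlist[m][1]

    def sign(self, m):
        # Rule S(5): look the preimage up instead of computing f^-1(H(m))
        self.H(m)                              # a signing query implies a hash query
        s, _ = self.hlist[m]
        if s is None:
            raise GuessFailed("c-th message was submitted for signing")
        self.signed.add(m)
        return s

    def extract(self, m, sigma):
        # A valid FDH forgery on the c-th message is a preimage of y under f
        if m in self.signed or f(sigma) != self.H(m):
            return None
        s, r = self.hlist[m]
        return sigma if s is None and r == self.y else None


def toy_forger(H, sign, msgs, to_sign, target):
    """Stands in for adversary A: hashes every message, asks for some
    signatures, checks them, then forges on `target` using the trapdoor."""
    for m in msgs:
        H(m)
    for m in to_sign:
        assert f(sign(m)) == H(m)
    return target, f_inv(H(target))


def run_reduction(x, c, msgs, to_sign, target):
    """Return the preimage B recovers for y = f(x) with guess c, or None."""
    B = Simulator(f(x), c)
    try:
        m, sigma = toy_forger(B.H, B.sign, msgs, to_sign, target)
    except GuessFailed:
        return None
    return B.extract(m, sigma)


def successful_guesses(x, msgs, to_sign, target):
    """How many values of c in 1..len(msgs) let B recover x: exactly one,
    which is the 1/(q_H + q_S + 1) factor in the bound."""
    return sum(run_reduction(x, c, msgs, to_sign, target) == x
               for c in range(1, len(msgs) + 1))


if __name__ == "__main__":
    sample = ["m0", "m1", "m2", "m3", "m4", "m5"]   # constructed messages
    print(successful_guesses(1234, sample, ["m1", "m4"], "m3"))
```

Note that `extract` checks the forgery with the public f only, and that a wrong guess fails in one of the two ways the proof accounts for: either the programmed message is asked to the signing oracle (the simulator cannot answer, G3-style abort) or the forgery lands on a message whose hash B already knows the preimage of, which teaches B nothing about y.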

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \;\le\; (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)
$$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute $f$ (in the forward direction);

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77
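One way to answer that question is to apply the same recipe the OAEP++ slide (61/77) uses: plug feasible adversary resources into the reduction, and check whether the inverter B it yields would beat the best known attack on RSA. The Python below, added here as an example and not part of the slides, does this for both the FDH theorem above and the OAEP++ bound, so the two can be compared. Its assumptions are explicit: the adversary budget $t = 2^{75}$ and $q_h = q_E = 2^{55}$ follow the OAEP++ slide, $q_s = 2^{30}$ is a chosen illustrative value, one evaluation of $f$ is costed at $T_f = k^2$ (mirroring the slide's $q_E \cdot k^2$ term), the "essentially linear" OAEP++ advantage relation is treated as exactly linear with constant 1, and the NFS costs are the slide's figures, passed in rather than computed.

```python
"""Concrete-security arithmetic for the FDH and OAEP++ reductions (added example)."""
import math


def fdh_reduction(t, qh, qs, Tf, eps):
    """FDH theorem: a (t, qh, qs)-adversary with advantage eps gives an
    inverter B with time t + (qh + qs)*Tf and advantage eps/(qh + qs + 1)."""
    t_prime = t + (qh + qs) * Tf
    eps_prime = eps / (qh + qs + 1)
    return t_prime, eps_prime


def oaep_pp_reduction(t, qE, k, eps):
    """OAEP++ bound from the slide: t' <= t + qE*k^2; the advantage relation
    is assumed exactly linear with constant 1 (slide: 'essentially linear')."""
    return t + qE * k * k, eps


def work_factor_bits(t_prime, eps_prime):
    """log2 of the expected work per successful inversion, t'/eps'."""
    return math.log2(t_prime / eps_prime)


def guarantee_holds(t_prime, eps_prime, best_attack_cost):
    """The reduction rules the adversary out only if the implied inverter
    would be cheaper than the best known attack (NFS cost from caller)."""
    return t_prime / eps_prime < best_attack_cost


def compare_key_sizes(nfs_cost, t=2**75, qh=2**55, qs=2**30, qE=2**55, eps=1.0):
    """For each modulus size k in nfs_cost, report the work factor implied by
    each theorem and whether it yields a guarantee against the given NFS cost."""
    out = {}
    for k, cost in nfs_cost.items():
        Tf = k * k                          # assumption: one f evaluation ~ k^2
        fdh = fdh_reduction(t, qh, qs, Tf, eps)
        oaep = oaep_pp_reduction(t, qE, k, eps)
        out[k] = {
            "fdh_bits": round(work_factor_bits(*fdh), 1),
            "fdh_ok": guarantee_holds(*fdh, cost),
            "oaep_bits": round(work_factor_bits(*oaep), 1),
            "oaep_ok": guarantee_holds(*oaep, cost),
        }
    return out


# NFS cost estimates as stated on slide 61/77 (not computed here)
NFS_FROM_SLIDE = {1024: 2**80, 2048: 2**111, 4096: 2**149}


if __name__ == "__main__":
    for k, row in compare_key_sizes(NFS_FROM_SLIDE).items():
        print(k, row)
```

Under these assumptions the factor $(q_h + q_s + 1) \approx 2^{55}$ dominates: the FDH inverter needs about $2^{131}$ work per success at 1024 bits, far above the $2^{80}$ NFS figure, so the theorem as stated gives no guarantee at 1024 or 2048 bits and only starts to bite at 4096 bits, whereas the nearly tight OAEP++ bound already covers 1024 bits. That gap, not the running-time term, is what a practitioner should read off an exact-security statement before choosing parameters.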

                                                                                                                            Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                                                                            Interpreting Exact Security FDH Signatures

                                                                                                                            Letrsquos go back to our first result

                                                                                                                            Theorem (FDH is EUF-CMA)

                                                                                                                            Let FDH be the FDH signature scheme using one-way permutationf (for example f =RSA)For each adversary A there exist an adversary B such that

                                                                                                                            Adveuf-cmaFDH (A) le (qh + qs + 1) middot Advow

                                                                                                                            f (B)

                                                                                                                            where

                                                                                                                            A runs in time t makes qh queries to hash function (RO) andqs signature queries

                                                                                                                            Tf is the time to compute f (in the forward direction)

                                                                                                                            B runs in time t prime = t + (qh + qs) middot Tf

                                                                                                                            How should we interpret this result4877

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$$t' \le 2^{130} + 2^{110} \cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA (namely factoring, using the best known inverting algorithm, the Number Field Sieve (NFS)) for $f = $ RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem

Secrecy (i.e., encryption).

The goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

Strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between Challenger and Adversary is:

Challenger: $b \xleftarrow{\$} \{0,1\}$; $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the Adversary.

Adversary (CCA1 phase): may query any ciphertext $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$).

Adversary: sends $m_0, m_1$; Challenger replies with $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$.

Adversary (CCA2 phase): may keep querying any $c \ne c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\bot$).

Adversary: outputs $b'$.

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\left[\,(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\,\right]$$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\left[\,m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\,\right]$$

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
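The two failures listed on this slide (deterministic encryption is not IND-CPA; a multiplicative scheme is not IND-CCA) can be watched directly by playing the IND game of the earlier slide. The following harness is an added example, not code from the slides: it uses a constructed toy RSA key ($n = 61 \cdot 53 = 3233$, $e = 17$, $d = 2753$, far too small to be secure, chosen only so the game can be run by hand), and a made-up randomized wrapper `pad_enc` that prepends a random value to the message. The wrapper only defeats the naive "re-encrypt and compare" distinguisher; it is not a secure scheme. The decryption oracle refuses exactly the challenge ciphertext, mirroring the $c \ne c^*$ rule, and the malleability adversary relies on textbook RSA being multiplicative in the same way the slide says ElGamal is.

```python
import secrets

# Constructed toy RSA key for illustration only: n = 61 * 53, e = 17, d = 2753.
N, E, D = 3233, 17, 2753


def rsa_enc(m):
    """Textbook (deterministic) RSA: f(m) = m^e mod n."""
    return pow(m, E, N)


def rsa_dec(c):
    return pow(c, D, N)


# Constructed randomized wrapper: encrypt (m + 8r) for a message m < 8 and random r < 100.
# It only defeats the re-encryption strategy below and is NOT a secure scheme.
def pad_enc(m):
    return rsa_enc(m + 8 * secrets.randbelow(100))


def pad_dec(c):
    return rsa_dec(c) % 8


def ind_game(enc, dec, adversary, cca2=False, trials=256):
    """Estimate Pr[b' = b], the slide's Adv^{ind}(A), by repeating the game.

    adversary = (choose, guess): choose(enc) returns (m0, m1);
    guess(enc, dec_oracle, c_star) returns b'.
    With cca2=True the oracle decrypts any c except the challenge c* (the slide's
    'c != c*' rule); with cca2=False it answers ⊥ (None) to everything, i.e. CPA.
    """
    choose, guess = adversary
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        m0, m1 = choose(enc)
        c_star = enc((m0, m1)[b])

        def dec_oracle(c, c_star=c_star):
            if not cca2 or c == c_star:
                return None
            return dec(c)

        if guess(enc, dec_oracle, c_star) == b:
            wins += 1
    return wins / trials


# Adversary 1 (CPA only): pick two messages, re-encrypt m0 under the public key, compare.
def choose_two(enc):
    return 2, 3


def guess_by_reencrypting(enc, dec_oracle, c_star):
    return 0 if enc(2) == c_star else 1


REENCRYPT = (choose_two, guess_by_reencrypting)


# Adversary 2 (CCA2): textbook RSA is multiplicative, so c* * f(2) mod n encrypts
# 2 * (padded m_b). That ciphertext differs from c*, so the oracle answers, and the
# low three bits of the answer are 2 * m_b mod 8 (4 for m0 = 2, 6 for m1 = 3).
def guess_by_malleability(enc, dec_oracle, c_star):
    related = (c_star * rsa_enc(2)) % N
    return 0 if dec_oracle(related) == 4 else 1


MALLEABLE = (choose_two, guess_by_malleability)


if __name__ == "__main__":
    print("deterministic RSA, re-encrypt adversary:", ind_game(rsa_enc, rsa_dec, REENCRYPT))
    print("padded RSA, re-encrypt adversary:      ", ind_game(pad_enc, pad_dec, REENCRYPT))
    print("padded RSA, CCA2 malleability adversary:", ind_game(pad_enc, pad_dec, MALLEABLE, cca2=True))
```

Against the deterministic scheme the re-encryption adversary is right every time (advantage 1 under the slide's $\Pr[b' = b]$ measure); against the padded wrapper it is reduced to guessing, but the CCA2 adversary is again right every time because the oracle answers the related ciphertext. That is the gap between IND-CPA and IND-CCA the slide refers to.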

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n - k_0}$

$H: \{0,1\}^{n - k_0} \rightarrow \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
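As an added example, not taken from the slides, here is the Bellare-Rogaway OAEP transform written out with the slide's parameters, instantiated over a freshly generated RSA key: $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, with $G$ and $H$ built from SHAKE-256 (an assumption; the slides leave the hash instantiation open). Byte sizes $n = 504$ bits, $k_0 = k_1 = 128$ bits and a 512-bit modulus are assumed so that $x \| y$ always lies below the modulus. The key generation (Miller-Rabin) is only there to make the block self-contained.

```python
import hashlib
import secrets

# Assumed OAEP parameters in bytes: n = 504 bits, k0 = k1 = 128 bits, so n > k0 + k1.
N_BYTES, K0, K1 = 63, 16, 16
MSG_LEN = N_BYTES - K0 - K1          # 31-byte messages


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, e=65537):
    """Return ((n, e), (n, d)) with an exactly `bits`-bit modulus; f(x) = x^e mod n."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        n = p * q
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def G(r):   # {0,1}^{k0} -> {0,1}^{n-k0}, assumed SHAKE-256 instantiation
    return hashlib.shake_256(b"G" + r).digest(N_BYTES - K0)


def H(x):   # {0,1}^{n-k0} -> {0,1}^{k0}, assumed SHAKE-256 instantiation
    return hashlib.shake_256(b"H" + x).digest(K0)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """x = (m || 0^{k1}) xor G(r); y = r xor H(x); return x || y."""
    assert len(m) == MSG_LEN and len(r) == K0
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy):
    """Invert the transform and check the k1 zero bytes of redundancy; None plays the role of ⊥."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    return m if redundancy == bytes(K1) else None


def encrypt(pk, m):
    n, e = pk
    xy = int.from_bytes(oaep_pad(m, secrets.token_bytes(K0)), "big")
    return pow(xy, e, n)


def decrypt(sk, c):
    n, d = sk
    xy = pow(c, d, n)
    if xy.bit_length() > 8 * N_BYTES:     # f^{-1}(c) falls outside the OAEP domain
        return None
    return oaep_unpad(xy.to_bytes(N_BYTES, "big"))


if __name__ == "__main__":
    pk, sk = rsa_keygen()
    m = b"constructed 31-byte message....."
    c = encrypt(pk, m)
    print(decrypt(sk, c) == m, decrypt(sk, (c + 1) % pk[0]))
```

Two encryptions of the same message differ because $r$ is fresh each time, and a ciphertext that was not produced by the encryption algorithm decrypts to $\bot$ with overwhelming probability because the $k_1$ zero bytes do not survive the unmasking.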

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\text{ind-cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = $ RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f = $ RSA are

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
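The "is the proof meaningful at this key size" arithmetic of the FDH slides (Interpreting the Result, Improved Reduction) and of this OAEP++ slide is the same computation three times: multiply the reduction's loss factor by $B$'s running time, take $\log_2$, and compare with the NFS cost at that modulus size. The block below is an added example, not part of the lecture, that carries it out for the three linear reductions; the RSA-OAEP bound with its square-root loss is left out. The adversary resources ($2^{75}$, $2^{55}$, $2^{30}$) and the NFS figures are the ones tabulated on the slides; the choice of $T_f = k^3$ for the original FDH slide follows its "$T_f = O(k^3)$" remark, while the tabulated Coron and OAEP++ figures ($2^{85} \cdot k^2$, $2^{55} \cdot k^2$) correspond to $T_f = k^2$, so that is used for them. Because the slides drop constant factors (the factor $e$ in Coron's bound, and sums of equal-sized terms), the exact evaluation lands one to three bits above the tabulated figures; the per-key-size verdicts agree.

```python
import math

# Best-known RSA inversion cost (NFS), log2 of operations, as tabulated on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the slides.
T = 2**75      # running time t
QH = 2**55     # hash / random-oracle queries q_h (also used as the ideal-cipher bound q_E)
QS = 2**30     # signing queries q_s


def work_fdh_original(t, qh, qs, tf):
    """Original FDH reduction: Adv(A) <= (q_h+q_s+1) * Adv_f(B), B in time t + (q_h+q_s)*T_f.
    Returns the work to invert f with constant success probability: loss factor times B's time."""
    return (qh + qs + 1) * (t + (qh + qs) * tf)


def work_fdh_coron(t, qh, qs, tf):
    """Coron's reduction: Adv(A) <= q_s * e * Adv_f(B), B in time t + (q_h+q_s+1)*T_f.
    Euler's e is rounded up to 3 so the arithmetic stays in exact integers."""
    return 3 * qs * (t + (qh + qs + 1) * tf)


def work_oaep_plus_plus(t, qe, tf):
    """OAEP++ reduction (essentially linear): inverting RSA costs about t + q_E * T_f."""
    return t + qe * tf


def log2_work(work):
    """log2 of an exact integer work estimate, for a 'how many bits' comparison."""
    return math.log2(work)


def proof_is_meaningful(work, k):
    """A reduction says something only if the inverter it builds costs no more than
    the best generic attack (NFS) at modulus size k; otherwise the bound is vacuous."""
    return log2_work(work) <= NFS_LOG2[k]


def work_for(scheme, k):
    if scheme == "fdh":
        return work_fdh_original(T, QH, QS, k**3)    # slide: T_f = O(k^3)
    if scheme == "fdh-coron":
        return work_fdh_coron(T, QH, QS, k**2)       # tabulated 2^85 * k^2 term => T_f = k^2
    if scheme == "oaep++":
        return work_oaep_plus_plus(T, QH, k**2)      # tabulated 2^55 * k^2 term => T_f = k^2
    raise ValueError(scheme)


def meaningful_key_sizes(scheme):
    """Modulus sizes from the slides' table at which the named reduction is non-vacuous."""
    return [k for k in sorted(NFS_LOG2) if proof_is_meaningful(work_for(scheme, k), k)]


def table(scheme):
    """One (k, log2 of inverter work, NFS log2, verdict) row per modulus size."""
    rows = []
    for k in sorted(NFS_LOG2):
        bits = log2_work(work_for(scheme, k))
        rows.append((k, round(bits, 2), NFS_LOG2[k], "ok" if bits <= NFS_LOG2[k] else "no"))
    return rows


if __name__ == "__main__":
    for scheme in ("fdh", "fdh-coron", "oaep++"):
        print(scheme, meaningful_key_sizes(scheme))
        for row in table(scheme):
            print("  ", row)
```

Running it reproduces the slides' conclusions: the original FDH reduction is only meaningful at 4096 bits, Coron's at 2048 bits and above, and the OAEP++ reduction already at 1024 bits. Changing `T`, `QH` or `QS` shows how quickly a loose (non-tight) reduction forces larger keys.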

                                                                                                                            Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                                                                            Revisiting the Assumptions

                                                                                                                            Classical Assumptions

                                                                                                                            Integer Factoring

                                                                                                                            Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                                                                            Modular Roots (Square roots and e-th roots)

                                                                                                                            Advantages Easy to implement widely usedDrawbacks Require large keys if in Finite Fields They are allsubject to quantum attacks

                                                                                                                            Alternatives Post-Quantum Cryptography

                                                                                                                            Error-Correcting Codes

                                                                                                                            Hash-based schemes

                                                                                                                            Systems of Multi-Variate Equations

                                                                                                                            Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

                                                                                                                            Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now (model, attacks, remodel)? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

                                                                                                                            provides some form of guarantee that the scheme is not flawed

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security)

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

                                                                                                                            Some slides courtesy of David Pointcheval (thanks)

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987, 11-15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270-299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference - EUROCRYPT '97, pages 256-266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87-100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5):

Lookup $(m, s, r)$ in H-List and set $\sigma \leftarrow s$

Since the c-th query cannot be asked to the hash oracle, then $\Pr[S_5] = \Pr[S_4]$.

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of $f$

a signature forgery for $y$ gives a preimage for $y$

$\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where $B = G_5$ runs in time $t + (q_S + q_H) \cdot T_f$

46/77


Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \times \Pr[S_0] = \frac{1}{q_H + q_S + 1} \times \mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77

Interpreting Exact Security: FDH Signatures

Let's go back to our first result:

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f = $ RSA). For each adversary $A$ there exists an adversary $B$ such that

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries

$T_f$ is the time to compute $f$ (in the forward direction)

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$

The result now says:

Interpreting the Result

If one can break the scheme within time $t$, then one can invert $f$ within time

$$t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$$

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110}\cdot T_f$.

Recall that this slide takes $T_f = O(k^3)$ operations, with $k = |n|$ the modulus length and $e$ small (the cost of a generic modular exponentiation; with a small fixed $e$ the forward direction is only a handful of $O(k^2)$ modular multiplications, which is the estimate the later slides use).

We compare this with the known cost of inverting RSA, namely factoring $n$ with the best known algorithm, the Number Field Sieve (NFS), for $f = \mathrm{RSA}$:

- 1024 bits: $t' \le 2^{140}$, but NFS takes $2^{80}$ (the reduction says nothing)
- 2048 bits: $t' \le 2^{143}$, but NFS takes $2^{111}$ (the reduction says nothing)
- 4096 bits: $t' \le 2^{146}$, and NFS takes $2^{149}$: ok

The bound is only meaningful when $t'$ is below the NFS cost, i.e. when breaking FDH would yield a factoring algorithm faster than the best one known.

$\Rightarrow$ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

(here $e \approx 2.718$ is the base of the natural logarithm, not the RSA exponent), where $B$ runs in time $t' = t + (q_h + q_s + 1)\cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. The loss now depends on $q_s$ only, not on $q_h$.

With the same feasible bounds as before, inverting $f$ can be done in time $t' \le 2^{30}\cdot t + 2^{85}\cdot T_f$ (dropping the constant $e$), and taking $T_f \approx k^2$, roughly:

- 1024 bits: $t' \le 2^{105}$, but NFS takes $2^{80}$ (the reduction says nothing)
- 2048 bits: $t' \le 2^{107}$, and NFS takes $2^{111}$: ok
- 4096 bits: $t' \le 2^{109}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible for (asymmetric) encryption, since the ciphertext (information-theoretically) reveals information about the plaintext; anyone holding the public key can test candidate plaintexts against it.

Goal: Indistinguishability (Semantic Security), informally

Given the ciphertext and the encryption key, the adversary cannot tell apart two different messages of the same length encrypted under the scheme, even if he chose the messages himself.

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can do this on his own, since he holds the encryption key).
- Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). This is the strongest attack model.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game between the challenger and the adversary $A$ is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$; $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; $k_e$ is given to $A$.
2. $A$ may query a decryption oracle: on $c$ it receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\bot$ if $c$ is invalid.
3. $A$ sends two messages $m_0, m_1$ (of the same length); the challenger returns $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$.
4. $A$ may keep querying the decryption oracle on any $c \ne c^*$ (CCA2; in CCA1 the oracle is available only before the challenge).
5. $A$ outputs a guess $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{\mathcal{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b);\ b' \leftarrow A^{\mathcal{D}}(c^*) : b' = b\big]$

(normalised as $2\Pr[b' = b] - 1$, so that a random guess has advantage $0$).

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

- Let $m$ be a random message chosen from the message space $\mathcal{M}$.
- From the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable (non-negligible) probability. Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\text{ow-cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\big]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: (textbook) RSA [Rivest-Shamir-Adleman 78]
- OW-CPA $\Leftrightarrow$ the RSA problem (computing modular $e$-th roots).
- It is neither IND-CPA nor IND-CCA, since it is deterministic: the adversary re-encrypts $m_0$ under the public key and compares with $c^*$.

Discrete-log-based: ElGamal [ElGamal 85]
- OW-CPA $\Leftrightarrow$ CDH (Computational Diffie-Hellman).
- IND-CPA $\Leftrightarrow$ DDH (Decisional Diffie-Hellman).
- It is not IND-CCA because of its multiplicativity: from $c^*$ the adversary can build a different ciphertext that decrypts to a known multiple of $m_b$, and ask the decryption oracle for it.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog: an algorithm for DLog solves CDH, and one for CDH solves DDH).
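The IND-CCA game of the previous slides and the two failures listed above can be played out in code. The Python block below is an added example, not part of the slides: a challenger implementing the IND-CCA2 game (random $b$, one challenge, a decryption oracle that refuses only $c^*$), a toy ElGamal over $\mathbb{Z}_P^*$ with $P = 2^{127}-1$ and textbook RSA with two fixed Mersenne primes (constructed, toy-sized parameters), and the two adversaries from the slide: one that re-encrypts $m_0$ (breaking IND-CPA of textbook RSA without touching the oracle) and one that exploits ElGamal's multiplicativity through the decryption oracle. Both reach advantage $2\Pr[b' = b] - 1 = 1$.

```python
import secrets

# Toy parameters, constructed for this example only (not real-world sizes).
P = 2**127 - 1                  # Mersenne prime; ElGamal works in Z_P^*
G = 3
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537   # Mersenne primes, textbook RSA
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


# --- ElGamal: K, E, D (randomised, multiplicatively homomorphic) --------------
def eg_keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x                       # (k_e, k_d) = (h = g^x, x)


def eg_encrypt(h, m):
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), m * pow(h, r, P) % P    # (g^r, m * h^r)


def eg_decrypt(x, c):
    c1, c2 = c
    return c2 * pow(c1, P - 1 - x, P) % P        # c2 * c1^{-x}


# --- Textbook RSA: K, E, D (deterministic) ------------------------------------
def rsa_keygen():
    return (RSA_N, RSA_E), (RSA_N, RSA_D)


def rsa_encrypt(ke, m):
    n, e = ke
    return pow(m, e, n)


def rsa_decrypt(kd, c):
    n, d = kd
    return pow(c, d, n)


ELGAMAL = (eg_keygen, eg_encrypt, eg_decrypt)
RSA = (rsa_keygen, rsa_encrypt, rsa_decrypt)


# --- The IND-CCA2 game, challenger side ---------------------------------------
class IndCca2Game:
    def __init__(self, scheme):
        keygen, self.enc, self.dec = scheme
        self.ke, self.kd = keygen()
        self.b = secrets.randbelow(2)            # b <-$ {0,1}
        self.challenge = None

    def decrypt_oracle(self, c):
        if c == self.challenge:
            return None                          # the one forbidden query: c = c*
        return self.dec(self.kd, c)

    def get_challenge(self, m0, m1):
        assert self.challenge is None            # a single challenge per game
        self.challenge = self.enc(self.ke, (m0, m1)[self.b])
        return self.challenge

    def verdict(self, b_guess):
        return b_guess == self.b


# --- Adversaries ----------------------------------------------------------------
def rsa_determinism_adversary(game):
    """IND-CPA break of textbook RSA: re-encrypt m0 under k_e and compare with c*."""
    m0, m1 = 2, 3
    c_star = game.get_challenge(m0, m1)
    return 0 if game.enc(game.ke, m0) == c_star else 1


def elgamal_malleability_adversary(game):
    """IND-CCA2 break of ElGamal: (c1, 2*c2) != c* and decrypts to 2*m_b."""
    m0, m1 = 2, 3
    c1, c2 = game.get_challenge(m0, m1)
    doubled = game.decrypt_oracle((c1, 2 * c2 % P))
    m_b = doubled * pow(2, -1, P) % P
    return 0 if m_b == m0 else 1


def advantage(scheme, adversary, trials=200):
    """Estimate 2*Pr[b' = b] - 1 by playing the game `trials` times."""
    wins = 0
    for _ in range(trials):
        game = IndCca2Game(scheme)
        wins += game.verdict(adversary(game))
    return 2 * wins / trials - 1
```

Note that the ElGamal adversary never asks for $c^*$ itself, so the oracle's single restriction does not help: the whole point of IND-CCA2 is that the scheme must make every related ciphertext useless, which is what the OAEP redundancy check on the next slides achieves.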

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.
- OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation on $\{0,1\}^n$, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$
$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

(both modelled as random oracles). Messages have length $n - k_0 - k_1$.

$\mathcal{E}(m, r)$: for random $r \in \{0,1\}^{k_0}$, compute $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP ($r = y \oplus H(x)$, $m \| z = x \oplus G(r)$), then check the redundancy: return $m$ if $z = 0^{k_1}$, otherwise reject ($\bot$).
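The padding above is short enough to write out in full. The Python block below is an added example (not the slides' or Bellare-Rogaway's code) of $f$-OAEP with $f$ the toy RSA permutation from two fixed Mersenne primes used earlier in these notes; $G$ and $H$ are instantiated from SHA-256 with domain-separating prefixes, and the sizes ($n = 144$ bits, $k_0 = k_1 = 48$ bits, so messages are 6 bytes) are constructed so that $x \| y$ stays below the 150-bit modulus. They are example sizes, not a recommendation. The last function shows what the $0^{k_1}$ redundancy buys: the multiplicative trick that breaks textbook RSA (multiply $c$ by $2^e$) produces a ciphertext that OAEP decryption rejects.

```python
import hashlib
import secrets

# Toy RSA trapdoor permutation f(x) = x^e mod N (fixed Mersenne primes: example only)
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP sizes in bytes: n > k0 + k1 (18 > 6 + 6); the 144-bit block x||y is below N (150 bits)
N_BYTES, K0, K1 = 18, 6, 6
M_BYTES = N_BYTES - K0 - K1          # message length n - k0 - k1


def G(r: bytes) -> bytes:            # {0,1}^{k0} -> {0,1}^{n-k0}, random-oracle stand-in
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]


def H(x: bytes) -> bytes:            # {0,1}^{n-k0} -> {0,1}^{k0}
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """x = (m || 0^{k1}) xor G(r);  y = r xor H(x);  return x || y."""
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return x + y


def oaep_unpad(xy: bytes):
    """Invert the pad and check the 0^{k1} redundancy; None stands for the reject symbol."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    if mz[M_BYTES:] != bytes(K1):
        return None
    return mz[:M_BYTES]


def encrypt(m: bytes) -> int:
    assert len(m) == M_BYTES
    r = secrets.token_bytes(K0)      # fresh randomness: encryption is no longer deterministic
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, N)


def decrypt(c: int):
    if not 0 <= c < N:
        return None
    v = pow(c, D, N)
    if v >> (8 * N_BYTES):           # f^{-1}(c) does not fit in n bits: reject
        return None
    return oaep_unpad(v.to_bytes(N_BYTES, "big"))


def malleability_rejected(c: int) -> bool:
    """Textbook RSA would decrypt c * 2^e to 2 * plaintext; with OAEP the
    redundancy check fails on 2 * (x || y) and decryption rejects it."""
    return decrypt(c * pow(2, E, N) % N) is None
```

A tampered block passes the check only if the $k_1$ redundancy bits happen to come out as zero, i.e. with probability about $2^{-k_1}$; with realistic parameters ($k_1 \ge 128$) that is negligible, and this is what the reduction on the next slide relies on when it answers decryption queries without the trapdoor.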

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]; for RSA, partial-domain one-wayness is itself equivalent to the RSA problem, at the cost of a square-root loss. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2\cdot\sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2\cdot t + q_H\,(2\cdot q_G + q_H)\cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size, and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6\cdot 2^{110}\cdot k^2 \le 2^{113}\cdot k^2$, and

- 1024 bits: $t' \le 2^{133}$, but NFS takes $2^{80}$: no
- 2048 bits: $t' \le 2^{135}$, but NFS takes $2^{111}$: no
- 4096 bits: $t' \le 2^{137}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (the reduction is not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model: the block cipher $E$ is modelled as a family of perfectly random and independent permutations, one per key, to which every party (the adversary included) has oracle access in both directions.

Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear (no square-root loss).

As before, suppose feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E\cdot k^2 \le 2^{75} + 2^{55}\cdot k^2$, and

- 1024 bits: $t' \le 2^{76}$, and NFS takes $2^{80}$: ok
- 2048 bits: $t' \le 2^{78}$, and NFS takes $2^{111}$: ok
- 4096 bits: $t' \le 2^{80}$, and NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.

Revisiting the Assumptions

Classical assumptions:
- Integer factoring
- Discrete logarithm (in finite fields and in elliptic curves)
- Modular roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks (Shor's algorithm).

Alternatives, post-quantum cryptography:
- Error-correcting codes
- Hash-based schemes
- Systems of multivariate equations
- Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield absolute proofs:

- Proofs are relative to computational assumptions and to the definition of the scheme's goal.
- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode were given in a better model [Paterson et al. 10]. Are we back to a cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security (cont.)

Still, provable security

- provides some form of guarantee that the scheme is not flawed;
- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
- gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
- is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77


Security Notions: Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): Look up (m, s, r) in H-List and set σ ← s.

Since the c-th query cannot be asked to the hash oracle, Pr[S5] = Pr[S4].

Moreover:

the simulation can be done computing $(q_S + q_H)$ evaluations of f;

a signature forgery for y gives a preimage for y;

Pr[S5] = $\mathrm{Adv}^{\mathrm{ow}}_f(B)$, where B = G5 runs in time $t + (q_S + q_H) \cdot T_f$.

46/77


Exact Security: FDH Sigs & Game-based proofs: conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_1] \ge \frac{1}{q_H + q_S + 1} \cdot \Pr[S_0] = \frac{1}{q_H + q_S + 1} \cdot \mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A)$$

Game-playing proofs: in general, games can have different distributions, and these gaps are included in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
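The game G5 simulation and the final step "a forgery for y gives a preimage of y", as an added worked example that is not part of the original slides: a Python implementation of the inverter B wrapping a forger A. The one-way permutation is textbook RSA with tiny constructed parameters (p = 61, q = 53, e = 17), which is not secure and only serves to make f and its trapdoor concrete; the forger used to exercise B is a constructed stand-in that cheats with the trapdoor d, because the point being shown is that B itself never inverts f and only programs the random oracle. The class and function names (FDHInverter, SigningAbort, demo_forger, invert_with_reduction) are mine.

```python
import random

# Toy one-way permutation f(x) = x^E mod N: textbook RSA with constructed, tiny,
# insecure parameters (N = 61 * 53 = 3233, e = 17). Only the demo forger below
# uses the trapdoor D; the inverter B only ever evaluates f forwards, as in G5.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def f(x):
    """Forward direction of the permutation (cost T_f on the slides)."""
    return pow(x, E, N)


class SigningAbort(Exception):
    """A asked for a signature on the c-th hashed message: the case the earlier
    games exclude, so this run of B (for this guess c) fails."""


class FDHInverter:
    """Inverter B for challenge y, guessing that A's forgery is on the c-th
    (fresh) hash query. Both oracles are simulated without f^{-1}: H-List maps
    m -> (s, r) with r = H(m) = f(s), so s is a valid signature on m; for the
    c-th query r = y and s is unknown (rule S(5) cannot answer a signing query)."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.hlist = {}
        self.signed = set()
        self.hash_queries = 0   # distinct hash queries (q_H plus the "+1" for m*)
        self.sign_queries = 0   # q_S
        self.f_evals = 0        # forward evaluations of f spent by the simulation

    def hash_oracle(self, m):
        if m not in self.hlist:
            self.hash_queries += 1
            if self.hash_queries == self.c:
                self.hlist[m] = (None, self.y)        # embed the challenge y
            else:
                s = self.rng.randrange(1, N)
                self.f_evals += 1
                self.hlist[m] = (s, f(s))             # program H(m) := f(s)
        return self.hlist[m][1]

    def sign_oracle(self, m):
        self.sign_queries += 1
        self.hash_oracle(m)                            # ensure (m, s, r) is in H-List
        s, _ = self.hlist[m]
        if s is None:
            raise SigningAbort(m)
        self.signed.add(m)
        return s                                       # rule S(5): sigma <- s

    def run(self, forger):
        """Run A against the simulated oracles; return f^{-1}(y) if A's forgery
        lands on the c-th message, else None."""
        try:
            m_star, sigma = forger(self.hash_oracle, self.sign_oracle)
        except SigningAbort:
            return None
        if m_star in self.signed:                      # not a forgery
            return None
        r = self.hash_oracle(m_star)                   # the "+1" query if A never hashed m*
        self.f_evals += 1
        if self.hlist[m_star][0] is None and f(sigma) == r:
            return sigma                               # f(sigma) == y: a preimage of y
        return None


def demo_forger(hash_oracle, sign_oracle):
    """Constructed stand-in for A: hashes two messages, obtains one legitimate
    signature and forges on the other. It cheats with the trapdoor D, which a
    real forger would not have; it exists only to exercise B's bookkeeping."""
    hash_oracle("pay 10 to alice")
    target = "pay 1000 to mallory"
    h = hash_oracle(target)
    sign_oracle("pay 10 to alice")
    return target, pow(h, D, N)


def invert_with_reduction(y, c, seed=0):
    """One run of B for guess c; returns (x or None, the inverter with its counters)."""
    inv = FDHInverter(y, c, random.Random(seed))
    return inv.run(demo_forger), inv


if __name__ == "__main__":
    y = 1234
    for c in (1, 2, 3):
        x, inv = invert_with_reduction(y, c)
        print(f"c={c}: x={x} f(x)={None if x is None else f(x)} "
              f"hash={inv.hash_queries} sign={inv.sign_queries} f_evals={inv.f_evals}")
```

Only the guess c = 2 (the forger's second fresh hash query) yields a preimage; c = 1 makes the forger ask a signature on the challenge message and B aborts, and c = 3 embeds y in a message nobody forges on. That one-in-(q_H + q_S + 1) guess is exactly the loss factor in the bound, and the f_evals counter is the (q_S + q_H) forward evaluations charged to B's running time.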

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries;

$T_f$ is the time to compute f (in the forward direction);

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme within time t, then one can invert f within time $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$$t' \le 2^{130} + 2^{110} \cdot T_f$$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA (namely factoring) using the best known inverting algorithm, the Number Field Sieve (NFS), for f = RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$;

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$;

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok.

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77
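The key-size comparison above, as an added example (my code, not from the slides): a Python function that plugs the slide's adversary budget into the basic reduction, returns $\log_2 t'$ with $T_f$ taken as $k^3$, and checks it against the NFS cost the slide quotes for each modulus size. The NFS figures ($2^{80}$, $2^{111}$, $2^{149}$) are the slide's own numbers, not an estimate computed here; the function names are mine. Only the basic (q_h + q_s + 1) reduction is implemented, since that is the one whose arithmetic the slide spells out.

```python
import math

# Adversary budget from the slide: t operations, q_h hash queries, q_s signing queries.
T_LOG2, QH_LOG2, QS_LOG2 = 75, 55, 30

# Best-known cost (log2) of inverting RSA via NFS, as quoted on the slide, by modulus size.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def tf_ops(k):
    """T_f = O(k^3): cost of one forward RSA evaluation for a k-bit modulus and small e
    (the slide's estimate, constants dropped)."""
    return k ** 3


def inverter_time_log2(k, t=2 ** T_LOG2, qh=2 ** QH_LOG2, qs=2 ** QS_LOG2):
    """log2 of t' <= (q_h + q_s + 1) * (t + (q_h + q_s) * T_f): the time in which the
    reduction turns a forger with budget (t, q_h, q_s) into an inverter of f
    (the loss factor accounts for repeating B until its guess of c is right)."""
    t_prime = (qh + qs + 1) * (t + (qh + qs) * tf_ops(k))
    return math.log2(t_prime)


def bound_is_meaningful(k):
    """True when the implied inverter would beat NFS for a k-bit modulus, i.e. the
    proof really rules out a forger with this budget at this key size."""
    return inverter_time_log2(k) <= NFS_LOG2[k]


def minimum_secure_key_size():
    """Smallest tabulated modulus size for which the bound is meaningful (None if none)."""
    return min((k for k in NFS_LOG2 if bound_is_meaningful(k)), default=None)


if __name__ == "__main__":
    for k in sorted(NFS_LOG2):
        print(f"{k} bits: t' <= 2^{inverter_time_log2(k):.1f}, NFS takes 2^{NFS_LOG2[k]}",
              "ok" if bound_is_meaningful(k) else "bound says nothing")
    print("RSA-FDH provably secure (for this budget) from", minimum_secure_key_size(), "bits")
```

Reading the output the way the slide does: at 1024 and 2048 bits the reduction only promises an inverter slower than NFS, so the theorem gives no guarantee against a $2^{75}$-step forger; at 4096 bits the inverter would be cheaper than NFS, so such a forger cannot exist unless NFS is not the best attack.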

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. Inverting f can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$;

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok;

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok.

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

- Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game is:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$, and sends $k_e$ to the adversary.

Adversary: may query the decryption oracle with any ciphertext c and gets back m or $\perp$ (the challenger computes $m \leftarrow D_{k_d}(c)$); then outputs two messages $(m_0, m_1)$.

Challenger: computes $c^* \leftarrow E_{k_e}(m_b)$ and sends $c^*$.

Adversary: may again query the decryption oracle on any $c \ne c^*$ (getting m or $\perp$); then outputs a guess $b'$.

CCA1: decryption queries are allowed only before the challenge. CCA2: decryption queries are also allowed after the challenge, on any $c \ne c^*$.

$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

- Let m be a random message chosen from the message space M.

- From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer-Factoring-based: RSA [Rivest-Shamir-Adleman 78]

- OW-CPA = RSA (modular e-th roots)
- It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

- OW-CPA = CDH (Computational Diffie-Hellman)
- IND-CPA = DDH (Decisional Diffie-Hellman)
- It is not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
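The IND-CCA game defined above and the remark that textbook RSA is not IND-CPA because it is deterministic, as an added example that is not part of the slides: a Python harness plays the challenger of the IND-CCA2 game (random b, keys, challenge c*, decryption oracle that refuses c*) against a toy textbook-RSA scheme with constructed small primes (not a real key), and an adversary that never uses the decryption oracle wins every time by simply re-encrypting m0 and comparing.

```python
"""IND-CCA2 game (challenger / adversary) run against toy textbook RSA.

Added example, not from the slides. Textbook RSA with constructed small
primes stands in for AS = (K, E, D); the game follows the slide: the
challenger picks b and the keys, hands k_e to the adversary, answers
decryption queries on any c != c*, and the adversary scores if b' = b.
"""
import secrets


# --- Toy textbook RSA (constructed parameters, far too small for real use) ---
def K():
    """Key generation: returns (k_e, k_d) = ((N, e), (N, d))."""
    p, q = 1000003, 1000033            # constructed primes, not a real key
    N = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (N, e), (N, d)


def E(ke, m):
    """Textbook RSA encryption: deterministic, so equal plaintexts give equal ciphertexts."""
    N, e = ke
    return pow(m, e, N)


def D(kd, c):
    """Textbook RSA decryption."""
    N, d = kd
    return pow(c, d, N)


# --- The IND-CCA2 experiment from the slide ---
class Challenger:
    def __init__(self):
        self.b = secrets.randbelow(2)           # b <-$ {0,1}
        self.ke, self.kd = K()                  # (k_e, k_d) <-$ K()
        self.c_star = None

    def decrypt(self, c):
        """Decryption oracle: answers any c except the challenge c* (None plays ⊥)."""
        if c == self.c_star:
            return None
        return D(self.kd, c)

    def challenge(self, m0, m1):
        """c* <- E_ke(m_b)."""
        self.c_star = E(self.ke, m1 if self.b else m0)
        return self.c_star


def deterministic_adversary(ke, c_star, decrypt, m0, m1):
    """Needs only k_e: because E is deterministic, re-encrypting m0 and
    comparing with c* reveals b. The decryption oracle is never called."""
    return 0 if E(ke, m0) == c_star else 1


def run_game(adversary, trials=200):
    """Estimates Pr[b' = b] over independent games (the slide's Adv^{ind-cca}_{AS}(A))."""
    wins = 0
    for _ in range(trials):
        ch = Challenger()
        m0, m1 = 1500, 2000                     # constructed: both 11-bit messages
        c_star = ch.challenge(m0, m1)
        b_prime = adversary(ch.ke, c_star, ch.decrypt, m0, m1)
        wins += (b_prime == ch.b)
    return wins / trials


def oracle_refuses_challenge():
    """Shows the c != c* rule: the oracle decrypts other ciphertexts but not c*."""
    ch = Challenger()
    c_star = ch.challenge(1500, 2000)
    return ch.decrypt(c_star) is None and ch.decrypt(E(ch.ke, 7)) == 7


if __name__ == "__main__":
    print("textbook RSA, determinism adversary: Pr[b'=b] =", run_game(deterministic_adversary))
    print("oracle refuses c*:", oracle_refuses_challenge())
```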

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

- Any trapdoor one-way function may yield a OW-CPA encryption scheme.

- OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$

$H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y, then return $c = f(x \| y)$.

D(c): compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
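The "compute x, y" step that the slide leaves to its diagram, as an added example (not the slide's own code): the standard Bellare-Rogaway OAEP transform, $s = (m \| 0^{k_1}) \oplus G(r)$, $t = r \oplus H(s)$, $x \| y = s \| t$, with G and H built from SHA-256 as an assumed instantiation and the parameters n = 512, k0 = k1 = 128 chosen here. The permutation f is left out so the block shows only what OAEP adds: x||y changes with every r, and D rejects (⊥) when the k1 redundancy bits do not come back as zero.

```python
"""OAEP padding layer (the x||y that the slide feeds into f), as an added example.

Implements the standard Bellare-Rogaway OAEP:
    s = (m || 0^{k1}) XOR G(r),   t = r XOR H(s),   x||y = s||t
G and H are SHA-256-based expansions (an assumption, not the slide's choice).
"""
import hashlib
import secrets
from typing import Optional

N_BITS, K0_BITS, K1_BITS = 512, 128, 128       # constructed: n > k0 + k1 as required
N, K0, K1 = N_BITS // 8, K0_BITS // 8, K1_BITS // 8
MSG_LEN = N - K0 - K1                          # message bytes: n - k0 - k1


def _mgf(seed: bytes, out_len: int) -> bytes:
    """Counter-mode SHA-256 expansion (MGF1 style) used to build G and H."""
    out = b""
    for counter in range((out_len + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:out_len]


def G(r: bytes) -> bytes:          # {0,1}^{k0} -> {0,1}^{n-k0}
    return _mgf(b"G" + r, N - K0)


def H(s: bytes) -> bytes:          # {0,1}^{n-k0} -> {0,1}^{k0}
    return _mgf(b"H" + s, K0)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: Optional[bytes] = None) -> bytes:
    """E's first step: returns x||y of n bits; r is the k0-bit random coin."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be exactly {MSG_LEN} bytes")
    r = secrets.token_bytes(K0) if r is None else r
    s = _xor(m + bytes(K1), G(r))   # mask (m || 0^{k1}) with G(r)
    t = _xor(r, H(s))               # mask r with H(s)
    return s + t                    # x || y, ready for f(x||y)


def oaep_unpad(xy: bytes) -> Optional[bytes]:
    """D's last steps: invert OAEP, then check the k1 zero-bit redundancy.
    Returns None (the slide's ⊥) when the redundancy check fails."""
    s, t = xy[:N - K0], xy[N - K0:]
    r = _xor(t, H(s))               # recover r from t and H(s)
    padded = _xor(s, G(r))          # recover m || redundancy from s and G(r)
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    if redundancy != bytes(K1):
        return None
    return m


if __name__ == "__main__":
    m = b"x" * MSG_LEN
    xy1, xy2 = oaep_pad(m), oaep_pad(m)
    print("randomised (same m, different x||y):", xy1 != xy2)
    print("round trip:", oaep_unpad(xy1) == m)
    damaged = bytes([xy1[0] ^ 1]) + xy1[1:]
    print("flipped bit rejected:", oaep_unpad(damaged) is None)
```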

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f can therefore be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and:

1024-bit keys: $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048-bit keys: $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096-bit keys: $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are:

- at most $2^{75}$ operations (t)

- at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and:

1024-bit keys: $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048-bit keys: $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096-bit keys: $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
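The key-size arithmetic behind the three verdicts on these slides (Coron's RSA-FDH bound, the RSA-OAEP bound of Fujisaki-OPS and Jonsson's RSA-OAEP++ bound), as an added example that is not from the slides: each reduction is encoded as the inverter's running time t' and compared with the slides' NFS cost figures. It assumes the cost of one RSA operation is $T_f = k^2$ (the value that reproduces the slides' numbers) and takes the NFS figures as given.

```python
"""Exact-security key-size check for the three RSA reductions on these slides.

Added example (not from the slides). Each reduction is written as the time t'
the inverter B needs, as a function of the adversary's time t, its query
counts and the cost T_f = k^2 (an assumption) of one RSA operation on a k-bit
modulus; the result is compared with the NFS figures the slides quote.
"""
import math

# Adversary resources assumed on the slides: t = 2^75 steps, 2^55 oracle queries.
T, Q = 2 ** 75, 2 ** 55

# NFS cost figures quoted on the slides (log2 of the work), taken as given.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def tf(k: int) -> int:
    """Cost of one RSA evaluation with small e on a k-bit modulus, T_f = k^2 (assumed)."""
    return k * k


# Inverter time t' for each reduction, as stated on the slides.
REDUCTIONS = {
    # Coron 2000 for RSA-FDH: t' <= 2^30 * t + 2^85 * T_f
    "RSA-FDH (Coron 2000)":
        lambda k: 2 ** 30 * T + 2 ** 85 * tf(k),
    # Fujisaki-OPS 00 for RSA-OAEP: t' <= 2^76 + 6 * 2^110 * k^2
    "RSA-OAEP (Fujisaki-OPS 00)":
        lambda k: 2 ** 76 + 6 * 2 ** 110 * tf(k),
    # Jonsson 2002 for RSA-OAEP++: t' <= t + q_E * k^2
    "RSA-OAEP++ (Jonsson 2002)":
        lambda k: T + Q * tf(k),
}


def inverter_log2(name: str, k: int) -> float:
    """log2 of the time the reduction's inverter B needs for a k-bit modulus."""
    return math.log2(REDUCTIONS[name](k))


def is_meaningful(name: str, k: int) -> bool:
    """The reduction says something only if B beats the best known attack:
    t' must be below the NFS cost for that modulus size."""
    return inverter_log2(name, k) < NFS_LOG2[k]


def minimum_key_size(name: str):
    """Smallest key size on the slides for which the reduction is meaningful, or None."""
    for k in sorted(NFS_LOG2):
        if is_meaningful(name, k):
            return k
    return None


if __name__ == "__main__":
    for name in REDUCTIONS:
        for k in sorted(NFS_LOG2):
            verdict = "ok" if is_meaningful(name, k) else "not ok"
            print(f"{name:28s} {k} bits: t' <= 2^{inverter_log2(name, k):.1f}, "
                  f"NFS 2^{NFS_LOG2[k]}: {verdict}")
        print(f"  -> meaningful from {minimum_key_size(name)} bits\n")
```

The loose tails of the slides' bounds (2^105 versus the computed 2^106 for FDH at 1024 bits, for instance) come from rounding; the ok / not ok verdicts are the same.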

Revisiting the Assumptions

Classical Assumptions:

- Integer Factoring

- Discrete Logarithm (in Finite Fields and in Elliptic Curves)

- Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.

Drawbacks: they require large keys if in Finite Fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

- Error-Correcting Codes

- Hash-based schemes

- Systems of Multi-Variate Equations

- Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

- Provable security does not yield proofs.

- Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

- Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

- Definitions (models) need time for review and acceptance. Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now (model, attack, remodel, ...)? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security:

- provides some form of guarantee that the scheme is not flawed;

- motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

- gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

- is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

- Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

- On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

- Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

                                                                                                                                J P Degabriele K Paterson and G WatsonProvable security in the real worldSecurity amp Privacy IEEE 9(3)33ndash41 2011

                                                                                                                                W Diffie and M HellmanNew directions in cryptographyIEEE Transactions on Information Theory 22644ndash654 1978

                                                                                                                                T ElGamalA public key cryptosystem and signature scheme based ondiscrete logarithmsIEEE Transactions on Information Theory 31469ndash472 1985

                                                                                                                                7177

                                                                                                                                A Fiat and A ShamirHow to prove yourself Practical solutions to identification andsignature problemsIn A M Odlyzko editor Advances inCryptologymdashCRYPTO rsquo86 volume 263 of Lecture Notes inComputer Science pages 186ndash194 Springer-Verlag 198711ndash15 Aug 1986

                                                                                                                                Fujisaki Okamoto Pointcheval and SternRSA-OAEP is secure under the RSA assumptionJournal of Cryptology 17 2004

                                                                                                                                E Fujisaki T Okamoto D Pointcheval and J SternRSA-OAEP is still aliveReport 2000061 Cryptology ePrint Archive Nov 2000

                                                                                                                                7277

                                                                                                                                S Goldwasser and S MicaliProbabilistic encryptionJournal of Computer and System Science 28270ndash299 1984

                                                                                                                                S Goldwasser S Micali and R RivestA digital signature scheme secure against adaptivechosen-message attacksSiam Journal of Computing 17(2)281ndash308 Apr 1988

                                                                                                                                T Holenstein R Kunzler and S TessaroThe equivalence of the random oracle model and the idealcipher model revisitedIn Proceedings of the 43rd annual ACM symposium on Theoryof computing pages 89ndash98 ACM 2011

                                                                                                                                7377

                                                                                                                                J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                                                                                                                A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                                                                                                                V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                                                                                                                7477

                                                                                                                                P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                                                K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                7577

                                                                                                                                R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                7677

                                                                                                                                V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (5/5)

Game G5: except for the c-th query, all preimages are known. Then we can simulate the signing oracle without $f^{-1}$.

Rule S(5): look up $(m, s, r)$ in H-List and set $\sigma \leftarrow s$.

Since the message of the c-th query can never be asked to the signing oracle (a valid forgery must be on a message that was never signed, and the forgery is on the c-th query), $\Pr[S_5] = \Pr[S_4]$. Moreover:

- the simulation can be done with $(q_S + q_H)$ forward evaluations of $f$ (no call to $f^{-1}$);
- a signature forgery for the message whose hash value is $y$ gives a preimage of $y$ under $f$;

so $\Pr[S_5] = \mathrm{Adv}^{\mathrm{ow}}_f(B)$, where $B$ (the algorithm that runs G5) runs in time $t + (q_S + q_H) \cdot T_f$.

46/77

Exact Security: FDH Sigs & Game-based proofs, conclusion

Combining the relations from the previous games:

$$\mathrm{Adv}^{\mathrm{ow}}_f(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ \ge\ \frac{1}{q_H + q_S + 1}\,\Pr[S_1] \ \ge\ \frac{1}{q_H + q_S + 1}\,\Pr[S_0] \ =\ \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)$$

Game-playing proofs: in general, consecutive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].

47/77
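A runnable version of the simulator built across games G4 and G5, added here as an illustration; it is not code from the slides or from Pointcheval. It uses toy RSA with two constructed primes as the one-way permutation $f$ (far too small to be secure), a dictionary as the random oracle and H-List, and a constructed forger that hashes four messages and forges on the third. The names $n, e, d, y, c$ and H-List follow the slides; everything else (SimulatorB, run_reduction, the messages) is an assumption of the example. What it makes visible is the step the proof rests on: B answers every hash and signing query with forward evaluations of $f$ only, never calling $f^{-1}$, its signatures still verify, and when its guess $c$ hits the forged message the forgery is the preimage of $y$.

```python
import random

# Constructed toy RSA parameters: far too small to be secure, chosen so the
# example runs instantly. 1000003 and 1000033 are primes; e = 65537.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # trapdoor: only the real signer (and the demo forger) holds it


def f(x):
    """The one-way permutation f = RSA forward direction, x^e mod n."""
    return pow(x, E, N)


def f_inv(x):
    """f^-1 via the trapdoor d. The simulator B below never calls this."""
    return pow(x, D, N)


class SimulatorB:
    """Game G5 of the proof. B receives a challenge y = f(s*) and must find s*.
    It runs the forger A as a black box and answers A's oracle queries itself:
      H(m):    fresh random s, r = f(s); store (m, s, r) in H-List, return r.
               The c-th distinct query instead returns y (Game G4).
      Sign(m): Rule S(5): look up (m, s, r) in H-List and return s.
    If A forges on the c-th message, its signature is a preimage of y."""

    def __init__(self, y, c, rng):
        self.y, self.c, self.rng = y, c, rng
        self.h_list = {}          # m -> (s, r); s is None for the query carrying y
        self.queries = 0          # distinct hash queries so far (at most qH + qS)
        self.f_evaluations = 0    # cost accounting: forward evaluations of f

    def H(self, m):
        if m not in self.h_list:
            self.queries += 1
            if self.queries == self.c:
                self.h_list[m] = (None, self.y)        # embed the challenge
            else:
                s = self.rng.randrange(1, N)
                self.h_list[m] = (s, f(s))             # f is a permutation, so f(s) is uniform
                self.f_evaluations += 1
        return self.h_list[m][1]

    def Sign(self, m):
        self.H(m)                 # a signing query also fixes H(m), as the real signer would
        s, _ = self.h_list[m]
        if s is None:
            # A asked for a signature on the message carrying y. Such an A can no
            # longer output a valid forgery on that message, so B just gives up.
            raise RuntimeError("signing query on the c-th message: B aborts")
        return s

    def extract(self, m, sigma):
        """Turn a valid forgery (m, sigma) with H(m) = y into the preimage of y."""
        if self.h_list.get(m, (None, None))[1] == self.y and f(sigma) == self.y:
            return sigma
        return None


def fdh_verify(m, sigma, H):
    return f(sigma) == H(m)


def demo_forger(H, Sign, messages, target):
    """Constructed stand-in for an arbitrary EUF-CMA forger A: it hashes every
    message, asks for signatures on all but `target`, then forges on `target`.
    To keep the demo deterministic the forgery step cheats with the trapdoor;
    B neither knows nor cares how A produces the forgery."""
    for m in messages:
        H(m)
    for m in messages:
        if m != target:
            assert fdh_verify(m, Sign(m), H)   # B's signatures verify under B's H
    return target, f_inv(H(target))


def run_reduction(c, seed=1):
    """Run B with guess c for the index of the forged message's hash query.
    Returns (y, preimage-or-None, number of forward evaluations of f B made)."""
    rng = random.Random(seed)
    y = f(rng.randrange(1, N))                  # one-wayness challenge handed to B
    B = SimulatorB(y, c, rng)
    messages = [b"m1", b"m2", b"m3", b"m4"]     # constructed; A forges on the 3rd
    try:
        m, sigma = demo_forger(B.H, B.Sign, messages, target=b"m3")
    except RuntimeError:
        return y, None, B.f_evaluations
    return y, B.extract(m, sigma), B.f_evaluations


if __name__ == "__main__":
    for c in range(1, 6):
        y, s, cost = run_reduction(c)
        print(f"c={c}: {'preimage found' if s is not None else 'fail'}, {cost} evaluations of f")
```

Running it for $c = 1, \dots, 5$ shows B succeeding only for $c = 3$, the guess that matches the forged message: that is the $1/(q_H + q_S + 1)$ loss of the generic bound, B having to guess which hash query the forgery will use. Programming $H(m)$ as $f(s)$ for uniform $s$ is indistinguishable from a truly random oracle precisely because $f$ is a permutation, which is why $\Pr[S_5] = \Pr[S_4]$ costs nothing.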

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)
Let FDH be the FDH signature scheme using a one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where
- $A$ runs in time $t$, makes $q_h$ queries to the hash function (random oracle) and $q_s$ signature queries;
- $T_f$ is the time to compute $f$ (in the forward direction);
- $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77


Full-Domain Hash: Interpreting the Result

Suppose the feasible bounds for any adversary are:
- at most $2^{75}$ operations ($t$),
- at most $2^{55}$ hash queries ($q_h$), and
- at most $2^{30}$ signing queries ($q_s$).

With $\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$ and $B$ running in time $t' = t + (q_h + q_s) \cdot T_f$, the result now says:

Interpreting the Result
If one can break the scheme in time $t$ (with constant probability), then one can invert $f$ with constant probability in time
$$t' \le (q_h + q_s + 1)\,\big(t + (q_h + q_s) \cdot T_f\big) \le 2^{130} + 2^{110} \cdot T_f.$$
(The factor $q_h + q_s + 1$ is the advantage loss of the reduction: $B$ has to be repeated about that many times to recover the success probability of $A$.)

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations, where $k = |n|$ and $e$ is small.

We compare this with the known cost of inverting RSA, namely factoring $n$ with the best known algorithm, the Number Field Sieve (NFS), for $f$ = RSA:
- 1024 bits: $t' \le 2^{140}$, but NFS takes $2^{80}$ (the inverter obtained from the forger is slower than the best known attack, so the proof gives no guarantee);
- 2048 bits: $t' \le 2^{143}$, but NFS takes $2^{111}$ (no guarantee either);
- 4096 bits: $t' \le 2^{146}$, and NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-FDH is provably secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:
$$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$$
where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries (here $e \approx 2.718$ is the base of the natural logarithm, not the RSA exponent). The loss no longer depends on the number of hash queries, only on the number of signing queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and
- 1024 bits: $t' \le 2^{105}$, but NFS takes $2^{80}$;
- 2048 bits: $t' \le 2^{107}$, and NFS takes $2^{111}$: ok;
- 4096 bits: $t' \le 2^{109}$, and NFS takes $2^{149}$: ok.

$\Rightarrow$ RSA-FDH is provably secure for keys of at least 2048 bits.

51/77
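The arithmetic behind the three interpretation slides, as an added example that is not part of the slides: a small calculator for the total work an inverter of $f$ would need given the reduction's advantage loss and the running time of $B$, compared against the NFS figures the slides quote. The NFS table, the default adversary budget ($2^{75}$, $2^{55}$, $2^{30}$) and the cost model $T_f = k^3$ are taken from the slides; the function names are this example's own.

```python
import math

# NFS cost estimates as quoted on the slides, as log2 of operations (the best
# known attack on RSA, i.e. factoring n). Table constructed from the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def log2_inverter_work(loss, t, overhead_queries, Tf):
    """log2 of the total work to invert f with constant success probability:
    B's running time t + overhead_queries * Tf, repeated `loss` times to undo
    the advantage loss of the reduction."""
    return math.log2(loss * (t + overhead_queries * Tf))


def fdh_generic_bound(k, t=2**75, qh=2**55, qs=2**30):
    """Slides 48-50: loss (qh + qs + 1), B runs in time t + (qh + qs) * Tf,
    with Tf = k^3 for a k-bit modulus."""
    return log2_inverter_work(qh + qs + 1, t, qh + qs, k ** 3)


def fdh_coron_bound(k, t=2**75, qh=2**55, qs=2**30, Tf=None):
    """Slide 51 (Coron 2000): loss qs * e with e = 2.718..., B runs in time
    t + (qh + qs + 1) * Tf. Tf defaults to the same k^3 model as above; pass
    an explicit value to use another cost model for f."""
    Tf = k ** 3 if Tf is None else Tf
    return log2_inverter_work(qs * math.e, t, qh + qs + 1, Tf)


def compare_with_nfs(bound_fn):
    """Per key size: (log2 of the inverter's work derived from the forger,
    log2 of the NFS cost, whether the proof gives a guarantee, i.e. the
    derived inverter would beat the best known attack)."""
    table = {}
    for k, nfs in sorted(NFS_LOG2.items()):
        bound = bound_fn(k)
        table[k] = (round(bound, 1), nfs, bound <= nfs)
    return table


def provably_secure_sizes(bound_fn):
    """Key sizes from the NFS table for which the reduction actually rules
    out a feasible forger."""
    return [k for k, (_, _, ok) in compare_with_nfs(bound_fn).items() if ok]


if __name__ == "__main__":
    for name, fn in (("generic", fdh_generic_bound), ("Coron", fdh_coron_bound)):
        print(name, compare_with_nfs(fn), "->", provably_secure_sizes(fn))
```

With the slides' $T_f = k^3$ model the generic bound reproduces the slide exactly ($2^{140}$, $2^{143}$, $2^{146}$, so only 4096-bit keys are covered). The same model applied to Coron's bound gives about $2^{116}$, $2^{119}$ and $2^{122}$, which is higher than the $2^{105}$ to $2^{109}$ printed on the slide; those figures grow by only two bits per doubling of $k$, consistent with charging $f$ about $k^2$ (a small fixed exponent costs a few modular multiplications, not a full exponentiation), and that cheaper model is what brings 2048-bit keys within the NFS estimate. The practical lesson is that the key-size conclusion moves with both the cost model for $T_f$ and the NFS estimate used, so it should be recomputed for the parameters at hand rather than quoted.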

Security Notions: Encryption Schemes

Problem: secrecy (i.e. encryption).

The goal cannot be too strong: perfect secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext; in the public-key setting an unbounded adversary can recover a matching decryption key from the encryption key alone.

Goal: Indistinguishability (Semantic Security), informally:
Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

- Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can compute these himself, since he holds the encryption key).
- Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between the Challenger and the adversary $A$ is:

1. Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; $k_e$ is given to $A$.
2. $A$ may query the decryption oracle: $A$ sends $c$ and receives $m \leftarrow D_{k_d}(c)$, or $\bot$ if $c$ is invalid.
3. $A$ sends $(m_0, m_1)$ (same length) to the Challenger, which returns $c^* \leftarrow E_{k_e}(m_b)$.
4. CCA1: no further decryption queries. CCA2: $A$ may keep querying the decryption oracle on any $c \ne c^*$, receiving $m \leftarrow D_{k_d}(c)$ or $\bot$.
5. $A$ outputs a bit $b'$.

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(c^*) :\ b' = b\big]$$

(Indistinguishability against chosen-ciphertext attacks)

54/77

Security Notions: Security Notion for Encryption Schemes

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) \,:\, A(k_e, c) = m\big]$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough to get IND-CPA, nor IND-CCA.

So, how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.



f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$$

$$H : \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$$

E(m, r): compute x, y, then return $c = f(x \,\|\, y)$.

D(c): compute $x \,\|\, y = f^{-1}(c)$, invert OAEP, then check the redundancy.
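As an added worked example (not code from the slides), the following Python implements the f-OAEP transform above over a constructed toy RSA permutation, using the standard Bellare-Rogaway instantiation $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$ for the "compute x, y" step, and then plays the IND-CPA game from the earlier slides with the re-encryption adversary that breaks any deterministic scheme such as plain RSA. The primes, byte sizes and the SHAKE-based G and H are assumptions chosen only so the example runs offline.

```python
import hashlib
import os

# Constructed toy RSA permutation f(x) = x^e mod N. The two Mersenne primes are
# chosen only so the example runs offline instantly; real keys are far larger.
P = 2**31 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the trapdoor

# OAEP sizes in bytes, with n > k0 + k1 as on the slide: n = 112 bits,
# k0 = 32 bits of randomness, k1 = 16 bits of redundancy, 64-bit messages.
NBYTES, K0, K1 = 14, 4, 2
MSG_LEN = NBYTES - K0 - K1
assert NBYTES > K0 + K1 and 2 ** (8 * NBYTES) < N  # x||y must lie below N


def f(x):
    return pow(x, E, N)


def f_inv(c):
    return pow(c, D, N)


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0); SHAKE256 stands in for the random oracle."""
    return hashlib.shake_256(b"G" + r).digest(NBYTES - K0)


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.shake_256(b"H" + x).digest(K0)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def encrypt(m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly %d bytes" % MSG_LEN)
    r = os.urandom(K0) if r is None else r  # fresh coins make the scheme randomized
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))


def decrypt(c):
    """D(c): x || y = f^-1(c), invert OAEP, then check the k1 redundancy bytes.
    Returns the message, or None when the ciphertext is rejected."""
    xy_int = f_inv(c)
    if xy_int >= 2 ** (8 * NBYTES):  # not in the range of valid encodings
        return None
    xy = xy_int.to_bytes(NBYTES, "big")
    x, y = xy[:NBYTES - K0], xy[NBYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    if mz[MSG_LEN:] != bytes(K1):
        return None  # redundancy check failed: reject
    return mz[:MSG_LEN]


def textbook_rsa(m):
    """Plain RSA without padding: deterministic, hence the remark on the slide."""
    return f(int.from_bytes(m, "big"))


def reencrypt_guess(enc, c_star, m0, m1):
    """IND-CPA adversary: re-encrypt m0 and compare with the challenge c*.
    Wins against any deterministic scheme; blind against a randomized one."""
    return 0 if enc(m0) == c_star else 1


def success_probability(enc, m0, m1):
    """Pr[b' = b] of reencrypt_guess, averaged over the challenger's bit b."""
    wins = sum(reencrypt_guess(enc, enc([m0, m1][b]), m0, m1) == b for b in (0, 1))
    return wins / 2


if __name__ == "__main__":
    m = b"\x00" * MSG_LEN  # constructed 8-byte message
    c = encrypt(m)
    print(decrypt(c) == m)                                        # True
    print(decrypt((c + 1) % N))                                   # rejected (None), except with negligible probability
    print(success_probability(textbook_rsa, b"A" * 8, b"B" * 8))  # 1.0
    print(success_probability(encrypt, b"A" * 8, b"B" * 8))       # 0.5
```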


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2 \cdot t + q_H(2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H, q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

So inverting f can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).



Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking f = RSA are

at most $2^{75}$ operations (t)

at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
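The exact-security bookkeeping of this slide and the preceding RSA-OAEP one, as an added example (not from the slides): it evaluates both reductions' $t'$ bounds with the adversary resources quoted above and reports whether the inverter B would beat the NFS cost quoted for each modulus size, i.e. whether the reduction buys anything. The NFS costs and the resource figures are the slides' own; the function names are my own.

```python
import math

# Adversary resource figures quoted on the slides, assumed here as constants:
# t = 2^75 operations, qH = qG = 2^55 hash queries, qE = 2^55 ideal-cipher
# queries, and the NFS factoring cost quoted for each modulus size k.
T, QH, QG, QE = 2**75, 2**55, 2**55, 2**55
NFS_COST = {1024: 2**80, 2048: 2**111, 4096: 2**149}


def oaep_inverter_time(k, t=T, qh=QH, qg=QG):
    """t' = 2t + qH(2qG + qH)k^2: running time of the RSA inverter B built
    from an IND-CCA adversary against RSA-OAEP [Fujisaki-OPS 00]."""
    return 2 * t + qh * (2 * qg + qh) * k**2


def oaep_pp_inverter_time(k, t=T, qe=QE):
    """t' = t + qE k^2: the essentially linear OAEP++ reduction (Jonsson 2002)."""
    return t + qe * k**2


def reduction_is_meaningful(t_prime, k):
    """A reduction only buys security if inverting RSA in time t' would be
    faster than the best known attack; otherwise B could simply run NFS."""
    return t_prime < NFS_COST[k]


def security_table(inverter_time):
    """Per modulus size: (log2 t', log2 NFS cost, verdict), as tabulated on the slides."""
    return {
        k: (math.log2(inverter_time(k)), math.log2(NFS_COST[k]),
            reduction_is_meaningful(inverter_time(k), k))
        for k in sorted(NFS_COST)
    }


def min_secure_modulus(inverter_time):
    """Smallest tabulated modulus size for which the reduction is meaningful, or None."""
    for k in sorted(NFS_COST):
        if reduction_is_meaningful(inverter_time(k), k):
            return k
    return None


if __name__ == "__main__":
    for name, fn in (("RSA-OAEP", oaep_inverter_time), ("RSA-OAEP++", oaep_pp_inverter_time)):
        for k, (lg_t, lg_nfs, ok) in security_table(fn).items():
            print("%-10s %4d bits: t' ~ 2^%.1f, NFS 2^%d -> %s"
                  % (name, k, lg_t, lg_nfs, "ok" if ok else "no"))
        print("%s: reduction meaningful from %s-bit keys" % (name, min_secure_modulus(fn)))
```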


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.

Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multivariate Equations

Lattices

Part V

Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now: model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun ;-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987, 11-15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270-299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252. Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference - EUROCRYPT '97, pages 256-266, 1997.

                                                                                                                                  7677

                                                                                                                                  V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                  S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                  7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Exact Security: FDH Sigs & Game-based proofs (conclusion)

Combining the relations from the previous games:

$$
\mathrm{Adv}^{\mathrm{ow}}_{f}(B) = \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2]
\;\ge\; \frac{1}{q_H + q_S + 1}\,\Pr[S_1]
\;\ge\; \frac{1}{q_H + q_S + 1}\,\Pr[S_0]
\;=\; \frac{1}{q_H + q_S + 1}\,\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A)
$$

Game-playing proofs: in general, successive games can have different distributions, and these gaps are accounted for in the concrete security relation. See [Bellare-Rogaway 2004].


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using a trapdoor one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \;\le\; (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)
$$

where

A runs in time t, makes q_h queries to the hash function (modelled as a random oracle) and q_s signature queries;

T_f is the time to compute f (in the forward direction);

B runs in time t' = t + (q_h + q_s) · T_f.

How should we interpret this result?
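The adversary B of the theorem is a concrete algorithm, and seeing it run makes the (q_h + q_s + 1) loss tangible. The block below is an added example, not code from the slides: B receives an RSA challenge (n, e, y), runs a forger A, and answers A's random-oracle and signing queries itself, setting every hash value to f(r) for a known r (so it can sign) except one guessed query, which is set to y. B extracts the e-th root of y exactly when A's forgery lands on that guessed query. The toy key n = 61·53, e = 17, d = 2753 and the stand-in forger (which "cheats" with d so that its forgery always succeeds, purely to exercise B) are constructed for the demonstration.

```python
"""The reduction B behind the FDH theorem, as a runnable toy.

Added example, not the slides' code.  B is given (n, e, y) and must output
y^(1/e) mod n.  It simulates the EUF-CMA game for a forger A, programming
the random oracle H so that one of the q_h + q_s + 1 possible fresh queries
answers y; every other query answers f(r) = r^e for a known r.
Constructed toy RSA key: n = 61*53 = 3233, e = 17, d = 2753 (d is used only
by the stand-in forger, never by B)."""
import random

N, E, D = 3233, 17, 2753


class _Abort(Exception):
    """B must abort if asked to sign the message whose hash is the challenge."""


def reduction_B(forger, n, e, y, q_total, rng):
    """Run `forger` in a simulated EUF-CMA game with H programmed by B.
    Returns x with x^e = y (mod n), or None if B aborted or guessed wrong."""
    target = rng.randrange(q_total)   # guessed index of the fresh query that gets y
    table = {}                        # message -> (H(message), r or None)

    def H(m):
        if m not in table:
            if len(table) == target:
                table[m] = (y, None)                 # embed the challenge here
            else:
                r = rng.randrange(1, n)
                table[m] = (pow(r, e, n), r)         # H(m) = f(r), root known
        return table[m][0]

    def sign(m):
        H(m)
        _, r = table[m]
        if r is None:
            raise _Abort()       # no known root of y: B cannot sign, abort
        return r                 # r^e = H(m): a valid FDH signature

    try:
        m_star, sigma = forger(n, e, H, sign, rng)
    except _Abort:
        return None
    h_star = H(m_star)           # the forgery's hash counts as one more query
    if table[m_star][1] is not None or pow(sigma, e, n) != h_star:
        return None              # forgery on a non-target message, or invalid
    return sigma                 # sigma^e = H(m*) = y: the e-th root of y


def trapdoor_forger(n, e, H, sign, rng):
    """Stand-in forger that cheats with D so Adv^euf-cma(A) = 1.  It makes
    q_h = 4 hash queries and q_s = 1 signing query, then forges on one of the
    three unsigned messages.  Exists only to exercise B."""
    msgs = [b"alpha", b"beta", b"gamma", b"delta"]
    for m in msgs:
        H(m)
    sign(b"alpha")
    m_star = msgs[rng.randrange(1, len(msgs))]
    return m_star, pow(H(m_star), D, n)


def experiment(trials, seed=1):
    """Returns (success rate of B, True iff every output was a correct root).
    With q_h = 4, q_s = 1 the theorem bounds B's success from below by
    Adv(A) / (q_h + q_s + 1) = 1/6, which is what the experiment observes."""
    rng = random.Random(seed)
    q_total = 4 + 1 + 1
    wins, all_valid = 0, True
    for _ in range(trials):
        y = rng.randrange(1, N)
        x = reduction_B(trapdoor_forger, N, E, y, q_total, rng)
        if x is not None:
            wins += 1
            all_valid &= pow(x, E, N) == y
    return wins / trials, all_valid


if __name__ == "__main__":
    rate, ok = experiment(600)
    print("B succeeds in %.3f of runs (theorem: >= 1/6); all roots valid: %s" % (rate, ok))
```

The abort in sign() is the point of the guessing step: B cannot answer a signing query on the one message whose hash it did not choose, so the reduction only works when the forger never asks for that signature and then forges on exactly that message. The observed rate sits at the theorem's 1/(q_h + q_s + 1) bound because the stand-in forger succeeds with probability one.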


Full-Domain Hash: Interpreting the Result

Suppose the feasible resource bounds for any adversary are

at most 2^75 operations (t),

at most 2^55 hash queries (q_h), and

at most 2^30 signing queries (q_s).

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \;\le\; (q_h + q_s + 1)\cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B), \qquad t' = t + (q_h + q_s)\cdot T_f
$$

The result now says:

Interpreting the Result

If one can break the scheme in time t, then one can invert f within time

$$
t' \;\le\; (q_h + q_s + 1)\,\big(t + (q_h + q_s)\cdot T_f\big) \;\le\; 2^{130} + 2^{110}\cdot T_f
$$

(the advantage loss factor (q_h + q_s + 1) is charged as running time: B succeeds with at least 1/(q_h + q_s + 1) of A's probability, so repeating B that many times matches A's success probability).


Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time t' ≤ 2^130 + 2^110 · T_f.

Recall that T_f = O(k^3) operations, where k = |n| is the modulus size (and e is small).

We compare this with the known cost of inverting RSA, namely factoring n with the best known algorithm, the Number Field Sieve (NFS), for f = RSA:

  modulus      reduction gives t' <=   NFS takes
  1024 bits    2^140                   2^80      (no guarantee)
  2048 bits    2^143                   2^111     (no guarantee)
  4096 bits    2^146                   2^149     ok

The bound is only meaningful when t' is below the cost of the best attack on f: for 1024- and 2048-bit moduli the reduction yields an inverter slower than simply running NFS, so the theorem guarantees nothing; at 4096 bits it does.

⇒ RSA-FDH is secure for keys of at least 4096 bits.


Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$$
\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \;\le\; q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)
$$

where B runs in time t' = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h hash and q_s signing queries (here e ≈ 2.718 is Euler's number, not the RSA exponent). With the same feasible bounds as before, inverting f can then be done in time t' ≤ 2^30 · t + 2^85 · T_f, and

  modulus      reduction gives t' <=   NFS takes
  1024 bits    2^105                   2^80      (no guarantee)
  2048 bits    2^107                   2^111     ok
  4096 bits    2^109                   2^149     ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.


Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption).

The goal cannot be too strong: perfect secrecy is not achievable for public-key encryption, since the ciphertext (information-theoretically) reveals information about the plaintext; an unbounded adversary holding the public key can test which message the ciphertext can be an encryption of.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart the encryptions of two different messages of the same length, even if he chose the messages himself.


Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice (in the public-key setting he can compute these himself, since he holds the encryption key).

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge). This is the strongest attack.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between challenger and adversary is:

Challenger: b ←$ {0,1}; (k_e, k_d) ←$ K(·); sends k_e to the adversary.

Adversary (CCA1 phase): may submit any ciphertext c and receives m ← D_{k_d}(c), or ⊥ if c is invalid; then outputs two messages m_0, m_1 of the same length.

Challenger: c* ← E_{k_e}(m_b); sends c*.

Adversary (CCA2 phase): may submit any ciphertext c ≠ c* and receives m ← D_{k_d}(c) or ⊥; finally outputs a bit b'.

(In the CCA1 variant only the first phase of decryption queries is allowed; in CCA2 both phases are.)

$$
\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D}(k_e, c^*) \;:\; b' = b\,\big]
$$

As on the slide this is written as the probability that b' = b; since guessing already achieves 1/2, the usual advantage measures the distance from 1/2 (for instance 2·Pr[b' = b] − 1).

(Indistinguishability against chosen-ciphertext attacks)


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let m be a random message chosen from the message space M.

From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary A can win the above game with non-negligible probability.

Accordingly, we measure the advantage of A as

$$
\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\big[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) \;:\; A(k_e, c) = m \,\big]
$$


Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA ⇔ the RSA problem (computing modular e-th roots).
It is not IND-CPA, nor IND-CCA, since it is deterministic: the adversary re-encrypts m_0 and m_1 and compares with the challenge.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA ⇔ CDH (Computational Diffie-Hellman)
IND-CPA ⇔ DDH (Decisional Diffie-Hellman)
It is not IND-CCA because of multiplicativity (malleability): from an encryption of m one can build a different, valid encryption of a related message, which the decryption oracle will decrypt.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog: an algorithm for DLog solves CDH, and one for CDH solves DDH), so the DDH assumption is the strongest of the three.
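Both negative results above are one-line attacks once the IND game is written out. The block below is an added example, not code from the slides: it implements the challenger/adversary exchange of the IND-CCA slide as a function (with the c ≠ c* rule enforced), then runs two adversaries against toy instantiations: one that breaks IND-CPA of textbook RSA by re-encrypting m_0, and one that breaks IND-CCA2 of textbook ElGamal by asking the oracle to decrypt (c_1, c_2·g), which is a valid encryption of m_b·g. The group (p = 1019, q = 509, g = 4) and the RSA key (n = 3233, e = 17, d = 2753) are constructed toy values with no security.

```python
"""Why textbook RSA is not IND-CPA and textbook ElGamal is not IND-CCA2.

Added example, not from the slides.  ind_game() follows the exchange on the
IND-CCA slide; the two adversaries exploit exactly the properties the slides
name (determinism, multiplicativity).  All parameters are constructed toys."""
import secrets

# Toy ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 = 1019 (constructed).
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def eg_keygen():
    x = 1 + secrets.randbelow(Q - 1)
    return pow(G, x, P), x                        # (k_e = y = g^x, k_d = x)


def eg_enc(y, m):
    r = 1 + secrets.randbelow(Q - 1)
    return (pow(G, r, P), m * pow(y, r, P) % P)   # (g^r, m * y^r)


def eg_dec(x, c):
    c1, c2 = c
    return c2 * pow(c1, P - 1 - x, P) % P         # c2 / c1^x


# Toy textbook RSA, key constructed from p = 61, q = 53.
def rsa_keygen():
    return (3233, 17), (3233, 2753)               # (k_e = (n, e), k_d = (n, d))


def rsa_enc(ke, m):
    n, e = ke
    return pow(m, e, n)


def rsa_dec(kd, c):
    n, d = kd
    return pow(c, d, n)


ELGAMAL = dict(keygen=eg_keygen, enc=eg_enc, dec=eg_dec)
RSA = dict(keygen=rsa_keygen, enc=rsa_enc, dec=rsa_dec)


class ChallengeQueried(Exception):
    """The adversary asked the oracle to decrypt c* itself (forbidden)."""


def ind_game(scheme, adversary, cca2):
    """One run of IND-CPA (cca2=False) or IND-CCA2 (cca2=True).
    Returns True iff the adversary's guess b' equals the hidden bit b."""
    ke, kd = scheme["keygen"]()
    b = secrets.randbelow(2)
    m0, m1 = adversary.choose(ke)
    c_star = scheme["enc"](ke, (m0, m1)[b])

    def dec_oracle(c):
        if not cca2:
            raise PermissionError("no decryption oracle in the CPA game")
        if c == c_star:
            raise ChallengeQueried("decrypting the challenge is not allowed")
        return scheme["dec"](kd, c)

    return adversary.guess(ke, c_star, dec_oracle) == b


class RsaCpaAdversary:
    """Deterministic scheme: re-encrypt m0 and compare with c*."""
    def choose(self, ke):
        self.m0, self.m1 = 2, 3
        return self.m0, self.m1

    def guess(self, ke, c_star, dec_oracle):
        return 0 if rsa_enc(ke, self.m0) == c_star else 1


class ElGamalCca2Adversary:
    """Malleability: (c1, c2*g) != c* decrypts to m_b * g; divide by g."""
    def choose(self, ke):
        self.m0, self.m1 = pow(G, 5, P), pow(G, 9, P)   # two subgroup elements
        return self.m0, self.m1

    def guess(self, ke, c_star, dec_oracle):
        c1, c2 = c_star
        m_times_g = dec_oracle((c1, c2 * G % P))        # allowed: differs from c*
        m = m_times_g * pow(G, P - 2, P) % P            # multiply by g^-1
        return 0 if m == self.m0 else 1


def win_rate(scheme, adversary, cca2, trials=200):
    return sum(ind_game(scheme, adversary, cca2) for _ in range(trials)) / trials


def challenge_query_is_refused():
    """The rule c != c*: an adversary submitting c* itself gets an error."""
    class Cheater:
        def choose(self, ke):
            return pow(G, 1, P), pow(G, 2, P)

        def guess(self, ke, c_star, dec_oracle):
            dec_oracle(c_star)
            return 0
    try:
        ind_game(ELGAMAL, Cheater(), cca2=True)
    except ChallengeQueried:
        return True
    return False


if __name__ == "__main__":
    print("RSA, IND-CPA adversary win rate:", win_rate(RSA, RsaCpaAdversary(), cca2=False))
    print("ElGamal, IND-CCA2 adversary win rate:", win_rate(ELGAMAL, ElGamalCca2Adversary(), cca2=True))
    print("oracle refuses c*:", challenge_query_is_refused())
```

Both adversaries win every run, i.e. their advantage is 1 rather than the negligible value the notions demand. Note that the ElGamal attack needs the decryption oracle: without it (cca2=False) the same adversary gets a PermissionError, which is consistent with ElGamal being IND-CPA under DDH.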


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function yields a OW-CPA encryption scheme (encrypt by applying f to the message).

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): Compute x, y, then return $c = f(x \| y)$.

D(c): Compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.
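The step the slide abbreviates as "compute x, y", written out as an added example (not code from the slides or from the Bellare-Rogaway paper): it uses the standard OAEP encoding $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$, a toy textbook-RSA instance as the stand-in for the trapdoor permutation f, and domain-separated SHA-256 for G and H. All parameters, the key and the sample plaintext are constructed for illustration only.

```python
import hashlib
import os

# Toy f-OAEP instance, constructed for this example (far too small for real use).
# Bit lengths satisfy n > k0 + k1, as on the slide.
N_BITS, K0_BITS, K1_BITS = 144, 32, 32
assert N_BITS > K0_BITS + K1_BITS
N_BYTES, K0_BYTES, K1_BYTES = N_BITS // 8, K0_BITS // 8, K1_BITS // 8
MSG_BYTES = N_BYTES - K0_BYTES - K1_BYTES      # 10-byte messages

# Stand-in for the trapdoor one-way permutation f: textbook RSA with two
# Mersenne primes (a deliberately weak, illustrative key, NOT a real one).
P, Q = 2**61 - 1, 2**89 - 1
RSA_N = P * Q                                  # ~150-bit modulus, so 2**N_BITS < RSA_N
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (P - 1) * (Q - 1))


def f(x):
    """Forward direction: anyone holding the public key can evaluate f."""
    return pow(int.from_bytes(x, "big"), RSA_E, RSA_N)


def f_inv(c):
    """Trapdoor direction; None if the preimage is not an n-bit string."""
    v = pow(c, RSA_D, RSA_N)
    if v >= 2**N_BITS:
        return None
    return v.to_bytes(N_BYTES, "big")


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), modelled here by a domain-separated SHA-256."""
    return hashlib.sha256(b"G|" + r).digest()[: N_BYTES - K0_BYTES]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"H|" + x).digest()[:K0_BYTES]


def xor(a, b):
    assert len(a) == len(b)
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m, r):
    """Bellare-Rogaway OAEP: x = (m || 0^k1) xor G(r), y = r xor H(x)."""
    assert len(m) == MSG_BYTES and len(r) == K0_BYTES
    x = xor(m + bytes(K1_BYTES), G(r))
    y = xor(r, H(x))
    return x, y


def oaep_unpad(x, y):
    """Invert OAEP and check the k1-bit zero redundancy; None means reject."""
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MSG_BYTES], padded[MSG_BYTES:]
    if redundancy != bytes(K1_BYTES):
        return None
    return m


def encrypt(m, r=None):
    """E(m, r): compute x, y, then return c = f(x || y)."""
    if r is None:
        r = os.urandom(K0_BYTES)
    x, y = oaep_pad(m, r)
    return f(x + y)


def decrypt(c):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy.
    Every failure (out-of-range preimage or bad redundancy) is reported the
    same way, so the decryptor does not reveal which check failed."""
    xy = f_inv(c)
    if xy is None:
        return None
    return oaep_unpad(xy[: N_BYTES - K0_BYTES], xy[N_BYTES - K0_BYTES:])


def tamper_is_rejected(c):
    """Flip the low bit of a ciphertext: the redundancy check should reject it."""
    return decrypt(c ^ 1) is None


if __name__ == "__main__":
    msg = b"ten bytes!"                        # constructed sample plaintext
    c = encrypt(msg)
    print("decrypts correctly:", decrypt(c) == msg)
    print("tampered ciphertext rejected:", tamper_is_rejected(c))
```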


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size, and e is small.

Solving (inverting f) can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits. Not tight.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most $2^{75}$ operations (t),

at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
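The "exact security" arithmetic of this slide and of the RSA-OAEP slide before it, as an added example (not from the slides): it evaluates both reduction bounds for the adversary resources assumed above, compares the resulting inverter time $t'$ with the NFS costs quoted on the slides, and reports the smallest modulus each proof actually covers. The NFS figures and the resource bounds are the slides' own; the function names and the dictionary layout are mine.

```python
import math

# Cost of inverting RSA via the Number Field Sieve (log2 of operations), for the
# three modulus sizes compared on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the slides: 2^75 operations and
# 2^55 queries to each oracle (H, G, and the ideal cipher E).
T_ADV = 2**75
Q_ORACLE = 2**55


def rsa_oaep_inverter_time(t, q_h, q_g, k):
    """[Fujisaki-OPS 00] reduction for RSA-OAEP: t' = 2t + q_H (2 q_G + q_H) k^2."""
    return 2 * t + q_h * (2 * q_g + q_h) * k**2


def rsa_oaep_pp_inverter_time(t, q_e, k):
    """Jonsson (2002) reduction for OAEP++: t' = t + q_E k^2 (linear, no squaring)."""
    return t + q_e * k**2


def rsa_oaep_advantage_bound(adv_rsa):
    """Square-root loss of the RSA-OAEP bound: Adv_ind-cca(A) <= 2 * sqrt(Adv_rsa(B))."""
    return 2 * math.sqrt(adv_rsa)


def proof_is_meaningful(t_prime, k):
    """The reduction only rules out the adversary if B beats the best known
    attack, i.e. its running time t' is below the NFS cost for a k-bit modulus."""
    return math.log2(t_prime) < NFS_LOG2[k]


def evaluate(scheme, k, t=T_ADV, q=Q_ORACLE):
    """Instantiate one reduction bound for modulus size k and judge it against NFS."""
    if scheme == "RSA-OAEP":
        t_prime = rsa_oaep_inverter_time(t, q, q, k)
    elif scheme == "RSA-OAEP++":
        t_prime = rsa_oaep_pp_inverter_time(t, q, k)
    else:
        raise ValueError(scheme)
    return {
        "k": k,
        "log2_t_prime": round(math.log2(t_prime), 2),
        "log2_nfs": NFS_LOG2[k],
        "meaningful": proof_is_meaningful(t_prime, k),
    }


def smallest_covered_key(scheme):
    """Smallest modulus size for which the proof covers the assumed adversary, or None."""
    for k in sorted(NFS_LOG2):
        if evaluate(scheme, k)["meaningful"]:
            return k
    return None


if __name__ == "__main__":
    for scheme in ("RSA-OAEP", "RSA-OAEP++"):
        for k in sorted(NFS_LOG2):
            print(scheme, evaluate(scheme, k))
        print(scheme, "is covered by its proof from", smallest_covered_key(scheme), "bits")
```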


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now? Model, attacks, remodel... Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security (cont)

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).


                                                                                                                                    Part VI

                                                                                                                                    References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252. Springer, Berlin – Heidelberg – New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

                                                                                                                                    • Introduction to Provable Security
                                                                                                                                    • Introduction
                                                                                                                                      • Introduction to Cryptography
                                                                                                                                        • What Cryptography is about
                                                                                                                                        • Classic Goals
                                                                                                                                            • Provable Security
                                                                                                                                              • Provable Security
                                                                                                                                                • Provably Security The Short Story
                                                                                                                                                • The need for Provable Security
                                                                                                                                                    • Reductions
                                                                                                                                                    • Security Notions
                                                                                                                                                      • Security Notions
                                                                                                                                                        • Security Notion for Signature Schemes
                                                                                                                                                        • Security Notion for Encryption Schemes
                                                                                                                                                            • Concluding Remarks
                                                                                                                                                              • Concluding Remarks
                                                                                                                                                                • References


Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation f (for example f = RSA). For each adversary A there exists an adversary B such that

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_f(B)$

where

A runs in time t, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,

$T_f$ is the time to compute f (in the forward direction),

B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

                                                                                                                                      4877


Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are
  at most $2^{75}$ operations (t),
  at most $2^{55}$ hash queries ($q_h$), and
  at most $2^{30}$ signing queries ($q_s$).

Recall $Adv^{\text{euf-cma}}_{FDH}(A) \le (q_h + q_s + 1) \cdot Adv^{\text{ow}}_f(B)$, where B runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result
If one can break the scheme with time t, then one can invert f within time
  $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time
  $t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if k = |n| and e is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:
  1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$
  2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$
  4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok
⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

  $Adv^{\text{euf-cma}}_{FDH}(A) \le q_s \cdot e \cdot Adv^{\text{ow}}_f(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries (here e is Euler's number, not the RSA exponent). So inverting f can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and
  1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
  2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
  4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok
⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong:
  Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
  Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

  Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
  Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game (drawn on the slide as an exchange between Challenger and Adversary) is:

  Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; sends $k_e$ to the Adversary.
  Adversary (CCA1 phase): queries any ciphertext c and receives m or ⊥, where $m \leftarrow D_{k_d}(c)$.
  Adversary: sends $(m_0, m_1)$.
  Challenger: $c^* \leftarrow E_{k_e}(m_b)$; sends $c^*$.
  Adversary (CCA2 phase): queries any ciphertext $c \ne c^*$ and receives m or ⊥, where $m \leftarrow D_{k_d}(c)$.
  Adversary: outputs $b'$.

  $Adv^{\text{ind-cca}}_{AS}(A) = \Pr[\,(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b)\ :\ b' = b\,]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:
  Let m be a random message chosen from the message space M.
  From the ciphertext $c = E_{k_e}(m)$, adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as

  $Adv^{\text{ow-cpa}}_{AS}(A) = \Pr[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
  OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:
  Any trapdoor one-way function may yield a OW-CPA encryption scheme.
  OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, $k_0$, $k_1$ integers such that $n > k_0 + k_1$, with
  $G: \{0,1\}^{k_0} \to \{0,1\}^{n - k_0}$
  $H: \{0,1\}^{n - k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y (the OAEP padding of m with the random r, shown on the slide as a diagram), then return $c = f(x \| y)$.
D(c): compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
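As an added example (not from the slides), f-OAEP written out end to end: the slide leaves x and y to a diagram, so the code uses the Bellare-Rogaway definitions x = (m || 0^k1) xor G(r), y = r xor H(x), with G and H built from SHA-256 as random-oracle stand-ins and f a constructed, toy-sized RSA permutation; the last function exercises the redundancy check that makes the decryptor answer ⊥ on tampered ciphertexts, which is the behaviour a CCA decryption oracle relies on.

```python
import hashlib
import secrets
from typing import Optional

# Toy trapdoor permutation f = RSA. The modulus is built from two well-known
# Mersenne primes so the example is self-contained; these constructed parameters
# are far too small to be secure and only serve to exercise the OAEP structure.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q                          # about 2^92
E = 65537                          # coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))  # the trapdoor

# OAEP parameters in the slide's notation: n > k0 + k1; messages have n-k0-k1 bits.
# n is one bit below |N| so that every n-bit string x||y is a valid input to f.
n, k0, k1 = N.bit_length() - 1, 16, 16
MSG_BITS = n - k0 - k1             # 59 bits with the parameters above


def _oracle(label: bytes, value: int, in_bits: int, out_bits: int) -> int:
    """Random-oracle stand-in: SHA-256 over (label || value), truncated to out_bits."""
    data = label + value.to_bytes((in_bits + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << out_bits) - 1)


def G(r: int) -> int:
    """G: {0,1}^k0 -> {0,1}^(n-k0)"""
    return _oracle(b"G", r, k0, n - k0)


def H(x: int) -> int:
    """H: {0,1}^(n-k0) -> {0,1}^k0"""
    return _oracle(b"H", x, n - k0, k0)


def f(z: int) -> int:
    """Forward direction of the trapdoor permutation (public key only)."""
    return pow(z, E, N)


def f_inv(c: int) -> int:
    """Trapdoor direction (private key)."""
    return pow(c, D, N)


def oaep_encrypt(m: int, r: Optional[int] = None) -> int:
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), return c = f(x || y)."""
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message does not fit the OAEP message space")
    if r is None:
        r = secrets.randbits(k0)
    x = (m << k1) ^ G(r)           # n-k0 bits: message, k1 zero bits, masked by G(r)
    y = r ^ H(x)                   # k0 bits: the seed masked by H(x)
    return f((x << k0) | y)


def oaep_decrypt(c: int) -> Optional[int]:
    """D(c): x||y = f^{-1}(c), invert the padding, check the redundancy. None stands for ⊥."""
    if not 0 <= c < N:
        return None
    z = f_inv(c)
    if z >= (1 << n):              # x||y must be an n-bit string
        return None
    x, y = z >> k0, z & ((1 << k0) - 1)
    r = y ^ H(x)
    padded = x ^ G(r)
    if padded & ((1 << k1) - 1) != 0:   # redundancy check: the k1 low bits must all be 0
        return None                # reject: this is the ⊥ a decryption oracle returns
    return padded >> k1


def count_rejections(c: int, flips: int) -> int:
    """Flip each of the `flips` lowest bits of c in turn (queries c' != c*) and
    count how many of the modified ciphertexts the decryptor rejects."""
    return sum(oaep_decrypt(c ^ (1 << i)) is None for i in range(flips))


if __name__ == "__main__":
    m = 0x123456789AB                       # constructed sample message (41 bits)
    c = oaep_encrypt(m)
    print("roundtrip ok:", oaep_decrypt(c) == m)
    print("rejected tampered ciphertexts:", count_rejections(c, 16), "of 16")
```

With k1 = 16 a random tampered ciphertext survives the redundancy check with probability about 2^-16, so essentially every flipped ciphertext is rejected.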

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

  $Adv^{\text{ind-cca}}_{RSA\text{-}OAEP}(A) \le 2 \cdot \sqrt{Adv^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H$, $q_G$ queries to the oracles H and G respectively, k is the modulus size, and e is small.

So inverting f can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$, and
  1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
  2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
  4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok
⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound: the relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are
  at most $2^{75}$ operations (t),
  at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and
  1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
  2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
  4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok
⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now: model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed,

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes, David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography, Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security, Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com (11764, received 18 Mar 2002).

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
• Introduction
  • Introduction to Cryptography
    • What Cryptography is about
    • Classic Goals
• Provable Security
  • Provable Security
    • Provable Security: The Short Story
    • The need for Provable Security
• Reductions
• Security Notions
  • Security Notions
    • Security Notion for Signature Schemes
    • Security Notion for Encryption Schemes
• Concluding Remarks
  • Concluding Remarks
    • References

Interpreting Exact Security: FDH Signatures

Let's go back to our first result.

Theorem (FDH is EUF-CMA)

Let FDH be the FDH signature scheme using one-way permutation $f$ (for example $f$ = RSA). For each adversary $A$ there exists an adversary $B$ such that

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where

$A$ runs in time $t$, makes $q_h$ queries to the hash function (RO) and $q_s$ signature queries,

$T_f$ is the time to compute $f$ (in the forward direction),

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

How should we interpret this result?

48/77

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

$B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time $t' \le (q_h + q_s + 1)\,(t + (q_h + q_s) \cdot T_f) \le 2^{130} + 2^{110} \cdot T_f$.

49/77

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare it with known bounds on inverting RSA, namely factoring using the best known inverting algorithm for $f$ = RSA, the Number Field Sieve (NFS):

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

50/77
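The "interpretation" step above is just arithmetic on the reduction, but it is the step practitioners most often skip. The following Python calculator (an added example, not part of the slides) carries it through for the two reductions the slides quantify: the generic FDH bound $t' \le (q_h + q_s + 1)(t + (q_h + q_s) \cdot T_f)$ with $T_f = k^3$ from this slide, and the f-OAEP++ bound $t' \le t + q_E \cdot k^2$ from the earlier slide. It assumes the slides' feasible-adversary bounds ($2^{75}$, $2^{55}$, $2^{30}$) and uses the NFS costs quoted on the slides ($2^{80}$, $2^{111}$, $2^{149}$) as a lookup table rather than computing them. A reduction is only meaningful at key size $k$ when the inverter it produces would beat the NFS; otherwise the proof says nothing at that size.

```python
"""Exact-security calculator for the FDH and f-OAEP++ reductions on these slides.

Added example, not from the original slides. It plugs the slides' feasible
adversary bounds into each reduction and compares the resulting inverter time
t' with the NFS cost the slides quote for the same modulus size.
"""
import math
from typing import Callable, Optional

# Feasible-adversary bounds from the slides, as log2 values.
LOG2_T = 75    # adversary running time t
LOG2_QH = 55   # hash / random-oracle queries q_h (and q_H, q_G, q_E on the OAEP++ slide)
LOG2_QS = 30   # signing queries q_s

# NFS cost to factor a k-bit RSA modulus, log2, as quoted on the slides
# (a lookup table, not a computation of the L(1/3) formula).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def fdh_generic_inverter_log2(k: int) -> float:
    """log2 of t' for the generic FDH reduction:
    t' <= (q_h + q_s + 1) * (t + (q_h + q_s) * T_f), with T_f = k^3
    (the slide's estimate for one forward RSA evaluation with small e)."""
    t, qh, qs = 2 ** LOG2_T, 2 ** LOG2_QH, 2 ** LOG2_QS
    t_f = k ** 3
    t_prime = (qh + qs + 1) * (t + (qh + qs) * t_f)   # exact integer arithmetic
    return math.log2(t_prime)


def oaep_pp_inverter_log2(k: int) -> float:
    """log2 of t' for the f-OAEP++ reduction: t' <= t + q_E * k^2."""
    t, q_e = 2 ** LOG2_T, 2 ** LOG2_QH
    return math.log2(t + q_e * k ** 2)


def reduction_is_meaningful(k: int, inverter_log2: Callable[[int], float]) -> bool:
    """True when breaking the scheme at key size k would yield an RSA inverter
    faster than the NFS, i.e. when the proof actually rules out an attack."""
    return inverter_log2(k) < NFS_LOG2[k]


def minimum_secure_key_size(inverter_log2: Callable[[int], float]) -> Optional[int]:
    """Smallest key size on the slides for which the reduction is meaningful."""
    for k in sorted(NFS_LOG2):
        if reduction_is_meaningful(k, inverter_log2):
            return k
    return None


if __name__ == "__main__":
    for name, fn in (("RSA-FDH (generic)", fdh_generic_inverter_log2),
                     ("RSA-OAEP++", oaep_pp_inverter_log2)):
        for k in sorted(NFS_LOG2):
            verdict = "ok" if reduction_is_meaningful(k, fn) else "vacuous"
            print(f"{name:18s} k={k}: t' <= 2^{fn(k):.2f}, NFS 2^{NFS_LOG2[k]} -> {verdict}")
        print(f"{name}: meaningful from {minimum_secure_key_size(fn)} bits")
```

The output reproduces the slides' verdicts: the generic FDH reduction only becomes meaningful at 4096 bits, while the tighter OAEP++ reduction is meaningful already at 1024 bits. Changing a single assumption (say, allowing $2^{60}$ hash queries) and re-running shows how sensitive these conclusions are to the feasible-adversary bounds, which is exactly why exact security has to be interpreted, not just proved.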

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. So inverting $f$ can be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem

Secrecy (i.e. encryption).

Goal cannot be too strong:

Perfect Secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informal

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, the game is played between a challenger and an adversary $A$:

Challenger: $b \xleftarrow{\$} \{0,1\}$; $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; $k_e$ is given to $A$.

CCA1 phase: $A$ may query the decryption oracle on any $c$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\perp$.

Challenge: $A$ sends $m_0, m_1$; the challenger computes $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$ and returns $c^*$.

CCA2 phase: $A$ may query the decryption oracle on any $c \neq c^*$ and receives $m \leftarrow \mathcal{D}_{k_d}(c)$, or $\perp$.

Finally, $A$ outputs a bit $b'$.

$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\big[(m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e);\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) : b' = b\big]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable probability. Accordingly, we measure the advantage of $A$ as

$\mathbf{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} \mathcal{M};\ c \leftarrow \mathcal{E}_{k_e}(m) : A(k_e, c) = m\big]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
OW-CPA = RSA (modular e-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77
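The IND-CCA game of slide 54 and the "textbook RSA is deterministic, hence not even IND-CPA" remark above, written out as an added example (not code from the slides). The scheme interface mirrors AS = (K, E, D); the RSA parameters (p = 61, q = 53, e = 17) are a constructed toy modulus chosen only so the game runs instantly, and the re-encrypting adversary is the standard one for any deterministic scheme.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Scheme:
    """AS = (K, E, D) from the slides, as plain callables."""
    keygen: Callable[[], Tuple[object, object]]
    enc: Callable[[object, int], int]
    dec: Callable[[object, int], Optional[int]]


# Textbook RSA on a constructed 12-bit toy modulus (p=61, q=53, e=17): far too
# small to be secure, chosen only so the game below runs instantly and is readable.
def rsa_keygen():
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (k_e, k_d)


def rsa_enc(ke, m):
    n, e = ke
    return pow(m, e, n)            # deterministic: equal messages give equal ciphertexts


def rsa_dec(kd, c):
    n, d = kd
    return pow(c, d, n)


TEXTBOOK_RSA = Scheme(rsa_keygen, rsa_enc, rsa_dec)


class DecryptionOracle:
    """D_kd as an adaptive oracle. Before the challenge exists (CCA1 phase) it
    answers everything; once c* is set (CCA2 phase) it answers ⊥ for c == c*."""

    def __init__(self, scheme, kd):
        self._scheme, self._kd = scheme, kd
        self.challenge = None
        self.queries = 0

    def __call__(self, c):
        self.queries += 1
        if self.challenge is not None and c == self.challenge:
            return None            # ⊥
        return self._scheme.dec(self._kd, c)


def ind_cca_game(scheme, adversary):
    """One run of the IND-CCA2 game of the slide; returns True iff b' == b."""
    b = secrets.randbelow(2)                       # b <-$ {0,1}
    ke, kd = scheme.keygen()                       # (k_e, k_d) <-$ K
    oracle = DecryptionOracle(scheme, kd)
    m0, m1, state = adversary.choose(ke, oracle)   # CCA1 phase, then (m0, m1)
    c_star = scheme.enc(ke, (m0, m1)[b])           # c* <- E_ke(m_b)
    oracle.challenge = c_star                      # CCA2 phase: c* is off limits
    b_prime = adversary.guess(ke, oracle, c_star, state)
    return b_prime == b


def estimate_advantage(scheme, adversary, trials=200):
    """Empirical Adv^ind-cca(A) = Pr[b' = b], as the slide defines it
    (so a guessing adversary sits near 1/2 and a perfect one at 1)."""
    wins = sum(ind_cca_game(scheme, adversary) for _ in range(trials))
    return wins / trials


class ReencryptAdversary:
    """Wins against any deterministic scheme: it re-encrypts m0 under the public
    key and compares with c*. It never touches the decryption oracle, so this is
    already an IND-CPA break, which is the slide's point about textbook RSA."""

    def __init__(self, scheme):
        self._scheme = scheme

    def choose(self, ke, oracle):
        return 2, 3, None          # any two distinct valid messages

    def guess(self, ke, oracle, c_star, state):
        return 0 if self._scheme.enc(ke, 2) == c_star else 1
```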

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough to get IND-CPA, nor IND-CCA.

So, how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.

57/77


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \| y)$.

$\mathcal{D}(c)$: compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
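The OAEP encode and decode steps of this slide, written out as an added example (not the slides' or the cited paper's code). The slide leaves "compute x, y" unstated; the standard Bellare-Rogaway definition is used: x = (m || 0^{k1}) ⊕ G(r), y = r ⊕ H(x). G and H are instantiated from SHA-256 and f by a placeholder XOR permutation, both constructed assumptions; the point shown is that the k1 redundancy bits make D return ⊥ on a tampered ciphertext.

```python
import hashlib
import secrets
from typing import Callable, Optional

# Constructed parameters (bits): n > k0 + k1; the message carries n - k0 - k1 bits.
N_BITS, K0_BITS, K1_BITS = 256, 128, 64
N, K0, K1 = N_BITS // 8, K0_BITS // 8, K1_BITS // 8
MSG_LEN = N - K0 - K1                           # 8 bytes of message


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), instantiated with SHA-256 (assumption)."""
    assert len(r) == K0
    return hashlib.sha256(b"OAEP-G" + r).digest()[:N - K0]


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0, instantiated with SHA-256 (assumption)."""
    assert len(x) == N - K0
    return hashlib.sha256(b"OAEP-H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """Computes x || y, the n-bit string the trapdoor permutation f is applied to."""
    if len(m) != MSG_LEN or len(r) != K0:
        raise ValueError("message must be %d bytes, r must be %d bytes" % (MSG_LEN, K0))
    x = xor(m + bytes(K1), G(r))   # m padded with k1 zero bits, masked by G(r)
    y = xor(r, H(x))               # r masked by H(x)
    return x + y


def oaep_unpad(xy: bytes) -> Optional[bytes]:
    """Inverts the pad and checks the redundancy; None plays the role of ⊥."""
    x, y = xy[:N - K0], xy[N - K0:]
    r = xor(y, H(x))
    m_z = xor(x, G(r))
    m, z = m_z[:MSG_LEN], m_z[MSG_LEN:]
    return m if z == bytes(K1) else None


def encrypt(f: Callable[[bytes], bytes], m: bytes, r: Optional[bytes] = None) -> bytes:
    """E(m, r): fresh r <-$ {0,1}^k0 unless supplied, then c = f(x || y)."""
    r = secrets.token_bytes(K0) if r is None else r
    return f(oaep_pad(m, r))


def decrypt(f_inv: Callable[[bytes], bytes], c: bytes) -> Optional[bytes]:
    """D(c): x || y = f^{-1}(c), invert OAEP, check the redundancy."""
    return oaep_unpad(f_inv(c))


# Placeholder for f: XOR with a fixed key is a permutation of {0,1}^n but is NOT
# one-way. It exists only so the padding logic runs stand-alone; a real
# instantiation would be RSA with a modulus matching the n-bit input.
_TOY_KEY = hashlib.sha256(b"constructed toy permutation key").digest()   # 32 bytes = N


def toy_f(xy: bytes) -> bytes:
    return xor(xy, _TOY_KEY)


toy_f_inv = toy_f                  # XOR with a fixed key is its own inverse


def tamper_is_rejected(m: bytes) -> bool:
    """Flipping one ciphertext bit changes x, hence H(x), hence the recovered r
    and G(r); the k1 redundancy bits then come out non-zero and D returns ⊥."""
    c = encrypt(toy_f, m)
    c_bad = bytes([c[0] ^ 0x01]) + c[1:]
    return decrypt(toy_f_inv, c) == m and decrypt(toy_f_inv, c_bad) is None
```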

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathbf{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H, q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Solving (inverting $f$) can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher $E$ as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage bound: the relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f$ = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f$ = RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H, q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
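The "t' versus NFS" arithmetic of the RSA-OAEP and RSA-OAEP++ slides, recomputed as an added example (not the slides' own code). It takes the two reduction bounds, the adversary budget (2^75 operations, 2^55 queries) and the NFS costs exactly as the slides state them; a key size gets the verdict "ok" only when the RSA inverter the reduction builds would be faster than NFS, which is the exact-security test the slides apply.

```python
from math import log2

# Feasible-adversary budget as stated on the slides.
T_ADV = 2 ** 75                     # running time t
Q_H = Q_G = Q_E = 2 ** 55           # hash (H, G) and ideal-cipher (E) queries

# log2 of the time NFS needs to factor a k-bit modulus, as quoted on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def oaep_inverter_time(k_bits, t=T_ADV, q_h=Q_H, q_g=Q_G):
    """t' = 2t + qH(2qG + qH)k^2, the RSA-OAEP reduction as stated on the slide."""
    return 2 * t + q_h * (2 * q_g + q_h) * k_bits ** 2


def oaep_pp_inverter_time(k_bits, t=T_ADV, q_e=Q_E):
    """t' = t + qE k^2, the RSA-OAEP++ reduction as stated on the slide."""
    return t + q_e * k_bits ** 2


def reduction_is_meaningful(t_prime, k_bits):
    """The reduction only says something if the inverter it builds beats the
    best known generic attack: t' must be below the NFS cost for k-bit moduli."""
    return t_prime < 2 ** NFS_LOG2[k_bits]


def security_table(inverter_time):
    """Maps key size -> (log2 t', log2 NFS, verdict) for the slides' key sizes."""
    table = {}
    for k in sorted(NFS_LOG2):
        t_prime = inverter_time(k)          # exact big-int arithmetic
        verdict = "ok" if reduction_is_meaningful(t_prime, k) else "no"
        table[k] = (round(log2(t_prime), 1), NFS_LOG2[k], verdict)
    return table


def minimum_secure_key(inverter_time):
    """Smallest key size among the slides' choices for which the reduction is
    meaningful, or None if none qualifies."""
    for k, (_, _, verdict) in sorted(security_table(inverter_time).items()):
        if verdict == "ok":
            return k
    return None
```

The computed log2 t' values land a little below the slides' rounded upper bounds (about 2^131.6 versus 2^133 for RSA-OAEP at 1024 bits), but the verdicts match the slides: RSA-OAEP needs 4096-bit keys, RSA-OAEP++ is fine from 1024 bits.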

Revisiting the Assumptions

Classical assumptions:

Integer factoring

Discrete logarithm (in finite fields and in elliptic curves)

Modular roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys if in finite fields, and they are all subject to quantum attacks.

Alternatives: post-quantum cryptography

Error-correcting codes

Hash-based schemes

Systems of multivariate equations

Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

                                                                                                                                        T ElGamalA public key cryptosystem and signature scheme based ondiscrete logarithmsIEEE Transactions on Information Theory 31469ndash472 1985

                                                                                                                                        7177

                                                                                                                                        A Fiat and A ShamirHow to prove yourself Practical solutions to identification andsignature problemsIn A M Odlyzko editor Advances inCryptologymdashCRYPTO rsquo86 volume 263 of Lecture Notes inComputer Science pages 186ndash194 Springer-Verlag 198711ndash15 Aug 1986

                                                                                                                                        Fujisaki Okamoto Pointcheval and SternRSA-OAEP is secure under the RSA assumptionJournal of Cryptology 17 2004

                                                                                                                                        E Fujisaki T Okamoto D Pointcheval and J SternRSA-OAEP is still aliveReport 2000061 Cryptology ePrint Archive Nov 2000

                                                                                                                                        7277

                                                                                                                                        S Goldwasser and S MicaliProbabilistic encryptionJournal of Computer and System Science 28270ndash299 1984

                                                                                                                                        S Goldwasser S Micali and R RivestA digital signature scheme secure against adaptivechosen-message attacksSiam Journal of Computing 17(2)281ndash308 Apr 1988

                                                                                                                                        T Holenstein R Kunzler and S TessaroThe equivalence of the random oracle model and the idealcipher model revisitedIn Proceedings of the 43rd annual ACM symposium on Theoryof computing pages 89ndash98 ACM 2011

                                                                                                                                        7377

                                                                                                                                        J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                                                                                                                        A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                                                                                                                        V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                                                                                                                        7477

                                                                                                                                        P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                                                        K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                        D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                        7577

                                                                                                                                        R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                        C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                        V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                        7677

                                                                                                                                        V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                        S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                        7777

• Introduction to Provable Security
• Introduction
  • Introduction to Cryptography
    • What Cryptography is about
    • Classic Goals
• Provable Security
  • Provable Security
    • Provable Security: The Short Story
    • The need for Provable Security
• Reductions
• Security Notions
  • Security Notions
    • Security Notion for Signature Schemes
    • Security Notion for Encryption Schemes
• Concluding Remarks
  • Concluding Remarks
• References

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

Full-Domain Hash: Interpreting the Result

Suppose feasible security bounds for any adversary are:

at most $2^{75}$ operations ($t$),

at most $2^{55}$ hash queries ($q_h$), and

at most $2^{30}$ signing queries ($q_s$).

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $B$ runs in time $t' = t + (q_h + q_s) \cdot T_f$.

The result now says:

Interpreting the Result

If one can break the scheme in time $t$, then one can invert $f$ within time
$t' \le (q_h + q_s + 1)\,\bigl(t + (q_h + q_s) \cdot T_f\bigr) \le 2^{130} + 2^{110} \cdot T_f$.

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting $f$ can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$.

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and $e$ is small.

We compare this with the known bounds on inverting RSA (namely, factoring) using the best known algorithm, the Number Field Sieve (NFS), for $f = $ RSA. The reduction only guarantees something when the inversion time $t'$ it implies is below the cost of the best known attack:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits.

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\mathrm{euf\text{-}cma}}_{\mathrm{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\mathrm{ow}}_{f}(B)$

where $e \approx 2.718$ is Euler's constant (not the RSA exponent), and $B$ runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if $A$ runs in time $t$ and makes $q_h$, $q_s$ queries. Inverting $f$ can then be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and

1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

This is the strongest attack model.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game runs between a Challenger and an Adversary:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; the Challenger sends $k_e$ to the Adversary.

Adversary → Challenger: decryption queries $c$, each answered with $m \leftarrow D_{k_d}(c)$ (or $\bot$). These are the CCA1 queries, made before the challenge.

Adversary → Challenger: two messages $m_0, m_1$.

Challenger → Adversary: the challenge $c^* \leftarrow E_{k_e}(m_b)$.

Adversary → Challenger: further decryption queries $c \ne c^*$, each answered with $m \leftarrow D_{k_d}(c)$ (or $\bot$). These are the CCA2 queries, made after the challenge.

Adversary: outputs a guess $b'$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\left[(m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) : b' = b\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$, the adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{AS}(A) = \Pr\left[m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) : A(k_e, c) = m\right]$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It is not IND-CPA nor IND-CCA, since it is deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It is not IND-CCA, because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).
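The IND-CCA game of the previous slides, made executable, together with the multiplicativity remark about ElGamal: this is an added example, not code from the slides. The group (a tiny safe prime, constructed and insecure), the message choices and the oracle names are assumptions of the example; the CCA2 adversary simply multiplies the second ciphertext component by a known factor, which yields a legal query $c \ne c^*$ whose answer reveals $m_b$.

```python
"""IND-CCA game of the slide, run against a toy ElGamal scheme.

Added example, not from the slides.  The group is the order-q subgroup of
Z_p^* for a tiny safe prime p (constructed, hopelessly insecure); it only
exists so the game can be executed end to end.  Requires Python 3.8+.
"""
import random
from typing import Callable, Optional, Tuple

P = 2879                  # safe prime: P = 2*1439 + 1, both prime (constructed)
Q = (P - 1) // 2          # order of the subgroup of quadratic residues
G = pow(2, 2, P)          # a square, hence a generator of that subgroup

Ciphertext = Tuple[int, int]
DecOracle = Callable[[Ciphertext], Optional[int]]


def keygen(rng: random.Random) -> Tuple[int, int]:
    """K(.): returns (k_e, k_d) = (g^x, x)."""
    kd = rng.randrange(1, Q)
    return pow(G, kd, P), kd


def encrypt(ke: int, m: int, rng: random.Random) -> Ciphertext:
    """E_{k_e}(m) = (g^r, m * k_e^r) for fresh random r."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(ke, r, P) % P


def decrypt(kd: int, c: Ciphertext) -> Optional[int]:
    """D_{k_d}(c) = c2 / c1^{k_d}; None plays the role of the symbol ⊥."""
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        return None
    return c2 * pow(c1, -kd, P) % P


def ind_cca_game(adversary, rng: random.Random, cca2: bool = True) -> bool:
    """One run of the IND-CCA game on the slide; True iff b' = b.

    The decryption oracle answers any c during the CCA1 phase.  After the
    challenge it refuses c == c* (and, for CCA1 only, refuses everything).
    """
    b = rng.randrange(2)
    ke, kd = keygen(rng)
    challenge: list = [None]          # c* once chosen, None before that

    def dec_oracle(c: Ciphertext) -> Optional[int]:
        if challenge[0] is not None and (not cca2 or c == challenge[0]):
            return None               # ⊥
        return decrypt(kd, c)

    m0, m1 = adversary.choose(ke, dec_oracle)
    challenge[0] = encrypt(ke, (m0, m1)[b], rng)
    b_prime = adversary.guess(challenge[0], dec_oracle)
    return b_prime == b


class MalleabilityAdversary:
    """Wins via multiplicativity: (c1, c2 * s) decrypts to m_b * s and differs
    from c*, so the CCA2 oracle answers it.  This is the reason the slide
    gives for ElGamal not being IND-CCA."""

    def choose(self, ke: int, dec: DecOracle) -> Tuple[int, int]:
        self.m0, self.m1 = G, pow(G, 2, P)    # two distinct group elements
        return self.m0, self.m1

    def guess(self, c_star: Ciphertext, dec: DecOracle) -> int:
        c1, c2 = c_star
        s = pow(G, 3, P)                      # any subgroup element s != 1
        m_times_s = dec((c1, c2 * s % P))     # legal query: c != c*
        if m_times_s is None:                 # CCA1 oracle refused: guess
            return 0
        m = m_times_s * pow(s, -1, P) % P
        return 0 if m == self.m0 else 1


def success_probability(adversary_factory, trials: int = 200,
                        seed: int = 1, cca2: bool = True) -> float:
    """Estimate Pr[b' = b] over independent runs with a fixed seed."""
    rng = random.Random(seed)
    wins = sum(ind_cca_game(adversary_factory(), rng, cca2) for _ in range(trials))
    return wins / trials


def roundtrip_ok(seed: int = 3) -> bool:
    """Sanity check that D_{k_d}(E_{k_e}(m)) = m for a random key and message."""
    rng = random.Random(seed)
    ke, kd = keygen(rng)
    m = pow(G, rng.randrange(1, Q), P)
    return decrypt(kd, encrypt(ke, m, rng)) == m


if __name__ == "__main__":
    print("CCA2 success:", success_probability(MalleabilityAdversary))
    print("CCA1 success:", success_probability(MalleabilityAdversary, cca2=False))
```

With the CCA2 oracle the adversary's success probability is 1; with only CCA1 queries the same adversary is reduced to guessing, which is why the slide's IND-CPA result for ElGamal (under DDH) does not extend to IND-CCA.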

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough to get IND-CPA nor IND-CCA.

So how do we obtain IND-CCA? Generic conversion from weakly secure to strongly secure schemes.


Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation, and n, k0, k1 integers such that n > k0 + k1, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

E(m, r): Compute x, y, then return $c = f(x \| y)$.

D(c): Compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
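The OAEP transform itself, as an added worked example (not code from the slides or from Bellare and Rogaway): the two rounds $x = (m \| 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$ are the standard Bellare-Rogaway OAEP construction, which the slide leaves implicit. G and H are instantiated here with an MGF1-style SHA-256 expansion (an assumption for the demo), and f is a toy textbook-RSA permutation on a constructed modulus; the byte sizes n = 26, k0 = 8, k1 = 8 are also constructed. The point to watch is the redundancy check in D: a ciphertext that was not produced by E is rejected, which is exactly what the decryption oracle in the IND-CCA argument relies on.

```python
import hashlib

# Constructed parameters (in bytes): n = 26, k0 = 8, k1 = 8, so n > k0 + k1 and the
# message length is n - k0 - k1 = 10 bytes. Sizes are for the demo only.
N_BYTES, K0, K1 = 26, 8, 8
MSG_LEN = N_BYTES - K0 - K1

def mgf1(label: bytes, seed: bytes, out_len: int) -> bytes:
    """MGF1-style expansion from SHA-256; the label keeps G and H distinct functions."""
    out, counter = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

def G(r: bytes) -> bytes:      # G : {0,1}^k0 -> {0,1}^(n-k0)
    return mgf1(b"G", r, N_BYTES - K0)

def H(x: bytes) -> bytes:      # H : {0,1}^(n-k0) -> {0,1}^k0
    return mgf1(b"H", x, K0)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def oaep_pad(m: bytes, r: bytes) -> bytes:
    """Bellare-Rogaway OAEP: x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    assert len(m) == MSG_LEN and len(r) == K0
    x = xor(m + b"\x00" * K1, G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy: bytes):
    """Invert OAEP and check the k1 zero-byte redundancy; None signals rejection."""
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    return m if redundancy == b"\x00" * K1 else None

# Toy trapdoor permutation f: textbook RSA on a constructed 216-bit modulus built from two
# Mersenne primes. Far too small for real use; it only plays the role of f in E and D.
P, Q = 2**127 - 1, 2**89 - 1
N_MOD = P * Q
E_EXP = 65537
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1))

def f(xy: bytes) -> int:
    return pow(int.from_bytes(xy, "big"), E_EXP, N_MOD)

def f_inv(c: int):
    v = pow(c, D_EXP, N_MOD)
    if v >> (8 * N_BYTES):        # not the image of an n-byte string: reject
        return None
    return v.to_bytes(N_BYTES, "big")

def encrypt(m: bytes, r: bytes) -> int:
    """E(m, r): compute x, y, then return c = f(x || y)."""
    return f(oaep_pad(m, r))

def decrypt(c: int):
    """D(c): compute x || y = f^-1(c), invert OAEP, then check the redundancy."""
    if not 0 <= c < N_MOD:
        return None
    xy = f_inv(c)
    return None if xy is None else oaep_unpad(xy)

if __name__ == "__main__":
    msg = b"hello OAEP"            # constructed 10-byte sample message
    r = bytes(range(K0))           # fixed coins for reproducibility; use os.urandom(K0) in practice
    c = encrypt(msg, r)
    print(decrypt(c) == msg)       # True: honest ciphertext decrypts
    print(decrypt(c ^ 1))          # None: a modified ciphertext fails the redundancy check
```

Because r is part of the input, two encryptions of the same message under different coins give different ciphertexts, which is what the IND notions require of the scheme; with a real f the modulus, hash expansion and parameter sizes would follow the PKCS#1 specification rather than these demo values.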

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes $q_H, q_G$ queries to the oracles H and G respectively, k is the modulus size and e is small.

So inverting f can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight)

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most $2^{75}$ operations (t)

at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more

61/77
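The exact-security comparison carried out on the RSA-OAEP and RSA-OAEP++ slides above (and, with the same check, on the RSA-FDH slides 50 and 51), as an added example that is not part of the original slides: each reduction is turned into the running time $t'$ of the RSA inverter B it produces, and the reduction only rules out the assumed adversary when that inverter would beat the best known attack, the Number Field Sieve. The adversary budgets ($2^{75}$ operations, $2^{55}$ queries) and the NFS costs are the figures quoted on the slides; $T_f = k^3$ for FDH is the $O(k^3)$ cost of one RSA evaluation taken at face value.

```python
import math

# Resource budget the slides assume for any feasible adversary (log2 scale):
# 2^75 operations and 2^55 oracle queries of each kind (qG, qH, qE).
T_LOG2 = 75
Q_LOG2 = 55

# Cost of the Number Field Sieve for the modulus sizes quoted on the slides (log2 of operations).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

def rsa_oaep_inverter_time_log2(k: int, t_log2: int = T_LOG2, q_log2: int = Q_LOG2) -> float:
    """log2 of t' = 2*t + qH*(2*qG + qH)*k^2, the time of the RSA inverter B that
    [Fujisaki-OPS 00] build from an IND-CCA adversary A running in time t."""
    t, q = 2.0 ** t_log2, 2.0 ** q_log2
    return math.log2(2 * t + q * (2 * q + q) * k ** 2)

def rsa_oaep_pp_inverter_time_log2(k: int, t_log2: int = T_LOG2, q_log2: int = Q_LOG2) -> float:
    """log2 of t' = t + qE*k^2 for RSA-OAEP++ [Jonsson 02]: linear in t."""
    return math.log2(2.0 ** t_log2 + 2.0 ** q_log2 * k ** 2)

def rsa_fdh_inverter_time_log2(k: int) -> float:
    """log2 of t' <= 2^130 + 2^110 * Tf for RSA-FDH (slide 50), with Tf = k^3."""
    return math.log2(2.0 ** 130 + 2.0 ** 110 * k ** 3)

def reduction_rules_out_adversary(tprime_log2: float, k: int) -> bool:
    """A reduction gives a real guarantee only if the inverter B would beat NFS:
    an inverter slower than NFS tells us nothing, because NFS already exists."""
    return tprime_log2 < NFS_LOG2[k]

def tightness_table(bound) -> dict:
    """Map each modulus size to (log2 t', log2 NFS cost, does the reduction help?)."""
    return {k: (round(bound(k), 1), NFS_LOG2[k], reduction_rules_out_adversary(bound(k), k))
            for k in NFS_LOG2}

if __name__ == "__main__":
    for name, bound in [("RSA-FDH (Bellare-Rogaway bound)", rsa_fdh_inverter_time_log2),
                        ("RSA-OAEP [Fujisaki-OPS 00]", rsa_oaep_inverter_time_log2),
                        ("RSA-OAEP++ [Jonsson 02]", rsa_oaep_pp_inverter_time_log2)]:
        print(name)
        for k, (tp, nfs, ok) in tightness_table(bound).items():
            print(f"  {k} bits: log2 t' = {tp:6.1f}, NFS = 2^{nfs}: {'ok' if ok else 'no'}")
```

The quadratic term $q_H(2q_G + q_H)k^2$ is what makes the OAEP reduction loose: it dominates $2t$ by a factor of roughly $2^{55}$, so the guarantee only kicks in once NFS itself costs more than about $2^{136}$. OAEP++ replaces it with $q_E k^2$, which stays close to t, and the same 1024-bit key that the OAEP bound could not vouch for is covered.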

Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

                                                                                                                                          Concluding Remarks

                                                                                                                                          Part V

                                                                                                                                          Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology — CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764 received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Full-Domain Hash: Interpreting the Result (cont.)

Thus inverting f can be done in time

$t' \le 2^{130} + 2^{110} \cdot T_f$

Recall that $T_f = O(k^3)$ operations if $k = |n|$ and e is small.

We compare it with known bounds on inverting RSA (namely, factoring using the best known inverting algorithm, the Number Field Sieve (NFS)) for f = RSA:

1024 bits → $t' \le 2^{140}$, but NFS takes $2^{80}$

2048 bits → $t' \le 2^{143}$, but NFS takes $2^{111}$

4096 bits → $t' \le 2^{146}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 4096 bits

50/77

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

  Adv^{euf-cma}_{FDH}(A) ≤ q_s · e · Adv^{ow}_f(B)

where B runs in time t′ = t + (q_h + q_s + 1) · T_f if A runs in time t and makes q_h, q_s queries.

Solving: inverting f can be done in time t′ ≤ 2^30 · t + 2^85 · T_f, and

  1024 bits → t′ ≤ 2^105, but NFS takes 2^80
  2048 bits → t′ ≤ 2^107, but NFS takes 2^111 (ok)
  4096 bits → t′ ≤ 2^109, but NFS takes 2^149 (ok)

⇒ RSA-FDH is secure for keys of at least 2048 bits.

51/77

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

Goal cannot be too strong:
  Perfect secrecy is not possible: the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:
  Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

52/77

Attack model

  Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

  Chosen-Ciphertext Attack (CCA or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge).

  Strongest attack.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given (asymmetric) encryption scheme AS = (K, E, D):

  Challenger                                   Adversary A
  b ←$ {0,1}; (k_e, k_d) ←$ K(·)
                              k_e  -------->
  m ← D_{k_d}(c)              <-------- c           (CCA1 phase: any c, repeated)
                              m or ⊥ ------>
                              <-------- m_0, m_1
  c* ← E_{k_e}(m_b)           c* --------->
  m ← D_{k_d}(c)              <-------- c ≠ c*      (CCA2 phase: any c except c*)
                              m or ⊥ ------>
                                                   output b′

  Adv^{ind-cca}_{AS}(A) = Pr[ (m_0, m_1) ← A^D(k_e); c* ← E_{k_e}(m_b) : b′ = b ]

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:
  Let m be a random message chosen from the message space M.
  From the ciphertext c = E_{k_e}(m), adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability.

Accordingly, we measure the advantage of A as

  Adv^{ow-cpa}_{AS}(A) = Pr[ m ←$ M; c ← E_{k_e}(m) : A(k_e, c) = m ]

55/77

Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA = RSA (modular e-th roots)
  It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-log-based: ElGamal [ElGamal 78]
  OW-CPA = CDH (Computational Diffie-Hellman)
  IND-CPA = DDH (Decisional Diffie-Hellman)
  It's not IND-CCA, because of multiplicativity.

Obs: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:
  Any trapdoor one-way function may yield a OW-CPA encryption scheme.
  OW-CPA is not enough for IND-CPA nor IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77

f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k_0, k_1 integers such that n > k_0 + k_1, with

  G: {0,1}^{k_0} → {0,1}^{n − k_0}
  H: {0,1}^{n − k_0} → {0,1}^{k_0}

E(m, r): Compute x, y, then return c = f(x || y).

D(c): Compute x || y = f^{−1}(c), invert OAEP, then check the redundancy.

58/77
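The IND-CCA2 experiment of the slide above and the f-OAEP encryption/decryption just described, as an added Python example that is not code from the slides: f is a toy textbook-RSA permutation with a 92-bit modulus built from two Mersenne primes, G and H are truncated SHA-256 standing in for random oracles, and the x, y that the slide leaves to its figure are taken from the published Bellare-Rogaway construction, x = (m || 0^{k_1}) ⊕ G(r), y = r ⊕ H(x). The same re-encryption adversary is run against f used raw (deterministic) and against f-OAEP, and one-bit changes to f-OAEP ciphertexts are shown to fail the redundancy check in D.

```python
# IND-CCA2 experiment (slide 54) as a harness, run against a toy trapdoor permutation
# used raw (deterministic, like textbook RSA) and wrapped in f-OAEP (slide 58).
# Added example, not code from the slides; every value below is constructed.
import hashlib
import random

# Toy trapdoor permutation f: textbook RSA on two Mersenne primes. A 92-bit modulus
# is trivially factorable; it only keeps the arithmetic instant.
P, Q, E = (1 << 31) - 1, (1 << 61) - 1, 65537

def keygen():                                  # -> (k_e, k_d); gcd(E, phi(n)) = 1 here
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))

def f(pk, x):                                  # public direction: x^e mod n
    return pow(x, pk[1], pk[0])

def f_inv(sk, c):                              # trapdoor direction: c^d mod n
    return pow(c, sk[1], sk[0])

# OAEP sizes in bits, chosen so that x || y < n as an integer (|n| = 92 bits):
# n_bits = 88, k0 = k1 = 24, hence 40-bit messages.
N_BITS, K0, K1 = 88, 24, 24

def _ro(tag, data, nbits):
    """Random-oracle stand-in: domain-separated SHA-256 truncated to nbits."""
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") >> (256 - nbits)

def G(r):                                      # {0,1}^k0 -> {0,1}^(n-k0)
    return _ro(b"G", r.to_bytes(K0 // 8, "big"), N_BITS - K0)

def H(x):                                      # {0,1}^(n-k0) -> {0,1}^k0
    return _ro(b"H", x.to_bytes((N_BITS - K0) // 8, "big"), K0)

def oaep_pad(m, r):
    """The x, y the slide leaves to its figure, as in Bellare-Rogaway OAEP:
    x = (m || 0^k1) xor G(r),  y = r xor H(x);  returns x || y."""
    x = (m << K1) ^ G(r)
    return (x << K0) | (r ^ H(x))

def oaep_unpad(xy):
    """Invert the padding; None unless xy is an n_bits-bit string whose recovered
    m || 0^k1 really ends in k1 zero bits (the redundancy check)."""
    if xy >> N_BITS:
        return None
    x, y = xy >> K0, xy & ((1 << K0) - 1)
    padded = x ^ G(y ^ H(x))
    return None if padded & ((1 << K1) - 1) else padded >> K1

# Two schemes over the same f, as enc(pk, m, rng) -> c and dec(sk, c) -> m or None.
def enc_plain(pk, m, rng):                     # deterministic: c = f(m)
    return f(pk, m)
def dec_plain(sk, c):
    return f_inv(sk, c)
def enc_oaep(pk, m, rng):                      # randomized: c = f(x || y), fresh r
    return f(pk, oaep_pad(m, rng.getrandbits(K0)))
def dec_oaep(sk, c):                           # f^-1, invert OAEP, check redundancy
    return oaep_unpad(f_inv(sk, c))

def ind_cca2_game(enc, dec, adversary, rng=None):
    """One run of the experiment; returns (A's guess b', the bit b). The oracle
    decrypts any ciphertext except the challenge c*, in both phases."""
    rng = rng or random.Random()
    pk, sk = keygen()
    state = {"b": None, "c_star": None}

    def dec_oracle(c):
        if c == state["c_star"]:
            raise ValueError("CCA2 rule: the challenge ciphertext may not be queried")
        return dec(sk, c)

    def challenge(m0, m1):                     # equal-length m0, m1 chosen by A
        state["b"] = rng.getrandbits(1)
        state["c_star"] = enc(pk, (m0, m1)[state["b"]], rng)
        return state["c_star"]

    return adversary(pk, dec_oracle, challenge), state["b"]

M0, M1 = 0x1122334455, 0xAABBCCDDEE            # two distinct 40-bit messages

def reencrypt_adversary(enc, rng):
    """Slide 56's remark that a deterministic scheme is not even IND-CPA, as an
    adversary: encrypt m0 yourself and compare with c*."""
    def adversary(pk, dec_oracle, challenge):
        c_star = challenge(M0, M1)
        return 0 if enc(pk, M0, rng) == c_star else 1
    return adversary

def wins(enc, dec, trials=40, seed=1):
    """Runs won by the re-encryption adversary: all against the deterministic
    scheme, about half against f-OAEP (c* hides b)."""
    rng = random.Random(seed)
    adversary = reencrypt_adversary(enc, rng)
    return sum(g == b for g, b in [ind_cca2_game(enc, dec, adversary, rng) for _ in range(trials)])

def tamper_rejections(flips=16, seed=2):
    """One-bit changes to an f-OAEP ciphertext that D rejects; each one slips past
    the redundancy check only with probability 2^-k1."""
    rng = random.Random(seed)
    pk, sk = keygen()
    c = enc_oaep(pk, M0, rng)
    return sum(dec_oaep(sk, c ^ (1 << i)) is None for i in range(flips))
```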

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

  Adv^{ind-cca}_{RSA-OAEP}(A) ≤ 2 · √(Adv^{rsa}_{n,e}(B))

where B runs in time t′ = 2 · t + q_H · (2 · q_G + q_H) · k^2 if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving: inverting f can be done in time t′ ≤ 2^76 + 6 · 2^110 · k^2 ≤ 2^113 · k^2, and

  1024 bits → t′ ≤ 2^133, but NFS takes 2^80 (no)
  2048 bits → t′ ≤ 2^135, but NFS takes 2^111 (no)
  4096 bits → t′ ≤ 2^137, but NFS takes 2^149 (ok)

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model: consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are
  at most 2^75 operations (t)
  at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t′ ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

  1024 bits → t′ ≤ 2^76, but NFS takes 2^80 (ok)
  2048 bits → t′ ≤ 2^78, but NFS takes 2^111 (ok)
  4096 bits → t′ ≤ 2^80, but NFS takes 2^149 (ok)

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
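The arithmetic behind the four "secure for keys of at least ..." verdicts (RSA-FDH, Coron's FDH reduction, RSA-OAEP and RSA-OAEP++), as an added Python example that is not part of the slides: each bound is transcribed from its slide as a function of the modulus size k and compared with the NFS figures the slides quote. Assumptions: t = 2^75 and 2^55 queries as on the slides, T_f = k^3 on the FDH slide and k^2 on the OAEP slides, and k^2 for the Coron slide too, since its figures only match with that cost model; the slides' rounding is reproduced where it is unambiguous, and the verdicts are reproduced everywhere.

```python
# Exact-security arithmetic of the FDH, OAEP and OAEP++ slides: the time t' each
# reduction yields for inverting RSA, set against the NFS cost the slides quote.
# Added example, not code from the slides.
from math import log2

# Cost of the best known attack on a k-bit RSA modulus, as log2 of operations,
# copied from the slides (rounded figures, not an L-notation estimate).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Adversary budget assumed on the slides: t <= 2^75 operations, 2^55 queries.
T, Q = 2.0 ** 75, 2.0 ** 55

def reduction_time(loss, t, queries, tf):
    """Generic shape behind the bounds: a reduction with multiplicative loss
    `loss` that runs the adversary once (time t) plus `queries` evaluations of f
    (cost tf each) inverts f in time about loss * (t + queries * tf), once the
    adversary's advantage is taken to be about 1. With loss = queries = 2^55
    this is the FDH slide's 2^130 + 2^110 * T_f."""
    return loss * (t + queries * tf)

# Each reduction as k -> t' (operations), transcribed from the slides. T_f, the
# cost of one RSA evaluation with small e, is k^3 on the FDH slide and k^2 on the
# OAEP slides; the Coron-slide figures only match with k^2, which is assumed here.
REDUCTIONS = {
    "RSA-FDH (original bound)":   lambda k: 2.0 ** 130 + 2.0 ** 110 * k ** 3,
    "RSA-FDH [Coron 2000]":       lambda k: 2.0 ** 30 * T + 2.0 ** 85 * k ** 2,
    "RSA-OAEP [Fujisaki-OPS 00]": lambda k: 2.0 ** 76 + 6 * 2.0 ** 110 * k ** 2,
    "RSA-OAEP++ [Jonsson 2002]":  lambda k: T + Q * k ** 2,
}

def verdicts(reduction):
    """{k: (log2 t', log2 NFS, meaningful)}: the proof says something about a
    k-bit modulus only if the inverter it yields beats the best known factoring."""
    out = {}
    for k, nfs in sorted(NFS_LOG2.items()):
        tp = log2(reduction(k))
        out[k] = (round(tp), nfs, tp < nfs)
    return out

def min_secure_modulus(reduction):
    """Smallest quoted key size for which the reduction beats NFS, or None."""
    return next((k for k, (_, _, ok) in verdicts(reduction).items() if ok), None)

if __name__ == "__main__":
    for name, red in REDUCTIONS.items():
        for k, (tp, nfs, ok) in verdicts(red).items():
            print(f"{name:28s} {k:4d} bits: t' <= 2^{tp:<3d} NFS 2^{nfs:<3d} {'ok' if ok else 'no'}")
        print(f"{name:28s} secure from {min_secure_modulus(red)} bits\n")
```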

Revisiting the Assumptions

Classical Assumptions
  Integer Factoring
  Discrete Logarithm (in Finite Fields and in Elliptic Curves)
  Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography
  Error-Correcting Codes
  Hash-based schemes
  Systems of Multivariate Equations
  Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

  Provable security does not yield proofs.

  Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

  Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

  Definitions (models) need time for review and acceptance.

  Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security
  provides some form of guarantee that the scheme is not flawed;
  motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
  gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
  is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions: Security Notion for Signature Schemes | Security Notion for Encryption Schemes

Full-Domain Hash: Improved Reduction

There is a better reduction [Coron 2000]:

$\mathrm{Adv}^{\text{euf-cma}}_{\text{FDH}}(A) \le q_s \cdot e \cdot \mathrm{Adv}^{\text{ow}}_{f}(B)$

where B runs in time $t' = t + (q_h + q_s + 1) \cdot T_f$ if A runs in time t and makes $q_h$, $q_s$ queries. Solving (inverting f) can therefore be done in time $t' \le 2^{30} \cdot t + 2^{85} \cdot T_f$, and:

• 1024 bits → $t' \le 2^{105}$, but NFS takes $2^{80}$
• 2048 bits → $t' \le 2^{107}$, but NFS takes $2^{111}$: ok
• 4096 bits → $t' \le 2^{109}$, but NFS takes $2^{149}$: ok

⇒ RSA-FDH is secure for keys of at least 2048 bits.

Security Notions: Encryption Schemes

Problem: Secrecy (i.e., encryption)

The goal cannot be too strong: Perfect Secrecy is not possible, since the ciphertext (information-theoretically) reveals information about the plaintext.

Goal: Indistinguishability (Semantic Security), informally:

Given the ciphertext and the encryption key, the adversary cannot tell apart two same-length but different messages encrypted under the scheme, even if he chose the messages himself.

Attack model

• Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.
• Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle which (adaptively) decrypts any ciphertext of his choice, except one specific ciphertext (called the challenge). This is the strongest attack.

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D), the game between the Challenger and the Adversary runs as follows:

• Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} K(\cdot)$; the encryption key $k_e$ is handed to the Adversary.
• CCA1 phase: the Adversary submits any ciphertext c and receives $m \leftarrow D_{k_d}(c)$ (m or ⊥), adaptively, as often as it likes.
• The Adversary outputs $m_0, m_1$; the Challenger computes $c^* \leftarrow E_{k_e}(m_b)$ and sends $c^*$.
• CCA2 phase: the Adversary submits any $c \neq c^*$ and receives $m \leftarrow D_{k_d}(c)$ (m or ⊥).
• The Adversary outputs a guess $b'$.

$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = \Pr\left[\, (m_0, m_1) \leftarrow A^{D}(k_e);\ c^* \leftarrow E_{k_e}(m_b) \;:\; b' = b \,\right]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too. Consider the game:

• Let m be a random message chosen from the message space M.
• From the ciphertext $c = E_{k_e}(m)$, the adversary A must recover m.

A scheme AS is One-Way under chosen-plaintext attack if no feasible adversary A can win the above game with reasonable probability. Accordingly, we measure the advantage of A as

$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\left[\, m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) \;:\; A(k_e, c) = m \,\right]$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

• OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

• OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA. What we know at this point:

• Any trapdoor one-way function may yield a OW-CPA encryption scheme.
• OW-CPA is not enough to get IND-CPA, nor IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with

G: {0,1}^{k0} → {0,1}^{n−k0}

H: {0,1}^{n−k0} → {0,1}^{k0}

E(m, r): Compute x, y, then return c = f(x || y).

D(c): Compute x || y = f^{−1}(c), invert OAEP, then check the redundancy.

58/77
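The f-OAEP transform above, as an added worked example (this is not code from the slides or from the authors cited): the padding rule x = (m || 0^{k1}) ⊕ G(r), y = r ⊕ H(x) is the standard Bellare-Rogaway OAEP definition, while the SHA-256-based G and H, the bit lengths n = 192, k0 = 64, k1 = 32 and the toy RSA modulus built from two Mersenne primes are constructed choices so that the demo runs offline. Decryption rejects exactly where the slide says it should: when f^{-1}(c) is not an n-bit string or when the k1-bit redundancy does not check out.

```python
# Added example (not from the slides): the f-OAEP transform of Bellare and
# Rogaway instantiated with a toy RSA trapdoor permutation.  The padding
# rule x = (m || 0^k1) XOR G(r), y = r XOR H(x) is the standard OAEP
# definition; G, H, the bit lengths and the RSA modulus are constructed here.
import hashlib
import os

# Toy RSA trapdoor permutation (constructed).  p, q are the Mersenne primes
# 2^89-1 and 2^107-1, so N has about 196 bits and every 192-bit x||y is < N.
# e = 65537 is coprime to (p-1)(q-1) because 2 has order 32 mod 65537 and
# 32 divides neither 88 nor 106.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# OAEP parameters in bits: n > k0 + k1 (the slide's condition).
N_BITS, K0, K1 = 192, 64, 32
M_BYTES = (N_BITS - K0 - K1) // 8      # 12 bytes of plaintext per call
X_BYTES, Y_BYTES = (N_BITS - K0) // 8, K0 // 8


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0), modelled here by SHA-256 (constructed)."""
    return hashlib.sha256(b"G" + r).digest()[:X_BYTES]


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0, modelled here by SHA-256 (constructed)."""
    return hashlib.sha256(b"H" + x).digest()[:Y_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))


def oaep_pad(m: bytes, r: bytes) -> bytes:
    """OAEP encoding: returns x || y for message m and k0-bit randomness r."""
    if len(m) != M_BYTES or len(r) != Y_BYTES:
        raise ValueError("bad message or randomness length")
    x = xor(m + bytes(K1 // 8), G(r))   # x = (m || 0^k1) XOR G(r)
    y = xor(r, H(x))                    # y = r XOR H(x)
    return x + y


def oaep_unpad(xy: bytes):
    """Inverts OAEP and checks the k1-bit redundancy; None means reject."""
    x, y = xy[:X_BYTES], xy[X_BYTES:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:M_BYTES], padded[M_BYTES:]
    if redundancy != bytes(K1 // 8):
        return None                      # redundancy check failed
    return m


def encrypt(m: bytes, r: bytes = None) -> int:
    """E(m, r): c = f(x || y) with f the RSA permutation."""
    r = os.urandom(Y_BYTES) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), E, N)


def decrypt(c: int):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy; None = reject."""
    xy_int = pow(c, D, N)
    if xy_int >> N_BITS:                 # not an n-bit string: c was not produced by E
        return None
    return oaep_unpad(xy_int.to_bytes(N_BITS // 8, "big"))


if __name__ == "__main__":
    msg = b"twelve bytes"
    c = encrypt(msg)
    print(decrypt(c) == msg, decrypt(c ^ 1))   # True None
```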

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time $t$ and makes $q_H$, $q_G$ queries to oracles H and G respectively, $k$ is the modulus size and $e$ is small.

Solving: inverting f can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
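The substitution step behind the two $t'$ figures (for RSA-OAEP and for RSA-OAEP++), carried through here as an added worked derivation that is not on the original slides, with the feasible bounds $t = 2^{75}$ and $q_H = q_G = q_E = 2^{55}$:

$$t'_{\mathrm{OAEP}} = 2t + q_H(2q_G + q_H)\,k^2 = 2^{76} + 2^{55}\cdot 3\cdot 2^{55}\,k^2 = 2^{76} + 6\cdot 2^{110}\,k^2 \le 2^{113}\,k^2,$$

since $6 \cdot 2^{110} < 8 \cdot 2^{110} = 2^{113}$ and the $2^{76}$ term is negligible next to $2^{130}$. With $k = 2^{10}, 2^{11}, 2^{12}$ this gives $t' \le 2^{133}, 2^{135}, 2^{137}$; the quadratic term $q_H q_G k^2$ is what makes the bound loose. For OAEP++ the cost of the reduction is only linear in the queries:

$$t'_{\mathrm{OAEP++}} = t + q_E\,k^2 = 2^{75} + 2^{55}\,k^2,$$

so $k = 2^{10}$ gives $2^{75} + 2^{75} = 2^{76}$, $k = 2^{11}$ gives $2^{75} + 2^{77} = 5 \cdot 2^{75} \le 2^{78}$, and $k = 2^{12}$ gives $2^{75} + 2^{79} = 17 \cdot 2^{75} \le 2^{80}$, each below the NFS cost quoted for that modulus size.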

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs (in the absolute sense):

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

                                                                                                                                              • Introduction to Provable Security
                                                                                                                                              • Introduction

Security Notions: Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Security Notions: Encryption Schemes

Problem: Secrecy (i.e. encryption)

The goal cannot be too strong:

Perfect (information-theoretic) secrecy is not achievable here: the ciphertext, together with the public encryption key, determines the plaintext, so an unbounded adversary recovers it by trying every message. Secrecy can therefore only be required against computationally bounded adversaries.

Goal: Indistinguishability (Semantic Security), informal

Given the ciphertext and the encryption key, the adversary cannot tell apart the encryptions of two different messages of the same length, even if he chose the two messages himself.

52/77


Attack model

Chosen-Plaintext Attack (CPA): the adversary can obtain the encryption of any plaintext of his choice (in the public-key setting this is automatic, since he holds the encryption key).

Chosen-Ciphertext Attack (CCA, or CCA2 when adaptive): the adversary additionally has access to a decryption oracle that decrypts any ciphertext of his choice, except the one specific ciphertext whose content he is trying to learn (the challenge). In CCA1 (non-adaptive, "lunchtime" attack) the oracle is only available before the challenge is received; in CCA2 it remains available afterwards, for any ciphertext other than the challenge.

CCA2 is the strongest of these attack models.


Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $AS = (K, E, D)$, the game between a challenger and an adversary $A$ is:

1. The challenger picks $b \xleftarrow{\$} \{0,1\}$ and $(k_e, k_d) \xleftarrow{\$} K(\cdot)$, and hands the encryption key $k_e$ to $A$.
2. (CCA1 and CCA2) $A$ may submit ciphertexts $c$ to a decryption oracle, which answers $m \leftarrow D_{k_d}(c)$, or $\perp$ if $c$ is invalid.
3. $A$ outputs two messages $m_0, m_1$ of the same length; the challenger returns $c^* \leftarrow E_{k_e}(m_b)$.
4. (CCA2 only) $A$ may keep querying the decryption oracle on any $c \neq c^*$, again receiving $m \leftarrow D_{k_d}(c)$ or $\perp$.
5. $A$ outputs a guess $b'$.

The advantage of $A$ is

$$\mathrm{Adv}^{\text{ind-cca}}_{AS}(A) = 2 \cdot \Pr\left[\, b \xleftarrow{\$} \{0,1\};\ (k_e,k_d) \xleftarrow{\$} K;\ (m_0,m_1) \leftarrow A^{D_{k_d}}(k_e);\ c^* \leftarrow E_{k_e}(m_b);\ b' \leftarrow A^{D_{k_d}}(c^*) \ :\ b' = b \,\right] - 1$$

(Indistinguishability against chosen-ciphertext attacks.) A guessing adversary has $\Pr[b' = b] = 1/2$, which is why the probability is rescaled so that the advantage ranges from $0$ (no information) to $1$; the scheme is IND-CCA secure if every feasible $A$ has negligible advantage.


A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $M$.

From the ciphertext $c = E_{k_e}(m)$ (and the public key $k_e$, so the adversary can encrypt whatever he likes), adversary $A$ must recover $m$.

A scheme $AS$ is One-Way under Chosen-Plaintext Attack (OW-CPA) if no feasible adversary $A$ can win the above game with non-negligible probability.

Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\text{ow-cpa}}_{AS}(A) = \Pr\left[\, (k_e,k_d) \xleftarrow{\$} K;\ m \xleftarrow{\$} M;\ c \leftarrow E_{k_e}(m) \ :\ A(k_e, c) = m \,\right]$$

Note that OW-CPA says nothing about partial information: a scheme can be OW-CPA and still leak, say, half of the bits of $m$.


Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA ⇔ the RSA problem (computing modular $e$-th roots). Textbook RSA is neither IND-CPA nor IND-CCA, since it is deterministic: the adversary simply re-encrypts $m_0$ under the public key and compares the result with $c^*$.

Discrete-log based: ElGamal [ElGamal 85]

OW-CPA ⇔ CDH (Computational Diffie-Hellman); IND-CPA ⇔ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of its multiplicativity: multiplying the second ciphertext component by a constant $a$ yields a new ciphertext ($\neq c^*$) that the decryption oracle will answer, and it decrypts to $a \cdot m_b$.

Obs: CDH and DDH are no harder than DLog (DDH reduces to CDH, which reduces to DLog), so assuming their hardness is assuming more than the hardness of DLog.
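The following Python is an added example, not code from these slides or from Pointcheval's course: it runs the IND-CCA game defined on the earlier slide (challenger, decryption oracle that refuses only $c^*$, adversary with a CCA1 and a CCA2 phase) against a toy ElGamal over $\mathbb{Z}_p^*$ with the constructed parameters $p = 2^{127}-1$ and $g = 3$, and implements the multiplicativity attack described above. All names (`keygen`, `encrypt`, `decrypt`, `ind_cca2_game`, `MalleabilityAdversary`) are mine; the group is far too small for real use and the malleability does not depend on the group choice.

```python
import secrets

# Constructed toy parameters: Z_p^* for the Mersenne prime p = 2^127 - 1, generator g = 3.
# A deployed scheme would use a prime-order subgroup of a much larger group (or an elliptic
# curve); the malleability demonstrated below is independent of that choice.
P = (1 << 127) - 1
G = 3


def keygen():
    """ElGamal key generation: secret x in [1, p-2], public y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x


def encrypt(y, m):
    """Encrypt m in [1, p-1]: fresh k, ciphertext (g^k, m * y^k) mod p."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x, c):
    """Decrypt (c1, c2): m = c2 * c1^{-x} mod p, using c1^{-x} = c1^{p-1-x} (Fermat)."""
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P


def ind_cca2_game(adversary):
    """IND-CCA2 game of the slides: True iff the adversary's guess b' equals b.
    The decryption oracle refuses exactly one ciphertext, the challenge c*."""
    y, x = keygen()
    challenge = None

    def dec_oracle(c):
        if c == challenge:
            return None                      # the only query the oracle must refuse
        return decrypt(x, c)

    m0, m1 = adversary.choose(y, dec_oracle)          # CCA1 phase: oracle before c*
    b = secrets.randbelow(2)
    challenge = encrypt(y, (m0, m1)[b])
    b_guess = adversary.guess(challenge, dec_oracle)  # CCA2 phase: oracle after c*
    return b_guess == b


class MalleabilityAdversary:
    """Wins the game with probability 1 using one decryption query:
    (c1, a*c2) != c* is accepted by the oracle and decrypts to a*m_b."""
    A = 2                                    # multiplier used to maul c*

    def choose(self, y, dec_oracle):
        self.m0, self.m1 = 0x41, 0x42        # two distinct messages of equal length
        return self.m0, self.m1

    def guess(self, c_star, dec_oracle):
        c1, c2 = c_star
        mauled = (c1, (self.A * c2) % P)     # a different ciphertext with a related plaintext
        a_times_mb = dec_oracle(mauled)      # not refused: mauled != c_star
        mb = (a_times_mb * pow(self.A, -1, P)) % P   # undo the multiplier (Python >= 3.8)
        return 0 if mb == self.m0 else 1


def adversary_always_wins(trials=25):
    """Repeat the game; the malleability adversary wins every run."""
    return all(ind_cca2_game(MalleabilityAdversary()) for _ in range(trials))


def honest_roundtrip(m):
    """Sanity check that the toy scheme decrypts correctly."""
    y, x = keygen()
    return decrypt(x, encrypt(y, m)) == m


if __name__ == "__main__":
    print("ElGamal round-trip OK:", honest_roundtrip(12345))
    print("IND-CCA2 adversary wins every game:", adversary_always_wins())
```

The same game harness, with the oracle removed, is the IND-CPA game; the mauling adversary then has no oracle to ask and gains nothing, which is exactly the gap between IND-CPA (DDH) and IND-CCA for ElGamal.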


Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function $f$ may yield a OW-CPA encryption scheme (encrypt $m$ as $f(m)$; textbook RSA is exactly this).

OW-CPA is not enough for IND-CPA, let alone IND-CCA.

So how do we obtain IND-CCA? Through a generic conversion from weakly secure (OW-CPA) to strongly secure (IND-CCA) schemes: randomize and add redundancy to the input of $f$, so that ciphertexts not produced honestly are rejected at decryption.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation on $\{0,1\}^n$, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with hash functions (modelled as random oracles)

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$E(m; r)$: for a message $m \in \{0,1\}^{n-k_0-k_1}$ and random $r \xleftarrow{\$} \{0,1\}^{k_0}$, compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.

$D(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert the OAEP padding ($r = y \oplus H(x)$, $m \,\|\, z = x \oplus G(r)$), then check the redundancy: return $m$ if $z = 0^{k_1}$, and $\perp$ otherwise.
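As an added example (not code from the slides, and not a production OAEP: real deployments use the PKCS#1 v2 formatting with MGF1 and a library), the Python below instantiates the $f$-OAEP conversion just described with $f$ = RSA on a constructed 196-bit modulus built from the Mersenne primes $2^{89}-1$ and $2^{107}-1$, with $n = 192$, $k_0 = k_1 = 64$ bits and $G$, $H$ instantiated as domain-separated SHA-256 (my choice; the slides only ask for random oracles). It shows the two points of the preceding slides: textbook RSA is distinguishable because it is deterministic, while after OAEP the ciphertext is randomized and the multiplicative mauling that works on textbook RSA is rejected by the redundancy check.

```python
import hashlib
import secrets

# Constructed toy RSA modulus (about 196 bits) from the Mersenne primes M89 and M107; far too
# small for real use, but it runs without a prime generator.  gcd(e, phi) = 1 holds because
# 65537 divides 2^j - 1 only when 32 | j, and neither 88 nor 106 is a multiple of 32.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # trapdoor (Python >= 3.8 modular inverse)

# OAEP sizes in bytes: n = 192 bits (so x||y < N), k0 = 64-bit seed r,
# k1 = 64 zero bits of redundancy, leaving 64-bit messages.
K, K0, K1 = 24, 8, 8
MLEN = K - K0 - K1
ZEROS = bytes(K1)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0); SHA-256 stands in for the random oracle."""
    return hashlib.sha256(b"OAEP-G" + r).digest()[:K - K0]


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.sha256(b"OAEP-H" + x).digest()[:K0]


def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r),  y = r xor H(x);  returns x || y."""
    x = xor(m + ZEROS, G(r))
    return x + xor(r, H(x))


def oaep_unpad(xy):
    """Invert the padding and check the redundancy; None plays the role of the reject symbol."""
    x, y = xy[:K - K0], xy[K - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    return mz[:MLEN] if mz[MLEN:] == ZEROS else None


def f(xy_int):                 # trapdoor one-way permutation: RSA forward direction
    return pow(xy_int, E, N)


def f_inv(c):                  # its inverse, available only to the holder of d
    return pow(c, D, N)


def textbook_encrypt(m):
    """Textbook RSA: deterministic, so anyone can test a guess by re-encrypting it."""
    return f(int.from_bytes(m, "big"))


def oaep_encrypt(m):
    assert len(m) == MLEN
    r = secrets.token_bytes(K0)          # fresh randomness per encryption
    return f(int.from_bytes(oaep_pad(m, r), "big"))


def oaep_decrypt(c):
    xy_int = f_inv(c)
    if xy_int >= 1 << (8 * K):           # f^{-1}(c) outside the OAEP domain: reject
        return None
    return oaep_unpad(xy_int.to_bytes(K, "big"))


def textbook_is_distinguishable(m0, m1):
    """IND-CPA adversary against textbook RSA: re-encrypt m0 and compare with c*."""
    b = secrets.randbelow(2)
    c_star = textbook_encrypt((m0, m1)[b])
    guess = 0 if textbook_encrypt(m0) == c_star else 1
    return guess == b                    # succeeds every time


def oaep_roundtrip(m):
    return oaep_decrypt(oaep_encrypt(m)) == m


def oaep_is_randomized(m):
    return oaep_encrypt(m) != oaep_encrypt(m)   # two encryptions of m differ (fresh r)


def mauled_ciphertext_rejected(m):
    """c * 2^e decrypts to 2 * (x||y) under plain RSA; with OAEP in front of f the result
    fails the redundancy check (or falls outside the domain) and is rejected."""
    c = oaep_encrypt(m)
    mauled = (c * pow(2, E, N)) % N
    return oaep_decrypt(mauled) is None
```

The redundancy check is what turns the decryption oracle of the IND-CCA game into something useless to the attacker: every ciphertext he can build without knowing $r$ is answered with $\perp$ with overwhelming probability, which is the intuition behind the reduction on the next slide.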


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-Okamoto-Pointcheval-Stern 00]. For RSA, partial-domain one-wayness is equivalent to ordinary one-wayness (the RSA problem), and the result is

$$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size in bits, and $e$ is small.

Suppose a feasible adversary performs at most $t \le 2^{75}$ operations and makes at most $q_G, q_H \le 2^{55}$ hash queries. Then inverting $f$ (solving RSA) can be done in time $t' \le 2^{76} + 6 \cdot 2^{110} \cdot k^2 \le 2^{113} \cdot k^2$; comparing with the cost of factoring by the Number Field Sieve (NFS):

1024 bits: $t' \le 2^{133}$, but NFS takes $2^{80}$: no guarantee

2048 bits: $t' \le 2^{135}$, but NFS takes $2^{111}$: no guarantee

4096 bits: $t' \le 2^{137}$, and NFS takes $2^{149}$: ok

⇒ The reduction only guarantees RSA-OAEP for keys of at least 4096 bits: it is not tight (the square root and the $q_H \cdot q_G$ factor lose too much). A loose reduction does not mean smaller keys are broken, only that the proof says nothing about them.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model

The block cipher $E$ is modelled as a family of perfectly random and independent permutations, one per key, which all parties (including the adversary) can evaluate in both directions only through oracle queries.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f$ = RSA is more involved, but essentially linear (no square root).

As before, suppose feasible security bounds for any adversary attacking $f$ = RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits: $t' \le 2^{76}$, and NFS takes $2^{80}$: ok

2048 bits: $t' \le 2^{78}$, and NFS takes $2^{111}$: ok

4096 bits: $t' \le 2^{80}$, and NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is guaranteed secure for keys of 1024 bits or more: a tight reduction buys a smaller key size for the same proven security.


Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in finite fields and in elliptic curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used. Drawbacks: they require large keys when working in finite fields, and all of them are broken in polynomial time by a quantum computer (Shor's algorithm).

Alternatives: Post-Quantum Cryptography

Error-correcting codes

Hash-based schemes

Systems of multivariate equations

Lattices

Part V

Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield absolute proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal (the security model).

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs were given for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09], exploiting behaviour the model did not capture (the decryptor acts on the decrypted length field before the MAC is verified); then proofs for the other mode were given in a better model [Paterson et al. 10]. Are we now in a loop of model, attack, remodel? Crypto as physics [Nguyen 12, Degabriele et al. 11].


Limits and Benefits of Provable Security (cont.)

Still, provable security:

provides some form of guarantee that the scheme is not flawed, at least against the attacks the model captures;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security: which key sizes the proof actually covers);

is fun :-)


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

                                                                                                                                                6677

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin – Heidelberg – New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions | Security Notion for Signature Schemes | Security Notion for Encryption Schemes

Attack model

Chosen-Plaintext Attack (CPA): the adversary can get the encryption of any plaintext of his choice.

Chosen-Ciphertext Attack (CCA, or CCA2): the adversary also has access to a decryption oracle, which (adaptively) decrypts any ciphertext of his choice except one specific ciphertext (called the challenge).

CCA is the strongest attack model.

53/77

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme $\mathcal{AS} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$:

Challenger: $b \xleftarrow{\$} \{0,1\}$, $(k_e, k_d) \xleftarrow{\$} \mathcal{K}(\cdot)$; sends $k_e$ to the adversary; on receiving $(m_0, m_1)$, computes $c^* \leftarrow \mathcal{E}_{k_e}(m_b)$ and sends $c^*$.

Adversary: receives $k_e$; may query a decryption oracle with a ciphertext $c$ and gets back $m \leftarrow \mathcal{D}_{k_d}(c)$ (or $\perp$), repeatedly; outputs $(m_0, m_1)$, receives $c^*$, and finally outputs a guess $b'$.

CCA1: decryption queries $c \rightarrow m$ or $\perp$ only before receiving $c^*$.

CCA2: decryption queries also after receiving $c^*$, for any $c \neq c^*$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathcal{AS}}(A) = \Pr\big[\, (m_0, m_1) \leftarrow A^{\mathcal{D}}(k_e),\ c^* \leftarrow \mathcal{E}_{k_e}(m_b) \,:\, b' = b \,\big]$

(Indistinguishability against chosen-ciphertext attacks)

54/77

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = \mathcal{E}_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[\, m \xleftarrow{\$} \mathcal{M},\ c \leftarrow \mathcal{E}_{k_e}(m) \,:\, A(k_e, c) = m \,\big]$

55/77

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular e-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman). IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA, because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

56/77

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough to obtain IND-CPA, nor IND-CCA.

So, how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77

f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$\mathcal{E}(m, r)$: compute $x, y$, then return $c = f(x \,\|\, y)$.

$\mathcal{D}(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
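As an added example (not from the slides or the cited papers), the following Python runs the IND-CPA game from the slides against textbook RSA, whose deterministic encryption lets a re-encrypting adversary win every time, and then against f-OAEP built on the same RSA permutation, where the random $r$ makes re-encryption useless and the redundancy check rejects tampered ciphertexts. The OAEP transform $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$ is the one from the Bellare-Rogaway paper the slide cites (the slide itself only says "compute $x, y$"); the RSA key built from two Mersenne primes, the 88-bit OAEP domain and the SHA-256-based $G$ and $H$ are constructed toy choices, not secure parameters.

```python
import hashlib
import secrets

# Toy trapdoor permutation f = RSA with a constructed modulus N = P*Q (~92 bits).
# Mersenne primes are used only so the key is reproducible without a prime search.
P, Q = 2**31 - 1, 2**61 - 1
E = 65537

def keygen():
    """Return (ke, kd) = ((N, e), (N, d)); gcd(e, (P-1)(Q-1)) = 1 for these primes."""
    n = P * Q
    return (n, E), (n, pow(E, -1, (P - 1) * (Q - 1)))

def f(ke, x):        # f(x) = x^e mod N
    n, e = ke
    return pow(x, e, n)

def f_inv(kd, c):    # f^{-1}(c) = c^d mod N
    n, d = kd
    return pow(c, d, n)

# OAEP parameters in bytes: n = 88 bits (< log2 N), k0 = 24 bits, k1 = 16 bits,
# so messages are n - k0 - k1 = 48 bits = 6 bytes.
N_BYTES, K0, K1 = 11, 3, 2
MSG_LEN = N_BYTES - K0 - K1

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def G(r):   # G: {0,1}^k0 -> {0,1}^(n-k0); the SHA-256 instantiation is an assumption
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]

def H(x):   # H: {0,1}^(n-k0) -> {0,1}^k0; the SHA-256 instantiation is an assumption
    return hashlib.sha256(b"H" + x).digest()[:K0]

def oaep_encrypt(ke, m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError("message must be exactly %d bytes" % MSG_LEN)
    r = secrets.token_bytes(K0) if r is None else r
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return f(ke, int.from_bytes(x + y, "big"))

def oaep_decrypt(kd, c):
    """D(c): x || y = f^{-1}(c), invert OAEP, check the k1 zero bytes; None means reject."""
    xy_int = f_inv(kd, c)
    if xy_int >= 1 << (8 * N_BYTES):     # not an n-bit string: reject
        return None
    xy = xy_int.to_bytes(N_BYTES, "big")
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    if padded[MSG_LEN:] != bytes(K1):    # redundancy check failed: reject
        return None
    return padded[:MSG_LEN]

def textbook_encrypt(ke, m):
    """Textbook RSA: c = f(m), deterministic, no randomness and no redundancy."""
    return f(ke, int.from_bytes(m, "big"))

def ind_cpa_game(ke, encrypt, adversary):
    """One run of the IND-CPA game; True if the adversary's guess b' equals b."""
    b = secrets.randbelow(2)
    m0, m1 = adversary.choose()
    c_star = encrypt(ke, (m0, m1)[b])
    return adversary.guess(ke, c_star) == b

class ReencryptAdversary:
    """Under CPA anyone can encrypt with k_e, so the adversary encrypts m0 itself
    and compares with the challenge c*: decisive against a deterministic scheme."""
    def __init__(self, encrypt):
        self.encrypt = encrypt
        self.m0, self.m1 = b"accept", b"reject"
    def choose(self):
        return self.m0, self.m1
    def guess(self, ke, c_star):
        return 0 if self.encrypt(ke, self.m0) == c_star else 1

def win_rate(encrypt, trials=200):
    """Fraction of IND-CPA games the re-encrypting adversary wins against `encrypt`."""
    ke, _ = keygen()
    adv = ReencryptAdversary(encrypt)
    return sum(ind_cpa_game(ke, encrypt, adv) for _ in range(trials)) / trials

if __name__ == "__main__":
    ke, kd = keygen()
    c = oaep_encrypt(ke, b"accept")
    print("OAEP round trip:", oaep_decrypt(kd, c))                     # b'accept'
    print("bit-flipped ciphertext decrypts to:", oaep_decrypt(kd, c ^ 1))
    print("win rate vs textbook RSA:", win_rate(textbook_encrypt))    # 1.0
    print("win rate vs f-OAEP      :", win_rate(oaep_encrypt))
```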

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H, q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Solving (inverting) $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no.

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no.

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok.

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking f = RSA are:

at most $2^{75}$ operations ($t$)
at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert k-bit-modulus RSA in time $t' \le t + q_E\,k^2 \le 2^{75} + 2^{55}\,k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
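The key-size arithmetic of the two reductions above (RSA-OAEP, then OAEP++), carried through in Python as an added example that is not part of the slides. The resource budgets ($t \le 2^{75}$, $q \le 2^{55}$) and the NFS estimates are the slides' own; the function names and the cost table are mine.

```python
# Cost model taken from the slides: estimated running time (log2 operations)
# of the Number Field Sieve for factoring a k-bit RSA modulus.
NFS_COST_LOG2 = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the slides (log2).
T_LOG2 = 75      # running time t of the IND-CCA adversary A
Q_LOG2 = 55      # number of hash (H, G) and ideal-cipher (E) queries


def oaep_reduction_time(t, q_h, q_g, k):
    """Running time t' of the RSA inverter B obtained from an RSA-OAEP
    attacker A [Fujisaki-OPS 00]:  t' = 2t + q_H (2 q_G + q_H) k^2."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k


def oaep_pp_reduction_time(t, q_e, k):
    """Running time t' for the essentially linear OAEP++ reduction
    (Jonsson 2002):  t' = t + q_E k^2."""
    return t + q_e * k * k


def log2_ceil(n):
    """Smallest exponent e with 2^e >= n, for n >= 1 (exact, no floats)."""
    return (n - 1).bit_length()


def reduction_certifies(tprime, k):
    """True if a feasible attacker would yield an RSA inverter faster than
    the best known factoring algorithm (NFS) for this modulus size, i.e.
    the reduction actually rules out such attackers."""
    return log2_ceil(tprime) < NFS_COST_LOG2[k]


def key_size_table():
    """Return {k: (log2 t' for RSA-OAEP, certified?,
                   log2 t' for OAEP++,  certified?)} for each key size."""
    t, q = 2 ** T_LOG2, 2 ** Q_LOG2
    table = {}
    for k in sorted(NFS_COST_LOG2):
        tp_oaep = oaep_reduction_time(t, q, q, k)
        tp_pp = oaep_pp_reduction_time(t, q, k)
        table[k] = (log2_ceil(tp_oaep), reduction_certifies(tp_oaep, k),
                    log2_ceil(tp_pp), reduction_certifies(tp_pp, k))
    return table


if __name__ == "__main__":
    for k, (l1, ok1, l2, ok2) in key_size_table().items():
        print(f"{k}-bit RSA: OAEP t' <= 2^{l1} ({'ok' if ok1 else 'no'}), "
              f"OAEP++ t' <= 2^{l2} ({'ok' if ok2 else 'no'}), "
              f"NFS ~ 2^{NFS_COST_LOG2[k]}")
```

The exponents printed for RSA-OAEP are slightly below the slides' rounded values (which use $6 \cdot 2^{110}$ rather than the $3 \cdot 2^{110}$ that the formula gives), but the verdict per key size is the same.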

Revisiting the Assumptions

Classical Assumptions

Integer Factoring
Discrete Logarithm (in Finite Fields and in Elliptic Curves)
Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes
Hash-based schemes
Systems of Multivariate Equations
Lattices


                                                                                                                                                  Part V

                                                                                                                                                  Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].
Definitions (models) need time for review and acceptance.
Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now: model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

                                                                                                                                                  Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;
motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);
is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes, David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.
On the Role of Definitions in and Beyond Cryptography, Phillip Rogaway. Manuscript, available from his web page.
Practice-Oriented Provable-Security, Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

                                                                                                                                                  Part VI

                                                                                                                                                  References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin – Heidelberg – New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notion for (Asymmetric) Encryption: IND-CCA

Given an (asymmetric) encryption scheme AS = (K, E, D):

[Game diagram] The challenger picks $b \xleftarrow{\$} \{0,1\}$ and $(k_e, k_d) \xleftarrow{\$} K(\cdot)$, and hands $k_e$ to the adversary. The adversary may submit ciphertexts $c$ to a decryption oracle, which answers $m \leftarrow D_{k_d}(c)$ (or ⊥), and then outputs a pair $m_0, m_1$; the challenger replies with $c^* \leftarrow E_{k_e}(m_b)$, and the adversary finally outputs a guess $b'$. CCA1: decryption queries are allowed only before $c^*$ is received. CCA2: decryption queries are also allowed after $c^*$, restricted to $c \neq c^*$.

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{AS}(A) = \Pr\big[\,(m_0, m_1) \leftarrow A^{D}(k_e),\ c^* \leftarrow E_{k_e}(m_b) : b' = b\,\big]$

(Indistinguishability against chosen-ciphertext attacks)

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with non-negligible probability. (It is a "chosen-plaintext" attack because $A$ knows $k_e$ and may encrypt any message it likes; it only has to recover a message it did not choose.)

Accordingly, we measure the advantage of $A$ as

$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\big[m \xleftarrow{\$} \mathcal{M},\ c \leftarrow E_{k_e}(m) \,:\, A(k_e, c) = m\big]$

Goals Achieved by Practical Encryption Schemes

Integer-factoring based: RSA [Rivest-Shamir-Adleman 78]
  OW-CPA = RSA assumption (extracting modular $e$-th roots is hard)
  It is not IND-CPA, hence not IND-CCA, since it is deterministic: the adversary re-encrypts $m_0$ under the public key and compares the result with $c^*$.

Discrete-log based: ElGamal [ElGamal 85]
  OW-CPA = CDH (Computational Diffie-Hellman)
  IND-CPA = DDH (Decisional Diffie-Hellman)
  It is not IND-CCA because of multiplicativity: from $c^* = (g^r, m_b \cdot h^r)$ the adversary forms $(g^r, m_b \cdot h^r \cdot g)$, a valid encryption of $m_b \cdot g$ that differs from $c^*$, and asks the decryption oracle about it.

Obs.: CDH and DDH are problems no harder than DLog (DDH reduces to CDH, which reduces to DLog), so the CDH and DDH assumptions are correspondingly stronger than the DLog assumption.
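The two negative results above (textbook RSA fails IND-CPA because it is deterministic; ElGamal fails IND-CCA because of multiplicativity) can be checked by actually playing the games. The following Python is an added example written for this edit, not code from the slides: it implements the IND-CPA/IND-CCA2 game of the previous slides as a harness whose decryption oracle refuses $c^*$, and runs three adversaries against toy-sized keys (RSA with $N = 61 \cdot 53$, ElGamal over the safe prime $1019$; both constructed for illustration and insecure). The harness, the scheme functions and the adversary classes are all names chosen here.

```python
"""IND-CPA and IND-CCA2 games run against two toy public-key schemes.

Added example, not part of the lecture slides. The keys are tiny constructed
values (RSA N = 61 * 53, ElGamal over a 10-bit safe prime) chosen so the games
run instantly; they have no security at all and only illustrate the definitions.
"""
import random

# ---- Textbook RSA: deterministic (OW-CPA under the RSA assumption) ----------
RSA_N, RSA_E, RSA_D = 3233, 17, 2753          # constructed toy key, N = 61 * 53

def rsa_keygen(rng):
    return (RSA_N, RSA_E), RSA_D

def rsa_enc(pk, m, rng):
    n, e = pk
    return pow(m, e, n)                        # no randomness: same m gives same c

def rsa_dec(pk, sk, c):
    return pow(c, sk, pk[0])

# ---- ElGamal in the order-q subgroup of Z_p^*, p = 2q + 1 (toy sizes) --------
EG_P, EG_Q, EG_G = 1019, 509, 4               # 1019 is a safe prime; 4 has order 509

def eg_keygen(rng):
    x = rng.randrange(1, EG_Q)
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x

def eg_enc(pk, m, rng):
    p, g, h = pk
    r = rng.randrange(1, EG_Q)
    return (pow(g, r, p), m * pow(h, r, p) % p)   # (g^r, m * h^r)

def eg_dec(pk, sk, c):
    p = pk[0]
    c1, c2 = c
    return c2 * pow(c1, EG_Q - sk, p) % p      # c1 has order q, so c1^(q-x) = c1^(-x)

RSA = (rsa_keygen, rsa_enc, rsa_dec)
ELGAMAL = (eg_keygen, eg_enc, eg_dec)

def ind_game(scheme, adversary, cca2, trials=100, seed=2013):
    """Play the IND-CPA (cca2=False) or IND-CCA2 (cca2=True) game `trials`
    times and return the empirical advantage 2 * Pr[b' = b] - 1.
    The decryption oracle refuses the challenge ciphertext c*, as in the slides."""
    keygen, enc, dec = scheme
    rng = random.Random(seed)                  # seeded for reproducibility (toy only)
    wins = 0
    for _ in range(trials):
        pk, sk = keygen(rng)
        challenge = []                         # holds c* once it exists

        def oracle(c):
            if not cca2:
                raise PermissionError("no decryption oracle in the CPA game")
            if challenge and c == challenge[0]:
                raise PermissionError("c* may not be submitted to the oracle")
            return dec(pk, sk, c)

        m0, m1 = adversary.choose(pk, oracle, rng)
        b = rng.randrange(2)
        challenge.append(enc(pk, (m0, m1)[b], rng))
        wins += adversary.guess(pk, challenge[0], oracle, rng) == b
    return 2 * wins / trials - 1

class ReencryptAdversary:
    """Beats any deterministic scheme in the IND-CPA game: encrypt m0 yourself
    (the public key is known) and compare with c*."""
    def __init__(self, enc):
        self.enc = enc
    def choose(self, pk, oracle, rng):
        return 2, 3
    def guess(self, pk, cstar, oracle, rng):
        return 0 if self.enc(pk, 2, rng) == cstar else 1

class MalleabilityAdversary:
    """Beats ElGamal in the IND-CCA2 game: (c1, c2 * g) is a fresh, valid
    encryption of m_b * g, so the oracle decrypts it for us."""
    def choose(self, pk, oracle, rng):
        return 2, 3
    def guess(self, pk, cstar, oracle, rng):
        p, g, _ = pk
        c1, c2 = cstar
        m_times_g = oracle((c1, c2 * g % p))   # differs from c*, so it is answered
        return 0 if m_times_g * pow(g, -1, p) % p == 2 else 1

class GuessingAdversary:
    """Baseline: ignores c* and flips a coin, advantage about 0."""
    def choose(self, pk, oracle, rng):
        return 2, 3
    def guess(self, pk, cstar, oracle, rng):
        return rng.randrange(2)

if __name__ == "__main__":
    print("textbook RSA, IND-CPA, re-encryption:", ind_game(RSA, ReencryptAdversary(rsa_enc), cca2=False))
    print("ElGamal, IND-CCA2, malleability     :", ind_game(ELGAMAL, MalleabilityAdversary(), cca2=True))
    print("ElGamal, IND-CPA, re-encryption     :", ind_game(ELGAMAL, ReencryptAdversary(eg_enc), cca2=False, trials=2000))
    print("ElGamal, IND-CPA, coin flip         :", ind_game(ELGAMAL, GuessingAdversary(), cca2=False, trials=2000))
```

Running it gives advantage 1.0 for the re-encryption attack on RSA and for the malleability attack on ElGamal, and roughly 0 for the coin-flipping baseline. The same re-encryption adversary run against ElGamal in the CPA game also stays near 0, which is exactly the difference randomisation makes. The harness raises if an adversary touches the decryption oracle in the CPA game, so the malleability attack only succeeds with cca2=True: ElGamal's IND-CPA security (under DDH) and its IND-CCA insecurity are both visible in the same code.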

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme (encrypt by applying the function, decrypt with the trapdoor).

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G : \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: for a message $m \in \{0,1\}^{n-k_0-k_1}$ and a random $r \in \{0,1\}^{k_0}$, compute $x = (m \,\|\, 0^{k_1}) \oplus G(r)$ and $y = r \oplus H(x)$, then return $c = f(x \,\|\, y)$.

$D(c)$: compute $x \,\|\, y = f^{-1}(c)$, invert OAEP ($r = y \oplus H(x)$, then $m \,\|\, z = x \oplus G(r)$), then check the redundancy: output $m$ if $z = 0^{k_1}$, otherwise reject with $\perp$.

(The formulas for $x$ and $y$ are the standard two-round OAEP transform. The $k_1$ zero bits of redundancy are what let the decryptor reject ciphertexts that were not produced honestly; that rejection is the ingredient that turns a malleable $f$ into a scheme with a hope of IND-CCA.)
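To make the transform concrete, here is an added Python implementation of $f$-OAEP written for this edit (not taken from the slides or from any library), with $f$ instantiated by RSA. Everything not on the slide is an assumption of the example: the byte sizes $n = 26$, $k_0 = k_1 = 8$, SHA-256 truncated to length as the stand-ins for the random oracles $G$ and $H$, and a constructed toy modulus $(2^{127}-1)(2^{89}-1)$ that is far too small for real use. The `malleate` function shows why the redundancy check matters: RSA is multiplicative, so a related ciphertext is easy to build, but the decryptor rejects it.

```python
"""f-OAEP (Bellare-Rogaway 94) instantiated with a toy RSA permutation.

Added example, not from the slides. Choices made here (all assumptions of this
example): n = 26 bytes, k0 = k1 = 8 bytes, so a message is n - k0 - k1 = 10
bytes; G and H are SHA-256 truncated to the right length (standing in for the
random oracles); f is RSA with the constructed modulus (2^127 - 1)(2^89 - 1),
far too small for real use.
"""
import hashlib
import os

N_BYTES, K0, K1 = 26, 8, 8
M_BYTES = N_BYTES - K0 - K1                  # 10-byte messages

RSA_P, RSA_Q = 2**127 - 1, 2**89 - 1         # Mersenne primes, constructed toy key
RSA_N = RSA_P * RSA_Q                        # about 2^216 > 2^(8 * N_BYTES)
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

def G(r):                                    # {0,1}^k0 -> {0,1}^(n-k0)
    return hashlib.sha256(b"OAEP-G" + r).digest()[:N_BYTES - K0]

def H(x):                                    # {0,1}^(n-k0) -> {0,1}^k0
    return hashlib.sha256(b"OAEP-H" + x).digest()[:K0]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def f(xy):                                   # trapdoor one-way permutation (RSA)
    return pow(int.from_bytes(xy, "big"), RSA_E, RSA_N)

def f_inv(c):                                # needs the trapdoor d
    return pow(c, RSA_D, RSA_N).to_bytes(N_BYTES, "big")

def oaep_encrypt(m, r=None):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != M_BYTES:
        raise ValueError("message must be exactly %d bytes" % M_BYTES)
    r = os.urandom(K0) if r is None else r
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return f(x + y)

def oaep_decrypt(c):
    """D(c): x || y = f^-1(c), r = y xor H(x), m || z = x xor G(r);
    return m if the redundancy z == 0^k1 holds, else None (bottom)."""
    if not 0 <= c < RSA_N:
        return None
    try:
        xy = f_inv(c)
    except OverflowError:                    # preimage is not an n-bit string
        return None
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    mz = xor(x, G(r))
    if mz[M_BYTES:] != bytes(K1):            # redundancy check
        return None
    return mz[:M_BYTES]

def malleate(c):
    """RSA is multiplicative: c * 2^e mod N equals f(2 * (x || y)). Against
    plain RSA this is a valid related ciphertext; with OAEP the decryptor
    rejects it (the redundancy survives only with probability about 2^-64)."""
    return c * pow(2, RSA_E, RSA_N) % RSA_N

if __name__ == "__main__":
    msg = b"0123456789"
    c1, c2 = oaep_encrypt(msg), oaep_encrypt(msg)
    print("randomised:", c1 != c2, "decrypts:", oaep_decrypt(c1) == msg)
    print("tampered ciphertext rejected:", oaep_decrypt(malleate(c1)) is None)
```

Two things worth noticing when running it: encrypting the same message twice gives different ciphertexts (the scheme is randomised, so the re-encryption attack on textbook RSA no longer applies), and the multiplicatively related ciphertext is rejected. A real implementation must additionally make sure that the rejection does not reveal which check failed (range check versus redundancy check); an attacker who can tell the two apart recovers plaintexts from RSA-OAEP (Manger, CRYPTO 2001), which is a reminder that the proof covers the abstract $D(c)$, not its side channels.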

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

The square root is what makes the bound loose: an adversary with advantage $\epsilon$ against RSA-OAEP only yields an RSA inverter with success about $\epsilon^2/4$.

Taking feasible bounds $t \le 2^{75}$ and $q_G, q_H \le 2^{55}$, inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$. The proof only says something when this $t'$ is below the cost of the best known attack (NFS) at that key size:

1024 bits $\rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is provably secure for keys of at least 4096 bits; the reduction is not tight.


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher, analysed in the ideal cipher model.

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations, one per key, to which every party (including the adversary) has oracle access in both directions.

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage against $f$-OAEP++ and the OW-CPA advantage against $f = $ RSA is more involved, but essentially linear (no square root).

As before, suppose feasible security bounds for any adversary attacking $f = $ RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal-cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits $\rightarrow$ $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits $\rightarrow$ $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits $\rightarrow$ $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is provably secure for keys of 1024 bits or more: a tighter reduction buys three key sizes without changing the underlying assumption.

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: easy to implement, widely used.
Drawbacks: they require large keys when instantiated in finite fields, and they are all subject to quantum attacks (Shor's algorithm).

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices


                                                                                                                                                    Part V

                                                                                                                                                    Concluding Remarks


Limits and Benefits of Provable Security

Provable security does not yield absolute proofs:

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs were given for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode was attacked [Albrecht 09]; then proofs for the other mode were given in a better model [Paterson et al. 10]. Are we going around in circles (model, attack, remodel)? Crypto as physics [Nguyen 12, Degabriele et al. 11].

Limits and Benefits of Provable Security (cont.)

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

                                                                                                                                                    Part VI

                                                                                                                                                    References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987 (conference held 11–15 Aug. 1986).

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

                                                                                                                                                    K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                                    D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                                    7577

                                                                                                                                                    R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                                    C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                                    V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                                    7677

                                                                                                                                                    V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                                    S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                                    7777

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References

Security Notions: Security Notion for Signature Schemes, Security Notion for Encryption Schemes

A Weaker Security Notion: OW-CPA

It may be helpful to consider a weaker security goal too.

Consider the game:

Let $m$ be a random message chosen from the message space $\mathcal{M}$.

From the ciphertext $c = E_{k_e}(m)$, adversary $A$ must recover $m$.

A scheme $\mathcal{AS}$ is One-Way under chosen-plaintext attack (OW-CPA) if no feasible adversary $A$ can win the above game with reasonable probability.

Accordingly, we measure the advantage of $A$ as

$$\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{\mathcal{AS}}(A) = \Pr\left[\, m \xleftarrow{\$} \mathcal{M};\ c \leftarrow E_{k_e}(m)\ :\ A(k_e, c) = m \,\right]$$

Goals Achieved by Practical Encryption Schemes

Integer Factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA = RSA (modular $e$-th roots). It's not IND-CPA nor IND-CCA, since it's deterministic.

Discrete-Log-based: ElGamal [ElGamal 78]

OW-CPA = CDH (Computational Diffie-Hellman); IND-CPA = DDH (Decisional Diffie-Hellman). It's not IND-CCA because of multiplicativity.

Obs.: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog).

Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield an OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


$f$-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation, and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

$E(m, r)$: Compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: Compute $x \| y = f^{-1}(c)$, invert OAEP, then check redundancy.
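The padding on this slide, instantiated with textbook RSA as $f$, as an added example that is not code from the tutorial. It also illustrates the previous slide's point that plain RSA is deterministic while $f$-OAEP is randomised and rejects modified ciphertexts. Assumptions not stated on the slide: the formulas $x = (m \| 0^{k_1}) \oplus G(r)$, $y = r \oplus H(x)$ (the standard Bellare-Rogaway definition), SHA-256 in MGF1 style standing in for the random oracles $G$ and $H$, and constructed toy parameters.

```python
"""f-OAEP instantiated with textbook RSA as the trapdoor permutation f.
Added example, not code from the tutorial. Assumed: x = (m || 0^k1) xor G(r),
y = r xor H(x) (standard OAEP), SHA-256 in MGF1 style for the oracles G and H,
and constructed toy parameters far too small for real use.
"""
import hashlib
import secrets
from typing import Optional

# Constructed parameters: f acts on n-bit strings, r has k0 bits, and k1 zero
# bits of redundancy are appended to m, so messages are n - k0 - k1 bits.
# The slide requires n > k0 + k1.
N_BITS, K0, K1 = 80, 24, 24
M_BITS = N_BITS - K0 - K1          # 32-bit messages

# Toy RSA trapdoor permutation f(z) = z^e mod N. N > 2^n, so every n-bit
# string x||y lies in the domain. p = 2^31 - 1 and q = 2^61 - 1 are primes.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the trapdoor (Python >= 3.8)


def _oracle(label: bytes, z: int, in_bits: int, out_bits: int) -> int:
    """Random-oracle stand-in: hash label || z (an in_bits-bit string) with a
    counter until out_bits bits are available, then keep the leading bits."""
    data = z.to_bytes((in_bits + 7) // 8, "big")
    out, counter = b"", 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(label + data + counter.to_bytes(4, "big")).digest()
        counter += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - out_bits)


def G(r: int) -> int:
    """G: {0,1}^k0 -> {0,1}^(n-k0)."""
    return _oracle(b"G", r, K0, N_BITS - K0)


def H(x: int) -> int:
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return _oracle(b"H", x, N_BITS - K0, K0)


def oaep_pad(m: int, r: int) -> int:
    """Return the n-bit string x || y with x = (m || 0^k1) xor G(r), y = r xor H(x)."""
    if not (0 <= m < (1 << M_BITS) and 0 <= r < (1 << K0)):
        raise ValueError("message or randomness out of range")
    x = (m << K1) ^ G(r)
    y = r ^ H(x)
    return (x << K0) | y


def oaep_unpad(xy: int) -> Optional[int]:
    """Invert the padding. Return m, or None if the k1 redundancy bits are not 0."""
    x, y = xy >> K0, xy & ((1 << K0) - 1)
    r = y ^ H(x)
    mz = x ^ G(r)
    if mz & ((1 << K1) - 1):        # redundancy check failed: reject
        return None
    return mz >> K1


def encrypt(m: int, r: Optional[int] = None) -> int:
    """E(m, r): compute x, y, then return c = f(x || y). Fresh r each call."""
    if r is None:
        r = secrets.randbits(K0)
    return pow(oaep_pad(m, r), E, N)


def decrypt(c: int) -> Optional[int]:
    """D(c): x || y = f^{-1}(c), invert OAEP, then check redundancy."""
    if not 0 <= c < N:
        return None
    xy = pow(c, D, N)
    if xy >> N_BITS:                 # f^{-1}(c) is not an n-bit string: reject
        return None
    return oaep_unpad(xy)


def demo() -> tuple:
    """Round trip plus the two properties textbook RSA lacks (previous slide)."""
    m = 0xDEADBEEF
    c1, c2 = encrypt(m), encrypt(m)
    round_trip = decrypt(c1) == m and decrypt(c2) == m
    # Plain RSA is deterministic; with a fresh r, repeated encryptions differ.
    randomised = c1 != c2
    # A modified ciphertext fails the redundancy check (except with probability
    # about 2^-k1), so D rejects instead of returning a related plaintext.
    rejects_tampering = decrypt(c1 ^ 1) is None
    return round_trip, randomised, rejects_tampering


if __name__ == "__main__":
    print(demo())                    # (True, True, True)
```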


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H, q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size, and $e$ is small.

Solving (inverting) $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: $f$-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.

Improving the reduction: $f$-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f$ = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f$ = RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H, q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and $e$-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

                                                                                                                                                      Concluding Remarks

                                                                                                                                                      Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed (within the model and under the assumptions used);

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


                                                                                                                                                      Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                                                                                                                      Part VI

                                                                                                                                                      References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 30th IEEE Symposium on Security and Privacy, 2009, pages 16-26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology - EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology - EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology - EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409-426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557-594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology - CRYPTO 2008, pages 1-20. Springer, 2008.


J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33-41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644-654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469-472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology - CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer-Verlag, 1987. 11-15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.


S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270-299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281-308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89-98. ACM, 2011.


J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255-293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.


P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22-23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology - EUROCRYPT 2010, pages 345-361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.


R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239-252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference - EUROCRYPT '97, pages 256-266, 1997.


V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. Journal of Cryptology, 14(2):87-100, 2001.


• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
    • References


                                                                                                                                                        Goals Achieved by Practical Encryption Schemes

Integer-factoring-based: RSA [Rivest-Shamir-Adleman 78]

OW-CPA ⇔ RSA problem (extracting modular e-th roots). It is neither IND-CPA nor IND-CCA, since it is deterministic: anyone can re-encrypt a candidate plaintext and compare.

Discrete-log-based: ElGamal [ElGamal 85]

OW-CPA ⇔ CDH (Computational Diffie-Hellman). IND-CPA ⇔ DDH (Decisional Diffie-Hellman). It is not IND-CCA because of its multiplicativity: if (c1, c2) encrypts m, then (c1, k·c2) is a valid encryption of k·m.

Observation: CDH and DDH are weaker problems than DLog (DDH reduces to CDH, which reduces to DLog), so assuming they are hard is a stronger assumption than assuming DLog is hard.
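As an added example (not part of the original slides), the following Python code plays the IND-CCA game against a toy ElGamal scheme over Z_p^* and runs the adversary that the multiplicativity remark describes: it re-randomizes the challenge by a known factor k, gets the result decrypted by the oracle (which only refuses the challenge itself), and divides k back out. The parameters p = 2^127 - 1, g = 3 and the two messages are constructed for illustration; the attack does not depend on them.

```python
import secrets

# Toy ElGamal over Z_p^* with p = 2^127 - 1 (a Mersenne prime) and g = 3.
# These parameters are constructed for the demonstration: the group is far
# too small for real use and g does not generate a prime-order subgroup.
# The attack below works for any choice of group, which is the point.
P = 2**127 - 1
G = 3


def keygen():
    """Secret key x, public key y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """ElGamal encryption: (g^r, m * y^r) for a fresh random r."""
    if not 1 <= m < P:
        raise ValueError("message must be in [1, p-1]")
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P


def decrypt(x, ct):
    """m = c2 / c1^x mod p (inverse via Fermat, since p is prime)."""
    c1, c2 = ct
    shared = pow(c1, x, P)
    return (c2 * pow(shared, P - 2, P)) % P


def ind_cca_game(m0, m1, adversary):
    """IND-CCA challenger: the adversary sees the public key, the challenge
    ciphertext of m_b and a decryption oracle that refuses only the challenge
    ciphertext itself. Returns True if the adversary guesses b correctly."""
    x, y = keygen()
    b = secrets.randbelow(2)
    challenge = encrypt(y, (m0, m1)[b])

    def dec_oracle(ct):
        if ct == challenge:
            raise ValueError("the oracle does not decrypt the challenge")
        return decrypt(x, ct)

    return adversary(y, m0, m1, challenge, dec_oracle) == b


def malleability_adversary(y, m0, m1, challenge, dec_oracle):
    """Multiplying c2 by k turns Enc(m_b) into a valid, *different* ciphertext
    of k*m_b. The oracle decrypts it, and dividing out k recovers m_b."""
    c1, c2 = challenge
    k = 2
    km = dec_oracle((c1, (c2 * k) % P))
    m = (km * pow(k, P - 2, P)) % P
    return 0 if m == m0 else 1


def attack_success_rate(trials=20):
    """Fraction of games won by the malleability adversary; expected 1.0,
    against the 1/2 a secure scheme would allow."""
    wins = sum(ind_cca_game(1234567, 7654321, malleability_adversary)
               for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("IND-CCA adversary success rate:", attack_success_rate())
```

The same re-randomization is exactly what an IND-CPA adversary cannot do anything with (there is no decryption oracle), which is why ElGamal can be IND-CPA under DDH and still fail IND-CCA.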


                                                                                                                                                        Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function f yields a OW-CPA encryption scheme (encrypt m as f(m)).

OW-CPA is not enough for IND-CPA, let alone IND-CCA (f(m) is deterministic).

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.


f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation on {0,1}^n, and n, k0, k1 integers such that n > k0 + k1, with hash functions (modelled as random oracles)

G: {0,1}^{k0} → {0,1}^{n-k0}

H: {0,1}^{n-k0} → {0,1}^{k0}

E(m, r): for a message m ∈ {0,1}^{n-k0-k1} and random r ∈ {0,1}^{k0}, compute x = (m || 0^{k1}) ⊕ G(r) and y = r ⊕ H(x), then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP (r = y ⊕ H(x), m || z = x ⊕ G(r)), then check the redundancy z = 0^{k1} and reject the ciphertext if it fails.
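An added Python example (not code from the slides) that instantiates f-OAEP with f = textbook RSA, serving both this slide and the RSA bullet of the "Goals Achieved" slide. The modulus is built from the Mersenne primes 2^89 - 1 and 2^107 - 1, G and H are derived from SHAKE-256 with domain tags, and n = 192, k0 = k1 = 64 bits and the 8-byte sample message are all constructed for the example; none of this is a real parameter set. It shows textbook RSA being deterministic, RSA-OAEP being randomized, and the redundancy check rejecting a ciphertext forged through RSA's multiplicativity.

```python
import hashlib
import secrets

# Trapdoor permutation f: textbook RSA over a toy modulus built from the
# Mersenne primes 2^89 - 1 and 2^107 - 1 (constructed for the example; a
# ~196-bit modulus is nowhere near a real key size).
P_RSA, Q_RSA = 2**89 - 1, 2**107 - 1
N = P_RSA * Q_RSA
E = 65537
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))

# OAEP parameters in bytes (constructed): n = 192 bits so that every x||y is
# below N; k0 = 64 bits of randomness, k1 = 64 bits of zero redundancy, which
# leaves 64-bit messages.
N_BYTES, K0, K1 = 24, 8, 8
MSG_LEN = N_BYTES - K0 - K1


def G(r):
    """G: {0,1}^k0 -> {0,1}^(n-k0), modelled by SHAKE-256 with a domain tag."""
    return hashlib.shake_256(b"G" + r).digest(N_BYTES - K0)


def H(x):
    """H: {0,1}^(n-k0) -> {0,1}^k0."""
    return hashlib.shake_256(b"H" + x).digest(K0)


def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))


def textbook_rsa_encrypt(m):
    """Plain RSA: c = m^e mod N. The same m always gives the same c."""
    return pow(int.from_bytes(m, "big"), E, N)


def oaep_encrypt(m):
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), c = f(x || y)."""
    if len(m) != MSG_LEN:
        raise ValueError(f"message must be exactly {MSG_LEN} bytes")
    r = secrets.token_bytes(K0)
    x = xor(m + bytes(K1), G(r))
    y = xor(r, H(x))
    return pow(int.from_bytes(x + y, "big"), E, N)


def oaep_decrypt(c):
    """D(c): x || y = f^-1(c), undo OAEP, check the k1 zero bytes.
    Returns None (reject) when the redundancy check fails."""
    v = pow(c, D, N)
    if v >= 1 << (8 * N_BYTES):
        return None  # f^-1(c) is not an n-bit string: not a valid encoding
    xy = v.to_bytes(N_BYTES, "big")
    x, y = xy[:N_BYTES - K0], xy[N_BYTES - K0:]
    r = xor(y, H(x))
    padded = xor(x, G(r))
    m, redundancy = padded[:MSG_LEN], padded[MSG_LEN:]
    if redundancy != bytes(K1):
        return None
    return m


def textbook_is_deterministic(m):
    return textbook_rsa_encrypt(m) == textbook_rsa_encrypt(m)


def oaep_is_randomized(m):
    return oaep_encrypt(m) != oaep_encrypt(m)


def oaep_rejects_tampering(m):
    """Use RSA's multiplicativity, c * 2^e = f(2 * (x||y)) mod N: textbook RSA
    would decrypt this to a related plaintext, OAEP's redundancy throws it out."""
    c = oaep_encrypt(m)
    forged = (c * pow(2, E, N)) % N
    return oaep_decrypt(forged) is None


if __name__ == "__main__":
    msg = b"attack!!"  # constructed 8-byte sample message
    print("textbook RSA deterministic:", textbook_is_deterministic(msg))
    print("RSA-OAEP randomized:      ", oaep_is_randomized(msg))
    print("RSA-OAEP rejects forgery: ", oaep_rejects_tampering(msg))
    print("roundtrip:", oaep_decrypt(oaep_encrypt(msg)))
```

Note that the decryptor returns a single failure value for both the range check and the redundancy check; distinguishable failures are what Manger-style attacks on real OAEP implementations exploit, so keep the error paths indistinguishable in practice.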


                                                                                                                                                        RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain one-wayness) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{N,e}(B)}$

where B runs in time t' = 2·t + q_H·(2·q_G + q_H)·k², if A runs in time t and makes q_H and q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Inverting f (solving RSA) can then be done in time t' ≤ 2^76 + 6·2^110·k² ≤ 2^113·k² (taking t ≤ 2^75 and q_G, q_H ≤ 2^55 as the adversary's budget), and

1024 bits → t' ≤ 2^133, but NFS takes 2^80: no

2048 bits → t' ≤ 2^135, but NFS takes 2^111: no

4096 bits → t' ≤ 2^137, but NFS takes 2^149: ok

⇒ RSA-OAEP is provably secure only for keys of at least 4096 bits: the reduction is not tight (note the square root and the q_H·q_G factor).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random r and the output of H) is replaced by a strong block cipher (analysed in the ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations, one per key.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved but essentially linear.

As before, suppose the feasible budget for any adversary attacking f = RSA is

at most 2^75 operations (t),

at most 2^55 hash queries (q_H, q_G) and ideal-cipher queries (q_E).

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E·k² ≤ 2^75 + 2^55·k², and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is provably secure for keys of 1024 bits or more.


Revisiting the Assumptions

Classical Assumptions:

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Concluding Remarks

Part V

Concluding Remarks

63/77


Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then (one mode) attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77


Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77


Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACMTISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77



Achieving Stronger Goals

We would like to obtain IND-CCA.

What we know at this point:

Any trapdoor one-way function may yield a OW-CPA encryption scheme.

OW-CPA is not enough for IND-CPA, nor for IND-CCA.

So how do we obtain IND-CCA?

Generic conversion from weakly secure to strongly secure schemes.

57/77



f-OAEP [Bellare-Rogaway 1994]

Let $f$ be a trapdoor one-way permutation and $n, k_0, k_1$ integers such that $n > k_0 + k_1$, with

$G: \{0,1\}^{k_0} \rightarrow \{0,1\}^{n-k_0}$

$H: \{0,1\}^{n-k_0} \rightarrow \{0,1\}^{k_0}$

$E(m, r)$: Compute $x, y$, then return $c = f(x \| y)$.

$D(c)$: Compute $x \| y = f^{-1}(c)$, invert OAEP, then check the redundancy.

58/77
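The f-OAEP encryption and decryption just described, as an added example that is not part of the original slides. It assumes the Bellare-Rogaway padding x = (m || 0^k1) ⊕ G(r), y = r ⊕ H(x), instantiates the random oracles G and H with SHA-256, and uses textbook RSA on two small known primes as a toy trapdoor permutation f; the sizes n = 88, k0 = 16, k1 = 24 bits are constructed toy values, so nothing here is a secure parameter choice.

```python
import hashlib
import os
from typing import Optional

# --- OAEP sizes (toy values chosen for this example), in bytes; n > k0 + k1 as on the slide ---
N_BYTES = 11                      # n  = 88 bits: the block x||y that f acts on
K0 = 2                            # k0 = 16 bits: random seed r (far too short for real use)
K1 = 3                            # k1 = 24 bits: zero redundancy that D(c) checks
MSG_BYTES = N_BYTES - K0 - K1     # n - k0 - k1 = 6 bytes of message per block

# --- Toy trapdoor one-way permutation: textbook RSA on two Mersenne primes (NOT secure) ---
P = (1 << 31) - 1
Q = (1 << 61) - 1
MOD = P * Q                       # ~2^92 > 2^88, so every 88-bit block x||y lies below the modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1)) # the trapdoor (e is coprime to (P-1)(Q-1) for these primes)


def f(z: int) -> int:
    return pow(z, E, MOD)


def f_inv(c: int) -> int:
    return pow(c, D, MOD)


def G(r: bytes) -> bytes:
    """G: {0,1}^k0 -> {0,1}^(n-k0); SHA-256 stands in for the random oracle."""
    return hashlib.sha256(b"G" + r).digest()[:N_BYTES - K0]


def H(x: bytes) -> bytes:
    """H: {0,1}^(n-k0) -> {0,1}^k0; SHA-256 stands in for the random oracle."""
    return hashlib.sha256(b"H" + x).digest()[:K0]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def oaep_encrypt(m: bytes, r: Optional[bytes] = None) -> int:
    """E(m, r): x = (m || 0^k1) xor G(r), y = r xor H(x), return c = f(x || y)."""
    if len(m) != MSG_BYTES:
        raise ValueError("message must be exactly n - k0 - k1 bits")
    if r is None:
        r = os.urandom(K0)          # fresh seed: the source of IND (probabilistic) encryption
    x = xor(m + b"\x00" * K1, G(r))
    y = xor(r, H(x))
    return f(int.from_bytes(x + y, "big"))


def oaep_decrypt(c: int) -> Optional[bytes]:
    """D(c): x || y = f^{-1}(c), invert OAEP, then check the k1 zero bits; None means reject."""
    if not 0 <= c < MOD:
        return None                                 # not in the range of f
    z = f_inv(c)
    if z >= 1 << (8 * N_BYTES):
        return None                                 # preimage is not an n-bit block
    block = z.to_bytes(N_BYTES, "big")
    x, y = block[:N_BYTES - K0], block[N_BYTES - K0:]
    r = xor(y, H(x))                                # recover the seed
    padded = xor(x, G(r))                           # equals m || 0^k1 for an honest ciphertext
    m, redundancy = padded[:MSG_BYTES], padded[MSG_BYTES:]
    if redundancy != b"\x00" * K1:
        return None                                 # redundancy check failed: reject
    return m


if __name__ == "__main__":
    c = oaep_encrypt(b"secret")
    print(oaep_decrypt(c))          # b'secret'
    print(oaep_decrypt(c ^ 1))      # None: a modified ciphertext fails the redundancy check
```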


RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\text{ind-cca}}_{\text{RSA-OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\text{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and:

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77
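The exact-security accounting behind this table and the f-OAEP++ table, as an added example that is not part of the original slides. It evaluates the two stated inverter running times $t'$ for the slides' budget ($t \le 2^{75}$, at most $2^{55}$ queries per oracle) and compares them with the NFS costs quoted on the slides; because the formulas are evaluated exactly rather than rounded up, the exponents come out slightly below the slides' bounds, while the per-key-size verdicts are the same.

```python
import math
from typing import Callable, Dict, Tuple

# Feasible-attack budget assumed on the slides (log2): t <= 2^75 operations and
# at most 2^55 queries to each of H, G and the ideal cipher E.
T_LOG2 = 75
Q_LOG2 = 55

# Cost of the Number Field Sieve on a k-bit RSA modulus, as quoted on the slides (log2).
NFS_LOG2: Dict[int, int] = {1024: 80, 2048: 111, 4096: 149}

# A reduction maps (adversary time t, per-oracle query bound q, modulus bits k)
# to the running time t' of the RSA inverter it builds from the adversary.
Reduction = Callable[[int, int, int], int]


def rsa_oaep_reduction(t: int, q: int, k: int) -> int:
    """t' = 2t + q_H(2q_G + q_H) k^2, the [Fujisaki-OPS 00] bound with q_H = q_G = q."""
    return 2 * t + q * (2 * q + q) * k ** 2


def oaep_pp_reduction(t: int, q: int, k: int) -> int:
    """t' = t + q_E k^2, the essentially linear f-OAEP++ bound with q_E = q."""
    return t + q * k ** 2


def inverter_exponent(reduction: Reduction, k: int) -> float:
    """log2 of the inverter's running time under the slides' budget at modulus size k."""
    return math.log2(reduction(2 ** T_LOG2, 2 ** Q_LOG2, k))


def proof_is_meaningful(reduction: Reduction, k: int) -> bool:
    """The proof says something only if the inverter it yields is cheaper than NFS on k bits."""
    return inverter_exponent(reduction, k) < NFS_LOG2[k]


def key_size_table(reduction: Reduction) -> Dict[int, Tuple[float, bool]]:
    """Reproduce the slides' per-key-size verdicts: k -> (log2 t', ok?)."""
    return {k: (inverter_exponent(reduction, k), proof_is_meaningful(reduction, k))
            for k in sorted(NFS_LOG2)}


def minimum_meaningful_key_size(reduction: Reduction) -> int:
    """Smallest listed modulus size at which the reduction beats NFS (0 if none does)."""
    for k in sorted(NFS_LOG2):
        if proof_is_meaningful(reduction, k):
            return k
    return 0


if __name__ == "__main__":
    for name, red in (("RSA-OAEP", rsa_oaep_reduction), ("RSA-OAEP++", oaep_pp_reduction)):
        for k, (exp, ok) in key_size_table(red).items():
            print(f"{name:11s} {k} bits: t' ~ 2^{exp:.1f}, NFS 2^{NFS_LOG2[k]}: {'ok' if ok else 'no'}")
        print(f"{name}: proof meaningful from {minimum_meaningful_key_size(red)} bits")
```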


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider block cipher E as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most 2^75 operations (t)

at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E·k^2 ≤ 2^75 + 2^55·k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used. Drawbacks: Require large keys if in finite fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04], [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

                                                                                                                                                            Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                                                                                                            Achieving Stronger Goals

                                                                                                                                                            We would like to obtain IND-CCA

                                                                                                                                                            What we know at this point

                                                                                                                                                            Any trapdoor one-way function may yield a OW-CPAencryption scheme

                                                                                                                                                            OW-CPA not enough to IND-CPA nor IND-CCA

                                                                                                                                                            So how do we obtain IND-CCAGeneric conversion from weakly secure to strongly secure schemes

                                                                                                                                                            5777

                                                                                                                                                            Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                                                                                                            f -OAEP [Bellare-Rogaway 1994]

                                                                                                                                                            Let f be a trapdoor one-way permutation n k0 k1 integers suchthat n gt k0 + k1 with

                                                                                                                                                            G 0 1k0 rarr 0 1nminusk0

                                                                                                                                                            H 0 1nminusk0 rarr 0 1k0

                                                                                                                                                            E(m r) Compute x y then return c = f (x ||y)

                                                                                                                                                            D(c) Compute x ||y = f minus1(c) invert OAEP then checkredundancy



                                                                                                                                                            RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size, and $e$ is small.

Solving (inverting $f$) can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits $\Rightarrow$ $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits $\Rightarrow$ $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits $\Rightarrow$ $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP is secure for keys of at least 4096 bits (not tight).



Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations, one per key.


Improving the reduction: f-OAEP++ (cont.)

                                                                                                                                                            Advantage Bound

The relation (bound) between the IND-CCA advantage of $f$-OAEP++ and the OW-CPA advantage of $f = \mathrm{RSA}$ is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking $f = \mathrm{RSA}$ are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits $\Rightarrow$ $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits $\Rightarrow$ $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits $\Rightarrow$ $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

$\Rightarrow$ RSA-OAEP++ is secure for keys of 1024 bits or more.


                                                                                                                                                            Revisiting the Assumptions

                                                                                                                                                            Classical Assumptions

                                                                                                                                                            Integer Factoring

                                                                                                                                                            Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                                                                                                            Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used. Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

                                                                                                                                                            Error-Correcting Codes

                                                                                                                                                            Hash-based schemes

                                                                                                                                                            Systems of Multi-Variate Equations

                                                                                                                                                            Lattices


                                                                                                                                                            Concluding Remarks

                                                                                                                                                            Part V

                                                                                                                                                            Concluding Remarks


                                                                                                                                                            Limits and Benefits of Provable Security

Provable security does not yield proofs.

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then (one mode) attacked [Albrecht 09]; then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]


                                                                                                                                                            Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)


                                                                                                                                                            Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

                                                                                                                                                            Further information

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).


                                                                                                                                                            Part VI

                                                                                                                                                            References


M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.


M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.


J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.


S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.


J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.


P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.


R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.


V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.


• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provably Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

f-OAEP [Bellare-Rogaway 1994]

Let f be a trapdoor one-way permutation and n, k0, k1 integers such that n > k0 + k1, with

$G : \{0,1\}^{k_0} \to \{0,1\}^{n-k_0}$

$H : \{0,1\}^{n-k_0} \to \{0,1\}^{k_0}$

E(m, r): compute x, y (the OAEP padding of m under the randomness r), then return c = f(x || y).

D(c): compute x || y = f^{-1}(c), invert OAEP, then check the redundancy.

58/77
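Worked example added here (not code from the slides or from Bellare and Rogaway): the f-OAEP transform with f instantiated as textbook RSA on a small, freshly generated key, the oracles G and H instantiated with a SHA-256 mask generator, and D returning the same failure value whether f^{-1}(c) falls outside {0,1}^n or the k1 redundancy bits are wrong. The slide's figure defining x and y did not survive extraction; the code uses the standard Bellare-Rogaway definitions x = (m || 0^{k1}) xor G(r) and y = r xor H(x). The parameter sizes, the prime generator and all function names are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# f-OAEP parameters (constructed, small for illustration): n > k0 + k1 bits.
N_BITS, K0, K1 = 256, 64, 64
M_BITS = N_BITS - K0 - K1   # plaintext length in bits
PRIME_BITS = 136            # p*q >= 2^270 > 2^256, so every n-bit string is in Z_N

_rng = secrets.SystemRandom()

def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (assumed helper, not from the slides)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        p = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def keygen(e=65537):
    """f(x) = x^e mod N is the trapdoor one-way permutation; d is the trapdoor."""
    while True:
        p, q = gen_prime(PRIME_BITS), gen_prime(PRIME_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def mgf(label, seed, out_len):
    """SHA-256 in counter mode, standing in for the random oracles G and H."""
    blocks = (hashlib.sha256(label + seed + i.to_bytes(4, "big")).digest()
              for i in range((out_len + 31) // 32))
    return b"".join(blocks)[:out_len]

def G(r):  # G: {0,1}^k0 -> {0,1}^(n-k0)
    return mgf(b"G", r, (N_BITS - K0) // 8)

def H(x):  # H: {0,1}^(n-k0) -> {0,1}^k0
    return mgf(b"H", x, K0 // 8)

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def oaep_pad(m, r):
    """x = (m || 0^k1) xor G(r), y = r xor H(x); returns x || y."""
    assert len(m) == M_BITS // 8 and len(r) == K0 // 8
    x = xor(m + bytes(K1 // 8), G(r))
    y = xor(r, H(x))
    return x + y

def oaep_unpad(xy):
    """Undo the padding; None unless the k1 redundancy bits are all zero."""
    x, y = xy[:(N_BITS - K0) // 8], xy[(N_BITS - K0) // 8:]
    r = xor(y, H(x))
    m_z = xor(x, G(r))
    m, z = m_z[:M_BITS // 8], m_z[M_BITS // 8:]
    return m if z == bytes(K1 // 8) else None

def encrypt(pk, m, r=None):
    """E(m, r): c = f(x || y), with a fresh k0-bit r unless one is supplied."""
    N, e = pk
    r = secrets.token_bytes(K0 // 8) if r is None else r
    return pow(int.from_bytes(oaep_pad(m, r), "big"), e, N)

def decrypt(sk, c):
    """D(c): x || y = f^-1(c), invert OAEP, check redundancy. A value outside
    {0,1}^n and a bad redundancy both return the same None on purpose."""
    N, d = sk
    xy = pow(c, d, N)
    if xy >> N_BITS:
        return None
    return oaep_unpad(xy.to_bytes(N_BITS // 8, "big"))
```

The redundancy check is what lets a proof turn the one-wayness of f into chosen-ciphertext security: a ciphertext that was not produced by E (for instance c multiplied by 2^e mod N, which textbook RSA would happily decrypt to 2·(x || y)) unpads to a random string whose k1 trailing bits are all zero with probability only 2^{-k1}. The decryptor must also report the two failure paths identically, since a decryption routine that tells the caller which check failed leaks information the security model does not allow the adversary to have.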

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathbf{Adv}^{\mathrm{rsa}}_{n,e}(B)}$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time t and makes q_H, q_G queries to the oracles H and G respectively, k is the modulus size and e is small.

Solving (inverting f) can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits: $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits: $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits: $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (the reduction is not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family, indexed by the key, of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved, but essentially linear.

As before, suppose the feasible security bounds for any adversary attacking f = RSA are

at most $2^{75}$ operations (t)

at most $2^{55}$ hash queries (q_H, q_G) and ideal cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits: $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits: $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits: $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
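Worked example added here (not from the slides) that turns the two reductions above, RSA-OAEP and RSA-OAEP++, into the key-size tables they produce. It codes the inverter running times t' = 2t + q_H(2q_G + q_H)k^2 and t' = t + q_E k^2 with the resource bounds the slides assume (2^75 operations, 2^55 queries of each kind) and compares them with the NFS factoring costs the slides quote for each modulus size (2^80, 2^111, 2^149; the slides give no formula, so they are embedded as a table). Computed exactly, the bounds come out a little below the slides' rounded figures (for instance 2^132 rather than 2^133 for RSA-OAEP at 1024 bits), but the verdicts are the same. The function names are my own.

```python
# Feasible adversary resources assumed on the slides.
T_ADV = 2 ** 75      # running time t
Q_ORACLE = 2 ** 55   # queries of each kind: q_H, q_G, q_E

# NFS cost of factoring a k-bit modulus, as log2 of the operation count
# (values copied from the slides; they state no formula).
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def oaep_inverter_time(t, q_h, q_g, k):
    """Running time t' of the RSA inverter B obtained from the [Fujisaki-OPS 00]
    reduction, given an IND-CCA adversary against RSA-OAEP with time t and
    q_H, q_G random-oracle queries; k is the modulus size in bits."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k


def oaep_pp_inverter_time(t, q_e, k):
    """Running time t' of the inverter in Jonsson's OAEP++ reduction; the loss
    is linear in the number q_E of ideal-cipher queries."""
    return t + q_e * k * k


def log2_ceil(n):
    """Smallest integer b with n <= 2^b, exact on Python integers."""
    return (n - 1).bit_length()


def reduction_is_meaningful(t_prime, k):
    """The proof says something at key size k only if the inverter it builds
    would beat the best known factoring algorithm; otherwise breaking the
    scheme in the assumed resources is not ruled out by the reduction."""
    return log2_ceil(t_prime) <= NFS_LOG2[k]


def key_size_table():
    """Reproduce both slide tables: log2 bound on t' under each reduction and
    whether that modulus size is covered by the proof."""
    rows = {}
    for k in sorted(NFS_LOG2):
        t_oaep = oaep_inverter_time(T_ADV, Q_ORACLE, Q_ORACLE, k)
        t_pp = oaep_pp_inverter_time(T_ADV, Q_ORACLE, k)
        rows[k] = {
            "nfs_log2": NFS_LOG2[k],
            "oaep_log2": log2_ceil(t_oaep),
            "oaep_ok": reduction_is_meaningful(t_oaep, k),
            "oaep_pp_log2": log2_ceil(t_pp),
            "oaep_pp_ok": reduction_is_meaningful(t_pp, k),
        }
    return rows


def minimum_covered_key_size(ok_key):
    """Smallest modulus size at which the chosen reduction ('oaep_ok' or
    'oaep_pp_ok') is meaningful, or None if no listed size is covered."""
    for k, row in key_size_table().items():
        if row[ok_key]:
            return k
    return None


if __name__ == "__main__":
    for k, row in key_size_table().items():
        print(k, row)
```

This is the "exact security" step the concluding slides ask for: the same asymptotic statement (RSA-OAEP is IND-CCA secure under the RSA assumption) yields a usable key size of 4096 bits under the quadratic-loss reduction and 1024 bits under the linear-loss one, so tightness, not just the existence of a proof, is what a deployment decision rests on.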

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs (in the absolute sense):

Proofs are relative to computational assumptions and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

                                                                                                                                                              • Introduction to Provable Security
                                                                                                                                                              • Introduction
                                                                                                                                                                • Introduction to Cryptography
                                                                                                                                                                  • What Cryptography is about
                                                                                                                                                                  • Classic Goals
                                                                                                                                                                      • Provable Security
                                                                                                                                                                        • Provable Security
                                                                                                                                                                          • Provably Security The Short Story
                                                                                                                                                                          • The need for Provable Security
                                                                                                                                                                              • Reductions
                                                                                                                                                                              • Security Notions
                                                                                                                                                                                • Security Notions
                                                                                                                                                                                  • Security Notion for Signature Schemes
                                                                                                                                                                                  • Security Notion for Encryption Schemes
                                                                                                                                                                                      • Concluding Remarks
                                                                                                                                                                                        • Concluding Remarks
                                                                                                                                                                                          • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where $B$ runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if $A$ runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles $H$ and $G$ respectively, $k$ is the modulus size and $e$ is small.

Inverting $f$ can then be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no

2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no

4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).

59/77


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random $r$ and the output of $H$) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher $E$ as a family of perfectly random and independent permutations.

60/77

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of $f$ = RSA is more involved but essentially linear.

As before, suppose feasible security bounds for any adversary attacking $f$ = RSA are

at most $2^{75}$ operations ($t$)

at most $2^{55}$ hash ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert $k$-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok

2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok

4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
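The two tightness calculations above (the RSA-OAEP reduction and the RSA-OAEP++ reduction), carried through in code as an added example that is not part of the original slides: it plugs the adversary budget ($2^{75}$ operations, $2^{55}$ oracle queries) and the NFS cost figures quoted on the slides into each reduction's bound on $t'$ and reports at which modulus size the reduction stops being vacuous. Function names and the decision rule (the inverter must run faster than NFS) are my own; the NFS figures are copied from the slides, not recomputed.

```python
"""Exact-security check for the RSA-OAEP and RSA-OAEP++ reductions.

Added example (not from the original deck).  The reduction formulas, the
adversary budget and the NFS cost estimates are the ones quoted on the slides;
the function names and the 'meaningful' decision rule are assumptions of this
example.
"""
import math
from dataclasses import dataclass
from typing import Callable, Optional

# Adversary resource budget assumed on the slides.
T_ADV = 2**75        # running time t of the IND-CCA adversary A
Q_ORACLE = 2**55     # bound on qH, qG (random oracles) and qE (ideal cipher) queries

# log2 of the Number Field Sieve cost per modulus size, as quoted on the slides.
NFS_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def oaep_reduction_time(t: int, qH: int, qG: int, k: int) -> int:
    """Running time t' of the RSA inverter B built from an RSA-OAEP adversary
    (slide 59):  t' = 2*t + qH*(2*qG + qH)*k^2.
    The k^2 factor is the cost of one modular operation on k-bit numbers."""
    return 2 * t + qH * (2 * qG + qH) * k * k


def oaep_pp_reduction_time(t: int, qE: int, k: int) -> int:
    """Running time t' of the RSA inverter built from an RSA-OAEP++ adversary
    (slide 61):  t' = t + qE*k^2, i.e. essentially linear in t."""
    return t + qE * k * k


@dataclass(frozen=True)
class Verdict:
    k: int
    log2_tprime: float   # log2 of the inverter's running time
    log2_nfs: float      # log2 of the NFS cost for this modulus size
    meaningful: bool     # True iff the inverter beats NFS, so the bound says something


def assess(k: int, tprime: int) -> Verdict:
    """A reduction is only informative if the inverter it produces is faster
    than the best known generic attack (NFS); otherwise 'breaking the scheme
    implies inverting RSA' is a vacuous statement."""
    log2_tprime = math.log2(tprime)      # exact on arbitrarily large ints
    log2_nfs = NFS_LOG2[k]
    return Verdict(k, log2_tprime, log2_nfs, log2_tprime < log2_nfs)


def assess_oaep(k: int) -> Verdict:
    return assess(k, oaep_reduction_time(T_ADV, Q_ORACLE, Q_ORACLE, k))


def assess_oaep_pp(k: int) -> Verdict:
    return assess(k, oaep_pp_reduction_time(T_ADV, Q_ORACLE, k))


def minimum_secure_modulus(assess_fn: Callable[[int], Verdict]) -> Optional[int]:
    """Smallest tabulated modulus size for which the reduction is meaningful."""
    for k in sorted(NFS_LOG2):
        if assess_fn(k).meaningful:
            return k
    return None


if __name__ == "__main__":
    for name, fn in (("RSA-OAEP", assess_oaep), ("RSA-OAEP++", assess_oaep_pp)):
        print(name)
        for k in sorted(NFS_LOG2):
            v = fn(k)
            status = "ok" if v.meaningful else "no"
            print(f"  {k} bits: log2 t' = {v.log2_tprime:7.2f}, NFS = 2^{v.log2_nfs}: {status}")
        print(f"  -> reduction is meaningful from {minimum_secure_modulus(fn)} bits")
```

The computed exponents (about 131.6 / 133.6 / 135.6 for OAEP, 76 / 77.3 / 79.1 for OAEP++) sit just under the rounded bounds on the slides, and the verdict changes from "4096 bits only" to "1024 bits or more" purely because the square-root term and the $q_H q_G k^2$ blow-up disappear.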

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys (if in finite fields); they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

Part V

Concluding Remarks

63/77

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs.

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

                                                                                                                                                                • Introduction to Provable Security
                                                                                                                                                                • Introduction
                                                                                                                                                                  • Introduction to Cryptography
                                                                                                                                                                    • What Cryptography is about
                                                                                                                                                                    • Classic Goals
                                                                                                                                                                        • Provable Security
                                                                                                                                                                          • Provable Security
                                                                                                                                                                            • Provably Security The Short Story
                                                                                                                                                                            • The need for Provable Security
                                                                                                                                                                                • Reductions
                                                                                                                                                                                • Security Notions
                                                                                                                                                                                  • Security Notions
                                                                                                                                                                                    • Security Notion for Signature Schemes
                                                                                                                                                                                    • Security Notion for Encryption Schemes
                                                                                                                                                                                        • Concluding Remarks
                                                                                                                                                                                          • Concluding Remarks
                                                                                                                                                                                            • References

Security Notions: Security Notion for Signature Schemes; Security Notion for Encryption Schemes

RSA-OAEP

A (good) reduction from a variant of OW-CPA (called partial-domain OW) was given for RSA-OAEP in the random oracle model [Fujisaki-OPS 00]. The result is

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{RSA\text{-}OAEP}}(A) \le 2 \cdot \sqrt{\mathrm{Adv}^{\mathrm{rsa}}_{n,e}(B)}$$

where B runs in time $t' = 2 \cdot t + q_H (2 \cdot q_G + q_H) \cdot k^2$ if A runs in time $t$ and makes $q_H$, $q_G$ queries to the oracles H and G respectively, $k$ is the modulus size, and $e$ is small. Solving (inverting $f$) can therefore be done in time $t' \le 2^{76} + 6 \cdot 2^{110} k^2 \le 2^{113} \cdot k^2$, and

• 1024 bits → $t' \le 2^{133}$, but NFS takes $2^{80}$: no
• 2048 bits → $t' \le 2^{135}$, but NFS takes $2^{111}$: no
• 4096 bits → $t' \le 2^{137}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP is secure for keys of at least 4096 bits (not tight).


Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the xor between the random r and the output of H) is replaced by a strong block cipher (ideal cipher model).

Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations.


Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose the feasible resource bounds for any adversary attacking f = RSA are

• at most $2^{75}$ operations ($t$)
• at most $2^{55}$ hash queries ($q_H$, $q_G$) and ideal cipher queries ($q_E$)

Result: if one can break RSA-OAEP++ in time $t$, one can invert k-bit-modulus RSA in time $t' \le t + q_E \cdot k^2 \le 2^{75} + 2^{55} \cdot k^2$, and

• 1024 bits → $t' \le 2^{76}$, but NFS takes $2^{80}$: ok
• 2048 bits → $t' \le 2^{78}$, but NFS takes $2^{111}$: ok
• 4096 bits → $t' \le 2^{80}$, but NFS takes $2^{149}$: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.
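The exact-security comparison carried out on the two preceding slides (RSA-OAEP and RSA-OAEP++), written out as an added example that is not part of the original slides: it encodes both reduction bounds with the slides' resource assumptions and NFS costs, and reports for each modulus size whether the inverter built from the reduction is cheaper than the best known attack, which is what makes the proof meaningful. The function and constant names are the example's own.

```python
"""Exact-security sanity check for the RSA-OAEP and RSA-OAEP++ reductions.

Added example (not from the slides). It encodes the reduction bounds
quoted on the slides and asks, per modulus size, whether the RSA
inverter B obtained from the reduction would beat the best known
attack (NFS). If B is slower than NFS, the proof gives no guarantee
against adversaries with the assumed resources.
"""
from typing import Callable, Dict, Optional

# NFS cost of factoring a k-bit modulus (log2 of operations), as quoted on the slides.
NFS_LOG2_COST: Dict[int, int] = {1024: 80, 2048: 111, 4096: 149}

# Feasible adversary resources assumed on the slides.
T = 2 ** 75   # at most 2^75 operations
Q = 2 ** 55   # at most 2^55 queries to each oracle (H, G, or the ideal cipher E)


def oaep_reduction_time(t: int, q_h: int, q_g: int, k: int) -> int:
    """Running time t' of the RSA inverter in the RSA-OAEP reduction
    (random oracle model): t' = 2*t + q_H*(2*q_G + q_H)*k^2."""
    return 2 * t + q_h * (2 * q_g + q_h) * k * k


def oaep_pp_reduction_time(t: int, q_e: int, k: int) -> int:
    """Running time t' of the RSA inverter in the OAEP++ reduction
    (ideal cipher model): t' = t + q_E*k^2, essentially linear in t."""
    return t + q_e * k * k


def log2_ceil(x: int) -> int:
    """Smallest integer e with 2^e >= x (for x >= 1)."""
    return (x - 1).bit_length()


def reduction_beats_nfs(t_prime: int, k: int) -> bool:
    """True when inverting RSA through the reduction is cheaper than NFS,
    i.e. when the proof actually constrains adversaries of the assumed size."""
    return t_prime < 2 ** NFS_LOG2_COST[k]


def assess(reduction: Callable[[int], int]) -> Dict[int, Dict[str, object]]:
    """For each modulus size k (ascending), report log2(t') and whether the
    proof is meaningful. `reduction` maps k to the inverter's running time t'."""
    report: Dict[int, Dict[str, object]] = {}
    for k in sorted(NFS_LOG2_COST):
        t_prime = reduction(k)
        report[k] = {
            "log2_t_prime": log2_ceil(t_prime),
            "log2_nfs": NFS_LOG2_COST[k],
            "meaningful": reduction_beats_nfs(t_prime, k),
        }
    return report


def minimum_meaningful_modulus(reduction: Callable[[int], int]) -> Optional[int]:
    """Smallest listed modulus size for which the proof gives a guarantee."""
    for k, row in assess(reduction).items():
        if row["meaningful"]:
            return k
    return None


# The two reductions instantiated with the slides' resource bounds.
def rsa_oaep(k: int) -> int:
    return oaep_reduction_time(T, Q, Q, k)


def rsa_oaep_pp(k: int) -> int:
    return oaep_pp_reduction_time(T, Q, k)


if __name__ == "__main__":
    for name, red in (("RSA-OAEP", rsa_oaep), ("RSA-OAEP++", rsa_oaep_pp)):
        print(name)
        for k, row in assess(red).items():
            verdict = "ok" if row["meaningful"] else "no"
            print(f"  {k} bits: t' <= 2^{row['log2_t_prime']}, "
                  f"NFS 2^{row['log2_nfs']}: {verdict}")
        print(f"  smallest meaningful modulus: {minimum_meaningful_modulus(red)}")
```

The code evaluates each formula exactly rather than with the slides' rounded upper bounds, so the RSA-OAEP exponents it prints are slightly below the slides' $2^{133}$, $2^{135}$, $2^{137}$, while the verdicts (no, no, ok versus ok, ok, ok) are the same.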


Revisiting the Assumptions

Classical Assumptions

• Integer Factoring
• Discrete Logarithm (in Finite Fields and in Elliptic Curves)
• Modular Roots (square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys if in finite fields; they are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

• Error-Correcting Codes
• Hash-based schemes
• Systems of Multi-Variate Equations
• Lattices

Part V

Concluding Remarks

Limits and Benefits of Provable Security

• Provable security does not yield proofs.
• Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.
• Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].
• Definitions (models) need time for review and acceptance.
• Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we now caught in a loop of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Limits and Benefits of Provable Security

Still, provable security

• provides some form of guarantee that the scheme is not flawed;
• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;
• gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);
• is fun :-)

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189. Birkhäuser Publishers, 2005.
• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.
• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISS, ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology — CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987, 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano & Cramer & Damgård & Di Crescenzo & Pointcheval & Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin – Heidelberg – New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Security Notions / Security Notion for Signature Schemes / Security Notion for Encryption Schemes

Improving the reduction: f-OAEP++

A new padding scheme, OAEP++, was proposed by Jonsson (2002). The one-time pad in OAEP (the XOR of the random r with the output of H) is replaced by a strong block cipher, analysed in the ideal cipher model.

                                                                                                                                                                    Ideal Cipher Model

Consider the block cipher E as a family of perfectly random and independent permutations: for every key K, E(K, ·) is a uniformly random permutation of the block space, chosen independently of E(K', ·) for every other key K', and the adversary may query both E and its inverse.
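To make the ideal cipher model concrete, here is an added example (not from the original slides) of the lazy-sampling simulator that ideal-cipher proofs use: for each key a uniformly random permutation of the block space is built on demand, and forward and inverse queries share one table so that D_K(E_K(x)) = x always holds and no two inputs ever collide on an output. The block size and the seeded PRNG are toy choices of this example, made so the permutation property can be checked exhaustively and reproducibly; a proof's simulator is uniformly random.

```python
"""Lazy-sampled ideal cipher (added example, not from the slides).

E: {0,1}^kappa x {0,1}^n -> {0,1}^n is modelled as an independent,
uniformly random permutation for every key.  Instead of sampling the
whole table up front, each query is answered by sampling a fresh value
consistent with everything already fixed under that key.  This is the
simulator a reduction runs when it "controls" the ideal cipher oracle.
"""
import random
from typing import Dict, Optional, Tuple


class IdealCipher:
    def __init__(self, block_bits: int = 8, seed: Optional[int] = None) -> None:
        # Toy block size so the permutation property is easy to verify.
        self.block_bits = block_bits
        self.space = 1 << block_bits
        # Seeded PRNG only for reproducible demos (an assumption of this
        # example); a real simulator would draw from secrets.randbelow.
        self._rng = random.Random(seed)
        # Per-key forward table x -> y and inverse table y -> x.
        self._fwd: Dict[bytes, Dict[int, int]] = {}
        self._inv: Dict[bytes, Dict[int, int]] = {}

    def _tables(self, key: bytes) -> Tuple[Dict[int, int], Dict[int, int]]:
        # Each distinct key gets its own independent permutation.
        return self._fwd.setdefault(key, {}), self._inv.setdefault(key, {})

    def _fresh(self, used: Dict[int, int]) -> int:
        # Uniform over the block values not yet assigned under this key;
        # rejection sampling keeps the choice uniform.
        if len(used) >= self.space:
            raise RuntimeError("permutation is already fully defined")
        while True:
            v = self._rng.randrange(self.space)
            if v not in used:
                return v

    def encrypt(self, key: bytes, x: int) -> int:
        """Forward query E_K(x); samples y avoiding outputs already used."""
        if not 0 <= x < self.space:
            raise ValueError("block out of range")
        fwd, inv = self._tables(key)
        if x not in fwd:
            y = self._fresh(inv)        # y must be a fresh output under this key
            fwd[x], inv[y] = y, x
        return fwd[x]

    def decrypt(self, key: bytes, y: int) -> int:
        """Inverse query D_K(y); samples x avoiding inputs already used."""
        if not 0 <= y < self.space:
            raise ValueError("block out of range")
        fwd, inv = self._tables(key)
        if y not in inv:
            x = self._fresh(fwd)        # x must be a fresh input under this key
            fwd[x], inv[y] = y, x
        return inv[y]

    def queries(self, key: bytes) -> int:
        """Number of (x, y) pairs fixed so far under key: the q_E of the bound."""
        return len(self._fwd.get(key, {}))


if __name__ == "__main__":
    ic = IdealCipher(block_bits=8, seed=1)
    table = [ic.encrypt(b"k1", x) for x in range(256)]
    print("permutation:", sorted(table) == list(range(256)))
    print("D(E(x)) == x:", all(ic.decrypt(b"k1", table[x]) == x for x in range(256)))
```

The two tables are the whole point: an inverse query that arrives before the matching forward query must fix the same pair in both directions, otherwise a later forward query could sample a conflicting value and the simulated cipher would stop being a permutation, which an adversary could detect.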

60/77


Improving the reduction: f-OAEP++ (cont.)

                                                                                                                                                                    Advantage Bound

The relation (bound) between the IND-CCA advantage against f-OAEP++ and the OW-CPA advantage against f = RSA is more involved, but essentially linear: the time loss grows only with the number of ideal-cipher queries, not quadratically in the number of hash queries.

As before, suppose the feasible bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t)

at most 2^55 hash queries (q_H, q_G) and ideal-cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert RSA with a k-bit modulus in time t' ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more
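As an added worked example (not part of the original slides), the following Python carries the exact-security check above through for any modulus size: it evaluates t' ≤ t + q_E · k^2 exactly and compares it with the cost of the best known attack. The NFS figures are the three data points quoted on the slide, hard-coded as a constructed table; the code does not implement the Lenstra–Verheul key-size estimate, so for any other k the caller must supply a hardness figure.

```python
"""Exact-security check for the f-OAEP++ reduction (added example).

Evaluates t' <= t + q_E * k^2 for a k-bit RSA modulus and compares it
with log2 of the NFS cost.  The NFS figures are the three values quoted
on the slide; they are constructed input here, not computed.
"""
import math
from typing import Dict, Optional

# Adversary budget assumed on the slide.
T_BITS = 75      # at most 2^75 operations
Q_E_BITS = 55    # at most 2^55 ideal-cipher (and hash) queries

# log2 of the NFS cost for a k-bit modulus, as quoted on the slide.
NFS_BITS_FROM_SLIDE: Dict[int, int] = {1024: 80, 2048: 111, 4096: 149}


def inverter_cost_bits(k: int, t_bits: int = T_BITS, q_bits: int = Q_E_BITS) -> float:
    """log2 of t + q_E * k^2: the running time of the RSA inverter the
    reduction builds from an IND-CCA adversary that runs in time 2^t_bits
    and makes 2^q_bits ideal-cipher queries.  Computed exactly with Python
    integers, so the 1024-bit case comes out as exactly 76.0."""
    return math.log2(2 ** t_bits + 2 ** q_bits * k * k)


def security_margin_bits(k: int, hardness_bits: Optional[float] = None) -> float:
    """NFS cost minus the inverter's cost, in bits.  Positive means breaking
    the scheme at size k would beat the best known factoring attack, so the
    proof says something; negative means the reduction is vacuous there."""
    if hardness_bits is None:
        hardness_bits = NFS_BITS_FROM_SLIDE[k]   # KeyError for sizes the slide omits
    return hardness_bits - inverter_cost_bits(k)


def reduction_is_meaningful(k: int, hardness_bits: Optional[float] = None) -> bool:
    """True when the inverter the reduction produces is strictly cheaper
    than the best known attack on k-bit RSA."""
    return security_margin_bits(k, hardness_bits) > 0


if __name__ == "__main__":
    for k in sorted(NFS_BITS_FROM_SLIDE):
        print(f"k={k}: t' <= 2^{inverter_cost_bits(k):.2f}, NFS 2^{NFS_BITS_FROM_SLIDE[k]}, "
              f"margin {security_margin_bits(k):.1f} bits, "
              f"{'ok' if reduction_is_meaningful(k) else 'vacuous'}")
```

The margin is what an implementer actually reads off a proof: at 1024 bits it is only 4 bits, so the reduction is meaningful but barely, while at 4096 bits the 69-bit margin means the proof still holds up under much more generous adversary budgets. The NFS figures are those on the slide (2001-era estimates); current recommendations no longer treat 1024-bit RSA as adequate, so the "ok" at 1024 bits says the reduction is tight enough there, not that the key size is.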


                                                                                                                                                                    Revisiting the Assumptions

                                                                                                                                                                    Classical Assumptions

                                                                                                                                                                    Integer Factoring

                                                                                                                                                                    Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                                                                                                                    Modular Roots (Square roots and e-th roots)

Advantages: easy to implement, widely used.
Drawbacks: require large keys when instantiated in finite fields; all of them are subject to quantum attacks.

                                                                                                                                                                    Alternatives Post-Quantum Cryptography

                                                                                                                                                                    Error-Correcting Codes

                                                                                                                                                                    Hash-based schemes

                                                                                                                                                                    Systems of Multi-Variate Equations

                                                                                                                                                                    Lattices


                                                                                                                                                                    Concluding Remarks

                                                                                                                                                                    Part V

                                                                                                                                                                    Concluding Remarks



                                                                                                                                                                    Limits and Benefits of Provable Security

Provable security does not yield unconditional proofs.

Proofs are relative: to computational assumptions, and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode (CBC) was attacked [Albrecht 09]; then the other mode (CTR) was proved secure in a better model that captures plaintext-dependent decryption [Paterson et al. 10]. Are we now in a cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]



                                                                                                                                                                    Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us understand the problem better;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security);

is fun :-)



                                                                                                                                                                    Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

                                                                                                                                                                    Further information

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189. Birkhäuser, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396. Springer-Verlag, 1999.

                                                                                                                                                                    Some slides courtesy of David Pointcheval (thanks)


Part VI

References

M. R. Albrecht, K. G. Paterson and G. J. Watson. Plaintext recovery attacks against SSH. In 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof. Manuscript, 2002 (received 18 Mar. 2002; the author notes it has not been published elsewhere). Contact: jjonsson@rsasecurity.com.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin–Heidelberg–New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

                                                                                                                                                                    • Introduction to Provable Security
                                                                                                                                                                    • Introduction
                                                                                                                                                                      • Introduction to Cryptography
                                                                                                                                                                        • What Cryptography is about
                                                                                                                                                                        • Classic Goals
                                                                                                                                                                            • Provable Security
                                                                                                                                                                              • Provable Security
                                                                                                                                                                                • Provably Security The Short Story
                                                                                                                                                                                • The need for Provable Security
                                                                                                                                                                                    • Reductions
                                                                                                                                                                                    • Security Notions
                                                                                                                                                                                      • Security Notions
                                                                                                                                                                                        • Security Notion for Signature Schemes
                                                                                                                                                                                        • Security Notion for Encryption Schemes
                                                                                                                                                                                            • Concluding Remarks
                                                                                                                                                                                              • Concluding Remarks
                                                                                                                                                                                                • References

                                                                                                                                                                      Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

Improving the reduction: f-OAEP++ (cont.)

Advantage Bound

The relation (bound) between the IND-CCA advantage of f-OAEP++ and the OW-CPA advantage of f = RSA is more involved, but essentially linear.

As before, suppose feasible security bounds for any adversary attacking f = RSA are:

at most 2^75 operations (t)

at most 2^55 hash (q_H, q_G) and ideal cipher queries (q_E)

Result: if one can break RSA-OAEP++ in time t, one can invert k-bit-modulus RSA in time t' ≤ t + q_E · k^2 ≤ 2^75 + 2^55 · k^2, and

1024 bits → t' ≤ 2^76, but NFS takes 2^80: ok

2048 bits → t' ≤ 2^78, but NFS takes 2^111: ok

4096 bits → t' ≤ 2^80, but NFS takes 2^149: ok

⇒ RSA-OAEP++ is secure for keys of 1024 bits or more.

61/77
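The exact-security bookkeeping on this slide, carried out in code as an added example (not part of the original slides): the reduction cost t' = t + q_E · k^2 is evaluated on exact integers for the three modulus sizes, rounded up to a power of two as on the slide, and compared against the NFS cost the slide quotes. The attacker budget (2^75 operations, 2^55 queries) and the NFS figures are the slide's own numbers, embedded here as a constructed lookup table; the function names are this example's, not any library's.

```python
import math

# Assumed attacker resources, taken from the slide: at most 2^75 operations
# (t) and at most 2^55 ideal-cipher queries (q_E).
T_LOG2 = 75
Q_E_LOG2 = 55

# Best known cost of inverting RSA (NFS), in bits of work, per modulus size,
# exactly as quoted on the slide. Constructed lookup table for this example.
NFS_COST_LOG2 = {1024: 80, 2048: 111, 4096: 149}


def reduction_cost(t: int, q_e: int, k: int) -> int:
    """Work t' the reduction spends to invert k-bit RSA, given an IND-CCA
    adversary against RSA-OAEP++ running in time t with q_e ideal-cipher
    queries: t' <= t + q_e * k^2. Exact integer arithmetic, no rounding."""
    return t + q_e * k * k


def reduction_cost_log2(k: int, t_log2: int = T_LOG2, q_e_log2: int = Q_E_LOG2) -> float:
    """log2 of the bound above; math.log2 on a Python int is exact for powers of two."""
    return math.log2(reduction_cost(2 ** t_log2, 2 ** q_e_log2, k))


def slide_bound_bits(k: int) -> int:
    """The bound as the slide states it: the smallest e with t' <= 2^e."""
    return math.ceil(reduction_cost_log2(k))


def security_margin_bits(k: int) -> float:
    """Bits of work separating the reduction's cost from the best known
    attack. Positive means the reduction says something: an adversary within
    the assumed budget against OAEP++ would invert RSA faster than NFS."""
    return NFS_COST_LOG2[k] - reduction_cost_log2(k)


def is_meaningful(k: int) -> bool:
    """True when the reduction beats NFS for a k-bit modulus (the slide's 'ok')."""
    return security_margin_bits(k) > 0


if __name__ == "__main__":
    for k in sorted(NFS_COST_LOG2):
        print(f"{k} bits: t' <= 2^{slide_bound_bits(k)} "
              f"(exactly 2^{reduction_cost_log2(k):.2f}), NFS 2^{NFS_COST_LOG2[k]}, "
              f"margin {security_margin_bits(k):.1f} bits, ok={is_meaningful(k)}")
```

Note that for 1024-bit keys the two terms of the bound are equal (2^55 · 1024^2 = 2^75), so the query term alone already costs as much as the whole attacker budget; at larger k the q_E · k^2 term dominates, which is why the margin against NFS grows with k even though the reduction's own cost also rises.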

Revisiting the Assumptions

Classical Assumptions

Integer Factoring

Discrete Logarithm (in Finite Fields and in Elliptic Curves)

Modular Roots (Square roots and e-th roots)

Advantages: Easy to implement, widely used.
Drawbacks: Require large keys if in Finite Fields. They are all subject to quantum attacks.

Alternatives: Post-Quantum Cryptography

Error-Correcting Codes

Hash-based schemes

Systems of Multi-Variate Equations

Lattices

62/77

                                                                                                                                                                      Concluding Remarks

                                                                                                                                                                      Part V

                                                                                                                                                                      Concluding Remarks

63/77

Limits and Benefits of Provable Security

Provable security does not yield proofs.

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed,

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem,

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security),

is fun :-)

65/77

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW '97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (ACM TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

Fujisaki, Okamoto, Pointcheval, and Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77

                                                                                                                                                                      • Introduction to Provable Security
                                                                                                                                                                      • Introduction
                                                                                                                                                                        • Introduction to Cryptography
                                                                                                                                                                          • What Cryptography is about
                                                                                                                                                                          • Classic Goals
                                                                                                                                                                              • Provable Security
                                                                                                                                                                                • Provable Security
                                                                                                                                                                                  • Provably Security The Short Story
                                                                                                                                                                                  • The need for Provable Security
                                                                                                                                                                                      • Reductions
                                                                                                                                                                                      • Security Notions
                                                                                                                                                                                        • Security Notions
                                                                                                                                                                                          • Security Notion for Signature Schemes
                                                                                                                                                                                          • Security Notion for Encryption Schemes
                                                                                                                                                                                              • Concluding Remarks
                                                                                                                                                                                                • Concluding Remarks
                                                                                                                                                                                                  • References

                                                                                                                                                                        Security NotionsSecurity Notion for Signature SchemesSecurity Notion for Encryption Schemes

                                                                                                                                                                        Revisiting the Assumptions

                                                                                                                                                                        Classical Assumptions

                                                                                                                                                                        Integer Factoring

                                                                                                                                                                        Discrete Logarithm (in Finite Fields and in Elliptic Curves)

                                                                                                                                                                        Modular Roots (Square roots and e-th roots)

                                                                                                                                                                        Advantages Easy to implement widely usedDrawbacks Require large keys if in Finite Fields They are allsubject to quantum attacks

                                                                                                                                                                        Alternatives Post-Quantum Cryptography

                                                                                                                                                                        Error-Correcting Codes

                                                                                                                                                                        Hash-based schemes

                                                                                                                                                                        Systems of Multi-Variate Equations

                                                                                                                                                                        Lattices

                                                                                                                                                                        6277

                                                                                                                                                                        Concluding Remarks

                                                                                                                                                                        Part V

                                                                                                                                                                        Concluding Remarks

                                                                                                                                                                        6377

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield proofs:

Proofs are relative (to computational assumptions) and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) with debatable meaning [Canetti 98, 04] [Coron 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04], then (one mode) attacked [Albrecht 09], then proofs (for the other mode) in a better model [Paterson et al. 10]. Are we back in time now, with model, attacks, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

64/77

Limits and Benefits of Provable Security

Still, provable security:

provides some form of guarantee that the scheme is not flawed;

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

is fun :-)

65/77

Acknowledgements and References

Thanks to ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189, Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

66/77

Part VI

References

67/77

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

68/77

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir/

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

69/77

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

70/77

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

71/77

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology — CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

72/77

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

73/77

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

74/77

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

75/77

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

76/77

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

77/77



                                                                                                                                                                          7477

                                                                                                                                                                          P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                                                                                          K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                                                          D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                                                          7577

                                                                                                                                                                          R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                                                          C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                                                          V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                                                          7677

                                                                                                                                                                          V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                                                          S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                                                          7777

                                                                                                                                                                          • Introduction to Provable Security
                                                                                                                                                                          • Introduction
                                                                                                                                                                            • Introduction to Cryptography
                                                                                                                                                                              • What Cryptography is about
                                                                                                                                                                              • Classic Goals
                                                                                                                                                                                  • Provable Security
                                                                                                                                                                                    • Provable Security
                                                                                                                                                                                      • Provably Security The Short Story
                                                                                                                                                                                      • The need for Provable Security
                                                                                                                                                                                          • Reductions
                                                                                                                                                                                          • Security Notions
                                                                                                                                                                                            • Security Notions
                                                                                                                                                                                              • Security Notion for Signature Schemes
                                                                                                                                                                                              • Security Notion for Encryption Schemes
                                                                                                                                                                                                  • Concluding Remarks
                                                                                                                                                                                                    • Concluding Remarks
                                                                                                                                                                                                      • References

Concluding Remarks

Limits and Benefits of Provable Security

Provable security does not yield unconditional proofs.

Proofs are relative: to computational assumptions, and to the definition of the scheme's goal.

Proofs are often done in ideal models (Random Oracle Model, Ideal Cipher Model, Generic Group Model) whose meaning is debatable [Canetti et al. 98, 04] [Coron et al. 08, Holenstein et al. 11].

Definitions (models) need time for review and acceptance.

Example: proofs for several modes of SSH authenticated encryption [Bellare-Kohno-Namprempre 04]; then one mode (CBC) is attacked [Albrecht et al. 09]; then proofs for the other mode (CTR) in a better model, one that captures plaintext-dependent decryption, i.e. the receiver acting on the decrypted length field before the whole ciphertext has been authenticated [Paterson et al. 10]. Are we back to a cycle of model, attack, remodel? Crypto as physics? [Nguyen 12, Degabriele et al. 11]

Still, provable security:

provides some form of guarantee that the scheme is not flawed (relative to the model and the assumptions);

motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us better understand the problem;

gives well-defined reductions from which we can (and must) distill the practical implications of the result (exact security: how much advantage and running time the reduction loses, and hence which parameter sizes the proof actually justifies);

is fun :-)
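The last point, exact security, is where a reduction stops being a theorem and becomes a sizing tool. The Python below is an added example, not code from the slides: it models a reduction of the assumed shape Adv_scheme ≤ loss(q_s, q_h) · Adv_problem + additive(q_s, q_h), with the reduction's running time growing by a fixed cost per oracle query, and computes how hard the underlying problem must be for the scheme to reach a target security level. The names (Reduction, required_problem_hardness, bits_lost, compare, LOOSE, TIGHT) and the two loss profiles (a multiplicative factor of q_s + q_h + 1 versus a purely additive birthday term over a 256-bit seed) are illustrative choices made here, not bounds quoted from the deck.

```python
"""Exact-security bookkeeping for a reduction.

Added example for the "exact security" remark above; not code from the
slides.  It models a reduction statement of the (assumed, illustrative) shape

    Adv_scheme(A) <= loss(q_s, q_h) * Adv_problem(B) + additive(q_s, q_h)
    time(B)       <= time(A) + (q_s + q_h) * cost_per_query

and turns it into the number a practitioner needs: how hard the underlying
problem must be for the scheme to reach a target security level.
"""
import math
from dataclasses import dataclass
from typing import Callable

Counts = Callable[[int, int], float]  # (q_s, q_h) -> number


@dataclass(frozen=True)
class Reduction:
    """Concrete parameters of a reduction from the scheme to a hard problem."""
    name: str
    loss: Counts            # multiplicative loss in advantage
    additive: Counts        # additive term (e.g. collision probabilities)
    cost_per_query: float   # extra work of B per oracle query, in "operations"


def required_problem_hardness(red: Reduction, target_bits: int,
                              adv_time: float, q_s: int, q_h: int) -> float:
    """Hardness, as log2(work/advantage), the problem must offer so that no
    adversary running in adv_time operations with q_s signing and q_h hash
    queries beats the scheme's target of `target_bits` bits of security.

    'k bits of security' is read as: every adversary has time/advantage >= 2^k.
    Returns inf when the reduction says nothing, because the adversary's
    advantage budget does not even exceed the additive term.
    """
    eps = adv_time / 2.0 ** target_bits           # advantage we must rule out
    slack = eps - red.additive(q_s, q_h)
    if slack <= 0:
        return math.inf                           # vacuous bound
    eps_problem = slack / red.loss(q_s, q_h)      # advantage B is guaranteed
    time_problem = adv_time + (q_s + q_h) * red.cost_per_query
    return math.log2(time_problem) - math.log2(eps_problem)


def bits_lost(red: Reduction, target_bits: int, adv_time: float,
              q_s: int, q_h: int) -> float:
    """Bits of hardness the reduction wastes relative to the target."""
    return required_problem_hardness(red, target_bits, adv_time, q_s, q_h) - target_bits


# Illustrative reductions (assumed shapes, not bounds quoted from the slides):
# a loose one paying a factor of (q_s + q_h + 1), as hash-and-sign style
# random-oracle proofs often do, and a tight one paying only an additive
# birthday term over a 256-bit seed.
LOOSE = Reduction("loose (factor q_s+q_h+1)",
                  loss=lambda qs, qh: qs + qh + 1,
                  additive=lambda qs, qh: 0.0,
                  cost_per_query=1.0)
TIGHT = Reduction("tight (additive birthday term)",
                  loss=lambda qs, qh: 1.0,
                  additive=lambda qs, qh: (qs + qh) ** 2 / 2.0 ** 256,
                  cost_per_query=1.0)


def compare(target_bits: int = 128, adv_time: float = 2.0 ** 100,
            q_s: int = 2 ** 30, q_h: int = 2 ** 60) -> dict:
    """Required problem hardness for both reductions at the same target."""
    return {red.name: required_problem_hardness(red, target_bits, adv_time, q_s, q_h)
            for red in (LOOSE, TIGHT)}


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} problem must be ~{bits:.1f}-bit hard for a 128-bit scheme")
```

With 2^60 hash queries the loose reduction demands a problem roughly 60 bits harder than the scheme's target, which is exactly the kind of consequence (larger moduli or groups, or a different scheme with a tight proof) that has to be distilled from the theorem before it can be acted on.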

Acknowledgements and References

Thanks to the ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133–189. Birkhäuser Publishers, 2005.

On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks!).

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In 2009 30th IEEE Symposium on Security and Privacy, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and System Security (TISSEC), 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM, 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86 (11–15 Aug. 1986), volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. Manuscript (not published elsewhere), jjonsson@rsasecurity.com, received 18 Mar. 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, Aug. 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.

                                                                                                                                                                            • Introduction to Provable Security
                                                                                                                                                                            • Introduction
                                                                                                                                                                              • Introduction to Cryptography
                                                                                                                                                                                • What Cryptography is about
                                                                                                                                                                                • Classic Goals
                                                                                                                                                                                    • Provable Security
                                                                                                                                                                                      • Provable Security
                                                                                                                                                                                        • Provably Security The Short Story
                                                                                                                                                                                        • The need for Provable Security
                                                                                                                                                                                            • Reductions
                                                                                                                                                                                            • Security Notions
                                                                                                                                                                                              • Security Notions
                                                                                                                                                                                                • Security Notion for Signature Schemes
                                                                                                                                                                                                • Security Notion for Encryption Schemes
                                                                                                                                                                                                    • Concluding Remarks
                                                                                                                                                                                                      • Concluding Remarks
                                                                                                                                                                                                        • References

Concluding Remarks

Limits and Benefits of Provable Security

Still, provable security:

• provides some form of guarantee that the scheme is not flawed;

• motivates us to spell out (clarify) definitions and models formally, a process that in itself may help us to better understand the problem;

• gives well-defined reductions from which we can (and must) distill practical implications of the result (exact security);

• is fun :-)

65/77

Acknowledgements and References

Thanks to ASCrypto organizers for the opportunity to give this short tutorial.

Further information:

• Contemporary Cryptology: Provable Security for Public Key Schemes. David Pointcheval. Advanced Course on Contemporary Cryptology, Advanced Courses CRM Barcelona, pages 133-189, Birkhäuser Publishers, 2005.

• On the Role of Definitions in and Beyond Cryptography. Phillip Rogaway. Manuscript, available from his web page.

• Practice-Oriented Provable-Security. Mihir Bellare. In Proceedings of the First International Workshop on Information Security (ISW'97), LNCS vol. 1396, Springer-Verlag, 1999.

Some slides courtesy of David Pointcheval (thanks).

66/77


• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
    • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
      • References


• Introduction to Provable Security
  • Introduction
    • Introduction to Cryptography
      • What Cryptography is about
      • Classic Goals
  • Provable Security
    • Provable Security
      • Provable Security: The Short Story
      • The need for Provable Security
  • Reductions
  • Security Notions
    • Security Notions
      • Security Notion for Signature Schemes
      • Security Notion for Encryption Schemes
  • Concluding Remarks
    • Concluding Remarks
  • References

Part VI

References

M. R. Albrecht, K. G. Paterson, and G. J. Watson. Plaintext recovery attacks against SSH. In Security and Privacy, 2009. 30th IEEE Symposium on, pages 16–26. IEEE, 2009.

M. Bellare, T. Kohno, and C. Namprempre. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM TISSEC: ACM Transactions on Information and System Security, 7, 2004.

M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM, editor, Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, Nov. 1993.

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. D. Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.

J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. Security & Privacy, IEEE, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1978.

T. ElGamal. A public key cryptosystem and signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.

A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. 11–15 Aug. 1986.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive. Report 2000/061, Cryptology ePrint Archive, Nov. 2000.

S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Science, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal of Computing, 17(2):281–308, Apr. 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.

J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com 11764, received 18 Mar 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. J. Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.

P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.

R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signature and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO '89), pages 239–252, Berlin - Heidelberg - New York, Aug. 1990. Springer.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Proc. International Advances in Cryptology Conference – EUROCRYPT '97, pages 256–266, 1997.

V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor-Rivest cryptosystem. J. Cryptology, 14(2):87–100, 2001.

                                                                                                                                                                                                              • Concluding Remarks
                                                                                                                                                                                                                • References

M. Bellare and P. Rogaway. Optimal asymmetric encryption: How to encrypt with RSA. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1994. http://www-cse.ucsd.edu/users/mihir

M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT '96, volume 1070 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, May 1996.


M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In S. Vaudenay, editor, Advances in Cryptology – EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409–426. Springer, 2006.

R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, 2004.

J.-S. Coron, J. Patarin, and Y. Seurin. The random oracle model and the ideal cipher model are equivalent. In Advances in Cryptology – CRYPTO 2008, pages 1–20. Springer, 2008.


J. P. Degabriele, K. Paterson, and G. Watson. Provable security in the real world. IEEE Security & Privacy, 9(3):33–41, 2011.

W. Diffie and M. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22:644–654, 1976.

T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31:469–472, 1985.


A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. M. Odlyzko, editor, Advances in Cryptology – CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer-Verlag, 1987. (Conference held 11–15 August 1986.)

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is secure under the RSA assumption. Journal of Cryptology, 17, 2004.

E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern. RSA-OAEP is still alive! Report 2000/061, Cryptology ePrint Archive, November 2000.


S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270–299, 1984.

S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, April 1988.

T. Holenstein, R. Künzler, and S. Tessaro. The equivalence of the random oracle model and the ideal cipher model, revisited. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing, pages 89–98. ACM, 2011.


J. Jonsson. An OAEP variant with a tight security proof, 2002. This paper has not been published elsewhere. jjonsson@rsasecurity.com, 11764, received 18 March 2002.

A. K. Lenstra and E. R. Verheul. Selecting cryptographic key sizes. Journal of Cryptology, 14(4):255–293, 2001.

V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.


P. Q. Nguyen. Cryptanalysis vs. provable security. In Information Security and Cryptology, pages 22–23. Springer, 2012.

K. G. Paterson and G. J. Watson. Plaintext-dependent decryption: A formal security treatment of SSH-CTR. In Advances in Cryptology – EUROCRYPT 2010, pages 345–361. Springer, 2010.

D. Pointcheval. Provable security for public key schemes. In Catalano, Cramer, Damgård, Di Crescenzo, Pointcheval, and Takagi, Contemporary Cryptology. Birkhäuser, 2005.


R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

C. P. Schnorr. Efficient identification and signatures for smart cards. In Advances in Cryptology – CRYPTO '89, pages 239–252. Springer, Berlin/Heidelberg/New York, August 1990.

V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology – EUROCRYPT '97, pages 256–266, 1997.


V. Shoup. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004. http://www.shoup.net/papers/games.pdf

S. Vaudenay. Cryptanalysis of the Chor–Rivest cryptosystem. Journal of Cryptology, 14(2):87–100, 2001.



                                                                                                                                                                                          P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                                                                                                          K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                                                                          D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                                                                          7577

                                                                                                                                                                                          R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                                                                          C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                                                                          V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                                                                          7677

                                                                                                                                                                                          V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                                                                          S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                                                                          7777

• Introduction to Provable Security
• Introduction
  • Introduction to Cryptography
    • What Cryptography is about
    • Classic Goals
• Provable Security
  • Provable Security
    • Provably Security: The Short Story
    • The need for Provable Security
  • Reductions
• Security Notions
  • Security Notions
    • Security Notion for Signature Schemes
    • Security Notion for Encryption Schemes
• Concluding Remarks
  • Concluding Remarks
  • References

                                                                                                                                                                                            A Fiat and A ShamirHow to prove yourself Practical solutions to identification andsignature problemsIn A M Odlyzko editor Advances inCryptologymdashCRYPTO rsquo86 volume 263 of Lecture Notes inComputer Science pages 186ndash194 Springer-Verlag 198711ndash15 Aug 1986

                                                                                                                                                                                            Fujisaki Okamoto Pointcheval and SternRSA-OAEP is secure under the RSA assumptionJournal of Cryptology 17 2004

                                                                                                                                                                                            E Fujisaki T Okamoto D Pointcheval and J SternRSA-OAEP is still aliveReport 2000061 Cryptology ePrint Archive Nov 2000

                                                                                                                                                                                            7277

                                                                                                                                                                                            S Goldwasser and S MicaliProbabilistic encryptionJournal of Computer and System Science 28270ndash299 1984

                                                                                                                                                                                            S Goldwasser S Micali and R RivestA digital signature scheme secure against adaptivechosen-message attacksSiam Journal of Computing 17(2)281ndash308 Apr 1988

                                                                                                                                                                                            T Holenstein R Kunzler and S TessaroThe equivalence of the random oracle model and the idealcipher model revisitedIn Proceedings of the 43rd annual ACM symposium on Theoryof computing pages 89ndash98 ACM 2011

                                                                                                                                                                                            7377

                                                                                                                                                                                            J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                                                                                                                                                                            A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                                                                                                                                                                            V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                                                                                                                                                                            7477

                                                                                                                                                                                            P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                                                                                                            K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                                                                            D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                                                                            7577

                                                                                                                                                                                            R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                                                                            C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                                                                            V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                                                                            7677

                                                                                                                                                                                            V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                                                                            S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                                                                            7777

                                                                                                                                                                                            • Introduction to Provable Security
                                                                                                                                                                                            • Introduction
                                                                                                                                                                                              • Introduction to Cryptography
                                                                                                                                                                                                • What Cryptography is about
                                                                                                                                                                                                • Classic Goals
                                                                                                                                                                                                    • Provable Security
                                                                                                                                                                                                      • Provable Security
                                                                                                                                                                                                        • Provably Security The Short Story
                                                                                                                                                                                                        • The need for Provable Security
                                                                                                                                                                                                            • Reductions
                                                                                                                                                                                                            • Security Notions
                                                                                                                                                                                                              • Security Notions
                                                                                                                                                                                                                • Security Notion for Signature Schemes
                                                                                                                                                                                                                • Security Notion for Encryption Schemes
                                                                                                                                                                                                                    • Concluding Remarks
                                                                                                                                                                                                                      • Concluding Remarks
                                                                                                                                                                                                                        • References

                                                                                                                                                                                              S Goldwasser and S MicaliProbabilistic encryptionJournal of Computer and System Science 28270ndash299 1984

                                                                                                                                                                                              S Goldwasser S Micali and R RivestA digital signature scheme secure against adaptivechosen-message attacksSiam Journal of Computing 17(2)281ndash308 Apr 1988

                                                                                                                                                                                              T Holenstein R Kunzler and S TessaroThe equivalence of the random oracle model and the idealcipher model revisitedIn Proceedings of the 43rd annual ACM symposium on Theoryof computing pages 89ndash98 ACM 2011

                                                                                                                                                                                              7377

                                                                                                                                                                                              J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                                                                                                                                                                              A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001

                                                                                                                                                                                              V I NechaevComplexity of a determinate algorithm for the discretelogarithmMathematical Notes 55(2)165ndash172 1994Translated from Matematicheskie Zametki 55(2)91ndash1011994

                                                                                                                                                                                              7477

                                                                                                                                                                                              P Q NguyenCryptanalysis vs provable securityIn Information Security and Cryptology pages 22ndash23 Springer2012

                                                                                                                                                                                              K G Paterson and G J WatsonPlaintext-dependent decryption A formal security treatmentof ssh-ctrIn Advances in CryptologyndashEUROCRYPT 2010 pages345ndash361 Springer 2010

                                                                                                                                                                                              D PointchevalProvable security for public key schemesIn Catalano amp Cramer amp Damgard amp Di Crescenzo ampPointcheval amp Takagi Contemporary Cryptology Birkhauser2005

                                                                                                                                                                                              7577

                                                                                                                                                                                              R L Rivest A Shamir and L AdlemanA method for obtaining digital signature and public-keycryptosystemsCommunications of the ACM 21(2)120ndash126 1978

                                                                                                                                                                                              C P SchnorrEfficient identification and signatures for smart cardsIn Advances in Cryptology (CRYPTO rsquo89) pages 239ndash252Berlin - Heidelberg - New York Aug 1990 Springer

                                                                                                                                                                                              V ShoupLower bounds for discrete logarithms and related problemsIn Proc International Advances in Cryptology Conference ndashEUROCRYPT rsquo97 pages 256ndash266 1997

                                                                                                                                                                                              7677

                                                                                                                                                                                              V ShoupSequences of games a tool for taming complexity in securityproofsCryptology ePrint Archive Report 2004332 2004httpwwwshoupnetpapersgamespdf

                                                                                                                                                                                              S VaudenayCryptanalysis of the chor - rivest cryptosystemJ Cryptology 14(2)87ndash100 2001

                                                                                                                                                                                              7777

                                                                                                                                                                                              • Introduction to Provable Security
                                                                                                                                                                                              • Introduction
                                                                                                                                                                                                • Introduction to Cryptography
                                                                                                                                                                                                  • What Cryptography is about
                                                                                                                                                                                                  • Classic Goals
                                                                                                                                                                                                      • Provable Security
                                                                                                                                                                                                        • Provable Security
                                                                                                                                                                                                          • Provably Security The Short Story
                                                                                                                                                                                                          • The need for Provable Security
                                                                                                                                                                                                              • Reductions
                                                                                                                                                                                                              • Security Notions
                                                                                                                                                                                                                • Security Notions
                                                                                                                                                                                                                  • Security Notion for Signature Schemes
                                                                                                                                                                                                                  • Security Notion for Encryption Schemes
                                                                                                                                                                                                                      • Concluding Remarks
                                                                                                                                                                                                                        • Concluding Remarks
                                                                                                                                                                                                                          • References

                                                                                                                                                                                                J JonssonAn OAEP variant with a tight security proof 2002This paper has not been published elsewherejjonssonrsasecuritycom 11764 received 18 Mar 2002

                                                                                                                                                                                                A K Lenstra and E R VerheulSelecting cryptographic key sizesJ Cryptology 14(4)255ndash293 2001


