provable security · – x xe mod n easy (cubic) – y=xe mod n x difficult (without p or q) x = yd...

David PointchevalLIENS-CNRSEcole normale supérieure

Provable SecurityIntroduction

UCL - Louvain-la-Neuve

Monday, July 8th, 2002

Provable Security - Introduction - 2David Pointcheval

SummarySummary

• Introduction• Asymmetric Cryptography• Computational Assumptions• Security Proofs• Encryption and Signature• New Assumptions• New Formalism


SummarySummary



Cryptography: 3 GoalsCryptography: 3 Goals

• Integrity:Messages have not been altered

• Authenticity:Message - sender relation

• Secrecy:Message unknown to anybody else


IntegrityIntegrity

To be sure that a messagehas not been modified(accidentally but intentionally too!)


Authentication (1)Authentication (1)

Interactively prove his identity


Authentication (2)Authentication (2)

• Non-interactively prove his identityas the sender of a message

• If this proof can even convincea third party: signature


SecrecySecrecy

• Store a document

• Send a message

so that nobody else can learnany information about it


Cryptography: 3 PeriodsCryptography: 3 Periods

• Ancient period: until 1918• Technical period: from 1919 until 1975• Paradoxical period : from 1976 until


Ancient PeriodAncient Period

Substitutions and permutations

Security =Secrecy of the Mechanisms

Alberti’scipher disk

Jefferson’s wheel cipher


Technical PeriodTechnical Period

Cipher Machines

Automatismof permutationsand substitutions

EnigmaBut no proof

of better security!


Paradoxical PeriodParadoxical Period

• Symmetric Cryptography• Asymmetric Cryptography

One-way Functions

⇒ Security Proofs


Kerckhoffs’Kerckhoffs’ Principles Principles

In 1883, in “La Cryptographie Militaire”Kerckhoffs wrote:

• the system should be, if not theoreticallyunbreakable, unbreakable in practice

• compromise of the system should notinconvenience the correspondents

• the key should be rememberable withoutnotes and should be easily changeable

• etc …


Symmetric EncryptionSymmetric Encryption

kk

� �m c m

Encryption Algorithm, �Decryption Algorithm, �

Security = secrecy: impossible to recover m from c only (without k)

Security : heuristic


SummarySummary



Two Keys…Two Keys…

AsymmetricCryptography

Diffie-Hellman 1976

– A private key (decryption kd)to help him to decrypt

Alice Bobsecrecy

authenticity

Asymmetric Encryption:Bob owns two “keys”

– A public key (encryption ke)so that anybody can encrypt

a message for him⇒ known by everybody

(included Alice)

⇒ known by Bob only


Encryption / decryptionEncryption / decryptionattackattackGranted Bob’s public key,

Alice can lock the safe,with the message inside

(encrypt the message)

Alice sends the safe to Bobno one can unlock it(impossible to break)

Excepted Bob,granted his private key(Bob can decrypt)


Encryption SchemeEncryption Scheme

3 algorithms :• - key generation• - encryption• - decryption

(ke,kd)ω

kdke

rc mm


Conditional SecrecyConditional Secrecy

The ciphertext comes from c = �ke(m;r)

• The encryption key ke is public

• A unique m satisfies the relation(with possibly several r)

Algorithmic assumptions

At least exhaustive search on m and rcan lead to m, maybe a better attack!

⇒ unconditional secrecy impossible


SummarySummary



encryptiondifficult

to break decryption

Integer Factoring and RSAInteger Factoring and RSA

• Multiplication/Factorization :– p, q � n = p.q easy (quadratic)– n = p.q � p, q difficult (super-polynomial)

One-WayFunction

trapdoorkey

��

• RSA Function, from n in n (with n=pq)for a fixed exponent e Rivest-Shamir-Adleman 1978

– x � xe mod n easy (cubic)

– y=xe mod n � x difficult (without p or q)x = yd mod n where d = e-1 mod ϕ(n)


The RSA ProblemsThe RSA Problems

• Let n=pq where p and q are large primes• The RSA problem: for a fixed exponent e

[ ]xynxy e

yen

n

===∈

)(modPr)(Succ rsa, ��

��

• The Flexible RSA problem:

[ ]),()(modPr)(Succ rsa-fl exynxy e

yn

n

===∈

��

with the restriction for e to be prime


The Discrete LogarithmThe Discrete Logarithm

• Let � = (<g>, ×) be any finite cyclic group• For any y∈�, one defines

Logg(y) = min{ x ≥ 0 | y = gx}• One-way function

– x → y = gx easy (cubic)– y = gx → x difficult (super-polynomial)

[ ]x

xg gyxy

q

===∈

)(Pr)(Succdl��

�


Any Trapdoor …?Any Trapdoor …?

• The Discrete Logarithm is difficultand no information could help!

• The Diffie-Hellman Problem (1976):

• Given A=ga and B=gb

• Compute DH(A,B) = C=gab

Clearly CDH ≤ DL: with a=LoggA, C=Ba

[ ]abba

bag gCgBgACBA

q

=====∈

,,),(Pr)(Succ,

cdh��

�


Another DL-based ProblemAnother DL-based Problem

The Decisional Diffie-Hellman Problem:

• Given A, B and C in <g>

• Decide whether C = DH(A,B)

Clearly DDH ≤ CDH ≤ DL

[ ][ ] ,,1),,(Pr

,,1),,(Pr)(Adv

,

,,ddhabba

ba

cba

cba

ggCgBgACBA

gCgBgACBA

q

q

====−

=====

∈

∈

�

�

��

�


RecordAug 1999

20115681921491044096111662048803510245813512

Operations(en log2)

Mips-Year(log2)

Modulus(bits)

Complexity EstimatesComplexity Estimates

Estimates for integer factoring Lenstra-Verheul 2000

Can be used for RSA tooLower-bounds for DL in *

p�

Mile-stone


SummarySummary



Algorithmic AssumptionsAlgorithmic Assumptionsnecessarynecessary

• n=pq : public moduluse : public exponent

• d=e-1 mod ϕ(n) : private

RSA Encryption(m) = me mod n

(c) = cd mod n

If the RSA problem is easy,secrecy is not satisfied:anybody may recover m from c


Algorithmic AssumptionsAlgorithmic Assumptionssufficient?sufficient?

Security proofs give the guarantee thatthe assumption is enough for secrecy:

• if an adversary can break the secrecy• one can break the assumption

⇒ “reductionist” proof


Proof by ReductionProof by Reduction

Reduction of a problem ��to an attack Atk:

• Let be an adversary that breaks the scheme

Instance� of �

� intractable ⇒ scheme unbreakable

Solutionof �

then can be used to solve �


Provably Secure SchemeProvably Secure Scheme

To prove the security of a cryptographicscheme, one has to make precise

• the algorithmic assumptions• the security notions to be guaranteed• a reduction:

an adversary can helpto break the assumption


Practical SecurityPractical Security

• Complexity theory: T polynomial• Exact Security: T explicit• Practical Security: T small (linear)Eg : t’ = 4t

intractable within less than 280 operations⇒ scheme unbreakable

within less than 278 operations

Adversarywithin t

Algorithmagainst

within t’ = T (t)


Security NotionsSecurity Notions

According to the needs, one defines• the goals of an adversary• the means of an adversary,

i.e. the available information


SummarySummary



Asymmetric EncryptionAsymmetric Encryption

• Formal Security Model• Examples• Provable Security






kdke

� �m c m

Security = secrecy: impossibleto recover m from public information(i.e from c, but without kd)

• Encryption Algorithm, �• Decryption Algorithm, �


Basic SecrecyBasic Secrecy

• One-Wayness (OW) :without the private key, it is computationally

impossible to recover the plaintext

[ ])(),(Pr)(Succ,

m;rcmcrm

ow === ek

Not enough if one already has someinformation about m :

• “Subject: XXXXX”

• “My answer is XXX” (XXX = Yes/No)


Strong SecrecyStrong Secrecy

• Semantic Security (IND - Indistinguishability) :GM 1984

the ciphertext reveals no more informationabout the plaintext to a polynomial adversary

1Pr2 ),(

)(),,(),,,( 110

102,

−

←←

=rmc

smmbscmm

bbr

ek

=)(Advind


Non-MalleabilityNon-Malleability

• Non-Malleability (NM):DDN 1991

No polynomial adversary can derive, from aciphertext c= (m;r), a second one c’= (m’ ;r’ )so that the plaintexts m and m’ are meaningfullyrelated

non-malleability⇓

semantic security⇓

one-wayness


Basic AttacksBasic Attacks

• Chosen-Plaintext Attacks (CPA)In public-key cryptography setting,

the adversary can encrypt any messageof his choice, granted the public key

⇒ the basic attack


Improved AttacksImproved Attacks

• More information: oracle access– reaction attacks

oracle which answers, on c,whether the ciphertext c is valid or not

– plaintext-checking attacksoracle which answers, on a pair (m,c),whether the plaintext m is reallyencrypted in c or not (whether m = (c))


StrongStrong Attacks Attacks

• Chosen-Ciphertext Attacks (CCA)The adversary has access to the strongest oracle:

the decryption oracle (with the natural restrictionnot to use it on the challenge ciphertext)

The adversary can obtain the plaintext of anyciphertext of his choice (excepted the challenge)

– non-adaptive (CCA1) NY 1990

only before receiving the challenge– adaptive (CCA2) RS 1991

unlimited oracle access


RelationsRelations BDPR C-1998BDPR C-1998

Implications and separations

NM-CPA ⇐ NM-CCA1 ⇐ NM-CCA2⇓ ⇓

IND-CPA ⇐ IND-CCA1⇐ IND-CCA2

strong security: CCA

minimalsecurity

weak security

⇓OW-CPA





RSA EncryptionRSA Encryption

• n = pq, product of large primes

• e, relatively prime to ϕ(n) = (p-1)(q-1)

• n, e : public key• d = e-1 mod ϕ(n) : private key

nmm e mod)( = ncc d mod)( =

OW-CPA = RSA problem

Nothing to prove = definition


• = (<g>, ×) group of order q• x : private key• y=gx : public key

),(),();( dcmygam aa →= xcddc /),( =

OW-CPA = CDH AssumptionIND-CPA = DDH Assumption

To be proven to see the restrictions

ElEl Gamal Gamal Encryption Encryption





� is given as input � = (<g>, ×) and (A,B)• y ← A and c ← B• choose a random value d : � (y,(c,d)) → m• output d/m If m is correct, DH(A,B)=d/m

Succcdh (�) = Succow(� )

),(),();( dcmygam aa →=�xcddc /),( =�

[ ])(),()),(,(Pr)(Succ,

m;adcmdcyrm

ow�=== ��

ElEl Gamal Gamal: OW-CPA: OW-CPA


� is given as input�� = (<g>, ×) and (A, B, C)• y ← A and c ← B: � � (y) → (m0, m1)• b ∈{0,1} and d ← C mb: � 2(c,d) → b’• output β = (b=b’ )

Let us assume that m0, m1 ∈ �:– If C=DH(A,B), Pr[b=b’ ] = Pr[ � (c,d) = b]– If C≠DH(A,B), Pr[b=b’ ] = 1/2

ElEl Gamal Gamal: IND-CPA: IND-CPA

1Pr2)(Adv );(),(

)(),,( )),,(,,( 110

102,

−=

←←

=amdc

ysmmbsdcmmind

bba �

��


If the messages are encoded into :– If C=DH(A,B), Pr[b=b’ ] = Pr[�(c,d) = b]– If C≠DH(A,B), Pr[b=b’ ] = 1/2

ElEl Gamal Gamal: IND-CPA (: IND-CPA (Cnt’dCnt’d))

[ ][ ] [ ][ ] [ ][ ] [ ]0 1'Pr1 1'Pr

0 'Pr1 'Pr

10 'Pr1 'Pr

1'Pr2)(Adv

==−====≠−===

−==+===−==

bbbb

bbbbbb

bbbbbb

bb�

[ ] [ ][ ] )(Adv

2

1

2

1 'Pr

),(CDH 1Pr),(CDH 1Pr)(Advddh

�

�

indbb

BACBAC

=−==

≠=−===

Thus,Advind(t) ≤ 2 Advddh (t’ )


Signature SchemesSignature Schemes

• Formal Security Model• Examples





AuthenticationAuthentication

• Signature Algorithm, �• Verification Algorithm, �

kvks

��

m σ0/1

m

Security: impossible to forgea valid σ without ks


Basic GoalBasic Goal

• Existential Forgery:without the private key,

it is computationally impossible to forgea valid message-signature pair

[ ]),()(1),(Pr)(Succ mmef === vk


Basic AttacksBasic Attacks

• No-Message AttacksIn the public-key cryptography setting,

the adversary knows the verification key,and can thus verify any signature

• Known-Message Attacks (KMA)Message-signature pairs are aimed

to be published: the adversary has thusaccess to a list of message-signature pairs

⇒ the basic attack


Chosen-Message AttacksChosen-Message Attacks

• Chosen-Message Attacks (CMA)In the list of message-signature pairs,

the messages are adaptively chosenby the adversary

⇒ the strongest attack


Probabilistic SignaturesProbabilistic Signatures

• With probabilistic schemes,several signatures may be associatedto a given message

• Existential Forgery: produce a signature σfor a new message m (not in the list Λ)

• Malleability: produce a new pair (m,σ)∉Λ maybe for an already signed message

((m,σ’) is in Λ for some σ’ ≠ σ)Non-malleability

⇒ resistance to existential forgeries


Probabilistic Signatures (Probabilistic Signatures (Cnt’dCnt’d))

• Chosen-Message Attacks (CMA)the adversary can ask any message of his

choice, maybe the same several times(this may give more information

with probabilistic schemes)

• Single-OccurrenceChosen-Message Attacks (SO-CMA)

each message can be asked at most once





RSA SignatureRSA Signature

• n = pq, product of large primes

• e, relatively prime to ϕ(n) = (p-1)(q-1)

• n, e : public key• d = e-1 mod ϕ(n) : private key

)mod(),(?

nmm e ==�nmm d mod)( =�

Existential Forgery = easy!


GHR SignatureGHR Signature

• n = pq, product of large primes• y ∈ n

*

• n, y : public key• p,q or ϕ(n) : private key

)mod()(?

nyxm,e,x e ==)mod,()( nyem d=

If p function from into primes

Existential Forgery = Flexible RSA Problem

p, functione=p(m)d=e-1 mod ϕ(n)


SummarySummary



Strong Security NotionsStrong Security Notions

Signature: difficult to obtain securityagainst existential forgeries

Encryption: difficult to reach CCA securityMaybe possible, but with inefficient schemesInefficient schemes are unuseful in practice:

Everybody wants security,but only if it is transparent


Ideal ModelsIdeal Models

⇒ one makes some ideal assumptions:– ideal random hash function:

random oracle model

– ideal symmetric encryption:ideal cipher model

– ideal group:generic model (generic adversaries)


The Random Oracle ModelThe Random Oracle Model

• Introduced by Bellare-Rogaway ACM-CCS ‘93

• The most admitted model• It consists in considering some functions

as perfectly random functions,or replacing them by random oracles:

– each new query is returned a random answer– a same query asked twice receives twice

the same answer


Modeling a Random OracleModeling a Random Oracle

A usual way to model a random oracle His to maintain a list ΛH which containsall the query-answers (x,ρ):

• ΛH is initially set to an empty list• A query x to H is answered the following way

– if for some ρ, (x,ρ) ∈ ΛH, ρ is returned– otherwise,

sa random ρ is drawn from the appropriate ranges(x,ρ) is appended to ΛH

sρ is returned


The Generic ModelThe Generic Model

• It consists in considering the underlyinggroup as a generic one: (�,+) ≈ (� q,+)

• But the adversary has accessto the encoding of elements: �(Q)

• If one assumes that � = <P>,we define σ(x) = �(x.P)

σ(x ± y) = �((x ± y).P) = �(x.P ± y.P)

• Generic group: the encoding is random


Modeling a Generic GroupModeling a Generic GroupA usual way to model a generic group is to

maintain a list Λ which contains all (x, σ(x)):• Λ is initially set to ((1, σ(1)), (x, σ(x))): P and Y• A query σ1 ± σ2 to the group law is answered:

– First, because of the randomness of the encoding,there exist x1, x2, such that (x1, σ1), (x2, σ2) ∈ Λ

– If (x1 ± x2, σ) ∈ Λ for some σ, σ is returned– otherwise,

sa new random σ is drawns(x1 ± x2, σ) is appended to Λsσ is returned


Proofs in the Generic ModelProofs in the Generic Model

• Λ ← ((P1, σ1), (P2, σ2)):– (P1, σ1) = (1, σ1) encodes P, the generator– (P2, σ2) = (X, σ2) encodes Y, a random point

(Y = x.P),thus x is replaced by the unknown X

• For a query σi ± σj, one looks for(Pi, σi), (Pj, σj) ∈ Λ

– If (Pi ± Pj, σ) ∈ Λ for some σ, σ is returned

– Otherwise, Pk = Pi ± Pj, a new σ is drawn

(Pk, σ) is appended to Λ and σ is returned


Bad SimulationBad Simulation

• Λ ← ((P1 = 1, σ1), (P2 = X, σ2)): (P, Y = x.P)• For a query σi ± σj, one looks for

(Pi, σi), (Pj, σj) ∈ Λ– If (Pi ± Pj, σ) ∈ Λ for some σ, it is returned

– Otherwise, Pk = Pi ± Pj, a new σ is drawn

A problem arises if P ≠ P’ while P(x) = P’ (x)

But Q = P - P’ ≠ 0 is affine,then Pr[Q(x) = 0] ≤ 1/q


Bad Simulation (Bad Simulation (Cnt’dCnt’d))

• After n queries to the group law oracle,at most n+2 polynomials have been defined.

• The probability that a problem arisesis less than (n+1)(n+2)/2q


SummarySummary



ReductionReduction

Several problems 1, 2, 3, ... may be reducedto a given attack Atk:

• Let be an adversary that breaks the scheme,with probability ε on a probability space,defined by the internal coins, the externalones, the keys and the random oracles.

• We successively modify the probability space


ModificationsModifications

The modifications of the probability space mayimpact the success probability: ε = Pr[S]

• probability space unchanged⇒ the success probability is unchanged

• unchanged unless a bad event E happens– S is independent of E: ε’ ≥ ε × Pr[¬E]

ε’ = Pr[S’ ] = Pr[S’ ∧ E] + Pr[S’ ∧ ¬E]≥ Pr[S’ ∧ ¬E] = Pr[S’ | ¬E] Pr[¬E]≥ Pr[S] Pr[¬E] = ε × Pr[¬E]


Shoup’sShoup’s Lemma Lemma

The modifications of the probability space mayimpact the success probability: ε = Pr[S]

• unchanged unless a bad event E happens– S is not independent of E: | ε’ - ε | ≤ Pr[E]

| ε’ - ε | = | Pr[S’ ] - Pr[S] |= | Pr[S’ ∧E] + Pr[S’ ∧¬E]

- Pr[S’ ∧E] - Pr[S’ ∧¬E] |= | Pr[S’ | E] Pr[E] + Pr[S’ | ¬E] Pr[¬E]

- Pr[S| E] Pr[E] - Pr[S| ¬E] Pr[¬E] |= | Pr[S’ | E] - Pr[S| E] | × Pr[E] ≤ Pr[E]


We thus define a sequence of games:• Game 0 - the original attack - Pr[S0] = ε• Game 1 - relation between Pr[S0] and Pr[S1]

�

• Game i: which differs from Game i-1only if event E happens

Event E happens = problem � is broken⇒ Pr[E] ≤ Succ�(t’ )

where t’ is the running time of Game i⇒ relation between Pr[Si-1], Pr[Si], Succ�(t’ )

GamesGames


• Game n: the success probability is easyto determine

typically: Pr[Sn] = 0 or Pr[Sn] = 1/2or also Pr[Sn] ≤ q/2k

⇒ one gets an upper-bound on ε = Pr[S0]

Final GameFinal Game


• Such a kind of proof clearly points outcrucial points: the bad events to cancel

• The proof is easy to check/follow

ConclusionConclusion

provable security · – x xe mod n easy (cubic) – y=xe mod n x difficult (without p or q) x = yd...

Documents