Introduction to Security Proof of Cryptosystems

Similar documents
Advanced Cryptography

Improved Online/Offline Signature Schemes

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

CIS 5371 Cryptography. 8. Encryption --

Universal Padding Schemes for RSA

Lecture 15 - Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

Lecture 9 - Message Authentication Codes

Victor Shoup Avi Rubin. Abstract

Introduction. Digital Signature

Identity-Based Encryption from the Weil Pairing

Capture Resilient ElGamal Signature Protocols

Shor s algorithm and secret sharing

Proofs in Cryptography

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Elements of Applied Cryptography Public key encryption

An Introduction to the RSA Encryption Method

Computer Security: Principles and Practice

Overview of Public-Key Cryptography

Post-Quantum Cryptography #4

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

An Overview of Common Adversary Models

Security Arguments for Digital Signatures and Blind Signatures

A Factoring and Discrete Logarithm based Cryptosystem

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

Lukasz Pater CMMS Administrator and Developer

Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc Theoretical Computer Science Konstantinos Vamvourellis

Lecture 13: Factoring Integers

The Mathematics of the RSA Public-Key Cryptosystem

RSA Attacks. By Abdulaziz Alrasheed and Fatima

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Public Key Cryptography and RSA. Review: Number Theory Basics

CSCE 465 Computer & Network Security

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

Paillier Threshold Encryption Toolbox

RSA Question 2. Bob thinks that p and q are primes but p isn t. Then, Bob thinks Φ Bob :=(p-1)(q-1) = φ(n). Is this true?

Lecture 6 - Cryptography

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Lecture Notes on Cryptography

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Public Key Cryptography: RSA and Lots of Number Theory

Lecture 3: One-Way Encryption, RSA Example

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Guaranteed Slowdown, Generalized Encryption Scheme, and Function Sharing

Digital Signatures. Prof. Zeph Grunschlag

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

1 Message Authentication

Signature Schemes. CSG 252 Fall Riccardo Pucella

Privacy-Providing Signatures and Their Applications. PhD Thesis. Author: Somayeh Heidarvand. Advisor: Jorge L. Villar

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

1 Signatures vs. MACs

Study of algorithms for factoring integers and computing discrete logarithms

Lecture 2: Complexity Theory Review and Interactive Proofs

RSA Encryption. Tom Davis October 10, 2003

Lecture 25: Pairing-Based Cryptography

Chapter 12. Digital signatures Digital signature schemes

The application of prime numbers to RSA encryption

Cryptography and Network Security

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Cryptography and Network Security Chapter 9

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

On Factoring Integers and Evaluating Discrete Logarithms

LUC: A New Public Key System

VoteID 2011 Internet Voting System with Cast as Intended Verification

Public Key (asymmetric) Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

CS 758: Cryptography / Network Security

MACs Message authentication and integrity. Table of contents

Crittografia e sicurezza delle reti. Digital signatures- DSA

Non-Black-Box Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak

Computing exponents modulo a number: Repeated squaring

Non-interactive and Reusable Non-malleable Commitment Schemes

Lecture 5 - CPA security, Pseudorandom functions

Message Authentication Code

Chosen-Ciphertext Security from Identity-Based Encryption

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

Index Calculation Attacks on RSA Signature and Encryption

The Exact Security of Digital Signatures How to Sign with RSA and Rabin

Public Key Cryptography. Performance Comparison and Benchmarking

Cryptography. Jonathan Katz, University of Maryland, College Park, MD

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

DIGITAL SIGNATURES 1/1

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Transcription:

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007

Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to prove the security of cryptosystems. However, most cryptosystems have not been able to find a suitable way to prove their security based on the standard notions of problem reduction. Recently random oracle model has been proposed for the prove of the security of cryptosystems. In this talk, I will use examples to illustrate the prove of the security of the cryptosystems by using random oracle model.

Introduction A cryptosystem C is defined by (P, C, K, E, D), where 1. P is a finite set of pliantexts, 2. C is a finite set of cyphertext, 3. K is a finite set of keys, 4. E is a finite set of encryption functions, and 5. D is a finite set of decryption functions. 1

RSA Cryptosystem n = p q; p, q: large distinct primes P = C = Z n K = {(n, e, d) e d 1 (mod φ(n))} e k (x) = x e mod n d k (y) = y d mod n 2

To prove a cryptosystem C is secure we must 1. formally define the security requirements of C, and 2. show that C satisfies the security requirements. 3

The security of RSA RSA is secure if for every y C it is hard to compute x, x e y (mod n). By the above definition, RSA is not secure, since 1 e 1 (mod n) Any acceptable security definitions to make RSA secure? Is RSA secure? 4

How to Show a Problem is Hard? L = 4600000000 365 86400 4700000000 1000000000 < 10 36 Show that it needs at least L computational steps to solve the problem. Time complexity T (n), or space complexity S(n), of a problem. Lower bound of a problem. Very few problems lower bounds have been proved. 5

How to Show a Problem is Hard? Show that the most efficient algorithm known today to solve the problem needs at least L computational steps. Some problems are hard to solve by the best known algorithms. NP-Complete problems: No polynomial time algorithms have been discovered. Factoring an integer, Discrete logarithm problem: O(e α(log n)β (log log n) (1 β) ), where β = 1/3 for number field sieve. 6

Problem Reduction 1. select a problem P which is known to be hard to solve, 2. reduce the problem P to the security of C. Since P is hard to solve, the cryptosystem C is hard to break. This is called problem reduction. 7

Problem Reduction A p B: problem A is polynomial time reducible to problem B if 1. Given an instance I A of A we can construct an instance I B of B such that the solution B(I B ) can be converted into the solution A(I A ). 2. Both the construction of the instance and the conversion of the solution can be done in polynomial time. 8

This is called many-one reduction. If A p B then problem B is harder to solve than A. A p B if A p B and B p A. 9

Problem Reduction, an Example Let n = p q, where p and q are unknown distinct primes. Problem A: factor n Problem B: solve x 2 a (mod n) for x Theorem 1 A p B. 10

A p B: Assume B can be solved in polynomial time, Then the following is a polynomial time probabilistic algorithm to factor n. input: an integer n output: a factor of n method: 1. Randomly select an integer y. 2. If d = gcd(y, n) > 1 then d is a factor of n; stop. 3. Compute a = y 2 mod n. 4. Solve x 2 a (mod n) for x by using algorithm B. 5. If x = ±y then fail; otherwise gcd(x + y, n) is a factor of n. 11

B p A: Assume A can be solved in polynomial time. The following is an algorithm to solve x 2 a (mod n) for x in polynomial time. input: two integers a and n output: x, x 2 a (mod n) method: 1. Factor n = pq by using algorithm A. 2. Solve x 2 p a (mod p) for x p. 3. Solve x 2 q a (mod q) for x q. 4. Compute x such that x mod p = x p and x mod q = x q by using Chinese remainder theorem. 12

Turing Reduction and Oracle Computation An oracle O B is a hypothetical algorithm for solving problem B. To show that a problem A is solvable by a Turing machine with oracle O B is the same as to show A p B The oracle can be called many times. 13

Public-Key Cryptosystem A public-key encryption scheme consists of 1. key generation algorithm K: It is a probabilistic algorithm. On input the security parameter w, K generates public key k p and secrete key k s. 2. encryption algorithm E kp : On input a message m, E kp computes the ciphertext c = E kp (m). The encryption algorithm may be probabilistic. That is, in addition to the message m, it can take a random number r as its input. 3. decryption algorithm D ks : On input a ciphertext c, D ks computes the original message m. 14

Semantically Secure A public key cryptosystem is semantically secure if no polynomialtime attacker can learn any information about the plaintext from the ciphertext. 15

Define a game G played by two players A and B. 1. A selects two messages m 0 and m 1, and sends them to B. 2. B randomly selects one of the message m j {m 0, m 1 } to encode. The ciphertext c = E kp (m j ) is then given to the A. 3. A determines which one of the messages whose encryption is c, that is. c = E kp (m 0 ) or c = E kp (m 1 ). A wins if A can determine the message whose encryption is c; otherwise B wins. 16

Semantically Secure A cryptosystem is semantically secure if the game G is a fair game for both players. That is, A has no strategy with the probability of winning 1 2 + ɛ for any ɛ > 0. In the above game, A should be regarded as a polynomial-time probabilistic Turing machine. That is, A can use only a limited computing resources. 17

Random Oracles As mentioned above, it is difficult to find a problem reduction to show that a cryptosystem is secure. In some cases, we can show that a cryptosystem is secure by adding more oracles. These additional oracles are usually hash functions. On input x, the hash function usually responds a random number. On some specific input, the response is a special number which is useful to solve the hard problem. 18

An Example Define a cryptosystem C as follows. 1. public functions: f: one-way trap-door function, and h: random number generator. 2. encryption: E kp (m, r) = (f(r), m h(r)), where r is a random number. 3. decryption: (exercise) The one-way trap-door function f is considered to be hard to invert without the trap-door (key). 19

Theorem 2 The cryptosystem C is semantically secure. Assume that there is an attacker A with probability of winning 1 2 + ɛ, then there is a Turing machine with random oracle O (or a hash function h) which can invert the one-way trap-door function f with probability of success ɛ. There are two oracles, the attacker A and the random oracle O. Note that ɛ should be non-negligible. That is, ɛ 1/p(w), where p(w) is a polynomial of the security parameter w. 20

Construct a Turing machine, T with oracle A and O. On input f and y, T finds r such that f(r) = y. 1. The oracle O. Whenever A makes a query to h(r) (a) If f(r) = y then print r and stop. (b) Otherwise return a random number t. 2. The attacker A. Play the role of A in the game G. 3. After receiving the two messages m 0 and m 1 from A, T randomly selects an s and let c = (y, s). 21

We need to show that 1. the random oracle O (or a hash function h) is consistent, and 2. c = (y, s) is the encryption of m 0 or m 1. (Recall that E kp (m, r) = (f(r), m h(r))) 3. the algorithm will succeed with probability ɛ in inverting the function f. 22

Digital Signature Scheme A signature scheme consists of 1. key generation algorithm K It is a probabilistic algorithm. On input the security parameter w, K generates public key k p and secrete key k s. 2. signing algorithm S ks On input a message m, S ks computes the signature u = S ks (m). The signing algorithm may be probabilistic. 3. verification algorithm V kp On input a signature u and m, V kp (u, m) = 1 if and only if u is a valid signature of m. 23

An Example Define a signature scheme S as follows. 1. public functions: f: one-way trap-door function h: one-way hash function 2. signature: u = S ks (m) = f 1 (h(m)) 3. verification: V kp (u, m) = 1 if and only if f(u) = h(m). 24

Polynomial Time Attacker of S An attacker of the signature scheme S is an probabilistic polynomial time algorithm F that can compute a valid signature u for a message m. The attacker F must call hash function for the signature of the message m. In addition, F can also ask for the signature of messages other than m. 25

Theorem 3 The signature scheme S is secure. Assume that there is an attacker F with probability of success ɛ, then there is a random oracle O (or a hash function h) that can be used to invert the one-way trap-door function f with probability of success ɛ/r, where r is the number of queries to the random oracle. Assume that F makes r queries to the random oracle, and that it must query h(m) before it can compute the signature of m. 26

Given f and y, find r such that f(r) = y. O for h(r): 1. Randomly chooses s [1, r]. 2. Checks if f(r) = y or not. If it is, then print r and stop; otherwise (a) if i = s then return y. (b) if i s then choose a random number t and return f(t). S for the signature: 1. if m = m s then fail; stop; 2. if m m s, it returns t; 27

We need to show that the random oracle is consistent and the algorithm will succeed with probability ɛ/r in inverting the function f. m : m 1 m 2 m s... m r u : t 1 t 2 r... t r h(m) : f(t 1 ) f(t 2 ) y... f(t r ) Recall that the signature of m is u = f 1 (h(m i )). 28

Summary of the Random Oracle Method To prove that a cryptosystem or a signature scheme is secure, we need to do the following steps. 1. Define the security requirements of the cryptosystem formally. 2. Find a hard problem. 3. Make assumptions that the attacker must do. 4. Use the attacker to solve the hard problem. 29

In the above, (1), (2), and (4) are the same as the standard problem reduction. If we make no assumptions on the attacker to break the cryptosystem, then the proof can be converted into a standard problem reduction. In standard problem reduction, we take the attacker as a black box. The theorem we proved in this way is the strongest one. 30

As mentioned before, standard problem reduction is difficult to find for almost all cryptosystems, signature schemes, and cryptographic protocols. However, if we make some assumptions on the attacking algorithm, then we can prove the security of some cryptosystems, signature schemes, or cryptographic protocols. The more assumptions we make, the weaker the theorems are. 31

Assumptions we can make on the attacking algorithm include 1. calls to the hash function, 2. calls to the signature function, 3. etc. In addition to the above assumptions, we can also rewrite the hash function, etc. In doing these, we must must make everything consistent. We should also make these functions provided by us look the same as the real functions to the attacking algorithm. 32

Since it is believed that the attacking algorithm should work for every reasonable hash functions, the attacking algorithm should also work for the function provided by us. What have we proved by using the random oracle model and play the role of generating the values for the hash function? We have shown that there exists a hash functions which, together with the attacking algorithm, can allow us to solve some hard problems. Since we believe that the attacking algorithm works for any reasonable hash functions, the attacking algorithm, if it exists, can be used to solve hard problems. 33

References 1. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the First ACM Conference on computer and Communication, pages 62 73, New York, November 1993. ACM Press. 2. Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28:270 299, 1984.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information