INTRODUCTION TO PROVABLE
SECURITY
Models, Adversaries, Reductions
CRYPTOGRAPHY / CRYPTOLOGY
โfrom Greek ฮบฯฯ ฯฯฯฯ kryptรณs, "hidden, secret";
and ฮณฯฮฌฯฮตฮนฮฝ graphein, "writing", or -ฮปฮฟฮณฮฏฮฑ -logia, "study",
respectivelyโ
โis the practice and study of techniques for secure
communication in the presence of third parties
(called adversaries).โ
Source : www.wikipedia.org
SOME CRYPTOGRAPHIC GOALS
Confidentiality
Content of conversation remains hidden
Authenticity
Message is really sent by specific sender
Integrity
Message has not been modified
Privacy:
Sensitive (user) data remains hidden
Covertcy
The fact that a conversation is taking place is hidden
โฆ.
SECURITY BY TRIAL-AND-ERROR
Identify goal (e.g. confidentiality in P2P networks)
Design solution โ the strategy:
Propose protocol
Search for an attack
If attack found, fix (go to first step)
After many iterations or some time, halt
Output: resulting scheme
Problems:
What is โmanyโ iterations/ โsomeโ time?
Some schemes take time to break: MD5, RC4โฆ
PROVABLE SECURITY
Identify goal. Define security:
Syntax of the primitive: e.g. algorithms (KGen, Sign, Vf)
Adversary (e.g. can get signatures for arbitrary msgs.)
Security conditions (e.g. adv. canโt sign fresh message)
Propose a scheme (instantiate syntax)
Define/choose security assumptions
Properties of primitives / number theoretical problems
Prove security โ 2 step algorithm:
Assume we can break security of scheme (adv. ๐ด)
Then build โReductionโ (adv. ๐ต) breaking assumption
PART II
THE PROVABLE SECURITY METHOD
THE ESSENCE OF PROVABLE SECURITY
Core question: what does โsecureโ mean?
โSecure encryptionโ vs. โSecure signature schemeโ
Step 1: Define your primitive (syntax)
Signature Scheme: algorithms (KGen, Sign, Vf)
* KGen(1๐พ) outputs (sk, pk)
* Sign(sk,m) outputs S (prob.)
* Vf(pk,m,S) outputs 0 or 1 (det.)
Say a scheme is secure against all known attacks
โฆ will it be secure against a yet unknown attack?
THE ESSENCE OF PROVABLE SECURITY
Step 2: Define your adversary
Adversaries ๐ด can: know public information: ๐พ, pk
get no message/signature pair
get list of message/signature pairs
submit arbitrary message to sign
Step 3: Define the security condition
Adversary ๐ด can output fresh (m,S) which verifies,
with non-negligible probability (as a function of ๐พ)
THE ESSENCE OF PROVABLE SECURITY
Step 4: Propose a protocol
Instantiate the syntax given in Step 1.
E.g. give specific algorithms for KGen, Sign, Vf.
Step 5: Choose security assumptions
For each primitive in the protocol, choose assumptions
โข Security Assumptions (e.g. IND-CCA encryption)
โข Number Theoretical Assumptions (e.g. DDH, RSA)
THE ESSENCE OF PROVABLE SECURITY
Step 6: Prove security
For each property you defined in steps 1-3:
โข Assume there exists an adversary ๐ด breaking
that security property with some probability ๐
โข Construct reduction ๐ต breaking underlying
assumption with probability f(๐)
HOW REDUCTIONS WORK
Reasoning:
If our protocol/primitive is insecure, then the
assumption is broken
But the assumption holds (by definition)
Conclusion: The protocol cannot be insecure
Caveat:
Say an assumption is broken (e.g. DDH easy to solve)
What does that say about our protocol?
Security assumptions are baseline
We donโt know!
PART III
ASSUMPTIONS
WE NEED COMPUTATIONAL ASSUMPTIONS
Correctness: if parameters are well generated,
well-signed signatures always verify.
Take our signature schemes (KGen, Sign, Vf)
KGen1๐
Signsk
pk
m
๐
Vf 0/1
WE NEED COMPUTATIONAL ASSUMPTIONS
Unforgeability: no adversary can produce
signature for a fresh message m*
Take our signature schemes (KGen, Sign, Vf)
KGen1๐
Signsk
pk
m
๐
Vf 0/1
But any ๐ด can guess ๐ ๐ with probability เต1 2|๐ ๐|
WE NEED COMPUTATIONAL ASSUMPTIONS
Unforgeability: no adversary can produce
signature for a fresh message m*
Take our signature schemes (KGen, Sign, Vf)
KGen1๐
Signsk
pk
m
๐
Vf 0/1
And any ๐ด can guess valid ๐ with probability เต1 2|๐|
SOME COMPUTATIONAL ASSUMPTIONS
Of the type: It is โhardโ to compute ๐ฅ starting from ๐ฆ.
How hard?
Usually no proof that the assumption holds
Mostly measured with respect to โbest attackโ
Sometimes average-case, sometimes worst-case
Relation to other assumptions:
A 1 โโโ A 2: break A 2 => break A 1
A 1 โโโ A 2: break A 1 => break A 2
A 1 โโ A 2: both conditions hold
stronger
weaker
equivalent
EXAMPLES: DLOG, CDH, DDH
Background:
Finite field F, e.g. Z*p = {1, 2, โฆ , p-1} for prime p
Multiplication, e.g. modulo p: 2 ๐ โ 2 = 2๐ โ 4 = ๐ โ 4
Element ๐ of prime order ๐| (๐ โ 1) :
๐๐ = 1 (mod ๐) AND ๐๐ โ 1 mod ๐ โ ๐ < ๐
Cyclic group G = < ๐ > = {1, ๐, ๐2โฆ๐๐โ1}
DLog problem:
Pick ๐ฅ โ๐ {1, โฆ , ๐}. Compute ๐ = ๐๐ฅ (mod ๐).
Given ๐, ๐, ๐, ๐ find ๐ฅ.
Assumed hard.
EXAMPLES: DLOG, CDH, DDH
DLog problem:
Pick ๐ฅ โ๐ {1, โฆ , ๐}. Compute ๐ = ๐๐ฅ (mod ๐).
Given ๐, ๐, ๐, ๐ find ๐ฅ.
Assumed hard.
EXAMPLES: DLOG, CDH, DDH
DLog problem:
Pick ๐ฅ โ๐ {1, โฆ , ๐}. Compute ๐ = ๐๐ฅ (mod ๐).
Given ๐, ๐, ๐, ๐ find ๐ฅ.
Assumed hard.
CDH problem:
Pick ๐ฅ, ๐ฆ โ๐ {1, โฆ , ๐}. Compute ๐ = ๐๐ฅ mod ๐ ;
๐ = ๐๐ฆ (mod ๐).
Given ๐, ๐, ๐, ๐, ๐ find ๐๐ฅ๐ฆ.
Just to remind you: ๐๐๐ = ๐ฟ๐ = ๐๐ โ ๐ฟ๐ = ๐๐+๐
Solve D-LOG โ Solve CDH
Solve CDH โ Solve D-LOG
EXAMPLES: DLOG, CDH, DDH
DLog problem:
Pick ๐ฅ โ๐ {1, โฆ , ๐}. Compute ๐ = ๐๐ฅ (mod ๐).
Given ๐, ๐, ๐, ๐ find ๐ฅ.
CDH problem:
Pick ๐ฅ, ๐ฆ โ๐ {1, โฆ , ๐}. Compute ๐ = ๐๐ฅ mod ๐ ;
๐ = ๐๐ฆ (mod ๐).
Given ๐, ๐, ๐, ๐, ๐ find ๐๐ฅ๐ฆ.
DDH problem:
Pick ๐ฅ, ๐ฆ, ๐ง โ๐ {1, โฆ , ๐}. Compute ๐, ๐ as above
Given ๐, ๐, ๐, ๐, ๐ distinguish ๐๐ฅ๐ฆ from ๐๐ง.
HOW TO SOLVE THE DLOG PROBLEM
In finite fields mod ๐: Brute force (guess ๐ฅ) โ O(๐) Baby-step-giant-step: memory/computation tradeoff;
O( ๐)
Pohlig-Hellman: small factors of ๐; O(log๐ ๐ (log ๐ + ๐))
Pollard-Rho (+PH): O( ๐) for biggest factor ๐ of ๐
NFS, Pollard Lambda, โฆ
Index Calculus: exp( ln ๐1
3 ln(ln(๐))2
3)
Elliptic curves
Generic: best case is BSGS/Pollard-Rho
Some progress on Index-Calculus attacks recently
PARAMETER SIZE VS. SECURITY
Date Sym. RSA
modulus
DLog
Key
DLog
Group
EC
GF(p)
Hash
<2020 100 2048 200 2048 200 200
<2030 128 2048 200 2048 256 256
>2030 128 3072 200 3072 256 256
Date Sym. RSA
modulus
DLog
Key
DLog
Group
EC
GF(p)
Hash
2015 128 2048 224 2048 224 SHA-224+
2016 128 2048 256 2048 256 SHA-256+
<2021 128 3072 256 3072 256 SHA-256+
ANSSI
BSI
PART IV
SECURITY MODELS
IDEAL PROVABLE SECURITY
Given protocol ๐, assumptions ๐ป1, โฆ , ๐ป๐
Proof
under ๐ฏ๐, โฆ ,๐ฏ๐
Real world
using ๐
Ideal
world
โReal Worldโ is hard to describe mathematically
PROVABLE SECURITY
Two-step process:
Real world
using ๐
Modelled world
using ๐
PROVABLE SECURITY
Ideal
world
Modelled
world
Proof
under ๐ฏ๐, โฆ ,๐ฏ๐
COMPONENTS OF SECURITY MODELS
Adversarial ร -priori knowledge & computation:
Who is my adversary? (outsider, malicious party, etc.)
What does my adversary learn?
Adversarial interactions (party-party, adversary-
party, adversary-adversary โ sometimes)
What can my adversary learn
How can my adversary attack?
Adversarial goal (forge signature, find key,
distinguish Alice from Bob)
What does my adversary want to achieve?
GAME-BASED SECURITY
Participants
Adversary ๐ด plays a game against a challenger ๐ถAdversary = attacker(s), has all public information
Challenger = all honest parties, has public
information and secret information
Attack
Oracles: ๐ด makes oracle queries to ๐ถ to learn information
Test: special query by ๐ด to ๐ถ to which ๐ด responds
sometimes followed by more oracle queries
Win/Lose: a bit output by ๐ถ at the end of the game
MEASURING ADVERSARIAL SUCCESS
Winning a game; winning condition:
Depends on relation ๐ on (โ,< game >), with < game > =
full game input (of honest parties and ๐ด )
Finally, ๐ด outputs ๐ฅ, wins if (๐ฅ, < game >) โ ๐
Success probability:
What is the probability that ๐ด โwinsโ the game?
What is the probability measured over? (e.g. randomness
in < game >, sometimes probability space for keys, etc.)
Advantage of Adversary:
How much better is ๐ด than a trivial adversary?
ADVERSARIAL ADVANTAGE
Forgery type games:
๐ด has to output a string of a โlongerโ size
Best trivial attacks: guess the string or guess the key
Advantage:
Adv ๐ด = Prob[๐ด wins the game]
Distinguishability-type games: ๐ด must distinguish between 2 things: left/right,
real/random
Best trivial attacks: guess the bit (probability ฮค1 2)
Advantage (different ways of writing it):
Adv ๐ด = Prob ๐ด wins the game โ ฮค1 2
Adv ๐ด = 2 | Prob ๐ด wins the game โ ฮค1 2 |
SECURITY MODELS โ CONCLUSIONS
Requirements:
Realistic models: capture โrealityโ well, making
proofs meaningful
Precise definitions: allow quantification/classification
of attacks, performance comparisons for schemes,
generic protocol-construction statements
Exact models: require subtlety and finesse in
definitions, in order to formalize slight relaxations of
standard definitions
Provable security is an art, balancing strong security
requirements and security from minimal assumptions
EXAMPLE: PSEUDORANDOMNESS
Perfect confidentiality exists:
Given by the One-Time Pad
๐ โ ๐โ ๐
XOR operation hides plaintext m entirely
Disadvantages:
Need long keys (as long as plaintext)
Have to generate them at every encryption
Generating long randomness:
Use a pseudorandom generator!
PRGS
Principle:
Start from small, truly random bitstring ๐ , generate
large pseudorandom strings
PRG: {0,1}๐โ {0,1}๐, for m โช n
Security (intuitive):
The adversary gets to see many output strings
In practice: PRGs used for randomness in encryption,
signature schemes, key-exchangeโฆ
Adversaryโs goals (examples):
Predict next/former random number
โCancel outโ randomness
SECURE PRGS
Ideally PRG output should look โrandomโ
Formally:
Allow A to see either truly random or PRG output
The adversary wins if it distinguishes them
Security game:
Challenger picks seed of generator (A does not get it)
Challenger chooses a secret bit ๐
A can request random values
If ๐ = 1 then Challenger returns ๐ฅโ${0,1}๐
If ๐ = 0 then Challenger returns ๐ฅ โ PRG(๐ )
A must output a guess bit ๐
Winning condition: A wins iff. ๐ = ๐
THE SECURITY DEFINITION
๐ โ${0,1}๐
๐โ$0,1
๐ โ ๐ด๐บ๐๐๐ (๐, ๐)
๐ด wins iff ๐ = ๐
Success probability is at least ยฝ . Why ?
(๐, ๐)-secure PRG:
A pseudorandom generator PRG is (๐, ๐)-secure if,
and only if, an adversary making at most ๐ queries to
Gen๐ wins w.p. at most 1
2+ ๐
Gen๐()
โข If ๐ = 1, return ๐ฅโ${0,1}๐
โข Else, return ๐ฅ โ PRG(๐ )
PART V
PROOFS OF SECURITY
PROOFS BY REDUCTION
Say we have a primitive P
We make assumptions ๐1, ๐2
Goal: prove that if ๐1, ๐2 hold, then P is secure
Statement: If there exists an adversary ๐ด against P,
then there exists adversaries ๐ต1, ๐ต2 against
assumptions ๐1, ๐2, such that:
Adv ๐ด โค ๐(Adv ๐ต1 , Adv(๐ต2))
Idea: if Adv(๐ด) is significant, then so is at least one of
Adv ๐ต1 , Adv ๐ต2 , breaking at least one assumption
REDUCING SECURITY TO HARD PROBLEM
Hard problem of the form: given Input, find Output
Designed primitive has some game-based definition
โข ๐ด gets to query a challenger ๐ถโข ๐ถ gets to set up the system
โข There is a test phase
โข ๐ด will eventually answer the test and win/lose
Strategy: use ๐ด to construct solver ๐ต for hard problem
โข ๐ต gets Input
โข ๐ต uses Input to run ๐ด on some instance of ๐ดโs game
โข Finally, ๐ต receives ๐ดโs answer to its test
โข ๐ต processes ๐ดโs response into some Output
REDUCTIONS
๐ต = ๐ถ๐ด ๐ดHard Problem
Input
Setup infoGame
setup
Query
ResponseProcess
Request test
Test
Embed
problem
Final responseOutput
CONSTRUCTING A REDUCTION
๐ด acts as a black-box algorithm (we donโt know how it
works in order to win its game)
๐ต can send to ๐ด whatever it wants. However:
We want to bound ๐ตโs winning probability on ๐ดโs
But, ๐ด can only win if the game input is coherent
So ๐ต must simulate coherent input/output to ๐ดโs queries
Also, ๐ต must ultimately solve a hard problem
To produce correct output, ๐ดโs test response must give
๐ต the correct output with very high probability
REDUCTIONS
๐ต = ๐ถ๐ด ๐ดHard Problem
Input
Setup infoGame
setup
Query
ResponseProcess
Request test
Test
Embed
problem
Final responseOutput
Related
REDUCTION TO SECURITY OF COMPONENT
Component also has game-based definition
Designed primitive has some game-based definition
โข ๐ด gets to query a challenger ๐ถโข ๐ถ gets to set up the system
โข There is a test phase
โข ๐ด will eventually answer the test and win/lose
Strategy: use ๐ด to construct solver ๐ต for hard problem
โข ๐ต gets Setup info and can query its challenger
โข ๐ต embeds its game in some instance of ๐ดโs game
โข Finally, ๐ต receives ๐ดโs answer to its test
โข ๐ต processes ๐ดโs response into a test response of its own
REDUCTIONS
๐ต = ๐ถ๐ด ๐ด๐ถ๐ตSetup ๐ตโs
Game Setup ๐ดโs gameInject
setup
Query
ResponseProcess
Request test
Test
Embed
challenge
Final responseReponse
Query
Response
Request test
Test
EXAMPLE: BIGGER PRG
Say we have a secure pseudorandom generator:
๐บsmall: {0,1}๐โ {0,1}๐
We want to construct a bigger PRG:
๐บbig: {0,1}๐โ {0,1}2๐
Instantiating ๐บbig:
Setup: choose ๐ โ${0,1}๐
Evaluation: ๐บbig ๐ โ ๐บsmall ๐ | ๐บsmall(๐ )
Claim: If ๐ฎ๐ฌ๐ฆ๐๐ฅ๐ฅ is secure, then so is ๐ฎ๐๐ข๐
SECURITY OF OUR DESIGN
Statement: For any ๐, ๐big -adversary ๐ด against the
security of ๐บbig, there exists a (2๐, ๐small)-adversary ๐ต
against the security of ๐บsmall such that:
๐big โค ๐small
Both adversaries play the same game:
๐ โ${0,1}๐
๐โ$0,1
๐ โ ๐ด๐บ๐๐๐ (๐, ๐)
๐ด wins iff ๐ = ๐
Gen๐()
โข If ๐ = 1, return ๐ฅโ${0,1}๐
โข Else, return ๐ฅ โ PRG(๐ )
CONSTRUCTING THE REDUCTION
๐ต = ๐ถ๐ด ๐ด๐ถ๐ต
Setup doneSetup done
Query
Guess bit ๐Output ๐
Query Gen๐
๐ โ${0,1}๐
๐โ$0,1
๐ฅ1
โข If ๐ = 1, return ๐ฅโ${0,1}๐
โข Else, return ๐ฅ โ Gsmall(๐ )
Query Gen๐
๐ฅ2 ๐ฅ1 | ๐ฅ2
ANALYSIS OF THE REDUCTION
Number of queries:
For each query, ๐ด expects a 2๐ response, whereas ๐ดonly gets ๐ bits from its challenger
Thus ๐ต needs twice as many queries as ๐ด
Accuracy of ๐ตโs simulation of ๐ถ๐ด In ๐ดโs game if ๐ = 1, ๐ด gets 2๐ truly random bits
And if ๐ = 0, it expects ๐บsmall ๐ | ๐บsmall(๐ )
๐ต queries its own challenger for output
If ๐ถ๐ต drew bit ๐ = 1, it outputs ๐ truly random bits
Else, it outputs ๐บsmall ๐
The simulation is perfect: Pr ๐ต wins = Pr[๐ด wins]
EXERCISES
Why does this proof fail if we have two secure
PRGs: ๐บ1, ๐บ2: {0,1}๐โ {0,1}๐ and we construct
๐บ: {0,1}๐โ {0,1}2๐ as follows:
Setup: choose ๐ โ${0,1}๐
Evaluation: ๐บ ๐ โ ๐บ1 ๐ | ๐บ2(๐ )
Will the proof work if ๐บ ๐ โ ๐บ1 ๐ โ ๐บ2(๐ ) ?