© 2007 IBM Corporation
Cryptography Research Group
2009 Estonian Winter School in Computer Science
March 2009
Provable Security vs. Efficiency in Cryptographic Algorithms
Rosario Gennaro, IBM T.J. Watson Research Center
Cryptography Research Group
Provable Security vs. Efficiency in Cryptographic Algorithms – EWSCS – March 2009 © 2007 IBM Corporation
Cryptography
The science of communication in the presence of an adversary
– Encryption
– Authentication
[Figure: a message in transit with an eavesdropper (“???”), and an authentication exchange: “Hi I am Alice” – “Yeah sure!”]
Unconditional Security?
Cryptography (in practice) cannot achieve unconditional security
– Shannon’s theorem for information-theoretic security
  – To encrypt a message so that it is impossible to retrieve information about it
  – Must use keys longer than the message
– Example: one-time pad
  – Message: n-bit string m
  – Key: n-bit random string k
  – Ciphertext: c = m ⊕ k
  – Alice and Bob need to exchange a huge amount of random data in advance and keep it secret
Change focus
– Instead of trying to make it impossible to break security (gain information about a secret message, impersonate a good party)
– Make it very, very hard
  – Computationally infeasible
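The one-time pad of the previous slide, written out as an added example (this code is not part of the slides). It makes Shannon’s point concrete in two directions: for a fixed ciphertext every same-length plaintext is explained by some key, so the ciphertext carries no information; and the key material cannot be stretched, because two ciphertexts under the same key XOR to the XOR of the two messages. Sample messages below are constructed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(n_bytes: int) -> bytes:
    """A fresh, uniformly random key as long as the message: the cost Shannon's theorem imposes."""
    return secrets.token_bytes(n_bytes)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """c = m XOR k."""
    return xor_bytes(message, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """m = c XOR k (XOR is its own inverse)."""
    return xor_bytes(ciphertext, key)


def key_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy made concrete: for ANY candidate plaintext of the right length there is
    exactly one key under which the ciphertext decrypts to it, so the ciphertext alone says
    nothing about which message was sent."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Why the shared random data must cover ALL traffic: two ciphertexts under the same key
    XOR to m1 XOR m2, with the key cancelled out."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    m = b"attack at dawn"                      # constructed sample message
    k = otp_keygen(len(m))
    c = otp_encrypt(m, k)
    assert otp_decrypt(c, k) == m
    alt = b"retreat at six"                     # any other 14-byte message is equally consistent with c
    assert otp_encrypt(alt, key_explaining(c, alt)) == c
```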
Computational Assumptions
Security holds if
– The adversary does not have the resources to perform a certain computational task T
– The cryptographic scheme used requires the adversary to perform T in order to break security
Modern Theoretical Cryptography
A focus on models, formal definitions and mathematical proofs to construct cryptographic schemes
– Provable security
– Reductionist approach
Four-step process:
– Model: communication channel, computational ability of parties and adversary, what is “legal” and what is not
– Definition: what are we trying to achieve; precisely define security for a specific task (e.g. what is a secure digital signature?)
– Design: find an algorithm to implement the desired cryptographic functionality
– Proof: devise a proof such that if an adversary A
  – in the model specified in (1)
  – breaks security as defined in (2)
  – of the algorithm designed in (3)
  – then we can use A to build a new A’ that solves an assumed computationally hard problem T
– A proof in this approach resembles a complexity-theoretic reduction
Common Cryptographic Tasks
Encryption
– Confidentiality of messages
Authentication
– Message provenance
Key exchange
– A protocol for two parties to share a key so that they can encrypt and authenticate messages to each other
Pseudo-Random Generation
– An algorithm to stretch short random seeds into longer strings that look random
Hashing
– Compress long messages into short digests
– Difficult to find two messages that hash to the same digest
Etc.
Common Cryptographic Assumptions
Discrete logarithm [DH76]
– A cyclic group G of order q generated by g
– Choose x at random in Z_q and compute y = g^x
– Given G, g, y find x
Diffie-Hellman Problem
– Given g^a, g^b (for a, b random in Z_q) compute (or decide) g^{ab}
Factoring [RSA78]
– Choose two primes p, q and compute N = pq
– Given N find p, q
RSA
– Compute e-th roots modulo N
– Given a random y in Z_N^* find x such that x^e = y mod N
General Cryptographic Assumptions
Try to capture the essence of computational hardness:
One-way function
– f : {0,1}^n → {0,1}^n
– Choose x at random and compute y = f(x)
– Given f and y compute x
Trapdoor variation
– It is possible to invert f if a short trapdoor is known
A Picture Is Worth 1,000 Words
[Figure: a crypto algorithm built on top of a one-way function, beside a simulated crypto algorithm used as a subroutine to invert the one-way function: given y = f(x), recover x]
The Good And The Bad
Theoretically, cryptography has been very successful
– The 70s revolutionized the field
– In the 80s and 90s the field matured
– For almost any problem we have a provably secure solution based on minimal computational assumptions
Practically, not so much
– Theoretical solutions are very inefficient
– For many problems all we have are “proofs of concept”
– In practice empirical (not provably secure) solutions are used
This series of lectures will explore this problem
– Will try to understand the reasons behind this phenomenon
– Will explore ways to get around it
Case Study: Pseudo-Random Generation
Model:
– Parties are computationally bounded
  – Polynomial time
Definition
– A pseudorandom generator G is a deterministic algorithm
  – Input: an n-bit string s (the seed)
  – Output: an (n+k)-bit string G(s)
– The distribution G(s) for s random is computationally indistinguishable from the uniform distribution over (n+k)-bit strings
  – For every polynomial-time adversary A
  – Prob_s[A(G(s)) = 1] ≈ Prob_y[A(y) = 1]
Pseudo-Random Generation: Construction
Let f : {0,1}^n → {0,1}^n be a OWP
A predicate b : {0,1}^n → {0,1} is hard-core for f if
– Given y = f(x) it is infeasible to guess b(x) with probability better than ½
– [GL89] Every OWP has a HCP
  – b(x) = <r, x> (inner product mod 2) for a random n-bit string r
[BMY82] Pseudo-random generator
– Given an n-bit random seed x_0
– Compute x_i = f(x_{i-1}) and b_i = b(x_i)
– Output b_0 … b_{k-1} x_k
Proof: if f is a OWP then the PRG is secure
[Figure: PRG input x_0; each step applies f to x_i to obtain x_{i+1} = f(x_i) and extracts the bit b_i]
Lecture 2
Pseudo-Random Generation: Construction
Let f : {0,1}^n → {0,1}^n be a OWP
A predicate b : {0,1}^n → {0,1} is hard-core for f if
– Given y = f(x) it is infeasible to guess b(x) with probability better than ½
– Every OWP has a HCP
[BMY82] Pseudo-random generator
– Given an n-bit random seed x_0
– Compute x_i = f(x_{i-1}) and b_i = b(x_i)
– Output b_0 … b_{k-1} x_k
Proof: if f is a OWP then the PRG is secure
Efficiency: one invocation of f for each pseudo-random bit
[Figure: PRG input x_0; each step applies f to x_i to obtain x_{i+1} = f(x_i) and extracts the bit b_i]
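The [BMY82] generator with the [GL89] hard-core bit, as an added example that is not code from the slides. The one-way permutation f is a toy RSA permutation on constructed, insecure parameters (N = 61·53, e = 17); the PRG uses f purely as an oracle, and the invocation counter makes the efficiency line visible: exactly one call to f per output bit, with the final x_k appended. The trapdoor exponent exists only to check that f really is a bijection.

```python
from math import gcd

# Constructed toy parameters: x -> x^e mod N permutes Z_N^* because gcd(e, phi(N)) = 1.
# Real deployments use ~2048-bit N; only the PRG structure matters here.
TOY_N = 3233                      # 61 * 53
TOY_E = 17
TOY_D = pow(TOY_E, -1, 60 * 52)   # trapdoor, used only to verify that f is a permutation
N_BITS = TOY_N.bit_length()       # 12: the "n" of f : {0,1}^n -> {0,1}^n (domain is Z_N^*, a toy approximation)


def f(x: int) -> int:
    """The one-way permutation; the PRG below uses it strictly as a black box."""
    return pow(x, TOY_E, TOY_N)


def f_inverse(y: int) -> int:
    """Trapdoor inverse, present only to demonstrate that f is a bijection."""
    return pow(y, TOY_D, TOY_N)


def goldreich_levin_bit(r: int, x: int) -> int:
    """[GL89] hard-core predicate b(x) = <r, x> mod 2: parity of the bitwise AND of r and x."""
    return bin(r & x).count("1") & 1


def bmy_prg(x0: int, r: int, k: int):
    """[BMY82]: x_i = f(x_{i-1}), b_i = b(x_i); output b_0 ... b_{k-1} followed by x_k as n bits.
    The seed is x0 (the GL string r is public). Returns (output bits, number of f invocations)."""
    if gcd(x0, TOY_N) != 1:
        raise ValueError("seed must lie in Z_N^*")
    bits, invocations, x = [], 0, x0
    for _ in range(k):
        bits.append(goldreich_levin_bit(r, x))   # b_i = b(x_i)
        x = f(x)                                  # x_{i+1} = f(x_i): one invocation per output bit
        invocations += 1
    tail = [(x >> j) & 1 for j in range(N_BITS - 1, -1, -1)]   # x_k, most significant bit first
    return bits + tail, invocations


if __name__ == "__main__":
    out, calls = bmy_prg(1234, 0b101101101101, 20)   # constructed seed and GL string
    print(f"{len(out)} output bits from a {N_BITS}-bit seed using {calls} calls to f")
```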
Improving PRGs: Large Hard-Core Functions
Let f : {0,1}^n → {0,1}^n be a OWP
A function h : {0,1}^n → {0,1}^m is hard-core for f if
– Given y = f(x) the string h(x) is indistinguishable from an m-bit random string
Improving the [BMY82] PRG
– Given an n-bit random seed x_0
– Compute x_i = f(x_{i-1}) and h_i = h(x_i)
– Output h_0 … h_{k-1} x_k
– One invocation of f yields m pseudo-random bits
Are there OWPs with large hard-core functions?
– Not in general
– The GL proof can be extended to O(log n) bits
[Figure: PRG input x_0; each step computes x_{i+1} = f(x_i) and extracts the m-bit block h_i]
A note about the construction
The PRG algorithm only uses f as an oracle
– Does not care about how f works
[Figure: the PRG treats f as a black box: it feeds in x_i and receives x_{i+1} = f(x_i) and the bit b_i]
A note about the proof
The proof uses the adversary only as an oracle
– Does not care how A works
[Figure: the simulated crypto algorithm runs the PRG adversary as a black box in order to invert f: given y = f(x), recover x]
Black-Box Constructions
[Figure: as before, a crypto algorithm built on a one-way function and a simulated crypto algorithm inverting it: given y = f(x), find x]
Only input/output access
– We know nothing about how the black box operates
Why Black-Box Constructions [IR89]
Generic
– Work for any one-way function
Focus on the computational hardness of the assumptions
– Does not use other special properties
  – E.g. homomorphic properties
Focus on the existence of a successful adversary
– Does not care how the adversary works
– A single simulator for any adversary (with oracle access)
  – rather than a different simulator for every adversary
Conceptually simple and elegant
– Many constructions are black-box
Impossibility Results
[IR89] introduces black-box constructions to prove that key exchange cannot be based on one-way permutations
– A black-box reduction from the security of key exchange to one-way permutations is very unlikely
  – It must contain a proof that P ≠ NP
[Sim98] proves the impossibility of black-box constructions of full collision-resistant hashing based on one-way permutations
Lower Bounds
[KSS99] Prove a lower bound on the efficiency of black-box constructions for target collision-resistant hashing based on one-way permutations
– If the hash function compresses k bits it must invoke the OWP Ω(k^{1/2}) times
– Upper bound [NY89] is O(k)
[GT00] Tight lower bounds for black-box constructions of TCR hashing and pseudo-random generation based on OWP
– If the hash function compresses k bits it must invoke the OWP Ω(k) times
– If the pseudo-random generator stretches the seed by k bits it must invoke the OWP Ω(k) times
– Matching upper bound [BMY82] of O(k)
[GGK03] Tight lower bounds for black-box constructions of encryption and signatures
– Encrypting k bits requires Ω(k) invocations of a trapdoor permutation
– Verifying the signature on a k-bit message requires Ω(k) invocations of a OWP
– Matching known upper bounds [GM84, NY88]
[HHRS07] Tight lower bound on the round complexity of black-box constructions of statistically-hiding commitments based on OWP
Pseudo-Random Generation: Lower Bound
Black-box access
– The PRG construction does not care about the details of f
– Only input/output
We can replace f with a random permutation
– Think of it as an oracle which answers each query with a random string
– Adjusted for consistency and for a permutation
If a random permutation is one-way then the construction must still be secure
[Figure: the PRG queries a random-function oracle f with x_i and receives x_{i+1} = f(x_i), extracting the bit b_i]
Technical Theorem [IR89,GT00]
If f is a random permutation over n-bit strings
– A circuit to invert it must have size Ω(2^{n/c})
Intuition
– Because the function is random
– The circuit, given y, will find x only if it queries x
[GT00] proof uses a Kolmogorov-complexity approach
– Show that if a circuit of size S inverts a permutation
– Then the permutation can be described very succinctly
– Only a few can be inverted
Corollary:
– To achieve security against an adversary of size S
– It is sufficient to choose n = c log S
[Figure: a circuit of size Ω(2^{n/c}) queries the random-function oracle with x_i and receives y_i = f(x_i), trying to recover x from y = f(x)]
Proof (Intuition) of Technical Theorem [GT00]
LEMMA
– Let A be a circuit that
  – Makes at most q queries to an n-bit permutation π
  – Prob_x[A(π(x)) = x] > ε
– Then π has a short description: of size
  – K = 2 log (2^n choose a) + log ((2^n – a)!)
  – Where a = ε 2^n / (q+1)
Lemma yields the Theorem
– If A has size < 2^{n/5} and ε = 2^{-n/5} then only a tiny fraction of the permutations π can be inverted (< 2^{-n})
Proof of the Lemma
– Build a set Y ⊆ { y : A(y) = π^{-1}(y) }
  – |Y| > ε 2^n / (q+1) = a
– The permutation π is defined by Y, X = π^{-1}(Y) and the value of π on {0,1}^n \ X
  – Therefore π has a description of size K
– The set X is computed by running A on each element y of Y
  – Making sure that when computing A(y) all the queries of A to π are already defined
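How the lemma yields the "tiny fraction" of the theorem, worked through as an added derivation (it is not on the slides; only the slide's notation K, a, q, ε, n is used, plus the standard bounds (M choose a) ≤ (eM/a)^a and log M! – log (M–a)! ≥ a log(M–a), with M = 2^n). Descriptions of at most K bits describe at most 2^{K+1} permutations, so:

```latex
\text{fraction of } \pi \text{ inverted by } A \;\le\; \frac{2^{K+1}}{(2^n)!} \;=\; 2^{\,K+1-\log (2^n)!}
\qquad\text{and}\qquad
K - \log (2^n)! \;=\; 2\log\binom{2^n}{a} - \big(\log (2^n)! - \log (2^n-a)!\big).

\text{For } a \le 2^{n-1}:\quad
2\log\binom{2^n}{a} \le 2a\,(n - \log a + \log e),\qquad
\log (2^n)! - \log (2^n-a)! \ge a\log(2^n - a) \ge a\,(n-1),

\text{so}\qquad K - \log (2^n)! \;\le\; a\,\big(n - 2\log a + 2\log e + 1\big).

\text{With } |A| < 2^{n/5} \text{ (hence } q+1 \le 2^{n/5}\text{) and } \varepsilon = 2^{-n/5}:\quad
a = \frac{\varepsilon\, 2^n}{q+1} \;\ge\; 2^{3n/5},\qquad \log a \ge \tfrac{3n}{5},

K + 1 - \log (2^n)! \;\le\; 1 - 2^{3n/5}\Big(\tfrac{n}{5} - 2\log e - 1\Big)
\;\le\; 1 - 2^{3n/5}\Big(\tfrac{n}{5} - 3.9\Big) \;<\; -n \qquad (n \ge 20).
```

So the fraction of permutations that a circuit of size below 2^{n/5} inverts with probability above 2^{-n/5} is below 2^{-n}, which is the bound quoted on the slide; the same shape of calculation with general c gives the Ω(2^{n/c}) of the theorem.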
Pseudo-Random Generation: Lower Bound [GT00]
Assume we want security against adversaries of size S
– Can use a random permutation over n = c log S bits
PRG takes a t-bit seed and outputs t+k bits
– Assume it makes q < k/n queries to the permutation
Consider PRG’ that does not access the random permutation
– It takes a (t+qn)-bit seed
– Uses the first t bits to run PRG
– For each query uses n bits from the rest of the seed
– Outputs whatever PRG outputs
– It’s a generator as the output is longer than the seed: t+k > t+qn
[Figure: PRG with a t-bit seed and a (t+k)-bit output querying the random permutation; PRG’ with a (t+qn)-bit seed and the same (t+k)-bit output, the extra qn bits standing in for the oracle answers]
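The two mechanical pieces of this argument, as an added example (not code from the slides): a lazily sampled random permutation oracle, answering each fresh query with a random string "adjusted for consistency and for a permutation" and counting queries, and the PRG → PRG’ transformation that replaces the q oracle answers with qn extra seed bits. The oracle-using PRG it is applied to is a hypothetical stand-in, constructed for the illustration and not secure; it just has the shape the slide assumes (t-bit seed, q distinct queries, k > qn bits of stretch). The demo checks that PRG’ reproduces PRG’s output with zero oracle use, and `is_generator` expresses the t+k > t+qn condition.

```python
import random
import secrets


class LazyRandomPermutation:
    """Oracle for a random permutation of {0,1}^n, sampled on demand: a repeated query gets
    its earlier answer (consistency) and no two distinct queries share an answer (permutation).
    It also counts queries, the resource the lower bound is about. rng_seed=None uses OS
    randomness; a fixed seed makes a run reproducible."""

    def __init__(self, n: int, rng_seed=None):
        self.n = n
        self.randbits = secrets.randbits if rng_seed is None else random.Random(rng_seed).getrandbits
        self.table = {}      # query -> answer
        self.used = set()    # answers already handed out
        self.queries = 0

    def __call__(self, x: int) -> int:
        if not 0 <= x < (1 << self.n):
            raise ValueError("query outside {0,1}^n")
        self.queries += 1
        if x not in self.table:
            y = self.randbits(self.n)
            while y in self.used:            # resample until injective
                y = self.randbits(self.n)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def toy_oracle_prg(seed: int, oracle, t: int, n: int, q: int) -> int:
    """Hypothetical stand-in for 'a PRG with a t-bit seed that makes q oracle queries'
    (constructed for this illustration; NOT secure). It asks q distinct n-bit queries derived
    from the seed and outputs seed || y_0 ... y_{q-1} || y_0: k = (q+1)n bits of stretch
    with q < k/n queries, the regime the slide's argument covers."""
    if q < 1:
        raise ValueError("this toy needs at least one query")
    mask_n = (1 << n) - 1
    out, answers = seed, []
    for i in range(q):
        answers.append(oracle((seed + i) & mask_n))   # distinct queries for i < 2^n
        out = (out << n) | answers[-1]
    return (out << n) | answers[0]


def derandomized_prg(seed_prime: int, t: int, n: int, q: int) -> int:
    """PRG' of the slide: a (t + q*n)-bit seed; the first t bits drive PRG and the i-th oracle
    query is answered with the i-th n-bit chunk of the remaining q*n bits. The real
    permutation is never consulted."""
    mask_n = (1 << n) - 1
    seed = seed_prime >> (q * n)
    chunks = [(seed_prime >> (n * (q - 1 - i))) & mask_n for i in range(q)]
    answered = iter(chunks)
    return toy_oracle_prg(seed, lambda _x: next(answered), t, n, q)


def is_generator(t: int, n: int, q: int, k: int) -> bool:
    """PRG' stretches exactly when its (t+k)-bit output is longer than its (t+q*n)-bit seed."""
    return t + k > t + q * n


def demo(t: int = 16, n: int = 8, q: int = 3, rng_seed: int = 1) -> dict:
    """Run PRG against the random permutation, then PRG' on the seed extended with those same
    q answers: identical output, no oracle use, and a net stretch of k - q*n bits."""
    f = LazyRandomPermutation(n, rng_seed)
    seed = random.Random(rng_seed + 1).getrandbits(t)        # constructed t-bit seed
    out = toy_oracle_prg(seed, f, t, n, q)
    extra = 0
    for i in range(q):                                       # the answers PRG received, in query order
        extra = (extra << n) | f.table[(seed + i) & ((1 << n) - 1)]
    out_prime = derandomized_prg((seed << (q * n)) | extra, t, n, q)
    k = (q + 1) * n
    return {"queries": f.queries, "same_output": out == out_prime,
            "stretches": is_generator(t, n, q, k), "net_stretch_bits": k - q * n}


if __name__ == "__main__":
    print(demo())
```

The contradiction on the next slide is visible in `is_generator`: once q reaches k/n, PRG’ no longer stretches, so a PRG that makes fewer queries than that would hand us an oracle-free generator.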
The “Contradiction”
If a PRG makes too few queries
– Then there exist PRGs that make no queries at all!
The existence of a PRG with a small number of queries implies the unconditional existence of PRGs
– Among other things this implies that OWF exist
  – P ≠ NP
Inherent Inefficiency
If limited to black-box constructions
– Relying simply on computational hardness
Then we must invoke the OWP many times
– The invocation of the underlying crypto primitive is usually the most expensive part
  – E.g. modular exponentiations
Use a fast OWP
– BBS generator
  – OWP is f(x) = x^2 mod N
  – Rate of PRG is 1 bit per modular multiplication
Lecture 3
Types of Black-Box Constructions
[Figure: the one-way function / crypto algorithm / simulated crypto algorithm diagram (given y = f(x), find x), annotated with the three flavours of black-box construction]
– Fully Black-Box
– Semi Black-Box
– Weakly Black-Box
Non black-box constructions?
Can we use the algebraic properties of the underlying OWP?
– Unfortunately, for both discrete log and RSA we know of no way of using their properties
RSA and Discrete Log have hard-core bits
– Either the generic GL bit or some well-specified bits of the input
– The usual trick can extend it to an O(log n)-size hard-core function
We do not know how to use the special properties of these functions to get larger hard-core functions
– The best PRGs follow the same structure as the black-box one
Discrete Logarithm
Consider the case of discrete log
– A cyclic group G of order q generated by g
– Choose x at random in Z_q and compute y = g^x
– Given G, g, y find x
– Conjectured hard problem
Discrete log has a hard-core predicate
– The generic GL hard-core bit
– If q is prime the LSB(x) is hard-core
Tweak The Computational Assumption
Consider the following variation of the discrete log assumption
– Choose x at random in [1..B] and compute y = g^x
– Discrete Log with Short Exponents (DLSE)
– Let n = |q|, k = |B| and m = n – k
– Typically n ~ 1024, k ~ 160
[PS98]
– Assume that DLSE is hard
– Choose x at random in Z_q, compute y = g^x
– Then LSB_m(x) is a hard-core function for discrete log
  – m pseudo-random bits per modular exponentiation
– Forgetting about asymptotics for a minute
  – 860 bits per modular exponentiation (~1500 modular multiplications)
  – Still not as good as BBS
Twist The Paradigm [G00]
Assume the DLSE is hard
Choose x at random in [1..B]
– The value y = g^x is computationally indistinguishable from a random value in G
– Yields immediately a PRG from k bits to n bits
m pseudo-random bits per exponentiation with a small exponent
– 860 bits per 240 multiplications
– Better than BBS
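The two generators compared on the slides, the BBS generator of the "Inherent Inefficiency" slide and the short-exponent generator of this one, as an added example (not code from the slides or from [G00]) measured in the cost unit the slides use, modular multiplications per output bit. Parameters are constructed toys (N = 1019·1039 with both primes 3 mod 4; the group Z_p^* for the Mersenne prime p = 2^127 – 1 with 20-bit exponents instead of the slide's ~1024-bit group and 160-bit exponents) and the exponent in `compare` is a constructed value. BBS costs one squaring per bit; the short-exponent generator costs k squarings plus one multiply per set bit of x for |p| output bits, which is where the slide's 240 multiplications for a 160-bit exponent come from.

```python
class ModMulCounter:
    """Modular multiplication with a counter, so both generators are charged the same way."""

    def __init__(self, modulus: int):
        self.modulus = modulus
        self.count = 0

    def mul(self, a: int, b: int) -> int:
        self.count += 1
        return (a * b) % self.modulus


# Constructed toy parameters (far too small to be secure).
BBS_N = 1019 * 1039            # Blum integer: both primes are 3 mod 4, as BBS requires
DL_P = (1 << 127) - 1          # Mersenne prime; the toy group is Z_p^*
DL_G = 3
DL_K = 20                      # short-exponent length k (slides: 160)


def bbs_bits(seed: int, nbits: int):
    """BBS: x_{i+1} = x_i^2 mod N, output LSB(x_{i+1}). One squaring per bit, so the
    rate is exactly 1 bit per modular multiplication. Returns (bits, multiplications)."""
    ctr = ModMulCounter(BBS_N)
    x = seed % BBS_N
    bits = []
    for _ in range(nbits):
        x = ctr.mul(x, x)
        bits.append(x & 1)
    return bits, ctr.count


def short_exponent_prg(x: int, k: int = DL_K):
    """[G00] shape: with x a random k-bit exponent, y = g^x is (under DLSE) indistinguishable
    from a random group element, so the k-bit seed stretches to the |p|-bit string y.
    Right-to-left square-and-multiply: k squarings plus one multiply per set bit of x.
    Returns (y, multiplications)."""
    if not 0 <= x < (1 << k):
        raise ValueError("exponent must be a k-bit value")
    ctr = ModMulCounter(DL_P)
    y, base = 1, DL_G
    for i in range(k):
        if (x >> i) & 1:
            y = ctr.mul(y, base)      # multiply in g^(2^i)
        base = ctr.mul(base, base)    # square
    return y, ctr.count


def bits_per_multiplication(nbits: int, mults: int) -> float:
    """The slides' efficiency measure."""
    return nbits / mults


def compare(x: int = 0xB38F0, nbits: int = 127) -> dict:
    """Cost of `nbits` output bits each way; x is a constructed 20-bit exponent."""
    _, bbs_cost = bbs_bits(123456, nbits)
    _, dl_cost = short_exponent_prg(x)
    return {"bbs_bits_per_mul": bits_per_multiplication(nbits, bbs_cost),
            "dlse_bits_per_mul": bits_per_multiplication(DL_P.bit_length(), dl_cost)}


if __name__ == "__main__":
    print(compare())
    print("slide figures:", bits_per_multiplication(860, 1500), "([PS98]) vs",
          bits_per_multiplication(860, 240), "([G00])")
```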
A Win-Win Situation?
Use specific properties of the underlying primitive to improve efficiency
– If not possible for the original primitive
– Understand what you need from the primitive and tweak the assumption to get better efficiency under this “tweak”
Can we trust these “tweaked” assumptions?
– They must be chosen with care
– Analyzed thoroughly
– Must not be “too far” from the original assumption
If the assumption is true we get better schemes
– Consider the efficiency of the reduction and the potential “security loss” of the assumption
If the assumption turns out to be false we learn something new about a computationally hard problem
– An efficient algorithm to solve the DLSE problem would give great insight into the mathematics of the general discrete log problem
I asked whether a similar trick could be pulled on RSA/Factoring
– [SPW] show that if we assume that factoring is hard when k bits of p, q are known
– Then BBS can be implemented with k bits per iteration
Some interesting questions
Better lower bounds for one-way functions?
– Clearly our OWP lower bounds apply to OWF as well
– But in this case they are not tight anymore
– The complexity of OWF constructions is usually much higher
Lower bounds for other measures of efficiency
– Protocol round complexity [HHRS07]
– Domain expansion for TCR hashing?
  – h_a : {0,1}^n → {0,1}^{n-k}
  – Known constructions to expand the domain to mn bits require log m keys
  – Is that optimal?
There are constructions which are not black-box yet are “generic”
– E.g. the construction of chosen-ciphertext secure encryption from any trapdoor permutation [DDN01]
  – The construction uses the circuit of the TP
  – By definition not black-box anymore
– Can we say something interesting about this type of construction? Lower bounds? Impossibility results?
– Is key exchange from OWP impossible even for this type of construction?
Thank you for your attention!