1

Provable Security
Sebastian Faust, Ruhr-Universität Bochum, Germany

2

Cryptography in the past ≈ securing communication

Alice and Bob agree on a secret key k. Alice encrypts, C := Enc(k, m), and sends C; Bob decrypts, m := Dec(k, C). The adversary sees C but learns nothing about m.

Modern cryptography: much more than encryption…

From the seventies until now: public-key cryptography, key agreement, signature schemes, zero-knowledge, multiparty computation, mental poker, e-cash, electronic voting, electronic auctions.

3

How to analyze security?

One approach: analyze the security with respect to one attack.
But: the adversary may find a new attack. This resembles a cat-and-mouse game:
Cryptoscheme 1 is secure against attack 1 → someone finds a new attack → fix the new attack → Cryptoscheme 2 is secure against the new attack → …

Goal of modern cryptography: hopefully stop the cat-and-mouse game!
Show security against broad classes of adversaries. One important tool: security proofs.

Why security proofs?

4

In many areas of computer science “proofs” are not essential: e.g., instead of proving that an algorithm is efficient, one just simulates its behavior on “typical” inputs.

In cryptography this is not true. Why? The notion of a “typical adversary” makes little sense: an adversary is not bound to any input distribution we happen to consider typical.

Proofs are useful! How does it work?

5

Provable Security

1. Security definition: what security property shall the scheme achieve?

Example: message m and key K go into Encrypt, which outputs a ciphertext. The ciphertext shall “hide” the message.

6

Provable Security

1. Security definition: what security property shall the scheme achieve?
2. Assumptions: what assumptions are needed for security?
3. Proof: prove that the scheme satisfies the definition if the assumption holds.

If the assumption holds, the crypto scheme is secure against any attack within the model!
This shows: the only way to break the scheme is to break the assumption.

Really any attack? Only
• if the assumption holds, and
• if the attack is in the model.

7

Why definitions?

• We need to know what we want in order to achieve it.
• Coming up with the right definition is non-trivial.
• Allows us to compare schemes: some definitions may be stronger than others.
• Allows for proofs: a security proof is only meaningful with respect to a definition.

Next: an example for public-key encryption.

8

Public key encryption (PKE)

• A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec):
• Gen is a randomized key-generation algorithm that takes as input a security parameter 1^n and outputs a key pair (pk, sk).
• Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c.
• Dec is a decryption algorithm that takes as input the private key sk and a ciphertext c, and outputs a message m’.

Alice knows pk, Bob knows sk. Alice computes c := Enc(pk, m) and sends c; Bob computes Dec(sk, c).

Correctness: Dec(sk, Enc(pk, m)) = m.

9

How to define security

Alice knows pk, Bob knows sk; Alice sends c := Enc(pk, m), Bob computes Dec(sk, c).

1. The threat model: describes what the adversary can see and do.
The adversary knows pk and sees c, but has no knowledge about sk!

2. The security goal: what does it mean to break the scheme?

10

What is the security goal?

The adversary knows pk, sees c := Enc_pk(m) and outputs a guess for m.

Attempt 1: the adversary cannot compute m. (Informal: the adversary does not learn m.)

Q: Is this sufficient? A: No!
Consider a scheme whose ciphertext Enc(pk, m) reveals the first half of the message, m_1 … m_{|m|/2}, and hides the rest. The adversary does not learn the entire m, but would you consider this scheme secure?

Too weak a security guarantee!

11

What is the security goal?

Attempt 2: the adversary learns nothing about m.

But the adversary may already know something about m. Example: the adversary knows that
m := “I love you” with prob. 0.5, “I don’t love you” with prob. 0.5.
So it is not necessary to see c := Enc_pk(m) to know “something” about m.

Too strong a security guarantee: unachievable!

12

What is the security goal?

Attempt 3: the adversary learns nothing new about m.

Before seeing the ciphertext, the adversary knows that
m := “I love you” with prob. 0.5, “I don’t love you” with prob. 0.5.
After seeing pk and c := Enc_pk(m), the adversary still knows only that
m := “I love you” with prob. 0.5, “I don’t love you” with prob. 0.5.

Makes sense. How to formalize it?

13

The semantic security game

Security parameter 1^n. Adversary ⟷ Challenger:
1. The challenger generates challenge keys (pk, sk) = Gen(1^n) and sends pk to the adversary.
2. The adversary chooses two messages m0 and m1 and sends them to the challenger.
3. The challenger flips a challenge bit b ∈ {0,1}, encrypts c = Enc_pk(mb) and sends c.

Before seeing c, the adversary knows that b = 0 with prob. 0.5 and b = 1 with prob. 0.5.

14

The semantic security game

(Same game: (pk, sk) = Gen(1^n); the adversary chooses m0 and m1; the challenger flips b ∈ {0,1} and sends c = Enc_pk(mb).)

After seeing c, the adversary should still know only that b = 0 with prob. 0.5 and b = 1 with prob. 0.5.

We want: the adversary cannot guess the bit b after seeing c. How to formalize?

15

The semantic security game

(Same game, with one more step.)
4. The adversary outputs a bit b’.

We want: Pr[b = b’] ≤ 0.5 + ε.

The adversary can always guess correctly with prob. 0.5 (flip a coin). ε := the advantage of the adversary; it must be “very small”!

16

A subtlety of the definition…

Consider the following adversary: it receives pk and chooses messages m0 and m1 of different length. The challenger flips b ∈ {0,1} and sends c.

Case 1: b = 0, c = Enc(pk, m0): the ciphertext has the length that corresponds to m0, so the adversary outputs b’ = 0.
Case 2: b = 1, c = Enc(pk, m1): the ciphertext has the length that corresponds to m1, so the adversary outputs b’ = 1.

Because the ciphertext length depends on the message length, this adversary always wins: Pr[b = b’] = 1.

We need: |m0| = |m1|.

17

The semantic security game

Security parameter 1^n.
1. The challenger generates challenge keys (pk, sk) = Gen(1^n) and sends pk.
2. The adversary chooses m0, m1 s.t. |m0| = |m1|.
3. The challenger flips a challenge bit b ∈ {0,1} and sends c = Enc_pk(mb).
4. The adversary outputs a bit b’.

We want: Pr[b = b’] ≤ 0.5 + “small”.
Informally this means: “learn nothing new from c about m except its length”.

18

Example: Textbook RSA

RSA = (Gen, Enc, Dec):

Key generation Gen(1^n) → (pk, sk):
- N = pq, where p, q are primes s.t. |p| = |q| = n
- φ(N) = (p−1)(q−1)
- e is coprime to φ(N)
- d is s.t. ed = 1 (mod φ(N))
- pk = (N, e), sk = (N, d)

Encryption Enc_pk(m) for m ∈ Z_N^*: c := m^e mod N

Decryption Dec_sk(c): m’ := c^d mod N

Correctness: c^d mod N = m^{ed} mod N = m^{ed mod φ(N)} mod N = m mod N.

19

Textbook RSA semantically secure?

1. Generate challenge keys (pk, sk) = ((N, e), (N, d)); send pk.
2. The adversary chooses m0, m1 ∈ Z_N^*.
3. Flip the challenge bit b ∈ {0,1} and send c = (mb)^e mod N.
4. The adversary outputs a bit b’.

How can the adversary win the game?
1. He just chooses any m0 ≠ m1,
2. computes c0 = (m0)^e mod N and c1 = (m1)^e mod N himself, using the public key,
3. if c = c0 outputs b’ = 0; otherwise b’ = 1.

The adversary wins with Pr[b = b’] = 1.

What is the problem? Encryption is deterministic!
Take-home message: encryption has to be randomized.
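The scheme and the game of the last slides, as an added example that is not part of the talk: textbook RSA as (Gen, Enc, Dec), the semantic security game, and the re-encrypting adversary of the slide above, which wins every run because Enc is deterministic. The m||r encoding of the next slide is included as rsa_enc_randomized so the same adversary can be run against it. Key sizes, message values and the 16-bit r are toy choices made here, not the talk's parameters.

```python
"""Added example, not from the slides: textbook RSA as the triple (Gen, Enc, Dec),
the semantic-security game of the talk, and the adversary of slide 19 that wins
with probability 1 because Enc is deterministic. Slide 20's m||r fix is included
as rsa_enc_randomized. Toy key sizes; for illustration only."""
import secrets
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; error probability at most 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p


def rsa_gen(n):
    """Gen(1^n): N = pq with |p| = |q| = n, e coprime to phi(N), d = e^-1 mod phi(N)."""
    p, q = random_prime(n), random_prime(n)
    while q == p:
        q = random_prime(n)
    N, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while gcd(e, phi) != 1:
        e += 2
    return (N, e), (N, pow(e, -1, phi))


def rsa_enc(pk, m):
    """Enc_pk(m) = m^e mod N for m in Z_N^*. No randomness: the flaw of slide 19."""
    N, e = pk
    assert 0 < m < N and gcd(m, N) == 1
    return pow(m, e, N)


def rsa_dec(sk, c):
    """Dec_sk(c) = c^d mod N."""
    N, d = sk
    return pow(c, d, N)


RBITS = 16   # bits of randomness appended by the m||r encoding (toy value)


def rsa_enc_randomized(pk, m):
    """Slide 20: Enc(m; r) = (m||r)^e mod N with fresh r on every call."""
    return rsa_enc(pk, (m << RBITS) | secrets.randbits(RBITS))


def rsa_dec_randomized(sk, c):
    """Apply the RSA inverse, then strip the r part again."""
    return rsa_dec(sk, c) >> RBITS


def semantic_security_game(gen, enc, adversary, n):
    """One run of the game of slide 17; True iff the adversary's b' equals b."""
    pk, sk = gen(n)
    m0, m1 = adversary.choose(pk)
    assert m0 != m1 and m0.bit_length() == m1.bit_length()   # |m0| = |m1|
    b = secrets.randbits(1)                                   # challenge bit
    c = enc(pk, (m0, m1)[b])
    return adversary.guess(pk, c) == b


class ReencryptingAdversary:
    """Slide 19: encrypt m0 with the public key yourself and compare with c."""
    def __init__(self, enc):
        self.enc = enc

    def choose(self, pk):
        return 2, 3                    # both 2 bits long, both in Z_N^*

    def guess(self, pk, c):
        return 0 if c == self.enc(pk, 2) else 1


def win_rate(enc, trials=20, n=48):
    """Fraction of game runs the re-encrypting adversary wins against `enc`."""
    adv = ReencryptingAdversary(enc)
    return sum(semantic_security_game(rsa_gen, enc, adv, n) for _ in range(trials)) / trials
```

win_rate(rsa_enc) is 1.0 on every run, while win_rate(rsa_enc_randomized) hovers around 0.5: once the ciphertext depends on fresh randomness the adversary's own encryption of m0 no longer matches the challenge, so its comparison tells it nothing about b.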

20

Randomized RSA encoding

Idea: before encrypting a message we usually encode it (adding some randomness):
Enc_(N,e)(m; r) := (m || r)^e mod N

Advantage: makes encryption non-deterministic and prevents the previous attacker.

This idea is used in real life: RSA-OAEP in the PKCS #1 encryption standard.

21

RSA-OAEP

How to encrypt? Take the message m, compute the randomized Encoding(m; r), and apply the RSA function: RSA(Encoding(m; r)).

22

RSA-OAEP

How to decrypt? Given the ciphertext y, compute RSA^{-1}(y) = Encoding(m; r), check if the encoding is valid, and output m.
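The encode and decode steps of the two slides above, as an added example that is not code from the talk: the EME-OAEP encoding of PKCS #1 v2 built on SHA-256 and MGF1, i.e. the randomized Encoding(m; r) that goes into the RSA function and the validity check that runs on the output of RSA^{-1}. The RSA exponentiation itself is left out so the block stands alone; k (the modulus length in bytes) and the messages are values chosen here.

```python
"""Added example, not from the slides: the EME-OAEP encoding of PKCS #1 v2
(RSA-OAEP), i.e. the randomized Encoding(m; r) applied before the RSA
function and the validity check applied after RSA^-1. The RSA step itself is
left out; k is the modulus length in bytes (128 for a 1024-bit N)."""
import hashlib
import os
from typing import Optional

HLEN = hashlib.sha256().digest_size   # hash output length: 32 bytes


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (PKCS #1, B.2.1) over SHA-256: concatenate H(seed || counter) blocks."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m: bytes, k: int, seed: Optional[bytes] = None, label: bytes = b"") -> bytes:
    """Encoding(m; r): the k-byte block EM the RSA function is applied to.
    `seed` is the randomness r; a fresh one is drawn when none is supplied."""
    if len(m) > k - 2 * HLEN - 2:
        raise ValueError("message too long for this modulus size")
    lhash = hashlib.sha256(label).digest()
    ps = b"\x00" * (k - len(m) - 2 * HLEN - 2)
    db = lhash + ps + b"\x01" + m                      # DB = lHash || PS || 0x01 || M
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db           # EM = 0x00 || maskedSeed || maskedDB


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> Optional[bytes]:
    """Inverse of the encoding, run on RSA^-1(y). Returns m, or None if the
    encoding is invalid: wrong length, leading byte not 0x00, lHash mismatch,
    or no 0x01 separator after the zero padding."""
    if len(em) != k or k < 2 * HLEN + 2:
        return None
    lhash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    rest = db[HLEN:]
    i = 0
    while i < len(rest) and rest[i] == 0:
        i += 1
    # A production decoder must make these checks constant-time and report one
    # single failure cause: a decoder that reveals which check failed gives the
    # attacker a padding oracle (Manger's attack on RSA-OAEP).
    if y != 0 or db[:HLEN] != lhash or i == len(rest) or rest[i] != 1:
        return None
    return rest[i + 1:]


def tampered_block_rejected(k: int = 128) -> bool:
    """Encode a message, flip one bit of the masked seed (what RSA^-1 of a
    tampered ciphertext would look like) and confirm the decoder rejects it
    while the untouched block still decodes."""
    em = oaep_encode(b"attack at dawn", k)             # constructed sample message
    bad = em[:1] + bytes([em[1] ^ 0x80]) + em[2:]
    return oaep_decode(bad, k) is None and oaep_decode(em, k) == b"attack at dawn"
```

Two calls to oaep_encode with the same message give different blocks, which is exactly what defeats the re-encrypting adversary of the textbook-RSA slide; the decoder's "check if the encoding is valid" step is the part that later proofs for RSA-OAEP rely on, and it is also where implementations go wrong when the check is not constant-time.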

23

Security of RSA-OAEP?

It is randomized and resists the simple adversary from before.
But we do not only want resistance against one attack!
We want: security against a “large class” of adversaries.
Hope: this class includes many realistic attacks.

24

Semantic security

1. Generate challenge keys (pk, sk) = Gen(1^n); send pk.
2. The adversary chooses m0, m1 s.t. |m0| = |m1|.
3. Flip the challenge bit b ∈ {0,1} and send c = Enc_pk(mb).
4. The adversary outputs a bit b’.

We say a PKE is semantically secure if, for a “large class” of adversaries, we have: Pr[b = b’] ≤ 0.5 + “very small”.

What is “a large class”? What is “very small”?

25

Large class of adversaries? = All “efficient” adversaries

What does it mean? In other words: the attacker is computationally bounded.

Ideas:
1. “The attacker can use at most 1000 Intel i7 processors for at most 100 years…”
2. “The attacker can buy equipment worth 1 million euro and use it for 30 years…”

It is hard to reason formally about this. Alternative?

26

Complexity theory

“Efficient computation” = polynomial-time computable by a probabilistic algorithm.

1. What is polynomial-time computable?
An algorithm maps an input x to an output y. Let n = |x| be the length of x. The algorithm computes the output in T(n) = O(n^c) steps (for a constant c). What is a step?

2. What is a probabilistic algorithm?
An algorithm that has access to random coins r in each step; or, equivalently, that takes additional randomness r as input. This gives the adversary more power.

27

What is a step? Model of computation

Common model: poly-time Turing machine.
• Tapes contain values from a finite alphabet (e.g., 0 1 1 0 1 0 1 1 0 1).
• Heads can move left and right depending on the content of the tape, the current state and the instructions.
• Poly-time Turing machine: the heads can make O(n^c) moves.
• A probabilistic Turing machine has an additional tape with random bits.

28

Advantages
1. Many models of computation (TM, RAM, circuits, …) are “equivalent” up to a “polynomial reduction”. Therefore we do not need to specify the details of the model.
2. The formulas for running time get much simpler (we use asymptotics).

Disadvantage
Asymptotic results don’t tell us anything about the security of concrete systems.

However
Usually one can prove an asymptotic result formally and then argue informally that “the constants are reasonable” (and they can be calculated if one really wants).

Is this the right approach?

29

Semantic security

(Game as before: (pk, sk) = Gen(1^n); the adversary chooses m0, m1 s.t. |m0| = |m1|; the challenger flips b ∈ {0,1} and sends c = Enc_pk(mb); the adversary outputs b’.)

We say a PKE is semantically secure if for all PPT adversaries we have: Pr[b = b’] ≤ 0.5 + “very small”.

What is “very small”?

30

What does “very small” mean?

“very small” = “negligible” = approaches 0 faster than the inverse of any polynomial.

Formally: a function µ : N → R is negligible in n if for every positive integer c there exists an integer N such that for all n > N, µ(n) < n^{−c}.

We write negl(n) for such a function.

31

Negligible or not?

f(n) := n^{−2}: No, the inverse polynomial n^{−3} is smaller for all n > 1.
f(n) := 2^{−n}: Yes, for sufficiently large n.
f(n) := 2^{−n/2}: Yes, for sufficiently large n.
f(n) := n^{−1000}: No, n^{−1001} is smaller for all n > 1.
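A worked check of two of these against the formal definition, added here and not part of the slides:

For f(n) = 2^{−n} and any fixed c: 2^{−n} < n^{−c} ⟺ n^c < 2^n ⟺ c · log2(n) < n. For n = 2c^2 this reads c · (1 + 2 log2(c)) < 2c^2, i.e. 1 + 2 log2(c) < 2c, which holds for every c ≥ 1, and n / log2(n) only grows from there. So N := 2c^2 works for every c, and 2^{−n} is negligible.

For f(n) = n^{−2} take c = 3: n^{−2} < n^{−3} ⟺ n < 1, which fails for every n ≥ 1. No N works for this c, so n^{−2} is not negligible. The same argument with c = 1001 rules out n^{−1000}.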

32

Semantic security

(Game as before: (pk, sk) = Gen(1^n); the adversary chooses m0, m1 s.t. |m0| = |m1|; the challenger flips b ∈ {0,1} and sends c = Enc_pk(mb); the adversary outputs b’.)

We say a PKE is semantically secure if for all PPT adversaries we have: Pr[b = b’] ≤ 0.5 + negl(n).

Successful break: an adversary that runs in PPT and has advantage at least n^{−c} for some constant c (for infinitely many n), i.e., a non-negligible advantage.

33

Successful breaks?

Security parameter n = the length of the secret key sk. Suppose sk is a random element of {0,1}^n.

Consider an adversary that guesses the key k. It is efficient, but it is right only with probability 2^{−n}, which is negligible.

Consider an adversary that enumerates all possible keys k. It always succeeds, but this takes time 2^n (“brute-force attack”), which is exponential, so it is not PPT.

Neither counts as a successful break. How can we use the definition?

34

Provable Security

1. Security definition: what security property shall the scheme achieve?
2. Assumptions: what assumptions are needed for security?
3. Proof: prove that the scheme is secure against all PPT adversaries.

35

How to reason about all PPT adversaries?

First attempt: enumerate over all possible PPT adversaries. Not possible: there are too many!

Second attempt: base security on an assumption. If the assumption holds for all PPT adversaries, then the scheme is secure against all PPT adversaries.

We want: for all PPT adversaries playing the encryption game and outputting b’, Pr[b = b’] ≤ 0.5 + negl(n).

Assumption (holds for all PPT adversaries) → Proof → Scheme secure against all PPT adversaries.

36

Provable security is about relations between assumptions and the security of cryptoschemes:

If some “computational assumption A” holds (this we have to “believe”), then scheme X is secure (this we will prove).

Examples of A: “Factoring is hard”, “RSA assumption”.
Examples of X: “semantic security”.

37

Assumptions: properties & example

An assumption shall be…
- simple & universal
- well-understood & easy to analyze

Example: “Factoring is hard” (factoring has been studied for centuries!)

Game: on security parameter 1^n the oracle chooses N = pq, where p and q are random primes such that |p| = |q| = n, and sends N to the adversary.

Assumption: no PPT algorithm computes p and q from N with more than negl(n) probability.

38

Is factoring necessary for RSA? Yes: otherwise we can invert! How?

Claim: RSA semantically secure implies factoring must be hard.

Proof by reduction: given an algorithm F that factors large integers in PPT, build an adversary A that breaks semantic security in PPT.

A receives pk = (e, N = pq) from the challenger and forwards N to F.
F returns p, q.
A computes φ(N) = (p−1)(q−1) and d = e^{−1} mod φ(N).
A sends m0, m1 to the challenger and receives c = Enc_pk(mb).
A decrypts: m’ = Dec_(d,N)(c). If m’ = m0, output b’ = 0; else b’ = 1.

If F runs in PPT, then A also runs in PPT, and Pr[b = b’] ≥ Pr[F succeeds in factoring].

39

Is hardness of factoring sufficient?

RSA-OAEP semantically secure ⟹ factoring is hard (just shown).
Factoring is hard ⟹ RSA-OAEP semantically secure?? (unknown)

Can we use the RSA function to build semantically secure encryption?

40

Rest of the talk

Goal: build semantically secure encryption based on the RSA assumption.
1. RSA assumption & hardcore bits
2. Hardcore bits ⟹ semantic security
3. RSA assumption ⟹ existence of hardcore bits
Together: RSA assumption ⟹ semantic security.

RSA assumption (Game 1)

On security parameter 1^k the oracle chooses:
• N = pq, where p and q are random primes such that |p| = |q| = k,
• y, a random element of Z_N^*,
• e, a random element of Z_φ(N)^*,
and sends (y, e, N) to the adversary, who outputs x.

We say that the adversary wins if x = RSA^{−1}_(e,N)(y) = y^d mod N.

RSA assumption: all PPT adversaries win the above game with negligible probability.

Factoring is at least as hard as inverting RSA: the RSA assumption implies that factoring is hard (factor N, compute d, invert), but the converse is not known.

41

Hardcore bits of RSA

The RSA assumption says: it is hard to compute x := y^d. Maybe it is easy to compute some predicate f(x) from (N, e, y)?
Example: the Jacobi symbol is easy, Jacobi(x) = Jacobi(y), because e is odd.

Hardcore bits = “bits that are hardest to compute”: a predicate of x that is as hard to compute from (N, e, y) as x itself.

Hardcore bit of RSA: the least significant bit of x! In other words: LSB(x) = x mod 2.

42

Hardcore bit: Game 2

On security parameter 1^k the oracle chooses:
• N = pq, where p and q are random primes such that |p| = |q| = k,
• y, a random element of Z_N^*,
• e, a random element of Z_φ(N)^*,
and sends (y, e, N) to the adversary, who outputs a bit b.

The adversary wins if b is the least significant bit of x = RSA^{−1}_(e,N)(y) mod N.

We say that LSB is a hardcore bit of the RSA function if for all PPT adversaries we have:
Pr[LSB(x) = b] ≤ 0.5 + negl(k).

43

44

Rest of the talk (step 2: hardcore bits ⟹ semantic security)

Why are hardcore bits useful? 1-bit encryption from the RSA hardcore bit:

(N, e) – public key, (N, d) – private key.
Enc1_(N,e)(b) = x^e mod N, where x ∈ Z_N^* is random such that LSB(x) = b:
• b = 0 → x = random || 0
• b = 1 → x = random || 1
Dec1_(N,d)(y) = LSB(y^d mod N)

45

Large ciphertext blow-up: to encrypt 1 bit we need a value from Z_N^*.

46

LSB is hardcore ⟹ semantically secure

Theorem: suppose the LSB is a hardcore bit for the RSA function. Then Enc1 is semantically secure.

Proof by reduction: given an adversary Charlie that breaks semantic security in PPT, build an adversary Carol that extracts LSB(x) from y = x^e in PPT.

Carol receives (y, e, N) in Game 2 and simulates Charlie’s environment: she sends the public key (e, N) to Charlie; Charlie chooses the messages 0 and 1; Carol hands him y as the challenge ciphertext (y = x^e is distributed exactly like Enc1(LSB(x))); Charlie outputs b’, and Carol outputs b’ too.

If Charlie wins (i.e., b’ is correct), then Carol wins in Game 2 (i.e., LSB(x) = b’).
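The 1-bit scheme and the reduction of this slide, as an added example that is not code from the talk. P and Q are constructed toy primes; CheatingAdversary is a hypothetical Charlie that "wins" by being handed d, standing in for an arbitrary winning adversary (the reduction never looks inside Charlie, so any winning strategy would serve).

```python
"""Added example, not from the slides: the 1-bit scheme (Enc1, Dec1) built from
the RSA hardcore bit, and the reduction of slide 46: any adversary Charlie that
wins the semantic-security game for Enc1 is turned into an adversary Carol that
wins Game 2 (extract LSB(x) from y = x^e). P and Q are constructed toy primes;
CheatingAdversary is a hypothetical stand-in for 'some Charlie that wins'."""
import secrets
from math import gcd

P, Q = 104729, 1299709                 # constructed toy primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known to Dec1 only


def enc1(pk, b):
    """Enc1_(N,e)(b) = x^e mod N for a random x in Z_N^* with LSB(x) = b."""
    n, e = pk
    while True:
        x = secrets.randbelow(n - 1) + 1
        if (x & 1) == b and gcd(x, n) == 1:
            return pow(x, e, n)


def dec1(sk, y):
    """Dec1_(N,d)(y) = LSB(y^d mod N)."""
    n, d = sk
    return pow(y, d, n) & 1


def lsb_extractor(charlie, y, e, n):
    """Carol in Game 2. She simulates Charlie's environment: public key (n, e),
    Charlie picks the two messages, and the Game-2 challenge y = x^e is handed
    over as the challenge ciphertext. y is distributed exactly like
    Enc1(LSB(x)), so Charlie cannot tell the simulation from the real game, and
    the message he names is Carol's guess for LSB(x)."""
    pk = (n, e)
    m0, m1 = charlie.choose(pk)
    assert {m0, m1} == {0, 1}          # the only message pair of a 1-bit scheme
    b_prime = charlie.guess(pk, y)     # Charlie claims y = Enc1(m_{b'})
    return (m0, m1)[b_prime]


class CheatingAdversary:
    """Hypothetical Charlie that 'wins' by knowing d. Any other winning Charlie
    could be plugged in: Carol only uses choose() and guess()."""
    def choose(self, pk):
        return 1, 0                    # any order of the two messages is fine

    def guess(self, pk, c):
        bit = dec1((pk[0], D), c)
        return 0 if bit == 1 else 1    # index of the message that equals the bit


def extractor_success_rate(charlie, trials=50):
    """Fraction of random x for which Carol outputs LSB(x) when given x^e."""
    wins = 0
    for _ in range(trials):
        x = secrets.randbelow(N - 1) + 1
        wins += lsb_extractor(charlie, pow(x, E, N), E, N) == (x & 1)
    return wins / trials
```

The extractor's success rate equals Charlie's success rate in the semantic-security game, which is the whole content of the reduction: Carol adds no work of her own beyond relabelling Charlie's answer, so a Charlie with advantage ε gives a Carol with advantage ε in Game 2.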

47

Rest of the talk (step 3: RSA assumption ⟹ existence of hardcore bits)

Theorem: suppose the RSA assumption holds. Then the LSB of the RSA function is a hardcore bit.

Proof by reduction: suppose we are given a PPT adversary that extracts the LSB, i.e., from y = x^e it computes LSB(x). We build a PPT adversary that inverts the RSA function, i.e., from y = x^e it computes x, which contradicts the RSA assumption.

For simplicity suppose that the LSB adversary is always correct (probability 1, not 0.5 + small).

How to recover all bits of x from one bit of x?

48

Outline of the reduction

Carol receives (y, e, N) with x = y^d unknown. She asks Charlie (the LSB adversary) about related values: (y1, e, N) → LSB(x1), (y2, e, N) → LSB(x2), …, (yt, e, N) → LSB(xt), where xi := (yi)^d, and combines the answers to compute x = y^d.

49

First observation

Carol plays Game 1 (invert RSA); Charlie plays Game 2 (LSB). Charlie can be used to compute the LSB of x := y^d mod N.

Can he also be used to compute the LSB of c · x mod N = c · y^d (for some c)?
Yes: give Charlie (c^e · y, e, N). He outputs b’ = LSB((c^e · y)^d) = LSB(c^{ed} · y^d) = LSB(c · y^d) = LSB(c · x).

This works because c^e · y is still a uniformly random element of Z_N^* (for c ∈ Z_N^*), so Charlie’s input is distributed exactly as in Game 2.

50

How can Carol use this observation?

Outline of the reduction: from (y, e, N) Carol asks Charlie about
(2^e · y, e, N) → LSB(2x),
(4^e · y, e, N) → LSB(4x),
(8^e · y, e, N) → LSB(8x),
…
since (2^e · y)^d = 2^{ed} · x^{ed} = 2x mod N, and so on.

Why is this useful?

51

What does it tell us about x?

x ranges over 1, …, N−1, so 2x ranges over 2, 4, …, 2N−2. Reducing modulo N:
• if x ≤ (N−1)/2, then 2x mod N = 2x, which is even (values 2, 4, …, N−1);
• if x > (N−1)/2, then 2x mod N = 2x − N, which is odd because N = pq is odd (values 1, 3, …, N−2).

Check the boundary: 2 · (N−1)/2 = N−1, and 2 · ((N−1)/2 + 1) = N+1 = 1 mod N.

Moral: x ∈ [1, …, (N−1)/2] iff 2x mod N is even.

How is it useful? Carol asks Charlie for (2^e · y, e, N) and gets LSB(2x mod N), which reveals whether 2x mod N is odd or even, i.e., which half of [1, …, N−1] contains x.
Suppose LSB(2x) was even …

52

Now consider 4x, which ranges over 4, …, 4N−4. Reducing modulo N, depending on the quarter of [1, …, N−1] that contains x:
• x ≤ (N−1)/4: 4x mod N = 4x, even;
• (N−1)/4 < x ≤ (N−1)/2: 4x mod N = 4x − N, odd;
• (N−1)/2 < x ≤ 3(N−1)/4: 4x mod N = 4x − 2N, even;
• x > 3(N−1)/4: 4x mod N = 4x − 3N, odd.

Moral: x ∈ [1, …, (N−1)/4] ∪ [(N−1)/2 + 1, …, 3(N−1)/4] iff 4x mod N is even.

How is it useful? Suppose LSB(2x) was even, i.e., x ≤ (N−1)/2. Carol asks Charlie for (4^e · y, e, N) and gets LSB(4x mod N). Suppose LSB(4x) was odd: then x lies in the second quarter, (N−1)/4 < x ≤ (N−1)/2.

53

Similarly for 8x: reducing 8x modulo N gives 8x − jN, where j ∈ {0, …, 7} is the index of the eighth of [1, …, N−1] that contains x, and 8x − jN is even iff j is even (8x is even, N is odd).

Moral: x ∈ [1, …, (N−1)/8] ∪ [2N/8 + 1, …, 3(N−1)/8] ∪ [4N/8 + 1, …, 5(N−1)/8] ∪ [6N/8 + 1, …, 7(N−1)/8] iff 8x mod N is even.

How is it useful? Suppose LSB(2x) was even and LSB(4x) was odd, so x is in the second quarter; now suppose LSB(8x) was even: then x lies in the third eighth of [1, …, N−1].

54

Bisection on [1, …, N−1]:
Calculate LSB((2^e · y)^d) = LSB(2x): 0 or 1 tells which half contains x.
Calculate LSB((4^e · y)^d) = LSB(4x): which quarter.
Calculate LSB((8^e · y)^d) = LSB(8x): which eighth.
Calculate LSB((16^e · y)^d) = LSB(16x): which sixteenth.
…

So we can use bisection: after about log2 N queries the remaining interval contains a single value. Recover x.
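The bisection of slides 48 to 54 carried out in code, as an added example that is not from the talk. It uses the idealized setting of the proof sketch (Charlie's LSB oracle is always correct); the oracle is simulated with the private exponent d, which Carol herself never touches. P and Q are constructed toy primes. The block goes slightly beyond the slides in one respect: it states the general rule behind the half/quarter/eighth pictures, namely that LSB(2^i · x mod N) is the i-th binary digit of x/N.

```python
"""Added example, not from the slides: the idealized reduction of slides 47-54.
Carol is given (y, e, N) and an LSB oracle that is always correct (the
'probability 1' simplification) and recovers x = y^d by bisection. The oracle
is simulated here with the private exponent d, which Carol never uses.
P and Q are constructed toy primes."""
P, Q = 104729, 1299709
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def lsb_oracle(y):
    """Charlie, assumed perfect: LSB(y^d mod N) for any y."""
    return pow(y, D, N) & 1


def shifted_lsb(oracle, y, e, n, c):
    """First observation (slide 49): querying c^e * y yields LSB(c * x mod n),
    since (c^e * y)^d = c^(ed) * x^(ed) = c * x (mod n)."""
    return oracle((pow(c, e, n) * y) % n)


def invert_rsa(oracle, y, e, n):
    """Carol in Game 1: recover x from y = x^e using only LSB queries.

    Query i gives LSB(2^i * x mod n). 2^i * x is even and n is odd, so
    2^i * x mod n = 2^i * x - j*n is even exactly when j = floor(2^i * x / n)
    is even; that bit is the i-th binary digit of x/n. This is the bisection
    of the slides (half, quarter, eighth, ...). After n.bit_length() digits the
    interval left for x has width n / 2^bits < 1, so it contains one integer."""
    bits = n.bit_length()
    digits = 0
    for i in range(1, bits + 1):
        digits = (digits << 1) | shifted_lsb(oracle, y, e, n, 1 << i)
    # x/n lies in [digits/2^bits, (digits+1)/2^bits), hence x = ceil(digits*n / 2^bits)
    return (digits * n + (1 << bits) - 1) >> bits


def queries_needed(n):
    """Number of oracle calls the inversion makes: one per bit of n."""
    return n.bit_length()
```

With the toy modulus the inversion takes 37 oracle queries and no arithmetic beyond modular exponentiation with the public exponent; Carol's running time is therefore polynomial in the bit length of N whenever Charlie's is, which is what the reduction needs. Handling a Charlie that is right only with probability 0.5 + ε requires more care than shown here, as the talk notes.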

55

Putting things together

Hardness of the RSA assumption ⟹ existence of hardcore bits ⟹ semantic security of encryption.

56

Conclusions

Provable security is a large area of research:
• More powerful threat models: active adversaries
• Many other primitives: signatures, symmetric crypto
• Many nice techniques

Is provable security useful in practice?
• Some of it, yes: it helps to gain confidence in security (e.g., some standards are proven secure)
• It helps to reason about attacks at design time

Are provably secure schemes unbreakable?

58

No! Crypto implementations get broken.

Example: acoustic cryptanalysis, CRYPTO 2014

Computers emit noise due to the vibration of their components. If the computer computes with the secret key, then the noise pattern depends on the key, so the key can be extracted.
Attack: send encrypted emails to the victim, who decrypts them with the secret key; record the noise; extract the secret key from the noise pattern.

What is wrong? Idealized trust models.

59

Model vs. reality: the model does not cover all real-world attacks!

60

Conclusions

Are provably secure schemes unbreakable? It depends on the threat model!

Thanks to Stefan Dziembowski for providing some of the slides of this talk.