
Kentucky Presentation

November, 2006

Cryptography from an art to a science

Ganesh Sundaram

Reality check

• Dramatic growth in the use of cryptographic protocols and algorithms
– Internet transactions, wireless, storage, etc.
• Everyone has their favorite protocol and algorithm
– Security by secrecy!
• Little or no analysis phase
– Common complaints include:
– DES is “too slow”… “I don’t need anything strong”… DES does not fit requirements of “my application”
– Public key methods “computationally intensive”
• Little or no analysis leads to a conundrum
– Even “alleged” algorithms have been compromised
– Public relations disaster, costly replacement/recall

Tacit realization

• Cryptography is more than just encryption
– Security is more than just privacy
• Speed and low complexity very important
– From a cost and user experience perspective
• But cannot keep “re-inventing” algorithms
– Just using “confusion and diffusion” principles doesn’t work
• Need thorough analysis
– But don’t have time for thorough analysis (needed it yesterday phenomenon!)
• Public key cryptography is “good” but cannot be used all the time
– Arguably scalable and “well analyzed” but there is some truth to the “computationally inefficient” complaint

More than just encryption & privacy…

• Entity and message authentication
– Has the user paid his bill? Has someone tampered with data?
• Key exchange, generation, management, …
– Need keys for everything
• Pseudorandom generators
– One-time-pad style encryption, challenge response protocols
• Pseudorandom functions, permutations
– Session key generation, block ciphers
• Etc.

Problem

Can we create cryptographic primitives rapidly, to suit different applications, but yet eliminate the long analysis phase?

Don’t invent new stuff

• Old is good?
– Well analyzed algorithms that withstand test of time
– But need so many things and have so little time
• Enter proof theoretic cryptography
– Affirmative answer to the problem we stated earlier
– Create new cryptographic primitives to suit applications based on “old primitives”
– Eliminate analysis phase
– Provide a “proof” of security!

10000 ft view: proof theoretic approach

Start: Choose a “hard problem”

Create: Develop procedure “based on” the hard problem to suit requirements of application

Given: Requirements

Prove: Provide proof of security; often translates to showing that if there is a break in the procedure developed, then there is a solution to the hard problem

Example

Start: Discrete logarithm problem

Create: We will discuss this in some detail today

Given: Design pseudorandom generator

Prove: We will sketch a proof!

Prove that: If there is an “efficient” algorithm to predict the next bit, then there is an “efficient” algorithm to solve the discrete log problem!

Before that…

• What is a pseudorandom generator?
– Naive definition: Sequence of numbers that are unpredictable
– What is unpredictable?
• Given the first “n” bits, cannot predict the (n+1)-st bit with probability greater than 0.5
– Cannot predict == cannot predict “efficiently”
– Describing “efficiently” requires a framework
• Framework due to Yao as well as Blum-Micali (early 80’s)
– Notion of “computational entropy”, different from information theoretic entropy
• Subsequent work by Levin, Goldreich, etc.

Finite fields and discrete log problem

• Let p be a prime number
• Let (Z/(p))* represent the set {1, 2, …, (p-1)}
– I.e., set of nonzero integers modulo p
– Forms a cyclic group under multiplication modulo p
– Let g be a generator of this cyclic group
– Every element y in the set can be represented as g^x
• i.e., y = g^x for some x between 1 and p-1
• Discrete log problem: Given y and g, find x.
• We will use this problem to create a pseudorandom generator
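As an added worked example (my code, not part of the original slides), the following Python builds the Blum-Micali style generator that the slides set up from exactly these objects: a prime p, a generator g of (Z/(p))*, the state update x → g^x mod p, and one hard-core bit of each state. The toy parameters in the demo (p = 23, g = 5) are constructed for readability and are far too small to be meaningful; the function names, the safe-prime generator check and the choice of the "lower half" predicate as the hard-core bit are my own choices, not something the slides specify.

```python
"""Blum-Micali style pseudorandom generator from the discrete log problem (toy sizes)."""
import secrets


def is_generator_of_safe_prime_group(p, g):
    """For a safe prime p = 2q + 1 (q prime) the group (Z/(p))* has order 2q, so g is
    a generator iff neither g^2 nor g^q equals 1 mod p. The caller guarantees p is a
    safe prime; this check does not verify primality itself."""
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def hard_core_bit(x, p):
    """Predicate on a group element x in {1, ..., p-1}: 1 for the lower half.
    The slide's proof obligation is that predicting this bit of x from g^x (the next
    state) with probability noticeably above 1/2 yields a discrete log solver."""
    return 1 if x <= (p - 1) // 2 else 0


def blum_micali_bits(p, g, seed, count):
    """State update x <- g^x mod p (the slide's y = g^x); one output bit per step.
    The discrete log of every new state is the previous state, which is what ties
    next-bit prediction to the discrete log problem."""
    if not 1 <= seed < p:
        raise ValueError("seed must lie in {1, ..., p-1}")
    x = seed
    bits = []
    for _ in range(count):
        x = pow(g, x, p)
        bits.append(hard_core_bit(x, p))
    return bits


def random_seed(p):
    """Uniform seed in {1, ..., p-1} from the OS entropy source."""
    return secrets.randbelow(p - 1) + 1


def bits_to_bytes(bits):
    """Pack a bit list MSB-first, zero-padding the final byte."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        chunk = chunk + [0] * (8 - len(chunk))
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)


if __name__ == "__main__":
    # Constructed toy parameters: p = 23 is a safe prime (q = 11) and 5 generates (Z/(23))*.
    p, g = 23, 5
    assert is_generator_of_safe_prime_group(p, g)
    print(blum_micali_bits(p, g, 3, 7))   # [1, 1, 1, 0, 1, 1, 0]
    print(bits_to_bytes(blum_micali_bits(p, g, random_seed(p), 32)).hex())
```

Running the demo with p = 23 makes the slide's point in miniature: the state space has only p-1 = 22 elements, so the sequence cycles almost immediately and the discrete log is found by trying every exponent. The security argument only has content when p is large enough that no efficient discrete log algorithm is known, and a real deployment would use a prime of a size for which that is believed to hold.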

Rest of this talk

• Construction and sketch of proof
• History and references
• Kindly allow me to use the whiteboard!
• Time permits
– Another example: Converting pseudorandom functions to pseudorandom permutations
– Extension: Variable length block ciphers

PRF to PRP: Luby Rackoff ciphers

[Figure: three-round Feistel network with input halves x[1…n] and x[n+1…2n], round functions f1, f2, f3 and intermediate values R, S, T]

• Original work by Luby and Rackoff
– Seminal paper: led to a lot of research
• Some references:
– Patarin: Multiple rounds
– Naor-Reingold: Use hash functions
– Patel-Ramzan-Sundaram: Char p versions (p>2)
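An added example (my code, not from the slides or from the Luby-Rackoff paper): the three-round Feistel network of the figure in Python, turning a fixed-input-length PRF on n-bit inputs into a permutation on 2n-bit blocks. HMAC-SHA256 truncated to n bits stands in for the abstract PRF family (an assumption of this example); the names HALF, prf, feistel, keygen and left_half_relation_holds are mine. The last function is a structural check of why the theorem asks for three rounds and not two: with two rounds the left output half is still L ⊕ f1(R), a relation visible without any key, and the third round removes it.

```python
"""Three-round Luby-Rackoff Feistel: a PRP on 2n-bit blocks from a PRF on n-bit inputs."""
import hmac
import hashlib
import secrets

HALF = 16  # n = 128 bits, so the permutation acts on 2n = 256-bit (32-byte) blocks


def prf(key, data):
    """Fixed-input-length PRF on n-bit inputs. HMAC-SHA256 truncated to n bits is a
    stand-in (assumption of this example) for the PRF family the construction needs."""
    return hmac.new(key, data, hashlib.sha256).digest()[:HALF]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(round_keys, block, inverse=False):
    """One Feistel round per key: (L, R) -> (R, L xor f_i(R)).
    A round is its own inverse up to swapping the halves, so decryption is the same
    loop with the key order reversed and the halves swapped on entry and exit."""
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 2n bits")
    L, R = block[:HALF], block[HALF:]
    keys = round_keys[::-1] if inverse else round_keys
    if inverse:
        L, R = R, L
    for k in keys:
        L, R = R, xor(L, prf(k, R))
    if inverse:
        L, R = R, L
    return L + R


def encrypt(round_keys, block):
    return feistel(round_keys, block)


def decrypt(round_keys, block):
    return feistel(round_keys, block, inverse=True)


def keygen(rounds=3):
    """One independent key per round: three rounds give a PRP (Luby-Rackoff),
    four give a strong PRP (secure against chosen-ciphertext queries as well)."""
    return [secrets.token_bytes(32) for _ in range(rounds)]


def left_half_relation_holds(round_keys, block1, block2):
    """Why the theorem needs three rounds: after two rounds the left output half is
    L xor f1(R), so two blocks sharing R have output left halves that XOR to
    L1 xor L2 for every key. A third round replaces it with f2(S1) xor f2(S2)."""
    if block1[HALF:] != block2[HALF:]:
        raise ValueError("both blocks must share the same right half")
    out1, out2 = feistel(round_keys, block1), feistel(round_keys, block2)
    return xor(out1[:HALF], out2[:HALF]) == xor(block1[:HALF], block2[:HALF])


if __name__ == "__main__":
    keys = keygen(3)
    block = bytes(range(2 * HALF))          # constructed sample block
    ct = encrypt(keys, block)
    print(ct.hex(), decrypt(keys, ct) == block)
    other = bytes([0xFF]) * HALF + block[HALF:]
    print(left_half_relation_holds(keys[:2], block, other),   # True: two rounds leak structure
          left_half_relation_holds(keys, block, other))       # False: three rounds do not
```

The same loop serves both directions because a Feistel round never needs the inverse of f_i; that is exactly the property that lets a PRF, which has no inverse at all, act as the round function.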

The VIL-FIL problem statement

• Existing cryptographic primitives operate on fixed-input-lengths (FIL); e.g., DES operates on 64-bit blocks

• In practice one needs to operate on inputs of all sizes; e.g., network packet sizes vary…

• Therefore, it would be nice if primitives worked on variable-input-lengths (VIL).

• But, it’s undesirable to design primitives “from scratch.”

“Crypto Operations” done only by the FIL primitive. The security of the VIL primitive should provably follow from the security of the FIL primitive.

Q: Can we use FIL primitive as building block for VIL primitive?

FIL to VIL SPRP Scheme

[Figure: unbalanced Feistel network; the input x[1…n], x[n+1…b] passes through h1 to give y[1…n], y[n+1…b]; round function f1 applied to y[n+1…b] yields S and T; round function f2 applied to S; the output passes through h2^{-1}]

Essentially, we did the Naor-Reingold construction but with an unbalanced Feistel and with round functions of VIL PRFs (which can be constructed using FIL PRP).

h1, h2 chosen from pairwise independent permutation family; i.e., for all x ≠ y, a ≠ b, Pr_h[h(x)=a, h(y)=b] ≤

f1, f2 are PRFs; it’s easy to create variable input and output length PRFs from a fixed input length one.
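An added example in Python (my code, not the construction as published by Patel, Ramzan and Sundaram) covering both the last bullet and the scheme above: a variable-input and variable-output-length PRF built from a fixed-length primitive, and the unbalanced four-round structure in which f1 takes the long right part and produces n bits while f2 takes those n bits and produces the rest. Two assumptions depart from the slide and are marked in the code: the pairwise independent permutations h1 and h2^{-1} are replaced by outer Feistel rounds keyed with an almost-XOR-universal polynomial hash over GF(2^64), the usual cheap way to make the inputs to f1 and f2 pairwise distinct with high probability while keeping a permutation for every length b > n; and the VIL PRFs are HMAC-SHA256 in counter mode standing in for a FIL primitive. The choice n = 64 bits, the GF(2^64) reduction polynomial and all names are mine.

```python
"""Unbalanced FIL-to-VIL cipher: hash round, f1, f2, hash round (toy, assumptions marked)."""
import hmac
import hashlib
import secrets

N = 8  # n = 64 bits: size in bytes of the short left part (constructed choice)
# x^64 + x^4 + x^3 + x + 1, assumed irreducible (a standard low-weight choice)
GF64_POLY = (1 << 64) | (1 << 4) | (1 << 3) | (1 << 1) | 1


def gf64_mul(a, b):
    """Carry-less multiply in GF(2^64), reduced by GF64_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> 64:
            a ^= GF64_POLY
        b >>= 1
    return r


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def vil_prf(key, data, out_len):
    """Variable-input, variable-output-length PRF from a fixed-length primitive.
    HMAC-SHA256 is the stand-in FIL PRF (assumption); a counter stretches the output
    and the input length is bound into every call so lengths are domain-separated."""
    out = b""
    for ctr in range((out_len + 31) // 32):
        msg = ctr.to_bytes(4, "big") + len(data).to_bytes(4, "big") + data
        out += hmac.new(key, msg, hashlib.sha256).digest()
    return out[:out_len]


def axu_hash(key, data, out_len):
    """Almost-XOR-universal hash (replaces the slide's pairwise independent
    permutation, assumption): Horner evaluation over GF(2^64) of the 8-byte blocks of
    data, one independently keyed polynomial per 8-byte output block."""
    padded = data + b"\x00" * (-len(data) % 8)   # injective for a fixed input length
    blocks = [int.from_bytes(padded[i:i + 8], "big") for i in range(0, len(padded), 8)]
    out = b""
    for j in range((out_len + 7) // 8):
        k = int.from_bytes(hmac.new(key, b"axu" + j.to_bytes(4, "big"),
                                    hashlib.sha256).digest()[:8], "big")
        acc = 0
        for m in blocks:
            acc = gf64_mul(acc, k) ^ m
        out += gf64_mul(acc, k).to_bytes(8, "big")   # no constant term: keyed throughout
    return out[:out_len]


def encrypt(keys, x):
    """x has b > n bytes. Rounds: h1 (hash), f1, f2, h2 (hash); length preserving."""
    if len(x) <= N:
        raise ValueError("input must be longer than n bits")
    kh1, kf1, kf2, kh2 = keys
    L, R = x[:N], x[N:]
    R = xor(R, axu_hash(kh1, L, len(R)))   # h1 round: distinct f1 inputs w.h.p.
    L = xor(L, vil_prf(kf1, R, N))         # f1: (b-n)-bit input, n-bit output -> S
    R = xor(R, vil_prf(kf2, L, len(R)))    # f2: n-bit input, (b-n)-bit output -> T
    L = xor(L, axu_hash(kh2, R, N))        # h2 round: same protection for the inverse
    return L + R


def decrypt(keys, y):
    """Undo the four rounds in reverse order; no round function is ever inverted."""
    if len(y) <= N:
        raise ValueError("input must be longer than n bits")
    kh1, kf1, kf2, kh2 = keys
    L, R = y[:N], y[N:]
    L = xor(L, axu_hash(kh2, R, N))
    R = xor(R, vil_prf(kf2, L, len(R)))
    L = xor(L, vil_prf(kf1, R, N))
    R = xor(R, axu_hash(kh1, L, len(R)))
    return L + R


def keygen():
    """Four independent keys: two for the hash rounds, two for the PRFs."""
    return tuple(secrets.token_bytes(32) for _ in range(4))


def roundtrip_ok(keys, x):
    return decrypt(keys, encrypt(keys, x)) == x


if __name__ == "__main__":
    keys = keygen()
    for sample in (b"short msg", bytes(range(40)), b"x" * 100):   # constructed inputs
        ct = encrypt(keys, sample)
        print(len(sample), len(ct), roundtrip_ok(keys, sample))
```

Every call to f1, f2 and the hash rounds is length preserving and none of them is inverted, which is why the FIL primitive does all the cryptographic work and the VIL cipher's security is argued from it rather than analysed afresh for every block size.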

Thank You! Questions?
