Cryptography from an art to a science
Ganesh Sundaram
Kentucky Presentation
November, 2006
Reality check
• Dramatic growth in the use of cryptographic protocols and algorithms
  – Internet transactions, wireless, storage, etc.
• Everyone has their favorite protocol and algorithm
  – Security by secrecy!
• Little or no analysis phase
  – Common complaints include:
    • DES is “too slow”… “I don’t need anything strong”… DES does not fit requirements of “my application”
    • Public key methods “computationally intensive”
• Little or no analysis leads to a conundrum
  – Even “alleged” algorithms have been compromised
  – Public relations disaster, costly replacement/recall
Tacit realization
• Cryptography is more than just encryption
  – Security is more than just privacy
• Speed and low complexity very important
  – From a cost and user experience perspective
• But cannot keep “re-inventing” algorithms
  – Just using “confusion and diffusion” principles doesn’t work
• Need thorough analysis
  – But don’t have time for thorough analysis (the “needed it yesterday” phenomenon!)
• Public key cryptography is “good” but cannot be used all the time
  – Arguably scalable and “well analyzed”, but there is some truth to the “computationally inefficient” complaint
More than just encryption & privacy…
• Entity and message authentication
  – Has the user paid his bill? Has someone tampered with data?
• Key exchange, generation, management, …
  – Need keys for everything
• Pseudorandom generators
  – One-time-pad style encryption, challenge response protocols
• Pseudorandom functions, permutations
  – Session key generation, block ciphers
• Etc.
Problem
Can we create cryptographic primitives rapidly, to suit different applications, but yet eliminate the long analysis phase?
Don’t invent new stuff
• Old is good?
  – Well analyzed algorithms that withstand the test of time
  – But need so many things and have so little time
• Enter proof theoretic cryptography
  – Affirmative answer to the problem we stated earlier
  – Create new cryptographic primitives to suit applications based on “old primitives”
  – Eliminate analysis phase
  – Provide a “proof” of security!
10000 ft view: proof theoretic approach
Start: Choose a “hard problem”
Create: Develop procedure “based on” the hard problem to suit requirements of application
Given: Requirements
Prove: Provide proof of security; often translates to showing that if there is a break in the procedure developed, then there is a solution to the hard problem
Example
Start: Discrete logarithm problem
Create: We will discuss this in some detail today
Given: Design pseudorandom generator
Prove: We will sketch a proof!
Prove that: If there is an “efficient” algorithm to predict the next bit, then there is an “efficient” algorithm to solve the discrete log problem!
Before that…
• What is a pseudorandom generator?
  – Naive definition: Sequence of numbers that are unpredictable
  – What is unpredictable?
• Given the first “n” bits, cannot predict the (n+1)-st bit with probability greater than 0.5
  – Cannot predict == cannot predict “efficiently”
  – Describing “efficiently” requires a framework
• Framework due to Yao as well as Blum-Micali (early 80’s)
  – Notion of “computational entropy”, different from information theoretic entropy
• Subsequent work by Levin, Goldreich, etc.
Finite fields and discrete log problem
• Let p be a prime number
• Let (Z/(p))* represent the set {1, 2, …, (p-1)}
  – I.e., the set of nonzero integers modulo p
  – Forms a cyclic group under multiplication modulo p
  – Let g be a generator of this cyclic group
  – Every element y in the set can be represented as g^x
    • i.e., y = g^x for some x between 1 and p-1
• Discrete log problem: Given y and g, find x.
• We will use this problem to create a pseudorandom generator
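A toy implementation of the construction the slides build toward, added here as an example; it is not code from the original talk. It is the Blum-Micali generator over (Z/(p))* for a safe prime p = 2q+1 (so a generator can be confirmed with two exponentiations), with a brute-force discrete-log routine that makes the "hard problem" concrete at toy size. The prime 1019, the choice of "x < (p-1)/2" as the hard-core predicate that yields each output bit, and all function names are assumptions made for the example; a real deployment would use a prime of 2048 bits or more, where the brute-force routine is hopeless and the reduction sketched in the talk is what makes the bits unpredictable.

```python
import random


def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with q prime: the group order p-1 factors as 2*q, so
    generator checking needs only two exponentiations."""
    return is_prime(p) and is_prime((p - 1) // 2)


def find_generator(p: int) -> int:
    """Smallest generator of (Z/(p))* for a safe prime p: g generates the
    whole cyclic group iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found (is p a safe prime?)")


def blum_micali(p: int, g: int, seed: int, nbits: int) -> list:
    """Blum-Micali generator: state x_{i+1} = g^{x_i} mod p; the output bit is
    the hard-core predicate B(x) = 1 if x < (p-1)/2 else 0 (assumed choice).
    A next-bit predictor with advantage over 1/2 would yield a discrete-log
    solver, which is the reduction the talk sketches."""
    x = seed % p
    if x == 0:
        raise ValueError("seed must be a nonzero residue mod p")
    half = (p - 1) // 2
    bits = []
    for _ in range(nbits):
        x = pow(g, x, p)
        bits.append(1 if x < half else 0)
    return bits


def discrete_log_brute(p: int, g: int, y: int) -> int:
    """The hard problem of the slides solved by exhaustive search: returns x
    in 1..p-1 with g^x = y (mod p). Only feasible at toy parameter sizes."""
    acc = 1
    for x in range(1, p):
        acc = (acc * g) % p
        if acc == y:
            return x
    raise ValueError("y is not in the group")


if __name__ == "__main__":
    p = 1019                      # constructed toy safe prime (q = 509)
    g = find_generator(p)
    seed = random.randrange(1, p)
    print("p =", p, "g =", g, "bits:", blum_micali(p, g, seed, 32))
```

With p = 1019 and g = 2, seed 5 gives the state sequence 32, 500, 611, 865 and hence the bits 1, 1, 0, 0; discrete_log_brute(1019, 2, 32) recovers the exponent 5 immediately, which is exactly what the security argument rules out once p is large.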
Rest of this talk
• Construction and sketch of proof
• History and references
• Kindly allow me to use the whiteboard!
• Time permitting:
  – Another example: Converting pseudorandom functions to pseudorandom permutations
  – Extension: Variable length block ciphers
PRF to PRP: Luby-Rackoff ciphers
[Figure: three-round Feistel network on input halves x[1…n] and x[n+1…2n], with round functions f1, f2, f3 and intermediate values labelled R, S, T.]
• Original work by Luby and Rackoff
  – Seminal paper: led to a lot of research
• Some references:
  – Patarin: Multiple rounds
  – Naor-Reingold: Use hash functions
  – Patel-Ramzan-Sundaram: Char p versions (p>2)
The VIL-FIL problem statement
• Existing cryptographic primitives operate on fixed-input-lengths (FIL); e.g., DES operates on 64-bit blocks
• In practice one needs to operate on inputs of all sizes; e.g., network packet sizes vary…
• Therefore, it would be nice if primitives worked on variable-input-lengths (VIL).
• But, it’s undesirable to design primitives “from scratch.”
  – “Crypto operations” done only by the FIL primitive.
  – The security of the VIL primitive should provably follow from the security of the FIL primitive.
Q: Can we use the FIL primitive as a building block for a VIL primitive?
FIL to VIL SPRP Scheme
[Figure: unbalanced Feistel network. Input x[1…n], x[n+1…b] passes through h1 to y[1…n], y[n+1…b]; f1 applied to y[n+1…b] gives S, f2 applied to S gives T; the output passes through h2^-1.]
Essentially, we did the Naor-Reingold construction but with an unbalanced Feistel and with round functions of VIL PRFs (which can be constructed using a FIL PRP).
• h1, h2 chosen from a pairwise independent permutation family; i.e., for all x ≠ y, a ≠ b, Pr_h[h(x)=a, h(y)=b] ≤
• f1, f2 are PRFs; it’s easy to create variable input and output length PRFs from a fixed input length one.
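The two Feistel constructions of the preceding slides, written out as an added example that is not code from the original talk or from the cited papers: the Luby-Rackoff PRF-to-PRP network (three rounds on equal halves) and the unbalanced two-round core of the FIL-to-VIL scheme, with round functions that are variable-input, variable-output-length PRFs built only from calls to a fixed-input-length primitive. Assumptions made here: HMAC-SHA256 truncated to 16 bytes stands in for the "old", well-analysed FIL primitive; the VIL PRF is built from it by length-prefixed CBC-MAC chaining followed by counter-mode expansion (one standard route, chosen for the example); and the pairwise-independent permutations h1, h2 of the SPRP scheme are not implemented, so the unbalanced function below is the scheme's Feistel core rather than the complete SPRP. The last function shows why Luby-Rackoff needs the third round: with two rounds, two inputs sharing a right half leak the XOR of their left halves, which no pseudorandom permutation would do.

```python
import hashlib
import hmac
import os

BLOCK = 16  # byte width of the stand-in fixed-input-length (FIL) primitive (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def fil_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in FIL PRF: exactly BLOCK bytes in, BLOCK bytes out.
    HMAC-SHA256 truncated to 16 bytes plays the role of the old primitive."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def vil_prf(key: bytes, msg: bytes, out_len: int) -> bytes:
    """Variable-input / variable-output-length PRF built only from fil_prf.
    Input side: length-prefixed (prefix-free) CBC-MAC chaining of 16-byte blocks.
    Output side: counter-mode expansion of the 16-byte chaining value.
    Two derived sub-keys keep the two phases domain-separated."""
    k_chain = fil_prf(key, bytes([0x00]) * BLOCK)
    k_expand = fil_prf(key, bytes([0x01]) * BLOCK)
    data = len(msg).to_bytes(8, "big") + msg
    data += b"\x00" * (-len(data) % BLOCK)          # zero-pad to a block multiple
    state = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        state = fil_prf(k_chain, xor(state, data[i:i + BLOCK]))
    out = b""
    ctr = 0
    while len(out) < out_len:
        out += fil_prf(k_expand, state[:BLOCK - 4] + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:out_len]


def feistel(round_keys, x: bytes, n: int, decrypt: bool = False) -> bytes:
    """Feistel network with left part = first n bytes, right part = the rest.
    Even-indexed rounds update the left part from the right, odd-indexed rounds
    the right from the left, the alternating pattern of the slides' diagrams.
    With n == len(x)//2 and three keys this is the Luby-Rackoff PRP; with
    n < len(x) - n and two keys it is the unbalanced core of the VIL scheme.
    Each round is an involution, so applying the rounds in reverse inverts."""
    left, right = x[:n], x[n:]
    order = range(len(round_keys))
    for i in (reversed(order) if decrypt else order):
        if i % 2 == 0:
            left = xor(left, vil_prf(round_keys[i], right, len(left)))
        else:
            right = xor(right, vil_prf(round_keys[i], left, len(right)))
    return left + right


def two_rounds_leak(keys, n: int, left_a: bytes, left_b: bytes, right: bytes) -> bool:
    """Why Luby-Rackoff needs three rounds: after two rounds the output left
    part is L xor f1(R), so two inputs with the same R have output left parts
    whose XOR equals left_a xor left_b. Returns True when that relation holds."""
    out_a = feistel(keys[:2], left_a + right, n)
    out_b = feistel(keys[:2], left_b + right, n)
    return xor(out_a[:n], out_b[:n]) == xor(left_a, left_b)


if __name__ == "__main__":
    keys = [os.urandom(16) for _ in range(3)]
    block = os.urandom(16)                      # constructed sample block
    assert feistel(keys, feistel(keys, block, 8), 8, decrypt=True) == block
    packet = os.urandom(37)                     # constructed VIL input: 16 + 21 bytes
    ct = feistel(keys[:2], packet, 16)
    assert feistel(keys[:2], ct, 16, decrypt=True) == packet
    print("3-round PRP and 37-byte unbalanced core both invert; two-round leak:",
          two_rounds_leak(keys, 8, bytes(8), bytes([0xFF]) * 8, bytes(range(8))))
```

The length prefix in vil_prf is what makes the chaining safe for inputs of differing lengths (plain CBC-MAC over raw variable-length data is not a PRF), and the domain-separated expansion key keeps the output-stretching phase from interacting with the chaining phase; both are the kind of detail the slides' "easy to create" hides.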
Thank You! Questions?