Provable Security
Sebastian Faust, Ruhr-Universität Bochum, Germany

Cryptography in the past ≈ securing communication
Alice and Bob agree on a secret key k; the adversary learns nothing about m
Encrypt: Enc(k, m)
Decrypt: Dec(k, C)

Modern cryptography: much more than encryption…
(seventies to now)
public-key cryptography, key agreement, signature schemes
e-cash, electronic voting, electronic auctions
multiparty computation, mental poker, zero-knowledge
How to analyze security?
One approach: analyze security with respect to one concrete attack
But: the adversary may find a new attack
This resembles a cat-and-mouse game:
Cryptoscheme 1 is secure against attack 1; a new attack appears; the fix yields Cryptoscheme 2, secure against the new attack; and so on…
Goal of modern cryptography: hopefully stop the cat-and-mouse game!
Show security against broad classes of adversaries
One important tool: security proofs
Why security proofs?
In many areas of computer science, “proofs” are not essential: e.g., instead of proving that an algorithm is efficient, one can simply simulate its behavior on “typical” inputs.
In cryptography this is not true. Why? The notion of a “typical adversary” makes little sense.
Proofs are useful! How does it work?
Provable Security
1. Security definition: What security property shall the scheme achieve?
Example: a message m is encrypted under a key K; the resulting ciphertext shall “hide” the message.
2. Assumptions: What assumptions are needed for security?
3. Proof: Prove that the scheme satisfies the definition if the assumption holds.
This shows: the only way to break the scheme is to break the assumption. The crypto scheme is secure if the assumption holds.
Secure against any attack within the model!
Really any attack? Only:
• if the assumption holds
• if the attack is in the model
Why definitions?
We need to know what we want in order to achieve it.
Definitions allow comparing schemes: some definitions may be stronger than others.
Definitions allow for proofs: a security proof is only meaningful relative to a definition.
Coming up with the right definition is non-trivial.
Next: an example for public-key encryption.
Public-key encryption (PKE)
A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec):
• Gen is a randomized key-generation algorithm that takes as input a security parameter 1^n and outputs a key pair (pk, sk).
• Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c.
• Dec is a decryption algorithm that takes as input the private key sk and a ciphertext c, and outputs a message m'.
Alice (knows pk) sends c := Enc(pk, m); Bob (knows sk) computes Dec(sk, c).
Correctness: Dec(sk, Enc(pk, m)) = m
How to define security?
Alice sends c := Enc(pk, m); Bob computes Dec(sk, c).
1. The threat model: describes what the adversary can see and do. The adversary knows pk but has no knowledge about sk!
2. The security goal: What does it mean to break the scheme?
What is the security goal?
Attempt 1: given pk and c := Enc_pk(m), the adversary cannot compute m.
Q: Is this sufficient? A: No!
Suppose the adversary recovers half of the message: m_1 ... m_{|m|/2} ? ... ?
The adversary does not learn the entire m, but would you consider this scheme secure?
Too weak a security guarantee!
Attempt 2: the adversary learns nothing about m.
But the adversary may already know something about m. Example: the adversary knows that
m := “I love you” with prob. 0.5, or “I don’t love you” with prob. 0.5.
Then, given pk and c := Enc_pk(m), the adversary trivially “knows something” about m, so this requirement cannot hold.
Too strong a security guarantee! Unachievable.
Attempt 3: the adversary learns nothing new about m.
The adversary knows that
m := “I love you” with prob. 0.5, or “I don’t love you” with prob. 0.5.
After seeing pk and c := Enc_pk(m), the adversary still knows only that
m := “I love you” with prob. 0.5, or “I don’t love you” with prob. 0.5.
This makes sense. How do we formalize it?
The semantic security game
Adversary and Challenger both hold the security parameter 1^n.
1. Challenger generates challenge keys (pk, sk) = Gen(1^n) and sends pk
2. Adversary chooses messages m0 and m1 and sends them
3. Challenger flips a challenge bit b in {0,1} and sends c = Enc_pk(m_b)
4. Adversary outputs a bit b'
Before seeing c, the adversary only knows that b = 0 with prob. 0.5 and b = 1 with prob. 0.5.
We want: the adversary cannot guess the bit b after seeing c. How to formalize this?
We want: Pr[b = b'] ≤ 0.5 + ε
The adversary can always guess correctly with prob. 0.5, so what matters is ε, the advantage of the adversary. It must be “very small”!
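The game can be sketched as a small Python harness (the harness, the placeholder scheme, and the adversary class below are illustrative names, not part of the talk):

```python
import random

def semantic_security_game(gen, enc, adversary, n):
    """One run of the game; returns True iff the adversary guesses b."""
    pk, sk = gen(n)                       # 1. challenger generates keys
    m0, m1 = adversary.choose(pk)         # 2. adversary picks two messages
    b = random.randrange(2)               # 3. challenger flips challenge bit
    c = enc(pk, (m0, m1)[b])              #    ...and encrypts m_b
    return adversary.guess(pk, c) == b    # 4. adversary outputs b'

class GuessingAdversary:
    """Baseline: ignores the ciphertext and guesses b' at random."""
    def choose(self, pk):
        return b"yes", b"no!"
    def guess(self, pk, c):
        return random.randrange(2)

# Exercise the harness with a trivial placeholder scheme (not a real PKE):
toy_gen = lambda n: ("pk", "sk")
toy_enc = lambda pk, m: m
wins = sum(semantic_security_game(toy_gen, toy_enc, GuessingAdversary(), 16)
           for _ in range(10_000))
print(wins / 10_000)   # close to 0.5: blind guessing gives no advantage
```

Any candidate (Gen, Enc) pair can be plugged into the same harness; a scheme is broken exactly when some efficient adversary pushes the win rate noticeably above 0.5.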
A subtlety of the definition…
Consider the following adversary: it chooses messages m0 and m1 of different length. Since the ciphertext length typically depends on the message length, it can tell the two cases apart:
Case 1: b = 0, c = Enc(pk, m0): the adversary outputs b' = 0
Case 2: b = 1, c = Enc(pk, m1): the adversary outputs b' = 1
The adversary always wins: Pr[b = b'] = 1
We need: |m0| = |m1|
The semantic security game
1. Challenger generates challenge keys (pk, sk) = Gen(1^n) and sends pk
2. Adversary chooses messages m0, m1 s.t. |m0| = |m1|
3. Challenger flips a challenge bit b in {0,1} and sends c = Enc_pk(m_b)
4. Adversary outputs a bit b'
We want: Pr[b = b'] ≤ 0.5 + “small”
Informally, this means: “learn nothing new from c about m, except its length”.
Example: Textbook RSA
RSA = (Gen, Enc, Dec):
Key generation Gen(1^n) → (pk, sk):
- N = pq, where p, q are primes s.t. |p| = |q| = n
- e is coprime to φ(N), where φ(N) = (p-1)(q-1)
- d is s.t. ed = 1 (mod φ(N))
- pk = (N, e), sk = (N, d)
Encryption Enc_pk(m) for m in Z_N*: c := m^e mod N
Decryption Dec_sk(c): m' := c^d mod N
Correctness: c^d mod N = m^{ed} mod N = m^{ed mod φ(N)} mod N = m
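The scheme can be written down directly; the primes 61 and 53 below are toy values chosen for illustration (real keys use primes of 1024+ bits):

```python
p, q = 61, 53                  # toy primes, for illustration only
N = p * q                      # N = 3233
phi = (p - 1) * (q - 1)        # phi(N) = (p-1)(q-1) = 3120
e = 17                         # coprime to phi(N)
d = pow(e, -1, phi)            # d = 2753, since e*d = 1 (mod phi(N))

def enc(pk, m):
    N, e = pk
    return pow(m, e, N)        # c := m^e mod N

def dec(sk, c):
    N, d = sk
    return pow(c, d, N)        # m' := c^d mod N

m = 65
c = enc((N, e), m)
assert dec((N, d), c) == m     # correctness: (m^e)^d = m (mod N)
```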
Is textbook RSA semantically secure?
Run the game: keys (pk, sk) = ((N, e), (N, d)); the adversary chooses m0, m1 in Z_N*; the challenger flips b and sends c = (m_b)^e mod N; the adversary outputs b'.
How can the adversary win the game?
1. He chooses any m0, m1.
2. He computes c0 = (m0)^e and c1 = (m1)^e himself; encryption needs only the public key.
3. If c = c0, he outputs b' = 0; otherwise b' = 1.
The adversary wins with Pr[b = b'] = 1.
What is the problem? Encryption is deterministic!
Take-home message: encryption has to be randomized.
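The winning adversary from above, run against the toy textbook-RSA instance (parameters again illustrative):

```python
import random

p, q, e = 61, 53, 17                   # toy parameters
N = p * q
enc = lambda m: pow(m, e, N)           # deterministic textbook RSA

def adversary(c, m0, m1):
    # Re-encrypt m0 with the public key and compare with the challenge.
    return 0 if c == enc(m0) else 1

wins = 0
for _ in range(1000):
    m0, m1 = 2, 3                      # any two messages in Z_N*
    b = random.randrange(2)
    c = enc((m0, m1)[b])               # challenger encrypts m_b
    wins += adversary(c, m0, m1) == b
assert wins == 1000                    # Pr[b = b'] = 1: the scheme is broken
```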
Randomized RSA encoding
Idea: before encrypting a message, we encode it, adding some randomness:
Enc_(N,e)(m; r) := (m||r)^e mod N
Advantage: this makes encryption non-deterministic and prevents the previous attacker.
This idea is used in real life: RSA-OAEP in the PKCS encryption standard.
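A minimal sketch of the idea, using plain bit concatenation as the encoding; this is not OAEP, just an illustration of why fresh randomness defeats the compare-ciphertexts attack:

```python
import secrets

p, q, e = 61, 53, 17                   # toy parameters, illustration only
N = p * q

def enc_randomized(m, r_bits=4):
    """Append r_bits fresh random bits to m, then apply textbook RSA."""
    r = secrets.randbits(r_bits)
    x = (m << r_bits) | r              # the encoding m || r (must stay < N)
    return pow(x, e, N)

# Two encryptions of the same message now almost surely differ, so the
# previous re-encrypt-and-compare adversary no longer works:
cs = {enc_randomized(5) for _ in range(50)}
print(len(cs))   # > 1 with overwhelming probability
```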
RSA-OAEP
How to encrypt? Compute Encoding(m; r) and apply RSA: the ciphertext is RSA(Encoding(m; r)).
How to decrypt? Given a ciphertext y, compute RSA^{-1}(y) = Encoding(m; r), check that the encoding is valid, and output m.
Security of RSA-OAEP?
It is randomized and resists the simple adversary above.
But we do not only want resistance against one attack!
We want security against a “large class” of adversaries.
Hope: this class includes many realistic attacks.
Semantic security
(The game as before: keys (pk, sk) = Gen(1^n); messages m0, m1 with |m0| = |m1|; challenge bit b; c = Enc_pk(m_b); the adversary outputs b'.)
We say a PKE is semantically secure if, for a “large class” of adversaries, we have: Pr[b = b'] ≤ 0.5 + “very small”.
What is “a large class”? What is “very small”?
A large class of adversaries? = all “efficient” adversaries
What does it mean? In other words: the attacker is computationally bounded.
Ideas:
1. “The attacker can use at most 1000 Intel i7 processors for at most 100 years...”
2. “The attacker can buy equipment worth 1 million euro and use it for 30 years...”
But it is hard to reason formally about such statements. Alternative?
Complexity theory
“Efficient computation” = polynomial-time computable by a probabilistic algorithm.
1. What is polynomial-time computable? An algorithm maps an input x of length n = |x| to an output y and computes the output in T(n) = O(n^c) steps, for a constant c. (What is a step?)
2. What is a probabilistic algorithm? In each step the algorithm has access to random coins; equivalently, it receives additional randomness r as input. This gives the adversary more power.
What is a step? Model of computation
Common model: the poly-time Turing machine.
Tapes contain values from a finite alphabet. Heads can move left and right depending on the content of the tape, the current state, and the instructions.
Poly-time Turing machine: heads can make O(n^c) moves.
A probabilistic Turing machine has an additional tape with random bits.
Advantages
1. Many models of computation (TMs, RAMs, circuits, ...) are “equivalent” up to a “polynomial reduction”. Therefore we do not need to specify the details of the model.
2. The formulas for running time get much simpler (we use asymptotics).
Disadvantage
Asymptotic results don’t tell us anything about the security of concrete systems.
However, usually one can prove an asymptotic result formally and then argue informally that “the constants are reasonable” (and they can be calculated if one really wants).
Is this the right approach?
Semantic security
(The game as before.)
We say a PKE is semantically secure if, for all PPT (probabilistic polynomial-time) adversaries, we have: Pr[b = b'] ≤ 0.5 + “very small”.
What is “very small”?
What does “very small” mean?
“very small” = “negligible” = approaches 0 faster than the inverse of any polynomial.
Formally: a function µ : N → R is negligible in n if for every positive integer c there exists an integer N such that for all n > N: |µ(n)| < n^{-c}.
We call such a function negligible in n: negl(n).
Negligible or not?
f(n) := n^{-2}: No; for c = 3 we never have n^{-2} < n^{-3}, since n^{-3} is always smaller.
f(n) := 2^{-n}: Yes; for every c, 2^{-n} < n^{-c} for sufficiently large n.
f(n) := 2^{-n/2}: Yes, for the same reason.
f(n) := n^{-1000}: No; n^{-1001} is always smaller.
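A quick numeric sanity check for the 2^{-n} case; the constant c = 10 and the search range are arbitrary choices for illustration:

```python
# 2^-n is negligible: for any fixed c, it eventually stays below n^-c.
c = 10
# Largest n (in range) where 2^-n is still >= n^-c, plus one:
threshold = 1 + max(n for n in range(1, 200) if 2**-n >= n**-c)
print(threshold)   # 59: from here on, 2^-n < n^-10
assert all(2**-n < n**-c for n in range(threshold, 200))
```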
Semantic security
(The game as before, with |m0| = |m1|.)
We say a PKE is semantically secure if, for all PPT adversaries, we have: Pr[b = b'] ≤ 0.5 + negl(n).
Successful break: an adversary that runs in PPT and has advantage at least n^{-c} for some constant c.
Successful breaks?
Security parameter n = the length of the secret key sk. Suppose sk is a random element of {0,1}^n.
Consider an adversary that guesses sk. But: he is right with probability 2^{-n}, which is negligible.
Consider an adversary that enumerates all possible keys (a “brute-force attack”). But: this takes time 2^n, which is exponential, so the adversary is not PPT.
How can we use the definition?
Provable Security
1. Security definition: What security property shall the scheme achieve?
2. Assumptions: What assumptions are needed for security?
3. Proof: Prove that the scheme is secure against all PPT adversaries.
How to reason about all PPT adversaries?
First attempt: enumerate over all possible PPT adversaries. Not possible: there are too many!
Second attempt: base security on an assumption. If the assumption holds for all PPT adversaries, then the scheme is secure for all PPT adversaries.
We want: for all PPT adversaries, Pr[b = b'] ≤ 0.5 + negl(n).
The proof shows: if the assumption holds against all PPT adversaries, then the encryption scheme is secure against all PPT adversaries.
Provable security is about relations between assumptions and the security of cryptoschemes:
If some “computational assumption A” holds, then scheme X is secure.
That A holds is something we have to “believe”; the implication is what we prove.
Examples of A: “factoring is hard”, the “RSA assumption”.
Examples of X: “semantic security”.
Assumptions: Properties & Example
An assumption shall be simple & universal, well-understood & easy to analyze.
Example: “Factoring is hard”. Factoring has been studied for centuries!
Game: the oracle chooses N = pq, where p and q are random primes such that |p| = |q| = n, and sends N to the adversary (who holds the security parameter 1^n).
Assumption: no PPT algorithm computes p and q with more than negligible probability.
Is factoring necessary for RSA? Yes: otherwise we can invert! How?
RSA semantically secure implies factoring must be hard.
Proof by reduction: given an algorithm that factors large integers in PPT, we build an adversary that breaks semantic security in PPT:
1. Receive the public key (e, N) and use the algorithm to factor N = pq.
2. Compute φ(N) = (p-1)(q-1) and d = e^{-1} mod φ(N).
3. Choose any m0, m1; receive the challenge c = Enc_pk(m_b); decrypt m' = Dec_(d,N)(c).
4. If m' = m0, output b' = 0; else output b' = 1.
If the factoring algorithm runs in PPT, then the adversary also runs in PPT, and Pr[b = b'] = Pr[the algorithm succeeds in factoring].
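A sketch of the reduction in Python. The factoring oracle is simulated by handing back the known toy factors; in the real reduction this call would be the hypothetical PPT factoring algorithm:

```python
import random

p, q, e = 61, 53, 17                   # toy parameters
N = p * q

def factoring_oracle(N):
    return p, q                        # stand-in for a PPT factoring algorithm

def sem_sec_adversary(N, e, m0, m1, c):
    p, q = factoring_oracle(N)         # 1. factor N
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # 2. recover the secret exponent d
    m = pow(c, d, N)                   # 3. decrypt the challenge ciphertext
    return 0 if m == m0 else 1         # 4. output b'

wins = 0
for _ in range(100):
    m0, m1 = 7, 11
    b = random.randrange(2)
    c = pow((m0, m1)[b], e, N)
    wins += sem_sec_adversary(N, e, m0, m1, c) == b
assert wins == 100   # the adversary wins whenever factoring succeeds
```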
Is hardness of factoring sufficient?
We have just seen: RSA-OAEP semantically secure implies factoring is hard. But does the converse hold: does hardness of factoring imply that RSA-OAEP is semantically secure?
Can we use the RSA function to build semantically secure encryption?
Rest of the talk
Goal: build semantically secure encryption based on the RSA assumption.
1. RSA assumption & hardcore bits
2. Hardcore bits imply semantic security
3. RSA assumption implies existence of hardcore bits
Together: the RSA assumption implies semantic security.

RSA assumption (Game 1)
The oracle chooses:
• N = pq, where p and q are random primes such that |p| = |q| = k
• y, a random element of Z_N*
• e, a random element of Z_φ(N)*
and sends (y, e, N) to the adversary (who holds the security parameter 1^k). The adversary outputs x.
We say that the adversary wins if x = RSA^{-1}_(e,N)(y) = y^d mod N.
RSA assumption: all PPT adversaries win the above game with negligible probability.
Note: factoring is harder than inverting RSA.
Hardcore bits of RSA
The RSA assumption says: it is hard to compute x := y^d. But maybe it is easy to compute some predicate f(x) from (N, e, y)? Example: Jacobi(x) := Jacobi(y) is easy to compute.
Hardcore bits = “bits that are hardest to compute”.
A hardcore bit of RSA: the least significant bit of x, LSB(x). In other words: LSB(x) = x mod 2.
Hardcore bit: Game 2
The oracle chooses:
• N = pq, where p and q are random primes such that |p| = |q| = k
• y, a random element of Z_N*
• e, a random element of Z_φ(N)*
and sends (y, e, N) to the adversary (who holds the security parameter 1^k). The adversary outputs a bit b.
The adversary wins if b is the least significant bit of x = RSA^{-1}_(e,N)(y) = y^d mod N.
We say that LSB is a hardcore bit of the RSA function if for all PPT adversaries we have: Pr[LSB(x) = b] ≤ 0.5 + negl(k).
Part 2: Hardcore bits imply semantic security
Why are hardcore bits useful?
1-bit encryption from the RSA hardcore bit, with public key (N, e) and private key (N, d):
Enc1_(N,e)(b) = x^e mod N, where x ∈ Z_N* is random such that LSB(x) = b
(b = 0: x = random||0; b = 1: x = random||1)
Dec1_(N,d)(y) = LSB(y^d mod N)
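Enc1/Dec1 on the toy parameters (illustrative primes; rejection sampling picks a random x in Z_N* with the prescribed low bit):

```python
import secrets

p, q, e = 61, 53, 17
N = p * q
d = pow(e, -1, (p - 1) * (q - 1))

def enc1(b):
    """Encrypt bit b as x^e mod N for random x in Z_N* with LSB(x) = b."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if x % p != 0 and x % q != 0 and x % 2 == b:
            return pow(x, e, N)

def dec1(y):
    return pow(y, d, N) % 2            # LSB(y^d mod N)

assert all(dec1(enc1(b)) == b for b in (0, 1) for _ in range(20))
```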
Drawback: a large ciphertext blow-up: to encrypt 1 bit we need a value from Z_N*.
LSB is hardcore implies semantically secure
Theorem: Suppose the LSB is a hardcore bit for the RSA function. Then Enc1 is semantically secure.
Proof by reduction: given an adversary (Charlie) that breaks semantic security in PPT, we build an adversary (Carol) that extracts LSB(x) from y = x^e in PPT.
Carol receives (y, e, N) in Game 2 and simulates the semantic-security environment for Charlie: she sends him the public key (e, N), he chooses the messages 0 and 1, and she hands him y as the challenge ciphertext. Charlie outputs b', and Carol outputs the same b'.
If Charlie wins (b' is correct), then Carol wins in Game 2 (b' = LSB(x)).
Part 3: RSA assumption implies existence of hardcore bits
Theorem: Suppose the RSA assumption holds. Then the LSB of the RSA function is a hardcore bit.
Proof by reduction: suppose we are given a PPT adversary that extracts the LSB. We build a PPT adversary that inverts the RSA function.
For simplicity, suppose the LSB extractor succeeds with probability 1 (not just 0.5 + non-negligible).
So from y = x^e we can obtain LSB(x). The question: how to recover, one bit at a time, all bits of x?
Outline of the reduction
Carol plays Game 1: she receives (y, e, N) and must output x = y^d. Charlie plays Game 2: given (y_i, e, N), he returns LSB(x_i), where x_i = (y_i)^d.
Carol queries Charlie on (y1, e, N), (y2, e, N), ..., (yt, e, N), collects LSB(x1), LSB(x2), ..., LSB(xt), and reconstructs x = y^d from these bits.
First observation
Charlie can be used to compute the LSB of x := y^d mod N. Can he also be used to compute the LSB of c · x mod N = c · y^d (for some c)?
Yes: Carol sends (c^e · y, e, N), and Charlie outputs
b' = LSB((c^e · y)^d) = LSB(c^{ed} · y^d) = LSB(c · y^d) = LSB(c · x)
This works because c^e · y is still a random value, so Charlie behaves as in Game 2.
How can Carol use this observation?
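The observation is just the multiplicativity of RSA, easy to check on the toy parameters:

```python
p, q, e = 61, 53, 17
N = p * q
d = pow(e, -1, (p - 1) * (q - 1))

x = 1234                                   # the "unknown" plaintext x = y^d
y = pow(x, e, N)                           # the ciphertext Carol holds
c = 2
shifted = (pow(c, e, N) * y) % N           # the query c^e * y mod N
assert pow(shifted, d, N) == (c * x) % N   # (c^e * y)^d = c * x  (mod N)
```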
Outline of the reduction, continued
Given y = x^e, Carol queries Charlie on (2^e·y, e, N), (4^e·y, e, N), (8^e·y, e, N), ..., obtaining LSB(2x mod N), LSB(4x mod N), LSB(8x mod N), ...
This works since (2^e·y)^d = 2^{ed}·x^{ed} = 2x mod N.
Why is this useful?
What does it tell us about x?
Remember: N = pq is odd.
If x ≤ (N-1)/2, then 2x mod N = 2x, which is even.
If x > (N-1)/2, then 2x mod N = 2x - N, which is odd.
(Boundary check: 2 · (N-1)/2 = N-1, while 2 · ((N-1)/2 + 1) mod N = N+1 mod N = 1.)
Moral: x ∈ [1, ..., (N-1)/2] iff 2x mod N is even.
How is this useful? LSB(2x mod N), obtained via the query (2^e · y, e, N), reveals whether 2x mod N is odd or even, i.e., which half of [1, N-1] contains x.
Suppose LSB(2x mod N) was even. Next, the query (4^e · y, e, N) yields LSB(4x mod N).
Depending on which quarter of [1, N-1] contains x, 4x mod N equals 4x, 4x - N, 4x - 2N, or 4x - 3N, and the parity alternates between even and odd across the quarters.
Moral: x ∈ [1, ..., (N-1)/4] ∪ [(N/2)+1, ..., 3(N-1)/4] iff 4x mod N is even.
Combined with the first answer, this pins x down to one quarter of the interval. (In the running example: LSB(2x) even, LSB(4x) odd.)
The same works for 8x: 8x mod N equals 8x - iN for some i ∈ {0, ..., 7}, and the parity alternates across the eight subintervals of [1, N-1].
Moral: x ∈ [1, ..., (N-1)/8] ∪ [(2N/8)+1, ..., 3(N-1)/8] ∪ [(4N/8)+1, ..., 5(N-1)/8] ∪ [(6N/8)+1, ..., 7(N-1)/8] iff 8x mod N is even.
Each further query (here: suppose LSB(8x mod N) was even) again halves the candidate interval.
So we can use bisection on [1, N-1]: calculate LSB((2^e·y)^d) = LSB(2x), LSB((4^e·y)^d) = LSB(4x), LSB((8^e·y)^d) = LSB(8x), LSB((16^e·y)^d) = LSB(16x), ...
Each answer (0 or 1) selects one half of the current interval; after about log2 N queries the interval contains a single integer.
Recover x.
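The whole bisection fits in a few lines. The oracle below plays Charlie's role; exact Fraction arithmetic keeps the interval endpoints precise (toy parameters as before):

```python
from fractions import Fraction

p, q, e = 61, 53, 17
N = p * q
d = pow(e, -1, (p - 1) * (q - 1))

def lsb_oracle(ct):
    """Charlie: returns only the least significant bit of ct^d mod N."""
    return pow(ct, d, N) & 1

def recover(y):
    """Carol: recover x = y^d mod N using one LSB query per bit of N."""
    lo, hi = Fraction(0), Fraction(N)
    ct, two_e = y, pow(2, e, N)
    for _ in range(N.bit_length()):
        ct = (ct * two_e) % N          # ciphertext of 2^i * x mod N
        mid = (lo + hi) / 2
        if lsb_oracle(ct) == 0:        # even => no mod-N wraparound: lower half
            hi = mid
        else:                          # odd  => wraparound happened: upper half
            lo = mid
    return int(hi)                     # interval width < 1 pins down x

x = 1234
assert recover(pow(x, e, N)) == x      # all of x from one leaked bit per query
```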
Putting things together
Hardness of the RSA problem implies the existence of hardcore bits, which implies the semantic security of the encryption scheme.
Conclusions
Provable security is a large area of research:
• More powerful threat models: active adversaries
• Many other primitives: signatures, symmetric crypto
• Many nice techniques
Is provable security useful in practice?
• Some of it, yes: it helps to gain confidence in security (e.g., some standards are proven secure)
• It helps to reason about attacks at design time
Are provably secure schemes unbreakable?
No! Crypto implementations get broken.
Example: acoustic cryptanalysis (CRYPTO 2014)
Computers emit noise due to the vibration of their components. If a computer computes with the secret key, the noise pattern depends on the key. The attack: send encrypted emails, record the noise while the victim decrypts them with the secret key, and extract the secret key from the noise pattern.
What is wrong? Idealized threat models: the model does not cover all real-world attacks!
Conclusions
Are provably secure schemes unbreakable? It depends on the threat model!
Thanks to Stefan Dziembowski for providing some of the slides of this talk.