Provable Security
Sebastian Faust, Ruhr-Universität Bochum, Germany
(slide transcript, 61 slides)

Page 1: Provable Security

Sebastian Faust, Ruhr-Universität Bochum, Germany

Page 2: Cryptography in the past ≈ securing communication

Alice and Bob agree on a secret key k. Alice encrypts: C := Enc(k, m). Bob decrypts: m := Dec(k, C). An adversary who sees C learns nothing about m.

Modern cryptography (from the seventies until now) is much more than encryption:
- public-key cryptography
- signature schemes
- key agreement
- zero-knowledge proofs
- multiparty computation
- mental poker
- e-cash
- electronic voting
- electronic auctions

Page 3: How to analyze security?

One approach: analyze the security with respect to one attack.
But: the adversary may find a new attack. This resembles a cat-and-mouse game:

Cryptoscheme 1 is secure against attack 1 → a new attack is found → fix the new attack → Cryptoscheme 2 is secure against the new attack → ...

Goal of modern cryptography: hopefully stop the cat-and-mouse game! Show security against broad classes of adversaries.

One important tool: security proofs.

Page 4: Why security proofs?

In many areas of computer science "proofs" are not essential: e.g., instead of proving that an algorithm is efficient, one just simulates its behavior on "typical" inputs.

In cryptography this is not true. Why? The notion of a "typical adversary" makes little sense: an adversary deliberately searches for the untypical input that breaks the scheme.

Proofs are useful! How does it work?

Page 5: Provable Security, step 1

1. Security definition: what security property shall the scheme achieve?
   Example: a message is encrypted under key K to a ciphertext; the ciphertext shall "hide" the message.

Page 6: Provable Security, the three steps

1. Security definition: what security property shall the scheme achieve?
2. Assumptions: what assumptions are needed for security?
3. Proof: prove that the scheme satisfies the definition if the assumption holds.

Result: if the assumption holds, the crypto scheme is secure against any attack within the model! This shows: the only way to break the scheme is to break the assumption.

Really any attack? Only
- if the assumption holds, and
- if the attack is in the model.

Page 7: Why definitions?

- We need to know what we want in order to achieve it.
- Allows to compare schemes: some definitions may be stronger than others.
- Allows for proofs: a security proof is only meaningful with respect to a definition.

Coming up with the right definition is non-trivial. Next: an example for public-key encryption.

Page 8: Public key encryption (PKE)

A public-key encryption (PKE) scheme is a triple (Gen, Enc, Dec):
- Gen is a randomized key-generation algorithm that takes as input a security parameter 1^n and outputs a key pair (pk, sk).
- Enc is an encryption algorithm that takes as input the public key pk and a message m, and outputs a ciphertext c.
- Dec is a decryption algorithm that takes as input the private key sk and a ciphertext c, and outputs a message m'.

Alice knows pk and sends c := Enc(pk, m) to Bob; Bob knows sk and computes Dec(sk, c).

Correctness: Dec(sk, Enc(pk, m)) = m.

Page 9: How to define security

Alice sends c := Enc(pk, m) to Bob, who decrypts with sk.

1. The threat model: describes what the adversary can see and do. Here: the adversary knows pk and sees c, but has no knowledge about sk!
2. The security goal: what does it mean to break the scheme?

Page 10: What is the security goal?

Informal: the adversary does not learn m.

Attempt 1: the adversary, given pk and c := Enc_pk(m), cannot compute m.

Q: Is this sufficient? A: No! Consider a scheme whose ciphertext reveals the first half m_1 ... m_{|m|/2} of the message and hides the rest. The adversary does not learn the entire m, but would you consider this scheme secure? Too weak a security guarantee!

Page 11: What is the security goal?

Attempt 2: the adversary learns nothing about m.

But the adversary may already know something about m. Example: the adversary knows that m = "I love you" with prob. 0.5 and m = "I don't love you" with prob. 0.5. He did not need to learn "something" from c in order to know this.

Too strong a security guarantee: unachievable!

Page 12: What is the security goal?

Attempt 3: the adversary learns nothing new about m.

Before seeing c := Enc_pk(m) the adversary knows that m = "I love you" with prob. 0.5 and m = "I don't love you" with prob. 0.5. After seeing c the adversary still knows exactly that, and nothing more.

Makes sense: but how to formalize it?

Page 13: The semantic security game

Adversary and Challenger both receive the security parameter 1^n.
1. The challenger generates the challenge keys (pk, sk) = Gen(1^n) and sends pk to the adversary.
2. The adversary chooses two messages m_0 and m_1 and sends them to the challenger.
3. The challenger flips a challenge bit b in {0,1}, encrypts c = Enc_pk(m_b) and sends c to the adversary.

Before seeing c, the adversary knows that b = 0 with prob. 0.5 and b = 1 with prob. 0.5.

Page 14: The semantic security game

Same game as above. After seeing c, the adversary should still know only that b = 0 with prob. 0.5 and b = 1 with prob. 0.5.

We want: the adversary cannot guess the bit b after seeing c. How to formalize?

Page 15: The semantic security game

Same game, with a final step:
4. The adversary outputs a bit b'.

We want: Pr[b = b'] ≤ 0.5 + ε.

The adversary can always guess correctly with prob. 0.5, so only the excess ε matters. ε is the advantage of the adversary, and it must be "very small"!

Page 16: A subtlety of the definition...

Consider the following adversary: it chooses messages m_0 and m_1 of different length, |m_0| ≠ |m_1|.
- Case 1: b = 0, c = Enc(pk, m_0). The adversary outputs b' = 0.
- Case 2: b = 1, c = Enc(pk, m_1). The adversary outputs b' = 1.

The adversary can tell the two cases apart because the length of c depends on the length of the encrypted message. The adversary always wins: Pr[b = b'] = 1.

We need: |m_0| = |m_1|.

Page 17: The semantic security game (final version)

1. The challenger generates (pk, sk) = Gen(1^n) and sends pk to the adversary.
2. The adversary chooses m_0, m_1 s.t. |m_0| = |m_1|.
3. The challenger flips b in {0,1} and sends c = Enc_pk(m_b).
4. The adversary outputs a bit b'.

We want: Pr[b = b'] ≤ 0.5 + small.

Informally this "means": the adversary learns nothing new from c about m, except its length.

Page 18: Example: Textbook RSA

RSA = (Gen, Enc, Dec):

Key generation Gen(1^n) → (pk, sk):
- N = pq, where p, q are primes s.t. |p| = |q| = n
- φ(N) = (p-1)(q-1)
- e is coprime to φ(N)
- d is s.t. ed = 1 (mod φ(N))
- pk = (N, e), sk = (N, d)

Encryption Enc_pk(m) for m in Z_N^*: c := m^e mod N

Decryption Dec_sk(c): m' := c^d mod N

Correctness: c^d mod N = m^{ed} mod N = m^{ed mod φ(N)} mod N = m mod N (by Euler's theorem, since m is in Z_N^*).

Page 19: Is textbook RSA semantically secure?

1. Generate challenge keys (pk, sk) = ((N, e), (N, d)); the adversary gets pk.
2. The adversary chooses m_0, m_1 in Z_N^*.
3. The challenger flips b in {0,1} and sends c = (m_b)^e mod N.
4. The adversary outputs a bit b'.

How can the adversary win the game?
1. He just chooses any m_0 ≠ m_1.
2. He computes c_0 = (m_0)^e mod N and c_1 = (m_1)^e mod N himself (he knows pk).
3. If c = c_0 he outputs b' = 0; otherwise b' = 1.

The adversary wins with Pr[b = b'] = 1.

What is the problem? Encryption is deterministic!
Take-home message: encryption has to be randomized.
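The game of Page 17 and the attack of Page 19, run in code. This is an added example, not part of the original slides: it uses constructed toy primes (far too small for real use; the attack does not depend on key size), and the names keygen, enc, dec, run_game and deterministic_adversary are this example's own.

```python
"""Textbook RSA inside the semantic-security game; the adversary wins every time."""
import secrets
from math import gcd

# Constructed toy parameters: 8-bit primes, chosen only so the numbers stay readable.
P, Q = 251, 241


def keygen(p=P, q=Q, e=65537):
    """Gen(1^n): N = pq, e coprime to phi(N), d = e^{-1} mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # modular inverse (Python >= 3.8)
    return (n, e), (n, d)          # pk, sk


def enc(pk, m):
    """Textbook RSA: c = m^e mod N. Deterministic: no randomness at all."""
    n, e = pk
    assert 0 < m < n and gcd(m, n) == 1, "m must be in Z_N^*"
    return pow(m, e, n)


def dec(sk, c):
    """Dec_sk(c) = c^d mod N."""
    n, d = sk
    return pow(c, d, n)


def run_game(pk, adversary):
    """One run of the Page 17 game; returns True iff the adversary's b' equals b.

    adversary(pk) -> (m0, m1, guess) where guess(c) -> b'. The adversary only
    ever sees pk and the challenge ciphertext, never sk.
    """
    m0, m1, guess = adversary(pk)
    assert m0 != m1
    b = secrets.randbelow(2)                 # challenger's secret bit
    c = enc(pk, m1 if b else m0)             # c = Enc_pk(m_b)
    return guess(c) == b


def deterministic_adversary(pk):
    """The adversary from Page 19: re-encrypt both candidates and compare."""
    m0, m1 = 2, 3
    c0 = enc(pk, m0)                          # computable from pk alone
    return m0, m1, (lambda c: 0 if c == c0 else 1)


def win_rate(trials=200):
    """Fraction of games the deterministic adversary wins (1.0 for textbook RSA)."""
    pk, _sk = keygen()
    wins = sum(run_game(pk, deterministic_adversary) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    pk, sk = keygen()
    assert dec(sk, enc(pk, 42)) == 42        # correctness of the scheme
    print("adversary win rate:", win_rate())
```

Because Enc uses no randomness, anyone holding pk can recompute the encryption of any candidate plaintext; the same check works against any deterministic public-key scheme, not just RSA, which is why the slides insist that Enc must be randomized.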

Page 20: Randomized RSA encoding

Idea: before encrypting a message we usually encode it (adding some randomness):

Enc_(N,e)(m; r) := (m || r)^e mod N

Advantage: this makes encryption non-deterministic and prevents the previous attacker, who can no longer recompute the ciphertexts of m_0 and m_1 himself.

This idea is used in real life: RSA-OAEP in the PKCS #1 encryption standard. (OAEP uses a more involved encoding than the plain concatenation m || r shown here; the simple form only illustrates the idea.)

Page 21: RSA-OAEP, how to encrypt?

m → Encoding(m; r) → RSA(Encoding(m; r))

Page 22: RSA-OAEP, how to decrypt?

ciphertext y → RSA^{-1}(y) = Encoding(m; r) → check if the encoding is valid... → output m

Page 23: Security of RSA-OAEP?

It is randomized and resists the simple adversary from above.

But we do not only want resistance against one attack! We want security against a "large class" of adversaries. Hope: this class includes many realistic attacks.

Page 24: Semantic security

(Game as on Page 17: keys (pk, sk) = Gen(1^n); the adversary chooses m_0, m_1 s.t. |m_0| = |m_1|; the challenger flips b and sends c = Enc_pk(m_b); the adversary outputs b'.)

We say a PKE is semantically secure if for a "large class" of adversaries we have: Pr[b = b'] ≤ 0.5 + "very small".

What is "a large class"? What is "very small"?

Page 25: Large class of adversaries? = All "efficient" adversaries

What does it mean? In other words: the attacker is computationally bounded. Ideas:
1. "The attacker can use at most 1000 Intel i7 processors for at most 100 years..."
2. "The attacker can buy equipment worth 1 million euro and use it for 30 years..."

It is hard to reason formally about such bounds. Alternative?

Page 26: Complexity theory

"Efficient computation" = polynomial-time computable by a probabilistic algorithm.

1. What is polynomial-time computable? An algorithm with input x of length n = |x| computes its output y in T(n) = O(n^c) steps (for a constant c). What is a step?

2. What is a probabilistic algorithm? An algorithm with access to random coins in each step; or, equivalently, with additional randomness r as input. This gives the adversary more power.

Page 27: What is a step? Model of computation

Common model: the poly-time Turing machine.
- Tapes contain values from a finite alphabet (e.g., 0 1 1 0 1 0 1 1 0 1).
- Heads can move left and right depending on the content of the tape, the current state and the instructions.
- Poly-time Turing machine: the heads can make O(n^c) moves.

A probabilistic Turing machine has an additional tape with random bits.

Page 28: Advantages and disadvantages of the asymptotic approach

Advantages
1. Many models of computation (TM, RAMs, circuits, ...) are "equivalent" up to a "polynomial reduction". Therefore we do not need to specify the details of the model.
2. The formulas for running time get much simpler (we use asymptotics).

Disadvantage
Asymptotic results don't tell us anything about the security of concrete systems.

However, usually one can prove an asymptotic result formally and then argue informally that "the constants are reasonable" (and they can be calculated if one really wants).

Is this the right approach?

Page 29: Semantic security

(Game as on Page 17.)

We say a PKE is semantically secure if for all PPT (probabilistic polynomial-time) adversaries we have: Pr[b = b'] ≤ 0.5 + "very small".

What is "very small"?

Page 30: What does "very small" mean?

"very small" = "negligible" = approaches 0 faster than the inverse of any polynomial.

Formally: a function µ : ℕ → ℝ is negligible in n if for every positive integer c there exists an integer N such that for all n > N: µ(n) < n^{-c}.

We write negl(n) for such a function negligible in n.

Page 31: Negligible or not?

- f(n) := n^{-2}: No. The inverse polynomial n^{-3} is always smaller (n^{-2} > n^{-3} for all n > 1), so f never drops below it.
- f(n) := 2^{-n}: Yes. For sufficiently large n it is below every n^{-c}.
- f(n) := 2^{-n/2}: Yes, for sufficiently large n.
- f(n) := n^{-1000}: No. n^{-1001} is always smaller.

Page 32: Semantic security

(Game as on Page 17.)

We say a PKE is semantically secure if for all PPT adversaries we have: Pr[b = b'] ≤ 0.5 + negl(n).

Successful break: an adversary that runs in probabilistic polynomial time and has advantage at least n^{-c} for some constant c, i.e., a non-negligible advantage.

Page 33: Successful breaks?

Security parameter n = the length of the secret key sk. Suppose sk is a random element of {0,1}^n.

- Consider an adversary that guesses sk. But: he is right with probability 2^{-n}. This probability is negligible.
- Consider an adversary that enumerates all possible keys. But: this takes time 2^n ("brute-force attack"). This time is exponential, not polynomial.

Neither is a successful break in the sense of the definition. How can we use the definition?

Page 34: Provable Security

1. Security definition: what security property shall the scheme achieve?
2. Assumptions: what assumptions are needed for security?
3. Proof: prove that the scheme is secure against all PPT adversaries.

Page 35: How to reason about all PPT adversaries?

First attempt: enumerate over all possible PPT adversaries. Not possible: there are too many!

Second attempt: base security on an assumption. If the assumption holds for all PPT adversaries, then the scheme is secure for all PPT adversaries.

We want, for the encryption scheme: for all PPT adversaries, Pr[b = b'] ≤ 0.5 + negl(n).

Structure: Assumption (holds for all PPT adversaries) → proof → Encryption scheme (secure against all PPT adversaries).

Page 36: Provable security is about relations between assumptions and the security of cryptoschemes

If some "computational assumption A" holds, then scheme X is secure.
- That A holds is what we have to "believe".
- The implication is what we prove.

Examples of A: "factoring is hard", "the RSA assumption".
Examples of X: "semantic security".

Page 37: Assumptions: properties & example

An assumption shall be
- simple & universal,
- well-understood & easy to analyze.

Example: "Factoring is hard" (factoring has been studied for centuries!)

Game: the oracle receives the security parameter 1^n, chooses N = pq where p and q are random primes such that |p| = |q| = n, and sends N to the adversary. The adversary tries to output p and q.

Assumption: every PPT algorithm computes p and q with only negligible probability negl(n).

Page 38: Is factoring necessary for RSA? Yes: otherwise we can invert! How?

Claim: RSA semantically secure implies factoring must be hard.

Proof by reduction: given an algorithm that factors large integers in PPT, build an adversary that breaks semantic security in PPT:
1. Receive pk = (e, N = pq) from the challenger; choose any m_0 ≠ m_1.
2. Run the factoring algorithm on N to obtain p, q.
3. Compute φ(N) = (p-1)(q-1) and d = e^{-1} mod φ(N).
4. Receive c = Enc_pk(m_b) and decrypt: m' = Dec_(d,N)(c).
5. If m' = m_0 output b' = 0; else output b' = 1.

If the factoring algorithm runs in PPT, then the built adversary also runs in PPT, and Pr[b = b'] = Pr[the factoring algorithm succeeds].

Page 39: Is hardness of factoring sufficient?

We know: RSA-OAEP semantically secure implies factoring is hard. Does "factoring is hard" imply RSA-OAEP semantically secure? ??

Can we use the RSA function to build semantically secure encryption?

Page 40: Rest of the talk

Goal: build semantically secure encryption based on the RSA assumption.
1. RSA assumption & hardcore bits
2. Hardcore bits imply semantic security
3. RSA assumption implies existence of hardcore bits

Together: RSA assumption implies semantic security.

Page 41: RSA assumption (Game 1)

The oracle receives the security parameter 1^k and chooses:
- N = pq where p and q are random primes such that |p| = |q| = k,
- y, a random element of Z_N^*,
- e, a random element of Z_φ(N)^*.

The adversary receives (y, e, N) and outputs x.

We say that the adversary wins if x = RSA^{-1}_(e,N)(y) = y^d mod N.

RSA assumption: all PPT adversaries win the above game with negligible probability.

Factoring is at least as hard as inverting RSA (an efficient factoring algorithm yields d and inverts), so the RSA assumption is the stronger assumption.

Page 42: Hardcore bits of RSA

The RSA assumption says: it is hard to compute x := y^d. Maybe it is easy to compute some predicate f(x) from (N, e, y)?

Example: the Jacobi symbol. Jacobi(x) is computable from y, since Jacobi(y) = Jacobi(x)^e = Jacobi(x) (e is odd).

Hardcore bits = "bits that are hardest to compute": predicates of x that are as hard to predict from y as inverting the function itself.

Hardcore bit of RSA: the least significant bit of x, LSB(x). In other words: LSB(x) = x mod 2.

Page 43: Hardcore bit (Game 2)

The oracle receives the security parameter 1^k and chooses N = pq (p, q random primes with |p| = |q| = k), a random y in Z_N^* and a random e in Z_φ(N)^*.

The adversary receives (y, e, N) and outputs a bit b.

The adversary wins if b is the least significant bit of x = RSA^{-1}_(e,N)(y) mod N.

We say that LSB is a hardcore bit of the RSA function if for all PPT adversaries: Pr[LSB(x) = b] ≤ 0.5 + negl(k).

Page 44: Rest of the talk (outline, now at step 2)

Goal: build semantically secure encryption based on the RSA assumption.
1. RSA assumption & hardcore bits
2. Hardcore bits imply semantic security
3. RSA assumption implies existence of hardcore bits

Page 45: Why are hardcore bits useful?

1-bit encryption from the RSA hardcore bit, with public key (N, e) and private key (N, d):
- Enc1_(N,e)(b) = x^e mod N, where x in Z_N^* is random such that LSB(x) = b:
  b = 0 → x = random...0, b = 1 → x = random...1 (random bits followed by the message bit).
- Dec1_(N,d)(y) = LSB(y^d mod N).

Large ciphertext blow-up: to encrypt 1 bit we need a value from Z_N^*.

Page 46: LSB is hardcore implies semantically secure

Theorem: suppose the LSB is a hardcore bit for the RSA function. Then Enc1 is semantically secure.

Proof by reduction: given an adversary Charlie that breaks the semantic security of Enc1 in PPT, build an adversary Carol that extracts LSB(x) from y = x^e in PPT:
1. Carol receives (y, e, N) in Game 2 and simulates Charlie's environment: she sends pk = (e, N) to Charlie.
2. Charlie chooses the messages 0 and 1 (the only messages of the 1-bit scheme).
3. Carol hands Charlie the challenge ciphertext y = x^e; it is a correctly distributed encryption of the bit LSB(x).
4. Charlie outputs b'; Carol outputs the same b'.

If Charlie wins (b' is the encrypted bit), then Carol wins Game 2 (LSB(x) = b').

Page 47: Rest of the talk (outline, now at step 3)

Goal: build semantically secure encryption based on the RSA assumption.
1. RSA assumption & hardcore bits
2. Hardcore bits imply semantic security
3. RSA assumption implies existence of hardcore bits

Page 48: Theorem: RSA assumption implies hardcore bit

Suppose the RSA assumption holds. Then the LSB of the RSA function is a hardcore bit.

Proof by reduction: suppose we are given a PPT adversary that extracts the LSB. We build a PPT adversary that inverts the RSA function, contradicting the RSA assumption.

For simplicity suppose that the LSB extractor is correct with probability 1 (not: 0.5 + small).

Given: y = x^e → LSB(x). Wanted: y = x^e → x.

How to recover from one bit of x all bits of x?

Page 49: Outline of the reduction

Carol plays Game 1: she receives (y, e, N) and must output x = y^d.
Carol uses Charlie, who plays Game 2, as a subroutine: she sends (y_1, e, N), (y_2, e, N), ..., (y_t, e, N) and receives LSB(x_1), LSB(x_2), ..., LSB(x_t), where x_i := (y_i)^d.

Page 50: First observation

Charlie can be used to compute the LSB of x := y^d mod N. Can he also be used to compute the LSB of c · x mod N = c · y^d (for some c)?

Yes: send (c^e · y, e, N). Charlie outputs b' = LSB((c^e · y)^d) = LSB(c^{ed} · y^d) = LSB(c · y^d) = LSB(c · x).

This works because c^e · y is still a random value: multiplying by the fixed unit c^e permutes Z_N^*, so Charlie's input is distributed exactly as in Game 2.

How can Carol use this observation?

Page 51: Outline of the reduction

Carol receives (y, e, N) with x = y^d. She queries Charlie on (2^e y, e, N), (4^e y, e, N), (8^e y, e, N), ... and obtains LSB(2x), LSB(4x), LSB(8x), ... (all mod N), since (2^e y)^d = 2^{ed} x^{ed} = 2x.

Why is it useful?

Page 52: What does it tell us about x?

Remember: N = pq is odd. Let x in {1, ..., N-1}; then 2x in {2, 4, ..., 2N-2}, and
- if x ≤ (N-1)/2: 2x mod N = 2x, which is even;
- if x > (N-1)/2: 2x mod N = 2x - N, which is odd (even minus odd).
Check at the boundary: 2 · (N-1)/2 = N-1, and 2 · ((N-1)/2 + 1) = N+1 = 1 mod N.

Moral: x in [1, ..., (N-1)/2] iff 2x mod N is even.

How is it useful? LSB(2x mod N), obtained from Charlie on (2^e · y, e, N), reveals whether 2x mod N is odd or even, i.e., in which half of [1, N-1] x lies. Suppose LSB(2x) was even: then x is in the lower half.

Page 53: Second step

For x in {1, ..., N-1}, 4x in {4, ..., 4N-4}, and 4x mod N = 4x - jN, where j is the quarter of (0, N) that contains x (N is odd, so N/4, N/2 and 3N/4 are never integers):
- 0 < x < N/4: 4x mod N = 4x, even;
- N/4 < x < N/2: 4x mod N = 4x - N, odd;
- N/2 < x < 3N/4: 4x mod N = 4x - 2N, even;
- 3N/4 < x < N: 4x mod N = 4x - 3N, odd.

Moral: x in (0, N/4) ∪ (N/2, 3N/4) iff 4x mod N is even.

How is it useful? Suppose LSB(2x) was even (x is in the first half) and LSB(4x), obtained from Charlie on (4^e · y, e, N), was odd: then x is in the second quarter, N/4 < x < N/2.

Page 54: Third step

8x mod N = 8x - jN for j in {0, ..., 7}, where j is the eighth of (0, N) containing x; 8x mod N is even iff j is even (j = 0, 2, 4, 6) and odd iff j is odd (j = 1, 3, 5, 7).

Moral: x in (0, N/8) ∪ (2N/8, 3N/8) ∪ (4N/8, 5N/8) ∪ (6N/8, 7N/8) iff 8x mod N is even.

How is it useful? Within the quarter already determined, LSB(8x) tells which eighth contains x. Suppose LSB(8x) was even: then x is in the lower eighth of that quarter.

Page 55: Putting the steps together: bisection

Carol calculates LSB((2^e · y)^d) = LSB(2x), LSB((4^e · y)^d) = LSB(4x), LSB((8^e · y)^d) = LSB(8x), LSB((16^e · y)^d) = LSB(16x), ... Each answer (0 or 1) halves the interval of [1, N-1] in which x can lie, so we can use bisection: after about log_2 N queries the interval contains a single integer, and Carol has recovered x.
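The 1-bit scheme of Page 45 and Carol's bisection from Pages 50 to 55, as runnable code. This is an added example, not part of the original slides. It uses constructed toy primes; make_lsb_oracle plays Charlie with success probability 1 (the simplification made on Page 48) and is handed d only so that the demo can answer queries, while Carol (invert_with_lsb_oracle) uses nothing but pk, y and the oracle's answers. All function names are this example's own.

```python
"""Recover x from y = x^e mod N using only an LSB oracle, by bisection."""
from fractions import Fraction
from math import ceil, gcd
import secrets

P, Q = 251, 241               # constructed toy primes, not a real key size


def keygen(p=P, q=Q, e=65537):
    """(N, e), (N, d) with ed = 1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))


def random_unit(n):
    """Uniform x in Z_N^* by rejection sampling."""
    while True:
        x = secrets.randbelow(n)
        if x and gcd(x, n) == 1:
            return x


def enc1(pk, bit):
    """Page 45: Enc1(b) = x^e mod N for random x in Z_N^* with LSB(x) = b."""
    n, e = pk
    while True:
        x = random_unit(n)
        if x & 1 == bit:
            return pow(x, e, n)


def dec1(sk, y):
    """Page 45: Dec1(y) = LSB(y^d mod N)."""
    n, d = sk
    return pow(y, d, n) & 1


def make_lsb_oracle(sk):
    """Charlie: on input y returns LSB(y^d mod N), always correctly (Page 48)."""
    n, d = sk
    return lambda y: pow(y, d, n) & 1


def invert_with_lsb_oracle(pk, y, lsb):
    """Carol: recover x = y^d mod N from LSB queries (Pages 50-55).

    Query i asks Charlie about (2^i)^e * y, i.e. for LSB(2^i x mod N).  If x lies
    in an interval of width N/2^(i-1), then 2^i x mod N = 2^i x - jN with j in
    {2j', 2j'+1}, and its parity (N is odd) says whether x is in the lower or the
    upper half of that interval.  Returns (x, number of oracle queries).
    """
    n, e = pk
    lo, hi = Fraction(0), Fraction(n)      # x is known to lie in [lo, hi)
    queries = 0
    for i in range(1, n.bit_length() + 1):
        c = pow(2, i, n)
        parity = lsb(pow(c, e, n) * y % n)  # Charlie sees (c^e * y, e, N)
        queries += 1
        mid = (lo + hi) / 2
        if parity == 0:
            hi = mid                        # 2^i x mod N even: lower half
        else:
            lo = mid                        # odd: upper half
    x = ceil(lo)                            # width N/2^k < 1: one integer left
    assert lo <= x < hi and pow(x, e, n) == y
    return x, queries


def demo():
    """Inverts a random RSA challenge; returns (success, oracle queries used)."""
    pk, sk = keygen()
    n, e = pk
    x = random_unit(n)
    y = pow(x, e, n)
    recovered, q = invert_with_lsb_oracle(pk, y, make_lsb_oracle(sk))
    return recovered == x, q


if __name__ == "__main__":
    ok, q = demo()
    print("recovered x:", ok, "using", q, "LSB queries")
```

The number of queries equals the bit length of N, matching the log_2 N bisection steps on Page 55; a real Charlie who is right only with probability 0.5 + ε would have to be queried on randomized, re-blinded inputs and his answers majority-voted, which is the part of the proof the slides skip.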

Page 56: Putting things together

Hardness of the RSA assumption implies existence of hardcore bits, which implies semantic security of the encryption scheme.

Page 57: Conclusions

Provable security is a large area of research:
- More powerful threat models: active adversaries.
- Many other primitives: signatures, symmetric crypto.
- Many nice techniques.

Is provable security useful in practice?
- Some of it, yes: it helps to get confidence in security (e.g., some standards are proven secure).
- It helps to reason about attacks at design time.

Are provably secure schemes unbreakable?

Page 58: No! Crypto implementations get broken

Example: acoustic cryptanalysis (Genkin, Shamir, Tromer, CRYPTO 2014).
- Computers emit noise due to the vibration of their components.
- Setting: the victim receives encrypted emails and decrypts them with the secret key.
- If the computer computes with the secret key, then the noise pattern depends on the key.
- Attack: record the noise and extract the secret key from the noise pattern.

What is wrong? Idealized threat models: the proof's model has no side channels.

Page 59: Model

The model does not cover all real world attacks!

Page 60: Reality

The model does not cover all real world attacks!

Page 61: Conclusions

Are provably secure schemes unbreakable? It depends on the threat model!

Thanks to Stefan Dziembowski for providing some of the slides of this talk.