MATHEMATICS CRYPTOLOGY SECURITY
Jacques Stern
September 4 2009

Jacques Stern
École normale supérieure
Agence Nationale de la Recherche
INGENICO

1968-2009: scientific overview
Started with maths
Went to cryptology following inspiring discovery of RSA
Was later challenged by real world security issues
Will tell story by means of examples
Taking a historical perspective

Mathematics: Borel sets
Lusin, Nicolas: Leçons sur les ensembles analytiques et leurs applications, préface de M. Henri Lebesgue, Paris: Gauthier-Villars, 1930.
Lusin's continuum problem: Is it possible to build a transfinite sequence of $\aleph_1$ Borel sets, all of bounded rank in the Borel hierarchy?
[Pictured: Николай Николаевич Лузин, 1883-1950]

Answer(s) to Lusin
Positive answer in F. Hausdorff, Summen von $\aleph_1$ Mengen, Fund. Math. 26 (1936), 241-255.
Negative answer in J. Stern, Lusin's restricted continuum problem, Annals of Mathematics, ser. 2, vol. 120 (1984) 7-37
[Pictured: Felix Hausdorff, 1868-1942; Jacques Stern]

Which mathematics?
Tools developed by Gödel and Cohen for so-called "independence proofs"
Also, tools for "coding" Borel sets by trees, very similar to CS.
[Pictured: Kurt Gödel, 1906-1978; Paul Cohen, 1934-2007]

Cryptology: Encryption
Message is encrypted by means of an encryption algorithm
Ciphertext is recovered at the receiving end by a decryption algorithm
Secret key needs to be previously agreed upon
[Diagram: Cleartext → E → Ciphertext → D → Cleartext; the secret key feeds both E and D]

Cryptology: public key
Invented 1976
Eliminates previous agreement between parties
Achieved 1978 (RSA)
[Diagram: Cleartext → E (public key) → Ciphertext → D (private key) → Cleartext]
[Pictured: Whit Diffie & Marty Hellman; Adi Shamir, Ron Rivest & Len Adleman]

Asymmetric cryptography yields signatures
Applying D to the message m creates a « signature »
Verification only requires use of the public key
This « proof » can be forwarded to 3rd parties
[Diagram labels: D, E]

RSA: which maths?
modulus $n$ and exponent $e$
$n$ product of two primes $p$, $q$
Encryption of $x$ is $y = x^e \bmod n$
Decryption of $y$ is $x = y^d \bmod n$
$d$ computed from $p$, $q$ (secrets)
$e \cdot d = 1 \bmod \varphi(n)$, where $\varphi(n) = (p-1)(q-1)$

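An added example, not part of the original slides: textbook RSA written with the slides' symbols (n, e, d, p, q, E, D), showing that a signature is D applied to m and is checked with E, and that unpadded RSA is deterministic and multiplicative. The primes, messages and function names are constructed for illustration.

```python
# Added example: textbook RSA with the slides' symbols. Not the speaker's code.
# p, q, e and the messages are tiny constructed values, far too small for real use.
from math import gcd

def keygen(p, q, e):
    """Return public key (n, e) and private exponent d, with e*d = 1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)      # phi(n) = (p-1)(q-1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return (n, e), pow(e, -1, phi)         # modular inverse, Python 3.8+

def E(x, pub):
    """Public operation: y = x^e mod n (encrypt, or check a signature)."""
    n, e = pub
    return pow(x, e, n)

def D(y, pub, d):
    """Private operation: x = y^d mod n (decrypt, or sign)."""
    return pow(y, d, pub[0])

def verify(m, sig, pub):
    """Anyone holding the public key can check that E(sig) gives back m."""
    return E(sig, pub) == m % pub[0]

def demo():
    pub, d = keygen(61, 53, 17)            # n = 3233, phi(n) = 3120
    y = E(65, pub)
    sig = D(1234, pub, d)                  # "signature" on m = 1234
    return {
        "d": d,
        "ciphertext": y,
        "decrypted": D(y, pub, d),
        "sig_ok": verify(1234, sig, pub),
        "sig_on_other_message": verify(1235, sig, pub),
        # Without padding, equal cleartexts always give equal ciphertexts ...
        "deterministic": E(65, pub) == y,
        # ... and E(a) * E(b) mod n is a valid encryption of a*b mod n.
        "multiplicative": E(2, pub) * y % pub[0] == E(130, pub),
    }

if __name__ == "__main__":
    print(demo())
```
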
The roots of RSA: back in 1763
Kings:
Louis XV
Frederick II
Екатерина II Великая
George IV

The roots of RSA: 1763
King of mathematicians?
[Pictured: Leonhard Euler, 1707-1783]

The roots of RSA
Theoremata Arithmetica Nova Methodo Demonstrata
Novi Commentarii Academiae Scientiarum Petropolitanae 8, 1763, 74-104

The roots of RSA
Go to page 83
Looks like: the number of integers $< n$ prime to $n$ is equal to $\varphi(n) = (p-1)(q-1)$
Next go to theorem 10 on pages 99-100

How to practice RSA?
[Diagram labels: M = m||0…0; random r; G & H hash functions; outputs a, b]
OAEP standard: Bellare and Rogaway 1994
[Pictured: Mihir Bellare & Phil Rogaway]

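An added example, not part of the original slides: the OAEP transform that the diagram labels describe, in its original Bellare-Rogaway form, taking a = M xor G(r) and b = r xor H(a), with RSA then applied to a||b. G and H are built here from SHA-256 in counter mode, and the sizes K0 and K1 and all function names are assumptions made for the illustration.

```python
# Added example: OAEP padding (Bellare-Rogaway form). Not the speaker's code.
# Assumptions: G, H = SHA-256 in counter mode; K0, K1 chosen for illustration.
import hashlib
import hmac
import os

K0 = 16   # bytes of randomness r
K1 = 16   # bytes of zero redundancy in M = m || 0...0

def expand(tag, seed, length):
    """Hash `seed` out to `length` bytes; `tag` separates G from H."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tag + ctr.to_bytes(4, "big") + seed).digest()
        ctr += 1
    return out[:length]

def xor(x, y):
    return bytes(i ^ j for i, j in zip(x, y))

def oaep_pad(m, r=None):
    """Return a || b, the value the RSA permutation is applied to."""
    r = os.urandom(K0) if r is None else r
    if len(r) != K0:
        raise ValueError("r must be K0 bytes")
    M = m + bytes(K1)                       # M = m || 0...0
    a = xor(M, expand(b"G", r, len(M)))     # a = M xor G(r)
    b = xor(r, expand(b"H", a, K0))         # b = r xor H(a)
    return a + b

def oaep_unpad(padded):
    """Invert the transform; reject anything whose zero redundancy is damaged."""
    if len(padded) < K0 + K1:
        raise ValueError("invalid padding")
    a, b = padded[:-K0], padded[-K0:]
    r = xor(b, expand(b"H", a, K0))
    M = xor(a, expand(b"G", r, len(a)))
    if not hmac.compare_digest(M[-K1:], bytes(K1)):
        raise ValueError("invalid padding")
    return M[:-K1]

if __name__ == "__main__":
    p1, p2 = oaep_pad(b"PIN 1234"), oaep_pad(b"PIN 1234")
    print(p1 != p2, oaep_unpad(p1))         # fresh r: same message, new padding
```
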
How to practice RSA?
Claim: same security as RSA
2000: proof acknowledged incorrect!
2001: correct proof in: E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA–OAEP is Secure under the RSA Assumption, J. of Cryptology, 2004, 81–104.
[Pictured: T. Okamoto, D. Pointcheval, J. Stern]

Which maths?
Method of "provable security" based on Complexity theory & Turing machines
Minkowski's Geometry of numbers
[Pictured: Alan Turing, 1912-1954; Hermann Minkowski, 1864-1909]

Security: real world challenges
EMV authentication is performed by having a card sign a random challenge generated by the terminal. The signature is checked using public data.
[Diagram: Random "challenge"; "Signed" challenge]

Alternatives to RSA in this setting?
SFLASH proposed by Patarin et al.
Multivariate cryptography based on A polynomials over a binary finite field $F(2^n)$
Patented, selected by Nessie Consortium, and recommended for low-cost smart cards.

Attack against SFLASH
Broken in Vivien Dubois, Pierre-Alain Fouque, Adi Shamir, Jacques Stern, Practical Cryptanalysis of SFLASH, Proceedings of Crypto 2007, 1-12.
Cryptanalysis based on « skew symmetric » matrices
[Pictured: Pierre-Alain Fouque, Adi Shamir & Jacques Stern; Sylvester, 1814-1897]

Security: software vs. hardware
Theory
– software is insecure in most environments
– should sit on a piece of dedicated hardware in a protected environment
[Diagram labels: soft, hard]

Practice: a more intricate picture
Software and hardware are part of a longer chain
Suppliers, comms, data, users enter the picture; also time frames
Security is at the weakest link
[Diagram labels: domains, data, soft, hard, chain, time]

Security: Massive Data Breach (2009)
Needed: end-to-end encryption
Preserving format of CCNs
Based on standard encryption (DES, AES)
Supported by provable security
Work in progress
Uses maths again

Conclusion
Started with maths
Became a user of (mostly) XVIIIth and XIXth century maths
To solve real world security issues