1 / 42

(Post-quantum) cryptography Security models, proofs and generic transforms

(Post-quantum) cryptography Security models, proofs and generic transforms. Andreas Hülsing Eindhoven University of Technology Executive School on Post-Quantum C ryptography July 2019, TU Eindhoven. Evaluation criteria for crypto. Performance Speed Size Cryptanalysis

jstorey
Download Presentation

(Post-quantum) cryptography Security models, proofs and generic transforms

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. (Post-quantum) cryptography Security models, proofs and generic transforms Andreas Hülsing Eindhoven University of Technology Executive School on Post-Quantum CryptographyJuly 2019, TU Eindhoven

  2. Evaluation criteria for crypto • Performance • Speed • Size • Cryptanalysis • Maturity, quantity & quality • Are the relevant problems analyzed • Provable security • Standard model vs. (Q)ROM • Tight vs non-tight reduction • Implementation security • Possibility / availability of protected implementations Picture: By Rizkyharis - Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=52757933 https://huelsing.net

  3. How to build PKC (Computationally) hard problem Cryptanalysis ProofProblemhard Scheme secure DL RSA DDH QR PKC Scheme RSA-OAEP ECDSA DH-KE https://huelsing.net

  4. Security proofs (for the example of digital signatures)

  5. Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/DSA.jpg https://huelsing.net

  6. Security proofs Four dimensions • What are we looking at? • Signature scheme? MAC? Key evolving signatures... • Determines functionality • What do we want to prove? • EU-CMA, SU-CMA, FS-EU-CMA, EU-RMA... • Determines security guarantee • In which model can we give the proof? • Standard model vs ROM vs QROM • Heuristic model or not • Can we get a tight proof? • Reduction loss • Does proof say something for concrete parameters https://huelsing.net

  7. Existential unforgeability under adaptive chosen message attacks SK PK, 1n Mi SIGN (σi, Mi) (σ*, M*) Success if M* ≠ Mi , Ɐ i and Verify(pk,σ*,M*) = Accept https://huelsing.net

  8. Reduction Problem Transform Problem PK, 1n Mi SIGN Implement SIGN (σi, Mi) Solution (σ*, M*) Extract Solution https://huelsing.net

  9. Reduction: Implications To prove: „If can break [security] of [scheme] in time with probability then can solve [problem] in time with probability .” Implications: • If are polynomial functions (non-tight): “If [problem] is hard, [scheme] is secure.” • If are close to identity (tight): “The [scheme] is as hard to break as the problem.” https://huelsing.net

  10. Standard model vs. idealized model Standard model: Assume building block has property P (e.g., collision resistance). Use property in reduction. Idealized model: Assume a building block behaves perfectly (e.g. hash function behaves like truely random function). Replace building block by an oracle in reduction. https://huelsing.net

  11. Random Oracle Model (ROM) • Idealized Model • Perfectly Random Function Mj H(Mj) Mj H(Mj) RO https://huelsing.net

  12. How to implement RO? (In theory) ”Lazy Sampling”: • Keep list of • Given, search for • If exists, return • Else sample new from Range,using uniform distribution • Addto table • Return RO https://huelsing.net

  13. ROM security • Take scheme that uses cryptographic hash • For proof, replace hash by RO • Different flavors: Random function vs. Programmable RO https://huelsing.net

  14. Programmable RO Problem Transform Problem PK, 1n Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO Solution (σ*, M*) Extract Solution https://huelsing.net

  15. Programmable RO Problem Transform Problem PK, 1n Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) simulatedRO Solution (σ*, M*) Extract Solution https://huelsing.net

  16. ROM security • Take scheme that uses cryptographic hash • For proof, replace hash by RO • Different flavors: Random function vs. Programmable RO • Heuristic security argument • Allows to verify construction • Worked for ”Natural schemes” so far • However: Artificial counter examples exist! • Random oracles do not exist! https://huelsing.net

  17. Quantum security worlds [Gagliardoni’17]

  18. QS0: Classical security https://huelsing.net

  19. QS1: Post-quantum security https://huelsing.net

  20. QS1: Post-quantum security • Adversary can run local quantum computations • Adversary cannot communicate with honest parties using quantum states! • Local interfaces & oracles that do not contain secret information: Quantum access • Remote interfaces & secretly keyed oracles: Classical access https://huelsing.net

  21. QS2: Quantum security https://huelsing.net

  22. QS2: Quantum security • Adversary can run local quantum computations • Adversary can communicate with honest parties using quantum states! • Local interfaces & oracles that do not contain secret information: Quantum access • Remote interfaces & secretly keyed oracles: Quantum access • This assumes a world where users have quantum computers https://huelsing.net

  23. We care about QS1 for practical applications in the foreseeable future!!! https://huelsing.net

  24. QS1: Post-quantum security • Adversary can run local quantum computations • Adversary cannot communicate with honest parties using quantum states! • Local interfaces & oracles that do not contain secret information: Quantum access • Remote interfaces & secretly keyed oracles: Classical access What happens in ROM? https://huelsing.net

  25. Quantum-accessible ROM (QROM) Problem Transform Problem PK, 1n Mi SIGN Implement SIGN (σi, Mi) QRO Solution (σ*, M*) Extract Solution https://huelsing.net

  26. The QROM • ROM „lives“ in QS0. Wrong model for post-quantum security! • QROM: Adaption of ROM for QS1 – post-quantum security. • Proofs in QROM more involved as „looking at queries“ disturbes adversary -> complicates adaptive behavior • Only weak separation known (using squareroot speed-up of Grover) https://huelsing.net

  27. Generic transforms (for the example of KEM construction)

  28. How to build PKC (Computationally) hard problem Cryptanalysis ProofProblemhard Scheme secure DL RSA DDH QR Simple cryptographic scheme PKC Scheme RSA-OAEP ECDSA DH-KE https://huelsing.net

  29. Sdkfjölakjsödasjdföljasöldjföasjölakj plaintext Public key encryption (PKE) plaintext SKE.Dec PKE.Enc Bob’s pk Bob’s sk https://huelsing.net

  30. Public key encryption (PKE) is a probabilistic algorithm that outputs a key pair . : is a possibly probabilistic algorithm that on input of a public key and a message outputs a ciphertext. : is a deterministic algorithm that on input of a secret key and a ciphertext outputs a plaintext . Correctness: https://huelsing.net

  31. Weak passiv security (OW-CPA) https://huelsing.net

  32. Strong passiv security (IND-CPA) https://huelsing.net

  33. Active security (IND-CCA) • IND-CPA + access to decryption oracle • Decryption query for challenge ciphertext forbidden • Necessary if scheme gets used with non-ephemeral keys! • In practice, binary response (valid / invalid ciphertext) can be sufficient for attack. https://huelsing.net

  34. symmetric session key Sdkfjölakjsödasjdföljasöldjföasjölakj plaintext Bob’s pk Bob’s sk Hybrid encryption plaintext SKE.Dec SKE.Enc PKE.Enc PKE.Dec https://huelsing.net

  35. symmetric session key Sdkfjölakjsödasjdföljasöldjföasjölakj plaintext Bob’s pk Bob’s sk Key encapsulation (KEM) plaintext SKE.Dec SKE.Enc KEM.Enc KEM.Dec https://huelsing.net

  36. Key encapsulation (KEM) is a probabilistic algorithm that outputs a key pair . : is a possibly probabilistic algorithm that on input of a public key outputs a session key and an encapsulation . : is a deterministic algorithm that on input of a secret key and an encapsulation outputs a session key . Correctness: https://huelsing.net

  37. IND security models for KEM • IND: • Given a pair (c, k) decide if c is encapsulation of k or random • CPA: • Adversary gets pk and can hence generat encapsulations • CCA: • Adversary gets access to decapsulation oracle (which returns for challenge encapsulation) https://huelsing.net

  38. IND-CPA PKE -> IND-CCA KEM • Generic transform essentially going back to Fujisaki and Okamoto, CRYPTO‘99 IND-CPA PKE OW-CPA dPKE IND-CCA KEM https://huelsing.net

  39. IND-CPA PKE -> OW-CPA dPKET-Transform [HHK17] Start from IND-CPA secure with probabilistic Enc and a hash function . Build OW-CPA secure with deterministic : • Tight security reduction in ROM • Non-tight security reduction in QROM Randomness https://huelsing.net

  40. OW-CPA dPKE -> IND-CCA KEM-Transform [HHK17] Start from OW-CPA secure PRF F, and hash function . Build IND-CCA secure KEM https://huelsing.net

  41. Summary • Security proof security proof • Only tight proofs say something about the security of parameters • Only standard model & QROM proofs say something about post-quantum security • Generic transforms can save you a lot of work • Sufficient to construct OW-CPA dPKE for IND-CCA KEM with tight QROM proof • Sufficient to construct IND-CPA PKE for IND-CCA KEM with QROM proof https://huelsing.net

  42. Thank you! Questions? https://huelsing.net

More Related