Introduction to Provable Security
Ian Forsyth
What is Provable Security?
• Prove that no adversary exists which can break a scheme.
• How?
  • Define notions of security so that we know what to aim for and what to expect.
  • Prove how the security of a scheme relates to the security of its primitives.
Security Notions
• How much information is an Adversary given?
  • None (no-message attack)
  • Access to a list of signatures (known-message attack)
  • Signatures generated during an attack for messages of its choosing (adaptive-chosen-message attack)
• What is the Adversary's goal?
  • Find the secret key (total break)
  • Forge a given message M (universal forgery)
  • Forge any message (existential forgery)
Strongest Security Model
• Prove that, given whatever information an adversary desires, it is incapable of breaking the scheme in even the slightest way.
• I.e. prove that a scheme is existentially unforgeable against an adaptive chosen-message attack.
(t, ε)-security
• Prove that there does not exist any adversary which (t, ε)-breaks a scheme.
• I.e. no algorithm exists which can break the scheme in time t with advantage ε.
Reduction Model
[Diagram: machine B receives the inputs to a hard problem, runs adversary A as a subroutine, and outputs a solution to the hard problem.]
An Example: The Forking Lemma
If there exists a probabilistic polynomial-time Turing machine A which, under an adaptive chosen-message attack, can existentially forge a signature in time t with advantage ε, then there exists a reduction which shows that, using A, we can construct a machine B which solves the Discrete Logarithm problem in time t' ≤ 2^17 · t^2 / ε with probability ε' ≥ 1/9.
Tightness
• TIGHT: t'/ε' = t/ε
• LOOSE: t'/ε' >> t/ε
Importance of Tightness
• Tighter reductions prove that schemes are secure in smaller groups.
• Benefits:
  • Better performance (faster calculations)
  • Smaller signature sizes (smaller bit lengths)
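The two slides above define tightness as the ratio (t'/ε')/(t/ε) and claim that a tighter reduction certifies the same security level in a smaller group. The following added example (not from the slides) makes that arithmetic explicit. It assumes the standard generic-group heuristic that the best discrete-logarithm algorithm in a prime-order subgroup of size q needs about sqrt(q) group operations, so that no DL solver with t'/ε' below sqrt(q) is believed to exist; the 80-bit target and the 2^20 and 2^40 loss factors are constructed figures for illustration.

```python
import math


def reduction_loss_bits(t_bits, eps_bits, tprime_bits, epsprime_bits):
    """log2 of (t'/ε') / (t/ε): 0 for a tight reduction, large for a loose one.
    Every argument is a base-2 logarithm, e.g. eps_bits = -10 means ε = 2^-10."""
    return (tprime_bits - epsprime_bits) - (t_bits - eps_bits)


def generic_dl_bits(group_bits):
    """Work (log2 group operations) of the best generic DL algorithm in a
    prime-order subgroup of about 2^group_bits elements: roughly sqrt(q).
    (Assumption: the generic-group bound, standard for elliptic-curve and
    Schnorr-style subgroups without special structure.)"""
    return group_bits / 2


def certified_security_bits(group_bits, loss_bits):
    """Security level k that a reduction with the given loss actually certifies:
    a forger with t/ε < 2^k would give a DL solver with t'/ε' < 2^(k + loss),
    which contradicts the generic bound only if k + loss <= log2 sqrt(q)."""
    return generic_dl_bits(group_bits) - loss_bits


def required_group_bits(target_bits, loss_bits):
    """Smallest subgroup size (in bits) whose certified security reaches the target."""
    return math.ceil(2 * (target_bits + loss_bits))


def compare(target_bits=80):
    """Group size needed for the same target under a tight and two loose reductions."""
    return {name: required_group_bits(target_bits, loss)
            for name, loss in (("tight", 0), ("loose, 2^20", 20), ("loose, 2^40", 40))}


if __name__ == "__main__":
    # Constructed example forger: t = 2^60, ε = 2^-10, so t/ε = 2^70.
    # A reduction that returns a DL solver with t' = 2^100, ε' = 2^-10 loses 2^40.
    print("loss bits:", reduction_loss_bits(60, -10, 100, -10))
    for name, bits in compare().items():
        print(f"{name:12s} reduction -> {bits}-bit subgroup for 80-bit security")
    print("256-bit group with 2^40 loss certifies", certified_security_bits(256, 40), "bits")
```

The point the slide makes falls out directly: a tight reduction certifies 80-bit security in a 160-bit subgroup, while a reduction losing 2^40 needs a 240-bit subgroup for the same guarantee, with correspondingly slower arithmetic and longer signatures. Read the other way round, a 256-bit group that is often described as "128-bit secure" is only certified to 88 bits by a reduction that loses 2^40.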
Arguments for non-tight reductions
• Even a non-tight reduction is better than nothing at all.
• Even though the reduction is not tight, it is reasonable to expect that in the future a tighter reduction will be found (e.g. EDL).
• Perhaps a tight reduction can be found by modifying the scheme slightly, and we can regard this reduction as a type of assurance about the original protocol.
• A tight reduction may be obtained by relaxing the underlying hard problem.
• Maybe the notion of security is too strict and one should relax it a little so as to make a tight reduction possible.
• Perhaps the scheme is secure in practice even though a tight reduction may not exist.
• Perhaps the scheme is in fact insecure, but an attack has not been discovered.
Inference to schemes with no reduction
• Perhaps a tight reduction can be found by modifying the scheme slightly, and we can regard this reduction as a type of assurance about the original protocol, e.g. DSA.
Random Oracle
• Assume that all random values are indeed random.
• Assume the Adversary does not exploit any properties of the hash function.
• Assume that hash functions behave ideally (random public functions).
• These assumptions reduce the strength of a proof.
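The reduction-model diagram, the Forking Lemma slide and the Random Oracle slide describe one mechanism: machine B controls the hash function as a random oracle, runs the forger A, then rewinds A with the same random tape and a re-sampled oracle answer, and extracts the discrete logarithm from the two resulting forgeries. The following added example (not from the slides) walks through that mechanism on a toy Schnorr signature, the scheme Pointcheval and Stern analyse; the 11-bit group parameters are constructed and useless for real security, the `RandomOracle` class is a lazily sampled function standing in for the idealised hash, and `make_forger` is a hypothetical stand-in for the forger A that B treats purely as a black box.

```python
import random

# Toy Schnorr group (constructed for illustration, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of prime order q.
P, Q, G = 2039, 1019, 4


def keygen(rng):
    """Secret x in Z_q, public y = g^x mod p."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


class RandomOracle:
    """The random-oracle idealisation of the hash: a function into Z_q sampled
    lazily, query by query. The reduction owns it, so it can replay earlier
    answers (fixed_answers) and re-sample from a chosen query onward."""

    def __init__(self, rng, fixed_answers=None):
        self.rng = rng
        self.table = dict(fixed_answers or {})
        self.queries = []          # order in which (msg, R) pairs were asked

    def __call__(self, msg, R):
        key = (msg, R)
        self.queries.append(key)
        if key not in self.table:
            self.table[key] = self.rng.randrange(Q)
        return self.table[key]


def schnorr_sign(x, msg, H, rng):
    """Schnorr signature: R = g^k, c = H(msg, R), s = k + c*x mod q."""
    k = rng.randrange(1, Q)
    R = pow(G, k, P)
    c = H(msg, R)
    return R, c, (k + c * x) % Q


def schnorr_verify(y, msg, sig, H):
    """Accept iff c = H(msg, R) and g^s = R * y^c mod p."""
    R, c, s = sig
    return c == H(msg, R) and pow(G, s, P) == (R * pow(y, c, P)) % P


def make_forger(x):
    """Hypothetical stand-in for the forger A of the lemma. B only sees a black
    box taking (public key, oracle, random tape) and returning a forgery; that
    this stand-in happens to know x is irrelevant to how B works."""
    def forger(y, H, tape_seed):
        rng = random.Random(tape_seed)           # A's random tape, chosen by B
        msg = b"forged message"
        return msg, schnorr_sign(x, msg, H, rng)
    return forger


def reduction_B(y, forger, seed=0, max_forks=8):
    """Machine B: given the DL instance y = g^x, run A once, then rewind A with
    the same tape and an oracle that agrees with the first run on every query
    before (msg, R) and is re-sampled from that query on (the fork). Two valid
    forgeries with the same R and different challenges give x."""
    rng = random.Random(seed)
    tape = rng.getrandbits(64)
    H1 = RandomOracle(random.Random(rng.getrandbits(64)))
    msg, (R, c1, s1) = forger(y, H1, tape)
    if not schnorr_verify(y, msg, (R, c1, s1), H1):
        return None                                # A did not forge this run
    fork_at = H1.queries.index((msg, R))
    prefix = {k: H1.table[k] for k in H1.queries[:fork_at]}
    for _ in range(max_forks):                     # each fork succeeds w.p. ~1 - 1/q
        H2 = RandomOracle(random.Random(rng.getrandbits(64)), prefix)
        msg2, (R2, c2, s2) = forger(y, H2, tape)
        if (msg2, R2) == (msg, R) and c2 != c1 and schnorr_verify(y, msg2, (R2, c2, s2), H2):
            # Same tape => same k, so s1 - s2 = (c1 - c2) * x (mod q).
            return (s1 - s2) * pow(c1 - c2, -1, Q) % Q
    return None


def demo(seed=7):
    """Generate a key, hand only y to B, and return (x, what B extracted)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    return x, reduction_B(y, make_forger(x), seed=seed)


if __name__ == "__main__":
    x, recovered = demo()
    print(f"secret x = {x}, B extracted x = {recovered}")
```

Two things in this code are exactly the assumptions the Random Oracle slide lists: B can only rewind A to the same state because A's randomness is a tape B controls, and B can only fork because the hash is a function B answers on demand rather than a fixed public algorithm such as SHA-256. The bound on the slide comes from how many replays B needs before the fork lands on the query A actually used; here the stand-in forger makes a single oracle query, so one fork almost always suffices.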
References
• Mao, W. (2003). Modern Cryptography: Theory and Practice. Prentice Hall PTR.
• Pointcheval, D. and Stern, J. (1996). Security Proofs for Signature Schemes. Lecture Notes in Computer Science, vol. 1070, pp. 387+.
• Chen, L. and Malone-Lee, J. (2005). Improved Identity-Based Signcryption. In Proceedings of Public Key Cryptography (PKC), LNCS 3386, pp. 362-379. See also Cryptology ePrint Archive, Report 2004/114.
• Goh, E.-J. and Jarecki, S. (n.d.). A Signature Scheme as Secure as the Diffie-Hellman Problem. http://citeseer.csail.mit.edu/574357.html
• Bellare, M. and Rogaway, P. (1993). Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In 1st ACM Conference on Computer and Communications Security, pp. 62-73.
• Koblitz, N. and Menezes, A. (2004). Another Look at "Provable Security". Cryptology ePrint Archive, Report 2004/152. http://eprint.iacr.org/2004/152
• Koblitz, N. and Menezes, A. (2006). Another Look at "Provable Security" II. Cryptology ePrint Archive, Report 2006/229. http://eprint.iacr.org/2006/229
• Goldwasser, S. and Micali, S. (1984). Probabilistic Encryption. JCSS, vol. 28, no. 2, pp. 270-299.
• Smart, N. (2005). Provable Security: Designs and Open Questions. AZTEC deliverables, ECRYPT. http://www.ecrypt.eu.org/documents.html
• Bellare, M. (1998). Practice-Oriented Provable-Security. In Proceedings of the First International Workshop on Information Security (ISW 97), Lecture Notes in Computer Science 1396, Springer, Berlin.
• Various authors (n.d.). Provable Security. Wikipedia. http://en.wikipedia.org/wiki/Provable_security (accessed October 20th, 2006).
• Schnorr, C. P. (1990). Efficient Identification and Signatures for Smart Cards. In G. Brassard (ed.), Advances in Cryptology, Crypto '89, Lecture Notes in Computer Science, no. 435, pp. 239-252, Springer-Verlag.
ProvSec 2007: International Conference on Provable Security 2007
October 29-31, 2007, Wollongong, Australia
http://provsec07.sitacs.uow.edu.au