1 / 15

Introduction to Provable Security

Introduction to Provable Security. Ian Forsyth. What is Provable Security?. Prove that no adversary exists which can break a scheme. How? Define notions of security so that we know what to aim for and what to expect.

kane
Download Presentation

Introduction to Provable Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Provable Security Ian Forsyth

  2. What is Provable Security? • Prove that no adversary exists which can break a scheme. • How? • Define notions of security so that we know what to aim for and what to expect. • Prove how the security of a scheme relates to the security of its primitives.

  3. Security Notions • How much information is an Adversary given? • None (no-message attack) • Access to a list of signatures (known-message attack) • Generated during an attack for messages of its choosing (adaptive-chosen-message-attack) • What is the Adversary’s goal? • Find the secret key (total break) • Forge a given message M (universal forgery) • Forge any message (existential forgery)

  4. Strongest Security Model • Prove that given whatever information an adversary desires, it is incapable of breaking the scheme in even the slightest way • I.e. Prove that a scheme is existentially unforgeable against an adaptive chosen message attack

  5. (t,e)-security • Prove that there does not exist any adversary which (t,e)-breaks a scheme • I.e. No algorithm exists which can break the scheme in time t with advantage e.

  6. Reduction Model MACHINE B Inputs to a hard problem ADVERSARY A Solution to a hard problem

  7. An Example: The Forking Lemma If there exists a probabilistic polynomial time Turing machine A which, under an adaptive chosen message attack, can existentially forge a signature in time t, with advantage e, then there exists a reduction which shows that using A we can construct a machine B which solves the Discrete Logarithm problem in time t’ ≤ 217t2/e with probability e’ ≥ 1/9.

  8. Tightness • TIGHT • t’/e’ = t/e • LOOSE • t’/e’ >> t/e

  9. Importance of Tightness • Tighter reductions prove that schemes are secure in smaller groups. • Benefits: • Better performance (faster calculations) • Smaller signature sizes (smaller bit lengths)

  10. Arguments for non-tight reductions • Even a non-tight reduction is better than nothing at all. • Even though the reduction is not tight, it is reasonable to expect that in the future a tighter reduction will be found (e.g. EDL) • Perhaps a tight reduction can be found by modifying the scheme slightly – and we can regard this reduction as a type of assurance about the original protocol

  11. A tight reduction may be obtained by relaxing the underlying hard problem • Maybe the notion of security is too strict and one should relax it a little as to make possible a tight reduction • Perhaps the scheme is secure in practice even though a tight reduction may not exist • Perhaps the scheme is in fact insecure, but an attack has not been discovered

  12. Inference to schemes with no reduction • Perhaps a tight reduction can be found by modifying the scheme slightly – and we can regard this reduction as a type of assurance about the original protocole.g. DSA

  13. Random Oracle • Assume that all random values are indeed random • Assume Adversary does not exploit any properties of the hash function • Assume that hash functions behave idealistically (random public functions) • Assumptions reduce the strength of a proof

  14. References • Mao, Wenbo., 2003, Modern Cryptography: Theory and Practice, Prentice Hall, PTR. • Pointcheval, David., Stern, Jacques., 1996, Security Proofs for Signature Schemes, Lecture Notes in Computer Science, vol 1070, pp 387+. • Chen, Liqun., Malone-Lee, John., 2005, Improved Identity-Based Signcryption, In Proceedings of Public Key Cryptography - PKC, LNCS 3386, pp. 362-379. See also Cryptology ePrint Archive, Report 2004/114. • Goh, Eu-Jin., Jarecki, Stanislaw., N.D., A Signature Scheme as Secure as the Diffie-Hellman Problem ,http://citeseer.csail.mit.edu/574357.html. • Bellare, Mihir., and Rogaway, Phillip., 1993, Random Oracles are Practical: a Paradigm for Designing Efficient Protocols, In 1st ACM Conference on Computer and Communications Security, pp. 62-73. • Koblitz, Neil., Menezes, Alfred., 2004, Another Look at"Provable Security", Cryptology ePrint Archive: Report 2004/152,http://eprint.iacr.org/2004/152. • Koblitz, Neil., Menezes, Alfred., 2006, Another Look at"Provable Security" II, Cryptology ePrint Archive: Report 2006/229,http://eprint.iacr.org/2006/229. • Goldwasser, S., Micali, S., 1984, Probabilistic Encryption, JCSS, Vol. 28, No. 2, pages 270--299. • Smart, Nigel., 2005, Provable Security: Designs and Open Questions, AZTEC deliverables, eCrypt,http://www.ecrypt.eu.org/documents.html. • Bellare, Mihir., 1998 Practice-oriented provable-security, In Proceedings of First International Workshop on Information Security (ISW 97), Lecture Notes in Computer Science1396, Springer, Berlin. • Various Authors, N.D. Provable Security, wikipedia,http://en.wikipedia.org/wiki/Provable\_security, Accessed: October20th 2006. • Schnorr, C.P., 1990, Efficient identification and signatures for smart cards, in G. Brassard, ed. Advances in Cryptology -- Crypto '89, 239-252, Springer-Verlag, Lecture Notes in Computer Science, nr 435.

  15. ProvSec2007International Conference on Provable Security 2007 October 29-31, 2007, Wollongong, Australia http://provsec07.sitacs.uow.edu.au

More Related