
Provable Security vs. Efficiency in Cryptographic Algorithms


Presentation Transcript


  1. Provable Security vs. Efficiency in Cryptographic Algorithms
  Rosario Gennaro, IBM T.J. Watson Research Center
  2009 Estonian Winter School in Computer Science, March 2009

  2. Cryptography
  • The science of communication in the presence of an adversary
    • Encryption
    • Authentication
  [Figure: cartoon of the two tasks; captions "message", "???", "Hi I am Alice", "Yeah sure!"]

  3. Unconditional Security?
  • Cryptography (in practice) cannot achieve unconditional security
  • Shannon's theorem for information-theoretic security
    • To encrypt a message so that it is impossible to retrieve any information about it, the key must be at least as long as the message
  • Example: one-time pad
    • Message: n-bit string m
    • Key: n-bit random string k
    • Ciphertext: c = m ⊕ k
    • Alice and Bob need to exchange a huge amount of random data in advance and keep it secret
  • Change of focus
    • Instead of trying to make it impossible to break security (gain information about a secret message, impersonate an honest party)
    • Make it very, very hard
    • Computationally infeasible
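The one-time pad of slide 3, as an added Python example (not code from the slides). Besides c = m ⊕ k it shows the failure mode behind "keep it secret and exchange it in advance": the pad must be as long as the message and used once, because two ciphertexts under the same key reveal m1 ⊕ m2 without any knowledge of the key. The function names and the sample plaintexts are constructed for this example.

```python
import secrets


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """c = m XOR k. Shannon's bound in practice: the key must be uniformly
    random, at least as long as the message, and used exactly once."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def new_key(n_bytes: int) -> bytes:
    """Fresh pad from the OS CSPRNG: this is the 'huge amount of random data'
    Alice and Bob must share in advance, one pad per message."""
    return secrets.token_bytes(n_bytes)


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Why the pad is one-time: if the same key encrypts m1 and m2, then
    c1 XOR c2 = m1 XOR m2, a key-independent relation between the plaintexts
    that an eavesdropper computes from the ciphertexts alone."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1, m2 = b"attack at dawn", b"retreat at 6am"
    pad = new_key(len(m1))
    assert otp_decrypt(otp_encrypt(m1, pad), pad) == m1
    leaked = key_reuse_leak(otp_encrypt(m1, pad), otp_encrypt(m2, pad))
    # True for every pad: the leak does not depend on the key at all.
    print(leaked == bytes(a ^ b for a, b in zip(m1, m2)))
```

With the leaked XOR of two natural-language plaintexts, crib-dragging recovers both messages, which is why a pad that is reused is no longer information-theoretically secure.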

  4. Computational Assumptions
  • Security holds if
    • The adversary does not have the resources to perform a certain computational task T
    • The cryptographic scheme used requires the adversary to perform T in order to break security

  5. Modern Theoretical Cryptography
  • A focus on models, formal definitions and mathematical proofs to construct cryptographic schemes
    • Provable security
    • Reductionist approach
  • Four-step process:
    1. Model: communication channel, computational ability of parties and adversary, what is "legal" and what is not
    2. Definition: what are we trying to achieve; precisely define security for a specific task (e.g. what is a secure digital signature?)
    3. Design: find an algorithm to implement the desired cryptographic functionality
    4. Proof: devise a proof such that if an adversary A
       • in the model specified in (1)
       • breaks security as defined in (2)
       • of the algorithm designed in (3)
       then we can use A to build a new algorithm A' that solves an assumed computationally hard problem T
  • A proof in this approach resembles a complexity-theoretic reduction

  6. Common Cryptographic Tasks
  • Encryption
    • Confidentiality of messages
  • Authentication
    • Message provenance
  • Key exchange
    • A protocol for two parties to share a key so that they can encrypt and authenticate messages to each other
  • Pseudo-random generation
    • An algorithm to stretch short random seeds into longer strings that look random
  • Hashing
    • Compress long messages into short digests
    • Difficult to find two messages that hash to the same digest
  • Etc.

  7. Common Cryptographic Assumptions
  • Discrete logarithm [DH76]
    • A cyclic group G of order q generated by g
    • Choose x at random in Z_q and compute y = g^x
    • Given G, g, y find x
  • Diffie-Hellman problem
    • Given g^a, g^b (for a, b random in Z_q) compute (or decide) g^{ab}
  • Factoring [RSA78]
    • Choose two primes p, q and compute N = pq
    • Given N find p, q
  • RSA
    • Compute e-th roots modulo N
    • Given a random y in Z_N^* find x such that x^e = y mod N

  8. General Cryptographic Assumptions
  • Try to capture the essence of computational hardness:
  • One-way function
    • f : {0,1}^n → {0,1}^n
    • Choose x at random and compute y = f(x)
    • Given f and y, compute some x' with f(x') = y
  • Trapdoor variation
    • It is possible to invert f if a short trapdoor is known

  9. A Picture Is Worth 1,000 Words
  [Figure: a one-way function box mapping x to y = f(x); the crypto algorithm built on top of it; and the simulated crypto algorithm used in the proof]

  10. The Good And The Bad
  • Theoretically, cryptography has been very successful
    • The 70s revolutionized the field
    • In the 80s and 90s the field matured
    • For almost any problem we have a provably secure solution based on minimal computational assumptions
  • Practically, not so much
    • Theoretical solutions are very inefficient
    • For many problems all we have are "proofs of concept"
    • In practice empirical (not provably secure) solutions are used
  • This series of lectures will explore this problem
    • Will try to understand the reasons behind this phenomenon
    • Will explore ways to get around it

  11. Case Study: Pseudo-Random Generation
  • Model:
    • Parties are computationally bounded
    • Polynomial time
  • Definition
    • A pseudorandom generator G is a deterministic algorithm
    • Input: an n-bit string s (the seed)
    • Output: an (n+k)-bit string G(s)
    • The distribution of G(s) for random s is computationally indistinguishable from the uniform distribution over (n+k)-bit strings
    • For every polynomial-time adversary A
      • |Pr_s[A(G(s)) = 1] - Pr_y[A(y) = 1]| is negligible, where s is uniform over n-bit strings and y is uniform over (n+k)-bit strings

  12. Pseudo-Random Generation: Construction
  • Let f : {0,1}^n → {0,1}^n be a OWP
  • A predicate b : {0,1}^n → {0,1} is hard-core for f if
    • Given y = f(x) it is infeasible to guess b(x) with probability noticeably better than 1/2
  • [GL89] Every OWP has a HCP
    • b(x) = <r, x> (inner product mod 2) for a random n-bit string r
  • [BMY82] Pseudo-random generator
    • Given an n-bit random seed x_0
    • Compute x_i = f(x_{i-1}) and b_i = b(x_i)
    • Output b_0 ... b_{k-1} x_k
  • Proof: if f is a OWP then the PRG is secure
  [Figure: the chain x_0 → x_1 = f(x_0) → x_2 = f(x_1) → ..., with the bit b_i extracted from each x_i; PRG input = x_0]

  13. Lecture 2

  14. Pseudo-Random Generation: Construction
  • Let f : {0,1}^n → {0,1}^n be a OWP
  • A predicate b : {0,1}^n → {0,1} is hard-core for f if
    • Given y = f(x) it is infeasible to guess b(x) with probability noticeably better than 1/2
  • Every OWP has a HCP
  • [BMY82] Pseudo-random generator
    • Given an n-bit random seed x_0
    • Compute x_i = f(x_{i-1}) and b_i = b(x_i)
    • Output b_0 ... b_{k-1} x_k
  • Proof: if f is a OWP then the PRG is secure
  • Efficiency: one invocation of f for each pseudo-random bit
  [Figure: the chain x_{i+1} = f(x_i) with the bit b_i extracted from each x_i; PRG input = x_0]
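The [BMY82] generator with the [GL89] predicate from slides 12 and 14, written as an added Python example (not code from the slides). The generator takes f as a callable and never looks inside it, which is the black-box use of f that slide 16 stresses, and it counts its calls to f so the "one invocation per pseudo-random bit" cost is visible. The permutation toy_owp, its parameters and all helper names are assumptions of this example; the toy is far too small to be one-way and only exists so the construction can run.

```python
import secrets

# Toy one-way permutation for this example only (an assumption, not part of the
# slides): discrete exponentiation x -> g^x mod p on {1, ..., p-1}. Because 7 is a
# primitive root modulo the Mersenne prime 2^31 - 1, the map is a bijection on
# that set. The modulus is far too small to be one-way; it just makes the code run.
P = 2**31 - 1
G = 7
N_BITS = P.bit_length()   # 31


def toy_owp(x: int) -> int:
    """f(x) = g^x mod p on the domain {1, ..., p-1} (a permutation of that set)."""
    assert 1 <= x <= P - 1
    return pow(G, x, P)


def goldreich_levin_bit(r: int, x: int) -> int:
    """The [GL89] hard-core predicate b_r(x) = <r, x> mod 2: the parity of the
    bitwise AND of the public random string r with x."""
    return bin(r & x).count("1") & 1


def bm_prg(f, r: int, x0: int, k: int):
    """[BMY82] generator that uses f only as an oracle (slide 16):
    x_i = f(x_{i-1}), b_i = b_r(x_i); output b_0 ... b_{k-1} followed by x_k.
    Returns (bits, x_k, number of calls made to f)."""
    queries = 0
    bits = []
    x = x0
    for _ in range(k):
        bits.append(goldreich_levin_bit(r, x))   # b_i = b(x_i)
        x = f(x)                                  # x_{i+1} = f(x_i)
        queries += 1                              # one oracle call per output bit
    return bits, x, queries


def bm_prg_output(f, n_bits: int, r: int, x0: int, k: int):
    """Full (k + n)-bit output: the k hard-core bits followed by the n bits of x_k."""
    bits, x_k, _ = bm_prg(f, r, x0, k)
    return bits + [(x_k >> i) & 1 for i in range(n_bits)]


def demo(k: int = 64):
    """Fresh random seed x_0 and GL string r, as a caller would choose them."""
    r = secrets.randbelow(1 << N_BITS)
    x0 = 1 + secrets.randbelow(P - 1)            # uniform in {1, ..., p-1}
    return bm_prg_output(toy_owp, N_BITS, r, x0, k)


if __name__ == "__main__":
    out = demo()
    print(len(out), "output bits from a", N_BITS, "bit seed")
```

Swapping toy_owp for any other permutation on n-bit strings leaves bm_prg untouched, which is exactly what makes the construction black-box; the proof of security has the same property with respect to the distinguisher (slide 17).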

  15. Improving PRGs: Large Hard-Core Functions
  • Let f : {0,1}^n → {0,1}^n be a OWP
  • A function h : {0,1}^n → {0,1}^m is hard-core for f if
    • Given y = f(x), the string h(x) is indistinguishable from an m-bit random string
  • Improving the [BMY82] PRG
    • Given an n-bit random seed x_0
    • Compute x_i = f(x_{i-1}) and h_i = h(x_i)
    • Output h_0 ... h_{k-1} x_k
    • One invocation of f yields m pseudo-random bits
  • Are there OWPs with large hard-core functions?
    • Not in general
    • The GL proof can be extended to O(log n) bits
  [Figure: the same chain x_{i+1} = f(x_i), now with h_i extracted from each x_i; PRG input x_0]

  16. A note about the construction
  • The PRG algorithm only uses f as an oracle
  • Does not care about how f works
  [Figure: the chain x_{i+1} = f(x_i) with f drawn as a black box; PRG input = x_0, outputs b_i]

  17. A note about the proof
  • The proof uses the adversary only as an oracle
  • Does not care how A works
  [Figure: the simulated crypto algorithm; the reduction is given y = f(x), runs the PRG adversary as a black box, and recovers x]

  18. Black-Box Constructions
  • Only input/output access to the one-way function
  • We know nothing about how the black box operates
  [Figure: the one-way function x → y = f(x) as a black box inside the crypto algorithm, and inside the simulated crypto algorithm of the proof]

  19. Why Black-Box Constructions [IR89]
  • Generic
    • Work for any one-way function
  • Focus on the computational hardness of the assumptions
    • Does not use other special properties
    • E.g. homomorphic properties
  • Focus on the existence of a successful adversary
    • Does not care how the adversary works
    • A single simulator for any adversary (with oracle access)
    • Rather than a different simulator for every adversary
  • Conceptually simple and elegant
  • Many constructions are black-box

  20. Impossibility Results
  • [IR89] introduces black-box constructions to prove that key exchange cannot be based on one-way permutations (in a black-box way)
    • A black-box reduction from the security of key exchange to one-way permutations is very unlikely
    • It would have to contain a proof that P ≠ NP
  • [Sim98] proves the impossibility of black-box constructions of (full) collision-resistant hashing based on one-way permutations

  21. Lower Bounds
  • [KSS99] prove a lower bound on the efficiency of black-box constructions of target collision-resistant hashing based on one-way permutations
    • If the hash function compresses k bits it must invoke the OWP Ω(k^{1/2}) times
    • Upper bound [NY89] is O(k)
  • [GT00] Tight lower bounds for black-box constructions of TCR hashing and pseudo-random generation based on OWP
    • If the hash function compresses k bits it must invoke the OWP Ω(k) times
    • If the pseudo-random generator stretches the seed by k bits it must invoke the OWP Ω(k) times (treating the input length n of the permutation as a constant; the argument on slide 25 gives k/n queries)
    • Matching upper bound [BMY82] of O(k)
  • [GGK03] Tight lower bounds for black-box constructions of encryption and signatures
    • Encrypting k bits requires Ω(k) invocations of a trapdoor permutation
    • Verifying the signature on a k-bit message requires Ω(k) invocations of a OWP
    • Matching known upper bounds [GM84, NY88]
  • [HHRS07] Tight lower bound on the round complexity of black-box constructions of statistically-hiding commitments based on OWP

  22. Pseudo-Random Generation: Lower Bound
  • Black-box access
    • The PRG construction does not care about the details of f
    • Only input/output
  • We can replace f with a random permutation
    • Think of it as an oracle which answers each query with a random string
    • Adjusted for consistency (a repeated query gets the same answer) and for being a permutation (distinct queries get distinct answers)
  • If a random permutation is one-way then the construction must still be secure
  [Figure: the chain x_{i+1} = f(x_i) with f now a random-function oracle; outputs b_i]

  23. Technical Theorem [IR89, GT00]
  • If f is a random permutation over n-bit strings
  • A circuit to invert it must have size Ω(2^{n/c})
  • Intuition
    • Because the function is random
    • The circuit, given y, will find x only if it queries x
  • The [GT00] proof uses a Kolmogorov-complexity approach
    • Show that if a circuit of size S inverts a permutation P
    • Then P can be described very succinctly
    • Only a few P can be inverted
  • Corollary:
    • To achieve security against an adversary of size S
    • It is sufficient to choose n = c log S
  [Figure: the random-function oracle answering queries x_i with y_i = f(x_i); inverting it takes size Ω(2^{n/c})]

  24. Proof (Intuition) of Technical Theorem [GT00]
  • LEMMA
    • Let A be a circuit that
      • Makes at most q queries to an n-bit permutation P
      • Pr_x[A^P(P(x)) = x] > ε
    • Then P has a short description, of size
      • K = 2 log (2^n choose a) + log((2^n - a)!)
      • Where a = ε 2^n / (q+1)
  • Lemma yields the Theorem
    • If A has size < 2^{n/5} and ε = 2^{-n/5} then only a tiny fraction of the permutations P can be inverted (< 2^{-n})
  • Proof of the Lemma
    • Build a set Y ⊆ { y : A^P(y) = P^{-1}(y) }
      • |Y| ≥ ε 2^n / (q+1) = a
    • The permutation P is defined by Y, X = P^{-1}(Y) and the values of P on {0,1}^n \ X
      • Therefore of size K
    • The set X is computed by running A on each element y of Y
      • Making sure that when computing A^P(y) all the queries of A to P are already defined
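Carrying the slide's "Lemma yields the Theorem" step through in its own symbols, as a worked derivation added here (not part of the original slide). It assumes two standard facts the slide leaves implicit: the estimate $\binom{N}{a} \le (eN/a)^a$, and that a circuit of size $S$ makes at most $S$ oracle queries ($q \le S$); it also takes $n$ to be a multiple of 5 so that $2^{n/5}$ is an integer. Write $N = 2^n$. At most $2^K$ of the $N!$ permutations have a $K$-bit description, so the fraction of $P$ that $A$ inverts with probability $> \varepsilon$ is at most $2^{K - \log N!}$.

```latex
\begin{align*}
K - \log N! &= 2\log\binom{N}{a} - \log\frac{N!}{(N-a)!} \\
\log\frac{N!}{(N-a)!} &= \sum_{i=0}^{a-1}\log(N-i) \;\ge\; a\log(N-a) \\
2\log\binom{N}{a} &\le 2a\log\frac{eN}{a} \\
K - \log N! &\le a\left(2\log\frac{eN}{a} - \log(N-a)\right)
\end{align*}
\intertext{With $|A| < 2^{n/5}$ (so $q+1 \le 2^{n/5}$) and $\varepsilon = 2^{-n/5}$:}
\begin{align*}
a = \frac{\varepsilon\,2^n}{q+1} &\ge \frac{2^{4n/5}}{2^{n/5}} = 2^{3n/5},
  \qquad a \le \varepsilon\,2^n = 2^{4n/5} \le \frac{N}{2} \quad (n \ge 5) \\
\log\frac{eN}{a} &\le n - \frac{3n}{5} + \log e < \frac{2n}{5} + 1.5,
  \qquad \log(N-a) \ge n - 1 \\
K - \log N! &\le a\left(\frac{4n}{5} + 3 - (n-1)\right)
  = -a\left(\frac{n}{5} - 4\right)
  \le -2^{3n/5}\left(\frac{n}{5} - 4\right) < -n \quad (n \ge 25)
\end{align*}
```

So the fraction of permutations that a circuit of size below $2^{n/5}$ inverts with probability $2^{-n/5}$ is below $2^{-n}$, which is the slide's claim; the constant $c$ of slide 23 is absorbed in the choice of the exponents $n/5$.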

  25. Pseudo-Random Generation: Lower Bound [GT00]
  • Assume we want security against adversaries of size S
  • Can use a random permutation over n = c log S bits
  • The PRG takes a t-bit seed and outputs t+k bits
  • Assume it makes q < k/n queries to the permutation
  • Consider PRG' that does not access the random permutation
    • It takes a (t+qn)-bit seed
    • Uses the first t bits to run PRG
    • For each query uses n bits from the rest of the seed
    • Outputs whatever PRG outputs
  • It is a generator, as the output is longer than the seed: t+k > t+qn
  [Figure: PRG' wraps PRG; a (t+qn)-bit seed is split into t bits for PRG and qn bits that replace the random permutation's answers; output t+k bits]
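The random-permutation oracle of slide 22 and the PRG' transformation of slide 25, as an added Python example (not code from the slides). The oracle is sampled lazily, answering repeated queries consistently and never repeating an answer, and counts its queries; derandomized_prg answers each of the q oracle queries with n fresh seed bits instead of consulting any oracle. The oracle_prg standing in for the "PRG" being transformed is a minimal one-bit-per-query loop assumed for the demonstration: with it q = k, so PRG' ends up with a seed longer than its output, which is exactly why only a generator making fewer than k/n queries would yield an unconditional PRG. All class, function and parameter names are assumptions of this example.

```python
import random
import secrets


class LazyRandomPermutation:
    """The oracle of slide 22: a random permutation over n-bit strings, sampled
    lazily. A repeated query gets its earlier answer (consistency); a fresh query
    gets a uniformly random answer not handed out before (permutation). Callers
    get input/output access only, and every call is counted."""

    def __init__(self, n_bits: int, rng=secrets.randbelow):
        self.n = n_bits
        self.rng = rng            # rng(m) returns a uniform integer in [0, m)
        self.table = {}           # query -> answer, for queries seen so far
        self.used = set()         # answers handed out so far
        self.queries = 0

    def __call__(self, x: int) -> int:
        assert 0 <= x < (1 << self.n)
        self.queries += 1
        if x not in self.table:
            y = self.rng(1 << self.n)
            while y in self.used:             # keep the partial map injective
                y = self.rng(1 << self.n)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def seeded_rng(seed: int):
    """Deterministic stand-in for secrets.randbelow, for reproducible runs."""
    return random.Random(seed).randrange


def bits_to_int(bits) -> int:
    return sum(b << i for i, b in enumerate(bits))


def oracle_prg(f, x0: int, n_bits: int, k: int):
    """Minimal generator standing in for 'PRG' on slide 25 (an assumption of this
    example): x_{i+1} = f(x_i), one output bit LSB(x_i) per query, then x_k.
    Seed t = n_bits bits, output t + k bits, exactly q = k oracle queries."""
    x, bits = x0, []
    for _ in range(k):
        bits.append(x & 1)
        x = f(x)
    return bits + [(x >> i) & 1 for i in range(n_bits)]


def derandomized_prg(prg, long_seed, t: int, n_bits: int, q: int):
    """PRG' of slide 25. The seed has t + q*n bits: the first t bits seed prg,
    and the i-th oracle query is answered with seed bits t + i*n .. t + (i+1)*n - 1
    rather than by a permutation. No oracle is ever consulted. prg must be a
    callable prg(oracle, x0) returning a list of bits."""
    assert len(long_seed) == t + q * n_bits
    x0 = bits_to_int(long_seed[:t])
    answered = 0

    def fake_oracle(x):                     # ignores x: the answer is seed material
        nonlocal answered
        if answered >= q:
            raise ValueError("underlying PRG made more than q queries")
        lo = t + answered * n_bits
        answered += 1
        return bits_to_int(long_seed[lo:lo + n_bits])

    return prg(fake_oracle, x0)


def is_expanding(t: int, k: int, q: int, n_bits: int) -> bool:
    """PRG' stretches its seed iff t + k > t + q*n, i.e. the underlying PRG
    outputs more bits than it consumes as oracle answers."""
    return k > q * n_bits


if __name__ == "__main__":
    n, k = 8, 16
    rp = LazyRandomPermutation(n)
    out = oracle_prg(rp, 5, n, k)
    print(len(out), "bits from an", n, "bit seed using", rp.queries, "oracle queries")
    seed = [secrets.randbelow(2) for _ in range(n + k * n)]
    out2 = derandomized_prg(lambda f, x0: oracle_prg(f, x0, n, k), seed, n, n, k)
    print(len(out2), "bits from a", len(seed), "bit seed; expanding:", is_expanding(n, k, k, n))
```

is_expanding records the slide's condition t+k > t+qn. For the one-bit-per-query generator it is false for every k; it becomes true only for a hypothetical generator with q < k/n, and then derandomized_prg would be a generator with no assumption at all.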

  26. The "Contradiction"
  • If a PRG makes too few queries
  • Then there exist PRGs that make no queries at all!
  • The existence of a PRG with a small number of queries implies the unconditional existence of PRGs
  • Among other things this implies that OWFs exist
    • P ≠ NP
  • Since no such proof is known, a black-box PRG making fewer than k/n queries would have to settle P vs NP, which is why the bound is stated as a "contradiction"

  27. Inherent Inefficiency
  • If limited to black-box constructions
    • Relying simply on computational hardness
  • Then we must invoke the OWP many times
  • The invocation of the underlying crypto primitive is usually the most expensive part
    • E.g. modular exponentiations
  • Use a fast OWP
    • BBS generator
    • OWP is f(x) = x^2 mod N
    • Rate of the PRG is 1 bit per modular multiplication

  28. Lecture 3

  29. Types of Black-Box Constructions
  • Fully black-box
  • Semi black-box
  • Weakly black-box
  [Figure: the one-way function x → y = f(x), crypto algorithm and simulated crypto algorithm boxes, as on slide 18]

  30. Non-black-box constructions?
  • Can we use the algebraic properties of the underlying OWP?
  • Unfortunately, for both discrete log and RSA we know of no way of using their properties
    • RSA and discrete log have hard-core bits
      • Either the generic GL bit or some well-specified bits of the input
    • The usual trick can extend it to an O(log n)-size hard-core function
    • We do not know how to use the special properties of these functions to get larger hard-core functions
  • The best PRGs follow the same structure as the black-box one

  31. Discrete Logarithm
  • Consider the case of discrete log
    • A cyclic group G of order q generated by g
    • Choose x at random in Z_q and compute y = g^x
    • Given G, g, y find x
    • Conjectured hard problem
  • Discrete log has a hard-core predicate
    • The generic GL hard-core bit
    • If q is prime, LSB(x) is hard-core

  32. Tweak The Computational Assumption
  • Consider the following variation of the discrete log assumption
    • Choose x at random in [1..B] and compute y = g^x
    • Discrete Log with Short Exponents (DLSE)
    • Let n = |q|, k = |B| and m = n - k
    • Typically n ~ 1024, k ~ 160
  • [PS98]
    • Assume that DLSE is hard
    • Choose x at random in Z_q, compute y = g^x
    • Then LSB_m(x) is a hard-core function for discrete log
    • m pseudo-random bits per modular exponentiation
  • Forgetting about asymptotics for a minute
    • 860 bits per modular exponentiation (~1500 modular multiplications)
    • Still not as good as BBS

  33. Twist The Paradigm [G00]
  • Assume that DLSE is hard
    • Choose x at random in [1..B]
    • The value y = g^x is computationally indistinguishable from a random value in G
  • Yields immediately a PRG from k bits to n bits
    • m pseudo-random bits per exponentiation with a small exponent
    • 860 bits per 240 multiplications
    • Better than BBS
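The cost comparison behind slides 32 and 33, as an added Python example (not code from the slides). square_and_multiply counts modular multiplications, which is where the "~1500 multiplications for a 1024-bit exponent" and "240 for a 160-bit exponent" figures come from; dlse_prg is the one-shot k-bit-to-n-bit generator of slide 33, and bits_per_multiplication puts the [PS98] and [G00] rates next to the BBS reference point of one bit per multiplication. The toy group, its generator, the seed length K and the function names are assumptions of this example; the group is far too small to be secure and is not of prime order.

```python
import secrets

# Toy group for this example only (an assumption, not part of the slides): Z_p^*
# for the Mersenne prime p = 2^31 - 1 with generator 7. It is far too small to be
# secure and is not of prime order; it only makes the code run. The slides' 2009
# figures are n = |q| ~ 1024 and k = |B| ~ 160 (1024-bit discrete-log groups are
# below current recommendations).
P = 2**31 - 1
G = 7
N = P.bit_length()    # 31: bits of a group element
K = 12                # bits of the short exponent x in [1..B], B = 2^K


def square_and_multiply(g: int, e: int, p: int):
    """Left-to-right binary exponentiation. Returns (g^e mod p, number of modular
    multiplications), counting squarings as multiplications: bits(e) - 1
    squarings plus one multiplication per set bit after the leading one, so
    about 1.5 * bits(e) for a random exponent."""
    assert e >= 1
    result = g % p
    mults = 0
    for bit in bin(e)[3:]:                 # skip '0b' and the leading 1
        result = result * result % p
        mults += 1
        if bit == "1":
            result = result * g % p
            mults += 1
    return result, mults


def dlse_prg(seed: int, k: int = K):
    """One-shot generator of slide 33 ([G00]): the seed is a short exponent
    x in [1..2^k]; the output is y = g^x mod p, an n-bit group element. Under
    DLSE, y is indistinguishable from a random element of G, so this stretches
    k bits to n bits with a single short exponentiation. Returns (y, mults)."""
    assert 1 <= seed <= (1 << k)
    return square_and_multiply(G, seed, P)


def bits_per_multiplication(n: int, k: int, exponent_bits: int) -> float:
    """Output rate of a generator that yields m = n - k pseudo-random bits per
    exponentiation, with the slides' rule of thumb of 1.5 multiplications per
    exponent bit. Slide 32 ([PS98]) uses full n-bit exponents; slide 33 ([G00])
    uses k-bit ones. BBS (slide 27) is the reference point at 1.0."""
    return (n - k) / (1.5 * exponent_bits)


if __name__ == "__main__":
    x = 1 + secrets.randbelow(1 << K)
    y, cost = dlse_prg(x)
    print(f"{K}-bit seed -> {N}-bit output {y} using {cost} multiplications")
    print("PS98 rate:", bits_per_multiplication(1024, 160, 1024))   # 864/1536
    print("G00  rate:", bits_per_multiplication(1024, 160, 160))    # 864/240
```

With n = 1024 and k = 160 the two rates are 864/1536 and 864/240 bits per multiplication, below and above the BBS rate of 1, which is the whole point of moving the short exponent from the hard-core function ([PS98]) into the seed ([G00]).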

  34. A Win-Win Situation?
  • Use specific properties of the underlying primitive to improve efficiency
  • If not possible for the original primitive
    • Understand what you need from the primitive and tweak the assumption to get better efficiency under this "tweak"
  • Can we trust these "tweaked" assumptions?
    • They must be chosen with care
    • Analyzed thoroughly
    • Must not be "too far" from the original assumption
  • If the assumption is true we get better schemes
    • Consider the efficiency of the reduction and the potential "security loss" of the assumption
  • If the assumption turns out to be false we learn something new about a computationally hard problem
    • An efficient algorithm to solve the DLSE problem would give great insight into the mathematics of the general discrete log problem
  • I asked the question whether a similar trick could be pulled on RSA/Factoring
    • [SPW] show that if we assume that factoring is hard when k bits of p, q are known
    • Then BBS can be implemented with k bits per iteration

  35. Some interesting questions
  • Better lower bounds for one-way functions?
    • Clearly our OWP lower bounds apply to OWFs as well
    • But in this case they are not tight anymore
    • The complexity of OWF constructions is usually much higher
  • Lower bounds for other measures of efficiency
    • Protocol round complexity [HHRS07]
  • Domain expansion for TCR hashing?
    • h_a : {0,1}^n → {0,1}^{n-k}
    • Known constructions to expand the domain to mn bits require log m keys
    • Is that optimal?
  • There are constructions which are not black-box yet are "generic"
    • E.g. the construction of chosen-ciphertext secure encryption from any trapdoor permutation [DDN01]
    • The construction uses the circuit of the TP
    • By definition not black-box anymore
    • Can we say something interesting about this type of constructions? Lower bounds? Impossibility results?
    • Is key exchange from OWP impossible even for this type of constructions?

  36. Thank you for your attention!
