Provable security. Michel Abdalla


Lecture 1: Provable security. Michel Abdalla, École normale supérieure & CNRS

Cryptography
Main goal: enable secure communication in the presence of adversaries (the adversary sits on the channel between Sender and Receiver). This is only possible if the parties possess information (called keys) not known to the adversary.

Two main security goals in data communication
Privacy: prevent exposure of transmitted data.
Authenticity/Integrity: prevent modification of transmitted data (in the figure, the adversary changes the transmitted 10110 into 11110).

Symmetric encryption (a.k.a. private-key encryption)
The sender encrypts M into C with E, the receiver decrypts C back to M with D; the secret information (the key) is shared by both. The adversary sees only C and tries to learn M.

Vernam cipher / One-time pad
Sender and receiver share a key; M is encrypted to C and C decrypted to M with that key.
Good: the ciphertext reveals no more information about the plaintext than what was known a priori [Shannon].
Bad: the key must be as long as the message.

Modern cryptography
Computational security: the system can be broken in principle, but it would take a lot of computing time. This allows small keys and public-key cryptography. Security usually relies on some known computationally hard mathematical problem (e.g. the scheme is secure if factoring is hard).

How can we be confident that a given cryptosystem is secure?
Option 1: try to find an attack. If an attack is found, the system is insecure; if none is found, we still do not know.
Option 2: prove that breaking the cryptosystem is as hard as solving an underlying well-known computational problem. Then, if an attack is found, the underlying computational problem is easy (unlikely).

Computational problems conjectured to be hard
NP-complete problems; factoring large composites; computing discrete logs; the Diffie-Hellman problem. Problems such as factoring, discrete logs and Diffie-Hellman serve as the basis for cryptography.

Provable security impacts practice
Proven secure schemes are in standards like SSL, SSH and IPsec. Product developers, security architects and users turn to theoreticians to tell them which systems to use and how different cryptosystems compare.

Plan: security proof methodology; algorithmic assumptions; ideal models; game playing technique; case studies.

When are algorithmic assumptions sufficient?
Security proofs give the guarantee that the assumption is sufficient for secrecy: IF an adversary can break the secrecy THEN one can break the assumption. This is a proof by reduction.

Proof by reduction
Let A be an adversary that breaks the scheme. Then A can be used to solve a hard problem P: given an instance I of P, run A and turn its output into a solution of I. If P is intractable, the scheme is secure.

Provably secure scheme
To prove the security of a cryptographic scheme, one has to make precise:
- the algorithmic assumptions (e.g. factoring, computational Diffie-Hellman);
- the security notions being achieved (according to the scheme and primitive);
- a reduction, showing how to use the adversary to break the assumptions.


Factorization and RSA
Multiplication/factorization: given primes p, q, computing N = p·q is easy (quadratic); given N, recovering p, q is difficult (super-polynomial).
RSA function [RSA 1978], from Z_N to Z_N (with N = pq), for a fixed exponent e: computing x ↦ x^e mod N is easy (cubic); given y = x^e mod N, recovering x is difficult without p or q, and easy with them: x = y^d mod N where d = e^{-1} mod φ(N).

The RSA problems
Let n = pq where p and q are large primes.
The RSA problem, for a fixed exponent e:
$\mathrm{Succ}^{\mathrm{rsa}}_{n,e}(\mathcal{A}) = \Pr\big[x \xleftarrow{\$} \mathbb{Z}_n^*,\ y = x^e \bmod n : \mathcal{A}(y) = x\big]$
The flexible RSA problem, with the restriction that e be prime:
$\mathrm{Succ}^{\mathrm{fl\text{-}rsa}}_{n}(\mathcal{A}) = \Pr\big[y \xleftarrow{\$} \mathbb{Z}_n^*,\ (x, e) \leftarrow \mathcal{A}(y) : y = x^e \bmod n\big]$

Other RSA variants
Let n = pq where p and q are large primes.
The Rabin problem: given y, find x such that y = x^2 mod n (if it exists). This problem is equivalent to integer factoring.
The dependent RSA problems: given x^e mod n, find (x+1)^e mod n (for small e, equivalent to RSA); given x^e mod n and y^e mod n, decide whether y = x+1 mod n.

Residue problems
Let n = pq where p and q are large primes.
The quadratic residuosity problem: given y in Z_n^*, decide whether there exists x such that y = x^2 mod n.
The high residuosity problem (Paillier): given y in Z_{n^2}^*, decide whether there exists x such that y = x^n mod n^2.

Discrete-log-based assumptions: background
Fix a cyclic group G. This means there is an element g ∈ G which generates G: G = {g^0, g^1, ..., g^{|G|-1}}. The discrete log of y ∈ G is the unique integer i ∈ {0, 1, ..., |G|-1} such that y = g^i.
E.g.: if p is prime, then Z_p^* is a cyclic group of order p-1. E.g.: Z_17^* = {1, ..., 16} is a cyclic group and 3 is a generator; the discrete log of 14 base 3 in Z_17^* is 9 because 3^9 = 19683 ≡ 14 mod 17.

Discrete log assumption (DL)
Fix a cyclic group G, e.g. G = Z_p^*, where p = 2q+1 and q is a large prime.
DL problem: given g and g^u, the algorithm must output u.
Assumption: there is no practical algorithm to solve the discrete log problem in G.

Computational Diffie-Hellman assumption (CDH)
Fix a cyclic group G, e.g. G = Z_p^*, where p = 2q+1 and q is a large prime.
CDH problem: given g, g^u and g^v, the algorithm must output g^{uv}.
Assumption: there is no practical algorithm to solve the computational Diffie-Hellman problem in G.

Decisional Diffie-Hellman assumption (DDH)
DDH problem: the algorithm is given g, g^u, g^v and a third element which is either g^{uv} (b = 0) or a random group element g^$ (b = 1); it outputs a guess b' and wins if b' = b, otherwise it loses.
Assumption: there is no practical algorithm that wins with probability significantly better than ½.

Success probabilities
$\mathrm{Succ}^{\mathrm{dl}}_{g}(\mathcal{A}) = \Pr\big[x \xleftarrow{\$} \mathbb{Z}_q,\ y = g^x : \mathcal{A}(y) = x\big]$
$\mathrm{Succ}^{\mathrm{cdh}}_{g}(\mathcal{A}) = \Pr\big[a, b \xleftarrow{\$} \mathbb{Z}_q,\ A = g^a,\ B = g^b : \mathcal{A}(A, B) = g^{ab}\big]$
$\mathrm{Adv}^{\mathrm{ddh}}_{g}(\mathcal{A}) = \Pr\big[a, b, c \xleftarrow{\$} \mathbb{Z}_q,\ A = g^a,\ B = g^b,\ C = g^c : \mathcal{A}(A, B, C) = 1\big] - \Pr\big[a, b \xleftarrow{\$} \mathbb{Z}_q,\ A = g^a,\ B = g^b,\ C = g^{ab} : \mathcal{A}(A, B, C) = 1\big]$

Relation among assumptions
In order of increasing strength of the assumption: P ≠ NP; DL (discrete log); CDH (computational Diffie-Hellman); DDH (decisional Diffie-Hellman).


Ideal models
Ideal random hash function: the random-oracle model. Ideal symmetric encryption: the ideal-cipher model.

The random-oracle model [BR93]
Perhaps the most used ideal model in cryptography. The hash function is modeled as a perfectly random function: the hash function is replaced with a random oracle; each query is answered with a random value from the range; the oracle is stateful and returns the same answer if a given query is asked twice.

Modeling a random oracle
The usual way to model a random oracle H is to maintain a list Λ_H which contains all query-response pairs (x, ρ):
- Λ_H is initially set to the empty list.
- If a query x is asked of H and (x, ρ) ∈ Λ_H for some ρ, then ρ is returned.
- If a query x is asked of H and there is no ρ such that (x, ρ) ∈ Λ_H, then a random ρ is drawn from the appropriate range, (x, ρ) is appended to Λ_H, and ρ is returned.

Two equivalent views of a random oracle
- H is a random function: a query x to H is answered with H(x).
- ρ_1, ρ_2, ... is a random sequence: a new query x to H is answered by the next element in the sequence.

The random-permutation model
Similar to the random-oracle model, but with a permutation instead of a function. A permutation P is modeled as a perfectly random permutation:
- Λ_P is initially set to the empty list.
- If a query x is asked of P or a query y is asked of P^{-1} and (x, y) ∈ Λ_P, then the corresponding value is returned.
- Otherwise, a new random value (y or x) is chosen, (x, y) is appended to Λ_P, and y or x is returned.

The ideal-cipher model
An extension of the random-permutation model: a block cipher is seen as a family of truly random and independent permutations (one for each key). The simulation works as follows:
- Λ_C is initially set to the empty list.
- If a query (k, m) is asked of E or a query (k, c) is asked of D = E^{-1} and (k, m, c) ∈ Λ_C, then the corresponding value is returned.
- Otherwise, a new random value (c or m) is drawn from the appropriate range, (k, m, c) is appended to Λ_C, and c or m is returned.
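The list-based simulations of the random oracle and of the ideal cipher described above, as an added example that is not part of the lecture: a lazily sampled random oracle, and an ideal cipher that keeps a forward and a backward table per key so that E and D = E^{-1} stay consistent and each key's map really is a permutation. The output length and block size are toy parameters chosen here.

```python
import secrets

class RandomOracle:
    """Random oracle H: the list Lambda_H is kept as a dict query -> response."""
    def __init__(self, out_len=16):
        self.out_len = out_len          # response length in bytes
        self.table = {}                 # Lambda_H, initially empty

    def query(self, x: bytes) -> bytes:
        if x not in self.table:                            # fresh query: draw a random rho
            self.table[x] = secrets.token_bytes(self.out_len)
        return self.table[x]                               # repeated query: same rho

class IdealCipher:
    """Ideal cipher: an independent random permutation on n-bit blocks for every key."""
    def __init__(self, block_bits=16):
        self.size = 1 << block_bits     # number of n-bit blocks
        self.fwd = {}                   # key -> {m: c}, the (k, m, c) entries of Lambda_C
        self.bwd = {}                   # key -> {c: m}, the same entries indexed by c

    def _fresh(self, used):
        """Draw a block not yet used under this key, so the map stays injective."""
        while True:
            r = secrets.randbelow(self.size)
            if r not in used:
                return r

    def E(self, k: bytes, m: int) -> int:
        fwd, bwd = self.fwd.setdefault(k, {}), self.bwd.setdefault(k, {})
        if m not in fwd:                                   # new (k, m): sample c, record both directions
            c = self._fresh(bwd)
            fwd[m], bwd[c] = c, m
        return fwd[m]

    def D(self, k: bytes, c: int) -> int:
        fwd, bwd = self.fwd.setdefault(k, {}), self.bwd.setdefault(k, {})
        if c not in bwd:                                   # new (k, c): sample m, record both directions
            m = self._fresh(fwd)
            fwd[m], bwd[c] = c, m
        return bwd[c]

def is_permutation(cipher: IdealCipher, k: bytes) -> bool:
    """Sanity check: encrypting every block under k must hit every block exactly once."""
    outputs = {cipher.E(k, m) for m in range(cipher.size)}
    return outputs == set(range(cipher.size))

def roundtrips(cipher: IdealCipher, k: bytes, c: int) -> bool:
    """Asking D first and E afterwards must return the same c (consistency of Lambda_C)."""
    return cipher.E(k, cipher.D(k, c)) == c
```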


The game-playing technique: motivation
Widely used in cryptographic proofs; easy to employ; can be used in the standard model as well as in ideal models; can lead to new results (three-key triple-encryption [BR06]); less error-prone; easier to verify.

Game-based proofs [Shoup, BR]
A game is a conceptualization of the interaction of the adversary with its environment. The proof is defined as a sequence of games: the initial game is the real attack environment, and the proof proceeds by stepwise refinement of the original game. The difference in probability of an event S between consecutive games is usually upper-bounded by the probability of a bad event E. The success probability of the adversary in the final game is equal or negligibly close to the target probability.

Code-based game playing [BR]
A game is seen as an actual program that is run with an adversary; oracles are seen as procedure calls; bad events are Boolean variables.
Fundamental lemma: if two games are identical until the variable bad is set, then the difference in the probabilities of a given outcome is bounded by the probability that bad gets set (in either game).

Shoup's approach
Games are seen as probability spaces and random variables defined over them. Bad events do not need to be explicitly announced. Games are defined on a common probability space, and a game modification can be seen as a rewriting rule of the probability distribution of the variables.

The difference lemma [Shoup]
Modifications of the probability space may impact the success probabilities; the probability space is unchanged unless a bad event E happens.
Difference lemma: let $S$, $S'$, $E$ be events defined in some probability distribution such that $S \wedge \neg E \Leftrightarrow S' \wedge \neg E$. Then $|\Pr[S] - \Pr[S']| \le \Pr[E]$.
Proof:
$\Pr[S'] - \Pr[S] = \Pr[S' \wedge E] + \Pr[S' \wedge \neg E] - \Pr[S \wedge E] - \Pr[S \wedge \neg E]$
$= \Pr[S' \mid E]\Pr[E] + \Pr[S' \mid \neg E]\Pr[\neg E] - \Pr[S \mid E]\Pr[E] - \Pr[S \mid \neg E]\Pr[\neg E]$
$= \big(\Pr[S' \mid E] - \Pr[S \mid E]\big)\Pr[E] \le \Pr[E]$

Game transitions
- Indistinguishability of distributions: detection by the adversary would imply an efficient method of distinguishing between two indistinguishable distributions (statistically or computationally).
- Failures and bad events: the distance follows from the difference lemma (poisoned points).
- Rewriting of variables: restating how certain quantities can be computed in a completely equivalent way (swapping dependent and independent variables, code motion).


Case studies: ElGamal encryption; hybrid encryption.

Example 1: ElGamal encryption
To formally prove the security of ElGamal encryption, we need to:
- define the security primitive: PKE;
- define the security model: IND-CPA;
- specify the security assumption: DDH;
- provide a proof of security: show that if one breaks the security of the ElGamal encryption scheme, then one has to break the DDH assumption.

ElGamal: a DDH-based encryption scheme
Secret key: v. Public key: (g, g^v). To encrypt a message M, pick an ephemeral key u, compute g^u and g^{uv} = (g^v)^u by exponentiation, then multiply: the ciphertext is (g^u, g^{uv}·M).

Public-key encryption (PKE)
The sender encrypts M into C with E under the receiver's public key; the receiver decrypts C back to M with D under its secret key. Goal: it should be hard for an adversary to get information about M from C.

IND-CPA security model: privacy against chosen-plaintext attacks
A scheme is IND-CPA secure when, for any two messages M_0 and M_1 chosen by the adversary after seeing the public key pk, the adversary cannot tell apart the encryption E(pk, M_0) of M_0 from the encryption E(pk, M_1) of M_1.

IND-CPA security experiment: privacy against chosen-plaintext attacks
(sk, pk) ← KeyGen(1^k); the adversary receives pk and outputs m_0, m_1; the challenger picks b ← {0,1} and returns C ← Enc(pk, m_b); the adversary outputs b'. If b' = b the adversary wins, otherwise it loses.

IND-CPA security experiment, oracle form: the adversary obtains pk from Initialize(1^k), submits m_0, m_1 to the encryption oracle and receives C ← Enc(pk, m_b), then passes its guess b' to Finalize, which decides Win or Lose.

Security statement
Theorem: the ElGamal encryption scheme is semantically secure against chosen-plaintext attacks (IND-CPA) if the DDH problem is hard.

Proof idea
Given an adversary A against the IND-CPA security of the ElGamal encryption scheme, show how to build an adversary B for the DDH problem: B plays the DDH game and runs A inside, simulating the PKE environment for A.

Reduction proof
Adversary B receives a DDH instance (g, g^u, g^v, W). B sets pk = (g, g^v) and runs adversary A on pk; A returns M_0, M_1. B picks b ← {0,1} and gives A the challenge C = (g^u, W·M_b); A outputs b'. If b' = b, then B outputs b'' = 0 (W = g^{uv}), else b'' = 1 (W random).
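The reduction above run end to end in a toy group, as an added example that is not part of the lecture: ElGamal in the order-11 subgroup of Z_23^* (p = 2q+1 with q = 11, generator g = 4, all constructed here), an IND-CPA adversary A that wins only because it can brute-force discrete logs in such a tiny group, and the DDH adversary B that wraps A exactly as in the figure. Messages are group elements; the helper names are this example's own.

```python
import random

P, Q, G = 23, 11, 4    # constructed toy group: p = 2q+1, g = 4 generates the order-q subgroup of Z_23^*

def keygen(rng):
    v = rng.randrange(1, Q)                      # secret key v, public key g^v
    return v, pow(G, v, P)

def encrypt(pk, m, rng):
    u = rng.randrange(1, Q)                      # ephemeral key u
    return pow(G, u, P), (pow(pk, u, P) * m) % P     # (g^u, g^{uv} * M)

def decrypt(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, Q - sk, P)) % P         # c1^{-v} = c1^{q-v} because c1 has order q

def dlog(y):
    """Brute-force discrete log: only feasible because the toy group has 11 elements."""
    return next(i for i in range(Q) if pow(G, i, P) == y)

class AdversaryA:
    """Toy IND-CPA adversary: recovers v = dlog(pk) and decrypts the challenge itself."""
    def choose(self, pk):
        self.pk, self.m0, self.m1 = pk, pow(G, 3, P), pow(G, 7, P)   # two distinct group elements
        return self.m0, self.m1

    def guess(self, c):
        c1, c2 = c
        m = (c2 * pow(c1, Q - dlog(self.pk), P)) % P   # equals M_b only if c is a real ciphertext
        return 0 if m == self.m0 else 1

def ddh_tuple(real, rng):
    """DDH challenger: (g^u, g^v, W) with W = g^{uv} (b = 0) or W random in the subgroup (b = 1)."""
    u, v = rng.randrange(Q), rng.randrange(Q)
    W = pow(G, u * v, P) if real else pow(G, rng.randrange(Q), P)
    return pow(G, u, P), pow(G, v, P), W

def reduction_B(gu, gv, W, rng):
    """DDH adversary B built from A as on the slide: 0 means 'W = g^{uv}', 1 means 'W random'."""
    A = AdversaryA()
    m0, m1 = A.choose(gv)                        # pk = (g, g^v); B never learns v
    b = rng.randrange(2)
    c = (gu, (W * (m1 if b else m0)) % P)        # a genuine ElGamal ciphertext of M_b iff W = g^{uv}
    return 0 if A.guess(c) == b else 1

def count_real_answers(real, trials, seed):
    """Run B on `trials` DDH instances of one type; return how often it answers 'real'."""
    rng = random.Random(seed)
    return sum(reduction_B(*ddh_tuple(real, rng), rng) == 0 for _ in range(trials))

if __name__ == "__main__":
    # On real tuples A decrypts correctly, so B always says 'real'; on random tuples A's guess
    # is independent of b, so B says 'real' about half the time: B inherits A's advantage.
    print("real tuples:", count_real_answers(True, 200, 1), "/ 200 answered 'real'")
    print("random tuples:", count_real_answers(False, 200, 2), "/ 200 answered 'real'")
```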

Case study 2: hybrid encryption
Let AE = (AKG, AE, AD) be an asymmetric encryption scheme and SE = (SKG, SE, SD) a symmetric encryption scheme. The hybrid encryption scheme HE = (HKG, HE, HD) is defined by:
HKG = AKG
HE(m): k ← SKG; C_1 ← AE(pk, k); C_2 ← SE(k, m)
HD(C_1, C_2): k ← AD(sk, C_1); m ← SD(k, C_2)

Security statement
Theorem: the hybrid encryption scheme is semantically secure against chosen-plaintext attacks (IND-CPA) if both the asymmetric and the symmetric encryption schemes are IND-CPA.

Proof by games
The proof is defined as a sequence of games.
Game 0, the original attack: the adversary outputs (m_0, m_1), gets (C*_1, C*_2) = HE(m_b) and outputs b'. The adversary wins if b' = b; Pr[S_0] = ε.
Game 1: C*_1 and C*_2 are computed using different k values, C*_1 = AE(pk, k') and C*_2 = SE(k, m_b). |Pr[S_0] − Pr[S_1]| ≤ Adv_AE() = ε_1.
Game 2: C*_2 encrypts a random message, C*_2 = SE(k, $). |Pr[S_1] − Pr[S_2]| ≤ Adv_SE() = ε_2, and Pr[S_2] = 0.

Game 0: adversary A receives pk and outputs M_0, M_1; the challenger picks b ← {0,1} and k ← $, and returns C* = (AE(k), SE(k, M_b)); A outputs b'. If b' = b, then A wins, else A loses.

Game 1: adversary A receives pk and outputs M_0, M_1; the challenger picks b ← {0,1}, k ← $ and k' ← $, and returns C* = (AE(k'), SE(k, M_b)); A outputs b'. If b' = b, then A wins, else A loses.

Game 2: adversary A receives pk and outputs M_0, M_1; the challenger picks b ← {0,1}, M ← $, k ← $ and k' ← $, and returns C* = (AE(k'), SE(k, M)), so that the second component encrypts the random message M instead of M_b; A outputs b'. If b' = b, then A wins, else A loses.

Hybrid encryption: summary
$\Pr[S_0] = \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{HE}(A) = \varepsilon$
$|\Pr[S_1] - \Pr[S_0]| \le \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{AE}(B) = \varepsilon_1$
$|\Pr[S_2] - \Pr[S_1]| \le \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE}(C) = \varepsilon_2$
$\Pr[S_2] = 0$
Hence $\Pr[S_0] = \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{HE}(A) \le \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{AE}(B) + \mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{SE}(C) = \varepsilon_1 + \varepsilon_2$.

Acknowledgements
Some of the slides on provable security were provided by David Pointcheval. The slides about asymmetric encryption are part of Mihir Bellare's course on Modern Cryptography.