Security Models Lecture 2 Computational Security

(1)

Security Models Lecture 2

Computational Security

Pascal Lafourcade

2020-2021

(2)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(3)

Security Models Lecture 2 Computational Security Simple Examples of Reduction Proof Technique

Reduction Proof Technique

How to prove that an encryption scheme E is secure ?

• If an adversary A breaks the encryption scheme E

• Then A can be used it to solve P in polynomial time.

3

Conclusion: Under this assumption there does not exist an adversary in polynomial time which can break the security of the scheme.

Application: ElGamal is IND-CPA secure under DDH assumption.

Consider an adversary breaking IND-CPA game for ElGamal

then he can solve DDH

(4)

Reduction Proof Technique

How to prove that an encryption scheme E is secure ?

1

Hypothesis: HARD problem P (RSA, DL,DDH,CDH)

2

Reduction:

• If an adversary A breaks the encryption scheme E

• Then A can be used it to solve P in polynomial time.

3

Conclusion: Under this assumption there does not exist an adversary in polynomial time which can break the security of the scheme.

Consider an adversary breaking IND-CPA game for ElGamal

then he can solve DDH

(5)

Reduction Proof Technique

How to prove that an encryption scheme E is secure ?

1

Hypothesis: HARD problem P (RSA, DL,DDH,CDH)

2

Reduction:

• If an adversary A breaks the encryption scheme E

• Then A can be used it to solve P in polynomial time.

3

Conclusion: Under this assumption there does not exist an adversary in polynomial time which can break the security of the scheme.

Application: ElGamal is IND-CPA secure under DDH assumption.

Consider an adversary breaking IND-CPA game for ElGamal

then he can solve DDH

(6)

Definitions (recall)

Adv

^DL

(A) = Pr h

A(g

^x

) → x

x ←

^R

[1, q] i Adv

^CDH

(A) = Pr

h

A(g

^x

, g

^y

) → g

^xy

x, y ←

^R

[1, q]

i

Adv

^DDH

(A) = Pr h

A(g

^x

, g

^y

, g

^xy

) → 1

x, y ←

^R

[1, q] i

−Pr h

A(g

^x

, g

^y

, g

^r

) → 1

x, y , r ←

^R

[1, q] i

(7)

DL implies CDH

Proof of CDH ≤ DL

We denote by X = g

^x

, Y = g

^y

Hence Z = g

^xy

= (g

^x

)

^y

= X

^y

We have solved CDH

(8)

DL implies CDH

Proof of CDH ≤ DL

We denote by X = g

^x

, Y = g

^y

Consider there is an adversary A who breaks DL.

We have solved CDH

(9)

DL implies CDH

Proof of CDH ≤ DL

We denote by X = g

^x

, Y = g

^y

Consider there is an adversary A who breaks DL.

Using A for breaking DL, we get y

(10)

Proof of CDH ≤ DL

We denote by X = g

^x

, Y = g

^y

Consider there is an adversary A who breaks DL.

Using A for breaking DL, we get y

Hence Z = g

^xy

= (g

^x

)

^y

= X

^y

We have solved CDH

(11)

Experiments

Exp

^ddh−1

(A) x, y ←

^R

[1, q]

returnA(g

^x

, g

^y

, g

^xy

) Exp

^ddh−0

(A)

x, y, z ←

^R

[1, q]

returnA(g

^x

, g

^y

, g

^z

)

(12)

CDH implies DDH

Adversary B(X , Y , Z ):

if Z = A(X , Y ) then return 1 else return 0

Adv

^DDH

(B) = Pr[Exp

^DDH−1

(B) = 1] − Pr[Exp

^DDH−0

(B) = 1]

Pr h

B(g

^x

, g

^y

, g

^xy

) → 1

x, y ←

^R

[1, q] i

− Pr h

B(g

^x

, g

^y

, g

^r

) → 1

x, y , r ←

^R

[1, q] i Adv

^CDH

(A) −

¹_q

The number of elements in G is supposed large hence 1/q is negligible.

As the DDH assumption holds, the advantage of B is negligible. Hence

the advantage of A against CDH is also negligible and the CDH

assumption holds.

(13)

CDH implies DDH

Let A be an adversary against the CDH assumption and B against DDH

Adversary B(X , Y , Z ):

if Z = A(X , Y ) then return 1 else return 0

Pr h

B(g

^x

, g

^y

, g

^xy

) → 1

x, y ←

^R

[1, q] i

− Pr h

B(g

^x

, g

^y

, g

^r

) → 1

x, y , r ←

^R

[1, q] i Adv

^CDH

(A) −

¹_q

The number of elements in G is supposed large hence 1/q is negligible.

As the DDH assumption holds, the advantage of B is negligible. Hence

the advantage of A against CDH is also negligible and the CDH

assumption holds.

(14)

CDH implies DDH

Let A be an adversary against the CDH assumption and B against DDH

Adversary B(X , Y , Z ):

if Z = A(X , Y ) then return 1 else return 0

Adv

^DDH

(B) = Pr[Exp

^DDH−1

(B) = 1] − Pr[Exp

^DDH−0

(B) = 1]

Pr h

B(g

^x

, g

^y

, g

^xy

) → 1

x, y ←

^R

[1, q] i

− Pr h

B(g

^x

, g

^y

, g

^r

) → 1

x, y, r ←

^R

[1, q] i Adv

^CDH

(A) −

¹_q

The number of elements in G is supposed large hence 1/q is negligible.

As the DDH assumption holds, the advantage of B is negligible. Hence

the advantage of A against CDH is also negligible and the CDH

(15)

Example: RSA

public private

n = pq d = e

⁻¹

mod φ(n) e (public key) (private key)

RSA Encryption

• E (m) = m

^e

mod n

• D(c) = c

^d

mod n

OW-CPA = RSA problem by definition!

(16)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(17)

Chiffrement par bloc

• m, un message clair

• c , le chiffr´ e de m

• |m| = |c | = n bits m

sk Enc

c

sk Dec

m

(18)

Mode ECB (Electronic CodeBook )

Let |m| = k · n, k > 1.

m = (m

₁

, . . . , m

_k

), |m

_i

| = n bits.

m

i

sk Enc

c

_i

c

i

sk Dec

m

_i

(19)

Mode CBC (Cipher Block Chaining )

Encryption:

Enc m

0

sk

c

₀

Enc m

1

sk

c

₁

IV

· · · · Enc m

n

sk

c

_n

If the first block has index 1, C

i

= E

K

(P

i

⊕ C

i−1

), C

0

= IV

P

_i

= D

_K

(C

_i

) ⊕ C

i−1

, C

0

= IV

(20)

Mode CBC (Cipher Block Chaining )

Decryption:

Dec

m

0

sk

c

0

Dec

m

1

sk

c

1

IV

· · · · Dec

m

n

sk

c

n

(21)

Mode CFB (Cipher FeedBack )

Encryption:

Enc

c

0

sk

m

₀

Enc

c

1

sk

m

₁

IV

· · · · Enc

c

n

sk

m

_n

C

i

= E

K

(C

i−1

) ⊕ P

i

P

_i

= E

_K

(C

i−1

) ⊕ C

_i

C

₀

= IV

(22)

Mode CFB (Cipher FeedBack )

Decryption:

Enc

m

0

sk

c

₀

Enc

m

1

sk

c

₁

IV

· · · · Enc

m

n

sk

c

_n

(23)

Mode OFB (Output FeedBack )

Encryption:

Enc

c

0

sk

m

₀

Enc

c

1

sk

m

₁

IV

· · · · Enc

c

n

sk

m

_n

C

i

= P

i

⊕ O

i

P

_i

= C

_i

⊕ O

_i

O

_i

= E

_K

(O

i−1

)

O

0

= IV

(24)

Mode OFB (Output FeedBack )

Decryption:

Enc

m

₀

sk

c

0

Enc

m

₁

sk

c

1

IV

· · · · Enc

m

_n

sk

c

n

(25)

Counter Mode (CTR)

C

0

= IV

C

i

= P

i

⊕ E

_k

(IV + i − 1)

P

i

= C

i

⊕ E

_k

(IV + i − 1)

(26)

ECB vs Others

(27)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(28)

History

• Proposed in 1998 by Ronald Cramer and Victor Shoup

• First efficient scheme proven to be IND-CCA2 in standard model.

• Extension of Elgamal Cryptosystem.

• Use of a collision-resistant hash function

Ronald Cramer and Victor Shoup. ”A practical public key

cryptosystem provably secure against adaptive chosen ciphertext

attack.” in proceedings of Crypto 1998, LNCS 1462.

(29)

Key Generation

• G a cyclic group of order q with two distinct, random generators g

1

, g

2

• Pick 5 random values (x

1

, x

2

, y

1

, y

2

, z) in {0, . . . , q − 1}

• c = g

₁^x¹

g

₂^x²

, d = g

₁^y¹

g

₂^y²

, h = g

₁^z

• Public key: (c, d , h), with G , q, g

₁

, g

₂

• Secret key: (x

1

, x

2

, y

1

, y

2

, z )

(30)

Encryption of m ∈ G with (G , q, g ₁ , g ₂ , c , d , h)

• Pick a random k ∈ {0, . . . , q − 1}

• Calculate: u

₁

= g

₁^k

, u

₂

= g

₂^k

• e = h

^k

m

• α = H(u

₁

, u

₂

, e)

• v = c

^k

d

^kα

• Ciphertext: (u

1

, u

2

, e, v)

(31)

Decryption of (u ₁ , u ₂ , e , v ) with (x ₁ , x ₂ , y ₁ , y ₂ , z )

• Compute α = H(u

₁

, u

₂

, e)

• Verify u

₁^x¹

u

₂^x²

(u

^y₁¹

u

₂^y²

)

^α

= v

• m = e /(u

^z₁

) It works because

u

₁^z

= g

₁^kz

= h

^k

m = e/h

^k

(32)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(33)

Security Models Lecture 2 Computational Security Key Privacy

Key Privacy or Key Anonymity

(34)

Security Models Lecture 2 Computational Security Key Privacy

Key Privacy or Key Anonymity

(35)

Key Privacy or Key Anonymity

SOLUTION

(36)

IKA-XXX Games

Given an encryption scheme S = (K, E, D). An adversary is a pair A = (A

₁

, A

₂

) of polynomial-time probabilistic algorithms,

b ∈ {0, 1}.

Let IKA

^b_CPA

(A) be the following algorithm:

• (pk

0

, sk

0

) ← K(η); (pk

^R ₁

, sk

1

) ← K(η).

^R

• (s, m) ← A

^R ₁

(η, pk

0

, pk

1

)

• Sample b ← {0,

^R

1}.

• b

⁰

← A

^R ₂

(η, pk , s , E(pk

_b

, m))

• return b

⁰

.

Adv

^IKAS,A^XXX

(η) =

Pr [b

⁰

←

^R

IKA

¹_XXX

(A) : b

⁰

= 1] − Pr [b

⁰

←

^R

IKA

⁰_XXX

(A) : b

⁰

= 1]

(37)

Example of Key-privacy or anonymity

• El Gamal and Cramer-Shoup are IKA secure under DDH assumption

• RSA trapdoor permutation is not anonymous

• variant of RSA-OAEP is IKA secure under assumption RSA is one-way

Reference : Key-Privacy in Public-Key Encryption by Mihir Bellare,

Alexandra Boldyreva, Anand Desai, and David Pointcheval

(38)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(39)

Digital Signature

Syntax: algorithms (KGen, Enc, Dec) such that:

• KGen(1

^λ

) : given security parameters, outputs tuple, (sk , pk ) consisting of a private/public key

• Sign(sk; m): given plaintext and secret key, outputs signature σ

• Vf(pk; m, σ) : given message, signature and public key,

outputs a bit 1 if σ checks for m, 0 otherwise

(40)

Signature Security

Correctness:

• For all tuples (sk,pk) = KGen(1

^λ

) and for all messages m ∈ M, it must hold that Vf( pk; m, Sign(sk, m)) = 1

• Sometimes we degrade it to -correctness in which the verification of a signed message fails with probability EUF-CMA:

Adversary can’t forge fresh signature (sk , pk ) = KGen(1

^λ

)

(m, σ) = A

^Sign(∗)

(pk , 1

^λ

)

Storelist Q = {(m

₁

, σ

1

), . . . , (m

k

, σ

k

)} of queries to Sign

A wins iff (m, ∗) 6∈ Q and Vf (pk , m, σ) = 1

(41)

RSA signature is Not EUF-CMA

Recall

pk = (n, e) and sk = d σ = m

^d

mod n

verify : m = σ

^e

mod n

Attack 1 : Pick a random string s compute m

⁰

= s

^e

mod N outputs (m

⁰

, s) as forgery.

Attack2 : goal forge a signature for a given message m Pick m

₁

randomly, ask σ

₁

= m

^d₁

mod n

Compute m

₂

such that m

₁

m

₂

= m mod N, and ask σ

₂

= m

^d₂

mod n

Output (m, σ

₁

σ

₂

mod N)

(42)

How to get EUF-CMA : Probabilistic Full-Domain-Hash RSA (PFRSA)

Sign: σ = (r, s) = (r, y

^d

mod n), where y = H(r ||m) and r random

Verification : s

^e

= H(r ||m)

(43)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(44)

Security Models Lecture 2 Computational Security Brithday Paradox

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

P (at least 1 collision) = 1 − P(no collision) Probability of no collision

• Try 1 : 1 − 0

• Try 2 : 1 − 1/2

^k

• Try 3 : 1 − 2/2

^k

• .. .

• Try q : 1 − (q − 1)/2

^k

P (no collision) =

i=q

Y

i=1

(1 − i/2

^k

)

(45)

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

With 2

^k

+ 1 try there is a collision

P (at least 1 collision) = 1 − P (no collision) Probability of no collision

Try 2 : 1 − 1/2

• Try 3 : 1 − 2/2

^k

• .. .

• Try q : 1 − (q − 1)/2

^k

P (no collision) =

i=q

Y

i=1

(1 − i/2

^k

)

(46)

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

With 2

^k

+ 1 try there is a collision

P (at least 1 collision) = 1 − P (no collision) Probability of no collision

• Try 1 : 1 − 0

Try 3 : 1 − 2/2

• .. .

• Try q : 1 − (q − 1)/2

^k

P (no collision) =

i=q

Y

i=1

(1 − i/2

^k

)

(47)

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

With 2

^k

+ 1 try there is a collision

P (at least 1 collision) = 1 − P (no collision) Probability of no collision

• Try 1 : 1 − 0

• Try 2 : 1 − 1/2

^k

• .. .

• Try q : 1 − (q − 1)/2

^k

P (no collision) =

i=q

Y

i=1

(1 − i/2

^k

)

(48)

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

With 2

^k

+ 1 try there is a collision

P (at least 1 collision) = 1 − P (no collision) Probability of no collision

• Try 1 : 1 − 0

• Try 2 : 1 − 1/2

^k

• Try 3 : 1 − 2/2

^k

• Try q : 1 − (q − 1)/2

^k

P (no collision) =

i=q

Y

i=1

(1 − i/2

^k

)

(49)

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

With 2

^k

+ 1 try there is a collision

P (at least 1 collision) = 1 − P (no collision) Probability of no collision

• Try 1 : 1 − 0

• Try 2 : 1 − 1/2

^k

• Try 3 : 1 − 2/2

^k

• .. .

• Try q : 1 − (q − 1)/2

^k

i=1

(50)

Birthday Paradox : Hash Function

Let an Hash function H : D → 2

^k

Na¨ıve Collision

With 2

^k

+ 1 try there is a collision

P (at least 1 collision) = 1 − P (no collision) Probability of no collision

• Try 1 : 1 − 0

• Try 2 : 1 − 1/2

^k

• Try 3 : 1 − 2/2

^k

• .. .

• Try q : 1 − (q − 1)/2

^k

i=q

(51)

Birthday Paradox : Hash Function

P(at least 1 collision) = 1 − P (no collision) Using 1 − x ≈ e

^−x

we have

1 − e

⁻^P^i=qⁱ⁼¹^(1−i/2^k⁾

= 1 − e

^{−q(q−1)/2}^k+1

(52)

If you want a probability of to have a collision

Need ot solve

= 1 − e

^{−q(q−1)/2}^k+1

q(q − 1) = 2

^k+1

ln(1/(1 − )

k ≈ sqrt(2

^k+1

ln(1/(1 − )) Examples

• =

¹₂

⇒ k ≈ 1.177sqrt(2

^k+1

)

• =

³₄

⇒ k ≈ 1.665sqrt(2

^k+1

)

• = 0.9 ⇒ k ≈ 2.146sqrt(2

^k⁺¹

)

Remark: if 2

^k+1

is 365 among 1.77sqrt (365) approx 23

(53)

Outline

1 Simple Examples of Reduction Proof Technique 2 Modes

3 Cramer-Shoup Cryptosystem 4 Key Privacy

5 Signature

6 Brithday Paradox 7 Tools

8 Conclusion

(54)

Several Tools for computational proofs

• CryptoVerif

• Easycrypt

• F*

Example: Prove properties of primitives in EasyCrypt, and use

them to prove protocols in CryptoVerif.

(55)

CryptoVerif by Bruno Blanchet (2006)

Automatic tool for the automatic reasoning about security protocols

¹

• Messages are bitstrings

• Cryptographic primitives are functions from bitstrings to bitstrings

• The adversary is a probabilistic Turing machine Version 2.04, released on Nov. 30, 2020

1http://cryptoverif.inria.fr/

(56)

CryptoVerif

• generates proofs by sequences of games.

• proves secrecy, authentication, and indistinguishability properties.

• works for N sessions (polynomial in the security parameter), with an active adversary.

• gives a bound on the probability of an attack (exact security).

• has an automatic proof strategy and can also be manually

guided.

(57)

Included

A generic method for specifying properties of cryptographic primitives:

• MACs (message authentication codes)

• symmetric encryption

• public-key encryption

• signatures

• hash functions,

• Diffie-Hellman key agreements

• ...

(58)

Workflow of CryptoVerif

Prepare the input file containing

• the specification of the protocol to study (initial game),

• the security assumptions on the cryptographic primitives,

• the security properties to prove.

Run CryptoVerif CryptoVerif outputs

the sequence of games that leads to the proof, a succinct

explanation of the transformations performed between games, an

upper bound of the probability of success of an attack.

(59)

F* (2016)

A general-purpose functional programming language with effects aimed at program verification.

https://www.fstar-lang.org/

Semi-automated verification system

Interactive proof assistant based on dependent types

F* is programmed in F*, but not (yet) verified

(60)

Project Everest

verify and deploy new, efficient HTTPS stack

• miTLS*: Verified reference implementation of TLS (1.2 and 1.3)

• HACL*: High-Assurance Cryptographic Library

• Vale: Verified Assembly Language for Everest

(61)