Provable Security – An Introduction
Kenny Paterson

Information Security Group
Royal Holloway, University of London

October 15th 2007, Dagstuhl

• Some history
• Digital signatures as a case study
• Scope of application for provable security
• Strengths and weaknesses
• Concluding remarks

The Ad Hoc Approach
• The prevailing approach until quite recently:
       – Prof. A proposes a protocol (e.g. for key agreement).
              • He shows that some obvious attacks are ruled out.
              • Problem of “friendly cryptanalysis”.
       – After a while, Ph.D. student B comes along and finds a clever
         attack not anticipated by Prof. A.
       – PhD student B also proposes a fix to the scheme of Prof. A
         (and gets her PhD).
       – A bit later, Dr. C shows another attack that applies to the fixed
       – Repeat ad nauseam.
• Good for publications and PhD theses, probably bad

Shannon and the One-time Pad

• Claude Shannon, “Communication Theory of
  Secrecy Systems”, Bell System Technical
  Journal, Vol 28, Oct 1949, pp 656-715.
       – Put symmetric key encryption on a firm theoretical
       – Analysed the security of the one-time pad:
              • M = m_1 m_2 … m_t – the message bits to be encrypted
              • K = k_1 k_2 … k_t – a sequence of random key bits.
              • C = c_1 c_2 … c_t – the ciphertext, where:
                     c_i = m_i + k_i mod 2

Shannon and the One-time Pad
• Shannon proved that the security of the one-
  time pad encryption system is unconditional
       – Provided K is uniformly random and is never re-
       – Security irrespective of the computing power of the
       – Proof uses concepts of entropy and information
         introduced by Shannon in 1948.
• So provable security is not a new subject.
• But use of one-time pad creates a serious key
  management problem…

Washington-Moscow Hotline

     “The USSR shall provide for preparation and delivery of keying tapes to
     the terminal point of the link in the United States for reception of
     messages from the USSR. The United States shall provide for the
     preparation and delivery of keying tapes to the terminal point of the link
     in the USSR for reception of messages from the United States. Delivery of
     prepared keying tapes to the terminal points of the link shall be effected
     through the Embassy of the USSR in Washington (for the terminal of the
     link in the USSR) and through the Embassy of the United States in
     Moscow (for the terminal of the link in the United States).”

     Extracted from “Memorandum of Understanding Between the
     United States of America and the Union of Soviet Socialist
     Republics Regarding the Establishment of a Direct
     Communications Link; June 20, 1963”.

From Shannon to the 1990s
•       Cryptography began to develop into a subject of
        academic study in the mid-to-late 1970s.
•       Key events:
       –      Development of US national standard for encryption (DES),
       –      (Public) discovery of public key cryptography, Diffie and
              Hellman, 1976.
       –      RSA algorithm, Rivest, Shamir, Adleman, 1977.
•       Until the late 1980s, most analysis was conducted
        using the ad hoc approach.
       –      With exceptions such as Shannon’s work noted.
•       In the early 1990s provable security came to the fore.

Security Models and Proofs
Typical approach:
• Define (generically) the functionality of the
   cryptographic scheme.
       –      Encryption, signature, message authentication, authenticated
              key exchange,…
•       Define the capabilities of the adversary.
•       Define the goal of the adversary.

•       Propose a concrete scheme (realise functionality).
•       Provide a proof that any adversary against the
        scheme can be used to produce an algorithm to break
        some computational problem.
•       Assume that the computational problem and its
        hardness have been well-studied.

Digital Signatures

 •      We will use digital signatures as a case-study
        to illustrate this process.
       – Initial work for signatures by Goldwasser, Micali,
         Rivest, 1988.
 •      Informally:
       – Signer produces signatures using a private key,
         verifier can check signatures using a matching
         public key.
       – Anyone can verify, but only legitimate signer with
         the private key can sign.
       – No-one other than the legitimate signer should be
         able to produce signatures.
Functionality of Digital Signatures
 •      Functionality of a digital signature scheme is
        described by three algorithms:
       – Key Generation:
              •      Given a security parameter k, produces a key-pair
       – Sign:
              •      Given a message M and the private key SK, produces a
                     signature S.
       – Verify:
              •      Given a message M, signature S, and public key PK,
                     outputs 1 or 0 (corresponding to valid or invalid).
       – Consistency requirement: if S was generated using
         the Sign algorithm on M and SK, then Verify on
         input S, M and PK outputs 1 (and 0 otherwise).
RSA Signatures

•       Key Generation(k):
       – N = pq, PK = (N, e), SK = d with ed = 1 mod (p-1)(q-1)
       – Assume N has k bits.
•       Sign:
       – S = H(M)^d mod N
       – Here H is a collision-resistant hash function
         mapping messages of arbitrary length onto
         messages of some fixed length.
       – Precise definition of H to follow.
•       Verify:
       – Compare H(M) with S^e mod N
The Role of the Security Parameter
 •      Key generation, sign and verify modelled by
        probabilistic, polynomial-time algorithms (in the
        security parameter k).
       –      Sign and Verify may be deterministic (e.g. RSA).
 •      Can think of them as Turing machines equipped with
        random tapes.
 •      k can informally be thought of as defining the size (in
        bits) of the various parameters of the scheme.
 •      More formally, provides a means to measure
        properties of algorithms and adversaries in the
        framework of polynomial-time algorithms.
 •      Concrete security as an alternative.

Security of Digital Signatures
 •      We can model the capabilities of an adversary in
        various ways:
       –      Adversary is given the public key only.
       –      Adversary is given the public key and signatures on various
       –      Adversary is given the public key and access to a signature
              oracle giving him signatures for messages of his choice.
       –      Adversary as above, and choice of messages adaptive.
 •      We can define the adversarial goal in various ways:
       –      Adversary has to find the private key.
       –      Adversary has to produce a signature on any message
              (universal forgery).
       –      Adversary has to produce a signature on some message
              (existential forgery).
Security of Digital Signatures
 •      Most conservative approach: take the strongest
        capabilities in combination with the weakest goal.
 •      For signatures: EUF-CMA, Existential UnForgeability
        against (adaptive) Chosen-Message Attacks.
 •      Model attack as a game between adversary and
       –      Challenger supplies public key PK to adversary.
       –      Adversary is an arbitrary algorithm which receives PK, makes
              signing oracle queries on messages of its choice and finally
              outputs a message M and a string S.
       –      Adversary wins the game if S is a valid signature on M and M
              was not the subject of any signing query during the game.

Security of Digital Signatures

[Figure: the EUF-CMA game between Adversary and Challenger. The adversary sends Sign query 1, Sign query 2, …, Sign query t; the challenger answers each by running Sign with the private key.]


Security of Digital Signatures
 •      Adversary wins this game if S is a valid signature for
        M and if adversary did not make sign query on M.
 •      We say that a signature scheme is secure if there is
        no polynomial-time adversary having a non-negligible
        success probability in this game.
       –      Polynomial time as a function of security parameter k.
       –      Probability of success measured over randomness used by
       –      Negligible means smaller than 1/p(k) for any polynomial p for
              all sufficiently large k(p).

Security of RSA Signatures

 •      Sign: S = H(M)^d mod N
 •      Verify: Compare H(M) with S^e mod N

 •      We cannot (currently) prove security without
        making an additional assumption about the
        hardness of some computational problem.
 •      For RSA, the appropriate problem is the RSA
        inversion problem:
       – Given N, e and a value X, find X^(1/e) mod N.
       – Believed, but not known, to be as hard as factoring.

Proving Security of RSA Signatures
 •      Main ideas:
       –      Replace challenger with a simulator which tries to solve RSA
              inversion problem.
              •      Simulator is given N, e and a value X.
       –      Model hash function by a random oracle.
              •      A random function with access to function mediated by
       –      Simulator now provides values of hash function to adversary.
              •      Adversary makes hash queries in addition to usual signing
       –      Simulator must provide simulation of challenger that is
              indistinguishable for the adversary.
       –      Can do so in such a way that simulator can answer all signing
              queries AND use adversary’s forgery to solve the RSA
              inversion problem!
              •      Simulate responses to hash queries with values satisfying
                     H(M) = S^e mod N, except one response, which is set to X.

Security of Digital Signatures

[Figure: the reduction. The Adversary's Sign query 1 (on M), Hash query 2 (answered with H(M2)), …, Sign query t are all answered by the simulator, which holds an RSA inversion instance (N, e, X) and plays the role of signing challenger and hash oracle; from the forgery (M, S) the simulator outputs X^(1/e).]

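As an added illustration (not from the slides or the speaker), a toy Python run of the reduction described on the previous two slides: the simulator plays the EUF-CMA challenger using only an RSA inversion instance (N, e, X), programs the random oracle as H(M) = S^e mod N except at one query, and turns the adversary's forgery into X^(1/e). The tiny primes, the message strings and the "forger" that simply knows d are constructed assumptions so the example runs offline.

```python
import random

# Constructed toy RSA-FDH instance: fixed small primes so the example runs
# instantly. Real schemes use primes of 1024+ bits; nothing here is secure.
P, Q, E = 1000003, 999983, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # ed = 1 mod (p-1)(q-1)


def verify(N, e, M, S, H):
    """Verify: compare H(M) with S^e mod N, with H whatever oracle is in play."""
    return pow(S, e, N) == H(M)


class Simulator:
    """Plays the EUF-CMA challenger without knowing d, holding only an RSA
    inversion instance (N, e, X). Hash queries are answered as H(M) = S^e mod N
    for a fresh random S, so the matching sign query is answered with S and the
    transcript is distributed as in the real game; the `target`-th distinct
    hash query is instead answered with X, so a forgery there has S^e = X."""

    def __init__(self, N, e, X, target):
        self.N, self.e, self.X, self.target = N, e, X, target
        self.table = {}                          # M -> (H(M), preimage S or None)
        self.signed = set()

    def hash_oracle(self, M):
        if M not in self.table:
            if len(self.table) + 1 == self.target:
                self.table[M] = (self.X, None)   # programmed slot, no preimage
            else:
                S = random.randrange(1, self.N)
                self.table[M] = (pow(S, self.e, self.N), S)
        return self.table[M][0]

    def sign_oracle(self, M):
        self.hash_oracle(M)
        S = self.table[M][1]
        if S is None:                            # wrong guess: X's e-th root is
            raise RuntimeError("abort")          # exactly what we do not know
        self.signed.add(M)
        return S

    def extract(self, M, S):
        """EUF-CMA win check (valid, and M never signed), then read off the root."""
        if M in self.signed or not verify(self.N, self.e, M, S, self.hash_oracle):
            return None
        return S if self.table[M] == (self.X, None) else None    # S^e = X


def cheating_forger(N, e, hash_oracle, sign_oracle):
    """Constructed stand-in for an arbitrary successful forger: it simply uses
    the toy private exponent D. The reduction is black-box, so any forger
    that wins the game would serve the simulator equally well."""
    for M in (b"invoice-1", b"invoice-2", b"invoice-3"):
        h = hash_oracle(M)
        assert pow(sign_oracle(M), e, N) == h    # simulation is indistinguishable
    M_star = b"transfer-all-funds"               # never sent to sign_oracle
    return M_star, pow(hash_oracle(M_star), D, N)


def reduction(X, target_guess):
    """One run on challenge X: returns X^(1/e) mod N, or None when the
    simulator guessed the wrong hash query (3 of the 4 guesses here)."""
    sim = Simulator(N, E, X, target_guess)
    try:
        M, S = cheating_forger(N, E, sim.hash_oracle, sim.sign_oracle)
    except RuntimeError:
        return None
    return sim.extract(M, S)
```

Calling `reduction(123456789, 4)` returns a root whose e-th power is 123456789 again, while any other guess yields None; that one-in-q_H chance of guessing the right hash query is the loss factor in the reduction's success probability.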
Security Reductions

 • There’s really no such thing as a security proof
   in cryptography, only security reductions:
       – “If an adversary can break this scheme, then we can
         construct an algorithm to solve some computational
       – Since the computational problem is assumed to be
         hard, we conclude that the scheme is secure.
       – Reduction concept borrowed from computational
         complexity theory.
       – Information-theoretic basis for security is possible
         but less common for schemes to be used in
Scope of Application
 • Provable security approach has been widely applied to
   basic cryptographic primitives:
       – Encryption, signature, message authentication, key exchange.
       – Symmetric and asymmetric.
       – Plus many variations: threshold, proxy, blind, designated
         verifier, deniable,…
       – Identity-based and usual public key settings, certificateless

 • Also used to study more complex primitives:
       – Group signatures, broadcast encryption, auction protocols, e-cash
         systems, and even general multi-party secure

Strengths and Weaknesses

• Security model and proof now almost de
  rigueur in academic cryptography papers.
• Provable security having increasing influence
  on cryptographic standards and practice.
       – ISO, PKCS, ANSI
       – DAA in Trusted Computing, IKE
• The provable security paradigm has both
  strengths and weaknesses…


• Builds security from bottom-up.
       – Security for high-level primitives phrased in terms of
         hardness of some low-level mathematical problem.
• Obtain a clear, well-defined and self-contained
  statement of basis for security.
       – e.g. hardness of integer factorisation, hardness of
         discrete logarithm problem in a particular class of
       – Hard problems can then be studied in isolation by
         experts (e.g. computational number theorists).
       – A form of layering or “separation of concerns”.

• Modelling steps clarify what is (and is not) expected of
  cryptographic primitives.
       – Clarify functionality of primitive AND its security.
       – Reduces possibility of unanticipated attack (cf. heuristic
• Quantities in proof can be used to drive selection of
  parameters in real-world applications.
       – Can relate time and success probability for solving hard
         problem to that of adversary in breaking scheme.
       – Requires detailed accounting of adversarial actions and
         simulator’s responses.
       – Often ignored in practice, with proof used as guide only.

• Provable security approach allows a degree of
       – Composition results have been slow in coming, but
         universal composability offers an interesting way
       – Modular approach of Bellare, Canetti, Krawczyk for
         key exchange.
              • Allows re-use of protocol components and easy
                construction of protocols with “semi-automatic” security
• Allows study of relationships between different
  security notions for a given primitive, and
  between different primitives.

• The proof of security may not be correct.
• Related to “cultural” effects:
       – Main venue for publication is conferences.
       – Tight reviewing schedules, little time for referees to
         check details of proofs.
       – Proofs often placed in appendices to meet page
         limits, or relegated to the “full version”.
       – Standards of rigour arguably not as high as in pure

Example: RSA-OAEP

       – RSA = RSA!
       – OAEP = Optimal Asymmetric Encryption Padding
       – A method for transforming “raw” RSA encryption into
         a method offering suitably strong security
         guarantees (IND-CCA security)
       – Solving a long-standing open problem.
       – Proposed and proved secure by Bellare and
         Rogaway (1994).
       – Widely standardised (e.g. in SET).

Example: RSA-OAEP

[Figure: the OAEP transform. Inputs: message m, zero padding 0, random r. s = (m||0) + G(r); t = r + H(s); x = s||t; output x^e modulo N.]

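To make the diagram concrete, here is an added byte-oriented implementation of the OAEP transform (example code, not the slides' or Bellare and Rogaway's). The slide's "+" is XOR; the SHA-256-based G and H, the fixed lengths and the omission of the final x^e mod N step are assumptions of this toy.

```python
import hashlib
import secrets

# Constructed toy OAEP parameters, byte-oriented for readability. The slide's
# "+" is XOR. G and H are SHA-256-based stand-ins for the mask functions of
# the scheme; the final RSA step x^e mod N is left out.
N_BYTES = 64                     # |x| = |s| + |t|
K0 = 16                          # |r| = |t| = |H(s)|: the random seed length
K1 = 16                          # zero bytes appended to m (the "0" in m||0)
M_BYTES = N_BYTES - K0 - K1      # 32: fixed message length in this toy


def _mask(label, seed, length):
    """Counter-mode SHA-256 expansion of seed to `length` bytes."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(label + seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def G(r):
    return _mask(b"G", r, N_BYTES - K0)      # |G(r)| = |m||0| = |s|


def H(s):
    return _mask(b"H", s, K0)                # |H(s)| = |r| = |t|


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(m, r=None):
    """x = s || t with s = (m || 0^K1) xor G(r) and t = r xor H(s)."""
    if len(m) != M_BYTES:
        raise ValueError(f"message must be exactly {M_BYTES} bytes")
    r = secrets.token_bytes(K0) if r is None else r
    s = xor(m + bytes(K1), G(r))
    t = xor(r, H(s))
    return s + t


def oaep_decode(x):
    """Undo the transform; None if the zero padding does not check out.

    Any flipped bit in x changes r or s, hence G(r), so the recovered
    padding is garbage: the redundancy is what gives OAEP its integrity
    check. A real decryptor must report every failure identically, or this
    check becomes exactly the kind of oracle the later slides discuss."""
    if len(x) != N_BYTES:
        return None
    s, t = x[:N_BYTES - K0], x[N_BYTES - K0:]
    r = xor(t, H(s))
    padded = xor(s, G(r))
    return padded[:M_BYTES] if padded[M_BYTES:] == bytes(K1) else None
```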
Example: RSA-OAEP

• Bellare and Rogaway (1994) proved that an
  adversary who can break RSA-OAEP (in a
  well-defined and strong sense) can solve the
  RSA-inversion problem.
• Proof actually works for any trapdoor one-way
• The proof was well-written, the construction
  simple and the result was rightly celebrated.

Example: RSA-OAEP

• But Shoup (2001) discovered a flaw in Bellare
  and Rogaway’s proof.
• The proof was in the literature for seven years
  before the problem was spotted.
• Fortunately, Shoup and Fujisaki et al. were
  able to repair the proof.
• Simpler constructions with security proofs were
  subsequently discovered.


• The reduction from the adversary to the
  computational problem may not be “tight”.
       – Time and success probability of algorithm to solve
         underlying hard problem may not be closely related
         to time and success probability of adversary.
       – Can only get meaningful security for scheme by
         increasing security parameter k, leading to much
         less efficient schemes.
       – Or ignore this and work with usual sizes of
         cryptographic parameters and use proof only as a
         heuristic guide?

Example: Blum-Blum-Shub
• Blum-Blum-Shub pseudo-random bit generator:
       –   N = pq is an RSA modulus with p, q = 3 mod 4.
       –   Initial seed x_0.
       –   x_i = (x_{i-1})^2 mod N.
       –   Output the j least significant bits of x_i.
• The larger j is, the faster we can generate bits.
• Security result: assuming factoring N is intractable,
  j=O(loglogN) bits can be securely extracted per
       –   Vazirani and Vazirani;
       –   Alexi, Chor, Goldreich and Schnorr;
       –   Fischlin and Schnorr;
       –   Sidorenko and Schoenmakers.
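An added Python sketch of the generator as described above (not from the slides): squaring modulo a Blum integer and emitting the j least significant bits of each x_i. The small primes and seed are constructed, and the bit budget j = floor(log2 log2 N) is the literal reading of the bound that the next slides question.

```python
import math

# Constructed toy Blum integer: both primes are = 3 mod 4 (a real BBS modulus
# needs 1024+-bit primes; these only make the example runnable).
P, Q = 1000003, 999983
N = P * Q


def is_blum_modulus(p, q):
    """BBS requires distinct primes p, q = 3 mod 4 (primality assumed here)."""
    return p != q and p % 4 == 3 and q % 4 == 3


def max_safe_bits(N):
    """Bits per iteration the security result allows: j = O(log log N).

    Taken literally as floor(log2 log2 N), as RFC 1750 phrases it; the
    Koblitz-Menezes analysis on the following slides is about whether this
    literal reading is backed by the concrete bounds in the proof."""
    return int(math.log2(math.log2(N)))


def blum_blum_shub(N, seed, j, n_bits):
    """Return n_bits pseudo-random bits as a '0'/'1' string.

    x_i = x_{i-1}^2 mod N; each iteration emits the j least significant bits
    of x_i, most significant of those first. Larger j means fewer squarings
    per output bit, which is exactly the speed/security trade-off at issue.
    """
    if not (1 < seed < N) or math.gcd(seed, N) != 1:
        raise ValueError("seed must be in (1, N) and coprime to N")
    if j < 1:
        raise ValueError("j must be at least 1")
    x, chunks = seed, []
    while len(chunks) * j < n_bits:
        x = pow(x, 2, N)
        chunks.append(format(x & ((1 << j) - 1), f"0{j}b"))
    return "".join(chunks)[:n_bits]


if __name__ == "__main__":
    assert is_blum_modulus(P, Q)
    j = max_safe_bits(N)                   # 5 for this roughly 40-bit N
    print(blum_blum_shub(N, seed=123457, j=j, n_bits=64))
    # Extracting more bits per squaring is faster but leaves the proven regime:
    print(blum_blum_shub(N, seed=123457, j=16, n_bits=64))
```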
Example: Blum-Blum-Shub

• IETF RFC 1750 (Eastlake et al.) states:
  “If you use no more than the log2 log2(x_i) low
  order bits, then predicting any additional bits
  from a sequence generated in this manner is
  provable [sic] as hard as factoring N.”
• Is this statement justified by the security proof?

Example: Blum-Blum-Shub
• Analysis by Koblitz and Menezes:
       – Take the best bounds on security and hardness of factoring
         known in the literature.
       – Apply them for j=9 and N with 768 bits, extracting M=109 bits
         from the generator.
       – Allowing a success probability of 0.01 for the adversary, what
         is the time bound on the adversary?
       – Answer: 2^(-264)
       – Yes, that is a negative sign in the exponent!
• Concrete security analysis does not always give us
  results that are useful in practice.
• In this instance, we need N with > 10000 bits for useful
  security guarantee.


• The underlying computational problem might
  turn out to be easier than expected.
       – Significant advances in algorithms for integer
         factorisation and discrete logs are rare, but do
       – The pairing-based cryptography zoo of hard
              •      BDHP, BDHE, q-BDHI, q-SDH,…
              •      Decisional variants, gap variants, multi-input variants.
              •      Dozens of new problems, all assumed to be hard.
              •      But these problems have much a shorter track record than

Further Weaknesses

• The model itself may not be correct.
       – The “right” models for apparently simple primitives
         like encryption have taken a long time to emerge.
       – Good models for more complex primitives are hard
         to establish.
       – Proxy signatures, certificateless encryption,
         intrusion-resilient cryptography as examples.
       – How do we know when the model is finally right?

Further Weaknesses

• The model of security may not be
  comprehensive enough to take into account all
  practical attacks.
       – Side-channel attacks on SSL/TLS.

Side-channel Analysis of SSL/TLS

• SSL/TLS uses symmetric cryptography as the
  workhorse for bulk data protection.
• The plaintext data is integrity-protected first,
  then encrypted.
       – cf. Horton principle.
• Typically using the HMAC algorithm and a
  block cipher in CBC-mode.
• This combination was claimed to be proven
  secure in an appropriate model by Krawczyk
  (Crypto 2001).

Side-channel Analysis of SSL/TLS

• Vaudenay (Eurocrypt 2002) introduced the
  notion of a padding oracle attack.
       – CBC mode operates on blocks of data.
       – Plaintext first needs to be padded with redundant
         data to make it fit into blocks.
       – A padding oracle tells an attacker whether or not a
         ciphertext was correctly padded.
       – Vaudenay showed that an attacker can leverage
         such an oracle to decrypt arbitrary ciphertexts.
              • Provided the oracle is available.
              • For certain padding schemes in CBC mode.

Side-channel Analysis of SSL/TLS

• Canvel et al. (Crypto 2003) showed that
  SSL/TLS as implemented in OpenSSL reveals
  a padding oracle.
       – Time difference in generation of error messages for
         failure of padding and failure of MAC (checked later
         than padding).
       – Error messages are in encrypted form and only
         differ in time by a few milliseconds.
       – Still enough of a cryptanalytic toe-hold to allow
         recovery of static authentication credentials in
         SSL/TLS-protected sessions.

Side-channel Analysis of SSL/TLS
• We have a security proof, so what went wrong?
• An example where the model in which the proof
  holds is not sufficiently broad to capture all
  practical attacks.
       – Padding oracle not part of security model.

• (Worse, Krawczyk’s proof does not actually
  apply to the combination of MAC and CBC-
  mode used in SSL/TLS!
       – Proof assumes PAD, then MAC, then CBC
              • Needed to get MAC to sit inside a single block.
       – SSL/TLS mandates MAC, PAD, then CBC).
Further Weaknesses
• A security proof is no guarantee of correct

• A protocol with a proof may not compose well with
  further protocols to produce a secure system.

• A security proof using Random Oracles may not give
  security when the random function is instantiated with a
  real hash function.
       – Pathological examples of this have been produced.
       – But schemes with proofs in the standard model tend to be less

• A scheme with a security proof may be less efficient
  than an ad hoc design.
Concluding Remarks
• Provable security provides a means to rigorize
  cryptography, replacing ad hoc approach.

• It’s far from perfect, but it’s the best formal approach for
  cryptography that we have at the moment.

• Many of the weaknesses are not unique to the provable
  security approach.

• The scope of security proofs is increasing to cover
  side-channel attacks of various kinds and to
  encompass more complex primitives and systems.
