MATHEMATICS CRYPTOLOGY SECURITY

Jacques Stern, September 4 2009
École normale supérieure, Agence Nationale de la Recherche, INGENICO


Page 1: Title slide (title, speaker, date and affiliations as given above)

Page 2: 1968-2009

Page 3: 1968-2009: scientific overview

- Started with maths
- Went to cryptology following the inspiring discovery of RSA
- Was later challenged by real world security issues
- Will tell the story by means of examples, taking a historical perspective

Page 4: Mathematics: Borel sets

Lusin, Nicolas: Leçons sur les ensembles analytiques et leurs applications, préface de M. Henri Lebesgue, Paris: Gauthier-Villars, 1930.

Lusin's continuum problem: Is it possible to build a transfinite sequence of ℵ1 Borel sets, all of bounded rank in the Borel hierarchy?

Pictured: Николай Николаевич Лузин (Nikolai Luzin), 1883-1950

Page 5: Answer(s) to Lusin

Positive answer in F. Hausdorff, Summen von ℵ1 Mengen, Fund. Math. 26 (1936), 241-255. Pictured: Felix Hausdorff, 1868-1942.

Negative answer in J. Stern, Lusin's restricted continuum problem, Annals of Mathematics, ser. 2, vol. 120 (1984), 7-37. Pictured: Jacques Stern.

Page 6: Which mathematics?

Tools developed by Gödel and Cohen for so-called “independence proofs”. Pictured: Kurt Gödel, 1906-1978; Paul Cohen, 1934-2007.

Also, tools for “coding” Borel sets by trees, very similar to CS.

Page 7: Cryptology: Encryption

The message is encrypted by means of an encryption algorithm E; the ciphertext is recovered at the receiving end by a decryption algorithm D. The secret key needs to be previously agreed upon.

Diagram: Cleartext → E (secret key) → Ciphertext → D (secret key) → Cleartext

Page 8: Cryptology: public key

Invented 1976 by Whit Diffie & Marty Hellman. Eliminates previous agreement between parties. Achieved 1978 (RSA): Ron Rivest, Adi Shamir & Len Adleman.

Diagram: Cleartext → E (public key) → Ciphertext → D (private key) → Cleartext

Page 9: MATHEMATICS CRYPTOLOGY SECURITY · MATHEMATICS CRYPTOLOGY SECURITY Jacques Stern September 4 2009 Jacques Stern ... Also, tools for “coding” Borel tbt i il t CS Paul Cohen 1934-2007

A t i t h i ldAsymmetric cryptography yields signaturessignatures

A l i D t thApplying D to the message m creates a « signature » D

Verification only requires use of the public keyof the public keyThis « proof » can be

E

forwarded to 3rd parties

Page 10: RSA: which maths?

Modulus n and exponent e; n is the product of two primes p, q.
Encryption of x is y = x^e mod n.
Decryption of y is x = y^d mod n, with d computed from p, q (secrets): e·d = 1 mod φ(n), where φ(n) = (p-1)(q-1).

Page 11: The roots of RSA: back in 1763

Kings: Louis XV, Frederick II, Екатерина II Великая (Catherine II the Great), George IV.

Page 12: The roots of RSA: 1763

Leonard Euler, 1707-1783: king of mathematicians?

Page 13: The roots of RSA

Theoremata Arithmetica Novo Methodo Demonstrata, Novi Commentarii Academiae Scientiarum Petropolitanae 8, 1763, 74-104.

Page 14: The roots of RSA

Go to page 83. Looks like: the number of integers < n that are prime to n is equal to φ(n) = (p-1)(q-1). Next go to theorem 10 on pages 99-100.

Page 15: The roots of RSA (continued)

Go to page 83. Looks like: the number of numbers prime to n is equal to φ(n) = (p-1)(q-1). Next go to pages 99-100.

Page 16: How to practice RSA?

Diagram: the OAEP transform. M = m||0…0 (the message followed by zero padding); r is random; G and H are hash functions; the two output parts are labelled a and b.

OAEP standard: Bellare and Rogaway, 1994. Pictured: Mihir Bellare & Phil Rogaway.
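The OAEP transform of this slide written out, as an added example (not the talk's own code, and not a drop-in for the standardised RSA-OAEP encoding): G and H are instantiated with an MGF1-style hash stretcher over SHA-256, the 64/16/16-byte block, randomiser and zero-pad sizes and the fixed message length are toy parameters chosen here, and the decoder's zero-pad check is what turns a disturbed block into a rejection rather than a plaintext:

```python
import hashlib
import secrets

K, K0, K1 = 64, 16, 16           # block, random r, and zero-pad lengths in bytes (assumed toy sizes)
MLEN = K - K0 - K1               # the message length this toy instance accepts

def mgf(seed, length):           # hash-based mask generator (MGF1 over SHA-256), used for G and H
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def G(r):                        # stretches r to the length of M
    return mgf(b"G" + r, K - K0)
def H(a):                        # compresses the left half a to the length of r
    return mgf(b"H" + a, K0)
def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def oaep_encode(m, r=None):
    """Slide 16: M = m||0...0 and random r; output a = M xor G(r), b = r xor H(a)."""
    if len(m) != MLEN:
        raise ValueError("toy instance takes exactly %d-byte messages" % MLEN)
    r = secrets.token_bytes(K0) if r is None else r   # fresh r per encryption
    M = m + bytes(K1)            # M = m || 0...0
    a = xor(M, G(r))
    b = xor(r, H(a))
    return a + b                 # the K-byte block RSA would then raise to the power e

def oaep_decode(block):
    """Undo the two masks; return m, or None if the zero pad does not check out."""
    a, b = block[:K - K0], block[K - K0:]
    r = xor(b, H(a))             # right half first: recovers r
    M = xor(a, G(r))             # then the left half: recovers M
    m, pad = M[:MLEN], M[MLEN:]
    return m if pad == bytes(K1) else None
```

Flipping a single bit of b changes r, hence the whole mask G(r), so the recovered pad is no longer zero and the decoder rejects instead of returning a related plaintext.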

Page 17: How to practice RSA?

Claim: same security as RSA. 2000: proof acknowledged incorrect! 2001: correct proof in E. Fujisaki, T. Okamoto, D. Pointcheval, J. Stern, RSA-OAEP is Secure under the RSA Assumption, J. of Cryptology, 2004, 81-104.

Page 18: Which maths?

Method of “provable security” based on complexity theory & Turing machines. Pictured: Alan Turing, 1912-1954.

Minkowski's geometry of numbers. Pictured: Hermann Minkowski, 1864-1909.

Page 19: Security: real world challenges

EMV authentication is performed by having a card sign a random challenge generated by the terminal. The signature is checked using public data.

Diagram: terminal → card: random “challenge”; card → terminal: “signed” challenge.
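A worked example of the RSA maths of slide 10 (n = p·q, φ(n) = (p-1)(q-1), e·d = 1 mod φ(n)), the signature idea of slide 9 and the challenge-response of this slide, added here as an illustration and not code from the talk or from any EMV product: it is textbook RSA with toy 64-bit keys and a SHA-256 digest standing in for a proper padding scheme, and the function names, key size and 8-byte challenge are assumptions of the example:

```python
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):  # Miller-Rabin; exact, not merely probabilistic, for n < 3.1e23 with BASES
    if n < 2 or any(n % a == 0 for a in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:                       # odd candidate with the top bit set
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(p):
            return p

def keygen(bits=64, e=65537):  # slide 10: n = p*q, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this makes it invertible mod phi(n)
            return (p * q, e), (p * q, pow(e, -1, phi))   # (public), (private)

def encrypt(pub, x):                  # E: y = x^e mod n
    return pow(x, pub[1], pub[0])
def decrypt(priv, y):                 # D: x = y^d mod n
    return pow(y, priv[1], priv[0])
def digest(msg, n):                   # hash the message into Z_n (toy; real schemes pad instead)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):                  # slide 9: apply D to the message (digest)
    return decrypt(priv, digest(msg, priv[0]))
def verify(pub, msg, sig):            # anyone holding E can check, and forward the proof
    return encrypt(pub, sig) == digest(msg, pub[0])

def emv_exchange(card_priv, card_pub):  # slide 19: terminal challenge, card signs, terminal checks
    challenge = secrets.token_bytes(8)  # random challenge generated by the terminal
    return verify(card_pub, challenge, sign(card_priv, challenge))
```

The terminal never needs the card's private exponent d: the check on the last line uses only the public pair (n, e), which is the "public data" of the slide.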

Page 20: Alternatives to RSA in this setting?

SFLASH, proposed by Patarin et al. Multivariate cryptography based on polynomials over a binary finite field F(2^n). Patented, selected by the NESSIE Consortium, and recommended for low-cost smart cards.

Page 21: Attack against SFLASH

Broken in Vivien Dubois, Pierre-Alain Fouque, Adi Shamir, Jacques Stern, Practical Cryptanalysis of SFLASH, Proceedings of Crypto 2007, 1-12. Cryptanalysis based on « skew symmetric » matrices.

Pictured: Pierre-Alain Fouque, Adi Shamir & Jacques Stern; Sylvester, 1814-1897.

Page 22: Security: software vs. hardware

Theory:
- software is insecure in most environments
- it should sit on a piece of dedicated hardware in a protected environment

Diagram: “soft” layered on “hard”.

Page 23: Practice: a more intricate picture

Software and hardware are part of a longer chain. Suppliers, comms, data, users enter the picture; also time frames. Security is at the weakest link.

Diagram labels: domains, data, soft, hard, chain, time.

Page 24: Security: Massive Data Breach (2009)

(Image slide.)

Page 25: Needed: end-to-end encryption

- Preserving format of CCNs
- Based on standard encryption (DES, AES)
- Supported by provable security
- Work in progress
- Uses maths again
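One way to encrypt a card number while preserving its 16-digit format, as an added example that is not the work-in-progress scheme this slide refers to: a Feistel network over decimal strings whose round function is HMAC-SHA256 (assumed here as a stand-in for the AES-based round function a standard construction would use); the round count, key and sample PAN are constructed values:

```python
import hashlib
import hmac

ROUNDS = 10

def round_fn(key, rnd, half, width):
    """Keyed round function: HMAC-SHA256 of (round, half) reduced to a width-digit number.
    Stand-in (assumption) for the AES-based round function a standardised construction uses."""
    tag = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % 10 ** width

def fpe_encrypt(key, digits, rounds=ROUNDS):
    """Feistel network over decimal strings: a 16-digit input gives a 16-digit output,
    so the ciphertext still fits any field or validator built for a card number."""
    if not (digits.isdigit() and len(digits) % 2 == 0):
        raise ValueError("even-length digit string expected")
    u = len(digits) // 2
    left, right = digits[:u], digits[u:]
    for rnd in range(rounds):
        mixed = (int(left) + round_fn(key, rnd, right, u)) % 10 ** u
        left, right = right, str(mixed).zfill(u)      # swap halves, keep fixed width
    return left + right

def fpe_decrypt(key, digits, rounds=ROUNDS):
    u = len(digits) // 2
    left, right = digits[:u], digits[u:]
    for rnd in reversed(range(rounds)):             # run the rounds backwards
        orig = (int(right) - round_fn(key, rnd, left, u)) % 10 ** u
        left, right = str(orig).zfill(u), left
    return left + right
```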

Page 26: Conclusion

Started with maths. Became a user of (mostly) XVIIIth and XIXth century maths to solve real world security issues.