provable security vs. efficiency in cryptographic algorithms


Page 1: Provable Security vs. Efficiency in Cryptographic Algorithms

© 2007 IBM Corporation, Cryptography Research Group

2009 Estonian Winter School in Computer Science, March 2009

Provable Security vs. Efficiency in Cryptographic Algorithms

Rosario Gennaro, IBM T.J. Watson Research Center

Page 2

Cryptography

The science of communication in the presence of an adversary
– Encryption
– Authentication

[Figure: Alice sends a message that the eavesdropper sees only as "???" (encryption); Alice announces "Hi, I am Alice" and the other party answers "Yeah, sure!" (authentication)]

Page 3

Unconditional Security?

Cryptography (in practice) cannot achieve unconditional security
– Shannon's theorem for information-theoretic security
  – To encrypt a message so that it is impossible to retrieve any information about it
  – Must use keys longer than the message
– Example: one-time pad
  – Message: n-bit string m
  – Key: n-bit random string k
  – Ciphertext: c = m ⊕ k
– Alice and Bob need to exchange a huge amount of random data in advance and keep it secret

Change focus
– Instead of trying to make it impossible to break security (gain information about a secret message, impersonate an honest party)
– Make it very, very hard
  – Computationally infeasible
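The one-time pad of this slide, as an added example that is not part of the lecture: it encrypts and decrypts with XOR and then checks Shannon's perfect-secrecy property exhaustively for small n (every message induces the same ciphertext distribution when the pad is uniform), and shows what breaks when the pad is one bit shorter than the message. All parameters and the sample message are constructed.

```python
# Added example (not from the lecture): one-time pad over bit strings and a
# brute-force check of Shannon's perfect-secrecy property for small n.
from collections import Counter
import secrets


def otp_encrypt(m: bytes, k: bytes) -> bytes:
    """c = m XOR k, byte by byte. The pad must be at least as long as the
    message; that length requirement is the point of the slide."""
    if len(k) < len(m):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(mi ^ ki for mi, ki in zip(m, k))


def otp_decrypt(c: bytes, k: bytes) -> bytes:
    # XOR with the same pad undoes the encryption: (m XOR k) XOR k = m
    return otp_encrypt(c, k)


def ciphertext_distribution(m: int, n: int) -> Counter:
    """For a fixed n-bit message m, count each ciphertext value as the key
    ranges over all 2^n n-bit pads (i.e. a uniformly random pad)."""
    return Counter(m ^ k for k in range(1 << n))


def is_perfectly_secret(n: int) -> bool:
    """Perfect secrecy: the ciphertext distribution is the same for every
    message (here: uniform over all 2^n values), so the ciphertext carries no
    information about which message was sent. Checked exhaustively."""
    reference = ciphertext_distribution(0, n)
    uniform = set(reference.values()) == {1} and len(reference) == 1 << n
    return uniform and all(
        ciphertext_distribution(m, n) == reference for m in range(1 << n)
    )


def short_pad_leaks(n: int) -> bool:
    """With only an (n-1)-bit pad secrecy fails: the messages 0 and 2^(n-1)
    produce disjoint ciphertext sets, so the ciphertext reveals the top bit."""
    pads = range(1 << (n - 1))
    c0 = {0 ^ k for k in pads}
    c1 = {(1 << (n - 1)) ^ k for k in pads}
    return c0.isdisjoint(c1)


if __name__ == "__main__":
    msg = b"attack at dawn"                 # constructed sample message
    pad = secrets.token_bytes(len(msg))     # fresh pad, as long as the message
    assert otp_decrypt(otp_encrypt(msg, pad), pad) == msg
    print("perfect secrecy for 4-bit messages:", is_perfectly_secret(4))
    print("(n-1)-bit pad leaks:", short_pad_leaks(4))
```

The exhaustive check is only feasible for tiny n, but that is enough to see the argument: the pad must supply one fresh uniform bit per message bit, which is exactly the key-exchange burden the slide complains about.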

Page 4

Computational Assumptions

Security holds if
– The adversary does not have the resources to perform a certain computational task T
– The cryptographic scheme used requires the adversary to perform T in order to break security

Page 5

Modern Theoretical Cryptography

A focus on models, formal definitions and mathematical proofs to construct cryptographic schemes
– Provable security
– Reductionist approach

Four-step process:
– (1) Model: communication channel, computational ability of parties and adversary, what is "legal" and what is not
– (2) Definition: what are we trying to achieve; precisely define security for a specific task (e.g. what is a secure digital signature?)
– (3) Design: find an algorithm to implement the desired cryptographic functionality
– (4) Proof: devise a proof such that if an adversary A
  – in the model specified in (1)
  – breaks security as defined in (2)
  – of the algorithm designed in (3)
  – then we can use A to build a new algorithm A' that solves an assumed computationally hard problem T
  – A proof in this approach resembles a complexity-theoretic reduction

Page 6

Common Cryptographic Tasks

Encryption
– Confidentiality of messages

Authentication
– Message provenance

Key exchange
– A protocol for two parties to share a key so that they can encrypt and authenticate messages to each other

Pseudo-Random Generation
– An algorithm to stretch short random seeds into longer strings that look random

Hashing
– Compress long messages into short digests
– Difficult to find two messages that hash to the same digest

Etc.

Page 7

Common Cryptographic Assumptions

Discrete logarithm [DH76]
– A cyclic group G of order q generated by g
– Choose x at random in Z_q and compute y = g^x
– Given G, g, y find x

Diffie-Hellman problem
– Given g^a, g^b (for a, b random in Z_q) compute (or decide) g^{ab}

Factoring [RSA78]
– Choose two primes p, q and compute N = pq
– Given N find p, q

RSA
– Compute e-th roots modulo N
– Given a random y in Z_N^* find x such that x^e = y mod N

Page 8

General Cryptographic Assumptions

Try to capture the essence of computational hardness:

One-way function
– f : {0,1}^n → {0,1}^n
– Choose x at random and compute y = f(x)
– Given f and y compute x (this should be infeasible)

Trapdoor variation
– It is possible to invert f if a short trapdoor is known

Page 9

A Picture Is Worth 1,000 Words

[Figure: a crypto algorithm built on top of a one-way function f; a simulated crypto algorithm drives the adversary as a black box to turn y = f(x) into x]

Page 10

The Good And The Bad

Theoretically, cryptography has been very successful
– The 70s revolutionized the field
– In the 80s and 90s the field matured
– For almost any problem we have a provably secure solution based on minimal computational assumptions

Practically, not so much
– Theoretical solutions are very inefficient
– For many problems all we have are "proofs of concept"
– In practice empirical (not provably secure) solutions are used

This series of lectures will explore this problem
– Will try to understand the reasons behind this phenomenon
– Will explore ways to get around it

Page 11

Case Study: Pseudo-Random Generation

Model:
– Parties are computationally bounded
  – Polynomial time

Definition
– A pseudorandom generator G is a deterministic algorithm
  – Input: an n-bit string s (the seed)
  – Output: an (n+k)-bit string G(s)
– The distribution of G(s) for random s is computationally indistinguishable from the uniform distribution over (n+k)-bit strings
  – For every polynomial-time adversary A
  – Prob_s[A(G(s)) = 1] ≈ Prob_y[A(y) = 1]

Page 12

Pseudo-Random Generation: Construction

Let f : {0,1}^n → {0,1}^n be a OWP (one-way permutation)

A predicate b : {0,1}^n → {0,1} is hard-core for f if
– Given y = f(x) it is infeasible to guess b(x) with probability better than ½
– [GL89] Every OWP has a HCP (hard-core predicate)
  – b(x) = ⟨r, x⟩ (inner product mod 2) for a random n-bit string r

[BMY82] Pseudo-random generator
– Given an n-bit random seed x_0
– Compute x_i = f(x_{i−1}) and b_i = b(x_i)
– Output b_0 … b_{k−1} x_k

Proof: if f is a OWP then the PRG is secure

[Figure: PRG input = x_0; each step feeds x_i into f to get x_{i+1} = f(x_i) and extracts the bit b_i]

Page 13

Lecture 2

Page 14

Pseudo-Random Generation: Construction

Let f : {0,1}^n → {0,1}^n be a OWP

A predicate b : {0,1}^n → {0,1} is hard-core for f if
– Given y = f(x) it is infeasible to guess b(x) with probability better than ½
– Every OWP has a HCP

[BMY82] Pseudo-random generator
– Given an n-bit random seed x_0
– Compute x_i = f(x_{i−1}) and b_i = b(x_i)
– Output b_0 … b_{k−1} x_k

Proof: if f is a OWP then the PRG is secure

Efficiency: one invocation of f for each pseudo-random bit

[Figure: PRG input = x_0; each step feeds x_i into f to get x_{i+1} = f(x_i) and extracts the bit b_i]

Page 15

Improving PRGs: Large Hard-Core Functions

Let f : {0,1}^n → {0,1}^n be a OWP

A function h : {0,1}^n → {0,1}^m is hard-core for f if
– Given y = f(x) the string h(x) is indistinguishable from an m-bit random string

Improving the [BMY82] PRG
– Given an n-bit random seed x_0
– Compute x_i = f(x_{i−1}) and h_i = h(x_i)
– Output h_0 … h_{k−1} x_k
– One invocation of f yields m pseudo-random bits

Are there OWPs with large hard-core functions?
– Not in general
– The GL proof can be extended to O(log n) bits

[Figure: PRG input x_0; each step feeds x_i into f to get x_{i+1} = f(x_i) and extracts h_i]
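The [BMY82] generator of slides 12 and 14, with the Goldreich-Levin predicate extended to an m-bit hard-core function as on this slide, written out as an added example that is not part of the lecture. The one-way permutation is a constructed toy RSA map x ↦ x^E mod N on Z_N (the generator uses only its input/output behaviour and never the trapdoor); the strings r_1..r_m are public parameters of the generator. Domain size and modulus are toy values.

```python
# Added example (not from the lecture): [BMY82] PRG with a GL-style m-bit
# hard-core function over a constructed toy one-way permutation.
import secrets

N, E = 3233, 17                 # constructed toy modulus 61*53 and exponent
N_BITS = N.bit_length()         # 12: domain elements are written as 12-bit strings


def f(x: int) -> int:
    """Toy one-way permutation on Z_N (RSA forward map). Treated as a black box."""
    return pow(x, E, N)


def inner_product_bit(r: int, x: int) -> int:
    """Goldreich-Levin predicate <r, x>: parity of the bitwise AND of r and x."""
    return bin(r & x).count("1") & 1


def hardcore(x: int, rs):
    """h(x) = (<r_1,x>, ..., <r_m,x>). With one r this is the GL hard-core bit;
    with m = O(log n) independent r's it is a hard-core function (this slide).
    The r's are public parameters, part of the description of the generator."""
    return [inner_product_bit(r, x) for r in rs]


def bmy_generator(seed: int, rs, k: int):
    """x_i = f(x_{i-1}), h_i = h(x_i); output h_0 ... h_{k-1} followed by x_k.
    Returns the output as a list of bits of length k*len(rs) + N_BITS."""
    x = seed
    bits = []
    for _ in range(k):
        bits.extend(hardcore(x, rs))   # h_i from the current state x_i
        x = f(x)                       # exactly one invocation of f per step
    bits.extend(int(b) for b in format(x, f"0{N_BITS}b"))   # x_k in the clear
    return bits


def stretch(seed_bits: int, rs, k: int) -> int:
    """Net pseudo-random bits gained: output length minus seed length
    (m bits per invocation of f, as the slide says)."""
    return k * len(rs) + N_BITS - seed_bits


def sample_rs(m: int):
    """Choose m public random n-bit strings r_1..r_m."""
    return [secrets.randbelow(1 << N_BITS) for _ in range(m)]


if __name__ == "__main__":
    rs = sample_rs(3)
    seed = secrets.randbelow(N)       # uniform in Z_N: the n-bit seed
    out = bmy_generator(seed, rs, 10)
    print("".join(map(str, out)), "stretch:", stretch(N_BITS, rs, 10), "bits")
```

The BBS generator of slide 27 has the same shape with f(x) = x^2 mod N and the least significant bit as hard-core predicate; the security of the loop above rests entirely on h being hard-core for f, since x_k is output in the clear.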

Page 16

A note about the construction

The PRG algorithm only uses f as an oracle
– It does not care about how f works

[Figure: PRG input = x_0; each step feeds x_i into f to get x_{i+1} = f(x_i) and extracts the bit b_i]

Page 17

A note about the proof

The proof uses the adversary only as an oracle
– It does not care how A works

[Figure: the PRG built on f; a simulated crypto algorithm uses the adversary as a black box to turn y = f(x) into x]

Page 18

Black-Box Constructions

Only input/output access
– We know nothing about how the black box operates

[Figure: as on slide 9: a crypto algorithm built on a one-way function, and a simulated crypto algorithm turning y = f(x) into x]

Page 19

Why Black-Box Constructions [IR89]

Generic
– Work for any one-way function

Focus on the computational hardness of the assumptions
– Does not use other special properties
  – E.g. homomorphic properties

Focus on the existence of a successful adversary
– Does not care how the adversary works
– A single simulator for any adversary (with oracle access)
  – rather than a different simulator for every adversary

Conceptually simple and elegant
– Many constructions are black-box

Page 20

Impossibility Results

[IR89] introduces black-box constructions to prove that key exchange cannot be based on one-way permutations
– A black-box reduction from the security of key exchange to one-way permutations is very unlikely
  – It must contain a proof that P ≠ NP

[Sim98] proves the impossibility of black-box constructions of full collision-resistant hashing based on one-way permutations

Page 21

Lower Bounds

[KSS99] Prove a lower bound on the efficiency of black-box constructions for target collision-resistant hashing based on one-way permutations
– If the hash function compresses k bits it must invoke the OWP Ω(k^{1/2}) times
– Upper bound [NY89] is O(k)

[GT00] Tight lower bounds for black-box constructions of TCR hashing and pseudo-random generation based on OWP
– If the hash function compresses k bits it must invoke the OWP Ω(k) times
– If the pseudo-random generator stretches the seed by k bits it must invoke the OWP Ω(k) times
– Matching upper bound [BMY82] of O(k)

[GGK03] Tight lower bounds for black-box constructions of encryption and signatures
– Encrypting k bits requires Ω(k) invocations of a trapdoor permutation
– Verifying the signature on a k-bit message requires Ω(k) invocations of a OWP
– Matching known upper bounds [GM84, NY88]

[HHRS07] Tight lower bound on the round complexity of black-box constructions of statistically-hiding commitments based on OWP

Page 22

Pseudo-Random Generation: Lower Bound

Black-box access
– The PRG construction does not care about the details of f
– Only input/output

We can replace f with a random permutation
– Think of it as an oracle which answers each query with a random string
– Adjusted for consistency and for being a permutation

If a random permutation is one-way then the construction must still be secure

[Figure: the PRG queries a random function f with x_i and receives x_{i+1} = f(x_i); each step yields b_i]

Page 23

Technical Theorem [IR89, GT00]

If f is a random permutation over n-bit strings, a circuit to invert it must have size Ω(2^{n/c})

Intuition
– Because the function is random
– The circuit, given y, will find x only if it queries x

[GT00] proof uses a Kolmogorov-complexity approach
– Show that if a circuit of size S inverts a permutation
– Then the permutation can be described very succinctly
– So only a few permutations can be inverted

Corollary:
– To achieve security against an adversary of size S
– It is sufficient to choose n = c log S

[Figure: the circuit queries the random function f with x_i and receives y_i = f(x_i); turning y = f(x) into x needs size Ω(2^{n/c})]

Page 24

Proof (Intuition) of Technical Theorem [GT00]

LEMMA
– Let A be a circuit that
  – Makes at most q queries to an n-bit permutation π
  – Prob_x[A(π(x)) = x] > ε
– Then π has a short description, of size
  – K = 2 log(2^n choose a) + log((2^n − a)!)
  – Where a = ε 2^n / (q+1)

Lemma yields the Theorem
– If A has size < 2^{n/5} and ε = 2^{−n/5} then only a tiny fraction of permutations can be inverted (< 2^{−n})

Proof of the Lemma
– Build a set Y ⊆ {y : A(y) = π^{−1}(y)}
  – |Y| > ε 2^n / (q+1) = a
– The permutation is defined by Y, X = π^{−1}(Y) and the values of π on {0,1}^n \ X
  – Therefore of size K
– The set X is computed by running A on each element y of Y
  – Making sure that when computing A(y) all the queries of A to π are already defined
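The step "Lemma yields the Theorem" on this slide, carried through as an added derivation (not on the original slides; N = 2^n is shorthand introduced here). Relative to the fixed circuit A, at most 2^K permutations have a K-bit description, so the fraction of permutations that A inverts is at most

$$\frac{2^{K}}{N!} = \binom{N}{a}^{2}\,\frac{(N-a)!}{N!}, \qquad N = 2^{n},\quad a = \frac{\varepsilon N}{q+1}.$$

Using $\binom{N}{a} \le (eN/a)^{a}$ and $N!/(N-a)! = N(N-1)\cdots(N-a+1) \ge (N-a)^{a}$:

$$\frac{2^{K}}{N!} \le \left(\frac{e^{2}N^{2}}{a^{2}(N-a)}\right)^{a}.$$

With $q+1 \le 2^{n/5}$ and $\varepsilon = 2^{-n/5}$ we get $a \ge 2^{3n/5}$ and $N-a \ge N/2$, so the base is at most $2e^{2}\cdot 2^{-n/5} \le 1/2$ once $n \ge 25$, and the fraction is below $2^{-a} < 2^{-n}$ because $a \ge 2^{3n/5} > n$.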

Page 25

Pseudo-Random Generation: Lower Bound [GT00]

Assume we want security against adversaries of size S
– Can use a random permutation over n = c log S bits

PRG takes a t-bit seed and outputs t+k bits
– Assume it makes q < k/n queries to the permutation

Consider PRG' that does not access the random permutation
– It takes a (t+qn)-bit seed
– Uses the first t bits to run PRG
– For each query uses n bits from the rest of the seed
– Outputs whatever PRG outputs
– It's a generator as the output is longer than the seed: t+k > t+qn

[Figure: PRG with a t-bit seed and t+k output bits querying the random permutation; PRG' with a (t+qn)-bit seed and t+k output bits making no queries]

Page 26

The "Contradiction"

If a PRG makes too few queries, then there exist PRGs that make no queries at all!

The existence of a PRG with a small number of queries implies the unconditional existence of PRGs
– Among other things this implies that OWF exist
– P ≠ NP
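The reduction of slides 25 and 26 in code, as an added example that is not part of the lecture: an oracle PRG that makes q queries to an n-bit permutation is wrapped into PRG', which makes no queries and instead answers each distinct query with the next n bits of a longer seed (repeated queries are answered consistently). PRG' stretches its seed only if k > qn, which is the bound. Sizes are constructed toy values; the slide's "adjust for a permutation" step is omitted, since fresh random n-bit answers collide with probability at most q²/2^n.

```python
# Added example (not from the lecture): PRG' of slide 25 built from an oracle PRG,
# and the stretch condition t + k > t + q*n that the argument of slide 26 needs.
import secrets

N = 8   # the permutation acts on n = 8-bit strings (constructed toy size)


def bits_to_int(bits):
    return int("".join(map(str, bits)), 2) if bits else 0


def int_to_bits(x, width):
    return [int(b) for b in format(x, f"0{width}b")]


def oracle_prg(seed_bits, oracle, q):
    """A [BMY82]-shaped oracle PRG: t = n-bit seed, q queries, one output bit
    per query (the low bit of the reply stands in for the hard-core bit) plus
    the final state. Output length t + q, i.e. stretch k = q."""
    x = bits_to_int(seed_bits)
    out = []
    for _ in range(q):
        x = oracle(x)
        out.append(x & 1)
    out.extend(int_to_bits(x, N))
    return out


def derived_prg(long_seed_bits, q, n=N):
    """PRG': a (t + q*n)-bit seed. The first t bits seed the oracle PRG; each
    distinct query is answered with the next n seed bits (a repeated query gets
    the same answer, which is the consistency adjustment); the output is
    whatever the oracle PRG outputs. No permutation oracle is ever consulted."""
    t = len(long_seed_bits) - q * n
    inner, extra = long_seed_bits[:t], long_seed_bits[t:]
    table = {}
    used = 0

    def oracle(x):
        nonlocal used
        if x not in table:
            table[x] = bits_to_int(extra[used * n:(used + 1) * n])
            used += 1
        return table[x]

    return oracle_prg(inner, oracle, q)


def derived_is_generator(t, k, q, n=N):
    """PRG' stretches its seed only if t + k > t + q*n, i.e. k > q*n. Such a
    generator would exist unconditionally (slide 26), so an oracle PRG that
    gains k bits needs at least k/n queries."""
    return t + k > t + q * n


def min_queries(k, n=N):
    """Smallest number of queries the bound allows for a stretch of k bits."""
    return -(-k // n)   # ceil(k / n)


if __name__ == "__main__":
    t, q = N, 4
    long_seed = [secrets.randbelow(2) for _ in range(t + q * N)]
    out = derived_prg(long_seed, q)
    k = len(out) - t
    print(f"PRG' seed {len(long_seed)} bits -> {len(out)} bits; "
          f"generator? {derived_is_generator(t, k, q)}; min queries {min_queries(k)}")
```

For the [BMY82]-shaped generator above, k = q < qn, so PRG' has a longer seed than output and no contradiction arises; that is exactly why one bit per query is as good as a black-box construction can do when n is a constant multiple of log S.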

Page 27

Inherent Inefficiency

If limited to black-box constructions
– Relying simply on computational hardness

Then we must invoke the OWP many times
– The invocation of the underlying crypto primitive is usually the most expensive part
  – E.g. modular exponentiations

Use a fast OWP
– BBS generator
  – OWP is f(x) = x^2 mod N
  – Rate of the PRG is 1 bit per modular multiplication

Page 28

Lecture 3

Page 29

Types of Black-Box Constructions

[Figure: the diagram of slide 18 (crypto algorithm on a one-way function; simulated crypto algorithm turning y = f(x) into x), annotated with the three types]

– Fully Black-Box
– Semi Black-Box
– Weakly Black-Box

Page 30

Non black-box constructions?

Can we use the algebraic properties of the underlying OWP?
– Unfortunately for both discrete log and RSA we know of no way of using their properties

RSA and Discrete Log have hard-core bits
– Either the generic GL bit or some well-specified bits of the input
– The usual trick can extend it to an O(log n)-size hard-core function

We do not know how to use the special properties of these functions to get larger hard-core functions
– The best PRGs follow the same structure as the black-box one

Page 31

Discrete Logarithm

Consider the case of discrete log
– A cyclic group G of order q generated by g
– Choose x at random in Z_q and compute y = g^x
– Given G, g, y find x
– Conjectured hard problem

Discrete log has a hard-core predicate
– The generic GL hard-core bit
– If q is prime, LSB(x) is hard-core

Page 32

Tweak The Computational Assumption

Consider the following variation of the discrete log assumption
– Choose x at random in [1..B] and compute y = g^x
– Discrete Log with Short Exponents (DLSE)
– Let n = |q|, k = |B| and m = n − k
– Typically n ~ 1024, k ~ 160

[PS98]
– Assume that DLSE is hard
– Choose x at random in Z_q, compute y = g^x
– Then LSB_m(x) is a hard-core function for discrete log
– m pseudo-random bits per modular exponentiation
  – Forgetting about asymptotics for a minute
  – 860 bits per modular exponentiation (~1500 modular multiplications)
  – Still not as good as BBS

Page 33

Twist The Paradigm [G00]

Assume that DLSE is hard

Choose x at random in [1..B]

The value y = g^x is computationally indistinguishable from a random value in G

Yields immediately a PRG from k bits to n bits

m pseudo-random bits per exponentiation with a small exponent
– 860 bits per 240 multiplications
– Better than BBS
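The cost comparison behind slides 32 and 33, as an added example that is not part of the lecture: square-and-multiply is instrumented to count modular multiplications, and the two generators are written side by side, [PS98] (full exponent x in Z_q, output g^x together with LSB_m(x)) and [G00] (short exponent x in [1..2^k], output g^x alone). The group Z_23^* with generator 5 is a constructed toy; the counting rule of thumb, about 1.5 multiplications per exponent bit, is what reproduces the slides' 240 and ~1500.

```python
# Added example (not from the lecture): multiplication counts for the [PS98]
# and [G00] generators, over a constructed toy group.
import secrets

# Toy group: Z_23^* generated by 5, order q = 22 (real instances: |q| ~ 1024)
P, G, Q = 23, 5, 22
N_BITS = P.bit_length()     # 5: group elements are written as n-bit strings


def modexp_counting(g: int, x: int, p: int):
    """Left-to-right square-and-multiply. Returns (g^x mod p, multiplications):
    (bits-1) squarings plus (popcount-1) multiplications by g."""
    if x == 0:
        return 1, 0
    bits = bin(x)[2:]
    result, mults = g, 0
    for b in bits[1:]:
        result = result * result % p
        mults += 1
        if b == "1":
            result = result * g % p
            mults += 1
    return result, mults


def average_mults(k: int) -> int:
    """Rule of thumb: a k-bit exponent costs about 1.5k multiplications
    (k squarings plus half as many multiplications): 240 for k = 160,
    1536 (the slide's ~1500) for k = 1024."""
    return k + k // 2


def ps98_step(x: int, m: int):
    """[PS98]: x uniform in Z_q; output g^x as n bits followed by LSB_m(x).
    n + m bits from an n-bit input, paying a full |q|-bit exponentiation."""
    y, mults = modexp_counting(G, x, P)
    out = format(y, f"0{N_BITS}b") + format(x & ((1 << m) - 1), f"0{m}b")
    return out, mults


def g00_step(x: int, k: int):
    """[G00]: x uniform in [1..2^k]; output g^x as n bits. n bits from k bits,
    so the gain is m = n - k, paying only a k-bit exponentiation."""
    assert 1 <= x <= 1 << k
    y, mults = modexp_counting(G, x, P)
    return format(y, f"0{N_BITS}b"), mults


def bits_per_multiplication(n: int, k: int):
    """Asymptotic rates for the slides' parameters: both generators gain
    m = n - k bits per exponentiation, but [PS98] pays ~1.5n multiplications
    and [G00] ~1.5k. Returns (PS98 rate, G00 rate)."""
    m = n - k
    return m / average_mults(n), m / average_mults(k)


if __name__ == "__main__":
    print("PS98 step:", ps98_step(secrets.randbelow(Q), m=2))
    print("G00 step :", g00_step(1 + secrets.randbelow(1 << 3), k=3))
    ps, g00 = bits_per_multiplication(1024, 160)
    print(f"PS98: {ps:.2f} bits/mult   G00: {g00:.2f} bits/mult   BBS: 1 bit/mult")
```

With n = 1024 and k = 160 the gain is m = 864 bits (the slides round this to 860); dividing by 1536 multiplications gives about 0.56 bits per multiplication for [PS98], below the BBS rate of 1, while dividing by 240 gives 3.6 bits per multiplication for [G00], which is the "better than BBS" claim.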

Page 34

A Win-Win Situation?

Use specific properties of the underlying primitive to improve efficiency
– If not possible for the original primitive
– Understand what you need from the primitive and tweak the assumption to get better efficiency under this "tweak"

Can we trust these "tweaked" assumptions?
– They must be chosen with care
– Analyzed thoroughly
– Must not be "too far" from the original assumption

If the assumption is true we get better schemes
– Consider the efficiency of the reduction and the potential "security loss" of the assumption

If the assumption turns out to be false we learn something new about a computationally hard problem
– An efficient algorithm to solve the DLSE problem would give great insight into the mathematics of the general discrete log problem

I asked whether a similar trick could be pulled on RSA/Factoring
– [SPW] show that if we assume that factoring is hard when k bits of p, q are known
– Then BBS can be implemented with k bits per iteration

Page 35

Some interesting questions

Better lower bounds for one-way functions?
– Clearly our OWP lower bounds apply to OWF as well
– But in this case they are not tight anymore
– The complexity of OWF constructions is usually much higher

Lower bounds for other measures of efficiency
– Protocol round complexity [HHRS07]
– Domain expansion for TCR hashing?
  – h_a : {0,1}^n → {0,1}^{n−k}
  – Known constructions to expand the domain to mn bits require log m keys
  – Is that optimal?

There are constructions which are not black-box yet are "generic"
– E.g. the construction of chosen-ciphertext secure encryption from any trapdoor permutation [DDN01]
  – The construction uses the circuit of the TP
  – By definition not black-box anymore
– Can we say something interesting about this type of construction? Lower bounds? Impossibility results?
– Is key exchange from OWP impossible even for this type of construction?

Page 36

Thank you for your attention!