Provable Security in the Computational Model
I – Basic Notions
David Pointcheval MPRI – Paris
Ecole normale superieure,´ CNRS & INRIA
ENS/CNRS/INRIA Cascade David Pointcheval 1/71 Outline
Cryptography
Provable Security
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 2/71 Cryptography Outline
Cryptography Introduction Kerckhoffs’ Principles Formal Notations
Provable Security
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 3/71 Secrecy of Communications
One ever wanted to communicate secretly
The treasure Bob is under Alice …/...
ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications
One ever wanted to communicate secretly
The treasure Bob is under Alice …/...
ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications
One ever wanted to communicate secretly
The treasure Bob is under Alice …/...
ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications
One ever wanted to communicate secretly
The treasure Bob is under Alice …/...
ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Secrecy of Communications
One ever wanted to communicate secretly
The treasure Bob is under Alice …/...
With the all-digital world, security needs are even stronger
ENS/CNRS/INRIA Cascade David Pointcheval 4/71 Old Methods
Substitutions and permutations Security relies on the secrecy of the mechanism
ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods
Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation
ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods
Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation
Alberti’s disk Mono-alphabetical Substitution
ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods
Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation
Alberti’s disk Wheel – M 94 (CSP 488) Mono-alphabetical Substitution Poly-alphabetical Substitution
ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Old Methods
Substitutions and permutations Security relies on the secrecy of the mechanism Scytale - Permutation
Alberti’s disk Wheel – M 94 (CSP 488) Mono-alphabetical Substitution Poly-alphabetical Substitution
ENS/CNRS/INRIA Cascade David Pointcheval 5/71 Outline
Cryptography Introduction Kerckhoffs’ Principles Formal Notations
Provable Security
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 6/71 Kerckhoffs’ Principles (1)
La Cryptographie Militaire (1883) Le systeme` doit etreˆ materiellement,` sinon mathematiquement,´ indechiffrable´
The system should be, if not theoretically unbreakable, unbreakable in practice
−→ If the security cannot be formally proven, heuristics should provide some confidence.
ENS/CNRS/INRIA Cascade David Pointcheval 7/71 Kerckhoffs’ Principles (1)
La Cryptographie Militaire (1883) Le systeme` doit etreˆ materiellement,` sinon mathematiquement,´ indechiffrable´
The system should be, if not theoretically unbreakable, unbreakable in practice
−→ If the security cannot be formally proven, heuristics should provide some confidence.
ENS/CNRS/INRIA Cascade David Pointcheval 7/71 Kerckhoffs’ Principles (2)
La Cryptographie Militaire (1883) Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvenient´ tomber entre les mains de l’ennemi
Compromise of the system should not inconvenience the correspondents
−→ The description of the mechanism should be public
ENS/CNRS/INRIA Cascade David Pointcheval 8/71 Kerckhoffs’ Principles (2)
La Cryptographie Militaire (1883) Il faut qu’il n’exige pas le secret, et qu’il puisse sans inconvenient´ tomber entre les mains de l’ennemi
Compromise of the system should not inconvenience the correspondents
−→ The description of the mechanism should be public
ENS/CNRS/INRIA Cascade David Pointcheval 8/71 Kerckhoffs’ Principles (3)
La Cryptographie Militaire (1883) La clef doit pouvoir en etreˆ communiquee´ et retenue sans le secours de notes ecrites,´ et etreˆ changee´ ou modifiee´ au gre´ des correspondants
The key should be rememberable without notes and should be easily changeable
−→ The parameters specific to the users (the key) should be short
ENS/CNRS/INRIA Cascade David Pointcheval 9/71 Kerckhoffs’ Principles (3)
La Cryptographie Militaire (1883) La clef doit pouvoir en etreˆ communiquee´ et retenue sans le secours de notes ecrites,´ et etreˆ changee´ ou modifiee´ au gre´ des correspondants
The key should be rememberable without notes and should be easily changeable
−→ The parameters specific to the users (the key) should be short
ENS/CNRS/INRIA Cascade David Pointcheval 9/71 Use of (Secret) Key
A shared information (secret key) between the sender and the receiver parameterizes the mechanism:
• Vigenere:` each key letter tells the shift • Enigma: connectors and rotors
ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Use of (Secret) Key
A shared information (secret key) between the sender and the receiver parameterizes the mechanism:
• Vigenere:` each key letter tells the shift • Enigma: connectors and rotors
ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Use of (Secret) Key
A shared information (secret key) between the sender and the receiver parameterizes the mechanism:
• Vigenere:` each key letter tells the shift • Enigma: connectors and rotors
ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Use of (Secret) Key
A shared information (secret key) between the sender and the receiver parameterizes the mechanism:
• Vigenere:` each key letter tells the shift • Enigma: connectors and rotors
Security looks better: but broken (Alan Turing et al.)
ENS/CNRS/INRIA Cascade David Pointcheval 10/71 Symmetric Encryption
Principles 2 and 3 define the concepts of symmetric cryptography:
1k G k k k
m E c D m
Secrecy It is impossible/hard to recover m from c only (without k)
Security It is heuristic only: 1st principle
ENS/CNRS/INRIA Cascade David Pointcheval 11/71 Symmetric Encryption
Principles 2 and 3 define the concepts of symmetric cryptography:
1k G k k k
m E c D m
Secrecy It is impossible/hard to recover m from c only (without k)
Security It is heuristic only: 1st principle
ENS/CNRS/INRIA Cascade David Pointcheval 11/71 Symmetric Encryption
Principles 2 and 3 define the concepts of symmetric cryptography:
1k G k k k
m E c D m
Secrecy It is impossible/hard to recover m from c only (without k)
Security It is heuristic only: 1st principle
ENS/CNRS/INRIA Cascade David Pointcheval 11/71 Perfect Secrecy?
Any security indeed vanished with statistical attacks!
ENS/CNRS/INRIA Cascade David Pointcheval 12/71 Perfect Secrecy?
Any security indeed vanished with statistical attacks! Perfect secrecy? Is it possible?
ENS/CNRS/INRIA Cascade David Pointcheval 12/71 Perfect Secrecy?
Any security indeed vanished with statistical attacks! Perfect secrecy? Is it possible?
Perfect Secrecy The ciphertext does not reveal any (additional) information about the plaintext: no more than known before
• a priori information about the plaintext, defined by the distribution probability of the plaintext • a posteriori information about the plaintext, defined by the distribution probability of the plaintext, given the ciphertext
Both distributions should be perfectly identical
ENS/CNRS/INRIA Cascade David Pointcheval 12/71 One-Time Pad Encryption
Vernam’s Cipher (1929) • Encryption of m ∈ {0, 1}n under the key k ∈ {0, 1}n: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c ∈ {0, 1}n under the key k ∈ {0, 1}n: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m
ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption
Vernam’s Cipher (1929) • Encryption of m ∈ {0, 1}n under the key k ∈ {0, 1}n: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c ∈ {0, 1}n under the key k ∈ {0, 1}n: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m
ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption
Vernam’s Cipher (1929) • Encryption of m ∈ {0, 1}n under the key k ∈ {0, 1}n: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c ∈ {0, 1}n under the key k ∈ {0, 1}n: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m
ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption
Vernam’s Cipher (1929) • Encryption of m ∈ {0, 1}n under the key k ∈ {0, 1}n: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c ∈ {0, 1}n under the key k ∈ {0, 1}n: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m
Which message is encrypted in the ciphertext c ∈ {0, 1}n?
ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption
Vernam’s Cipher (1929) • Encryption of m ∈ {0, 1}n under the key k ∈ {0, 1}n: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c ∈ {0, 1}n under the key k ∈ {0, 1}n: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m
Which message is encrypted in the ciphertext c ∈ {0, 1}n? For any candidate m ∈ {0, 1}n, the key k = c ⊕ m would lead to c
ENS/CNRS/INRIA Cascade David Pointcheval 13/71 One-Time Pad Encryption
Vernam’s Cipher (1929) • Encryption of m ∈ {0, 1}n under the key k ∈ {0, 1}n: m = 1 0 0 1 0 1 1 plaintext ⊕ XOR (+ modulo 2) k = 1 1 0 1 0 0 0 key = random mask = c = 0 1 0 0 0 1 1 ciphertext • Decryption of c ∈ {0, 1}n under the key k ∈ {0, 1}n: c ⊕ k = (m ⊕ k) ⊕ k = m ⊕ (k ⊕ k) = m
Which message is encrypted in the ciphertext c ∈ {0, 1}n? For any candidate m ∈ {0, 1}n, the key k = c ⊕ m would lead to c ⇒ no information about m is leaked with c!
ENS/CNRS/INRIA Cascade David Pointcheval 13/71 Information Theory
Drawbacks • The key must be as long as the plaintext • This key must be used once only (one-time pad)
Theorem (Shannon – 1949) To achieve perfect secrecy, A and B have to share a common string truly random and as long as the whole communication.
Thus, the above one-time pad technique is optimal. . .
ENS/CNRS/INRIA Cascade David Pointcheval 14/71 Information Theory
Drawbacks • The key must be as long as the plaintext • This key must be used once only (one-time pad)
Theorem (Shannon – 1949) To achieve perfect secrecy, A and B have to share a common string truly random and as long as the whole communication.
Thus, the above one-time pad technique is optimal. . .
ENS/CNRS/INRIA Cascade David Pointcheval 14/71 Information Theory
Drawbacks • The key must be as long as the plaintext • This key must be used once only (one-time pad)
Theorem (Shannon – 1949) To achieve perfect secrecy, A and B have to share a common string truly random and as long as the whole communication.
Thus, the above one-time pad technique is optimal. . .
ENS/CNRS/INRIA Cascade David Pointcheval 14/71 Practical Secrecy
Perfect Secrecy vs. Practical Secrecy • No information about the plaintext m is in the ciphertext c without the knowledge of the key k ⇒ information theory No information about the plaintext m can be extracted from the ciphertext c, even for a powerful adversary (unlimited time and/or unlimited power): perfect secrecy • In practice: adversaries are limited in time/power ⇒ complexity theory
ENS/CNRS/INRIA Cascade David Pointcheval 15/71 Practical Secrecy
Perfect Secrecy vs. Practical Secrecy • No information about the plaintext m is in the ciphertext c without the knowledge of the key k ⇒ information theory No information about the plaintext m can be extracted from the ciphertext c, even for a powerful adversary (unlimited time and/or unlimited power): perfect secrecy • In practice: adversaries are limited in time/power ⇒ complexity theory
ENS/CNRS/INRIA Cascade David Pointcheval 15/71 Practical Secrecy
Perfect Secrecy vs. Practical Secrecy • No information about the plaintext m is in the ciphertext c without the knowledge of the key k ⇒ information theory No information about the plaintext m can be extracted from the ciphertext c, even for a powerful adversary (unlimited time and/or unlimited power): perfect secrecy • In practice: adversaries are limited in time/power ⇒ complexity theory
Shannon also showed that combining appropriately permutations and substitutions can hide information: extracting information from the ciphertext is time consuming
ENS/CNRS/INRIA Cascade David Pointcheval 15/71 Modern Symmetric Encryption: DES and AES
Combination of substitutions and permutations
DES (1977) AES (2001) Data Encryption Standard Advanced Encryption Standard
ENS/CNRS/INRIA Cascade David Pointcheval 16/71 Modern Symmetric Encryption: DES and AES
Combination of substitutions and permutations
DES (1977) AES (2001) Data Encryption Standard Advanced Encryption Standard
ENS/CNRS/INRIA Cascade David Pointcheval 16/71 Modern Symmetric Encryption: DES and AES
Combination of substitutions and permutations
DES (1977) AES (2001) Data Encryption Standard Advanced Encryption Standard
ENS/CNRS/INRIA Cascade David Pointcheval 16/71 Modern Symmetric Encryption: DES and AES
Combination of substitutions and permutations
DES (1977) AES (2001) Data Encryption Standard Advanced Encryption Standard
ENS/CNRS/INRIA Cascade David Pointcheval 16/71 Modern Symmetric Encryption: DES and AES
Combination of substitutions and permutations
DES (1977) AES (2001) Data Encryption Standard Advanced Encryption Standard
ENS/CNRS/INRIA Cascade David Pointcheval 16/71 Outline
Cryptography Introduction Kerckhoffs’ Principles Formal Notations
Provable Security
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 17/71 Symmetric Encryption: Formalism
Symmetric Encryption – Secret Key Encryption One secret key only shared by Alice and Bob: this is a common parameter for the encryption and the decryption algorithms This secret key has a symmetric capability
1k G k k k
m E c D m
ENS/CNRS/INRIA Cascade David Pointcheval 18/71 Symmetric Encryption: Formalism
Symmetric Encryption – Secret Key Encryption One secret key only shared by Alice and Bob: this is a common parameter for the encryption and the decryption algorithms This secret key has a symmetric capability
1k G k k k
m E c D m
The secrecy of the key k guarantees the secrecy of communications but requires such a common secret key!
ENS/CNRS/INRIA Cascade David Pointcheval 18/71 Symmetric Encryption: Formalism
Symmetric Encryption – Secret Key Encryption One secret key only shared by Alice and Bob: this is a common parameter for the encryption and the decryption algorithms This secret key has a symmetric capability
1k G k k k
m E c D m
The secrecy of the key k guarantees the secrecy of communications but requires such a common secret key!
How can we establish such a common secret key? Or, how to avoid it?
ENS/CNRS/INRIA Cascade David Pointcheval 18/71 Asymmetric Encryption: Intuition [Diffie-Hellman 1976]
Secrecy • The recipient only should be able to open the message • No requirement about the sender
Why would the sender need a secret key to encrypt a message?
ENS/CNRS/INRIA Cascade David Pointcheval 19/71 Asymmetric Encryption: Intuition [Diffie-Hellman 1976]
Secrecy • The recipient only should be able to open the message • No requirement about the sender
Why would the sender need a secret key to encrypt a message?
Alice The treasure is under …/...
Bob
ENS/CNRS/INRIA Cascade David Pointcheval 19/71 Asymmetric Encryption: Intuition [Diffie-Hellman 1976]
Secrecy • The recipient only should be able to open the message • No requirement about the sender
Why would the sender need a secret key to encrypt a message?
Alice
Bob
ENS/CNRS/INRIA Cascade David Pointcheval 19/71 Asymmetric Encryption: Intuition [Diffie-Hellman 1976]
Secrecy • The recipient only should be able to open the message • No requirement about the sender
Why would the sender need a secret key to encrypt a message?
Alice
Bob
ENS/CNRS/INRIA Cascade David Pointcheval 19/71 Asymmetric Encryption: Intuition [Diffie-Hellman 1976]
Secrecy • The recipient only should be able to open the message • No requirement about the sender
Why would the sender need a secret key to encrypt a message?
Alice
Bob
ENS/CNRS/INRIA Cascade David Pointcheval 19/71 Asymmetric Encryption: Intuition [Diffie-Hellman 1976]
Secrecy • The recipient only should be able to open the message • No requirement about the sender
Why would the sender need a secret key to encrypt a message?
Alice
Bob
The treasure is under …/...
ENS/CNRS/INRIA Cascade David Pointcheval 19/71 Asymmetric Encryption: Formalism
Public Key Cryptography – Diffie-Hellman (1976) • Bob’s public key is used by Alice as a parameter to encrypt a message to Bob • Bob’s private key is used by Bob as a parameter to decrypt ciphertexts
Asymmetric cryptography extends the 2nd principle:
1k G (pk,sk) pk sk
m E c D m
ENS/CNRS/INRIA Cascade David Pointcheval 20/71 Asymmetric Encryption: Formalism
Public Key Cryptography – Diffie-Hellman (1976) • Bob’s public key is used by Alice as a parameter to encrypt a message to Bob • Bob’s private key is used by Bob as a parameter to decrypt ciphertexts
Asymmetric cryptography extends the 2nd principle:
1k G (pk,sk) pk sk
m E c D m
The secrecy of the private key sk guarantees the secrecy of communications
ENS/CNRS/INRIA Cascade David Pointcheval 20/71 Provable Security Outline
Cryptography
Provable Security Definition Computational Assumptions Some Reductions
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 21/71 What is a Secure Cryptographic Scheme/Protocol?
• Symmetric encryption: The secrecy of the key k guarantees the secrecy of communications • Asymmetric encryption: The secrecy of the private key sk guarantees the secrecy of communications
• What does mean secrecy? → Security notions have to be formally defined • How to guarantee above security claims for concrete schemes? → Provable security
ENS/CNRS/INRIA Cascade David Pointcheval 22/71 What is a Secure Cryptographic Scheme/Protocol?
• Symmetric encryption: The secrecy of the key k guarantees the secrecy of communications • Asymmetric encryption: The secrecy of the private key sk guarantees the secrecy of communications
• What does mean secrecy? → Security notions have to be formally defined • How to guarantee above security claims for concrete schemes? → Provable security
ENS/CNRS/INRIA Cascade David Pointcheval 22/71 What is a Secure Cryptographic Scheme/Protocol?
• Symmetric encryption: The secrecy of the key k guarantees the secrecy of communications • Asymmetric encryption: The secrecy of the private key sk guarantees the secrecy of communications
• What does mean secrecy? → Security notions have to be formally defined • How to guarantee above security claims for concrete schemes? → Provable security
ENS/CNRS/INRIA Cascade David Pointcheval 22/71 What is a Secure Cryptographic Scheme/Protocol?
• Symmetric encryption: The secrecy of the key k guarantees the secrecy of communications • Asymmetric encryption: The secrecy of the private key sk guarantees the secrecy of communications
• What does mean secrecy? → Security notions have to be formally defined • How to guarantee above security claims for concrete schemes? → Provable security
ENS/CNRS/INRIA Cascade David Pointcheval 22/71 What is a Secure Cryptographic Scheme/Protocol?
• Symmetric encryption: The secrecy of the key k guarantees the secrecy of communications • Asymmetric encryption: The secrecy of the private key sk guarantees the secrecy of communications
• What does mean secrecy? → Security notions have to be formally defined • How to guarantee above security claims for concrete schemes? → Provable security
ENS/CNRS/INRIA Cascade David Pointcheval 22/71 Provable Security
One can prove that:
• if an adversary is able to break the cryptographic scheme • then one can break a well-known hard problem
ENS/CNRS/INRIA Cascade David Pointcheval 23/71 Provable Security
One can prove that:
• if an adversary is able to break the cryptographic scheme • then one can break a well-known hard problem
→ hard →solution instance
ENS/CNRS/INRIA Cascade David Pointcheval 23/71 General Method
Computational Security Proofs In order to prove the security of a cryptographic scheme/protocol, one needs
• a formal security model (security notions) • acceptable computational assumptions (hard problems) • a reduction: if one can break the security notions, then one can break the hard problem
ENS/CNRS/INRIA Cascade David Pointcheval 24/71 General Method
Computational Security Proofs In order to prove the security of a cryptographic scheme/protocol, one needs
• a formal security model (security notions) • acceptable computational assumptions (hard problems) • a reduction: if one can break the security notions, then one can break the hard problem
ENS/CNRS/INRIA Cascade David Pointcheval 24/71 General Method
Computational Security Proofs In order to prove the security of a cryptographic scheme/protocol, one needs
• a formal security model (security notions) • acceptable computational assumptions (hard problems) • a reduction: if one can break the security notions, then one can break the hard problem
ENS/CNRS/INRIA Cascade David Pointcheval 24/71 General Method
Computational Security Proofs In order to prove the security of a cryptographic scheme/protocol, one needs
• a formal security model (security notions) • acceptable computational assumptions (hard problems) • a reduction: if one can break the security notions, then one can break the hard problem
ENS/CNRS/INRIA Cascade David Pointcheval 24/71 General Method
Computational Security Proofs In order to prove the security of a cryptographic scheme/protocol, one needs
• a formal security model (security notions) • acceptable computational assumptions (hard problems) • a reduction: if one can break the security notions, then one can break the hard problem
Security Game Oracles
Adversary Challenger 0 / 1
ENS/CNRS/INRIA Cascade David Pointcheval 24/71 General Method
Computational Security Proofs In order to prove the security of a cryptographic scheme/protocol, one needs
• a formal security model (security notions) • acceptable computational assumptions (hard problems) • a reduction: if one can break the security notions, then one can break the hard problem
Security Game Reduction S Oracles Oracles im u la to r
In s ta n c e
S o Adversary Challenger Adversary Challenger lu 0 / 1 tio n
ENS/CNRS/INRIA Cascade David Pointcheval 24/71 Outline
Cryptography
Provable Security Definition Computational Assumptions Some Reductions
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 25/71 Integer Factoring [Lenstra-Verheul 2000]
Integer Factoring • Given n = pq • Find p and q
Year Required Complexity n bitlength before 2000 64 768 before 2010 80 1024 before 2020 112 2048 before 2030 128 3072 192 7680 256 15360
Note that the reduction may be lossy: extra bits are then required
ENS/CNRS/INRIA Cascade David Pointcheval 26/71 Integer Factoring Records
Integer Factoring • Given n = pq • Find p and q
Digits Date Details 129 April 1994 Quadratic Sieve 130 April 1996 Algebraic Sieve 140 February 1999 155 August 1999 512 bits 160 April 2003 200 May 2005 232 December 2009 768 bits
ENS/CNRS/INRIA Cascade David Pointcheval 27/71 Integer Factoring Variants
RSA [Rivest-Shamir-Adleman 1978] ? • Given n = pq, e and y ∈ Zn • Find x such that y = xe mod n
Note that this problem is hard without the prime factors p and q, but becomes easy with them: if d = e−1 mod ϕ(n), then x = y d mod n
Flexible RSA [Baric-Pfitzmann and Fujisaki-Okamoto 1997] ? • Given n = pq and y ∈ Zn • Find x and e > 1 such that y = xe mod n
Both problems are assumed as hard as integer factoring: the prime factors are a trapdoor to find solutions
ENS/CNRS/INRIA Cascade David Pointcheval 28/71 Integer Factoring Variants
RSA [Rivest-Shamir-Adleman 1978] ? • Given n = pq, e and y ∈ Zn • Find x such that y = xe mod n
Note that this problem is hard without the prime factors p and q, but becomes easy with them: if d = e−1 mod ϕ(n), then x = y d mod n
Flexible RSA [Baric-Pfitzmann and Fujisaki-Okamoto 1997] ? • Given n = pq and y ∈ Zn • Find x and e > 1 such that y = xe mod n
Both problems are assumed as hard as integer factoring: the prime factors are a trapdoor to find solutions
ENS/CNRS/INRIA Cascade David Pointcheval 28/71 Integer Factoring Variants
RSA [Rivest-Shamir-Adleman 1978] ? • Given n = pq, e and y ∈ Zn • Find x such that y = xe mod n
Note that this problem is hard without the prime factors p and q, but becomes easy with them: if d = e−1 mod ϕ(n), then x = y d mod n
Flexible RSA [Baric-Pfitzmann and Fujisaki-Okamoto 1997] ? • Given n = pq and y ∈ Zn • Find x and e > 1 such that y = xe mod n
Both problems are assumed as hard as integer factoring: the prime factors are a trapdoor to find solutions
ENS/CNRS/INRIA Cascade David Pointcheval 28/71 Discrete Logarithm
Discrete Logarithm Problem • Given G = hgi a cyclic group of order q, and y ∈ G • Find x such that y = gx
? Possible groups: G ∈ (Zp, ×), or an elliptic curve
(Computational) Diffie Hellman Problem • Given G = hgi a cyclic group of order q, and X = gx , Y = gy • Find Z = gxy
The knowledge of x or y helps to solve this problem (trapdoor)
ENS/CNRS/INRIA Cascade David Pointcheval 29/71 Discrete Logarithm
Discrete Logarithm Problem • Given G = hgi a cyclic group of order q, and y ∈ G • Find x such that y = gx
? Possible groups: G ∈ (Zp, ×), or an elliptic curve
(Computational) Diffie Hellman Problem • Given G = hgi a cyclic group of order q, and X = gx , Y = gy • Find Z = gxy
The knowledge of x or y helps to solve this problem (trapdoor)
ENS/CNRS/INRIA Cascade David Pointcheval 29/71 Success Probabilities
For any computational problem P, we quantify the quality of an adversary A by its success probability in finding the solution:
SuccP (A) = Pr[A(instance) → solution].
We quantify the hardness of the problem by the success probability of
the best adversary within time t: Succ(t) = max|A|≤t {Succ(A)}. Note that the probability space can be restricted: some inputs are fixed, and others only are randomly chosen. Discrete Logarithm Problem We usually fix the group G = hgi of order q, and the generator g, but x is randomly chosen: Succdlp(A) = Pr [A(gx ) → x]. G R x←Zq
ENS/CNRS/INRIA Cascade David Pointcheval 30/71 Success Probabilities
For any computational problem P, we quantify the quality of an adversary A by its success probability in finding the solution:
SuccP (A) = Pr[A(instance) → solution].
We quantify the hardness of the problem by the success probability of
the best adversary within time t: Succ(t) = max|A|≤t {Succ(A)}. Note that the probability space can be restricted: some inputs are fixed, and others only are randomly chosen. Discrete Logarithm Problem We usually fix the group G = hgi of order q, and the generator g, but x is randomly chosen: Succdlp(A) = Pr [A(gx ) → x]. G R x←Zq
ENS/CNRS/INRIA Cascade David Pointcheval 30/71 Success Probabilities
For any computational problem P, we quantify the quality of an adversary A by its success probability in finding the solution:
SuccP (A) = Pr[A(instance) → solution].
We quantify the hardness of the problem by the success probability of
the best adversary within time t: Succ(t) = max|A|≤t {Succ(A)}. Note that the probability space can be restricted: some inputs are fixed, and others only are randomly chosen. Discrete Logarithm Problem We usually fix the group G = hgi of order q, and the generator g, but x is randomly chosen: Succdlp(A) = Pr [A(gx ) → x]. G R x←Zq
ENS/CNRS/INRIA Cascade David Pointcheval 30/71 Success Probabilities
For any computational problem P, we quantify the quality of an adversary A by its success probability in finding the solution:
SuccP (A) = Pr[A(instance) → solution].
We quantify the hardness of the problem by the success probability of
the best adversary within time t: Succ(t) = max|A|≤t {Succ(A)}. Note that the probability space can be restricted: some inputs are fixed, and others only are randomly chosen. Discrete Logarithm Problem We usually fix the group G = hgi of order q, and the generator g, but x is randomly chosen: Succdlp(A) = Pr [A(gx ) → x]. G R x←Zq
ENS/CNRS/INRIA Cascade David Pointcheval 30/71 Decisional Problem
(Decisional) Diffie Hellman Problem • Given G = hgi a cyclic group of order q, and X = gx , Y = gy , as well as a candidate Z ∈ G • Decide whether Z = gxy
The adversary is called a distinguisher (outputs 1 bit). A good distinguisher should behave in significantly different manners according to the input distribution:
ddh(A) = Pr[A( , , ) = | = xy ] AdvG X Y Z 1 Z g R − Pr[A(X, Y , Z ) = 1|Z ← G]
ENS/CNRS/INRIA Cascade David Pointcheval 31/71 Outline
Cryptography
Provable Security Definition Computational Assumptions Some Reductions
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 32/71 DDH ≤ CDH ≤ DLP
CDH ≤ DLP Let A be an adversary against the DLP within time t, then we build an adversary B against the CDH: given X and Y , B runs A on X, 0 that outputs x0 (correct or not); then B outputs Y x . The running time t0 of B is the same as A, plus one exponentiation:
cdh( 0) ≥ cdh(B) = Pr[B( , ) → xy = x ] SuccG t SuccG X Y g Y = Pr[A(X) → x] = Succdlp(A) G
Taking the maximum on the adversaries A:
Succcdh(t + τ ) ≥ Succdlp(t) G exp G
ENS/CNRS/INRIA Cascade David Pointcheval 33/71 DDH ≤ CDH ≤ DLP
CDH ≤ DLP Let A be an adversary against the DLP within time t, then we build an adversary B against the CDH: given X and Y , B runs A on X, 0 that outputs x0 (correct or not); then B outputs Y x . The running time t0 of B is the same as A, plus one exponentiation:
cdh( 0) ≥ cdh(B) = Pr[B( , ) → xy = x ] SuccG t SuccG X Y g Y = Pr[A(X) → x] = Succdlp(A) G
Taking the maximum on the adversaries A:
Succcdh(t + τ ) ≥ Succdlp(t) G exp G
ENS/CNRS/INRIA Cascade David Pointcheval 33/71 DDH ≤ CDH ≤ DLP
DDH ≤ CDH Let A be an adversary against the CDH within time t, we build an adversary B against the DDH: given X, Y and Z, B runs A on (X, Y ), that outputs Z 0; then B outputs 1 if Z 0 = Z and 0 otherwise. B A Advddh( ) The running time of is the same as : G t is greater than
Advddh(B) = Pr[B → 1|Z = gxy ] − Pr[B → 1|Z ←R ] G G
xy R = Pr[A(X, Y ) → Z |Z = g ] − Pr[A(X, Y ) → Z|Z ← G]
xy R = Pr[A(X, Y ) → g ] − Pr[A(X, Y ) → Z |Z ← G]
= Succcdh(A) − 1/q G Taking the maximum on the adversaries A: ddh( ) ≥ cdh( ) − / AdvG t SuccG t 1 q ENS/CNRS/INRIA Cascade David Pointcheval 34/71 DDH ≤ CDH ≤ DLP
DDH ≤ CDH Let A be an adversary against the CDH within time t, we build an adversary B against the DDH: given X, Y and Z, B runs A on (X, Y ), that outputs Z 0; then B outputs 1 if Z 0 = Z and 0 otherwise. B A Advddh( ) The running time of is the same as : G t is greater than
Advddh(B) = Pr[B → 1|Z = gxy ] − Pr[B → 1|Z ←R ] G G
xy R = Pr[A(X, Y ) → Z |Z = g ] − Pr[A(X, Y ) → Z|Z ← G]
xy R = Pr[A(X, Y ) → g ] − Pr[A(X, Y ) → Z |Z ← G]
= Succcdh(A) − 1/q G Taking the maximum on the adversaries A: ddh( ) ≥ cdh( ) − / AdvG t SuccG t 1 q ENS/CNRS/INRIA Cascade David Pointcheval 34/71 Distribution Indistinguishability
Indistinguishabilities
Let D0 and D1, two distributions on a finite set X:
• D0 and D1 are perfectly indistinguishable if
X Dist(D0, D1) = Pr [a = x] − Pr [a = x] = 0 a∈D1 a∈D0 x∈X
• D0 and D1 are statistically indistinguishable if
X Dist(D0, D1) = Pr [a = x] − Pr [a = x] = negl() a∈D1 a∈D0 x∈X
ENS/CNRS/INRIA Cascade David Pointcheval 35/71 Distribution Indistinguishability
Indistinguishabilities
Let D0 and D1, two distributions on a finite set X:
• D0 and D1 are perfectly indistinguishable if
X Dist(D0, D1) = Pr [a = x] − Pr [a = x] = 0 a∈D1 a∈D0 x∈X
• D0 and D1 are statistically indistinguishable if
X Dist(D0, D1) = Pr [a = x] − Pr [a = x] = negl() a∈D1 a∈D0 x∈X
ENS/CNRS/INRIA Cascade David Pointcheval 35/71 Distribution Indistinguishability
Indistinguishabilities
Let D0 and D1, two distributions on a finite set X:
• D0 and D1 are perfectly indistinguishable if
X Dist(D0, D1) = Pr [a = x] − Pr [a = x] = 0 a∈D1 a∈D0 x∈X
• D0 and D1 are statistically indistinguishable if
X Dist(D0, D1) = Pr [a = x] − Pr [a = x] = negl() a∈D1 a∈D0 x∈X
ENS/CNRS/INRIA Cascade David Pointcheval 35/71 Distribution Indistinguishability
Computational Indistinguishability
Let D0 and D1, two distributions on a finite set X,
• a distinguisher A between D0 and D1 is characterized by its advantage
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0
• the computational indistinguishability of D0 and D1 is measured by AdvD0,D1 (t) = max{AdvD0,D1 (A)} |A|≤t
ENS/CNRS/INRIA Cascade David Pointcheval 36/71 Distribution Indistinguishability
Computational Indistinguishability
Let D0 and D1, two distributions on a finite set X,
• a distinguisher A between D0 and D1 is characterized by its advantage
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0
• the computational indistinguishability of D0 and D1 is measured by AdvD0,D1 (t) = max{AdvD0,D1 (A)} |A|≤t
ENS/CNRS/INRIA Cascade David Pointcheval 36/71 Distribution Indistinguishability
Computational Indistinguishability
Let D0 and D1, two distributions on a finite set X,
• a distinguisher A between D0 and D1 is characterized by its advantage
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0
• the computational indistinguishability of D0 and D1 is measured by AdvD0,D1 (t) = max{AdvD0,D1 (A)} |A|≤t
ENS/CNRS/INRIA Cascade David Pointcheval 36/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = 1]
− Pr[b ← 0; a ∈ Db : A(a) = 1]|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = 1]
− Pr[b ← 0; a ∈ Db : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = 1]
−1 + Pr[b ← 0; a ∈ Db : A(a) = 0]|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = 1]
−1 + Pr[b ← 0; a ∈ Db : A(a) = 0]|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = 1]
−1 + Pr[b ← 0; a ∈ Db : A(a) = 0]|
= |Pr[b ← 1; a ∈ Db : A(a) = b]
+ Pr[b ← 0; a ∈ Db : A(a) = b] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = b]
+ Pr[b ← 0; a ∈ Db : A(a) = b] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[b ← 1; a ∈ Db : A(a) = b]
+ Pr[b ← 0; a ∈ Db : A(a) = b] − 1|
= |Pr[a ∈ Db : A(a) = b ∧ b = 1]/ Pr[b = 1]
+ Pr[a ∈ Db : A(a) = b ∧ b = 0]/ Pr[b = 0] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[a ∈ Db : A(a) = b ∧ b = 1]/ Pr[b = 1]
+ Pr[a ∈ Db : A(a) = b ∧ b = 0]/ Pr[b = 0] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |Pr[a ∈ Db : A(a) = b ∧ b = 1]/ Pr[b = 1]
+ Pr[a ∈ Db : A(a) = b ∧ b = 0]/ Pr[b = 0] − 1|
= |2 × Pr[a ∈ Db : A(a) = b ∧ b = 1]
+2 × Pr[a ∈ Db : A(a) = b ∧ b = 0] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |2 × Pr[a ∈ Db : A(a) = b ∧ b = 1]
+2 × Pr[a ∈ Db : A(a) = b ∧ b = 0] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |2 × Pr[a ∈ Db : A(a) = b ∧ b = 1]
+2 × Pr[a ∈ Db : A(a) = b ∧ b = 0] − 1|
= |2 × Pr[a ∈ Db : A(a) = b] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
= |2 × Pr[a ∈ Db : A(a) = b] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Computational Indistinguishability
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D1 a∈D0 = |Pr[a ∈ D1 : A(a) = 1] − Pr[a ∈ D0 : A(a) = 1]|
Equivalent Notation
Let D0 and D1, two distributions on a finite set X,
D0,D1 Adv (A) = |2 × Pr[a ∈ Db : A(a) = b] − 1|
ENS/CNRS/INRIA Cascade David Pointcheval 37/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D0 a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
D ,D Adv 0 1 (A) = Pr [A(a) = 1] − Pr [A(a) = 1] a∈D0 a∈D1
X Pra∈D [A(a) = 1 ∧ a = x] ≤ 0 − Pr [A(a) = 1 ∧ a = x] x∈X a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [A(a) = 1 ∧ a = x] AdvD0,D1 (A) ≤ 0 − Pr [A(a) = 1 ∧ a = x] x∈X a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [A(a) = 1 ∧ a = x] AdvD0,D1 (A) ≤ 0 − Pr [A(a) = 1 ∧ a = x] x∈X a∈D1
X Pra∈D [a = x|A(x) = 1] Pra∈D [A(x) = 1] ≤ 0 0 − Pr [a = x|A(x) = 1] Pr [A(x) = 1] x∈X a∈D1 a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x|A(x) = 1] Pra∈D [A(x) = 1] AdvD0,D1 (A) ≤ 0 0 − Pr [a = x|A(x) = 1] Pr [A(x) = 1] x∈X a∈D1 a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x|A(x) = 1] Pra∈D [A(x) = 1] AdvD0,D1 (A) ≤ 0 0 − Pr [a = x|A(x) = 1] Pr [A(x) = 1] x∈X a∈D1 a∈D1
X Pra∈D [a = x|A(x) = 1] ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x|A(x) = 1] x∈X a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x|A(x) = 1] AdvD0,D1 (A) ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x|A(x) = 1] x∈X a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x|A(x) = 1] AdvD0,D1 (A) ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x|A(x) = 1] x∈X a∈D1 a = x and A(x) = 1 are independent events
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x|A(x) = 1] AdvD0,D1 (A) ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x|A(x) = 1] x∈X a∈D1 a = x and A(x) = 1 are independent events
X Pra∈D [a = x] ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x] x∈X a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x] AdvD0,D1 (A) ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x] x∈X a∈D1
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
X Pra∈D [a = x] AdvD0,D1 (A) ≤ | Pr[A(x) = 1]| × 0 − Pr [a = x] x∈X a∈D1
X ≤ Pr [a = x] − Pr [a = x] a∈D0 a∈D1 x∈X
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
D ,D X Adv 0 1 (A) ≤ Pr [a = x] − Pr [a = x] a∈D0 a∈D1 x∈X
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
D ,D X Adv 0 1 (A) ≤ Pr [a = x] − Pr [a = x] a∈D0 a∈D1 x∈X ≤ Dist(D0, D1)
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
D0,D1 Adv (A) ≤ Dist(D0, D1)
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Relations between Indistinguishability Notions
For any distinguisher A, we have
D0,D1 Adv (A) ≤ Dist(D0, D1)
Theorem
Dist(D0, D1) is the best advantage any adversary could get, even within an unbounded time.
D0,D1 ∀t, Adv (t) ≤ Dist(D0, D1).
ENS/CNRS/INRIA Cascade David Pointcheval 38/71 Hybrid Technique
Let us consider the distributions DA and DB:
x y1 xy1 yn xyn 2n+1 DA =(g ,g ,g ,. . . ,g ,g ) ⊆ G
x y1 z1 yn zn 2n+1 DB =(g ,g ,g ,...,g , g ) ⊆ G
AdvDA,DB (t)?
We define the hybrid distribution
x y1 xy1 yi xyi yi+1 zi+1 yn zn Di = (g , g , g ,..., g , g , g , g ,..., g , g )
D0 = DB Dn = DA.
ENS/CNRS/INRIA Cascade David Pointcheval 39/71 Hybrid Technique
Let us consider the distributions DA and DB:
x y1 xy1 yn xyn 2n+1 DA =(g ,g ,g ,. . . ,g ,g ) ⊆ G
x y1 z1 yn zn 2n+1 DB =(g ,g ,g ,...,g , g ) ⊆ G
AdvDA,DB (t)?
We define the hybrid distribution
x y1 xy1 yi xyi yi+1 zi+1 yn zn Di = (g , g , g ,..., g , g , g , g ,..., g , g )
D0 = DB Dn = DA.
ENS/CNRS/INRIA Cascade David Pointcheval 39/71 Hybrid Technique
Let us consider the distributions DA and DB:
x y1 xy1 yn xyn 2n+1 DA =(g ,g ,g ,. . . ,g ,g ) ⊆ G
x y1 z1 yn zn 2n+1 DB =(g ,g ,g ,...,g , g ) ⊆ G
AdvDA,DB (t)?
We define the hybrid distribution
x y1 xy1 yi xyi yi+1 zi+1 yn zn Di = (g , g , g ,..., g , g , g , g ,..., g , g )
D0 = DB Dn = DA.
ENS/CNRS/INRIA Cascade David Pointcheval 39/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
AdvDA,DB (A) = AdvDn,D0 (A)
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
AdvDA,DB (A) = AdvDn,D0 (A)
= Pr[A → 1] − Pr[A → 1] D0 Dn
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
D ,D Adv A B (A) = Pr[A → 1] − Pr[A → 1] D0 Dn
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
D ,D Adv A B (A) = Pr[A → 1] − Pr[A → 1] D0 Dn n X = Pr [A → 1] − Pr[A → 1] Di−1 Di i=1
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp n D ,D X Adv A B (A) = Pr [A → 1] − Pr[A → 1] Di−1 Di i=1
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp n D ,D X Adv A B (A) = Pr [A → 1] − Pr[A → 1] Di−1 Di i=1 n X = AdvDi ,Di−1 (A) i=1
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
n X AdvDA,DB (A) = AdvDi ,Di−1 (A) i=1
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp n X AdvDA,DB (A) = AdvDi ,Di−1 (A) i=1 n X ≤ ddh( 0) AdvG t i=1
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
n X DA,DB (A) ≤ ddh( 0) Adv AdvG t i=1
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
n X DA,DB (A) ≤ ddh( 0) Adv AdvG t i=1 ≤ × ddh( 0) n AdvG t
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
DA,DB (A) ≤ × ddh( 0) Adv n AdvG t
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Hybrid Technique
Let A be an adversary within time t, against DA vs. DB. Given a DDH input (X, Y , Z), we generate the hybrid instance:
y1 y1 yi−1 yi−1 yi+1 zi+1 yn zn Ii = (X, g , X ,..., g , X , Y , Z, g , g ,..., g , g )
Note that • if Z = gxy , then I ∈ D ) i AdvDi ,Di−1 (A) ≤ Advddh(t0) R G 0 • if Z ← G, then I ∈ Di−1 where t ≤ t + 2(n − 1)τexp
DA,DB (A) ≤ × ddh( 0) Adv n AdvG t
Theorem
∀ , DA,DB ( ) ≤ × ddh( + ( − )τ ) t Adv t n AdvG t 2 n 1 exp
ENS/CNRS/INRIA Cascade David Pointcheval 40/71 Basic Security Notions Outline
Cryptography
Provable Security
Basic Security Notions Public-Key Encryption Variants of Indistinguishability Signatures
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 41/71 Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 42/71 Public-Key Encryption
Goal: Privacy/Secrecy of the plaintext
ENS/CNRS/INRIA Cascade David Pointcheval 42/71 OW − CPA
One-Wayness For a public-key encryption scheme S = (K, E, D), without the secrete key sk, it should be computationally impossible to recover the plaintext m from the ciphertext c:
ow R SuccS (A) = Pr[(sk, pk) ← K(); m ← M; c = Epk (m): A(pk, c) → m]
should be negligible.
Chosen-Plaintext Attacks In the public-key setting, the adversary has access to the encryption key (the public key), and thus can encrypt any plaintext of its choice: chosen-plaintext attack
ENS/CNRS/INRIA Cascade David Pointcheval 43/71 OW − CPA
One-Wayness For a public-key encryption scheme S = (K, E, D), without the secrete key sk, it should be computationally impossible to recover the plaintext m from the ciphertext c:
ow R SuccS (A) = Pr[(sk, pk) ← K(); m ← M; c = Epk (m): A(pk, c) → m]
should be negligible.
Chosen-Plaintext Attacks In the public-key setting, the adversary has access to the encryption key (the public key), and thus can encrypt any plaintext of its choice: chosen-plaintext attack
ENS/CNRS/INRIA Cascade David Pointcheval 43/71 OW − CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 44/71 OW − CPA Security Game
k k e G d
A
ENS/CNRS/INRIA Cascade David Pointcheval 44/71 OW − CPA Security Game
k k e G d m* random r* random A
ENS/CNRS/INRIA Cascade David Pointcheval 44/71 OW − CPA Security Game
k k e G d m* random r* random
m* c* r* E A
ENS/CNRS/INRIA Cascade David Pointcheval 44/71 OW − CPA Security Game
k k e G d m* random r* random
m* c* r* E A
m
ENS/CNRS/INRIA Cascade David Pointcheval 44/71 OW − CPA Security Game
k k e G d m* random r* random
m* c* r* E A
? m m* = m
ENS/CNRS/INRIA Cascade David Pointcheval 44/71 ElGamal Encryption [ElGamal 1985]
ElGamal Encryption The ElGamal encryption scheme EG is defined, in a group G = hgi of order q
R x • K(G, g, q): x ← Zq, and sk ← x and pk ← y = g R r r r • Epk (m): r ← Zq, c1 ← g and c2 ← y × m = pk × m. Then, the ciphertext is c = (c1, c2) x sk • Dsk (c) outputs c2/c1 = c2/c1
Theorem (ElGamal is OW − CPA)
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
ENS/CNRS/INRIA Cascade David Pointcheval 45/71 ElGamal Encryption [ElGamal 1985]
ElGamal Encryption The ElGamal encryption scheme EG is defined, in a group G = hgi of order q
R x • K(G, g, q): x ← Zq, and sk ← x and pk ← y = g R r r r • Epk (m): r ← Zq, c1 ← g and c2 ← y × m = pk × m. Then, the ciphertext is c = (c1, c2) x sk • Dsk (c) outputs c2/c1 = c2/c1
Theorem (ElGamal is OW − CPA)
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
ENS/CNRS/INRIA Cascade David Pointcheval 45/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← y = gx from K
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← y = gx from K
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← y = gx from K
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
∗ R r ∗ ∗ • The challenger chooses m ← M, sets c2 ← y × m and sends c = (c1, c2)
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← y = gx from K
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
∗ R r ∗ ∗ • The challenger chooses m ← M, sets c2 ← y × m and sends c = (c1, c2)
• A receives c ← (c1, c2), and outputs m
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← y = gx from K
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
∗ R r ∗ ∗ • The challenger chooses m ← M, sets c2 ← y × m and sends c = (c1, c2)
• A receives c ← (c1, c2), and outputs m
∗ ow−cpa • Pr[m = m ] = SuccEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← X from B
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
∗ R r ∗ ∗ • The challenger chooses m ← M, sets c2 ← y × m and sends c = (c1, c2)
• A receives c ← (c1, c2), and outputs m
∗ ow−cpa • Pr[m = m ] = SuccEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← X from B
• B sets c1 ← Y
∗ R r ∗ ∗ • The challenger chooses m ← M, sets c2 ← y × m and sends c = (c1, c2)
• A receives c ← (c1, c2), and outputs m
∗ ow−cpa • Pr[m = m ] = SuccEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← X from B
• B sets c1 ← Y
R ∗ • B chooses c2 ← G (which virtually sets m ← c2/CDH(X, Y )), and sends c = (c1, c2)
• A receives c ← (c1, c2), and outputs m
∗ ow−cpa • Pr[m = m ] = SuccEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← X from B
• B sets c1 ← Y
R ∗ • B chooses c2 ← G (which virtually sets m ← c2/CDH(X, Y )), and sends c = (c1, c2)
• B receives m from A and outputs c2/m
∗ ow−cpa • Pr[m = m ] = SuccEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 ElGamal is OW − CPA: Proof
ow−cpa( ) ≤ cdh( ) SuccEG t SuccG t
Let A be an adversary against EG, we build an adversary B against CDH: let us be given a CDH instance (X, Y ) • A gets pk ← X from B
• B sets c1 ← Y
R ∗ • B chooses c2 ← G (which virtually sets m ← c2/CDH(X, Y )), and sends c = (c1, c2)
• B receives m from A and outputs c2/m
∗ ow−cpa • Pr[m = m ] = SuccEG (A) = Pr[ / = / ∗] = Pr[ / = ( , )] ≤ Succcdh( ) c2 m c2 m c2 m CDH X Y G t
ENS/CNRS/INRIA Cascade David Pointcheval 46/71 Is OW − CPA Enough?
For a yes/no answer or sell/buy order, one bit of information may be enough for the adversary! How to model that no bit of information leaks?
Semantic Security [Goldwasser-Micali 1984] For any predicate f , E(m) does not help to guess f (m), with better probability than f (m0) (for a random but private m0): in the game
(sk, pk) ← K();(M, f , state) ← A(pk);
0 R m, m ← M;c = Epk (m); p ← A(state, c)
then, sem 0 AdvS (A) = Pr[p = f (m)] − Pr[p = f (m )] .
ENS/CNRS/INRIA Cascade David Pointcheval 47/71 Is OW − CPA Enough?
For a yes/no answer or sell/buy order, one bit of information may be enough for the adversary! How to model that no bit of information leaks?
Semantic Security [Goldwasser-Micali 1984] For any predicate f , E(m) does not help to guess f (m), with better probability than f (m0) (for a random but private m0): in the game
(sk, pk) ← K();(M, f , state) ← A(pk);
0 R m, m ← M;c = Epk (m); p ← A(state, c)
then, sem 0 AdvS (A) = Pr[p = f (m)] − Pr[p = f (m )] .
ENS/CNRS/INRIA Cascade David Pointcheval 47/71 Semantic Security
A
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Semantic Security
k k e G d
A
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Semantic Security
k k e G d
D, Pred
A
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Semantic Security
k k e G d
m*, m' ← D D, Pred r random A
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Semantic Security
k k e G d
m*, m' ← D D, Pred r random m* c* r E A
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Semantic Security
k k e G d
m*, m' ← D D, Pred r random m* c* r E A
b
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Semantic Security
k k e G d
m*, m' ← D D, Pred r random m* c* r E A Pred(m*)=b vs. Pred(m')=b b
ENS/CNRS/INRIA Cascade David Pointcheval 48/71 Indistinguishability
Another equivalent formulation (if efficiently computable predicate): IND − CPA
After having chosen two plaintexts m0 and m1, upon receiving the encryption of mb (for a random bit b), it should be hard to guess which message has been encrypted: in the game
(sk, pk) ← K();(m0, m1, state) ← A(pk); R 0 b ← {0, 1};c = Epk (mb); b ← A(state, c)
then,
ind−cpa 0 0 AdvS (A) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0] 0 = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 49/71 IND − CPA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 IND − CPA Security Game
k k e G d
A
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 IND − CPA Security Game
k k e G d
m0 m1 A
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 IND − CPA Security Game
k k e G d b∈{0,1} r random m0 m1 A
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 IND − CPA Security Game
k k e G d b∈{0,1} r random m0 m1
* mb c r E A
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 IND − CPA Security Game
k k e G d b∈{0,1} r random m0 m1
* mb c r E A
b’
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 IND − CPA Security Game
k k e G d b∈{0,1} r random m0 m1
* mb c r E A
? b’ = b b’
ENS/CNRS/INRIA Cascade David Pointcheval 50/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p.
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p.
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p.
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p.
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p.
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p.
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p. Note that (if diff denotes the event that P(m) 6= P(m0))
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p. Note that (if diff denotes the event that P(m) 6= P(m0)) sem 0 Adv (A) = Pr[p = P(m)|c = E(m)] − Pr[p = P(m )|c = E(m)]
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
Let A be an adversary within time t against semantic security, we build an adversary B against indistinguishability: • B runs A to get D and a predicate P; R it gets m0, m1 ← D, and outputs them;
• the challenger encrypts mb in c • B runs A, to get the guess p of A about the predicate P on the plaintext in c; 0 • If P(m0) = P(m1), B outputs a random bit b , 0 • otherwise it outputs b such that P(mb0 ) = p. Note that (if diff denotes the event that P(m) 6= P(m0)) sem 0 Adv (A) = Pr[p = P(m)|c = E(m)] − Pr[p = P(m )|c = E(m)]
Pr[p = P(m)|c = E(m) ∧ diff] = × Pr[diff] 0 − Pr[p = P(m )|c = E(m) ∧ diff]
ENS/CNRS/INRIA Cascade David Pointcheval 51/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
Pr[b0 = 1|b = 1 ∧ diff] = × Pr[diff] 0 − Pr[b = 1|b = 0 ∧ diff]
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
Pr[b0 = 1|b = 1 ∧ diff] = × Pr[diff] 0 − Pr[b = 1|b = 0 ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m1) = p|c = E(m0) ∧ diff]
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
Pr[b0 = 1|b = 1 ∧ diff] = × Pr[diff] 0 − Pr[b = 1|b = 0 ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m1) = p|c = E(m0) ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m0) = p|c = E(m1) ∧ diff]
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
Pr[b0 = 1|b = 1 ∧ diff] = × Pr[diff] 0 − Pr[b = 1|b = 0 ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m1) = p|c = E(m0) ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m0) = p|c = E(m1) ∧ diff] = Advsem(A) ≤ Advind(t0)
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1)
ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
Pr[b0 = 1|b = 1 ∧ diff] = × Pr[diff] 0 − Pr[b = 1|b = 0 ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m1) = p|c = E(m0) ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m0) = p|c = E(m1) ∧ diff] = Advsem(A) ≤ Advind(t0) The running time t0 of B = one execution of A (time t), two sampling
from D (time τD), two evaluations of the predicate P (time τP )
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Indistinguishability implies Semantic Security
If diff denotes the event that P(m0) 6= P(m1) ind 0 0 Adv (B) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
Pr[b0 = 1|b = 1 ∧ diff] = × Pr[diff] 0 − Pr[b = 1|b = 0 ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m1) = p|c = E(m0) ∧ diff]
Pr[P(m ) = p|c = E(m ) ∧ diff] 1 1 = × Pr[diff] − Pr[P(m0) = p|c = E(m1) ∧ diff] = Advsem(A) ≤ Advind(t0) The running time t0 of B = one execution of A (time t), two sampling
from D (time τD), two evaluations of the predicate P (time τP ) sem ind Adv (t) ≤ Adv (t + 2τD + 2τP )
ENS/CNRS/INRIA Cascade David Pointcheval 52/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
sem 0 Adv (B) = Pr[p = P(m)] − Pr[p = P(m )]
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
sem 0 Adv (B) = Pr[p = P(m)] − Pr[p = P(m )] 0 = Pr[m = mp] − Pr[m = mp]
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
sem 0 Adv (B) = Pr[p = P(m)] − Pr[p = P(m )] 0 = Pr[m = mp] − Pr[m = mp] 0 = Pr[m = mb0 ] − Pr[m = mb0 ]
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
Let A be an adversary within time t against indistinguishability, we build an adversary B against semantic security:
• B runs A to get (m0, m1); ? it sets D = {m0, m1}, and P(m) = (m = m1); • the challenger chooses m, m0 ←R D, and encrypts m in c • B runs A, to get b0, that it forwards as its guess p
sem 0 Adv (B) = Pr[p = P(m)] − Pr[p = P(m )] 0 = Pr[m = mp] − Pr[m = mp] 0 = Pr[m = mb0 ] − Pr[m = mb0 ] ind 0 0 Adv (A) = Pr[b = 1|b = 1] − Pr[b = 1|b = 0]
where m = mb
ENS/CNRS/INRIA Cascade David Pointcheval 53/71 Semantic Security implies Indistinguishability
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
= |Pr[mb = mb0 ] − Pr[md = mb0 ]| 0 where m = mb and m = md
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
= |Pr[mb = mb0 ] − Pr[md = mb0 ]| 0 where m = mb and m = md 0 0 = Pr[b = b ] − Pr[d = b ]
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
= |Pr[mb = mb0 ] − Pr[md = mb0 ]| 0 where m = mb and m = md 0 0 = Pr[b = b ] − Pr[d = b ] 0 = Pr[b = b ] − 1/2
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
= |Pr[mb = mb0 ] − Pr[md = mb0 ]| 0 where m = mb and m = md 0 0 = Pr[b = b ] − Pr[d = b ] 0 = Pr[b = b ] − 1/2 = Advind(A)/2 ≤ Advsem(t0)
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
= |Pr[mb = mb0 ] − Pr[md = mb0 ]| 0 where m = mb and m = md 0 0 = Pr[b = b ] − Pr[d = b ] 0 = Pr[b = b ] − 1/2 = Advind(A)/2 ≤ Advsem(t0)
The running time t0 of B = one execution of A (time t)
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 Semantic Security implies Indistinguishability
sem 0 Adv (B) = Pr[m = mb0 ] − Pr[m = mb0 ]
= |Pr[mb = mb0 ] − Pr[md = mb0 ]| 0 where m = mb and m = md 0 0 = Pr[b = b ] − Pr[d = b ] 0 = Pr[b = b ] − 1/2 = Advind(A)/2 ≤ Advsem(t0)
The running time t0 of B = one execution of A (time t)
Advind(t) ≤ 2 × Advsem(t)
ENS/CNRS/INRIA Cascade David Pointcheval 54/71 ElGamal Encryption
ElGamal Encryption The ElGamal encryption scheme EG is defined, in a group G = hgi of order q
R x • K(G, g, q): x ← Zq, and sk ← x and pk ← y = g R r r r • Epk (m): r ← Zq, c1 ← g and c2 ← y × m = pk × m. Then, the ciphertext is c = (c1, c2) x sk • Dsk (c) outputs c2/c1 = c2/c1
Theorem (ElGamal is IND − CPA)
ind−cpa( ) ≤ × ddh( ) AdvEG t 2 AdvG t
ENS/CNRS/INRIA Cascade David Pointcheval 55/71 ElGamal Encryption
ElGamal Encryption The ElGamal encryption scheme EG is defined, in a group G = hgi of order q
R x • K(G, g, q): x ← Zq, and sk ← x and pk ← y = g R r r r • Epk (m): r ← Zq, c1 ← g and c2 ← y × m = pk × m. Then, the ciphertext is c = (c1, c2) x sk • Dsk (c) outputs c2/c1 = c2/c1
Theorem (ElGamal is IND − CPA)
ind−cpa( ) ≤ × ddh( ) AdvEG t 2 AdvG t
ENS/CNRS/INRIA Cascade David Pointcheval 55/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
x • A gets pk ← y = g from K, and outputs (m0, m1)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
x • A gets pk ← y = g from K, and outputs (m0, m1)
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
x • A gets pk ← y = g from K, and outputs (m0, m1)
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
R r ∗ • The challenger chooses b ← {0, 1}, sets c2 ← y × mb, and sends c = (c1, c2)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
x • A gets pk ← y = g from K, and outputs (m0, m1)
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
R r ∗ • The challenger chooses b ← {0, 1}, sets c2 ← y × mb, and sends c = (c1, c2) 0 • A receives c ← (c1, c2), and outputs b
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
x • A gets pk ← y = g from K, and outputs (m0, m1)
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
R r ∗ • The challenger chooses b ← {0, 1}, sets c2 ← y × mb, and sends c = (c1, c2) 0 • A receives c ← (c1, c2), and outputs b
0 ind−cpa • 2 × Pr[b = b] − 1 = AdvEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
• A gets pk ← X from B, and outputs (m0, m1)
∗ R ? r ∗ • The challenger chooses r ← Zq and sets c1 ← g
R r ∗ • The challenger chooses b ← {0, 1}, sets c2 ← y × mb, and sends c = (c1, c2) 0 • A receives c ← (c1, c2), and outputs b
0 ind−cpa • 2 × Pr[b = b] − 1 = AdvEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
• A gets pk ← X from B, and outputs (m0, m1)
• B sets c1 ← Y
R r ∗ • The challenger chooses b ← {0, 1}, sets c2 ← y × mb, and sends c = (c1, c2) 0 • A receives c ← (c1, c2), and outputs b
0 ind−cpa • 2 × Pr[b = b] − 1 = AdvEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
• A gets pk ← X from B, and outputs (m0, m1)
• B sets c1 ← Y R • B chooses b ← {0, 1}, sets c2 ← Z × mb, and sends c = (c1, c2) 0 • A receives c ← (c1, c2), and outputs b
0 ind−cpa • 2 × Pr[b = b] − 1 = AdvEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
• A gets pk ← X from B, and outputs (m0, m1)
• B sets c1 ← Y R • B chooses b ← {0, 1}, sets c2 ← Z × mb, and sends c = (c1, c2) • B receives b0 from A and outputs d = (b0 = b)
0 ind−cpa • 2 × Pr[b = b] − 1 = AdvEG (A)
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
• A gets pk ← X from B, and outputs (m0, m1)
• B sets c1 ← Y R • B chooses b ← {0, 1}, sets c2 ← Z × mb, and sends c = (c1, c2) • B receives b0 from A and outputs d = (b0 = b)
• |2 × Pr[b0 = b] − 1| ind−cpa = AdvEG (A), if Z = CDH(X, Y )
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
Let A be an adversary against EG, we build an adversary B against DDH: let us be given a DDH instance (X, Y , Z )
• A gets pk ← X from B, and outputs (m0, m1)
• B sets c1 ← Y R • B chooses b ← {0, 1}, sets c2 ← Z × mb, and sends c = (c1, c2) • B receives b0 from A and outputs d = (b0 = b)
• |2 × Pr[b0 = b] − 1| ind−cpa = AdvEG (A), if Z = CDH(X, Y ) = 0, otherwise
ENS/CNRS/INRIA Cascade David Pointcheval 56/71 ElGamal is IND − CPA: Proof
As a consequence,
0 ind−cpa • |2 × Pr[b = b|Z = CDH(X, Y )] − 1| = AdvEG (A)
0 R • 2 × Pr[b = b|Z ← G] − 1 = 0
Pr[d = 1|Z = CDH(X, Y )] ind−cpa AdvEG (A) = 2 × R − Pr[d = 1|Z ← G] = × ddh(B) ≤ × ddh( ) 2 AdvG 2 AdvG t
ENS/CNRS/INRIA Cascade David Pointcheval 57/71 ElGamal is IND − CPA: Proof
As a consequence,
0 ind−cpa • |2 × Pr[b = b|Z = CDH(X, Y )] − 1| = AdvEG (A)
0 R • 2 × Pr[b = b|Z ← G] − 1 = 0
Pr[d = 1|Z = CDH(X, Y )] ind−cpa AdvEG (A) = 2 × R − Pr[d = 1|Z ← G] = × ddh(B) ≤ × ddh( ) 2 AdvG 2 AdvG t
ENS/CNRS/INRIA Cascade David Pointcheval 57/71 RSA Encryption [Rivest-Shamir-Adleman 1978]
RSA Encryption The RSA encryption scheme RSA is defined by
• K(1k ): p and q two random k-bit prime integers, and an exponent e (possibly fixed, or not): sk ← d = e−1 mod ϕ(n) and pk ← (n, e) e • Epk (m): the ciphertext is c = m mod n d • Dsk (c): the plaintext is m = c mod n
Theorem (RSA is OW − CPA, but. . . )
ow−cpa rsa SuccRSA (t) ≤ Succ (t) A deterministic encryption scheme cannot be IND − CPA
ENS/CNRS/INRIA Cascade David Pointcheval 58/71 RSA Encryption [Rivest-Shamir-Adleman 1978]
RSA Encryption The RSA encryption scheme RSA is defined by
• K(1k ): p and q two random k-bit prime integers, and an exponent e (possibly fixed, or not): sk ← d = e−1 mod ϕ(n) and pk ← (n, e) e • Epk (m): the ciphertext is c = m mod n d • Dsk (c): the plaintext is m = c mod n
Theorem (RSA is OW − CPA, but. . . )
ow−cpa rsa SuccRSA (t) ≤ Succ (t) A deterministic encryption scheme cannot be IND − CPA
ENS/CNRS/INRIA Cascade David Pointcheval 58/71 RSA Encryption [Rivest-Shamir-Adleman 1978]
RSA Encryption The RSA encryption scheme RSA is defined by
• K(1k ): p and q two random k-bit prime integers, and an exponent e (possibly fixed, or not): sk ← d = e−1 mod ϕ(n) and pk ← (n, e) e • Epk (m): the ciphertext is c = m mod n d • Dsk (c): the plaintext is m = c mod n
Theorem (RSA is OW − CPA, but. . . )
ow−cpa rsa SuccRSA (t) ≤ Succ (t) A deterministic encryption scheme cannot be IND − CPA
ENS/CNRS/INRIA Cascade David Pointcheval 58/71 Outline
Cryptography
Provable Security
Basic Security Notions Public-Key Encryption Variants of Indistinguishability Signatures
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 59/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1 Find stage
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1 Find stage
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b Guess stage
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Indistinguishability vs. Find-then-Guess [Bellare-Desai-Jokipii-Rogaway 1997]
FtG − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and chooses 2 messages m0 and m1 Find stage
• The challenger returns the encryption c of mb under pk • The adversary outputs its guess b0 on the bit b Guess stage
ftg−cpa ind−cpa 0 AdvS (A) = AdvS (A) = 2 × Pr[b = b] − 1
Note: the adversary has access to the following oracle, only once:
LRb(m0, m1): outputs the encryption of mb under pk
ENS/CNRS/INRIA Cascade David Pointcheval 60/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Left-or-Right Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
LoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk,
and asks LR on any pair (m0, m1) of its choice
• The challenger answers using LRb • The adversary outputs its guess b0 on the bit b
lor−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 61/71 Find-then-Guess vs. Left-or-Right
Theorem (FtG ∼n LoR)
ftg−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ftg−cpa ∀t, AdvS (t) ≤ n × AdvS (t)
where n is the number of LR queries
LoR ⇒ FtG is clear FtG ⇒ LoR: hybrid distribution of the sequence of bits b
• The Left distribution is (0, 0,..., 0) ∈ {0, 1}n, for the LR queries • The Right distribution is (1, 1,..., 1) ∈ {0, 1}n, for the LR queries i n−i n • Hybrid distribution: Di = (0,..., 0, 1,..., 1) = 0 1 ∈ {0, 1}
lor−cpa ftg−cpa Dist(D0, Dn) = AdvS (A) Dist(Di , Di+1) ≤ AdvS (t)
ENS/CNRS/INRIA Cascade David Pointcheval 62/71 Find-then-Guess vs. Left-or-Right
Theorem (FtG ∼n LoR)
ftg−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ftg−cpa ∀t, AdvS (t) ≤ n × AdvS (t)
where n is the number of LR queries
LoR ⇒ FtG is clear FtG ⇒ LoR: hybrid distribution of the sequence of bits b
• The Left distribution is (0, 0,..., 0) ∈ {0, 1}n, for the LR queries • The Right distribution is (1, 1,..., 1) ∈ {0, 1}n, for the LR queries i n−i n • Hybrid distribution: Di = (0,..., 0, 1,..., 1) = 0 1 ∈ {0, 1}
lor−cpa ftg−cpa Dist(D0, Dn) = AdvS (A) Dist(Di , Di+1) ≤ AdvS (t)
ENS/CNRS/INRIA Cascade David Pointcheval 62/71 Find-then-Guess vs. Left-or-Right
Theorem (FtG ∼n LoR)
ftg−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ftg−cpa ∀t, AdvS (t) ≤ n × AdvS (t)
where n is the number of LR queries
LoR ⇒ FtG is clear FtG ⇒ LoR: hybrid distribution of the sequence of bits b
• The Left distribution is (0, 0,..., 0) ∈ {0, 1}n, for the LR queries • The Right distribution is (1, 1,..., 1) ∈ {0, 1}n, for the LR queries i n−i n • Hybrid distribution: Di = (0,..., 0, 1,..., 1) = 0 1 ∈ {0, 1}
lor−cpa ftg−cpa Dist(D0, Dn) = AdvS (A) Dist(Di , Di+1) ≤ AdvS (t)
ENS/CNRS/INRIA Cascade David Pointcheval 62/71 Find-then-Guess vs. Left-or-Right
Theorem (FtG ∼n LoR)
ftg−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ftg−cpa ∀t, AdvS (t) ≤ n × AdvS (t)
where n is the number of LR queries
LoR ⇒ FtG is clear FtG ⇒ LoR: hybrid distribution of the sequence of bits b
• The Left distribution is (0, 0,..., 0) ∈ {0, 1}n, for the LR queries • The Right distribution is (1, 1,..., 1) ∈ {0, 1}n, for the LR queries i n−i n • Hybrid distribution: Di = (0,..., 0, 1,..., 1) = 0 1 ∈ {0, 1}
lor−cpa ftg−cpa Dist(D0, Dn) = AdvS (A) Dist(Di , Di+1) ≤ AdvS (t)
ENS/CNRS/INRIA Cascade David Pointcheval 62/71 Find-then-Guess vs. Left-or-Right
Theorem (FtG ∼n LoR)
ftg−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ftg−cpa ∀t, AdvS (t) ≤ n × AdvS (t)
where n is the number of LR queries
LoR ⇒ FtG is clear FtG ⇒ LoR: hybrid distribution of the sequence of bits b
• The Left distribution is (0, 0,..., 0) ∈ {0, 1}n, for the LR queries • The Right distribution is (1, 1,..., 1) ∈ {0, 1}n, for the LR queries i n−i n • Hybrid distribution: Di = (0,..., 0, 1,..., 1) = 0 1 ∈ {0, 1}
lor−cpa ftg−cpa Dist(D0, Dn) = AdvS (A) Dist(Di , Di+1) ≤ AdvS (t)
ENS/CNRS/INRIA Cascade David Pointcheval 62/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Real-or-Random Indistinguishability [Bellare-Desai-Jokipii-Rogaway 1997]
RoR − CPA • The challenger flips a bit b • The challenger runs the key generation algorithm (sk, pk) ← K() • The adversary receives the public key pk, and asks RR on any message m of its choice
• The challenger answers using RRb:
• if b = 0, the RR0 encrypts m Real • if b = 1, the RR1 encrypts a random message Random • The adversary outputs its guess b0 on the bit b
ror−cpa 0 AdvS (A) = 2 × Pr[b = b] − 1
ENS/CNRS/INRIA Cascade David Pointcheval 63/71 Left-or-Right vs. Real-Random
Theorem (LoR ∼ RoR)
ror−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ror−cpa ∀t, AdvS (t) ≤ 2 × AdvS (t)
R LoR ⇒ RoR is clear (using m0 = m and m1 ← M)
RoR ⇒ LoR: B flips a bit d, and uses md for the RR oracle, then forwards A’s answer Pr[d ← B|Real] = Pr[d ← A] Pr[d ← B|Random] = 1/2
Advlor(A) = |2 × Pr[d ← A] − 1| = |2 × Pr[d ← B|Real] − 2 × Pr[d ← B|Random]| ≤ 2 × Advror(B)
ENS/CNRS/INRIA Cascade David Pointcheval 64/71 Left-or-Right vs. Real-Random
Theorem (LoR ∼ RoR)
ror−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ror−cpa ∀t, AdvS (t) ≤ 2 × AdvS (t)
R LoR ⇒ RoR is clear (using m0 = m and m1 ← M)
RoR ⇒ LoR: B flips a bit d, and uses md for the RR oracle, then forwards A’s answer Pr[d ← B|Real] = Pr[d ← A] Pr[d ← B|Random] = 1/2
Advlor(A) = |2 × Pr[d ← A] − 1| = |2 × Pr[d ← B|Real] − 2 × Pr[d ← B|Random]| ≤ 2 × Advror(B)
ENS/CNRS/INRIA Cascade David Pointcheval 64/71 Left-or-Right vs. Real-Random
Theorem (LoR ∼ RoR)
ror−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ror−cpa ∀t, AdvS (t) ≤ 2 × AdvS (t)
R LoR ⇒ RoR is clear (using m0 = m and m1 ← M)
RoR ⇒ LoR: B flips a bit d, and uses md for the RR oracle, then forwards A’s answer Pr[d ← B|Real] = Pr[d ← A] Pr[d ← B|Random] = 1/2
Advlor(A) = |2 × Pr[d ← A] − 1| = |2 × Pr[d ← B|Real] − 2 × Pr[d ← B|Random]| ≤ 2 × Advror(B)
ENS/CNRS/INRIA Cascade David Pointcheval 64/71 Left-or-Right vs. Real-Random
Theorem (LoR ∼ RoR)
ror−cpa lor−cpa ∀t, AdvS (t) ≤ AdvS (t) lor−cpa ror−cpa ∀t, AdvS (t) ≤ 2 × AdvS (t)
R LoR ⇒ RoR is clear (using m0 = m and m1 ← M)
RoR ⇒ LoR: B flips a bit d, and uses md for the RR oracle, then forwards A’s answer Pr[d ← B|Real] = Pr[d ← A] Pr[d ← B|Random] = 1/2
Advlor(A) = |2 × Pr[d ← A] − 1| = |2 × Pr[d ← B|Real] − 2 × Pr[d ← B|Random]| ≤ 2 × Advror(B)
ENS/CNRS/INRIA Cascade David Pointcheval 64/71 Outline
Cryptography
Provable Security
Basic Security Notions Public-Key Encryption Variants of Indistinguishability Signatures
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 65/71 Signature
Goal: Authentication of the sender
ENS/CNRS/INRIA Cascade David Pointcheval 66/71 Signature
Goal: Authentication of the sender
ENS/CNRS/INRIA Cascade David Pointcheval 66/71 EUF − NMA
Existential Unforgeability For a signature scheme SG = (K, S, V), without the secrete key sk, it should be computationally impossible to generate a valid pair (m, σ):
euf SuccSG(A) = Pr[(sk, pk) ← K(); (m, σ) ← A(pk): Vpk (m, σ) = 1]
should be negligible.
No-Message Attacks In the public-key setting, the adversary has access to the verification key (the public key), but not necessarily to valid signatures: no-message attack
ENS/CNRS/INRIA Cascade David Pointcheval 67/71 EUF − NMA
Existential Unforgeability For a signature scheme SG = (K, S, V), without the secrete key sk, it should be computationally impossible to generate a valid pair (m, σ):
euf SuccSG(A) = Pr[(sk, pk) ← K(); (m, σ) ← A(pk): Vpk (m, σ) = 1]
should be negligible.
No-Message Attacks In the public-key setting, the adversary has access to the verification key (the public key), but not necessarily to valid signatures: no-message attack
ENS/CNRS/INRIA Cascade David Pointcheval 67/71 EUF − NMA Security Game
A
ENS/CNRS/INRIA Cascade David Pointcheval 68/71 EUF − NMA Security Game
k k v G s
A
ENS/CNRS/INRIA Cascade David Pointcheval 68/71 EUF − NMA Security Game
k k v G s
A (m,σ)
ENS/CNRS/INRIA Cascade David Pointcheval 68/71 EUF − NMA Security Game
k k v G s
A (m,σ)
V(kv,m,σ)?
ENS/CNRS/INRIA Cascade David Pointcheval 68/71 RSA Signature [Rivest-Shamir-Adleman 1978]
RSA Signature The RSA signature scheme RSA is defined by
• K(1k ): p and q two random k-bit prime integers, and an exponent v (possibly fixed, or not): sk ← s = v −1 mod ϕ(n) and pk ← (n, v) s • Ssk (m): the signature is σ = m mod n v • Vpk (m, σ) checks whether m = σ mod n
Theorem (RSA is not EUF − NMA) The plain RSA signature is not secure at all!
ENS/CNRS/INRIA Cascade David Pointcheval 69/71 RSA Signature [Rivest-Shamir-Adleman 1978]
RSA Signature The RSA signature scheme RSA is defined by
• K(1k ): p and q two random k-bit prime integers, and an exponent v (possibly fixed, or not): sk ← s = v −1 mod ϕ(n) and pk ← (n, v) s • Ssk (m): the signature is σ = m mod n v • Vpk (m, σ) checks whether m = σ mod n
Theorem (RSA is not EUF − NMA) The plain RSA signature is not secure at all!
ENS/CNRS/INRIA Cascade David Pointcheval 69/71 Conclusion Outline
Cryptography
Provable Security
Basic Security Notions
Conclusion
ENS/CNRS/INRIA Cascade David Pointcheval 70/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71 Conclusion
• Provable security provides guarantees on the security level • But strong security notions have to be defined • encryption: • indistinguishability is not enough • some information may leak • signature: some signatures may be available
• We will provide stronger security notions Proofs will become more intricate! • We will provide new proof techniques
ENS/CNRS/INRIA Cascade David Pointcheval 71/71