\chapter{Security Proofs in Cryptography}

Provable security is a subfield of cryptography in which constructions are proven secure with respect to a security model.
To illustrate this notion, let us take the example of public-key encryption schemes.
This primitive consists of three algorithms:~\textit{key generation}, \textit{encryption} and \textit{decryption}.
These algorithms behave according to their names.
Naturally, the question of how to define the security of this set of algorithms arises.
To answer it, we have to define the power of the adversary as well as its goal.
In cryptography, many models have been used to capture these (the random oracle model, universal composability ($\UC$)~\cite{Can01}\ldots), some of which give rise to stronger security guarantees.
While one may look for the strongest possible security for a construction, there are known impossibility results in strong models.
For instance, in the $\UC$ model, it is impossible to realize two-party computation~\cite{Yao86} without an honest set-up~\cite{CKL06}, while it is possible in the standard model~\cite{LP07}.

In this chapter, we first focus on the elements of computational complexity that we need to properly define the security models used in this thesis.
Then we define these security models.

%%%%%%%%%%%%%%%%%%%%%%%
% Security Reductions %
%%%%%%%%%%%%%%%%%%%%%%%
\section{Security Reductions}

Provable security focuses on providing constructions whose security is guaranteed by a security proof, or security reduction.
The name ``reduction'' comes from computational complexity.
In this field of computer science, research focuses on defining equivalence classes of problems, based on the amount of resources necessary to solve them.
In order to establish a lower bound on the complexity of a problem, a classical approach is to provide a transformation that maps any instance of a problem $A$ to an instance of a problem $B$, such that a solution to the resulting instance of $B$ yields a solution to the original instance of $A$.
This amounts to saying that problem $B$ is at least as hard as problem $A$, up to the complexity of the transformation.
For instance, Cook showed that satisfiability of Boolean formulas is at least as hard as every problem in $\NP$~\cite{Coo71}, up to a polynomial-time transformation.

Let us now define more formally the notions of reduction and computability using the computational model of Turing machines.

\begin{definition}[Turing Machine] \label{de:turing-machine} \index{Turing machine}
A $k$-tape Turing Machine (TM) is described by a triple $M = (\Gamma, Q, \delta)$ containing:
\begin{itemize}
\item A finite set $\Gamma$, called the \textit{tape alphabet}, that contains the symbols that the TM uses on its tapes. In particular, $\Gamma$ contains a \textit{blank symbol} ``$\square$'', and ``$\triangleright$'', which denotes the beginning of a tape.
\item A finite set $Q$, called the \textit{states} of the TM. It contains two special states $q_{start}$ and $q_{halt}$, called respectively the \textit{initial state} and the \textit{halt state}.
\item A function $\delta: (Q \backslash \{q_{halt}\}) \times \Gamma^{k-1} \to Q \times \Gamma^{k-1} \times \{ \leftarrow, \downarrow, \rightarrow \}^k$, called the \textit{transition function}, that describes the behaviour of the internal state of the machine and of the TM heads.\\
\smallskip
Namely, $\delta(q, a_1, \ldots, a_{k-1}) = (r, b_2, \ldots, b_k, m_1, \ldots, m_k)$ means that upon reading symbols $(a_1, \ldots, a_{k-1})$ on tapes $1$ to $k-1$ (where the first tape is the input tape and the $k$-th tape is the output tape) in state $q$, the TM moves to state $r$, writes $b_2, \ldots, b_k$ on tapes $2$ to $k$ and moves its heads according to $m_1, \ldots, m_k$.
\end{itemize}

A TM $M$ is said to \emph{compute} a function $f: \Sigma^\star \to \Gamma^\star$ if, for any finite input $x \in \Sigma^\star$ on tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, $M$ halts in a finite number of steps with $f(x)$ written on its output tape $T_k$.

A TM $M$ is said to \emph{recognize} a language $L \subseteq \Sigma^\star$ if, on a finite input $x \in \Sigma^\star$ written on its input tape $T_1$, blank tapes $T_2, \ldots, T_k$ with a beginning symbol $\triangleright$ and initial state $q_{start}$, the machine $M$ eventually halts in the state $q_{halt}$ with $1$ written on its output tape if and only if $x \in L$.

A TM $M$ is said to run in $T(n)$-time if, on any input $x$, it eventually stops within $T(|x|)$ steps.

A TM $M$ is said to run in $S(n)$-space if, on any input $x$, it eventually stops after having written to at most $S(|x|)$ memory cells of its working tapes.
\end{definition}
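To make the mechanics of $\delta$ concrete, here is a minimal sketch (an illustration of this note, not part of the thesis) of a simplified single-tape variant; the definition above uses $k$ tapes, but the transition behaviour is the same. The machine names and the example transition table are assumptions chosen for illustration.

```python
# Minimal sketch of a simplified, single-tape Turing machine, with the
# transition function as a dict: (state, symbol) -> (state, write, move).
# This toy machine computes the bitwise complement of its input.
BLANK = "_"
delta = {
    ("q_start", "0"): ("q_start", "1", +1),
    ("q_start", "1"): ("q_start", "0", +1),
    ("q_start", BLANK): ("q_halt", BLANK, 0),
}

def run_tm(delta, tape_input, max_steps=10_000):
    """Run the machine until q_halt; return tape contents and step count."""
    tape = dict(enumerate(tape_input))
    state, head, steps = "q_start", 0, 0
    while state != "q_halt":
        symbol = tape.get(head, BLANK)
        state, write, move = delta[(state, symbol)]
        tape[head] = write
        head += move
        steps += 1
        if steps > max_steps:  # crude guard against non-halting runs
            raise RuntimeError("machine did not halt in time")
    out = "".join(tape[i] for i in sorted(tape) if tape[i] != BLANK)
    return out, steps

print(run_tm(delta, "0110"))  # → ('1001', 5)
```

Counting the iterations of the loop is exactly the $T(n)$-time measure of the definition: this machine runs in time $n + 1$ on inputs of length $n$.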

Turing machines are a computational model that has proved useful in complexity theory, as it is convenient to evaluate the running time of a Turing machine, which amounts to bounding the number of steps the machine can make.
Similarly, the working tapes behave analogously to the memory of a program, so counting the number of cells the machine uses is equivalent to evaluating the amount of memory the program requires.

From these considerations, it is possible to describe the time and space complexity of a program via the definition of Turing machines.
In our context, we will work with Turing machines that run in polynomial time and space, as polynomials benefit from good stability properties (sum, product, composition, \ldots{}).

\begin{definition}[\textsf{P}~\cite{Rab60}] \index{Complexity classes!P@\textsf{P}}
The class \textsf{P} describes the set of languages that can be recognized by a Turing machine running in time $T(n) = \bigO(\poly)$.
\end{definition}

In theoretical computer science, the class \textsf{P} is often considered the set of ``easy'' problems.
These problems are considered easy in the sense that the cost of solving them grows asymptotically slowly compared to other functions, such as exponentials.
In this context, it is reasonable to consider the computational power of an adversary as polynomial (or quasi-polynomial) in time and space.
As cryptographic algorithms are not deterministic, we also have to consider the probabilistic version of this computational model.

\begin{definition}[Probabilistic Turing machine] \label{de:probabilistic-tm} \index{Turing machine!Probabilistic Turing machine}
A \emph{probabilistic Turing machine} is a Turing machine with two different transition functions $\delta_0$ and $\delta_1$, where at each step, a random coin is tossed to pick $\delta_0$ or $\delta_1$ with probability $1/2$, independently of all previous choices.

The machine only outputs \texttt{accept} or \texttt{reject}, depending on the content of the output tape at the end of the execution.
We denote by $M(x)$ the random variable corresponding to the value $M$ writes on its output tape at the end of its execution.
\end{definition}

\begin{definition}[\textsf{PP}~{\cite{Gil77}}] \index{Complexity classes!PP@\textsf{PP}}
The class \textsf{PP} describes the set of languages $L \subseteq \Sigma^\star$ for which there exists a probabilistic Turing machine $M$ that stops in time $\poly[|x|]$ on every input $x$ and satisfies
\[ \begin{cases}
\Pr\left[ M(x) = 1 \mid x \in L \right] > \frac12\\
\Pr\left[ M(x) = 0 \mid x \notin L \right] > \frac12
\end{cases}. \]
\end{definition}

In the following, $\ppt$ stands for ``probabilistic polynomial time''.
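As a toy illustration of these two inequalities (the language and decider below are assumptions of this sketch, not examples from the thesis), consider the language of odd-length bit-strings containing more $1$s than $0$s, decided by answering according to a single random position of the input:

```python
import random

# Toy PP-style decider for the language L of odd-length bit-strings
# containing more 1s than 0s: sample one uniformly random position of x
# and answer the bit found there.  For x in L this accepts with
# probability > 1/2; for odd-length x outside L it rejects with
# probability > 1/2 (odd length rules out the tie #1s = #0s).
def pp_decider(x, rng):
    return x[rng.randrange(len(x))] == "1"

def acceptance_rate(x, trials=10_000, seed=0):
    """Empirical acceptance probability over many independent coin tosses."""
    rng = random.Random(seed)
    return sum(pp_decider(x, rng) for _ in range(trials)) / trials

print(acceptance_rate("11011") > 0.5)  # in L: accepted most of the time
print(acceptance_rate("10000") < 0.5)  # not in L: rejected most of the time
```

The gap between the acceptance probability and $1/2$ can be arbitrarily small here, which is precisely why \textsf{PP} is considered too permissive to model efficient randomized computation on its own.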

We have defined complexity classes that correspond to natural sets of programs of interest to us; let us now explain how to work with them.
To this end, we define the notion of polynomial-time reduction.

\begin{definition}[Polynomial time reduction] \label{de:pt-reduction} \index{Reduction!Polynomial time}
A language $A \subseteq \bit^\star$ is \emph{polynomial-time reducible to} a language $B \subseteq \bit^\star$, denoted by $A \redto B$, if there is a \emph{polynomial-time computable} function $f: \bit^\star \to \bit^\star$ such that for every $x \in \bit^\star$, $x \in A$ if and only if $f(x) \in B$.
\end{definition}

\begin{figure}
\centering
\input fig-poly-red
\caption{Illustration of a polynomial-time reduction~{\cite[Fig. 2.1]{AB09}}} \label{fig:poly-reduction}
\end{figure}

In other words, a polynomial-time reduction from $A$ to $B$ is the description of a polynomial-time algorithm (also called ``\emph{the reduction}'') that uses an algorithm for $B$ to solve $A$.
This is illustrated in Figure~\ref{fig:poly-reduction}.

We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reductions.
Namely, if a problem reduces to a problem in \textsf{P} (resp. \textsf{PP}), then this problem is also in \textsf{P} (resp. \textsf{PP}).
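As a self-contained sketch (the problem names and brute-force solver are illustrative assumptions, not taken from the thesis), the classical reduction from Independent Set to Clique maps a graph to its complement in polynomial time:

```python
from itertools import combinations

def reduce_indset_to_clique(edges, n, k):
    """Map an Independent Set instance (G, k) to a Clique instance
    (complement of G, k): a set S is independent in G iff S is a
    clique in the complement graph.  The map runs in time O(n^2)."""
    edge_set = {frozenset(e) for e in edges}
    co_edges = [(u, v) for u, v in combinations(range(n), 2)
                if frozenset((u, v)) not in edge_set]
    return co_edges, n, k

def has_clique(edges, n, k):
    """Brute-force Clique solver, standing in for an oracle for B."""
    edge_set = {frozenset(e) for e in edges}
    return any(all(frozenset(p) in edge_set for p in combinations(s, 2))
               for s in combinations(range(n), k))

def has_independent_set(edges, n, k):
    """Solve A (Independent Set) through the reduction and the B-oracle."""
    return has_clique(*reduce_indset_to_clique(edges, n, k))

# A path on 4 vertices has an independent set of size 2 ({0, 2}) but none
# of size 3:
print(has_independent_set([(0, 1), (1, 2), (2, 3)], 4, 2))  # True
print(has_independent_set([(0, 1), (1, 2), (2, 3)], 4, 3))  # False
```

Only the mapping `reduce_indset_to_clique` needs to be polynomial-time; the oracle it feeds is treated as a black box, exactly as in Figure~\ref{fig:poly-reduction}.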

Until now, we have mainly focused on the running time of the algorithms.
In cryptology, it is also important to consider the success probability of algorithms:
an attack is successful if the probability that it succeeds is noticeable.

\index{Negligible function}
\scbf{Notation.} Let $f : \NN \to [0,1]$ be a function. The function $f$ is called \emph{negligible} if $f(n) = n^{-\omega(1)}$, and this is written $f(n) = \negl[n]$. Non-negligible functions are called \emph{noticeable} functions. If $f = 1 - \negl[n]$, then $f$ is called \emph{overwhelming}.
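A quick numerical sanity check of this notation (illustrative only; the helper below is an assumption of this sketch): $2^{-n}$ eventually falls below $n^{-c}$ for any fixed $c$ and stays there, whereas the noticeable function $n^{-2}$ never ends up permanently below $2^{-n}$.

```python
def eventually_below(f, g, start=1, horizon=10_000):
    """Return the first n >= start from which f(n) stays below g(n),
    checked up to a finite (heuristic) horizon; None if no such suffix."""
    n0 = None
    for n in range(start, horizon):
        if f(n) < g(n):
            if n0 is None:
                n0 = n
        else:
            n0 = None  # the stretch is broken; restart the count
    return n0

# 2^(-n) falls below n^(-5) and stays there from n = 23 onwards:
print(eventually_below(lambda n: 2.0 ** -n, lambda n: n ** -5.0))  # → 23
# ... whereas 1/n^2 never stays below 2^(-n):
print(eventually_below(lambda n: n ** -2.0, lambda n: 2.0 ** -n))  # → None
```

This is the practical meaning of $f(n) = n^{-\omega(1)}$: a negligible success probability is beaten by every inverse-polynomial threshold from some input length on.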

Now that we have defined the notions at the core of the proofs, we have to define the objects we work with:
namely, what we want to prove, and the hypotheses on which we rely, also called ``hardness assumptions''.

The details of the hardness assumptions we use are given in Chapter~\ref{chap:structures}. Nevertheless, some notions are common to them and are discussed here.

The amount of confidence one can put in a hardness assumption depends on many criteria.

First of all, a weaker assumption is preferred to a stronger one whenever possible.
To illustrate this, let us consider the two following assumptions:
\begin{definition}[Discrete logarithm] \label{de:DLP}
\index{Discrete Logarithm!Assumption}
\index{Discrete Logarithm!Problem}
The \emph{discrete logarithm problem} is defined as follows. Let $(\GG, \cdot)$ be a cyclic group of order $p$ with generator $g$.
Given $g, h \in \GG$, the goal is to find an integer $a \in \Zp$ such that $g^a = h$.

The \textit{discrete logarithm assumption} states that this problem is intractable for any $\ppt$ algorithm.
\end{definition}

\begin{definition}[Decisional Diffie-Hellman] \label{de:DDH} \index{Discrete Logarithm!Decisional Diffie-Hellman}
Let $\GG$ be a cyclic group of order $p$ with generator $g$. The \emph{decisional Diffie-Hellman} ($\DDH$) problem is the following.
Given $(g, g_1, g_2, g_3) = (g, g^a, g^b, g^c) \in \GG^4$, the goal is to decide whether $c = ab$ or $c$ is sampled uniformly in $\Zp$.

The \textit{\DDH assumption} is the intractability of this problem for any $\ppt$ algorithm.
\end{definition}

For instance, the discrete logarithm assumption is implied by the decisional Diffie-Hellman assumption.
Indeed, if one is able to solve the discrete logarithm problem, then it suffices to compute the discrete logarithm of $g_1$, say $\alpha$, and then check whether $g_2^\alpha = g_3$.
This is why it is preferable to work under the discrete logarithm assumption when possible.
This is however not always the case: for instance, there is no known security proof for the El Gamal encryption scheme under the discrete logarithm assumption alone.

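The reduction just described can be written out as a sketch in a small toy group (the parameters below are assumptions of this illustration; the brute-force `discrete_log` merely stands in for the hypothetical discrete-logarithm solver):

```python
# Toy sketch of the DL-solver-to-DDH-distinguisher reduction, in the
# multiplicative group Z_101^* with generator G = 2 (group order 100).
P, G = 101, 2

def discrete_log(h):
    """Stand-in DL oracle: find a such that G^a = h (mod P) by search."""
    return next(a for a in range(P - 1) if pow(G, a, P) == h)

def ddh_distinguisher(g1, g2, g3):
    """Decide a DDH instance (G, g1, g2, g3) using the DL oracle:
    recover alpha = log_G(g1), then test whether g2^alpha = g3."""
    alpha = discrete_log(g1)
    return pow(g2, alpha, P) == g3

a, b = 17, 42
g1, g2 = pow(G, a, P), pow(G, b, P)
print(ddh_distinguisher(g1, g2, pow(G, a * b, P)))  # real tuple: True
print(ddh_distinguisher(g1, g2, pow(G, 99, P)))     # random exponent: False
```

The distinguisher makes a single oracle call and wins with probability $1$, which shows that breaking the discrete logarithm breaks $\DDH$; hence $\DDH$ is the stronger assumption.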
\section{Random-Oracle Model, Standard Model and Half-Simulatability}