Introduction to Security Reduction

Transcription

1 springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN Ca. $ 109,00 Planned Discount group Professional Books (2) Product category Monograph Due st ed. 2018, 253 p. 4 illus. Guo, F., Susilo, W., Mu, Y., University of Wollongong, Wollongong, NSW, Australia Introduction to Security Reduction Security proofs are essential to public-key cryptography Illustrates important notions in security reductions Suitable for researchers and graduate students engaged with public-key cryptography This monograph illustrates important notions in security reductions and essential techniques in security reductions for group-based cryptosystems. Using digital signatures and encryption as examples, the authors explain how to program correct security reductions for those cryptographic primitives. Various schemes are selected and re-proven in this book to demonstrate and exemplify correct security reductions. This book is suitable for researchers and graduate students engaged with public-key cryptography. Order online at springer.com/booksellers Springer Customer Service Center LLC 233 Spring Street New York, NY USA T: SPRINGER NATURE ( ) or customerservice@springernature.com Prices and other details are subject to change without notice. All errors and omissions excepted. Americas: Tax will be added where applicable. Canadian residents please add PST, QST or GST. Please add $5.00 for shipping one book and $ 1.00 for each additional book. Outside the US and Canada add $ for first book, $5.00 for each additional book. If an order cannot be fulfilled within 90 days, payment will be refunded upon request. Prices are payable in US currency or its equivalent. ISBN / BIC: UMB / SPRINGER NATURE: SCI15009 Part of

2 Preface Security reduction is a very popular approach for proving security in public-key cryptography. With security reduction, roughly speaking, we can show that breaking a proposed scheme is as difficult as solving a mathematical hard problem. However, how to program a correct security reduction using an adversary s adaptive attack is rather complicated. The reason is that there is no universal security reduction for all proposed schemes. Security reductions given in cryptographic research papers are often hard for beginners to fully comprehend. To aid the beginners, some cryptography textbooks have illustrated how to correctly program security reductions with simpler examples. However, security reductions mentioned in research papers and previous textbooks are usually for specific schemes. The difference in security reductions for different schemes leads to confusion for the beginners. There is a need for a book that systematically introduces how to correctly program a security reduction for a cryptosystem, not for a specific scheme. With this in mind, we wrote this book, which we hope will help the reader understand how to correctly program a security reduction. The contents of this book, especially the foundations of security reductions, are based on our understanding and experience. The reader might find that the explanations of concepts are slightly different from those in other sources, because we have added some condiments to help the reader understand these concepts. For example, in a security reduction, the adversary is not a black-box adversary but a malicious adversary who has unbounded computational power. We thought this book would be completed within one year, but we underestimated its difficulty. It has taken more than four years to complete the writing of this book. There must still be errors that have not yet been found. We welcome any comments and suggestions. University of Wollongong, Australia Fuchun Guo, Willy Susilo, and Yi Mu May 2018 vii

3 Contents 1 Guide to This Book Notions, Definitions, and Models Digital Signatures Public-Key Encryption Identity-Based Encryption Further Reading Foundations of Group-Based Cryptography Finite Fields Definition Field Operations Field Choices Computations over a Prime Field Cyclic Groups Definitions Cyclic Groups of Prime Order Group Exponentiations Discrete Logarithms Cyclic Groups from Finite Fields Group Choice 1: Multiplicative Groups Group Choice 2: Elliptic Curve Groups Computations over a Group Bilinear Pairings Symmetric Pairing Asymmetric Pairing Computations over a Pairing Group Hash Functions Further Reading xi

4 xii Contents 4 Foundations of Security Reduction Introduction to Basic Concepts Mathematical Primitives and Superstructures Mathematical Problems and Problem Instances Cryptography, Cryptosystems, and Schemes Algorithm Classification Polynomial Time and Exponential Time Negligible and Non-negligible Insecure and Secure Easy and Hard Algorithm Classification Algorithms in Cryptography Hard Problems in Cryptography Security Levels Hard Problems and Hardness Assumptions Security Reductions and Security Proofs An Overview of Easy/Hard Problems Computational Easy Problems Computational Hard Problems Decisional Easy Problems Decisional Hard Problems How to Prove New Hard Problems Weak Assumptions and Strong Assumptions An Overview of Security Reduction Security Models Weak Security Models and Strong Security Models Proof by Testing Proof by Contradiction What Is Security Reduction? Real Scheme and Simulated Scheme Challenger and Simulator Real Attack and Simulation Attacks and Hard Problems Reduction Cost and Reduction Loss Loose Reduction and Tight Reduction Security Level Revisited Ideal Security Reduction An Overview of Correct Security Reduction What Should Bob Do? Understanding Security Reduction Successful Simulation and Indistinguishable Simulation Failed Attack and Successful Attack Useless Attack and Useful Attack Attack in Simulation Successful/Correct Security Reduction

5 Contents xiii Components of a Security Proof An Overview of the Adversary Black-Box Adversary What Is an Adaptive Attack? Malicious Adversary The Adversary in a Toy Game Adversary s Successful Attack and Its Probability Adversary s Computational Ability The Adversary s Computational Ability in a Reduction The Adversary in a Reduction What the Adversary Knows What the Adversary Never Knows How to Distinguish the Given Scheme How to Generate a Useless Attack Summary of Adversary An Overview of Probability and Advantage Definitions of Probability Definitions of Advantage Malicious Adversary Revisited Adaptive Choice Revisited Useless, Useful, Loose, and Tight Revisited Important Probability Formulas An Overview of Random and Independent What Are Random and Independent? Randomness Simulation with a General Function Randomness Simulation with a Linear System Randomness Simulation with a Polynomial Indistinguishable Simulation and Useful Attack Together Advantage and Probability in Absolutely Hard Problems An Overview of Random Oracles Security Proof with Random Oracles Hash Functions vs Random Oracles Hash List How to Program Security Reductions with Random Oracles Oracle Response and Its Probability Analysis Summary of Using Random Oracles Security Proofs for Digital Signatures Proof Structure Advantage Calculation Simulatable and Reducible Simulation of Secret Key Partition Tight Reduction and Loose Reduction Revisited Summary of Correct Security Reduction Security Proofs for Encryption Under Decisional Assumptions

6 xiv Contents Proof Structure Classification of Ciphertexts Classification of the Challenge Ciphertext Simulation of the Challenge Ciphertext Advantage Calculation Probability P T of Breaking the True Challenge Ciphertext Probability P F of Breaking the False Challenge Ciphertext Advantage Calculation Definition of One-Time Pad Examples of One-Time Pad Analysis of One-Time Pad Simulation of Decryption Simulation of Challenge Decryption Key Probability Analysis for P F Examples of Advantage Results for A K F and AI F Advantage Calculation Summary of Correct Security Reduction Security Proofs for Encryption Under Computational Assumptions Random and Independent Revisited One-Time Pad Revisited Solution to Hard Problem Revisited Simulation of Challenge Ciphertext Proof Structure Challenge Ciphertext and Challenge Hash Query Advantage Calculation Analysis of No Advantage Requirements of Decryption Simulation An Example of Decryption Simulation Summary of Correct Security Reduction Simulatable and Reducible with Random Oracles H-Type: Hashing to Group C-Type: Commutative I-Type: Inverse of Group Exponent Examples of Incorrect Security Reductions Example 1: Distinguishable Example 2: Useless Attack by Public Key Example 3: Useless Attack by Signature Examples of Correct Security Reductions One-Time Signature with Random Oracles One-Time Signature Without Random Oracles One-Time Signature with Indistinguishable Partition Summary of Concepts Concepts Related to Proof Preliminaries and Proof by Contradiction Security Reduction and Its Difficulty

7 Contents xv Simulation and Its Requirements Towards a Correct Security Reduction Other Confusing Concepts Digital Signatures with Random Oracles BLS Scheme BLS + Scheme BLS # Scheme BB RO Scheme ZSS Scheme ZSS + Scheme ZSS # Scheme BLS G Scheme Digital Signatures Without Random Oracles Boneh-Boyen Scheme Gentry Scheme GMS Scheme Waters Scheme Hohenberger-Waters Scheme Public-Key Encryption with Random Oracles Hashed ElGamal Scheme Twin Hashed ElGamal Scheme Iterated Hashed ElGamal Scheme Fujisaki-Okamoto Hashed ElGamal Scheme Public-Key Encryption Without Random Oracles ElGamal Scheme Cramer-Shoup Scheme Identity-Based Encryption with Random Oracles Boneh-Franklin Scheme Boneh-Boyen RO Scheme Park-Lee Scheme Sakai-Kasahara Scheme Identity-Based Encryption Without Random Oracles Boneh-Boyen Scheme Boneh-Boyen + Scheme Waters Scheme Gentry Scheme References