Update to Provable Security: Designs and Open Questions

Until very recently the development of cryptographic solutions for electronic commerce applications was done in an ad hoc manner. Notions of security for protocols that designers wished to meet were intuitive rather than rigorous. Schemes were designed that were subsequently broken, modifications were made to prevent specific attacks, and so the cycle would repeat. This is clearly an unsatisfactory methodology, since an adversary will devise its attacks after the scheme has been specified. In particular, it will try to take actions other than those envisioned by the designer. The idea of provable security is to formally define security notions for cryptographic problems. Once one has a formal definition, one designs schemes so that one can provide a mathematical justification for their security under the chosen definition. The way one does this is by showing how an algorithm to break the scheme could be used to solve some intractable problem. The conclusion is that, if the problem is indeed intractable, then the scheme must be secure under the chosen definition. This is preferable to an ad hoc approach because the result holds regardless of the strategy employed by the adversary when it attempts to break the scheme. The idea of provable security was first introduced by Goldwasser and Micali in 1984 in their paper Probabilistic Encryption. The cryptographic scheme that they treated in this work was public key encryption. Since then the principle has been applied extensively in a variety of contexts. In this report we survey the state of the art of provable security. We begin by giving a more in-depth introduction to the subject and describing some of the major results that have been achieved. Having done this we discuss some of the most pressing open problems in the area.

ECRYPT — European NoE in Cryptology
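As an added illustration of the reduction method the abstract describes (this is example code, not part of the report): a toy version of Rabin's argument that any algorithm extracting square roots modulo N = pq can be used as a black box to factor N, so breaking the scheme is at least as hard as factoring. The helper names, the "cheating" oracle that stands in for an arbitrary adversary, and the small primes are all constructed for the example.

```python
import math
import random

# Toy reduction (added example): square-root extraction modulo N = p*q  ->  factoring N.
# The "adversary" oracle below cheats by knowing p and q so the example can run;
# in a real proof it is an arbitrary algorithm that the reduction only calls as a black box.

def _sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p with p = 3 (mod 4)."""
    return pow(a, (p + 1) // 4, p)

def make_root_oracle(p, q, rng):
    """Constructed black-box adversary: returns one of the four square roots of y mod p*q, chosen at random."""
    n = p * q
    inv_q = pow(q, -1, p)   # q^-1 mod p, for the CRT combination
    inv_p = pow(p, -1, q)   # p^-1 mod q
    def oracle(y):
        rp = _sqrt_mod_prime(y % p, p)
        rq = _sqrt_mod_prime(y % q, q)
        sp = rng.choice([rp, p - rp])   # random sign modulo p
        sq = rng.choice([rq, q - rq])   # random sign modulo q
        return (sp * q * inv_q + sq * p * inv_p) % n
    return oracle

def factor_with_oracle(n, oracle, rng, tries=64):
    """The reduction: factor n using nothing but black-box calls to the root oracle."""
    for _ in range(tries):
        x = rng.randrange(2, n)
        g = math.gcd(x, n)
        if g != 1:                       # lucky pick already reveals a factor
            return sorted((g, n // g))
        r = oracle(x * x % n)            # r^2 = x^2 (mod n), so (r-x)(r+x) = 0 (mod n)
        if r not in (x, n - x):          # with probability 1/2 the root is "the other pair"
            d = math.gcd(r - x, n)       # then gcd(r-x, n) is a nontrivial factor
            return sorted((d, n // d))
    return None                          # fails only with probability 2^-tries

def demo(p=10007, q=10039, seed=1):
    """Run the reduction on constructed primes p, q (both 3 mod 4); returns [p, q]."""
    rng = random.Random(seed)
    return factor_with_oracle(p * q, make_root_oracle(p, q, rng), rng)

if __name__ == "__main__":
    print(demo())   # [10007, 10039]
```

The reduction never looks inside the oracle; that is exactly why the resulting security statement holds for every adversary strategy, not only the ones the designer anticipated.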
