
Goldreich, and Halevi demonstrated [CGH ]. Nevertheless, their construction is rather artificial and the impact of replacing the random oracle by a traditional hash function in a more conventional design is yet to be clearly outlined.

Definition . (Random Oracle)

A random oracle over $\{0,1\}^n$ is an algorithm managing a table $T$, initially empty, which receives bit-strings $x$ of arbitrary length as queries and answers as follows:

If $T$ already contains an entry $(x, y)$, then it simply returns $y$.

Otherwise, it picks a random $y \in \{0,1\}^n$, inserts the pair $(x, y)$ in $T$ and finally returns $y$.

2.7 Proof Techniques

. . Hard Problems

Proofs of security in cryptography are usually reductions. That is, they transform an algorithm performing an attack on a system in a certain model into an adversary against a believed-to-be-hard computational problem, in the sense that no probabilistic polynomial-time adversary can solve it. However, cryptographic hard problems are in some sense harder than NP-complete problems: they require that a randomly chosen instance of the problem be hard to solve, whereas NP-completeness deals with the same issue but only for worst-case instances. It then follows that $P \neq NP$ is not a sufficient condition for the existence of these problems. However, if $P = NP$ then no such problem would exist.

Typical conjectured hard problems include

• The Factorization Problem. For two prime numbers $p$ and $q$, define $n = pq$. The factoring problem is to recover $p$ and $q$ from $n$. Rabin's cryptosystem is based on the assumption [Rab ]. Recovering the secret key in RSA [RSA ] is also as hard as solving this problem.

• The RSA Problem. This is also known as the $e$th-root problem. Given a hard to factor integer $n$, an integer $e < n$ such that $\gcd(e, \varphi(n)) = 1$, and $y \in_R \mathbb{Z}_n$, compute $x$ such that $x^e = y \pmod{n}$. The reason this problem is named this way is because it is the computational assumption on which the security of the RSA cryptosystem stands.

• The Discrete Logarithm Problem. Given a generator $g$ of a cyclic group $G$ (typically the multiplicative group of a finite field or an elliptic curve group) and $y \in_R G$, find $x$ such that $g^x = y$. The security of the Elgamal cryptosystem against key recovery attacks rests on this problem.

• The Diffie-Hellman Problem. This is the problem induced by the Diffie-Hellman key agreement protocol. In this problem $g$ is a generator of a cyclic group $G$ and $x, y$ are two integers. The problem is, given $g$, $g^x$, and $g^y$, to recover $g^{xy}$.

• The Decisional Diffie-Hellman Problem. The DDH problem is to distinguish between a Diffie-Hellman triplet, i.e., $(g^x, g^y, g^{xy})$, where $g$ is a generator of a cyclic group $G$ and $x, y$ are randomly chosen integers, from a triplet $(g^x, g^y, R)$, where $R$ is random uniformly distributed over $G$. The semantic security of the Elgamal cryptosystem relies on the hardness of this problem.
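As an added example, not code from the thesis, the reductions that order the last three problems above (DDH is no harder than CDH, which is no harder than discrete log), written out over a constructed toy group: a small prime $P$ and generator $G$ of $\mathbb{Z}_P^*$, chosen so that the discrete-log "oracle" can simply be brute force. The names `dlog_oracle`, `cdh_from_dlog`, `ddh_from_cdh` and the parameters are mine.

```python
import random

# Constructed toy parameters: a small prime P and a generator G of Z_P^*.
# The group is tiny on purpose so that the discrete log "oracle" below can
# be brute force; only the shape of the reductions matters here.
P = 1019
G = 2
ORDER = P - 1

def is_generator() -> bool:
    """Sanity check: G generates all of Z_P^*, so every element has a log."""
    return len({pow(G, k, P) for k in range(ORDER)}) == ORDER

def dlog_oracle(y: int) -> int:
    """Discrete logarithm oracle (brute force): the x with G^x = y mod P."""
    for x in range(ORDER):
        if pow(G, x, P) == y:
            return x
    raise ValueError("y is not in the group generated by G")

def cdh_from_dlog(gx: int, gy: int) -> int:
    """CDH <= DLOG: recover x from g^x with the oracle, then return (g^y)^x."""
    return pow(gy, dlog_oracle(gx), P)

def ddh_from_cdh(gx: int, gy: int, z: int) -> bool:
    """DDH <= CDH: (g^x, g^y, z) is a DH triplet iff z equals CDH(g^x, g^y)."""
    return cdh_from_dlog(gx, gy) == z

def make_triplet(real: bool, rng: random.Random) -> tuple:
    """Challenger: a DH triplet (g^x, g^y, g^xy) or (g^x, g^y, R), R random."""
    x, y = rng.randrange(1, ORDER), rng.randrange(1, ORDER)
    gx, gy = pow(G, x, P), pow(G, y, P)
    z = pow(G, x * y, P) if real else pow(G, rng.randrange(1, ORDER), P)
    return gx, gy, z

def ddh_success_rate(trials: int = 200, seed: int = 1) -> float:
    """Fraction of DDH challenges the composed reduction classifies correctly.

    With a perfect CDH solver the only errors are the ~1/|G| cases where the
    random R happens to equal g^xy, so the rate is close to 1: a DDH
    distinguisher falls out of any CDH solver, and a CDH solver out of any
    discrete-log solver, which is why DLOG is the strongest assumption.
    """
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        real = rng.random() < 0.5
        correct += ddh_from_cdh(*make_triplet(real, rng)) == real
    return correct / trials
```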

In the next two sections, we review classical techniques to reduce the security of a cryptosystem to a certain mathematical problem.

. . The Simulation Paradigm and Hybrid Arguments

Intuitively, the property expected of a secure cryptographic functionality is that it does not leak any information to an attacker interacting with it in a non-predictable way. The classical way to approach the problem is due to Goldwasser and Micali [GM ], who formalized this requirement by saying that if the adversary does not learn any information from interacting with a system, then it should be possible to replace all the responses computed by the system by adequate “fake” messages without effectively disturbing the output of the adversary. Being independent from the cryptographic system, these fake messages can be generated by a third party called the simulator. For instance, we expect from a secure block cipher that ciphertexts are indistinguishable from random bit-strings, so that we can define a simulator that replaces those ciphertexts by random elements.

This simulation is sufficient when the adversary has only one access to the functionality, e.g., to an encryption oracle. However, the situation may be more complicated when the adversary produces adaptively chosen queries. The common technique to deal with these issues is to consider intermediate adversaries.

Now assume that the adversary makes a polynomially bounded number $q$ of queries to that encryption oracle, and the goal is to obtain an adversary who only gets access to random elements and produces an indistinguishable output. We define $q + 1$ intermediate adversaries, denoted $A_0, \dots, A_i, \dots, A_q$, called hybrids, such that the first $i$ queries of $A_i$ are handled by the encryption oracle and the rest of them are processed by the simulator. The idea is to show that if $A_i$ and $A_{i+1}$ produce indistinguishable distributions, in the sense that the distance between the two output distributions is negligible, then by the triangle inequality $A_0$ and $A_q$ produce indistinguishable distributions. To conclude, the latter two algorithms respectively correspond to the one that only accesses the “real” oracle and to the one that accesses the simulator. The proof technique as a whole is called a hybrid argument.
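As an added worked derivation, not part of the original text, the triangle-inequality step of the hybrid argument carried out with the hybrids $A_0, \dots, A_q$ above; $\Delta(A_i, A_{i+1})$ is my notation for the distance between the output distributions of $A_i$ and $A_{i+1}$, and $\epsilon$ is the assumed negligible bound on each such distance:

$$
\Delta(A_0, A_q) \;\le\; \sum_{i=0}^{q-1} \Delta(A_i, A_{i+1}) \;\le\; q \cdot \epsilon .
$$

Since $q$ is polynomially bounded and $\epsilon$ is negligible, $q\epsilon$ is still negligible. Read in the other direction, a distinguisher that tells $A_0$ from $A_q$ apart with advantage $\delta$ must, by the pigeonhole principle, tell some pair $A_i$, $A_{i+1}$ apart with advantage at least $\delta/q$, which is how the number of queries enters the loss of the reduction.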

. . The Game Proof Methodology

It is often the case that a cryptosystem relies on more than one assumption to be proven secure. For this kind of system, the simulation paradigm shows its limitations as it results in proofs that are often complex to follow and verify.

Instead, the game proof methodology allows each case to be treated at once by considering a number of “intermediate games”. The proof starts by considering a game, denoted Game , played by an adversary $\mathcal{A}$ against a challenger that simulates the environment for $\mathcal{A}$ and ensures that she follows the game description. The adversary then wins at the end if an event $S_0$ occurs. The proof consists of iteratively tweaking the game until we obtain an adversary literally attacking a mathematical problem. $S_i$ denotes the event that the adversary wins in Game $i$. Three different types of transitions are usually considered [Sho ].

 

Transitions based on indistinguishability. In such a transition, a small change is made that, if detected by the adversary, would imply an efficient method of distinguishing between two distributions that are indistinguishable (either statistically or computationally).

Transitions based on failure events. In such a transition, we argue that Games $i$ and $i + 1$ proceed identically unless a certain “failure event” $E$ occurs. Using the Difference Lemma, it can be shown that the statistical distance between the two games, i.e., $\lvert \Pr[S_i] - \Pr[S_{i+1}] \rvert$, can be bounded by $\Pr[E]$. Therefore, as long as $E$ occurs with negligible probability, the transition goes unnoticed by the adversary.

Bridging Games. These transitions are generally used to make the proof simpler by reformulating how certain quantities or variables are computed.
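As an added worked derivation, not part of the original text, the Difference Lemma invoked in the failure-event transitions above, with the events $S_i$, $S_{i+1}$ and $E$ as defined there. The hypothesis that the two games proceed identically unless $E$ occurs is formalised as $S_i \wedge \neg E \Leftrightarrow S_{i+1} \wedge \neg E$, i.e., $\Pr[S_i \wedge \neg E] = \Pr[S_{i+1} \wedge \neg E]$:

$$
\begin{aligned}
\Pr[S_i] - \Pr[S_{i+1}]
  &= \bigl(\Pr[S_i \wedge E] + \Pr[S_i \wedge \neg E]\bigr)
   - \bigl(\Pr[S_{i+1} \wedge E] + \Pr[S_{i+1} \wedge \neg E]\bigr) \\
  &= \Pr[S_i \wedge E] - \Pr[S_{i+1} \wedge E] .
\end{aligned}
$$

Both remaining terms lie in the interval $[0, \Pr[E]]$, so their difference satisfies $\lvert \Pr[S_i] - \Pr[S_{i+1}] \rvert \le \Pr[E]$, which is exactly the bound used in the text: a transition whose failure event has negligible probability changes the adversary's winning probability by a negligible amount.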

Part I

THE SECURITY OF RFID PRIMITIVES