## Computational Security for Cryptography (2009)

### BibTeX

```bibtex
@MISC{Pointcheval09computationalsecurity,
  author = {David Pointcheval},
  title = {Computational Security for Cryptography},
  year = {2009}
}
```

### Abstract

Since the appearance of public-key cryptography in the seminal Diffie-Hellman paper, many schemes have been proposed, but many have been broken. Indeed, for a long time, the simple fact that a cryptographic algorithm had withstood cryptanalytic attacks for several years was considered a kind of validation. But some schemes took a long time before being widely studied, and were perhaps only broken thereafter. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity-theoretic sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, this was initially a purely theoretical line of work: very few practical schemes could be proven in this so-called “standard model”, because such a security level rarely goes together with efficiency. Ten years ago, Bellare and Rogaway proposed a trade-off to achieve some kind of validation of efficient schemes, by identifying some concrete cryptographic objects with ideal random ones. The most famous such identification appeared in the so-called “random-oracle model”. More recently, another direction has been taken to prove the security of efficient schemes in the standard model (without any ideal assumption) by using stronger computational assumptions. In these lectures, we focus on practical asymmetric protocols together with their “reductionist” security proofs. We cover the two main goals that public-key cryptography aims to solve: authentication with digital signatures, and confidentiality with public-key encryption schemes.

### Citations

2929 | New directions in cryptography
- Diffie, Hellman
- 1976
Citation Context: ...e: authentication with digital signatures, and confidentiality with public-key encryption schemes. 1 Introduction Since the beginning of public-key cryptography, with the seminal Diffie-Hellman paper [25], many suitable algorithmic problems for cryptography have been proposed and many cryptographic schemes have been designed, together with more or less heuristic proofs of their security relative to th...

1419 | Random Oracles are Practical: A Paradigm for Designing Efficient
- Bellare, Rogaway
- 1993
Citation Context: ...it is by now usual to identify hash functions with ideal random functions, in the so-called “random-oracle model”, informally introduced by Fiat and Shamir [28], and formalized by Bellare and Rogaway [10]. Similarly, block ciphers are identified with families of truly random permutations in the “ideal cipher model” [9]. A few years ago, another kind of idealization was introduced in cryptography, the ...

1231 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context: ... reductions. However, their aim was essentially theoretical. They were indeed trying to minimize the required assumptions on the primitives (one-way functions or permutations, possibly trapdoor, etc) [37, 35, 52, 71] without considering practicality. Therefore, they just needed to design a scheme with polynomial algorithms, and to exhibit polynomial reductions from the basic assumption on the primitive into an ...

1080 | The Knowledge Complexity of Interactive Proof Systems
- Goldwasser, Micali, et al.
Citation Context: ...N. 5.1.2 The Schnorr Signature Scheme In 1986 a new paradigm for signature schemes was introduced. It is derived from fair zero-knowledge identification protocols involving a prover and a verifier [36], and uses hash functions in order to create a kind of virtual verifier. The first application was derived from the Fiat–Shamir [28] zero-knowledge identification protocol, based on the hardness of ex...

881 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir
- 1987
Citation Context: ...ith ideal (or black-box) ones. For example, it is by now usual to identify hash functions with ideal random functions, in the so-called “random-oracle model”, informally introduced by Fiat and Shamir [28], and formalized by Bellare and Rogaway [10]. Similarly, block ciphers are identified with families of truly random permutations in the “ideal cipher model” [9]. A few years ago, another kind of ideal...

863 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context: ...l to achieve: which adversary’s goal one wants to be intractable, under which kind of attack. At the beginning of the 1980’s, such security notions have been defined for encryption [35] and signature [37, 38], and provably secure schemes have been suggested. However, those proofs had a theoretical impact only, because both the proposed schemes and the reductions were completely unpractical, yet polynomial...

792 | Differential Power Analysis
- Kocher, Jaffe, Jun
- 1999
Citation Context: ...nsider timing attacks [44], where the adversary tries to extract the secrets from the computational time. Some other attacks analyze the electrical energy required by a computation to get the secrets [45], or to make the primitive fail on some computation [13, 16]. They are not captured either by this model. 3 A First Formalism In this section we describe more formally what a signature scheme and an e...

662 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context: ... hand, assuming the tamper-resistance of some devices, such as smart cards, the random-oracle model is equivalent to the standard model, which simply requires the existence of pseudo-random functions [34, 51]. As a consequence, almost all the standards bodies by now require designs provably secure, at least in that model, thanks to the security validation of very efficient protocols. 2.5 The General Frame...

476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack
- Cramer, Shoup
Citation Context: ...texts of any size could be encrypted using this conversion (see Figure 15), with a very high speed rate. 7 Conclusion 10 years ago, Cramer and Shoup proposed the first schemes, for both encryption [23] and signature [24], with formal security proofs in the standard model (without any ideal assumption). The encryption scheme achieves IND-CCA under the sole DDH assumption, which says that the DDH pro...

476 | Timing Attacks on Implementations of Diffie-Hellman
- Kocher
Citation Context: ... access to the cryptographic primitive, but as a black-box. It can ask any query of its choice, and the box always answers correctly, in constant time. Such a model does not consider timing attacks [44], where the adversary tries to extract the secrets from the computational time. Some other attacks analyze the electrical energy required by a computation to get the secrets [45], or to make the primi...

470 | Relations Among Notions of Security for Public-Key Encryption Schemes
- Bellare, Desai, et al.
- 1998
Citation Context: ...reductionist” sense. 1.4 Related Work These notes present a survey, based on several published papers, from the author, with often several co-authors: about signature [67, 69, 68, 17, 84], encryption [7, 3, 62, 59, 32, 33] and provably secure constructions [61, 63, 65, 64, 66]. Many other papers are also cited and rephrased, which present efficient provably secure constructions. Among the bibliography list presented at...

470 | Non-malleable cryptography
- Dolev, Dwork, et al.
Citation Context: ...← A1(pk), 2 × Pr_{b,r}[ c = E_pk(m_b; r) : A2(m0, m1, s, c) = b ] − 1, (A), formally where the adversary A is seen as a 2-stage attacker (A1, A2), should be negligible. A later notion is non-malleability (NM) [26]. To break it, the adversary, given a ciphertext, tries to produce a new ciphertext such that the plaintexts are meaningfully related. This notion is stronger than the above semantic security, but it ...

352 | The exact security of digital signatures - How to sign with RSA and Rabin
- Bellare, Rogaway
- 1996

332 | A public key cryptosystem and a signature scheme based on discrete logarithms
- El Gamal
- 1985
Citation Context: ... s = (m − xr)/K mod (p − 1) → (r, s) is a signature of m. V: Verification of (m, r, s): check whether g^m =? y^r r^s mod p → Yes/No. Figure 2: The El Gamal Signature Scheme. on the El Gamal signature scheme [27], the first DL-based signature scheme designed in 1985 and depicted on Figure 2. Whereas existential forgeries were known for that scheme, it was believed to prevent universal forgeries. The first ana...

324 | On the Importance of Checking Cryptographic Protocols for Faults
- Boneh, DeMillo, et al.
- 1997
Citation Context: ... extract the secrets from the computational time. Some other attacks analyze the electrical energy required by a computation to get the secrets [45], or to make the primitive fail on some computation [13, 16]. They are not captured either by this model. 3 A First Formalism In this section we describe more formally what a signature scheme and an encryption scheme are. Moreover, we make precise the security...

255 | The random oracle methodology, revisited
- Canetti, Goldreich, et al.
- 1998
Citation Context: ...y the way, flaws have been shown in the “generic model” [84] on practical schemes, and the “random-oracle model” is not equivalent to the standard one either. Several gaps have already been exhibited [19, 54, 6]. However, all the counter-examples in the random-oracle model are pathological, counter-intuitive and not natural. Therefore, in the sequel, we focus on security analyses in this model, for real and n...

249 | Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS
- Bleichenbacher
Citation Context: ...whether it is a valid ciphertext or not. Such a weak oracle, involved in the so-called reaction attacks [39] or Validity-Checking Attack (VCA), had been enough to break some famous encryption schemes [15, 42]. • A plaintext-checking oracle which, on input a pair (m, c), answers whether c encrypts the message m. This attack has been termed the Plaintext-Checking Attack (PCA) [59]. • The decryption oracle it...

247 | Differential fault analysis of secret key cryptosystems (CRYPTO ’97)
- Biham, Shamir
Citation Context: ... extract the secrets from the computational time. Some other attacks analyze the electrical energy required by a computation to get the secrets [45], or to make the primitive fail on some computation [13, 16]. They are not captured either by this model. 3 A First Formalism In this section we describe more formally what a signature scheme and an encryption scheme are. Moreover, we make precise the security...

216 | Optimal asymmetric encryption - How to encrypt with RSA
- Bellare, Rogaway
Citation Context: ...ts with a trapdoor one-way permutation onto X, one could hope the ciphertext to be an element in X, without anything else. In 1994, Bellare and Rogaway proposed such a more compact generic conversion [11], in the random-oracle model, the “Optimal Asymmetric Encryption Padding” (OAEP, see Figure 10), obtained from a trapdoor one-way permutation f onto {0,1}^k, whose inverse is denoted by f^{-1}. We m 0...

180 | Secure Integration of Asymmetric and Symmetric Encryption Schemes
- Fujisaki, Okamoto
- 1999
Citation Context: ...el. While applying this conversion to the above El Gamal encryption (see Section 6.1), one obtains an IND-CCA encryption scheme relative to the DDH problem. Later, independently, Fujisaki and Okamoto [31] and the author [62] proposed better generic conversions since they apply to any OW-CPA scheme to make it into an IND-CCA one, still in the random-oracle model. This high security level is just at the...

172 | Collision-free accumulators and fail-stop signature schemes without trees
- Baric, Pfitzmann
- 1997
Citation Context: ...sole DDH assumption, which says that the DDH problem is intractable. The signature scheme prevents existential forgeries, even against adaptive chosen-message attacks, under the Strong RSA assumption [2, 29], which claims the intractability of the Flexible RSA problem: Given an RSA modulus N and any y ∈ Z*_N, produce x and a prime integer e such that y = x^e mod N. Both schemes are very nice because they...

161 | Signature Schemes Based on the Strong RSA Assumption
- Cramer, Shoup
Citation Context: ...ould be encrypted using this conversion (see Figure 15), with a very high speed rate. 7 Conclusion 10 years ago, Cramer and Shoup proposed the first schemes, for both encryption [23] and signature [24], with formal security proofs in the standard model (without any ideal assumption). The encryption scheme achieves IND-CCA under the sole DDH assumption, which says that the DDH problem is intractable...

135 | RSA-OAEP is secure under the RSA assumption
- Fujisaki, Okamoto, et al.
Citation Context: ...reductionist” sense. 1.4 Related Work These notes present a survey, based on several published papers, from the author, with often several co-authors: about signature [67, 69, 68, 17, 84], encryption [7, 3, 62, 59, 32, 33] and provably secure constructions [61, 63, 65, 64, 66]. Many other papers are also cited and rephrased, which present efficient provably secure constructions. Among the bibliography list presented at...

122 | On the exact security of full domain hash
- Coron
- 2000
Citation Context: ...1, 63, 65, 64, 66]. Many other papers are also cited and rephrased, which present efficient provably secure constructions. Among the bibliography list presented at the end, we would like to insist on [10, 11, 12, 22, 82, 83]. We thus refer the reader to the original papers for more details. 2 Security Proofs and Security Arguments 2.1 Computational Assumptions In both symmetric and asymmetric scenarios, many security not...

108 | Public-key encryption in a multi-user setting: Security proofs and improvements
- Bellare, Boldyreva, et al.
- 2000
Citation Context: ...y extends to the multi-user setting: if an encryption scheme is semantically secure in the classical sense, it is also semantically secure in multi-user scenarios, against both passive [3] and active [5] adversaries. [Figure residue: NM-CPA, NM-CCA, IND-CPA, IND-CCA, OW-CPA, OW-VCA, OW-CCA; OW, IND, NM: One-Wayness, Indistinguishability (a.k.a. Semantic Security), Non-Malleability; CPA, VCA, CCA: Chosen-Plaintext Attack, ...]

83 | How to Enhance the Security of Public-Key Encryption at Minimum
- Fujisaki, Okamoto
Citation Context: ...hich is the case of the RSA function. However, the only trapdoor problem known in the DL-setting is the Diffie-Hellman problem, and it does not provide any bijection. Thus, first Fujisaki and Okamoto [30] proposed a generic conversion from any IND-CPA scheme into an IND-CCA one, in the random-oracle model. While applying this conversion to the above El Gamal encryption (see Section 6.1), one obtains a...

78 | Solving Simultaneous Modular Equations of Low Degree
- Håstad
- 1988
Citation Context: ...ted under different keys to be sent to many people (e.g. broadcast of encrypted data). This may provide many useful data for an adversary. For example, RSA is well-known to be weak in such a scenario [40, 79], namely with a small encryption exponent, because of the Chinese Remainders Theorem. But once again, semantic security has been shown to be the appropriate security level, since it automatically exte...

65 | GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks
- Bellare, Palacio
Citation Context: ...ted time less than C q_h T, for some constant C. This result has been more recently extended to the transformation of any identification scheme secure against passive adversaries into a signature scheme [8]. Brickell, Vaudenay, Yung and the author also extended the forking lemma technique [69, 17] to many variants of El Gamal [27] and DSA [55], such as the Korean Standard KCDSA [43]. However, the origin...

36 | A Knapsack Type Public Key Cryptosystem Based on Arithmetic
- Chor, Rivest
Citation Context: ... cryptanalytic attacks for several years has often been considered as a kind of validation procedure, but some schemes take a long time before being broken. An example is the Chor-Rivest cryptosystem [21, 48], based on the knapsack problem, which took more than 10 years to be totally broken [86], whereas before this attack it was believed to be strongly secure. As a consequence, the lack of attacks at som...

35 | A “paradoxical” solution to the signature problem
- Goldwasser, Micali, et al.
- 1984
Citation Context: ... reductions. However, their aim was essentially theoretical. They were indeed trying to minimize the required assumptions on the primitives (one-way functions or permutations, possibly trapdoor, etc) [37, 35, 52, 71] without considering practicality. Therefore, they just needed to design a scheme with polynomial algorithms, and to exhibit polynomial reductions from the basic assumption on the primitive into an ...

32 | Extended notions of security for multicast public key cryptosystems
- Baudron, Pointcheval, et al.
Citation Context: ...reductionist” sense. 1.4 Related Work These notes present a survey, based on several published papers, from the author, with often several co-authors: about signature [67, 69, 68, 17, 84], encryption [7, 3, 62, 59, 32, 33] and provably secure constructions [61, 63, 65, 64, 66]. Many other papers are also cited and rephrased, which present efficient provably secure constructions. Among the bibliography list presented at...

30 | Reaction attacks against several public-key cryptosystems
- Hall, Goldberg, et al.
- 1999
Citation Context: ...ll access to some oracles: • A validity-checking oracle which, on input a ciphertext c, answers whether it is a valid ciphertext or not. Such a weak oracle, involved in the so-called reaction attacks [39] or Validity-Checking Attack (VCA), had been enough to break some famous encryption schemes [15, 42]. • A plaintext-checking oracle which, on input a pair (m, c), answers whether c encrypts the message...

27 | Practice-oriented provable security
- Bellare
- 1997
Citation Context: ...ent paradigm is provided by the concept of “provable” security. A significant line of research has tried to provide proofs in the framework of complexity theory (a.k.a. “reductionist” security proofs [4]): the proofs provide reductions from a well-studied problem (RSA or the discrete logarithm) to an attack against a cryptographic protocol. At the beginning, people just tried to define the security n...

26 | Design validations for discrete logarithm based signature schemes
- Brickell, Pointcheval, et al.
Citation Context: ...h some security analyses in the “reductionist” sense. 1.4 Related Work These notes present a survey, based on several published papers, from the author, with often several co-authors: about signature [67, 69, 68, 17, 84], encryption [7, 3, 62, 59, 32, 33] and provably secure constructions [61, 63, 65, 64, 66]. Many other papers are also cited and rephrased, which present efficient provably secure constructions. Among...

18 | The Development of the Number Field Sieve, Volume 1554
- Lenstra, Lenstra
- 1993
Citation Context: ... factoring. However, on a 1024-bit number (k = 2^10), it provides an algorithm that requires 2^125 basic operations, which is much more than the complexity of the best current algorithm, such as NFS [46], which needs less than 2^100 (see Section 4). Therefore, such a reduction would just be meaningful for numbers above 4096 bits (since with k = 2^12, 2^145 < 2^149, where 2^149 is the estimate effor...

17 | On the power of misbehaving adversaries and security analysis of the original EPOC
- Joye, Quisquater, et al.
Citation Context: ...whether it is a valid ciphertext or not. Such a weak oracle, involved in the so-called reaction attacks [39] or Validity-Checking Attack (VCA), had been enough to break some famous encryption schemes [15, 42]. • A plaintext-checking oracle which, on input a pair (m, c), answers whether c encrypts the message m. This attack has been termed the Plaintext-Checking Attack (PCA) [59]. • The decryption oracle it...

15 | Formal Security Proofs for a Signature Scheme with Partial Message Recovery. 2000. Available at http://www.cacr.math.uwaterloo
- Brown, Johnson
Citation Context: ...group, is defined by a black-box: a new element necessarily comes from the addition (or the subtraction) of two already known elements. It is by now called the “generic model”. Some more recent works [77, 18] even require several ideal models together to provide some new validations. 1.3 Outline of the Notes In the next section, we explain and motivate more about exact security proofs, and we introduce th...

15 | Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method
- Joux, Lercier
- 2002
Citation Context: ...ments. However, for subgroups of Z*_p, some better techniques can be applied. The best algorithm is based on sieving on number fields, as for the factorization. The General Number Field Sieve method [41] has a super-polynomial, but sub-exponential, complexity in O(exp((1.923 + o(1)) (ln p)^{1/3} (ln ln p)^{2/3})). It was used to establish the last record, in April 2001 as well, by computing discrete logari...

8 | Generating El Gamal Signatures without Knowing the Secret Key
- Bleichenbacher
- 1996
Citation Context: ...eme designed in 1985 and depicted on Figure 2. Whereas existential forgeries were known for that scheme, it was believed to prevent universal forgeries. The first analysis, from Daniel Bleichenbacher [14], showed such a universal forgery when the generator g is not properly chosen. The second one, from Jacques Stern and the author [67], proved the security against existential forgeries under adaptive ...

5 | A Separation between the Random-Oracle Model and the Standard Model for a Hybrid Encryption
- Bellare, Boldyreva, et al.
- 2003
Citation Context: ...y the way, flaws have been shown in the “generic model” [84] on practical schemes, and the “random-oracle model” is not equivalent to the standard one either. Several gaps have already been exhibited [19, 54, 6]. However, all the counter-examples in the random-oracle model are pathological, counter-intuitive and not natural. Therefore, in the sequel, we focus on security analyses in this model, for real and n...

4 | Factorization of a 512-bit RSA Modulus
- Putnam, Zimmermann
- 2000
Citation Context: ...mplexity in O(exp((1.923 + o(1)) (ln n)^{1/3} (ln ln n)^{2/3})). It has been used to establish the main record, in August 1999, by factoring a 155-digit integer (512 bits), product of two 78-digit primes [20]. The factored number, called RSA155, was taken from the “RSA Challenge List”, which is used as a yardstick for the security of the RSA cryptosystem (see later). The latter is used extensively in ha...