
Cryptographic Schemes and Their Security

1.1 Motivation

1.1.1 Cryptographic Schemes and Their Security

Numerous cryptographic schemes have been proposed to meet various desirable security and performance requirements. It is very important to design robust and versatile cryptographic schemes which can serve as sound security primitives. However, many schemes were subsequently found to be flawed, and were then either modified to withstand the new attacks or abandoned altogether. Designers do what they can to anticipate many attacks and to defend against them one by one. Baek [6] gives a good example: Bleichenbacher's attack [17] on the RSA [69] encryption standard PKCS #1, which was implemented in the widely-used Secure Socket Layer (SSL) protocol. It seems the attacked PKCS #1 had been constructed through intuitive heuristics rather than a rigorous analysis. We call schemes justified only by such intuitive heuristic analysis attack-response secure. Consequently, Bleichenbacher's attack suggests that the heuristic approach to designing cryptographic schemes can be risky, and that the security of cryptographic schemes should be evaluated very carefully before they are deployed.

How do we know that a cryptographic scheme is secure? A sound approach to evaluating the security of cryptographic schemes or protocols already exists. This approach is called "provable security" and stems from Goldwasser and Micali's [35] pioneering work on public key encryption schemes that hide all partial information about the plaintext. According to Stinson [79], the provable security approach can be described as follows:

“This approach is to provide evidence of security by reducing the security of the cryptosystem to some well-studied problem that is thought to be difficult. For example, it may be able to prove a statement of the type ‘a given cryptosystem is secure if a given integer N cannot be factored.’ Cryptosystems of this type are sometimes called provably secure.”

A reductionist approach to evaluating the security of cryptographic schemes is popular. One shows with mathematical rigor that any attacker that can break the cryptographic scheme can be transformed into an efficient algorithm that solves an underlying well-studied problem, e.g., the integer factorization problem or the discrete logarithm problem, which is widely believed to be very hard. We call the assumed hardness of such problems the primitive cryptographic assumptions. Are those assumptions correct? No definitive answer can be given, at least until the famous P=NP question is resolved. Unfortunately, the current state of the art in the theory of computational complexity is such that one cannot hope to prove the truth of these computational hardness assumptions [33].

Turning this logic around: via the reduction, we have constructed an algorithm that solves the underlying well-studied problem. However, we believe that the problem is hard, so such an attacker cannot exist. We illustrate the concept in Figure 1.1.

Figure 1.1: Reduction approach

  input: n = p · q
    -> Algorithm A1: 1. · · · ; 2. Call Algorithm A2; 3. · · · ;
    -> output: p, q

Algorithm A1: an algorithm for solving the integer factorization problem. Algorithm A2: an algorithm for breaking the cryptographic scheme.

A security proof in this style, besides the name reduction to contradiction, is also called a reduction proof. When a scheme is analysed in this way, we say it is provably secure in the standard model [35, 79]. We use the following notation from the theory of computational complexity [56]. A ≤_p B: problem A is polynomial-time reducible to B if (1) given an instance I_A of A we can construct an instance I_B of B such that the solution B(I_B) can be converted into the solution A(I_A), and (2) both the construction of the instance and the conversion of the solutions can be done in polynomial time.

If A ≤_p B, then problem A is no harder to solve than B. If A ≤_p B and B ≤_p A, the two problems are equivalent, denoted A ≡_p B. Returning to cryptographic schemes, the statement in the notation of computational complexity theory is as follows.

[Theorem]

solving the primitive cryptographic assumption ≤_p breaking the cryptographic scheme

[Proof ]

If there is an algorithm A2 that can break the cryptographic scheme, then we can construct an algorithm A1 that breaks (solves) the primitive cryptographic assumption (hard problem).
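The following is an added example (not code from the thesis) that makes Figure 1.1 and the theorem above concrete for one well-known instance the text does not name: a Rabin-style scheme, where a ciphertext is m^2 mod n. The assumption here is that A2 is a decryption oracle that returns some square root of a ciphertext modulo n. A1 factors n = p·q by calling A2 as a black box, so an attacker against the scheme becomes a factoring algorithm. The primes are constructed toy values; A2 is simulated with knowledge of p and q, which A1 never sees.

```python
"""Toy reduction in the style of Figure 1.1: algorithm A1 factors n = p*q by
calling an algorithm A2 that breaks a Rabin-style scheme (recovers a square
root modulo n). Example code, not from the thesis."""
import math
import random
from typing import Callable, Optional, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_blum_prime(start: int) -> int:
    """Smallest prime >= start with p ≡ 3 (mod 4), so roots mod p are easy."""
    n = start
    while not (is_prime(n) and n % 4 == 3):
        n += 1
    return n


# Constructed toy parameters (real moduli use primes of 1024 bits or more).
P = next_blum_prime(10_000)
Q = next_blum_prime(P + 1)
N = P * Q


def rabin_encrypt(n: int, m: int) -> int:
    """The scheme: the ciphertext is m^2 mod n."""
    return pow(m, 2, n)


def make_breaker(p: int, q: int, rng: random.Random) -> Callable[[int], int]:
    """Simulated A2: a decryption oracle that knows p and q. It returns one of
    the four square roots of c modulo n, chosen at random; A1 has no control
    over which root comes back."""
    n = p * q

    def a2(c: int) -> int:
        rp = pow(c, (p + 1) // 4, p)      # a root mod p (valid since p ≡ 3 mod 4)
        rq = pow(c, (q + 1) // 4, q)      # a root mod q
        sp = rng.choice((rp, p - rp))     # random sign mod p
        sq = rng.choice((rq, q - rq))     # random sign mod q
        # Chinese remainder combination into a root modulo n
        return (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n

    return a2


def factor_with_oracle(n: int, a2: Callable[[int], int], rng: random.Random,
                       max_tries: int = 64) -> Optional[Tuple[int, int]]:
    """A1: factor n using only the breaker A2 as a black box. Each query
    succeeds with probability 1/2 (two of the four roots are ±x), so 64
    tries fail with probability about 2^-64."""
    for _ in range(max_tries):
        x = rng.randrange(2, n)
        g = math.gcd(x, n)
        if g != 1:                          # rare: x already shares a factor
            return tuple(sorted((g, n // g)))
        c = rabin_encrypt(n, x)             # "encrypt" a random plaintext
        y = a2(c)                           # ask the breaker for a square root
        if pow(y, 2, n) != c:
            continue                        # breaker failed on this instance
        if y not in (x, n - x):             # non-trivial root: x^2 ≡ y^2, x ≢ ±y
            g = math.gcd(x - y, n)          # (x-y)(x+y) ≡ 0 mod n splits n
            return tuple(sorted((g, n // g)))
    return None


if __name__ == "__main__":
    rng = random.Random(2024)
    print("n =", N, "factors:", factor_with_oracle(N, make_breaker(P, Q, rng), rng))
```

The reduction is tight: A1 makes one call to A2 per attempt and otherwise does only a gcd and a modular squaring, so the running time of A1 is essentially the running time of A2 times a small constant. This is the efficiency property of a reduction discussed later in the chapter.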

To design a cryptographic scheme and prove it secure in this way is no easy task, especially if one wants a practical cryptographic scheme. When the provable security approach began to be applied to the analysis of practical schemes, it was found that a major stumbling block to providing security proofs for these schemes was the modelling of one-way cryptographic hash functions. Such functions are used in many schemes, e.g. for collision-resistant compression (hashing) of information before the application of a digital signature, for producing authentication, for checking the validity of ciphertexts, and for other cryptographic values, without leaking information on the secret hashed value via the hash function output. To make this task more manageable, an ideal hash function [12] named the random oracle was proposed. It is a powerful and imaginary function, which is deterministic and efficient and has uniformly distributed output values. The result of this approach is a reduction proof in the above sense, but the proof is only valid in a parallel universe where random oracles exist. We say a scheme analysed in this way is provably secure in the random oracle model.

[Theorem]

solving the primitive cryptographic assumption ∧ random oracle ≤_p breaking the cryptographic scheme

[Proof ]

If there is an algorithm A2 that can break the cryptographic scheme in the random oracle model, then we can construct an algorithm A1 that breaks (solves) the primitive cryptographic assumption (hard problem).

The existence of a random oracle is not a hardness assumption like the integer factorization problem. In the real world, random oracles are replaced by hash functions (or pseudo-random functions) when schemes that are provably secure in the random oracle model are used. However, the random oracle model as a technique for security proofs is a useful test-bed and often gives better performance [7]; cryptographic schemes which do not perform well on the test-bed should be dumped.

The following are two important properties of a reduction to contradiction [55].

• The reduction should be efficient (polynomial-time). For example, suppose an algorithm A2 breaks the cryptographic scheme in 10^-6 seconds, and the reduction requires work on the order of the 2^3 = 8th power of the security parameter, which is 1024 bits, to construct an algorithm A1 that solves the hard problem. Then the time complexity of the reduction is at the level of 1024^8 = 2^80, and the running time of A1 for solving the hard problem is about 2^80 × 10^-6 seconds, i.e., 38 billion years.

• The assumptions which are required for a cryptographic scheme should be as weak as possible. Weaker assumptions are easier to satisfy using more practical and available cryptographic constructions, which provide a higher security confidence than those using stronger assumptions.

works taking this approach and it has become a paradigm of cryptographic research. As a consequence, and possibly affected by the negative results on the security of the past cryptographic standards, e.g., [1], [40], and [17], today's standards organizations such as ISO-IEC [73], P1363 [63], and NESSIE [29] strongly recommend that a precise security analysis based on the provable security approach should be included in a proposal of new cryptographic schemes or protocols.
