This preview shows pages 1–3. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: CS 6903 Modern Cryptography February 2, 2011 Lecture 1: Introduction Instructor: Nitesh Saxena Scribe: Agilan R, Praveen R, Raghavan M 1 “Provable Security” Methodology Let us assume that we have a Cryptographic Primitive P (e.g., an Encryption scheme such as RSA) which is based on some Assumption A (e.g., in case of RSA the assumption is the factoring of huge numbers is NP problem). We would like to prove that if A holds then the Primitive P will be secure (based on some security notion). We say that P is secure if ∀ Adversary A ( T , p ) that tries to break the primitive P, where Here: • p : the probability of succuess of breaking the primitve • T : Execution time of the algorithm. then either Time T is exponential (e.g., T ≥ 2 80 .C ) or the probability of success of the Algorithm p is negligible (e.g., p ≤ 1 2 80 ). If Theorem: X: ”P is Secure” Y: ”A Holds”. The aim is to prove that if Y is true then X is true i.e. Y implies X ( Y ⇒ X ). [The concept of “Provable Security” can also be illustrated using the following example: Say we have a Cryptographic appliction(e.g SSL) which is based on a cryptographic primitive( in case of SSL- RSA Encryption). To prove that the application is secure we have to prove that the the primitive is secure.] This means that a primitive is secure if for all the adversary algorithms which attempt to break the security of the primitve either take exponential time or the probabibilty of its sucess is negligible. Proof Technique: Instead of proving, Y ⇒ X (1) 1-1 we will be proving its contrapositive, i.e, ¬ X ⇒ ¬ Y (2) ¬ X: ”P is not secure” ¬ Y: ”A does not hold” This means that in order to prove Y ⇒ X, we can prove in the following way it’s con- trapositive. If ∃ an adversary A (T,p) which can break primitive P, we must prove that ∃ another adversary B ( T ,p ) which invalidates the Assumtion A. If we can construct B by making use of A , we are done. However, we must make sure that B is an efficient algorithm and its probability of success is comparable to that of A . We know that A has probability of success p and it takes time T for execution. Also let us say that the B (called the “Reduction algorithm”) is such that it succeeds with a probability p and Execution time T . Then, we can relate p to p in some way, and T will be related to T in some way, because B runs A as a subroutine. Let’s say that that B succeeds with probability, p = p η (3) and time complexity for the Algorithm, T = T + Δ (4) where Δ and η are positive numbers. We want to minimize the value of Δ and also reduce η as much as possible. ( T ,p ) → β ( A )): With typical security parameters, execution time and probability are related to the Reduction of the Adversary Algorithm as follows: T ≥ 2 80 × C ⇒ T ≥ 2 80 × C- Δ (5) p ≤ 1 2 80 ⇒ p ≤ η 2 80 . (6) In case η = 2 30 then p = 1 2 50 . To compensate for the high η value we need to increase the key size has to be increased to110 in order to get the equivalent security of 2...
View Full Document
This note was uploaded on 03/05/2011 for the course COMPUTER S 6903 taught by Professor Nitesh during the Spring '11 term at NYU Poly.
- Spring '11