Kentucky Presentation, November 2006
Cryptography: from an art to a science
Ganesh Sundaram
Reality check
- Dramatic growth in the use of cryptographic protocols and algorithms: Internet transactions, wireless, storage, etc.
- Everyone has their favorite protocol and algorithm: security by secrecy! Little or no analysis phase.
- Common complaints include: DES is “too slow”; “I don’t need anything strong”; DES does not fit the requirements of “my application”; public key methods are “computationally intensive”.
- Little or no analysis leads to a conundrum: even “alleged” algorithms have been compromised, followed by a public relations disaster and a costly replacement/recall.
Tacit realization
- Cryptography is more than just encryption; security is more than just privacy.
- Speed and low complexity are very important, from a cost and user experience perspective.
- But we cannot keep “re-inventing” algorithms: just using “confusion and diffusion” principles doesn’t work.
- We need thorough analysis, but don’t have time for thorough analysis (the “needed it yesterday” phenomenon!).
- Public key cryptography is “good” but cannot be used all the time: arguably scalable and “well analyzed”, but there is some truth to the “computationally inefficient” complaint.
More than just encryption and privacy
- Entity and message authentication: has the user paid his bill? Has someone tampered with data?
- Key exchange, generation, management, …: we need keys for everything.
- Pseudorandom generators: one-time-pad style encryption, challenge-response protocols.
- Pseudorandom functions and permutations: session key generation, block ciphers.
- Etc.
Problem
Can we create cryptographic primitives rapidly, to suit different applications, and yet eliminate the long analysis phase?
Don’t invent new stuff
- Old is good? Well analyzed algorithms that withstand the test of time.
- But we need so many things and have so little time.
- Enter proof theoretic cryptography: an affirmative answer to the problem stated earlier.
- Create new cryptographic primitives to suit applications based on “old primitives”.
- Eliminate the analysis phase: provide a “proof” of security!
…ft view: proof theoretic approach
- Start: choose a “hard problem”.
- Create: develop a procedure “based on” the hard problem to suit the requirements of the application.
- Given: the requirements.
- Prove: provide a proof of security; this often translates to showing that if there is a break in the procedure developed, then there is a solution to the hard problem.
Example
- Start: the discrete logarithm problem.
- Create: we will discuss this in some detail today.
- Given: design a pseudorandom generator.
- Prove: we will sketch a proof! Prove that if there is an “efficient” algorithm to predict the next bit, then there is an “efficient” algorithm to solve the discrete log problem!
Before that… what is a pseudorandom generator?
- Naive definition: a sequence of numbers that are unpredictable.
- What is unpredictable? Given the first n bits, one cannot predict the (n+1)-st bit with probability greater than 0.5.
  - “Cannot predict” means cannot predict “efficiently”.
- Describing “efficiently” requires a framework; the framework is due to Yao as well as Blum-Micali (early 80’s).
  - Notion of “computational entropy”, different from information theoretic entropy.
- Subsequent work by Levin, Goldreich, etc.
Finite fields and the discrete log problem
- Let p be a prime number.
- Let (Z/(p))* represent the set {1, 2, …, p-1}, i.e., the set of nonzero integers modulo p. It forms a cyclic group under multiplication modulo p.
- Let g be a generator of this cyclic group. Every element y in the set can be represented as g^x, i.e., y = g^x for some x between 1 and p-1.
- Discrete log problem: given y and g, find x.
- We will use this problem to create a pseudorandom generator.
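The talk's own construction and proof were given on the whiteboard, so as an added example (not the speaker's code) here is the classic Blum-Micali generator built on the discrete log problem in (Z/(p))*; assuming this is the construction meant, it iterates x ← g^x mod p and outputs the "is the discrete log small" bit, exactly the bit a next-bit predictor would have to guess. The prime 1019 is a constructed toy parameter, far too small for any real use.

```python
# Added example: Blum-Micali pseudorandom generator over (Z/(p))*.
# Assumption: this is the DL-based construction the talk sketches on the
# whiteboard. Toy parameters only; real instances need a large prime p.

def is_generator(g: int, p: int) -> bool:
    """g generates (Z/(p))* iff g^((p-1)/q) != 1 mod p for every prime q
    dividing p-1.  Trial division is fine for the toy sizes used here."""
    n, q, factors = p - 1, 2, set()
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)

def blum_micali(p: int, g: int, seed: int, nbits: int) -> list:
    """Iterate x_{i+1} = g^{x_i} mod p and emit b_i = 1 iff x_{i+1} < (p-1)/2.
    Each x_{i+1} is public-looking group data; its discrete log is the
    previous state, so predicting b_i efficiently would mean deciding the
    'upper or lower half' of a discrete log efficiently, which is the
    hard-core bit that the security proof reduces to the DL problem."""
    if not (1 <= seed <= p - 1):
        raise ValueError("seed must lie in {1, ..., p-1}")
    if not is_generator(g, p):
        raise ValueError("g must generate (Z/(p))*")
    bits, x = [], seed
    for _ in range(nbits):
        x = pow(g, x, p)                 # next state: y = g^x mod p
        bits.append(1 if x < (p - 1) // 2 else 0)
    return bits

if __name__ == "__main__":
    # Constructed toy instance: p = 1019 is prime, p-1 = 2 * 509, and 2 is
    # a quadratic non-residue mod 1019, hence a generator.
    print(blum_micali(1019, 2, seed=7, nbits=32))
```

The generator is only as good as the hardness of the discrete log in the chosen group; with a 10-bit prime the "hard" problem is a table lookup, which is the point of the reduction rather than a flaw in it.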
Rest of this talk
- Construction and sketch of proof.
- History and references.
- Kindly allow me to use the whiteboard!
- Time permitting:
  - Another example: converting pseudorandom functions to pseudorandom permutations.
  - Extension: variable length block ciphers.
PRF to PRP: Luby-Rackoff ciphers
[Figure: three-round Feistel network on the halves x[1…n] and x[n+1…2n], with round functions f1, f2, f3 and intermediate values R, S, T.]
- Original work by Luby and Rackoff; a seminal paper that led to a lot of research.
- Some references:
  - Patarin: multiple rounds.
  - Naor-Reingold: use hash functions.
  - Patel-Ramzan-Sundaram: characteristic p versions (p > 2).
The VIL-FIL problem statement
- Existing cryptographic primitives operate on fixed input lengths (FIL); e.g., DES operates on 64-bit blocks.
- In practice one needs to operate on inputs of all sizes; e.g., network packet sizes vary…
- Therefore, it would be nice if primitives worked on variable input lengths (VIL).
- But it’s undesirable to design primitives “from scratch”: “crypto operations” should be done only by the FIL primitive, and the security of the VIL primitive should provably follow from the security of the FIL primitive.
- Q: Can we use a FIL primitive as the building block for a VIL primitive?
FIL to VIL SPRP scheme
[Figure: unbalanced Feistel network on x[1…n] and x[n+1…b], preceded by h1 and followed by h2^-1, with round functions f1, f2 and intermediate values S, T, producing y[1…n] and y[n+1…b].]
- Essentially, we did the Naor-Reingold construction, but with an unbalanced Feistel and with round functions that are VIL PRFs (which can be constructed using a FIL PRP).
- h1, h2 are chosen from a pairwise independent permutation family; i.e., for all x ≠ y, a ≠ b: Pr_h[h(x) = a, h(y) = b] ≤ [bound missing from slide]
- f1, f2 are PRFs; it’s easy to create variable input and output length PRFs from a fixed input length one.
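As an added example (not the speaker's or the cited papers' code) serving both the Luby-Rackoff slide and this one, the block below implements a generic Feistel network from a variable-length PRF: with an even split and three rounds it is the Luby-Rackoff PRF-to-PRP construction, with an uneven split it is the unbalanced Feistel core of the VIL scheme. HMAC-SHA256 in counter mode stands in for the FIL-to-VIL PRF (an assumption; the slide only says such a PRF is easy to build), and the outer pairwise independent permutations h1, h2^-1 are not included.

```python
# Added example: Feistel networks built from a variable-length PRF.
# Assumption: HMAC-SHA256 is the fixed-length PRF; counter mode over it
# gives the variable input/output length PRF the slide refers to.
import hmac
import hashlib

def vil_prf(key: bytes, x: bytes, out_len: int) -> bytes:
    """Variable input and output length PRF from fixed-length HMAC-SHA256:
    HMAC already accepts any input length; chaining a counter gives any
    output length."""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hmac.new(key, ctr.to_bytes(4, "big") + x, hashlib.sha256).digest()
        ctr += 1
    return out[:out_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def feistel(keys, block: bytes, split: int, decrypt: bool = False) -> bytes:
    """(Un)balanced Feistel network with one round key per entry of `keys`.
    `split` is the length of the plaintext's left part x[1..n]; the right
    part x[n+1..b] may be longer or shorter.  Round: (L, R) -> (R, L xor
    f(R)), where f outputs len(L) bytes, so part lengths swap each round.
    Three rounds with split == len(block)//2 is Luby-Rackoff; an uneven
    split is the unbalanced core of the FIL-to-VIL scheme.  The result is
    always a permutation of the input length, whatever the PRF is."""
    n = len(block)
    if not decrypt:
        L, R = block[:split], block[split:]
        for k in keys:
            L, R = R, xor(L, vil_prf(k, R, len(L)))
    else:
        # After an odd number of rounds the ciphertext's left part has the
        # length of the original right part; parse it accordingly.
        ct_split = split if len(keys) % 2 == 0 else n - split
        L, R = block[:ct_split], block[ct_split:]
        for k in reversed(keys):              # undo rounds in reverse order
            L, R = xor(R, vil_prf(k, L, len(R))), L
    return L + R

if __name__ == "__main__":
    keys = [b"round-key-1", b"round-key-2", b"round-key-3"]   # constructed
    pt = b"variable length message"                            # 23 bytes
    ct = feistel(keys[:2], pt, split=5)                        # unbalanced
    print(ct.hex(), feistel(keys[:2], ct, split=5, decrypt=True) == pt)
```

Three rounds give a PRP and four an SPRP in the Luby-Rackoff analysis; the two-round unbalanced core above relies on the h1, h2 layers of the slide for its SPRP claim, which is why it should not be used on its own.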
Thank You! Questions?