Provable Security - Introduction

David Pointcheval, LIENS-CNRS, École normale supérieure

UCL - Louvain-la-Neuve, Monday, July 8th, 2002

Summary

  • Introduction
  • Asymmetric Cryptography
  • Computational Assumptions
  • Security Proofs
  • Encryption and Signature
  • New Assumptions
  • New Formalism

Cryptography: 3 Goals

  • Integrity: messages have not been altered
  • Authenticity: message - sender relation
  • Secrecy: message unknown to anybody else

Integrity

To be sure that a message has not been modified (accidentally, but also intentionally!)

Authentication (1)

Interactively prove one's identity

Authentication (2)

  • Non-interactively prove one's identity as the sender of a message
  • If this proof can even convince a third party: signature

Secrecy

  • Store a document
  • Send a message

so that nobody else can learn any information about it

Cryptography: 3 Periods

  • Ancient period: until 1918
  • Technical period: from 1919 until 1975
  • Paradoxical period: from 1976 until …

Ancient Period

Substitutions and permutations. Security = secrecy of the mechanisms.

(Figures: Alberti's cipher disk, Jefferson's wheel cipher)

Technical Period

Cipher machines: automatism of permutations and substitutions (Enigma) ⇒ better security! But still no proof.

Paradoxical Period

  • Symmetric Cryptography
  • Asymmetric Cryptography

One-way functions ⇒ security proofs

Kerckhoffs' Principles

In 1883, in "La Cryptographie Militaire", Kerckhoffs wrote:

  • the system should be, if not theoretically unbreakable, unbreakable in practice
  • compromise of the system should not inconvenience the correspondents
  • the key should be rememberable without notes and should be easily changeable
  • etc.

Symmetric Encryption

Encryption algorithm $\mathcal{E}$ and decryption algorithm $\mathcal{D}$, both using the same secret key $k$: $c = \mathcal{E}_k(m)$, $m = \mathcal{D}_k(c)$.

Security = secrecy: impossible to recover $m$ from $c$ only (without $k$).

Security: heuristic.

Asymmetric Cryptography

Two Keys…

Asymmetric Cryptography: Diffie-Hellman 1976

Asymmetric Encryption: Bob owns two "keys"

  – A public key (encryption key $k_e$), so that anybody can encrypt a message for him ⇒ known by everybody (including Alice)
  – A private key (decryption key $k_d$), to help him decrypt ⇒ known by Bob only

(Figure: Alice and Bob; secrecy, authenticity)

Encryption / decryption

Granted Bob's public key, Alice can lock the safe with the message inside (encrypt the message). Alice sends the safe to Bob. No one can unlock it (impossible to break), except Bob, granted his private key (Bob can decrypt).

Encryption Scheme

3 algorithms:

  • key generation $\mathcal{G}$: from random coins $\omega$, outputs the key pair $(k_e, k_d)$
  • encryption $\mathcal{E}$: from $k_e$, the message $m$ and random coins $r$, outputs the ciphertext $c = \mathcal{E}_{k_e}(m; r)$
  • decryption $\mathcal{D}$: from $k_d$ and $c$, recovers $m = \mathcal{D}_{k_d}(c)$

Conditional Secrecy

The ciphertext comes from $c = \mathcal{E}_{k_e}(m; r)$

  • The encryption key $k_e$ is public
  • A unique $m$ satisfies the relation (with possibly several $r$)

Algorithmic assumptions: at least exhaustive search on $m$ and $r$ can lead to $m$, maybe a better attack! ⇒ unconditional secrecy impossible

Computational Assumptions

Integer Factoring and RSA

  • Multiplication / Factorization:
    – $p, q \to n = p \cdot q$: easy (quadratic)
    – $n = p \cdot q \to p, q$: difficult (super-polynomial)
  • RSA Function (Rivest-Shamir-Adleman 1978), from $\mathbb{Z}_n$ into $\mathbb{Z}_n$ (with $n = pq$), for a fixed exponent $e$:
    – $x \to x^e \bmod n$: easy (cubic)
    – $y = x^e \bmod n \to x$: difficult (without $p$ or $q$)

One-way function with a trapdoor: the key $(p, q)$ gives $x = y^d \bmod n$ where $d = e^{-1} \bmod \varphi(n)$

The RSA Problems

  • Let $n = pq$ where $p$ and $q$ are large primes
  • The RSA problem: for a fixed exponent $e$,
$$\mathrm{Succ}^{\mathrm{rsa}}(\mathcal{A}) = \Pr_{y \in \mathbb{Z}_n^*}\big[\, x = \mathcal{A}(y) \;:\; y = x^e \bmod n \,\big]$$
  • The Flexible RSA problem: the adversary also chooses the exponent,
$$\mathrm{Succ}^{\mathrm{fl\text{-}rsa}}(\mathcal{A}) = \Pr_{y \in \mathbb{Z}_n^*}\big[\, (e, x) = \mathcal{A}(y) \;:\; y = x^e \bmod n \,\big]$$
    with the restriction for $e$ to be prime
The Discrete Logarithm

  • Let $\mathbb{G} = (\langle g \rangle, \times)$ be any finite cyclic group, of order $q$
  • For any $y \in \mathbb{G}$, one defines $\mathrm{Log}_g(y) = \min\{x \ge 0 \mid y = g^x\}$
  • One-way function:
    – $x \to y = g^x$: easy (cubic)
    – $y = g^x \to x$: difficult (super-polynomial)
$$\mathrm{Succ}^{\mathrm{dl}}(\mathcal{A}) = \Pr_{x \in \mathbb{Z}_q}\big[\, x = \mathcal{A}(y) \;:\; y = g^x \,\big]$$

Any Trapdoor…?

  • The Discrete Logarithm is difficult and no information could help!
  • The Diffie-Hellman Problem (1976): given $A = g^a$ and $B = g^b$, compute $\mathrm{DH}(A, B) = C = g^{ab}$

Clearly CDH ≤ DL: with $a = \mathrm{Log}_g A$, $C = B^a$
$$\mathrm{Succ}^{\mathrm{cdh}}(\mathcal{A}) = \Pr_{a, b \in \mathbb{Z}_q}\big[\, C = \mathcal{A}(A, B) \;:\; A = g^a,\ B = g^b,\ C = g^{ab} \,\big]$$

Another DL-based Problem

The Decisional Diffie-Hellman Problem:

  • Given $A$, $B$ and $C$ in $\langle g \rangle$
  • Decide whether $C = \mathrm{DH}(A, B)$

Clearly DDH ≤ CDH ≤ DL
$$\mathrm{Adv}^{\mathrm{ddh}}(\mathcal{A}) = \Pr_{a, b \in \mathbb{Z}_q}\big[\, \mathcal{A}(A, B, C) = 1 \;:\; A = g^a,\ B = g^b,\ C = g^{ab} \,\big] - \Pr_{a, b, c \in \mathbb{Z}_q}\big[\, \mathcal{A}(A, B, C) = 1 \;:\; A = g^a,\ B = g^b,\ C = g^{c} \,\big]$$

Complexity Estimates

Estimates for integer factoring (Lenstra-Verheul 2000); can be used for RSA too, and as lower-bounds for DL in $\mathbb{Z}_p^*$:

  Modulus (bits)   Operations (log2)   Mips-Year (log2)
  512              58                  13                 Record Aug 1999
  1024             80                  35
  2048             111                 66
  4096             149                 104
  8192             201                 156

Mile-stone
Security Proofs

Algorithmic Assumptions: necessary

  • $n = pq$: public modulus, $e$: public exponent
  • $d = e^{-1} \bmod \varphi(n)$: private

RSA Encryption: $\mathcal{E}(m) = m^e \bmod n$, $\mathcal{D}(c) = c^d \bmod n$

If the RSA problem is easy, secrecy is not satisfied: anybody may recover $m$ from $c$

Algorithmic Assumptions: sufficient?

Security proofs give the guarantee that the assumption is enough for secrecy:

  • if an adversary can break the secrecy
  • one can break the assumption

⇒ "reductionist" proof

Proof by Reduction

Reduction of a problem $\mathcal{P}$ to an attack Atk:

  • Let $\mathcal{A}$ be an adversary that breaks the scheme
  • then $\mathcal{A}$ can be used to solve $\mathcal{P}$ (figure: an instance of $\mathcal{P}$ is fed to $\mathcal{A}$ through the scheme, and the attack yields a solution)

$\mathcal{P}$ intractable ⇒ scheme unbreakable

Provably Secure Scheme

To prove the security of a cryptographic scheme, one has to make precise

  • the algorithmic assumptions
  • the security notions to be guaranteed
  • a reduction: an adversary can help to break the assumption

Practical Security

An adversary within time $t$ gives an algorithm against $\mathcal{P}$ within time $t' = T(t)$:

  • Complexity theory: $T$ polynomial
  • Exact Security: $T$ explicit
  • Practical Security: $T$ small (linear)

E.g.: $t' = 4t$; $\mathcal{P}$ intractable within less than $2^{80}$ operations ⇒ scheme unbreakable within less than $2^{78}$ operations

Security Notions

According to the needs, one defines

  • the goals of an adversary
  • the means of an adversary, i.e. the available information

Encryption and Signature

Asymmetric Encryption

  • Formal Security Model
  • Examples
  • Provable Security
Asymmetric Encryption

Encryption algorithm $\mathcal{E}$ with the public key $k_e$, decryption algorithm $\mathcal{D}$ with the private key $k_d$: $c = \mathcal{E}_{k_e}(m)$, $m = \mathcal{D}_{k_d}(c)$

Security = secrecy: impossible to recover $m$ from public information (i.e. from $c$, but without $k_d$)

Basic Secrecy

  • One-Wayness (OW): without the private key, it is computationally impossible to recover the plaintext
$$\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A}) = \Pr_{m, r}\big[\, \mathcal{A}(k_e, c) = m \;:\; c = \mathcal{E}_{k_e}(m; r) \,\big]$$

Not enough if one already has some information about $m$:

  • "Subject: XXXXX"
  • "My answer is XXX" (XXX = Yes/No)
Strong Secrecy

  • Semantic Security (IND – Indistinguishability), GM 1984: the ciphertext reveals no more information about the plaintext to a polynomial adversary
$$\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A}) = 2 \Pr_{b, r}\big[\, \mathcal{A}_2(m_0, m_1, s, c) = b \;:\; (m_0, m_1, s) \leftarrow \mathcal{A}_1(k_e),\ c = \mathcal{E}_{k_e}(m_b; r) \,\big] - 1$$

Non-Malleability

  • Non-Malleability (NM), DDN 1991: no polynomial adversary can derive, from a ciphertext $c = \mathcal{E}(m; r)$, a second one $c' = \mathcal{E}(m'; r')$ so that the plaintexts $m$ and $m'$ are meaningfully related

non-malleability ⇒ semantic security ⇒ one-wayness
Basic Attacks

  • Chosen-Plaintext Attacks (CPA): in the public-key cryptography setting, the adversary can encrypt any message of his choice, granted the public key ⇒ the basic attack

Improved Attacks

  • More information: oracle access
    – reaction attacks: oracle which answers, on $c$, whether the ciphertext $c$ is valid or not
    – plaintext-checking attacks: oracle which answers, on a pair $(m, c)$, whether the plaintext $m$ is really encrypted in $c$ or not (whether $m = \mathcal{D}(c)$)

Strong Attacks

  • Chosen-Ciphertext Attacks (CCA): the adversary has access to the strongest oracle, the decryption oracle (with the natural restriction not to use it on the challenge ciphertext). The adversary can obtain the plaintext of any ciphertext of his choice (except the challenge)
    – non-adaptive (CCA1), NY 1990: only before receiving the challenge
    – adaptive (CCA2), RS 1991: unlimited oracle access

Relations

Implications and separations (BDPR, Crypto '98):

  NM-CPA  ⇐  NM-CCA1  ⇐  NM-CCA2
    ⇓          ⇓           ⇓
  IND-CPA ⇐  IND-CCA1 ⇐  IND-CCA2
    ⇓
  OW-CPA

weak security: OW-CPA; minimal security: IND-CPA; strong security: CCA

Asymmetric Encryption: Examples

RSA Encryption

  • $n = pq$, product of large primes
  • $e$, relatively prime to $\varphi(n) = (p-1)(q-1)$
  • $n, e$: public key
  • $d = e^{-1} \bmod \varphi(n)$: private key

$\mathcal{E}(m) = m^e \bmod n$, $\mathcal{D}(c) = c^d \bmod n$

OW-CPA = RSA problem. Nothing to prove: it is the definition.
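The textbook RSA of this slide, as an added example (not code from the lecture): it shows why OW-CPA, which here is exactly the RSA problem, says nothing about semantic security. Encryption is deterministic, so the "My answer is Yes/No" adversary of the Basic Secrecy slide wins the IND-CPA game with certainty without solving any RSA instance, and multiplying a ciphertext by $r^e$ shows that non-malleability fails too. The key (two Mersenne primes) and the two messages are constructed for the example and are far too small for real use.

```python
"""Textbook RSA as on the slide: E(m) = m^e mod n, D(c) = c^d mod n.
Added example, not part of the lecture; toy key and messages are constructed here."""
import random

# Constructed toy key: two Mersenne primes (2^89-1 and 2^107-1), far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # d = e^{-1} mod phi(n), needs gcd(e, phi(n)) = 1


def encrypt(m):
    """E(m) = m^e mod n: a public operation with no randomness at all."""
    assert 0 <= m < N
    return pow(m, E, N)


def decrypt(c):
    """D(c) = c^d mod n."""
    return pow(c, D, N)


def to_int(text):
    return int.from_bytes(text.encode(), "big")


def ind_cpa_game(find_messages, guess):
    """IND-CPA experiment of the Strong Secrecy slide: returns 1 iff b' = b."""
    m0, m1 = find_messages()
    b = random.randrange(2)
    c = encrypt((m0, m1)[b])                 # challenge ciphertext of m_b
    return int(guess(c, m0, m1) == b)


def yes_no_adversary():
    """A_1 names the two plaintexts it already suspects; A_2 re-encrypts m0 with the
    public key and compares. No private key, no RSA instance solved, still a sure win."""
    def find_messages():
        return to_int("My answer is Yes"), to_int("My answer is No")

    def guess(c, m0, m1):
        return 0 if encrypt(m0) == c else 1
    return find_messages, guess


def ind_advantage(trials=200):
    """Adv^ind = 2 Pr[b' = b] - 1, estimated over independent runs of the game."""
    wins = sum(ind_cpa_game(*yes_no_adversary()) for _ in range(trials))
    return 2 * wins / trials - 1


def malleate(c, r):
    """Without knowing m, turn E(m) into E(m * r mod n): c * r^e = (m r)^e mod n."""
    return (c * pow(r, E, N)) % N


if __name__ == "__main__":
    m = to_int("My answer is Yes")
    print("decrypt(encrypt(m)) == m:", decrypt(encrypt(m)) == m)
    print("IND-CPA advantage of the Yes/No adversary:", ind_advantage())
    print("malleated ciphertext decrypts to 3m:", decrypt(malleate(encrypt(m), 3)) == (3 * m) % N)
```

The advantage estimate comes out at 1.0 on every run: the RSA assumption is intact, only the security notion is too weak. The slides' fix is randomized encryption (the $r$ in $\mathcal{E}_{k_e}(m; r)$), which El Gamal below has and textbook RSA does not.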

El Gamal Encryption

  • $\mathbb{G} = (\langle g \rangle, \times)$, group of order $q$
  • $x$: private key
  • $y = g^x$: public key

$\mathcal{E}(m; a) = (c, d) = (g^a,\ y^a \cdot m)$, $\mathcal{D}(c, d) = d / c^x$

OW-CPA = CDH assumption, IND-CPA = DDH assumption. To be proven, to see the restrictions.

Asymmetric Encryption: Provable Security
El Gamal: OW-CPA
$$\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A}) = \Pr_{m, a}\big[\, \mathcal{A}(y, (c, d)) = m \;:\; (c, d) = \mathcal{E}(m; a) \,\big]$$

$\mathcal{B}$ is given as input $\mathbb{G} = (\langle g \rangle, \times)$ and $(A, B)$:

  • $y \leftarrow A$ and $c \leftarrow B$
  • choose a random value $d$: $\mathcal{A}(y, (c, d)) \to m$
  • output $d / m$

If $m$ is correct, $\mathrm{DH}(A, B) = d / m$: the only plaintext consistent with $(y, (c, d))$ is $m = d / B^{\mathrm{Log}_g y} = d / g^{ab}$. Hence $\mathrm{Succ}^{\mathrm{cdh}}(\mathcal{B}) = \mathrm{Succ}^{\mathrm{ow}}(\mathcal{A})$.

El Gamal: IND-CPA
$$\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A}) = 2 \Pr_{b, a}\big[\, \mathcal{A}_2(m_0, m_1, s, (c, d)) = b \;:\; (m_0, m_1, s) \leftarrow \mathcal{A}_1(y),\ (c, d) = \mathcal{E}(m_b; a) \,\big] - 1$$

$\mathcal{B}$ is given as input $\mathbb{G} = (\langle g \rangle, \times)$ and $(A, B, C)$:

  • $y \leftarrow A$ and $c \leftarrow B$: $\mathcal{A}_1(y) \to (m_0, m_1)$
  • $b \in \{0, 1\}$ and $d \leftarrow C \cdot m_b$: $\mathcal{A}_2(c, d) \to b'$
  • output $\beta = (b = b')$

Let us assume that $m_0, m_1 \in \mathbb{G}$:

  – If $C = \mathrm{DH}(A, B)$, $\Pr[b = b'] = \Pr[\mathcal{A}_2(c, d) = b]$
  – If $C \ne \mathrm{DH}(A, B)$, $\Pr[b = b'] = 1/2$
El Gamal: IND-CPA (Cnt'd)

If the messages are encoded into $\mathbb{G}$:

  – If $C = \mathrm{DH}(A, B)$, $\Pr[b = b'] = \Pr[\mathcal{A}_2(c, d) = b]$
  – If $C \ne \mathrm{DH}(A, B)$, $\Pr[b = b'] = 1/2$

$$\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A}) = 2\Pr[b' = b] - 1 = \Pr[b' = b] - \Pr[b' \ne b] = \Pr[b' = 1 \mid b = 1] - \Pr[b' = 1 \mid b = 0]$$

$$\mathrm{Adv}^{\mathrm{ddh}}(\mathcal{B}) = \Pr[\beta = 1 \mid C = \mathrm{DH}(A, B)] - \Pr[\beta = 1 \mid C \ne \mathrm{DH}(A, B)] = \Pr[b' = b \mid C = \mathrm{DH}(A, B)] - \tfrac{1}{2} = \tfrac{1}{2}\,\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A})$$

Thus $\mathrm{Adv}^{\mathrm{ind}}(t) \le 2\,\mathrm{Adv}^{\mathrm{ddh}}(t')$
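The two reductions of the El Gamal slides (OW-CPA to CDH, IND-CPA to DDH), as an added example that is not code from the lecture. The parameters are a constructed toy: $p = 2q + 1$ is a 10-bit safe prime and $\mathbb{G} = \mathrm{QR}(p) = \langle 4 \rangle$ has prime order $q$, small enough that brute-force discrete logs can stand in for the black-box adversaries $\mathcal{A}$ and the reductions can be checked end to end. The last adversary shows what the restriction "$m_0, m_1 \in \mathbb{G}$" protects against: with unencoded plaintexts the Legendre symbol of $d$ leaks $b$, so $\mathrm{Adv}^{\mathrm{ind}} = 1$ while the distinguisher $\mathcal{B}$ built from it has $\mathrm{Adv}^{\mathrm{ddh}} = 0$ and the proof gives nothing.

```python
"""El Gamal in the order-q subgroup G = <g> of Z_p^*, with the reductions of the slides
"El Gamal: OW-CPA" (OW adversary -> CDH solver) and "El Gamal: IND-CPA" (IND adversary
-> DDH distinguisher). Added example, not code from the lecture; constructed toy parameters."""
import random

P, Q, G = 1019, 509, 4          # p = 2q + 1 safe prime, G = QR(p) = <4> has prime order q
assert pow(G, Q, P) == 1 and G != 1


def rand_elem():                # uniform element of G
    return pow(G, random.randrange(Q), P)


def keygen():                   # private x, public y = g^x
    x = random.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y, m):              # E(m; a) = (c, d) = (g^a, y^a * m) with a fresh random a
    a = random.randrange(1, Q)
    return pow(G, a, P), (pow(y, a, P) * m) % P


def decrypt(x, c, d):           # D(c, d) = d / c^x
    return (d * pow(pow(c, x, P), -1, P)) % P


def encode(m):                  # 1..q -> G: squaring is a bijection {1..q} -> QR(p) for this p
    assert 1 <= m <= Q
    return pow(m, 2, P)


def dlog(y):                    # brute force, affordable only because q is tiny
    return next(x for x in range(Q) if pow(G, x, P) == y)


# --- OW-CPA: B(A, B) uses an OW adversary A(y, (c, d)) -> m as a black box ---
def ow_adversary(y, c, d):      # stand-in for A: solves the DL of y, then decrypts
    return decrypt(dlog(y), c, d)


def cdh_from_ow(A, B, adversary):
    """y <- A, c <- B, d random in G, m <- A(y, (c, d)), output d/m.
    The only m consistent with (y, c, d) is d / B^{log_g y} = d / g^{ab}, so d/m = g^{ab}."""
    d = rand_elem()
    m = adversary(A, B, d)
    return (d * pow(m, -1, P)) % P


# --- IND-CPA: B(A, B, C) uses an IND adversary (A1, A2) as a black box ---
def ddh_from_ind(A, B, C, a1, a2):
    """y <- A, c <- B, (m0, m1) <- A1(y), b random, d <- C * m_b, output [A2(c, d) = b].
    C = g^{ab}: (c, d) is a real encryption of m_b.  C random in G and m_b in G: d is
    uniform in G whatever b is, so A2 can only guess and Pr[b' = b] = 1/2."""
    m0, m1 = a1(A)
    b = random.randrange(2)
    d = (C * (m0, m1)[b]) % P
    return int(a2(A, B, d, m0, m1) == b)


def dl_ind_adversary():         # ideal IND adversary on encoded messages: brute-forces the key
    def a1(y):
        return encode(1), encode(2)

    def a2(y, c, d, m0, m1):
        return 0 if decrypt(dlog(y), c, d) == m0 else 1
    return a1, a2


def legendre_adversary():
    """IND adversary against UNENCODED plaintexts: y^a is a square, so d = y^a * m has the
    Legendre symbol of m. m0 = 4 is a square, m1 = -1 is not (p = 3 mod 4); Euler's
    criterion d^q mod p recovers b with no key at all, whether C is g^{ab} or random."""
    def a1(y):
        return 4, P - 1

    def a2(y, c, d, m0, m1):
        return 0 if pow(d, Q, P) == 1 else 1
    return a1, a2


def ddh_success_rate(real_C, a1, a2, trials=400):
    """Fraction of runs in which B outputs 1, for C = g^{ab} (real_C) or C random in G.
    Adv^ddh(B) is the difference of the two rates: about 1/2 for dl_ind_adversary,
    exactly 0 for legendre_adversary although that adversary has Adv^ind = 1."""
    hits = 0
    for _ in range(trials):
        a, b = random.randrange(1, Q), random.randrange(1, Q)
        A, B = pow(G, a, P), pow(G, b, P)
        C = pow(G, a * b, P) if real_C else rand_elem()
        hits += ddh_from_ind(A, B, C, a1, a2)
    return hits / trials
```

For `dl_ind_adversary` the two rates are 1 and about 1/2, i.e. $\mathrm{Adv}^{\mathrm{ddh}}(\mathcal{B}) \approx \tfrac12 \mathrm{Adv}^{\mathrm{ind}}(\mathcal{A})$ as on the slide. For `legendre_adversary` both rates are 1: the step "if $C \ne \mathrm{DH}(A, B)$ then $\Pr[b = b'] = 1/2$" silently used $m_b \in \mathbb{G}$, and in $\mathbb{Z}_p^*$ the coset of $d$ modulo $\mathbb{G}$ is a perfectly good distinguisher that DDH in $\mathbb{G}$ does not forbid.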

Signature Schemes

  • Formal Security Model
  • Examples

Authentication

Signature algorithm $\mathcal{S}$ with the private key $k_s$, verification algorithm $\mathcal{V}$ with the public key $k_v$: $\sigma = \mathcal{S}_{k_s}(m)$, $\mathcal{V}_{k_v}(m, \sigma) \in \{0, 1\}$

Security: impossible to forge a valid $\sigma$ without $k_s$

Basic Goal

  • Existential Forgery: without the private key, it is computationally impossible to forge a valid message-signature pair
$$\mathrm{Succ}^{\mathrm{ef}}(\mathcal{A}) = \Pr\big[\, (m, \sigma) = \mathcal{A}(k_v) \;:\; \mathcal{V}_{k_v}(m, \sigma) = 1 \,\big]$$

Basic Attacks

  • No-Message Attacks: in the public-key cryptography setting, the adversary knows the verification key, and can thus verify any signature
  • Known-Message Attacks (KMA): message-signature pairs are meant to be published, so the adversary has access to a list of message-signature pairs ⇒ the basic attack

Chosen-Message Attacks

  • Chosen-Message Attacks (CMA): in the list of message-signature pairs, the messages are adaptively chosen by the adversary ⇒ the strongest attack

Probabilistic Signatures

  • With probabilistic schemes, several signatures may be associated to a given message
  • Existential Forgery: produce a signature $\sigma$ for a new message $m$ (not in the list $\Lambda$)
  • Malleability: produce a new pair $(m, \sigma) \notin \Lambda$, maybe for an already signed message ($(m, \sigma') \in \Lambda$ for some $\sigma' \ne \sigma$)

Non-malleability ⇒ resistance to existential forgeries

Probabilistic Signatures (Cnt'd)

  • Chosen-Message Attacks (CMA): the adversary can ask any message of his choice, maybe the same several times (this may give more information with probabilistic schemes)
  • Single-Occurrence Chosen-Message Attacks (SO-CMA): each message can be asked at most once

Signature Schemes: Examples

RSA Signature

  • $n = pq$, product of large primes
  • $e$, relatively prime to $\varphi(n) = (p-1)(q-1)$
  • $n, e$: public key
  • $d = e^{-1} \bmod \varphi(n)$: private key

$\mathcal{S}(m) = m^d \bmod n$, $\mathcal{V}(m, \sigma) = [\,\sigma^e \stackrel{?}{=} m \bmod n\,]$

  • Existential Forgery = easy! (pick any $\sigma$ and set $m = \sigma^e \bmod n$)

GHR Signature

  • $n = pq$, product of large primes
  • $y \in \mathbb{Z}_n^*$
  • $n, y$: public key
  • $p, q$ or $\varphi(n)$: private key

If $\mathsf{p}$ is a function from the message space into the primes, with $e = \mathsf{p}(m)$ and $d = e^{-1} \bmod \varphi(n)$:

$\mathcal{S}(m) = (e, y^d \bmod n)$, $\mathcal{V}(m, e, x) = [\,x^e \stackrel{?}{=} y \bmod n\,]$

Existential Forgery = Flexible RSA Problem
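The two signature slides side by side, as an added example that is not code from the lecture: the no-message existential forgery and the multiplicative malleability of textbook RSA, then the GHR scheme where a forged pair would be an $e$-th root of the public $y$ for a prime $e$ fixed by the message, i.e. a flexible RSA solution. The toy modulus (two Mersenne primes), the public element $y$ and the prime-valued function $\mathsf{p}(\cdot)$ (a hash followed by a search for the next prime) are my own constructions, not the lecture's.

```python
"""Textbook RSA signatures (slide "RSA Signature") with the forgeries the slide alludes to,
and the GHR scheme (slide "GHR Signature"). Added example, not from the lecture; the
modulus, y and the prime-valued function p(.) are constructed here."""
import hashlib
import math

P, Q = 2**89 - 1, 2**107 - 1            # constructed toy factors (Mersenne primes), far too small
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                     # d = e^{-1} mod phi(n)


# --- textbook RSA: S(m) = m^d mod n, V(m, sigma) = [sigma^e = m mod n] ---
def rsa_sign(m):
    return pow(m, D, N)


def rsa_verify(m, sigma):
    return pow(sigma, E, N) == m % N


def rsa_existential_forgery(sigma):
    """No-message attack: pick any sigma, it is a valid signature of m = sigma^e mod n."""
    return pow(sigma, E, N), sigma


def rsa_multiply(m1, s1, m2, s2):
    """Known-message attack: sigma(m1) * sigma(m2) is a valid signature of m1 * m2 mod n."""
    return (m1 * m2) % N, (s1 * s2) % N


# --- GHR: public (n, y), private phi(n); sigma = (e, y^{1/e} mod n) with e = p(m) prime ---
Y = pow(3, 12345, N)                    # constructed public element y in Z_n^*


def is_prime(k):
    """Trial division; fine for the 28-bit candidates produced by hash_to_prime."""
    if k < 2 or (k > 2 and k % 2 == 0):
        return False
    i = 3
    while i * i <= k:
        if k % i == 0:
            return False
        i += 2
    return True


def hash_to_prime(m):
    """Constructed p(.): public, deterministic, maps a byte string to a 28-bit prime."""
    e = int(hashlib.sha256(m).hexdigest()[:7], 16) | (1 << 27) | 1   # odd, 28 bits
    while not is_prime(e):
        e += 2
    return e


def ghr_sign(m):
    e = hash_to_prime(m)
    assert math.gcd(e, PHI) == 1        # fails only with negligible probability
    return e, pow(Y, pow(e, -1, PHI), N)   # the e-th root of y: this is what needs phi(n)


def ghr_verify(m, e, x):
    """e must be p(m) (a new message fixes its own prime) and x^e must equal y."""
    return e == hash_to_prime(m) and pow(x, e, N) == Y
```

The RSA tricks do not carry over: raising an arbitrary $x$ to a prime $e$ gives some $x^e$, not the fixed $y$, and the product of two GHR signatures is a root of $y^2$, not of $y$. A forger who wants a new message $m'$ must produce $y^{1/\mathsf{p}(m')} \bmod n$ knowing only $(n, y)$, with $e = \mathsf{p}(m')$ prime, which is the flexible RSA problem of the Computational Assumptions section.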

New Assumptions

Strong Security Notions

Signature: difficult to obtain security against existential forgeries. Encryption: difficult to reach CCA security. Maybe possible, but with inefficient schemes. Inefficient schemes are useless in practice: everybody wants security, but only if it is transparent.

Ideal Models

⇒ one makes some ideal assumptions:

  – ideal random hash function: random oracle model
  – ideal symmetric encryption: ideal cipher model
  – ideal group: generic model (generic adversaries)

The Random Oracle Model

  • Introduced by Bellare-Rogaway, ACM-CCS '93
  • The most widely accepted model
  • It consists in considering some functions as perfectly random functions, or replacing them by random oracles:
    – each new query is returned a random answer
    – the same query asked twice receives twice the same answer

Modeling a Random Oracle

A usual way to model a random oracle $H$ is to maintain a list $\Lambda_H$ which contains all the query-answer pairs $(x, \rho)$:

  • $\Lambda_H$ is initially set to an empty list
  • A query $x$ to $H$ is answered the following way:
    – if for some $\rho$, $(x, \rho) \in \Lambda_H$, $\rho$ is returned
    – otherwise, a random $\rho$ is drawn from the appropriate range, $(x, \rho)$ is appended to $\Lambda_H$, and $\rho$ is returned

The Generic Model

  • It consists in considering the underlying group as a generic one: $(\mathbb{G}, +) \approx (\mathbb{Z}_q, +)$
  • But the adversary has access to the encoding of elements: $\sigma(Q)$
  • If one assumes that $\mathbb{G} = \langle P \rangle$, we define $\sigma(x) = \sigma(x \cdot P)$, so that $\sigma(x \pm y) = \sigma((x \pm y) \cdot P) = \sigma(x \cdot P \pm y \cdot P)$
  • Generic group: the encoding is random
Modeling a Generic Group

A usual way to model a generic group is to maintain a list $\Lambda$ which contains all the pairs $(x, \sigma(x))$:

  • $\Lambda$ is initially set to $((1, \sigma(1)), (x, \sigma(x)))$: $P$ and $Y$
  • A query $\sigma_1 \pm \sigma_2$ to the group law is answered:
    – First, because of the randomness of the encoding, there exist $x_1, x_2$ such that $(x_1, \sigma_1), (x_2, \sigma_2) \in \Lambda$
    – If $(x_1 \pm x_2, \sigma) \in \Lambda$ for some $\sigma$, $\sigma$ is returned
    – otherwise, a new random $\sigma$ is drawn, $(x_1 \pm x_2, \sigma)$ is appended to $\Lambda$, and $\sigma$ is returned

Proofs in the Generic Model

  • $\Lambda \leftarrow ((P_1, \sigma_1), (P_2, \sigma_2))$:
    – $(P_1, \sigma_1) = (1, \sigma_1)$ encodes $P$, the generator
    – $(P_2, \sigma_2) = (X, \sigma_2)$ encodes $Y$, a random point ($Y = x \cdot P$); thus $x$ is replaced by the unknown $X$
  • For a query $\sigma_i \pm \sigma_j$, one looks for $(P_i, \sigma_i), (P_j, \sigma_j) \in \Lambda$
    – If $(P_i \pm P_j, \sigma) \in \Lambda$ for some $\sigma$, $\sigma$ is returned
    – Otherwise, $P_k = P_i \pm P_j$, a new $\sigma$ is drawn, $(P_k, \sigma)$ is appended to $\Lambda$ and $\sigma$ is returned

Bad Simulation

  • $\Lambda \leftarrow ((P_1 = 1, \sigma_1), (P_2 = X, \sigma_2))$: $(P, Y = x \cdot P)$
  • For a query $\sigma_i \pm \sigma_j$, one looks for $(P_i, \sigma_i), (P_j, \sigma_j) \in \Lambda$
    – If $(P_i \pm P_j, \sigma) \in \Lambda$ for some $\sigma$, it is returned
    – Otherwise, $P_k = P_i \pm P_j$, a new $\sigma$ is drawn

A problem arises if $P \ne P'$ while $P(x) = P'(x)$: the simulation has then given two different encodings to the same group element. But $Q = P - P' \ne 0$ is affine, so $\Pr[Q(x) = 0] \le 1/q$

Bad Simulation (Cnt'd)

  • After $n$ queries to the group law oracle, at most $n + 2$ polynomials have been defined
  • The probability that a problem arises is less than $(n+1)(n+2)/2q$
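The two lazy simulators of these slides, the random oracle with its list $\Lambda_H$ and the generic group with polynomials in the unknown $X$, written out as an added example that is not code from the lecture. The group is never instantiated: an encoding is a random bit string tied to an affine polynomial $a + bX$ stored as the pair $(a, b)$, the group law is answered by adding polynomials, and the bad event of the last slide (two distinct polynomials agreeing at the real $x$) is made explicit by a check that takes $x$ as input. The attacker `generic_dlog`, the encoding width and the small $q$ are assumptions of the example.

```python
"""Lazy simulation of a random oracle (slide "Modeling a Random Oracle") and of a generic
group with polynomial bookkeeping (slides "Modeling a Generic Group", "Proofs in the
Generic Model", "Bad Simulation"). Added example, not code from the lecture."""
import random


class RandomOracle:
    """H with list Lambda_H: a fresh uniform answer on a new query, the stored one otherwise."""
    def __init__(self, out_bits=128):
        self.table, self.out_bits = {}, out_bits

    def query(self, x):
        if x not in self.table:
            self.table[x] = random.getrandbits(self.out_bits)
        return self.table[x]


class GenericGroup:
    """Additive group of prime order q with a random encoding sigma; Lambda is stored
    in both directions (polynomial -> encoding, encoding -> polynomial)."""
    def __init__(self, q, enc_bits=64):
        self.q, self.enc_bits, self.queries = q, enc_bits, 0
        self.by_poly, self.by_enc = {}, {}
        self.P = self.encode((1, 0))    # generator P  <-> polynomial 1
        self.Y = self.encode((0, 1))    # Y = x.P      <-> polynomial X

    def encode(self, poly):
        """sigma(poly): reuse the stored encoding, else draw a fresh unused one."""
        if poly not in self.by_poly:
            s = random.getrandbits(self.enc_bits)
            while s in self.by_enc:
                s = random.getrandbits(self.enc_bits)
            self.by_poly[poly], self.by_enc[s] = s, poly
        return self.by_poly[poly]

    def op(self, s1, s2, sign=1):
        """Group-law query sigma_1 +/- sigma_2, answered from the polynomials alone.
        Both inputs are in Lambda: the adversary only holds encodings it was given."""
        (a1, b1), (a2, b2) = self.by_enc[s1], self.by_enc[s2]
        self.queries += 1
        return self.encode(((a1 + sign * a2) % self.q, (b1 + sign * b2) % self.q))

    def scalar(self, k, s):
        """k.Q for k >= 1 by double-and-add, i.e. a generic algorithm that only uses op()."""
        acc = s
        for bit in bin(k)[3:]:          # bits after the leading 1
            acc = self.op(acc, acc)
            if bit == "1":
                acc = self.op(acc, s)
        return acc

    def bad_event(self, x):
        """True iff two distinct polynomials in Lambda agree at the real x: the simulation
        has then given two encodings to one group element, which a real group never does."""
        seen = {}
        for a, b in self.by_poly:
            v = (a + b * x) % self.q
            if v in seen and seen[v] != (a, b):
                return True
            seen[v] = (a, b)
        return False

    def bad_event_bound(self):
        """The slide's bound (n+1)(n+2)/2q after n group-law queries."""
        n = self.queries
        return (n + 1) * (n + 2) / (2 * self.q)


def generic_dlog(group, guesses):
    """Generic attacker: compares the encoding of k.P with that of Y for each guess k.
    Inside the simulation it never succeeds; the guesses k = x on which it would have
    succeeded in a real group are exactly those that make bad_event(x) true afterwards."""
    return [k for k in guesses if group.scalar(k, group.P) == group.Y]
```

Every run of the simulator against a generic adversary is a perfect run of the real game unless the bad event occurs, and the adversary's only way to learn anything about $x$ is to trigger it; that is why its success probability is bounded by the same $(n+1)(n+2)/2q$ expression that `bad_event_bound()` returns.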

New Formalism

Reduction

Several problems $\mathcal{P}_1, \mathcal{P}_2, \mathcal{P}_3, \ldots$ may be reduced to a given attack Atk:

  • Let $\mathcal{A}$ be an adversary that breaks the scheme, with probability $\varepsilon$ on a probability space defined by the internal coins, the external ones, the keys and the random oracles
  • We successively modify the probability space
Modifications

The modifications of the probability space may impact the success probability $\varepsilon = \Pr[S]$:

  • probability space unchanged ⇒ the success probability is unchanged
  • unchanged unless a bad event $E$ happens
    – $S$ is independent of $E$: $\varepsilon' \ge \varepsilon \times \Pr[\neg E]$
$$\varepsilon' = \Pr[S'] = \Pr[S' \wedge E] + \Pr[S' \wedge \neg E] \ge \Pr[S' \wedge \neg E] = \Pr[S' \mid \neg E]\,\Pr[\neg E] \ge \Pr[S]\,\Pr[\neg E] = \varepsilon \times \Pr[\neg E]$$

Shoup's Lemma

The modifications of the probability space may impact the success probability $\varepsilon = \Pr[S]$:

  • unchanged unless a bad event $E$ happens
    – $S$ is not independent of $E$: $|\varepsilon' - \varepsilon| \le \Pr[E]$
$$\begin{aligned} |\varepsilon' - \varepsilon| &= |\Pr[S'] - \Pr[S]| = |\Pr[S' \wedge E] + \Pr[S' \wedge \neg E] - \Pr[S \wedge E] - \Pr[S \wedge \neg E]| \\ &= |\Pr[S' \mid E]\,\Pr[E] + \Pr[S' \mid \neg E]\,\Pr[\neg E] - \Pr[S \mid E]\,\Pr[E] - \Pr[S \mid \neg E]\,\Pr[\neg E]| \\ &= |\Pr[S' \mid E] - \Pr[S \mid E]| \times \Pr[E] \le \Pr[E] \end{aligned}$$
(the terms conditioned on $\neg E$ cancel, since $S' = S$ when $E$ does not happen)

Games

We thus define a sequence of games:

  • Game 0: the original attack, $\Pr[S_0] = \varepsilon$
  • Game 1: relation between $\Pr[S_0]$ and $\Pr[S_1]$
  • Game $i$: which differs from Game $i-1$ only if event $E$ happens

Event $E$ happens = problem $\mathcal{P}$ is broken ⇒ $\Pr[E] \le \mathrm{Succ}^{\mathcal{P}}(t')$ where $t'$ is the running time of Game $i$ ⇒ relation between $\Pr[S_{i-1}]$, $\Pr[S_i]$ and $\mathrm{Succ}^{\mathcal{P}}(t')$

Final Game

  • Game $n$: the success probability is easy to determine, typically $\Pr[S_n] = 0$ or $\Pr[S_n] = 1/2$, or also $\Pr[S_n] \le q/2^k$

⇒ one gets an upper-bound on $\varepsilon = \Pr[S_0]$
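The El Gamal IND-CPA proof of the Encryption and Signature section, redone in this game formalism as an added illustration (not from the lecture); $S_i$ is the event $b' = b$ in Game $i$, and the DDH hop is an indistinguishability step rather than a bad event, so the difference is bounded by an advantage instead of $\Pr[E]$:

```latex
\text{Game 0 (the real IND-CPA game):}\quad
x \leftarrow \mathbb{Z}_q,\ y = g^x;\ (m_0, m_1, s) \leftarrow \mathcal{A}_1(y);\
b \leftarrow \{0,1\},\ a \leftarrow \mathbb{Z}_q;\ (c, d) = (g^a,\ y^a m_b);\ b' \leftarrow \mathcal{A}_2(c, d, s).
\qquad \Pr[S_0] = \tfrac12 + \tfrac12\,\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A})

\text{Game 1:}\quad \text{replace } y^a \text{ by a random } z \leftarrow \mathbb{G},\ \text{i.e. } d = z\, m_b.
\quad \text{The distinguisher } \mathcal{B}(A, B, C) \text{ with } y = A,\ c = B,\ d = C m_b
\text{ plays Game 0 when } C = g^{ab} \text{ and Game 1 when } C \text{ is random, hence}
\quad |\Pr[S_0] - \Pr[S_1]| \le \mathrm{Adv}^{\mathrm{ddh}}(t')

\text{Final game analysis:}\quad \text{if } m_0, m_1 \in \mathbb{G},\ z m_b \text{ is uniform in } \mathbb{G}
\text{ and independent of } b,\ \text{so } \Pr[S_1] = \tfrac12

\text{Conclusion:}\quad \mathrm{Adv}^{\mathrm{ind}}(t) = 2\Pr[S_0] - 1 = 2\,(\Pr[S_0] - \Pr[S_1]) \le 2\,\mathrm{Adv}^{\mathrm{ddh}}(t')
```

This is the same bound $\mathrm{Adv}^{\mathrm{ind}}(t) \le 2\,\mathrm{Adv}^{\mathrm{ddh}}(t')$ as before, but the structure now shows where each hypothesis is consumed: DDH in the hop from Game 0 to Game 1, and the encoding of $m_0, m_1$ into $\mathbb{G}$ in the final analysis.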

Conclusion

  • Such a kind of proof clearly points out crucial points: the bad events to cancel
  • The proof is easy to check/follow