Campus Event Calendar

Event Entry

What and Who

Constructive Cryptography and Modular Protocol Design

Prof. Dr. Ueli Maurer
ETH Zürich
CISPA Distinguished Lecture Series
AG 1, AG 2, AG 3, AG 4, AG 5, SWS, RG1, MMCI  
Public Audience
English

Date, Time and Location

Thursday, 15 January 2015
14:00
60 Minutes
E1 5
0.02
Saarbrücken

Abstract

There is a significant and surprising discrepancy between the
(generally) mathematically rigorous cryptographic literature and the
reality of practical cryptographic protocol design. While the security
of cryptographic schemes (such as various types of encryption,
signatures, etc.) is usually rigorously defined and proven (based on
some intractability assumptions), practical cryptographic protocols
such as TLS that make use of these schemes are often broken, patched,
again broken, etc. Why can't we design provably secure protocols, in
the same sense as we seem to be able to design provably secure
cryptographic schemes?

Constructive cryptography, developed jointly with Renato Renner, is an
alternative paradigm for designing cryptographic protocols and proving
their security; the goal is to avoid the above-mentioned discrepancy.
In constructive cryptography, a cryptographic scheme (e.g. encryption)
is seen as constructing a certain resource (e.g. a secure channel)
from another resource (e.g. an authenticated channel and a secret
key), for a well-defined notion of construction. The construction
notion is composable; for example, a key constructed by a secure
key-agreement protocol can provably be used as the key in any
application that requires a secret key. Composition allows complex
protocols to be designed in a modular, layered manner. The security proofs of
the modules (e.g. encryption, authentication, key agreement, or
signatures) directly compose to a security proof for the entire
protocol.
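To make the construction notion concrete, the following toy model is an added example (written for this page; it is not code from the talk or from the constructive cryptography papers). It models the statement "a one-time pad constructs a secure channel from an authenticated channel and a shared secret key" exactly as the paradigm prescribes: the real system (assumed resources plus the protocol's converters at Alice's and Bob's interfaces) must be indistinguishable from the ideal system (the constructed secure channel plus a simulator at Eve's interface). The function names, the single-byte sample messages and the representation of resources as plain functions are all assumptions of this example; the key space is small enough to enumerate exhaustively, which is what makes the distinguishing advantage exact rather than estimated.

```python
"""Toy model of a constructive-cryptography construction statement
(added example; resources are modelled as plain functions).

real  = [secret key, authenticated channel] with one-time-pad converters
ideal = [secure channel] with a simulator at Eve's interface
The construction holds if no distinguisher can tell the two apart; the
best possible advantage is the statistical distance of Eve's views.
"""
from collections import Counter
from fractions import Fraction
from itertools import product


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def real_system(messages, key):
    """Assumed resources: a shared secret KEY and an AUTHENTICATED channel.
    Converters: one-time-pad encryption at Alice, decryption at Bob.
    Eve's interface to the authenticated channel shows every ciphertext
    (read-only; she cannot modify). Returns (Bob's outputs, Eve's view)."""
    assert all(len(m) <= len(key) for m in messages), "pad shorter than message"
    ciphertexts = tuple(xor(m, key) for m in messages)
    bob_output = tuple(xor(c, key) for c in ciphertexts)
    return bob_output, ciphertexts


def ideal_system(messages, simulator_randomness):
    """Constructed resource: a SECURE channel that delivers each message to
    Bob and leaks only its length at Eve's interface. The simulator fakes
    Eve's real-world view from those lengths alone, using fresh randomness."""
    fake, pos = [], 0
    for m in messages:
        fake.append(simulator_randomness[pos:pos + len(m)])
        pos += len(m)
    return tuple(messages), tuple(fake)


def view_distribution(system, messages, randomness_len):
    """Exact distribution of Eve's view, enumerating every randomness string
    of the given byte length (only feasible for the tiny toy parameters)."""
    counts, total = Counter(), 0
    for r in product(range(256), repeat=randomness_len):
        _, view = system(messages, bytes(r))
        counts[view] += 1
        total += 1
    return {v: Fraction(c, total) for v, c in counts.items()}


def statistical_distance(p, q):
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in set(p) | set(q)) / 2


def _both_views(messages, key_len):
    real = view_distribution(real_system, messages, key_len)
    ideal = view_distribution(ideal_system, messages, sum(len(m) for m in messages))
    return real, ideal


def construction_advantage(messages, key_len):
    """Best possible distinguishing advantage between real and ideal for the
    given messages; 0 means the construction statement holds perfectly."""
    real, ideal = _both_views(messages, key_len)
    return statistical_distance(real, ideal)


def xor_distinguisher_advantage(messages, key_len):
    """A concrete distinguisher for the key-reuse failure mode: guess 'real'
    iff c1 XOR c2 == m1 XOR m2. Its advantage |Pr[real] - Pr[ideal]| can
    never exceed the statistical distance above."""
    def decide(view):
        return xor(view[0], view[1]) == xor(messages[0], messages[1])
    real, ideal = _both_views(messages, key_len)
    p_real = sum(pr for v, pr in real.items() if decide(v))
    p_ideal = sum(pr for v, pr in ideal.items() if decide(v))
    return abs(p_real - p_ideal)


def honest_outputs_agree(messages, key_len):
    """Correctness half of the statement: Bob's outputs coincide in both
    worlds for every key (checked exhaustively here)."""
    want = tuple(messages)
    if any(real_system(messages, bytes(r))[0] != want
           for r in product(range(256), repeat=key_len)):
        return False
    return ideal_system(messages, b"\x00" * sum(len(m) for m in messages))[0] == want


if __name__ == "__main__":
    # Constructed sample messages, one byte each, so a one-byte pad suffices.
    m1, m2 = b"\x2a", b"\x7f"
    print("one-time pad, single message:", construction_advantage([m1], 1))
    print("same pad reused for two messages:", construction_advantage([m1, m2], 1))
    print("XOR distinguisher on reused pad:", xor_distinguisher_advantage([m1, m2], 1))
```

The single-message case reports advantage 0: Eve's real view (m XOR k for uniform k) has exactly the distribution the simulator produces from the length alone, so the one-time pad does construct the secure channel from the two assumed resources. Reusing the same pad for a second message is not covered by that statement, and the model shows why: Eve's real view is confined to 256 pairs with c1 XOR c2 fixed, while the simulator, knowing only two lengths, spreads over 65536 pairs, giving the XOR distinguisher an advantage of 255/256. Composition in the paradigm only guarantees that a key constructed elsewhere can be plugged in as a key resource; it never extends a construction to a use (here, key reuse) that its statement does not cover.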

A treatment of cryptographic statements in constructive cryptography
comes with several advantages, including reusability, clear semantics
of security definitions, simplicity due to an abstract treatment freed
from artifacts (like Turing machines, asymptotics, polynomial-time,
communication tapes, corruption messages, etc.), capturing different
security notions (such as information-theoretic and computational
security) in a single treatment, and possibly also suitability for a
treatment with formal methods.

Based on joint work with several coauthors, including Sandro Coretti,
Christian Matt, Renato Renner and Bjoern Tackmann.

Contact

Sabine Nermerich
302-3585

Sabine Nermerich, 01/06/2015 09:05 -- Created document.