This lecture discusses pseudorandom functions and keyed functions in cryptography, including pseudorandom permutations, PRFs vs PRGs, block ciphers, and CPA-security.
Cryptography Lecture 7
Keyed functions
• Let F: {0,1}* x {0,1}* → {0,1}* be an efficient, deterministic algorithm
• Define F_k(x) = F(k, x)
• The first input is called the key
• Assume F is length preserving: F(k, x) is only defined if |k| = |x|, in which case |F(k, x)| = |k| = |x|
• Choosing a uniform k ∈ {0,1}^n is equivalent to choosing the function F_k : {0,1}^n → {0,1}^n
• I.e., for fixed key length n, the algorithm F defines a distribution over functions in Func_n!
(Figure: a poly-time distinguisher queries x_1, …, x_t. In World 0 the answers are f(x_1), …, f(x_t) for f ∈ Func_n chosen uniformly at random; in World 1 they are F_k(x_1), …, F_k(x_t) for k ∈ {0,1}^n chosen uniformly at random. The distinguisher must guess which world it is in.)
Pseudorandom permutations (PRPs)
• Let f ∈ Func_n
• f is a permutation if it is a bijection
• This means that the inverse f^{-1} exists
• Let Perm_n ⊆ Func_n be the set of permutations
• What is |Perm_n|?
Pseudorandom permutations
• Let F be a length-preserving, keyed function
• F is a keyed permutation if
  • F_k is a permutation for every k
  • F_k^{-1} is efficiently computable (where F_k^{-1}(F_k(x)) = x)
• F is a pseudorandom permutation if F_k, for uniform key k ∈ {0,1}^n, is indistinguishable from a uniform permutation f ∈ Perm_n
Note
• For large enough n, a random permutation is indistinguishable from a random function
• So in practice, PRPs are also good PRFs
• Proof in the book (required!)
PRFs vs. PRGs
• A PRF F immediately implies a PRG G:
  • Define G(k) = F_k(0…0) | F_k(0…1) | …
  • I.e., G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | …, where <i> denotes the n-bit encoding of i
• A PRF can be viewed as a PRG with random access to exponentially long output
  • The function F_k can be viewed as the n·2^n-bit string F_k(0…0) | … | F_k(1…1)
Do PRFs/PRPs exist?
• They are a stronger primitive than PRGs…
• …though they can be built from PRGs
• In practice, block ciphers are used
Block ciphers
• Block ciphers are practical constructions of pseudorandom permutations
• No asymptotics: F: {0,1}^n x {0,1}^m → {0,1}^m
  • n = “key length”
  • m = “block length”
• Hard to distinguish F_k from a uniform f ∈ Perm_m even for attackers running in time 2^n
AES
• Advanced encryption standard (AES)
• Standardized by NIST in 2000 based on a public, worldwide competition lasting over 3 years
• Block length = 128 bits
• Key length = 128, 192, or 256 bits
• Will not discuss details later in the course
• No real reason to use anything else
CPA-security
• Fix Π, A
• Define a randomized experiment PrivK^CPA_{A,Π}(n):
  • k ← Gen(1^n)
  • A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length
  • b ← {0,1}, c ← Enc_k(m_b), give c to A
  • A can continue to interact with Enc_k(·)
  • A outputs b'; A succeeds if b = b', and the experiment evaluates to 1 in this case
CPA-security
• Π is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function ε such that
  Pr[PrivK^CPA_{A,Π}(n) = 1] ≤ ½ + ε(n)
CPA-secure encryption
• Let F be a length-preserving, keyed function
• Gen(1^n): choose a uniform key k ∈ {0,1}^n
• Enc_k(m), for |m| = |k|:
  • Choose uniform r ∈ {0,1}^n (nonce/initialization vector)
  • Output ciphertext <r, F_k(r) ⊕ m>
• Dec_k(c_1, c_2): output c_2 ⊕ F_k(c_1)
• Correctness is immediate
(Figure: the key and the nonce r are fed into F; the pseudorandom output F_k(r) is XORed with the message to give the ciphertext.)
Security?
• Theorem: if F is a pseudorandom function, then this scheme is CPA-secure
Note
• The key may be as long as the message…
• …but the same key can be used to safely encrypt multiple messages
Security?
• Theorem: if F is a pseudorandom function, then this scheme is CPA-secure
• Proof by reduction…
• Let Π denote the scheme
(Figure: the reduction's encryption oracle. The distinguisher D has oracle access to f, which is either pseudorandom (F_k) or truly random. When the attacker queries m, D chooses r ← {0,1}^n, queries f(r), and returns the ciphertext r, f(r) ⊕ m.)
(Figure: the challenge. When the attacker outputs m_0, m_1, D chooses b ← {0,1} and r* ← {0,1}^n, queries f(r*), and returns r*, f(r*) ⊕ m_b. When the attacker outputs b', D outputs 1 if b = b'.)
Analysis
• Let µ(n) = Pr[PrivK^CPA_{Adv,Π}(n) = 1]
• Let q(n) be a bound on the number of encryption queries made by the attacker
• If f = F_k for uniform k, then the view of Adv is exactly as in PrivK^CPA_{Adv,Π}(n):
  Pr_{k←{0,1}^n}[D^{F_k(·)} = 1] = Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n)
Analysis
• If f is uniform, there are two sub-cases
  • r* was used for some other ciphertext (call this event Repeat)
  • r* was not used for some other ciphertext
• Pr_f[D^{f(·)} = 1] ≤ Pr_f[D^{f(·)} = 1 | ¬Repeat] + Pr[Repeat]
• Pr[Repeat] ≤ q(n)/2^n
• Pr_f[D^{f(·)} = 1 | ¬Repeat] = ½
Analysis
• Since F is pseudorandom…
  |µ(n) – Pr_f[D^{f(·)} = 1]| ≤ ε(n)
• µ(n) ≤ Pr_f[D^{f(·)} = 1] + ε(n) ≤ ½ + q(n)/2^n + ε(n)
• For any polynomial q, the term q(n)/2^n is negligible
• Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n) ≤ ½ + ε'(n)
QED
Real-world security?
• The security bound we proved is tight
• What happens if a nonce r is ever reused?
• What is the probability that the nonce used in some challenge ciphertext is also used for some other ciphertext?
• What happens to the bound if the nonce is chosen non-uniformly?
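As an added example (not part of the lecture slides), here is the scheme Enc_k(m) = <r, F_k(r) ⊕ m> in Python, with HMAC-SHA256 standing in for the abstract F_k (an assumption made only for this example), plus a concrete check of the nonce-reuse question asked above: when r repeats, the two ciphertexts XOR to m_0 ⊕ m_1, which is the Repeat event from the proof. The function names gen, enc, dec and nonce_reuse_leak are mine.

```python
import hmac
import hashlib
import os
from typing import Optional, Tuple

N_BYTES = 32   # n = 256 bits: key, nonce and message block are all 32 bytes

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the length-preserving keyed function F_k. Assumption made
    for this example: HMAC-SHA256 with a 32-byte key and 32-byte input, whose
    output is also 32 bytes (the lecture leaves F abstract)."""
    assert len(k) == N_BYTES and len(x) == N_BYTES
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def gen() -> bytes:
    """Gen(1^n): a uniform key k in {0,1}^n."""
    return os.urandom(N_BYTES)

def enc(k: bytes, m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enc_k(m) = <r, F_k(r) xor m> with a fresh uniform nonce r.
    The optional r parameter exists only so nonce_reuse_leak() below can
    force a repeated nonce; real callers must never pass it."""
    assert len(m) == N_BYTES
    if r is None:
        r = os.urandom(N_BYTES)   # nonce / initialization vector
    return r, xor(F(k, r), m)

def dec(k: bytes, c: Tuple[bytes, bytes]) -> bytes:
    """Dec_k(c_1, c_2) = c_2 xor F_k(c_1)."""
    c1, c2 = c
    return xor(c2, F(k, c1))

def nonce_reuse_leak(k: bytes, m0: bytes, m1: bytes) -> bytes:
    """The Repeat event from the proof, made concrete: encrypt m0 and m1 under
    the same nonce r and return c_2 xor c_2'. Both ciphertexts use the pad
    F_k(r), so the pad cancels and the result equals m0 xor m1: a single
    repeated nonce exposes the relation between two plaintexts to anyone
    holding the ciphertexts, without the key."""
    r = os.urandom(N_BYTES)
    _, c2 = enc(k, m0, r)
    _, c2_prime = enc(k, m1, r)
    return xor(c2, c2_prime)
```

The bound q(n)/2^n in the analysis is exactly the probability that this leak happens by accident when nonces are chosen uniformly; with non-uniform or short nonces it is reached much sooner.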
CPA-secure encryption
• We have shown a CPA-secure encryption scheme based on any block cipher/PRF
  • Enc_k(m) = <r, F_k(r) ⊕ m>
• Drawbacks?
  • A 1-block plaintext results in a 2-block ciphertext
  • Only defined for encryption of n-bit messages
Encrypting long messages?
• Recall that CPA-security implies security for the encryption of multiple messages
• So, we can encrypt the message m_1, …, m_t as Enc_k(m_1), Enc_k(m_2), …, Enc_k(m_t)
• This is also CPA-secure!
(Figure: under the same key k, the message m_1, …, m_t is encrypted block by block as c_1 ← Enc_k(m_1), …, c_t ← Enc_k(m_t), giving the ciphertext c_1, …, c_t.)
Drawback
• The ciphertext is twice the length of the plaintext
• I.e., ciphertext expansion by a factor of two
• Can we do better?
Modes of operation
• Block-cipher modes of operation
• Stream-cipher modes of operation
CTR mode
• Enc_k(m_1, …, m_t) // note: t is arbitrary
  • Choose ctr ← {0,1}^n, set c_0 = ctr
  • For i = 1 to t:
    • c_i = m_i ⊕ F_k(ctr + i)
  • Output c_0, c_1, …, c_t
• Decryption?
• Ciphertext expansion is just 1 block
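CTR mode as described above, as an added example that is not from the lecture: encryption, the decryption the slide asks for (it only ever runs F_k forward, so F need not be invertible), and a check for the overlap event ctr_i + j = ctr_i' + j' that the CPA proof sketch on the following slide bounds. HMAC-SHA256 stands in for F_k (an assumption for this example), counters are n-bit integers wrapping modulo 2^n, and the names ctr_enc, ctr_dec and keystreams_overlap are mine.

```python
import hmac
import hashlib
import os
from typing import List, Optional

N_BYTES = 32   # n = 256 bits: key, counter and block size

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_k (assumption for this example: HMAC-SHA256 with
    32-byte key, input and output; the lecture leaves F abstract)."""
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_add(ctr: bytes, i: int) -> bytes:
    """ctr + i as an n-bit integer, wrapping modulo 2^n."""
    v = (int.from_bytes(ctr, "big") + i) % (1 << (8 * N_BYTES))
    return v.to_bytes(N_BYTES, "big")

def ctr_enc(k: bytes, blocks: List[bytes], ctr: Optional[bytes] = None) -> List[bytes]:
    """Enc_k(m_1, ..., m_t): uniform ctr, c_0 = ctr, c_i = m_i xor F_k(ctr + i).
    The ctr parameter is only for deterministic tests; normally leave it None."""
    assert all(len(m) == N_BYTES for m in blocks)
    if ctr is None:
        ctr = os.urandom(N_BYTES)
    return [ctr] + [xor(m, F(k, ctr_add(ctr, i))) for i, m in enumerate(blocks, 1)]

def ctr_dec(k: bytes, ct: List[bytes]) -> List[bytes]:
    """Decryption recomputes the same pads from c_0 and xors them off.
    F_k is only ever evaluated in the forward direction, so unlike CBC
    mode, CTR mode does not need F to be invertible."""
    ctr = ct[0]
    return [xor(c, F(k, ctr_add(ctr, i))) for i, c in enumerate(ct[1:], 1)]

def keystreams_overlap(ctr1: bytes, t1: int, ctr2: bytes, t2: int) -> bool:
    """The bad event in the proof sketch: the pads of two messages are not
    independent iff ctr1 + j == ctr2 + j' for some 1 <= j <= t1, 1 <= j' <= t2.
    Any overlap reuses a pad block, the same failure as a repeated nonce."""
    used = {ctr_add(ctr1, j) for j in range(1, t1 + 1)}
    return any(ctr_add(ctr2, j) in used for j in range(1, t2 + 1))
```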
(Figure: CTR mode. The counter values ctr+1, ctr+2, …, ctr+t are fed through F_k; each output is XORed with m_1, m_2, …, m_t to give c_1, c_2, …, c_t, and c_0 = ctr.)
CTR mode
• Theorem: If F is a pseudorandom function, then CTR mode is CPA-secure
• Proof sketch: The sequence F_k(ctr_i + 1), …, F_k(ctr_i + t) used to encrypt the ith message is pseudorandom
• Moreover, it is independent of every other such sequence unless ctr_i + j = ctr_i' + j' for some i, j, i', j'
• Just need to bound the probability of that event
CBC mode
• Enc_k(m_1, …, m_t) // note: t is arbitrary
  • Choose random c_0 ← {0,1}^n (also called the IV)
  • For i = 1 to t:
    • c_i = F_k(m_i ⊕ c_{i-1})
  • Output c_0, c_1, …, c_t
• Decryption?
  • Requires F to be invertible
• Ciphertext expansion is just 1 block
(Figure: CBC mode. Each plaintext block m_i is XORed with the previous ciphertext block (c_0 = IV for m_1) and then passed through F_k to give c_i.)
CBC mode
• Theorem: If F is a pseudorandom permutation, then CBC mode is CPA-secure
• Proof is more complicated than for CTR mode
ECB mode
• Enc_k(m_1, …, m_t) = F_k(m_1), …, F_k(m_t)
• Deterministic
• Not CPA-secure!
  • Can tell from the ciphertext whether m_i = m_j
• Not even EAV-secure!
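The leak on this slide made concrete, as an added example that is not part of the lecture: ECB encryption with HMAC-SHA256 standing in for F_k (an assumption; only the forward direction is needed to show the problem), and a check that reports pairs of equal ciphertext blocks, which under ECB reveal exactly which plaintext blocks are equal. The names ecb_enc and repeated_block_pairs are mine.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

N_BYTES = 32   # block size in bytes (n = 256 bits)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for F_k (assumption for this example: HMAC-SHA256 with a
    32-byte key, input and output). Only the forward direction is needed."""
    return hmac.new(k, x, hashlib.sha256).digest()

def ecb_enc(k: bytes, blocks: List[bytes]) -> List[bytes]:
    """Enc_k(m_1, ..., m_t) = F_k(m_1), ..., F_k(m_t): no nonce, no chaining,
    so the same key and plaintext block always give the same ciphertext block."""
    assert all(len(m) == N_BYTES for m in blocks)
    return [F(k, m) for m in blocks]

def repeated_block_pairs(ct: List[bytes]) -> List[Tuple[int, int]]:
    """Return the pairs (i, j), i < j, with c_i == c_j (j paired with the
    first i). Under ECB this happens exactly when m_i == m_j, so an observer
    learns plaintext equalities from the ciphertext alone; under CTR or CBC
    with fresh randomness, equal ciphertext blocks occur only with negligible
    probability. Repeated blocks in captured data are thus a cheap tell that
    ECB is in use and the mode should be replaced."""
    first_seen: Dict[bytes, int] = {}
    pairs: List[Tuple[int, int]] = []
    for j, c in enumerate(ct):
        if c in first_seen:
            pairs.append((first_seen[c], j))
        else:
            first_seen[c] = j
    return pairs
```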
Not just a theoretical problem!
(Figure: the original image and the same image encrypted using ECB mode. Taken from http://en.wikipedia.org and derived from images created by Larry Ewing (lewing@isc.tamu.edu) using The GIMP.)