270 likes | 417 Views
CIS 5371 Cryptography. 3b. Pseudorandomness . B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography. Pseudorandomness An introduction.
E N D
CIS 5371 Cryptography 3b. Pseudorandomness. Based on: Jonathan Katz and Yehuda LindellIntroduction to Modern Cryptography
Pseudorandomness An introduction • A distribution D is pseudorandom if no PPT distinguisher can detect if it a string sampled according to D or chosen uniformly at random. • This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.
Pseudorandomness An introduction • A pseudorandom generator is a deterministic algorithm that given a short truly random seed of length nwill stretch it to into a longer string of length that is pseudorandom.
Existence of pseudorandom generators • We cannot prove that pseudorandom generators exist! • We believe that such generators can be constructed from one-way functions. • There are some long-standing problems that have no efficient solution and it is believed that they are unsolvable in polynomial time.
Pseudorandom generators informal definition • A distribution D is pseudorandom if no PPT distinguisher can detect if it is given a string sampled according to D or a string chosen uniformly at random. • This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string and when given a pseudorandom string.
PseudorandomnessDefinition Let be a polynomial and a deterministic polynomial-time algorithm that on input any will output string of length . is a pseudorandomgenerator if: • ∀ PPT distinguishers D, where is uniform random string of length is uniform random of length and the probabilities are taken over the coins used by and the choices of .
A secure fixed length encryption Protocol • Let be a pseudorandom generator with expansion • factor . Define a private-key encryption scheme • for messages of length as follows • Gen: on input choose uniformly at • random and output as key. • Enc: on input a key and a message • m output the ciphertext • Dec: on input a key and a ciphertext • c output the plaintext
A secure fixed length encryption Theorem If be a pseudorandom generator then protocol is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.
A secure fixed length encryption Reduction Adversary A’(Distinguisher D) Adversary A (Protocol ) choose a random bit compute Suppose that A succeeds with probability 1 if 0 if
A secure fixed length encryption Proof • Let Pr . • Then, • when is uniform random we have. • when we have • Pr .
A secure fixed length encryption Proof Therefore when is chosen uniformly in
Variable output length pseudorandom generators A deterministic polynomial-time algorithm is a variable output-length pseudorandom generator if: Let be a string and an integer. Then outputs a string of length . For all with the string is a prefix of . Define . Then for every polynomial it holds that is a pseudorandom generator with expansion factor .
Stream ciphers • We can easily modify the earlier construction for the encryption scheme for variable output length PRG. • In this case,
Discussion • We use the term • stream cipher forthe PR stream generator, • not the encryption algorithm. • There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.
Discussion • The WEP encryption protocol for 802.11 used RC4 and was broken. • But since then it is fixed---and the standard updated. • If RC4 has to be used the first 1024 bits or so should be discarded.
Discussion • From a security point of view it is advocated to use block cipher constructions for constructing secure encryption schemes. • This disadvantage is that this approach is less efficient when compared to using a dedicated stream cipher.
Definition A private-key encryption scheme =(Gen,Enc,Dec) that has indistinguishable multiple encryptions in the presence of an eavesdropper satisfies: : where the probability is taken over the random coins of , and the experiment.
Indistinguishable single encryptions vs indistinguishable multi encryptions • The secure fixed length encryption Protocol presented earlier is deterministic and cannot be used as a construction for a indistinguishable multi encryptions. • To see why, we use the experiment for the pair of vector messages and
Secure multiple encryptions using a stream cipher • Synchronized mode • Communicating parties use a different part of the stream cipher output to encrypt a message. • Useful for parties communicating in the same session. • Communicating parties must maintain state between encryptions.
Secure multiple encryptions using a stream cipher Unsynchronized mode • Encryptions are carried out independently of one another. • Communicating parties are not required to maintain state between encryptions. where the initial vector is chosen at random.
Security against Chosen-Plaintext Attack (CPA) • We now consider a more powerful adversary that is active. • The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.
Indistinguishable encryptions under CPADefinition A private-key encryption scheme has indistinguishable encryptions under CPA if where the probability is taken over the coins of A and those of the experiment.
CPA security for multiple encryptions • As for single encryption, extend the experiment to in which the adversary outputs a pair of vectors of plaintext. • Any private-key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA