360 likes | 559 Views
CIS 5371 Cryptography. 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography. A Computational Approach to Cryptography.
E N D
CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness Based on: Jonathan Katz and Yehuda LindellIntroduction to Modern Cryptography
A Computational Approach to Cryptography • The principal of Kerchoffs essentially says that it is not necessary to use a perfectly-secret encryption scheme, but instead it suffices to use a scheme that cannot be broken in reasonable time with any reasonable probability of success.
A Computational Approach to Cryptography • That is, it suffices to use an encryption scheme that • can be broken in theory • but that cannot be broken in practice with probability better than 1030 in 200 years using the fastest available supercomputer.
A Computational Approach • Security is only preserved against efficient adversaries • Adversaries can potentially succeed with some very small probability (small enough so that we are not concerned that it will ever really happen)
The asymptotic approach –an example The effect that availability of faster computers might have on security in practice • Say we have a cryptographic scheme where honest parties are required to run for cycles and for which an adversary is running for cycles can succeed in breaking the scheme with probability .
The asymptotic approach –an example • The asymptotic approach has the advantage of not depending on any specific assumptions regarding, e.g., the type of computer an adversary will use.
Efficient Algorithms Generating randomness There are a number of ways random bits are obtained in practice. • One solution is to use a hardware random number generator that generates random bit-streams based on certain physical phenomena like thermal/electrical noise or radioactive decay. • Another possibility is to use software random number generators which generate random bit-streams based on unpredictable behavior such as the time between key-strokes, movement of the mouse, hard disk access times, and so on.
Efficient Algorithms Generating randomness • Some modern operating systems provide functions of this sort. Note that, in either of these cases, the underlying unpredictable event is unlikely to directly yield uniformly-distributed bits, and so further processing of the initial bit-stream is needed. • Techniques for doing this are complex and poorly understood.
Efficient Algorithms Generating randomness • One must careful in how random bits are chosen, and the use of badly designedor inappropriate random number generators can often leave a good cryptosystem vulnerable to attack. • Particular care must be taken to use a random number generator that is designed for cryptographic use, rather than a general-purpose random number generator which may be fine for some applications but not cryptographic ones
Proofs by Reduction Strategy • Assume that some low-level problem is hard to solve. • Then prove that the construction in question is secure given this assumption.
Proofs by Reduction The proof that a given construction is secure as long as some underlying problem is hard generally proceeds by presenting • an explicit reduction showing how to convert any efficient adversary Athat succeeds in breaking the construction with non-negligible probability • into an efficient algorithm A’ succeeds in solving the problem that was assumed to be hard.
Proofs by Reduction Instance of Solution to x Break
Computationally Secure Encryption Equivalent version: -
Computationally Secure Encryption = and is chosen uniformly at random from .
Theorem Let (Gen,Enc,Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then PPT adversary A, , there exists a negligible function : where is chosen randomly from, and the probability are taken over the random coins of A, the choice of and and any random coins used in the encryption process. * is the i-th bit of m =
Proof of Theorem We shall reduce the “indistinguishabilityof the bits of encrypted messages” to the “indistinguishabilityof the encryptions of the messages” in the presence of an eavesdropper.
Security reduction: converting an adversary A to an adversary A Algorithm A (low level reference problem X) Adversary A Protocol , being analyzed SupposeA succeeds in solving with advantage The reduction showsthat A succeeds in solving x with advantage at least
Proof, in detail • Let the advantage of Abe • . • Let , and let • be the set of strings of length whose -th bit is 0 and • be the set of strings of length whose -th bit is 1. • The adversary selects the plaintext messages • and , and gives these to .
Proof, in detail Then + Since the encryption scheme has indistinguishable encryptions is negligible
Proof of theorem– by reduction Algorithm A’(message distinguisher) Adversary A (i-th bit distinguisher) Suppose A succeeds with advantage in distinguishing the i-th bit of encrypted messages prediction of the value of the i-th bit prediction of the message
Semantic Security Theorem.Let (Gen,Enc,Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then, such that, polynomial-time computable functions and sampleable sets there is a negligible function neglsuch that: | where is chosen randomly from , and the probabilities are the choices of , the random coins of and the encryption process.
Semantic Security: Definition A private-key encryption scheme(Gen,Enc,Dec) is semantically secure in the presence of an eavesdropper if PPT algorithms PPT such that, efficiently sampleable distributions and all polynomial-time computable functionsthere is a negligible functionneglsuch that: | negl where is chosen according to the distribution , and the probabilities are taken over the choices of , the random coins of and the encryption process.
Semantic Security: Theorem A private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if and only if, it is semantically secure in the presence of an eavesdropper.