Cryptography

Cryptography Lecture 5

Pseudorandom generators(PRGs) • Let G be an efficient, deterministic algorithm that expands a short seedinto a longer output • Specifically, let |G(x)| = p(|x|) • G is a PRG if: when the distribution of x is uniform, the distribution of G(x) is “indistinguishable from uniform” • Useful whenever you have a “small” number of true random bits, and want lots of “random-looking” bits • Note that G(x) is very far from uniform

PRGs • I.e., for all efficient distinguishers A, there is a negligible function  such that| Prx Un[A(G(x))=1] - Pry Up(n)[A(y)=1] | ≤ (n) • I.e., no efficient A can distinguish whether it is given G(x) (for uniform x) or a uniform string y!

Example (insecure PRG) • Let G(x) = 0….0 • Distinguisher? • Analysis?

Example (insecure PRG) • Let G(x) = x | OR(bits of x) • Distinguisher? • Analysis?

Stream ciphers • As defined, PRGs are limited • They have fixed-length output • They produce the entire output in “one shot” • In practice, PRGs are based on stream ciphers • Can be viewed as producing an “unbounded” stream of pseudorandom bits, on demand • More flexible, more efficient • See book for details; will revisit later

Do PRGs/stream ciphers exist? • We don’t know… • Would imply P  NP • We will assume certain algorithms are PRGs • Recall the 3 principles of modern crypto… • This is what is done in practice • We will return to this later in the course • Can construct PRGs from weaker assumptions • For details, see Chapter 7

Where things stand • We saw that there are some inherent limitations if we want perfect secrecy • In particular, key must be as long as the message • We defined computational secrecy, a relaxed notion of security • Can we overcome prior limitations?

Recall: one-time pad pbits key pbits pbits  message ciphertext

“Pseudo” one-time pad n bits key pbits G “pseudo” key pbits pbits  message ciphertext

Pseudo one-time pad • Let G be a deterministic algorithm, with |G(k)| = p(|k|) • Gen(1n): output uniform n-bit key k • Security parameter n  message space {0,1}p(n) • Enck(m): output G(k)  m • Deck(c): output G(k)  c • Correctness is obvious…

Security of pseudo-OTP? • Would like to be able to prove security • Based on the assumption that G is a PRG

Definitions, proofs, and assumptions • We’ve defined computational secrecy • Our goal is to prove that the pseudo OTP meets that definition • We are unable to prove this unconditionally • Beyond our current techniques… • Anyway, security clearly depends on G • Can hope to prove security basedon the assumption that G is a pseudorandom generator

D PRGs, revisited k Un • Let G be an efficient, deterministic function with |G(k)| = p(|k|) y  Up(n) G y b For any efficient D, the probabilities that Doutputs 1 in each case must be close

Proof by reduction • Assume G is a pseudorandom generator • Assume toward a contradiction that there is an efficient attacker A who “breaks” the pseudo-OTP scheme (as per the definition) • Use A as a subroutine to build an efficient D that “breaks” pseudorandomness of G • By assumption, no such D exists!  No such A can exist

Alternately… • Assume G is a pseudorandom generator • Fix some arbitrary, efficient A attacking the pseudo-OTP scheme • Use A as a subroutine to build an efficient D attacking G • Relate the distinguishing probability of D to the success probability of A • By assumption, the distinguishing probability of D must be negligible  Bound the success probability of A

Security theorem • If G is a pseudorandom generator, then the pseudo one-time pad Π is EAV-secure (i.e., computationally indistinguishable)

m0, m1 b’ mb c D The reduction y b←{0,1} A if (b=b’)output 1

Analysis • If A runs in polynomial time, then so does D

Analysis • Let µ(n) = Pr[PrivKA,Π(n) = 1] • Claim: if distribution of y is pseudorandom, then the view of A is exactly as in PrivKA,Π(n)  Prx← Un[D(G(x))=1] = µ(n)

m0, m1 b’ The reduction k Un y G b←{0,1} mb -Enc c A if (b=b’)output 1 D

Analysis • Let µ(n) = Pr[PrivKA,Π(n) = 1] • If distribution of y is pseudorandom, then the view of A is exactly as in PrivKA,Π(n)  Prx← Un[D(G(x))=1] = µ(n) • If distribution of y is uniform, then A succeeds with probability exactly ½  Pry ← Up(n)[D(y)=1] = ½

m0, m1 b’ The reduction y  Up(n) y b←{0,1} mb OTP-Enc c A if (b=b’)output 1 D

Analysis • Let µ(n) = Pr[PrivKA,Π(n) = 1] • If distribution of y is pseudorandom, then the view of A is exactly as in PrivKA,Π(n)  Prx← Un[D(G(x))=1] = µ(n) • If distribution of y is uniform, then A succeeds with probability exactly ½  Pry ← Up(n)[D(y)=1] = ½ • Since G is pseudorandom: | µ(n) – ½ | ≤ negl(n) • Pr[PrivKA,Π(n) = 1] ≤ ½ + negl(n)

Stepping back… • Proof that the pseudo OTP is secure… • We have a provably secure scheme, rather than a heuristic construction!

Stepping back… • Proof that the pseudo OTP is secure… • …with some caveats • Assuming G is a pseudorandom generator • Relative to our definition • The only way the scheme can be broken is: • If a weakness is found in G • If the definition isn’t sufficiently strong…

Have we gained anything? • YES: the pseudo-OTP has a key shorter than the message • n bits vs. p(n) bits • The fact that the parties internally generate a p(n)-bit temporary string to encrypt/decrypt is irrelevant • The key is what the parties share in advance • In real-world implementation, could avoid storing entire p(n)-bit temporary value

Recall… • Perfect secrecy has two limitations/drawbacks • Key as long as the message • Key can only be used once • We have seen how to circumvent the first • The pseudo OTP still has the second limitation(for the same reason as the OTP) • How can we circumvent the second?

But first… • Develop an appropriate security definition • Recall that security definitions have two parts • Security goal • Threat model • We will keep the security goal the same, but strengthen the threat model

Single-message secrecy c k k m cEnck(m)

Multiple-message secrecy c1, …, ct k k m1, …, mt c1Enck(m1)…ctEnck(mt)

A formal definition • Fix , A • Define a randomized exp’tPrivKmultA,(n): • A(1n) outputs two vectors (m0,1, …, m0,t) and(m1,1, …, m1,t) • Required that |m0,i| = |m1,i| for all i • k  Gen(1n), b  {0,1}, for all i: ci  Enck(mb,i) • b’  A(c1, …, ct); A succeeds if b = b’, and experiment evaluates to 1 in this case

A formal definition •  is multiple-messageindistinguishable if for all PPT attackers A, there is a negligible function  such that Pr[PrivKmultA,(n) = 1] ≤ ½ + (n) • Exercise: show that the pseudo-OTP is not multiple-message indistinguishable

Multiple-message secrecy • No deterministic, stateless encryption scheme is multiple-message indistinguishable • Proof?

Multiple-message secrecy • We are not going to work with multiple-message secrecy • Instead, define something stronger: security against chosen-plaintext attacks (CPA-security) • Nowadays, this is the minimal notion of security an encryption scheme should satisfy

CPA-security c c2 c1 k k m cEnck(m) m2 m1 c1Enck(m1) c2Enck(m2)

Is the threat model too strong? • In practice, there are many ways an attacker can influence what gets encrypted • Not clear how best to model • Chosen-plaintext attacks encompass any such influence • Moreover, in some cases an attacker may have significant control over what gets encrypted

Cryptography

Cryptography

Presentation Transcript

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

CRYPTOGRAPHY

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography

Cryptography