2 Crypto
• Is this significant?
– No longer perfectly secret!
– m1 ⊕ m2 reveals where m1, m2 differ
– Frequency analysis
– Exploiting characteristics of ASCII…
• Letters all begin with 01…
• The space character begins with 00…
• XOR of two letters gives 00…
• XOR of letter and space gives 01…
• Easy to identify XOR of letter and space!
Source: http://benborowiec.com/2011/07/23/better-ascii-table/
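An added example (not from the slides) that carries the ASCII observation above through on constructed data: two equal-length messages are encrypted under the same pad, and the XOR of the ciphertexts is classified byte by byte, recovering every letter that sits opposite a space in the other message without ever seeing the pad.

```python
import os

# Constructed sample: two equal-length ASCII messages sent under the SAME pad.
M1 = b"attack at dawn"
M2 = b"we move at six"

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def is_letter(v: int) -> bool:
    return 0x41 <= v <= 0x5A or 0x61 <= v <= 0x7A

def analyse_two_time_pad(c1: bytes, c2: bytes) -> dict:
    """Classify each byte of c1 XOR c2, which equals m1 XOR m2 (the pad cancels).

    Assumes plaintexts consist of letters and spaces, as on the slide:
      0x00                -> the two plaintexts agree at this position
      00xxxxxx (nonzero)  -> two letters (their XOR never reaches 0x40)
      01xxxxxx, a letter  -> one side is a space, the other is that letter
                             with its case bit (0x20) flipped
    """
    diff = xor(c1, c2)
    same, two_letters, letter_space = [], [], {}
    for i, v in enumerate(diff):
        if v == 0:
            same.append(i)
        elif is_letter(v):
            letter_space[i] = chr(v ^ 0x20)   # the non-space plaintext byte
        else:
            two_letters.append(i)
    return {"same": same, "two_letters": two_letters, "letter_space": letter_space}

def verify(result: dict, m1: bytes, m2: bytes) -> bool:
    """Check each recovered letter really is the non-space plaintext byte."""
    for i, ch in result["letter_space"].items():
        pair = {chr(m1[i]), chr(m2[i])}
        if " " not in pair or ch not in pair:
            return False
    return True

def demo() -> dict:
    pad = os.urandom(len(M1))              # a fresh pad ... then reused for M2
    c1, c2 = xor(pad, M1), xor(pad, M2)
    result = analyse_two_time_pad(c1, c2)  # the analysis never uses the pad
    result["verified"] = verify(result, M1, M2)
    return result
```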
In pictures
• Two approaches
– Concrete security
– Asymptotic security
Computational indistinguishability (concrete)
• (t, ε)-indistinguishability:
– Security may fail with probability ≤ ε
– Restrict attention to attackers running in time ≤ t
• Or, t CPU cycles
Computational indistinguishability (concrete version)
$\Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1] \le \tfrac12 + \varepsilon(n)$
Encryption and plaintext length
• In practice, we want encryption schemes that can encrypt arbitrary-length messages
• Encryption does not hide the plaintext length (in general)
– The definition takes this into account by requiring m0, m1 to have the same length
• But beware that leaking plaintext length can often lead to problems in the real world!
– Obvious examples…
– Database searches
– Encrypting compressed data
Example 1
• Consider a scheme where Gen(1^n) generates a uniform n-bit key, and the best attack is brute-force search of the key space
– So if A runs in time t(n), then
$\Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1] < \tfrac12 + O(t(n)/2^n)$
[Figure: a short seed goes into G, a longer output comes out]
PRGs
• Let G be a deterministic, poly-time algorithm that is expanding, i.e., |G(x)| = p(|x|) > |x|
• G defines a sequence of distributions!
– D_n = the distribution on p(n)-bit strings defined by choosing x ← U_n and outputting G(x)
– $\Pr_{D_n}[y] = \Pr_{x \leftarrow U_n}[G(x) = y] = \sum_{x : G(x)=y} \Pr_{x \leftarrow U_n}[x]$
  $= \sum_{x : G(x)=y} 2^{-n}$
  $= |\{x : G(x)=y\}| / 2^n$
– Note that most y occur with probability 0
• I.e., D_n is far from uniform
PRGs
• G is a PRG iff {D_n} is pseudorandom
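An added example (not from the slides) that computes D_n for a toy size by enumerating every seed, checks the identity Pr_{D_n}[y] = |{x : G(x) = y}| / 2^n sums to 1, and quantifies "far from uniform" as the statistical distance from U_{p(n)}; SHAKE256 stands in for the abstract expanding G (an assumption).

```python
import hashlib
from collections import Counter
from fractions import Fraction

def G(x: bytes, out_len: int) -> bytes:
    """Stand-in expanding map (assumption: the slides leave G abstract)."""
    return hashlib.shake_256(x).digest(out_len)

def distribution(n_bits: int = 8, p_bits: int = 16) -> dict:
    """D_n: choose x uniformly from {0,1}^n, output G(x) in {0,1}^p(n).
    Returns {y: Pr_{D_n}[y]} with Pr[y] = |{x : G(x) = y}| / 2^n, obtained
    by enumerating every seed (only feasible for toy n)."""
    counts = Counter(G(x.to_bytes(n_bits // 8, "big"), p_bits // 8)
                     for x in range(2 ** n_bits))
    return {y: Fraction(c, 2 ** n_bits) for y, c in counts.items()}

def stats(n_bits: int = 8, p_bits: int = 16) -> dict:
    """Support size and statistical distance of D_n from uniform U_{p(n)}."""
    d = distribution(n_bits, p_bits)
    u = Fraction(1, 2 ** p_bits)                 # Pr under U_{p(n)} of any y
    support = len(d)                             # y with nonzero mass; <= 2^n
    # SD = 1/2 * sum over all 2^p strings of |D_n(y) - u|; the strings
    # outside the support (probability 0 under D_n) contribute u each.
    sd = (sum(abs(pr - u) for pr in d.values()) + (2 ** p_bits - support) * u) / 2
    return {"total_mass": sum(d.values()), "support": support,
            "strings": 2 ** p_bits, "sd": sd}
```

With n = 8 and p(n) = 16 at most 256 of the 65536 strings carry any mass, so the distance works out to exactly 1 - support/2^16, i.e. above 0.99.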
[Figure: one-time pad. A p-bit key; a p-bit message ⊕ key gives a p-bit ciphertext]
“Pseudo” one-time pad
[Figure: an n-bit key is expanded by G into a p-bit “pseudo” key; a p-bit message ⊕ pseudo key gives a p-bit ciphertext]
Pseudo one-time pad
• Let G be a deterministic algorithm, with |G(k)| = p(|k|)
• Gen(1^n): output uniform n-bit key k
– Security parameter n ⇒ message space {0,1}^{p(n)}
• Enc_k(m): output G(k) ⊕ m
• Dec_k(c): output G(k) ⊕ c
[Figure: distinguisher D is given a string and outputs a bit b]
For any efficient D, the probabilities that D outputs 1 in each case must be “close”
Proof by reduction
1. Assume G is a pseudorandom generator
2. Assume toward a contradiction that there is an efficient attacker A who “breaks” the pseudo-OTP scheme (as per the definition)
3. Use A as a subroutine to build an efficient D that “breaks” pseudorandomness of G
– By assumption, no such D exists!
⇒ No such A can exist
Alternately…
1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D attacking G
– Relate the distinguishing gap of D to the success probability of A
4. By assumption, the distinguishing gap of D must be negligible
⇒ Use this to bound the success probability of A
Security theorem
• If G is a pseudorandom generator, then the pseudo one-time pad Π is EAV-secure (i.e., computationally indistinguishable)
The reduction
[Figure: D is given y and runs A as a subroutine: A outputs m0, m1; D picks b ← {0,1}, computes c = y ⊕ m_b and hands c to A; A outputs b’; D outputs 1 if b = b’]
Analysis
• If A runs in polynomial time, then so does D
• Let $\mu(n) = \Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1]$
• Claim: when y = G(x) for uniform x, the view of A is exactly as in PrivK_{A,Π}(n)
⇒ $\Pr_{x \leftarrow U_n}[D(G(x)) = 1] = \mu(n)$
The reduction
[Figure: the case y = G(k) for k ← U_n. The ciphertext c = G(k) ⊕ m_b that D hands to A is exactly a pseudo-OTP encryption (P-Enc), so A sees the real experiment; D outputs 1 if b = b’]
Analysis
• If the distribution of y is uniform, then A succeeds with probability exactly ½
⇒ $\Pr_{y \leftarrow U_{p(n)}}[D(y) = 1] = \tfrac12$
The reduction
[Figure: the case y ← U_{p(n)}. Now c = y ⊕ m_b is a genuine one-time-pad encryption (OTP-Enc); D outputs 1 if b = b’]
Analysis
• Let $\mu(n) = \Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1]$
• If y = G(x) for uniform x, then the view of A is exactly as in PrivK_{A,Π}(n)
⇒ $\Pr_{x \leftarrow U_n}[D(G(x)) = 1] = \mu(n)$
• If the distribution of y is uniform, then A succeeds with probability exactly ½
⇒ $\Pr_{y \leftarrow U_{p(n)}}[D(y) = 1] = \tfrac12$
• Since G is pseudorandom:
$|\mu(n) - \tfrac12| \le \mathrm{negl}(n)$
⇒ $\Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1] \le \tfrac12 + \mathrm{negl}(n)$
Stepping back…
• Proof that the pseudo-OTP is secure…
– We have a provably secure scheme, rather than just a heuristic construction!
• …with some caveats
– Assumes G is a pseudorandom generator
– Security is relative to our definition
[Figure: single-message setting. Sender and receiver share k; the sender computes c ← Enc_k(m) and transmits c]
Multiple-message secrecy
[Figure: sender and receiver share k; the sender computes c1 ← Enc_k(m1), …, ct ← Enc_k(mt) and transmits c1, …, ct]
A formal definition
• Fix Π, A
• Define a randomized exp’t $\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}(n)$:
1. A(1^n) outputs two vectors $(m_{0,1}, \ldots, m_{0,t})$ and $(m_{1,1}, \ldots, m_{1,t})$
• Require that $|m_{0,i}| = |m_{1,i}|$ for all i
2. k ← Gen(1^n), b ← {0,1}, for all i: $c_i \leftarrow \mathrm{Enc}_k(m_{b,i})$
3. b’ ← A(c1, …, ct); A succeeds if b = b’, and the experiment evaluates to 1 in this case
A formal definition
• Π is multiple-message indistinguishable if for all PPT attackers A, there is a negligible function ε such that
$\Pr[\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}(n) = 1] \le \tfrac12 + \varepsilon(n)$