
Lecture 3

Perfect secrecy (formal)

• Encryption scheme (Gen, Enc, Dec) with message
space M and ciphertext space C is perfectly secret if
for every distribution over M, every m ∈ M, and
every c ∈ C with Pr[C = c] > 0, it holds that

Pr[M = m | C = c] = Pr[M = m].

• I.e., the distribution of M does not change, even
conditioned on observing the ciphertext
One-time pad (OTP)
• Let M = {0,1}^n
• Gen: choose a uniform key k ∈ {0,1}^n
• Enc_k(m) = k ⊕ m
• Dec_k(c) = k ⊕ c
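As a concrete sketch (not from the lecture), the scheme can be written in a few lines of Python, using bytes rather than bits for convenience:

```python
import secrets

def gen(n: int) -> bytes:
    # Gen: choose a uniform n-byte key
    return secrets.token_bytes(n)

def enc(k: bytes, m: bytes) -> bytes:
    # Enc_k(m) = k XOR m; requires |k| = |m|
    assert len(k) == len(m)
    return bytes(ki ^ mi for ki, mi in zip(k, m))

dec = enc  # Dec is the same operation: k XOR (k XOR m) = m

k = gen(5)
c = enc(k, b"hello")
assert dec(k, c) == b"hello"
```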
Security of OTP
• Theorem: The one-time pad is perfectly secret
(proven last week)
One-time pad
• If we use the one-time pad with k=0…0, then
the ciphertext is the same as the message!
– Isn’t that a problem?
– Maybe we should exclude the all-0 key?
One-time pad
• The one-time pad achieves perfect secrecy!

• One-time pad has historically been used in the


real world
– E.g., “red phone” between DC and Moscow

• Not currently used!


– Why not?
One-time pad
• Several limitations
– The key is as long as the message
– Only secure if each key is used to encrypt a
single message

⇒ Parties must share keys of (total) length equal
to the (total) length of all the messages they
might ever send
Using the same key twice?
• Completely insecure against a known-plaintext
attack!
• Say c1 = k ⊕ m1
  c2 = k ⊕ m2
and the attacker knows m1
• Attacker can compute k := c1 ⊕ m1
• Attacker can compute m2 := c2 ⊕ k
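The key-recovery attack above can be checked directly; a minimal sketch (the plaintexts are hypothetical examples):

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

k = secrets.token_bytes(6)          # same key used twice
m1, m2 = b"attack", b"defend"
c1, c2 = xor(k, m1), xor(k, m2)

# Attacker knows m1: recover k, then m2
recovered_k = xor(c1, m1)
assert recovered_k == k
assert xor(c2, recovered_k) == m2
```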
Using the same key twice?
• Say c1 = k ⊕ m1
  c2 = k ⊕ m2

• Attacker can compute
c1 ⊕ c2 = (k ⊕ m1) ⊕ (k ⊕ m2) = m1 ⊕ m2

• This leaks information about m1, m2!


Using the same key twice?
• m1 ⊕ m2 is information about m1, m2

• Is this significant?
– No longer perfectly secret!
– m1 ⊕ m2 reveals where m1, m2 differ
– Frequency analysis
– Exploiting characteristics of ASCII…
• Letters all begin with 01…
• The space character begins with 00…
• XOR of two letters gives 00…
• XOR of letter and space gives 01…
• Easy to identify XOR of letter and space!
Source: http://benborowiec.com/2011/07/23/better-ascii-table/
In pictures

[Diagram: two ASCII plaintext streams XORed byte by byte. Bytes of the
XOR beginning 00… come from two letters; bytes beginning 01… come from
a letter and a space. E.g., 01010000 = 00100000 ⊕ ‘p’, so a space in one
message reveals the letter at that position in the other.]
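A minimal sketch of this observation (the plaintexts below are hypothetical examples, not from the lecture):

```python
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

m1 = b"hello world"
m2 = b"attack at x"    # hypothetical plaintexts of equal length
d = xor(m1, m2)        # what the attacker computes as c1 XOR c2

for i, byte in enumerate(d):
    if byte == 0:
        print(i, "same character in both messages")
    elif byte & 0b11000000 == 0b01000000:
        # top bits 01: likely a letter XORed with a space,
        # and byte ^ 0x20 is that letter
        print(i, "letter/space:", chr(byte ^ 0x20))
```

Positions where one message has a space leak the other message's letter outright; that is already far more than perfect secrecy allows.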
One-time pad
• Drawbacks
– Key as long as the message
– Only secure if each key is used to encrypt once
– Trivially broken by a known-plaintext attack

• All these limitations are inherent for schemes
achieving perfect secrecy
– I.e., it’s not just a problem with the OTP
Optimality of the one-time pad
• Theorem: if (Gen, Enc, Dec) with message
space M is perfectly secret, then |K| ≥ |M|
• Intuition:
– Given any ciphertext, try decrypting under every
possible key in K
– This gives a list of up to |K| possible messages
– If |K| < |M|, some message is not on the list
Optimality of the one-time pad
• Theorem: if (Gen, Enc, Dec) with message
space M is perfectly secret, then |K| ≥ |M|.
• Proof:
– Assume |K| < |M|
– Need to show that there is a distribution on M,
a message m, and a ciphertext c such that
Pr[M=m | C=c] ≠ Pr[M=m]
Optimality of the one-time pad
• Proof, continued
– Take the uniform distribution on M
– Take any ciphertext c
– Consider the set M(c) = { Dec_k(c) }_{k ∈ K}
• These are the only possible messages that could yield
the ciphertext c
– |M(c)| ≤ |K| < |M|, so there is some m that is
not in M(c)
• Pr[M=m | C=c] = 0 ≠ Pr[M=m]
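A toy illustration of the proof, using a hypothetical scheme with a 1-bit key and 2-bit messages (XOR the key bit into every message bit):

```python
from itertools import product

K = [0, 1]                                          # toy key space, |K| = 2
M = ["".join(p) for p in product("01", repeat=2)]   # |M| = 4

def enc(k, m):
    # hypothetical toy scheme: XOR each message bit with the key bit
    return "".join(str(int(b) ^ k) for b in m)

def dec(k, c):
    return enc(k, c)                # XOR is its own inverse

c = "01"                            # any fixed ciphertext
M_c = {dec(k, c) for k in K}        # messages that could yield c
assert len(M_c) <= len(K) < len(M)
missing = set(M) - M_c
assert missing                      # some m has Pr[M=m | C=c] = 0
```

Here M(c) = {"01", "10"}, so the messages "00" and "11" can never decrypt from c, exactly as the proof requires.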
Where do we stand?
• We defined the notion of perfect secrecy
• We proved that the one-time pad achieves it!
• We proved that the one-time pad is optimal!
– E.g., we cannot improve the key length
• Are we done?

• We can do better by relaxing the definition
– But in a meaningful way…
Perfect secrecy
• Requires that absolutely no information about
the plaintext is leaked, even to eavesdroppers
with unlimited computational power
– The definition has some inherent drawbacks
– The definition seems unnecessarily strong…
Computational secrecy
• Would be ok if a scheme leaked information
with tiny probability to eavesdroppers with
bounded computing resources/running time
• I.e., we can relax perfect secrecy by
– Allowing security to “fail” with tiny probability
– Restricting attention to “efficient” attackers
Tiny probability of failure?
• Say security fails with probability 2^-60
– Should we be concerned about this?
– With probability > 2^-60, the sender and receiver
will both be struck by lightning in the next year…
– Something that occurs with probability 2^-60/sec is
expected to occur once every 100 billion years
Bounded attackers?
• Consider brute-force search of key space;
assume one key can be tested per clock cycle
• Desktop computer ≈ 2^57 keys/year
• Supercomputer ≈ 10^17 flops ≈ 2^80 keys/year
• Supercomputer since Big Bang ≈ 2^112 keys
– Restricting attention to attackers limited to trying
2^112 keys is fine!

• Modern key spaces: 2^128 keys or more…


Roadmap
• We will give an alternate (but equivalent)
definition of perfect secrecy
– Using a randomized experiment
• That definition has a natural relaxation
Perfect indistinguishability
• Π = (Gen, Enc, Dec), message space M
• Informally:
– Two messages m0, m1; one is chosen and
encrypted (using unknown k) to give c ← Enc_k(m_b)
– Adversary A is given c and tries to determine
which message was encrypted
– Π is perfectly indistinguishable if no A can guess
correctly with probability any better than ½
Perfect indistinguishability
• Let Π = (Gen, Enc, Dec) be an encryption
scheme with message space M, and let A be
an adversary
• Define a randomized exp’t PrivK_{A,Π}:
1. A outputs m0, m1 ∈ M
2. k ← Gen, b ← {0,1}, c ← Enc_k(m_b)
3. b’ ← A(c)   (c is the challenge ciphertext)
Adversary A succeeds if b = b’, and we say the
experiment evaluates to 1 in this case
Perfect indistinguishability
• Easy to succeed with probability ½ …

• Scheme Π is perfectly indistinguishable if for
all attackers (algorithms) A, it holds that
Pr[PrivK_{A,Π} = 1] = ½
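The experiment can be simulated; a sketch for the one-time pad, with an arbitrary guessing rule standing in for A (for the OTP, any rule succeeds with probability exactly ½):

```python
import secrets

def privk_trial(attacker) -> bool:
    m0, m1 = b"\x00", b"\xff"           # adversary's two messages
    b = secrets.randbelow(2)
    k = secrets.token_bytes(1)          # one-time-pad key
    c = bytes([k[0] ^ (m0, m1)[b][0]])  # challenge ciphertext
    return attacker(c) == b             # success iff b' = b

def attacker(c: bytes) -> int:
    # an arbitrary guessing rule; c is uniform and independent of b,
    # so any function of c matches b with probability 1/2
    return c[0] & 1

trials = 20000
wins = sum(privk_trial(attacker) for _ in range(trials))
print(wins / trials)   # empirically close to 0.5
```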
Perfect indistinguishability
• Claim: Π is perfectly indistinguishable if and
only if Π is perfectly secret
– I.e., perfect indistinguishability is just an alternate
definition of perfect secrecy
Computational secrecy?
• Idea: relax perfect indistinguishability

• Two approaches
– Concrete security
– Asymptotic security
Computational indistinguishability
(concrete)
• (t, ε)-indistinguishability:
– Security may fail with probability ≤ ε
– Restrict attention to attackers running in time ≤ t
• Or, t CPU cycles
Computational indistinguishability
(concrete version)

• Π is (t, ε)-indistinguishable if for all attackers A
running in time at most t, it holds that
Pr[PrivK_{A,Π} = 1] ≤ ½ + ε

• Note: (∞, 0)-indistinguishability = perfect
indistinguishability
– Relax definition by taking t < ∞ and ε > 0
Concrete security
• Parameters t, ε are what we ultimately care
about in the real world

• Does not lead to a clean theory...
– Sensitive to exact computational model
– Π can be (t, ε)-secure for many choices of t, ε
• Would like to have schemes where users can
adjust the achieved security as desired
Asymptotic security
• Introduce security parameter n
– For now, think of n as the key length
– Chosen by honest parties when they generate
and/or share the key
• Allows users to tailor the security level
– Known by adversary

• Measure running times of all parties, and the


success probability of the adversary, as
functions of n
Computational indistinguishability
(asymptotic)
• Computational indistinguishability:
– Security may fail with probability negligible in n
– Restrict attention to attackers running in time
polynomial in n
Definitions
• A function f: ℤ⁺ → ℤ⁺ is polynomial if there
exists c such that f(n) < n^c for all large enough n

• A function f: ℤ⁺ → [0,1] is negligible if for
every polynomial p it holds that f(n) < 1/p(n)
for large enough n
– I.e., decays faster than any inverse polynomial
– Typical example: f(n) = poly(n)·2^-cn
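A quick numeric illustration (the specific choices f(n) = n^10·2^-n and p(n) = n^2 are arbitrary examples):

```python
# f(n) = n^10 * 2^-n eventually drops below 1/p(n) for ANY polynomial p;
# here we compare it against 1/n^2 for growing n
for n in [10, 50, 100, 200]:
    f = n**10 * 2.0**-n
    print(n, f, f < 1 / n**2)
```

For small n the function is huge, but once n is large enough the exponential decay dominates every polynomial factor; that is exactly the "for large enough n" in the definition.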
(Re)defining encryption
• A private-key encryption scheme is defined by
three PPT algorithms (Gen, Enc, Dec):
– Gen: takes as input 1^n; outputs k. (Assume |k| ≥ n.)
– Enc: takes as input a key k and message m ∈ {0,1}*;
outputs ciphertext c ← Enc_k(m)
– Dec: takes key k and ciphertext c as input; outputs
a message m or “error”
Computational indistinguishability
(asymptotic version)

• Fix a scheme Π and some adversary A

• Define a randomized exp’t PrivK_{A,Π}(n):
1. A(1^n) outputs m0, m1 ∈ {0,1}* of equal length
2. k ← Gen(1^n), b ← {0,1}, c ← Enc_k(m_b)
3. b’ ← A(c)
Adversary A succeeds if b = b’, and we say the
experiment evaluates to 1 in this case
Computational indistinguishability
(asymptotic version)
• Π is computationally indistinguishable (aka
EAV-secure) if for all PPT attackers A, there is a
negligible function ε such that

Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + ε(n)
Encryption and plaintext length
• In practice, we want encryption schemes that can
encrypt arbitrary-length messages
• Encryption does not hide the plaintext length (in
general)
– The definition takes this into account by requiring m0,
m1 to have the same length
• But beware that leaking plaintext length can
often lead to problems in the real world!
– Obvious examples…
– Database searches
– Encrypting compressed data
Example 1
• Consider a scheme where Gen(1^n) generates a
uniform n-bit key, and the best attack is brute-
force search of the key space
– So if A runs in time t(n), then
Pr[PrivK_{A,Π}(n) = 1] < ½ + O(t(n)/2^n)

• This scheme is EAV-secure!
– For any polynomial t, the function t(n)/2^n is
negligible
Example 2
• Consider a scheme and a particular attacker A
that runs for n^3 minutes and “breaks the
scheme” with probability 2^40·2^-n
– This does not contradict asymptotic security
– What about real-world security (against this
particular attacker)?
• n=40: A breaks scheme with prob. 1 in 6 weeks
• n=50: A breaks scheme with prob. 1/1000 in 3 months
• n=500: A breaks scheme with prob. 2^-460 in 200 years
Example 3
• What happens when computers get faster?
• E.g., consider a scheme that takes n^2 steps to
run but 2^n steps to break with prob. 1
• What if computers get 4× faster?
– Honest users double n but can maintain the same
running time
– Number of steps needed to break the scheme is
squared!
• Time required to break the scheme increases
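The arithmetic can be checked directly (n = 64 is an arbitrary example):

```python
n = 64
run_cost = n**2            # honest users' work
break_cost = 2**n          # attacker's work

# computers get 4x faster: honest users double n, same wall-clock time
n2 = 2 * n
assert (n2**2) / 4 == n**2        # honest users: same time as before
assert 2**n2 == (2**n) ** 2       # attacker's step count is squared
```

So a speedup that helps the attacker linearly helps the honest users far more: the security gap widens as hardware improves.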
Computational secrecy
• From now on, we will assume the computational
setting by default
– Usually, the asymptotic setting
Lecture 4
Pseudorandomness
Pseudorandomness
• Important building block for computationally
secure encryption

• Important concept in cryptography


What does “random” mean?
• What does “uniform” mean?
• Which of the following is a uniform string?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• If we generate a uniform 16-bit string, each of
the above occurs with probability 2^-16
What does “uniform” mean?
• “Uniformity” is not a property of a string, but
a property of a distribution

• A distribution on n-bit strings is a function
D: {0,1}^n → [0,1] such that Σ_x D(x) = 1
– The uniform distribution on n-bit strings, denoted
U_n, assigns probability 2^-n to every x ∈ {0,1}^n
What does “pseudorandom” mean?
• Informal: cannot be distinguished from
uniform (i.e., random)
• Which of the following is pseudorandom?
– 0101010101010101
– 0010111011100110
– 0000000000000000
• Pseudorandomness is a property of a
distribution, not a string
Pseudorandomness (take 1)
• Fix some distribution D on n-bit strings
– x ← D means “sample x according to D”
• Historically, D was considered pseudorandom
if it “passed a bunch of statistical tests”
– Pr_{x ← D}[1st bit of x is 1] ≈ ½
– Pr_{x ← D}[parity of x is 1] ≈ ½
– Pr_{x ← D}[Test_i(x)=1] ≈ Pr_{x ← U_n}[Test_i(x)=1] for i = 1, …
Pseudorandomness (take 2)
• This is not sufficient in an adversarial setting!
– Who knows what statistical test(s) an attacker
will use?

• Cryptographic def’n of pseudorandomness:


– D is pseudorandom if it passes all efficient
statistical tests
Pseudorandomness (concrete)
• Let D be a distribution on p-bit strings

• D is (t, ε)-pseudorandom if for all A running in
time at most t,
| Pr_{x ← D}[A(x)=1] − Pr_{x ← U_p}[A(x)=1] | ≤ ε
Pseudorandomness (asymptotic)
• Security parameter n, polynomial p

• Let D_n be a distribution over p(n)-bit strings

• Pseudorandomness is a property of a
sequence of distributions {D_n} = {D_1, D_2, … }
Pseudorandomness (asymptotic)
• {D_n} is pseudorandom if for all probabilistic,
polynomial-time distinguishers A, there is a
negligible function ε such that

| Pr_{x ← D_n}[A(x)=1] − Pr_{x ← U_{p(n)}}[A(x)=1] | ≤ ε(n)

Pseudorandom generators (PRGs)
• A PRG is an efficient, deterministic algorithm
that expands a short, uniform seed into a
longer, pseudorandom output
– Useful whenever you have a “small” number of
true random bits, and want lots of “random-
looking” bits
• Note: we assume the ability to generate
uniform bits, but doing so is “expensive”
PRGs
• Let G be a deterministic, poly-time algorithm
that is expanding, i.e., |G(x)| = p(|x|) > |x|

[Diagram: a short seed x is fed into G, producing a longer output G(x)]

PRGs
• Let G be a deterministic, poly-time algorithm
that is expanding, i.e., |G(x)| = p(|x|) > |x|
• G defines a sequence of distributions!
– D_n = the distribution on p(n)-bit strings defined by
choosing x ← U_n and outputting G(x)
– Pr_{D_n}[y] = Pr_{x ← U_n}[G(x) = y] = Σ_{x : G(x)=y} Pr_{x ← U_n}[x]
= Σ_{x : G(x)=y} 2^-n
= |{x : G(x)=y}| / 2^n
– Note that most y occur with probability 0
• I.e., D_n is far from uniform
PRGs
• G is a PRG iff {D_n} is pseudorandom

• I.e., for all efficient distinguishers A, there is a
negligible function ε such that
| Pr_{x ← U_n}[A(G(x))=1] − Pr_{y ← U_{p(n)}}[A(y)=1] | ≤ ε(n)

• I.e., no efficient A can distinguish whether it is
given G(x) (for uniform x) or a uniform string y!
Example (insecure PRG)
• Let G(x) = 0….0
– Distinguisher?
– Analysis?
Example (insecure PRG)
• Let G(x) = x ‖ OR(bits of x)
– Distinguisher?
– Analysis?
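A sketch of a distinguisher for the second generator (the output length and trial count are arbitrary choices); the same idea with the test "is y all zeros?" breaks the first:

```python
import secrets

p = 32  # output length in bits, so the seed has p - 1 bits

def G_or(x: str) -> str:
    # G(x) = x || OR(bits of x)
    return x + ("1" if "1" in x else "0")

def D(y: str) -> int:
    # distinguisher: output 1 iff the last bit equals OR of the rest,
    # which always holds for G_or but only ~1/2 the time for uniform y
    return 1 if y[-1] == ("1" if "1" in y[:-1] else "0") else 0

def rand_bits(k: int) -> str:
    return "".join(str(secrets.randbelow(2)) for _ in range(k))

trials = 5000
pr_G = sum(D(G_or(rand_bits(p - 1))) for _ in range(trials)) / trials
pr_U = sum(D(rand_bits(p)) for _ in range(trials)) / trials
print(pr_G, pr_U)   # gap close to 1/2, so G_or is not a PRG
```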
PRGs
• G is a PRG if for all efficient distinguishers A,
there is a negligible function ε such that
| Pr_{x ← U_n}[A(G(x))=1] − Pr_{y ← U_{p(n)}}[A(y)=1] | ≤ ε(n)

• I.e., no efficient A can distinguish whether it is
given G(x) (for uniform x) or a uniform string y
Do PRGs exist?
• We don’t know…
– Would imply P ≠ NP
• We will assume PRGs exist
– Recall the 3 principles of modern crypto…
• In practice, we have several algorithms
believed to be PRGs & we can construct PRGs
from weaker assumptions
– See the Katz & Lindell book (Chapters 7-8)
Where things stand
• We saw that there are some inherent
limitations if we want perfect secrecy
– In particular, key must be as long as the message

• We defined computational secrecy, a


relaxed notion of security

• Does that definition allow us to overcome


prior limitations?
Recall: one-time pad

[Diagram: a p-bit key is XORed with a p-bit message to give a p-bit
ciphertext]

“Pseudo” one-time pad

[Diagram: an n-bit key is expanded by G into a p-bit “pseudo” key, which
is XORed with the p-bit message to give the p-bit ciphertext]
Pseudo one-time pad
• Let G be a deterministic algorithm, with
|G(k)| = p(|k|)
• Gen(1^n): output uniform n-bit key k
– Security parameter n ⇒ message space {0,1}^{p(n)}
• Enc_k(m): output G(k) ⊕ m
• Dec_k(c): output G(k) ⊕ c

• Correctness follows as in the OTP…
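A minimal sketch of the scheme; SHAKE-256 is used here only as a stand-in for the PRG G (an assumption, since the lecture leaves G abstract — any PRG would do):

```python
import hashlib
import secrets

def G(k: bytes, p: int) -> bytes:
    # stand-in PRG: expand the n-byte seed k to p bytes with SHAKE-256
    return hashlib.shake_256(k).digest(p)

def gen(n: int) -> bytes:
    return secrets.token_bytes(n)    # uniform n-byte key

def enc(k: bytes, m: bytes) -> bytes:
    pad = G(k, len(m))               # "pseudo" key of message length
    return bytes(a ^ b for a, b in zip(pad, m))

dec = enc                            # XOR with the same pad inverts

k = gen(16)                          # short key, longer message
c = enc(k, b"a message much longer than the key")
assert dec(k, c) == b"a message much longer than the key"
```

Note the key the parties share is only 16 bytes; the p-byte pad is recomputed from it on each call and never stored.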


Have we gained anything?
• YES: the pseudo-OTP has a key shorter than
the message
– n bits vs. p(n) bits
• The fact that the parties internally generate a
p(n)-bit temporary string to encrypt/decrypt is
irrelevant
– The key is what the parties share in advance
– Parties do not store the p(n)-bit temporary value
Security of pseudo-OTP?
• Would like to be able to prove security
– Based on the assumption that G is a PRG
Definitions, proofs, and assumptions
• We’ve defined computational secrecy
• Our goal is to prove that the pseudo-OTP
meets that definition
• We cannot prove this unconditionally
– Beyond our current techniques…
– Anyway, security clearly depends on G
• Can prove security based on the assumption
that G is a pseudorandom generator
PRGs, revisited
• Let G be an efficient, deterministic function
with |G(k)| = p(|k|)

[Diagram: D receives y, which is either G(k) for k ← U_n or a uniform
y ← U_{p(n)}, and outputs a bit b]

For any efficient D, the probabilities that D outputs 1
in each case must be “close”
Proof by reduction
1. Assume G is a pseudorandom generator
2. Assume toward a contradiction that there is
an efficient attacker A who “breaks” the
pseudo-OTP scheme (as per the definition)
3. Use A as a subroutine to build an efficient D
that “breaks” pseudorandomness of G
– By assumption, no such D exists!
⇒ No such A can exist
Alternately…
1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the
pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D
attacking G
– Relate the distinguishing gap of D to the success
probability of A
4. By assumption, the distinguishing gap of D must
be negligible
⇒ Use this to bound the success probability of A
Security theorem
• If G is a pseudorandom generator, then the
pseudo one-time pad Π is EAV-secure (i.e.,
computationally indistinguishable)
The reduction

[Diagram: D receives a string y. It runs A to get m0, m1, picks
b ← {0,1}, and returns the ciphertext c = y ⊕ m_b to A. When A outputs
b’, D outputs 1 iff b = b’]
Analysis
• If A runs in polynomial time, then so does D
Analysis
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• Claim: when y = G(x) for uniform x, then the
view of A is exactly as in PrivK_{A,Π}(n)
⇒ Pr_{x ← U_n}[D(G(x))=1] = µ(n)
The reduction

[Diagram: here y = G(k) for k ← U_n, so c = G(k) ⊕ m_b is exactly a
pseudo-OTP encryption of m_b, and A’s view matches PrivK_{A,Π}(n)]
Analysis
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• If y = G(x) for uniform x, then the view of A is
exactly as in PrivK_{A,Π}(n)
⇒ Pr_{x ← U_n}[D(G(x))=1] = µ(n)
• If distribution of y is uniform, then A succeeds
with probability exactly ½
⇒ Pr_{y ← U_{p(n)}}[D(y)=1] = ½
The reduction

[Diagram: here y ← U_{p(n)} is uniform, so c = y ⊕ m_b is a one-time-pad
encryption of m_b, and A succeeds with probability exactly ½]
Analysis
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• If y = G(x) for uniform x, then the view of A is
exactly as in PrivK_{A,Π}(n)
⇒ Pr_{x ← U_n}[D(G(x))=1] = µ(n)
• If distribution of y is uniform, then A succeeds
with probability exactly ½
⇒ Pr_{y ← U_{p(n)}}[D(y)=1] = ½
• Since G is pseudorandom:
| µ(n) – ½ | ≤ negl(n)
⇒ Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + negl(n)
Stepping back…
• Proof that the pseudo-OTP is secure…
– We have a provably secure scheme, rather than
just a heuristic construction!
Stepping back…
• Proof that the pseudo-OTP is secure…
• …with some caveats
– Assumes G is a pseudorandom generator
– Security is relative to our definition

• The only ways the scheme can be broken are:


– If a weakness is found in G
– If the definition isn’t sufficiently strong…
Recall…
• Perfect secrecy has two limitations/drawbacks
– Key as long as the message
– Key can only be used once

• We have seen how to circumvent the first


• Does the pseudo-OTP have the second
limitation?

• How can we circumvent the second?


But first…
• Develop an appropriate security definition

• Recall that security definitions have two parts


– Security goal
– Threat model

• We will keep the security goal the same, but


strengthen the threat model
Single-message secrecy

[Diagram: sender and receiver share key k; the sender transmits a single
ciphertext c ← Enc_k(m), observed by the eavesdropper]

Multiple-message secrecy

[Diagram: sender and receiver share key k; the sender transmits
ciphertexts c1 ← Enc_k(m1), …, ct ← Enc_k(mt), all observed by the
eavesdropper]
A formal definition
• Fix Π, A
• Define a randomized exp’t PrivKmult_{A,Π}(n):
1. A(1^n) outputs two vectors (m0,1, …, m0,t) and
(m1,1, …, m1,t)
• Require that |m0,i| = |m1,i| for all i
2. k ← Gen(1^n), b ← {0,1}, for all i: ci ← Enc_k(mb,i)
3. b’ ← A(c1, …, ct); A succeeds if b = b’, and the
experiment evaluates to 1 in this case
A formal definition
• Π is multiple-message indistinguishable if for
all PPT attackers A, there is a negligible
function ε such that

Pr[PrivKmult_{A,Π}(n) = 1] ≤ ½ + ε(n)

• Question: Is the pseudo-OTP multiple-message
indistinguishable?
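One way to probe the question: the pseudo-OTP is deterministic, so encrypting the same message twice under the same key gives the same ciphertext, and an attacker in PrivKmult can detect such repeats. A sketch (again using SHAKE-256 as a hypothetical stand-in for G):

```python
import hashlib
import secrets

def G(k: bytes, p: int) -> bytes:
    return hashlib.shake_256(k).digest(p)   # stand-in PRG

def enc(k: bytes, m: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(G(k, len(m)), m))

# PrivKmult attacker: vector 0 = (m, m), vector 1 = (m, m')
m, m_ = b"aaaa", b"bbbb"
k = secrets.token_bytes(16)
b = secrets.randbelow(2)
pair = (m, m) if b == 0 else (m, m_)
c1, c2 = enc(k, pair[0]), enc(k, pair[1])

b_guess = 0 if c1 == c2 else 1   # repeated ciphertexts reveal b
assert b_guess == b              # attacker succeeds with probability 1
```

This mirrors the two-time-pad problem from earlier in the lecture: the same pad G(k) is reused for every message.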
