CIS 5371 Cryptography

3. Private-Key Encryption and Pseudorandomness

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

A Computational Approach to Cryptography

The principal of Kerchoffs essentially says that it is not necessary to use a perfectly-secret encryption scheme, but instead it suffices to use a scheme that cannot be broken in reasonable time with any reasonable probability of success.

A Computational Approach to Cryptography

That is, it suffices to use an encryption scheme that
can be broken in theory but that cannot be broken in practice with probability better than 1030 in 200 years using the fastest available supercomputer.

A Computational Approach
1. Security is only preserved against efficient adversaries 2. Adversaries can potentially succeed with some very small probability

(small enough so that we are not concerned that it will ever really happen)

A concrete approach

.
5

The asymptotic approach

The asymptotic approach

The asymptotic approach

The asymptotic approach an example

The effect that availability of faster computers might have on security in practice Say we have a cryptographic scheme where honest parties are required to run for 106 2 cycles and for which an adversary is running for 108 4 cycles can succeed in breaking the scheme with probability 230 2 .
9

The asymptotic approach an example

10

The asymptotic approach an example

280 .

11

The asymptotic approach an example

The asymptotic approach has the advantage of not depending on any specific assumptions regarding, e.g., the type of computer an adversary will use.

12

Efficient Algorithms

13

Efficient Algorithms
Generating randomness
There are a number of ways random bits are obtained in practice. One solution is to use a hardware random number generator that generates random bitstreams based on certain physical phenomena like thermal/electrical noise or radioactive decay. Another possibility is to use software random number generators which generate random bitstreams based on unpredictable behavior such as the time between key-strokes, movement of the mouse, hard disk access times, and so on.
14

Efficient Algorithms
Generating randomness

Some modern operating systems provide functions of this sort. Note that, in either of these cases, the underlying unpredictable event is unlikely to directly yield uniformly-distributed bits, and so further processing of the initial bitstream is needed. Techniques for doing this are complex and poorly understood.

15

Efficient Algorithms
Generating randomness
One must careful in how random bits are chosen, and the use of badly designed or inappropriate random number generators can often leave a good cryptosystem vulnerable to attack. Particular care must be taken to use a random number generator that is designed for cryptographic use, rather than a general-purpose random number generator which may be fine for some applications but not cryptographic ones

16

Negligible Success

17

Negligible Success

18

Proofs by Reduction
Strategy
1.

2.

Assume that some low-level problem is hard to solve. Then prove that the construction in question is secure given this assumption.

19

Proofs by Reduction
The proof that a given construction is secure as long as some underlying problem is hard generally proceeds by presenting an explicit reduction showing how to convert any efficient adversary A that succeeds in breaking the construction with non-negligible probability into an efficient algorithm A succeeds in solving the problem that was assumed to be hard.

20

Proofs by Reduction

21

Proofs by Reduction

Instance of

Solution to x

Break

22

Computationally Secure Encryption

()

23

Computationally Secure Encryption

24

Computationally Secure Encryption

25

Computationally Secure Encryption

Equivalent version:
| Pr,PrivK eav , , 0 = 1-

Pr PrivK eav , , 1 = 1 | negl()

26

Computationally Secure Encryption

and is chosen uniformly at random

from *0,1+ .

27

Theorem
Let (Gen,Enc,Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then PPT adversaries, , a negligible function negl:

Pr,

1 , ()

1 + negl , 2

where is chosen randomly from *0,1+ , and the probability are taken over the random coins of , the choice of and and any random coins used in the encryption process.
28

Proof of Theorem
We shall reduce the indistinguishability of the encryptions of the messages to the indistinguishability of the bits of encrypted messages in the presence of an eavesdropper.

29

Security reduction: converting an adversary A to an adversary A

Adversary A (low level reference problem X) Adversary A

The reduction shows shows that A succeeds in solving x with advantage at least Suppose A succeeds in solving with advantage

Protocol , being analysed

30

Proof of theorem by reduction

Adversary A (message distinguisher)
1 Adversary A (bit distinguisher) 1 0 , 1 0 , 1
prediction of the message
prediction of the value of the i-th bit
31

Suppose A succeeds with advantage in distinguishing the i-th bit of encrypted messages

Proof, in detail
Let the advantage of be = Pr (Enc =
1 2

. = 1=1 =

Then Pr (Enc = = Pr,PrivK eav ,

1 = 0 2

1 = 0 + 1 2 =
1 2

= Pr,( ) =

+ ()

Since the encryption scheme has indistinguishable encryptions is negligible

32

Semantic Security
Theorem. Let (Gen,Enc,Dec) be a private-key encryption
scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then,
PPT adversary , PPT algorithm such that,

polynomial-time computable functions and sampleable sets there is a negligible function negl such that:

| Pr, 1 ,

= - Pr 1 = |

1 2

+ negl ,

where is chosen randomly from *0,1+ , and the probabilities are the choices of , , the random coins of , and the encryption process. 33

Semantic Security: Definition

A private-key encryption scheme (Gen,Enc,Dec) is semantically secure in the presence of an eavesdropper if
PPT algorithm , PPT such that, efficiently sampleable distributions = 1 , . . . and all polynomial-time computable functions , there is a negligible function negl such that:
|Pr, 1 , , () = - Pr (1 , ()) = | negl ,

where is chosen according to the distribution , and the probabilities are taken over the choices of , , the random coins of , and the encryption process.
34

Semantic Security: Theorem

A private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if and only if, it is semantically secure in the presence of an eavesdropper.

35