COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Transcription

1 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27

2 Previously on COS 433

3 Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )

4 Security Definition (One- time setting) Definition: (Enc, Dec) has (t,ε)-ciphertext indistinguishability if, for all running in time at most t Pr[ß IND-Exp ( ) ] Pr[ß IND-Exp ( ) ] ε

5 Construction with k << m Idea: use OTP, but have key generated by some expanding function G k G m

6 What Do We Want Out of G? Definition: G:{,} λ à {,} n is a (t,ε)- secure pseudorandom generator (PRG) if: n > λ G is deterministic For all running in time at most t, Pr[ (G(s))=:sß {,} λ ] Pr[ (x)=:xß {,} n ] ε

7 Reminder: Kerckhoffs s Principle Kerckhoffs s Principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Applies to any crypto object we ll see in this course For PRGs, the key is just the input to the function

8 Secure PRG à Ciphertext Indistinguishability K = {,} λ M = {,} n C = {,} n Enc(k,m) = PRG(k) m Dec(k,c) = PRG(k) c

9 Security? Intuitively, security is obvious: PRG(k) looks random, so should completely hide m However, formalizing this argument is non- trivial. Solution: reductions Assume toward contradiction an adversary for the encryption scheme, derive an adversary for the PRG

10 Security Assume towards contradiction that there is a such that b m, m M c k ß K c ß G(k) m b b Pr[W ]-Pr[W ] ε, non- negligible W b : b = in IND-Exp b

11 Security Use to build. will run as a subroutine, and pretend to be m, m M b c b ß {,} c ß x m b x (either G(s) or truly random) b b

12 Security Case : x = PRG(s) for a random seed s sees IND-Exp b for a random bit b m, m M c b ß {,} s ß K c ß PRG(s) m b b

13 Security Case : x = PRG(s) for a random seed s sees IND-Exp b for a random bit b Pr[ b b =] = Pr[b=b ] = ½ Pr[b = b= ] + ½ ( - Pr[b = b=]) = ½( + Pr[W ] Pr[W ]) = ½( ± ε )

14 Security Case 2: x is truly random sees OTP encryption m, m M λ c b ß {,} x ß {,} n c ß x m b b

15 Security Case 2: x is truly random sees OTP encryption Therefore Pr[b = b=] = Pr[b = b=] Pr[ b b =] = Pr[b=b ] = ½ Pr[b = b= ] + ½ ( - Pr[b = b=]) = ½

16 Security Putting it together: Pr[ (G(s))=:sß {,} λ ] = ½( ± ε(λ) ) Pr[ (x)=:xß {,} n ] = ½ Absolute Difference: ½ε, Contradiction!

17 Security Thm: If G is a (t+t,ε/2)- secure PRG, then (Enc,Dec) is has (t,ε)- ciphertext indistinguishability, where t is the time to: Flip a random bit b XOR two n- bit strings

18 Security Thm: If G is a (t+poly,ε/2)- secure PRG, then (Enc,Dec) is has (t,ε)- ciphertext indistinguishability

19 An Alternate Proof: Hybrids Idea: define sequence of hybrid experiments between IND-Exp and IND-Exp In each hybrid, make small change from previous hybrid Hopefully, each small change is undetectable Using triangle inequality, overall change from IND- Exp and IND-Exp is undetectable

20 An Alternate Proof: Hybrids Hybrid : IND-Exp m, m M c k ß K c ß G(k) m b

21 An Alternate Proof: Hybrids Hybrid : m, m M c x ß {,} n c ß x m b

22 An Alternate Proof: Hybrids Hybrid 2: m, m M c x ß {,} n c ß x m b

23 An Alternate Proof: Hybrids Hybrid 3: IND-Exp m, m M c k ß K c ß G(k) m b

24 An Alternate Proof: Hybrids Pr[b = : IND-Exp ]-Pr[b = : IND-Exp ] = Pr[b = : Hyb ]-Pr[b = : Hyb 3] Pr[b = : Hyb ]-Pr[b = : Hyb ] + Pr[b = : Hyb ]-Pr[b = : Hyb 2] + Pr[b = : Hyb 2]-Pr[b = : Hyb 3] If Pr[b =:IND-Exp ]-Pr[b =:IND-Exp ] ε, Then for some i=,,2, Pr[b =:Hyb i]-pr[b =:Hyb i+] ε/3

25 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 k ß K x ß {,} n m, m M c ß G(k) m m, m M c ß x m b b

26 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 Construct m, m M c c ß x m x (either G(s) or truly random) b b

27 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 Construct If is given G(s) for a random s, sees Hybrid If is given x for a random x, sees Hybrid Therefore, advantage of is equal to advantage of which is at least ε/3 Contradiction!

28 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid 2 with advantage ε/3 m, m M x ß {,} n c ß x m m, m M c ß x m x ß {,} n b b

29 An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid 2 with advantage ε(λ)/3 m, m M λ x ß {,} s(λ) Impossible by OTP security m, m M λ x ß {,} s(λ) c ß x m c ß x m b b

30 An Alternate Proof: Hybrids Suppose distinguishes Hybrid 2 from Hybrid 3 with advantage ε/3 m, m M c ß x m x ß {,} n m, m M k ß K c ß G(k) m b b Proof essentially identical to Hybrid /Hybrid case

31 How do we build PRGs?

32 Linear Feedback Shift Registers In each step, Last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

33 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

34 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

35 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

36 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

37 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

38 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

39 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

40 Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

41 Linear Feedback Shift Registers Are LFSR s secure PRGs?

42 Linear Feedback Shift Registers Are LFSR s secure PRGs? No! First n bits of output = initial state x Write x = x,,x n, x Initialize LFSB to have state x,,x n Run LFSB for x steps, obtaining y Check if y = x

43 PRGs should be Unpredictable More generally, it should be hard, given some bits of output, to predict subsequent bits Definition: G is (t,p,ε)-unpredictable if, for all running in time at most t, Pr[G(s) p+ ß (G(s) [,p] ) ] ½ ε

44 PRGs should be Unpredictable More generally, it should be hard, given some bits of output, to predict subsequent bits Theorem: G is unpredictable iff it is pseudorandom

45 Proof Pseudorandomness à Unpredictability Assume towards contradiction s.t. Pr[G(s) p+ ß (G(s) [,p] ) ] ½ > ε

46 Proof Pseudorandomness à Unpredictability Construct x x [,p] b b x p+

47 Proof Pseudorandomness à Unpredictability Analysis: If x is random, Pr[ b x p+ = ] = ½ If x is pseudorandom, Pr[ b x p+ = ] = Pr[G(s) p+ ß (G(s) [,p] ) ] > (½ + ε) or < (½ - ε)

48 Proof Unpredictability à Pseudorandomness Assume towards contradiction s.t. Pr[ (G(s))=:sß {,} λ ] Pr[ (x)=:xß {,} t ] > ε

49 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i H : truly random x H t : pseudorandom t

50 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i Pr[ (x)=:xß H s ] Pr[ (x)=:xß H ] > ε Let q i = Pr[ (x)=:xß H i ]

51 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i q t q > ε Let q i = Pr[ (x)=:xß H i ]

52 Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i By triangle inequality, there must exist an i s.t. q i q i- > ε/t Can assume wlog that q i q i- > ε/t

53 Proof Unpredictability à Pseudorandomness Construct y=g(s) [,i-] bß {,} y ß {,} t-i x = y b y b b b

54 Proof Unpredictability à Pseudorandomness Analysis: If b = G(s) i, then sees H i outputs with probability q i outputs b=g(s) i with probability q i

55 Proof Unpredictability à Pseudorandomness Analysis: If b = G(s) i, then Define q i as Pr[ outputs ] ½(q i + q i ) = q i- q i = 2q i- - q i outputs G(s) [,i] with probability -q i = + q i 2q i-

56 Proof Unpredictability à Pseudorandomness Analysis: Pr[ outputs G(s) i ] = ½ (q i ) + ½ ( + q i 2q i- ) = ½ + q i q i- > ½ + ε/t

57 Linearity

58 Linearity LFSR s are linear: state = state output = ( ) state ( )

59 Linearity LFSR s are linear: Each output bit is a linear function of the initial state (that is, G(s) = A s (mod 2) ) Any linear G cannot be a PRG Can check if x is in column- span of A using linear algebra

60 Introducing Non- linearity Non- linearity in the output: Non- linear feedback:

61 LFSR period Period = number of bits before state repeats After one period, output sequence repeats Therefore, should have extremely long period Ideally almost 2 λ Possible to design LFSR s with period 2 λ -

62 Hardware vs Software PRGs based on LFSR s are very fast in hardware Unfortunately, not easily amenable to software

63 RC4 Fast software based PRG Resisted attack for several years No longer considered secure, but still widely used

64 RC4 State = permutation on [256] plus two integers Permutation stored as 256- byte array S Init(6- byte k): For i=,,255 S[i] = i j = For i=,,255 j = j + S[i] + k[i mod 6] (mod 256) Swap S[i] and S[j] Output (S,,)

65 RC4 GetBits(S,i,j): i++ (mod 256) j+= S[i] (mod 256) Swap S[i] and S[j] t = S[i] + S[j] (mod 256) Output (S,i,j), S[t] New state Next output byte

66 Insecurity of RC4 Second byte of output is slightly biased towards Pr[second byte = 8 ] 2/256 Should be /256 Means RC4 is not secure according to our definition outputs iff second byte is equal to 8 Advantage: /256 Not a serious attack in practice, but demonstrates some structural weakness

67 Insecurity of RC4 Possible to extend attack to actually recover the input k in some use cases The seed is set to (IV, k) for some initial value IV Encrypt messages as RC4(IV,k) m Also give IV to attacker Cannot show security assuming RC4 is a PRG Can be used to completely break WEP encryption standard

68 Extending the Stretch of a PRG Suppose you have a fixed- stretch PRG G Better yet, a PRG that expands by a single bit G: {,} λ à {,} λ+ Construct a PRG G of arbitrary output length

69 Extending the Stretch of a PRG seed G state state G state 2 state 2 G state 3 state 3 G

70 Security Proof Assume towards contradiction Define hybrids

71 Security Proof H : {,} λ seed G state state G state 2 state 2 G state 3 state 3 G

72 Security Proof H : {,} λ {,} state state 2 G state 2 G state 3 state 3 G

73 Security Proof H 2 : {,} λ {,} {,} state 2 state 3 G state 3 G

74 Security Proof H t : {,} {,} {,} {,}

75 Security Proof H corresponds to pseudorandom x H t corresponds to truly random x Let q i = Pr[ (x)=:xß H i ] By assumption, q t q > ε i s.t. q i q i- > ε/t

76 Security Proof y state i state i+ G state i+ G state i+2 state i+2 G

77 Security Proof Analysis If y = G(s), then sees H i- Pr[ outputs ] = q i- Pr[ outputs ] = q i- If y is random, then sees H i Pr[ Pr[ outputs ] = q i outputs ] = q i

78 Summary Stream ciphers = secure encryption for arbitrary length, number of messages (though we did not completely prove it) However, implementation difficulties due to having to maintaining state

79 Reminders Project part Due Tomorrow HW2 will be released tonight