III. Pseudorandom functions & encryption

Transcription

1 III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion: indistinguishable encryption against chosen plaintext attacks 1

2 The indistinguishability game Let A be a probabilistic polynomial time algorithm (ppt). cpa CPA indistinguishability game PrivK A,Π ( n) 1. k Gen( 1 n ). 2. A receives input 1 n and has oracle access to Enc ( k ). { } with m 0 = m 1. Outputs two plaintexts m 0,m 1 0,1 3. b { 0,1},c Enc ( k m b ). c given to A. 4. A continues to have oracle access to Enc ( k ). It outputs b'. 5. Output of experiment is 1, if b = b', otherwise output is 0. cpa Write Pr ivk A,Π has won. ( n) = 1, if output is 1. Say A has succeded or A 2

3 Oracle access Algorithm D has oracle access to function f : U R, if D 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) access to f ( ). to denote that algorithm D has oracle 3

4 The indistinguishability game Definition 3.1 Π = ( Gen,Enc,Dec) has indistinguishable encryptions under chosen plaintext attacks (is cpa-secure) if for every probabilistic polynomial time algorithm A there is a negligible function µ : N R + such that cpa Pr Pr ivk A,Π ( n) = µ ( n ). Observation A cpa-secure encryption scheme cannot have a deterministic encryption algorithm. 4

5 Multiple messages Multiple messages cpa game Pr ivk mult cpa A,Π 1. k Gen( 1 n ). ( n) 2. A receives input 1 n and has oracle access to Enc ( k ). A outputs two vectors of messages M 0 = ( m 1 t 0,,m 0 ), M 1 = ( m 1 t 1,,m ) i 1 with m 0 = m 1 i for all i. 3. b { 0,1},c i Enc ( i k m b ). C = ( c 1,,c ) t is given to A. 4. A continues to have oracle access to Enc ( k ). A outputs bit b'. 5. Output of experiment is 1, if b = b', otherwise output is 0. Write Pr ivk A,Π mult cpa = 1, if output is 1. Say A has succeded or A has won. 5

6 CPA-security and multiple messages Theorem 3.2 If encryption scheme Π = ( Gen,Enc,Dec) is cpa-secure, then it also has indistinguishable multiple encryption under chosen plaintext attacks. 6

7 CPA-security and blocks of messages Π = ( Gen,Enc,Dec) fixed length, l( n) = 1. ( ) as follows Define Π = Ge n,en c,de c Ge n : same as Gen En c : En c k m De c : De c k ( ) = Enc k m 1 m = m 1 m s,m i { 0,1} l(n) ( ) Enc ( k m s ), ( c) = Dec ( k c 1 ) Dec ( k c ) s Corollary 3.3 If encryption scheme Π = ( Gen,Enc,Dec) is ( ) is cpa-secure. cpa-secure, then Π = Ge n,en c,de c 7

8 Truly random functions n { n n { } { } } Func : = f : 0,1 0,1 Func = 2 n n2 n random function: f Func n 8

9 Keyed functions { } { 0,1} { 0,1} ( k,x)! F( k,x) ( ) = F k x F : 0,1 called keyed function. Write F k,x ( ). F called length-preserving, if F is only defined for ( x,k) 0,1 F k { } { 0,1} with x = k and if for all ( x,k) ( x) = k = x. F called efficient, if there is a polynomial time algorithm A with A( k,x) = F ( k x) for all x,k { 0,1}. F called permutation, if for every n N and k { 0,1} n F k : { 0,1} n { 0,1} n is bijective. 9

10 Oracle access Algorithm D has oracle access to function f : U R, if D 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) access to f ( ). to denote that algorithm D has oracle 10

11 Pseudorandom function (PRF) Definition 3.4 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient and length-preserving function. F is called a pseudorandom function, if for all ppt distinguishers D there is a negligible function µ such that for all n N ( ) Pr D F k ( 1 n ) = 1 ( ) Pr Df where k { 0,1} n,f Func n. ( 1 n ) = 1 µ ( n ), Func n := f : 0,1 { { } n { 0,1} n } 11

12 Pseudorandom functions f 1 f 2 f 3 F k1 F k2 f 5 f 4 f 6 F k5 F k3 f 8 f 9 f 11 f 10 f 11 f 7 Distinguisher D F F k 6 k 4 Func n with uniform distribution F n = F k { ( ) } k 0,1 { } n with distribution k 0,1 { } n 12

13 Truly random permutations n { { } n n { } } Perm : = f : 0,1 0,1 f is a permutation n Permn = 2! random permutation: f Perm n 13

14 Pseudorandom permutation (PRP) Definition 3.5 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient and length-preserving permutation. F is called a pseudorandom permutation, if for all ppt distinguishers D there is a negligible function µ such that for all n N ( ) Pr D F k ( 1 n ) = 1 ( ) Pr Df where k { 0,1} n,f Perm n. ( 1 n ) = 1 µ ( n ), 14

15 From PRF to cpa-security Construction 3.6 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient, and length-preserving function. Define Π F = ( Gen F,Enc F,Dec ) F as follows: Gen F : on input 1 n, choose k { 0,1} n. Enc F : on input k,m { 0,1} n, choose r { 0,1} n and output c := ( r,m F ( k r )). Dec F : on input c = ( r,s) { 0,1} n { 0,1} n and k { 0,1} n output m := s F k ( r ). 15

16 From PRF to cpa-security Theorem 3.7 If F is a pseudorandom function, then Π F as defined in Construction 3.6 is cpa-secure. 16

17 From adversaries to distinguishers D on input 1 n and oracle access to f : { 0,1} n { 0,1} n 1. Simulate A( 1 n ). When A queries for an encryption of m { 0,1} n, answer as follows: { } n a) r 0,1 b) Query f ( ). ( ) to obtain f ( r ) and return r,m f ( r ) 2 When A outputs m 0,m 1, choose b { 0,1}, then { } n a) r 0,1 b) Query f c := ( r,m b f ( r )). ( ) to obtain f ( r ) and return 3. Continue to simulate A and answer encryption queries as in 1. Let A's output be b { 0,1}. Output 1, if b = b, 17 otherwise output 0.

18 A conceptual scheme Define Π true = ( Gen true,enc true,dec ) true as follows: Gen true : on input 1 n, choose f Func n. Enc true : on input f, m { 0,1} n, choose r { 0,1} n and output Dec true : c := ( r,m f ( r )). on input c = ( r,s) { 0,1} n { 0,1} n and f Func n output m := s f ( r ). Remark - The scheme is not an encryption scheme, because it is not efficient. It is only used in the proof of Theorem The CPA indistiguishability experiment can be defined for 18 this scheme.

19 From PRF to cpa-security two basic claims Claim 1 For all ppts A Pr Pr ivk cpa A,ΠF (n) = 1 Pr Pr ivk cpa (n) = 1 A,Π true ( ) = Pr D F k ( 1 n ) = 1 ( ) Pr Df ( 1 n ) = 1. Claim 2 Let A be a ppt adversary in PrivK cpa A, that on input 1 n makes at most q(n) oracle queries. Then Pr cpa Priv A,Πtrue (n) = q(n) 2. n 19

20 The CCA indistinguishability game 1. k Gen( 1 n ) cca CCA indistinguishability game Pr ivk A,Π ( n) 2. A on input 1 n has access to encryption algorithm Enc ( k ) and to decryption algorithm Dec k m 0,m 1 { 0,1} * of equal length. 3. b { 0,1}, c Enc ( k m b ). c is given to A. ( ). A outputs 2 messages 4. b A( 1 n,c), here A has access to encryption algorithm Enc k Dec k ( ) and to decryption algorithm Dec ( k ), but query ( c) is forbidden. 5. Output of experiment is 1, if b = b 20. Otherwise output is 0.

21 CCA-security Definition 3.8 Π = ( Gen,Enc,Dec) has indistinguishable encryptions under chosen ciphertext attacks (is cca-secure) if for every probabilistic polynomial time algorithm A there is a negligible function µ : N R + such that cca Pr Pr ivk A,Π ( n) = µ ( n ). Observation cpa-security does not imply cca-security. 21