Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Transcription

1 Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of n] K n is finite and is called the key space, M n is called the message space and C n is called the ciphertext space - Gen and Enc are probabilistic polynomial-time algorithms, and Dec is a deterministic polynomial-time algorithm - for every n N, Gen(1 n ) outputs an element of K n [the distribution of Gen(1 n ) is not necessarily uniform over K n ] - Enc(k,m) C n for every k K n and m M n - for every n N, every m M n and every k K n, Dec(k,Enc(k,m)) = m - (n is called the security parameter) Sample question: why does the definition above write Gen(1 n ) instead of writing Gen(n)? (Answer: Because n typically represents the length of the key, and we want Gen() to be able to run in polynomial time of the length of the key, so if we want to say Gen is polynomial-time we need to give an input whose length is polynomially related to the length of the key. Another solution would have been to say Gen is an exponential-time probabilistic algorithm such that Gen(n) outputs an element of K n for each n N.) Definition of a non-asymptotic encryption scheme: It s a tuple Π = ((K,M,C),Gen,Enc,Dec) where: - K,M,C are sets of bitstrings such that K is finite; K is called the key space, M is called the message space and C is called the ciphertext space - Gen is a probabilistic algorithm that takes no input and that outputs an element of K - Enc and Dec are polynomial-time algorithms (Enc can also be probabilistic) such that Enc(k,m) C and Dec(k,Enc(k,m)) = m for every k K and m M Sample question: what is the purpose of the security parameter n? (Answer: the security parameter n allows one to make asymptotic statements about the advantage of polynomial-time adversaries.) In your solutions to other problems (i.e., when the question is not Give the definition of a private-key encryption scheme ), you can simply say Let Π = (Gen, Enc, Dec) be a private-key encryption scheme, etc you don t need to mention (K n,m n,c n ) n=1 Sample question: I choose a random string in {0,1} 128 and I ask an adversary to guess the string. The adversary names values until it finds my string, and then the game stops. Can a polynomial-time adversary win this game with probability 1, if we consider the input length of the problem to be 128? (Answer: yes. The polynomial-time adversary in question simply tries all strings of length 128 one after one, which takes time in the worst case. This is a constant running time. In fact, we could even define the input length of the problem to be 0, and the running time would still be constant (and polynomial). This shows why you need the security parameter in crypto definitions.) Sample question: What is an information-theoretic adversary? (Answer: An adversary with unbounded computational powers we don t care about the adversary s running time or size of Turing machine description, etc. The only limit on what such an adversary can achieve is the amount of information they receive, hence the name information-theoretic.) Sample question: What is a computational adversary? (Answer: The opposite of information-theoretic. It s an adversary that is computationally bounded in some way or other; it has to be efficient in some sense (usually polynomial-time).) Definition of perfect privacy for non-asymptotic private-key encryption schemes. Let Π =... Let K be a random variable distributed according to Gen(). Let M be any distribution over M (i.e., M is a random 1

2 variable of range M). Let C = Enc(K,M). Then C and M are independent. In other words, for all c C and m M or, put differently, Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m] for every c C such that Pr[C = c] > 0, and for every m M. To be able to prove that the above definition is equivalent to the fact that for every m 1,m 2 M, Enc(K,m 1 ) has the same distribution over C as Enc(K,m 2 ) (i.e., Pr[Enc(K,m 1 ) = c] = Pr[Enc(K,m 2 ) = c] for every c C; note randomness comes from K as well as from Enc). (Note this second definition of perfect privacy doesn t mention any distribution M over the message space.) To be able to prove that if M > C, then a (non-asymptotic) encryption scheme Π cannot be perfectly private To be able to do Additional Problem 2 in homework 3 (sorry) Know the PrivK eav Π,A experiment for asymptotic and non-asymptotic schemes (the experiment looks a little different in the asymptotic setting, because then the security parameter n is there); be ready to argue(maybe not completely formally) that Pr[PrivK eav Π,A = 1] = 1 2 if Π is a non-asymptotic perfectly secret encryption scheme NOTE: FROM HERE ON, EVERYTHING REFERS TO ASYMPTOTIC SECURITY (i.e., with security parameter) Know the definition of a negligible function Know the definition of indistinguishable encryptions against in the presence of an eavesdropper asymptotic (description of PrivK eav Π,A experiment + definition with negl(n)); be ready to argue (maybe not completely formally) that Pr[PrivK eav Π,A = 1] = 1 2 if Π is perfectly secret (the other direction is also true, but don t worry about it). The definition of chosen plaintext security. (Description of PrivK cpa Π,A experiment + definition itself.) Know what a computational reduction means (it just means a proof of the type if there exists an (efficient) adversary A that can do task X, there also exists an (efficient) adversary that can do task Y The definition of semantic security (Definition 3.13 in your book, I think; discussed in the bonus problem of homework 2). Be ready to outline the proof that an encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper (IEIPE, let s say) is also semantically secure. The outline is as follows: Let A be a polytime adversary. We construct A as follows. A chooses a fixed message m 0 M n, samples a key k by running Gen(1 n ), then runs A with input (1 n,enc k (m 0 ),h(m)), and outputs what A outputs (note A s own input is (1 n,h(m)) it forwards the value h(m) to A). Thus, A (1 n,h(m)) = A(1 n,enc k (m 0 ),h(m)) where k is chosen randomly according to Gen(1 n ), and so all we need to show is that Pr[A(1 n,enc K (m),h(m)) = f(m)] Pr[A(1 n,enc K (m 0 ),h(m)) = f(m)] negl(n) (1) where K is distributed according to Gen(1 n ) and m is distributed according to X n. To show (1), we use a computational reduction to IEIPE. Namely, we build an adversary B for IEIPE from A. B works as follows: it uses the same m 0 as fixed by A (technically: it runs A to find m 0 ), and selects m = m 1 by sampling 2

3 X n (which can be done efficiently). Then B outputs (m 0,m 1 ) as its challenge ciphertexts, and receives back the encryption c = Enc K (m b ) for K Gen(1 n ) and b {0,1} uniform at random. Then B runs A(1 n,enc K (m b ),h(m = m 1 )) and outputs b = 1 if A outputs f(m = m 1 ), and outputs 0 otherwise. If b = 1 then B has chance Pr[A(1 n,enc K (m),h(m)) = f(m)] of outputting 1, whereas if b = 0 then B has chance 1 Pr[A(1 n,enc K (m 0 ),h(m)) = f(m)] of outputting 1. If follows from a standard manipulation of probabilities that if B s advantage is negligible, then (1) is also negligible. Know the definition of a pseudorandom generator, as in the book. Sample question: Let G be a pseudorandom generator. Can anyone compute G(0 n )? G(1 n )? (Answer: yes, of course. G is a public, polynomial-time function and there is no secret key.) Be able to prove that an information-theoretic adversary can distinguish any pseudorandom generator with advantage at least 1 2 ; namely, that if G : {0,1}n {0,1} l(n) is a pseudorandom generator (with, of course, l(n) n+1) then there exists a information- theoretic distinguisher D such that Pr,G(s)) = 1] Pr [D(1 n,r) = 1] 1 s {0,1} n[d(1n r {0,1} l(n) 2. (D simply checks to see if the value it received is in the range of G, and this has chance at most 1 2 of happening in the random world.) Knowing how to build a IEIPE scheme from a pseudorandom generator, and knowing how to prove that the construction is indeed IEIPE (construction 3.15 and theorem 3.16 in my book maybe something else in your edition) Knowing, on an informal level, the multiple message experiment PrivK mult Π,A, and being able to explain why no deterministic encryption scheme can satisfy this notion of security Know the definition of CPA security... of course. (Note there are two things: one is the experiment PrivK cpa Π,A, and another thing is the definition itself.) [Don t forget: the adversary must choose ciphertexts (m 0,m 1 ) of equal length!] Know the little story about the second world war, with the Japanese and the Americans and midway island Know the definition of a pseudorandom function, as stated in the book. Know how to use a pseudorandom function to build a CPA-secure scheme for fixed-length messages, and, actually, even for arbtriray-length messages, as described in the book (you don t need to learn the proof of security) Know the definition of a pseudorandom permutation and of a strong pseudorandom permutation. (Note: for a strong pseudorandom permutation, the inverse also needs to be efficiently computable (knowing the key, of course).) Know the definition of a blockcipher. It s simply: E : {0,1} k {0,1} n n is a blockcipher if E(k, ) is a permutation of {0,1} n for every k {0,1} k, and for which both E(k, ) and E 1 (k, ) are efficiently computable. (Of course, a good blockcipher should have the property that E ±1 (k, ) looks like a random permutation for a randomly chosen k, but it is hard to formalize this mathematically if the blockcipher E is only defined for one particular value of k and n, such as k = n = 256, or something.) 3

4 Know the different modes of operation based on blockciphers; ECB mode, CBC mode, OFB mode and CTR mode. Know the definition of CCA security. Be ready to explain, say, why none of the above modes are CCA secure. (MACs) Know the definition of a Message Authentication Code (MAC). Note: The definition of a MAC does not include any definition of secutiy; that s separate. Know the definition of existentially unforgeable under a chosen plaintext attack for MACs (the standard 1 security notion for MACs, as in the book) Know the definition of what it means for a MAC to have unique tags. (It means that for each message m and key k, there is at most one t such that Vrfy(k,m,t) = 1.) (Note: a deterministic MAC meaning that Mac( ) is deterministic outputs only one t per message m (and key k), but this does not mean the MAC has unique tags; Vrfy can accept more tags than the tag which is output by Mac.) (OWFs, OWPs, HARDCORE BITS, GOLDREICH-LEVIN HARDCORE BIT, ETC) Know the definition of a one-way function. (Don t forget it s polytime; of course, also don t forget that the adversary must be polytime.) Know the definition of a one-way permutation... Know the definition of a hardcore bit (for a one-way permutation, say). [Note: if f : {0,1} {0,1} is a permutation of {0,1} n for each n N (i.e., f is a permutation ) and hc : {0,1} {0,1} is a function, then we can define what it means for hc to be a hardcore bit for f without making the assumption that f is one-way. Namely, you can define hardcore bit for f even if f is not a one-way permutation. But the definition will never be satisfied: if f is not a OWP, then no hc will exists that satisfies the definition, because you can invert f with non-negligible probability to compute hc.] Know the construction of the Goldreich-Levin hardcore bit gl. I would also like you to know the proof that gl is really a hardcore bit for the function (x,r) (f(x),r), but that s asking too much. However, know these parts of the proof: 1. Markov s inequality: that if X is an r.v. such that X 0 then Pr[X c] E[X]/c, for all c > 0. (No proof needed.) 2. The following useful fact: that if X is a random variable such that 0 X 1, such that E[X] = µ, then Pr[X µ t] t for every 0 t µ. Know this fact, and know how to prove it from Markov s inequality by considering the r.v. 1 X. 3. Therefore (by 2), if A is an adversary that can compute x r from (f(x),r) with probability at least 1 2 +ε(n) (for random x and r), then a fraction of at least 1 2ε(n) of the x s have the property that for that fixed x (and for random r), A s chance of computing hc is still at least ε(n). (Proof: let p x be A s chance of computing hc for a given x, with randomness over r and over A s coins; then E x [p x ] = 1 2 +ε(n), and so we can apply item 1 with µ = 1 2 +ε(n) and t = 1 2 ε(n).) 4. Know Chebyshev s inequality with its (easy) proof (see the book). 5. Know how to prove that if two random variables X and Y are independent, then Var(X + Y) = 1 Just because it is standard does not really mean it is the best security notion; but nevermind. 4

5 Var(X)+Var(Y). (You can use the fact that E[XY] = E[X]E[Y] for independent random variables X and Y without proving that fact.) 6. Know how to prove that if X 1,...,X m are pairwise independent random variables such that E[X i ] = µ for each i, then [ i Pr X ] i m µ ε 1 4ε 2 m. (Use Chebyshev s inequality and item 5.) 7. Know the description of the adversary A for inverting f, that uses the adversarya for computing hc( ); see the paragraph The inversion algorithm A in the book. (You don t need to remember the exact value of l which was named m when I did it in class but you should know that 2 l = poly(n).) Moving on: know how to construct a PRG from a pair (f,hc) where f is a OWP and hc is a hardcore bit for f. Know the proof (the one I messed up in class, that Tianren finished). Finally... last but not least... know the hybrid argument for proving unpredictability implies pseudorandomness, the one from your homework. (If you didn t use a hybrid argument then you probably did it wrong.) 5