Lecture 4: Computationally secure cryptography

Similar documents
Lecture 7: CPA Security, MACs, OWFs

Lecture 2: Perfect Secrecy and its Limitations

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 5, CPA Secure Encryption from PRFs

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 13: Private Key Encryption

Computational security & Private key encryption

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Modern symmetric-key Encryption

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CPA-Security. Definition: A private-key encryption scheme

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Lecture 3: Lower bound on statistically secure encryption, extractors

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 7: Pseudo Random Generators

1 Number Theory Basics

1 Indistinguishability for multiple encryptions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Pseudorandom Generators

Lecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Lecture 18: Message Authentication Codes & Digital Signa

Scribe for Lecture #5

CTR mode of operation

Indistinguishability and Pseudo-Randomness

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Lecture 9 - Symmetric Encryption

Notes for Lecture 16

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

6.892 Computing on Encrypted Data September 16, Lecture 2

Lecture 17: Constructions of Public-Key Encryption

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Introduction to Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Cryptography CS 555. Topic 4: Computational Security

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Constructing secure MACs Message authentication in action. Table of contents

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 28: Public-key Cryptography. Public-key Cryptography

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 11: Key Agreement

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Public Key Cryptography

8 Security against Chosen Plaintext

Lectures 2+3: Provable Security

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Computational hardness. Feb 2 abhi shelat

Modern Cryptography Lecture 4

Lecture 14: Secure Multiparty Computation

El Gamal A DDH based encryption scheme. Table of contents

Lecture Notes 20: Zero-Knowledge Proofs

CS 395T. Probabilistic Polynomial-Time Calculus

III. Pseudorandom functions & encryption

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lecture 8: Computational Indistinguishability and Pseudorandomness

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Block Ciphers/Pseudorandom Permutations

a Course in Cryptography rafael pass abhi shelat

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Semantic Security and Indistinguishability in the Quantum World

2 Message authentication codes (MACs)

On the Randomness Requirements for Privacy

1 Public-key encryption

Advanced Cryptography 03/06/2007. Lecture 8

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Chapter 2 : Perfectly-Secret Encryption

Advanced Topics in Cryptography

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Pseudorandom Generators

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XI

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lecture 8: The Dummy Adversary

Lecture 3: Interactive Proofs and Zero-Knowledge

Perfectly-Secret Encryption

1 Cryptographic hash functions

Cryptography 2017 Lecture 2

Solutions to homework 2

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

: Cryptography and Game Theory Ran Canetti and Alon Rosen. Lecture 8

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

Fully Homomorphic Encryption

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Lattice Cryptography

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Historical cryptography. cryptography encryption main applications: military and diplomacy

Transcription:

CS 7880 Graduate Cryptography September 18, 017 Lecture 4: Computationally secure cryptography Lecturer: Daniel Wichs Scribe: Lucianna Kiffer 1 Topic Covered ε-security Computationally secure cryptography (asymptotic security) Computational indistinguishability Interactive model of security ε-security Recall that the statistical distance between two distributions is defined as follows: SD(X, Y ) = 1 Pr[X = Z] = Pr[Y = Z] z = max Pr[x D] Pr[y D] D Z = max Pr[D(X) = 1] Pr[D(Y ) = 1] D:Z {0,1} The intuition here is that if two distributions have tiny statistical distance then no test D can distinguish them from each other. Therefore, they are essentially identical. This gives us a way to relax the security requirements for encryption. Recall that perfect security required that the distributions Enc(K, m 0 ), Enc(K, m1) are indentical. We now relax this by only insisting that they are statistically close. Definition 1 An encryption scheme has ε-security if m 0, m 1 M : SD(Enc(K, m 0 ), Enc(K, m1)) ε where K is a uniformly random key in the set K. Theorem 1 In any ε-secure encryption scheme we have that ε 1 K Proof: let ε = max m0,m 1 SD(Enc(K, m 0 ), Enc(K, m 1 )) max m 0,m 1 Pr[D m0 (Enc(K, m 0 )) = 1] Pr[D m0 (Enc(K, m 1 )) = 1] Lecture 4, Page 1

where D m0 is a distinguisher which is defined as D m0 (c) = 1 if k K such that Dec(k, c) = m 0. Taking the expectation over random choices for m 0, m 1, we get that the above is Pr[D M0 (Enc(K, M 0 )) = 1] Pr[D M0 (Enc(K, M 1 )) = 1] 1 K where M 0 and M 1 are the uniform distributions over M. It s easy to see that Pr[D M0 (Enc(K, M 0 )) = 1]. Moreover Pr[D M0 (Enc(K, M 1 )) = 1] K since for any ciphertext c in the support of Enc(K, M 1 ), there are at most K values of m 0 for which D m0 (c) would output 1 and the probability that the random variable M 0 takes on some such value is therefore bounded by K. Thus we are still bound by Shannon s impossibility result, saying that if the key is even 1-bit shorter than the message, ε 1. BUT, have not shown that the distinguisher is efficient. Thus, even though we can t get ε-security, maybe we can get somewhere if we restrict the distinguisher to be efficient. 3 Computationally Secure Cryptography The goal is to define encryption schemes that a computationally constrained adversary cannot distinguish with some bounded probability (i.e. probability less than the chance of an asteroid hitting the earth). One idea is to define (t, ε)-security where for any adversary whose run time is bounded by t, we would require that the success probability ε. We won t use this definition because it gets quite cumbersome. The exact run-time depends on the particular model of computation (Turing Machine vs. JAVA programs) and also it s not clear what choices of t, ε are the right ones. 3.1 Asymptotic Security Instead we define asymptotic security as follows: All schemes are parameterized by a security parameter n. As n gets bigger the scheme should asymptotically become more secure. For example, the scheme can set the size of the secret key to depend on n. Adversaries are PPT (probabilistic polynomial time), i.e. run in time polynomial in n and their other inputs. Adversaries have access to randomness (uniformly random bits). For a PPT algorithm A we write A(x) to denote the random variable for A s output and A(x; r) is the execution of a randomized algorithm for a particular input x and a particular randomness r. the adversary s success probability is negligible: ε = negl(n) if ε(n) = 1 n ω(1) c > 0, ε(n) = 1 Ω(n c ) c > 0 n 0 s.t. n > n 0, ε(n) 1 n c Lecture 4, Page

Examples of non-negligible functions include 1, 1 negligible function like 1. n Note that { 1 ε(n) = n is odd 1 n is even n is not negligible. log n and 1 n. We are looking for a A useful property of negligible functions is that multiplying a polynomial function times a negligible function results in a negligible function. Asymptotic security gives a sharp threshold for security without messy parameters. Almost all of the results we have can also be nicely translated to (t, ε)-security if desired. We make a brief comment on uniform v.s. non-uniform models of computation: uniform computation adversaries have one algorithm that gets n as an input while non-uniform models of adversaries allow for different algorithms for each different n. For this class we will usually think of the adversary as uniform but might mention some cases where this distinction makes a difference. 4 Computational Indistinguishability Consider the sequence of variables X = {X n } n N and Y = {Y n } n N (one for each security parameter). We define computational indistinguishability between the sequences as follows: Definition X, Y are computationally indistinguishable if PPT distinguishers D, ε(n) = negl(n) such that Pr[D(X n ) = 1] Pr[D(Y n ) = 1] ε(n) denoted by X Y. Theorem If X Y and f : {0, 1} {0, 1} is a PPT function, then f(x) f(y ). Informal proof: If we can distinguish between f(x) and f(y ), then we could run f on X and Y and distinguish the outputs and it use it to distinguish between X and Y. Proof: (reduction) Suppose there exists a PPT distinguisher D such that Pr[D(f(X n )) = 1] Pr[D(f(Y n )) = 1] negl(n) We can construction a new PPT distinguisher D = D f and get that Pr[D (X n ) = 1] Pr[D (Y n ) = 1] negl(n) since a polynomial function times a negligible function is still negligible. Theorem 3 Hybrid Argument. If X Y and Y Z, then X Z. Lecture 4, Page 3

Proof: For any distinguisher D let ε(n) = Pr[D(X n ) = 1] Pr[D(Z n ) = 1] = Pr[D(X n ) = 1] Pr[D(Y n ) = 1] + Pr[D(Y n ) = 1] Pr[D(Z n ) = 1] Pr[D(X n ) = 1] Pr[D(Y n ) = 1] + Pr[D(Y }{{} n ) = 1] Pr[D(Z n ) = 1] }{{} ε 1 (n) ε (n) Since X Y we know that ε 1 is negligible and since Y Z we know that ε is negligible. Therefore ε = ε 1 + ε is negligible which concludes the proof. 5 Security Game We usually define security via games which are interactive protocols between an adversary A trying to break the system and the world running the system (which we call the challenger). For some such Game and an adversary A we define Game A (1 n ) to denote output of the game; usually this will be the output of the adversary A at the end of the game. Often we define security via two games Game 0, Game 1 which represent two possible options for what the world might be doing (e.g., encryptions of two different messages) and we require that the adversary cannot tell them apart. We define this as follows. Definition 3 We say that two games Game 0, Game 1 are computationally indistinguishable, denoted by Game 0 Game 1, if PPTA negl ε() s.t. Pr[Game 0 A(1 n ) = 1] Pr[Game 1 A(1 n ) = 1] = ε(n) Computational indisitnguishability of games is analogous to computational indistinguishability of random variables. In particular, the same hybrid argument works for games. Theorem 4 If Game 0 Game 1 and Game 1 Game then Game 0 Game 5.1 Computationally Secure Encryption We consider an encryption scheme with key space K n = {0, 1} n and message space M n = {0, 1} l(n) where l is some polynomial. The ciphertext space is C n. The scheme consists of algorithms: Enc : K n M n C n Dec : K n C n M n we define the following game for proving computational security of encryption schemes: Definition 4 One-time security game: OneSec b where b {0, 1} Adversary chooses m 0, m 1 M n and sends it to the Challenger The Challenger samples a uniformly random key from the key space (k K n ), and then sends the Adversary an encryption c = Enc(k, m b ) of the message m b. Lecture 4, Page 4

The Adversary outputs some value b. Definition 5 An encryption scheme is one-time computationally secure if OneSec 0 OneSec 1. Lecture 4, Page 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback