COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Similar documents
Dan Boneh. Stream ciphers. The One Time Pad

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CPA-Security. Definition: A private-key encryption scheme

Private-Key Encryption

5 Pseudorandom Generators

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

Chapter 2 : Perfectly-Secret Encryption

Cryptography 2017 Lecture 2

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Pseudorandom Generators

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Modern Cryptography Lecture 4

Lecture 5, CPA Secure Encryption from PRFs

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Lecture 13: Private Key Encryption

Block Ciphers/Pseudorandom Permutations

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

STREAM CIPHER. Chapter - 3

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Modern symmetric-key Encryption

Symmetric Encryption

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

1 Indistinguishability for multiple encryptions

Scribe for Lecture #5

Solution of Exercise Sheet 7

Klein s and PTW Attacks on WEP

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

CTR mode of operation

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 7: Pseudo Random Generators

Computer Science A Cryptography and Data Security. Claude Crépeau

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

CS 6260 Applied Cryptography

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Block ciphers And modes of operation. Table of contents

Classical Cryptography

Computational security & Private key encryption

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

8 Security against Chosen Plaintext

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

1 Cryptographic hash functions

Lecture Notes on Secret Sharing

Lecture 2: Perfect Secrecy and its Limitations

1 Cryptographic hash functions

Introduction to Cryptology. Lecture 3

Lecture 5. Lecturer: Yevgeniy Dodis Spring 2012

Solution of Exercise Sheet 6

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Perfectly-Secret Encryption

A Pseudo-Random Encryption Mode

Lectures 2+3: Provable Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Historical cryptography. cryptography encryption main applications: military and diplomacy

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Notes on Property-Preserving Encryption

Notes for Lecture 16

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

CPSC 467: Cryptography and Computer Security

Simple Unpredictable Pseudo-Random Number Generator

SYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Cryptography Lecture 3. Pseudorandom generators LFSRs

18733: Applied Cryptography Anupam Datta (CMU) Block ciphers. Dan Boneh

Benes and Butterfly schemes revisited

Indistinguishability and Pseudo-Randomness

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

6.080/6.089 GITCS Apr 15, Lecture 17

2 Message authentication codes (MACs)

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CS 6260 Applied Cryptography

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

Some New Weaknesses in the RC4 Stream Cipher

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

5 Public-Key Encryption: Rabin, Blum-Goldwasser, RSA

Private-key Systems. Block ciphers. Stream ciphers

Shift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3

A survey on quantum-secure cryptographic systems

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Efficient Pseudorandom Generators Based on the DDH Assumption

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptanalysis of the Stream Cipher ABC v2

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Solutions to homework 2

Transcription:

COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 27

Previously on COS 433

Security Experiment/Game (One- time setting) b m, m M c Challenger k ß K c ß Enc(k,m b ) b IND-Exp b ( )

Security Definition (One- time setting) Definition: (Enc, Dec) has (t,ε)-ciphertext indistinguishability if, for all running in time at most t Pr[ß IND-Exp ( ) ] Pr[ß IND-Exp ( ) ] ε

Construction with k << m Idea: use OTP, but have key generated by some expanding function G k G m

What Do We Want Out of G? Definition: G:{,} λ à {,} n is a (t,ε)- secure pseudorandom generator (PRG) if: n > λ G is deterministic For all running in time at most t, Pr[ (G(s))=:sß {,} λ ] Pr[ (x)=:xß {,} n ] ε

Reminder: Kerckhoffs s Principle Kerckhoffs s Principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge. Applies to any crypto object we ll see in this course For PRGs, the key is just the input to the function

Secure PRG à Ciphertext Indistinguishability K = {,} λ M = {,} n C = {,} n Enc(k,m) = PRG(k) m Dec(k,c) = PRG(k) c

Security? Intuitively, security is obvious: PRG(k) looks random, so should completely hide m However, formalizing this argument is non- trivial. Solution: reductions Assume toward contradiction an adversary for the encryption scheme, derive an adversary for the PRG

Security Assume towards contradiction that there is a such that b m, m M c k ß K c ß G(k) m b b Pr[W ]-Pr[W ] ε, non- negligible W b : b = in IND-Exp b

Security Use to build. will run as a subroutine, and pretend to be m, m M b c b ß {,} c ß x m b x (either G(s) or truly random) b b

Security Case : x = PRG(s) for a random seed s sees IND-Exp b for a random bit b m, m M c b ß {,} s ß K c ß PRG(s) m b b

Security Case : x = PRG(s) for a random seed s sees IND-Exp b for a random bit b Pr[ b b =] = Pr[b=b ] = ½ Pr[b = b= ] + ½ ( - Pr[b = b=]) = ½( + Pr[W ] Pr[W ]) = ½( ± ε )

Security Case 2: x is truly random sees OTP encryption m, m M λ c b ß {,} x ß {,} n c ß x m b b

Security Case 2: x is truly random sees OTP encryption Therefore Pr[b = b=] = Pr[b = b=] Pr[ b b =] = Pr[b=b ] = ½ Pr[b = b= ] + ½ ( - Pr[b = b=]) = ½

Security Putting it together: Pr[ (G(s))=:sß {,} λ ] = ½( ± ε(λ) ) Pr[ (x)=:xß {,} n ] = ½ Absolute Difference: ½ε, Contradiction!

Security Thm: If G is a (t+t,ε/2)- secure PRG, then (Enc,Dec) is has (t,ε)- ciphertext indistinguishability, where t is the time to: Flip a random bit b XOR two n- bit strings

Security Thm: If G is a (t+poly,ε/2)- secure PRG, then (Enc,Dec) is has (t,ε)- ciphertext indistinguishability

An Alternate Proof: Hybrids Idea: define sequence of hybrid experiments between IND-Exp and IND-Exp In each hybrid, make small change from previous hybrid Hopefully, each small change is undetectable Using triangle inequality, overall change from IND- Exp and IND-Exp is undetectable

An Alternate Proof: Hybrids Hybrid : IND-Exp m, m M c k ß K c ß G(k) m b

An Alternate Proof: Hybrids Hybrid : m, m M c x ß {,} n c ß x m b

An Alternate Proof: Hybrids Hybrid 2: m, m M c x ß {,} n c ß x m b

An Alternate Proof: Hybrids Hybrid 3: IND-Exp m, m M c k ß K c ß G(k) m b

An Alternate Proof: Hybrids Pr[b = : IND-Exp ]-Pr[b = : IND-Exp ] = Pr[b = : Hyb ]-Pr[b = : Hyb 3] Pr[b = : Hyb ]-Pr[b = : Hyb ] + Pr[b = : Hyb ]-Pr[b = : Hyb 2] + Pr[b = : Hyb 2]-Pr[b = : Hyb 3] If Pr[b =:IND-Exp ]-Pr[b =:IND-Exp ] ε, Then for some i=,,2, Pr[b =:Hyb i]-pr[b =:Hyb i+] ε/3

An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 k ß K x ß {,} n m, m M c ß G(k) m m, m M c ß x m b b

An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 Construct m, m M c c ß x m x (either G(s) or truly random) b b

An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid with advantage ε/3 Construct If is given G(s) for a random s, sees Hybrid If is given x for a random x, sees Hybrid Therefore, advantage of is equal to advantage of which is at least ε/3 Contradiction!

An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid 2 with advantage ε/3 m, m M x ß {,} n c ß x m m, m M c ß x m x ß {,} n b b

An Alternate Proof: Hybrids Suppose distinguishes Hybrid from Hybrid 2 with advantage ε(λ)/3 m, m M λ x ß {,} s(λ) Impossible by OTP security m, m M λ x ß {,} s(λ) c ß x m c ß x m b b

An Alternate Proof: Hybrids Suppose distinguishes Hybrid 2 from Hybrid 3 with advantage ε/3 m, m M c ß x m x ß {,} n m, m M k ß K c ß G(k) m b b Proof essentially identical to Hybrid /Hybrid case

How do we build PRGs?

Linear Feedback Shift Registers In each step, Last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers In each step, last bit of state is removed and outputted Rest of bits are shifted right First bit is XOR of subset of remaining bits

Linear Feedback Shift Registers Are LFSR s secure PRGs?

Linear Feedback Shift Registers Are LFSR s secure PRGs? No! First n bits of output = initial state x Write x = x,,x n, x Initialize LFSB to have state x,,x n Run LFSB for x steps, obtaining y Check if y = x

PRGs should be Unpredictable More generally, it should be hard, given some bits of output, to predict subsequent bits Definition: G is (t,p,ε)-unpredictable if, for all running in time at most t, Pr[G(s) p+ ß (G(s) [,p] ) ] ½ ε

PRGs should be Unpredictable More generally, it should be hard, given some bits of output, to predict subsequent bits Theorem: G is unpredictable iff it is pseudorandom

Proof Pseudorandomness à Unpredictability Assume towards contradiction s.t. Pr[G(s) p+ ß (G(s) [,p] ) ] ½ > ε

Proof Pseudorandomness à Unpredictability Construct x x [,p] b b x p+

Proof Pseudorandomness à Unpredictability Analysis: If x is random, Pr[ b x p+ = ] = ½ If x is pseudorandom, Pr[ b x p+ = ] = Pr[G(s) p+ ß (G(s) [,p] ) ] > (½ + ε) or < (½ - ε)

Proof Unpredictability à Pseudorandomness Assume towards contradiction s.t. Pr[ (G(s))=:sß {,} λ ] Pr[ (x)=:xß {,} t ] > ε

Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i H : truly random x H t : pseudorandom t

Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i Pr[ (x)=:xß H s ] Pr[ (x)=:xß H ] > ε Let q i = Pr[ (x)=:xß H i ]

Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i q t q > ε Let q i = Pr[ (x)=:xß H i ]

Proof Unpredictability à Pseudorandomness Hybrids: H i : x [,i] ß G(s), x [i+,t] ß {,} t-i By triangle inequality, there must exist an i s.t. q i q i- > ε/t Can assume wlog that q i q i- > ε/t

Proof Unpredictability à Pseudorandomness Construct y=g(s) [,i-] bß {,} y ß {,} t-i x = y b y b b b

Proof Unpredictability à Pseudorandomness Analysis: If b = G(s) i, then sees H i outputs with probability q i outputs b=g(s) i with probability q i

Proof Unpredictability à Pseudorandomness Analysis: If b = G(s) i, then Define q i as Pr[ outputs ] ½(q i + q i ) = q i- q i = 2q i- - q i outputs G(s) [,i] with probability -q i = + q i 2q i-

Proof Unpredictability à Pseudorandomness Analysis: Pr[ outputs G(s) i ] = ½ (q i ) + ½ ( + q i 2q i- ) = ½ + q i q i- > ½ + ε/t

Linearity

Linearity LFSR s are linear: state = state output = ( ) state ( )

Linearity LFSR s are linear: Each output bit is a linear function of the initial state (that is, G(s) = A s (mod 2) ) Any linear G cannot be a PRG Can check if x is in column- span of A using linear algebra

Introducing Non- linearity Non- linearity in the output: Non- linear feedback:

LFSR period Period = number of bits before state repeats After one period, output sequence repeats Therefore, should have extremely long period Ideally almost 2 λ Possible to design LFSR s with period 2 λ -

Hardware vs Software PRGs based on LFSR s are very fast in hardware Unfortunately, not easily amenable to software

RC4 Fast software based PRG Resisted attack for several years No longer considered secure, but still widely used

RC4 State = permutation on [256] plus two integers Permutation stored as 256- byte array S Init(6- byte k): For i=,,255 S[i] = i j = For i=,,255 j = j + S[i] + k[i mod 6] (mod 256) Swap S[i] and S[j] Output (S,,)

RC4 GetBits(S,i,j): i++ (mod 256) j+= S[i] (mod 256) Swap S[i] and S[j] t = S[i] + S[j] (mod 256) Output (S,i,j), S[t] New state Next output byte

Insecurity of RC4 Second byte of output is slightly biased towards Pr[second byte = 8 ] 2/256 Should be /256 Means RC4 is not secure according to our definition outputs iff second byte is equal to 8 Advantage: /256 Not a serious attack in practice, but demonstrates some structural weakness

Insecurity of RC4 Possible to extend attack to actually recover the input k in some use cases The seed is set to (IV, k) for some initial value IV Encrypt messages as RC4(IV,k) m Also give IV to attacker Cannot show security assuming RC4 is a PRG Can be used to completely break WEP encryption standard

Extending the Stretch of a PRG Suppose you have a fixed- stretch PRG G Better yet, a PRG that expands by a single bit G: {,} λ à {,} λ+ Construct a PRG G of arbitrary output length

Extending the Stretch of a PRG seed G state state G state 2 state 2 G state 3 state 3 G

Security Proof Assume towards contradiction Define hybrids

Security Proof H : {,} λ seed G state state G state 2 state 2 G state 3 state 3 G

Security Proof H : {,} λ {,} state state 2 G state 2 G state 3 state 3 G

Security Proof H 2 : {,} λ {,} {,} state 2 state 3 G state 3 G

Security Proof H t : {,} {,} {,} {,}

Security Proof H corresponds to pseudorandom x H t corresponds to truly random x Let q i = Pr[ (x)=:xß H i ] By assumption, q t q > ε i s.t. q i q i- > ε/t

Security Proof y state i state i+ G state i+ G state i+2 state i+2 G

Security Proof Analysis If y = G(s), then sees H i- Pr[ outputs ] = q i- Pr[ outputs ] = q i- If y is random, then sees H i Pr[ Pr[ outputs ] = q i outputs ] = q i

Summary Stream ciphers = secure encryption for arbitrary length, number of messages (though we did not completely prove it) However, implementation difficulties due to having to maintaining state

Reminders Project part Due Tomorrow HW2 will be released tonight

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback