III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion: indistinguishable encryption against chosen plaintext attacks 1
The indistinguishability game Let A be a probabilistic polynomial time algorithm (ppt). cpa CPA indistinguishability game PrivK A,Π ( n) 1. k Gen( 1 n ). 2. A receives input 1 n and has oracle access to Enc ( k ). { } with m 0 = m 1. Outputs two plaintexts m 0,m 1 0,1 3. b { 0,1},c Enc ( k m b ). c given to A. 4. A continues to have oracle access to Enc ( k ). It outputs b'. 5. Output of experiment is 1, if b = b', otherwise output is 0. cpa Write Pr ivk A,Π has won. ( n) = 1, if output is 1. Say A has succeded or A 2
Oracle access Algorithm D has oracle access to function f : U R, if D 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) access to f ( ). to denote that algorithm D has oracle 3
The indistinguishability game Definition 3.1 Π = ( Gen,Enc,Dec) has indistinguishable encryptions under chosen plaintext attacks (is cpa-secure) if for every probabilistic polynomial time algorithm A there is a negligible function µ : N R + such that cpa Pr Pr ivk A,Π ( n) = 1 1 2 + µ ( n ). Observation A cpa-secure encryption scheme cannot have a deterministic encryption algorithm. 4
Multiple messages Multiple messages cpa game Pr ivk mult cpa A,Π 1. k Gen( 1 n ). ( n) 2. A receives input 1 n and has oracle access to Enc ( k ). A outputs two vectors of messages M 0 = ( m 1 t 0,,m 0 ), M 1 = ( m 1 t 1,,m ) i 1 with m 0 = m 1 i for all i. 3. b { 0,1},c i Enc ( i k m b ). C = ( c 1,,c ) t is given to A. 4. A continues to have oracle access to Enc ( k ). A outputs bit b'. 5. Output of experiment is 1, if b = b', otherwise output is 0. Write Pr ivk A,Π mult cpa = 1, if output is 1. Say A has succeded or A has won. 5
CPA-security and multiple messages Theorem 3.2 If encryption scheme Π = ( Gen,Enc,Dec) is cpa-secure, then it also has indistinguishable multiple encryption under chosen plaintext attacks. 6
CPA-security and blocks of messages Π = ( Gen,Enc,Dec) fixed length, l( n) = 1. ( ) as follows Define Π = Ge n,en c,de c Ge n : same as Gen En c : En c k m De c : De c k ( ) = Enc k m 1 m = m 1 m s,m i { 0,1} l(n) ( ) Enc ( k m s ), ( c) = Dec ( k c 1 ) Dec ( k c ) s Corollary 3.3 If encryption scheme Π = ( Gen,Enc,Dec) is ( ) is cpa-secure. cpa-secure, then Π = Ge n,en c,de c 7
Truly random functions n { n n { } { } } Func : = f : 0,1 0,1 Func = 2 n n2 n random function: f Func n 8
Keyed functions { } { 0,1} { 0,1} ( k,x)! F( k,x) ( ) = F k x F : 0,1 called keyed function. Write F k,x ( ). F called length-preserving, if F is only defined for ( x,k) 0,1 F k { } { 0,1} with x = k and if for all ( x,k) ( x) = k = x. F called efficient, if there is a polynomial time algorithm A with A( k,x) = F ( k x) for all x,k { 0,1}. F called permutation, if for every n N and k { 0,1} n F k : { 0,1} n { 0,1} n is bijective. 9
Oracle access Algorithm D has oracle access to function f : U R, if D 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) access to f ( ). to denote that algorithm D has oracle 10
Pseudorandom function (PRF) Definition 3.4 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient and length-preserving function. F is called a pseudorandom function, if for all ppt distinguishers D there is a negligible function µ such that for all n N ( ) Pr D F k ( 1 n ) = 1 ( ) Pr Df where k { 0,1} n,f Func n. ( 1 n ) = 1 µ ( n ), Func n := f : 0,1 { { } n { 0,1} n } 11
Pseudorandom functions f 1 f 2 f 3 F k1 F k2 f 5 f 4 f 6 F k5 F k3 f 8 f 9 f 11 f 10 f 11 f 7 Distinguisher D F F k 6 k 4 Func n with uniform distribution F n = F k { ( ) } k 0,1 { } n with distribution k 0,1 { } n 12
Truly random permutations n { { } n n { } } Perm : = f : 0,1 0,1 f is a permutation n Permn = 2! random permutation: f Perm n 13
Pseudorandom permutation (PRP) Definition 3.5 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient and length-preserving permutation. F is called a pseudorandom permutation, if for all ppt distinguishers D there is a negligible function µ such that for all n N ( ) Pr D F k ( 1 n ) = 1 ( ) Pr Df where k { 0,1} n,f Perm n. ( 1 n ) = 1 µ ( n ), 14
From PRF to cpa-security Construction 3.6 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient, and length-preserving function. Define Π F = ( Gen F,Enc F,Dec ) F as follows: Gen F : on input 1 n, choose k { 0,1} n. Enc F : on input k,m { 0,1} n, choose r { 0,1} n and output c := ( r,m F ( k r )). Dec F : on input c = ( r,s) { 0,1} n { 0,1} n and k { 0,1} n output m := s F k ( r ). 15
From PRF to cpa-security Theorem 3.7 If F is a pseudorandom function, then Π F as defined in Construction 3.6 is cpa-secure. 16
From adversaries to distinguishers D on input 1 n and oracle access to f : { 0,1} n { 0,1} n 1. Simulate A( 1 n ). When A queries for an encryption of m { 0,1} n, answer as follows: { } n a) r 0,1 b) Query f ( ). ( ) to obtain f ( r ) and return r,m f ( r ) 2 When A outputs m 0,m 1, choose b { 0,1}, then { } n a) r 0,1 b) Query f c := ( r,m b f ( r )). ( ) to obtain f ( r ) and return 3. Continue to simulate A and answer encryption queries as in 1. Let A's output be b { 0,1}. Output 1, if b = b, 17 otherwise output 0.
A conceptual scheme Define Π true = ( Gen true,enc true,dec ) true as follows: Gen true : on input 1 n, choose f Func n. Enc true : on input f, m { 0,1} n, choose r { 0,1} n and output Dec true : c := ( r,m f ( r )). on input c = ( r,s) { 0,1} n { 0,1} n and f Func n output m := s f ( r ). Remark - The scheme is not an encryption scheme, because it is not efficient. It is only used in the proof of Theorem 3.7. - The CPA indistiguishability experiment can be defined for 18 this scheme.
From PRF to cpa-security two basic claims Claim 1 For all ppts A Pr Pr ivk cpa A,ΠF (n) = 1 Pr Pr ivk cpa (n) = 1 A,Π true ( ) = Pr D F k ( 1 n ) = 1 ( ) Pr Df ( 1 n ) = 1. Claim 2 Let A be a ppt adversary in PrivK cpa A, that on input 1 n makes at most q(n) oracle queries. Then Pr cpa Priv A,Πtrue (n) = 1 1 2 + q(n) 2. n 19
The CCA indistinguishability game 1. k Gen( 1 n ) cca CCA indistinguishability game Pr ivk A,Π ( n) 2. A on input 1 n has access to encryption algorithm Enc ( k ) and to decryption algorithm Dec k m 0,m 1 { 0,1} * of equal length. 3. b { 0,1}, c Enc ( k m b ). c is given to A. ( ). A outputs 2 messages 4. b A( 1 n,c), here A has access to encryption algorithm Enc k Dec k ( ) and to decryption algorithm Dec ( k ), but query ( c) is forbidden. 5. Output of experiment is 1, if b = b 20. Otherwise output is 0.
CCA-security Definition 3.8 Π = ( Gen,Enc,Dec) has indistinguishable encryptions under chosen ciphertext attacks (is cca-secure) if for every probabilistic polynomial time algorithm A there is a negligible function µ : N R + such that cca Pr Pr ivk A,Π ( n) = 1 1 2 + µ ( n ). Observation cpa-security does not imply cca-security. 21