III. Pseudorandom functions & encryption

Similar documents
CPA-Security. Definition: A private-key encryption scheme

CTR mode of operation

Block Ciphers/Pseudorandom Permutations

Block ciphers And modes of operation. Table of contents

Computational security & Private key encryption

Modern symmetric-key Encryption

Modern Cryptography Lecture 4

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Lecture 7: CPA Security, MACs, OWFs

Notes on Property-Preserving Encryption

Chosen Plaintext Attacks (CPA)

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Chapter 11 : Private-Key Encryption

1 Number Theory Basics

Lecture 5, CPA Secure Encryption from PRFs

Lecture 13: Private Key Encryption

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Constructing secure MACs Message authentication in action. Table of contents

8 Security against Chosen Plaintext

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

Lectures 2+3: Provable Security

Private-Key Encryption

1 Indistinguishability for multiple encryptions

CS 6260 Applied Cryptography

2 Message authentication codes (MACs)

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Semantic Security and Indistinguishability in the Quantum World

Chosen-Ciphertext Security (I)

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Public-Key Encryption

El Gamal A DDH based encryption scheme. Table of contents

Public Key Cryptography

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Scribe for Lecture #5

Provable Security in Symmetric Key Cryptography

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Symmetric Encryption

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Block encryption of quantum messages

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

CS 6260 Applied Cryptography

Perfectly-Secret Encryption

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Homework 7 Solutions

Chapter 2 : Perfectly-Secret Encryption

A note on the equivalence of IND-CCA & INT-PTXT and IND-CCA & INT-CTXT

Introduction to Cryptology. Lecture 3

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Advanced Topics in Cryptography

Hierarchical identity-based encryption

Relations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

RSA-OAEP and Cramer-Shoup

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Randomness-Dependent Message Security

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Standard versus Selective Opening Security: Separation and Equivalence Results

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

The Cramer-Shoup Cryptosystem

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Non-malleability under Selective Opening Attacks: Implication and Separation

Lecture 9 - Symmetric Encryption

On the CCA1-Security of Elgamal and Damgård s Elgamal

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Public-seed Pseudorandom Permutations EUROCRYPT 2017

The Random Oracle Model and the Ideal Cipher Model are Equivalent

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Property Preserving Symmetric Encryption Revisited

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Lecture 5: Pseudorandom functions from pseudorandom generators

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

A survey on quantum-secure cryptographic systems

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Public Key Cryptography

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Pseudorandom functions and permutations

On the power of non-adaptive quantum chosen-ciphertext attacks

Identity-based encryption

On Post-Quantum Cryptography

ON CIPHERTEXT UNDETECTABILITY. 1. Introduction

Transcription:

III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion: indistinguishable encryption against chosen plaintext attacks 1

The indistinguishability game Let A be a probabilistic polynomial time algorithm (ppt). cpa CPA indistinguishability game PrivK A,Π ( n) 1. k Gen( 1 n ). 2. A receives input 1 n and has oracle access to Enc ( k ). { } with m 0 = m 1. Outputs two plaintexts m 0,m 1 0,1 3. b { 0,1},c Enc ( k m b ). c given to A. 4. A continues to have oracle access to Enc ( k ). It outputs b'. 5. Output of experiment is 1, if b = b', otherwise output is 0. cpa Write Pr ivk A,Π has won. ( n) = 1, if output is 1. Say A has succeded or A 2

Oracle access Algorithm D has oracle access to function f : U R, if D 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) access to f ( ). to denote that algorithm D has oracle 3

The indistinguishability game Definition 3.1 Π = ( Gen,Enc,Dec) has indistinguishable encryptions under chosen plaintext attacks (is cpa-secure) if for every probabilistic polynomial time algorithm A there is a negligible function µ : N R + such that cpa Pr Pr ivk A,Π ( n) = 1 1 2 + µ ( n ). Observation A cpa-secure encryption scheme cannot have a deterministic encryption algorithm. 4

Multiple messages Multiple messages cpa game Pr ivk mult cpa A,Π 1. k Gen( 1 n ). ( n) 2. A receives input 1 n and has oracle access to Enc ( k ). A outputs two vectors of messages M 0 = ( m 1 t 0,,m 0 ), M 1 = ( m 1 t 1,,m ) i 1 with m 0 = m 1 i for all i. 3. b { 0,1},c i Enc ( i k m b ). C = ( c 1,,c ) t is given to A. 4. A continues to have oracle access to Enc ( k ). A outputs bit b'. 5. Output of experiment is 1, if b = b', otherwise output is 0. Write Pr ivk A,Π mult cpa = 1, if output is 1. Say A has succeded or A has won. 5

CPA-security and multiple messages Theorem 3.2 If encryption scheme Π = ( Gen,Enc,Dec) is cpa-secure, then it also has indistinguishable multiple encryption under chosen plaintext attacks. 6

CPA-security and blocks of messages Π = ( Gen,Enc,Dec) fixed length, l( n) = 1. ( ) as follows Define Π = Ge n,en c,de c Ge n : same as Gen En c : En c k m De c : De c k ( ) = Enc k m 1 m = m 1 m s,m i { 0,1} l(n) ( ) Enc ( k m s ), ( c) = Dec ( k c 1 ) Dec ( k c ) s Corollary 3.3 If encryption scheme Π = ( Gen,Enc,Dec) is ( ) is cpa-secure. cpa-secure, then Π = Ge n,en c,de c 7

Truly random functions n { n n { } { } } Func : = f : 0,1 0,1 Func = 2 n n2 n random function: f Func n 8

Keyed functions { } { 0,1} { 0,1} ( k,x)! F( k,x) ( ) = F k x F : 0,1 called keyed function. Write F k,x ( ). F called length-preserving, if F is only defined for ( x,k) 0,1 F k { } { 0,1} with x = k and if for all ( x,k) ( x) = k = x. F called efficient, if there is a polynomial time algorithm A with A( k,x) = F ( k x) for all x,k { 0,1}. F called permutation, if for every n N and k { 0,1} n F k : { 0,1} n { 0,1} n is bijective. 9

Oracle access Algorithm D has oracle access to function f : U R, if D 1. can write elements x U into special memory cells, 2. in one step receives function value f ( x). Notation Write D f ( ) access to f ( ). to denote that algorithm D has oracle 10

Pseudorandom function (PRF) Definition 3.4 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient and length-preserving function. F is called a pseudorandom function, if for all ppt distinguishers D there is a negligible function µ such that for all n N ( ) Pr D F k ( 1 n ) = 1 ( ) Pr Df where k { 0,1} n,f Func n. ( 1 n ) = 1 µ ( n ), Func n := f : 0,1 { { } n { 0,1} n } 11

Pseudorandom functions f 1 f 2 f 3 F k1 F k2 f 5 f 4 f 6 F k5 F k3 f 8 f 9 f 11 f 10 f 11 f 7 Distinguisher D F F k 6 k 4 Func n with uniform distribution F n = F k { ( ) } k 0,1 { } n with distribution k 0,1 { } n 12

Truly random permutations n { { } n n { } } Perm : = f : 0,1 0,1 f is a permutation n Permn = 2! random permutation: f Perm n 13

Pseudorandom permutation (PRP) Definition 3.5 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient and length-preserving permutation. F is called a pseudorandom permutation, if for all ppt distinguishers D there is a negligible function µ such that for all n N ( ) Pr D F k ( 1 n ) = 1 ( ) Pr Df where k { 0,1} n,f Perm n. ( 1 n ) = 1 µ ( n ), 14

From PRF to cpa-security Construction 3.6 Let F : { 0,1} { 0,1} { 0,1} be a keyed, efficient, and length-preserving function. Define Π F = ( Gen F,Enc F,Dec ) F as follows: Gen F : on input 1 n, choose k { 0,1} n. Enc F : on input k,m { 0,1} n, choose r { 0,1} n and output c := ( r,m F ( k r )). Dec F : on input c = ( r,s) { 0,1} n { 0,1} n and k { 0,1} n output m := s F k ( r ). 15

From PRF to cpa-security Theorem 3.7 If F is a pseudorandom function, then Π F as defined in Construction 3.6 is cpa-secure. 16

From adversaries to distinguishers D on input 1 n and oracle access to f : { 0,1} n { 0,1} n 1. Simulate A( 1 n ). When A queries for an encryption of m { 0,1} n, answer as follows: { } n a) r 0,1 b) Query f ( ). ( ) to obtain f ( r ) and return r,m f ( r ) 2 When A outputs m 0,m 1, choose b { 0,1}, then { } n a) r 0,1 b) Query f c := ( r,m b f ( r )). ( ) to obtain f ( r ) and return 3. Continue to simulate A and answer encryption queries as in 1. Let A's output be b { 0,1}. Output 1, if b = b, 17 otherwise output 0.

A conceptual scheme Define Π true = ( Gen true,enc true,dec ) true as follows: Gen true : on input 1 n, choose f Func n. Enc true : on input f, m { 0,1} n, choose r { 0,1} n and output Dec true : c := ( r,m f ( r )). on input c = ( r,s) { 0,1} n { 0,1} n and f Func n output m := s f ( r ). Remark - The scheme is not an encryption scheme, because it is not efficient. It is only used in the proof of Theorem 3.7. - The CPA indistiguishability experiment can be defined for 18 this scheme.

From PRF to cpa-security two basic claims Claim 1 For all ppts A Pr Pr ivk cpa A,ΠF (n) = 1 Pr Pr ivk cpa (n) = 1 A,Π true ( ) = Pr D F k ( 1 n ) = 1 ( ) Pr Df ( 1 n ) = 1. Claim 2 Let A be a ppt adversary in PrivK cpa A, that on input 1 n makes at most q(n) oracle queries. Then Pr cpa Priv A,Πtrue (n) = 1 1 2 + q(n) 2. n 19

The CCA indistinguishability game 1. k Gen( 1 n ) cca CCA indistinguishability game Pr ivk A,Π ( n) 2. A on input 1 n has access to encryption algorithm Enc ( k ) and to decryption algorithm Dec k m 0,m 1 { 0,1} * of equal length. 3. b { 0,1}, c Enc ( k m b ). c is given to A. ( ). A outputs 2 messages 4. b A( 1 n,c), here A has access to encryption algorithm Enc k Dec k ( ) and to decryption algorithm Dec ( k ), but query ( c) is forbidden. 5. Output of experiment is 1, if b = b 20. Otherwise output is 0.

CCA-security Definition 3.8 Π = ( Gen,Enc,Dec) has indistinguishable encryptions under chosen ciphertext attacks (is cca-secure) if for every probabilistic polynomial time algorithm A there is a negligible function µ : N R + such that cca Pr Pr ivk A,Π ( n) = 1 1 2 + µ ( n ). Observation cpa-security does not imply cca-security. 21

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback