B504/I538: Introduction to Cryptography Spring 2017 • Lecture 21 (2017—03—28)

Assignment 5 is due next Thursday! (2017—04—06)

Public-key encryption schemes Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that Gen：1ℕ→Ｋe×Ｋd is a randomized “keypair generation” algorithm; Enc：Ｋe×Ｍ→Ｃ is an (often randomized) “encryption” algorithm; Dec：Ｋd×Ｃ→Ｍ is a deterministic “decryption” algorithm. Usually write Encke(m) and Deckd(m) instead of Enc(ke,m) and Dec(kd,m) Ｋe is the encryption key space Ｋd is the decryption key space Ｍ is the message space Ｃ is the ciphertext space (set of possible encryption keys) (set of possible decryption keys) (set of possible messages) (set of possible ciphertexts)

Pr[Deckd(Encke(m))=m｜(ke,kd)←Gen(1s)]≥1-ε(s) Correctness Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key) Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ, Pr[Deckd(Encke(m))=m｜(ke,kd)←Gen(1s)]≥1-ε(s)

Recall: IND-CPA security “left–or–right” (for symmetric-key encryption) Challenger (C) Attacker (A) 1 s 1 s k←Gen(1 s) b∊{0，1} (m10，m11) (m10，m11)∈Ｍ×Ｍ (|m10|=|m11|) c1 c1←Enck(m1b) (m20，m21) (m20，m21)∈Ｍ×Ｍ (|m20|=|m21|) c2 c2←Enck(m2b) ⋮ (mq0，mq1) (mq0，mq1)∈Ｍ×Ｍ (|mq0|=|mq1|) cq cq←Enck(mqb) b‘∈{0，1} Define A’s advantage to be AdvCPA(A)≔|Pr[b=b’]-½|

Variants of the IND-CPA security game The game we have seen in lectures is sometimes called the “left­–or–right” IND–CPA game Three other (“equivalent”) variants are common: “Real–or–random” IND–CPA security game “Find–then–guess” IND–CPA security game Semantic security game

IND-CPA security “real–or–random” (for symmetric-key encryption) ⋮ ⋮ Game 0: (Attacker has access to real encryption oracle) Challenger (C) Attacker (A) 1 s m1 1 s k←Gen(1 s) m1∈Ｍ c1 c1←Enck(m1) ⋮ mn mn∈Ｍ cn cn←Enck(mn) b‘∈{0，1} Game 1: (Attacker has access to random oracle) Challenger (C) Attacker (A) 1 s k←Gen(1 s) m1 1 s m1∈Ｍ c1 c1∊Ｃ ⋮ mn mn∈Ｍ cn cn∊Ｃ b‘∈{0，1} Define A’s advantage to be AdvROR(A)≔|Pr[b=b’]-½|

IND-CPA security “find–then–guess” (for symmetric-key encryption) ⋮ Challenger (C) Attacker (A) 1 s 1 s k←Gen(1 s) b∊{0，1} m1 m1∈Ｍ c1 c1←Enck(m1) ⋮ mq mq∈Ｍ cq cq←Enck(mqb) (M1，M2) (M1，M2)∈Ｍ×Ｍ (|M1|=|M2|) C C←Enck(Mb) b‘∈{0，1} Define A’s advantage to be AdvFTG-CPA(A)≔|Pr[b=b’]-½|

IND-CPA security for public-key schemes For symmetric-key encryption, we had two options: Secrecy for a single message: Indistinguishable encryptions in the presence of an eavesdropper Secrecy for multiple messages: Indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA) Secrecy for single message ⇏secrecy for multiple messages For public-key encryption, we have only one option Secrecy for single message ⇔ secrecy for multiple messages

IND-CPA security (for public-key encryption) Challenger (C) Attacker (A) 1 s 1 s k←Gen(1 s) b∊{0，1} (m0，m1) (m0，m1)∈Ｍ×Ｍ (|m0|=|m1|) c←Enck(mb) c b‘∈{0，1} Define A’s advantage to be AdvCPA(A)≔|Pr[b=b’]-½| Defn: A public-key encryption scheme (Gen，Enc，Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCPA(A)≤ε(s).

IND-CCA2 security (for public-key encryption) 1 s 1 s ⋮ c←Encke(Mb) ⋮ Challenger (C) Attacker (A) ke 1 s (ke，kd)←Gen(1s) 1 s b∊{0，1} c1 c1∈Ｃ m1 m1≔Deckd(c1) ⋮ cn1 cn1∈Ｃ mn1 mn1≔Deckd(cn1) (M0，M1) (M0，M1)∈Ｍ×Ｍ c←Encke(Mb) c c’1 c’1∈Ｃ∖ {c} m’1 m’1≔Deckd(c’1) A cannot ask for Deckd(c) ⋮ c’n2 c’n2∈Ｃ∖ {c} m’n2 m’n2≔Deckd(c’n2) b‘∈{0，1} Define A’s advantage to be AdvCCA(A)≔|Pr[b=b’]-½|

IND-CCA2 security (for public-key encryption) Thm: A public-key encryption scheme (Gen，Enc，Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCCA(A)≤ε(s).

Consequences of public keys Thm (informal): Perfectly secret public-key encryption does not exist Unbounded attacker can learn m via brute force (How do we know this is always possible?) Thm (informal): Deterministic IND-CPA secure public- key encryption does not exist PPT attacker can still learn m via brute force, given some prior knowledge about m

Recall: One-way permutations (OWPs) Challenger (C) Inverter (A) 1 s 1 s x∊{0，1}s y≔π(x) y x Let E be the event that π(x)≟y Define A’s advantage to be Advπ-1(A)≔Pr[E]

Recall: One-way permutations (OWPs) Defn: A function π：{0，1}*→{0，1}* is a one-way permutation (OWP) if it is easy to compute: there exists an efficient algorithm that , on input x∈{0，1}*, outputs π(x); length-preserving: for all x∈{0，1}*, |x|=|π(x)|; one–to–one: for all x1，x2∈{0，1}*, π(x)=π(y) implies x=y; and hard to invert: for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that Advπ-1(A) ≤ 𝜀(s).

Trapdoor (one-way) permutations (TDPs) Intuitively, a trapdoor OWP is an OWP with a “trapdoor” that makes inverting easy With trapdoor: ∃ PPT A that inverts with overwhelming probability Without trapdoor: ∄ PPT A that inverts with non-negligible probability ⇒ hard for any PPT A to find the trapdoor Formally, we consider a family of permutations, each with its own trapdoor

Trapdoor (one-way) permutations (TDPs) Defn: A triple of PPT algorithms (Gen，Samp，Inv) is a family of trapdoor permutations if Gen：1ℕ→Ｋe×Ｋd is a randomized algorithm. Each (ke,kd)←Gen(1n) defines a set Dke and an OWP πDke：Dke →Dke. Samp： Ｋe→ ⋃ Dke is a randomized algorithm that, on input any ke∈Ｋe, outputs a random element of Dke Inv： Ｋd× ⋃ Dke → ⋃ Dke is a deterministic algorithm on input kd and x∈Dke for any (ke，kd)←Gen(1n), outputs ΠD-1ke(x)

That’s all for today, folks!