B504/I538: Introduction to Cryptography


B504/I538: Introduction to Cryptography, Spring 2017 • Lecture 21 (2017-03-28)

Assignment 5 is due next Thursday! (2017-04-06)

Public-key encryption schemes

Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that
- $\mathrm{Gen}: 1^{\mathbb{N}} \to K_e \times K_d$ is a randomized “keypair generation” algorithm;
- $\mathrm{Enc}: K_e \times M \to C$ is an (often randomized) “encryption” algorithm;
- $\mathrm{Dec}: K_d \times C \to M$ is a deterministic “decryption” algorithm.

Usually write $\mathrm{Enc}_{k_e}(m)$ and $\mathrm{Dec}_{k_d}(m)$ instead of $\mathrm{Enc}(k_e, m)$ and $\mathrm{Dec}(k_d, m)$.

- $K_e$ is the encryption key space (set of possible encryption keys)
- $K_d$ is the decryption key space (set of possible decryption keys)
- $M$ is the message space (set of possible messages)
- $C$ is the ciphertext space (set of possible ciphertexts)

Correctness

Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key).

Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space $M$ is correct if there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that, $\forall s \in \mathbb{N}$ and $\forall m \in M$,

$$\Pr[\mathrm{Dec}_{k_d}(\mathrm{Enc}_{k_e}(m)) = m \mid (k_e, k_d) \leftarrow \mathrm{Gen}(1^s)] \ge 1 - \varepsilon(s)$$

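Recall: IND-CPA security “left–or–right” (for symmetric-key encryption)

Challenger (C) and Attacker (A) each receive $1^s$.
1. C: $k \leftarrow \mathrm{Gen}(1^s)$, $b \in_R \{0,1\}$
2. A → C: $(m_{1,0}, m_{1,1}) \in M \times M$ with $|m_{1,0}| = |m_{1,1}|$; C → A: $c_1 \leftarrow \mathrm{Enc}_k(m_{1,b})$
3. A → C: $(m_{2,0}, m_{2,1}) \in M \times M$ with $|m_{2,0}| = |m_{2,1}|$; C → A: $c_2 \leftarrow \mathrm{Enc}_k(m_{2,b})$
4. ⋮
5. A → C: $(m_{q,0}, m_{q,1}) \in M \times M$ with $|m_{q,0}| = |m_{q,1}|$; C → A: $c_q \leftarrow \mathrm{Enc}_k(m_{q,b})$
6. A outputs $b' \in \{0,1\}$

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{CPA}}(A) := |\Pr[b = b'] - \tfrac{1}{2}|$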

Variants of the IND-CPA security game

The game we have seen in lectures is sometimes called the “left–or–right” IND–CPA game.

Three other (“equivalent”) variants are common:
- “Real–or–random” IND–CPA security game
- “Find–then–guess” IND–CPA security game
- Semantic security game

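IND-CPA security “real–or–random” (for symmetric-key encryption)

Game 0: (Attacker has access to real encryption oracle)
Challenger (C) and Attacker (A) each receive $1^s$.
1. C: $k \leftarrow \mathrm{Gen}(1^s)$
2. A → C: $m_1 \in M$; C → A: $c_1 \leftarrow \mathrm{Enc}_k(m_1)$
3. ⋮
4. A → C: $m_n \in M$; C → A: $c_n \leftarrow \mathrm{Enc}_k(m_n)$
5. A outputs $b' \in \{0,1\}$

Game 1: (Attacker has access to random oracle)
Challenger (C) and Attacker (A) each receive $1^s$.
1. C: $k \leftarrow \mathrm{Gen}(1^s)$
2. A → C: $m_1 \in M$; C → A: $c_1 \in_R C$
3. ⋮
4. A → C: $m_n \in M$; C → A: $c_n \in_R C$
5. A outputs $b' \in \{0,1\}$

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{ROR}}(A) := |\Pr[b = b'] - \tfrac{1}{2}|$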

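IND-CPA security “find–then–guess” (for symmetric-key encryption)

Challenger (C) and Attacker (A) each receive $1^s$.
1. C: $k \leftarrow \mathrm{Gen}(1^s)$, $b \in_R \{0,1\}$
2. A → C: $m_1 \in M$; C → A: $c_1 \leftarrow \mathrm{Enc}_k(m_1)$
3. ⋮
4. A → C: $m_q \in M$; C → A: $c_q \leftarrow \mathrm{Enc}_k(m_q)$
5. A → C: $(M_1, M_2) \in M \times M$ with $|M_1| = |M_2|$; C → A: $C \leftarrow \mathrm{Enc}_k(M_b)$
6. A outputs $b' \in \{0,1\}$

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{FTG\text{-}CPA}}(A) := |\Pr[b = b'] - \tfrac{1}{2}|$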

IND-CPA security for public-key schemes

For symmetric-key encryption, we had two options:
- Secrecy for a single message: Indistinguishable encryptions in the presence of an eavesdropper
- Secrecy for multiple messages: Indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA)

Secrecy for single message ⇏ secrecy for multiple messages

For public-key encryption, we have only one option:

Secrecy for single message ⇔ secrecy for multiple messages

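IND-CPA security (for public-key encryption)

Challenger (C) and Attacker (A) each receive $1^s$.
1. C: $k \leftarrow \mathrm{Gen}(1^s)$, $b \in_R \{0,1\}$
2. A → C: $(m_0, m_1) \in M \times M$ with $|m_0| = |m_1|$
3. C → A: $c \leftarrow \mathrm{Enc}_k(m_b)$
4. A outputs $b' \in \{0,1\}$

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{CPA}}(A) := |\Pr[b = b'] - \tfrac{1}{2}|$

Defn: A public-key encryption scheme (Gen, Enc, Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\mathrm{CPA}}(A) \le \varepsilon(s)$.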

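IND-CCA2 security (for public-key encryption)

Challenger (C) and Attacker (A) each receive $1^s$.
1. C: $(k_e, k_d) \leftarrow \mathrm{Gen}(1^s)$, $b \in_R \{0,1\}$; C → A: $k_e$
2. A → C: $c_1 \in C$; C → A: $m_1 := \mathrm{Dec}_{k_d}(c_1)$
3. ⋮
4. A → C: $c_{n_1} \in C$; C → A: $m_{n_1} := \mathrm{Dec}_{k_d}(c_{n_1})$
5. A → C: $(M_0, M_1) \in M \times M$; C → A: $c \leftarrow \mathrm{Enc}_{k_e}(M_b)$
6. A → C: $c'_1 \in C \setminus \{c\}$; C → A: $m'_1 := \mathrm{Dec}_{k_d}(c'_1)$
7. ⋮
8. A → C: $c'_{n_2} \in C \setminus \{c\}$; C → A: $m'_{n_2} := \mathrm{Dec}_{k_d}(c'_{n_2})$
9. A outputs $b' \in \{0,1\}$

A cannot ask for $\mathrm{Dec}_{k_d}(c)$.

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{CCA}}(A) := |\Pr[b = b'] - \tfrac{1}{2}|$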

IND-CCA2 security (for public-key encryption)

Thm: A public-key encryption scheme (Gen, Enc, Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\mathrm{CCA}}(A) \le \varepsilon(s)$.

Consequences of public keys

Thm (informal): Perfectly secret public-key encryption does not exist
- Unbounded attacker can learn m via brute force (How do we know this is always possible?)

Thm (informal): Deterministic IND-CPA secure public-key encryption does not exist
- PPT attacker can still learn m via brute force, given some prior knowledge about m
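The second theorem, played out as the IND-CPA game (an added example, not part of the original slides): the attacker holds ke, so against a deterministic Enc it encrypts m0 itself and compares with the challenge. The toy ElGamal-style scheme, the group parameters and all function names are assumptions chosen for this illustration.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G generates the order-Q subgroup of Z_P^*.
P, Q, G = 2579, 1289, 4

def gen():
    """Gen: return (ke, kd) = (G^kd mod P, kd)."""
    kd = secrets.randbelow(Q - 1) + 1
    return pow(G, kd, P), kd

def enc(ke, m, r=None):
    """Randomized Enc (ElGamal-style): fresh r for every ciphertext."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(ke, r, P)) % P

def enc_deterministic(ke, m):
    """Same scheme with the randomness pinned: Enc is a function of (ke, m)."""
    return enc(ke, m, r=1)

def dec(kd, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - kd, P)) % P  # c2 * c1^(-kd) mod P

def attacker(ke, m0, m1, c, encrypt):
    """A holds ke, so it can encrypt m0 itself and compare with the challenge."""
    return 0 if encrypt(ke, m0) == c else 1

def estimate_advantage(encrypt, trials=2000):
    """Run the IND-CPA game `trials` times; return |Pr[b = b'] - 1/2|."""
    m0, m1 = 16, 64  # two distinct subgroup elements (4^2 and 4^3)
    wins = 0
    for _ in range(trials):
        ke, _kd = gen()
        b = secrets.randbelow(2)
        c = encrypt(ke, (m0, m1)[b])
        wins += attacker(ke, m0, m1, c, encrypt) == b
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("deterministic Enc:", estimate_advantage(enc_deterministic))
    print("randomized Enc:   ", estimate_advantage(enc))
```

With the randomness pinned the attacker wins every game; with fresh randomness the same strategy does no better than guessing.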

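Recall: One-way permutations (OWPs)

Challenger (C) and Inverter (A) each receive $1^s$.
1. C: $x \in_R \{0,1\}^s$, $y := \pi(x)$
2. C → A: $y$
3. A → C: $x$

Let E be the event that $\pi(x) \stackrel{?}{=} y$.

Define A’s advantage to be $\mathrm{Adv}^{\pi^{-1}}(A) := \Pr[E]$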

Recall: One-way permutations (OWPs)

Defn: A function $\pi: \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation (OWP) if it is
- easy to compute: there exists an efficient algorithm that, on input $x \in \{0,1\}^*$, outputs $\pi(x)$;
- length-preserving: for all $x \in \{0,1\}^*$, $|x| = |\pi(x)|$;
- one–to–one: for all $x_1, x_2 \in \{0,1\}^*$, $\pi(x_1) = \pi(x_2)$ implies $x_1 = x_2$; and
- hard to invert: for every PPT algorithm A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\pi^{-1}}(A) \le \varepsilon(s)$.

Trapdoor (one-way) permutations (TDPs)

Intuitively, a trapdoor OWP is an OWP with a “trapdoor” that makes inverting easy
- With trapdoor: ∃ PPT A that inverts with overwhelming probability
- Without trapdoor: ∄ PPT A that inverts with non-negligible probability
  ⇒ hard for any PPT A to find the trapdoor

Formally, we consider a family of permutations, each with its own trapdoor

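Trapdoor (one-way) permutations (TDPs)

Defn: A triple of PPT algorithms (Gen, Samp, Inv) is a family of trapdoor permutations if
- $\mathrm{Gen}: 1^{\mathbb{N}} \to K_e \times K_d$ is a randomized algorithm. Each $(k_e, k_d) \leftarrow \mathrm{Gen}(1^n)$ defines a set $D_{k_e}$ and an OWP $\pi_{D_{k_e}}: D_{k_e} \to D_{k_e}$.
- $\mathrm{Samp}: K_e \to \bigcup D_{k_e}$ is a randomized algorithm that, on input any $k_e \in K_e$, outputs a random element of $D_{k_e}$.
- $\mathrm{Inv}: K_d \times \bigcup D_{k_e} \to \bigcup D_{k_e}$ is a deterministic algorithm that, on input $k_d$ and $x \in D_{k_e}$ for any $(k_e, k_d) \leftarrow \mathrm{Gen}(1^n)$, outputs $\pi_{D_{k_e}}^{-1}(x)$.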
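A concrete instance of the (Gen, Samp, Inv) interface, added here as an example and not taken from the slides: textbook RSA over toy primes, with D_ke = Z_N^*. The choice of RSA, the prime list, the exponent and the helper names perm, domain, is_permutation and roundtrip_ok are assumptions for illustration.

```python
import math
import secrets

TOY_PRIMES = [53, 59, 61, 67, 71, 73]  # constructed toy sizes, not secure
E = 17  # coprime to (p-1)(q-1) for every pair drawn from TOY_PRIMES

def gen():
    """Gen: ke = (N, e) describes the permutation; kd = (N, d) is the trapdoor."""
    p, q = secrets.SystemRandom().sample(TOY_PRIMES, 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def domain(ke):
    """D_ke = Z_N^*, listed explicitly (possible only because N is tiny)."""
    n, _ = ke
    return [x for x in range(1, n) if math.gcd(x, n) == 1]

def samp(ke):
    """Samp: a uniformly random element of D_ke, by rejection sampling."""
    n, _ = ke
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            return x

def perm(ke, x):
    """The permutation pi on D_ke, computable from the public ke alone."""
    n, e = ke
    return pow(x, e, n)

def inv(kd, y):
    """Inv: undo the permutation using the trapdoor exponent d."""
    n, d = kd
    return pow(y, d, n)

def is_permutation(ke):
    """Check that perm maps D_ke onto D_ke with no collisions."""
    d_ke = domain(ke)
    return sorted(perm(ke, x) for x in d_ke) == d_ke

def roundtrip_ok(ke, kd, samples=200):
    """Check Inv(kd, pi(x)) == x on freshly sampled domain elements."""
    return all(inv(kd, perm(ke, x)) == x
               for x in (samp(ke) for _ in range(samples)))

if __name__ == "__main__":
    ke, kd = gen()
    print(ke, is_permutation(ke), roundtrip_ok(ke, kd))
```

At these sizes the permutation is of course not one-way; the example shows only the interface and the permutation and inversion properties.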

That’s all for today, folks!