Cryptography Lecture 6
CPA-security [Figure labels: shared key k; m, c, Enc_k(m); m1, c1, Enc_k(m1); m2, c2]
Is the threat model too strong? In practice, there are many ways an attacker can influence what gets encrypted. It is not clear how best to model this. Chosen-plaintext attacks encompass any such influence. Moreover, in some cases an attacker may have significant control over what gets encrypted.
“Midway” [Figure labels: "AF is short of water…"; "Will attack AF …"; "Help! Fresh water needed"; Midway Island] For more details, see: http://www.navy.mil/midway/how.html
CPA-security: Fix , A. Define a randomized experiment PrivK^CPA_{A,}(n): k Gen(1^n). A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length. b {0,1}, c Enc_k(m_b); give c to A. A can continue to interact with Enc_k(·). A outputs b'; A succeeds if b = b', and the experiment evaluates to 1 in this case.
CPA-security: is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function such that Pr[PrivK^CPA_{A,}(n) = 1] ≤ ½ + (n).
Impossible? Consider the following attacker A: Using a chosen-plaintext attack, get c_0 = Enc_k(m_0) and c_1 = Enc_k(m_1). Output m_0, m_1; get challenge ciphertext c. If c = c_0 output ‘0’; if c = c_1 output ‘1’. A succeeds with probability 1 (?). This attack only works if encryption is deterministic! Moral: randomized encryption must be used!
Randomized encryption: The issue is not an artifact of our definition. It really is a problem if an attacker can tell when the same message is encrypted twice.
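The experiment and the attacker from the "Impossible?" slide, run against a deterministic and a randomized scheme, as an added example that is not part of the lecture. Both toy schemes, the use of HMAC-SHA256 as the keyed function, and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def F(k, x):
    # Keyed function; HMAC-SHA256 is an assumption chosen for this sketch.
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a, b):
    # zip truncates to the shorter input, so messages may be up to 32 bytes.
    return bytes(p ^ q for p, q in zip(a, b))

def enc_det(k, m):
    # Deterministic toy scheme: same (k, m) always gives the same ciphertext.
    return xor(F(k, b"fixed-pad"), m)

def enc_rand(k, m):
    # Randomized toy scheme: fresh r per call, ciphertext is r || (F(k, r) xor m).
    r = secrets.token_bytes(16)
    return r + xor(F(k, r), m)

def replay_attacker(oracle):
    # Attacker from the slide: query the oracle on m0 and m1, then compare.
    m0, m1 = b"\x00" * 16, b"\xff" * 16
    c0, c1 = oracle(m0), oracle(m1)
    def guess(c):
        if c == c0:
            return 0
        if c == c1:
            return 1
        return secrets.randbelow(2)  # no match: fall back to a coin flip
    return m0, m1, guess

def privk_cpa(enc, attacker, n=16):
    # One run of the experiment; returns 1 if the attacker outputs b' = b.
    k = secrets.token_bytes(n)
    oracle = lambda m: enc(k, m)
    m0, m1, guess = attacker(oracle)
    assert len(m0) == len(m1)
    b = secrets.randbelow(2)
    c = oracle((m0, m1)[b])
    return int(guess(c) == b)

def success_rate(enc, trials=2000):
    # Empirical estimate of Pr[experiment = 1] for the replay attacker.
    return sum(privk_cpa(enc, replay_attacker) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("deterministic:", success_rate(enc_det))
    print("randomized:   ", success_rate(enc_rand))
```

Against the deterministic scheme the attacker wins every run; against the randomized one its comparison never matches and its success rate stays near ½.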
Pseudorandom functions
Pseudorandom functions: Informally, a pseudorandom function “looks like” a random (i.e., uniform) function.
Random function: Func_n = all functions mapping {0,1}^n to {0,1}^n. How big is Func_n? Can represent a function in Func_n using n · 2^n bits. |Func_n| = 2^{n·2^n}. [Figure: function table for 3-bit inputs 000, 001, 010, 011, 100, 101, 110, 111 with 3-bit outputs; # of entries: 2^3 = 8]
Random function: Exercise: how many functions are there mapping {0,1}^n to {0,1}^m?
Random function: Choose uniform f Func_n. Equivalent: for each x {0,1}^n, choose f(x) uniformly in {0,1}^n. I.e., fill up the function table with uniform values. Can also view this as being done “on-the-fly,” as values are needed.
Pseudorandom functions: Informally, a pseudorandom function “looks like” a random function. As in our discussion of PRGs, it does not make sense to talk about any fixed function being pseudorandom. We look instead at keyed functions.
Keyed functions: Let F: {0,1}^* × {0,1}^* {0,1}^* be an efficient, deterministic algorithm. Define F_k(x) = F(k, x). The first input is called the key. Assume F is length preserving: F(k, x) is only defined if |k| = |x|, in which case |F(k, x)| = |k| = |x|. Choosing a uniform k {0,1}^n is equivalent to choosing the function F_k : {0,1}^n {0,1}^n. I.e., for fixed key length n, the algorithm F defines a distribution over functions in Func_n!
Note: The number of functions in Func_n is 2^{n·2^n}. {F_k}_{k {0,1}^n} is a subset of Func_n. The number of functions in {F_k}_{k {0,1}^n} is at most 2^n. This is only a tiny fraction of Func_n!
Pseudorandom functions (PRFs): F is a pseudorandom function if F_k, for uniform key k {0,1}^n, is indistinguishable from a uniform function f Func_n. Formally, for all poly-time distinguishers D: | Pr_{k {0,1}^n}[D^{F_k(·)} = 1] - Pr_{f Func_n}[D^{f(·)} = 1] | ≤ ε(n)
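[Figure: a (poly-time) algorithm, marked "??", makes queries x_1, …, x_t in one of two worlds. World 0: f Func_n chosen uniformly at random; the queries are answered with f(x_1), …, f(x_t). World 1: k {0,1}^n chosen uniformly at random; the queries are answered with F_k(x_1), …, F_k(x_t).]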
Examples (insecure): F(k, x) = 0^n; F(k, x) = k; F(k, x) = k x