Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes.

Recap of last week's lecture
– Pseudo-random permutations: constructions
– Notions of security: indistinguishability of encryptions; semantic security; their equivalence
– Public-key cryptosystems

The world so far
Built so far (starting from P ≠ NP and one-way functions): pseudo-random generators, UOWHFs, signature schemes, two-guards identification.
Will soon see: computational pseudorandomness, pseudo-random functions, pseudo-random permutations, shared-key encryption and authentication.

Open Problems
– Construct small-domain pseudo-random permutations with good security reductions
– Construct a cryptosystem that remains secure when encrypting its own key

Encryption Using Pseudo-Random Permutations
Sender and receiver share a secret key S ∈_R {0,1}^k. S defines a pseudo-random permutation F_S : {0,1}^n → {0,1}^n.
What is wrong with encrypting X with F_S(X)? (It is deterministic: two encryptions of the same X coincide, so an adversary that can obtain encryptions of chosen plaintexts distinguishes trivially.)

Definition of the Security of Encryption
Several settings:
– Shared key vs. public key
– How active the adversary is
Sender and receiver want to prevent Eve from learning anything about the message. Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides.
Information-theoretic setting: whatever Eve knows about m before seeing the ciphertext should remain the same afterwards:
– Probability of guessing m (the min-entropy of m)
– Probability of guessing whether m is m_0 or m_1
– Probability of computing some function f of m
Ideally the ciphertext sent is independent of the message m; this implies all of the above.
Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m. If there is no special knowledge about m, that means |m| shared bits that may be used only once!

To specify security of encryption
The power of the adversary:
– Computational: a probabilistic polynomial-time machine (PPTM)
– Access to the system: can it change the messages?
What constitutes a failure of the system, i.e. what it means to break it:
– Reading a message
– Forging a message?

Computational Security of Encryption: Indistinguishability of Encryptions
Indistinguishability of encrypted strings: adversary A chooses X_0, X_1 ∈ {0,1}^n, receives an encryption of X_b for b ∈_R {0,1}, and has to decide whether b = 0 or b = 1.
For every PPTM A choosing a pair X_0, X_1 ∈ {0,1}^n:
  | Pr[A outputs '1' | b = 1] − Pr[A outputs '1' | b = 0] |  is negligible.
The probability is over the choice of keys, the randomization in the encryption and A's coins.
In other words: the encryptions of X_0 and X_1 are indistinguishable. Note the quantification: it is over the choice of X_0, X_1 ∈ {0,1}^n, which A makes.

Computational Security of Encryption: Semantic Security
Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can an A' that does not see the encryption of X, yet simulates A's knowledge with respect to X.
A selects:
– a distribution D_n on {0,1}^n
– a relation R(X, Y), computable in probabilistic polynomial time
For every PPTM A choosing a distribution D_n on {0,1}^n there is a PPTM A' such that for every PPT relation R, for X ∈_R D_n:
  | Pr[R(X, A(E(X)))] − Pr[R(X, A'())] |  is negligible,
where A' receives no ciphertext at all.
In other words: the outputs of A and A' are indistinguishable even to a tester who knows X.
Note: this presentation of semantic security is non-standard (but equivalent).

[Diagram: X ∈_R D_n. On the left A receives E(X) and outputs Y, which is tested by R(X, Y); on the right A' receives nothing, outputs Y, and is tested by the same R(X, Y).]

What is a public-key encryption scheme
Allows Alice to publish a public key K_P while keeping hidden a secret key K_S.
Key generation: G : {0,1}^* → {0,1}^* × {0,1}^*, on input the security parameter (and random coins) outputs K_P (public) and K_S (secret).
Encryption: ``anyone'' who is given K_P and m can encrypt it. A method E : {0,1}^* × {0,1}^* × {0,1}^* → {0,1}^* taking the public key K_P, a message (plaintext) m and random coins r, and outputting an encrypted message (ciphertext).
Decryption: given a ciphertext and the secret key it is possible to decrypt it. A method D : {0,1}^* × {0,1}^* × {0,1}^* → {0,1}^* taking the secret key K_S, the public key K_P and a ciphertext c, and outputting a plaintext m.
Require: D(K_S, K_P, E(K_P, m, r)) = m.

Equivalence of Semantic Security and Indistinguishability of Encryptions
Would like to argue their equivalence. Must first define the attack; otherwise one cannot fully talk about an attack.
Chosen plaintext attacks:
– The adversary can obtain the encryption of any message it wishes, in an adaptive manner
– Certainly feasible in a public-key setting: it is the minimal attack that makes sense there
– What about shared-key encryption?
More severe attacks: chosen ciphertext.
Consequence: the encryption process must be probabilistic!

Security of public key cryptosystems: exact timing
– Adversary A gets the public key K_P
– Then A can mount an adaptive chosen plaintext attack; no further interaction is needed since A can do all the encryptions on its own
– Then A chooses: in semantic security, the distribution D_n and the relation R; in indistinguishability of encryptions, the pair X_0, X_1 ∈ {0,1}^n
– Then A is given the test: in semantic security, E(K_P, X, r) for X ∈_R D_n and r ∈_R {0,1}^m; in indistinguishability of encryptions, E(K_P, X_b, r) for b ∈_R {0,1} and r ∈_R {0,1}^m

The Equivalence Theorem For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property

Equivalence Proof
If a scheme has the indistinguishability property, then it is semantically secure.
Suppose not, and A chooses some distribution D_n and some relation R.
Choose X_0, X_1 ∈_R D_n and run A twice, on
– C_0 = E(K_P, X_0, r_0); call the output Y_0
– C_1 = E(K_P, X_1, r_1); call the output Y_1
and let
– α_0 = Pr[R(X_0, Y_0)]
– α_1 = Pr[R(X_0, Y_1)]  (A's output on an encryption of X_1, tested against X_0)
If |α_0 − α_1| is not negligible: A can be used to distinguish an encryption of X_0 from an encryption of X_1, contradicting the indistinguishability property.
If |α_0 − α_1| is negligible: A' can simulate A with no access to the real ciphertext:
– sample X' ∈_R D_n and C' = E(K_P, X', r)
– run A on C' and output A's answer Y'
Here we use the power to generate encryptions (the public key is available to A').

Equivalence Proof (continued)
If a scheme is semantically secure, then it has the indistinguishability of encryptions property.
Suppose not, and A chooses a pair X_0, X_1 ∈ {0,1}^n for which it can distinguish with advantage ε.
Choose
– the distribution D_n = uniform on {X_0, X_1}
– the relation R = ``equality with X''
For any A' that does not get C = E(K_P, X, r) and outputs Y': Pr_A'[R(X, Y')] = ½, even if A' is computationally unbounded.
By simulating A and outputting Y = X_b for its guess b ∈ {0,1}: Pr_A[R(X, Y)] ≥ ½ + ε.

Similar setting
The same proof works for the shared-key case with an adaptive chosen plaintext attack; there one needs to give the attacker (explicit) oracle access to the encryption device.
``Standard'' definition of semantic security: instead of A trying to find Y such that R(X, Y), A tries to find Y = f(X), where f is any function (not necessarily polynomial-time computable). In spite of the difference, it is equivalent to our definition.

What happens if…
– There is extra information about X: both A and A' get h(X) for some polynomial-time computable function h (h might not be invertible)
– The relation R is not polynomial time
– We try to encrypt information about the secret key

When is each definition useful
Semantic security seems to convey that the message is protected, but it is not the strongest possible definition. It is easier to prove indistinguishability of encryptions.

Concatenations
If (G, E, D) is a semantically secure cryptosystem, then an adversary A that
– chooses X_0, X_1 ∈ {0,1}^n,
– receives k independent encryptions of X_b for b ∈_R {0,1}, and
– has to decide whether b = 0 or b = 1
cannot have a non-negligible advantage.
Proof: hybrid argument.
Independent keys or independent randomness? Both versions hold.

Concatenation
Let A be an adversary that selects a distribution D_n on {0,1}^n and a relation R computable in probabilistic polynomial time.
Let X_1, X_2, …, X_k ∈_R D_n. Suppose A receives E(X_1), E(X_2), …, E(X_k), computes Y and hopes that R(X_1, X_2, …, X_k, Y) holds.
Homework: prove that for any such A there is an A' (which sees no ciphertexts) with similar probability of success.

Trapdoor One-way Permutations
A collection of functions with three probabilistic polynomial-time algorithms:
– Key generation: on input n, the security parameter, and random bits, generates two keys K_P (public) and K_S (secret) and a domain D (could be {0,1}^n)
– Forward computation: each K_P defines a permutation f(K_P, ·) on D; given K_P and x it is easy to compute f(K_P, x)
– Hard to invert: for any PPT A given y = f(K_P, x) for a random K_P (generated as above) and x ∈_R D, the probability that A finds x is negligible
– Backward computation: given K_S it is easy to invert f(K_P, ·): there is an algorithm that given K_P (public), K_S (secret) and y = f(K_P, x) finds x

Encryption from a trapdoor permutation
Key generation: K_P (public) and K_S (secret) are the keys of the trapdoor permutation; write f_P for f(K_P, ·).
Encryption: to encrypt a message m ∈ {0,1}^k
– select x ∈_R {0,1}^n and r ∈_R {0,1}^n
– compute g(x) = ⟨x, r⟩, ⟨f_P(x), r⟩, ⟨f_P^(2)(x), r⟩, …, ⟨f_P^(k−1)(x), r⟩ (inner products mod 2, i.e. Goldreich-Levin hard-core bits)
– send m XORed with g(x), together with y = f_P^(k)(x) and r: (g(x) ⊕ m, f_P^(k)(x), r)
Decryption: given (c, y, r)
– extract x = f_P^(−k)(y) using K_S
– compute g(x) using r
– extract m by XORing c with g(x)

Security of the construction
Claim: given y = f_P^(k)(x) and r, the string g(x) = ⟨x, r⟩, ⟨f_P(x), r⟩, ⟨f_P^(2)(x), r⟩, …, ⟨f_P^(k−1)(x), r⟩ is indistinguishable from random.
Proof: it is the output of a pseudo-random generator (iterate the one-way permutation, output a hard-core bit each step).
Pseudo-randomness implies indistinguishability of encryptions.

[Reduction diagram.] The distinguisher A' is given input (z, y, r) and wants to decide whether z = g(x) (for the x with y = f_P^(k)(x)) or z is random:
– run the encryption adversary A to get {m_0, m_1}
– choose b ∈_R {0,1} and compute E(m_b) = (z ⊕ m_b, y, r)
– hand it to A and obtain its guess b'
– if b' = b output ``pseudo-random'', otherwise ``random''

Example: the Blum-Goldwasser cryptosystem
– Based on the Blum-Blum-Shub pseudo-random generator
– The permutation is defined by N = P · Q, where P ≡ Q ≡ 3 (mod 4)
– f_N(x) = x^2 mod N is a permutation on the quadratic residues x ∈ Z_N^*
– Known: the least significant bit(s) of x are hard-core for the map x → x^2 mod N

Blum-Goldwasser Encryption
Key generation: public key N; secret key (P, Q).
Encryption: to encrypt a message m ∈ {0,1}^k
– select x ∈_R QR_N (e.g. square a random element of Z_N^*; x must be a quadratic residue so that the squaring permutation can be inverted during decryption)
– compute the sequence x, x^2, x^4, …, x^{2^i}, …, x^{2^k} mod N and let g(x) be the lsb's of its first k elements
– send m XORed with g(x) together with y = x^{2^k} mod N: (g(x) ⊕ m, x^{2^k} mod N)
Decryption: given (c, y)
– extract x = y^d mod N, where d = 2^{−k} mod |QR_N| and |QR_N| = (P−1)(Q−1)/4 = φ(N)/4. This order is odd because P ≡ Q ≡ 3 (mod 4), so 2 is invertible modulo it (it is not invertible modulo φ(N) = (P−1)(Q−1) itself, which is even). A single exponentiation!
– compute g(x)
– extract m by XORing c with g(x)
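A runnable version of the scheme above, added here as an illustration (it is not code from the lecture). It is also an instance of the trapdoor-permutation construction two slides earlier, with the lsb of the BBS sequence as the hard-core bit instead of a Goldreich-Levin inner product. Assumptions: Blum primes are generated with Miller-Rabin at a deliberately tiny, insecure size so the example runs instantly; the message is a k-bit integer; decryption uses the single exponent d = 2^{-k} modulo |QR_N| = (P-1)(Q-1)/4.

```python
"""Toy Blum-Goldwasser cryptosystem (added example, not the lecture's code).

Assumed for illustration: 32-bit Blum primes (far too small for security),
k-bit integer messages, lsb of the BBS sequence as the hard-core bit.
"""
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 25) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_blum_prime(bits: int) -> int:
    """Random prime p = 3 (mod 4) with exactly `bits` bits."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3  # top bit set, p = 3 mod 4
        if is_probable_prime(p):
            return p


def keygen(bits: int = 32):
    """Public key N = PQ, secret key (P, Q). The bit size is a toy value."""
    p = random_blum_prime(bits)
    q = random_blum_prime(bits)
    while q == p:
        q = random_blum_prime(bits)
    return p * q, (p, q)


def bbs_pad(N: int, x: int, k: int):
    """Return (lsb(x) lsb(x^2) ... lsb(x^{2^{k-1}}) as a k-bit int, x^{2^k} mod N)."""
    pad, cur = 0, x
    for _ in range(k):
        pad = (pad << 1) | (cur & 1)
        cur = cur * cur % N
    return pad, cur


def encrypt(N: int, m: int, k: int):
    """Encrypt a k-bit integer m. The seed must be a quadratic residue so that
    squaring is a permutation on it: square a random unit of Z_N^*."""
    if not 0 <= m < (1 << k):
        raise ValueError("message must fit in k bits")
    while True:
        s = secrets.randbelow(N - 2) + 2
        if gcd(s, N) == 1:
            break
    x = s * s % N
    pad, y = bbs_pad(N, x, k)
    return m ^ pad, y


def decrypt(sk, N: int, ciphertext, k: int) -> int:
    """x = y^d mod N with d = 2^{-k} mod |QR_N| (one exponentiation),
    then regenerate the pad and strip it."""
    p, q = sk
    c, y = ciphertext
    order = (p - 1) * (q - 1) // 4  # |QR_N|; odd, so 2 is invertible mod it
    inv2 = (order + 1) // 2         # 2^{-1} mod order
    d = pow(inv2, k, order)         # 2^{-k} mod order
    x = pow(y, d, N)
    pad, _ = bbs_pad(N, x, k)
    return c ^ pad


if __name__ == "__main__":
    N, sk = keygen()
    ct = encrypt(N, 0xDEADBEEF, 32)
    print(hex(decrypt(sk, N, ct, 32)))
```

Note how the seed is chosen: squaring a random unit guarantees x ∈ QR_N. Had x been an arbitrary element of Z_N^*, y^d would return the unique quadratic-residue root of y, which in general is a different element with a different lsb, and decryption would silently produce garbage.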

Security Theorem : the Blum-Goldwasser cryptosystem is semantically secure against chosen plaintext attack iff factoring is hard

Shared key encryption
Sender and receiver share a key s of a pseudo-random function F_s : {0,1}^n → {0,1}^k.
Encryption of a message m ∈ {0,1}^k:
– choose r ∈_R {0,1}^n
– send (F_s(r) ⊕ m, r)
Decryption of a ciphertext (y, r): compute m = F_s(r) ⊕ y.
Proof of security: based on the indistinguishability of F_s from a truly random function. As long as all the r's are different, the collection of ciphertexts is indistinguishable from random.
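The following added example (not code from the lecture) puts the question from the pseudo-random-permutation slide and this scheme side by side: it encrypts X as F_S(X) with a deterministic PRP, encrypts it as (F_s(r) ⊕ m, r) with a PRF, and runs the same chosen-plaintext adversary against both in the indistinguishability game. Assumptions: the PRF is HMAC-SHA256 truncated to 16 bytes, the PRP is a 4-round Feistel network built from that PRF (Luby-Rackoff), and the keys, messages and adversary are constructed for the demonstration.

```python
"""Deterministic F_S(X) vs. randomized (F_s(r) xor m, r): added example."""
import hashlib
import hmac
import secrets

BLOCK = 16          # n = 128-bit blocks (assumed for the example)
HALF = BLOCK // 2


def prf(key: bytes, x: bytes) -> bytes:
    """F_s(x): HMAC-SHA256 under key s, truncated to BLOCK bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prp_forward(key: bytes, block: bytes) -> bytes:
    """Deterministic keyed permutation F_S on {0,1}^128 (4 Feistel rounds)."""
    if len(block) != BLOCK:
        raise ValueError("F_S is defined on %d-byte blocks" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, prf(key + bytes([rnd]), right)[:HALF])
    return left + right


def prp_backward(key: bytes, block: bytes) -> bytes:
    """Inverse of prp_forward: undo the rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = xor(right, prf(key + bytes([rnd]), left)[:HALF]), left
    return left + right


def enc_det(key: bytes, m: bytes) -> bytes:
    """The scheme the slide asks about: encrypt X as F_S(X). Deterministic."""
    return prp_forward(key, m)


def dec_det(key: bytes, c: bytes) -> bytes:
    return prp_backward(key, c)


def enc_rand(key: bytes, m: bytes) -> bytes:
    """(F_s(r) xor m, r) with a fresh random r per message."""
    r = secrets.token_bytes(BLOCK)
    return xor(prf(key, r), m) + r


def dec_rand(key: bytes, c: bytes) -> bytes:
    y, r = c[:BLOCK], c[BLOCK:]
    return xor(prf(key, r), y)


def repeat_adversary(enc_oracle, m0: bytes, m1: bytes, challenge: bytes) -> int:
    """Chosen-plaintext adversary: ask the oracle for another encryption of m0
    and output 0 ("the challenge encrypts X_0") iff it equals the challenge."""
    return 0 if enc_oracle(m0) == challenge else 1


def cpa_advantage(encrypt, adversary, trials: int = 100) -> float:
    """Empirical |Pr[A outputs 1 | b=1] - Pr[A outputs 1 | b=0]| in the
    indistinguishability game where A also has an encryption oracle."""
    key = secrets.token_bytes(16)

    def oracle(m):
        return encrypt(key, m)

    m0, m1 = b"A" * BLOCK, b"B" * BLOCK
    rate = {}
    for b in (0, 1):
        ones = sum(adversary(oracle, m0, m1, oracle((m0, m1)[b]))
                   for _ in range(trials))
        rate[b] = ones / trials
    return abs(rate[1] - rate[0])


if __name__ == "__main__":
    print("advantage against F_S(X):         ", cpa_advantage(enc_det, repeat_adversary))
    print("advantage against (F_s(r)^m, r):  ", cpa_advantage(enc_rand, repeat_adversary))
```

Against F_S(X) the adversary wins with advantage 1 after a single oracle query; against the randomized scheme its comparison never matches (the oracle picks a fresh r), so its advantage is 0. The security argument on the slide needs the r's to be distinct; with 128-bit r that only fails after about 2^64 messages under one key.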

Security
Theorem: if F_s is a pseudo-random function then the scheme is semantically secure against chosen plaintext attack.
Proof: from the equivalent definition of a pseudo-random function where either the last query/challenge is random or not. Need security against random queries only, since the r's are chosen at random rather than by the adversary.

Discrete Log Problem
Let G be a group and g an element of G. For y = g^x, let x be the minimal non-negative integer satisfying the equation; x is called the discrete log of y to base g.
Example: y = g^x mod p in the multiplicative group Z_p^*.
In general it is easy to exponentiate via repeated squaring (consider the binary representation of x). What about the discrete log? If it is difficult, f(g, x) = (g, g^x) is a one-way function.
DL assumption for group G (with g of order n): no efficient algorithm can, for x ∈_R [0..n−1], solve the DL problem for y = g^x with high probability.

Discrete Log Problem
A very useful group for DL: P and Q large primes with Q | P−1, and g an element of order Q in Z_P^*.
Best known algorithms:
– √Q group operations (generic algorithms such as baby-step giant-step)
– subexponential in log P
Randomized (self-)reduction: given y, generate y' = y · g^r for r ∈_R [Q]; y' is uniform in the subgroup and log_g y = log_g y' − r.

Diffie-Hellman
The Diffie-Hellman assumption: let G be a group and g an element of G. Given g, X = g^a and Y = g^b for random a and b, it is hard to find Z = g^{ab}: the probability that a poly-time machine outputs g^{ab} is negligible.
More accurately: the assumption is stated for a sequence of groups.
Note: we don't know how to verify whether a given Z' is equal to g^{ab}.

Decisional Diffie-Hellman Problem
For a generator g (of the order-Q subgroup) and a, b ∈ [Q]: given g, Y = g^a, X = g^b and Z, decide whether Z = g^{ab} or Z ≠ g^{ab}.
Equivalent: is log_g Y = log_X Z?
DDH assumption: the DDH problem is hard in the worst case.

Average DDH
For a, b ∈_R [Q] and c which is either
– c = ab, or
– c ∈_R [Q]
given Y = g^a, X = g^b and Z = g^c, decide whether Z = g^{ab} or Z ≠ g^{ab}.
DDH assumption, average case: the DDH problem is hard for the above distribution.

Worst to Average case reduction
Theorem: the average-case and worst-case versions of the DDH assumption are equivalent.
Given g^a, g^b and g^c (and P, Q), sample r, s_1, s_2 ∈_R [Q] and compute
– g^{a'} = (g^a)^r · g^{s_1}
– g^{b'} = g^b · g^{s_2}
– g^{c'} = (g^c)^r · (g^a)^{r s_2} · (g^b)^{s_1} · g^{s_1 s_2}
so that a' = ra + s_1 mod Q, b' = b + s_2 mod Q and a'b' = rab + r a s_2 + b s_1 + s_1 s_2. Here c is either ab or not.

…Worst to average
If c = ab + e mod Q then
– a' = ra + s_1 mod Q
– b' = b + s_2 mod Q
– c' = a'b' + e·r mod Q
Always: a' and b' are uniformly distributed (because of s_1 and s_2). If e = 0 then c' = a'b'. Otherwise e ≠ 0 and Q is prime, so e·r is uniform in [Q] and c' is uniform and independent of a', b'.
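The two random self-reductions of the last slides (DL via y' = y·g^r, and the DDH re-randomization) carried out in a small prime-order subgroup so the exponent algebra can be checked exactly. This is an added example, not code from the lecture. Assumptions: P = 2039 = 2·1019 + 1 is a safe prime, Q = 1019, G = 4 has order Q in Z_P^*; the group is far too small for security and is only there to make discrete logs computable (by baby-step giant-step, the generic √Q algorithm) for the verification step.

```python
"""Random self-reducibility of DL and the worst-to-average DDH reduction
in a toy prime-order subgroup (added example)."""
import secrets

P, Q, G = 2039, 1019, 4   # toy parameters, assumed for the example


def bsgs(y: int) -> int:
    """Baby-step giant-step: the generic sqrt(Q)-time discrete-log algorithm."""
    m = int(Q ** 0.5) + 1
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * G % P
    giant_step = pow(G, Q - m, P)        # G^{-m}, since G has order Q
    gamma = y
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * giant_step % P
    raise ValueError("y is not in the subgroup generated by G")


def dl_random_self_reduction(y: int, solver) -> int:
    """Turn a solver that works on random instances into a worst-case solver:
    y' = y * G^r is uniform in the subgroup, and log y = log y' - r."""
    r = secrets.randbelow(Q)
    x_prime = solver(y * pow(G, r, P) % P)
    return (x_prime - r) % Q


def ddh_rerandomize(ga: int, gb: int, gc: int):
    """Map (g^a, g^b, g^c) to (g^{a'}, g^{b'}, g^{c'}) with
    a' = ra + s1, b' = b + s2, c' = a'b' + r(c - ab), as on the slide."""
    r = secrets.randbelow(Q - 1) + 1     # r = 0 would force c' = a'b'; excluded here
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    ga2 = pow(ga, r, P) * pow(G, s1, P) % P
    gb2 = gb * pow(G, s2, P) % P
    gc2 = (pow(gc, r, P) * pow(ga, r * s2, P)
           * pow(gb, s1, P) * pow(G, s1 * s2, P)) % P
    return (ga2, gb2, gc2), (r, s1, s2)


def is_ddh_with_trapdoor(ga: int, gb: int, gc: int, a: int) -> bool:
    """Knowing a, DDH is easy: g^c = g^{ab} iff gc == gb^a."""
    return gc == pow(gb, a, P)


def check_reduction(a: int, b: int, e: int) -> bool:
    """Verify the slide's exponent algebra for c = ab + e (mod Q): the output
    exponents are a' = ra + s1, b' = b + s2, c' = a'b' + r*e, and the tuple
    is a DDH tuple exactly when e = 0."""
    c = (a * b + e) % Q
    ga, gb, gc = pow(G, a, P), pow(G, b, P), pow(G, c, P)
    (ga2, gb2, gc2), (r, s1, s2) = ddh_rerandomize(ga, gb, gc)
    a2 = (r * a + s1) % Q
    b2 = (b + s2) % Q
    c2 = bsgs(gc2)                       # feasible only because Q is tiny
    return (ga2 == pow(G, a2, P) and gb2 == pow(G, b2, P)
            and c2 == (a2 * b2 + r * e) % Q
            and is_ddh_with_trapdoor(ga2, gb2, gc2, a2) == (e == 0))


if __name__ == "__main__":
    print(all(check_reduction(a, b, e) for a in (1, 17, 500)
              for b in (0, 2, 1018) for e in (0, 1, 777)))
```

The slide samples r from all of [Q]; the code excludes r = 0, which happens with probability 1/Q and would turn any input into a DDH tuple. Because Q is prime, e·r for e ≠ 0 ranges over all of [Q] as r does, which is what makes c' uniform and independent in the non-DDH case.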

Evidence for the validity of DDH
– The DH search problem has endured extensive research (DH search is related to discrete log)
– Hard for generic algorithms (those that work in a black-box group)
– Computing the most significant bits of g^{ab} is hard
– Random self-reducibility

El-Gamal Cryptosystem (variant)
Private key: a ∈_R [Q]. Public key: Y = g^a together with P, Q and h.
To encrypt M:
– choose r ∈_R [Q], compute X = g^r and Y^r
– send ⟨X, h(Y^r) ⊕ M⟩
To decrypt ⟨X, W⟩:
– compute X^a = Y^r
– output h(X^a) ⊕ W
How is h chosen? h maps the subgroup of size Q of Z_P^* to {0,1}^k; pair-wise independence suffices.

El-Gamal Security
Under the DDH assumption the cryptosystem is semantically secure against chosen plaintext attack, but… the scheme is malleable: to change M to M' = M ⊕ C, change ⟨X, W⟩ to ⟨X, W ⊕ C⟩.

Open Problems
How to get a good encryption scheme from something weaker than a fully blown pseudo-random function.

From single bit to many bits
If there is an encryption scheme for which E(K_P, 0, r) is indistinguishable from E(K_P, 1, r), then a fully semantically secure cryptosystem (for messages of any length) can be constructed by concatenation: each bit of the message m ∈ {0,1}^k is encrypted separately, with independent randomness.
Proof: a hybrid argument, using the definition of indistinguishability of encryption.
– Suppose the adversary chooses X_0, X_1 ∈ {0,1}^k
– Let D_i be the distribution on ciphertexts where the first i bits encrypted are those of X_1 and the last k−i bits are those of X_0; then D_0 is the distribution on encryptions of X_0 and D_k the distribution on encryptions of X_1
– Distinguishing D_0 from D_k with advantage ε means distinguishing some adjacent D_i, D_{i+1} with advantage ε/k, i.e. distinguishing an encryption of a single bit
Example: quadratic residues mod N (the Goldwasser-Micali scheme).
Difference from the concatenation slides: here each encrypted piece is a single bit.

One-way encryption is sufficient for semantic security against chosen plaintext attack
Call an encryption scheme one-way if, given c = E(K_P, m, s) for random m and s, it is hard to find m. This is the weakest form of security one can expect from a ``self-respecting'' cryptosystem.
One can construct a single-bit indistinguishable scheme from it. To encrypt a bit b ∈ {0,1}:
– choose random x, s and r
– send (c, r, b') where c = E(K_P, x, s) and b' = ⟨x, r⟩ ⊕ b
Security: from the Goldreich-Levin reconstruction algorithm.

Examples of public-key cryptosystems
– Factoring related: RSA, Rabin
– Discrete-log related: Diffie-Hellman (El Gamal), over various groups
– Early knapsack- and code-based schemes (late 1970's): Merkle-Hellman; McEliece (a probabilistic cryptosystem)
– Modern lattice based: Ajtai-Dwork (the only one for which a worst-case to average-case hardness reduction is known); Goldreich-Goldwasser-Halevi; Regev; NTRU

Further Issues
– What about errors in decryption?
– Is this the ultimate definition? Does it capture all the ways in which encryption is used?

Example: Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.
To authenticate a message m:
– V → P: choose r ∈_R {0,1}^n, send c = E(m ∘ r, K_P)
– P → V: on receiving c, decrypt c using K_S and verify that the prefix of the plaintext is m; if yes, send r
V is satisfied if he receives the same r he chose.

Is it Safe?
Definition of security: existential unforgeability against adaptive chosen message attack
– The adversary can ask to authenticate any sequence of messages m_1, m_2, …
– It has to succeed in making V accept a message m that was not authenticated
– It has complete control over the channels
Intuition for security: if E does not leak information about the plaintext, nothing is leaked about r.
Several problems if E is ``just'' semantically secure against chosen plaintext attacks:
– The adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P): malleability
– It is not sufficient to verify the correct form of the ciphertext in the simulation
– The setting is closer to a chosen ciphertext attack: P decrypts ciphertexts the adversary chose and releases part of the plaintext
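An added example (not code from the lecture) that connects the malleability slide to the authentication protocol above: the hashed El-Gamal variant, the W ⊕ C attack on it, and a man-in-the-middle who uses that attack to make V accept a message P never approved. Assumptions: the toy group P = 2039, Q = 1019, G = 4 of order Q; h is the pair-wise independent family h_{α,β}(z) = ((α·z + β) mod P) mod 256, so one ⟨X, W⟩ pair hides one byte and a message is encrypted byte by byte with independent randomness (the concatenation of the earlier slides). The output of h is slightly biased because 256 does not divide P; that is tolerated in a toy.

```python
"""Hashed El-Gamal, its malleability, and the attack on interactive
authentication (added example, toy parameters)."""
import secrets

P, Q, G = 2039, 1019, 4   # toy group, assumed for the example


def keygen():
    """Private key a, public key Y = G^a."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def hash_keygen():
    """Key (alpha, beta) of the pair-wise independent family h."""
    return secrets.randbelow(P - 1) + 1, secrets.randbelow(P)


def h(hk, z: int) -> int:
    alpha, beta = hk
    return ((alpha * z + beta) % P) & 0xFF


def encrypt(Y: int, hk, msg: bytes):
    """E(M): for each byte choose r and send <X = G^r, h(Y^r) xor byte>."""
    out = []
    for byte in msg:
        r = secrets.randbelow(Q - 1) + 1
        out.append((pow(G, r, P), h(hk, pow(Y, r, P)) ^ byte))
    return out


def decrypt(a: int, hk, ct) -> bytes:
    """Given <X, W>: X^a = Y^r, output h(X^a) xor W."""
    return bytes(h(hk, pow(X, a, P)) ^ W for X, W in ct)


def malleate(ct, delta: bytes):
    """Without any key, turn E(M) into E(M xor delta) by XORing the W parts."""
    return [(X, W ^ d) for (X, W), d in zip(ct, delta)]


# --- the interactive authentication protocol of the slide ---------------------

def verifier_challenge(Y: int, hk, m: bytes, nbytes: int = 8):
    """V -> P: choose r, send c = E(m || r); V remembers r."""
    r = secrets.token_bytes(nbytes)
    return encrypt(Y, hk, m + r), r


def prover_respond(a: int, hk, approved: bytes, c):
    """P -> V: decrypt; if the prefix is the message P is willing to approve,
    return r, otherwise refuse."""
    pt = decrypt(a, hk, c)
    if pt[:len(approved)] != approved:
        return None
    return pt[len(approved):]


def forge_challenge(c, m: bytes, m_benign: bytes):
    """Man in the middle: c = E(m || r) becomes E(m_benign || r). The r part
    is untouched, so P's answer is exactly what V expects for m."""
    if len(m) != len(m_benign):
        raise ValueError("this forgery keeps the length")
    delta = bytes(x ^ y for x, y in zip(m, m_benign)) + bytes(len(c) - len(m))
    return malleate(c, delta)


def attack_succeeds(m: bytes = b"TRANSFER 9999",
                    m_benign: bytes = b"TRANSFER 0001") -> bool:
    """V asks P to approve m; P is only willing to approve m_benign.
    Returns True if V nevertheless ends up accepting m."""
    a, Y = keygen()
    hk = hash_keygen()
    c, r = verifier_challenge(Y, hk, m)
    honest_refusal = prover_respond(a, hk, m_benign, c) is None
    response = prover_respond(a, hk, m_benign, forge_challenge(c, m, m_benign))
    return honest_refusal and response == r


if __name__ == "__main__":
    print("V accepts the unapproved message:", attack_succeeds())
```

The forgery never touches the X components or the key; it only XORs the difference of the two prefixes into the W components, which is exactly the ⟨X, W ⊕ C⟩ transformation of the malleability slide. Non-malleable (chosen-ciphertext secure) encryption is what the protocol actually needs.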

Sources
– Goldwasser, Micali: Probabilistic Encryption, Journal of Computer and System Sciences.
– Goldreich: Foundations of Cryptography, volume 2.