CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

Slides:



Advertisements
Similar presentations
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Advertisements

CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Cryptography Lecture 8 Stefan Dziembowski
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
IND-CPA and IND-CCA Concepts Summary  Basic Encryption Security Definition: IND-CPA  Strong Encryption Security Definition: IND-CCA  IND-CPA, IND-CCA.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
Cryptography Lecture 4 Arpita Patra.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Cryptography Lecture 8 Arpita Patra © Arpita Patra.
Cryptography Lecture 9 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 151 Cryptography CS 555 Topic 15: HMAC, Combining Encryption & Authentication.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
Cryptography Lecture 6 Arpita Patra. Quick Recall and Today’s Roadmap >> MAC for fixed-length messages >> Domain Extension for MAC >> Authenticated Encryption:
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
B504/I538: Introduction to Cryptography
Secrecy of (fixed-length) stream ciphers
Cryptography Lecture 9.
Topic 11: Authenticated Encryption + CCA-Security
Cryptography Lecture 12.
Topic 5: Constructing Secure Encryption Schemes
Topic 30: El-Gamal Encryption
Cryptography Lecture 6.
Cryptography Lecture 10.
Topic 7: Pseudorandom Functions and CPA-Security
B504/I538: Introduction to Cryptography
Cryptography Lecture 7.
Cryptography Lecture 25.
Cryptography Lecture 11.
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Cryptography Lecture 12 Arpita Patra © Arpita Patra.
Cryptography Lecture 5.
Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Cryptography Lecture 11.
Cryptography Lecture 9.
Topic 13: Message Authentication Code
Cryptography Lecture 7.
Cryptography Lecture 10.
Cryptography Lecture 9.
Cryptography Lecture 11.
Cryptography Lecture 10.
Cryptography Lecture 6.
Cryptography Lecture 21.
Cryptography Lecture 23.
Presentation transcript:

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security

CS555Spring 2012/Topic 72 Outline and Readings Outline Handling variable length messages Security for multiple messages Stream ciphers for multiple messages CPA secure Readings: Katz and Lindell: 3.4, 3.5

Handling Variable Length Messages (Textbook, Section 3.4.2) A variable output-length pseudo-random generator is G(s, 1 l ) that output l such that –Any shorter output is the prefix of the longer one –Fix any length, this is a pseudo-random generator Given such a generator, can encrypt messages of different length by choosing l to be length of the message. CS555Spring 2012/Topic 73

Security for Multiple Encryptions (Textbook Section 3.4.3) How to encrypt multiple messages with one key? –What is wrong with using the standard way of using stream cipher to encrypt? How to define secure encryption with multiple messages? CS555Spring 2012/Topic 74

Definition Has indistinguishable Multiple Encryptions in the presence of an eavesdropper. Define an experiment called PrivK mult (n) –Involving an Adversary and a Challenger –Instantiated with an Adv algorithm A, and an encryption scheme  = (Gen, Enc, Dec) CS555Spring 2012/Topic 75 Challenger Adversary k  Gen(1 n ) b  R {0,1} A (1 n ) gives two vector of messages such that corresponding msgs have equal lengths M 0, M 1 C=E k [m b 1 ], E k [m b 2 ], …E k [m b t ] b’  {0,1} PrivK mult = 1 if b=b’, and PrivK mult = 0 if b  b’ Pr[PrivK mult A,  =1]  ½ + negl(n)

Single Msg vs. Multiple Msgs Give an encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper –i.e., secure in single message setting But does not have indistinguishable multiple encryptions in the presence of an eavesdropper. –i.e., insecure for encrypting multiple messages? No deterministic encryption scheme is secure for multiple messages CS555Spring 2012/Topic 76

How to Encrypt Multiple Messages with a Stream Cipher (i.e., Pseudorandom generator) Method 1: Synchronized mode –Use a different part of the output stream to encrypt each new message –Sender and receiver needs to know which position is used to encrypt each message –Often problematic CS555Spring 2012/Topic 77

How to Encrypt Multiple Messages with a Stream Cipher Method 2: Unsynchronized mode –Use a random Initial Vector (IV) –Enc k (m) =  IV, G(k,IV)  m  IV must be randomly chosen, and freshly chosen for each message How to decrypt? –What G to use and under what assumptions on G such a scheme has indistinguishable multiple encryptions in the presence of an eavesdropper What if G(k,IV)  G’(k||IV), where G’ is a pseudorandom generator CS555Spring 2012/Topic 78

Security of Unsynchronized Mode Recall that –IV is sent in clear, so is known by the adversary –For each IV, G( ,IV) is assumed to be pseudorandom generator; –Furthermore, when given multiple IVs and outputs under the same randomly chosen seed, the combined output must be pseudo-random –Stream ciphers in practice are assumed to have the above augmented pseudorandomness property and used this way CS555Spring 2012/Topic 79

Functions and Keyed Functions Consider Enc k (m) =  IV, G(k,IV)  m  G(k,IV) takes two inputs. This can also be viewed as a family (set) of functions, aka, a keyed function For each key k, we define function G k to be G k (x) = G(k,x) The property we desire for G is such that when k is randomly chosen, G k (  ) has the property that knowing G k (x 1 ) one cannot predict what will G k (x 2 ) be x 1  x 2 –That is, G k (  ) should be indistinguishable from a random function. –If one can predict G k (x) when given x, is the above encryption scheme secure? CS555Spring 2012/Topic 710

Security Against Chosen Plaintext Attacks (Textbook 3.5) Security notions considered so far is for ciphertext-only attacks Modeling chosen plaintext attacks –Adversary may choose messages and obtain corresponding ciphertexts adaptively Adaptively means that adversary may look at the ciphertext of the first chosen message, then choose the next message. –How to model this ability of the adversary? Adversary is given an encryption oracle, which can encrypt messages but does not give out the key CS555Spring 2012/Topic 711

The CPA Indistinguishablility Experiment: PrivK cpa (n) A k is generated by Gen(1 n ) Adversary is given oracle access to Enc k (  ), and outputs a pair of equal-length messages m 0 and m 1 A random bit b is chosen, and adversary is given Enc k (m b ) –Called the challenge ciphertext Adversary still has oracle access to Enc k (  ), and (after some time) outputs b’ PrivK cpa (n) = 1 if b=b’ (adversary wins) and =0 otherwise CS555Spring 2012/Topic 712

CPA-secure (aka IND-CPA security) A private-key encryption scheme  = (Gen, Enc, Dec) has indistinguishable encryption under a chosen-plaintext attack iff. for all PPT adversary A, there exists a negligible function negl such that Pr[PrivK cpa A,  =1]  ½ + negl(n) No deterministic encryption scheme is CPA- secure. Why? CS555Spring 2012/Topic 713

Properties of CPA-secure CPA-secure for multiple messages is equivalent to CPA-secure for a single message Given a fixed-length encryption scheme that is CPA-secure, we can encrypt messages of arbitrary length by encrypting different parts of messages separately CS555Spring 2012/Topic 714

CS555Spring 2012/Topic 715 Coming Attractions … Pseudorandom functions Reading: Katz & Lindell: 3.6