Ryan Henry I 538 /B 609 : Introduction to Cryptography.


Friday, November 13 at 3:00pm in LH 102: Amit Sahai, UCLA, "Software with Secrets"

The goal of secure program obfuscation is to make a program "unintelligible" while preserving its functionality. For decades, program obfuscation for general programs has remained an art, with all public general-purpose obfuscation methods known to be broken. In this talk, we will describe new developments that for the first time provide a mathematical approach to the problem of general-purpose program obfuscation, where extracting secrets from the obfuscated program requires solving mathematical problems that currently take hundreds of years to solve on the world's fastest computing systems. We will also discuss the implications of these developments.

Tuesday’s lecture:
▪ Computational hardness assumptions
▪ Diffie-Hellman key exchange

Today’s lecture:
▪ Public key encryption
▪ IND-CPA / IND-CCA for public key schemes
▪ Trapdoor functions and permutations

Assignment 5 is due Tuesday, November 10! (That’s next week!)

Testing for generators

Thm: Let (G,) be a cyclic group of order $n = p_1^{e_1} \cdots p_k^{e_k}$, where the $p_i$ are pairwise distinct primes. Then $g \in G$ is a generator of (G,) if and only if

$$\forall i = 1, \ldots, k: \quad g^{n/p_i} \not\equiv 1. \qquad (*)$$

Proof:
(“⇒”) By definition: if $g \in G$ is a generator, then $g^m \not\equiv 1$ for any $0 < m < n$.
(“⇐”) Suppose $g \in G$ satisfies Eq (*), and let $j = |g|$. By Lagrange’s Theorem, $j \mid n$; i.e., $n = jq$ for some $q \in \mathbb{N}^+$. In other words, $j = p_1^{e'_1} \cdots p_k^{e'_k}$ where $0 \le e'_i \le e_i$ for each $i = 1, \ldots, k$. If $j < n$, then $\exists i$ such that $e'_i < e_i$, in which case $j \mid (n/p_i)$. But then Eq (*) implies that $g^j \not\equiv 1$, which is a contradiction. Hence, we must have that $j \ge n$, i.e., $j = n$. ☐
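The theorem's criterion, as an added example that is not part of the original slides, in the concrete group $\mathbb{Z}_p^*$ of order $n = p - 1$. The function names are hypothetical, and the brute-force order computation is included only to cross-check the criterion on small primes.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_generator(g, p, factors=None):
    """Theorem's test in Z_p^* (order n = p - 1): g is a generator
    iff g^(n/p_i) != 1 (mod p) for every prime p_i dividing n."""
    n = p - 1
    if g % p == 0:
        return False  # 0 is not an element of Z_p^*
    factors = factors or prime_factors(n)
    # k modular exponentiations instead of walking through all n powers of g
    return all(pow(g, n // q, p) != 1 for q in factors)


def order_bruteforce(g, p):
    """Order of g in Z_p^* by repeated multiplication; O(p), cross-check only."""
    x, j = g % p, 1
    while x != 1:
        x = x * g % p
        j += 1
    return j


def generators(p):
    """All generators of Z_p^* for a small prime p."""
    return [g for g in range(1, p) if is_generator(g, p)]
```

For $p = 23$ the group order is $22 = 2 \cdot 11$, so each candidate needs only the two checks $g^{11} \not\equiv 1$ and $g^{2} \not\equiv 1 \pmod{23}$.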

Public-key encryption schemes

Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that
– $\mathrm{Gen}: 1^{\mathbb{N}} \to K_e \times K_d$ is a randomized “keypair generation” algorithm;
– $\mathrm{Enc}: K_e \times M \to C$ is an (often randomized) “encryption” algorithm;
– $\mathrm{Dec}: K_d \times C \to M$ is a deterministic “decryption” algorithm.

▪ $K_e$ is the encryption key space (set of possible encryption keys)
▪ $K_d$ is the decryption key space (set of possible decryption keys)
▪ $M$ is the message space (set of possible messages)
▪ $C$ is the ciphertext space (set of possible ciphertexts)

Usually write $\mathrm{Enc}_{k_e}(m)$ and $\mathrm{Dec}_{k_d}(m)$ instead of $\mathrm{Enc}(k_e, m)$ and $\mathrm{Dec}(k_d, m)$.

Correctness

▪ Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key)

Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space $M$ is correct if there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that, $\forall s \in \mathbb{N}$ and $\forall m \in M$,

$$\Pr\left[\mathrm{Dec}_{k_d}(\mathrm{Enc}_{k_e}(m)) = m \;\middle|\; (k_e, k_d) \leftarrow \mathrm{Gen}(1^s)\right] \ge 1 - \varepsilon(s)$$

Recall: IND-CPA security (for symmetric-key encryption), “left–or–right”

The game is played between the Challenger (C) and the Attacker (A), both given $1^s$:
1. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$ and picks $b \in \{0,1\}$.
2. For $i = 1, \ldots, q$: the attacker sends $(m_{i0}, m_{i1}) \in M \times M$ with $|m_{i0}| = |m_{i1}|$, and the challenger replies with $c_i \leftarrow \mathrm{Enc}_k(m_{ib})$.
3. The attacker outputs $b' \in \{0,1\}$.

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{CPA}}(A) := \left|\Pr[b = b'] - \tfrac{1}{2}\right|$.

Variants of the IND-CPA security game

▪ The game we have seen in lectures is sometimes called the “left–or–right” IND–CPA game
▪ Three other (“equivalent”) variants are common:
1. “Real–or–random” IND–CPA security game
2. “Find–then–guess” IND–CPA security game
3. Semantic security game

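IND-CPA security (for symmetric-key encryption), “real–or–random”

Both games are played between the Challenger (C) and the Attacker (A), both given $1^s$.

Game 0 (Attacker has access to real encryption oracle):
1. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$.
2. For $i = 1, \ldots, n$: the attacker sends $m_i \in M$, and the challenger replies with $c_i \leftarrow \mathrm{Enc}_k(m_i)$.
3. The attacker outputs $b' \in \{0,1\}$.

Game 1 (Attacker has access to random oracle):
1. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$.
2. For $i = 1, \ldots, n$: the attacker sends $m_i \in M$, and the challenger replies with $c_i \in C$.
3. The attacker outputs $b' \in \{0,1\}$.

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{ROR}}(A) := \left|\Pr[b = b'] - \tfrac{1}{2}\right|$.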

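IND-CPA security (for symmetric-key encryption), “find–then–guess”

The game is played between the Challenger (C) and the Attacker (A), both given $1^s$:
1. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$ and picks $b \in \{0,1\}$.
2. For $i = 1, \ldots, q$: the attacker sends $m_i \in M$, and the challenger replies with $c_i \leftarrow \mathrm{Enc}_k(m_i)$.
3. The attacker sends $(M_1, M_2) \in M \times M$ with $|M_1| = |M_2|$, and the challenger replies with $C \leftarrow \mathrm{Enc}_k(M_b)$.
4. The attacker outputs $b' \in \{0,1\}$.

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{FTG\text{-}CPA}}(A) := \left|\Pr[b = b'] - \tfrac{1}{2}\right|$.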

IND-CPA security for public-key schemes

▪ For symmetric-key encryption, we had two options:
1. Secrecy for a single message: Indistinguishable encryptions in the presence of an eavesdropper
2. Secrecy for multiple messages: Indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA)
Secrecy for single message ⇏ secrecy for multiple messages
▪ For public-key encryption, we have only one option
Secrecy for single message ⇔ secrecy for multiple messages

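IND-CPA security (for public-key encryption)

The game is played between the Challenger (C) and the Attacker (A), both given $1^s$:
1. The challenger computes $k \leftarrow \mathrm{Gen}(1^s)$ and picks $b \in \{0,1\}$.
2. The attacker sends $(m_0, m_1) \in M \times M$ with $|m_0| = |m_1|$, and the challenger replies with $c \leftarrow \mathrm{Enc}_k(m_b)$.
3. The attacker outputs $b' \in \{0,1\}$.

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{CPA}}(A) := \left|\Pr[b = b'] - \tfrac{1}{2}\right|$.

Defn: A public-key encryption scheme (Gen, Enc, Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\mathrm{CPA}}(A) \le \varepsilon(s)$.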

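IND-CCA2 security (for public-key encryption)

The game is played between the Challenger (C) and the Attacker (A), both given $1^s$:
1. The challenger computes $(k_e, k_d) \leftarrow \mathrm{Gen}(1^s)$, picks $b \in \{0,1\}$, and sends $k_e$ to the attacker.
2. For $i = 1, \ldots, n_1$: the attacker sends $c_i \in C$, and the challenger replies with $m_i := \mathrm{Dec}_{k_d}(c_i)$.
3. The attacker sends $(M_0, M_1) \in M \times M$, and the challenger replies with $c \leftarrow \mathrm{Enc}_{k_e}(M_b)$.
4. For $i = 1, \ldots, n_2$: the attacker sends $c'_i \in C \setminus \{c\}$, and the challenger replies with $m'_i := \mathrm{Dec}_{k_d}(c'_i)$. A cannot ask for $\mathrm{Dec}_{k_d}(c)$.
5. The attacker outputs $b' \in \{0,1\}$.

Define A’s advantage to be $\mathrm{Adv}^{\mathrm{CCA}}(A) := \left|\Pr[b = b'] - \tfrac{1}{2}\right|$.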

IND-CCA2 security (for public-key encryption)

Thm: A public-key encryption scheme (Gen, Enc, Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}^{\mathrm{CCA}}(A) \le \varepsilon(s)$.

Consequences of public keys

Thm (informal): Perfectly secret public-key encryption does not exist

Thm (informal): Deterministic IND-CPA secure public-key encryption does not exist

▪ Unbounded attacker can learn m via brute force (How do we know this is always possible?)
▪ PPT attacker can still learn m via brute force, given some prior knowledge about m

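Recall: One-way permutations (OWPs)

The game is played between the Challenger (C) and the Inverter (A), both given $1^s$:
1. The challenger picks $x \in \{0,1\}^s$, computes $y := \pi(x)$, and sends $y$ to the inverter.
2. The inverter returns $x$.

Let E be the event that $\pi(x) \overset{?}{=} y$ for the returned $x$. Define A’s advantage to be $\mathrm{Adv}^{\pi^{-1}}(A) := \Pr[E]$.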

Trapdoor (one-way) permutations (TDPs)

▪ Intuitively, a trapdoor OWP is an OWP with a “trapdoor” that makes inverting easy
– With trapdoor: ∃ PPT A that inverts with overwhelming probability
– Without trapdoor: ∄ PPT A that inverts with non-negligible probability ⇒ hard for any PPT A to find the trapdoor
▪ Formally, we consider a family of permutations, each with its own trapdoor

Trapdoor (one-way) permutations (TDPs)

Defn: A triple of PPT algorithms (Gen, Samp, Inv) is a family of trapdoor permutations if
1. $\mathrm{Gen}: 1^{\mathbb{N}} \to K_e \times K_d$ is a randomized algorithm. Each $(k_e, k_d) \leftarrow \mathrm{Gen}(1^n)$ defines a set $D_{k_e}$ and an OWP $\pi_{D_{k_e}}: D_{k_e} \to D_{k_e}$.
2. $\mathrm{Samp}: K_e \to \bigcup D_{k_e}$ is a randomized algorithm that, on input any $k_e \in K_e$, outputs a random element of $D_{k_e}$.
3. $\mathrm{Inv}: K_d \times \bigcup D_{k_e} \to \bigcup D_{k_e}$ is a deterministic algorithm that, on input $k_d$ and $x \in D_{k_e}$ for any $(k_e, k_d) \leftarrow \mathrm{Gen}(1^n)$, outputs $\pi_{D_{k_e}}^{-1}(x)$.
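An added example, not from the original slides: textbook RSA with constructed toy primes as an assumed instance of (Gen, Samp, Inv), with $D_{k_e} = \mathbb{Z}_N^*$. It also plays the public-key IND-CPA game against the forward permutation used directly as Enc, which illustrates the informal theorem above that deterministic public-key encryption cannot be IND-CPA secure. All function names are hypothetical.

```python
import math
import secrets

TOY_PRIMES = [1009, 1013, 1019, 1021, 1031, 1033]  # constructed; far too small for real use
E = 65537  # assumed public exponent

def gen():
    """Gen: (k_e, k_d) = ((N, e), (N, d)); d is the trapdoor."""
    while True:
        p, q = secrets.choice(TOY_PRIMES), secrets.choice(TOY_PRIMES)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def pi(ke, x):
    """Forward permutation on D_{k_e} = Z_N^*, computable from k_e alone."""
    n, e = ke
    return pow(x, e, n)

def samp(ke):
    """Samp: uniformly random element of Z_N^* (rejection sampling)."""
    n, _ = ke
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            return x

def inv(kd, y):
    """Inv: deterministic inversion using the trapdoor k_d."""
    n, d = kd
    return pow(y, d, n)

def cpa_attacker_wins(enc):
    """One IND-CPA run: the attacker holds k_e, so it re-encrypts m0 itself."""
    ke, _kd = gen()
    m0, m1 = 2, 3                      # attacker's chosen equal-length messages
    b = secrets.randbelow(2)           # challenger's hidden bit
    c = enc(ke, (m0, m1)[b])           # challenge ciphertext
    guess = 0 if enc(ke, m0) == c else 1
    return guess == b

def advantage(enc, trials=200):
    """Empirical |Pr[b = b'] - 1/2| over independent games."""
    wins = sum(cpa_attacker_wins(enc) for _ in range(trials))
    return abs(wins / trials - 0.5)
```

Because `pi` is deterministic and injective, the comparison against the attacker's own encryption of `m0` never fails, so the empirical advantage is the maximum possible value of ½.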

That’s all for today, folks!