Ryan Henry I 538 /B 609 : Introduction to Cryptography
Ryan Henry The goal of secure program obfuscation is to make a program ``unintelligible'' while preserving its functionality. For decades, program obfuscation for general programs has remained an art, with all public general-purpose obfuscation methods known to be broken. In this talk, we will describe new developments that for the first time provide a mathematical approach to the problem of general-purpose program obfuscation, where extracting secrets from the obfuscated program requires solving mathematical problems that currently take hundreds of years to solve on the world's fastest computing systems. We will also discuss the implications of these developments. Friday, November 13 at 3:00pm in LH 102: Amit Sahai, UCLA Software with Secrets
Ryan Henry Tuesday’s lecture: Computational hardness assumptions Diffie-Hellman key exchange Today’s lecture: Public key encryption IND-CPA / IND-CCA for public key schemes Trapdoor functions and permutations 2
Ryan Henry Assignment 5 is due Tuesday, November 10! (That’s next week!) 3
Ryan Henry Testing for generators Thm: Let (G,) be a cyclic group of order n=p 1 e 1 ⋯p k e k, where the p i are pairwise distinct primes. Then g∈G is a generator of (G,) if and only if ∀i=1,…,k, g n⁄p i ≢1.(*) 4 (“⇒”) By def n : If g∈G is a generator, then g m ≢1 for any 0<m<n. (“⇐”) Suppose g∈G satisfies Eq (*), and let j=|g|. By Lagrange’s Theorem, j|n; i.e., n=jq for some q∈ℕ +. In other words, j=p 1 e′ 1 ⋯p k e′ k where 0≤e′ i ≤e i for each i=1,…,k. If j<m, then ∃ i such that e′ i ≤e i, in which case j|(n⁄p i ). But then Eq (*) implies that g j ≢1, which is a contradiction. Hence, we must have that j≥m. ☐ Proof:
Ryan Henry Public-key encryption schemes 5 Def n : A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that – Gen:1 ℕ →K e ×K d is a randomized “keypair generation” algorithm; – Enc:K e ×M→C is an (often randomized) “encryption” algorithm; – Dec:K d ×C→M is a deterministic “decryption” algorithm. Usually write Enc k e (m) and Dec k d (m) instead of Enc(k e,m) and Dec(k d,m) K e is the encryption key space K d is the decryption key space M is the message space C is the ciphertext space (set of possible encryption keys) (set of possible decryption keys) (set of possible messages) (set of possible ciphertexts)
Ryan Henry Correctness ▪ Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key) 6 Def n : A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε:ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈M, Pr[Dec k d (Enc k e (m))=m|(k e,k d )←Gen(1 s )]≥1-ε(s)
Ryan Henry Recall: IND-CPA security 7 (for symmetric-key encryption) Challenger (C) Attacker (A) k←Gen(1 s ) b∊{0,1} (m 10 ,m 11 )∈M×M (|m 10 |=|m 11 |) c 1 ←Enc k (m 1b ) b‘∈{0,1} 1 s1 s 1 s1 s (m 10 ,m 11 ) c 1 (m 20 ,m 21 )∈M×M (|m 20 |=|m 21 |) c 2 ←Enc k (m 2b ) (m 20 ,m 21 ) c 2 (m q0 ,m q1 )∈M×M (|m q0 |=|m q1 |) c q ←Enc k (m qb ) (m q0 ,m q1 ) c q ⋮ Define A’s advantage to be Adv CPA (A)≔|Pr[b=b’]-½| “left–or–right”
Ryan Henry Variants of the IND-CPA security game ▪ The game we have seen in lectures is sometimes called the “left–or–right” IND–CPA game ▪ Three other (“equivalent”) variants are common: 1. “Real–or–random” IND–CPA security game 2. “Find–then–guess” IND–CPA security game 3. Semantic security game 8
Ryan Henry IND-CPA security 9 (for symmetric-key encryption) Challenger (C) Attacker (A) k←Gen(1 s ) m 1 ∈M c 1 ←Enc k (m 1 ) b‘∈{0,1} 1 s1 s 1 s1 s m 1 c 1 m n ∈M c n ←Enc k (m n ) m n c n ⋮ Game 0: (Attacker has access to real encryption oracle) Challenger (C) Attacker (A) k←Gen(1 s ) m 1 ∈M c 1 ∊C b‘∈{0,1} 1 s1 s 1 s1 s m 1 c 1 m n ∈M c n ∊C m n c n ⋮ Game 1: (Attacker has access to random oracle) “real–or–random” Define A’s advantage to be Adv ROR (A)≔|Pr[b=b’]-½|
Ryan Henry IND-CPA security 10 (for symmetric-key encryption) “find–then–guess” Challenger (C) Attacker (A) k←Gen(1 s ) b∊{0,1} m 1 ∈M c 1 ←Enc k (m 1 ) b‘∈{0,1} 1 s1 s 1 s1 s m 1 c 1 m q ∈M (M 1 ,M 2 )∈M×M (|M 1 |=|M 2 |) c q ←Enc k (m qb ) m q c q ⋮ (M 1 ,M 2 ) C C←Enc k (M b ) Define A’s advantage to be Adv FTG-CPA (A)≔|Pr[b=b’]-½|
Ryan Henry IND-CPA security for public-key schemes ▪F▪For symmetric-key encryption, we had two options: 1. Secrecy for a single message: Indistinguishable encryptions in the presence of an eavesdropper 2. Secrecy for multiple messages: Indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA) Secrecy for single message ⇏secrecy for multiple messages ▪F▪For public-key encryption, we have only one option Secrecy for single message ⇔ secrecy for multiple messages 11
Ryan Henry 12 IND-CPA security (for public-key encryption) Challenger (C) Attacker (A) k←Gen(1 s ) b∊{0,1} b‘∈{0,1} 1 s1 s 1 s1 s (m 0 ,m 1 )∈M×M (|m 0 |=|m 1 |) c←Enc k (m b ) (m 0 ,m 1 ) c Define A’s advantage to be Adv CPA (A)≔|Pr[b=b’]-½| Def n : A public-key encryption scheme (Gen,Enc,Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv CPA (A)≤ε(s).
Ryan Henry 13 Challenger (C) Attacker (A) (k e ,k d )←Gen(1 s ) b∊{0,1} b‘∈{0,1} 1 s1 s 1 s1 s c1c1 m1m1 (M 0 ,M 1 ) c ⋮ c 1 ∈C (M 0 ,M 1 )∈M×M m 1 ≔Dec k d (c 1 ) c← Enc k e (M b ) ⋮ c’n2c’n2 m’n2m’n2 c’ n 2 ∈C∖ {c} m’ n 2 ≔Dec k d (c’ n 2 ) A c a n n o t a s k f o r D e c k d ( c ) cn1cn1 mn1mn1 c n 1 ∈C m n 1 ≔Dec k d (c n 1 ) c’1c’1 m’1m’1 c’ 1 ∈C∖ {c} m’ 1 ≔Dec k d (c’ 1 ) keke Define A’s advantage to be Adv CCA (A)≔|Pr[b=b’]-½| IND-CCA2 security (for public-key encryption)
Ryan Henry Thm: A public-key encryption scheme (Gen,Enc,Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function ε:ℕ→ℝ + such that Adv CCA (A)≤ε(s). 14 IND-CCA2 security (for public-key encryption)
Ryan Henry Consequences of public keys Thm (informal): Perfectly secret public-key encryption does not exist 15 Thm (informal): Deterministic IND-CPA secure public- key encryption does not exist ▪U▪Unbounded attacker can learn m via brute force (How do we know this is always possible?) ▪P▪PPT attacker can still learn m via brute force, given some prior knowledge about m
Ryan Henry Recall: One-way permutations (OWPs) 16 Challenger (C) Inverter (A) x∊{0,1} s y≔π(x) x 1 s1 s y Let E be the event that π(x)≟y Define A’s advantage to be Adv π -1 (A)≔Pr[E] 1 s1 s
Ryan Henry Recall: One-way permutations (OWPs) 17
Ryan Henry Trapdoor (one-way) permutations (TDPs) ▪I▪Intuitively, a trapdoor OWP is an OWP with a “trapdoor” that makes inverting easy –W–With trapdoor: ∃ PPT A that inverts with overwhelming probability –W–Without trapdoor: ∄ PPT A that inverts with non-negligible probability ⇒ hard for any PPT A to find the trapdoor ▪F▪Formally, we consider a family of permutations, each with its own trapdoor 18
Ryan Henry Trapdoor (one-way) permutations (TDPs) Def n : A triple of PPT algorithms (Gen,Samp,Inv) is a family of trapdoor permutations if 1. Gen:1 ℕ →K e ×K d is a randomized algorithm. Each (k e,k d )←Gen(1 n ) defines a set D k e and an OWP π D k e :D k e →D k e. 2. Samp: K e → ⋃ D k e is a randomized algorithm that, on input any k e ∈K e, outputs a random element of D k e 3. Inv: K d × ⋃ D k e → ⋃ D k e is a deterministic algorithm on input k d and x∈D k e for any (k e ,k d )←Gen(1 n ), outputs Π D -1 k e (x) 19
Ryan Henry That’s all for today, folks! 20