B504/I538: Introduction to Cryptography
Spring, Lecture 21 (2017-03-28)
Assignment 5 is due next Thursday! (2017-04-06)
Public-key encryption schemes
Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that
- Gen: 1^ℕ → Ke × Kd is a randomized "keypair generation" algorithm;
- Enc: Ke × M → C is an (often randomized) "encryption" algorithm;
- Dec: Kd × C → M is a deterministic "decryption" algorithm.
We usually write Enc_ke(m) and Dec_kd(c) instead of Enc(ke, m) and Dec(kd, c).
Here Ke is the encryption key space (the set of possible encryption keys), Kd is the decryption key space (the set of possible decryption keys), M is the message space (the set of possible messages), and C is the ciphertext space (the set of possible ciphertexts).
Correctness
Intuitively: correctness is the property of being able to decrypt (given the appropriate decryption key).
Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε: ℕ → ℝ+ such that, ∀s ∈ ℕ and ∀m ∈ M,
  Pr[Dec_kd(Enc_ke(m)) = m | (ke, kd) ← Gen(1^s)] ≥ 1 - ε(s).
Recall: IND-CPA security
"left-or-right" (for symmetric-key encryption)
Challenger (C) and Attacker (A) both receive 1^s; C runs k ← Gen(1^s) and picks b ∊ {0,1}.
For i = 1, ..., q:
  A sends (m_i0, m_i1) ∈ M × M with |m_i0| = |m_i1|;
  C replies with c_i ← Enc_k(m_ib).
Finally A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_CPA(A) ≔ |Pr[b = b'] - ½|.
Variants of the IND-CPA security game
The game we have seen in lectures is sometimes called the "left-or-right" IND-CPA game. Three other ("equivalent") variants are common:
- "Real-or-random" IND-CPA security game
- "Find-then-guess" IND-CPA security game
- Semantic security game
IND-CPA security "real-or-random" (for symmetric-key encryption)
Game 0 (attacker has access to the real encryption oracle): C and A both receive 1^s; C runs k ← Gen(1^s). For i = 1, ..., n: A sends m_i ∈ M and C replies with c_i ← Enc_k(m_i). Finally A outputs b' ∈ {0,1}.
Game 1 (attacker has access to a random oracle): C and A both receive 1^s; C runs k ← Gen(1^s). For i = 1, ..., n: A sends m_i ∈ M and C replies with c_i ∊ C chosen uniformly at random. Finally A outputs b' ∈ {0,1}.
With b ∈ {0,1} denoting which game A is playing, define A's advantage to be Adv_ROR(A) ≔ |Pr[b = b'] - ½|.
IND-CPA security "find-then-guess" (for symmetric-key encryption)
C and A both receive 1^s; C runs k ← Gen(1^s) and picks b ∊ {0,1}.
Find phase: for i = 1, ..., q, A sends m_i ∈ M and C replies with c_i ← Enc_k(m_i).
Guess phase: A sends (M0, M1) ∈ M × M with |M0| = |M1|; C replies with c ← Enc_k(M_b); A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_FTG-CPA(A) ≔ |Pr[b = b'] - ½|.
IND-CPA security for public-key schemes
For symmetric-key encryption, we had two options:
- Secrecy for a single message: indistinguishable encryptions in the presence of an eavesdropper
- Secrecy for multiple messages: indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA)
Secrecy for a single message ⇏ secrecy for multiple messages.
For public-key encryption, we have only one option:
Secrecy for a single message ⇔ secrecy for multiple messages.
IND-CPA security (for public-key encryption)
C and A both receive 1^s; C runs (ke, kd) ← Gen(1^s), gives ke to A, and picks b ∊ {0,1}.
A sends (m0, m1) ∈ M × M with |m0| = |m1|; C replies with c ← Enc_ke(m_b); A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_CPA(A) ≔ |Pr[b = b'] - ½|.
Defn: A public-key encryption scheme (Gen, Enc, Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ+ such that Adv_CPA(A) ≤ ε(s).
IND-CCA2 security (for public-key encryption)
C and A both receive 1^s; C runs (ke, kd) ← Gen(1^s), gives ke to A, and picks b ∊ {0,1}.
Phase 1: for i = 1, ..., n1, A sends c_i ∈ C and C replies with m_i ≔ Dec_kd(c_i).
Challenge: A sends (M0, M1) ∈ M × M; C replies with c ← Enc_ke(M_b).
Phase 2: for i = 1, ..., n2, A sends c'_i ∈ C ∖ {c} and C replies with m'_i ≔ Dec_kd(c'_i). (A cannot ask for Dec_kd(c).)
Finally A outputs b' ∈ {0,1}.
Define A's advantage to be Adv_CCA(A) ≔ |Pr[b = b'] - ½|.
IND-CCA2 security (for public-key encryption)
Defn: A public-key encryption scheme (Gen, Enc, Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function ε: ℕ → ℝ+ such that Adv_CCA(A) ≤ ε(s).
Consequences of public keys
Thm (informal): Perfectly secret public-key encryption does not exist.
  An unbounded attacker can learn m via brute force. (How do we know this is always possible?)
Thm (informal): Deterministic IND-CPA secure public-key encryption does not exist.
  A PPT attacker can still learn m via brute force, given some prior knowledge about m: since it holds ke, it can encrypt each candidate message itself and compare the result with the ciphertext.
Recall: One-way permutations (OWPs)
Challenger (C) and Inverter (A) both receive 1^s; C picks x ∊ {0,1}^s, computes y ≔ π(x), and sends y to A; A replies with a candidate preimage x'.
Let E be the event that π(x') = y. Define A's advantage to be Adv_π^-1(A) ≔ Pr[E].
Recall: One-way permutations (OWPs)
Defn: A function π: {0,1}* → {0,1}* is a one-way permutation (OWP) if it is
- easy to compute: there exists an efficient algorithm that, on input x ∈ {0,1}*, outputs π(x);
- length-preserving: for all x ∈ {0,1}*, |x| = |π(x)|;
- one-to-one: for all x1, x2 ∈ {0,1}*, π(x1) = π(x2) implies x1 = x2; and
- hard to invert: for every PPT algorithm A, there exists a negligible function ε: ℕ → ℝ+ such that Adv_π^-1(A) ≤ ε(s).
Trapdoor (one-way) permutations (TDPs)
Intuitively, a trapdoor OWP is an OWP with a "trapdoor" that makes inverting easy.
- With the trapdoor: ∃ PPT A that inverts with overwhelming probability.
- Without the trapdoor: ∄ PPT A that inverts with non-negligible probability ⇒ it is hard for any PPT A to find the trapdoor.
Formally, we consider a family of permutations, each with its own trapdoor.
Trapdoor (one-way) permutations (TDPs)
Defn: A triple of PPT algorithms (Gen, Samp, Inv) is a family of trapdoor permutations if
- Gen: 1^ℕ → Ke × Kd is a randomized algorithm. Each (ke, kd) ← Gen(1^n) defines a set D_ke and an OWP π_{D_ke}: D_ke → D_ke.
- Samp: Ke → ⋃ D_ke is a randomized algorithm that, on input any ke ∈ Ke, outputs a random element of D_ke.
- Inv: Kd × ⋃ D_ke → ⋃ D_ke is a deterministic algorithm that, on input kd and x ∈ D_ke for any (ke, kd) ← Gen(1^n), outputs π_{D_ke}^{-1}(x).
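As an added example (not part of the lecture), the Python below models (Gen, Samp, Inv) with textbook RSA on deliberately tiny constructed primes, and then plays the left-or-right IND-CPA game against the deterministic scheme Enc_ke(m) = π_{D_ke}(m) to illustrate the earlier claim that deterministic public-key encryption cannot be IND-CPA secure. The attacker needs only ke, and its measured advantage is ½; the parameter sizes, the attacker strategy and all function names are this example's own.

```python
import random
from math import gcd

def _rand_prime(bits, rng):
    """Random `bits`-bit prime by trial division (tiny constructed sizes only)."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if all(p % q for q in range(2, int(p ** 0.5) + 1)):
            return p

def gen(s, rng=random):
    """Gen(1^s) -> ((N, e), (N, d)); ke defines D_ke = Z_N. Tiny primes: no security."""
    p, q = _rand_prime(s, rng), _rand_prime(s, rng)
    while q == p:
        q = _rand_prime(s, rng)
    N, phi, e = p * q, (p - 1) * (q - 1), 3
    while gcd(e, phi) != 1:  # smallest odd e coprime to phi(N)
        e += 2
    return (N, e), (N, pow(e, -1, phi))

def samp(ke, rng=random):
    """Samp(ke): uniformly random element of D_ke = Z_N."""
    return rng.randrange(ke[0])

def perm(ke, x):
    """pi_{D_ke}(x) = x^e mod N, computable from the public key alone."""
    return pow(x, ke[1], ke[0])

def inv(kd, y):
    """Inv(kd, y) = y^d mod N, easy only with the trapdoor d."""
    return pow(y, kd[1], kd[0])

def ind_cpa_game(s, rng):
    """One left-or-right IND-CPA game against the deterministic scheme
    Enc_ke(m) = perm(ke, m) (textbook RSA); True if A guesses b."""
    ke, _kd = gen(s, rng)
    b = rng.randrange(2)
    m0 = samp(ke, rng)             # A picks two distinct messages
    m1 = (m0 + 1) % ke[0]
    c = perm(ke, (m0, m1)[b])      # challenger encrypts m_b under ke
    # A holds ke, so it re-encrypts m0 and compares with c; this decides b
    # only because Enc is deterministic (no randomness masks the ciphertext).
    return (0 if perm(ke, m0) == c else 1) == b

def cpa_advantage(s=12, trials=200, seed=0):
    """Empirical Adv_CPA(A) = |Pr[b = b'] - 1/2| for the attacker above."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_game(s, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)
```

A randomized scheme built on the same permutation (e.g. one that pads m with fresh randomness before applying perm) would leave this attacker guessing, which is exactly what the IND-CPA definition demands.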
That’s all for today, folks!