1
Cryptography Lecture 7
2
CPA-security
[figure: diagram with labels k, m, c, Enc_k(m), m_1, c_1, Enc_k(m_1), m_2, c_2]
3
Is the threat model too strong?
In practice, there are many ways an attacker can influence what gets encrypted
Not clear how best to model
Chosen-plaintext attacks encompass any such influence
Moreover, in some cases an attacker may have significant control over what gets encrypted
4
“Midway”
AF is short of water…
Will attack AF …
Help! Fresh water needed
Midway Island
For more details, see:
5
CPA-security
Fix , A
Define a randomized exp’t PrivK^CPA_{A,}(n):
k Gen(1^n)
A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length
b {0,1}, c Enc_k(m_b), give c to A
A can continue to interact with Enc_k(·)
A outputs b’; A succeeds if b = b’, and experiment evaluates to 1 in this case
6
CPA-security
is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function such that
Pr[PrivK^CPA_{A,}(n) = 1] ≤ ½ + (n)
7
Impossible?
Consider the following attacker A:
Using a chosen-plaintext attack, get c_0 = Enc_k(m_0) and c_1 = Enc_k(m_1)
Output m_0, m_1; get challenge ciphertext c
If c = c_0 output ‘0’; if c = c_1 output ‘1’
A succeeds with probability 1 (?)
This attack only works if encryption is deterministic!
Moral: randomized encryption must be used!
8
Randomized encryption
The issue is not an artifact of our definition
It really is a problem if an attacker can tell when the same message is encrypted twice
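The attacker A from the "Impossible?" slide, run inside the CPA experiment against a deterministic scheme and a randomized one (an added example, not part of the lecture slides). HMAC-SHA256 as the keyed function, the randomized construction r || (F_k(r) XOR m), which goes beyond what these slides define, and all function and class names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def prf(k: bytes, x: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for a keyed pseudorandom function.
    return hmac.new(k, x, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc_deterministic(k: bytes, m: bytes) -> bytes:
    # Fixed pad per key: equal plaintexts always give equal ciphertexts.
    return xor(m, prf(k, b"fixed-pad"))

def enc_randomized(k: bytes, m: bytes) -> bytes:
    # Fresh uniform r on every call; ciphertext is r || (F_k(r) XOR m).
    r = secrets.token_bytes(16)
    return r + xor(m, prf(k, r))

class SlideAttacker:
    """The attacker A from the slide: query m0 and m1, then compare."""
    def choose(self, oracle, n):
        self.m0, self.m1 = bytes(n), b"\xff" * n
        self.c0, self.c1 = oracle(self.m0), oracle(self.m1)
        return self.m0, self.m1

    def guess(self, c):
        if c == self.c0:
            return 0
        if c == self.c1:
            return 1
        return secrets.randbelow(2)  # no match: left with a coin flip

def privk_cpa(enc, attacker, n=16):
    """One run of the CPA experiment; returns 1 if the attacker wins."""
    k = secrets.token_bytes(n)            # key generation
    oracle = lambda m: enc(k, m)          # encryption oracle Enc_k(.)
    m0, m1 = attacker.choose(oracle, n)
    assert len(m0) == len(m1)
    b = secrets.randbelow(2)              # uniform challenge bit
    c = oracle(m1 if b else m0)           # challenge ciphertext
    return int(attacker.guess(c) == b)

def success_rate(enc, trials=2000):
    return sum(privk_cpa(enc, SlideAttacker()) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("deterministic:", success_rate(enc_deterministic))
    print("randomized:   ", success_rate(enc_randomized))
```

Against the deterministic scheme the challenge ciphertext always equals one of the two recorded ciphertexts, so A wins every run; against the randomized scheme the comparison never matches and A is reduced to guessing.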
9
Pseudorandom functions
10
Pseudorandom functions
Informally, a pseudorandom function “looks like” a random (i.e., uniform) function
11
Random function
Func_n = all functions mapping {0,1}^n to {0,1}^n
How big is Func_n?
Can represent a function in Func_n using n · 2^n bits
|Func_n| = 2^{n·2^n}
[table: example function table with inputs 000, 001, 010, 011, 100, 101, 110, 111; listed outputs 010, 100, 111, 001, 000; # of entries: 2^3 = 8]
12
Random function
Exercise: how many functions are there mapping {0,1}^n to {0,1}^m?
13
Random function
Choose uniform f Func_n
Equivalent: for each x {0,1}^n, choose f(x) uniformly in {0,1}^n
I.e., fill up the function table with uniform values
Can also view this as being done “on-the-fly,” as values are needed
14
Pseudorandom functions
Informally, a pseudorandom function “looks like” a random function
As in our discussion of PRGs, it does not make sense to talk about any fixed function being pseudorandom
We look instead at keyed functions
15
Keyed functions
Let F: {0,1}^* x {0,1}^* {0,1}^* be an efficient, deterministic algorithm
Define F_k(x) = F(k, x)
The first input is called the key
Assume F is length preserving: F(k, x) only defined if |k| = |x|, in which case |F(k, x)| = |k| = |x|
Choosing a uniform k {0,1}^n is equivalent to choosing the function F_k : {0,1}^n {0,1}^n
I.e., for fixed key length n, the algorithm F defines a distribution over functions in Func_n!
16
Note
The number of functions in Func_n is 2^{n·2^n}
{F_k}_{k {0,1}^n} is a subset of Func_n
The number of functions in {F_k}_{k {0,1}^n} is at most 2^n
This is only a tiny fraction of Func_n!
17
Pseudorandom functions (PRFs)
F is a pseudorandom function if F_k, for uniform key k {0,1}^n, is indistinguishable from a uniform function f Func_n
Formally, for all poly-time distinguishers D:
| Pr_{k {0,1}^n}[D^{F_k(·)} = 1] - Pr_{f Func_n}[D^{f(·)} = 1] | ≤ ε(n)
18
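[figure: World 0: f Func_n chosen uniformly at random; queries x_1, …, x_t are answered with f(x_1), …, f(x_t). World 1: k {0,1}^n chosen uniformly at random; queries x_1, …, x_t are answered with F_k(x_1), …, F_k(x_t). The (poly-time) distinguisher has to tell which world it is in (??).]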
19
Examples (insecure)
F(k, x) = 0^n
F(k, x) = k
F(k, x) = k x