Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 6.

Published byZsanett Hajduné Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 6."— Presentation transcript:

1 Cryptography Lecture 6

2 Clicker quiz Let G(x) = x || parity(x). Which of the following proves that G is not a pseudorandom generator? G is not expanding Consider the following distinguisher D: D(y) outputs 1 iff the first bit of y is 1 Consider the following distinguisher D: D(y) outputs 1 iff the parity of the first n bits of y is 0 Consider the following distinguisher D: D(y) outputs 1 iff the parity of the first n bits of y is equal to the last bit of y

3 PRGs Let G be a deterministic, poly-time algorithm that is expanding, i.e., |G(x)| = p(|x|) > |x| seed G output

4 PRGs Let G be a deterministic, poly-time algorithm that is expanding, i.e., |G(x)| = p(|x|) > |x| G defines a sequence of distributions! Dn = the distribution on p(n)-bit strings defined by choosing x  Un and outputting G(x) PrDn[y] = PrUn[G(x) = y] = x : G(x)=y PrUn[x] = x : G(x)=y 2-n = |{x : G(x)=y}|/2n Note that most y occur with probability 0 I.e., Dn is far from uniform

5 PRGs G is a PRG iff {Dn} is pseudorandom
I.e., for all efficient distinguishers A, there is a negligible function  such that | Prx  Un[A(G(x))=1] - Pry  Up(n)[A(y)=1] | ≤ (n) I.e., no efficient A can distinguish whether it is given G(x) (for uniform x) or a uniform string y!

6 Example (insecure PRG)
Let G(x) = 0….0 Distinguisher? Analysis?

7 Example (insecure PRG)
Let G(x) = x | OR(bits of x) Distinguisher? Analysis?

8 Do PRGs exist? We don’t know…
Would imply P  NP We will assume certain algorithms are PRGs Recall the 3 principles of modern crypto… This is what is done in practice We will return to this later in the course Can construct PRGs from weaker assumptions For details, see Chapter 7

9 Where things stand We saw that there are some inherent limitations if we want perfect secrecy In particular, key must be as long as the message We defined computational secrecy, a relaxed notion of security Can we overcome prior limitations?

10 Recall: one-time pad p bits key p bits p bits message ciphertext

11  “Pseudo” one-time pad n bits key p bits G “pseudo” key p bits p bits
message ciphertext

12 Pseudo one-time pad Let G be a deterministic algorithm, with |G(k)| = p(|k|) Gen(1n): output uniform n-bit key k Security parameter n  message space {0,1}p(n) Enck(m): output G(k)  m Deck(c): output G(k)  c Correctness is obvious…

13 Security of pseudo-OTP?
Would like to be able to prove security Based on the assumption that G is a PRG

14 Definitions, proofs, and assumptions
We’ve defined computational secrecy Our goal is to prove that the pseudo OTP meets that definition We cannot prove this unconditionally Beyond our current techniques… Anyway, security clearly depends on G Can prove security based on the assumption that G is a pseudorandom generator

15 PRGs, revisited Let G be an efficient, deterministic function with |G(k)| = p(|k|) k  Un y  Up(n) G D y b For any efficient D, the probabilities that D outputs 1 in each case must be “close”

16 Proof by reduction Assume G is a pseudorandom generator
Assume toward a contradiction that there is an efficient attacker A who “breaks” the pseudo-OTP scheme (as per the definition) Use A as a subroutine to build an efficient D that “breaks” pseudorandomness of G By assumption, no such D exists!  No such A can exist

17 Alternately… Assume G is a pseudorandom generator
Fix some arbitrary, efficient A attacking the pseudo-OTP scheme Use A as a subroutine to build an efficient D attacking G Relate the distinguishing gap of D to the success probability of A By assumption, the distinguishing gap of D must be negligible  Use this to bound the success probability of A

18 Security theorem If G is a pseudorandom generator, then the pseudo one-time pad Π is EAV-secure (i.e., computationally indistinguishable)

19 The reduction y D m0, m1 b←{0,1} mb c b’ A if (b=b’) output 1

20 Analysis If A runs in polynomial time, then so does D

21 Analysis Let µ(n) = Pr[PrivKA,Π(n) = 1]
Claim: when y=G(x) for uniform x, then the view of A is exactly as in PrivKA,Π(n)  Prx ← Un[D(G(x))=1] = µ(n)

22 The reduction k  Un y G -Enc m0, m1 b←{0,1} mb c b’ A
if (b=b’) output 1 D

23 Analysis Let µ(n) = Pr[PrivKA,Π(n) = 1]
If y=G(x) for uniform x, then the view of A is exactly as in PrivKA,Π(n)  Prx ← Un[D(G(x))=1] = µ(n) If distribution of y is uniform, then A succeeds with probability exactly ½  Pry ← Up(n)[D(y)=1] = ½

24 The reduction y  Up(n) y OTP-Enc m0, m1 b←{0,1} mb c b’ A
if (b=b’) output 1 D

25 Analysis Let µ(n) = Pr[PrivKA,Π(n) = 1]
If y=G(x) for uniform x, then the view of A is exactly as in PrivKA,Π(n)  Prx ← Un[D(G(x))=1] = µ(n) If distribution of y is uniform, then A succeeds with probability exactly ½  Pry ← Up(n)[D(y)=1] = ½ Since G is pseudorandom: | µ(n) – ½ | ≤ negl(n) Pr[PrivKA,Π(n) = 1] ≤ ½ + negl(n)

26 Stepping back… Proof that the pseudo OTP is secure…
We have a provably secure scheme, rather than just a heuristic construction!

27 Stepping back… Proof that the pseudo OTP is secure… …with some caveats
Assuming G is a pseudorandom generator Relative to our definition The only ways the scheme can be broken are: If a weakness is found in G If the definition isn’t sufficiently strong…

28 Have we gained anything?
YES: the pseudo-OTP has a key shorter than the message n bits vs. p(n) bits The fact that the parties internally generate a p(n)-bit temporary string to encrypt/decrypt is irrelevant The key is what the parties share in advance Parties do not store the p(n)-bit temporary value

29 Recall… Perfect secrecy has two limitations/drawbacks
Key as long as the message Key can only be used once We have seen how to circumvent the first Does the pseudo OTP have the second limitation? How can we circumvent the second?

30 But first… Develop an appropriate security definition
Recall that security definitions have two parts Security goal Threat model We will keep the security goal the same, but strengthen the threat model

31 Single-message secrecy
k k m c  Enck(m)

32 Multiple-message secrecy
c1, …, ct k k m1, …, mt c1  Enck(m1) … ct  Enck(mt)

33 A formal definition Fix , A
Define a randomized exp’t PrivKmultA,(n): A(1n) outputs two vectors (m0,1, …, m0,t) and (m1,1, …, m1,t) Require that |m0,i| = |m1,i| for all i k  Gen(1n), b  {0,1}, for all i: ci  Enck(mb,i) b’  A(c1, …, ct); A succeeds if b = b’, and experiment evaluates to 1 in this case

34 A formal definition  is multiple-message indistinguishable if for all PPT attackers A, there is a negligible function  such that Pr[PrivKmultA,(n) = 1] ≤ ½ + (n) Exercise: show that the pseudo-OTP is not multiple-message indistinguishable

Download ppt "Cryptography Lecture 6."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.

Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.
Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.

Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Cryptography Lecture 3 Arpita Patra © Arpita Patra.

Cryptography Lecture 3 Arpita Patra © Arpita Patra.
Topic 26: Discrete LOG Applications

Topic 26: Discrete LOG Applications
Cryptography Lecture 5 Arpita Patra © Arpita Patra.

Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Modern symmetric-key Encryption

Modern symmetric-key Encryption

Similar presentations

Ads by Google