Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 6 Arpita Patra © Arpita Patra.

Published byBlanche Davis Modified over 5 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 6 Arpita Patra © Arpita Patra."— Presentation transcript:

1 Cryptography Lecture 6 Arpita Patra © Arpita Patra

2 Recall >> Computational security
Security definitions (ind-coa/sem-coa) Pseudorandom Generators (PRGs), non-trivial to construct, no secure PRG in the face of an unbounded powerful adversary A scheme based on PRG Reduction based proof overview, proof of our scheme >> More stronger definition Mult-coa definition Stronger than coa and needs randomized encryption scheme

3 Today’s Goal Introduction to cpa attack and cpa security
Look for assumption needed to construct a scheme Pseudo-random Functions Definition Non-trivial to construct Pseudo-random Permutation (Strong/weak variant) Construction based on PRF

4 Security for SKE with COA to CPA
Randomized PPT COA Given the knowledge of two messages (vector of messages), it cannot be distinguished if the ciphertext corresponds to the first or second message (message vector). Randomized PPT CPA Given the knowledge of two messages (vector of messages), it cannot be distinguished if the ciphertext corresponds to the first or second message (message vector).

5 Chosen-Plaintext Attacks (CPA)
m c = Enck(m) Enc ?? mt ct m2 c2 m1 c1 k k (m1, c1), (m2, c2), …, (mt, ct): ci = Enck(mi) Encryption Oracle Don’t shout right away that this attack is unmountable, unrealistic, adversary cannot do it. It is very much doable. >> Adversary influences the honest parties to encrypt messages (using the same key) of its choice >> Adv’s Goal: to determine the plaintext encrypted in a new cipher-text Is CPA is mountable only against a moron???

6 CPA M. Luby: Pseudorandomness and Cryptographic Applications; Princeton University Press, 1996 Mihir Bellare, Anand Desai, E. Jokipii, Phillip Rogaway: A Concrete Security Treatment of Symmetric Encryption. FOCS,1997.

7 Is CPA Realistic ? How can an attacker influence parties to encrypt messages of its choice (using the same key) ? Consider a secure hardware with secret-key embedded >> Often used in military applications An insider may have access to the hardware (not the key) >> Can choose messages of its choice and get their encryptions

8 CPA shortened WWII by 2-3 Years
Break of German codes by British during WW II Allied Power At Bletchley Park Loc3 Loc1 Loc2 CPA has a great contribution to humankind. Bletchley park was the mecca of cryptanalysis + crypto during WWII. Axis Power Enck(Loc1) Enck(Loc2) Trivia: Who played a key role in this cryptanalysis process Enck(Loc3)

9 CPA Indistinguishability Experiment
PrivK (n) A,  cpa  = (Gen, Enc, Dec), M , n Query: Plain-text Response: Ciphertext PPT Attacker A k Let me verify Gen(1n) I can break  Training Phase: >> A is given oracle access to Enck() >> A adaptively submits its query (free to submit m0, m1) and receives their encryption

10 CPA Indistinguishability Experiment
PrivK (n) A,  cpa  = (Gen, Enc, Dec), M , n b  {0, 1} Training Phase PPT Attacker A m0, m1 M, |m0| = |m1| c  Enck(mb) k Let me verify Gen(1n) I can break  Challenge Phase: >> A submits two equal length challenge plaintexts >> A is free to submit any message of its choice (including the ones already queried during the training phase) >> One of the challenge plaintexts is randomly encrypted for A (using fresh randomness)

11 CPA Indistinguishability Experiment
PrivK (n) A,  cpa  = (Gen, Enc, Dec), M , n b  {0, 1} Training Phase PPT Attacker A m0, m1 M, |m0| = |m1| c  Enck(mb) k Query: Plain-text Let me verify Gen(1n) I can break  Response: Ciphertext Post-challenge Training Phase: >> A is given oracle access to Enck() >> A adaptively submits its query (possibly including m0, m1) and receives their encryption

12 CPA Indistinguishability Experiment
PrivK (n) A,  cpa  = (Gen, Enc, Dec), M , n b  {0, 1} Training Phase PPT Attacker A m0, m1 M, |m0| = |m1| c  Enck(mb) k Post-challenge Training Let me verify Gen(1n) I can break  b’  {0, 1} b = b’ Game Output b  b’ 0 --- attacker lost 1 --- attacker won Response Phase: A finally submits its guess regarding encrypted challenge plain-text A wins the experiment if its guess is correct

13 CPA Security ½ + negl(n) Why it is stronger than multi-coa? PrivK (n)
 = (Gen, Enc, Dec), M , n b  {0, 1} Training Phase PPT Attacker A m0, m1 M, |m0| = |m1| c  Enck(mb) k Post-challenge Training Let me verify Gen(1n) I can break  b’  {0, 1} b = b’ Game Output b  b’ 0 --- attacker lost 1 --- attacker won  is CPA-secure if for every PPT A, there is a negligible function negl, such that: ½ + negl(n) Pr PrivK (n) A,  cpa = 1 Why it is stronger than multi-coa?

14 CPA Security for Multiple Encryptions
PrivK (n) A,  cpa-mult  = (Gen, Enc, Dec), M , n Training Phase b  {0, 1} M0 = (m0,1, …, m0, t) M1 = (m1,1, …, m1, t) PPT Attacker A (freedom to choose any pair) c1  Enck(mb,1) ,…, ct  Enck(mb, t) k Let me verify Gen(1n) I can break  Post-challenge Training b’  {0, 1} b = b’ Game Output b  b’ 0 --- attacker lost 1 --- attacker won  is CPA-secure for multiple encryptions if for every PPT A, there is a negligible function negl, such that: ½ + negl(n) Pr PrivK (n) A,  cpa-mult = 1

15 CPA Multiple-message vs Single-message Security
Experiment is a special case of PrivK (n) A,  cpa cpa-mult Set |M0| = |M1| = 1 Converse was not true in the case of coa-security Any cipher that is CPA-secure for multiple encryptions is also CPA-secure (for single encryption) What about the converse ? Theorem: Any cipher that is CPA-secure is also CPA-secure for multiple encryptions Sufficient to prove CPA-security for single encryption; rest is “for free”

16 CPA-security Guarantee in Practice
Ensures security against CPA even if multiple messages are encrypted using a single key and communicated >> Even if the adversary knows that the encrypted messages belong to one of the two possible “classes” >> Even if the adversary has seen encryptions of the messages in those classes in the past We have overcome both the drawbacks perfectly-secure scheme: (a) key size as big as message (b) key cannot be reused Very good security guarantees >> The least we should expect from a SKE

17 Search for Assumptions of cpa-Secure Scheme
Encryption procedure cannot be deterministic. Can u find an attack? Encryption procedure MUST be randomized >> Need “fresh” randomness for each run of Enc. Results different ciphertexts for the same message >> At the same time want to use a “single key”. m c = (xi, m yi) Enc ?? x1 = 00000…0 y1 R {0,1}n x2 = 00000…1 x2n = 11111… 1 y2n R {0,1}n y2 R {0,1}n x1 = 00000…0 y1 R {0,1}n x2 = 00000…1 x2n = 11111… 1 y2n R {0,1}n y2 R {0,1}n yi Pad yi is truly random f: {0,1}n  {0, 1}n >> Instances of OTP f: {0,1}n  {0, 1}n >> Problem with the above solution --- size of f is n2n bits

18 Assumptions for cpa-secure SKEs
O. Goldreich, S. Goldwasser and S. Micali. How to Construct Random Functions. JACM, 33(4), , 1986 Pseudorandom Functions (PRF) that “look” like TRF but actually not!!

19 Pseudorandomness Funcn = { Set of all functions f: {0,1}n  {0, 1}n }
- It’s a property of a probability distribution on a set Funcn = { Set of all functions f: {0,1}n  {0, 1}n } G: a prob. Dist. = { Set of probabilities } U: Uniform probability Distribution We are interested in certain type of G. A function drawn according to U is called truly random function (TRF) Sampler for G and U y Give me output for x G is pseudorandom if a function drawn according to G is indistinguishable from a function drawn according to U to a PPT distinguisher who can make PPT no. of queries

20 Funcn & Uniform Distribution & TRF
Funcn = { Set of all functions f: {0,1}n  {0, 1}n } = {f1, f2, …, f } 2n. 2n U = {1/ ,1/ , …, 1/ } |Funcn| = 2n. 2n 2n. 2n 2n. 2n 2n. 2n x1 = 00000…0 x2 = 00000…1 x2n = 11111… 1 2n possibilities 2n possibilities n2n Truly Random Function (TRF): chosen according to U >> Output behavior is completely unpredictable >> Every string of length n is a possible image with equal probability

21 Pseudorandom Functions (PRF)
> PRF- A function chosen from Funcn according to some distribution different from U - yet, its output behavior “looks like” a TRF - must be efficiently computable - Function specification must be concise (poly size) Definitely not by truth table which will be of size n2n The sender & the receiver needs to agree on the function > keyed functions fk (.): {0,1}n  {0, 1}n Example: fk (x): k ⨁ x Funcn :{ Set of all functions f: {0,1}n  {0, 1}n } |Funcn| = 2n. 2n TRF: A function chosen uniformly at random from Fn KFuncn KFuncn :{ Set of all KEYED functions fk: {0,1}n  {0, 1}n } |KFuncn| = 2n Funcn PRF: A function chosen uniformly at random from KFuncn and “behaves” like a TRF

22 A possible Definition of PRF in PRG style
Give F (table) either uniformly sampled from Funcn or from KFuncn to PPT distinguisher D and ask if it is a TRF or PRF. >> Does it work? >> No, since the description of the function is of exponential size >> Instead we give D oracle access to either a TRF or a PRF and ask “tell us who are you interacting with?” >> If D cannot tell apart the “behavior” of the function Fk (for a uniformly random k) from a truly random function f: {0,1}n  {0,1}n, then we say f is a PRF.

23 Indistinguishability Game for PRF
F: {0, 1}n x {0, 1}n  {0, 1}n Oracle Funcn = {f1, f2, …, f } 2n. 2n x1 Value of the function at x1 f R Funcn y1 = f(x1) b= 0 PPT distinguisher D Value of the function at x1 is y1 KFuncn = {Fk1, …, Fk } 2n b

24 Indistinguishability Game for PRF
F: {0, 1}n x {0, 1}n  {0, 1}n Oracle Funcn = {f1, f2, …, f } 2n. 2n xt Value of the function at xt f R Funcn yt = f(xt) b= 0 PPT distinguisher D Value of the function at xt is yt KFuncn = {Fk1, …, Fk } 2n b D can adaptively asks its queries D allowed to ask polynomial number of queries

25 Indistinguishability Game for PRF
F: {0, 1}n x {0, 1}n  {0, 1}n Funcn = {f1, f2, …, f } 2n. 2n Value of the function at x1 PPT distinguisher D Value of the function at x1 is y1 b= 1 k R {0,1}n KFuncn = {Fk1, …, Fk } 2n b x1 y1= Fk(x1) Fk

26 Indistinguishability Game for PRF
F: {0, 1}n x {0, 1}n  {0, 1}n Funcn = {f1, f2, …, f } 2n. 2n Value of the function at xt PPT distinguisher D Value of the function at xt is yt b= 1 k R {0,1}n KFuncn = {Fk1, …, Fk } 2n b xt yt= Fk(xt) Fk D can adaptively asks its queries D allowed to ask polynomial number of queries

27 Modeling PRF as an Indistinguishability Game
F: {0, 1}n x {0, 1}n  {0, 1}n Funcn = {f1, f2, …, f } 2n. 2n ? ? PPT distinguisher D (x1, y1), (x2, y2),…, (xk, yk) KFuncn = {Fk1, …, Fk } 2n F is a PRF if for every PPT D there is an negl(n) | Pr [D (1n) = 1] f( ) | Pr [D (1n) = 1] Fk( ) -  negl(n) >> uniformly random k >> D‘s randomness >> uniform choice of f >> D’s randomness >> D not given k in the above game --- otherwise D can distinguish with high probability

28 Let’s Try to Construct a PRF
Consider the following keyed function F Input: x Output: k  x length-preserving For any x, uniformly random output (if k is uniformly random) F is no way a PRF F is a PRF xi Oracle yi = f(xi) Value of the function at x1 Value of the function at x2 b= 0 f R Funcn PPT distinguisher D (x1, y1), (x2, y2) Value of the function at x1 is y1 Value of the function at x2 is y2 k R {0,1}n b= 1 x1x2=y1 y2 x1x2y1 y2 xi yi= Fk(xi) 1 Pr [D (1n) = 1] Fk( ) Pr [D (1n) = 1] f( ) - | If D interacted with a random function If D interacted with a keyed Fk = 1 – 2-n Fk D outputs 1 with probability 1 D outputs 1 only if f(x2) = f(x1)  x1  x2 --- prob: 2-n

29 Do PRFs exist? No proof… But we strongly believe they do
Didn’t we just say we believe something is true but don’t have a proof? Yet another Assumption: PRFs exist. Later in the course………. PRFs exist CT 7 (for 1) ?? Goldreich-Goldwasser-Micali Because no good distinguisher PRGs exist Block Ciphers: DES, AES Far from practical Highly practical

30 Pseudo Random Permutation (PRP)
F: {0, 1}n x {0, 1}n  {0, 1}n Permn = {f1, f2, …, f } (2n)! ? ? PPT distinguisher D (x1, y1), (x2, y2),…, (xk, yk) KPermn = {Fk1, …, Fk } 2n Distinct pairs F is a PRF if for every PPT D there is an negl(n) | Pr [D (1n) = 1] f( ) | Pr [D (1n) = 1] Fk( ) -  negl(n) >> uniform choice of f >> D’s randomness >> uniformly random k >> D‘s randomness

31 TRF & TRP RA: No PPT distinguisher can tell apart between TRF & TRP. (use Birthday paradox KL A.4.)

32 | | - Strong PRP Pr [D (1n) = 1] Pr [D (1n) = 1]  negl(n)
F: {0, 1}n x {0, 1}n  {0, 1}n Permn = {f1, f2, …, f } (2n)! ? >> Any strong PRP is by default a PRP ? >> What about the converse ? PPT distinguisher D KPermn = {Fk1, …, Fk } 2n (x1, y1), (x2, y2),…, (xk, yk) (y1, x1), (y2, x2),…, (yk, xk) F is a PRF if for every PPT D there is an negl(n) | Pr [D (1n) = 1] Fk( ) , Fk-1( ) Pr [D (1n) = 1] f( ) , f-1( ) | -  negl(n) >> uniform choice of f >> D’s randomness >> uniformly random k >> D‘s randomness

33 Do PRPs/SPRPs exist? No proof… But we strongly believe they do
Yet another Assumption: PRPs/SPRPs exist. Later in the course………. PRPs/SPRPs exist Luby-Rackoff Because no good distinguisher PRFs exist Block Ciphers: DES, AES Far from practical Highly practical Efficiency of SPRPs based cpa-secure schemes are better than PRF-based ones

34

Download ppt "Cryptography Lecture 6 Arpita Patra © Arpita Patra."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 3 Arpita Patra.

Cryptography Lecture 3 Arpita Patra.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
IND-CPA and IND-CCA Concepts Summary  Basic Encryption Security Definition: IND-CPA  Strong Encryption Security Definition: IND-CCA  IND-CPA, IND-CCA.

IND-CPA and IND-CCA Concepts Summary  Basic Encryption Security Definition: IND-CPA  Strong Encryption Security Definition: IND-CCA  IND-CPA, IND-CCA.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Cryptography Lecture 4 Arpita Patra.

Cryptography Lecture 4 Arpita Patra.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.

Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.

Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Cryptography Lecture 8 Arpita Patra © Arpita Patra.

Cryptography Lecture 8 Arpita Patra © Arpita Patra.
Cryptography Lecture 9 Arpita Patra © Arpita Patra.

Cryptography Lecture 9 Arpita Patra © Arpita Patra.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Similar presentations

Ads by Google