1. Cryptography
Lecture 7

2. Computational indistinguishability (EAV-security)
Fix a scheme  and some adversary A
Define a randomized exp’t PrivKA,(n):
A(1n) outputs m0, m1  {0,1}* of equal length
k  Gen(1n), b  {0,1}, c  Enck(mb)
b’  A(c)
Adversary A succeeds if b = b’, and we say the experiment evaluates to 1 in this case

3. Computational indistinguishability (EAV-security)
 is EAV-secure if for all PPT attackers A, there is a negligible function  such that Pr[PrivKA,(n) = 1] ≤ ½ + (n)

4. Clicker quiz
Consider encryption scheme  that encrypts a 2n-bit message using an n-bit key via Enck(ma | mb) = kma | kmb . Which of the following could be the start of a proof that  is not EAV-secure?
Consider an attacker A who outputs m0 = 0n0n and m1 = 1n1n…
Consider an attacker A who outputs m0 = 0n0n and m1 = 0n1n…
Consider an attacker A who outputs m0 = 0n1n and m1 = 1n0n…
 is EAV-secure, since it uses the one-time pad

5. Multiple-message security
Fix , A
Define a randomized exp’t PrivKmultA,(n):
A(1n) outputs two vectors (m0,1, …, m0,t) and (m1,1, …, m1,t)
Require that |m0,i| = |m1,i| for all i
k  Gen(1n), b  {0,1}, for all i: ci  Enck(mb,i)
b’  A(c1, …, ct); A succeeds if b = b’, and experiment evaluates to 1 in this case

6. A formal definition
 is multiple-message indistinguishable if for all PPT attackers A, there is a negligible function  such that Pr[PrivKmultA,(n) = 1] ≤ ½ + (n)
Exercise: show that the pseudo-OTP is not multiple-message indistinguishable

7. Multiple-message secrecy
No encryption scheme is multiple-message indistinguishable!
Proof?
What assumption did we make?
No deterministic (and stateless) encryption scheme is multiple-message indistinguishable
Need to consider randomized schemes!

8. Randomized encryption
The issue is not an artifact of our definition
It really is a problem if an attacker can tell when the same message is encrypted twice

9. Multiple-message secrecy
We are not going to work with multiple-message indistinguishability
Instead, define something stronger: security against chosen-plaintext attacks (CPA-security)
Nowadays, this is the minimal notion of security an encryption scheme should satisfy

10. CPA-security c c2 c1 k k m c  Enck(m) c1  Enck(m1) m2 m1

11. Is the threat model too strong?
In practice, there are many ways an attacker can influence what gets encrypted
Not clear how best to model this
Chosen-plaintext attacks encompass any such influence
In some cases an attacker may have complete control over what gets encrypted

12. “Midway” AF is out of water… Will attack AF … Help! Fresh water needed
Midway Island
For more details, see:

13. CPA-security Fix , A Define a randomized exp’t PrivKCPAA,(n):
k  Gen(1n)
A(1n) interacts with an encryption oracle Enck(·), and then outputs m0, m1 of the same length
b  {0,1}, c  Enck(mb), give c to A
A can continue to interact with Enck(·)
A outputs b’; A succeeds if b = b’, and experiment evaluates to 1 in this case

14. CPA-security
 is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function  such that Pr[PrivKCPAA,(n) = 1] ≤ ½ + (n)

15. Relation with previous def’n?
CPA-security is stronger than multiple-message indistingiushability
I.e., if  is CPA-secure then it is also multiple-message indistinguishable
Corollary: no deterministic encryption scheme can be CPA-secure

16. Pseudorandom functions

17. Random function When we talk about a random function f, we mean
Choosing f uniformly at random (and then fixing it)
Interacting with f
In particular, once we choose f there is no more randomness involved
In particular, if we query f on the same input twice, we get the same result

18. Choosing a uniform function
Funcn = all functions mapping {0,1}n to {0,1}n
How big is Funcn ?
Can represent a function in Funcn using n · 2n bits
|Funcn| = 2n·2n
000
001
010
011
100
101
110
111
010
100
111
001
000
# of entries: 23 = 8

19. Clicker quiz How many functions are there mapping {0,1}n to {0,1}m?
m · 2n
2n·2m
m · 2n·2n
2m·2n

20. Choosing a uniform function
Choose uniform f  Funcn
Equivalent: for each x  {0,1}n, choose f(x) uniformly in {0,1}n
I.e., fill up the function table with uniform values
Can also view this as being done “on-the-fly,” as values are needed

21. Pseudorandom functions
Informally, a pseudorandom function “looks like” a random (i.e., uniform) function

22. Pseudorandom functions
Informally, a pseudorandom function “looks like” a random function
As in our discussion of PRGs, it does not make sense to talk about any fixed function being pseudorandom
We look instead at functions chosen according to some distribution
In particular, we look instead at keyed functions

23. Keyed functions
Let F: {0,1}* x {0,1}*  {0,1}* be an efficient, deterministic algorithm
Define Fk(x) = F(k, x)
The first input is called the key
Assume F is length preserving: F(k, x) only defined if |k|=|x|, in which case |F(k, x)| = |k| = |x|
Choosing a uniform k  {0,1}n is equivalent to choosing the function Fk : {0,1}n  {0,1}n
The algorithm F defines a distribution over functions in Funcn!

24. Note {Fk}k{0,1}n is a subset of Funcn
The number of functions in Funcn is 2n·2n
{Fk}k{0,1}n is a subset of Funcn
The number of functions in {Fk}k{0,1}n is at most 2n
This is only a tiny fraction of Funcn!

25. Pseudorandom functions (PRFs)
F is a pseudorandom function if Fk, for uniform key k  {0,1}n, is indistinguishable from a uniform function f  Funcn
Formally, for all poly-time distinguishers D: | Prk{0,1}n[DFk(·) = 1] - PrfFuncn[Df(·) = 1] | ≤ ε(n)

26. ?? f … Fk … x1 f  Funcn chosen uniformly at random World 0 f(x1) xt
f(xt) ??
World 1
k  {0,1}n chosen uniformly at random Fk x1
Fk(x1) … xt
Fk(xt)
(poly-time)

27. Examples (insecure)
F(k, x) = 0n
F(k, x) = k
F(k, x) = k  x