Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Published byAntonia Shields Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive."— Presentation transcript:

1 Cryptography Lecture 2 Arpita Patra

2 Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive. Syntax: (Gen, Enc, Dec), M >> Definition of SKE: Key components: threat (who?) and break (what?) >> Threat: Common:- (bounded with negl success probability; randomized) to all Computational security definitions; will vary attack model: Ciphertext-only (CO) Attck. >> Break: No partial info about the message is leaked from the ciphertext irrespective of what external information adv has (except with negl. probability) >> the very basic definition of CO-Security both in IND and SIM style that are equivalent >> PRG as a tool to build SKE with CO-security. IND-based definition for PRG. >> Zoo/ Mammoth and felt the subject’s vastness against our negligible knowledge >> Three fundamental principles of Modern Crypto – Formal Definitions, Well-studied Assumptions, Sound Proofs

3 Today’s Roadmap >> Construction based on PRG >> Overview of Proof by reduction >> Proof of PRG-based SKE: IND style CO-security >> Extension of CO-security to CO-MULT-security >> PRG-based scheme is insecure; hunt for new scheme (assignment problem) >> Chosen Plaintext Attack (CPA), CPA Security >> Is it practical? >> A construction for CPA-secure scheme

4 IND: Ciphertext Only Security  = (Gen, Enc, Dec), I can break  Let me verify m 0, m 1 , |m 0 |=|m 1 | (freedom to choose any pair) Gen(1 n ) k b  {0, 1} c  Enc k (m b ) b’  {0, 1} (Attacker’s guess about encrypted message) b = b’ 1 --- attacker won b  b’ 0 --- attacker lost Eavesdropping indistinguishability experiment PrivK (n) A,  co  has indistinguishable encryptions in the presence of an eavesdropper or is co-secure if for every PPT attacker A, there is a negligible function negl(n) such that Run time: Poly(n) Attacker A ½ + negl(n) Pr PrivK (n) A,  co = 1  Probability is taken over the randomness used by A and the challenger Common Feature: Experiment- a game between a challenger and an adversary Challenger PrivK (n) A,  co

5 SEM: Ciphertext Only Security Two worlds: In one adv gets ciphertext and in another it does not. If the difference between probabilities of guessing f(x) in the both worlds are negligibly apart, then semantic security is achieved. k Enc m Gen(1 n ) c  Enc k (m) h(m) guess about f(m)  = (Gen, Enc, Dec) is semantically-secure in the presence of a eavesdropper if for every PPT A there exists a A’ such that for any Samp and PPT functions f and h: Pr [ A’(1 n,|m|,h(m) =f(m)] -||  negl(n) h(m) guess about f(m) |m| Pr [ A(1 n,c,h(m) =f(m)] Probability taken over >> uniform k, >> m output by Samp(1 n ), >> the randomness of A and >> the randomness of Enc A A’ Probability taken over >> m output by Samp(1 n ) and >> the randomness of A’

6 PRG Security PPT distinguisher D s  R {0,1} n A string of length l (n) please U : uniform distribution over {0,1} l (n) A random string of length l (n) plz b= 0 y  R {0,1} l (n) b= 1 y: = G(s) G Oracle y How I selected it ? G is a PRG if for every PPT D, there is a negligible function negl Pr [D(r) = 1]Pr [D(G(s)) = 1] - ||  negl(n) r  R {0,1} l (n) s  R {0,1} n Probability taken over >> Random Choice of r >> the randomness of D Probability taken over >> Random Choice of s >> the randomness of D G: Probability distribution over {G(s): s  R {0,1} n } Challenger

7 Existence of PRG Do PRG exists ? OWF + hardcore bit  PRG  Provably secure Several practical PRGs (Stream Ciphers)  No good distinguishers found till now  High practical efficiency compared to provably- secure PRGs

8 Secure Communication using PRG Sender and receiver share a (short) PRG key   Pseudo-random pad instead of a truly random pad Plain-text Cipher-text PRG Pad

9 SKE from PRG Let G be a PRG with expansion factor l (n) We design a cipher for encrypting messages of length l (n) The scheme is fixed-length encryption >> Gen:  Input: security parameter n  Output: key k  R {0,1} n >> Enc:  Input: secret key k; plain-text m  {0,1} l (n)  Output: cipher-text c:= G(k)  m Deterministic encryption >> Dec:  Input: secret key k; cipher-text c  {0,1} l (n)  Output: plain-text m:= G(k)  c

10 Proof by Reduction The probability that PPT attacker for  breaks security is f(n)/P(n) PPT attacker against  An instance of  PPT attacker against  ’ I can break  ’ non- negligible probability f(n) Simulation of an instance of  ’ Do not know the internal details of This is indeed an instance of  “break” with probability f(n) Solution with probability 1/P(n) --- Non-negligible This entire process is a mental exercise!! Case1: If  is secure then  ’ is secureCase3: If A1 holds then A2 holds Case4: If  is secure then A holds Case2: If A holds then  is secure Proof by Contradiction/contrapositive

11 Security of the PRG-based SKE Theorem: If G is a PRG, then  is a fixed-length CO-secure SKE. Proof: On the white broad.

12 Security for Multiple Encryptions  Till now we considered an eavesdropper monitoring a single ciphertext  Desirable (in practice):  Several messages encrypted using a single key  A PPT eavesdropper observes all the ciphertexts  Not captured in previous SEM/IND CO-security definition.  Require a new definition  Semantic Paradigm: No PPT eavesdropper can non-negligibly compute any polynomial function of the underlying plain-texts by looking at the ciphertexts  IND Paradigm: Even though Adv knows the two sets of ciphertexts encrypted in the ciphertext, he cannot decide which set is encrypted.

13 Multiple-message Ciphertext Only Security  = (Gen, Enc, Dec), I can break  Let me verify (freedom to choose any pair) Gen(1 n ) k b  {0, 1} c 1  Enc k (m b,1 ) b’  {0, 1} (Attacker’s guess about encrypted vector) Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost PrivK (n) A,  co-mult  has indistinguishable multiple encryptions in the presence of an eavesdropper or is CO- MULT-secure if for every PPT attacker A taking part in the above experiment, the probability that A wins the experiment is at most negligibly better than ½ Run time: Poly(n) Attacker A ½ + negl(n) Pr PrivK (n) A,  co-mult = 1  i.e. M 0 = (m 0,1, …, m 0, t )  M 1 = (m 1,1, …, m 1, t )  c t  Enc k (m b, t ),…,

14 Relation between Multiple-message and Single-message Security  Experiment is a special case of PrivK (n) A,  co PrivK (n) A,  co-mult  is the same as with |M 0 | = |M 1 | = 1 PrivK (n) A,  co PrivK (n) A,  co-mult    Any cipher which has indistinguishable multiple encryptions has also indistinguishable encryptions  What about the converse ?  Not necessarily

15 Multiple-message Security is Stronger than Single-message Security Let me verify Gen(1 n ) k b  {0, 1} c 1 := hello  k b’ = 0 if c 1 = c 2 Attacker A M 0 = (hello, hello)  M 0 = (hello, world)  c 2 := hello  k If b = 0 c 1 := hello  k c 2 := world  k If b = 1 b’ = 1 if c 1  c 2  Why the above attack is possible ? Pr PrivK (n) A, OTP co-mult = 1  OTP is deterministic: encrypting m twice using same key yields the same ciphertext  The above attack can be mounted on any cipher whose Enc algorithm is deterministic Thm: If  is a cipher whose Enc algorithm is a deterministic function of the key and the plain-text then  cannot have indistinguishable multiple encryptions in the presence of an eavesdropper Time to Go for Randomization of Encryption Way to bypass the negative result: Statefullness

16

Download ppt "Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive."

Similar presentations

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Cryptography Lecture 1 Arpita Patra.

Cryptography Lecture 1 Arpita Patra.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011

Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 3 Arpita Patra.

Cryptography Lecture 3 Arpita Patra.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
Cryptography Lecture 4 Arpita Patra.

Cryptography Lecture 4 Arpita Patra.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.

Cryptography Lecture 2 Arpita Patra. Recall >> Crypto: Past and Present (aka Classical vs. Modern Cryto) o Scope o Scientific Basis (Formal Def. + Precise.
Secure Computation (Lecture 9-10) Arpita Patra. Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security---

Secure Computation (Lecture 9-10) Arpita Patra. Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security---

Similar presentations

Ads by Google