Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 6 Arpita Patra © Arpita Patra.

Published byMarcia Jennings Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 6 Arpita Patra © Arpita Patra."— Presentation transcript:

1 Cryptography Lecture 6 Arpita Patra © Arpita Patra

2 Recall o Security definitions (ind-coa/sem-coa) o Pseudorandom Generators (PRGs), non-trivial to construct, no secure PRG in the face of an unbounded powerful adversary o A scheme based on PRG o Reduction based proof overview, proof of our scheme >> Computational security o Mult-coa definition o Stronger than coa and needs randomized encryption scheme >> More stronger definition

3 Today’s Goal o Pseudo-random Functions -Introduction to cpa attack and cpa security -Look for assumption needed to construct a scheme o Definition -Construction based on PRF o Non-trivial to construct o Pseudo-random Permutation (Strong/weak variant)

4 Security for SKE with COA to CPA -Randomized -PPT -COA Given the knowledge of two messages (vector of messages), it cannot be distinguished if the ciphertext corresponds to the first or second message (message vector). -Randomized -PPT -CPA Given the knowledge of two messages (vector of messages), it cannot be distinguished if the ciphertext corresponds to the first or second message (message vector).

5 Chosen-Plaintext Attacks (CPA) k k ?? Enc m c = Enc k (m) (m 1, c 1 ), (m 2, c 2 ), …, (m t, c t ): c i = Enc k (m i ) >> Adversary influences the honest parties to encrypt messages (using the same key) of its choice m1m1 c1c1 m2m2 c2c2 mtmt ctct >> Adv’s Goal: to determine the plaintext encrypted in a new cipher-text Encryption Oracle Is CPA is mountable only against a moron???

6 CPA M. Luby: Pseudorandomness and Cryptographic Applications; Princeton University Press, 1996 Mihir Bellare, Anand Desai, E. Jokipii, Phillip Rogaway: A Concrete Security Treatment of Symmetric Encryption. FOCS,1997.FOCS,1997.

7 Is CPA Realistic ?  How can an attacker influence parties to encrypt messages of its choice (using the same key) ?  Consider a secure hardware with secret-key embedded >> Often used in military applications  An insider may have access to the hardware (not the key) >> Can choose messages of its choice and get their encryptions

8 CPA shortened WWII by 2-3 Years  Break of German codes by British during WW II Loc 1 Loc 2 Loc 3 Enc k (Loc 1 ) Enc k (Loc 2 ) Enc k (Loc 3 )  Trivia: Who played a key role in this cryptanalysis process At Bletchley Park Axis Power Allied Power

9 CPA Indistinguishability Experiment  = (Gen, Enc, Dec), M, n Gen(1 n ) k PrivK (n) A,  cpa Query: Plain-text Response: Ciphertext Training Phase: >> A is given oracle access to Enc k () >> A adaptively submits its query (free to submit m 0, m 1 ) and receives their encryption I can break  Let me verify PPT Attacker A

10 CPA Indistinguishability Experiment Gen(1 n ) k PrivK (n) A,  cpa Challenge Phase: Training Phase >> A submits two equal length challenge plaintexts >> A is free to submit any message of its choice (including the ones already queried during the training phase) >> One of the challenge plaintexts is randomly encrypted for A (using fresh randomness) m 0, m 1  M, |m 0 | = |m 1 | b  {0, 1} c  Enc k (m b ) I can break  Let me verify PPT Attacker A  = (Gen, Enc, Dec), M, n

11 CPA Indistinguishability Experiment I can break  Let me verify Gen(1 n ) k PrivK (n) A,  cpa PPT Attacker A Post-challenge Training Phase: Training Phase b  {0, 1} c  Enc k (m b ) >> A is given oracle access to Enc k () >> A adaptively submits its query (possibly including m 0, m 1 ) and receives their encryption Query: Plain-text Response: Ciphertext m 0, m 1  M, |m 0 | = |m 1 |  = (Gen, Enc, Dec), M, n

12 CPA Indistinguishability Experiment I can break  Let me verify Gen(1 n ) k PrivK (n) A,  cpa PPT Attacker A Response Phase: Training Phase b  {0, 1} c  Enc k (m b ) Post-challenge Training  A finally submits its guess regarding encrypted challenge plain-text  A wins the experiment if its guess is correct b’  {0, 1} Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost m 0, m 1  M, |m 0 | = |m 1 |  = (Gen, Enc, Dec), M, n

13 CPA Security I can break  Let me verify Gen(1 n ) k PrivK (n) A,  cpa PPT Attacker A Training Phase b  {0, 1} c  Enc k (m b ) Post-challenge Training b’  {0, 1} Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost ½ + negl(n) Pr PrivK (n) A,  cpa = 1   is CPA-secure if for every PPT A, there is a negligible function negl, such that: m 0, m 1  M, |m 0 | = |m 1 |  = (Gen, Enc, Dec), M, n Why it is stronger than multi-coa?

14 CPA Security for Multiple Encryptions I can break  Let me verify Gen(1 n ) k PrivK (n) A,  cpa-mult PPT Attacker A Training Phase b  {0, 1} Post-challenge Training b’  {0, 1} Game Output b = b’ 1 --- attacker won b  b’ 0 --- attacker lost (freedom to choose any pair) M 0 = (m 0,1, …, m 0, t )  M 1 = (m 1,1, …, m 1, t )  c 1  Enc k (m b,1 ) c t  Enc k (m b, t ),…, ½ + negl(n) Pr PrivK (n) A,  cpa-mult = 1   is CPA-secure for multiple encryptions if for every PPT A, there is a negligible function negl, such that:  = (Gen, Enc, Dec), M, n

15 CPA Multiple-message vs Single-message Security  Experiment is a special case of PrivK (n) A,  cpa PrivK (n) A,  cpa-mult  Set |M 0 | = |M 1 | = 1   Any cipher that is CPA-secure for multiple encryptions is also CPA- secure (for single encryption)  What about the converse ? Converse was not true in the case of coa-security Theorem: Any cipher that is CPA-secure is also CPA-secure for multiple encryptions  Sufficient to prove CPA-security for single encryption; rest is “for free”

16 CPA-security Guarantee in Practice  Ensures security against CPA even if multiple messages are encrypted using a single key and communicated >> Even if the adversary knows that the encrypted messages belong to one of the two possible “classes” >> Even if the adversary has seen encryptions of the messages in those classes in the past  Very good security guarantees >> The least we should expect from a SKE

17 Search for Assumptions of cpa-Secure Scheme x 1 = 00000…0 y 1  R {0,1} n x 2 = 00000…1 … x 2 n = 11111… 1 y 2 n  R {0,1} n y 2  R {0,1} n … x 1 = 00000…0 y 1  R {0,1} n x 2 = 00000…1 … x 2 n = 11111… 1 y 2 n  R {0,1} n y 2  R {0,1} n … f: {0,1} n  {0, 1} n Enc m yiyi c = (x i, m  y i ) ?? Pad y i is truly random >> Instances of OTP >> Problem with the above solution --- size of f is n2 n bits  Encryption procedure cannot be deterministic. Can u find an attack? >> Need “fresh” randomness for each run of Enc. Results different ciphertexts for the same message >> At the same time want to use a “single key”.  Encryption procedure MUST be randomized

18 Assumptions for cpa-secure SKEs Pseudorandom Functions (PRF) that “look” like TRF but actually not!! O. Goldreich, S. Goldwasser and S. Micali. How to Construct Random Functions. JACM, 33(4), 792-807, 1986

19 - It’s a property of a probability distribution on a set Pseudorandomness Func n = { Set of all functions f: {0,1} n  {0, 1} n } G: a prob. Dist. = { Set of probabilities } U: Uniform probability Distribution G is pseudorandom if a function drawn according to G is indistinguishable from a function drawn according to U to a PPT distinguisher who can make PPT no. of queries y Give me output for x Sampler for G and U We are NOT interested in ANY pseudo-random dist. on Func n A function drawn according to U is called truly random function

20 Func n & Uniform Distribution & TRF Func n = { Set of all functions f: {0,1} n  {0, 1} n } |Func n | = x 1 = 00000…0 x 2 = 00000…1 … x 2 n = 11111… 1 2 n possibilities 2 n. 2 n n2 n = {f 1, f 2, …, f } 2 n. 2 n U = { 1/,1/, …, 1/ } 2 n. 2 n  Truly Random Function (TRF): chosen according to U >> Output behavior is completely unpredictable >> Every string of length n is a possible image with equal probability

21 Pseudorandom Functions (PRF) > PRF- A function chosen from Func n according to some distribution different from U - yet, its output behavior “looks like” a TRF - must be efficiently computable - Function specification must be concise (poly size) o Definitely not by truth table which will be of size n2 n o The sender & the receiver needs to agree on the function > keyed functions f k (.): {0,1} n  {0, 1} n Func n : { Set of all functions f: {0,1} n  {0, 1} n } KFunc n Func n KFunc n :{ Set of all KEYED functions f k : {0,1} n  {0, 1} n } |Func n | = 2 n. 2 n |KFunc n | = 2n2n TRF: A function chosen uniformly at random from F n PRF: A function chosen uniformly at random from KFunc n and “behaves” like a TRF

22 A possible Definition of PRF in PRG style  Give F (table) either uniformly sampled from Func n or from KFunc n to PPT distinguisher D and ask if it is a TRF or PRF. >> If D cannot tell apart the “behavior” of the function F k (for a uniformly random k) from a truly random function f: {0,1} n  {0,1} n, then we say f is a PRF. >> Does it work? >> No, since the description of the function is of exponential size >> Instead we give D oracle access to either a TRF or a PRF and ask “tell us who are you interacting with?”

23 Indistinguishability Game for PRF PPT distinguisher D Value of the function at x 1 x1x1 b= 0 y 1 = f(x 1 ) Oracle Func n = {f 1, f 2, …, f } 2 n. 2 n Value of the function at x 1 is y 1 f  R Func n F: {0, 1} n x {0, 1} n  {0, 1} n KFunc n = {F k 1, …, F k } 2n2n b

24 Indistinguishability Game for PRF PPT distinguisher D Value of the function at x t xtxt b= 0 y t = f(x t ) Oracle Func n = {f 1, f 2, …, f } 2 n. 2 n Value of the function at x t is y t f  R Func n F: {0, 1} n x {0, 1} n  {0, 1} n KFunc n = {F k 1, …, F k } 2n2n b D can adaptively asks its queries D allowed to ask polynomial number of queries

25 Indistinguishability Game for PRF PPT distinguisher D Value of the function at x 1 Func n = {f 1, f 2, …, f } 2 n. 2 n Value of the function at x 1 is y 1 F: {0, 1} n x {0, 1} n  {0, 1} n KFunc n = {F k 1, …, F k } 2n2n b b= 1 k  R {0,1} n y 1 = F k (x 1 ) FkFk x1x1

26 Indistinguishability Game for PRF PPT distinguisher D Value of the function at x t Func n = {f 1, f 2, …, f } 2 n. 2 n Value of the function at x t is y t F: {0, 1} n x {0, 1} n  {0, 1} n KFunc n = {F k 1, …, F k } 2n2n b b= 1 k  R {0,1} n y t = F k (x t ) FkFk xtxt D can adaptively asks its queries D allowed to ask polynomial number of queries

27 Modeling PRF as an Indistinguishability Game PPT distinguisher D Func n = {f 1, f 2, …, f } 2 n. 2 n F: {0, 1} n x {0, 1} n  {0, 1} n F is a PRF if for every PPT D there is an negl(n) (x 1, y 1 ), (x 2, y 2 ),…, (x k, y k ) ? ?  negl(n) Pr [D (1 n ) = 1] F k ( ) >> uniformly random k >> D‘s randomness Pr [D (1 n ) = 1] f( ) >> uniform choice of f >> D’s randomness - || >> D not given k in the above game--- otherwise D can distinguish with high probability = {F k 1, …, F k } 2n2n KFunc n

28 Let’s Try to Construct a PRF Consider the following keyed function F Input: x Output: k  x length-preserving For any x, uniformly random output (if k is uniformly random) F is a PRF PPT distinguisher D Value of the function at x 1 Value of the function at x 1 is y 1 Value of the function at x 2 Value of the function at x 2 is y 2 b= 1 k  R {0,1} n y i = F k (x i ) FkFk xixi xixi b= 0 y i = f(x i ) Oracle f  R Func n (x 1, y 1 ), (x 2, y 2 ) x 1  x 2 =y 1  y 2 x 1  x 2  y 1  y 2 1 0  If D interacted with a keyed F k  D outputs 1 with probability 1  If D interacted with a random function  D outputs 1 only if f(x 2 ) = f(x 1 )  x 1  x 2 --- prob: 2 -n Pr [D (1 n ) = 1] F k ( ) Pr [D (1 n ) = 1] f( ) - || = 1 – 2 -n F is no way a PRF

29 Do PRFs exist? No proof… But we strongly believe they do Didn’t we just say we believe something is true but don’t have a proof? Yet another Assumption: PRFs exist. PRFs exist PRGs exist Goldreich-Goldwasser-Micali Block Ciphers: DES, AES Because no good distinguisher Highly practical Far from practical Later in the course………. CT 7 (for 1) ??

30 Pseudo Random Permutation (PRP) PPT distinguisher D F: {0, 1} n x {0, 1} n  {0, 1} n (x 1, y 1 ), (x 2, y 2 ),…, (x k, y k ) ? ? Distinct pairs Perm n = {f 1, f 2, …, f } (2 n )! KPerm n = {F k 1, …, F k } 2n2n F is a PRF if for every PPT D there is an negl(n)  negl(n) Pr [D (1 n ) = 1] F k ( ) >> uniformly random k >> D‘s randomness Pr [D (1 n ) = 1] f( ) >> uniform choice of f >> D’s randomness - ||

31 TRF & TRP CT 8 (for 2): No PPT distinguisher can tell apart between TRF & TRP. (use Birthday paradox KL A.4.)

32 PPT distinguisher D Perm n = {f 1, f 2, …, f } (2 n )! F: {0, 1} n x {0, 1} n  {0, 1} n (x 1, y 1 ), (x 2, y 2 ),…, (x k, y k ) ? ?  negl(n) Pr [D (1 n ) = 1] F k ( ) - || (y 1, x 1 ), (y 2, x 2 ),…, (y k, x k ), F k -1 ( ) Pr [D (1 n ) = 1] f( ), f -1 ( ) Strong PRP >> Any strong PRP is by default a PRP >> What about the converse ? = {F k 1, …, F k } 2n2n F is a PRF if for every PPT D there is an negl(n) >> uniformly random k >> D‘s randomness >> uniform choice of f >> D’s randomness KPerm n

33 Do PRPs/SPRPs exist? No proof… But we strongly believe they do Yet another Assumption: PRPs/SPRPs exist. PRPs/SPRPs exist PRFs exist Luby-Rackoff Block Ciphers: DES, AES Because no good distinguisher Highly practical Far from practical Later in the course………. Efficiency of SPRPs based cpa-secure schemes are better than PRF-based ones

34

Download ppt "Cryptography Lecture 6 Arpita Patra © Arpita Patra."

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Cryptography Lecture 9 Arpita Patra.

Cryptography Lecture 9 Arpita Patra.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Princeton University COS 433 Cryptography Fall 2007 Boaz Barak COS 433: Cryptography Princeton University Fall 2007 Boaz Barak Lectures 1-6: Short Recap.

Princeton University COS 433 Cryptography Fall 2007 Boaz Barak COS 433: Cryptography Princeton University Fall 2007 Boaz Barak Lectures 1-6: Short Recap.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer: Moni Naor Announce home )deadline.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Cryptography Lecture 8 Stefan Dziembowski

Cryptography Lecture 8 Stefan Dziembowski
Cryptography Lecture 3 Arpita Patra.

Cryptography Lecture 3 Arpita Patra.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.

CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

Similar presentations

Ads by Google