cis 5371 cryptography
1
CIS 5371 Cryptography
3c. Pseudorandom Functions
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
2
Definition
3
Definition 3.23
• Let F be an efficient length preserving keyed function. F is a pseudorandom function if PPT distinguishers D, a negl function such that | where is chosen uniformly at random and f is chosen at random from the set of all functions mapping n-bit strings to n-bit strings.
4
A secure fixed length encryption scheme
[Figure labels: fresh random string r; pad; plaintext; XOR; ciphertext]
5
Existence of pseudorandom functions
• We cannot prove that pseudorandom functions exist!
• In practice there exist very efficient primitives called block ciphers that are widely believed to behave as pseudorandom functions.
6
CPA secure encryption using PRF
Protocol
Let be a pseudorandom function. Define a private-key encryption scheme for messages of length as follows:
• Gen: on input choose uniformly at random and output as key.
• Enc: on input a key and a message m, choose uniformly at random and output the ciphertext
• Dec: on input a key and a ciphertext output the plaintext
7
Theorem 3.25
Let be a pseudorandom function. Then protocol is a fixed-length private-key encryption scheme for messages of length n that has indistinguishable encryptions under CPA.
8
A secure fixed length encryption Proof
Then,
9
A secure fixed length encryption Proof
We have, .Let . Then = + . If is negligible then we should not be able to distinguish these. Otherwise a gap between them would make it possible to distinguish truly random from pseudorandom.
10
A secure fixed length encryption Reduction
[Figure: reduction diagram. Recoverable labels: Distinguisher D with oracle O; Adversary A with Protocol; A queries the encryption oracle to get encryptions of chosen plaintexts m; D chooses r uniformly at random, queries O, and answers with (r, s′ m); A outputs m0, m1; D chooses a random bit, queries O, and returns c_b; A repeats its encryption queries and outputs b′; D outputs 1 or 0.]
11
A secure fixed length encryption Proof
From, and we get that must be negligible. So is negligible.
12
A secure variable length encryption
The messages can be securely encrypted as .
13
Corollary 3.26
Let be a pseudorandom function. Then the scheme sketched in the previous slide is an arbitrary length private-key encryption scheme that has indistinguishable encryptions under CPA.
14
Pseudorandom permutations
one-to-one
• A efficient if there is a polynomial-time algorithm that will compute given and .
• A pseudorandom permutation is defined in a manner analogous to Definition 3.23, by replacing the term “function” by “permutation”.
15
Definition 3.28
Strong Pseudorandom permutations
• Let F be an efficient keyed permutation. We say that is a strong pseudorandom permutation if, PPT distinguishers D, a negl function such that | where is chosen uniformly at random and f is chosen at random from the set of all permutations on n-bit strings.
• The analogue for strong pseudorandom permutations are block ciphers.
16
Pseudorandom permutations: modes of operation
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Output Feedback (OFB)
4. Counter (CTR)
17
Pseudorandom permutations: Electronic Code Book (ECB)
[Figure: ECB mode diagram with inputs m1, m2, m3, three applications of F_k, and outputs c1, c2, c3.]
18
Pseudorandom permutations: Cipher Block Chaining (CBC)
[Figure: CBC mode diagram with an IV, inputs m1, m2, m3, three applications of F_k, and outputs c1, c2, c3.]
19
Pseudorandom permutations: Output Feedback (OFB)
[Figure: OFB mode diagram with an IV, three applications of F_k, inputs m1, m2, m3, and outputs c1, c2, c3.]
20
Pseudorandom permutations: Counter mode (CTR)
[Figure: CTR mode diagram with counter ctr, F_k applied to ctr+1, ctr+2, ctr+3, inputs m1, m2, m3, and outputs c1, c2, c3.]
21
Pseudorandom permutations: modes of operation
Electronic Code Book (ECB)
Encryption is deterministic: no CPA-security.
Worse: ECB-mode does not have indistinguishable encryptions in the presence of an eavesdropper.
22
Pseudorandom permutations: modes of operation
Cipher Block Chaining (CBC).
Encryption is probabilistic: it can be shown that we get CPA-security if is a pseudorandom permutation.
Drawback: encryption is sequential.
23
Pseudorandom permutations: modes of operation
Output Feedback (OFB), .
Encryption is probabilistic: it can be shown that we get CPA-security if is a pseudorandom permutation.
Drawback: both encryption and decryption are sequential.
24
Pseudorandom permutations: modes of operation
Counter (CTR) -- randomized counter mode, ,
Encryption is probabilistic: it can be shown that we get CPA-security if is a pseudorandom function.
Both encryption and decryption can be fully parallelized.
We do not require that is a permutation (that is, it need not be invertible).
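Randomized counter mode as an added Python sketch (not code from the slides or the textbook), showing that only forward evaluations of F are needed and that each block can be processed on its own. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for F, the per-block rule is c_i = F_k(ctr + i) XOR m_i as in the ctr+1, ctr+2, ctr+3 diagram, a final partial block is allowed, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

N = 16  # block length in bytes (assumed; the slides leave n abstract)


def F(key: bytes, x: int) -> bytes:
    """Stand-in PRF: HMAC-SHA256 truncated to N bytes. It is not invertible."""
    block = (x % (1 << (8 * N))).to_bytes(N, "big")  # ctr + i wraps modulo 2^n
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so a short last block uses a short pad
    return bytes(p ^ q for p, q in zip(a, b))


def split(data: bytes):
    return [data[i:i + N] for i in range(0, len(data), N)]


def ctr_encrypt(key: bytes, m: bytes):
    """Return (ctr, [c_1, c_2, ...]) with c_i = F_k(ctr + i) XOR m_i."""
    ctr = secrets.randbits(8 * N)  # fresh random starting counter per message
    return ctr, [xor(F(key, ctr + i), b) for i, b in enumerate(split(m), 1)]


def ctr_decrypt_block(key: bytes, ctr: int, i: int, c_i: bytes) -> bytes:
    """Recover block i alone; no other block and no inverse of F is needed."""
    return xor(F(key, ctr + i), c_i)


def ctr_decrypt(key: bytes, ctr: int, blocks) -> bytes:
    return b"".join(ctr_decrypt_block(key, ctr, i, c)
                    for i, c in enumerate(blocks, 1))
```

Because every pad block depends only on the key, ctr and the index i, the list comprehension in `ctr_encrypt` could be evaluated in any order or in parallel.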
25
Chosen Ciphertext Attacks (CCA)
In a CCA the adversary not only can encrypt messages of his choice (CPA) but also can decrypt ciphertexts of his choice (with one exception).
Formally this is captured by giving the adversary access to a decryption oracle (as well as the encryption oracle).
Let be a private-key encryption scheme, an adversary and the value of the security parameter.
26
CCA indistinguishability experiment
3. A 4. The adversary
on the challenge ciphertext itself. Eventually
27
Indistinguishable encryptions under CCA -- Definition
A private-key encryption scheme has indistinguishable encryptions under CCA if ∀ PPT adversaries ,
=1] where the probability is taken over the coins used in the experiment.
28
Insecurity of the encryption schemes that we have studied
1. All the earlier discussed private-key encryption schemes are not CCA-secure
2. Example. Let and , to get the ciphertext . The adversary flips the first bit of and asks for the decryption. He gets either () or (.
3. A similar type of chosen ciphertext attack applies to all the others.
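The fixed-length scheme from the "CPA secure encryption using PRF" slide and the bit flip from the example above, as an added Python sketch (not code from the slides or the textbook). Assumptions: the ciphertext is the pair (r, F_k(r) XOR m) as in the fresh-random-string/pad/XOR diagram, HMAC-SHA256 stands in for F, the flipped bit is the first bit of the second component, and the function names and test messages are constructed for illustration.

```python
import hashlib
import hmac
import secrets

N = 32  # block length in bytes, fixed by the HMAC-SHA256 stand-in


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for F_k(x): HMAC-SHA256 (an assumption, not the slides' F)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def gen() -> bytes:
    """Gen: choose the key uniformly at random."""
    return secrets.token_bytes(N)


def enc(key: bytes, m: bytes):
    """Enc: pick a fresh random r and output (r, F_k(r) XOR m)."""
    if len(m) != N:
        raise ValueError("fixed-length scheme: message must be N bytes")
    r = secrets.token_bytes(N)
    return r, xor(prf(key, r), m)


def dec(key: bytes, c) -> bytes:
    """Dec: recompute the pad from r and strip it off."""
    r, s = c
    return xor(prf(key, r), s)


def flip_first_bit(c):
    """Modify a ciphertext by flipping the first bit of its second component."""
    r, s = c
    return r, bytes([s[0] ^ 0x80]) + s[1:]


def tamper_demo(key: bytes, m: bytes) -> bytes:
    """Decrypt a modified ciphertext; nothing in dec() detects the change."""
    return dec(key, flip_first_bit(enc(key, m)))
```

The modified ciphertext decrypts without error to the original message with its first bit flipped, so the answer from the decryption oracle reveals which message was encrypted.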