foundations of cryptography lecture 13 lecturer: moni naor
TRANSCRIPT
Foundations of Cryptography
Lecture 13
Lecturer: Moni Naor
Recap of Lecture 12
• Pseudo-Random Permutations• Feistal Permutations• Proof of the construction• Semantic Security and Indistinguishability of
encryptions
To specify security of encryption
• The power of the adversary – computational
• Probabilistic polynomial time machine (PPTM)– access to the system
• Can it change the messages?
• What constitute a failure of the system – what it means to break the system.– Reading a message– Forging a message?
What is a public-key encryption scheme
• Allows Alice to publish a public key KP while keeping hidden a secret key KS Key generation: a method G:{0,1}* {0,1}* x {0,1}* that
outputs KP (Public) and KS (secret)• ``Anyone” who is given KP and m can encrypt it
Encryption: a method E:{0,1}* x {0,1}* x {0,1}* {0,1}*
that takes a public key KP a message (plaintext) m and random coins and output an encrypted message ciphertext
• Given a ciphertext and the secret key it possible to decrypt itDecryption: a method
D:{0,1}* x {0,1}* x {0,1}* {0,1}* that takes a secret key KS, a public key KP and a ciphertext c and
output a plaintext m. In general D(KS, KP, E(KP, m, r)) = m
Computational Security of EncryptionIndistinguishability of Encryptions
Indistinguishability of encrypted strings:• Adversary A chooses X0 , X1 0,1n
• receives encryption of Xb for bR0,1• has to decide whether b 0 or b 1.
For every pptm A, choosing a pair X0 , X1 0,1n PrA ‘1’ b 1 - PrA ‘1’ b 0 is negligible.
Probability is over the choice of keys, randomization in the encryption and A‘s coins.
In other words: encryptions of X0 , X1 are indistinguishable
Quantification over the choice of X0 , X1 0,1n
Computational Security of EncryptionSemantic Security
Whatever Adversary A can compute on encrypted string X 0,1n so can A’ that does not see the encryption of X yet simulates A ‘s knowledge with respect to X
A selects:• Distribution Dn on 0,1n
• Relation R(X,Y) - computable in probabilistic polynomial timeFor every pptm A choosing a (polynomial time samplable) distribution Dn
on 0,1n there is an pptm A’ so that for all pptm relation R for XR Dn
PrR(X,A(E(X)) - Pr R(X,A’())
is negligible
In other words: The outputs of A and A’ are indistinguishable even for a test who is aware of X
Note: presentation of semantic security is non-standard (but equivalent to it)
Equivalence of Semantic Security and Indistinguishability of Encryptions
• Would like to argue their equivalence• Must define the attack
– Otherwise cannot fully talk about an attack• Chosen plaintext attacks
– Adversary can obtain the encryption of any message it wishes– In an adaptive manner– Certainly feasible in a public-key setting– What about shared-key encryption?
• More severe attacks– Chosen ciphertext
Security of public key cryptosystems:exact timing
• Adversary A gets to public key KP • Then A can mount an adaptive attack
– No need for further interaction since can do all the encryption on its own
• Then A chooses– In semantic security the distribution Dn and the relation R
– In indistinguishability of encryptions the pair X0 , X1 0,1n
• Then A is given the test– In semantic security E(KP, X ,r) for XR Dn
and rR 0,1m
– In indistinguishability of encryptions the E(KP, Xb ,r) for bR 0,1
and rR 0,1m
The Equivalence Theorem
• For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property
Equivalence ProofIf a scheme has the indistinguishability of encryptions property, then it is
semantically secure:• Suppose not, and A chooses
– some distribution Dn – some relation R
• Choose X0 , X1 R Dn and run A twice on
– C0 = E(KP, X0 ,r0) call the output Y0
– C1 = E(KP, X1 ,r1) call the output Y1
• For X0 , X1 R Dn let
– 0 = Prob[R(X0, Y0)] – 1 = Prob[R(X1, Y0)]
• If 0 -1 If is non negligible can distinguish between encryption of X0 of X1 – Contradicting the indistinguishability property
• If 0 -1 is negligible can run A’ with no access to encryption– sample X’ R Dn
and C’ = E(KP, X’, r) – Run A on C’ and output Y’
Here we Use the power to generate encryptions
Equivalence Proof…If a scheme is semantically secure, then it has the
indistinguishability of encryptions property:• Suppose not, and A chooses
– A pair X0 , X10,1n
– For which it can distinguish with advantage • Choose
– distribution Dn = {X0 , X1 }
– Relation R which is “equality with X”
• For any A’ that does not get C = E(KP, X ,r) and outputs Y’
Prob[R(X, Y’)]= ½ • By simulating A and outputting Y= Xb for guess b0,1
Prob[R(X, Y)] ¸ ½ +
Similar setting
• The same proof works for the shared key case with adaptive chosen plaintext attack
• ``Standard” definition of semantic security:– Instead of A trying to find Y such that R(X,Y), A tries
to find Y such that• Y=f(X)• f is any function (not necessarily polynomial time computable)
– In spite of difference equivalent to our definition
When is each definition useful
• Semantic security seems to convey that the message is protected– Not the strongest possible definition
• Easier to prove indistinguishability of encryptions
Concatenations
• If (G,E,D) is a semantically secure cryptosystem, then if Adversary A
• Chooses X0 , X10,1n
• Receives k independent encryptions of Xb for bR0,1
• has to decide whether b 0 or b 1.• Cannot have non negligible advantage• Proof: hybrid argument
Concatenation
• Let A be an adversary that selects:– Distribution Dn on 0,1n
– Relation R computable in probabilistic polynomial time
• Let X1, X2, ... Xk 2R Dn
• Suppose that A receives E(X1), E(X2), ..., E(Xk)
• Computes Y and hopes that R(X1, X2, ..., Xk ,Y)
Homework: prove that for any A there is an A’ with similar probability of success
Construction: from trapdoor permutation• Key generation: KP (Public) and KS (secret) are the keys
of the trapdoor permutation• Encryption: to encrypt a message m0,1k
– select x R 0,1n and r R 0,1n – compute
g(x)=x¢r, fP(x) ¢r, fP(2)(x) ¢r, … fP
(k-1)(x) ¢r– Send m Xored with g(x) and y=fP
(k)(x) and r(g(x) © m, fP
(k)(x), r)• Decryption: given (c, y, r)
– extract x = fP(-k)(y) using KS
– compute g(x) using r– extract m by Xoring c with g(x)
Security of construction
Claim: given y=fP(k)(x), g(x) is indistinguishable
from randomProof: it is a pseudo-random generator
Pseudo-randomness implies indistinguishability of encryption
Example
• Blum-Goldwasser cryptosystem– Based on the Blum, Blum, Shub pseudo-random
generator– The permutation defined by N= P ¢ Q, where
P,Q = 3 mod 4– For x 2 ZN
*, x is a quadratic residue
fN(x)=x2 mod N
Shared key encryption
• Sender and receiver share a key s of a pseudo-random function
Fs: {0,1}n {0,1}k
• Encryption of a message m0,1k
– Choose rR0,1n
– Send (Fs (r) © m,r)• Decryption of a ciphertext (y,r)
– Compute m=Fs (r) © y
• Proof of security: based on the indistinguishability of Fs from a truly random function
Open Problems
• How to get a good encryption scheme with a weaker than fully blown pseudo-random function
• Homework: read – Moni Naor and Omer Reingold, From Unpredictability
to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs, Crypto'98.
From single bit to many bits• If there is an encryption scheme that can hide E(KP, 0 ,r) from
E(KP, 1 ,r), then can construct a full blown (for any length messages) semantically secure cryptosystem by concatenation
• Each bit in the message m0,1k is encrypted separately• Proof: a hybrid argument
– Using definition of indistinguishability of encryption– Suppose adversary chooses X0 , X10,1k
– Let:• D0 be the distribution on encryptions of X0 • Dk be the distribution on encryptions of X1 • Di be the distribution where the first i bits are from X0 and the last k-i bits are from X1
• Example: quadratic residues mod N
One-way encryption is sufficient for semantic security against chosen plaintext attackCall an encryption scheme one-way if given c=E(KP, m, s) for
random m and s it is hard to find mThis is the weakest form of security one can expect from a ``self-respecting”
cryptosystem• Can use it to construct a single-bit indistinguishable scheme:• To encrypt a bit b0,1:
– choose random x, s and r – Send (c,r,b’) where
• c=E(KP, x, s)• b’= x¢r © b
Security: from the Goldreich-Levin reconstruction algorithm
Examples of public-key cryptosystems• Factoring related: RSA, Rabin• Discrete-log related:
– Diffie-Hellman (El Gamal)– Various groups
• Early Knapsack and Codes (late 1970’s)– Merkle Hellman– McEliece: probabilsitic cryptosystem
• Modern Lattice Based– Ajtai-Dwork: only one for which worst case to hardness
reduction is known– Goldreich-Goldwasser and Halevi
• NTRU
Example: Interactive Authentication
P wants to convince V that he is approving message mP has a public key KP of an encryption scheme E.To authenticate a message m:• V P: Choose r 2R {0,1}n. Send c=E(m ° r, KP)• P V : Receiving c
Decrypt c using KS
Verify that prefix of plaintext is m. If yes - send r.V is satisfied if he receives the same r he choose