Katz, Lindell: Introduction to Modern Cryptography
Slides Chapter 3
Markus Bläser, Saarland University
Computational security

Goal: No adversary can break the scheme
- in “reasonable” time
- with “reasonable” success probability.
Question: mathematical modelling of “reasonable”.

Efficient algorithms
- Word-RAM, Turing machine, ...
- efficient = polynomial running time (there is a polynomial p such that for all inputs x, the running time is bounded by p(|x|)).
- algorithms are randomized, i.e., the algorithm can flip a fair coin at any time. (Equivalently, the algorithm gets a sufficiently long random string drawn uniformly at random as an additional input.)
Negligible success probability

Definition (3.4)
A function f : ℕ → ℝ≥0 is negligible if for every positive polynomial p there is an N such that for all n > N: f(n) < 1/p(n).
- p(n) = n^c for all constants c is sufficient
- negligible functions will often be denoted by negl

Proposition (3.6)
Let negl1 and negl2 be negligible functions and p be a positive polynomial.
1. negl1 + negl2 is negligible.
2. p · negl1 is negligible.
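Proposition 3.6 is used whenever two negligible error terms are combined. A short proof in the slides' own notation, added here and not part of the slides:

Part 1. Let $p$ be a positive polynomial. Then $2p$ is also a positive polynomial, so negligibility of $\mathrm{negl}_1$ and $\mathrm{negl}_2$ gives $N_1, N_2$ with
$$\mathrm{negl}_1(n) < \frac{1}{2p(n)} \ \text{ for all } n > N_1, \qquad \mathrm{negl}_2(n) < \frac{1}{2p(n)} \ \text{ for all } n > N_2 .$$
For $N := \max(N_1, N_2)$ and all $n > N$,
$$\mathrm{negl}_1(n) + \mathrm{negl}_2(n) < \frac{1}{2p(n)} + \frac{1}{2p(n)} = \frac{1}{p(n)} .$$

Part 2. Given a positive polynomial $q$, apply negligibility of $\mathrm{negl}_1$ to the positive polynomial $p \cdot q$: there is an $N$ such that for all $n > N$,
$$p(n)\,\mathrm{negl}_1(n) < p(n) \cdot \frac{1}{p(n)\,q(n)} = \frac{1}{q(n)} .$$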
Why relaxations?
- Given c, you can run over all k ∈ K and compute Dec_k(c). This tells you which messages were not sent. Running time proportional to |K|.
- Assume you know a pair (m0, c0) with c0 = Enc_k(m0). Then you can find the key k by testing c0 = Enc_k(m0) for each candidate k. Running time proportional to |K|.
- Or you can randomly guess a key k and check whether c0 = Enc_k(m0). Success probability: 1/|K|.
Private key encryption scheme

Definition (3.7)
A private key encryption scheme is a tuple of ppt algorithms (Gen, Enc, Dec) such that
1. Gen on input 1^n (n in unary) outputs a key k. W.l.o.g. |k| ≥ n.
2. Enc on input k and m ∈ {0,1}* outputs a ciphertext c.
3. Dec on input k and c outputs a message m.
For every n, every k generated by Gen, and every m ∈ {0,1}*,
  Dec_k(Enc_k(m)) = m.
If for fixed n, Enc is only defined on messages of length ℓ(n), then the scheme is called a fixed-length private key encryption scheme.
- n = security parameter (“the larger, the more secure”)
- scheme is stateless.
- Gen usually generates the key uniformly at random.
Indistinguishability

The adversarial indistinguishability experiment PrivK^eav_{A,Π}(n):
1. On input 1^n, A outputs messages m0, m1 with |m0| = |m1|.
2. k ← Gen(1^n) and b ∈ {0,1} is chosen uniformly at random. c ← Enc_k(m_b) is given to A (“challenge”).
3. A outputs b′ ∈ {0,1}.
4. PrivK^eav_{A,Π}(n) = 1 if b = b′, and 0 otherwise.
- A polynomial time bounded → |m_i| = poly(n).
- Π fixed length → |m_i| = ℓ(n).
- A sees only one ciphertext and no further interaction ≈ eavesdropping of one ciphertext.
Indistinguishability (2)

Definition (3.8)
Π = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper or is EAV-secure if for all ppt adversaries A there is a negligible function negl such that for all n,
  Pr[PrivK^eav_{A,Π}(n) = 1] ≤ 1/2 + negl(n).
(Probability is taken over the randomness of A, k, b, and the randomness of Enc.)
- perfectly secret encryption ⟹ EAV-secure
- goal: key shorter than message
Semantic security

Definition (3.12)
(Enc, Dec) is semantically secure in the presence of an eavesdropper if for every ppt algorithm A there is a ppt algorithm A′ such that for every ppt algorithm Samp and polynomial-time computable functions f and h,
  |Pr[A(1^n, Enc_k(m), h(m)) = f(m)] − Pr[A′(1^n, |m|, h(m)) = f(m)]| ≤ negl(n).
The first probability is taken over uniform k ∈ {0,1}^n, m ← Samp(1^n), the randomness of A, and the randomness of Enc. The second probability is taken over m ← Samp(1^n) and the randomness of A′.

Semantic security (2)
- Pr[A(1^n, Enc_k(m), h(m)) = f(m)]: the adversary gets a ciphertext and has some information h(m). A tries to guess the information f(m).
- A′ has almost the same chance of guessing f(m) without knowing the ciphertext.
- “No (polynomial time computable) information is leaked.”

Theorem (3.13)
A private-key encryption scheme is EAV-secure iff it is semantically secure.
EAV-secure is easier to work with.
Pseudorandom generators

Definition (3.14)
Let ℓ be a polynomial and let G be a deterministic polynomial time algorithm such that for each s ∈ {0,1}^n, G(s) ∈ {0,1}^ℓ(n). G is a pseudorandom generator if
1. ℓ(n) > n for all n,
2. for any ppt algorithm D,
     | Pr_{s ∈ {0,1}^n}[D(G(s)) = 1] − Pr_{r ∈ {0,1}^ℓ(n)}[D(r) = 1] | ≤ negl(n)
   for all n.
The probability is also taken over the internal randomness of D.
ℓ = expansion factor
A secure fixed-length encryption scheme

Construction (3.17)
G prg with expansion factor ℓ.
- Gen: on input 1^n, return k ∈ {0,1}^n uniformly at random.
- Enc: given key k and message m ∈ {0,1}^ℓ(n), output
    c := G(k) ⊕ m.
- Dec: given key k and ciphertext c ∈ {0,1}^ℓ(n), output
    m := G(k) ⊕ c.

Theorem (3.18)
If G is a prg, then Construction 3.17 is EAV-secure.
Proofs by reduction

Assumption: existence of pseudorandom generators.
- Assume that the scheme is not EAV-secure. Let A be an attacker with non-negligible success probability.
- Construct a distinguisher who breaks the assumption, i.e., an algorithm D that can distinguish the output of G from a uniform distribution with non-negligible success probability.

Proof of Thm 3.18
Distinguisher D. Input: w ∈ {0,1}^ℓ(n)
1. Run A(1^n) to obtain m0, m1 ∈ {0,1}^ℓ(n).
2. Choose b ∈ {0,1} at random. Set c := w ⊕ m_b.
3. Give c to A and get output b′. Return 1 if b′ = b and 0 otherwise.
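The reduction above as runnable code, added here as an example and not part of the slides. To have something for D to detect, the generator is a deliberately broken toy G(s) = s || s (constructed for this example; it satisfies the expansion condition ℓ(n) = 2n but is obviously not pseudorandom), and A is the eavesdropper that exploits it against Construction 3.17. D wraps A exactly as in the proof: when w is G(s), A always wins, so D outputs 1 with probability 1; when w is uniform, the pad hides b and D outputs 1 with probability about 1/2.

```python
import secrets

N = 8            # seed length n in bytes (constructed toy parameter)
L = 2 * N        # expansion factor l(n) = 2n


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def bad_prg(s: bytes) -> bytes:
    """Toy 'generator' G(s) = s || s: correct output length, but not pseudorandom.
    Constructed here so the reduction has an assumption to break."""
    return s + s


def challenge_messages() -> tuple:
    """A's step 1: m0 = 0^{2n} and m1 = 0^n || 1^n (both of length l(n))."""
    return bytes(L), bytes(N) + b"\xff" * N


def adversary(c: bytes) -> int:
    """A's guess b' on challenge c = G(k) xor m_b (Construction 3.17 with bad_prg).

    With G(k) = k || k the two halves of c are equal iff b = 0, so A always wins."""
    return 0 if c[:N] == c[N:] else 1


def distinguisher(w: bytes) -> int:
    """D from the proof of Theorem 3.18, using A as a black box.

    Returns 1 iff A guesses b correctly when w plays the role of the pad G(k)."""
    m0, m1 = challenge_messages()          # step 1: run A to get m0, m1
    b = secrets.randbelow(2)               # step 2: choose b, set c := w xor m_b
    c = xor(w, (m0, m1)[b])
    return 1 if adversary(c) == b else 0   # step 3: output 1 iff b' = b


def estimate_advantage(trials: int = 2000) -> float:
    """Samples |Pr_s[D(G(s)) = 1] - Pr_r[D(r) = 1]|; about 1/2 for bad_prg,
    i.e. clearly non-negligible, which is what the reduction promises."""
    pseudo = sum(distinguisher(bad_prg(secrets.token_bytes(N))) for _ in range(trials))
    uniform = sum(distinguisher(secrets.token_bytes(L)) for _ in range(trials))
    return abs(pseudo - uniform) / trials


if __name__ == "__main__":
    print("D(G(s)) for a fixed seed:", distinguisher(bad_prg(bytes(N))))
    print("estimated advantage:", estimate_advantage())
```

The point to take from running it: D never looks inside A; it only translates A's success on ciphertexts into a statement about w, which is exactly why a secure G (one for which no such A exists) rules out any such A.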
Stronger security notions

Multiple message eavesdropping experiment PrivK^mult_{A,Π}(n):
1. A is given 1^n and it outputs two lists of messages (m_{0,1}, ..., m_{0,t}) and (m_{1,1}, ..., m_{1,t}) with |m_{0,i}| = |m_{1,i}| for all i.
2. k ← Gen(1^n) is generated and b ∈ {0,1} is chosen uniformly at random. Compute c_i ← Enc_k(m_{b,i}) and give (c_1, ..., c_t) to A.
3. A outputs a bit b′.
4. The output of the experiment is 1 if b = b′ and 0 otherwise.

Multiple encryptions

Definition (3.19)
Π = (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if for all ppt A,
  Pr[PrivK^mult_{A,Π}(n) = 1] ≤ 1/2 + negl(n).
(probability over the randomness of A and of PrivK^mult_{A,Π})

Theorem (3.21)
If Π is a (stateless) encryption scheme in which Enc is deterministic, then Π cannot have indistinguishable multiple encryptions in the presence of an eavesdropper.
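Construction 3.17 and Theorem 3.21 side by side, as an added example that is not part of the slides. The PRG is a stand-in (SHA-256 in counter mode, assumed pseudorandom for the purpose of the example; the slides do not give a concrete G). The scheme round-trips and is EAV-secure for one message under that assumption, yet because Enc is deterministic the PrivK^mult adversary of Theorem 3.21, which submits the lists (m, m) and (m, m′), wins with probability 1 simply by comparing the two ciphertexts.

```python
import hashlib
import secrets


def prg(seed: bytes, out_len: int) -> bytes:
    """Stand-in PRG G: stretches a seed to out_len bytes with SHA-256 in counter mode.
    Assumption (not a theorem from the slides): this behaves as a PRG.  Deterministic."""
    out = b""
    ctr = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Construction 3.17 with n = 16 bytes and expansion factor l(n) = 64 bytes.
N = 16
L = 64


def gen() -> bytes:
    """Gen(1^n): uniformly random key k in {0,1}^n."""
    return secrets.token_bytes(N)


def enc(k: bytes, m: bytes) -> bytes:
    """Enc_k(m) = G(k) xor m for a fixed-length message m in {0,1}^l(n)."""
    assert len(m) == L, "fixed-length scheme: |m| must equal l(n)"
    return xor(prg(k, L), m)


def dec(k: bytes, c: bytes) -> bytes:
    """Dec_k(c) = G(k) xor c."""
    assert len(c) == L
    return xor(prg(k, L), c)


def roundtrip(k: bytes, m: bytes) -> bool:
    return dec(k, enc(k, m)) == m


def multi_message_adversary(k: bytes) -> bool:
    """The adversary from Theorem 3.21 in the PrivK^mult experiment (t = 2).

    It outputs the lists (m, m) and (m, m') with m != m'.  Enc is deterministic,
    so c_1 == c_2 exactly when b = 0, and A recovers b with certainty.
    Returns True iff A's guess equals the challenger's hidden bit."""
    m = bytes(L)                              # all-zero message
    m_prime = bytes([1]) + bytes(L - 1)       # differs from m in one bit
    lists = [(m, m), (m, m_prime)]
    b = secrets.randbelow(2)                  # challenger's hidden bit
    c1, c2 = (enc(k, x) for x in lists[b])   # challenger encrypts list b
    b_guess = 0 if c1 == c2 else 1
    return b_guess == b


if __name__ == "__main__":
    k = gen()
    print("round trip ok:", roundtrip(k, bytes(range(L))))
    print("multi-message adversary wins:", multi_message_adversary(k))
```

The same comparison works against any stateless deterministic Enc, not just this one; the fix in the chapter is to make Enc randomized (Construction 3.30) or stateful (synchronized stream cipher).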
Chosen plaintext attacks

CPA indistinguishability experiment PrivK^cpa_{A,Π}(n)
1. k ← Gen(1^n) is generated.
2. A is given 1^n and oracle access to Enc_k(·). A outputs two messages m0, m1 of the same length.
3. b ∈ {0,1} is chosen uniformly at random and c ← Enc_k(m_b) is given to A.
4. A outputs a bit b′ (with oracle access to Enc_k(·)).
5. The output of the experiment is 1 if b = b′ and 0 otherwise.
- oracle access to Enc_k → no knowledge of k!

Chosen plaintext attacks (2)

Definition (3.22)
Π = (Gen, Enc, Dec) has indistinguishable encryptions under chosen-plaintext attacks or is CPA-secure if for all ppt A,
  Pr[PrivK^cpa_{A,Π}(n) = 1] ≤ 1/2 + negl(n).
(probability over the randomness of A and of the experiment)
CPA-security for multiple encryptions

The LR-oracle experiment PrivK^{LR-cpa}_{A,Π}(n)
1. k ← Gen(1^n) is generated.
2. b ∈ {0,1} is chosen uniformly at random.
3. A is given 1^n and oracle access to LR_{k,b}(·, ·).
4. A outputs b′.
5. The output of the experiment is 1 if b = b′ and 0 otherwise.
- LR_{k,b}(m0, m1) returns c ← Enc_k(m_b)
- no knowledge of k or b!
- enables adaptive attacks

CPA-security for multiple encryptions (2)

Definition (3.23)
Π has indistinguishable multiple encryptions under chosen-plaintext attacks if for all ppt A,
  Pr[PrivK^{LR-cpa}_{A,Π}(n) = 1] ≤ 1/2 + negl(n).
(probability over the randomness of A and of the experiment)

Theorem (3.24)
Any private-key encryption scheme that is CPA-secure is also CPA-secure for multiple encryptions.
Fixed-length versus arbitrary length
- Π = (Gen, Enc, Dec) fixed-length scheme which is CPA-secure
- Define the arbitrary-length scheme Π′ = (Gen′, Enc′, Dec′) as follows:
  - Gen′ = Gen
  - Cut message m into pieces m_1, ..., m_t of length ℓ(n). Enc′_k(m) = Enc_k(m_1), ..., Enc_k(m_t)
  - Decryption Dec′ is blockwise.

Theorem
Π′ is CPA-secure if Π is CPA-secure.
Follows from Theorem 3.24.
Constructing CPA-secure encryption schemes

Keyed functions
- keyed function F : {0,1}* × {0,1}* → {0,1}*.
- F is efficient if (k, x) ↦ F(k, x) is polynomial time computable.
- k ∈ {0,1}* induces a function F_k : {0,1}* → {0,1}* by
    F_k(x) := F(k, x).
- key length ℓ_key(n), input length ℓ_in(n), and output length ℓ_out(n): restrict F_k to {0,1}^ℓ_in(n), and the output has to be in {0,1}^ℓ_out(n).
- typically ℓ_key(n) = ℓ_in(n) = ℓ_out(n) = n.
Pseudorandom functions

Definition (3.25)
Let F be an efficient, length-preserving, keyed function. F is pseudorandom if for all ppt distinguishers D,
  | Pr[D^{F_k(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1] | ≤ negl(n).
(First probability over the uniform choice of k, second probability over the uniform choice of f ∈ Func_n. Both over the randomness of D.)
- Func_n = set of all functions {0,1}^n → {0,1}^n, |Func_n| = 2^{n·2^n}
- |key space| = 2^n
- input of D is the oracle
- k is not given to D
Pseudorandom permutations

keyed permutation: ℓ_in(n) = ℓ_out(n), F_k bijective for all k
pseudorandom: indistinguishable from a random permutation

Proposition (3.27)
If F is a pseudorandom permutation and ℓ_in(n) ≥ n, then F is also a pseudorandom function.

Definition
A keyed permutation F is efficient if there is a polynomial time algorithm computing (k, x) ↦ F_k(x) and a polynomial time algorithm computing (k, y) ↦ F_k^{-1}(y).

Pseudorandom permutations (2)

Definition
Let F be an efficient, length-preserving, keyed permutation. F is strongly pseudorandom if for all ppt D,
  | Pr[D^{F_k(·), F_k^{-1}(·)}(1^n) = 1] − Pr[D^{f(·), f^{-1}(·)}(1^n) = 1] | ≤ negl(n).
(first probability over k, second over f ∈ Perm_n, both over D)
- Perm_n = set of all permutations on {0,1}^n, |Perm_n| = (2^n)!
Pseudorandom functions versus generators

F pseudorandom → prg (“stream cipher”)
- Choose s, I ∈ {0,1}^n
- Repeat until we have produced the desired number of bits:
  - output F_s(I)
  - I := I + 1.

prg G with expansion factor n·2^{t(n)} → prf {0,1}^n × {0,1}^{t(n)} → {0,1}^n
- interpret G(k) as a table of values
- larger block lengths are possible but harder to achieve (Ch. 7.5)
CPA-secure encryption from prfs

Construction (3.30)
Let F be a prf.
- Gen: returns k ∈ {0,1}^n uniformly at random
- Enc: on key k ∈ {0,1}^n and message m ∈ {0,1}^n, choose r ∈ {0,1}^n uniformly at random and output
    c := ⟨r, F_k(r) ⊕ m⟩.
- Dec: on key k ∈ {0,1}^n and ciphertext c = ⟨r, s⟩, output
    m := F_k(r) ⊕ s.

CPA-secure encryption: proof

Theorem (3.31)
If F is a prf, then Construction 3.30 is CPA-secure for messages of length n.

Distinguisher D: has oracle access to O : {0,1}^n → {0,1}^n
1. Run A(1^n). When A queries its oracle with m, then:
   - Query O(r) on random r ∈ {0,1}^n and obtain answer y.
   - Return ⟨r, y ⊕ m⟩ to A.
2. When A outputs m0, m1, choose b ∈ {0,1} uniformly at random:
   - Query O(r) on random r ∈ {0,1}^n and obtain answer y.
   - Return challenge ⟨r, y ⊕ m_b⟩ to A.
3. Answer oracle queries of A as above. When A outputs b′, then output 1 if b = b′ and 0 otherwise.
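Construction 3.30 together with the blockwise extension Π′ from the slide “Fixed-length versus arbitrary length”, as an added example that is not part of the slides. The PRF is a stand-in: HMAC-SHA256 truncated to n bytes, assumed to be a PRF (the slides do not fix a concrete F). Two things the slides state become visible: every encryption of the same message is different because r is fresh, and Π′ doubles the ciphertext length, the drawback the modes-of-operation slide later removes.

```python
import hashlib
import hmac
import secrets

N = 16  # n in bytes: key, PRF input and PRF output length (length-preserving F)


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for F_k(x): HMAC-SHA256 truncated to n bytes.
    Assumption (not from the slides): HMAC-SHA256 is a PRF."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Construction 3.30: CPA-secure encryption of n-byte messages.
def gen() -> bytes:
    return secrets.token_bytes(N)


def enc(k: bytes, m: bytes) -> bytes:
    """Enc_k(m) = <r, F_k(r) xor m> with a fresh uniform r for every call."""
    assert len(m) == N, "Construction 3.30 encrypts messages of length n"
    r = secrets.token_bytes(N)
    return r + xor(prf(k, r), m)


def dec(k: bytes, c: bytes) -> bytes:
    """Dec_k(<r, s>) = F_k(r) xor s."""
    r, s = c[:N], c[N:]
    return xor(prf(k, r), s)


# Pi' = (Gen', Enc', Dec'): cut m into n-byte pieces and apply Pi to each piece.
# The slides cut m into pieces of exactly l(n); padding is not discussed there,
# so this example requires |m| to be a multiple of n.
def enc_prime(k: bytes, m: bytes) -> bytes:
    assert len(m) % N == 0, "message length must be a multiple of n"
    return b"".join(enc(k, m[i:i + N]) for i in range(0, len(m), N))


def dec_prime(k: bytes, c: bytes) -> bytes:
    """Dec' is blockwise: each 2n-byte piece <r_i, s_i> decrypts independently."""
    return b"".join(dec(k, c[i:i + 2 * N]) for i in range(0, len(c), 2 * N))


def ciphertext_expansion(m: bytes) -> int:
    """Ratio |Enc'_k(m)| / |m|: 2, since each n-byte block becomes <r, s>."""
    return len(enc_prime(gen(), m)) // len(m)


def encryptions_differ(k: bytes, m: bytes) -> bool:
    """Randomized Enc: two encryptions of one message differ (except with
    probability 2^{-8n}, when the same r is drawn twice)."""
    return enc(k, m) != enc(k, m)


if __name__ == "__main__":
    k = gen()
    m = bytes(range(3 * N))
    print("round trip:", dec_prime(k, enc_prime(k, m)) == m)
    print("expansion factor:", ciphertext_expansion(m))
```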
Stream ciphers and block ciphers

In practice:
- Stream ciphers produce a stream of pseudorandom bits
- CPA-secure, variable-length schemes based on prg-like constructions
- block ciphers are practical implementations of prfs (or prps)
- they are put into a “mode of operation” for repeated use.
(Definitions are somewhat blurry...)

Stream Ciphers

Algorithm (3.16)
Input: seed s, initialisation vector IV
Output: y_1, ..., y_ℓ
1. st_0 := Init(s, IV)
2. for i := 1 to ℓ do
3.   (y_i, st_i) := GetBits(st_{i-1})
4. return y_1, ..., y_ℓ
produces pseudorandom bits one after another
Synchronized mode

Prg G∞ with variable output length:
- G∞(s, 1^ℓ) returns ℓ bits like in Construction 3.17
- Encryption: c := G∞(k, 1^{|m|}) ⊕ m
- Decryption: m := G∞(k, 1^{|c|}) ⊕ c
- can even be used to encrypt/decrypt multiple messages by sharing the current state of the stream cipher
- no initialisation vector is needed

Unsynchronized mode
- allows stateless CPA-secure encryption of arbitrary-length messages
- G∞(s, IV, 1^ℓ) returns ℓ bits like in Construction 3.17
- Encryption: c := ⟨IV, G∞(s, IV, 1^{|m|}) ⊕ m⟩, IV chosen uniformly at random.
- Decryption of ⟨IV, c′⟩: m := G∞(s, IV, 1^{|c′|}) ⊕ c′.
- CPA-secure if F_k(IV) := G∞(k, IV, 1^ℓ) is a prf for any ℓ = poly(n).
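Algorithm 3.16 (Init/GetBits) and both modes in one runnable example, added here and not part of the slides. GetBits is the “F pseudorandom → prg” loop from the slide on functions versus generators (output F_s(I), then I := I + 1), with HMAC-SHA256 standing in for the PRF (an assumption; the slides fix no concrete F). The synchronized mode keeps one running state on both sides and sends no IV; the unsynchronized mode is stateless and prepends a uniform IV. A final helper shows the cost of the synchronized variant: a receiver that misses one ciphertext cannot decrypt the next.

```python
import hashlib
import hmac
import secrets

N = 16  # seed and IV length n in bytes; every GetBits call yields one n-byte block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def init(s: bytes, iv: bytes) -> tuple:
    """Init(s, IV) of Algorithm 3.16: initial state st_0 = (seed, IV, counter I)."""
    return (s, iv, 0)


def get_bits(st: tuple) -> tuple:
    """GetBits(st_{i-1}) -> (y_i, st_i): output F_s(IV, I) and advance I := I + 1.
    Assumption (not on the slides): HMAC-SHA256 keyed by s is a PRF."""
    s, iv, ctr = st
    y = hmac.new(s, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()[:N]
    return y, (s, iv, ctr + 1)


def keystream(st: tuple, nbytes: int) -> tuple:
    """G_inf(., 1^l): run GetBits until nbytes are available.  Also returns the
    final state so a synchronized party can continue where it stopped.  Leftover
    bytes of the last block are discarded identically on both sides."""
    out = b""
    while len(out) < nbytes:
        y, st = get_bits(st)
        out += y
    return out[:nbytes], st


class SynchronizedStream:
    """Synchronized mode: sender and receiver share one evolving state, so many
    messages can be sent under one key with no IV.  The same operation encrypts
    and decrypts, and messages must be processed in the same order on both sides."""

    def __init__(self, k: bytes):
        self.st = init(k, b"")          # no initialisation vector needed

    def process(self, data: bytes) -> bytes:
        ks, self.st = keystream(self.st, len(data))
        return xor(ks, data)


def enc_unsync(k: bytes, m: bytes) -> bytes:
    """Unsynchronized mode: c = <IV, G_inf(k, IV, 1^|m|) xor m> with uniform IV."""
    iv = secrets.token_bytes(N)
    ks, _ = keystream(init(k, iv), len(m))
    return iv + xor(ks, m)


def dec_unsync(k: bytes, c: bytes) -> bytes:
    """Decryption of <IV, c'>: m = G_inf(k, IV, 1^|c'|) xor c'."""
    iv, body = c[:N], c[N:]
    ks, _ = keystream(init(k, iv), len(body))
    return xor(ks, body)


def sync_order_matters(k: bytes, m1: bytes, m2: bytes) -> bool:
    """True when a receiver that skips the first ciphertext fails on the second:
    in synchronized mode correctness depends on both parties staying in step."""
    sender, receiver = SynchronizedStream(k), SynchronizedStream(k)
    c1, c2 = sender.process(m1), sender.process(m2)
    return receiver.process(c2) != m2


if __name__ == "__main__":
    k = secrets.token_bytes(N)
    tx, rx = SynchronizedStream(k), SynchronizedStream(k)
    print(rx.process(tx.process(b"hello")), rx.process(tx.process(b"world")))
    print(dec_unsync(k, enc_unsync(k, b"stateless")))
```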
Block ciphers: modes of operation

Recall Construction 3.30:
- Prf F, encode m as ⟨r, F_k(r) ⊕ m⟩
- Drawback: message length is doubled
Solution: Block ciphers

Electronic code book mode (ECB)
Crap.

Cipher block chaining mode (CBC)
- Encryption: c_i := F_k(c_{i-1} ⊕ m_i)
- Decryption: m_i := F_k^{-1}(c_i) ⊕ c_{i-1}
- IV needs to be included (c_0 = IV), IV is random
- CPA-secure if F is a prp.

Chained CBC
- Stateful variant of CBC
- can be attacked

Output feedback mode (OFB)
- CPA-secure if F is a prf.
- Evaluation of F can be done before actual encryption

Counter mode (CTR)
- ctr ∈ {0,1}^n is chosen uniformly at random.
- Encryption: c_i := m_i ⊕ F_k(ctr + i).
- CTR can be parallelized.
- ith block can be decrypted individually with only one evaluation of F.

Theorem
If F is a prf, then CTR is CPA-secure.
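ECB, CBC and CTR over one keyed permutation, as an added example that is not part of the slides. The slides assume a PRP F without naming one; here F_k is a 4-round Feistel network (the Luby-Rackoff construction) whose round function is HMAC-SHA256, so that F_k^{-1}, which CBC decryption needs, exists by construction. The PRF assumption on HMAC-SHA256 and the block size of 16 bytes are this example's choices. The helper at the end makes the ECB verdict concrete: repeated plaintext blocks show up as repeated ciphertext blocks under ECB, but not under CBC or CTR.

```python
import hashlib
import hmac
import secrets

BLOCK = 16                 # block length n in bytes
HALF = BLOCK // 2
ROUNDS = 4
MOD = 2 ** (8 * BLOCK)     # ctr + i is taken modulo 2^n


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(k: bytes, i: int, x: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 keyed by k, domain-separated by the
    round index, truncated to a half block.  Assumption: HMAC-SHA256 is a PRF."""
    return hmac.new(k, bytes([i]) + x, hashlib.sha256).digest()[:HALF]


def prp(k: bytes, x: bytes) -> bytes:
    """F_k: 4-round Feistel network on n-byte blocks (invertible by construction)."""
    l, r = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        l, r = r, xor(l, round_fn(k, i, r))
    return l + r


def prp_inv(k: bytes, y: bytes) -> bytes:
    """F_k^{-1}: undo the rounds in reverse order."""
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, round_fn(k, i, l)), l
    return l + r


def blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "message length must be a multiple of n"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# ECB: every block independently through F_k.  Deterministic: equal plaintext
# blocks give equal ciphertext blocks, which is the slide's objection.
def ecb_enc(k: bytes, m: bytes) -> bytes:
    return b"".join(prp(k, mi) for mi in blocks(m))


def ecb_dec(k: bytes, c: bytes) -> bytes:
    return b"".join(prp_inv(k, ci) for ci in blocks(c))


# CBC: c_i = F_k(c_{i-1} xor m_i) with c_0 = IV; decryption needs F_k^{-1}.
def cbc_enc(k: bytes, m: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    prev, out = iv, [iv]
    for mi in blocks(m):
        prev = prp(k, xor(prev, mi))
        out.append(prev)
    return b"".join(out)


def cbc_dec(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)            # cs[0] is the IV
    return b"".join(xor(prp_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


# CTR: c_i = m_i xor F_k(ctr + i); only the forward direction of F is used.
def ctr_enc(k: bytes, m: bytes) -> bytes:
    ctr = int.from_bytes(secrets.token_bytes(BLOCK), "big")
    out = [ctr.to_bytes(BLOCK, "big")]
    for i, mi in enumerate(blocks(m), start=1):
        out.append(xor(mi, prp(k, ((ctr + i) % MOD).to_bytes(BLOCK, "big"))))
    return b"".join(out)


def ctr_dec_block(k: bytes, c: bytes, i: int) -> bytes:
    """Decrypts only the i-th block (1-based) with a single evaluation of F."""
    ctr = int.from_bytes(c[:BLOCK], "big")
    ci = c[i * BLOCK:(i + 1) * BLOCK]
    return xor(ci, prp(k, ((ctr + i) % MOD).to_bytes(BLOCK, "big")))


def repeated_blocks(c: bytes) -> bool:
    """True if some block occurs twice in c."""
    cs = blocks(c)
    return len(set(cs)) < len(cs)


if __name__ == "__main__":
    k = secrets.token_bytes(BLOCK)
    m = bytes(BLOCK) * 3                        # three identical plaintext blocks
    print("ECB repeats:", repeated_blocks(ecb_enc(k, m)))
    print("CBC repeats:", repeated_blocks(cbc_enc(k, m)[BLOCK:]))
```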