Katz, Lindell: Introduction to Modern Cryptography

Slides Chapter 3

Markus Bläser, Saarland University


Computational security

Goal: No adversary can break the scheme

- in “reasonable” time
- with “reasonable” success probability.

Question: Mathematical modelling of “reasonable”


Efficient algorithms

- Word-RAM, Turing machine, ...
- efficient = polynomial running time (There is a polynomial p such that for all inputs x, the running time is bounded by p(|x|).)
- algorithms are randomized, i.e., the algorithm can flip a fair coin at any time. (Equivalently, the algorithm gets a sufficiently long random string drawn uniformly at random as an additional input.)


Negligible success probability

Definition (3.4)

A function $f : \mathbb{N} \to \mathbb{R}_{\ge 0}$ is negligible if for every positive polynomial $p$ there is an $N$ such that for all $n > N$: $f(n) < \frac{1}{p(n)}$.

- $p(n) = n^c$ for all constants $c$ is sufficient
- negligible functions will often be denoted by $\mathrm{negl}$

Proposition (3.6)

Let $\mathrm{negl}_1$ and $\mathrm{negl}_2$ be negligible functions and $p$ be a positive polynomial.

1. $\mathrm{negl}_1 + \mathrm{negl}_2$ is negligible.
2. $p \cdot \mathrm{negl}_1$ is negligible.


Why relaxations?

- Given $c$, you can run over all $k \in K$ and compute $\mathrm{Dec}_k(c)$. This tells you which messages were not sent. Running time proportional to $|K|$.
- Assume you know a pair $(m_0, c_0)$ with $c_0 = \mathrm{Enc}_k(m_0)$. Then you can find the key $k$ by testing $c_0 = \mathrm{Enc}_k(m_0)$. Running time proportional to $|K|$.
- Or you can randomly guess a key $k$ and check whether $c_0 = \mathrm{Enc}_k(m_0)$. Success probability: $1/|K|$.


Private key encryption scheme

Definition (3.7)

A private key encryption scheme is a tuple of ppt algorithms (Gen, Enc, Dec) such that

1. Gen on input $1^n$ ($n$ in unary) outputs a key $k$. W.l.o.g. $|k| \ge n$.
2. Enc on input $k$ and $m \in \{0,1\}^*$ outputs a ciphertext $c$.
3. Dec on input $k$ and $c$ outputs a message $m$.

For every $n$, every $k$ generated by Gen, and every $m \in \{0,1\}^*$,

$\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$.

If for fixed $n$, Enc is only defined on messages of length $\ell(n)$, then the scheme is called a fixed length private key encryption scheme.

- $n$ = security parameter (“the larger, the more secure”)
- scheme is stateless.
- Gen usually generates key uniformly at random.


Indistinguishability

The adversarial indistinguishability experiment $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n)$:

1. On input $1^n$, $A$ outputs messages $m_0$, $m_1$ with $|m_0| = |m_1|$.
2. $k \leftarrow \mathrm{Gen}(1^n)$ and $b \in \{0,1\}$ is chosen uniformly at random. $c \leftarrow \mathrm{Enc}_k(m_b)$ is given to $A$ (“challenge”).
3. $A$ outputs $b' \in \{0,1\}$.
4. $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = \begin{cases} 1 & b = b' \\ 0 & \text{otherwise} \end{cases}$

- $A$ polynomial time bounded ⟶ $|m_i| = \mathrm{poly}(n)$.
- $\Pi$ fixed length ⟶ $|m_i| = \ell(n)$.
- $A$ sees only one ciphertext and no further interaction ≈ eavesdropping of one ciphertext.


Indistinguishability (2)

Definition (3.8)

$\Pi$ = (Gen, Enc, Dec) has indistinguishable encryptions in the presence of an eavesdropper or is EAV-secure if for all ppt adversaries $A$ there is a negligible function $\mathrm{negl}$ such that for all $n$,

$\Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$.

(Probability is taken over randomness of $A$, $k$, $b$, and randomness of Enc.)

- perfectly secret encryption ⟹ EAV-secure
- goal: key shorter than message


Semantic security

Definition (3.12)

(Enc, Dec) is semantically secure in the presence of an eavesdropper if for every ppt algorithm $A$ there is a ppt algorithm $A'$ such that for every ppt algorithm Samp and polynomial time computable functions $f$ and $h$,

$\left| \Pr[A(1^n, \mathrm{Enc}_k(m), h(m)) = f(m)] - \Pr[A'(1^n, |m|, h(m)) = f(m)] \right| \le \mathrm{negl}(n)$.

First probability is taken over uniform $k \in \{0,1\}^n$, $m \leftarrow \mathrm{Samp}(1^n)$, randomness of $A$, randomness of Enc. Second probability is taken over $m \leftarrow \mathrm{Samp}(1^n)$ and randomness of $A'$.


Semantic security (2)

- $\Pr[A(1^n, \mathrm{Enc}_k(m), h(m)) = f(m)]$: adversary gets a ciphertext and has some information $h(m)$. $A$ tries to guess the information $f(m)$.
- $A'$ has almost the same chance of guessing $f(m)$ without knowing the ciphertext.
- “No (polynomial time computable) information is leaked.”

Theorem (3.13)

A private-key encryption scheme is EAV-secure iff it is semantically secure.

EAV-secure is easier to work with.


Pseudorandom generators

Definition (3.14)

Let $\ell$ be a polynomial and let $G$ be a deterministic polynomial time algorithm such that for each $s \in \{0,1\}^n$, $G(s) \in \{0,1\}^{\ell(n)}$. $G$ is a pseudorandom generator if

1. $\ell(n) > n$ for all $n$,
2. for any ppt algorithm $D$, $\left| \Pr_{s \in \{0,1\}^n}[D(G(s)) = 1] - \Pr_{r \in \{0,1\}^{\ell(n)}}[D(r) = 1] \right| \le \mathrm{negl}(n)$ for all $n$.

probability also taken over internal randomness of $D$

$\ell$ = expansion factor


A secure fixed-length encryption scheme

Construction (3.17)

$G$ prg with expansion factor $\ell$.

- Gen: on input $1^n$, return $k \in \{0,1\}^n$ uniformly at random.
- Enc: given key $k$ and message $m \in \{0,1\}^{\ell(n)}$, output $c := G(k) \oplus m$.
- Dec: given key $k$ and ciphertext $c \in \{0,1\}^{\ell(n)}$, output $m := G(k) \oplus c$.

Theorem (3.18)

If G is a prg, then Construction 3.17 is EAV-secure.


Proofs by reduction

Assumption: Existence of pseudorandom generators.

- Assume that the scheme is not EAV-secure. Let $A$ be an attacker with nonnegligible success probability.
- Construct a distinguisher who breaks the assumption, i.e., algorithm $D$ who can distinguish the output of $G$ from a uniform distribution with nonnegligible success probability.


Proof of Thm 3.18

Distinguisher $D$

Input: $w \in \{0,1\}^{\ell(n)}$

1. Run $A(1^n)$ to obtain $m_0, m_1 \in \{0,1\}^{\ell(n)}$.
2. Choose $b \in \{0,1\}$ at random. Set $c := w \oplus m_b$.
3. Give $c$ to $A$ and get output $b'$. Return 1 if $b' = b$ and 0 otherwise.
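The reduction can be watched at work when G is not a prg. The following is an added example, not part of the original slides: it instantiates Construction 3.17 with a deliberately bad generator G(s) = s || s, gives an adversary A that exploits it, and builds D from A exactly as in steps 1 to 3 above. The names `weak_g`, `Adversary`, `distinguisher` and `estimate`, and the parameter N, are assumptions of this example.

```python
import random  # reproducible simulation only, not a cryptographic RNG

N = 16  # seed length n in bytes (constructed toy parameter)

def rand_bytes(rng, k):
    return bytes(rng.getrandbits(8) for _ in range(k))

def weak_g(s):
    """Deliberately bad generator: G(s) = s || s, expansion l(n) = 2n."""
    return s + s

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Adversary:
    """EAV adversary A against Construction 3.17 instantiated with weak_g."""
    def messages(self):
        m0 = bytes(2 * N)                # 0^{2n}
        m1 = bytes(N) + b"\xff" * N      # 0^n || 1^n
        return m0, m1

    def guess(self, c):
        # If c = (s || s) xor m_b, the halves of c differ exactly when b = 1.
        return 0 if c[:N] == c[N:] else 1

def distinguisher(w, adv, rng):
    """D from the proof: use w as the pad, output 1 iff A guesses b."""
    m0, m1 = adv.messages()              # step 1
    b = rng.randrange(2)                 # step 2
    c = xor(w, (m0, m1)[b])
    return 1 if adv.guess(c) == b else 0 # step 3

def pseudo(rng):
    """w = G(s) for a uniform seed s."""
    return weak_g(rand_bytes(rng, N))

def uniform(rng):
    """w uniform in {0,1}^{l(n)}."""
    return rand_bytes(rng, 2 * N)

def estimate(sample_w, trials=2000, seed=1):
    """Empirical Pr[D(w) = 1] when w is drawn by sample_w."""
    rng = random.Random(seed)
    adv = Adversary()
    hits = sum(distinguisher(sample_w(rng), adv, rng) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    p_g, p_r = estimate(pseudo), estimate(uniform)
    print(f"Pr[D(G(s))=1] ~ {p_g:.3f}   Pr[D(r)=1] ~ {p_r:.3f}")
```

On uniform w the ciphertext is a one-time pad, so A can do no better than 1/2; on w = G(s) the run is exactly the EAV experiment, so the gap between the two estimates is A's advantage.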


Stronger security notions

Multiple message eavesdropping experiment $\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}(n)$:

1. $A$ is given $1^n$ and it outputs two lists of messages $(m_{0,1}, \dots, m_{0,t})$ and $(m_{1,1}, \dots, m_{1,t})$ with $|m_{0,i}| = |m_{1,i}|$ for all $i$.
2. $k \leftarrow \mathrm{Gen}(1^n)$ is generated and $b \in \{0,1\}$ is chosen uniformly at random. Compute $c_i \leftarrow \mathrm{Enc}_k(m_{b,i})$ and give $(c_1, \dots, c_t)$ to $A$.
3. $A$ outputs a bit $b'$.
4. The output of the experiment is 1 if $b = b'$ and 0 otherwise.


Multiple encryptions

Definition (3.19)

$\Pi$ = (Gen, Enc, Dec) has indistinguishable multiple encryptions in the presence of an eavesdropper if for all ppt $A$,

$\Pr[\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$.

(probability over randomness of $A$ and $\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}$)

Theorem (3.21)

If $\Pi$ is a (stateless) encryption scheme in which Enc is deterministic, then $\Pi$ cannot have indistinguishable multiple encryptions in the presence of an eavesdropper.


Chosen plaintext attacks

CPA indistinguishability experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$

1. $k \leftarrow \mathrm{Gen}(1^n)$ is generated.
2. $A$ is given $1^n$ and oracle access to $\mathrm{Enc}_k(\cdot)$. He outputs two messages $m_0$, $m_1$ of the same length.
3. $b \in \{0,1\}$ is chosen uniformly at random and $c \leftarrow \mathrm{Enc}_k(m_b)$ is given to $A$.
4. $A$ outputs a bit $b'$ (with oracle access to $\mathrm{Enc}_k(\cdot)$).
5. The output of the experiment is 1 if $b = b'$ and 0 otherwise.

- oracle access to $\mathrm{Enc}_k$ ⟶ no knowledge of $k$!


Chosen plaintext attacks (2)

Definition (3.22)

$\Pi$ = (Gen, Enc, Dec) has indistinguishable encryptions under chosen-plaintext attacks or is CPA-secure if for all ppt $A$,

$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$.

(probability over randomness of $A$ and of experiment)


CPA-security for multiple encryptions

The LR-oracle experiment $\mathrm{PrivK}^{\mathrm{LR\text{-}cpa}}_{A,\Pi}(n)$

1. $k \leftarrow \mathrm{Gen}(1^n)$ is generated.
2. $b \in \{0,1\}$ is chosen uniformly at random.
3. $A$ is given $1^n$ and oracle access to $\mathrm{LR}_{k,b}(\cdot, \cdot)$.
4. $A$ outputs $b'$.
5. The output of the experiment is 1 if $b = b'$ and 0 otherwise.

- $\mathrm{LR}_{k,b}(m_0, m_1)$ returns $c \leftarrow \mathrm{Enc}_k(m_b)$
- no knowledge of $k$ or $b$!
- enables adaptive attacks


CPA-security for multiple encryptions (2)

Definition (3.23)

$\Pi$ has indistinguishable multiple encryptions under chosen-plaintext attacks if for all ppt $A$

$\Pr[\mathrm{PrivK}^{\mathrm{LR\text{-}cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n)$.

(probability over randomness of $A$ and of experiment)

Theorem (3.24)

Any private-key encryption scheme that is CPA-secure is also CPA-secure for multiple encryptions.


Fixed-length versus arbitrary length

- $\Pi$ = (Gen, Enc, Dec) fixed length scheme which is CPA-secure
- Define arbitrary length scheme $\Pi'$ = (Gen', Enc', Dec') as follows
  - Gen' = Gen
  - Cut message $m$ into pieces $m_1, \dots, m_t$ of length $\ell(n)$. $\mathrm{Enc}'_k(m) = \mathrm{Enc}_k(m_1), \dots, \mathrm{Enc}_k(m_t)$
  - Decryption Dec' is blockwise.

Theorem

$\Pi'$ is CPA-secure if $\Pi$ is CPA-secure.

Follows from Theorem 3.24.


Constructing CPA-secure encryption schemes

Keyed functions

- keyed function $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$.
- $F$ is efficient if $(k, x) \mapsto F(k, x)$ is polynomial time computable.
- $k \in \{0,1\}^*$ induces a function $F_k : \{0,1\}^* \to \{0,1\}^*$ by $F_k(x) := F(k, x)$.
- key length $\ell_{key}(n)$, input length $\ell_{in}(n)$, and output length $\ell_{out}(n)$: restrict $F_k$ to $\{0,1\}^{\ell_{in}(n)}$ and output has to be in $\{0,1\}^{\ell_{out}(n)}$.
- typically $\ell_{key}(n) = \ell_{in}(n) = \ell_{out}(n) = n$.


Pseudorandom functions

Definition (3.25)

Let $F$ be an efficient, length-preserving, keyed function. $F$ is pseudorandom if for all ppt distinguishers $D$,

$\left| \Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] \right| \le \mathrm{negl}(n)$.

(First probability over uniform choice of $k$, second probability over uniform choice of $f \in \mathrm{Func}_n$. Both over randomness of $D$.)

- $\mathrm{Func}_n$ set of all functions $\{0,1\}^n \to \{0,1\}^n$, $|\mathrm{Func}_n| = 2^{n 2^n}$
- |key space| = $2^n$
- input of $D$ is the oracle
- $k$ is not given to $D$


Pseudorandom permutations

keyed permutation: $\ell_{in}(n) = \ell_{out}(n)$, $F_k$ bijective for all $k$

pseudorandom: indistinguishable from random permutation

Proposition (3.27)

If $F$ is a pseudorandom permutation and $\ell_{in}(n) \ge n$, then $F$ is also a pseudorandom function.

Definition

A keyed permutation $F$ is efficient if there is a polynomial time algorithm computing $(k, x) \mapsto F_k(x)$ and a polynomial time algorithm computing $(k, y) \mapsto F_k^{-1}(y)$.


Pseudorandom permutations (2)

Definition

Let $F$ be an efficient, length-preserving, keyed permutation. $F$ is strongly pseudorandom if for all ppt $D$

$\left| \Pr[D^{F_k(\cdot), F_k^{-1}(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot), f^{-1}(\cdot)}(1^n) = 1] \right| \le \mathrm{negl}(n)$.

(first probability over $k$, second over $f \in \mathrm{Perm}_n$, both over $D$)

- $\mathrm{Perm}_n$ set of all permutations on $\{0,1\}^n$, $|\mathrm{Perm}_n| = (2^n)!$


Pseudorandom functions versus generators

$F$ pseudorandom ⟶ prg (“stream cipher”)

- Choose $s, I \in \{0,1\}^n$
- Repeat until we produced the desired number of bits:
  - output $F_s(I)$
  - $I := I + 1$.

prg $G$ with expansion factor $n 2^{t(n)}$ ⟶ prf $\{0,1\}^n \times \{0,1\}^{t(n)} \to \{0,1\}^n$

- interpret $G(k)$ as a table of values
- larger block lengths are possible but harder to achieve (Ch. 7.5)


CPA-secure encryption from prfs

Construction (3.30)

Let F be a prf.

- Gen: returns $k \in \{0,1\}^n$ uniformly at random
- Enc: on key $k \in \{0,1\}^n$ and message $m \in \{0,1\}^n$, choose $r \in \{0,1\}^n$ uniformly at random and output $c := \langle r, F_k(r) \oplus m \rangle$.
- Dec: on key $k \in \{0,1\}^n$ and ciphertext $c = \langle r, s \rangle$, output $m := F_k(r) \oplus s$.
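Theorem 3.21 and Construction 3.30 can be compared by running the multiple-message experiment against both the deterministic Construction 3.17 and the randomized Construction 3.30. This is an added example, not part of the original slides; SHAKE-256 as G and truncated HMAC-SHA256 as F are stand-ins assumed to behave as a prg and a prf, and all function names are chosen for this example.

```python
import hashlib
import hmac
import secrets

N = 16  # security parameter n in bytes (constructed toy value)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_317(k, m):
    """Construction 3.17: c := G(k) xor m, with G modelled by SHAKE-256 (assumption)."""
    return xor(hashlib.shake_256(k).digest(len(m)), m)

def prf(k, x):
    """Stand-in for F_k(x): HMAC-SHA256 truncated to n bytes (assumed to be a prf)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def enc_330(k, m):
    """Construction 3.30: c := <r, F_k(r) xor m> with fresh uniform r."""
    r = secrets.token_bytes(N)
    return r, xor(prf(k, r), m)

def dec_330(k, c):
    r, s = c
    return xor(prf(k, r), s)

def adversary_lists(mlen):
    """A's two lists with t = 2: (m, m) versus (m, m')."""
    m, m_other = b"\x00" * mlen, b"\xff" * mlen
    return (m, m), (m, m_other)

def adversary_guess(cts):
    """b' = 0 iff both ciphertexts are identical (repeated plaintext)."""
    return 0 if cts[0] == cts[1] else 1

def privk_mult(enc, mlen, trials=1000):
    """Fraction of runs of the multiple-message experiment that A wins."""
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(N)                 # k <- Gen(1^n)
        b = secrets.randbelow(2)
        cts = [enc(k, m) for m in adversary_lists(mlen)[b]]
        wins += adversary_guess(cts) == b
    return wins / trials

if __name__ == "__main__":
    print("deterministic 3.17:", privk_mult(enc_317, 2 * N))
    print("randomized 3.30:   ", privk_mult(enc_330, N))
```

Against the deterministic scheme A wins every run; against Construction 3.30 the two ciphertexts always differ, so the same test carries no information about b and A wins about half the time.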


CPA-secure encryption—proof

Theorem (3.31)

If $F$ is a prf, then Construction 3.30 is CPA-secure for messages of length $n$.

Distinguisher $D$: has oracle access to $O : \{0,1\}^n \to \{0,1\}^n$

1. Run $A(1^n)$. When $A$ queries its oracle, then:
   - Query $O(r)$ on random $r \in \{0,1\}^n$ and obtain answer $y$.
   - Return $\langle r, y \oplus m \rangle$ to $A$.
2. When $A$ outputs $m_0, m_1$, choose $b \in \{0,1\}$ uniformly at random:
   - Query $O(r)$ on random $r \in \{0,1\}^n$ and obtain answer $y$.
   - Return challenge $\langle r, y \oplus m_b \rangle$ to $A$
3. Answer oracle queries of $A$ as above. When $A$ outputs $b'$, then output 1 if $b = b'$ and 0 otherwise.


Stream ciphers and block ciphers

In practice:

- Stream ciphers produce a stream of pseudorandom bits
- CPA-secure, variable-length schemes based on prg-like construction
- block ciphers are practical implementations of prfs (or prps)
- they are put into a “mode of operation” for repeated use.

(Definitions are somewhat blurry. . . )


Stream Ciphers

Algorithm (3.16)

Input: seed $s$, initialisation vector $IV$

Output: $y_1, \dots, y_\ell$

1. $st_0 := \mathrm{Init}(s, IV)$
2. for $i := 1$ to $\ell$ do
3. $(y_i, st_i) := \mathrm{GetBits}(st_{i-1})$
4. return $y_1, \dots, y_\ell$

produces pseudorandom bits one after another


Synchronized mode

Prg $G_\infty$ with variable output length:

- $G_\infty(s, 1^\ell)$ returns $\ell$ bits like in Construction 3.17
- Encryption: $c := G_\infty(k, 1^{|m|}) \oplus m$
- Decryption: $m := G_\infty(k, 1^{|c|}) \oplus c$
- can be even used to encrypt/decrypt multiple messages by sharing the current state of the stream cipher
- no initialisation vector is needed


Unsynchronized mode

- allows stateless CPA-secure encryption of arbitrary length messages
- $G_\infty(s, IV, 1^\ell)$ returns $\ell$ bits like in Construction 3.17
- Encryption: $c := \langle IV, G_\infty(s, IV, 1^{|m|}) \oplus m \rangle$, $IV$ chosen uniformly at random.
- Decryption of $\langle IV, c' \rangle$: $m := G_\infty(s, IV, 1^{|m|}) \oplus c'$.
- CPA-secure if $F_k(IV) := G_\infty(k, IV, 1^\ell)$ is a prf for any $\ell = \mathrm{poly}(n)$.


Block ciphers—modes of operation

Recall Construction 3.10:

- Prf $F$, encode $m$ as $\langle r, F_k(r) \oplus m \rangle$
- Drawback: message length is doubled

Solution: Block ciphers


Electronic code book mode (ECB)

Crap.


Cipher block chaining mode (CBC)

- Encryption: $c_i := F_k(c_{i-1} \oplus m_i)$
- Decryption: $m_i := F_k^{-1}(c_i) \oplus c_{i-1}$
- IV needs to be included, IV is random
- CPA-secure if $F$ is prp.
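The ECB and CBC slides can be compared on a message with repeated blocks. This is an added example, not part of the original slides: the keyed permutation is a toy 4-round Feistel network whose round function is truncated HMAC-SHA256 (assumed to be a prf), messages are assumed to be a multiple of the block length, and all names are chosen for this example.

```python
import hashlib
import hmac
import secrets

H = 16          # half-block length in bytes (constructed toy parameter)
BLOCK = 2 * H   # block length n in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(k, rnd, x):
    """Feistel round function: HMAC-SHA256 truncated (assumed to be a prf)."""
    return hmac.new(k, bytes([rnd]) + x, hashlib.sha256).digest()[:H]

def perm(k, x):
    """Toy keyed permutation F_k: 4-round Feistel network over BLOCK bytes."""
    left, right = x[:H], x[H:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(k, rnd, right))
    return left + right

def perm_inv(k, y):
    """F_k^{-1}: undo the rounds in reverse order."""
    left, right = y[:H], y[H:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(k, rnd, left)), left
    return left + right

def blocks(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block length")
    return [data[j:j + BLOCK] for j in range(0, len(data), BLOCK)]

def ecb_encrypt(k, m):
    """ECB: c_i := F_k(m_i), deterministic and block-by-block."""
    return b"".join(perm(k, mi) for mi in blocks(m))

def cbc_encrypt(k, m):
    """CBC: c_0 := IV (uniform), c_i := F_k(c_{i-1} xor m_i)."""
    out = [secrets.token_bytes(BLOCK)]
    for mi in blocks(m):
        out.append(perm(k, xor(out[-1], mi)))
    return b"".join(out)

def cbc_decrypt(k, c):
    """CBC: m_i := F_k^{-1}(c_i) xor c_{i-1}."""
    cs = blocks(c)
    return b"".join(xor(perm_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

def repeated_blocks(c):
    """Number of ciphertext blocks that duplicate an earlier block."""
    cs = blocks(c)
    return len(cs) - len(set(cs))
```

For a message of three identical blocks followed by a different one, `repeated_blocks` reports 2 under ECB and 0 under CBC: ECB exposes which plaintext blocks are equal, while the chaining and random IV hide it.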


Chained CBC

- Stateful variant of CBC
- can be attacked


Output feedback mode (OFB)

- CPA-secure if $F$ is a prf.
- Evaluation of $F$ can be done before actual encryption


Counter mode (CTR)

- $ctr \in \{0,1\}^n$ is chosen uniformly at random.
- Encryption: $c_i := m_i \oplus F_k(ctr + i)$.
- CTR can be parallelized.
- $i$th block can be decrypted individually with only one evaluation of $F$.

Theorem

If F is a prf, then CTR is CPA-secure.
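Counter mode as described above, which uses the same counter idea as the earlier "F pseudorandom ⟶ prg" slide, written out as an added example that is not part of the original slides. Truncated HMAC-SHA256 stands in for F (assumed to be a prf), ctr + i is taken modulo 2^n, and all names are chosen for this example; the last function shows why ctr has to be fresh for every message.

```python
import hashlib
import hmac
import secrets

N = 16  # block length n in bytes (constructed toy parameter)

def prf(k, x):
    """Stand-in for F_k: HMAC-SHA256 truncated to n bytes (assumed to be a prf)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def keystream_block(k, ctr, i):
    """F_k(ctr + i), with addition modulo 2^n on the n-bit counter."""
    v = (int.from_bytes(ctr, "big") + i) % (1 << (8 * N))
    return prf(k, v.to_bytes(N, "big"))

def xor(a, b):
    # zip truncates to the shorter input, which handles a short final block
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[j:j + N] for j in range(0, len(data), N)]

def ctr_encrypt(k, m, ctr=None):
    """c_0 := ctr (uniform unless supplied), c_i := m_i xor F_k(ctr + i)."""
    ctr = secrets.token_bytes(N) if ctr is None else ctr
    body = b"".join(xor(mi, keystream_block(k, ctr, i))
                    for i, mi in enumerate(blocks(m), 1))
    return ctr, body

def ctr_decrypt(k, c):
    ctr, body = c
    return b"".join(xor(ci, keystream_block(k, ctr, i))
                    for i, ci in enumerate(blocks(body), 1))

def ctr_decrypt_block(k, c, i):
    """Recover only block m_i (1-based) with a single evaluation of F."""
    ctr, body = c
    return xor(body[(i - 1) * N:i * N], keystream_block(k, ctr, i))

def pads_cancel_on_reuse(k, m_a, m_b):
    """With a repeated ctr the pads cancel: c_a xor c_b equals m_a xor m_b."""
    ctr = secrets.token_bytes(N)
    _, c_a = ctr_encrypt(k, m_a, ctr)
    _, c_b = ctr_encrypt(k, m_b, ctr)
    return xor(c_a, c_b) == xor(m_a, m_b)
```

Each block depends only on k, ctr and its index, which is what makes encryption parallelizable and single-block decryption possible.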