CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B

3. Private-Key Encryption and Pseudorandomness
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
A Computational Approach to Cryptography
• The principle of Kerckhoffs essentially says that it is not necessary to use a perfectly-secret encryption scheme; it suffices to use a scheme that cannot be broken in reasonable time with any reasonable probability of success.
• That is, it suffices to use an encryption scheme that
  • can be broken in theory,
  • but cannot be broken in practice with probability better than $10^{-30}$ in 200 years using the fastest available supercomputer.
A Computational Approach
1. Security is only preserved against efficient adversaries.
2. Adversaries can potentially succeed with some very small probability (small enough that we are not concerned it will ever really happen).
A concrete approach
$2^{-64}$.
The asymptotic approach
The asymptotic approach – an example
The effect that availability of faster computers might have on security in practice:
• Say we have a cryptographic scheme where honest parties are required to run for $10^{6}\cdot n^{2}$ cycles, and for which an adversary running for $10^{8}\cdot n^{4}$ cycles can succeed in breaking the scheme with probability $2^{30}\cdot 2^{-n}$.
$2^{-80}$.
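Worked arithmetic for this example, added here and not on the original slides. The message length $n = 110$ is an assumed value, chosen because it is the one for which the adversary's bound $2^{30}\cdot 2^{-n}$ equals the $2^{-80}$ quoted above; the second part shows the effect of faster machines using only the running times given on the previous slide.

$$
\begin{aligned}
2^{30}\cdot 2^{-n} = 2^{-80} &\iff n = 110, \\
\text{honest parties:}\quad 10^{6}\cdot 110^{2} &\approx 1.2\cdot 10^{10}\ \text{cycles},\\
\text{adversary:}\quad 10^{8}\cdot 110^{4} &\approx 1.5\cdot 10^{16}\ \text{cycles, succeeding with probability } 2^{30-110} = 2^{-80}.
\end{aligned}
$$

If machines become $4$ times faster, the honest parties can double the security parameter at unchanged wall-clock cost, since $10^{6}\cdot(2n)^{2} = 4\cdot 10^{6}\cdot n^{2}$, whereas the adversary's cost rises to $10^{8}\cdot(2n)^{4} = 16\cdot 10^{8}\cdot n^{4}$ (four times longer even on the faster machine) and its success probability falls to $2^{30}\cdot 2^{-2n} = (2^{30}\cdot 2^{-n})\cdot 2^{-n}$, i.e. from $2^{-80}$ to $2^{-190}$ for $n = 110$.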
• The asymptotic approach has the advantage of not depending on any specific assumptions regarding, e.g., the type of computer an adversary will use.
Efficient Algorithms
Generating randomness
There are a number of ways random bits are obtained in practice.
• One solution is to use a hardware random number generator that generates random bitstreams based on physical phenomena such as thermal/electrical noise or radioactive decay.
• Another possibility is to use a software random number generator that generates random bitstreams from unpredictable behavior such as the time between keystrokes, movement of the mouse, hard disk access times, and so on.
• Some modern operating systems provide functions of this sort.
• Note that, in either of these cases, the underlying unpredictable event is unlikely to directly yield uniformly-distributed bits, so further processing (conditioning) of the initial bitstream is needed. Techniques for doing this are complex and poorly understood.
• One must be careful in how random bits are chosen: the use of badly designed or inappropriate random number generators can often leave a good cryptosystem vulnerable to attack.
• Particular care must be taken to use a random number generator that is designed for cryptographic use (for example the operating system's interface, such as /dev/urandom or getrandom(2) on Linux, or a cryptographic library's CSPRNG), rather than a general-purpose random number generator such as C's rand(), java.util.Random or Python's random module, which may be fine for simulations but not for cryptographic purposes.
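As an added example (it is not from the slides or from Katz and Lindell), the following Python script shows concretely why a general-purpose generator is unfit for cryptographic use. Python's random module is MT19937; its output "tempering" step is an invertible bijection, so an observer who sees 624 consecutive 32-bit outputs can recover the full internal state and predict every later output, whatever the seed was. The victim generator, the seed value and the number of outputs skipped before observation are constructed for the demonstration; the secrets module (backed by the OS CSPRNG) is what to use instead.

```python
import random
import secrets

# MT19937 tempering masks (public constants of the algorithm).
MASK32 = 0xFFFFFFFF
B_MASK = 0x9D2C5680
C_MASK = 0xEFC60000
STATE_WORDS = 624


def temper(x: int) -> int:
    """The output transform MT19937 applies to a state word (used to self-check untemper)."""
    y = x & MASK32
    y ^= y >> 11
    y ^= (y << 7) & B_MASK
    y ^= (y << 15) & C_MASK
    y ^= y >> 18
    return y & MASK32


def _undo_xor_rshift(y: int, shift: int) -> int:
    # Invert x ^= x >> shift: the top `shift` bits of y already equal x's,
    # and each pass recovers the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_xor_lshift_mask(y: int, shift: int, mask: int) -> int:
    # Invert x ^= (x << shift) & mask, recovering bits from the bottom up.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Invert temper(): recover the raw state word from one 32-bit output."""
    y = _undo_xor_rshift(y, 18)
    y = _undo_xor_lshift_mask(y, 15, C_MASK)
    y = _undo_xor_lshift_mask(y, 7, B_MASK)
    y = _undo_xor_rshift(y, 11)
    return y


def clone_mt19937(outputs: list[int]) -> random.Random:
    """Rebuild a generator in the victim's exact state from 624 consecutive
    getrandbits(32) outputs. Index 624 makes the clone 'twist' before its
    first output, which is exactly what the victim will do next."""
    if len(outputs) != STATE_WORDS:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs]
    clone = random.Random()
    clone.setstate((3, tuple(state + [STATE_WORDS]), None))
    return clone


def predict_after_observing(seed: int, skipped: int = 100, n_predict: int = 8):
    """Constructed scenario: a 'victim' seeded with `seed` has already produced
    `skipped` values nobody saw; the attacker then observes 624 outputs and
    predicts the next `n_predict`. Returns (predicted, actual)."""
    victim = random.Random(seed)          # the seed is never used by the attacker
    for _ in range(skipped):
        victim.getrandbits(32)
    observed = [victim.getrandbits(32) for _ in range(STATE_WORDS)]
    clone = clone_mt19937(observed)
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    actual = [victim.getrandbits(32) for _ in range(n_predict)]
    return predicted, actual


def session_token() -> str:
    """What to use instead: the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    pred, act = predict_after_observing(seed=20240101)
    print("prediction correct:", pred == act)
    print("secrets.token_hex:", session_token())
```

The recovery works from any window of 624 consecutive outputs, not only from the first 624 after seeding, because the generator's state update is a recurrence over the previous 624 words; no amount of seed entropy helps once that many outputs are exposed (session identifiers, tokens, nonces), which is the practical meaning of "not designed for cryptographic use".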
Negligible Success
Proofs by Reduction
Strategy
1. Assume that some low-level problem is hard to solve.
2. Then prove that the construction in question is secure given this assumption.
The proof that a given construction is secure as long as some underlying problem is hard generally proceeds by presenting an explicit reduction showing how to convert
• any efficient adversary A that succeeds in breaking the construction with non-negligible probability
• into an efficient algorithm A′ that succeeds in solving the problem that was assumed to be hard.
To do this:
1. Fix some adversary A that succeeds in breaking a crypto construction Π with probability $\varepsilon(n)$.
2. Construct an algorithm A′ (the reduction) that attempts to solve problem X using adversary A as a subroutine.
3. Given some instance x of X, algorithm A′ simulates for A an instance of Π such that: if A breaks that instance of Π, then A′ can solve x with probability $1/p(n)$ for some polynomial $p$.
4. A′ gives the instance of Π to A to break. Then A′ solves instance x with probability
$$\frac{\varepsilon(n)}{p(n)}.$$
Figure: A′ hands A an instance of Π; A breaks it; A′ turns the break into a solution to x.
Computationally Secure Encryption
$(m)$
Equivalent version:
$$\bigl|\Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n,0) = 1] - \Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n,1) = 1]\bigr| \le \mathrm{negl}(n)$$
and $m$ is chosen uniformly at random from $\{0,1\}^n$.
Theorem
Let (Gen,Enc,Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then for all PPT adversaries $A$ and any $1 \le i \le n$ there is a negligible function negl such that:
$$\Pr\bigl[A(1^n, \mathrm{Enc}_k(m)) = m_i\bigr] \le \tfrac{1}{2} + \mathrm{negl}(n),$$
where $m$ is chosen uniformly from $\{0,1\}^n$, and the probability is taken over the random coins of $A$, the choice of $m$ and $k$, and any random coins used in the encryption process.
Proof of Theorem
We shall reduce the problem "indistinguishability of the bits of encrypted messages" to the problem "indistinguishability of the encryptions of the messages" in the presence of an eavesdropper: any adversary that predicts a bit of the plaintext from the ciphertext yields an adversary that distinguishes encryptions.
Security reduction: converting an adversary A into an algorithm A′
Figure: algorithm A′ (for the low-level reference problem X) receives an instance x of X and simulates for adversary A an instance of the protocol Π being analyzed; A returns a solution to that instance of Π, which A′ converts into a solution to x. Suppose A succeeds in solving Π with advantage $\varepsilon(n)$. The reduction then shows that A′ succeeds in solving x with advantage at least $\varepsilon(n)/p(n)$.
Proof, in detail
Let the advantage of $A$ be
$$\varepsilon'(n) = \Pr\bigl[A(\mathrm{Enc}_k(m)) = m_i\bigr] - \tfrac{1}{2}.$$
Let $i \le n$, let $I^n_0$ be the set of strings of length $n$ whose $i$-th bit is 0, and let $I^n_1$ be the set of strings of length $n$ whose $i$-th bit is 1.
Construct $A'$ as follows: choose $m_b$ uniformly from $I^n_b$ for $b = 0, 1$, output $(m_0, m_1)$, receive $c_b = \mathrm{Enc}_k(m_b)$, run $A$ on $c_b$, and output $A$'s bit prediction as the guess $b'$. Then
$$
\begin{aligned}
\Pr\bigl[\mathrm{PrivK}^{\mathrm{eav}}_{A',\Pi}(n) = 1\bigr]
&= \Pr\bigl[A(\mathrm{Enc}_k(m_b)) = b\bigr] = \tfrac{1}{2} + \varepsilon(n) \qquad (\varepsilon(n)\ \text{negligible, by indistinguishability})\\
&= \tfrac{1}{2}\Pr\bigl[A(\mathrm{Enc}_k(m_0)) = 0 \mid b = 0\bigr] + \tfrac{1}{2}\Pr\bigl[A(\mathrm{Enc}_k(m_1)) = 1 \mid b = 1\bigr]\\
&= \Pr\bigl[A(\mathrm{Enc}_k(m)) = m_i\bigr],
\end{aligned}
$$
where the last step holds because a uniform $b$ followed by a uniform $m_b \in I^n_b$ yields $m$ uniform in $\{0,1\}^n$ with $m_i = b$. Hence $\varepsilon' = \varepsilon$, which is negligible.
Proof of theorem – by reduction
Figure: algorithm A′ (message distinguisher) receives $1^n$, outputs $(m_0, m_1)$ and receives $c_b$; it passes $1^n$ and $c_b$ to adversary A (bit distinguisher), which returns $b'$, its prediction of the value of the $i$-th bit; A′ outputs the same $b'$ as its prediction of which message was encrypted. Suppose A succeeds with advantage $\varepsilon(n)$ in distinguishing the $i$-th bit of encrypted messages.
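To make the PrivK^eav game and the reduction above concrete, here is an added Python experiment (not from the slides) that runs both the bit-prediction experiment and the indistinguishability game against a deliberately broken toy scheme constructed for the purpose: a one-time pad whose key always has bit 0 cleared, so bit 0 of every plaintext appears unchanged in the ciphertext. The adversary A simply reads bit i of the ciphertext; A′ is built from A exactly as in the proof (m_0 drawn uniformly from I^n_0, m_1 from I^n_1, A's output forwarded as b′), and the measured success rates of the two are equal, as the proof says. The message length n = 16, the trial count and the RNG seed are assumptions of the experiment.

```python
import random

N = 16  # message/key length n (assumed small for the experiment)


class LeakyOTP:
    """Toy scheme constructed for the demonstration (not a real cipher):
    a one-time pad whose key always has bit 0 cleared, so bit 0 of the
    plaintext appears unchanged in the ciphertext."""

    def __init__(self, rng: random.Random):
        self.rng = rng

    def gen(self) -> int:                      # Gen(1^n)
        return self.rng.getrandbits(N) & ~1     # force key bit 0 to 0

    def enc(self, k: int, m: int) -> int:      # Enc_k(m) = m XOR k
        return m ^ k

    def dec(self, k: int, c: int) -> int:      # Dec_k(c) = c XOR k
        return c ^ k


def bit(x: int, i: int) -> int:
    return (x >> i) & 1


class BitGuesser:
    """Adversary A(1^n, c): predicts bit i of m by reading bit i of c."""

    def __init__(self, i: int):
        self.i = i

    def guess(self, c: int) -> int:
        return bit(c, self.i)


class ReductionAdversary:
    """A'(1^n) for PrivK^eav, built from A as in the proof: m_0 uniform in
    I^n_0 (bit i = 0), m_1 uniform in I^n_1 (bit i = 1); A's prediction of
    bit i is output directly as the guess b'."""

    def __init__(self, a: BitGuesser, rng: random.Random):
        self.a, self.rng = a, rng

    def choose(self) -> tuple[int, int]:
        m0 = self.rng.getrandbits(N) & ~(1 << self.a.i)
        m1 = self.rng.getrandbits(N) | (1 << self.a.i)
        return m0, m1

    def guess(self, c: int) -> int:
        return self.a.guess(c)


def privk_eav(scheme, adversary, rng: random.Random) -> int:
    """One run of PrivK^eav_{A',Pi}(n): 1 iff the adversary's b' equals b."""
    m0, m1 = adversary.choose()
    b = rng.getrandbits(1)
    k = scheme.gen()
    c = scheme.enc(k, m1 if b else m0)
    return int(adversary.guess(c) == b)


def bit_guess(scheme, a: BitGuesser, rng: random.Random) -> int:
    """One run of the bit-prediction experiment: m uniform in {0,1}^n,
    1 iff A(Enc_k(m)) = m_i."""
    m = rng.getrandbits(N)
    k = scheme.gen()
    return int(a.guess(scheme.enc(k, m)) == bit(m, a.i))


def success_rates(i: int, trials: int = 2000, seed: int = 1) -> tuple[float, float]:
    """Estimate Pr[A(Enc_k(m)) = m_i] and Pr[PrivK^eav_{A',Pi}(n) = 1] for
    bit position i; the proof says the two probabilities are equal."""
    rng = random.Random(seed)
    scheme = LeakyOTP(rng)
    a = BitGuesser(i)
    a_prime = ReductionAdversary(a, rng)
    p_bit = sum(bit_guess(scheme, a, rng) for _ in range(trials)) / trials
    p_eav = sum(privk_eav(scheme, a_prime, rng) for _ in range(trials)) / trials
    return p_bit, p_eav


if __name__ == "__main__":
    print("leaked bit 0:", success_rates(0))   # both 1.0
    print("padded bit 5:", success_rates(5))   # both about 0.5
```

For the leaked position i = 0 both rates are exactly 1, so A′ wins PrivK^eav with advantage 1/2 and the scheme fails indistinguishability outright; for a properly padded position such as i = 5 both rates sit at 1/2, illustrating the contrapositive: where encryptions are indistinguishable, no efficient A does better than guessing the bit.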
Semantic Security, Intro
Theorem. Let (Gen,Enc,Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then for every PPT adversary $A$ there exists a PPT algorithm $A'$ such that, for all polynomial-time computable functions $f$ and sampleable sets $S$, there is a negligible function negl such that:
$$\bigl|\Pr[A(1^n, \mathrm{Enc}_k(m)) = f(m)] - \Pr[A'(1^n) = f(m)]\bigr| \le \mathrm{negl}(n),$$
where the first probability is taken over uniform choice of $k \in \{0,1\}^n$ and $m \in S$, the randomness of $A$, and the randomness of Enc, and the second probability is taken over uniform choice of $m \in S$ and the randomness of $A'$.
Semantic Security: Definition
A private-key encryption scheme (Gen,Enc,Dec) is semantically secure in the presence of an eavesdropper if for every PPT algorithm $A$ there exists a PPT algorithm $A'$ such that, for every PPT algorithm Samp and polynomial-time computable functions $f$ and $h$, the following is negligible:
$$\bigl|\Pr[A(1^n, \mathrm{Enc}_k(m), h(m)) = f(m)] - \Pr[A'(1^n, |m|, h(m)) = f(m)]\bigr|,$$
where $m$ is the output of $\mathrm{Samp}(1^n)$, and the probabilities are taken over the choice of $m$ and $k$ and the random coins of $A$ and $A'$. Note that $A'$ receives only the length $|m|$ and the leakage $h(m)$, never $m$ itself.
Semantic Security: Theorem
A private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if and only if it is semantically secure in the presence of an eavesdropper.