CIS 5371 Cryptography 3b. Pseudorandomness B
advertisement
CIS 5371 Cryptography
3b. Pseudorandomness
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
1
Pseudorandomness
An introduction
• A distribution D is pseudorandom if no PPT
distinguisher can detect if it a string sampled
according to D or chosen uniformly at random.
• This is formalized by requiring that every PPT
algorithm outputs 1 with almost the same
probability when given a truly random string
as when given a pseudorandom string.
2
Pseudorandomness
An introduction
• A pseudorandom generator is a
deterministic algorithm that given a short
truly random seed of length n will stretch
it to into a longer string of length π(π)
that is pseudorandom.
3
Existence of pseudorandom
generators
• We cannot prove that pseudorandom
generators exist!
• We believe that such generators can be
constructed from one-way functions.
• There are some long-standing problems
that have no efficient solution and it is
believed that they are unsolvable in
polynomial time.
4
Pseudorandom generators
informal definition
• A distribution D is pseudorandom if no PPT
distinguisher can detect if it is given a string
sampled according to D or a string chosen
uniformly at random.
• This can be formalized by requiring that a PPT
distinguisher D outputs 1 with almost the
same probability when given a truly random
string and when given a pseudorandom string.
5
Pseudorandomness
Definition
Let π(β) be a polynomial and πΊ a deterministic
polynomial-time algorithm that for any π and any
input π π {0,1}π will output string of length π(π).
πΊ is a pseudorandom generator if:
• π π >π
• ∀ PPT distinguishers π·, ∃ π negl function with:
| Pr π· π = 1 − Pr π· πΊ π = 1 ≤ negl(n)
where π is uniform random string of length π π , π ππ
is uniform random of length π and the probabilities
are taken over the coins used by π· and the choices
of π, π .
6
Stream Ciphers
A stream cipher is a deterministic algorithm
(Init, GetBits) where,
•
•
Init takes as input a seed π and an optional
initialization vector πΌπ and outputs a state π π‘0 .
GetBits takes as input π π‘π and outputs a bit π¦
and state π π‘π+1
7
Algorithm 3.16
Construct πΊπ from (Init, GetBits)
Input: Seed π and optional πΌπ.
Output: π¦1 , … , π¦π
π π‘0 β Init(π , πΌπ)
for π = 1 to π:
π¦π , π π‘π β GetBits π π‘π−1
return π¦1 , … , π¦π
8
A secure fixed length
encryption scheme
π
ππ ππ’ππππππππ
πππππππ‘ππ
πππ
ππππππ‘ππ₯π‘
πππ
πππβπππ‘ππ₯π‘
9
A secure fixed length encryption
Protocol Π
Let πΊ be a pseudorandom generator with expansion
factor π. Define a private-key encryption scheme
for messages of length π as follows
• Gen: on input 1π choose π ο¬ {0,1}π uniformly at
random and output π as key.
• Enc: on input a key π ο {0,1}π and a message
πο{0,1}π(π) output the ciphertext
π βG π ο
π.
• Dec: on input a key π ο {0,1}π and a ciphertext
cο{0,1}π(π) output the plaintext
π βG π ο
π.
10
A secure fixed length encryption
Theorem
If πΊ be a pseudorandom generator then
protocol ο is a fixed-length private-key
encryption scheme that has
indistinguishable encryptions in the
presence of an eavesdropper.
11
A secure fixed length encryption
Reduction
Adversary A’
(Distinguisher D)
Adversary A (Protocol ο)
1π
π€
choose a random bit π
compute ππ : = w ο
ππ
1 if π ′ = π
0 if π ′ οΉ π
π0 , π1
ππ
Suppose that A
succeeds with
probability π(π)
π′
12
A secure fixed length encryption
Proof
•
when π€ is uniform random we have
Pr π· π€ = 1 = Pr
•
PrivK eav (π΄, ο
π =1 =
1
.
2
when π€ = πΊ(π) we have
Pr π· πΊ π
= 1 = Pr PrivK eav (π΄, ο π = 1
Since πΊ is a pseudorandom generator
| Pr π· π€ = 1 - Pr π· πΊ π
= 1 | ≤ negl
Therefore
|
1
2
− Pr PrivK eav π΄, ο π = 1 | ≤ negl.
13
Stream ciphers
• We can easily modify the earlier construction
for the encryption scheme ο for variable
output length PRG.
• In this case,
• π β G π, 1 π ο
π .
• π β G π, 1|π| ο
π .
14
Discussion
• We use the term
• stream cipher
for the PR stream generator,
• not the encryption algorithm.
• There are a number of practical
constructions of stream ciphers that are
extraordinarily fast, such as the stream
cipher RC4.
15
Discussion
• The WEP encryption protocol for 802.11
used RC4 and was broken.
• But since then it is fixed---and the standard
updated.
• If RC4 has to be used the first 1024 bits or
so should be discarded.
16
Discussion
• From a security point of view it is
advocated to use block cipher constructions
for constructing secure encryption
schemes.
• This disadvantage is that this approach is
less efficient when compared to using a
dedicated stream cipher.
17
Multi-message eavesdropping
mult
experiment PrivK
(π΄,ο)(π)
1. The adversary π΄ is given input 1π and outputs a pair
of vectors of messages π10 , … , π0π‘ and π11 , … , π1π‘
witβ |π0π = |π1π for all π.
2. A key π is generated runnng πΊππ 1π and a random bit
π ο¬ 0,1 is chosen. For all π the ciphertext πππ ο¬ Enππ πππ
is computed and the vector of ciphertexts ππ1 , … , πππ‘
is given to π΄.
3. .π΄ outputs a bit π ′ .
4. The output of the experiment iπ 1 if π = π ′ and 0 otherwise.
18
Definition
A private-key encryption scheme ο=(Gen,Enc,Dec)
that has indistinguishable multiple encryptions in
the presence of an eavesdropper satisfies:
ο’ PPT Adversary π΄, ο€ a negligible function negl:
Pr[PrivK
mult
(π΄, ο) π = 1] ≤
1
2
+ negl π ,
where the probability is taken over the random
coins of π΄, and the experiment.
19
Indistinguishable single encryptions vs
indistinguishable multi encryptions
• The secure fixed length encryption Protocol Π
presented earlier is deterministic and cannot
be used as a construction for a
indistinguishable multi encryptions.
• To see why use the experiment PrivK mult for
the pair of vector messages (0π , 0π ) and
0π , 1π .
20
Secure multiple encryptions using a
stream-cipher mode of operation
• Synchronized mode
• Communicating parties use a different
part of the stream cipher output to
encrypt a message.
πΈπππ π β ο‘πΊ∞ π , 1|π| ο
πο±
• Useful for parties communicating in the
same session.
• Communicating parties must maintain
state between encryptions.
21
Secure multiple encryptions
stream-cipher mode of operation
Unsynchronized mode
ο§ Encryptions are carried out independently
of one another.
ο§ Communicating parties are not required to
maintain state between encryptions.
ο§ πΈπππ π β ο‘πΌπ, πΊ∞ π , πΌπ, 1|π| ο
πο±
where the initial vector πΌπ ο¬ {0,1}π is
chosen at random.
22
Security against ChosenPlaintext Attack (CPA)
ο§ We now consider a more powerful adversary
that is active.
ο§ The adversary can ask for the encryptions of
some specific plaintext messages, as well as
eavesdrop.
23
The CPA indistinguishability
experiment PrivK cpa (π΄,ο)(π)
1.
A key π is generated runnng Gen 1π .
2.
The adversary π΄ is given input 1π and oracle access to Enππ β ,
and outputs a pair of messages π0 , π1 of equal length.
3. A random bit π ο¬ 0,1 is chosen and a ciphertext
c ο¬ Enππ ππ is computed and given to π΄.
4. Adversary π΄ continues to have oracle access to Enππ β , and
outputs a bit π ′ .
5. The output of the experiment iπ 1 if π = π ′ and 0 otherwise.
24
Indistinguishable encryptions under CPA
Definition
A private-key encryption scheme ο = Gen, Enc, Dec
has indistinguishable encryptions under CPA if
∀ PPT adversaries π΄, ∃ a negl function such that,
Pr[PrivKcpa
π΄, ο
π = 1] ≤
1
2
+ negl π ,
where the probability is taken over the coins of A
and those of the experiment.
25
CPA security for multiple encryptions
ο§ As for single encryption, extend the experiment
to PrivK cpa in which the adversary outputs a
pair of vectors of plaintext.
ο§ Any private-key encryption scheme that has
indistinguishable encryptions under CPA also
has indistinguishable multiple encryptions
under CPA
26
