CIS 5371 Cryptography

3b. Pseudorandomness.
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Pseudorandomness
An introduction
• A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random.
• This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.
Pseudorandomness
An introduction
• A pseudorandom generator is a deterministic algorithm that, given a short truly random seed of length $n$, stretches it into a longer string of length $\ell(n)$ that is pseudorandom.
Existence of pseudorandom
generators
• We cannot prove that pseudorandom generators exist!
• We believe that such generators can be constructed from one-way functions.
• There are some long-standing problems for which no efficient solution is known, and it is believed that they are unsolvable in polynomial time.
Pseudorandom generators
informal definition
• A distribution D is pseudorandom if no PPT distinguisher can detect whether it is given a string sampled according to D or a string chosen uniformly at random.
• This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string and when given a pseudorandom string.
Pseudorandomness
Definition
Let $\ell(\cdot)$ be a polynomial and $G$ a deterministic polynomial-time algorithm that on input any $s \in \{0,1\}^n$ outputs a string of length $\ell(n)$. $G$ is a pseudorandom generator if:
• $\ell(n) > n$;
• for all PPT distinguishers $D$ there exists a negligible function negl such that
  $|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]| \le \mathrm{negl}(n)$,
where $r$ is a uniformly random string of length $\ell(n)$, $s$ is a uniformly random string of length $n$, and the probabilities are taken over the coins used by $D$ and the choices of $r$ and $s$.
A secure fixed length
encryption scheme
[Figure: the key $k$ is fed to a pseudorandom generator to produce a pad; the pad is XORed with the plaintext to give the ciphertext.]
A secure fixed length encryption
Protocol Π
Let $G$ be a pseudorandom generator with expansion factor $\ell$. Define a private-key encryption scheme for messages of length $\ell(n)$ as follows:
• Gen: on input $1^n$ choose $k \leftarrow \{0,1\}^n$ uniformly at random and output $k$ as the key.
• Enc: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^{\ell(n)}$ output the ciphertext $c := G(k) \oplus m$.
• Dec: on input a key $k \in \{0,1\}^n$ and a ciphertext $c \in \{0,1\}^{\ell(n)}$ output the plaintext $m := G(k) \oplus c$.
A secure fixed length encryption
Theorem
If $G$ is a pseudorandom generator then Protocol Π is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.
A secure fixed length encryption
Reduction
[Figure: the distinguisher $D$ (adversary $A'$) runs the eavesdropping adversary $A$ against Protocol Π as a subroutine.]
• $D$ is given $1^n$ and a string $w$ of length $\ell(n)$.
• $D$ runs $A(1^n)$, which outputs two messages $m_0, m_1$.
• $D$ chooses a random bit $b$, computes $c_b := w \oplus m_b$ and gives $c_b$ to $A$.
• $A$ outputs a bit $b'$; $D$ outputs 1 if $b' = b$ and 0 if $b' \ne b$.
Suppose that $A$ succeeds with probability $\tfrac{1}{2} + \varepsilon(n)$.
A secure fixed length encryption
Proof
Let $\varepsilon(n) = \Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] - \tfrac{1}{2}$. Then,
• when $w$ is uniformly random, $c_b$ is a one-time pad encryption of $m_b$, so $\Pr[D(w) = 1] = \tfrac{1}{2}$;
• when $w = G(k)$ we have $\Pr[D(w) = 1] = \Pr[D(G(k)) = 1] = \Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] = \tfrac{1}{2} + \varepsilon(n)$.
A secure fixed length encryption
Proof
Therefore, when $w$ is chosen uniformly in $\{0,1\}^{\ell(n)}$:
$|\Pr[D(w) = 1] - \Pr[D(G(k)) = 1]| = \varepsilon(n)$.
Since $G$ is a pseudorandom generator, $\varepsilon(n)$ must be negligible, which proves the theorem.
Variable output length pseudorandom generators
A deterministic polynomial-time algorithm $G$ is a variable output-length pseudorandom generator if:
1. Let $s$ be a string and $\ell > 0$ an integer. Then $G(s, 1^\ell)$ outputs a string of length $\ell$.
2. For all $s, \ell, \ell'$ with $\ell < \ell'$, the string $G(s, 1^\ell)$ is a prefix of $G(s, 1^{\ell'})$.
Define $G_\ell(s) \stackrel{\mathrm{def}}{=} G(s, 1^{\ell(|s|)})$. Then for every polynomial $\ell$ it holds that $G_\ell$ is a pseudorandom generator with expansion factor $\ell$.
Stream ciphers
• We can easily modify the earlier construction for the encryption scheme Π to use a variable output-length PRG.
• In this case,
  • $c := G(k, 1^{|m|}) \oplus m$,
  • $m := G(k, 1^{|c|}) \oplus c$.
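As an added example (not from the slides or from Katz and Lindell), here is the stream-cipher construction above, the prefix check from the variable output-length PRG definition, and, as the special case of a fixed message length, Protocol Π. SHAKE-256 standing in for $G(s, 1^\ell)$ is an assumption: the slides name no concrete generator, and SHAKE is used only because its output for a given seed is prefix-consistent.

```python
import hashlib
import os

def G(seed: bytes, length: int) -> bytes:
    """Stand-in for the variable output-length PRG G(s, 1^l) (assumption: SHAKE-256
    as an XOF, whose output for a fixed seed is prefix-consistent)."""
    return hashlib.shake_256(seed).digest(length)

def prefix_property_holds(seed: bytes, l: int, l_prime: int) -> bool:
    """Requirement 2 of the definition: G(s, 1^l) is a prefix of G(s, 1^l') when l < l'."""
    if not 0 < l < l_prime:
        raise ValueError("need 0 < l < l'")
    return G(seed, l_prime)[:l] == G(seed, l)

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def gen(n: int) -> bytes:
    """Gen(1^n): a uniformly random key (n counted in bytes here)."""
    return os.urandom(n)

def enc(k: bytes, m: bytes) -> bytes:
    """Enc_k(m) := G(k, 1^|m|) XOR m.  Deterministic: the same (k, m) always gives the same c."""
    return xor(G(k, len(m)), m)

def dec(k: bytes, c: bytes) -> bytes:
    """Dec_k(c) := G(k, 1^|c|) XOR c."""
    return xor(G(k, len(c)), c)

def enc_fixed(k: bytes, m: bytes, ell: int) -> bytes:
    """Protocol Pi for fixed message length ell: c := G(k) XOR m with G = G_ell."""
    if len(m) != ell:
        raise ValueError("Protocol Pi only encrypts messages of length ell")
    return xor(G(k, ell), m)

def ciphertext_prefix_consistent(k: bytes, m: bytes, l: int) -> bool:
    """Consequence of the prefix property: encrypting the first l bytes of m gives
    exactly the first l bytes of the encryption of the whole m under the same key."""
    return enc(k, m[:l]) == enc(k, m)[:l]
```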
Discussion
• We use the term stream cipher for the pseudorandom stream generator, not for the encryption algorithm.
• There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.
Discussion
• The WEP encryption protocol for 802.11 used RC4 and was broken.
• But since then it has been fixed and the standard updated.
• If RC4 has to be used, the first 1024 bits or so of its output should be discarded.
• RC4 itself is now considered broken: practical attacks on its keystream biases exist, and RFC 7465 prohibits RC4 cipher suites in TLS.
Discussion
• From a security point of view it is advocated to use block cipher constructions for building secure encryption schemes.
• The disadvantage is that this approach is less efficient than using a dedicated stream cipher.
Multi-message eavesdropping experiment $\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}(n)$
1. The adversary $A$ is given input $1^n$ and outputs a pair of vectors of messages $(m_0^1, \ldots, m_0^t)$ and $(m_1^1, \ldots, m_1^t)$ with $|m_0^i| = |m_1^i|$ for all $i$.
2. A key $k$ is generated by running $\mathrm{Gen}(1^n)$ and a random bit $b \in \{0,1\}$ is chosen. For all $i$ the ciphertext $c^i \leftarrow \mathrm{Enc}_k(m_b^i)$ is computed and the vector of ciphertexts $(c^1, \ldots, c^t)$ is given to $A$.
3. $A$ outputs a bit $b'$.
4. The output of the experiment is 1 if $b = b'$ and 0 otherwise.
Definition
A private-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ has indistinguishable multiple encryptions in the presence of an eavesdropper if for all PPT adversaries $A$ there exists a negligible function negl such that
$\Pr[\mathrm{PrivK}^{\mathrm{mult}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$,
where the probability is taken over the random coins of $A$ and of the experiment.
Indistinguishable single encryptions vs indistinguishable multiple encryptions
• The secure fixed-length encryption Protocol Π presented earlier is deterministic and cannot be used as a construction with indistinguishable multiple encryptions.
• To see why, we use the experiment $\mathrm{PrivK}^{\mathrm{mult}}$ with the pair of message vectors $(0^n, 0^n)$ and $(0^n, 1^n)$: in the first case the two ciphertexts are identical and in the second they differ, so $A$ can output $b' = 0$ exactly when the two ciphertexts coincide and succeeds with probability 1.
Secure multiple encryptions using a stream cipher
• Synchronized mode
  • Communicating parties use a different part of the stream cipher output to encrypt each message.
  • Useful for parties communicating in the same session.
  • Communicating parties must maintain state between encryptions.
Secure multiple encryptions using a stream cipher
• Unsynchronized mode
  • Encryptions are carried out independently of one another.
  • Communicating parties are not required to maintain state between encryptions.
  • $\mathrm{Enc}_k(m) := \langle IV, G(k, IV) \oplus m \rangle$, where the initial vector $IV \leftarrow \{0,1\}^n$ is chosen at random.
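Added example (not from the slides): the $\mathrm{PrivK}^{\mathrm{mult}}$ experiment run with the adversary from the single-vs-multiple encryption discussion, which submits $(0^n, 0^n)$ and $(0^n, 1^n)$ and guesses $b' = 0$ exactly when the two ciphertexts coincide, against both the deterministic stream-cipher scheme and the unsynchronized-mode construction above. SHAKE-256 standing in for $G$, a 16-byte IV, and $G(k, IV)$ realised as $G$ seeded with $k \| IV$ are assumptions.

```python
import hashlib
import os

def G(seed: bytes, length: int) -> bytes:
    """Stand-in variable output-length PRG (assumption: SHAKE-256 used as G)."""
    return hashlib.shake_256(seed).digest(length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_det(k: bytes, m: bytes) -> bytes:
    """Deterministic scheme from the stream-cipher slide: G(k, 1^|m|) XOR m."""
    return xor(G(k, len(m)), m)

IV_LEN = 16  # assumption: a 16-byte IV plays the role of IV in {0,1}^n

def enc_iv(k: bytes, m: bytes) -> bytes:
    """Unsynchronized mode: <IV, G(k, IV) XOR m> with a fresh random IV.
    Assumption: G(k, IV) is G seeded with k || IV."""
    iv = os.urandom(IV_LEN)
    return iv + xor(G(k + iv, len(m)), m)

def dec_iv(k: bytes, c: bytes) -> bytes:
    """Recover m from <IV, body> by regenerating the same pad from k || IV."""
    iv, body = c[:IV_LEN], c[IV_LEN:]
    return xor(G(k + iv, len(body)), body)

def privk_mult(enc, n: int, b=None) -> int:
    """PrivK^mult_{A,Pi}(n) for the adversary A that outputs the vectors
    (0^n, 0^n) and (0^n, 1^n) and guesses b' = 0 iff the two ciphertexts are equal.
    b may be fixed for a deterministic check; otherwise it is chosen at random."""
    m0 = [bytes(n), bytes(n)]          # (0^n, 0^n)
    m1 = [bytes(n), b"\xff" * n]       # (0^n, 1^n)
    k = os.urandom(16)                 # k <- Gen(1^n)
    if b is None:
        b = os.urandom(1)[0] & 1
    c = [enc(k, m) for m in (m1 if b else m0)]
    b_guess = 0 if c[0] == c[1] else 1
    return 1 if b_guess == b else 0

def success_rate(enc, n: int = 8, trials: int = 400) -> float:
    """Empirical Pr[PrivK^mult = 1]: 1.0 for enc_det, about 1/2 for enc_iv."""
    return sum(privk_mult(enc, n) for _ in range(trials)) / trials
```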
Security against Chosen-Plaintext Attack (CPA)
• We now consider a more powerful adversary that is active.
• The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.
The CPA indistinguishability experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$
1. A key $k$ is generated by running $\mathrm{Gen}(1^n)$.
2. The adversary $A$ is given input $1^n$ and oracle access to $\mathrm{Enc}_k(\cdot)$, and outputs a pair of messages $m_0, m_1$ of equal length.
3. A random bit $b \leftarrow \{0,1\}$ is chosen and a ciphertext $c \leftarrow \mathrm{Enc}_k(m_b)$ is computed and given to $A$.
4. Adversary $A$ continues to have oracle access to $\mathrm{Enc}_k(\cdot)$, and outputs a bit $b'$.
5. The output of the experiment is 1 if $b = b'$ and 0 otherwise.
Indistinguishable encryptions under CPA
Definition
A private-key encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ has indistinguishable encryptions under CPA if for all PPT adversaries $A$ there exists a negligible function negl such that
$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$,
where the probability is taken over the coins of $A$ and those of the experiment.
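Added example (not from the slides): the five steps of $\mathrm{PrivK}^{\mathrm{cpa}}$ as a harness that hands the adversary an $\mathrm{Enc}_k(\cdot)$ oracle both before and after the challenge. It goes beyond the slides in showing that the deterministic scheme also fails under CPA: an adversary that asks the oracle for $\mathrm{Enc}_k(m_0)$ and compares the answer with the challenge wins with probability 1, while against the IV construction the same adversary does no better than guessing. SHAKE-256 as $G$ and $G(k, IV)$ as $G$ seeded with $k \| IV$ are assumptions.

```python
import hashlib
import os

def G(seed: bytes, length: int) -> bytes:
    """Stand-in variable output-length PRG (assumption: SHAKE-256 used as G)."""
    return hashlib.shake_256(seed).digest(length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc_det(k: bytes, m: bytes) -> bytes:
    """Deterministic scheme: G(k, 1^|m|) XOR m."""
    return xor(G(k, len(m)), m)

def enc_iv(k: bytes, m: bytes) -> bytes:
    """Unsynchronized mode <IV, G(k, IV) XOR m> (assumption: G seeded with k || IV)."""
    iv = os.urandom(16)
    return iv + xor(G(k + iv, len(m)), m)

def privk_cpa(enc, adversary, n: int, b=None) -> int:
    """PrivK^cpa_{A,Pi}(n). `adversary` provides choose(oracle, n) -> (m0, m1, state)
    and guess(oracle, c, state) -> b'. b may be fixed to make a check deterministic."""
    k = os.urandom(16)                           # 1. k <- Gen(1^n)
    def oracle(m):                               # Enc_k(.), available to A throughout
        return enc(k, m)
    m0, m1, state = adversary.choose(oracle, n)  # 2. A, with oracle access, outputs m0, m1
    if len(m0) != len(m1):
        raise ValueError("m0 and m1 must have equal length")
    if b is None:
        b = os.urandom(1)[0] & 1                 # 3. random bit b ...
    c = enc(k, m1 if b else m0)                  #    ... and challenge c <- Enc_k(m_b)
    b_guess = adversary.guess(oracle, c, state)  # 4. A keeps oracle access, outputs b'
    return 1 if b_guess == b else 0              # 5. output 1 iff b' = b

class OracleComparer:
    """Adversary that queries Enc_k(m0) before the challenge and compares it with c."""
    def choose(self, oracle, n):
        m0, m1 = bytes(n), b"\xff" * n
        return m0, m1, oracle(m0)                # state: the oracle's encryption of m0
    def guess(self, oracle, c, state):
        return 0 if c == state else 1
```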
CPA security for multiple encryptions
• As for single encryption, extend the experiment $\mathrm{PrivK}^{\mathrm{cpa}}$ to one in which the adversary outputs a pair of vectors of plaintexts.
• Any private-key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA.