Transcript ppt

Foundations of Cryptography
Lecture 11: Security of Encryption Schemes
Lecturer: Moni Naor
Recap of last week’s lecture
• Pseudo-random permutations constructions
• Notions of security:
– Indistinguishabilty of encryptions
– Semantic Security
• Equivalence
• Public-key cryptosystems
The world so far
Signature
Schemes
UOWHFs
Pseudo-random
generators
One-way
functions
Two guards
Identification
P  NP
Will soon see:
•Computational Pseudorandomness
•Shared-key Encryption and Authentication
Pseudo-random
Functions
Pseudo-random
Permutations
Open Problems
• Construct small domain pseudo-random permutations
– With good security reductions
• Construct a cryptosystem that remains secure when
encrypting its own key
Encryption Using Pseudo-Random
Permutations
• Sender and Receiver share a secret key S R {0,1}k
• S defines a function FS  Fk
• What is wrong with encrypting X with FS (x)?
Definition of the Security of Encryption
Information Theoretic Setting
• Several settings
– Shared key vs public key
– How active is the adversary
•
If Eve has some knowledge of m should
remain the same
– Probability of guessing m
• Min entropy of m
– Probability of guessing whether m is m0
• Sender and receiver want to
or m1
prevent Eve from learning
– Probability of computing some function f
anything about the message
of m
• Ideally: the ciphertext sent is
• Want to simulate as much as
independent of the message m
possible the protection that an
– Implies all the above
information theoretic encryption
• Shannon: achievable only if the entropy of
scheme provides
the shared secret is at least as large as
•
the message m entropy
If no special knowledge about m
– then |m| shared bits that may be used
once!
To specify security of encryption
• The power of the adversary
– computational
• Probabilistic polynomial time machine (PPTM)
– access to the system
• Can it change the messages?
• What constitute a failure of the system
What it means to break the system.
– Reading a message
– Forging a message?
Computational Security of Encryption
Indistinguishability of Encryptions
Indistinguishability of encrypted strings:
• Adversary A chooses X0 , X1 0,1n
• receives encryption of Xb for bR0,1
• has to decide whether b  0 or b  1.
For every pptm A, choosing a pair X0, X1 0,1n
 PrA ‘1’  b  1  - PrA ‘1’  b  0  
is negligible.
Probability is over the choice of keys, randomization in the encryption and A‘s coins.
In other words: encryptions of X0, X1 are indistinguishable
Quantification over the choice of X0, X1 0,1n
Computational Security of Encryption
Semantic Security
Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does
not see the encryption of X, yet simulates A’s knowledge with respect to X
A selects:
• Distribution Dn on 0,1n
• Relation R(X,Y) - computable in probabilistic polynomial time
For every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all
pptm relation R
for XR Dn
 PrR(X,A(E(X)) - PrR(X,A’())  
is negligible
In other words:
The outputs of A and A’ are indistinguishable even for a tester who is
aware of X
Note: presentation of semantic security is non-standard (but equivalent)
A: Dn
A’: Dn
E(X)
X 2R Dn
.
A
X
A’
Y
X
R
Y
R
¼
What is a public-key encryption scheme
• Allows Alice to publish public key KP while keeping hidden a
secret key KS
Key generation: G:{0,1}*{0,1}*x{0,1}* outputting KP (Public) and KS
(secret)
• ``Anyone” who is given KP and m can encrypt it
Encryption: a method
E:{0,1}* x {0,1}* x {0,1}*  {0,1}*
taking public-key KP, message (plaintext) m, random coins r and outputs
an encrypted message (ciphertext).
• Given a ciphertext and secret key it is possible to decrypt it
Decryption: a method
D:{0,1}* x {0,1}* x {0,1}*  {0,1}*
taking secret-key KS, public-key KP, and ciphertext c and outputs a
plaintext m. Require
D(KS, KP, E(KP, m, r)) = m
Equivalence of Semantic Security and
Indistinguishability of Encryptions
• Would like to argue their equivalence
• Must define the attack
– Otherwise cannot fully talk about an attack
• Chosen plaintext attacks
– Adversary can obtain the encryption of any message it wishes
– In an adaptive manner
– Certainly feasible in a public-key setting
• Minimal one that makes sense there
– What about shared-key encryption?
• More severe attacks
– Chosen ciphertext
Encryption process
must be probabilistic!
Security of public key cryptosystems:
exact timing
• Adversary A gets public key KP
• Then A can mount an adaptive attack
– No need for further interaction since can do all the encryption on its
own
• Then A chooses
– In semantic security: the distribution Dn and the relation R
– In indistinguishability of encryptions: the pair X0, X1 0,1n
• Then A is given the test
– In semantic security: E(KP, X ,r) for XR Dn and rR 0,1m
– In indistinguishability of encryptions: E(KP, Xb, r) for bR0,1 and
rR0,1m
The Equivalence Theorem
• For adaptive chosen plaintext attack in a public
key setting a cryptosystem is semantically secure
if and only if it has the indistinguishability of
encryptions property
Equivalence Proof
If a scheme has the indistinguishability property, then it is semantically secure:
• Suppose not, and A chooses
– some distribution Dn
– some relation R
• Choose X0, X1 R Dn and run A twice on
– C0 = E(KP, X0 ,r0) call the output Y0
– C1 = E(KP, X1 ,r1) call the output Y1
• For X0, X1 R Dn let
–
–
0 = Prob[R(X0, Y0)]
1 = Prob[R(X0, Y1)]
Here we use the power
to generate encryptions
• If |0-1| is not negligible: can distinguish between encryption of X0 of X1
– Contradicting the indistinguishability property
• If |0-1| is negligible: can run A’ with no access to real ciphertext
– sample X’ R Dn and C’ = E(KP, X’, r)
– Run A on C’ and output Y’
Equivalence Proof
E(Xb)
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If |0-1| is not negligible:
can distinguish between
encryption of X0 of X1
– Contradicting the
indistinguishability property
A
X0
Y
R
A’
Equivalence Proof
X’
E(X)
E(X’)
A
A
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If |0-1| is negligible: can run A’
with no access to real ciphertext
– sample X’ R Dn and C’=E(KP, X’, r)
– Run A on C’ and output Y’
X
Y
R
X
Y’
R
Equivalence Proof…
If a scheme is semantically secure, then it has the
indistinguishability of encryptions property:
• Suppose not, and A chooses
– A pair X0, X10,1n
– For which it can distinguish with advantage 
• Choose
– Distribution Dn = {X0, X1}
– Relation R which is “equality with X”
Even if A’ is computationally
unbounded
• For any A’ that does not get C = E(KP, X, r) and outputs Y’
ProbA’[R(X, Y’)] = ½
• By simulating A and outputting Y= Xb for guess b0,1
ProbA[R(X, Y)] ¸ ½ + 
Similar setting
• The same proof works for the shared key case with
adaptive chosen plaintext attack
– Need to give attacker (explicit) access to the encryption device
• ``Standard” definition of semantic security:
– Instead of A trying to find Y such that R(X,Y), A tries to find Y
such that
• Y=f(X)
• f is any function (not necessarily polynomial time computable)
– In spite of difference equivalent to our definition
What happens if…
• There is extra information about X:
– Both A and A’ get h(X) for some polynomial time
computable function h
– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key
When is each definition useful
• Semantic security seems to convey that the
message is protected
– Not the strongest possible definition
• Easier to prove indistinguishability of encryptions
Concatenations
• If (G,E,D) is a semantically secure cryptosystem,
then if Adversary A
Independent keys or
n
• Chooses X0 , X10,1
independent randomness?
Both version…
• Receives k independent encryptions of Xb for
bR0,1
• has to decide whether b  0 or b  1.
• Cannot have non negligible advantage
• Proof: hybrid argument
Concatenation
• Let A be an adversary that selects:
– Distribution Dn on 0,1n
– Relation R computable in probabilistic polynomial time
• Let X1, X2, ... Xk 2R Dn
• Suppose that A receives E(X1), E(X2), ..., E(Xk)
• Computes Y and hopes that R(X1, X2, ..., Xk, Y)
Homework: prove that for any A there is an A’ with
similar probability of success
Trapdoor One-way Permutations
A collection functions with three probabilistic polynomial time algorithms
• Key generation: on input n, the security parameter, and random bits,
generates two keys
KP (Public) and KS (secret) and domain size D (could be 0,1n)
• Forward computation: each KP defines a permutation f(KP,,¢) on D.
Given KP and x easy to compute f(KP,,x)
Hard to invert: for any PPT A given y=f(KP,,x) for a random KP
(generated as above) and x 2R D, probability that A finds x is
negligible
• Backward computation: given Ks easy to invert f(KP,,¢)
there is an algorithm that given KP (Public) and KS (secret) and y=f(KP, x) finds x
Encryption from trapdoor permutation
• Key generation: KP (Public) and KS (secret) are the keys
of the trapdoor permutation
• Encryption: to encrypt a message m0,1k
– select x R 0,1n and r R 0,1n
– compute
g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP(k-1)(x) ¢r
– Send m Xored with g(x) and y=fP(k)(x) and r
(g(x) © m, fP(k)(x), r)
• Decryption: given (c, y, r)
– extract x = fP(-k)(y) using KS
– compute g(x) using r
– extract m by Xoring c with g(x)
Security of construction
Claim: given y=fP(k)(x), r the string
g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP(k-1)(x) ¢r
is indistinguishable from random
Proof: it is a pseudo-random generator
Pseudo-randomness implies indistinguishability of
encryption
(z,y,r)
• Given input (z,y,r) want to
decide whether z=g(x) or
not
• Run A to get {m0,m1}
Choose b 2R {0,1} and
Compute E(mb) = (z©mb, y, r)
A
A’
b’
If b’=b output “pseudo-random”
Example
• Blum-Goldwasser cryptosystem
– Based on the Blum, Blum, Shub pseudo-random generator
– The permutation defined by
N= P ¢ Q,
where P,Q = 3 mod 4
– For x 2 ZN*, x is a quadratic residue
fN(x)=x2 mod N
Known: the last bit(s) of x2 mod N is hardcore
Blum-Goldwasser Encryption
• Key generation: N - Public key and (P,Q) - Secret key a
• Encryption: to encrypt a message m0,1k
– select x R ZN*
– compute
g(x) =x, x2, x4, … x2i, …, x2k mod N
let g(x) be the lsb’s of the sequence
– Send m Xored with g(x) and y = x2k mod N
(g(x) © m, x2k)
• Decryption: given (c, y)
– extract x = yd mod N
– compute g(x)
– extract m by Xoring c with g(x)
(N)=(P-1)(Q-1)
Let d = 2-k mod (N)
Single exponentionation!
Security
Theorem: the Blum-Goldwasser cryptosystem is
semantically secure against chosen plaintext attack
iff factoring is hard
Shared key encryption
• Sender and receiver share a key s of a pseudo-random
function
Fs: {0,1}n  {0,1}k
• Encryption of a message m0,1k
– Choose rR0,1n
– Send (Fs (r) © m,r)
• Decryption of a ciphertext (y,r)
– Compute m=Fs (r) © y
• Proof of security: based on the indistinguishability of Fs from a
truly random function
– As long as all the r’s are different: collection of ciphertexts
indistinguishable from random
Security
Theorem: If Fs is a pseudo-random function then
scheme is semantically secure against chosen
plaintext attack.
Proof: from the equivalent definition of pseudo-random
function where either the last query/challenge is random
or not
Need security against random queries only
Discrete Log Problem
• Let G be a group and g an element in G.
• Let y=gz and x the minimal non negative
integer satisfying the equation.
x is called the discrete log of y to base g.
• Example: y=gx mod p in the multiplicative group of Zp
• In general: easy to exponentiate via repeated squaring
– Consider binary representation
• What about discrete log?
– If difficult, f(g,x) = (g, gx ) is a one-way function
DL Assumption for group G:
• No efficient algorithm can solve for XR[0..n-1] whp the DL
problem for Y=ga
Discrete Log Problem
Very useful group for DL:
• P and Q: Large primes, s.t. Q | P-1
• g: an element of order Q in ZP*.
Best known algorithms – Q
or
– subexponential in log P
Randomized reduction:
given y generate Y’= Ygr for rR [Q]
Diffie-Hellman
The Diffie-Hellman assumption
Let G be a group and g an element in G.
Given g, X=ga and Y=gb it is hard to find Z=gab
for random a and b the probability of a poly-time machine outputting
gab is negligible
More accurately: a sequence of groups
Don’t know how to verify whether given Z’ is equal to gab
Decisional Diffie-Hellman Problem
For for generator g and a,b [Q]
Given g, Y=ga, X=gb and Z decide whether Z =gab
or Z  gab
Equivalent: is logg Y = logX Z
DDH-Assumption:
• The DDH-Problem is hard in the worst case.
Average DDH
For a,bR [Q] and c which is either
– c= ab
– cR [Q]
Given
Y=ga and X=gb and Z =gc
decide whether
Z =gab or Z gab
DDH-Assumption average case:
• The DDH-Problem is hard for above distribution
Worst to Average case reduction
Theorem:The average case and worst case of the
DDH-Assumption are equivalent.
• Given ga and gb and gc (and P, Q)
• Sample r,s1,s2R [Q]
c is either ab or not
• compute
a’ = ras1 mod Q
ga’ = (ga)r gs1
b’ = bs2 mod Q
a’b’=rab+ras2+bs1+s1s
gb’ = (gb) gs2
2
gc’ = (gc)r (ga)rs2 (gb)s1 gs1s2
…Worst to average
If c = abe mod Q then
– a’ = ras1 mod Q
– b’ = bs2 mod Q
– c'= a'b'+ e r mod Q
a’ = ras1 mod Q
b’ = bs2 mod Q
a’b’=rab+ras2+bs1+s1s
2
• Always: a’ and b' are uniformly distributed.
• If e =0, then c' = a'b'.
• Otherwise c' is uniform and independent in [Q]
Evidence to Validity of DDH
• Endured extensive research for DH search
– DH-search related to discrete log
• Hard for generic algorithms
– that work in a black-box group)
• Computing the most significant bits of gab is hard
• Random-self-reducibility.
El-Gamal Cryptosystem variant:
• Private key a R [Q]
Subgroup of
size Q
h
• Public key Y=ga and P, Q and h
• To encrypt M
r
{0,1}
r
– choose rR [Q] compute X=g and Y
Z
r
– send hX , h(Y )Mi
How is h chosen?
• To decrypt hX, Wi:
a
r
Pair-wise independence
– compute X = Y and
k
P
a
– output h(X )  W
suffices
El-Gamal Security
Under the DDH assumption cryptosystem is
semantically secure against chosen plaintext
but...
• Scheme is malleable
– To change M to M’=MC :
change hX, Wi to hX, WCi
Open Problems
• How to get a good encryption scheme with a
weaker than fully blown pseudo-random function
From single bit to many bits
• If there is an encryption scheme that can hide E(KP, 0 ,r)
from E(KP, 1 ,r):
then can construct a full blown semantically secure cryptosystem by
concatenation (for any length messages)
• Each bit in the message m0,1k is encrypted separately
• Proof: a hybrid argument
– Using definition of indistinguishability of encryption
– Suppose adversary chooses X0, X1  0,1k
– Let:
• D0 be the distribution on encryptions of X0
• Dk be the distribution on encryptions of X1
• Di be the distribution where the first i bits
are from X0 and the last k-i bits are from X1
• Example: quadratic residues mod N
Difference with concatenation:
each one is a bit
One-way encryption is sufficient for semantic
security against chosen plaintext attack
Call an encryption scheme one-way if given c=E(KP, m, s)
for random m and s it is hard to find m
This is the weakest form of security one can expect from a ``selfrespecting” cryptosystem
Can construct a single-bit indistinguishable scheme from it:
• To encrypt a bit b0,1:
–
–
choose random x, s and r
Send (c,r,b’) where
•
•
c=E(KP, x, s)
b’= x¢r © b
Security: from the Goldreich-Levin reconstruction algorithm
Examples of public-key cryptosystems
•
•
Factoring related: RSA, Rabin
Discrete-log related:
–
–
•
Diffie-Hellman (El Gamal)
Various groups
Early Knapsack and Codes (late 1970’s)
–
–
•
Merkle Hellman
McEliece: probabilistic cryptosystem
Modern Lattice Based
–
Ajtai-Dwork: only one for which worst case to hardness reduction
is known
•
•
•
Goldreich-Goldwasser and Halevi
Regev’s
NTRU
Further Issues
• What about errors in decryption?
• Is the this the ultimate definition
– Does it capture all the ways where encryption is used?
Example: Interactive Authentication
P wants to convince V that he is approving message m
P has a public key KP of an encryption scheme E.
To authenticate a message m:
• V  P: Choose r 2R {0,1}n.
Send c=E(m ° r, KP)
• P  V : Receiving c
Decrypt c using KS
Verify that prefix of plaintext is m.
If yes - send r.
V is satisfied if he receives the same r he choose
Is it Safe?
• Definition of security: Existential unforgeability against adaptive
chosen message attack
– Adversary can ask to authenticate any sequence of messages m1, m2, …
– Has to succeed in making V accept a message m not authenticated
– Has complete contrl ove the channels
• Intuition of security: if E does not leak information about plaintext
– Nothing is leaked about r
• Several problems: if E is “just” semantically secure against chosen
plaintext attacks:
– Adversary might change c=E(m ° r, KP) into c’=E(m’ ° r, KP)
• Malleability
– not sufficient to verify correct form of ciphertext in simulation
• Closer to a chosen ciphertext attack
Sources
• Goldwasser-Micali: Probabilistic Encryption, Journal
of Computer and System Sciences, 1984.
• Goldreich’s Foundations of Cryptography, volume 2