Cryptography Lecture 4, Arpita Patra

Posted on 18-Jan-2018

Recall

o Various definitions and their equivalence (Shannon's Theorem)
o Inherent drawbacks
o Cannot afford perfect security

>> Perfect Security
>> Relaxing Perfect Security
   o Make the adversary bounded/efficient/polynomial time
   o Allow the break with some small/negligible probability
   o Are they necessary?
   -> Computational Security

Today's Goal

o Paradigm I: Semantic Security for SKE, the computational analogue of Shannon's perfect security
   - Both relaxations are necessary.
   - Will make 'polynomially bounded/efficient' and 'small/negligible probability' precise
   - Computational/Cryptographic Security
o Paradigm II: Indistinguishability-based Security for SKE, the computational analogue of the game/experiment-based definition of perfect security
o Look for the assumptions needed for a construction and construct a scheme

(Perfect security: impossible to break. Computational security: infeasible to break with high probability.)

Necessity of the Relaxed Threat Model

- Assume an SKE that allows many messages to be encrypted using a single short key
- Allow the adversary to be unbounded powerful (in contrast to bounded)
- Assume the adversary knows many pairs (m_1, c_1), (m_2, c_2), ..., (m_t, c_t) with c_i = Enc_k(m_i)
- It decrypts each ciphertext with all possible keys k_1, k_2, k_3, ... until it finds a matching key:
  Dec_{k_1}(c_i) = m_i for all i?  Dec_{k_2}(c_i) = m_i for all i?  Dec_{k_3}(c_i) = m_i for all i? ...
  Brute force: O(|K|) work. Eventually: "Yes. Hurray, I got the key."

Necessity of the Relaxed Break Model

- Break is allowed with only zero probability
- Assume an SKE that allows many messages to be encrypted using a single short key
- Assume the adversary knows many pairs (m_1, c_1), (m_2, c_2), ..., (m_t, c_t) with c_i = Enc_k(m_i)
- It makes a random guess k_2 among k_1, k_2, k_3, ... for the key:
  Dec_{k_2}(c_i) = m_i for all i?  O(1) time. "Yes. Hurray, my guess was correct."
- Probability of success: 1/|K|
- In short: let the adversary know many pairs (m_1, c_1), (m_2, c_2), ..., (m_t, c_t) with c_i = Enc_k(m_i); make a random guess about k and decrypt each ciphertext with that key to verify the guess

Making "Polynomially Bounded" Precise: Asymptotic Approach

>> Feasible / efficient / probabilistic polynomial-time (PPT) algorithm means:
   - the running time of the algorithm is polynomial in the input size
>> PPT adversary = PPT algorithm
   - Input size: n
   - Running time of the adversary is polynomial in n
>> A function f: Z^+ -> Z^+ is polynomial in n if there exists a finite set of constants {c_i} such that f(n) < Σ_i c_i n^i for all n. Example: n^3
>> Example of what a PPT adversary cannot do:
   o Assume your key size is n, that is, the key is n bits long
   o |K| = 2^n
   o An efficient/PPT adversary CANNOT brute-force over K

Making "Very Small / Negligible" Precise: Asymptotic Approach

>> Usually the key size is set to n
>> Very small / negligible in n means those f(n) that:
   - grow slower than any inverse polynomial
   - for every polynomial in n, p(n), there exists some positive integer N such that f(n) < 1/p(n) for all n > N
>> Examples: 1/2^n, 1/2^(n/2)
>> How about 1/n^10? Not negligible: for p(n) = n^20 there is no N such that 1/n^10 < 1/n^20 for all n > N
>> An adversary running for n^3 time breaks a scheme with probability at most 1/2^n
   - The larger the value of n, the tougher the adversary's life is
>> n: security parameter. A tunable parameter that controls how difficult it is to break a cryptosystem

Closure Properties of Polynomial and Negligible Functions

Proposition: Let negl_1 and negl_2 be negligible functions in n. Then
  (i) negl_1 + negl_2 is a negligible function;
  (ii) p(n) * negl_1 is a negligible function for any polynomial p(n).

Proposition: Let p_1 and p_2 be polynomials in n. Then
  (i) p_1 + p_2 is a polynomial;
  (ii) p_1 * p_2 is a polynomial.
Asymptotic Approach: Summary

>> Security parameter n: publicly known (part of the scheme); the inputs to all algorithms (including the adversary) will be of size polynomial in n
>> Functions of the security parameter n:
   - Running time of the users: polynomial in n
   - Running time of the attacker: polynomial in n
   - Success probability of the attacker: negligible in n
>> Typically n is the size of the secret key (e.g. n = 128, 256, etc.)

Choosing n Carefully Is Very Essential

A designer claims that an adversary running for n^3 minutes can break his scheme with a probability that is negligible in n, hence a secure scheme.
- But what value of n to select while implementing?
- If n = 40, then an adversary working for 40^3 minutes (6 weeks) can break the scheme with probability 1
- You will claim it is a useless scheme, but you just made a foolish choice of n
- n = 50? An adversary working for 50^3 minutes (3 months) succeeds with a probability that may be unacceptable
- n = 500: an adversary working for 200 years can break the scheme with a probability that is definitely acceptable
- Physicists believe that the number of seconds elapsed since the birth of Earth is on the order of
- Something that occurs with a given probability per second is expected to occur once every 100 billion years
- n is a knob between min and max: as n grows the adversary's job becomes harder, but the users' running time is also increasing

Concrete Approach

>> Set the value of n
>> Run users and adversary on specific machines
>> Shape of a concrete statement: "No adversary running for 5 years on a 4GHz machine can break the scheme with probability better than" a stated bound
>> One asymptotic statement corresponds to many concrete statements: Concrete Statement 1, Concrete Statement 2, ..., Concrete Statement n

Syntax of Secret Key Encryption (SKE) Revisited

1. Key-generation algorithm: Gen(1^n)
2. Encryption algorithm: Enc_k(m); m in {0,1}^{l(n)}
3. Decryption algorithm: Dec_k(c)

Gen:
  > MUST be a randomized algorithm
  > Outputs a key k chosen according to some probability distribution
Enc:
  > Deterministic or randomized algorithm
  > c ← Enc_k(m) when randomized and c := Enc_k(m) when deterministic
Dec:
  > Usually deterministic
  > Outputs m := Dec_k(c)

Semantic Security for SKE

S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2), 1984.

Setting: randomized scheme, PPT adversary, ciphertext-only attack (COA).
- h(m): external information about m (history function)
- f(m): additional information about m that the adversary wants to compute

Given prior information about the message, the ciphertext leaks no additional information about the message. (Perfect security: impossible to break. Semantic security: infeasible to break with high probability.)

Semantic Security. Two worlds: in one the adversary gets the ciphertext and in the other it does not. If the probabilities of guessing f(m) in the two worlds are negligibly apart, then semantic security is achieved.

World 1: k ← Gen(1^n); m ← Samp(1^n); c ← Enc_k(m); A gets (1^n, c, h(m)) and outputs a guess about f(m).
World 2: m ← Samp(1^n); A' gets (1^n, |m|, h(m)) and outputs a guess about f(m).

Π = (Gen, Enc, Dec) is semantically secure if for every PPT A there exists a PPT A' such that for any Samp and PPT functions f and h:

  | Pr[ A(1^n, c, h(m)) = f(m) ] - Pr[ A'(1^n, |m|, h(m)) = f(m) ] | ≤ negl(n)

The first probability is taken over uniform k, m output by Samp(1^n), the randomness of A and the randomness of Enc. The second probability is taken over m output by Samp(1^n) and the randomness of A'.

This is the computational analogue of Shannon's definition of perfect security.

Indistinguishability Security for SKE

S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2), 1984.

Setting: randomized scheme, PPT adversary, COA. Given the knowledge of two messages, it cannot be distinguished whether the ciphertext corresponds to the first or the second message. (Perfect security: impossible to break. Computational security: infeasible to break with high probability.)
Indistinguishability-Based Definition

Π = (Gen, Enc, Dec) with message space M. An experiment / a game between a challenger and an adversary:

Attacker A ("I can break Π")                      Challenger ("Let me verify")
- chooses m_0, m_1 in M with |m_0| = |m_1|
  (freedom to choose any pair)   -- m_0, m_1 -->   k ← Gen(1^n); b ← {0,1}
                                 <-- c ---------   c ← Enc_k(m_b)
- outputs b' in {0,1} (the attacker's
  guess about the encrypted message) -- b' -->     b = b': attacker won; b ≠ b': attacker lost

Indistinguishability experiment PrivK^ind_{A,Π}(n): outputs 1 if the attacker won and 0 otherwise. Run time of A: poly(n).

Π is ind-secure if for every PPT attacker A there is a negligible function negl(n) such that

  Pr[ PrivK^ind_{A,Π}(n) = 1 ] ≤ 1/2 + negl(n)

where the probability is taken over the randomness used by A and the challenger.

Semantic vs. Indistinguishability Security

(randomized scheme, PPT adversary, COA)
IND: Given the knowledge of two messages, it cannot be distinguished whether the ciphertext corresponds to the first or the second message.
SEM: Given prior information about the message, the ciphertext leaks no additional information about the message.

Chalk & Talk 3 (for one): If a scheme is ind-secure then for all PPT A and any index i, there is a negligible function negl(n) such that the stated bound holds for uniformly distributed k and m.
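The PrivK experiment above, played end to end as an added example (this is not part of the lecture): a Python challenger runs the game against one attacker for two constructed schemes, the one-time pad and a deliberately broken pad that leaks the parity of m. It estimates Pr[PrivK = 1] and also the gap |Pr[Output(n,0) = 1] - Pr[Output(n,1) = 1]| of the equivalent formulation given later in the lecture; the scheme and attacker names are my own.

```python
import secrets

def gen(n):
    """Gen(1^n): a uniformly random n-bit key (n is a multiple of 8 here)."""
    return secrets.token_bytes(n // 8)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_otp(k, m):
    """One-time pad, c := m XOR k with |m| = |k|."""
    return xor(m, k)

def enc_leaky(k, m):
    """Constructed broken scheme: pads m but appends the parity of m's bits in the clear."""
    parity = bin(int.from_bytes(m, "big")).count("1") & 1
    return xor(m, k) + bytes([parity])

class ParityAttacker:
    """A: picks two equal-length messages of different parity, guesses from the last ciphertext bit."""
    def choose(self, n):
        return bytes(n // 8), bytes([1]) + bytes(n // 8 - 1)   # parity 0 vs. parity 1
    def guess(self, c):
        return c[-1] & 1

def privk_coa(enc, adv, n, b=None):
    """One run of PrivK^coa_{A,Pi}(n). With b=None the challenger draws b uniformly;
    with b fixed this is the experiment PrivK^coa_{A,Pi}(n, b). Returns (won, attacker's bit)."""
    k = gen(n)
    m0, m1 = adv.choose(n)
    assert len(m0) == len(m1)                 # the game requires |m0| = |m1|
    if b is None:
        b = secrets.randbelow(2)
    c = enc(k, m1 if b else m0)
    b_prime = adv.guess(c)
    return int(b_prime == b), b_prime

def success_prob(enc, adv, n, trials=2000):
    """Estimate Pr[PrivK^coa_{A,Pi}(n) = 1]; coa-secure means at most 1/2 + negl(n)."""
    return sum(privk_coa(enc, adv, n)[0] for _ in range(trials)) / trials

def output_gap(enc, adv, n, trials=2000):
    """Estimate |Pr[Output(PrivK(n,0)) = 1] - Pr[Output(PrivK(n,1)) = 1]|.
    Because Pr[win] = 1/2 + (Pr[Output(n,1)=1] - Pr[Output(n,0)=1]) / 2, a negligible gap
    is the same statement as a success probability within negl(n) of 1/2."""
    p0 = sum(privk_coa(enc, adv, n, 0)[1] for _ in range(trials)) / trials
    p1 = sum(privk_coa(enc, adv, n, 1)[1] for _ in range(trials)) / trials
    return abs(p0 - p1)

if __name__ == "__main__":
    a = ParityAttacker()
    print("OTP   success:", success_prob(enc_otp, a, 128), "gap:", output_gap(enc_otp, a, 128))
    print("leaky success:", success_prob(enc_leaky, a, 128), "gap:", output_gap(enc_leaky, a, 128))
```

Against the leaky scheme the attacker wins every run (success 1, gap 1); against the one-time pad the last ciphertext bit is uniform whatever b is, so the estimates sit near 1/2 and 0.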
IND security is the de facto style followed in the crypto community.

Indistinguishability-Based Definition: Renaming

Same game as above between the attacker A ("I can break Π") and the challenger ("Let me verify"): A chooses m_0, m_1 in M with |m_0| = |m_1| (freedom to choose any pair); the challenger runs k ← Gen(1^n), picks b ← {0,1} and returns c ← Enc_k(m_b); A outputs its guess b' in {0,1} about the encrypted message; b = b' means the attacker won, b ≠ b' means the attacker lost. The experiment is now called PrivK^coa_{A,Π}(n).

Π is coa-secure if for every PPT attacker A (run time poly(n)) there is a negligible function negl(n) such that

  Pr[ PrivK^coa_{A,Π}(n) = 1 ] ≤ 1/2 + negl(n)

where the probability is taken over the randomness used by A and the challenger.

Equivalent Formulation of the Ind Definition

Π = (Gen, Enc, Dec), M, n. Same game: A chooses m_0, m_1 with |m_0| = |m_1| (freedom to choose any pair); the challenger runs k ← Gen(1^n), b ← {0,1}, c ← Enc_k(m_b); A (run time poly(n)) outputs b' in {0,1}. Game output: b = b' attacker won, b ≠ b' attacker lost, and the requirement is Pr[ PrivK^coa_{A,Π}(n) = 1 ] ≤ 1/2 + negl(n).

Intuition behind the definition?
>> The attacker should behave in the same way irrespective of whether m_0 or m_1 was encrypted
>> What does "same behaviour" mean?
   --- The attacker just outputs a bit
>> Same behaviour means that the attacker outputs 1 with almost the same probability in each case (irrespective of whether it sees an encryption of m_0 or of m_1)

Equivalent Formulation

PrivK^coa_{A,Π}(n, b): the experiment with m_b selected by the challenger.
Output(PrivK^coa_{A,Π}(n, b)): the output bit of the attacker during PrivK^coa_{A,Π}(n, b).

Π = (Gen, Enc, Dec) is coa-secure if for every PPT adversary A there is a negligible function negl such that

  | Pr[ Output(PrivK^coa_{A,Π}(n, 0)) = 1 ] - Pr[ Output(PrivK^coa_{A,Π}(n, 1)) = 1 ] | ≤ negl(n)

Compare with: Π = (Gen, Enc, Dec) is coa-secure if for every PPT adversary A there is a negligible function negl such that Pr[ PrivK^coa_{A,Π}(n) = 1 ] ≤ 1/2 + negl(n).

Chalk & Talk 4 (for one)

Assumptions for coa-Secure SKEs

Let's go OTP style: the key will be used to pad/mask the message.
- Pad = f(key), and the function is length-expanding??
- Recall the promises of computational security?
  - Shorter key for a big message
  - Key reuse
- For perfect security the pad needed to be truly random
- For computational security it is enough if the pad looks random to a PPT adversary but actually is not

OTP recap: M = K = C = {0,1}^l
  Gen: k ←R K
  Enc: c := m ⊕ k
  Dec: m := c ⊕ k
- The pad can't be just the key

A suggestion: try to BE good rather than trying to pretend to be good.

Assumptions for coa-Secure SKEs

M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SIAM Journal on Computing, 13(4), 1984.
A. C.-C. Yao. Theory and Applications of Trapdoor Functions. FOCS, 80-91.

Pseudorandom Generators (PRGs): the tool to cheat the PPT adversaries
- Pseudorandomness is a property of a probability distribution

Pseudorandomness

{0,1}^l: the set of all binary strings of length l
G: a probability distribution over {0,1}^l
   (= the set of probabilities assigned to the strings of length l)
U: the uniform probability distribution over {0,1}^l

G is pseudorandom if a string drawn according to G is indistinguishable from a string drawn according to U to a PPT distinguisher.

Picture: the distinguisher says "Give me a string"; a sampler for G and U returns a string w; the distinguisher tries to tell which distribution w came from.
- A string drawn according to G is called pseudorandom
- A string drawn according to U is called random
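The distinguishing experiment just described, as an added example that is not from the lecture: a constructed candidate G that stretches an n-bit seed to 2n bits by repeating it, samplers for G and for U, and two PPT distinguishers whose advantage |Pr[D(w) = 1 : w ← G] - Pr[D(w) = 1 : w ← U]| is estimated empirically. The generator and distinguisher names are mine.

```python
import secrets

def sample_u(l):
    """Sampler for U: a uniformly random l-bit string, represented as an int."""
    return secrets.randbits(l)

def g_repeat(seed, n):
    """Constructed candidate G: stretch an n-bit seed to 2n bits by writing it twice.
    Length-expanding, but (as d_halves_equal shows) far from pseudorandom."""
    return (seed << n) | seed

def sample_g(n):
    """Sampler for the distribution G: uniform n-bit seed, output g_repeat(seed) in {0,1}^{2n}."""
    return g_repeat(secrets.randbits(n), n)

def d_halves_equal(w, l):
    """Distinguisher D: output 1 iff the two halves of the l-bit string w coincide.
    Always 1 on G's output; 1 on a uniform string only with probability 2^{-l/2}."""
    half = l // 2
    return int((w >> half) == (w & ((1 << half) - 1)))

def d_first_bit(w, l):
    """A useless distinguisher for comparison: output the leading bit of w.
    G's first bit is uniform too, so this test has no advantage."""
    return (w >> (l - 1)) & 1

def advantage(distinguisher, n, trials=1000):
    """Estimate |Pr[D(w)=1 : w <- G] - Pr[D(w)=1 : w <- U]| for strings of length l = 2n.
    G is pseudorandom only if this is negligible in n for EVERY PPT D, not just for one."""
    l = 2 * n
    p_g = sum(distinguisher(sample_g(n), l) for _ in range(trials)) / trials
    p_u = sum(distinguisher(sample_u(l), l) for _ in range(trials)) / trials
    return abs(p_g - p_u)

if __name__ == "__main__":
    print("halves-equal test:", advantage(d_halves_equal, 32))   # close to 1: G is broken
    print("first-bit test:   ", advantage(d_first_bit, 32))      # close to 0: wrong test
```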