Topics in Cryptography Lecture 6 Topic: Chosen Ciphertext Security Lecturer: Moni Naor.
Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes.
-
date post
20-Dec-2015 -
Category
Documents
-
view
222 -
download
0
Transcript of Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes.
Recap of last week’s lecture• Pseudo-random permutations constructions • Notions of security:
– Indistinguishabilty of encryptions– Semantic Security
• Equivalence• Public-key cryptosystems
The world so far
Pseudo-random generators
Signature Schemes
UOWHFs
One-way functions
Two guards Identification
Will soon see:
•Computational Pseudorandomness
•Shared-key Encryption and Authentication
P NP
Pseudo-random Permutations
Pseudo-random Functions
Open Problems
• Construct small domain pseudo-random permutations– With good security reductions
• Construct a cryptosystem that remains secure when encrypting its own key
Encryption Using Pseudo-Random Permutations
• Sender and Receiver share a secret key S R {0,1}k
• S defines a function FS k
• What is wrong with encrypting X with FS (x)?
Definition of the Security of Encryption
• Several settings– Shared key vs public key– How active is the adversary
• Sender and receiver want to prevent Eve from learning anything about the message
• Want to simulate as much as possible the protection that an information theoretic encryption scheme provides
Information Theoretic Setting
• If Eve has some knowledge of m should remain the same
– Probability of guessing m• Min entropy of m
– Probability of guessing whether m is m0 or m1
– Probability of computing some function f of m
• Ideally: the ciphertext sent is independent of the message m
– Implies all the above• Shannon: achievable only if the entropy of
the shared secret is at least as large as the message m entropy
• If no special knowledge about m– then |m| shared bits that may be used
once!
To specify security of encryption
• The power of the adversary – computational
• Probabilistic polynomial time machine (PPTM)– access to the system
• Can it change the messages?
• What constitute a failure of the system What it means to break the system.– Reading a message– Forging a message?
Computational Security of EncryptionIndistinguishability of Encryptions
Indistinguishability of encrypted strings:• Adversary A chooses X0 , X1 0,1n
• receives encryption of Xb for bR0,1• has to decide whether b 0 or b 1.
For every pptm A, choosing a pair X0, X1 0,1n
PrA ‘1’ b 1 - PrA ‘1’ b 0 is negligible.
Probability is over the choice of keys, randomization in the encryption and A‘s coins.
In other words: encryptions of X0, X1 are indistinguishable
Quantification over the choice of X0, X1 0,1n
Computational Security of EncryptionSemantic Security
Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does not see the encryption of X, yet simulates A’s knowledge with respect to X
A selects:• Distribution Dn on 0,1n
• Relation R(X,Y) - computable in probabilistic polynomial timeFor every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all
pptm relation R for XR Dn
PrR(X,A(E(X)) - PrR(X,A’())
is negligible
In other words:
The outputs of A and A’ are indistinguishable even for a tester who is aware of X
Note: presentation of semantic security is non-standard (but equivalent)
What is a public-key encryption scheme• Allows Alice to publish public key KP while keeping hidden a
secret key KS Key generation: G:{0,1}*{0,1}*x{0,1}* outputting KP (Public)
and KS (secret)
• ``Anyone” who is given KP and m can encrypt itEncryption: a method
E:{0,1}* x {0,1}* x {0,1}* {0,1}* taking public-key KP, message (plaintext) m, random coins r and outputs
an encrypted message (ciphertext).
• Given a ciphertext and secret key it is possible to decrypt itDecryption: a method
D:{0,1}* x {0,1}* x {0,1}* {0,1}* taking secret-key KS, public-key KP, and ciphertext c and outputs a plaintext
m. Require D(KS, KP, E(KP, m, r)) = m
Equivalence of Semantic Security and Indistinguishability of Encryptions
• Would like to argue their equivalence• Must define the attack
– Otherwise cannot fully talk about an attack• Chosen plaintext attacks
– Adversary can obtain the encryption of any message it wishes– In an adaptive manner– Certainly feasible in a public-key setting
• Minimal one that makes sense there– What about shared-key encryption?
• More severe attacks– Chosen ciphertext
Encryption process must be probabilistic!
Security of public key cryptosystems:exact timing
• Adversary A gets public key KP • Then A can mount an adaptive attack
– No need for further interaction since can do all the encryption on its own
• Then A chooses– In semantic security: the distribution Dn and the relation R
– In indistinguishability of encryptions: the pair X0, X1 0,1n
• Then A is given the test– In semantic security: E(KP, X ,r) for XR Dn
and rR 0,1m
– In indistinguishability of encryptions: E(KP, Xb, r) for bR0,1 and rR0,1m
The Equivalence Theorem
• For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property
Equivalence ProofIf a scheme has the indistinguishability property, then it is semantically secure:• Suppose not, and A chooses
– some distribution Dn
– some relation R• Choose X0, X1 R Dn
and run A twice on– C0 = E(KP, X0 ,r0) call the output Y0
– C1 = E(KP, X1 ,r1) call the output Y1
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)] – 1 = Prob[R(X0, Y1)]
• If |0-1| is not negligible: can distinguish between encryption of X0 of X1 – Contradicting the indistinguishability property
• If |0-1| is negligible: can run A’ with no access to real ciphertext– sample X’ R Dn
and C’ = E(KP, X’, r) – Run A on C’ and output Y’
Here we use the power to generate encryptions
Equivalence Proof• For X0, X1 R Dn
let – 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If |0-1| is not negligible: can distinguish between encryption of X0 of X1
– Contradicting the indistinguishability property
X0 Y
R
E(Xb)
A
Equivalence Proof
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If |0-1| is negligible: can run A’ with no access to real ciphertext– sample X’ R Dn
and C’=E(KP, X’, r)
– Run A on C’ and output Y’
X Y
R
E(X)
A
X Y’
R
E(X’)
A
X’A’
Equivalence Proof…If a scheme is semantically secure, then it has the indistinguishability
of encryptions property:• Suppose not, and A chooses
– A pair X0, X10,1n
– For which it can distinguish with advantage • Choose
– Distribution Dn = {X0, X1}
– Relation R which is “equality with X”
• For any A’ that does not get C = E(KP, X, r) and outputs Y’
ProbA’[R(X, Y’)] = ½
• By simulating A and outputting Y= Xb for guess b0,1
ProbA[R(X, Y)] ¸ ½ +
Even if A’ is computationally unbounded
Similar setting
• The same proof works for the shared key case with adaptive chosen plaintext attack– Need to give attacker (explicit) access to the encryption device
• ``Standard” definition of semantic security:– Instead of A trying to find Y such that R(X,Y), A tries to find Y
such that• Y=f(X)• f is any function (not necessarily polynomial time computable)
– In spite of difference equivalent to our definition
What happens if…
• There is extra information about X:– Both A and A’ get h(X) for some polynomial time
computable function h– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key
When is each definition useful
• Semantic security seems to convey that the message is protected– Not the strongest possible definition
• Easier to prove indistinguishability of encryptions
Concatenations• If (G,E,D) is a semantically secure cryptosystem,
then if Adversary A • Chooses X0 , X10,1n
• Receives k independent encryptions of Xb for bR0,1
• has to decide whether b 0 or b 1.• Cannot have non negligible advantage• Proof: hybrid argument
Independent keys or independent randomness?Both version…
Concatenation
• Let A be an adversary that selects:– Distribution Dn on 0,1n
– Relation R computable in probabilistic polynomial time
• Let X1, X2, ... Xk 2R Dn
• Suppose that A receives E(X1), E(X2), ..., E(Xk)• Computes Y and hopes that R(X1, X2, ..., Xk, Y)
Homework: prove that for any A there is an A’ with similar probability of success
Trapdoor One-way PermutationsA collection functions with three probabilistic polynomial time algorithms• Key generation: on input n, the security parameter, and random bits,
generates two keys KP (Public) and KS (secret) and domain size D (could be 0,1n)• Forward computation: each KP defines a permutation f(KP,,¢) on D.
Given KP and x easy to compute f(KP,,x)
Hard to invert: for any PPT A given y=f(KP,,x) for a random KP (generated as above) and x 2R D, probability that A finds x is negligible
• Backward computation: given Ks easy to invert f(KP,,¢) there is an algorithm that given KP (Public) and KS (secret) and y=f(KP, x) finds x
Encryption from trapdoor permutation• Key generation: KP (Public) and KS (secret) are the keys
of the trapdoor permutation
• Encryption: to encrypt a message m0,1k
– select x R 0,1n and r R 0,1n – compute
g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP
(k-1)(x) ¢r– Send m Xored with g(x) and y=fP
(k)(x) and r(g(x) © m, fP
(k)(x), r)
• Decryption: given (c, y, r)– extract x = fP
(-k)(y) using KS – compute g(x) using r– extract m by Xoring c with g(x)
Security of construction
Claim: given y=fP(k)(x), r the string
g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP
(k-1)(x) ¢r
is indistinguishable from randomProof: it is a pseudo-random generator
Pseudo-randomness implies indistinguishability of encryption
• Given input (z,y,r) want to decide whether z=g(x) or not
• Run A to get {m0,m1}
b’
If b’=b output “pseudo-random”
Choose b 2R {0,1} and
Compute E(mb) = (z©mb, y, r)
A’A
(z,y,r)
Example
• Blum-Goldwasser cryptosystem– Based on the Blum, Blum, Shub pseudo-random generator– The permutation defined by
N= P ¢ Q, where P,Q = 3 mod 4
– For x 2 ZN*, x is a quadratic residue
fN(x)=x2 mod N
Known: the last bit(s) of x2 mod N is hardcore
Blum-Goldwasser Encryption• Key generation: N - Public key and (P,Q) - Secret key a
• Encryption: to encrypt a message m0,1k
– select x R ZN*
– computeg(x) =x, x2, x4, … x2i, …, x2k mod N
let g(x) be the lsb’s of the sequence– Send m Xored with g(x) and y = x2k mod N
(g(x) © m, x2k)
• Decryption: given (c, y)– extract x = yd mod N– compute g(x)– extract m by Xoring c with g(x)
(N)=(P-1)(Q-1)
Let d = 2-k mod (N)
Single exponentionation!
SecurityTheorem: the Blum-Goldwasser cryptosystem is
semantically secure against chosen plaintext attack iff factoring is hard
Shared key encryption• Sender and receiver share a key s of a pseudo-random
function Fs: {0,1}n {0,1}k
• Encryption of a message m0,1k
– Choose rR0,1n
– Send (Fs (r) © m,r)
• Decryption of a ciphertext (y,r)– Compute m=Fs (r) © y
• Proof of security: based on the indistinguishability of Fs from a truly random function– As long as all the r’s are different: collection of ciphertexts
indistinguishable from random
SecurityTheorem: If Fs is a pseudo-random function then
scheme is semantically secure against chosen plaintext attack.
Proof: from the equivalent definition of pseudo-random function where either the last query/challenge is random or not
Need security against random queries only
Discrete Log Problem• Let G be a group and g an element in G.• Let y=gz and x the minimal non negative integer satisfying the equation.
x is called the discrete log of y to base g.• Example: y=gx mod p in the multiplicative group of Zp• In general: easy to exponentiate via repeated squaring
– Consider binary representation• What about discrete log?
– If difficult, f(g,x) = (g, gx ) is a one-way function
DL Assumption for group G: • No efficient algorithm can solve for XR[0..n-1] whp the DL
problem for Y=ga
Discrete Log Problem
Very useful group for DL:• P and Q: Large primes, s.t. Q | P-1• g: an element of order Q in ZP
*.Best known algorithms -
– Q or– subexponential in log P
Randomized reduction:given y generate Y’= Ygr for rR [Q]
Diffie-Hellman The Diffie-Hellman assumption
Let G be a group and g an element in G.Given g, X=ga and Y=gb it is hard to find Z=gab
for random a and b the probability of a poly-time machine outputting gab is negligible
More accurately: a sequence of groups
Don’t know how to verify whether given Z’ is equal to gab
Decisional Diffie-Hellman Problem
For for generator g and a,b [Q]
Given g, Y=ga, X=gb and Z decide whether Z =gab or Z gab
Equivalent: is logg Y = logX Z
DDH-Assumption:• The DDH-Problem is hard in the worst case.
Average DDHFor a,bR [Q] and c which is either
– c= ab
– cR [Q]
Given Y=ga and X=gb and Z =gc
decide whether Z =gab or Z gab
DDH-Assumption average case:• The DDH-Problem is hard for above distribution
Worst to Average case reductionTheorem:The average case and worst case of the
DDH-Assumption are equivalent.• Given ga and gb and gc (and P, Q) • Sample r,s1,s2R [Q]
• compute ga’ = (ga)r gs1
gb’ = (gb) gs2
gc’ = (gc)r (ga)rs2 (gb)s1 gs1s2
a’ = ras1 mod Qb’ = bs2 mod Qa’b’=rab+ras2+bs1
+s1s2
c is either ab or not
…Worst to average
If c = abe mod Q then – a’ = ras1 mod Q
– b’ = bs2 mod Q
– c'= a'b'+ e r mod Q
• Always: a’ and b' are uniformly distributed. • If e =0, then c' = a'b'. • Otherwise c' is uniform and independent in [Q]
a’ = ras1 mod Qb’ = bs2 mod Qa’b’=rab+ras2+bs1
+s1s2
Evidence to Validity of DDH
• Endured extensive research for DH search– DH-search related to discrete log
• Hard for generic algorithms – that work in a black-box group)
• Computing the most significant bits of gab is hard• Random-self-reducibility.
El-Gamal Cryptosystem variant:
• Private key a R [Q]
• Public key Y=ga and P, Q and h• To encrypt M
– choose rR [Q] compute X=gr and Yr
– send hX , h(Yr )Mi
• To decrypt hX, Wi:– compute Xa = Yr and – output h(Xa) W
How is h chosen?
Pair-wise independence suffices
ZP
Subgroup of size Q
{0,1}k
h
El-Gamal Security
Under the DDH assumption cryptosystem is semantically secure against chosen plaintext
but...• Scheme is malleable
– To change M to M’=MC :change hX, Wi to hX, WCi
Open Problems
• How to get a good encryption scheme with a weaker than fully blown pseudo-random function
From single bit to many bits• If there is an encryption scheme that can hide E(KP, 0 ,r)
from E(KP, 1 ,r): then can construct a full blown semantically secure cryptosystem by
concatenation (for any length messages) • Each bit in the message m0,1k is encrypted separately• Proof: a hybrid argument
– Using definition of indistinguishability of encryption– Suppose adversary chooses X0, X1 0,1k
– Let:• D0 be the distribution on encryptions of X0 • Dk be the distribution on encryptions of X1 • Di be the distribution where the first i bits are from X0 and the last k-i bits are from X1
• Example: quadratic residues mod NDifference with concatenation:
each one is a bit
One-way encryption is sufficient for semantic security against chosen plaintext attackCall an encryption scheme one-way if given c=E(KP, m,
s) for random m and s it is hard to find mThis is the weakest form of security one can expect from a ``self-
respecting” cryptosystem
Can construct a single-bit indistinguishable scheme from it:• To encrypt a bit b0,1:
– choose random x, s and r – Send (c,r,b’) where
• c=E(KP, x, s)• b’= x¢r © b
Security: from the Goldreich-Levin reconstruction algorithm
Examples of public-key cryptosystems• Factoring related: RSA, Rabin• Discrete-log related:
– Diffie-Hellman (El Gamal)– Various groups
• Early Knapsack and Codes (late 1970’s)– Merkle Hellman– McEliece: probabilistic cryptosystem
• Modern Lattice Based– Ajtai-Dwork: only one for which worst case to hardness reduction
is known• Goldreich-Goldwasser and Halevi• Regev’s
• NTRU
Further Issues
• What about errors in decryption?
• Is the this the ultimate definition– Does it capture all the ways where encryption is used?
Example: Interactive AuthenticationP wants to convince V that he is approving message mP has a public key KP of an encryption scheme E.
To authenticate a message m:• V P: Choose r 2R {0,1}n. Send c=E(m ° r, KP)• P V : Receiving c
Decrypt c using KS
Verify that prefix of plaintext is m. If yes - send r.V is satisfied if he receives the same r he choose
Is it Safe?• Definition of security: Existential unforgeability against adaptive
chosen message attack– Adversary can ask to authenticate any sequence of messages m1, m2, …– Has to succeed in making V accept a message m not authenticated– Has complete contrl ove the channels
• Intuition of security: if E does not leak information about plaintext – Nothing is leaked about r
• Several problems: if E is “just” semantically secure against chosen plaintext attacks: – Adversary might change c=E(m ° r, KP) into c’=E(m’ ° r, KP)
• Malleability– not sufficient to verify correct form of ciphertext in simulation
• Closer to a chosen ciphertext attack