1. Cryptography: Lecture 8

2. Clicker quiz
Which of the following encryption schemes is CPA-secure (G is a PRG, F is a PRF)?
- Enc_k(m) chooses uniform r; outputs <r, G(r) ⊕ m>
- Enc_k(m) chooses uniform r; outputs <r, F_k(r) ⊕ m>
- The one-time pad
- Enc_k(m) chooses uniform r; outputs <r, F_r(k) ⊕ m>
3. Keyed functions
- Let F: {0,1}^n × {0,1}^n → {0,1}^n be an efficient, deterministic algorithm
- Define F_k(x) = F(k, x)
- The first input is called the key
- Security parameter = key length = n
- F is pseudorandom if F_k (for uniform k) is indistinguishable from a random function on the same domain/range

4. [Diagram: the PRF indistinguishability experiment. A poly-time distinguisher sends queries x_1, …, x_t and must guess ("??") which world answers them. World 1: k ∈ {0,1}^n chosen uniformly at random; the answers are F_k(x_1), …, F_k(x_t). World 0: f ∈ Func_n chosen uniformly at random; the answers are f(x_1), …, f(x_t).]

5. PRFs vs. PRGs
- A PRF F immediately implies a PRG G:
- Define G(k) = F_k(0…0) | F_k(0…1)
- I.e., G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | …, where <i> denotes the n-bit encoding of i
- A PRF can be viewed as a PRG with random access to exponentially long output
- The function F_k can be viewed as the n·2^n-bit string F_k(0…0) | … | F_k(1…1)
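The two worlds of slide 4 and the PRG-from-PRF construction of slide 5, worked in Python as an added example (this is not code from the slides or the course). It assumes HMAC-SHA256 truncated to n = 128 bits as the stand-in for F, since the slides keep F abstract and only assume it is a PRF; the names `World0`, `World1`, `prg_block` and `prg` are this example's own. `World0` samples the uniform function f lazily, because a full table for f ∈ Func_n would have 2^n entries; `prg_block` shows the random-access property, computing the i-th block of G(k) without computing the blocks before it.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # security parameter n = 128 bits; keys, inputs and outputs are n bits


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the keyed function F_k(x): HMAC-SHA256 truncated to n bits.
    Assumption of this example: HMAC-SHA256 behaves as a PRF (the slides leave F
    abstract; a block cipher is what is used in practice)."""
    if len(k) != N_BYTES or len(x) != N_BYTES:
        raise ValueError("key and input must both be n bits")
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


class World1:
    """Oracle access to F_k for a uniform k ('World 1' of the experiment)."""

    def __init__(self) -> None:
        self.k = secrets.token_bytes(N_BYTES)

    def query(self, x: bytes) -> bytes:
        return prf(self.k, x)


class World0:
    """Oracle access to a uniform f in Func_n ('World 0'), sampled lazily: each
    output is drawn fresh on the first query of x and remembered, so repeated
    queries of the same x stay consistent, as they would for a fixed f."""

    def __init__(self) -> None:
        self.table: dict[bytes, bytes] = {}

    def query(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.token_bytes(N_BYTES)
        return self.table[x]


def encode(i: int) -> bytes:
    """<i>: the n-bit big-endian encoding of the integer i."""
    return i.to_bytes(N_BYTES, "big")


def prg_block(k: bytes, i: int) -> bytes:
    """The i-th n-bit block of G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | ...,
    computed directly: random access into the (n * 2^n)-bit string F_k defines."""
    return prf(k, encode(i))


def prg(k: bytes, out_len: int) -> bytes:
    """G(k) truncated to out_len bytes, generated block by block."""
    out = bytearray()
    i = 0
    while len(out) < out_len:
        out += prg_block(k, i)
        i += 1
    return bytes(out[:out_len])


if __name__ == "__main__":
    k = bytes(range(N_BYTES))  # constructed sample key, for the demo only
    stream = prg(k, 100)
    # block 5 of the stream is reachable without computing blocks 0..4
    print(stream[80:96] == prg_block(k, 5))
```

A distinguisher that only sees query answers cannot tell `World0` from `World1` apart if `prf` really is a PRF; the lazy table in `World0` is the standard way to simulate a uniformly random function in a proof or a test harness.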
6. Pseudorandom permutations (PRPs)
- Let f ∈ Func_n
- f is a permutation if it is a bijection
- This means that the inverse f^{-1} exists
- Let Perm_n ⊆ Func_n be the set of permutations
- What is |Perm_n|?

7. Pseudorandom permutations
- Let F be a length-preserving, keyed function
- F is a keyed permutation if:
  - F_k is a permutation for every k
  - F_k^{-1}, the inverse of F_k, is efficiently computable
- F is a pseudorandom permutation if F_k, for uniform key k ∈ {0,1}^n, is indistinguishable from a uniform permutation f ∈ Perm_n
  - Even if the attacker can query the function and its inverse

8. Note
- For large enough n, a random permutation is indistinguishable from a random function
- So in practice, PRPs are also good PRFs

9. Do PRFs/PRPs exist?
- They are a stronger primitive than PRGs…
- …though they can be built from PRGs
- In practice, block ciphers are used
- Will discuss extensively later

10. Block ciphers
- Block ciphers are practical constructions of pseudorandom permutations
- No asymptotics: F: {0,1}^n × {0,1}^m → {0,1}^m
  - n = “key length”
  - m = “block length”
- Hard to distinguish F_k from uniform f ∈ Perm_m even for attackers running in time ≈ 2^n

11. AES
- Advanced Encryption Standard (AES)
- Key length = 128, 192, or 256 bits
- Block length = 128 bits
- Will discuss details later in the course
- Available in standard crypto libraries
- No real reason to use anything else
12. CPA-security
- Fix Π, A
- Define a randomized experiment PrivK^CPA_{A,Π}(n):
  1. k ← Gen(1^n)
  2. A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length
  3. b ← {0,1}; c ← Enc_k(m_b); give c to A
  4. A can continue to interact with Enc_k(·)
  5. A outputs b’; A succeeds if b = b’, and the experiment evaluates to 1 in this case

13. CPA-security
Π is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function ε such that Pr[PrivK^CPA_{A,Π}(n) = 1] ≤ ½ + ε(n)

14. CPA-secure encryption
- Let F be a length-preserving, keyed function
- Gen(1^n): choose a uniform key k ∈ {0,1}^n
- Enc_k(m), where |m| = |k| = n:
  - Choose uniform r ∈ {0,1}^n (nonce/initialization vector)
  - Output ciphertext <r, F_k(r) ⊕ m>
- Dec_k(c_1, c_2): output c_2 ⊕ F_k(c_1)
- Correctness is immediate

15. [Diagram of the scheme: the key k and a uniform r enter F; its pseudorandom output F_k(r) is XORed with the message, giving the ciphertext <r, F_k(r) ⊕ m>, whose second component is itself pseudorandom.]
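The scheme of slide 14 (Gen, Enc, Dec) implemented in Python as an added example; this is not code from the slides or the course. It assumes HMAC-SHA256 truncated to n = 128 bits as the stand-in for the length-preserving keyed function F, and the helper `enc_with_nonce` is a name introduced here so that the deterministic part of Enc can be tested separately from the sampling of r.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # n = 128 bits: key, nonce r, and message are all n bits


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the length-preserving keyed function F_k: HMAC-SHA256 truncated
    to n bits (assumed to be a PRF for this example; the slides keep F abstract)."""
    if len(k) != N_BYTES or len(x) != N_BYTES:
        raise ValueError("key and PRF input must both be n bits")
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen(1^n): choose a uniform key k in {0,1}^n."""
    return secrets.token_bytes(N_BYTES)


def enc_with_nonce(k: bytes, m: bytes, r: bytes) -> tuple[bytes, bytes]:
    """The deterministic core of Enc: given r, output <r, F_k(r) xor m>.
    Split out so the randomness source can be inspected and tested; in use, r
    must come from enc(), i.e. be fresh and uniform for every encryption."""
    if len(m) != N_BYTES:
        raise ValueError("this scheme encrypts exactly n-bit messages")
    return r, xor(prf(k, r), m)


def enc(k: bytes, m: bytes) -> tuple[bytes, bytes]:
    """Enc_k(m): choose uniform r in {0,1}^n (the nonce/IV), output <r, F_k(r) xor m>."""
    r = secrets.token_bytes(N_BYTES)
    return enc_with_nonce(k, m, r)


def dec(k: bytes, c: tuple[bytes, bytes]) -> bytes:
    """Dec_k(c_1, c_2): recompute the pad F_k(c_1) and output c_2 xor F_k(c_1)."""
    c1, c2 = c
    return xor(c2, prf(k, c1))


if __name__ == "__main__":
    k = gen()
    m = b"sixteen byte msg"  # constructed 16-byte sample message
    c = enc(k, m)
    print(dec(k, c) == m)  # correctness: True
```

Because r is fresh for every call, two encryptions of the same message under the same key differ (with overwhelming probability), which is what lets a single n-bit key encrypt many messages; the price is a ciphertext of 2n bits for an n-bit message.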
16. Security?
- Theorem: if F is a pseudorandom function, then this scheme is CPA-secure

17. Note
- The key is as long as the message…
- …but the same key can be used to securely encrypt multiple messages

18. Security?
- Theorem: if F is a pseudorandom function, then this scheme is CPA-secure
- Proof by reduction…
- See book for formal proof
- Here: high-level intuition

19. [Diagram: an encryption query. A sends m; the oracle picks r ← {0,1}^n and returns <r, F_k(r) ⊕ m>.]

20. [Diagram: the challenge. A sends m_0, m_1; the experiment picks r* ← {0,1}^n and b ← {0,1} and returns <r*, F_k(r*) ⊕ m_b>.]
21. Analysis
- Since F is a pseudorandom function, we can replace F_k with a truly random function f
- See book for details

22. Analysis
- What is the success probability of A when the experiment uses a random function f? There are two sub-cases:
  - r* was used for some other ciphertext (call this event Repeat)
  - r* was not used for some other ciphertext
- Let q(n) be a bound on the number of encryption queries made by A

23. Analysis
- Pr[success] ≤ Pr[success | ¬Repeat] + Pr[Repeat]
- Pr[Repeat] ≤ q(n)/2^n. Why?
- Pr[success | ¬Repeat] = ½
  - Analogous to the one-time pad in this case, since f(r*) is uniform and independent of everything else
- Pr[A succeeds] ≤ ½ + q(n)/2^n
- I.e., the scheme is secure!

24. Real-world security?
- The security bound we proved is tight
- What happens if a nonce r is ever reused?
- What happens to the bound if the nonce is chosen non-uniformly?

25. Attacks?
- If r repeats, security fails
  - Exactly analogous to multiple encryptions using the (pseudo-)one-time pad scheme
- When r is a uniform, n-bit string, the probability of a repeat is negligible
- If r is too short, or is chosen from another distribution, repeats may happen!
  - May make the scheme insecure
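An added example, not from the slides, covering the q(n)/2^n bound of slide 23 and the nonce-repeat failure of slides 24 and 25. It assumes HMAC-SHA256 truncated to 128 bits as F, and simulates a nonce shorter than n by zero-padding it before it enters F_k (the helper and function names are this example's own). `repeat_bound` is the slides' union bound on Pr[Repeat]; `any_repeat_probability` goes beyond the slides by computing the exact birthday-style probability that some pair among q nonces collides, which shows why a short nonce repeats long before q approaches 2^n. `pad_cancellation` shows what Repeat costs: two ciphertexts under the same r share the pad F_k(r), so XORing them yields m_i ⊕ m_j, the two-time-pad failure the slides point to.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # key and message length n = 128 bits


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for F_k: HMAC-SHA256 truncated to n bits (assumed PRF for this example)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_with_nonce(k: bytes, m: bytes, r: bytes) -> tuple[bytes, bytes]:
    """<r, F_k(r) xor m>, with r zero-padded to n bits before entering F_k so that
    a nonce shorter than n bits can be simulated (a choice of this example)."""
    return r, xor(prf(k, r.rjust(N_BYTES, b"\x00")), m)


def repeat_bound(q: int, nonce_bits: int) -> float:
    """The slides' union bound: Pr[r* equals one of q other nonces] <= q / 2^n."""
    return q / 2 ** nonce_bits


def any_repeat_probability(q: int, nonce_bits: int) -> float:
    """Exact probability that some pair among q uniform nonces collides:
    1 - prod_{i<q} (1 - i/2^n). Grows like q^2 / 2^(n+1), so it exceeds the
    per-challenge bound q / 2^n once q > 2."""
    space = 2 ** nonce_bits
    no_repeat = 1.0
    for i in range(q):
        no_repeat *= 1 - i / space
    return 1 - no_repeat


def encrypt_until_repeat(k: bytes, msgs: list, nonce_bits: int):
    """Encrypt msgs in order, each with a fresh uniform nonce of nonce_bits bits.
    Returns (pair, cts): pair is (i, j) for the first two ciphertexts that share
    a nonce, or None if no nonce repeated; cts is the list of ciphertexts."""
    nbytes = (nonce_bits + 7) // 8
    seen = {}
    cts = []
    for i, m in enumerate(msgs):
        r = secrets.randbits(nonce_bits).to_bytes(nbytes, "big")
        cts.append(enc_with_nonce(k, m, r))
        if r in seen:
            return (seen[r], i), cts
        seen[r] = i
    return None, cts


def pad_cancellation(cts: list, i: int, j: int) -> bytes:
    """What a reused nonce leaks: both ciphertexts carry the same pad F_k(r), so
    c_i xor c_j = m_i xor m_j, independent of the key."""
    (r_i, c_i), (r_j, c_j) = cts[i], cts[j]
    if r_i != r_j:
        raise ValueError("ciphertexts use different nonces; nothing cancels")
    return xor(c_i, c_j)


if __name__ == "__main__":
    k = bytes(range(N_BYTES))  # constructed sample key, for the demo only
    msgs = [i.to_bytes(N_BYTES, "big") for i in range(300)]  # constructed messages
    pair, cts = encrypt_until_repeat(k, msgs, nonce_bits=8)  # 8-bit nonces: a repeat is certain
    i, j = pair
    print(pad_cancellation(cts, i, j) == xor(msgs[i], msgs[j]))  # True
    print(repeat_bound(300, 128), any_repeat_probability(300, 8))
```

With 8-bit nonces, 300 encryptions are guaranteed a repeat by the pigeonhole principle, and the pad cancellation recovers m_i ⊕ m_j with no knowledge of k; with 128-bit uniform nonces the same bound is 300/2^128, which is negligible. The practical check this suggests for a deployment is whether the nonce source is both full-length and uniform, since either failure erases the slides' guarantee.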