k c m c Enc k m k m 1 c 1 Enc k m 1 m 2 c 2 Enc k m 2 c 1 c 2 Is the threat model too strong In practice there are many ways an attacker can ID: 783518
Download The PPT/PDF document "Cryptography Lecture 7 CPA-security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Cryptography
Lecture
7
Slide2CPA-security
k
c
m
c
Enc
k(m)
k
m
1
c
1 Enck(m1)
m
2
c2 Enck(m2)
c1
c
2
Slide3Is the threat model too strong?
In practice, there are many ways an attacker can
influence what gets encrypted
Not clear how best to modelChosen-plaintext attacks encompass any such influenceMoreover, in some cases an attacker may have significant control over what gets encrypted
Slide4“Midway”
Will attack AF …
Midway Island
Help! Fresh water needed
AF is short of water…
For
more details, see: http://www.navy.mil/midway/how.html
Slide5CPA-security
Fix
, ADefine a randomized
exp’t PrivKCPAA
,(n):k Gen(1n)
A(1n) interacts with an encryption oracle Enck(·), and then outputs m
0, m1 of the same lengthb {0,1}, c Enck(mb), give c to A
A can continue to interact with Enck(·)A outputs b’; A succeeds if b = b’, and experiment evaluates to 1 in this case
Slide6CPA-security
is
secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function such that
Pr[PrivKCPAA,(n) = 1] ≤ ½ + (n)
Slide7Impossible?
Consider the following attacker A:
Using a chosen-plaintext attack, get c0
= Enck(m0
) and c1 = Enck(m1)Output m0
, m1; get challenge ciphertext cIf c=c0 output ‘0’ ; if c=c1 output ‘1’
A succeeds with probability 1 (?)This attack only works if encryption is deterministic!Moral: randomized encryption must be used!
Slide8Randomized encryption
The issue is
not an artifact of our definitionIt really is a problem if an attacker can tell when the same message is encrypted twice
Slide9Pseudorandom functions
Slide10Pseudorandom functions
Informally, a pseudorandom function “looks like” a random (i.e., uniform) function
Slide11Random function
010
100
100
111001
010010000
# of entries: 23 = 8
000001010
011100101110111
Funcn = all functions mapping {0,1}n to {0,1}nHow big is Funcn ?Can represent a function in
Funcn using n · 2n bits|Funcn| = 2n·2n
Slide12Random function
Exercise: how many functions are there mapping
{0,1}n to {
0,1}m?
Slide13Random function
Choose uniform f
Func
nEquivalent
: for each x {0,1}n, choose f(x) uniformly in {0,1}nI.e., fill up the function table with uniform valuesCan also view this as being done “on-the-fly,” as values are needed
Slide14Pseudorandom functions
Informally, a pseudorandom function “looks like” a random function
As in our discussion of PRGs, it does not make sense to talk about any
fixed function being pseudorandomWe look instead at keyed functions
Slide15Keyed functions
Let F: {0,1}
* x {0,1}
* {0,1}*
be an efficient, deterministic algorithmDefine Fk(x) = F(k, x)The first input is called the
keyAssume F is length preserving: F(k, x) only defined if |k|=|x|, in which case |F(k, x)| = |k| = |x|
Choosing a uniform k {0,1}n is equivalent to choosing the function Fk : {0,1}n {0,1}n
I.e., for fixed key length n, the algorithm F defines a distribution over functions in Funcn!
Slide16Note
The number of functions in
Funcn is 2
n2n{Fk
}k{0,1}n is a subset of Func
nThe number of functions in {Fk}k{0,1}
n is at most 2nThis is only a tiny fraction of Funcn!
Slide17Pseudorandom functions (PRFs)
F is a
pseudorandom function if
Fk, for uniform key k {0,1}
n, is indistinguishable from a uniform function f Funcn
Formally, for all poly-time distinguishers D:| Prk{0,1}
n[DFk(·) = 1] -
PrfFuncn[Df(
·) = 1] | ≤ ε(n)
Slide18??
(poly-time)
World 1
k
{0,1}
n
chosen
uniformly at random
F
k
x
1
F
k
(x
1
)
…
x
t
F
k
(
x
t
)
x
1
f
Func
n
chosen
uniformly at random
World 0
f
f(x
1
)
…
x
t
f(
x
t
)
Slide19Examples (insecure)
F(k, x) = 0
nF(k, x) = k
F(k, x) = k x