Cryptography Lecture 7 CPA-security - PowerPoint Presentation

Slide1

Cryptography

Lecture

7

CPA-security

k

c

m

c



Enc

k(m)

k

m

1

c

1  Enck(m1)

m

2

c2  Enck(m2)

c1

c

2

Is the threat model too strong?

In practice, there are many ways an attacker can

influence what gets encrypted

Not clear how best to modelChosen-plaintext attacks encompass any such influenceMoreover, in some cases an attacker may have significant control over what gets encrypted

“Midway”

Will attack AF …

Midway Island

Help! Fresh water needed

AF is short of water…

For

more details, see: http://www.navy.mil/midway/how.html

CPA-security

Fix

, ADefine a randomized

exp’t PrivKCPAA

,(n):k  Gen(1n)

A(1n) interacts with an encryption oracle Enck(·), and then outputs m

0, m1 of the same lengthb  {0,1}, c  Enck(mb), give c to A

A can continue to interact with Enck(·)A outputs b’; A succeeds if b = b’, and experiment evaluates to 1 in this case

CPA-security

 is

secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function  such that

Pr[PrivKCPAA,(n) = 1] ≤ ½ + (n)

Impossible?

Consider the following attacker A:

Using a chosen-plaintext attack, get c0

= Enck(m0

) and c1 = Enck(m1)Output m0

, m1; get challenge ciphertext cIf c=c0 output ‘0’ ; if c=c1 output ‘1’

A succeeds with probability 1 (?)This attack only works if encryption is deterministic!Moral: randomized encryption must be used!

Randomized encryption

The issue is

not an artifact of our definitionIt really is a problem if an attacker can tell when the same message is encrypted twice

Pseudorandom functions

Pseudorandom functions

Informally, a pseudorandom function “looks like” a random (i.e., uniform) function

Random function

010

100

100

111001

010010000

# of entries: 23 = 8

000001010

011100101110111

Funcn = all functions mapping {0,1}n to {0,1}nHow big is Funcn ?Can represent a function in

Funcn using n · 2n bits|Funcn| = 2n·2n

Random function

Exercise: how many functions are there mapping

{0,1}n to {

0,1}m?

Random function

Choose uniform f

 Func

nEquivalent

: for each x  {0,1}n, choose f(x) uniformly in {0,1}nI.e., fill up the function table with uniform valuesCan also view this as being done “on-the-fly,” as values are needed

Pseudorandom functions

Informally, a pseudorandom function “looks like” a random function

As in our discussion of PRGs, it does not make sense to talk about any

fixed function being pseudorandomWe look instead at keyed functions

Keyed functions

Let F: {0,1}

* x {0,1}

*  {0,1}*

be an efficient, deterministic algorithmDefine Fk(x) = F(k, x)The first input is called the

keyAssume F is length preserving: F(k, x) only defined if |k|=|x|, in which case |F(k, x)| = |k| = |x|

Choosing a uniform k  {0,1}n is equivalent to choosing the function Fk : {0,1}n  {0,1}n

I.e., for fixed key length n, the algorithm F defines a distribution over functions in Funcn!

Note

The number of functions in

Funcn is 2

n2n{Fk

}k{0,1}n is a subset of Func

nThe number of functions in {Fk}k{0,1}

n is at most 2nThis is only a tiny fraction of Funcn!

Pseudorandom functions (PRFs)

F is a

pseudorandom function if

Fk, for uniform key k  {0,1}

n, is indistinguishable from a uniform function f  Funcn

Formally, for all poly-time distinguishers D:| Prk{0,1}

n[DFk(·) = 1] -

PrfFuncn[Df(

·) = 1] | ≤ ε(n)

??

(poly-time)

World 1

k

 {0,1}

n

chosen

uniformly at random

F

k

x

1

F

k

(x

1

)

…

x

t

F

k

(

x

t

)

x

1

f



Func

n

chosen

uniformly at random

World 0

f

f(x

1

)

…

x

t

f(

x

t

)

Examples (insecure)

F(k, x) = 0

nF(k, x) = k

F(k, x) = k  x