Introduction: Pseudorandom generator
Suppose there was a generator G that stretches random bits, e.g. the short seed 001101011 is mapped to the longer string 00101001001010010100101011.
Idea:
Choose a short key K randomly.
Obtain K' = G(K).
Use K' as key for the one time pad.
Issue:
Such a generator is not possible! Any such generator produces a longer string, but the string is not random.
What if we can argue that the output of the generator is computationally indistinguishable from a truly random string?
Introduction: Secure communication
Secure communication: Alice wants to talk to Bob without Eve (who has access to the channel) knowing the communication.
Formalizing the notion of security:
When can you say that your protocol has been broken?
The adversary is able to figure out the secret key.
Question: Can you say that your protocol is secure if no adversary can figure out the secret key?
NO! Consider the encryption scheme C = E_K(M) = M: the key is never revealed, yet the message is sent in the clear.
The adversary is able to figure out the entire message.
Question: Can you say that your protocol is secure if no adversary can figure out the entire message?
NO! Maybe the first bit of the message is revealed, which may be crucial.
Pseudorandom generators
(Diagram: a stateful generator. From the initial state St, G outputs the block R[1] and a new state St[1]; from St[1], G outputs R[2] and the next state, from which G outputs R[3]; and so on. The concatenation R = R[1] R[2] R[3] … is the pseudorandom stream.)
Pseudorandom generator
What are the desirable properties of a pseudorandom generator G: {0,1}^k → {0,1}^n for cryptographic purposes?
Stretch: n > k
Efficient: G should be efficient (computable in polynomial time)
Indistinguishability: No bounded-resource algorithm should be able to distinguish the output of the generator G(x) (for random x) from a random n-bit string.
Unpredictability: The output of the generator should not be predictable (no bounded-resource algorithm should predict the next output bit from the bits seen so far).
Perfect indistinguishability
• Π = (Gen, Enc, Dec)
• Informally:
– Two messages m0, m1; one chosen at random and encrypted (using uniform k) to give c ← Enc_k(m_b); adversary A is given c and tries to determine which message was encrypted
– Π is secure if no adversary A can guess correctly with probability any better than ½
Perfect indistinguishability
• Let Π = (Gen, Enc, Dec) be an encryption scheme, and A an adversary (eavesdropper)
• Define a randomized exp't PrivK_{A,Π}:
1. A outputs m0, m1 ∈ M
2. k ← Gen, b ← {0,1}, c ← Enc_k(m_b) (c is the challenge ciphertext)
3. b' ← A(c); A succeeds if b = b', and the experiment evaluates to 1 in this case
Perfect indistinguishability
• Easy to succeed with probability ½ … (output a uniformly random guess b')
• Π is perfectly indistinguishable if for all attackers (algorithms) A, it holds that
Pr[PrivK_{A,Π} = 1] = ½
Perfect indistinguishability
• Claim: Π is perfectly indistinguishable if and only if it is perfectly secret
PRGs
(Diagram: a short seed goes into G; a longer output comes out.)
• Let G be a deterministic, poly-time algorithm
• G is expanding: |G(x)| = p(|x|) > |x|
• G defines a sequence of distributions!
– D_n = the distribution on p(n)-bit strings defined by choosing x ← U_n and outputting G(x)
– Pr_{D_n}[y] = Pr_{U_n}[G(x) = y] = Σ_{x : G(x)=y} Pr_{U_n}[x] = Σ_{x : G(x)=y} 2^{-n} = |{x : G(x)=y}| / 2^n
PRGs
• Let G be a deterministic, poly-time algorithm
• G is expanding: |G(x)| = p(|x|) > |x|
• G is a pseudorandom generator if {D_n} is pseudorandom
– I.e., for all PPT attackers A, there is a negligible function ε such that
| Pr_{x ← U_n}[A(G(x))=1] − Pr_{y ← U_{p(n)}}[A(y)=1] | ≤ ε(n)
Pseudorandom (number) generators
• PRGs (PRNGs)
(Diagram: a key is fed into G, which outputs a p-bit "pseudo" key; the pseudo key is XORed with the p-bit message to give the p-bit ciphertext.)
Pseudo one-time pad
• Let G be a deterministic, poly-time function, with |G(k)| = p(|k|)
• Gen(1^n): output uniform n-bit key k
– Security parameter n ⇒ message space {0,1}^{p(n)}
• Enc_k(m): output G(k) ⊕ m
• Dec_k(c): output G(k) ⊕ c
• Correctness is obvious… Dec_k(Enc_k(m)) = G(k) ⊕ G(k) ⊕ m = m
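A runnable version of the pseudo one-time pad above, added here as an example (it is not code from the slides). Assumptions: keys and messages are byte strings, and SHA-256 in counter mode stands in for the unspecified PRG G; the last function shows why the scheme is one-time only.

```python
import hashlib
import os

def G(k: bytes, p: int) -> bytes:
    """Stretch the key k to p bytes.  Assumption: SHA-256 in counter mode is
    only a stand-in for "some PRG G"; the slides do not fix a concrete G."""
    out = b""
    counter = 0
    while len(out) < p:
        out += hashlib.sha256(k + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:p]

def gen(n: int) -> bytes:
    """Gen(1^n): a uniform key (n counted in bytes here, not bits)."""
    return os.urandom(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(k: bytes, m: bytes) -> bytes:
    """Enc_k(m) = G(k) XOR m; the stretch p is the message length."""
    return xor(G(k, len(m)), m)

def dec(k: bytes, c: bytes) -> bytes:
    """Dec_k(c) = G(k) XOR c.  Correctness: G(k) XOR G(k) XOR m = m."""
    return xor(G(k, len(c)), c)

def two_time_leak(k: bytes, m0: bytes, m1: bytes) -> bytes:
    """Why the scheme is one-time: if the same k encrypts two messages, an
    eavesdropper XORs the two ciphertexts and the pad cancels, leaving
    m0 XOR m1 without any knowledge of k."""
    return xor(enc(k, m0), enc(k, m1))

if __name__ == "__main__":
    key = gen(16)
    msg = b"Meet me at the coffee shop at 5pm"
    assert dec(key, enc(key, msg)) == msg
    print("pseudo-OTP round trip ok")
```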
PRGs, revisited
• Let G be an efficient, deterministic function with |G(k)| = 2·|k|
(Diagram: a distinguisher D is given y, which is either G(k) for k ← U_n or a uniform y ← U_2n, and outputs a bit b.)
• (For any efficient D…) the probability that D outputs 1 in both cases must be close
Proof by reduction
1. Assume G is a pseudorandom generator
2. Say there is an efficient attacker A who ‘breaks’ the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D that ‘breaks’ pseudorandomness of G
– But we know that no such D exists!
⇒ No such A can exist
Alternately…
1. Assume G is a pseudorandom generator
2. Fix some arbitrary, efficient A attacking the pseudo-OTP scheme
3. Use A as a subroutine to build an efficient D attacking G
– Relate the distinguishing probability of D to the success probability of A
4. By assumption, the distinguishing probability of D must be negligible
⇒ Bound the success probability of A
“Pseudo” one-time pad
(Diagram: an n-bit key k is fed into G, which outputs a 2n-bit "pseudo" key; it is XORed with the 2n-bit message to give the 2n-bit ciphertext.)
Security theorem
• If G is a pseudorandom generator, then the
pseudo one-time pad is (computationally)
indistinguishable.
The reduction
(Diagram: D receives y, which is either G(k) for k ← U_n or a uniform y ← U_2n. D runs A to obtain m0, m1; picks b ← {0,1}; hands A the ciphertext c = y ⊕ m_b; receives A's guess b'; and outputs 1 if b = b'. When y = G(k), c is exactly a Π-Enc ciphertext; when y is uniform, c is a one-time-pad ciphertext.)
Analysis
• If A runs in polynomial time, then so does D
Analysis
• Let µ(n) = Pr[PrivK_{A,Π}(n) = 1]
• If input y is pseudorandom, the view of A is exactly as in PrivK_{A,Π}(n)
Pr_{x ← U_n}[D(G(x))=1] = µ(n)
• If input y is uniform, A succeeds with probability exactly ½ (c = y ⊕ m_b is a one-time-pad ciphertext, independent of b)
Pr_{y ← U_2n}[D(y)=1] = ½
• Since G is pseudorandom…
| µ(n) – ½ | ≤ ε(n)
Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + ε(n)
• Proof that the pseudo OTP is secure…
– We have a provably secure scheme, rather than a heuristic construction!
• …with some caveats
– Assuming G is a pseudorandom generator
– Relative to our definition
Stream Ciphers: Security of Stream Ciphers
(Diagram: the reduction B, run on input G(K) on the left and on a truly random string R on the right.)
B on input y ∈ {G(K), R}:
1. Randomly select b; (M0, M1) are the messages chosen by A
2. Execute A on y ⊕ M_b (i.e. G(K) ⊕ M_b on the left, R ⊕ M_b on the right), obtaining b'
3. Output 1 iff b = b'
Adv^PRG(B, G) = | Pr[B(G(K)) = 1] − Pr[B(R) = 1] |
Lemma 1: Pr[B(R) = 1] = ½.
Lemma 2: Pr[B(G(K)) = 1] = ½ ± Adv^IND(A, E).
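The reduction B above, run end to end as an added example (not from the slides): the generator is replaced by a constructed, deliberately weak stretch function G(k) = k‖k so that an attacker A on the pseudo-OTP exists, and the probabilities of Lemma 1 and Lemma 2 are computed exactly by enumerating every seed, every 2n-bit string and B's coin b.

```python
from fractions import Fraction
from itertools import product

N = 4  # seed length n; the toy generator stretches N bits to 2N bits

def G_weak(k: tuple) -> tuple:
    """Constructed toy 'PRG' G(k) = k || k: longer than k, but far from
    uniform (the two halves of the output always agree)."""
    return k + k

def A_messages() -> tuple:
    """A's chosen pair (M0, M1).  Their XOR has unequal halves, so at most
    one of the candidate pads c XOR M0, c XOR M1 can have equal halves."""
    m0 = (0,) * (2 * N)
    m1 = (1,) * N + (0,) * N
    return m0, m1

def A_guess(c: tuple) -> int:
    """A(c): the genuine pad G(k) has equal halves; test each candidate."""
    for b, m in enumerate(A_messages()):
        pad = tuple(x ^ y for x, y in zip(c, m))
        if pad[:N] == pad[N:]:
            return b
    return 0  # no candidate looks like G(k); y was random, just guess

def B(y: tuple, b: int) -> int:
    """The reduction B (D on the earlier slides).  Its coin b is passed in
    explicitly so every branch can be enumerated.  Returns 1 iff b = b'."""
    c = tuple(x ^ v for x, v in zip(y, A_messages()[b]))
    return 1 if A_guess(c) == b else 0

def pr_output_1(inputs: list) -> Fraction:
    """Pr[B(y) = 1] for y uniform over `inputs` and b uniform in {0,1}."""
    hits = sum(B(y, b) for y in inputs for b in (0, 1))
    return Fraction(hits, 2 * len(inputs))

def pr_on_generator() -> Fraction:
    """Lemma 2 side: y = G(K) for uniform K; equals 1/2 +- Adv^IND(A, E)."""
    return pr_output_1([G_weak(k) for k in product((0, 1), repeat=N)])

def pr_on_random() -> Fraction:
    """Lemma 1 side: y = R uniform; c = R XOR M_b hides b, so exactly 1/2."""
    return pr_output_1(list(product((0, 1), repeat=2 * N)))

def advantage() -> Fraction:
    """Adv^PRG(B, G) = |Pr[B(G(K)) = 1] - Pr[B(R) = 1]|."""
    return abs(pr_on_generator() - pr_on_random())
```

Here A always wins (µ = 1), so B's advantage is ½, far from negligible, which is the analysis's verdict that G_weak is not a PRG.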
Hybrid Argument: Indistinguishability Vs Unpredictability
Theorem (unpredictability implies indistinguishability): Let G: {0,1}^k → {0,1}^n. If G is a (t', ε/n)-unpredictable PRG, then G is also a (t, ε)-indistinguishable PRG.
Proof: We prove the contrapositive. Let A be an algorithm that runs in time at most t such that the following holds:
| Pr_{K ← {0,1}^k}[A(G(K)) = 1] − Pr_{R ← {0,1}^n}[A(R) = 1] | > ε
We will show that there exists an algorithm B that predicts the output of the generator.
Let the output of the generator be denoted by y1 y2 … yn and let r1 r2 … rn denote independent random bits.
Hybrid Argument: Indistinguishability Vs Unpredictability
Theorem (unpredictability implies indistinguishability): Let G: {0,1}^k → {0,1}^n. If G is a (t', ε/n)-unpredictable PRG, then G is also a (t, ε)-indistinguishable PRG.
Proof:
We define the hybrid distributions D_i = y1 … yi r_{i+1} … rn (the first i bits from the generator, the remaining bits independent random bits), so D_n is the generator's output, D_0 is uniform, and D_i and D_{i+1} differ only in whether bit i+1 is y_{i+1} or r_{i+1}.
Claim 1: | Pr_{R ← D_n}[A(R) = 1] − Pr_{R ← D_0}[A(R) = 1] | > ε
Claim 2: ∃i, Pr_{R ← D_i}[A(R) = 1] − Pr_{R ← D_{i+1}}[A(R) = 1] > ε/n
(Claim 2 follows from Claim 1 by the triangle inequality: the n differences between adjacent hybrids telescope to the difference between D_n and D_0, so at least one of them exceeds ε/n in absolute value.)
How do we use the above claim to design an algorithm B that predicts the (i+1)-th bit of the generator, given the first i bits?
Computational indistinguishability
• Relax perfect indistinguishability in two ways:
– Security may fail with small probability
– Restrict attention to efficient attackers
• Two approaches
– Concrete
– Asymptotic
Computational indistinguishability
(concrete)
• (t, ε)-indistinguishability:
– Security may fail with probability ≤ ε
– Restrict attention to attackers running in time ≤ t
Asymptotic security
• Introduce security parameter n ∈ Z+
– Fixed by honest parties at initialization
– Allows users to tailor the security level
• For now, can view as the key length
– Known by adversary
• Fix Π, A
• Define a randomized exp't PrivK_{A,Π}(n):
1. A(1^n) outputs m0, m1 ∈ {0,1}* of equal length
2. k ← Gen(1^n), b ← {0,1}, c ← Enc_k(m_b)
3. b' ← A(c); A succeeds if b = b', and the experiment evaluates to 1 in this case
Computational indistinguishability
(asymptotic version)
• Π is indistinguishable if for all PPT attackers A, there is a negligible function ε such that
Pr[PrivK_{A,Π}(n) = 1] ≤ ½ + ε(n)
(Diagram: G' runs G repeatedly; the i-th invocation of G produces the output bit R_i and the state for the next invocation.)
Theorem: If G: {0,1}^n → {0,1}^{n+1} is a secure PRG, then G': {0,1}^n → {0,1}^{l(n)} is a secure PRG.
Proof: Suppose G' is insecure. This means that there is an adversary A that runs in time p(n) and the following holds:
| Pr_{K ← {0,1}^n}[A(G'(K)) = 1] − Pr_{R ← {0,1}^{l(n)}}[A(R) = 1] | > 1/q(n),
where q(·) is some polynomial.
The hybrid distinguisher B, on input x1 … x_{n+1}:
Let R_{i+1} = x_{n+1}, R_{i+2} = G(x1 … xn)[n+1], R_{i+3} = G(G(x1 … xn)[1 … n])[n+1], …
Let R_1 = r_1, …, R_i = r_i, where r_1, …, r_i are independent random bits.
Execute A with the input R_1, …, R_{l(n)}. Output 1 iff A outputs 1.
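The construction G' and the hybrid distinguisher B from the proof above, as an added example (not the slides' own code). Assumptions: bits are Python lists of 0/1, n = 8, l(n) = 20, and a SHA-256 stand-in plays the role of the assumed secure G: {0,1}^n → {0,1}^{n+1}; hybrid_identity checks that on input x = G(k), B hands A exactly i random bits followed by the bits of G'(k).

```python
import hashlib

N = 8   # seed length n (bits)
L = 20  # output length l(n) of G'

def G(x: list) -> list:
    """Stand-in for the one-bit-stretch PRG G: {0,1}^n -> {0,1}^(n+1).
    Assumption: the first n+1 bits of SHA-256(x) are used as a placeholder
    for the secure G the theorem assumes; the slides name no concrete G."""
    digest = hashlib.sha256(bytes(x)).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(N + 1)]

def G_prime(k: list) -> list:
    """G'(k): run G repeatedly, emitting bit n+1 of each step as output and
    feeding bits 1..n back in as the next state, until l(n) bits exist."""
    state, out = list(k), []
    while len(out) < L:
        y = G(state)
        state, out = y[:N], out + [y[N]]
    return out

def B_input(x: list, i: int, coins: list) -> list:
    """What B(x_1 .. x_{n+1}) feeds to A: R_1..R_i are the random bits
    `coins`, R_{i+1} = x_{n+1}, and R_{i+2}, R_{i+3}, ... come from running
    G' with x_1..x_n as the state.  Returns R_1 .. R_{l(n)}."""
    tail = [x[N]] + G_prime(x[:N])
    return list(coins[:i]) + tail[: L - i]

def hybrid_identity(k: list, i: int, coins: list) -> bool:
    """If x = G(k), then R_{i+1} = G(k)[n+1] = G'(k)[1], R_{i+2} = G'(k)[2],
    ... so A sees i random bits followed by G'(k): the i-th hybrid.  If x
    is uniform, A sees i+1 random bits followed by G' run from a fresh
    uniform state: the (i+1)-th hybrid.  B therefore turns a gap between
    adjacent hybrids into a distinguisher for G itself."""
    return B_input(G(k), i, coins) == list(coins[:i]) + G_prime(k)[: L - i]
```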
Stream Ciphers: Summary
So, do secure PRGs exist?
Not known.
Conditional existence: Secure PRGs exist if one way functions (OWFs) exist. Many people believe that they do.
Example of OWF: f(x, y) = x · y for large primes x and y.
Types of Attacks
Until now we have seen security analysis in a restrictive setting.
1. Secure communication
2. One-time encryption: Secret key used to send only one secret
message.
3. Ciphertext-only adversary: Adversary only listens to the public
channel.
We would like to relax these restrictions.
Types of Attacks
We only analysed the passive adversary case, when all an adversary does is listen to the channel. Here are some other attack scenarios:
1. Ciphertext-only Attack: The adversary only gets to see the ciphertexts.
2. Known Plaintext Attack: The adversary gets to know the plaintexts of a few ciphertexts.
3. Chosen Plaintext Attack (CPA): The adversary is capable of obtaining ciphertexts for messages of its choice.
4. Chosen Ciphertext Attack (CCA): The adversary can obtain decryptions of ciphertexts of its choice.
Types of Attacks: KPA
Known Plaintext Attack (KPA): Examples
The plaintext may be deduced from the context.
Alice sends Bob a message “Meet me at the coffee shop at 5pm”. Eve observes Alice and Bob at the coffee shop at 5pm and deduces the plaintext.
The plaintext may be made public after the secrecy of the message becomes irrelevant.
Alice sends Bob a message “Meet me at the coffee shop at 5pm”. Once the meeting is over, Alice makes the plaintext public as it is no longer required to keep it a secret.
On the other hand, Alice keeps using the same key for future communication with Bob.
Types of Attacks: CPA
Chosen Plaintext Attack (CPA): Examples
In World War II, the English would mine specific areas. This would evoke a response from the Germans to sweep that area, so the Germans' encrypted reports contained plaintext effectively chosen by the English.
A router may be programmed to encrypt any packet that it sends.
An email program may forward an email after encryption.
Types of Attacks: CCA
Chosen Ciphertext Attack (CCA): Examples
Eve sends an arbitrarily chosen ciphertext and observes the behaviour of Bob to figure out the plaintext.
In cases where encryption is used as an authentication mechanism: a person may be authenticated using the knowledge that the person can successfully decrypt an encrypted message.