Download ppt

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
Document related concepts
no text concepts found
Transcript 
Foundations of Cryptography
Lecture 11: Security of Encryption Schemes
Lecturer: Moni Naor
Recap of last week’s lecture
• Pseudo-random permutations constructions
• Notions of security:
– Indistinguishabilty of encryptions
– Semantic Security
• Equivalence
• Public-key cryptosystems
The world so far
Signature
Schemes
UOWHFs
Pseudo-random
generators
One-way
functions
Two guards
Identification
P  NP
Will soon see:
•Computational Pseudorandomness
•Shared-key Encryption and Authentication
Pseudo-random
Functions
Pseudo-random
Permutations
Open Problems
• Construct small domain pseudo-random permutations
– With good security reductions
• Construct a cryptosystem that remains secure when
encrypting its own key
Encryption Using Pseudo-Random
Permutations
• Sender and Receiver share a secret key S R {0,1}k
• S defines a function FS  Fk
• What is wrong with encrypting X with FS (x)?
Definition of the Security of Encryption
Information Theoretic Setting
• Several settings
– Shared key vs public key
– How active is the adversary
•
If Eve has some knowledge of m should
remain the same
– Probability of guessing m
• Min entropy of m
– Probability of guessing whether m is m0
• Sender and receiver want to
or m1
prevent Eve from learning
– Probability of computing some function f
anything about the message
of m
• Ideally: the ciphertext sent is
• Want to simulate as much as
independent of the message m
possible the protection that an
– Implies all the above
information theoretic encryption
• Shannon: achievable only if the entropy of
scheme provides
the shared secret is at least as large as
•
the message m entropy
If no special knowledge about m
– then |m| shared bits that may be used
once!
To specify security of encryption
• The power of the adversary
– computational
• Probabilistic polynomial time machine (PPTM)
– access to the system
• Can it change the messages?
• What constitute a failure of the system
What it means to break the system.
– Reading a message
– Forging a message?
Computational Security of Encryption
Indistinguishability of Encryptions
Indistinguishability of encrypted strings:
• Adversary A chooses X0 , X1 0,1n
• receives encryption of Xb for bR0,1
• has to decide whether b  0 or b  1.
For every pptm A, choosing a pair X0, X1 0,1n
 PrA ‘1’  b  1  - PrA ‘1’  b  0  
is negligible.
Probability is over the choice of keys, randomization in the encryption and A‘s coins.
In other words: encryptions of X0, X1 are indistinguishable
Quantification over the choice of X0, X1 0,1n
Computational Security of Encryption
Semantic Security
Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does
not see the encryption of X, yet simulates A’s knowledge with respect to X
A selects:
• Distribution Dn on 0,1n
• Relation R(X,Y) - computable in probabilistic polynomial time
For every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all
pptm relation R
for XR Dn
 PrR(X,A(E(X)) - PrR(X,A’())  
is negligible
In other words:
The outputs of A and A’ are indistinguishable even for a tester who is
aware of X
Note: presentation of semantic security is non-standard (but equivalent)
A: Dn
A’: Dn
E(X)
X 2R Dn
.
A
X
A’
Y
X
R
Y
R
¼
What is a public-key encryption scheme
• Allows Alice to publish public key KP while keeping hidden a
secret key KS
Key generation: G:{0,1}*{0,1}*x{0,1}* outputting KP (Public) and KS
(secret)
• ``Anyone” who is given KP and m can encrypt it
Encryption: a method
E:{0,1}* x {0,1}* x {0,1}*  {0,1}*
taking public-key KP, message (plaintext) m, random coins r and outputs
an encrypted message (ciphertext).
• Given a ciphertext and secret key it is possible to decrypt it
Decryption: a method
D:{0,1}* x {0,1}* x {0,1}*  {0,1}*
taking secret-key KS, public-key KP, and ciphertext c and outputs a
plaintext m. Require
D(KS, KP, E(KP, m, r)) = m
Equivalence of Semantic Security and
Indistinguishability of Encryptions
• Would like to argue their equivalence
• Must define the attack
– Otherwise cannot fully talk about an attack
• Chosen plaintext attacks
– Adversary can obtain the encryption of any message it wishes
– In an adaptive manner
– Certainly feasible in a public-key setting
• Minimal one that makes sense there
– What about shared-key encryption?
• More severe attacks
– Chosen ciphertext
Encryption process
must be probabilistic!
Security of public key cryptosystems:
exact timing
• Adversary A gets public key KP
• Then A can mount an adaptive attack
– No need for further interaction since can do all the encryption on its
own
• Then A chooses
– In semantic security: the distribution Dn and the relation R
– In indistinguishability of encryptions: the pair X0, X1 0,1n
• Then A is given the test
– In semantic security: E(KP, X ,r) for XR Dn and rR 0,1m
– In indistinguishability of encryptions: E(KP, Xb, r) for bR0,1 and
rR0,1m
The Equivalence Theorem
• For adaptive chosen plaintext attack in a public
key setting a cryptosystem is semantically secure
if and only if it has the indistinguishability of
encryptions property
Equivalence Proof
If a scheme has the indistinguishability property, then it is semantically secure:
• Suppose not, and A chooses
– some distribution Dn
– some relation R
• Choose X0, X1 R Dn and run A twice on
– C0 = E(KP, X0 ,r0) call the output Y0
– C1 = E(KP, X1 ,r1) call the output Y1
• For X0, X1 R Dn let
–
–
0 = Prob[R(X0, Y0)]
1 = Prob[R(X0, Y1)]
Here we use the power
to generate encryptions
• If |0-1| is not negligible: can distinguish between encryption of X0 of X1
– Contradicting the indistinguishability property
• If |0-1| is negligible: can run A’ with no access to real ciphertext
– sample X’ R Dn and C’ = E(KP, X’, r)
– Run A on C’ and output Y’
Equivalence Proof
E(Xb)
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If |0-1| is not negligible:
can distinguish between
encryption of X0 of X1
– Contradicting the
indistinguishability property
A
X0
Y
R
A’
Equivalence Proof
X’
E(X)
E(X’)
A
A
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If |0-1| is negligible: can run A’
with no access to real ciphertext
– sample X’ R Dn and C’=E(KP, X’, r)
– Run A on C’ and output Y’
X
Y
R
X
Y’
R
Equivalence Proof…
If a scheme is semantically secure, then it has the
indistinguishability of encryptions property:
• Suppose not, and A chooses
– A pair X0, X10,1n
– For which it can distinguish with advantage 
• Choose
– Distribution Dn = {X0, X1}
– Relation R which is “equality with X”
Even if A’ is computationally
unbounded
• For any A’ that does not get C = E(KP, X, r) and outputs Y’
ProbA’[R(X, Y’)] = ½
• By simulating A and outputting Y= Xb for guess b0,1
ProbA[R(X, Y)] ¸ ½ + 
Similar setting
• The same proof works for the shared key case with
adaptive chosen plaintext attack
– Need to give attacker (explicit) access to the encryption device
• ``Standard” definition of semantic security:
– Instead of A trying to find Y such that R(X,Y), A tries to find Y
such that
• Y=f(X)
• f is any function (not necessarily polynomial time computable)
– In spite of difference equivalent to our definition
What happens if…
• There is extra information about X:
– Both A and A’ get h(X) for some polynomial time
computable function h
– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key
When is each definition useful
• Semantic security seems to convey that the
message is protected
– Not the strongest possible definition
• Easier to prove indistinguishability of encryptions
Concatenations
• If (G,E,D) is a semantically secure cryptosystem,
then if Adversary A
Independent keys or
n
• Chooses X0 , X10,1
independent randomness?
Both version…
• Receives k independent encryptions of Xb for
bR0,1
• has to decide whether b  0 or b  1.
• Cannot have non negligible advantage
• Proof: hybrid argument
Concatenation
• Let A be an adversary that selects:
– Distribution Dn on 0,1n
– Relation R computable in probabilistic polynomial time
• Let X1, X2, ... Xk 2R Dn
• Suppose that A receives E(X1), E(X2), ..., E(Xk)
• Computes Y and hopes that R(X1, X2, ..., Xk, Y)
Homework: prove that for any A there is an A’ with
similar probability of success
Trapdoor One-way Permutations
A collection functions with three probabilistic polynomial time algorithms
• Key generation: on input n, the security parameter, and random bits,
generates two keys
KP (Public) and KS (secret) and domain size D (could be 0,1n)
• Forward computation: each KP defines a permutation f(KP,,¢) on D.
Given KP and x easy to compute f(KP,,x)
Hard to invert: for any PPT A given y=f(KP,,x) for a random KP
(generated as above) and x 2R D, probability that A finds x is
negligible
• Backward computation: given Ks easy to invert f(KP,,¢)
there is an algorithm that given KP (Public) and KS (secret) and y=f(KP, x) finds x
Encryption from trapdoor permutation
• Key generation: KP (Public) and KS (secret) are the keys
of the trapdoor permutation
• Encryption: to encrypt a message m0,1k
– select x R 0,1n and r R 0,1n
– compute
g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP(k-1)(x) ¢r
– Send m Xored with g(x) and y=fP(k)(x) and r
(g(x) © m, fP(k)(x), r)
• Decryption: given (c, y, r)
– extract x = fP(-k)(y) using KS
– compute g(x) using r
– extract m by Xoring c with g(x)
Security of construction
Claim: given y=fP(k)(x), r the string
g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP(k-1)(x) ¢r
is indistinguishable from random
Proof: it is a pseudo-random generator
Pseudo-randomness implies indistinguishability of
encryption
(z,y,r)
• Given input (z,y,r) want to
decide whether z=g(x) or
not
• Run A to get {m0,m1}
Choose b 2R {0,1} and
Compute E(mb) = (z©mb, y, r)
A
A’
b’
If b’=b output “pseudo-random”
Example
• Blum-Goldwasser cryptosystem
– Based on the Blum, Blum, Shub pseudo-random generator
– The permutation defined by
N= P ¢ Q,
where P,Q = 3 mod 4
– For x 2 ZN*, x is a quadratic residue
fN(x)=x2 mod N
Known: the last bit(s) of x2 mod N is hardcore
Blum-Goldwasser Encryption
• Key generation: N - Public key and (P,Q) - Secret key a
• Encryption: to encrypt a message m0,1k
– select x R ZN*
– compute
g(x) =x, x2, x4, … x2i, …, x2k mod N
let g(x) be the lsb’s of the sequence
– Send m Xored with g(x) and y = x2k mod N
(g(x) © m, x2k)
• Decryption: given (c, y)
– extract x = yd mod N
– compute g(x)
– extract m by Xoring c with g(x)
(N)=(P-1)(Q-1)
Let d = 2-k mod (N)
Single exponentionation!
Security
Theorem: the Blum-Goldwasser cryptosystem is
semantically secure against chosen plaintext attack
iff factoring is hard
Shared key encryption
• Sender and receiver share a key s of a pseudo-random
function
Fs: {0,1}n  {0,1}k
• Encryption of a message m0,1k
– Choose rR0,1n
– Send (Fs (r) © m,r)
• Decryption of a ciphertext (y,r)
– Compute m=Fs (r) © y
• Proof of security: based on the indistinguishability of Fs from a
truly random function
– As long as all the r’s are different: collection of ciphertexts
indistinguishable from random
Security
Theorem: If Fs is a pseudo-random function then
scheme is semantically secure against chosen
plaintext attack.
Proof: from the equivalent definition of pseudo-random
function where either the last query/challenge is random
or not
Need security against random queries only
Discrete Log Problem
• Let G be a group and g an element in G.
• Let y=gz and x the minimal non negative
integer satisfying the equation.
x is called the discrete log of y to base g.
• Example: y=gx mod p in the multiplicative group of Zp
• In general: easy to exponentiate via repeated squaring
– Consider binary representation
• What about discrete log?
– If difficult, f(g,x) = (g, gx ) is a one-way function
DL Assumption for group G:
• No efficient algorithm can solve for XR[0..n-1] whp the DL
problem for Y=ga
Discrete Log Problem
Very useful group for DL:
• P and Q: Large primes, s.t. Q | P-1
• g: an element of order Q in ZP*.
Best known algorithms – Q
or
– subexponential in log P
Randomized reduction:
given y generate Y’= Ygr for rR [Q]
Diffie-Hellman
The Diffie-Hellman assumption
Let G be a group and g an element in G.
Given g, X=ga and Y=gb it is hard to find Z=gab
for random a and b the probability of a poly-time machine outputting
gab is negligible
More accurately: a sequence of groups
Don’t know how to verify whether given Z’ is equal to gab
Decisional Diffie-Hellman Problem
For for generator g and a,b [Q]
Given g, Y=ga, X=gb and Z decide whether Z =gab
or Z  gab
Equivalent: is logg Y = logX Z
DDH-Assumption:
• The DDH-Problem is hard in the worst case.
Average DDH
For a,bR [Q] and c which is either
– c= ab
– cR [Q]
Given
Y=ga and X=gb and Z =gc
decide whether
Z =gab or Z gab
DDH-Assumption average case:
• The DDH-Problem is hard for above distribution
Worst to Average case reduction
Theorem:The average case and worst case of the
DDH-Assumption are equivalent.
• Given ga and gb and gc (and P, Q)
• Sample r,s1,s2R [Q]
c is either ab or not
• compute
a’ = ras1 mod Q
ga’ = (ga)r gs1
b’ = bs2 mod Q
a’b’=rab+ras2+bs1+s1s
gb’ = (gb) gs2
2
gc’ = (gc)r (ga)rs2 (gb)s1 gs1s2
…Worst to average
If c = abe mod Q then
– a’ = ras1 mod Q
– b’ = bs2 mod Q
– c'= a'b'+ e r mod Q
a’ = ras1 mod Q
b’ = bs2 mod Q
a’b’=rab+ras2+bs1+s1s
2
• Always: a’ and b' are uniformly distributed.
• If e =0, then c' = a'b'.
• Otherwise c' is uniform and independent in [Q]
Evidence to Validity of DDH
• Endured extensive research for DH search
– DH-search related to discrete log
• Hard for generic algorithms
– that work in a black-box group)
• Computing the most significant bits of gab is hard
• Random-self-reducibility.
El-Gamal Cryptosystem variant:
• Private key a R [Q]
Subgroup of
size Q
h
• Public key Y=ga and P, Q and h
• To encrypt M
r
{0,1}
r
– choose rR [Q] compute X=g and Y
Z
r
– send hX , h(Y )Mi
How is h chosen?
• To decrypt hX, Wi:
a
r
Pair-wise independence
– compute X = Y and
k
P
a
– output h(X )  W
suffices
El-Gamal Security
Under the DDH assumption cryptosystem is
semantically secure against chosen plaintext
but...
• Scheme is malleable
– To change M to M’=MC :
change hX, Wi to hX, WCi
Open Problems
• How to get a good encryption scheme with a
weaker than fully blown pseudo-random function
From single bit to many bits
• If there is an encryption scheme that can hide E(KP, 0 ,r)
from E(KP, 1 ,r):
then can construct a full blown semantically secure cryptosystem by
concatenation (for any length messages)
• Each bit in the message m0,1k is encrypted separately
• Proof: a hybrid argument
– Using definition of indistinguishability of encryption
– Suppose adversary chooses X0, X1  0,1k
– Let:
• D0 be the distribution on encryptions of X0
• Dk be the distribution on encryptions of X1
• Di be the distribution where the first i bits
are from X0 and the last k-i bits are from X1
• Example: quadratic residues mod N
Difference with concatenation:
each one is a bit
One-way encryption is sufficient for semantic
security against chosen plaintext attack
Call an encryption scheme one-way if given c=E(KP, m, s)
for random m and s it is hard to find m
This is the weakest form of security one can expect from a ``selfrespecting” cryptosystem
Can construct a single-bit indistinguishable scheme from it:
• To encrypt a bit b0,1:
–
–
choose random x, s and r
Send (c,r,b’) where
•
•
c=E(KP, x, s)
b’= x¢r © b
Security: from the Goldreich-Levin reconstruction algorithm
Examples of public-key cryptosystems
•
•
Factoring related: RSA, Rabin
Discrete-log related:
–
–
•
Diffie-Hellman (El Gamal)
Various groups
Early Knapsack and Codes (late 1970’s)
–
–
•
Merkle Hellman
McEliece: probabilistic cryptosystem
Modern Lattice Based
–
Ajtai-Dwork: only one for which worst case to hardness reduction
is known
•
•
•
Goldreich-Goldwasser and Halevi
Regev’s
NTRU
Further Issues
• What about errors in decryption?
• Is the this the ultimate definition
– Does it capture all the ways where encryption is used?
Example: Interactive Authentication
P wants to convince V that he is approving message m
P has a public key KP of an encryption scheme E.
To authenticate a message m:
• V  P: Choose r 2R {0,1}n.
Send c=E(m ° r, KP)
• P  V : Receiving c
Decrypt c using KS
Verify that prefix of plaintext is m.
If yes - send r.
V is satisfied if he receives the same r he choose
Is it Safe?
• Definition of security: Existential unforgeability against adaptive
chosen message attack
– Adversary can ask to authenticate any sequence of messages m1, m2, …
– Has to succeed in making V accept a message m not authenticated
– Has complete contrl ove the channels
• Intuition of security: if E does not leak information about plaintext
– Nothing is leaked about r
• Several problems: if E is “just” semantically secure against chosen
plaintext attacks:
– Adversary might change c=E(m ° r, KP) into c’=E(m’ ° r, KP)
• Malleability
– not sufficient to verify correct form of ciphertext in simulation
• Closer to a chosen ciphertext attack
Sources
• Goldwasser-Micali: Probabilistic Encryption, Journal
of Computer and System Sciences, 1984.
• Goldreich’s Foundations of Cryptography, volume 2
Related documents
50 Word Company Description 100 Word
50 Word Company Description 100 Word
a common digital Europe
a common digital Europe
Are you looking for an easier way to initiate and
Are you looking for an easier way to initiate and
Database Security
Database Security
BitLocker Drive Encryption Self
BitLocker Drive Encryption Self
All Definitions for
All Definitions for
Network Security: It`s Time to Take It Seriously
Network Security: It`s Time to Take It Seriously
Pr sentation PowerPoint
Pr sentation PowerPoint
Solutions to the practice questions for midterm
Solutions to the practice questions for midterm
Database Confidentiality
Database Confidentiality
CSCI 3140 Module 3 – Logical Database
CSCI 3140 Module 3 – Logical Database
Document
Document
MAS144 – Computational Mathematics and Statistics A (Statistics)
MAS144 – Computational Mathematics and Statistics A (Statistics)
CS 363 Comparative Programming Languages
CS 363 Comparative Programming Languages