Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Foundations of Cryptography Lecture 11: Security of Encryption Schemes Lecturer: Moni Naor Recap of last week’s lecture • Pseudo-random permutations constructions • Notions of security: – Indistinguishabilty of encryptions – Semantic Security • Equivalence • Public-key cryptosystems The world so far Signature Schemes UOWHFs Pseudo-random generators One-way functions Two guards Identification P NP Will soon see: •Computational Pseudorandomness •Shared-key Encryption and Authentication Pseudo-random Functions Pseudo-random Permutations Open Problems • Construct small domain pseudo-random permutations – With good security reductions • Construct a cryptosystem that remains secure when encrypting its own key Encryption Using Pseudo-Random Permutations • Sender and Receiver share a secret key S R {0,1}k • S defines a function FS Fk • What is wrong with encrypting X with FS (x)? Definition of the Security of Encryption Information Theoretic Setting • Several settings – Shared key vs public key – How active is the adversary • If Eve has some knowledge of m should remain the same – Probability of guessing m • Min entropy of m – Probability of guessing whether m is m0 • Sender and receiver want to or m1 prevent Eve from learning – Probability of computing some function f anything about the message of m • Ideally: the ciphertext sent is • Want to simulate as much as independent of the message m possible the protection that an – Implies all the above information theoretic encryption • Shannon: achievable only if the entropy of scheme provides the shared secret is at least as large as • the message m entropy If no special knowledge about m – then |m| shared bits that may be used once! To specify security of encryption • The power of the adversary – computational • Probabilistic polynomial time machine (PPTM) – access to the system • Can it change the messages? • What constitute a failure of the system What it means to break the system. – Reading a message – Forging a message? Computational Security of Encryption Indistinguishability of Encryptions Indistinguishability of encrypted strings: • Adversary A chooses X0 , X1 0,1n • receives encryption of Xb for bR0,1 • has to decide whether b 0 or b 1. For every pptm A, choosing a pair X0, X1 0,1n PrA ‘1’ b 1 - PrA ‘1’ b 0 is negligible. Probability is over the choice of keys, randomization in the encryption and A‘s coins. In other words: encryptions of X0, X1 are indistinguishable Quantification over the choice of X0, X1 0,1n Computational Security of Encryption Semantic Security Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does not see the encryption of X, yet simulates A’s knowledge with respect to X A selects: • Distribution Dn on 0,1n • Relation R(X,Y) - computable in probabilistic polynomial time For every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all pptm relation R for XR Dn PrR(X,A(E(X)) - PrR(X,A’()) is negligible In other words: The outputs of A and A’ are indistinguishable even for a tester who is aware of X Note: presentation of semantic security is non-standard (but equivalent) A: Dn A’: Dn E(X) X 2R Dn . A X A’ Y X R Y R ¼ What is a public-key encryption scheme • Allows Alice to publish public key KP while keeping hidden a secret key KS Key generation: G:{0,1}*{0,1}*x{0,1}* outputting KP (Public) and KS (secret) • ``Anyone” who is given KP and m can encrypt it Encryption: a method E:{0,1}* x {0,1}* x {0,1}* {0,1}* taking public-key KP, message (plaintext) m, random coins r and outputs an encrypted message (ciphertext). • Given a ciphertext and secret key it is possible to decrypt it Decryption: a method D:{0,1}* x {0,1}* x {0,1}* {0,1}* taking secret-key KS, public-key KP, and ciphertext c and outputs a plaintext m. Require D(KS, KP, E(KP, m, r)) = m Equivalence of Semantic Security and Indistinguishability of Encryptions • Would like to argue their equivalence • Must define the attack – Otherwise cannot fully talk about an attack • Chosen plaintext attacks – Adversary can obtain the encryption of any message it wishes – In an adaptive manner – Certainly feasible in a public-key setting • Minimal one that makes sense there – What about shared-key encryption? • More severe attacks – Chosen ciphertext Encryption process must be probabilistic! Security of public key cryptosystems: exact timing • Adversary A gets public key KP • Then A can mount an adaptive attack – No need for further interaction since can do all the encryption on its own • Then A chooses – In semantic security: the distribution Dn and the relation R – In indistinguishability of encryptions: the pair X0, X1 0,1n • Then A is given the test – In semantic security: E(KP, X ,r) for XR Dn and rR 0,1m – In indistinguishability of encryptions: E(KP, Xb, r) for bR0,1 and rR0,1m The Equivalence Theorem • For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property Equivalence Proof If a scheme has the indistinguishability property, then it is semantically secure: • Suppose not, and A chooses – some distribution Dn – some relation R • Choose X0, X1 R Dn and run A twice on – C0 = E(KP, X0 ,r0) call the output Y0 – C1 = E(KP, X1 ,r1) call the output Y1 • For X0, X1 R Dn let – – 0 = Prob[R(X0, Y0)] 1 = Prob[R(X0, Y1)] Here we use the power to generate encryptions • If |0-1| is not negligible: can distinguish between encryption of X0 of X1 – Contradicting the indistinguishability property • If |0-1| is negligible: can run A’ with no access to real ciphertext – sample X’ R Dn and C’ = E(KP, X’, r) – Run A on C’ and output Y’ Equivalence Proof E(Xb) • For X0, X1 R Dn let – 0 = Prob[R(X0, Y0)] – 1 = Prob[R(X0, Y1)] • If |0-1| is not negligible: can distinguish between encryption of X0 of X1 – Contradicting the indistinguishability property A X0 Y R A’ Equivalence Proof X’ E(X) E(X’) A A • For X0, X1 R Dn let – 0 = Prob[R(X0, Y0)] – 1 = Prob[R(X0, Y1)] • If |0-1| is negligible: can run A’ with no access to real ciphertext – sample X’ R Dn and C’=E(KP, X’, r) – Run A on C’ and output Y’ X Y R X Y’ R Equivalence Proof… If a scheme is semantically secure, then it has the indistinguishability of encryptions property: • Suppose not, and A chooses – A pair X0, X10,1n – For which it can distinguish with advantage • Choose – Distribution Dn = {X0, X1} – Relation R which is “equality with X” Even if A’ is computationally unbounded • For any A’ that does not get C = E(KP, X, r) and outputs Y’ ProbA’[R(X, Y’)] = ½ • By simulating A and outputting Y= Xb for guess b0,1 ProbA[R(X, Y)] ¸ ½ + Similar setting • The same proof works for the shared key case with adaptive chosen plaintext attack – Need to give attacker (explicit) access to the encryption device • ``Standard” definition of semantic security: – Instead of A trying to find Y such that R(X,Y), A tries to find Y such that • Y=f(X) • f is any function (not necessarily polynomial time computable) – In spite of difference equivalent to our definition What happens if… • There is extra information about X: – Both A and A’ get h(X) for some polynomial time computable function h – h might not be invertible • Relation R is not polynomial time • Try to encrypt information about the secret key When is each definition useful • Semantic security seems to convey that the message is protected – Not the strongest possible definition • Easier to prove indistinguishability of encryptions Concatenations • If (G,E,D) is a semantically secure cryptosystem, then if Adversary A Independent keys or n • Chooses X0 , X10,1 independent randomness? Both version… • Receives k independent encryptions of Xb for bR0,1 • has to decide whether b 0 or b 1. • Cannot have non negligible advantage • Proof: hybrid argument Concatenation • Let A be an adversary that selects: – Distribution Dn on 0,1n – Relation R computable in probabilistic polynomial time • Let X1, X2, ... Xk 2R Dn • Suppose that A receives E(X1), E(X2), ..., E(Xk) • Computes Y and hopes that R(X1, X2, ..., Xk, Y) Homework: prove that for any A there is an A’ with similar probability of success Trapdoor One-way Permutations A collection functions with three probabilistic polynomial time algorithms • Key generation: on input n, the security parameter, and random bits, generates two keys KP (Public) and KS (secret) and domain size D (could be 0,1n) • Forward computation: each KP defines a permutation f(KP,,¢) on D. Given KP and x easy to compute f(KP,,x) Hard to invert: for any PPT A given y=f(KP,,x) for a random KP (generated as above) and x 2R D, probability that A finds x is negligible • Backward computation: given Ks easy to invert f(KP,,¢) there is an algorithm that given KP (Public) and KS (secret) and y=f(KP, x) finds x Encryption from trapdoor permutation • Key generation: KP (Public) and KS (secret) are the keys of the trapdoor permutation • Encryption: to encrypt a message m0,1k – select x R 0,1n and r R 0,1n – compute g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP(k-1)(x) ¢r – Send m Xored with g(x) and y=fP(k)(x) and r (g(x) © m, fP(k)(x), r) • Decryption: given (c, y, r) – extract x = fP(-k)(y) using KS – compute g(x) using r – extract m by Xoring c with g(x) Security of construction Claim: given y=fP(k)(x), r the string g(x) = x¢r, fP(x) ¢r, fP(2)(x) ¢r, …, fP(k-1)(x) ¢r is indistinguishable from random Proof: it is a pseudo-random generator Pseudo-randomness implies indistinguishability of encryption (z,y,r) • Given input (z,y,r) want to decide whether z=g(x) or not • Run A to get {m0,m1} Choose b 2R {0,1} and Compute E(mb) = (z©mb, y, r) A A’ b’ If b’=b output “pseudo-random” Example • Blum-Goldwasser cryptosystem – Based on the Blum, Blum, Shub pseudo-random generator – The permutation defined by N= P ¢ Q, where P,Q = 3 mod 4 – For x 2 ZN*, x is a quadratic residue fN(x)=x2 mod N Known: the last bit(s) of x2 mod N is hardcore Blum-Goldwasser Encryption • Key generation: N - Public key and (P,Q) - Secret key a • Encryption: to encrypt a message m0,1k – select x R ZN* – compute g(x) =x, x2, x4, … x2i, …, x2k mod N let g(x) be the lsb’s of the sequence – Send m Xored with g(x) and y = x2k mod N (g(x) © m, x2k) • Decryption: given (c, y) – extract x = yd mod N – compute g(x) – extract m by Xoring c with g(x) (N)=(P-1)(Q-1) Let d = 2-k mod (N) Single exponentionation! Security Theorem: the Blum-Goldwasser cryptosystem is semantically secure against chosen plaintext attack iff factoring is hard Shared key encryption • Sender and receiver share a key s of a pseudo-random function Fs: {0,1}n {0,1}k • Encryption of a message m0,1k – Choose rR0,1n – Send (Fs (r) © m,r) • Decryption of a ciphertext (y,r) – Compute m=Fs (r) © y • Proof of security: based on the indistinguishability of Fs from a truly random function – As long as all the r’s are different: collection of ciphertexts indistinguishable from random Security Theorem: If Fs is a pseudo-random function then scheme is semantically secure against chosen plaintext attack. Proof: from the equivalent definition of pseudo-random function where either the last query/challenge is random or not Need security against random queries only Discrete Log Problem • Let G be a group and g an element in G. • Let y=gz and x the minimal non negative integer satisfying the equation. x is called the discrete log of y to base g. • Example: y=gx mod p in the multiplicative group of Zp • In general: easy to exponentiate via repeated squaring – Consider binary representation • What about discrete log? – If difficult, f(g,x) = (g, gx ) is a one-way function DL Assumption for group G: • No efficient algorithm can solve for XR[0..n-1] whp the DL problem for Y=ga Discrete Log Problem Very useful group for DL: • P and Q: Large primes, s.t. Q | P-1 • g: an element of order Q in ZP*. Best known algorithms – Q or – subexponential in log P Randomized reduction: given y generate Y’= Ygr for rR [Q] Diffie-Hellman The Diffie-Hellman assumption Let G be a group and g an element in G. Given g, X=ga and Y=gb it is hard to find Z=gab for random a and b the probability of a poly-time machine outputting gab is negligible More accurately: a sequence of groups Don’t know how to verify whether given Z’ is equal to gab Decisional Diffie-Hellman Problem For for generator g and a,b [Q] Given g, Y=ga, X=gb and Z decide whether Z =gab or Z gab Equivalent: is logg Y = logX Z DDH-Assumption: • The DDH-Problem is hard in the worst case. Average DDH For a,bR [Q] and c which is either – c= ab – cR [Q] Given Y=ga and X=gb and Z =gc decide whether Z =gab or Z gab DDH-Assumption average case: • The DDH-Problem is hard for above distribution Worst to Average case reduction Theorem:The average case and worst case of the DDH-Assumption are equivalent. • Given ga and gb and gc (and P, Q) • Sample r,s1,s2R [Q] c is either ab or not • compute a’ = ras1 mod Q ga’ = (ga)r gs1 b’ = bs2 mod Q a’b’=rab+ras2+bs1+s1s gb’ = (gb) gs2 2 gc’ = (gc)r (ga)rs2 (gb)s1 gs1s2 …Worst to average If c = abe mod Q then – a’ = ras1 mod Q – b’ = bs2 mod Q – c'= a'b'+ e r mod Q a’ = ras1 mod Q b’ = bs2 mod Q a’b’=rab+ras2+bs1+s1s 2 • Always: a’ and b' are uniformly distributed. • If e =0, then c' = a'b'. • Otherwise c' is uniform and independent in [Q] Evidence to Validity of DDH • Endured extensive research for DH search – DH-search related to discrete log • Hard for generic algorithms – that work in a black-box group) • Computing the most significant bits of gab is hard • Random-self-reducibility. El-Gamal Cryptosystem variant: • Private key a R [Q] Subgroup of size Q h • Public key Y=ga and P, Q and h • To encrypt M r {0,1} r – choose rR [Q] compute X=g and Y Z r – send hX , h(Y )Mi How is h chosen? • To decrypt hX, Wi: a r Pair-wise independence – compute X = Y and k P a – output h(X ) W suffices El-Gamal Security Under the DDH assumption cryptosystem is semantically secure against chosen plaintext but... • Scheme is malleable – To change M to M’=MC : change hX, Wi to hX, WCi Open Problems • How to get a good encryption scheme with a weaker than fully blown pseudo-random function From single bit to many bits • If there is an encryption scheme that can hide E(KP, 0 ,r) from E(KP, 1 ,r): then can construct a full blown semantically secure cryptosystem by concatenation (for any length messages) • Each bit in the message m0,1k is encrypted separately • Proof: a hybrid argument – Using definition of indistinguishability of encryption – Suppose adversary chooses X0, X1 0,1k – Let: • D0 be the distribution on encryptions of X0 • Dk be the distribution on encryptions of X1 • Di be the distribution where the first i bits are from X0 and the last k-i bits are from X1 • Example: quadratic residues mod N Difference with concatenation: each one is a bit One-way encryption is sufficient for semantic security against chosen plaintext attack Call an encryption scheme one-way if given c=E(KP, m, s) for random m and s it is hard to find m This is the weakest form of security one can expect from a ``selfrespecting” cryptosystem Can construct a single-bit indistinguishable scheme from it: • To encrypt a bit b0,1: – – choose random x, s and r Send (c,r,b’) where • • c=E(KP, x, s) b’= x¢r © b Security: from the Goldreich-Levin reconstruction algorithm Examples of public-key cryptosystems • • Factoring related: RSA, Rabin Discrete-log related: – – • Diffie-Hellman (El Gamal) Various groups Early Knapsack and Codes (late 1970’s) – – • Merkle Hellman McEliece: probabilistic cryptosystem Modern Lattice Based – Ajtai-Dwork: only one for which worst case to hardness reduction is known • • • Goldreich-Goldwasser and Halevi Regev’s NTRU Further Issues • What about errors in decryption? • Is the this the ultimate definition – Does it capture all the ways where encryption is used? Example: Interactive Authentication P wants to convince V that he is approving message m P has a public key KP of an encryption scheme E. To authenticate a message m: • V P: Choose r 2R {0,1}n. Send c=E(m ° r, KP) • P V : Receiving c Decrypt c using KS Verify that prefix of plaintext is m. If yes - send r. V is satisfied if he receives the same r he choose Is it Safe? • Definition of security: Existential unforgeability against adaptive chosen message attack – Adversary can ask to authenticate any sequence of messages m1, m2, … – Has to succeed in making V accept a message m not authenticated – Has complete contrl ove the channels • Intuition of security: if E does not leak information about plaintext – Nothing is leaked about r • Several problems: if E is “just” semantically secure against chosen plaintext attacks: – Adversary might change c=E(m ° r, KP) into c’=E(m’ ° r, KP) • Malleability – not sufficient to verify correct form of ciphertext in simulation • Closer to a chosen ciphertext attack Sources • Goldwasser-Micali: Probabilistic Encryption, Journal of Computer and System Sciences, 1984. • Goldreich’s Foundations of Cryptography, volume 2