Foundations of Cryptography

Lecture 13

Lecturer: Moni Naor

Recap of Lecture 12

• Pseudo-Random Permutations• Feistal Permutations• Proof of the construction• Semantic Security and Indistinguishability of

encryptions

To specify security of encryption

• The power of the adversary – computational

• Probabilistic polynomial time machine (PPTM)– access to the system

• Can it change the messages?

• What constitute a failure of the system – what it means to break the system.– Reading a message– Forging a message?

What is a public-key encryption scheme

• Allows Alice to publish a public key KP while keeping hidden a secret key KS Key generation: a method G:{0,1}* {0,1}* x {0,1}* that

outputs KP (Public) and KS (secret)• ``Anyone” who is given KP and m can encrypt it

Encryption: a method E:{0,1}* x {0,1}* x {0,1}* {0,1}*

that takes a public key KP a message (plaintext) m and random coins and output an encrypted message ciphertext

• Given a ciphertext and the secret key it possible to decrypt itDecryption: a method

D:{0,1}* x {0,1}* x {0,1}* {0,1}* that takes a secret key KS, a public key KP and a ciphertext c and

output a plaintext m. In general D(KS, KP, E(KP, m, r)) = m

Computational Security of EncryptionIndistinguishability of Encryptions

Indistinguishability of encrypted strings:• Adversary A chooses X0 , X1 0,1n

• receives encryption of Xb for bR0,1• has to decide whether b 0 or b 1.

For every pptm A, choosing a pair X0 , X1 0,1n PrA ‘1’ b 1 - PrA ‘1’ b 0 is negligible.

Probability is over the choice of keys, randomization in the encryption and A‘s coins.

In other words: encryptions of X0 , X1 are indistinguishable

Quantification over the choice of X0 , X1 0,1n

Computational Security of EncryptionSemantic Security

Whatever Adversary A can compute on encrypted string X 0,1n so can A’ that does not see the encryption of X yet simulates A ‘s knowledge with respect to X

A selects:• Distribution Dn on 0,1n

• Relation R(X,Y) - computable in probabilistic polynomial timeFor every pptm A choosing a (polynomial time samplable) distribution Dn

on 0,1n there is an pptm A’ so that for all pptm relation R for XR Dn

PrR(X,A(E(X)) - Pr R(X,A’())

is negligible

In other words: The outputs of A and A’ are indistinguishable even for a test who is aware of X

Note: presentation of semantic security is non-standard (but equivalent to it)

Equivalence of Semantic Security and Indistinguishability of Encryptions

• Would like to argue their equivalence• Must define the attack

– Otherwise cannot fully talk about an attack• Chosen plaintext attacks

– Adversary can obtain the encryption of any message it wishes– In an adaptive manner– Certainly feasible in a public-key setting– What about shared-key encryption?

• More severe attacks– Chosen ciphertext

Security of public key cryptosystems:exact timing

• Adversary A gets to public key KP • Then A can mount an adaptive attack

– No need for further interaction since can do all the encryption on its own

• Then A chooses– In semantic security the distribution Dn and the relation R

– In indistinguishability of encryptions the pair X0 , X1 0,1n

• Then A is given the test– In semantic security E(KP, X ,r) for XR Dn

and rR 0,1m

– In indistinguishability of encryptions the E(KP, Xb ,r) for bR 0,1

and rR 0,1m

The Equivalence Theorem

• For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property

Equivalence ProofIf a scheme has the indistinguishability of encryptions property, then it is

semantically secure:• Suppose not, and A chooses

– some distribution Dn – some relation R

• Choose X0 , X1 R Dn and run A twice on

– C0 = E(KP, X0 ,r0) call the output Y0

– C1 = E(KP, X1 ,r1) call the output Y1

• For X0 , X1 R Dn let

– 0 = Prob[R(X0, Y0)] – 1 = Prob[R(X1, Y0)]

• If 0 -1 If is non negligible can distinguish between encryption of X0 of X1 – Contradicting the indistinguishability property

• If 0 -1 is negligible can run A’ with no access to encryption– sample X’ R Dn

and C’ = E(KP, X’, r) – Run A on C’ and output Y’

Here we Use the power to generate encryptions

Equivalence Proof…If a scheme is semantically secure, then it has the

indistinguishability of encryptions property:• Suppose not, and A chooses

– A pair X0 , X10,1n

– For which it can distinguish with advantage • Choose

– distribution Dn = {X0 , X1 }

– Relation R which is “equality with X”

• For any A’ that does not get C = E(KP, X ,r) and outputs Y’

Prob[R(X, Y’)]= ½ • By simulating A and outputting Y= Xb for guess b0,1

Prob[R(X, Y)] ¸ ½ +

Similar setting

• The same proof works for the shared key case with adaptive chosen plaintext attack

• ``Standard” definition of semantic security:– Instead of A trying to find Y such that R(X,Y), A tries

to find Y such that• Y=f(X)• f is any function (not necessarily polynomial time computable)

– In spite of difference equivalent to our definition

When is each definition useful

• Semantic security seems to convey that the message is protected– Not the strongest possible definition

• Easier to prove indistinguishability of encryptions

Concatenations

• If (G,E,D) is a semantically secure cryptosystem, then if Adversary A

• Chooses X0 , X10,1n

• Receives k independent encryptions of Xb for bR0,1

• has to decide whether b 0 or b 1.• Cannot have non negligible advantage• Proof: hybrid argument

Concatenation

• Let A be an adversary that selects:– Distribution Dn on 0,1n

– Relation R computable in probabilistic polynomial time

• Let X1, X2, ... Xk 2R Dn

• Suppose that A receives E(X1), E(X2), ..., E(Xk)

• Computes Y and hopes that R(X1, X2, ..., Xk ,Y)

Homework: prove that for any A there is an A’ with similar probability of success

Construction: from trapdoor permutation• Key generation: KP (Public) and KS (secret) are the keys

of the trapdoor permutation• Encryption: to encrypt a message m0,1k

– select x R 0,1n and r R 0,1n – compute

g(x)=x¢r, fP(x) ¢r, fP(2)(x) ¢r, … fP

(k-1)(x) ¢r– Send m Xored with g(x) and y=fP

(k)(x) and r(g(x) © m, fP

(k)(x), r)• Decryption: given (c, y, r)

– extract x = fP(-k)(y) using KS

– compute g(x) using r– extract m by Xoring c with g(x)

Security of construction

Claim: given y=fP(k)(x), g(x) is indistinguishable

from randomProof: it is a pseudo-random generator

Pseudo-randomness implies indistinguishability of encryption

Example

• Blum-Goldwasser cryptosystem– Based on the Blum, Blum, Shub pseudo-random

generator– The permutation defined by N= P ¢ Q, where

P,Q = 3 mod 4– For x 2 ZN

*, x is a quadratic residue

fN(x)=x2 mod N

Shared key encryption

• Sender and receiver share a key s of a pseudo-random function

Fs: {0,1}n {0,1}k

• Encryption of a message m0,1k

– Choose rR0,1n

– Send (Fs (r) © m,r)• Decryption of a ciphertext (y,r)

– Compute m=Fs (r) © y

• Proof of security: based on the indistinguishability of Fs from a truly random function

Open Problems

• How to get a good encryption scheme with a weaker than fully blown pseudo-random function

• Homework: read – Moni Naor and Omer Reingold, From Unpredictability

to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs, Crypto'98.

From single bit to many bits• If there is an encryption scheme that can hide E(KP, 0 ,r) from

E(KP, 1 ,r), then can construct a full blown (for any length messages) semantically secure cryptosystem by concatenation

• Each bit in the message m0,1k is encrypted separately• Proof: a hybrid argument

– Using definition of indistinguishability of encryption– Suppose adversary chooses X0 , X10,1k

– Let:• D0 be the distribution on encryptions of X0 • Dk be the distribution on encryptions of X1 • Di be the distribution where the first i bits are from X0 and the last k-i bits are from X1

• Example: quadratic residues mod N

One-way encryption is sufficient for semantic security against chosen plaintext attackCall an encryption scheme one-way if given c=E(KP, m, s) for

random m and s it is hard to find mThis is the weakest form of security one can expect from a ``self-respecting”

cryptosystem• Can use it to construct a single-bit indistinguishable scheme:• To encrypt a bit b0,1:

– choose random x, s and r – Send (c,r,b’) where

• c=E(KP, x, s)• b’= x¢r © b

Security: from the Goldreich-Levin reconstruction algorithm

Examples of public-key cryptosystems• Factoring related: RSA, Rabin• Discrete-log related:

– Diffie-Hellman (El Gamal)– Various groups

• Early Knapsack and Codes (late 1970’s)– Merkle Hellman– McEliece: probabilsitic cryptosystem

• Modern Lattice Based– Ajtai-Dwork: only one for which worst case to hardness

reduction is known– Goldreich-Goldwasser and Halevi

• NTRU

Example: Interactive Authentication

P wants to convince V that he is approving message mP has a public key KP of an encryption scheme E.To authenticate a message m:• V P: Choose r 2R {0,1}n. Send c=E(m ° r, KP)• P V : Receiving c

Decrypt c using KS

Verify that prefix of plaintext is m. If yes - send r.V is satisfied if he receives the same r he choose