View
217
Download
1
Embed Size (px)
Citation preview
Lecturer: Moni Naor
Foundations of Cryptography
Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes
Recap of last week’s lecture• Pseudo-random functions constructions • Pseudo-random function applications• Pseudo-random Permutation Motivation nad
Definition• Feistal Permutations
Good question on pseudo-random functionsWant to construct a pseudo-random permutation on
very large domain, from one on large domain • FS: {0,1}n {0,1}m
• Construct F’S’: {0,1}n’ {0,1}m Idea: let H a family of universal hash functions where
– h: {0,1}n’ {0,1}n for h 2 H– for any x x’ we have Probh 2 H h(x) = h(x’) ·
Then F’S,h(x) = FS (h(x))
What can you say about the quality of F’
Pseudo-Random Permutations
Block-Ciphers:• Shared-key encryption
schemes where: The encryption of every plaintext
block is a ciphertext block of the same length.
Key BC
Plaintext
Ciphertext
Block Ciphers
Advantages– Saves up on memory and communication bandwidth– Easy to incorporate within existing systems.
Main Disadvantage– Every block is always encrypted in the same way.
• Important Examples: DES, AES
Modeling Block Ciphers
• Pseudo-random Permutations
F : 0,1k 0,1n 0,1n
Key Domain Range
F-1: 0,1k 0,1n 0,1n
Key Range Domain
Want:– X= FS
-1 (FS (X))• Correct inverse
– Efficiently computable
The Test
The tester A that can choose adaptively– X1 and get Y1= FS (X1)– Y2 and get X2= FS
-1(Y2) …
– Xq and get Yq= FS (Xq)• Then A has to decide whether
– FS R Φkor– FS R P
(n) = F | 1-1 F :0,1n 0,1n
Can choose to evaluate or invert any point!
(t,,q)-pseudo-random
For a function F chosen at random from
(1) Φk={FS | S0,1k
(2) P(n) = F | 1-1 F :0,1n 0,1n
For all t-time machines A that choose q locations and try to distinguish (1) from (2) PrA= ‘1’ FR Fk
- PrA= ‘1’ FR P(n)
Construction of Pseudo-Random Permutations
• Possible to construct pseudo-random permutations from pseudo-random functions (and vice versa...)
• Based on 4 Feistal Permutations
Feistal Permutation
Any function f :0,1n 0,1n defines a Feistal Permutation 0,12n 0,12n
Df(L,R)=(R, L f(R))
Feistal permutations are as easy to invert as to compute:Df
-1(L,R)=(Rf(L),L)
Many Block Cipher based on such permutations, where the function f is derived from secret key
Feistal Permutation
f
L1 R1
L2 R2
Df(L1,R1)=(R1, L1f(R1))
Df-1(L2,R2)=(R2f(L2),L2)
Composing Feistal Permutations• Make the function f:0,1n 0,1n a pseudo-random
function FS R Φk
• This defines a keyed family of permutations 0,12n 0,12n
• Clearly it is not pseudo-random– Right block goes unchanged to left block
What about composing two such keyed permutations With independent keys
• Not pseudo-random:DS2
(DS1(L,R))= (FS1
(R)L, FS2(FS1
(R)L)R)
– For two inputs sharing the same left block– Looks pretty good for random attacks!
Protects left block
Protects right block
Main ConstructionLet F1, F2 ,F3 ,F4 R PRF, then the composition of
DF1, DF2
, DF3, DF4
is a pseudo-random permutation.
• Each Fi :0,1n 0,1n.Resulting Permutation 0,12n 0,12n.
• F1 and F4 can be ``combinatorial”:– pair-wise independent.– low probability of collision on first block
• Error probability is ~ q2/2n
Security TheoremLet(1) be the set of permutations obtained when
The two middle are Feistal permutations based on truly random functions GS1, GS2 and the first and last are (h1, h2) chosen from a pairwise independent family.
(2) P(2n) = F | 1-1 F :0,12n 0,12n
Theorem: For any adversary A– not necessarily efficient – that makes at most q queries
the advantage in distinguishing between a random permutation from P(2n) and a random one from is at most q2/2n + q2/22n
Corollary: the original construction is computationally secure
h1
h-12
D1
D2
Back to two permutationsFor each pair of input and output blocks (L1,R1) is mapped
to (L2,R2) if and only if• GS1
(R1) = L1 L2
• GS2(L2) = R1 R2
• So we have “one-wise independence”:– Happens with probability 1/22n
• Furthermore: for any q pairs h(L1
1,R11) (L2
1,R21)i, h(L1
2,R12) (L2
2,R22)i, … , h(L1
q,R1q) (L2
q,R2q)i
such thatFor j i: R1
j R1i and L2
j L2i
The probability that all are mapped to each other is 1/22qn
(GS1(R1)L1, GS2
(GS1(R1)L1)R1)
L2 R2
The Transcript• May assume A is deterministic
– Since this it is not computationally bounded• The transcript T is the set of pairs of inputs/outputs
(X1,Y1), (X2,Y2), … , (Xq,Yq)
queries by A– Queries can go either way (evaluate or invert)
• Consider a third distribution P of responses if A– asks for F(x) and x appeared before in and <x,y>, query:
• answer y– asks for F-1(y) and y appeared before in and <x,y>, query:
• answer x– Otherwise answer a random z 0,12n.
• P is not always consistent with some permutation– Call the resulting transcript inconsistent
P is close to P
Claim: A may differentiate between P and P only if transcript is inconsistent
Claim [“inconsistent”]:
ProbP[T is inconsistent] q2/22n
Proof: birthday
It remains to bound the difference between P and
The BAD event
Thought experiment: choose the functions (h1, h2) also for process P
Serves no purpose there
If T = (X1,Y1), (X2,Y2), … , (Xq,Yq) is consistent, it is BAD for functions (h1, h2) if there exist ji such that either– h1(xi) collides with the right half of h1(xj) – h2(yi) collides with the left half of h2(yj)
BAD event: either T is inconsistent or T is BAD for (h1, h2)
Claim: ProbP[BAD] q2/2n + q2/22n
For a query the probability of collision based on pairwise independence
Key Lemma
Lemma: For any adversary A, for any possible value
V= (X1,Y1), (X2,Y2), … , (Xq,Yq)
ProbP[T=V and not BAD]
= Prob[T=V and not BAD]
It is either 2-2qn or 0
Concluding the proofBy summing Key Lemma over all transcripts• ProbP[not BAD] = Prob[not BAD] this implies• ProbP[BAD] = Prob[BAD]
By summing Key Lemma over all transcripts for which A outputs ‘1’:ProbP[A outputs ‘1’ and not BAD]
= Prob[A outputs ‘1’ and not BAD]Hence:
ProbP[A outputs ‘1’]- Prob[A outputs ‘1’] ProbP [BAD] q2/2n + q2/22n
By the “inconsistent” Claim P and P are close and we are done
The world so far
Pseudo-random generators
Signature Schemes
UOWHFs
One-way functions
Two guards Identification
Will soon see:
•Computational Pseudorandomness
•Shared-key Encryption and Authentication
P NP
Pseudo-random Permutations
Pseudo-random Functions
Other Constructions• Generalized Feistal Permutations
• Generalized construction of pseudo-random permutations:– The first and last rounds as before.– The two middle Feistal permutations are replaced with t generalized
Feistel permutations.– The distinguishing probability is roughly q2/22(1-1/t)n
• Construction of long pseudo-random permutations from short ones:– First and last round combinatorial – In the middle independent applications of the short pseudo-random
permutations
Encryption Using Pseudo-Random Permutations
• Sender and Receiver share a secret key S R {0,1}k
• S defines a function FS k
• What is wrong with encrypting X with FS (x)?
Definition of the Security of Encryption
• Several settings– Shared key vs public key– How active is the adversary
• Sender and receiver want to prevent Eve from learning anything about the message
• Want to simulate as much as possible the protection that an information theoretic encryption scheme provides
Information Theoretic Setting
• If Eve has some knowledge of m should remain the same
– Probability of guessing m• Min entropy of m
– Probability of guessing whether m is m0 or m1
– Probability of computing some function f of m
• Ideally: the ciphertext sent is independent of the message m
– Implies all the above• Shannon: achievable only if the entropy of
the shared secret is at least as large as the message m entropy
• If no special knowledge about m– then |m| shared bits that may be used
once!
To specify security of encryption
• The power of the adversary – computational
• Probabilistic polynomial time machine (PPTM)– access to the system
• Can it change the messages?
• What constitute a failure of the system What it means to break the system.– Reading a message– Forging a message?
Computational Security of EncryptionIndistinguishability of Encryptions
Indistinguishability of encrypted strings:• Adversary A chooses X0 , X1 0,1n
• receives encryption of Xb for bR0,1• has to decide whether b 0 or b 1.
For every pptm A, choosing a pair X0, X1 0,1n
PrA ‘1’ b 1 - PrA ‘1’ b 0 is negligible.
Probability is over the choice of keys, randomization in the encryption and A‘s coins.
In other words: encryptions of X0, X1 are indistinguishable
Quantification over the choice of X0, X1 0,1n
Computational Security of EncryptionSemantic Security
Whatever Adversary A can compute on encrypted string X 0,1n, so can A’ that does not see the encryption of X, yet simulates A’s knowledge with respect to X
A selects:• Distribution Dn on 0,1n
• Relation R(X,Y) - computable in probabilistic polynomial timeFor every pptm A choosing a distribution Dn on 0,1n there is an pptm A’ so that for all
pptm relation R for XR Dn
PrR(X,A(E(X)) - PrR(X,A’())
is negligible
In other words:
The outputs of A and A’ are indistinguishable even for a tester who is aware of X
Note: presentation of semantic security is non-standard (but equivalent)
X Y
R
E(X)
A
X Y
R
.
A’
A: Dn A’: Dn
¼
X 2R Dn
What is a public-key encryption scheme• Allows Alice to publish public key KP while keeping hidden a
secret key KS Key generation: G:{0,1}*{0,1}*x{0,1}* outputting KP (Public)
and KS (secret)
• ``Anyone” who is given KP and m can encrypt itEncryption: a method
E:{0,1}* x {0,1}* x {0,1}* {0,1}* taking public key KP, message (plaintext) m, random coins r and outputs
an encrypted message (ciphertext).
• Given a ciphertext and secret key it is possible to decrypt itDecryption: a method
D:{0,1}* x {0,1}* x {0,1}* {0,1}* taking secret key KS, public key KP, and ciphertext c and outputs a plaintext
m. Require D(KS, KP, E(KP, m, r)) = m
Equivalence of Semantic Security and Indistinguishability of Encryptions
• Would like to argue their equivalence• Must define the attack
– Otherwise cannot fully talk about an attack• Chosen plaintext attacks
– Adversary can obtain the encryption of any message it wishes– In an adaptive manner– Certainly feasible in a public-key setting
• Minimal one that makes sense there– What about shared-key encryption?
• More severe attacks– Chosen ciphertext
Encryption process must be probabilistic!
Security of public key cryptosystems:exact timing
• Adversary A gets public key KP • Then A can mount an adaptive attack
– No need for further interaction since can do all the encryption on its own
• Then A chooses– In semantic security: the distribution Dn and the relation R
– In indistinguishability of encryptions: the pair X0, X1 0,1n
• Then A is given the test– In semantic security: E(KP, X ,r) for XR Dn
and rR 0,1m
– In indistinguishability of encryptions: E(KP, Xb, r) for bR0,1 and rR0,1m
The Equivalence Theorem
• For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property
Equivalence ProofIf a scheme has the indistinguishability property, then it is semantically secure:• Suppose not, and A chooses
– some distribution Dn
– some relation R• Choose X0, X1 R Dn
and run A twice on– C0 = E(KP, X0 ,r0) call the output Y0
– C1 = E(KP, X1 ,r1) call the output Y1
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)] – 1 = Prob[R(X0, Y1)]
• If 0-1 is not negligible: can distinguish between encryption of X0 of X1 – Contradicting the indistinguishability property
• If 0-1 is negligible: can run A’ with no access to real ciphertext– sample X’ R Dn
and C’ = E(KP, X’, r) – Run A on C’ and output Y’
Here we Use the power to generate encryptions
Equivalence Proof• For X0, X1 R Dn
let – 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If 0-1 is not negligible: can distinguish between encryption of X0 of X1
– Contradicting the indistinguishability property
X0 Y
R
E(Xb)
A
Equivalence Proof
• For X0, X1 R Dn let
– 0 = Prob[R(X0, Y0)]
– 1 = Prob[R(X0, Y1)]
• If 0-1 is negligible: can run A’ with no access to real ciphertext– sample X’ R Dn
and C’=E(KP, X’, r)
– Run A on C’ and output Y’
X Y
R
E(X)
A
X Y’
R
E(X’)
A
X’A’
Equivalence Proof…If a scheme is semantically secure, then it has the indistinguishability
of encryptions property:• Suppose not, and A chooses
– A pair X0, X10,1n
– For which it can distinguish with advantage • Choose
– Distribution Dn = {X0, X1}
– Relation R which is “equality with X”
• For any A’ that does not get C = E(KP, X, r) and outputs Y’
ProbA’[R(X, Y’)] = ½
• By simulating A and outputting Y= Xb for guess b0,1
ProbA[R(X, Y)] ¸ ½ +
Even if A’ is computationally unbounded
Similar setting
• The same proof works for the shared key case with adaptive chosen plaintext attack
• ``Standard” definition of semantic security:– Instead of A trying to find Y such that R(X,Y), A tries
to find Y such that• Y=f(X)• f is any function (not necessarily polynomial time computable)
– In spite of difference equivalent to our definition
What happens if…
• There is extra information about X:– Both A and A’ get h(X) for some polynomial time
computable function h– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key
When is each definition useful
• Semantic security seems to convey that the message is protected– Not the strongest possible definition
• Easier to prove indistinguishability of encryptions
Sources• Luby-Rackoff: How to construct pseudorandom
permutations from pseudorandom functions, SIAM J. Computing, 1988.
• Naor-Reingold: Luby-Rackoff Revisited, Journal of Cryptology, 1999.
• Goldwasser-Micali: Probabilistic Encryption, Journal of Computer and System Sciences, 1984.
• Goldreich’s Foundations of Cryptography, volume 2