Provable Security III
Modern cryptography: computational security
• Information-theoretic cryptography
  • Security: statistical or even perfect
  • Efficiency: bad… (key length ≤ message length)
  • Other: not beyond symmetric cryptography (public-key crypto impossible)
• Modern cryptography (achieves only computational security)
computational security: relaxing statistical security
• A cryptographic scheme E is (t, ε)-secure if every adversary of running time at most t succeeds in breaking E (e.g., distinguishes it from a random system) with probability at most ε.
• Perfect security: t = ∞, ε = 0
• Statistical security: t = ∞, ε = negl(n) = n^{−ω(1)} (n is the security parameter)
• Computational security: t = n^{ω(1)}, ε = n^{−ω(1)}
• Asymptotic setting
private-key encryption scheme
Computationally indistinguishable encryptions
Semantic Security
Pseudorandom generator (PRG)
• (Pseudorandom generator). Let g: {0,1}^n → {0,1}^ℓ (ℓ > n) be a deterministic polynomial-time algorithm. We say that g is a pseudorandom generator (PRG) if for every PPT distinguisher D there exists a negligible function negl(·) such that
|Pr[D(g(U_n)) = 1] − Pr[D(U_ℓ) = 1]| = negl(n),
where the probabilities are taken over U_n (resp. U_ℓ) and the random coins used by D.
• (t, ε)-secure PRG: g: {0,1}^n → {0,1}^ℓ (ℓ > n) is a (t, ε)-secure PRG if every probabilistic distinguisher D of running time at most t satisfies
|Pr[D(g(U_n)) = 1] − Pr[D(U_ℓ) = 1]| ≤ ε
PRG has only computational security
• A useful replacement lemma: if X and Y are (t, ε)-indistinguishable and the function f (defined over the domain of X and Y) is T-computable, then f(X) and f(Y) are at least (t − T, ε)-indistinguishable.
• Corollary. SD(f(X), f(Y)) ≤ SD(X, Y)
Proof. Consider unbounded adversaries (t = ∞). For t = ∞, (∞, ε)-indistinguishability is exactly statistical distance at most ε, and t − T is still ∞ for any finite T, so applying the lemma with ε = SD(X, Y) gives SD(f(X), f(Y)) ≤ SD(X, Y).
A PRG with small stretch implies one with arbitrary (polynomial) stretch
[Diagram: iterated construction. Starting from the seed s_0, each step applies g to the current state, g(s_i) = (s_{i+1}, r_{i+1}); the states s_0, s_1, s_2, s_3, …, s_i, s_{i+1} stay internal, and the output is r_1 r_2 r_3 … r_{i+1} … .]
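The iterated stretch extension sketched in the slide above, written out as an added example (this code is not from the slides): each step parses the base PRG's output as (s_{i+1}, r_{i+1}), emits r_{i+1} and keeps s_{i+1} secret as the next seed. The base PRG here is a SHA-256-based stand-in (an assumption for illustration, not a proven PRG), and the bound in the comments is the standard hybrid-argument bound, which the slide states only for the existence of the construction.

```python
"""Stretch extension for a PRG by iterating a small-stretch base PRG.

g_base: {0,1}^n -> {0,1}^(n+m). Each iteration computes
    g_base(s_i) = (s_{i+1}, r_{i+1})
and the extended PRG outputs r_1 || r_2 || ... while the states s_i
never leave the generator. Hybrid argument: with k = ceil(out_len / m)
iterations, a (t, eps)-secure g_base gives a (t - k*T, k*eps)-secure
extended PRG, where T is the cost of one g_base evaluation.
"""
import hashlib

N_BYTES = 32   # seed/state length n = 256 bits
M_BYTES = 8    # base stretch m = 64 bits of output per iteration


def g_base(seed: bytes) -> bytes:
    """Heuristic base PRG {0,1}^256 -> {0,1}^(256+64).

    Assumption: SHA-256 with domain separation is used as a stand-in;
    nothing here proves it is a PRG.
    """
    if len(seed) != N_BYTES:
        raise ValueError("seed must be exactly n bits")
    next_state = hashlib.sha256(b"state" + seed).digest()          # s_{i+1}
    out_block = hashlib.sha256(b"output" + seed).digest()[:M_BYTES]  # r_{i+1}
    return next_state + out_block


def g_ext(seed: bytes, out_len: int) -> bytes:
    """Extended PRG {0,1}^n -> {0,1}^out_len built by iterating g_base."""
    state = seed
    blocks = []
    produced = 0
    while produced < out_len:
        expansion = g_base(state)
        # Split (s_{i+1}, r_{i+1}); only r_{i+1} is ever output.
        state, r = expansion[:N_BYTES], expansion[N_BYTES:]
        blocks.append(r)
        produced += len(r)
    return b"".join(blocks)[:out_len]


def iterations_needed(out_len: int) -> int:
    """Number k of base-PRG calls, the factor in the hybrid loss k*eps."""
    return -(-out_len // M_BYTES)  # ceiling division
```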
PRG-based fixed encryption