Download presentation

Presentation is loading. Please wait.

Published byEmmeline Carr Modified over 2 years ago

1
1 Brief PRP-PRF Recap CS255 Winter ‘06

2
2 PRPs and PRFs PRF: F: K X Y such that: exists “efficient” algorithm to eval. F(k,x) PRP: E: K X X such that: 1. Exists “efficient” algorithm to eval. E(k,x) 2. The func E( k, ) is one-to-one 3. Exists “efficient” algorithm for inverse D(k,x)

3
3 Secure PRF For b=0,1 define experiment EXP(b) as: Def: F is a secure PRF if for all “efficient” A: PRF Adv[A,F] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. b=0: k K, f F(k, ) b=1: f Funs[X,Y] x i X f(x i ) b’ {0,1}

4
4 Secure PRP For b=0,1 define experiment EXP(b) as: Def: E is a secure PRP if for all “efficient” A: PRP Adv[A,E] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. b=0: k K, f E(k, ) b=1: f Perms[X] x i X f(x i ) b’ {0,1}

5
5 PRF Switching Lemma Example PRPs: 3DES, AES, … –For AES: K = {0,1} 128, X = {0,1} 128 –AES PRP Assumption: All 2 80 –time algs A have PRP Adv[A, AES] < 2 -40 PRF Switching lemma: Any secure PRP is also a secure PRF. If E is a PRP over (K,X) then for any q-query adversary A: | PRF Adv[A,E] - PRP Adv[A,E] | < q 2 / 2|X|

6
6 Using PRPs and PRFs Security always defined using two parameters: –What “power” does adversary have? examples: Adv sees only one ciphertext (i.e. one-time key) Adv sees many PT/CT pairs (CPA) –What “goal” is adversary trying to achieve? example: Semantic security: learn info about PT from CT. one-time key Many-time key (CPA) CCA Sem. Sec. Steam-ciphers Det. ctr-mode (rand) CBC (rand) ctr-mode Later Goal Power

7
7 Semantic Security for one-time key E = (E,D) a cipher defined over (K,M,C) For b=0,1 define EXP(b) as: Def: E is sem. sec. for one-time key if for all “efficient” A: SS Adv[A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. kKkK m 0, m 1 M : |m 0 | = |m 1 | C E(k, m b ) b’ {0,1}

8
8 Semantic security (cont.) Sem. sec. no “efficient” adversary learns info about PT from a single CT. Electronic Code Book (ECB): not sem. sec. for messages that contain more than one block. –To break ECB adversary uses: m 0 = “ Hello World ” m 1 = “ Hello Hello ” Two blocks

9
9 Constructions Examples of sem. sec. systems: – SS Adv[A, OTP] = 0 for all A – Deterministic counter mode from a PRF F : E DETCTR (k,m) = Stream cipher built from PRF (e.g. AES, 3DES) m[0]m[1]… F(k,0)F(k,1)… m[L] F(k,L) c[0]c[1]…c[L]

10
10 Det. ctr-mode security Theorem:For any L>0. If F is a secure PRF over (K,X,X) then E DETCTR is sem. sec. cipher over (K,X L,X L ). In particular, for any adversary A attacking E DETCTR there exists a PRF adversary B s.t.: SS Adv[A, E DETCTR ] = 2 PRF Adv[B, F] Hence: Since PRF Adv[B, F] is negligible (since F is a secure PRF) then SS Adv[A, E DETCTR ] must be negligible.

11
11 Proof PRF Chal b SS Adv A (given)PRF Adv B (us) m 0, m 1 X L Choose f r {0,1} 0, 1, …, L f(0), f(1), …, f(L) c i m r [i] f(i) X (c 0, c 1, …, c L ) X L r’ {0,1} If r=r’ output 0, else output 1 b=1: f Funs[X,X] Pr[EXP(1)=0] = Pr[r=r’] = ½ b=0: f F(k, ) Pr[EXP(0)=0] = ½ ½ SS Adv[A, E DETCTR ] Hence, PRF Adv[F, B] = ½ SS Adv[A, EDETCTR]

12
12 Semantic Security for many-time key E = (E,D) a cipher defined over (K,M,C) For b=0,1 define EXP(b) as: Def: E is sem. sec. under CPA if for all “efficient” A: SS CPA Adv[A, E ] = | Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. kKkK m 0, m 1 M : |m 0 | = |m 1 | C E(k, m b ) b’ {0,1} x i M E(k,x i )

13
13 Randomized Encryption Fact: stream ciphers are insecure under CPA. Fact: No deterministic encryption can be secure under CPA. If secret key is to be used multiple times encryption algorithm must be randomized !!

14
14 Construction 1: CBC Cipher block chaining with a random IV. E(k, ) m[0]m[1]m[3]m[4]IV E(k, ) c[0]c[1]c[3]c[4]IV ciphertext

15
15 CBC: CPA Analysis CBC Theorem: For any L>0, If F is a secure PRP over (K,X) then E CBC is a sem. sec. under CPA over (K, X L, X L+1 ). In particular, for a q-query adversary A attacking E CBC there exists a PRP adversary B s.t.: SS CPA Adv[A, E CBC ] 2 PRP Adv[B, F] + 2 q 2 L 2 / |X| Note: CBC is only secure as long as qL << |X| 1/2

16
16 Construction 2: rand ctr-mode m[0]m[1]… F(k,IV)F(k,IV+1)… m[L] F(k,IV+L) c[0]c[1]…c[L] IV IV - Picked fresh at random for every encryption msg ciphertext

17
17 rand ctr-mode: CPA analysis Randomized counter mode: random IV. Counter-mode Theorem: For any L>0, If F is a secure PRF over (K,X,X) then E CTR is a sem. sec. under CPA over (K,X L,X L+1 ). In particular, for a q-query adversary A attacking E CTR there exists a PRF adversary B s.t.: SS CPA Adv[A, E CTR ] 2 PRF Adv[B, F] + 2 q 2 L / |X| Note: ctr-mode only secure as long as q 2 L << |X| Better then CBC !

Similar presentations

Presentation is loading. Please wait....

OK

Online Cryptography Course Dan Boneh

Online Cryptography Course Dan Boneh

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on op amp circuits resistor Best ppt on forest society and colonialism in india Ppt on conservation of linear momentum Ppt on cold call teach like a champion Ppt on mars one way Ppt on scientific calculator project in java Ppt on ruby programming language Ppt on db2 introduction Ppt on phonetic transcription symbols Hrm ppt on recruitment