Cryptography Lecture 4 Arpita Patra © Arpita Patra

Recall >> Perfect Security Various Definitions and their equivalence (Shannon’s Theorem) Inherent Drawbacks Cannot afford perfect security >> Relaxing Perfect Security Make the adversary bounded/efficient/polynomial time Allow the break with some small/negligible probability Are they necessary? Computational Security

Today’s Goal Both relaxations are necessary. Computational/Cryptographic Security Impossible to break Infeasible to break with high prob. Will make ‘polynomially bounded/efficient’ and ‘small/negligible prob.’ precise Paradigm I- Semantic Security for SKE- computational analogue of Shannon’s perfect security Paradigm II- Indistinguishability-based Security for SKE – computational analogue of game/experiment based security definition of perfect security Look for assumptions needed for construction and construct a scheme

Necessity of relaxed Threat Model - Assume a SKE that allows many messages to be encrypted using a single short key - Allow the adversary to be unbounded powerful in contrast to bounded - Assume the adversary knows many (m1, c1), (m2, c2), …,(mt, ct): ci = Enck(mi) - Decrypt each ciphertext with all possible keys until it finds a matching key ---brute-force O(|K|) k1 k2 k3 k1 k ? k2 k ? k ? k3 ? Deck1(ci) = mi, for all i (m1, c1), (m2, c2), …, (mt, ct): ci = Enck(mi) ? Deck2(ci) = mi, for all i ? Deck3(ci) = mi, for all i Yes Hurray : I got the key

Necessity of relaxed Break Model - Assume a SKE that allows many messages to be encrypted using a single short key - Break is allowed with only zero probability - Let the adversary knows many (m1, c1), (m2, c2), …,(mt, ct): ci = Enck(mi) - Make random guess about a k and decrypt each ciphertext that key to verify k1 k2 k3 - O(1) time k ? k2 k ? - Probability : 1 / |K| k ? ? Deck2(ci) = mi, for all i (m1, c1), (m2, c2), …, (mt, ct): ci = Enck(mi) Yes Hurray : my guess was correct

Making “Polynomially Bounded” Precise– Asymptotic Approach >> “Feasible” /“Efficient” / “Probabilistic Poly time (PPT)” algorithm means: - running time of the algorithm is polynomial in the input size >> PPT adversary = PPT algorithm - Input size: n - Running time of adversary is polynomial in n. - A function f: Z+  Z+ is polynomial in n if there exist finite number of {ci} such that f(n) < i ci ni for all n. Example: n3 >> Example of what PPT adversary cannot do: Assume your key size is n bits | K | = 2n An efficient/PPT adversary CANNOT brute-force over K

Making “Very Small/Negligible” Precise– Asymptotic Approach >> “ Very Small / negligible in n” means those f(n) : - for every polynomial in n, p(n), there exists some positive integer N, such that f(n) < 1/p(n) , for all n > N n: Security parameter. A tunable parameter that tunes how difficult it is to break a cryptosystem - “grows slower than any inverse poly” >> Example: 1/2n , 1/2n/2 >> How about 1/n10 ? For 1/n20 there is NO N s.t. 1/n10 < 1/n20 >> An adversary running for n3 time breaks a scheme with probability at most 1/2n - The more the value of n, the tougher the life of the adversary is. >> Usually the key size is set to n

Closures properties of poly and negligible functions Proposition: Let p1 and p2 be polynomials in n. Then, (i) p1 + p2 is a poly. (ii) p1 * p2 is a poly. Proposition: Let negl1 and negl2 be negligible functions in n. Then, (i) negl1 + negl2 is a negligible function. (ii) p(n). negl1 is a negligible function for any poly p(n)

Asymptotic Approach: Summary >> Security parameter n - publicly known (part of the scheme) ; inputs to all algorithms (including adversary) will be made of size polynomial in n. Running time of the users Running time of the attacker Success probability of the attacker Functions of a security parameter n Polynomial in n Negligible in n >> Typically n is the size of secret-key (ex: n = 128, 256, etc)

Choosing n Carefully is Very Essential A designer claims that an adversary running for n3 minutes can break his scheme with probability 240 2-n Physicists believe that the no. of seconds elapsed since the birth of Earth is on the order of 258 Something that occurs with probability 2-60/sec is expected to occur once every 100 billion years - 240 2-n is negligible --- hence secure scheme - But what value of n to select while implementing ? - If n  40 then an adversary working for 403 minutes (6 weeks) can break the scheme with probability 1 - You will claim it’s a useless scheme, but you just made a foolish choice of n - n = 50 ? : adversary working for 503 minutes (3 months) succeed with probability 1/1000 - may be unacceptable - n = 500: adversary working for 200 yrs can break the scheme with probability 2-460 - definitely acceptable

n = Knob User’s running time is also increasing  Adv’s job becomes harder  min max n

Concrete Approach   >> Set the value of n >> Run users and adversary on specific machines No adversary running for 5 yrs on 4GHz Machine can break the scheme with probability better than 2-60 Concrete Statement 1 Concrete Statement 2 Asymptotic Statement …… Concrete Statement n  Asymptotic Approach  Concrete Approach

Syntax of Secret Key Encryption (SKE) Revisited Key-generation Algorithm: Gen(1n) > Outputs a key k chosen according to some probability distribution. > MUST be a Randomized algorithm 2. Encryption Algorithm: Enck(m); m in {0,1}l(n) > c  Enck(m) when randomized and c:=Enck(m) when deterministic > Deterministic/Randomized algorithm 3. Decryption Algorithm: Deck(c) > Outputs m:= Deck(c) > Deterministic

Semantic Security for SKE S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2): 270-299, 1984 Impossible to break Infeasible to break with high prob. Randomized PPT COA Given prior information about message, the ciphertext leaks no additional information about the message h(m): external info about m; history function f(m): additional information about m that adv wants to compute

Semantic Security Two worlds: In one adv gets ciphertext and in another it does not. If the difference between probabilities of guessing f(x) in the both worlds are negligibly apart, then semantic security is achieved. k Enc m Gen(1n) c  Enck(m) h(m) guess about f(m) h(m) guess about f(m) |m| Computational Analogue of Shannon’s definition of perfect-security A’ A  = (Gen, Enc, Dec) is semantically-secure if for every PPT A there exists a PPT A’ such that for any Samp and PPT functions f and h: | - | Pr [ A(1n,c,h(m)) =f(m)] Pr [ A’(1n,|m|,h(m)) =f(m)]  negl(n) Probability taken over >> uniform k, >> m output by Samp(1n), >> the randomness of A and >> the randomness of Enc Probability taken over >> m output by Samp(1n) and >> the randomness of A’

Indistinguishability Security for SKE S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2): 270-299, 1984 Impossible to break Infeasible to break with high prob. Randomized PPT COA Given the knowledge of two messages, it cannot be distinguished if the ciphertext corresponds to the first or second message.

Indistinguishability Based Definition An Experiment / a game between a challenger and an adversary Indistinguishability experiment PrivK (n) A,  ind  = (Gen, Enc, Dec), M Attacker A Challenger b  {0, 1} m0, m1 M ; |m0|=|m1| (freedom to choose any pair) c  Enck(mb) I can break  b’  {0, 1} k Let me verify Run time: Poly(n) (Attacker’s guess about encrypted message) Gen(1n) PrivK (n) A,  ind b = b’ b  b’ 0 --- attacker lost 1 --- attacker won Published in the same paper. It captures the fact that the adversary gets just a single ciphertext. Even though the adversary knows that the ciphertext corresponds to one two message m0 and m1, it cannot tell apart which message the ciphertext corresponds to. Very strong.  has is ind-secure if for every PPT attacker A, there is a negligible function negl(n) such that ½ + negl(n) Pr PrivK (n) A,  ind = 1  Probability is taken over the randomness used by A and the challenger

Semantic vs. Indistinguishability Security SEM: Given prior information about message, the ciphertext leaks no additional information about the message Randomized PPT COA Given the knowledge of two messages, it cannot be distinguished if the ciphertext corresponds to the first or second message. IND Security → SEM Security IND Security ← SEM Security IND Security is the de facto style followed in Crypto community RA3: If a scheme is ind-secure then for all PPT A and any index i, there is a negligible function negl(n) s.t Pr [ A(1n,c) =mi] ≤ ½ + negl(n) For uniform distribution of k and m. IND Security ↔ SEM Security

Indistinguishability Based Definition: Renaming An Experiment / a game between a challenger and an adversary Indistinguishability experiment PrivK (n) A,  coa  = (Gen, Enc, Dec), M Attacker A Challenger b  {0, 1} m0, m1 M ; |m0|=|m1| (freedom to choose any pair) c  Enck(mb) I can break  b’  {0, 1} k Let me verify Run time: Poly(n) (Attacker’s guess about encrypted message) Gen(1n) PrivK (n) A,  coa b = b’ b  b’ 0 --- attacker lost 1 --- attacker won Published in the same paper. It captures the fact that the adversary gets just a single ciphertext. Even though the adversary knows that the ciphertext corresponds to one two message m0 and m1, it cannot tell apart which message the ciphertext corresponds to. Very strong.  has is coa-secure if for every PPT attacker A, there is a negligible function negl(n) such that ½ + negl(n) Pr PrivK (n) A,  coa = 1  Probability is taken over the randomness used by A and the challenger

Equivalent Formulation of Ind Definition Attacker A  = (Gen, Enc, Dec), M , n Challenger b  {0, 1} m0, m1 , |m0| = |m1| (freedom to choose any pair) c  Enck(mb) I can break  b’  {0, 1} k Let me verify Run time: Poly(n) (Attacker’s guess about encrypted message) Gen(1n) b = b’ Game Output b  b’ 0 --- attacker lost 1 --- attacker won ½ + negl(n) Pr PrivK (n) A,  coa = 1  Intuition behind the definition ? >> Attacker should behave in the same way irrespective of m0 or m1 >> What does same behavior mean ? --- Attacker just outputs a bit >> Same behavior means that attacker outputs 1 with almost the same probability in each case (irrespective of whether it sees an encryption of m0 or m1)

Equivalent Formulation PrivK (n, b) : the experiment with mb selected by challenger A,  coa Output(PrivK (n, b)) : output bit of the attacker during A,  coa PrivK (n, b))  = (Gen, Enc, Dec) is coa-secure if for every PPT adversary A, there is a negligible function negl, such that : Pr[Output(PrivK (n, 0)) = 1] A,  coa Pr[Output(PrivK (n, 1)) = 1] A,  coa | - |  negl(n) A4  = (Gen, Enc, Dec) is coa-secure if for every PPT adversary A, there is a negligible function negl, such that : ½ + negl(n) Pr PrivK (n) A,  coa = 1 

Assumptions for coa-Secure SKEs A suggestion: Try to BE good rather than trying to pretend to be good. Recall the promises of computational security? - Shorter key for big message - Key Reuse Let’s go OTP style: key will be used to pad/mask the message - The pad can’t be just the key - Pad = f(key) and the function is length-expanding ?? - For perfect security the pad needed to be truly random - For computational security, enough if the pad ‘looks’ random to a PPT adversary but actually not. M = K = C = {0, 1}l k k Dec m:= ck Enc c:= mk k R K m  M c c  C m Gen

Assumptions for coa-Secure SKEs M. Blum, S. Micali. How to Generate Cryptographically strong sequences of pseudo-random bits. SIAM Journal of Computing, 13(4), 850-864, 1984 A. C.-C. Yao. Theory and Applications of Trapdoor Functions. FOCS, 80-91, 1982. Pseudorandom Generators (PRGs): Tool to cheat the PPT adversaries

Pseudorandomness { Set of all binary strings of length l } - It’s a property of a probability distribution { Set of all binary strings of length l } G: a prob. Dist. = { Set of probabilities } U: Uniform probability Distribution A string drawn according to U is called random A string drawn according to G is called pseudorandom Sampler for G and U Give me a string w G is pseudorandom if a string drawn according to G is indistinguishable from a string drawn according to U to a PPT distinguisher

Pseudorandom Generators (PRGs) Deterministic PPT Algorithm G s R {0,1}n G(s)  {0,1}l(n) , l: poly Seed Let G be the dist. on l(n)-bit strings obtained by sampling s uniformly and running G(s). G is a PRG if dist. G is pseudorandom distribution and l(n) > n for every n. l() : expansion factor of G Requirements : 1. Expansion : for every n, l(n) > n 2. Pseudorandomness : G(s) “looks like” a truly random string

PRG Security | - | s R {0,1}n y: = G(s) Oracle U : uniform distribution over {0,1}l(n) PPT distinguisher D Challenger A random string of length l(n) plz A string of length l(n) please yR {0,1}l(n) b= 0 y How I selected it ? b= 1 s R {0,1}n y: = G(s) G: Probability distribution over {G(s): s R {0,1}n} G G is a PRG if for every PPT D, there is a negligible function negl | - | Pr [D(r) = 1] Pr [D(G(s)) = 1]  negl(n) r R {0,1}l(n) s R {0,1}n Probability taken over >> Random Choice of r >> the randomness of D Probability taken over >> Random Choice of s >> the randomness of D

Scribe?