Cryptography Lecture 5

Perfect indistinguishability Let =(Gen, Enc, Dec) be an encryption scheme with message space M, and let A be an adversary/algorithm Define a randomized exp’t PrivKA,: A outputs m0, m1  M k  Gen, b  {0,1}, c  Enck(mb) b’  A(c) Adversary A succeeds if b = b’, and we say the experiment evaluates to 1 in this case Challenge ciphertext

Perfect indistinguishability Easy to succeed with probability ½ … Scheme  is perfectly indistinguishable if for all attackers (algorithms) A, it holds that Pr[PrivKA, = 1] = ½

Perfect indistinguishability Claim:  is perfectly indistinguishable   is perfectly secret I.e., perfect indistinguishability is just an alternate definition of perfect secrecy

Computational secrecy? Idea: relax perfect indistinguishability Two approaches Concrete security Asymptotic security

Computational indistinguishability (concrete) (t, )-indistinguishability: Security may fail with probability ≤  Restrict attention to attackers running in time ≤ t Or, t CPU cycles

Computational indistinguishability (concrete version)  is (t, )-indistinguishable if for all attackers A running in time at most t, it holds that Pr[PrivKA, = 1] ≤ ½ +  Note: (, 0)-indistinguishable = perfect indistinguishability Relax definition by taking t <  and  > 0

Concrete security Parameters t,  are what we ultimately care about in the real world Does not lead to a clean theory... Sensitive to exact computational model  can be (t, )-secure for many choices of t,  Would like to have schemes where users can adjust the achieved security as desired

Asymptotic security Introduce security parameter n For now, think of n as the key length Chosen by honest parties when they generate/share key Allows users to tailor the security level Known by adversary Measure running times of all parties, and the success probability of the adversary, as functions of n

Computational indistinguishability (asymptotic) Security may fail with probability negligible in n Restrict attention to attackers running in time (at most) polynomial in n

Definitions A function f: Z+  Z+ is polynomial if there exists c such that f(n) < nc A function f: Z+  [0,1] is negligible if for every polynomial p it holds that f(n) < 1/p(n) for large enough n I.e., decays faster than any inverse polynomial Typical example: f(n) = poly(n)∙2-cn

Why these specific choices? Somewhat arbitrary “Efficient” = “probabilistic polynomial-time (PPT)” borrowed from complexity theory Convenient closure properties Poly * poly = poly A PPT algorithm making calls to PPT subroutines is PPT Poly * negligible = negligible Poly-many calls to subroutines that fail with negligible probability fail with negligible probability overall

(Re)defining encryption A private-key encryption scheme is defined by three PPT algorithms (Gen, Enc, Dec): Gen: takes as input 1n; outputs k. (Assume |k|≥n.) Enc: takes as input a key k and message m{0,1}*; outputs ciphertext c c  Enck(m) Dec: takes key k and ciphertext c as input; outputs a message m or “error”

Computational indistinguishability (asymptotic version) Fix a scheme  and some adversary A Define a randomized exp’t PrivKA,(n): A(1n) outputs m0, m1  {0,1}* of equal length k  Gen(1n), b  {0,1}, c  Enck(mb) b’  A(c) Adversary A succeeds if b = b’, and we say the experiment evaluates to 1 in this case

Computational indistinguishability (asymptotic version)  is computationally indistinguishable (aka EAV-secure) if for all PPT attackers A, there is a negligible function  such that Pr[PrivKA,(n) = 1] ≤ ½ + (n)

Example 1 Consider a scheme where Gen(1n) generates a uniform n-bit key, and the best attack is brute-force search of the key space So if A runs in time t(n), then Pr[PrivKA,(n) = 1] < ½ + O(t(n)/2n) This scheme is EAV-secure! For any polynomial t, the function t(n)/2n is negligible

Example 2 Consider a scheme and a particular attacker A that runs for n3 minutes and breaks the scheme with probability 240 2-n This does not contradict asymptotic security What about real-world security (against this particular attacker)? n=40: A breaks scheme with prob. 1 in 6 weeks n=50: A breaks scheme with prob. 1/1000 in 3 months n=500: A breaks scheme with prob. 2-500 in 200 years

Example 3 What happens when computers get faster? E.g., consider a scheme that takes time n2 to run but time 2n to break with prob. 1 What if computers get 4 faster? Honest users double n and can thus maintain the same running time Time to break scheme is squared! Time required to break the scheme increases

Encryption and plaintext length In practice, we want encryption schemes that can encrypt arbitrary-length messages Encryption does not hide the plaintext length (in general) The definition takes this into account by requiring m0, m1 to have the same length But beware that leaking plaintext length can often lead to problems in the real world! Obvious examples… Database searches Encrypting compressed data

Computational secrecy From now on, we will assume the computational setting by default Usually, the asymptotic setting

Pseudorandomness

Pseudorandomness Important building block for computationally secure encryption Important concept in cryptography

What does “random” mean? What does “uniform” mean? Which of the following is a uniform string? 0101010101010101 0010111011100110 0000000000000000 If we generate a uniform 16-bit string, each of the above occurs with probability 2-16

What does “uniform” mean? “Uniformity” is not a property of a string, but a property of a distribution A distribution on n-bit strings is a function D: {0,1}n  [0,1] such that x D(x) = 1 The uniform distribution on n-bit strings, denoted Un, assigns probability 2-n to every x  {0,1}n

What does “pseudorandom” mean? Informal: cannot be distinguished from uniform (i.e., random) Which of the following is pseudorandom? 0101010101010101 0010111011100110 0000000000000000 Pseudorandomness is a property of a distribution, not a string

Pseudorandomness (take 1) Fix some distribution D on n-bit strings x  D means “sample x according to D” Historically, D was considered pseudorandom if it “passed a bunch of statistical tests” Prx  D[1st bit of x is 1]  ½ Prx  D[parity of x is 1]  ½ Prx  D[Testi(x)=1]  Prx  Un[Testi(x)=1] for i = 1, …

Pseudorandomness (take 2) This is not sufficient in an adversarial setting! Who knows what statistical test an attacker will use? Cryptographic def’n of pseudorandomness: D is pseudorandom if it passes all efficient statistical tests

Pseudorandomness (concrete) Let D be a distribution on p-bit strings D is (t, )-pseudorandom if for all A running in time at most t, | Prx  D[A(x)=1] - Prx  Up[A(x)=1] | ≤ 

Pseudorandomness (asymptotic) Security parameter n, polynomial p Let Dn be a distribution over p(n)-bit strings Pseudorandomness is a property of a sequence of distributions {Dn} = {D1, D2, … }

Pseudorandomness (asymptotic) {Dn} is pseudorandom if for all probabilistic, polynomial-time distinguishers A, there is a negligible function  such that | Prx  Dn[A(x)=1] - Prx  Up(n)[A(x)=1] | ≤ (n)

Pseudorandom generators (PRGs) A PRG is an efficient, deterministic algorithm that expands a short, uniform seed into a longer, pseudorandom output Useful whenever you have a “small” number of true random bits, and want lots of “random-looking” bits

PRGs Let G be a deterministic, poly-time algorithm that is expanding, i.e., |G(x)| = p(|x|) > |x| seed G output