Cryptography Lecture 5 Arpita Patra © Arpita Patra.

Recall
- Computational security: PPT algorithms and negligible functions made precise in terms of the security parameter n
- Semantic and indistinguishability security notions; ind-based definitions are easy to follow
- Assumptions needed for a scheme
- Pseudorandomness

Today's Goal
- Pseudorandomness and PRGs
- Construction of an ind-secure scheme
- Proof: if there is a PRG, then the construction is secure according to the ind definition
- Introduction to reduction-based proofs, then the proof for our construction
- Shortcomings of the current construction/definition
- Better definition / better construction / better assumption?

Pseudorandomness
- Pseudorandomness is a property of a probability distribution, not of an individual string
- Consider the set of all binary strings of length l. G: a probability distribution over this set (a set of probabilities, one per string); U: the uniform distribution over it
- A string drawn according to U is called random; a string drawn according to G is called pseudorandom
- (Picture: a sampler for G and a sampler for U, each asked "give me a string w")
- G is pseudorandom if a string drawn according to G is indistinguishable, to a PPT distinguisher, from a string drawn according to U

Pseudorandom Generators (PRGs)
- G: a deterministic PPT algorithm; on seed $s \leftarrow_R \{0,1\}^n$ it outputs $G(s) \in \{0,1\}^{l(n)}$, where l is a polynomial
- Let $\mathcal{G}$ be the distribution on l(n)-bit strings obtained by sampling s uniformly and running G(s)
- G is a PRG if $\mathcal{G}$ is a pseudorandom distribution and l(n) > n for every n; l(·) is the expansion factor of G
- Requirements:
  1. Expansion: for every n, l(n) > n
  2. Pseudorandomness: G(s) "looks like" a truly random string

PRG Security
- The game: a PPT distinguisher D asks the challenger for a string of length l(n). The challenger flips b. If b = 0, $y \leftarrow_R \{0,1\}^{l(n)}$ (U: the uniform distribution over $\{0,1\}^{l(n)}$); if b = 1, $s \leftarrow_R \{0,1\}^n$ and $y := G(s)$ ($\mathcal{G}$: the distribution $\{G(s) : s \leftarrow_R \{0,1\}^n\}$). D receives y and must say how it was selected.
- G is a PRG if for every PPT D there is a negligible function negl such that
  $$\Bigl|\Pr_{r \leftarrow_R \{0,1\}^{l(n)}}[D(r) = 1] - \Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s)) = 1]\Bigr| \le \mathrm{negl}(n)$$
- The first probability is taken over the random choice of r and the randomness of D; the second over the random choice of s and the randomness of D

Let us try to construct a PRG…
- Designing a PRG is a hard nut to crack
- Candidate: $s \leftarrow_R \{0,1\}^n$, $s' = s_1 \oplus s_2 \oplus \cdots \oplus s_n$, $G(s) = s \,\|\, s'$; expansion factor n + 1
- Is G a PRG? Do you see a good distinguisher?
- D, given $y \in \{0,1\}^{n+1}$ (random or generated by G?), checks: is the final bit of y the XOR of the preceding bits? Yes: D outputs 1 ("generated by G"). No: D outputs 0 ("random")
- If y is generated by G, D outputs 1 with probability 1; if y is truly random, D outputs 1 with probability ½
- $\Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s)) = 1] = 1$ and $\Pr_{r \leftarrow_R \{0,1\}^{n+1}}[D(r) = 1] = \tfrac12$, so $\bigl|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\bigr| = \tfrac12$: non-negligible

PRG can be cracked by an unbounded adversary
- Length-doubling PRG: seed $s \leftarrow_R \{0,1\}^n$, output $G(s) \in \{0,1\}^{2n}$
- There are $2^n$ seeds but $2^{2n}$ strings of length 2n: most 2n-bit strings do not occur as an output of G
- Probability that a random 2n-bit string belongs to the range of G: $\le 2^n / 2^{2n} = 2^{-n}$
- Can you find a strategy for an unbounded distinguisher?

PRG can be cracked by an unbounded adversary
- D, given $y \in \{0,1\}^{2n}$ (random or generated by G?), tries every seed: is $y = G(s_1)$? is $y = G(s_2)$? … is $y = G(s_{2^n})$?
- If some seed matches, D outputs 1, i.e. labels y as pseudorandom
- $\Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s)) = 1] = 1$ and $\Pr_{r \leftarrow_R \{0,1\}^{2n}}[D(r) = 1] \le 2^{-n}$, so $\bigl|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\bigr| \ge 1 - 2^{-n}$: non-negligible
- Hence n must be large enough that brute force is impossible
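The brute-force distinguisher above as runnable code, an added example that is not part of the lecture: for a tiny seed length n the whole range of a length-doubling G is tabulated, which gives $\Pr[D(G(s))=1] = 1$ and $\Pr[D(r)=1] = |\mathrm{range}(G)|/2^{2n} \le 2^{-n}$ exactly, without sampling. The generator `G` is a stand-in built from SHAKE-128, an assumption of this example since the slide leaves G abstract.

```python
import hashlib

N = 10        # seed length in bits; deliberately tiny so that all 2^n seeds can be enumerated
OUT = 2 * N   # length-doubling PRG: G : {0,1}^n -> {0,1}^2n

def G(s):
    """Stand-in length-doubling generator (assumption of this example, built from
    SHAKE-128). Seeds and outputs are ints holding n and 2n bits respectively."""
    seed = s.to_bytes((N + 7) // 8, "big")
    digest = hashlib.shake_128(seed).digest((OUT + 7) // 8)
    return int.from_bytes(digest, "big") & ((1 << OUT) - 1)

# The unbounded distinguisher from the slide: evaluate G on every one of the 2^n
# seeds once, then label y "pseudorandom" (output 1) iff some seed maps to it.
RANGE_OF_G = frozenset(G(s) for s in range(1 << N))

def D(y):
    return 1 if y in RANGE_OF_G else 0

def prob_accept_prg():
    """Pr[D(G(s)) = 1] over a uniform seed s: every G(s) is in the table, so 1."""
    return sum(D(G(s)) for s in range(1 << N)) / (1 << N)

def prob_accept_random():
    """Pr[D(r) = 1] over uniform r in {0,1}^2n, computed exactly as
    |range(G)| / 2^2n, which is at most 2^n / 2^2n = 2^-n."""
    return len(RANGE_OF_G) / (1 << OUT)

def advantage():
    """|Pr[D(r) = 1] - Pr[D(G(s)) = 1]|, which is at least 1 - 2^-n."""
    return abs(prob_accept_random() - prob_accept_prg())

if __name__ == "__main__":
    print(f"n = {N}: Pr[D(G(s))=1] = {prob_accept_prg()}, "
          f"Pr[D(r)=1] = {prob_accept_random():.6f} (<= 2^-n = {2 ** -N:.6f}), "
          f"advantage = {advantage():.6f}")
```

The work of D is 2^n evaluations of G, which is why the slide concludes that n must be large enough to put this enumeration out of reach.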

Do PRGs exist?
- No proof… but we strongly believe they do. (Didn't we just say we believe something is true but don't have a proof?)
- First assumption in the course: PRGs exist.
- Later in the course: one-way functions (permutations) exist ⇒ PRGs exist (Goldreich-Levin, Yao); far from practical
- Stream ciphers: believed to be PRGs because no good distinguisher is known; highly practical
- RA 4: Define stream ciphers and describe Trivium

COA-secure SKE
- Key space $K = \{0,1\}^n$; message and ciphertext spaces $M = C = \{0,1\}^{l(n)}$
- Gen: $k \leftarrow_R K$
- Enc: on $m \in M$, output $c := m \oplus G(k)$
- Dec: on $c \in C$, output $m := c \oplus G(k)$
- Correctness: $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$

Proof by Reduction
- Four shapes of statement: Case 1: if Π is secure then Π' is secure. Case 2: if assumption A holds then Π is secure. Case 3: if A1 holds then A2 holds. Case 4: if Π is secure then A holds.
- Proved by contradiction / contrapositive: assume a PPT attacker against Π' that says "I can break Π'" with non-negligible probability f(n); build from it a PPT attacker against Π (or against the assumption)
- The attacker against Π receives a challenge for Π and simulates a challenge of Π' for the Π'-attacker; the simulation must look like a genuine instance of Π'. The Π-attacker does not know the internal details of the Π'-attacker
- The Π'-attacker "breaks" its instance with probability f(n); from that break, the Π-attacker produces a solution to its own challenge with probability 1/P(n)
- So the PPT attacker against Π breaks security with probability at least f(n)/P(n): non-negligible
- This entire process is a mental exercise!!

Indistinguishability Based Definition: COA
- Indistinguishability experiment $\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n)$ for $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ with message space M
- Attacker A ("I can break Π"; run time poly(n)) sends $m_0, m_1 \in M$ with $|m_0| = |m_1|$ (freedom to choose any pair)
- Challenger ("let me verify"): $k \leftarrow \mathrm{Gen}(1^n)$, $b \leftarrow_R \{0,1\}$, $c \leftarrow \mathrm{Enc}_k(m_b)$; sends c
- A outputs $b' \in \{0,1\}$ (the attacker's guess about the encrypted message)
- Output of the experiment: 1 if b = b' (attacker won), 0 if b ≠ b' (attacker lost)
- Π is coa-secure if for every PPT attacker A there is a negligible function negl(n) such that
  $$\Pr\bigl[\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n) = 1\bigr] \le \tfrac12 + \mathrm{negl}(n)$$
- The probability is taken over the randomness used by A and by the challenger
- All security definitions will be in ind style; SEM security ≈ IND security

Security Proof of PRG-based Scheme
- Scheme: $\mathrm{Enc}_k(m)$: $c = m \oplus G(k)$; $\mathrm{Dec}_k(c)$: $m = c \oplus G(k)$; secret PRG key k
- Theorem. If G is a PRG, then Π is a coa-secure scheme.
- What has to be shown: for every A there is a negl(n) such that $\Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n) = 1] \le \tfrac12 + \mathrm{negl}(n)$. Unfolded, this is one inequality per attacker: for $(A_1, \mathrm{negl}_1(n))$, $\Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A_1,\Pi}(n) = 1] \le \tfrac12 + \mathrm{negl}_1(n)$, i.e. $< \tfrac12 + 1/p_1(n)$ for every polynomial $p_1$ and all $n > N_1$; and for $(A_2, \mathrm{negl}_2(n))$, $\Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A_2,\Pi}(n) = 1] \le \tfrac12 + \mathrm{negl}_2(n)$, i.e. $< \tfrac12 + 1/p_2(n)$ for all $n > N_2$; and so on (the conjunction over all attackers)
- Π is NOT coa-secure if there exist an attacker $A_i$ and a polynomial $p_i(n)$ such that $\Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A_i,\Pi}(n) = 1] > \tfrac12 + 1/p_i(n)$ for infinitely many n

Security Proof of PRG-based Scheme
- Scheme: $\mathrm{Enc}_k(m)$: $c = m \oplus G(k)$; $\mathrm{Dec}_k(c)$: $m = c \oplus G(k)$; secret PRG key k
- Theorem. If G is a PRG, then Π is a coa-secure scheme.
- Proof: Assume Π is not secure: there exist A and a polynomial p(n) with $\Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n) = 1] > \tfrac12 + 1/p(n)$
- Build a distinguisher D for G. D is given $y \in \{0,1\}^{l(n)}$ (PRS or RS?) and runs $\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n)$ with y in place of G(k): it receives $m_0, m_1 \in M$, $|m_0| = |m_1|$, from A; picks $b \leftarrow_R \{0,1\}$; sends $c = m_b \oplus y$ to A; receives A's guess $b' \in \{0,1\}$; outputs 1 if b = b' and 0 otherwise
- If y = G(s): D runs exactly $\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n)$, so $\Pr[D(G(s)) = 1] = \Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n) = 1] > \tfrac12 + 1/p(n)$
- If y is uniform: c is a one-time-pad encryption of $m_b$, so $\Pr[D(y) = 1] = \tfrac12$
- Hence $\bigl|\Pr[D(y) = 1] - \Pr[D(G(s)) = 1]\bigr| > 1/p(n)$, contradicting the pseudorandomness of G
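The reduction above as runnable code, an added example that is not part of the lecture. It uses the toy generator $G(s) = s \,\|\, (s_1 \oplus \cdots \oplus s_n)$ from the "Let us try to construct a PRG" slide, for which a concrete scheme attacker exists (every output of that G has even parity, so the parity of $c = m_b \oplus G(k)$ leaks the parity of $m_b$), and builds the distinguisher D from that attacker exactly as the proof does; the names `G_bad`, `A_choose`, `A_guess` and `D_reduction` are this example's own. Probabilities are computed exactly by enumerating every seed, every string and both values of D's coin, so the slide's advantage of ½ comes out exactly.

```python
import itertools

def G_bad(s):
    """The slide's toy generator G(s) = s || (s_1 xor ... xor s_n); bits as tuples."""
    return s + (sum(s) % 2,)

def xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))

def D_direct(y, b):
    """The slide's direct distinguisher: 1 iff the last bit is the XOR of the rest.
    The coin b is unused; it is accepted only to share the interface below."""
    return 1 if y[-1] == sum(y[:-1]) % 2 else 0

# A PPT attacker A against Enc_k(m) = m xor G_bad(k).  Every G_bad output has even
# parity, so parity(c) = parity(m_b); A picks m0, m1 of different parity and reads
# b off the parity of c.  (A_choose / A_guess are names of this example.)
def A_choose(n):
    return (0,) * (n + 1), (0,) * n + (1,)

def A_guess(c):
    return sum(c) % 2

def D_reduction(y, b):
    """The proof's distinguisher: given y (G_bad(s) or uniform) and its own coin b,
    run A, encrypt m_b with y as the pad, and output 1 iff A's guess b' equals b."""
    m0, m1 = A_choose(len(y) - 1)
    c = xor((m0, m1)[b], y)
    return 1 if A_guess(c) == b else 0

def exact_probabilities(D, n):
    """(Pr[D(G_bad(s))=1], Pr[D(r)=1]) over every seed s in {0,1}^n, every
    r in {0,1}^(n+1) and both values of the distinguisher's coin b."""
    seeds = list(itertools.product((0, 1), repeat=n))
    strings = list(itertools.product((0, 1), repeat=n + 1))
    p_prg = sum(D(G_bad(s), b) for s in seeds for b in (0, 1)) / (2 * len(seeds))
    p_rand = sum(D(r, b) for r in strings for b in (0, 1)) / (2 * len(strings))
    return p_prg, p_rand

def advantage(D, n):
    p_prg, p_rand = exact_probabilities(D, n)
    return abs(p_rand - p_prg)

if __name__ == "__main__":
    for name, D in (("direct parity check", D_direct), ("reduction from A", D_reduction)):
        p_prg, p_rand = exact_probabilities(D, 8)
        print(f"{name}: Pr[D(G(s))=1] = {p_prg}, Pr[D(r)=1] = {p_rand}, "
              f"advantage = {advantage(D, 8)}")
```

Both distinguishers reach advantage ½: a scheme attacker with non-negligible advantage has been turned mechanically into a PRG distinguisher with the same advantage, which is the whole content of the proof.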

What have we done so far..
- Formulated a formal definition for SKE in the computational world
- Identified the assumption needed (PRGs exist) and built a construction
- Proved security of the construction relative to the definition and the assumption
- Small key size. Key reuse?? Let us formalize key reuse in the definition and see if the schemes we have seen satisfy it

Multiple-message COA Security
- Experiment $\mathrm{PrivK}^{\mathrm{coa\text{-}mult}}_{A,\Pi}(n)$ for $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ with message space M
- Attacker A ("I can break Π"; run time poly(n)) sends two vectors $M_0 = (m_{0,1}, \ldots, m_{0,t})$ and $M_1 = (m_{1,1}, \ldots, m_{1,t})$ (freedom to choose any pair)
- Challenger ("let me verify"): $k \leftarrow \mathrm{Gen}(1^n)$, $b \leftarrow_R \{0,1\}$, $c_1 \leftarrow \mathrm{Enc}_k(m_{b,1}), \ldots, c_t \leftarrow \mathrm{Enc}_k(m_{b,t})$; sends $(c_1, \ldots, c_t)$
- A outputs $b' \in \{0,1\}$ (the attacker's guess about the encrypted vector)
- Game output: 1 if b = b' (attacker won), 0 if b ≠ b' (attacker lost)
- Π is coa-mult-secure if for every PPT attacker A taking part in the above experiment, the probability that A wins is at most negligibly better than ½, i.e.
  $$\Pr\bigl[\mathrm{PrivK}^{\mathrm{coa\text{-}mult}}_{A,\Pi}(n) = 1\bigr] \le \tfrac12 + \mathrm{negl}(n)$$

Relation between Multiple-message and Single-message Security
- $\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n)$ is a special case of $\mathrm{PrivK}^{\mathrm{coa\text{-}mult}}_{A,\Pi}(n)$: coa-mult with $|M_0| = |M_1| = 1$ is the same as coa
- Any cipher which is coa-mult-secure is also coa-secure
- What about the converse? Not necessarily

Multiple-message Security is Stronger than Single-message Security
- Attacker A against the OTP sends $M_0 = (\text{hello}, \text{hello})$ and $M_1 = (\text{hello}, \text{world})$
- Challenger: $k \leftarrow \mathrm{Gen}(1^n)$, $b \leftarrow_R \{0,1\}$. If b = 0: $c_1 := \text{hello} \oplus k$, $c_2 := \text{hello} \oplus k$. If b = 1: $c_1 := \text{hello} \oplus k$, $c_2 := \text{world} \oplus k$
- A outputs b' = 0 if $c_1 = c_2$ and b' = 1 if $c_1 \ne c_2$; hence $\Pr[\mathrm{PrivK}^{\mathrm{coa\text{-}mult}}_{A,\mathrm{OTP}}(n) = 1] = 1$
- Why is the above attack possible? OTP is deterministic: encrypting m twice using the same key yields the same ciphertext
- One way of showing that a security notion is stronger than another is to find a scheme that is secure according to the second notion but insecure according to the first
- This demonstrates two things: first, a proof and an assumption are not enough, the right definition is important; second, determinism has limited power, randomization gives power
- The above attack can be mounted on any cipher whose Enc algorithm is deterministic
- Thm: If Π is a cipher whose Enc algorithm is a deterministic function of the key and the plaintext, then Π cannot have indistinguishable multiple encryptions in the presence of an eavesdropper
- Time to go for randomization of encryption
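The scheme from the "COA-secure SKE" slide together with the (hello, hello) / (hello, world) attack above, as an added example that is not part of the lecture. `G` is a stand-in PRG built from SHAKE-128 (an assumption of the example); `coa_mult_experiment` simulates one run of $\mathrm{PrivK}^{\mathrm{coa\text{-}mult}}$ and takes the encryption function as a parameter, because the attack relies on nothing beyond Enc being deterministic.

```python
import hashlib
import os
import random

KEY_BYTES = 16  # security parameter of this example: a 128-bit PRG seed

def G(k, length):
    """Stand-in PRG (assumption of this example): expands seed k to `length` bytes."""
    return hashlib.shake_128(k).digest(length)

# The lecture's fixed-length scheme: Gen picks k uniformly, Enc_k(m) = m xor G(k),
# Dec_k(c) = c xor G(k).  Enc is deterministic: the same (k, m) always gives the same c.
def gen():
    return os.urandom(KEY_BYTES)

def enc(k, m):
    return bytes(a ^ b for a, b in zip(m, G(k, len(m))))

def dec(k, c):
    return bytes(a ^ b for a, b in zip(c, G(k, len(c))))

def coa_mult_experiment(enc_fn):
    """One run of PrivK^{coa-mult} with the slide's attacker.  Returns 1 iff A wins."""
    M0 = (b"hello", b"hello")          # two equal messages
    M1 = (b"hello", b"world")          # two different messages of the same length
    k = gen()                          # challenger: k <- Gen(1^n)
    b = random.randrange(2)            # challenger: b <- {0,1}
    c1, c2 = (enc_fn(k, m) for m in (M0, M1)[b])
    b_guess = 0 if c1 == c2 else 1     # A: equal ciphertexts <=> equal plaintexts
    return 1 if b_guess == b else 0

def win_rate(enc_fn, trials=500):
    """Fraction of experiments A wins; exactly 1.0 for any deterministic enc_fn."""
    return sum(coa_mult_experiment(enc_fn) for _ in range(trials)) / trials

if __name__ == "__main__":
    k = gen()
    assert dec(k, enc(k, b"hello")) == b"hello"     # correctness of the scheme
    print("coa-mult win rate against the PRG-based scheme:", win_rate(enc))
```

The scheme is still coa-secure under the PRG assumption; the experiment only shows that single-message security says nothing about what repeated ciphertexts reveal.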

What next?
- coa is not the standard notion; we have used it for gradual progress
- We will give an even stronger definition and construct a scheme for it; that scheme will be secure according to both coa and coa-mult

Two assumptions and Their Implications
- PRGs exist
- coa-secure SKEs exist
- Do they imply that something fundamental exists?

One-Way Functions (OWF)
- Functions $f : \{0,1\}^* \to \{0,1\}^*$ that are easy to compute but "difficult" to invert (almost always)
- Easy task: given $x \leftarrow_R \{0,1\}^*$, compute $y = f(x)$
- Difficult task: given $y \in \{0,1\}^*$, find $x = f^{-1}(y)$
- How to mathematically formalize the above notion? By some experiment

The Inverting Experiment
- Experiment $\mathrm{Invert}_{A,f}(n)$ for $f : \{0,1\}^* \to \{0,1\}^*$
- Challenger picks $x \leftarrow_R \{0,1\}^n$, computes $y = f(x)$ and sends y to the PPT algorithm $A(1^n)$ ("I can invert f on any input")
- A returns x', its guess about a pre-image of y
- Challenger ("let me verify"): game output 1 if f(x') = y (A won), 0 if f(x') ≠ y (A lost)
- A need not find the original x to win the game; it suffices to find one pre-image

OWF: Mathematical Formulation
- A function $f : \{0,1\}^* \to \{0,1\}^*$ is a OWF if the following two conditions hold:
- Easy to compute: for every $x \in \{0,1\}^*$, f(x) can be computed in poly(n) time
- Hard to invert: for every PPT algorithm A there is a negligible function negl(·) such that
  $$\Pr\bigl[\mathrm{Invert}_{A,f}(n) = 1\bigr] \le \mathrm{negl}(n), \quad\text{i.e.}\quad \Pr_{x \leftarrow_R \{0,1\}^n}\bigl[A(f(x), 1^n) \in f^{-1}(f(x))\bigr] \le \mathrm{negl}(n)$$

Two assumptions and Their Implications
- CT5 (for one): If PRGs exist then OWFs exist
- CT6 (for one): If coa-secure SKEs exist, then OWFs exist

Scribe?

Security of the PRG-based SKE
- Theorem: If G is a PRG, then Π is a fixed-length coa-secure SKE.
- Proof: Assume Π is not secure: there exist A and a polynomial p(n) with $\Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n) = 1] > \tfrac12 + 1/p(n)$
- Build a distinguisher D for G. D is given $y \in \{0,1\}^{l(n)}$ (PRS or RS?) and runs $\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n)$ with y in place of G(k): it receives $m_0, m_1 \in M$, $|m_0| = |m_1|$, from A; picks $b \leftarrow_R \{0,1\}$; sends $c = m_b \oplus y$ to A; receives A's guess $b' \in \{0,1\}$; outputs 1 if b = b' and 0 otherwise
- If y = G(s): $\Pr[D(G(s)) = 1] = \Pr[\mathrm{PrivK}^{\mathrm{coa}}_{A,\Pi}(n) = 1] > \tfrac12 + 1/p(n)$
- If y is uniform: c is a one-time-pad encryption of $m_b$, so $\Pr[D(y) = 1] = \tfrac12$
- Hence $\bigl|\Pr[D(y) = 1] - \Pr[D(G(s)) = 1]\bigr| > 1/p(n)$, contradicting the pseudorandomness of G