1. B504/I538: Introduction to Cryptography
Spring • Lecture 21
(2017—03—28)

2. Assignment 5 is due next Thursday!
(2017—04—06)

3. Public-key encryption schemes
Defn: A public-key encryption scheme is a triple of algorithms (Gen, Enc, Dec) such that
Gen：1ℕ→Ｋe×Ｋd is a randomized “keypair generation” algorithm;
Enc：Ｋe×Ｍ→Ｃ is an (often randomized) “encryption” algorithm;
Dec：Ｋd×Ｃ→Ｍ is a deterministic “decryption” algorithm.
Usually write Encke(m) and Deckd(m) instead of Enc(ke,m) and Dec(kd,m)
Ｋe is the encryption key space
Ｋd is the decryption key space
Ｍ is the message space
Ｃ is the ciphertext space
(set of possible encryption keys)
(set of possible decryption keys)
(set of possible messages)
(set of possible ciphertexts)

4. Pr[Deckd(Encke(m))=m｜(ke,kd)←Gen(1s)]≥1-ε(s)
Correctness
Intuitively: Correctness is the property of being able to decrypt (given the appropriate decryption key)
Defn: A public-key encryption scheme (Gen, Enc, Dec) with message space M is correct if there exists a negligible function ε：ℕ→ℝ+ such that, ∀s∈ℕ and ∀m∈Ｍ,
Pr[Deckd(Encke(m))=m｜(ke,kd)←Gen(1s)]≥1-ε(s)

5. Recall: IND-CPA security
“left–or–right”
(for symmetric-key encryption)
Challenger (C)
Attacker (A)
1 s
1 s
k←Gen(1 s)
b∊{0，1}
(m10，m11)
(m10，m11)∈Ｍ×Ｍ
(|m10|=|m11|) c1
c1←Enck(m1b)
(m20，m21)
(m20，m21)∈Ｍ×Ｍ
(|m20|=|m21|) c2
c2←Enck(m2b) ⋮
(mq0，mq1)
(mq0，mq1)∈Ｍ×Ｍ
(|mq0|=|mq1|) cq
cq←Enck(mqb)
b‘∈{0，1}
Define A’s advantage to be AdvCPA(A)≔|Pr[b=b’]-½|

6. Variants of the IND-CPA security game
The game we have seen in lectures is sometimes called the “left­–or–right” IND–CPA game
Three other (“equivalent”) variants are common:
“Real–or–random” IND–CPA security game
“Find–then–guess” IND–CPA security game
Semantic security game

7. IND-CPA security “real–or–random” (for symmetric-key encryption) ⋮ ⋮
Game 0: (Attacker has access to real encryption oracle)
Challenger (C)
Attacker (A)
1 s m1
1 s
k←Gen(1 s)
m1∈Ｍ c1
c1←Enck(m1) ⋮ mn
mn∈Ｍ cn
cn←Enck(mn)
b‘∈{0，1}
Game 1: (Attacker has access to random oracle)
Challenger (C)
Attacker (A)
1 s
k←Gen(1 s) m1
1 s
m1∈Ｍ c1
c1∊Ｃ ⋮ mn
mn∈Ｍ cn
cn∊Ｃ
b‘∈{0，1}
Define A’s advantage to be AdvROR(A)≔|Pr[b=b’]-½|

8. IND-CPA security “find–then–guess” (for symmetric-key encryption) ⋮
Challenger (C)
Attacker (A)
1 s
1 s
k←Gen(1 s)
b∊{0，1} m1
m1∈Ｍ c1
c1←Enck(m1) ⋮ mq
mq∈Ｍ cq
cq←Enck(mqb)
(M1，M2)
(M1，M2)∈Ｍ×Ｍ
(|M1|=|M2|) C
C←Enck(Mb)
b‘∈{0，1}
Define A’s advantage to be AdvFTG-CPA(A)≔|Pr[b=b’]-½|

9. IND-CPA security for public-key schemes
For symmetric-key encryption, we had two options:
Secrecy for a single message: Indistinguishable encryptions in the presence of an eavesdropper
Secrecy for multiple messages: Indistinguishable multiple encryptions in the presence of an eavesdropper (IND-CPA)
Secrecy for single message ⇏secrecy for multiple messages
For public-key encryption, we have only one option
Secrecy for single message ⇔ secrecy for multiple messages

10. IND-CPA security (for public-key encryption)
Challenger (C)
Attacker (A)
1 s
1 s
k←Gen(1 s)
b∊{0，1}
(m0，m1)
(m0，m1)∈Ｍ×Ｍ
(|m0|=|m1|)
c←Enck(mb) c
b‘∈{0，1}
Define A’s advantage to be AdvCPA(A)≔|Pr[b=b’]-½|
Defn: A public-key encryption scheme (Gen，Enc，Dec) is IND-CPA secure if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCPA(A)≤ε(s).

11. IND-CCA2 security (for public-key encryption) 1 s 1 s ⋮ c←Encke(Mb) ⋮
Challenger (C)
Attacker (A) ke
1 s
(ke，kd)←Gen(1s)
1 s
b∊{0，1} c1
c1∈Ｃ m1
m1≔Deckd(c1) ⋮
cn1
cn1∈Ｃ
mn1
mn1≔Deckd(cn1)
(M0，M1)
(M0，M1)∈Ｍ×Ｍ
c←Encke(Mb) c
c’1
c’1∈Ｃ∖ {c}
m’1
m’1≔Deckd(c’1)
A cannot
ask for Deckd(c) ⋮
c’n2
c’n2∈Ｃ∖ {c}
m’n2
m’n2≔Deckd(c’n2)
b‘∈{0，1}
Define A’s advantage to be AdvCCA(A)≔|Pr[b=b’]-½|

12. IND-CCA2 security (for public-key encryption)
Thm: A public-key encryption scheme (Gen，Enc，Dec) is IND-CCA2 secure if, for every PPT attacker A, there exists a negligible function ε：ℕ→ℝ+ such that AdvCCA(A)≤ε(s).

13. Consequences of public keys
Thm (informal): Perfectly secret public-key encryption does not exist
Unbounded attacker can learn m via brute force (How do we know this is always possible?)
Thm (informal): Deterministic IND-CPA secure public- key encryption does not exist
PPT attacker can still learn m via brute force, given some prior knowledge about m

14. Recall: One-way permutations (OWPs)
Challenger (C)
Inverter (A)
1 s
1 s
x∊{0，1}s
y≔π(x) y x
Let E be the event that π(x)≟y
Define A’s advantage to be Advπ-1(A)≔Pr[E]

15. Recall: One-way permutations (OWPs)
Defn: A function π：{0，1}*→{0，1}* is a one-way permutation (OWP) if it is
easy to compute: there exists an efficient algorithm that , on input x∈{0，1}*, outputs π(x);
length-preserving: for all x∈{0，1}*, |x|=|π(x)|;
one–to–one: for all x1，x2∈{0，1}*, π(x)=π(y) implies x=y; and
hard to invert: for every PPT algorithm A, there exists a negligible function ε：ℕ→ℝ+ such that Advπ-1(A) ≤ 𝜀(s).

16. Trapdoor (one-way) permutations (TDPs)
Intuitively, a trapdoor OWP is an OWP with a “trapdoor” that makes inverting easy
With trapdoor:
∃ PPT A that inverts with overwhelming probability
Without trapdoor:
∄ PPT A that inverts with non-negligible probability
⇒ hard for any PPT A to find the trapdoor
Formally, we consider a family of permutations, each with its own trapdoor

17. Trapdoor (one-way) permutations (TDPs)
Defn: A triple of PPT algorithms (Gen，Samp，Inv) is a family of trapdoor permutations if
Gen：1ℕ→Ｋe×Ｋd is a randomized algorithm. Each (ke,kd)←Gen(1n) defines a set Dke and an OWP πDke：Dke →Dke.
Samp： Ｋe→ ⋃ Dke is a randomized algorithm that, on input any ke∈Ｋe, outputs a random element of Dke
Inv： Ｋd× ⋃ Dke → ⋃ Dke is a deterministic algorithm on input kd and x∈Dke for any (ke，kd)←Gen(1n), outputs ΠD-1ke(x)

18. That’s all for today, folks!