Presentation is loading. Please wait.

Presentation is loading. Please wait.

Modern symmetric-key Encryption

Published byEllen Davidson Modified over 5 years ago

Similar presentations

Presentation on theme: "Modern symmetric-key Encryption"— Presentation transcript:

1 Modern symmetric-key Encryption

2 Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his course. Comp 547 at Mcgill university

3 Overview of sec The Concrete Approach The Asymptotic Approach
Defining Computationally-Secure Encryption The Basic Definition of Security Constructing Secure Encryption Schemes Pseudorandom Generators Proofs by Reduction Fixed-Length Encryption Scheme Stronger Security Notions Security for Multiple Encryptions Chosen-Plaintext Attacks and CPA-Security

4 Computational Security
What does it mean to be pseudo-random Things can look random when they are not This can be used to achieve secure encryption while using short keys

5 Computational Security
Encrypt many messages using short keys Limitations of perfect secrecy can be bypassed We can achieve a strong but necessarily weaker notion than perfect secrecy

6 Computational approach to secure encryption
A computation encryption scheme can be broken given enough time Try all the keys until you find the right one Guess keys until you find the right one Under certain assumptions, it should take millions of years to break an encryption scheme even given all the (current and future) computation power available on earth

7 Weakening of security The computational approach incorporates two relaxations of the notion of perfect security Security is only preserved against efficient adversaries that run in a feasible amount of time Adversaries can potentially succeed with some very small probability.

8 Concrete security The concrete approach quantifies the security of a cryptographic scheme by bounding the maximum success probability of any adversary running for at most some fixed amount of time. That is, let t,ε be positive constants with ε ≤ 1. A scheme is (t,ε)-secure if every adversary running for time at most t succeeds in breaking the scheme with probability at most ε.

9 Concrete security Modern private-key encryption schemes are generally assumed to give almost optimal security in the following sense: When the key has length 𝑠, an adversary running in time 𝑡 can succeed in breaking the scheme with probability at most (𝑐 is small) 𝑐 ∗ 𝑡 2 𝑠

10 Asymptotic security An algorithm
Takes a parameter 𝑛 Use random coins The success probability of an algorithm is the probability that it produces the correct output The running time and success probability of an algorithm are all viewed as functions of 𝑛.

11 Algorithm running time and success probability.
The running time of an algorithm is how many steps it takes until it stops An algorithm is efficient if the algorithm runs in polynomial time An algorithm is polynomial time if there exists a constant c,d such that the running time of algorithm is less than c⋅ 𝑛 𝑑 . An algorithm has small probability of success if the probability that the algorithm succeeds is negligible in 𝑛.

12 Negligible function A function 𝜇: ℕ→ 𝑅 + is negligible if
Computer science definition: ∀ 𝑐∈𝑁 :𝜇 𝑛 ∈𝑂( 𝑛 −𝑐 ) Math definition: ∀ 𝑐∈𝑁 : ∃ 𝑛 ′ ∈𝑁 ∀𝑛≥ 𝑛 ′ 𝜇 𝑛 ≤ 1 𝑛 𝑐 An algorithm has small probability of success if the probability that the algorithm succeeds is negligible in 𝑛. Class of negligible functions is closed under addition and multiplication

13 Security A scheme is secure if:
Every Probabilistic Polynomial Time Adversary (viewed as an algorithm) succeeds in breaking the scheme with only negligible probability.

14 Warning Negligible probability might be large for small values
Example: f(n) = min 2 𝑛−128 , 1

15 Secure encryption scheme (in terms of game)
𝑚 0 , 𝑚 1 𝑟 ∈ 𝑅 {0,1} 𝑐 𝑐←𝐸𝑛𝑐( 𝑚 𝑟 ) 𝑏 Wins if 𝑏=𝑟 𝐺 An encryption scheme is secure ∀𝐴∈𝑃𝑃𝑇 ∃ 𝜇∈𝑛𝑒𝑔𝑙 : Pr 𝐴 𝐺 =𝑤𝑖𝑛 ≤ 1 2 +𝜇 𝑛 Every PPT adversary does only negligibly better than guessing.

16 Encryption game An encryption scheme is secure
𝑚 0 , 𝑚 1 𝑚 0 , 𝑚 1 c←𝐸𝑛𝑐( 𝑚 1 ) c←𝐸𝑛𝑐( 𝑚 0 ) c c 𝐺 0 𝐺 1 b 𝑟∈ 𝑅 {0,1} 𝑚 0 , 𝑚 1 ← 𝐺 𝑟 c guess wins if guess =𝑟 An encryption scheme is secure ∀𝐷∈𝑃𝑃𝑇 ∃ 𝜇∈𝑛𝑒𝑔𝑙 : Pr 𝐴 𝐺 =𝑤𝑖𝑛 ≤ 1 2 +𝜇 𝑛

17 Encryption game An encryption scheme is secure
𝑚 0 , 𝑚 1 𝑚 0 , 𝑚 1 c←𝐸𝑛𝑐( 𝑚 0 ) c←𝐸𝑛𝑐( 𝑚 1 ) c c 𝐺 0 𝐺 1 An encryption scheme is secure if a distinguisher cannot guess which of these two games he is playing with more than one-half plus negligible probability

18 Computational indistinguishability
Two games 𝐺 0 , 𝐺 1 (parameterized by 𝑛) are computationally indistinguishable if For all PPT distinguisher, there exists a negligible function 𝜇 𝑛 such that when the distinguisher is given G sampled from 𝐺 0 , 𝐺 1 at random, the probability that he correctly guesses which game he was given is at most 1 2 +𝜇(𝑛)

19 Definition of Pseudo-random generator
A function 𝐺 : 0,1 𝑛 → 0,1 ℓ 𝑛 is a PRG if Expansion: ℓ 𝑛 >𝑛 (trivial if ℓ 𝑛 ≤𝑛) Pseudo-random: Pr⁡[𝐴𝑑𝑣 𝑤𝑖𝑛𝑠 𝑡ℎ𝑒 𝑓𝑜𝑙𝑙𝑜𝑤𝑖𝑛𝑔 𝑔𝑎𝑚𝑒] ≤ 1 2 +𝜇(𝑛) 𝑟 ∈ 𝑅 {0,1} seed ∈ 𝑅 0,1 𝑛 w 0 ←𝐺 𝑠𝑒𝑒𝑑 w w 1 ∈ 𝑅 0,1 ℓ 𝑛 w← 𝑤 𝑏 𝑏 Wins if 𝑏=𝑟

20 Definition of Pseudo-random generator
A function 𝐺 : 0,1 𝑛 → 0,1 ℓ 𝑛 is a PRG if Expansion: ℓ 𝑛 >𝑛 (trivial if ℓ 𝑛 ≤𝑛) Pseudo-random: following two games are computationally indistinguishable r ∈ 𝑅 0,1 𝑛 w w w←𝐺(𝑟) w ∈ 𝑅 0,1 ℓ(𝑛) 𝐺 0 𝐺 1

21 Encrypting a message from a short key using a pseudo-random generator

22 CPA-secure An encryption scheme is secure
𝑚 0 , 𝑚 1 r ∈ 𝑅 0,1 c←𝐸𝑛𝑐( 𝑚 𝑟 ) c 𝑚′ Repeat as many times as the adversary wants c′←𝐸𝑛𝑐(𝑚′) 𝑐′ b wins if 𝑏=𝑟 An encryption scheme is secure ∀𝐴∈𝑃𝑃𝑇 ∃ 𝜇∈𝑛𝑒𝑔𝑙 : Pr 𝐴 𝐺 =𝑤𝑖𝑛 ≤ 1 2 +𝜇 𝑛 (every PPT adversary does only negligibly better than guessing.)

23 Chosen-plaintext security
𝑚 0 , 𝑚 1 𝑚 0 , 𝑚 1 c c←𝐸𝑛𝑐( 𝑚 0 ) c c←𝐸𝑛𝑐( 𝑚 1 ) m m c c←𝐸𝑛𝑐(𝑚) c c←𝐸𝑛𝑐(𝑚) Repeat as many times as the distinguisher wants Repeat as many times as the distinguisher wants 𝐺 0 𝐺 1

24 Midway islands (non-CPA secure)
American cryptanalysts thought: * = Midway Island Americans sent: “Midway is low on water” Japanese sent: “* blah blah” Americans confirmed that * = Midway Island Lesson: Adversaries can influence the message.

25 On the (in)security of deterministic encryption scheme
An encryption scheme is deterministic Each plaintext maps to a unique ciphertext Can deterministic encryption scheme be CPA-secure? No! Encrypting the same plaintext twice results in the same ciphertext. Lesson: Secure encryption requires randomness

26 Definition of random function
Consistency: if you query a random function with the same input, it will give you the same output Random: If you provide a new input to a random function, it will give you a random output

27 Pseudo-random function
A class of functions ( 𝐹 1 ,…, 𝐹 2 𝑛 ) if every PPT adversary wins the following game with probability 𝜇 𝑛 where 𝜇∈𝑛𝑒𝑔𝑙 𝑟 ∈ 𝑅 {0,1} k ∈ 𝑅 0,1 𝑛 𝑓 0 ← 𝑓 𝑘 𝑓 1 ←𝑟𝑎𝑛𝑑𝑜𝑚 f← 𝑓 𝑟 𝑥 Repeat as many times as the distinguisher wants y←𝑓(𝑥) 𝑦 𝑏 Wins if 𝑏=𝑟

28 Pseudo-random function
A class of functions ( 𝐹 1 ,…, 𝐹 2 𝑛 ) is pseudo-random if the following two games are indistinguishable F ←𝑟𝑎𝑛𝑑𝑜𝑚 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛 k ∈ 𝑅 0,1 𝑛 F ← 𝐹 𝐾 m m w←𝐹(𝑚) 𝑤←𝐹(𝑚) 𝑤 𝑤 Repeat as many times as the distinguisher wants Repeat as many times as the distinguisher wants 𝐺 0 𝐺 1

29 CPA-secure encryption scheme from PRF
𝐾𝑒𝑦𝑔𝑒𝑛 {1} 𝑠 𝑘 ∈ 𝑅 0,1 𝑠 𝐸𝑛 𝑐 𝑘 𝑚 𝑟 ∈ 𝑅 0,1 𝑛 𝑐← 𝑟, 𝐹 𝑘 𝑟 ⊕𝑚 𝐷𝑒 𝑐 𝑘 𝑐 𝑟,𝑑 ←𝑐 𝑚← 𝐹 𝑘 𝑟 ⊕𝑑

30 Building a distinguisher for the PRF using a distinguisher for the encryption scheme
𝑚 0 , 𝑚 1 𝑟 ∈ 𝑅 0,1 𝑛 𝑟 𝑑←(𝑤⊕ 𝑚 0 ) guess 𝑐 𝑤 𝑐←(𝑟,𝑑)

31 Building a distinguisher for the PRF using a distinguisher for the encryption scheme
k ∈ 𝑅 0,1 𝑛 𝑚 0 , 𝑚 1 𝑟 ∈ 𝑅 0,1 𝑛 𝑟 f ← 𝐹 𝐾 𝑑←(𝑤⊕ 𝑚 0 ) 𝑐 𝑤 𝑐←(𝑟,𝑑) w ←𝑓(𝑟) guess 𝑟 𝑚 0 , 𝑚 1 𝑟 ∈ 𝑅 0,1 𝑛 F ←𝑟𝑎𝑛𝑑𝑜𝑚 𝑑←(𝑤⊕ 𝑚 0 ) w ←𝑓(𝑟) 𝑤 guess 𝑐 𝑐←(𝑟,𝑑)

Download ppt "Modern symmetric-key Encryption"

Similar presentations

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 9 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.

1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.

Cryptography Lecture 4 Arpita Patra. Recall o Various Definitions and their equivalence (Shannon’s Theorem) o Inherent Drawbacks o Cannot afford perfect.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.

Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

Similar presentations

Ads by Google