Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topic 5: Constructing Secure Encryption Schemes

Published bySara Tyler Modified over 5 years ago

Similar presentations

Presentation on theme: "Topic 5: Constructing Secure Encryption Schemes"— Presentation transcript:

1 Topic 5: Constructing Secure Encryption Schemes
Cryptography CS 555 Topic 5: Constructing Secure Encryption Schemes

2 Homework 1 Released Due in class on Friday, February 3rd (2 weeks)
Solutions should be typeset (preferably in Latex) You may collaborate with classmates, but you must write up your own solution and you must understand this solution One question covers PRFs which we will cover early next week. Clarification questions:

3 Recap Sematic Security/Indistinguishable Encryptions
Concrete vs Asymptotic Security Negligible Functions Probabilistic Polynomial Time Algorithm

4 Today’s Goal Define computational security
If you don’t understand what you want to achieve, how can you possibly know when (or if) you have achieved it? Show how to build a symmetric encryption scheme with semantic security. Define computational security against an attacker who sees multiple ciphertexts or attempts to modify the ciphertexts

5 Building Blocks Pseudorandom Generators Stream Ciphers

6 Pseudorandom Generator G
Input: Short random seed s∈ 0,1 𝑛 Output: Longer “pseudorandom” string 𝐺 𝑠 ∈ 0,1 ℓ(𝑛) with ℓ 𝑛 >𝑛 ℓ 𝑛 is called expansion factor PRG Security: For all PPT attacker A there is a negligible function negl s.t Pr s∈ 0,1 𝑛 𝐴 𝐺 𝑠 =1 − Pr 𝑅∈ 0,1 ℓ(𝑛) ⁡ 𝐴 𝑅 =1 ≤negl 𝑛

7 PRG Security as a Game ∀ Pr 𝐺𝑢𝑒𝑠𝑠𝑒𝑠 𝑏 ′ =𝑏 ≤ 1 2 +𝜇(𝑛) Random bit b
If b=1 r← 0,1 𝑛 R = G(r) Else 𝑅← 0,1 ℓ 𝑛 b’ ∀ Pr 𝐺𝑢𝑒𝑠𝑠𝑒𝑠 𝑏 ′ =𝑏 ≤ 1 2 +𝜇(𝑛) 𝑝𝑝𝑡 𝑎𝑡𝑡𝑎𝑐𝑘𝑒𝑟 𝑛𝑒𝑔𝑙𝑖𝑔𝑖𝑏𝑙𝑒 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛 Suppose we have m,m’,c’ s.t. Pr[EncK(m)= c’] > Pr[EncK(m’)=c’] then adversary can select m0= m, m1=m’. If the ciphertext challenge c=c’ then the adversary outputs guess b’ = 1. Otherwise, the adversary outputs random guess b’.

8 A Bad PRG G(s) = s|1. What is the expansion factor?
Answer: ℓ 𝑛 =n+1 Task: Construct a distinguisher D which breaks PRG security for G One Answer: D(x|1)=1 and D(x|0)=0 for all x. Analysis: Pr[D(G(s)) = 1] = ? Analysis: Pr[D(R) = 1] = ? Pr s∈ 0,1 𝑛 𝐷 𝐺 𝑠 =1 − Pr 𝑅∈ 0,1 ℓ(𝑛) ⁡ 𝐷 𝑅 =1 = 1 2

9 One-Time-Pads + PRGs Encryption:
Secret key is the seed (K=s) Encs(m)=G(s)⨁𝑚 Decs(c)=G(s)⨁𝑐 Advantage: m =ℓ 𝑛 ≫ 𝑠 =𝑛 Computational Security vs Information Theoretic (Perfect) Security Disadvantage: Still can only send one message Theorem 3.18: If G is a pseudorandom generator then the above encryption scheme has indistinguishable encryptions in the presence of an eavesdropper.

10 One-Time-Pads + PRGs Why is this sufficient?
Encs(m)=G(s)⨁𝑚 Decs(c)=G(s)⨁𝑐 Theorem 3.18: If G is a pseudorandom generator then the above encryption scheme has indistinguishable encryptions in the presence of an eavesdropper. Proof by Reduction: Start with and attacker A that breaks security of encryption scheme and transform A into distinguisher D that breaks PRG security of G. Why is this sufficient?

11 Breaking Semantic Security
m0, m1 Random bit b Random seed s c=G(s)⨁ 𝑚 𝑏 b’ Pr 𝐺𝑢𝑒𝑠𝑠𝑒𝑠 𝑏 ′ =𝑏 ≥ 1 2 +𝑓(𝑛) 𝑝𝑝𝑡 𝑎𝑡𝑡𝑎𝑐𝑘𝑒𝑟 𝑛𝑜𝑛−𝑛𝑒𝑔𝑙𝑖𝑔𝑖𝑏𝑙𝑒 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛 (possibly still small) Suppose we have m,m’,c’ s.t. Pr[EncK(m)= c’] > Pr[EncK(m’)=c’] then adversary can select m0= m, m1=m’. If the ciphertext challenge c=c’ then the adversary outputs guess b’ = 1. Otherwise, the adversary outputs random guess b’.

12 The Reduction g = 1 if b=b’ 0 otherwise Random bit b If b=1 r← 0,1 𝑛
PRG Attacker What is Pr b’’≠b’ b=0 ? Hint: What encryption scheme is used? What is Pr b’’=b’ b=1 ? Random bit b If b=1 r← 0,1 𝑛 R = G(r) Else 𝑅← 0,1 ℓ 𝑛 R Encryption Attacker m0, m1 c=R⨁ 𝑚 𝑏′ Random b’ b’’ g g = if b=b’ 0 otherwise

13 Analysis Pr s∈ 0,1 𝑛 𝐷 𝐺 𝑠 =1 − Pr 𝑅∈ 0,1 ℓ(𝑛) ⁡ 𝐷 𝑅 =1
= Pr b’’=b’ b=1 −Pr b’’≠b’ b=0 = Pr b’’=b’ b=1 −½ ≥½ + f(n) −½≥f(n) Recall: f(n) was (non-negligible) advantage of encryption attacker. Implication: PRG G is also insecure (contrary to assumption). QED

14 Candidate PRG Notation: Given string x∈ 0,1 𝑛 and a subset S⊂ 1,…,𝑛 let xS ∈ 0,1 |𝑆| denote the substring formed by concatenating bits at the positions in S. Example: x=10110 and S = {1,4,5} xS=110 𝑃 𝑥1,𝑥2,𝑥3,𝑥4,𝑥5 =𝑥1 +𝑥2+𝑥3+𝑥4𝑥5 mod 2 Select random subsets 𝕊=S1,…, 𝑆 ℓ 𝑛 ⊂ 1,…,𝑛 of size |Si|=5 and with ℓ 𝑛 = 𝑛 1.4 𝐺𝕊 𝑥 = 𝑃 𝑥 𝑆 1 … 𝑃 𝑥 𝑆 ℓ 𝑛

15 Stream Cipher vs PRG PRG pseudorandom bits output all at once
Pseudorandom bits can be output as a stream RC4, RC5 (Ron’s Code) st0 := Init(s) For i=1 to ℓ: (yi,sti):=GetBits(sti-1) Output: y1,…,yℓ

16 The RC4 Stream Cipher A proprietary cipher owned by RSA, designed by Ron Rivest in Became public in 1994. Simple and effective design. Variable key size (typical 40 to 256 bits), Output unbounded number of bytes. Widely used (web SSL/TLS, wireless WEP). Extensively studied, not a completely secure PRNG, when used correctly, no known attacks exist Newer Versions: RC5 and RC6 Rijndael selected by NIST as AES in 2000 CS555 Spring 2012/Topic 5

17 The RC4 Cipher The cipher internal state consists of
a 256-byte array S, which contains a permutation of 0 to 255 total number of possible states is 256!  21700 two indexes: i, j i = j = 0 Loop i = (i + 1) (mod 256) j = (j + S[i]) (mod 256) swap(S[i], S[j]) output (S[i] + S[j]) (mod 256) End Loop CS555 Spring 2012/Topic 5

18 Limitations of Current Security Definition
Assumes adversary observes just one ciphertext What if adversary observes two ciphertexts? 𝑐 1 =Encs( 𝑚 1 )=G(s)⨁ 𝑚 1 𝑐 2 =Encs( 𝑚 2 )=G(s)⨁ 𝑚 2 How could the adversary (Joe) attempt to modify c=Enck(m) below? m = “Pay Joe the following amount (USD): ”

19 Coming Up… Before Next Class (Friday) Read: Katz and Lindell 3.4
Security for Multiple Encryptions

Download ppt "Topic 5: Constructing Secure Encryption Schemes"

Similar presentations

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Princeton University COS 433 Cryptography Fall 2007 Boaz Barak COS 433: Cryptography Princeton University Fall 2007 Boaz Barak Lectures 1-6: Short Recap.

Princeton University COS 433 Cryptography Fall 2007 Boaz Barak COS 433: Cryptography Princeton University Fall 2007 Boaz Barak Lectures 1-6: Short Recap.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.

CS555Spring 2012/Topic 41 Cryptography CS 555 Topic 4: Computational Approach to Cryptography.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Computer Security CS 426 Lecture 3

Computer Security CS 426 Lecture 3
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.

CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream.
1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.

1 CIS 5371 Cryptography 3. Private-Key Encryption and Pseudorandomness B ased on: Jonathan Katz and Yehuda Lindel Introduction to Modern Cryptography.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.

CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Stream Cipher July 2011.

Stream Cipher July 2011.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Similar presentations

Ads by Google