Download presentation

Presentation is loading. Please wait.

1
**CIS 5371 Cryptography 3b. Pseudorandomness.**

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

2
**Pseudorandomness An introduction**

A distribution D is pseudorandom if no PPT distinguisher can detect if it a string sampled according to D or chosen uniformly at random. This is formalized by requiring that every PPT algorithm outputs 1 with almost the same probability when given a truly random string as when given a pseudorandom string.

3
**Pseudorandomness An introduction**

A pseudorandom generator is a deterministic algorithm that given a short truly random seed of length n will stretch it to into a longer string of length π(π) that is pseudorandom.

4
**Existence of pseudorandom generators**

We cannot prove that pseudorandom generators exist! We believe that such generators can be constructed from one-way functions. There are some long-standing problems that have no efficient solution and it is believed that they are unsolvable in polynomial time.

5
**Pseudorandom generators informal definition**

A distribution D is pseudorandom if no PPT distinguisher can detect if it is given a string sampled according to D or a string chosen uniformly at random. This can be formalized by requiring that a PPT distinguisher D outputs 1 with almost the same probability when given a truly random string and when given a pseudorandom string.

6
**Pseudorandomness Definition**

Let π(β) be a polynomial and πΊ a deterministic polynomial-time algorithm that on input any π π {0,1 } π will output string of length π(π). πΊ is a pseudorandom generator if: π π >π β PPT distinguishers D, β π negl function with: | Pr π· π =1 β Pr π· πΊ π =1 β€negl(n) where π is uniform random string of length π π , π ππ is uniform random of length π and the probabilities are taken over the coins used by π· and the choices of π,π .

7
**A secure fixed length encryption scheme**

π ππππππ‘ππ₯π‘ πππβπππ‘ππ₯π‘ πππ
ππ ππ’ππππππππ πππππππ‘ππ πππ

8
**A secure fixed length encryption Protocol ο**

Let πΊ be a pseudorandom generator with expansion factor π. Define a private-key encryption scheme for messages of length π as follows Gen: on input 1 π choose π ο¬ {0,1 } π uniformly at random and output π as key. Enc: on input a key π ο {0,1 } π and a message mο{0,1 } π(π) output the ciphertext πβG π ο
π . Dec: on input a key π ο {0,1 } π and a ciphertext cο{0,1 } π(π) output the plaintext πβG π ο
π .

9
**A secure fixed length encryption Theorem**

If πΊ be a pseudorandom generator then protocol ο is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper.

10
**A secure fixed length encryption Reduction**

Adversary Aβ (Distinguisher D) Adversary A (Protocol ο) π€ 1 π π 0 , π 1 choose a random bit π compute π π := w ο
π π Suppose that A succeeds with probability π(π) π π 1 if π β² =π πβ² 0 if π β² οΉ π

11
**A secure fixed length encryption Proof**

Let π π = Pr[Priv K eav (π΄, ο) π =1]β Then, when π€ is uniform random we have Pr π· π€ =1 =Pr[Priv K eav (π΄, ο) π =1]= when π€=πΊ(π) we have Pr π· π€ =1 = Pr π· πΊ π =1 = Pr[Priv K eav (π΄, ο) π =1]= π(π).

12
**A secure fixed length encryption Proof**

Therefore when π€ is chosen uniformly in {0,1 } π π : |Pr π· π€ =1 βPrβ‘[π· πΊ π =1]|= ο₯(π) .

13
**Variable output length pseudorandom generators**

A deterministic polynomial-time algorithm πΊ is a variable output-length pseudorandom generator if: Let π be a string and π>0 an integer. Then πΊ π , 1 π outputs a string of length π. For all π ,π,πβ² with π< π β² , the string πΊ π , 1 π is a prefix of πΊ π , 1 π β² . Define πΊ π π β πΊ π , 1 π(|π |) . Then for every polynomial it holds that πΊ π π , 1 π is a pseudorandom generator with expansion factor π.

14
Stream ciphers We can easily modify the earlier construction for the encryption scheme ο for variable output length PRG. In this case, πβG π, 1 π ο
π . πβG π, 1 |π| ο
π .

15
**Discussion We use the term stream cipher for the PR stream generator,**

not the encryption algorithm. There are a number of practical constructions of stream ciphers that are extraordinarily fast, such as the stream cipher RC4.

16
Discussion The WEP encryption protocol for used RC4 and was broken. But since then it is fixed---and the standard updated. If RC4 has to be used the first 1024 bits or so should be discarded.

17
Discussion From a security point of view it is advocated to use block cipher constructions for constructing secure encryption schemes. This disadvantage is that this approach is less efficient when compared to using a dedicated stream cipher.

18
**Multi-message eavesdropping experiment Priv K mult (π΄,ο)(π)**

The adversary π΄ is given input 1 π and outputs a pair of vectors of messages π 0 1 ,β¦, π 0 π‘ and π 1 1 ,β¦, π 1 π‘ witβ |π 0 π = π 1 π | for all π. A key π is generated runnng πΊππ 1 π and a random bit πβ 0,1 is chosen. For all π the ciphertext π π ο¬ En π π π π π is computed and the vector of ciphertexts π π 1 , β¦, π π π‘ is given to π΄. .π΄ outputs a bit π β² . The output of the experiment iπ 1 if π =π β² and 0 otherwise.

19
**Definition ο’ PPT Adversary π΄, ο€ a negligible function negl:**

A private-key encryption scheme ο=(Gen,Enc,Dec) that has indistinguishable multiple encryptions in the presence of an eavesdropper satisfies: ο’ PPT Adversary π΄, ο€ a negligible function negl: Prβ‘[Priv K mult (π΄, ο) π =1] β€ negl π , where the probability is taken over the random coins of π΄, and the experiment.

20
**Indistinguishable single encryptions vs indistinguishable multi encryptions**

The secure fixed length encryption Protocol ο presented earlier is deterministic and cannot be used as a construction for a indistinguishable multi encryptions. To see why, we use the experiment Priv K mult for the pair of vector messages ( 0 π , 0 π ) and 0 π , 1 π .

21
**Secure multiple encryptions using a stream cipher**

Synchronized mode Communicating parties use a different part of the stream cipher output to encrypt a message. Useful for parties communicating in the same session. Communicating parties must maintain state between encryptions.

22
**Secure multiple encryptions using a stream cipher**

Unsynchronized mode Encryptions are carried out independently of one another. Communicating parties are not required to maintain state between encryptions. πΈπ π π π β ο‘πΌπ, πΊ π,πΌπ ο
πο± where the initial vector πΌπ ο¬ {0,1} π is chosen at random.

23
**Security against Chosen-Plaintext Attack (CPA)**

We now consider a more powerful adversary that is active. The adversary can ask for the encryptions of some specific plaintext messages, as well as eavesdrop.

24
**The CPA indistinguishability experiment Priv K cpa (π΄,ο)(π)**

A key π is generated runnng Gen 1 π . The adversary π΄ is given input 1 π and oracle access to En π π β , .and outputs a pair of messages π 0 , π 1 of equal length. A random bit π ο 0,1 is chosen and a ciphertext c ο¬ En π π π π is computed and given to π΄. Adversary π΄ continues to have oracle access to En π π β , and outputs a bit π β² . The output of the experiment iπ 1 if π =π β² and 0 otherwise.

25
**Indistinguishable encryptions under CPA Definition**

A private-key encryption scheme ο= Gen,Enc,Dec has indistinguishable encryptions under CPA if β PPT adversaries π΄, β a negl function such that, Prβ‘[Priv Kcpa π΄, ο π =1] β€ negl π , where the probability is taken over the coins of A and those of the experiment.

26
**CPA security for multiple encryptions**

As for single encryption, extend the experiment to Priv K cpa in which the adversary outputs a pair of vectors of plaintext. Any private-key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA

Similar presentations

© 2019 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google