1. Foundations of Cryptography Lecture 13 Lecturer: Moni Naor

2. Recap of Lecture 12 Pseudo-Random Permutations Feistal Permutations Proof of the construction Semantic Security and Indistinguishability of encryptions

3. To specify security of encryption The power of the adversary – computational Probabilistic polynomial time machine (PPTM) –access to the system Can it change the messages? What constitute a failure of the system – what it means to break the system. –Reading a message –Forging a message?

4. What is a public-key encryption scheme Allows Alice to publish a public key K P while keeping hidden a secret key K S Key generation : a method G:{0,1} *  {0,1} * x {0,1}* that outputs K P (Public) and K S (secret) ``Anyone” who is given K P and m can encrypt it Encryption : a method E:{0,1} * x {0,1} * x {0,1}*  {0,1} * that takes a public key K P a message (plaintext) m and random coins and output an encrypted message ciphertext Given a ciphertext and the secret key it possible to decrypt it Decryption : a method D:{0,1} * x {0,1} * x {0,1}*  {0,1} * that takes a secret key K S, a public key K P and a ciphertext c and output a plaintext m. In general D(K S, K P, E(K P, m, r)) = m

5. Computational Security of Encryption Indistinguishability of Encryptions Indistinguishability of encrypted strings: Adversary A chooses X 0, X 1  0,1  n receives encryption of X b for b  R  0,1  has to decide whether b  0 or b  1. For every pptm A, choosing a pair X 0, X 1  0,1  n  Pr  A  ‘1’  b  1  - Pr  A  ‘1’  b  0   is negligible. Probability is over the choice of keys, randomization in the encryption and A ‘s coins. In other words: encryptions of X 0, X 1 are indistinguishable Quantification over the choice of X 0, X 1  0,1  n

6. Computational Security of Encryption Semantic Security Whatever Adversary A can compute on encrypted string X  0,1  n so can A ’ that does not see the encryption of X yet simulates A ‘s knowledge with respect to X A selects: Distribution D n on  0,1  n Relation R(X,Y) - computable in probabilistic polynomial time For every pptm A choosing a (polynomial time samplable) distribution D n on  0,1  n there is an pptm A’ so that for all pptm relation R for X  R D n  Pr  R(X,A(E(X))  - Pr  R(X,A’(  ))   is negligible In other words: The outputs of A and A’ are indistinguishable even for a test who is aware of X Note: presentation of semantic security is non-standard (but equivalent to it)

7. Equivalence of Semantic Security and Indistinguishability of Encryptions Would like to argue their equivalence Must define the attack –Otherwise cannot fully talk about an attack Chosen plaintext attacks –Adversary can obtain the encryption of any message it wishes –In an adaptive manner –Certainly feasible in a public-key setting –What about shared-key encryption? More severe attacks –Chosen ciphertext

8. Security of public key cryptosystems: exact timing Adversary A gets to public key K P Then A can mount an adaptive attack –No need for further interaction since can do all the encryption on its own Then A chooses –In semantic security the distribution D n and the relation R –In indistinguishability of encryptions the pair X 0, X 1  0,1  n Then A is given the test –In semantic security E(K P, X,r) for X  R D n and r  R  0,1  m –In indistinguishability of encryptions the E(K P, X b,r) for b  R  0,1  and r  R  0,1  m

9. The Equivalence Theorem For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property

10. Equivalence Proof If a scheme has the indistinguishability of encryptions property, then it is semantically secure: Suppose not, and A chooses – some distribution D n – some relation R Choose X 0, X 1  R D n and run A twice on –C 0 = E(K P, X 0,r 0 ) call the output Y 0 –C 1 = E(K P, X 1,r 1 ) call the output Y 1 For X 0, X 1  R D n let –  0 = Prob[R(X 0, Y 0 )] –  1 = Prob[R(X 1, Y 0 )] If  0 -  1  If is non negligible can distinguish between encryption of X 0 of X 1 –Contradicting the indistinguishability property If  0 -  1  is negligible can run A’ with no access to encryption –sample X’  R D n and C’ = E(K P, X’, r) –Run A on C’ and output Y’ Here we Use the power to generate encryptions

11. Equivalence Proof… If a scheme is semantically secure, then it has the indistinguishability of encryptions property: Suppose not, and A chooses – A pair X 0, X 1  0,1  n –For which it can distinguish with advantage  Choose –distribution D n = {X 0, X 1 } –Relation R which is “equality with X ” For any A’ that does not get C = E(K P, X,r) and outputs Y’ Prob[R(X, Y’)]= ½ By simulating A and outputting Y= X b for guess b  0,1  Prob[R(X, Y)] ¸ ½ + 

12. Similar setting The same proof works for the shared key case with adaptive chosen plaintext attack ``Standard” definition of semantic security: –Instead of A trying to find Y such that R(X,Y), A tries to find Y such that Y=f(X) f is any function (not necessarily polynomial time computable) –In spite of difference equivalent to our definition

13. When is each definition useful Semantic security seems to convey that the message is protected –Not the strongest possible definition Easier to prove indistinguishability of encryptions

14. Concatenations If (G,E,D) is a semantically secure cryptosystem, then if Adversary A Chooses X 0, X 1  0,1  n Receives k independent encryptions of X b for b  R  0,1  has to decide whether b  0 or b  1. Cannot have non negligible advantage Proof: hybrid argument

15. Concatenation Let A be an adversary that selects: –Distribution D n on  0,1  n –Relation R computable in probabilistic polynomial time Let X 1, X 2,... X k 2 R D n Suppose that A receives E(X 1 ), E(X 2 ),..., E(X k ) Computes Y and hopes that R(X 1, X 2,..., X k,Y) Homework : prove that for any A there is an A’ with similar probability of success

16. Construction: from trapdoor permutation Key generation: K P (Public) and K S (secret) are the keys of the trapdoor permutation Encryption: to encrypt a message m  0,1  k –select x  R  0,1  n and r  R  0,1  n –compute g(x)=x ¢ r, f P (x) ¢ r, f P (2) (x) ¢ r, … f P (k-1) (x) ¢ r –Send m Xored with g(x) and y=f P (k) (x) and r (g(x) © m, f P (k) (x), r) Decryption: given (c, y, r) –extract x = f P (-k) (y) using K S –compute g(x) using r –extract m by Xoring c with g(x)

17. Security of construction Claim : given y=f P (k) (x), g(x) is indistinguishable from random Proof: it is a pseudo-random generator Pseudo-randomness implies indistinguishability of encryption

18. Example Blum-Goldwasser cryptosystem –Based on the Blum, Blum, Shub pseudo-random generator –The permutation defined by N= P ¢ Q, where P,Q = 3 mod 4 –For x 2 Z N *, x is a quadratic residue f N (x)=x 2 mod N

19. Shared key encryption Sender and receiver share a key s of a pseudo-random function F s : {0,1} n  {0,1} k Encryption of a message m  0,1  k –Choose r  R  0,1  n –Send (F s (r) © m,r) Decryption of a ciphertext (y,r) –Compute m=F s (r) © y Proof of security: based on the indistinguishability of F s from a truly random function

20. Open Problems How to get a good encryption scheme with a weaker than fully blown pseudo-random function Homework: read –Moni Naor and Omer Reingold, From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs, Crypto'98.

21. From single bit to many bits If there is an encryption scheme that can hide E(K P, 0,r) from E(K P, 1,r), then can construct a full blown (for any length messages) semantically secure cryptosystem by concatenation Each bit in the message m  0,1  k is encrypted separately Proof: a hybrid argument –Using definition of indistinguishability of encryption –Suppose adversary chooses X 0, X 1  0,1  k –Let: D 0 be the distribution on encryptions of X 0 D k be the distribution on encryptions of X 1 D i be the distribution where the first i bits are from X 0 and the last k-i bits are from X 1 Example: quadratic residues mod N

22. One-way encryption is sufficient for semantic security against chosen plaintext attack Call an encryption scheme one-way if given c=E(K P, m, s) for random m and s it is hard to find m This is the weakest form of security one can expect from a ``self-respecting” cryptosystem Can use it to construct a single-bit indistinguishable scheme: To encrypt a bit b  0,1  : –choose random x, s and r –Send (c,r,b’) where c=E(K P, x, s) b’= x ¢ r © b Security : from the Goldreich-Levin reconstruction algorithm

23. Examples of public-key cryptosystems Factoring related: RSA, Rabin Discrete-log related: –Diffie-Hellman (El Gamal) –Various groups Early Knapsack and Codes (late 1970’s) –Merkle Hellman –McEliece: probabilsitic cryptosystem Modern Lattice Based –Ajtai-Dwork: only one for which worst case to hardness reduction is known –Goldreich-Goldwasser and Halevi NTRU

24. Example: Interactive Authentication P wants to convince V that he is approving message m P has a public key K P of an encryption scheme E. To authenticate a message m: V  P : Choose r 2 R {0,1} n. Send c=E(m ° r, K P ) P  V : Receiving c Decrypt c using K S Verify that prefix of plaintext is m. If yes - send r. V is satisfied if he receives the same r he choose