Project Verona

Are we done? We now have a perfectly - secure cipher !

No ! are ! In fact as as the . - - if we can share of this can use same mechanism to Keys very long , long message keys length , " [ the itself ) • share " message One-time restriction

Malleable

Issues with the one-time pad:

- : . Never . ! One-time Very important reuse the one-time pad to encrypt two messages Completely broken

= ① = ① Mz C k M , and Cz k Suppose ,

= C +0 ④ k ⑦ Mz can this to recover Then , ④ Cz (k mi) ( ) , f- leverage messages = ← m ④ Mz learn the ✗or of two ! , messages One-time pad reuse :

Verona . Project (US counter-intelligence operation against U.s.sk during Cold War) ↳ ~ Soviets reused some in codebook to of ~ 3000 sent Soviet pages led decryption messages by intelligence over 37- year period [notably exposed espionage by Julius and Ethel Rosenberg ]

- Microsoft Point-to-point Tunneling CMS- PPTP) in Windows 98 /NT (used for VPN) ↳ Same key (in stream cipher) used for both server → client communication AND for client → server ↳ communication (RCH)

- 802.11 : client and server use WEP both same key to encrypt traffic

one-time reuse (can even recover small many problems just beyond pad key after observing number of frames ! )

- : one-time no can the : M#ble pad provides integrity ; anyone modify ciphertext

m ← K +0 C

← ' replace c with c. ④ m

' ' ⇒ = k ④ c ④ m ④ m ← 's cored into ( ) m adversary change now ✗ original message . a then tem If satisfies 114/3 / Ml . cipher perfect secrecy ,

: s to most . This that about Intuition Every ciphertext can decrypt at 1kt IMI messages means ciphertext leaks information the all Cannot be . (not . secret message messages equally likely) perfectly

" " s ← . EM . a . m Pref We will use I KI IMI . Take c (k ) for some KEK m counting argument Suppose any ciphertext Encrypt , , s This can to at most 1kt messages (one for each choice of ) . Since I KI IMI there ciphertext only decrypt possible key , ' that is some message m EM such ' Vk E K : (k c) F m Decrypt ,

correctness of the By cipher,

' tf KEK : ( k m ) E C Encrypt ,

This means that

' t = = Pr k k : ( k m ) 0 ( Encrypt , c) ! Cannot be perfectly secret t = > o Pr (k k : (k m) c ] } Encrypt ,

: the - cookbooks Perfect . ( in most critical scenarios ) Takeaway secrecy requires long keys Very impractical except exchanging daily

If we want efficient usable we need to somewhere. something / , compromise

- : is a Perfect an information-theoreiyl.ie, mathematical) Observe secrecy property Even an nfiniyp¥atayub¥ adversary cannot break security We will relax this property and only require ( ) adversaries security against computationaHy-bounded efficient " "

- : the one-time : we will a from a seed ( s c- { ) random start 0,13128 . Idea compress pad generate long looking string e.g. ,

s " : se { 0,13 (1 is the seed IT typically length or

c- secur-i-yparame-I.ly____-""j GG) {0,15 where n → × ← " " n is the stretch of a PRG " : K= {0,13 Strader " m = C = {0,13

" " - : ← - (k m) c m ④ Instead of ✗or with the we use the to derive a stream of random Encrypt , ing key, key

: ← (k c) m c ④ G(K) bits and use that in of the one-time Decrypt , |G looking place pad

< ! If I n then this scheme cannot be secure So we need a di¥ notion of , perfectly security

" " " " : Want a stream to like a one- time to reasonable function . Intuitively cipher pad any adversary ⇒ " " Equivalently : output of a PRG should look like uniformly - random string of secret e. , " g. length " ? what is a reasonable adversary + key - : Theoretical answer runs in ( ) time a algorithm probabilistic polynomial (denote poly (7) where ✗ is parameter) " security - : < Practical answer runs in time 28° and < 26 (can use numbers as well space larger )

: a Goat construct PRG so no efficient adversary can distinguish output from random .

two Captured by defining experiments or games : # the to the (t) is s {0,131 ← t-RG.li input adversary ⇐ ← ) adversary + Gcs adversary often called the chalking - / Z 2 > BE {0,13 > be {"B Experiment 0 Experiment 1

's to between 0 and random Adversary goal is distinguish Experiment (pseudorandom string) Experiment 1 (truly string) ↳ + ← or t-fo.IM) : It is given as input a string t of length n (either Gcs) Remember adversary knows the algorithm Gi ↳ / . It a a bit be { 0.13) ! outputs guess ( single i-0-yseed.is hidden

0 define the Let Wo :=Pr[ adversary outputs 1 in Experiment ] distinguishing advantage of A as Do Not RELY ON SECURITY BY OBSCURITY! W } : = Wo - , :=Pr[ 1 in 1 PRGAdv A G ] / Wil / ] [ - adversary outputs Experiment , time f- probabilistic polynomial " A PRG G :{0,131 → {0.13 is if all efficient adversaries A than . for Definition secede , smarter any inverse polynomial PRGADVCA G) , =negl( e.g., ¥ ylogt ↳ , negligible function (in the input length) µ

- ' Theoretical definition : ffx) is negligible if f- C- off ) for all CEIN " " - Practical definition : I E 2-128 quantity 2-80 or Understanding the definition: → we all when n ? 1 . Can ask for security against adversaries ( A)

and O . No ! Consider inefficient adversary that outputs 1 if t is the image of G otherwise

- = Wo 1 = PRGAdv[A. G) 1- ¥ I 1 if non - = W = Pr t←R {oil )^ : Is c- 0,131 : 667=-1 ¥ } , [ { ]

1 ? . is 2 Can the of a PRG be biased first bit of PRG . %) output leg , output wp

! 1 is 1 No Consider efficient adversary that outputs if first bit of challenge . - Wo = 3- PRGADV [A.G) = } ! - NIBLE. = } W , £

More no efficient statistical test can of a secure PRG from random. generally , distinguish output 10 3 . Can the of a PRG be ( first bits the 11th bit) ? output predictable e.g. , given , predict

! If are It E can with E (since random is No the bits w . ) predictable .p , distinguish advantage string unpredictable ⇒ Infarct : unpredictable pseudorandom

: same as the one-time to A secure PRG the statistical . take-away has properties pad any efficient adversary ⇒ Should be able to use it in of one-time to obtain a scheme ( efficient place pad secure encryption against adversaries)

Need to of an scheme. define security encryption

Goal is to that no efficient can learn information about the the capture property adversary any message given only to that . Suffices no efficient can of Mo from me even if ciphertext argue adversary distinguish encryption message ,

Mo m are . , , Harihar

Let be a We define C- : ( . two {0,13 Encrypt, Decrypt) cipher experiments (parameterized by b ) b. C- {0,13 I ADMIT ch•"eY= semantic security KEK experiment Encryptrnb) } t

b' c- {0,13

two chooses . and of one of them. Needs to which one (i.e Adversary messages receives encryption guess , distinguish

of Mo of m encryption fwm encryption ,)

Let Wo := [b' = I / b = 0] that 1 Pr probability adversary guesses W := Pr b' = I b =L } (if is these two should be different , [ ] ) / adversary good distinguishes, very

Define semantic of A for TlsE=( ) security advantage adversary cipher Encrypt , Decrypt

- SSAdr[ A. IsE) =/ Wo W , /

TISE :( ) is secure if for all efficient adversaries A Definition . A , cipher Encrypt Decrypt semantically , SSAdu LA TSE] = / , neg (7) ← 1 is a (here models the of the security parameter , bittength key)