Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: • Chapter 3 • Read sections 3.1-3.2 first (skipping 3.2.2) 1 Negligible functions A nonegative function f : is said to be negligible if for every positive polynomial Pn( ), there is an integer n0 such that 1 f( n ) for all n n (i.e., for sufficiently large n). Pn() 0 Examples: 2n , 2 n , n log n are negligible functions. Negligible functions approach zero faster than the reciprocal of every polynomial. We write negl(n ) to denote an unspecified negligible function. 2 Properties of negligible functions If negl1 (nn ) and negl2 ( ) are negligible functions, then negl12 (nn) negl ( ) is negligible. If negl(n ) is a negligible function and p( n ) a polynomial, then p( n ) negl() n is negligible. Examples: 2n 2 n and n100n log n are negligible. 3 Relaxing the security requirement In perfect indistinguishability (perfect secrecy), the adversary has unlimited computing power, success rate 1 2; also, message length is hidden. Now we relax the notion of perfect indistinguishability by limiting adversaries to having poly(n ) computing power, allowing the success rate to be 1 2 negl(n ), not hiding message length. 4 Security Parameter The n in the previous slide is called a security parameter, which indicates the key leng.th We will associate an encryption scheme with a secureity parameter n, and would like to be secure in the sense that any adversary with poly( n) computing power can break with at most negl( n) probability. 5 PPT Algorithms Probabilistic polynomial-time algorithms Polynomial-time : the running time is polynomial in input length. Input length is the number of bits of the input. What is the length of n in binary, and what is the length of 1n ? What is the difference between these two statements: An( ) is a PPT algorithm. A(1n ) is a PPT algorithm. 6 Private-key encryption scheme w. security parameter n A tuple of polynomial-time algorithms: (,,)Gen Enc Dec Key generation algorithm Gen : On input 1n , outputs a key k{0,1}n . We write k Gen(1n ). (n : security parameter.) Encryption algorithm Enc: On input a key k and a message * m{0,1} , outputs a ciphertext c. We write c Enck ( m ). Decryption algorithm Dec: On input a key k and a ciphertext c, Dec outputs a message m or an error symbol . We write m: Deck ( c ). Correctness requirement: for every k Gen(1n ) and m {0,1}* , Deckk Enc( m ) m . Gen, Enc are probabilistic. Dec, deterministic. 7 If message space M{0,1}()n , then ( Gen , Enc, Dec) is said to be a fixed-leng th private-key encryption scheme for messages of length (n ). nn If Gen(1 ) simply outputs ku {0,1} , we omit Gen and simply denote the scheme by (Enc , Dec ). This is almost always the case. 8 eav Ciphertext Indistinguishability Experiment PrivK A, (n) Adversary: PPT eavesdropper with a single ciphertext. (Gen , Enc , Dec ) : an encryption scheme with security parameter n. Imagine a game played by Bob and an adversary A (Eve): n Eve, given input 1 , outputs a pair of messages mm01, with mm01 (i.e., having the same length). n Bob chooses a key k Gen(1 ) and a bit b u {0,1}; computes c Ek ( mb ); and gives c to Eve. Eve outputs a bit bc, trying to tell whether is an encryption of mm01 or . eav The output, PrivKA, (n ), of the experiment is 1 iff b b (i.e., Eve succeeds.) 9 Ciphertext Indistinguishability against an eavesdropper Definition: A private-key encryption scheme has indistinguishable encryptions against an eavesdropper (or is EAV-secure) if for all probabilistic polynomial-time adversaries A, there is a negligible function negl( n ) such that (for all n) 1 Pr PrivKeav (nn ) 1 negl( ) A, 2 where the probability is taken over the randomness used by A, the randomness used by Bob to choose the key and the bit b, as well as the randomness used by Enc. n eav A1 , m01 , m , Enckb ( m ) b : Pr PrivKA, (n ) 1 Pr n n bu {0,1}, k Gen(1 ), m01, m A(1 ) 10 An equivalent formulation eav For b 0 or 1 (fixed), let PrivKA, (n ,b ) denote the previous experiment with the fixed b used. eav Let output PrivKA, (n ,b ) denote the adversary's output. n eav A1 , m01 , m , Enck (mb ) 1: Pr output PrivKA, (n ,b ) 1 Pr nn k Gen(1 ), m01, m A (1 ) Theorem: A private-key encryption scheme is EAV-secure if and only if for all PPT adversaries A, there is a negligible function negl( n ) such that Pr output PrivKeav (nn ,0 ) 1 Pr output PrivK eav ( ,1 ) 1 AA, , negl()n . 11 That is, nn A1,,, m0 m 1 Enckk ()1:mm01 A1,,, m 0 m 1 Enc ()1: Pr Pr n n n n k Gen(1 ), m01, m A (1 ) k Gen (1 ), m01, m A (1 ) negl( n ) 12 Adversaries cannot learn any bit of the plaintext Let mi denote the ith bit of m. If an encryption scheme is EAV-secure, then from a ciphertext i c Enck ( m ), it is infeasible for the adversary to recover m . Theorem: If a fixed-length private-key encryption scheme with MA {0,1}()n is EAV-secure, then for all PPT adversaries and any in1, , ( ) , it holds: 1 n i n ()n Pr A1 , Encku ( m ) m : k {0,1} , mnu {0,1} negl( ). 2 13 Secure Encryption Schemes Secure: EAV-secure, CPA-secure, or CCA-secure. Secure private-key encryption schemes may be constructed from: Pseudorandom generators Pseudorandom functions Pseudorandom permutations. 14 Pseudorandom Generators and Stream Ciphers Encryption schemes using pseudorandom generators K&L: Section 3.3 15 Motivation Vernam's one-time pad scheme is perfectly secure against single-ciphertext eavesdropper. Drawback: it requires a random key as long as the message. Solution: use a short key as seed to generate a "pseudorandom" key that is as long as needed. This is the basic idea of stream ciphers. 16 Stream ciphers The term "stream cipher" may refer to the entire encryption scheme or just the pseudorandom generator. 17 What is a pseudorandom generator? Informally, a pseudorandom generator is an algorithm G that given a (short ) truly random string s, outputs a " random-like " (i.e.,pseudorandom) string longer than s. Informally, a string r is "random-like " if it is hard to tell whether or not r is generated by a truly-random generator. n Loosely speaking, two sets ABnn, {0,1} are said to be polynomially indistinguishable if for every polynomial distinguisher D, | PrD ( r ) 1: r u An PrDr( ) 1: r u Bn | negl()n 18 In the above, we were actually talking about the indistinguishability between two ensembles (sequences) of sets: AB and . nnnn Definition: Two ensembles of sets AB and are nnnn polynomially indistinguishable if for every polynomial-time distinguisher D, it holds that | PrD ( r ) 1: run A PrD ( r ) 1: run B | negl( n ) Which of the following are polynomially indistinguishable? n n n ABnn{0,1} , {0,1} 0 nn100 Ann{0,1} , B s {0,1} : s 2 as a binary integer nn1 ABnn{0,1} , 0 {0,1} 19 n n n ABn {0,1} and n {0,1} 0 are polynomially indistinguishable. PrD() r1: r u An Prr Pr D ( r ) 1 rAn 1 PrDr ( ) 1 n 2 rAn 1 n 1 PrD (0 ) 1 PrDr ( ) 1 n n 2 2 rBn PrD ( r ) 1: r u Bn PrrD Pr (r ) 1 rBn 1 n PrD(r ) 1 21 rBn || PrD ( r ) 1: r u ABn PrD ( r ) 1: r u n negl)(n 20 Definition of pseudorandom generator Let ( ) be a polynomial such that (n ) n for all n 0. Let G be a deterministic polynomial-time algorithm that, for any input string s {0,1}n , outputs a string Gs( ) {0,1}()n . G is said to be a pseudorandom generator with expansion factor ( ) if for every polynomial-time distinguisher D, n | PrD ( G ()) s 1: s u {0,1} ()n PrD ( r ) 1: r u {0,1} | negl( n ) That is, the two ensembles AB and , are polynomially nnn N n N n ()n indistinguishable, where Ann G( s ) : s {0,1} and B 0,1 . 21 Example: insecure pseudorandom generator n Let G( s ) s ( s11 snn ) for s s s {0,1} . Expansion factor l( n ) n 1. G is not a pseudorandom generator: 1 if r11 rnn r For r{0,1}n1 , let D( r ) 0 otherwise n PrD ( G ( s )) 1: s u {0,1} 1 n1 PrD ( r ) 1: r u {0,1} 1 2 Difference between the two probabilities is not negligible. 22 Remarks A string r is said to be a random string if it is generated by a true random generator (i.e., rru {0,1} , where ). A string r is said to be a pseudorandom string if it is generated by a pseudorandom generator. What if the distinguisher D has unlimited (or exponential) time? 1 if r G( s ) for some s {0,1}n Given r{0,1}()n , let D( r ) 0 otherwise n PrD ( G ( s )) 1: s u {0,1} 1 ()()()n n n n n PrD ( r ) 1: r u {0,1} 2 2 1 2 Difference between the two probabilities is not negligible. 23 Existence of pseudorandom generators If one-way functions exist, then pseudorandom generators exist. That is, pseudorandom generators can be constructed from one-way functions.