Cryptography Lecture Notes: Private-Key Encryption & Computational Security, Study notes of Cryptography and System Security

A portion of lecture notes from cs 120/csci e-177: introduction to cryptography, focusing on private-key encryption and computational security. The notes discuss the concept of computational indistinguishability, which is a stronger security requirement than statistical security. The document also covers the asymptotic and concrete formalizations of indistinguishable encryptions and provides examples of insecure schemes. Additionally, it introduces the concepts of guessing-indistinguishability and semantic security.

Typology: Study notes

2010/2011

Uploaded on 11/02/2011

thecoral


CS 120/CSCI E-177: Introduction to Cryptography

Salil Vadhan and Alon Rosen Oct. 3, 2006

Lecture Notes 5:

Private-Key Encryption: Computational Security

Recommended Reading.

  • Katz-Lindell 3.2, 3.3

1 Introduction

  • Motivation: Recall statistical security: for every m_0, m_1 ∈ P and set T of ciphertexts,

| Pr [E_K(m_0) ∈ T] − Pr [E_K(m_1) ∈ T] | ≤ ε.

That is, there is no test T that distinguishes the encryptions of any pair of messages with probability better than ε.

  Still requires |K| ≥ (1 − ε) · |P|.

  • (Computational) indistinguishability: only consider tests T defined by feasible algorithms A, i.e. replace the event E_K(m) ∈ T with A(E_K(m)) = 1.
  • First Goal: Construct computationally secure encryption schemes that go beyond the Shannon barrier (i.e. have |K| ≪ |P|).

  Still restricted to one use and a passive adversary.

  • Later: Model and achieve security for multiple messages and active adversaries.

2 Asymptotic formalization

  • Need a security parameter 1^n: n is chosen by the sender and receiver in advance depending on the level of security they want.
  • A feasible adversary is any poly(n)-time adversary. We will always allow the adversary to be nonuniform, i.e. have a program of size poly(n).
  • Require that G, E, D all run in polynomial time (i.e. poly(n)). G now takes n as input (in unary).
  • Main point: G, E, D run in some fixed polynomial time (e.g. time n^2) but security must hold against adversaries with even larger running time. Thus, as we set n larger and larger (e.g. as technology improves), the scheme takes much less time to use than it does to break.
  • The message space can change with the security parameter: P = ⋃_n P_n. For example, P_n can be {0,1}, {0,1}^n, {0,1}^*.

  • What should ε be? A function ε : N → [0, 1] is negligible if for every c, there exists n_0 s.t. ε(n) < 1/n^c for all n > n_0.

Definition 1 (indistinguishable encryptions (asymptotic version)) Let (G, E, D) be an encryption scheme over P = ⋃_n P_n where all messages in P_n have the same length. (G, E, D) has (computationally) indistinguishable encryptions if for every (nonuniform) PPT A, there is a negligible function ε such that for all m_0, m_1 ∈ P_n,

|Pr [A(E_K(m_0)) = 1] − Pr [A(E_K(m_1)) = 1]| ≤ ε(n),

where the probabilities above are taken over K ←_R G(1^n), the coin tosses of E_K, and the coin tosses of A.

In other words, no feasible algorithm/adversary can distinguish the encryptions of any pair of messages with nonnegligible probability (a.k.a. advantage).

  • To handle varying message lengths (e.g. P_n = {0,1}^*): only consider pairs (m_0, m_1) with |m_0| = |m_1| ≤ poly(n).

3 Concrete formalization

  • feasible adversary = time ≤ t on a specific computational model (e.g. t = 2^100 cycles on a Pentium D) using a program of size ≤ t.
  • G, E, D should all run in time ≪ t.

Definition 2 (indistinguishable encryptions (concrete version)) Let (G, E, D) be an encryption scheme over P where all messages in P have the same length. (G, E, D) is (t, ε)-secure if for every probabilistic algorithm A running in time t and for all m_0, m_1 ∈ P,

|Pr [A(E_K(m_0)) = 1] − Pr [A(E_K(m_1)) = 1]| ≤ ε,

where the probabilities above are taken over K ←_R G, the coin tosses of E_K, and the coin tosses of A.

  • G doesn't take any input.

4 Examples of Insecure Schemes

  • Shift cipher
  • Substitution cipher
  • Biased one-time pad: G(1^n): for i = 1, ..., n, set k_i = 1 with probability .49 and k_i = 0 with probability .51. Output k = k_1 ... k_n. P = {0,1}^n, E_k(m) = m ⊕ k.
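As an added worked example (mine, not part of the lecture notes), the biased one-time pad above paired with a concrete feasible test A, and the advantage |Pr[A(E_K(m_0)) = 1] − Pr[A(E_K(m_1)) = 1]| from Definition 1 computed both exactly and by sampling. The function names and the choice m_0 = 0^n, m_1 = 1^n are my assumptions; the point is that the advantage grows with n rather than vanishing, so no negligible ε(n) bounds it.

```python
import random
from math import comb

def biased_otp_keygen(n, p_one=0.49, rng=random):
    """G(1^n) from the notes: each key bit is 1 with probability .49, else 0."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def otp_encrypt(key, m):
    """E_k(m) = m xor k over P = {0,1}^n (messages and keys as bit lists)."""
    return [mi ^ ki for mi, ki in zip(m, key)]

def majority_zero_distinguisher(c):
    """Test A(c) = 1 iff c has more 0s than 1s.  For m0 = 0^n the ciphertext
    is the key itself (biased toward 0); for m1 = 1^n it is the key's
    complement (biased toward 1), so A leans to 1 on E_K(m0), 0 on E_K(m1)."""
    return 1 if c.count(0) > c.count(1) else 0

def empirical_advantage(keygen, encrypt, distinguisher, m0, m1, trials, seed=0):
    """Estimate |Pr[A(E_K(m0)) = 1] - Pr[A(E_K(m1)) = 1]| with a fresh key per trial."""
    rng = random.Random(seed)
    hits = [0, 0]
    for _ in range(trials):
        for idx, m in enumerate((m0, m1)):
            k = keygen(len(m), rng=rng)
            hits[idx] += distinguisher(encrypt(k, m))
    return abs(hits[0] - hits[1]) / trials

def exact_advantage(n, p_one=0.49):
    """Exact advantage of majority_zero_distinguisher on m0 = 0^n, m1 = 1^n.
    The number of 1-bits in the key is Binomial(n, p_one); A outputs 1 on
    E_K(0^n) iff that count is < n/2, and on E_K(1^n) iff it is > n/2."""
    pmf = [comb(n, j) * p_one ** j * (1 - p_one) ** (n - j) for j in range(n + 1)]
    fewer_ones = sum(pmf[j] for j in range(n + 1) if 2 * j < n)
    more_ones = sum(pmf[j] for j in range(n + 1) if 2 * j > n)
    return abs(fewer_ones - more_ones)

if __name__ == "__main__":
    # With p_one = .5 (the genuine one-time pad) the same test has advantage 0;
    # with the .49/.51 bias the advantage increases with n, so the scheme
    # fails Definition 1 (and, for large enough n, any useful (t, eps) in Definition 2).
    for n in (1, 11, 101, 1001):
        print(n, round(exact_advantage(n), 4), round(exact_advantage(n, 0.5), 4))
    print(empirical_advantage(biased_otp_keygen, otp_encrypt,
                              majority_zero_distinguisher, [0] * 1001, [1] * 1001, 300))
```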

Theorem 6 An encryption scheme has indistinguishable encryptions if and only if it has semantic security.

Hence if we assume (or prove) indistinguishability (i.e. distinguishing encryptions is hard), then we can deduce semantic security (i.e. computing information about the message is hard).

Proof: We'll only prove that indistinguishable encryptions implies semantic security. Let A be any PPT adversary, M a distribution on P_n and f : P_n → {0,1}^* any function. Fix any message m_0 ∈ P, and let A′(1^n) be the algorithm that chooses k ←_R G(1^n) and runs A(E_k(m_0)). Then,

Pr [A(E_K(M)) = f(M)] ≤ Pr [A(E_K(m_0)) = f(M)] + neg(n) = Pr [A′(1^n) = f(M)] + neg(n) ≤ max_v {Pr [f(M) = v]} + neg(n)