



Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
We discussed pseudo-random functions in the last lecture. In this lecture, we focus on encryption schemes. Today we will cover the following ...
Typology: Study notes
1 / 6
This page cannot be seen from the preview
Don't miss anything!




University of Illinois, Urbana Champaign CS 598DK Special Topics in Cryptography
Instructor: Dakshita Khurana Scribe: Aniket Murhekar, Rucha Kulkarni Date: September 11, 2019
Private-Key and Public-Key Encryption
We discussed pseudo-random functions in the last lecture. In this lecture, we focus on encryption schemes. Today we will cover the following topics.
Recall from the last lecture that a pseudo-random function is a family of functions which, intuitively speaking, behaves like a randomly chosen function would behave. More concretely, we say that a function family F : { 0 , 1 }k^ × { 0 , 1 }l^ → { 0 , 1 }m^ is pseudo- random if no efficient adversary A can distinguish the function F (s, ·) (for a uniformly chosen s) from a function chosen uniformly at random from the set F of all functions from { 0 , 1 }l^ to { 0 , 1 }m. Here our adversaries are non-uniform probabilistic polynomial-time Turing machines with oracle access to either F (s, ·) or a function in F. Thus,
Definition 5.1. Pseudo-random function (PRF). A family of functions F : { 0 , 1 }k^ × { 0 , 1 }l^ → { 0 , 1 }m^ is said to be pseudo-random if for all non-uniform probabilistic polynomial- time oracle Turing machines A, we have that:
|Pr[AF^ (s,·)(1k) = 1] − Pr[Af^ (1k) = 1]| ≤ negl(k)
where the first probability is taken over the uniform choice of s ∈ { 0 , 1 }k^ and the random- ness of A, and the second probability is taken over the uniform choice of f ∈ F and the randomness of A.
We first define an encryption scheme. Informally, an encryption scheme should do the following: generate a key (or a pair of keys), encrypt a plaintext message to produce a ciphertext, and then decrypt a ciphertext using the key to recover the plaintext. Formally:
Definition 5.2. Encryption scheme. An encryption scheme is a tuple of probabilistic polynomial-time (PPT) algorithms (KeyGen, Enc, Dec):
Note that Dec has to be a deterministic algorithm. Also note that the randomness renc used in encryption is not necessarily given as input to Dec. We also distinguish between private-key and public-key encryption. In the former, the private key is shared between the two parties. We do not concern ourselves with how they exchanged this key. In the latter, the encryption is key is public, but the decryption is possible only with the knowledge of the private key. We now discuss the properties that the algorithms should satisfy, namely, correctness and security. Correctness. This requires that the algorithm Dec correctly decrypts the ciphertext of the message encrypted by the algorithm Enc:
Pr[Dec(dk, Enc(ek, m)) = m] = 1 − negl(k), (5.1) where the probability is taken over the randomness used in the KeyGen and Enc al- gorithms. The above notion is called statistical correctness. When the right-hand side is exactly 1, we say the scheme satisfies perfect correctness. Security. When can we say that the scheme is secure? Suppose the scheme does not reveal the entire message m to adversaries who do not possess the decryption key. Can we call this scheme “secure”? Even if the scheme does not reveal m entirely, it could reveal parts of m, or maybe a function of the bits of m to adversaries, which itself is problematic and could reveal information about m. So our security definition needs to be strengthened. For this we consider a game between an adversary A and a challenger C:
We say that the scheme is secure if no non-uniform probabilistic polynomial-time (nuPPT) Turing machine can correctly guess b with probability much better than 1/2, for every choice of m 0 and m 1. That is:
∀ nuPPT A, ∀m 0 , m 1 s.t. |m 0 | = |m 1 | = k : Pr[GameA = 1] =
It is easy to see that this satisfies both the properties of correctness and security when only one message is being encrypted. Thus in the single message setting, OTP is a perfectly secure encryption scheme. However, OTP suffers from a few drawbacks: the size of the key has to be equal to the size of the message, and the same key cannot be used to encrypt multiple messages. If the same key encrypts two messages m and m′, then an adversary can compute m ⊕ m′. Now an adversary can distinguish between the pairs (0m 01 , 0 m 02 ) and (0m 11 , 1 m 12 ) because the first bit of c 1 ⊕ c 2 = (0mb 1 ⊕ k) ⊕ (bmb 2 ⊕ k)) will be b, where ∈ b{ 0 , 1 } is the choice of the challenger. Thus the adversary correctly guesses b with probability 1, rendering the OTP scheme insecure for multiple messages. We now describe a secure private-key encryption scheme using PRFs. As we will show, this scheme is secure even in the multi-message setting. We first describe the scheme in the single message setting. Let F : { 0 , 1 }k^ × { 0 , 1 }l^ → { 0 , 1 }n^ be a PRF. Consider the scheme Π = (KeyGen, Enc, Dec) given by:
Correctness: The correctness condition of Equation (5.1) can be re-phrased using the notation used in defining the encryption scheme as:
Dec(dk, Enc(ek, m)) = Dec(s, 〈F (s, r) ⊕ m, r〉) = (F (s, r) ⊕ m) ⊕ F (s, r) = m.
Thus, Equation (5.1) follows. Security: In the following lemma, We will prove this scheme has single message security, and then as a corollary we establish how multi message security also follows.
Lemma 5.3. For all messages m 0 and m 1 of equal length, the distributions Enc(ek, m 0 ) and Enc(ek, m 1 ) are computationally indistinguishable. Equivalently, the encryption scheme defined above has single message security.
Proof. For a uniformly randomly chosen string r′, we have from the definition of PRFs the following computational indistinguishability relation.
Enc(ek = s, m 0 ; r) ≡ (m 0 ⊕ F (s, r), r) ≈c (m 0 ⊕ r′, r).
Now we can say (m 0 ⊕ r′, r) ≈c (r′, r), for any r′, r sampled uniformly at random. Thus we get,
(m 0 ⊕ r′, r) ≈c (r′, r) ≈c (m 1 ⊕ r′, r) ≈c (m 1 ⊕ P RF (ek, r), r) ≡ Enc(ek, m 1 ; r),
and the lemma follows.
Corollary 5.4. The encryption scheme Π described above has multi message security.
Applying the same proof idea to tuples of encryptions,
Cb = (Enc(ek, mb 1 ; r 1 ), Enc(ek, mb 2 ; r 2 ),... , Enc(ek, mbp; rp)), f or b ∈ { 0 , 1 },
of two distinct long messages Mb = (mb 1 , mb 2 ,... , mbp), we show that for all i ∈ [p], Enc(ek, mbi; ri) is computationally indistinguishable from its corresponding part in the other message Enc(ek, m(1−b)i; ri). Thus, the entire messages are also indistinguishable computationally, proving the corollary.
We first prove the following theorem, which when combined with a single message secure public key encryption (PKE) scheme will result in a multi message secure PKE.
Theorem 5.5. Single message PKE =⇒ Multi message PKE.
Proof. Recall the informal discussion that established this theorem from Section 5.2. We formalize this now for two part messages. Fix the messages as M 0 = (m 01 , m 02 ) and M 1 = (m 11 , m 12 ). We will prove their encryptions Db = (ek, Enc(ek, mb 1 ; r), Enc(ek, mb 2 ; r′)) for b ∈ { 0 , 1 } are computationally indistinguishable. By definition of multi-message security, the theorem then follows. We define an intermediate distribution D 0 ′ = (ek, Enc(ek, m 01 ; r), Enc(ek, m 12 ; r′)) to- wards proving D 0 ≈c D 1. We first prove by contradiction that D 0 ≈c D′ 0. Suppose then, that this claim is false, then there exists an adversary A such that
P r[A(ek, Enc(m 01 ), Enc(m 02 )) = 1] − P r[A(ek, Enc(m 01 ), Enc(m 12 )) = 1] =
poly(k)
We can then construct a machine, which is commonly termed as a reduction, denoted by B, that works as follows.
If A distinguishes between (ek, Enc(m 02 ), ct) and (ek, Enc(m 12 ), ct) with probability 1 /poly(k), then B can distinguish between (ek, Enc(m 02 )) and (ek, Enc(m 12 )) with the same non-negligible probability, breaking single message security, a contradiction. Similarly, we can prove D 0 ′ ≈c D 1. Together with D 0 ≈c D′ 0 this establishes D 0 ≈c D 1. We can extend the proof to show the scheme has multi-message security for greater than 2 message parts, by creating the sequence of intermediate tuples
Di = (ek, Enc(ek, m 01 ; r),... , Enc(ek, m 0 x; r), Enc(ek, m1(x+1); r),... , Enc(ek, m 1 p; r))
for all x in [p], whose initial parts are ciphertexts of message parts of the first message, followed by ciphertexts of the second message. In a chain of relations we can prove they are all computationally indistinguishable, thus proving the theorem.
In the final part of this lecture, we discuss a specific secure PKE scheme.