University of Illinois, Urbana Champaign
CS 598DK Special Topics in Cryptography
Instructor: Dakshita Khurana
Scribe: Aniket Murhekar, Rucha Kulkarni
Date: September 11, 2019

Lecture 5: Private-Key and Public-Key Encryption
We discussed pseudo-random functions in the last lecture. In this lecture, we focus on encryption schemes. Today we will cover the following topics.

  • Define private-key and public-key encryption schemes and understand what it means for them to be secure.
  • Define and distinguish between single-message and multi-message encryption schemes.
  • Construct a private-key encryption scheme using pseudo-random functions (PRFs) and present a proof of its security.
  • Show that a secure single-message public key encryption scheme is also a secure multi-message encryption scheme.
  • Describe a public key encryption scheme, El-Gamal.

5.1 Recap: Pseudo-random functions

Recall from the last lecture that a pseudo-random function is a family of functions which, intuitively speaking, behaves like a randomly chosen function would behave. More concretely, we say that a function family $F : \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^m$ is pseudo-random if no efficient adversary $A$ can distinguish the function $F(s, \cdot)$ (for a uniformly chosen $s$) from a function chosen uniformly at random from the set $\mathcal{F}$ of all functions from $\{0,1\}^l$ to $\{0,1\}^m$. Here our adversaries are non-uniform probabilistic polynomial-time Turing machines with oracle access to either $F(s, \cdot)$ or a function in $\mathcal{F}$. Thus,

Definition 5.1. Pseudo-random function (PRF). A family of functions $F : \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^m$ is said to be pseudo-random if for all non-uniform probabilistic polynomial-time oracle Turing machines $A$, we have that:

$$\left|\Pr[A^{F(s,\cdot)}(1^k) = 1] - \Pr[A^{f}(1^k) = 1]\right| \le \mathrm{negl}(k)$$

where the first probability is taken over the uniform choice of $s \in \{0,1\}^k$ and the randomness of $A$, and the second probability is taken over the uniform choice of $f \in \mathcal{F}$ and the randomness of $A$.

5.2 Encryption schemes and their security

We first define an encryption scheme. Informally, an encryption scheme should do the following: generate a key (or a pair of keys), encrypt a plaintext message to produce a ciphertext, and then decrypt a ciphertext using the key to recover the plaintext. Formally:

Definition 5.2. Encryption scheme. An encryption scheme is a tuple of probabilistic polynomial-time (PPT) algorithms $(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$:

  1. KeyGen: On input $1^k$, output two strings $(ek, dk)$, using $r_{\mathrm{keygen}}$ as the randomness. Here $ek$ is the encryption key or public key and $dk$ is the decryption or private key.
  2. Enc: On input encryption key $ek$ and plaintext $m$, output the ciphertext $c$, using $r_{\mathrm{enc}}$ as the randomness.
  3. Dec: On input decryption key $dk$ and ciphertext $c$, output the plaintext $m$.

Note that Dec has to be a deterministic algorithm. Also note that the randomness $r_{\mathrm{enc}}$ used in encryption is not necessarily given as input to Dec. We also distinguish between private-key and public-key encryption. In the former, the private key is shared between the two parties; we do not concern ourselves with how they exchanged this key. In the latter, the encryption key is public, but decryption is possible only with knowledge of the private key. We now discuss the properties that the algorithms should satisfy, namely correctness and security.

Correctness. This requires that the algorithm Dec correctly decrypts the ciphertext of the message encrypted by the algorithm Enc:

$$\Pr[\mathrm{Dec}(dk, \mathrm{Enc}(ek, m)) = m] = 1 - \mathrm{negl}(k), \qquad (5.1)$$

where the probability is taken over the randomness used in the KeyGen and Enc algorithms. The above notion is called statistical correctness. When the right-hand side is exactly 1, we say the scheme satisfies perfect correctness.

Security. When can we say that the scheme is secure? Suppose the scheme does not reveal the entire message $m$ to adversaries who do not possess the decryption key. Can we call this scheme "secure"? Even if the scheme does not reveal $m$ entirely, it could reveal parts of $m$, or a function of the bits of $m$, to adversaries, which is itself problematic. So our security definition needs to be strengthened. For this we consider a game between an adversary $A$ and a challenger $C$:

  1. $A$ is given $1^k$ and outputs two messages $m_0$ and $m_1$ of equal length.
  2. $C$ generates a key $ek$ using KeyGen and randomness $r$, and chooses a bit $b \in \{0,1\}$ uniformly at random. She sends $c = \mathrm{Enc}(ek, m_b)$ to $A$.
  3. $A$ tries to guess $b$ and outputs $b'$.
  4. Set the variable $\mathrm{Game}_A$ to 1 if and only if $b = b'$.

We say that the scheme is secure if no non-uniform probabilistic polynomial-time (nuPPT) Turing machine can correctly guess $b$ with probability much better than $1/2$, for every choice of $m_0$ and $m_1$. That is:

$$\forall\ \text{nuPPT } A,\ \forall m_0, m_1 \text{ s.t. } |m_0| = |m_1| = k:\quad \Pr[\mathrm{Game}_A = 1] \le \frac{1}{2} + \mathrm{negl}(k). \qquad (5.2)$$

The one-time pad (OTP), in which the same key $ek$ is used for encryption and decryption, is given by:

  1. $\mathrm{Enc}(ek, m) = ek \oplus m$
  2. $\mathrm{Dec}(ek, c) = ek \oplus c$

It is easy to see that this satisfies both the properties of correctness and security when only one message is being encrypted. Thus in the single message setting, OTP is a perfectly secure encryption scheme. However, OTP suffers from a few drawbacks: the size of the key has to be equal to the size of the message, and the same key cannot be used to encrypt multiple messages. If the same key encrypts two messages $m$ and $m'$, then an adversary can compute $m \oplus m'$. Concretely, an adversary can distinguish between the message pairs $(0\,m_{01},\ 0\,m_{02})$ and $(0\,m_{11},\ 1\,m_{12})$ (each part prefixed with the indicated bit), because the first bit of $c_1 \oplus c_2 = (0\,m_{b1} \oplus ek) \oplus (b\,m_{b2} \oplus ek)$ will be $b$, where $b \in \{0,1\}$ is the choice of the challenger. Thus the adversary correctly guesses $b$ with probability 1, rendering the OTP scheme insecure for multiple messages.

We now describe a secure private-key encryption scheme using PRFs. As we will show, this scheme is secure even in the multi-message setting. We first describe the scheme in the single message setting. Let $F : \{0,1\}^k \times \{0,1\}^l \to \{0,1\}^n$ be a PRF. Consider the scheme $\Pi = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ given by:

  1. $\mathrm{KeyGen}(1^k) = s \xleftarrow{\$} \{0,1\}^k$, the seed of the PRF
  2. $\mathrm{Enc}(s, m; r) = \langle F(s, r) \oplus m,\ r \rangle$, where $r \xleftarrow{\$} \{0,1\}^l$ and $n = |m|$
  3. $\mathrm{Dec}(s, \langle c_1, c_2 \rangle) = c_1 \oplus F(s, c_2)$
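As an added illustration of the OTP key-reuse attack discussed above and of the scheme $\Pi$ just defined (example code written for these notes, not from the lecture), the following Python plays the two-message game of Section 5.2 against both schemes. It assumes HMAC-SHA256 in the role of the PRF $F(s,\cdot)$; the function names (`prf`, `play_game`, and so on) and the sample message parts are constructed here.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# One-time pad from the notes: Enc(ek, m) = ek XOR m (the key is reused below, as in the attack).
def otp_enc(ek: bytes, m: bytes) -> bytes:
    return xor(ek, m)

# PRF scheme Pi from the notes: Enc(s, m; r) = <F(s, r) XOR m, r>, Dec(s, <c1, c2>) = c1 XOR F(s, c2).
# Assumption: HMAC-SHA256 keyed with s plays the role of the PRF F(s, .); its 32-byte output is
# extended to n = |m| bytes by appending a counter to r (a construction choice made here).
def prf(s: bytes, r: bytes, n: int) -> bytes:
    blocks = (hmac.new(s, r + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def pi_keygen(k: int = 32) -> bytes:
    return os.urandom(k)                       # s <- {0,1}^k, the PRF seed

def pi_enc(s: bytes, m: bytes) -> tuple:
    r = os.urandom(16)                         # fresh r <- {0,1}^l for every encryption
    return xor(prf(s, r, len(m)), m), r

def pi_dec(s: bytes, ct: tuple) -> bytes:
    c1, c2 = ct
    return xor(c1, prf(s, c2, len(c1)))

# Two-message game of Section 5.2 with the adversary from the OTP discussion: it submits
# M_0 = (0||x, 0||y), M_1 = (0||x, 1||y) and guesses b from the first bit of c1 XOR c2.
def play_game(enc_body, b: int, x: bytes, y: bytes) -> int:
    m1 = b"\x00" + x                           # first part: leading bit 0 in both M_0 and M_1
    m2 = bytes([b << 7]) + y                   # second part: leading bit b
    c1, c2 = enc_body(m1), enc_body(m2)        # challenger encrypts both parts under one key
    return xor(c1, c2)[0] >> 7                 # adversary's guess b'

def otp_reuse_guesses(x: bytes = b"cs598dk", y: bytes = b"lecture") -> list:
    ek = os.urandom(len(x) + 1)                # constructed sample: one key reused for both parts
    return [play_game(lambda m: otp_enc(ek, m), b, x, y) for b in (0, 1)]   # [0, 1]: always right

def pi_hides_first_bit(x: bytes = b"cs598dk", y: bytes = b"lecture") -> bool:
    # Under Pi the two bodies are masked by F(s, r1) XOR F(s, r2) with fresh r1 != r2, so
    # c1 XOR c2 no longer equals m1 XOR m2 except with negligible probability.
    s = pi_keygen()
    (c1, r1), (c2, r2) = pi_enc(s, b"\x00" + x), pi_enc(s, b"\x80" + y)
    m1, m2 = b"\x00" + x, b"\x80" + y
    return r1 != r2 and xor(c1, c2) != xor(m1, m2) and pi_dec(s, (c1, r1)) == m1
```

Under OTP with a reused key the adversary's guess equals $b$ every time, while under $\Pi$ the fresh $r$ in each ciphertext removes the relation it exploits.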

Correctness: The correctness condition of Equation (5.1) can be re-phrased using the notation used in defining the encryption scheme as:

$$\mathrm{Dec}(dk, \mathrm{Enc}(ek, m)) = \mathrm{Dec}(s, \langle F(s, r) \oplus m,\ r \rangle) = (F(s, r) \oplus m) \oplus F(s, r) = m.$$

Thus, Equation (5.1) follows.

Security: In the following lemma, we prove that this scheme has single message security, and then as a corollary we establish that multi message security also follows.

Lemma 5.3. For all messages $m_0$ and $m_1$ of equal length, the distributions $\mathrm{Enc}(ek, m_0)$ and $\mathrm{Enc}(ek, m_1)$ are computationally indistinguishable. Equivalently, the encryption scheme defined above has single message security.

Proof. For a uniformly randomly chosen string $r'$, we have from the definition of PRFs the following computational indistinguishability relation:

$$\mathrm{Enc}(ek = s, m_0; r) \equiv (m_0 \oplus F(s, r),\ r) \approx_c (m_0 \oplus r',\ r).$$

Now we can say $(m_0 \oplus r', r) \approx_c (r', r)$, for $r', r$ sampled uniformly at random. Thus we get

$$(m_0 \oplus r',\ r) \approx_c (r',\ r) \approx_c (m_1 \oplus r',\ r) \approx_c (m_1 \oplus F(s, r),\ r) \equiv \mathrm{Enc}(ek, m_1; r),$$

and the lemma follows.

Corollary 5.4. The encryption scheme $\Pi$ described above has multi message security.

Applying the same proof idea to tuples of encryptions

$$C_b = (\mathrm{Enc}(ek, m_{b1}; r_1),\ \mathrm{Enc}(ek, m_{b2}; r_2),\ \ldots,\ \mathrm{Enc}(ek, m_{bp}; r_p)), \quad \text{for } b \in \{0,1\},$$

of two distinct long messages $M_b = (m_{b1}, m_{b2}, \ldots, m_{bp})$, we show that for all $i \in [p]$, $\mathrm{Enc}(ek, m_{bi}; r_i)$ is computationally indistinguishable from its corresponding part in the other message, $\mathrm{Enc}(ek, m_{(1-b)i}; r_i)$. Thus the entire messages are also computationally indistinguishable, proving the corollary.

5.4 Secure public-key encryption scheme

We first prove the following theorem, which when combined with a single message secure public key encryption (PKE) scheme will result in a multi message secure PKE.

Theorem 5.5. Single message PKE $\Longrightarrow$ Multi message PKE.

Proof. Recall the informal discussion that established this theorem from Section 5.2. We formalize this now for two-part messages. Fix the messages as $M_0 = (m_{01}, m_{02})$ and $M_1 = (m_{11}, m_{12})$. We will prove that their encryptions $D_b = (ek, \mathrm{Enc}(ek, m_{b1}; r), \mathrm{Enc}(ek, m_{b2}; r'))$ for $b \in \{0,1\}$ are computationally indistinguishable. By definition of multi-message security, the theorem then follows. We define an intermediate distribution $D_0' = (ek, \mathrm{Enc}(ek, m_{01}; r), \mathrm{Enc}(ek, m_{12}; r'))$ towards proving $D_0 \approx_c D_1$. We first prove by contradiction that $D_0 \approx_c D_0'$. Suppose that this claim is false; then there exists an adversary $A$ such that

$$\Pr[A(ek, \mathrm{Enc}(m_{01}), \mathrm{Enc}(m_{02})) = 1] - \Pr[A(ek, \mathrm{Enc}(m_{01}), \mathrm{Enc}(m_{12})) = 1] = \frac{1}{\mathrm{poly}(k)}.$$

We can then construct a machine, commonly termed a reduction and denoted by $B$, that works as follows.

  1. $B$ first samples two messages $m_{02}, m_{12}$ uniformly at random.
  2. $B$ then uses the public key $ek$, creates a ciphertext $ct$, and sends the messages $(ek, \mathrm{Enc}(m_{i2}), ct)$, for $i \in \{0,1\}$.
  3. It now runs the adversary's algorithm $A(ek, \mathrm{Enc}(m_{i2}), ct)$.

If $A$ distinguishes between $(ek, \mathrm{Enc}(m_{02}), ct)$ and $(ek, \mathrm{Enc}(m_{12}), ct)$ with probability $1/\mathrm{poly}(k)$, then $B$ can distinguish between $(ek, \mathrm{Enc}(m_{02}))$ and $(ek, \mathrm{Enc}(m_{12}))$ with the same non-negligible probability, breaking single message security, a contradiction. Similarly, we can prove $D_0' \approx_c D_1$. Together with $D_0 \approx_c D_0'$ this establishes $D_0 \approx_c D_1$.

We can extend the proof to show the scheme has multi-message security for more than two message parts, by creating the sequence of intermediate tuples

$$D_x = (ek, \mathrm{Enc}(ek, m_{01}; r_1), \ldots, \mathrm{Enc}(ek, m_{0x}; r_x), \mathrm{Enc}(ek, m_{1(x+1)}; r_{x+1}), \ldots, \mathrm{Enc}(ek, m_{1p}; r_p))$$

for all $x \in [p]$, whose initial parts are ciphertexts of message parts of the first message, followed by ciphertexts of the second message. In a chain of relations we can prove they are all computationally indistinguishable, thus proving the theorem.
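Written out as an added step (not in the original notes), the chain of relations is a hybrid argument by the triangle inequality, using the tuples $D_x$ defined above for $x \in \{0, \ldots, p\}$, so that $D_p$ encrypts $M_0$ entirely and $D_0$ encrypts $M_1$ entirely:

$$\bigl|\Pr[A(D_p) = 1] - \Pr[A(D_0) = 1]\bigr| \;\le\; \sum_{x=1}^{p} \bigl|\Pr[A(D_x) = 1] - \Pr[A(D_{x-1}) = 1]\bigr| \;\le\; p \cdot \mathrm{negl}(k),$$

since $D_{x-1}$ and $D_x$ differ only in the $x$-th ciphertext (an encryption of $m_{1x}$ versus $m_{0x}$), so each term is bounded by single message security exactly as in the proof of $D_0 \approx_c D_0'$, and $p$ is polynomial in $k$, so the sum is still negligible.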

In the final part of this lecture, we discuss a specific secure PKE scheme.