Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Posted on 18-Dec-2015
Recap of Lecture 11
• Pseudo-random functions
• Combining pseudo-random functions
  – Concatenation
  – Composing
• The GGM tree construction
• Pseudo-random permutations
• Feistel permutations
Pseudo-Random Permutations
• Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
(Figure: a key and a plaintext block enter the block cipher; a ciphertext block of the same length comes out.)
Block Ciphers
• Advantages
  – Saves on memory and communication bandwidth
  – Easy to incorporate within existing systems
• Main disadvantage
  – Every block is always encrypted in the same way
• Important examples: DES, AES
Modeling Block Ciphers
• Pseudo-random permutations
  $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, domain, range)
  $F^{-1} : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, range, domain)
• Want:
  – $X = F_S^{-1}(F_S(X))$ (correct inverse)
  – Efficiently computable
The Test
• The tester A can choose adaptively
  – $X_1$ and get $Y_1 = F_S(X_1)$
  – $Y_2$ and get $X_2 = F_S^{-1}(Y_2)$
  …
  – $X_q$ and get $Y_q = F_S(X_q)$
• Then A has to decide whether
  – $F_S \in_R \Phi_k$, or
  – $F_S \in_R P(n) = \{F \mid F : \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$
• Can choose to evaluate or invert any point!

$(t, \varepsilon, q)$-pseudo-random
For a function F chosen at random from
(1) $\Phi_k = \{F_S \mid S \in \{0,1\}^k\}$
(2) $P(n) = \{F \mid F : \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$
For all t-time machines A that choose q locations and try to distinguish (1) from (2):
$\left|\Pr[A = \text{'1'} \mid F \in_R \Phi_k] - \Pr[A = \text{'1'} \mid F \in_R P(n)]\right| \le \varepsilon$
Construction of Pseudo-Random Permutations
• Possible to construct a p.r. permutation from p.r. functions (and vice versa)
• Based on 4 Feistel permutations
Feistel Permutation
• Any $f : \{0,1\}^n \to \{0,1\}^n$ defines a Feistel permutation
  $D_f(L, R) = (R,\ L \oplus f(R))$
• Feistel permutations are as easy to invert as to compute:
  $D_f^{-1}(L, R) = (R \oplus f(L),\ L)$
• Many block ciphers are based on such permutations, where the function f is derived from the secret key
(Figure: one Feistel round; input halves $L_1, R_1$, round function f, output halves $L_2, R_2$.)
Composing Feistel Permutations
• Make the function $f : \{0,1\}^n \to \{0,1\}^n$ a pseudo-random function $G_S \in_R \Phi'_k$
• This defines a keyed family of permutations $\{0,1\}^{2n} \to \{0,1\}^{2n}$
• Clearly it is not pseudo-random
  – The right block goes unchanged to the left block
• What about composing two such keyed permutations with independent keys?
• Still not pseudo-random:
  $D_{S_2}(D_{S_1}(L, R)) = (L \oplus G_{S_1}(R),\ R \oplus G_{S_2}(L \oplus G_{S_1}(R)))$
  – For two inputs sharing the same right block, the left output blocks XOR to the XOR of the left input blocks
• Looks pretty good for random attacks!
  – No repetitions on the pseudo-random part
Main Construction
• Let $G_{S_1}, G_{S_2}, G_{S_3}, G_{S_4} \in_R$ PRF. Then the composition of $D_{S_1}, D_{S_2}, D_{S_3}, D_{S_4}$ is a pseudo-random permutation.
• Each $G_i : \{0,1\}^n \to \{0,1\}^n$; the resulting permutation is $\{0,1\}^{2n} \to \{0,1\}^{2n}$.
• $G_1$ and $G_4$ can be "combinatorial":
  – pair-wise independent
  – low probability of collision on the first block
• Error probability is $\approx q^2/2^n$
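As an added illustration (not code from the lecture), the following Python builds the Feistel round $D_f$, its inverse and the round-by-round composition from a keyed function; it assumes HMAC-SHA256 truncated to n bits stands in for the pseudo-random function $G_S$, and the helper `left_halves_xor` (a name chosen here) exhibits the two-round weakness noted above, which four rounds no longer show.

```python
import hashlib
import hmac
import os

N_BYTES = 8  # half-block size n = 64 bits; the permutation acts on 2n = 128-bit blocks


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(key: bytes, x: bytes) -> bytes:
    """G_S : {0,1}^n -> {0,1}^n. Assumption of this example: HMAC-SHA256
    truncated to n bits plays the role of the pseudo-random function."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R))"""
    return R, xor(L, f(R))


def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): inverting costs one call to f, like evaluating."""
    return xor(R, f(L)), L


def encrypt(keys, L: bytes, R: bytes):
    """Compose one Feistel round per key: D_{S_r}( ... D_{S_1}(L, R) ... )."""
    for k in keys:
        L, R = feistel(lambda x: prf(k, x), L, R)
    return L, R


def decrypt(keys, L: bytes, R: bytes):
    """Undo the rounds in reverse order."""
    for k in reversed(keys):
        L, R = feistel_inv(lambda x: prf(k, x), L, R)
    return L, R


def left_halves_xor(keys, L1: bytes, L2: bytes, R: bytes) -> bytes:
    """Encrypt (L1, R) and (L2, R), which share the right half, and XOR the
    left halves of the outputs. After two rounds the left output half is
    L xor G_{S_1}(R), so the result is always L1 xor L2; after four rounds
    it equals L1 xor L2 only with probability about 2^-n."""
    return xor(encrypt(keys, L1, R)[0], encrypt(keys, L2, R)[0])


def keygen(rounds: int):
    """One independent key per round (constructed at random here)."""
    return [os.urandom(16) for _ in range(rounds)]
```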
Security Theorem
Let
(1) be the set of permutations obtained when the two middle functions $G_2, G_3$ are truly random functions and the first and last, $(h_1, h_2)$, are chosen from a pairwise independent family.
(2) $P(n) = \{F \mid F : \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$
Theorem: For any adversary A (not necessarily efficient) that makes at most q queries, the advantage in distinguishing a random permutation from P(n) from a random one from (1) is at most $q^2/2^n + q^2/2^{2n}$.
Corollary: the original construction is computationally secure.
Back to Two Permutations
• For each pair of input and output blocks, $(L_1, R_1)$ is mapped to $(L_2, R_2)$ if and only if
  – $G_{S_1}(R_1) = L_1 \oplus L_2$
  – $G_{S_2}(L_2) = R_1 \oplus R_2$
• So we have "one-wise independence":
  – Happens with probability $1/2^{2n}$
• Furthermore: for any q pairs
  $(L_1^1, R_1^1) \to (L_2^1, R_2^1),\ (L_1^2, R_1^2) \to (L_2^2, R_2^2),\ \ldots,\ (L_1^q, R_1^q) \to (L_2^q, R_2^q)$
  such that for $j \ne i$: $R_1^j \ne R_1^i$ and $L_2^j \ne L_2^i$,
  the probability that all are mapped to each other is $1/2^{2qn}$.
The Transcript
• May assume A is deterministic
  – Since it is not computationally bounded
• The transcript T is the set of pairs of inputs/outputs $(X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$ queried by A
  – Queries can go either way (evaluate or invert)
• Consider a third distribution $\tilde P$ of responses: if A
  – asks for F(x) and x appeared before in a query $\langle x, y \rangle$: answer y
  – asks for $F^{-1}(y)$ and y appeared before in a query $\langle x, y \rangle$: answer x
  – otherwise answer a random $z \in \{0,1\}^{2n}$
• $\tilde P$ is not always consistent with some permutation
  – Call the resulting transcript inconsistent
$\tilde P$ is close to P(n)
Claim: A may differentiate between $\tilde P$ and P(n) only if the transcript is inconsistent
Claim ["inconsistent"]: $\Pr[T \text{ is inconsistent}] \le q^2/2^{2n}$
Proof: birthday
It remains to bound the difference between $\tilde P$ and (1)
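An added simulation (not part of the lecture) of the third distribution above: the oracle answers repeated points consistently and everything else uniformly, the consistency check decides whether a transcript still defines a partial 1-1 map, and a small experiment compares the empirical inconsistency rate against the birthday bound $q^2/2^{2n}$; class and function names are chosen here, and $2n$ is passed as `block_bits`.

```python
import random


class ThirdDistribution:
    """Responds like the auxiliary distribution in the proof: a point queried
    before is answered consistently with the earlier <x, y> pair, anything
    else gets a fresh uniform value in {0,1}^{2n}. Nothing forces the answers
    to form a permutation, so the transcript may become inconsistent."""

    def __init__(self, block_bits: int, rng=None):
        self.size = 1 << block_bits
        self.rng = rng if rng is not None else random.Random(0)
        self.transcript = []  # (x, y) pairs in query order

    def _lookup(self, value, index):
        # earlier pair whose x (index 0) or y (index 1) equals value, if any
        for pair in self.transcript:
            if pair[index] == value:
                return pair
        return None

    def evaluate(self, x: int) -> int:  # query F(x)
        pair = self._lookup(x, 0)
        y = pair[1] if pair else self.rng.randrange(self.size)
        self.transcript.append((x, y))
        return y

    def invert(self, y: int) -> int:  # query F^{-1}(y)
        pair = self._lookup(y, 1)
        x = pair[0] if pair else self.rng.randrange(self.size)
        self.transcript.append((x, y))
        return x


def is_consistent(transcript) -> bool:
    """A transcript is consistent iff its pairs define a partial 1-1 map."""
    fwd, bwd = {}, {}
    for x, y in transcript:
        if fwd.setdefault(x, y) != y or bwd.setdefault(y, x) != x:
            return False
    return True


def estimate_inconsistent(block_bits: int, q: int, trials: int, seed: int = 0):
    """Fraction of trials in which q forward queries on distinct random points
    give an inconsistent transcript, returned next to the bound q^2 / 2^{2n}.
    Only a y collision can make such a transcript inconsistent: birthday."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        oracle = ThirdDistribution(block_bits, rng)
        for x in rng.sample(range(1 << block_bits), q):
            oracle.evaluate(x)
        bad += not is_consistent(oracle.transcript)
    return bad / trials, q * q / (1 << block_bits)
```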
The BAD Event
• Thought experiment: choose the functions $(h_1, h_2)$ also for process $\tilde P$
  – They serve no purpose there
• If $T = (X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$ is consistent, we say that it is BAD for functions $(h_1, h_2)$ if there exist $j \ne i$ such that either
  – $h_1(x_i)$ collides with the right half of $h_1(x_j)$
  – $h_2(y_i)$ collides with the left half of $h_2(y_j)$
• BAD event: either T is inconsistent or T is BAD for $(h_1, h_2)$
• Claim: $\Pr_{\tilde P}[\text{BAD}] \le q^2/2^n + q^2/2^{2n}$
Key Lemma
Lemma: For any adversary A, for any possible value $V = (X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$:
$\Pr_{\tilde P}[T = V \text{ and not BAD}] = \Pr_{(1)}[T = V \text{ and not BAD}]$
Concluding the Proof
• By summing the Key Lemma over all transcripts: $\Pr_{\tilde P}[\text{not BAD}] = \Pr_{(1)}[\text{not BAD}]$; this implies $\Pr_{\tilde P}[\text{BAD}] = \Pr_{(1)}[\text{BAD}]$
• By summing the Key Lemma over all transcripts for which A outputs '1':
  $\Pr_{\tilde P}[A \text{ outputs '1' and not BAD}] = \Pr_{(1)}[A \text{ outputs '1' and not BAD}]$
• Hence:
  $\left|\Pr_{\tilde P}[A \text{ outputs '1'}] - \Pr_{(1)}[A \text{ outputs '1'}]\right| \le \Pr_{\tilde P}[\text{BAD}] \le q^2/2^n + q^2/2^{2n}$
• By the "inconsistent" Claim, $\tilde P$ and P(n) are close, and we are done
k-wise Independent Permutations
• Simple constructions exist for k-wise independent functions
  – For instance, a random polynomial of degree k-1
• No equivalent ones are known for k-wise independent permutations
• In the 4 Feistel permutation construction, if the two middle functions are k-wise independent
  – the Security Theorem implies that the result is $q^2/2^n$ close to a k-wise independent permutation
• T. Gowers: alternative construction of approximate k-wise independent permutations
Other Constructions
• Generalized Feistel permutations
• Generalized construction of pseudo-random permutations:
  – The first and last rounds as before
  – The two middle Feistel permutations are replaced with t generalized Feistel permutations
  – The distinguishing probability is roughly $q^2/2^{2(1-1/t)n}$
• Construction of long pseudo-random permutations from short ones:
  – First and last round combinatorial
  – In the middle, independent applications of the short pseudo-random permutations
Encryption Using Pseudo-Random Permutations
• Sender and receiver share a secret key $S \in_R \{0,1\}^k$
• S defines a function $F_S \in \Phi_k$
• What is wrong with encrypting X with $F_S(X)$?
Definition of the Security of Encryption
• Several settings
  – Shared key vs. public key
  – How active is the adversary
• Sender and receiver want to prevent Eve from learning anything about the message
• Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides
Information Theoretic Setting
• If Eve has some knowledge of m, it should remain the same:
  – Probability of guessing m (min-entropy of m)
  – Probability of guessing whether m is $m_0$ or $m_1$
  – Probability of computing some function f of m
• Ideally: the message sent is independent of the message m
  – Implies all the above
• Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m
  – If there is no special knowledge about m, then |m|
To Specify Security of Encryption
• The power of the adversary
  – Computational: probabilistic polynomial time machine (PPTM)
  – Access to the system: can it change the messages?
• What constitutes a failure of the system, i.e. what it means to break the system
  – Reading a message
  – Forging a message?
Computational Security of Encryption: Indistinguishability of Encryptions
Indistinguishability of encrypted strings:
• Adversary A chooses $X_0, X_1 \in \{0,1\}^n$
• receives the encryption of $X_b$ for $b \in_R \{0,1\}$
• has to decide whether $b = 0$ or $b = 1$
For every pptm A choosing a pair $X_0, X_1 \in \{0,1\}^n$:
$\left|\Pr[A = \text{'1'} \mid b = 1] - \Pr[A = \text{'1'} \mid b = 0]\right|$ is negligible.
Probability is over the choice of keys, the randomization in the encryption and A's coins.
In other words: the encryptions of $X_0, X_1$ are indistinguishable.
Quantification is over the choice of $X_0, X_1 \in \{0,1\}^n$.
Computational Security of Encryption: Semantic Security
Whatever adversary A can compute on an encrypted string $X \in \{0,1\}^n$, so can an A' that does not see the encryption of X yet simulates A's knowledge with respect to X.
A selects:
• A distribution $D_n$ on $\{0,1\}^n$
• A relation R(X, Y), computable in probabilistic polynomial time
For every pptm A choosing a distribution $D_n$ on $\{0,1\}^n$ there is a pptm A' so that for all pptm relations R, for $X \in_R D_n$,
$\left|\Pr[R(X, A(E(X)))] - \Pr[R(X, A'())]\right|$ is negligible.
In other words: the outputs of A and A' are indistinguishable even for a test that is aware of X.
Note: this presentation of semantic security is non-standard (but equivalent).
References
• Blum-Micali: SIAM J. Computing, 1984
• Yao
• Blum, Blum, Shub: SIAM J. Computing, 1988
• Goldreich, Goldwasser and Micali: J. of the ACM, 1986
• Luby-Rackoff: SIAM J. Computing, 1988
• Naor-Reingold: Journal of Cryptology, 1999
References (continued)
• O. Goldreich, The Foundations of Cryptography, www.wisdom.weizmann.ac.il/~oded/foc-book.html
• M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press.
• S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html