Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes

Dec 20, 2015

Transcript
Page 1: Lecturer: Moni Naor Foundations of Cryptography Lecture 11: Security of Encryption Schemes.

Page 2:

Recap of last week's lecture
• Pseudo-random permutations: constructions
• Notions of security:
  – Indistinguishability of encryptions
  – Semantic security
• Equivalence of the two notions
• Public-key cryptosystems

Page 3:

The world so far
(Diagram: one-way functions at the base; from them pseudo-random generators, UOWHFs, signature schemes, two-guards identification, pseudo-random functions and pseudo-random permutations; the assumption P ≠ NP underlies all of it.)

Will soon see:
• Computational pseudorandomness
• Shared-key encryption and authentication

Page 4:

Open Problems
• Construct small-domain pseudo-random permutations
  – with good security reductions
• Construct a cryptosystem that remains secure when encrypting its own key

Page 5:

Encryption Using Pseudo-Random Permutations
• Sender and receiver share a secret key S ∈_R {0,1}^k
• S defines a (pseudo-random) permutation F_S: {0,1}^k → {0,1}^k
• What is wrong with encrypting X as F_S(X)? The encryption is deterministic: two encryptions of the same X are identical, so an adversary that chooses X_0 ≠ X_1 and has already obtained an encryption of X_0 can tell which of the two the challenge encrypts. Such a scheme fails the indistinguishability definition on the following pages.

Page 6:

Definition of the Security of Encryption
• Several settings
  – Shared key vs. public key
  – How active is the adversary
• Sender and receiver want to prevent Eve from learning anything about the message
• Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides

Information-Theoretic Setting
• Whatever knowledge Eve has about m before seeing the ciphertext should remain the same afterwards:
  – Probability of guessing m (the min-entropy of m)
  – Probability of guessing whether m is m_0 or m_1
  – Probability of computing some function f of m
• Ideally: the ciphertext sent is independent of the message m
  – Implies all of the above
• Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m
• If there is no special knowledge about m, then |m| shared bits are needed, and they may be used once! (the one-time pad)

Page 7:

To specify security of encryption
• The power of the adversary
  – Computational: a probabilistic polynomial-time machine (PPTM)
  – Access to the system: can it obtain encryptions? Can it change the messages?
• What constitutes a failure of the system, i.e. what it means to break the system
  – Reading a message
  – Forging a message?

Page 8:

Computational Security of Encryption: Indistinguishability of Encryptions

Indistinguishability of encrypted strings:
• Adversary A chooses X_0, X_1 ∈ {0,1}^n
• receives an encryption of X_b for b ∈_R {0,1}
• has to decide whether b = 0 or b = 1.

For every PPTM A choosing a pair X_0, X_1 ∈ {0,1}^n,

  | Pr[A outputs '1' | b = 1] − Pr[A outputs '1' | b = 0] |  is negligible.

The probability is over the choice of keys, the randomization in the encryption and A's coins.

In other words: the encryptions of X_0 and X_1 are indistinguishable.

Note the quantification: it is over A's own choice of the pair X_0, X_1 ∈ {0,1}^n.

Page 9:

Computational Security of Encryption: Semantic Security

Whatever adversary A can compute about an encrypted string X ∈ {0,1}^n, so can an A' that does not see the encryption of X, yet simulates A's knowledge with respect to X.

A selects:
• a distribution D_n on {0,1}^n
• a relation R(X,Y), computable in probabilistic polynomial time

For every PPTM A choosing a distribution D_n on {0,1}^n there is a PPTM A' so that for every PPT relation R, for X ∈_R D_n,

  | Pr[R(X, A(E(X)))] − Pr[R(X, A'())] |  is negligible.

In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.

Note: this presentation of semantic security is non-standard (but equivalent).

Page 10:

(Figure: on the left, A receives E(X) for X ∈_R D_n and outputs Y, which is tested by R(X,Y); on the right, A' receives nothing, outputs Y, and is tested by the same R(X,Y). The two success probabilities should be approximately equal.)

Page 11:

What is a public-key encryption scheme
• Allows Alice to publish a public key K_P while keeping hidden a secret key K_S
  Key generation: G: {0,1}* → {0,1}* × {0,1}*, outputting K_P (public) and K_S (secret)
• "Anyone" who is given K_P and m can encrypt it
  Encryption: a method E: {0,1}* × {0,1}* × {0,1}* → {0,1}* taking public key K_P, message (plaintext) m and random coins r, and outputting an encrypted message (ciphertext)
• Given a ciphertext and the secret key it is possible to decrypt it
  Decryption: a method D: {0,1}* × {0,1}* × {0,1}* → {0,1}* taking secret key K_S, public key K_P and ciphertext c, and outputting a plaintext m. Require D(K_S, K_P, E(K_P, m, r)) = m

Page 12:

Equivalence of Semantic Security and Indistinguishability of Encryptions
• Would like to argue their equivalence
• Must define the attack
  – Otherwise cannot fully talk about an attack
• Chosen-plaintext attacks
  – Adversary can obtain the encryption of any message it wishes
  – In an adaptive manner
  – Certainly feasible in a public-key setting: the minimal attack that makes sense there
  – What about shared-key encryption? (There the attacker has to be given explicit access to the encryption device.)
• More severe attacks
  – Chosen ciphertext

Encryption process must be probabilistic! (Otherwise a chosen-plaintext attacker simply re-encrypts X_0 and X_1 and compares the results with the challenge.)

Page 13:

Security of public-key cryptosystems: exact timing
• Adversary A gets the public key K_P
• Then A can mount an adaptive attack
  – No need for further interaction, since it can do all the encryptions on its own
• Then A chooses
  – In semantic security: the distribution D_n and the relation R
  – In indistinguishability of encryptions: the pair X_0, X_1 ∈ {0,1}^n
• Then A is given the test
  – In semantic security: E(K_P, X, r) for X ∈_R D_n and r ∈_R {0,1}^m
  – In indistinguishability of encryptions: E(K_P, X_b, r) for b ∈_R {0,1} and r ∈_R {0,1}^m

Page 14:

The Equivalence Theorem
• For adaptive chosen-plaintext attack in a public-key setting, a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property

Page 15:

Equivalence Proof
If a scheme has the indistinguishability property, then it is semantically secure:
• Suppose not, and A chooses
  – some distribution D_n
  – some relation R
• Choose X_0, X_1 ∈_R D_n and run A twice, on
  – C_0 = E(K_P, X_0, r_0); call the output Y_0
  – C_1 = E(K_P, X_1, r_1); call the output Y_1
• For X_0, X_1 ∈_R D_n let
  – p_0 = Prob[R(X_0, Y_0)]
  – p_1 = Prob[R(X_0, Y_1)]
• If |p_0 − p_1| is not negligible: can distinguish between an encryption of X_0 and one of X_1 (run A on the challenge, output R(X_0, Y); R is efficiently computable and X_0 is known to the distinguisher)
  – Contradicting the indistinguishability property
• If |p_0 − p_1| is negligible: can run A' with no access to the real ciphertext
  – sample X' ∈_R D_n and C' = E(K_P, X', r)
  – Run A on C' and output Y'

Here we use the power to generate encryptions (A' holds K_P).

Page 16:

Equivalence Proof (continued), the case |p_0 − p_1| not negligible:
• p_0 = Prob[R(X_0, Y_0)], p_1 = Prob[R(X_0, Y_1)]
• If |p_0 − p_1| is not negligible: can distinguish between an encryption of X_0 and one of X_1
  – Contradicting the indistinguishability property
(Figure: the distinguisher feeds the challenge E(X_b) to A, takes A's output Y and evaluates R(X_0, Y).)

Page 17:

Equivalence Proof (continued), the case |p_0 − p_1| negligible:
• p_0 = Prob[R(X_0, Y_0)], p_1 = Prob[R(X_0, Y_1)]
• If |p_0 − p_1| is negligible: can run A' with no access to the real ciphertext
  – sample X' ∈_R D_n and C' = E(K_P, X', r)
  – Run A on C' and output Y'
(Figure: above, the real A gets E(X) and outputs Y, tested by R(X,Y); below, A' samples its own X', runs A on E(X') and outputs A's answer Y', tested by the same R(X,Y').)

Page 18:

Equivalence Proof (continued)
If a scheme is semantically secure, then it has the indistinguishability of encryptions property:
• Suppose not, and A chooses
  – a pair X_0, X_1 ∈ {0,1}^n
  – for which it can distinguish with advantage ε
• Choose
  – Distribution D_n = uniform on {X_0, X_1}
  – Relation R which is "equality with X"
• For any A' that does not get C = E(K_P, X, r) and outputs Y',
    Prob_{A'}[R(X, Y')] = 1/2 at best
  Even if A' is computationally unbounded
• By simulating A and outputting Y = X_b for A's guess b ∈ {0,1},
    Prob_A[R(X, Y)] ≥ 1/2 + ε

Page 19:

Similar setting
• The same proof works for the shared-key case with adaptive chosen-plaintext attack
  – Need to give the attacker (explicit) access to the encryption device
• "Standard" definition of semantic security:
  – Instead of A trying to find Y such that R(X,Y), A tries to find Y such that Y = f(X)
  – f is any function (not necessarily polynomial-time computable)
  – In spite of the difference, equivalent to our definition

Page 20:

What happens if...
• There is extra information about X:
  – Both A and A' get h(X) for some polynomial-time computable function h
  – h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key

Page 21:

When is each definition useful
• Semantic security seems to convey that the message is protected
  – Not the strongest possible definition
• Easier to prove indistinguishability of encryptions

Page 22:

Concatenations
• If (G,E,D) is a semantically secure cryptosystem, then an adversary A that
  – chooses X_0, X_1 ∈ {0,1}^n
  – receives k independent encryptions of X_b for b ∈_R {0,1}
  – has to decide whether b = 0 or b = 1
  cannot have non-negligible advantage
• Proof: hybrid argument

Independent keys or independent randomness? Both versions hold.

Page 23:

Concatenation
• Let A be an adversary that selects:
  – a distribution D_n on {0,1}^n
  – a relation R computable in probabilistic polynomial time
• Let X_1, X_2, ..., X_k ∈_R D_n
• Suppose that A receives E(X_1), E(X_2), ..., E(X_k)
• Computes Y and hopes that R(X_1, X_2, ..., X_k, Y)

Homework: prove that for any A there is an A' with similar probability of success

Page 24:

Trapdoor One-way Permutations
A collection of functions with three probabilistic polynomial-time algorithms:
• Key generation: on input n, the security parameter, and random bits, generates two keys K_P (public) and K_S (secret) and a domain D (could be {0,1}^n)
• Forward computation: each K_P defines a permutation f(K_P, ·) on D. Given K_P and x it is easy to compute f(K_P, x)
  Hard to invert: for any PPT A given y = f(K_P, x) for a random K_P (generated as above) and x ∈_R D, the probability that A finds x is negligible
• Backward computation: given K_S it is easy to invert f(K_P, ·): there is an algorithm that given K_P (public), K_S (secret) and y = f(K_P, x) finds x

Page 25:

Encryption from a trapdoor permutation
• Key generation: K_P (public) and K_S (secret) are the keys of the trapdoor permutation; write f_P for f(K_P, ·) and f_P^(i) for its i-fold iterate
• Encryption: to encrypt a message m ∈ {0,1}^k
  – select x ∈_R {0,1}^n and r ∈_R {0,1}^n
  – compute g(x) = ⟨x, r⟩, ⟨f_P(x), r⟩, ⟨f_P^(2)(x), r⟩, ..., ⟨f_P^(k−1)(x), r⟩, where ⟨·, r⟩ is the inner product mod 2 (the Goldreich-Levin hard-core bit)
  – send m XORed with g(x), together with y = f_P^(k)(x) and r:  (g(x) ⊕ m, f_P^(k)(x), r)
• Decryption: given (c, y, r)
  – extract x = f_P^(−k)(y) using K_S
  – compute g(x) using r
  – extract m by XORing c with g(x)

Page 26:

Security of construction
Claim: given y = f_P^(k)(x) and r, the string
  g(x) = ⟨x, r⟩, ⟨f_P(x), r⟩, ⟨f_P^(2)(x), r⟩, ..., ⟨f_P^(k−1)(x), r⟩
is indistinguishable from random.
Proof: it is a pseudo-random generator (iterate the one-way permutation f_P and output a hard-core bit at each step).

Pseudo-randomness implies indistinguishability of encryption

Page 27:

(Figure: the reduction A' from the pseudo-randomness of g to the indistinguishability of the encryption.)
• A' is given input (z, y, r) and wants to decide whether z = g(x) for the x with f_P^(k)(x) = y, or z is random
• Run A to get {m_0, m_1}
• Choose b ∈_R {0,1} and compute E(m_b) = (z ⊕ m_b, y, r); hand it to A, which answers b'
• If b' = b output "pseudo-random"

Page 28:

Example
• Blum-Goldwasser cryptosystem
  – Based on the Blum, Blum, Shub pseudo-random generator
  – The permutation defined by N = P · Q, where P, Q ≡ 3 (mod 4):
      f_N(x) = x^2 mod N
    for x ∈ Z_N^* a quadratic residue (squaring is a permutation of the quadratic residues mod N)
  – Known: the least significant bit(s) of x is hard-core for f_N, i.e. hard to predict from x^2 mod N, if factoring N is hard

Page 29:

Blum-Goldwasser Encryption
• Key generation: N is the public key and (P, Q) the secret key
• Encryption: to encrypt a message m ∈ {0,1}^k
  – select x ∈_R QR_N, the quadratic residues mod N (e.g. square a random element of Z_N^*; a non-residue x is not recovered by the decryption below)
  – compute the sequence x, x^2, x^4, ..., x^(2^i), ..., x^(2^(k−1)) mod N and let g(x) be the lsb's of the sequence
  – send m XORed with g(x) together with y = x^(2^k) mod N:  (g(x) ⊕ m, x^(2^k) mod N)
• Decryption: given (c, y)
  – extract x = y^d mod N
  – compute g(x)
  – extract m by XORing c with g(x)

Here d = 2^(−k) mod |QR_N|, where |QR_N| = (P−1)(Q−1)/4 = φ(N)/4 is the order of the group of quadratic residues. For P, Q ≡ 3 (mod 4) this order is odd, so 2 is invertible modulo it; note that 2 is not invertible modulo φ(N) = (P−1)(Q−1) itself. Recovering x is a single exponentiation!

Page 30:

Security
Theorem: the Blum-Goldwasser cryptosystem is semantically secure against chosen-plaintext attack iff factoring (Blum integers N = PQ) is hard
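The scheme of page 29, as an added worked example that is not part of the lecture: it runs Blum-Goldwasser on a toy Blum integer, recovers x with the single exponentiation y^d for d = 2^(-k) modulo the odd order (P-1)(Q-1)/4 of the quadratic residues, and shows why x has to be a residue. The primes 1019 and 1051 are an assumption chosen only to keep the arithmetic visible; they are far too small for any real use.

```python
# Added example: Blum-Goldwasser on a toy Blum integer (not the lecture's code).
import secrets

P, Q = 1019, 1051                  # assumed toy primes, both = 3 mod 4
N = P * Q
QR_ORDER = (P - 1) * (Q - 1) // 4  # |QR_N|, odd, so 2 is invertible modulo it


def keygen():
    """Public key N, secret key (P, Q)."""
    return N, (P, Q)


def bbs_pad(x: int, n: int, k: int) -> list:
    """g(x) = lsb(x), lsb(x^2), ..., lsb(x^(2^(k-1))) mod n: the BBS output bits."""
    bits = []
    for _ in range(k):
        bits.append(x & 1)
        x = x * x % n
    return bits


def encrypt(n: int, m: list, x: int = None) -> tuple:
    """m is a list of k bits. By default x is the square of a random element,
    hence a quadratic residue; x can be forced to show what goes wrong otherwise."""
    k = len(m)
    if x is None:
        u = secrets.randbelow(n - 2) + 2
        x = u * u % n
    pad = bbs_pad(x, n, k)
    y = pow(x, 2 ** k, n)                       # x^(2^k) mod N, sent in the clear
    return [mi ^ pi for mi, pi in zip(m, pad)], y


def decrypt(sk: tuple, c: tuple) -> list:
    p, q = sk
    n = p * q
    order = (p - 1) * (q - 1) // 4
    cbits, y = c
    k = len(cbits)
    d = pow(pow(2, k, order), -1, order)        # d = 2^(-k) mod |QR_N|
    x = pow(y, d, n)                            # single exponentiation recovers x
    pad = bbs_pad(x, n, k)
    return [ci ^ pi for ci, pi in zip(cbits, pad)]


def is_residue(x: int) -> bool:
    """Euler's criterion modulo both primes (needs the secret key)."""
    return pow(x, (P - 1) // 2, P) == 1 and pow(x, (Q - 1) // 2, Q) == 1


def nonresidue_breaks_decryption(k: int = 8) -> bool:
    """If x is not a residue, y^d is the residue x' with x'^2 = x^2, not x itself,
    so the first pad bit can differ and the plaintext comes back wrong."""
    n, sk = keygen()
    m = [0] * k
    for x in range(2, n):
        if not is_residue(x) and decrypt(sk, encrypt(n, m, x)) != m:
            return True
    return False
```

The decryption exponent is computed once per key; with the real parameters one would also reduce y modulo P and Q separately and combine with the Chinese remainder theorem, but the single `pow` is the statement on the slide.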

Page 31:

Shared-key encryption
• Sender and receiver share a key s of a pseudo-random function F_s: {0,1}^n → {0,1}^k
• Encryption of a message m ∈ {0,1}^k
  – Choose r ∈_R {0,1}^n
  – Send (F_s(r) ⊕ m, r)
• Decryption of a ciphertext (y, r)
  – Compute m = F_s(r) ⊕ y
• Proof of security: based on the indistinguishability of F_s from a truly random function
  – As long as all the r's are different, the collection of ciphertexts is indistinguishable from random (after q messages two r's coincide with probability about q^2/2^(n+1), the birthday bound, and a repeated r reveals the XOR of the two messages)

Page 32:

Security
Theorem: If F_s is a pseudo-random function then the scheme is semantically secure against chosen-plaintext attack.
Proof: from the equivalent definition of a pseudo-random function in which the last query/challenge is answered either by F_s or by a truly random value.
Need security against random queries only (the adversary never chooses the r's).
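The scheme of pages 31-32 next to the deterministic "encrypt X as F_S(X)" of page 5, as an added example that is not part of the lecture. HMAC-SHA256 stands in for the pseudo-random function F_s (an assumption; the lecture only asks for some PRF). The code plays the chosen-plaintext indistinguishability game of page 8 against both schemes, and shows what a repeated r leaks.

```python
# Added example: (F_s(r) XOR m, r) versus F_S(X), and the IND-CPA game.
import hashlib
import hmac
import secrets

NONCE_BYTES = 16   # |r| = n bits; must not repeat under one key
BLOCK_BYTES = 32   # |m| = k bits, one SHA-256 output


def prf(key: bytes, r: bytes) -> bytes:
    """F_s(r), with HMAC-SHA256 assumed to be a pseudo-random function."""
    return hmac.new(key, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, m: bytes, r: bytes = None) -> tuple:
    """Page 31: choose r at random and send (F_s(r) XOR m, r).
    r is a parameter only so that nonce reuse can be reproduced below."""
    assert len(m) == BLOCK_BYTES
    if r is None:
        r = secrets.token_bytes(NONCE_BYTES)
    return xor(prf(key, r), m), r


def decrypt(key: bytes, ct: tuple) -> bytes:
    y, r = ct
    return xor(prf(key, r), y)


def encrypt_deterministic(key: bytes, m: bytes) -> bytes:
    """Page 5: 'encrypt X with F_S(X)'. A PRF output instead of a permutation is
    enough to show the problem, which is determinism, not invertibility."""
    return prf(key, m)


def ind_cpa_game(enc, key: bytes, adversary) -> bool:
    """Indistinguishability of encryptions under chosen-plaintext attack: the
    adversary picks X0, X1, may query enc on anything, and must guess b."""
    oracle = lambda x: enc(key, x)
    x0, x1 = adversary.choose(oracle)
    b = secrets.randbelow(2)
    return adversary.guess(oracle, enc(key, x1 if b else x0)) == b


class ReplayAdversary:
    """Re-encrypts X0 through the oracle and compares with the challenge."""
    def choose(self, oracle):
        self.x0, self.x1 = b"\x00" * BLOCK_BYTES, b"\xff" * BLOCK_BYTES
        return self.x0, self.x1

    def guess(self, oracle, challenge):
        return 0 if oracle(self.x0) == challenge else 1


def deterministic_scheme_is_broken(trials: int = 50) -> bool:
    """The replay adversary wins every game against F_S(X)."""
    key = secrets.token_bytes(32)
    return all(ind_cpa_game(encrypt_deterministic, key, ReplayAdversary())
               for _ in range(trials))


def randomized_scheme_win_rate(trials: int = 200) -> float:
    """Against (F_s(r) XOR m, r) the same adversary is at 1/2: a fresh r makes
    the oracle's answer useless for comparing with the challenge."""
    key = secrets.token_bytes(32)
    wins = sum(ind_cpa_game(encrypt, key, ReplayAdversary()) for _ in range(trials))
    return wins / trials


def nonce_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """With the same r twice, XORing the ciphertexts cancels F_s(r) and leaves
    m1 XOR m2: the 'all r's different' condition of page 31 is essential."""
    r = secrets.token_bytes(NONCE_BYTES)
    (y1, _), (y2, _) = encrypt(key, m1, r), encrypt(key, m2, r)
    return xor(y1, y2)
```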

Page 33:

Discrete Log Problem
• Let G be a group and g an element in G.
• Let y = g^x, with x the minimal non-negative integer satisfying the equation. x is called the discrete log of y to base g.
• Example: y = g^x mod p in the multiplicative group of Z_p
• In general: easy to exponentiate via repeated squaring
  – Consider the binary representation of x
• What about discrete log?
  – If difficult, f(g, x) = (g, g^x) is a one-way function

DL Assumption for group G (g of order n):
• No efficient algorithm can solve, for x ∈_R [0..n−1], the DL problem for y = g^x, except with negligible probability

Page 34:

Discrete Log Problem
Very useful group for DL:
• P and Q: large primes, s.t. Q | P−1
• g: an element of order Q in Z_P^*
Best known algorithms:
  – √Q (generic algorithms such as baby-step giant-step or Pollard's rho), or
  – subexponential in log P (index calculus)
Randomized reduction (random self-reducibility): given y, generate y' = y · g^r for r ∈_R [Q]; then log_g y' = log_g y + r mod Q, so an algorithm that succeeds on a noticeable fraction of instances succeeds on every instance

Page 35:

Diffie-Hellman: the Diffie-Hellman assumption
Let G be a group and g an element in G. Given g, X = g^a and Y = g^b it is hard to find Z = g^ab:
for random a and b, the probability of a poly-time machine outputting g^ab is negligible.
More accurately: stated for a sequence of groups, one per security parameter.
Don't know how to verify whether a given Z' is equal to g^ab (that is the decisional question on the next page)

Page 36:

Decisional Diffie-Hellman Problem
For generator g and a, b ∈ [Q]:
Given g, Y = g^a, X = g^b and Z, decide whether Z = g^ab or Z ≠ g^ab.
Equivalent: is log_g Y = log_X Z?
DDH-Assumption:
• The DDH-Problem is hard in the worst case.

Page 37:

Average DDH
For a, b ∈_R [Q] and c which is either
  – c = ab mod Q, or
  – c ∈_R [Q]
given Y = g^a, X = g^b and Z = g^c, decide whether Z = g^ab or Z ≠ g^ab.
DDH-Assumption, average case:
• The DDH-Problem is hard for the above distribution

Page 38:

Worst-to-average case reduction
Theorem: the average-case and worst-case DDH assumptions are equivalent.
• Given g^a, g^b and g^c (and P, Q)
• Sample r, s_1, s_2 ∈_R [Q]
• compute
    g^a' = (g^a)^r · g^s_1
    g^b' = g^b · g^s_2
    g^c' = (g^c)^r · (g^a)^(r s_2) · (g^b)^s_1 · g^(s_1 s_2)
  so that
    a' = r a + s_1 mod Q
    b' = b + s_2 mod Q
    a'b' = r a b + r a s_2 + b s_1 + s_1 s_2 mod Q
• c is either ab or not

Page 39:

...Worst to average
If c = ab + e mod Q then
  – a' = r a + s_1 mod Q
  – b' = b + s_2 mod Q
  – c' = r c + r a s_2 + b s_1 + s_1 s_2 = a'b' + e·r mod Q
• Always: a' and b' are uniformly distributed (s_1 and s_2 are uniform and independent).
• If e = 0, then c' = a'b'.
• Otherwise c' = a'b' + e·r is uniform in [Q] and independent of (a', b'): e ≠ 0 is invertible mod the prime Q, r is uniform, and s_1 hides r in a'.

Page 40:

Evidence for the validity of DDH
• Has endured extensive research on DH search
  – DH search is related to discrete log
• Hard for generic algorithms (those that work in a black-box group)
• Computing the most significant bits of g^ab is hard
• Random self-reducibility

Page 41:

El Gamal Cryptosystem variant:
• Private key a ∈_R [Q]
• Public key Y = g^a, together with P, Q and h
• To encrypt M:
  – choose r ∈_R [Q], compute X = g^r and Y^r
  – send ⟨X, h(Y^r) ⊕ M⟩
• To decrypt ⟨X, W⟩:
  – compute X^a = Y^r and
  – output h(X^a) ⊕ W

How is h chosen? h maps the subgroup of size Q of Z_P^* to {0,1}^k. Pair-wise independence suffices: under DDH, Y^r looks like a random subgroup element, and a pairwise-independent hash of a random element is close to uniform on {0,1}^k.

Page 42:

El Gamal Security
Under the DDH assumption the cryptosystem is semantically secure against chosen-plaintext attack, but...
• Scheme is malleable
  – To change M to M' = M ⊕ C: change ⟨X, W⟩ to ⟨X, W ⊕ C⟩ (the pad h(Y^r) is untouched, so the result decrypts to M ⊕ C)

Page 43:

Open Problems
• How to get a good encryption scheme with something weaker than a fully blown pseudo-random function

Page 44:

From single bit to many bits
• If there is an encryption scheme that can hide E(K_P, 0, r) from E(K_P, 1, r), then one can construct a full-blown semantically secure cryptosystem by concatenation (for messages of any length)
• Each bit of the message m ∈ {0,1}^k is encrypted separately (with independent randomness)
• Proof: a hybrid argument
  – Using the definition of indistinguishability of encryption
  – Suppose the adversary chooses X_0, X_1 ∈ {0,1}^k
  – Let:
    • D_0 be the distribution on encryptions of X_0
    • D_k be the distribution on encryptions of X_1
    • D_i be the distribution where the first i bits are from X_1 and the last k−i bits are from X_0
• Example: quadratic residues mod N (the Goldwasser-Micali cryptosystem)
Difference with the concatenation of page 22: there each piece is a whole message, here each one is a bit
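The hybrid step of the proof above, written out as an added derivation that is not on the slide. For a distinguisher $A$ with advantage $\varepsilon$ on $(D_0, D_k)$ let $p_i = \Pr[A(D_i) = 1]$. By the triangle inequality,
$$
\varepsilon \le |p_0 - p_k| \le \sum_{i=0}^{k-1} |p_i - p_{i+1}|,
$$
so some index $i$ has $|p_i - p_{i+1}| \ge \varepsilon/k$. $D_i$ and $D_{i+1}$ differ only in position $i+1$, which carries an encryption of the $(i+1)$-st bit of $X_0$ in $D_i$ and of the $(i+1)$-st bit of $X_1$ in $D_{i+1}$ (if these two bits agree the distributions coincide and the gap is $0$). The other $k-1$ bit-encryptions use independent randomness and only the public key, so a single-bit distinguisher can generate them itself, embed its own challenge at position $i+1$, and run $A$; it inherits advantage at least $\varepsilon/k$, which is non-negligible whenever $\varepsilon$ is, since $k$ is polynomial.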

Page 45:

One-way encryption is sufficient for semantic security against chosen-plaintext attack
Call an encryption scheme one-way if given c = E(K_P, m, s) for random m and s it is hard to find m. This is the weakest form of security one can expect from a "self-respecting" cryptosystem.

Can construct a single-bit indistinguishable scheme from it:
• To encrypt a bit b ∈ {0,1}:
  – choose random x, s and r
  – send (c, r, b') where
    • c = E(K_P, x, s)
    • b' = ⟨x, r⟩ ⊕ b
Security: from the Goldreich-Levin reconstruction algorithm (a predictor of ⟨x, r⟩ from (c, r) yields an algorithm that recovers x from c, contradicting one-wayness)

Page 46:

Examples of public-key cryptosystems
• Factoring related: RSA, Rabin
• Discrete-log related:
  – Diffie-Hellman (El Gamal)
  – Various groups
• Early knapsack and codes (late 1970's)
  – Merkle-Hellman
  – McEliece: probabilistic cryptosystem
• Modern lattice based
  – Ajtai-Dwork: only one for which a worst-case to average-case hardness reduction is known
  – Goldreich, Goldwasser and Halevi
  – Regev's
  – NTRU

Page 47:

Further Issues
• What about errors in decryption?
• Is this the ultimate definition?
  – Does it capture all the ways in which encryption is used?

Page 48:

Example: Interactive Authentication
P wants to convince V that he is approving message m. P has a public key K_P of an encryption scheme E.
To authenticate a message m:
• V → P: Choose r ∈_R {0,1}^n. Send c = E(m ∘ r, K_P), the encryption of m concatenated with r
• P → V: Receiving c, decrypt c using K_S. Verify that the prefix of the plaintext is m. If yes, send r.
V is satisfied if he receives the same r he chose.

Page 49:

Is it Safe?
• Definition of security: existential unforgeability against adaptive chosen-message attack
  – Adversary can ask to authenticate any sequence of messages m_1, m_2, ...
  – Has to succeed in making V accept a message m that was not authenticated
  – Has complete control over the channels
• Intuition of security: if E does not leak information about the plaintext, nothing is leaked about r
• Several problems if E is "just" semantically secure against chosen-plaintext attacks:
  – Adversary might change c = E(m ∘ r, K_P) into c' = E(m' ∘ r, K_P)
    • Malleability: P then sees a message m' it is willing to approve, releases r, and the adversary forwards r to V as an authentication of m
    • Not sufficient to verify the correct form of the ciphertext in the simulation
  – Closer to a chosen-ciphertext attack
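The El Gamal variant of page 41, its malleability from page 42, and the attack that malleability enables on the interactive authentication protocol of pages 48-49, as an added example that is not part of the lecture. The group (P = 10007, Q = 5003, g = 4), the byte-wise encoding of messages and the concrete hash family h_{α,β}(z) = ((α·z + β) mod P) mod 256 are assumptions made to keep the toy runnable; none of them is sized for real use.

```python
# Added example: hashed El Gamal, XOR-malleability, and the authentication
# attack of page 49 (not the lecture's code).
import secrets

P, Q, G = 10007, 5003, 4   # assumed toy group; g generates the subgroup of order Q


def keygen():
    """Private key a; public key Y = g^a plus the coefficients of h."""
    a = secrets.randbelow(Q - 1) + 1
    alpha, beta = secrets.randbelow(P - 1) + 1, secrets.randbelow(P)
    return a, (pow(G, a, P), alpha, beta)


def h(pk, z: int) -> int:
    """Pairwise-independent-style map from the subgroup to one byte (assumed)."""
    _, alpha, beta = pk
    return ((alpha * z + beta) % P) & 0xFF


def encrypt(pk, msg: bytes) -> list:
    """Page 41, one byte M per block: <X, h(Y^r) XOR M> with a fresh r each."""
    y = pk[0]
    out = []
    for m in msg:
        r = secrets.randbelow(Q - 1) + 1
        out.append((pow(G, r, P), h(pk, pow(y, r, P)) ^ m))
    return out


def decrypt(a: int, pk, ct: list) -> bytes:
    """X^a = Y^r, so h(X^a) is the pad."""
    return bytes(h(pk, pow(x, a, P)) ^ w for x, w in ct)


def maul(ct: list, delta: bytes) -> list:
    """Page 42: M -> M XOR C by replacing W with W XOR C; no key is needed."""
    delta = delta + bytes(len(ct) - len(delta))
    return [(x, w ^ c) for (x, w), c in zip(ct, delta)]


def attack_authentication(approved: bytes, forged: bytes, nonce_len: int = 4) -> bool:
    """Pages 48-49. V wants `forged` authenticated; P only ever approves
    `approved`. The adversary turns V's E(forged || r) into E(approved || r),
    P releases r, and V accepts `forged` although P never saw it."""
    assert len(approved) == len(forged)
    a, pk = keygen()
    r = secrets.token_bytes(nonce_len)
    c = encrypt(pk, forged + r)                            # V -> (adversary)
    delta = bytes(x ^ y for x, y in zip(forged, approved))
    c_prime = maul(c, delta)                               # adversary -> P
    plaintext = decrypt(a, pk, c_prime)                    # P decrypts
    if plaintext[:len(approved)] != approved:              # P's prefix check
        return False
    released = plaintext[len(approved):]                   # P -> adversary -> V
    return released == r                                   # V accepts `forged`
```

The fix the slide points toward is a scheme where a modified ciphertext decrypts to garbage rather than to a related plaintext, which is what chosen-ciphertext security buys.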

Page 50:

Sources
• Goldwasser-Micali: Probabilistic Encryption, Journal of Computer and System Sciences, 1984.
• Goldreich's Foundations of Cryptography, volume 2