CS 6903 Modern Cryptography February 14th, Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala

Transcription

1 CS 6903 Modern Cryptography February 14th, 2008 Lecture 4: Instructor: Nitesh Saxena Scribe: Neil Stewart, Chaya Pradip Vavilala Definition 1 (Indistinguishability (IND-G)) IND-G is a notion that was defined to prove that IND OW. Recall that Indistinguishability(IND) is a notion which says that it should be infeasible for an adversary to differentiate ciphertexts of two different messages. Formally, the notion of security against (IND-G) is defined using the following experiment between a computationally bounded adversay A and a challenger possessing a shared key K. Exp IND G (A) where A is the adversary, is Symmetric Key Encryption and IND G is Indistinguishable guess. The adversarial game is shown below in Figure 1: Figure 1: Exp IND G (A) Notice that unlike IND the notion of IND-G does not rely on the the existence of a preinitialized world. 1. The adversay A chooses two messages m 0,m 1 from the message space M at random and sends them to the challenger. 4-1

2 2. The challenger randomly chooses a bit b {0, 1}, and sends ciphertext C= Enc(K, m b ) to the adversary. 3. The adversary performs some computation and tries to guess which message was encrypted by selecting b. 4. The outcome of the experiment would return d=1 if b =b or d=0 otherwise. The advantage of A being able to make the right guess for b is given by: Adv IND G (A) = Pr(Exp KR (A) = 1) 1 + ε 2 The advantage for IND-G is not shown as the difference of two probabilities as was the case with IND but as the probability of the experiment returning the correct guess for b. Theorem 1 (IND G OW) If is secure with respect to the IND G notion, then it is also secure against the OW notion. Proof. The theorem is proven by contradiction ( OW IND G) We will show that if an adversary A who can break the OW security notion, then we can construct and adversary B who can break IND G. We first perform an experiment between two adeversaries A,B and the challenger. The adverarial game for this experiment is given below in Figure 2: Figure 2: Exp OW (A) 1. Adversary B chooses two messages m 0, m 1 from the message space M at random and sends them to the challenger. 4-2

3 2. The challenger randomly chooses a bit b {0, 1}, and sends ciphertext C= Enc(K, m b ) to adversary B. 3. Adversary B forwards the ciphertext to adversary A, who tries to determine the message given the ciphertext and returns m to adversary B The experiment returns d=0 if m =m 0 or d=1 if m =m 1. The advantage of the adversary B can be shown to be: Adv IND G (B) = Pr(Exp IND G (B) = 1) =Adv OW (A) ( 1 - AdvOW (A)) We know from Definition 1 that Adv OW(A) 1 + ε, hence 2 Adv OW (A) 2ε It can be said that if there is no adversary who can break OW with a significant probability we cannot construct one who can break IND-G Theorem 2 (M IND) If an is secure with respect to the M notion, then it is also secure with respect to the IND notion. Proof. We prove the theorem by contradiction ( IND M) We will show that if an adversary A who can break the scheme with respect to the IND security notion, then we can construct an adversary B who can break the with respect to M. The adverarial game for this experiment is given below in Figure 3: 1. Adversary A chooses two messages m 0, m 1 and sends them over to adversary B. 2. Adversary B takes these two messages m 0, m 1 from A and sends them to the challenger. 3. The challenger encrypts the message m b where b {0, 1},depending on whether he is in World 1 or World 2 4. The challenger now sends the encrypted cipher c to B. 5. B now simply forwards c to the adversary A. 4-3

4 Figure 3: Construction of M attacker B from a IND attacker A 6. A now does a computation to determine which message,m 0 or m 1, corresponds to the the cipher text C and outputs a bit b where b {0, 1}. 7. Adversary B now checks the bit recieved from A and sets Y=m 1 if d=1 and Y=m 0 if d=0. 8. B now sends a function f and its output Y to the challenger. The advantage of the M adversary B can be shown as: IND M Adv M (B) = Pr(ExpM 1 = Pr(Exp IND 1 Definition 2 (Active Adversary) (B)=1)) - Pr(Exp M 0 (B)=1)) (A)=1)) - Pr(Exp IND 0 (A)=1)) = Adv IND(A) An active adversary is modeled as having access to special oracles called the encryption or decryption oracle. This is a more powerful adversarial model than the passive attackers that were used so far. 4-4

5 Adaptive Chosen Plaintext attack(cpa). This attack assumes the attacker has access to an encryption oracle and that the attacker can choose an arbitrary number of plaintexts to be encrypted and obtain the corresponding ciphertexts. The adversary s strategy is to try and derive partial information by querying the encryption oracle based on the information gained from the preceeding encryptions. This is a very important model in the case of public key cryptography. Chosen ciphertext attack(cca). Contrary to the previous model, the adversary,in these attacks,has access to a decryption oracle and chooses an arbitrary number of ciphertexts to derive the corresponding ciphertext. Adaptive Chosen Ciphertext attack(cca2). This attack is a more interactive version of the previous one, in that, the adversary tries to gain partial information by making queries to the decryption oracle based on the results previous decryptions. Indistinguishability under Chosen-plaintext attack (IND-CPA). A cryptosystem is said to have achieved indistinguishablility under chosen plaintext attack, if a PPT adversary first queries the encryption oracle a reasonable number of times, then chooses two plaintexts for the challenger to encrypt and has only a negligible advantage over random guessing in distinguishing which plaintext belongs to which ciphertext. Indistinguishability under Chosen-ciphertext attack( IND-CCA). A cryptosystem is said to have achieved indistinguishablility under chosen ciphertext attack, if a PPT adversary, first queries the deccryption oracle a reasonable number of times, chooses two plaintexts for the challenger to encrypt and has only a negligible advantage over random guessing in distinguishing which ciphertext belongs to which plaintext. Indistinguishability under Adaptive Chosen-ciphertext attack (IND-CCA2). A cryptosystem is said to have achieved indistinguishablility under adaptive chosen ciphertext attack, if a PPT adversary, first queries the deccryption oracle a reasonable number of times, chooses two plaintext 4-5