Chapter 4: Private Key Cryptography Encryption and Pseudorandomness


Chapter 4: Private Key Cryptography. Encryption and Pseudorandomness. C. Tartary. Encryption and Pseudorandomness p. 1 / 61

Book Reference. This chapter is based on Chapter 3 of the textbook. (p. 2 / 61)


Security Comparison. In cryptography, we have two models of opponents: those with unlimited computational power and those with bounded computational abilities. Perfectly secure schemes: resistant against an unbounded adversary (no information is revealed to the opponent); no mathematical assumption needed for security; long key size (storage issue); each key used only once (refreshment issue). Computationally secure schemes: multiple use of the same key; reasonable key size; security based on unproven mathematical assumptions; weak against computationally unbounded adversaries. (p. 3 / 61)

"Practical" Security. The cryptosystems developed during the modern-cryptography era are designed to be computationally secure (with respect to the power of computers). At first glance, computationally secure schemes seem less attractive than information-theoretically secure constructions. Nonetheless, some assumptions would still require many lifetimes of computation to be broken, even with today's supercomputers; as a consequence, such a level of security is acceptable in practice. Kerckhoffs' principle (2): a cipher must be practically, if not mathematically, indecipherable. A consequence is that one can use a cryptosystem which cannot be broken with "reasonable probability" in "reasonable time" even if it is not perfectly secure. This leads to the notion of practically unbreakable cryptographic primitives. (p. 4 / 61)

Computational Security. The notion of perfect security is relaxed to weaker requirements. In order to achieve computational security, one expects that: security is only preserved against efficient adversaries that run in a feasible amount of time; the adversaries can potentially succeed with some very small probability (small enough that this event never occurs in practice). There are two approaches to formalizing these two requirements: the concrete approach and the asymptotic approach. (p. 5 / 61)


Concrete Approach. In this approach, we quantify the success probability of the attacker as well as the running time of the attack using explicit bounds (an upper bound on the success probability, a lower bound on the running time). The concrete approach is generally modeled by two positive numbers $t$ and $\epsilon$ (where $\epsilon \le 1$) and is expressed as: A scheme is $(t,\epsilon)$-secure if every adversary running in time at most $t$ succeeds in breaking the scheme with probability at most $\epsilon$. This model is useful in practice as $t$ and $\epsilon$ are the values that users of cryptographic primitives are ultimately interested in. Remark 1. In this setting, one must always say "$(t,\epsilon)$-secure" and never "secure" alone, as what counts as secure depends on the purpose of the cryptosystem. The same pair $(t,\epsilon)$ can be considered "secure" for everyday use but not for national-security purposes, for instance. (p. 6 / 61)


Asymptotic Approach. In this approach, we quantify the success probability of the attacker as well as the running time of the attack as functions of a security parameter $n$. When honest parties set up the scheme, they choose the value $n$ (which generally represents the length of the key). This value $n$ is assumed to be known by the adversary when he attacks the scheme (i.e. he knows the length of the keys). Using this parameter-based approach, we represent the notion of an efficient algorithm by probabilistic algorithms running in time polynomial in $n$ (denoted PPT, for Probabilistic Polynomial Time). This means that for some constants $a, c$ the algorithm runs in time $a \cdot n^c$. It is required that the honest parties as well as the adversary run in polynomial time. However, the latter may run much longer (i.e. he may be bounded by a higher-degree polynomial in $n$) than the honest parties. We represent the notion of a small probability of success by success probabilities smaller than any inverse polynomial in $n$. This means that for every constant $c$ the adversary's success probability is smaller than $n^{-c}$ for large enough values of $n$. (p. 7 / 61)

Asymptotic Approach. This asymptotic approach can be summarized as: A scheme is secure if every PPT adversary succeeds in breaking the scheme with only negligible probability in the security parameter. This model only guarantees security for large values of the security parameter. Example 1. Assume that we have a secure scheme where an adversary running for $n^3$ minutes breaks the scheme with probability $2^{40} \cdot 2^{-n} = 2^{40-n}$. When $n \le 40$, the scheme is broken (with probability 1) in about 6 weeks. When $n = 50$, the scheme is broken with probability $2^{-10} \approx 1/1000$ in about 3 months. When $n = 500$, the adversary needs to run for more than 200 years to break the scheme with probability $2^{-460}$. (p. 8 / 61)

Asymptotic Approach. In the previous example, we see that increasing $n$ leads to a better defense against the opponent. So, choosing longer keys is a way to thwart the adversary's attacks. In particular, this can be used to deal with the increase in computational power the enemy gains over time. The asymptotic approach does not depend on any hardware assumption, but it requires an understanding of what the guarantee means in practice (small values of $n$ are bad). In the remainder of this course, we focus on the asymptotic approach exclusively. (p. 9 / 61)

Efficient Computation. Definition 1. An algorithm $A$ is said to run in polynomial time if there exists a polynomial $p(\cdot)$ such that, for every input $x \in \{0,1\}^*$, the computation of $A(x)$ terminates within at most $p(|x|)$ steps. Definition 2. A probabilistic algorithm is one that has access to a source of randomness returning unbiased random bits that are independent from each other and equal to 1 with probability $1/2$. Remark 2. We can compose PPT algorithms together: if $A$ and $A'$ are two PPT algorithms then, when $A$ runs $A'$ as a subroutine, the resulting algorithm $\tilde{A}$ is still a PPT algorithm. Remark 3. The use of randomness is inherent in cryptography. It is required by the honest participants to generate keys. Thus, it is natural to assume that the adversary is probabilistic as well. Remark 4. It is not clear whether or not randomness gives the adversary extra power (from a theoretical point of view). Nonetheless, assuming that the adversary is probabilistic does not weaken the security of the scheme, since a construction secure against probabilistic adversaries is also secure against deterministic ones. (p. 10 / 61)

Generating Randomness. The use of randomness is vital for cryptography. Indeed, if the participants are deterministic then the adversary can obtain their private key simply by running Gen exactly as they do: that algorithm is public by Kerckhoffs' principle. There are different ways to generate randomness (with different levels of success): hardware random number generators, based on some physical phenomenon (electrical noise, radioactive decay, ...); software random number generators, based on human behaviour or system events (hard-drive access times, movements of the mouse, ...). These sources are very unlikely to provide a uniform distribution on their own, and their "randomness" must be demonstrated rather than assumed. For instance, the rand() function of the C standard library is not a cryptographic random number generator: its output is entirely determined by its seed. Thus, one must use a random number generator designed for cryptographic purposes. (p. 11 / 61)
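The point of this slide, as an added example that is not part of the original slides: when Gen draws its "randomness" from a deterministic generator with a low-entropy seed, an attacker who knows Gen (Kerckhoffs) simply re-runs it. The setup here is illustrative and assumed, not taken from the page: the victim derives a key from Python's random module (Mersenne Twister, which is not a cryptographic generator) seeded with the Unix time in seconds, then encrypts with c = k xor m; the attacker holds only the ciphertext and knows roughly when the key was made. The hypothetical helper names (weak_gen, strong_gen, recover_key) are mine.

```python
"""Added example (not from the slides): when Gen is deterministic, the attacker
just re-runs it. Illustrative assumptions: the victim derives the key from
Python's `random` module (Mersenne Twister, not a cryptographic generator)
seeded with the Unix time in seconds, then encrypts with c = k xor m; the
attacker has only the ciphertext and knows roughly when the key was generated."""
import random
import secrets

KEY_BYTES = 32


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_gen(seed_time: int, nbytes: int = KEY_BYTES) -> bytes:
    """Gen as a deterministic function of a low-entropy seed (the clock)."""
    rng = random.Random(seed_time)            # reproducible by anyone holding the seed
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def strong_gen(nbytes: int = KEY_BYTES) -> bytes:
    """Gen drawing from the OS cryptographic RNG (what a real Gen must do)."""
    return secrets.token_bytes(nbytes)


def plausible(m: bytes) -> bool:
    """Ciphertext-only test: a decryption that is all printable ASCII is almost
    surely the right one (a wrong 32-byte key passes with probability ~1e-14)."""
    return all(0x20 <= byte < 0x7F for byte in m)


def recover_key(ciphertext: bytes, now: int, window: int):
    """Kerckhoffs in action: Gen is public, so the attacker re-runs it for every
    seed in a window of `window` seconds (a few thousand trials, not 2^256)."""
    for t in range(now, now - window, -1):
        candidate = weak_gen(t, len(ciphertext))
        if plausible(xor(candidate, ciphertext)):
            return candidate
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000                          # constructed: time the victim ran Gen
    msg = b"meeting moved to 09:00, room 4B."   # constructed 32-byte sample plaintext
    weak_ct = xor(weak_gen(t0, len(msg)), msg)
    strong_ct = xor(strong_gen(len(msg)), msg)
    # attacker only knows the key was generated within +/- 1 hour of t0 + 3600
    print("weak Gen   ->", recover_key(weak_ct, t0 + 3600, 7200))
    print("strong Gen ->", recover_key(strong_ct, t0 + 3600, 7200))
```

With the weak generator the key is recovered after at most 7200 trials; with the OS generator the same search returns None, because the seed space is no longer enumerable.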

Negligibility of Functions. Definition 3 ([Gol01]). A function $f : \mathbb{N} \to \mathbb{R}^+$ is said to be negligible if for every positive polynomial $p(\cdot)$ there exists an integer $N$ such that for all $n > N$ we have $f(n) < 1/p(n)$. This is the formal definition of the notion of "small probability of success" seen before. Remark 5. Two functions $f_1$ and $f_2$ may both be negligible but approach 0 at different rates. Consider $f_1(n) = 2^{-n}$ and $f_2(n) = 2^{-\sqrt{n}}$. We have $f_1(n) < 10^{-6}$ when $n \ge 20$ and $f_2(n) < 10^{-6}$ when $n \ge 400$. (p. 12 / 61)

Negligibility of Functions. Proposition 1. Let $f_1$ and $f_2$ be two negligible functions. Then: $f_1 + f_2$ is also negligible; for any positive polynomial $p$, the function $p \cdot f_1$ is also negligible. The second point of this proposition indicates that if an event occurs with negligible probability then, when the experiment is repeated a polynomial number of times, the probability that it occurs at least once is still negligible. We get the following outcome: events that occur with negligible probability are so unlikely that they can be ignored for all practical purposes. Therefore, a break of a cryptographic scheme that occurs with negligible probability is not significant. (p. 13 / 61)

Security Proofs. The notion of security can be expressed as: A scheme is secure if for every probabilistic polynomial-time adversary $A$ carrying out an attack of some specified type, and for every positive polynomial $p(\cdot)$, there exists an integer $N$ such that the probability that the attack succeeds is less than $1/p(n)$ for every $n > N$. In theory, when demonstrating that a scheme $S$ is secure, one has to show that no PPT adversary can break it with non-negligible probability. Remark 6. In practice, we work in a different way: we exhibit a "hard" problem $S'$ which can be solved if $S$ can be broken. We show that if one can break $S$ using a PPT algorithm $A$ then one can build another PPT algorithm $A'$ (using $A$ as a subroutine) which solves the "hard" problem $S'$. (p. 14 / 61)

Computationally-Secure Encryption. We recall the definition of a private key encryption scheme. Definition 4. A private key encryption scheme is a tuple of PPT algorithms (Gen, Enc, Dec) such that: Gen takes as input the security parameter $1^n$ and outputs a key $k$; we can assume, w.l.o.g., that $|k| \ge n$. Enc takes as input a key $k$ and a plaintext message $m \in \{0,1\}^*$ and outputs a ciphertext $c$; Enc may be randomized. Dec takes as input a key $k$ and a ciphertext $c$ and outputs a message $m$; Dec is deterministic. It is required that for every $n$, every key $k$ output by Gen$(1^n)$ and every message $m$, we have $\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m$. If, for $k$ output by the key generator, $\mathrm{Enc}_k$ is only defined for messages $m \in \{0,1\}^{l(n)}$, then we say that (Gen, Enc, Dec) is a fixed-length private key encryption scheme for messages of length $l(n)$. (p. 15 / 61)


Computationally-Secure Encryption. We consider an experiment $\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}$ in which an adversary $A$ outputs two messages $m_0, m_1$. He is given the encryption of one of them, chosen at random, under a randomly generated key. The scheme is perfectly secret if $A$ cannot determine which message corresponds to the ciphertext with probability different from $1/2$. In the case of computational security, we relax this requirement as follows: $A$ is assumed to run in polynomial time as a function of the security parameter; $A$ may be able to determine the correct message from the ciphertext with probability negligibly higher than $1/2$. The differences with the definition of perfect secrecy are: $\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}$ depends on the security parameter $n$, and the messages $m_0, m_1$ are required to have the same length. (p. 16 / 61)

Indistinguishability. The experiment $\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}(n)$ works as follows: 1. $A$ is given input $1^n$ and outputs a pair of messages $m_0, m_1$ of the same length. 2. A key $k$ is generated by Gen$(1^n)$ and a random bit $b \in \{0,1\}$ is chosen; the ciphertext $c \leftarrow \mathrm{Enc}_k(m_b)$ is computed and given to $A$. We call $c$ the challenge ciphertext. 3. $A$ outputs a bit $b'$. 4. The output of the experiment is defined to be 1 if $b' = b$ and 0 otherwise. If $\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}(n) = 1$, we say that $A$ succeeded. The idea of indistinguishability is that no PPT $A$ succeeds in the above game with probability non-negligibly greater than $1/2$. (p. 17 / 61)

Indistinguishability. Definition 5. A private key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversaries $A$ there exists a negligible function $\epsilon$ such that $\Pr[\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \epsilon(n)$, where the probability is taken over the random coins used by $A$, as well as the random coins used in the experiment (for choosing the key, the random bit $b$ and any random coins in the encryption process). The definition requires the above property to hold for all PPT algorithms. This means that security holds whatever attack strategy $A$ decides to use. In other words, whatever the strategy $A$ uses, he gains no advantage significantly better than a random guess (which returns the correct bit $b$ with probability $1/2$). Remark 7. This security holds despite the fact that $A$ was allowed to choose the values $m_0$ and $m_1$. (p. 18 / 61)

Indistinguishability. Another way to express indistinguishability is to say that $A$ behaves in the same way whether he sees an encryption of $m_0$ or of $m_1$. Let $\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}(n,b)$ denote the experiment with the bit fixed to $b$, and let $\mathrm{output}(\cdot)$ denote the bit $b'$ that $A$ outputs. Definition 6. A private key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if for all PPT adversaries $A$ there exists a negligible function $\epsilon$ such that $\left|\Pr[\mathrm{output}(\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}(n,0)) = 1] - \Pr[\mathrm{output}(\mathrm{Priv}^{\mathrm{eav}}_{A,\Pi}(n,1)) = 1]\right| \le \epsilon(n)$, where the probabilities are taken over the random coins used by $A$, as well as the random coins used in the experiment (for choosing the key and any random coins in the encryption process). (p. 19 / 61)

Indistinguishability. The property of indistinguishability implies that no single bit of a randomly chosen message $m$ can be predicted with probability significantly better than $1/2$. Consider a message $m$ and denote by $m^i$ its $i$-th bit. Proposition 2. Let (Gen, Enc, Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then, for all PPT adversaries $A$ and all $i$, there exists a negligible function $\epsilon$ such that $\Pr[A(1^n, \mathrm{Enc}_k(m)) = m^i] \le \frac{1}{2} + \epsilon(n)$, where $m$ is chosen uniformly at random from $\{0,1\}^n$ and the probability is taken over the random coins of $A$, the choice of $m$ and the key $k$, and any random coins used in the encryption process. (p. 20 / 61)

Indistinguishability. We assume that, when the security parameter $1^n$ is given, we have an efficient algorithm which returns a uniformly distributed element of $S^n$ (the strings of length $n$ over the alphabet $S$). When such an algorithm exists, the set $S$ is said to be efficiently sampleable. Proposition 3. Let (Gen, Enc, Dec) be a private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. Then, for all PPT adversaries $A$, there exists a PPT algorithm $A'$ such that for all polynomial-time computable functions $f$ and all efficiently sampleable sets $S$, there exists a negligible function $\epsilon$ such that $\left|\Pr[A(1^n, \mathrm{Enc}_k(m)) = f(m)] - \Pr[A'(1^n) = f(m)]\right| \le \epsilon(n)$, where $m$ is chosen uniformly at random from $S^n$ and the probabilities are taken over the choice of $m$ and the key $k$, and any random coins used by $A$, $A'$ and the encryption process. (p. 21 / 61)

Semantic Security. In practice, when someone is given a ciphertext, he may already have some prior knowledge about the message (by eavesdropping on the channel, for instance). In addition, the plaintexts sent over the network are generally not chosen uniformly at random. The purpose of semantic security is to guarantee the security of the scheme against such a threat. Definition 7. A private key encryption scheme (Gen, Enc, Dec) is semantically secure in the presence of an eavesdropper if for all PPT algorithms $A$ there exists a PPT algorithm $A'$ such that for all efficiently sampleable distributions $X_1, X_2, X_3, \ldots$ and all polynomial-time computable functions $f$ and $h$, there exists a negligible function $\epsilon$ such that $\left|\Pr[A(1^n, \mathrm{Enc}_k(m), h(m)) = f(m)] - \Pr[A'(1^n, h(m)) = f(m)]\right| \le \epsilon(n)$, where $m$ is chosen according to the distribution $X_n$ and the probabilities are taken over the choice of $m$ and the key $k$, and any random coins used by $A$, $A'$ and the encryption process. In the definition above, the element $h(m)$ represents the extra information that the adversary may have about the message. (p. 22 / 61)

Semantic Security. Definition 7 seems to guarantee a higher level of security than indistinguishability, as the former allows a more complex opponent model. Nonetheless, we have the following result. Theorem 1. A private-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper if and only if it is semantically secure in the presence of an eavesdropper. As a consequence, it is enough to work with the definition of indistinguishability. (p. 23 / 61)

Pseudorandomness. This notion is very important in cryptography. In the context of private key encryption, it is central to the security of schemes, as keys are to be generated according to specific probability distributions. The purpose of pseudorandomness is to relax the requirement of true randomness. A string is pseudorandom if it looks like a uniformly distributed string to every entity running in polynomial time. Pseudorandomness is a computational notion: if the adversary is computationally unbounded then nothing is pseudorandom. Pseudorandomness is a property of distributions over strings and not of the strings themselves. When we say that a distribution $D$ over strings of length $l$ is pseudorandom, it means that $D$ is indistinguishable from the uniform distribution over strings of length $l$. The advantage of the notion of pseudorandomness is that it can be implemented: a long pseudorandom string can be generated from a short one. Thus, a long message can be encrypted using a short key. Note that this is impossible for perfectly secret encryption schemes. (p. 24 / 61)

Pseudorandom Generators. A pseudorandom generator is a deterministic algorithm that receives a small amount of true randomness (the seed) and stretches it into a large amount of pseudorandomness. Definition 8. Let $l(\cdot)$ be a polynomial and let $G$ be a deterministic polynomial-time algorithm such that for any input $s \in \{0,1\}^n$, algorithm $G$ outputs a string of length $l(n)$. We say that $G$ is a pseudorandom generator (PRG) if the following two conditions hold: (expansion) for every $n$ it holds that $l(n) > n$; (pseudorandomness) for all probabilistic polynomial-time distinguishers $D$, there exists a negligible function $\epsilon$ such that $\left|\Pr[D(r) = 1] - \Pr[D(G(s)) = 1]\right| \le \epsilon(n)$, where $r$ is chosen uniformly at random from $\{0,1\}^{l(n)}$, the seed $s$ is chosen uniformly at random from $\{0,1\}^n$, and the probabilities are taken over the random coins used by $D$ and the choice of $r$ and $s$. The function $l(\cdot)$ is called the expansion factor of $G$. (p. 25 / 61)

Pseudorandom Generators. The seed for a PRG must be chosen uniformly at random and kept secret from the distinguisher $D$. Moreover, the number of possible seeds (hence the length of the seed) must be large enough that a PPT adversary cannot brute-force the seed space to recover the secret value $s$. An issue with PRGs is that we do not know whether they exist; it is believed that they do. In fact, under the assumption that one-way functions exist, PRGs can be constructed. (p. 26 / 61)


Fixed-Length Secure Cryptosystem. An intuitive and simple way to construct a cryptosystem with indistinguishable encryptions is to instantiate the one-time pad with a PRG producing the pad. Let $G$ be a PRG with expansion factor $l$. Define a private-key encryption scheme for messages of length $l(n)$ as follows: Gen: on input $1^n$, choose $k$ uniformly at random from $\{0,1\}^n$ and return it as the key. Enc: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^{l(n)}$, return the ciphertext $c := G(k) \oplus m$. Dec: on input a key $k \in \{0,1\}^n$ and a ciphertext $c \in \{0,1\}^{l(n)}$, return the message $m := G(k) \oplus c$. Theorem 2. If $G$ is a PRG then the previous construction is a fixed-length private-key encryption scheme that has indistinguishable encryptions in the presence of an eavesdropper. (p. 27 / 61)


Fixed-Length Secure Cryptosystem. A natural question is what this approach brings us that is new. At first sight, we achieve the same purpose as the one-time pad (i.e. the encryption of $l$-bit messages using a pad of identical length), but we have traded the perfect secrecy of the one-time pad for the computational security of the PRG. The point of this construction is that the $l$-bit pad can be much longer than the secret key $k$, which is impossible to achieve with perfectly secret schemes. (p. 28 / 61)

Handling Variable-Length Messages. In the previous construction, one was only able to encrypt messages of length $l(n)$, a value determined by the security parameter $n$. To overcome this issue, one may use a variable output-length pseudorandom generator. These generators are very practical, as one does not know a priori the total number of bits to be used during the lifetime of the scheme. As a consequence, one needs a PRG with two inputs: the seed $s$ and the required output length $l$. Definition 9. A deterministic polynomial-time algorithm $G$ is a variable output-length PRG if the following holds: Let $s$ be a string and $l$ a positive integer. Then $G(s, 1^l)$ outputs a string of length $l$. For all $s, l, l'$ with $l < l'$, the string $G(s, 1^l)$ is a prefix of $G(s, 1^{l'})$. Define $G_l(s) := G(s, 1^{l(|s|)})$. Then, for every polynomial $l(\cdot)$, $G_l$ is a PRG with expansion factor $l$. We have the following important result about PRGs. Theorem 3. Any fixed output-length PRG can be converted into a variable output-length PRG. (p. 29 / 61)

Stream Ciphers. The terminology "stream cipher" is not well defined: it is sometimes used for the PRG alone, while it may also designate the whole cryptosystem. We consider that "stream cipher" refers to the algorithm used to generate the pseudorandom stream. A few stream ciphers: RC4: the first few bytes of output have been shown to be biased; this leads to a weakness in the WEP encryption scheme for wireless networks. Bluetooth: attacks based on the linear correlation of the inputs conditioned on a given output pattern of a specific nonlinear function [LMV05]. Linear Feedback Shift Registers (LFSR): it has been shown how to recover the key from sufficiently many bits of output. They must not be used. Remark 8. In practice, one often uses block ciphers to generate pseudorandom strings; they seem more secure than existing stream ciphers. Remark 9. One can build stream ciphers from block ciphers, but these are usually less efficient than dedicated stream ciphers. (p. 30 / 61)
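The LFSR remark above, as an added example that is not part of the original slides: with 2L consecutive keystream bits, the Berlekamp-Massey algorithm recovers the feedback polynomial of any L-bit LFSR, after which the rest of the keystream is predictable. The concrete setup is assumed for illustration and does not come from the page: a 16-bit LFSR with taps (16, 14, 13, 11), its initial state used as the key, and an attacker who knows the first 4 bytes (32 bits = 2L) of the plaintext. All function names are mine.

```python
"""Added example (not from the slides): the known-plaintext attack that makes a
bare LFSR unusable as a stream cipher. Illustrative assumptions: a 16-bit LFSR
with taps (16, 14, 13, 11), a 16-bit initial state as the key, and an attacker
who knows the first 4 bytes (32 bits = 2L) of the plaintext."""
from functools import reduce
from operator import xor

TAPS = (16, 14, 13, 11)            # s_i = s_{i-16} ^ s_{i-14} ^ s_{i-13} ^ s_{i-11}


def lfsr_keystream(taps, state, nbits):
    """Generate nbits of LFSR output; `state` holds s_0..s_{L-1} with L = max(taps)."""
    s = list(state)
    for i in range(len(s), nbits):
        s.append(reduce(xor, (s[i - t] for t in taps)))
    return s[:nbits]


def berlekamp_massey(bits):
    """Shortest LFSR generating `bits`: returns (L, c) with c[0] = 1 and
    bits[i] = XOR_{j=1..L} c[j] & bits[i-j] for every i >= L."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1                              # m = position of the last length change
    for i in range(n):
        d = bits[i]                           # discrepancy between prediction and bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]          # c(x) += x^shift * b(x)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L, c[: L + 1]


def extend(c, L, known, count):
    """Run the recovered recurrence forward to predict `count` further bits."""
    s = list(known)
    for i in range(len(s), len(s) + count):
        s.append(reduce(xor, (c[j] & s[i - j] for j in range(1, L + 1)), 0))
    return s[len(known):]


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def lfsr_encrypt(key_state, message):
    """Stream-cipher use of the LFSR: ciphertext = keystream XOR message."""
    return xor_bytes(bits_to_bytes(lfsr_keystream(TAPS, key_state, 8 * len(message))), message)


def break_lfsr(ciphertext, known_prefix):
    """Known-plaintext attack: recover the keystream prefix, fit it with
    Berlekamp-Massey, extend the keystream and decrypt everything."""
    ks_prefix = bytes_to_bits(xor_bytes(ciphertext[: len(known_prefix)], known_prefix))
    L, c = berlekamp_massey(ks_prefix)
    rest = extend(c, L, ks_prefix, 8 * len(ciphertext) - len(ks_prefix))
    return L, xor_bytes(bits_to_bytes(ks_prefix + rest), ciphertext)


if __name__ == "__main__":
    key = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 1, 1]   # constructed 16-bit secret state
    msg = b"GET /secret/report.pdf HTTP/1.1"                # constructed plaintext
    ct = lfsr_encrypt(key, msg)
    L, recovered = break_lfsr(ct, b"GET ")                  # attacker knows only "GET "
    print(f"linear complexity {L}, recovered plaintext: {recovered!r}")
```

Four known plaintext bytes (a protocol header is enough) give the 32 keystream bits the algorithm needs; it returns linear complexity 16 and the exact taps, and the remaining 27 bytes decrypt without the key ever being searched. A longer register only raises the known-prefix requirement linearly, which is why LFSR output is used at most as an input to a nonlinear combiner, never as the keystream itself.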

Multiple Encryptions. So far, we assumed that the adversary received a single ciphertext. However, in real life, many ciphertexts are exchanged over the communication channel and it is likely that the attacker has access to many of them. We need to redefine the opponent's model for such a setting. The experiment $\mathrm{Priv}^{\mathrm{mult}}_{A,\Pi}(n)$ works as follows: 1. $A$ is given input $1^n$ and outputs a pair of vectors of messages $M_0 = (m_0^1, \ldots, m_0^t)$ and $M_1 = (m_1^1, \ldots, m_1^t)$ with $|m_0^i| = |m_1^i|$ for all $i$. 2. A key $k$ is generated by running Gen$(1^n)$ and a random bit $b \in \{0,1\}$ is chosen. The vector of ciphertexts $C := (\mathrm{Enc}_k(m_b^1), \ldots, \mathrm{Enc}_k(m_b^t))$ is given to $A$. 3. $A$ outputs a bit $b'$. 4. The output of the experiment is defined to be 1 if $b' = b$ and 0 otherwise. If $\mathrm{Priv}^{\mathrm{mult}}_{A,\Pi}(n) = 1$, we say that $A$ succeeded. (p. 31 / 61)

Multiple Encryptions. Definition 10. A private key encryption scheme has indistinguishable multiple encryptions in the presence of an eavesdropper if for all PPT adversaries $A$ there exists a negligible function $\epsilon$ such that $\Pr[\mathrm{Priv}^{\mathrm{mult}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \epsilon(n)$, where the probability is taken over the random coins used by $A$, as well as the random coins used in the experiment (for choosing the key, the random bit $b$ and any random coins in the encryption process). It is important to note that security for a single encryption is a priori not enough to guarantee security for multiple encryptions. Proposition 4. There exist private-key encryption schemes that have indistinguishable encryptions in the presence of an eavesdropper but do not have indistinguishable multiple encryptions in the presence of an eavesdropper. (p. 32 / 61)

Probabilistic Encryption. An example of such a scheme is the one on Slide 27 (the instantiation of the one-time pad with a PRG). In fact, this is a particular case of a more general result. Theorem 4. Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme for which Enc is a deterministic function of the key and the message. Then $\Pi$ does not have indistinguishable multiple encryptions in the presence of an eavesdropper. Thus, a necessary condition for multiple-encryption security is to randomize the encryption algorithm: one needs to obtain different ciphertexts when Enc is run several times on the same message $m$ and key $k$. This seems complicated to achieve, as the decryption algorithm must be deterministic, but it can be done! (p. 33 / 61)

Stream Cipher for Multiple Encryptions. Practically, there are two ways to use PRGs to obtain secure multiple encryptions. Synchronized Mode. [Figure: the key $K$ (together with an IV) is fed to $G$; the output stream is split into Part 1, Part 2, Part 3, which are XORed with $m_1$, $m_2$, $m_3$ to give $c_1$, $c_2$, $c_3$.] In this mode, the communicating parties use a different part of the stream output by $G$ to encrypt each message. This mode is synchronized in the sense that both parties need to know which part of the stream has already been used. Reusing a part of the stream is not secure. (p. 34 / 61)

Stream Cipher for Multiple Encryptions. This mode is: useful when the parties communicate in a single session: the first party uses Part 1 of the stream to encrypt $m_1$, the second party decrypts $c_1$ and sends his reply $m_2$ using Part 2 of the stream as a mask, and so on; not suitable in applications where pieces of the stream are not used sequentially, as the users have to keep track of the parts already utilized. (p. 35 / 61)

Stream Cipher for Multiple Encryptions. Unsynchronized Mode. [Figure: $G$ is run separately on $K$ with $\mathrm{IV}_1$, $\mathrm{IV}_2$, $\mathrm{IV}_3$, producing Part 1, Part 2, Part 3, which are XORed with $m_1$, $m_2$, $m_3$ to give $c_1$, $c_2$, $c_3$.] In this mode, encryptions are carried out independently of one another. The parties do not need to maintain records of the pieces of stream already used. (p. 36 / 61)

Stream Cipher for Multiple Encryptions. In such a situation, we require the PRG to be stronger, as security must be guaranteed even when the IVs are known; only the seed $s$ is kept secret. In addition, we want that, for any pair $(\mathrm{IV}_1, \mathrm{IV}_2)$ chosen uniformly at random, the streams $G(s, \mathrm{IV}_1)$ and $G(s, \mathrm{IV}_2)$ remain pseudorandom even when considered together. Using such a PRG, encryption works as $\mathrm{Enc}_k(m) := \mathrm{IV} \,\|\, [G(k, \mathrm{IV}) \oplus m]$, where IV is chosen uniformly at random from $\{0,1\}^n$. The value IV must be refreshed at each encryption to guarantee security. Many stream ciphers used in practice are designed for this augmented pseudorandomness property and thus can be used in the unsynchronized mode. Note that a "standard" PRG need not exhibit such a property. (p. 37 / 61)

Chosen-Plaintext Attacks (CPA). So far, the adversary was only a passive observer between the two communicating parties. We now present a model where $A$ has temporary access to the encryption algorithm. In the CPA model, $A$ can adaptively query $\mathrm{Enc}_k$ on multiple messages of his choice. During those queries, $\mathrm{Enc}_k$ behaves as a black box: $A$ only gets the output of $\mathrm{Enc}_k$ and has no access to the values inside $\mathrm{Enc}_k$ during his queries; in particular, he has no direct access to the secret key $k$. We expect the same security as before: $A$ should not be able to distinguish the encryptions of two arbitrary messages $m_0$ and $m_1$ that he chose himself, despite having been given access to $\mathrm{Enc}_k$. (p. 38 / 61)

Chosen-Plaintext Attacks (CPA). The experiment $\mathrm{Priv}^{\mathrm{cpa}}_{A,\Pi}(n)$ works as follows: 1. A key $k$ is generated by running Gen$(1^n)$. 2. $A$ is given input $1^n$ and oracle access to $\mathrm{Enc}_k(\cdot)$, and outputs a pair of messages $m_0, m_1$ of the same length. 3. A random bit $b \in \{0,1\}$ is chosen and the ciphertext $\mathrm{Enc}_k(m_b)$ is given to $A$. 4. $A$ continues to have oracle access to $\mathrm{Enc}_k(\cdot)$ and outputs a bit $b'$. 5. The output of the experiment is defined to be 1 if $b' = b$ and 0 otherwise. If $\mathrm{Priv}^{\mathrm{cpa}}_{A,\Pi}(n) = 1$, we say that $A$ succeeded. (p. 39 / 61)

46 Chosen-Plaintext Attacks (CPA)
Definition 11 A private key encryption scheme has indistinguishable encryptions under a chosen-plaintext attack (or is CPA-secure) if for all PPT adversaries A, there exists a negligible function ǫ such that:
Prob[Priv^cpa_{A,Π}(n) = 1] ≤ 1/2 + ǫ(n)
where the probability is taken over the random coins used by A, as well as the random coins used in the experiment (for choosing the key, the random bit b and any random coins in the encryption process).
Proposition 5 If a cryptosystem is CPA-secure then it is secure against an eavesdropper.
Remark 10 It seems that no scheme can satisfy Definition 11. Indeed, given the game played by A, it is enough for him to query the encryption algorithm as an oracle at Step 4 (on m_0 or m_1) to determine the value of the secret bit b. This is true if the encryption scheme is deterministic, but false if it is probabilistic.
Proposition 6 No deterministic encryption scheme is CPA-secure. In other words, if a cryptosystem is CPA-secure then it must use a probabilistic encryption algorithm.

50 Chosen-Plaintext Attacks (CPA)
The practical cost of CPA security is the use of less computationally efficient schemes than those only requiring security against an eavesdropper. Nonetheless, CPAs correspond to realistic scenarios. For instance, your encryption machine may be physically captured by an adversary (as may occur in times of war). Another case is related to communication between servers. Those communications are encrypted to provide security, but they are about requests performed by users. So, the ciphertexts sent from one server to another correspond to messages chosen by the users. Thus, in many cases, one does not have a choice and must opt for a slower but more secure cryptosystem to ensure the security of his applications.

51 CPA Security and Multiple Encryptions
We can generalize the security of an encryption scheme in the same way as in the case of an eavesdropper, by giving A a vector of cryptograms rather than a single one. Nonetheless, contrary to the case of an eavesdropper, we have the following result:
Proposition 7 Any private key encryption scheme that has indistinguishable encryptions under CPA also has indistinguishable multiple encryptions under CPA.
Thus, it is enough to prove that a scheme is CPA-secure for a single encryption to obtain the property for multiple encryptions.

52 CPA Security and Message Length
Another advantage of CPA-secure encryption schemes is that it is easy to construct an arbitrary-length CPA-secure scheme from any fixed-length CPA-secure cryptosystem. If (Gen, Enc, Dec) is a CPA-secure cryptosystem encrypting 1-bit messages, then it is easy to encrypt l-bit messages m := m_1 ... m_l as:
Enc'_k(m) = Enc_k(m_1) || ... || Enc_k(m_l)
Note that, in practice, there may be more efficient ways to construct variable-length message encryption schemes.

53 Pseudorandom Functions
We now look at functions mapping n-bit strings to n-bit strings. We are interested in keyed two-input functions F : {0,1}* × {0,1}* → {0,1}*. The first input of F is called the key. For simplicity, we assume that F is length-preserving, meaning that the key, the second input and the output of F all have the same length. So, if we pick k ∈ {0,1}^n, the function F_k := F(k, ·) is a mapping from n-bit strings to n-bit strings. The keyed function F induces a probability distribution on functions, given by the random choice of the key k.
Definition 12 Let F : {0,1}* × {0,1}* → {0,1}* be an efficient, length-preserving, keyed function. We say that F is a pseudorandom function (PRF) if for all PPT distinguishers D, there exists a negligible function ǫ such that:
| Prob[D^{F_k(·)}(1^n) = 1] − Prob[D^{f(·)}(1^n) = 1] | ≤ ǫ(n)
where k is chosen uniformly at random from {0,1}^n and f is chosen uniformly at random from the set of functions mapping n-bit strings to n-bit strings.

54 Pseudorandom Functions
As for PRGs, it is important to ask whether PRFs exist. In practice, efficient primitives called block ciphers exist and are believed to be PRFs. From a theoretical point of view, we have:
Theorem 5 PRFs exist if and only if PRGs exist.
One use of PRFs is the design of CPA-secure cryptosystems.

55 CPA-Secure Cryptosystems
A simple attempt to use PRFs in this context is to define the encryption algorithm as Enc_k(m) = F_k(m). Unfortunately, this approach is deterministic and therefore it cannot be CPA-secure. The idea is to use a random element and a pseudorandom pad to achieve CPA security. Let F be a PRF. Define a private-key encryption scheme for messages of length n as follows:
Gen: on input 1^n, choose k uniformly at random from {0,1}^n and return it as the key,
Enc: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, choose r uniformly at random from {0,1}^n and return the ciphertext c := ⟨r, F_k(r) ⊕ m⟩,
Dec: on input a key k ∈ {0,1}^n and a ciphertext c = ⟨r, s⟩, return the message m := F_k(r) ⊕ s.

56 CPA-Secure Cryptosystems
Intuitively, the security is due to the fact that F_k(r) looks random to an attacker who only sees a ciphertext ⟨r, s⟩. More precisely, we have:
Theorem 6 If F is a PRF, then the previous construction is a fixed-length private-key encryption scheme for messages of length n that has indistinguishable encryptions under a CPA.
We can extend this construction to arbitrary-length plaintexts m = m_1 ... m_l as:
⟨r_1, F_k(r_1) ⊕ m_1⟩, ..., ⟨r_l, F_k(r_l) ⊕ m_l⟩
Corollary 1 If F is a PRF, then the above construction is a private-key encryption scheme for arbitrary-length messages that has indistinguishable encryptions under a CPA.
Remark 11 An issue with the last two constructions is that the length of a cryptogram is twice the size of its corresponding plaintext.
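As an added example (not from the slides), the PRF-based scheme above in Python, with the abstract F instantiated by HMAC-SHA256 (assumed to be a PRF; n = 256 bits is an assumption of this example), next to the rejected deterministic attempt Enc_k(m) = F_k(m), the block-wise extension of Corollary 1 and its doubled ciphertext length (Remark 11). The IV-based stream cipher of slide 43 follows the same fresh-randomness-per-encryption pattern.

```python
import hashlib
import hmac
import os

N = 32  # n = 256 bits: key, PRF input and PRF output length in bytes (assumption)


def prf(k: bytes, x: bytes) -> bytes:
    """Length-preserving keyed function F_k(x), instantiated with HMAC-SHA256.
    HMAC is assumed to be a PRF here; it stands in for the abstract F of the slides."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen(1^n): a uniformly random n-bit key."""
    return os.urandom(N)


def enc_deterministic(k: bytes, m: bytes) -> bytes:
    """The rejected attempt Enc_k(m) = F_k(m): equal plaintexts give equal ciphertexts,
    so an adversary with oracle access to Enc_k wins the CPA game trivially."""
    return prf(k, m)


def enc_block(k: bytes, m: bytes) -> tuple[bytes, bytes]:
    """Enc: pick a fresh uniform r and output <r, F_k(r) xor m>."""
    assert len(m) == N
    r = os.urandom(N)
    return r, xor(prf(k, r), m)


def dec_block(k: bytes, c: tuple[bytes, bytes]) -> bytes:
    """Dec: recover m = F_k(r) xor s from <r, s>."""
    r, s = c
    return xor(prf(k, r), s)


def enc(k: bytes, m: bytes) -> list[tuple[bytes, bytes]]:
    """Corollary 1: encrypt m = m_1 ... m_l block by block, each block with its own r.
    The plaintext length is assumed to be a multiple of n bytes (padding is out of scope)."""
    assert len(m) % N == 0
    return [enc_block(k, m[i:i + N]) for i in range(0, len(m), N)]


def dec(k: bytes, c: list[tuple[bytes, bytes]]) -> bytes:
    return b"".join(dec_block(k, blk) for blk in c)


def ciphertext_len(c: list[tuple[bytes, bytes]]) -> int:
    """Remark 11: every block carries r plus the pad, so the cryptogram is twice the plaintext."""
    return sum(len(r) + len(s) for r, s in c)


def equal_plaintexts_leak(encrypt, k: bytes, m: bytes) -> bool:
    """True if encrypting the same message twice yields identical ciphertexts,
    which is exactly what a CPA adversary exploits against a deterministic scheme."""
    return encrypt(k, m) == encrypt(k, m)


if __name__ == "__main__":
    k = gen()
    m = b"A" * N  # constructed sample plaintext
    print("deterministic attempt leaks:", equal_plaintexts_leak(enc_deterministic, k, m))
    print("PRF scheme leaks:", equal_plaintexts_leak(enc_block, k, m))
    c = enc(k, m * 3)
    print("round trip ok:", dec(k, c) == m * 3, "expansion:", ciphertext_len(c) / len(m * 3))
```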

57 Pseudorandom Permutations
Let F : {0,1}* × {0,1}* → {0,1}* be an efficient, length-preserving, keyed function.
Definition 13 We call F a keyed permutation if for every k, the function F_k(·) is one-to-one. We say that a keyed permutation is efficient if there exists a polynomial-time algorithm computing F_k(x) when k and x are given, and a polynomial-time algorithm computing F_k^{-1}(x) given k and x.
Proposition 8 If F is a pseudorandom permutation then it is also a PRF.
If F is a pseudorandom permutation, then cryptographic primitives may require that only honest parties can compute the inverse F_k^{-1}. This is a stronger requirement than being pseudorandom. In such a case, F must be indistinguishable from a random permutation even if the distinguisher D is given oracle access to the inverse of the permutation.

58 Pseudorandom Permutations
Definition 14 Let F : {0,1}* × {0,1}* → {0,1}* be an efficient, keyed permutation. We say that F is a strong pseudorandom function if for all PPT distinguishers D, there exists a negligible function ǫ such that:
| Prob[D^{F_k(·), F_k^{-1}(·)}(1^n) = 1] − Prob[D^{f(·), f^{-1}(·)}(1^n) = 1] | ≤ ǫ(n)
where k is chosen uniformly at random from {0,1}^n and f is chosen uniformly at random from the set of permutations on n-bit strings.
Previously, we said that a stream cipher can be modeled as a PRG. Similarly, strong pseudorandom functions can be represented in practice by block ciphers.

59 Block Ciphers
Like stream ciphers, block ciphers are tools used to construct a secure cryptosystem. A block cipher processes data in chunks. The message to be processed is first padded unambiguously so that the number of bits becomes a multiple of the block length. Then, the block cipher processes information following one of the following modes:
Electronic Codebook (ECB) mode,
Cipher Block Chaining (CBC) mode,
Output Feedback (OFB) mode,
Counter (CTR) mode.
Note that other modes exist, but the four modes above are standard.

60 Block Ciphers: ECB Mode
[Diagram: each block m_1, m_2, m_3 is fed directly to F_k, giving c_1, c_2, c_3.]
This is the simplest way that one can think of. Decryption is performed using F_k^{-1}. Unfortunately, the scheme is deterministic. Therefore, it cannot be CPA-secure. Even worse, ECB-mode encryption does not have indistinguishable encryptions in the presence of an eavesdropper. Thus, this mode must never be used.

61 Block Ciphers: CBC Mode
[Diagram: IV is XORed into m_1 before F_k; each later block m_i is XORed with c_{i-1} before F_k; the output is IV, c_1, c_2, c_3.]
In this mode, the initial vector IV of length n is chosen first. Then, encryption is done using the recursive formula:
c_0 = IV
c_i = F_k(c_{i-1} ⊕ m_i)

62 Block Ciphers: CBC Mode
The CBC mode is probabilistic, and it has been shown that if F is a pseudorandom permutation then this mode is CPA-secure. The issue with this mode is that encryption has to be performed sequentially. Thus, one cannot use parallelism to speed up this mode.

63 Block Ciphers: OFB Mode
[Diagram: IV is fed to F_k repeatedly; each output r_i is XORed with m_i; the output is IV, c_1, c_2, c_3.]
In this mode, the initial vector IV of length n is chosen first. The stream is generated from IV and does not depend on the messages to be sent. The encryption is done using the recursive formula:
r_0 = IV
r_i = F_k(r_{i-1})
c_i = r_i ⊕ m_i

64 Block Ciphers: OFB Mode
In this mode, it is not required that F be invertible. Like the CBC mode, the OFB mode is probabilistic, and it is also CPA-secure if F is pseudorandom. The advantage of this mode is that most of the computation is independent of the messages. It can be done separately, using pre-processing, which speeds up the encryption process.

65 Block Ciphers: CTR Mode
[Diagram: ctr+1, ctr+2, ctr+3 are fed to F_k; each output r_i is XORed with m_i; the output is ctr, c_1, c_2, c_3.]
There are many variants of the CTR mode. The proposed example is the randomized counter mode. In this mode, the initial vector ctr of length n is chosen first. The encryption is done using the formula:
r_i = F_k(ctr + i)
c_i = r_i ⊕ m_i

66 Block Ciphers: CTR Mode
One property is that this mode can be used in parallel computations and, as with OFB, it is possible to generate the stream ahead of time, independently of the message. In addition, one can process the i-th ciphertext block without having to decrypt its predecessors or followers (random access). Finally, we have the following security result:
Theorem 7 If F is a PRF, then the randomized counter mode has indistinguishable encryptions under a CPA.
All these properties make this mode very attractive for practical implementations.
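As an added example that is not part of the slides, the four modes implemented in Python over a toy keyed permutation F_k (a 4-round Feistel network built from HMAC-SHA256 with n = 256 bits; an assumption standing in for a real block cipher). It shows the equal-block leak of ECB, the IV/counter randomization of the other three modes, that OFB and CTR never call F_k^{-1}, and CTR's random-access decryption; messages are assumed already padded to whole blocks.

```python
import hashlib
import hmac
import os

B = 32       # block length n in bytes (assumption for this example)
H = B // 2   # Feistel half-block
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def blocks(data: bytes) -> list[bytes]:
    assert len(data) % B == 0, "input must already be padded to whole blocks"
    return [data[i:i + B] for i in range(0, len(data), B)]


def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 keyed with (k, round index), truncated to a half block.
    return hmac.new(k + bytes([i]), half, hashlib.sha256).digest()[:H]


def E(k: bytes, x: bytes) -> bytes:
    """Toy keyed permutation F_k: a Feistel network over the PRF round function
    (stands in for a real block cipher; not for production use)."""
    L, R = x[:H], x[H:]
    for i in range(ROUNDS):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def D(k: bytes, y: bytes) -> bytes:
    """Inverse permutation F_k^{-1}: undo the rounds in reverse order."""
    L, R = y[:H], y[H:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


# ECB: c_i = F_k(m_i). Deterministic: equal plaintext blocks give equal ciphertext blocks.
def ecb_enc(k, m): return b"".join(E(k, mi) for mi in blocks(m))
def ecb_dec(k, c): return b"".join(D(k, ci) for ci in blocks(c))


# CBC: c_0 = IV, c_i = F_k(c_{i-1} xor m_i). Encryption is inherently sequential.
def cbc_enc(k, m, iv=None):
    c = [iv or os.urandom(B)]
    for mi in blocks(m):
        c.append(E(k, xor(c[-1], mi)))
    return b"".join(c)

def cbc_dec(k, c):
    cs = blocks(c)
    return b"".join(xor(D(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


# OFB: r_0 = IV, r_i = F_k(r_{i-1}), c_i = r_i xor m_i. The keystream is message-independent
# and only the forward direction E is ever used, so F need not be invertible.
def ofb_enc(k, m, iv=None):
    r = iv or os.urandom(B)
    out = [r]
    for mi in blocks(m):
        r = E(k, r)
        out.append(xor(r, mi))
    return b"".join(out)

def ofb_dec(k, c):
    cs = blocks(c)
    return ofb_enc(k, b"".join(cs[1:]), cs[0])[B:]  # same keystream, IV stripped


# CTR (randomized): r_i = F_k(ctr + i), c_i = r_i xor m_i. Blocks are independent,
# so encryption parallelizes and any single block can be decrypted on its own.
def _ctr_plus(ctr: bytes, i: int) -> bytes:
    return ((int.from_bytes(ctr, "big") + i) % (1 << (8 * B))).to_bytes(B, "big")

def ctr_enc(k, m, ctr=None):
    ctr = ctr or os.urandom(B)
    pads = (E(k, _ctr_plus(ctr, i)) for i in range(1, len(m) // B + 1))
    return ctr + b"".join(xor(r, mi) for r, mi in zip(pads, blocks(m)))

def ctr_dec_block(k, c, i):
    """Random access: recover m_i without touching any other ciphertext block."""
    cs = blocks(c)
    return xor(E(k, _ctr_plus(cs[0], i)), cs[i])

def ctr_dec(k, c):
    return b"".join(ctr_dec_block(k, c, i) for i in range(1, len(c) // B))


def has_repeated_blocks(c: bytes) -> bool:
    """An eavesdropper's check: does the ciphertext reveal that two plaintext blocks were equal?"""
    cs = blocks(c)
    return len(set(cs)) < len(cs)
```

With a constructed plaintext whose first two blocks are equal, only the ECB ciphertext passes `has_repeated_blocks`, which is the eavesdropper distinguisher of slide 60.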

67 Comparison: Block/Stream Ciphers
Stream ciphers are somewhat faster than block ciphers, but only by a factor between one and two. Thus, they are only advantageous on limited-capacity devices such as PDAs and cell phones. On the other hand, stream ciphers appear to be less studied in practice than block ciphers. There are many block ciphers which are efficient and perceived as being quite secure, while stream ciphers tend to be broken more easily. There is also the misuse of stream ciphers which consists of using the same pseudorandom string twice. For all these reasons, it seems safer to use block ciphers.

68 Chosen-Ciphertext Attacks (CCA)
In this attack model, the adversary is also allowed to obtain the decryption of ciphertexts of his choice via a second black box. The experiment Priv^cca_{A,Π}(n) works as follows:
1. A key k is generated by running Gen(1^n).
2. A is given input 1^n and oracle access to Enc_k and Dec_k. He outputs a pair of messages m_0, m_1 of the same length.
3. A random bit b is chosen and the ciphertext c := Enc_k(m_b) is given to A.
4. A continues to have oracle access to Enc_k and Dec_k (except on the challenge ciphertext c). He outputs a bit b'.
5. The output of the experiment is defined to be 1 if b' = b and 0 otherwise.
If Priv^cca_{A,Π}(n) = 1, we say that A succeeded.

69 Chosen-Ciphertext Attacks (CCA)
Definition 15 A private key encryption scheme has indistinguishable encryptions under a chosen-ciphertext attack (or is CCA-secure) if for all PPT adversaries A, there exists a negligible function ǫ such that:
Prob[Priv^cca_{A,Π}(n) = 1] ≤ 1/2 + ǫ(n)
where the probability is taken over the random coins used by A, as well as the random coins used in the experiment (for choosing the key, the random bit b and any random coins in the encryption process).
The restriction forbidding the adversary from querying Dec_k on the challenge c comes from the fact that Dec_k is deterministic.
Remark 12 None of the schemes seen so far is CCA-secure.



More information

Lectures 4+5: The (In)Security of Encrypted Search

Lectures 4+5: The (In)Security of Encrypted Search Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first

More information

CSC 580 Cryptography and Computer Security

CSC 580 Cryptography and Computer Security CSC 580 Cryptography and Computer Security Encryption Concepts, Classical Crypto, and Binary Operations January 30, 2018 Overview Today: Cryptography concepts and classical crypto Textbook sections 3.1,

More information

6 Pseudorandom Functions

6 Pseudorandom Functions 6 Pseudorandom Functions A pseudorandom generator allows us to take a small amount of uniformly sampled bits, and amplify them into a larger amount of uniform-looking bits A PRG must run in polynomial

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography 89-656 Yehuda Lindell 1 October 19, 2006 1 This is an outdated draft of lecture notes written for an undergraduate course in cryptography at Bar-Ilan University, Israel. The

More information

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39 Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3

More information

Secret Key Algorithms (DES)

Secret Key Algorithms (DES) Secret Key Algorithms (DES) G. Bertoni L. Breveglieri Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used

More information

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems

More information

Stream Ciphers An Overview

Stream Ciphers An Overview Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext

More information

Symmetric Cryptography

Symmetric Cryptography CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography 15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@

More information

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering

More information

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34 Definition a symmetric key cryptographic algorithm is characterized by having the same key used for both encryption and decryption.

More information

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing

CSC 5930/9010 Modern Cryptography: Cryptographic Hashing CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Department of Computer Science and Applied Math, Weizmann Institute of Science, Rehovot, Israel. lindell@wisdom.weizmann.ac.il

More information

Lecture 8. 1 Some More Security Definitions for Encryption Schemes

Lecture 8. 1 Some More Security Definitions for Encryption Schemes U.C. Berkeley CS276: Cryptography Lecture 8 Professor David Wagner February 9, 2006 Lecture 8 1 Some More Security Definitions for Encryption Schemes 1.1 Real-or-random (rr) security Real-or-random security,

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 6 January 25, 2012 CPSC 467b, Lecture 6 1/46 Byte padding Chaining modes Stream ciphers Symmetric cryptosystem families Stream ciphers

More information

7. Symmetric encryption. symmetric cryptography 1

7. Symmetric encryption. symmetric cryptography 1 CIS 5371 Cryptography 7. Symmetric encryption symmetric cryptography 1 Cryptographic systems Cryptosystem: t (MCKK GED) (M,C,K,K,G,E,D) M, plaintext message space C, ciphertext message space K, K, encryption

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography

More information

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance

More information

Homework 3: Solution

Homework 3: Solution Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select

More information

Cryptography 2017 Lecture 3

Cryptography 2017 Lecture 3 Cryptography 2017 Lecture 3 Block Ciphers - AES, DES Modes of Operation - ECB, CBC, CTR November 7, 2017 1 / 1 What have seen? What are we discussing today? What is coming later? Lecture 2 One Time Pad

More information

Some Aspects of Block Ciphers

Some Aspects of Block Ciphers Some Aspects of Block Ciphers Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in CU-ISI Tutorial Workshop on Cryptology, 17 th July 2011 Palash Sarkar

More information

Overview of Cryptography

Overview of Cryptography 18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security

More information

Random Oracles - OAEP

Random Oracles - OAEP Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm

More information

Lecture 4: Authentication and Hashing

Lecture 4: Authentication and Hashing Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

Cryptography (cont.)

Cryptography (cont.) CSE 484 / CSE M 584 (Autumn 2011) Cryptography (cont.) Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others

More information

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18

Course Map. COMP 7/8120 Cryptography and Data Security. Learning Objectives. How to use PRPs (Block Ciphers)? 2/14/18 Course Map Key Establishment Authenticated Encryption Key Management COMP 7/8120 Cryptography and Data Security Lecture 8: How to use Block Cipher - many time key Stream Ciphers Block Ciphers Secret Key

More information

Lecture 2: Secret Key Cryptography

Lecture 2: Secret Key Cryptography T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi 1 Reminder: Communication Model Adversary Eve Cipher, Encryption

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

On Compression of Data Encrypted with Block Ciphers

On Compression of Data Encrypted with Block Ciphers On Compression of Data Encrypted with Block Ciphers Demijan linc, Carmit Hazay, Ashish Jagmohan, Hugo rawczyk, and Tal Rabin 1 Abstract This paper investigates compression of data encrypted with block

More information

Introduction to Secure Multi-Party Computation

Introduction to Secure Multi-Party Computation Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation

More information

Defining Encryption. Lecture 2. Simulation & Indistinguishability

Defining Encryption. Lecture 2. Simulation & Indistinguishability Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of

More information

CPS2323. Symmetric Ciphers: Stream Ciphers

CPS2323. Symmetric Ciphers: Stream Ciphers Symmetric Ciphers: Stream Ciphers Content Stream and Block Ciphers True Random (Stream) Generators, Perfectly Secure Ciphers and the One Time Pad Cryptographically Strong Pseudo Random Generators: Practical

More information

Definitions and Notations

Definitions and Notations Chapter 2 Definitions and Notations In this chapter, we present definitions and notation. We start with the definition of public key encryption schemes and their security models. This forms the basis of

More information

Lecture 8: Cryptography in the presence of local/public randomness

Lecture 8: Cryptography in the presence of local/public randomness Randomness in Cryptography Febuary 25, 2013 Lecture 8: Cryptography in the presence of local/public randomness Lecturer: Yevgeniy Dodis Scribe: Hamidreza Jahanjou So far we have only considered weak randomness

More information

Introduction to Secure Multi-Party Computation

Introduction to Secure Multi-Party Computation CS 380S Introduction to Secure Multi-Party Computation Vitaly Shmatikov slide 1 Motivation General framework for describing computation between parties who do not trust each other Example: elections N

More information

Private-Key Encryption

Private-Key Encryption Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 50 Outline 1 Block Ciphers 2 The Data Encryption Standard (DES) 3 The Advanced Encryption Standard (AES) 4 Attacks

More information

Notes for Lecture 24

Notes for Lecture 24 U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof

More information

RSA. Public Key CryptoSystem

RSA. Public Key CryptoSystem RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

More information

On the Security of a Certificateless Public-Key Encryption

On the Security of a Certificateless Public-Key Encryption On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,

More information

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

Lectures 6+7: Zero-Leakage Solutions

Lectures 6+7: Zero-Leakage Solutions Lectures 6+7: Zero-Leakage Solutions Contents 1 Overview 1 2 Oblivious RAM 1 3 Oblivious RAM via FHE 2 4 Oblivious RAM via Symmetric Encryption 4 4.1 Setup........................................ 5 4.2

More information

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 5 More About Block Ciphers ver. November 26, 2010 Last modified 10-2-17

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Pseudorandom Permutations unctions that look like random permutations Syntax: Key space K (usually {0,1}

More information