Introduction to Cryptography @ Rice · COMP477 - Slide 02 1 Introduction to Cryptography @ Rice...

UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 1

Introduction to Cryptography @ Rice

Olivier Pereira

Slide 02


Computational Security

Let Π := 〈Gen,Enc,Dec〉 be a scheme s.t. |K| < |M|Then Π is not a perfectly secret encryption scheme.

⇒ Somehow, we want imperfect encryption

What can we expect from imperfect security?

I Replace impossibility by infeasibility (what?)

I Practical scheme emulating perfect scheme for practicalpurposes


Computational Security

Emulating perfectness? (informally, for encryption)

Given Π := 〈Gen,Enc,Dec〉, and adversary ADefine the following experiment PrivKeavA,Π

′:

1. A not unbounded outputs m0,m1 ∈M2. Choose k ← Gen and b ← {0, 1}, and send c = Enck(mb)

to A3. A(c) outputs b′

4. Define PrivKeavA,Π′ := 1 iff b = b′

Pr[PrivKeavA,Π′ = 1] =

1

2+ negligible term


Computational Security: Concrete Bounds

Two relaxations:

1. A does not have unbounded powerI Suppose A makes a brute force search

I 109 keys/secI 106 computersI 109 seconds (≈ 30 years)⇒ makes ≈ 280 steps

2. A can have a small success probabilityI Say, 2−48

I Event with Pr ≈ 2−30/sec occurs 1/100 yearsI Proba. to win the Powerball Jackpot: ≈ 2−28

⇒ Suggests that |K| = 2128 would be very nice!



Two relaxations:

1. A does not have unbounded power2. A can have small success probability

Proposed solution:

I design schemes that are (t, �)-secure

What does it say?

I Concrete bounds: we know what we can hold

I Contests can be organized, . . .



See: https://www.certicom.com/content/certicom/en/

the-certicom-ecc-challenge.html

https://www.certicom.com/content/certicom/en/the-certicom-ecc-challenge.htmlhttps://www.certicom.com/content/certicom/en/the-certicom-ecc-challenge.html


Computational Security: Asymptotic Bounds

Concrete security bounds:

I Suppose 〈Gen,Enc,Dec〉 is (t, �)-secure.What about 5t?

I How does (t, �) change with key size?Can encryption cost become > cryptanalysis cost?

Another solution:

I Consider (t, �) as functions of a security parameter n(e.g., the length of the key)

I Define a class of “feasible” algorithmsNumber of steps as a f (n)

I Show: ∀ feasible strategy of A, Pr[A wins] → 0 fast whenn increases


Computational Security: Asymptotic Bounds

Asymptotic security:

Π is secure if

I every “feasible” adversary strategy

I succeeds with “negligible” probability

when security parameters increase

An increase of computational power is bad news for A


Feasible Strategy / Efficient Algorithm

Let n be the length of the numbers we use. . .

Simple computational problems:

I Addition: O(n)I Multiplication: O(n2)I (Modular) Exponentiation: O(n3)I Search in ordered list: O(log(n))

Computationally hard problems:

I Integer factorization: 2O(√

n·log(n))

I Exhaustive key search: 2n

(The complexities listed here reflect classical algorithms, not the bestknown algorithms, which have more complex expressions.)



Observations suggest:

Polynomial-time algorithms are efficient

I A is efficient if ∃ polynomial p s.t.A(x) takes ≤ p(|x |) steps

“Arbitrary” choice!?

I Various computing architectures can make complexitychange by a polynomial factor

I Algorithmic improvements typically change complexity by apolynomial factor

I But is |x |1000 less efficient than e|x|

1000 ?

I What tells asymptotic security about |x | = 128?For discussion see, e.g., http://www.cs.princeton.edu/theory/complexity/

http://www.cs.princeton.edu/theory/complexity/



Observations suggest:

Polynomial-time algorithms are efficient

I A is efficient if ∃ polynomial p s.t.A(x) takes ≤ p(|x |) steps

Does it capture what we want?

I Cryptography is about randomnesse.g., choosing a key, . . .

I If honest parties can use randomness, so should A!I Is a probabilistic A more powerful?I Where do we find randomness?



Efficient ⇔ Probabilistic polynomial-time (PPT)I A is efficient if ∃ polynomial p s.t.A(x) takes ≤ p(|x |) steps

I Steps include tossing a coin


Negligible Functions

What should be a “negligible” success probability?

I 1/p(n) is not small for PPT A:Polynomial repetition of A is still PPT

⇒ “negligible” ⇔ “decreases faster than any inverse poly.”

f is negligible iff:∀ polynomial p, ∃N such that ∀n ≥ N:

f (n) ≤ 1p(n)

Examples: 2−n, 2−√n, n− log(n)


Asymptotic security

Why using such an asymptotic treatment?

I Tells us how primitives behaveI PPT algos and negl. functions are convenient:

I PPT algo running PPT algos is still PPTI f negl and p poly ⇒ p · f negl

I PPT/negl capture our experience

I PPT/negl are robust to model changes

This will be adopted in the rest of this course


Encryption

What would be encryption in a computational world?

A triple 〈Gen,Enc,Dec〉 of PPT algos: (Introduce n)I Gen probabilistically selects k ← Gen(1n)

1n := 111 · · · 1 (n times) n is the security parameterI Enc provides c ← Enck(m)I Dec provides m := Deck(c)

Correctness: “for any security parameter...”

I ∀n, k ← Gen(1n), and ∀m: Deck(Enck(m)) = m


Security for Encryption

What would this become in a computational world?

Given Π := 〈Gen,Enc,Dec〉, and adversary A, define theexperiment PrivKeavA,Π(n):

1. A(1n) outputs m0,m1 of identical lengths2. Pick k ← Gen(1n), b ← {0, 1}, and send c ← Enck(mb)

to A3. A(c) outputs b′

4. Define PrivKeavA,Π(n) := 1 iff b = b′


Security of Encryption

Π := 〈Gen,Enc,Dec〉 has indistinguishable encryptions in thepresence of eavesdroppers if ∀ PPT A, ∃ negl. � :

Pr[PrivKeavA,Π(n) = 1] =1

2+ �(n)

Efficiency and Security depend on the security parameter


Building Secure Encryption Schemes

Emulating a one-time pad!

Gen(1n): pick k ← {0, 1}l(n), set M = {0, 1}l(n)→ We want |k| < |m| = l(n), for any m ∈M→ Expand k ∈ {0, 1}n to G (k) ∈ {0, 1}l(n)

Enck(m): compute and return c = m ⊕ k→ Instead, compute c = m ⊕ G (k)→ Enough if G (k) is indistinguishable of random

Deck(c): compute and return m = c ⊕ k→ Instead, compute c ⊕ G (k)

G is called a pseudorandom generator


Pseudorandomness

A deterministic poly-time algorithm G is a pseudorandomgenerator (or simply a PRG) only if, for any n,

I ∀s ∈ {0, 1}n, G (s) ∈ {0, 1}l(n) and l(n) > nI ∀ PPT D, ∃ negligible function � s.t.∣∣Pr[D(r) = 1]− Pr[D(G (s)) = 1]∣∣ ≤ �(n)

where r ← {0, 1}l(n) and s ← {0, 1}n

String s is called the seedFunction l is called the expansion factor of G


Pseudorandomness

Pseudorandom generators:

I Can only be computationally secure: try l(n) = 2 · nI n should be large enough to avoid brute-force

Theorem: [Håstad, Impagliazzo, Levin, Luby, 1999]Pseudorandom generators exist iff one-way functions exist

Existence of one-way functions ⇒ P 6= NP


Pseudorandomness

Proving the existence of a pseudorandom generator is worth$1.000.000!

See: http://www.claymath.org/millennium-problems/p-vs-np-problem/

http://www.claymath.org/millennium-problems/p-vs-np-problem/


Pseudorandomness

Assumption:

Pseudorandom generators exist


Building Secure Encryption Schemes

Our intuition leads us to Π := 〈Gen,Enc,Dec〉:

Gen(1n): pick k ← {0, 1}n, set M = {0, 1}l(n)

Enck(m): compute and return c = m ⊕ G (k)Deck(c): compute and return m = c ⊕ G (k)

What about security?

Definition ⇒ Assumption ⇒ Reduction


Building Encryption Schemes

THEOREMIf G is a pseudorandom generator, then Π is a (fixed length)encryption scheme that has indistinguishable encryption in thepresence of an eavesdropper.

PROOF.I ∀ PPT A for Π with η advantage,I ∃ PPT D for G with η advantage.

Therefore, η must be negligible.


Reduction

Suppose Pr[PrivKeavA,Π(n) = 1] =12 + η(n)

A Ok, b

m0,m1

mb ⊕ G (k)b′

⇒ A is s.t. Pr[b = b′] = 12 + η(n)


Reduction

A b

D

O ′

b′′

m0,m1

mb ⊕ w

b′

1⇔ b = b′

b′′ = 0 ⇒ w ← {0, 1}l(n)

b′′ = 1 ⇒{s ← {0, 1}nw := G (s)

Observe:

I If b′′ = 0, Pr[D outputs 1] = 12 : one-time pad

I If b′′ = 1, Pr[D outputs 1] = 12 + η(n): PrivKeavA,Π(n)

I D distinguishes with advantage η(n)

I If A is PPT, then D is PPT too


Building Encryption Schemes

THEOREMIf G is a pseudorandom generator, then Π is a (fixed length)encryption scheme that has indistinguishable encryption in thepresence of an eavesdropper.

Observations:

I ∃ Encryption with shorter keys than messages!I Proof is conditional, by reduction

I Proof holds for computationally bounded adversaries, andleaves some probability of attack


Variable-length encryption

Π is restricted to messages with |m| ≤ l(|k |)I We need G with variable-length output

I Use G repeatedly until output is long enough (see KL, Fig.7.1)

I Preserves security if G is used polynomially many times


Conclusion

I Computational security opens doors for cryptography withshorter keys

We can encrypt m of length p(|k |)!

I What about encrypting multiple messages? (same key)

Even the one-time pad becomes insecure!

FrontComputational SecurityEncryptionPseudorandomnessRealizing Encryption

Introduction to Cryptography @ Rice · COMP477 - Slide 02 1 Introduction to Cryptography @ Rice...

Documents

Transcript of Introduction to Cryptography @ Rice · COMP477 - Slide 02 1 Introduction to Cryptography @ Rice...