
Cryptography
Lecture 4
Arpita Patra
© Arpita Patra
Recall
>> Perfect Security
o Various Definitions and their equivalence (Shannon’s Theorem)
o Inherent Drawbacks
o Cannot afford perfect security
>> Relaxing Perfect Security
o Make the adversary bounded/efficient/polynomial time
o Allow the break with some small/negligible probability
o Are they necessary?
Today’s Goal
- Both relaxations are necessary.
- Computational/Cryptographic Security: “impossible to break” (perfect security) is replaced by “infeasible to break with high prob.”
o Will make ‘polynomially bounded/efficient’ and ‘small/negligible prob.’ precise
o Paradigm I - Semantic Security for SKE - computational analogue of Shannon’s perfect security
o Paradigm II - Indistinguishability-based Security for SKE - computational analogue of the game/experiment based security definition of perfect security
o Look for assumptions needed for construction and construct a scheme
Necessity of relaxed Threat Model
- Assume a SKE that allows many messages to be encrypted using a single short key
- Allow the adversary to be unbounded powerful in contrast to bounded
- Assume the adversary knows many (m1, c1), (m2, c2), …, (mt, ct): c_i = Enc_k(m_i)
- Decrypt each ciphertext with all possible keys until it finds a matching key --- brute-force O(|K|)
(Figure: holding (m1, c1), (m2, c2), …, (mt, ct), the adversary tries k1, k2, k3, … in turn, asking of each candidate “k?”; on the first “Yes” --- “Hurray: I got the key”)
Necessity of relaxed Break Model
- Assume a SKE that allows many messages to be encrypted using a single short key
- Break is allowed with only zero probability
- Let the adversary know many (m1, c1), (m2, c2), …, (mt, ct): c_i = Enc_k(m_i)
- Make a random guess about k and decrypt each ciphertext with that key to verify
- O(1) time
- Probability: 1/|K|
(Figure: holding the pairs, the adversary picks one candidate at random from k1, k2, k3, … and asks “k?”; if the answer is “Yes” --- “Hurray: my guess was correct”)
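The two attacks on this slide and the previous one, run against a toy scheme as an added example (not code from the lecture): a 16-bit key space |K| = 2^16 is small enough that the unbounded adversary's exhaustive search finishes quickly, while a single random guess succeeds with probability 1/|K|. The scheme, its SHAKE256-derived pad (a stand-in for "some function of the key", not a claim about any real scheme) and the sample (m_i, c_i) pairs are all constructed for the demonstration.

```python
# Added example (not from the lecture slides): brute force vs. random guess against a
# constructed toy SKE with |K| = 2^16. The key-derived pad uses SHAKE256 purely as a
# stand-in for "a function of the key"; nothing here claims it is a proven PRG.
import hashlib
import secrets

KEY_BITS = 16
KEY_SPACE = 2 ** KEY_BITS
MSG_LEN = 4  # bytes per message in the toy scheme


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(k: int, index: int, length: int) -> bytes:
    """Pad for the index-th message under key k (key and message index fed to SHAKE256)."""
    seed = k.to_bytes(KEY_BITS // 8, "big") + index.to_bytes(4, "big")
    return hashlib.shake_256(seed).digest(length)


def enc(k: int, index: int, m: bytes) -> bytes:
    return xor(pad(k, index, len(m)), m)


def dec(k: int, index: int, c: bytes) -> bytes:
    return xor(pad(k, index, len(c)), c)


def known_pairs(k: int, t: int) -> list:
    """(index, m_i, c_i) triples the adversary is assumed to know, c_i = Enc_k(m_i); m_i constructed at random."""
    pairs = []
    for i in range(t):
        m = secrets.token_bytes(MSG_LEN)
        pairs.append((i, m, enc(k, i, m)))
    return pairs


def consistent(k: int, pairs: list) -> bool:
    """Does candidate key k reproduce every known ciphertext?"""
    return all(enc(k, i, m) == c for i, m, c in pairs)


def brute_force(pairs: list) -> list:
    """Unbounded-adversary attack: try every key --- O(|K|) work, certain success.
    Returns all consistent keys; with a few pairs only the true key survives."""
    return [k for k in range(KEY_SPACE) if consistent(k, pairs)]


def random_guess(pairs: list):
    """Bounded-adversary attack: one random key, one check --- O(1) work,
    success probability 1/|K|. Returns the key if the guess was right, else None."""
    k = secrets.randbelow(KEY_SPACE)
    return k if consistent(k, pairs) else None


def guess_success_rate(pairs: list, trials: int) -> float:
    """Empirical success rate of random_guess over `trials` attempts (expect about 1/|K|)."""
    return sum(random_guess(pairs) is not None for _ in range(trials)) / trials


if __name__ == "__main__":
    k = secrets.randbelow(KEY_SPACE)
    pairs = known_pairs(k, 3)
    print("brute force recovered", brute_force(pairs), "true key", k)
    print("random guess success rate", guess_success_rate(pairs, 1000), "vs 1/|K| =", 1 / KEY_SPACE)
```

Three known pairs already pin the key down uniquely: a wrong key reproduces a 4-byte ciphertext only by chance, so brute_force returns a single candidate, while random_guess almost always returns None.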
Making “Polynomially Bounded” Precise – Asymptotic Approach
>> “Feasible” / “Efficient” / “Probabilistic Poly time (PPT)” algorithm means:
- running time of the algorithm is polynomial in the input size
>> PPT adversary = PPT algorithm
- Input size: n
- Running time of adversary is polynomial in n.
- A function f: Z+ → Z+ is polynomial in n if there exists a finite number of constants {c_i} such that f(n) < Σ_i c_i n^i for all n. Example: n^3
>> Example of what a PPT adversary cannot do:
o Assume your key size is n. That is, it is n bits long
o |K| = 2^n
o An efficient/PPT adversary CANNOT brute-force over K
Making “Very Small/Negligible” Precise – Asymptotic Approach
>> “Very small / negligible in n” means those f(n):
- for every polynomial in n, p(n), there exists some positive integer N, such that f(n) < 1/p(n), for all n > N
- “grows slower than any inverse poly”
>> Example: 1/2^n, 1/2^(n/2)
>> How about 1/n^10? Not negligible: for p(n) = n^20 there is no N s.t. 1/n^10 < 1/n^20 for all n > N
>> An adversary running for n^3 time breaks a scheme with probability at most 1/2^n
- The larger the value of n, the tougher the life of the adversary is.
>> Usually the key size is set to n
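An added check of the definition above (not from the lecture): with exact rational arithmetic, find for a given polynomial p(n) the threshold N after which f(n) < 1/p(n) holds over a finite range, and see that 1/2^n has such an N for every polynomial tried while 1/n^10 has none for p(n) = n^20. The candidate functions, the polynomials and the scan bound are constructed for illustration; a finite scan exhibits N or a counterexample but cannot prove the "for all n > N" part.

```python
# Added example (not from the lecture slides): numerically exploring the condition
# "for every polynomial p there is an N with f(n) < 1/p(n) for all n > N".
# All candidate functions and the scan bound `limit` are constructed for the demo.
from fractions import Fraction
from typing import Callable, Optional

Func = Callable[[int], Fraction]
Poly = Callable[[int], int]


def threshold(f: Func, p: Poly, limit: int) -> Optional[int]:
    """The largest n <= limit at which f(n) >= 1/p(n), i.e. the N after which the
    condition holds throughout (N, limit]; 0 if it holds for every n in [1, limit];
    None if it still fails at `limit` itself (no threshold found within the scan)."""
    for n in range(limit, 0, -1):
        if f(n) >= Fraction(1, p(n)):
            return None if n == limit else n
    return 0


def looks_negligible(f: Func, polys, limit: int) -> bool:
    """Does a threshold exist (within the scan) for every polynomial in `polys`?
    A single None is a counterexample to negligibility."""
    return all(threshold(f, p, limit) is not None for p in polys)


def inverse_exponential(n: int) -> Fraction:   # f(n) = 1/2^n
    return Fraction(1, 2 ** n)


def inverse_poly10(n: int) -> Fraction:        # f(n) = 1/n^10
    return Fraction(1, n ** 10)


# Constructed polynomials to test against: n^3, n^20 and 1000*n^2.
POLYS = [lambda n: n ** 3, lambda n: n ** 20, lambda n: 1000 * n ** 2]

if __name__ == "__main__":
    for name, f in (("1/2^n", inverse_exponential), ("1/n^10", inverse_poly10)):
        print(name, [threshold(f, p, 1000) for p in POLYS], looks_negligible(f, POLYS, 1000))
```

Note that the threshold depends on the polynomial: for 1/2^n it is 9 against n^3 but 143 against n^20, which is exactly why the definition quantifies over every polynomial and only asks for some N per polynomial. For 1/n^10 the scan returns 1 against n^3 (it does beat that polynomial) but None against n^20, so it is not negligible.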
Closure properties of poly and negligible functions
Proposition: Let p1 and p2 be polynomials in n. Then,
(i) p1 + p2 is a poly.
(ii) p1 * p2 is a poly.
Proposition: Let negl1 and negl2 be negligible functions in n. Then,
(i) negl1 + negl2 is a negligible function.
(ii) p(n) · negl1 is a negligible function for any poly p(n)
Asymptotic Approach: Summary
>> Security parameter n --- publicly known (part of the scheme); inputs to all algorithms (including adversary) will be made of size polynomial in n.
>> All of the following are functions of the security parameter n:
- Running time of the users: polynomial in n
- Running time of the attacker: polynomial in n
- Success probability of the attacker: negligible in n
>> Typically n is the size of the secret key (ex: n = 128, 256, etc.)
Choosing n Carefully is Very Essential
A designer claims that an adversary running for n^3 minutes can break his scheme with probability 2^40 · 2^-n
- 2^40 · 2^-n is negligible --- hence secure scheme
- But what value of n to select while implementing?
- If n = 40 then an adversary working for 40^3 minutes (6 weeks) can break the scheme with probability 1
- You will claim it’s a useless scheme, but you just made a foolish choice of n
- n = 50?: adversary working for 50^3 minutes (3 months) succeeds with probability 1/1000
- may be unacceptable
- n = 500: adversary working for 200 yrs can break the scheme with probability 2^-460
- definitely acceptable
n = Knob: turning it from min to max, the user’s running time also increases (the cost), while the adversary’s job becomes harder (the gain)
Concrete Approach
>> Set the value of n
>> Run users and adversary on specific machines
>> A concrete statement then reads: No adversary running for 5 yrs on a 4GHz machine can break the scheme with probability better than 2^-60
(Figure: one asymptotic statement (asymptotic approach) stands for the family of concrete statements 1, 2, …, n (concrete approach), one per choice of n)
Syntax of Secret Key Encryption (SKE) Revisited
1. Key-generation Algorithm: Gen(1^n)
> Outputs a key k chosen according to some probability distribution.
> MUST be a Randomized algorithm
2. Encryption Algorithm: Enc_k(m); m in {0,1}^l(n)
> c ← Enc_k(m) when randomized and c := Enc_k(m) when deterministic
> Deterministic/Randomized algorithm
3. Decryption Algorithm: Dec_k(c)
> Outputs m := Dec_k(c)
> Usually deterministic
Semantic Security for SKE
S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2): 270-299, 1984
Threat model: randomized PPT adversary, COA. Break model: infeasible to break with high prob. (rather than impossible to break)
>> Given prior information about message, the ciphertext leaks no additional information about the message
- h(m): external info about m; history function
- f(m): additional information about m that adv wants to compute
Semantic Security: computational analogue of Shannon’s definition of perfect security
Two worlds: In one adv gets the ciphertext and in the other it does not. If the probabilities of guessing f(m) in the two worlds are negligibly apart, then semantic security is achieved.
(Figure: m is sampled; the challenger runs Gen(1^n) to get k and computes c ← Enc_k(m). In world one, A gets c and h(m) and outputs a guess about f(m). In world two, A’ gets only |m| and h(m) and outputs a guess about f(m).)
Π = (Gen, Enc, Dec) is semantically secure if for every PPT A there exists a PPT A’ such that for any Samp and PPT functions f and h:
| Pr[ A(1^n, c, h(m)) = f(m) ] − Pr[ A’(1^n, |m|, h(m)) = f(m) ] | ≤ negl(n)
- The first probability is taken over uniform k, m output by Samp(1^n), the randomness of A and the randomness of Enc
- The second probability is taken over m output by Samp(1^n) and the randomness of A’
Indistinguishability Security for SKE
S. Goldwasser and S. Micali. Probabilistic Encryption. Journal of Computer and System Sciences, 28(2): 270-299, 1984
Threat model: randomized PPT adversary, COA. Break model: infeasible to break with high prob. (rather than impossible to break)
>> Given the knowledge of two messages, it cannot be distinguished if the ciphertext corresponds to the first or second message.
Indistinguishability Based Definition
An Experiment / a game between a challenger and an adversary
Indistinguishability experiment PrivK^ind_{A,Π}(n), for Π = (Gen, Enc, Dec) with message space M:
- Attacker A (run time: Poly(n)) picks m0, m1 ∈ M with |m0| = |m1| (freedom to choose any pair) and sends them to the challenger: “I can break Π”
- Challenger runs Gen(1^n) to get k, picks a uniform bit b and sends c ← Enc_k(m_b) to A
- A outputs b’ ∈ {0, 1} (attacker’s guess about the encrypted message)
- Challenger: “Let me verify” --- PrivK^ind_{A,Π}(n) = 1 if b’ = b (attacker won), 0 otherwise (attacker lost)
Π is ind-secure if for every PPT attacker A, there is a negligible function negl(n) such that
Pr[ PrivK^ind_{A,Π}(n) = 1 ] ≤ ½ + negl(n)
Probability is taken over the randomness used by A and the challenger
Semantic vs. Indistinguishability Security
- Both definitions use the same threat model: randomized PPT adversary, COA
- SEM: Given prior information about message, the ciphertext leaks no additional information about the message
- IND: Given the knowledge of two messages, it cannot be distinguished if the ciphertext corresponds to the first or second message.
IND Security → SEM Security
IND Security ← SEM Security
IND Security ↔ SEM Security
Chalk & Talk 3 (for one): If a scheme is ind-secure then for all PPT A and any index i, there is a negligible function negl(n) s.t.
Pr[ A(1^n, c) = m_i ] ≤ ½ + negl(n), for uniform distribution of k and m (m_i denotes the i-th bit of m).
Indistinguishability Based Definition: Renaming
An Experiment / a game between a challenger and an adversary
The same indistinguishability experiment, now written PrivK^coa_{A,Π}(n), for Π = (Gen, Enc, Dec) with message space M:
- Attacker A (run time: Poly(n)) picks m0, m1 ∈ M with |m0| = |m1| (freedom to choose any pair) and sends them to the challenger: “I can break Π”
- Challenger runs Gen(1^n) to get k, picks a uniform bit b and sends c ← Enc_k(m_b) to A
- A outputs b’ ∈ {0, 1} (attacker’s guess about the encrypted message)
- Challenger: “Let me verify” --- PrivK^coa_{A,Π}(n) = 1 if b’ = b (attacker won), 0 otherwise (attacker lost)
Π is coa-secure if for every PPT attacker A, there is a negligible function negl(n) such that
Pr[ PrivK^coa_{A,Π}(n) = 1 ] ≤ ½ + negl(n)
Probability is taken over the randomness used by A and the challenger
Equivalent Formulation of Ind Definition
(Same game, for Π = (Gen, Enc, Dec), M, n: A (run time Poly(n)) picks m0, m1 with |m0| = |m1| (freedom to choose any pair) and claims “I can break Π”; the challenger runs Gen(1^n) and sends c ← Enc_k(m_b); A outputs b’ ∈ {0, 1}, its guess about the encrypted message; the challenger verifies. Game output: 1 --- attacker won, 0 --- attacker lost)
Pr[ PrivK^coa_{A,Π}(n) = 1 ] ≤ ½ + negl(n)
Intuition behind the definition?
>> Attacker should behave in the same way irrespective of m0 or m1
>> What does same behavior mean? --- Attacker just outputs a bit
>> Same behavior means that the attacker outputs 1 with almost the same probability in each case (irrespective of whether it sees an encryption of m0 or m1)
Equivalent Formulation
PrivK^coa_{A,Π}(n, b): the experiment with m_b selected by the challenger
Output(PrivK^coa_{A,Π}(n, b)): output bit of the attacker during PrivK^coa_{A,Π}(n, b)
Π = (Gen, Enc, Dec) is coa-secure if for every PPT adversary A, there is a negligible function negl, such that:
| Pr[ Output(PrivK^coa_{A,Π}(n, 0)) = 1 ] − Pr[ Output(PrivK^coa_{A,Π}(n, 1)) = 1 ] | ≤ negl(n)
Chalk & Talk 4 (for one): equivalence with the original formulation: Π = (Gen, Enc, Dec) is coa-secure if for every PPT adversary A, there is a negligible function negl, such that:
Pr[ PrivK^coa_{A,Π}(n) = 1 ] ≤ ½ + negl(n)
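The experiment PrivK^coa_{A,Π}(n) and its two formulations, simulated in Python as an added example (not code from the lecture): the same attacker is run against a one-time pad and against a constructed scheme whose pad is a short key repeated, and the run estimates both Pr[PrivK = 1] and |Pr[Output(PrivK(n,0)) = 1] − Pr[Output(PrivK(n,1)) = 1]|. The two schemes, the attacker and the choice n = 64 are assumptions of the demo.

```python
# Added example (not from the lecture slides): a Monte Carlo simulation of the
# experiment PrivK^coa_{A,Π}(n). The two toy schemes, the attacker A and the
# parameters are constructed for illustration; messages, keys and ciphertexts
# are byte strings, so n is taken as a multiple of 16 here.
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class Scheme:
    """Π = (Gen, Enc, Dec); Gen takes the security parameter n (key length in bits)."""
    gen: Callable[[int], bytes]
    enc: Callable[[bytes, bytes], bytes]
    dec: Callable[[bytes, bytes], bytes]


# Scheme 1: one-time pad on n-bit messages, fresh uniform n-bit key from Gen(1^n).
OTP = Scheme(
    gen=lambda n: secrets.token_bytes(n // 8),
    enc=lambda k, m: xor(k, m),
    dec=lambda k, c: xor(k, c),
)


def _repeat_pad(k: bytes, length: int) -> bytes:
    """pad = f(key) with f = 'repeat the key': length-expanding but not random-looking."""
    return (k * (length // len(k) + 1))[:length]


# Scheme 2 (constructed, deliberately weak): an n/2-bit key stretched to n bits by
# repetition and used OTP-style. Both halves of the pad are equal, so the XOR of the
# two ciphertext halves equals the XOR of the two message halves.
LEAKY = Scheme(
    gen=lambda n: secrets.token_bytes(n // 16),
    enc=lambda k, m: xor(_repeat_pad(k, len(m)), m),
    dec=lambda k, c: xor(_repeat_pad(k, len(c)), c),
)


def adversary_halves(n: int):
    """A PPT attacker A: returns its chosen pair (m0, m1), |m0| = |m1|, and its guessing rule."""
    nbytes, half = n // 8, n // 16
    m0 = bytes(nbytes)                                  # 00...0
    m1 = bytes([0xFF]) * half + bytes(nbytes - half)    # 11...1 00...0

    def guess(c: bytes) -> int:
        # Under a repeated pad c[:half] ^ c[half:] == m[:half] ^ m[half:], which is
        # all-ones exactly for m1. Against a uniform pad this test carries no information.
        return 1 if xor(c[:half], c[half:]) == bytes([0xFF]) * half else 0

    return m0, m1, guess


def privk_coa(scheme: Scheme, adversary, n: int, b: Optional[int] = None):
    """One run of PrivK^coa_{A,Π}(n); returns (challenger's bit b, attacker's guess b').
    The experiment outputs 1 (attacker won) iff b' == b."""
    m0, m1, guess = adversary(n)            # A commits to (m0, m1)
    k = scheme.gen(n)                       # challenger runs Gen(1^n)
    if b is None:
        b = secrets.randbelow(2)            # uniform challenge bit
    c = scheme.enc(k, (m0, m1)[b])          # c <- Enc_k(m_b)
    return b, guess(c)


def estimate(scheme: Scheme, adversary, n: int, trials: int) -> dict:
    """Both formulations from `trials` runs per challenge bit:
    p_b = Pr[Output(PrivK(n, b)) = 1], the gap |p_0 - p_1|, and
    Pr[PrivK(n) = 1] = 1/2 * (1 - p_0) + 1/2 * p_1 = 1/2 + (p_1 - p_0)/2."""
    p = []
    for b in (0, 1):
        ones = sum(privk_coa(scheme, adversary, n, b)[1] for _ in range(trials))
        p.append(ones / trials)
    return {"p0": p[0], "p1": p[1], "gap": abs(p[0] - p[1]),
            "success": 0.5 + (p[1] - p[0]) / 2}


if __name__ == "__main__":
    for name, scheme in (("OTP", OTP), ("LEAKY", LEAKY)):
        print(name, estimate(scheme, adversary_halves, 64, 500))
```

Against LEAKY the attacker outputs 1 exactly when b = 1, so the gap is 1 and the success probability is 1; against OTP its test almost never fires, so it outputs 0 in both worlds, the gap is 0 and the success probability is ½. The identity Pr[PrivK = 1] = ½ + (p1 − p0)/2 used in `estimate` is the arithmetic behind the equivalence of the two formulations.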
Assumptions for coa-Secure SKEs
>> Recall the promises of computational security?
- Shorter key for big message
- Key Reuse
>> Let’s go OTP style: key will be used to pad/mask the message
- The pad can’t be just the key
- Pad = f(key) and the function is length-expanding??
- For perfect security the pad needed to be truly random
- For computational security, it is enough if the pad ‘looks’ random to a PPT adversary but actually is not.
(Figure: OTP with M = K = C = {0,1}^l --- Gen: k ←_R K; Enc: given m ∈ M, c := m ⊕ k; Dec: given c ∈ C, m := c ⊕ k)
Assumptions for coa-Secure SKEs
M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudo-random Bits. SIAM Journal of Computing, 13(4), 850-864, 1984
A. C.-C. Yao. Theory and Applications of Trapdoor Functions. FOCS, 80-91, 1982.
Pseudorandom Generators (PRGs): Tool to cheat the PPT adversaries
Pseudorandomness
- It’s a property of a probability distribution over {the set of all binary strings of length l}
- G: a prob. dist. = {set of probabilities}; a string drawn according to G is called pseudorandom
- U: uniform probability distribution; a string drawn according to U is called random
(Figure: a distinguisher asks the sampler for G or U “Give me a string” and receives a string w)
G is pseudorandom if a string drawn according to G is indistinguishable from a string drawn according to U to a PPT distinguisher
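The distinguishing game for G against U, together with the "pad = G(key)" encryption of the previous slide, as an added example (not code from the lecture). Two expanders are constructed: a linear congruential generator, which is length-expanding but fails against a distinguisher that knows its recurrence, and SHAKE256 used as a stand-in for a PRG (an assumption of the demo, not a claim of the lecture). The seed length, output length and the distinguisher are also constructed for the demonstration.

```python
# Added example (not from the lecture slides): the PRG distinguishing game and the
# "pad = G(key)" encryption it enables. `lcg_expand` (a linear congruential generator,
# Numerical Recipes constants) is length-expanding but predictable; `shake_expand`
# uses SHAKE256 as a stand-in for G and is assumed pseudorandom here for the demo.
import hashlib
import secrets
from typing import Callable

Expander = Callable[[bytes, int], bytes]   # G: n-bit seed -> l-bit string, l > n
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 2 ** 32


def lcg_expand(seed: bytes, out_len: int) -> bytes:
    """Each output word is a fixed linear function of the previous one:
    x_{i+1} = (a * x_i + c) mod 2^32, starting from the seed."""
    x = int.from_bytes(seed, "big") % LCG_M
    out = bytearray()
    while len(out) < out_len:
        out += x.to_bytes(4, "big")
        x = (LCG_A * x + LCG_C) % LCG_M
    return bytes(out[:out_len])


def shake_expand(seed: bytes, out_len: int) -> bytes:
    return hashlib.shake_256(seed).digest(out_len)


def uniform(out_len: int) -> bytes:
    """Sampler for U: a truly random string of G's output length."""
    return secrets.token_bytes(out_len)


def lcg_distinguisher(w: bytes) -> int:
    """A PPT distinguisher D that knows the LCG's structure: outputs 1 iff every
    consecutive pair of 32-bit words in w satisfies the LCG recurrence."""
    words = [int.from_bytes(w[i:i + 4], "big") for i in range(0, len(w) - len(w) % 4, 4)]
    follows = all((LCG_A * words[i] + LCG_C) % LCG_M == words[i + 1]
                  for i in range(len(words) - 1))
    return 1 if follows else 0


def distinguishing_advantage(G: Expander, D: Callable[[bytes], int],
                             seed_len: int, out_len: int, trials: int) -> float:
    """Estimate |Pr[D(G(s)) = 1] - Pr[D(w) = 1]| for s <- {0,1}^n (seed), w <- U over {0,1}^l.
    G is pseudorandom against this D only if the estimate is negligible."""
    on_g = sum(D(G(secrets.token_bytes(seed_len), out_len)) for _ in range(trials)) / trials
    on_u = sum(D(uniform(out_len)) for _ in range(trials)) / trials
    return abs(on_g - on_u)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prg_enc(G: Expander, k: bytes, m: bytes) -> bytes:
    """OTP-style encryption with pad = G(k): a short key k masks a longer message m."""
    return xor(G(k, len(m)), m)


def prg_dec(G: Expander, k: bytes, c: bytes) -> bytes:
    return xor(G(k, len(c)), c)


if __name__ == "__main__":
    for name, G in (("LCG", lcg_expand), ("SHAKE256", shake_expand)):
        print(name, "advantage of lcg_distinguisher:",
              distinguishing_advantage(G, lcg_distinguisher, 4, 32, 200))
    k = secrets.token_bytes(4)
    msg = b"a 32-byte message for a 4B key!!"
    print(prg_dec(shake_expand, k, prg_enc(shake_expand, k, msg)))
```

A uniform 32-byte string satisfies the seven LCG relations only by chance (about 2^-224), so D's advantage against the LCG is 1 and against the SHAKE stand-in is 0. The distinguisher is specific to one structure; a generator is pseudorandom only if every PPT distinguisher has negligible advantage, which a single test like this cannot establish.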