Encryption
Debdeep Mukhopadhyay, IIT Kharagpur

Notion of Security
• "A good disguise should not reveal the person's height" – Shafi Goldwasser and Silvio Micali, 1982
Design of Encryption Algorithms
• Encryption algorithms are used for privacy of data.
  – which means they should not leak any information about the plaintext.
• The question is: when are we satisfied that the cipher really does not leak?
  – For this we need to know the power of the adversary.

What did Shannon say?
• Shannon showed in his classical work that with a one-time pad the cipher achieves "perfect secrecy"
  – no attacker, even with infinite computational power, can obtain any information about the plaintext.
  – But the one-time pad is impractical.
But cryptographers want provable security
• Let's assume that the attacker is a "probabilistic polynomial time" (PPT) machine
  – that's a more practical assumption!
• So now the question is: can the adversary (attacker) obtain information about the plaintext efficiently?
  – for our purpose, efficiently means in polynomial time.

PPT
• A probabilistic (randomized) algorithm A may toss a coin a finite number of times during its computation.
• The output y and the next step may depend on the results of the preceding coin tosses.
• The coin is in general fair.
• Examples: primality test algorithms, factoring algorithms, etc.
Definition of Semantic Security (SS)
For every distribution X over {0,1}^n, and
for every partial information h: {0,1}^n → {0,1}^n,
for every interesting information f: {0,1}^n → {0,1}^*,
for every attacking algorithm A running in time t' ≤ t(n) [t(n) is a polynomial in n],
there exists a simulating algorithm S such that:

$$\Pr_{\substack{m \leftarrow X \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] \;\le\; \Pr_{m \leftarrow X}\big[S(h(m)) = f(m)\big] + \varepsilon(n)$$

• Here ε(n) is a negligible quantity.
• The notion tries to capture ideal security.
• That is, the eavesdropper is effectively disconnected from the communication.
• In spite of observing the ciphertext, he obtains no extra interesting information compared to the case when he has not seen the ciphertext.

Message Indistinguishability (MI)
For every two messages m_0, m_1 ∈ {0,1}^n,
for every attacking algorithm A that runs in time ≤ t(n),

$$\Pr_{\substack{i \in \{0,1\} \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(m_i, p_k), p_k) = i\big] \;\le\; \frac{1}{2} + \varepsilon(n)$$

• SS and MI are equivalent.
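The MI game above can be run as an experiment. The following Python is an added example, not code from the slides: it estimates Pr[A(E(m_i, p_k), p_k) = i] over many fresh keys and random i for two toy public-key schemes, a deterministic one (textbook RSA with constructed tiny primes) and a randomized one (ElGamal in a constructed prime-order subgroup of Z_p^*). The re-encryption adversary, which encrypts m_0 itself under the public key and compares, wins the game with probability 1 against the deterministic scheme and stays at about 1/2 against the randomized one, which is why MI (and hence SS) can only be met by randomized encryption. All function names (mi_game, reencrypt_adversary, keygen_rsa, enc_elgamal, ...) and all parameters are my own constructions and are far too small to be secure.

```python
"""Added example: estimating the MI game success probability for toy schemes.

All parameters are constructed for illustration only; none of this is secure.
"""
import secrets

# --- toy deterministic scheme: textbook RSA with constructed primes ---
RSA_P, RSA_Q, RSA_E = 61, 53, 17          # constructed toy primes, N = 3233


def keygen_rsa():
    n = RSA_P * RSA_Q
    phi = (RSA_P - 1) * (RSA_Q - 1)
    d = pow(RSA_E, -1, phi)               # modular inverse (Python 3.8+)
    return (n, RSA_E), (n, d)             # (p_k, s_k)


def enc_rsa(m, pk):
    n, e = pk
    return pow(m, e, n)                   # same m and pk always give the same c


def dec_rsa(c, sk):
    n, d = sk
    return pow(c, d, n)


# --- toy randomized scheme: ElGamal in the order-q subgroup of Z_p^* ---
EG_P = 1019                # constructed safe prime, p = 2q + 1
EG_Q = 509                 # prime order of the quadratic-residue subgroup
EG_G = 4                   # a quadratic residue, hence a generator of order q


def keygen_elgamal():
    x = 1 + secrets.randbelow(EG_Q - 1)            # secret exponent
    return (EG_P, EG_G, pow(EG_G, x, EG_P)), x      # (p_k, s_k)


def enc_elgamal(m, pk):
    p, g, y = pk
    r = 1 + secrets.randbelow(EG_Q - 1)            # fresh randomness per call
    return pow(g, r, p), (m * pow(y, r, p)) % p


def dec_elgamal(c, sk):
    c1, c2 = c
    shared = pow(c1, sk, EG_P)
    return (c2 * pow(shared, -1, EG_P)) % EG_P


# --- the MI game from the slides ---
def mi_game(keygen, enc, adversary, m0, m1, trials):
    """Estimate Pr[A(E(m_i, p_k), p_k) = i] over uniform i and fresh keys."""
    wins = 0
    for _ in range(trials):
        pk, _sk = keygen()
        i = secrets.randbelow(2)
        c = enc((m0, m1)[i], pk)
        if adversary(c, pk, m0, m1) == i:
            wins += 1
    return wins / trials


def reencrypt_adversary(enc):
    """Generic MI adversary: re-encrypt m0 under the public key and compare."""
    def adversary(c, pk, m0, m1):
        return 0 if enc(m0, pk) == c else 1
    return adversary


def rsa_success(trials=200):
    """Deterministic scheme: the re-encryption adversary is always right."""
    return mi_game(keygen_rsa, enc_rsa, reencrypt_adversary(enc_rsa),
                   42, 1000, trials)


def elgamal_success(trials=1000):
    """Randomized scheme: the same adversary does no better than guessing."""
    m0, m1 = pow(EG_G, 7, EG_P), pow(EG_G, 200, EG_P)   # messages in the subgroup
    return mi_game(keygen_elgamal, enc_elgamal,
                   reencrypt_adversary(enc_elgamal), m0, m1, trials)


if __name__ == "__main__":
    print("textbook RSA, re-encryption adversary:", rsa_success())
    print("ElGamal, same adversary:              ", elgamal_success())
```

The adversary is allowed the public key p_k exactly as in the MI definition; against a deterministic E that is already enough to decide i, so no amount of hardness in the underlying function can rescue MI. Against the ElGamal toy the comparison fails except when the adversary happens to pick the same r, a probability of about 1/q per trial, so the estimate converges to 1/2.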
Proofs: SS ⇒ MI
If X = {m_0, m_1}, f: f(m_0) = 0, f(m_1) = 1, h(): empty output string.
From SS, for every adversary A there is a simulator S, s.t.

$$\Pr_{\substack{m \leftarrow X \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(m, p_k), p_k) = i\big] \;\le\; \Pr_{m \leftarrow X}\big[S() = i\big] + \varepsilon(n)$$

Now, since the simulator receives no information:
Pr[S() = i] = 1/2, regardless of S.
Thus,

$$\Pr_{\substack{i \in \{0,1\} \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(m_i, p_k), p_k) = i\big] \;\le\; \frac{1}{2} + \varepsilon(n)$$

SS ⇒ MI
For every m_0, m_1 ∈ {0,1}^n, for every algorithm A that runs in time t(n), for every a ∈ {0,1}^*,

$$\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_1, p_k), p_k) = a\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_0, p_k), p_k) = a\big] \;\le\; 2\varepsilon(n) \qquad (*)$$

(t, ε)-MI ⇒ (*)  ≡  ¬(*) ⇒ ¬(t, ε)-MI
SS ⇒ MI
Define

$$A'(c, p) = \begin{cases} 1, & \text{if } A(c, p) = a \\ 0, & \text{otherwise} \end{cases}$$

$$\begin{aligned}
\therefore\ \Pr_{\substack{i \in \{0,1\} \\ (p_k, s_k) \leftarrow G(n)}}\big[A'(E(m_i, p_k), p_k) = i\big]
&= \frac{1}{2}\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A'(E(m_0, p_k), p_k) = 0\big] + \frac{1}{2}\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A'(E(m_1, p_k), p_k) = 1\big] \\
&= \frac{1}{2}\Big(1 - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_0, p_k), p_k) = a\big]\Big) + \frac{1}{2}\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_1, p_k), p_k) = a\big] \\
&= \frac{1}{2} + \frac{1}{2}\Big(\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_1, p_k), p_k) = a\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_0, p_k), p_k) = a\big]\Big) \\
&> \frac{1}{2} + \varepsilon(n) \quad\Rightarrow\quad (t, \varepsilon)\text{-MI is violated.}
\end{aligned}$$

(t, ε)-MI ⇒ (t', 2ε)-SS
• Thus ¬(t', 2ε)-SS ⇒ ¬(t, ε)-MI
Define S(z), where z is some information on m:
  Pick (p_k, s_k) ← G(n) at random
  Return A(E(0, p_k), p_k, z)
/* Note that the running time of S is the running time of A + poly(n) */
(t, ε)-MI ⇒ (t', 2ε)-SS
¬(t', 2ε)-SS ⇒

$$\Pr_{\substack{m \leftarrow X \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] \;>\; \Pr_{m \leftarrow X}\big[S(h(m)) = f(m)\big] + 2\varepsilon(n)$$

or,

$$\Pr_{\substack{m \leftarrow X \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] \;>\; \Pr_{\substack{m \leftarrow X \\ (p_k, s_k) \leftarrow G(n)}}\big[A(E(0, p_k), p_k, h(m)) = f(m)\big] + 2\varepsilon(n)$$

or,

$$\sum_{m} \Pr[X = m]\Big(\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(X, p_k), p_k, h(X)) = f(X)\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(0, p_k), p_k, h(X)) = f(X)\big]\Big) \;>\; 2\varepsilon(n)$$

$$\Rightarrow\ \exists\, m' \in X \text{ s.t. } \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m', p_k), p_k, h(m')) = f(m')\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(0, p_k), p_k, h(m')) = f(m')\big] \;>\; 2\varepsilon(n)$$

⇒ as there exists a pair of messages (m' and 0) for which (*) does not hold
⇒ (t, ε)-MI does not hold.