Indistinguishability of encryptions – private-key model

Definition 3 (Indistinguishability of encryptions – private-key model)
An encryption scheme $(G, E, D)$ has indistinguishable encryptions in the private-key model if for any $p, \ell \in \mathrm{poly}$, any $\{x_n, y_n \in \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$, any $\{z_n \in \{0,1\}^{p(n)}\}_{n \in \mathbb{N}}$ and any poly-time $B$,
$$\Bigl|\Pr_{e \leftarrow G(1^n)_1}[B(z_n, E_e(x_n)) = 1] - \Pr_{e \leftarrow G(1^n)_1}[B(z_n, E_e(y_n)) = 1]\Bigr| = \mathrm{neg}(n).$$

Non-uniform definition: the message pair $(x_n, y_n)$ and the advice string $z_n$ are fixed per $n$, not chosen by $B$.
Public-key variant: $B$ is additionally given the public key $e$.
Equivalence of definitions

Theorem 4
An encryption scheme $(G, E, D)$ is semantically secure iff it has indistinguishable encryptions.

We prove the private-key case.
Indistinguishability ⟹ Semantic Security

Fix $M$, $A$, $f$ and $h$ as in Definition 2. We construct the simulator $A'$ as follows.

Algorithm 5 ($A'$)
Input: $1^n$, $1^{|m|}$ and $h(m)$
1. $e \leftarrow G(1^n)_1$
2. $c = E_e(1^{|m|})$
3. Output $A(1^n, 1^{|m|}, h(m), c)$

Claim 6
$A'$ is a good simulator for $A$ (according to Definition 2).
Proving Claim 6

For $n \in \mathbb{N}$, let
$$\delta(n) := \Bigl|\Pr_{m \leftarrow M_n,\, e \leftarrow G(1^n)_1}[A(1^n, 1^{|m|}, h(1^n, m), E_e(m)) = f(1^n, m)] - \Pr_{m \leftarrow M_n}[A'(1^n, 1^{|m|}, h(1^n, m)) = f(1^n, m)]\Bigr|.$$

Claim 7
For every $n \in \mathbb{N}$ there exists $x_n \in \mathrm{Supp}(M_n)$ with
$$\delta(n) \le \Bigl|\Pr_{e \leftarrow G(1^n)_1}[A(1^n, 1^{|x_n|}, h(1^n, x_n), E_e(x_n)) = f(1^n, x_n)] - \Pr[A'(1^n, 1^{|x_n|}, h(1^n, x_n)) = f(1^n, x_n)]\Bigr|.$$

Proof: write both probabilities in the definition of $\delta(n)$ as sums over the choices of $m \in \mathrm{Supp}(M_n)$, and use $|a + b| \le |a| + |b|$.
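The averaging step behind Claim 7, written out (added here; it uses only the quantities defined above). Abbreviate $p_x := \Pr_{e}[A(1^n, 1^{|x|}, h(1^n,x), E_e(x)) = f(1^n,x)]$ and $q_x := \Pr[A'(1^n, 1^{|x|}, h(1^n,x)) = f(1^n,x)]$ for $x \in \mathrm{Supp}(M_n)$. Then
$$\delta(n) = \Bigl|\sum_{x \in \mathrm{Supp}(M_n)} \Pr[M_n = x]\,(p_x - q_x)\Bigr| \le \sum_{x \in \mathrm{Supp}(M_n)} \Pr[M_n = x]\,|p_x - q_x| \le \max_{x \in \mathrm{Supp}(M_n)} |p_x - q_x|,$$
since the weights $\Pr[M_n = x]$ are non-negative and sum to $1$. Taking $x_n$ to be the maximizer gives Claim 7.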
Assume there exist an infinite $I \subseteq \mathbb{N}$ and $p \in \mathrm{poly}$ such that $\delta(n) > 1/p(n)$ for every $n \in I$. The following algorithm contradicts the indistinguishability of $(G, E, D)$ with respect to $\{(x_n,\, y_n = 1^{|x_n|})\}_{n \in \mathbb{N}}$ and $\{z_n = (1^n, 1^{|x_n|}, h(1^n, x_n), f(1^n, x_n))\}_{n \in \mathbb{N}}$.

Algorithm 8 ($B$)
Input: $z_n = (1^n, 1^{|x_n|}, h(1^n, x_n), f(1^n, x_n))$ and $c$
Output $1$ iff $A(1^n, 1^{|x_n|}, h(1^n, x_n), c) = f(1^n, x_n)$.

Indeed, $\Pr_e[B(z_n, E_e(x_n)) = 1]$ is the first probability in Claim 7, and $\Pr_e[B(z_n, E_e(1^{|x_n|})) = 1]$ is exactly the success probability of $A'$ (which feeds $A$ an encryption of $1^{|x_n|}$), so by Claim 7 the two differ by more than $1/p(n)$ for every $n \in I$.
Semantic Security ⟹ Indistinguishability

Assume there exist a PPT $B$, $\{x_n, y_n \in \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$, $\{z_n\}_{n \in \mathbb{N}}$ and $p \in \mathrm{poly}$ such that (wlog) for infinitely many $n$:
$$\Pr_{e \leftarrow G(1^n)_1}[B(z_n, E_e(x_n)) = 1] - \Pr_{e \leftarrow G(1^n)_1}[B(z_n, E_e(y_n)) = 1] \ge \frac{1}{p(n)}. \tag{1}$$

Let $M_n$ be $x_n$ with probability $1/2$ and $y_n$ otherwise. Let $f(1^n, x_n) = 1$, $f(1^n, y_n) = 0$ and $h(1^n, \cdot) = z_n$. Define $A(1^n, 1^{\ell(n)}, z_n, c)$ to return $B(z_n, c)$. Then
$$\Pr_{m \leftarrow M_n,\, e \leftarrow G(1^n)_1}[A(1^n, 1^{|m|}, h(1^n, m), E_e(m)) = f(1^n, m)] \ge \frac{1}{2} + \frac{1}{2p(n)}, \tag{2}$$
whereas for any $A'$
$$\Pr_{m \leftarrow M_n}[A'(1^n, 1^{|m|}, h(1^n, m)) = f(1^n, m)] \le \frac{1}{2}, \tag{3}$$
since the input $(1^n, 1^{\ell(n)}, z_n)$ of $A'$ is independent of $m$, while $f(1^n, m)$ is a uniform bit.
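The two inequalities, derived (added here, using the symbols of the proof above; note that the gap in (2) is half the advantage in (1), because $m$ is $x_n$ only half of the time). Writing $\alpha := \Pr_e[B(z_n, E_e(x_n)) = 1]$ and $\beta := \Pr_e[B(z_n, E_e(y_n)) = 1]$,
$$\Pr_{m, e}[A(1^n, 1^{|m|}, z_n, E_e(m)) = f(1^n, m)] = \tfrac{1}{2}\,\Pr_e[B(z_n, E_e(x_n)) = 1] + \tfrac{1}{2}\,\Pr_e[B(z_n, E_e(y_n)) = 0] = \tfrac{1}{2}\alpha + \tfrac{1}{2}(1 - \beta) = \tfrac{1}{2} + \tfrac{1}{2}(\alpha - \beta) \ge \tfrac{1}{2} + \tfrac{1}{2p(n)},$$
which is (2). For (3), let $\gamma := \Pr[A'(1^n, 1^{\ell(n)}, z_n) = 1]$; this probability does not depend on $m$, so
$$\Pr_{m}[A'(1^n, 1^{\ell(n)}, z_n) = f(1^n, m)] = \tfrac{1}{2}\,\gamma + \tfrac{1}{2}\,\Pr[A'(1^n, 1^{\ell(n)}, z_n) = 0] \le \tfrac{1}{2}\gamma + \tfrac{1}{2}(1 - \gamma) = \tfrac{1}{2}.$$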
Security Under Multiple Encryptions

Definition 9 (Indistinguishability for multiple encryptions – private-key model)
An encryption scheme $(G, E, D)$ has indistinguishable encryptions for multiple messages in the private-key model if for any $p, \ell, t \in \mathrm{poly}$, any $\{x_{n,1}, \dots, x_{n,t(n)},\, y_{n,1}, \dots, y_{n,t(n)} \in \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$, any $\{z_n \in \{0,1\}^{p(n)}\}_{n \in \mathbb{N}}$ and any polynomial-time $B$,
$$\Bigl|\Pr_{e \leftarrow G(1^n)_1}[B(z_n, E_e(x_{n,1}), \dots, E_e(x_{n,t(n)})) = 1] - \Pr_{e \leftarrow G(1^n)_1}[B(z_n, E_e(y_{n,1}), \dots, E_e(y_{n,t(n)})) = 1]\Bigr| = \mathrm{neg}(n).$$

Extensions:
- Messages of different lengths
- Semantic-security version
- Public-key definition
Multiple Encryption in the Public-Key Model

Theorem 10
A public-key encryption scheme has indistinguishable encryptions for multiple messages iff it has indistinguishable encryptions for a single message.

Proof: Assume $(G, E, D)$ is public-key secure for a single message but not for multiple messages, with respect to $B$, $\{x_{n,1}, \dots, x_{n,t(n)},\, y_{n,1}, \dots, y_{n,t(n)} \in \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$ and $\{z_n \in \{0,1\}^{p(n)}\}_{n \in \mathbb{N}}$. It follows (hybrid argument) that for some function $i(n) \in [t(n)]$,
$$\Bigl|\Pr[B(1^n, e, z_n, E_e(x_{n,1}), \dots, E_e(x_{n,i-1}), E_e(y_{n,i}), \dots, E_e(y_{n,t(n)})) = 1] - \Pr[B(1^n, e, z_n, E_e(x_{n,1}), \dots, E_e(x_{n,i}), E_e(y_{n,i+1}), \dots, E_e(y_{n,t(n)})) = 1]\Bigr|$$
is not negligible, where in both cases $e \leftarrow G(1^n)_1$.
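The hybrid step, worked out (added here; the hybrid names $H_i$ are notation introduced for this derivation, not from the slides). For $0 \le i \le t(n)$ let $H_i$ denote the input $(1^n, e, z_n, E_e(x_{n,1}), \dots, E_e(x_{n,i}), E_e(y_{n,i+1}), \dots, E_e(y_{n,t(n)}))$ with $e \leftarrow G(1^n)_1$, so that $H_0$ is the all-$y$ input and $H_{t(n)}$ the all-$x$ input. If $B$ distinguishes the two with advantage at least $1/p(n)$, then by telescoping
$$\frac{1}{p(n)} \le \Bigl|\Pr[B(H_{t(n)}) = 1] - \Pr[B(H_0) = 1]\Bigr| = \Bigl|\sum_{i=1}^{t(n)} \bigl(\Pr[B(H_i) = 1] - \Pr[B(H_{i-1}) = 1]\bigr)\Bigr| \le \sum_{i=1}^{t(n)} \Bigl|\Pr[B(H_i) = 1] - \Pr[B(H_{i-1}) = 1]\Bigr|,$$
so some index $i = i(n)$ satisfies $|\Pr[B(H_i) = 1] - \Pr[B(H_{i-1}) = 1]| \ge 1/(t(n)\,p(n))$. The inputs $H_{i-1}$ and $H_i$ differ only in slot $i$, which holds $E_e(y_{n,i})$ in the former and $E_e(x_{n,i})$ in the latter; this is the slot Algorithm 11 fills with its own challenge ciphertext.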
Algorithm 11 ($B'$)
Input: $1^n$, $e$, $z'_n = (i(n), z_n, x_{n,1}, \dots, x_{n,t(n)}, y_{n,1}, \dots, y_{n,t(n)})$ and $c$
Return $B(1^n, e, z_n, E_e(x_{n,1}), \dots, E_e(x_{n,i-1}), c, E_e(y_{n,i+1}), \dots, E_e(y_{n,t(n)}))$.

When $c = E_e(x_{n,i})$ the input handed to $B$ is the second distribution above, and when $c = E_e(y_{n,i})$ it is the first, so $B'$ distinguishes $E_e(x_{n,i})$ from $E_e(y_{n,i})$ with the same advantage as $B$ has on the two hybrids.
$B'$ is critically using the public key $e$: it produces the other $t(n) - 1$ ciphertexts itself, which is impossible in the private-key model.
Multiple Encryption in the Private-Key Model

Fact 12
Assuming (non-uniform) OWFs exist, there exists an encryption scheme that has private-key indistinguishable encryptions for a single message, but not for multiple messages.

Proof: Let $g\colon \{0,1\}^n \mapsto \{0,1\}^{n+1}$ be a (non-uniform) PRG, and for $i \in \mathbb{N}$ let $g_i$ be its "iterated extension" to output length $i$ (see Lecture 2, Construction 15).

Construction 13
$G(1^n)$: output $e \leftarrow \{0,1\}^n$
$E_e(m)$: output $g_{|m|}(e) \oplus m$
$D_e(c)$: output $g_{|c|}(e) \oplus c$
Claim 14
$(G, E, D)$ has private-key indistinguishable encryptions for a single message.

Proof: Assume not, and let $B$, $\{x_n, y_n \in \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$ and $\{z_n \in \{0,1\}^{p(n)}\}_{n \in \mathbb{N}}$ be the triplet that realizes it. Since $U_{\ell(n)} \oplus x_n$ and $U_{\ell(n)} \oplus y_n$ are both uniform, $B$ cannot tell them apart, so by the triangle inequality it distinguishes $E_e(x_n)$ from $U_{\ell(n)} \oplus x_n$ or $E_e(y_n)$ from $U_{\ell(n)} \oplus y_n$; wlog the former:
$$\Bigl|\Pr[B(z_n, g_{|x_n|}(U_n) \oplus x_n) = 1] - \Pr[B(z_n, U_{|x_n|} \oplus x_n) = 1]\Bigr| \text{ is not negligible.} \tag{4}$$
Hence $B$ (with advice $z_n$ and $x_n$, which XORs $x_n$ into its input before running $B$) is a (non-uniform) distinguisher for $g_{|x_n|}$, contradicting the pseudorandomness of $g$.

Claim 15
$(G, E, D)$ does not have private-key indistinguishable encryptions for multiple messages.

Proof: Take $x_{n,1} = x_{n,2}$ and $y_{n,1} \ne y_{n,2}$, and let the distinguisher $B(c_1, c_2)$ output $1$ iff $c_1 = c_2$. Because $E$ is deterministic, $E_e(x_{n,1}) = E_e(x_{n,2})$ always, while $E_e(y_{n,1}) \ne E_e(y_{n,2})$ always, so $B$ has advantage $1$.
Section 2: Constructions
Private-key indistinguishable encryptions for multiple messages

It suffices to encrypt messages of some fixed length (here the length is $n$).
Let $F = \{F_n\}$ be a (non-uniform) length-preserving PRF, and write $e \leftarrow F_n$ for sampling a function from the family.

Construction 16
$G(1^n)$: output $e \leftarrow F_n$
$E_e(m)$: choose $r \leftarrow \{0,1\}^n$ and output $(r, e(r) \oplus m)$
$D_e(r, c)$: output $e(r) \oplus c$

Claim 17
$(G, E, D)$ has private-key indistinguishable encryptions for multiple messages.

Proof sketch: replace $e$ by a truly random function (the distinguisher cannot notice, by PRF security). Unless two of the $t(n)$ sampled values $r$ collide, which happens with probability at most $t(n)^2 / 2^n$, the pads $e(r)$ are independent and uniform, and then the ciphertexts are distributed identically for the $x$'s and the $y$'s.
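An added example, not part of the lecture notes, that runs the Claim 15 distinguisher against both Construction 13 (deterministic PRG stream) and Construction 16 (PRF with a fresh random $r$). The PRG $g_i$ is instantiated by iterating SHA-256 in counter mode over the seed (a heuristic stand-in, not the Lecture 2 construction), the PRF $e(\cdot)$ by HMAC-SHA256 under key $e$, and messages are 32 bytes long; all of these are assumptions made for the demo. It also shows the classic consequence of the deterministic scheme: XOR of two ciphertexts equals XOR of the two plaintexts.

```python
"""Added demo: Construction 13 vs Construction 16 under the Claim 15 distinguisher.

Assumptions (demo stand-ins, not the lecture's primitives):
  * g(e, L): "PRG" = SHA-256 in counter mode over seed e, truncated to L bytes
  * prf(e, r): "PRF" = HMAC-SHA256(key=e, msg=r)
  * N = 32 byte messages (the n of the constructions, matching the PRF output)
"""
import hashlib
import hmac
import os

N = 32  # message / pad length in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Construction 13: E_e(m) = g_{|m|}(e) XOR m, no randomness per message ----
def g(e: bytes, length: int) -> bytes:
    """Toy PRG expanding seed e to `length` bytes (SHA-256 counter mode)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(e + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def enc13(e: bytes, m: bytes) -> bytes:
    return xor(g(e, len(m)), m)


def dec13(e: bytes, c: bytes) -> bytes:
    return xor(g(e, len(c)), c)


# ---- Construction 16: E_e(m) = (r, F_e(r) XOR m) with fresh r per message ----
def prf(e: bytes, r: bytes) -> bytes:
    return hmac.new(e, r, hashlib.sha256).digest()


def enc16(e: bytes, m: bytes) -> tuple:
    r = os.urandom(N)
    return r, xor(prf(e, r), m)


def dec16(e: bytes, ct: tuple) -> bytes:
    r, c = ct
    return xor(prf(e, r), c)


# ---- Claim 15 distinguisher B(c1, c2): output 1 iff the ciphertexts are equal ----
def equal_ciphertexts(c1, c2) -> int:
    return int(c1 == c2)


def advantage(enc, trials: int = 64) -> float:
    """Empirical |Pr[B=1 on (x1,x2)] - Pr[B=1 on (y1,y2)]| with x1 = x2, y1 != y2."""
    x1 = x2 = b"A" * N            # constructed message pair: equal
    y1, y2 = b"A" * N, b"B" * N   # constructed message pair: distinct
    hits_x = hits_y = 0
    for _ in range(trials):
        e = os.urandom(N)         # G(1^n): fresh key for each trial
        hits_x += equal_ciphertexts(enc(e, x1), enc(e, x2))
        hits_y += equal_ciphertexts(enc(e, y1), enc(e, y2))
    return abs(hits_x - hits_y) / trials


def multi_message_break() -> dict:
    """Construction 13 is distinguished with advantage 1; Construction 16 is not."""
    return {"construction13": advantage(enc13), "construction16": advantage(enc16)}


def two_time_pad_leak(e: bytes, m1: bytes, m2: bytes) -> bool:
    """Under Construction 13, c1 XOR c2 == m1 XOR m2: the key pad cancels out."""
    return xor(enc13(e, m1), enc13(e, m2)) == xor(m1, m2)


if __name__ == "__main__":
    print(multi_message_break())
    print(two_time_pad_leak(os.urandom(N), b"attack at dawn".ljust(N), b"hold position".ljust(N)))
```

The equal-ciphertext test is exactly the "$c_1 = c_2$" distinguisher of Claim 15: for Construction 16 it only fires when two 32-byte values of $r$ collide, which is the $t(n)^2 / 2^n$ term in the proof sketch of Claim 17.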
Public-key indistinguishable encryptions for multiple messages

Let $(G, f, \mathrm{Inv})$ be a (non-uniform) TDP, and let $b$ be a hardcore predicate for $f$.

Construction 18 (bit encryption)
$G(1^n)$: output $(e, d) \leftarrow G(1^n)$
$E_e(m)$: choose $r \leftarrow \{0,1\}^n$ and output $(y = f_e(r),\; c = b(r) \oplus m)$
$D_d(y, c)$: output $b(\mathrm{Inv}_d(y)) \oplus c$

Claim 19
$(G, E, D)$ has public-key indistinguishable encryptions for multiple messages.

We believe that public-key encryption schemes are "more complex" than private-key ones: here we needed a trapdoor permutation, whereas a OWF sufficed in the private-key case.
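An added example, not from the lecture notes, instantiating Construction 18 with the RSA trapdoor permutation $f_e(r) = r^{\mathrm{exp}} \bmod N$ and the least-significant-bit hardcore predicate (a hardcore bit for RSA by Alexi, Chor, Goldreich and Schnorr). Assumptions made for the demo: the TDP domain is $\mathbb{Z}_N^*$ rather than $\{0,1\}^n$, the primes are tiny constructed values (readable, not secure), and a multi-bit message is encrypted bit by bit with independent randomness, which is the multiple-encryptions setting of Claim 19.

```python
"""Added demo: Construction 18 (bit encryption from a TDP + hardcore predicate)
instantiated with toy RSA.

Assumptions:
  * f_e(r) = r^exp mod N, Inv_d(y) = y^dexp mod N, domain Z_N^* (stands in for {0,1}^n)
  * b(r) = lsb(r), a hardcore predicate for RSA
  * P, Q are constructed toy primes: far too small for real use
"""
import math
import secrets

P, Q = 1000003, 1000033  # constructed toy primes (both prime; NOT a secure size)


def keygen() -> tuple:
    """G(1^n): public key e = (N, exp), trapdoor d = (N, dexp)."""
    n_mod = P * Q
    phi = (P - 1) * (Q - 1)
    exp = 65537
    dexp = pow(exp, -1, phi)  # modular inverse (Python 3.8+)
    return (n_mod, exp), (n_mod, dexp)


def f(e: tuple, r: int) -> int:
    n_mod, exp = e
    return pow(r, exp, n_mod)


def inv(d: tuple, y: int) -> int:
    n_mod, dexp = d
    return pow(y, dexp, n_mod)


def b(r: int) -> int:
    """Hardcore predicate: least significant bit of the preimage."""
    return r & 1


def sample_domain(e: tuple) -> int:
    """Uniform r in Z_N^* by rejection sampling on gcd(r, N) = 1."""
    n_mod = e[0]
    while True:
        r = secrets.randbelow(n_mod - 1) + 1
        if math.gcd(r, n_mod) == 1:
            return r


def enc_bit(e: tuple, m: int) -> tuple:
    """E_e(m) for a single bit: (y = f_e(r), c = b(r) XOR m)."""
    r = sample_domain(e)
    return f(e, r), b(r) ^ m


def dec_bit(d: tuple, ct: tuple) -> int:
    """D_d(y, c) = b(Inv_d(y)) XOR c."""
    y, c = ct
    return b(inv(d, y)) ^ c


def enc_bits(e: tuple, bits: list) -> list:
    """Multiple encryptions under the same public key, fresh r per bit."""
    return [enc_bit(e, m) for m in bits]


def dec_bits(d: tuple, cts: list) -> list:
    return [dec_bit(d, ct) for ct in cts]


def roundtrip(bits: list) -> bool:
    e, d = keygen()
    return dec_bits(d, enc_bits(e, bits)) == bits


def randomized(bit: int) -> bool:
    """Two encryptions of the same bit differ (fresh r each time)."""
    e, _ = keygen()
    return enc_bit(e, bit) != enc_bit(e, bit)


if __name__ == "__main__":
    print(roundtrip([1, 0, 1, 1, 0, 0, 1, 0]), randomized(1))
```

Each bit costs one TDP evaluation and transmits a full group element, which is why the construction is presented as bit encryption and why longer messages are handled as a sequence of independent encryptions rather than a single one.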
Section 3: Active Adversaries
Active Adversaries

Chosen plaintext attack (CPA): the adversary can ask for encryptions, and chooses the messages to distinguish accordingly.
Chosen ciphertext attack (CCA): the adversary can also ask for decryptions of ciphertexts of its choice.
In the public-key setting, the adversary is also given the public key.
We focus on indistinguishability, but each of the above definitions has an equivalent semantic-security variant.
CPA Security

Let $(G, E, D)$ be an encryption scheme. For a pair of algorithms $A = (A_1, A_2)$, $n \in \mathbb{N}$, $z \in \{0,1\}^*$ and $b \in \{0,1\}$, let:

Experiment 20 ($\mathrm{Exp}^{\mathrm{CPA}}_{A,n,z}(b)$)
1. $(e, d) \leftarrow G(1^n)$
2. $(m_0, m_1, s) \leftarrow A_1^{E_e(\cdot)}(1^n, z)$ (with $|m_0| = |m_1|$)
3. $c \leftarrow E_e(m_b)$
4. Output $A_2^{E_e(\cdot)}(1^n, s, c)$

Definition 21 (private-key CPA)
$(G, E, D)$ has indistinguishable encryptions in the private-key model under CPA attack if for all PPT $A = (A_1, A_2)$ and all poly-bounded $\{z_n\}_{n \in \mathbb{N}}$:
$$\Bigl|\Pr[\mathrm{Exp}^{\mathrm{CPA}}_{A,n,z_n}(0) = 1] - \Pr[\mathrm{Exp}^{\mathrm{CPA}}_{A,n,z_n}(1) = 1]\Bigr| = \mathrm{neg}(n).$$
Public-key variant: $A_1$ and $A_2$ are additionally given the public key $e$.

The scheme from Construction 16 has indistinguishable encryptions in the private-key model under CPA attack (for short, it is private-key CPA secure).
The scheme from Construction 18 has indistinguishable encryptions in the public-key model under CPA attack (for short, it is public-key CPA secure).
In both cases, the definitions are not equivalent.
CCA Security

Experiment 22 ($\mathrm{Exp}^{\mathrm{CCA1}}_{A,n,z}(b)$)
1. $(e, d) \leftarrow G(1^n)$
2. $(m_0, m_1, s) \leftarrow A_1^{E_e(\cdot),\, D_d(\cdot)}(1^n, z)$
3. $c \leftarrow E_e(m_b)$
4. Output $A_2^{E_e(\cdot)}(1^n, s, c)$

Experiment 23 ($\mathrm{Exp}^{\mathrm{CCA2}}_{A,n,z}(b)$)
1. $(e, d) \leftarrow G(1^n)$
2. $(m_0, m_1, s) \leftarrow A_1^{E_e(\cdot),\, D_d(\cdot)}(1^n, z)$
3. $c \leftarrow E_e(m_b)$
4. Output $A_2^{E_e(\cdot),\, D_d^{\neg c}(\cdot)}(1^n, s, c)$, where $D_d^{\neg c}$ answers every decryption query except $c$ itself
Definition 24 (private-key CCA1 / CCA2)
$(G, E, D)$ has indistinguishable encryptions in the private-key model under $x \in \{\mathrm{CCA1}, \mathrm{CCA2}\}$ attack if for all PPT $A = (A_1, A_2)$ and all poly-bounded $\{z_n\}_{n \in \mathbb{N}}$:
$$\Bigl|\Pr[\mathrm{Exp}^{x}_{A,n,z_n}(0) = 1] - \Pr[\mathrm{Exp}^{x}_{A,n,z_n}(1) = 1]\Bigr| = \mathrm{neg}(n).$$

The public-key definition is analogous.
Private-key CCA2

Is the scheme from Construction 16 private-key CCA1 secure? CCA2 secure?

Let $(G, E, D)$ be a private-key CPA-secure scheme, and let $(\mathrm{Gen}_M, \mathrm{Mac}, \mathrm{Vrfy})$ be a strongly existentially unforgeable MAC.

Construction 25
$G'(1^n)$: output $(e \leftarrow G(1^n),\; k \leftarrow \mathrm{Gen}_M(1^n))$. (We assume for simplicity that the encryption and decryption keys of $(G, E, D)$ are the same.)
$E'_{e,k}(m)$: let $c = E_e(m)$ and output $(c,\; t = \mathrm{Mac}_k(c))$
$D'_{e,k}(c, t)$: if $\mathrm{Vrfy}_k(c, t) = 1$, output $D_e(c)$; otherwise output $\bot$
Theorem 26
Construction 25 is a private-key CCA2-secure encryption scheme.

Proof: ?
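An added example, not from the lecture notes, that answers the CCA2 half of the question asked above by running the CCA2 experiment against Construction 16 and against Construction 25 built on top of it. The attack is the standard malleability one: flip one bit of the challenge, which yields a different ciphertext the $D^{\neg c}$ oracle must answer, and undo the flip on the result. Assumptions made for the demo: the PRF of Construction 16 and the MAC of Construction 25 are both instantiated with HMAC-SHA256 under independent keys, and messages are 32 bytes.

```python
"""Added demo: CCA2 malleability of Construction 16, and its repair by Construction 25.

Assumptions (demo stand-ins): PRF = HMAC-SHA256(key=e), MAC = HMAC-SHA256(key=k),
messages are N = 32 bytes. The "oracle" is simulated locally with the secret key;
the adversary code only ever uses the challenge ciphertext and the oracle answer.
"""
import hashlib
import hmac
import os

N = 32


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- Construction 16, used as the inner CPA-secure scheme ----
def enc16(e: bytes, m: bytes) -> tuple:
    r = os.urandom(N)
    return r, xor(hmac.new(e, r, hashlib.sha256).digest(), m)


def dec16(e: bytes, ct: tuple) -> bytes:
    r, c = ct
    return xor(hmac.new(e, r, hashlib.sha256).digest(), c)


# ---- Construction 25: E'_{e,k}(m) = (c, Mac_k(c)); D' returns bottom on a bad tag ----
def enc25(e: bytes, k: bytes, m: bytes) -> tuple:
    r, c = enc16(e, m)
    return r, c, hmac.new(k, r + c, hashlib.sha256).digest()


def dec25(e: bytes, k: bytes, ct: tuple):
    r, c, t = ct
    if not hmac.compare_digest(t, hmac.new(k, r + c, hashlib.sha256).digest()):
        return None  # bottom: the MAC rejects any modified (r, c)
    return dec16(e, (r, c))


def flip_last_bit(ct16: tuple) -> tuple:
    r, c = ct16
    return r, c[:-1] + bytes([c[-1] ^ 1])


def cca2_attack_on_16(m0: bytes, m1: bytes) -> bool:
    """CCA2 experiment against Construction 16: the adversary guesses b every time."""
    e = os.urandom(N)                      # G(1^n), kept by the experiment
    b = os.urandom(1)[0] & 1               # hidden challenge bit
    challenge = enc16(e, (m0, m1)[b])
    forged = flip_last_bit(challenge)      # differs from the challenge ...
    assert forged != challenge
    answer = dec16(e, forged)              # ... so D^{not c} must answer it
    recovered = answer[:-1] + bytes([answer[-1] ^ 1])  # undo the bit flip
    guess = 0 if recovered == m0 else 1
    return guess == b


def cca2_attack_on_25(m0: bytes, m1: bytes):
    """The same query against Construction 25 is rejected: the oracle returns None."""
    e, k = os.urandom(N), os.urandom(N)
    b = os.urandom(1)[0] & 1
    r, c, t = enc25(e, k, (m0, m1)[b])
    r2, c2 = flip_last_bit((r, c))
    return dec25(e, k, (r2, c2, t))


if __name__ == "__main__":
    m0, m1 = b"a" * N, b"b" * N          # constructed challenge messages
    print(all(cca2_attack_on_16(m0, m1) for _ in range(20)))  # True
    print(cca2_attack_on_25(m0, m1))                           # None
```

The tag in Construction 25 is computed over the whole inner ciphertext $(r, c)$, and verification uses a constant-time comparison; computing the MAC over the plaintext instead, or decrypting before verifying, would reopen the decryption oracle to exactly the query shown above.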
Public-key CCA1

Let $(G, E, D)$ be a public-key CPA-secure scheme, write $E_{pk}(m; z)$ for encryption of $m$ with random coins $z$, and let $(P, V)$ be a NIZK for
$$L = \{(c_0, c_1, pk_0, pk_1) : \exists (m, z_0, z_1) \text{ s.t. } c_0 = E_{pk_0}(m; z_0) \wedge c_1 = E_{pk_1}(m; z_1)\},$$
i.e. the language of ciphertext pairs encrypting the same message under both keys.

Construction 27 (The Naor-Yung Paradigm)
$G'(1^n)$:
1. For $i \in \{0,1\}$: set $(sk_i, pk_i) \leftarrow G(1^n)$.
2. Let $r \leftarrow \{0,1\}^{\ell(n)}$ (the common reference string of the NIZK), and output $pk' = (pk_0, pk_1, r)$ and $sk' = (pk', sk_0, sk_1)$.
$E'_{pk'}(m)$:
1. For $i \in \{0,1\}$: $c_i = E_{pk_i}(m; z_i)$, where $z_i$ is a uniformly chosen string of the right length.
2. $\pi \leftarrow P((c_0, c_1, pk_0, pk_1), (m, z_0, z_1), r)$.
3. Output $(c_0, c_1, \pi)$.
$D'_{sk'}(c_0, c_1, \pi)$: if $V((c_0, c_1, pk_0, pk_1), \pi, r) = 1$, return $D_{sk_0}(c_0)$; otherwise return $\bot$.
Omitted details: we assume for simplicity that the encryption key output by $G(1^n)$ has length at least $n$. $\ell$ is an arbitrary polynomial; it determines the maximum message length to encrypt under "security parameter" $n$.

Is the scheme CCA1 secure? We need the NIZK to be "adaptively secure".

Theorem 28
Assuming that $(P, V)$ is adaptively secure, Construction 27 is a public-key CCA1-secure encryption scheme.

Proof: Given an attacker $A'$ against the CCA1 security of $(G', E', D')$, we use it to construct an attacker $A$ against the CPA security of $(G, E, D)$. Let $S = (S_1, S_2)$ be the (adaptive) simulator for $(P, V, L)$.
Algorithm 29 ($A$)
Input: $(1^n, pk)$
1. Let $j \leftarrow \{0,1\}$, set $pk_{1-j} = pk$, $(pk_j, sk_j) \leftarrow G(1^n)$ and $(r, s) \leftarrow S_1(1^n)$.
2. Emulate $A'(1^n, pk' = (pk_0, pk_1, r))$ as follows:
3. On a query $(c_0, c_1, \pi)$ of $A'$ to $D'$: if $V((c_0, c_1, pk_0, pk_1), \pi, r) = 1$, answer $D_{sk_j}(c_j)$; otherwise answer $\bot$.
4. Output the same pair $(m_0, m_1)$ as $A'$ does.
5. On challenge $c$ ($= E_{pk}(m_b)$): set $c_{1-j} = c$, $a \leftarrow \{0,1\}$, $c_j = E_{pk_j}(m_a)$ and $\pi \leftarrow S_2((c_0, c_1, pk_0, pk_1), r, s)$. Send $c' = (c_0, c_1, \pi)$ to $A'$.
6. Output the same value that $A'$ does.
Claim 30
Assume that $A'$ breaks the CCA1 security of $(G', E', D')$ with advantage $\delta(n)$. Then $A$ breaks the CPA security of $(G, E, D)$ with advantage $(\delta(n) - \mathrm{neg}(n)) / 2$.