MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 2
Administrivia
o Piazza: time-zone survey & office hours
o PS1 released, due Sept 15
The Secure Communication Problem
[Figure: Alice and Bob each hold the key k; Alice sends the message m; Eve observes the channel.]
o Alice and Bob have a common key k
o Algorithms (Gen, Enc, Dec)
o Correctness: Dec(k, Enc(k, m)) = m
o Security: Eve learns nothing about m.
How to Define Security
Perfect secrecy (a posteriori = a priori): for all $m, c$: $\Pr[M = m \mid E(K, M) = c] = \Pr[M = m]$.
Perfect indistinguishability: for all $m_0, m_1, c$: $\Pr[E(K, m_0) = c] = \Pr[E(K, m_1) = c]$.
The two definitions are equivalent!
Is there a perfectly secure scheme?
• One-time pad: $E(k, m) = k \oplus m$.
• However: keys are as long as messages.
• Worse, Shannon's theorem: for any perfectly secure scheme, $|\text{key}| \ge |\text{message}|$.
Can we overcome Shannon's conundrum?
Let's first rewrite... Perfect indistinguishability as a Turing test
For all $m_0, m_1, c$: $\Pr[E(K, m_0) = c] = \Pr[E(K, m_1) = c]$.
World 0: $k \leftarrow K$; $c = E(k, m_0)$.    World 1: $k \leftarrow K$; $c = E(k, m_1)$.
EVE is a distinguisher. For all EVE and all $m_0, m_1$:
$\Pr[k \leftarrow K;\ c = E(k, m_0) : \mathrm{EVE}(c) = 0] = \Pr[k \leftarrow K;\ c = E(k, m_1) : \mathrm{EVE}(c) = 0]$.
Equivalently, for all EVE and all $m_0, m_1$:
$\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] = 1/2$.
The Axiom of Modern Crypto
Feasible computation = probabilistic polynomial-time* (p.p.t.), polynomial in a security parameter n.
So, Alice and Bob are fixed p.p.t. algorithms (e.g., run in time $n^2$).
Eve is any p.p.t. algorithm (e.g., run in time $n^4$, or $n^{100}$, or $n^{10000}$, ...).
* in recent years, quantum polynomial-time
Computational Indistinguishability (take 1)
World 0: $k \leftarrow K$; $c = E(k, m_0)$.    World 1: $k \leftarrow K$; $c = E(k, m_1)$.
EVE is a p.p.t. distinguisher. For all p.p.t. EVE and all $m_0, m_1$:
$\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] = 1/2$.
Still subject to Shannon's impossibility!
Still subject to Shannon's impossibility!
[Figure: messages are n+1 bits; for a ciphertext c, the set of messages consistent with c is $\{D(k, c) : \text{all } k\}$; $m_0$ is drawn inside this set and $m_1$ outside it.]
Consider Eve that picks a random key k and
o outputs 0 if $D(k, c) = m_0$ (happens w.p. $\ge 1/2^n$),
o outputs 1 if $D(k, c) = m_1$ (happens w.p. 0),
o outputs a random bit if neither holds.
Bottom line: $\Pr[\mathrm{EVE} \text{ succeeds}] \ge 1/2 + 1/2^{n}$.
New Notion: Negligible Functions
Functions that grow slower than $1/p(n)$ for any polynomial p.
Definition: A function $\mu : \mathbb{N} \to \mathbb{R}$ is negligible if for every polynomial function p and all sufficiently large n (that is, there exists $n_0$ such that for all $n > n_0$): $\mu(n) < 1/p(n)$.
Key property: events that occur with negligible probability look to poly-time algorithms like they never occur.
Question: Let $\mu(n) = $ [formula unreadable in the extracted slide]. Is $\mu$ negligible?
Question: Let $\mu(n) = $ [unreadable] if n is prime and $\mu(n) = $ [unreadable] otherwise. Is $\mu$ negligible?
Computational Indistinguishability
World 0: $k \leftarrow K$; $c = E(k, m_0)$.    World 1: $k \leftarrow K$; $c = E(k, m_1)$.
EVE is a p.p.t. distinguisher. For all p.p.t. EVE, there is a negligible function $\mu$ s.t. for all $m_0, m_1$:
$\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] \le 1/2 + \mu(n)$.
Our First Crypto Tool: Pseudorandom Generators (PRG)
PRG Definition
A function $G : \{0,1\}^n \to \{0,1\}^{n+1}$ is a pseudorandom generator if no p.p.t. EVE can distinguish between $G(U_n)$ and $U_{n+1}$, where $U_n$ is the uniform distribution on n bits and $U_{n+1}$ the uniform distribution on n+1 bits.
Formally: for all p.p.t. EVE, there is a negligible function $\mu$ s.t.
$\left|\,\Pr[y \leftarrow U_{n+1} : \mathrm{EVE}(y) = 0] - \Pr[x \leftarrow U_n;\ y = G(x) : \mathrm{EVE}(y) = 0]\,\right| \le \mu(n)$.
Question: What happens to this definition if EVE is unbounded?
PRG ⟹ Overcoming Shannon's Conundrum (or, How to Encrypt n+1 bits using an n-bit key)
$\mathrm{Gen}(1^n)$: generate a random n-bit key k.
$\mathrm{Enc}(k, m)$, where m is an (n+1)-bit message: expand k into an (n+1)-bit pseudorandom string $k' = G(k)$, then one-time pad with $k'$: the ciphertext is $k' \oplus m$.
$\mathrm{Dec}(k, c)$ outputs $G(k) \oplus c$.
Correctness: $\mathrm{Dec}(k, c)$ outputs $G(k) \oplus c = G(k) \oplus G(k) \oplus m = m$.
PRG ⟹ Overcoming Shannon's Conundrum
Security: by contradiction. Suppose for contradiction that there is a p.p.t. EVE, a polynomial function p, and $m_0, m_1$ s.t.
$\rho = \Pr[k \leftarrow \{0,1\}^n;\ b \leftarrow \{0,1\};\ c = G(k) \oplus m_b : \mathrm{EVE}(c) = b] \ge 1/2 + 1/p(n)$.
Let $\rho' = \Pr[k' \leftarrow \{0,1\}^{n+1};\ b \leftarrow \{0,1\};\ c = k' \oplus m_b : \mathrm{EVE}(c) = b] = 1/2$.
This will give us a distinguisher EVE' for G, contradicting the assumption that G is a pseudorandom generator. QED.
PRG ⟹ Overcoming Shannon's Conundrum
Distinguisher EVE' for G: get as input a string y, run $\mathrm{EVE}(y \oplus m_b)$ for a random b, and let EVE's output be $b'$. Output "PRG" if $b = b'$ and "RANDOM" otherwise.
$\Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is pseudorandom}] = \rho \ge 1/2 + 1/p(n)$
$\Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is random}] = \rho' = 1/2$
Therefore, $\Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is pseudorandom}] - \Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is random}] \ge 1/p(n)$.
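The reduction above, made concrete as an added example (not code from the lecture): a deliberately weak toy G that appends the parity of its seed, an EVE that breaks the resulting scheme, and the slide's EVE' wrapped around it. For a toy n the two probabilities $\rho$ and $\rho'$ are computed exactly by enumerating every seed, pad and bit b instead of sampling; `weak_prg`, `eve`, `eve_prime` and the message pair are my constructions.

```python
from itertools import product

N = 4  # toy security parameter: keys are n bits, messages and pads are n+1 bits

def xor(a, b):
    return tuple(u ^ v for u, v in zip(a, b))

def weak_prg(x):
    # Deliberately bad toy G: {0,1}^n -> {0,1}^{n+1}, appends the parity of x,
    # so every output has even parity and is easy to tell apart from U_{n+1}.
    return tuple(x) + (sum(x) % 2,)

def enc(k, m):
    # Enc(k, m) = G(k) xor m: the (n+1)-bit one-time pad with an n-bit key.
    return xor(weak_prg(k), m)

def eve(c, m0, m1):
    # Adversary against enc. With m0 of even and m1 of odd parity, c xor m_b is
    # the pad G(k), which has even parity, so the parity of c xor m0 reveals b.
    return 0 if sum(xor(c, m0)) % 2 == 0 else 1

def eve_prime(y, m0, m1, b):
    # The slide's distinguisher for G: hand EVE the string y xor m_b for a random
    # bit b and answer "PRG" iff EVE recovers b.
    return "PRG" if eve(xor(y, (m0, m1)[b]), m0, m1) == b else "RANDOM"

def all_strings(length):
    return list(product((0, 1), repeat=length))

def prob_prg_verdict(pads, m0, m1):
    # Pr[EVE' outputs "PRG"] when y is uniform over `pads` and b is a uniform bit,
    # computed exactly by enumeration rather than by sampling.
    hits = sum(eve_prime(y, m0, m1, b) == "PRG" for y in pads for b in (0, 1))
    return hits / (2 * len(pads))

def distinguishing_gap(m0, m1):
    # rho: y = G(x) for uniform x (the real scheme); rho': y uniform (a true OTP).
    # Whatever EVE does, rho' is exactly 1/2 because y xor m_b is uniform for both b.
    rho = prob_prg_verdict([weak_prg(x) for x in all_strings(N)], m0, m1)
    rho_prime = prob_prg_verdict(all_strings(N + 1), m0, m1)
    return rho, rho_prime, rho - rho_prime

if __name__ == "__main__":
    m0, m1 = (0, 0, 0, 0, 0), (0, 0, 0, 0, 1)  # constructed messages of different parity
    print(distinguishing_gap(m0, m1))  # (1.0, 0.5, 0.5)
```

The gap of 1/2 is exactly the quantity the proof lower-bounds by $1/p(n)$; a real PRG would force it to be negligible for every p.p.t. EVE.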
PRG ⟹ Overcoming Shannon's Conundrum (or, How to Encrypt n+1 bits using an n-bit key)
FAQ: Do PRGs exist? (Exercise: If P = NP, PRGs do not exist.)
FAQ: How do we encrypt $n^{100}$ message bits with n key bits? (Length extension: if there is a PRG that stretches by one bit, there is one that stretches by polynomially many bits.)
Constructing PRGs: Two Methodologies
The Practical Methodology
1. Start from a design framework (e.g. "appropriately chosen functions composed appropriately many times look random").
2. Come up with a candidate construction, e.g. Rijndael (now the Advanced Encryption Standard).
3. Do extensive cryptanalysis.
Constructing PRGs: Two Methodologies
The Foundational Methodology (much of this course): reduce to simpler primitives.
"Science wins either way" – Silvio Micali
[Figure: a tower of primitives: digital signatures, PRFs and hashing built from PRGs, PRGs built from OWFs, OWFs built from well-studied, average-case hard problems.]
Constructing PRGs: Two Methodologies
The Foundational Methodology (much of this course)
A PRG candidate from the hardness of subset-sum:
$G(a_1, \ldots, a_n, x_1, \ldots, x_n) = \left(a_1, \ldots, a_n, \sum_{i=1}^{n} x_i a_i \bmod 2^{n+1}\right)$
where the $a_i$ are random (n+1)-bit numbers and the $x_i$ are random bits.
Beautiful function: If G is a one-way function, then G is a PRG (Pset 1). If lattice problems are hard in the worst case, G is a PRG (6.876 Fall 18 / CS294-168 Spring 20).
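The subset-sum candidate above, plugged into the Gen/Enc/Dec scheme of the "PRG ⟹ Overcoming Shannon's Conundrum" slide, as an added example that is not the course's own code. It checks the bit accounting (a seed of $n(n+1)+n$ bits becomes $n(n+1)+(n+1)$ bits, a stretch of exactly one) and correctness for a toy n; `seed_len`, `gen`, `enc`, `dec` and `roundtrip_ok` are my names, and nothing here says anything about security at toy sizes.

```python
import secrets

def seed_len(n):
    # |seed| = n numbers of n+1 bits plus n selector bits = n(n+1) + n.
    return n * (n + 1) + n

def subset_sum_prg(seed, n):
    # G(a_1..a_n, x_1..x_n) = (a_1, ..., a_n, sum_{i : x_i = 1} a_i mod 2^(n+1)).
    # seed: list of seed_len(n) bits; the output has seed_len(n) + 1 bits,
    # i.e. the candidate stretches by exactly one bit.
    assert len(seed) == seed_len(n)
    a = [int("".join(map(str, seed[i * (n + 1):(i + 1) * (n + 1)])), 2) for i in range(n)]
    x = seed[n * (n + 1):]
    s = sum(ai for ai, xi in zip(a, x) if xi) % (1 << (n + 1))
    return seed[:n * (n + 1)] + [int(ch) for ch in format(s, f"0{n + 1}b")]

def gen(n):
    # Gen(1^n): a uniformly random key, which doubles as the PRG seed.
    return [secrets.randbelow(2) for _ in range(seed_len(n))]

def xor(u, v):
    assert len(u) == len(v)
    return [p ^ q for p, q in zip(u, v)]

def enc(k, m, n):
    # Enc(k, m) = G(k) xor m for a message one bit longer than the key.
    return xor(subset_sum_prg(k, n), m)

def dec(k, c, n):
    # Dec(k, c) = G(k) xor c; correctness: G(k) xor G(k) xor m = m.
    return xor(subset_sum_prg(k, n), c)

def roundtrip_ok(n):
    # Random key and random (|k|+1)-bit message: decryption must invert encryption
    # and the key must be exactly one bit shorter than the message it protects.
    k = gen(n)
    m = [secrets.randbelow(2) for _ in range(seed_len(n) + 1)]
    return dec(k, enc(k, m, n), n) == m and len(subset_sum_prg(k, n)) == len(k) + 1

if __name__ == "__main__":
    print(roundtrip_ok(8))  # True
```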