
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation



  1. MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 2

  2. Administrivia: Piazza; time-zone survey and office hours; PS1 released, due Sept 15.

  3. The Secure Communication Problem. Alice and Bob share a common key $k$; Eve watches the channel between them. Algorithms: (Gen, Enc, Dec). Correctness: $\mathrm{Dec}(k, \mathrm{Enc}(k, m)) = m$. Security: no Eve learns anything about $m$.

  4. How to Define Security. Perfect secrecy (a posteriori = a priori): for all $m, c$, $\Pr[M = m \mid E(K, M) = c] = \Pr[M = m]$. Perfect indistinguishability: for all $m_0, m_1, c$, $\Pr[E(K, m_0) = c] = \Pr[E(K, m_1) = c]$. The two definitions are equivalent!

  5. Is there a perfectly secure scheme? One-time pad: $E(k, m) = k \oplus m$. However, keys are as long as messages. Worse, Shannon's theorem: for any perfectly secure scheme, $|\text{key}| \ge |\text{message}|$. Can we overcome Shannon's conundrum?

  6. Let's first rewrite perfect indistinguishability as a Turing test. For all $m_0, m_1, c$: $\Pr[E(K, m_0) = c] = \Pr[E(K, m_1) = c]$. World 0: $k \leftarrow K$, $c = E(k, m_0)$. World 1: $k \leftarrow K$, $c = E(k, m_1)$. EVE is a distinguisher. For all EVE and all $m_0, m_1$: $\Pr[k \leftarrow K;\ c = E(k, m_0) : \mathrm{EVE}(c) = 0] = \Pr[k \leftarrow K;\ c = E(k, m_1) : \mathrm{EVE}(c) = 0]$.

  7. Let's first rewrite (cont.). Equivalently, letting a random bit choose the world: for all EVE and all $m_0, m_1$, $\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] = 1/2$.

  8. The Axiom of Modern Crypto: feasible computation = probabilistic polynomial-time* (p.p.t.), polynomial in a security parameter $n$. So Alice and Bob are fixed p.p.t. algorithms (e.g., running in time $n^2$). Eve is any p.p.t. algorithm (e.g., running in time $n^4$, or $n^{100}$, or $n^{10000}$, ...). * In recent years: quantum polynomial-time.

  9. Computational Indistinguishability (take 1). World 0: $k \leftarrow K$, $c = E(k, m_0)$. World 1: $k \leftarrow K$, $c = E(k, m_1)$. EVE is a p.p.t. distinguisher. For all p.p.t. EVE and all $m_0, m_1$: $\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] = 1/2$. Still subject to Shannon's impossibility!

  10. Still subject to Shannon's impossibility! Keys are $n$ bits; messages and ciphertexts are $n+1$ bits. For a ciphertext $c$, the set of messages consistent with $c$ is $\{D(k, c) : \text{all } k\}$; it has at most $2^n$ elements, so while $m_0$ lies inside it, some $(n+1)$-bit message $m_1$ lies outside. Consider the Eve that picks a random key $k$ and outputs 0 if $D(k, c) = m_0$ (this happens w.p. $\ge 1/2^n$), outputs 1 if $D(k, c) = m_1$ (w.p. $= 0$), and a random bit if neither holds. Bottom line: $\Pr[\text{EVE succeeds}] \ge 1/2 + 1/2^{n+1}$.

  11. New Notion: Negligible Functions. Functions that vanish faster than $1/p(n)$ for every polynomial $p$. Definition: a function $\nu : \mathbb{N} \to \mathbb{R}$ is negligible if for every polynomial $p$ and all sufficiently large $n$ (i.e., there exists $n_0$ such that for all $n > n_0$), $\nu(n) < 1/p(n)$. Key property: events that occur with negligible probability look to poly-time algorithms like they never occur.

  12. Negligible Functions (cont.). Question: let $\nu(n) = 1/n^{\log n}$. Is $\nu$ negligible?

  13. Negligible Functions (cont.). Question: let $\nu(n) = 1/n^{100}$ if $n$ is prime and $\nu(n) = 1/2^n$ otherwise. Is $\nu$ negligible?

  14. Computational Indistinguishability. World 0: $k \leftarrow K$, $c = E(k, m_0)$. World 1: $k \leftarrow K$, $c = E(k, m_1)$. EVE is a distinguisher. For all p.p.t. EVE there is a negligible function $\nu$ such that for all $m_0, m_1$: $\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] \le 1/2 + \nu(n)$.

  15. Our First Crypto Tool: Pseudorandom Generators (PRG)

  16. PRG Definition. A function $G : \{0,1\}^n \to \{0,1\}^{n+1}$ is a pseudorandom generator if no p.p.t. EVE can distinguish between $G(U_n)$ and $U_{n+1}$, where $U_n$ is the uniform distribution on $n$ bits and $U_{n+1}$ is the uniform distribution on $n+1$ bits.

  17. PRG Definition. A function $G : \{0,1\}^n \to \{0,1\}^{n+1}$ is a pseudorandom generator if for all p.p.t. EVE there is a negligible function $\nu$ such that $\left|\Pr[y \leftarrow U_{n+1} : \mathrm{EVE}(y) = 0] - \Pr[x \leftarrow U_n;\ y = G(x) : \mathrm{EVE}(y) = 0]\right| \le \nu(n)$. Question: what happens to this definition if EVE is unbounded?

  18. PRG ⟹ Overcoming Shannon's Conundrum (or, how to encrypt $n+1$ bits using an $n$-bit key). $\mathrm{Gen}(1^n)$: generate a random $n$-bit key $k$. $\mathrm{Enc}(k, m)$, where $m$ is an $(n+1)$-bit message: expand $k$ into an $(n+1)$-bit pseudorandom string $k' = G(k)$, then one-time pad with $k'$: the ciphertext is $k' \oplus m$. $\mathrm{Dec}(k, c)$ outputs $G(k) \oplus c$. Correctness: $\mathrm{Dec}(k, c) = G(k) \oplus c = G(k) \oplus G(k) \oplus m = m$.

  19. PRG ⟹ Overcoming Shannon's Conundrum. Security: by contradiction. Suppose for contradiction that there is a p.p.t. EVE, a polynomial $p$ and messages $m_0, m_1$ s.t. $\Pr[k \leftarrow K;\ b \leftarrow \{0,1\};\ c = E(k, m_b) : \mathrm{EVE}(c) = b] \ge 1/2 + 1/p(n)$.

  20. Security proof (cont.). Writing out $E$, the assumption says $\rho = \Pr[k \leftarrow \{0,1\}^n;\ b \leftarrow \{0,1\};\ c = G(k) \oplus m_b : \mathrm{EVE}(c) = b] \ge 1/2 + 1/p(n)$. Let $\rho' = \Pr[k' \leftarrow \{0,1\}^{n+1};\ b \leftarrow \{0,1\};\ c = k' \oplus m_b : \mathrm{EVE}(c) = b] = 1/2$ (here $c$ is a one-time-pad ciphertext, which is perfectly secret). This will give us a distinguisher EVE' for $G$, contradicting the assumption that $G$ is a pseudorandom generator. QED.

  21. Distinguisher EVE' for $G$: get as input a string $y$, run $\mathrm{EVE}(y \oplus m_b)$ for a random $b$, and let EVE's output be $b'$. Output "PRG" if $b = b'$ and "RANDOM" otherwise. $\Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is pseudorandom}] = \rho \ge 1/2 + 1/p(n)$. $\Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is random}] = \rho' = 1/2$. Therefore, $\Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is pseudorandom}] - \Pr[\mathrm{EVE'} \text{ outputs "PRG"} \mid y \text{ is random}] \ge 1/p(n)$.
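
The reduction of slides 20 and 21 carried out exactly, as an added example that is not part of the lecture: a toy one-bit-stretch G that is obviously not pseudorandom, a ciphertext distinguisher EVE for the slide-18 scheme built on it, and the EVE' that wraps it; ρ and ρ' are computed by enumerating every seed, every (n+1)-bit string and both values of b. The toy G, the messages m_0 and m_1, and EVE are constructed for illustration.

```python
"""Exact rho and rho' (slides 20-21) for a toy, insecure one-bit-stretch G.
Bit strings are held as Python ints; N is the seed length n, messages are n+1 bits."""
from fractions import Fraction
from itertools import product

N = 4  # seed length n (small so that exhaustive enumeration is instant)


def g_bad(k):
    """Toy G: k || parity(k). Stretches by one bit but is trivially distinguishable."""
    return (k << 1) | (bin(k).count("1") & 1)


def looks_like_g_output(y):
    """The relation every output of g_bad satisfies: last bit == parity of the rest."""
    return (y & 1) == (bin(y >> 1).count("1") & 1)


# Constructed messages: they differ only in the parity position, so exactly one of
# c xor m_0, c xor m_1 can satisfy the relation, which makes EVE decisive.
M0, M1 = 0b00000, 0b00001


def eve(c):
    """Ciphertext distinguisher for the slide-18 scheme: guess b = 0 iff c xor m_0 is consistent with G."""
    return 0 if looks_like_g_output(c ^ M0) else 1


def eve_prime(y, b):
    """Slide 21: run EVE on y xor m_b and output "PRG" iff EVE recovers b."""
    return "PRG" if eve(y ^ (M1 if b else M0)) == b else "RANDOM"


def rho():
    """Pr[EVE' outputs "PRG" | y = G(k)] = Pr[k<-U_n; b<-{0,1}; c = G(k) xor m_b : EVE(c) = b]."""
    hits = sum(eve_prime(g_bad(k), b) == "PRG" for k, b in product(range(1 << N), (0, 1)))
    return Fraction(hits, 2 * (1 << N))


def rho_prime():
    """Pr[EVE' outputs "PRG" | y uniform on n+1 bits]; always 1/2 since c is a one-time pad."""
    hits = sum(eve_prime(y, b) == "PRG" for y, b in product(range(1 << (N + 1)), (0, 1)))
    return Fraction(hits, 2 * (1 << (N + 1)))


def advantage():
    """EVE' distinguishes G(U_n) from U_{n+1} with advantage rho - rho' = 1/2 here."""
    return rho() - rho_prime()
```

Because the two probabilities are enumerated rather than sampled, the gap ρ − ρ' is an exact fraction, which is the quantity the proof compares against 1/p(n).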

  22. PRG ⟹ Overcoming Shannon's Conundrum (or, how to encrypt $n+1$ bits using an $n$-bit key). Q1: Do PRGs exist? (Exercise: if P = NP, PRGs do not exist.) Q2: How do we encrypt $n^{100}$ message bits with $n$ key bits? (Length extension: if there is a PRG that stretches by one bit, there is one that stretches by polynomially many bits.)

  23-25. Constructing PRGs: Two Methodologies. The Practical Methodology: 1. Start from a design framework (e.g. "appropriately chosen functions composed appropriately many times look random"). 2. Come up with a candidate construction (e.g. Rijndael, now the Advanced Encryption Standard). 3. Do extensive cryptanalysis.

  26. Constructing PRGs: Two Methodologies. The Foundational Methodology (much of this course): reduce to simpler primitives. "Science wins either way" (Silvio Micali). [Figure: digital signatures, PRF, PRG and hashing are all built from OWF, which in turn rest on well-studied, average-case hard problems.]

  27. Constructing PRGs: Two Methodologies. The Foundational Methodology (much of this course). A PRG candidate from the hardness of subset-sum: $G(a_1, \ldots, a_n, x_1, \ldots, x_n) = \left(a_1, \ldots, a_n, \sum_{i=1}^{n} x_i a_i \bmod 2^{n+1}\right)$, where the $a_i$ are random $(n+1)$-bit numbers and the $x_i$ are random bits. Beautiful function: if $G$ is a one-way function, then $G$ is a PRG (Pset 1). If lattice problems are hard in the worst case, $G$ is a PRG (6.876 Fall 18 / CS294-168 Spring 20).
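
The subset-sum candidate above, the slide-18 scheme built on a one-bit-stretch G, and the length extension that Q2 on slide 22 only names, implemented together as an added example (not the lecture's code). Bit strings are lists of 0/1 ints; the seed layout (n numbers of n+1 bits followed by n selector bits) and the iterate-and-emit construction used for length extension are assumptions of this example, not statements on the slides.

```python
"""Subset-sum PRG candidate (slide 27) as a one-bit-stretch G, the PRG one-time pad
of slide 18 on top of it, and iterated length extension (Q2, slide 22)."""


def bits_to_int(bits):
    return int("".join(map(str, bits)), 2)


def int_to_bits(v, width):
    return [(v >> (width - 1 - i)) & 1 for i in range(width)]


def subset_sum_prg(seed, n):
    """G(a_1..a_n, x_1..x_n) = (a_1..a_n, sum_{i : x_i = 1} a_i mod 2^(n+1)).
    Assumed layout: n numbers of n+1 bits, then n selector bits.
    Input: n(n+1) + n bits; output: n(n+1) + (n+1) bits, i.e. one bit longer."""
    assert len(seed) == n * (n + 1) + n
    a = [bits_to_int(seed[i * (n + 1):(i + 1) * (n + 1)]) for i in range(n)]
    x = seed[n * (n + 1):]
    s = sum(ai for ai, xi in zip(a, x) if xi) % (1 << (n + 1))
    return seed[:n * (n + 1)] + int_to_bits(s, n + 1)


def stretch(prg, seed, out_len):
    """Length extension (assumed standard iterated construction): feed the first |seed|
    output bits back as the next seed and emit the remaining stretch bits each round."""
    out, state = [], list(seed)
    while len(out) < out_len:
        y = prg(state)
        state, extra = y[:len(seed)], y[len(seed):]
        out.extend(extra)
    return out[:out_len]


def enc(prg, k, m):
    """Slide 18: c = G(k) xor m when |m| = |k| + 1; longer messages use the stretched G."""
    pad = prg(k) if len(m) == len(k) + 1 else stretch(prg, k, len(m))
    return [p ^ b for p, b in zip(pad, m)]


dec = enc  # xor is its own inverse, so Dec(k, Enc(k, m)) = m


if __name__ == "__main__":
    import secrets
    n = 8
    k = [secrets.randbits(1) for _ in range(n * (n + 1) + n)]  # Gen(1^n), n-bit-style key
    m = [secrets.randbits(1) for _ in range(len(k) + 1)]       # one bit longer than k
    G = lambda s: subset_sum_prg(s, n)
    assert dec(G, k, enc(G, k, m)) == m
```

With the $a_i$ held fixed, the feedback in `stretch` only updates the $n$ selector bits, so the stretched stream can cycle quickly for small $n$; the block shows the mechanics of the constructions, not a generator to deploy.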
