onetime encryption
play

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 - PowerPoint PPT Presentation

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen


  1. Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability

  2. Recall Onetime Encryption Perfect Secrecy Perfect secrecy : ∀ m, m’ ∈ M K 0 1 2 3 M {Enc(m,K)} K ← KeyGen = {Enc(m’,K)} K ← KeyGen a x y y z Distribution of the ciphertext is defined 
 Distribution of the ciphertext by the randomness in the key b y x z y In addition, require correctness Assuming K uniformly drawn from K ∀ m, K, Dec( Enc(m,K), K) = m Pr[ Enc(a,K)=x ] = ¼ , 
 Pr[ Enc(a,K)=y ] = ½ , 
 E.g. One-time pad: M = K = C = {0,1} n and Pr[ Enc(a,K)=z ] = ¼ ______________ 
 Enc(m,K) = m ⊕ K, Dec(c,K) = c ⊕ K Same for Enc(b,K). More generally M = K = C = G (a finite group) and Enc(m,K) = m+K, Dec(c,K) = c-K

  3. Recall Onetime Encryption SIM-Onetime Security Class of environments which send only one message Key/ Key/ Recv Enc Dec Send SIM-Onetime secure if: ∀ ∃ s.t. ∀ IDEAL=REAL Env Env IDEAL REAL

  4. Recall Onetime Encryption Equivalent to perfect secrecy SIM-Onetime Security + correctness Class of environments which send only one message Key/ Key/ Recv Enc Dec Send SIM-Onetime secure if: ∀ ∃ s.t. ∀ IDEAL=REAL Env Env IDEAL REAL

  5. Onetime Encryption IND-Onetime Security

  6. Onetime Encryption IND-Onetime Security IND-Onetime Experiment

  7. Onetime Encryption IND-Onetime Security IND-Onetime Experiment .

  8. Onetime Encryption IND-Onetime Security IND-Onetime Experiment .

  9. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Experiment picks a random bit b. It also runs KeyGen to get a key K . b ← {0,1}

  10. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K . b ← {0,1}

  11. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Adversary sends two messages m 0 , m 1 to the experiment m 0 ,m 1 . b ← {0,1}

  12. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Adversary sends two messages m 0 , m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 . b ← {0,1}

  13. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Enc(m b ,K) Adversary sends two messages m 0 , m b m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 . b ← {0,1}

  14. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Enc(m b ,K) Adversary sends two messages m 0 , m b m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 Adversary returns a guess b’ b’ . b ← {0,1}

  15. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Enc(m b ,K) Adversary sends two messages m 0 , m b m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 Adversary returns a guess b’ b’ . b ← {0,1} b’=b?

  16. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Enc(m b ,K) Adversary sends two messages m 0 , m b m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 Adversary returns a guess b’ b’ . Experiments outputs 1 iff b’=b b ← {0,1} b’=b? Yes/No

  17. Onetime Encryption IND-Onetime Security IND-Onetime Experiment Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Enc(m b ,K) Adversary sends two messages m 0 , m b m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 Adversary returns a guess b’ b’ . Experiments outputs 1 iff b’=b b ← {0,1} b’=b? IND-Onetime secure if for every Yes/No adversary, Pr[b’=b] = 1/2

  18. Onetime Encryption IND-Onetime Security Equivalent to perfect IND-Onetime Experiment secrecy Key/ Enc Experiment picks a random bit b. It also runs KeyGen to get a key K Enc(m b ,K) Adversary sends two messages m 0 , m b m 1 to the experiment Experiment replies with Enc(m b ,K) m 0 ,m 1 Adversary returns a guess b’ b’ . Experiments outputs 1 iff b’=b b ← {0,1} b’=b? IND-Onetime secure if for every Yes/No adversary, Pr[b’=b] = 1/2

  19. Perspective on Definitions

  20. Perspective on Definitions “Technical” vs. “Convincing”

  21. Perspective on Definitions “Technical” vs. “Convincing” For simple scenarios technical definitions could be convincing

  22. Perspective on Definitions “Technical” vs. “Convincing” For simple scenarios technical definitions could be convincing e.g. Perfect Secrecy

  23. Perspective on Definitions “Technical” vs. “Convincing” For simple scenarios technical definitions could be convincing e.g. Perfect Secrecy IND- definitions tend to be technical: more low-level details, but may not make the big picture clear. Could have “weaknesses”

  24. Perspective on Definitions “Technical” vs. “Convincing” For simple scenarios technical definitions could be convincing e.g. Perfect Secrecy IND- definitions tend to be technical: more low-level details, but may not make the big picture clear. Could have “weaknesses” SIM- definitions give the big picture, but may not give details of what is involved in satisfying it. Could be “too strong”

  25. Perspective on Definitions “Technical” vs. “Convincing” For simple scenarios technical definitions could be convincing e.g. Perfect Secrecy IND- definitions tend to be technical: more low-level details, but may not make the big picture clear. Could have “weaknesses” SIM- definitions give the big picture, but may not give details of what is involved in satisfying it. Could be “too strong” Best of both worlds when they are equivalent: use IND- definition while say, proving security of a construction; use SIM- definition when low-level details are not important

  26. Security of Encryption

  27. Security of Encryption Perfect secrecy is too strong for multiple messages (though too weak in some other respects...)

  28. Security of Encryption Perfect secrecy is too strong for multiple messages (though too weak in some other respects...) Requires keys as long as the messages

  29. Security of Encryption Perfect secrecy is too strong for multiple messages (though too weak in some other respects...) Requires keys as long as the messages Relax the requirement by restricting to computationally bounded adversaries (and environments)

  30. Security of Encryption Perfect secrecy is too strong for multiple messages (though too weak in some other respects...) Requires keys as long as the messages Relax the requirement by restricting to computationally bounded adversaries (and environments) Coming up: Formalizing notions of “computational” security (as opposed to perfect/statistical security)

  31. Security of Encryption Perfect secrecy is too strong for multiple messages (though too weak in some other respects...) Requires keys as long as the messages Relax the requirement by restricting to computationally bounded adversaries (and environments) Coming up: Formalizing notions of “computational” security (as opposed to perfect/statistical security) Then, security definitions used for encryption of multiple messages

  32. Symmetric-Key Encryption The Syntax Shared-key (Private-key) Encryption Key Generation: Randomized K ← K , uniformly randomly drawn from the key-space (or according to a key-distribution) Encryption: Randomized Enc: M × K × R → C . During encryption a fresh random string will be chosen uniformly at random from R Decryption: Deterministic Dec: C × K → M

  33. Symmetric-Key Encryption SIM-CPA Security Key/ Key/ Recv Enc Dec Send SIM-CPA secure if: ∀ ∃ s.t. ∀ IDEAL ≈ REAL Env Env IDEAL REAL

  34. Symmetric-Key Encryption SIM-CPA Security Same as SIM-onetime security, but not restricted to environments which send only one message. All entities “efficient. ” Key/ Key/ Recv Enc Dec Send SIM-CPA secure if: ∀ ∃ s.t. ∀ IDEAL ≈ REAL Env Env IDEAL REAL

  35. Symmetric-Key Encryption SIM-CPA Security Same as SIM-onetime security, but not restricted to environments which send only one message. All entities “efficient. ” Key/ Key/ Recv Enc Dec Send SIM-CPA secure if: ∀ ∃ s.t. ∀ IDEAL ≈ REAL Env Env Later IDEAL REAL

  36. Symmetric-Key Encryption IND-CPA Security

  37. Symmetric-Key Encryption IND-CPA Security Experiment picks a random bit b. It also runs KeyGen to get a key K Key/ Enc b ← {0,1}

  38. Symmetric-Key Encryption IND-CPA Security Experiment picks a random bit b. It also runs KeyGen to get a key K Key/ Enc For as long as Adversary wants b ← {0,1}

  39. Symmetric-Key Encryption IND-CPA Security Experiment picks a random bit b. It also runs KeyGen to get a key K Key/ Enc For as long as Adversary wants Adv sends two messages m 0 , m 1 to the experiment m 0 ,m 1 b ← {0,1}

Recommend


More recommend