Probabilistic Encryption - Cryptography - Lecture Slides, Slides of Cryptography and System Security

Download Probabilistic Encryption - Cryptography - Lecture Slides and more Slides Cryptography and System Security in PDF only on Docsity! Probabilistic Encryption Docsity.com 2 Symmetric Encryption DEF: A symmetric encryption scheme consists of a tuple (M, K, G, E, D) where • M - message space • K - key space • G - randomized key generator picks key k of security parameter l. Write: • E - randomized (possibly stateful) encryption algorithm producing ciphertext from key and plaintext. Write: • D - determinisic (possibly stateful) decryption algorithm producing plaintexts from ciphertexts s.t. c R←Ek(m) ∀m,Dk(Ek(m)) = m k R←G(1l) Docsity.com 5 Blum-Blum-Shub PRG INPUT: key n, seed r, expansion L OUTPUT: bitstring s of length L BBS-PRG(n, r, L) // for i = 1 to L { // least significant bit // replace by square } return // concatenate bits x= x2 mod n si = x mod 2 x= r2 mod n s1‖s2‖ . . .‖sL r ∈R Zn⇒ x ∈R QR(n) Docsity.com 6 BG PKE - decryption D( (p, q) , c){ // private key p,q , ciphertext c L = |c| - |p⋅q| // subtract the length of t y = binarynumber(c[L+1, |c|]) // last |t|-bits r = s = BBS-PRG(n, r, L) return c[1,L] ⊕ s // xor first L bits of cipher NOTE: r above only has probability¼ of being same r as during encryption; however, squares the same so is an equivalent BBS-PRG seed. rp = y[(p+1)/4] L+1 mod p rq = y[(q+1)/4] L+1 mod q [q(q−1 mod p)rp+ p(p−1 mod q)rq] mod n Docsity.com 7 Multi-Message Distinguisher DEF: A multi-message distinguisher for an encryption scheme (M, K, G, E, D) is a decision algorithm A that attempts to discover which of two chosen message-sequences a cipher-sequence corresponds to. Define the the a-b advantage of A : = Prob(A(Ek(mi,a)) = 1)−Prob(A(Ek(mi,b)) = 1) [m1,a,m2,a, . . . ,mq,a], [m1,b,m2,b, . . . ,mq,b] [Ek(m1,?),Ek(m2,?), . . . ,Ek(mq,?)] Adv(A, [mi,a], [mi,b]) Docsity.com 10 Non-negligible Function DEF: A function is non-negligible if there is a polynomial p(n) such that f : N→ R | f (n)| =! ( 1 p(n) ) Docsity.com 11 Stateless Deterministic Encryption THM: Any stateless, deterministic encryption is insecure. In fact, there is an adversary A with advantage 1 for some well chosen message sequences. NOTE: One-time-pad avoids this problem because under this paradigm, there is an implicit counter whose value > 1 implies encryption is refused and the output “⊥” is returned for any plaintext. Docsity.com 12 Weaker Notions Consider instead ciphertext security: DEF: The cryptosystem (M, K, G, E, D) is NOT ciphertext-secure under chosen plaintext attack if there is a PPT cryptanalysis algorithm P and some polynomial number of plaintexts which when given as input the known ciphertexts and unknown ciphertext c, P returns the plaintext m corresponding to c with non-negligible probability for a non- negligible fraction of ciphertexts c. LEMMA: adaptive-CPA computational security implies ciphertext security. [mi] [Ek(mi)] Docsity.com