Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 1
Introduction to Cryptography @ Rice
Olivier Pereira
Slide 02
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 2
Computational Security
Let Π := 〈Gen,Enc,Dec〉 be a scheme s.t. |K| < |M|Then Π is not a perfectly secret encryption scheme.
⇒ Somehow, we want imperfect encryption
What can we expect from imperfect security?
I Replace impossibility by infeasibility (what?)
I Practical scheme emulating perfect scheme for practicalpurposes
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 3
Computational Security
Emulating perfectness? (informally, for encryption)
Given Π := 〈Gen,Enc,Dec〉, and adversary ADefine the following experiment PrivKeavA,Π
′:
1. A not unbounded outputs m0,m1 ∈M2. Choose k ← Gen and b ← {0, 1}, and send c = Enck(mb)
to A3. A(c) outputs b′
4. Define PrivKeavA,Π′ := 1 iff b = b′
Pr[PrivKeavA,Π′ = 1] =
1
2+ negligible term
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 4
Computational Security: Concrete Bounds
Two relaxations:
1. A does not have unbounded powerI Suppose A makes a brute force search
I 109 keys/secI 106 computersI 109 seconds (≈ 30 years)⇒ makes ≈ 280 steps
2. A can have a small success probabilityI Say, 2−48
I Event with Pr ≈ 2−30/sec occurs 1/100 yearsI Proba. to win the Powerball Jackpot: ≈ 2−28
⇒ Suggests that |K| = 2128 would be very nice!
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 5
Computational Security: Concrete Bounds
Two relaxations:
1. A does not have unbounded power2. A can have small success probability
Proposed solution:
I design schemes that are (t, �)-secure
What does it say?
I Concrete bounds: we know what we can hold
I Contests can be organized, . . .
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 6
Computational Security: Concrete Bounds
See: https://www.certicom.com/content/certicom/en/
the-certicom-ecc-challenge.html
https://www.certicom.com/content/certicom/en/the-certicom-ecc-challenge.htmlhttps://www.certicom.com/content/certicom/en/the-certicom-ecc-challenge.html
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 7
Computational Security: Asymptotic Bounds
Concrete security bounds:
I Suppose 〈Gen,Enc,Dec〉 is (t, �)-secure.What about 5t?
I How does (t, �) change with key size?Can encryption cost become > cryptanalysis cost?
Another solution:
I Consider (t, �) as functions of a security parameter n(e.g., the length of the key)
I Define a class of “feasible” algorithmsNumber of steps as a f (n)
I Show: ∀ feasible strategy of A, Pr[A wins] → 0 fast whenn increases
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 8
Computational Security: Asymptotic Bounds
Asymptotic security:
Π is secure if
I every “feasible” adversary strategy
I succeeds with “negligible” probability
when security parameters increase
An increase of computational power is bad news for A
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 9
Feasible Strategy / Efficient Algorithm
Let n be the length of the numbers we use. . .
Simple computational problems:
I Addition: O(n)I Multiplication: O(n2)I (Modular) Exponentiation: O(n3)I Search in ordered list: O(log(n))
Computationally hard problems:
I Integer factorization: 2O(√
n·log(n))
I Exhaustive key search: 2n
(The complexities listed here reflect classical algorithms, not the bestknown algorithms, which have more complex expressions.)
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 10
Feasible Strategy / Efficient Algorithm
Observations suggest:
Polynomial-time algorithms are efficient
I A is efficient if ∃ polynomial p s.t.A(x) takes ≤ p(|x |) steps
“Arbitrary” choice!?
I Various computing architectures can make complexitychange by a polynomial factor
I Algorithmic improvements typically change complexity by apolynomial factor
I But is |x |1000 less efficient than e|x|
1000 ?
I What tells asymptotic security about |x | = 128?For discussion see, e.g., http://www.cs.princeton.edu/theory/complexity/
http://www.cs.princeton.edu/theory/complexity/
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 11
Feasible Strategy / Efficient Algorithm
Observations suggest:
Polynomial-time algorithms are efficient
I A is efficient if ∃ polynomial p s.t.A(x) takes ≤ p(|x |) steps
Does it capture what we want?
I Cryptography is about randomnesse.g., choosing a key, . . .
I If honest parties can use randomness, so should A!I Is a probabilistic A more powerful?I Where do we find randomness?
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 12
Feasible Strategy / Efficient Algorithm
Efficient ⇔ Probabilistic polynomial-time (PPT)I A is efficient if ∃ polynomial p s.t.A(x) takes ≤ p(|x |) steps
I Steps include tossing a coin
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 13
Negligible Functions
What should be a “negligible” success probability?
I 1/p(n) is not small for PPT A:Polynomial repetition of A is still PPT
⇒ “negligible” ⇔ “decreases faster than any inverse poly.”
f is negligible iff:∀ polynomial p, ∃N such that ∀n ≥ N:
f (n) ≤ 1p(n)
Examples: 2−n, 2−√n, n− log(n)
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 14
Asymptotic security
Why using such an asymptotic treatment?
I Tells us how primitives behaveI PPT algos and negl. functions are convenient:
I PPT algo running PPT algos is still PPTI f negl and p poly ⇒ p · f negl
I PPT/negl capture our experience
I PPT/negl are robust to model changes
This will be adopted in the rest of this course
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 15
Encryption
What would be encryption in a computational world?
A triple 〈Gen,Enc,Dec〉 of PPT algos: (Introduce n)I Gen probabilistically selects k ← Gen(1n)
1n := 111 · · · 1 (n times) n is the security parameterI Enc provides c ← Enck(m)I Dec provides m := Deck(c)
Correctness: “for any security parameter...”
I ∀n, k ← Gen(1n), and ∀m: Deck(Enck(m)) = m
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 16
Security for Encryption
What would this become in a computational world?
Given Π := 〈Gen,Enc,Dec〉, and adversary A, define theexperiment PrivKeavA,Π(n):
1. A(1n) outputs m0,m1 of identical lengths2. Pick k ← Gen(1n), b ← {0, 1}, and send c ← Enck(mb)
to A3. A(c) outputs b′
4. Define PrivKeavA,Π(n) := 1 iff b = b′
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 17
Security of Encryption
Π := 〈Gen,Enc,Dec〉 has indistinguishable encryptions in thepresence of eavesdroppers if ∀ PPT A, ∃ negl. � :
Pr[PrivKeavA,Π(n) = 1] =1
2+ �(n)
Efficiency and Security depend on the security parameter
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 18
Building Secure Encryption Schemes
Emulating a one-time pad!
Gen(1n): pick k ← {0, 1}l(n), set M = {0, 1}l(n)→ We want |k| < |m| = l(n), for any m ∈M→ Expand k ∈ {0, 1}n to G (k) ∈ {0, 1}l(n)
Enck(m): compute and return c = m ⊕ k→ Instead, compute c = m ⊕ G (k)→ Enough if G (k) is indistinguishable of random
Deck(c): compute and return m = c ⊕ k→ Instead, compute c ⊕ G (k)
G is called a pseudorandom generator
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 19
Pseudorandomness
A deterministic poly-time algorithm G is a pseudorandomgenerator (or simply a PRG) only if, for any n,
I ∀s ∈ {0, 1}n, G (s) ∈ {0, 1}l(n) and l(n) > nI ∀ PPT D, ∃ negligible function � s.t.∣∣Pr[D(r) = 1]− Pr[D(G (s)) = 1]∣∣ ≤ �(n)
where r ← {0, 1}l(n) and s ← {0, 1}n
String s is called the seedFunction l is called the expansion factor of G
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 20
Pseudorandomness
Pseudorandom generators:
I Can only be computationally secure: try l(n) = 2 · nI n should be large enough to avoid brute-force
Theorem: [Håstad, Impagliazzo, Levin, Luby, 1999]Pseudorandom generators exist iff one-way functions exist
Existence of one-way functions ⇒ P 6= NP
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 21
Pseudorandomness
Proving the existence of a pseudorandom generator is worth$1.000.000!
See: http://www.claymath.org/millennium-problems/p-vs-np-problem/
http://www.claymath.org/millennium-problems/p-vs-np-problem/
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 22
Pseudorandomness
Assumption:
Pseudorandom generators exist
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 23
Building Secure Encryption Schemes
Our intuition leads us to Π := 〈Gen,Enc,Dec〉:
Gen(1n): pick k ← {0, 1}n, set M = {0, 1}l(n)
Enck(m): compute and return c = m ⊕ G (k)Deck(c): compute and return m = c ⊕ G (k)
What about security?
Definition ⇒ Assumption ⇒ Reduction
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 24
Building Encryption Schemes
THEOREMIf G is a pseudorandom generator, then Π is a (fixed length)encryption scheme that has indistinguishable encryption in thepresence of an eavesdropper.
PROOF.I ∀ PPT A for Π with η advantage,I ∃ PPT D for G with η advantage.
Therefore, η must be negligible.
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 25
Reduction
Suppose Pr[PrivKeavA,Π(n) = 1] =12 + η(n)
A Ok, b
m0,m1
mb ⊕ G (k)b′
⇒ A is s.t. Pr[b = b′] = 12 + η(n)
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 26
Reduction
A b
D
O ′
b′′
m0,m1
mb ⊕ w
b′
1⇔ b = b′
b′′ = 0 ⇒ w ← {0, 1}l(n)
b′′ = 1 ⇒{s ← {0, 1}nw := G (s)
Observe:
I If b′′ = 0, Pr[D outputs 1] = 12 : one-time pad
I If b′′ = 1, Pr[D outputs 1] = 12 + η(n): PrivKeavA,Π(n)
I D distinguishes with advantage η(n)
I If A is PPT, then D is PPT too
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 27
Building Encryption Schemes
THEOREMIf G is a pseudorandom generator, then Π is a (fixed length)encryption scheme that has indistinguishable encryption in thepresence of an eavesdropper.
Observations:
I ∃ Encryption with shorter keys than messages!I Proof is conditional, by reduction
I Proof holds for computationally bounded adversaries, andleaves some probability of attack
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 28
Variable-length encryption
Π is restricted to messages with |m| ≤ l(|k |)I We need G with variable-length output
I Use G repeatedly until output is long enough (see KL, Fig.7.1)
I Preserves security if G is used polynomially many times
UCL Crypto GroupMicroelectronics Laboratory COMP477 - Slide 02 29
Conclusion
I Computational security opens doors for cryptography withshorter keys
We can encrypt m of length p(|k |)!
I What about encrypting multiple messages? (same key)
Even the one-time pad becomes insecure!
FrontComputational SecurityEncryptionPseudorandomnessRealizing Encryption