Probabilistic Encryption - Cryptography - Lecture Slides, Slides of Cryptography and System Security

Download Probabilistic Encryption - Cryptography - Lecture Slides and more Slides Cryptography and System Security in PDF only on Docsity!

Probabilistic Encryption

2

Symmetric Encryption

DEF: A symmetric encryption scheme consists of a tuple ( M, K, G, E, D ) where

M - message space

K - key space

G - randomized key generator picks key k of security parameter l. Write:

E - randomized (possibly stateful ) encryption algorithm producing ciphertext from key and plaintext. Write:

D - determinisic (possibly stateful) decryption algorithm producing plaintexts from ciphertexts s.t.

c

R

← Ek ( m )

∀ m , Dk ( Ek ( m )) = m

k

R

← G ( 1

l

4

BG PKE - encryption

E ( n, m ) // key n , message m L = | m | // r picked uniformly at random s = BBS-PRG( n, r, L ) t = bitstring( ) // keep leading 0’s return ( m s ) || t // xor and concatenate NOTES:

1. | t | = | n | as keeping leading 0’s of number
2. Could replace BBS-PRG by any PRG

r ∈ R Z n

r

2 L + 1

mod n

5

Blum-Blum-Shub PRG

INPUT: key n , seed r , expansion L OUTPUT: bitstring s of length L BBS-PRG( n, r, L ) // for i = 1 to L { // least significant bit // replace by square } return // concatenate bits

x = x

2

mod n

si = x mod 2

x = r

2

mod n

s 1 ‖ s 2 ‖... ‖ s L

r ∈ R Z n ⇒ x ∈ R QR( n )

7

Multi-Message

Distinguisher

DEF: A multi-message distinguisher for an encryption scheme ( M, K, G, E, D ) is a decision algorithm A that attempts to discover which of two chosen message-sequences a cipher-sequence corresponds to. Define the the a-b advantage of A :

= Prob( A ( Ek ( mi , a )) = 1 ) − Prob( A ( Ek ( mi , b )) = 1 )

[ m 1 , a , m 2 , a ,... , mq , a ], [ m 1 , b , m 2 , b ,... , mq , b ]

[ Ek ( m 1 ,? ), Ek ( m 2 ,? ),... , Ek ( mq ,? )]

Adv( A , [ mi , a ], [ mi , b ])

8

Computational Security

DEF: Let ( M, K, G, E, D ) be an encryption scheme with G, E, D running in poly-time. The scheme is computationally in secure if there is a PPT multi-message distinguisher A with non-negligible a-b advantage for some equal-size messages. I.e. can find a poly- number of messages , with but non-negligible.

Measure time/space/negligibility in terms of security parameter l for the key generator.

Say computationally secure if not computationally insecure - no such A exists.

mi , a mi , b | m

i , a |^ =^ | mi , b |

Adv( A , mi , a , mi , b )

10

Non-negligible

Function

DEF: A function is non-negligible if there is a polynomial p ( n ) such that

f : N → R

| f ( n )| =!

p ( n )

11

Stateless Deterministic

Encryption

THM: Any stateless, deterministic encryption is insecure. In fact, there is an adversary A with advantage 1 for some well chosen message sequences. NOTE: One-time-pad avoids this problem because under this paradigm, there is an implicit counter whose value > 1 implies encryption is refused and the output “ ” is returned for any plaintext.