Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Zheyuan Wu
2024-12-07 15:33:14 -06:00
parent 94817e8381
commit f5f0e2a5c3
10 changed files with 203 additions and 100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
pages/CSE442T/CSE442T_L22.md
View File

@@ -10,7 +10,9 @@ $$
Adversary knows $c$, but nothing else.
### Known plaintext attack (KPA)
### Attack models
#### Known plaintext attack (KPA)
Adversary has seen $(m_1,Enc_k(m_1)),(m_2,Enc_k(m_2)),\cdots,(m_q,Enc_k(m_q))$.
@@ -18,7 +20,7 @@ $m_1,\cdots,m_q$ are known to the adversary.
Given new $c=Enc_k(m)$, is previous knowledge helpful?
### Chosen plaintext attack (CPA)
#### Chosen plaintext attack (CPA)
Adversary can choose $m_1,\cdots,m_q$ and obtain $Enc_k(m_1),\cdots,Enc_k(m_q)$.
@@ -32,35 +34,24 @@ So US use Axis: $Enc_k(AF)$ and ran out of supplies.
Then US know Japan will attack Midway.
### Chosen ciphertext attack (CCA)
#### Chosen ciphertext attack (CCA)
Adversary can choose $c_1,\cdots,c_q$ and obtain $Dec_k(c_1),\cdots,Dec_k(c_q)$.
#### Definition 168.1 (Secure private key encryption against attacks)
Capture these ideas with the adversary having oracle access.
$$
\Pi=(Gen,Enc,Dec)
$$
Let $\Pi=(Gen,Enc,Dec)$ be a private key encryption scheme. Let a random variable $IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)$ where $\mathcal{A}$ is an n.u.p.p.t. The security parameter is $n\in \mathbb{N}$, $b\in\{0,1\}$ denoting the real scheme or the adversary's challenge.
private key encryption scheme.
$$
IND_b^{O_1,O_2}(\Pi,\mathcal{A},n)
$$
where $O_1$ and $O_2$ are the round 1 and round 2 oracle access.
$b$ is zero or one denoting the real scheme or the adversary's challenge.
$n$ is the security parameter.
is the following experiment:
The experiment is the following:
- Key $k\gets Gen(1^n)$
- Adversary $\mathcal{A}^{O_1(k)}(1^n)$ queries oracles
- $m_0,m_1\gets \mathcal{A}^{O_2(k)}(1^n)$
- Adversary $\mathcal{A}^{O_1(k)}(1^n)$ queries oracle $O_1$
- $m_0,m_1\gets \mathcal{A}^{O_1(k)}(1^n)$
- $c\gets Enc_k(m_b)$
- $\mathcal{A}^{O_2(c)}(1^n,c)$ queries oracles
- $\mathcal{A}^{O_2(c)}(1^n,c)$ queries oracle $O_2$ to distinguish $c$ is encryption of $m_0$ or $m_1$
- $\mathcal{A}$ outputs bit $b'$ which is either zero or one
$\Pi$ is CPA/CCA1/CCA2 secure if for all PPT adversaries $\mathcal{A}$,
@@ -79,9 +70,75 @@ where $\approx$ is statistical indistinguishability.
Note that $Dec_k^*$ will not allowed to query decryption of a functioning ciphertext.
You can imagine the experiment is a class as follows:
```python
n = 1024
@lru_cache(None)
def oracle_1(m,key,**kwargs):
"""
Query oracle 1
"""
pass
@lru_cache(None)
def oracle_2(c,key,**kwargs):
"""
Query oracle 2
"""
pass
class Experiment:
def __init__(self, key, oracle_1, oracle_2):
self.key = key
self.oracle_1 = oracle_1
self.oracle_2 = oracle_2
def sufficient_trial(self):
pass
def generate_test_message(self):
pass
def set_challenge(self, c):
self.challenge = c
def query_1(self):
while not self.sufficient_trial():
self.oracle_1(m,self.key,**kwargs)
def challenge(self):
"""
Return m_0, m_1 for challenge
"""
m_0, m_1 = self.generate_test_message()
self.m_0 = m_0
self.m_1 = m_1
return m_0, m_1
def query_2(self, c):
while not self.sufficient_trial():
self.oracle_2(c,self.key,**kwargs)
def output(self):
return 0 if self.challenge==m_0 else 1
if __name__ == "__main__":
key = random.randint(0, 2**n)
exp = Experiment(key, oracle_1, oracle_2)
exp.query_1()
m_0, m_1 = exp.challenge()
choice = random.choice([m_0, m_1])
exp.set_challenge(choice)
exp.query_2()
b_prime = exp.output()
print(f"b'={b_prime}, b={choice==m_0}")
```
#### Theorem: Our mms private key encryption scheme is CPA, CCA1 secure.
Have a PRF family $\{f_k\}:\{0,1\}^|k|\to\{0,1\}^{|k|}$
Have a PRF family $\{f_k\}:\{0,1\}^{|k|}\to\{0,1\}^{|k|}$
$Gen(1^n)$ outputs $k\in\{0,1\}^n$ and samples $f_k$ from the PRF family.