# Lecture 14

## Recap

$\exists$ one-way functions $\implies$ $\exists$ PRGs that expand by any polynomial amount:

$\exists G:\{0,1\}^n \to \{0,1\}^{l(n)}$ s.t. $G$ is efficiently computable, $l(n) > n$, and $G$ is pseudorandom, i.e.

$$
\{G(U_n)\}\approx \{U_{l(n)}\}
$$

Back to the experiment we did a long time ago:

| | Group 1 | Group 2 |
|---|---|---|
| $00000$ or $11111$ | 3 | 16 |
| 4 of 1's | 42 | 56 |
| balanced | too often | usual |
| consecutive repeats | 0 | 4 |

So Group 1 is human, Group 2 is computer.

## Chapter 3: Indistinguishability and Pseudorandomness
### Computationally secure encryption

Recall that with perfect secrecy,

$$
P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c]
$$

for all $m_1,m_2\in M$ and $c\in C$.

$(Gen,Enc,Dec)$ is **single message secure** if for all n.u.p.p.t. $\mathcal{D}$, for all $n\in \mathbb{N}$, and for all $m_1,m_2\in \{0,1\}^n$, $\mathcal{D}$ distinguishes $Enc_k(m_1)$ and $Enc_k(m_2)$ with at most negligible probability:

$$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n)
$$

By the prediction lemma ($\mathcal{A}$ is a p.p.t. adversary; it could equally be called $\mathcal{D}$),

$$
P[b\gets \{0,1\};k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2}
$$

and for perfect secrecy the probability above is exactly $\frac{1}{2}$.

### Construction of single message secure cryptosystem

Goal: a cryptosystem with shorter keys. Mimic the OTP (one-time pad), but replace the truly random pad by pseudorandom bits expanded from a shorter key.

$K=\{0,1\}^n$, $\mathcal{M}=\{0,1\}^{l(n)}$, $G:K \to \mathcal{M}$ is a PRG.

$Gen(1^n)$: $k\gets \{0,1\}^n$; output $k$.

$Enc_k(m)$: output $G(k)\oplus m$.

$Dec_k(c)$: output $G(k)\oplus c$.

Note that $Enc$ is deterministic: it uses no randomness beyond the key.

Proof of security:

Let $m_0,m_1\in \mathcal{M}$ be two messages, and let $\mathcal{D}$ be an n.u.p.p.t. distinguisher.

Suppose, for contradiction, that $\mathcal{D}$ distinguishes $\{k\gets Gen(1^n):Enc_k(m_0)\}$ from $\{k\gets Gen(1^n):Enc_k(m_1)\}$ with advantage $\mu(n)\geq\frac{1}{poly(n)}$.

Strategy: move to the OTP, then flip the message, then move back.

$$
H_0 = Enc_k(m_0) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\}
$$

$$
H_1 = OTP(m_0) = \{u\gets U_{l(n)}: m_0\oplus u\}
$$

$$
H_2 = OTP(m_1) = \{u\gets U_{l(n)}: m_1\oplus u\}
$$

$$
H_3 = Enc_k(m_1) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\}
$$

By the hybrid argument, if $\mathcal{D}$ distinguishes $H_0$ from $H_3$ with advantage $\mu(n)$, then it distinguishes some pair of neighboring hybrids with non-negligible advantage (at least $\mu(n)/3$).

However, $H_0$ and $H_1$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.

$H_1$ and $H_2$ are indistinguishable (in fact identically distributed) by the perfect secrecy of the OTP.

$H_2$ and $H_3$ are indistinguishable since $G(U_n)$ and $U_{l(n)}$ are indistinguishable.

This contradicts the assumption, so the scheme is single message secure.

### Multi-message secure encryption

$(Gen,Enc,Dec)$ is multi-message secure if for all n.u.p.p.t. $\mathcal{D}$, for all $n\in \mathbb{N}$, for all polynomials $q(n)$, and for all

$$
\overline{m}=(m_1,\dots,m_{q(n)})
$$

$$
\overline{m}'=(m_1',\dots,m_{q(n)}')
$$

that are lists of $q(n)$ messages in $\{0,1\}^n$, $\mathcal{D}$ distinguishes $Enc_k(\overline{m})$ and $Enc_k(\overline{m}')$ with at most negligible probability:

$$
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n)
$$

**THE CONSTRUCTION ABOVE IS NOT MULTI-MESSAGE SECURE.**

Take $\overline{m}=(0^n,0^n)$, which encrypts to $(G(k),G(k))$, and $\overline{m}'=(0^n,1^n)$, which encrypts to $(G(k),G(k)\oplus 1^n)$. The distinguisher simply checks whether the two ciphertexts are equal, i.e. whether the same message was sent twice.

What we need is that the distinguisher cannot tell whether some message was sent twice. To achieve multi-message security, the encryption function must use fresh randomness (or keep state) for each message; otherwise $Enc_k(0^n)$ returns the same ciphertext on consecutive messages.
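As an added example (not from the lecture notes), here is the PRG construction above in Python together with the repeated-message distinguisher just described; the PRG $G$ is played by SHA-256 in counter mode as a stand-in for an arbitrary PRG, and $n$ is counted in bytes.

```python
import hashlib
import secrets


def G(k: bytes, out_len: int) -> bytes:
    """Stand-in PRG: expand seed k to out_len bytes with SHA-256 in counter mode.
    (Assumption of this example: it plays the role of an arbitrary PRG G.)"""
    out, ctr = b"", 0
    while len(out) < out_len:
        out += hashlib.sha256(k + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:out_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen(n: int) -> bytes:
    return secrets.token_bytes(n)               # k <- {0,1}^n (n in bytes here)


def enc(k: bytes, m: bytes) -> bytes:
    return xor(G(k, len(m)), m)                 # deterministic: the pad G(k) never changes


def dec(k: bytes, c: bytes) -> bytes:
    return xor(G(k, len(c)), c)


def equality_distinguisher(c1: bytes, c2: bytes) -> int:
    """The distinguisher from the notes: output 1 iff the two ciphertexts are equal."""
    return int(c1 == c2)


def two_message_experiment(n: int = 16) -> tuple:
    """Run the distinguisher on Enc_k(0^n, 0^n) and on Enc_k(0^n, 1^n)."""
    k = gen(n)
    zeros, ones = bytes(n), bytes([0xFF]) * n   # 0^n and 1^n
    m_bar = (zeros, zeros)                      # the same message sent twice
    m_bar_prime = (zeros, ones)                 # two different messages
    d_on_m = equality_distinguisher(*(enc(k, m) for m in m_bar))
    d_on_m_prime = equality_distinguisher(*(enc(k, m) for m in m_bar_prime))
    return d_on_m, d_on_m_prime                 # (1, 0): the two lists are told apart


if __name__ == "__main__":
    k = gen(16)
    assert dec(k, enc(k, b"single message ok")) == b"single message ok"
    print("distinguisher outputs on (m, m'):", two_message_experiment())
```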

The fix: suppose the two parties could agree on a truly random function $F:\{0,1\}^n\to \{0,1\}^n$, meaning that for each input $x\in\{0,1\}^n$, the value $F(x)$ is chosen uniformly at random, independently of all other outputs.

$Gen(1^n):$ choose a random function $F:\{0,1\}^n\to \{0,1\}^n$.

$Enc_F(m):$ let $r\gets U_n$; output $(r,F(r)\oplus m)$.

$Dec_F(r,c):$ output $m=F(r)\oplus c$.

Idea: the adversary sees $r$ but learns nothing about $F(r)$, since every output of $F$ was chosen at random.

If we could do this, the scheme would be MMS (multi-message secure).

Proof:

Suppose $m_1,m_2,\dots,m_{q(n)}$ and $m_1',\dots,m_{q(n)}'$ are sent to the encryption oracle.

Suppose the encryptions are distinguished by $\mathcal{D}$ with probability $\frac{1}{2}+\epsilon(n)$.

Strategy: move to the OTP with a hybrid argument.

With a random function $F$ the real encryptions are

$$
H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\}
$$

and the OTP version is

$$
H_1:\{(r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)})\}
$$

where $r_i,u_i\gets U_n$ independently.

$H_0$ and $H_1$ are indistinguishable: if $r_1,\dots,r_{q(n)}$ are all distinct, the two distributions are in fact identical, because then $F(r_1),\dots,F(r_{q(n)})$ are chosen uniformly and independently at random, exactly like $u_1,\dots,u_{q(n)}$.

The only possible problem is $r_i=r_j$ for some $i\neq j$, and $P[r_i=r_j]=\frac{1}{2^n}$ for each fixed pair.

The probability that at least one pair is equal is, by the union bound,

$$
P[\text{at least one pair is equal}] =P\Big[\bigcup_{i\neq j}\{r_i=r_j\}\Big] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{q(n)}{2}\frac{1}{2^n} < \frac{q(n)^2}{2^{n+1}}
$$

which is negligible since $q(n)$ is polynomial in $n$.
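As an added example (not from the notes), here is the random-function scheme above with $F$ sampled lazily, together with the union bound from the proof next to the exact birthday probability; the lazily filled dictionary and byte-sized $n$ are assumptions of the example, not part of the lecture's construction.

```python
import secrets
from math import comb


class RandomFunction:
    """Model of a truly random F: {0,1}^n -> {0,1}^n, sampled lazily.
    Each F(r) is drawn uniformly the first time r is queried and then remembered;
    the full table would be n*2^n bits, so this only models the scheme."""

    def __init__(self, n_bytes: int):
        self.n = n_bytes
        self.table: dict = {}

    def __call__(self, r: bytes) -> bytes:
        if r not in self.table:
            self.table[r] = secrets.token_bytes(self.n)
        return self.table[r]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_F(F: RandomFunction, m: bytes) -> tuple:
    r = secrets.token_bytes(F.n)                # fresh r <- U_n for every message
    return r, xor(F(r), m)


def dec_F(F: RandomFunction, r: bytes, c: bytes) -> bytes:
    return xor(F(r), c)


def repeated_message_hidden(n: int = 16) -> bool:
    """Encrypt 0^n twice: the ciphertexts differ (unless r collides) yet both decrypt."""
    F = RandomFunction(n)
    c1, c2 = enc_F(F, bytes(n)), enc_F(F, bytes(n))
    return c1 != c2 and dec_F(F, *c1) == dec_F(F, *c2) == bytes(n)


def union_bound(q: int, n_bits: int) -> float:
    """P[some r_i = r_j] <= C(q,2) / 2^n, the bound used in the proof."""
    return comb(q, 2) / 2 ** n_bits


def exact_collision_prob(q: int, n_bits: int) -> float:
    """Exact probability that q uniform n-bit values are not all distinct."""
    p_distinct = 1.0
    for i in range(q):
        p_distinct *= (2 ** n_bits - i) / 2 ** n_bits
    return 1.0 - p_distinct
```

For a polynomial number of messages and a realistic $n$ the bound is astronomically small, which is what the proof relies on.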

Unfortunately, we cannot do this in practice.

How many random functions are there?

The description of $F$ (its full table of $2^n$ outputs of $n$ bits each) has length $n\cdot 2^n$ bits, which is exponential in $n$.

For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.

So the total number of random functions is $(2^n)^{2^n}=2^{n2^n}$.