5.3 KiB
CSE442T Introduction to Cryptography (Lecture 14)
Recap
\exists one-way functions \implies \exists PRG expand by any polynomial amount
\exists G:\{0,1\}^n \to \{0,1\}^{l(n)} s.t. G is efficiently computable, l(n) > n, and G is pseudorandom
\{G(U_n)\}\approx \{U_{l(n)}\}
Back to the experiment we did long time ago:
| Group 1 | Group 2 | |
|---|---|---|
00000 or 11111 |
3 | 16 |
| 4 of 1's | 42 | 56 |
| balanced | too often | usual |
| consecutive repeats | 0 | 4 |
So Group 1 is human, Group 2 is computer.
Chapter 3: Indistinguishability and Pseudorandomness
Computationally secure encryption
Recall with perfect security,
P[k\gets Gen(1^n):Enc_k(m_1)=c] = P[k\gets Gen(1^n):Enc_k(m_2)=c]
for all m_1,m_2\in M and c\in C.
(Gen,Enc,Dec) is single message secure if \forall n.u.p.p.t \mathcal{D} and for all n\in \mathbb{N}, \forall m_1,m_2\gets \{0,1\}^n \in M^n, \mathcal{D} distinguishes Enc_k(m_1) and Enc_k(m_2) with at most negligble probability.
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(m_1),Enc_k(m_2))=1] \leq \epsilon(n)
By the prediction lemma, (\mathcal{A} is a ppt, you can also name it as \mathcal{D})
P[b\gets \{0,1\}:k\gets Gen(1^n):\mathcal{A}(Enc_k(m_b)) = b] \leq \frac{1}{2} + \frac{\epsilon(n)}{2}
and the above equation is \frac{1}{2} for perfect secrecy.
Construction of single message secure cryptosystem
cryptosystem with shorter keys. Mimic OTP(one time pad) with shorter keys with pseudorandom randomness.
K=\{0,1\}^n, \mathcal{M}=\{0,1\}^{l(n)}, G:K \to \mathcal{M} is a PRG.
Gen(1^n): k\gets \{0,1\}^n; output k.
Enc_k(m): r\gets \{0,1\}^{l(n)}; output G(k)\oplus m.
Dec_k(c): output G(k)\oplus c.
Proof of security:
Let m_0,m_1\in \mathcal{M} be two messages, and \mathcal{D} is a n.u.p.p.t distinguisher.
Suppose \{K\gets Gen(1^n):Enc_k(m_i)\} is distinguished for i=0,1 by \mathcal{D} and by \mu(n)\geq\frac{1}{poly(n)}.
Strategy: Move to OTP, then flip message.
H_0(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_0\oplus G(k)\}
H_1(OTP(m_1)) = \{u\gets U_{l(n)}: m_o\oplus u\}
H_2(OTP(m_1)) = \{u\gets U_{l(n)}: m_1\oplus u\}
H_3(Enc_k(m_0)) = \{k\gets \{0,1\}^n: m_1\oplus G(k)\}
By hybrid argument, 2 neighboring messages are indistinguishable.
However, H_0 and H_1 are indistinguishable since G(U_n) and U_{l(n)} are indistinguishable.
H_1 and H_2 are indistinguishable by perfect secrecy of OTP.
H_2 and H_3 are indistinguishable since G(U_n) and U_{l(n)} are indistinguishable.
Which leads to a contradiction.
Multi-message secure encryption
(Gen,Enc,Dec) is multi-message secure if \forall n.u.p.p.t \mathcal{D} and for all n\in \mathbb{N}, and q(n)\in poly(n).
\overline{m}=(m_1,\dots,m_{q(n)})
\overline{m}'=(m_1',\dots,m_{q(n)}')
are list of q(n) messages in \{0,1\}^n.
\mathcal{D} distinguishes Enc_k(\overline{m}) and Enc_k(\overline{m}') with at most negligble probability.
P[k\gets Gen(1^n):\mathcal{D}(Enc_k(\overline{m}),Enc_k(\overline{m}'))=1] \leq \frac{1}{2} + \epsilon(n)
THIS IS NOT MULTI-MESSAGE SECURE.
We can take \overline{m}=(0^n,0^n)\to (G(k),G(k)) and \overline{m}'=(0^n,1^n)\to (G(k),G(k)+1^n) the distinguisher can easily distinguish if some message was sent twice.
What we need is that the distinguisher cannot distinguish if some message was sent twice. To achieve multi-message security, we need our encryption function to use randomness (or change states) for each message, otherwise Enc_k(0^n) will return the same on consecutive messages.
Our fix is, if we can agree on a random function F:\{0,1\}^n\to \{0,1\}^n satisfied that: for each input x\in\{0,1\}^n, F(x) is chosen uniformly at random.
Gen(1^n): Choose random function F:\{0,1\}^n\to \{0,1\}^n.
Enc_F(m): let r\gets U_n; output (r,F(r)\oplus m).
Dec_F(m): Given (r,c), output m=F(r)\oplus c.
Ideas: Adversary sees r but has no Ideas about F(r). (we choose all outputs at random)
If we could do this, this is MMS (multi-message secure).
Proof:
Suppose m_1,m_2,\dots,m_{q(n)}, m_1',\dots,m_{q(n)}' are sent to the encryption oracle.
Suppose the encryption are distinguished by \mathcal{D} with probability \frac{1}{2}+\epsilon(n).
Strategy: move to OTP with hybrid argument.
Suppose we choose a random function
H_0:\{F\gets RF_n:((r_1,m_1\oplus F(r_1)),(r_2,m_2\oplus F(r_2)),\dots,(r_{q(n)},m_{q(n)}\oplus F(r_{q(n)})))\}
and
H_1:\{OTP:(r_1,m_1\oplus u_1),(r_2,m_2\oplus u_2),\dots,(r_{q(n)},m_{q(n)}\oplus u_{q(n)})\}
r_i,u_i\in U_n.
By hybrid argument, H_0 and H_1 are indistinguishable if r_1,\dots,r_{q(n)} are different, these are the same.
F(r_1),\dots,F(r_{q(n)}) are chosen uniformly and independently at random.
only possible problem is r_i=r_j for some i\neq j, and P[r_i=r_j]=\frac{1}{2^n}.
And the probability that at least one pair are equal
P[\text{at least one pair are equal}] =P[\bigcup_{i\neq j}\{r_i=r_j\}] \leq \sum_{i\neq j}P[r_i=r_j]=\binom{n}{2}\frac{1}{2^n} < \frac{n^2}{2^{n+1}}
which is negligible.
Unfortunately, we cannot do this in practice.
How many random functions are there?
The length of description of F is n 2^n.
For each x\in \{0,1\}^n, there are 2^n possible values for F(x).
So the total number of random functions is (2^n)^{2^n}=2^{n2^n}.