Encryption

Debdeep Mukhopadhyay IIT Kharagpur

Notion of Security

  • “A good disguise should not reveal the person’s height”

– Shafi Goldwasser and Silvio Micali, 1982


Design of Encryption Algorithms

  • Encryption algorithms are used for privacy of data.

– which means they do not leak any information about the plaintext.

  • The question is: when are we satisfied that the cipher really does not leak?

– For this we need to know the power of the adversary.

What did Shannon say?

  • Shannon said in his classical work that using a one-time pad, the cipher achieves “perfect secrecy”.

– no attacker, even with infinite computational power, can obtain any information about the plaintext.
– But the one-time pad is impractical.
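Shannon's claim can be checked exactly on a toy message space. The Python below is an added example, not part of the slides: it enumerates every key for 3-bit messages, verifies Shannon's condition (the ciphertext distribution is the same whatever message was sent, so the eavesdropper's posterior equals the prior) and, as a constructed contrast that goes beyond the slide, shows what an eavesdropper learns when the pad is shorter than the message. The short-pad model (key used as-is, high bits zero) is my assumption for illustrating the key-length requirement that makes the one-time pad impractical.

```python
from collections import Counter
from fractions import Fraction

N = 3  # message length in bits: small enough to enumerate every (message, key) pair


def ciphertext_distribution(m, key_bits):
    """Pr[C = c | M = m] for C = m XOR k with k uniform over {0,1}^key_bits.
    A key shorter than N is used as-is (its high bits are zero); this is a
    constructed model of a pad that is too short for the message."""
    keys = range(2 ** key_bits)
    counts = Counter(m ^ k for k in keys)
    return {c: Fraction(n, len(keys)) for c, n in counts.items()}


def is_perfectly_secret(key_bits):
    """Shannon's condition: the ciphertext distribution is identical for every
    message, so the ciphertext carries no information about which one was sent."""
    dists = [ciphertext_distribution(m, key_bits) for m in range(2 ** N)]
    return all(d == dists[0] for d in dists)


def posterior(c, key_bits):
    """Pr[M = m | C = c] for a uniform prior on M, by Bayes' rule over the
    enumeration. Perfect secrecy means this equals the prior, 1/2^N, for all m."""
    joint = {m: ciphertext_distribution(m, key_bits).get(c, Fraction(0))
             for m in range(2 ** N)}
    total = sum(joint.values())
    return {m: p / total for m, p in joint.items()}


if __name__ == "__main__":
    print("full-length pad perfectly secret:", is_perfectly_secret(N))
    print("2-bit pad perfectly secret:", is_perfectly_secret(2))
    # with a 2-bit pad the eavesdropper learns the top bit of the message
    print("posterior given c=0b101, 2-bit pad:", posterior(0b101, 2))
```

With a full-length pad every posterior is exactly 1/8; with the 2-bit pad the four messages whose top bit differs from the ciphertext's get posterior 0, which is precisely the leak perfect secrecy forbids.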


But Cryptographers want provable security

  • Let’s assume that the attacker is a “probabilistic polynomial time” (PPT) machine.

– that’s a more practical assumption!

  • So, now the question is: can the adversary (attacker) obtain information about the plaintext efficiently?

– for our purpose, efficiently means in polynomial time.

PPT

  • A probabilistic (randomized) algorithm A may toss a coin a finite number of times during its computation.
  • The output y, and the next step, may depend on the results of the preceding coin tosses.
  • The coin is in general fair.
  • Examples: primality test algorithms, factoring algorithms, etc.
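The slide's first example of a PPT algorithm, worked out in code (an added example, not from the slides): the Miller-Rabin primality test in Python. Each round tosses coins to choose a random base, the verdict may depend on those tosses (a composite can survive a round with probability at most 1/4, so the "probably prime" answer has error at most 4^-rounds, while "composite" is always correct), and the running time is polynomial in the bit length of n. The `seed` parameter is my addition so that the coin tosses can be reproduced.

```python
import random


def miller_rabin(n, rounds=20, seed=None):
    """Probabilistic primality test.
    Returns False if n is certainly composite, True if n is probably prime.
    Error probability of a True answer is at most 4 ** -rounds; the work is
    O(rounds * log^3 n) with schoolbook arithmetic, i.e. polynomial in |n|."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    # write n - 1 = 2^s * d with d odd
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(seed)  # the algorithm's coin tosses (seeded only for reproducibility)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)  # random base: this round's coin toss
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue  # a does not witness compositeness; toss again
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is definitely composite
    return True  # no witness found in `rounds` tosses: probably prime


if __name__ == "__main__":
    for n in (561, 1000003, 2 ** 61 - 1, 2 ** 61 + 1):
        print(n, "probably prime" if miller_rabin(n, seed=1) else "composite")
```

561 = 3 * 11 * 17 is a Carmichael number, which fools the simpler Fermat test but not Miller-Rabin; 2^61 - 1 is prime and 2^61 + 1 is divisible by 3.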


Definition of Semantic Security (SS)

For every distribution $X$ over $\{0,1\}^n$, for every partial information $h: \{0,1\}^n \to \{0,1\}^*$, for every interesting information $f: \{0,1\}^n \to \{0,1\}^*$, and for every attacking algorithm $A$ running in time $t' \le t(n)$ [$t(n)$ is a polynomial in $n$], there exists a simulating algorithm $S$ such that:

$$\Pr_{m \leftarrow X,\ (p_k, s_k) \leftarrow G(n)}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] \;\le\; \Pr_{m \leftarrow X}\big[S(h(m)) = f(m)\big] + \varepsilon(n)$$

  • Here ε(n) is a negligible quantity.
  • The notion tries to capture ideal security.
  • That is, the eavesdropper is disconnected from the communication.
  • In spite of observing the ciphertext, he obtains no more interesting observation than in the case when he has not seen the ciphertext.

Message Indistinguishability (MI)

For every two messages $m_0, m_1 \in \{0,1\}^n$ and for every attacking algorithm $A$ that runs in time $t(n)$:

$$\Pr_{i \in \{0,1\},\ (p_k, s_k) \leftarrow G(n)}\big[A(E(m_i, p_k), p_k) = i\big] \;\le\; \frac{1}{2} + \varepsilon(n)$$

  • SS and MI are equivalent.


Proofs : SS => MI

If $X = \{m_0, m_1\}$, $f: f(m_0) = 0,\ f(m_1) = 1$, and $h()$ is the empty output string, then from SS, for every adversary $A$ there is a simulator $S$ s.t.

$$\Pr_{m_i \leftarrow X,\ (p_k, s_k) \leftarrow G(n)}\big[A(E(m_i, p_k), p_k) = i\big] \;\le\; \Pr_{m_i \leftarrow X}\big[S() = i\big] + \varepsilon(n)$$

Now, since the simulator receives no information, $\Pr[S() = i] = 1/2$, regardless of $S$. Thus,

$$\Pr_{i \in \{0,1\},\ (p_k, s_k) \leftarrow G(n)}\big[A(E(m_i, p_k), p_k) = i\big] \;\le\; \frac{1}{2} + \varepsilon(n)$$

MI => SS

(*) For every $m_0, m_1 \in \{0,1\}^*$, for every algorithm $A$ that runs in time $\le t(n)$, and for every $a \in \{0,1\}^*$:

$$\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_0, p_k), p_k) = a\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_1, p_k), p_k) = a\big] \;\le\; 2\varepsilon(n) \qquad (*)$$

$$(t,\varepsilon)\text{-MI} \Rightarrow (*) \quad\equiv\quad \neg(*) \Rightarrow \neg(t,\varepsilon)\text{-MI}$$


MI => SS

Define
$$A'(c, p_k) = \begin{cases} 1, & \text{if } A(c, p_k) = a \\ 0, & \text{otherwise} \end{cases}$$

Suppose (*) fails for some $m_0, m_1, a$ (labelled so that $A$ outputs $a$ more often on encryptions of $m_1$ than of $m_0$, which "for every $m_0, m_1$" allows). Then

$$\begin{aligned}
\therefore\ \Pr_{i \in \{0,1\},\ (p_k, s_k) \leftarrow G(n)}\big[A'(E(m_i, p_k), p_k) = i\big]
&= \tfrac{1}{2}\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A'(E(m_0, p_k), p_k) = 0\big] + \tfrac{1}{2}\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A'(E(m_1, p_k), p_k) = 1\big] \\
&= \tfrac{1}{2}\Big(1 - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_0, p_k), p_k) = a\big]\Big) + \tfrac{1}{2}\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_1, p_k), p_k) = a\big] \\
&= \tfrac{1}{2} + \tfrac{1}{2}\Big(\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_1, p_k), p_k) = a\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m_0, p_k), p_k) = a\big]\Big) \\
&> \tfrac{1}{2} + \varepsilon(n) \;\Rightarrow\; (t,\varepsilon)\text{-MI is violated.}
\end{aligned}$$

(t,ε)-MI => (t’,2ε)-SS

  • Thus ¬(t’,2ε)-SS => ¬(t,ε)-MI

Define $S(z)$, where $z$ is some information on $m$:
  Pick $(p_k, s_k) \leftarrow G(n)$ at random.
  Return $A(E(0, p_k), p_k, z)$.
/* Note that the run time of S is the running time of A + poly(n) */


(t,ε)-MI => (t’,2ε)-SS

$$\neg(t', 2\varepsilon)\text{-SS} \;\Rightarrow\; \Pr_{m \leftarrow X,\ (p_k, s_k) \leftarrow G(n)}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] \;>\; \Pr_{m \leftarrow X}\big[S(h(m)) = f(m)\big] + 2\varepsilon(n),$$

i.e., with $S$ as defined above,

$$\Pr_{m \leftarrow X,\ (p_k, s_k) \leftarrow G(n)}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] \;>\; \Pr_{m \leftarrow X,\ (p_k, s_k) \leftarrow G(n)}\big[A(E(0, p_k), p_k, h(m)) = f(m)\big] + 2\varepsilon(n).$$

Writing the probability over $m \leftarrow X$ as a weighted sum,

$$\sum_{m} \Pr[X = m]\Big(\Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m, p_k), p_k, h(m)) = f(m)\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(0, p_k), p_k, h(m)) = f(m)\big]\Big) \;>\; 2\varepsilon(n)$$

$$\Rightarrow\; \exists\, m' \in X \text{ s.t. } \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(m', p_k), p_k, h(m')) = f(m')\big] - \Pr_{(p_k, s_k) \leftarrow G(n)}\big[A(E(0, p_k), p_k, h(m')) = f(m')\big] \;>\; 2\varepsilon(n)$$

⇒ as there exists a pair of messages ($m'$ and $0$, with $a = f(m')$) for which (*) does not hold, (t,ε)-MI does not hold.
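The MI game of slide 4, the reduction $A'$ of slide 6 and the simulator $S(z) = A(E(0,p_k),p_k,z)$ used on slides 6 and 7 can all be exercised exactly on a toy scheme. The Python below is an added example, not part of the slides: the two schemes (a 3-bit one-time pad, and a constructed "leaky" variant whose $p_k$ publishes the parity of the pad), the adversaries `parity_guesser` and `parity_extractor`, and the choice $X$ uniform, $h$ empty, $f$ = parity are my assumptions, picked so that every probability is computed by enumerating all keys and challenge bits with exact fractions rather than by sampling. It computes the MI success probability, checks the identity from slide 6 relating $A'$ to $A$ for any $A$ and $a$, and computes the gap between $A$ and the simulator that the slide-7 argument bounds by $2\varepsilon(n)$.

```python
from fractions import Fraction
from itertools import product

N = 3                   # message length in bits (toy size: everything is enumerated)
MSGS = range(2 ** N)


def parity(x):
    return bin(x).count("1") % 2


# A scheme is (keypairs, enc): keypairs lists every equiprobable (p_k, s_k) that
# G(n) can output, and enc(m, p_k, s_k) is E(m, p_k). The toy schemes are
# symmetric, so the game hands s_k to enc but only p_k to the adversary.
OTP = ([(None, k) for k in MSGS], lambda m, pk, sk: m ^ sk)          # nothing public
LEAKY = ([(parity(k), k) for k in MSGS], lambda m, pk, sk: m ^ sk)   # p_k = parity of the pad (constructed flaw)


def pr_output(scheme, adv, m, a):
    """Pr_{(p_k,s_k) <- G(n)} [ adv(E(m,p_k), p_k) = a ]  (the quantity in (*))."""
    keys, enc = scheme
    hits = sum(adv(enc(m, pk, sk), pk) == a for pk, sk in keys)
    return Fraction(hits, len(keys))


def mi_success(scheme, adv, m0, m1):
    """Pr_{i in {0,1}, (p_k,s_k) <- G(n)} [ adv(E(m_i,p_k), p_k) = i ]: the MI game."""
    keys, enc = scheme
    hits = sum(adv(enc((m0, m1)[i], pk, sk), pk) == i
               for i, (pk, sk) in product((0, 1), keys))
    return Fraction(hits, 2 * len(keys))


def parity_guesser(m0, m1):
    """MI adversary: on LEAKY, parity(c) XOR p_k equals parity(m_i)."""
    def adv(c, pk):
        if pk is None or parity(m0) == parity(m1):
            return 0                                   # nothing to exploit: fixed guess
        return 0 if parity(c) ^ pk == parity(m0) else 1
    return adv


def reduce_to_mi(adv, a):
    """A'(c, p_k) = 1 if A(c, p_k) = a else 0  (slide 6)."""
    return lambda c, pk: 1 if adv(c, pk) == a else 0


def slide6_identity_holds(scheme, adv, a, m0, m1):
    """Pr[A' wins MI] == 1/2 + (Pr[A(E(m1))=a] - Pr[A(E(m0))=a]) / 2, for any A and a."""
    lhs = mi_success(scheme, reduce_to_mi(adv, a), m0, m1)
    rhs = Fraction(1, 2) + (pr_output(scheme, adv, m1, a) - pr_output(scheme, adv, m0, a)) / 2
    return lhs == rhs


def parity_extractor(c, pk, z):
    """SS adversary A(c, p_k, h(m)) trying to output f(m) = parity(m); z = h(m) is empty and ignored."""
    return parity(c) ^ (pk or 0)


def ss_gap(scheme, adv3, f):
    """Pr_{m<-X,(p_k,s_k)<-G(n)}[A(E(m,p_k),p_k,h(m)) = f(m)]
       - Pr_{m<-X,(p_k,s_k)<-G(n)}[A(E(0,p_k),p_k,h(m)) = f(m)]
    with X uniform over MSGS and h(m) = "". The second term is the success of the
    simulator S(z) = A(E(0,p_k),p_k,z) from slide 6; a gap above 2*eps breaks SS."""
    keys, enc = scheme
    real = sum(adv3(enc(m, pk, sk), pk, "") == f(m) for m in MSGS for pk, sk in keys)
    sim = sum(adv3(enc(0, pk, sk), pk, "") == f(m) for m in MSGS for pk, sk in keys)
    return Fraction(real - sim, len(MSGS) * len(keys))


if __name__ == "__main__":
    for name, scheme in (("OTP", OTP), ("LEAKY", LEAKY)):
        print(name, "MI success on (000,001):", mi_success(scheme, parity_guesser(0, 1), 0, 1))
        print(name, "MI success on (000,011):", mi_success(scheme, parity_guesser(0, 3), 0, 3))
        print(name, "slide-6 identity holds:", slide6_identity_holds(scheme, parity_guesser(0, 1), 1, 0, 1))
        print(name, "SS gap for f = parity:", ss_gap(scheme, parity_extractor, parity))
```

On the one-time pad every adversary's MI success is exactly 1/2 and the SS gap is 0. On the leaky scheme the parity guesser wins the MI game with certainty for messages of different parity but only with probability 1/2 for messages of equal parity, and its SS gap is 1/2: this is why both definitions quantify over every pair of messages and every $f$, and the leak shows up in the same place (the pair $m'$, $0$ of slide 7) under either definition, as the equivalence predicts.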