mit 6.875 & berkeley cs276
TRANSCRIPT
MIT 6.875 & Berkeley CS276
Lecture 2Foundations of Cryptography
Administrivia
o Piazza Time-zone Survey & Office hours
o PS1 Released, due Sept 15
The Secure Communication Problem
Alice
Key k
o Alice and Bob have a common key k
Bob
Key k
Eve
o Algorithms (Gen, Enc, Dec)o Correctness: Dec(k, Enc(k,m)) = m o Security: No Eve learns anything about m.
m
How to Define Security
Perfect secrecy: A Posteriori = A Priori
Perfect indistinguishability:
The two definitions are equivalent!
For all π, π: Pr π = π πΈ πΎ,π = π] = Pr[π = π]
For all π!, π", π: Pr[πΈ πΎ,π! = π] = Pr[πΈ πΎ,π" = π]
Is there a perfectly secure scheme?
β’ One-time Pad: πΈ π,π = πβ¨π
β’ However: Keys are as long as Messages
β’ WORSE, Shannonβs theorem: for any perfectly secure scheme, |key|β₯|message|.
Can we overcome Shannonβs conundrum?
Letβs first rewriteβ¦Perfect indistinguishability: as a Turing test
For all π!, π", π: Pr[πΈ πΎ,π! = π] = Pr[πΈ πΎ,π" = π]
World 0: World 1:
π = πΈ π,π! π = πΈ π,π"
is a distinguisher.
For all EVE and all π!, π": Pr π β K; π = πΈ π,π! : πΈππΈ π = 0= Pr π β K; π = πΈ π,π" : πΈππΈ π = 0
kβ K kβ K
Letβs first rewriteβ¦Perfect indistinguishability: as a Turing test
For all π!, π", π: Pr[πΈ πΎ,π! = π] = Pr[πΈ πΎ,π" = π]
World 0: World 1:
π = πΈ π,π! π = πΈ π,π"
is a distinguisher.
For all EVE and all π!, π":Pr π β K; π β 0,1 ; π = πΈ π,π# : πΈππΈ π = π = 1/2
kβ K kβ K
The Axiom of Modern Crypto
Feasible Computation = Probabilistic polynomial-time*
(p.p.t. = Probabilistic polynomial-time)
So, Alice and Bob are fixed p.p.t. algorithms. (e.g., run in time n^2)
Eve is any p.p.t. algorithm. (e.g., run in time n^4, or n^100, or n^10000,β¦)
* in recent years, quantum polynomial-time
(polynomial in a security parameter n)
Computational Indistinguishability
World 0: World 1:
π = πΈ π,π! π = πΈ π,π"
is a p.p.t. distinguisher.
For all p.p.t. EVE and all π!, π":Pr π β K; π β 0,1 ; π = πΈ π,π# : πΈππΈ π = π = 1/2
kβ K kβ K
Still subject to Shannonβs impossibility!
(take 1)
Still subject to Shannonβs impossibility!
cSet of messages consistent with c= {D(k,c): all k}
Messages n+1 bits
π!
π"
ciphertexts
Consider Eve that picks a random key k and outputs 0 if D(k,c) = π!outputs 1 if D(k,c) = π"and a random bit if neither holds.
w.p β₯ π/ππ
w.p = 0
Bottomline: Pr[EVE succeeds] β₯ 1/2 + 1/2%
New Notion: Negligible Functions
Functions that grow slower than 1/p(n) for any polynomial p.
Definition: A function π:β β β is negligible if for every polynomial function p,for all sufficiently large n:
π(n) < 1/p(n)
there exists an π! s.t.for all π > π!:
Key property: Events that occur with negligible probability look to poly-time algorithms like they never occur.
New Notion: Negligible Functions
Functions that grow slower than 1/p(n) for any polynomial p.
Definition: A function π:β β β is negligible if for every polynomial function p,for all sufficiently large n:
π(n) < 1/p(n)
there exists an π! s.t.for all π > π!:
Question: Let π π = π/ππ₯π¨π π. Is π negligible?
New Notion: Negligible Functions
Functions that grow slower than 1/p(n) for any polynomial p.
Definition: A function π:β β β is negligible if for every polynomial function p,for all sufficiently large n:
π(n) < 1/p(n)
there exists an π! s.t.for all π > π!:
Question: Let π π = π/ππππ if n is prime and π π = π/ππ otherwise. Is π negligible?
Computational Indistinguishability
World 0: World 1:
π = πΈ π,π! π = πΈ π,π"
is a distinguisher.
For all p.p.t. EVE, there is a negligible function πs.t. for all π!, π":
Pr π β K; π β 0,1 ; π = πΈ π,π# : πΈππΈ π = π β€12+ π(π)
kβ K kβ K
Our First Crypto Tool: Pseudorandom Generators (PRG)
PRG Definition
A function πΊ: {0,1}%β {0,1}%+" is a pseudorandom generator if for no p.p.t. EVE can distinguish between πΊ(π%) and π%+".
π%= uniform distribution on n bits.
π%+"= uniform distribution on n+1 bits.
PRG Definition
A function πΊ: {0,1}%β {0,1}%+" is a pseudorandom generator if for for all p.p.t. EVE, there is a negligible function π s.t.
|Pr π¦ β π%+": πΈππΈ π¦ = 0 βPr[π₯ β π%; y = G x : EVE y = 0]| β€ π(n)
Question: What happens to this de_inition if EVE is unbounded?
PRG βΉ Overcoming Shannonβs Conundrum
πΊππ 1% : Generate a random π-bit key k.
πΈππ π,π where π is an (π + π)-bit message:
Expand k into a (n+1)-bit pseudorandom string k, = πΊ(k)
One-time pad with k,: ciphertext is πβ²β¨π
π·ππ π, π outputs G(π)β¨π
(or, How to Encrypt n+1 bits using an n-bit key)
ππ¨π«π«ππππ§ππ¬π¬:π·ππ π, π outputs G π β¨π = G π β¨πΊ π β¨m = m
PRG βΉ Overcoming Shannonβs Conundrum
Suppose for contradiction that there is a p.p.t. EVE, a polynomial function π and π!, π" π . π‘.
Pr π β K; π β 0,1 ; π = πΈ π,π# : πΈππΈ π = π β₯12 + 1/π(π)
Security: by contradiction.
PRG βΉ Overcoming Shannonβs Conundrum
Suppose for contradiction that there is a p.p.t. EVE, a polynomial function π and π!, π" π . π‘.
Ο = Pr π β {0,1}% ; π β 0,1 ; π = πΊ(π)β¨π#: πΈππΈ π = π
β₯12+ 1/π(π)
Security: by contradiction.
Let Ο, = Pr πβ² β 0,1 %+" ; π β 0,1 ; π = πβ²β¨π#: πΈππΈ π = π= "
-
This will give us a distinguisher EVEβ for G, contradicting the assumption that G is a pseudorandom generator. QED.
PRG βΉ Overcoming Shannonβs Conundrum
Get as input a string y, run EVE(yβ¨π#) for a random b, and let EVEβs output be bβ. Output βPRGβ if b=bβ and βRANDOMβ otherwise.
Distinguisher EVEβ for G.
Pr πΈππΈ,ππ’π‘ππ’π‘π βππ πΊβ π¦ ππ ππ ππ’ππππππππ]= Ο β₯ "
-+ 1/π(π)
Pr πΈππΈ,ππ’π‘ππ’π‘π βππ πΊβ π¦ ππ ππππππ] = Ο, =12
Therefore, Pr πΈππΈ,ππ’π‘ππ’π‘π βππ πΊβ π¦ ππ ππ ππ’ππππππππ] βPr πΈππΈ,ππ’π‘ππ’π‘π βππ πΊβ π¦ ππ ππππππ]
β₯ 1/π(π)
PRG βΉ Overcoming Shannonβs Conundrum
πΈπ: Do PRGs exist?
(or, How to Encrypt n+1 bits using an n-bit key)
πΈπ:
(Exercise: If P=NP, PRGs do not exist.)
How do we encrypt π"!! message bits with π key bits?
(Length extension: If there is a PRG that stretches by one bit, there is one that stretches by polynomially many bits)
Constructing PRGs: Two MethodologiesThe Practical Methodology
1. Start from a design framework (e.g. βappropriately chosen functions composed appropriately many times look randomβ)
Constructing PRGs: Two MethodologiesThe Practical Methodology
1. Start from a design framework (e.g. βappropriately chosen functions composed appropriately many times look randomβ)
2. Come up with a candidate construction
MATH
Rijndael(now the Advanced Encryption Standard)
Constructing PRGs: Two MethodologiesThe Practical Methodology
1. Start from a design framework (e.g. βappropriately chosen functions composed appropriately many times look randomβ)
2. Come up with a candidate construction
3. Do extensive cryptanalysis.
Constructing PRGs: Two MethodologiesThe Foundational Methodology (much of this course)
Reduce to simpler primitives.
OWF
well-studied, average-case hard, problems
βScience wins either wayβ βSilvio Micali
PRG
PRF
Hashing
Digital Signatures
Constructing PRGs: Two MethodologiesThe Foundational Methodology (much of this course)
A PRG Candidate from the hardness of Subset-sum:
G(π", β¦ , π%, π₯", β¦ , π₯%) = (π", β¦ , π%,β./"% π₯.π. mod 2%+")
where π. are random (n+1)-bit numbers, and π₯.are random bits.
Beautiful Function:
If G is a one-way function, then G is a PRG (Pset 1).
If lattice problems are hard on the worst-case, G is a PRG (6.876 Fall18 / CS294-168 Spring20)
PRG βΉ Overcoming Shannonβs Conundrum
πΈπ: Do PRGs exist?
(or, How to Encrypt n+1 bits using an n-bit key)
πΈπ:
(Exercise: If P=NP, PRGs do not exist.)
How do we encrypt π"!! message bits with π key bits?
(Length extension: If there is a PRG that stretches by one bit, there is one that stretches by polynomially many bits)
Length extension: One bit to Many bits
Let G: {0,1}% β {0,1}%+" be a pseudorandom generator.
Goal: use G to generate many pseudorandom bits.
Let G: {0,1}% β {0,1}%+" be a pseudorandom generator.
Goal: use G to generate poly many pseudorandom bits.
Length extension: One bit to Many bits
Let G: {0,1}% β {0,1}%+" be a pseudorandom generator.
Gπ₯! π₯" = πΊ(π₯!)
Construction of Gβ(π₯!)
Goal: use G to generate poly many pseudorandom bits.
Length extension: One bit to Many bits
Let G: {0,1}% β {0,1}%+" be a pseudorandom generator.
Gπ₯! π₯"
Construction of Gβ(π₯!)
Goal: use G to generate poly many pseudorandom bits.
Length extension: One bit to Many bits
π"π¦"
Let G: {0,1}% β {0,1}%+" be a pseudorandom generator.
Gπ₯!
π"
Construction of Gβ(π₯!)
Goal: use G to generate poly many pseudorandom bits.
Length extension: One bit to Many bits
π¦"G
π¦-
π-
Gπ¦01"
π01"
β¦
Output π" π- π2 π3 π4 β¦π¦0.
Also called a stream cipher by the applied people.
G
π0 π¦0
Are we all set with encryption?
To encrypt the i-th bit, use the i-th pseudorandom bit.
1. Runtime (an efficiency issue)
2. Need to remember state (a security issue)
In a couple of weeks, Shafi will solve both problems in one shot.
Two problems:
Next Lecture:
Define one-way functions (OWF),
Hardcore bits (HCB),
Goldreich-Levin Theorem: every OWF has a HCB.
Show that OWF β PRG (how to construct a PRG from any OWF*)