provable security iiyuyu.hk/files/slide3.pdf · 2019. 3. 18. · title: provable security ii...
![Page 1: Provable Security IIyuyu.hk/files/slide3.pdf · 2019. 3. 18. · Title: Provable Security II Author: Yu Created Date: 3/18/2019 2:17:01 PM](https://reader033.vdocument.in/reader033/viewer/2022052104/603fbf580b02966f19775818/html5/thumbnails/1.jpg)
Provable Security III
Modern cryptography: computational security
• Information-theoretic cryptography
  • Security: statistical or even perfect
  • Efficiency: bad… (key length ≤ message length)
  • Other: not beyond symmetric cryptography (public-key crypto impossible)
• Modern cryptography (achieves only computational security)
computational security: relaxing statistical security
• A cryptographic scheme E is $(t, \varepsilon)$-secure if every adversary of running time at most $t$ succeeds in breaking E (e.g., distinguishes it from a random system) with probability at most $\varepsilon$.
• Perfect security: $t = \infty$, $\varepsilon = 0$
• Statistical security: $t = \infty$, $\varepsilon = \mathrm{negl}(n) = n^{-\omega(1)}$ ($n$ is the security parameter)
• Computational security: $t = n^{\omega(1)}$, $\varepsilon = n^{-\omega(1)}$
• Asymptotic setting
private-key encryption scheme
Computationally indistinguishable encryptions
computationally indistinguishable encryptions
Semantic Security
Pseudorandom generator (PRG)
• (Pseudorandom generator). Let $g:\{0,1\}^n \to \{0,1\}^\ell$ ($\ell > n$) be a deterministic polynomial-time algorithm. We say that g is a pseudorandom generator (PRG) if for all PPT distinguishers D there exists a negligible function negl(·) such that
$|\Pr[D(g(U_n))=1] - \Pr[D(U_\ell)=1]| = \mathrm{negl}(n)$
where the probabilities are taken over $U_n$ (or $U_\ell$) and the random coins used by D.
• ($(t, \varepsilon)$-secure PRG). $g:\{0,1\}^n \to \{0,1\}^\ell$ ($\ell > n$) is a $(t, \varepsilon)$-secure PRG if every probabilistic distinguisher D of running time $t$ satisfies
$|\Pr[D(g(U_n))=1] - \Pr[D(U_\ell)=1]| \le \varepsilon$
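The distinguishing advantage from the definition, computed exactly for toy parameters (an added example, not taken from the slides). The generators `g_parity` and `g_hash`, the distinguishers and the sizes `N`, `ELL` are constructed for illustration; `g_hash` uses SHA-256 only as a stand-in. It also shows why a PRG can only be computationally secure: the exhaustive distinguisher reaches advantage at least 1/2 against any g, but needs about 2^n evaluations of g.

```python
import hashlib
from fractions import Fraction
from itertools import product

N = 8          # seed length n, kept tiny so every probability is exact
ELL = N + 1    # output length l > n

def bits(length):
    """All bit strings of the given length, as tuples of 0/1."""
    return list(product((0, 1), repeat=length))

def g_parity(seed):
    """Constructed weak generator: the seed followed by its parity bit."""
    return seed + (sum(seed) % 2,)

def g_hash(seed):
    """Constructed stand-in generator: first l bits of SHA-256(seed).
    Assumption for illustration only, not a proven PRG."""
    digest = hashlib.sha256(bytes(seed)).digest()
    return tuple((digest[i // 8] >> (i % 8)) & 1 for i in range(ELL))

def d_parity(y):
    """Fast distinguisher: accept iff the last bit is the parity of the rest."""
    return int(sum(y[:-1]) % 2 == y[-1])

def d_image(g):
    """Exhaustive distinguisher: accept iff y is in the image of g.
    Needs about 2^n evaluations of g, i.e. it is not polynomial time."""
    image = {g(s) for s in bits(N)}
    return lambda y: int(y in image)

def advantage(g, d):
    """|Pr[D(g(U_n)) = 1] - Pr[D(U_l) = 1]|, computed by enumeration."""
    p_prg = Fraction(sum(d(g(s)) for s in bits(N)), 2 ** N)
    p_uni = Fraction(sum(d(y) for y in bits(ELL)), 2 ** ELL)
    return abs(p_prg - p_uni)

if __name__ == "__main__":
    for name, g in (("g_parity", g_parity), ("g_hash", g_hash)):
        print(name, "vs d_parity:", advantage(g, d_parity))
        print(name, "vs d_image :", advantage(g, d_image(g)))
```
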
PRG has only computational security
• A useful replacement lemma: if X and Y are $(t, \varepsilon)$-indistinguishable and the function f (defined over the domain of X and Y) is T-computable, then f(X) and f(Y) are at least $(t - T, \varepsilon)$-indistinguishable.
• Corollary. SD(f(X), f(Y)) ≤ SD(X, Y)
Proof. Consider unbounded adversaries (where 𝑡 = ∞)
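The lemma's reduction and its corollary, worked exactly on small distributions (an added example, not from the slides). `X`, `Y`, `f_low` and `f_high` are constructed for illustration; with unbounded distinguishers the best advantage equals the statistical distance, which is what the proof of the corollary uses.

```python
from fractions import Fraction

def sd(p, q):
    """Statistical distance between distributions given as {value: prob}."""
    return sum(abs(p.get(v, 0) - q.get(v, 0)) for v in set(p) | set(q)) / 2

def push(p, f):
    """Distribution of f(X) when X is distributed according to p."""
    out = {}
    for v, pr in p.items():
        out[f(v)] = out.get(f(v), 0) + pr
    return out

def adv(p, q, d):
    """|Pr[D(X) = 1] - Pr[D(Y) = 1]| for a deterministic distinguisher d."""
    return abs(sum(pr for v, pr in p.items() if d(v))
               - sum(pr for v, pr in q.items() if d(v)))

def best_distinguisher(p, q):
    """Optimal unbounded (t = infinity) distinguisher: accept where p > q.
    Its advantage equals SD(p, q)."""
    accept = {v for v in set(p) | set(q) if p.get(v, 0) > q.get(v, 0)}
    return lambda v: v in accept

# Constructed distributions on {0, 1, 2, 3}; Y is uniform.
X = {0: Fraction(1, 2), 2: Fraction(1, 4), 3: Fraction(1, 4)}
Y = {v: Fraction(1, 4) for v in range(4)}

def f_low(v):   # keeps the bit that separates X from Y
    return v % 2

def f_high(v):  # discards it
    return v // 2

def reduce_through(f):
    """Turn the best distinguisher D' for f(X) vs f(Y) into D = D' o f for
    X vs Y. D runs f first (cost T) and then D', with the same advantage."""
    fx, fy = push(X, f), push(Y, f)
    d_prime = best_distinguisher(fx, fy)
    return sd(fx, fy), adv(X, Y, lambda v: d_prime(f(v)))
```

Here SD(X, Y) = 1/4; `f_low` preserves that distance while `f_high` reduces it to 0, and in both cases the composed distinguisher on X, Y has exactly the advantage of D' on f(X), f(Y).
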
A PRG with small stretch implies one with arbitrary (polynomial) stretch
[Figure: chain of states $s_0, s_1, s_2, s_3, \dots, s_i, s_{i+1}, \dots$ with outputs $r_1, r_2, r_3, \dots, r_{i+1}$]
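The chain of states and outputs in the figure, as an added sketch that is not from the slides. It assumes the figure depicts the standard iteration $(s_{i+1}, r_{i+1}) = g(s_i)$ with a one-bit-stretch g; the SHA-256 stand-in for g, `N_BYTES` and the function names are assumptions. `hybrid` goes beyond the slide and builds the intermediate distributions of the standard hybrid argument, in which neighbouring hybrids differ by a single application of g.

```python
import hashlib
import os

N_BYTES = 16  # state length n in bytes (assumed parameter for this sketch)

def g(state):
    """Stand-in for a PRG with one bit of stretch, {0,1}^n -> {0,1}^(n+1).
    Returns (s_next, r). Using SHA-256 here is an assumption, not a proof."""
    digest = hashlib.sha256(state).digest()
    return digest[:N_BYTES], digest[N_BYTES] & 1

def stretch(seed, out_bits):
    """s_0 = seed; (s_{i+1}, r_{i+1}) = g(s_i); output r_1 ... r_l.
    Also returns the final state, which must stay secret like the seed."""
    if len(seed) != N_BYTES:
        raise ValueError("seed must be exactly N_BYTES long")
    state, out = seed, []
    for _ in range(out_bits):
        state, r = g(state)
        out.append(r)
    return out, state

def hybrid(k, out_bits, rand_bytes=os.urandom):
    """k-th hybrid of the standard proof: r_1..r_k are truly random, and the
    chain then continues from a fresh random state s_k. k = 0 is the
    generator's output; k = out_bits is the uniform distribution."""
    if not 0 <= k <= out_bits:
        raise ValueError("k must be between 0 and out_bits")
    prefix = [b & 1 for b in rand_bytes(k)]
    tail, _ = stretch(rand_bytes(N_BYTES), out_bits - k)
    return prefix + tail
```
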
PRG-based fixed encryption