Private-Key Encryption

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

August 9, 2024

Computational Secrecy

• Computational Secrecy: Weaker notion of secrecy

• Perfect secrecy requirement

  • Absolutely no information about an encrypted message is leaked, even to an adversary with unlimited computational power

• Computational secrecy requirement

  • Information about the encrypted message is leaked with a tiny probability to eavesdroppers with bounded computational power

Computational Security Definitions

• In general, computational security definitions incorporate two relaxations

  • Security is only guaranteed against realistic adversaries that run for some feasible amount of time

  • Adversaries can potentially succeed with some very small probability

• Precise definitions of the above relaxations are needed

• Two approaches: concrete and asymptotic

The Concrete Approach

• Upper bounds the success probability of an adversary running for some specified time

• A concrete definition of security takes the following form

  A scheme is (t,\epsilon)\textsf{-secure} if any adversary running for time at most t succeeds in breaking the scheme with probability at most \epsilon.

• Example: A (200 years, 2^{-60})-secure scheme would guarantee that no adversary running for at most 200 years can break the scheme with probability better than 2^{-60}

• More convenient to measure running time in terms of CPU cycles, as in (2^{80} cycles, 2^{-60})

Values for t and \epsilon

• How large can t be? How small should \epsilon be?
• Consider an private-key encryption scheme with a n-bit key
  • Key space has size 2^n
  • Brute-force adversary succeeds in breaking scheme with probability at most \frac{ct}{2^n} for some constant c
  • For c=1 and n=64, a 4 GHz processor with 16 cores requires at most 10 years
• Minimum recommended key length is n=128
• Estimates of time since Big Bang = 2^{58} seconds
• An event that occurs with probability 2^{-60} each second is expected to occur once every 10 billion years
• In general, precise concrete guarantees are difficult to provide

Number of atoms in the universe is about 10^{80}

The Asymptotic Approach

• Based on complexity theory
• Cryptographic schemes are parametrized by an integer-valued security parameter n (typically the key length)
• Running time of the adversary and its success probability are viewed as functions of n
• This notion of security is asymptotic since it depends on a scheme’s behavior for sufficiently large values of n

Efficient Adversaries

• Realistic adversaries are modeled by probabilistic algorithms running in time polynomial in n

• An algorithm A runs in polynomial time if there exists a polynomial p such that, for every input x \in \{0,1\}^*, the computation of A(x) terminates within at most p(|x|) steps where |x| denotes the length of x

• An algorithm with polynomial running time is said to be efficient

• Composition of efficient algorithms is efficient

  • If p_1, p_2 are two polynomials, then p(n) = p_1(p_2(n)) is also a polynomial

Probabilistic Algorithm

• Algorithms having access to a sequence of unbiased, independent random bits

• Random bits can be represented as r \leftarrow \{0,1\}^*

• An algorithm A runs in polynomial time if there exists a polynomial p such that, for every input x \in \{0,1\}^* and r \leftarrow \{0,1\}^*, the computation of A(x,r) terminates within at most p(|x| +|r|) steps

Negligible Probabilities

• Small probabilities of success are modeled by probabilities smaller than any inverse polynomial in n

  • Called negligible probabilities

• Definition: A function f from the natural numbers to the non-negative real numbers is negligible if for every positive polynomial p there is an N such that for all integers n > N it holds that f(n) < \frac{1}{p(n)}.

• Examples: 2^{-n}, 2^{-\sqrt{n}}, n^{-\log n}

• An arbitrary negligible function is denoted by \textsf{negl}

Compare to \frac{1}{n^5}. N has to be at least 23, 3500, 33 respectively.

Properties of Negligible Probabilities

• Let \textsf{negl}_1 and \textsf{negl}_2 be negligible functions.
  • The function \textsf{negl}_3 defined by \textsf{negl}_3(n) = \textsf{negl}_1(n) + \textsf{negl}_2(n) is negligible.
  • For any positive polynomial p, the function \textsf{negl}_4 defined by \textsf{negl}_4(n) = p(n) \cdot \textsf{negl}_1(n) is negligible.

General Framework for Asymptotic Security Definitions

• A scheme is secure if for every probabilistic polynomial-time adversary \mathcal{A} carrying out an attack of a formally specified type, the probability that \mathcal{A} succeeds in the attack (where success is also formally specified) is negligible
• A scheme is secure if for every PPT adversary \mathcal{A} carrying out an attack, and every polynomial p, there is an integer N such that when n > N the probability that \mathcal{A} succeeds in the attack is less than \frac{1}{p(n)}

Asymptotic Security Example

• Suppose that a scheme is asymptotically secure
• Suppose an adversary running for n^3 minutes can succeed in “breaking the scheme” with probability \le \frac{2^{40}}{2^n}
• For n \le 40, this adversary can run for 40^3 minutes (about 6 weeks) and break the scheme with probability 1
• For n = 50, this adversary can run for 50^3 minutes (about 3 months) and break the scheme with probability \frac{1}{1000}
• For n = 500, this adversary running for 200 years can break the scheme with probability \approx 2^{-500}
• Security parameter allows us to “tune” the security level of the scheme to a desired level

Choices Made in Defining Asymptotic Security

• Probabilistic polynomial-time adversaries
  • Not unique to cryptography
  • Frees us from specifying the model of computation precisely
  • Extended Church-Turing thesis: All “reasonable” models of computation are polynomially equivalent
  • Closure property
• Negligible probabilities of success
  • Closure property

Necessity of the Relaxations

• Both PPT adversaries and negligible probabilities of success are needed to allow practical encryption schemes

• Consider private-key encryption where |\mathcal{K}| < |\mathcal{M}|

• Two attacks are always applicable

  • Given ciphertext c, an adversary can decrypt c using all keys k \in \mathcal{K}.
    • As |\mathcal{K}| < |\mathcal{M}|, there is information leakage.
  • Given ciphertexts c_1,c_2,\ldots,c_l corresponding to known messages m_1, m_2,\ldots,m_l, an adversary can guess a uniform key k \in \mathcal{K} and check \textsf{Dec}_k(c_i) = m_i for all i.
    • If checks pass, adversary can use k to decrypt subsequent ciphertexts
    • Adversary runs in constant time and succeeds with probability \frac{1}{|\mathcal{K}|}

• Setting |\mathcal{K}| large enough avoids these attacks

Defining Computationally Secure Encryption

• We need to introduce the security parameter n in our syntax of private-key encryption.
• We assume \mathcal{M} = \{0,1\}^*
• We allow the decryption algorithm to output an error in case it is presented with an invalid ciphertext

Private-key Encryption

• A private-key encryption scheme is a triple of PPT algorithms (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) such that:

  1. k \leftarrow \textsf{Gen}(1^n).
  2. For m \in \left\{ 0,1 \right\}^*, c \leftarrow \textsf{Enc}_k(m).
  3. m \coloneqq \textsf{Dec}_k(c) or error indicator \perp.

• For every m, c, k, we have \textsf{Dec}_k\left( \textsf{Enc}_k\left( m \right) \right) = m

• Why is 1^n input to \textsf{Gen} instead of n?

Indistinguishability in the presence of an eavesdropper

• We consider the ciphertext-only attack where the adversary observes a single ciphertext
• Our definition will resemble perfect indistinguishability definition except for two differences
  • The experiment is parametrized by n
  • We require the adversary to output equal length messages m_0, m_1

Why equal length messages?

• We require |m_0| = |m_1| because it is impossible to support arbitrary length messages
• All commonly used encryption schemes reveal length of the plaintext
• Padding must be used if length of the message has sensitive information

Adversarial Indistinguishability Experiment

• Consider the following experiment \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n):
  • \mathcal{A} is given 1^n and outputs arbitrary m_0, m_1 \in \mathcal{M} with |m_0| = |m_1|
  • A key k is generated using \textsf{Gen}(1^n), and a uniform bit b \in \{0,1\} is chosen
  • Ciphertext c \leftarrow \textsf{Enc}_k(m_b) is computed and given to \mathcal{A}
  • This ciphertext c is called the challenge ciphertext
  • \mathcal{A} outputs a bit b'
  • The output of the experiment is defined to be 1 if b' = b, and 0 otherwise
• We write \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n) = 1 if the output of the experiment is 1 and say that \mathcal{A} succeeds

Security Definition

• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable encryptions in the presence of an eavesdropper, or is EAV-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that, for all n, \Pr\left[ \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

• Any perfectly secure scheme is also EAV-secure

Alternative Definition of EAV-Security

• Let \textsf{out}_{\mathcal{A}}\left( \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n,b)\right) denote the output b' of \mathcal{A} when m_b is encrypted
• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) is EAV-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that, for all n, \begin{align*} & \left| \Pr\left[ \textsf{out}_{\mathcal{A}}\left( \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n,0)\right)= 1\right] \right. \\ & \quad\quad \left. - \Pr\left[ \textsf{out}_{\mathcal{A}}\left( \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n,1)\right)= 1\right]\right| \\ & \quad\quad\quad\quad \le \textsf{negl}(n). \end{align*}
• Adversary “behaves the same” irrespective of whether it observes an encryption of m_0 or of m_1

Semantic Security

• Can we define computationally secure encryption without an experiment?
• Definition needs to be the analog of perfect secrecy for computationally bounded adversaries
• Semantic security is that analog
  • First definition of computationally secure encryption to be proposed
  • Difficult to work with
  • EAV-security and semantic security are equivalent

Semantic Security Definition

• A private-key encryption scheme \Pi = (\textsf{Enc}, \textsf{Dec}) is semantically secure in the presence of an eavesdropper if for every PPT algorithm \mathcal{A} there exists a PPT algorithm \mathcal{A}' such that for any PPT algorithm \textsf{Samp} and polynomial-time computable functions f and h, the following is negligible: \begin{align*} & \bigg| \Pr\left[ \mathcal{A}\left( 1^n, \textsf{Enc}_k(m), h(m)\right) =f(m) \right] \\ & \quad\quad - \Pr\left[ \mathcal{A}'\left( 1^n, |m|, h(m) \right) =f(m) \right] \bigg| \end{align*}
• where
  • k is chosen uniformly from \{0,1\}^n
  • m \leftarrow \textsf{Samp}(1^n)
  • h(m) accounts for any external information about m

Semantic Security and EAV-Security are Equivalent

• A private-key encryption scheme is EAV-secure if and only if it is semantically secure in the presence of an eavesdropper
• EAV-security is simpler and easier to work with
• We will follow a similar strategy for other definitions of secure encryption

Constructing an EAV-Secure Encryption Scheme

Strategy

1. Define pseudorandom generators
2. Construct an encryption scheme using a pseudorandom generator
3. Prove that the existence of an attacker that can “break” the encryption scheme implies that the generator is not pseudorandom

Pseudorandom Generators

• A pseudorandom generator is a polynomial-time deterministic algorithm for transforming a short, uniform bitstring called the seed into a longer, “uniform-looking” output string.

• Pseudorandomness is a property of a distribution on strings

• Some desirable properties of a pseudorandom generator:

  • Any bit of the output should be equal to 1 with probability close to \frac{1}{2}.
  • The parity of any subset of the output bits should be even with probability close to \frac{1}{2}.

Good Pseudorandom Generators

• A good pseudorandom generator should pass all efficient statistical tests
• For any efficient statistical test or distinguisher D, the probability that D returns 1 given the output of the pseudorandom generator should be close to the probability that D returns 1 when given a uniform string of the same length.

Pseudorandom Generator Definition

• Let l be a polynomial and let G be a deterministic polynomial-time algorithm such that for any n and s \in \{0,1\}^n, we have |G(s)| = l(n)

• G is a pseudorandom generator if the following conditions hold:

  1. Expansion: For every n it holds that l(n) > n.
  2. Pseudorandomness: For any PPT algorithm D, there is a negligible function \textsf{negl} such that \begin{equation*} \left| \Pr\left[ D\left( G(s) \right) = 1 \right] - \Pr\left[ D(r) = 1 \right] \right| \le \textsf{negl}(n), \end{equation*} where

     • the first probability is taken over uniform choice of s \in \{0,1\}^n and the randomness of D

     • the second probability is taken over uniform choice of r \in \{0,1\}^{l(n)} and the randomness of D.

• We call l the expansion factor of G.

Understanding the Definition

• Example of a non-pseudorandom generator
  • Define G : \{0,1\}^n \rightarrow \{0,1\}^{n+1} as G(s) = s \| \left(\oplus_{i=1}^{n} s_i \right)
  • The \| operator represents string concatenation
• What happens if remove the restriction that D is polynomial time?

Stream Ciphers

• Stream ciphers are practical systems which behave like pseudorandom generator

• Example: A5/1

• Used to provide voice encryption in the GSM cellular system.
• Developed in 1987. Reverse engineered in 1999.

A Secure Fixed-Length Encryption Scheme

• Let G be a PG with expansion factor l
• Define a private-key encryption scheme for messages of length l as follows:
  • \textsf{Gen}: On input 1^n, choose k uniformly from \{0,1\}^n.
  • \textsf{Enc}: Given k \in \{0,1\}^n and message m \in \{0,1\}^{l(n)}, output the ciphertext \begin{equation*} c := G(k) \oplus m. \end{equation*}
  • \textsf{Dec}: Given k \in \{0,1\}^n and ciphertext c \in \{0,1\}^{l(n)}, output the message \begin{equation*} m \coloneqq G(k) \oplus c. \end{equation*}

Security of Construction

• If G is a pseudorandom generator, then the construction is EAV-secure, i.e. for any PPT adversary \mathcal{A} there is a negligible function \textsf{negl} such that \begin{equation*} \Pr\left[ \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n). \end{equation*}

Security Proof Overview

• Note: If a one-time pad is used instead of G(k), the system is EAV-secure
• Key idea: If a PPT adversary \mathcal{A} can distinguish between the encryptions of m_0 and m_1, then it can distinguish between G(k) and a uniformly random bitstring
• We will construct a distinguisher \mathcal{D} that uses \mathcal{A} as a subroutine

Distinguisher Definition

• D is given a string w \in \{0,1\}^{l(n)}

  • Run \mathcal{A}(1^n) to obtain a pair of messages m_0, m_1 \in \{0,1\}^{l(n)}
  • Choose a uniform bit b \in \{0,1\}. Set c:= w \oplus m_b.
  • Give c to \mathcal{A} and get b'. If b = b' output 1 and output 0 otherwise.

• If \mathcal{A} succeeds, D decides that w is a pseudorandom string and if \mathcal{A} fails D decides w is a random string.

View of the Adversary

• Let \tilde{\Pi} be the one-time pad scheme with length l(n)
• When w is chosen uniformly from \{0,1\}^{l(n)}, then the view of \mathcal{A} is identical to the view of \mathcal{A} in \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A},\tilde{\Pi}}(n)
• When w generated by choosing k uniformly from \{0,1\}^{n} and setting w \coloneqq G(k), then the view of \mathcal{A} is identical to the view of \mathcal{A} in \textsf{PrivK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n)

Stronger Security Notions

• Security for Multiple Encryptions
• CPA-Security
• CPA-Security for Multiple Encryptions

Multiple-Message Eavesdropping Experiment

• Consider the following experiment \textsf{PrivK}^{\textsf{mult}}_{\mathcal{A}, \Pi}(n):
  • \mathcal{A} is given 1^n and outputs a pair of equal-length lists of messages \vec{M}_0 = (m_{0,1},\ldots, m_{0,t}) and \vec{M}_1 = (m_{1,1},\ldots, m_{1,t}) with |m_{0,i}| = |m_{1,i}| for all i
  • A key k is generated using \textsf{Gen}, and a uniform bit b \in \{0,1\} is chosen
  • Ciphertext vector \vec{C} = (c_1,\ldots,c_t) is given to \mathcal{A} where c_i \leftarrow \textsf{Enc}_k(m_{b,i})
  • \mathcal{A} outputs a bit b'
  • The output of the experiment is defined to be 1 if b' = b, and 0 otherwise
• We write \textsf{PrivK}^{\textsf{mult}}_{\mathcal{A}, \Pi}(n) = 1 if the output of the experiment is 1 and say that \mathcal{A} succeeds

Security Definition

• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable multiple encryptions in the presence of an eavesdropper if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that, \Pr\left[ \textsf{PrivK}^{\textsf{mult}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

• The one-time pad does not have indistinguishable multiple encryptions in the presence of an eavesdropper

Chosen-Plaintext Attacks

• Adversary can influence the honest parties sharing the key to encrypt messages of its choice and send it over the public channel

• Chosen-plaintext attacks in the real world

  • In WW2, British placed mines knowing that the Germans would encrypt and transmit the mine locations
  • Battle of Midway

• How can we model such an adversary?

The Encryption Oracle

• Chosen-plaintext attacks are modeled by giving the adversary \mathcal{A} access to an encryption oracle
• Oracle: a place where people could go to ask the gods for advice and information about the future
• \mathcal{A} has access to \textsf{Enc}_k(\cdot) as a black box for an unknown k
• When \mathcal{A} queries this oracle with a message m as input, the oracle returns a ciphertext c \leftarrow \textsf{Enc}_k(m)

CPA Indistinguishability Experiment

• Consider the following experiment \textsf{PrivK}^{\textsf{cpa}}_{\mathcal{A}, \Pi}(n):
  • A key k is generated using \textsf{Gen}(1^n)
  • \mathcal{A} is given 1^n and oracle access to \textsf{Enc}_k(\cdot), and outputs pair of messages m_0, m_1 of the same length
  • A uniform bit b \in \{0,1\} is chosen
  • Ciphertext c \leftarrow \textsf{Enc}_k(m_b) is computed and given to \mathcal{A}
  • \mathcal{A} continues to have oracle access to \textsf{Enc}_k(\cdot), and outputs a bit b'
  • The output of the experiment is 1 if b' = b, and 0 otherwise

Security Definition

• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable encryptions under a chosen-plaintext attack, or is CPA-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{cpa}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

CPA-Security for Multiple Encryptions

• We could extend the CPA indistinguishability experiment to multiple encryptions using lists of plaintexts
• We take a different approach that models attackers that can adaptively choose its input to the encryption oracle
• Instead of \textsf{Enc}_k(\cdot) we give the adversary access to a left-or-right oracle \textsf{LR}_{k,b}
• On input m_0, m_1, the oracle gives \textsf{LR}_{k,b}(m_0, m_1) = \textsf{Enc}_k(m_b)

LR-Oracle Experiment

• Consider the following experiment \textsf{PrivK}^{\textsf{LR-cpa}}_{\mathcal{A}, \Pi}(n):
  • A key k is generated using \textsf{Gen}(1^n)
  • A uniform bit b \in \{0,1\} is chosen
  • \mathcal{A} is given 1^n and oracle access to \textsf{LR}_{k,b}(\cdot,\cdot)
  • \mathcal{A} outputs a bit b'
  • The output of the experiment is 1 if b' = b, and 0 otherwise

Security Definition

• A private-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable multiple encryptions under a chosen-plaintext attack, or is CPA-secure for multiple encryptions, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that \Pr\left[ \textsf{PrivK}^{\textsf{LR-cpa}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

Equivalence of CPA-Security Notions

• We have seen three security notions stronger than EAV-security
  • Security for Multiple Encryptions
  • CPA-Security
  • CPA-Security for Multiple Encryptions
• CPA-Security for Multiple Encryptions \implies Security for Multiple Encryptions
• Theorem: CPA-Security \implies CPA-Security for Multiple Encryptions

Constructing a CPA-Secure Encryption Scheme

Strategy

1. Define pseudorandom functions
2. Construct an encryption scheme using a pseudorandom function
3. Prove that the existence of an attacker that can “break” the encryption scheme implies that the function is not pseudorandom

Pseudorandom Functions

• Pseudorandom functions are “random-looking” functions
• In this case, pseudorandomness will be a property of a distribution over functions
• Given a security parameter n, a keyed function F : \{0,1\}^{l_{key}(n)} \times \{0,1\}^{l_{in}(n)} \rightarrow \{0,1\}^{l_{out}(n)} is a two-input function, where the first input is called the key and is denoted by k
• We will only consider efficient keyed functions
• If the key k is fixed, we get a single-input function F_k: \{0,1\}^{l_{in}(n)} \rightarrow \{0,1\}^{l_{out}(n)} defined by F_k(x) = F(k,x).
• F is said to be length-preserving when l_{key}(n) = l_{in}(n) = l_{out}(n) = n.
• For simplicity, assume that F is length-preserving

Uniformly Choosing a Function

• Let \textsf{Func}_n be the set of all functions with domain and range equal to \{0,1\}^n
• A keyed function F is said to be pseudorandom if the function F_k (for a uniform key k) is indistinguishable from a function chosen uniformly from \textsf{Func}_n
• Note that \left| \textsf{Func}_n\right| = 2^{n \cdot 2^n}
• For a length-preserving F_k, choosing k \leftarrow \{0,1\}^n induces a distribution over at most 2^n functions with domain and range equal \{0,1\}^n

Distinguisher for Pseudorandom Functions

• The distinguisher should be allowed to query the function
• D is given access to an oracle \mathcal{O} which is either equal to F_k (for uniform k) or f (for uniform f from \textsf{Func}_n)
• D can query the oracle \mathcal{O} at any point x \in \{0,1\}^n and the oracle returns \mathcal{O}(x)
• D can adaptively query the oracle but can ask only polynomially many queries.

Pseudorandom Function Definition

• Let F be an efficient, length-preserving, keyed function. F is a pseudorandom function if for all PPT distinguishers D, there is a negligible function \textsf{negl} such that: \begin{align*} & \bigg| \Pr\left[ D^{F_k(\cdot)}(1^n) = 1 \right] - \Pr\left[ D^{f(\cdot)}(1^n) = 1 \right]\bigg| \\ & \quad\quad\quad\quad \le \textsf{negl}(n), \end{align*} where

  • the first probability is taken over uniform choice of k \in \{0,1\}^n and the randomness of D, and

  • the second probability is taken over uniform choice of f \in \textsf{Func}_n and the randomness of D

Distinguisher does not know the Key

• D is not given access to the key k
• If k is known, it is easy to construct a distinguisher which succeeds with non-negligible probability

Example of a Non-Pseudorandom Function

• Example of a non-pseudorandom, length-preserving, keyed function F(k,x) = k \oplus x

CPA-Secure Encryption from Pseudorandom Functions

• Let F be a pseudorandom function
• Define a private-key encryption scheme for messages of length n as follows:
  • \textsf{Gen}: On input 1^n, choose k uniformly from \{0,1\}^n.
  • \textsf{Enc}: Given k \in \{0,1\}^n and message m \in \{0,1\}^{n}, choose uniform r \in \{0,1\}^n and output the ciphertext \begin{equation*} c := \langle r, F_k(r) \oplus m \rangle. \end{equation*}
  • \textsf{Dec}: Given k \in \{0,1\}^n and ciphertext c = \langle r, s \rangle, output the plaintext message \begin{equation*} m := F_k(r) \oplus s. \end{equation*}

Some Observations

• Ciphertext is longer than the plaintext
• Every message m has 2^n possible ciphertexts for same key
  • All of them decrypt to the same m
• Ciphertexts of different messages can be the same for different keys

Security Claim

• Theorem: If F is a pseudorandom function, then the above construction is a CPA-secure private-key encryption scheme for messages of length n

• Security Proof Overview

  • Key idea: If a PPT adversary \mathcal{A} can distinguish between message encryptions using f and F_k, then it can be used to distinguish between f and F_k
  • We will construct a distinguisher \mathcal{D} that uses \mathcal{A} as a subroutine

Proof of Security for CPA-Secure Scheme

Replacing the Pseudorandom Function with a Random Function

• Let \widetilde{\Pi} = (\widetilde{\textsf{Gen}}, \widetilde{\textsf{Enc}}, \widetilde{\textsf{Dec}}) be the same as \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) with F_k replaced with f \leftarrow \textsf{Func}_n
• \widetilde{\textsf{Gen}}(1^n) chooses a uniform f from \textsf{Func}_n
  • Not practical but can be defined for the sake of the proof
• Let \mathcal{A} be any PPT adversary which uses at most q(n) encryption oracle queries
• We will show that \begin{align*} & \bigg| \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \Pi}^{\textsf{cpa}}(n) = 1 \right] - \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) = 1 \right]\bigg| \\ & \quad\quad\quad\quad \le \textsf{negl}(n), \end{align*}

Distinguisher Definition (1/3)

D is given 1^n and access to an oracle \mathcal{O}: \{0,1\}^n \rightarrow \{0,1\}^n. It uses \mathcal{A} as a subroutine

1. Whenever \mathcal{A} queries the encryption oracle on message m\in \{0,1\}^n, answer as follows

   1. Choose uniform r\in \{0,1\}^n
   2. Query \mathcal{O}(r) and obtain response y
   3. Return the ciphertext \langle r, y \oplus m \rangle to \mathcal{A}

Distinguisher Definition (2/3)

2. When \mathcal{A} outputs messages m_0, m_1 \in \{0,1\}^n, choose a uniform bit b \in \{0,1\} and then

   1. Choose uniform r\in \{0,1\}^n
   2. Query \mathcal{O}(r) and obtain response y
   3. Return the ciphertext \langle r, y \oplus m_b \rangle to \mathcal{A}

Distinguisher Definition (3/3)

3. Continue answering encryption oracle queries of \mathcal{A}
4. Once \mathcal{A} outputs a bit b', output 1 if b=b' and 0 otherwise.

Finishing the Proof

• We have \begin{align*} & \bigg| \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \Pi}^{\textsf{cpa}}(n) = 1 \right] - \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) = 1 \right]\bigg| \\ = & \bigg| \Pr\left[ D^{F_k(\cdot)}(1^n) = 1 \right] - \Pr\left[ D^{f(\cdot)}(1^n) = 1 \right]\bigg| \\ & \quad\quad\quad\quad \le \textsf{negl}(n), \end{align*}
• We will show that \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) = 1 \right] \le \frac{1}{2} + \frac{q(n)}{2^n}

Upperbound on the Adversary’s Success Probability (1/2)

• In \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) the ciphertext corresponding to m is \langle r, f(r) \oplus m \rangle
• Let r^* be the randomness used when generating the challenge ciphertext \langle r^*, f(r^*) \oplus m_b \rangle
• Two possibilities
  • r^* is never used when answering any of \mathcal{A}’s encryption-oracle queries
  • r^* is used when answering at least one of \mathcal{A}’s encryption-oracle queries

Upperbound on the Adversary’s Success Probability (2/2)

• Let \textsf{repeat} denote the event that r^* was used by the oracle to answer at least one of \mathcal{A}’s queries

• Let \textsf{repeat}^c be the complement of \textsf{repeat}. Then we have \begin{align*} & \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) = 1 \right] \\ & = \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) = 1 \bigcap \textsf{repeat}\right] \\ & \quad + \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \widetilde{\Pi}}^{\textsf{cpa}}(n) = 1 \bigcap \textsf{repeat}^c\right] \\ & \le \frac{q(n)}{2^n} + \frac{1}{2}. \end{align*}

• Finally, we have \Pr\left[ \textsf{PrivK}_{\mathcal{A}, \Pi}^{\textsf{cpa}}(n) = 1 \right] \le \frac{1}{2} + \frac{q(n)}{2^n} + \textsf{negl}(n)

Pseudorandom Permutations

• In practice, constructions of pseudorandom permutations are used instead of pseudorandom functions
• We will consider pseudorandom permutations abstractly for now
• Practical candidate constructions will be described later

Pseudorandom Permutations

• Let \texttt{Perm}_n be the set of all permutations (bijections) on \{0,1\}^n
• \left|\texttt{Perm}_n \right| = \left( 2^n \right)!
• A function F : \{0,1\}^{l_{key}(n)} \times \{0,1\}^{l_{in}(n)} \rightarrow \{0,1\}^{l_{in}(n)} is called a keyed permutation if for all k \in \{0,1\}^{l_{key}(n)}, F_k is a permutation.
• F is said to be efficient if both F_k(x) and F_k^{-1}(y) have polynomial-time algorithms for all k,x,y.
• l_{in}(n) is called the block length of F.
• F is length-preserving if l_{key}(n) = l_{in}(n) = n.

• An f \in \texttt{Perm}_n can be seen as a lookup table where any two distinct rows must be different

Definition of Pseudorandom Permutation

• A pseudorandom permutation is a permutation which cannot be efficiently distinguished from a random permutation

• Let F be an efficient, length-preserving, keyed permutation. F is a pseudorandom permutation if for all PPT distinguishers D, there is a negligible function \textsf{negl} such that: \begin{align*} & \bigg| \Pr\left[ D^{F_k(\cdot)}(1^n) = 1 \right] - \Pr\left[ D^{f(\cdot)}(1^n) = 1 \right]\bigg| \\ & \quad\quad\quad\quad \le \textsf{negl}(n), \end{align*} where

  • the first probability is taken over uniform choice of k \in \{0,1\}^n and the randomness of D, and

  • the second probability is taken over uniform choice of f \in \textsf{Perm}_n and the randomness of D

Strong Pseudorandom Permutations

• A strong pseudorandom permutation is a permutation which cannot be efficiently distinguished from a random permutation even if the distinguisher is given oracle access to the inverse of the permutation

• In practice, constructions of strong pseudorandom permutations are called block ciphers

Definition of Strong Pseudorandom Permutation

• Let F be an efficient, length-preserving, keyed permutation. F is a strong pseudorandom permutation if for all PPT distinguishers D, there is a negligible function \textsf{negl} such that: \begin{align*} & \bigg| \Pr\left[ D^{F_k(\cdot),F_k^{-1}(\cdot)}(1^n) = 1 \right] \\ &\quad\quad - \Pr\left[ D^{f(\cdot),f^{-1}(\cdot)}(1^n) = 1 \right]\bigg| \\ & \quad\quad\quad\quad \le \textsf{negl}(n), \end{align*} where

  • the first probability is taken over uniform choice of k \in \{0,1\}^n and the randomness of D, and

  • the second probability is taken over uniform choice of f \in \textsf{Perm}_n and the randomness of D

Block Cipher Modes of Operation

• Our CPA-secure construction has ciphertext length which is double the plaintext length
• Fortunately, there exist secure constructions based on block ciphers that have lower overheads

Electronic Code Book (ECB) Mode

• Insecure: Should not be used in practice!

• Let \vec{m} = \langle m_1,m_2,\ldots,m_l\rangle where m_i \in \{0,1\}^n.

• Let F be a block cipher with block length n.

• \vec{c} \coloneqq \langle F_k(m_1), F_k(m_2),\ldots,F_k(m_l) \rangle
  

• ECB is deterministic and cannot be CPA-secure.

ECB Example

Image encrypted using ECB mode¹

1. Encrypted Image Attribution: Larry Ewing, lewing@isc.tamu.edu

Cipher Block Chaining (CBC) Mode

• Let \vec{m} = \langle m_1,m_2,\ldots,m_l\rangle where m_i \in \{0,1\}^n.

• Let F be a length-preserving block cipher with block length n.

• A uniform initialization vector (IV) of length n is chosen.

• c_0 = IV. For i = 1,\ldots,l, c_i \coloneqq F_k(c_{i-1}\oplus m_i)

• For i = 1,2,\ldots,l, m_i \coloneqq F_k^{-1}(c_i)\oplus c_{i-1}.

• Ciphertext is larger than the plaintext by n bits

• Decryption can be parallelized

• If F is a pseudorandom permutation, then the CBC-mode encryption is CPA-secure.

Counter (CTR) Mode

• Let \vec{m} = \langle m_1,m_2,\ldots,m_l\rangle where m_i \in \{0,1\}^n.

• Let F be a length-preserving block cipher with length n

• To encrypt a message of length l < 2^{n/4} blocks, a uniform IV of length 3n/4 is chosen

• c_0 = IV. For i = 1,\ldots,l, c_i \coloneqq F_k(IV \| i) \oplus m_i.

• For i = 1,2,\ldots,l, m_i \coloneqq F_k(IV \| i)\oplus c_{i}.

• Ciphertext is larger than the plaintext by 3n/4 bits

• Both encryption and decryption can be parallelized

• The generated stream can be truncated to exactly the plaintext length

• F does not need to be a permutation

• If F is a pseudorandom function, then the CTR-mode encryption is CPA-secure.

Further Reading

Chapter 3 from Katz & Lindell