Professional Documents
Culture Documents
Alperen Tunçkıran 2517100
Alperen Tunçkıran 2517100
Alperen Tunçkıran 2517100
Alperen Tunçkıran
29 January 2024
Slide Topics
Challenge
We want to provide the function to the adversary for inspection
while ensuring its security. The traditional approach of defining
security based on the knowledge of F makes it too easy for the
adversary to win.
To address the challenge of defining security for a function F while
allowing the adversary to inspect it, we turn to Kerckhoffs’
principle. This principle states that the security of a public
algorithm should rely entirely on the secrecy of the key.
Key-Based PRF Family
We define a family of pseudo-random functions indexed by a key k
chosen from a set K. Each key defines a new random function
within the family, and the adversary starts by knowing the function
family but not the key.
Security Definition
The security of a pseudo-random function family FkK is defined
based on a game. The adversary is given a description of the
function family but not the specific function selected from it. The
adversary’s goal is to distinguish whether the function
input/output pair she receives is from the real PRF-family FkK or
from a random function. The key k is not given to the adversary.
It’s important to note that this game gives significant power to the
challenger. Winning this game is highly unlikely for adversaries,
except for very simple PRF families. In some cases, the game may
even be unwinnable for infinitely powerful adversaries, such as
when using a function family with specific properties (e.g., taking
K = D = C = 0,1n and Fk(x) = k x).
Pseudo-Random Functions (PRFs)
Lemma 11.1:
Let A be an adversary against the PRF security of the function family {Fk
q2
|AdvPRF(A; q) − AdvPRP(A, q)| <
|D|
Proof
Suppose we run A in the PRF game, and we let E denote the
event that the oracle called by A returns the same value in the
codomain for two distinct input values. We have
Pr[A wins the PRF game]
= Pr[A wins the PRF game|E ] · Pr[E ] + Pr[A wins the PRF game|¬E ] · P
≤ Pr[E ] + Pr[A wins the PRF game|¬E ]
= Pr[E ] + Pr[A wins the PRP game|¬E ].
Now we note that the probability of E occurring is, from the
q2
birthday bound, at most 2·|D| .
So we have, where we assume the probability of A winning is
always at least 21 (which we can do without loss of generality),
|AdvPRF(A; q) − AdvPRP(A; q)|
1
≤ 2 · Pr[A wins the PRF game] −
2
≤ 2 · Pr[E ]
One-Way Functions (OWFs)
The discrete logarithm problem is an example of a one-way
function: we give the adversary a public function (in this case the
function f (x) = g x ) and ask her to invert the function on an
element of the challenger’s choosing.
In fact, even more is true: since the RSA function FN,e (x) = x e
mod N acts as a permutation on the group Z/NZ, we actually
have a trapdoor one-way permutation.
We can think of the RSA game as the one-way function game
above, but with F being the RSA function for some specific
modulus N and an exponent e. It is believed that for values of N
which are a product of two randomly generated primes of roughly
the same size, AdvOWF(A) is very small indeed.
Introduction to Public Key Cryptography
c ← ek (m) (Encryption)
m ← dk (c) (Decryption)
For public key algorithms:
∀k ∈ K , ∀m ∈ P, dk (ek (m)) = m
IND-PASS Security
An adversary can always guess the hidden bit b, so we define the
advantage of adversary A as:
Probabilistic Encryption
IND-CPA security implies that any encryption function must be
probabilistic. Otherwise, an adversary can determine the hidden bit
by comparing ciphertexts.
Accepted Definitions
Definition 11.3
A symmetric key (or public key) encryption algorithm is considered
secure if it is semantically secure against a chosen ciphertext
attack. In other words, for all polynomial-time adversaries A, the
value AdvSEM−CCA (A) is ”small.”
Definition 11.4
Alternatively, a symmetric key (or public key) encryption algorithm
is considered secure if it is IND-CCA secure. This means that for
all polynomial-time adversaries A, the value AdvIND−CCA (A) is
”small.”
Theorem 11.5
It’s important to note that these two notions are related.
Specifically, a system that is IND-PASS secure must necessarily be
semantically secure against passive adversaries.
Proof of Theorem 11.5
Π is IND-CCA ⇒ Π is OW-CCA.
This argument can be extended trivially for CPA and PASS
adversaries, as well as in the public key case.
Many Time Security
In addition to the standard security notions for encryption
schemes, there are other notions worth considering. One of these is
Many Time Security.
In the IND game, if we allow the adversary to call the OLR oracle
many times, we denote the notions by Advm-IND-PASS(A), etc.
It’s important to modify the decryption oracle in the CCA game so
that it aborts if any ciphertext returned by the OLR oracle is passed
to the decryption oracle, as otherwise, the game can be easily won.
In the symmetric case, when we have access to the OLR oracle for
many calls, we do not need access to the Oek oracle, since we can
simulate one via the other using the fact that Oek(m) = OLR(m,
m). Thus, the m-IND-PASS game is equivalent to the m-IND-CPA
game. Returning to our implications, we also have that:
Π is m-IND-XXX ⇒ Π is IND-XXX
Thus, if a scheme Π is m-IND-XXX secure (i.e.,
Advm-IND-XXX(B) is ”small” for all poly-time B), then it is also
Hybrid Argument
The other implication holds, but not as tightly as one would like.
One can prove the following result, but it requires a technique
called a hybrid argument, which is a little too advanced for this
book:
Theorem 11.7: Let A be a poly-time adversary against the
m-IND-XXX security of the symmetric encryption scheme Π, which
makes qLR queries to its OLR oracle. Then there is a poly-time
adversary B against the IND-XXX security of Π, with:
Theorem
A symmetric encryption scheme that is IND-CCA secure is also
RoR-CCA secure. In particular, if A is an adversary against
RoR-CCA security for a symmetric encryption scheme Π, we can
build an adversary B against IND-CCA security of Π with:
AdvRoR-CCA(A) = AdvIND-CCA(B).