SDU Crypto School - Computational Indistinguishability 1

Encryption: Computational security 1-4

Speaker: Li Zengpeng (Shandong University)

Reference materials: Jonathan Katz, Yehuda Lindell, Introduction to Modern Cryptography - Principles and Protocols.

---

what is encryption

First, the purpose of the encryption scheme is to complete secure communication between Alice and Bob. Specifically, any given plaintext $m$ , Alice encrypts it to get$c$ and send it to Bob through an insecure channel, and Bob has$After\; c$ is decrypted,$m$ , while the third party Eve cannot obtain$m$ any relevant information.

---

In order to achieve this, there have been many so-called cipher schemes since ancient times, such as Caesar cipher, Virginia cipher, fence encryption, Enigma machine and so on.

One of the common characteristics of these schemes is that there is no rigorous theory to ensure that they are safe. It is not so much the science of cryptography as it is the art of cryptography that carries the brilliant imagination of the ancients.

The second common feature of these schemes is that they are all broken. According to (Prof. Ding Jintai), the Argentines were still using a password system similar to the Enigma machine during the Falklands Battle, so battlefield information should be one-way transparent to the British.

---

Provable security is an important step in cryptography from art to science.

Another principle in designing modern cryptosystems is that the security of cryptosystems does not depend on the secrecy of encryption schemes or algorithms, but on the security of keys (Kerckhoffs Principle, 1883).

The reasons are as follows:

1. It is actually easier to protect the key than the algorithm;
2. Changing keys is also easier than changing algorithms;
3. The encryption algorithm is unified to facilitate the application;
4. The public algorithm is helpful for the analysis of algorithm loopholes.

So we can rewrite the general picture of the encryption system according to the Kerckhoffs principle:

• $m$ is the plaintext message
• key $k$ draws from a uniform distribution
• $c=En{c}_k\left(m\right)$ exposed to the attacker

Note that, compared to the most general case of an encryption system, here we introduce the key $k$ , hope that the attacker cannot obtain$k$ andmminformation about$m\; .$

---

perfect security

Some notation:

The question now is, how do we define the security of a cryptographic system within the framework of the Kerckhoffs principle?

---

Idea one:

Definition. If the attacker has no way to calculate $k$ , then this scheme is safe.

——It is true that the key is not known to others... Is it right?

A counterexample is, $En{c}_k(m)=m$ . In this case, you do not expose any$k$ information, but$m$ is running naked, and the security effect of encryption is similar to that of the emperor's new clothes.

---

Idea two:

Definition. If the attacker has no way to calculate $m$ , then this scheme is safe.

If an attacker only needs to compute the ciphertext $Some\; characteristics\; of\; m$ can infer enough information, so is this scheme safe?

For example, I guess whether a four-character place name is Qiqihar or Urumqi. I even only need to have a few words in these four words or whether there are repeated words to guess the answer.

---

Idea three:

Definition. If the attacker cannot obtain $m$ , then the scheme is safe.

But the attacker may have obtained some prior information, such as knowing the message $m$ is written in English.

---

Idea four:

Definition. If the attacker cannot obtain $m$ , then the scheme is safe.

This is more reliable, but how to express it formally?

An example is described using probability distributions/information theory:

The upper half of the Latour is before the communication. $m$ is in the hands of Alice, the attacker knows nothing aboutmA prior distribution for$m\; .$

The second half of the drawing is after the communication. $m$ is in Alice's hands, the attacker knows$c=En{c}_k\left(m\right)$ , knowing$Under\; the\; premise\; of\; c$ , the attacker's prior has not changed at all. This is the so-called "attacker cannot obtain information about$m$ any additional information".

Thus, we get the perfect security definition based on conditional probability formulation:

Equivalently, we have several definitions:

• Plain text $The\; distribution\; of\; m$ and$En{c}_k\left(m\right)$ are independent.
• $En{c}_k\left(m\right)$ distribution and$m$ is irrelevant.
• For any $m_0$、$m_1$, we have $En{c}_k(m_0)$、$En{c}_k\left(m_1\right)$ have the same distribution.

---

An equivalent definition of perfect security is Adversarial Indistinguishability. Here, we introduce an opponent $A$ , and define what isA \mathcal{A}The unrecognizabilityof$A$ (roughly speaking, given plaintext$m_0,m_1$And randomly pick one to encrypt to get $c$，$A$ has no way of knowing thisccThe plaintext corresponding to$c$$m_0,m_1$which of the).

In order to define perfect security, we introduce an indistinguishability experiment (experiment) or game (game), denoted as $Priv{K}_{A,P}^{andv}$. Π = ( Gen , Enc , D ec ) \Pi=(Gen, Enc, Dec )$Pi=(Gen,Enc,Dec)$ is a cryptographic system, this game only considers eavesdropping attacker$A$ , the attacker has only one$c$ and trying to base on this$c$ Determine some information of the plaintext.

Definition. $Priv{K}_{A,P}^{andv}$It is defined as follows:

1. Initialize the encryption scheme (e.g., generate the key $k$）。
2. The attacker gives a pair of plaintext $m_0,m_1\in \mathcal{M}$。
3. The communicating party randomly selects an mb , b ∈ { 0 , 1 } m_b, b\in \{0, 1\} without the attacker's knowledgemb​,b∈{ 0,1 } , return$c$。
4. The attacker according to $c$ gives abbEstimatedb'b'$of\; b$$b^{\text{'}}$ . Note that this$b^{’}$ may be a probability distribution.
5. if $b=b^{\prime }$ , then the attacker wins (return 1), otherwise loses (return 0).

If the system is secure, then your attacker has no control over $No\; matter\; how\; hard\; c$ is tossing, the final output result is the same as the guessing effect.

So we can define indistinguishability:

Definition. Defined in plaintext space M \mathcal MCryptosystem on$M$$(Gen,Enc,Dec)$ is indistinguishable if:

$$P[Priv{K}_{A,P}^{andv}=1]=\frac{1}{2}$$

---

one-time pad

In reality, there is an encryption scheme with perfect security: One Time Pad (OTP).

For a binary string $m$ , we randomly generate andmmA binary string of equal$length$$k$ , where$Each\; bit\; of\; k$ is an independent uniform distribution,$c=En{c}_k(m)=m\oplus k$ , where$\oplus$ is defined as an XOR operation.

The security of OTP is obvious. Because, for each $m$ ,$Each\; bit\; of\; c$ is evenly distributed.

We generalize the OTP:

$(G,+)$ is to add a group. $\mathcal{K}=\mathcal{M}=\mathcal{C}=G.$ _ then,

• $En{c}_k(m)=m+k$
• $De{c}_k\left(m\right)=m-k$
  constitutes the one-time pad.

---

But OTP is not practical because:

• The key and the plaintext are equal in length

• One-time password, burn after use, otherwise information may be leaked.

  For example, in OTP, if the same key encrypts $m_1,m_2$After getting $c_1,c_2$, then the attacker knows that $m_1\oplus m_2=c_1\oplus c_2$- This leaks information in plaintext.

In addition, we can prove that if a cryptographic system is perfectly secure, then it must be $|\mathcal{K}|\ge |\mathcal{M}|$。

(The reason is simple, if $|K|<|M|$ , the original attacker is to guess$m$ , now the attacker guesses$The\; odds\; of\; winning\; with\; k$ are better than guessing$The\; odds\; of\; winning\; for\; m$ are even higher, which means that the encryption process leaks information. )

Therefore, OTP has become the most efficient solution in perfect security.

---

"Can you stop, Azu?"

---

Limiting the ability of attackers: indistinguishability, semantic security

One idea to make a more practical cryptographic system is to limit the capabilities of the attacker.

Restriction methods include:

1. Limiting the computational power of attackers - computational security.
2. Other methods: Quantum cryptography, memory-bound models, etc.

---

The characteristic of quantum cryptography is that it is impossible for the attacker (Eve) to eavesdrop without the knowledge of the communicating parties (Alice and Bob). Once the attacker successfully eavesdrops, the quantum state will be disturbed, and the communicating party can know that he has been eavesdropped through the communication content based on the quantum state transmission.

(It should be noted that quantum cryptography and quantum computing are not the same thing)

---

The mainstream approach is to limit the attacker's computing power. If an attacker can perform a brute force attack regardless of the cost, then any password can be cracked.

Here comes the question: how to define the limit on the attacker's computing power?

Can an attacker buy several V100s and use them until they are scrapped, or rent several cloud servers within a year?

Even with these computing resources, what kind of attack algorithm does the attacker run?

Therefore, this definition is not very beautiful in theory, and it is not convenient for analysis.

Next, we abstract the calculation model. Specifically, we can use a Turing machine to describe the attacker's capabilities:

A system $X$ is$(t,ϵ)$ is safe if any running time does not exceed$The\; probability\; that\; a\; Turing\; machine\; of\; t$ can crack it does not exceed$ϵ$ .

In fact, there are many Turing machine models, and basically it can be proved that they are equivalent to the most general Turing machine. Then the Church-Turing proposition also tells us that any algorithmically computable problem is also computable by a Turing machine. So we can abstract various models based on Turing machines into algorithms, so all discussions are based on algorithms, which avoids trying to figure out how the paper tapes and read-write heads of Turing machines fly.

---

For the aforementioned $(t,ϵ)$ security, we use an asymptotic analysis approach for concretization.

• Turing machine runs $t$ step, means "efficient computation"
• $ϵ$ , is a very small (close to 0) number

The way to define these things is to use the idea of ​​asymptotic analysis.

Let’s talk about the conclusion directly. What we think is small is smaller than any polynomial reciprocal, that is, smaller than any $1/poly(n)$。

What we think of as efficient computations are computations with polynomial complexity.

This small defined by polynomials has better properties:

---

Based on the above, we further define computational security. First, we define the private-key encryption scheme:

Definition. The private key cryptography scheme is three probabilistic polynomial time (Probability polynomial time, PPT) algorithms $(Gen,Enc,Dec)$ , where:

1. $Gen$ : input security parameter$n$ returns a key$k$ . It is generally believed$|k|\ge n$。
2. $Enc$ : Enter key$k$ and plaintext messagem ∈ { 0 , 1 } ∗ = ⋃ N = 1 ∞ { 0 , 1 } N m \in \{0, 1\}^* = \bigcup_{N=1}^\infty \{0 , 1\}^Nm∈{ 0,1}∗=⋃N=1∞​{ 0,1}N. _ The output ciphertext may be random.
3. $Dec$ : Enter key$k$ and the ciphertext message$c$ , output$m$ or throw an error.

Requirements: For any $n,k,m$，$De{c}_k(En{c}_k(m))=m$。

We still don't make good assumptions about the attacker's capabilities. For example, what algorithm the attacker may use to attack. The security definition we devise next will defend against any attack by an attacker given the computing power.

In perfect security, the attacker cannot obtain any information about the plaintext from the ciphertext. After limiting the computational power of the attacker, we will define semantic security. Semantic security is not so practical, we have another thing called indistinguishability. Indistinguishability is equivalent to semantic security, but indistinguishability is easy to use.

We also engage in something like unrecognizability when the attacker's capabilities are limited. The difference from the game introduced in Perfect Security is that we change two places:

1. The attacker's ability is limited to polynomial time
2. The success rate of the attacker's attack is small, which is defined as $\frac{1}{2}+ϵ\left(n\right)$

So we get the game:

Definition. adversarial indistinguishabilityP $Priv{K}_{A,P}^{andv}(n)$：

1. Attacker $A$ Given security parameters, output two ciphertexts$m_0,m_1$, where $|m_0|=|m_1|$
2. The defender generates the key $k$ and a random bit$b$ . Calculate$c=En{c}_k(m_b)$
3. The attacker gets $After\; c,$ the output bit b' b'is calculated by one pass$b^{\prime }$
4. if $b^{\prime }=b$ , the attacker wins, recorded as$Priv{K}_{A,P}^{andv}(n)=1$

Based on this we have the definition of computational indistinguishability:

Definition. Encryption scheme $Pi=(Gen,Enc,Dec)$ is computationally indistinguishable (EAV-SECURE) under eavesdropping attacks, if all PPT algorithms attack$A$ , there exists a function small enough that for any$n$ ,
$$P[Priv{K}_{A,P}^{andv}(n)=1]\le \frac{1}{2}+ϵ\left(n\right)$$

where $ϵ\left(n\right)$ is the epsilon we defined earlier.

An equivalent definition is, suppose we give the experiment $Priv{K}_{A,P}^{andv}\left(n\right)$ Turn on the shadow clone, these two shadow clone experiments are selecting bit$In\; b$ , one chooses 0 and the other chooses 1, then the attacker can't actually tell which shadow clone he is fighting with.

Writing this definition is left as an exercise, or reference book.

Note that the encryption schemes involved here do not need to hide the length information of the plaintext. For the time being, we assume that the plaintext lengths are all equal. For specific reasons why we should make this assumption, you may wish to refer to the relevant content in the book, because this problem does not affect the main narrative for the time being.

---

To introduce semantic security, we first take a closer look at what computational indistinguishability means.

• Computational indistinguishability means that it is impossible for an attacker to have a significant advantage in guessing a certain bit of the plaintext through his computational tricks.

• The calculation is indistinguishable, which means that the attacker cannot learn any function f ( m ) f(m) of the plaintext through his calculation tricks$f\left(m\right)$ where$m$ is defined in any setS ⊂ { 0 , 1 } l \mathcal S \subset \{0, 1\}^lS⊂{ 0,1}l , andf ( m ) f(m)The value output by$f$$($$m$$)\; is\; 0-1\; bits.$That is, the attacker uses the ciphertext$c$ arithmetic function$The\; probability\; of\; f\left(m\right)$ should not be much different from the fact that the attacker knows nothing. (Otherwise the information is leaked).

Based on the above description, we give the definition of semantic security:

Definition. An encryption scheme $(Enc,Dec)$ is semantically secure under eavesdropping attacks, if for any PPT algorithm$A$ , there is a PPT algorithm${\mathcal{A}}^{\prime }$ such that the following are epsilons:

$$|P[\mathcal{A}(1^n,En{c}_k(m),h(m))=f(m)]-P[{\mathcal{A}}^{\prime }(1^n,|m|,h(m))=f(m)]|$$

where $h\left(m\right)$ is the external information that the attacker has mastered. In semantic security, the attacker uses the algorithm$A$ given$c=En{c}_k(m)$、 h ( m ) h(m) Calculatemm$in\; the\; case\; of\; h$$($$m$$)$function of$m$$f\left(m\right)$ , its effect should be the same as that of any algorithm A ′ \mathcal A'used by the attacker${\mathcal{A}}^{\prime }$ at a given$h\left(m\right)$ and$|m|$ case calculation$f\left(m\right)$ is about the same.

Theorem. Computational indistinguishability and semantic security equivalence.

---

Pseudorandomness and stream ciphers

Pseudo-random number generator $G$ is an efficient (polynomial time), deterministic algorithm that can transform a short bit string (seed) sampled from a uniform distribution into a long bit string that appears to be sampled from a uniform distribution.

The significance of studying pseudorandom numbers is to simulate randomness in a statistical sense. In order to judge where various pseudo-random numbers are not random, various statistics can be constructed.

One problem is how to judge the randomness of pseudo-random numbers? Similar to computational security, we can come up with something similar to computational randomness: a good pseudo-random number generator needs to fool all (that can be computed efficiently) statistics.

So, we give the formal definition:

define.ll $l$ is a polynomial,$G$ is a deterministic polynomial-time algorithm such that for any$n$ (the security parameter, here the length of the seed) and any inputs ∈ { 0 , 1 } ns \in \{0, 1\}^ns∈{ 0,1}n (this is the random seed),$G\left(s\right)$ is of length$A\; string\; of\; l\left(n\right)$ . we say$G$ is a pseudorandom number generator if:

1. for any $n$，有$l\left(n\right)>n$
2. For any probabilistic polynomial-time algorithm $D$ , there exists a small quantity$ϵ\left(n\right)$ so that∣
   $$|P[D(G(s))=1]-P[D(r)=1]|\le ϵ\left(n\right)$$

Among them, we call $l$ is the expansion factor of the pseudo-random number generator. We think$D$ is a random discriminator,$D(\cdot )=1$ indicates that it thinks the input is random, otherwise it thinks the input is not random. s ∈ { 0 , 1 } ns \in \{0, 1\}^ns∈{ 0,1}n，$r\in \{0,1{\}}^{l\left(n\right)}$ are all sampled from a uniform distribution.

In fact, the pseudo-random number generation stuff is obviously not uniform. For example, suppose we have $n$ -bit seed,$l\left(n\right)=2n$ . deterministic map$G$ will at most$2^n$ seeds are mapped to the image space ($2^n$ values), while$\{0,1{\}}^{}$There are 2 2 n − 2 n 2^{2n}-2^nin${}^2$${}^{n\; space}$$2^{2n}-2^n$ values ​​are not mapped to.

Another question is, do pseudo-random number generators really exist? We don't actually know how to unconditionally prove the existence of pseudo-random numbers, but we have very good reasons to believe they exist. First, if one-way function is assumed (one-way function $f$ has the property: given$x$ computes$f\left(x\right)$ is easy, but givenf ( x ) f(x)It is difficult to calculate the preimage of$f$$($$x$$)\; .$A typical example is a hash function) exists, and we can construct a pseudo-random number generator based on a one-way function. The assumption that one-way functions exist is a weak assumption. In addition, there are already many pseudo-random number generators (such as stream ciphers), and no efficient$D$。

stream cipher

A stream cipher is a bit different from a pseudo-random number generator: it can generate any number of "random" bits.

We define a stream cipher as two functions: $(Init,GetBits)$：

• Init input parameters include: seed $s$ and (optional) initialization vector$IV$ .$\_$output an initial state$x_0$
• The input parameters of GetBits include: state $x_k$, output a bit $y_k$Then update the state to $x_{k+1}$

So, if we let the stream cipher run ll after initialization$l$次$GetBits$ , you can get a possible "pseudo-random number generator", denoted as$G$$G_l$。

Roughly speaking, the above stream cipher is secure if it does not require $IV$ , and for any polynomial$l\left(n\right)$ where$l\left(n\right)>n$，$G_l$expansion factor llA pseudo-random number generator for$l\; .$