5 Security against chosen plaintext attacks (KL3.5) --------------------------------------------------- We now consider security of cryptosystems against stronger adversaries which may request the encryption of arbitrary plaintexts of their choice. There are some practical scenarios where this might occur, e.g. a smartcard which can be interacted with arbitrarily or by preparing some situation whose description will then be transmitted by the opposite party in encrpyted form. Given a scheme Pi=(Gen,Enc,Dec) and an adversary A the experiment PrivK^cpa_{A,Pi}(n) is now defined as follows: 1. Key k is generated by Gen(n) 2. The adversary A is given the security parameter n and the procedure Enc_k as a black box (oracle access). After some interaction with the oracle it then outputs two messages m0 and m1 from {0,1}^{l(n)} (or of the same length in the case of variable length schemes). 3. A bit b <- {0,1} is chosen uniformly at random (50/50). The (or rather a) ciphertext c = Enc_k(m_b) is given to A. 4. A continues to have oracle access to Enc_k and then answers by outputting a bit b'. 4. The output of the experiment is defined 1 if b=b' and 0 otherwise. Definition: A scheme Pi=(Gen,Enc,Dec) has *indistinguishable encryptions under a chosen plaintext attack* (is cpa-secure for short) if there is a negligible function negl(n) such that for all (pr.-polytime) adversaries A Pr[PrivK^cpa_{A,Pi}(n) = 1] <= 1/2 + negl(n) There is also a "known plaintext version" where the adversary does not get full-blown oracle access to Enc_k but can merely request encryptions of a previously submitted list of plaintexts. The details of this are left to the reader. We first notice that no deterministic scheme can possibly be cpa-secure. Given c simply compute (using the oracle) c_0=Enc_k(m_0) and c_1=Enc_k(m_1) and return b' such that c_b'=c. Thus, any cpa-secure scheme must include a random element into the encryption. But naive ways of doing so will not be successful either. Suppose for example that Pi=(Gen,Enc,Dec,l) is a deterministic scheme, i.e. Enc_k( ) is a function. Design a new scheme Pi' as follows: For bitstrings u,v we let u || v stand for the concatenation of u and v. If w is a bitstring of even length 2n then we let w.1 and w.2 stand for its first and second halves. Gen' = Gen l'(n) = l(n)/2 /* w.l.o.g. l(n) is even */ Enc'_k(m) = Enc_k(r || m) where r is a random bitstring of length l(n)/2. Dec'_k(c) = Dec_k(c).1 Clearly, Pi' has indistinguishable encryptions in the presence of an eavesdropper if Pi has, but Pi' does not in general withstand chosen plaintext attacks. Namely, consider that Enc_k(m)=G(k)+m as above. We then have Enc'_k(m) = G(k).1 + r || G(k).2 + m. As a result, the adversary can take the first half of the received ciphertext c, request encryptions c_0 nd c_1 of m_0 and m_1 and determine b' so that c.1 = (c_b').1 . In order to achieve the desired security we need a *pseudorandom function* Definition: A pseudorandom function (PRF) is a binary function on bitstrings F : {0,1}^* x {0,1}^* -> {0,1}^* with application F(k,x) written F_k(x) such that 1) |k|=|x| implies |F_k(x)|=|k|=|x| (and F need not be defined on arguments of different length) 2) F is deterministic, polynomial-time computable 3) For all probabilistic polynomial-time distinguishers D and all n one has | Pr[ D^{F_k()}(n)=1 ] - Pr[D^{f()}(n)=1] | = negl(n) for some negligible function negl() and probabilities taken over k and f(), see below. The distinguisher has access to an oracle, i.e. a subroutine of type {0,1}^n->{0,1}^n. In the experiment, first k:{0,1}^n is drawn uniformly at random and then a function f from {0,1}^n->{0,1}^n is drawn uniformly at random (from the 2^{n*2^n} many possibilities). The oracle is then instantiated with F_k() on the one hand and with f on the other. The probabilities for the distinguisher to output 1 in either case should differ only negligibly. So, where a pseudorandom generator expands a size n key k to a size l(n) bitstring that looks random a pseudorandom function expands a size n key to a function F_k which could be written as a size n*2^n bitstring. Again, this "very large" object should look random. However, only a polynomial portion of it can be examined by the distinguisher. On the other hand, which portion that is is up to the distinguisher to decide and not priori fixed. We remark that one often uses variants of PRF where the size of argument x and results are functions of a security parameter other than the identity function. (The security parameter must then be supplied explicitly to F) Relationship between PRF and PRG: It is not hard to see that every PRF can serve as a PRG. Given k simply output the string F(k,0) || F(k,1) || F(k,2) || ... || F(k,N) for sufficiently large N and where e.g. 2 stands for the encoding of 2 as a length n bitstring. If a distinguisher could tell this from a random string one could easily use it to distinguish F_k from a random function. Surprisingly, the converse also holds, see (KL6.5). However, we still do not know whether PRG exist. In practice, PRF are constructed using heuristic approaches. A CPA-secure cryptosystem from a PRF (KL3.6.2) - - - - - - - - - - - - - - - - - - - - - - - - Here is, how we use a PRF to construct a CPA-secure cryptosystem. Note that by our earlier observation the scheme itself must be randomised. Gen(n): return a random bitstring of length n as key. Enc_k(m): choose r:{0,1}^n uniformly at random and output the ciphertext c := r || F_k(r)+m Dec_k(c): given c extract c.1=r and c.2=F_k(r)+m then return c.2+F_k(r) Notice that Dec_k(Enc_k(m)) = F(k,r)+F(k,r)+m = m Remark: A random element like r added to a piece of data is known as a *nonce*. Theorem: If F is a PRF then the above construction yields a fixed length (l(n)=n) CPA-secure cryptosystem. Proof: Let Pi stand for the scheme constructed above from F and l(n). Assume further, that A is an adversary against Pi. We construct from A a distinguisher D for the PRF F as follows: Given security parameter n and oracle access to a function h (which is instantiated as either F_k() or a truly random f()) the distinguisher begins by passing the security parameter n to the adversary A. Now, whenever the adversary queries its own oracle which it assumes to be of the form Enc_k() then the distinguisher chooses r:{0,1}^n at random and returns r || h(r)+m to A. When the adversary enters the second phase and outputs two messages m_0, m_1 to distinguish based on their encryptions the distinguisher then chooses a random bit b:{0,1} and r:{0,1}^n uniformly at random and returns r || h(r)+m_b to A. Further oracle queries from A are answered as before. When A eventually outputs a bit b' reply 1 if b=b' and 0 otherwise. Let us see what the adversary can do when h is a truly random function. Unlike in the "eavesdropper" case, A has a certain advantage: namely suppose it has already requested encryptions c_0 and c_1 of the messages m_0 and m_1 it then forwards (and it would be "wise" for A to do so). If it now happens by accident that c.1=c_0.1=c_1.1, i.e. the three random nonces used were all equal, then since the rest is deterministic, the adversary can pick b' such that c.2=c_{b'}.2 and be correct. Since, however, the adversary can only make polynomially many queries the likelihood for this to happen is negligible. If, however, the random nonce used in the preparation of c is different from all the ones used in oracle queries then c looks completely random to A and its success probability is exactly 1/2. Summing up, if h is truly random then A's success probability is 1/2+negl(n). If, on the other hand, h is F_k(), then let p be the success probability of the adversary A on our new cryptosystem. It is clear that our distinguisher will output 1 with probability p for we have used A according to the rules of the PrivK^cpa-experiment. Since F was assumed to be a PRF we thus know that |p-(1/2+negl(n))| is itself negligible. It then follows that p is bounded by 1/2 plus a negligible function. Q.E.D. Notice that this proof newly introduces negligible probabilities rather than (or in addition to) just move them around and thus gives further evidence as to why allowing negligible deviations from the ideal situation is reasonable. We also remark that the way the system was presented the length of the key equals that of the message. However, in the case of a CPA-secure system we can encrypt several messages with the same key without compromising security. We generalise this idea in the next chapter. Proposition: Let Pi=(Gen,Enc,Dec) be cpa-secure and define Pi'=(Gen,Enc',Dec') by Enc'_k(m1 || m2) = Enc_k(m1) || Enc_k(m2). Then Pi' is cpa-secure. Here m1, m2, as well as, c1,c2 are assumed to be of equal length. Proof: From a hypothetical cpa-adversary A' against Pi' we construct a cpa-adversary A against the original system Pi as follows: A runs A' and answers any oracle requests according to Pi'. E.g. if A' asks for an encryption of m1||m2 it requests encryptions c1 and c2 of m1, m2, respectively and then provides the answer c1||c2. When A' outputs the challenge m1^0||m2^0 vs m1^1||m2^1 A submits the challenge m2^0 vs m2^1 and receives a ciphertext c2 (which should be an encryption of m2^0 or m2^1). A then requests an encryption c1 of m1^0 and passes c1||c2 to A'. The answer bit b' supplied by A' is then output. Let p be the success probability of A'. If the secret bit b is equal to 0 then the success probability of A is p as well.