# Cryptography - University Of Maryland Cryptography Lecture 8 Clicker quiz Which of the following encryption schemes is CPA-secure (G is a PRG, F is a PRF)? 1. Enck(m) chooses uniform r; outputs 2. Enck(m) chooses uniform r; outputs 3. The one-time pad 4. Enck(m) chooses uniform r; outputs

Keyed functions Let F: {0,1}n x {0,1}n {0,1}n be an efficient, deterministic algorithm Define Fk(x) = F(k, x) The first input is called the key Security parameter = key length = n F is pseudorandom if Fk (for uniform k) is

indistinguishable from a random function on the same domain/range World 0 World 1 k {0,1}n chosen uniformly at random

Fk f xt f(xt)

?? x1 Fk(x1) (poly-time)

f Funcn chosen uniformly at random x1 f(x1) xt Fk(xt)

PRFs vs. PRGs PRF F immediately implies a PRG G: Define G(k) = Fk(00) | Fk(01) I.e., G(k) = Fk(<0>) | Fk(<1>) | Fk(<2>) | , where denotes the n-bit encoding of i PRF can be viewed as a PRG with random access to exponentially long output The function Fk can be viewed as the n2n-bit string

Fk(00) | | Fk(11) Pseudorandom permutations (PRPs) Let f Funcn f is a permutation if it is a bijection This means that the inverse f-1 exists Let Permn Funcn be the set of permutations What is |Permn|?

Pseudorandom permutations Let F be a length-preserving, keyed function F is a keyed permutation if Fk is a permutation for every k Fk-1, the inverse of Fk, is efficiently computable F is a pseudorandom permutation if Fk , for uniform key k {0,1}n, is indistinguishable from a uniform

permutation f Permn Even if attacker can query the function and its inverse Note For large enough n, a random permutation is indistinguishable from a random function So in practice, PRPs are also good PRFs Do PRFs/PRPs exist?

They are a stronger primitive than PRGs though they can be built from PRGs In practice, block ciphers are used Will discuss extensively later Block ciphers Block ciphers are practical constructions of pseudorandom permutations

No asymptotics: F: {0,1}n x {0,1}m {0,1}m n = key length m = block length Hard to distinguish Fk from uniform f Permm even for attackers running in time 2n AES Advanced encryption standard (AES) Key length = 128, 192, or 256 bits

Block length = 128 bits Will discuss details later in the course Available in standard crypto libraries No real reason to use anything else CPA-security Fix , A Define a randomized expt PrivKCPAA,(n):

1. k Gen(1n) 2. A(1n) interacts with an encryption oracle Enck(), and then outputs m0, m1 of the same length 3. b {0,1}, c Enck(mb), give c to A 4. A can continue to interact with Enck() 5. A outputs b; A succeeds if b = b, and experiment evaluates to 1 in this case CPA-security

is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function such that Pr[PrivKCPAA,(n) = 1] + (n) CPA-secure encryption Let F be a length-preserving, keyed function Gen(1n): choose a uniform key k {0, 1}n Enck(m), where|m| = |k| = n:

Choose uniform r {0, 1}n (nonce/initialization vector) Output ciphertext < r, Fk(r) m > Deck(c1, c2): output c2 Fk(c1) Correctness is immediate r key

F ciphertext message pseudorandom

Security? Theorem: if F is a pseudorandom function, then this scheme is CPA-secure Note The key is as long as the message but the same key can be used to securely encrypt multiple messages

Security? Theorem: if F is a pseudorandom function, then this scheme is CPA-secure Proof by reduction See book for formal proof Here: high-level intuition m r {0,1}n

r, Fk(r) m m0 , m 1 b {0,1} r* {0,1}n r* , Fk(r*) m Analysis Since F is a pseudorandom function, we can

replace Fk with a truly random function f See book for details Analysis What is the success probability of A when the experimentuses a random function f? There are two sub-cases r* was used for some other ciphertext (call this event Repeat)

r* was not used for some other ciphertext Let q(n) be a bound on the number of encryption queries made by A Analysis Pr[success] Pr[success|Repeat] + Pr[Repeat] Pr[Repeat] q(n)/2n Why?

Pr[ success | Repeat] = Analogous to the one-time pad in this case, since f(r*) is uniform and independent of everything else Pr[A succeeds] + q(n)/2n I.e., the scheme is secure! Real-world security? The security bound we proved is tight

What happens if a nonce r is ever reused? What happens to the bound if the nonce is chosen non-uniformly? Attacks? If r repeats, security fails Exactly analogous to multiple encryptions using the (pseudo)one-time pad scheme

When r is a uniform, n-bit string, the probability of a repeat is negligible If r is too short, or is chosen from another distribution, repeats may happen! May make scheme insecure

## Recently Viewed Presentations

• January 6th (12 days after Christmas) Kids write letters to their favorite king about what they want to receive on the 6th - Melchor, Gaspar or Baltasar On the night of the 5th, kids put their shoes by the door...
• In English, sentences are 'front-loaded' so the most important information appears early on, and later information may be lost, meaning that writers might separate very long sentences and use signpost words to demonstrate the link. Exercise where they have to...
• A Guide to Understanding the Model of Human Occupation (MOHO) Presented by : (your name) By: Ashwini Apte & the MOHO Clearinghouse at the University of Illinois at Chicago Focus of MOHO HUMAN OCCUPATION C - Choose O - Organize...
• Changes to the schedule Please note changes to the schedule (on course webpage) Key: mid-term moved to Oct. 5 (one week prior) * * Outline Recap What is evaluative feedback N-arm Bandit Problem (test case) Action-Value Methods Softmax Action Selection...
• Arial Tahoma Wingdings Times New Roman Times Symbol Ocean Default Design GENETICĂ BACTERIANĂ I Slide 2 Planul capitolului Planul cursului EREDITATEA - Metabolismul ADN-ului INTRODUCERE Genetica= Ereditate + variabilitate Slide 7 Slide 8 Variabilitatea STRUCTURA ADN şi modelul replicării semiconservative...
• Valuing People Now sets a challenge for public services and everyone who works with people with learning disabilities to take an approach which starts with each individual, their wishes, aspirations and needs, and which seeks to give them control and...
• Lyon, a Harvard-trained attorney with a doctorate in psychology from Stanford, is a USC professor of Law and Psychology, and a leader in the field of child interviewing. Lyon has taken a different approach and instead of researching all of...
• MLA Style. Integrating Sources into Your Writing. The Writing Center will make reasonable accommodations for persons with disabilities who wish to participate in this event. If you require an accommodation, contact the Writing Center at (408)848-4811. Please include the requested...