|
|
|
|
Second Pre-image Resistance. |
is de nition is similar to the rst pre-image resis- |
|
|
tanceexceptthattheadversaryisalreadygivenonepre-imageofthehash y andistasked |
|
||
with nding another one. |
at is, a hash function is secure against second pre-image |
|
|
attacks if |
2 |
|
|
|
|
|
|
|
|
|
3 |
|
|
|
|
|
|
|
K |
R f0; 1g |
|
|
|||||
Pr |
HK (x) = HK (x0) |
|
x = x0 |
x0 |
|
R2Domain(HK ) |
|
2 n |
|||||
|
4 |
|
^ |
̸ |
|
|
2 |
|
A |
|
5 |
|
|
|
|
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
x |
|
(x0) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
CollisionResistance. isisthestrongestattackasitgrantstotheadversarythepower
to choose the hash for which she has to provide two di erent values x1 ≠ x2 such that HK (x1) = HK (x2). Contrarily to the two attacks before, there exists an attack in 2n/2 due to the birthday paradox ( is attack consists in picking two random values and
checking whether they are mapped to the same value and repeating until the condition is satis ed). A hash function family is then said to be collision resistant if no adversary can do better than the birthday attack.
Although considering a family of functions is essential for the correctness of the de nition of collision resistance, widely used hash functions such as SHA- , SHA- [NIS ], and even the current SHAnalists, consist of a single function. Clearly, when only pre-image resistance is required those hash functions can t the
. . Universal Hash Functions
In many situations, the hardness of nding collisions is a too strong requirement and we only need that collisions for two random values happen with a small enough probability. is is
the case for example in hash tables and for extracting randomness [ILL ]. |
e functions |
|||||||||||||
satisfying this notion are called universal hash functions. |
|
|
|
|
|
|
|
|||||||
De |
nition . (Universal Hash Function Family) |
|
|
|
|
: f0; 1gℓ ! f0; 1gn that |
||||||||
A universal hash function family is a family of functions HK2f0;1g |
||||||||||||||
satis |
es the following property. |
|
|
|
|
|
|
|
|
|
|
|||
|
x; y |
2 f |
0; 1 |
ℓ; s:t:x = y : Pr [HK (x) = HK (y) |
K |
2 |
R |
0; 1 ] |
|
2 n: |
||||
|
8 |
g |
̸ |
h |
2 |
H |
j |
|
f g |
|
||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Note that contrarily to most cryptographic primitives universal hash functions does not need to rely on any assumption. Instead, they can be instantiated using simple modular arithmetic as in the Carter-Wegman construction [CW ].
. . Pseudo-Random Functions
As true randomness is di cult to obtain, it is essential to have a mean to generate sequences that look random to the adversary. Two cryptographic primitives can be used to implement
.
|
|
Mallory
m |
c |
Decrypt |
m |
Alice |
Encrypt |
Bob |
sk
Key |
pk |
Authenticated |
Generation |
|
Channel |
Figure 2.3: Components of a Public-key encryption scheme.
such functionality: Pseudo-random functions (PRF) and pseudo-random number generators (PRNG).
De nition . (Pseudo-Random Function - PRF)
Let FK2f0;1g : f0; 1gℓ ! f0; 1gn be a family of functions indexed by a key K. We say that F is a family of pseudo-random functions if it satis es
For every K 2 f0; 1g and every x 2 f0; 1gℓ, FK (x) is computable in polynomial-time.
For a randomly chosen K, FK is indistinguishable om a function R, chosen randomly among the set of functions om f0; 1gℓ to f0; 1gn. In other words, for every distinguisher D, we have that
2.4Public-Key Encryption Schemes
Public-key encryption, also known as asymmetric encryption, is one of the greatest achievements of modern cryptography. It allows one sender to encrypt messages that only a particular receiver can decrypt and that with only having a public key. On the other hand, the receiver is given a secret key that is used for decryption. at is, anyone with access to the public key can encrypt messages that only the receiver can decrypt.
De nition . (Public-Key Encryption Scheme)
A public-key encryption scheme is a triplet of algorithms (KeyGen, Enc, Dec) de ned as follows
KeyGen(1k) ! (sk; pk). is is the key generation algorithm. On input a security parameter k, written in unary, this algorithm generates in polynomial-time a secret key sk that is securely transmitted to its intended owner, while a public key pk is published. e latter also characterises a, usually nite, message space M. Note that this algorithm has to be probabilistic.
.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Adversary |
Common Input: |
Challenger |
|
||
|
(A1; A2) |
k 2 N |
C |
|
|
|
|
|
|
pk |
(sk; pk) KeyGen(1k) |
|
|
|
|
|
|
|
||
|
(m0; m1) ^ |
A1(pk)! |
m0;m1 |
b 2R f0; 1g |
|
|
|
c |
|
||||
|
b |
A2(c) |
^ |
c Encpk(mb) |
|
|
|
|
|
Win if b = b |
|
|
|
|
Figure 2.4: |
e IND-CPA Security Experiment. |
|
|||
Encpk(m) ! c. |
is, usually probabilistic, polynomial-time algorithm is used to encrypt |
|
||||
a message m 2 M under the public key pk by forming a ciphertext c. |
|
|||||
Decsk(c) ! m. |
is last algorithm is used to decrypt a ciphertext c. at is, given c and |
|
||||
the secret key sk, the algorithm reco ers m in a polynomial-time number of steps. |
|
|||||
Obviously, these algorithms have to be consistent with each other in the sense that using a secret key sk to decrypt a ciphertext c that is the encryption of a message m under the corresponding public key pk yields m. In other words,
|
|
|
4 |
|
|
KeyGen(1k) ! (sk; pk) |
5 |
|
||
k |
|
N : Pr |
Decsk(c) = m |
|
m |
|
R M |
= 1 |
||
8 |
2 |
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
Encpk(m) ! c |
|
|
||
|
|
|
|
|
|
|
|
|||
Regarding the security of encryption schemes, we retain the two classical notions of semantic security and non-malleability. Semantic security formalizes the fact that ciphertexts conceal all information about their underlying plaintexts. is property is captured by indistinguishability under chosen message attacks, commonly abbreviated IND-CPA [GM ].
De nition . (IND-CPA Security)
We consider the IND-CPA security experiment shown in Figure . . A scheme is called INDCPA secure, if no probabilistic polynomial-time adversary wins the IND-CPA experiment with an advantage greater than a negligible function of the security parameter. In other words, for every probabilistic polynomial-time two-stage algorithm (A1; A2), IND-CPA security requires that
|
|
A |
|
6 |
|
|
|
|
|
6 |
2(c; st) |
Pr |
2 |
|
|
4 |
|
|
|
|
|
|
|
|
|
KeyGen(1k) ! (sk; pk) |
||||
|
|
|
|
R |
|
|
= b |
|
A |
1(pk) |
! |
(m0; m1; st) |
|
|
|
b |
0; 1 |
|||
|
|
|
|
|
|
|
|
|
|
|
2 |
|
f g |
|
|
|
|
|
||
|
|
|
Encpk(mb) ! c |
|||
|
|
|
||||
|
2 |
|
|
7 |
|
|
|
|
|
|
|
7 |
1 |
|
|
3 |
|
|
= negl(k) |
5 |
|
|
|
|
|
|
|
|
|
|
|
IND-CPA secure encryption schemes include classical examples such as the GoldwasserMicali cryptosystem [GM ], Elgamal’s encryption scheme [Elg ], and Paillier’s encryption scheme [Pai ].
. -
|
|
|
|
|||
|
|
|
|
|
||
|
|
Adversary Common Input: |
Challenger |
|||
|
|
(A1; A2) |
k 2 N |
C |
|
|
|
|
|
|
pk |
(sk; pk) KeyGen(1k) |
|
|
|
|
|
|
||
|
|
|
! |
m0;m1 |
b 2R f0; 1g |
|
|
^ |
c |
||||
|
|
b |
A2(c) |
^ |
c Encpk(mb) |
|
|
|
|
|
Win if b = b |
|
|
|
|
|
Figure 2.5: |
e IND-CCA Security Experiment. |
||
Non-malleability is a stronger notion, not only requiring that no adversary can learn any information on the message but also mandating that it is not possible to transform the encryptedplaintextbyapplyingsomeoperations. islevelofsecurityisclearlyhigherandmore di cult to attain than IND-CPA security. More formally, it was shown to correspond to indistinguishability against chosen-ciphertext attacks, IND-CCA for short [RS ]. In short, this notion is similar to the IND-CPA property except that the adversary, in both phases, can query a decryption oracle on every ciphertext but c. A weaker notion in which only A1 is granted that access has been considered by Naor and Yung [NY ]. To distinguish both variants, the former notion is commonly refered to as IND-CCA security and the later one by IND-CCA security. We give the formal de nition of IND-CCA security.
De nition . (IND-CCA Security)
Let us consider the IND-CCA security experiment depicted in Figure . . A public-key encryption scheme is called IND-CCA secure if no probabilistic polynomial-time adversary wins the IND-CCA experiment with an advantage greater than a negligible function of the security parameter. In other words, for every probabilistic polynomial-time two-stage algorithm (A1; A2), IND-CCA security requires that
|
|
|
2 |
|
b |
|
|
|
0; 1 |
|
|
|
|
|
|
|
|
A |
|
|
KeyGen(1k) ! (sk; pk) |
|
2 |
|
|
||||||
|
|
|
|
R |
|
|
|
|
|
|
|||||
Pr |
2 |
|
ODec (c; st) = b |
|
A1ODec (pk) |
! (m0; m1; st) |
3 |
1 |
|
= negl(k) |
|||||
|
|
||||||||||||||
6 |
|
|
|
|
pk |
(mb) |
! |
c |
7 |
|
|
|
|||
|
4 |
|
|
|
Enc |
2 |
|
f |
|
|
5 |
|
|
|
|
|
6 |
|
|
|
|
|
g |
|
7 |
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
When the probability abo e only holds for adversaries that are such that A2 does not query ODec, then the scheme is said to be IND-CCA secure.
RSA-OAEP [BR a] and Rabin-SAEP [Bon ] are two examples of systems that achieve IND-CCA security (in the Random Oracle model explained in Section . ). e CramerShoup [CS ] cryptosystem is also IND-CCA secure, but in the standard model.
.