Encryption Schemes
4. The algorithm A is deterministic
objects), rather than handed down from heaven (where it might have been selected non-uniformly or using non-recursive procedures).
5.2.5.5. An Alternative Treatment
An alternative uniform-complexity treatment of security (in the current passive setting) can be derived from the treatment of security under chosen plaintext attacks (presented in Section 5.4.3). Specifically, the definitions presented in Section 5.4.3.1 should be modified as follows:
• Replace the input pair (e, z), which is given to the attacker’s first part (i.e., A1), by 1^n. That is, eliminate the (non-uniform) auxiliary input z, and omit the encryption-key e (also in the public-key version).
• Remove the encryption oracle (i.e., E_e) from the definitions; that is, model the attacker by an ordinary (probabilistic polynomial-time) algorithm, rather than by an oracle machine.
Consequently, the definition of semantic security (Definition 5.4.8) can be simplified by using A'1 = A1 and omitting Condition 2 (which refers to the distributions produced by A1 and A'1). Doing so requires a minor change in the first part of the proof of Theorem 5.4.11 (i.e., letting A'2 rather than A'1 generate a random encryption-key).
In the resulting definitions, the first part of the attacker is confined to an oblivious selection of a challenge template (i.e., the challenge template is selected independently of the encryption-key), whereas the second part of the attacker is given an adequate challenge (and nothing else). In the case of semantic security, this means that the adversary first selects the “application” that consists of the plaintext distribution, the partial information function h, and the desired information function f. These three objects are represented by circuits. Next, a plaintext x is selected according to the specified distribution, and the adversary is given a corresponding ciphertext (i.e., E_e(x)), as well as the corresponding partial information h(x).
5.3. Constructions of Secure Encryption Schemes
In this section we present constructions of secure private-key and public-key encryption schemes. Here and throughout this section, security means semantic security in the multiple-message setting. Recall that this is equivalent to ciphertext-indistinguishability (in the multiple-message setting). Also recall that for public-key schemes it suffices to prove ciphertext-indistinguishability in the single-message setting. Following are the main results of this section:
• Using any (non-uniformly robust) pseudorandom function, one can construct secure private-key encryption schemes. Recall that the former can be constructed using any (non-uniformly strong) one-way function.
• Using any (non-uniformly strong) trapdoor one-way permutation, one can construct secure public-key encryption schemes.
In addition, we review some popular suggestions for private-key and public-key encryption schemes.
Probabilistic Encryption. Before starting, we recall that a secure public-key encryption scheme must employ a probabilistic (i.e., randomized) encryption algorithm. Otherwise, given the encryption-key as (additional) input, it is easy to distinguish the encryption of the all-zero message from the encryption of the all-ones message. The same holds for private-key encryption schemes when considering the multi-message setting.¹⁰ For example, using a deterministic (private-key) encryption algorithm allows the adversary to distinguish two encryptions of the same message from the encryptions of a pair of different messages. Thus, the common practice of using pseudorandom permutations as “block-ciphers” (see definition in Section 5.3.2) is not secure (again, one can distinguish two encryptions of the same message from encryptions of two different messages). This explains the linkage between our security definitions and randomized (aka probabilistic) encryption schemes. Indeed, all our encryption schemes will employ randomized encryption algorithms.¹¹
5.3.1.* Stream-Ciphers
It is common practice to use “pseudorandom generators” as a basis for private-key stream-ciphers (see definition in Section 5.3.1.1). Specifically, the pseudorandom generator is used to produce a stream of bits that are XORed with the corresponding plaintext bits to yield corresponding ciphertext bits. That is, the generated pseudorandom sequence (which is determined by the a priori shared key) is used as a “one-time pad” instead of a truly random sequence, with the advantage that the generated sequence may be much longer than the key (whereas this is not possible for a truly random sequence). This common practice is indeed sound, provided one actually uses pseudorandom generators (as defined in Section 3.3 of Volume 1), rather than programs that are called “pseudorandom generators” but actually produce sequences that are easy to predict (such as the linear congruential generator or some modifications of it that output a constant fraction of the bits of each resulting number).
As we shall see, by using any pseudorandom generator one may obtain a secure private-key stream-cipher that allows for the encryption of a stream of plaintext bits.
We note that such a stream-cipher does not conform to our formulation of an encryption scheme (i.e., as in Definition 5.1.1), because in order to encrypt several messages one is required to maintain a counter (to prevent reusing parts of the pseudorandom “one-time pad”). In other words, we obtain a secure encryption scheme with a variable state that is modified after the encryption of each message. We stress that constructions of secure and stateless encryption schemes (i.e., conforming with Definition 5.1.1) are known and are presented in Sections 5.3.3 and 5.3.4. The traditional interest in stream-ciphers is due to efficiency considerations. We discuss this issue at the end of Section 5.3.3.
But before doing so, let us formalize the discussion.
¹⁰ We note that this does not hold with respect to private-key schemes in the single-message setting (or for the augmented model of state-based ciphers discussed in Section 5.3.1). In such a case, the private-key can be augmented to include a seed for a pseudorandom generator, the output of which can be used to eliminate randomness from the encryption algorithm. (Question: Why does the argument fail in the public-key setting and in the multi-message private-key setting?)
¹¹ The (private-key) stream-ciphers discussed in Section 5.3.1 are an exception, but (as further explained in Section 5.3.1) these schemes do not adhere to our (basic) formulation of encryption schemes (as in Definition 5.1.1).
5.3.1.1. Definitions
We start by extending the simple mechanism of encryption schemes (as presented in Definition 5.1.1). The key-generation algorithm remains unchanged, but both the encryption and decryption algorithm take an additional input and emit an additional output, corresponding to their state before and after the operation. The length of the state is not allowed to grow by too much during each application of the encryption algorithm (see Item 3 in Definition 5.3.1), or else the efficiency of the entire “repeated encryption” process cannot be guaranteed. For the sake of simplicity, we incorporate the key in the state of the corresponding algorithm. Thus, the initial state of each of the algorithms is set to equal its corresponding key. Furthermore, one may think of the intermediate states as updated values of the corresponding key. For clarity, the reader may consider the special case in which the state contains the initial key, the number of times the scheme was invoked (or the total number of bits in such invocations), and auxiliary information that allows a speedup of the computation of the next ciphertext (or plaintext).
For simplicity, we assume that the decryption algorithm (i.e., D) is deterministic (otherwise formulating the reconstruction condition would be more complex). Intuitively, the main part of the reconstruction condition (i.e., Item 2 in Definition 5.3.1) is that the (proper) iterative encryption–decryption process recovers the original plaintexts. The additional requirement in Item 2 is that the state of the decryption algorithm is updated correctly so long as it is fed with strings of length equal to the length of the valid ciphertexts. The reason for this additional requirement is discussed following Definition 5.3.1. We comment that in traditional stream-ciphers, the plaintexts (and ciphertexts) are individual bits or blocks of a fixed number of bits (i.e., |α(i)| = |β(i)| = for all i’s).
Definition 5.3.1 (state-based cipher – the mechanism): A state-based encryption scheme is a triple, (G, E, D), of probabilistic polynomial-time algorithms satisfying the following three conditions:
1. On input 1^n, algorithm G outputs a pair of bit strings.
2. For every pair (e(0), d(0)) in the range of G(1^n), and every sequence of plaintexts α(i)’s, the following holds: If (e(i), β(i)) ← E(e(i−1), α(i)) and (d(i), γ(i)) ← D(d(i−1), β(i)), for i = 1, 2, ..., then γ(i) = α(i) for every i. Furthermore, for every i and every β ∈ {0, 1}^{|β(i)|}, it holds that D(d(i−1), β) = (d(i), ·). That is, d(i) is actually determined by d(i−1) and |β(i)|.¹²
3. There exists a polynomial p such that for every pair (e(0), d(0)) in the range of G(1^n), and every sequence of α(i)’s and e(i)’s as in Item 2, it holds that |e(i)| ≤ |e(i−1)| + |α(i)| · p(n). Similarly for the d(i)’s.
¹² Alternatively, we may decompose the decryption (resp., encryption) algorithm into two algorithms, where the first takes care of the actual decryption (resp., encryption) and the second takes care of updating the state. For details see Exercise 24.
That is, as in Definition 5.1.1, the encryption–decryption process operates properly (i.e., the decrypted message equals the plaintext), provided that the corresponding algorithms get the corresponding keys (or states). Note that in Definition 5.3.1, the keys are modified by the encryption–decryption process, and so correct decryption requires holding the correctly updated decryption-key. We stress that the furthermore-clause in Item 2 guarantees that the decryption-key is correctly updated so long as the decryption process is fed with strings of the correct lengths (but not necessarily with the correct ciphertexts). This extra requirement implies that given the initial decryption-key and the current ciphertext, as well as the lengths of all previous ciphertexts (which may be actually incorporated in the current ciphertext), one may recover the current plaintext. This fact is interesting for two reasons:
A theoretical reason: It implies that without loss of generality (albeit with possible loss in efficiency), the decryption algorithm may be stateless. Furthermore, without loss of generality (again, with possible loss in efficiency), the state of the encryption algorithm may consist of the initial encryption-key and the lengths of the plaintexts encrypted so far.
A practical reason: It allows for recovery from the loss of some of the ciphertexts. That is, assuming that all ciphertexts have the same (known) length (which is typically the case in the relevant applications), if the receiver knows (or is given) the total number of ciphertexts sent so far, then it can recover the current plaintext from the current ciphertext, even if some of the previous ciphertexts were lost. See the special provision in Construction 5.3.3.
We comment that in Construction 5.3.3, it holds that $|e^{(i)}| \le |e^{(0)}| + \log_2 \sum_{j=1}^{i} |\alpha^{(j)}|$, which is much stronger than the requirement in Item 3 (of Definition 5.3.1).
We stress that Definition 5.3.1 refers to the encryption of multiple messages (and meaningfully extends Definition 5.1.1 only when considering the encryption of multiple messages). However, Definition 5.3.1 by itself does not explain why one should encrypt the i-th message using the updated encryption-key e(i−1), rather than reusing the initial encryption-key e(0) in all encryptions (where decryption is done by reusing the initial decryption-key d(0)). Indeed, the reason for updating these keys is provided by the following security definition that refers to the encryption of multiple messages, and holds only in case the encryption-keys in use are properly updated (in the multiple-message encryption process). Here we present only the semantic security definition for private-key schemes.
Definition 5.3.2 (semantic security – state-based cipher): For a state-based encryption scheme, (G, E, D), and any x = (x(1), ..., x(t)), we let Ee(x) = (y(1), ..., y(t)) be the result of the following t-step (possibly random) process, where e(0) def= e. For i = 1, ..., t, we let (e(i), y(i)) ← E(e(i−1), x(i)), where each of the t invocations of E utilizes independently chosen random coins. The scheme (G, E, D) is semantically secure in the state-based private-key model if for every polynomial t and every probabilistic polynomial-time algorithm A there exists a probabilistic polynomial-time algorithm A' such that for every {X_n = (X_n(1), ..., X_n(t(n)))}_{n∈N}, f, h, p, and n as in Definition 5.2.8, it holds that

$$\Pr\Big[A\big(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)\big) = f(1^n, X_n)\Big] < \Pr\Big[A'\big(1^n, t(n), 1^{|X_n|}, h(1^n, X_n)\big) = f(1^n, X_n)\Big] + \frac{1}{p(n)}$$
Note that Definition 5.3.2 (only) differs from Definition 5.2.8 in the preamble defining the random variable Ee(x), which mandates that the encryption-key e(i−1) is used in the i-th encryption. Furthermore, Definition 5.3.2 guarantees nothing regarding an encryption process in which the plaintext sequence x(1), ..., x(t) is encrypted by E(e, x(1)), E(e, x(2)), ..., E(e, x(t)) (i.e., the initial encryption-key e itself is used in all encryptions, as in Definition 5.2.8).
5.3.1.2. A Sound Version of a Common Practice
Using any (on-line) pseudorandom generator, one can easily construct a secure state-based private-key encryption scheme. Recall that on-line pseudorandom generators are a special case of variable-output pseudorandom generators (see Section 3.3.3), in which a hidden state is maintained and updated so as to allow generation of the next output bit in time polynomial in the length of the initial seed, regardless of the number of bits generated so far. Specifically, the next (hidden) state and output bit are produced by applying a (polynomial-time computable) function g : {0, 1}^n → {0, 1}^{n+1} to the current state (i.e., s'σ ← g(s), where s is the current state, s' is the next state and σ is the next output bit). The suggested state-based private-key encryption scheme will be initialized with a key equal to the seed of such a generator, and will maintain and update a state allowing it to quickly produce the next output bit of the generator. The stream of plaintext bits will be encrypted by XORing these bits with the corresponding output bits of the generator.
Construction 5.3.3 (how to construct stream-ciphers [i.e., state-based private-key encryption schemes]): Let g be a polynomial-time computable function such that |g(s)| = |s| + 1 for all s ∈ {0, 1}*.
Key-generation and initial state: On input 1^n, uniformly select s ∈ {0, 1}^n, and output the key-pair (s, s). The initial state of each algorithm is set to (s, 0, s).
(We maintain the initial key s and a step-counter in order to allow recovery from loss of ciphertexts.)
Encrypting the next plaintext bit x with state (s, t, s'): Let s''σ = g(s'), where |s''| = |s'| and σ ∈ {0, 1}. Output the ciphertext bit x ⊕ σ, and set the new state to (s, t + 1, s'').
Decrypting the ciphertext bit y with state (s, t, s'): Let s''σ = g(s'), where |s''| = |s'| and σ ∈ {0, 1}. Output the plaintext bit y ⊕ σ, and set the new state to (s, t + 1, s'').
Special recovery procedure: When notified that some ciphertext bits may have been lost and that the current ciphertext bit has index t, the decryption procedure first recovers the correct current state, denoted s_t, to be used in decryption instead of s'. This can be done by computing s_iσ_i = g(s_{i−1}), for i = 1, ..., t, where s_0 def= s.¹³
Note that both the encryption and decryption algorithms are deterministic, and that the state after encryption of t bits has length 2n + log₂ t < 3n (for t < 2^n).
Recall that g (as in Construction 5.3.3) is called a next-step function of an on-line pseudorandom generator if for every polynomial p the ensemble {G_n^p}_{n∈N} is pseudorandom (with respect to polynomial-size circuits), where G_n^p is defined by the following random process:
Uniformly select s_0 ∈ {0, 1}^n;
For i = 1 to p(n), let s_iσ_i ← g(s_{i−1}), where σ_i ∈ {0, 1} (and s_i ∈ {0, 1}^n);
Output σ_1σ_2 ··· σ_{p(n)}.
Also recall that if g is itself a pseudorandom generator, then it constitutes a next-step function of an on-line pseudorandom generator (see Exercise 21 of Chapter 3). We have:
Proposition 5.3.4: Suppose that g is a next-step function of an on-line pseudorandom generator. Then Construction 5.3.3 constitutes a secure state-based private-key encryption scheme.
Proof Idea: Consider an ideal version of Construction 5.3.3 in which a truly random sequence is used instead of the output produced by the on-line pseudorandom generator defined by g. The ideal version coincides with the traditional one-time pad, and thus is perfectly secure. The security of the actual Construction 5.3.3 follows by the pseudorandomness of the on-line generator.
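As an added illustration (not code from the book), the following Python sketch runs Construction 5.3.3 together with its special recovery procedure. The next-step function g is instantiated with a SHA-256-based stand-in, an assumption made only to have something executable, not an instance of the on-line generator that Proposition 5.3.4 requires; the last part of the demo shows the point made after Definition 5.3.2, namely that restarting from the initial state for every message repeats the keystream.

```python
import hashlib
import secrets

N = 16  # generator state length in bytes (the book's n, counted here in bytes)


def g(state):
    """Next-step function: current generator state -> (next state, one output bit).
    Stand-in chosen for this example (an assumption, not part of Construction 5.3.3):
    SHA-256 of the state, first N bytes as the next state, low bit of the last byte
    as the output bit. The construction needs g to be the next-step function of an
    on-line pseudorandom generator; SHA-256 here only makes the code executable."""
    digest = hashlib.sha256(state).digest()
    return digest[:N], digest[-1] & 1


def keygen():
    """G(1^n): the key-pair is (s, s); both parties start in state (s, 0, s)."""
    return secrets.token_bytes(N)


def initial_state(s):
    return (s, 0, s)


def step(state, bit):
    """One encryption or decryption step on a single bit with state (s, t, s').
    Computes s''sigma = g(s'), outputs bit XOR sigma and moves to (s, t + 1, s'').
    Decryption is the same map, so the receiver's state update depends only on the
    number of ciphertext bits it is fed (the furthermore-clause of Definition 5.3.1)."""
    s, t, cur = state
    nxt, sigma = g(cur)
    return (s, t + 1, nxt), bit ^ sigma


def process_bits(state, bits):
    """Encrypt or decrypt a list of 0/1 ints, threading the state through."""
    out = []
    for b in bits:
        state, c = step(state, b)
        out.append(c)
    return state, out


def recover_state(s, t):
    """Special recovery procedure: rebuild the state after t bits from the initial
    key alone (s_0 = s, s_i sigma_i = g(s_{i-1})), for a receiver that lost some
    ciphertext bits but learns that t bits precede the one it decrypts next."""
    cur = s
    for _ in range(t):
        cur, _ = g(cur)
    return (s, t, cur)


def demo(s=None):
    """Round trip, recovery after loss, and the stateless misuse the text warns about."""
    s = keygen() if s is None else s
    m1 = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample plaintexts
    m3 = [0, 1, 1, 0, 1, 0, 0, 1]
    enc = initial_state(s)
    enc, c1 = process_bits(enc, m1)  # ciphertext bits 1..8
    enc, c2 = process_bits(enc, m1)  # bits 9..16: same plaintext, fresh keystream
    enc, c3 = process_bits(enc, m3)  # bits 17..24
    dec, p1 = process_bits(initial_state(s), c1)
    honest = process_bits(dec, c2)[0]  # state the receiver would hold had c2 arrived
    # c2 is lost in transit; told that 16 bits precede c3, the receiver resynchronises
    # from s instead of decrypting c3 with the stale state left after c1.
    resynced = recover_state(s, 16)
    _, p3 = process_bits(resynced, c3)
    # Misuse: restarting from (s, 0, s) for every message reuses the keystream, so equal
    # plaintexts give equal ciphertexts; Definition 5.3.2 covers only the updated process.
    _, r1 = process_bits(initial_state(s), m1)
    _, r2 = process_bits(initial_state(s), m1)
    return {"m1": m1, "p1": p1, "m3": m3, "p3": p3,
            "resync_matches": resynced == honest,
            "stateless_repeats": r1 == r2,
            "state_bytes": len(resynced[0]) + len(resynced[2])}
```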
5.3.2. Preliminaries: Block-Ciphers
Many encryption schemes are conveniently presented by first constructing a restricted type of encryption scheme that we call a block-cipher.¹⁴ In contrast to encryption schemes (as defined in Definition 5.1.1), block-ciphers (as defined in Definition 5.3.5) are only required to operate on plaintexts of a specific length (which is a function of the security parameter). As we shall see, given a secure block-cipher, we can easily construct a (general) secure encryption scheme.
¹³ More generally, if the decryption procedure holds the state at time t' < t, then it needs only compute s_{t'+1}, ..., s_t.
¹⁴ In using the term block-cipher, we abuse standard terminology by which a block-cipher must, in addition to operating on plaintext of specific length, produce ciphertexts of a length that equals the length of the corresponding plaintexts. We comment that the latter cannot be semantically secure; see Exercise 25.
5.3.2.1. Definitions
We start by considering the syntax (cf. Definition 5.1.1).
Definition 5.3.5 (block-cipher): A block-cipher is a triple, (G, E, D), of probabilistic polynomial-time algorithms satisfying the following two conditions:
1. On input 1^n, algorithm G outputs a pair of bit strings.
2. There exists a polynomially bounded function : N → N, called the block length, so that for every pair (e, d) in the range of G(1^n), and for each α ∈ {0, 1}^{(n)}, algorithms E and D satisfy
Pr[D_d(E_e(α)) = α] = 1
Typically, we use either (n) = (n) or (n) = 1. Analogously to Definition 5.1.1, this definition does not distinguish private-key encryption schemes from public-key ones. The difference between the two types is captured in the security definitions, which are essentially as before, with the modification that we only consider plaintexts of length (n). For example, the analogue of Definition 5.2.8 (for private-key schemes) reads:
Definition 5.3.6 (semantic security – private-key block-ciphers): A block-cipher, (G, E, D), with block length is semantically secure (in the private-key model) if for every probabilistic polynomial-time algorithm A there exists a probabilistic polynomial-time algorithm A' such that for every ensemble {X_n = (X_n(1), ..., X_n(t(n)))}_{n∈N}, with |X_n(1)| = ··· = |X_n(t(n))| = (n) and t(n) ≤ poly(n), every pair of polynomially bounded functions f, h, every positive polynomial p, and all sufficiently large n, it holds that

$$\Pr\Big[A\big(1^n, E_{G_1(1^n)}(X_n), 1^{|X_n|}, h(1^n, X_n)\big) = f(1^n, X_n)\Big] < \Pr\Big[A'\big(1^n, t(n), 1^{|X_n|}, h(1^n, X_n)\big) = f(1^n, X_n)\Big] + \frac{1}{p(n)}$$

where Ee(x(1), ..., x(t)) = (Ee(x(1)), ..., Ee(x(t))), as in Definition 5.2.8.
Note that, in case is polynomial-time computable, we can omit the auxiliary input 1^{|X_n|} = 1^{t(n)·(n)}, because it can be reconstructed from the security parameter n and the value t(n).
5.3.2.2. Transforming Block-Ciphers into General Encryption Schemes
There are obvious ways of transforming a block-cipher into a general encryption scheme. The basic idea is to break the plaintexts (for the resulting scheme) into blocks and encode each block separately by using the block-cipher. Thus, the security of the block-cipher (in the multiple-message settings) implies the security of the resulting encryption scheme. The only technicality we need to deal with is how to encrypt plaintexts of length that is not an integer multiple of the block-length (i.e., of (n)). This is easily resolved by padding the last block (while indicating the end of the actual plaintext).¹⁵
Construction 5.3.7 (from block-ciphers to general encryption schemes): Let (G, E, D) be a block-cipher with block length function . We construct an encryption scheme, (G', E', D'), as follows. The key-generation algorithm, G', is identical to G. To encrypt a message α (with encryption-key e generated under security parameter n), we break it into consecutive blocks of length (n), while possibly augmenting the last block. Let α_1, ..., α_t be the resulting blocks. Then
E'_e(α) def= (|α|, E_e(α_1), ..., E_e(α_t))
To decrypt the ciphertext (m, β_1, ..., β_t) (with decryption-key d), we let α_i = D_d(β_i) for i = 1, ..., t, and let the plaintext be the m-bit long prefix of the concatenated string α_1 ··· α_t.
This construction yields ciphertexts that reveal the exact length of the plaintext. Recall that this is not prohibited by the definitions of security, and that we cannot hope to totally hide the plaintext length. However, we can easily construct encryption schemes that hide some information about the length of the plaintext; see examples in Exercise 5. Also, note that the above construction applies even to the special case where is identically 1.
Proposition 5.3.8: Let (G, E, D) and (G', E', D') be as in Construction 5.3.7. Suppose that the former is a secure private-key¹⁶ (resp., public-key) block-cipher. Then the latter is a secure private-key (resp., public-key) encryption scheme.
Proof Sketch: The proof is by a reducibility argument. Assuming toward the contradiction that the encryption scheme (G', E', D') is not secure, we conclude that neither is (G, E, D), contradicting our hypothesis. Specifically, we rely on the fact that in both schemes, security means security in the multiple-message setting. Note that in case the security of (G', E', D') is violated via t(n) messages of length L(n), the security of (G, E, D) is violated via t(n) · L(n)/(n) messages of length (n). Also, the argument may utilize any of the two notions of security (i.e., semantic security or ciphertext-indistinguishability).
¹⁵ We choose to use a very simple indication of the end of the actual plaintext (i.e., to include its length in the ciphertext). In fact, it suffices to include the length of the plaintext modulo (n). Another natural alternative is to use a padding of the form 10^{((n)−|α|−1) mod (n)}, while observing that no padding is ever required in case (n) = 1.
¹⁶ Recall that throughout this section security means security in the multiple-message setting.
5.3.3. Private-Key Encryption Schemes
Secure private-key encryption schemes can be easily constructed using any efficiently computable pseudorandom function ensemble (see Section 3.6). Specifically, we present a block-cipher with block length (n) = n. The key-generation algorithm consists of selecting a seed, denoted s, for such a function, denoted f_s. To encrypt a message x ∈ {0, 1}^n (using key s), the encryption algorithm uniformly selects a string r ∈ {0, 1}^n and produces the ciphertext (r, x ⊕ f_s(r)). To decrypt the ciphertext (r, y) (using key s), the decryption algorithm just computes y ⊕ f_s(r). Formally, we have:
Construction 5.3.9 (a private-key block-cipher based on pseudorandom functions):
Let F = {Fn} be an efficiently computable function ensemble and let I and V be the
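As an added illustration (not the book's code), here is the PRF-based block-cipher of Construction 5.3.9 together with the block-to-general transformation of Construction 5.3.7 in Python. The pseudorandom function f_s is instantiated with HMAC-SHA256 as a stand-in (an assumption of this example), the block length is fixed at 16 bytes, and a fixed-r variant is included only to exhibit the distinguishing problem of deterministic encryption described under “Probabilistic Encryption” above.

```python
import hashlib
import hmac
import secrets

N = 16  # block length in bytes; the book takes block length n = security parameter


def f(s, r):
    """PRF value f_s(r), N bytes long. Stand-in chosen for this example (an assumption):
    HMAC-SHA256 truncated to N bytes. Construction 5.3.9 only asks for an efficiently
    computable pseudorandom function ensemble; HMAC here merely makes the code run."""
    return hmac.new(s, r, hashlib.sha256).digest()[:N]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    """Private key: a uniformly selected seed s for the function f_s."""
    return secrets.token_bytes(N)


def block_encrypt(s, x, r=None):
    """Construction 5.3.9: select r uniformly and output (r, x XOR f_s(r)).
    The optional r parameter exists only so the demo can show the deterministic misuse."""
    if len(x) != N:
        raise ValueError("the block cipher accepts exactly N-byte plaintexts")
    r = secrets.token_bytes(N) if r is None else r
    return r, xor(x, f(s, r))


def block_decrypt(s, c):
    r, y = c
    return xor(y, f(s, r))


def encrypt(s, msg):
    """Construction 5.3.7: cut msg into N-byte blocks, zero-pad the last one, and
    prefix the list of block ciphertexts with |msg| so the padding can be stripped."""
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)] or [b""]
    blocks[-1] = blocks[-1].ljust(N, b"\x00")
    return len(msg), [block_encrypt(s, b) for b in blocks]


def decrypt(s, ct):
    """Decrypt each block and keep the m-byte prefix; reject malformed shapes first."""
    m, cblocks = ct
    if m > N * len(cblocks) or any(len(r) != N or len(y) != N for r, y in cblocks):
        raise ValueError("malformed ciphertext")
    return b"".join(block_decrypt(s, c) for c in cblocks)[:m]


def demo(s=None):
    s = keygen() if s is None else s
    msg = b"constructed sample plaintext, not a multiple of the block length"
    ct1 = encrypt(s, msg)
    ct2 = encrypt(s, msg)  # same plaintext, independent r per block
    # Deterministic misuse from the text: a fixed r makes equal plaintexts collide,
    # which is exactly what lets an observer tell repeats from distinct messages.
    fixed_r = bytes(N)
    d1 = block_encrypt(s, msg[:N], fixed_r)
    d2 = block_encrypt(s, msg[:N], fixed_r)
    return {
        "msg_len": len(msg),
        "blocks": len(ct1[1]),  # ceil(|msg| / N) blocks, matching the proof's count
        "roundtrip": decrypt(s, ct1) == msg,
        "length_leaked": ct1[0] == len(msg),  # the scheme reveals |msg| by design
        "fresh_ciphertexts_differ": ct1 != ct2,
        "deterministic_repeats": d1 == d2,
        "empty_ok": decrypt(s, encrypt(s, b"")) == b"",
    }
```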