Encryption Schemes
Corollary 5.3.21: Suppose that factoring is infeasible in the sense that for every polynomial-size circuit {C n }, every positive polynomial p, and all sufficiently large
2. In an a posteriori chosen ciphertext attack, after being given the test ciphertext, the decryption oracle is not removed, but rather the adversary’s access to this oracle is
5.4.2. Key-Dependent Passive Attacks
The following discussion, as well as the entire subsection, refers only to public-key encryption schemes. For sake of simplicity, we present the single-message definitions of security. We note that, as in the basic case (for public-key encryption schemes), the single-message definitions of security are equivalent to the multiple-message ones.
In Definitions 5.2.2 and 5.2.4, the plaintext distribution (or pair) is fixed obliviously of the encryption-key. This suffices for the natural case in which the (high-level) application (using the encryption scheme) is oblivious of the encryption-key.[23] However, in some settings, the adversary may have partial control over the application. Furthermore, in the public-key case, the adversary knows the encryption-key in use, and so (if it may partially control the application) it may be able to cause the application to invoke the encryption scheme on plaintexts that are related to the encryption-key in use. Thus, for such settings, we need stronger definitions of security that postulate that partial information about the plaintext remains secret even if the plaintext does depend on the encryption-key in use. Note that here we merely consider the dependence of the “test” plaintext (i.e., the one for which the adversary wishes to obtain partial information) on the encryption-key, and ignore the fact that the foregoing motivation also suggests that the adversary can obtain the encryptions of additional plaintexts chosen by it (as discussed in Section 5.4.3). However, it is easy to see that (in the public-key setting discussed here) these additional encryptions are of no use to the adversary, because it can generate them by itself (see Section 5.4.3).
5.4.2.1. Definitions
Recall that we seek a definition that guarantees that partial information about the plaintext remains secret even if the plaintext does depend on the encryption-key in use. That is, we seek a strengthening of semantic security (as defined in Definition 5.2.2) in which one allows the plaintext distribution ensemble (denoted $\{X_n\}_{n\in\mathbb{N}}$ in Definition 5.2.2) to depend on the encryption-key in use (i.e., for encryption-key $e$, we consider the distribution $X_e$ over $\{0,1\}^{\mathrm{poly}(|e|)}$). Furthermore, we also allow the partial information functions (denoted $f$ and $h$ in Definition 5.2.2) to depend on the encryption-key in use (i.e., for encryption-key $e$, we consider the functions $f_e$ and $h_e$). In the actual definition it is important to restrict the scope of the functions $\{h_e\}_e$ and the distributions $\{X_e\}_e$ so that their dependency on $e$ is polynomial-time computable (see Exercise 28). This yields the definition presented in Exercise 29, which is equivalent to the following formulation.[24]

[23] Indeed, it is natural (and even methodologically imperative) that a high-level application that uses encryption as a tool be oblivious of the keys used by that tool. However, this refers only to proper operation of the application, and deviation may be caused (in some settings) by improper behavior (i.e., by an adversary).
Definition 5.4.1 (semantic security under key-dependent passive attacks): The sequence $\{(f_e, h_e, X_e)\}_{e\in\{0,1\}^*}$ is admissible for the current definition if

1. The functions $f_e:\{0,1\}^*\to\{0,1\}^*$ are polynomially bounded; that is, there exists a polynomial $\ell$ such that $|f_e(x)| \le \ell(|x| + |e|)$.

2. There exists a non-uniform family of polynomial-size (h-evaluation) circuits $\{H_n\}_{n\in\mathbb{N}}$ such that for every $e$ in the range of $G_1(1^n)$ and every $x$ in the support of $X_e$, it holds that $H_n(e, x) = h_e(x)$.

3. There exists a non-uniform family of (probabilistic) polynomial-size (sampling) circuits $\{S_n\}_{n\in\mathbb{N}}$ such that for every $e$ in the range of $G_1(1^n)$ and for some $m = \mathrm{poly}(|e|)$, the random variables $S_n(e, U_m)$ and $X_e$ are identically distributed.[25]

An encryption scheme, $(G, E, D)$, is semantically secure under key-dependent passive attacks if for every probabilistic polynomial-time algorithm $A$, there exists a probabilistic polynomial-time algorithm $A'$ such that for every admissible sequence $\{(f_e, h_e, X_e)\}_{e\in\{0,1\}^*}$, every positive polynomial $p$, and all sufficiently large $n$ it holds that

$$\Pr\left[A(e, E_e(X_e), 1^{|X_e|}, h_e(X_e)) = f_e(X_e)\right] < \Pr\left[A'(e, 1^{|X_e|}, h_e(X_e)) = f_e(X_e)\right] + \frac{1}{p(n)}$$

where $(e, d) \leftarrow G(1^n)$, and the probability is taken over the internal coin tosses of algorithms $G$, $E$, $A$, and $A'$, as well as over $X_e$.
We stress that the performance of $A'$ is measured against the same distribution of triplets $(f_e, h_e, X_e)$ (i.e., $e \leftarrow G_1(1^n)$) as the one considered for algorithm $A$. Unlike in other versions of the definition of semantic security, here it is important to let $A'$ have the encryption-key $e$, because the task (i.e., the evaluation of $f_e(X_e)$) as well as its main input (i.e., the value $h_e(X_e)$) are related to $e$. (Indeed, if $e$ were not given to $A'$, then no encryption scheme $(G, E, D)$ could satisfy the revised Definition 5.4.1: Considering $h_e(x) = x \oplus e$ (for $|x| = |e|$) and $f_e(x) = x$, note that it is easy for $A$ to compute $x$ from $e$ and $h_e(x)$, which are explicit in $(e, E_e(x), 1^{|x|}, h_e(x))$, whereas no $A'$ can compute $x$ from $(1^n, 1^{|x|}, h_e(x))$.)
Using Exercise 14.2, one may verify that Definition 5.2.2 is a special case of Definition 5.4.1. An analogous modification (or generalization) of Definition 5.2.4 yields the following:

[24] Recall that, without loss of generality, we may assume that the keys generated by $G(1^n)$ have length $n$. Thus, there is no point in providing the algorithms with $1^n$ as an auxiliary input (as done in Definition 5.2.2).

[25] As usual, $S_n(e, r)$ denotes the output of the circuit $S_n$ on input $e$ and coins $r$. We stress that for every $e$, the length of $X_e$ is fixed.
5.4* BEYOND EAVESDROPPING SECURITY
Definition 5.4.2 (indistinguishability of encryptions under key-dependent passive attacks): The sequence $\{(x_e, y_e)\}_{e\in\{0,1\}^*}$ is admissible for the current definition if there exists a non-uniform family of polynomial-size circuits $\{P_n\}_{n\in\mathbb{N}}$ that maps each encryption-key $e \in \{0,1\}^*$ to the corresponding pair of (equal-length) strings $(x_e, y_e)$. That is, for every $e$ in the range of $G_1(1^n)$, it holds that $P_n(e) = (x_e, y_e)$. An encryption scheme, $(G, E, D)$, has indistinguishable encryptions under key-dependent passive attacks if for every non-uniform family of polynomial-size circuits $\{C_n\}$, every admissible sequence $\{(x_e, y_e)\}_{e\in\{0,1\}^*}$, every positive polynomial $p$, and all sufficiently large $n$ it holds that

$$\left|\Pr[C_n(e, E_e(x_e)) = 1] - \Pr[C_n(e, E_e(y_e)) = 1]\right| < \frac{1}{p(n)}$$

where $(e, d) \leftarrow G(1^n)$, and the probability is taken over the internal coin tosses of algorithms $G$ and $E$.
As in the basic case (i.e., Section 5.2), the two definitions are equivalent.
Theorem 5.4.3 (equivalence of definitions for key-dependent passive attacks): A public-key encryption scheme (G, E, D) is semantically secure under key-dependent passive attacks if and only if it has indistinguishable encryptions under key-dependent passive attacks.
Proof Sketch: In order to show that indistinguishability of encryptions implies semantic security, we follow the proof of Proposition 5.2.6. Specifically, $A'$ is constructed and analyzed almost as before, with the exception that $A'$ gets and uses the encryption-key $e$ (rather than generating a random encryption-key by itself).[26] That is, we let $A'(e, 1^{|x|}, h_e(x)) = A(e, E_e(1^{|x|}), 1^{|x|}, h_e(x))$, and show that for all (deterministic) polynomial-size circuit families $\{S_n\}_{n\in\mathbb{N}}$ and $\{H_n\}_{n\in\mathbb{N}}$ it holds that

$$\Pr\left[A(e, E_e(S_n(e)), 1^{|S_n(e)|}, H_n(e, S_n(e))) = f_e(S_n(e))\right] < \Pr\left[A(e, E_e(1^{|S_n(e)|}), 1^{|S_n(e)|}, H_n(e, S_n(e))) = f_e(S_n(e))\right] + \mu(n) \qquad (5.11)$$

where $e \leftarrow G_1(1^n)$ and $\mu:\mathbb{N}\to[0,1]$ is a negligible function. Once established, Eq. (5.11) implies that $(G, E, D)$ satisfies Definition 5.4.1.
On how Eq. (5.11) implies Definition 5.4.1: The issue is that Eq. (5.11) refers to deterministic plaintext-selecting circuits (i.e., the $S_n$'s), whereas Definition 5.4.1 refers to probabilistic plaintext-sampling circuits (denoted $S'_n$ below). This small gap can be bridged by fixing a sequence of coins for the latter probabilistic (sampling) circuits. Specifically, starting with any admissible (for Definition 5.4.1) sequence $\{(f_e, h_e, X_e)\}_{e\in\{0,1\}^*}$, where $H_n(e, x) = h_e(x)$ and $X_e \equiv S'_n(e, U_{\mathrm{poly}(n)})$, we consider some sequence of coins $r_n$ (for $S'_n$) that maximizes the gap between $\Pr[A(e, E_e(x_e), 1^{|x_e|}, H_n(e, x_e)) = f_e(x_e)]$ and $\Pr[A'(e, 1^{|x_e|}, H_n(e, x_e)) = f_e(x_e)]$, where $e$ is random and $x_e = S'_n(e, r_n)$. Recalling that $A'(e, 1^{|x|}, \gamma) = A(e, E_e(1^{|x|}), 1^{|x|}, \gamma)$ and hard-wiring the sequence of $r_n$'s into the sampling circuits (i.e., letting $S_n(e) = S'_n(e, r_n) = x_e$), we obtain a contradiction to Eq. (5.11).

[26] Here we use the convention by which $A'$ gets $e$ along with $h_e(x)$ (and $1^{|x|}$). This is important because $A'$ must feed a matching pair $(e, h_e(x))$ to $A$.
Assuming (to the contrary of the above claim) that Eq. (5.11) does not hold, we obtain a sequence of admissible pairs $\{(x_e, y_e)\}_{e\in\{0,1\}^*}$ for Definition 5.4.2 such that their encryptions can be distinguished (in contradiction to our hypothesis). Specifically, we set $x_e \stackrel{\rm def}{=} S_n(e)$ and $y_e \stackrel{\rm def}{=} 1^{|x_e|}$, and let $C_n(e, \alpha) \stackrel{\rm def}{=} A(e, \alpha, 1^{|x_e|}, H_n(e, x_e))$. Thus, we obtain a ($\mathrm{poly}(n)$-size) circuit $C_n$ such that for some positive polynomial $p$ and infinitely many $n$'s

$$\Pr[C_n(e, E_e(x_e)) = f_e(x_e)] - \Pr[C_n(e, E_e(y_e)) = f_e(x_e)] > \frac{1}{p(n)}$$

where $e$ is distributed according to $G_1(1^n)$. Using an idea as in the proof of Theorem 5.2.15, we derive a ($\mathrm{poly}(n)$-size) circuit $C'_n$ that distinguishes $(e, E_e(x_e))$ from $(e, E_e(y_e))$, where $e \leftarrow G_1(1^n)$, in contradiction to our hypothesis.
Details: We refer to the proof of Claim 5.2.15.1 (contained in the proof of Theorem 5.2.15). Recall that the idea was to proceed in two stages. First, using only $e$ (which also yields $x_e$ and $y_e$), we find an arbitrary value $v$ such that $\left|\Pr[C_n(e, E_e(x_e)) = v] - \Pr[C_n(e, E_e(y_e)) = v]\right|$ is large. In the second stage, we use this value $v$ in order to distinguish the case in which we are given an encryption of $x_e$ from the case in which we are given an encryption of $y_e$. (We comment that if $(e, x) \mapsto f_e(x)$ were computable by a $\mathrm{poly}(n)$-size circuit, then converting $C_n$ into a distinguisher $C'_n$ would have been much easier; we further comment that, as a corollary to the current proof, one can conclude that the restricted form is equivalent to the general one.)
This concludes the proof that indistinguishability of encryptions (as per Definition 5.4.2) implies semantic security (as per Definition 5.4.1), and we now turn to the opposite direction.
Suppose that $(G, E, D)$ does not have indistinguishable encryptions, and consider an admissible sequence $\{(x_e, y_e)\}_{e\in\{0,1\}^*}$ that witnesses this failure. Following the proof of Proposition 5.2.7, we define a probability ensemble $\{X_e\}_{e\in\{0,1\}^*}$ and function ensembles $\{h_e\}_{e\in\{0,1\}^*}$ and $\{f_e\}_{e\in\{0,1\}^*}$ in an analogous manner:

• The distribution $X_e$ is uniformly distributed over $\{x_e, y_e\}$.
• The function $f_e$ satisfies $f_e(x_e) = 1$ and $f_e(y_e) = 0$.
• The function $h_e$ is defined such that $h_e(X_e)$ equals the description of the circuit $C_n$ that distinguishes $(e, E_e(x_e))$ from $(e, E_e(y_e))$, where $e \leftarrow G_1(1^n)$ (and $(x_e, y_e) = P_n(e)$).

Using the admissibility of the sequence $\{(x_e, y_e)\}_e$ (for Definition 5.4.2), it follows that $\{(f_e, h_e, X_e)\}_e$ is admissible for Definition 5.4.1. Using the same algorithm $A$ as in the proof of Proposition 5.2.7 (i.e., $A(e, \beta, C_n) = C_n(e, \beta)$, where $\beta$ is a ciphertext and $C_n = h_e(X_e)$), and using the same analysis, we derive a contradiction to the hypothesis that $(G, E, D)$ satisfies Definition 5.4.1.
Details: Without loss of generality, suppose that

$$\Pr[C_n(e, E_e(x_e)) = 1] > \Pr[C_n(e, E_e(y_e)) = 1] + \frac{1}{p(n)}$$

for $e \leftarrow G_1(1^n)$. Then, as shown in Claim 5.2.7.1,

$$\Pr\left[A(e, E_e(X_e), 1^{|X_e|}, h_e(X_e)) = f_e(X_e)\right] > \frac{1}{2} + \frac{1}{2p(n)}.$$

On the other hand, as shown in Fact 5.2.7.2, for every algorithm $A'$

$$\Pr\left[A'(e, 1^{|X_e|}, h_e(X_e)) = f_e(X_e)\right] \le \frac{1}{2}$$

because $(e, 1^{|X_e|}, h_e(X_e))$ contains no information about the value of $f_e(X_e)$ (which is uniformly distributed in $\{0,1\}$). This violates Definition 5.4.1, and so our initial contradiction hypothesis (i.e., that one can distinguish encryptions under $(G, E, D)$) must be false.
The theorem follows.
Multiple-Message Security. Definitions 5.4.1 and 5.4.2 can be easily generalized to handle the encryption of many messages (as in Section 5.2.4), yielding again two equivalent definitions. Since we are in the public-key setting, one can show (analogously to Theorem 5.2.11) that the single-message definitions of security are equivalent to the multiple-message ones (i.e., by showing that Definition 5.4.2 implies its multiple-message generalization). One important observation is that admissibility for the multiple-message definition enables one to carry out a hybrid argument (as in the proof of Theorem 5.2.11). For details, see Exercise 31. The bottom line is that we can freely use any of the four security definitions for key-dependent passive attacks, and security under any one of them implies security under each of the others.
5.4.2.2. Constructions
All the results presented in Section 5.3.4 extend to security under key-dependent passive attacks. That is, for each of the constructions presented in Section 5.3.4, the same assumption used to prove security under key-oblivious passive attacks actually suffices for proving security under key-dependent passive attacks. Before demonstrating this fact, we comment that (in general) security under key-oblivious passive attacks does not necessarily imply security under key-dependent passive attacks; see Exercise 32.
Initial observations. We start by observing that Construction 5.3.7 (i.e., the transformation of block-ciphers to general encryption schemes) maintains its security in our context. That is:

Proposition 5.4.4 (extension of Proposition 5.3.8): Let $(G, E, D)$ and $(G', E', D')$ be as in Construction 5.3.7; that is, let $(G', E', D')$ be the full-fledged encryption scheme constructed based on the block-cipher $(G, E, D)$. Then if $(G, E, D)$ is secure under key-dependent passive attacks, so is $(G', E', D')$.

Proof Idea: As in the proof of Proposition 5.3.8, we merely observe that multiple-message security of $(G, E, D)$ is equivalent to multiple-message security of $(G', E', D')$.
We next observe that Construction 5.3.13 (a block-cipher with block-length $\ell \equiv 1$) maintains its security also under a key-dependent passive attack. This is a special case of the following observation:

Proposition 5.4.5: Let $(G, E, D)$ be a block-cipher with logarithmically bounded block-length (i.e., $\ell(n) = O(\log n)$). If $(G, E, D)$ is secure under key-oblivious passive attacks, then it is also secure under key-dependent passive attacks.
Proof Sketch: Here we use the definition of ciphertext-indistinguishability in the single-message setting. The key observation is that the set of possible single-messages is relatively small, and so selecting a message in a key-dependent manner does not give much advantage over selecting a message at random (i.e., obliviously of the key).
Consider an arbitrary admissible (for Definition 5.4.2) set of pairs, $\{(x_e, y_e)\}_{e\in\{0,1\}^*}$, where $|x_e| = |y_e| = O(\log|e|)$, and a circuit family $\{C_n\}$ that tries to distinguish $(e, E_e(x_e))$ from $(e, E_e(y_e))$. We shall show that $\{C_n\}$ necessarily fails, by relating its distinguishing gap to the distinguishing gaps of key-oblivious attacks (represented in the next paragraph by the $C_n^{x,y}$'s).

Let $\{P_n\}_{n\in\mathbb{N}}$ be the circuit family producing the aforementioned admissible set (i.e., $P_n(e) = (x_e, y_e)$). Fixing some $n \in \mathbb{N}$ and an arbitrary $(x, y) \in \{0,1\}^* \times \{0,1\}^*$, we consider a circuit $C_n^{x,y}$ (depending on the circuits $C_n$ and $P_n$ and the pair $(x, y)$) that, on input $(e, \alpha)$, operates as follows:

1. Using the hard-wired circuit $P_n$ and the input (key) $e$, the circuit $C_n^{x,y}$ checks whether $(x_e, y_e)$ equals the hard-wired pair $(x, y)$ (i.e., $C_n^{x,y}$ checks whether $P_n(e) = (x, y)$). In case the check fails, $C_n^{x,y}$ outputs an arbitrary fixed value (e.g., 1), obliviously of the ciphertext $\alpha$.

2. Otherwise (i.e., $P_n(e) = (x, y)$), the circuit $C_n^{x,y}$ invokes $C_n$ on its own input and answers accordingly (i.e., outputs $C_n(e, \alpha)$).
Since $(G, E, D)$ is secure under key-oblivious passive attacks, it follows that (for every $(x, y) \in \{0,1\}^m \times \{0,1\}^m$, where $m \le \mathrm{poly}(n)$) the circuit $C_n^{x,y}$ cannot distinguish the case $\alpha = E_e(x)$ from the case $\alpha = E_e(y)$. Thus, for some negligible function $\mu:\mathbb{N}\to[0,1]$ and every pair $(x, y) \in \{0,1\}^m \times \{0,1\}^m$, the following holds:

$$\mu(n) > \left|\Pr_e[C_n^{x,y}(e, E_e(x)) = 1] - \Pr_e[C_n^{x,y}(e, E_e(y)) = 1]\right| = \left|\Pr_e[C_n(e, E_e(x_e)) = 1 \wedge (x_e, y_e) = (x, y)] - \Pr_e[C_n(e, E_e(y_e)) = 1 \wedge (x_e, y_e) = (x, y)]\right|$$

where $e \leftarrow G_1(1^n)$, and the equality holds because in case $(x_e, y_e) \ne (x, y)$ the output of $C_n^{x,y}(e, \alpha)$ is independent of $\alpha$ (and so in this case $C_n^{x,y}(e, E_e(x)) = C_n^{x,y}(e, E_e(y))$), whereas in case $(x_e, y_e) = (x, y)$ we have $E_e(x) = E_e(x_e)$ and $E_e(y) = E_e(y_e)$.
Since this holds for any pair $(x, y) \in \{0,1\}^m \times \{0,1\}^m$, and since $|x_e| = |y_e| = \ell(n)$, it follows that

$$\left|\Pr_e[C_n(e, E_e(x_e)) = 1] - \Pr_e[C_n(e, E_e(y_e)) = 1]\right| \le \sum_{|x| = |y| = \ell(n)} \left|\Pr_e[C_n(e, E_e(x_e)) = 1 \wedge (x_e, y_e) = (x, y)] - \Pr_e[C_n(e, E_e(y_e)) = 1 \wedge (x_e, y_e) = (x, y)]\right| < 2^{2\ell(n)} \cdot \mu(n)$$

and the proposition follows (because $\ell(n) = O(\log n)$, so that $2^{2\ell(n)}$ is polynomial in $n$ and $2^{2\ell(n)} \cdot \mu(n)$ is still negligible).
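To make the bookkeeping of this reduction concrete, the following added example (not part of the original text) enumerates every probability in the argument exactly for a constructed toy block-cipher with $\ell = 1$, two-bit keys and one-bit encryption coins. The scheme, the admissible pair $P_n(e) = (x_e, y_e)$ and the key-dependent distinguisher $C_n$ are all made up for illustration (the scheme is not secure, and the key is handed to the distinguisher as in the public-key setting); what the code checks is the identity used above: the key-dependent gap of $C_n$ equals the absolute value of the sum, over all $2^{2\ell}$ pairs $(x, y)$, of the signed key-oblivious gaps of the wrapper circuits $C_n^{x,y}$, and is therefore at most $2^{2\ell}$ times the largest of them.

```python
from fractions import Fraction
from itertools import product

# Toy parameters, constructed for this example.  The "scheme" below is NOT
# secure (the distinguisher is even handed the key); it exists only so that
# every probability in the reduction can be enumerated exactly.
KEY_BITS = 2      # encryption-keys e in {0,1}^2, each output by G_1 with prob 1/4
COIN_BITS = 1     # encryption coins r in {0,1}
BLOCK_LEN = 1     # block-length ell(n) = 1: plaintexts are single bits


def encrypt(e, x, r):
    """Toy E_e(x; r): XOR the plaintext bit with a key/coin-dependent pad and
    send the coins in the clear."""
    pad = (e & 1) ^ (((e >> 1) & 1) & r)
    return (r, x ^ pad)


def plaintext_pair(e):
    """Admissible P_n(e) = (x_e, y_e): an equal-length, key-dependent pair."""
    x_e = (e >> 1) & 1
    return (x_e, 1 - x_e)


def key_dependent_distinguisher(e, alpha):
    """C_n(e, alpha): an arbitrary fixed rule, here 'the ciphertext bit equals
    the low key bit'."""
    _r, c = alpha
    return 1 if c == (e & 1) else 0


def restricted_distinguisher(x, y, e, alpha):
    """C_n^{x,y}(e, alpha) from the proof of Proposition 5.4.5: invoke C_n only
    when P_n(e) == (x, y); otherwise output 1 obliviously of alpha."""
    if plaintext_pair(e) != (x, y):
        return 1
    return key_dependent_distinguisher(e, alpha)


def prob_one(dist, choose_msg):
    """Exact Pr_{e, r}[ dist(e, E_e(choose_msg(e); r)) = 1 ] over uniform e, r."""
    n_keys, n_coins = 2 ** KEY_BITS, 2 ** COIN_BITS
    hits = sum(1 for e, r in product(range(n_keys), range(n_coins))
               if dist(e, encrypt(e, choose_msg(e), r)) == 1)
    return Fraction(hits, n_keys * n_coins)


def key_dependent_gap():
    """Left-hand side: |Pr[C_n(e,E_e(x_e))=1] - Pr[C_n(e,E_e(y_e))=1]|."""
    C = key_dependent_distinguisher
    return abs(prob_one(C, lambda e: plaintext_pair(e)[0])
               - prob_one(C, lambda e: plaintext_pair(e)[1]))


def restricted_gaps():
    """Signed key-oblivious gap of each C_n^{x,y}, for all 2^{2 ell} pairs (x, y)."""
    gaps = {}
    for x, y in product(range(2 ** BLOCK_LEN), repeat=2):
        def C_xy(e, alpha, x=x, y=y):
            return restricted_distinguisher(x, y, e, alpha)
        gaps[(x, y)] = (prob_one(C_xy, lambda e, x=x: x)
                        - prob_one(C_xy, lambda e, y=y: y))
    return gaps


def decomposition_holds():
    """Checks the two steps of the proof: the key-dependent gap equals the
    absolute value of the sum of the signed restricted gaps (the events
    (x_e, y_e) = (x, y) partition the key space), and is therefore bounded by
    2^{2 ell(n)} times the largest key-oblivious gap."""
    gaps = restricted_gaps()
    lhs = key_dependent_gap()
    largest = max(abs(g) for g in gaps.values())
    return lhs == abs(sum(gaps.values())) and lhs <= 2 ** (2 * BLOCK_LEN) * largest


if __name__ == "__main__":
    print("key-dependent gap of C_n:", key_dependent_gap())
    for pair, g in restricted_gaps().items():
        print("signed gap of C_n^{x,y} for (x, y) =", pair, ":", g)
    print("decomposition holds:", decomposition_holds())
```

With these constructed parameters the key-dependent gap is 1/2, all of it contributed by the single wrapper $C_n^{0,1}$ (the pairs $(0,0)$ and $(1,1)$ never occur as $P_n(e)$, so their wrappers ignore the ciphertext and have gap 0). The point of the enumeration is the equality in the first step, which holds exactly for any scheme, pair-selector and distinguisher one plugs in; the last inequality is where the logarithmic block-length is needed, since the number of summands is $2^{2\ell(n)}$.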
A Feasibility Result. Combining Theorem 5.3.15 with Propositions 5.4.4 and 5.4.5, we obtain a feasibility result:
Theorem 5.4.6: If there exist collections of (non-uniformly hard) trapdoor