Online

Cryptography Course Dan Boneh

Stream ciphers

Seman1c security
Goal: secure PRG secure stream cipher
Dan Boneh

What is a secure cipher?

AAackers abili1es: obtains one ciphertext (for now)
Possible security requirements:
aAempt #1: a/acker cannot recover secret key
aAempt #2: a/acker cannot recover all of plaintext
Recall Shannons idea:

CT should reveal no info about PT

Dan Boneh

Recall Shannons perfect secrecy

Let (E,D) be a cipher over (K,M,C)
(E,D) has perfect secrecy if m0, m1 M ( |m0| = |m1| )

{ E(k,m0) } = { E(k,m1) } where kK

(E,D) has perfect secrecy if m0, m1 M ( |m0| = |m1| )

{ E(k,m0) } p { E(k,m1) } where kK

but also need adversary to exhibit m0, m1 M explicitly

Dan Boneh

Seman1c Security (one-1me key)

For b=0,1 dene experiments EXP(0) and EXP(1) as:
b
Chal.
kK

m0 , m1 M : |m0| = |m1|

Adv. A

c E(k, mb)

for b=0,1: Wb := [ event that EXP(b)=1 ]

AdvSS[A,E] := | Pr[ W0 ] Pr[ W1 ] | [0,1]

b {0,1}

Dan Boneh

Seman1c Security (one-1me key)

Def: E is seman>cally secure if for all ecient A
AdvSS[A,E] is negligible.

for all explicit m0 , m1 M : { E(k,m0) } p { E(k,m1) }

Dan Boneh

Examples
Suppose ecient A can always deduce LSB of PT from CT.
E = (E,D) is not seman1cally secure.
b{0,1}
Chal.
kK

m 0,
m 1,

LSB(m0)=0

LSB(m1)=1

C E(k, mb)

Adv. B (us)

Adv. A
(given)

LSB(mb)=b

Then AdvSS[B, E] = | Pr[ EXP(0)=1 ] Pr[ EXP(1)=1 ] |= |0 1| = 1

Dan Boneh

OTP is seman1cally secure

b
Chal.
kK

m0 , m1 M : |m0| = |m1|

Adv. A

c km0 or c km1

b {0,1}
For all A: AdvSS[A,OTP] = | Pr[ A(km0)=1 ] Pr[ A(km1)=1 ] |= 0
Dan Boneh

End of Segment

Dan Boneh