Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Transcription

1 Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

2 Motivation Discussion 1 We ve seen a small set of objects: {G(x)} x {0,1} n, that looks like" a larger set of objects: {x} x {0,1} 2n. 2 We want small set of objects: efficient function families, that looks like a huge set of objects: the set of all functions. Solution Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

3 Function families 1 F = {F n } n N, where F n = {f : {0, 1} m(n) {0, 1} l(n) } 2 We write F = {F n : {0, 1} m(n) {0, 1} l(n) } 3 If m(n) = l(n) = n, we omit it from the notation 4 We identify function with their description Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

4 Random functions Definition 1 (random functions) For n, k N, let Π n,k be the family of all functions from {0, 1} n to {0, 1} k. Let Π n = Π n,n. π R Π n is a random access" source of randomness Parties with access to a common π R Π n can do a lot How long does it take to describe π Π n? 2 n n bits The truth table of π R Π n is a uniform string of length 2 n n For integer function m, we will consider the function family {Π n,m(n) }. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

5 Efficient function families Definition 2 (efficient function family) An ensemble of function families F = {F n } n N is efficient, if: Samplable. F is samplable in polynomial-time: there exists a PPT that given 1 n, outputs (the description of) a uniform element in F n. Efficient. There exists a polynomial-time algorithm that given x {0, 1} n and (a description of) f F n, outputs f (x). Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

6 Pseudorandom Functions Definition 3 (pseudorandom functions (PRFs)) An efficient function family ensemble F = {F n : {0, 1} m(n) {0, 1} l(n) } is pseudorandom, if Pr f R F n [ D f (1 n ) = 1 for any oracle-aided PPT D. ] Pr [D π (1 n ) = 1] = neg(n), π Π R m(n),l(n) C Why oracle-aided"? Easy to construct (no assumption!) with logarithmic input length PRFs of super logarithmic input length, which is the interesting case, imply PRGs We will mainly focus on the case m(n) = l(n) = n We write D F to stand for (D f ) R. f F Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

7 Section 2 PRF from OWF Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

8 Naive Construction Let G : {0, 1} n {0, 1} 2n, and for s {0, 1} n define f s : {0, 1} {0, 1} n by Claim 4 f s (0) = G(s) 1,...,n f s (1) = G(s) n1,...,2n. Assume G is a PRG, then {F n = {f s } s {0,1} n} n N is a PRF. Proof: The truth table of f U 2n R F n is G(U n ), where the truth table of π R Π 1,n is Naturally extends to input of length O(log n) :-) Miserably fails for longer length (which is the only interesting case) :-( Problem, we are constructing the whole truth table, even to compute a single output Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

9 The GGM Construction Construction 5 (GGM) For G : {0, 1} n {0, 1} 2n and s {0, 1} n, G 0 (s) = G(s) 1,...,n G 1 (s) = G(s) n+1,...,2n For x {0, 1} k let f s(x) = G xk (f s(x 1,...,k 1 )), letting f s() = s. 0 s s 00 s s 000 s 001 s 010 s 011 s x = f s(x) s 1 s 1 s 10 s s 100 s s 110 s 111 Example: f s (001) = s 001 = G 1 (s 00 ) = G 1 (G 0 (s 0 )) = G 1 (G 0 (G 0 (s))) G is poly-time = F := {F n = {f s : s {0, 1} n }} is efficient Theorem 6 (Goldreich-Goldwasser-Micali (GGM)) If G is a PRG then F is a PRF. Corollary 7 OWFs imply PRFs. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

10 Proof Idea Assume PPT D, p poly and infinite set I N with Pr[D Fn (1 n ) = 1] Pr[D Πn (1 n ) = 1] 1 p(n), (1) for any n I. Fix n N and let t = t(n) be a bound on the running time of D(1 n ). We use D to construct a PPT D such that Pr[D ((U 2n ) t ) = 1] Pr[D (G(U n )) t ) = 1 > 1 np(n), where (U 2n ) t = U (1) 2n,..., U(t) 2n and G(U n) t = G(U (1) n ),..., G(U (t) n ). Hence, D violates the security of G.(?) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

11 The Hybrid 0 s 1 s 0 s s 00 s 01 s 10 s s 000 s 001 s 010 s 011 s 100 s 101 s 110 s 111 s x = f s(x) Let T i be the set of all possible trees, in which the i + 1,..., n levels are obtained by applying GGM" to the i th level. Given a tree t, let h t (x) return the x th leaf of t. What family is H 1 = {h t } t T1? F n. What is H n? Π n. For some i {1,..., i 1}, algorithm D distinguishes H i from H i+1 by 1 np(n) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

12 The Hybrid cont. We assume wlg. that D distinguishes between H n 1 and H n (?) D distinguishes (via t samples) between R a uniform string of length 2 n n, and P - a string generated by 2 n 1 independent calls to G We would like to use D for breaking the security of G, but R and P seem too long :-( Solution: focus on the part (i.e., cells) that D sees Algorithm 8 (D on y 1,..., y t ({0, 1} 2n ) t ) Emulate D. On the i th query q i made by D: If the cell queries by q i th is empty, fill it with the next y Answer with the content of the q i th cell. D (U 2n ) t ) / D (G(U n)) t ) emulates D with access to R / P Hence, Pr[D ((U 2n ) t ) = 1] Pr[D (G(U n)) t ) = 1 > 1 np(n) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

13 Part I Pseudorandom Permutations Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

14 Formal Definition Let Π n be the set of all permutations over {0, 1} n. Definition 9 (pseudorandom permutations (PRPs)) A permutation ensemble F = {F n : {0, 1} n {0, 1} n } is a pseudorandom permutation, if Pr[D Fn (1 n ) = 1] Pr[D Π n (1 n ) = 1 = neg(n), (2) for any oracle-aided PPT D Eq 2 holds for any PRF (taking the role of F) Hence, PRPs are indistinguishable from PRFs... If no one can distinguish between PRFs and PRPs, let s use PRFs (partial) Perfect security" Inversion Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

15 Section 3 PRP from PRF Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

16 Feistel Permutation How does one turn a function into a permutation? Definition 10 (LR) For f : {0, 1} n {0, 1} n, let LR f : {0, 1} 2n {0, 1} 2n be defined by LR f (l, r) = (r, f (r) l). LR f is a permutation: LR 1 f (z, w) = (f (z) w, z) LR f is efficiently computable and invertible given oracle access to f For i N and f 1,..., f i, define LR f 1,...,f i : {0, 1}2n {0, 1} 2n by LR f 1,...,f (l, r) = (r i 1, f i (r i 1 ) l i 1 ), for (l i 1, r i 1 ) = LR i f 1,...,f i 1(l, r). (letting (l 0, r 0 ) = (l, r) Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

17 Luby-Rackoff Thm. Recall LR f (l, r) = (r, f (r) l). Definition 11 Given a function family F = {F n : {0, 1} n {0, 1} n }, let LR i (F) = {LR i F n = {LR f 1,...,f i : f 1,..., f i F n }}, LR i F is always a permutation family, and is efficient if F is. Is LR 1 F pseudorandom? LR 2 F? LR f 1,f 2(0n, 0 n ) = LR f 2(0 n, f 1 (0 n )) = (f 1 (0 n ), ) and LR f 1,f 2(1n, 0 n ) = LR f 2(0 n, f 1 (0 n ) 1 n ) = (f 1 (0 n ) 1 n, ) LR 3 F? Theorem 12 (Luby-Rackoff) Assuming that F is a PRF, then LR 3 F is a PRP LR 4 (F) is pseudorandom even if inversion queries are allowed Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

18 Proving Luby-Rackoff It suffices to prove that LR 3 Π n is pseudorandom (?) How would you prove that? Maybe LR 3 (Π n ) Π 2n? description length of element in LR 3 (Π n ) is 2 n 3n, where that of element in Π ( ) 2n is log(2 2n!) > log ( 22n e > 2 2n n )22n Claim 13 For any q-query D, Pr[D LR3 (Π n) (1 n ) = 1] Pr[D Π 2n (1 n ) = 1] O(q 2 /2 n ). We assume for simplicity that D is deterministic, non-repeating and non-adaptive. Let x 0, x 1,..., x q be D s queries. We show (f (x 0 ),..., f (x q )) f R LR 3 (Π n) is O(q2 /2 n ) close (i.e., in statistical distance) to (f (x 0 ),..., f (x q )) f R Π To do that, we show both distributions are O(q 2 /2 n ) close) to Distinct := ((z 1,... z q ) R ({0, 1} 2n ) q i j : (z i ) 0 (z j ) 0. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

19 Reminder: Statistical Distance Definition 14 The statistical distance between distributions P and Q over U, is defined by SD(P, Q) = 1 2 P(u) Q(u) = max u U {Pr S U Q [S] Pr P [S]} In case SD(P, Q) ε, we say that P and Q are ε close. Fact 15 Let E be an event (i.e., set) and assume SD(P E, Q) δ 1 and Pr P [E] δ 2. Then SD(P, Q) δ 1 + δ 2 Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

20 Proving Fact 15 For any set S, it holds that Hence, Thus, SD(P, Q) = max S Pr P Pr Q {Pr [S] = Pr [E] Pr P [S] + Pr P E P (1 δ 2 ) Pr P E [S] [ E] Pr P E [S] (3) [S] Pr [S] Pr [S] (1 δ 2) Pr [S] (4) P Q P E Q [S] Pr P Pr [S] Pr [S] + δ 2 Q P E [S]} max S {Pr Q [S] Pr P E [S]} + δ 2 = δ 1 + δ 2. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

21 (f (x 0 ),..., f (x q )) f R Π is close to Distinct Recall Distinct := ((z 1,... z q ) R ({0, 1} 2n ) q i j : (z i ) 0 (z j ) 0 ). For f Π, let Bad(f ) := i j : f (x i ) 0 = f (x j ) 0. Claim 16 Pr R [Bad(f )] (q 2) f Π 2 q2 n 2 n Proof:? Claim 17 ( R (f (x 0 ),..., f (x q )); f Π ) Bad(f ) Distinct Proof:? By Fact 15, (f (x 0 ),..., f (x q )) f R Π is q2 2 n close to Distinct Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

22 (f (x 0 ),..., f (x q )) R is close to Distinct f LR 3 (Π n) Let (l 0 1, r 0 1 ),..., (l0 q, r 0 q ) = (x 1,..., x k ). The following rv s are defined w.r.t. (f 1, f 2, f 3 ) R Π 3 n. l 0 1 r1 0 l 0 2 r l 0 q rq 0 l 1 1 r1 1 l 1 2 r l 1 q rq 1 l 2 1 r1 2 l 2 2 r l 2 q rq 2 l 3 1 r1 3 l 3 2 r l 3 q rq 3 where l j b = r j 1 b Claim 18 and r j b = f j (r j 1 b ) l j 1 b. ] Pr [Bad f 1 Π R 1 := i j : ri 1 = rj 1 n ( q 2) 2 n Proof: r 0 i = r 0 r 0 i r 0 j = Pr f 1 j = ri 1 rj 1 and [ ] ri 1 = rj 1 = 2 n Claim 19 Pr (f 1,f 2 ) R Π 2 n ( [ ] q 2) Bad 2 := i j : ri 1 = rj 1 ri 2 = rj n O( q2 2 n ) Proof: similar to the above Claim 20 ( l 3 1, r 3 1 ),..., (l3 q, r 3 q ) Bad 2) Distinct Proof:? Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

23 Proving Claim 20 Let S = {(z 1,..., z q ) ({0, 1} n ) q : i j : z i z j }. Claim 21 ( (l 3 1,..., l3 q) Bad 2) is uniform over S. Proof: For any z = (z 1,..., z q ) ({0, 1} n ) q and π Π n : Pr [ (l 3 1,..., l3 q) = z ] = Pr [ (l 3 1,..., l3 q) = π(z) := (π(z 1 ),..., π(z q )) ] Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

24 Section 4 Applications Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

25 General paradigm Design a scheme assuming that you have random functions, and the realize them using PRFs. Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

26 Private-key Encryption Construction 22 (PRF-based encryption) Given an (efficient) PRF F, define the encryption scheme (Gen, E, D)): Key generation: Gen(1 n ) returns k R F n Encryption: E k (m) returns U n, k(u n ) m Decryption: D k (c = (c 1, c n )) returns k(c 1 ) c 2 Advantages over the PRG based scheme? Proof of security? Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27

27 Conclusion We constructed PRFs and PRPs from length-doubling PRG (and thus from one-way functions) Main question: find a simpler, more efficient construction or at least, a less adaptive one Iftach Haitner (TAU) Foundation of Cryptography March 11, / 27