Pseudo-random Functions

Transcription

1 Pseudo-radom Fuctos Debdeep Mukhopadhyay IIT Kharagpur We have see the costructo of PRG (pseudo-radom geerators) beg costructed from ay oe-way fuctos. Now we shall cosder a related cocept: Pseudo-radom fuctos stead of strgs we cosder fuctos It does ot make much sese to call a fxed fucto pseudo-radom. 1

2 So, we have keyed fuctos. A keyed fucto F:{0,1} * x{0,1} * {0,1} * The frst put s called the key. The key s chose radomly ad the fxed, resultg a sgle argumet fucto, F k : {0,1} * {0,1} * Assume that the fuctos are legth preservg, meag that the puts, output ad key are all of the same sze. Pseudo-radom fuctos No polyomal tme adversary should be able to dstgush whether t s teractg wth F k (for a radomly chose k) or f (where f s chose at radom from the set of all fuctos mappg bt strgs to bt strgs).

3 The former s chose from a dstrbuto over at most dstct fuctos. The later s from fuctos. Despte ths, the behavor of the fuctos must look the same to a PPT adversary. Formally F * * * Let :{0,1} {0,1} {0,1} be a effcet legth preservg, keyed fucto. F s sad to be pseudo-radom fucto f for all probablstc polyomal tme dstgusher D, there exsts eglgble fucto ε (): F(.) k f(.) Pr[D ()=1]-Pr[D ()=1] ε () where k s chose uformly at radom ad f s chose uformly at radom from the set of fuctos mappg -bt strgs to -bt strgs. 3

4 Ecrypto wth a PRF Fresh Radom strg r Pseudoradm Fucto Pad platext xor cphertext Some fer pots If x ad x dffer, outputs of F k (x) ad F k (x ) should ot be correlated. Dstgusher D s ot gve the key: t s meagless to talk about pseudoradomess oce the key s gve. oe ca compute y =F k (0 ) the query the oracle at 0 f the oracle s for F k, always y=y f the oracle s for radom f, y=y wth a probablty of -. thus we have a dstgusher. 4

5 Securty agast Def: A (adversary) should ot be able to dstgush the ecryptos of two arbtrary messages. Expermet: Prv ( ) Id Exp 1. A key s geerated by rug Ge(). Adversary A s gve ad oracle access to Ec (.), ad outputs a par of messages m, m of the same legth A radom bt b {0,1} s chose, ad a cphertext c=ec ( ) s computed ad gve to A as a challege. We call c the challege cphertext. 4. Adversary A cotues to have oracle access to Ec (.) ad outputs a bt b'. 5. Output of the expermet s 1, f b'=b, ad 0 otherwse. k k k m b A succeeds whe Prv ( ) 1 = 5

6 Defto of Idstgushable uder Ay ecrypto scheme Π=(Ge,Ec,Dec) has dstgushable ecryptos uder (called -secure) s for all PPT adversary A, there exsts a eglgble ε () st., 1 Pr[Prv ( ) = 1] ε () where the probabltes are take over the radom cos used by A, as well as the radom cos used the expermet. secured ecrypto the scheme has to be probablstc: cosder a determstc ecrypto: ENC k (m)=f k (m) Gve c=enc k (m b ) t s possble to ask for ENC k (m 0 ) ad ENC k (m 1 ) ad see for a match. Accordgly b s dscovered easly. thus the scheme s ot secured. 6

7 A secure ecrypto scheme from ay PRF Let F be a PRF. Defe a ecrypto as follows: 1. Ge: o put (securty parameter), choose k {0,1} uformly at radom as the key.. Ec: o put a key k {0,1} ad a message m {0,1}, choose r {0,1} uformly at radom ad output the cphertext: c=<r,f k ( r) m> 3.Dec: O put a key k ad a cphertext <r,s>: m=f ( r) s k Theorem If F s a pseudoradom fucto, the the above costructo s a fxed legth symmetrc key scheme for messages of legth that has dstgushable ecryptos uder a chose platext attack. 7

8 Proof Follows a geeral prcple. Prove that the system s secured whe a truly radom fucto s used. Next prove that f the system was secure whe the pseudoradom fucto was used, the we ca make a dstgusher agast the PRF. Proof Let Π=(Ge, Ec, Dec ) be a ecrypto scheme that s exactly the same as Π=(Ge,Ec,Dec), except that a true radom fucto f s used place of F k. Thus Ge( ) chooses a radom fucto f Fuc ad E c just lke Ec except that f s used stead of F k. 8

9 Clam : For every adversary A that makes at most q() queres to ts ecrypto oracle: 1 q ( ) Pr[Prv ( ) = 1] Proof: Each tme a message m s ecrypted a radom r {0,1} s chose ad the cphertext s {r,m f(r)} Let r be the radom strg used whe geeratg the challege c cphertext c=<r, f( r ) m>. c c Defe, Repeat as the evet that r s used by the ecrypto oracle to aswer at least oe of A's queres. q() Clearly, Pr[Repeat] 1 Also, Pr[Prv A, ( ) = 1 Repeat] =. Π c Pr[Prv ( ) = 1] = Pr[Prv ( ) = 1 Re peat]pr[prv ( ) = 1 Re peat] Pr[Repeat]Pr[Prv A, ( ) = 1 Repeat] = 1 q() Π Costruct a Dstgusher for the PRF 1 Let Pr[Prv A, ( ) = 1] = ε ( ) Π If ε s ot eglgble the the dfferece betwee ths s also o-eggble. Such a gap wll eable us to dstgush the PRF from a true radom fucto. 9

10 Dstgusher D: D s gve put ad oracle O:{0,1} {0,1}. D aswers the queres made by A the IND EXP. 1. Ru A(). Wheever A queres ts ecrypto oracle o a message m, aswer ths query the followg way: a) Choose r {0,1} uformly at radom. b) Query O(r) ad obta respose s' c) Retur to A the cphertext <r,s' m>. Whe A outputs m 0,m 1 {0,1}, choose a radom bt b {0,1}. a) Choose r {0,1} uformly at radom. b) Query O(r) ad obta respose s' c) Retur to A the cphertext <r,s' m > 3. Cotue aswerg A's queres as above. Whe A outputs a bt b', D outputs 1 f b=b' ad 0 otherwse. b 1. If D's oracle s a PRF, the the vew of A whe ru as a sub-route by D s dstrbuted detcally to the vew of A expermet Prv ( ). = = = Fk Thus, Pr[D ( ) 1] Pr[Prv ( ) 1]..If D's oracle s a radom fucto, the the vew of A whe ru as a sub-route f Thus, Pr[D ( ) 1] Pr[Prv A, ( ) 1]. Π Fk by D s dstrbuted detcally to the vew of A expermet Prv ( ). Thus, Pr[D = = = f ( ) = 1] Pr[D ( ) = 1] ε ( ), whch s o-eglgble f ε () s so. Ths volates the PRF property of the F. k q() 10

11 Modes of Ecrypto Electroc Code Book (ECB) m 1 m m 3 Determstc ecrypto ad thus caot be secure. c 1 c c 3 Cpher Block Chag (CBC) m 1 m m 3 Parallelzato ot possble. IV c 1 c c 3 A radom IV (tal vector) of sze bts s chose Probablstc ad f F s a pseudo-radom permutato the CBC s -secure. 11

12 Output Feedback Mode (OFB) IV m 1 m m 3 c 1 c c 3 If F s a Pseudoradom fucto the ths s secure agast. Note that F eed ot be a permutato. Parallelsm ot possble. But pre-processg of the key stream ca lead to extremely fast operatos. Couter Mode ctr ctr1 ctr ctr3 m 1 m m 3 ctr 1

13 Theorem If F s a pseudo-radom fucto, the radomzed couter mode has dstgushable ecryptos uder a chose-platext attack (). Proof Idea Frst cosder that a truly radom fucto, f, s used. Let ctr* deote the tal value ctr, whe the challege cphertext cpa s geerated the expermet Prv. th For the block of the message, t whether m 0 or 1 hus ctr* was used to geerate f(ctr*). Now, f ctr* was ever accessed before, the the key stream s radom ad lke a oe tme pad. Thus the adversary has o advatage decdg m was the correspodg platext for the challege cphertext. So, we have to fd what s the probablty that ctr* was actually "matches" wth oe of the queres of the adversary A. 13

14 Proof Idea The adversary A makes q() queres. The startg IV value for the th query s deoted by ctr. Let each message be of block-legth, q(). We dvde the etre scearo to two mutually exclusve cases: 1. There do ot exst ay, j, j' for whch ctr*j=ctr j '. 1 Here :Pr[PrvA, Π = 1] =.. There exsts,j,j' for whch ctr*j=ctr j'. I ths case, A ca easly determe f(ctr*j)=f(ctr j') ad thus compute m. Thus he ca predct whether m or m was ecrypted. j 0 1 Let Overlap deote the eve that the sequece ctr 1,...,ctr q() overlaps the sequece ctr*1,...,ctr*q(). Cosder, ctr*1,...,ctr*q() ctr 1,..., ctr q( ) Overlap occurs whe ctr 1 ctr*q() ad whe ctr q( ) ctr*1 Ths happes whe: ctr*1-q() ctr ctr*q()-1 Proof We defe the evet Overlap, as whe Overlap occurs for ay, q( ) that s: Pr[Overlap] Pr[Overlap ] = 1 q ( ) 1 q ( ) Now, Pr[Overlap ] = Pr[Overlap]. Pr[Pr v = 1] Pr[ Overlap] Pr[Pr v = 1 Overlap] q ( ) 1 = The ext step s to reaso that f the radom fucto s replaced by the pseudo-radom fucto, ad the scheme s ot -secure, the we ca frame a PPT algorthm D, whch s able to dstgush the fucto F from a radom fucto f. Ths proof s left as a exercse. k 14

15 Block legth ad securty Iterestgly, we see that t s ot oly the key legth but the block legth also whch decdes the securty. Cosder a block legth of 64 bts. The adversary s success probablty the sese s thus aroud ½ q / 63. Thus f we have aroud 30 guesses, the we have a practcal attack! (oly 1 GB queres ad storage requred). So, we eed to crease the block legth. 15