Pseudorandom functions and permutations

Transcription

1 Introduction Pseudorandom functions and permutations I Spring 2003 Informally, a Pseudorandom function family (PRF is a collection of functions which are indistinguishable from random functions PRFs are enormously useful for cryptography But they are also useful for several algorithmic applications We ll show two equivalent characterizations of PRFs, and give a construction of a PRF from a secure PRG (Thus we will have that if OWFs exist, then PRFs exist Notations PRFs: Statistical Test formulation A collection of functions is a set {ƒ s } s {0,1}* where each ƒ s :{0,1} p( s {0,1} q( s, for polynomials p(, q( ƒ is efficiently computable if there exists a PPT F such that F(s,x = ƒ s (x for all s, x {0,1} p( s We denote by F p,q the set of all functions from {0,1} p {0,1} q Given a PRG G: {0,1} k {0,1} 2k we define G 0, G 1 : {0,1} k {0,1} k so that G(x = G 0 (x,g 1 (x An efficiently computable collection ƒ s is statistical-test pseudorandom if for every probabilistic polynomial time oracle TM T, Adv(T,k = Pr[T f (1 k = 1] Pr[T g (1 k = 1] is negligible, where f denotes an oracle for ƒ s for s U k and g denotes an oracle drawn uniformly from F p(k,q(k We call Adv(T,k the advantage of T PRFs: Polynomial inference formulation Consider an experiment with t+1 stages: First, choose s U k Stage 1: A produces a query x 1 Stage j, 1<j<t+1: A is given x i,ƒ s (x i, for 0 < i < j, and produces query x j x i Stage t+1: Choose b U 1 Choose y 1-b U q(k Let y b = ƒ s (x t A is given x i, ƒ s (x i, x t,y 0 We say that PPTM A Q(k-infers ƒif Pr[A(ƒ s (x 1,,ƒ s (x t,y 0 = b] > ½ + 1/Q(k Equivalence Theorem: ƒ cannot be polynomially inferred if and only if it is statistical-test pseudorandom Proof: both directions in the contrapositive: (a if ƒ can be Q(k inferred, then there is a statistical test T which distinguishes between ƒ S and F p,q with advantage 1/Q(k (b if there is a statistical test T for ƒ that has advantage 1/Q(k and makes P(k queries then ƒ can be 2P(kQ(k inferred

2 Proof of (a Proof of (b Let A be the algorithm that Q-infers ƒ Then the oracle PPTM T AO works as follows: Stage 1: run A to get query x 1, respond with O(x 1 Stage j: Let x j = A(O(x 1 O(x j Stage t+1: Choose b U 1, let y b =O(x t, draw y 1-b U q(k If A(O(x 1 O(x t,y 0 = b, output 1, else output 0 Notice that Pr[T Ag (1 k = 1] = ½ But since A Q(k-infers ƒ, Pr[T Af (1 k =1] > ½ + 1/Q(k So T A has advantage 1/Q(k as claimed Suppose there is a statistical test T that has advantage 1/Q(k against ƒ and makes P(k (wlog, distinct oracle queries We will construct an algorithm A T that 2P(kQ(k infers ƒ Definition of A T Proof that this works: Choose j U {0,1, P(k} Stage i < j: Respond to T s query q i with ƒ s (x i ; run T until it makes query q i and return x i =q i Stage j: Respond to T s query q j with ƒ s (x i Run T to get query q j Return x j U p(k Stage i, j<i<p(k: Return x i U p( s Stage P(k: Return x P(k = q j Stage P(k+1: Run T with y 0 as O(q j Respond to additional queries from T with uniform bits, until T outputs bit b Return 1-b Consider doing an (k,j,ƒ s experiment: Run T, and on query q i, respond with: ƒ s (q i, if i < j y i U q(k otherwise Let p j (k denote the probability that T outputs 1 in an (k,j,ƒ s experiment Then p 0 (k = Pr[T g (1 k = 1] and p P(k (k = Pr[T f (1 k = 1] So we also have Σ j (p j (k p j (k = Adv(T,k Recap Then Pr[1-b = b] = Σ i Pr[j=i]Pr[1-b = b j=i] = 1/P(k Σ i Pr[1-b = b j=i] = 1/P(k Σ i (Pr[b=1 j=i] Pr[b =0 y 0 U q(k &j=i] + Pr[b=0 j=i] Pr[b =1 y 0 =ƒ s (q i &j=i] = 1/P(k Σ i (½ Pr[T outputs 0 in (k,i,ƒ s exp] +½ Pr[T outputs 1 in (k,i+1,ƒ s exp] = 1/2P(k Σ i ((1-p i (k + p i+1 (k = ½ + 1/2P(kQ(k, QED So a function family is statistical test pseudorandom iff it is polynomially uninferrable (Proof by Hybrid method! From now on, we will just say that a function family is pseudorandom if it is statistical test pseudorandom That is, a pseudorandom function family (PRF is a function family which is statistical test pseudorandom

3 Constructing PRFs from PRGs Let G:{0,1} k {0,1} 2k be a PRG Define ƒ s : {0,1} k {0,1} k by ƒ s (x 1 x 2 x k = G xk (G xk ( (G x2 (G x1 (s Theorem: ƒ s is a PRF Proof: Suppose that there is a statistical test T that makes Q(k queries and has Adv(T,k = 1/P(k We will construct a distinguisher for G with advantage 1/kQ(kP(k Proof of Theorem Define a sequence of PPTs A 0 A k A i : Let L be an associative array Run T, responding to queries (y 1 y k : If (y 1 L, let r = L(y 1 Else choose r U k and set L(y 1 = r respond with ƒ r (y i+1 y k Return output of T Notice: Pr[A 0 = 1] = Pr[T f (1 k = 1], Pr[A k = 1] = Pr[T g (1 k = 1]; E i [A i A i ] = 1/kP(k Proof, continued Properties of A T Construct adversary A T (r 1, r Q(k (r i {0,1} 2k : A T (r 1,,r Q(k = Choose i U {0, k} Let L be as in A j Set j = 0 Run T, responding to queries (y 1,,y k : If (y 1 +1 L, Let r = L(y 1 +1 Else: increment j; L(y 1 0 = Left-Half(r j ;L(y 1 1 = Right-Half(r j r = L(y 1 +1 Respond with ƒ r (y i+2 y k Return output of T Notice that Pr[A T (U 2kq(k = 1] Pr[A T (G(U kq(k ] = E i [A i -A i ] = 1/kP(k That is, if T distinguishes ƒ s from F p,q with advantage 1/P(k, A T distinguishes Q(k samples of G(U k from q(k samples of U 2k with advantage at least 1/kP(k But then A T can distinguish between a single sample of G(U k and U 2k with advantage 1/kQ(kP(k, QED Pseudorandom permutations Notation, definitions A Pseudorandom Permutation family (PRP is a PRF where every element ƒ s is a bijection on {0,1} p( s (PRPs have inverses Typically for P: {0,1} k {0,1} L(k {0,1} L(k there is an efficient algorithm to compute P K (x, given K A Strong Pseudorandom Permutation family (SPRP is a PRP which remains pseudorandom even when the adversary is given access to an oracle for P K and P K Naor and Reingold show that given a PRF ƒ s : {0,1} k {0,1} k we can construct a SPRP P ƒ on {0,1} 2k Let Π L denote the uniform distribution on permutations on {0,1} L Define the Advantage of A against permutation family P on {0,1} l(k by: Adv(A,k = Pr[A P(K, (1 k = 1] Pr[A Π l(k(1 k =1] For any function f: {0,1} k {0,1} k, define the permutation D f : {0,1} 2k by D f (l,r = (r, l f(r Note that D f is easy to compute

4 Intuition behind construction Let ƒ 1, ƒ 2 be chosen from a PRF family on {0,1} k Then P = D ƒ2 D ƒ1 is indistinguishable from a random permutation on uniformly chosen inputs There is a distinguisher for P on chosen inputs: Left-half(P(L 1,R P(L 2,R = L 1 L 2 whereas this holds with probability only 2 -n for a random permutation But if we can insure that the inputs to P, P are unique (whp, then we get what we need Construction: SPRP Let h 1,h 2 be chosen from a pairwiseindependent family of permutations on {0,1} 2k Let ƒ 1, ƒ 2 :{0,1} k {0,1} k be chosen from a PRF family Define the permutation P = h 2 D ƒ2 D ƒ1 h 1 SPRP Lemma: If ƒ 1, ƒ 2 are chosen according to F k,k, then P is statistically close to a random permutation SPRP Theorem: P is a SPRP Proof tools Proof tools, cont d Let M be a deterministic, unbounded oracle machine M makes two types of queries: (+,x: Querying G(x (-, y: Querying G (y Denote the i th query-answer pair of M by (x i,y i Wlog, assume M makes exactly m queries Denote by {(x 1,,(x m } the transcript of M with oracle G Denote by C M [{(x 1,,(x i,y j }] the deterministic function for the i th query of M, and let C M [{(x 1 (x m }] the output of M Call σ = {(x 1 (x m } a possible M transcript if for every 1< i < m, C M [{(x 1,,(x i,y i }] {(+,x i,(-,y i } Let T P be a random variable denoting the transcript of M with an oracle for P Let T Π be a random variable denoting the transcript of M with an oracle chosen from Π 2k More Proof Tools Lemma 1 Let T R be a random variable denoting transcripts from a random process which responds to M s i th query as follows: If the query is (+,x and for some j < i there is a queryanswer pair (x,y j, return y j If the query is (-,y and for some j < i there is a queryanswer pair (x j,y return x j Otherwise, return a uniformly chosen 2k-bit string T R might contain responses inconsistent with a permutation: Call a possible M-transcript σ = {(x 1, (x m } inconsistent if for some 1 < j < i < m, x i =x j and y i y j or y i =y j and x i x j Pr[C M (T R = 1] Pr[C M (T Π = 1] m 2 /2 2k+1 Proof: Pr[T R = σ T R is consistent] = Pr[T Π =σ] (because a consistent transcript is a permutation, and T R chooses uniformly from transcripts So Pr[C M (T R = 1] Pr[C M (T Π = 1] Pr[T R is inconsistent] Pr[T R is inconsistent] Σ i,j Pr[x i =x j and y i y j or y i =y j and x i x j ] = (m(m/22-2k m 2 /2 2k+1

5 BAD set Lemma 2 proof For a fixed h 1,h 2, define the set BAD(h 1,h 2 to be the set of possible and consistent M- transcripts {(x 1,,(x m } such that: There exist i<j with h 1 (x i R = h 1 (x j R OR There exist i<j with h 2 (y i L = h 2 (y j L Lemma 2 Fix a possible, consistent M- transcript σ Then Pr h1,h2 [σ BAD(h 1,h 2 ] < m 2 /2 k σ BAD(h 1,h 2 if there exist i < j with h 1 (x i R = h 2 (x j R (R i,j or h 2 (y i L = h 2 (y j L (L i,j So Pr[σ BAD(h 1,h 2 ] Σ i<j (Pr[R i,j ] + Pr[L i,j ] Σ i<j (2 -k +2 -k <m 2 /2 k, QED Key Lemma Lemma Proof, Cont d Lemma 3: Let σ = {(x 1,,(x m } be possible and consistent Then Pr[T P = σ σ BAD(h 1,h 2 ] = Pr[T R = σ] Proof: Given σ is consistent, Pr[T R = σ] = 2-2km But suppose σ BAD(h 1,h 2 Then for the i th queryanswer pair, y i = P(x i exactly when: h 1 (x i = (L i0,r i0, L i2 = L i0 ƒ 1 (R i0, R i2 = R i 0 ƒ 2 (L i2, and L i2,r i2 = h 2 (y i ie, when ƒ 1 (R i0 = L i0 L i2, and ƒ 2 (L i2 = R i0 R i 2 We get y i = P(x i when ƒ 1 (R i0 = L i0 L i2, and ƒ 2 (L i2 = R i0 R i2 But since we never have L i2 = L j2 or R i0 =R j 0 (otherwise σ is bad, these probabilities are independent And since ƒ 1,ƒ 2 are chosen randomly we get that Pr[T P = σ σ BAD(h 1,h 2 ] = 2-2km, QED SPRP Lemma: Proof SPRP Theorem: Proof SPRP Lemma: if ƒ 1,ƒ 2 F k,k then for any oracle adversary M which makes at most m queries, Pr[M P (1 k = 1] Pr[M Π 2k(1 k = 1] m 2 /2 2k+1 +m 2 /2 k Proof: composition of previous three lemmas SPRP Theorem: If ƒ 1,ƒ 2 ƒ s, where ƒ s is a PRF, then P is a SPRP Proof: Assume not Let M be an efficient oracle machine distinguishing P from a randomly chosen permutation Consider the hybrid distribution H where ƒ 1 F k,k, and ƒ 2 ƒ s Recall Pr[M P =1] Pr[M Π =1] > 1/poly(k

6 SPRP proof Then we must have either: (a Pr[M P =1] Pr[M H =1] > 1/poly; OR (b Pr[M H =1] Pr[M Π =1] > 1/poly This gives a statistical test against ƒ s : run M, answering queries using P with either : (a a random function; or (b a pseudrandom function for ƒ 1, and the function oracle for ƒ 2 Then in either case, we distinguish ƒ s with the same gap as M in distinguishing H from P or Π