Lecture 11: Pseudorandom functions

Transcription

1 COM S 6830 Cryptography Oct 1, 2009 Istructor: Rafael Pass 1 Recap Lecture 11: Pseudoradom fuctios Scribe: Stefao Ermo Defiitio 1 (Ge, Ec, Dec) is a sigle message secure ecryptio scheme if for all uppt A, there exists a egligible fuctio ɛ( ) such that N ad for all m, m {0, 1}, A distiguishes {k Ge(1 ) : Ec k (m)} with probability ɛ() {k Ge(1 ) : Ec k (m )} This defiitio of security is similar to the Shao s oe, except that here the esembles of probability distributios eed to be idistiguishable istead of idetical. We proved that the ecryptio scheme Ec k (m) = m G(k) is secure if G is a double legtheig PRG, but is it secure if the same key is used to ecrypt may messages? 2 Multi message security Defiitio 2 (Multi-message secure ecryptio) (Ge, Ec, Dec) is a multi-message secure ecryptio scheme if for all uppt A, for all polyomial q( ) there exists a egligible fuctio ɛ( ) such that N ad for all pairs of sequeces of messages m 0, m 1,..., m q(), m 0, m 1,..., m q() {0, 1}, A distiguishes with probability at most ɛ(). {k Ge(1 ) : Ec k (m 0 ),..., Ec k (m q() )} {k Ge(1 ) : Ec k (m 0),..., Ec k (m q())} Accordig to this defiitio the ecryptio scheme Ec k (m) = m G(k) itroduced before is ot multi-message secure, ad more geerally: Theorem 1 There is o determiistic stateless multi-message secure ecryptio scheme. Proof. Cosider two messages m 0, m 1, with m 0 m 1 ad the sequeces m 0 m 0 ad m 0, m 1. Sice the scheme is stateless ad determiistic the ecryptio of the first sequece is Ec k (m 0 ), Ec k (m 0 ). The secod oe ecrypts to Ec k (m 0 ), Ec k (m 1 ), where Ec k (m 0 ) Ec k (m 1 ), so that the sequeces ca be trivially distiguished with high probability i polyomial time. 11-1

2 2.1 Stateful ad determiistic scheme If we allow a ecryptio scheme to be stateful, it is easy to build a multi-message secure scheme. I fact give a key of fixed legth it is possible to geerate a arbitrarily log strig of pseudoradom bits with a PRG, ad the XOR each message i the sequece with a portio of this larger key. I this case state is used to keep track of how may bits have bee already used. The problem of this approach is that Alice ad Bob eed to be sychroized, so that they always kow which portio of the larger key has bee used to ecrypt a certai message. 2.2 Stateless ad o determiistic scheme Oe possible idea to build a stateless ad radomized scheme is to geerate a log pseudoradom strig of bits from a key k with a PRG G, the pick a idex i at radom ad let Ec k (m) = i m G(k)[i] where G(k)[i] represets the i-th block of the strig geerated with the PRG. The problem with this approach is that PRGs ca expad oly polyomially, so that i would be O(log ) ad the same idex would be chose more tha oce with reasoably high probability, so that the scheme would ot be multi-message secure. The idea to solve this problem is to itroduce a pseudoradom fuctio that allows us to idex expoetially may bits i polyomial time, so that i ca be of order. Ituitively this object should have a short descriptio, but should be able to emulate a expoetially log strig of radom bits. 3 Pseudoradom fuctios Defiitio 3 A radom fuctio F : {0, 1} {0, 1} is a map that associates at each x {0, 1} a radom strig y = F (x) {0, 1}. This object ca be completely described by a array of 2 etries that stores the image of each possible iput through F. Sice each etry is bits log, 2 bits are eeded to store the etire table, ad for ay there are 2 2 possible fuctios of this type. A radom fuctio ca be also iterpreted i a algorithmic view, as a machie that works as follows. Give a iput x, if it has ot bee see before, the machie outputs y {0, 1} ad stores the pair (x, y = F (x)) i a table. If x has bee see before, the it outputs the pair (x, F (x)) stored i the table. It is easy to see that a polyomial umber of queries to the machie ca be aswered i polyomial time. 3.1 Pseudoradom fuctios Ituitively we would like a pseudoradom fuctio (PRF) to look like a radom fuctio to ay uppt adversary, eve if the PRF starts oly with small bit seed. I other 11-2

3 words, we would like a way to compress expoetially (exp()) may bits ito bits, similarly as we did with PRGs. To defie this cocept formally, we will eed a ew otio of idistiguishability. I fact a computatioally bouded adversary would ot be able to effectively compare somethig to a radom fuctio, because it has a expoetially log descriptio. For this reaso we will cosider a ew class of adversaries that have oracle access to a black box that ca be either a PRF or a truly radom fuctio, ad they are supposed to decide which oe they are iteractig with. Defiitio 4 (Oracle idistiguishability) Let {O } N, {O } N be esembles of probability distributios, where O ad O are distributios over fuctios {0, 1} l1() {0, 1} l2() ad l 1 ad l 2 are polyomials. We say that {O } N, {O } N are computatioally idistiguishable if for all oracle uppt D, there exists a egligible fuctio ɛ( ) such that N P r[f O : D F (1 ) = 1] P r[f O : D F (1 ) = 1] ɛ() I this defiitio D F is a oracle Turig machie, that is a Turig machie augmeted with a compoet called a oracle that is used to sample F. It ca be proved that the otio of oracle idistiguishability satisfies the 3 lemmas previously proved for stadard idistiguishability (efficiet operatios, the Hybrid Lemma, ad the Predictio Lemma). We are ow ready to defie pseudoradom fuctios. Let RF be the distributio that picks oe of the 2 2 fuctios mappig {0, 1} {0, 1} uiformly at radom. Defiitio 5 (Pseudoradom fuctio) A family of fuctios F = {f s : {0, 1} l( s ) {0, 1} l( s ) } s {0,1} is a family of pseudoradom fuctios if (Easy to compute): Give s {0, 1} ad x {0, 1} l(), f s (x) ca be efficietly computed (i p.p.t time). (Pseudoradom): {s {0, 1} : f s } N is computatioally idistiguishable from {F RF l() : F } N Notice that to get idistiguishability it is fudametal that the seed s is ot revealed to the adversary. Otherwise it would be easy to distiguish them by queryig the oracle for ay value x ad check whether the respose is equal to f s (x). 4 Existece of Pseudoradom fuctios We will show that the existece of a pseudoradom geerator (PRG) implies the existece of a pseudoradom fuctio (PRF). By usig previously proved results we have that OW P P RG P RF where OW P stads for the existece of oe way permutatios. 11-3

4 It is also possible to prove that OW F P RG P RF, where OW F stads for the existece of oe way fuctios. Moreover it is possible to see that the existece of P RF implies the existece of P RG (a PRG is obtaied by callig the PRF a sufficiet umber of times i order to get expasio). Theorem 2 If there exists a pseudoradom geerator, the there exists a pseudoradom fuctio. Proof. Let without loss of geerality G(x) = G 0 (x) G 1 (x) be a legth doublig PRG, so that G 0 (x) = G 1 (x) = x. We defie the cadidate pseudoradom fuctio f s (b 1, b 2,..., b ) = G b (G b 1 (... G b2 (G b1 (s))...)) It is easy to see that f keeps oly oe half of the output of the pseudoradom geerator at each of the calls, so that the recursive calls to G i ca be represeted as a tree, where the leafs are the possible fial outputs of f. s s 0 = G 0 (s) s 1 = G 1 (s) s 00 = G 0 (s 0 ) s 01 = G 1 (s 0 ) s 10 = G 0 (s 1 ) s 11 = G 1 (s 1 ) We eed to show that f is a PRF. By cotradictio, assume there exists a distiguisher D ad a polyomial p( ) such that D distiguishes {s {0, 1} : f s } from {F RF : F } with probability 1 for ifiitely may. p() Oe possible approach here is to use the hybrid lemma, buildig hybrids by successively replacig each leaf with a truly radom distributio. This approach does ot work because there are too may (expoetially may) hybrids ad therefore the lemma is ot useful i this case. Istead we defie a family of hybrids HF, i where the i-th hybrid is costructed by pickig the first i layers of the tree uiformly at radom ad the applyig the tree costructio as before. I this way HF 1 = {s {0, 1} : f s } (oly the seed is chose at radom) HF = RF (all the leaves are chose at radom) Notice that each hybrid HF i ca be efficietly emulated (as we did before for the radom fuctio, but keepig a table of the i-th layer of the tree). By the hybrid lemma there exists i such that D distiguishes HF i ad HF i+1 with 1 probability, sice there are hybrids. p() 11-4

5 Notice that the differece betwee HF i ad HF i+1 is that level i + 1 i HF i is pseudoradom (each block is distributed as G(U ) ), while i HF i+1 level i + 1 is truly radom. Sice the size of the layers grows expoetially, it gets difficult to effectively distiguish betwee the two hybrids ad to complete the proof we eed aother set of hybrids. Sice D rus i polyomial time, there exists a polyomial q() such that the umber of queries to the oracle made by D is bouded by q(). We defie a ew family of hybrids HHF j for j = 0,..., q(), where HHF j aswers the first j uique queries cosistetly with HF, i ad the remaiig oes cosistetly with HF i+1. Furthermore otice that HHF 0 = HF i+1 HHF q() = HF i By usig the hybrid lemma, there exists j such that D ca distiguish HHF j ad HHF j+1 1 with probability. q()p() The oly differece betwee HHF j ad HHF j+1 is that HHF j+1 aswers its (j + 1)-th query usig the output of a pseudoradom geerator o a radomly chose value, while HHF j aswers its (j + 1)-th query startig with a radomly chose value. As we oted before, queries to HHF j ad HHF j+1 ca be efficietly emulated i probabilistic polyomial time. The it follows by the closure uder efficiet operatios lemma ad the pseudoradomess of G that D caot distiguish them. 11-5