Homework 7 Solutions

Transcription

1 Homework 7 Solutions Due: March 22, 2018 CS 151: Intro. to Cryptography and Computer Security 1 Fun with PRFs a. F a s = F 0 k(x) F s (x) is not a PRF, for any choice of F. Consider a distinguisher D a given access to an oracle O a : (a) Choose some x {0, 1} k. (b) Calculate z = F 0 k(x). (c) Query y = y 1 y 2 = O a (x). (d) If y 1 = z, return 1 (pseudorandom); else, return 0 (random). If run on F a s, D a will be correct with probability 1, by definition of the function. If run on a random function, D a will only incorrectly guess pseudorandom with probability 1 2 k. Thus, F a s is never a PRF. b. F b s (x) = G(s) x is not a PRF, for any choice of G. Consider a distinguisher D b given access to an oracle O b : (a) Choose two distinct x 1, x 2 {0, 1} 2k. (b) Query y 1 = O b (x 1 ). (c) Query y 2 = O b (x 2 ). (d) If y 1 y 2 = x 1 x 2, return 1 (pseudorandom); else, return 0 (random). If run on F b s, D b will be correct with probability 1, by definition of the function. If run on a random function, D b will only incorrectly guess pseudorandom with probability 1 2 2k. Thus, F b s is never a PRF. c. F c s (x) = F s1 (x) s 2 is a family of PRFs. For the sake of contradiction, assume that F c were not a PRF, and that we had a PPT adversary A which could distinguish F c s (x) from random with non-negligible advantage. We could use A to construct a PPT B that distinguishes F s from random. A expects to interact with an oracle O A that responds to its queries either in accordance with F c s or in accordance with a truly random function R 1. B interacts with an oracle O B that responds to its queries either in accordance with F s1, or in accordance with a truly random function R 2. Homework 7 Solutions Page 1 / 6

2 B simulates O A as follows: First B picks a random s 2 {0, 1} k. Whenever A makes a query x, B queries O B on x to get a response y, and then returns z = y s 2. When A returns a response, B returns the same response. If O B acts in accordance with F s1, then B will be providing A with an oracle that acts exactly like F c s (x). If O B outputs the results of a truly random function, then y s 2 is also truly random, because s 2 is fixed and a truly random value XORed with a fixed value is truly random. Thus, B s advantage for distinguishing F s (x) from the output of a random function is the same as A s advantage at distinguishing F c s (x) from random. Meaning, if A has non-negligible advantage, so does B, which is a contradiction. d. Fs d F s (x) when x 0 k (x) =, where we define a to be the first k/2 bits of s, and k a b when x = 0 b to be the last k/2 bits of F s (x), is not necessarily a family of PRFs. Let G {0, 1} k/2 {0, 1} k be a PRG, and let F be a PRF. Then if we define F s (x) = F G(s 1 ) (x), where s 1 is defined as the first k/2 bits of s, then F d would not be a PRF. First, we sketch why the F defined is a PRF. Suppose it were not, and we had an adversary A which could distinguish F G(s 1 ) from a truly random function with non-negligible advantage. If A distinguishes F s from a truly random function with non-negligible advantage, then we can use A to show that F is not a PRF. Otherwise, we would be able to use A to show that G is not a PRG. But if F d is instantiated with F, then we can query the oracle on 0 k to obtain s 1. We can then compute F d s (x) for any x, so we can distinguish F d from a truly random function. e. F e s (x) = F s (0 x) F s (1 x) is a PRF. Assume for the sake of contradiction that Fs e is not a PRF, and that there exists an adversary A which can distinguish Fs e from a random function with non-negligible probability. Using A, we can construct an adversary B that distinguishes F s from a random function with non-negligible advantage. On input 1 k and with oracle access to O e, B runs A(1 k ). Every time A makes a query x, B makes two queries to O e getting y 0 = O e (0 x) and y 1 = O e (1 x), and returns to A the value y = y 0 y 1. When A outputs a decision, B outputs the same decision. If O e was F s, then B is precisely mimicking the behavior of F e s for A, so by assumption B will be correct with the same probability as A. If O e was truly random, then B is also providing A with true randomness, so B will still be correct with the same Homework 7 Solutions Page 2 / 6

3 probability as A. Since A had a non-negligible advantage, B does too, contradicting our assumption that F is a PRF. Thus, F e must be a PRF. 2 Pseudorandom Fun(ctions) We know that we want the output of F s(x) to be of the form y 0 y 2... y k 1, where y i 1 represents the ith bit of the output y. To construct F s(x) from F s (z), we can set y i = F s (x i) for all 0 i < k. Because there are k bits in the output, it will take log k bits to represent i and so the input x i will have k + log k bits and be valid input to the function F s ( ). Now we just need to show that, if F s (x) is pseudorandom, then so is F s(x). To do this, assume that F s(x) is not pseudorandom; i.e. that there exists an adversary A that can distinguish between F s(x) and a random oracle with non-negligible advantage. Then we construct an adversary B that uses A to distinguish between F s (x) and a random oracle. On A s query x, B queries its own oracle k times, using x 0,..., x (k 1) as its inputs, where each number is represented in binary using log k bits. B gets back k bits from its oracle, which it then concatenates together and passes along to A in answer to A s oracle query. This means that if R B is the function that B is querying, then the function that A queries is R A (x) = R B (x 0) R B (x (k 1)) If A returns 0, then B returns 0; otherwise, B returns 1. By the construction of B, if R B is equal to F s, then R A is equal to F s. On the other hand, if R B is a random oracle, then each bit of the string returned was selected at random by R B, and so R A is equivalent to a random oracle. This means that, whenever B sees a random oracle, A will also see a random oracle, and whenever B sees F s, A will see F s. This means that B is correct whenever A is correct, so B also has a non-negligible probability of distinguishing F s from random. This means that F s is not pseudorandom, which is a contradiction. Therefore, F s must be a pseudorandom function. 3 PRFs as MACs a. For the sake of contradiction, assume that it is not a MAC. Let us define a PPT A which uses Eve to determine whether an oracle O is a PRF or a random function R. First, A invokes Eve k. Whenever Eve k puts a query m i onto its query tape, provide Eve k with the output of O on m i (i.e. O(m i )). After polynomially many queries, Homework 7 Solutions Page 3 / 6

4 Eve k should produce an output (m, x) Q. (If it breaks down without an output, or runs longer than it is supposed to, or if (m, x) Q, then we just set (m, x) at random from the set of k-bit strings.) Now, A calculates O(m), and compares it to x. If O(m) = x, then A outputs pseudorandom ; otherwise, it outputs random. Note that, in the case where O is actually F s for some s, A will be correct whenever Eve k successfully forged a MAC, i.e. with probability ɛ(k). Conversely, whenever O is a random function, A is correct unless Eve k manages to guess R(m) correctly. Since R(m) is completely random, and independent of any observed values, this happens with probability exactly 2 k, so A will be correct with probability 1 2 k. Pr[A is correct] = 1 2 Pr[A is correct O is random] + 1 Pr[A is correct O is a PRF] 2 = ɛ(k) k 2 Thus, A will have an advantage of ɛ(k) ν(k) for negligible ν, which is non-negligible. This contradicts our assumption that F s is a PRF, so our assumption must be false: F s is a MAC. b. A MAC is not always a PRF. Consider a MAC M s, and let M s(m) = 0 M s (m) forall m and for all s. M s is still a MAC by a simple reduction (i.e. an adversary could use a forged (m, M s(m)) to forge an equivalent (m, M s (m)) pair). But M s cannot be a PRF, as we can distinguish it from random with high probability. We can define a distinguisher A which, given an oracle O that is either M s or random, samples a random value x and calculates O(x). If the first bit of the output is 0, then we guess pseudorandom ; otherwise, we guess random. Since half of all random outputs start with 0, but all outputs of M s begin with 0, A will be correct with probability 3/4. c. Yes, if MACs exist then PRFs must also exist. We asked for a brief justification, but we provide a complete proof for reference. Recall that, by HILL, the existence of OWFs implies the existence of PRGs. Then, by GGM, the existence of PRGs implies the existence of PRFs. Thus, it is sufficient to show that MAC OWF. Let {M s {0, 1} s {0, 1} p( s ) } be a MAC. Let us define a function f {0, 1} k+2k2 {0, 1} 2kp(k), where 1 f(x) = f(s, m 1,..., m 2k ) = m 1 m 2k M s (m 1 ) M s (m 2k ). 1 This function doesn t work on every input size as stated, but we can define a function f from any input size j which finds the maximum k such that k + 2k 2 j and runs f on the first k + 2k 2 bits of its input. Homework 7 Solutions Page 4 / 6

5 We will now show that inverting this function is equivalent to forging authentication. Assume for the sake of contradiction that there exists some adversary A k that inverts f. We will construct Eve Ms k that can output a forged (m, M s (m)) with non-negligible probability. Let us pause for a moment, and note that this problem may be harder than you thought at first. Just because we have inverted the function, obtaining a possible shared secret s, does not mean that it is the same secret s that Alice and Bob have! Care must be taken to ensure that s is helpful to Eve, even if it is not equal to s. First, our PPT Eve k samples random messages m 1,..., m 2k, and queries M s on each one, obtaining x 1,..., x 2k. Then, Eve k runs A k (x 1,..., x 2k ), obtaining (s, m 1,..., m 2k ). It then chooses a random m, finally outputting (m, M s (m)). Our claim is that, with non-negligible probability, M s (m) = M s (m). Suppose that s is fixed. Let bad(s) denote the strings s {0, 1} s such that Pr[m {0, 1} s M s (m) = M s (m)] 1 2. If the s given to us by A k is not in bad(s), then our Eve k succeeds with probability at least 1 2. Thus, we want to make sure that there are no bad s s among the preimages of f(s, m 1,..., m 2k ). First, by the union bound, 2 we have that p bad = Pr [s {0, 1} k ; {m i {0, 1} k 1 i 2k} s f 1 (f(... )) bad(s)] Pr[s] Pr [{m i {0, 1} k 1 i 2k} s f 1 (f(... )) bad(s)] Pr[s] s bad(s) Pr [{m i {0, 1} k 1 i 2k} s f 1 (f(... ))]. We can then simplify this expression further to find a more explicit bound on p bad : p bad Pr[s] Pr[s] s bad(s) 2 2k s bad(s) < Pr[s]2 k 2 2k < 2 k. Pr [{m i {0, 1} k 1 i 2k} M s (m i ) = M s (m i ) 1 i 2k] Thus, the probability that there exists a bad s is negligible. Assuming A k succeeds with probability ɛ(k), this leaves Eve k with probability ɛ(k)(1 2k ) 2 of success. This contradicts the assumption that M s was a MAC, and thus f must be one-way. 2 Pr[A B] Pr[A] + Pr[B] Homework 7 Solutions Page 5 / 6

6 One common erroneous solution is to go directly from MAC to PRF. This is very difficult. The problem is that GL bit, i.e., taking a random r and setting F s (x) = M s (x).r won t work. This is because a MAC can be designed such that M s (r).r is always 0! So there is hope only if r is kept secret. The actual proof is tricky. Homework 7 Solutions Page 6 / 6