Pseudo-random Functions


Debdeep Mukhopadhyay, IIT Kharagpur

We have seen the construction of PRGs (pseudo-random generators) from any one-way function. Now we shall consider a related concept: pseudo-random functions. Instead of strings we consider functions. It does not make much sense to call a fixed function pseudo-random.

Keyed functions

So, we have keyed functions. A keyed function is a map $F:\{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$. The first input is called the key. The key is chosen randomly and then fixed, resulting in a single-argument function $F_k : \{0,1\}^* \to \{0,1\}^*$. Assume that the functions are length preserving, meaning that the input, the output and the key are all of the same size $n$.

Pseudo-random functions

No polynomial-time adversary should be able to distinguish whether it is interacting with $F_k$ (for a randomly chosen $k$) or with $f$ (where $f$ is chosen at random from the set of all functions mapping $n$-bit strings to $n$-bit strings).

The former is chosen from a distribution over at most $2^n$ distinct functions (one per key). The latter is chosen from all $2^{n \cdot 2^n}$ functions. Despite this, the behaviour of the two functions must look the same to a PPT adversary.

Formally: let $F:\{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. $F$ is said to be a pseudo-random function if for every probabilistic polynomial-time distinguisher $D$ there exists a negligible function $\varepsilon(n)$ such that

$$\left| \Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] \right| \le \varepsilon(n),$$

where $k$ is chosen uniformly at random from $\{0,1\}^n$ and $f$ is chosen uniformly at random from the set of functions mapping $n$-bit strings to $n$-bit strings.

Encryption with a PRF

(Diagram: a fresh random string $r$ is fed to the pseudorandom function; its output is the pad, which is XORed with the plaintext to give the ciphertext.)

Some finer points. If $x$ and $x'$ differ, the outputs $F_k(x)$ and $F_k(x')$ should not be correlated. The distinguisher $D$ is not given the key: it is meaningless to talk about pseudorandomness once the key is given. Someone who knows $k$ can compute $y' = F_k(0^n)$ and then query the oracle at $0^n$ to obtain $y$. If the oracle is for $F_k$, always $y = y'$; if the oracle is for a random $f$, $y = y'$ with probability only $2^{-n}$. Thus we have a distinguisher.
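The following Python is an added example, not part of the lecture. It models the two oracles from the definition (the keyed $F_k$ and a truly random $f$, sampled lazily so repeated queries are answered consistently) and the two kinds of distinguisher mentioned on this slide: one that knows the key, which is why the key must stay hidden, and one that needs no key at all because the keyed function it faces (the constructed `bad_prf`, $G_k(x) = k \oplus x$) has correlated outputs. HMAC-SHA256 truncated to $n$ bytes stands in for the PRF; that choice and the 128-bit $n$ are assumptions of the example.

```python
"""PRF oracle vs truly random function oracle, and two distinguishers.

Added example (not from the lecture). Assumptions: HMAC-SHA256 truncated to
n bytes stands in for the PRF F_k; the random function f is sampled lazily.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

N_BYTES = 16  # n = 128 bits, a constructed choice for the example
Oracle = Callable[[bytes], bytes]


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to n bytes (stand-in for a PRF)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def prf_oracle(k: bytes) -> Oracle:
    """Oracle for F_k with k fixed and hidden inside the closure."""
    return lambda x: prf(k, x)


def random_function_oracle() -> Oracle:
    """Oracle for f chosen uniformly from Func_n: each output is drawn fresh on
    first use and remembered, so the oracle is a consistent function."""
    table: Dict[bytes, bytes] = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = secrets.token_bytes(N_BYTES)
        return table[x]
    return f


def distinguisher_with_key(oracle: Oracle, k: bytes) -> int:
    """The slide's point: a D that knows k computes y' = F_k(0^n), queries the
    oracle at 0^n and outputs 1 iff the answers agree. Against F_k it always
    outputs 1; against a random f it outputs 1 with probability 2^-n."""
    zero = bytes(N_BYTES)
    return int(oracle(zero) == prf(k, zero))


def bad_prf(k: bytes, x: bytes) -> bytes:
    """Constructed keyed function with correlated outputs: G_k(x) = k XOR x."""
    return bytes(a ^ b for a, b in zip(k, x))


def distinguisher_without_key(oracle: Oracle) -> int:
    """No key needed: if O(x) XOR O(x') == x XOR x' for two distinct inputs the
    oracle behaves like G_k; a random f (or a real PRF) satisfies this relation
    with probability 2^-n."""
    x1, x2 = bytes(N_BYTES), bytes([1]) + bytes(N_BYTES - 1)
    y1, y2 = oracle(x1), oracle(x2)
    xor_out = bytes(a ^ b for a, b in zip(y1, y2))
    xor_in = bytes(a ^ b for a, b in zip(x1, x2))
    return int(xor_out == xor_in)


def run_experiment() -> Dict[str, int]:
    """Run each distinguisher against each oracle for one fresh key."""
    k = secrets.token_bytes(N_BYTES)
    return {
        "with_key_vs_prf": distinguisher_with_key(prf_oracle(k), k),
        "with_key_vs_random": distinguisher_with_key(random_function_oracle(), k),
        "no_key_vs_bad_prf": distinguisher_without_key(lambda x: bad_prf(k, x)),
        "no_key_vs_prf": distinguisher_without_key(prf_oracle(k)),
        "no_key_vs_random": distinguisher_without_key(random_function_oracle()),
    }
```

The `with_key_*` results show why the definition withholds the key from $D$: with it, telling $F_k$ from $f$ is a single query. The `no_key_*` results show the "outputs should not be correlated" requirement: the XOR relation separates `bad_prf` from both the HMAC-based function and the random function, each of which passes this particular test.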

Security against CPA

Definition: an adversary $A$ should not be able to distinguish the encryptions of two arbitrary messages.

Experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$ (the indistinguishability experiment):
1. A key $k$ is generated by running $\mathrm{Gen}(1^n)$.
2. Adversary $A$ is given $1^n$ and oracle access to $\mathrm{Enc}_k(\cdot)$, and outputs a pair of messages $m_0, m_1$ of the same length.
3. A random bit $b \in \{0,1\}$ is chosen, and a ciphertext $c = \mathrm{Enc}_k(m_b)$ is computed and given to $A$ as a challenge. We call $c$ the challenge ciphertext.
4. Adversary $A$ continues to have oracle access to $\mathrm{Enc}_k(\cdot)$ and outputs a bit $b'$.
5. The output of the experiment is 1 if $b' = b$, and 0 otherwise.

$A$ succeeds when $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1$.

Definition of indistinguishability under CPA

An encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ has indistinguishable encryptions under CPA (is called CPA-secure) if for every PPT adversary $A$ there exists a negligible $\varepsilon(n)$ such that

$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \varepsilon(n),$$

where the probabilities are taken over the random coins used by $A$ as well as the random coins used in the experiment.

A CPA-secure encryption scheme has to be probabilistic. Consider a deterministic encryption $\mathrm{ENC}_k(m) = F_k(m)$. Given $c = \mathrm{ENC}_k(m_b)$, the adversary can ask its oracle for $\mathrm{ENC}_k(m_0)$ and $\mathrm{ENC}_k(m_1)$ and look for a match. Accordingly $b$ is discovered easily, and the scheme is not secure.

A secure encryption scheme from any PRF

Let $F$ be a PRF. Define an encryption scheme as follows:
1. $\mathrm{Gen}$: on input $1^n$ (the security parameter), choose $k \in \{0,1\}^n$ uniformly at random as the key.
2. $\mathrm{Enc}$: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, choose $r \in \{0,1\}^n$ uniformly at random and output the ciphertext $c = \langle r, F_k(r) \oplus m \rangle$.
3. $\mathrm{Dec}$: on input a key $k$ and a ciphertext $\langle r, s \rangle$, output $m = F_k(r) \oplus s$.

Theorem: if $F$ is a pseudorandom function, then the above construction is a fixed-length symmetric-key scheme for messages of length $n$ that has indistinguishable encryptions under a chosen-plaintext attack.

Proof

The proof follows a general principle. First prove that the system is secure when a truly random function is used. Next prove that if the system were insecure when the pseudorandom function is used, then we could build a distinguisher against the PRF.

Let $\tilde{\Pi} = (\tilde{\mathrm{Gen}}, \tilde{\mathrm{Enc}}, \tilde{\mathrm{Dec}})$ be an encryption scheme that is exactly the same as $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$, except that a truly random function $f$ is used in place of $F_k$. Thus $\tilde{\mathrm{Gen}}(1^n)$ chooses a random function $f \in \mathrm{Func}_n$, and $\tilde{\mathrm{Enc}}$ is just like $\mathrm{Enc}$ except that $f$ is used instead of $F_k$.

Claim: for every adversary $A$ that makes at most $q(n)$ queries to its encryption oracle,

$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] \le \frac{1}{2} + \frac{q(n)}{2^n}.$$

Proof: each time a message $m$ is encrypted, a random $r \in \{0,1\}^n$ is chosen and the ciphertext is $\langle r, m \oplus f(r) \rangle$. Let $r_c$ be the random string used when generating the challenge ciphertext $c = \langle r_c, f(r_c) \oplus m_b \rangle$. Define $\mathrm{Repeat}$ as the event that $r_c$ is also used by the encryption oracle to answer at least one of $A$'s queries. Clearly $\Pr[\mathrm{Repeat}] \le q(n)/2^n$. Also, $\Pr[\mathrm{PrivK}_{A,\tilde{\Pi}}(n) = 1 \mid \overline{\mathrm{Repeat}}] = 1/2$, since in that case $f(r_c)$ is a uniform value that $A$ never sees elsewhere and the challenge is a one-time pad. Hence

$$\begin{aligned}
\Pr[\mathrm{PrivK}_{A,\tilde{\Pi}}(n) = 1] &= \Pr[\mathrm{PrivK}_{A,\tilde{\Pi}}(n) = 1 \wedge \mathrm{Repeat}] + \Pr[\mathrm{PrivK}_{A,\tilde{\Pi}}(n) = 1 \wedge \overline{\mathrm{Repeat}}] \\
&\le \Pr[\mathrm{Repeat}] + \Pr[\mathrm{PrivK}_{A,\tilde{\Pi}}(n) = 1 \mid \overline{\mathrm{Repeat}}] \\
&\le \frac{q(n)}{2^n} + \frac{1}{2}.
\end{aligned}$$

Constructing a distinguisher for the PRF: let $\Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1] = \frac{1}{2} + \varepsilon(n)$. If $\varepsilon$ is not negligible, then the difference between this and the bound just proved for $\tilde{\Pi}$ is also non-negligible. Such a gap will enable us to distinguish the PRF from a truly random function.

Distinguisher $D$

$D$ is given input $1^n$ and an oracle $O : \{0,1\}^n \to \{0,1\}^n$. $D$ answers the queries made by $A$ in the indistinguishability experiment:
1. Run $A(1^n)$. Whenever $A$ queries its encryption oracle on a message $m$, answer the query as follows: (a) choose $r \in \{0,1\}^n$ uniformly at random; (b) query $O(r)$ and obtain the response $s'$; (c) return to $A$ the ciphertext $\langle r, s' \oplus m \rangle$.
2. When $A$ outputs $m_0, m_1 \in \{0,1\}^n$, choose a random bit $b \in \{0,1\}$. Then (a) choose $r \in \{0,1\}^n$ uniformly at random; (b) query $O(r)$ and obtain the response $s'$; (c) return to $A$ the challenge ciphertext $\langle r, s' \oplus m_b \rangle$.
3. Continue answering $A$'s queries as above. When $A$ outputs a bit $b'$, $D$ outputs 1 if $b = b'$ and 0 otherwise.

Analysis:
1. If $D$'s oracle is the PRF, then the view of $A$ when run as a subroutine by $D$ is distributed identically to the view of $A$ in experiment $\mathrm{PrivK}_{A,\Pi}(n)$. Thus $\Pr[D^{F_k}(1^n) = 1] = \Pr[\mathrm{PrivK}_{A,\Pi}(n) = 1]$.
2. If $D$'s oracle is a random function, then the view of $A$ when run as a subroutine by $D$ is distributed identically to the view of $A$ in experiment $\mathrm{PrivK}_{A,\tilde{\Pi}}(n)$. Thus $\Pr[D^{f}(1^n) = 1] = \Pr[\mathrm{PrivK}_{A,\tilde{\Pi}}(n) = 1]$.

Therefore

$$\left| \Pr[D^{F_k}(1^n) = 1] - \Pr[D^{f}(1^n) = 1] \right| \ge \varepsilon(n) - \frac{q(n)}{2^n},$$

which is non-negligible if $\varepsilon(n)$ is. This violates the PRF property of $F_k$.
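The following Python is an added example, not the lecture's code, and it serves the CPA experiment, the deterministic scheme that fails it, the PRF-based scheme $\langle r, F_k(r) \oplus m \rangle$ and the distinguisher $D$ from the slides above. Both schemes are written over an abstract function oracle so that the very same code is $\Pi$ when the oracle is $F_k$ and $\tilde{\Pi}$ when it is a random $f$; `distinguisher_D` is then just "run the experiment with the oracle $O$ in place of $F_k$". HMAC-SHA256 truncated to $n$ bytes stands in for the PRF, $n$ is 128 bits, and the adversary is the matching attack from the deterministic-encryption slide; all three are assumptions of the example.

```python
"""CPA indistinguishability experiment, the deterministic scheme it breaks,
the PRF-based scheme <r, F_k(r) XOR m>, and the reduction D.

Added example (not the lecture's code). Assumptions: HMAC-SHA256 truncated
to n bytes stands in for F_k; n = 128 bits; adversaries are Python objects.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple

N_BYTES = 16
Oracle = Callable[[bytes], bytes]


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to n bytes (stand-in for a PRF)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def random_function_oracle() -> Oracle:
    """f chosen uniformly from Func_n, sampled lazily and memoised."""
    table: Dict[bytes, bytes] = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = secrets.token_bytes(N_BYTES)
        return table[x]
    return f


# Both schemes take the function F as a parameter: with F = F_k they are Pi,
# with F = a truly random f they are Pi~ from the proof.
def enc_deterministic(F: Oracle, m: bytes) -> bytes:
    return F(m)                                   # ENC_k(m) = F_k(m): not CPA-secure


def enc_randomized(F: Oracle, m: bytes) -> bytes:
    r = secrets.token_bytes(N_BYTES)              # fresh r for every encryption
    return r + xor(F(r), m)                       # <r, F_k(r) XOR m>


def dec_randomized(F: Oracle, c: bytes) -> bytes:
    r, s = c[:N_BYTES], c[N_BYTES:]
    return xor(F(r), s)                           # m = F_k(r) XOR s


class MatchingAdversary:
    """The slide's attack on deterministic encryption: after the challenge,
    ask the oracle for Enc(m0) and Enc(m1) and look for a match."""

    def choose(self, oracle: Oracle) -> Tuple[bytes, bytes]:
        self.m0, self.m1 = bytes(N_BYTES), bytes([0xFF]) * N_BYTES
        return self.m0, self.m1

    def guess(self, oracle: Oracle, c: bytes) -> int:
        if c == oracle(self.m0):
            return 0
        if c == oracle(self.m1):
            return 1
        return secrets.randbelow(2)               # no match: a coin flip


def cpa_experiment(enc, F: Oracle, adversary) -> int:
    """PrivK^cpa_{A,Pi}(n): output 1 iff the adversary's bit b' equals b."""
    oracle = lambda m: enc(F, m)                  # Enc_k(.) with the key hidden in F
    m0, m1 = adversary.choose(oracle)
    b = secrets.randbelow(2)
    c = oracle(m1 if b else m0)                   # the challenge ciphertext
    return int(adversary.guess(oracle, c) == b)


def distinguisher_D(O: Oracle, adversary) -> int:
    """D^O(1^n): simulate the CPA experiment for the randomized scheme, answering
    every encryption with O(r) in place of F_k(r). With O = F_k the adversary's
    view is PrivK_{A,Pi}; with O = f it is PrivK_{A,Pi~}. Output 1 iff b' = b."""
    return cpa_experiment(enc_randomized, O, adversary)


def success_rate(trials: int, run: Callable[[], int]) -> float:
    return sum(run() for _ in range(trials)) / trials


def roundtrip(k: bytes, m: bytes) -> bool:
    Fk = lambda x: prf(k, x)
    return dec_randomized(Fk, enc_randomized(Fk, m)) == m


def demo(trials: int = 400) -> Dict[str, float]:
    """Empirical success rates: the matching adversary wins always against the
    deterministic scheme and about half the time against the randomized one,
    whether D's oracle is F_k or a random f (so D sees no gap)."""
    k = secrets.token_bytes(N_BYTES)
    Fk = lambda x: prf(k, x)
    return {
        "deterministic_vs_matching": success_rate(
            trials, lambda: cpa_experiment(enc_deterministic, Fk, MatchingAdversary())),
        "D_with_prf_oracle": success_rate(
            trials, lambda: distinguisher_D(Fk, MatchingAdversary())),
        "D_with_random_f": success_rate(
            trials, lambda: distinguisher_D(random_function_oracle(), MatchingAdversary())),
    }
```

The reduction is visible in the structure: `distinguisher_D` contains no cryptography of its own, it only forwards $A$'s encryption requests to whichever oracle it was handed, which is exactly why $A$'s success probability under $D$ equals its probability in the corresponding experiment.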

Modes of encryption

Electronic Code Book (ECB): each block $m_i$ is encrypted independently to $c_i$ (diagram: $m_1, m_2, m_3 \to c_1, c_2, c_3$). This is deterministic encryption and thus cannot be CPA-secure.

Cipher Block Chaining (CBC): a random IV (initial vector) of $n$ bits is chosen, and each $c_i$ depends on $m_i$ and $c_{i-1}$ (diagram: $\mathrm{IV}, m_1, m_2, m_3 \to c_1, c_2, c_3$). Parallelization of encryption is not possible. The mode is probabilistic, and if $F$ is a pseudo-random permutation then CBC is CPA-secure.

Output Feedback Mode (OFB): the IV is fed through $F$ repeatedly to produce the key stream, which is XORed with $m_1, m_2, m_3$ to give $c_1, c_2, c_3$. If $F$ is a pseudorandom function then this is secure against CPA. Note that $F$ need not be a permutation. Parallelism is not possible, but pre-processing of the key stream can lead to extremely fast operation.

Counter Mode: the values $\mathrm{ctr}, \mathrm{ctr}+1, \mathrm{ctr}+2, \mathrm{ctr}+3$ are fed through $F$ to produce the key stream, which is XORed with $m_1, m_2, m_3$.
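The following Python is an added example, not part of the lecture, showing ECB, CBC and OFB side by side so the security-relevant differences on these two slides can be checked directly: ECB maps equal plaintext blocks to equal ciphertext blocks, CBC and OFB do not, and OFB only ever calls the block cipher in the forward direction. ECB and CBC need a permutation with an inverse, so the example builds a toy one as a three-round Feistel network over the HMAC-SHA256 PRF; that construction, the 128-bit block size and the whole-blocks-only restriction are assumptions of the example, and the Feistel cipher is an illustration rather than a real block cipher.

```python
"""ECB, CBC and OFB over an n-bit block cipher.

Added example (not the lecture's code). Assumptions: E_k is a toy 3-round
Feistel network over HMAC-SHA256 (invertible by construction, not a real
cipher); n = 128 bits; messages are a whole number of blocks.
"""
import hashlib
import hmac
import secrets
from typing import List

N_BYTES = 16          # block length n = 128 bits (constructed choice)
HALF = N_BYTES // 2


def prf_half(k: bytes, x: bytes) -> bytes:
    """Feistel round function: HMAC-SHA256 truncated to n/2 bytes (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(k: bytes, block: bytes) -> bytes:
    """Toy block cipher E_k: 3 Feistel rounds with round key k||i. A Feistel
    network is a permutation by construction, so it can play the PRP role."""
    L, R = block[:HALF], block[HALF:]
    for i in range(3):
        L, R = R, xor(L, prf_half(k + bytes([i]), R))
    return L + R


def E_inv(k: bytes, block: bytes) -> bytes:
    """Inverse permutation: undo the rounds in reverse order."""
    L, R = block[:HALF], block[HALF:]
    for i in reversed(range(3)):
        L, R = xor(R, prf_half(k + bytes([i]), L)), L
    return L + R


def blocks(data: bytes) -> List[bytes]:
    assert len(data) % N_BYTES == 0, "whole blocks only in this example"
    return [data[i:i + N_BYTES] for i in range(0, len(data), N_BYTES)]


# ECB: c_i = E_k(m_i). Deterministic, so equal plaintext blocks show through.
def ecb_encrypt(k: bytes, m: bytes) -> bytes:
    return b"".join(E(k, b) for b in blocks(m))


def ecb_decrypt(k: bytes, c: bytes) -> bytes:
    return b"".join(E_inv(k, b) for b in blocks(c))


# CBC: c_0 = IV, c_i = E_k(m_i XOR c_{i-1}). Decryption needs E_k^{-1}.
def cbc_encrypt(k: bytes, m: bytes) -> bytes:
    prev = secrets.token_bytes(N_BYTES)          # random IV per message
    out = [prev]
    for b in blocks(m):
        prev = E(k, xor(prev, b))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)
    return b"".join(xor(E_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


# OFB: s_0 = IV, s_i = F_k(s_{i-1}), c_i = m_i XOR s_i. Only the forward
# direction of F is used, so F need not be a permutation.
def ofb_keystream(k: bytes, iv: bytes, nblocks: int) -> List[bytes]:
    state, stream = iv, []
    for _ in range(nblocks):
        state = E(k, state)
        stream.append(state)
    return stream


def ofb_encrypt(k: bytes, m: bytes) -> bytes:
    iv = secrets.token_bytes(N_BYTES)
    ms = blocks(m)
    return iv + b"".join(xor(s, b) for s, b in zip(ofb_keystream(k, iv, len(ms)), ms))


def ofb_decrypt(k: bytes, c: bytes) -> bytes:
    cs = blocks(c)
    return b"".join(xor(s, b) for s, b in zip(ofb_keystream(k, cs[0], len(cs) - 1), cs[1:]))


def has_repeated_blocks(c: bytes, skip_iv: bool) -> bool:
    """Pattern-leak check: does the ciphertext body contain a repeated block?"""
    bs = blocks(c)[1:] if skip_iv else blocks(c)
    return len(set(bs)) < len(bs)
```

Feeding a message with three identical blocks through all three modes makes the ECB slide concrete: the ECB ciphertext repeats, and encrypting the same message twice under ECB gives the same ciphertext, whereas CBC and OFB produce fresh ciphertexts each time because of the random IV.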

Theorem: if $F$ is a pseudo-random function, then randomized counter mode has indistinguishable encryptions under a chosen-plaintext attack (CPA).

Proof idea: first consider that a truly random function $f$ is used. Let $\mathrm{ctr}^*$ denote the initial value of $\mathrm{ctr}$ when the challenge ciphertext is generated in the experiment $\mathrm{PrivK}^{\mathrm{cpa}}$. For the $i$-th block of the message, whether from $m_0$ or $m_1$, the value $\mathrm{ctr}^* + i$ was used to generate $f(\mathrm{ctr}^* + i)$. Now, if $\mathrm{ctr}^* + i$ was never accessed before, then the key stream is random and the block is encrypted like a one-time pad. Thus the adversary has no advantage in deciding which $m_i$ was the corresponding plaintext block of the challenge ciphertext. So we have to find the probability that some $\mathrm{ctr}^* + i$ actually "matches" one of the counters used in the queries of the adversary $A$.

Proof idea (continued)

The adversary $A$ makes $q(n)$ queries. The starting value for the $i$-th query is denoted by $\mathrm{ctr}_i$. Let each message be of block length $q(n)$. We divide the entire scenario into two mutually exclusive cases:
1. There do not exist any $i, j, j'$ for which $\mathrm{ctr}^* + j = \mathrm{ctr}_i + j'$. Here $\Pr[\mathrm{PrivK}_{A,\tilde{\Pi}} = 1] = \frac{1}{2}$.
2. There exist $i, j, j'$ for which $\mathrm{ctr}^* + j = \mathrm{ctr}_i + j'$. In this case $A$ can easily determine $f(\mathrm{ctr}^* + j) = f(\mathrm{ctr}_i + j')$ from its own query and thus compute $m_j$. Thus it can predict whether $m_0$ or $m_1$ was encrypted.

Let $\mathrm{Overlap}_i$ denote the event that the sequence $\mathrm{ctr}_i + 1, \ldots, \mathrm{ctr}_i + q(n)$ overlaps the sequence $\mathrm{ctr}^* + 1, \ldots, \mathrm{ctr}^* + q(n)$. $\mathrm{Overlap}_i$ occurs when $\mathrm{ctr}_i + 1 \le \mathrm{ctr}^* + q(n)$ and $\mathrm{ctr}_i + q(n) \ge \mathrm{ctr}^* + 1$, that is, when

$$\mathrm{ctr}^* + 1 - q(n) \le \mathrm{ctr}_i \le \mathrm{ctr}^* + q(n) - 1.$$

Proof: we define the event $\mathrm{Overlap}$ as the event that $\mathrm{Overlap}_i$ occurs for some $i \le q(n)$, so that

$$\Pr[\mathrm{Overlap}] \le \sum_{i=1}^{q(n)} \Pr[\mathrm{Overlap}_i].$$

Since $\mathrm{ctr}_i$ is uniform over $2^n$ values and only the $2q(n) - 1$ values in the range above cause an overlap, $\Pr[\mathrm{Overlap}_i] \le \frac{2q(n) - 1}{2^n} < \frac{2q(n)}{2^n}$, and hence $\Pr[\mathrm{Overlap}] \le \frac{2q(n)^2}{2^n}$. Then

$$\Pr[\mathrm{PrivK}_{A,\tilde{\Pi}} = 1] \le \Pr[\mathrm{Overlap}] + \Pr[\mathrm{PrivK}_{A,\tilde{\Pi}} = 1 \mid \overline{\mathrm{Overlap}}] \le \frac{2q(n)^2}{2^n} + \frac{1}{2}.$$

The next step is to reason that if the random function is replaced by the pseudo-random function $F_k$ and the scheme is not CPA-secure, then we can frame a PPT algorithm $D$ which is able to distinguish $F_k$ from a random function $f$. This proof is left as an exercise.

Block length and security

Interestingly, we see that it is not only the key length but also the block length which decides the security. Consider a block length of 64 bits. The adversary's success probability in the CPA sense is then around $\frac{1}{2} + \frac{q^2}{2^{63}}$. Thus if we have around $2^{30}$ guesses, we have a practical attack (only 1 GB of queries and storage required). So we need to increase the block length.
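The following Python is an added example, not the lecture's code, and it serves both the counter-mode proof idea and the block-length slide. It implements randomized counter mode over an $n$-bit PRF with a selectable $n$, the $\mathrm{Overlap}_i$ event (computed exactly on the counter sets, which also covers wrap-around; away from wrap-around this is the inequality $\mathrm{ctr}^* + 1 - q \le \mathrm{ctr}_i \le \mathrm{ctr}^* + q - 1$), a brute-force check that $\Pr[\mathrm{Overlap}_i] = (2q-1)/2^n$ for a small $n$, the bound $\frac{1}{2} + 2q^2/2^n$, and what an overlap gives away (the XOR of two ciphertext bodies encrypted under the same counter equals the XOR of the plaintexts). HMAC-SHA256 truncated to $n$ bytes as the PRF, the big-endian counter encoding and the fixed counter in `keystream_reuse_leaks` are assumptions of the example.

```python
"""Randomized counter mode over an n-bit PRF, the counter-overlap event from the
proof, and the bound 2 q(n)^2 / 2^n evaluated for n = 64 and n = 128.

Added example (not the lecture's code). Assumptions: HMAC-SHA256 truncated to
n bytes stands in for F_k; counters are n-bit integers incremented mod 2^n.
"""
import hashlib
import hmac
import secrets
from fractions import Fraction
from typing import Set


def prf(k: bytes, x: bytes, n_bytes: int) -> bytes:
    """F_k(x) on n-bit blocks: HMAC-SHA256 truncated to n bytes (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:n_bytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt_with(k: bytes, m: bytes, ctr: int, n_bytes: int) -> bytes:
    """Counter mode from a given start value ctr: key-stream block i is
    F_k(ctr + i) for i = 1..q, and ctr is sent in front of the ciphertext."""
    mod = 1 << (8 * n_bytes)
    out = [ctr.to_bytes(n_bytes, "big")]
    for i, pos in enumerate(range(0, len(m), n_bytes), start=1):
        block = m[pos:pos + n_bytes]
        pad = prf(k, ((ctr + i) % mod).to_bytes(n_bytes, "big"), n_bytes)
        out.append(xor(pad, block))               # zip truncates the pad for a short last block
    return b"".join(out)


def ctr_encrypt(k: bytes, m: bytes, n_bytes: int) -> bytes:
    """Randomized CTR: ctr is chosen uniformly from {0,1}^n for every message."""
    return ctr_encrypt_with(k, m, secrets.randbelow(1 << (8 * n_bytes)), n_bytes)


def ctr_decrypt(k: bytes, c: bytes, n_bytes: int) -> bytes:
    """Decryption regenerates the same key stream from the transmitted ctr."""
    ctr = int.from_bytes(c[:n_bytes], "big")
    return ctr_encrypt_with(k, c[n_bytes:], ctr, n_bytes)[n_bytes:]


def counter_set(ctr: int, q: int, n_bits: int) -> Set[int]:
    mod = 1 << n_bits
    return {(ctr + j) % mod for j in range(1, q + 1)}


def overlaps(ctr_star: int, ctr_i: int, q: int, n_bits: int) -> bool:
    """Overlap_i: the challenge's counters ctr*+1..ctr*+q share a value with the
    i-th query's ctr_i+1..ctr_i+q. Away from wrap-around this is exactly
    ctr*+1-q <= ctr_i <= ctr*+q-1, i.e. 2q-1 of the 2^n possible ctr_i values."""
    return not counter_set(ctr_star, q, n_bits).isdisjoint(counter_set(ctr_i, q, n_bits))


def exact_single_overlap_prob(q: int, n_bits: int, ctr_star: int) -> Fraction:
    """Brute-force Pr[Overlap_i] over all 2^n values of ctr_i (small n only)."""
    space = 1 << n_bits
    hits = sum(overlaps(ctr_star, c, q, n_bits) for c in range(space))
    return Fraction(hits, space)


def overlap_bound(q: int, n_bits: int) -> Fraction:
    """Union bound: Pr[Overlap] <= sum_{i<=q} Pr[Overlap_i] <= q(2q-1)/2^n < 2q^2/2^n."""
    return Fraction(2 * q * q, 1 << n_bits)


def cpa_success_bound(q: int, n_bits: int) -> Fraction:
    """Pr[PrivK = 1] <= 1/2 + 2q^2/2^n for the random-function version of CTR."""
    return Fraction(1, 2) + overlap_bound(q, n_bits)


def keystream_reuse_leaks(k: bytes, m1: bytes, m2: bytes, n_bytes: int) -> bool:
    """What an overlap gives away: two messages encrypted under the same ctr
    have ciphertext bodies whose XOR equals the XOR of the plaintexts."""
    ctr = 12345                                   # constructed: the same ctr used twice
    c1 = ctr_encrypt_with(k, m1, ctr, n_bytes)[n_bytes:]
    c2 = ctr_encrypt_with(k, m2, ctr, n_bytes)[n_bytes:]
    return xor(c1, c2) == xor(m1, m2)
```

`cpa_success_bound(2**30, 64)` evaluates to $5/8$, the slide's $\frac{1}{2} + 2^{60}/2^{63}$, while the same $2^{30}$ queries against a 128-bit block leave an overlap probability of $2^{-67}$; the only difference between the two runs is `n_bytes`, which is the point of the block-length slide.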