Pseudo-random Functions. PRG vs PRF


Pseudo-random Functions
Debdeep Mukhopadhyay, IIT Kharagpur

PRG vs PRF

We have seen the construction of PRGs (pseudo-random generators) from any one-way function. Now we shall consider a related concept: pseudo-random functions. Instead of strings we consider functions. It does not make much sense to call a fixed function pseudo-random.

Keyed Functions

So, we have keyed functions. A keyed function is F: {0,1}* × {0,1}* → {0,1}*. The first input is called the key. The key k is chosen randomly and then fixed, resulting in a single-argument function F_k: {0,1}* → {0,1}*. Assume that the functions are length preserving, meaning that the input, output and key are all of the same size.

Pseudo-random Functions

No polynomial-time adversary should be able to distinguish whether it is interacting with F_k (for a randomly chosen k) or with f (where f is chosen at random from the set of all functions mapping n-bit strings to n-bit strings).

Cardinality of all possible functions

Set of all keyed functions: the former is chosen from a distribution over at most 2^n distinct functions (one per n-bit key). Set of all possible random functions: the latter is chosen from 2^(n·2^n) functions. Despite this, the behavior of the two must look the same to a PPT adversary.

Formally: Let F: {0,1}* × {0,1}* → {0,1}* be an efficient, length-preserving, keyed function. F is said to be a pseudo-random function if for all probabilistic polynomial-time distinguishers D there exists a negligible function ε(n) such that

  |Pr[D^{F_k(·)}(n) = 1] − Pr[D^{f(·)}(n) = 1]| ≤ ε(n),

where k is chosen uniformly at random and f is chosen uniformly at random from the set of functions mapping n-bit strings to n-bit strings.

Encryption with a PRF

[Figure: a fresh random string r is fed to the pseudorandom function; its output is used as a pad, and plaintext XOR pad gives the ciphertext.]

Some finer points: If x and x' differ, the outputs F_k(x) and F_k(x') should not be correlated. The distinguisher D is not given the key: it is meaningless to talk about pseudorandomness once the key is given. One can compute y' = F_k(0^n), then query the oracle at 0^n. If the oracle is for F_k, always y = y'. If the oracle is for a random f, y = y' with probability 2^{-n}. Thus we have a distinguisher.

Security against CPA

Def: An adversary A should not be able to distinguish the encryptions of two arbitrary messages.

Experiment Priv^cpa_{A,Π}(n) (the IND experiment):
1. A key k is generated by running Gen(n).
2. Adversary A is given n and oracle access to Enc_k(·), and outputs a pair of messages m_0, m_1 of the same length.
3. A random bit b ∈ {0,1} is chosen, and a ciphertext c = Enc_k(m_b) is computed and given to A as a challenge. We call c the challenge ciphertext.
4. Adversary A continues to have oracle access to Enc_k(·) and outputs a bit b'.
5. The output of the experiment is 1 if b' = b, and 0 otherwise.

A succeeds when Priv^cpa_{A,Π}(n) = 1.

Definition of Indistinguishable under CPA

An encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions under CPA (is called CPA-secure) if for all PPT adversaries A there exists a negligible ε(n) s.t.

  Pr[Priv^cpa_{A,Π}(n) = 1] ≤ 1/2 + ε(n),

where the probabilities are taken over the random coins used by A as well as the random coins used in the experiment.

CPA-secure encryption: the scheme has to be probabilistic. Consider a deterministic encryption Enc_k(m) = F_k(m). Given c = Enc_k(m_b), it is possible to ask the oracle for Enc_k(m_0) and Enc_k(m_1) and look for a match. Accordingly b is discovered easily, thus the scheme is not secure.

A CPA-secure encryption scheme from any PRF

Let F be a PRF. Define an encryption scheme as follows:
1. Gen: on input n (the security parameter), choose k ∈ {0,1}^n uniformly at random as the key.
2. Enc: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, choose r ∈ {0,1}^n uniformly at random and output the ciphertext c = <r, F_k(r) ⊕ m>.
3. Dec: on input a key k and a ciphertext <r, s>, output m = F_k(r) ⊕ s.

Theorem: If F is a pseudorandom function, then the above construction is a fixed-length symmetric-key scheme for messages of length n that has indistinguishable encryptions under a chosen-plaintext attack.
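The scheme above together with the deterministic counterexample from the previous slide, as an added example that is not part of the lecture: Gen/Enc/Dec in Python with the PRF F_k instantiated by HMAC-SHA256 truncated to 16 bytes (an assumption standing in for the abstract F), and the Priv^cpa experiment run against the adversary that asks the oracle for both messages, which wins every time against Enc_k(m) = F_k(m) and only half the time against the randomized scheme.

```python
import hashlib
import hmac
import secrets

N = 16  # block length n in bytes: key, input and output of F_k all have N bytes

def prf(key, x):
    """F_k(x): length-preserving keyed function. Assumption: HMAC-SHA256
    truncated to N bytes stands in for the PRF the slides leave abstract."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def gen():
    """Gen(n): choose k uniformly from {0,1}^n."""
    return secrets.token_bytes(N)

def enc(key, m):
    """Enc_k(m): fresh random r, output <r, F_k(r) XOR m>."""
    assert len(m) == N
    r = secrets.token_bytes(N)
    return (r, xor(prf(key, r), m))

def dec(key, c):
    """Dec_k(<r, s>) = F_k(r) XOR s."""
    r, s = c
    return xor(prf(key, r), s)

def enc_deterministic(key, m):
    """The insecure variant from the slides: Enc_k(m) = F_k(m), no randomness."""
    return prf(key, m)

def cpa_experiment(encrypt, m0, m1):
    """One run of Priv^cpa against the adversary that, after seeing the challenge,
    asks the oracle for Enc_k(m0) and outputs b' = 0 on a match, else b' = 1.
    Returns True when b' == b."""
    key = gen()
    b = secrets.randbelow(2)
    challenge = encrypt(key, (m0, m1)[b])
    guess = 0 if encrypt(key, m0) == challenge else 1  # post-challenge oracle query
    return guess == b

def success_rate(encrypt, trials=200):
    """Fraction of runs the adversary wins: 1.0 is a total break, about 0.5 is ideal."""
    m0, m1 = bytes(N), b"\xff" * N
    return sum(cpa_experiment(encrypt, m0, m1) for _ in range(trials)) / trials
```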

Proof

Follows a general principle. Prove that the system is secure when a truly random function is used. Next prove that if the system were insecure when the pseudorandom function is used, then we could build a distinguisher against the PRF.

Proof: Let Π~ = (Gen~, Enc~, Dec~) be an encryption scheme that is exactly the same as Π = (Gen, Enc, Dec), except that a truly random function f is used in place of F_k. Thus Gen~(n) chooses a random function f ∈ Func_n, and Enc~ is just like Enc except that f is used instead of F_k.

Claim: For every adversary A that makes at most q(n) queries to its encryption oracle:

  Pr[Priv^cpa_{A,Π~}(n) = 1] ≤ 1/2 + q(n)/2^n.

Proof: Each time a message m is encrypted, a random r ∈ {0,1}^n is chosen and the ciphertext is <r, m ⊕ f(r)>. Let r_c be the random string used when generating the challenge ciphertext c = <r_c, f(r_c) ⊕ m_b>. Define Repeat as the event that r_c is also used by the encryption oracle to answer at least one of A's queries. Clearly, Pr[Repeat] ≤ q(n)/2^n. Also, Pr[Priv^cpa_{A,Π~}(n) = 1 | ¬Repeat] = 1/2, since then f(r_c) is a fresh uniform pad. Hence

  Pr[Priv^cpa_{A,Π~}(n) = 1] = Pr[Priv^cpa_{A,Π~}(n) = 1 ∧ Repeat] + Pr[Priv^cpa_{A,Π~}(n) = 1 ∧ ¬Repeat]
                             ≤ Pr[Repeat] + Pr[Priv^cpa_{A,Π~}(n) = 1 ∧ ¬Repeat]
                             ≤ q(n)/2^n + 1/2.

Construct a Distinguisher for the PRF

Let Pr[Priv^cpa_{A,Π}(n) = 1] = 1/2 + ε(n). If ε is not negligible, then the difference between this and the bound above is also non-negligible. Such a gap will enable us to distinguish the PRF from a truly random function.

Distinguisher D

D is given input n and an oracle O: {0,1}^n → {0,1}^n. D answers the queries made by A in the IND experiment.
1. Run A(n). Whenever A queries its encryption oracle on a message m, answer the query in the following way:
   a) Choose r ∈ {0,1}^n uniformly at random.
   b) Query O(r) and obtain the response s'.
   c) Return to A the ciphertext <r, s' ⊕ m>.
2. When A outputs m_0, m_1 ∈ {0,1}^n, choose a random bit b ∈ {0,1}.
   a) Choose r ∈ {0,1}^n uniformly at random.
   b) Query O(r) and obtain the response s'.
   c) Return to A the ciphertext <r, s' ⊕ m_b>.
3. Continue answering A's queries as above. When A outputs a bit b', D outputs 1 if b = b' and 0 otherwise.

1. If D's oracle is the PRF, then the view of A when run as a subroutine by D is distributed identically to the view of A in experiment Priv^cpa_{A,Π}(n). Thus Pr[D^{F_k}(n) = 1] = Pr[Priv^cpa_{A,Π}(n) = 1].
2. If D's oracle is a random function, then the view of A when run as a subroutine by D is distributed identically to the view of A in experiment Priv^cpa_{A,Π~}(n). Thus Pr[D^f(n) = 1] = Pr[Priv^cpa_{A,Π~}(n) = 1].

Thus |Pr[D^f(n) = 1] − Pr[D^{F_k}(n) = 1]| ≥ ε(n) − q(n)/2^n, which is non-negligible if ε(n) is. This violates the PRF property of F.

A CPA-secure scheme for messages of arbitrary length

Consider m = m_1 m_2 ... m_l, where each m_i is an n-bit block. The ciphertext is

  <r_1, F_k(r_1) ⊕ m_1, r_2, F_k(r_2) ⊕ m_2, ..., r_l, F_k(r_l) ⊕ m_l>.

Corollary: If F is a pseudorandom function, then the scheme above is a private-key encryption scheme for arbitrary-length messages that has indistinguishable encryptions under a chosen-plaintext attack.

Pseudo-random Permutations and Block Ciphers

Let F: {0,1}* × {0,1}* → {0,1}* be an efficient, length-preserving, keyed function. It is called a keyed permutation if for every key k the function F_k is one-to-one. Since the function is length preserving, it is also a bijection, and hence an inverse permutation exists. We call it F_k^{-1}. The keyed permutation is efficient if, given k and x, it is easy to compute both F_k(x) and F_k^{-1}(x).

Randomly chosen permutations and randomly chosen functions are not distinguishable with polynomially many queries. If F is a pseudorandom permutation then it is also a pseudorandom function.

Pseudorandom Permutation

It is also a permutation. Moreover, there exists an efficient inverse P_K^{-1}. A pseudorandom permutation is also a pseudorandom function.

Strong pseudorandom permutation: No efficient algorithm A can distinguish well between <P_K(·), P_K^{-1}(·)> and <Π(·), Π^{-1}(·)> for a randomly chosen key K and a random permutation Π. That is, A^{P_K(·), P_K^{-1}(·)} behaves like A^{Π(·), Π^{-1}(·)}.

Building Pseudorandom Permutations

We can build pseudorandom permutations from pseudorandom functions F. Define

  D_F(x, y) = (y, F(y) ⊕ x).

Note that this is injective, and that this does not depend on whether F is injective or not. Note that D_F and D_F^{-1} are efficiently computable. This construction was originally due to Horst Feistel.

Strong Pseudorandom Permutations

Let F: {0,1}* × {0,1}* → {0,1}* be an efficient keyed permutation. We say that F is a strong pseudorandom permutation if for all probabilistic polynomial-time distinguishers D there exists a negligible function negl such that

  |Pr[D^{F_k(·), F_k^{-1}(·)}(n) = 1] − Pr[D^{f(·), f^{-1}(·)}(n) = 1]| ≤ negl(n),

where k ∈ {0,1}^n is chosen uniformly at random and f is chosen uniformly from the set of permutations on n-bit strings.
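The Feistel map D_F and its inverse, as an added example that is not from the lecture: the round function F is HMAC-SHA256 truncated to one byte (an assumption), the block is two bytes so the whole domain can be enumerated, and the exhaustive check confirms that D_F is a bijection even when F is a constant function. It goes one step beyond the slide by chaining several rounds with derived round keys (also an assumption); Luby and Rackoff showed that three rounds give a pseudorandom permutation and four a strong one, whereas a single round leaks its right input half in the clear.

```python
import hashlib
import hmac
from itertools import product

HALF = 1  # bytes per half x, y; a 2-byte block keeps the whole domain enumerable

def prf(key, z):
    """F_k(z) for HALF-byte z. Assumption: HMAC-SHA256 truncated to HALF bytes
    stands in for the PRF the slide leaves abstract."""
    return hmac.new(key, z, hashlib.sha256).digest()[:HALF]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def d_f(f, x, y):
    """The slide's map D_F(x, y) = (y, F(y) XOR x)."""
    return y, xor(f(y), x)

def d_f_inv(f, u, v):
    """Inverse of D_F: from (u, v) = (y, F(y) XOR x) recover x = F(u) XOR v, y = u."""
    return xor(f(u), v), u

def feistel(round_fns, block):
    """Apply D_F once per round function; a single round function is exactly the slide."""
    x, y = block[:HALF], block[HALF:]
    for f in round_fns:
        x, y = d_f(f, x, y)
    return x + y

def feistel_inv(round_fns, block):
    """Undo the rounds in reverse order, using only forward evaluations of F."""
    u, v = block[:HALF], block[HALF:]
    for f in reversed(round_fns):
        u, v = d_f_inv(f, u, v)
    return u + v

def is_bijection(round_fns):
    """Exhaustively check that the map is one-to-one on the whole 2*HALF-byte domain."""
    domain = [bytes(t) for t in product(range(256), repeat=2 * HALF)]
    return len({feistel(round_fns, blk) for blk in domain}) == len(domain)

def keyed_rounds(key, rounds):
    """Round functions F_{k_i}; deriving k_i as key || i is an assumption of this example."""
    return [lambda z, i=i: prf(key + bytes([i]), z) for i in range(rounds)]

def constant_f(z):
    """A maximally non-injective F: D_F must still be a permutation."""
    return bytes(HALF)
```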

Block Ciphers

The analogue of strong pseudorandom permutations is block ciphers. Note: block ciphers themselves are not secure encryption schemes. c = F_k(m) is not secure (Why?). So block ciphers are building blocks for efficient encryption schemes and not encryption schemes by themselves.

Modes of Operation of block ciphers

These are ways of encrypting arbitrary-length messages using a block cipher. The difference between the ciphertext length and the message length is small in this case. It may be noted that messages of arbitrary length can be padded so that they are multiples of the block length n. Since this can be done without any ambiguity, we assume that the messages are made of l blocks, each of length n.

Modes of Encryption

Electronic Code Book (ECB)
[Figure: m_1, m_2, m_3 each encrypted independently to c_1, c_2, c_3.]
Deterministic encryption and thus cannot be CPA-secure. Not message indistinguishable either.

Cipher Block Chaining (CBC)
[Figure: m_1, m_2, m_3; each block is XORed with the previous ciphertext block (the IV for the first) before encryption, giving c_1, c_2, c_3.]
Parallelization is not possible. A random IV (initial vector) of size n bits is chosen. The IV is sent in the clear for decryption. Probabilistic, and if F_k is a pseudo-random permutation then CBC is CPA-secure.

Output Feedback Mode (OFB)
[Figure: the IV is fed repeatedly through F_k to produce a key stream that is XORed with m_1, m_2, m_3 to give c_1, c_2, c_3.]
If F is a pseudorandom function then this is secure against CPA. Note that F need not be a permutation. Parallelism is not possible, but pre-processing of the key stream can lead to extremely fast operation.

Counter Mode
[Figure: ctr, ctr+1, ctr+2, ctr+3 are fed through F_k; the outputs are XORed with m_1, m_2, m_3.]

Theorem: If F is a pseudo-random function, then randomized counter mode has indistinguishable encryptions under a chosen-plaintext attack (CPA).

Proof Idea: First consider that a truly random function f is used. Let ctr* denote the initial value ctr when the challenge ciphertext is generated in the experiment Priv^cpa. For the i-th block of the message, whether it comes from m_0 or m_1, ctr*+i was used to generate f(ctr*+i). Now, if ctr*+i was never accessed before, then the key stream is random and acts like a one-time pad. Thus the adversary has no advantage in deciding whether m_i was the corresponding plaintext for the challenge ciphertext. So we have to find the probability that ctr*+i actually "matches" one of the queries of the adversary A.

Proof Idea (continued)

The adversary A makes q(n) queries. The starting counter value for the i-th query is denoted by ctr_i. Let each message be of block length q(n). We divide the entire scenario into two mutually exclusive cases:
1. There do not exist any i, j, j' for which ctr*+j = ctr_i+j'. Here Pr[Priv^cpa_{A,Π~}(n) = 1] = 1/2.
2. There exist i, j, j' for which ctr*+j = ctr_i+j'. In this case A can easily determine f(ctr*+j) = f(ctr_i+j') and thus compute m_j. Thus it can predict whether m_0 or m_1 was encrypted.

Let Overlap_i denote the event that the sequence ctr_i+1, ..., ctr_i+q(n) overlaps the sequence ctr*+1, ..., ctr*+q(n). Consider ctr*+1, ..., ctr*+q(n) and ctr_i+1, ..., ctr_i+q(n). Overlap_i occurs when ctr_i+1 ≤ ctr*+q(n) and ctr_i+q(n) ≥ ctr*+1. This happens when

  ctr*+1−q(n) ≤ ctr_i ≤ ctr*+q(n)−1.

Proof: We define the event Overlap as Overlap_i occurring for any i, 1 ≤ i ≤ q(n), that is

  Pr[Overlap] ≤ Σ_{i=1}^{q(n)} Pr[Overlap_i].

Now Pr[Overlap_i] ≤ 2q(n)/2^n, so Pr[Overlap] ≤ 2q(n)²/2^n. Therefore

  Pr[Priv^cpa_{A,Π~}(n) = 1] ≤ Pr[Overlap] + Pr[Priv^cpa_{A,Π~}(n) = 1 ∧ ¬Overlap] ≤ 2q(n)²/2^n + 1/2.

The next step is to reason that if the random function is replaced by the pseudo-random function and the scheme is not CPA-secure, then we can frame a PPT algorithm D which is able to distinguish the function F from a random function f. This proof is left as an exercise.

Block length and security

Interestingly, we see that it is not only the key length but also the block length which decides the security. Consider a block length of 64 bits. The adversary's success probability in the CPA sense is thus around 1/2 + q²/2^63. Thus if we have around 2^30 queries, we have a practical attack! (Only 1 GB of queries and storage is required.) So we need to increase the block length.
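Randomized counter mode from the slides above and the 2q(n)²/2^n bound, as an added example that is not from the lecture: F_k is HMAC-SHA256 truncated to 16 bytes (an assumption standing in for the abstract PRF), and the bound functions reproduce the 64-bit figure of 1/2 + q²/2^63 at q = 2^30 so it can be compared with the same q at a 128-bit block.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction

N = 16  # block length n in bytes; here n = 128 bits

def prf(key, x):
    """F_k(x). Assumption: HMAC-SHA256 truncated to N bytes stands in for the PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def mask(key, ctr, i):
    """Key-stream block F_k(ctr + i); the counter wraps modulo 2^n."""
    return prf(key, ((ctr + i) % (1 << (8 * N))).to_bytes(N, "big"))

def ctr_encrypt(key, m):
    """Randomized counter mode: fresh random ctr, block i becomes m_i XOR F_k(ctr + i).
    m must already be a whole number of blocks (the slides assume unambiguous padding)."""
    assert len(m) % N == 0
    ctr = secrets.randbelow(1 << (8 * N))
    blocks = [m[j:j + N] for j in range(0, len(m), N)]
    body = b"".join(xor(mask(key, ctr, i), mi) for i, mi in enumerate(blocks, start=1))
    return ctr.to_bytes(N, "big") + body  # ctr is sent in the clear

def ctr_decrypt(key, c):
    """Recompute the same key stream from the transmitted ctr and XOR it off."""
    ctr, body = int.from_bytes(c[:N], "big"), c[N:]
    blocks = [body[j:j + N] for j in range(0, len(body), N)]
    return b"".join(xor(mask(key, ctr, i), ci) for i, ci in enumerate(blocks, start=1))

def overlap_i_probability(n_bits, q):
    """Pr[Overlap_i] for one q-block query: ctr_i must land on one of the 2q-1 values
    ctr*+1-q .. ctr*+q-1, so the probability is exactly (2q-1)/2^n <= 2q/2^n."""
    return Fraction(2 * q - 1, 2 ** n_bits)

def cpa_success_bound(n_bits, q):
    """The slides' bound on the adversary's success in Priv^cpa: 1/2 + 2q^2/2^n."""
    return Fraction(1, 2) + Fraction(2 * q * q, 2 ** n_bits)
```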