Pseudo-random Functions
Debdeep Mukhopadhyay
IIT Kharagpur

PRG vs PRF
We have seen the construction of PRGs (pseudo-random generators) from any one-way function.
Now we shall consider a related concept: pseudo-random functions. Instead of strings, we consider functions.
It does not make much sense to call a fixed function pseudo-random.
Keyed Functions
So, we have keyed functions. A keyed function is $F:\{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$. The first input is called the key.
The key $k$ is chosen randomly and then fixed, resulting in a single-argument function $F_k:\{0,1\}^* \to \{0,1\}^*$.
Assume that the functions are length preserving, meaning that the input, output and key are all of the same size $n$.

Pseudo-random Functions
No polynomial time adversary should be able to distinguish whether it is interacting with:
$F_k$ (for a randomly chosen $k$), or
$f$ (where $f$ is chosen at random from the set of all functions mapping $n$-bit strings to $n$-bit strings).
Cardinality of All Possible Functions
Set of all keyed functions: the former is chosen from a distribution over at most $2^n$ distinct functions (one per key).
Set of all possible random functions: the latter is chosen from all $2^{n \cdot 2^n}$ functions from $n$-bit strings to $n$-bit strings.
Despite this, the behaviour of the two must look the same to a PPT adversary.

Formally
Let $F:\{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. $F$ is said to be a pseudo-random function if for every probabilistic polynomial time distinguisher $D$ there exists a negligible function $\mathrm{negl}(n)$ such that
$$\left|\Pr[D^{F_k(\cdot)}(1^n)=1] - \Pr[D^{f(\cdot)}(1^n)=1]\right| \le \mathrm{negl}(n),$$
where $k$ is chosen uniformly at random and $f$ is chosen uniformly at random from the set of functions mapping $n$-bit strings to $n$-bit strings.
Encryption with a PRF
[Figure: a fresh random string $r$ is fed to the pseudorandom function $F_k$ to produce a pad; the plaintext is XORed with the pad to give the ciphertext.]

Some finer points
If $x$ and $x'$ differ, the outputs $F_k(x)$ and $F_k(x')$ should not be correlated.
The distinguisher $D$ is not given the key: it is meaningless to talk about pseudorandomness once the key is given. One can compute $y = F_k(0^n)$ and then query the oracle at $0^n$ to obtain $y'$:
if the oracle is $F_k$, always $y = y'$;
if the oracle is a random $f$, $y = y'$ only with probability $2^{-n}$.
Thus we have a distinguisher.
Security against CPA
Def: An adversary $A$ should not be able to distinguish the encryptions of two arbitrary messages.
Experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$ (IND Exp):
1. A key $k$ is generated by running $\mathrm{Gen}(1^n)$.
2. Adversary $A$ is given $1^n$ and oracle access to $\mathrm{Enc}_k(\cdot)$, and outputs a pair of messages $m_0, m_1$ of the same length.
3. A random bit $b \in \{0,1\}$ is chosen, and a ciphertext $c = \mathrm{Enc}_k(m_b)$ is computed and given to $A$ as a challenge. We call $c$ the challenge ciphertext.
4. Adversary $A$ continues to have oracle access to $\mathrm{Enc}_k(\cdot)$ and outputs a bit $b'$.
5. The output of the experiment is 1 if $b' = b$, and 0 otherwise.
$A$ succeeds when $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1$.
Definition of Indistinguishable under CPA
An encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ has indistinguishable encryptions under CPA (it is called CPA-secure) if for all PPT adversaries $A$ there exists a negligible function $\mathrm{negl}(n)$ such that
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] \le \frac{1}{2} + \mathrm{negl}(n),$$
where the probabilities are taken over the random coins used by $A$ as well as the random coins used in the experiment.
In a CPA-secure scheme the encryption has to be probabilistic. Consider a deterministic encryption $\mathrm{Enc}_k(m) = F_k(m)$. Given $c = \mathrm{Enc}_k(m_b)$, it is possible to ask the oracle for $\mathrm{Enc}_k(m_0)$ and $\mathrm{Enc}_k(m_1)$ and look for a match. Accordingly $b$ is discovered easily; thus the scheme is not secure.
A CPA-Secure Encryption Scheme from any PRF
Let $F$ be a PRF. Define an encryption scheme as follows:
1. $\mathrm{Gen}$: on input $1^n$ (the security parameter), choose $k \in \{0,1\}^n$ uniformly at random as the key.
2. $\mathrm{Enc}$: on input a key $k \in \{0,1\}^n$ and a message $m \in \{0,1\}^n$, choose $r \in \{0,1\}^n$ uniformly at random and output the ciphertext $c = \langle r, F_k(r) \oplus m \rangle$.
3. $\mathrm{Dec}$: on input a key $k$ and a ciphertext $\langle r, s \rangle$, output $m = F_k(r) \oplus s$.
Theorem: If $F$ is a pseudorandom function, then the above construction is a fixed-length symmetric-key scheme for messages of length $n$ that has indistinguishable encryptions under a chosen-plaintext attack.
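The PRF-based scheme above and the IND-CPA experiment, as an added example that is not part of the slides: it runs the two-query "look for a match" adversary from the deterministic-encryption discussion against both $\mathrm{Enc}_k(m) = F_k(m)$ and $\langle r, F_k(r) \oplus m \rangle$. Assumptions: HMAC-SHA256 truncated to $n = 128$ bits stands in for the PRF $F_k$, and the function names `gen`, `enc`, `dec`, `privk_cpa` and `match_adversary` are mine.

```python
import hmac
import hashlib
import secrets

N = 16  # block length in bytes, i.e. n = 128 bits

def prf(k: bytes, x: bytes) -> bytes:
    """F_k: {0,1}^n -> {0,1}^n. Assumption: HMAC-SHA256 truncated to n bits stands in for the PRF."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def gen() -> bytes:
    return secrets.token_bytes(N)                # k uniform in {0,1}^n

def enc(k: bytes, m: bytes) -> tuple:
    r = secrets.token_bytes(N)                   # fresh r for every encryption
    return (r, xor(prf(k, r), m))                # c = <r, F_k(r) xor m>

def dec(k: bytes, c: tuple) -> bytes:
    r, s = c
    return xor(prf(k, r), s)                     # m = F_k(r) xor s

def enc_det(k: bytes, m: bytes) -> bytes:
    return prf(k, m)                             # deterministic Enc_k(m) = F_k(m), which is not CPA-secure

def privk_cpa(encrypt, adversary) -> int:
    """One run of PrivK^cpa: returns 1 if the adversary's guess b' equals the hidden bit b."""
    k = gen()
    oracle = lambda m: encrypt(k, m)
    m0, m1 = bytes(N), b"\xff" * N               # A's two equal-length messages (constructed)
    b = secrets.randbits(1)
    challenge = oracle((m0, m1)[b])
    return int(adversary(oracle, m0, m1, challenge) == b)

def match_adversary(oracle, m0, m1, challenge) -> int:
    """Re-encrypt m0 through the oracle and compare with the challenge ciphertext."""
    return 0 if oracle(m0) == challenge else 1

def success_rate(encrypt, trials: int = 200) -> float:
    """Empirical Pr[PrivK^cpa = 1] for the match adversary against the given scheme."""
    return sum(privk_cpa(encrypt, match_adversary) for _ in range(trials)) / trials
```

Against `enc_det` the match adversary wins every run; against `enc` the fresh $r$ makes the re-encryption useless and it wins about half the time.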
Proof
The proof follows a general principle. First prove that the system is secure when a truly random function is used. Next prove that if the system were insecure when the pseudorandom function is used, then we could build a distinguisher against the PRF.
Let $\tilde{\Pi} = (\widetilde{\mathrm{Gen}}, \widetilde{\mathrm{Enc}}, \widetilde{\mathrm{Dec}})$ be an encryption scheme that is exactly the same as $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$, except that a truly random function $f$ is used in place of $F_k$. Thus $\widetilde{\mathrm{Gen}}(1^n)$ chooses a random function $f \in \mathrm{Func}_n$, and $\widetilde{\mathrm{Enc}}$ is just like $\mathrm{Enc}$ except that $f$ is used instead of $F_k$.
Claim: For every adversary $A$ that makes at most $q(n)$ queries to its encryption oracle,
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] \le \frac{1}{2} + \frac{q(n)}{2^n}.$$
Proof: Each time a message $m$ is encrypted, a random $r \in \{0,1\}^n$ is chosen and the ciphertext is $\langle r, m \oplus f(r) \rangle$. Let $r_c$ be the random string used when generating the challenge ciphertext $c = \langle r_c, f(r_c) \oplus m_b \rangle$.
Define Repeat as the event that $r_c$ is used by the encryption oracle to answer at least one of $A$'s queries. Clearly, $\Pr[\mathrm{Repeat}] \le q(n)/2^n$. Also, $\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \mid \overline{\mathrm{Repeat}}] = \frac{1}{2}$, since then $f(r_c)$ is a uniform string that $A$ never sees elsewhere. Hence
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] = \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \wedge \mathrm{Repeat}] + \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \wedge \overline{\mathrm{Repeat}}] \le \Pr[\mathrm{Repeat}] + \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \mid \overline{\mathrm{Repeat}}] \le \frac{q(n)}{2^n} + \frac{1}{2}.$$

Construct a Distinguisher for the PRF
Let $\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] = \frac{1}{2} + \varepsilon(n)$. If $\varepsilon$ is not negligible, then the difference between this probability and the bound above is also non-negligible. Such a gap will enable us to distinguish the PRF from a truly random function.
Distinguisher $D$
$D$ is given input $1^n$ and an oracle $O:\{0,1\}^n \to \{0,1\}^n$. $D$ answers the queries made by $A$ in the IND experiment.
1. Run $A(1^n)$. Whenever $A$ queries its encryption oracle on a message $m$, answer this query in the following way:
   a) Choose $r \in \{0,1\}^n$ uniformly at random.
   b) Query $O(r)$ and obtain the response $s'$.
   c) Return to $A$ the ciphertext $\langle r, s' \oplus m \rangle$.
2. When $A$ outputs $m_0, m_1 \in \{0,1\}^n$, choose a random bit $b \in \{0,1\}$.
   a) Choose $r \in \{0,1\}^n$ uniformly at random.
   b) Query $O(r)$ and obtain the response $s'$.
   c) Return to $A$ the challenge ciphertext $\langle r, s' \oplus m_b \rangle$.
3. Continue answering $A$'s queries as above. When $A$ outputs a bit $b'$, $D$ outputs 1 if $b = b'$ and 0 otherwise.

1. If $D$'s oracle is the PRF $F_k$, then the view of $A$ when run as a subroutine by $D$ is distributed identically to the view of $A$ in experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$. Thus $\Pr[D^{F_k(\cdot)}(1^n) = 1] = \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1]$.
2. If $D$'s oracle is a random function $f$, then the view of $A$ when run as a subroutine by $D$ is distributed identically to the view of $A$ in experiment $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n)$. Thus $\Pr[D^{f(\cdot)}(1^n) = 1] = \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1]$.
Thus
$$\left|\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1]\right| \ge \varepsilon(n) - \frac{q(n)}{2^n},$$
which is non-negligible if $\varepsilon(n)$ is. This violates the PRF property of $F$.
A CPA-Secure Scheme for Messages of Arbitrary Length
Consider $m = m_1 m_2 \ldots m_l$, where each $m_i$ is an $n$-bit block. The ciphertext is
$$\langle r_1, F_k(r_1) \oplus m_1,\ r_2, F_k(r_2) \oplus m_2,\ \ldots,\ r_l, F_k(r_l) \oplus m_l \rangle.$$
Corollary: If $F$ is a pseudorandom function, then the scheme above is a private-key encryption scheme for arbitrary-length messages that has indistinguishable encryptions under a chosen-plaintext attack.

Pseudo-random Permutations and Block Ciphers
Let $F:\{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. It is called a keyed permutation if for every key $k$ the function $F_k$ is one-to-one. Since the function is length preserving, it is also a bijection, and hence an inverse permutation exists; we call it $F_k^{-1}$. The keyed permutation is efficient if, given $k$ and $x$, it is easy to compute both $F_k(x)$ and $F_k^{-1}(x)$.
Randomly chosen permutations and randomly chosen functions are not distinguishable with a polynomial number of queries. If $F$ is a pseudorandom permutation then it is also a pseudorandom function.

Pseudorandom Permutation
It is also a permutation. Moreover there exists an efficient inverse, $P_K^{-1}$. A pseudorandom permutation is also a pseudorandom function.
Strong pseudorandom permutation: no efficient algorithm $A$ can distinguish well between $\langle P_K(\cdot), P_K^{-1}(\cdot) \rangle$ and $\langle \Pi(\cdot), \Pi^{-1}(\cdot) \rangle$ for a randomly chosen key $K$ and a random permutation $\Pi$. That is, $A^{P_K(\cdot),\,P_K^{-1}(\cdot)}$ behaves like $A^{\Pi(\cdot),\,\Pi^{-1}(\cdot)}$.
Building Pseudorandom Permutations
We can build pseudorandom permutations from a pseudorandom function $F$. Define
$$D_F(x, y) = (y,\ F(y) \oplus x).$$
Note that this is injective, and that this does not depend on whether $F$ is injective or not. Note also that $D_F$ and $D_F^{-1}$ are efficiently computable. This construction was originally due to Horst Feistel.

Strong Pseudorandom Permutations
Let $F:\{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient keyed permutation. We say that $F$ is a strong pseudorandom permutation if for all probabilistic polynomial time distinguishers $D$ there exists a negligible function $\mathrm{negl}$ such that
$$\left|\Pr[D^{F_k(\cdot),\,F_k^{-1}(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot),\,f^{-1}(\cdot)}(1^n) = 1]\right| \le \mathrm{negl}(n),$$
where $k \in \{0,1\}^n$ is chosen uniformly at random and $f$ is chosen uniformly from the set of permutations on $n$-bit strings.
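The Feistel map $D_F(x, y) = (y, F(y) \oplus x)$ and its inverse, as an added example that is not from the slides; it also composes several rounds, which the slides do not do, and checks exhaustively on single-byte halves that the result is a permutation even when $F$ is deliberately non-injective. The round function `lossy_f` is a constructed toy, and the helper names are mine; the check is about invertibility only, not pseudorandomness.

```python
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def feistel_round(F, x: bytes, y: bytes) -> tuple:
    """D_F(x, y) = (y, F(y) xor x): one Feistel round on a pair of half-blocks."""
    return (y, xor(F(y), x))

def feistel_round_inv(F, u: bytes, v: bytes) -> tuple:
    """D_F^{-1}(u, v) = (F(u) xor v, u): only F itself is needed, never an inverse of F."""
    return (xor(F(u), v), u)

def feistel(Fs, x: bytes, y: bytes) -> tuple:
    """Compose one round per round function in Fs (generalisation to r rounds)."""
    for F in Fs:
        x, y = feistel_round(F, x, y)
    return (x, y)

def feistel_inv(Fs, x: bytes, y: bytes) -> tuple:
    """Undo the rounds in reverse order."""
    for F in reversed(Fs):
        x, y = feistel_round_inv(F, x, y)
    return (x, y)

def lossy_f(y: bytes) -> bytes:
    """Deliberately non-injective round function (constructed): 256 inputs map to only 4 outputs."""
    return bytes([y[0] & 0x03])

def is_bijection_on_byte_halves(Fs) -> bool:
    """Exhaustively check that the composed map permutes all 2^16 pairs of single-byte halves."""
    outputs = {feistel(Fs, bytes([x]), bytes([y])) for x in range(256) for y in range(256)}
    return len(outputs) == 65536

def round_trips(Fs) -> bool:
    """Inverse recovers the input for a grid of sample pairs."""
    return all(feistel_inv(Fs, *feistel(Fs, bytes([x]), bytes([y]))) == (bytes([x]), bytes([y]))
               for x in range(0, 256, 17) for y in range(0, 256, 13))
```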
Block Ciphers
The practical analogue of strong pseudorandom permutations is block ciphers.
Note: block ciphers themselves are not secure encryption schemes. $c = F_k(m)$ is not secure (why?). So block ciphers are building blocks for efficient encryption schemes and not encryption schemes by themselves.

Modes of Operation of Block Ciphers
These are ways of encrypting arbitrary-length messages using a block cipher. The difference between the ciphertext length and the message length is small in this case.
It may be noted that messages of arbitrary length can be padded so that their length is a multiple of the block length $n$. Since this can be done without any ambiguity, we assume that the messages are made of $l$ blocks, each of length $n$.
Modes of Encryption
Electronic Code Book (ECB)
[Figure: blocks $m_1, m_2, m_3$ are each passed through $F_k$ to give $c_1, c_2, c_3$.]
Deterministic encryption, and thus cannot be CPA-secure. Not message indistinguishable either.

Cipher Block Chaining (CBC)
[Figure: $m_1, m_2, m_3$; each block is XORed with the previous ciphertext block (the IV for the first) before $F_k$, giving $c_1, c_2, c_3$.]
Parallelisation is not possible.
A random IV (initial vector) of size $n$ bits is chosen. The IV is sent in the clear for decryption.
Probabilistic, and if $F$ is a pseudo-random permutation then CBC is CPA-secure.
Output Feedback Mode (OFB)
[Figure: the IV is fed through $F_k$ repeatedly to produce a key stream, which is XORed with $m_1, m_2, m_3$ to give $c_1, c_2, c_3$.]
If $F$ is a pseudorandom function then this is secure against CPA. Note that $F$ need not be a permutation.
Parallelism is not possible, but pre-processing of the key stream can lead to extremely fast operation.

Counter Mode
[Figure: starting from an initial value $\mathrm{ctr}$, the values $\mathrm{ctr}+1, \mathrm{ctr}+2, \mathrm{ctr}+3$ are each passed through $F_k$ and XORed with $m_1, m_2, m_3$; $\mathrm{ctr}$ itself accompanies the ciphertext.]
Theorem: If $F$ is a pseudo-random function, then randomized counter mode has indistinguishable encryptions under a chosen-plaintext attack (CPA).
Proof idea
First consider that a truly random function $f$ is used. Let $\mathrm{ctr}^*$ denote the initial value $\mathrm{ctr}$ when the challenge ciphertext is generated in the experiment $\mathrm{PrivK}^{\mathrm{cpa}}$. For the $i$-th block of the message, whether it comes from $m_0$ or $m_1$, the value $\mathrm{ctr}^* + i$ was used to generate $f(\mathrm{ctr}^* + i)$. Now, if $\mathrm{ctr}^* + i$ was never accessed before, then the key stream is random and acts like a one-time pad. Thus the adversary has no advantage in deciding whether $m_i$ was the corresponding plaintext block of the challenge ciphertext. So we have to find the probability that $\mathrm{ctr}^* + i$ actually "matches" one of the queries of the adversary $A$.
Proof idea (continued)
The adversary $A$ makes $q(n)$ queries. The starting IV value for the $i$-th query is denoted by $\mathrm{ctr}_i$. Let each message be of block length $q(n)$. We divide the entire scenario into two mutually exclusive cases:
1. There do not exist any $i, j, j'$ for which $\mathrm{ctr}^* + j = \mathrm{ctr}_i + j'$. Here $\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] = \frac{1}{2}$.
2. There exist $i, j, j'$ for which $\mathrm{ctr}^* + j = \mathrm{ctr}_i + j'$. In this case $A$ can easily determine $f(\mathrm{ctr}^* + j) = f(\mathrm{ctr}_i + j')$ and thus compute $m_j$; thus it can predict whether $m_0$ or $m_1$ was encrypted.
Let $\mathrm{Overlap}_i$ denote the event that the sequence $\mathrm{ctr}_i + 1, \ldots, \mathrm{ctr}_i + q(n)$ overlaps the sequence $\mathrm{ctr}^* + 1, \ldots, \mathrm{ctr}^* + q(n)$. Considering the two sequences $\mathrm{ctr}^* + 1, \ldots, \mathrm{ctr}^* + q(n)$ and $\mathrm{ctr}_i + 1, \ldots, \mathrm{ctr}_i + q(n)$, $\mathrm{Overlap}_i$ occurs when $\mathrm{ctr}_i + 1 \le \mathrm{ctr}^* + q(n)$ and $\mathrm{ctr}_i + q(n) \ge \mathrm{ctr}^* + 1$, that is, when
$$\mathrm{ctr}^* + 1 - q(n) \le \mathrm{ctr}_i \le \mathrm{ctr}^* + q(n) - 1.$$
Proof
We define the event $\mathrm{Overlap}$ as $\mathrm{Overlap}_i$ occurring for any $i$, so that
$$\Pr[\mathrm{Overlap}] \le \sum_{i=1}^{q(n)} \Pr[\mathrm{Overlap}_i].$$
Now, $\mathrm{ctr}_i$ is uniform over $2^n$ values and the interval above contains $2q(n) - 1$ of them, so $\Pr[\mathrm{Overlap}_i] \le \frac{2q(n) - 1}{2^n}$ and $\Pr[\mathrm{Overlap}] \le \frac{q(n)(2q(n) - 1)}{2^n} < \frac{2q(n)^2}{2^n}$. Hence
$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] \le \Pr[\mathrm{Overlap}] + \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1 \mid \overline{\mathrm{Overlap}}] < \frac{2q(n)^2}{2^n} + \frac{1}{2}.$$
The next step is to reason that if the random function is replaced by the pseudo-random function and the scheme is not CPA-secure, then we can frame a PPT algorithm $D$ which is able to distinguish the function $F$ from a random function $f$. This proof is left as an exercise.
Block Length and Security
Interestingly, we see that it is not only the key length but also the block length that decides the security. Consider a block length of 64 bits. The adversary's success probability in the CPA sense is thus around $\frac{1}{2} + q^2/2^{63}$. Thus if we have around $2^{30}$ queries, then we have a practical attack (only about 1G queries and the corresponding storage required). So we need to increase the block length.
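Randomized counter mode as defined above, the $\mathrm{Overlap}_i$ interval test from the proof, and the resulting $\frac{1}{2} + 2q^2/2^n$ bound evaluated for the 64-bit-block case, as an added example that is not from the slides. Assumptions: HMAC-SHA256 truncated to the block size stands in for the PRF $F_k$, and the function names are mine.

```python
import hmac
import hashlib
import secrets

N = 16  # block size and PRF output size in bytes (n = 128 bits)
MOD = 1 << (8 * N)  # counter arithmetic is modulo 2^n

def prf(k: bytes, x: bytes) -> bytes:
    """Assumption: HMAC-SHA256 truncated to n bits stands in for the PRF F_k."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def gen() -> bytes:
    return secrets.token_bytes(N)

def keystream(k: bytes, ctr: int, nblocks: int) -> list:
    """Blocks F_k(ctr+1), ..., F_k(ctr+l), as in the counter-mode figure."""
    return [prf(k, ((ctr + i) % MOD).to_bytes(N, "big")) for i in range(1, nblocks + 1)]

def ctr_encrypt(k: bytes, m: bytes) -> tuple:
    """Randomized counter mode: fresh random ctr, c_i = F_k(ctr+i) xor m_i; ctr is sent in the clear."""
    assert len(m) % N == 0, "message is assumed already padded to whole blocks"
    ctr = secrets.randbelow(MOD)
    blocks = [m[i:i + N] for i in range(0, len(m), N)]
    return ctr, b"".join(xor(s, b) for s, b in zip(keystream(k, ctr, len(blocks)), blocks))

def ctr_decrypt(k: bytes, ctr: int, c: bytes) -> bytes:
    blocks = [c[i:i + N] for i in range(0, len(c), N)]
    return b"".join(xor(s, b) for s, b in zip(keystream(k, ctr, len(blocks)), blocks))

def overlaps(ctr_star: int, ctr_i: int, q: int) -> bool:
    """Overlap_i: ctr_i+1..ctr_i+q meets ctr*+1..ctr*+q, i.e. ctr*+1-q <= ctr_i <= ctr*+q-1."""
    return ctr_star + 1 - q <= ctr_i <= ctr_star + q - 1

def overlap_bound(n: int, q: int) -> float:
    """Pr[Overlap] <= q(2q-1)/2^n from the proof (q queries, q blocks each)."""
    return q * (2 * q - 1) / 2 ** n

def cpa_success_bound(n: int, q: int) -> float:
    """1/2 + 2q^2/2^n: the adversary's success bound with a truly random function."""
    return 0.5 + 2 * q * q / 2 ** n
```

With $n = 64$ and $q = 2^{30}$ the bound is $\frac{1}{2} + \frac{1}{8}$, the practical-attack regime the last slide describes.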