Lecture 11: Pseudorandom functions


COM S 6830 Cryptography                                   Oct 1, 2009
Instructor: Rafael Pass                              Scribe: Stefano Ermon

1 Recap

Definition 1 (Gen, Enc, Dec) is a single-message secure encryption scheme if for all n.u.p.p.t. (non-uniform probabilistic polynomial-time) adversaries A there exists a negligible function $\epsilon(\cdot)$ such that for all $n \in \mathbb{N}$ and all $m, m' \in \{0,1\}^n$, A distinguishes

$\{k \leftarrow \mathrm{Gen}(1^n) : \mathrm{Enc}_k(m)\}$ and $\{k \leftarrow \mathrm{Gen}(1^n) : \mathrm{Enc}_k(m')\}$

with probability at most $\epsilon(n)$.

This definition of security is similar to Shannon's, except that here the ensembles of probability distributions need to be indistinguishable rather than identical. We proved that the encryption scheme $\mathrm{Enc}_k(m) = m \oplus G(k)$ is secure if G is a length-doubling PRG, but is it secure if the same key is used to encrypt many messages?

2 Multi-message security

Definition 2 (Multi-message secure encryption) (Gen, Enc, Dec) is a multi-message secure encryption scheme if for all n.u.p.p.t. A and all polynomials $q(\cdot)$ there exists a negligible function $\epsilon(\cdot)$ such that for all $n \in \mathbb{N}$ and all pairs of sequences of messages $m_0, m_1, \ldots, m_{q(n)}$ and $m'_0, m'_1, \ldots, m'_{q(n)} \in \{0,1\}^n$, A distinguishes

$\{k \leftarrow \mathrm{Gen}(1^n) : \mathrm{Enc}_k(m_0), \ldots, \mathrm{Enc}_k(m_{q(n)})\}$ and $\{k \leftarrow \mathrm{Gen}(1^n) : \mathrm{Enc}_k(m'_0), \ldots, \mathrm{Enc}_k(m'_{q(n)})\}$

with probability at most $\epsilon(n)$.

According to this definition the scheme $\mathrm{Enc}_k(m) = m \oplus G(k)$ introduced above is not multi-message secure, and more generally:

Theorem 1 There is no deterministic stateless multi-message secure encryption scheme.

Proof. Consider two messages $m_0 \neq m_1$ and the two sequences $(m_0, m_0)$ and $(m_0, m_1)$. Since the scheme is stateless and deterministic, the first sequence encrypts to $(\mathrm{Enc}_k(m_0), \mathrm{Enc}_k(m_0))$, two identical ciphertexts. The second encrypts to $(\mathrm{Enc}_k(m_0), \mathrm{Enc}_k(m_1))$ with $\mathrm{Enc}_k(m_0) \neq \mathrm{Enc}_k(m_1)$ (the two ciphertexts must differ, otherwise decryption could not recover both messages). A distinguisher that outputs 1 exactly when the two ciphertexts are equal therefore tells the two sequences apart with probability 1, in polynomial time.
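The distinguisher from the proof of Theorem 1, run against the recap's scheme $\mathrm{Enc}_k(m) = m \oplus G(k)$, as an added Python example (this is not code from the notes). SHAKE-256 is used as a stand-in for the PRG G; that choice, the key and the sample messages are assumptions of the example. The last function shows the practical consequence of the theorem for this particular scheme: reusing the pad leaks the XOR of the plaintexts, so knowing one message reveals the other.

```python
import hashlib


def prg(seed: bytes, out_len: int) -> bytes:
    """PRG stand-in (assumption: SHAKE-256 used as an extendable-output function)."""
    return hashlib.shake_256(seed).digest(out_len)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def enc_prg(key: bytes, m: bytes) -> bytes:
    """Enc_k(m) = m xor G(k) from the recap: single-message secure, deterministic, stateless."""
    return xor(m, prg(key, len(m)))


def equality_distinguisher(ciphertexts) -> int:
    """The D from the proof of Theorem 1: output 1 iff the two ciphertexts in the sequence are equal."""
    c1, c2 = ciphertexts
    return int(c1 == c2)


def distinguishing_advantage(enc, key: bytes, m0: bytes, m1: bytes) -> int:
    """|Pr[D = 1 on (Enc_k(m0), Enc_k(m0))] - Pr[D = 1 on (Enc_k(m0), Enc_k(m1))]|.

    `enc` may be any deterministic stateless encryption function.  For such a scheme the
    first probability is 1 and the second is 0, so the advantage is exactly 1, whatever `enc` is."""
    world_same = equality_distinguisher([enc(key, m0), enc(key, m0)])
    world_diff = equality_distinguisher([enc(key, m0), enc(key, m1)])
    return abs(world_same - world_diff)


def recover_with_known_plaintext(c0: bytes, c1: bytes, m0: bytes) -> bytes:
    """Concrete damage for Enc_k(m) = m xor G(k): c0 xor c1 = m0 xor m1 because the pad cancels,
    so an attacker who knows (or guesses) m0 reads m1 directly off the two ciphertexts."""
    return xor(xor(c0, c1), m0)
```

`distinguishing_advantage` takes the encryption function as a parameter on purpose: the equality test does not depend on how `enc` works, only on it being deterministic and stateless, which is exactly what Theorem 1 says.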

2.1 Stateful and deterministic scheme

If we allow an encryption scheme to be stateful, it is easy to build a multi-message secure scheme. Given a key of fixed length it is possible to generate an arbitrarily long string of pseudorandom bits with a PRG, and then XOR each message in the sequence with a fresh portion of this larger key. The state is used to keep track of how many bits have already been used. The problem with this approach is that Alice and Bob need to stay synchronized, so that they always know which portion of the larger key was used to encrypt a given message.

2.2 Stateless and non-deterministic scheme

One possible idea to build a stateless and randomized scheme is to generate a long pseudorandom string of bits from a key k with a PRG G, then pick an index i at random and let

$\mathrm{Enc}_k(m) = i \,\|\, (m \oplus G(k)[i])$

where $G(k)[i]$ denotes the i-th block of the string generated by the PRG. The problem with this approach is that a PRG can expand only polynomially, so the index i has only $O(\log n)$ bits. After polynomially many encryptions the same index is chosen more than once with non-negligible probability (a birthday collision), and whenever that happens the XOR of the two ciphertext bodies equals the XOR of the two plaintexts, so the scheme is not multi-message secure. The idea to solve this problem is to introduce a pseudorandom function that allows us to index exponentially many bits in polynomial time, so that i can be an n-bit string. Intuitively this object should have a short description, but should be able to emulate an exponentially long string of random bits.

3 Pseudorandom functions

Definition 3 A random function $F : \{0,1\}^n \to \{0,1\}^n$ is a map that associates to each $x \in \{0,1\}^n$ a uniformly random string $y = F(x) \in \{0,1\}^n$. This object can be completely described by an array of $2^n$ entries that stores the image of each possible input under F. Since each entry is n bits long, $n \cdot 2^n$ bits are needed to store the entire table, and for any n there are $2^{n \cdot 2^n}$ possible functions of this type.

A random function can also be interpreted algorithmically, as a machine that works as follows. Given an input x, if it has not been seen before, the machine samples $y \leftarrow \{0,1\}^n$ uniformly at random, outputs it, and stores the pair $(x, y = F(x))$ in a table. If x has been seen before, it outputs the value F(x) stored in the table. It is easy to see that a polynomial number of queries to the machine can be answered in polynomial time.

3.1 Pseudorandom functions

Intuitively we would like a pseudorandom function (PRF) to look like a random function to any n.u.p.p.t. adversary, even though the PRF starts from only an n-bit seed. In other words, we would like a way to compress exponentially many ($\exp(n)$) bits into n bits, as we did with PRGs. To define this concept formally we will need a new notion of indistinguishability: a computationally bounded adversary cannot simply be handed a random function to compare against, because it has an exponentially long description. For this reason we consider a new class of adversaries that have oracle access to a black box that is either a PRF or a truly random function, and they have to decide which one they are interacting with.

Definition 4 (Oracle indistinguishability) Let $\{O_n\}_{n \in \mathbb{N}}$ and $\{O'_n\}_{n \in \mathbb{N}}$ be ensembles of probability distributions, where $O_n$ and $O'_n$ are distributions over functions $\{0,1\}^{l_1(n)} \to \{0,1\}^{l_2(n)}$ and $l_1, l_2$ are polynomials. We say that $\{O_n\}_{n \in \mathbb{N}}$ and $\{O'_n\}_{n \in \mathbb{N}}$ are computationally indistinguishable if for all oracle n.u.p.p.t. D there exists a negligible function $\epsilon(\cdot)$ such that for all $n \in \mathbb{N}$

$\left| \Pr[F \leftarrow O_n : D^F(1^n) = 1] - \Pr[F \leftarrow O'_n : D^F(1^n) = 1] \right| \le \epsilon(n).$

In this definition $D^F$ is an oracle Turing machine, that is, a Turing machine augmented with a component called an oracle that answers queries to F (D can evaluate F on inputs of its choice, but learns nothing else about F). It can be proved that the notion of oracle indistinguishability satisfies the three lemmas previously proved for standard indistinguishability (closure under efficient operations, the Hybrid Lemma, and the Prediction Lemma).

We are now ready to define pseudorandom functions. Let $\mathrm{RF}_n$ be the distribution that picks one of the $2^{n \cdot 2^n}$ functions mapping $\{0,1\}^n \to \{0,1\}^n$ uniformly at random.

Definition 5 (Pseudorandom function) A family of functions $\mathcal{F} = \{f_s : \{0,1\}^{l(|s|)} \to \{0,1\}^{l(|s|)}\}_{s \in \{0,1\}^*}$ is a family of pseudorandom functions if

(Easy to compute): Given $s \in \{0,1\}^n$ and $x \in \{0,1\}^{l(n)}$, $f_s(x)$ can be efficiently computed (in p.p.t. time).

(Pseudorandom): $\{s \leftarrow \{0,1\}^n : f_s\}_{n \in \mathbb{N}}$ is computationally indistinguishable from $\{F \leftarrow \mathrm{RF}_{l(n)} : F\}_{n \in \mathbb{N}}$.

Notice that to get indistinguishability it is fundamental that the seed s is not revealed to the adversary. Otherwise it would be easy to distinguish the two oracles by querying the oracle on any value x and checking whether the response equals $f_s(x)$.
4 Existence of pseudorandom functions

We will show that the existence of a pseudorandom generator (PRG) implies the existence of a pseudorandom function (PRF). Combined with previously proved results this gives

$\mathrm{OWP} \Rightarrow \mathrm{PRG} \Rightarrow \mathrm{PRF}$

where OWP stands for the existence of one-way permutations.

It is also possible to prove that $\mathrm{OWF} \Rightarrow \mathrm{PRG} \Rightarrow \mathrm{PRF}$, where OWF stands for the existence of one-way functions. Moreover, the existence of a PRF implies the existence of a PRG: a PRG is obtained by evaluating the PRF on a sufficient number of distinct inputs (for instance $f_s(0), f_s(1), f_s(2), \ldots$) and concatenating the outputs, which gives the required expansion.

Theorem 2 If there exists a pseudorandom generator, then there exists a pseudorandom function.

Proof. Let, without loss of generality, $G(x) = G_0(x) \,\|\, G_1(x)$ be a length-doubling PRG, so that $|G_0(x)| = |G_1(x)| = |x|$. We define the candidate pseudorandom function

$f_s(b_1, b_2, \ldots, b_n) = G_{b_n}(G_{b_{n-1}}(\ldots G_{b_2}(G_{b_1}(s)) \ldots)).$

At each of the n calls f keeps only one half of the output of the pseudorandom generator, so the recursive calls to G can be represented as a binary tree of depth n with root s, where the node reached by following the bits $b_1 \ldots b_d$ is $s_{b_1 \ldots b_d} = G_{b_d}(s_{b_1 \ldots b_{d-1}})$ and the $2^n$ leaves are the possible outputs of f. The first two levels are:

                          s
               /                     \
       s_0 = G_0(s)               s_1 = G_1(s)
        /        \                 /        \
s_00 = G_0(s_0)  s_01 = G_1(s_0)  s_10 = G_0(s_1)  s_11 = G_1(s_1)

We need to show that f is a PRF. By contradiction, assume there exists a distinguisher D and a polynomial $p(\cdot)$ such that D distinguishes $\{s \leftarrow \{0,1\}^n : f_s\}$ from $\{F \leftarrow \mathrm{RF}_n : F\}$ with probability at least $1/p(n)$ for infinitely many n.

One possible approach here is to use the Hybrid Lemma, building hybrids by successively replacing each leaf with a truly random value. This approach does not work because there are too many (exponentially many) hybrids, so the lemma gives no useful bound. Instead we define a family of hybrids $\mathrm{HF}^i_n$, for $i = 0, \ldots, n$, where the i-th hybrid is constructed by picking every node at depth i of the tree uniformly and independently at random and then computing the rest of the tree with G as before. In this way

$\mathrm{HF}^0_n = \{s \leftarrow \{0,1\}^n : f_s\}$ (only the root, i.e. the seed, is chosen at random),
$\mathrm{HF}^n_n = \mathrm{RF}_n$ (all the leaves are chosen at random).

Notice that each hybrid $\mathrm{HF}^i_n$ can be efficiently emulated (as we did above for the random function, but keeping a table of the depth-i nodes touched so far: each is sampled on first use and the rest of the path down to the leaf is computed with G). By the Hybrid Lemma there exists an i such that D distinguishes $\mathrm{HF}^i_n$ and $\mathrm{HF}^{i+1}_n$ with probability at least $1/(n \, p(n))$, since there are n pairs of adjacent hybrids.

The difference between $\mathrm{HF}^i_n$ and $\mathrm{HF}^{i+1}_n$ is that in $\mathrm{HF}^i_n$ level i+1 is pseudorandom (each pair of sibling nodes at depth i+1 is distributed as $G(U_n)$), while in $\mathrm{HF}^{i+1}_n$ level i+1 is truly random (each pair of siblings is distributed as $U_{2n}$). Since the size of the layers grows exponentially, we cannot replace the whole layer by a single application of the pseudorandomness of G, and to complete the proof we need another set of hybrids.

Since D runs in polynomial time, there exists a polynomial $q(n)$ such that the number of oracle queries made by D is bounded by $q(n)$. We define a new family of hybrids $\mathrm{HHF}^j_n$ for $j = 0, \ldots, q(n)$, where $\mathrm{HHF}^j_n$ answers the queries passing through the first j distinct depth-i nodes (the first j distinct i-bit prefixes that D queries) as $\mathrm{HF}^i_n$ does, and all remaining queries as $\mathrm{HF}^{i+1}_n$ does. Notice that

$\mathrm{HHF}^0_n = \mathrm{HF}^{i+1}_n, \qquad \mathrm{HHF}^{q(n)}_n = \mathrm{HF}^i_n.$

By the Hybrid Lemma there exists a j such that D distinguishes $\mathrm{HHF}^j_n$ and $\mathrm{HHF}^{j+1}_n$ with probability at least $1/(n \, q(n) \, p(n))$.

The only difference between $\mathrm{HHF}^j_n$ and $\mathrm{HHF}^{j+1}_n$ is how the (j+1)-th distinct depth-i node is handled: $\mathrm{HHF}^{j+1}_n$ fills its two children with the output $G(r)$ of the pseudorandom generator on a uniformly chosen value r, while $\mathrm{HHF}^j_n$ fills them with a uniformly chosen 2n-bit string. As noted above, both hybrids can be emulated in probabilistic polynomial time, and the emulation needs nothing but that 2n-bit string: feeding it a sample of $G(U_n)$ yields $\mathrm{HHF}^{j+1}_n$, feeding it a sample of $U_{2n}$ yields $\mathrm{HHF}^j_n$. It then follows from the closure-under-efficient-operations lemma and the pseudorandomness of G that D cannot distinguish the two with non-negligible probability, a contradiction.
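The objects used above, worked through in Python as an added example (this is not code from the notes): the tree construction $f_s$ of Theorem 2, the hybrids $\mathrm{HF}^i_n$ of its proof emulated lazily (with $i = n$ being the lazily sampled random function of Definition 3 and $i = 0$ being $f_s$ itself), the PRF-to-PRG direction mentioned in Section 4, and the stateless scheme of Section 2.2 with the PRF supplying an n-bit index, together with the birthday bound that explains why an $O(\log n)$-bit index fails. SHAKE-256 stands in for the length-doubling PRG G and n is fixed to 128; both are assumptions of the example, and nothing here is a security argument, only a runnable model of the proof's objects.

```python
import hashlib
import math
import secrets

N = 128  # security parameter n in bits (assumption for this example); seeds and leaves are N // 8 bytes


def G(x: bytes) -> bytes:
    """Length-doubling PRG stand-in (assumption: SHAKE-256 as an XOF plays the role of G).
    Returns G_0(x) || G_1(x), each half as long as x."""
    return hashlib.shake_256(x).digest(2 * len(x))


def G0(x: bytes) -> bytes:
    return G(x)[: len(x)]


def G1(x: bytes) -> bytes:
    return G(x)[len(x):]


def ggm_prf(seed: bytes, x_bits: str) -> bytes:
    """f_s(b_1 ... b_n) = G_{b_n}( ... G_{b_2}(G_{b_1}(s)) ... ): walk from the root s, keeping
    only the half of G's output selected by each input bit."""
    node = seed
    for b in x_bits:
        node = G1(node) if b == "1" else G0(node)
    return node


class HybridOracle:
    """HF^i_n from the proof of Theorem 2, emulated lazily in polynomial time per query.

    Every node at depth i is chosen uniformly at random the first time a query passes through
    it (stored in a table keyed by the i-bit prefix); nodes below depth i are computed with G.
    i = 0 is f_s itself (only the root is random); i = n is the random function of Definition 3
    (every leaf random, the table recording the queries answered so far)."""

    def __init__(self, n: int, i: int, seed: bytes = None, rng=secrets.token_bytes):
        assert 0 <= i <= n and n % 8 == 0
        self.n, self.i, self.rng = n, i, rng
        self.table = {}
        if i == 0:
            self.table[""] = seed if seed is not None else rng(n // 8)

    def query(self, x_bits: str) -> bytes:
        assert len(x_bits) == self.n and set(x_bits) <= {"0", "1"}
        prefix = x_bits[: self.i]
        if prefix not in self.table:           # first visit to this depth-i node: sample it
            self.table[prefix] = self.rng(self.n // 8)
        node = self.table[prefix]
        for b in x_bits[self.i:]:              # below depth i the tree is computed as in f_s
            node = G1(node) if b == "1" else G0(node)
        return node


def to_bits(x: bytes) -> str:
    return format(int.from_bytes(x, "big"), f"0{8 * len(x)}b")


def prg_from_prf(seed: bytes, blocks: int) -> bytes:
    """PRF => PRG (Section 4): concatenate f_s(0), f_s(1), ..., f_s(blocks - 1)."""
    return b"".join(ggm_prf(seed, format(c, f"0{N}b")) for c in range(blocks))


def prf_encrypt(key: bytes, m: bytes, r: bytes = None) -> bytes:
    """The stateless randomized scheme of Section 2.2 with the PRF as the exponentially long pad:
    Enc_k(m) = r || (m xor f_k(r)) with a fresh n-bit index r.  One PRF block per message here."""
    assert len(m) == N // 8
    r = secrets.token_bytes(N // 8) if r is None else r
    return r + bytes(a ^ b for a, b in zip(m, ggm_prf(key, to_bits(r))))


def prf_decrypt(key: bytes, c: bytes) -> bytes:
    r, body = c[: N // 8], c[N // 8:]
    return bytes(a ^ b for a, b in zip(body, ggm_prf(key, to_bits(r))))


def index_reuse_probability(index_bits: int, q: int) -> float:
    """Birthday bound: probability that q uniformly chosen index_bits-bit indices are not all
    distinct, computed in log space so that very small values are not rounded to zero.
    With the PRG pad of Section 2.2 index_bits is O(log n); with the PRF it is n."""
    size = 2 ** index_bits
    log_all_distinct = sum(math.log1p(-t / size) for t in range(q))
    return -math.expm1(log_all_distinct)
```

`index_reuse_probability(21, 2000)` (a pad of $2^{21}$ blocks, i.e. $n^3$ blocks for n = 128, and 2000 messages) is already above 0.6, while `index_reuse_probability(128, 2000)` is around $6 \cdot 10^{-33}$: this is the gap between a polynomially long PRG pad and the exponentially large index space a PRF provides. The `HybridOracle` table is exactly the emulation the proof relies on: for any i, a polynomial number of queries touches only a polynomial number of depth-i nodes, so the hybrid never needs the exponentially large layer written out.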