Cryptography Lecture 8: Pseudorandom functions (PowerPoint presentation)

Uploaded by blanko on 2023-06-22



Presentation Transcript

1. Cryptography
Lecture 8

2. Pseudorandom functions

3. Keyed functions
Let F: {0,1}* x {0,1}* → {0,1}* be an efficient, deterministic algorithm
Define F_k(x) = F(k, x)
The first input is called the key
Assume F is length preserving: F(k, x) only defined if |k| = |x|, in which case |F(k, x)| = |k| = |x|
Choosing a uniform k ∈ {0,1}^n is equivalent to choosing the function F_k : {0,1}^n → {0,1}^n
I.e., for fixed key length n, the algorithm F defines a distribution over functions in Func_n!

4. (Diagram: the PRF distinguishing game. A poly-time distinguisher sends queries x1, …, xt. World 1: k ∈ {0,1}^n chosen uniformly at random, and the answers are F_k(x1), …, F_k(xt). World 0: f ∈ Func_n chosen uniformly at random, and the answers are f(x1), …, f(xt).)

5. Pseudorandom permutations (PRPs)
Let f ∈ Func_n
f is a permutation if it is a bijection
This means that the inverse f^{-1} exists
Let Perm_n ⊆ Func_n be the set of permutations
What is |Perm_n|?

6. Pseudorandom permutations
Let F be a length-preserving, keyed function
F is a keyed permutation if
  F_k is a permutation for every k
  F_k^{-1} is efficiently computable (where F_k^{-1}(F_k(x)) = x)
F is a pseudorandom permutation if F_k, for uniform key k ∈ {0,1}^n, is indistinguishable from a uniform permutation f ∈ Perm_n

7. Note
For large enough n, a random permutation is indistinguishable from a random function
So in practice, PRPs are also good PRFs

8. PRFs vs. PRGs
PRF F immediately implies a PRG G:
  Define G(k) = F_k(0…0) | F_k(0…1)
  I.e., G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | …, where <i> denotes the n-bit encoding of i
PRF can be viewed as a PRG with random access to exponentially long output
  The function F_k can be viewed as the n·2^n-bit string F_k(0…0) | … | F_k(1…1)

9. Do PRFs/PRPs exist?
They are a stronger primitive than PRGs…
…though can be built from PRGs
In practice, block ciphers are used

10. Block ciphers
Block ciphers are practical constructions of pseudorandom permutations
No asymptotics: F: {0,1}^n x {0,1}^m → {0,1}^m
  n = "key length"
  m = "block length"
Hard to distinguish F_k from uniform f ∈ Perm_m even for attackers running in time 2^n

11. AES
Advanced encryption standard (AES)
Standardized by NIST in 2000 based on a public, worldwide competition lasting over 3 years
Block length = 128 bits
Key length = 128, 192, or 256 bits
Will discuss details later in the course
No real reason to use anything else

12. CPA-security
Fix Π, A
Define a randomized exp't PrivK^CPA_{A,Π}(n):
  k ← Gen(1^n)
  A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m0, m1 of the same length
  b ← {0,1}, c ← Enc_k(m_b), give c to A
  A can continue to interact with Enc_k(·)
  A outputs b'; A succeeds if b = b', and experiment evaluates to 1 in this case

13. CPA-security is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function  such that Pr[PrivKCPAA,(n) = 1] ≤ ½ + (n)

14. CPA-secure encryption
Let F be a length-preserving, keyed function
Gen(1^n): choose a uniform key k ∈ {0,1}^n
Enc_k(m), for |m| = |k|:
  Choose uniform r ∈ {0,1}^n (nonce/initialization vector)
  Output ciphertext <r, F_k(r) ⊕ m>
Dec_k(c1, c2): output c2 ⊕ F_k(c1)
Correctness is immediate

15. (Diagram: key k and nonce r enter F; the pseudorandom output F_k(r) is combined with the message to give the ciphertext, which is itself pseudorandom.)

16. Security?
Theorem: if F is a pseudorandom function, then this scheme is CPA-secure

17. Note
The key may be as long as the message…
…but the same key can be used to safely encrypt multiple messages

18. Security?
Theorem: if F is a pseudorandom function, then this scheme is CPA-secure
Proof by reduction…
Let Π denote the scheme

19. (Diagram: the reduction D, given oracle access to f which is either pseudorandom or random, answers the attacker's encryption query m by choosing r ← {0,1}^n, asking the oracle for f(r), and returning <r, f(r) ⊕ m>.)

20. (Diagram: for the challenge m0, m1, D chooses b ← {0,1} and r* ← {0,1}^n, asks the PR/random oracle for f(r*), and returns <r*, f(r*) ⊕ m_b>; when the attacker outputs b', D outputs 1 if b = b'.)

21. Analysis
Let µ(n) = Pr[PrivK^CPA_{Adv,Π}(n) = 1]
Let q(n) be a bound on the number of encryption queries made by attacker
If f = F_k for uniform k, then the view of Adv is exactly as in PrivK^CPA_{Adv,Π}(n)
  ⇒ Pr_{k←{0,1}^n}[D^{F_k(·)} = 1] = Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n)

22. Analysis
If f is uniform, there are two sub-cases:
  r* was used for some other ciphertext (call this event Repeat)
  r* was not used for some other ciphertext
Pr_f[D^{f(·)} = 1] ≤ Pr_f[D^{f(·)} = 1 | ¬Repeat] + Pr[Repeat]
Pr[Repeat] ≤ q(n)/2^n
Pr_f[D^{f(·)} = 1 | ¬Repeat] = ½

23. Analysis
Since F is pseudorandom…
  | µ(n) – Pr_f[D^{f(·)} = 1] | ≤ ε(n)
  ⇒ µ(n) ≤ Pr_f[D^{f(·)} = 1] + ε(n) ≤ ½ + q(n)/2^n + ε(n)
For any polynomial q, the term q(n)/2^n is negligible
  ⇒ Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n) ≤ ½ + ε'(n)
QED

24. Real-world security?
The security bound we proved is tight
What happens if a nonce r is ever reused?
What is the probability that the nonce used in some challenge ciphertext is also used for some other ciphertext?
What happens to the bound if the nonce is chosen non-uniformly?
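An added Python example (not part of the lecture) of the one-block scheme from slide 14, together with the nonce-reuse question of slide 24 and the Repeat bound of slide 22. HMAC-SHA256 is assumed as the stand-in for the PRF F, and key, nonce and message are all one 256-bit block.

```python
import hmac
import hashlib
import os

N = 32  # n = 256 bits: key, nonce and message are all one block (HMAC-SHA256 output size)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def F(k, x):
    """Keyed function F_k(x); HMAC-SHA256 is the assumed PRF stand-in, length preserving for 32-byte k and x."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()

def gen():
    """Gen(1^n): choose a uniform key k in {0,1}^n."""
    return os.urandom(N)

def enc(k, m, r=None):
    """Enc_k(m) = <r, F_k(r) XOR m> with r uniform; r can be forced only to reproduce the nonce-reuse case."""
    assert len(m) == N
    if r is None:
        r = os.urandom(N)
    return r, xor(F(k, r), m)

def dec(k, c):
    """Dec_k(c1, c2) = c2 XOR F_k(c1)."""
    c1, c2 = c
    return xor(c2, F(k, c1))

def nonce_reuse_leak(c, c_other):
    """Slide 24: if two ciphertexts share r, F_k(r) cancels and c2 XOR c2' = m XOR m' without the key.
    Returns None when the nonces differ, which is what the Repeat event on slide 22 bounds."""
    (r, c2), (r_other, c2_other) = c, c_other
    if r != r_other:
        return None
    return xor(c2, c2_other)

def repeat_bound(q, n_bits=8 * N):
    """Slide 22: Pr[Repeat] <= q / 2^n when the attacker makes q encryption queries."""
    return q / 2 ** n_bits
```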

25. CPA-secure encryption
We have shown a CPA-secure encryption scheme based on any block cipher/PRF
  Enc_k(m) = <r, F_k(r) ⊕ m>
Drawbacks?
  A 1-block plaintext results in a 2-block ciphertext
  Only defined for encryption of n-bit messages

26. Encrypting long messages?
Recall that CPA-security ⇒ security for the encryption of multiple messages
So, can encrypt the message m1, …, mt as Enc_k(m1), Enc_k(m2), …, Enc_k(mt)
This is also CPA-secure!

27. (Diagram: the sender holding k encrypts m1, …, mt block by block as c1 ← Enc_k(m1), …, ct ← Enc_k(mt) and sends c1, …, ct to the receiver, who also holds k.)

28. Drawback
The ciphertext is twice the length of the plaintext
I.e., ciphertext expansion by a factor of two
Can we do better?
Modes of operation:
  Block-cipher modes of operation
  Stream-cipher modes of operation

29. CTR mode
Enc_k(m1, …, mt) // note: t is arbitrary
  Choose ctr ← {0,1}^n, set c0 = ctr
  For i = 1 to t: ci = mi ⊕ F_k(ctr + i)
  Output c0, c1, …, ct
Decryption?
Ciphertext expansion is just 1 block

30. (Diagram: CTR mode; ctr becomes c0, and F_k(ctr+1), F_k(ctr+2), …, F_k(ctr+t) are XORed with m1, m2, …, mt to give c1, c2, …, ct.)

31. CTR mode
Theorem: If F is a pseudorandom function, then CTR mode is CPA-secure
Proof sketch:
  The sequence F_k(ctr_i + 1), …, F_k(ctr_i + t) used to encrypt the ith message is pseudorandom
  Moreover, it is independent of every other such sequence unless ctr_i + j = ctr_i' + j' for some i, j, i', j'
  Just need to bound the probability of that event
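An added Python example (not from the lecture) of CTR mode as defined on slide 29, answering its "Decryption?" question and checking the counter-overlap event from the proof sketch on slide 31. HMAC-SHA256 truncated to 128 bits is assumed as the PRF F_k in place of a block cipher.

```python
import hmac
import hashlib
import os

N = 16  # block length in bytes (n = 128 bits); counters are n-bit values as on slide 29
MOD = 2 ** (8 * N)

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def F(k, x):
    """PRF stand-in F_k: {0,1}^n -> {0,1}^n, HMAC-SHA256 truncated to one block (an assumption, not AES)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def counter_block(ctr, i):
    """n-bit encoding of ctr + i, with the addition taken modulo 2^n."""
    return ((ctr + i) % MOD).to_bytes(N, "big")

def ctr_encrypt(k, m, ctr=None):
    """Enc_k(m1, ..., mt): c0 = ctr, c_i = m_i XOR F_k(ctr + i); output c0 || c1 || ... || ct.
    t is arbitrary; a short final block just truncates the keystream, so no padding is needed."""
    if ctr is None:
        ctr = int.from_bytes(os.urandom(N), "big")
    out = [ctr.to_bytes(N, "big")]
    for i in range(0, len(m), N):
        out.append(xor(m[i:i + N], F(k, counter_block(ctr, i // N + 1))))
    return b"".join(out)

def ctr_decrypt(k, c):
    """Decryption (the slide's open question): regenerate the same keystream from c0 and XOR it off.
    Only F_k itself is evaluated, so F need not be invertible, unlike CBC."""
    ctr = int.from_bytes(c[:N], "big")
    body = c[N:]
    out = [xor(body[i:i + N], F(k, counter_block(ctr, i // N + 1))) for i in range(0, len(body), N)]
    return b"".join(out)

def streams_overlap(ctr_a, t_a, ctr_b, t_b):
    """The bad event of slide 31: ctr_a + j == ctr_b + j' (mod 2^n) for some 1 <= j <= t_a, 1 <= j' <= t_b,
    i.e. two messages' keystreams share a block. Checked by set intersection."""
    used = {(ctr_a + j) % MOD for j in range(1, t_a + 1)}
    return any((ctr_b + j) % MOD in used for j in range(1, t_b + 1))
```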

32. CBC mode
Enc_k(m1, …, mt) // note: t is arbitrary
  Choose random c0 ← {0,1}^n (also called the IV)
  For i = 1 to t: ci = F_k(mi ⊕ c_{i-1})
  Output c0, c1, …, ct
Decryption? Requires F to be invertible
Ciphertext expansion is just 1 block

33. (Diagram: CBC mode; the IV is c0, c1 = F_k(m1 ⊕ c0), c2 = F_k(m2 ⊕ c1), …, ct = F_k(mt ⊕ c_{t-1}).)

34. CBC mode
Theorem: If F is a pseudorandom permutation, then CBC mode is CPA-secure
Proof is more complicated than for CTR mode

35. ECB mode
Enc_k(m1, …, mt) = F_k(m1), …, F_k(mt)
Deterministic
Not CPA-secure!
  Can tell from the ciphertext whether mi = mj
Not even EAV-secure!
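An added Python example (not from the lecture) covering CBC mode from slide 32, which needs an invertible F, and ECB mode from slide 35, whose determinism reveals repeated blocks. Since the slides give no concrete permutation, the keyed permutation P_k is assumed to be a 4-round Feistel network with HMAC-SHA256 round functions (the Luby-Rackoff construction of a PRP from a PRF, not covered on the slides).

```python
import hmac
import hashlib
import os

HALF = 16  # each Feistel half is 128 bits, so the permutation acts on 256-bit blocks
N = 2 * HALF

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def f(k, rnd, x):
    """Round function: one PRF per round, derived from k with HMAC-SHA256 (assumed stand-in for a PRF)."""
    return hmac.new(k, bytes([rnd]) + x, hashlib.sha256).digest()[:HALF]

def P(k, x):
    """Keyed permutation P_k: 4-round Feistel network built from the PRF f (Luby-Rackoff construction)."""
    L, R = x[:HALF], x[HALF:]
    for rnd in range(4):
        L, R = R, xor(L, f(k, rnd, R))
    return L + R

def P_inv(k, y):
    """P_k^{-1}: undo the rounds in reverse; needs only the round functions' outputs, not their inverses."""
    L, R = y[:HALF], y[HALF:]
    for rnd in reversed(range(4)):
        L, R = xor(R, f(k, rnd, L)), L
    return L + R

def blocks(m):
    assert len(m) % N == 0, "messages are whole blocks here (no padding)"
    return [m[i:i + N] for i in range(0, len(m), N)]

def ecb_encrypt(k, m):
    """ECB (slide 35): Enc_k(m1, ..., mt) = P_k(m1), ..., P_k(mt). Deterministic, so equal blocks show."""
    return b"".join(P(k, mi) for mi in blocks(m))

def cbc_encrypt(k, m, iv=None):
    """CBC (slide 32): c0 = IV chosen uniformly; c_i = P_k(m_i XOR c_{i-1}); output c0 || c1 || ... || ct."""
    c = [iv if iv is not None else os.urandom(N)]
    for mi in blocks(m):
        c.append(P(k, xor(mi, c[-1])))
    return b"".join(c)

def cbc_decrypt(k, c):
    """m_i = P_k^{-1}(c_i) XOR c_{i-1}: decryption is why CBC needs F to be invertible."""
    cs = blocks(c)
    return b"".join(xor(P_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))

def repeated_block_positions(c, skip_iv=False):
    """Pairs (i, j) of identical ciphertext blocks; under ECB these reveal that m_i == m_j."""
    cs = blocks(c)[1:] if skip_iv else blocks(c)
    return [(i, j) for i in range(len(cs)) for j in range(i + 1, len(cs)) if cs[i] == cs[j]]
```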

36. Not just a theoretical problem!
(Image: the original picture on the left, and the same picture encrypted using ECB mode on the right.)
(Taken from http://en.wikipedia.org and derived from images created by Larry Ewing (lewing@isc.tamu.edu) using The GIMP.)