Cryptography Lecture 7
Pseudorandom functions
Keyed functions
Let F: {0,1}* × {0,1}* → {0,1}* be an efficient, deterministic algorithm
Define F_k(x) = F(k, x)
The first input is called the key
Assume F is length preserving: F(k, x) only defined if |k| = |x|, in which case |F(k, x)| = |k| = |x|
Choosing a uniform k ∈ {0,1}^n is equivalent to choosing the function F_k: {0,1}^n → {0,1}^n
I.e., for fixed key length n, the algorithm F defines a distribution over functions in Func_n!

[Diagram: the distinguishing game for a (poly-time) distinguisher, which sends queries x_1, …, x_t and must decide between
World 1: k ∈ {0,1}^n chosen uniformly at random; the distinguisher receives F_k(x_1), …, F_k(x_t)
World 0: f ∈ Func_n chosen uniformly at random; the distinguisher receives f(x_1), …, f(x_t)]

Pseudorandom permutations (PRPs)
Let f ∈ Func_n
f is a permutation if it is a bijection
This means that the inverse f^-1 exists
Let Perm_n ⊆ Func_n be the set of permutations
What is |Perm_n|?

Pseudorandom permutations
Let F be a length-preserving, keyed function
F is a keyed permutation if
  F_k is a permutation for every k
  F_k^-1 is efficiently computable (where F_k^-1(F_k(x)) = x)
F is a pseudorandom permutation if F_k, for uniform key k ∈ {0,1}^n, is indistinguishable from a uniform permutation f ∈ Perm_n

Note
For large enough n, a random permutation is indistinguishable from a random function
So in practice, PRPs are also good PRFs
Proof in the book (required!)

PRFs vs. PRGs
PRF F immediately implies a PRG G:
  Define G(k) = F_k(0…0) | F_k(0…1)
  I.e., G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | …, where <i> denotes the n-bit encoding of i
PRF can be viewed as a PRG with random access to exponentially long output
  The function F_k can be viewed as the n·2^n-bit string F_k(0…0) | … | F_k(1…1)

Do PRFs/PRPs exist?
They are a stronger primitive than PRGs…
…though can be built from PRGs
In practice, block ciphers are used

Block ciphers
Block ciphers are practical constructions of pseudorandom permutations
No asymptotics: F: {0,1}^n × {0,1}^m → {0,1}^m
  n = "key length"
  m = "block length"
Hard to distinguish F_k from uniform f ∈ Perm_m even for attackers running in time 2^n

AES
Advanced encryption standard (AES)
Standardized by NIST in 2000 based on a public, worldwide competition lasting over 3 years
Block length = 128 bits
Key length = 128, 192, or 256 bits
Will not discuss details later in the course
No real reason to use anything else
CPA-security
Fix Π, A
Define a randomized exp't PrivK^CPA_{A,Π}(n):
  k ← Gen(1^n)
  A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length
  b ← {0,1}, c ← Enc_k(m_b), give c to A
  A can continue to interact with Enc_k(·)
  A outputs b'; A succeeds if b = b', and the experiment evaluates to 1 in this case

CPA-security
Π is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function ε such that
  Pr[PrivK^CPA_{A,Π}(n) = 1] ≤ ½ + ε(n)

CPA-secure encryption
Let F be a length-preserving, keyed function
Gen(1^n): choose a uniform key k ∈ {0,1}^n
Enc_k(m), for |m| = |k|:
  Choose uniform r ∈ {0,1}^n (nonce/initialization vector)
  Output ciphertext <r, F_k(r) ⊕ m>
Dec_k(c_1, c_2): output c_2 ⊕ F_k(c_1)
Correctness is immediate

[Diagram of the scheme: the key k and the nonce r enter F, and the pseudorandom output F_k(r) is XORed with the message to form the ciphertext]

Security?
Theorem: if F is a pseudorandom function, then this scheme is CPA-secure

Note
The key may be as long as the message…
…but the same key can be used to safely encrypt multiple messages

Security?
Theorem: if F is a pseudorandom function, then this scheme is CPA-secure
Proof by reduction…
Let Π denote the scheme

[Diagram of the reduction: the distinguisher D has oracle access to f (either F_k or a uniform function). For each encryption query m from the attacker, D chooses r ← {0,1}^n, queries f(r), and returns <r, f(r) ⊕ m>]

[Diagram of the reduction, continued: on the challenge m_0, m_1, D chooses b ← {0,1} and r* ← {0,1}^n, queries f(r*), and returns <r*, f(r*) ⊕ m_b>; when the attacker outputs b', D outputs 1 if b = b']

Analysis
Let µ(n) = Pr[PrivK^CPA_{Adv,Π}(n) = 1]
Let q(n) be a bound on the number of encryption queries made by the attacker
If f = F_k for uniform k, then the view of Adv is exactly as in PrivK^CPA_{Adv,Π}(n)
  Pr_{k ← {0,1}^n}[D^{F_k(·)} = 1] = Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n)

Analysis
If f is uniform, there are two sub-cases
  r* was used for some other ciphertext (call this event Repeat)
  r* was not used for some other ciphertext
Pr_f[D^{f(·)} = 1] ≤ Pr_f[D^{f(·)} = 1 | ¬Repeat] + Pr[Repeat]
Pr[Repeat] ≤ q(n)/2^n
Pr_f[D^{f(·)} = 1 | ¬Repeat] = ½

Analysis
Since F is pseudorandom…
  |µ(n) – Pr_f[D^{f(·)} = 1]| ≤ ε(n)
  µ(n) ≤ Pr_f[D^{f(·)} = 1] + ε(n) ≤ ½ + q(n)/2^n + ε(n)
For any polynomial q, the term q(n)/2^n is negligible
  Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n) ≤ ½ + ε'(n)
QED

Real-world security?
The security bound we proved is tight
What happens if a nonce r is ever reused?
What is the probability that the nonce used in some challenge ciphertext is also used for some other ciphertext?
What happens to the bound if the nonce is chosen non-uniformly?

CPA-secure encryption
We have shown a CPA-secure encryption scheme based on any block cipher/PRF
  Enc_k(m) = <r, F_k(r) ⊕ m>
Drawbacks?
  A 1-block plaintext results in a 2-block ciphertext
  Only defined for encryption of n-bit messages
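A worked implementation of the scheme from the "CPA-secure encryption" slides, added here as an example; it is not code from the lecture. It assumes HMAC-SHA256 truncated to n = 128 bits as the pseudorandom function F (the slides use an abstract PRF, or in practice a block cipher such as AES), and turns the questions on the "Real-world security?" slide into checks: a reused nonce r cancels F_k(r) across two ciphertexts, and the Repeat bound q(n)/2^n from the analysis is computed. The names prf, enc, dec, nonce_reuse_leak and repeat_bound are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

N_BYTES = 16  # n = 128 bits: key, nonce and message all have this length (F is length preserving)


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for the keyed function F_k(x).

    Assumption, not from the slides: HMAC-SHA256 truncated to n bits plays the
    role of the pseudorandom function; in practice a block cipher such as AES
    would be used here.
    """
    if len(key) != N_BYTES or len(x) != N_BYTES:
        raise ValueError("F is length preserving: |k| = |x| = n")
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen(1^n): a uniform key k in {0,1}^n."""
    return os.urandom(N_BYTES)


def enc(key: bytes, m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enc_k(m) = <r, F_k(r) XOR m> for a single n-bit block m.

    r is drawn uniformly at random unless the caller supplies one (a caller
    supplies it only so that nonce reuse can be exhibited deterministically).
    """
    if len(m) != N_BYTES:
        raise ValueError("the scheme is only defined for n-bit messages")
    if r is None:
        r = os.urandom(N_BYTES)
    return r, xor(prf(key, r), m)


def dec(key: bytes, c: Tuple[bytes, bytes]) -> bytes:
    """Dec_k(c_1, c_2) = c_2 XOR F_k(c_1)."""
    c1, c2 = c
    return xor(c2, prf(key, c1))


def nonce_reuse_leak(key: bytes, m1: bytes, m2: bytes, r: bytes) -> bytes:
    """The 'Real-world security?' question: if the same r is used for two
    messages, XORing the second ciphertext components cancels F_k(r) and leaves
    m1 XOR m2, which an eavesdropper obtains without the key."""
    _, c2a = enc(key, m1, r)
    _, c2b = enc(key, m2, r)
    return xor(c2a, c2b)


def repeat_bound(q: int, n_bits: int = 8 * N_BYTES) -> float:
    """The union bound Pr[Repeat] <= q(n)/2^n from the analysis slides: the
    probability that a uniform challenge nonce collides with one of q
    previously used nonces."""
    return q / 2.0 ** n_bits
```

With a uniformly chosen 128-bit nonce the bound repeat_bound(2**20) is about 2^-108, which is why the same key can safely encrypt many messages; the leak in nonce_reuse_leak is what is lost when r is not fresh or not uniform.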
Encrypting long messages?
Recall that CPA-security implies security for the encryption of multiple messages
So, can encrypt the message m_1, …, m_t as Enc_k(m_1), Enc_k(m_2), …, Enc_k(m_t)
This is also CPA-secure!

[Diagram: under key k, the blocks m_1, …, m_t are encrypted independently as c_1 ← Enc_k(m_1), …, c_t ← Enc_k(m_t)]

Drawback
The ciphertext is twice the length of the plaintext
  I.e., ciphertext expansion by a factor of two
Can we do better?
Modes of operation
  Block-cipher modes of operation
  Stream-cipher modes of operation

CTR mode
Enc_k(m_1, …, m_t)   // note: t is arbitrary
  Choose ctr ← {0,1}^n, set c_0 = ctr
  For i = 1 to t:
    c_i = m_i ⊕ F_k(ctr + i)
  Output c_0, c_1, …, c_t
Decryption?
Ciphertext expansion is just 1 block

[Diagram: F_k is applied to ctr+1, ctr+2, …, ctr+t; each output is XORed with m_1, m_2, …, m_t to give c_1, c_2, …, c_t, and c_0 = ctr]

CTR mode
Theorem: If F is a pseudorandom function, then CTR mode is CPA-secure
Proof sketch:
  The sequence F_k(ctr_i + 1), …, F_k(ctr_i + t) used to encrypt the ith message is pseudorandom
  Moreover, it is independent of every other such sequence unless ctr_i + j = ctr_i' + j' for some i, j, i', j'
  Just need to bound the probability of that event
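CTR mode from the slides above, as an added example that is not code from the lecture. It assumes HMAC-SHA256 truncated to n = 128 bits as the stand-in for F, reduces ctr + i modulo 2^n so the counter stays an n-bit string, and never needs F^-1: decryption recomputes the same keystream. The keystream function is also the PRG-from-PRF construction of the "PRFs vs. PRGs" slide (F_k applied to successive counter encodings), and counters_overlap tests the bad event ctr_i + j = ctr_i' + j' from the proof sketch. All function names are the example's own.

```python
import hashlib
import hmac
import os
from typing import List, Optional

N_BYTES = 16                 # block/key length n = 128 bits
MOD = 2 ** (8 * N_BYTES)     # ctr + i is taken modulo 2^n (assumption: the slides do not say)


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_k(x): HMAC-SHA256 truncated to n bits (assumption; the slides use a block cipher)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, ctr: bytes, t: int) -> List[bytes]:
    """F_k(ctr+1), ..., F_k(ctr+t): the pseudorandom sequence from the proof sketch.

    Read with ctr fixed, this is the PRG G(k) = F_k(<ctr+1>) | F_k(<ctr+2>) | ... of the
    'PRFs vs. PRGs' slide, with random access to any position by choosing the counter.
    """
    c = int.from_bytes(ctr, "big")
    return [prf(key, ((c + i) % MOD).to_bytes(N_BYTES, "big")) for i in range(1, t + 1)]


def _blocks(data: bytes) -> List[bytes]:
    if len(data) % N_BYTES:
        raise ValueError("input must be a whole number of n-bit blocks (the slides do not pad)")
    return [data[i:i + N_BYTES] for i in range(0, len(data), N_BYTES)]


def ctr_encrypt(key: bytes, m: bytes, ctr: Optional[bytes] = None) -> bytes:
    """Enc_k(m_1, ..., m_t) = ctr, m_1 XOR F_k(ctr+1), ..., m_t XOR F_k(ctr+t); t is arbitrary."""
    if ctr is None:
        ctr = os.urandom(N_BYTES)          # uniform ctr in {0,1}^n, sent in the clear as c_0
    blocks = _blocks(m)
    return ctr + b"".join(xor(mi, ki) for mi, ki in zip(blocks, keystream(key, ctr, len(blocks))))


def ctr_decrypt(key: bytes, c: bytes) -> bytes:
    """Recover m by recomputing the keystream from c_0 = ctr; F is only ever evaluated forward."""
    ctr, body = c[:N_BYTES], c[N_BYTES:]
    blocks = _blocks(body)
    return b"".join(xor(ci, ki) for ci, ki in zip(blocks, keystream(key, ctr, len(blocks))))


def counters_overlap(ctr_a: bytes, t_a: int, ctr_b: bytes, t_b: int) -> bool:
    """The bad event of the proof sketch: ctr_a + j = ctr_b + j' (mod 2^n) for some
    1 <= j <= t_a and 1 <= j' <= t_b, i.e. two messages share a keystream block."""
    a = int.from_bytes(ctr_a, "big")
    b = int.from_bytes(ctr_b, "big")
    used_by_a = {(a + j) % MOD for j in range(1, t_a + 1)}
    return any((b + j) % MOD in used_by_a for j in range(1, t_b + 1))
```

The ciphertext is exactly one block longer than the plaintext, and the same key encrypts messages of any block count; what the proof must bound is how likely two uniformly chosen counters land within t of each other, which counters_overlap makes concrete for small t.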
CBC mode
Enc_k(m_1, …, m_t)   // note: t is arbitrary
  Choose random c_0 ← {0,1}^n (also called the IV)
  For i = 1 to t:
    c_i = F_k(m_i ⊕ c_{i-1})
  Output c_0, c_1, …, c_t
Decryption? Requires F to be invertible
Ciphertext expansion is just 1 block

[Diagram: c_0 = IV; each m_i is XORed with c_{i-1} and passed through F_k to give c_i, for i = 1, …, t]

CBC mode
Theorem: If F is a pseudorandom permutation, then CBC mode is CPA-secure
Proof is more complicated than for CTR mode

ECB mode
Enc_k(m_1, …, m_t) = F_k(m_1), …, F_k(m_t)
Deterministic
Not CPA-secure!
  Can tell from the ciphertext whether m_i = m_j
Not even EAV-secure!

Not just a theoretical problem!
[Image: the original picture and the same picture encrypted using ECB mode]
(Taken from http://en.wikipedia.org and derived from images created by Larry Ewing (lewing@isc.tamu.edu) using The GIMP.)
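CBC and ECB as added example code, not code from the lecture. Because CBC decryption needs F_k^-1, the example assumes a toy keyed permutation built as a 4-round Feistel network over HMAC-SHA256 in place of the block cipher the slides have in mind; it is invertible by construction but is only a stand-in, not a cipher to deploy. equal_block_pairs makes the ECB leak of the previous slides concrete (equal ciphertext blocks reveal m_i = m_j, which is what the image shows at scale) and shows that CBC with a random IV does not exhibit it. All names are the example's own.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

HALF = 8            # Feistel half-block size in bytes
BLOCK = 2 * HALF    # block length n = 128 bits
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function on a half block: HMAC-SHA256 over (round index, half), truncated (assumption).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def prp_forward(key: bytes, x: bytes) -> bytes:
    """F_k(x): a toy keyed permutation, a 4-round Feistel network (assumption; stands in for AES).
    Whatever the round function does, the Feistel structure is a bijection on {0,1}^n."""
    left, right = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        left, right = right, xor(left, _round_function(key, i, right))
    return left + right


def prp_inverse(key: bytes, y: bytes) -> bytes:
    """F_k^-1(y): undo the rounds in reverse order, which only needs the round function forward."""
    left, right = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, _round_function(key, i, left)), left
    return left + right


def _blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of n-bit blocks (the slides do not pad)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, m: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC: c_0 = IV chosen at random, c_i = F_k(m_i XOR c_{i-1}); output c_0, c_1, ..., c_t."""
    prev = os.urandom(BLOCK) if iv is None else iv
    out = [prev]
    for mi in _blocks(m):
        prev = prp_forward(key, xor(mi, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, c: bytes) -> bytes:
    """m_i = F_k^-1(c_i) XOR c_{i-1}: this is the step that requires F to be invertible."""
    cs = _blocks(c)
    return b"".join(xor(prp_inverse(key, ci), prev) for prev, ci in zip(cs, cs[1:]))


def ecb_encrypt(key: bytes, m: bytes) -> bytes:
    """ECB: F_k(m_1), ..., F_k(m_t); deterministic, no IV, no expansion."""
    return b"".join(prp_forward(key, mi) for mi in _blocks(m))


def equal_block_pairs(c: bytes) -> List[Tuple[int, int]]:
    """Positions (i, j), i < j, of identical ciphertext blocks. Under ECB each such pair tells an
    eavesdropper that m_i = m_j; under CBC with a random IV equal plaintext blocks do not line up."""
    cs = _blocks(c)
    return [(i, j) for i in range(len(cs)) for j in range(i + 1, len(cs)) if cs[i] == cs[j]]
```

Running equal_block_pairs over the ECB encryption of a plaintext with repeated blocks returns exactly the repeated positions, which is the block-level version of the outline still visible in the encrypted image; the CBC ciphertext of the same plaintext returns no pairs, at the cost of one extra block and an invertible F.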