Cryptography Lecture - PowerPoint Presentation
Uploaded by marina-yarberry on 2019-12-09
Presentation Transcript

Cryptography Lecture 8

Pseudorandom functions

Keyed functions
Let F: {0,1}* × {0,1}* → {0,1}* be an efficient, deterministic algorithm.
Define F_k(x) = F(k, x). The first input is called the key.
Assume F is length preserving: F(k, x) is only defined if |k| = |x|, in which case |F(k, x)| = |k| = |x|.
Choosing a uniform k ∈ {0,1}^n is equivalent to choosing the function F_k: {0,1}^n → {0,1}^n.
I.e., for fixed key length n, the algorithm F defines a distribution over functions in Func_n!

[Figure: the PRF distinguishing game. A poly-time distinguisher D submits queries x_1, …, x_t and must decide which world it is in ("??"). World 1: k ∈ {0,1}^n is chosen uniformly at random and D receives F_k(x_1), …, F_k(x_t). World 0: f ∈ Func_n is chosen uniformly at random and D receives f(x_1), …, f(x_t).]

Pseudorandom permutations (PRPs)
Let f ∈ Func_n. f is a permutation if it is a bijection; this means that the inverse f^-1 exists.
Let Perm_n ⊆ Func_n be the set of permutations. What is |Perm_n|? (There are 2^n inputs to arrange, so |Perm_n| = (2^n)!, compared with |Func_n| = (2^n)^(2^n).)

Pseudorandom permutations
Let F be a length-preserving, keyed function.
F is a keyed permutation if F_k is a permutation for every k, and F_k^-1 is efficiently computable (where F_k^-1(F_k(x)) = x).
F is a pseudorandom permutation if F_k, for uniform key k ∈ {0,1}^n, is indistinguishable from a uniform permutation f ∈ Perm_n.

Note
For large enough n, a random permutation is indistinguishable from a random function, as long as the distinguisher makes far fewer than 2^(n/2) queries: the only observable difference is that a random function may repeat an output, which happens with probability at most q^2/2^(n+1) over q queries.
So in practice, PRPs are also good PRFs. This is why a 128-bit block cipher can play the role of F in the PRF-based constructions later in this lecture.

PRFs vs. PRGs
A PRF F immediately implies a PRG G: define G(k) = F_k(0…0) | F_k(0…1) | …
I.e., G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | …, where <i> denotes the n-bit encoding of i.
A PRF can be viewed as a PRG with random access to an exponentially long output: the function F_k can be viewed as the n·2^n-bit string F_k(0…0) | … | F_k(1…1).
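As an added example (not part of the slides), the PRF-to-PRG construction above in Python. HMAC-SHA256 truncated to 128 bits stands in for the abstract keyed function F; treating HMAC as a PRF is an assumption the slides do not make. The point is the random access: block i of G(k), or any byte range of the n·2^n-bit string, can be computed without touching the blocks before it.

```python
import hashlib
import hmac

N_BYTES = 16   # n = 128 bits: key, input and output of F are all 16 bytes

# Assumption: HMAC-SHA256 truncated to n bits plays the role of the abstract
# keyed function F of the slides. Treating HMAC as a PRF is a standard
# assumption, not something the slides state.


def F(k: bytes, x: bytes) -> bytes:
    """Length-preserving keyed function F_k(x): defined only when |k| = |x| = n."""
    if len(k) != N_BYTES or len(x) != N_BYTES:
        raise ValueError("F(k, x) is only defined when |k| = |x| = n")
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def encode(i: int) -> bytes:
    """<i>: the n-bit (big-endian) encoding of the counter i, 0 <= i < 2^n."""
    return i.to_bytes(N_BYTES, "big")


def G(k: bytes, blocks: int) -> bytes:
    """The PRG G(k) = F_k(<0>) | F_k(<1>) | ... cut off after the given number of blocks."""
    return b"".join(F(k, encode(i)) for i in range(blocks))


def G_block(k: bytes, i: int) -> bytes:
    """Random access: the i-th block of G(k) without computing blocks 0..i-1."""
    return F(k, encode(i))


def G_range(k: bytes, start: int, end: int) -> bytes:
    """Bytes [start, end) of the n*2^n-bit string F_k(0...0) | ... | F_k(1...1),
    touching only the blocks that overlap the requested range."""
    first, last = start // N_BYTES, (end - 1) // N_BYTES
    chunk = b"".join(G_block(k, i) for i in range(first, last + 1))
    offset = start - first * N_BYTES
    return chunk[offset:offset + (end - start)]


if __name__ == "__main__":
    k = bytes(range(16))   # constructed demo key; use os.urandom(16) for anything real
    assert G(k, 4)[32:48] == G_block(k, 2)
    assert G(k, 4)[20:40] == G_range(k, 20, 40)
    # Block 2^100 of the exponentially long output is reachable directly.
    print(G_block(k, 2 ** 100).hex())
```

G(k, blocks) is what a stream cipher would do (sequential expansion); G_block and G_range are what the slide means by "random access": seeking to position 2^100 costs one PRF call, not 2^100 of them.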

Do PRFs/PRPs exist?
They are a stronger primitive than PRGs… …though they can be built from PRGs.
In practice, block ciphers are used.

Block ciphers
Block ciphers are practical constructions of pseudorandom permutations.
No asymptotics: F: {0,1}^n × {0,1}^m → {0,1}^m, where n = "key length" and m = "block length".
Hard to distinguish F_k from uniform f ∈ Perm_m for any attacker running in time noticeably less than 2^n, the cost of simply trying every key.

AES
Advanced Encryption Standard (AES)
Selected by NIST in 2000 (and published as FIPS 197 in 2001) based on a public, worldwide competition lasting over 3 years
Block length = 128 bits
Key length = 128, 192, or 256 bits
Will discuss details later in the course
No real reason to use anything else

CPA-security
Fix Π, A. Define a randomized experiment PrivK^CPA_{A,Π}(n):
k ← Gen(1^n)
A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length
b ← {0,1}, c ← Enc_k(m_b), give c to A
A can continue to interact with Enc_k(·)
A outputs b'; A succeeds if b = b', and the experiment evaluates to 1 in this case

CPA-security
Π is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function ε such that
Pr[PrivK^CPA_{A,Π}(n) = 1] ≤ ½ + ε(n)

CPA-secure encryption
Let F be a length-preserving, keyed function.
Gen(1^n): choose a uniform key k ∈ {0,1}^n
Enc_k(m), for |m| = |k|: choose uniform r ∈ {0,1}^n (nonce/initialization vector); output ciphertext <r, F_k(r) ⊕ m>
Dec_k(c_1, c_2): output c_2 ⊕ F_k(c_1)
Correctness is immediate.

[Figure: the key k and the nonce r are fed into F; the pseudorandom output F_k(r) is XORed with the message to give the ciphertext.]

Security? Theorem: if F is a pseudorandom function, then this scheme is CPA-secure

Note The key may be as long as the message… …but the same key can be used to safely encrypt multiple messages

Security? Theorem: if F is a pseudorandom function, then this scheme is CPA-secure Proof by reduction… Let  denote the scheme

[Figure: the reduction. The distinguisher D has oracle access to a function f that is either pseudorandom (F_k for uniform k) or uniformly random, and runs Adv as a subroutine. Whenever Adv asks for an encryption of m, D chooses r ← {0,1}^n, queries f(r), and returns <r, f(r) ⊕ m>. When Adv outputs m_0, m_1, D chooses b ← {0,1} and r* ← {0,1}^n, queries f(r*), and returns the challenge <r*, f(r*) ⊕ m_b>. Later encryption queries are answered the same way. When Adv outputs b', D outputs 1 if b = b'.]

Analysis
Let µ(n) = Pr[PrivK^CPA_{Adv,Π}(n) = 1].
Let q(n) be a bound on the number of encryption queries made by the attacker.
If f = F_k for uniform k, then the view of Adv is exactly as in PrivK^CPA_{Adv,Π}(n), so
Pr_{k←{0,1}^n}[D^{F_k(·)} = 1] = Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n)

Analysis
If f is uniform, there are two sub-cases:
r* was used for some other ciphertext (call this event Repeat);
r* was not used for any other ciphertext.
Pr_f[D^{f(·)} = 1] ≤ Pr_f[D^{f(·)} = 1 | ¬Repeat] + Pr[Repeat]
Pr[Repeat] ≤ q(n)/2^n
Pr_f[D^{f(·)} = 1 | ¬Repeat] = ½ (if r* is fresh, f(r*) is a uniform value that appears nowhere else in Adv's view, so the challenge is a one-time pad on m_b)

Analysis
Since F is pseudorandom, |µ(n) − Pr_f[D^{f(·)} = 1]| ≤ ε(n), so
µ(n) ≤ Pr_f[D^{f(·)} = 1] + ε(n) ≤ ½ + q(n)/2^n + ε(n)
For any polynomial q, the term q(n)/2^n is negligible, so
Pr[PrivK^CPA_{Adv,Π}(n) = 1] = µ(n) ≤ ½ + ε'(n). QED

Real-world security?
The security bound we proved is tight.
What happens if a nonce r is ever reused? (The two ciphertexts share the pad F_k(r), so c_2 ⊕ c_2' = m ⊕ m': the XOR of the plaintexts leaks, exactly as with a reused one-time pad.)
What is the probability that the nonce used in some challenge ciphertext is also used for some other ciphertext? (At most q/2^n for q uniform nonces, so the block length n, not just the key length, limits how many messages one key can safely encrypt.)
What happens to the bound if the nonce is chosen non-uniformly? (The proof only needs r* to be fresh; the Repeat term becomes the probability of a repeat under whatever distribution is actually used, so a poorly generated nonce can make it large.)
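An added example, not from the slides: the scheme Enc_k(m) = <r, F_k(r) ⊕ m> of the "CPA-secure encryption" slide in Python, with HMAC-SHA256 truncated to 128 bits as a stand-in for F (an assumption), together with the nonce-reuse failure asked about above. `nonce_reuse_leak` is what an eavesdropper computes from two ciphertexts sharing a nonce: the XOR of the two plaintexts, with no key involved. `repeat_bound` is the q/2^n term from the proof.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

N_BYTES = 16   # n = 128 bits: key, nonce and message are all one block

# Assumption: HMAC-SHA256 truncated to n bits stands in for the pseudorandom
# function F_k of the slides. Treating HMAC as a PRF is standard, but it is
# not something the slides state.


def F(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen(1^n): a uniform n-bit key."""
    return os.urandom(N_BYTES)


def enc(k: bytes, m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enc_k(m) = <r, F_k(r) XOR m> for |m| = n.

    r is a fresh uniform nonce. The optional argument exists only so that the
    nonce-reuse failure below can be demonstrated; real callers never set it."""
    if len(m) != N_BYTES:
        raise ValueError("the scheme is only defined for n-bit messages")
    if r is None:
        r = os.urandom(N_BYTES)
    return r, xor(F(k, r), m)


def dec(k: bytes, c: Tuple[bytes, bytes]) -> bytes:
    """Dec_k(c_1, c_2) = c_2 XOR F_k(c_1)."""
    c1, c2 = c
    return xor(c2, F(k, c1))


def nonce_reuse_leak(c: Tuple[bytes, bytes], c_prime: Tuple[bytes, bytes]) -> Optional[bytes]:
    """What an eavesdropper gets from two ciphertexts that share a nonce:
    c_2 XOR c_2' = (F_k(r) XOR m) XOR (F_k(r) XOR m') = m XOR m'. No key needed.
    Returns None when the nonces differ (then the two pads are independent)."""
    (r, c2), (r_prime, c2_prime) = c, c_prime
    if r != r_prime:
        return None
    return xor(c2, c2_prime)


def repeat_bound(q: int, n_bits: int = 8 * N_BYTES) -> float:
    """Pr[Repeat] <= q / 2^n from the proof: the challenge nonce r* collides
    with one of q other uniform nonces with at most this probability."""
    return q / 2 ** n_bits


if __name__ == "__main__":
    k = gen()
    m1, m2 = b"attack at dawn!!", b"retreat at dusk!"   # constructed 16-byte messages
    assert dec(k, enc(k, m1)) == m1
    r = os.urandom(N_BYTES)                              # deliberately reused below
    leak = nonce_reuse_leak(enc(k, m1, r), enc(k, m2, r))
    assert leak == xor(m1, m2)
    print("m1 XOR m2 recovered without the key:", leak.hex())
    print("Pr[Repeat] for 2^32 messages at n = 128:", repeat_bound(2 ** 32))
```

With n = 128, repeat_bound(2**32) is about 2^-96, so random nonces are safe; the same function with n_bits=64 shows why a 64-bit block cipher in this role is a poor choice once message counts grow.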

CPA-secure encryption
We have shown a CPA-secure encryption scheme based on any block cipher/PRF: Enc_k(m) = <r, F_k(r) ⊕ m>
Drawbacks?
A 1-block plaintext results in a 2-block ciphertext
Only defined for encryption of n-bit messages

Encrypting long messages?
Recall that CPA-security ⇒ security for the encryption of multiple messages.
So, we can encrypt the message m_1, …, m_t as Enc_k(m_1), Enc_k(m_2), …, Enc_k(m_t).
This is also CPA-secure!

[Figure: the sender, holding k, computes c_1 ← Enc_k(m_1), …, c_t ← Enc_k(m_t) independently and sends c_1, …, c_t; the receiver, holding the same k, decrypts each block.]

Drawback
The ciphertext is twice the length of the plaintext, i.e., ciphertext expansion by a factor of two.
Can we do better?
Modes of operation: block-cipher modes of operation and stream-cipher modes of operation.

CTR mode
Enc_k(m_1, …, m_t) // note: t is arbitrary
Choose uniform ctr ∈ {0,1}^n, set c_0 = ctr
For i = 1 to t: c_i = m_i ⊕ F_k(ctr + i) (addition modulo 2^n)
Output c_0, c_1, …, c_t
Decryption? Recompute the same keystream: m_i = c_i ⊕ F_k(c_0 + i). F is never inverted, so CTR mode only needs a PRF, not a PRP.
Ciphertext expansion is just 1 block.

[Figure: CTR mode. ctr+1, ctr+2, …, ctr+t are each fed through F_k; the outputs are XORed with m_1, m_2, …, m_t to give c_1, c_2, …, c_t, and ctr itself is sent as c_0.]

CTR mode
Theorem: If F is a pseudorandom function, then CTR mode is CPA-secure.
Proof sketch: the sequence F_k(ctr_i + 1), …, F_k(ctr_i + t) used to encrypt the i-th message is pseudorandom. Moreover, it is independent of every other such sequence unless ctr_i + j = ctr_{i'} + j' for some i, j, i', j'. Just need to bound the probability of that event.

CBC mode
Enc_k(m_1, …, m_t) // note: t is arbitrary
Choose random c_0 ∈ {0,1}^n (also called the IV)
For i = 1 to t: c_i = F_k(m_i ⊕ c_{i-1})
Output c_0, c_1, …, c_t
Decryption? m_i = F_k^-1(c_i) ⊕ c_{i-1}, which requires F to be invertible.
Ciphertext expansion is just 1 block.
(The IV must be uniform, or at least unpredictable to the attacker, not merely unique: if the attacker can predict the next IV, a chosen plaintext lets it test a guess about an earlier message block, and CPA-security is lost.)

[Figure: CBC mode. The IV is c_0; m_1 ⊕ c_0 is fed through F_k to give c_1, m_2 ⊕ c_1 is fed through F_k to give c_2, and so on up to c_t.]

CBC mode Theorem: If F is a pseudorandom permutation, then CBC mode is CPA-secureProof is more complicated than for CTR mode

ECB mode
Enc_k(m_1, …, m_t) = F_k(m_1), …, F_k(m_t)
Deterministic. Not CPA-secure!
Can tell from the ciphertext whether m_i = m_j. Not even EAV-secure!
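An added example covering the CTR, CBC and ECB slides above (not the lecture's own code): the three modes in Python over a toy block cipher. Since neither AES nor a block-cipher library is assumed here, the keyed permutation F_k is a 4-round Feistel network whose round function is truncated HMAC-SHA256; that is a teaching stand-in chosen only because it is invertible, which CBC decryption and ECB need, and is not a cipher to use for anything real. `repeated_blocks` reports positions of identical ciphertext blocks, which is exactly the ECB leak the slide describes and which CTR and CBC do not exhibit.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

BLOCK = 16          # block length m = 128 bits
HALF = BLOCK // 2
ROUNDS = 4

# Assumption: a toy 4-round Feistel network with an HMAC-SHA256 round function
# stands in for the block cipher F_k (the slides would use AES). It is invertible
# by construction but is a teaching stand-in, not a real cipher.


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(k: bytes, i: int, half: bytes) -> bytes:
    # The round index in the input gives each round its own keyed function.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def F(k: bytes, x: bytes) -> bytes:
    """Forward keyed permutation F_k on one 16-byte block."""
    L, R = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        L, R = R, xor(L, round_fn(k, i, R))
    return L + R


def F_inv(k: bytes, y: bytes) -> bytes:
    """Inverse permutation F_k^-1: undo the Feistel rounds in reverse order."""
    L, R = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, round_fn(k, i, L)), L
    return L + R


def blocks_of(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (padding is not covered on these slides)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ctr_add(ctr: bytes, i: int) -> bytes:
    """ctr + i as an n-bit block, wrapping modulo 2^n."""
    return ((int.from_bytes(ctr, "big") + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")


# CTR mode: c_0 = ctr, c_i = m_i XOR F_k(ctr + i). Only F is used, never F_inv.

def ctr_enc(k: bytes, m: bytes, ctr: Optional[bytes] = None) -> bytes:
    ctr = os.urandom(BLOCK) if ctr is None else ctr
    body = (xor(mi, F(k, ctr_add(ctr, i))) for i, mi in enumerate(blocks_of(m), start=1))
    return ctr + b"".join(body)


def ctr_dec(k: bytes, c: bytes) -> bytes:
    ctr, body = c[:BLOCK], c[BLOCK:]
    return b"".join(xor(ci, F(k, ctr_add(ctr, i))) for i, ci in enumerate(blocks_of(body), start=1))


# CBC mode: c_0 = IV, c_i = F_k(m_i XOR c_{i-1}). Decryption needs F_inv.

def cbc_enc(k: bytes, m: bytes, iv: Optional[bytes] = None) -> bytes:
    prev = os.urandom(BLOCK) if iv is None else iv   # IV must be unpredictable
    out = [prev]
    for mi in blocks_of(m):
        prev = F(k, xor(mi, prev))
        out.append(prev)
    return b"".join(out)


def cbc_dec(k: bytes, c: bytes) -> bytes:
    cs = blocks_of(c)
    return b"".join(xor(F_inv(k, cs[i]), cs[i - 1]) for i in range(1, len(cs)))


# ECB mode: c_i = F_k(m_i). Deterministic, no IV.

def ecb_enc(k: bytes, m: bytes) -> bytes:
    return b"".join(F(k, mi) for mi in blocks_of(m))


def ecb_dec(k: bytes, c: bytes) -> bytes:
    return b"".join(F_inv(k, ci) for ci in blocks_of(c))


def repeated_blocks(c: bytes) -> List[Tuple[int, int]]:
    """Positions (i, j) with c_i == c_j. Under ECB this reveals m_i == m_j."""
    cs = blocks_of(c)
    return [(i, j) for i in range(len(cs)) for j in range(i + 1, len(cs)) if cs[i] == cs[j]]


if __name__ == "__main__":
    k = os.urandom(BLOCK)
    m = b"A" * BLOCK + b"B" * BLOCK + b"A" * BLOCK   # constructed: blocks 0 and 2 are equal
    print("ECB repeats:", repeated_blocks(ecb_enc(k, m)))           # [(0, 2)]
    print("CBC repeats:", repeated_blocks(cbc_enc(k, m)[BLOCK:]))   # []
    print("CTR repeats:", repeated_blocks(ctr_enc(k, m)[BLOCK:]))   # []
```

The three-block message with m_1 = m_3 is the penguin picture in miniature: ECB maps the equal blocks to equal ciphertext blocks, while CTR (different counter values) and CBC (different chaining inputs) do not. Note also that ctr_dec and ctr_enc share the keystream code and never call F_inv, which is why CTR mode is stated for PRFs and CBC for PRPs.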

Not just a theoretical problem!
[Figure: the Tux penguin image, original on the left and encrypted using ECB mode on the right; the outline of the penguin remains visible because identical plaintext blocks encrypt to identical ciphertext blocks.] (Taken from http://en.wikipedia.org and derived from images created by Larry Ewing (lewing@isc.tamu.edu) using The GIMP.)