Foundations of Cryptography Lecture 12 Lecturer: Moni Naor
Dec 18, 2015


Recap of Lecture 11

• Pseudo-random functions
• Combining pseudo-random functions
  – Concatenation
  – Composing
• The GGM tree construction
• Pseudo-random permutations
• Feistel permutations

Pseudo-Random Permutations

Block ciphers:
• Shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.

(Figure: a plaintext block enters the cipher, keyed by the key, and a ciphertext block of the same length comes out.)

Block Ciphers

• Advantages
  – Saves on memory and communication bandwidth
  – Easy to incorporate within existing systems
• Main disadvantage
  – Every block is always encrypted in the same way
• Important examples: DES, AES

Modeling Block Ciphers

• Pseudo-random permutations

  F : {0,1}^k × {0,1}^n → {0,1}^n        (key, domain → range)
  F^{-1} : {0,1}^k × {0,1}^n → {0,1}^n   (key, range → domain)

• Want:
  – X = F_S^{-1}(F_S(X))   (correct inverse)
  – Efficiently computable

The Test

• The tester A can choose adaptively
  – X_1 and get Y_1 = F_S(X_1)
  – Y_2 and get X_2 = F_S^{-1}(Y_2)
  …
  – X_q and get Y_q = F_S(X_q)
• Then A has to decide whether
  – F_S ∈_R Φ_k, or
  – F_S ∈_R P(n) = { F | F : {0,1}^n → {0,1}^n is 1-1 }

A can choose to evaluate or invert any point!

(t,ε,q)-pseudo-random

For a function F chosen at random from
(1) Φ_k = { F_S | S ∈ {0,1}^k }
(2) P(n) = { F | F : {0,1}^n → {0,1}^n is 1-1 }

For all t-time machines A that choose q locations and try to distinguish (1) from (2):

  | Pr[A = '1' | F ∈_R Φ_k] − Pr[A = '1' | F ∈_R P(n)] | ≤ ε

Construction of Pseudo-Random Permutations

• Possible to construct p.r. permutations from p.r. functions (and vice versa)
• Based on 4 Feistel permutations

Feistel Permutation

Any f : {0,1}^n → {0,1}^n defines a Feistel permutation

  D_f(L,R) = (R, L ⊕ f(R))

Feistel permutations are as easy to invert as to compute:

  D_f^{-1}(L,R) = (R ⊕ f(L), L)

Many block ciphers are based on such permutations, where the function f is derived from the secret key.

Feistel Permutation (figure): the input halves (L1, R1) pass through one round with function f and come out as the halves (L2, R2).

Composing Feistel Permutations

• Make the function f : {0,1}^n → {0,1}^n a pseudo-random function G_S ∈_R Φ'_k
• This defines a keyed family of permutations {0,1}^{2n} → {0,1}^{2n}
• Clearly it is not pseudo-random
  – The right block goes unchanged to the left block

What about composing two such keyed permutations with independent keys?

• Not pseudo-random:
  D_{S2}(D_{S1}(L,R)) = (G_{S1}(L) ⊕ R, G_{S2}(G_{S1}(L) ⊕ R) ⊕ R)
  – For two inputs sharing the same left block
• Looks pretty good for random attacks!
  – No repetitions on the pseudo-random part

Main Construction

Let G_{S1}, G_{S2}, G_{S3}, G_{S4} ∈_R PRF. Then the composition of D_{S1}, D_{S2}, D_{S3}, D_{S4} is a pseudo-random permutation.

• Each G_i : {0,1}^n → {0,1}^n; the resulting permutation is {0,1}^{2n} → {0,1}^{2n}
• G_1 and G_4 can be "combinatorial":
  – pair-wise independent
  – low probability of collision on the first block
• Error probability is ~ q^2/2^n
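As an added example (not code from the lecture), the Feistel round D_f, its inverse, and the four-round composition of the main construction in Python, with HMAC-SHA256 truncated to n bits standing in for the pseudo-random functions G_{S_i} (an assumption of this example, as are the constructed round keys). The slide on composing two rounds applies G_{S1} to the left half; with D_f as defined on the Feistel slide the first round function is applied to R, so the two-round check below fixes the right half of the two inputs.

```python
import hashlib
import hmac

N = 8  # n = 64-bit halves; the permutation acts on {0,1}^{2n}, i.e. 16-byte blocks

def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for the pseudo-random function G_S (assumption of this example):
    HMAC-SHA256 under the round key S, truncated to n bits."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))

def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R))"""
    return R, xor(L, f(R))

def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): one call to f, no inverse of f needed."""
    return xor(R, f(L)), L

def lr_encrypt(keys, block: bytes) -> bytes:
    """Compose D_{S1}, ..., D_{Sr} with G_{Si} = prf(S_i, .); four independent
    keys give the Luby-Rackoff permutation of the main construction."""
    L, R = block[:N], block[N:]
    for k in keys:
        L, R = feistel(lambda r, k=k: prf(k, r), L, R)
    return L + R

def lr_decrypt(keys, block: bytes) -> bytes:
    L, R = block[:N], block[N:]
    for k in reversed(keys):  # undo the rounds last-to-first
        L, R = feistel_inv(lambda l, k=k: prf(k, l), L, R)
    return L + R

def two_round_leak(keys, L1: bytes, L2: bytes, R: bytes) -> bool:
    """Why two rounds are not pseudo-random: with D_f as above, two rounds map
    (L, R) to (L xor G1(R), R xor G2(L xor G1(R))), so inputs that share R have
    output left halves whose xor is L1 xor L2, whatever the keys are.  With
    four rounds this equality holds only with probability about 2^-n."""
    c1, c2 = lr_encrypt(keys, L1 + R), lr_encrypt(keys, L2 + R)
    return xor(c1[:N], c2[:N]) == xor(L1, L2)

if __name__ == "__main__":
    keys = [bytes([i]) * 16 for i in range(1, 5)]  # constructed round keys S1..S4
    msg = b"abcdefghijklmnop"
    print("one round leaks R:", lr_encrypt(keys[:1], msg)[:N] == msg[N:])
    print("two rounds leak:", two_round_leak(keys[:2], b"A" * 8, b"B" * 8, b"R" * 8))
    print("four rounds leak:", two_round_leak(keys, b"A" * 8, b"B" * 8, b"R" * 8))
```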

Security Theorem

Let
(1) be the set of permutations obtained when the two middle functions G_2, G_3 are truly random functions and the first and last, (h_1, h_2), are chosen from a pairwise independent family.
(2) P(n) = { F | F : {0,1}^n → {0,1}^n is 1-1 }

Theorem: For any adversary A (not necessarily efficient) that makes at most q queries, the advantage in distinguishing a random permutation from P(n) from a random one from (1) is at most q^2/2^n + q^2/2^{2n}.

Corollary: the original construction is computationally secure.

Back to Two Permutations

For each pair of input and output blocks, (L1,R1) is mapped to (L2,R2) if and only if
• G_{S1}(R1) = L1 ⊕ L2
• G_{S2}(L2) = R1 ⊕ R2

• So we have "one-wise independence":
  – Happens with probability 1/2^{2n}
• Furthermore: for any q pairs
  (L1_1,R1_1) ↦ (L2_1,R2_1), (L1_2,R1_2) ↦ (L2_2,R2_2), …, (L1_q,R1_q) ↦ (L2_q,R2_q)
  such that for j ≠ i: R1_j ≠ R1_i and L2_j ≠ L2_i,
  the probability that all are mapped to each other is 1/2^{2qn}

The Transcript

• May assume A is deterministic
  – Since it is not computationally bounded
• The transcript T is the set of pairs of inputs/outputs
  (X_1,Y_1), (X_2,Y_2), …, (X_q,Y_q)
  queried by A
  – Queries can go either way (evaluate or invert)
• Consider a third distribution P̃ of responses: if A
  – asks for F(x) and x appeared before in a query <x,y>: answer y
  – asks for F^{-1}(y) and y appeared before in a query <x,y>: answer x
  – otherwise: answer a random z ∈ {0,1}^{2n}
• P̃ is not always consistent with some permutation
  – Call the resulting transcript inconsistent

P̃ is Close to P

Claim: A may differentiate between P and P̃ only if the transcript is inconsistent.

Claim ["inconsistent"]:

  Prob[T is inconsistent] ≤ q^2/2^{2n}

Proof: birthday.

It remains to bound the difference between P̃ and the distribution (1) of the Security Theorem.
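As an added example (not from the lecture), the process P̃ of the two slides above in Python: a query is answered from an earlier pair of the transcript when its point was seen before and with a fresh value otherwise, and the transcript is flagged inconsistent when a fresh answer collides with a value already paired with a different point. The second function estimates Prob[T is inconsistent] empirically and returns it next to the birthday bound q^2/2^{2n} of the "inconsistent" Claim; the block size, query count and trial count are constructed for the demonstration.

```python
import random

def process_p_tilde(queries, fresh):
    """The third distribution P~ from the slides.  queries is a list of
    ('F', x) evaluate or ('I', y) invert requests made by A.  A point that
    appeared in an earlier pair <x,y> is answered from that pair; any other
    point is answered with a fresh value z in {0,1}^{2n} returned by fresh().
    Returns (transcript, consistent): the transcript is inconsistent when no
    permutation could have produced it, i.e. a fresh answer repeats a value
    that is already paired with a different point."""
    by_x, by_y = {}, {}            # pairs <x,y> seen so far, indexed both ways
    transcript, consistent = [], True
    for direction, v in queries:
        if direction == 'F':
            if v in by_x:          # x appeared before: answer its y
                transcript.append((v, by_x[v]))
                continue
            x, y = v, fresh()
            consistent &= y not in by_y   # same y for two different x's
        else:
            if v in by_y:          # y appeared before: answer its x
                transcript.append((by_y[v], v))
                continue
            x, y = fresh(), v
            consistent &= x not in by_x   # same x for two different y's
        by_x[x], by_y[y] = y, x
        transcript.append((x, y))
    return transcript, consistent

def inconsistency_rate(n, q, trials, seed=0):
    """Empirical Pr[T is inconsistent] for q distinct evaluate queries on
    2n-bit blocks, returned next to the slides' birthday bound q^2 / 2^(2n)."""
    rng = random.Random(seed)      # seeded so the experiment is reproducible
    fresh = lambda: rng.getrandbits(2 * n)
    queries = [('F', x) for x in range(q)]
    bad = sum(not process_p_tilde(queries, fresh)[1] for _ in range(trials))
    return bad / trials, q * q / 2 ** (2 * n)

if __name__ == "__main__":
    # constructed run: 20 queries on 16-bit blocks, 20000 trials
    rate, bound = inconsistency_rate(n=8, q=20, trials=20000)
    print(f"inconsistent transcripts: {rate:.4f}, bound q^2/2^2n = {bound:.4f}")
```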

The BAD Event

Thought experiment: choose the functions (h_1, h_2) also for process P̃; they serve no purpose there.

If T = (X_1,Y_1), (X_2,Y_2), …, (X_q,Y_q) is consistent, we say that it is BAD for functions (h_1, h_2) if there exist j ≠ i such that either
– h_1(x_i) collides with the right half of h_1(x_j), or
– h_2(y_i) collides with the left half of h_2(y_j)

BAD event: either T is inconsistent or T is BAD for (h_1, h_2)

Claim: Prob_{P̃}[BAD] ≤ q^2/2^n + q^2/2^{2n}

Key Lemma

Lemma: For any adversary A, for any possible value V = (X_1,Y_1), (X_2,Y_2), …, (X_q,Y_q):

  Prob_{P̃}[T = V and not BAD] = Prob_{(1)}[T = V and not BAD]

Concluding the Proof

By summing the Key Lemma over all transcripts:
• Prob_{P̃}[not BAD] = Prob_{(1)}[not BAD], which implies
• Prob_{P̃}[BAD] = Prob_{(1)}[BAD]

By summing the Key Lemma over all transcripts for which A outputs '1':

  Prob_{P̃}[A outputs '1' and not BAD] = Prob_{(1)}[A outputs '1' and not BAD]

Hence:

  | Prob_{P̃}[A outputs '1'] − Prob_{(1)}[A outputs '1'] | ≤ Prob_{P̃}[BAD] ≤ q^2/2^n + q^2/2^{2n}

By the "inconsistent" Claim, P and P̃ are close and we are done.

k-wise Independent Permutations

• Simple constructions for k-wise independent functions
  – For instance, a random polynomial of degree k-1
• No equivalent ones known for k-wise independent permutations
• In the 4 Feistel permutation construction, if the two middle functions are k-wise independent
  – the Security Theorem implies that the result is q^2/2^n close to a k-wise independent permutation
• T. Gowers: alternative construction of approximate k-wise independent permutations

Other Constructions

• Generalized Feistel permutations
• Generalized construction of pseudo-random permutations:
  – The first and last rounds as before
  – The two middle Feistel permutations are replaced with t generalized Feistel permutations
  – The distinguishing probability is roughly q^2/2^{2(1-1/t)n}
• Construction of long pseudo-random permutations from short ones:
  – First and last round combinatorial
  – In the middle, independent applications of the short pseudo-random permutations

Encryption Using Pseudo-Random Permutations

• Sender and receiver share a secret key S ∈_R {0,1}^k
• S defines a function F_S ∈ Φ_k
• What is wrong with encrypting X with F_S(X)?

Definition of the Security of Encryption

• Several settings
  – Shared key vs public key
  – How active is the adversary
• Sender and receiver want to prevent Eve from learning anything about the message
• Want to simulate as much as possible the protection that an information theoretic encryption scheme provides

Information Theoretic Setting

• If Eve has some knowledge of m, it should remain the same:
  – Probability of guessing m
    • Min-entropy of m
  – Probability of guessing whether m is m_0 or m_1
  – Probability of computing some function f of m
• Ideally: the message sent is independent of the message m
  – Implies all the above
• Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m
  – If there is no special knowledge about m, then this is |m|

To Specify Security of Encryption

• The power of the adversary
  – Computational: probabilistic polynomial time machine (PPTM)
  – Access to the system: can it change the messages?
• What constitutes a failure of the system, i.e. what it means to break the system
  – Reading a message
  – Forging a message?

Computational Security of Encryption: Indistinguishability of Encryptions

Indistinguishability of encrypted strings:
• Adversary A chooses X_0, X_1 ∈ {0,1}^n
• receives the encryption of X_b for b ∈_R {0,1}
• has to decide whether b = 0 or b = 1

For every pptm A choosing a pair X_0, X_1 ∈ {0,1}^n:

  | Pr[A = '1' | b = 1] − Pr[A = '1' | b = 0] | is negligible.

Probability is over the choice of keys, the randomization in the encryption and A's coins.

In other words: encryptions of X_0, X_1 are indistinguishable.

Quantification is over the choice of X_0, X_1 ∈ {0,1}^n.

Computational Security of Encryption: Semantic Security

Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can an A' that does not see the encryption of X yet simulates A's knowledge with respect to X.

A selects:
• A distribution D_n on {0,1}^n
• A relation R(X,Y), computable in probabilistic polynomial time

For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n:

  | Pr[R(X, A(E(X)))] − Pr[R(X, A'())] | is negligible.

In other words: the outputs of A and A' are indistinguishable even for a test that is aware of X.

Note: this presentation of semantic security is non-standard (but equivalent).

References

• Blum-Micali: SIAM J. Computing, 1984
• Yao:
• Blum, Blum, Shub: SIAM J. Computing, 1988
• Goldreich, Goldwasser and Micali: J. of the ACM, 1986
• Luby-Rackoff: SIAM J. Computing, 1988
• Naor-Reingold: Journal of Cryptology, 1999

References (continued)

• O. Goldreich, The Foundations of Cryptography, www.wisdom.weizmann.ac.il/~oded/foc-book.html
• M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press.
• S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html