
Page 1: CIS 5371   Cryptography


CIS 5371 Cryptography
3c. Pseudorandom Functions

Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography

Page 2

Definition

Page 3

Definition 3.23

• Let F be an efficient, length-preserving, keyed function. F is a pseudorandom function if for all probabilistic polynomial-time (PPT) distinguishers D there exists a negligible function negl such that

|Pr[D^{F_k(·)}(1^n) = 1] − Pr[D^{f(·)}(1^n) = 1]| ≤ negl(n),

where the key k ∈ {0,1}^n is chosen uniformly at random and f is chosen uniformly at random from the set of all functions mapping n-bit strings to n-bit strings. D is given oracle access to one of the two functions and has to tell which one it is talking to.

Page 4

A secure fixed length encryption scheme

[Figure: a fresh random string r is used to derive a pad; ciphertext = plaintext XOR pad.]

Page 5

Existence of pseudorandom functions

• We cannot prove unconditionally that pseudorandom functions exist!
• In practice there exist very efficient primitives called block ciphers that are widely believed to behave as pseudorandom functions.

Page 6

CPA secure encryption using a PRF

Protocol. Let F be a pseudorandom function. Define a private-key encryption scheme for messages of length n as follows:
• Gen: on input 1^n, choose k ∈ {0,1}^n uniformly at random and output it as the key.
• Enc: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, choose r ∈ {0,1}^n uniformly at random and output the ciphertext c := ⟨r, F_k(r) ⊕ m⟩.
• Dec: on input a key k ∈ {0,1}^n and a ciphertext c = ⟨r, s⟩, output the plaintext m := F_k(r) ⊕ s.

A fresh r is chosen for every encryption, so the pad F_k(r) is never reused; r can be sent in the clear because, without k, knowing r reveals nothing about F_k(r).

Page 7

Theorem 3.25. Let F be a pseudorandom function. Then the protocol on the previous slide is a fixed-length private-key encryption scheme for messages of length n that has indistinguishable encryptions under a chosen-plaintext attack (CPA).

Page 8

A secure fixed length encryption: Proof

Proof idea. Call the protocol Π, and let Π̃ be the same protocol with F_k replaced by a truly random function f from n-bit strings to n-bit strings. Then, against Π̃, an adversary A that makes at most q(n) encryption queries can do no better than against the one-time pad unless the r used in the challenge ciphertext collides with the r of one of its queries, which happens with probability at most q(n)/2^n. So the success probability of A against Π̃ is at most 1/2 + q(n)/2^n.

Page 9

A secure fixed length encryption: Proof

Let ε(n) be the gap between the success probability of A against the real protocol Π (which uses F_k) and against the idealized protocol Π̃ (which uses a truly random function f in place of F_k). Then Pr[A succeeds against Π] = Pr[A succeeds against Π̃] + ε(n). If ε(n) is negligible we are done: A cannot distinguish the encryptions of m_0 and m_1 noticeably better under Π than under Π̃. Otherwise a non-negligible gap between them would make it possible to distinguish a truly random function from the pseudorandom F_k, contradicting Definition 3.23; the reduction that does this is on the next slide.

Page 10

A secure fixed length encryption: Reduction

[Figure: distinguisher D with oracle O, where O is either F_k (pseudorandom) or f (truly random), running the CPA adversary A against the protocol.]

Distinguisher D with oracle O:
• Run A. Whenever A queries its encryption oracle with a chosen plaintext m, choose r uniformly at random, query O to get s' = O(r), and return the ciphertext (r, s' ⊕ m) to A. Repeat for as many chosen plaintexts as A asks for.
• When A outputs a pair m_0, m_1, choose a random bit b and encrypt m_b in the same way: fresh r, s' = O(r), c_b = (r, s' ⊕ m_b). Give c_b to A.
• Answer any further encryption queries of A as before.
• When A outputs its guess b', return 1 if b' = b and 0 otherwise.

If O = F_k then A sees exactly the protocol Π; if O = f then A sees the idealized protocol Π̃. So D outputs 1 with exactly A's success probability in each case, and the difference between the two is D's distinguishing advantage against F.

Page 11

A secure fixed length encryption: Proof

From the bound on the idealized protocol Π̃ (success probability at most 1/2 + q(n)/2^n, where q(n) is the number of encryption queries) and from the reduction (the gap between A's success against Π and against Π̃ equals the advantage of a PPT distinguisher against F) we get that the gap must be negligible. So the success probability of A against Π is at most 1/2 + negl(n), that is, its advantage is negligible.

Page 12

A secure variable length encryption

A message m = m_1 ‖ m_2 ‖ … ‖ m_l consisting of l blocks of n bits can be securely encrypted block by block, with an independent fresh random string r_i for every block:

⟨r_1, F_k(r_1) ⊕ m_1⟩, ⟨r_2, F_k(r_2) ⊕ m_2⟩, …, ⟨r_l, F_k(r_l) ⊕ m_l⟩.

The ciphertext is twice as long as the message.

Page 13

Corollary 3.26

Let F be a pseudorandom function. Then the scheme sketched on the previous slide is an arbitrary-length private-key encryption scheme that has indistinguishable encryptions under a chosen-plaintext attack.
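The fixed-length protocol of Theorem 3.25 together with its block-by-block extension from Corollary 3.26, written out as an added example in Go. This is not code from the slides or from Katz and Lindell. It assumes AES-128 as the pseudorandom function F_k (a block cipher used as a PRF, the practical assumption the slides themselves make), so n = 128 bits; the names Gen, EncBlock, DecBlock, Enc and Dec and the sample plaintext are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"errors"
	"fmt"
)

// n is the PRF's block length in bytes. AES-128 maps 16-byte inputs to 16-byte
// outputs under a 16-byte key, so it stands in for the length-preserving F_k.
const n = aes.BlockSize

// prf evaluates F_k(x) = AES_k(x); only a malformed key length can fail.
func prf(k, x []byte) []byte {
	blk, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	blk.Encrypt(out, x)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Gen chooses the key k uniformly at random from {0,1}^128.
func Gen() []byte {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// EncBlock is Enc of the fixed-length protocol: pick a fresh uniform r and
// output <r, F_k(r) xor m>, two blocks in total.
func EncBlock(k, m []byte) ([]byte, error) {
	if len(m) != n {
		return nil, errors.New("message must be exactly one block")
	}
	r := make([]byte, n)
	if _, err := rand.Read(r); err != nil {
		return nil, err
	}
	return append(r, xor(prf(k, r), m)...), nil
}

// DecBlock recovers m = F_k(r) xor s from <r, s>.
func DecBlock(k, c []byte) ([]byte, error) {
	if len(c) != 2*n {
		return nil, errors.New("ciphertext must be <r, s>, two blocks long")
	}
	return xor(prf(k, c[:n]), c[n:]), nil
}

// Enc is the arbitrary-length scheme: m = m_1 ... m_l is encrypted block by
// block, and every block gets its own independent r_i (never a shared one).
func Enc(k, m []byte) ([]byte, error) {
	if len(m) == 0 || len(m)%n != 0 {
		return nil, errors.New("message length must be a non-zero multiple of n")
	}
	var c []byte
	for i := 0; i < len(m); i += n {
		ci, err := EncBlock(k, m[i:i+n])
		if err != nil {
			return nil, err
		}
		c = append(c, ci...)
	}
	return c, nil
}

// Dec inverts Enc; a valid ciphertext is twice as long as its plaintext.
func Dec(k, c []byte) ([]byte, error) {
	if len(c) == 0 || len(c)%(2*n) != 0 {
		return nil, errors.New("ciphertext length must be a non-zero multiple of 2n")
	}
	var m []byte
	for i := 0; i < len(c); i += 2 * n {
		mi, err := DecBlock(k, c[i:i+2*n])
		if err != nil {
			return nil, err
		}
		m = append(m, mi...)
	}
	return m, nil
}

func main() {
	k := Gen()
	c, _ := Enc(k, []byte("exactly two 16-byte blocks here.")) // constructed sample
	p, _ := Dec(k, c)
	fmt.Printf("%d-byte ciphertext decrypts to %q\n", len(c), p)
}
```

Encrypting the same message twice gives two different ciphertexts because every block draws its own r_i; the length checks matter because without them Dec on a truncated or odd-length ciphertext would slice out of range rather than fail cleanly.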

Page 14

Pseudorandom permutations

• A keyed function F is a keyed permutation if, for every key k, the function F_k is one-to-one (a bijection on n-bit strings).
• A keyed permutation is efficient if there is a polynomial-time algorithm that will compute F_k(x) given k and x, and a polynomial-time algorithm that will compute F_k^{-1}(y) given k and y.
• A pseudorandom permutation is defined in a manner analogous to Definition 3.23, by replacing the term “function” by “permutation” (f is chosen uniformly at random from the set of all permutations on n-bit strings).

Page 15

Definition 3.28: Strong pseudorandom permutations

• Let F be an efficient keyed permutation. We say that F is a strong pseudorandom permutation if for all PPT distinguishers D there exists a negligible function negl such that

|Pr[D^{F_k(·), F_k^{-1}(·)}(1^n) = 1] − Pr[D^{f(·), f^{-1}(·)}(1^n) = 1]| ≤ negl(n),

where k ∈ {0,1}^n is chosen uniformly at random and f is chosen uniformly at random from the set of all permutations on n-bit strings. The difference from an ordinary pseudorandom permutation is that D may also query the inverse.
• Block ciphers are the practical analogue of strong pseudorandom permutations.

Page 16

Pseudorandom permutations: modes of operation

1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Output Feedback (OFB)
4. Counter (CTR)

Page 17

Pseudorandom permutations: Electronic Code Book (ECB)

[Figure: ECB mode. Each plaintext block is encrypted directly: c_1 = F_k(m_1), c_2 = F_k(m_2), c_3 = F_k(m_3).]

Page 18

Pseudorandom permutations: Cipher Block Chaining (CBC)

[Figure: CBC mode. A random IV is transmitted with the ciphertext; each plaintext block is XORed with the previous ciphertext block before encryption: c_1 = F_k(m_1 ⊕ IV), c_2 = F_k(m_2 ⊕ c_1), c_3 = F_k(m_3 ⊕ c_2).]

Page 19

Pseudorandom permutations: Output Feedback (OFB)

[Figure: OFB mode. A random IV is transmitted; F_k is iterated on the IV to produce a pad that is XORed with the plaintext: r_1 = F_k(IV), r_2 = F_k(r_1), r_3 = F_k(r_2), and c_i = m_i ⊕ r_i.]

Page 20

Pseudorandom permutations: Counter mode (CTR)

[Figure: randomized counter mode. A random ctr is transmitted; the pad for block i is F_k(ctr + i): c_1 = m_1 ⊕ F_k(ctr + 1), c_2 = m_2 ⊕ F_k(ctr + 2), c_3 = m_3 ⊕ F_k(ctr + 3).]

Page 21

Pseudorandom permutations: modes of operation

Electronic Code Book (ECB). Encryption is deterministic (c_i = F_k(m_i), no randomness at all): no CPA-security. Worse: ECB mode does not even have indistinguishable encryptions in the presence of an eavesdropper, because equal plaintext blocks produce equal ciphertext blocks, and an eavesdropper can see that.

Page 22

Pseudorandom permutations: modes of operation

Cipher Block Chaining (CBC). Encryption is probabilistic (a fresh random IV is chosen for every message and sent with the ciphertext): it can be shown that we get CPA-security if F is a pseudorandom permutation. Drawback: encryption is sequential, since c_i depends on c_{i−1}; decryption of the blocks can be done in parallel. The IV must be unpredictable, not merely non-repeating.

Page 23

Pseudorandom permutations: modes of operation

Output Feedback (OFB). Encryption is probabilistic (a fresh random IV per message): it can be shown that we get CPA-security if F is a pseudorandom permutation. Only the forward direction of F_k is used, to generate the pad F_k(IV), F_k(F_k(IV)), …. Drawback: both encryption and decryption are sequential, although the pad can be precomputed before the message is known.

Page 24

Pseudorandom permutations: modes of operation

Counter (CTR), randomized counter mode. A fresh random ctr is chosen per message and sent with the ciphertext; block i is encrypted as c_i = m_i ⊕ F_k(ctr + i). Encryption is probabilistic: it can be shown that we get CPA-security if F is a pseudorandom function. Both encryption and decryption can be fully parallelized. We do not require that F is a permutation (that is, it need not be invertible), because decryption recomputes the same pads. The counter values must never repeat under the same key, or the pads repeat.

Page 25

Chosen Ciphertext Attacks (CCA)

In a CCA the adversary can not only obtain encryptions of messages of its choice (as in a CPA) but also decryptions of ciphertexts of its choice (with one exception: the challenge ciphertext). Formally this is captured by giving the adversary access to a decryption oracle as well as the encryption oracle.

Let Π = (Gen, Enc, Dec) be a private-key encryption scheme, A an adversary, and n the value of the security parameter.

Page 26

CCA indistinguishability experiment PrivK^cca_{A,Π}(n)

1. A key k is generated by running Gen(1^n).
2. The adversary A is given input 1^n and oracle access to Enc_k(·) and Dec_k(·). It outputs a pair of messages m_0, m_1 of the same length.
3. A random bit b ∈ {0,1} is chosen, and the challenge ciphertext c ← Enc_k(m_b) is computed and given to A.
4. The adversary A continues to have oracle access to Enc_k(·) and Dec_k(·), but is not allowed to query the decryption oracle on the challenge ciphertext itself. Eventually A outputs a bit b'.
5. The output of the experiment is 1 if b' = b, and 0 otherwise.

Page 27

Indistinguishable encryptions under CCA: Definition

A private-key encryption scheme Π has indistinguishable encryptions under a chosen-ciphertext attack if ∀ PPT adversaries A there exists a negligible function negl such that

Pr[PrivK^cca_{A,Π}(n) = 1] ≤ 1/2 + negl(n),

where the probability is taken over the random coins used by A and by the experiment.

Page 28

Insecurity of the encryption schemes that we have studied

1. None of the private-key encryption schemes discussed so far is CCA-secure.
2. Example. Take the PRF-based protocol with Enc_k(m) = ⟨r, F_k(r) ⊕ m⟩. Let m_0 = 0^n and m_1 = 1^n, and let the challenge ciphertext be ⟨r, s⟩ with s = F_k(r) ⊕ m_b. The adversary flips the first bit of s to obtain s' ≠ s and asks the decryption oracle for the decryption of ⟨r, s'⟩, which is allowed because it is not the challenge ciphertext. It gets either 10^{n−1} (if b = 0) or 01^{n−1} (if b = 1), and so learns b with certainty.
3. A similar type of chosen-ciphertext attack (modify the ciphertext so that the plaintext changes in a predictable way) applies to all the other schemes, since none of them detects tampering.
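The attack of item 2 run inside the CCA experiment of the previous slides, as an added example in Go (not code from the slides or from Katz and Lindell). It assumes AES-128 as F_k in the protocol Enc_k(m) = ⟨r, F_k(r) ⊕ m⟩, so n = 16 bytes, and the names Oracle, Adversary, PrivKcca, BitFlipper and WinRate are chosen here. The decryption oracle refuses only the challenge ciphertext itself, which is exactly the restriction the one-bit modification sidesteps.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

const n = aes.BlockSize // AES-128 stands in for the PRF F_k (assumption), so n = 16 bytes

func prf(k, x []byte) []byte {
	blk, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	blk.Encrypt(out, x)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func randomBytes(l int) []byte {
	b := make([]byte, l)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Enc_k(m) = <r, F_k(r) xor m> for a one-block m, and Dec_k(<r, s>) = F_k(r) xor s.
func Enc(k, m []byte) []byte { r := randomBytes(n); return append(r, xor(prf(k, r), m)...) }
func Dec(k, c []byte) []byte { return xor(prf(k, c[:n]), c[n:]) }

// Oracle is Enc_k or Dec_k as the adversary sees it. Adversary is the two-phase
// CCA adversary: pick m0, m1 with oracle access, then guess b from the challenge.
type Oracle func([]byte) ([]byte, error)

type Adversary interface {
	Choose(enc, dec Oracle) (m0, m1 []byte)
	Guess(c []byte, enc, dec Oracle) int
}

// PrivKcca runs the CCA indistinguishability experiment once and returns 1 if
// b' = b. The decryption oracle answers everything except the challenge itself.
func PrivKcca(adv Adversary) int {
	k := randomBytes(n)
	var challenge []byte
	enc := func(m []byte) ([]byte, error) { return Enc(k, m), nil }
	dec := func(c []byte) ([]byte, error) {
		if len(c) != 2*n || bytes.Equal(c, challenge) {
			return nil, fmt.Errorf("refused: malformed ciphertext or the challenge itself")
		}
		return Dec(k, c), nil
	}
	m0, m1 := adv.Choose(enc, dec)
	b := int(randomBytes(1)[0] & 1)
	challenge = Enc(k, [][]byte{m0, m1}[b])
	if adv.Guess(challenge, enc, dec) == b {
		return 1
	}
	return 0
}

// BitFlipper is the adversary from item 2 of the slide: m0 = 0^n, m1 = 1^n. It
// flips the first bit of s in <r, s> and asks for <r, s'>, which is not the challenge.
type BitFlipper struct{}

func (BitFlipper) Choose(_, _ Oracle) ([]byte, []byte) {
	return bytes.Repeat([]byte{0x00}, n), bytes.Repeat([]byte{0xff}, n)
}

func (BitFlipper) Guess(c []byte, _, dec Oracle) int {
	c2 := append([]byte(nil), c...)
	c2[n] ^= 0x80 // flip the first bit of s
	m, err := dec(c2)
	if err != nil || m[0] == 0x80 { // 1 0^{n-1}: the challenge encrypted m0
		return 0
	}
	return 1 // 0 1^{n-1}: the challenge encrypted m1
}

// WinRate returns the fraction of `trials` experiments won; a CCA-secure scheme
// would keep it near 1/2, this scheme gives exactly 1.
func WinRate(adv Adversary, trials int) float64 {
	wins := 0
	for i := 0; i < trials; i++ {
		wins += PrivKcca(adv)
	}
	return float64(wins) / float64(trials)
}

func main() {
	fmt.Printf("bit flipper wins %.2f of the CCA experiments\n", WinRate(BitFlipper{}, 100))
}
```

The same harness accepts any Adversary, so the CPA-style adversary that never calls dec can be plugged in to confirm it stays at about 1/2 against this scheme; the gap between the two is the whole difference between CPA and CCA security.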