fc0607_lect9

Foundations of Cryptography, Lecture 9: Pseudo-Random Functions and Permutations. Lecturer: Moni Naor.



  • Foundations of Cryptography

    Lecture 9: Pseudo-Random Functions and Permutations.

    Lecturer: Moni Naor

  • Recap of last week's lecture
    Application of the GL theorem to the pseudo-randomness of subset sum
    Hybrid arguments: from single-bit expansion to many-bit expansion
    Next-bit unpredictability is equivalent to computational pseudo-randomness
    Why extremely long random-looking strings are useful
    Pseudo-random functions: definition

  • The world so far
    Foundation: one-way functions (assuming P ≠ NP)
    Built on them: pseudo-random generators, UOWHFs, signature schemes, two-guards identification
    Will soon see: computational pseudorandomness, shared-key encryption and authentication

  • Reading Assignment
    Naor and Reingold, From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs, Crypto '98. www.wisdom.weizmann.ac.il/~naor/PAPERS/mac_abs.html

    Gradwohl, Naor, Pinkas and Rothblum, Cryptographic and Physical Zero-Knowledge Proof Systems for Solutions of Sudoku Puzzles. Especially Sections 1-3. www.wisdom.weizmann.ac.il/~naor/PAPERS/sudoku_abs.html

  • Homework
    How to have a one-time signature scheme with shorter public keys. Let f be a one-way permutation.

    How to construct a signature scheme existentially secure against an adaptively chosen message attack, from a scheme that is existentially secure against a random message attack.

  • Pseudo-Random Generators: concrete version
    $G_n : \{0,1\}^m \to \{0,1\}^n$

    Instead of passing all polynomial-time statistical tests:

    $(t,\varepsilon)$-pseudo-random: no test A running in time $t$ can distinguish $G_n(S)$, for $S \in_R \{0,1\}^m$, from a uniformly random string in $\{0,1\}^n$ with advantage $\varepsilon$

  • Recall: three basic issues in cryptography
    Identification, Authentication, Encryption
    Solve them in a shared-key environment: A and B both hold a key S

  • Identification: remote login using a pseudo-random sequence
    A and B share a key $S \in_R \{0,1\}^k$
    In order for A to identify itself to B: generate the sequence $G_n(S)$

    For each identification session: send the next block of $G_n(S)$

  • Problems...
    More than two parties
    Malicious adversaries: add noise
    Coordinating the location (block number)
    Better approach: Challenge-Response

  • Challenge-Response Protocol
    B selects a random location in the sequence and sends it to A ("What's this?")
    A sends back the value at that location

  • Desired Properties
    Very long string: prevents repetitions

    Random access to the sequence

    Unpredictability: cannot guess the value at a random location, even after seeing the values at many parts of the string of the adversary's choice
    Pseudo-randomness implies unpredictability; not the other way around for blocks

  • Authenticating Messages
    A wants to send a message $M \in \{0,1\}^n$ to B; B should be confident that A is indeed the sender of M

    One-time application: $S = (a, b)$ where $a, b \in_R \{0,1\}^n$. To authenticate M: supply $a \cdot M \oplus b$. Computation is done in $GF[2^n]$
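    The one-time tag $a \cdot M \oplus b$ above is a pairwise independent hash, and that is exactly what makes a single forgery succeed with probability $2^{-n}$ and a second use of the same key fatal. The following is an added example (not from the lecture) that implements the scheme over $GF[2^8]$, small enough that the forgery bound can be checked by exhausting all keys; the field is fixed by the AES polynomial $x^8 + x^4 + x^3 + x + 1$, which is this example's choice.

```python
"""One-time message authentication tag = a*M + b in GF(2^n).
Added example, not from the lecture slides. n = 8 so that every key can be
enumerated; the irreducible polynomial (AES's 0x11B) is this example's choice."""
import secrets

N = 8
IRREDUCIBLE = 0x11B  # x^8 + x^4 + x^3 + x + 1, fixes the field GF(2^8)


def gf_mul(x: int, y: int, n: int = N, poly: int = IRREDUCIBLE) -> int:
    """Multiply two elements of GF(2^n): carry-less product, reduced mod poly."""
    result = 0
    while y:
        if y & 1:
            result ^= x
        y >>= 1
        x <<= 1
        if x >> n:  # degree reached n: subtract (XOR) the modulus
            x ^= poly
    return result


def gf_inv(x: int) -> int:
    """Multiplicative inverse by exhaustive search (fine for n = 8)."""
    return next(z for z in range(1, 1 << N) if gf_mul(x, z) == 1)


def keygen() -> tuple:
    """S = (a, b) with a, b uniform in {0,1}^n."""
    return secrets.randbelow(1 << N), secrets.randbelow(1 << N)


def tag(key: tuple, m: int) -> int:
    a, b = key
    return gf_mul(a, m) ^ b


def verify(key: tuple, m: int, t: int) -> bool:
    return tag(key, m) == t


def forgery_probability(m: int, t: int, m_forged: int) -> float:
    """Best success probability of forging a tag for m_forged after seeing the
    single pair (m, t): enumerate all keys consistent with (m, t) and count how
    often the most popular candidate tag for m_forged occurs. For m_forged != m
    pairwise independence gives exactly 2^-n; for m_forged == m it is 1."""
    consistent = [(a, b) for a in range(1 << N) for b in range(1 << N)
                  if (gf_mul(a, m) ^ b) == t]
    counts = {}
    for key in consistent:
        tf = tag(key, m_forged)
        counts[tf] = counts.get(tf, 0) + 1
    return max(counts.values()) / len(consistent)


def recover_key(m1: int, t1: int, m2: int, t2: int) -> tuple:
    """Why the scheme is one-time: two tagged messages under the same key give
    t1 ^ t2 = a*(m1 ^ m2), hence a = (t1 ^ t2) * (m1 ^ m2)^-1 and b = t1 ^ a*m1."""
    a = gf_mul(t1 ^ t2, gf_inv(m1 ^ m2))
    return a, gf_mul(a, m1) ^ t1
```

    `forgery_probability` is the brute-force statement of the pairwise independence argument: for every value of $a$ there is exactly one consistent $b$, and the map $a \mapsto a \cdot (M \oplus M')$ is a bijection when $M \ne M'$, so the $2^n$ consistent keys spread the forged tag uniformly. `recover_key` is the reason the slide calls it a one-time application.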

  • Problems and Solutions
    Problems: the same as for identification
    If a very long random string is available, it can be used for one-time authentication (a fresh $(a, b)$ per message)
    Works even if $a, b$ are only random-looking

  • Encryption of Messages
    A wants to send a message $M \in \{0,1\}^n$ to B; only B should be able to learn M

    One-time application: $S = a$ where $a \in_R \{0,1\}^n$. To encrypt M, send $a \oplus M$

  • Encryption of Messages

    If a very long random-looking string is available, it can be used as in one-time encryption (a fresh block per message)

  • Pseudo-random Function: a way to provide an extremely long shared string

  • Pseudo-random Functions: concrete treatment
    $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$ (key × domain → range). Denote $Y = F_S(X)$
    A family of functions $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ is $(t, \varepsilon, q)$-pseudo-random if it is efficiently computable (with random access) and...

  • $(t, \varepsilon, q)$-pseudo-random
    The tester A can choose adaptively: $X_1$ and get $Y_1 = F_S(X_1)$; $X_2$ and get $Y_2 = F_S(X_2)$; ...; $X_q$ and get $Y_q = F_S(X_q)$
    Then A has to decide whether $F_S \in_R \mathcal{F}_k$ or $F_S \in_R \mathcal{R}_{n \to m} = \{F \mid F : \{0,1\}^n \to \{0,1\}^m\}$

  • $(t, \varepsilon, q)$-pseudo-random
    For a function F chosen at random from (1) $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ or (2) $\mathcal{R}_{n \to m} = \{F \mid F : \{0,1\}^n \to \{0,1\}^m\}$
    For all $t$-time machines A that choose $q$ locations and try to distinguish (1) from (2):
    $\left|\Pr[A = 1 \mid F \in_R \mathcal{F}_k] - \Pr[A = 1 \mid F \in_R \mathcal{R}_{n \to m}]\right| \le \varepsilon$

  • Equivalent / Non-Equivalent Definitions
    Instead of the next-bit test: for $X \notin \{X_1, X_2, \ldots, X_q\}$ chosen by A, decide whether a given Y is $Y = F_S(X)$ or $Y \in_R \{0,1\}^m$
    Adaptive vs. non-adaptive
    Unpredictability vs. pseudo-randomness
    A pseudo-random sequence generator $g : \{0,1\}^m \to \{0,1\}^n$ is a pseudo-random function on the small domain $\{0,1\}^{\log n} \to \{0,1\}$ with key in $\{0,1\}^m$ (the $i$-th output bit is the value at $i$)

  • Application to the basic issues in cryptography: solution using a shared key S
    Identification: B to A: $X \in_R \{0,1\}^n$; A to B: $Y = F_S(X)$; B verifies by recomputing $F_S(X)$
    Authentication: A to B: $Y = F_S(M)$; beware the replay attack (a recorded $(M, F_S(M))$ verifies forever)
    Encryption: A chooses $X \in_R \{0,1\}^n$; A to B: $\langle X,\, F_S(X) \oplus M \rangle$
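    The three protocols on this slide, as an added example that is not part of the lecture. HMAC-SHA256 under a uniform 32-byte key stands in for the pseudo-random function $F_S$ (an assumption of this example), with $n = m = 256$ bits. The counter-based variant of the authentication tag is this example's fix for the replay caveat, not something the slide prescribes; the deliberate reuse of $X$ in `pad_reuse_leak` shows why $X$ must be fresh per encryption.

```python
"""Identification, authentication and encryption from one shared-key PRF.
Added example, not from the lecture slides. Assumption: HMAC-SHA256 under a
uniformly random 32-byte key stands in for F_S : {0,1}^n -> {0,1}^m, n = m = 256."""
import hashlib
import hmac
import secrets

BLOCK = 32  # n / 8: challenges, messages and tags are 256-bit strings


def prf(key: bytes, x: bytes) -> bytes:
    """F_S(X), the shared-key pseudo-random function (HMAC-SHA256 stand-in)."""
    return hmac.new(key, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


# Identification: challenge-response
def challenge() -> bytes:
    """B -> A: X uniform at random, fresh per session, so a recorded answer
    F_S(X') for an old challenge X' is useless to an eavesdropper."""
    return secrets.token_bytes(BLOCK)


def respond(key: bytes, x: bytes) -> bytes:
    """A -> B: Y = F_S(X)."""
    return prf(key, x)


def check_response(key: bytes, x: bytes, y: bytes) -> bool:
    """B recomputes F_S(X); constant-time comparison."""
    return hmac.compare_digest(prf(key, x), y)


# Authentication: Y = F_S(M)
def authenticate(key: bytes, m: bytes) -> bytes:
    return prf(key, m)


def verify_tag(key: bytes, m: bytes, y: bytes) -> bool:
    """Stateless verifier: accepts a replayed (M, F_S(M)) any number of times."""
    return hmac.compare_digest(prf(key, m), y)


def authenticate_fresh(key: bytes, ctr: int, m: bytes) -> bytes:
    """Replay fix (this example's choice): bind a counter into the PRF input."""
    return prf(key, ctr.to_bytes(8, "big") + m)


def verify_fresh(key: bytes, seen: set, ctr: int, m: bytes, y: bytes) -> bool:
    """Reject any counter already accepted, then check the tag."""
    if ctr in seen or not hmac.compare_digest(authenticate_fresh(key, ctr, m), y):
        return False
    seen.add(ctr)
    return True


# Encryption: <X, F_S(X) xor M> for a fresh random X
def encrypt(key: bytes, m: bytes) -> tuple:
    assert len(m) == BLOCK
    x = secrets.token_bytes(BLOCK)
    return x, xor(prf(key, x), m)


def decrypt(key: bytes, ct: tuple) -> bytes:
    x, c = ct
    return xor(prf(key, x), c)


def pad_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Deliberately reuse one X for two messages: the pads F_S(X) cancel and an
    eavesdropper learns C1 xor C2 = M1 xor M2, exactly as with a two-time pad."""
    x = secrets.token_bytes(BLOCK)
    return xor(xor(prf(key, x), m1), xor(prf(key, x), m2))
```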

  • Goal
    Construct an ensemble $\{\mathcal{F}_k \mid k \in L\}$ such that for any $\{t_k, 1/\varepsilon_k, q_k \mid k \in L\}$ polynomial in $k$, for all but finitely many $k$'s, $\mathcal{F}_k$ is a $(t_k, \varepsilon_k, q_k)$-pseudo-random family

  • Construction
    Construction via expansion: expand $n$ (the domain) or $m$ (the range)
    Direct constructions

  • Effects of Concatenation
    Given functions $F_1, F_2, \ldots, F_\ell$, decide whether they are random and independent functions OR $F_{S_1}, F_{S_2}, \ldots, F_{S_\ell}$ for $S_1, S_2, \ldots, S_\ell \in_R \{0,1\}^k$

    Claim: If $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ is $(t, \varepsilon, q)$-pseudo-random, then one cannot distinguish the two cases using $q$ queries in time $t' = t - q$ with advantage better than $\ell\varepsilon$

  • Proof: Hybrid Argument
    Hybrid $i$ ($0 \le i \le \ell$): $R_1, \ldots, R_i, F_{S_{i+1}}, \ldots, F_{S_\ell}$, the first $i$ functions truly random and the rest pseudo-random; let $p_i$ be the probability that A outputs 1
    $i = 0$: $F_{S_1}, F_{S_2}, \ldots, F_{S_\ell}$ (all pseudo-random), probability $p_0$
    $i = \ell$: $R_1, R_2, \ldots, R_\ell$ (all random), probability $p_\ell$

    $p_\ell - p_0 \ge \ell\varepsilon \Rightarrow \exists i$ s.t. $p_{i+1} - p_i \ge \ell\varepsilon/\ell = \varepsilon$

  • ...Hybrid Argument
    Can use this $i$ to distinguish whether $F \in_R \mathcal{F}_k$ or $F \in_R \mathcal{R}_{n \to m}$:

    Generate $S_{i+2}, \ldots, S_\ell$
    Answer queries to the first $i$ functions at random (consistently)
    Answer queries to function $i+1$ using the (black box) input $F$
    Answer queries to functions $i+2$ through $\ell$ with $F_{S_{i+2}}, \ldots, F_{S_\ell}$
    If $F$ is pseudo-random this is hybrid $i$; if $F$ is random it is hybrid $i+1$

    Running time of the test: $t' + q \le t$

  • Doubling the domain
    Suppose we have $F^{(n)} : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$ which is $(t, \varepsilon, q)$-p.r.
    Want $F^{(n+1)} : \{0,1\}^k \times \{0,1\}^{n+1} \to \{0,1\}^m$ which is $(t', \varepsilon', q)$-p.r.

    Use $G : \{0,1\}^k \to \{0,1\}^{2k}$ which is $(t, \varepsilon)$-p.r.; write $G(S) = G_0(S) \circ G_1(S)$

    Let $F^{(n+1)}_S(b \circ x) = F^{(n)}_{G_b(S)}(x)$: the first bit $b$ selects which half of $G(S)$ keys the smaller function

  • Claim
    If G is $(t + q, \varepsilon_1)$-p.r. and $F^{(n)}$ is $(t + 2q, \varepsilon_2, q)$-p.r., then $F^{(n+1)}$ is $(t, \varepsilon_1 + 2\varepsilon_2, q)$-p.r.
    Proof: three distributions
    (1) $F^{(n+1)}_S$ for $S \in_R \{0,1\}^k$
    (2) $F^{(n)}_{S_0}, F^{(n)}_{S_1}$ for independent $S_0, S_1 \in_R \{0,1\}^k$ (the two halves of the domain keyed independently)
    (3) Random
    (1) vs (2): gap at most $\varepsilon_1$; (2) vs (3): gap at most $2\varepsilon_2$

  • ...Proof
    Given that (1) and (3) can be distinguished with advantage $\varepsilon_1 + 2\varepsilon_2$, then either (1) and (2) can be distinguished with advantage $\varepsilon_1$, so G can be distinguished with advantage $\varepsilon_1$ (replacing $G(S)$ by a truly random $S_0 \circ S_1$ is exactly the move from (1) to (2)), or (2) and (3) can be distinguished with advantage $2\varepsilon_2$, so by the concatenation claim with $\ell = 2$, $F^{(n)}$ can be distinguished with advantage $\varepsilon_2$

    Running time of the resulting tests: $t + q$ (against G) and $t + 2q$ (against $F^{(n)}$)

  • Getting from G to $F^{(n)}$: use the recursive construction

    $F^{(n)}_S(b_1 b_2 \cdots b_n) = F^{(n-1)}_{G_{b_1}(S)}(b_2 b_3 \cdots b_n) = G_{b_n}(G_{b_{n-1}}(\cdots G_{b_1}(S) \cdots))$

    Each evaluation of $F^{(n)}_S(x)$: $n$ invocations of G

  • Tree Description
    The root is labelled $S$; its children are $G_0(S)$ and $G_1(S)$; in general the children of a node labelled $v$ are $G_0(v)$ and $G_1(v)$, e.g. $G_0(G_0(S))$ and $G_1(G_0(G_0(S)))$
    Each leaf corresponds to an $x \in \{0,1\}^n$ (the path from the root). Label of the leaf: value of the pseudo-random function at $x$
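    The recursive construction and its tree view, as an added example that is not from the lecture. The length-doubling generator is assumed to be $G(S) = \mathrm{SHA256}(S \,\|\, 00) \,\|\, \mathrm{SHA256}(S \,\|\, 01)$ with $k = 256$ (a stand-in for a $(t, \varepsilon)$-pseudo-random G; this example's choice), and $G_0, G_1$ are its two halves. The same code also checks the doubling step $F^{(n+1)}_S(b \circ x) = F^{(n)}_{G_b(S)}(x)$ from the previous slides.

```python
"""GGM tree: a pseudo-random function on {0,1}^n from a length-doubling G.
Added example, not from the lecture slides. Assumption: SHA-256 with a domain
separation byte stands in for a pseudo-random G : {0,1}^k -> {0,1}^2k, k = 256."""
import hashlib

K_BYTES = 32  # k = 256 bits


def G0(s: bytes) -> bytes:
    return hashlib.sha256(s + b"\x00").digest()


def G1(s: bytes) -> bytes:
    return hashlib.sha256(s + b"\x01").digest()


def G(s: bytes) -> bytes:
    """G(S) = G_0(S) o G_1(S): k bits in, 2k bits out."""
    return G0(s) + G1(s)


def ggm_prf(seed: bytes, x: str) -> bytes:
    """F_S^{(n)}(b_1 ... b_n) = G_{b_n}(... G_{b_2}(G_{b_1}(S)) ...).
    Walk down from the root: left child on '0', right child on '1'. Exactly
    n = len(x) invocations of G, with random access to any of the 2^n leaves.
    A proper prefix of x yields the label of the corresponding internal node."""
    assert len(seed) == K_BYTES and set(x) <= {"0", "1"}
    label = seed
    for bit in x:
        label = G1(label) if bit == "1" else G0(label)
    return label


def ggm_prf_recursive(seed: bytes, x: str) -> bytes:
    """The same function written as the slide's recursion:
    F^{(n)}_S(b o x') = F^{(n-1)}_{G_b(S)}(x'), with F^{(0)}_S() = S."""
    if not x:
        return seed
    child = G1(seed) if x[0] == "1" else G0(seed)
    return ggm_prf_recursive(child, x[1:])


def doubling_step_holds(seed: bytes, x: str) -> bool:
    """Check the domain-doubling identity: F^{(n+1)}_S(b o x') equals
    F^{(n)} keyed by G_b(S) evaluated at x'."""
    b, rest = x[0], x[1:]
    sub_key = G1(seed) if b == "1" else G0(seed)
    return ggm_prf(seed, x) == ggm_prf(sub_key, rest)
```

    The two disadvantages listed later in the lecture are visible here: every evaluation walks $n$ levels (one G call each, inherently sequential), and the hybrid-by-levels proof charges $q\varepsilon$ per level, so the advantage degrades to $nq\varepsilon$.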

  • Security claim
    If G is $(t + qn, \varepsilon)$-p.r., then $F^{(n)}$ is $(t, nq\varepsilon, q)$-p.r.
    Proof: hybrid argument by levels. $D_i$: truly random labels for the nodes at level $i$ (on the $q$ queried paths), pseudo-random from level $i$ down. $D_0$ is the real tree; $D_n$ is a random function on the $q$ queried points
    Each $D_i$ is determined by a collection of at most $q$ labels: the nodes at level $i$ touched by the $q$ queries
    $\exists i$ s.t. $p_{i+1} - p_i \ge nq\varepsilon / n = q\varepsilon$

  • Hybrid $D_i$ (figure): the top $i$ levels carry random labels $S_0, S_1, \ldots$; the lower $n - i$ levels are computed by G, e.g. $G_0(S_0)$, $G_1(G_0(S_0))$

  • Proof of Security
    Can use this $i$ to distinguish the concatenation of $q$ sequence generators G from random: the children of the (at most) $q$ random labels at level $i$ are either G applied to those labels ($D_i$) or fresh random labels ($D_{i+1}$). The concatenation is $(t, q\varepsilon)$-pseudo-random

    Therefore the construction is $(t, nq\varepsilon, q)$-pseudo-random

  • Disadvantages
    Expensive: $n$ invocations of G
    Sequential
    Deterioration of $\varepsilon$ (by a factor of $nq$)

    But it does the job! From any pseudo-random sequence generator, construct a pseudo-random function. Theorem: one-way functions exist if and only if pseudo-random functions exist.

  • Applications of Pseudo-random Functions
    Learning theory: lower bounds. Cannot PAC-learn any class containing pseudo-random functions
    Complexity theory: impossibility of natural proofs for separating classes
    Any setting where a huge shared random string is useful

    Caveat: what happens when the seed is made public?

  • Application to Signatures
    Can make the UOWHF signature scheme into a memoryless / history-independent one.

    Identify the tree of the signature scheme with the tree of the pseudo-random function; can add labels on the internal nodes
    Add to the secret key of the signature scheme a key to a pseudo-random function
    Generate the one-time signatures of the triples using the label on the node; this guarantees consistency (the same node always gets the same triple)

    To always get the same signature on a message: the path to the leaf used is determined by the message

  • Construction of UOWHF signatures
    Key generation: generate the root: three sets of keys for a one-time signature scheme, and a function $g \in_R G$ from a family of UOWHFs
    Signing algorithm: traverse the tree in a BFS manner. Generate a new triple. Sign the message using the middle part of the node. Put the generated triple in the next available node in the current level; if all nodes in the current level are assigned, create a new one.
    The signature consists of: the one-time signature on the message; the nodes along the path to the root; the one-time signatures on the hashed nodes along the path to the root
    Keep secret the private keys of all triples
    Verification of signature: verify the one-time signatures given
    Size of signature: depth of tree × triple size

  • Another paradigm for obtaining Signatures
    Shared secret seed: can get authentication. What about public-key? Can we use the techniques? Yes!?
    Private key is $S$; public key is a commitment to $F_S$
    To sign M: provide $F_S(M)$ and a proof of consistency with the commitment

  • Pseudo-Random Permutations
    Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.

  • Block Ciphers
    Advantages: saves on memory and communication bandwidth; easy to incorporate within existing systems.
    Main disadvantage: every block is always encrypted in the same way.
    Important examples: DES, AES

  • Modeling Block Ciphers: Pseudo-random Permutations
    $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key × domain → range)
    $F^{-1} : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key × range → domain)
    Want: $X = F_S^{-1}(F_S(X))$ (correct inverse); both efficiently computable

  • The Test
    The tester A can choose adaptively: $X_1$ and get $Y_1 = F_S(X_1)$; $Y_2$ and get $X_2 = F_S^{-1}(Y_2)$; ...; $X_q$ and get $Y_q = F_S(X_q)$
    Then A has to decide whether $F_S \in_R \mathcal{F}_k$ or $F_S \in_R P(n) = \{F \mid F : \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$
    A can choose to evaluate or invert any point!

  • $(t, \varepsilon, q)$-pseudo-random
    For a function F chosen at random from (1) $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ or (2) $P(n) = \{F \mid F : \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$
    For all $t$-time machines A that choose $q$ locations and try to distinguish (1) from (2):
    $\left|\Pr[A = 1 \mid F \in_R \mathcal{F}_k] - \Pr[A = 1 \mid F \in_R P(n)]\right| \le \varepsilon$

  • Construction of Pseudo-Random Permutations
    Possible to construct pseudo-random permutations from pseudo-random functions (and vice versa...)
    Based on 4 Feistel permutations

  • Feistel Permutation
    Any function $f : \{0,1\}^n \to \{0,1\}^n$ defines a Feistel permutation $D_f : \{0,1\}^{2n} \to \{0,1\}^{2n}$, $D_f(L, R) = (R,\, L \oplus f(R))$

    Feistel permutations are as easy to invert as to compute: $D_f^{-1}(L, R) = (R \oplus f(L),\, L)$; note that $f$ itself need not be invertible

    Many block ciphers are based on such permutations, where the function $f$ is derived from the secret key

  • Composing Feistel Permutations
    Make the function $f : \{0,1\}^n \to \{0,1\}^n$ a pseudo-random function $F_S \in_R \mathcal{F}_k$. This defines a keyed family of permutations on $\{0,1\}^{2n}$
    Clearly it is not pseudo-random: the right block goes unchanged to the left block
    What about composing two such keyed permutations with independent keys? Still not pseudo-random:
    $D_{S_2}(D_{S_1}(L, R)) = (F_{S_1}(R) \oplus L,\; F_{S_2}(F_{S_1}(R) \oplus L) \oplus R)$

    For two inputs $(L, R)$ and $(L', R)$ sharing the same right block, the XOR of the two left output blocks is $L \oplus L'$, which a random permutation would match only with probability about $2^{-n}$
    Looks pretty good for random attacks (an adversary that only queries random points), though: the first round protects the left block, the second round protects the right block

  • Main Construction
    Let $F_1, F_2, F_3, F_4 \in_R$ PRF; then the composition of $D_{F_1}, D_{F_2}, D_{F_3}, D_{F_4}$ is a pseudo-random permutation. Each $F_i : \{0,1\}^n \to \{0,1\}^n$; the resulting permutation is on $\{0,1\}^{2n}$

    $F_1$ and $F_4$ can be "combinatorial": pairwise independent, with low probability of collision on the first block. Error probability is $\sim q^2/2^n$
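    The Feistel round, its inverse, the two distinguishers from the "Composing Feistel Permutations" slide, and the four-round composition, as an added example that is not from the lecture. The round functions are assumed to be PRFs realised as HMAC-SHA256 truncated to $n = 64$ bits (this example's stand-in); all four rounds use PRFs here, so the pairwise independent variant of $F_1, F_4$ is not implemented. The lazily sampled random permutation is what the tester compares against: on it both distinguishers succeed only with probability $2^{-64}$.

```python
"""Feistel permutations and the 4-round Luby-Rackoff construction.
Added example, not from the lecture slides. Assumption: the round functions
F_i are HMAC-SHA256 truncated to n bits; blocks are n-bit integers, n = 64."""
import hashlib
import hmac
import secrets

N_BITS = 64
N_BYTES = N_BITS // 8


def prf(key: bytes, x: int) -> int:
    """F_S : {0,1}^n -> {0,1}^n (HMAC-SHA256 stand-in, truncated to n bits)."""
    d = hmac.new(key, x.to_bytes(N_BYTES, "big"), hashlib.sha256).digest()
    return int.from_bytes(d[:N_BYTES], "big")


def feistel(f, L: int, R: int) -> tuple:
    """D_f(L, R) = (R, L xor f(R))."""
    return R, L ^ f(R)


def feistel_inv(f, L: int, R: int) -> tuple:
    """D_f^{-1}(L, R) = (R xor f(L), L): needs f only in the forward direction."""
    return R ^ f(L), L


def compose(keys: list, L: int, R: int) -> tuple:
    """D_{F_k} for each key in order; four keys give the Luby-Rackoff permutation."""
    for k in keys:
        L, R = feistel(lambda x, k=k: prf(k, x), L, R)
    return L, R


def compose_inv(keys: list, L: int, R: int) -> tuple:
    for k in reversed(keys):
        L, R = feistel_inv(lambda x, k=k: prf(k, x), L, R)
    return L, R


def distinguish_one_round(oracle) -> bool:
    """One round: the input right block reappears as the output left block."""
    L, R = secrets.randbits(N_BITS), secrets.randbits(N_BITS)
    return oracle(L, R)[0] == R


def distinguish_two_rounds(oracle) -> bool:
    """Two rounds: for (L1, R) and (L2, R) the left outputs are F1(R)^L1 and
    F1(R)^L2, so their XOR equals L1 ^ L2. Two queries, same right block."""
    R = secrets.randbits(N_BITS)
    L1, L2 = secrets.randbits(N_BITS), secrets.randbits(N_BITS)
    return (oracle(L1, R)[0] ^ oracle(L2, R)[0]) == (L1 ^ L2)


def luby_rackoff_keys() -> list:
    """Four independent round keys (independent PRFs F_1..F_4)."""
    return [secrets.token_bytes(32) for _ in range(4)]


def lazy_random_permutation():
    """A truly random permutation of {0,1}^2n, sampled on demand: the ideal
    object P(2n) that the tester compares the construction against."""
    table, used = {}, set()

    def oracle(L: int, R: int) -> tuple:
        if (L, R) not in table:
            while True:
                out = (secrets.randbits(N_BITS), secrets.randbits(N_BITS))
                if out not in used:
                    break
            used.add(out)
            table[(L, R)] = out
        return table[(L, R)]

    return oracle
```

    Note that `distinguish_two_rounds` is the slide's attack on two rounds and nothing more: against the four-round composition it succeeds with probability about $2^{-n}$, the same as against the lazily sampled random permutation, which is the behaviour the security theorem below quantifies.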

  • Security Theorem
    Let (1) be the set of permutations on $\{0,1\}^{2n}$ obtained when the two middle functions $G_2, G_3$ are truly random and the first and last are $(h_1, h_2)$ chosen from a pairwise independent family, and let (2) be $P(2n) = \{F \mid F : \{0,1\}^{2n} \to \{0,1\}^{2n} \text{ is } 1\text{-}1\}$

    Theorem: For any adversary A (not necessarily efficient) that makes at most $q$ queries, the advantage in distinguishing a random permutation from $P(2n)$ from a random one from (1) is at most $q^2/2^n + q^2/2^{2n}$

    Corollary: the original construction (with pseudo-random $F_2, F_3$ in the middle) is computationally secure

  • Sources
    Goldreich's Foundations of Cryptography, volumes 1 and 2
    Goldreich, Goldwasser and Micali, How to construct random functions, Journal of the ACM 33, 1986, 792-807
    Luby and Rackoff, How to construct pseudorandom permutations from pseudorandom functions, SIAM J. Computing, 1988
    Naor and Reingold, On the construction of pseudorandom permutations: Luby-Rackoff revisited, Journal of Cryptology, 1999

    Announce homework (deadline Dec 20); next lecture given by Gil