foundations of cryptography lecture 12

Posted on 10-Jan-2016
DESCRIPTION

Foundations of Cryptography, Lecture 12. Lecturer: Moni Naor. Recap of Lecture 11: pseudo-random functions; combining pseudo-random functions (concatenation, composing); the GGM tree construction; pseudo-random permutations; Feistel permutations. Block ciphers. (PowerPoint presentation)

TRANSCRIPT

  • Foundations of Cryptography

    Lecture 12

    Lecturer: Moni Naor

  • Recap of Lecture 11: pseudo-random functions; combining pseudo-random functions: concatenation, composing; the GGM tree construction; pseudo-random permutations; Feistel permutations.

  • Pseudo-Random Permutations. Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.

  • Block Ciphers. Advantages: saves on memory and communication bandwidth; easy to incorporate within existing systems. Main disadvantage: every block is always encrypted in the same way. Important examples: DES, AES.

  • Modeling Block Ciphers: Pseudo-random Permutations. $F: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, domain, range); $F^{-1}: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, range, domain). Want: $X = F_S^{-1}(F_S(X))$ (correct inverse), efficiently computable.

  • The Test. The tester A can choose adaptively: $X_1$ and get $Y_1 = F_S(X_1)$; $Y_2$ and get $X_2 = F_S^{-1}(Y_2)$; ...; $X_q$ and get $Y_q = F_S(X_q)$. Then A has to decide whether $F_S \in_R \mathcal{F}_k$ or $F_S \in_R P(n) = \{F \mid F: \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$. A can choose to evaluate or invert any point!

  • $(t, \varepsilon, q)$-pseudo-random. For a function F chosen at random from (1) $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ or (2) $P(n) = \{F \mid F: \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$: for all t-time machines A that choose q locations and try to distinguish (1) from (2), $\left|\Pr[A = 1 \mid F \in_R \mathcal{F}_k] - \Pr[A = 1 \mid F \in_R P(n)]\right| \le \varepsilon$.

  • Construction of Pseudo-Random Permutations. Possible to construct a p.r. permutation from p.r. functions (and vice versa). Based on 4 Feistel permutations.

  • Feistel Permutation. Any $f: \{0,1\}^n \to \{0,1\}^n$ defines a Feistel permutation $D_f(L, R) = (R,\; L \oplus f(R))$. Feistel permutations are as easy to invert as to compute: $D_f^{-1}(L, R) = (R \oplus f(L),\; L)$.

    Many block ciphers are based on such permutations, where the function f is derived from the secret key.

  • Feistel Permutation (figure: one round through f, mapping $(L_1, R_1)$ to $(L_2, R_2)$)

  • Composing Feistel Permutations. Make the function $f: \{0,1\}^n \to \{0,1\}^n$ a pseudo-random function $G_S \in_R \mathcal{F}_k$. This defines a keyed family of permutations $\{0,1\}^{2n} \to \{0,1\}^{2n}$. Clearly it is not pseudo-random: the right block goes unchanged to the left block. What about composing two such keyed permutations with independent keys? Not pseudo-random: $D_{S_2}(D_{S_1}(L, R)) = (G_{S_1}(L) \oplus R,\; G_{S_2}(G_{S_1}(L) \oplus R) \oplus R)$; consider two inputs sharing the same left block. Looks pretty good against random attacks! No repetitions on the pseudo-random part.

  • Main Construction. Let $G_{S_1}, G_{S_2}, G_{S_3}, G_{S_4} \in_R$ PRF. Then the composition of $D_{S_1}, D_{S_2}, D_{S_3}, D_{S_4}$ is a pseudo-random permutation. Each $G_i: \{0,1\}^n \to \{0,1\}^n$; resulting permutation $\{0,1\}^{2n} \to \{0,1\}^{2n}$. $G_1$ and $G_4$ can be ``combinatorial'': pair-wise independent, low probability of collision on the first block. Error probability is $\sim q^2/2^n$.
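The following is an added illustration, not part of the lecture slides: the Feistel permutation $D_f$ and its inverse as defined above, composed for one, two and four rounds, with the two structural checks the composition slide describes (the right block passing through one round unchanged, and the XOR relation between outputs of two related inputs after two rounds). It assumes HMAC-SHA256 truncated to n = 64 bits as a stand-in for the pseudo-random function $G_S$, and fixed constructed keys; with the $D_f(L,R) = (R, L \oplus f(R))$ convention, the shared block for the two-round check is the one fed to $G_{S_1}$ first, i.e. the right block.

```python
import hashlib, hmac

N = 8  # half-block size in bytes, i.e. n = 64 bits (constructed demo parameter)

def prf(key: bytes):
    """Keyed G_S: {0,1}^n -> {0,1}^n. Assumption: HMAC-SHA256 truncated to n bits
    stands in for the pseudo-random function of the lecture."""
    return lambda x: hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R)), as on the Feistel permutation slide."""
    return R, xor(L, f(R))

def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): one call to f, same cost as evaluating."""
    return xor(R, f(L)), L

def compose(fs, L, R):
    """D_{S_t}(... D_{S_1}(L, R)): rounds applied in list order."""
    for f in fs:
        L, R = feistel(f, L, R)
    return L, R

def compose_inv(fs, L, R):
    for f in reversed(fs):
        L, R = feistel_inv(f, L, R)
    return L, R

def round_functions(t):
    # Fixed constructed keys so the demo is reproducible; real use needs fresh random keys.
    return [prf(bytes([i]) * 16) for i in range(1, t + 1)]

def right_block_exposed(fs, L, R):
    """One round: the right input block is copied unchanged to the left output block."""
    return compose(fs, L, R)[0] == R

def two_round_leak(fs, L1, L2, R):
    """Two inputs sharing the block fed to G_{S_1}: after two rounds the XOR of the output
    left halves equals L1 xor L2, which a random permutation satisfies only w.p. 2^-n."""
    return xor(compose(fs, L1, R)[0], compose(fs, L2, R)[0]) == xor(L1, L2)

if __name__ == "__main__":
    L, R = b"leftblk1", b"rightblk"
    for t in (1, 2, 4):
        fs = round_functions(t)
        assert compose_inv(fs, *compose(fs, L, R)) == (L, R)  # correct inverse
        print(t, "rounds:", right_block_exposed(fs, L, R), two_round_leak(fs, L, b"leftblk2", R))
```

Only the four-round composition passes both checks; the one- and two-round variants fail exactly the check the slides point out.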

  • Security Theorem. Consider the set of permutations obtained when the two middle functions $G_2, G_3$ are truly random functions and the first and last are $(h_1, h_2)$ chosen from a pairwise independent family, versus (2) $P(n) = \{F \mid F: \{0,1\}^n \to \{0,1\}^n \text{ is } 1\text{-}1\}$.

    Theorem: For any adversary A (not necessarily efficient) that makes at most q queries, the advantage in distinguishing between a random permutation from P(n) and a random one from this set is at most $q^2/2^n + q^2/2^{2n}$. Corollary: the original construction is computationally secure.

  • Back to two permutations. For each pair of input and output blocks, $(L_1, R_1)$ is mapped to $(L_2, R_2)$ if and only if $G_{S_1}(R_1) = L_1 \oplus L_2$ and $G_{S_2}(L_2) = R_1 \oplus R_2$. So we have one-wise independence: this happens with probability $1/2^{2n}$. Furthermore: for any q pairs $(L_1^1, R_1^1) \mapsto (L_2^1, R_2^1),\; (L_1^2, R_1^2) \mapsto (L_2^2, R_2^2),\; \ldots,\; (L_1^q, R_1^q) \mapsto (L_2^q, R_2^q)$ such that for $j \ne i$: $R_1^j \ne R_1^i$ and $L_2^j \ne L_2^i$, the probability that all are mapped to each other is $1/2^{2qn}$.

  • The Transcript. May assume A is deterministic, since it is not computationally bounded. The transcript T is the set of pairs of inputs/outputs $(X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$ queried by A. Queries can go either way (evaluate or invert). Consider a third distribution P′ of responses: if A asks for F(x) and x appeared before in an (x, y) query, answer y; if A asks for $F^{-1}(y)$ and y appeared before in an (x, y) query, answer x; otherwise answer a random $z \in \{0,1\}^{2n}$. P′ is not always consistent with some permutation; call the resulting transcript inconsistent.

  • P′ is close to P. Claim: A may differentiate between P and P′ only if the transcript is inconsistent. Claim [inconsistent]: $\Pr[T \text{ is inconsistent}] \le q^2/2^{2n}$. Proof: birthday.

    It remains to bound the difference between P′ and

  • The BAD event. Thought experiment: choose the functions $(h_1, h_2)$ also for process P′; they serve no purpose there. If $T = (X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$ is consistent, we say that it is BAD for functions $(h_1, h_2)$ if there exist $j \ne i$ such that either the right half of $h_1(x_i)$ collides with the right half of $h_1(x_j)$, or the left half of $h_2(y_i)$ collides with the left half of $h_2(y_j)$.

    BAD event: either T is inconsistent or T is BAD for $(h_1, h_2)$

    Claim: $\Pr_{P'}[\mathrm{BAD}] \le q^2/2^n + q^2/2^{2n}$

  • Key Lemma. Lemma: For any adversary A, for any possible value $V = (X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$

    $\Pr_{P'}[T = V \text{ and not BAD}] = \Pr_G[T = V \text{ and not BAD}]$

  • Concluding the proof. By summing the Key Lemma over all transcripts, $\Pr_{P'}[\text{not BAD}] = \Pr_G[\text{not BAD}]$; this implies $\Pr_{P'}[\mathrm{BAD}] = \Pr_G[\mathrm{BAD}]$. By summing the Key Lemma over all transcripts for which A outputs 1: $\Pr_{P'}[A \text{ outputs } 1 \text{ and not BAD}] = \Pr_G[A \text{ outputs } 1 \text{ and not BAD}]$. Hence: $\left|\Pr_{P'}[A \text{ outputs } 1] - \Pr_G[A \text{ outputs } 1]\right| \le \Pr_{P'}[\mathrm{BAD}] \le q^2/2^n + q^2/2^{2n}$.

    By the inconsistent Claim, P and P′ are close and we are done.

  • K-wise independent permutations. Simple constructions exist for k-wise independent functions, for instance a random polynomial of degree k−1. No equivalent ones are known for k-wise independent permutations. In the 4 Feistel permutation construction, if the two middle functions are k-wise independent, the Security Theorem implies that the result is $q^2/2^n$ close to a k-wise independent permutation. T. Gowers: alternative construction of approximate k-wise independent permutations.

  • Other Constructions. Generalized Feistel permutations, a generalized construction of pseudo-random permutations: the first and last rounds as before; the two middle Feistel permutations are replaced with t generalized Feistel permutations. The distinguishing probability is roughly $q^2/2^{2(1-1/t)n}$. Construction of long pseudo-random permutations from short ones: first and last round combinatorial; in the middle, independent applications of the short pseudo-random permutations.

  • Encryption Using Pseudo-Random Permutations. Sender and receiver share a secret key $S \in_R \{0,1\}^k$; S defines a function $F_S \in \mathcal{F}_k$. What is wrong with encrypting X with $F_S(X)$?

  • Definition of the Security of Encryption. Several settings: shared key vs public key; how active is the adversary.

    Sender and receiver want to prevent Eve from learning anything about the message. Want to simulate as much as possible the protection that an information theoretic encryption scheme provides. Information theoretic setting:

    If Eve has some knowledge of m, it should remain the same: the probability of guessing m; the min-entropy of m; the probability of guessing whether m is $m_0$ or $m_1$; the probability of computing some function f of m. Ideally: the message sent is independent of the message m; this implies all the above. Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m; if there is no special knowledge about m, then |m|.

  • To specify security of encryption: the power of the adversary: computational, a probabilistic polynomial time machine (PPTM); its access to the system: can it change the messages? What constitutes a failure of the system, i.e. what it means to break the system: reading a message? Forging a message?

  • Computational Security of Encryption: Indistinguishability of Encryptions. Indistinguishability of encrypted strings: adversary A chooses $X_0, X_1 \in \{0,1\}^n$, receives the encryption of $X_b$ for $b \in_R \{0,1\}$, and has to decide whether $b = 0$ or $b = 1$.

    For every pptm A choosing a pair $X_0, X_1 \in \{0,1\}^n$, $\left|\Pr[A = 1 \mid b = 1] - \Pr[A = 1 \mid b = 0]\right|$ is negligible. The probability is over the choice of keys, the randomization in the encryption and A's coins.

    In other words: encryptions of $X_0, X_1$ are indistinguishable.

    Quantification is over the choice of $X_0, X_1 \in \{0,1\}^n$.

  • Computational Security of Encryption: Semantic Security. Whatever adversary A can compute on the encrypted string $X \in \{0,1\}^n$, so can an A′ that does not see the encryption of X yet simulates A's knowledge with respect to X. A selects: a distribution $D_n$ on $\{0,1\}^n$; a relation R(X, Y), computable in probabilistic polynomial time. For every pptm A choosing a distribution $D_n$ on $\{0,1\}^n$ there is a pptm A′ so that for all pptm relations R, for $X \in_R D_n$, $\left|\Pr[R(X, A(E(X)))] - \Pr[R(X, A'())]\right|$

    is negligible.

    In other words: the outputs of A and A′ are indistinguishable even for a test that is aware of X.

    Note: presentation of semantic security is non-standard (but equivalent)

  • References. Blum-Micali: SIAM J. Computing, 1984. Yao: Blum, Blum, Shub: SIAM J. Computing, 1988. Goldreich, Goldwasser and Micali: J. of the ACM, 1986. Luby-Rackoff: SIAM J. Computing, 1988. Naor-Reingold: Journal of Cryptology, 1999.

  • ...References. O. Goldreich, The Foundations of Cryptography, www.wisdom.weizmann.ac.il/~oded/foc-book.html. M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press. S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html

    Give the handouts (course web page)