Cryptography Lecture 9 Arpita Patra © Arpita Patra.


Recall
- Authenticated Encryption (AE)
- Construction of AE from a cpa-secure SKE + an scma-secure MAC
- Proof: AE → cca-secure SKE

Looking Back & Forward
- Classical SKEs → Perfect Security (dual limitations) → Computational Security (Ind / Sem paradigm)
- PRG → coa-security
- PRF → cpa-security; PRF → MACs (cma/scma-security)
- cca-security / Authenticated Encryption

Minicrypt (Secret Key World: SKE, MAC)
One chain of implications: OWF → PRG → COA SKE; PRG → PRF → CPA SKE and (S)CMA MAC; CPA SKE + (S)CMA MAC → AE / CCA SKE.
- These results have profound theoretical value!
- PRG and OWF also admit direct constructions from number theory.
- Only the practical constructions from stream ciphers / AES are used in practice.

Today's Goal
- If a PRG exists, then so does a PRF
- Construction of a PRF from a PRG
- Introduction to the hybrid proof technique
- (Non-trivial) proof

PRG Security (indistinguishability game)
- A PPT distinguisher D asks the challenger for a string of length l(n).
- The challenger picks b ∈ {0,1}. If b = 0 it returns y ←R {0,1}^{l(n)} (U: the uniform distribution over {0,1}^{l(n)}); if b = 1 it picks s ←R {0,1}^n and returns y := G(s) (G: the probability distribution {G(s) : s ←R {0,1}^n}).
- D outputs its guess of how y was selected.

G is a PRG if for every PPT D there is a negligible function negl such that
$$\Big|\Pr_{r \leftarrow_R \{0,1\}^{l(n)}}[D(r)=1] \;-\; \Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s))=1]\Big| \le \mathrm{negl}(n),$$
where the first probability is taken over the random choice of r and the randomness of D, and the second over the random choice of s and the randomness of D.

PRF Security (indistinguishability game)
Keyed function F: {0,1}^n × {0,1}^n → {0,1}^n.
- The challenger picks b ∈ {0,1}. If b = 0 it answers with a random function, i.e. fresh y_1, …, y_t ←R {0,1}^n; if b = 1 it picks k ←R {0,1}^n and answers with F_k.
- The PPT distinguisher D submits queries x_1, …, x_t and receives y_1, …, y_t, the value of the function at x_1, …, x_t. D can ask its queries adaptively and is allowed a polynomial number of queries.
- D outputs its guess b of how the y_i were computed.

F is a PRF if for every PPT D there is a negligible function negl such that
$$\Big|\Pr[D^{F_k(\cdot)}(1^n)=1] \;-\; \Pr[D^{f(\cdot)}(1^n)=1]\Big| \le \mathrm{negl}(n),$$
where the first probability is over the uniformly random k and D's randomness, and the second over the uniform choice of f and D's randomness.
D is not given k in the above game; otherwise D could distinguish with high probability.

From PRG to PRF
PRG G: {0,1}^n → {0,1}^{2n}; PRF F: {0,1}^n × {0,1}^n → {0,1}^n. The seed of G plays the role of the key of F.
- R1: We need to define a mapping from every n-bit input of F to an n-bit output (2^n mappings).
- R2: The mapping should be poly-computable: given x, F_k(x) should be computable in polynomial time.
Tool: a complete binary tree of depth n (example: a depth-3 complete binary tree).

Complete Binary Tree of Depth n (example: depth 3)
- (P1) Number of leaf nodes: 2^n. How do we fill up the contents of the leaves?
- (P2) Number of paths from the root to the leaves: 2^n. We can define a bijective mapping from the set of paths to the set of leaf nodes: the unique path taken to reach a leaf node x ↔ x.
- Encoding of a path: every path can be encoded as a unique n-bit string. So a path can correspond to an n-bit input of F_k, and the leaf nodes can correspond to the n-bit outputs of F_k.

From PRG to PRF (the construction)
PRG G: {0,1}^n → {0,1}^{2n}; PRF F: {0,1}^n × {0,1}^n → {0,1}^n; k is both the seed of G and the key of F.
Split the 2n-bit output G(k) into a left block LB and a right block RB, and define G_0, G_1: {0,1}^n → {0,1}^n by G_0(k) = LB of G(k) and G_1(k) = RB of G(k).
Tree: root k; its children are G_0(k) and G_1(k); their children are G_0(G_0(k)), G_1(G_0(k)), G_0(G_1(k)), G_1(G_1(k)); and so on down to depth n.
Compute F_k(x): follow the path that corresponds to x (the i-th bit of x selects G_0 or G_1 at level i) and output the content of the unique leaf node reached. The leaves represent the truth table of F_k.

An Example with n = 3
PRG G: {0,1}^3 → {0,1}^6; PRF F: {0,1}^3 × {0,1}^3 → {0,1}^3.
Depth-3 complete binary tree specifying F:
- Level 0: k
- Level 1: G_0(k), G_1(k)
- Level 2: G_0(G_0(k)), G_1(G_0(k)), G_0(G_1(k)), G_1(G_1(k))
- Level 3 (leaves): G_0(G_0(G_0(k))), G_1(G_0(G_0(k))), G_0(G_1(G_0(k))), G_1(G_1(G_0(k))), G_0(G_0(G_1(k))), G_1(G_0(G_1(k))), G_0(G_1(G_1(k))), G_1(G_1(G_1(k)))

Computing F_k(x) is a poly-computable job. Compute F_k(011): k → (bit 0) G_0(k) → (bit 1) G_1(G_0(k)) → (bit 1) G_1(G_1(G_0(k))).
How many G evaluations are needed to compute F_k(x) for some x? 3 here, and n in general.

Nice Observations (tree diagram: k; G_0(k), G_1(k); G_0(G_0(k)), G_0(G_1(k)), G_1(G_1(k)))

Proof
Theorem: If G: {0,1}^n → {0,1}^{2n} is a PRG, then the discussed construction is a PRF.
Proof: in two lemmas.
Lemma 1 (hybrid argument): If G: {0,1}^n → {0,1}^{2n} is a PRG, i.e.
$$\Big|\Pr_{r \leftarrow_R \{0,1\}^{2n}}[D(r)=1] \;-\; \Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s))=1]\Big| \le \mathrm{negl}(n),$$
then for every PPT A
$$\Big|\Pr_{r_1,\dots,r_t \leftarrow_R \{0,1\}^{2n}}[A(r_1,\dots,r_t)=1] \;-\; \Pr_{s_1,\dots,s_t \leftarrow_R \{0,1\}^n}[A(G(s_1),\dots,G(s_t))=1]\Big| \le \mathrm{negl}(n).$$
Lemma 2: If G: {0,1}^n → {0,1}^{2n} is such that the second inequality above holds, then the discussed construction is a PRF.

Hybrid Arguments
A PPT adversary is shown either World/View 1 or World/View 2. If some problem is hard, then it cannot distinguish between View 1 and View 2: an instance of the hard problem is used to create View 1 / View 2, and the adversary's answer "View 1 or View 2" is turned into an answer to the hard problem, so an adversary that can distinguish View 1 from View 2 can break a known hard problem.
When View 1 and View 2 differ in many places, insert polynomially many intermediate views View 1.1, View 1.2, …, View 1.t between them, so that adjacent views differ in only one place:
$$|\Pr[A(\mathrm{View}\,1)=1] - \Pr[A(\mathrm{View}\,1.1)=1]| < \mathrm{negl}(n)$$
$$|\Pr[A(\mathrm{View}\,1.1)=1] - \Pr[A(\mathrm{View}\,1.2)=1]| < \mathrm{negl}(n)$$
$$\dots$$
$$|\Pr[A(\mathrm{View}\,1.t)=1] - \Pr[A(\mathrm{View}\,2)=1]| < \mathrm{negl}(n)$$
Adding the t inequalities (triangle inequality):
$$|\Pr[A(\mathrm{View}\,1)=1] - \Pr[A(\mathrm{View}\,2)=1]| < t \cdot \mathrm{negl}(n).$$
The intermediate views are called hybrids.

Proof via Hybrid Argument (Lemma 1)
Lemma: If G: {0,1}^n → {0,1}^{2n} is a PRG, i.e.
$$\Big|\Pr_{r \leftarrow_R \{0,1\}^{2n}}[D(r)=1] \;-\; \Pr_{s \leftarrow_R \{0,1\}^n}[D(G(s))=1]\Big| \le \mathrm{negl}(n),$$
then
$$\Big|\Pr_{r_1,\dots,r_t \leftarrow_R \{0,1\}^{2n}}[A(r_1,\dots,r_t)=1] \;-\; \Pr_{s_1,\dots,s_t \leftarrow_R \{0,1\}^n}[A(G(s_1),\dots,G(s_t))=1]\Big| \le \mathrm{negl}(n).$$
Proof: It is hard to reduce this directly to the PRG experiment, so break the gap into (t+1) hybrids:
- Hybrid 0: (r_1, r_2, …, r_t)
- Hybrid 1: (G(s_1), r_2, …, r_t)
- …
- Hybrid i-1: (G(s_1), …, G(s_{i-1}), r_i, …, r_t)
- Hybrid i: (G(s_1), …, G(s_{i-1}), G(s_i), r_{i+1}, …, r_t)
- …
- Hybrid t: (G(s_1), …, G(s_t))
Adjacent hybrids are indistinguishable:
$$|\Pr[A(r_1, r_2, \dots, r_t)=1] - \Pr[A(G(s_1), r_2, \dots, r_t)=1]| < \mathrm{negl}(n)$$
$$\dots$$
$$|\Pr[A(G(s_1),\dots,G(s_{i-1}), r_i,\dots,r_t)=1] - \Pr[A(G(s_1),\dots,G(s_{i-1}),G(s_i),\dots,r_t)=1]| < \mathrm{negl}(n)$$
$$\dots$$
$$|\Pr[A(G(s_1),\dots,G(s_{t-1}), r_t)=1] - \Pr[A(G(s_1),\dots,G(s_t))=1]| < \mathrm{negl}(n)$$
Adding the t inequalities:
$$|\Pr[A(r_1, r_2, \dots, r_t)=1] - \Pr[A(G(s_1),\dots,G(s_t))=1]| < t \cdot \mathrm{negl}(n).$$

Indistinguishability of the i-th and (i+1)-th Hybrid
Claim: if G is a PRG, then
$$|\Pr[A(G(s_1),\dots,G(s_{i-1}), r_i,\dots,r_t)=1] - \Pr[A(G(s_1),\dots,G(s_{i-1}),G(s_i),\dots,r_t)=1]| < \mathrm{negl}(n).$$
This is proved by reduction to the PRG experiment: from a PPT adversary A that distinguishes the two hybrids we build a PPT distinguisher D for G.
- D receives a challenge y ∈ {0,1}^{2n} from the PRG challenger, which is either a random string (RS) or a pseudorandom string (PRS, y = G(s)).
- D picks s_1, …, s_{i-1} ←R {0,1}^n and r_{i+1}, …, r_t ←R {0,1}^{2n}, hands A the tuple (G(s_1), …, G(s_{i-1}), y, r_{i+1}, …, r_t), receives A's bit b and outputs b.
- If y is an RS, A's input is distributed exactly as the i-th hybrid: Pr[D(y) = 1] = Pr[A(G(s_1), …, G(s_{i-1}), r_i, …, r_t) = 1].
- If y is a PRS, A's input is distributed exactly as the (i+1)-th hybrid: Pr[D(y) = 1] = Pr[A(G(s_1), …, G(s_{i-1}), G(s_i), …, r_t) = 1].
So D's distinguishing advantage against G equals A's advantage between the two hybrids, which must therefore be negligible.

Proof (Lemma 2)
Theorem: If G is a PRG, then the discussed construction is a PRF.
The leaves of the depth-n tree rooted at k (k; G_0(k), G_1(k); G_0(G_0(k)), G_1(G_0(k)), G_0(G_1(k)), G_1(G_1(k)); …) form the truth table of F_k.
We must show that a PPT distinguisher D making poly(t) oracle calls cannot tell F_k(·) with k randomly chosen from f(·) with f a randomly chosen function.

Proof (the level hybrids)
For i = 0, …, n, let hybrid H_i be the distribution on the leaves when the nodes at the i-th level of the tree are random strings (everything below them is computed with G as in the construction).
- H_0: the 0-th level node (the root) is a random string, i.e. the uniform distribution over the keyed functions KFunc; the oracle is the real F_k(·).
- H_n: the n-th level nodes (the leaves) are random strings, i.e. the uniform distribution over ALL functions Func; the oracle is a random function f(·).
Can you think of a reduction to the distinguisher that distinguishes t RSs from t PRSs? What are the hybrids?
Write f_i(·) for the oracle of hybrid H_i (so f_0 = F_k and f_n = f). For D making poly(t) calls, adjacent hybrids are close:
$$|\Pr[D^{F_k(\cdot)}(1^n)=1] - \Pr[D^{f_1(\cdot)}(1^n)=1]| < \mathrm{negl}(n)$$
$$\dots$$
$$|\Pr[D^{f_{i-1}(\cdot)}(1^n)=1] - \Pr[D^{f_i(\cdot)}(1^n)=1]| < \mathrm{negl}(n)$$
$$\dots$$
$$|\Pr[D^{f_{n-1}(\cdot)}(1^n)=1] - \Pr[D^{f_n(\cdot)}(1^n)=1]| < \mathrm{negl}(n)$$
Adding the n inequalities:
$$|\Pr[D^{F_k(\cdot)}(1^n)=1] - \Pr[D^{f(\cdot)}(1^n)=1]| < n \cdot \mathrm{negl}(n).$$
It remains to show each step H_{i-1} → H_i.
Lemma: If G: {0,1}^n → {0,1}^{2n} is such that
$$\Big|\Pr_{r_1,\dots,r_t \leftarrow_R \{0,1\}^{2n}}[A(r_1,\dots,r_t)=1] \;-\; \Pr_{s_1,\dots,s_t \leftarrow_R \{0,1\}^n}[A(G(s_1),\dots,G(s_t))=1]\Big| \le \mathrm{negl}(n),$$
then for every PPT D making poly(t) calls
$$|\Pr[D^{f_{i-1}(\cdot)}(1^n)=1] - \Pr[D^{f_i(\cdot)}(1^n)=1]| < \mathrm{negl}(n).$$

Proof Hi-1 : Distributions on the leaves when the (i-1)th level nodes are random strings PPT Adv breaking PRG PPT Distinguisher RSs or PRSs? x z1,…zt {0,1}2n y - Scan first i-1 bits x1,…xi-1 Fill the reached node’s (l & r) children with z1 Scan rest of x and compute output y as per tree construction Hi : Distributions on the leaves when the ith level nodes are random strings zl1 zr1

Proof Hi-1 : Distributions on the leaves when the (i-1)th level nodes are random strings PPT Adv breaking PRG PPT Distinguisher RSs or PRSs? x z1,…zt {0,1}2n y - Scan first i-1 bits x1,…xi-1 - Check if the previous x had same prefix. - If yes, the reached node’s children are already filled - Scan rest of x and compute output y as per tree construction Hi : Distributions on the leaves when the ith level nodes are random strings zl1 zr1

Proof Hi-1 : Distributions on the leaves when the (i-1)th level nodes are random strings PPT Adv breaking PRG PPT Distinguisher RSs or PRSs? x z1,…zt {0,1}2n y - Scan first i-1 bits x1,…xi-1 - Check if any previous x had same prefix. b  {0, 1} b - If no, fill the reached node with z2 - Scan rest of x and compute output y as per tree construction Hi : Distributions on the leaves when the ith level nodes are random strings zl2 zr2

Proof x y z1,…zt :PRSs Pr [A(z1,…zt) = 1] b  {0, 1} b z1,…zt :RSs Hi-1 : Distributions on the leaves when the (i-1)th level nodes are random strings fi-1( ) z1,…zt :PRSs Pr [A(z1,…zt) = 1] Pr [D (1n) = 1] PPT Adv breaking PRG PPT Distinguisher RSs or PRSs? x z1,…zt {0,1}2n y b  {0, 1} b fi( ) z1,…zt :RSs Pr [A(z1,…zt) = 1] Pr [D (1n) = 1] We need t z strings since the t queried x’s may have different prefixes. Hi : Distributions on the leaves when the ith level nodes are random strings
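As an added example (not from the lecture slides), the following Python implements the tree construction of F_k from the "From PRG to PRF" slides and the adversary A of the reduction just described, including its prefix bookkeeping for the hybrids H_{i-1}/H_i. It assumes SHAKE-256 as a stand-in for the length-doubling PRG G, with n = 8·len(key) bits; the names prg, g0, g1, bits, walk, ggm_prf and HybridSimulator are mine, not the lecture's.

```python
import hashlib

def prg(seed: bytes) -> bytes:
    # Length-doubling PRG G: {0,1}^n -> {0,1}^{2n}, n = 8*len(seed) bits.
    # Assumption: SHAKE-256 stands in for the abstract PRG of the lecture.
    return hashlib.shake_256(seed).digest(2 * len(seed))

def g0(s: bytes) -> bytes: return prg(s)[:len(s)]   # LB (left block) of G(s)
def g1(s: bytes) -> bytes: return prg(s)[len(s):]   # RB (right block) of G(s)

def bits(x: bytes) -> list:
    # Bits of x, most significant first: the root-to-leaf path for input x.
    return [(byte >> i) & 1 for byte in x for i in range(7, -1, -1)]

def walk(node: bytes, path, counter=None) -> bytes:
    # Descend from `node` along `path`; exactly one G evaluation per bit.
    for b in path:
        node = g1(node) if b else g0(node)
        if counter is not None:
            counter[0] += 1
    return node

def ggm_prf(key: bytes, x: bytes, counter=None) -> bytes:
    # F_k(x): follow the path x from the root k and output the leaf reached.
    if len(x) != len(key):
        raise ValueError("input must have the same bit length n as the key")
    return walk(key, bits(x), counter)

class HybridSimulator:
    # Adversary A of the reduction: given z_1..z_t in {0,1}^{2n}, it answers
    # D's queries so that D's view is H_{i-1} when z_j = G(s_j) and H_i when
    # the z_j are uniform. A level-(i-1) prefix seen before reuses its z_j.
    def __init__(self, i: int, zs: list):
        self.i, self.zs, self.filled = i, list(zs), {}

    def query(self, x: bytes) -> bytes:
        path, n = bits(x), len(x)
        prefix = tuple(path[: self.i - 1])            # first i-1 bits of x
        if prefix not in self.filled:                 # new prefix: use next z_j
            z = self.zs.pop(0)
            self.filled[prefix] = (z[:n], z[n:])      # left / right child, level i
        left, right = self.filled[prefix]
        node = right if path[self.i - 1] else left    # the level-i node reached
        return walk(node, path[self.i:])              # rest of x as in the tree
```

With z_1 = G(k) and i = 1 the simulator reproduces F_k exactly (hybrid H_0), while a uniform z at level i answers as hybrid H_i.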

CT16 (two): If a PRF exists, then so does a PRP. (KL)