Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Recap of Lecture 11
– Pseudo-random functions
– Combining pseudo-random functions: concatenation, composition
– The GGM tree construction
– Pseudo-random permutations
– Feistel permutations

Pseudo-Random Permutations
Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
[Figure: a plaintext block, under the shared key, is mapped to a ciphertext block of the same length]

Block Ciphers
Advantages:
– Saves on memory and communication bandwidth
– Easy to incorporate within existing systems
Main disadvantage:
– Every block is always encrypted in the same way
Important examples: DES, AES

Modeling Block Ciphers: Pseudo-random Permutations
F: {0,1}^k × {0,1}^n → {0,1}^n (key, domain → range)
F^{-1}: {0,1}^k × {0,1}^n → {0,1}^n (key, range → domain)
Want:
– X = F_S^{-1}(F_S(X)) (correct inverse)
– Efficiently computable

The Test
The tester A can choose adaptively
– X_1 and get Y_1 = F_S(X_1)
– Y_2 and get X_2 = F_S^{-1}(Y_2)
…
– X_q and get Y_q = F_S(X_q)
Then A has to decide whether
– F_S ∈_R Φ_k, or
– F_S ∈_R P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}
A can choose to evaluate or invert any point!

(t,ε,q)-pseudo-random
For a function F chosen at random from
(1) Φ_k = {F_S | S ∈ {0,1}^k}
(2) P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}
For all t-time machines A that choose q locations and try to distinguish (1) from (2):
|Pr[A = '1' | F ∈_R Φ_k] - Pr[A = '1' | F ∈_R P(n)]| ≤ ε

Construction of Pseudo-Random Permutations
It is possible to construct a p.r. permutation from p.r. functions (and vice versa).
Based on 4 Feistel permutations.

Feistel Permutation
Any f: {0,1}^n → {0,1}^n defines a Feistel permutation D_f(L,R) = (R, L ⊕ f(R))
Feistel permutations are as easy to invert as to compute: D_f^{-1}(L,R) = (R ⊕ f(L), L)
Many block ciphers are based on such permutations, where the function f is derived from the secret key.

Feistel Permutation
[Figure: one Feistel round, (L_1, R_1) → f → (L_2, R_2)]

Composing Feistel Permutations
Make the function f: {0,1}^n → {0,1}^n a pseudo-random function G_S ∈_R Φ'_k
This defines a keyed family of permutations {0,1}^{2n} → {0,1}^{2n}
Clearly it is not pseudo-random:
– The right block goes unchanged to the left block
What about composing two such keyed permutations with independent keys?
Not pseudo-random: D_{S_2}(D_{S_1}(L,R)) = (G_{S_1}(L) ⊕ R, G_{S_2}(G_{S_1}(L) ⊕ R) ⊕ R)
– Consider two inputs sharing the same left block
Looks pretty good for random attacks!
– No repetitions on the pseudo-random part

Main Construction
Let G_{S_1}, G_{S_2}, G_{S_3}, G_{S_4} ∈_R PRF. Then the composition of D_{S_1}, D_{S_2}, D_{S_3}, D_{S_4} is a pseudo-random permutation.
Each G_i: {0,1}^n → {0,1}^n; the resulting permutation is {0,1}^{2n} → {0,1}^{2n}.
G_1 and G_4 can be "combinatorial":
– pair-wise independent
– low probability of collision on the first block
Error probability is ~ q^2/2^n
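The Feistel round, its inverse, the two-round composition and the four-round main construction, as an added Python example (not code from the slides). The round functions G_{S_i} are stand-ins built from HMAC-SHA256 keyed by (S, i), an assumption chosen only so that the code runs offline, with n = 64 bits per half-block. `inverts_correctly` checks X = F_S^{-1}(F_S(X)); `two_round_relation_holds` checks the structural relation that separates two rounds from a random permutation. With D_f applying f to the right half, as defined above, the relation shows on inputs that share the same right half (the two-round formula on the slide writes the halves in the other order): after two rounds the left output half is L ⊕ G_{S_1}(R), so the left halves of two such outputs XOR to L_1 ⊕ L_2, which a random permutation satisfies only with probability 2^{-n}; four rounds no longer exhibit it.

```python
import hashlib
import hmac
import os

N = 8  # bytes per half-block, so n = 64 and the permutation acts on {0,1}^(2n) (constructed parameter)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, i: int, x: bytes) -> bytes:
    """G_{S_i}: {0,1}^n -> {0,1}^n for round i. Stand-in PRF (assumption): HMAC-SHA256
    keyed by (S, i), truncated to n bits."""
    return hmac.new(key + bytes([i]), x, hashlib.sha256).digest()[:N]


def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R))."""
    return R, xor(L, f(R))


def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): one evaluation of f, the same cost as the forward direction."""
    return xor(R, f(L)), L


def lr_forward(key: bytes, x: bytes, rounds: int = 4) -> bytes:
    """Compose D_{S_1}, ..., D_{S_rounds}; rounds=4 is the main construction F_S."""
    L, R = x[:N], x[N:]
    for i in range(rounds):
        L, R = feistel(lambda r, i=i: round_function(key, i, r), L, R)
    return L + R


def lr_inverse(key: bytes, y: bytes, rounds: int = 4) -> bytes:
    """F_S^{-1}: undo the rounds in reverse order with the per-round inverse."""
    L, R = y[:N], y[N:]
    for i in reversed(range(rounds)):
        L, R = feistel_inv(lambda l, i=i: round_function(key, i, l), L, R)
    return L + R


def inverts_correctly(key: bytes, x: bytes, rounds: int = 4) -> bool:
    """Correct inverse: X = F_S^{-1}(F_S(X))."""
    return lr_inverse(key, lr_forward(key, x, rounds), rounds) == x


def two_round_relation_holds(key: bytes, l1: bytes, l2: bytes, r: bytes, rounds: int) -> bool:
    """Inputs (l1, r) and (l2, r) share the right half. After two rounds the left output half
    is L xor G_{S_1}(R) (the first round's function), so the two left output halves XOR to
    l1 xor l2. A random permutation, and up to error ~q^2/2^n the four-round construction,
    satisfies this only with probability 2^-n."""
    y1 = lr_forward(key, l1 + r, rounds)
    y2 = lr_forward(key, l2 + r, rounds)
    return xor(y1[:N], y2[:N]) == xor(l1, l2)


if __name__ == "__main__":
    key = os.urandom(32)                      # the shared key S
    x = bytes(range(2 * N))                   # one 2n-bit block (constructed input)
    print("4 rounds invert correctly:", inverts_correctly(key, x))
    l1, l2, r = b"\x00" * N, b"\xff" * N, b"\x42" * N
    print("2 rounds show the relation:", two_round_relation_holds(key, l1, l2, r, 2))
    print("4 rounds show the relation:", two_round_relation_holds(key, l1, l2, r, 4))
```

Because D_f^{-1} costs exactly one evaluation of f, the decryption direction is as cheap as encryption regardless of the round count, which is the property the slide highlights; the four-round version is what the Security Theorem below analyses.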

Security Theorem
Let
(1) the construction's set of permutations be those obtained when the two middle functions G_2, G_3 are truly random functions and the first and last are (h_1, h_2) chosen from a pairwise independent family (probabilities over this distribution are written Prob_constr below)
(2) P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}
Theorem: For any adversary A
– (not necessarily efficient)
– that makes at most q queries
the advantage in distinguishing between a random permutation from P(n) and a random one from the construction (1) is at most q^2/2^n + q^2/2^{2n}
Corollary: the original construction is computationally secure

Back to Two Permutations
For each pair of input and output blocks, (L_1,R_1) is mapped to (L_2,R_2) if and only if
G_{S_1}(R_1) = L_1 ⊕ L_2 and G_{S_2}(L_2) = R_1 ⊕ R_2
So we have "one-wise independence":
– Happens with probability 1/2^{2n}
Furthermore: for any q pairs (L_1^1,R_1^1) → (L_2^1,R_2^1), (L_1^2,R_1^2) → (L_2^2,R_2^2), …, (L_1^q,R_1^q) → (L_2^q,R_2^q) such that for j ≠ i: R_1^j ≠ R_1^i and L_2^j ≠ L_2^i,
the probability that all are mapped to each other is 1/2^{2qn}

The Transcript
We may assume A is deterministic
– Since A is not computationally bounded
The transcript T is the set of pairs of inputs/outputs (X_1,Y_1), (X_2,Y_2), …, (X_q,Y_q) queried by A
– Queries can go either way (evaluate or invert)
Consider a third distribution P of responses: if A
– asks for F(x) and x appeared in an earlier query/answer pair (x,y): answer y
– asks for F^{-1}(y) and y appeared in an earlier query/answer pair (x,y): answer x
– otherwise answer a random z ∈ {0,1}^{2n}
P is not always consistent with some permutation
– Call the resulting transcript inconsistent

P Is Close to P(n)
Claim: A may differentiate between P and P(n) only if the transcript is inconsistent
Claim ["inconsistent"]: Prob[T is inconsistent] ≤ q^2/2^{2n}
Proof: birthday bound
It remains to bound the difference between P and the construction (1) of the Security Theorem

The BAD Event
Thought experiment: choose the functions (h_1,h_2) also for process P
– They serve no purpose there
If T = (X_1,Y_1), (X_2,Y_2), …, (X_q,Y_q) is consistent, we say that it is BAD for functions (h_1,h_2) if there exist j ≠ i such that either
– h_1(x_i) collides with h_1(x_j) on the right half, or
– h_2(y_i) collides with h_2(y_j) on the left half
BAD event: either T is inconsistent or T is BAD for (h_1,h_2)
Claim: Prob_P[BAD] ≤ q^2/2^n + q^2/2^{2n}
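As an added worked step (not on the slides), both bounds, the "inconsistent" Claim and the BAD Claim, are union bounds over the at most $\binom{q}{2}$ pairs $i<j$ of the transcript. In process $P$ each fresh answer $z_i$ is uniform on $\{0,1\}^{2n}$, so two fresh answers coincide, which is the only way a transcript becomes inconsistent, with probability $2^{-2n}$:
$$
\Pr[T \text{ inconsistent}] \;\le\; \sum_{i<j} \Pr[z_i = z_j] \;\le\; \binom{q}{2}\, 2^{-2n} \;\le\; \frac{q^2}{2^{2n}} .
$$
For a consistent transcript the $x_i$ are distinct, and $h_1$ is drawn from a pairwise independent family on $\{0,1\}^{2n}$, so for fixed $i \ne j$ the pair $(h_1(x_i), h_1(x_j))$ is distributed as two independent uniform strings and their right halves agree with probability at most $2^{-n}$; the same holds for the left halves of $h_2(y_i), h_2(y_j)$. Hence
$$
\Pr[T \text{ is BAD for } (h_1,h_2)] \;\le\; 2 \binom{q}{2}\, 2^{-n} \;\le\; \frac{q^2}{2^n},
\qquad
\Pr_P[\mathrm{BAD}] \;\le\; \frac{q^2}{2^n} + \frac{q^2}{2^{2n}} .
$$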

Key Lemma
Lemma: For any adversary A and any possible value V = (X_1,Y_1), (X_2,Y_2), …, (X_q,Y_q):
Prob_P[T = V and not BAD] = Prob_constr[T = V and not BAD]
(Prob_constr is the probability over the construction's distribution (1) of the Security Theorem)

Concluding the Proof
By summing the Key Lemma over all transcripts: Prob_P[not BAD] = Prob_constr[not BAD], which implies Prob_P[BAD] = Prob_constr[BAD]
By summing the Key Lemma over all transcripts for which A outputs '1': Prob_P[A outputs '1' and not BAD] = Prob_constr[A outputs '1' and not BAD]
Hence: |Prob_P[A outputs '1'] - Prob_constr[A outputs '1']| ≤ Prob_P[BAD] ≤ q^2/2^n + q^2/2^{2n}
By the "inconsistent" Claim, P and P(n) are close, and we are done

k-wise Independent Permutations
Simple constructions exist for k-wise independent functions
– For instance, a random polynomial of degree k-1
No equivalent ones are known for k-wise independent permutations
In the 4-Feistel-permutation construction, if the two middle functions are k-wise independent:
– The Security Theorem implies that the result is q^2/2^n-close to a k-wise independent permutation
T. Gowers: alternative construction of approximate k-wise independent permutations

Other Constructions
Generalized Feistel permutations: a generalized construction of pseudo-random permutations:
– The first and last rounds as before
– The two middle Feistel permutations are replaced with t generalized Feistel permutations
– The distinguishing probability is roughly q^2/2^{2(1-1/t)n}
Construction of long pseudo-random permutations from short ones:
– First and last round combinatorial
– In the middle, independent applications of the short pseudo-random permutations

Encryption Using Pseudo-Random Permutations
Sender and receiver share a secret key S ∈_R {0,1}^k
S defines a function F_S ∈ Φ_k
What is wrong with encrypting X as F_S(X)?

Definition of the Security of Encryption
Several settings:
– Shared key vs. public key
– How active is the adversary
Sender and receiver want to prevent Eve from learning anything about the message
Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides
Information-Theoretic Setting
If Eve has some knowledge of m, the following should remain the same:
– Probability of guessing m (min-entropy of m)
– Probability of guessing whether m is m_0 or m_1
– Probability of computing some function f of m
Ideally: the message sent is independent of the message m
– Implies all the above
Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m
– If there is no special knowledge about m, then |m|

To Specify Security of Encryption
The power of the adversary:
– computational: a probabilistic polynomial-time machine (PPTM)
– access to the system: can it change the messages?
What constitutes a failure of the system, i.e. what it means to break the system:
– Reading a message
– Forging a message?

Computational Security of Encryption: Indistinguishability of Encryptions
Indistinguishability of encrypted strings: Adversary A
– chooses X_0, X_1 ∈ {0,1}^n
– receives the encryption of X_b for b ∈_R {0,1}
– has to decide whether b = 0 or b = 1
For every pptm A choosing a pair X_0, X_1 ∈ {0,1}^n:
|Pr[A = '1' | b = 1] - Pr[A = '1' | b = 0]| is negligible.
The probability is over the choice of keys, the randomization in the encryption and A's coins.
In other words: the encryptions of X_0, X_1 are indistinguishable.
Quantification is over the choice of X_0, X_1 ∈ {0,1}^n
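The indistinguishability game above, run against two toy schemes, as an added Python example that is not from the slides: it is the concrete answer to "what is wrong with encrypting X as F_S(X)" from the Encryption Using Pseudo-Random Permutations slide. F_S is a stand-in PRF built from HMAC-SHA256 (an assumption). The deterministic scheme encrypts every message under a fixed key-derived pad, which shares with F_S(X) the property that equal messages always give equal ciphertexts; the randomized scheme sends (r, F_S(r) ⊕ X) with a fresh r. The adversary is given an encryption oracle, i.e. the active adversary of the previous slides, which is an assumption beyond the bare game as stated; `advantage` estimates |Pr[A = '1' | b = 1] - Pr[A = '1' | b = 0]| over fresh keys and coins.

```python
import hashlib
import hmac
import os

N = 16  # message and block length in bytes (constructed toy parameter)


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in pseudo-random function F_S (assumption): HMAC-SHA256 truncated to N bytes."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Deterministic scheme: E_S(X) is a fixed function of X (here a key-derived pad), the
# property it shares with "encrypt X as F_S(X)": equal messages give equal ciphertexts.
def enc_deterministic(key: bytes, x: bytes) -> bytes:
    return xor(prf(key, b"\x00" * N), x)


def dec_deterministic(key: bytes, c: bytes) -> bytes:
    return xor(prf(key, b"\x00" * N), c)


# Randomized scheme: a fresh r per message; the ciphertext is (r, F_S(r) xor X).
def enc_randomized(key: bytes, x: bytes) -> bytes:
    r = os.urandom(N)
    return r + xor(prf(key, r), x)


def dec_randomized(key: bytes, c: bytes) -> bytes:
    r, body = c[:N], c[N:]
    return xor(prf(key, r), body)


class EqualityAdversary:
    """Picks X_0, X_1, then outputs 1 unless the challenge equals a fresh encryption of X_0
    obtained from the encryption oracle."""

    def choose(self, oracle):
        self.x0, self.x1 = b"\x00" * N, b"\xff" * N  # constructed message pair
        return self.x0, self.x1

    def guess(self, oracle, challenge: bytes) -> int:
        return 0 if challenge == oracle(self.x0) else 1


def ind_experiment(enc, key: bytes, adversary, b: int) -> int:
    """One run of the game: A chooses X_0, X_1, receives E(X_b), outputs its guess."""
    oracle = lambda m: enc(key, m)
    x0, x1 = adversary.choose(oracle)
    challenge = enc(key, x1 if b == 1 else x0)
    return adversary.guess(oracle, challenge)


def advantage(enc, adversary, trials: int = 100) -> float:
    """Estimate |Pr[A = '1' | b = 1] - Pr[A = '1' | b = 0]| over fresh keys and coins."""
    ones = [0, 0]
    for b in (0, 1):
        for _ in range(trials):
            ones[b] += ind_experiment(enc, os.urandom(32), adversary, b)
    return abs(ones[1] - ones[0]) / trials


if __name__ == "__main__":
    adv = EqualityAdversary()
    print("deterministic scheme, advantage:", advantage(enc_deterministic, adv))  # 1.0
    print("randomized scheme, advantage:   ", advantage(enc_randomized, adv))     # 0.0
```

Against the deterministic scheme the adversary is right every time, because seeing one other encryption of X_0 is enough to recognise the challenge; against the randomized scheme the comparison never matches (two ciphertexts of the same message agree only if their r values collide), so the adversary's output does not depend on b and its advantage is 0, which is what the definition demands.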

Computational Security of Encryption: Semantic Security
Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X, yet simulates A's knowledge with respect to X.
A selects:
– a distribution D_n on {0,1}^n
– a relation R(X,Y), computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n:
|Pr[R(X, A(E(X)))] - Pr[R(X, A'(·))]| is negligible
In other words: the outputs of A and A' are indistinguishable even for a test that is aware of X
Note: this presentation of semantic security is non-standard (but equivalent)

References
– Blum-Micali: SIAM J. Computing, 1984
– Yao:
– Blum, Blum, Shub: SIAM J. Computing, 1988
– Goldreich, Goldwasser and Micali: J. of the ACM, 1986
– Luby-Rackoff: SIAM J. Computing, 1988
– Naor-Reingold: Journal of Cryptology, 1999

References (continued)
– O. Goldreich, The Foundations of Cryptography
– M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press
– S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html