1 Intro To Encryption Exercise 4

2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A f denote A with oracle to f:{0,1} k  {0,1} k Let where key  R {0,1} k and r is a random function over {0,1} k  Notation: x  R X means x is chosen randomly from set X Let ADV PRP E,k (t)=MAX{ADV PRP A,E,k } for A limited to time t  Should be negligible for feasible t  Ideally: ADV PRP E,k (t)=constant /(2 k -t) Adversary controls plaintext  chosen plaintext attack  modify definition to allow also chosen ciphertext

3 Solution Let f’ :{0,1} k  {0,1} k be an inverse function to f, meaning f’=f -1.  (for each cipher text we now have a reverse function to give us the plain text) Let r’ be a reversible function to r.  Why?  (If we want to fool adversary with a random function we must have a reversible function) Notation: let A f,f’ denote A with oracle to both f, f’

4 Solution Let where key  R {0,1} k and r is a random function over {0,1} k  Notation: x  R X means x is chosen randomly from set X Adversary controls plaintext and ciphertext

5 Problem You wish for your users to access a remote server via user and password. All of the users have modems and you trust the phone company to have secured phone lines (no eaves dropping on the line). All the users must use “good” passwords. 1. What is a “good” password? 2. What is the problem with “good” passwords? 3. How can you build a device that can help the user? Hint: the device may generate the passwords

6 Problem Construct a PRF from a random oracle.

7 Solution Let A be the Random oracle, which receives input x. Use PRF k (x)=A(k||x) Is this a sufficient solution?

8 Problem Does random oracle provide CRHF and OWF properties?

9 Solution Yes!! By counting arguments  Consider the random function as being defined incrementally  When the oracle is asked for f(x) for the first time, it selects random value  Example: OWF Let x 1,x 2,…x m be the queries of the adversary, with x m being the adversary’s reply (i.e. success if f(x m )=f(x)). Claim: for every i=1,…,m, Prob(f(x i )=f(x))<i/2 n Proof: By induction…

10 Problem What are the differences between PRF and Universal Hash Functions?

11 Problem construct a PRP from a random oracle.

12 Solution Construct PRF from Random Oracle. Use Feistel rounds to build a PRP. How many rounds? How many rounds?

13 Problem construct CPA-IND secure cryptosystem from random oracle.

14 Solution Build a PRP from random oracle Use CBC construction for the PRP.

15 Problem construct OWF h() from PRF F k ()

16 Solution In order to build h(x) use:  h(x)=PRF x (0)

17 Problem can we use OWF to construct PRF like we used random oracle?

18 Solution NO!!!! Evaluate the following:  h(x) is OWF.  h’(x)=001100||h(x)  Clearly h’ is OWF but can be distinguished from a random output.

19 Problem Is every (weak) CRHF also a OWF