Cryptography Lecture 9 Arpita Patra © Arpita Patra.


1 Cryptography Lecture 9 Arpita Patra © Arpita Patra

2 Recall
- Authenticated Encryption (AE)
- Construction of AE from cpa-secure SKE + scma-secure MAC
- Proof
- AE → cca-secure SKE

4 Looking Back & Forward
[Diagram labels, in order:]
- Authenticated Encryption, cca-security
- cma/scma-security, PRF
- cpa-security, PRF
- MACs
- coa-security, PRG
- Computational Security, Ind / Sem Paradigm
- Perfect Security, Dual Limitations
- Classical SKEs

5 Minicrypt
Secret Key World: SKE, MAC
[Diagram nodes: AE, CCA SKE; (S)CMA MAC; CPA SKE; COA SKE; PRF; PRG; OWF (From Number Theory); arrows labelled (1) to (7)]
> These results have profound theoretical value!
> Direct Constructions From Number Theory
> Only the practical constructions from stream ciphers / AES are used in practice

6 Today's Goal
If PRG exists, then so does PRF
- Construction of PRF using PRG
- Introduction to Hybrid Proof Technique
- (non-trivial) Proof

7 PRG Security
Game between a Challenger and a PPT distinguisher D:
- D: "A string of length $l(n)$ please"
- Challenger, if b = 0: $y \in_R \{0,1\}^{l(n)}$
- Challenger, if b = 1: $s \in_R \{0,1\}^n$, $y := G(s)$
- Challenger sends y: "How did I select it?"
U: uniform distribution over $\{0,1\}^{l(n)}$
G: probability distribution over $\{G(s) : s \in_R \{0,1\}^n\}$
G is a PRG if for every PPT D, there is a negligible function negl such that
$$\left| \Pr_{r \in_R \{0,1\}^{l(n)}}[D(r) = 1] - \Pr_{s \in_R \{0,1\}^n}[D(G(s)) = 1] \right| \le \mathrm{negl}(n)$$
First probability taken over >> random choice of r >> the randomness of D
Second probability taken over >> random choice of s >> the randomness of D

8 PRF Security
Keyed F: $\{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$
Game between a Challenger and a PPT distinguisher D:
- D: "Value of the function at $x_1, \ldots, x_t$"
- Challenger, if b = 0: $y_1, y_2, \ldots, y_t \in_R \{0,1\}^n$
- Challenger, if b = 1: uses F with $k \in_R \{0,1\}^n$
- Challenger returns $y_1, \ldots, y_t$: "How did I compute them?"
- D outputs b
D can adaptively ask its queries
D allowed to ask polynomial number of queries

9 PRF Security
Keyed F: $\{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$
Game as on the previous slide: D queries $x_1, \ldots, x_t$ and receives $y_1, \ldots, y_t$, which are $y_1, y_2, \ldots, y_t \in_R \{0,1\}^n$ if b = 0 and computed with F and $k \in_R \{0,1\}^n$ if b = 1; D outputs b.
F is a PRF if for every PPT D there is a negl(n) such that
$$\left| \Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] \right| \le \mathrm{negl}(n)$$
Probability for $F_k(\cdot)$ taken over >> uniformly random k >> D's randomness
Probability for $f(\cdot)$ taken over >> uniform choice of f >> D's randomness
>> D not given k in the above game --- otherwise D can distinguish with high probability

10 From PRG to PRF
PRG G: $\{0,1\}^n \to \{0,1\}^{2n}$ → PRF F: $\{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$
Seed of G → Key of F
R1: Need to define a mapping from every input of F to an output, both n-bit strings ($2^n$ mappings)
R2: A mapping should be poly-computable. Given x, $F_k(x)$ should be poly-computable
Complete binary tree of depth n. Example: depth 3 complete binary tree

11 Complete Binary Tree of Depth n
[Figure: example depth 3 complete binary tree]
(P1) No. of leaf nodes: $2^n$. How to fill up the contents of leaves?
(P2) No. of paths from root to leaves: $2^n$
We can define a bijective mapping from the set of paths to the set of leaf nodes: the unique path taken to reach a leaf node x ↔ x
Encoding of a path: every path can be encoded to a unique n-bit string
A path can correspond to an n-bit input of $F_k$
The leaf nodes can correspond to the n-bit output of $F_k$

12 From PRG to PRF
PRG G: $\{0,1\}^n \to \{0,1\}^{2n}$ → PRF F: $\{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$
k: seed of G → Key of F
G(k) splits into a left block (LB) and a right block (RB):
- $G_0 : \{0,1\}^n \to \{0,1\}^n$, $G_0(k)$ = LB of G(k)
- $G_1 : \{0,1\}^n \to \{0,1\}^n$, $G_1(k)$ = RB of G(k)
Tree:
- Level 0: k
- Level 1: $G_0(k)$, $G_1(k)$
- Level 2: $G_0(G_0(k))$, $G_1(G_0(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$
Compute $F_k(x)$: follow the path that corresponds to x and output the content of the unique leaf node
Leaves represent the truth table of $F_k$

13 An Example with n=3
PRG G: $\{0,1\}^3 \to \{0,1\}^6$, PRF F: $\{0,1\}^3 \times \{0,1\}^3 \to \{0,1\}^3$
Depth 3 complete binary tree specifying F:
- Level 0: k
- Level 1: $G_0(k)$, $G_1(k)$
- Level 2: $G_0(G_0(k))$, $G_1(G_0(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$
- Level 3: $G_0(G_0(G_0(k)))$, $G_1(G_0(G_0(k)))$, $G_0(G_1(G_0(k)))$, $G_1(G_1(G_0(k)))$, $G_0(G_0(G_1(k)))$, $G_1(G_0(G_1(k)))$, $G_0(G_1(G_1(k)))$, $G_1(G_1(G_1(k)))$

14 An Example with n=3
$F_k(x)$ computation is a poly computable job
Compute $F_k(011)$: k → $G_0(k)$ → $G_1(G_0(k))$ → $G_1(G_1(G_0(k)))$
How many G evaluations are needed to compute $F_k(x)$ for some x: 3 = n (in general)
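The tree walk from slides 12 to 14, as an added example (not code from the lecture). SHA-256 stands in for the length-doubling PRG G, and the names F, truth_table and g_calls_for and the 128-bit node size are assumptions of this sketch; the input length is the tree depth, so the slide-14 query 011 uses depth 3.

```python
import hashlib
from itertools import product

N = 16       # node length in bytes (n = 128 bits); assumption of this sketch
calls = 0    # counts G evaluations, to check the "3 = n" claim of slide 14

def G(s: bytes) -> bytes:
    """Stand-in length-doubling PRG (assumption: SHA-256 modelled as a PRG)."""
    global calls
    calls += 1
    return hashlib.sha256(b"G|" + s).digest()[: 2 * N]

def G0(s: bytes) -> bytes:
    """Left block (LB) of G(s)."""
    return G(s)[:N]

def G1(s: bytes) -> bytes:
    """Right block (RB) of G(s)."""
    return G(s)[N:]

def F(k: bytes, x: str) -> bytes:
    """F_k(x): start at the root k, go left on '0' and right on '1', output the leaf."""
    node = k
    for bit in x:
        node = G1(node) if bit == "1" else G0(node)
    return node

def truth_table(k: bytes, depth: int) -> dict:
    """All 2^depth leaves. Only feasible for toy depths; F itself never builds the tree."""
    inputs = ("".join(p) for p in product("01", repeat=depth))
    return {x: F(k, x) for x in inputs}

def g_calls_for(k: bytes, x: str) -> int:
    """Number of G evaluations spent on one F_k(x) computation."""
    global calls
    calls = 0
    F(k, x)
    return calls

if __name__ == "__main__":
    k = bytes(range(N))          # constructed key, for illustration only
    for x, leaf in truth_table(k, 3).items():
        print(x, leaf.hex())
    print("G calls for F_k(011):", g_calls_for(k, "011"))
```

The truth table has 2^depth rows, while a single evaluation touches only the depth nodes on its path; that gap is what makes requirement R2 hold.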

15 Nice Observations
[Tree figure: k; $G_0(k)$, $G_1(k)$; $G_0(G_0(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$]

16 Proof
Theorem: If G : $\{0,1\}^n \to \{0,1\}^{2n}$ is PRG, then the discussed construction is a PRF.
Proof:
Lemma 1: If G: $\{0,1\}^n \to \{0,1\}^{2n}$ is PRG, i.e.
$$\left| \Pr_{r \in_R \{0,1\}^{2n}}[D(r) = 1] - \Pr_{s \in_R \{0,1\}^n}[D(G(s)) = 1] \right| \le \mathrm{negl}(n)$$
then, for $r_1, \ldots, r_t \in_R \{0,1\}^{2n}$ and $s_1, \ldots, s_t \in_R \{0,1\}^n$,
$$\left| \Pr[A(r_1, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_t)) = 1] \right| \le \mathrm{negl}(n)$$
(Hybrid Argument)
Lemma 2: If G: $\{0,1\}^n \to \{0,1\}^{2n}$ is s.t., for $r_1, \ldots, r_t \in_R \{0,1\}^{2n}$ and $s_1, \ldots, s_t \in_R \{0,1\}^n$,
$$\left| \Pr[A(r_1, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_t)) = 1] \right| \le \mathrm{negl}(n)$$
then the discussed construction is a PRF.

17 Hybrid Arguments
[Figure: a PPT Adv is shown World/View 1 or World/View 2]
If some problem is hard, then it cannot distinguish between View 1 and View 2

18 Hybrid Arguments
Polynomially many views: World/View 1, World/View 1.1, World/View 1.2, ..., World/View 1.i, ..., World/View 1.t, World/View 2
$|\Pr[A(\text{View1}) = 1] - \Pr[A(\text{View1.1}) = 1]| < \mathrm{negl}(n)$
+ $|\Pr[A(\text{View1.1}) = 1] - \Pr[A(\text{View1.2}) = 1]| < \mathrm{negl}(n)$
+ ...
+ $|\Pr[A(\text{View1.t}) = 1] - \Pr[A(\text{View2}) = 1]| < \mathrm{negl}(n)$
Sum: $|\Pr[A(\text{View1}) = 1] - \Pr[A(\text{View2}) = 1]| < t \cdot \mathrm{negl}(n)$
Reduction for one step:
- A PPT Adv receives an instance of its hard problem, used to create View 1 / View 2
- The second PPT Adv answers whether View 1 / View 2, which becomes the answer to the hard problem
- The PPT Adv can break a known hard problem if it can distinguish between View 1 and View 2
The intermediate views are called hybrids

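19 Proof via Hybrid Argument
Lemma: If G: $\{0,1\}^n \to \{0,1\}^{2n}$ is PRG, i.e.
$$\left| \Pr_{r \in_R \{0,1\}^{2n}}[D(r) = 1] - \Pr_{s \in_R \{0,1\}^n}[D(G(s)) = 1] \right| \le \mathrm{negl}(n)$$
then, for $r_1, \ldots, r_t \in_R \{0,1\}^{2n}$ and $s_1, \ldots, s_t \in_R \{0,1\}^n$,
$$\left| \Pr[A(r_1, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_t)) = 1] \right| \le \mathrm{negl}(n)$$
Proof: Hard to reduce to PRG experiment. Break into a number of hybrids, (t+1) hybrids:
- $(r_1, r_2, \ldots, r_t)$
- $(G(s_1), r_2, \ldots, r_t)$
- ...
- $(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t)$
- $(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t)$
- ...
- $(G(s_1), \ldots, G(s_t))$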

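20 Proof via Hybrid Argument
Between $(r_1, r_2, \ldots, r_t)$ and $(G(s_1), r_2, \ldots, r_t)$:
$\Pr[A(r_1, r_2, \ldots, r_t) = 1] - \Pr[A(G(s_1), r_2, \ldots, r_t) = 1] < \mathrm{negl}(n)$
+ ...
Between $(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t)$ and $(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t)$:
+ $\Pr[A(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t) = 1] < \mathrm{negl}(n)$
+ ...
Between $(G(s_1), \ldots, G(s_{t-1}), r_t)$ and $(G(s_1), \ldots, G(s_t))$:
+ $\Pr[A(G(s_1), \ldots, G(s_{t-1}), r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_t)) = 1] < \mathrm{negl}(n)$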

21 Proof via Hybrid Argument
$\Pr[A(r_1, r_2, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_t)) = 1] < t \cdot \mathrm{negl}(n)$

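22 Indistinguishability of i and (i+1)th Hybrid
Hybrids:
- $(r_1, r_2, \ldots, r_t)$
- $(G(s_1), r_2, \ldots, r_t)$
- $(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t)$
- $(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t)$
- $(G(s_1), \ldots, G(s_t))$
$\Pr[A(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t) = 1] < \mathrm{negl}(n)$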

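23 Indistinguishability of i and (i+1)th Hybrid
Hybrids $(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t)$ and $(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t)$
If G is a PRG:
$\Pr[A(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t) = 1] < \mathrm{negl}(n)$
By reduction to PRG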

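24 Indistinguishability of i and (i+1)th Hybrid by Reduction to PRG
PPT Distinguisher D (the PPT Adv breaking PRG) is given $y \in \{0,1\}^{2n}$: RS or PRS?
- Pick $s_1, \ldots, s_{i-1} \in_R \{0,1\}^n$
- Pick $r_{i+1}, \ldots, r_t \in_R \{0,1\}^{2n}$
- Give $G(s_1), \ldots, G(s_{i-1}), y, r_{i+1}, \ldots, r_t$ to A
- A returns $b \in \{0,1\}$; D outputs b
y: RS, hybrid $(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t)$: $\Pr[D(y) = 1] = \Pr[A(G(s_1), \ldots, G(s_{i-1}), r_i, \ldots, r_t) = 1]$
y: PRS, hybrid $(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t)$: $\Pr[D(y) = 1] = \Pr[A(G(s_1), \ldots, G(s_{i-1}), G(s_i), \ldots, r_t) = 1]$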

25 Proof
Theorem: If G is PRG, then the discussed construction is a PRF.
[Tree figure: k; $G_0(k)$, $G_1(k)$; $G_0(G_0(k))$, $G_0(G_1(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$; leaves: Truth Table for $F_k$]

26 Proof
Theorem: If G is PRG, then the discussed construction is a PRF.
Poly (t) calls to one of:
- $F_k(\cdot)$: k randomly chosen
- $f(\cdot)$: f randomly chosen

27 Proof
$H_0$: Distribution on the leaves when the root (0th level) is a random string
$H_0$: Uniform Distribution on the keyed functions KFunc
Poly (t) calls
- Can you think of a reduction to the distinguisher that distinguishes t RSs from t PRSs?
- Hybrids??
$H_n$: Distributions on the leaves when the leaves (nth level) are random strings
$H_n$: Uniform Distribution on ALL functions Func

28 Proof
Poly (t) calls
$H_0$: Distribution on the leaves when the 0th level node is a random string
$\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f_1(\cdot)}(1^n) = 1] < \mathrm{negl}(n)$
+ ...
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
+ $\Pr[D^{f_{i-1}(\cdot)}(1^n) = 1] - \Pr[D^{f_i(\cdot)}(1^n) = 1] < \mathrm{negl}(n)$
$H_i$: Distributions on the leaves when the ith level nodes are random strings
+ ...
+ $\Pr[D^{f_{n-1}(\cdot)}(1^n) = 1] - \Pr[D^{f_n(\cdot)}(1^n) = 1] < \mathrm{negl}(n)$
$H_n$: Distributions on the leaves when the nth level nodes are random strings

29 Proof via Hybrid Argument
$\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] < n \cdot \mathrm{negl}(n)$

30 Proof
Poly (t) calls
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
$\Pr[D^{f_{i-1}(\cdot)}(1^n) = 1] - \Pr[D^{f_i(\cdot)}(1^n) = 1] < \mathrm{negl}(n)$
$H_i$: Distributions on the leaves when the ith level nodes are random strings

31 Proof
Poly (t) calls
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
$H_i$: Distributions on the leaves when the ith level nodes are random strings
Lemma: If G: $\{0,1\}^n \to \{0,1\}^{2n}$ is s.t., for $r_1, \ldots, r_t \in_R \{0,1\}^{2n}$ and $s_1, \ldots, s_t \in_R \{0,1\}^n$,
$$\left| \Pr[A(r_1, \ldots, r_t) = 1] - \Pr[A(G(s_1), \ldots, G(s_t)) = 1] \right| \le \mathrm{negl}(n)$$
then
$\Pr[D^{f_{i-1}(\cdot)}(1^n) = 1] - \Pr[D^{f_i(\cdot)}(1^n) = 1] < \mathrm{negl}(n)$

32 Proof
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
$H_i$: Distributions on the leaves when the ith level nodes are random strings
The PPT Adv breaking PRG is given $z_1, \ldots, z_t \in \{0,1\}^{2n}$ (RSs or PRSs?) and answers each query x of the PPT Distinguisher with y:
- Scan first i-1 bits $x_1, \ldots, x_{i-1}$
- Fill the reached node's (l & r) children with $z_1$ ($z_1^l$, $z_1^r$)
- Scan rest of x and compute output y as per tree construction

33 Proof
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
$H_i$: Distributions on the leaves when the ith level nodes are random strings
The PPT Adv breaking PRG is given $z_1, \ldots, z_t \in \{0,1\}^{2n}$ (RSs or PRSs?) and answers each query x of the PPT Distinguisher with y:
- Scan first i-1 bits $x_1, \ldots, x_{i-1}$
- Check if the previous x had same prefix.
- If yes, the reached node's children are already filled ($z_1^l$, $z_1^r$)
- Scan rest of x and compute output y as per tree construction

34 Proof
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
$H_i$: Distributions on the leaves when the ith level nodes are random strings
The PPT Adv breaking PRG is given $z_1, \ldots, z_t \in \{0,1\}^{2n}$ (RSs or PRSs?) and answers each query x of the PPT Distinguisher with y:
- Scan first i-1 bits $x_1, \ldots, x_{i-1}$
- Check if any previous x had same prefix.
- If no, fill the reached node with $z_2$ ($z_2^l$, $z_2^r$)
- Scan rest of x and compute output y as per tree construction
The PPT Distinguisher returns $b \in \{0,1\}$; the PPT Adv outputs b

35 Proof
$H_{i-1}$: Distributions on the leaves when the (i-1)th level nodes are random strings
$H_i$: Distributions on the leaves when the ith level nodes are random strings
The PPT Adv breaking PRG is given $z_1, \ldots, z_t \in \{0,1\}^{2n}$ (RSs or PRSs?), answers each query x of the PPT Distinguisher with y, and outputs the distinguisher's $b \in \{0,1\}$.
$z_1, \ldots, z_t$: PRSs → $f_{i-1}(\cdot)$: $\Pr[A(z_1, \ldots, z_t) = 1] = \Pr[D^{f_{i-1}(\cdot)}(1^n) = 1]$
$z_1, \ldots, z_t$: RSs → $f_i(\cdot)$: $\Pr[A(z_1, \ldots, z_t) = 1] = \Pr[D^{f_i(\cdot)}(1^n) = 1]$
We need t z strings since the t queried x's may have different prefixes.
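The simulation from slides 32 to 35, as an added example (not code from the lecture): the adversary answers D's queries from the challenge strings z_1, ..., z_t using a table of prefixes already seen. SHA-256 stands in for G, and HybridSimulator, walk and challenge are hypothetical names chosen for this sketch.

```python
import hashlib
import os

N = 16  # node length in bytes (n = 128 bits); assumption of this sketch

def G(s: bytes) -> bytes:
    """Stand-in length-doubling PRG (assumption: SHA-256 modelled as a PRG)."""
    return hashlib.sha256(b"G|" + s).digest()[: 2 * N]

def walk(node: bytes, bits: str) -> bytes:
    """Tree construction: left half of G(node) on '0', right half on '1'."""
    for b in bits:
        out = G(node)
        node = out[N:] if b == "1" else out[:N]
    return node

def challenge(t: int, pseudorandom: bool) -> list:
    """t strings of 2n bits: PRSs G(s_j) for fresh seeds s_j, or RSs."""
    if pseudorandom:
        return [G(os.urandom(N)) for _ in range(t)]
    return [os.urandom(2 * N) for _ in range(t)]

class HybridSimulator:
    """The adversary's oracle for D: H_{i-1} if the z_j are PRSs, H_i if they are RSs."""

    def __init__(self, i: int, zs: list):
        self.i = i          # hybrid index, 1 <= i <= input length
        self.zs = zs        # challenge strings z_1..z_t
        self.filled = {}    # prefix x_1..x_{i-1} -> z filling that node's children

    def query(self, x: str) -> bytes:
        prefix = x[: self.i - 1]                   # scan first i-1 bits
        if prefix not in self.filled:              # new prefix: take the next unused z
            self.filled[prefix] = self.zs[len(self.filled)]
        z = self.filled[prefix]                    # (z^l, z^r): the node's children
        child = z[N:] if x[self.i - 1] == "1" else z[:N]
        return walk(child, x[self.i:])             # rest of x as per tree construction

if __name__ == "__main__":
    sim = HybridSimulator(2, challenge(4, pseudorandom=False))
    for x in ("000", "011", "110"):                # constructed queries
        print(x, sim.query(x).hex())
    print("z strings consumed:", len(sim.filled))
```

With i = 1 and the single challenge z_1 = G(k), the simulator's answers coincide with F_k, which is the H_0 end of the hybrid chain.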

36 CT16 (two): If PRF exists, then so does PRP. (KL)
