Presentation is loading. Please wait.

Presentation is loading. Please wait.

Topic 7: Pseudorandom Functions and CPA-Security

Published byCollin Bell Modified over 6 years ago

Similar presentations

Presentation on theme: "Topic 7: Pseudorandom Functions and CPA-Security"— Presentation transcript:

1 Topic 7: Pseudorandom Functions and CPA-Security
Cryptography CS 555 Topic 7: Pseudorandom Functions and CPA-Security

2 Recap Pseudorandom Generators G(s)
Chosen Plaintext Attacks/CPA-Security Build CPA-secure encryption scheme Today’s Goal: Construct encryption scheme with CPA-security Recall: CPA-Security for single encryptions implies CPA-Security for multiple encryptions.

3 CPA-Security (Single Message)
m0,m1 c = EncK(mb) m2 c2 = EncK(m2) m3 c3 = EncK(m3) ∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr 𝐴 𝐺𝑢𝑒𝑠𝑠𝑒𝑠 𝑏 ′ =𝑏 ≤ 1 2 +𝜇(𝑛) b’ Random bit b K = Gen(.)

4 Pseudorandom Function (PRF)
A keyed function F: 0,1 ℓ 𝑘𝑒𝑦 𝑛 × 0,1 ℓ 𝑖𝑛 𝑛 → 0,1 ℓ 𝑜𝑢𝑡 𝑛 , which “looks random” without the secret key k. ℓ 𝑘𝑒𝑦 𝑛 - length of secret key k ℓ 𝑖𝑛 𝑛 - length of input ℓ 𝑜𝑢𝑡 𝑛 - length of output Typically, ℓ 𝑘𝑒𝑦 𝑛 = ℓ 𝑖𝑛 𝑛 = ℓ 𝑜𝑢𝑡 𝑛 =n (unless otherwise specified) Computing FK(x) is efficient (polynomial-time)

5 PRF vs. PRG Pseudorandom Generator G is not a keyed function
PRG Security Model: Attacker sees only output G(r) Attacker who sees r can easily distinguish G(r) from random PRF Security Model: Attacker sees both inputs and outputs (ri,Fk(ri)) In fact, attacker can select inputs ri Attacker Goal: distinguish F from a truly random function

6 Truly Random Function Let Funcn denote the set of all functions 𝑓: 0,1 𝑛 → 0,1 𝑛 . Question: How big is the set Funcn? Hint: Consider the lookup table. 2n entries in lookup table n bits per entry n2n bits to encode f∈Funcn Answer: Funcn = 2 𝑛 2 𝑛 (by comparison only 2n n-bit keys)

7 Truly Random Function Let Funcn denote the set of all functions 𝑓: 0,1 𝑛 → 0,1 𝑛 . Can view entries in lookup table as populated in advance (uniformly) Space: n2n bits to encode f∈Funcn Alternatively, can view entries as populated uniformly “on-the-fly” Space: 2n×q(n) bits after q(n) queries To store past responses

8 Oracle Notation We use Af(.) to denote an algorithm A with oracle access to a function f. A may adaptively query f(.) on multiple different inputs x1,x2,… and A receives the answers f(x1),f(x2),… However, A can only use f(.) as a blackbox (no peaking at the source code in the box)

9 PRF Security Definition 3.25: A keyed function F: 0,1 𝑛 × 0,1 𝑛 → 0,1 𝑛 is a pseudorandom function if for all PPT distinguishers D there is a negligible function 𝜇 s.t. 𝑃𝑟 𝐷 𝐹 𝑘 (.) 1 𝑛 −𝑃𝑟 𝐷 𝑓(.) 1 𝑛 ≤𝜇 𝑛 Notes: the first probability is taken over the uniform choice of 𝑘∈ 0,1 𝑛 as well as the randomness of D. the second probability is taken over uniform choice of f ∈Funcnas well as the randomness of D. D is not given the secret k in the first probability (otherwise easy to distinguish…how?)

10 PRF-Security as a Game …
∀𝑃𝑃𝑇 𝐴 ∃𝜇 (negligible) s.t Pr 𝐴 𝐺𝑢𝑒𝑠𝑠𝑒𝑠 𝑏 ′ =𝑏 ≤ 1 2 +𝜇(𝑛) b’ Random bit b K = Gen(.) Truly random func R ri = FK(mi) if b=1 R(mi) o.w

11 CPA-Secure Encryption
Gen: on input 1n pick uniform 𝑘∈ 0,1 𝑛 Enc: Input 𝑘∈ 0,1 𝑛 and 𝑚∈ 0,1 𝑛 Output 𝑐= 𝑟, 𝐹 𝑘 𝑟 ⨁𝑚 for uniform 𝑟∈ 0,1 𝑛 Dec: Input 𝑘∈ 0,1 𝑛 and 𝑐= 𝑟,𝑠 Output 𝑚= 𝐹 𝑘 𝑟 ⨁𝑠 Theorem: If F is a pseudorandom function, then (Gen,Enc,Dec) is a CPA- secure encryption scheme for messages of length n. How to begin proof?

12 Breaking CPA-Security (Single Message)
m0,m1 𝑟, 𝐹 𝑘 𝑟 ⨁ 𝑚 𝑏 m2 𝑟, 𝐹 𝑘 𝑟 ⨁ 𝑚 2 m3 𝑟, 𝐹 𝑘 𝑟 ⨁ 𝑚 3 Assumption: ∃ PPT 𝐴, P (non−negligible) s.t Pr 𝐴 𝐺𝑢𝑒𝑠𝑠𝑒𝑠 𝑏 ′ =𝑏 ≥ 1 2 +𝑃(𝑛) b’ Random bit b K = Gen(.)

13 Pr D 𝐹 𝑘 =1 = Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1
Security Reduction Step 1: Assume for contraction that we have a PPT attacker A that breaks CPA-Security. Step 2: Construct a PPT distinguisher D which breaks PRF security. Distinguisher DO (oracle O --- either f or Fk) Simulate A Whenever A queries its encryption oracle on a message m Select random r Return 𝑐= 𝑟,𝑂 𝑟 ⨁𝑚 Whenever A outputs messages m0,m1 Select random r and bit b Return 𝑐= 𝑟,𝑂 𝑟 ⨁𝑚𝑏 Whenever A outputs b’ Output 1 if b=b’ Output 0 otherwise Analysis: Suppose that O = f then Pr D 𝐹 𝑘 =1 = Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1 Suppose that O = f then Pr D 𝑓 =1 =Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 where Π denotes the encryption scheme in which Fk is replaced by truly random f.

14 Security Reduction Step 1: Assume for contraction that we have a PPT attacker A that breaks CPA-Security. Step 2: Construct a PPT distinguisher D which breaks PRF security. Distinguisher DO (oracle O --- either f or Fk) Simulate A Whenever A queries its encryption oracle on a message m Select random r Return 𝑐= 𝑟,𝑂 𝑟 ⨁𝑚 Whenever A outputs messages m0,m1 Select random r and bit b Return 𝑐= 𝑟,𝑂 𝑟 ⨁ 𝑚 𝑏 Whenever A outputs b’ Output 1 if b=b’ Output 0 otherwise Analysis: Suppose that O = Fk then by PRF security, for some negligible function 𝜇, we have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1 −Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 = Pr[ D 𝐹 𝑘 =1]−Pr[ D 𝑓 =1] ≤𝜇(𝑛) Implies: Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 ≥Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1 -𝜇(𝑛)

15 Security Reduction Fact: Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 ≥Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1 -𝜇(𝑛) Claim: For any attacker A making at most q(n) queries we have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 ≤ 𝑞(𝑛) 2 𝑛 Conclusion: For any attacker A making at most q(n) queries we have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1 ≤ 𝑞 𝑛 2 𝑛 +𝜇 𝑛 where 𝑞 𝑛 2 𝑛 +𝜇 𝑛 is negligible.

16 Finishing Up Claim: For any attacker A making at most q(n) queries we have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 ≤ 𝑞(𝑛) 2 𝑛 Proof: Let m0,m1 denote the challenge messages and let r* denote the random string used to produce the challenge ciphertext 𝑐= 𝑟 ∗ ,𝑓 𝑟 ∗ ⨁ 𝑚 𝑏 And let r1,…,rq denote the random strings used to produce the other ciphertexts 𝑐𝑖= 𝑟 𝑖 ,𝑓 𝑟 𝑖 ⨁ 𝑚 𝑏 . If r*≠ r1,…,rq then then c leaks no information about b (information theoretically).

17 Finishing Up Claim: For any attacker A making at most q(n) queries we have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 ≤ 𝑞(𝑛) 2 𝑛 Proof: If r*≠ r1,…,rq then then c leaks no information about b (information theoretically). We have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 ≤Pr 𝑃𝑟𝑖𝑣𝐾 𝐴, Π 𝑐𝑝𝑎 =1 r∗≠r1,…,rq +Pr r∗∈ r1,…,rq ≤ 𝑞(𝑛) 2 𝑛

18 Conclusion Enck(m)= 𝑟, 𝐹 𝑘 𝑟 ⨁𝑚 Deck( 𝑟,𝑠 )= 𝐹 𝑘 𝑟 ⨁𝑠 For any attacker A making at most q(n) queries we have Pr 𝑃𝑟𝑖𝑣𝐾 𝐴,Π 𝑐𝑝𝑎 =1 ≤ 𝑞 𝑛 2 𝑛 +𝜇 𝑛 PRF Security

19 Are PRFs or PRGs more Powerful?
Easy to construct a secure PRG from a PRF G(s) = Fs(1)|…|Fs(ℓ) Construct a PRF from a PRG? Tricky, but possible… (Katz and Lindell Section 7.5)

20 Construct PRF from PRG Define: G(s)= G0(s)| G1(s) PRF: 𝐹 𝑘 𝑥 = 𝐺 𝑥 1 …𝐺 𝑥 𝑛−1 𝐺 𝑥 𝑛 𝑘 Recursive Definition: 𝐹 𝑘 𝑥 =Hk(x) where Hk(1):= G1(k) Hk(0):= G0(k) Hk(1|x):=G1(Hk(x)) Hk(0|x):= G0(Hk(x)) Theorem: If G is a PRG then Fk is a PRF

21 Next Class Read Katz and Lindell 3.6.2-3.6.7 Modes of Operation
Stream-Cipher/Block-Cipher

Download ppt "Topic 7: Pseudorandom Functions and CPA-Security"

Similar presentations

CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.

CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.

CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.

CS555Spring 2012/Topic 31 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.

CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
Cryptography Lecture 6 Arpita Patra © Arpita Patra.

Cryptography Lecture 6 Arpita Patra © Arpita Patra.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
Cryptography Lecture 10 Arpita Patra © Arpita Patra.

Cryptography Lecture 10 Arpita Patra © Arpita Patra.
Topic 26: Discrete LOG Applications

Topic 26: Discrete LOG Applications
Cryptography Lecture 5 Arpita Patra © Arpita Patra.

Cryptography Lecture 5 Arpita Patra © Arpita Patra.
Updated Office Hours Tuesday: 10:30 AM-11:30 AM

Updated Office Hours Tuesday: 10:30 AM-11:30 AM
B504/I538: Introduction to Cryptography

B504/I538: Introduction to Cryptography
Homework 1 Due: Thursday at 9 AM (beginning of class)

Homework 1 Due: Thursday at 9 AM (beginning of class)
Cryptography CS 555 Topic 15: Stream Ciphers.

Cryptography CS 555 Topic 15: Stream Ciphers.
Modern symmetric-key Encryption

Modern symmetric-key Encryption

Similar presentations

Ads by Google