Cryptography Lecture 8.

1 Cryptography Lecture 8

2 Clicker quiz
Which of the following encryption schemes is CPA-secure (G is a PRG, F is a PRF)?
Enc_k(m) chooses uniform r; outputs <r, G(r) ⊕ m>
Enc_k(m) chooses uniform r; outputs <r, F_k(r) ⊕ m>
The one-time pad
Enc_k(m) chooses uniform r; outputs <r, F_r(k) ⊕ m>

3 Keyed functions
Let F: {0,1}^n × {0,1}^n → {0,1}^n be an efficient, deterministic algorithm
Define F_k(x) = F(k, x)
The first input is called the key
Security parameter = key length = n
F is pseudorandom if F_k (for uniform k) is indistinguishable from a random function on the same domain/range

4 [Figure: the PRF indistinguishability game. World 0: f ∈ Func_n is chosen uniformly at random; the (poly-time) distinguisher sends queries x_1, …, x_t and receives f(x_1), …, f(x_t). World 1: k ∈ {0,1}^n is chosen uniformly at random and the same queries are answered with F_k(x_1), …, F_k(x_t). The distinguisher must guess which world ("??") it is in.]

5 PRFs vs. PRGs
PRF F immediately implies a PRG G:
Define G(k) = F_k(0…0) | F_k(0…1)
I.e., G(k) = F_k(<0>) | F_k(<1>) | F_k(<2>) | …, where <i> denotes the n-bit encoding of i
PRF can be viewed as a PRG with random access to exponentially long output
The function F_k can be viewed as the n·2^n-bit string F_k(0…0) | … | F_k(1…1)
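The PRF-to-PRG construction on this slide, as an added example (not code from the lecture). The PRF F_k is assumed to be HMAC-SHA256 truncated to n = 128 bits, which is a standard assumption rather than the lecture's abstract F; the point demonstrated is the random access: block i of G(k) is F_k(<i>) and can be produced without computing blocks 0 … i−1.

```python
import hashlib
import hmac

N_BYTES = 16  # n = 128 bits: key length, input length and output length of the assumed PRF


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x). Assumption: HMAC-SHA256 truncated to n bits stands in for the lecture's PRF F."""
    if len(k) != N_BYTES or len(x) != N_BYTES:
        raise ValueError("key and input must both be n bits")
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def encode_index(i: int) -> bytes:
    """<i>: the n-bit (big-endian) encoding of the block index i."""
    return i.to_bytes(N_BYTES, "big")


def prg_block(k: bytes, i: int) -> bytes:
    """Random access into G(k): the i-th n-bit output block is F_k(<i>).
    Nothing before block i is evaluated, which is what makes the
    exponentially long string n·2^n bits usable in practice."""
    return prf(k, encode_index(i))


def prg_prefix(k: bytes, num_blocks: int) -> bytes:
    """G(k) truncated to its first num_blocks blocks: F_k(<0>) | F_k(<1>) | ... ."""
    return b"".join(prg_block(k, i) for i in range(num_blocks))


def full_output_bits(n_bits: int) -> int:
    """Length in bits of the whole string F_k(0...0) | ... | F_k(1...1): n * 2^n."""
    return n_bits * 2 ** n_bits


if __name__ == "__main__":
    k = bytes(range(N_BYTES))  # constructed sample key, not a real secret
    stream = prg_prefix(k, 4)
    # block 2 read directly equals the third slice of the sequential expansion
    print(stream[2 * N_BYTES:3 * N_BYTES] == prg_block(k, 2))
```

Expanding a PRF into a long pseudorandom string by feeding it a counter is exactly what counter mode does with a block cipher; the only requirement on the index encoding is that distinct i map to distinct inputs.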

6 Pseudorandom permutations (PRPs)
Let f ∈ Func_n
f is a permutation if it is a bijection
This means that the inverse f^{-1} exists
Let Perm_n ⊆ Func_n be the set of permutations
What is |Perm_n|?

7 Pseudorandom permutations
Let F be a length-preserving, keyed function
F is a keyed permutation if F_k is a permutation for every k, and F_k^{-1}, the inverse of F_k, is efficiently computable
F is a pseudorandom permutation if F_k, for uniform key k ∈ {0,1}^n, is indistinguishable from a uniform permutation f ∈ Perm_n
Even if the attacker can query the function and its inverse

8 Note
For large enough n, a random permutation is indistinguishable from a random function
So in practice, PRPs are also good PRFs

9 Do PRFs/PRPs exist?
They are a stronger primitive than PRGs…
…though they can be built from PRGs
In practice, block ciphers are used
Will discuss extensively later

10 Block ciphers
Block ciphers are practical constructions of pseudorandom permutations
No asymptotics: F: {0,1}^n × {0,1}^m → {0,1}^m
n = “key length”
m = “block length”
Hard to distinguish F_k from uniform f ∈ Perm_m even for attackers running in time 2^n

11 AES
Advanced encryption standard (AES)
Key length = 128, 192, or 256 bits
Block length = 128 bits
Will discuss details later in the course
Available in standard crypto libraries
No real reason to use anything else

12 CPA-security
Fix Π, A
Define a randomized exp’t PrivK^CPA_{A,Π}(n):
k ← Gen(1^n)
A(1^n) interacts with an encryption oracle Enc_k(·), and then outputs m_0, m_1 of the same length
b ← {0,1}, c ← Enc_k(m_b), give c to A
A can continue to interact with Enc_k(·)
A outputs b’; A succeeds if b = b’, and the experiment evaluates to 1 in this case

13 CPA-security
Π is secure against chosen-plaintext attacks (CPA-secure) if for all PPT attackers A, there is a negligible function ε such that
Pr[PrivK^CPA_{A,Π}(n) = 1] ≤ ½ + ε(n)

14 CPA-secure encryption
Let F be a length-preserving, keyed function
Gen(1^n): choose a uniform key k ∈ {0,1}^n
Enc_k(m), where |m| = |k| = n: choose uniform r ∈ {0,1}^n (nonce/initialization vector); output ciphertext <r, F_k(r) ⊕ m>
Dec_k(c_1, c_2): output c_2 ⊕ F_k(c_1)
Correctness is immediate
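The scheme on this slide written out, as an added example that is not part of the lecture. The PRF is again assumed to be HMAC-SHA256 truncated to n = 128 bits (an assumption, not the lecture's F); the optional `r` argument to `enc` exists only so that a test can exercise the scheme deterministically, and a deployment would never let a caller pick the nonce.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # n = 128 bits; the scheme requires |m| = |k| = n


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x). Assumption: HMAC-SHA256 truncated to n bits stands in for the PRF F."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen(1^n): a uniform key k in {0,1}^n from the OS CSPRNG."""
    return secrets.token_bytes(N_BYTES)


def enc(k: bytes, m: bytes, r=None):
    """Enc_k(m): choose uniform r in {0,1}^n, output <r, F_k(r) xor m>.
    r is only overridable for deterministic testing of this example."""
    if len(k) != N_BYTES or len(m) != N_BYTES:
        raise ValueError("this scheme encrypts exactly n-bit messages under an n-bit key")
    if r is None:
        r = secrets.token_bytes(N_BYTES)  # the nonce / IV: fresh and uniform on every call
    return r, xor(prf(k, r), m)


def dec(k: bytes, c) -> bytes:
    """Dec_k(c_1, c_2) = c_2 xor F_k(c_1): recompute the pad from the transmitted nonce."""
    c1, c2 = c
    return xor(c2, prf(k, c1))


def roundtrip_ok(k: bytes, m: bytes) -> bool:
    """Correctness: Dec_k(Enc_k(m)) = m, since F_k(r) xor F_k(r) cancels."""
    return dec(k, enc(k, m)) == m


def encrypts_differently(k: bytes, m: bytes) -> bool:
    """Encrypting the same message twice under the same key yields different
    ciphertexts (except with probability 2^-n), because r is fresh each time."""
    return enc(k, m) != enc(k, m)


if __name__ == "__main__":
    k = gen()
    m = b"attack at dawn!!"  # constructed 16-byte sample message
    print(roundtrip_ok(k, m), encrypts_differently(k, m))
```

The ciphertext is twice the message length because r travels in the clear; that is inherent to the construction and costs nothing in security, since the pad F_k(r) is unpredictable without k.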

15 [Figure: the nonce r is fed to F under the key, producing a pseudorandom pad; the pad is XORed with the message, and the ciphertext is the pair (r, pad ⊕ message). Decryption recomputes the same pad from r and the key.]

16 Security?
Theorem: if F is a pseudorandom function, then this scheme is CPA-secure

17 Note The key is as long as the message…
…but the same key can be used to securely encrypt multiple messages

18 Security?
Theorem: if F is a pseudorandom function, then this scheme is CPA-secure
Proof by reduction…
See book for formal proof
Here: high-level intuition

19 [Figure: how an encryption query is answered in the reduction. On receiving m, the reduction chooses r ← {0,1}^n, evaluates F_k(r) through its oracle, and returns <r, F_k(r) ⊕ m>.]

20 [Figure: the challenge phase. A outputs m_0, m_1; the reduction chooses b ← {0,1} and r* ← {0,1}^n and returns <r*, F_k(r*) ⊕ m_b>.]

21 Analysis
Since F is a pseudorandom function, we can replace F_k with a truly random function f
See book for details

22 Analysis
What is the success probability of A when the experiment uses a random function f?
There are two sub-cases:
r* was used for some other ciphertext (call this event Repeat)
r* was not used for some other ciphertext
Let q(n) be a bound on the number of encryption queries made by A

23 Analysis
Pr[success] ≤ Pr[success | ¬Repeat] + Pr[Repeat]
Pr[Repeat] ≤ q(n)/2^n. Why?
Pr[success | ¬Repeat] = ½
Analogous to the one-time pad in this case, since f(r*) is uniform and independent of everything else
Pr[A succeeds] ≤ ½ + q(n)/2^n
I.e., the scheme is secure!
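The "Why?" on this slide worked through numerically, as an added example (not from the lecture). Each of the q(n) earlier nonces r_i is uniform and independent of r*, so r* collides with a given r_i with probability 2^-n; the union bound gives q(n)/2^n, and because the r_i are independent the exact value is 1 − (1 − 2^-n)^q, which the code computes alongside the bound and checks against a seeded simulation for a toy n. The function and parameter names below are this example's own.

```python
import math
import random


def union_bound(n: int, q: int) -> float:
    """The slide's bound Pr[Repeat] <= q(n)/2^n: a union bound over the q earlier nonces,
    each of which equals r* with probability 2^-n."""
    return q / 2 ** n


def exact_repeat_prob(n: int, q: int) -> float:
    """Exact Pr[Repeat] when the q earlier nonces are independent uniform n-bit strings:
    r* differs from each with probability 1 - 2^-n, so Pr[Repeat] = 1 - (1 - 2^-n)^q.
    Computed with log1p/expm1 so it stays accurate when 2^-n is far below float epsilon."""
    return -math.expm1(q * math.log1p(-(2.0 ** -n)))


def success_bound(n: int, q: int) -> float:
    """Pr[A succeeds] <= 1/2 + q(n)/2^n, i.e. 1/2 + Pr[success | not Repeat] contribution
    plus the repeat term; negligible in n for polynomial q(n)."""
    return 0.5 + union_bound(n, q)


def simulate_repeat_prob(n: int, q: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of Pr[Repeat] for a toy n: draw q uniform n-bit nonces,
    then a fresh r*, and count how often r* was already used. Seeded for reproducibility."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = {rng.getrandbits(n) for _ in range(q)}
        if rng.getrandbits(n) in seen:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # toy parameters: 8-bit nonces and 16 queries make the repeat event visible
    print(union_bound(8, 16), exact_repeat_prob(8, 16), simulate_repeat_prob(8, 16, 20000))
    # realistic parameters: 128-bit nonces and 2^40 queries leave the bound at 2^-88
    print(union_bound(128, 2 ** 40), success_bound(128, 2 ** 40))
```

For n = 128 the union bound is 2^-88 even after 2^40 encryptions, which is why the slide can call the scheme secure; for n = 8 the same bound is 6.25% after only 16 queries, which previews the warning about short nonces later in the lecture.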

24 Real-world security?
The security bound we proved is tight
What happens if a nonce r is ever reused?
What happens to the bound if the nonce is chosen non-uniformly?

25 Attacks?
If r repeats, security fails
Exactly analogous to multiple encryptions using the (pseudo-)one-time pad scheme
When r is a uniform, n-bit string, the probability of a repeat is negligible
If r is too short, or is chosen from another distribution, repeats may happen!
May make scheme insecure
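What "security fails" on this slide means concretely, as an added example that is not part of the lecture: under a repeated r the pad F_k(r) cancels out of the XOR of two ciphertexts, exactly as with a reused one-time pad, and a too-short nonce makes such repeats routine. The PRF is assumed to be HMAC-SHA256 truncated to n = 128 bits (an assumption, not the lecture's F); the nonce-tracking encryptor at the end is the defensive check this example adds, with names of its own.

```python
import hashlib
import hmac
import random
import secrets

N_BYTES = 16  # n = 128 bits


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x). Assumption: HMAC-SHA256 truncated to n bits stands in for the PRF F."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc_with_nonce(k: bytes, m: bytes, r: bytes):
    """Enc_k(m) with the nonce supplied by the caller, so a repeat can be forced in a test."""
    return r, xor(prf(k, r), m)


def pad_cancels_on_reuse(k: bytes, m1: bytes, m2: bytes, r1: bytes, r2: bytes) -> bool:
    """True iff c1 xor c2 == m1 xor m2. With r1 == r2 this always holds (the pad
    F_k(r) cancels, leaking the relation between the plaintexts); with distinct
    nonces it fails except with probability 2^-n."""
    _, c1 = enc_with_nonce(k, m1, r1)
    _, c2 = enc_with_nonce(k, m2, r2)
    return xor(c1, c2) == xor(m1, m2)


def count_nonce_repeats(nonce_bits: int, num_messages: int, seed: int = 0) -> int:
    """How many of num_messages uniformly chosen nonce_bits-bit nonces repeat an earlier one.
    Short nonces collide after roughly 2^(nonce_bits/2) messages; full n-bit nonces do not."""
    rng = random.Random(seed)
    seen, repeats = set(), 0
    for _ in range(num_messages):
        r = rng.getrandbits(nonce_bits)
        if r in seen:
            repeats += 1
        seen.add(r)
    return repeats


class NonceTrackingEncryptor:
    """Defensive wrapper (this example's own): always draws a full n-bit uniform nonce
    and refuses to reuse one under the same key, turning silent pad reuse into an error."""

    def __init__(self, k: bytes):
        self.k = k
        self.used = set()

    def encrypt(self, m: bytes):
        r = secrets.token_bytes(N_BYTES)
        if r in self.used:  # probability 2^-128 per call; checked anyway
            raise RuntimeError("nonce repeated under this key; refusing to encrypt")
        self.used.add(r)
        return enc_with_nonce(self.k, m, r)


if __name__ == "__main__":
    k = bytes(range(N_BYTES))  # constructed sample key, not a real secret
    r = bytes(N_BYTES)
    print(pad_cancels_on_reuse(k, b"attack at dawn!!", b"retreat at noon!", r, r))
    print(count_nonce_repeats(8, 100), count_nonce_repeats(128, 100))
```

The second print shows the slide's point about nonce length: with 8-bit nonces, a hundred messages produce many repeats, while with 128-bit nonces none occur, matching the q(n)/2^n bound.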
