1. Lecturer: Moni Naor Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations.

2. Recap of last week’s lecture Application of GL Theorem to Pseudo-randomness of Subset sum Hybrid arguments: from single bit expansion to many bits expansion Next Bit unpredictability equivalent to Computational Pseudo-Randomness Why extremely long random looking strings are useful Pseudo-random functions definition

3. The world so far Pseudo-random generators Signature Schemes UOWHFs One-way functions Two guards Identification Will soon see: Computational Pseudorandomness Shared-key Encryption and Authentication P  NP

4. Reading Assignment Naor and Reingold, From Unpredictability to Indistinguishability: A Simple Construction of Pseudo- Random Functions from MACs, Crypto'98. www.wisdom.weizmann.ac.il/~naor/PAPERS/mac_abs.html Gradwohl, Naor, Pinkas and Rothblum, Cryptographic and Physical Zero-Knowledge Proof Systems for Solutions of Sudoku Puzzles – Especially Section 1-3 www.wisdom.weizmann.ac.il/~naor/PAPERS/sudoku_abs.html

5. Homework How to have a one-time signature scheme with shorter public keys –Let f be one-way permutation… How to construct –a signature scheme existentially secure against an adaptively chosen message attack, –from a scheme that is existentially secure against a random message attack.

6. Pseudo-Random Generators concrete version G n :  0,1  m  0,1  n Instead of passing all polynomial time statistical tests: (t,  )- pseudo-random - no test A running in time t can distinguish with advantage 

7. Recall: Three Basic issues in cryptography Identification Authentication Encryption Solve in a shared key environment S S B A

8. Identification: remote login using pseudo-random sequence A and B share a key S  0,1  k In order for A to identify itself to B Generate sequence G n (S) For each identification session: send next block of G n (S) G n (S) G:G: S

9. Problems... More than two parties Malicious adversaries - add noise Coordinating the location block number Better approach: Challenge-Response

10. Challenge-Response Protocol B selects a random location and sends to A A sends value at random location AB What’s this?

11. Desired Properties Very long string - prevent repetitions Random access to the sequence Unpredictability - cannot guess the value at a random location –even after seeing values at many parts of the string to the adversary’s choice. –Pseudo-randomness implies unpredictability Not the other way around for blocks

12. Authenticating Messages A wants to send message M  0,1  n to B B should be confident that A is indeed the sender of M One-time application: S =(a,b) : where a,b  R  0,1  n To authenticate M : supply aM  b Computation is done in GF[2 n ]

13. Problems and Solutions Problems - same as for identification If a very long random string available - –can use for one-time authentication –Works even if only random looking a,b AB Use this!

14. Encryption of Messages A wants to send message M  0,1  n to B only B should be able to learn M One-time application: S = a : where a  R  0,1  n To encrypt M send a  M

15. Encryption of Messages If a very long random looking string available - –can use as in one-time encryption AB Use this!

16. Pseudo-random Function A way to provide an extremely long shared string

17. Pseudo-random Functions Concrete Treatment: F:  0,1  k   0,1  n   0,1  m key Domain Range Denote Y= F S (X) A family of functions Φ k ={F S | S  0,1  k  is (t, , q)- pseudo-random if it is Efficiently computable - random access and...

18. (t, ,q)- pseudo-random The tester A that can choose adaptively –X 1 and gets Y 1 = F S (X 1 ) –X 2 and gets Y 2 = F S (X 2 )  … –X q and gets Y q = F S (X q ) Then A has to decide whether – F S  R  Φ k  or – F S  R R n  m =  F | F :  0,1  n   0,1  m 

19. (t, ,q)- pseudo-random For a function F chosen at random from (1) Φ k ={F S | S  0,1  k  (2) R n  m =  F | F :  0,1  n   0,1  m  For all t -time machines A that choose q locations and try to distinguish (1) from (2)  Prob  A  ‘1’  F  R Φ k  - Prob  A  ‘1’  F  R R n  m    

20. Equivalent/Non-Equivalent Definitions Instead of next bit test: for X  X 1,X 2, , X q  chosen by A, decide whether given Y is –Y= F S (X) or –Y  R  0,1  m Adaptive vs. Non-adaptive Unpredictability vs. pseudo-randomness A pseudo-random sequence generator g:  0,1  m  0,1  n –a pseudo-random function on small domain  0,1  log n  0,1  with key in  0,1  m

21. Application to the basic issues in cryptography Solution using a shared key S Identification: B to A: X  R  0,1  n A to B: Y= F S (X) B verifies Authentication: A to B: Y= F S (M) replay attack Encryption: A chooses X  R  0,1  n A to B:

22. Goal Construct an ensemble {Φ k | k  L  such that for any {t k, 1/  k, q k | k  L  polynomial in k, for all but finitely many k’s Φ k is a (t k,  k, q k )- pseudo-random family

23. Construction Construction via Expansion –Expand n or m Direct constructions

24. Effects of Concatenation Given ℓ Functions F 1, F 2, , F ℓ decide whether they are –ℓ random and independent functions OR –F S 1, F S 2, , F S ℓ for S 1, S 2, , S ℓ  R  0,1  k Claim: If Φ k ={F S | S  0,1  k  is (t, ,q)- pseudo-random: cannot distinguish two cases –using q queries –in time t’=t - ℓ  q –with advantage better than ℓ 

25. Proof: Hybrid Argument i=0 F S 1, F S 2, , F S ℓ p 0 … i R 1, R 2, , R i-1,F S i, F S i+1, , F S ℓ p i … i=ℓ R 1, R 2, , R ℓ p ℓ  p ℓ - p 0     i s.t.  p i+1 - p i   /ℓ

26. ...Hybrid Argument Can use this i to distinguish whether – F S  R  Φ k  or F S  R R n  m Generate F S i+1, , F S ℓ Answer queries to first i-1 functions at random (consistently) Answer query to F S i, using (black box) input Answer queries to functions i+1 through ℓ with F S i+1, , F S ℓ Running time of test - t’  ℓ  q

27. Doubling the domain Suppose we have F (n) :  0,1  k   0,1  n   0,1  m which is (t, ,q)- p.r. Want F (n+1) :  0,1  k   0,1  n+1   0,1  m which is (t’,  ’,q’)- p.r. Use G:  0,1  k   0,1  2k which is (t,  ) p.r G(S)  G 0 (S) G 1 (S) Let F S (n+1) (bx)  F G b (s) (n) (x) G 0 (S)G 1 (S) S G

28. Claim If G is (t  q,  1 ) -p.r and F (n)  is (t  2q,  2,q) -p.r, then F (n+1)  is (t,  1  2  2,q) -p.r Proof: three distributions (1) F (n+1) (2) F S 0 (n), F S 1 (n) for independent S 0, S 1 (3) Random   1  2  2

29. ...Proof Given that (1) and (3) can be distinguished with advantage  1  2  2, then either (1) and (2) with advantage  1 –G can be distinguished with advantage  1 or (2) and (3) with advantage 2  2 –F (n)  can be distinguished with advantage  2 Running time of test: t’  q

30. Getting from G to F (n) Idea: Use recursive construction F S (n) (b n b n-1  b 1 )  F G b 1 (s) (n-1) (b n-1 b n-2  b 1 )  G b n (G b n-1 (  G b 1 (S))  ) Each evaluation of F S (n) (x) : n invocations of G

31. Tree Description G 0 (S) G 1 (S) S G 0 (G 0 (S)) G 1 (G 0 (G 0 (S))) Each leaf corresponds to x 2 {0,1} n. Label of leaf: value of pseudo-random function at x

32. Security claim If G is (t  qn,  ) p.r, then F (n)  is (t, q,  ’  n  q  ) p.r Proof: Hybrid argument by levels D i : – truly random labels for nodes at level i. – Pseudo-random from i down Each D i : a collection of q functions  i  p i+1 - p i   ’/n  q 

33. Hybrid S0S0 S1S1 S G 0 (S 0 ) G 1 (G 0 (S 0 )) n-i i DiDi

34. …Proof of Security Can use this i to distinguish concatenation of q sequence generators G from random. The concatenation is (t, q  ) pseudo-random Therefore the construction is (t, , q) pseudo-random

35. Disadvantages Expensive - n invocations of G Sequential Deterioration of  But does the job! From any pseudo-random sequence generator construct a pseudo-random function. Theorem: one-way functions exist if and only if pseudo-random functions exist.

36. Applications of Pseudo-random Functions Learning Theory - lower bounds –Cannot PAC learn any class containing pseudo-random function Complexity Theory - impossibility of natural proofs for separating classes. Any setting where huge shared random string is useful Caveat: what happens when the seed is made public?

37. Application to Signatures Can make the UOWHF signature scheme into a memoryless/history independent one. Identify the tree of the signature scheme and the tree of pseudo- random function –Can add labels on the internal nodes Add to the secret-key of the signature scheme a key to a pseudo- random function Generate the one-time signatures of the triples using the label on the node –Guarantees consistency To always get the same signature on a message: the path to the leaf used is determined by the message

38. Construction of UOWHF signatures Key generation : generate the root –Three sets of keys for a one-time signature scheme –A function g  G from a family of UOWHF Signing algorithm: Traverse the tree in a BFS manner –Generate a new triple –Sign the message using the middle part of node –Put the generated triple in the next available node in the current level If all nodes in current level are assigned, create a new one. –The signature consists of: The one-time signature on the message The nodes along the path to the root the one-time signatures on the hashed nodes along the path to the root Keep secret the private keys of all triples Verification of signature: Verify the one-times signature given. triple Size of signature: Depth of tree ¢ triple size

39. Another paradigm for obtaining Signatures Shared secret seed - can get authentication What about public-key? Can we use the techniques? Yes!? – Private key is S – Public key is commitment to F S –To sign M - provide F S (M) and a proof of consistency with the commitment

40. Pseudo-Random Permutations Block-Ciphers : Shared-key encryption schemes where: The encryption of every plaintext block is a ciphertext block of the same length. Key BC Plaintext Ciphertext

41. Block Ciphers Advantages –Saves up on memory and communication bandwidth –Easy to incorporate within existing systems. Main Disadvantage –Every block is always encrypted in the same way. Important Examples: DES, AES

42. Modeling Block Ciphers Pseudo-random Permutations F :  0,1  k   0,1  n   0,1  n Key Domain Range F -1 :  0,1  k   0,1  n   0,1  n Key Range Domain Want: –X= F S -1 (F S (X)) Correct inverse –Efficiently computable

43. The Test The tester A that can choose adaptively –X 1 and get Y 1 = F S (X 1 ) –Y 2 and get X 2 = F S -1 (Y 2 ) … –X q and get Y q = F S (X q ) Then A has to decide whether – F S  R Φ k  or – F S  R P (n) =  F | 1-1 F :  0,1  n   0,1  n  Can choose to evaluate or invert any point!

44. (t, ,q)- pseudo-random For a function F chosen at random from (1) Φ k  ={F S | S  0,1  k  (2) P (n) =  F | 1-1 F :  0,1  n   0,1  n  For all t -time machines A that choose q locations and try to distinguish (1) from (2)  Pr  A= ‘1’  F  R F k  - Pr  A= ‘1’  F  R P (n)    

45. Construction of Pseudo-Random Permutations Possible to construct pseudo-random permutations from pseudo-random functions (and vice versa...) Based on 4 Feistal Permutations

46. Feistal Permutation Any function f :  0,1  n   0,1  n defines a Feistal Permutation  0,1  2n   0,1  2n D f (L,R)=(R, L  f(R)) Feistal permutations are as easy to invert as to compute: D f -1 (L,R)=(R  f(L),L) Many Block Cipher based on such permutations, where the function f is derived from secret key

47. Feistal Permutation f L1L1 R1R1 L2L2 R2R2

48. Composing Feistal Permutations Make the function f:  0,1  n   0,1  n a pseudo-random function F S  R Φ k This defines a keyed family of permutations  0,1  2n   0,1  2n Clearly it is not pseudo-random –Right block goes unchanged to left block What about composing two such keyed permutations With independent keys Not pseudo-random: D S 2 (D S 1 (L,R))= (F S 1 (L)  R, F S 2 (F S 1 (L)  R)  R) -For two inputs sharing the same left block Looks pretty good for random attacks!

49. Composing Feistal Permutations Make the function f:  0,1  n   0,1  n a pseudo-random function F S  R Φ k This defines a keyed family of permutations  0,1  2n   0,1  2n Clearly it is not pseudo-random –Right block goes unchanged to left block What about composing two such keyed permutations With independent keys Not pseudo-random: D S 2 (D S 1 (L,R))= (F S 1 (R)  L, F S 2 (F S 1 (R)  L)  R) –For two inputs sharing the same left block –Looks pretty good for random attacks! Protects left block Protects right block

50. Main Construction Let F 1, F 2,F 3,F 4  R PRF, then the composition of D F 1, D F 2, D F 3, D F 4 is a pseudo-random permutation. Each F i :  0,1  n   0,1  n. Resulting Permutation  0,1  2n   0,1  2n. F 1 and F 4 can be ``combinatorial”: –pair-wise independent. –low probability of collision on first block Error probability is ~ q 2 /2 n

51. Security Theorem Let (1)   be the set of permutations obtained when The two middle G 2,G 3 are truly random functions and the first and last are (h 1,h 2 ) chosen from a pairwise independent family. (2) P (n) =  F | 1-1 F :  0,1  n   0,1  n  Theorem: For any adversary A –(not necessarily efficient) –that makes at most q queries the advantage in distinguishing between a random permutation from P (n) and a random one from   is at most q 2 /2 n + q 2 /2 2n Corollary: the original construction is computationally secure

52. Sources Goldreich’s Foundations of Cryptography, volumes 1 and 2 Goldreich, Goldwasser and Micali, How to construct random functions, Journal of the ACM 33, 1986, 792 - 807.How to construct random functions Luby-Rackoff: How to construct pseudorandom permutations from pseudorandom functions, SIAM J. Computing, 1988. Naor-Reingold: Luby-Rackoff Revisited, Journal of Cryptology, 1999.