Foundations of Cryptography
Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes
Lecturer: Moni Naor
Announcement: homework deadline Dec 20; the next lecture will be given by Gil.
Recap of last week's lecture
- Pseudo-random functions: constructions
- Pseudo-random function applications
- Pseudo-random permutations: motivation and definition
- Feistel permutations
Good question on pseudo-random functions
- Want to construct a pseudo-random permutation on a very large domain from one on a large domain: given F_S: {0,1}^n → {0,1}^m, construct F'_S': {0,1}^n' → {0,1}^m.
- Idea: let H be a family of universal hash functions h: {0,1}^n' → {0,1}^n, so that for any x ≠ x' we have Prob_{h ∈ H}[h(x) = h(x')] ≤ 1/2^n (the universal hashing bound).
- Then F'_{S,h}(x) = F_S(h(x)).
- What can you say about the quality of F'?
Pseudo-Random Permutations
Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
(Figure: Key → BC; Plaintext → Ciphertext)
Block Ciphers
Advantages:
- Saves on memory and communication bandwidth
- Easy to incorporate within existing systems
Main disadvantage: every block is always encrypted in the same way.
Important examples: DES, AES
Modeling Block Ciphers
Pseudo-random permutations:
- F: {0,1}^k × {0,1}^n → {0,1}^n (key, domain → range)
- F^{-1}: {0,1}^k × {0,1}^n → {0,1}^n (key, range → domain)
Want: X = F_S^{-1}(F_S(X)) (correct inverse), efficiently computable.
The Test
The tester A can choose adaptively:
- X1 and get Y1 = F_S(X1)
- Y2 and get X2 = F_S^{-1}(Y2)
- …
- Xq and get Yq = F_S(Xq)
Then A has to decide whether F_S ∈_R Φ_k or F_S ∈_R P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}.
A can choose to evaluate or invert any point!
(t,ε,q)-pseudo-random
For a function F chosen at random from
(1) Φ_k = {F_S | S ∈ {0,1}^k}
(2) P(n) = {F | F: {0,1}^n → {0,1}^n is 1-1}
For all t-time machines A that choose q locations and try to distinguish (1) from (2):
|Pr[A = '1' | F ∈_R Φ_k] − Pr[A = '1' | F ∈_R P(n)]| ≤ ε
Construction of Pseudo-Random Permutations
Possible to construct pseudo-random permutations from pseudo-random functions (and vice versa...).
Based on 4 Feistel permutations.
Feistel Permutation
Any function f: {0,1}^n → {0,1}^n defines a Feistel permutation {0,1}^2n → {0,1}^2n:
D_f(L,R) = (R, L ⊕ f(R))
Feistel permutations are as easy to invert as to compute:
D_f^{-1}(L,R) = (R ⊕ f(L), L)
Many block ciphers are based on such permutations, where the function f is derived from the secret key.
Feistel Permutation
(Figure: one Feistel round mapping (L1,R1) to (L2,R2) through f)
D_f(L1,R1) = (R1, L1 ⊕ f(R1))
D_f^{-1}(L2,R2) = (R2 ⊕ f(L2), L2)
Composing Feistel Permutations
- Make the function f: {0,1}^n → {0,1}^n a pseudo-random function F_S ∈_R Φ_k. This defines a keyed family of permutations {0,1}^2n → {0,1}^2n.
- Clearly it is not pseudo-random: the right block goes unchanged to the left block.
- What about composing two such keyed permutations with independent keys? Not pseudo-random either: D_S2(D_S1(L,R)) = (F_S1(R) ⊕ L, F_S2(F_S1(R) ⊕ L) ⊕ R). Consider two inputs sharing the same left block.
- Looks pretty good for random attacks!
(Figure labels: protects left block; protects right block)
Main Construction
Let F1, F2, F3, F4 ∈_R PRF; then the composition of D_F1, D_F2, D_F3, D_F4 is a pseudo-random permutation.
- Each F_i: {0,1}^n → {0,1}^n.
- Resulting permutation: {0,1}^2n → {0,1}^2n.
- F1 and F4 can be "combinatorial": pairwise independent, with low probability of collision on the first block.
- Error probability is ~ q²/2^n.
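The Feistel round, its inverse and the composition of rounds from the slides above, as an added example that is not part of the original lecture; the pseudo-random function F_S is modelled by keyed SHA-256 truncated to n bits (an assumption), and the keys and message are constructed. It also implements the check from the "composing two permutations" slide: after two rounds, two inputs that share the same right half R (and hence the same left block after round one) have output left halves that XOR to L ⊕ L', which four rounds no longer exhibit.

```python
import hashlib

N = 4  # bytes per half block, i.e. n = 32 bits (constructed toy size)

def prf(key: bytes):
    """Stand-in for F_S: {0,1}^n -> {0,1}^n, modelled as keyed SHA-256 truncated
    to n bits (an assumption; the lecture's F_S is an abstract PRF)."""
    return lambda x: hashlib.sha256(key + x).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R))."""
    return R, xor(L, f(R))

def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): inverting costs one f call, like D_f."""
    return xor(R, f(L)), L

def compose(keys):
    """Composition D_{F1} o ... o D_{Fk} on {0,1}^{2n}; with four independent keys
    this is the Luby-Rackoff construction. Returns (forward, inverse)."""
    fs = [prf(k) for k in keys]
    def forward(block: bytes) -> bytes:
        L, R = block[:N], block[N:]
        for f in fs:
            L, R = feistel(f, L, R)
        return L + R
    def inverse(block: bytes) -> bytes:
        L, R = block[:N], block[N:]
        for f in reversed(fs):  # undo the rounds in reverse order
            L, R = feistel_inv(f, L, R)
        return L + R
    return forward, inverse

def two_round_leak(forward) -> bool:
    """Check from the 'composing two permutations' slide: for two inputs with the
    same right half R, D_S2(D_S1(L, R)) has left half F_S1(R) xor L, so the output
    left halves XOR to L xor L'. A random permutation satisfies this only by chance."""
    L1, L2, R = b"\x00" * N, b"\xff" * N, b"\x42" * N
    y1, y2 = forward(L1 + R), forward(L2 + R)
    return xor(y1[:N], y2[:N]) == xor(L1, L2)

if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]  # constructed independent keys
    enc, dec = compose(keys)
    msg = b"plaintxt"  # one 2n = 64-bit block
    print(dec(enc(msg)) == msg, two_round_leak(compose(keys[:2])[0]), two_round_leak(enc))
```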
Security Theorem
Let (1) be the set of permutations obtained when the two middle rounds are Feistel permutations based on truly random functions G_S1, G_S2 and the first and last are (h1, h2) chosen from a pairwise independent family.
Let (2) be P(2n) = {F | F: {0,1}^2n → {0,1}^2n is 1-1}.
Theorem: for any adversary A, not necessarily efficient, that makes at most q queries, the advantage in distinguishing a random permutation from P(2n) from a random one from (1) is at most q²/2^n + q²/2^2n.
Corollary: the original construction is computationally secure.
(Figure: the composed permutation)
Back to two permutations
For each pair of input and output blocks, (L1,R1) is mapped to (L2,R2) if and only if
G_S1(R1) = L1 ⊕ L2 and G_S2(L2) = R1 ⊕ R2.
So we have "one-wise independence": this happens with probability 1/2^2n.
Furthermore, for any q pairs ⟨(L1^1,R1^1) → (L2^1,R2^1)⟩, ⟨(L1^2,R1^2) → (L2^2,R2^2)⟩, …, ⟨(L1^q,R1^q) → (L2^q,R2^q)⟩ such that for j ≠ i: R1^j ≠ R1^i and L2^j ≠ L2^i, the probability that all are mapped to each other is 1/2^2qn.
(Figure: (L2,R2) = (G_S1(R1) ⊕ L1, G_S2(G_S1(R1) ⊕ L1) ⊕ R1))
The Transcript
May assume A is deterministic, since it is not computationally bounded.
The transcript T is the set of pairs of inputs/outputs (X1,Y1), (X2,Y2), …, (Xq,Yq) queried by A. Queries can go either way (evaluate or invert).
Consider a third distribution P̃ of responses: if A
- asks for F(x) and x appeared before in a query ⟨x,y⟩: answer y
- asks for F^{-1}(y) and y appeared before in a query ⟨x,y⟩: answer x
- otherwise: answer a random z ∈ {0,1}^2n
P̃ is not always consistent with some permutation; call the resulting transcript inconsistent.
P̃ is close to P
Claim: A may differentiate between P and P̃ only if the transcript is inconsistent.
Claim ["inconsistent"]: Prob_P̃[T is inconsistent] ≤ q²/2^2n. Proof: birthday.
It remains to bound the difference between P̃ and G.
The BAD event
Thought experiment: choose the functions (h1, h2) also for process P̃; they serve no purpose there.
If T = (X1,Y1), (X2,Y2), …, (Xq,Yq) is consistent, it is BAD for functions (h1, h2) if there exist j ≠ i such that either
- h1(x_i) collides with the right half of h1(x_j), or
- h2(y_i) collides with the left half of h2(y_j).
BAD event: either T is inconsistent or T is BAD for (h1, h2).
Claim: Prob_P̃[BAD] ≤ q²/2^n + q²/2^2n. For a query, the probability of collision follows from pairwise independence.
Key Lemma
Lemma: for any adversary A and any possible value V = (X1,Y1), (X2,Y2), …, (Xq,Yq):
Prob_P̃[T = V and not BAD] = Prob_G[T = V and not BAD]
It is either 2^{-2qn} or 0.
Concluding the proof
By summing the Key Lemma over all transcripts: Prob_P̃[not BAD] = Prob_G[not BAD]; this implies Prob_P̃[BAD] = Prob_G[BAD].
By summing the Key Lemma over all transcripts for which A outputs '1': Prob_P̃[A outputs '1' and not BAD] = Prob_G[A outputs '1' and not BAD].
Hence: |Prob_P̃[A outputs '1'] − Prob_G[A outputs '1']| ≤ Prob_P̃[BAD] ≤ q²/2^n + q²/2^2n.
By the "inconsistent" Claim, P and P̃ are close, and we are done.
The world so far
- Signature schemes
- One-way functions
- Pseudo-random generators
- Pseudo-random functions
- Two-guards identification
- Pseudo-random permutations
- UOWHFs
- P ≠ NP
Will soon see: computational pseudorandomness; shared-key encryption and authentication.
Other Constructions
Generalized Feistel permutations: a generalized construction of pseudo-random permutations.
- The first and last rounds as before.
- The two middle Feistel permutations are replaced with t generalized Feistel permutations.
- The distinguishing probability is roughly q²/2^{2(1−1/t)n}.
Construction of long pseudo-random permutations from short ones:
- First and last round combinatorial.
- In the middle, independent applications of the short pseudo-random permutations.
Encryption Using Pseudo-Random Permutations
Sender and receiver share a secret key S ∈_R {0,1}^k. S defines a function F_S ∈ Φ_k.
What is wrong with encrypting X with F_S(X)?
Definition of the Security of Encryption
Information theoretic setting: if Eve has some knowledge of m, it should remain the same:
- Probability of guessing m (min-entropy of m)
- Probability of guessing whether m is m0 or m1
- Probability of computing some function f of m
Ideally: the ciphertext sent is independent of the message m. This implies all the above.
Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m. If there is no special knowledge about m, this means |m| shared bits that may be used once!
Several settings: shared key vs. public key; how active is the adversary.
Sender and receiver want to prevent Eve from learning anything about the message. Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides.
To specify security of encryption
The power of the adversary:
- Computational: probabilistic polynomial time machine (PPTM)
- Access to the system: can it change the messages?
What constitutes a failure of the system, i.e. what it means to break the system: reading a message? Forging a message?
Computational Security of Encryption: Indistinguishability of Encryptions
Indistinguishability of encrypted strings: adversary A chooses X0, X1 ∈ {0,1}^n, receives the encryption of Xb for b ∈_R {0,1}, and has to decide whether b = 0 or b = 1.
For every pptm A choosing a pair X0, X1 ∈ {0,1}^n:
|Pr[A = '1' | b = 1] − Pr[A = '1' | b = 0]| is negligible.
The probability is over the choice of keys, the randomization in the encryption and A's coins.
In other words: the encryptions of X0, X1 are indistinguishable. Quantification is over the choice of X0, X1 ∈ {0,1}^n.
Computational Security of Encryption: Semantic Security
Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A' that does not see the encryption of X, yet simulates A's knowledge with respect to X.
A selects:
- a distribution D_n on {0,1}^n
- a relation R(X,Y), computable in probabilistic polynomial time
For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A' so that for all pptm relations R, for X ∈_R D_n:
|Pr[R(X, A(E(X)))] − Pr[R(X, A'())]| is negligible.
In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X.
Note: this presentation of semantic security is non-standard (but equivalent).
(Figure: A receives E(X) for X ∈_R D_n and outputs Y; A' receives nothing and outputs Y; in both cases R is evaluated on (X, Y).)
What is a public-key encryption scheme
Allows Alice to publish a public key K_P while keeping hidden a secret key K_S.
- Key generation: G: {0,1}* → {0,1}* × {0,1}*, outputting K_P (public) and K_S (secret).
- "Anyone" who is given K_P and m can encrypt it. Encryption: a method E: {0,1}* × {0,1}* × {0,1}* → {0,1}* taking the public key K_P, a message (plaintext) m and random coins r, and outputting an encrypted message (ciphertext).
- Given a ciphertext and the secret key it is possible to decrypt it. Decryption: a method D: {0,1}* × {0,1}* × {0,1}* → {0,1}* taking the secret key K_S, the public key K_P and a ciphertext c, and outputting a plaintext m.
Require D(K_S, K_P, E(K_P, m, r)) = m.
Equivalence of Semantic Security and Indistinguishability of Encryptions
Would like to argue their equivalence. Must define the attack; otherwise we cannot fully talk about an attack.
Chosen plaintext attacks: the adversary can obtain the encryption of any message it wishes, in an adaptive manner.
- Certainly feasible in a public-key setting; the minimal attack that makes sense there.
- What about shared-key encryption?
More severe attacks: chosen ciphertext.
The encryption process must be probabilistic!
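An added example, not from the lecture, that plays the indistinguishability-of-encryptions game under a chosen plaintext attack against the scheme questioned on the "Encryption Using Pseudo-Random Permutations" slide, c = F_S(X), and against a probabilistic variant c = (r, F_S(r) ⊕ m), which is an assumed scheme rather than one from the slides. F_S is modelled as an ideal, lazily sampled random permutation, so any advantage measured comes from determinism alone, and the block size and adversary's messages are constructed.

```python
import os

N = 8  # block size in bytes (constructed toy parameter)

class RandomPermutation:
    """Lazily sampled random permutation on {0,1}^n: an idealised F_S, so any
    weakness found below lies in how F_S is used, not in F_S itself."""
    def __init__(self):
        self.table, self.used = {}, set()
    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            y = os.urandom(N)
            while y in self.used:  # keep the map injective
                y = os.urandom(N)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def det_encrypt(F, m: bytes) -> bytes:
    """The scheme questioned on the 'Encryption Using PRPs' slide: c = F_S(X)."""
    return F(m)

def rand_encrypt(F, m: bytes) -> bytes:
    """Probabilistic variant (an assumption, not from the slides): fresh coins r
    per message, c = (r, F_S(r) xor m); decryption recomputes F_S(r)."""
    r = os.urandom(N)
    return r + xor(F(r), m)

def rand_decrypt(F, c: bytes) -> bytes:
    return xor(F(c[:N]), c[N:])

def replay_adversary(oracle):
    """Chosen-plaintext adversary: obtains E(X0) from the oracle first, then decides
    the challenge by comparison. Returns (X0, X1, decide) with decide(c) -> bit."""
    x0, x1 = bytes(N), b"\x01" * N
    c0 = oracle(x0)
    return x0, x1, (lambda c: 0 if c == c0 else 1)

def advantage(encrypt, adversary, trials: int = 32) -> float:
    """Estimates |Pr[A = '1' | b = 1] - Pr[A = '1' | b = 0]| with a fresh F_S per run."""
    ones = [0, 0]
    for b in (0, 1):
        for _ in range(trials):
            F = RandomPermutation()
            x0, x1, decide = adversary(lambda m: encrypt(F, m))
            ones[b] += decide(encrypt(F, (x0, x1)[b]))
    return abs(ones[1] - ones[0]) / trials
```

Calling advantage(det_encrypt, replay_adversary) gives 1.0 (the replayed encryption of X0 identifies b every time), while advantage(rand_encrypt, replay_adversary) gives 0.0, since fresh coins make the replayed ciphertext useless.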
Security of public key cryptosystems: exact timing
- Adversary A gets the public key K_P.
- Then A can mount an adaptive attack; no need for further interaction, since it can do all the encryption on its own.
- Then A chooses: in semantic security, the distribution D_n and the relation R; in indistinguishability of encryptions, the pair X0, X1 ∈ {0,1}^n.
- Then A is given the test: in semantic security, E(K_P, X, r) for X ∈_R D_n and r ∈_R {0,1}^m; in indistinguishability of encryptions, E(K_P, Xb, r) for b ∈_R {0,1} and r ∈_R {0,1}^m.
The Equivalence Theorem
For an adaptive chosen plaintext attack in a public key setting, a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property.
Equivalence Proof
If a scheme has the indistinguishability property, then it is semantically secure.
Suppose not, and A chooses some distribution D_n and some relation R. Choose X0, X1 ∈_R D_n and run A twice, on
- C0 = E(K_P, X0, r0); call the output Y0
- C1 = E(K_P, X1, r1); call the output Y1
For X0, X1 ∈_R D_n let p0 = Prob[R(X0, Y0)] and p1 = Prob[R(X0, Y1)].
- If |p0 − p1| is not negligible: we can distinguish between the encryption of X0 and that of X1, contradicting the indistinguishability property.
- If |p0 − p1| is negligible: we can run A' with no access to the real ciphertext: sample X' ∈_R D_n and C' = E(K_P, X', r), run A on C' and output Y'. Here we use the power to generate encryptions.
Equivalence Proof (continued)
If a scheme is semantically secure, then it has the indistinguishability of encryptions property.
Suppose not, and A chooses a pair X0, X1 ∈ {0,1}^n for which it can distinguish with advantage ε. Choose the distribution D_n = {X0, X1} and the relation R which is "equality with X".
- For any A' that does not get C = E(K_P, X, r) and outputs Y': Prob_A'[R(X, Y')] = ½, even if A' is computationally unbounded.
- By simulating A and outputting Y = Xb for the guess b ∈ {0,1}: Prob_A[R(X, Y)] ≥ ½ + ε.
Similar setting
The same proof works for the shared-key case with an adaptive chosen plaintext attack.
"Standard" definition of semantic security: instead of A trying to find Y such that R(X,Y), A tries to find Y such that Y = f(X), where f is any function (not necessarily polynomial time computable). In spite of the difference, it is equivalent to our definition.
What happens if…
- There is extra information about X: both A and A' get h(X) for some polynomial time computable function h (h might not be invertible).
- The relation R is not polynomial time.
- We try to encrypt information about the secret key.
When is each definition useful
- Semantic security seems to convey that the message is protected; it is not the strongest possible definition.
- Indistinguishability of encryptions is easier to prove.
Sources
- Luby, Rackoff: How to construct pseudorandom permutations from pseudorandom functions, SIAM J. Computing.
- Naor, Reingold: Luby-Rackoff Revisited, Journal of Cryptology, 1999.
- Goldwasser, Micali: Probabilistic Encryption, Journal of Computer and System Sciences, 1984.
- Goldreich: Foundations of Cryptography, volume 2.