Slide 1: Pseudorandom Generators, Functions, and Permutations
Introduction to Modern Cryptography, Sharif University, Spring 2015
Data and Network Security Lab, Department of Computer Engineering, Sharif University of Technology
Author & Instructor: Mohammad Sadeq Dousti
1 / 47
Slide 2: Copyright Notice
This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0. Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
1. They credit the original author(s);
2. Their work is used non-commercially;
3. They license their work under CC BY-NC-SA 4.0.
For further information, please consult:
o https://creativecommons.org/licenses/by-nc-sa/4.0
o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Slide 3: Outline
Randomness
Statistical tests of randomness
Pseudorandom Generators (PRG)
Pseudorandom Functions (PRF)
Pseudorandom Permutations (PRP)
Slide 4: Randomness
Slide 5: Randomness
Definition [MvOV96]: A (true) random bit generator is a device which outputs a sequence of statistically independent and unbiased bits.
Two types of randomness generators:
o Hardware based;
o Software based.
Natural sources of randomness might produce bits which are biased or correlated.
Randomness extraction: a subfield of cryptography which studies how to extract true (unbiased, independent) randomness from such natural sources.
Slide 6: Sources for HW generators [MvOV96]
Elapsed time between emission of particles during radioactive decay;
Thermal noise from a semiconductor diode or resistor;
The frequency instability of a free-running oscillator;
The amount a metal-insulator-semiconductor capacitor is charged during a fixed period of time;
Air turbulence within a sealed disk drive, which causes random fluctuations in disk drive sector read latency times; and
Sound from a microphone or video input from a camera.
Slide 7: Sources for SW generators [MvOV96]
The system clock;
Elapsed time between keystrokes or mouse movements;
Content of input/output buffers;
User input; and
Operating system values such as system load and network statistics.
Slide 8: Is it random?
011101110000010100101111010001000000000110100 101110010101101101010000000110101000101110000 0100110011…
Given a bit string, can we decisively determine whether it is output by a random generator? No way!
o Every bit string of a given length is equally likely to be output by a truly random generator.
However, certain properties are not equiprobable. For instance, very long runs of 0's are rarely seen.
We can run the generator many times, and count the number of times its output does not satisfy our intuition.
Slide 9: Statistical tests of randomness
Slide 10: Probabilistic tests of randomness
D (a distinguisher) is a probabilistic test of randomness if:
o It outputs a single bit;
o If x is "similar to" random, D(x) is 1 with high probability;
o Otherwise, D(x) is 0 with high probability.
NIST SP 800-22 defines 15 probabilistic tests.
o Many more are defined in the "Diehard tests."
In NIST SP 800-22, observed values (o) are compared to expected values (e), using the techniques of hypothesis testing: each test yields a P-value, and the sequence is declared non-random when the P-value falls below the significance level (0.01 by default).
Slide 11: Test 1: Frequency (monobit) test
Slide 12: Plot of erfc(x) for non-negative x
x      erfc(x)
0      1
0.5    0.480
1.0    0.157
1.5    0.034
1.82   0.010
2.0    0.005
…      …
Slide 13: Deficiency in monobit test
Let b = 0^m 1^m. Monobit's P-value = 1 ≥ 0.01, thus the test outputs "random." But b is improbably output by a random generator.
NIST SP 800-22 remedies this by presenting another test (BlockFrequency), which partitions b into blocks of size M. The frequency test should hold within each block.
o Use a chi-squared (χ²) test for goodness of fit.
o The P-value is computed by applying an "incomplete gamma function" to the computed χ² value.
o Deficiency of BlockFrequency: let b = (01)^m. Every block is perfectly balanced, so b passes BlockFrequency as well, although it is clearly non-random.
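The two deficiencies above, worked through in code. This is an added example, not part of the slides: it implements the NIST SP 800-22 monobit, block-frequency and (going one test beyond the slide) runs tests on the two constructed strings 0^m 1^m and (01)^m. The incomplete-gamma routine is written from the closed forms for integer and half-integer first arguments, which are the only ones the block-frequency test needs, so nothing outside the standard library is required.

```python
import math

# Constructed inputs from slide 13: 0^m 1^m and (01)^m with m = 500.
HALF_AND_HALF = "0" * 500 + "1" * 500
ALTERNATING = "01" * 500
ALPHA = 0.01  # NIST SP 800-22 decision threshold: P-value >= 0.01 means "random"


def monobit_pvalue(bits: str) -> float:
    """NIST SP 800-22 test 1: S_n = #1s - #0s, s_obs = |S_n| / sqrt(n), P = erfc(s_obs / sqrt(2))."""
    n = len(bits)
    s_n = sum(1 if b == "1" else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def igamc_half(twice_a: int, x: float) -> float:
    """Regularized upper incomplete gamma Q(a, x) for a = twice_a / 2, built from
    Q(1/2, x) = erfc(sqrt x), Q(1, x) = e^-x and the recurrence
    Q(a + 1, x) = Q(a, x) + x^a e^-x / Gamma(a + 1)."""
    if twice_a % 2 == 0:
        a, q = 1.0, math.exp(-x)
    else:
        a, q = 0.5, math.erfc(math.sqrt(x))
    while 2 * a < twice_a:
        q += x ** a * math.exp(-x) / math.gamma(a + 1)
        a += 1.0
    return q


def block_frequency_pvalue(bits: str, M: int) -> float:
    """NIST SP 800-22 test 2: N = floor(n / M) blocks, chi^2 = 4M * sum_i (pi_i - 1/2)^2,
    P = igamc(N / 2, chi^2 / 2)."""
    N = len(bits) // M
    chi2 = 0.0
    for i in range(N):
        block = bits[i * M:(i + 1) * M]
        pi_i = block.count("1") / M
        chi2 += (pi_i - 0.5) ** 2
    chi2 *= 4 * M
    return igamc_half(N, chi2 / 2)


def runs_pvalue(bits: str) -> float:
    """NIST SP 800-22 test 3 (beyond the slide): V_n = number of runs,
    P = erfc(|V_n - 2n pi (1 - pi)| / (2 sqrt(2n) pi (1 - pi)))."""
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):   # prerequisite: the monobit test must not have failed
        return 0.0
    v_n = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    return math.erfc(abs(v_n - 2 * n * pi * (1 - pi)) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def verdicts(bits: str, M: int = 100) -> dict:
    """Map each test to True ('random') or False ('non-random') at the 0.01 level."""
    return {
        "monobit": monobit_pvalue(bits) >= ALPHA,
        "block_frequency": block_frequency_pvalue(bits, M) >= ALPHA,
        "runs": runs_pvalue(bits) >= ALPHA,
    }


if __name__ == "__main__":
    for name, b in (("0^m 1^m", HALF_AND_HALF), ("(01)^m", ALTERNATING)):
        print(name, verdicts(b))
```

Both strings get P-value 1 from monobit. BlockFrequency rejects 0^m 1^m (every block is all-0 or all-1, so χ² = n) but still passes (01)^m; the runs test rejects (01)^m because it has the maximum possible number of runs. This is the pattern slide 15 generalizes: for any fixed test, or finite collection of tests, a non-random string that passes can be constructed.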
Slide 14: PRG's (Pseudorandom Generators)
Slide 15: Pseudo-randomness
We informally argued that for any single test, one could construct a non-random-looking string which passes the test. (Note the order of quantifiers: the test is fixed first, then the string is chosen.)
The same holds for any finite collection of tests.
In theory, we can conceive of an ideal source of randomness, and an infinite number of tests.
Informally: A generator is pseudorandom if it passes all PPT tests…
o …with approximately the same probability that a truly random source would pass the test.
Slide 16: Pseudorandom Generator (PRG) [KL08, p. 70]
Slide 17: Important note
The output of a PRG is actually very far from random:
Let ℓ(n) = 2n. The uniform distribution over S = {0,1}^{2n} outputs each member of S with probability exactly 2^{-2n}.
A PRG can output at most 2^n members of S, one per seed. (Why?)
o A negligible fraction of S: 2^n / 2^{2n} = 2^{-n}.
o An exponential-time D can easily distinguish the output of a PRG from random. (How? It can enumerate all 2^n seeds and check whether its input is among the outputs.)
Example for n = 2.
Slide 18: Distinguishing arbitrary distributions
Slide 19: Distinguishing arbitrary distributions (Cont'd)
Slide 20: Distinguishing arbitrary distributions (Cont'd) [KL08, p. 233]
We call this the "advantage of D in distinguishing X_n and Y_n."
Slide 21: Two useful theorems
Slide 22: Another theorem! [KL08, p. 234]
Very important theorem! For instance, it is used in proving that encryption of multiple messages under the same key does NOT reduce security.
Slide 23: Pseudorandomness: Equivalent definition [KL08, p. 233]
Slide 24: Constructing PRG's with arbitrary expansion
The output of a PRG is as good as random, so long as only PPT computations are considered.
Therefore, the output of a PRG can be kept secret, and fed back into it as a new seed.
Let ℓ(n) = n + 1. (Minimal expansion.)
Consider m applications of G to the seed: G^m(U_n) = G(G(G(⋯G(U_n)⋯)))
Theorem: G^m is a PRG with ℓ(n) = n + m.
o Assignment: Prove this formally using reductions.
Corollary: From 1-bit expansion, we can construct PRG's with an arbitrary polynomial expansion.
This theorem is simple to prove, but it is awkward to apply in practice: the i-th application of G receives an (n + i − 1)-bit input, so we need G defined over many domains.
Slide 25: Constructing PRG's with arbitrary expansion (Cont'd)
Another idea: Let ℓ(n) = n + 1, and keep G defined on n-bit inputs only.
o In each round, compute G over the n-bit seed.
o Obtain the (n + 1)-bit output from G.
o Output the least significant bit (LSB).
o Feed the remaining n bits back into G as the next seed.
Programmatically, G^m(U_n) (now with n + m output bits) is as follows:
  s = U_n                 // initial n-bit seed
  for i = 1 to n + m
      o = G(s)            // (n + 1)-bit output
      output (o % 2)      // LSB
      s = (o >> 1)        // remaining n bits, fed back as the next seed
Slide 26: Constructing PRG's from simpler assumptions
Håstad, Impagliazzo, Levin, and Luby (HILL) showed that PRG's can be constructed from any OWF.
Therefore, PRG's exist in Impagliazzo's Minicrypt.
However, HILL's construction is very complicated.
A very easy construction follows from OWP's (one-way permutations) instead of OWF's.
Slide 27: PRG's from OWP's [KL08, p. 214]
Assignment: Prove the above theorem.
Slide 28: Example: Blum–Blum–Shub PRG
Let N = pq with p, q ≡ 3 (mod 4) (a Blum integer). Squaring mod N is then a permutation on the quadratic residues mod N, and its least significant bit is a hard-core bit [ACGS88]. (The modulus is written N here to keep it distinct from the security parameter n.)
  s = (U_n)^2 % N         // square the seed so the state is a quadratic residue
  for i = 1 to n + m
      output (s % 2)      // LSB: the hard-core bit
      s = s^2 % N         // apply the permutation to get the next state
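The slide 25 loop and the slide 28 instantiation, as one added example that is not part of the slides: `prg_from_owp` is the "output the hard-core bit, feed the permuted state back" loop written against an abstract pair (f, hc), and `bbs_bits` plugs in modular squaring with the LSB. The parameters p = 11, q = 23 and seed 3 are toy values chosen so the arithmetic can be checked by hand; a real BBS modulus has to be a product of two large Blum primes, and nothing here is a secure generator.

```python
from math import gcd

# Constructed toy parameters (NOT secure): Blum primes p, q = 3 (mod 4).
P, Q = 11, 23
N = P * Q  # 253, a Blum integer


def bbs_f(s: int) -> int:
    """Modular squaring: a permutation of the quadratic residues mod N when N is a Blum integer."""
    return s * s % N


def bbs_hc(s: int) -> int:
    """Least significant bit, the hard-core bit of the squaring function [ACGS88]."""
    return s & 1


def prg_from_owp(f, hc, seed: int, out_bits: int) -> list:
    """The slide 25 loop with G(s) = f(s) || hc(s): each round outputs hc(s) (the LSB of
    the (n + 1)-bit value G(s)) and feeds f(s) (the remaining bits) back as the next seed."""
    s = seed
    out = []
    for _ in range(out_bits):
        o = (f(s) << 1) | hc(s)   # G(s) as one integer: f(s) in the high bits, hc(s) in the LSB
        out.append(o & 1)         # output (o % 2)
        s = o >> 1                # s = (o >> 1)
    return out


def bbs_bits(seed: int, out_bits: int) -> list:
    """Slide 28: x_0 = seed^2 mod N puts the state in QR_N; then iterate."""
    if gcd(seed, N) != 1:
        raise ValueError("seed must be coprime to N")
    return prg_from_owp(bbs_f, bbs_hc, bbs_f(seed), out_bits)


def quadratic_residues() -> set:
    return {x * x % N for x in range(1, N) if gcd(x, N) == 1}


def squaring_permutes_qr() -> bool:
    """Sanity check of the OWP claim for this toy N: squaring maps QR_N onto itself bijectively."""
    qr = quadratic_residues()
    images = [bbs_f(x) for x in qr]
    return set(images) == qr and len(set(images)) == len(qr)


if __name__ == "__main__":
    print("squaring is a permutation on QR_N:", squaring_permutes_qr())
    print("first 8 BBS bits from seed 3:", bbs_bits(3, 8))
```

With seed 3 the states are 9, 81, 236, 36, 31, 202, 71, 234, … so the first eight output bits are 1 1 0 0 1 0 1 0. With a 253-element modulus the state cycles almost immediately, which is exactly why the theorem only applies asymptotically in the size of N.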
Slide 29: Random Functions/Permutations
Slide 30: A collection of functions…
Number of functions from {0,1}^n to {0,1}^n, |F_n| = (2^n)^(2^n):
n    |F_n|
1    4
2    256
3    ≈ 17 million
4    ≈ 18 billion billion
…    …
Slide 31: A collection of permutations…
Number of permutations of {0,1}^n, |Π_n| = (2^n)!:
n    |Π_n|
1    2
2    24
3    ≈ 40 thousand
4    ≈ 21 thousand billion
…    …
Slide 32: Distinguishing a random function from a random permutation
(Figure: the distinguisher sends a query x to a black box holding h_n and receives h_n(x).)
Slide 33: Formalization of the "black box"
Slide 34: Formalization of the "black box" (Cont'd)
Slide 35: Proof (Overview)
This proof presents an important technique called "game hopping" [Sho06].
We first define an initial game, called Game 0.
We then define a series of games. Game i+1 is obtained from Game i by applying a small transformation.
Let G_i be the output of Game i. G_{i+1} is derived from G_i and the aforementioned transformation, and we bound |Pr[G_{i+1} = 1] − Pr[G_i = 1]| at each hop.
Slide 36: Proof (1)
Game 0. Here, we assume that the black box contains a permutation.
  π ←R Π_n                       // a uniformly random permutation on {0,1}^n
  r ←R {0,1}*                    // D's random tape
  for i = 1 to q
      x[i] = D(r; y[1], …, y[i−1])
      y[i] = π(x[i])
  b = D(r; y[1], …, y[q])
  output b
Slide 37: Proof (2)
Game 1. Here, we do NOT use the permutation at all. (We assume, without loss of generality, that D never repeats a query, so the queries x[i] are distinct.)
  Y[1], …, Y[q] ←R {0,1}^n
  r ←R {0,1}*
  for i = 1 to q
      x[i] = D(r; y[1], …, y[i−1])
      if Y[i] ∈ {y[1], …, y[i−1]}
          y[i] ←R {0,1}^n ∖ {y[1], …, y[i−1]}
      else
          y[i] = Y[i]
  b = D(r; y[1], …, y[q])
  output b
Pr[G_1 = 1] = Pr[G_0 = 1], since in both games the answers to q distinct queries are a uniformly random sequence of q distinct n-bit strings.
Slide 38: Proof (3)
Game 2. Here, we drop the IF condition. This way, the box acts exactly as a random function (rather than a permutation).
  Y[1], …, Y[q] ←R {0,1}^n
  r ←R {0,1}*
  for i = 1 to q
      x[i] = D(r; y[1], …, y[i−1])
      y[i] = Y[i]
  b = D(r; y[1], …, y[q])
  output b
Slide 39: Proof (4)
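The three games above, run in code. This is an added example and not part of the slides: it fixes one concrete distinguisher D (ask q distinct queries, output 1 iff two answers collide, which is the best a distinguisher can do here), implements Game 0, Game 1 and Game 2 exactly as written on slides 36 to 38, and compares the measured gap with the event on which Game 1 and Game 2 differ: a collision among the independently sampled Y[i]. The bound q(q − 1)/2^{n+1} is the standard union bound over pairs that this sequence of games yields; the slide that states it was not extracted, so it is given here from the standard proof.

```python
import random
from fractions import Fraction


def collision_distinguisher_game(kind: str, n: int, q: int, rng: random.Random) -> int:
    """One execution of Game 0 / 1 / 2 with a fixed distinguisher D that asks the q distinct
    queries x[i] = i and outputs 1 iff two answers y[i] collide. D is deterministic, so its
    random tape r plays no role here."""
    domain = 1 << n
    if kind == "game0":                        # the box holds a uniformly random permutation pi
        pi = list(range(domain))
        rng.shuffle(pi)
    ys = set()
    for i in range(q):
        x = i
        if kind == "game0":
            y = pi[x]
        else:
            y = rng.randrange(domain)          # Y[i] <-R {0,1}^n
            if kind == "game1" and y in ys:    # Game 1 resamples from the complement
                y = rng.choice([v for v in range(domain) if v not in ys])
        if y in ys:                            # D's decision rule: a repeated answer
            return 1
        ys.add(y)
    return 0


def estimate_pr_output_1(kind: str, n: int, q: int, trials: int, seed: int = 2015) -> float:
    """Monte Carlo estimate of Pr[G_kind = 1] (seeded, so runs are reproducible)."""
    rng = random.Random(seed)
    return sum(collision_distinguisher_game(kind, n, q, rng) for _ in range(trials)) / trials


def exact_collision_probability(q: int, n: int) -> Fraction:
    """Pr[Y[i] = Y[j] for some i != j] for q independent uniform n-bit values:
    the event on which Game 1 and Game 2 behave differently."""
    domain = 2 ** n
    no_collision = Fraction(1)
    for i in range(q):
        no_collision *= Fraction(domain - i, domain)
    return 1 - no_collision


def switching_bound(q: int, n: int) -> Fraction:
    """Union bound over the q(q-1)/2 pairs, each colliding with probability 2^-n."""
    return Fraction(q * (q - 1), 2 ** (n + 1))


if __name__ == "__main__":
    n, q = 8, 16
    for kind in ("game0", "game1", "game2"):
        print(kind, "Pr[output 1] ~", estimate_pr_output_1(kind, n, q, 2000))
    print("exact Pr[collision] =", float(exact_collision_probability(q, n)),
          " bound q(q-1)/2^(n+1) =", float(switching_bound(q, n)))
```

Games 0 and 1 never output 1 for this D (a permutation cannot repeat an answer on distinct queries); Game 2 outputs 1 with exactly the collision probability, which is below q(q − 1)/2^{n+1}. The practical reading is the birthday bound: a PRP such as a block cipher only behaves like a random function while q is well below 2^{n/2} queries.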
Slide 40: PRF's and PRP's (Pseudorandom Functions/Permutations)
Slide 41: Overview
Informally:
o A PRF is a keyed function with a short description (the key) which is computationally indistinguishable from a random function.
o A PRP is a keyed permutation with a short description which is computationally indistinguishable from a random permutation.
PRF's can be constructed from PRG's.
PRP's can be constructed from PRF's.
Applications: constructing secure (symmetric) encryption schemes, message authentication codes (MAC), identification schemes, etc.
o All in Minicrypt!
Slide 42: Keyed functions/permutations
Slide 43: PRF/PRP [KL08, p. 87]
Slide 44: Strong PRPs [KL08, p. 95]
Slide 45: PRF from PRG [KL08, p. 223]
Let G be a PRG with expansion factor ℓ(n) = 2n. Denote G(s) = (G_0(s), G_1(s)), the left and right halves of the output.
A PRF can be constructed as depicted below: F_k(x) = G_{x_n}(⋯G_{x_2}(G_{x_1}(k))⋯), i.e., walk a binary tree rooted at the key, taking the half of G's output selected by each bit of x in turn.
Slide 46: (Strong) PRP from PRF [KL08, p. 226]
It can be proven that a Feistel network, with the PRF as its round function and independent round keys, will do the job:
o 3 rounds are sufficient for PRP's.
o 4 rounds are sufficient for strong PRP's.
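Slides 45 and 46 together, as one added example that is not part of the slides or of [KL08]: `ggm_prf` is the tree construction of slide 45, and `feistel` is the slide 46 network using that PRF as its round function. The abstract length-doubling PRG G is an assumption here, stood in for by SHA-256 with a domain-separation byte (so G_0 and G_1 are the two hashes); the way the round keys are derived from a master key is likewise this example's choice, not the slides'.

```python
import hashlib


def G(s: bytes) -> tuple:
    """ASSUMPTION: SHA-256 with a separating byte plays the role of the length-doubling PRG;
    G(s) = (G_0(s), G_1(s)), each half 32 bytes."""
    return (hashlib.sha256(s + b"\x00").digest(), hashlib.sha256(s + b"\x01").digest())


def ggm_prf(key: bytes, x_bits: str) -> bytes:
    """Slide 45: F_k(x) = G_{x_n}( ... G_{x_2}( G_{x_1}(k) ) ... ).
    Descend the binary tree rooted at k, taking G_0 on a 0 bit and G_1 on a 1 bit."""
    s = key
    for bit in x_bits:
        s = G(s)[int(bit)]
    return s


def bits_of(b: bytes) -> str:
    return "".join(format(byte, "08b") for byte in b)


def round_keys(master: bytes, rounds: int) -> list:
    """ASSUMPTION of this example: independent round keys, derived from the master key with the
    PRF itself on the round index (so k_1, ..., k_r are PRF outputs on distinct inputs)."""
    return [ggm_prf(master, format(i, "08b")) for i in range(rounds)]


def feistel(block: bytes, keys: list, decrypt: bool = False) -> bytes:
    """Slide 46: Feistel network with round function F_{k_i}.  Each round maps
    (L, R) -> (R, L xor F_{k_i}(R)); decryption is the same loop with the keys reversed.
    len(keys) == 3 gives a PRP, len(keys) == 4 a strong PRP (for a secure F)."""
    if len(block) % 2:
        raise ValueError("block length must be even so both halves have the same width")
    w = len(block) // 2
    L, R = block[:w], block[w:]
    for k in (reversed(keys) if decrypt else keys):
        f = ggm_prf(k, bits_of(R))[:w]            # PRF output truncated to the half-block width
        L, R = R, bytes(a ^ b for a, b in zip(L, f))
    return R + L   # undo the final swap, which is what makes decryption the same loop


if __name__ == "__main__":
    ks = round_keys(b"\x2a" * 32, 4)            # constructed master key, 4 rounds
    m = b"attack!!"
    c = feistel(m, ks)
    print(c.hex(), feistel(c, ks, decrypt=True) == m)
```

Evaluating F_k on an ℓ-bit input costs ℓ PRG calls, which is why GGM is a proof of existence rather than the way practical PRFs are built; the Feistel part, by contrast, is exactly the structure of DES-style block ciphers, with the PRF replaced by a fast keyed round function.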
Slide 47: References
Further reading: Chapter 3 of [Knu97]; Chapter 5 of [MvOV96]; Sections 3.3 and 6.4 to 6.6 of [KL08].
[ACGS88] W. Alexi, B. Chor, O. Goldreich, and C. P. Schnorr. RSA and Rabin Functions: Certain Parts are as Hard as the Whole. SIAM Journal on Computing, 1988.
[KL08] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols. CRC Press, 2007.
[Knu97] D. E. Knuth. The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, 3rd ed. Addison-Wesley, 1997.
[MvOV96] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[NIST10] A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST Special Publication 800-22 Revision 1a, 2010.
[Sho06] V. Shoup. Sequences of Games: A Tool for Taming Complexity in Security Proofs. Cryptology ePrint Archive, Report 2004/332, 2006.