1. Ryan Henry I 538 /B 609 : Introduction to Cryptography

2. Ryan Henry 1 Tuesday’s lecture: Pseudorandom generators (PRGs) Today’s lecture: Pseudorandom functions (PRFs)

3. Ryan Henry Assignment 2 is due on Tuesday, September 22 (that’s next Tuesday!) 2 Tuesday, September 29

4. Ryan Henry Recall: pseudorandom generators (PRGs) 3

5. Ryan Henry Pseudorandom function families ▪I▪Intuitively, a pseudorandom function family (PRF family) is a collection of efficiently computable functions that “mimics” a random function –N–No efficient algorithm should be able to distinguish between a function chosen uniformly at random from the PRF family and an “oracle” whose output are fixed uniformly at random, except with negligible probability 4

6. Ryan Henry Function families 5

7. Ryan Henry Oracles and oracle machines Def n : An oracle is a (hypothetical) entity capable of solving some problem or computing some function in a single algorithmic time step Def n : An oracle machine is an efficient Turing Machine that is connected to some oracle; that is, the oracle machine can ask the oracle to solve some problem or compute some function at a “cost” of one operation Eg 1: The algorithms from a1q2 and a2q1 are modeled by oracle machines Eg 2: The distinguisher in the “stream cipher to PRG” reduction 6

8. Ryan Henry Oracle machines ▪W▪We write D f( ) to denote that D is an oracle machine with access to an oracle for f ▪T▪The oracle is treated as a black box: –D–D f( ) can provide arbitrary inputs x to f and thereby learn f(x) in a single time step –D–D f( ) learns nothing about the “internal structure” of f; however, it may be able to infer the structure by observing input-output pairs 7

9. Ryan Henry Pseudorandom function families ▪ Intuitively, a pseudorandom function family (PRF family) is a collection of efficiently computable functions that “mimics” a random function 8 What does it mean for a function to be “random”? Let Func[s]be the set of all functions from {0, 1} s to {0, 1} s Q: How many functions are in Func[s]? Short A: A whole heck of a lot! Long A: Func[s]contains 2 s · 2 s functions! (Why?) A “random function” is just a function on f: {0, 1} s → {0, 1} s chosen uniformly at random from Func[s] ( Each of the 2 s values in {0, 1} s can map to 2 s values; hence, the total number of mappings is (2 s ) 2 s )

10. Ryan Henry Formally defining PRF families 9 2 s p o s s i b i l i t i e s 2 s · 2 s p o s s i b i l i t i e s

11. Ryan Henry Keyed functions and PRFs 10

12. Ryan Henry PRF indistinguishability game 11 Game 0: (oracle has access to a PRF) Game 1: (oracle has access to a random function) Distinguisher (D) Distinguisher (D) Challenger Challenger Def n : Adv PRF (D) := 1 Pr[E]- 1/2 1 F(k, x 1 ) F(k, x n ) f(x 1 ) f(x n )

13. Ryan Henry PRGs vs PRFs 12 PRG: G() PRF: F(, )

14. Ryan Henry Fixed-length encryption from PRFs 13 Yes! (But how do we prove it?) Each plaintext maps to 2 s ciphertexts!

15. Ryan Henry Recall: IND-CPA security game 14 Challenger (C) Attacker (A) k ← Gen(1 s ) (c 1, r 1 ) ← Enc k (m 1b ) 1 s1 s 1 s1 s m 10, m 11 (c 1, r 1 ) (c 2, r 2 ) ← Enc k (m 2b ) m 10, m 11 (c 2, r 2 ) (c n, r n ) ← Enc k (m nb ) m n0, m n1 (c n, r n ) Attacker can win if some r i = r j when i ≠ j. Is this likely to occur?

16. Ryan Henry That’s all for today, folks! 15