B504/I538: Introduction to Cryptography


B504/I538: Introduction to Cryptography
Spring 2017 • Lecture 9 (2017-02-07)

About security! Free pizza+brownies! This Thursday!

Assignment 3 is due next Tuesday! (2017-02-14) (That’s just one week from today!!)

Recall: pseudorandom generators (PRGs)

A PRG is a function with two properties:
- Expansion: Its output is always longer than its input (length-$n$ inputs yield length-$\ell(n)$ outputs).
- Pseudorandom: If the inputs are uniformly distributed in $\{0,1\}^n$, then the distribution of outputs is computationally indistinguishable from a uniform random variable on $\{0,1\}^{\ell(n)}$.

In other words: a PRG is a random variable that “mimics” the uniform random variable on some larger sample space.

Pseudorandom function families

Intuitively, a pseudorandom function family (PRF family) is a collection of efficiently computable functions that “mimics” a random function.

Q: Wait! Functions are deterministic… So what in the @#%★‽! is a “random function”?!
A: Let Func(n) be the set of all functions with domain and range both equal to $\{0,1\}^n$. A random function on $\{0,1\}^n$ is the uniform random variable on Func(n).

Function families

Defn: A function family is an infinite sequence of functions $f_k : X_k \to Y_k$, indexed by an infinite set $K$, where each $X_k$ and each $Y_k$ is a finite set.

The function family is length-preserving if $\forall k \in K$ and $\forall x \in X_k$, $|x| = |f_k(x)|$.

The function family is uniform PPT if there is a PPT algorithm that, given any $k \in K$ and any $x \in X_k$, outputs $f_k(x)$.

Oracles and oracle machines

Defn: An oracle is a (hypothetical) entity capable of solving some problem or computing some function in a single algorithmic time step.

Defn: An oracle machine is an efficient Turing Machine that is connected to some oracle; that is, the oracle machine can ask the oracle to solve some problem or compute some function at a “cost” of one operation.

Eg 1: The algorithms from a1q2 and a2q1 are modeled by oracle machines.
Eg 2: The distinguisher in the “stream cipher to PRG” reduction.

Oracle machines

We write $D^{f(\cdot)}$ to denote that $D$ is an oracle machine with access to an oracle for $f$.

The oracle is treated as a black box:
- $D^{f(\cdot)}$ can provide arbitrary inputs $x$ to $f$ and thereby learn $f(x)$ in a single time step.
- $D^{f(\cdot)}$ learns nothing about the “internal structure” of $f$; however, it may be able to infer the structure by observing input-output pairs.

Pseudorandom function families

Intuitively, a pseudorandom function family (PRF family) is a collection of efficiently computable functions that “mimics” a random function.

What does it mean for a function to be “random”? Let Func[s] be the set of all functions from $\{0,1\}^s$ to $\{0,1\}^s$.

Q: How many functions are in Func[s]?
Short A: A whole heck of a lot!
Long A: Func[s] contains $2^{s \cdot 2^s}$ functions! (Why?) Each of the $2^s$ values in $\{0,1\}^s$ can map to $2^s$ values; hence, the total number of mappings is $(2^s)^{2^s}$.

A “random function” is just a function $f : \{0,1\}^s \to \{0,1\}^s$ chosen uniformly at random from Func[s].

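Formally defining PRF families

Defn: A (length-preserving, uniform PPT) family of functions $\{f_k\}_{k \in K}$ is a pseudorandom function family (PRF family) if, for every PPT oracle machine $D$, there exists a negligible function $\varepsilon : \mathbb{N} \to \mathbb{R}^+$ such that

$$\left| \Pr\left[ D^{f_k(\cdot)}(1^s) = 1 \mid k \in_R \{0,1\}^s \right] - \Pr\left[ D^{f(\cdot)}(1^s) = 1 \mid f \in_R \mathrm{Func}[s] \right] \right| < \varepsilon(s)$$

(There are $2^s$ possibilities for $k$ and $2^{s \cdot 2^s}$ possibilities for $f$.)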

Keyed functions and PRFs

We can represent any uniform PPT function family $\{f_k\}_{k \in K}$ as a single “keyed” function $F : K \times X \to Y$, where $X = \bigcup_{k \in K} X_k$ (the union of $X_k$ over all $k \in K$) and $Y = \bigcup_{k \in K} Y_k$.

We refer to such a keyed function, constructed from a PRF family, as a pseudorandom function (PRF).

Q: Where have we seen this idea before?
A: If (Gen, Enc, Dec) is an encryption scheme, then we can view Enc and Dec either as function families or as keyed functions.

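PRF indistinguishability game

Game 0: (oracle has access to a PRF)
- Challenger and Distinguisher (D) both receive $1^s \in 1^{\mathbb{N}}$.
- Challenger chooses $k \in_R \{0,1\}^s$.
- D sends $x_1 \in \{0,1\}^s$ and receives $F(k, x_1)$; ⋮ ; D sends $x_n \in \{0,1\}^s$ and receives $F(k, x_n)$.
- D outputs $b' \in \{0,1\}$.

Game 1: (oracle has access to a random function)
- Challenger and Distinguisher (D) both receive $1^s \in 1^{\mathbb{N}}$.
- Challenger chooses $f \in_R \mathrm{Func}[s]$.
- D sends $x_1 \in \{0,1\}^s$ and receives $f(x_1)$; ⋮ ; D sends $x_n \in \{0,1\}^s$ and receives $f(x_n)$.
- D outputs $b' \in \{0,1\}$.

Let $E$ be the event that $b' = 0$ in Game 0 or $b' = 1$ in Game 1.

Defn: $\mathrm{Adv}_{\mathrm{PRF}}(D) := \left| \Pr[E] - 1/2 \right|$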
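Added example (not part of the original slides): the two games above, run against a deliberately weak keyed function. The function weak_F(k, x) = k XOR x, the use of truncated HMAC-SHA256 as a stand-in PRF, and all names below are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

S = 16  # s = 128 bits, expressed in bytes (constructed parameter)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def weak_F(k, x):
    """Hypothetical keyed function k XOR x: length-preserving, but not a PRF."""
    return xor(k, x)

def hmac_F(k, x):
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to S bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:S]

def random_function():
    """f chosen uniformly from Func[s], sampled lazily: each new input
    gets a fresh uniform output, repeated inputs get the same output."""
    table = {}
    def f(x):
        if x not in table:
            table[x] = secrets.token_bytes(S)
        return table[x]
    return f

def distinguisher(oracle):
    """Oracle machine D: black-box queries only.
    Returns b' = 0 (guess Game 0, PRF) or b' = 1 (guess Game 1, random)."""
    x1, x2 = bytes(S), b"\x01" * S
    # For k XOR x the key cancels: F(k, x1) XOR F(k, x2) == x1 XOR x2.
    return 0 if xor(oracle(x1), oracle(x2)) == xor(x1, x2) else 1

def advantage(F, trials=200):
    """Estimate |Pr[E] - 1/2| using equally many Game 0 and Game 1 runs."""
    wins = 0
    for _ in range(trials):
        k = secrets.token_bytes(S)
        wins += distinguisher(lambda x: F(k, x)) == 0  # Game 0: E iff b' = 0
        wins += distinguisher(random_function()) == 1  # Game 1: E iff b' = 1
    return abs(wins / (2 * trials) - 0.5)

if __name__ == "__main__":
    print("advantage against weak_F:", advantage(weak_F))
    # Zero advantage for this one D is not a proof that hmac_F is a PRF.
    print("advantage against hmac_F:", advantage(hmac_F))
```

The definition quantifies over every PPT distinguisher, so a single D with non-negligible advantage is enough to rule a family out, while a single D with no advantage rules nothing in.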

PRGs vs PRFs

PRG: G(•)
- Input: $k \in \{0,1\}^s$
- Output: $G(s) \in \{0,1\}^{\ell(s)}$

PRF: F(•, •)
- Key: $k \in \{0,1\}^s$
- Inputs: $x_1, \ldots, x_n \in \{0,1\}^s$
- Outputs: $F(k, x_1), \ldots, F(k, x_n) \in \{0,1\}^s$

Fixed-length encryption from PRFs

Plaintexts, ciphertexts, and keys are all $s$ bits long.

- $\mathrm{Gen}(1^s)$ outputs a uniform random key $k \in_R \{0,1\}^s$.
- $\mathrm{Enc}_k(m)$ chooses $r \in_R \{0,1\}^s$ and exclusive-ORs the message with $F(k, r)$; that is, $c := m \oplus F(k, r)$. The ciphertext is the ordered pair $(c, r)$.
- $\mathrm{Dec}_k(c, r)$ exclusive-ORs the ciphertext with $F(k, r)$; that is, $m := c \oplus F(k, r)$.

Is this IND-CPA secure? Each plaintext maps to $2^s$ ciphertexts! Yes! (But how do we prove it?)

Recall: IND-CPA security game

- Challenger (C) and Attacker (A) both receive $1^s$.
- C computes $k \leftarrow \mathrm{Gen}(1^s)$ and chooses $b \in_R \{0,1\}$.
- For $i = 1, 2, \ldots, n$: A sends $(m_{i,0}, m_{i,1})$ with $m_{i,0}, m_{i,1} \in M$ and $|m_{i,0}| = |m_{i,1}|$; C replies with $(c_i, r_i) \leftarrow \mathrm{Enc}_k(m_{i,b})$.
- A outputs $b' \in \{0,1\}$.

Attacker can win if some $r_i = r_j$ when $i \neq j$. Is this likely to occur?
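Added example (not part of the original slides): the fixed-length scheme (Gen, Enc, Dec) from the earlier slide, together with the repeated-r condition named above and the standard birthday bound on how often it occurs. Truncated HMAC-SHA256 stands in for F, and the function names, the optional r argument and the sample messages are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

S = 16  # s = 128 bits, expressed in bytes (constructed parameter)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(k, x):
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to S bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:S]

def gen():
    """Gen(1^s): uniform random key."""
    return secrets.token_bytes(S)

def enc(k, m, r=None):
    """Enc_k(m) = (m XOR F(k, r), r). The r argument exists only so the
    demo can force a repeat; normal use leaves it None (fresh uniform r)."""
    if len(m) != S:
        raise ValueError("fixed-length scheme: message must be exactly S bytes")
    r = secrets.token_bytes(S) if r is None else r
    return xor(m, F(k, r)), r

def dec(k, c, r):
    """Dec_k(c, r) = c XOR F(k, r)."""
    return xor(c, F(k, r))

def repeated_r_leak(ct_a, ct_b):
    """Audit check: when two ciphertexts share r the pads F(k, r) cancel,
    so c_a XOR c_b equals m_a XOR m_b. Returns that XOR, or None if r differs."""
    (c_a, r_a), (c_b, r_b) = ct_a, ct_b
    return xor(c_a, c_b) if r_a == r_b else None

def collision_bound(q, s_bits):
    """Birthday (union) bound on Pr[r_i = r_j for some i != j] after q encryptions."""
    return q * (q - 1) / 2 / 2 ** s_bits

if __name__ == "__main__":
    k = gen()
    m0, m1 = b"message zero 000", b"message one 1111"  # constructed samples
    a = enc(k, m0)
    print("round trip ok:", dec(k, *a) == m0)
    print("same message, fresh r, same ciphertext?", enc(k, m0) == a)
    b = enc(k, m1, r=a[1])  # forced repeat of r, for illustration only
    print("leak equals m0 XOR m1:", repeated_r_leak(a, b) == xor(m0, m1))
    print("bound for q = 2^20, s = 128:", collision_bound(2 ** 20, 128))
    print("bound for q = 2^8,  s = 16: ", collision_bound(2 ** 8, 16))
```

With s = 128 the bound stays negligible for any feasible number of encryptions; with a short r it does not, which is why the length of r matters as much as the quality of F.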

That’s all for today, folks!