Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.


Recap of Lecture 10
- Pseudo-randomness of subset sum
- Composing pseudo-random generators
- Hybrid arguments
- The next-bit test
- Pseudo-random functions

Next-bit Test

Definition: a function g: {0,1}* → {0,1}* is said to pass the next-bit test if
- it is polynomial-time computable;
- it stretches the input, |g(x)| > |x|; denote by ℓ(n) the length of the output on inputs of length n;
- if the input (seed) is random, then the output passes the next-bit test: for every prefix length 0 ≤ i < ℓ(n), every probabilistic polynomial-time adversary A that receives the first i bits of y = g(x) and tries to guess the next bit, every polynomial p(n) and all sufficiently large n,
  |Prob[A(y_1, y_2, …, y_i) = y_{i+1}] − 1/2| < 1/p(n).

Theorem: a function g: {0,1}* → {0,1}* passes the next-bit test if and only if it is a pseudo-random generator.

Next-block Unpredictable

Suppose that the function G maps a given seed into a sequence of blocks, and let ℓ(n) be the number of blocks produced from a seed of length n. If the input (seed) is random, then the output passes the next-block unpredictability test: for every prefix length 0 ≤ i < ℓ(n), every probabilistic polynomial-time adversary A that receives the first i blocks of y = G(x) and tries to guess the next block y_{i+1}, every polynomial p(n) and all sufficiently large n,
  Prob[A(y_1, y_2, …, y_i) = y_{i+1}] < 1/p(n).
(For blocks the bound is on the guessing probability itself; there is no 1/2 term as in the next-bit test.)

Homework: show how to convert a next-block unpredictable generator into a pseudo-random generator.

[Figure: G maps the seed S to the block sequence y_1, y_2, …]

Pseudo-Random Generators, concrete version

G_n: {0,1}^m → {0,1}^n.
A cryptographically strong pseudo-random sequence generator passes all polynomial-time statistical tests.
(t, ε)-pseudo-random: no test A running in time t can distinguish G_n(S), for a random seed S, from a truly random n-bit string with advantage ε.

Three Basic Issues in Cryptography
- Identification
- Authentication
- Encryption
Solve them in a shared-key environment: A and B hold the same secret key S.

[Figure: A and B, each holding S]

Identification: Remote login using a pseudo-random sequence
A and B share a key S ∈ {0,1}^k. In order for A to identify itself to B:
- generate the sequence G_n(S);
- for each identification session, send the next block of G_n(S).

[Figure: G expands the seed S into the sequence G_n(S)]

Problems...
- More than two parties
- Malicious adversaries: may add noise
- Coordinating the location (block number)
Better approach: challenge-response.

Challenge-Response Protocol
- B selects a random location in the sequence and sends it to A
- A sends back the value at that location

[Figure: B asks "what's this?" for a random position of the sequence]

Desired Properties
- Very long string, to prevent repetitions
- Random access to the sequence
- Unpredictability: cannot guess the value at a random location, even after seeing the values at many other positions of the adversary's choice
  - Pseudo-randomness implies unpredictability
  - Not the other way around for blocks

Authenticating Messages
A wants to send a message M ∈ {0,1}^n to B; B should be confident that A is indeed the sender of M.
One-time application: S = (a, b), where a, b ∈_R {0,1}^n. To authenticate M, supply the tag a·M + b; the computation is done in GF[2^n].
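The one-time tag a·M + b over GF[2^n], as an added example that is not part of the slides. The field is GF[2^8] with the AES polynomial x^8 + x^4 + x^3 + x + 1 (an assumption made here so that the whole key space of 2^16 pairs (a, b) can be enumerated); the lecture's setting is n-bit messages for a general n. The enumeration shows why the tag is a one-time MAC: given one valid pair (M, t), for any M' ≠ M exactly one of the 2^n keys consistent with (M, t) also validates a forged (M', t'), so a forger succeeds with probability 2^{-n}.

```python
"""One-time message authentication in GF(2^n): tag = a*M + b.
Added example, not from the lecture slides. N = 8 with the AES polynomial
(an assumption) keeps the key space small enough to enumerate."""
import secrets

N = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(x, y):
    """Carry-less multiply in GF(2^N), reduced modulo POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> N:          # degree reached N: reduce
            x ^= POLY
    return r


def keygen():
    """S = (a, b), both uniform in {0,1}^N; usable for ONE message only."""
    return secrets.randbelow(1 << N), secrets.randbelow(1 << N)


def tag(key, m):
    a, b = key
    return gf_mul(a, m) ^ b       # a*M + b, addition in GF(2^N) is XOR


def verify(key, m, t):
    return tag(key, m) == t


def forgery_success_count(m, t, m2, t2):
    """Enumerate every key consistent with the observed pair (m, t) and count
    how many of them also accept the forgery (m2, t2).
    For each a there is exactly one b = a*m + t making (m, t) valid, so there
    are 2^N consistent keys; (m2, t2) verifies iff a*(m + m2) = t + t2, which
    for m != m2 has exactly one solution a (m + m2 is invertible)."""
    consistent = 0
    hits = 0
    for a in range(1 << N):
        b = gf_mul(a, m) ^ t
        consistent += 1
        if gf_mul(a, m2) ^ b == t2:
            hits += 1
    return hits, consistent


if __name__ == "__main__":
    key = keygen()
    m = 0x53
    t = tag(key, m)
    print("verify:", verify(key, m, t))
    print("forgeries accepted / consistent keys:", forgery_success_count(m, t, 0x54, 0x01))
```

The loop is the proof of the forgery bound made concrete: whatever (M', t') the adversary picks, the pair is accepted by exactly one of the 2^n keys that could have produced what it saw, so its success probability is 2^{-n} regardless of its running time. The same key must never be reused, since two tagged messages determine (a, b) by solving two linear equations.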

Problems and Solutions
Problems: the same as for identification.
If a very long random string is available, it can be used for one-time authentication; this works even if a, b are only random-looking. Use this!

Encryption of Messages
A wants to send a message M ∈ {0,1}^n to B; only B should be able to learn M.
One-time application: S = a, where a ∈_R {0,1}^n. To encrypt M, send a ⊕ M.

Encryption of Messages
If a very long random-looking string is available, it can be used as in one-time encryption. Use this!

Pseudo-random Functions, concrete treatment
F: {0,1}^k × {0,1}^n → {0,1}^m (key × domain → range). Denote Y = F_S(X).
A family of functions Φ_k = {F_S | S ∈ {0,1}^k} is (t, ε, q)-pseudo-random if it is efficiently computable (with random access) and...

(t, ε, q)-pseudo-random
The tester A can choose adaptively
- X_1 and get Y_1 = F_S(X_1)
- X_2 and get Y_2 = F_S(X_2)
- …
- X_q and get Y_q = F_S(X_q)
Then A has to decide whether
- F_S ∈_R Φ_k, or
- F_S ∈_R R_{n→m} = {F | F: {0,1}^n → {0,1}^m}.

(t, ε, q)-pseudo-random
For a function F chosen at random from
(1) Φ_k = {F_S | S ∈ {0,1}^k}
(2) R_{n→m} = {F | F: {0,1}^n → {0,1}^m}
for all t-time machines A that choose q locations and try to distinguish (1) from (2),
  |Prob[A = '1' | F ∈_R Φ_k] − Prob[A = '1' | F ∈_R R_{n→m}]| ≤ ε.

Equivalent/Non-Equivalent Definitions
- Instead of the next-bit test: for an X ∉ {X_1, X_2, …, X_q} chosen by A, decide whether a given Y is Y = F_S(X) or Y ∈_R {0,1}^m.
- Adaptive vs. non-adaptive
- Unpredictability vs. pseudo-randomness
- A pseudo-random sequence generator g: {0,1}^m → {0,1}^n is a pseudo-random function on the small domain {0,1}^{log n} → {0,1}, with key in {0,1}^m (the i-th output bit is the value at location i).

Application to the basic issues in cryptography, using a shared key S
- Identification: B to A: X ∈_R {0,1}^n; A to B: Y = F_S(X); B verifies that Y = F_S(X).
- Authentication: A to B: M together with Y = F_S(M). Beware the replay attack: an intercepted pair (M, Y) verifies again when re-sent.
- Encryption: A chooses X ∈_R {0,1}^n; A to B: (X, F_S(X) ⊕ M).
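The three protocols above, both sides of each exchange, as an added example that is not from the slides. HMAC-SHA256 stands in for the abstract pseudo-random function F_S (the assumption is that HMAC is a PRF), so the domain and range are 32-byte strings. The replay attack the slide warns about is shown directly: a captured (M, Y) verifies a second time, and the receiver-side filter that rejects a repeated tag is an illustration added here, not something the slides prescribe.

```python
"""PRF-based identification, authentication and encryption with a shared key S.
Added example, not from the lecture slides. HMAC-SHA256 is the stand-in for F_S
(assumed to be a PRF); F_S: {0,1}^256 -> {0,1}^256 with a 32-byte key."""
import hmac
import hashlib
import secrets

BLOCK = 32  # bytes: n = m = 256 bits


def F(S, X):
    """The shared-key pseudo-random function Y = F_S(X)."""
    return hmac.new(S, X, hashlib.sha256).digest()


# --- Identification: B challenges with a random X, A answers F_S(X). ---------
def id_challenge():
    return secrets.token_bytes(BLOCK)            # B -> A: X


def id_response(S, X):
    return F(S, X)                               # A -> B: Y = F_S(X)


def id_verify(S, X, Y):
    return hmac.compare_digest(F(S, X), Y)       # B checks Y against its own F_S(X)


# --- Authentication: A sends (M, F_S(M)); B recomputes the tag. -------------
def auth_tag(S, M):
    return F(S, M)


def auth_verify(S, M, Y):
    return hmac.compare_digest(F(S, M), Y)


class ReplayFilteringReceiver:
    """The tag F_S(M) depends only on M, so a recorded (M, Y) verifies forever.
    Remembering accepted tags is one (stateful) way to reject the replay."""

    def __init__(self, S):
        self.S = S
        self.seen = set()

    def accept(self, M, Y):
        if not auth_verify(self.S, M, Y) or Y in self.seen:
            return False
        self.seen.add(Y)
        return True


# --- Encryption: fresh X, ciphertext (X, F_S(X) xor M). ---------------------
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(S, M):
    """One-time pad with the pad F_S(X) selected by a fresh random X."""
    assert len(M) == BLOCK
    X = secrets.token_bytes(BLOCK)
    return X, xor(F(S, X), M)


def decrypt(S, ciphertext):
    X, C = ciphertext
    return xor(F(S, X), C)


if __name__ == "__main__":
    S = secrets.token_bytes(BLOCK)
    X = id_challenge()
    print("identification ok:", id_verify(S, X, id_response(S, X)))
    M = b"transfer 10 units to account 42".ljust(BLOCK, b"\x00")  # constructed message
    rcv = ReplayFilteringReceiver(S)
    Y = auth_tag(S, M)
    print("first delivery:", rcv.accept(M, Y), "replay:", rcv.accept(M, Y))
    print("decrypt ok:", decrypt(S, encrypt(S, M)) == M)
```

Encryption picks a fresh X per message, so the same M encrypts differently each time; if X repeated, the two ciphertexts would XOR to M ⊕ M', exactly the two-time-pad failure of the one-time construction on the previous slide.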

Goal
Construct an ensemble {Φ_k | k ∈ L} such that for any {t_k, 1/ε_k, q_k | k ∈ L} polynomial in k, for all but finitely many k's, Φ_k is a (t_k, ε_k, q_k)-pseudo-random family.

Construction
- Construction via expansion: expand n or m
- Direct constructions

Effects of Concatenation
Given ℓ functions F^1, F^2, …, F^ℓ, decide whether they are
- ℓ random and independent functions, or
- F_{S_1}, F_{S_2}, …, F_{S_ℓ} for S_1, S_2, …, S_ℓ ∈_R {0,1}^k.
Claim: if Φ_k = {F_S | S ∈ {0,1}^k} is (t, ε, q)-pseudo-random, the two cases cannot be distinguished
- using q queries,
- in time t' = t − ℓ·q,
- with advantage better than ℓ·ε.

Proof: Hybrid Argument
Define ℓ+1 hybrid distributions H_i in which the first i functions are truly random and the remaining ℓ−i are pseudo-random:
  H_0 = F_{S_1}, F_{S_2}, …, F_{S_ℓ}              (acceptance probability p_0)
  H_i = R_1, …, R_i, F_{S_{i+1}}, …, F_{S_ℓ}       (acceptance probability p_i)
  H_ℓ = R_1, R_2, …, R_ℓ                           (acceptance probability p_ℓ)
If |p_ℓ − p_0| ≥ ℓ·ε then, since the differences telescope, there exists an i (1 ≤ i ≤ ℓ) with |p_i − p_{i−1}| ≥ ε.

...Hybrid Argument
Such an i can be used to distinguish whether the black box F is F_S ∈_R Φ_k or F ∈_R R_{n→m}:
- generate keys S_{i+1}, …, S_ℓ and hence F_{S_{i+1}}, …, F_{S_ℓ};
- answer queries to the first i−1 functions at random (consistently: the same input gets the same answer);
- answer queries to the i-th function using the (black box) input F;
- answer queries to functions i+1 through ℓ with F_{S_{i+1}}, …, F_{S_ℓ}.
If F is pseudo-random the adversary sees H_{i−1}; if F is random it sees H_i. Hence the advantage is at least ε.
Running time of the test: t' + ℓ·q ≤ t.

Doubling the Domain
Suppose F^{(n)}: {0,1}^k × {0,1}^n → {0,1}^m is (t, ε, q)-pseudo-random. Want F^{(n+1)}: {0,1}^k × {0,1}^{n+1} → {0,1}^m which is (t', ε', q')-pseudo-random.
Use G: {0,1}^k → {0,1}^{2k} which is (t, ε)-pseudo-random, and write G(S) = G_0(S) G_1(S) (the two halves of the output).
Let F^{(n+1)}_S(b x) = F^{(n)}_{G_b(S)}(x) for b ∈ {0,1}, x ∈ {0,1}^n.

Claim
If G is (t + q, ε_1)-pseudo-random and F^{(n)} is (t + 2q, ε_2, q)-pseudo-random, then F^{(n+1)} is (t, ε_1 + 2ε_2, q)-pseudo-random.
Proof: consider three distributions
(1) F^{(n+1)}_S for a random S, i.e. the pair of functions F^{(n)}_{G_0(S)}, F^{(n)}_{G_1(S)}
(2) F^{(n)}_{S_0}, F^{(n)}_{S_1} for independent S_0, S_1
(3) a truly random function on {0,1}^{n+1}
and suppose the distinguishing advantage D between (1) and (3) is ≥ ε_1 + 2ε_2.

...Proof
Given that (1) and (3) can be distinguished with advantage ε_1 + 2ε_2, then either
- (1) and (2) can be distinguished with advantage ε_1, so G can be distinguished from random with advantage ε_1 (the only difference between them is whether the pair of keys is (G_0(S), G_1(S)) or (S_0, S_1)), or
- (2) and (3) can be distinguished with advantage 2ε_2, so F^{(n)} can be distinguished with advantage ε_2 (the concatenation claim with ℓ = 2).
Running time of the test: t' + q.

Getting from G to F^{(n)}
Idea: use the recursive construction, consuming one input bit per level:
  F^{(n)}_S(b_1 b_2 … b_n) = F^{(n−1)}_{G_{b_1}(S)}(b_2 … b_n) = G_{b_n}(G_{b_{n−1}}(… G_{b_1}(S) …)).
Each evaluation of F^{(n)}_S(x) takes n invocations of G.

Tree Description
The root is labeled S; a node labeled v has children labeled G_0(v) and G_1(v). The nodes at depth 1 are G_0(S) and G_1(S), those at depth 2 are G_0(G_0(S)), G_1(G_0(S)), G_0(G_1(S)), G_1(G_1(S)), and so on down to depth n. Each leaf corresponds to an input X, the path from the root spelling out the bits of X; the label on the leaf is the value of the pseudo-random function at X.

[Figure: binary tree with S at the root, G_0(S) and G_1(S) below it, and the path S → G_0(S) → G_0(G_0(S)) → G_1(G_0(G_0(S))) highlighted]
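The tree construction of the last two slides (the GGM construction) in code, as an added example that is not from the slides. The length-doubling generator G is instantiated with SHA-256 as a stand-in, G_b(S) = SHA256(S ‖ b), which is an assumption made here for runnability, not a proven pseudo-random generator. The code walks the tree iteratively, checks that this agrees with the recursive "doubling the domain" definition F^{(n)}_S(b x) = F^{(n−1)}_{G_b(S)}(x), and counts the n invocations of G per evaluation that the next slide lists as the main cost.

```python
"""GGM: a pseudo-random function from a length-doubling generator.
Added example, not from the lecture slides. G is SHA-256 based (an assumption,
used only as a stand-in for a PRG): G(S) = G_0(S) || G_1(S),
G_b(S) = SHA256(S || b)."""
import hashlib

KEY_BYTES = 32          # k = 256: seeds and all node labels are 32 bytes
G_CALLS = [0]           # counts invocations of G, to expose the n-per-query cost


def G(S):
    """Length-doubling generator {0,1}^k -> {0,1}^{2k}, returned as (G_0(S), G_1(S))."""
    G_CALLS[0] += 1
    return (hashlib.sha256(S + b"\x00").digest(),
            hashlib.sha256(S + b"\x01").digest())


def G_b(S, b):
    return G(S)[b]


def prf(S, x_bits):
    """F_S(b_1 ... b_n) = G_{b_n}( ... G_{b_1}(S) ... ): walk from the root,
    taking the b_i-th child at depth i; the leaf label is the output."""
    node = S
    for b in x_bits:
        node = G_b(node, b)
    return node


def prf_recursive(S, x_bits):
    """Same function via the doubling-the-domain view:
    F^{(n)}_S(b x) = F^{(n-1)}_{G_b(S)}(x), with F^{(0)}_S() = S."""
    if not x_bits:
        return S
    return prf_recursive(G_b(S, x_bits[0]), x_bits[1:])


def int_to_bits(x, n):
    """Most significant bit first, so b_1 is the root-level choice."""
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]


def g_calls_for(S, x_bits):
    """Number of G invocations one evaluation costs (expected: len(x_bits))."""
    before = G_CALLS[0]
    prf(S, x_bits)
    return G_CALLS[0] - before


def leaves(S, n):
    """All 2^n leaf labels, i.e. the whole truth table of F_S on {0,1}^n."""
    return {x: prf(S, int_to_bits(x, n)) for x in range(1 << n)}


if __name__ == "__main__":
    S = bytes(range(KEY_BYTES))                 # constructed seed
    x = int_to_bits(0b10110010, 8)
    print(prf(S, x).hex())
    print("G calls per evaluation:", g_calls_for(S, x))
```

The same label tree is what the hybrid argument on the following slides walks level by level: fixing truly random labels at depth i and computing everything below with G is exactly the hybrid D_i.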

Security Claim
If G is (t + q·n, ε)-pseudo-random, then F^{(n)} is (t, ε' = n·q·ε, q)-pseudo-random.
Proof: a hybrid argument by levels of the tree. D_i: truly random labels for the nodes at level i, and pseudo-random labels (computed with G) from level i down. Each D_i is in effect a collection of at most q functions, one per level-i node reached by the q queries. If F^{(n)} is distinguished with advantage ε', then there exists an i with |p_{i+1} − p_i| ≥ ε'/n = q·ε.

[Figure: hybrid D_i. The top i levels carry truly random labels S_0, S_1, …; the remaining n−i levels are computed with G from them, e.g. G_0(S_0), G_1(G_0(S_0)).]

…Proof of Security
Such an i can be used to distinguish the concatenation of q independent copies of the sequence generator G from random: the labels at level i+1 reached by the adversary's queries are either outputs G(S_j) of at most q independent seeds S_j (as in D_i) or truly random (as in D_{i+1}). The concatenation of q copies of G is (t, q·ε)-pseudo-random, so the construction is (t, n·q·ε, q)-pseudo-random.

Disadvantages
- Expensive: n invocations of G per evaluation
- Sequential
- Deterioration of ε (by a factor of n·q)
But it does the job: from any pseudo-random sequence generator, construct a pseudo-random function.
Theorem: one-way functions exist if and only if pseudo-random functions exist.

Applications of Pseudo-random Functions
- Learning theory, lower bounds: cannot PAC-learn any class containing pseudo-random functions.
- Complexity theory: impossibility of natural proofs for separating classes.
- Any setting where a huge shared random string is useful.
Caveat: what happens when the seed is made public?

Application to Signatures
With a shared secret seed we get authentication. What about public-key? Can we use the techniques? Yes!?
- The private key is S
- The public key is a commitment to F_S
- To sign M, provide F_S(M) and a proof of consistency with the commitment

Pseudo-Random Permutations
Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.

[Figure: key and plaintext block enter the cipher; a ciphertext block of the same length comes out]

Block Ciphers
Advantages
- Saves on memory and communication bandwidth
- Easy to incorporate within existing systems
Main disadvantage
- Every block is always encrypted in the same way
Important examples: DES, AES

Modeling Block Ciphers: Pseudo-random Permutations
F: {0,1}^k × {0,1}^n → {0,1}^n (key × domain → range)
F^{-1}: {0,1}^k × {0,1}^n → {0,1}^n (key × range → domain)
Want:
- X = F^{-1}_S(F_S(X)) (correct inverse)
- both efficiently computable

The Test
The tester A can choose adaptively
- X_1 and get Y_1 = F_S(X_1)
- Y_2 and get X_2 = F^{-1}_S(Y_2)
- …
- X_q and get Y_q = F_S(X_q)
Then A has to decide whether
- F_S ∈_R Φ_k, or
- F_S ∈_R P^{(n)} = {F | F: {0,1}^n → {0,1}^n is 1-1}.
A can choose to evaluate or invert any point!

(t, ε, q)-pseudo-random
For a function F chosen at random from
(1) Φ_k = {F_S | S ∈ {0,1}^k}
(2) P^{(n)} = {F | F: {0,1}^n → {0,1}^n is 1-1}
for all t-time machines A that choose q locations (forward or inverse queries) and try to distinguish (1) from (2),
  |Pr[A = '1' | F ∈_R Φ_k] − Pr[A = '1' | F ∈_R P^{(n)}]| ≤ ε.

Construction of Pseudo-Random Permutations
It is possible to construct a pseudo-random permutation from pseudo-random functions (and vice versa). The construction is based on 4 Feistel permutations.

Feistel Permutation
Any f: {0,1}^n → {0,1}^n defines a Feistel permutation on {0,1}^{2n}: D_f(L, R) = (R, L ⊕ f(R)).
Feistel permutations are as easy to invert as to compute, and f itself need not be invertible: D^{-1}_f(L, R) = (R ⊕ f(L), L).
Many block ciphers are based on such permutations, where the round function f is derived from the secret key.

[Figure: one Feistel round: (L_1, R_1) ↦ (L_2, R_2) = (R_1, L_1 ⊕ f(R_1))]

Composing Feistel Permutations
Make the function f: {0,1}^n → {0,1}^n a pseudo-random function F_S ∈_R Φ_k = {F_S | S ∈ {0,1}^k}. This defines a keyed family of permutations on {0,1}^{2n}.
Clearly a single round is not pseudo-random: the right block goes unchanged into the left block of the output.
What about composing two such keyed permutations with independent keys S_1, S_2? Still not pseudo-random:
  D_{S_2}(D_{S_1}(L, R)) = (L ⊕ F_{S_1}(R), R ⊕ F_{S_2}(L ⊕ F_{S_1}(R))).
For two inputs (L, R) and (L', R) sharing the same right block, the left halves of the two outputs XOR to L ⊕ L', which holds for a random permutation only with probability about 2^{-n}.
It looks pretty good against random attacks, though!

Main Construction
Let F_1, F_2, F_3, F_4 ∈_R PRF; then the composition of D_{F_1}, D_{F_2}, D_{F_3}, D_{F_4} is a pseudo-random permutation (Luby-Rackoff). Each F_i: {0,1}^n → {0,1}^n; the resulting permutation is on {0,1}^{2n}.
F_1 and F_4 can be "combinatorial" (Naor-Reingold):
- pairwise independent,
- low probability of collision on the first block.
The error probability is ~q^2/2^n.
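The Feistel permutation, its inverse, the two-round distinguisher of the previous slide and the four-round Luby-Rackoff permutation, as an added example that is not from the slides. The round functions F_{S_i} are HMAC-SHA256 truncated to the half-block length, standing in for pseudo-random functions (an assumption made here; the construction itself does not depend on the choice). Half-blocks are 8 bytes (n = 64), so a random permutation satisfies the two-round test only with probability 2^{-64}.

```python
"""Feistel permutations and the Luby-Rackoff construction.
Added example, not from the lecture slides. HMAC-SHA256 truncated to HALF bytes
stands in for each pseudo-random round function F_{S_i} (an assumption)."""
import hmac
import hashlib
import secrets

HALF = 8  # bytes per half-block (n = 64); the permutation acts on 2*HALF bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prf(S, x):
    """Round function F_S: {0,1}^n -> {0,1}^n, keyed by S."""
    return hmac.new(S, x, hashlib.sha256).digest()[:HALF]


def feistel(f, L, R):
    """D_f(L, R) = (R, L xor f(R)). A permutation for ANY f, invertible or not."""
    return R, xor(L, f(R))


def feistel_inv(f, L, R):
    """D_f^{-1}(L, R) = (R xor f(L), L): inverting costs one call to f, same as forward."""
    return xor(R, f(L)), L


def compose(fs, L, R):
    """D_{f_k} o ... o D_{f_1}: round 1 first."""
    for f in fs:
        L, R = feistel(f, L, R)
    return L, R


def compose_inv(fs, L, R):
    for f in reversed(fs):
        L, R = feistel_inv(f, L, R)
    return L, R


def round_functions(keys):
    """One keyed PRF F_{S_i} per independent round key S_i."""
    return [lambda x, S=S: prf(S, x) for S in keys]


def feistel_network(keys):
    """(encrypt, decrypt) for len(keys) Feistel rounds; 4 keys give Luby-Rackoff."""
    fs = round_functions(keys)
    return (lambda L, R: compose(fs, L, R)), (lambda L, R: compose_inv(fs, L, R))


def two_round_distinguisher(oracle):
    """Query (L1, R) and (L2, R), two inputs sharing the right block.
    After two rounds the left output half is L xor F_{S_1}(R), so the two left
    halves XOR to L1 xor L2 with certainty; for a random permutation this holds
    with probability 2^{-8*HALF}. Returns True when the oracle 'looks Feistel'."""
    R = secrets.token_bytes(HALF)
    L1, L2 = secrets.token_bytes(HALF), secrets.token_bytes(HALF)
    out1, out2 = oracle(L1, R), oracle(L2, R)
    return xor(out1[0], out2[0]) == xor(L1, L2)


if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(4)]     # S_1..S_4, independent
    enc2, _ = feistel_network(keys[:2])
    enc4, dec4 = feistel_network(keys)
    L, R = b"left-blk", b"rightblk"                        # constructed 2n-bit input
    print("4-round inverts correctly:", dec4(*enc4(L, R)) == (L, R))
    print("2-round flagged:", two_round_distinguisher(enc2))
    print("4-round flagged:", two_round_distinguisher(enc4))
```

Running the two-round distinguisher against the four-round network fails, as the Luby-Rackoff theorem predicts, but the ~q^2/2^n bound on the slide is a reminder that with n = 64 a birthday-many queries (about 2^32) would still break it; real block ciphers use more rounds precisely because n is fixed and small.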

References
- Blum-Micali: SIAM J. Computing, 1984
- Yao
- Blum, Blum, Shub: SIAM J. Computing, 1988
- Goldreich, Goldwasser and Micali: J. of the ACM, 1986
- Luby-Rackoff: SIAM J. Computing, 1988
- Naor-Reingold: Journal of Cryptology, 1999

...References
- O. Goldreich, The Foundations of Cryptography, a book in preparation
- M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press
- S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html