
Foundations of Cryptography Lecture 12



  1. Foundations of Cryptography, Lecture 12
     Lecturer: Moni Naor

  2. Recap of Lecture 11
     • Pseudo-random functions
     • Combining pseudo-random functions
       • Concatenation
       • Composing
     • The GGM tree construction
     • Pseudo-Random Permutations
     • Feistel Permutations

  3. Block-Ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
     [Figure: Plaintext and Key enter the block cipher BC, which outputs the Ciphertext]
     Pseudo-Random Permutations

  4. Block Ciphers
     Advantages
     • Saves on memory and communication bandwidth
     • Easy to incorporate within existing systems
     Main Disadvantage
     • Every block is always encrypted in the same way
     Important Examples: DES, AES

  5. Modeling Block Ciphers
     • Pseudo-random Permutations
       F : {0,1}^k × {0,1}^n → {0,1}^n        (Key × Domain → Range)
       F^{-1} : {0,1}^k × {0,1}^n → {0,1}^n   (Key × Range → Domain)
     Want:
     • X = F_S^{-1}(F_S(X))   (correct inverse)
     • Efficiently computable

  6. The Test
     The tester A can choose adaptively
     • X_1 and get Y_1 = F_S(X_1)
     • Y_2 and get X_2 = F_S^{-1}(Y_2)
     • …
     • X_q and get Y_q = F_S(X_q)
     Then A has to decide whether
     • F_S ∈_R Φ_k, or
     • F_S ∈_R P(n) = { F | F is 1-1, F : {0,1}^n → {0,1}^n }
     A can choose to evaluate or invert any point!

  7. (t,,q)-pseudo-random For a function F chosen at random from (1) Φk={FS | S0,1k  (2)P(n)=  F|1-1F:0,1n  0,1n  For all t-time machines A that choose q locations and try to distinguish (1) from (2)  PrA= ‘1’  FR Fk - PrA= ‘1’  FRP(n)   

  8. Construction of Pseudo-Random Permutations
     • Possible to construct p.r. permutations from p.r. functions (and vice versa)
     • Based on 4 Feistel Permutations

  9. Feistel Permutation
     Any f : {0,1}^n → {0,1}^n defines a Feistel permutation
       D_f(L, R) = (R, L ⊕ f(R))
     Feistel permutations are as easy to invert as to compute:
       D_f^{-1}(L, R) = (R ⊕ f(L), L)
     Many block ciphers are based on such permutations, where the function f is derived from the secret key.

  10. Feistel Permutation
      [Figure: one round, input halves L1, R1; f applied to R1 and XORed into L1; output halves L2, R2]

  11. Composing Feistel Permutations
      • Make the function f : {0,1}^n → {0,1}^n a pseudo-random function G_S ∈_R Φ'_k
      • This defines a keyed family of permutations {0,1}^{2n} → {0,1}^{2n}
      • Clearly it is not pseudo-random
        • The right block goes unchanged to the left block
      What about composing two such keyed permutations with independent keys?
      • Not pseudo-random: D_{S2}(D_{S1}(L, R)) = (G_{S1}(L) ⊕ R, G_{S2}(G_{S1}(L) ⊕ R) ⊕ R)
        • For two inputs sharing the same left block
      • Looks pretty good for random attacks!
        • No repetitions on the pseudo-random part

  12. Main Construction
      Let G_{S1}, G_{S2}, G_{S3}, G_{S4} ∈_R PRF. Then the composition of D_{S1}, D_{S2}, D_{S3}, D_{S4} is a pseudo-random permutation.
      • Each G_i : {0,1}^n → {0,1}^n; the resulting permutation is {0,1}^{2n} → {0,1}^{2n}
      • G_1 and G_4 can be "combinatorial":
        • pair-wise independent
        • low probability of collision on the first block
      • Error probability is ~ q^2/2^n
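The Feistel round of slide 9 and the compositions of slides 11 and 12, as an added example that is not part of the lecture slides. It uses D_f(L,R) = (R, L ⊕ f(R)) exactly as on slide 9; under that convention the round function is applied to the right half, so the structural relation that breaks the two-round composition shows up for two inputs that share the right half (slide 11 states the mirrored form). The pseudo-random functions G_S are assumed here to be HMAC-SHA256 truncated to n bits, and the 32-bit half-block size is a constructed parameter.

```python
import hmac
import hashlib

N_BYTES = 4  # half-block size n = 32 bits (constructed parameter for this example)


def prf(key: bytes, x: bytes) -> bytes:
    """G_S : {0,1}^n -> {0,1}^n. Assumption: HMAC-SHA256 truncated to n bits
    stands in for the pseudo-random functions of the slides."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R))  (slide 9)."""
    return R, xor(L, f(R))


def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): inverting costs one evaluation of f, same as computing."""
    return xor(R, f(L)), L


def compose(keys, L: bytes, R: bytes):
    """D_{S_t}(... D_{S_1}(L, R)): one Feistel round per key, rounds applied in order."""
    for k in keys:
        L, R = feistel(lambda r, k=k: prf(k, r), L, R)
    return L, R


def compose_inv(keys, L: bytes, R: bytes):
    """Undo compose(): apply the round inverses in reverse key order."""
    for k in reversed(keys):
        L, R = feistel_inv(lambda l, k=k: prf(k, l), L, R)
    return L, R


def one_round_right_half_exposed(key: bytes, L: bytes, R: bytes) -> bool:
    """Slide 11: a single keyed round is not pseudo-random because the right
    input half appears unchanged as the left output half."""
    L2, _ = feistel(lambda r: prf(key, r), L, R)
    return L2 == R


def two_round_xor_relation(k1: bytes, k2: bytes, L: bytes, Lp: bytes, R: bytes) -> bool:
    """Slide 11: two rounds are still not pseudo-random. For inputs (L, R) and
    (L', R) sharing the right half, the left output halves are L xor G1(R) and
    L' xor G1(R), so their XOR equals L xor L' regardless of the keys."""
    L2, _ = compose([k1, k2], L, R)
    L2p, _ = compose([k1, k2], Lp, R)
    return xor(L2, L2p) == xor(L, Lp)


if __name__ == "__main__":
    keys = [bytes([i]) * 16 for i in range(1, 5)]       # four independent round keys (constructed)
    L, R = b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"     # constructed 2n-bit input
    C = compose(keys, L, R)                             # the four-round permutation of slide 12
    print("4 rounds:", C, "inverts correctly:", compose_inv(keys, *C) == (L, R))
    print("1 round exposes R:", one_round_right_half_exposed(keys[0], L, R))
    print("2 rounds leak L xor L':", two_round_xor_relation(keys[0], keys[1], L, b"\xaa" * 4, R))
```

The two predicates return True for every key, which is what makes them distinguishers: a random permutation satisfies either relation only with probability 2^{-n}. With all four rounds the relations no longer hold structurally, which is the content of the Security Theorem that follows.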

  13. Security Theorem
      Let G be the set of permutations obtained when the two middle functions G_2, G_3 are truly random functions and the first and last are (h_1, h_2) chosen from a pairwise independent family.
      Recall P(n) = { F | F is 1-1, F : {0,1}^n → {0,1}^n }.
      Theorem: For any adversary A
      • (not necessarily efficient)
      • that makes at most q queries
      the advantage in distinguishing between a random permutation from P(n) and a random one from G is at most q^2/2^n + q^2/2^{2n}.
      Corollary: the original construction is computationally secure.

  14. Back to two permutations
      For each pair of input and output blocks, (L_1, R_1) is mapped to (L_2, R_2) if and only if
      • G_{S1}(R_1) = L_1 ⊕ L_2
      • G_{S2}(L_2) = R_1 ⊕ R_2
      So we have "one-wise independence":
      • Happens with probability 1/2^{2n}
      Furthermore: for any q pairs
        (L_1^1, R_1^1) → (L_2^1, R_2^1), (L_1^2, R_1^2) → (L_2^2, R_2^2), …, (L_1^q, R_1^q) → (L_2^q, R_2^q)
      such that for j ≠ i: R_1^j ≠ R_1^i and L_2^j ≠ L_2^i,
      the probability that all are mapped to each other is 1/2^{2qn}.

  15. The Transcript
      • May assume A is deterministic
        • Since it is not computationally bounded
      • The transcript T is the set of pairs of inputs/outputs (X_1, Y_1), (X_2, Y_2), …, (X_q, Y_q) queried by A
        • Queries can go either way (evaluate or invert)
      • Consider a third distribution P′ of responses: if A
        • asks for F(x) and x appeared before in a query ⟨x, y⟩: answer y
        • asks for F^{-1}(y) and y appeared before in a query ⟨x, y⟩: answer x
        • otherwise answer a random z ∈ {0,1}^{2n}
      • P′ is not always consistent with some permutation
        • Call the resulting transcript inconsistent

  16. P′ is close to P
      Claim: A may differentiate between P and P′ only if the transcript is inconsistent.
      Claim ["inconsistent"]: Prob[T is inconsistent] ≤ q^2/2^{2n}
      Proof: birthday.
      It remains to bound the difference between P′ and G.
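The two oracle processes of slides 15 and 16, written out as an added example (not code from the lecture): P is a uniformly random permutation of {0,1}^{2n} sampled lazily and answering both F and F^{-1} queries, and P′ answers every fresh point with an independent uniform z, keeping consistency only on repeated points. The transcript check `is_consistent` is the "consistent with some permutation" test, and `inconsistency_rate` estimates Prob[T is inconsistent] for comparison with the birthday bound q^2/2^{2n}. Block width, query counts and the seed are constructed parameters; the adversary here is a fixed non-adaptive list of queries, which suffices to exercise the processes.

```python
import random


class RandomPermutationOracle:
    """Process P: a random permutation of {0,1}^bits (bits = 2n), sampled lazily."""

    def __init__(self, bits: int, rng: random.Random):
        self.size, self.rng, self.fwd, self.bwd = 1 << bits, rng, {}, {}

    def evaluate(self, x: int) -> int:          # F(x): fresh outputs are drawn from unused range points
        if x not in self.fwd:
            y = self.rng.choice([v for v in range(self.size) if v not in self.bwd])
            self.fwd[x], self.bwd[y] = y, x
        return self.fwd[x]

    def invert(self, y: int) -> int:            # F^{-1}(y): fresh preimages drawn from unused domain points
        if y not in self.bwd:
            x = self.rng.choice([u for u in range(self.size) if u not in self.fwd])
            self.fwd[x], self.bwd[y] = y, x
        return self.bwd[y]


class RandomResponseOracle:
    """Process P' of slide 15: repeat points answered from memory, otherwise a uniform z."""

    def __init__(self, bits: int, rng: random.Random):
        self.size, self.rng, self.fwd, self.bwd = 1 << bits, rng, {}, {}

    def evaluate(self, x: int) -> int:
        if x not in self.fwd:
            z = self.rng.randrange(self.size)   # no exclusion: z may collide with an earlier y
            self.fwd[x], self.bwd[z] = z, x
        return self.fwd[x]

    def invert(self, y: int) -> int:
        if y not in self.bwd:
            z = self.rng.randrange(self.size)
            self.fwd[z], self.bwd[y] = y, z
        return self.bwd[y]


def run_adversary(oracle, queries):
    """queries: list of ('F', x) or ('Finv', y). Returns the transcript as (x, y) pairs."""
    transcript = []
    for kind, v in queries:
        transcript.append((v, oracle.evaluate(v)) if kind == "F" else (oracle.invert(v), v))
    return transcript


def is_consistent(transcript) -> bool:
    """T is consistent iff it is a partial injection: no x with two ys and no y with two xs."""
    fwd, bwd = {}, {}
    for x, y in transcript:
        if fwd.get(x, y) != y or bwd.get(y, x) != x:
            return False
        fwd[x], bwd[y] = y, x
    return True


def demo_permutation(bits: int = 4, seed: int = 1):
    """Query P on every domain point: the transcript is a bijection and inverts correctly."""
    rng = random.Random(seed)
    p = RandomPermutationOracle(bits, rng)
    t = run_adversary(p, [("F", x) for x in range(1 << bits)])
    inverts_ok = all(p.invert(y) == x for x, y in t)
    return sorted(y for _, y in t), is_consistent(t) and inverts_ok


def inconsistency_rate(bits: int, q: int, trials: int, seed: int = 0) -> float:
    """Empirical Prob[T inconsistent] under P' for q distinct forward queries."""
    rng, bad = random.Random(seed), 0
    for _ in range(trials):
        oracle = RandomResponseOracle(bits, rng)
        queries = [("F", x) for x in rng.sample(range(1 << bits), q)]
        bad += not is_consistent(run_adversary(oracle, queries))
    return bad / trials


def birthday_bound(bits: int, q: int) -> float:
    """The slide-16 bound q^2 / 2^{2n}, with bits = 2n."""
    return q * q / 2 ** bits


if __name__ == "__main__":
    print("P on all points:", demo_permutation())
    print("P' inconsistency rate:", inconsistency_rate(bits=8, q=8, trials=2000),
          "bound:", birthday_bound(8, 8))
```

Against P the transcript is always consistent, so any gap between P and P′ must come from inconsistent transcripts, which is exactly the first claim on slide 16; the empirical rate stays below the bound because the true collision probability is about q(q−1)/2 · 2^{-2n}.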

  17. The BAD event
      Thought experiment: choose the functions (h_1, h_2) also for process P′ (they serve no purpose there).
      If T = (X_1, Y_1), (X_2, Y_2), …, (X_q, Y_q) is consistent, we say that it is BAD for functions (h_1, h_2) if there exist j ≠ i such that either
      • h_1(x_i) collides with the right half of h_1(x_j), or
      • h_2(y_i) collides with the left half of h_2(y_j)
      BAD event: either T is inconsistent or T is BAD for (h_1, h_2).
      Claim: Prob_{P′}[BAD] ≤ q^2/2^n + q^2/2^{2n}

  18. Key Lemma
      Lemma: For any adversary A, for any possible value V = (X_1, Y_1), (X_2, Y_2), …, (X_q, Y_q):
        Prob_{P′}[T = V and not BAD] = Prob_G[T = V and not BAD]

  19. Concluding the proof
      By summing the Key Lemma over all transcripts:
      • Prob_{P′}[not BAD] = Prob_G[not BAD], which implies
      • Prob_{P′}[BAD] = Prob_G[BAD]
      By summing the Key Lemma over all transcripts for which A outputs '1':
        Prob_{P′}[A outputs '1' and not BAD] = Prob_G[A outputs '1' and not BAD]
      Hence:
        | Prob_{P′}[A outputs '1'] − Prob_G[A outputs '1'] | ≤ Prob_{P′}[BAD] ≤ q^2/2^n + q^2/2^{2n}
      By the "inconsistent" Claim, P and P′ are close, and we are done.

  20. k-wise independent permutations
      • Simple constructions for k-wise independent functions
        • For instance a random polynomial of degree k−1
      • No equivalent ones known for k-wise independent permutations
      • In the 4-Feistel-permutation construction, if the two middle functions are k-wise independent
        • the Security Theorem implies that the result is q^2/2^n close to a k-wise independent permutation
      • T. Gowers: alternative construction of approximate k-wise independent permutations

  21. Other Constructions
      • Generalized Feistel Permutations
        • Generalized construction of pseudo-random permutations:
          • The first and last rounds as before
          • The two middle Feistel permutations are replaced with t generalized Feistel permutations
          • The distinguishing probability is roughly q^2/2^{2(1−1/t)n}
      • Construction of long pseudo-random permutations from short ones:
        • First and last round combinatorial
        • In the middle, independent applications of the short pseudo-random permutations

  22. Encryption Using Pseudo-Random Permutations
      • Sender and Receiver share a secret key S ∈_R {0,1}^k
      • S defines a function F_S ∈ F_k
      • What is wrong with encrypting X with F_S(X)?

  23. Definition of the Security of Encryption
      Several settings
      • Shared key vs public key
      • How active is the adversary
      Sender and receiver want to prevent Eve from learning anything about the message. Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides.
      Information Theoretic Setting: if Eve has some knowledge of m, the following should remain the same:
      • Probability of guessing m
      • Min entropy of m
      • Probability of guessing whether m is m_0 or m_1
      • Probability of computing some function f of m
      Ideally: the message sent is independent of the message m. This implies all the above.
      Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m; if there is no special knowledge about m, that is |m|.

  24. To specify security of encryption
      • The power of the adversary
        • computational: probabilistic polynomial time machine (PPTM)
        • access to the system: can it change the messages?
      • What constitutes a failure of the system
        • what it means to break the system
        • Reading a message
        • Forging a message?

  25. Computational Security of Encryption: Indistinguishability of Encryptions
      Indistinguishability of encrypted strings:
      • Adversary A chooses X_0, X_1 ∈ {0,1}^n
      • receives the encryption of X_b for b ∈_R {0,1}
      • has to decide whether b = 0 or b = 1
      For every pptm A choosing a pair X_0, X_1 ∈ {0,1}^n:
        | Pr[A = '1' | b = 1] − Pr[A = '1' | b = 0] | is negligible.
      Probability is over the choice of keys, the randomization in the encryption and A's coins.
      In other words: the encryptions of X_0, X_1 are indistinguishable.
      Quantification is over the choice of X_0, X_1 ∈ {0,1}^n.
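The question of slide 22 (what is wrong with encrypting X as F_S(X)) measured with the distinguishing experiment of slide 25, as an added example that is not part of the lecture. The deterministic scheme is compared with an assumed randomized one, E_S(X) = (r, F_S(r) ⊕ X) with a fresh r per message, which the slides do not present; F_S is modelled by HMAC-SHA256 truncated to a block, and the adversary here is given one earlier ciphertext of X_0 in addition to the challenge, which models slide 4's "every block is always encrypted in the same way". Key, messages and block width are constructed values.

```python
import hmac
import hashlib
import os

BLOCK = 16  # constructed block width in bytes


def prf(key: bytes, x: bytes) -> bytes:
    """F_S modelled by HMAC-SHA256 truncated to one block (assumption of this example)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def deterministic_encrypt(key: bytes, x: bytes) -> bytes:
    """The scheme questioned on slide 22: E_S(X) = F_S(X), no randomness at all."""
    return prf(key, x)


def randomized_encrypt(key: bytes, x: bytes, r: bytes = None):
    """Assumed randomized scheme (not from the slides): E_S(X) = (r, F_S(r) xor X), r fresh."""
    r = os.urandom(BLOCK) if r is None else r
    return r, xor(prf(key, r), x)


def randomized_decrypt(key: bytes, ct) -> bytes:
    r, c = ct
    return xor(prf(key, r), c)


def repeat_leak_advantage(encrypt, key: bytes, x0: bytes, x1: bytes, trials: int = 50) -> float:
    """Slide-25 experiment with one extra piece of history: A has seen E(X_0) sent earlier,
    now receives E(X_b), and outputs '1' (guess b = 1) iff the two ciphertexts differ.
    Returns |Pr[A = '1' | b = 1] - Pr[A = '1' | b = 0]| estimated over `trials` runs per b."""
    says_one = {0: 0, 1: 0}
    for b, xb in ((0, x0), (1, x1)):
        for _ in range(trials):
            earlier = encrypt(key, x0)          # a block the sender already encrypted
            challenge = encrypt(key, xb)        # encryption of X_b in the experiment
            says_one[b] += earlier != challenge
    return abs(says_one[1] / trials - says_one[0] / trials)


if __name__ == "__main__":
    key = bytes(range(32))                      # constructed key
    x0, x1 = b"transfer  100 EUR", b"transfer 9999 EUR"   # constructed messages (17 bytes)
    x0, x1 = x0[:BLOCK], x1[:BLOCK]
    print("deterministic E_S(X)=F_S(X): advantage", repeat_leak_advantage(deterministic_encrypt, key, x0, x1))
    print("randomized (r, F_S(r) xor X): advantage", repeat_leak_advantage(randomized_encrypt, key, x0, x1))
    print("randomized decrypts:", randomized_decrypt(key, randomized_encrypt(key, x1)) == x1)
```

With F_S(X) alone the adversary's advantage is 1: equal plaintext blocks give equal ciphertext blocks, so any repetition in the traffic is visible. With a fresh r the two ciphertexts of X_0 already differ, so the comparison tells A nothing and the advantage is 0; the decryption check shows the receiver loses nothing by the randomization.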

  26. Computational Security of Encryption: Semantic Security
      Whatever adversary A can compute on an encrypted string X ∈ {0,1}^n, so can A′ that does not see the encryption of X yet simulates A's knowledge with respect to X.
      A selects:
      • a distribution D_n on {0,1}^n
      • a relation R(X, Y), computable in probabilistic polynomial time
      For every pptm A choosing a distribution D_n on {0,1}^n there is a pptm A′ so that for all pptm relations R, for X ∈_R D_n:
        | Pr[R(X, A(E(X)))] − Pr[R(X, A′())] | is negligible.
      In other words: the outputs of A and A′ are indistinguishable even for a test that is aware of X.
      Note: this presentation of semantic security is non-standard (but equivalent).

  27. References
      • Blum-Micali: SIAM J. Computing, 1984
      • Yao:
      • Blum, Blum, Shub: SIAM J. Computing, 1988
      • Goldreich, Goldwasser and Micali: J. of the ACM, 1986
      • Luby-Rackoff: SIAM J. Computing, 1988
      • Naor-Reingold: Journal of Cryptology, 1999

  28. References (continued)
      • O. Goldreich, The Foundations of Cryptography, www.wisdom.weizmann.ac.il/~oded/foc-book.html
      • M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press
      • S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html
