CIS 5371 Cryptography
3c. Pseudorandom Functions
Based on: Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography
Definition 3.23
• Let F be an efficient, length-preserving keyed function. F is a pseudorandom function if for all PPT distinguishers D there exists a negligible function negl such that | where the key is chosen uniformly at random and f is chosen at random from the set of all functions mapping n-bit strings to n-bit strings.
Existence of pseudorandom functions
• We cannot prove that pseudorandom functions exist!
• In practice there exist very efficient primitives called block ciphers that are widely believed to behave as pseudorandom functions.
CPA-secure encryption using a PRF: Protocol
• Let F be a pseudorandom function. Define a private-key encryption scheme for messages of length n as follows:
• Gen: on input the security parameter, choose a key uniformly at random and output it as the key.
• Enc: on input a key and a message m, choose a value uniformly at random and output the ciphertext.
• Dec: on input a key and a ciphertext, output the plaintext.
Theorem 3.25
Let F be a pseudorandom function. Then the protocol above is a fixed-length private-key encryption scheme for messages of length n that has indistinguishable encryptions under CPA.
A secure fixed-length encryption: Proof
We have . Let . Then = + . If is negligible then we should not be able to distinguish these. Otherwise a gap between them would make it possible to distinguish truly random from pseudorandom.
A secure fixed-length encryption: Reduction
Distinguisher D with oracle O (D runs adversary A against the protocol, instantiated either with the pseudorandom function or with a truly random function):
• When A queries its encryption oracle on a chosen plaintext: choose a value uniformly at random, query O on it, and use the answer to form the encryption returned to A.
• When A outputs its two challenge plaintexts: choose a random bit, query O to form the challenge ciphertext, and hand it to A.
• Repeat: keep answering A's encryption-oracle queries on chosen plaintexts as above.
• When A outputs its guess: return 1 if the guess is correct, 0 if it is not.
A secure fixed-length encryption: Proof
From and we get that must be negligible. So is negligible.
A secure variable-length encryption
The messages can be securely encrypted as .
Corollary 3.26
Let F be a pseudorandom function. Then the scheme sketched in the previous slide is an arbitrary-length private-key encryption scheme that has indistinguishable encryptions under CPA.
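The fixed-length protocol of Theorem 3.25 and its block-by-block extension in Corollary 3.26, written out as an added example (not code from the slides or from Katz and Lindell). HMAC-SHA256 stands in for the pseudorandom function F, with n = 32 bytes; the names prf, enc_block, enc, dec and random_function are this example's own. random_function is the "f chosen at random from all functions" of Definition 3.23, sampled lazily, so the same scheme can be run in the ideal world the proof compares against. The handling of a final short block (XOR with a prefix of F_k(r)) is an assumption that goes beyond the slides.

```python
import hashlib
import hmac
import os

N = 32  # n, the PRF block length in bytes (constructed choice: SHA-256 output size)


def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): a keyed, length-preserving function assumed to be pseudorandom.
    HMAC-SHA256 stands in for the block cipher the slides mention (assumption)."""
    if len(k) != N or len(x) != N:
        raise ValueError("key and input must both be n bytes")
    return hmac.new(k, x, hashlib.sha256).digest()


def random_function():
    """The 'f chosen at random from all functions' of Definition 3.23, sampled lazily:
    a fresh input gets an independent uniform n-byte output, a repeated input gets
    the same output again. Only used to illustrate the ideal world of the proof."""
    table = {}

    def f(k: bytes, x: bytes) -> bytes:  # takes k only to share prf's interface; ignores it
        if x not in table:
            table[x] = os.urandom(N)
        return table[x]
    return f


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def gen() -> bytes:
    """Gen: choose the key uniformly at random from {0,1}^n."""
    return os.urandom(N)


def enc_block(k: bytes, m: bytes, F=prf) -> bytes:
    """Enc of the fixed-length scheme (Theorem 3.25): choose r uniformly at random and
    output the ciphertext (r, F_k(r) XOR m), serialised here as r || (F_k(r) XOR m)."""
    if len(m) != N:
        raise ValueError("fixed-length scheme: message must be n bytes")
    r = os.urandom(N)
    return r + xor(F(k, r), m)


def dec_block(k: bytes, c: bytes, F=prf) -> bytes:
    """Dec: recover m = F_k(r) XOR (F_k(r) XOR m)."""
    r, s = c[:N], c[N:]
    return xor(F(k, r), s)


def enc(k: bytes, m: bytes, F=prf) -> bytes:
    """Arbitrary-length scheme (Corollary 3.26): split m into blocks m_1 ... m_l and
    encrypt each block with its own fresh r_i, output r_1 || s_1 || ... || r_l || s_l.
    Assumption beyond the slides: a final short block is XORed with a prefix of F_k(r_l)."""
    out = bytearray()
    for i in range(0, len(m), N):
        block = m[i:i + N]
        r = os.urandom(N)
        out += r + xor(F(k, r)[:len(block)], block)
    return bytes(out)


def dec(k: bytes, c: bytes, F=prf) -> bytes:
    out = bytearray()
    for i in range(0, len(c), 2 * N):
        r, s = c[i:i + N], c[i + N:i + 2 * N]
        if len(r) != N or not s:
            raise ValueError("malformed ciphertext")
        out += xor(F(k, r)[:len(s)], s)
    return bytes(out)


def encrypts_probabilistically(k: bytes, m: bytes) -> bool:
    """Two encryptions of the same message differ because r is fresh each time; this is
    what a chosen-plaintext adversary cannot exploit, unlike a deterministic scheme."""
    return enc(k, m) != enc(k, m)
```

Swapping F=prf for F=random_function() turns every block into a one-time pad keyed by its r, which is the ideal world of the proof; the scheme decrypts correctly in both worlds, and the reduction's distinguisher can only tell them apart if the adversary's advantage differs noticeably between them.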
Pseudorandom permutations
• A keyed permutation is a keyed function that is one-to-one.
• A keyed permutation is efficient if there is a polynomial-time algorithm that computes its output given the key and the input.
• A pseudorandom permutation is defined in a manner analogous to Definition 3.23, by replacing the term "function" by "permutation".
Definition 3.28 Strong pseudorandom permutations
• Let F be an efficient keyed permutation. We say that F is a strong pseudorandom permutation if for all PPT distinguishers D there exists a negligible function negl such that | where the key is chosen uniformly at random and f is chosen at random from the set of all permutations on n-bit strings.
• Block ciphers are the practical analogue of strong pseudorandom permutations.
Pseudorandom permutations: modes of operation
• Electronic Code Book (ECB)
• Cipher Block Chaining (CBC)
• Output Feedback (OFB)
• Counter (CTR)
Pseudorandom permutations: diagram of Electronic Code Book (ECB)
Pseudorandom permutations: diagram of Cipher Block Chaining (CBC), with an IV
Pseudorandom permutations: diagram of Output Feedback (OFB), with an IV
Pseudorandom permutations: diagram of Counter mode (CTR), with counter values ctr, ctr+1, ctr+2, ctr+3
Pseudorandom permutations: modes of operation, Electronic Code Book (ECB)
Encryption is deterministic: no CPA-security. Worse: ECB mode does not even have indistinguishable encryptions in the presence of an eavesdropper.
Pseudorandom permutations: modes of operation, Cipher Block Chaining (CBC)
Encryption is probabilistic: it can be shown that we get CPA-security if F is a pseudorandom permutation. Drawback: encryption is sequential.
Pseudorandom permutations: modes of operation, Output Feedback (OFB)
Encryption is probabilistic: it can be shown that we get CPA-security if F is a pseudorandom permutation. Drawback: both encryption and decryption are sequential.
Pseudorandom permutations: modes of operation, Counter (CTR) -- randomized counter mode
Encryption is probabilistic: it can be shown that we get CPA-security if F is a pseudorandom function. Both encryption and decryption can be fully parallelized. We do not require that F be a permutation (that is, it need not be invertible).
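The four modes on the preceding slides, as an added example (not code from the slides or from Katz and Lindell). No block cipher is available in the Python standard library, so a toy keyed permutation prp/prp_inv is constructed here as a four-round Feistel network over HMAC-SHA256 with 16-byte blocks; that construction, the block size, and every function name are assumptions of this example. The code shows what the slides say about each mode: ECB is deterministic, so equal plaintext blocks produce equal ciphertext blocks that has_repeated_blocks can spot without the key; CBC and OFB must compute blocks in order because each step feeds on the previous one; CTR uses only the forward direction of F on ctr+i, so its blocks are independent and F need not be invertible.

```python
import hashlib
import hmac
import os
from typing import Optional

B = 16        # block length in bytes (constructed choice)
H = B // 2    # Feistel half-block
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 over the round index and one half-block, truncated to H bytes.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:H]


def prp(k: bytes, x: bytes) -> bytes:
    """Toy keyed permutation standing in for a block cipher (assumption, not from the
    slides): a 4-round Feistel network over a PRF, one-to-one by construction."""
    L, R = x[:H], x[H:]
    for i in range(ROUNDS):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def prp_inv(k: bytes, y: bytes) -> bytes:
    """Inverse permutation: undo the Feistel rounds in reverse order."""
    L, R = y[:H], y[H:]
    for i in reversed(range(ROUNDS)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


def blocks(data: bytes):
    return [data[i:i + B] for i in range(0, len(data), B)]


# ECB: every block encrypted independently and deterministically (message length a multiple of B).
def ecb_enc(k: bytes, m: bytes) -> bytes:
    return b"".join(prp(k, blk) for blk in blocks(m))

def ecb_dec(k: bytes, c: bytes) -> bytes:
    return b"".join(prp_inv(k, blk) for blk in blocks(c))


# CBC: c_i = F_k(m_i XOR c_{i-1}) with c_0 = IV; block i cannot start before block i-1 is done.
def cbc_enc(k: bytes, m: bytes, iv: Optional[bytes] = None) -> bytes:
    prev = iv if iv is not None else os.urandom(B)
    out = [prev]
    for blk in blocks(m):
        prev = prp(k, xor(blk, prev))
        out.append(prev)
    return b"".join(out)

def cbc_dec(k: bytes, c: bytes) -> bytes:
    cb = blocks(c)
    return b"".join(xor(prp_inv(k, cb[i]), cb[i - 1]) for i in range(1, len(cb)))


# OFB: keystream s_i = F_k(s_{i-1}) with s_0 = IV, c_i = m_i XOR s_i; keystream is sequential.
def ofb_enc(k: bytes, m: bytes, iv: Optional[bytes] = None) -> bytes:
    state = iv if iv is not None else os.urandom(B)
    out = [state]
    for blk in blocks(m):
        state = prp(k, state)
        out.append(xor(state[:len(blk)], blk))   # a short last block uses a keystream prefix
    return b"".join(out)

def ofb_dec(k: bytes, c: bytes) -> bytes:
    return ofb_enc(k, c[B:], c[:B])[B:]          # same IV, same keystream, XORed back off


# Randomized CTR: c_i = m_i XOR F_k(ctr + i); each block is independent of the others, and only
# the forward direction of F is ever used, so F need not be a permutation.
def ctr_enc(k: bytes, m: bytes, ctr: Optional[int] = None) -> bytes:
    ctr = ctr if ctr is not None else int.from_bytes(os.urandom(B), "big")
    out = [ctr.to_bytes(B, "big")]
    for i, blk in enumerate(blocks(m), start=1):
        pad = prp(k, ((ctr + i) % (1 << (8 * B))).to_bytes(B, "big"))
        out.append(xor(pad[:len(blk)], blk))
    return b"".join(out)

def ctr_dec(k: bytes, c: bytes) -> bytes:
    return ctr_enc(k, c[B:], int.from_bytes(c[:B], "big"))[B:]


def has_repeated_blocks(c: bytes) -> bool:
    """What an eavesdropper can check without the key: do two ciphertext blocks coincide?
    Under ECB this happens exactly when two plaintext blocks coincide."""
    cb = blocks(c)
    return len(cb) != len(set(cb))
```

Running a message made of two identical blocks through ecb_enc yields two identical ciphertext blocks, while cbc_enc and ctr_enc on the same message do not (except with negligible probability); ctr_enc and ofb_enc also accept messages whose length is not a multiple of the block size, because only a prefix of the last keystream block is used.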
Chosen Ciphertext Attacks (CCA)
In a CCA the adversary can not only encrypt messages of his choice (as in a CPA) but can also decrypt ciphertexts of his choice (with one exception). Formally this is captured by giving the adversary access to a decryption oracle (as well as the encryption oracle). Let a private-key encryption scheme, an adversary A and the value n of the security parameter be given.
CCA indistinguishability experiment
• A
• The adversary may not query the decryption oracle on the challenge ciphertext itself. Eventually
Indistinguishable encryptions under CCA -- Definition
A private-key encryption scheme has indistinguishable encryptions under CCA if ∀ PPT adversaries , =1] where the probability is taken over the coins used in the experiment.
Insecurity of the encryption schemes that we have studied
None of the private-key encryption schemes discussed so far is CCA-secure.
Example. Let and , to get the ciphertext. The adversary flips the first bit of and asks for the decryption. He gets either ( ) or ( ). A similar chosen-ciphertext attack applies to all the others.
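The bit-flip on this slide, run inside the CCA experiment, as an added example (not code from the slides or from Katz and Lindell). The scheme is the PRF construction of Theorem 3.25 with HMAC-SHA256 as F and n = 32 bytes; the adversary flips the first bit of the second ciphertext component (the one that carries F_k(r) XOR m), which is this example's reading of "the first bit of" the ciphertext, and the names cca_adversary, run_cca_experiment, enc_auth and dec_auth are assumptions of the example. run_cca_experiment returns the adversary's guess, which always equals the hidden bit: the decryption oracle answers because the modified ciphertext is not the challenge itself. The enc_auth/dec_auth pair is not on the slides; it is the standard remedy (a MAC over the ciphertext, checked before decrypting), included so the same malleation can be seen being refused.

```python
import hashlib
import hmac
import os

N = 32  # n in bytes; HMAC-SHA256 plays the pseudorandom function F_k (assumption)


def prf(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(k: bytes, m: bytes) -> bytes:
    """The PRF scheme of Theorem 3.25: c = (r, F_k(r) XOR m), serialised as r || s."""
    r = os.urandom(N)
    return r + xor(prf(k, r), m)


def dec(k: bytes, c: bytes) -> bytes:
    return xor(prf(k, c[:N]), c[N:])


def flip_first_bit(data: bytes) -> bytes:
    return bytes([data[0] ^ 0x80]) + data[1:]


def cca_adversary(challenge: bytes, m0: bytes, m1: bytes, dec_oracle) -> int:
    """The attack from the slide. Flipping the first bit of s = F_k(r) XOR m flips the
    first bit of the plaintext the oracle returns, so the adversary asks about a ciphertext
    that differs from the challenge (allowed by the experiment) and learns which message
    was encrypted. Returns the guessed bit."""
    r, s = challenge[:N], challenge[N:]
    modified = r + flip_first_bit(s)
    assert modified != challenge              # the one query the oracle would refuse
    m_prime = dec_oracle(modified)
    return 0 if m_prime == flip_first_bit(m0) else 1


def run_cca_experiment(b: int, m0: bytes, m1: bytes) -> int:
    """The CCA indistinguishability experiment: encrypt m_b under a fresh key, give the
    adversary a decryption oracle that refuses the challenge itself, return its guess."""
    k = os.urandom(N)
    challenge = enc(k, m1 if b else m0)

    def dec_oracle(c: bytes) -> bytes:
        if c == challenge:
            raise ValueError("decryption of the challenge ciphertext is not allowed")
        return dec(k, c)
    return cca_adversary(challenge, m0, m1, dec_oracle)


# Hardened variant (not on the slides): encrypt-then-MAC. A tag over the whole ciphertext is
# verified before anything is decrypted, so a modified ciphertext gets no plaintext back at all.
def enc_auth(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    c = enc(k_enc, m)
    return c + hmac.new(k_mac, c, hashlib.sha256).digest()


def dec_auth(k_enc: bytes, k_mac: bytes, c: bytes):
    body, tag = c[:-N], c[-N:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        return None                            # tampered or forged: refuse to decrypt
    return dec(k_enc, body)
```

The experiment never needs the key on the adversary's side: the guess comes entirely from one decryption query on a ciphertext that is one bit away from the challenge, which is exactly the freedom CCA grants and CPA does not. With dec_auth the same one-bit change fails the tag check and the oracle returns None, so the adversary learns nothing from the query.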