Lecturer: Moni Naor

Foundations of CryptographyLecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes Lecturer:Moni Naor

Recap of last week’s lecture • Pseudo-random functions constructions • Pseudo-random function applications • Pseudo-random Permutation Motivation nad Definition • Feistal Permutations

Good question on pseudo-random functions Want to construct a pseudo-random permutation on very large domain, from one on large domain • FS: {0,1}n {0,1}m • Construct F’S’: {0,1}n’  {0,1}m Idea: let H a family of universal hash functions where • h: {0,1}n’  {0,1}n for h 2 H • for any x  x’ we have Probh 2 H h(x) = h(x’) · Then F’S,h(x) =FS (h(x)) What can you say about the quality of F’

Block-Ciphers: Shared-key encryption schemes where: The encryption of every plaintext block is a ciphertext block of the same length. Plaintext Key BC Ciphertext Pseudo-Random Permutations

Block Ciphers Advantages • Saves up on memory and communication bandwidth • Easy to incorporate within existing systems. Main Disadvantage • Every block is always encrypted in the same way. • Important Examples: DES, AES

Modeling Block Ciphers • Pseudo-random Permutations F : 0,1k  0,1n  0,1n Key Domain Range F-1: 0,1k  0,1n  0,1n Key Range Domain Want: • X= FS-1 (FS (X)) • Correct inverse • Efficiently computable

The Test The tester Athat can choose adaptively • X1and get Y1= FS (X1) • Y2and get X2= FS-1(Y2) … • Xqand get Yq= FS (Xq) • Then A has to decide whether • FS RΦk or • FS R P(n)= F|1-1F:0,1n  0,1n  Can choose to evaluate or invert any point!

(t,,q)-pseudo-random For a function F chosen at random from (1) Φk={FS | S0,1k  (2)P(n)=  F|1-1F:0,1n  0,1n  For all t-time machines A that choose qlocations and try to distinguish (1) from (2)  PrA= ‘1’  FR Fk - PrA= ‘1’  FRP(n)  

Construction of Pseudo-Random Permutations • Possible to construct pseudo-random permutations from pseudo-random functions (and vice versa...) • Based on 4 Feistal Permutations

Feistal Permutation Any function f:0,1n  0,1n defines a Feistal Permutation 0,12n  0,12n Df(L,R)=(R, Lf(R)) Feistal permutations are as easy to invert as to compute: Df-1(L,R)=(Rf(L),L) Many Block Cipher based on such permutations, where the functionfis derived from secret key

L1 R1 f L2 R2 Feistal Permutation Df(L1,R1)=(R1, L1f(R1)) Df-1(L2,R2)=(R2f(L2),L2)

Composing Feistal Permutations • Make the function f:0,1n  0,1n a pseudo-random function FS RΦk • This defines a keyed family of permutations 0,12n  0,12n • Clearly it is not pseudo-random • Right block goes unchanged to left block What about composing two such keyed permutations With independent keys • Not pseudo-random: DS2(DS1(L,R))= (FS1(R)L, FS2(FS1(R)L)R) • For two inputs sharing the same left block • Looks pretty good for random attacks! Protects left block Protects right block

Main Construction Let F1, F2 ,F3 ,F4RPRF, then the composition of DF1, DF2, DF3, DF4is a pseudo-random permutation. • Each Fi :0,1n  0,1n. Resulting Permutation 0,12n  0,12n. • F1and F4can be ``combinatorial”: • pair-wise independent. • low probability of collision on first block • Error probability is ~ q2/2n

Security Theorem h1 D1 D2 Let (1)be the set of permutations obtained when The two middle are Feistal permutations based on truly random functions GS1, GS2 and the first and last are (h1, h2)chosen from a pairwise independent family. (2)P(2n)=  F|1-1F:0,12n  0,12n  Theorem: For any adversary A • not necessarily efficient • that makes at most q queries the advantage in distinguishing between a random permutation from P(2n)and a random one from is at most q2/2n + q2/22n Corollary: the original construction is computationally secure h-12

Back to two permutations For each pair of input and output blocks (L1,R1) is mapped to (L2,R2) if and only if • GS1(R1) = L1 L2 • GS2(L2) = R1  R2 • So we have “one-wise independence”: • Happens with probability 1/22n • Furthermore: for any q pairs h(L11,R11) (L21,R21)i, h(L12,R12) (L22,R22)i, … , h(L1q,R1q) (L2q,R2q)i such that For j i: R1jR1i and L2jL2i The probability that all are mapped to each other is 1/22qn L2 R2 • (GS1(R1)L1, GS2(GS1(R1)L1)R1)

The Transcript • May assume A is deterministic • Since this it is not computationally bounded • The transcript T is the set of pairs of inputs/outputs (X1,Y1), (X2,Y2), … , (Xq,Yq) queries by A • Queries can go either way (evaluate or invert) • Consider a third distribution P of responses if A • asks for F(x) and x appeared before in and <x,y>, query: • answer y • asks for F-1(y) and y appeared before in and <x,y>, query: • answer x • Otherwise answer a random z 0,12n. • P is not always consistent with some permutation • Call the resulting transcript inconsistent

P is close to P Claim: Amay differentiate betweenP and P only if transcript is inconsistent Claim [“inconsistent”]: ProbP[T is inconsistent]  q2/22n Proof: birthday It remains to bound the difference between P and 

The BAD event Thought experiment: choose the functions (h1, h2) also for process P Serves no purpose there If T = (X1,Y1), (X2,Y2), … , (Xq,Yq) is consistent, it is BAD for functions(h1, h2)if there existji such that either • h1(xi)collides with the right half ofh1(xj) • h2(yi)collides with the left half ofh2(yj) BAD event: eitherT is inconsistent orTis BAD for(h1, h2) Claim: ProbP[BAD] q2/2n + q2/22n For a query the probability of collision based on pairwise independence

Key Lemma Lemma: For any adversary A,for any possible value V= (X1,Y1), (X2,Y2), … , (Xq,Yq) ProbP[T=V and not BAD] = ProbG[T=V and not BAD] It is either 2-2qnor 0

Concluding the proof By summing Key Lemma over all transcripts • ProbP[not BAD] = ProbG[not BAD] this implies • ProbP[BAD] = ProbG[BAD] By summing Key Lemma over all transcripts for which A outputs ‘1’: ProbP[A outputs ‘1’ and not BAD] =ProbG[A outputs ‘1’ and not BAD] Hence: ProbP[A outputs ‘1’]-ProbG[A outputs ‘1’] • ProbP [BAD]  q2/2n + q2/22n By the “inconsistent” Claim P and P are close and we are done

The world so far Pseudo-random generators Pseudo-random Functions Signature Schemes One-way functions Two guards Identification Pseudo-random Permutations UOWHFs P  NP • Will soon see: • Computational Pseudorandomness • Shared-key Encryption and Authentication

Other Constructions • Generalized Feistal Permutations • Generalized construction of pseudo-random permutations: • The first and last rounds as before. • The two middle Feistal permutations are replaced with t generalized Feistel permutations. • The distinguishing probability is roughly q2/22(1-1/t)n • Construction of long pseudo-random permutations from short ones: • First and last round combinatorial • In the middle independent applications of the short pseudo-random permutations

Encryption Using Pseudo-Random Permutations • Sender and Receiver share a secret key S R {0,1}k • S defines a function FSFk • What is wrong with encrypting X with FS (x)?

Several settings Shared key vs public key How active is the adversary Sender and receiver want to prevent Eve from learning anything about the message Want to simulate as much as possible the protection that an information theoretic encryption scheme provides Information Theoretic Setting If Eve has some knowledge of m should remain the same Probability of guessing m Min entropy of m Probability of guessing whether m is m0 or m1 Probability of computing some function f of m Ideally: the ciphertext sent is independent of the message m Implies all the above Shannon: achievable only if the entropy of the shared secret is at least as large as the message m entropy If no special knowledge about m then |m| shared bits that may be used once! Definition of the Security of Encryption

To specify security of encryption • The power of the adversary • computational • Probabilistic polynomial time machine (PPTM) • access to the system • Can it change the messages? • What constitute a failure of the system What it means to break the system. • Reading a message • Forging a message?

Computational Security of EncryptionIndistinguishability of Encryptions Indistinguishability of encrypted strings: • AdversaryAchoosesX0 , X1 0,1n • receives encryption ofXb for bR0,1 • has to decide whether b  0 or b  1. For every pptm A, choosing a pairX0, X1 0,1n  PrA ‘1’  b  1 - PrA ‘1’  b  0  is negligible. Probability is over the choice of keys, randomization in the encryption and A‘s coins. In other words: encryptions ofX0, X1 are indistinguishable Quantification over the choice ofX0, X1 0,1n

Computational Security of EncryptionSemantic Security Whatever Adversary A can compute on encrypted string X0,1n, so can A’ that does not see the encryption of X, yet simulates A’s knowledge with respect to X A selects: • Distribution Dn on0,1n • Relation R(X,Y) - computable in probabilistic polynomial time For every pptmA choosing a distributionDn on0,1n there is an pptmA’so that for all pptm relation R forXR Dn  PrR(X,A(E(X)) - PrR(X,A’())  is negligible In other words: The outputs of A andA’are indistinguishable even for a tester who is aware of X Note: presentation of semantic security is non-standard (but equivalent)

A: Dn A’: Dn X 2R Dn E(X) . A A’ X Y X Y R R ¼

What is a public-key encryption scheme • Allows Alice to publish public key KP while keeping hidden a secret key KS Key generation: G:{0,1}*{0,1}*x{0,1}* outputtingKP (Public) and KS (secret) • ``Anyone” who is given KP and m can encrypt it Encryption: a method E:{0,1}* x {0,1}* x {0,1}* {0,1}* taking public key KP, message (plaintext) m, random coins r and outputs an encrypted message (ciphertext). • Given a ciphertext and secret key it is possible to decrypt it Decryption: a method D:{0,1}* x {0,1}* x {0,1}* {0,1}* taking secret key KS, public key KP, and ciphertext c and outputs a plaintext m. Require D(KS, KP, E(KP, m, r)) = m

Equivalence of Semantic Security and Indistinguishability of Encryptions • Would like to argue their equivalence • Must define the attack • Otherwise cannot fully talk about an attack • Chosen plaintext attacks • Adversary can obtain the encryption of any message it wishes • In an adaptive manner • Certainly feasible in a public-key setting • Minimal one that makes sense there • What about shared-key encryption? • More severe attacks • Chosen ciphertext Encryption process must be probabilistic!

Security of public key cryptosystems:exact timing • Adversary A gets public key KP • Then A can mount an adaptive attack • No need for further interaction since can do all the encryption on its own • Then A chooses • In semantic security: the distribution Dnand the relation R • In indistinguishability of encryptions: the pair X0, X1 0,1n • Then A is given the test • In semantic security: E(KP, X ,r) for XR Dnand rR 0,1m • In indistinguishability of encryptions: E(KP,Xb, r) for bR0,1and rR0,1m

The Equivalence Theorem • For adaptive chosen plaintext attack in a public key setting a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property

Equivalence Proof If a scheme has the indistinguishability property, then it is semantically secure: • Suppose not, and A chooses • some distribution Dn • some relation R • Choose X0, X1 R Dnand run A twice on • C0 = E(KP, X0 ,r0) call the output Y0 • C1 = E(KP, X1 ,r1) call the output Y1 • For X0, X1 R Dnlet • 0 = Prob[R(X0, Y0)] • 1 = Prob[R(X0, Y1)] • If |0-1| is not negligible: can distinguish between encryption of X0of X1 • Contradicting the indistinguishability property • If |0-1| is negligible: can run A’ with no access to real ciphertext • sample X’R Dnand C’ = E(KP, X’, r) • Run A on C’and output Y’ Here we Use the power to generate encryptions

For X0, X1 R Dnlet 0 = Prob[R(X0, Y0)] 1 = Prob[R(X0, Y1)] If |0-1| is not negligible: can distinguish between encryption of X0of X1 Contradicting the indistinguishability property Equivalence Proof E(Xb) A X0 Y R

For X0, X1 R Dnlet 0 = Prob[R(X0, Y0)] 1 = Prob[R(X0, Y1)] If |0-1| is negligible: can run A’ with no access to real ciphertext sample X’R Dnand C’=E(KP, X’, r) Run A on C’and output Y’ A’ Equivalence Proof X’ E(X) E(X’) A A X Y X Y’ R R

Equivalence Proof… If a scheme is semantically secure, then it has the indistinguishability of encryptions property: • Suppose not, and A chooses • A pair X0, X10,1n • For which it can distinguish with advantage  • Choose • Distribution Dn= {X0, X1} • Relation R which is “equality with X” • For any A’ that does not get C = E(KP,X, r) and outputs Y’ ProbA’[R(X, Y’)] = ½ • By simulating A and outputting Y= Xb for guess b0,1 ProbA[R(X, Y)] ¸ ½ +  Even if A’ is computationally unbounded

Similar setting • The same proof works for the shared key case with adaptive chosen plaintext attack • ``Standard” definition of semantic security: • Instead of A trying to find Y such that R(X,Y),A tries to find Y such that • Y=f(X) • f is any function (not necessarily polynomial time computable) • In spite of difference equivalent to our definition

What happens if… • There is extra information about X: • Both A and A’ get h(X) for some polynomial time computable function h • h might not be invertible • Relation R is not polynomial time • Try to encrypt information about the secret key

When is each definition useful • Semantic security seems to convey that the message is protected • Not the strongest possible definition • Easier to prove indistinguishability of encryptions

Sources • Luby-Rackoff: How to construct pseudorandom permutations from pseudorandom functions, SIAM J. Computing, 1988. • Naor-Reingold: Luby-Rackoff Revisited, Journal of Cryptology, 1999. • Goldwasser-Micali: Probabilistic Encryption, Journal of Computer and System Sciences, 1984. • Goldreich’s Foundations of Cryptography, volume 2

Lecturer: Moni Naor