
Foundations of Cryptography Lecture 11

Foundations of Cryptography, Lecture 11. Lecturer: Moni Naor. Recap of Lecture 10: pseudo-randomness of subset sum, composing pseudo-random generators, hybrid arguments, the next-bit test, pseudo-random functions.



  1. Foundations of Cryptography, Lecture 11. Lecturer: Moni Naor

  2. Recap of Lecture 10
  • Pseudo-randomness of subset sum
  • Composing pseudo-random generators
  • Hybrid arguments
  • The next-bit test
  • Pseudo-random functions

  3. Next-bit Test
  Definition: a function g: {0,1}* → {0,1}* is said to pass the next-bit test if
  • It is polynomial time computable
  • It stretches the input: |g(x)| > |x|; denote by ℓ(n) the length of the output on inputs of length n
  • If the input (seed) is random, then the output passes the next-bit test: for any prefix 0 ≤ i < ℓ(n), for any probabilistic polynomial time adversary A that receives the first i bits of y = g(x) and tries to guess the next bit, for any polynomial p(n) and sufficiently large n
  |Prob[A(y1, y2, …, yi) = yi+1] – 1/2| < 1/p(n)
  Theorem: a function g: {0,1}* → {0,1}* passes the next-bit test if and only if it is a pseudo-random generator

  4. Next-block Unpredictable
  Suppose that the function G maps a given seed into a sequence of blocks y1, y2, …; let ℓ(n) be the number of blocks given a seed of length n
  • If the input (seed) is random, then the output passes the next-block unpredictability test: for any prefix 0 ≤ i < ℓ(n), for any probabilistic polynomial time adversary A that receives the first i blocks of y = G(x) and tries to guess the next block yi+1, for any polynomial p(n) and sufficiently large n
  |Prob[A(y1, y2, …, yi) = yi+1]| < 1/p(n)
  Homework: show how to convert a next-block unpredictable generator into a pseudo-random generator.
  [Figure: G maps the seed S to the block sequence y1 y2 …]

  5. Pseudo-Random Generators, concrete version
  Gn: {0,1}^m → {0,1}^n
  A cryptographically strong pseudo-random sequence generator: one that passes all polynomial time statistical tests
  (t,ε)-pseudo-random: no test A running in time t can distinguish with advantage ε

  6. Three Basic Issues in Cryptography
  • Identification
  • Authentication
  • Encryption
  Solve in a shared key environment
  [Figure: parties A and B, each holding the shared key S]

  7. Identification - Remote login using pseudo-random sequence
  A and B share key S ∈ {0,1}^k
  In order for A to identify itself to B
  • Generate sequence Gn(S)
  • For each identification session - send next block of Gn(S)
  [Figure: G expands the seed S into the block sequence Gn(S)]

  8. Problems...
  • More than two parties
  • Malicious adversaries - add noise
  • Coordinating the location (block number)
  • Better approach: Challenge-Response

  9. Challenge-Response Protocol
  • B selects a random location and sends it to A
  • A sends the value at that random location
  [Figure: B to A: "What's this?" (the chosen location); A answers with the block at that location]

  10. Desired Properties
  • Very long string - prevent repetitions
  • Random access to the sequence
  • Unpredictability - cannot guess the value at a random location
  • even after seeing values at many parts of the string of the adversary's choice.
  • Pseudo-randomness implies unpredictability
  • Not the other way around for blocks

  11. Authenticating Messages
  • A wants to send message M ∈ {0,1}^n to B
  • B should be confident that A is indeed the sender of M
  One-time application: S = (a,b) - where a,b ∈R {0,1}^n
  To authenticate M: supply a·M ⊕ b
  Computation is done in GF[2^n]
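The one-time authentication scheme of this slide, worked through as an added example (not code from the lecture): field arithmetic in GF[2^n] for n = 128 under the reduction polynomial x^128 + x^7 + x^2 + x + 1 (the choice of n and of the polynomial are assumptions of the example; the slide only says GF[2^n]), the tag a·M ⊕ b, its verification, and the reason the key is one-time: two tags under the same (a,b) on different messages determine a.

```python
import secrets

# Elements of GF[2^N] are ints; bit i is the coefficient of x^i.
# Reduction polynomial x^128 + x^7 + x^2 + x + 1 (assumption of this example).
N = 128
LOW_POLY = (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^7 + x^2 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication of a and b, reduced modulo the field polynomial."""
    assert 0 <= a < (1 << N) and 0 <= b < (1 << N)
    product = 0
    while b:
        if b & 1:
            product ^= a
        b >>= 1
        a <<= 1
        if a >> N:                       # degree reached 128: subtract the modulus
            a ^= (1 << N) | LOW_POLY
    return product


def gf_inv(a: int) -> int:
    """Inverse of a non-zero element by Fermat: a^(2^N - 2)."""
    assert a != 0
    result, exponent = 1, (1 << N) - 2
    while exponent:
        if exponent & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exponent >>= 1
    return result


def keygen():
    """One-time key S = (a, b) with a, b chosen uniformly from {0,1}^n."""
    return secrets.randbits(N), secrets.randbits(N)


def mac(key, message: int) -> int:
    """Tag for M: a*M xor b, computed in GF[2^n]."""
    a, b = key
    return gf_mul(a, message) ^ b


def verify(key, message: int, tag: int) -> bool:
    """B recomputes the tag from the shared (a, b) and compares."""
    return mac(key, message) == tag


def key_reuse_leaks_a(m1: int, t1: int, m2: int, t2: int) -> int:
    """Why the key is one-time: t1 xor t2 = a*(m1 xor m2), so with m1 != m2
    the difference is invertible in the field and a is determined."""
    return gf_mul(t1 ^ t2, gf_inv(m1 ^ m2))


if __name__ == "__main__":
    key = keygen()
    m = secrets.randbits(N)            # constructed sample message
    print(verify(key, m, mac(key, m)))  # True
```

For a single message the tag is a·M ⊕ b with b masking a·M, which is what makes it a one-time scheme; the last function shows that a second tag under the same key removes that mask.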

  12. Problems and Solutions
  • Problems - same as for identification
  • If a very long random string is available -
  • can use for one-time authentication
  • Works even if only random looking a,b
  [Figure: A and B share the long random-looking string - "Use this!"]

  13. Encryption of Messages
  • A wants to send message M ∈ {0,1}^n to B
  • only B should be able to learn M
  One-time application: S = a - where a ∈R {0,1}^n
  To encrypt M send a ⊕ M

  14. Encryption of Messages
  • If a very long random looking string is available -
  • can use as in one-time encryption
  [Figure: A and B share the long random-looking string - "Use this!"]

  15. Pseudo-random Functions
  Concrete Treatment: F: {0,1}^k × {0,1}^n → {0,1}^m (key × Domain → Range)
  Denote Y = FS(X)
  A family of functions Φk = {FS | S ∈ {0,1}^k} is (t, ε, q)-pseudo-random if it is
  • Efficiently computable - random access and...

  16. (t,ε,q)-pseudo-random
  The tester A can choose adaptively
  • X1 and get Y1 = FS(X1)
  • X2 and get Y2 = FS(X2)
  …
  • Xq and get Yq = FS(Xq)
  • Then A has to decide whether
  • FS ∈R Φk or
  • FS ∈R R(n→m) = {F | F: {0,1}^n → {0,1}^m}

  17. (t,ε,q)-pseudo-random
  For a function F chosen at random from
  (1) Φk = {FS | S ∈ {0,1}^k}
  (2) R(n→m) = {F | F: {0,1}^n → {0,1}^m}
  For all t-time machines A that choose q locations and try to distinguish (1) from (2)
  |Prob[A = '1' | F ∈R Φk] – Prob[A = '1' | F ∈R R(n→m)]| ≤ ε

  18. Equivalent/Non-Equivalent Definitions
  • Instead of next-bit test: for X ∉ {X1, X2, …, Xq} chosen by A, decide whether the given Y is
  • Y = FS(X) or
  • Y ∈R {0,1}^m
  • Adaptive vs. Non-adaptive
  • Unpredictability vs. pseudo-randomness
  • A pseudo-random sequence generator g: {0,1}^m → {0,1}^n ≡ a pseudo-random function on the small domain {0,1}^(log n) → {0,1} with key in {0,1}^m

  19. Application to the basic issues in cryptography
  Solution using a shared key S
  Identification: B to A: X ∈R {0,1}^n; A to B: Y = FS(X); A verifies
  Authentication: A to B: Y = FS(M) (note: replay attack)
  Encryption: A chooses X ∈R {0,1}^n; A to B: <X, Y = FS(X) ⊕ M>
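The three shared-key solutions of this slide, written out as an added example (not code from the lecture). It assumes HMAC-SHA256 as a stand-in for the abstract pseudo-random function FS and a block length of n = 256 bits; both are assumptions of the example. The last function makes the slide's replay remark concrete: the authentication tag depends on M alone, so a recorded (M, Y) pair verifies again when it is presented a second time.

```python
import hashlib
import hmac
import secrets

N_BYTES = 32   # block length n = 256 bits (assumption of this example)


def prf(key: bytes, x: bytes) -> bytes:
    """Stand-in for F_S(X): HMAC-SHA256, assumed here to behave as a PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Identification: B to A: X in_R {0,1}^n;  A to B: Y = F_S(X);  the receiver checks Y.
def challenge() -> bytes:
    return secrets.token_bytes(N_BYTES)


def respond(key: bytes, x: bytes) -> bytes:
    return prf(key, x)


def check_response(key: bytes, x: bytes, y: bytes) -> bool:
    return hmac.compare_digest(prf(key, x), y)


# Authentication: A to B: Y = F_S(M)
def authenticate(key: bytes, m: bytes) -> bytes:
    return prf(key, m)


def check_auth(key: bytes, m: bytes, y: bytes) -> bool:
    return hmac.compare_digest(prf(key, m), y)


# Encryption: A chooses X in_R {0,1}^n and sends <X, Y = F_S(X) xor M>
def encrypt(key: bytes, m: bytes):
    assert len(m) == N_BYTES, "one n-bit block of M per fresh X"
    x = secrets.token_bytes(N_BYTES)
    return x, xor(prf(key, x), m)


def decrypt(key: bytes, x: bytes, c: bytes) -> bytes:
    return xor(prf(key, x), c)


def replayed_tag_still_verifies(key: bytes, m: bytes, y: bytes) -> bool:
    """The replay caveat: Y = F_S(M) carries nothing tying it to one session,
    so the same (M, Y) is accepted on every presentation."""
    first = check_auth(key, m, y)
    second = check_auth(key, m, y)      # a recorded copy, presented again
    return first and second


if __name__ == "__main__":
    s = secrets.token_bytes(32)          # shared key S (constructed)
    x = challenge()
    print(check_response(s, x, respond(s, x)))   # True
```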

  20. Goal
  • Construct an ensemble {Φk | k ∈ L} such that
  • for any {tk, 1/εk, qk | k ∈ L} polynomial in k, for all but finitely many k's, Φk is a (tk, εk, qk)-pseudo-random family

  21. Construction
  • Construction via Expansion
  • Expand n or m
  • Direct constructions

  22. Effects of Concatenation
  Given ℓ functions F1, F2, …, Fℓ decide whether they are
  • ℓ random and independent functions OR
  • FS1, FS2, …, FSℓ for S1, S2, …, Sℓ ∈R {0,1}^k
  Claim: If Φk = {FS | S ∈ {0,1}^k} is (t,ε,q)-pseudo-random, one cannot distinguish the two cases
  • using q queries
  • in time t' = t – ℓq
  • with advantage better than ℓε

  23. Proof: Hybrid Argument
  • i = 0: FS1, FS2, …, FSℓ (acceptance probability p0)
  …
  • i: R1, R2, …, Ri-1, FSi, FSi+1, …, FSℓ (acceptance probability pi)
  …
  • i = ℓ: R1, R2, …, Rℓ (acceptance probability pℓ)
  |pℓ – p0| ≥ ε ⇒ ∃i |pi+1 – pi| ≥ ε/ℓ

  24. ...Hybrid Argument
  Can use this i to distinguish whether
  • FS ∈R Φk or FS ∈R R(n→m)
  • Generate FSi+1, …, FSℓ
  • Answer queries to the first i-1 functions at random (consistently)
  • Answer queries to FSi using the (black box) input
  • Answer queries to functions i+1 through ℓ with FSi+1, …, FSℓ
  Running time of test - t' + ℓq

  25. Doubling the domain
  • Suppose F(n): {0,1}^k × {0,1}^n → {0,1}^m which is (t,ε,q)-p.r.
  • Want F(n+1): {0,1}^k × {0,1}^(n+1) → {0,1}^m which is (t',ε',q')-p.r.
  Use G: {0,1}^k → {0,1}^(2k) which is (t,ε)-p.r.; write G(S) = G0(S) G1(S)
  Let F(n+1)_S(bx) = F(n)_(Gb(S))(x)

  26. Claim
  If G is (t+q, ε1)-p.r. and F(n) is (t+2q, ε2, q)-p.r., then F(n+1) is (t, ε1 + 2ε2, q)-p.r.
  Proof: three distributions
  (1) F(n+1)
  (2) F(n)_S0, F(n)_S1 for independent S0, S1
  (3) Random
  Distinguishing advantage D ≥ ε1 + 2ε2

  27. ...Proof
  Given that (1) and (3) can be distinguished with advantage ε1 + 2ε2, then either
  • (1) and (2) with advantage ε1 ⇒ G can be distinguished with advantage ε1, or
  • (2) and (3) with advantage 2ε2 ⇒ F(n) can be distinguished with advantage ε2
  Running time of test - t' + q

  28. Getting from G to F(n)
  Idea: Use recursive construction
  F(n)_S(bn bn-1 … b1) = F(n-1)_(Gbn(S))(bn-1 bn-2 … b1) = Gb1(Gb2(… Gbn(S) …))
  Each evaluation of F(n)_S(x): n invocations of G

  29. Tree Description
  [Figure: binary tree with root S; children G0(S) and G1(S); grandchildren such as G0(G0(S)); leaves such as G1(G0(G0(S)))]
  Each leaf corresponds to an X. Label on leaf – value of pseudo-random function
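The tree construction of slides 25, 28 and 29, as an added example that is not code from the lecture: a length-doubling G built from SHA-256 (an assumption of the example; the slides treat G as an abstract pseudo-random generator), the recursion F(n+1)_S(bx) = F(n)_(Gb(S))(x) written literally and as the iterative walk it unrolls to, and the labelled tree of slide 29. Seed length k = 256 bits is also an assumption.

```python
import hashlib

K = 32   # seed length k in bytes (256 bits); assumption of this example


def G(seed: bytes) -> bytes:
    """Length-doubling generator G: {0,1}^k -> {0,1}^2k.  SHA-256 of seed||0 and
    seed||1 stands in for a pseudo-random generator (assumption)."""
    assert len(seed) == K
    return (hashlib.sha256(seed + b"\x00").digest()
            + hashlib.sha256(seed + b"\x01").digest())


def G0(seed: bytes) -> bytes:
    return G(seed)[:K]          # left half, G_0(S)


def G1(seed: bytes) -> bytes:
    return G(seed)[K:]          # right half, G_1(S)


def prf(seed: bytes, x: str) -> bytes:
    """F(n)_S(b_n ... b_1) for x given as a bit string, most significant bit first:
    walk from the root down the path spelled by x; n invocations of G for n bits."""
    node = seed
    for bit in x:
        assert bit in "01"
        node = G1(node) if bit == "1" else G0(node)
    return node


def prf_recursive(seed: bytes, x: str) -> bytes:
    """The recursion F(n+1)_S(bx) = F(n)_{G_b(S)}(x) written literally."""
    if x == "":
        return seed
    b, rest = x[0], x[1:]
    return prf_recursive(G1(seed) if b == "1" else G0(seed), rest)


def tree_labels(seed: bytes, depth: int) -> dict:
    """Labels of every node down to the given depth, keyed by the path from the root
    (the root is "", its children "0" and "1", and so on); leaves are PRF values."""
    labels = {"": seed}
    frontier = [""]
    for _ in range(depth):
        next_frontier = []
        for path in frontier:
            labels[path + "0"] = G0(labels[path])
            labels[path + "1"] = G1(labels[path])
            next_frontier += [path + "0", path + "1"]
        frontier = next_frontier
    return labels


def invocations(x: str) -> int:
    """Cost of one evaluation: one call to G per input bit."""
    return len(x)


if __name__ == "__main__":
    s = b"\x07" * K                       # constructed seed
    print(prf(s, "1011").hex())           # a leaf label of the depth-4 tree
```

Random access follows directly from the walk: any leaf is reached with n calls to G without computing the rest of the tree, which is the property slide 10 asked for.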

  30. Security claim
  If G is (t + qn, ε)-p.r., then F(n) is (t, ε' = nqε, q)-p.r.
  Proof: Hybrid argument by levels Di:
  • truly random labels for nodes at level i.
  • Pseudo-random from i down
  Each Di - a collection of q functions
  ∃i |pi+1 – pi| ≥ ε'/n = qε

  31. Hybrid
  [Figure: hybrid Di: the nodes at level i (e.g. S0, S1) receive truly random labels; the n–i levels below them are derived pseudo-randomly, e.g. G0(S0), G1(G0(S0))]

  32. …Proof of Security
  • Can use this i to distinguish the concatenation of q sequence generators G from random.
  • The concatenation is (t, qε)-p.r.
  Therefore the construction is (t, ε', q)-p.r.

  33. Disadvantages
  • Expensive - n invocations of G
  • Sequential
  • Deterioration of ε
  But does the job! From any pseudo-random sequence generator construct a pseudo-random function.
  Theorem: one-way functions exist if and only if pseudo-random functions exist.

  34. Applications of Pseudo-random Functions
  • Learning Theory - lower bounds
  • Cannot PAC learn any class containing pseudo-random functions
  • Complexity Theory - impossibility of natural proofs for separating classes.
  • Any setting where a huge shared random string is useful
  • Caveat: what happens when the seed is made public?

  35. Application to Signatures
  • Shared secret seed - can get authentication
  • What about public-key? Can we use the techniques?
  • Yes!?
  • Private key is S
  • Public key is a commitment to FS
  • To sign M - provide FS(M) and a proof of consistency with the commitment

  36. Pseudo-Random Permutations
  Block-Ciphers: Shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.
  [Figure: Plaintext and Key enter the block cipher BC; Ciphertext comes out]

  37. Block Ciphers
  Advantages
  • Saves on memory and communication bandwidth
  • Easy to incorporate within existing systems.
  Main Disadvantage
  • Every block is always encrypted in the same way.
  • Important Examples: DES, AES

  38. Modeling Block Ciphers
  • Pseudo-random Permutations
  F: {0,1}^k × {0,1}^n → {0,1}^n (Key × Domain → Range)
  F^-1: {0,1}^k × {0,1}^n → {0,1}^n (Key × Range → Domain)
  Want:
  • X = FS^-1(FS(X))
  • Correct inverse
  • Efficiently computable

  39. The Test
  The tester A can choose adaptively
  • X1 and get Y1 = FS(X1)
  • Y2 and get X2 = FS^-1(Y2)
  …
  • Xq and get Yq = FS(Xq)
  • Then A has to decide whether
  • FS ∈R Φk or
  • FS ∈R P(n) = {F | 1-1 F: {0,1}^n → {0,1}^n}
  Can choose to evaluate or invert any point!

  40. (t,ε,q)-pseudo-random
  For a function F chosen at random from
  (1) Φk = {FS | S ∈ {0,1}^k}
  (2) P(n) = {F | 1-1 F: {0,1}^n → {0,1}^n}
  For all t-time machines A that choose q locations and try to distinguish (1) from (2)
  |Pr[A = '1' | F ∈R Φk] – Pr[A = '1' | F ∈R P(n)]| ≤ ε

  41. Construction of Pseudo-Random Permutations
  • Possible to construct a p.r. permutation from p.r. functions (and vice versa..)
  • Based on 4 Feistel Permutations

  42. Feistel Permutation
  Any f: {0,1}^n → {0,1}^n defines a Feistel permutation Df(L,R) = (R, L ⊕ f(R))
  Feistel permutations are as easy to invert as to compute: Df^-1(L,R) = (R ⊕ f(L), L)
  Many block ciphers are based on such permutations, where the function f is derived from the secret key

  43. Feistel Permutation
  [Figure: one round: input halves L1, R1; R1 goes through f; output L2 = R1, R2 = L1 ⊕ f(R1)]

  44. Composing Feistel Permutations
  • Make the function f: {0,1}^n → {0,1}^n a pseudo-random function FS ∈R Φk = {FS | S ∈ {0,1}^k}
  • This defines a keyed family of permutations {0,1}^(2n) → {0,1}^(2n)
  • Clearly it is not pseudo-random
  • Right block goes unchanged to left block
  What about composing two such keyed permutations with independent keys?
  • Not pseudo-random: DS2(DS1(L,R)) = (L ⊕ FS1(R), R ⊕ FS2(L ⊕ FS1(R)))
  • For two inputs sharing the same right block, the left output blocks XOR to the XOR of the left input blocks
  • Looks pretty good for random attacks!

  45. Main Construction
  Let F1, F2, F3, F4 ∈R PRF; then the composition of DF1, DF2, DF3, DF4 is a pseudo-random permutation.
  • Each Fi: {0,1}^n → {0,1}^n; resulting permutation {0,1}^(2n) → {0,1}^(2n).
  • F1 and F4 can be "combinatorial":
  • pair-wise independent.
  • low probability of collision on first block
  • Error probability is ~ q^2/2^n
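Slides 42 to 45 worked through as an added example (not code from the lecture): the Feistel permutation Df and its inverse, the composition of rounds with independent round functions, the structural relation of slide 44 that two rounds leave behind, and the four-round composition of slide 45. The round function uses HMAC-SHA256 truncated to n bits in place of the abstract pseudo-random function FS, with n = 128-bit halves; both are assumptions of the example.

```python
import hashlib
import hmac

HALF = 16   # n = 128-bit halves, so the permutation acts on 2n = 256-bit blocks (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_round_function(key: bytes):
    """A keyed f: {0,1}^n -> {0,1}^n.  HMAC-SHA256 truncated to n bits stands in
    for the pseudo-random function F_S (assumption of this example)."""
    return lambda r: hmac.new(key, r, hashlib.sha256).digest()[:HALF]


def feistel(f, L: bytes, R: bytes):
    """D_f(L,R) = (R, L xor f(R))"""
    return R, xor(L, f(R))


def feistel_inv(f, L: bytes, R: bytes):
    """D_f^-1(L,R) = (R xor f(L), L): inverting costs one f call, like computing."""
    return xor(R, f(L)), L


def compose(fs, L: bytes, R: bytes):
    """D_f1, then D_f2, ... applied to the block (L,R)."""
    for f in fs:
        L, R = feistel(f, L, R)
    return L, R


def compose_inv(fs, L: bytes, R: bytes):
    """Undo compose: the inverses in reverse order."""
    for f in reversed(fs):
        L, R = feistel_inv(f, L, R)
    return L, R


def luby_rackoff(keys):
    """Slide 45: four Feistel rounds with independent round functions F1..F4.
    Returns (encrypt, decrypt) on half-blocks (L, R)."""
    assert len(keys) == 4
    fs = [make_round_function(k) for k in keys]
    return (lambda L, R: compose(fs, L, R)), (lambda L, R: compose_inv(fs, L, R))


def same_right_block_relation(fs, L1: bytes, L2: bytes, R: bytes) -> bool:
    """Slide 44's observation as a test in the sense of slide 39: for inputs (L1,R)
    and (L2,R) the left output halves of two rounds xor to L1 xor L2.  A random
    permutation satisfies this only with probability about 2^-n."""
    out1, _ = compose(fs, L1, R)
    out2, _ = compose(fs, L2, R)
    return xor(out1, out2) == xor(L1, L2)


if __name__ == "__main__":
    keys = [bytes([i]) * 32 for i in range(1, 5)]      # constructed round keys
    enc, dec = luby_rackoff(keys)
    L, R = b"\x01" * HALF, b"\x02" * HALF
    print(dec(*enc(L, R)) == (L, R))                   # True
```

With two rounds the relation holds for every pair of inputs that share a right half; with the four rounds of slide 45 it holds only with the probability a random permutation would give, which is what the composition buys.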

  46. References
  • Blum-Micali: SIAM J. Computing, 1984
  • Yao:
  • Blum, Blum, Shub: SIAM J. Computing, 1988
  • Goldreich, Goldwasser and Micali: J. of the ACM, 1986
  • Luby-Rackoff: SIAM J. Computing, 1988
  • Naor-Reingold: Journal of Cryptology, 1999

  47. ...References
  • O. Goldreich, The Foundations of Cryptography - a book in preparation, www.wisdom.weizmann.ac.il/~oded/foc-book.html
  • M. Luby, Pseudorandomness and Cryptographic Applications, Princeton University Press.
  • S. Goldwasser and M. Bellare, Lecture Notes on Cryptography, www-cse.ucsd.edu/~mihir/papers/gb.html