Foundations of Cryptography Lecture 9: Pseudo-Random Functions and Permutations. Lecturer: Moni Naor.


Foundations of Cryptography
Lecture 9: Pseudo-Random Functions and Permutations.
Lecturer: Moni Naor
Recap of last week’s lecture
• Application of GL Theorem to Pseudo-randomness of
Subset sum
• Hybrid arguments: from single bit expansion to many
bits expansion
• Next Bit unpredictability equivalent to Computational
Pseudo-Randomness
• Why extremely long random looking strings are
useful
• Pseudo-random functions definition
The world so far
[Figure: map of the objects seen so far – $P \neq NP$, one-way functions, pseudo-random generators, UOWHFs, signature schemes, two-guards identification]
Will soon see:
• Computational Pseudorandomness
• Shared-key Encryption and Authentication
Reading Assignment
• Naor and Reingold, From Unpredictability to
Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs, Crypto'98.
www.wisdom.weizmann.ac.il/~naor/PAPERS/mac_abs.html
• Gradwohl, Naor, Pinkas and Rothblum, Cryptographic and
Physical Zero-Knowledge Proof Systems for Solutions of
Sudoku Puzzles
– Especially Section 1-3
www.wisdom.weizmann.ac.il/~naor/PAPERS/sudoku_abs.html
Homework
• How to have a one-time signature scheme with
shorter public keys
– Let f be one-way permutation…
• How to construct
– a signature scheme existentially secure against an
adaptively chosen message attack,
– from a scheme that is existentially secure against a
random message attack.
Pseudo-Random Generators
concrete version
Gn:0,1m 0,1n
Instead of passing all polynomial time statistical tests:
(t,)-pseudo-random - no test A running in time
t can distinguish with advantage 
Recall: Three Basic issues in cryptography
• Identification
• Authentication
• Encryption
Solve in a shared key environment
[Figure: parties A and B, each holding the shared key S]
Identification: remote login using
pseudo-random sequence
A and B share a key $S \in \{0,1\}^k$
In order for A to identify itself to B
• Generate sequence $G_n(S)$
[Figure: the generator G expands the seed S into the long string $G_n(S)$]
• For each identification session: send next block of Gn(S)
Problems...
• More than two parties
• Malicious adversaries - add noise
• Coordinating the location block number
• Better approach: Challenge-Response
Challenge-Response Protocol
• B selects a random location and sends to A
• A sends value at random location
[Figure: the challenge-response exchange between A and B, with an onlooker asking “What’s this?”]
Desired Properties
• Very long string - prevent repetitions
• Random access to the sequence
• Unpredictability - cannot guess the value at a
random location
– even after seeing values at many parts of the string to
the adversary’s choice.
– Pseudo-randomness implies unpredictability
• Not the other way around for blocks
Authenticating Messages
• A wants to send message $M \in \{0,1\}^n$ to B
• B should be confident that A is indeed the sender of
M
One-time application:
$S = (a, b)$: where $a, b \in_R \{0,1\}^n$
To authenticate M: supply $a \cdot M \oplus b$
Computation is done in $GF[2^n]$
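The one-time authenticator $a \cdot M \oplus b$ worked through in code, as an added example that is not part of the lecture slides. It fixes n = 8 and the polynomial $x^8 + x^4 + x^3 + x + 1$ as an assumed concrete choice of $GF[2^n]$ (the slides fix no particular field), and goes one step beyond the slide by counting, over all keys consistent with one authenticated message, how many would also accept a forged tag on a different message: exactly one, so a forger's success probability after a single use is $1/2^n$.

```python
# Added example, not from the lecture slides: the one-time authentication
# tag a*M + b over GF(2^n), with n = 8 and the polynomial x^8+x^4+x^3+x+1
# as an assumed concrete choice (the slides fix no particular field).
import secrets

N = 8
MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(x: int, y: int) -> int:
    """Multiply two elements of GF(2^N): carry-less product reduced by MODULUS."""
    result = 0
    while y:
        if y & 1:
            result ^= x
        y >>= 1
        x <<= 1
        if x >> N:            # degree reached N: subtract (XOR) the modulus
            x ^= MODULUS
    return result


def keygen() -> tuple[int, int]:
    """One-time key S = (a, b) with a, b uniform in {0,1}^N."""
    return secrets.randbelow(1 << N), secrets.randbelow(1 << N)


def tag(key: tuple[int, int], m: int) -> int:
    """Authenticator for message m: a*m + b in GF(2^N)."""
    a, b = key
    return gf_mul(a, m) ^ b


def verify(key: tuple[int, int], m: int, t: int) -> bool:
    return tag(key, m) == t


def consistent_keys(m: int, t: int) -> list[tuple[int, int]]:
    """All keys (a, b) under which message m carries tag t.

    For every choice of a there is exactly one b = t + a*m, so after seeing
    one authenticated message the key is still uniform over 2^N candidates.
    """
    return [(a, t ^ gf_mul(a, m)) for a in range(1 << N)]


def forge_success_count(m: int, t: int, m2: int, t2: int) -> int:
    """How many keys consistent with (m, t) also accept (m2, t2), m2 != m.

    a*(m xor m2) = t xor t2 has a unique solution a because m xor m2 is a
    nonzero field element, so exactly one candidate key accepts the forgery:
    the forger's success probability after one use is 1/2^N.
    """
    assert m2 != m
    return sum(1 for key in consistent_keys(m, t) if verify(key, m2, t2))


if __name__ == "__main__":
    key = keygen()
    msg = 0x3C                        # constructed sample message
    t = tag(key, msg)
    print("tag verifies:", verify(key, msg, t))
    print("keys consistent with one tag:", len(consistent_keys(msg, t)))
    print("of those, keys accepting a forged (0x5A, 0x11):",
          forge_success_count(msg, t, 0x5A, 0x11))
```

The same counting argument shows why the scheme is one-time: a second authenticated message pins down a (and hence b) uniquely.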
Problems and Solutions
• Problems - same as for identification
• If a very long random string available – can use for one-time authentication
– Works even if only random looking
[Figure: A and B share (a, b); annotation “Use this!” on the shared string]
Encryption of Messages
• A wants to send message $M \in \{0,1\}^n$ to B
• only B should be able to learn M
One-time application:
$S = a$: where $a \in_R \{0,1\}^n$
To encrypt M send $a \oplus M$
Encryption of Messages
• If a very long random looking string available – can use as in one-time encryption
[Figure: A and B share the long random-looking string; annotation “Use this!”]
Pseudo-random Function
• A way to provide an extremely long shared string
Pseudo-random Functions
Concrete Treatment:
F: 0,1k  0,1n  0,1m
key
Domain
Range
Denote Y= FS (X)
A family of functions Φk ={FS | S0,1k  is
(t, , q)-pseudo-random if it is
• Efficiently computable - random access
and...
(t,,q)-pseudo-random
The tester A that can choose adaptively
– X1 and gets Y1= FS (X1)
– X2 and gets Y2 = FS (X2 )
…
– Xq and gets Yq= FS (Xq)
• Then A has to decide whether
– FS R Φk or
– FS R R n  m =  F | F :0,1n  0,1m 
(t,,q)-pseudo-random
For a function F chosen at random from
(1) Φk ={FS | S0,1k 
(2) R n  m =  F | F :0,1n  0,1m 
For all t-time machines A that choose q locations
and try to distinguish (1) from (2)
 ProbA ‘1’  FR Φk 
- ProbA ‘1’  FR R
nm
 
Equivalent/Non-Equivalent Definitions
• Instead of next bit test: for $X \notin \{X_1, X_2, \ldots, X_q\}$
chosen by A, decide whether given Y is
– $Y = F_S(X)$ or
– $Y \in_R \{0,1\}^m$
• Adaptive vs. Non-adaptive
• Unpredictability vs. pseudo-randomness
• A pseudo-random sequence generator
$g: \{0,1\}^m \to \{0,1\}^n$
– a pseudo-random function on small domain $\{0,1\}^{\log n} \to \{0,1\}$
with key in $\{0,1\}^m$
Application to the basic issues in cryptography
Solution using a shared key S
Identification:
B to A: $X \in_R \{0,1\}^n$
A to B: $Y = F_S(X)$
B verifies
Authentication:
A to B: $Y = F_S(M)$
(caveat: replay attack)
Encryption:
A chooses $X \in_R \{0,1\}^n$
A to B: $\langle X,\; Y = F_S(X) \oplus M \rangle$
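The three shared-key protocols above, as an added example that is not part of the lecture slides. HMAC-SHA256 stands in for the pseudo-random function $F_S$ (an assumption; the slides build $F$ from a generator later in the lecture). The encryption part goes slightly beyond the single-block slide scheme by deriving one pad block $F_S(X \| i)$ per 32 bytes of message, which is the natural extension once $F_S$ has a fixed output length.

```python
# Added example, not from the lecture slides: shared-key identification,
# authentication and encryption built on a PRF. HMAC-SHA256 stands in for
# F_S (assumption); all keys and messages below are constructed samples.
import hashlib
import hmac
import secrets

BLOCK = 32   # output length of the stand-in PRF, in bytes


def prf(key: bytes, x: bytes) -> bytes:
    """F_S(X): HMAC-SHA256 as the pseudo-random function (assumption)."""
    return hmac.new(key, x, hashlib.sha256).digest()


# Identification: B sends a random X, A answers F_S(X), B recomputes it.
def challenge() -> bytes:
    return secrets.token_bytes(16)


def respond(key: bytes, x: bytes) -> bytes:
    return prf(key, x)


def check_response(key: bytes, x: bytes, y: bytes) -> bool:
    return hmac.compare_digest(prf(key, x), y)


# Authentication: the tag on M is F_S(M). As the slide notes, (M, tag) can
# be replayed verbatim; nothing in the tag distinguishes a fresh send.
def authenticate(key: bytes, m: bytes) -> bytes:
    return prf(key, m)


def check_tag(key: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(prf(key, m), t)


# Encryption: <X, F_S(X) xor M> with a fresh X per message. Messages longer
# than BLOCK bytes use pad blocks F_S(X || i) (extension beyond the slide).
def _pad(key: bytes, x: bytes, length: int) -> bytes:
    out = b""
    i = 0
    while len(out) < length:
        out += prf(key, x + i.to_bytes(4, "big"))
        i += 1
    return out[:length]


def encrypt(key: bytes, m: bytes) -> tuple[bytes, bytes]:
    x = secrets.token_bytes(16)
    return x, bytes(p ^ c for p, c in zip(_pad(key, x, len(m)), m))


def decrypt(key: bytes, x: bytes, c: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(_pad(key, x, len(c)), c))


if __name__ == "__main__":
    S = b"constructed-shared-key"
    X = challenge()
    print("identification ok:", check_response(S, X, respond(S, X)))
    T = authenticate(S, b"pay 10")
    print("tag ok:", check_tag(S, b"pay 10", T), "replay also ok:", check_tag(S, b"pay 10", T))
    X2, C = encrypt(S, b"the message")
    print("decrypts to:", decrypt(S, X2, C))
```

Reusing X in the encryption scheme would reuse the pad, the same failure as reusing a one-time pad; a fresh random X per message is what the slide's "A chooses X" stands for.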
Goal
• Construct an ensemble $\{\Phi_k \mid k \in L\}$ such that
• for any $\{t_k, 1/\varepsilon_k, q_k \mid k \in L\}$ polynomial in k, for
all but finitely many k’s
$\Phi_k$ is a $(t_k, \varepsilon_k, q_k)$-pseudo-random family
Construction
• Construction via Expansion
– Expand n or m
• Direct constructions
Effects of Concatenation
Given ℓ functions $F_1, F_2, \ldots, F_\ell$ decide whether they are
– ℓ random and independent functions
OR
– $F_{S_1}, F_{S_2}, \ldots, F_{S_\ell}$ for $S_1, S_2, \ldots, S_\ell \in_R \{0,1\}^k$
Claim: If $\Phi_k = \{F_S \mid S \in \{0,1\}^k\}$ is $(t,\varepsilon,q)$-pseudo-random:
cannot distinguish two cases
– using q queries
– in time $t' = t - \ell q$
– with advantage better than $\ell\varepsilon$
Proof: Hybrid Argument
• i = 0: $F_{S_1}, F_{S_2}, \ldots, F_{S_\ell}$ (accepting probability $p_0$)
…
• i: $R_1, R_2, \ldots, R_{i-1}, F_{S_i}, F_{S_{i+1}}, \ldots, F_{S_\ell}$ (accepting probability $p_i$)
…
• i = ℓ: $R_1, R_2, \ldots, R_\ell$ (accepting probability $p_\ell$)
$|p_\ell - p_0| \ge \varepsilon$
$\Rightarrow \exists i$ s.t. $|p_{i+1} - p_i| \ge \varepsilon/\ell$
...Hybrid Argument
Can use this i to distinguish whether
– $F_S \in_R \Phi_k$ or $F_S \in_R R_{n \to m}$
• Generate $F_{S_{i+1}}, \ldots, F_{S_\ell}$
• Answer queries to first i-1 functions at random (consistently)
• Answer queries to $F_{S_i}$ using the (black box) input
• Answer queries to functions i+1 through ℓ with $F_{S_{i+1}}, \ldots, F_{S_\ell}$
Running time of test: $t' + \ell q$
Doubling the domain
• Suppose we have
$F^{(n)}: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$
which is $(t,\varepsilon,q)$-p.r.
• Want $F^{(n+1)}: \{0,1\}^k \times \{0,1\}^{n+1} \to \{0,1\}^m$
which is $(t',\varepsilon',q')$-p.r.
Use $G: \{0,1\}^k \to \{0,1\}^{2k}$ which is $(t, \varepsilon)$ p.r.
$G(S) = G_0(S) \,\|\, G_1(S)$
Let $F^{(n+1)}_S(bx) = F^{(n)}_{G_b(S)}(x)$
[Figure: G maps the seed S to the two halves $G_0(S)$ and $G_1(S)$]
Claim
If G is $(t+q, \varepsilon_1)$-p.r and $F^{(n)}$ is $(t+2q, \varepsilon_2, q)$-p.r, then
$F^{(n+1)}$ is $(t, \varepsilon_1 + 2\varepsilon_2, q)$-p.r
Proof: three distributions
(1) $F^{(n+1)}$
(2) $F^{(n)}_{S_0}, F^{(n)}_{S_1}$ for independent $S_0, S_1$
(3) Random
[(1) vs (2): advantage $\varepsilon_1$; (2) vs (3): advantage $2\varepsilon_2$; in total $\varepsilon_1 + 2\varepsilon_2$]
...Proof
Given that (1) and (3) can be distinguished with
advantage $\varepsilon_1 + 2\varepsilon_2$, then either
• (1) and (2) with advantage $\varepsilon_1$
– G can be distinguished with advantage $\varepsilon_1$
or
• (2) and (3) with advantage $2\varepsilon_2$
– $F^{(n)}$ can be distinguished with advantage $\varepsilon_2$
Running time of test: $t' + q$
Getting from G to F(n)
Idea: Use recursive construction
FS (n)(bnbn-1 b1)
 FGb (s) (n-1)(bn-1bn-2 b1)
1
 Gb (Gb (  Gb (S)) )
n
n-1
1
Each evaluation of FS (n)(x): n invocations of G
Tree Description
[Figure: binary tree with root S, children $G_0(S)$ and $G_1(S)$, grandchild $G_0(G_0(S))$, and so on down to leaves such as $G_1(G_0(G_0(S)))$]
Each leaf corresponds to $x \in \{0,1\}^n$. Label of
leaf: value of pseudo-random function at x
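The tree construction above, as an added example that is not part of the lecture slides: the leaf label $F_S(b_n \cdots b_1) = G_{b_1}(G_{b_2}(\cdots G_{b_n}(S)\cdots))$, computed both by walking the tree and by the doubling rule $F^{(n+1)}_S(bx) = F^{(n)}_{G_b(S)}(x)$ so the two definitions can be checked against each other. SHA-256 with a one-byte prefix stands in for the length-doubling generator $G$ (an assumption; the slides only require $G$ to be $(t,\varepsilon)$-pseudo-random).

```python
# Added example, not from the lecture slides: the tree (GGM) construction
# F_S(b_n ... b_1) = G_{b_1}(G_{b_2}(... G_{b_n}(S))). SHA-256 with a
# one-byte prefix stands in for the length-doubling generator G (assumption).
import hashlib


def G(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling generator: 32-byte seed -> (G_0(S), G_1(S))."""
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())


def node_label(seed: bytes, path: str) -> bytes:
    """Label of the tree node reached from the root S by following the bits
    of `path` (leftmost bit chosen at the root); '' is the root itself.
    Each step is one invocation of G, so a leaf costs n invocations.
    """
    label = seed
    for bit in path:
        label = G(label)[int(bit)]
    return label


def prf(seed: bytes, x: str) -> bytes:
    """F_S(x) for an n-bit string x = b_n ... b_1: the label of leaf x."""
    return node_label(seed, x)


def prf_by_doubling(seed: bytes, x: str) -> bytes:
    """Same function via the doubling rule F^{(n+1)}_S(b x) = F^{(n)}_{G_b(S)}(x)."""
    if x == "":
        return seed
    return prf_by_doubling(G(seed)[int(x[0])], x[1:])


def all_leaves(seed: bytes, n: int) -> list[bytes]:
    """Labels of every leaf of the depth-n tree, in input order."""
    return [prf(seed, format(i, f"0{n}b")) for i in range(1 << n)]


if __name__ == "__main__":
    S = bytes(32)                     # constructed seed
    print("F_S(001) =", prf(S, "001").hex())
    print("same via doubling:", prf(S, "001") == prf_by_doubling(S, "001"))
    print("distinct leaves at depth 6:", len(set(all_leaves(S, 6))))
```

Only the path to one leaf is ever expanded, which is the random-access property the slides ask for; nothing requires materialising the $2^n$ leaves.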
Security claim
If G is $(t+qn, \varepsilon)$ p.r,
then $F^{(n)}$ is $(t, q, \varepsilon' = nq\varepsilon)$ p.r
Proof: Hybrid argument by levels
$D_i$:
– truly random labels for nodes at level i.
– Pseudo-random from i down
Each $D_i$: a collection of q functions
$\exists i\; |p_{i+1} - p_i| \ge \varepsilon'/n = q\varepsilon$
[Figure: hybrid $D_i$ – the top i levels below the root S carry truly random labels $S_0, S_1, \ldots$; the remaining n-i levels are generated pseudo-randomly, e.g. $G_0(S_0)$, $G_1(G_0(S_0))$]
…Proof of Security
• Can use this i to distinguish concatenation of q
sequence generators G from random.
• The concatenation is $(t, q\varepsilon)$ pseudo-random
Therefore the construction is $(t, \varepsilon', q)$ pseudo-random
Disadvantages
• Expensive - n invocations of G
• Sequential
• Deterioration of $\varepsilon$
But does the job!
From any pseudo-random sequence generator
construct a pseudo-random function.
Theorem: one-way functions exist if and only if
pseudo-random functions exist.
Applications of Pseudo-random
Functions
• Learning Theory - lower bounds
– Cannot PAC learn any class containing pseudo-random
function
• Complexity Theory - impossibility of natural proofs for
separating classes.
• Any setting where huge shared random string is useful
• Caveat: what happens when the seed is made public?
Application to Signatures
Can make the UOWHF signature scheme into a memoryless/history
independent one.
• Identify the tree of the signature scheme and the tree of pseudorandom function
– Can add labels on the internal nodes
• Add to the secret-key of the signature scheme a key to a pseudorandom function
• Generate the one-time signatures of the triples using the label on the
node
– Guarantees consistency
• To always get the same signature on a message: the path to the leaf
used is determined by the message
Construction of UOWHF signatures
Key generation:
• generate the root
– Three sets of keys for a one-time signature scheme
– A function $g \in G$ from a family of UOWHF
[Figure: the root node holds this triple]
Signing algorithm:
• Traverse the tree in a BFS manner
– Generate a new triple
– Sign the message using the middle part of node
– Put the generated triple in the next available node in the current level
• If all nodes in current level are assigned, create a new one.
– The signature consists of:
• The one-time signature on the message
• The nodes along the path to the root
• the one-time signatures on the hashed nodes along the path to the root
• Keep secret the private keys of all triples
Verification of signature:
• Verify the one-time signatures given.
Size of signature:
Depth of tree × triple size
Another paradigm for obtaining Signatures
• Shared secret seed - can get authentication
• What about public-key? Can we use the
techniques?
• Yes!?
– Private key is S
– Public key is commitment to FS
– To sign M - provide FS(M) and a proof of consistency
with the commitment
Pseudo-Random Permutations
Block-Ciphers:
• Shared-key encryption schemes where:
the encryption of every plaintext block is a ciphertext block of the same length.
[Figure: Plaintext and Key enter the block cipher BC, which outputs the Ciphertext]
Block Ciphers
Advantages
– Saves up on memory and communication bandwidth
– Easy to incorporate within existing systems.
Main Disadvantage
– Every block is always encrypted in the same way.
• Important Examples: DES, AES
Modeling Block Ciphers
• Pseudo-random Permutations
F : 0,1k  0,1n  0,1n
Key
Domain
Range
F-1: 0,1k  0,1n  0,1n
Key
Range
Domain
Want:
– X= FS-1 (FS (X))
• Correct inverse
– Efficiently computable
The Test
The tester A that can choose adaptively
– $X_1$ and get $Y_1 = F_S(X_1)$
– $Y_2$ and get $X_2 = F^{-1}_S(Y_2)$
…
– $X_q$ and get $Y_q = F_S(X_q)$
(A can choose to evaluate or invert any point!)
• Then A has to decide whether
– $F_S \in_R \Phi_k$
or
– $F_S \in_R P^{(n)} = \{F \mid \text{1-1 } F: \{0,1\}^n \to \{0,1\}^n\}$
(t,,q)-pseudo-random
For a function F chosen at random from
(1) Φk ={FS | S0,1k 
(n)
(2) P =  F | 1-1 F :0,1n  0,1n 
For all t-time machines A that choose q locations and
try to distinguish (1) from (2)
 PrA= ‘1’  FR Fk 
- PrA= ‘1’  FR P(n)    
Construction of Pseudo-Random
Permutations
• Possible to construct pseudo-random permutations
from pseudo-random functions (and vice versa...)
• Based on 4 Feistel Permutations
Feistel Permutation
Any function $f: \{0,1\}^n \to \{0,1\}^n$ defines a Feistel
permutation $\{0,1\}^{2n} \to \{0,1\}^{2n}$
$D_f(L,R) = (R,\; L \oplus f(R))$
Feistel permutations are as easy to invert as to compute:
$D_f^{-1}(L,R) = (R \oplus f(L),\; L)$
Many block ciphers are based on such permutations, where the
function f is derived from the secret key
Feistel Permutation
[Figure: one round – inputs $L_1, R_1$; f is applied to $R_1$; outputs $L_2 = R_1$ and $R_2 = L_1 \oplus f(R_1)$]
Composing Feistel Permutations
• Make the function $f: \{0,1\}^n \to \{0,1\}^n$ a pseudo-random
function $F_S \in_R \Phi_k$
• This defines a keyed family of permutations
$\{0,1\}^{2n} \to \{0,1\}^{2n}$
• Clearly it is not pseudo-random
– Right block goes unchanged to left block
What about composing two such keyed permutations
with independent keys?
• Not pseudo-random:
$D_{S_2}(D_{S_1}(L,R)) = (F_{S_1}(R) \oplus L,\; F_{S_2}(F_{S_1}(R) \oplus L) \oplus R)$
[Figure annotations: the first round protects the left block, the second protects the right block]
– For two inputs sharing the same left block
– Looks pretty good for random attacks!
Main Construction
Let $F_1, F_2, F_3, F_4 \in_R$ PRF, then the composition of
$D_{F_1}, D_{F_2}, D_{F_3}, D_{F_4}$ is a pseudo-random
permutation.
• Each $F_i: \{0,1\}^n \to \{0,1\}^n$.
Resulting permutation $\{0,1\}^{2n} \to \{0,1\}^{2n}$.
• $F_1$ and $F_4$ can be “combinatorial”:
– pair-wise independent.
– low probability of collision on first block
• Error probability is $\sim q^2/2^n$
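The Feistel permutation $D_f$ and its inverse from the earlier slide, and the four-round composition $D_{F_1}, D_{F_2}, D_{F_3}, D_{F_4}$ of this one, as an added example that is not part of the lecture slides. SHA-256 truncated to n bytes stands in for each keyed round function $F_i$ (an assumption; the slides take any PRF). The code checks the two facts a practitioner most wants verified: that decryption only ever evaluates $F_i$ forward, and that the composition really is a permutation of $\{0,1\}^{2n}$, which for a tiny n can be confirmed by exhaustive enumeration.

```python
# Added example, not from the lecture slides: the Feistel permutation
# D_f(L,R) = (R, L xor f(R)), its inverse, and the four-round composition
# D_{F1} .. D_{F4}. SHA-256 truncated to n bytes stands in for each F_i
# (assumption); keys and blocks below are constructed samples.
import hashlib
from typing import Callable

Half = bytes
RoundFn = Callable[[Half], Half]


def keyed_prf(key: bytes, n: int) -> RoundFn:
    """F_S: {0,1}^n -> {0,1}^n with n in bytes (stand-in PRF, assumption)."""
    return lambda x: hashlib.sha256(key + x).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def feistel(f: RoundFn, L: Half, R: Half) -> tuple[Half, Half]:
    """D_f(L, R) = (R, L xor f(R))."""
    return R, xor(L, f(R))


def feistel_inv(f: RoundFn, L: Half, R: Half) -> tuple[Half, Half]:
    """D_f^{-1}(L, R) = (R xor f(L), L): only forward evaluations of f."""
    return xor(R, f(L)), L


def luby_rackoff(keys: list[bytes], n: int):
    """(encrypt, decrypt) for the composition D_{F_1} ... D_{F_r}, r = len(keys).
    The slides use r = 4 independent PRF keys."""
    fs = [keyed_prf(k, n) for k in keys]

    def enc(L: Half, R: Half) -> tuple[Half, Half]:
        for f in fs:
            L, R = feistel(f, L, R)
        return L, R

    def dec(L: Half, R: Half) -> tuple[Half, Half]:
        for f in reversed(fs):          # undo the rounds in reverse order
            L, R = feistel_inv(f, L, R)
        return L, R

    return enc, dec


def is_permutation(enc, n: int) -> bool:
    """Exhaustively check that enc is a bijection on {0,1}^{2n}; only
    feasible for tiny n (n = 1 byte means 65536 inputs)."""
    seen = set()
    for i in range(1 << (16 * n)):
        block = i.to_bytes(2 * n, "big")
        seen.add(enc(block[:n], block[n:]))
    return len(seen) == 1 << (16 * n)


if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]          # constructed keys
    enc, dec = luby_rackoff(keys, 4)               # n = 32 bits per half
    L, R = b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"
    C = enc(L, R)
    print("ciphertext:", C[0].hex(), C[1].hex())
    print("round trip ok:", dec(*C) == (L, R))
    enc1, _ = luby_rackoff(keys, 1)
    print("bijection on 16-bit blocks:", is_permutation(enc1, 1))
```

A single `feistel` round exposes the weakness the slide names: its left output is exactly the right input, unchanged. The bijection check passes for any number of rounds, which is the point of the slides' argument: being a permutation is automatic, pseudo-randomness is what the four rounds buy.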
Security Theorem
Let
(1)  be the set of permutations obtained when
the two middle $G_2, G_3$ are truly random functions
and
the first and last are $(h_1, h_2)$ chosen from a pairwise independent family.
(2) $P^{(n)} = \{F \mid \text{1-1 } F: \{0,1\}^n \to \{0,1\}^n\}$
Theorem: For any adversary A
– (not necessarily efficient)
– that makes at most q queries
the advantage in distinguishing between a random permutation from
$P^{(n)}$ and a random one from the set in (1) is at most $q^2/2^n + q^2/2^{2n}$
Corollary: the original construction is computationally secure
Sources
• Goldreich’s Foundations of Cryptography, volumes
1 and 2
• Goldreich, Goldwasser and Micali, How to construct random
functions, Journal of the ACM 33, 1986, 792 - 807.
• Luby-Rackoff: How to construct pseudorandom
permutations from pseudorandom functions, SIAM J.
Computing, 1988.
• Naor-Reingold: Luby-Rackoff Revisited, Journal of
Cryptology, 1999.