Lecturer: Moni Naor - PowerPoint PPT Presentation

1
Foundations of Cryptography, Lecture 9
Pseudo-Random Functions and Permutations
  • Lecturer: Moni Naor

2
Recap of last week's lecture
  • Application of GL Theorem to Pseudo-randomness of
    Subset sum
  • Hybrid arguments from single bit expansion to
    many bits expansion
  • Next Bit unpredictability equivalent to
    Computational Pseudo-Randomness
  • Why extremely long random looking strings are
    useful
  • Pseudo-random functions definition

3
The world so far
  • One-way functions
  • Pseudo-random generators
  • UOWHFs
  • Signature schemes
  • Two-guards identification
  • P ≠ NP
  • Will soon see:
  • Computational pseudorandomness
  • Shared-key encryption and authentication

4
Reading Assignment
  • Naor and Reingold, From Unpredictability to
    Indistinguishability: A Simple Construction of
    Pseudo-Random Functions from MACs, Crypto'98.
  • www.wisdom.weizmann.ac.il/naor/PAPERS/mac_abs.html
  • Gradwohl, Naor, Pinkas and Rothblum,
    Cryptographic and Physical Zero-Knowledge Proof
    Systems for Solutions of Sudoku Puzzles
  • Especially Sections 1-3
  • www.wisdom.weizmann.ac.il/naor/PAPERS/sudoku_abs.html

5
Homework
  • How to have a one-time signature scheme with
    shorter public keys?
  • Let f be a one-way permutation
  • How to construct
  • a signature scheme existentially secure against
    an adaptively chosen message attack
  • from a scheme that is existentially secure
    against a random message attack?

6
Pseudo-Random Generators: concrete version
  • $G_n: \{0,1\}^m \to \{0,1\}^n$
  • Instead of passing all polynomial-time
    statistical tests:
  • $(t,\varepsilon)$-pseudo-random: no test A running in time t
    can distinguish with advantage $\varepsilon$

7
Recall: three basic issues in cryptography
  • Identification
  • Authentication
  • Encryption
  • Solve them in a shared-key environment

[Figure: parties A and B, each holding the shared key S]
8
Identification: remote login using a pseudo-random
sequence
  • A and B share a key $S \in_R \{0,1\}^k$
  • In order for A to identify itself to B:
  • Generate the sequence $G_n(S)$
  • For each identification session send the next block
    of $G_n(S)$

[Figure: the sequence $G_n(S)$ split into blocks, one per session]
9
Problems...
  • More than two parties
  • Malicious adversaries - add noise
  • Coordinating the location (block number)
  • Better approach: Challenge-Response

10
Challenge-Response Protocol
  • B selects a random location and sends it to A
  • A sends the value at that location

[Figure: B to A: "What's this?" (a location in the sequence); A replies with the block at that location]
11
Desired Properties
  • Very long string - prevents repetitions
  • Random access to the sequence
  • Unpredictability - cannot guess the value at a
    random location,
  • even after seeing values at many parts of the
    string of the adversary's choice.
  • Pseudo-randomness implies unpredictability
  • Not the other way around for blocks

12
Authenticating Messages
  • A wants to send message $M \in \{0,1\}^n$ to B
  • B should be confident that A is indeed the sender
    of M
  • One-time application
  • $S = (a,b)$ where $a,b \in_R \{0,1\}^n$
  • To authenticate M supply $a \cdot M + b$
  • Computation is done in $GF[2^n]$
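The one-time MAC of this slide, worked out in code. This is an added example, not part of the lecture: it assumes n = 128 with $GF[2^{128}]$ represented modulo the irreducible polynomial $x^{128}+x^7+x^2+x+1$ (the GHASH polynomial), and it draws the one-time key (a,b) with Python's `secrets` in place of the shared random string. `recover_key` shows why the scheme is one-time only: two tags under the same (a,b) on distinct messages reveal the key, since $t_1 + t_2 = a \cdot (m_1 + m_2)$.

```python
# Added example (not from the lecture): the one-time MAC a*M + b in GF(2^n), n = 128.
# Assumptions: field modulus x^128 + x^7 + x^2 + x + 1; key drawn with `secrets`
# in place of the shared random string S = (a, b); messages are n-bit integers.
import secrets

N = 128
MODULUS = (1 << N) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 + x^7 + x^2 + x + 1


def gf_mul(x: int, y: int) -> int:
    """Multiply two elements of GF(2^128): carry-less product reduced mod MODULUS."""
    assert 0 <= x < (1 << N) and 0 <= y < (1 << N)
    r = 0
    while y:
        if y & 1:
            r ^= x               # addition in GF(2^n) is XOR
        y >>= 1
        x <<= 1                  # multiply x by the indeterminate
        if x >> N:               # degree reached n: subtract (xor) the modulus
            x ^= MODULUS
    return r


def gf_inv(x: int) -> int:
    """Inverse via Fermat: x^(2^128 - 2) = x^-1 for x != 0."""
    assert x != 0
    result, base, e = 1, x, (1 << N) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def mac_keygen() -> tuple:
    """S = (a, b) with a, b uniform in {0,1}^n; must be fresh for every message."""
    return secrets.randbits(N), secrets.randbits(N)


def mac_tag(key: tuple, m: int) -> int:
    a, b = key
    return gf_mul(a, m) ^ b      # a*M + b in GF(2^n)


def mac_verify(key: tuple, m: int, tag: int) -> bool:
    return mac_tag(key, m) == tag   # use a constant-time comparison in real code


def recover_key(m1: int, t1: int, m2: int, t2: int) -> tuple:
    """Key reuse breaks the scheme: from two (message, tag) pairs under the same
    key, a = (t1 + t2) / (m1 + m2) and b = t1 + a*m1, all in GF(2^n)."""
    assert m1 != m2
    a = gf_mul(t1 ^ t2, gf_inv(m1 ^ m2))
    b = t1 ^ gf_mul(a, m1)
    return a, b
```

Forging a tag on a new message without the key succeeds with probability $2^{-n}$ per attempt, which is the guarantee the slide relies on; the slides that follow replace the fresh (a,b) per message by successive blocks of a long random-looking string.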

13
Problems and Solutions
  • Problems - same as for identification
  • If a very long random string is available -
  • can use it for one-time authentication
  • Works even if only random looking

[Figure: A and B take the next pair (a,b) from the shared string: "Use this!"]
14
Encryption of Messages
  • A wants to send message $M \in \{0,1\}^n$ to B
  • only B should be able to learn M
  • One-time application
  • $S = a$ where $a \in_R \{0,1\}^n$
  • To encrypt M send $a \oplus M$

15
Encryption of Messages
  • If a very long random looking string is available -
  • can use it as in one-time encryption

[Figure: A and B take the next block a from the shared string: "Use this!"]
16
Pseudo-random Function
  • A way to provide an extremely long shared string

17
Pseudo-random Functions
  • Concrete Treatment
  • $F: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$
  • (key, domain, range)
  • Denote $Y = F_S(X)$
  • A family of functions $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ is
    $(t,\varepsilon,q)$-pseudo-random if it is
  • Efficiently computable - random access
  • and...

18
$(t,\varepsilon,q)$-pseudo-random
  • The tester A can choose adaptively
  • $X_1$ and gets $Y_1 = F_S(X_1)$
  • $X_2$ and gets $Y_2 = F_S(X_2)$
  • ...
  • $X_q$ and gets $Y_q = F_S(X_q)$
  • Then A has to decide whether
  • $F_S \in_R \mathcal{F}_k$ or
  • $F_S \in_R \mathcal{R}_{n \to m} = \{F \mid F: \{0,1\}^n \to \{0,1\}^m\}$

19
$(t,\varepsilon,q)$-pseudo-random
  • For a function F chosen at random from
  • (1) $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$
  • (2) $\mathcal{R}_{n \to m} = \{F \mid F: \{0,1\}^n \to \{0,1\}^m\}$
  • For all t-time machines A that choose q
    locations and try to distinguish (1) from (2):
  • $|\Pr[A = 1 \mid F \in_R \mathcal{F}_k] - \Pr[A = 1 \mid F \in_R \mathcal{R}_{n \to m}]| \le \varepsilon$

20
Equivalent/Non-Equivalent Definitions
  • Instead of the next-bit test: for $X \notin \{X_1, X_2, \ldots, X_q\}$
    chosen by A, decide whether the given Y is
  • $Y = F_S(X)$ or
  • $Y \in_R \{0,1\}^m$
  • Adaptive vs. Non-adaptive
  • Unpredictability vs. pseudo-randomness
  • A pseudo-random sequence generator
  • $g: \{0,1\}^m \to \{0,1\}^n$
  • is a pseudo-random function on the small domain
    $\{0,1\}^{\log n} \to \{0,1\}$ with key in $\{0,1\}^m$

21
Application to the basic issues in cryptography
  • Solution using a shared key S
  • Identification:
  • B to A: $X \in_R \{0,1\}^n$
  • A to B: $Y = F_S(X)$
  • B verifies
  • Authentication:
  • A to B: $Y = F_S(M)$
  • replay attack
  • Encryption:
  • A chooses $X \in_R \{0,1\}^n$
  • A to B: $\langle X,\ Y = F_S(X) \oplus M \rangle$
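The three shared-key protocols of this slide with both sides' messages, as an added example that is not part of the lecture. It assumes $F_S$ is instantiated by HMAC-SHA256 (used here only as a stand-in for a $(t,\varepsilon,q)$-pseudo-random family with n = m = 256) and that the encrypted message is a single 32-byte block, as on the slide. The verifier for the authentication protocol also records the tags it has accepted, which is one way to detect the replay the slide warns about; a sequence number inside M is the usual alternative.

```python
# Added example (not from the lecture): identification, authentication and
# encryption from a shared key S and a PRF F_S.  Assumption: HMAC-SHA256 stands
# in for F_S; real deployments would pick a PRF with an analysed bound.
import hashlib
import hmac
import secrets

BLOCK = 32  # range of F_S is {0,1}^256, i.e. 32 bytes


def prf(key: bytes, x: bytes) -> bytes:
    """F_S(X): one random-access evaluation of the pseudo-random function."""
    return hmac.new(key, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(p ^ q for p, q in zip(a, b))


# Identification.  B to A: X in_R {0,1}^n.  A to B: Y = F_S(X).  B verifies.
def ident_challenge() -> bytes:
    return secrets.token_bytes(BLOCK)


def ident_respond(key: bytes, challenge: bytes) -> bytes:
    return prf(key, challenge)


def ident_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(prf(key, challenge), response)


# Authentication.  A to B: Y = F_S(M).  The tag is deterministic, so an
# eavesdropper can replay (M, Y); the verifier keeps the tags it has accepted.
class Authenticator:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def tag(self, message: bytes) -> bytes:
        return prf(self.key, message)

    def verify(self, message: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(prf(self.key, message), tag):
            return False
        if tag in self.seen:
            return False         # replay of an already-accepted (M, Y)
        self.seen.add(tag)
        return True


# Encryption.  A chooses X in_R {0,1}^n and sends <X, F_S(X) xor M>.
def encrypt(key: bytes, message: bytes) -> tuple:
    assert len(message) == BLOCK   # one block, as on the slide
    x = secrets.token_bytes(BLOCK)
    return x, xor(prf(key, x), message)


def decrypt(key: bytes, x: bytes, ciphertext: bytes) -> bytes:
    return xor(prf(key, x), ciphertext)
```

Because X is fresh for every encryption, the pad $F_S(X)$ is never reused, which is exactly the property the one-time scheme of the earlier slides needed and could not get without a long shared string.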

22
Goal
  • Construct an ensemble $\{\mathcal{F}_k \mid k \in L\}$ such that
  • for any $\{t_k, 1/\varepsilon_k, q_k \mid k \in L\}$ polynomial in k,
    for all but finitely many k's
  • $\mathcal{F}_k$ is a $(t_k, \varepsilon_k, q_k)$-pseudo-random family

23
Construction
  • Construction via Expansion
  • Expand n or m
  • Direct constructions

24
Effects of Concatenation
  • Given l functions $F^1, F^2, \ldots, F^l$ decide whether
    they are
  • l random and independent functions
  • OR
  • $F_{S_1}, F_{S_2}, \ldots, F_{S_l}$ for $S_1, S_2, \ldots, S_l \in_R \{0,1\}^k$
  • Claim: If $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$ is
    $(t,\varepsilon,q)$-pseudo-random,
  • the two cases cannot be distinguished
  • using q queries
  • in time $t' = t - l \cdot q$
  • with advantage better than $l \cdot \varepsilon$

25
Proof: Hybrid Argument
  • $i = 0$: $F_{S_1}, F_{S_2}, \ldots, F_{S_l}$ (probability $p_0$)
  • $i$: $R_1, R_2, \ldots, R_{i-1}, F_{S_i}, F_{S_{i+1}}, \ldots, F_{S_l}$
    (probability $p_i$)
  • $i = l$: $R_1, R_2, \ldots, R_l$
    (probability $p_l$)
  • $|p_l - p_0| \ge \varepsilon \Rightarrow \exists i$ s.t. $|p_{i+1} - p_i| \ge \varepsilon/l$

26
...Hybrid Argument
  • Can use this i to distinguish whether
  • $F_S \in_R \mathcal{F}_k$ or $F_S \in_R \mathcal{R}_{n \to m}$:
  • Generate $F_{S_{i+1}}, \ldots, F_{S_l}$
  • Answer queries to the first i-1 functions at random
    (consistently)
  • Answer queries to $F_{S_i}$ using the (black box) input
  • Answer queries to functions i+1 through l with
    $F_{S_{i+1}}, \ldots, F_{S_l}$
  • Running time of the test: $t' + l \cdot q$

27
Doubling the domain
  • Suppose we have
  • $F^{(n)}: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$
  • which is $(t,\varepsilon,q)$-p.r.
  • Want $F^{(n+1)}: \{0,1\}^k \times \{0,1\}^{n+1} \to \{0,1\}^m$ which
    is $(t,\varepsilon,q)$-p.r.
  • Use $G: \{0,1\}^k \to \{0,1\}^{2k}$ which is $(t,\varepsilon)$-p.r.
  • $G(S) = G_0(S)\,G_1(S)$
  • Let $F^{(n+1)}_S(bx) = F^{(n)}_{G_b(S)}(x)$

[Figure: S is fed to G; the two halves of the output are $G_0(S)$ and $G_1(S)$]
28
Claim
  • If G is $(t+q, \varepsilon_1)$-p.r. and $F^{(n)}$ is $(t+2q, \varepsilon_2, q)$-p.r.,
    then $F^{(n+1)}$ is $(t, \varepsilon_1 + 2\varepsilon_2, q)$-p.r.
  • Proof: three distributions
  • (1) $F^{(n+1)}$
  • (2) $F^{(n)}_{S_0}, F^{(n)}_{S_1}$ for independent $S_0, S_1$
  • (3) Random

[Figure: the distance between (1) and (3) is at most $\varepsilon_1 + 2\varepsilon_2$]
29
...Proof
  • Given that (1) and (3) can be distinguished with
    advantage $\varepsilon_1 + 2\varepsilon_2$, then either
  • (1) and (2) can be distinguished with advantage $\varepsilon_1$:
  • G can be distinguished with advantage $\varepsilon_1$
  • or
  • (2) and (3) can be distinguished with advantage $2\varepsilon_2$:
  • $F^{(n)}$ can be distinguished with advantage $\varepsilon_2$
    (concatenation of two functions: the hybrid argument with $l = 2$)
  • Running time of the tests: $t + q$ against G, $t + 2q$ against $F^{(n)}$

30
Getting from G to $F^{(n)}$
  • Idea: use the recursive construction
  • $F^{(n)}_S(b_n b_{n-1} \cdots b_1)$
  • $= F^{(n-1)}_{G_{b_n}(S)}(b_{n-1} b_{n-2} \cdots b_1)$
  • $= G_{b_1}(G_{b_2}(\cdots G_{b_n}(S) \cdots))$
  • Each evaluation of $F^{(n)}_S(x)$: n invocations of G

31
Tree Description

[Figure: binary tree with root labelled S; its children are labelled $G_0(S)$ and $G_1(S)$, the next level e.g. $G_0(G_0(S))$, then $G_1(G_0(G_0(S)))$, and so on: the label of each child is $G_b$ applied to the parent's label]
Each leaf corresponds to $x \in \{0,1\}^n$. Label of leaf =
value of the pseudo-random function at x
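The tree construction in code, as an added example that is not part of the lecture. It assumes the length-doubling generator G is modelled by SHA-256, $G(S) = \mathrm{SHA256}(S \| 0) \,\|\, \mathrm{SHA256}(S \| 1)$ with k = 256, so $G_0(S)$ is the left half and $G_1(S)$ the right half; this is a stand-in, not a proven generator. Bits of x are consumed from the root downwards, matching the labels in the figure ($G_1(G_0(G_0(S)))$ is the leaf for the path 001). `level_labels` lists the labels at one level, the strings the hybrid $D_i$ on the next slides replaces by truly random ones.

```python
# Added example (not from the lecture): the GGM tree, PRF from a length-doubling PRG.
# Assumption: SHA-256 with a domain-separating byte stands in for G.
import hashlib

K = 32  # seed length in bytes (k = 256)


def G(seed: bytes) -> bytes:
    """Pseudo-random generator {0,1}^k -> {0,1}^2k (stand-in, see above)."""
    assert len(seed) == K
    return hashlib.sha256(seed + b"\x00").digest() + hashlib.sha256(seed + b"\x01").digest()


def G_b(b: int, seed: bytes) -> bytes:
    """G_b(S): the left (b = 0) or right (b = 1) half of G(S)."""
    out = G(seed)
    return out[:K] if b == 0 else out[K:]


def prf_recursive(seed: bytes, x: str) -> bytes:
    """F_S^{(n)}(x): consume the first bit b of x and recurse with key G_b(S)."""
    if x == "":
        return seed                  # n = 0: the label of the node itself
    return prf_recursive(G_b(int(x[0]), seed), x[1:])


def prf_iterative(seed: bytes, x: str) -> bytes:
    """Same function as a walk from the root to the leaf x: n invocations of G."""
    label = seed
    for ch in x:
        label = G_b(int(ch), label)
    return label


def level_labels(seed: bytes, i: int) -> dict:
    """Labels of all 2^i nodes at depth i, keyed by their path from the root."""
    paths = [format(j, "b").zfill(i) for j in range(1 << i)] if i else [""]
    return {p: prf_iterative(seed, p) for p in paths}
```

Each call costs n generator invocations and they cannot be parallelised along the path, which is the "expensive" and "sequential" point made a few slides later; only the q leaves actually queried are ever computed, so the tree is never materialised.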
32
Security claim
  • If G is $(t + q \cdot n, \varepsilon)$-p.r.,
  • then $F^{(n)}$ is $(t, \varepsilon' = n \cdot q \cdot \varepsilon, q)$-p.r.
  • Proof: hybrid argument by levels
  • $D_i$:
  • truly random labels for the nodes at level i,
  • pseudo-random from level i down
  • Each $D_i$: a collection of q functions (only the q nodes at
    level i reached by the q queries matter)
  • $\exists i$: $|p_{i+1} - p_i| \ge \varepsilon'/n = q \cdot \varepsilon$

33
Hybrid

[Figure: the hybrid $D_i$: the top i levels of the tree (root S, nodes $S_0$, $S_1$, ...) carry truly random labels; the remaining n-i levels are computed with G, e.g. $G_0(S_0)$, $G_1(G_0(S_0))$]
34
Proof of Security
  • Can use this i to distinguish the concatenation of q
    sequence generators G from random.
  • The concatenation is $(t, q \cdot \varepsilon)$ pseudo-random
  • Therefore the construction is $(t, \varepsilon', q)$
    pseudo-random

35
Disadvantages
  • Expensive - n invocations of G
  • Sequential
  • Deterioration of $\varepsilon$
  • But does the job!
  • From any pseudo-random sequence generator
    construct a pseudo-random function.
  • Theorem: one-way functions exist if and only if
    pseudo-random functions exist.

36
Applications of Pseudo-random Functions
  • Learning Theory - lower bounds
  • Cannot PAC learn any class containing
    pseudo-random function
  • Complexity Theory - impossibility of natural
    proofs for separating classes.
  • Any setting where huge shared random string is
    useful
  • Caveat what happens when the seed is made
    public?

37
Application to Signatures
  • Can make the UOWHF signature scheme into a
    memoryless/history independent one.
  • Identify the tree of the signature scheme and the
    tree of pseudo-random function
  • Can add labels on the internal nodes
  • Add to the secret-key of the signature scheme a
    key to a pseudo-random function
  • Generate the one-time signatures of the triples
    using the label on the node
  • Guarantees consistency
  • To always get the same signature on a message
    the path to the leaf used is determined by the
    message

38
Construction of UOWHF signatures
  • Key generation:
  • generate the root:
  • Three sets of keys for a one-time signature
    scheme
  • A function $g \in G$ from a family of UOWHFs
  • Signing algorithm:
  • Traverse the tree in a BFS manner
  • Generate a new triple
  • Sign the message using the middle part of the node
  • Put the generated triple in the next available
    node in the current level
  • If all nodes in the current level are assigned,
    create a new one.
  • The signature consists of:
  • The one-time signature on the message
  • The nodes along the path to the root
  • the one-time signatures on the hashed nodes along
    the path to the root
  • Keep secret the private keys of all triples
  • Verification of signature:
  • Verify the one-time signatures given.

[Figure: a node of the tree is one triple]
Size of signature = depth of tree × triple size
39
Another paradigm for obtaining Signatures
  • Shared secret seed - can get authentication
  • What about public-key? Can we use the techniques?
  • Yes!?
  • Private key is S
  • Public key is commitment to FS
  • To sign M - provide FS(M) and a proof of
    consistency with the commitment

40
Pseudo-Random Permutations
  • Block-Ciphers
  • Shared-key encryption schemes where
  • The encryption of every plaintext block is a
    ciphertext block of the same length.

41
Block Ciphers
  • Advantages:
  • Saves on memory and communication bandwidth
  • Easy to incorporate within existing systems.
  • Main Disadvantage:
  • Every block is always encrypted in the same way
    (deterministic: equal plaintext blocks give equal ciphertext blocks).
  • Important Examples: DES, AES

42
Modeling Block Ciphers
  • Pseudo-random Permutations
  • $F: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
  • (key, domain, range)
  • $F^{-1}: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$
  • (key, range, domain)
  • Want:
  • $X = F^{-1}_S(F_S(X))$
  • Correct inverse
  • Efficiently computable

43
The Test
  • The tester A can choose adaptively
  • $X_1$ and get $Y_1 = F_S(X_1)$
  • $Y_2$ and get $X_2 = F^{-1}_S(Y_2)$
  • ...
  • $X_q$ and get $Y_q = F_S(X_q)$
  • Then A has to decide whether
  • $F_S \in_R \mathcal{F}_k$
  • or
  • $F_S \in_R P(n) = \{F \mid F \text{ is 1-1},\ F: \{0,1\}^n \to \{0,1\}^n\}$

Can choose to evaluate or invert any point!
44
$(t,\varepsilon,q)$-pseudo-random
  • For a function F chosen at random from
  • (1) $\mathcal{F}_k = \{F_S \mid S \in \{0,1\}^k\}$
  • (2) $P(n) = \{F \mid F \text{ is 1-1},\ F: \{0,1\}^n \to \{0,1\}^n\}$
  • For all t-time machines A that choose q
    locations and try to distinguish (1) from (2):
  • $|\Pr[A = 1 \mid F \in_R \mathcal{F}_k] - \Pr[A = 1 \mid F \in_R P(n)]| \le \varepsilon$

45
Construction of Pseudo-Random Permutations
  • Possible to construct
  • pseudo-random permutations
  • from
  • pseudo-random functions (and vice versa...)
  • Based on 4 Feistel permutations

46
Feistel Permutation
  • Any function $f: \{0,1\}^n \to \{0,1\}^n$ defines a
    Feistel permutation $\{0,1\}^{2n} \to \{0,1\}^{2n}$:
  • $D_f(L,R) = (R,\ L \oplus f(R))$
  • Feistel permutations are as easy to invert as to
    compute:
  • $D_f^{-1}(L,R) = (R \oplus f(L),\ L)$
  • Many block ciphers are based on such permutations,
    where the function f is derived from the secret key

47
Feistel Permutation
[Figure: one Feistel round, $(L,R) \mapsto (R,\ L \oplus f(R))$]
48
Composing Feistel Permutations
  • Make the function $f: \{0,1\}^n \to \{0,1\}^n$ a
    pseudo-random function $F_S \in_R \mathcal{F}_k$
  • This defines a keyed family of permutations
    $\{0,1\}^{2n} \to \{0,1\}^{2n}$
  • Clearly it is not pseudo-random:
  • Right block goes unchanged to left block
  • What about composing two such keyed permutations
  • With independent keys?
  • Not pseudo-random:
  • $D_{S_2}(D_{S_1}(L,R)) = (F_{S_1}(R) \oplus L,\ F_{S_2}(F_{S_1}(R) \oplus L) \oplus R)$
  • For two inputs $(L,R)$ and $(L',R)$ sharing the same right block,
    the left output blocks XOR to $L \oplus L'$
  • Looks pretty good for random attacks!

Protects left block
Protects right block

50
Main Construction
  • Let $F_1, F_2, F_3, F_4 \in_R$ PRF; then the composition
    of $D_{F_1}, D_{F_2}, D_{F_3}, D_{F_4}$ is a pseudo-random
    permutation.
  • Each $F_i: \{0,1\}^n \to \{0,1\}^n$.
  • Resulting permutation: $\{0,1\}^{2n} \to \{0,1\}^{2n}$.
  • $F_1$ and $F_4$ can be combinatorial:
  • pair-wise independent.
  • low probability of collision on the first block
  • Error probability is $q^2/2^n$
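Feistel permutations from a keyed round function, the same-right-block distinguisher against the two-round composition of the previous slides, and the four-round Luby-Rackoff construction of this slide, as an added example that is not part of the lecture. It assumes half-blocks of n = 128 bits, a round function $F_S$ given by HMAC-SHA256 truncated to 16 bytes (a stand-in for a pseudo-random function), and four independent keys; the pairwise-independent replacement for rounds 1 and 4 is not implemented here.

```python
# Added example (not from the lecture): Feistel rounds, the 2-round
# distinguisher and the 4-round Luby-Rackoff permutation.
# Assumptions: n = 16 bytes per half-block; HMAC-SHA256 stands in for the PRF.
import hashlib
import hmac
import secrets

N = 16  # bytes per half-block; the permutation acts on {0,1}^{2n} = 32 bytes


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(p ^ q for p, q in zip(a, b))


def round_function(key: bytes, x: bytes) -> bytes:
    """F_S: {0,1}^n -> {0,1}^n (HMAC stand-in for a pseudo-random function)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def feistel(key: bytes, L: bytes, R: bytes) -> tuple:
    """D_f(L, R) = (R, L xor f(R))."""
    return R, xor(L, round_function(key, R))


def feistel_inv(key: bytes, L: bytes, R: bytes) -> tuple:
    """D_f^{-1}(L, R) = (R xor f(L), L): inverting costs the same as computing."""
    return xor(R, round_function(key, L)), L


def keygen(rounds: int) -> list:
    """Independent keys S_1, ..., S_rounds."""
    return [secrets.token_bytes(32) for _ in range(rounds)]


def lr_encrypt(keys: list, block: bytes) -> bytes:
    """Composition D_{S_r}(...D_{S_1}(L, R)) for the given round keys."""
    assert len(block) == 2 * N
    L, R = block[:N], block[N:]
    for k in keys:
        L, R = feistel(k, L, R)
    return L + R


def lr_decrypt(keys: list, block: bytes) -> bytes:
    assert len(block) == 2 * N
    L, R = block[:N], block[N:]
    for k in reversed(keys):
        L, R = feistel_inv(k, L, R)
    return L + R


def same_right_half_test(keys: list) -> bool:
    """The distinguisher from the 'Composing Feistel Permutations' slide: query
    (L, R) and (L', R).  After two rounds the left output half is F_{S1}(R) xor L,
    so the two left halves XOR to L xor L'.  A random permutation satisfies this
    with probability 2^-n; returns True when the relation holds."""
    L1, L2, R = secrets.token_bytes(N), secrets.token_bytes(N), secrets.token_bytes(N)
    out1 = lr_encrypt(keys, L1 + R)
    out2 = lr_encrypt(keys, L2 + R)
    return xor(out1[:N], out2[:N]) == xor(L1, L2)
```

With two rounds the test fires every time; with four rounds it fails except with probability about $2^{-n}$, in line with the $q^2/2^n$ bound stated on the slide (here q = 2). Three rounds already defeat this particular chosen-plaintext test, but, as the slide's four-round construction reflects, the adversary of the PRP definition may also query $F^{-1}_S$, and three rounds do not survive that.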

51
Security Theorem
  • Let
  • (1) $\Pi$ be the set of permutations obtained when
  • the two middle functions $G_2, G_3$ are truly random functions
  • and
  • the first and last $(h_1, h_2)$ are chosen from a
    pairwise independent family.
  • (2) $P(2n) = \{F \mid F \text{ is 1-1},\ F: \{0,1\}^{2n} \to \{0,1\}^{2n}\}$
    (the construction acts on 2n-bit blocks)
  • Theorem: For any adversary A
  • (not necessarily efficient)
  • that makes at most q queries,
  • the advantage in distinguishing a random
    permutation from $P(2n)$ from a random one from $\Pi$ is
    at most $q^2/2^n + q^2/2^{2n}$
  • Corollary: the original construction is
    computationally secure

52
Sources
  • Goldreich's Foundations of Cryptography, volumes
    1 and 2
  • Goldreich, Goldwasser and Micali, How to
    construct random functions, Journal of the ACM
    33, 1986, 792-807.
  • Luby-Rackoff, How to construct pseudorandom
    permutations from pseudorandom functions, SIAM J.
    Computing, 1988.
  • Naor-Reingold, Luby-Rackoff Revisited, Journal of
    Cryptology, 1999.