Lecturer: Moni Naor - PowerPoint PPT Presentation
1
Foundations of Cryptography, Lecture 10
Pseudo-Random Permutations and the Security of
Encryption Schemes
  • Lecturer: Moni Naor

2
Recap of last week's lecture
  • Pseudo-random function constructions
  • Pseudo-random function applications
  • Pseudo-random permutations: motivation and
    definition
  • Feistel permutations

3
Good question on pseudo-random functions
  • Want to construct a pseudo-random permutation on a
    very large domain from one on a large domain
  • F_S: {0,1}^n → {0,1}^m
  • Construct F'_S: {0,1}^{n'} → {0,1}^m
  • Idea: let H be a family of universal hash functions
    where
  • h: {0,1}^{n'} → {0,1}^n for h ∈ H
  • for any x ≠ x' we have Pr_{h ∈ H}[h(x) = h(x')] ≤ ε
  • Then F'_{S,h}(x) = F_S(h(x))
  • What can you say about the quality of F'?
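The hash families that slide 3 uses for domain extension and that slides 13 and 14 use for the first and last rounds are only required to have a small collision probability (pairwise independence in the later slides). As an added example that is not part of the lecture, here is the smallest concrete such family written out and checked exhaustively: h_{a,b}(x) = a·x + b over GF(2^4), indexed by the pair (a, b). The field GF(2^4) with modulus x^4 + x + 1, the tiny output length N = 4 (chosen so every (a, b, x) can be enumerated) and the function names are this example's own assumptions. The checks show the two properties the slides rely on: for any x ≠ x' the collision probability is exactly 2^{-N}, and every pair of targets (y, y') is hit by exactly one (a, b), which is the pairwise-independence condition behind the q²/2^n term of slide 13.

```python
N = 4                 # hash output length in bits (tiny so the family can be enumerated)
MOD = 0b10011         # x^4 + x + 1, irreducible over GF(2): arithmetic below is in GF(2^4)
SIZE = 1 << N         # number of field elements (2^N)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^N); bit i of an operand is the coefficient of x^i."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:          # degree reached N: reduce modulo x^4 + x + 1
            a ^= MOD
    return r


def h(a: int, b: int, x: int) -> int:
    """h_{a,b}(x) = a*x + b over GF(2^N); the pair (a, b) indexes the family H (assumed form)."""
    return gf_mul(a, x) ^ b


def collision_probability(x: int, x2: int) -> float:
    """Pr_{h in H}[h(x) = h(x2)] for fixed x != x2, by counting over every (a, b)."""
    hits = sum(1 for a in range(SIZE) for b in range(SIZE) if h(a, b, x) == h(a, b, x2))
    return hits / (SIZE * SIZE)


def is_pairwise_independent() -> bool:
    """For every x != x2 and every target pair (y, y2) exactly one (a, b) maps x -> y and
    x2 -> y2, i.e. Pr[h(x) = y and h(x2) = y2] = 2^-2N. Checked exhaustively."""
    for x in range(SIZE):
        for x2 in range(SIZE):
            if x == x2:
                continue
            counts = {}
            for a in range(SIZE):
                for b in range(SIZE):
                    pair = (h(a, b, x), h(a, b, x2))
                    counts[pair] = counts.get(pair, 0) + 1
            # SIZE*SIZE distinct target pairs, each reached by exactly one (a, b)
            if len(counts) != SIZE * SIZE or any(c != 1 for c in counts.values()):
                return False
    return True


if __name__ == "__main__":
    print("Pr[h(3) = h(5)] =", collision_probability(3, 5), "(expected 1/16)")
    print("pairwise independent:", is_pairwise_independent())
```

The collision count works out the way the algebra says: h(x) = h(x') forces a·(x ⊕ x') = 0, which in a field means a = 0, so exactly SIZE of the SIZE² keys collide. For a real construction N would be the block half-length and GF(2^N) arithmetic would be done with a carry-less multiply rather than a bit loop, but the property being checked is the same.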

4
Pseudo-Random Permutations
  • Block ciphers
  • Shared-key encryption schemes where
  • the encryption of every plaintext block is a
    ciphertext block of the same length.

5
Block Ciphers
  • Advantages:
  • Saves on memory and communication bandwidth
  • Easy to incorporate within existing systems.
  • Main disadvantage:
  • Every block is always encrypted in the same way.
  • Important examples: DES, AES

6
Modeling Block Ciphers
  • Pseudo-random permutations
  • F: {0,1}^k × {0,1}^n → {0,1}^n
    (key, domain, range)
  • F^{-1}: {0,1}^k × {0,1}^n → {0,1}^n
    (key, range, domain)
  • Want
  • X = F_S^{-1}(F_S(X))
  • Correct inverse
  • Efficiently computable

7
The Test
  • The tester A can choose adaptively
  • X1 and get Y1 = F_S(X1)
  • Y2 and get X2 = F_S^{-1}(Y2)
  • …
  • Xq and get Yq = F_S(Xq)
  • Then A has to decide whether
  • F_S ∈_R F_k
  • or
  • F_S ∈_R P(n) = {F | F is 1-1, F: {0,1}^n → {0,1}^n}

Can choose to evaluate or invert any point!
8
(t,ε,q)-pseudo-random
  • For a function F chosen at random from
  • (1) F_k = {F_S | S ∈ {0,1}^k}
  • (2) P(n) = {F | F is 1-1, F: {0,1}^n → {0,1}^n}
  • For all t-time machines A that choose q locations
    and try to distinguish (1) from (2)
  • | Pr[A = 1 | F ∈_R F_k]
    − Pr[A = 1 | F ∈_R P(n)] | ≤ ε

9
Construction of Pseudo-Random Permutations
  • Possible to construct
  • pseudo-random permutations
  • from
  • pseudo-random functions (and vice versa...)
  • Based on 4 Feistel permutations

10
Feistel Permutation
  • Any function f: {0,1}^n → {0,1}^n defines a
    Feistel permutation {0,1}^{2n} → {0,1}^{2n}
  • D_f(L,R) = (R, L ⊕ f(R))
  • Feistel permutations are as easy to invert as to
    compute
  • D_f^{-1}(L,R) = (R ⊕ f(L), L)
  • Many block ciphers are based on such permutations,
    where the function f is derived from the secret key

11
Feistel Permutation
D_f(L1,R1) = (R1, L1 ⊕ f(R1))
D_f^{-1}(L2,R2) = (R2 ⊕ f(L2), L2)
12
Composing Feistel Permutations
  • Make the function f: {0,1}^n → {0,1}^n a
    pseudo-random function F_S ∈_R F_k
  • This defines a keyed family of permutations
  • {0,1}^{2n} → {0,1}^{2n}
  • Clearly it is not pseudo-random
  • Right block goes unchanged to left block
  • What about composing two such keyed permutations
  • with independent keys?
  • Not pseudo-random
  • D_{S2}(D_{S1}(L,R)) = (F_{S1}(R) ⊕ L, F_{S2}(F_{S1}(R) ⊕ L) ⊕ R)
  • For two inputs sharing the same left block
  • Looks pretty good for random attacks!

Protects left block
Protects right block
13
Main Construction
  • Let F1, F2, F3, F4 ∈_R PRF; then the composition
    of D_{F1}, D_{F2}, D_{F3}, D_{F4} is a pseudo-random
    permutation.
  • Each F_i: {0,1}^n → {0,1}^n.
  • Resulting permutation: {0,1}^{2n} → {0,1}^{2n}.
  • F1 and F4 can be combinatorial:
  • pair-wise independent.
  • low probability of collision on first block
  • Error probability is q²/2^n
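Slides 10 to 13 describe the Feistel round, its inverse and the composition of rounds, and slides 7 and 12 describe the adaptive q-query test under which one and two rounds fail. The following is an added example that is not the lecture's or any library's code: it implements D_f and D_f^{-1} exactly as on slide 10, composes one round per key, and runs the two-query check of slide 12 against a 2-round and a 4-round composition. The pseudo-random function F_S is stood in for by HMAC-SHA256 truncated to n = 64 bits, and the half-block width, key handling and function names are this example's assumptions. The check picks two inputs sharing the half that the first round feeds into f (the right half in the slide-10 convention); for two rounds the left output halves are F_{S1}(R) ⊕ L1 and F_{S1}(R) ⊕ L2, so their XOR equals L1 ⊕ L2 with certainty, whereas a random permutation of {0,1}^{2n} satisfies that relation only with probability 2^{-n}.

```python
import hashlib
import hmac
import secrets

HALF = 8  # bytes per half-block: n = 64 bits, so the permutation acts on {0,1}^128


def prf(key: bytes, x: bytes) -> bytes:
    """A keyed function f: {0,1}^n -> {0,1}^n. HMAC-SHA256 truncated to n bits stands in
    for the pseudo-random function F_S of the slides (an assumption of this example)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(f, L: bytes, R: bytes):
    """D_f(L, R) = (R, L xor f(R))."""
    return R, xor(L, f(R))


def feistel_inv(f, L: bytes, R: bytes):
    """D_f^{-1}(L, R) = (R xor f(L), L): one evaluation of f, same cost as the forward direction."""
    return xor(R, f(L)), L


def compose_feistel(keys):
    """Return (enc, dec) for the composition D_{F_1}, ..., D_{F_k}, one round per key.
    Four independent keys give the construction of slide 13."""
    fs = [lambda x, k=k: prf(k, x) for k in keys]

    def enc(block: bytes) -> bytes:
        L, R = block[:HALF], block[HALF:]
        for f in fs:                      # apply the rounds in order
            L, R = feistel(f, L, R)
        return L + R

    def dec(block: bytes) -> bytes:
        L, R = block[:HALF], block[HALF:]
        for f in reversed(fs):            # undo the rounds in reverse order
            L, R = feistel_inv(f, L, R)
        return L + R

    return enc, dec


def two_query_relation_holds(enc) -> bool:
    """The q = 2 test of slides 7 and 12: query (L1, R) and (L2, R), which share the half the
    first round feeds into f. Returns True when the left output halves XOR to L1 xor L2.
    Two rounds: always True. Random permutation (or 4 rounds): True with probability 2^-n."""
    L1, L2, R = (secrets.token_bytes(HALF) for _ in range(3))
    c1, c2 = enc(L1 + R), enc(L2 + R)
    return xor(c1[:HALF], c2[:HALF]) == xor(L1, L2)


if __name__ == "__main__":
    keys = [secrets.token_bytes(16) for _ in range(4)]
    enc4, dec4 = compose_feistel(keys)
    enc2, _ = compose_feistel(keys[:2])
    m = secrets.token_bytes(2 * HALF)
    print("4-round round-trip ok:", dec4(enc4(m)) == m)
    print("2-round relation holds:", two_query_relation_holds(enc2))
    print("4-round relation holds:", two_query_relation_holds(enc4))
```

Running the script shows the round trip succeeding for any number of rounds (the inverse never needs f to be invertible) and the two-query relation holding every time for two rounds while it essentially never holds for four, which is the distinction the distinguishing test of slides 7 and 8 is designed to measure. Note that the check demonstrates a structural property of the construction; it says nothing about a particular cipher's key.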

14
Security Theorem
  • Let
  • (1) Π be the set of permutations obtained when
  • the two middle ones are Feistel permutations based
    on truly random functions G_{S1}, G_{S2}
  • and
  • the first and last are (h1, h2) chosen from a
    pairwise independent family.
  • (2) P(2n) = {F | F is 1-1, F: {0,1}^{2n} → {0,1}^{2n}}
  • Theorem: For any adversary A
  • not necessarily efficient
  • that makes at most q queries
  • the advantage in distinguishing between a random
    permutation from P(2n) and a random one from Π is
    at most q²/2^n + q²/2^{2n}
  • Corollary: the original construction is
    computationally secure

[Figure: the composition h1, then D1, then D2, then h2^{-1}]
15
Back to two permutations
  • For each pair of input and output blocks, (L1,R1)
    is mapped to (L2,R2) if and only if
  • G_{S1}(R1) = L1 ⊕ L2
  • G_{S2}(L2) = R1 ⊕ R2
  • So we have one-wise independence
  • Happens with probability 1/2^{2n}
  • Furthermore, for any q pairs
  • ⟨(L1^1,R1^1), (L2^1,R2^1)⟩, ⟨(L1^2,R1^2), (L2^2,R2^2)⟩,
    …, ⟨(L1^q,R1^q), (L2^q,R2^q)⟩
  • such that
  • for j ≠ i: R1^j ≠ R1^i and L2^j ≠ L2^i
  • the probability that all are mapped to each other
    is 1/2^{2qn}

[Figure: two-round output (L2, R2) = (G_{S1}(R1) ⊕ L1, G_{S2}(G_{S1}(R1) ⊕ L1) ⊕ R1)]
16
The Transcript
  • May assume A is deterministic
  • since it is not computationally bounded
  • The transcript T is the set of pairs of
    inputs/outputs
  • (X1,Y1), (X2,Y2), …, (Xq,Yq)
  • queried by A
  • Queries can go either way (evaluate or invert)
  • Consider a third distribution P' of responses:
  • if A
  • asks for F(x) and x appeared before in an ⟨x,y⟩
    query
  • answer y
  • asks for F^{-1}(y) and y appeared before in an
    ⟨x,y⟩ query
  • answer x
  • Otherwise answer a random z ∈ {0,1}^{2n}.
  • P' is not always consistent with some permutation
  • Call the resulting transcript inconsistent

17
P' is close to P
  • Claim: A may differentiate between P and P' only
    if the transcript is inconsistent
  • Claim (inconsistent):
  • Prob_{P'}[T is inconsistent] ≤ q²/2^{2n}
  • Proof: birthday
  • It remains to bound the difference between P' and
    Π

18
The BAD event
  • Thought experiment: choose the functions (h1,
    h2) also for process P'
  • Serves no purpose there
  • If T = (X1,Y1), (X2,Y2), …, (Xq,Yq) is
    consistent, it is BAD for functions (h1, h2) if
    there exist j ≠ i such that either
  • h1(x_i) collides with the right half of h1(x_j)
  • h2(y_i) collides with the left half of h2(y_j)
  • BAD event: either T is inconsistent or T is BAD
    for (h1, h2)
  • Claim: Prob_{P'}[BAD] ≤ q²/2^n + q²/2^{2n}

For a query the probability of collision is based on
pairwise independence
19
Key Lemma
  • Lemma: For any adversary A, for any possible
    value
  • V = (X1,Y1), (X2,Y2), …, (Xq,Yq)
  • Prob_{P'}[T = V and not BAD] =
  • Prob_G[T = V and not BAD]
  • It is either 2^{-2qn} or 0

20
Concluding the proof
  • By summing the Key Lemma over all transcripts
  • Prob_{P'}[not BAD] = Prob_G[not BAD]
  • this implies
  • Prob_{P'}[BAD] = Prob_G[BAD]
  • By summing the Key Lemma over all transcripts for
    which A outputs 1
  • Prob_{P'}[A outputs 1 and not BAD] =
  • Prob_G[A outputs 1 and not BAD]
  • Hence
  • |Prob_{P'}[A outputs 1] − Prob_G[A outputs 1]| ≤
  • Prob_{P'}[BAD] ≤ q²/2^n + q²/2^{2n}
  • By the inconsistent Claim P and P' are close and
    we are done

21
The world so far
Pseudo-random generators
Pseudo-random Functions
Signature Schemes
One-way functions
Two guards Identification
Pseudo-random Permutations
UOWHFs
P ≠ NP
  • Will soon see
  • Computational Pseudorandomness
  • Shared-key Encryption and Authentication

22
Other Constructions
  • Generalized Feistel permutations
  • Generalized construction of pseudo-random
    permutations
  • The first and last rounds as before.
  • The two middle Feistel permutations are replaced
    with t generalized Feistel permutations.
  • The distinguishing probability is roughly
    q²/2^{2(1−1/t)n}
  • Construction of long pseudo-random permutations
    from short ones
  • First and last round combinatorial
  • In the middle, independent applications of the
    short pseudo-random permutations

23
Encryption Using Pseudo-Random Permutations
  • Sender and receiver share a secret key S ∈_R
    {0,1}^k
  • S defines a function F_S ∈ F_k
  • What is wrong with encrypting X with F_S(X)?

24
Definition of the Security of Encryption
  • Information-theoretic setting
  • If Eve has some knowledge of m, it should remain the
    same:
  • Probability of guessing m
  • Min-entropy of m
  • Probability of guessing whether m is m0 or m1
  • Probability of computing some function f of m
  • Ideally the ciphertext sent is independent of
    the message m
  • Implies all the above
  • Shannon: achievable only if the entropy of the
    shared secret is at least as large as the entropy
    of the message m
  • If no special knowledge about m
  • then |m| shared bits that may be used once!
  • Several settings
  • Shared key vs. public key
  • How active is the adversary
  • Sender and receiver want to prevent Eve from
    learning anything about the message
  • Want to simulate as much as possible the
    protection that an information-theoretic
    encryption scheme provides

25
To specify security of encryption
  • The power of the adversary
  • computational:
  • probabilistic polynomial time machine (PPTM)
  • access to the system:
  • can it change the messages?
  • What constitutes a failure of the system
  • What it means to break the system:
  • reading a message?
  • forging a message?

26
Computational Security of Encryption: Indistinguishability
of Encryptions
  • Indistinguishability of encrypted strings
  • Adversary A chooses X0, X1 ∈ {0,1}^n
  • receives encryption of X_b for b ∈_R {0,1}
  • has to decide whether b = 0 or b = 1.
  • For every pptm A, choosing a pair X0, X1 ∈ {0,1}^n
  • | Pr[A = 1 | b = 1] − Pr[A = 1 | b = 0] |
  • is negligible.
  • Probability is over the choice of keys,
    randomization in the encryption and A's coins.
  • In other words: encryptions of X0, X1 are
    indistinguishable
  • Quantification over the choice of X0, X1 ∈ {0,1}^n

27
Computational Security of Encryption: Semantic
Security
  • Whatever adversary A can compute on encrypted
    string X ∈ {0,1}^n, so can A' that does not see
    the encryption of X, yet simulates A's knowledge
    with respect to X
  • A selects
  • Distribution D_n on {0,1}^n
  • Relation R(X,Y), computable in probabilistic
    polynomial time
  • For every pptm A choosing a distribution D_n on
    {0,1}^n there is a pptm A' so that for all pptm
    relations R
  • for X ∈_R D_n
  • | Pr[R(X, A(E(X)))] − Pr[R(X, A'(·))] |
  • is negligible
  • In other words:
  • The outputs of A and A' are indistinguishable
    even for a tester who is aware of X
  • Note: this presentation of semantic security is
    non-standard (but equivalent)

28
[Figure: semantic security. A gets D_n and E(X) for X ∈_R D_n; A' gets D_n only; each outputs a Y, and the relation R(X,Y) should hold with approximately (≈) the same probability for both.]
29
What is a public-key encryption scheme
  • Allows Alice to publish a public key KP while
    keeping hidden a secret key KS
  • Key generation: G: {0,1}^* → {0,1}^* × {0,1}^*,
    outputting KP (public) and KS (secret)
  • Anyone who is given KP and m can encrypt it
  • Encryption: a method
  • E: {0,1}^* × {0,1}^* × {0,1}^* → {0,1}^*
  • taking public key KP, message (plaintext) m and
    random coins r, and outputting an encrypted message
    (ciphertext).
  • Given a ciphertext and the secret key it is possible
    to decrypt it
  • Decryption: a method
  • D: {0,1}^* × {0,1}^* × {0,1}^* → {0,1}^*
  • taking secret key KS, public key KP and
    ciphertext c, and outputting a plaintext m. Require
  • D(KS, KP, E(KP, m, r)) = m

30
Equivalence of Semantic Security and
Indistinguishability of Encryptions
  • Would like to argue their equivalence
  • Must define the attack
  • Otherwise cannot fully talk about an attack
  • Chosen plaintext attacks
  • Adversary can obtain the encryption of any
    message it wishes
  • In an adaptive manner
  • Certainly feasible in a public-key setting
  • Minimal one that makes sense there
  • What about shared-key encryption?
  • More severe attacks
  • Chosen ciphertext

Encryption process must be probabilistic!
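Slide 23 asks what is wrong with encrypting X as F_S(X), slide 26 defines indistinguishability of encryptions, and slide 30 gives the adversary adaptive chosen-plaintext access; the callout above states the conclusion. The following added example (not code from the lecture, and not a real cipher) puts the three together by running the indistinguishability game against two schemes built from the same keyed function: the deterministic E(X) = F_S(X) and a randomized E(X; r) = (r, F_S(r) ⊕ X) that consumes fresh coins per encryption. F_S is stood in for by HMAC-SHA256 truncated to a 16-byte block; the block size, the specific randomized scheme and all names are this example's assumptions. The adversary used here needs a single oracle query: it asks for E(X0) and compares the answer with the challenge ciphertext. Against the deterministic scheme that comparison is always right, which is exactly the "every block is always encrypted in the same way" weakness of slide 5; against the randomized scheme the same adversary is reduced to guessing.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes; n = 128 bits


def f_s(key: bytes, x: bytes) -> bytes:
    """Keyed function F_S: {0,1}^n -> {0,1}^n. HMAC-SHA256 truncated to one block stands in
    for the pseudo-random permutation of slide 23 (an assumption of this example)."""
    return hmac.new(key, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def deterministic_encrypt(key: bytes, m: bytes) -> bytes:
    """E(X) = F_S(X): the scheme slide 23 asks about. No coins, so equal messages give equal ciphertexts."""
    return f_s(key, m)


def randomized_encrypt(key: bytes, m: bytes) -> bytes:
    """E(X; r) = (r, F_S(r) xor X) with fresh coins r for every encryption (constructed for this example)."""
    r = secrets.token_bytes(BLOCK)
    return r + xor(f_s(key, r), m)


def randomized_decrypt(key: bytes, c: bytes) -> bytes:
    r, body = c[:BLOCK], c[BLOCK:]
    return xor(f_s(key, r), body)


def ind_cpa_game(encrypt, adversary, trials: int = 500) -> float:
    """The indistinguishability game of slide 26 under the chosen-plaintext attack of slide 30.
    The adversary gets an encryption oracle, names X0 and X1, and must guess b from E(X_b).
    Returns the fraction of trials in which the guess was right; 1/2 means no advantage."""
    wins = 0
    for _ in range(trials):
        key = secrets.token_bytes(32)
        x0, x1, guess = adversary(lambda m: encrypt(key, m))   # adaptive oracle access
        b = secrets.randbelow(2)
        challenge = encrypt(key, x1 if b else x0)
        wins += guess(challenge) == b
    return wins / trials


def replay_adversary(oracle):
    """Queries E(X0) once, then compares the challenge with that ciphertext."""
    x0, x1 = bytes(BLOCK), bytes([0xFF]) * BLOCK
    c0 = oracle(x0)
    return x0, x1, lambda challenge: 0 if challenge == c0 else 1


if __name__ == "__main__":
    print("deterministic:", ind_cpa_game(deterministic_encrypt, replay_adversary))
    print("randomized:   ", ind_cpa_game(randomized_encrypt, replay_adversary))
```

The success rate is a direct estimate of the quantity in slide 26: a rate of 1 means |Pr[A = 1 | b = 1] − Pr[A = 1 | b = 0]| = 1, while a rate near 1/2 means the adversary's two conditional probabilities coincide. The randomized scheme is only safe against this particular adversary if r is never reused; repeating r would make two encryptions of the same message collide again and bring the deterministic failure back.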
31
Security of public key cryptosystems: exact
timing
  • Adversary A gets public key KP
  • Then A can mount an adaptive attack
  • No need for further interaction, since it can do all
    the encryption on its own
  • Then A chooses
  • in semantic security: the distribution D_n and the
    relation R
  • in indistinguishability of encryptions: the pair
    X0, X1 ∈ {0,1}^n
  • Then A is given the test
  • in semantic security: E(KP, X, r) for X ∈_R D_n and
    r ∈_R {0,1}^m
  • in indistinguishability of encryptions: E(KP, X_b,
    r) for b ∈_R {0,1} and r ∈_R {0,1}^m

32
The Equivalence Theorem
  • For adaptive chosen plaintext attack in a public
    key setting a cryptosystem is semantically
    secure if and only if it has the
    indistinguishability of encryptions property

33
Equivalence Proof
  • If a scheme has the indistinguishability
    property, then it is semantically secure
  • Suppose not, and A chooses
  • some distribution D_n
  • some relation R
  • Choose X0, X1 ∈_R D_n and run A twice on
  • C0 = E(KP, X0, r0); call the output Y0
  • C1 = E(KP, X1, r1); call the output Y1
  • For X0, X1 ∈_R D_n let
  • α0 = Prob[R(X0, Y0)]
  • α1 = Prob[R(X0, Y1)]
  • If |α0 − α1| is not negligible, can distinguish
    between the encryption of X0 and of X1
  • Contradicting the indistinguishability property
  • If |α0 − α1| is negligible, can run A' with no
    access to the real ciphertext:
  • sample X' ∈_R D_n and C = E(KP, X', r)
  • Run A on C and output Y

Here we use the power to generate encryptions
34
Equivalence Proof
[Figure: A is run on E(X_b) and outputs Y; the relation R is evaluated on (X0, Y).]
35
Equivalence Proof
[Figure: A' samples X' and forms E(X') itself, runs A on it and outputs Y; A (given E(X)) and A' each output a Y tested by R against X.]
36
Equivalence Proof
  • If a scheme is semantically secure, then it has
    the indistinguishability of encryptions property
  • Suppose not, and A chooses
  • a pair X0, X1 ∈ {0,1}^n
  • for which it can distinguish with advantage ε
  • Choose
  • Distribution D_n = {X0, X1}
  • Relation R which is equality with X
  • For any A' that does not get C = E(KP, X, r) and
    outputs Y
  • Prob_{A'}[R(X, Y)] = ½
  • By simulating A and outputting Y = X_b for guess
    b ∈ {0,1}
  • Prob_A[R(X, Y)] = ½ + ε

Even if A' is computationally unbounded
37
Similar setting
  • The same proof works for the shared-key case with
    adaptive chosen plaintext attack
  • Standard definition of semantic security:
  • Instead of A trying to find Y such that R(X,Y), A
    tries to find Y such that
  • Y = f(X)
  • f is any function (not necessarily polynomial
    time computable)
  • In spite of the difference, equivalent to our
    definition

38
What happens if
  • There is extra information about X
  • Both A and A' get h(X) for some polynomial time
    computable function h
  • h might not be invertible
  • Relation R is not polynomial time
  • Try to encrypt information about the secret key

39
When is each definition useful
  • Semantic security seems to convey that the
    message is protected
  • Not the strongest possible definition
  • Easier to prove indistinguishability of
    encryptions

40
Sources
  • Luby and Rackoff, How to construct pseudorandom
    permutations from pseudorandom functions, SIAM J.
    Computing, 1988.
  • Naor and Reingold, Luby-Rackoff Revisited, Journal of
    Cryptology, 1999.
  • Goldwasser and Micali, Probabilistic Encryption,
    Journal of Computer and System Sciences, 1984.
  • Goldreich's Foundations of Cryptography, volume 2