Lecturer: Moni Naor Foundations of Cryptography Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes


Page 1:

Lecturer: Moni Naor

Foundations of Cryptography

Lecture 10: Pseudo-Random Permutations and the Security of Encryption Schemes

Page 2:

Recap of last week's lecture
• Pseudo-random function constructions
• Pseudo-random function applications
• Pseudo-random permutations: motivation and definition
• Feistel permutations

Page 3:

Good question on pseudo-random functions

Want to construct a pseudo-random permutation on a very large domain from one on a large domain:
• $F_S: \{0,1\}^n \to \{0,1\}^m$
• Construct $F'_{S'}: \{0,1\}^{n'} \to \{0,1\}^m$

Idea: let $H$ be a family of universal hash functions where
– $h: \{0,1\}^{n'} \to \{0,1\}^n$ for $h \in H$
– for any $x \neq x'$, $\Pr_{h \in H}[h(x) = h(x')]$ is at most the collision bound of the family

Then $F'_{S,h}(x) = F_S(h(x))$

What can you say about the quality of $F'$?

Page 4:

Pseudo-Random Permutations

Block ciphers: shared-key encryption schemes where the encryption of every plaintext block is a ciphertext block of the same length.

[Figure: block cipher BC takes Key and Plaintext as inputs and outputs Ciphertext]

Page 5:

Block Ciphers

Advantages
– Save on memory and communication bandwidth
– Easy to incorporate within existing systems

Main disadvantage
– Every block is always encrypted in the same way

• Important examples: DES, AES

Page 6:

Modeling Block Ciphers

• Pseudo-random permutations
$F: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, domain, range)
$F^{-1}: \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ (key, range, domain)

Want:
– $X = F_S^{-1}(F_S(X))$ (correct inverse)
– Efficiently computable

Page 7:

The Test

The tester A can choose adaptively
– $X_1$ and get $Y_1 = F_S(X_1)$
– $Y_2$ and get $X_2 = F_S^{-1}(Y_2)$
…
– $X_q$ and get $Y_q = F_S(X_q)$

• Then A has to decide whether
– $F_S \in_R \Phi_k$, or
– $F_S \in_R P(n) = \{F \mid F: \{0,1\}^n \to \{0,1\}^n \text{ is 1-1}\}$

Can choose to evaluate or invert any point!

Page 8:

$(t, \varepsilon, q)$-pseudo-random

For a function F chosen at random from
(1) $\Phi_k = \{F_S \mid S \in \{0,1\}^k\}$
(2) $P(n) = \{F \mid F: \{0,1\}^n \to \{0,1\}^n \text{ is 1-1}\}$

For all t-time machines A that choose q locations and try to distinguish (1) from (2):
$\bigl|\Pr[A = \text{'1'} \mid F \in_R \Phi_k] - \Pr[A = \text{'1'} \mid F \in_R P(n)]\bigr| \le \varepsilon$

Page 9:

Construction of Pseudo-Random Permutations

• Possible to construct pseudo-random permutations from pseudo-random functions (and vice versa...)
• Based on 4 Feistel permutations

Page 10:

Feistel Permutation

Any function $f: \{0,1\}^n \to \{0,1\}^n$ defines a Feistel permutation $\{0,1\}^{2n} \to \{0,1\}^{2n}$:
$D_f(L, R) = (R,\; L \oplus f(R))$

Feistel permutations are as easy to invert as to compute:
$D_f^{-1}(L, R) = (R \oplus f(L),\; L)$

Many block ciphers are based on such permutations, where the function f is derived from the secret key.

Page 11:

Feistel Permutation

[Figure: one Feistel round with round function f, mapping the input halves $(L_1, R_1)$ to the output halves $(L_2, R_2)$]

$D_f(L_1, R_1) = (R_1,\; L_1 \oplus f(R_1))$
$D_f^{-1}(L_2, R_2) = (R_2 \oplus f(L_2),\; L_2)$

Page 12:

Composing Feistel Permutations

• Make the function $f: \{0,1\}^n \to \{0,1\}^n$ a pseudo-random function $F_S \in_R \Phi_k$
• This defines a keyed family of permutations $\{0,1\}^{2n} \to \{0,1\}^{2n}$
• Clearly it is not pseudo-random
– The right block goes unchanged to the left block

What about composing two such keyed permutations with independent keys?
• Not pseudo-random: $D_{S_2}(D_{S_1}(L, R)) = (F_{S_1}(R) \oplus L,\; F_{S_2}(F_{S_1}(R) \oplus L) \oplus R)$
– For two inputs sharing the same left block
– Looks pretty good for random attacks!

[Figure: the first round protects the left block, the second round protects the right block]

Page 13:

Main Construction

Let $F_1, F_2, F_3, F_4 \in_R \mathrm{PRF}$; then the composition of $D_{F_1}, D_{F_2}, D_{F_3}, D_{F_4}$ is a pseudo-random permutation.

• Each $F_i: \{0,1\}^n \to \{0,1\}^n$. Resulting permutation: $\{0,1\}^{2n} \to \{0,1\}^{2n}$.
• $F_1$ and $F_4$ can be "combinatorial":
– pairwise independent
– low probability of collision on the first block
• Error probability is $\sim q^2/2^n$
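As an added example (not code from the lecture), the following Python implements the Feistel permutation of pages 10–11, its inverse, and the round compositions of pages 12–13, and checks the two observations of page 12 on sample blocks. The SHA-256-based keyed round function and 32-bit half blocks are assumptions of this example; the slides only require the round function to be pseudo-random.

```python
import hashlib
import os

# Added example (not code from the lecture): a toy Feistel network over
# 2n-bit blocks with n = 32.  The round function f is a keyed function
# built from SHA-256; the slides only require f to be pseudo-random, so
# using SHA-256 keyed by prefixing is an assumption made here.
HALF = 4  # bytes per half block (n = 32 bits)

def f(key: bytes, x: bytes) -> bytes:
    """Round function F_S(x) on a half block x under key S."""
    return hashlib.sha256(key + x).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def D(key: bytes, L: bytes, R: bytes):
    """Feistel permutation D_f(L, R) = (R, L xor f(R))."""
    return R, xor(L, f(key, R))

def D_inv(key: bytes, L: bytes, R: bytes):
    """Inverse D_f^{-1}(L, R) = (R xor f(L), L): one evaluation of f, like D."""
    return xor(R, f(key, L)), L

def compose(keys, L, R):
    """Apply D_{F_1}, ..., D_{F_r} in order; four keys give the main construction."""
    for k in keys:
        L, R = D(k, L, R)
    return L, R

def compose_inv(keys, L, R):
    """Undo compose(): apply the inverse rounds in reverse order."""
    for k in reversed(keys):
        L, R = D_inv(k, L, R)
    return L, R

def roundtrip_ok(keys, L, R) -> bool:
    return compose_inv(keys, *compose(keys, L, R)) == (L, R)

def one_round_leaks(key, L, R) -> bool:
    """Page 12: a single round sends the right input block unchanged to the left output."""
    return D(key, L, R)[0] == R

def two_round_relation(k1, k2, L, L_alt, R) -> bool:
    """From D_S2(D_S1(L,R)) = (F_S1(R) xor L, ...) on page 12: two inputs with the
    same R give left outputs whose XOR is L xor L', whatever the keys are."""
    out1 = compose([k1, k2], L, R)
    out2 = compose([k1, k2], L_alt, R)
    return xor(out1[0], out2[0]) == xor(L, L_alt)

if __name__ == "__main__":
    keys = [os.urandom(16) for _ in range(4)]     # four independent round keys
    L, R, L_alt = os.urandom(HALF), os.urandom(HALF), os.urandom(HALF)
    print("4-round round trip:", roundtrip_ok(keys, L, R))                       # True
    print("1-round leaks right block:", one_round_leaks(keys[0], L, R))          # True
    print("2-round relation holds:", two_round_relation(keys[0], keys[1], L, L_alt, R))  # True
```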

Page 14:

Security Theorem

Let (1) be the set of permutations obtained when the two middle rounds are Feistel permutations based on truly random functions $G_{S_1}, G_{S_2}$ and the first and last are $(h_1, h_2)$ chosen from a pairwise independent family.

(2) $P(2n) = \{F \mid F: \{0,1\}^{2n} \to \{0,1\}^{2n} \text{ is 1-1}\}$

Theorem: For any adversary A – not necessarily efficient – that makes at most q queries, the advantage in distinguishing between a random permutation from $P(2n)$ and a random one from (1) is at most $q^2/2^n + q^2/2^{2n}$.

Corollary: the original construction is computationally secure.

[Figure: the permutation is the composition of $h_1$, then $D_1$, $D_2$, then $h_2^{-1}$]

Page 15:

Back to two permutations

For each pair of input and output blocks, $(L_1, R_1)$ is mapped to $(L_2, R_2)$ if and only if
• $G_{S_1}(R_1) = L_1 \oplus L_2$
• $G_{S_2}(L_2) = R_1 \oplus R_2$

• So we have "one-wise independence":
– Happens with probability $1/2^{2n}$

• Furthermore: for any q pairs
$\langle (L_1^1, R_1^1) \mapsto (L_2^1, R_2^1) \rangle,\ \langle (L_1^2, R_1^2) \mapsto (L_2^2, R_2^2) \rangle,\ \ldots,\ \langle (L_1^q, R_1^q) \mapsto (L_2^q, R_2^q) \rangle$
such that for $j \neq i$: $R_1^j \neq R_1^i$ and $L_2^j \neq L_2^i$,
the probability that all are mapped to each other is $1/2^{2qn}$

[Figure: the two rounds map $(L_1, R_1)$ to $(G_{S_1}(R_1) \oplus L_1,\; G_{S_2}(G_{S_1}(R_1) \oplus L_1) \oplus R_1) = (L_2, R_2)$]

Page 16:

The Transcript

• May assume A is deterministic
– Since it is not computationally bounded
• The transcript T is the set of pairs of inputs/outputs $(X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$ queried by A
– Queries can go either way (evaluate or invert)

• Consider a third distribution $\tilde{P}$ of responses: if A
– asks for $F(x)$ and x appeared before in a query $\langle x, y \rangle$: answer y
– asks for $F^{-1}(y)$ and y appeared before in a query $\langle x, y \rangle$: answer x
– otherwise answer a random $z \in \{0,1\}^{2n}$

• $\tilde{P}$ is not always consistent with some permutation
– Call the resulting transcript inconsistent

Page 17:

$\tilde{P}$ is close to P

Claim: A may differentiate between $\tilde{P}$ and P only if the transcript is inconsistent

Claim ["inconsistent"]: $\Pr_{\tilde{P}}[T \text{ is inconsistent}] \le q^2/2^{2n}$

Proof: birthday

It remains to bound the difference between $\tilde{P}$ and (1)

Page 18:

The BAD event

Thought experiment: choose the functions $(h_1, h_2)$ also for process $\tilde{P}$
– Serves no purpose there

If $T = (X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$ is consistent, it is BAD for functions $(h_1, h_2)$ if there exist $j \neq i$ such that either
– $h_1(x_i)$ collides with the right half of $h_1(x_j)$, or
– $h_2(y_i)$ collides with the left half of $h_2(y_j)$

BAD event: either T is inconsistent or T is BAD for $(h_1, h_2)$

Claim: $\Pr_{\tilde{P}}[\mathrm{BAD}] \le q^2/2^n + q^2/2^{2n}$

For a query, the probability of collision is based on pairwise independence

Page 19:

Key Lemma

Lemma: For any adversary A, for any possible value $V = (X_1, Y_1), (X_2, Y_2), \ldots, (X_q, Y_q)$:
$\Pr_{\tilde{P}}[T = V \text{ and not BAD}] = \Pr_{(1)}[T = V \text{ and not BAD}]$

It is either $2^{-2qn}$ or 0

Page 20:

Concluding the proof

By summing the Key Lemma over all transcripts:
• $\Pr_{\tilde{P}}[\text{not BAD}] = \Pr_{(1)}[\text{not BAD}]$; this implies
• $\Pr_{\tilde{P}}[\mathrm{BAD}] = \Pr_{(1)}[\mathrm{BAD}]$

By summing the Key Lemma over all transcripts for which A outputs '1':
$\Pr_{\tilde{P}}[A \text{ outputs '1' and not BAD}] = \Pr_{(1)}[A \text{ outputs '1' and not BAD}]$

Hence:
$\bigl|\Pr_{\tilde{P}}[A \text{ outputs '1'}] - \Pr_{(1)}[A \text{ outputs '1'}]\bigr| \le \Pr_{\tilde{P}}[\mathrm{BAD}] \le q^2/2^n + q^2/2^{2n}$

By the "inconsistent" Claim, $\tilde{P}$ and P are close and we are done

Page 21:

The world so far

[Figure: map of the primitives seen so far: P ≠ NP; One-way functions; Pseudo-random generators; Pseudo-random Functions; Pseudo-random Permutations; UOWHFs; Signature Schemes; Two-guards Identification]

Will soon see:
• Computational Pseudorandomness
• Shared-key Encryption and Authentication

Page 22:

Other Constructions

• Generalized Feistel permutations
• Generalized construction of pseudo-random permutations:
– The first and last rounds as before
– The two middle Feistel permutations are replaced with t generalized Feistel permutations
– The distinguishing probability is roughly $q^2/2^{2(1 - 1/t)n}$
• Construction of long pseudo-random permutations from short ones:
– First and last round combinatorial
– In the middle, independent applications of the short pseudo-random permutations

Page 23:

Encryption Using Pseudo-Random Permutations

• Sender and receiver share a secret key $S \in_R \{0,1\}^k$
• S defines a function $F_S \in \Phi_k$
• What is wrong with encrypting X with $F_S(X)$?

Page 24:

Definition of the Security of Encryption

• Several settings
– Shared key vs public key
– How active is the adversary
• Sender and receiver want to prevent Eve from learning anything about the message
• Want to simulate as much as possible the protection that an information-theoretic encryption scheme provides

Information Theoretic Setting

• If Eve has some knowledge of m, it should remain the same:
– Probability of guessing m (min-entropy of m)
– Probability of guessing whether m is $m_0$ or $m_1$
– Probability of computing some function f of m
• Ideally: the ciphertext sent is independent of the message m
– Implies all the above
• Shannon: achievable only if the entropy of the shared secret is at least as large as the entropy of the message m
• If no special knowledge about m, then |m| shared bits, which may be used once!

Page 25:

To specify security of encryption

• The power of the adversary – computational
• Probabilistic polynomial time machine (PPTM)
– Access to the system
• Can it change the messages?
• What constitutes a failure of the system? What it means to break the system:
– Reading a message
– Forging a message?

Page 26:

Computational Security of Encryption: Indistinguishability of Encryptions

Indistinguishability of encrypted strings:
• Adversary A chooses $X_0, X_1 \in \{0,1\}^n$
• receives the encryption of $X_b$ for $b \in_R \{0,1\}$
• has to decide whether $b = 0$ or $b = 1$

For every pptm A, choosing a pair $X_0, X_1 \in \{0,1\}^n$:
$\bigl|\Pr[A = \text{'1'} \mid b = 1] - \Pr[A = \text{'1'} \mid b = 0]\bigr|$ is negligible.

Probability is over the choice of keys, randomization in the encryption and A's coins.

In other words: encryptions of $X_0, X_1$ are indistinguishable

Quantification over the choice of $X_0, X_1 \in \{0,1\}^n$

Page 27:

Computational Security of Encryption: Semantic Security

Whatever adversary A can compute on an encrypted string $X \in \{0,1\}^n$, so can A' that does not see the encryption of X, yet simulates A's knowledge with respect to X.

A selects:
• Distribution $D_n$ on $\{0,1\}^n$
• Relation $R(X, Y)$ – computable in probabilistic polynomial time

For every pptm A choosing a distribution $D_n$ on $\{0,1\}^n$ there is a pptm A' so that for all pptm relations R, for $X \in_R D_n$:
$\bigl|\Pr[R(X, A(E(X)))] - \Pr[R(X, A'())]\bigr|$ is negligible

In other words: the outputs of A and A' are indistinguishable even for a tester who is aware of X

Note: this presentation of semantic security is non-standard (but equivalent)

Page 28:

[Figure: $X \in_R D_n$; A receives $E(X)$ and outputs Y, which is tested by $R(X, Y)$; A' receives no ciphertext and outputs Y, tested by the same $R(X, Y)$; the two success probabilities are approximately equal]

Page 29:

What is a public-key encryption scheme

• Allows Alice to publish a public key $K_P$ while keeping hidden a secret key $K_S$
Key generation: $G: \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$ outputting $K_P$ (public) and $K_S$ (secret)
• "Anyone" who is given $K_P$ and m can encrypt it
Encryption: a method $E: \{0,1\}^* \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ taking public key $K_P$, message (plaintext) m, random coins r and outputting an encrypted message (ciphertext)
• Given a ciphertext and the secret key it is possible to decrypt it
Decryption: a method $D: \{0,1\}^* \times \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ taking secret key $K_S$, public key $K_P$, and ciphertext c and outputting a plaintext m
Require $D(K_S, K_P, E(K_P, m, r)) = m$

Page 30:

Equivalence of Semantic Security and Indistinguishability of Encryptions

• Would like to argue their equivalence
• Must define the attack
– Otherwise cannot fully talk about an attack
• Chosen plaintext attacks
– Adversary can obtain the encryption of any message it wishes
– In an adaptive manner
– Certainly feasible in a public-key setting
• Minimal one that makes sense there
– What about shared-key encryption?
• More severe attacks
– Chosen ciphertext

Encryption process must be probabilistic!
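The indistinguishability game of page 26, played with the chosen-plaintext oracle of page 30 against the deterministic scheme $F_S(X)$ asked about on page 23 and a randomized variant, as an added example that is not part of the lecture. Modelling $F_S$ with keyed SHA-256, the 16-byte block size and the particular randomized scheme $(r, F_S(r) \oplus X)$ are assumptions of this example.

```python
import hashlib
import os

# Added example (not from the lecture): the indistinguishability game of
# page 26 with a chosen-plaintext oracle (page 30), run against two
# shared-key schemes built from a keyed function F_S.  Modelling F_S as
# SHA-256 keyed by prefixing S, and the 16-byte block, are assumptions
# made here so the example is self-contained.
BLOCK = 16

def F(S: bytes, x: bytes) -> bytes:
    """Stand-in for the pseudo-random function/permutation F_S."""
    return hashlib.sha256(S + x).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc_deterministic(S: bytes, X: bytes) -> bytes:
    """Page 23's question: encrypt X as F_S(X).  Equal plaintexts give equal ciphertexts."""
    return F(S, X)

def enc_randomized(S: bytes, X: bytes) -> bytes:
    """Fresh coins r for every message: (r, F_S(r) xor X)."""
    r = os.urandom(BLOCK)
    return r + xor(F(S, r), X)

def dec_randomized(S: bytes, C: bytes) -> bytes:
    """The receiver recomputes F_S(r) from the transmitted r."""
    r, body = C[:BLOCK], C[BLOCK:]
    return xor(F(S, r), body)

class OracleCompareAdversary:
    """Asks the oracle to encrypt X0 and compares the answer with the challenge."""
    def choose(self):
        return bytes(BLOCK), b"\x01" * BLOCK          # X0, X1
    def decide(self, oracle, X0, X1, C) -> int:
        return 0 if oracle(X0) == C else 1           # output '1' means "b = 1"

def ind_cpa_advantage(enc, adversary, trials: int = 100) -> float:
    """Empirical |Pr[A = '1' | b = 1] - Pr[A = '1' | b = 0]| over fresh keys.
    Both values of b are played in every trial so the two conditionals are well defined."""
    ones = [0, 0]
    for _ in range(trials):
        for b in (0, 1):
            S = os.urandom(16)                       # fresh shared key
            oracle = lambda X, S=S: enc(S, X)        # chosen-plaintext oracle
            X0, X1 = adversary.choose()
            challenge = enc(S, (X0, X1)[b])
            ones[b] += adversary.decide(oracle, X0, X1, challenge)
    return abs(ones[1] - ones[0]) / trials

if __name__ == "__main__":
    adv = OracleCompareAdversary()
    print("deterministic F_S(X):", ind_cpa_advantage(enc_deterministic, adv))        # 1.0
    print("randomized (r, F_S(r) xor X):", ind_cpa_advantage(enc_randomized, adv))   # 0.0
```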

Page 31:

Security of public key cryptosystems: exact timing

• Adversary A gets the public key $K_P$
• Then A can mount an adaptive attack
– No need for further interaction since it can do all the encryption on its own
• Then A chooses
– In semantic security: the distribution $D_n$ and the relation R
– In indistinguishability of encryptions: the pair $X_0, X_1 \in \{0,1\}^n$
• Then A is given the test
– In semantic security: $E(K_P, X, r)$ for $X \in_R D_n$ and $r \in_R \{0,1\}^m$
– In indistinguishability of encryptions: $E(K_P, X_b, r)$ for $b \in_R \{0,1\}$ and $r \in_R \{0,1\}^m$

Page 32:

The Equivalence Theorem

• For adaptive chosen plaintext attack in a public-key setting, a cryptosystem is semantically secure if and only if it has the indistinguishability of encryptions property

Page 33:

Equivalence Proof

If a scheme has the indistinguishability property, then it is semantically secure:
• Suppose not, and A chooses
– some distribution $D_n$
– some relation R
• Choose $X_0, X_1 \in_R D_n$ and run A twice on
– $C_0 = E(K_P, X_0, r_0)$; call the output $Y_0$
– $C_1 = E(K_P, X_1, r_1)$; call the output $Y_1$
• For $X_0, X_1 \in_R D_n$ let
– $p_0 = \Pr[R(X_0, Y_0)]$
– $p_1 = \Pr[R(X_0, Y_1)]$
• If $p_0 - p_1$ is not negligible: can distinguish between the encryptions of $X_0$ and $X_1$
– Contradicting the indistinguishability property
• If $p_0 - p_1$ is negligible: can run A' with no access to the real ciphertext
– sample $X' \in_R D_n$ and $C' = E(K_P, X', r)$
– Run A on $C'$ and output $Y'$

Here we use the power to generate encryptions

Page 34:

Equivalence Proof

• For $X_0, X_1 \in_R D_n$ let
– $p_0 = \Pr[R(X_0, Y_0)]$
– $p_1 = \Pr[R(X_0, Y_1)]$
• If $p_0 - p_1$ is not negligible: can distinguish between the encryptions of $X_0$ and $X_1$
– Contradicting the indistinguishability property

[Figure: A receives $E(X_b)$ and outputs Y, which is tested against $X_0$ by $R(X_0, Y)$]

Page 35:

Equivalence Proof

• For $X_0, X_1 \in_R D_n$ let
– $p_0 = \Pr[R(X_0, Y_0)]$
– $p_1 = \Pr[R(X_0, Y_1)]$
• If $p_0 - p_1$ is negligible: can run A' with no access to the real ciphertext
– sample $X' \in_R D_n$ and $C' = E(K_P, X', r)$
– Run A on $C'$ and output $Y'$

[Figure: A receives $E(X)$ and outputs Y, tested by $R(X, Y)$; A' samples $X'$, runs A on $E(X')$ and outputs $Y'$, tested by $R(X, Y')$]

Page 36:

Equivalence Proof…

If a scheme is semantically secure, then it has the indistinguishability of encryptions property:
• Suppose not, and A chooses
– A pair $X_0, X_1 \in \{0,1\}^n$
– For which it can distinguish with advantage $\varepsilon$
• Choose
– Distribution $D_n = \{X_0, X_1\}$
– Relation R which is "equality with X"
• For any A' that does not get $C = E(K_P, X, r)$ and outputs $Y'$:
$\Pr_{A'}[R(X, Y')] = 1/2$
• By simulating A and outputting $Y = X_b$ for guess $b \in \{0,1\}$:
$\Pr_A[R(X, Y)] \ge 1/2 + \varepsilon$

Even if A' is computationally unbounded

Page 37:

Similar setting

• The same proof works for the shared-key case with adaptive chosen plaintext attack
• "Standard" definition of semantic security:
– Instead of A trying to find Y such that R(X, Y), A tries to find Y such that
• Y = f(X)
• f is any function (not necessarily polynomial-time computable)
– In spite of the difference, equivalent to our definition

Page 38:

What happens if…

• There is extra information about X:
– Both A and A' get h(X) for some polynomial-time computable function h
– h might not be invertible
• Relation R is not polynomial time
• Try to encrypt information about the secret key

Page 39:

When is each definition useful

• Semantic security seems to convey that the message is protected
– Not the strongest possible definition
• Easier to prove indistinguishability of encryptions

Page 40:

Sources
• Luby-Rackoff: How to construct pseudorandom permutations from pseudorandom functions, SIAM J. Computing, 1988.
• Naor-Reingold: Luby-Rackoff Revisited, Journal of Cryptology, 1999.
• Goldwasser-Micali: Probabilistic Encryption, Journal of Computer and System Sciences, 1984.
• Goldreich's Foundations of Cryptography, volume 2