Upload
pktc-bk
View
220
Download
0
Embed Size (px)
Citation preview
8/10/2019 s-prf
1/88
PSEUDO-RANDOM FUNCTIONS
1 /6 5
http://find/8/10/2019 s-prf
2/88
Recall
We studied security of a block cipher against key recovery.
But we saw that security against key recovery is not sufficient to ensurethat natural usages of a block cipher are secure.
We want to answer the question:
What is a good block cipher?where good means that natural uses of the block cipher are secure.
We could try to dene good by a list of necessary conditions:
Key recovery is hard Recovery of M from C = E K (M ) is hard . . .
But this is neither necessarily correct nor appealing.
2 /6 5
http://find/8/10/2019 s-prf
3/88
Turing Intelligence Test
Q: What does it mean for a program to be intelligent in the sense of a human?
3 /6 5
http://find/http://goback/8/10/2019 s-prf
4/88
Turing Intelligence Test
Q: What does it mean for a program to be intelligent in the sense of a human?
Possible answers:
It can be happy It recognizes pictures It can multiply But only small numbers!
3 /6 5
http://find/8/10/2019 s-prf
5/88
Turing Intelligence Test
Q: What does it mean for a program to be intelligent in the sense of a human?
Possible answers:
It can be happy It recognizes pictures It can multiply But only small numbers!
Clearly, no such list is a satisfactory answer to the question.
3 /6 5
http://find/http://goback/8/10/2019 s-prf
6/88
8/10/2019 s-prf
7/88
Turing Intelligence Test
Behind the wall:
Room 1: The program P Room 0: A human
5 /6 5
http://find/8/10/2019 s-prf
8/88
8/10/2019 s-prf
9/88
8/10/2019 s-prf
10/88
8/10/2019 s-prf
11/88
Real versus Ideal
Notion Real object Ideal object
Intelligence Program HumanPRF Block cipher ?
8 /6 5
http://find/8/10/2019 s-prf
12/88
Real versus Ideal
Notion Real object Ideal object
Intelligence Program HumanPRF Block cipher Random function
8 /6 5
http://find/8/10/2019 s-prf
13/88
Random functions
A random function with L-bit outputs is implemented by the followingbox Fn, where T is initially everywhere:
Fn
Callerx
T[x ]
If T[x ] = thenT[x ] $ {0, 1}LReturn T[x ]
9 /6 5
http://find/8/10/2019 s-prf
14/88
Random function
Game Rand {0,1}Lprocedure Fn (x)if T[x ] = then T[x ] $ {0, 1}Lreturn T[x ]
Adversary A
Make queries to Fn Eventually halts with some output
We denote byPr Rand A{0,1}l d
the probability that A outputs d
10/65
http://find/8/10/2019 s-prf
15/88
Random function
Game Rand {0,1}3procedure Fn (x)if T[x ] = then T[x ] $ {0, 1}3return T[x ]
adversary Ay Fn(01)return (y = 000)
Pr Rand A{0,1}3 true =
11/65
http://find/8/10/2019 s-prf
16/88
Random function
Game Rand {0,1}3procedure Fn (x)if T[x ] = then T[x ] $ {0, 1}3return T[x ]
adversary Ay Fn(01)return (y = 000)
Pr Rand A{0,1}3 true = 2 3
11/65
http://find/8/10/2019 s-prf
17/88
8/10/2019 s-prf
18/88
d f
8/10/2019 s-prf
19/88
Random function
Game Rand {0,1}3procedure Fn (x)if T[x ] = then T[x ] $ {0, 1}3return T[x ]
adversary Ay 1 Fn(00)y 2 Fn(11)return
(y
1y
2 = 101)
Pr Rand A{0,1}3 true =
13/65
R d f i
http://find/8/10/2019 s-prf
20/88
Random function
Game Rand {0,1}3procedure Fn (x)if T[x ] = then T[x ] $ {0, 1}3return T[x ]
adversary Ay 1 Fn(00)y 2 Fn(11)return
(y
1y
2 = 101)
Pr Rand A{0,1}3 true = 2 3
13/65
F i f ili
http://goforward/http://find/http://goback/8/10/2019 s-prf
21/88
Function families
A family of functions F : Keys(F ) Dom(F ) Range(F ) is atwo-argument map. For K Keys(F ) we let F K : Dom(F ) Range(F )be dened byx Dom(F ) : F K (x ) = F (K , x )
Examples:
DES: Keys(F ) = {0, 1}56 , Dom(F ) = Range( F ) = {0, 1}64
Any block cipher: Dom(F ) = Range( F ) and each F K is apermutation
14/65
http://find/8/10/2019 s-prf
22/88
PRF d i
8/10/2019 s-prf
23/88
PRF-adversaries
Let F : Keys(F ) Dom(F ) Range (F ) be a family of functions.A prf-adversary (our tester) has an oracle Fn for a function fromDom(F ) to Range( F ). It can
Make an oracle query x of its choice and get back Fn(x ) Do this many times
Eventually halt and output a bit d
d
A
x 1
Fn(x 1)
...x q
Fn(x q )
Fn
16/65
Repeat queries
http://find/8/10/2019 s-prf
24/88
Repeat queries
We said earlier that a random function must be consistent, meaningonce it has returned y in response to x , it must return y again if queried
again with the same x . This is why we have the if in the following:written as
GameRand Range( F )
procedure Fn (x )if T[x ] = then T[x ] $
Range(F )
Return T[x ]
Henceforth we make a rule:
A prf-adversary is not allowed to repeat an oracle query.Then our game is:
GameRand Range( F )
procedure Fn (x )T[x ] $Range(F )Return T[x ]
17/65
PRF adversaries
http://find/8/10/2019 s-prf
25/88
PRF-adversaries
Let F : Keys(F ) Dom(F ) Range (F ) be a family of functions.
Real world
Ax y
Fny F K (x )
Ideal (Random) world
Ax y
Fny $Range(F )
Intended meaning:As output d I think I am in the
1 Real world0 Ideal (Random) world
The harder it is for A to guess world it is in, the better F is as a PRF.
18/65
http://find/8/10/2019 s-prf
26/88
Example
8/10/2019 s-prf
27/88
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0
Game Real F procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )
Real world
Ax y
Fny F K (x )
20/65
Example
http://find/8/10/2019 s-prf
28/88
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0
Game Real F procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )
Real world
Ax y
Fny F K (x )
ThenPr Real AF 1 =
20/65
Example
http://find/8/10/2019 s-prf
29/88
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0
Game Real F
procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )
Real worldA
x y
Fny F K (x )
ThenPr Real AF 1 = 1
because the value returned by Fn will be Fn(0128) = F K (0128) = 0 128 soA
will always return 1. 20/65
Example
http://find/8/10/2019 s-prf
30/88
Example
Let F :
{0, 1
}k
{0, 1
}128
{0, 1
}128 be dened by F K (x ) = x . Let
prf-adversary A be dened by
adversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0
Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1}128Return T[x ]
Ideal (Random) world
Ax y
Fny ${0, 1}128
ThenPr Rand ARange( F ) 1 =
21/65
Example
http://find/8/10/2019 s-prf
31/88
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0
Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1}128Return T[x ]
Ideal (Random) world
Ax y
Fny ${0, 1}128
ThenPr Rand ARange( F ) 1 = Pr Fn(0
128) = 0 128 = 2 128
because Fn(0128) is a random 128-bit string.
21/65
Example: Advantage computation.
http://find/8/10/2019 s-prf
32/88
Example: Advantage computation.
Let F : {0, 1}k
{0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0
Then
Advprf F (A) =
1
Pr Real AF 1 2 128
Pr Rand ARange( F ) 1= 1 2 128
22/65
The measure of success
http://find/8/10/2019 s-prf
33/88
Let F : Keys(F )
Domain (F )
Range(F ) be a family of functions
and A a prf adversary. Then
Advprf F (A) = Pr RealAF 1 Pr Rand ARange( F ) 1
is a number between 1 and 1.A large (close to 1) advantage means
A is doing well F is not secure
A small (close to 0 or
0) advantage means
A is doing poorly F resists the attack A is mounting
23/65
PRF security
http://find/8/10/2019 s-prf
34/88
y
Adversary advantage depends on its
strategy resources: Running time t and number q of oracle queries
Security: F is a (secure) PRF if Advprf F (A) is small for ALL A thatuse practical amounts of resources.
Example: 80-bit security could mean that for all n = 1 , . . . ,80 we have
Advprf F (A) 2 nfor any A with time and number of oracle queries at most 280 n .
Insecurity: F is insecure (not a PRF) if there exists A using fewresources that achieves high advantage.
24/65
Example 1
http://find/8/10/2019 s-prf
35/88
p
Dene F : {0, 1}k {0, 1}128 {0, 1}128 by F K (x ) = x for all k , x .Is F a secure PRF?
Real
Ax y
Fny
F
K (x
)
Rand
Ax y
Fny $
{0, 1}128
Can we design A so that
Advprf F (A) = Pr RealAF 1
Pr Rand ARange( F ) 1
is close to 1?
25/65
Example 1
http://find/8/10/2019 s-prf
36/88
p
Dene F : {0, 1}k {0, 1}128 {0, 1}128 by F K (x ) = x for all k , x .Is F a secure PRF?
Real
Ax y
Fny
F
K (x )
Rand
Ax y
Fny $
{0, 1
}128
Can we design A so that
Advprf F (A) = Pr RealAF 1
Pr Rand ARange( F ) 1
is close to 1?
Exploitable weakness of F : F K (0128) = 0 128 for all K . We candetermine which world we are in by testing whether Fn(0128) = 0 128 .
25/65
Example 1
http://find/8/10/2019 s-prf
37/88
Real
Ax y
Fny F K (x )
Rand
Ax y
Fny $ {0, 1}128
Now F is dened by F K (x ) = x .
adversary Aif Fn(0128) = 0 128 then return 1 else return 0
26/65
http://find/http://goback/8/10/2019 s-prf
38/88
Example 1: Conclusion
8/10/2019 s-prf
39/88
F is dened by F K (x ) = x .
adversary Aif Fn(0128) = 0 128 then return 1 else return 0
Then
Advprf F (A) =
1
Pr Real AF 1 2 128
Pr Rand ARange( F ) 1= 1 2
128
and A is efficient.
Conclusion: F is not a secure PRF.
28/65
http://find/8/10/2019 s-prf
40/88
Example 2
8/10/2019 s-prf
41/88
Dene F : {0, 1} {0, 1} {0, 1} by F K (x ) = K x for all K , x .Is F a secure PRF?Real
Ax y
Fny F K (x )
Rand
Ax y
Fny ${0, 1}
Can we design A so that
Advprf F (A) = Pr RealAF 1 Pr Rand ARange( F ) 1
is close to 1?
Exploitable weakness of F :F K (0 ) F K (1 ) = ( K 0 ) (K 1 ) = 1
for all K . We can determine which world we are in by testing whether
Fn(0 ) Fn(1 ) = 1 . 29/65
Example 2: The adversary
http://find/8/10/2019 s-prf
42/88
F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0
30/65
http://find/8/10/2019 s-prf
43/88
Example 2: Real world analysis
8/10/2019 s-prf
44/88
F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0
Game Real F procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )
Real world
Ax y
Fny F K (x )
Then Pr Real AF 1 =
31/65
Example 2: Real world analysis
http://find/8/10/2019 s-prf
45/88
F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0
Game Real F procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )
Real world
Ax y
Fny F K (x )
Then Pr Real AF 1 = 1
because
Fn(0 ) Fn(1 ) = F K (0 ) F K (1 ) = ( K 0 ) (K 1 ) = 131/65
Example 2: Ideal world analysis
http://find/8/10/2019 s-prf
46/88
F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0
Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1} return T[x ]
Ideal (random) world
Ax y
Fny $ {0, 1}
32/65
Example 2: Ideal world analysis
http://find/8/10/2019 s-prf
47/88
F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0
Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1} return T[x ]
Ideal (random) world
Ax y
Fny $ {0, 1}
ThenPr Real AF 1 =
32/65
Example 2: Ideal world analysis
http://find/8/10/2019 s-prf
48/88
F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0
Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1} return T[x ]
Ideal (random) world
Ax y
Fny $ {0, 1}
ThenPr Real AF 1 = Pr Fn(1 ) Fn(0 ) = 1 =
32/65
http://find/8/10/2019 s-prf
49/88
8/10/2019 s-prf
50/88
Birthday Problem
8/10/2019 s-prf
51/88
q people 1, . . . ,q with birthdays
y 1, . . . ,y q
{1 . . . , 365
}Assume each persons birthday is a random day of the year. LetC (365, q ) = Pr [2 or more persons have same birthday ]
= Pr [ y 1, . . . ,y q are not all different ]
What is the value of C (365, q )? How large does q have to be before C (365, q ) is at least 1/2?
34/65
http://find/8/10/2019 s-prf
52/88
8/10/2019 s-prf
53/88
Birthday collision bounds
8/10/2019 s-prf
54/88
C (365, q ) is the probability that some two people have the samebirthday in a room of q people with random birthdays
q C (365, q )15 0.25318 0.34720 0.41121 0.44423 0.50725 0.56927 0.627
30 0.70635 0.81440 0.89150 0.970
35/65
Birthday Problem
http://find/8/10/2019 s-prf
55/88
Pick y 1, . . . ,y q $
{1, . . . ,N } and letC (N , q ) = Pr [ y 1, . . . ,y q not all distinct]
Birthday setting: N = 365
36/65
Birthday Problem
http://find/8/10/2019 s-prf
56/88
Pick y 1, . . . ,y q $
{1, . . . ,N } and letC (N , q ) = Pr [ y 1, . . . ,y q not all distinct]
Birthday setting: N = 365
Fact: C (N , q ) q 2
2N
36/65
Birthday collisions formula
http://find/8/10/2019 s-prf
57/88
Let y 1, . . . ,y q $
{1, . . . ,N
}. Then
1 C (N , q ) = Pr [ y 1, . . . ,y q all distinct ]= 1
N 1N
N 2N
N (q 1)N
=q 1
i =11
i N
so
C (N , q ) = 1 q 1
i =11
i N
37/65
Birthday bounds
http://find/http://goback/8/10/2019 s-prf
58/88
LetC (N , q ) = Pr [ y 1, . . . ,y q not all distinct]
Fact: Then
0.3 q (q 1)
N C (N , q ) 0.5 q (q 1)
N
where the lower bound holds for 1q 2N .
38/65
Union bound
http://find/8/10/2019 s-prf
59/88
C 1
C 2
Pr [C 1 C 2] = Pr [C 1] + Pr [C 2] Pr [C 1 C 2] Pr [C 1] + Pr [C 2]
More generally
Pr [C 1 C 2 C q ] Pr [C 1] + Pr [C 2] + Pr [C q ]39/65
Arithmetic sums
http://find/8/10/2019 s-prf
60/88
0 + 1 + 2 +
+ ( q
1) =
40/65
Arithmetic sums
http://find/8/10/2019 s-prf
61/88
0 + 1 + 2 +
+ ( q
1) =
q (q 1)2
40/65
http://find/8/10/2019 s-prf
62/88
Block ciphers as PRFs
8/10/2019 s-prf
63/88
Let E : {0, 1}k
{0, 1} {0, 1} be a block cipher.Real
Ax y
Fny E K (x )
Rand
Ax y
Fny ${0, 1}
Can we design A so that
Advprf E (A) = Pr RealAE 1
Pr Rand A{0,1} 1
is close to 1?
42/65
Block ciphers as PRFs
http://find/8/10/2019 s-prf
64/88
Dening property of a block cipher: E K is a permutation for every K
So if x 1, . . . ,x q are distinct then
Fn = E K Fn(x 1), . . . ,Fn(x q ) distinct Fn random Fn(x 1), . . . ,Fn(x q ) not necessarily distinctLet us turn this into an attack.
43/65
http://find/8/10/2019 s-prf
65/88
Real world analysis
8/10/2019 s-prf
66/88
Let E : {0, 1}k {0, 1} {0, 1} be a block cipherGame Real E procedure InitializeK ${0, 1}k procedure Fn (x )Return E K (x )
adversary ALet x 1, . . . ,x q {0, 1} be distinctfor i = 1 , . . . ,q do y i Fn(x i )if y 1, . . . ,y q are all distinctthen return 1 else return 0
ThenPr Real AE 1 =
45/65
Real world analysis
http://find/http://goback/8/10/2019 s-prf
67/88
Let E : {0, 1}k {0, 1} {0, 1} be a block cipherGame Real E procedure InitializeK ${0, 1}k procedure Fn (x )Return E K (x )
adversary ALet x 1, . . . ,x q {0, 1} be distinctfor i = 1 , . . . ,q do y i Fn(x i )if y 1, . . . ,y q are all distinctthen return 1 else return 0
ThenPr Real AE 1 = 1
because y 1, . . . ,y q will be distinct because E K is a permutation.
45/65
Ideal world analysis
Let E : {0 1}K {0 1} {0 1} be a block cipher
http://find/http://goback/8/10/2019 s-prf
68/88
Let E : {0, 1} {0, 1} {0, 1} be a block cipher
Game Rand {0,1}procedure Fn (x )T[x ] ${0, 1}Return T[x ]
adversary ALet x 1, . . . ,x q {0, 1} be distinctfor i = 1 , . . . ,q do y i Fn(x i )if y 1, . . . ,y q are all distinctthen return 1 else return 0
Then
Pr RandA{0,1} 1 = Pr [ y 1, . . . ,y q all distinct]
= 1 C (2 , q )because y 1, . . . ,y q are randomly chosen from {0, 1}.
46/65
Birthday attack on a block cipher
E : {0, 1}k {0, 1} {0, 1} a block cipher
http://find/http://goback/8/10/2019 s-prf
69/88
{ , } {, } {, } padversary ALet x 1, . . . ,x q {0, 1} be distinctfor i = 1 , . . . ,q do y i Fn(x i )if y 1, . . . ,y q are all distinct then return 1 else return 0
Advprf E (A) =
1
Pr Real AF 1 1 C (2 ,q )
Pr Rand ARange( F ) 1= C (2 , q )
0.3 q (q 1)2so
q 2 / 2 Advprf E (A) 1 .
47/65
Birthday attack on a block cipher
http://find/http://goback/8/10/2019 s-prf
70/88
Conclusion: If E : {0, 1}k {0, 1} {0, 1} is a block cipher, there isan attack on it as a PRF that succeeds in about 2 / 2 queries.Depends on block length, not key length!
2 / 2 StatusDES, 2DES, 3DES3 64 232 InsecureAES 128 264 Secure
48/65
KR-security versus PRF-security
http://find/8/10/2019 s-prf
71/88
We have seen two possible metrics of security for a block cipher E
KR-security: It should be hard to get K from input-outputexamples of E K
PRF-security: It should be hard to distinguish the input-outputbehavior of E K from that of a random function.
Question: Is it possible for E to be
PRF-secure, but
NOT KR-secure?
49/65
KR-security versus PRF-security
http://find/8/10/2019 s-prf
72/88
Question: Is it possible for a block cipher E to be PRF-secure but notKR-secure?
Why do we care? Because we
agreed that KR-security is necessary claim that PRF-security is sufficientfor secure use of E , so a YES answer would render our claim false.
Luckily the answer to the above question is NO.
50/65
KR-security versus PRF-security
http://find/8/10/2019 s-prf
73/88
Fact: PRF-security implies
KR-security
Many other security attributes
51/65
Key recovery security, formally
Let F : Keys(F ) Domain (F ) Range(F ) a family of functions
http://find/8/10/2019 s-prf
74/88
Let : Keys( ) ( ) Range( ) a family of functionsLet B be an adversary
Game KR F procedure InitializeK $
Keys(F )
procedure Fn (x )return F K (x )procedure Finalize (K )
return (K = K )The kr-advantage of B is dened as
AdvkrF (B ) = Pr KRB F true
The oracle allows a chosen message attack.
F is secure against key recovery if AdvkrF (B ) is small for all B of practical resources.
52/65
Example
http://find/8/10/2019 s-prf
75/88
Let k = L and dene F = {0, 1}k
{0, 1} {0, 1}L
by
F K (X ) =
K [1, 1] K [1, 2] K [1, ]K [2, 1] K [2, 2] K [2, ]... ...K [L, 1] K [L, 2] K [L, ]
X [1]X [2]
...
X [ ]
=
Y [1]Y [2]
...
Y [L]Here the bits in the matrix are the bits in the key, and arithmetic ismodulo two.
Question: Is F secure against key-recovery?
53/65
Example
http://find/8/10/2019 s-prf
76/88
Let k = L and dene F = {0, 1}k
{0, 1} {0, 1}L
by
F K (X ) =
K [1, 1] K [1, 2] K [1, ]K [2, 1] K [2, 2] K [2, ]... ...K [L, 1] K [L, 2] K [L, ]
X [1]X [2]
...
X [ ]
=
Y [1]Y [2]
...
Y [L]Here the bits in the matrix are the bits in the key, and arithmetic ismodulo two.
Question: Is F secure against key-recovery?
Answer: NO
53/65
http://find/8/10/2019 s-prf
77/88
KR attack on example
8/10/2019 s-prf
78/88
Adversary B K // is the empty stringfor j = 1 , . . . , do y j Fn(e j ) ; K K y j return K
Then
AdvkrF (B ) = 1 .
The time-complexity of B is t = O ( 2L) since it makes q = calls to its
oracle and each computation of Fn = F K takes O ( L) time.So F is insecure against key-recovery.
55/65
http://find/8/10/2019 s-prf
79/88
Why does PRF-security imply KR-security?
8/10/2019 s-prf
80/88
Issues: To run B , adversary A must give it input-output examples underF K .
We have A give B input-output examples under Fn. This is correct inthe real world but not in the random world. Nonetheless we can show itworks.
57/65
If F is a PRF then it is KR-secure
http://find/8/10/2019 s-prf
81/88
Our rst example of a proof by reduction!
Given: F : {0, 1}k {0, 1} {0, 1}LGiven: efficient KR-adversary B Construct: efficient PRF-adversary A such that:
AdvkrF (B ) Advprf F (A) + How to infer that PRF-secure KR-secure:
F is PRF secure Advprf F (A) is small
Advkr
F (B ) is small F is KR-secure
58/65
If F is a PRF then it is KR-secure
http://find/8/10/2019 s-prf
82/88
Our rst example of a proof by reduction!
Given: F : {0, 1}k {0, 1} {0, 1}LGiven: efficient KR-adversary B Construct: efficient PRF-adversary A such that:
AdvkrF (B ) Advprf F (A) +
Contrapositive:
F not KR-secure AdvkrF (B ) is bigAdv
prf
F (A) is big F is not PRF-secure
59/65
How reductions work
A will run B as a subroutine
http://find/8/10/2019 s-prf
83/88
Bs world: How A runs B
A itself answers Bs oracle queries, giving B the impression that B is inits own correct world.
60/65
If F is a PRF then it is KR-secureGiven: F : {0, 1}k {0, 1} {0, 1}LGiven: efficient KR-adversaryB
http://find/8/10/2019 s-prf
84/88
Given: efficient KR adversary B Construct: efficient PRF-adversary A such that:
AdvkrF (B ) Advprf F (A) +
Idea:
A uses B to nd key K
Tests whether K is the right keyIssues:
B needs an F K oracle, which A only has in the real world
How to test K ?How they are addressed:
A gives B its Fn oracle Test by seeing whether F K agrees with Fn on a new point.
61/65
If F is a PRF then it is KR-secure
Given: F : {0, 1}k {0, 1} {0, 1}L
http://find/8/10/2019 s-prf
85/88
{ } { } { }Given: efficient KR-adversary B Construct: efficient PRF-adversary A such that:
AdvkrF (B ) Advprf F (A) +
adversary Ai 0K B FnKRSimx $ {0, 1} {x 1, . . . ,x i }if F K (x ) = Fn(x ) then return 1else return 0
subroutine FnKRSim (x )i i + 1x i x y i Fn(x )return y i
62/65
Analysis
adversary A
http://find/8/10/2019 s-prf
86/88
adversary Ai
0
K B FnKRSimx $ {0, 1} {x 1, . . . ,x i }if F K (x ) = Fn(x ) then return 1else return 0
subroutine FnKRSim (x )i i + 1x i x y i Fn(x )return y i
If Fn = F K then K = K with probability the KR-advantage of B ,so
Pr Real AF 1 AdvkrF (B )
If Fn is a random function, then due to the fact thatx / {x 1, . . . ,x i },Pr Rand ARange( F ) 1 = 2
L
So Advprf F (A) AdvkrF (B ) 2 L
63/65
If F is PRF-secure then it is KR-secure
http://find/8/10/2019 s-prf
87/88
Proposition: Let F : {0, 1}k
{0, 1} {0, 1}L
be a family of functions, and B a kr-adversary making q oracle queries. Then there isa PRF adversary A making q + 1 oracle queries such that:
AdvkrF (B ) Advprf F (A) + 2
L
The running time of A is that of B plus O (q ( + L)) plus the time forone computation of F .
Implication:
F PRF-secure F is KR-secure.
64/65
Our Assumptions
http://find/8/10/2019 s-prf
88/88
DES, AES are good block ciphers in the sense of being PRF-secure tothe maximum extent possible.
65/65
http://find/