s-prf

8/10/2019 s-prf

1/88

PSEUDO-RANDOM FUNCTIONS

1 /6 5
http://find/

8/10/2019 s-prf

2/88

Recall

We studied security of a block cipher against key recovery.

But we saw that security against key recovery is not sufficient to ensurethat natural usages of a block cipher are secure.

We want to answer the question:

What is a good block cipher?where good means that natural uses of the block cipher are secure.

We could try to dene good by a list of necessary conditions:

Key recovery is hard Recovery of M from C = E K (M ) is hard . . .

But this is neither necessarily correct nor appealing.

2 /6 5
http://find/

8/10/2019 s-prf

3/88

Turing Intelligence Test

Q: What does it mean for a program to be intelligent in the sense of a human?

3 /6 5
http://find/http://goback/

8/10/2019 s-prf

4/88



Possible answers:

It can be happy It recognizes pictures It can multiply But only small numbers!

3 /6 5
http://find/

8/10/2019 s-prf

5/88



Possible answers:

It can be happy It recognizes pictures It can multiply But only small numbers!

Clearly, no such list is a satisfactory answer to the question.

3 /6 5

8/10/2019 s-prf

6/88

8/10/2019 s-prf

7/88


Behind the wall:

Room 1: The program P Room 0: A human

5 /6 5
http://find/

8/10/2019 s-prf

8/88

8/10/2019 s-prf

9/88

8/10/2019 s-prf

10/88

8/10/2019 s-prf

11/88

Real versus Ideal

Notion Real object Ideal object

Intelligence Program HumanPRF Block cipher ?

8 /6 5
http://find/

8/10/2019 s-prf

12/88

Real versus Ideal

Notion Real object Ideal object

Intelligence Program HumanPRF Block cipher Random function

8 /6 5
http://find/

8/10/2019 s-prf

13/88

Random functions

A random function with L-bit outputs is implemented by the followingbox Fn, where T is initially everywhere:

Fn

Callerx

T[x ]

If T[x ] = thenT[x ] $ {0, 1}LReturn T[x ]

9 /6 5
http://find/

8/10/2019 s-prf

14/88

Random function

Game Rand {0,1}Lprocedure Fn (x)if T[x ] = then T[x ] $ {0, 1}Lreturn T[x ]

Adversary A

Make queries to Fn Eventually halts with some output

We denote byPr Rand A{0,1}l d

the probability that A outputs d

10/65
http://find/

8/10/2019 s-prf

15/88

Random function

Game Rand {0,1}3procedure Fn (x)if T[x ] = then T[x ] $ {0, 1}3return T[x ]

adversary Ay Fn(01)return (y = 000)

Pr Rand A{0,1}3 true =

11/65
http://find/

8/10/2019 s-prf

16/88

Random function


adversary Ay Fn(01)return (y = 000)

Pr Rand A{0,1}3 true = 2 3

11/65
http://find/

8/10/2019 s-prf

17/88

8/10/2019 s-prf

18/88

d f

8/10/2019 s-prf

19/88

Random function


adversary Ay 1 Fn(00)y 2 Fn(11)return

(y

1y

2 = 101)

Pr Rand A{0,1}3 true =

13/65

R d f i
http://find/

8/10/2019 s-prf

20/88

Random function


adversary Ay 1 Fn(00)y 2 Fn(11)return

(y

1y

2 = 101)

Pr Rand A{0,1}3 true = 2 3

13/65

F i f ili
http://goforward/http://find/http://goback/

8/10/2019 s-prf

21/88

Function families

A family of functions F : Keys(F ) Dom(F ) Range(F ) is atwo-argument map. For K Keys(F ) we let F K : Dom(F ) Range(F )be dened byx Dom(F ) : F K (x ) = F (K , x )

Examples:

DES: Keys(F ) = {0, 1}56 , Dom(F ) = Range( F ) = {0, 1}64

Any block cipher: Dom(F ) = Range( F ) and each F K is apermutation

14/65
http://find/

8/10/2019 s-prf

22/88

PRF d i

8/10/2019 s-prf

23/88

PRF-adversaries

Let F : Keys(F ) Dom(F ) Range (F ) be a family of functions.A prf-adversary (our tester) has an oracle Fn for a function fromDom(F ) to Range( F ). It can

Make an oracle query x of its choice and get back Fn(x ) Do this many times

Eventually halt and output a bit d

d

A

x 1

Fn(x 1)

...x q

Fn(x q )

Fn

16/65

Repeat queries
http://find/

8/10/2019 s-prf

24/88

Repeat queries

We said earlier that a random function must be consistent, meaningonce it has returned y in response to x , it must return y again if queried

again with the same x . This is why we have the if in the following:written as

GameRand Range( F )

procedure Fn (x )if T[x ] = then T[x ] $

Range(F )

Return T[x ]

Henceforth we make a rule:

A prf-adversary is not allowed to repeat an oracle query.Then our game is:

GameRand Range( F )

procedure Fn (x )T[x ] $Range(F )Return T[x ]

17/65

PRF adversaries
http://find/

8/10/2019 s-prf

25/88

PRF-adversaries

Let F : Keys(F ) Dom(F ) Range (F ) be a family of functions.

Real world

Ax y

Fny F K (x )

Ideal (Random) world

Ax y

Fny $Range(F )

Intended meaning:As output d I think I am in the

1 Real world0 Ideal (Random) world

The harder it is for A to guess world it is in, the better F is as a PRF.

18/65
http://find/

8/10/2019 s-prf

26/88

Example

8/10/2019 s-prf

27/88

Example

Let F : {0, 1}k {0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0

Game Real F procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )

Real world

Ax y

Fny F K (x )

20/65

Example
http://find/

8/10/2019 s-prf

28/88

Example



Real world

Ax y

Fny F K (x )

ThenPr Real AF 1 =

20/65

Example
http://find/

8/10/2019 s-prf

29/88

Example


Game Real F

procedure InitializeK $ {0, 1}k procedure Fn (x )Return F K (x )

Real worldA

x y

Fny F K (x )

ThenPr Real AF 1 = 1

because the value returned by Fn will be Fn(0128) = F K (0128) = 0 128 soA

will always return 1. 20/65

Example
http://find/

8/10/2019 s-prf

30/88

Example

Let F :

{0, 1

}k

{0, 1

}128

{0, 1

}128 be dened by F K (x ) = x . Let

prf-adversary A be dened by

adversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0

Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1}128Return T[x ]


Ax y

Fny ${0, 1}128

ThenPr Rand ARange( F ) 1 =

21/65

Example
http://find/

8/10/2019 s-prf

31/88

Example


Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1}128Return T[x ]


Ax y

Fny ${0, 1}128

ThenPr Rand ARange( F ) 1 = Pr Fn(0

128) = 0 128 = 2 128

because Fn(0128) is a random 128-bit string.

21/65

Example: Advantage computation.
http://find/

8/10/2019 s-prf

32/88

Example: Advantage computation.

Let F : {0, 1}k

{0, 1}128 {0, 1}128 be dened by F K (x ) = x . Letprf-adversary A be dened byadversary Aif Fn(0128) = 0 128 then Ret 1 else Ret 0

Then

Advprf F (A) =

1

Pr Real AF 1 2 128

Pr Rand ARange( F ) 1= 1 2 128

22/65

The measure of success
http://find/

8/10/2019 s-prf

33/88

Let F : Keys(F )

Domain (F )

Range(F ) be a family of functions

and A a prf adversary. Then

Advprf F (A) = Pr RealAF 1 Pr Rand ARange( F ) 1

is a number between 1 and 1.A large (close to 1) advantage means

A is doing well F is not secure

A small (close to 0 or

0) advantage means

A is doing poorly F resists the attack A is mounting

23/65

PRF security
http://find/

8/10/2019 s-prf

34/88

y

Adversary advantage depends on its

strategy resources: Running time t and number q of oracle queries

Security: F is a (secure) PRF if Advprf F (A) is small for ALL A thatuse practical amounts of resources.

Example: 80-bit security could mean that for all n = 1 , . . . ,80 we have

Advprf F (A) 2 nfor any A with time and number of oracle queries at most 280 n .

Insecurity: F is insecure (not a PRF) if there exists A using fewresources that achieves high advantage.

24/65

Example 1
http://find/

8/10/2019 s-prf

35/88

p

Dene F : {0, 1}k {0, 1}128 {0, 1}128 by F K (x ) = x for all k , x .Is F a secure PRF?

Real

Ax y

Fny

F

K (x

)

Rand

Ax y

Fny $

{0, 1}128

Can we design A so that

Advprf F (A) = Pr RealAF 1

Pr Rand ARange( F ) 1

is close to 1?

25/65

Example 1
http://find/

8/10/2019 s-prf

36/88

p

Dene F : {0, 1}k {0, 1}128 {0, 1}128 by F K (x ) = x for all k , x .Is F a secure PRF?

Real

Ax y

Fny

F

K (x )

Rand

Ax y

Fny $

{0, 1

}128


Advprf F (A) = Pr RealAF 1

Pr Rand ARange( F ) 1

is close to 1?

Exploitable weakness of F : F K (0128) = 0 128 for all K . We candetermine which world we are in by testing whether Fn(0128) = 0 128 .

25/65

Example 1
http://find/

8/10/2019 s-prf

37/88

Real

Ax y

Fny F K (x )

Rand

Ax y

Fny $ {0, 1}128

Now F is dened by F K (x ) = x .

adversary Aif Fn(0128) = 0 128 then return 1 else return 0

26/65

8/10/2019 s-prf

38/88

Example 1: Conclusion

8/10/2019 s-prf

39/88

F is dened by F K (x ) = x .

adversary Aif Fn(0128) = 0 128 then return 1 else return 0

Then

Advprf F (A) =

1

Pr Real AF 1 2 128

Pr Rand ARange( F ) 1= 1 2

128

and A is efficient.

Conclusion: F is not a secure PRF.

28/65
http://find/

8/10/2019 s-prf

40/88

Example 2

8/10/2019 s-prf

41/88

Dene F : {0, 1} {0, 1} {0, 1} by F K (x ) = K x for all K , x .Is F a secure PRF?Real

Ax y

Fny F K (x )

Rand

Ax y

Fny ${0, 1}


Advprf F (A) = Pr RealAF 1 Pr Rand ARange( F ) 1

is close to 1?

Exploitable weakness of F :F K (0 ) F K (1 ) = ( K 0 ) (K 1 ) = 1

for all K . We can determine which world we are in by testing whether

Fn(0 ) Fn(1 ) = 1 . 29/65

Example 2: The adversary
http://find/

8/10/2019 s-prf

42/88

F : {0, 1} {0, 1} {0, 1} is dened by F K (x ) = K x .adversary Aif Fn(0 ) Fn(1 ) = 1 then return 1 else return 0

30/65
http://find/

8/10/2019 s-prf

43/88

Example 2: Real world analysis

8/10/2019 s-prf

44/88



Real world

Ax y

Fny F K (x )

Then Pr Real AF 1 =

31/65

Example 2: Real world analysis
http://find/

8/10/2019 s-prf

45/88



Real world

Ax y

Fny F K (x )

Then Pr Real AF 1 = 1

because

Fn(0 ) Fn(1 ) = F K (0 ) F K (1 ) = ( K 0 ) (K 1 ) = 131/65

Example 2: Ideal world analysis
http://find/

8/10/2019 s-prf

46/88


Game Rand Range( F )procedure Fn (x )T[x ] $ {0, 1} return T[x ]

Ideal (random) world

Ax y

Fny $ {0, 1}

32/65

http://find/

8/10/2019 s-prf

47/88




Ax y

Fny $ {0, 1}

ThenPr Real AF 1 =

32/65

http://find/

8/10/2019 s-prf

48/88




Ax y

Fny $ {0, 1}

ThenPr Real AF 1 = Pr Fn(1 ) Fn(0 ) = 1 =

32/65
http://find/

8/10/2019 s-prf

49/88

8/10/2019 s-prf

50/88

Birthday Problem

8/10/2019 s-prf

51/88

q people 1, . . . ,q with birthdays

y 1, . . . ,y q

{1 . . . , 365

}Assume each persons birthday is a random day of the year. LetC (365, q ) = Pr [2 or more persons have same birthday ]

= Pr [ y 1, . . . ,y q are not all different ]

What is the value of C (365, q )? How large does q have to be before C (365, q ) is at least 1/2?

34/65
http://find/

8/10/2019 s-prf

52/88

8/10/2019 s-prf

53/88

Birthday collision bounds

8/10/2019 s-prf

54/88

C (365, q ) is the probability that some two people have the samebirthday in a room of q people with random birthdays

q C (365, q )15 0.25318 0.34720 0.41121 0.44423 0.50725 0.56927 0.627

30 0.70635 0.81440 0.89150 0.970

35/65

Birthday Problem
http://find/

8/10/2019 s-prf

55/88

Pick y 1, . . . ,y q $

{1, . . . ,N } and letC (N , q ) = Pr [ y 1, . . . ,y q not all distinct]

Birthday setting: N = 365

36/65

Birthday Problem
http://find/

8/10/2019 s-prf

56/88

Pick y 1, . . . ,y q $

{1, . . . ,N } and letC (N , q ) = Pr [ y 1, . . . ,y q not all distinct]

Birthday setting: N = 365

Fact: C (N , q ) q 2

2N

36/65

Birthday collisions formula
http://find/

8/10/2019 s-prf

57/88

Let y 1, . . . ,y q $

{1, . . . ,N

}. Then

1 C (N , q ) = Pr [ y 1, . . . ,y q all distinct ]= 1

N 1N

N 2N

N (q 1)N

=q 1

i =11

i N

so

C (N , q ) = 1 q 1

i =11

i N

37/65

Birthday bounds

8/10/2019 s-prf

58/88

LetC (N , q ) = Pr [ y 1, . . . ,y q not all distinct]

Fact: Then

0.3 q (q 1)

N C (N , q ) 0.5 q (q 1)

N

where the lower bound holds for 1q 2N .

38/65

Union bound
http://find/

8/10/2019 s-prf

59/88

C 1

C 2

Pr [C 1 C 2] = Pr [C 1] + Pr [C 2] Pr [C 1 C 2] Pr [C 1] + Pr [C 2]

More generally

Pr [C 1 C 2 C q ] Pr [C 1] + Pr [C 2] + Pr [C q ]39/65

Arithmetic sums
http://find/

8/10/2019 s-prf

60/88

0 + 1 + 2 +

+ ( q

1) =

40/65

Arithmetic sums
http://find/

8/10/2019 s-prf

61/88

0 + 1 + 2 +

+ ( q

1) =

q (q 1)2

40/65
http://find/

8/10/2019 s-prf

62/88

Block ciphers as PRFs

8/10/2019 s-prf

63/88

Let E : {0, 1}k

{0, 1} {0, 1} be a block cipher.Real

Ax y

Fny E K (x )

Rand

Ax y

Fny ${0, 1}


Advprf E (A) = Pr RealAE 1

Pr Rand A{0,1} 1

is close to 1?

42/65

Block ciphers as PRFs
http://find/

8/10/2019 s-prf

64/88

Dening property of a block cipher: E K is a permutation for every K

So if x 1, . . . ,x q are distinct then

Fn = E K Fn(x 1), . . . ,Fn(x q ) distinct Fn random Fn(x 1), . . . ,Fn(x q ) not necessarily distinctLet us turn this into an attack.

43/65
http://find/

8/10/2019 s-prf

65/88

Real world analysis

8/10/2019 s-prf

66/88

Let E : {0, 1}k {0, 1} {0, 1} be a block cipherGame Real E procedure InitializeK ${0, 1}k procedure Fn (x )Return E K (x )

adversary ALet x 1, . . . ,x q {0, 1} be distinctfor i = 1 , . . . ,q do y i Fn(x i )if y 1, . . . ,y q are all distinctthen return 1 else return 0

ThenPr Real AE 1 =

45/65

Real world analysis

8/10/2019 s-prf

67/88

Let E : {0, 1}k {0, 1} {0, 1} be a block cipherGame Real E procedure InitializeK ${0, 1}k procedure Fn (x )Return E K (x )


ThenPr Real AE 1 = 1

because y 1, . . . ,y q will be distinct because E K is a permutation.

45/65

Ideal world analysis

Let E : {0 1}K {0 1} {0 1} be a block cipher

8/10/2019 s-prf

68/88

Let E : {0, 1} {0, 1} {0, 1} be a block cipher

Game Rand {0,1}procedure Fn (x )T[x ] ${0, 1}Return T[x ]


Then

Pr RandA{0,1} 1 = Pr [ y 1, . . . ,y q all distinct]

= 1 C (2 , q )because y 1, . . . ,y q are randomly chosen from {0, 1}.

46/65

Birthday attack on a block cipher

E : {0, 1}k {0, 1} {0, 1} a block cipher

8/10/2019 s-prf

69/88

{ , } {, } {, } padversary ALet x 1, . . . ,x q {0, 1} be distinctfor i = 1 , . . . ,q do y i Fn(x i )if y 1, . . . ,y q are all distinct then return 1 else return 0

Advprf E (A) =

1

Pr Real AF 1 1 C (2 ,q )

Pr Rand ARange( F ) 1= C (2 , q )

0.3 q (q 1)2so

q 2 / 2 Advprf E (A) 1 .

47/65

Birthday attack on a block cipher

8/10/2019 s-prf

70/88

Conclusion: If E : {0, 1}k {0, 1} {0, 1} is a block cipher, there isan attack on it as a PRF that succeeds in about 2 / 2 queries.Depends on block length, not key length!

2 / 2 StatusDES, 2DES, 3DES3 64 232 InsecureAES 128 264 Secure

48/65

KR-security versus PRF-security
http://find/

8/10/2019 s-prf

71/88

We have seen two possible metrics of security for a block cipher E

KR-security: It should be hard to get K from input-outputexamples of E K

PRF-security: It should be hard to distinguish the input-outputbehavior of E K from that of a random function.

Question: Is it possible for E to be

PRF-secure, but

NOT KR-secure?

49/65

http://find/

8/10/2019 s-prf

72/88

Question: Is it possible for a block cipher E to be PRF-secure but notKR-secure?

Why do we care? Because we

agreed that KR-security is necessary claim that PRF-security is sufficientfor secure use of E , so a YES answer would render our claim false.

Luckily the answer to the above question is NO.

50/65

http://find/

8/10/2019 s-prf

73/88

Fact: PRF-security implies

KR-security

Many other security attributes

51/65

Key recovery security, formally

Let F : Keys(F ) Domain (F ) Range(F ) a family of functions
http://find/

8/10/2019 s-prf

74/88

Let : Keys( ) ( ) Range( ) a family of functionsLet B be an adversary

Game KR F procedure InitializeK $

Keys(F )

procedure Fn (x )return F K (x )procedure Finalize (K )

return (K = K )The kr-advantage of B is dened as

AdvkrF (B ) = Pr KRB F true

The oracle allows a chosen message attack.

F is secure against key recovery if AdvkrF (B ) is small for all B of practical resources.

52/65

Example
http://find/

8/10/2019 s-prf

75/88

Let k = L and dene F = {0, 1}k

{0, 1} {0, 1}L

by

F K (X ) =

K [1, 1] K [1, 2] K [1, ]K [2, 1] K [2, 2] K [2, ]... ...K [L, 1] K [L, 2] K [L, ]

X [1]X [2]

...

X [ ]

=

Y [1]Y [2]

...

Y [L]Here the bits in the matrix are the bits in the key, and arithmetic ismodulo two.

Question: Is F secure against key-recovery?

53/65

Example
http://find/

8/10/2019 s-prf

76/88

Let k = L and dene F = {0, 1}k

{0, 1} {0, 1}L

by

F K (X ) =

K [1, 1] K [1, 2] K [1, ]K [2, 1] K [2, 2] K [2, ]... ...K [L, 1] K [L, 2] K [L, ]

X [1]X [2]

...

X [ ]

=

Y [1]Y [2]

...

Y [L]Here the bits in the matrix are the bits in the key, and arithmetic ismodulo two.

Question: Is F secure against key-recovery?

Answer: NO

53/65
http://find/

8/10/2019 s-prf

77/88

KR attack on example

8/10/2019 s-prf

78/88

Adversary B K // is the empty stringfor j = 1 , . . . , do y j Fn(e j ) ; K K y j return K

Then

AdvkrF (B ) = 1 .

The time-complexity of B is t = O ( 2L) since it makes q = calls to its

oracle and each computation of Fn = F K takes O ( L) time.So F is insecure against key-recovery.

55/65
http://find/

8/10/2019 s-prf

79/88

Why does PRF-security imply KR-security?

8/10/2019 s-prf

80/88

Issues: To run B , adversary A must give it input-output examples underF K .

We have A give B input-output examples under Fn. This is correct inthe real world but not in the random world. Nonetheless we can show itworks.

57/65

If F is a PRF then it is KR-secure
http://find/

8/10/2019 s-prf

81/88

Our rst example of a proof by reduction!

Given: F : {0, 1}k {0, 1} {0, 1}LGiven: efficient KR-adversary B Construct: efficient PRF-adversary A such that:

AdvkrF (B ) Advprf F (A) + How to infer that PRF-secure KR-secure:

F is PRF secure Advprf F (A) is small

Advkr

F (B ) is small F is KR-secure

58/65

http://find/

8/10/2019 s-prf

82/88

Our rst example of a proof by reduction!

Given: F : {0, 1}k {0, 1} {0, 1}LGiven: efficient KR-adversary B Construct: efficient PRF-adversary A such that:

AdvkrF (B ) Advprf F (A) +

Contrapositive:

F not KR-secure AdvkrF (B ) is bigAdv

prf

F (A) is big F is not PRF-secure

59/65

How reductions work

A will run B as a subroutine
http://find/

8/10/2019 s-prf

83/88

Bs world: How A runs B

A itself answers Bs oracle queries, giving B the impression that B is inits own correct world.

60/65

If F is a PRF then it is KR-secureGiven: F : {0, 1}k {0, 1} {0, 1}LGiven: efficient KR-adversaryB
http://find/

8/10/2019 s-prf

84/88

Given: efficient KR adversary B Construct: efficient PRF-adversary A such that:


Idea:

A uses B to nd key K

Tests whether K is the right keyIssues:

B needs an F K oracle, which A only has in the real world

How to test K ?How they are addressed:

A gives B its Fn oracle Test by seeing whether F K agrees with Fn on a new point.

61/65


Given: F : {0, 1}k {0, 1} {0, 1}L
http://find/

8/10/2019 s-prf

85/88

{ } { } { }Given: efficient KR-adversary B Construct: efficient PRF-adversary A such that:


adversary Ai 0K B FnKRSimx $ {0, 1} {x 1, . . . ,x i }if F K (x ) = Fn(x ) then return 1else return 0

subroutine FnKRSim (x )i i + 1x i x y i Fn(x )return y i

62/65

Analysis

adversary A
http://find/

8/10/2019 s-prf

86/88

adversary Ai

0

K B FnKRSimx $ {0, 1} {x 1, . . . ,x i }if F K (x ) = Fn(x ) then return 1else return 0

subroutine FnKRSim (x )i i + 1x i x y i Fn(x )return y i

If Fn = F K then K = K with probability the KR-advantage of B ,so

Pr Real AF 1 AdvkrF (B )

If Fn is a random function, then due to the fact thatx / {x 1, . . . ,x i },Pr Rand ARange( F ) 1 = 2

L

So Advprf F (A) AdvkrF (B ) 2 L

63/65

If F is PRF-secure then it is KR-secure
http://find/

8/10/2019 s-prf

87/88

Proposition: Let F : {0, 1}k

{0, 1} {0, 1}L

be a family of functions, and B a kr-adversary making q oracle queries. Then there isa PRF adversary A making q + 1 oracle queries such that:

AdvkrF (B ) Advprf F (A) + 2

L

The running time of A is that of B plus O (q ( + L)) plus the time forone computation of F .

Implication:

F PRF-secure F is KR-secure.

64/65

Our Assumptions
http://find/

8/10/2019 s-prf

88/88

DES, AES are good block ciphers in the sense of being PRF-secure tothe maximum extent possible.

65/65
http://find/

Documents

s-prf