PSEUDO-RANDOM FUNCTIONS

Mihir Bellare UCSD

Recall

We studied security of function families (in particular, block ciphers) against key recovery.

But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure.

We want to answer the question: What is a good block cipher? where "good" means that natural uses of the block cipher are secure.

We could try to define "good" by a list of necessary conditions:
• Key recovery is hard
• Recovery of $M$ from $C = E_K(M)$ is hard
• ...

But this is neither necessarily correct nor appealing.

Turing Intelligence Test

Q: What does it mean for a program to be "intelligent" in the sense of a human?

Possible answers:
• It can be happy
• It recognizes pictures
• It can multiply
  • But only small numbers!

Clearly, no such list is a satisfactory answer to the question.

Turing's answer: A program is intelligent if its input/output behavior is indistinguishable from that of a human.
Turing Intelligence Test

Behind the wall:
• Room 1: The program $P$
• Room 0: A human

Game:
• Put tester in room 0 and let it interact with object behind wall
• Put tester in room 1 and let it interact with object behind wall
• Now ask tester: which room was which?

The measure of "intelligence" of $P$ is the extent to which the tester fails.

Real versus Ideal

Notion       | Real object  | Ideal object
Intelligence | Program      | Human
PRF          | Block cipher | Random function
Random functions

Game $\mathrm{Rand}_R$   // here $R$ is a set
  procedure Fn($x$)
    if $T[x] = \bot$ then $T[x] \overset{\$}{\leftarrow} R$
    return $T[x]$

Adversary $A$
• Make queries to Fn
• Eventually halts with some output

We denote by $\Pr[\mathrm{Rand}_R^A \Rightarrow d]$ the probability that $A$ outputs $d$.

Random functions

Game $\mathrm{Rand}_{\{0,1\}^3}$
  procedure Fn($x$)
    if $T[x] = \bot$ then $T[x] \overset{\$}{\leftarrow} \{0,1\}^3$
    return $T[x]$

adversary $A$
  $y \leftarrow$ Fn(01)
  return ($y = 000$)

$\Pr[\mathrm{Rand}_{\{0,1\}^3}^A \Rightarrow \text{true}] = 2^{-3}$
Random function

Game $\mathrm{Rand}_{\{0,1\}^3}$
  procedure Fn($x$)
    if $T[x] = \bot$ then $T[x] \overset{\$}{\leftarrow} \{0,1\}^3$
    return $T[x]$

adversary $A$
  $y_1 \leftarrow$ Fn(00)
  $y_2 \leftarrow$ Fn(11)
  return ($y_1 = 010 \wedge y_2 = 011$)

$\Pr[\mathrm{Rand}_{\{0,1\}^3}^A \Rightarrow \text{true}] = 2^{-6}$

Random function

adversary $A$
  $y_1 \leftarrow$ Fn(00)
  $y_2 \leftarrow$ Fn(11)
  return ($y_1 \oplus y_2 = 101$)

$\Pr[\mathrm{Rand}_{\{0,1\}^3}^A \Rightarrow \text{true}] = 2^{-3}$

Recall: Function families

A family of functions (also called a function family) is a two-input function $F : \mathrm{Keys} \times D \to R$. For $K \in \mathrm{Keys}$ we let $F_K : D \to R$ be defined by $F_K(x) = F(K, x)$ for all $x \in D$.

Examples:
• DES: $\mathrm{Keys} = \{0,1\}^{56}$, $D = R = \{0,1\}^{64}$
• Any block cipher: $D = R$ and each $F_K$ is a permutation
Real versus Ideal

Notion | Real object                              | Ideal object
PRF    | Family of functions (e.g. a block cipher) | Random function

$F$ is a PRF if the input-output behavior of $F_K$ looks to a tester like the input-output behavior of a random function.

Tester does not get the key $K$!

Games defining prf advantage of an adversary against F

Let $F : \mathrm{Keys} \times D \to R$ be a family of functions.

Game $\mathrm{Real}_F$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \mathrm{Keys}$
  procedure Fn($x$)
    Return $F_K(x)$

Game $\mathrm{Rand}_R$
  procedure Fn($x$)
    if $T[x] = \bot$ then $T[x] \overset{\$}{\leftarrow} R$
    Return $T[x]$

Associated to $F$, $A$ are the probabilities

$\Pr[\mathrm{Real}_F^A \Rightarrow 1]$ and $\Pr[\mathrm{Rand}_R^A \Rightarrow 1]$

that $A$ outputs 1 in each world. The advantage of $A$ is

$\mathbf{Adv}^{\mathrm{prf}}_F(A) = \Pr[\mathrm{Real}_F^A \Rightarrow 1] - \Pr[\mathrm{Rand}_R^A \Rightarrow 1]$

PRF advantage

$A$'s output $d$ | Intended meaning: I think I am in game
1                | Real
0                | Random

$\mathbf{Adv}^{\mathrm{prf}}_F(A) \approx 1$ means $A$ is doing well and $F$ is not prf-secure.

$\mathbf{Adv}^{\mathrm{prf}}_F(A) \approx 0$ (or $\le 0$) means $A$ is doing poorly and $F$ resists the attack $A$ is mounting.

PRF security

Adversary advantage depends on its
• strategy
• resources: Running time $t$ and number $q$ of oracle queries

Security: $F$ is a (secure) PRF if $\mathbf{Adv}^{\mathrm{prf}}_F(A)$ is "small" for ALL $A$ that use "practical" amounts of resources.

Example: 80-bit security could mean that for all $n = 1, \ldots, 80$ we have

$\mathbf{Adv}^{\mathrm{prf}}_F(A) \le 2^{-n}$

for any $A$ with time and number of oracle queries at most $2^{80-n}$.

Insecurity: $F$ is insecure (not a PRF) if we can specify an $A$ using "few" resources that achieves "high" advantage.
Example

Define $F : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}^\ell$ by $F_K(x) = K \oplus x$ for all $K, x \in \{0,1\}^\ell$. Is $F$ a secure PRF?

Game $\mathrm{Real}_F$
  procedure Initialize
    $K \overset{\$}{\leftarrow} \{0,1\}^\ell$
  procedure Fn($x$)
    Return $K \oplus x$

Game $\mathrm{Rand}_{\{0,1\}^\ell}$
  procedure Fn($x$)
    if $T[x] = \bot$ then $T[x] \overset{\$}{\leftarrow} \{0,1\}^\ell$
    Return $T[x]$

So we are asking: Can we design a low-resource $A$ so that

$\mathbf{Adv}^{\mathrm{prf}}_F(A) = \Pr[\mathrm{Real}_F^A \Rightarrow 1] - \Pr[\mathrm{Rand}_{\{0,1\}^\ell}^A \Rightarrow 1]$

is close to 1?

Exploitable weakness of $F$: For all $K$ we have

$F_K(0^\ell) \oplus F_K(1^\ell) = (K \oplus 0^\ell) \oplus (K \oplus 1^\ell) = 1^\ell$

Example: The adversary

$F : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}^\ell$ is defined by $F_K(x) = K \oplus x$.

adversary $A$
  if Fn($0^\ell$) $\oplus$ Fn($1^\ell$) $= 1^\ell$ then return 1 else return 0
Example: Real game analysis

$F : \{0,1\}^\ell \times \{0,1\}^\ell \to \{0,1\}^\ell$ is defined by $F_K(x) = K \oplus x$.

adversary $A$
  if Fn($0^\ell$) $\oplus$ Fn($1^\ell$) $= 1^\ell$ then return 1 else return 0

$\Pr[\mathrm{Real}_F^A \Rightarrow 1] = 1$

because

$\mathrm{Fn}(0^\ell) \oplus \mathrm{Fn}(1^\ell) = F_K(0^\ell) \oplus F_K(1^\ell) = (K \oplus 0^\ell) \oplus (K \oplus 1^\ell) = 1^\ell$

Example: Rand game analysis

$\Pr[\mathrm{Rand}_{\{0,1\}^\ell}^A \Rightarrow 1] = \Pr[\mathrm{Fn}(1^\ell) \oplus \mathrm{Fn}(0^\ell) = 1^\ell] = 2^{-\ell}$

because Fn($0^\ell$), Fn($1^\ell$) are random $\ell$-bit strings.
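
Added example (not part of the original slides): the two games and the adversary $A$ above written as runnable Python, so the advantage $1 - 2^{-\ell}$ can be measured empirically and the Rand-game probability checked by exhaustive enumeration for small $\ell$. The function names (make_real, make_rand, estimate_advantage, exact_rand_probability) are chosen here for illustration, and $\ell$-bit strings are represented as Python integers.

```python
import secrets
from fractions import Fraction

def make_real(ell):
    """Game Real_F for F_K(x) = K xor x: Initialize draws K, Fn(x) returns K xor x."""
    K = secrets.randbits(ell)
    return lambda x: K ^ x

def make_rand(ell):
    """Game Rand over {0,1}^ell: a random function, lazily sampled into table T."""
    T = {}
    def Fn(x):
        if x not in T:                      # corresponds to T[x] = ⊥ on the slides
            T[x] = secrets.randbits(ell)
        return T[x]
    return Fn

def adversary(Fn, ell):
    """The slides' adversary A: output 1 iff Fn(0^ell) xor Fn(1^ell) = 1^ell."""
    ones = (1 << ell) - 1
    return 1 if Fn(0) ^ Fn(ones) == ones else 0

def estimate_advantage(ell, trials=1000):
    """Monte Carlo estimate of (Pr[Real => 1], Pr[Rand => 1], advantage)."""
    real = sum(adversary(make_real(ell), ell) for _ in range(trials)) / trials
    rand = sum(adversary(make_rand(ell), ell) for _ in range(trials)) / trials
    return real, rand, real - rand

def exact_rand_probability(ell):
    """Exact Pr[Rand => 1] for small ell: enumerate all equally likely
    (Fn(0^ell), Fn(1^ell)) pairs and count those whose xor is 1^ell."""
    ones, n = (1 << ell) - 1, 1 << ell
    hits = sum(1 for y0 in range(n) for y1 in range(n) if y0 ^ y1 == ones)
    return Fraction(hits, n * n)

if __name__ == "__main__":
    for ell in (3, 8, 128):
        real, rand, adv = estimate_advantage(ell)
        print(f"ell={ell:3d}  Pr[Real=>1]={real:.3f}  Pr[Rand=>1]={rand:.3f}  Adv~{adv:.3f}")
    print("exact Pr[Rand=>1] for ell=3:", exact_rand_probability(3))
```

For small $\ell$ the measured advantage is visibly below 1 (about $7/8$ at $\ell = 3$); at block-cipher sizes such as $\ell = 128$ it is indistinguishable from 1 with only two oracle queries.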