<<

CS 6260 Applied

Alexandra (Sasha) Boldyreva Block ciphers, pseudorandom functions and permutations

1

Block ciphers Building blocks for symmetric . M→ EK →C Examples: DES, 3DES, AES...

k n n • A is a function family E:{0,1} ×{0,1} →{0,1} , where k- length, n-input and output lengths are the parameters

∈ k • Notation: for every K {0,1} EK(M)=E(K,M)

∈ k • For every K {0,1} , EK(⋅) is a permutation (one-to-one and onto function). For every C∈{0,1}n there is a single M∈{0,1}n s.t. C=EK(M) -1 • Thus each block cipher has an inverse for every key: EK (⋅) -1 ∈ n s.t. EK(EK (M))=C for all M,C {0,1}

∈ k -1 n n • For every K {0,1} , EK(⋅),EK (⋅):{0,1} →{0,1} 2

DES • Key length k=56, input and output length n=64 • 1973. NBS (National Bureau of Standards) announced a search for a data protection algorithm to be standardized • 1974. IBM submits a design based on “” algorithm • 1975. The proposed DES is published • 1976. DES approved as a federal standard 7 • DES is highly efficient: ≈2.5⋅10 DES computations per second

3

Security of block ciphers

• Any block cipher E is subject to exhaustive key-search: given (M1,C1=E(K,M1),...,(Mq,Cq=E(K,Mq)) an adversary can recover K (or another key consistent with the given pairs) as follows:

EKSE((M1,C1),...(Mq,Cq)) For i=1,...,2k do if E(Ti,M1)=C1 then //Ti is i-th k-bit string// if E(Ti,Mj)=Cj for all 2≤j≤q then return Ti EndIf EndIf EndFor

4 Bellare and Rogaway 9

Bellare and Rogaway 9

feed the oracle M1 and get back C1 = EK (M1). It can then decide on a value M2, feed the oracle this, and get back C2, and so on. Clearly a chosen-message attack gives the adversary much more power, but is feed the oracle M1 and get back C1 = EK (M1). It can then decide on a value M2, also less realistic in practice. feed the oracle this, and get back C2, and so on. The most obvious attack strategy is exhaustive key search. The adversary goes Clearly a chosen-message attack gives thtehraoduvgerhsaarllypmossibuchlemokeysre pKower, b0u,t1isk until it finds one that explains the input- ! ∈ { } also less realistic in practice. output pairs. Here is the attack in detail, using q = 1, meaning one input-output The most obvious attack strategy is exhaustive key search. The akdversary goes example. For i = 1, . . . , 2 let Ti denote the i-th k-bit string (in lexicographic order). through all possible keys K 0, 1 k until it finds one that explains the input- ! ∈ { } output pairs. Here is the attack in detail, usinEKgSEq (=M1,,Cmea1) ning one input-output k for i = 1, . . . , 2k do example. For i = 1, . . . , 2 let Ti denote the i-th k-bit string (in lexicographic order). if E(Ti, M1) = C1 then return Ti fi EKS (M , C ) E 1 1 20 BLOCK CIPHERS for i = 1, . . . , 2k do This attack always returns a key consistent with the given input-output example (M , C ). Whether or not it is the target key depends on the block cipher, and if E(Ti, M1) = C1 then return Ti fi 1 1 in particular on its key length and block length, and in some cases the probability This attack always returns a key consistent owf itthisthise tgoivoensmainll.putT-ohuetplikueliht exaoompd olef the attack returning the target key can be (M1, C1). Whether or not it is the target kineycreadepsedendbys toestn tinhge abgloacinkstcipmoherre,inapnudt-output examples: in particular on its keybylensagyinth agn:d“bBuloctk, lencleagtrhly, ,anDdEinS soanmed AcaEsesS atrhee npotrobdabesigilityned like this.” True. But that of this is too small. The likelihood of the aEttKacSkEr(et(Mu1rn, Cin1g),t.h.e. ,t(aMrgqet, Cqk)ey) can be is missing the point. The point is thakt security against key-recovery alone does not increased by testing against more input-output exaformpi =les:1, . . . , 2 do make a “good” block ciphifer.E(Ti, M1) = C1 then EKSE((M1, C1), . . . , (Mq, Cq)) if ( E(T , M ) = C AND AND E(T , M ) = C ) then return T fi But then what does make a gooi d 2block 2cipher·?· · This questi ioqns tuqrns out to i for i = 1, . . . , 2k do not be so easy to anAswfaerirly. Csmaertllavinaulye ofnqe, casayn solistmewvahraiot umos rdeesirthaanbkle/np, risopenerotuies.gh thFaotrthis attack if E(T , M ) = C then i 1 exa1 mple, the ciphertwextill ushsuoaullyldretnoutrnrevtheeatal rhgaetlfkteyheitbselfits. oFforthDeESp,laqin=text2 is.enBuoutght.hat is if ( E(T , M ) = C AND AND E(T , M ) = C ) then return T fi i n2 ot en2ough eit· ·h· er. As wTehi seeus,qnmoo brloeqcuksacipgesherofiscipperhferects,ilywsecue burilde. Itupisaalolwnaysgerpaossibnd lelonfogreran attacker A fairly small vaue oflistq, saoyf sosecumewrithyatpmoropreertotthriesaecon kSv/erPn1,t,hiseSenPkey2o,u. gShAP3tgh,oao.td.t.hbtislohcakttcipacrkehernecessa, howevrery ,foisr dtesighe nsecued troitmay okfe this task will usually return thesotamergetbkloeyckitselfcip.herForbDacosedEmpS, uqatpa=ptio2licanisallytenioopnur.goh.ibitive. Thus, no block cipher is perfectly secure. ItHisowalwlonaysg dpooesssibexhleafuostr ivane kaey-seattackerrch take? Since q is small we can neglect the to recover the key. A gooSducbhlocak locipnhgerlist, hodwoiffevfernerenecessa,ceis indesigruynnnbedinutgtotnimeomat sukbeetffitwhcieneenis tatthskeprtwopoervertiessioniss onf othewaatytactko atbroeave,t and focus computationally prohibsecuitive.rity. What weSecuritnfeedor simpis onylicite ofsiy n oblockngleth“eMASTEfir stciphersattacRk.”Inprtohpe erwotyrstofcaase,bloitcuksescip2hk ercompwhuicthat,ions of the How long does exhifaumetstive, kguarey-seaanrtechestasecuke?blocSrkitincipyceohqferislots. Hsmaoofwllevnweraetitcaurconaulnldegusalectbegeslessthoesinf thceeocipne hcoeruld. get lucky. For example if the target key is in the first half of the search space, only 2k 1 computations would be difference in running time• ExhaustivSbuetcwheena ptrhoep ertkweytoy vissearchersiothants totakhf ethbeseloa ct2tkkac cipblockk ahberov e,bciphereaandpseuf ocomputationscudsorandom per inm u−tation (PRF), used. So a betterk measure is how long it takes on the average. This is for simplicity on the fiarstnoathettioa cnworstk.expInlot hcase.reedwoinrstacanose,therit ucseshap2terco. mputations of the block cipher. However it could be less since one2cok uld get lucky. For 2exak mple if the 2k k k k k 1 i 1 1 2 (2 + 1) 2 + 1 k 1 target key is in the first half of the search space, oinlyPr2[K =coTmpi] =utations w=ould be i = = 2 − • On the average: · − 2k 2k · 2k · 2 2 ≈ used. So a better measure is how long it takes o!i=1n the average. This !iis=1 !i=1 2.7 Problemcosmputations of the block cipher. This is because the target key is chosen at random, 2k 2k 2k k k k i 1 so w1ith2pr(o2ba+bilit1)y 1/22k equ+ 1als T ,kan1 d in that case the attack uses i E-computations i Pr[K = Ti] = = i = = 2i − · Prob2lemk 2.12k · Showtoth2fikantd· fito.r a2ll K 0, 12 56 ≈and all x 0, 1 64 !i=1 !i=1 !i=1 Thus to make∈key-r{ eco}very by exhau∈stiv{ e sea} rch computationally prohibitive, computations of the block cipDESher has. Th isa ispropertbecauseyt hthate tar g et k ey is c h o sen a t r a n d o m,, this speeds k• one must maDkEe SthKe(kxey-len) = DgEthSkKo(fxt)h.e block cipher large enough. so with probability 1/2 equupals exhaustivTi, and in teh asearcht case t hbeya tata factorck uses ofi E 2-co mputations to find it. This is called the key-coLetmp’slemenlook attaDtioESn. pWroepnerottedy oafboDvEe Sth.at there is VLSI chip that can compute Thus to make key-r•ecoFvorer yDESby exh(k=56)austivit eexhaustivaseat trhceh rcoatmpee osearchfut1a.6tioGnb aittakllys/sec.espro h Hib oit w iv loe, n g w o u ld key-recovery via exhaustive search one must make the key-leng55th k of the blo7ck cipher large enough. Prob2 lem/2⋅2.52.2⋅10Exp thatlain isho aboutw to u23se ytearshe key-complementation property of DES to Let’s look at DES. We noted above that there is VLSI chip that can compute it at the rate of 1.6 Gbspiteeds/sec.upHexhow loaunstg ivwoeuldkeykey-rseaecorchverby viaaboexhut aaustfaivcteosear orfchtwo. Explain any assumptions that you make.

1 Problem 2.3 Find a key K such that DES ( ) = DES− ( ). Such a key is some- K · K · times called a “weak” key. 5

Problem 2.4 As with AES, suppose we are working in the finite field with 28 elements, representing field points using the irreducible polynomial m(x) = x8 + x4 + x3 + x + 1. Compute the byte that is the result of multiplying bytes: Security of DES e1 05 • There are more sophisticated attacks{ } · {known:} • differential cryptoanalysis: finds the key given about 247 chosen and the corresponding Prob• lemlinear2.5 cryptoanalysis:For AES, we hfindsave gtheiven keytw ogivdienffer aboutent descr 242ip t knownions of mix-cols: one using plaintextmatric m uandltip licaciphertexttion (in pairsGF(28)) and one based on multiplying by a fixed p•olynTheseomia attacksl c(x) mo requiredulo a secotoo nmand fixedy data,polyn henceomia l,exhaustivd(x) = xe4 +key1. Show that these twosearchmetho diss theare equbestiv aknownlent. attack. And it can be mounted in parallel! • A machine for DES exhaustive key search was built for $250,000. It finds the key in about 56 hours on average. • A new block cipher was needed.... • Triple-DES: 3DES(K1||K2,M)=DES(K2, DES-1(K1, DES(K2,M)). • 3DES’s keys are 112-bit long. Good, but needs 3 DES computations 6

Advanced Encryption Standard (AES)

• 1998. NIST announced a search for a new block cipher. • 15 algorithms from different countries were submitted • 2001. NIST announces the winner: an algorithm Rijndael, designed by Joan Daemen and from Belgium. • AES: block length n=128, key length k is variable: 128, 192 or 256 bits. • Exhaustive key search is believed infeasible

7

Limitations of key-recovery based security • A classical approach to block cipher security: key recovery should be infeasible. • I.e. given (M1,E(K,M1),...,Mq,E(K,Mq)), where K is chosen at random and M1,...Mq are chosen at random (or by an adversary), the adversary cannot compute K in time t with probability ε. • Necessary, but is it sufficient? • Consider E’(K,M1||M2)=E(K,M1)||M2 for some “good” E. Key recovery is hard for E’ as well, but it does not look secure. • Q. What property of a block cipher as a building block would ensure various security properties of different constructions?

8 Intuition

• We want that (informally) • key search is hard • a does not leak bits of the • a ciphertext does not leak any function of a plaintexts • .... • there is a “master” property of a block cipher as a building block that enables security analysis of protocols based on block ciphers • It is good if ciphertexts “look” random

9

• Pseudorandom functions (PRFs) and permutations (PRPs) are very important tools in cryptography. Let’s start with the notion of function families: • A function family F is a map Keys(F)×Dom(F) → Range(F). ∈ • For any K Keys(F) we define FK=F(K,M), call it an instance of F.

Notation f $ F is the shorthand for K Keys(F); f←F • ← K • Block cipher E is a function family with Dom(E)=Range(E)={0,1}n and Keys(K)={0,1}k

10

1

• Let Func(l,L) denote the set of all functions from {0,1}l to {0,1}L. • It’s a function family where a key specifying an instance is a description of this instance function. • Q. How large is the key space? L2l • A. 2

• We will often consider the case when l=L • Let’s try to understand how a random function (a random instance f of Func(l,L)) behaves

11

Random functions

• g F(l,L) • We are interested in the input-output behavior of a random function. Let’s imagine that we have access to a subroutine that implements such a function:

g(Xε{0,1}l) global array T If T[X] is not defined then L T[X] {0,1} EndIf Return T[X]

12 “Black box” access

X g(⋅) global array T If T[X] is not defined then $ L Y T[X] {0,1} EnIf Return← Y=T[X]

Note that for any Xε{0,1}l and Yε{0,1}L Pr[g(X)=Y]=2-L

13

1

Random permutations

• Perm(l) is the set of all permutations on {0,1}l • Q. How large is the key space? • A. l!

• We are interested in a random instance π Perm(l)

π(Xε{0,1}l) global array T, S; S←∅ If T[X] is not defined then T[X] {0,1}l-∅; S←S∪{T[X]} EndIf Return T[X]

14

4 “Black box” accessPSEUDORANDOM FUNCTIONS

The answer on any point isπ(r⋅a) ndom and independent of the answers on other points. X global array T, S; S←∅ It is this “dynamic” view tIfh T[X]at w ise notsu gdefigestnedt thenhe r eader have in mind when thinking about random functions or random permutations. l ∅ ← ∪ One must Yremember th a T[X]t th e t{0,1}erm- “r; aSndSom{T[X]}fun EndIfction” is misleading. It might Return Y=T[X] lead one to think that certain functions are “random” and others are not. (For example, maybe the constant function that always returns 0L on any input is not 4 random, but a function with many differenPt SrEUanDgeORvAaluNDesOMis FUranNCdoTm.)IONSThis is not right. The randomness of the function refers to the way it was chosen, not to an

4 attribute of the selected function itselfPSEU. DWORhAenNDyOMouFUcNChoToIONSse a function at random, the 4 PSEUDORANDOM FUNCTIONS 4 constant function is just asl likely tPoSEUapDpOReaAlNDr aOMs aFUnyNCoTtIhONSer funct-lion. It makes no sense to talk Foorf t hane 6rya nXdεomn{0,1}ess oandf an Yinεd{0,1}ividu aPr[l fuπnct(X)=Y]=2ion; the term “randPoSmEUfDuORnctAioNDn”OM FUNCTIONS 4 6 PSEUDORANDOM FUNCTIONSPSEUDORANDOM FUNCTIONS The answjuerst omean annys paofinutnctis ioranndcohmosenandaint 6rdaepndenom.dent of the answers on other pPoSinEUtDs.ORANDOM FUNCTIONS 4 PSEUDORANDOM FUNCTIONS 4 It TishethanisTswh“eerdanynoswn aernmic”yonpoainnyviewt pisoinratntisdhormaatnadnwodmeinasundPdepSgEUingendestDdepORenentAdhoNDenfettOMhroeeafatFUnhdsweerNCaernTswhsIONSaoervnseootninherotminhperoinptdos.inwts.hen thinking abToIthueistantrswhaItisnerisd“odtnynhmisaan“fmic”yudpynnoctinaviewmic”tioisnrsatviewnhodarotmrwtaheaanntsudwgoinegmdestsueppgentgerhestdemenrteatuhoetdfaerrteathiohedaernavns.eswhinaervemins inondminotwhdherenwphoteninhints.tkinhingking Itabisouthtisarab“nodduyntomraamic”nfudnomctviewiofunnscttohioranrtasnwoderorsumangpdgoerestmmtpuherteamtrioeauntdas.terionhs.ave in mind when thinking abOount eraEnmdxampuomstfTurnhememcteleaionnsw3.3serobroerrnaLetantndhyo’sapmotinpdtterohismifesoruatnTameerd[toXiom]ns.simpaisn“dnroaintnddleepdefioenpnmeddrenofbtuoanfbctthilisteioanswic”eriscos omisleanmpothuertpadotiniots.gn.s Ittomigundhert stand ran- One mOunste Itrmememuisstthrisbememer“dynthbaaermic”t tthheaviewtterthmethta“ertramwned“suoramgngdfest$oumnifctthfuioeTn[nrXctea”]iodisernn”misleahoistavdemisleaefiinndedinmingd.indItgw.hmigenIt migthhtinhkint g 15 then Y D S ; T [X$] Y ; S S T [X] The leaanswleaderOdoonnnoeendleaamenotyudtmostopoontrfinheememuintintnisokctkrttabhiohninteradhntkotams.cerhtthaatatInncertatdinhcerifineatdaftlltuerepainnTinmoctenf[fioXd“utrennhan]sct6ntectdisioaoorfionemotsnhllon“eoafrsuratnew←nactswd“inrioroefieaerm”gn−s”thd“,noristenednam”ahnonmisleadetYdhaoperontdrm”hpoD←derobinintshagtaerS.s.brn;seilitItdTan[←rmigXoeoyt]t.nisho∪t(terYF.t{o;sa(rSkFaoenr}ePSSoEUnvoDerTtOR[.XaA] ND(rFaOMonrdFUoNCmTIcONShoice The answer on any pointaisboruatnrdaonmdomandfuninctdioepnens odfirenratnodfomtheperanmswuteratsioonns.other←poin−ts. ← ← ∪ { } $ It is thleais “ddynonaemic”to thviewink tthhaatt cerwe tsuainggestfunctthioe nrseaadrere “hraavne$dinom”minfi adndwhotenhLerthsinLakinre ngot. L(For It is thexais exa“mpdynmpale,mic”oexale,fmampmafviewfle,ybroemaemttOhhtaybnehtFeecouwmentuncohcststsue(nagcor!nememstg,Ltneststaf)una,tnbnthctertmeathefiofurtreahnenetuactdcttnheriotinaiorhnntehYgntatThervlwta[etXmhthainys]a“DlwtrtminarnawetaysdlwedoumrrSwnhetafshysau;enn0vrctnTesrtioohet[execu0nXin”ukinaois]rnnymisleagsaintned0ypYuindtin;tpoishugnS.tenisItaootnnmigpyoerSthinat tpioutTnis[fXn]otFunc(!,L). about rexaandmpomle,fumanctybiones tohreraconndstomanpterfumnucttaiotion nts.hat always←retruetur−nsrn0LT [oXn] any in←put is not ← ∪ { ←} about rranrdadonomdm,ofm,urnactnbbduiouotnm,saaleaobfrufdurntaoctnnanctdioefountmionoctwntphioiterinhwnmkfiitmawuttithaanhttyiomamacernds.intffnayeryindenifdffutinerffctrenaeriontngenseraavtnragelure“aesvrnanlugisdeesorm”avisnadluaronam.)ndesdootm.)ishTerhsrisaTanrhiseisdnnooisom.)tt.no(Ft orThis is not random, but a function with man!y Tdihffeeraennswt reranogne aTvnahylueLpaesnoswinisterrisaonnrdaaonnm.)dyopm,oinTLtbhuistrisnanondtoinm,t depbutenndoent intdoepf enthdeenatnswof erthse aonswoerthseron other OnOenemrmuigstuhsttr.ememr1.rTememighhet.brFerbaTernixexahtdehtoamphXmnrtatntle,esshdtheomaemntoert0ybferessm,tmeh1“eto“hrfafreuantconhaddcteonomstiofdmuanfnuYfctturnnefiofctucternioioctsnrnefio”t0”oneris,isst1hmisleamisleataeot wta.hlwaeydTdainwysinithaggenyr.w.etaitItItu:srwnmigcshaso0hsencthoon,sennaon,ytntinootpuattno isannot rigrighht.t. Theerarnadrnoadnmndoomnessm, boessuftthaeofuffnructtnetuhctioepiononfwrinuitnrtnefs,hcterTmasinsio[nXcetyno it]dtrihffisefeperoerdweninistattsys,inritsintactnogwcefetaroithvsmaeiscluhtdeswohistsenoaisse.iny,rctanitnfordtoomwm.)toathsaonTse.chhisoissenno,t not to an lealead donoeneatotttorthibtinhuainkttekttrohibtfahutahttecereceroselectftatinhaine∈edfselectufun{fnctuctnioedctionnios}fusnanarctitereioself““rnra.aitnndWselfdoom”h∈m”.enifW{aTyahnon[enXdud]ocyois}htothohuneroerocsetshsdoaaefiorresefenuednnaoocttftu.io.nnct((Faiootrnrant draonm,dotm,hethe attribute of therselectight. edThfeurnactndioonmnitessself.ofWthheenfunyctouiocnhorLefoseersa$ tfoutnhcte iownayatitrwanads ocm,hoLsenth,e not to an exaexampmpale,tle,tcomaribmanybstuybaetncoeetthntofehstufencoatctncohntiostnefustnaselectnnaiscttntiojfufnunstnctisedctaiosjiounlikfstnutelyhtanhasctatliktaEiooaelylwxamplwanpaaysptitysoeaselfarleretpetpauu3.5eas.rrnathnrWsnsayen0RsE0PhLoaaxamptenrnnoYhodyn[ernofomayat(flenDohnuXypyerun3.5erctin)infcmSupioph=nRu;unocttaTt.anoY[ioistisXdItseioon]]nmn.mao=saIttpaerYkfrma2esuem;−nusoSkntctesaomewtiosen.ionSnosnhsesenaratTetseh[soXarmewr]aderndhtaotm,whaorrdkterhwteoithwotrhkawnitrhanth-an ran- constant functioanttisribjutste oafstlikheelyselecttoedapfpueanctrioasn aitnselfy o.tWherhenfu←nyctouio−cnho. oItsemaa fuk←nesctnioonsenat←rseand∪o{m, the} rarnadnodm,coom,nbtoustbtutatanlkaftuofnouffctuntacttniolkhioctnenowriofawittnhitdehoismamnrmaajnuessdnystoyTdmndihoffaiffferesseseraenliknaenotninftdelyrswoadrmanividngerintgfeuoedunvvividactoallufipnluiofespuesnaneas,islctnisdfdryiouruoranamennctnp;sdtdfoiouotoahnm.)inntm.)ncteh;yeioterhnlaoTTs,isemcthhkdthisiserur“oereafmrisisatninonfn“udtorhepotanemnm,ctenladcofiodkumennobnfctfce.uiniontdItbctnepetn”iomaenwoneend”tenkinceesvadbluetnepeswoeenenosenn vdaseiluenffesertenontodfpiffoterinhentes.t paonintsws. ers on other right. tTohetarlkanodfomntheessrcoanondfstotamnhnetessffunctofioannisrefinjuerdstivids atsouliktahlelyefuwrtnetuoactyaiopritpnnLeteaw;Trat[’sXhsaeslo]chaotnokerysenamtotso,h“menerraontfupdtrnoctbmaiobnnfilistu.nItcticmaioconmpk”esuntaotsenionsseinvolving them. In all of the following, right. ThjeustranmeadjoumnstnsessmeaaNfuonfntscticetahioefunfnutcctnhhctioaopiosenntoncinthrhaoeftseneers,raspLetnasintrdtoo’srm.btacelohnaedobkowitm.ilitatyissoyitmedwdistaopsresnocinhboactsenb’tilist,fdrnicepootcomentmpotdahuntoaose.tnion!s .invNolvinorg dthoem.es Initalldoepf thene fdolloowningt,he attribtoujtuetstaoflkmeatheonselectfs tahfuedentoctrfuationanlkctndiocohfnmnotitsenhselfeessra.RtnWdrandomoahmnnfendaoessm.ynouoinfchadnoividoinse dfunctionsaividufutahunleactlpfiorufuonbnactabtioilitiornay;ndist;h oetm,vstatkherentehm oetpermutationsv“erramandroamn“drofamuncctdhiooicenm” of uπnfrctomioPner”m("), meaning that we the proTbhaebailitnswy eris otnakaenny opvoerintaisrarnanddoomm,chbouicet $nootfinπdepfroenmdenPert mof(t"h),e meaanswnerinsgonthoattherwe attribute of the selectedvajfuluustnesctmeaioonnfits selfXa fu,.nYWctio.hnenchyoosenu chaotorseandaofm.uhnactveioexecun attredantdhoem,operthateion π Perm("). constjaunstt fumeanctionsis ajustfuansctlikioelyntochapopsenear aas tanryaonthderom.function. It makes no$ sense constant function is just as likely to Eapxamppear ashalenvye execuo3.5tphoerinttfs,eduRnsincttahceionendito.poisItermdamaisttiopinkneresctπmfnroumsenPtertahsemotse.io(")n. s←are somewhat harder to work with than ran- to talk oEfxampthe Eraxamplendo3.3mnleessLet3.3o’sf adLetno inso’sdmedivido sosimpumeal fleusimpnpctroiolebnap;brtilistohbeabticerilist1.comicmpF“rixcoaunXmptda,otYmioutnafsut←0iont,cton1siou!.tnoTd”uerhennstd:eranstdarnadnr-an- to talk oEf xampthe ralendo3.3mnessLeto’sf daon soinmedividsimpuallefupnrcto!bioanEb;ilistxamptheictlecoermpm3.5“urRta!aantndiodoonms ∈tpfou{ernuLmctnud}ioterantstio” nasndarerasonmew- hat harder to work with than ran- just means a fu2.dnoctmiofnuFncixcthoiosenXns.1a,IntXra2dnlldooofmm.th0efu,fo1.1nlloctwFinioixagnn,Xds,t,hYeYdp1ur,oeYb0a,2t1boilit.tyThis0he,ent1ala:kenck,ovaoernf adinradnssuepdomenmechdoeniceX1ce=bXet!2w. eenThenvalues on different points. just meandsoamfufnuctnctioion ncs.hEoxampsenIn aalltleorfa3.3nthdeom.Letfollo’swdino sog,methdesimpopmrofleubna∈pctbroilit{iobnas,ybilist}isduteicatkocoentmpheovlauertcaktaioofrnainsndtdoepo$umennddPcerenhrst[oceπicea(Xnbdet) r=waeennY-] =va2lu−es. on different points. dom funoctf fionfrs.omInFaullnco(f!,Lth)e, fmeao∈llo{wning,t}thhaet pwreobhaabvilite execuy is tt∈aedken{thoevoerp}era arationdno$fm chFouicenc(!,L)!. # of f from Funcd(o!m,Lf)u,nmeactionnLets.inIng’stahllalootfowthkeehafaoLettllovesow’sexecuinlomego,kthatpedte sorpTrotmeohbiseaapboisrbilitoptbilisterhayebaissailisttiometicaPnickr$enafco[sπifmpo(mpvXπerFu)h←tua=nudtrcioatbY(n!eena]s,Ldt=inoio)mselectv.2on−clvinhso.ediceLgintahvtem.roanlvindInomallgfrotfmhthFem.eunfocllo(",w"In)inrga,taherll tohafnthe following, Exampof f fromleFu3.3nc(!,LLet), mea’s dninogsothmeat wsimpe havPelerexecu[fpr(oXtedb1a)tbh=iliste opYeric1atcoiofn(mpXf 2u)tF←=autniocY(!n2,L]s$).t=o u2n−derst. and ran- of f from Fu!nc(!,L), meaningLtthheaptrwobeahbailitveyfexecurisomtaPkterenedmot("hv)ere. oHa←poerrwaevantdioeronm, tfhcehosimilaiceFunocfr(itπ!y,Lfvr)oa.mnishPesermw(h"en), meamorneinthgatnhoantewpeoint is to Example 3.3 1.Let’sFixdoXsome! 0simp, 1 leanpdroYbabilistL0,ic1Thcois.mpisThutenhtaet:saionmes toasuifndπ|erhstadanbdeenranselect- ed←at random from Func(",") rather than Exampdolem1.3.3fuFnLetixctX’siodnos.so0,me1In∈! {simpanlld}oleYtfhptrehobep0a,bfr∈1Loilistollo{b.icawTb}coinhilitenmpg:,yutthaisteiotnpasrkotboeenbucoanbndosidiliterversteryedan.isad rtra$ank-nendoomverchaoicerandoofmπ cfhroicem Perm("), meaning that we dom fu1.nctioFnixs. XIn allT0o,fh1teheaafbonllodovwYeingis, t0ha, e1! copr.onbTadhbfitrenilitoiohm:ayvnPiseaerexecutLlamkp(en"r)ted.oobHvteroahwebaevoLilitrpaerern,adyto,iohmenasimilacnπhdoicePsaerritysmy("v)at. nhishatesevwhenen moif rwe ethknan onwe ptohinet isvatolue ∈∈{{1.} }Fix X ∈0∈{, 1{ }an}d YPr [f0(,X1 ) =. TYh]en=: 2− . ←$ $ dom functions. In all of the followin∈g{, the} probabilit∈ {y is }taken ovLer a ra$n! dom choice! L of f ofrfomf Ffurnocm(!,LF)u, meanc(n!in,Lg)t,hameathwaevnheainveexecugPexecurt[hf(aXtted)1.edw=tehFYethix]hoa=pXever,2.eL2Yoa−texecupioFernix.0f,Xa11t,tioX.edFT2nuhnentcπ(h0!:,,Le1 )o.paPnererd Yam1t,ioY(2"n).f0, 1perm,Faundncassu(utation!,Lme )X.1 = X2. Then of f on X , itPsf-randomr v[fa(Xlub)ee=cooYnP]sidr=a[fer2(Xd−edi)ff.=. erYen] function=t$2 pL o. int X is equally likely to be any L-bit of f from Func(!,L),Nmeaoticenintghatht atthwe1eprhoabvaebexecuility dtedoesnth’te odpeperenatdio∈no{nf !←.} −NFuon∈rc{(d!o,L←es}).it2depend ∈on{ th←}e l = L % ! ← Pr [π(X)L= Y ] = 2 ! . 1 NNotoiceticet!htahtatthteheprporboabbaLilitbility ydodesn2.oesn’tF’tdixepdXenep1den, Xod2no!n. 0!N,.!1orNodaronesddoYites1,dYitep2 denepd0en,o1nd to,hnaentdheassu− me X1 = X2. ifTYh1en= Y2 1. Fix X 0, 1 vaastlundresinYoNgf oX.t!,0Y, 1.t1.ha.t TthFeenpix:robXab,ilitYLy doesn0’t,d1epen.d Tonh!en. PN:ro[πr(Xdoes) =itYdepπ(enXd)o=n Yth]e= 2! 1 % 1. Fix1.X F∈ixv0{a,lu1Xes!}aonfdXY0,,Y1∈. 0{, 1an}Ld. TYhen: 0, 1 . Then∈ {: } ∈1{ }1 2 2  % values of X, Y . values of X, Y . L ∈This{is the}same as if π had been select| ed at rand1om from0 F−unc(",if")Yra=therY than ∈ { } ∈ { ∈ }{ P}r [f(X! )∈={Y ] = 2}− . L  1 2 2. Fix X1, X2 0, 1 and Y1,!Y2 L f0r,o1m P,eramn(d")a. ssuHoLwmeeverLX,1th=e Xsimila2. Tritheny vanishes! when moif rYe1t=h!anY2one point is to 3. Fix X ,∈!PX!r{[f(X} ) =0,Y1!] =P2ar−∈nL[fd{.L(XY}) =Pr [YT0Lπh(,]eX1=a1b)o=2v.e−YisT1 ah.πco# en(nXdP2:it)ior=n[aπYl 2p(]rXo=ba)bilit=2y,Yan1]d=says2t−h%at .if we know the value of π No2.t2.ice FtFhixaixtXXt1h,1eX, Xp2r2.2oba0bF,ilit0ix11, 1Xy 1ad,noX2adesnn2dY’t1Y, Y10d,,2epY12enad0n,do10n,Y11!,.Yab2,neNdacoonrand0ssudsid,oa1esssuermeed,itmea.Xndd1epX=aenssu1X=dme2L.|XonTX2.ht1henT=ehXen2. Then −  ∈∈{ { } } ∈∈ P{r [f∈}(X{∈}1{) =} Y}1 f∈(X{∈2){}= Y2]}=# 2# − . # 0 if Y1 = Y2 Notice that the probability doesn’t depend on !. Nor doesonitXd1ep, itenLs vdaluoenotnLhae different point X2 is equally likely to be any L-bit string values of X, Y . Pr [f(X )|= Y f(X ) =L Y !] = 2− . L ! Notice that the PprPr[orf[b(fXa(1XbT)ilit1=h) =isYy1Yisd1fo(2.tXfesnh(21Xe)F2=ix’tsa) XY=1dme21],epYX2=]2oenat2h=2serd−0if,2t1ho−.aπ2nna.hπn!(d.aXdY)1N.,bYoS2eenor tdh0ero,selecte1esar,e2itaL2ndeddaep1ssucaenhmetoicesdrXa1onfo=nrdXπot(2mXh. Te)h,fenraoll mequaFllyunlikcely(",,if") rather than values of X, Y . The above is a conditional p|rTohb| eabailitboyv,eaisn|da saco∈ysn{dtithioa}tnaevl enpro1ifbawbeilit∈kn{y,owa2n}−tdhesavysa−lutifheatXif1w=e %knXow2 t2he value of π ! The above is a conLditional probability, Yan1 d=saY2ys. that even if we know the valu1e 2. Fix Xv1T,aXThluh2eeesababoo0vof,fev1feisXoisan,naYcoXdcon.1Yd,n1it,itdYioits2niovaPnlluarp0elr,[po1fobrno(aXba, ailitadb1noiilit)dffyn,era=yaXssuen,n1daY,tmenitsapdsoayssaXinvna1ystdluh=Xaetft2Xhoeva(nis%2tX.enaequevT2dhenif)ienffaw=erllyifeenwknYlikteo]pelyknwo=inotthtwoeXbtvh2eaeluisavneequayluLea-bllyitlikely t# o be any L-bit string ! frLom Perm("). However, the similaritLy va!nishesif Y1w=hYen2 more than one point is to 2. Fix X1, X2 ∈0{, 1 }andofYf1,oYn2 X∈1,{0it, 1s v}a,luaenodnaassudimefferenXt1 p=# oinXtP2.rX[Tπ2 (hisXen1equ) =aYlly1 likπ! (!Xely!2)t=o2Yb−2e] a=nyLL2if-bitX1 1 = X% 2 oof ff∈fo{nonstXr}X1in,1g,itP. sitr [svfa(vluXalue)eo=∈no{nYa adifff}d(eriXffener)ten=optYohpiner]otint=Xhta2Xn2is2π3.L(equ#is.XF1equaix).llyXaS1llyolik, Xtelyh2likerelyeto0a,rb1te|oe 2abaneydaY1Lny-bchitLo0-bices, 1it f.oTrh−πen(X: 2), all equally likely, if string1. 1 2 2 − ∈ { } − ∈ { } 0 if Y1 = Y2 string. ! |be consideredL. L  2. FixstrinXg1. , XP2r [f(X01,)1= Y1a!nfd(XY2)1=,YY122=] Y=2L.02−, 1 . , and assume X1 = X2. Then 0 if X1 = X2 The above3.is aFcoixndXit1∈io, Xn{a2l pro0}b,a1bilit| ayn,danY!d !says0% ,∈t1hTa{th.eevTaenbhLoen}vife: wiseakncoLonwdittioPhnrea[πvla(pXluro1eb) a=bilitY # ay,ndanπd(Xsa2ys) =thYat] =if we know the v% alue of π 4. Fix3. XFix1,X∈X1{, X2 2 } 00, 1, 1 a∈nd{aYnd} Y0, 1 . T0h,en1!!: . Then: L  L ! The above is a conditional p!ro!babilit∈ {y, an3.}d saLFysixL tXh∈a1t{, Xev2en} if0w, 1e knaonwd tYhe va0lu, 1e L. Then: $ 2− if X1 = X2 of 3.f3.onFFXixix1X, Xit1,s1X,vX2alu2 e o0n,01,a1daiffna2.erdn∈endPY tYr{Fp[foix0in(,Xt10}X,X1)2.1,Tis=.XhequTenYo2hn:enaXlly:1f∈, (likit0X{s,elyv1a)luteo=}oban2YeLnaadd]niyffYer=L1en-b,titY2p−2oint.X20is, 1equally, aliknelyd tao ssube anmey L-bXit 1str=ingX2. Then ∈∈{ { } } ∈ ∈{ { }1} 1 ∈ { 2 } 2− 2 2ifL∈X{1 =}X2! of f on X1, its value on a different point X2 is equotah∈llyer t{likhaelynTπh(is}tXoisb).teruS2ae−onbytecahLerifu-beseXaitra1e =p2∈erXm2{u1tacthiooicesn}canfornevπ(erXma), palldistequinactllyXlik1 aelyn% d, ifX2 to the string. Pr [f(X1) = Y and f(X2) =| Y ] =2L 2L 1 L # 0 if X2 = X Pr [f(X1) = Y and f(X22)−=2Y ] =if XLif1 X=L2X−=2 X if# X−1 = X2 1 2 string. Y1 = YP2.r [saπ−(!meX2p)−o=in2tY. 1ifanXdif1π=X2(XX=2) X= Y ] = % 1 The aboveP! Pris[rf[(afX(coX1)1=n) d=YitYaionLadnnafdl(fXp(2Xr)o2=b) a=Yb]Y=ilit] =y, and 1sa!ys#−th# at ev1 en2 if2 we know! the value 3. Fix X , X 0, 1 and Y 0, 1 . Then: % L L # $ 2− if X1 = X2 if Y1 = Y2 1 2 ! !2− 2− if Xif1! X=1X=2 X!2 L ! ! L ∈ { !} ∈P{r [f!}L(X1!) 3.f(XFLix2)XP1=4.rL, X[πY2Fix(]XX=0,11,)X2=an0dY0Y,11 πa0ifn(,d1XXY2.1)Th=0en, 1:XY.22T]ha=enn:d Y2= 01 % 3. Fix X1,oXf2 f4.o0n,F1ixX4.X1an1,,dFXitixY2sXv1a,0Xlu, 21e o.a0nT,d1haenY ad:nidff0Yer, 1en0.t,T1phoen.inT: th∈en{X: 2}is∈equ{ ∈}ally{ }lik∈ely{ t}o be any L-bit ∈ { } ∈⊕T{his is}2tLrue because a permutation can never map distinct X# 1−and X2 to the ∈ { } ∈! !{ }∈ { } L L 2∈−{ }if X1 = X2  | 1 L ! 4.4. FFixixXPXr1,[1fX,(X2X21) =0,0Y1, 1anadnadfn(dYXY2) =0,Y10],=1. T.hTen2hL:en: L # L  0 ififXX011==XX22 and ifY =Y01 = Y2 string. ∈ { } ∈ { } same2−pLoint2if.−X12=if−PXr [π12if(=XXX1) =21XY 2and ifπ(XX)1==Y ] X= 22!an1dY =% 0 ∈ { } ∈ { }! 2− if X1 = X2 1 2  ! % % Pr [f(X1) = Y and f(X2) = Y ] = L # # # $ 2− if X1 = X2 ! Pr [f(X ) f(X2)−=LYLif] =X1 =0 X2! if X = X and!Y =L 0L  0 if X1 = X2 and Y = 0 Pr [f(X!1) Tf(1hX4.)a=Fb!ixYo22]Xv−=2e1−,XisL20ifaifXXco101,=if1n=XdX12aitn=2PiodrX1[Ynπ2(aXaln12)dp0,Yr1πo(=Xb. 2a0T)b=hilitenY :] =y,and says t% hat if we know the value of π ! ⊕L ⊕   # L  ⊕l # #   ! 4. F3.ix XF1,ixX2 X10,,PX1r2[fa(nXd )Y0, 1f(0X, 1a)n=.dYTYh] en= : 0, T1his is.∈tT{ruheen#b}eca: use a p∈er{mLuta}LtionLcanL never ma0 p distifinXct1X=1Xa2ndanXd 2Yto=t0he 5. SPurp[fp(oX1se) l f(2XL) =anYd] =let0 τ:if1X0,1 1=1ifXX2 1aifn=XdX1Y0=2 ,=aX1n20daYnd=Yen0=o0te the function that on% input ∈ { !} ∈ { 1⊕∈ {} }L2 ∈{ 0sa}me pifoinXt1. = X2 and# Y = 0 1 ! ! 4. Fix X1, X2 0, 1 and Y ⊕0,≤L1 .oTnhenXL:1, its va{lue }on →a d{ifferen}# L t point Xif2X1is1 =equX2ifaXnlly1d=YXlik=2 a0elynd Y!t=o0 be any L-bit string ∈ { } ∈ { } 2− if1X1 =XifL 2X1 = X2l and Y =20L L !  16 Y 5. Sup0p,o1se l rLetanudrnlets τt:hLe01,# 1firstifXl01,b1=itXsden2o!aoftne2dYt−hY.e =fuFn0ctixifionX2d! tist1h!a=1tinonXctin2pXut% 1, X2 % 0, 1 , Y1 5. Suppose l L an≤d letotτh:Ler0,t1h4.{anFix}πX0(→,1X1, X{2Ind)en.t}h0oeS,tca1eoLsethateXnhdferu=YncteXioaa0nnr, 1dethYa.2t=−Toh0nen! tin:h1ispuiscthcoompicesuted afsofrolloπw(s:!X ), all equally likely, if Pr [f(X1) ∈Pf(r{XL[≤2f)(=X}Y1])L==Y20− a{nifdifX}Xf1l1(=→X=XX{22)2 =a}n1dY∈Y]{= 0} 1 ∈2{  }0 # !if X1 = X2 and∈Y {= 0 }2 ∈ 0, 1Y La0n,d1 ZreturnLs 0th,e1first.# lTPbrith[sπen(oXf :Y1). Fπix(Xdist2) in=ct% YLX] =1, X2 % 0,!1 , Y1 % 5. SupposeYl ⊕L0,a1n∈d {letLretuτ}r:ns20t,h1e firLstl l 0b,it1s odflenY o. teFixthed# istfunLinctctionX1t,hXat2 on in∈0p,{1ut1−,}Y1 ∈ ! 5. PSru[pfp(Xose) l f(LXa)n=d Ylet] =τ:00, 1 if X 0=, 1X daenndotYe⊕=th0e!LfPurn[2πct−(Xion) thπaif(tXXo)n=1inY=p]uXt if2 X = X and Y = 01 1{∈≤L {L }02}, 1 and Z{2Y∈1l}10={, 1→Yif.{2TX}.1h1en}=: X22 and Y = 0 1 ∈! {02 !} if X∈1 1= X22and Y = 0 Y 0, 10,⊕1≤Lret{aunrdn}sZt2he fi0r,st1{∈l .{bTit}hs}eno→f: Y{. F}ix distinct# X1, X2 0⊕, 1 , Y!12 1 l % %% Y∈ { {0,}1 } returns ∈th{e fir}st l% bits of Y . Fix distinct LX1, X∈2{ l }0, 1 , ∈Y−1 ! L l 1 PrP[ifτ(rXf[(1τX=(2)f)X(=2XZan2d)f)Y(X==1)Z0=2Y1]f=(2X− 1.) =1Y01] =if2ifX−X1 1=.=XX22aanndd YY = 0 5. Suppose0l, 1∈ L{Laanndd}Zlet2 τ: 0,01, 1.!LlTPhenr [τ:0(,f1(Xl d)en) =oteZthLeff(uXPn|rct)[πio=(Xn!Y1t)h]a=tπ2o(Xnl2in). =p∈uYt{]= } L ∈ % 4. F{ix0,X}1 1,aXnd2 Z2∈ {0,01,}13..aTnFhdenixY: X21,0X, 12 2 . T01,h1en:1a⊕n|d−Y 0, 1 . Then: ! ≤L { }L → { }l | l ! !   0 if X1 = X2 and Y = 0 Y 0,{1 }returns t∈he{∈fir{st l}}bitsof Y . ∈FInix{tdhiste cain}sect X1 ,=X2X2 an0d, 1Y =, Y01 this is computed as follows: 5. Suppose l L and let τ: 0P,r1[τ(f(X20),)1= Zd2enfot(eXt1h)∈e=f{uYn1ct] =io}n2−th.atl on inp∈ut { } % ! ∈ {L ≤L} l { P}r [τ→(f({X2)}) = Z| 2 f(X1) = %Y1L] =∈ 2{− .}! % ∈ 1 if X1 = X2 and Y = 0 Y 0, 10, 1andrZet2urns0,th1e .firTsthenl :bits of Y . Fix distinct X12, X2 if0,X1 , =Y1 X  { } ∈ { } | Pr [π(X−1) π(X2)1= Y ] 2  0 if X1 = X2 ∈ {L } l ∈ { } # ∈ !  0, 1 and Z2 0, 1Pr [.τT(fh(enX:)) = Z f(X ) = Y In] =tPh2ercal [.seπ(XX1⊕=1)X2=anYd Y a=n0dthπis(isXco2mp) =utedYLa]s =follows: % { } ∈ { Pr}[f(X12) f(2X2) 1= Y ]1 = − 0 % if X =% X and Y = 0 ! | l 1 2 $ 2 if X = X Pr [τ(f(X )) =⊕Z f(X ) = Y ] = 2 . Pr [π(X1) π(X2) = Y ] − 1 2 2 2 1 1 − ⊕ # L |  1 if X1 = X2 and Y = 0 This is true because a permutation can never map distinct X1 and X2 to the  5. Suppose l L and letsaτ:me0p, 1oinLt.  0, 1 l denote the function that on input ≤L { } → { } ! Y 0, 1 returns the first l bits of Y . F! ix distinct X1, X!2 0, 1 , Y1 ∈ {L } 4. Fl ix X1, X2 0, 1 and Y 0, 1 . T∈h{en: } ∈ 0, 1 and Z2 0, 1 . Then: ∈ { } ∈ { } { } ∈ { } 1 l ! Pr [τ(f(X )) = Z f(X ) = Y ] = 2− . if X1 = X2 and Y = 0 2 2 | 1 1 2! 1 % %  − !  0 if X1 = X2 and Y = 0 Pr [π(X1) π(X2) = Y ] =  % ⊕  !  0 if X1 = X2 and Y = 0 % ! 1 if X1 = X2 and Y = 0   In the case X = X and Y = 0! this is computed as follows: 1 % 2 %  Pr [π(X ) π(X ) = Y ] 1 ⊕ 2 Pseudorandom functions (PRFs)

• Informally, a function family F is a PRF if the input-output behavior of its random instance is computationally indistinguishable from that of a random function.

17

Bellare and Rogaway 9 Bellare and RogawayBellare and Rogaway PRFs 9 9 • Def. Fix a function family F: Keys(F) × Dom(F) → Range(F)

prfE-xp1 eriment Expprf-1(A) prfExp-0 eriment Expprf-0(A) Bellare an•d RoExperimentgEaxpwaeryiment ExpFprf-1(A) ExperimenF t ExpExperimentF (Aprf) -0 F 9 $ $ ExperKimen$ t ExpF K(A) Egxp$ erFuimennc(Dt,RE) xpg F Fun(Ac(D) ,R) $← K $← KF ← $ ←$ g • KKb $ KAeFys(F)K b A K b $gAg Func(Dg ,b R )Func(Dom(F),Range(F))A $←← K ← ← ←$ ← b RetAurFnKb Return b Retburn bAg Return b ←The prf-advantage of A is defined←as The prf-advan• tageRetofuArnis bd↔efinedFKas Return b ↔ g prf prf 1 prf 0 prf prf 1 prf-1 - prf 0 prf-0- AdvF (A-) = Pr ExpF (A) =- 1 Pr ExpF (A) = 1 . The prf-advanAdtagevF (oAEf)xpA=eris imenAdPefir nEtedxpbEFaxps (FA) =(A1 ) PEr xpExperFimen(At−) =EA1xp.F b (A) • $→ !− $ " !→ " prf It shKould b!e notedprfth1at the f"amily !F isg public.FuprfnTch(0eDa",dRver)sary A, and anyone else, It shoAduld vbe n(oAted) th=at thPerfaEmilyxpF is- (pAub)lic.= 1The aPdvrerEsaxpry A, a-n(dAa)ny=on1e else,. F Returnknows$ ←tbheKdescripFtion of the family and←is$ caReturnpFable, bgiven values K, X, of comput- knows the descriptionbof thAe FfaKmily and is capable,−givenb valuAesg K, X, of comput- ing F (K, X! ). " ! " ing F (K, X). ← ← It should be noted thatRTtetheeuwfroanrmilyldbs areFcapistupredubblic.y whTathweeRacaetdllvuexerrnpsaerbrimyenAts., aTnhde fiarnstyexponeerelse,iment picks The worlds are captured by what we call experiments. The first experiment picks knows the descriptiona roafndtohme infastmilyance FandofisfamilycapaFble,andgtivhenenruvnasluadesverKsa,ryXA, wofithcoompracleutg-= F . Taheraprndof-advanm instantagece F ooffAfamilyis dFefianneddKthaens runs adversary A with oracle g = F . K ing F (K, X). The prf-advantageAKdversary A inofter anact sadvwitersarh its oyr aAcle, isquerying it and getting Kback answers, and Adversary A interacts with its oracle, querying it and getting back answers, and The worlds areprfcapevtenurteduallybyouwtphuatts aw“egprfucaess”ll-1exbitp.erTihme enexpts.erimenThterfietrustrprfnexps -t0heersaimenme bitt.pTichkse second eventuallyAdoutpvuFts (expaA“g)eruimeness”= tbpitPic.rksThEaerxpexpandFeromimenfu(nActt )rioet=nugr1:nsDthePsaRrmeanEdbxpritu.nFsTAhewseco(itAh)tnhd=is a1s or.acle, again a ranexpdomerimeninsttapnicceks Fa KranodfomfamilyfunctioFn ga:nDd thenR arnudnrsunasdAv−erw→itsahrtyhisAaswoitrahcle,oragcleaing = FK . F is a rsecureeturning A PRF’s gu!ess ifb itfor.→E aanch expy adverimen"ersaryt has a! cer withtain p r“reasonable”obability of"returnin g 1. AdvIterretshsaurorynuinldAg Abin’setergnuoaesstctedTsbhitewt.hpitErahotabcaitthbhsilitexpeoyfreraaismilycle,imentakentquFhoaervsiseryina tpcerhugebtraitalic.inndaponmrTdobhcaghebetoiliticesatdinyvmagoerf bdrsaeteacruinkyrntinaAhneg,swexp1a.nererds,imenaannytd.onTehuelse,s, evenkntTuohawellysprtohbuaetresourcesbpdilituescrtys isaipt“foagtrkiouentess”hn eoitsvofierrfstb titprfthexph.eT-rerfaaadvhnimenmilyedoexpmtantage, cterahhnoeimenicesdprisobma tacaisbrdilitet pe“small”ayuinbrisnle,thsoevterghexpivet.hensaereimenmechvoaicelubt.itesoT.fhTKus,h,aenXsecod,anoyfndrcoanmpdomut- expinerfgoimenrFth(eKt fip,ricXstks)exp.aerraimencnhdooicestm, thtfhueanptctrAoiobmiganbilitgh:tymaDiskoe,verfoRrtAhaenisdcharollouicenwsedoAf tKowbitaenhadtrahnisydoarmizedasnodroamcle,algoraitgham.inIn the choices that A mighsecot mandke,expfoerrimenA ist,allothewedpr→otboabbilite ay risanodvoermizedthe raanlgdormithchm.oiceInofthgeand any random returning A’s guess bit. Each experiment has a certain probability of returning 1. secoTnhdeexpwoerrldimens atr,cethhocaeicespprtotubharbedtilitAbymayiskwes.ovheraTtthhweseeeratcawndollopmexrocbphaerobiceilitimiesoenf gshts.aonudldTabhneyeevrfiaarnlustdaotmexped seperaimenrately;t pthice ks 18 Thea pcrhraoonicesbdaobmtilithaintyAstismaatnakcetkes.wenoFTexpKohveseeroerimenf tftwahomilyetspraaorebnaFcodboilitmpmaniesletdchelyshtohicesodenuildfferrbmaenuentev.dseaaluindavtederthsaeseprexpayraAterely;imenwitthheto. rTaclehus,g = FK . for AthtdwevoerfiexprsasterryexpimenAertinsimenatrere coatT,ctmpotshseeletewelyitphrohowdbiitffwaersbellenilitoAtr.aydcle,oisesoaquvterderettyinerhemingchinitogicewanhicodhf gKwetortaldinnditg isabnainyc,krwaaenndloswoomkerats,thaend choevicesentThuoaseetllyAhomigouwtpwhuellttdsmaiffAaerkden“e,ogceesufess”oinart tAdhetebiserpitrmino.ablloTabinhwilitgeedieswexphtictohherabtwimenetohareldrtwatitnordisexpetomizedinuerr,nimenwsetlothaseolgrketsaoarutmeitrnhth1m.e.bitIfIn.ATtishedosecoing and seconddiffexperenerceimenin thte, ptrhgooeboadpbrilitjobiesaabttilitthellinatytgishewothvwiceroh expwthoreerldrimenaitnisdtosinmr,etitcuhrwnooiceu1ld. IforetfAugrnisan1ddomoinagrneyaofrtaenndinomthe first expgooerdimenjob at ptellinicksgexpawhrericaimennh dwootmrldthfauitnniniscttinhioe,nsecoitgw:noduD.ldSoretthuRerdnaiff1nerdmoenrceruenisosfatAenmeawinsuittrhheeotfhfihrisostwawsellorAacle,is doinagga. in choices that A makes.WeTcahllesethistwmeao psurroebtahbe ilitprf-aiesdv→ashntoaugeldofbAe. evThainlukaotfedit aseps thaerpartoely;babilitthyethat A BellarreetexpuarernimendingRotAtgh’saawnginauyessthe secobit.ndE. aSochtheexpdiffererenimence istahmeaas suarecerofthaoinw wpellroAbaisbdilitoinyg. of returning 1. 9 twoTexpWhee ercaprimenllotbhaisbtsmeailitarysue risco“ebrtmpteahaeks”kletpenrft-aelyhodevscadernhifftemeatergheeneFof,rta.wAnit. dhTo“hmbinreakck”ohfoitinicestaers pthrmaete edpdroinebaainbspilittecifiyhethc,expattecAhernicaimenl waty. baTsedhus, T“obrseeeaks”hotwhe scwhellemeoAnFtd,hoewesditefih an“titbriodeanet.k”erinminterpinretgedwPRFsinhicahspwecifiorc,ldtecithnisicainl ,wawyebalosedok at the for the first experiment, the probability is over the choice of K and any random differoenn cetheindefitnhiteiopnr.obabDilitifferiesentthadavtertsahreiestwoill exphaveerdiimenfferentsadrvetanutranges.1.ThIfereAarise twdo inreagsoans why choices th•atDefA mig. oFixnehat davmaer functionsakre,y mafoyr aAch ievisfamilyeaallogrwea edtFer:at doKvaeys(F)bnetagae rthaan n×daon mizedoDom(F)ther. Oanelgis o→rthita htRm.itange(F)is moInrethe good jobDiaffterentellint adgverwsahricieshwwillohrldaveitdiffiserinen,t aitdvwanotuagldes.retThuerrne a1remotworereaosoftnens winhythe first secoonenaddvexpersarery imenmay “atclevc,hievterhee”ainpgrrtoeahbetaerqubestailitdvioaynstisaitgoeavskstheranatnahdneotthrheaernw.daOyonmitepiscrohtcesseshoaicet it toishfemogrepraeliesnd taondyeterraminndeom exper“imenclevert”tinh•atnheinqutesthitesiosecoonustpitnutda.sks. TShoaentodhtheterhdeiiswffaersimpyenitlyceprtoishcessesataitmeaatskshsue morreperliesoe fquhtestowdioetwners,ellminorAspeisenddos inmogr.e time choices that A maprkocessines. Tghthesee reptwlies.o pInrdoeedba,bwilite expiesectshthoautldas baneaevdvaerlusaarytedseessepmoraerantdely;morethe We caitlls otuhtisputmea. Thsue roethterheispsimprf-alydvtahnattaitgprfeaskso-f1Amo. rTe hquinestk ioofns,itoarsspthenedsprmoobraeprfbtilitime-0y that A two experimenEtxps inaerrpeutimenco-oumptputtletexaEelyxpmplesdiffoferg,(enoArt)sp. endEs xpmorere coimenmputintgEtime,xpits abilit(Ay t)o tell which “breapks”rocessintheg•scthheemereplies.F , Inwditeedh “, bwreeaexpk”ectFintheratpraets aedn aindverasaspryecifiseesc,motecrehannicad Fmol wreay based world $it is in should go up. $ inpTuot-oseeutputhexaowmpwKlesellofAg, dorospesenadts modetreercominmpuintingg twime,hgiciths waFboiliturldnyct(oitDtellis,Rwin)hic,hwe look at the on the definition. The “security” of family F as a pseudorandom function must thus be thought world it is in should go$←up. KF ←$ g dDiffiffererenencet •adinverthsaeroiesbpf raoswbdaepillAbenilithKdainvieseg odntiffhtheraetenresotthueardcestvwaoanllotexpawgedes.erbtoimenTtheerAatetsaacrketeer.tuwWrnoe rma1ea. ysoIfwnasnAtwtisohywdanotintog a goodThjoeb“secuat rtitelliny” ofg←fawmilyhichF wasoarldpseuitdoisranindo,mitfuwnctouioldn ←mruetstutrhnus1bemothroeugohtften in the first one adversary may acknhRievoetw,eufoarrnganrbeay gtiverenardesovaunrcetaglimite thataionns,anRwohettahteruisr.tnhOebnperf-aisdtvahnattagite aischmoievedreby the of as depen• ding on mothestreso“clevurerces” aadlloverwsaedrytoamothengastttaacllkerth.oseWewmaho yarwe arnestt rticto wedanttottohe given resource “clevexpkner”oerwinimen, fotrhaetnytquhgaivestnenioinresontshuitercesecoaskslimitnadtn.iodSns,othtwehhewatadisyifftiterhepenprrocef-acessesdisvaantmeaatgheeasucrhepievreliesedofbhtyootwhdeetwerellminA eis doing. TheWprefca-advanll thistagemeasulimitofreAs.thise pdrefif-andedvanatasge of A. Think of it as the probability that A its oumotpstut“.clevTThehere” oa dtprf-advantagehverersaisrTyhsimpaemochnolygicest oftaohllf aanrtesoh oitadvseuraceswsksersarhotoamorcoeyn rAsideste isquerrictestcaedniotvoanrts,yh.eoOgrivnspeenrenesoresodusrucermoceofrine tterimeest is the limits. pro“cessinbreaks”g thethreprfepsclies.hemetime-coIndFeedmp, wlexit, itwhey “exptborfeaectA.prfk”tAh-nin1aottheraerspraresoetn uedardcevinerofsaainrtspyerestecifiseesisc,mothprfteecrn-eu0hmannbicader moolfwquraeyeriesbaqsed inpuotn-otuhTtehpAdeudtcefihexaovniceFitmpioo(fnAlesr.eso) oufr=cesg, otroPspcorennsidEdserxpmocaFnrevcoar(ympA. )Oun=teinr1gesotime,urcePoritf sinEatberxpilitestFyistotht(eellA)w=hic1h . time-complexity t of A. Another resource of interest is the−number of queries q world itDisiffinerenshtoualddvergosaurpies. will!have different advan"tages. !There are two reaso"ns why It shoTonhueelda“dsecuvberesaFrnit roisy”yt edmaao fsecureytfahamilyachtievthF eePRFafsagamilyr eaifp seutforerFda odanrisvaanyndp touadvambgelic.futersarynhctaTniohannem owithatuhdsterver.t h“reasonable”OsausnrebyeisAtthh,oaautgnithdtisa nmoyornee else, knofoaw“sclevsdeptherene”ddinescrresourcesgtohneiptquthioeestnresoio oitsnfusrtces hitprfeaaf-skslloaadvmilywaednantagedtoatnhthedewisa atisytcaa itc“small”kperparb.ole,Wcessese.gmaivyenthweavrnaeptlutliesoeswaKtnot,dXteto,erominf coemput- inkngoFitws,(Kfoour,tXapnuy)t..givTenheroesothuerrceislimitsimpatlyionths,awt hitataissksthmoe prfe-aqudvestantioagnes,acohrievspedendbys tmohere time moTstprho“eclevcessinwoerr”ldg atsdhaveerrresaepcarlies.ypatmouInredndgeedstbya,llwtehoaexpset wwectehocatahllraetexraestpserarictnimaeddenvterots.sathreTyghseesiveenfirmorstesorexpueracenerdimenmoret picks limits. a rainndpoumt-ouintpstuatnexacempFKlesoofffga,milyor spFendasnmod trhe encompruuntsinagdtvime,ersaitrsyaAbilitwyittho otellraclewhicgh= FK . wTohreldchitoiceis inofshresoouldurcesgo utop.consider can vary. One resource of interest is the Atdime-coversamprylexitA yintterofaAct.s Awnitothheritsresooruarcle,ce ofquintereryinest gis ittheanndumgbetertinof gquberaiesck qanswers, and The “security” of family F as a pseudorandom function must thus be thought 19 eventually outputs a “guess” bit. The experiment returns the same bit. The second of as depending on the resources allowed to the attacker. We may want to want to experiment picks a random function g: D R and runs A with this as oracle, again know, for any given resource limitations, wh→at is the prf-advantage achieved by the retumorninstg“clevA’serg”uaessdverbsait.ryEaamochngexpst aerll imenthosetwhhaosaarecerresttraictinedprtoobtahbeilitgivyenofresoretuurcerning 1. Thelimitpros.bability is taken over the random choices made in the experiment. Thus, for theTfihrestchexpoiceeroimenf resotu,rcesthetpo rcoobnasidbiliter ycanis voavryer. tOhnee crhesooiceurceofofKintaernestd aisnythreandom choicestime-cothampt Alexitmigy thtofmaA.ke,RAesourcesnfotrhAer isresoallou rofcewed oanf tino tadverbeestaersaryisratnhdeonmizedumberaolgf oquriterhiesm.qIn the second exper•imenTime-complexitt, the probayb ilitis measuredy is over t hine somerando fixm edch oRAMice o modelf g and ofa ny random choices that Acomputationmakes. These andt wincludeso proba btheilit maximumies should ofbe theeva running-timesluated separat ely; the two experimenofts Aa rine cothemp experiments,letely differen plust. the size of the code for A. To see how well A does at determining which world it is in, we look at the • The number of queries A makes. difference in the probabilities that the two experiments return 1. If A is doing a good job at•tellinThe gtotalwh iclengthh wor ldof allit isqueries.in, it would return 1 more often in the first experiment than in the second. So the difference is a measure of how well A is doing. We call this measure the prf-advantage of A. Think of it as the probability that A “breaks” the scheme F , with “break” interpreted in a specific, technical way based on the definition. Different adversaries will have different advantages. There are two reasons why one adversary may achieve a greater advantage than another. One is that it is more “clever” in the questions it asks and the way it processes the replies to determine its output. The other is simply that it asks more questions, or spends more time processing the replies. Indeed, we expect that as an adversary sees more and more input-output examples of g, or spends more computing time, its ability to tell which world it is in should go up. 20 The “security” of family F as a pseudorandom function must thus be thought of as depending on the resources allowed to the attacker. We may want to want to know, for any given resource limitations, what is the prf-advantage achieved by the most “clever” adversary amongst all those who are restricted to the given resource limits. The choice of resources to consider can vary. One resource of interest is the time-complexity t of A. Another resource of interest is the number of queries q Bellare and Rogaway 11

3.4 Pseudorandom permutations

A family of functions F : D D is a pseudorandom permutation if the input- K × → output behavior of a random instance of the family is “computationally indistin- guishable” from that of a random permutation on D. In this settinPseudorg, there arandome two kin permutationsds of attacks that (PRPs)one can consider. One, as before, is that the adversary gets an oracle for the function g being tested. How- ever wBelhlaen•reInformallyaFnd isRogaawfaymily, a functionof perm ufamilytation Fs, iso nae PRFcan ifalso theco inputnsider-outputthe ca1 1se where the behavior of its random instance is1 computationally adversary gets, in addition, an oracle for g− . We consider these settings in turn. The first isindistinguishablethe setting of ch ofromsen-p thatlain tofext a artandomtacks w permutation.hile the second is the setting of chosen-ciphertext attacks. 3.4 Pseudorandom permutations

3.4.1A familyPRPof fuunctniodners FC: PAD D is a pseudorandom permutation if the input- K × → output behavior of a random instance of the family is “computationally indistin- We fix a family of functions F : D D. (You may want to think = 0, 1 k guishable” from that of a random pKer×mutatio→n on D. K { } and D =In t0h,is1set!,tinsing, cetherthe isareistwthoekinmodsstofcoattmmoacks tnhacat ose.ne caWnecodnosidnerot. maOne,ndaas te that F be { } a familybeforoe,f isperthamt uthteataiodvnerssaarlty hgoetusgahn oargaacleinfotrhtisheisfutnhcteiomon g stbeincogmmotestedn. caHose.)w- As before, ever when F is a family of permutations, one can also consider the case where the we consider an adversary A that is placed1 in a room where it has oracle access to a adversary gets, in addition, an oracle for g− . We consider these settings in turn. functTiohne figrstchisotsenhe setintinognoef ochfotsenwo-plawinays.text attacks while the second is the setting of chosen-ciphertext attacks. World 0: The function g is drawn at random from Perm(D), namely, we choose g according to g $ Perm(D). 3.4.1 PRP←under CPA WorldWe 1:fix aTfhamilye funofctfuionctniognsisFd: rawnDat Dra.n(dYoummafryomwanFt ,tontahmelyink =g 0$, 1F k. (Recall this ! K × → K { } and D = 0, 1 , since this is the most$common case. We do not mandate tha←t F be means that a{ key} is chosen via K and then g is set to FK .) 21 a family of permutations although ag←ainKthis is the most common case.) As before, Noticewetcohnasidt Wer oarnldadv1erissartyhAe tsahamet is pinlacedtheinPaRroFomsetwhtineregit, bhuastoWracleorldaccess0 htaosachanged. As function g chosen in one of two ways. 12 before the task facing the adversary A isPtSoEUdDetORerAminNDOMe inFUwNChicTIhONSworld it was placed basedWoornldth0:e inThpeuftu-onctuiotpn ugtisbdehrawanvioatrraonfdgom. from Perm(D), namely, we choose g according to g $ Perm(D). ← World 1:PRPsThe fu nunderction g is chosen-plaintextdrawn at random from F , n aattacksmely g $ F . (CP(RecaA)ll this Definition 3.7 Let F : D $ D be a family of fu←nctions, and let A be an means thaprpt a-cpakey-1is chosenKvia× K → and then g isprfset-1 to FK .) Expalgeroimenrithtm•ExpDefthFa.t Fixtak aes( Afunction)aisn aoctruaacle llyfamily←idfoenrKta icaF:f ulKntoeys(F)ctEioxpnFg ×: (DDom(F)A). ThDe p ,→roab nDom(F)adbil-returns a bit. We → ity is ocovern12sidthNeerortaicentdwtoohmaexptcWhooericerldimeno1f iskeyths:eKsaamend inalsotheovPerRFthsete cotPininSgEU,tobDssesuORt WANDoofrldAOM0ifFUhthaNCse claThItaONStnerged. As happens to beefroarendthoemizedtask .faTcinhge expthe eradimenversatryretAuisrntsotdhete ersaminmeebinit twhhaicthAwroetrlduritns.waIns placed ExperimentbEasedxpprpon-cpathe-0in(Apu)t,-oauptperutmbuehtaprpatvioio-ncpar go:f-g1D. D is chosen at random,prp-acpand-0 F Experiment ExpF (A→) Experiment ExpF (A) the result bit of A’s computa$tion with oracle g is returned. The$ probability is over Definition 3.7K Let F : D D be a family gof funPcteriomns,(Dan)d let A be an the choice of g and the coinprps o-cpaf A-1 ifKa×ny. A→s before, the measurprfe -o1f how well A did aElgxporeritimenhm thEaxpt t$←FakesKFan(Aor)aiscleactfouraallyfuidnenctiotican lgt:oDExp←F$D,(gAan)d. Tretheuprnrosbaabbil-it. We at telling the two worldbs apaArt, Kwhich we call the prp-cpa-ab→dvanAtage of A, is the ity iscoonvsidererthetwraonexpdo←mercimenhoicets:of key K and also over the coin←tosses of A if the latter differencehabpetpenweens to tbheerapnRrdoetobmizedaubrilitn.iesbThtehexpat terhimene expt reretimenurns ttsheretsaRumeretnbu1it.rnthabt A returns. In prp-cpa-0 ConvenExptioernimens regtaErdxpinExpg reresoimenu(rAcet)E, meaaxppprpersum-rcpauesta-1at(iolsoAn) gr:emaEDxpinerimentDheissatcEmehoxpsenaprps ab-tcpaefrao-0nr(e.dAo)m,Infaonr-d F F → F the result bit of A’s comp$ utation with oracle g is retprpu$r-ncpaed. The probability is over mally,Tahfeamilyprp-cpF isa-advana secuKrtagee PRPofuAndiser dCefiPAnedif AdasvgF Per(mA(D) is) “small” for all the choice of g and th$e←coKins of A if any. As before, t←h$ e measure of how well A did adversaries using a “practicab l”AaFmoK unt of resources. b Ag at telling the two wo←rlds apart, which we call the p←rp-cpa-advantage of A, is the prp-cpa Return b prp-cpa-1 Return b prp-cpa-0 diAdfferenvceF between(At)he p=robaPbilitr iesExpthatFthe exper(imenA) t=s r1eturn 1P.r ExpF (A) = 1 . The prp-cpa-advantage of an adversary A is − 3.4.2 PRPTChoneuvprennp-cptdioerna-advans rCegCarAdtageing resoof Aur!ceis dmeaefinsuedresasalso remain the"same as!before. Infor- " mally, a family F is a secure PRP under CPA if Advprp-cpa(A) is “small” for all We fixTahfaemilyintuofitpioernmuistasimilations Fr: to tDhat Dfo.r(DYoefiu manityiownFan3t.6to. thTinhke d=iffer0en, 1 cek is that here the adversaAdriesvuprpsin-gcpaa(“Ap)ract=icaPl”Kr×aEmoxpu→nprpt o-cpaf reso-1(Aur)ces.= 1 Pr Expprp-cpaK-0(A{) =}1 . and D“id= ea0l”, 1 o!,bsinjectFce thisatisFtheismobeinst cogFmmocompn acarse.ed wTh−itishtime,is nowF elodnogermantdhaetefamily of random { } that Ffubnectaiofanmilys, buoft preratmhuertatiohnes.)fa!milyAs befoofrre,anwdeocomn"sidpererma!untatdiovernsas.ry A that" 3.4T.2he FinP istRPu itaio usecurennisdersimilaC PRPCrAto underthat for CPDefiAn itifio forn 3 .6an. Tyh adve differsaryerence is withthat here the is placed in “aidreaool”m,objuectt ntohwatitFhaiss boeinracleg coaccessmparedtowtwitoh fisunncto iolonns,gerg tahnedfitamilys invoerf serandom 1 We fix a“reasonable”family of permuta resourcestions F : D its prfD. -cpa-(You maadvy wantageant to thin isk “small”= 0, 1 .k g− . The mafunnncterionins, wbuhticrhatgheris tchheosenfamilyisKt×ohferasa→ndmeomapserinmuthtaetioCnPs.A case, aKnd o{nce }g and 1D = 0, 1 !, since this is the most common case. This time, we do mandate is chosen, g− is a{utoma} tically defined, so we do not have to say how it is chosen. that F be a family of permutations.) As before, we consider an adversary A that $ 22 World 0:is Tplahecedfuninctaiornoogm,isbdurtawnonwaitt rhaansdoormaclefroamccessPertmo(tDwo),fnunactmelyions,viag agnd itPs erinmver(Dse). 1 ← (So g is jgu−st. aTrhaenmadomnnerperinmwuhtaicthiognisonchDosen.) is the same as in the CPA case, and once g 1 is chosen, g− is automatically defined, so we do not have to say how it is chosen. World 1: The function g is drawn at random from F , namely g $ F . World 0: The function g is drawn at random from Perm(D), namely← via g $ Perm(D). 1 1 ← In World(1Sowgeisletjugst−a r=anFdKo−m bpeertmhuetaintiovern seonoDf .)the chosen instance, while in World 0 it is the inverse of the chosen random permutation. As before the t$ask facing the World 1: The function g is drawn at random from F , namely g F . adversary A is PRPsto determin undere in whic hchosen-ciphertextworld it was placed based on t h←attackse input-outp u(CCA)t In World 1 we let g 1 = F 1 be the inverse of the chosen instance, while in World 0 behavior o•f itSinces oracles. an in−verseK− function is defined for each instance, we can it is alsothe in considerverse of the thechosen caseran dwhenom per manut aadvtion.ersaryAs befo rgets,e the t ainsk addition,facing the an adversary A is to determine in which world it was placed based on the input-output Definition 3.8 Let F : -1D D be a family of permutations, and let A be an behaorvioacler of it fors or aKgcles.× → algorithm that takes an oracle for a function g: D D, and also an oracle for the • 1Def. Fix a permutation family F: →Keys(F) × Dom(F) →Dom(F) function Dg−efi:nitionD 3.8D, aLetnd Fret: urnsDa bitD. Wbee acofanmilysideroftwpero mexputaertioimenns, atns:d let A be an Bellare and Rogaw→ay K × → 13 algorithm that takes anprpor-ccaacle-1for a function g: D D,prpan-dccaalso-0 an oracle for the Experimen1 t Exp (A) Experiment →Exp (A) function g− : D D,Fand returns a bit. We consider twFo experiments: K $ → g $ Perm(D) ← K 1 prp-cca-1 1 prp-cca-0 $ ExpF er,Fimen− t Exp (A) E←xp$ ergimen,g t Exp (A) b A K K F b A − F ← $ ← $ ReturnKb Retugrn bPerm(D) $← KF ,F 1 ←$ g,g 1 b A K K− b A − ← ← Return b Return b ConTvhene prtp-cionca-advans regartagedinogf Aresois duefircenedmeaas sures also remain the same as before. However, TheTheprp-c prp-cca-advantageca-advantage of A is ofd efiann adved aersars y A is we willAdbevprpin-tccaer(estA) ed= inPsor Emexpprpad-ccadit-1io(An)a=l r1esoPur ceExppaprpra-ccamet-0(Aer)s.= 1Sp.ecifically, since there F F − F are now two oAdravcles,prp-cca(wA)e ca=! nPrcoEuxpntprpsep-cca-1a(rAa)"t=ely1 t!hPre Enxpumprpb-ccaer-0o(Af)qu= "1eries,. and total length F F − F The intuition is similar to that fo!r Definition 3.6. T" he di!fference is that her"e the of these queries, for each. As usual, informally, a family F is a secu1 re PRP under adversaryTheasprpinmotuitccarioenpisowsimilaer: nrottoonthlyatcafonr Ditefiquniterioyng3,.6b.uTt hite cadiffnerdenirceectislythquaterhyerge −th.e - 1 CCA if Adad•verFFsa isry ah asecures(moA)reisp oPRPw“ersma: undernotll”onlyf oCCAcarnaitll ifqu aforerdyv geran, bsayu tradvitiescaersarynudsinirectg lywithaqu“erp yrga−ct.ical” amount of resources. “reasonable” resources its prf-cca-advantage is “small”. 23 3.4.3 Relations between the notions 1 If an adversary does not query g− the oracle might as well not be there, and the adversary is effectively mounting a chosen-plaintext attack. Thus we have the following: PRP-CCA ⇒ PRP-CPA

Proposition 3.9Theorem.[PRP-C LetC FA:Keysimp×liesD→D PRbe aP-C permutationPA] Let familyF : . ThenD D be a • K × → family of permutforat ioannys advandersarylet A Ab thate a runs(PR Pin-C timePA ta andttac kinmakges) aqd vchosen-ersary. Suppose that A runs in timeplaintextt, asks queriesq quer ies,thesean totallingd these quμ bitseries theretota lexistsµ bit s.anT hen there exists adversary B that also runs in time t and makes q chosen- a (PRP-CCA attplaintextacking) queriesadversa thesery B totallingthat ru nμs bitsin tandime not, chosen-asks q chosen-plaintext queries, these quciphertexteries tota linqueriesg µ b itsuchs, a nthatd asks no chosen-ciphertext queries, where

Advprp-cca(B) Advprp-cpa(A) . F ≥ F Though the technical result is easy, it is worth stepping back to explain its inter- pretation. The theorem says that if you have an adversary A that breaks F in the PRP-CPA sense, then you have some other adversary B breaks F in the PRP-CCA sense. Furthermore, the adversary B will be just as efficient as the adversary A was. As a consequence, if you think there is no reasonable adversary B that breaks F in the PRP-CCA sense, then you have no choice but to believe that there is no reasonable adversary A that breaks F in the PRP-CPA sense. The inexistence of a reasonable adversary B that breaks F in the PRP-CCA sense means that F is PR24P- CCA secure, while the inexistence of a reasonable adversary A that breaks F in the PRP-CPA sense means that F is PRP-CPA secure. So PRP-CCA security implies PRP-CPA security, and a statement like the proposition above is how, precisely, one makes such a statement.

3.5 Modeling block ciphers

One of the primary motivations for the notions of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs) is to model block ciphers and thereby enable the security analysis of protocols that use block ciphers. As discussed in Section ??, classically the security of DES or other block ciphers has been looked at only with regard to key recovery. That is, analysis of a block cipher F has focused on the following question: Given some number of input-output examples

(X1, FK (X1)), . . . , (Xq, FK (Xq)) 14 PSEUDORANDOM FUNCTIONS

14 where K is a random, unknown key, how hard is it to fiPnSdEUKD?ORTAheNDbloOMck FUcipNCherTisIONS taken as “secure” if the resources required to recover the key are prohibitive. Yet, as we saw, even a cursory glance at common block cipher usages shows that hardness of key recovery is not sufficient for security. We had discussed wanting a master security property of block ciphers under which natural usages of block ciphers could wherbeepKrovisenasecuranrde.om,Weusungkngestownthakteyt,hishomwasterhardpisropiterttoy fiisntdhaKt ?theTbhloe cbklocipckhciper bheer is takaensecuas r“esecuPRPre”, unifdterheeitresoheruCrcesPA roequr CCirAed. to recover the key are prohibitive. Yet, as we sawW, eevcaennnaotcuprrsoovreytghlaatnspceecifiat ccobmmolock ncipbhloercsk hcipaveherthisusaprgoespershtyo.wTs hthe abtestharwdeness of kcaeyn drecoo isvaerssuy meis ntohteysudffio,ciaenndt tfhoenr secugo ornittyo. uWseethem.ad dFiscuor qussedantwitatnivtine secug a rmityaster secuassessmenrity propts,ertwyeowfobuloldckmacipkehsperecifis uncdcoernwjecthicuhresnaatbuoruatl uthsae gaesdvaonf tbalogeckfucipncthioernss ocof uld various block ciphers. For example we might conjecture something like: be proven secure. We suggest that this master property is that the block cipher be a secure PRP, under eitherprpC-cpaPA or CCA. t/TDES q Adv (At,q) c1 + c2 We cannot prove thatDEspS ecific blo≤ck cip·her2s55have th·is24p0roperty. The best we

canfodroanisy adssuvermesarythAeyt,q dtoh,atarnudnsthinentimego aotnmotostuset anthdem.asks Faot rmoqustanqt6it4a-btiviteorsecuaclerity assessmenqueries.ts,HerweeTwDEoSuldis tmahModelinge tkimee sptoecifidoconcoe blocknDjEectS courmpes ciphersuatbaotuiotntohneoaudrvfiaxedntaRgeAMfunmoctiodelns of AppvAaerppoiondif ucosempbndixlouctAkatxiocipnA,haerns.d cF1,ocr2 exaare mpsomelecownestmiganthstdepcoennjdectinguroenlysoometn thhisinmog likdel.e: In other worWds,antwe ar e“masterconjecturin” gpropertthat theyb estthatatt ac ksblockare eit cipherher exha beustiv ePRP-CPkey searcAh or •or linear .prpW-ecpamight be bolder wt/itThDrEegS ard to AqES and conjecture PRP-CCA secure.AdvDES (At,q) c1 55 + c2 40 TheThesometBirhinBgthdirlikethdayaPyrPorboleb≤mlem· 2 · 2 for any adversary A that runs in time at most t and asks at most q 64-bit oracle Conjectures:t,q prp-cpa t/TAES q • Adv (Bt,q) c1 + c2 . queries. Here TDES is theAEtimeS to do on≤e DE·S co21mp28 utatio·n21o2n8 our fixed RAM model of computation, and c1, c2 are some constants depending only on this model. In other for •anyDESadver andsary BAESt,q th aaret run PRP-CCAs in time at mo(thusst t a nalsod asks PRP-CPat most qA)12 8secure.-bit oracle 2 worquds,eries.we aWree coconujldectaulsorinmag tkheTatsimilaHEtheBrbIcoestRnTjectaHDttuarAcesksYraegPreRarOBdeitinhgLEMerthexhe starenustgivtheokfeybloseack rch or ciplineah•errsFcrorasypP antRaPnysa lysis.uBn drunninger CWCeAmigra ttimehhert bthe atnb andoCldPerA .makingwith rega qrd queriesto AES and conjecture prf somethMinogrelikinteeresting is AdvDES(t, q). Here we cannot do better than assume that 2 prp-cpaprf t/t/TTDAEESS q q The TsethetinsetgtisintghisattwhaAdethwavAdveehvqavbe(aB(qlls.Atb,tq,qa))Vlls.iewVctiew1hemthaems n+ua+smcnb2uermedber, 1ed., .,.1.,,.q...W, qe. Walsoe ahlsoavehave AES DES ≤≤ · 251528 264 · 2128 N bNins,binwhs,erwehNere Nq. Wq.e Wtherotwhrtohwe tbhaellsbaallst rantdroamn2doinmtointhtoe tbhines,binons,e obnye obnye,one, for any adversary≥Bt,≥q that prfruns in time at mot/stTAEt aSnd aqsks at most q 128-bit oracle beginbneginingnwinitghwbitahll b1a.llA1Adt. rAvanAEtdrSoa(mBntd,qmeao)m meansct1hnasttheaacth+eabcahllbis.allequis aequllyalikllyelyliktelyo latnodlainnd in In the proof we will find the foqulloerwies.ingWine equcouldalitalsoiesmausefke similaul tor≤maconkjecte· uest2r1es28imarega2tr1es.d28ing the strength of block any oafnythoefNthebinNs,bainns,d athned pthroebparboilitbabiesilitfoiesr afllorthalle bthaellsballsre inardeepinendepdenentd.enAt.coAllisiocollision n ciphfoerr asnaysaPdRverPsas ruiesndAert,qC, BCtA,q ruanthneringthinantimeCPaAt.most t and making at most q oracle is saisidsaqutoideroies.ccuto orTccuhifissorismeifdusoebmetino tenbhineprfdbseniruthdpdsacouypnattcoataincnkintadginiscuaintssedgleaatstlaleatterwst.oTtbwhaeolls.secobaWlls.nde tWaerreminainrteerinestteredested Proposition A.2 The inequality More interesting is AdvDES(t, q). HBelerelawree acanndnoRot dgoawbaetyter than assume that 23 Belin Clainre(NeaaC,ncq(dh)N,Rof,otqrhmg)e,auwplathraoyeabrpisesarboilitbsimpaybilitolyfybaecaocof ullisioasecothllisione.obnject. under consideration is a family of 23 t/T q2 1 TheperTbmhireutthabdtirioatynhs.dpaayrxapdaAdorxadvisoprfxthis(eAtcahese) cawsehercwehNere=DNES36=+5.36W5.e Ware arskine asking whgawt hisatthise the 1 x 1 e− xDE.S t,q 1 55 64 −cheancceh·atnhceWa≤te,tsthinaresst−,aintghraoatutghprese≤ooufaprqeoapflleoqcoppnle,jeoectptule,h≤res.ertehTaerh·reree2tacowreuoldtpwexisteoo2ppleeohigwphlelyithewfftitecthheivtsaehaemettsaacksbmeirthbdiratyh,day, ! " that break DES or AES as a PRF without recovering the 2key. So far, we do not assuminassugminbirgthbdiratyshdaysre raarnedprfroamlyndomlyand ainndepinent/depTdAEenenStdlyendtqlyistrdibisturtibedutoedverovthere tdhaeysdaoysf of know of any such attAdacks,v but(Btht,eq)amountc1of cryptana+lytic effo.rt that has focused is true for any real number x with 0 x 1. AES ≤ ·√2128 2128 the ytheaeo≤rn.yteahItisr≤.tguoItarlntissuosmarnustll.othuCaterttthwaainhtenlyw, thqoenahssuitqsmeh√it3tsh6a5t 3at6hb5elotchkeacipncceheranoiscef aoPbfRiraFthbisdiratyhmdcouacyhllisiocollision isn is the birthday paradox. If you are not ftahmiliae birrtwhditahytphis,araydooux.maIfy ywoauntarteo lonootk fatmilia25r with this, you may want to look at alreafaodlrrysteaarnquodynyitgaerdequvheraitssuigsaehmprh,iesigatriohAo,nut,aqntr,hdoBaun1t,nq/tdh2rau.1tn/nit2in.isg secuin trimee agaatinmost ksteyt raecondvmaery.kinNgonaett hmoeless,st qthoeracle Appendix ??, and then come back to the following. TquherismoTies.fthaivctisatTiofcaahnctisnanisseemcad dnaurseemgeusutmenorpttsuhrsisinerwbpeirrghisintahwvdehgaenoywuAtahlinfitpentraedstpcenkfiinhrdeadstiscufixarvhdoea?.rssed?oTrf,dht.ahelanTetrderPheaeR.tsoFhrTeaennahssusoiteconmpsecoismeittiornisundbetstatrisercauykemt,histainottththaet tfhoellowing. Proof of Theorem A.1: Let CTi hbise tellshe evusenthtat haant inthsteanice-thofballblococllidk cipesherwitcahnobneedistinguished from a collisioeacocllisioahnndpfororonumbrpuaviewlarboilitbaaisryisesbtilithCa(tsimpyNifC,aq(bly)Nlogc,brkqoeca)cipwgsuhrseoerrwoisutshgbrehroolyuokbgenTphjecthrlyaoisspapuoPrtnroellsRtdpioFerontrhatcoueniolsntnsiditotahshlqera2too/tauNtldqioa2.nb/TeNisincoh.isnstaTsidisafhanerismilytceedhise tfoaohffcteaftaoctblotcok cipher can be distinguished from a of the previous ones. Then Pr [rCanid] oisminasecuftunmoctre,ioastndb(aairsedepla1ocemen)n/Nseeint, shsingouaceldnbuwemsohbuenerghtot. fheinpi-tuth-oubtapllutisexamples which is ap- remempreremembmerut.abtTeriohn.es.Tfohlloe−fwoinllogwginivgesgivaesmoaremoraexanredctoexamrenctfudnrerenctindiogern,inpbgrao,sedvidproinvidogninbseeinogthbougtphpauernpupamerndbaerndof input-output examples which is ap- thrown in, there are at most i p1rodximaifferWtelyeensttr2esso!/ccu2t.haTpthtiedishesehasloasreimptasllaoconrtndajectntthucoeres.in-tsequThhberenaellcescoisuldfoequrexistthaellyhsecuighlyriteffyectofivbeloatctkaccipks her −lowerlowboerunbdosunondsthonis tphrisobparboilitbayb.ility. proximately 2!/2. This has important consequences for the security of block cipher likely to land in any of them. Nbaosedwthaptrobtroeacokls.DES or AES as a PRF without recovering the key. So far, we do not know of any such attacks,Thebut th“birthdae amobuansedt ofy”pcrrypo attackttoaconals.lytic effort that has focused TheorThemeoremA.1A.1[Bir[Birthdathydbaouy bnoud] nLetd] LetC(NC, q(N) d, qen) odtene tohte tphreobparboilitbabyilitofyatofleaatstleast Proponosthitionis goal3.16is smaLetll. CEer: ta0in,ly1, kto assu0,me1 !that a0,b1loc!kbcipe aherfamilyis a PoRfFperis ma umtuacthions. C(N, q) = Pro[nCe collisioC n when wCe th] row q 1 balls at random into N q buckets.k Then ! ! one stcorollisio•n1gTheoremernawssu2henmptw.io eFnortthhr aoannqw{ty(qh! +1ablockt})it/12×bisa cipher{secullsPrart}ope raa →gosEna dinwith{itionostmkin} eydomaint3.16orecoN verLet yqand. bNuEoc :knretangehs.0eless,, 1T henthe 0, 1 0, 1 be a family of permutations. Suppose q∨satisfi∨es·2· · ∨q 2 ≥ ≥. Then there is an adver≥sary≥A, ma{king} q ×or{acle } → { } motiva{0,1}tion anl dandarg≤u anmen≤yt sAw thate hav make outlinesed q inqueriesfavor o fs.t.the PRF assump(!t+1ion)/st2 ay, quPerries[Ca1n]d+hPavinr [Cg 2ru] n+ning t+imePra[bCouqt]Stuhpapt oqtseo(qdqo(sa1q)cotisfi1mp)esut2ationqs of2E, such. tThahten there is an adversary A, making q oracle and our view is that if a block cipherC(isNb,rqo)ken as a PR−F then it sh≤ould≤be considered ≤ · · · C(N, q) queries≤ a−nd2hNaving running time about that to do q computations of E, such that 0insecu1re, and a replaqcemen1 t should be so≤ught. q2(Nq 1) Advprf (A) 0.3 . (3.5) an+d + + − E −! ≤ anNd N · · · N ≥ · 2 prf q(q 1) AdvE (A) 0.3 −! . (3.5) q(q 1)/2N ≥ · 2 q(q 1) C(N, q) 1 q(eq −1)/2−N . = Proof−of Pr.oposition 3.16C(:N,Aq)dversar1≥y Aeis−−giv−en an.oracle g: 0, 1 ! 0, 1 ! • Lemma. If we throw (at≥ random)− q balls into N≥q{ bins} and→ { } and w2oNrks like this: ! ! AlsoAiflso1 if q1 √q 2 N √ t2 h N en t hthenen the probabilitProof ofy Prof opa collisionosition 3.16: Adversary A is given an oracle g: 0, 1 0, 1 ≤ ≤ ≤ { } → { } This proves the upper bound. For the lower bound we let Dianbdewtohreksevlikenetthtis:hat Adversary Ag q(q q(1q) 1) there is no collision after having thrown in the i-th ball.C(IfNC,tq(hN)er, qe) is0n.3o0co.3 llisio− −n. aft.er for i = 1, . . . , q do ≥ ≥ · ·N N throwing in i balls then they must all be occupying different slots,AdsovertsaheryprAogbability Let xi be the i-th l-bit string in lexicographic order of no collision upon throwing in the (i + 1)-st ball is exactly (Nfori)i/=N1. ,T. .h.a, qt dis,o yi g(xi) − ← Let xi be the i-th l-bit string in lexicographic order if y1, . . . , yqNare alli distinct thien return 1, else return 0 Pr [Di+1 Di] = − = 1 . y 1 g(x ) | N − N 1 i ← i Let us now justify Equation (3.5). LettifingyN1, .=. .2,l,yqwearclae aimll dthistatinct then return 1, else return 0 Also note Pr [D1] = 1. The probability of no collision at the end of the game can now be computed via Pr Expprf-1(A) = 1 = 1 (3.6) l E Let us now justify Equation (3.5). Letting N26= 2 , we claim that ! " 1 C(N, q) = Pr [D ] prf-0 q Pr ExpE (A) = 1 = 1 C(N, q) . prf-1 (3.7) − − Pr ExpE (A) = 1 = 1 (3.6) ! " = Pr [Dq Dq 1] Pr [Dq 1] ! " Here C(N, q), as|defin−ed ·in Appen−dix ??, is the probability that some bprfin-0gets two Pr ExpE (A) = 1 = 1 C(N, q) . (3.7) or mo. re .balls in the experiment of randomly throwing q balls into N bins. We will − justif.y th.ese claims shortly, but first let us use them to conclude.! Subtracting, we " Here C(N, q), as defined in Appendix ??, is the probability that some bin gets two get q 1 Proof of the Lemma − or more balls in the experiment of randomly throwing q balls into N bins. We will = Pr [Di+1 Di] Advprf (A) |= PrNE−xp1prf-1jNu(Ast)−if=y21thesePNrclaE−imsxpqprf+sh-0o1(rAtly) =, b1ut first let us use them to conclude. Subtracting, we −i=1C NE , q · E · .−. . E 1 #Bella(re and Ro) =gaw1ay ! get " ! " 23 q 1 = 1 [1N C(N, qN)] N − i − − − = 1 . 1 2 Advprf (A)q =1 Pr Expprf-1(A) = 1 Pr Expprf-0(A) = 1 − N ==(1C−(N, q)) · (1 − ) · . . . (E1 − ) E E i=1 ! " N N N − # q(q 1) = 1 ![1 C(N, q)] " ! " the birthday parado0x..3 If you−are n.ot familiar with this, you may want to look at Note that i/N 1. So we can use th//e inUsingequ thatality 1≥ x · e 2xl for each term of the − − ≤ Appendix ??, and−then≤come−back to the following. = C(N, q) above expression. This means tThhee alabstovline eisTishnbisoyttellsPmorouprsoesitthtaiohtanann??in.stItanrceemaof ina sblotockjucipstifhyerEcaqun abteiodnists in(3g.6uish) aedndfr(o3m.7)a. q(q 1) q 1 random function based on seeing a numberq−of1input-outputqexa(qmp−1)les which is ap- Equation (3.6) is clear!/b2ecause−in1 World 1, g−= EK for some−key K, a0n.d3 since −E is a. − i/N 1/N 2/Nproxima(q tely1)/2N≤. Tehis hqaN(sqimp·1).o/r2.tNa.nteconsequNences=forethe secu≥Nrity of b·lock cip2l her e− = e−family− of p−bera···sedm−uptar−ottioocons,ls.g=is ae−perm−utation,.and thus y1, . . . , yq are all distinct. Now, i=1 The last line isq bqy−Proposition ??. It remains to justify Equations (3.6) and (3.7). # −x k −1 ! (! 1) // PrUsingopos thatition 3.161 −Lete E: ≥0,(11 − e0, 1 )x if0, 1 be a family≤ 1of permutations. {(!+1})/2× { } → { } Suppose q satisfies 2 q 2 E.quTahentiotnher(3e .6is )anisa2cleadNversar rbyecaA, umasekining Wq oorarcleld 1, g = EK for some key K, and since E is a ≤ ≤ queries and having running time1faabmilyoutqt(hqoatf−tpoer1dmo) qucotamptiountas,tiogniss oaf Ep,ersumchuthaattion, and thus y , . . . , y are all distinct. Now, ≤ 1 − (1 − ) · 1 q q(q 1) Advprfe(A) 20.N3 − . (3.5) E ≥ · 2! 1 q(q − 1) q(q − 1) Thus Proof ofCPr(Nop,osqition) ≥ 3.16(1 −: Ad)ver· sary A is given≥an0o.3racle· g: 0, 1 ! 0, 1 ! e 2N {N } → { } and works like this: 27

Adversary Ag for i = 1, . . . , q do Let xi be the i-th l-bit string in lexicographic order y g(x ) i ← i if y1, . . . , yq are allProofdistinct thofen theretu rTheoremn 1, else return 0

Let us now justify Equation (3.5). Letting N = 2l, we claim that g • Adversary A prf-1i-th l-bit string Pr ExpE (A) = 1 = 1 (3.6) ! prf-0 " For i=1,..q do yi←Prg()( AEndF) = 1or= 1 C(N, q) . (3.7) E − If y ,...y are all distinct! return "1, else return 0 Herei C(N,qq ), as defined in Appendix ??, is the probability that some bin gets two EndIfor more balls in the experiment of randomly throwing q balls into N bins. We will justify these claims shortly, but first let us use them to conclude. Subtracting, we get

Advprf (A) = Pr Expprf-1(A) = 1 Pr Expprf-0(A) = 1 E E − E = 1 ![1 C(N, q)] " ! " − − = C(N, q) q(q 1) 0.3 − . ≥ · 2l The last line is by Proposition ??. It remains to justify Equations (3.6) and (3.7).

Equation (3.6) is clear because in World 1, g = EK for some key K, and since E is a family of permutations, g is a permutation, and thus y1, . . . , yq are all distinct. Now, 28