Pseudorandom Functions and Permutations

Introduction

Informally, a Pseudorandom function family Pseudorandom functions and (PRF) is a collection of functions which are permutations indistinguishable from random functions. PRFs are enormously useful for cryptography. But they are also useful for several algorithmic applications. 15-859I We’ll show two equivalent characterizations Spring 2003 of PRFs, and give a construction of a PRF from a secure PRG. (Thus we will have that if OWFs exist, then PRFs exist)

Notations PRFs: Statistical Test formulation

A collection of functions is a set {ƒs}s∈{0,1}* An efficiently computable collection ƒs is p(|s|) q(|s|) where each ƒs:{0,1} → {0,1} , for statistical-test pseudorandom if for every polynomials p(.), q(.). ƒ is efficiently probabilistic polynomial time oracle TM T, computable if there exists a PPT F such that f k g k p(|s|) Adv(T,k) = | Pr[T (1 ) = 1] – Pr[T (1 ) = 1] | F(s,x) = ƒs(x) for all s, x∈{0,1} . is negligible, where f denotes an oracle for ƒ We denote by Fp,q the set of all functions from s p q {0,1} → {0,1} . for s ← Uk and g denotes an oracle drawn Given a PRG G: {0,1}k → {0,1}2k we define uniformly from Fp(k),q(k). k k G0, G1 : {0,1} →{0,1} so that G(x) = We call Adv(T,k) the advantage of T. G0(x),G1(x).

PRFs: Polynomial inference formulation Equivalence

Consider an experiment with t+1 stages: Theorem: ƒ cannot be polynomially inferred First, choose s←U . if and only if it is statistical-test k pseudorandom. Stage 1: A produces a query x1. Stage j, 1 ½ + 1/Q(k)

1 Proof of (a) Proof of (b)

Let A be the algorithm that Q-infers ƒ. Then the Suppose there is a statistical test T that has O oracle PPTM TA works as follows: advantage 1/Q(k) against ƒ and makes P(k) Stage 1: run A to get query x , respond with O(x ). 1 1 (wlog, distinct) oracle queries. We will Stage j: Let xj = A(O(x1)…O(xj-1)). construct an algorithm AT that 2P(k)Q(k) Stage t+1: Choose b←U , let y =O(x ), draw y ←U . If 1 b t 1-b q(k) infers ƒ. A(O(x1)…O(xt-1),y0,y1) = b, output 1, else output 0. g k Notice that Pr[TA (1 ) = 1] = ½ f k But since A Q(k)-infers ƒ, Pr[TA (1 )=1] > ½ + 1/Q(k).

So TA has advantage 1/Q(k) as claimed.

Definition of AT Proof that this works:

Choose j {0,1,…P(k)-1} ∈U Consider doing an (k,j,ƒs) experiment: Run T, Stage i < j: Respond to T’s query qi-1 with ƒs(xi-1); run and on query qi, respond with: T until it makes query qi and return xi=qi. ƒs(qi), if i < j. Stage j: Respond to T’s query qj-1 with ƒs(xi-1). Run T yi ← Uq(k) otherwise. to get query qj. Return xj ← Up(k). Let pj(k) denote the probability that T outputs Stage i, j

… Recap

Then Pr[1-b’ = b] So a function family is statistical test

= ΣiPr[j=i]Pr[1-b’ = b | j=i] pseudorandom iff it is polynomially uninferrable. (Proof by Hybrid method!) = 1/P(k) Σi Pr[1-b’ = b | j=i] = 1/P(k) Σi (Pr[b=1|j=i] Pr[b’=0|y0←Uq(k)&j=i] From now on, we will just say that a function family is pseudorandom if it is statistical test + Pr[b=0|j=i] Pr[b’=1|y0=ƒs(qi)&j=i]) pseudorandom. = 1/P(k) Σi (½ Pr[T outputs 0 in (k,i,ƒs) exp] That is, a pseudorandom function family +½ Pr[T outputs 1 in (k,i+1,ƒs) exp]) i i+1 (PRF) is a function family which is statistical = 1/2P(k) Σi ((1-p (k)) + p (k)) = ½ + 1/2P(k)Q(k), QED. test pseudorandom.

2 Constructing PRFs from PRGs Proof of Theorem…

k 2k Let G:{0,1} → {0,1} be a PRG. Define a sequence of PPTs A0…Ak. k k A : Define ƒs: {0,1} → {0,1} by i Let L be an associative array. ƒs(x1x2…xk) = Gxk(Gxk-1(…(Gx2(Gx1(s)))…)) Run T, responding to queries (y1…yk): Theorem: ƒ is a PRF. s If (y1…yi) ∈L, let r = L(y1…yi) Proof: Suppose that there is a statistical test Else choose r←Uk and set L(y1…yi) = r respond with ƒ (y …y ) T that makes Q(k) queries and has Adv(T,k) r i+1 k Return output of T. = 1/P(k). We will construct a distinguisher for f k Notice: Pr[A0 = 1] = Pr[T (1 ) = 1], Pr[Ak = 1] = G with advantage 1/kQ(k)P(k). g k Pr[T (1 ) = 1]; Ei[Ai –Ai-1] = 1/kP(k)

Proof, continued Properties of AT

2k Construct adversary AT(r1,…rQ(k)) (ri∈{0,1} ): Notice that Pr[A (U ) = 1] – Pr[A (G(U ))] = AT(r1,…,rQ(k))= T 2kq(k) T kq(k) E [A -A ] = 1/kP(k) Choose i∈U {0,…k-1}. Let L be as in Aj. Set j = 0. i i i-1 Run T, responding to queries (y1,…,yk): That is, if T distinguishes ƒs from Fp,q with If (y1…yi+1) ∈ L, Let r = L(y1…yi+1). advantage 1/P(k), AT distinguishes Q(k) Else: increment j; samples of G(Uk) from q(k) samples of U2k L(y1…yi0) = Left-Half(rj);L(y1…yi1) = Right-Half(rj) with advantage at least 1/kP(k). r = L(y1…yi+1) But then A can distinguish between a single Respond with ƒ (y …y ) T r i+2 k sample of G(U ) and U with advantage Return output of T. k 2k 1/kQ(k)P(k), QED.

Pseudorandom permutations Notation, definitions

A Pseudorandom Permutation family (PRP) is a Let ΠL denote the uniform distribution on PRF where every element ƒs is a bijection on {0,1}p(|s|). (PRPs have inverses) permutations on {0,1}L. k L(k) L(k) Typically for P: {0,1} × {0,1} →{0,1} there is an Define the Advantage of A against efficient algorithm to compute l(k) -1 permutation family P on {0,1} by: PK (x), given K. P(K,.) k Π k A Strong Pseudorandom Permutation family (SPRP) Adv(A,k) = |Pr[A (1 ) = 1] – Pr[A l(k)(1 )=1]| is a PRP which remains pseudorandom even when For any function f: {0,1}k→{0,1}k, define the the adversary is given access to an oracle for PK -1 2k and PK . permutation Df: {0,1} by Df(l,r) = (r, l⊕f(r)) k Naor and Reingold show that given a PRF ƒs: {0,1} -1 k 2k Note that Df is easy to compute. → {0,1} we can construct a SPRP Pƒ on {0,1} .

3 Intuition behind construction Construction: SPRP

Let ƒ1, ƒ2 be chosen from a PRF family on Let h1,h2 be chosen from a pairwise- k 2k {0,1} . Then P = Dƒ2◦ Dƒ1 is indistinguishable independent family of permutations on {0,1} from a random permutation on uniformly k k Let ƒ1, ƒ2 :{0,1} →{0,1} be chosen from a chosen inputs. PRF family. There is a distinguisher for P on chosen Define the permutation P = h -1◦ D ◦ D ◦h . inputs: Left-half(P(L ,R) ⊕ P(L ,R)) = L ⊕L 2 ƒ2 ƒ1 1 1 2 1 2 SPRP Lemma: If ƒ , ƒ are chosen according whereas this holds with probability only 2-n for 1 2 to Fk,k, then P is statistically close to a a random permutation. random permutation. But if we can insure that the inputs to P, P-1 SPRP Theorem: P is a SPRP. are unique (whp), then we get what we need.

Proof tools Proof tools, cont’d.

Let M be a deterministic, unbounded oracle Call σ = {(x1,y1)…(xm,ym)} a possible M machine. M makes two types of queries: transcript if for every 1< i < m, (+,x): Querying G(x) -1 (-, y): Querying G (y) CM[{(x1,y1),…,(xi-1,yi-1)}] ∈{(+,xi),(-,yi)} th Denote the i query-answer pair of M by (xi,yi). Let TP be a random variable denoting the Wlog, assume M makes exactly m queries. transcript of M with an oracle for P. Denote by {(x ,y ),…,(x ,y )} the transcript of M with 1 1 m m Let T be a random variable denoting the oracle G. Π transcript of M with an oracle chosen from Denote by CM[{(x1,y1),…,(xi-1,yj-1)}] the deterministic function for the ith query of M, and let Π2k. CM[{(x1,y1)…(xm,ym)}] the output of M.

More Proof Tools. Lemma 1

Let T be a random variable denoting transcripts 2 2k+1 R Pr[CM(TR) = 1] – Pr[CM(TΠ) = 1] ≤ m /2 . from a random process which responds to M’s ith query as follows: Proof: If the query is (+,x) and for some j < i there is a query- Pr[TR = σ | TR is consistent] = Pr[TΠ=σ] (because answer pair (x,yj), return yj. a consistent transcript is a permutation, and TR If the query is (-,y) and for some j < i there is a query- chooses uniformly from transcripts) answer pair (x ,y) return x j j So Pr[CM(TR) = 1] – Pr[CM(TΠ) = 1] ≤ Pr[TR is Otherwise, return a uniformly chosen 2k-bit string. inconsistent] T might contain responses inconsistent with a R Pr[TR is inconsistent] ≤ permutation: Call a possible M-transcript σ = Σ Pr[x =x and y ≠y or y =y and x ≠x ] = {(x ,y ),…(x ,y )} inconsistent if for some 1 < j < i < i,j i j i j i j i j 1 1 m m (m(m-1)/2)2-2k ≤ m2/22k+1. m, xi=xj and yi ≠ yj or yi=yj and xi ≠ xj.

4 BAD set Lemma 2 proof.

For a fixed h1,h2, define the set BAD(h1,h2) to σ∈BAD(h1,h2) if there exist i < j with h1(xi)|R be the set of possible and consistent M- = h2(xj) |R (Ri,j) or h2(yi)|L = h2(yj)|L (Li,j). transcripts {(x ,y ),…,(x ,y )} such that: 1 1 m m So Pr[σ∈BAD(h1,h2)] ≤Σi

Key Lemma Lemma Proof, Cont’d.

Lemma 3: Let σ = {(x ,y ),…,(x ,y )} be possible 0 0 2 1 1 m m We get yi = P(xi) when ƒ1(Ri ) = Li ⊕ Li , and and consistent. Then ƒ (L 2) = R 0 ⊕ R 2. Pr[T = σ | σ∉BAD(h ,h ) ] = Pr[T = σ]. 2 i i i P 1 2 R But since we never have L 2= L 2 or R 0=R 0 Proof: Given σ is consistent, i j i j -2km (otherwise σ is bad), these probabilities are Pr[TR = σ] = 2 . th independent. And since ƒ ,ƒ are chosen But suppose σ∉BAD(h1,h2). Then for the i query- 1 2 answer pair, yi = P(xi) exactly when: randomly we get that Pr[TP = σ | σ∉ 0 0 2 0 0 -2km h1(xi)= (Li ,Ri ), Li = Li ⊕ƒ1(Ri ), BAD(h1,h2) ] = 2 , QED. 2 0 2 2 2 Ri = Ri ⊕ƒ2(Li ), and Li ,Ri = h2(yi). 0 0 2 2 0 2 i.e., when ƒ1(Ri ) = Li ⊕ Li , and ƒ2(Li ) = Ri ⊕ Ri

SPRP Lemma: Proof SPRP Theorem: Proof

SPRP Lemma: if ƒ1,ƒ2←Fk,k then for any SPRP Theorem: If ƒ1,ƒ2←ƒs, where ƒs is a oracle adversary M which makes at most m PRF, then P is a SPRP. queries, Proof: Assume not. Let M be an efficient |Pr[MP(1k) = 1] – Pr[MΠ2k(1k) = 1]| ≤ oracle machine distinguishing P from a m2/22k+1+m2/2k randomly chosen permutation. Consider the

Proof: composition of previous three lemmas. hybrid distribution H where ƒ1←Fk,k, and ƒ2←ƒs. Recall Pr[MP=1] – Pr[MΠ=1] > 1/poly(k).

5 SPRP proof

Then we must have either: (a) |Pr[MP=1] – Pr[MH=1]| > 1/poly; OR (b) |Pr[MH=1] – Pr[MΠ=1]| > 1/poly.

This gives a statistical test against ƒs: run M, answering queries using P with either :

(a) a random function; or

(b) a pseudrandom function

for ƒ1, and the function oracle for ƒ2.

Then in either case, we distinguish ƒs with the same gap as M in distinguishing H from P or Π.