Introduction Informally, a Pseudorandom function family Pseudorandom functions and (PRF) is a collection of functions which are permutations indistinguishable from random functions. PRFs are enormously useful for cryptography. But they are also useful for several algorithmic applications. 15-859I We’ll show two equivalent characterizations Spring 2003 of PRFs, and give a construction of a PRF from a secure PRG. (Thus we will have that if OWFs exist, then PRFs exist) Notations PRFs: Statistical Test formulation A collection of functions is a set {ƒs}s∈{0,1}* An efficiently computable collection ƒs is p(|s|) q(|s|) where each ƒs:{0,1} → {0,1} , for statistical-test pseudorandom if for every polynomials p(.), q(.). ƒ is efficiently probabilistic polynomial time oracle TM T, computable if there exists a PPT F such that f k g k p(|s|) Adv(T,k) = | Pr[T (1 ) = 1] – Pr[T (1 ) = 1] | F(s,x) = ƒs(x) for all s, x∈{0,1} . is negligible, where f denotes an oracle for ƒ We denote by Fp,q the set of all functions from s p q {0,1} → {0,1} . for s ← Uk and g denotes an oracle drawn Given a PRG G: {0,1}k → {0,1}2k we define uniformly from Fp(k),q(k). k k G0, G1 : {0,1} →{0,1} so that G(x) = We call Adv(T,k) the advantage of T. G0(x),G1(x). PRFs: Polynomial inference formulation Equivalence Consider an experiment with t+1 stages: Theorem: ƒ cannot be polynomially inferred First, choose s←U . if and only if it is statistical-test k pseudorandom. Stage 1: A produces a query x1. Stage j, 1<j<t+1: A is given x ,ƒ (x ), for 0 < i < j, Proof: both directions in the contrapositive: i s i (a) if ƒ can be Q(k) inferred, then there is a statistical and produces query xj≠xi. test T which distinguishes between ƒS and Fp,q Stage t+1: Choose b←U1. Choose y1-b←Uq(k). with advantage 1/Q(k). Let yb = ƒs(xt). A is given xi, ƒs(xi), xt,y0,y1. (b) if there is a statistical test T for ƒ that has We say that PPTM A Q(k)-infers ƒif advantage 1/Q(k) and makes P(k) queries then ƒ can be 2P(k)Q(k) inferred. Pr[A(ƒs(x1),…,ƒs(xt-1),y0,y1) = b] > ½ + 1/Q(k) 1 Proof of (a) Proof of (b) Let A be the algorithm that Q-infers ƒ. Then the Suppose there is a statistical test T that has O oracle PPTM TA works as follows: advantage 1/Q(k) against ƒ and makes P(k) Stage 1: run A to get query x , respond with O(x ). 1 1 (wlog, distinct) oracle queries. We will Stage j: Let xj = A(O(x1)…O(xj-1)). construct an algorithm AT that 2P(k)Q(k) Stage t+1: Choose b←U , let y =O(x ), draw y ←U . If 1 b t 1-b q(k) infers ƒ. A(O(x1)…O(xt-1),y0,y1) = b, output 1, else output 0. g k Notice that Pr[TA (1 ) = 1] = ½ f k But since A Q(k)-infers ƒ, Pr[TA (1 )=1] > ½ + 1/Q(k). So TA has advantage 1/Q(k) as claimed. Definition of AT Proof that this works: Choose j {0,1,…P(k)-1} ∈U Consider doing an (k,j,ƒs) experiment: Run T, Stage i < j: Respond to T’s query qi-1 with ƒs(xi-1); run and on query qi, respond with: T until it makes query qi and return xi=qi. ƒs(qi), if i < j. Stage j: Respond to T’s query qj-1 with ƒs(xi-1). Run T yi ← Uq(k) otherwise. to get query qj. Return xj ← Up(k). Let pj(k) denote the probability that T outputs Stage i, j<i<P(k): Return xi ← Up(|s|). 0 1 in an (k,j,ƒs) experiment. Then p (k) = Stage P(k): Return x = q . P(k) j Pr[Tg(1k) = 1] and pP(k)(k) = Pr[Tf(1k) = 1]. Stage P(k)+1: Run T with y as O(q ) Respond to 0 j j j-1 additional queries from T with uniform bits, until T So we also have Σj(p (k) – p (k)) = Adv(T,k) outputs bit b’. Return 1-b’. … … Recap Then Pr[1-b’ = b] So a function family is statistical test = ΣiPr[j=i]Pr[1-b’ = b | j=i] pseudorandom iff it is polynomially uninferrable. (Proof by Hybrid method!) = 1/P(k) Σi Pr[1-b’ = b | j=i] = 1/P(k) Σi (Pr[b=1|j=i] Pr[b’=0|y0←Uq(k)&j=i] From now on, we will just say that a function family is pseudorandom if it is statistical test + Pr[b=0|j=i] Pr[b’=1|y0=ƒs(qi)&j=i]) pseudorandom. = 1/P(k) Σi (½ Pr[T outputs 0 in (k,i,ƒs) exp] That is, a pseudorandom function family +½ Pr[T outputs 1 in (k,i+1,ƒs) exp]) i i+1 (PRF) is a function family which is statistical = 1/2P(k) Σi ((1-p (k)) + p (k)) = ½ + 1/2P(k)Q(k), QED. test pseudorandom. 2 Constructing PRFs from PRGs Proof of Theorem… k 2k Let G:{0,1} → {0,1} be a PRG. Define a sequence of PPTs A0…Ak. k k A : Define ƒs: {0,1} → {0,1} by i Let L be an associative array. ƒs(x1x2…xk) = Gxk(Gxk-1(…(Gx2(Gx1(s)))…)) Run T, responding to queries (y1…yk): Theorem: ƒ is a PRF. s If (y1…yi) ∈L, let r = L(y1…yi) Proof: Suppose that there is a statistical test Else choose r←Uk and set L(y1…yi) = r respond with ƒ (y …y ) T that makes Q(k) queries and has Adv(T,k) r i+1 k Return output of T. = 1/P(k). We will construct a distinguisher for f k Notice: Pr[A0 = 1] = Pr[T (1 ) = 1], Pr[Ak = 1] = G with advantage 1/kQ(k)P(k). g k Pr[T (1 ) = 1]; Ei[Ai –Ai-1] = 1/kP(k) Proof, continued Properties of AT 2k Construct adversary AT(r1,…rQ(k)) (ri∈{0,1} ): Notice that Pr[A (U ) = 1] – Pr[A (G(U ))] = AT(r1,…,rQ(k))= T 2kq(k) T kq(k) E [A -A ] = 1/kP(k) Choose i∈U {0,…k-1}. Let L be as in Aj. Set j = 0. i i i-1 Run T, responding to queries (y1,…,yk): That is, if T distinguishes ƒs from Fp,q with If (y1…yi+1) ∈ L, Let r = L(y1…yi+1). advantage 1/P(k), AT distinguishes Q(k) Else: increment j; samples of G(Uk) from q(k) samples of U2k L(y1…yi0) = Left-Half(rj);L(y1…yi1) = Right-Half(rj) with advantage at least 1/kP(k). r = L(y1…yi+1) But then A can distinguish between a single Respond with ƒ (y …y ) T r i+2 k sample of G(U ) and U with advantage Return output of T. k 2k 1/kQ(k)P(k), QED. Pseudorandom permutations Notation, definitions A Pseudorandom Permutation family (PRP) is a Let ΠL denote the uniform distribution on PRF where every element ƒs is a bijection on {0,1}p(|s|). (PRPs have inverses) permutations on {0,1}L. k L(k) L(k) Typically for P: {0,1} × {0,1} →{0,1} there is an Define the Advantage of A against efficient algorithm to compute l(k) -1 permutation family P on {0,1} by: PK (x), given K. P(K,.) k Π k A Strong Pseudorandom Permutation family (SPRP) Adv(A,k) = |Pr[A (1 ) = 1] – Pr[A l(k)(1 )=1]| is a PRP which remains pseudorandom even when For any function f: {0,1}k→{0,1}k, define the the adversary is given access to an oracle for PK -1 2k and PK . permutation Df: {0,1} by Df(l,r) = (r, l⊕f(r)) k Naor and Reingold show that given a PRF ƒs: {0,1} -1 k 2k Note that Df is easy to compute. → {0,1} we can construct a SPRP Pƒ on {0,1} . 3 Intuition behind construction Construction: SPRP Let ƒ1, ƒ2 be chosen from a PRF family on Let h1,h2 be chosen from a pairwise- k 2k {0,1} . Then P = Dƒ2◦ Dƒ1 is indistinguishable independent family of permutations on {0,1} from a random permutation on uniformly k k Let ƒ1, ƒ2 :{0,1} →{0,1} be chosen from a chosen inputs. PRF family. There is a distinguisher for P on chosen Define the permutation P = h -1◦ D ◦ D ◦h . inputs: Left-half(P(L ,R) ⊕ P(L ,R)) = L ⊕L 2 ƒ2 ƒ1 1 1 2 1 2 SPRP Lemma: If ƒ , ƒ are chosen according whereas this holds with probability only 2-n for 1 2 to Fk,k, then P is statistically close to a a random permutation. random permutation. But if we can insure that the inputs to P, P-1 SPRP Theorem: P is a SPRP. are unique (whp), then we get what we need. Proof tools Proof tools, cont’d. Let M be a deterministic, unbounded oracle Call σ = {(x1,y1)…(xm,ym)} a possible M machine. M makes two types of queries: transcript if for every 1< i < m, (+,x): Querying G(x) -1 (-, y): Querying G (y) CM[{(x1,y1),…,(xi-1,yi-1)}] ∈{(+,xi),(-,yi)} th Denote the i query-answer pair of M by (xi,yi).