
5 Pseudorandom functions from pseudorandom generators and CPA security

In this lecture we will see that the PRG conjecture implies the PRF conjecture. We will also see how PRFs imply an encryption scheme that is secure even when we encrypt multiple messages with the same key.

We have seen that PRFs (pseudorandom functions) are extremely useful, and we'll see some more applications of them later on. But are they perhaps too amazing to exist? Why would someone imagine that such a wonderful object is feasible? The answer is the following theorem:

Theorem 5.1 — The PRF Theorem. Suppose that the PRG Conjecture is true. Then there exists a secure PRF collection $\{f_s\}_{s \in \{0,1\}^*}$ such that for every $s \in \{0,1\}^n$, $f_s$ maps $\{0,1\}^n$ to $\{0,1\}^n$.

Figure 5.1: The construction of a pseudorandom function from a pseudorandom generator can be illustrated by a depth $n$ binary tree. The root is labeled by the seed $s$, and for every internal node $v$ labeled by a string $x \in \{0,1\}^n$, we use that label $x$ as a seed into the PRG $G$ to label $v$'s two children. In particular, the children of $v$ are labeled with $G_0(x)$ and $G_1(x)$ respectively. The output of the function $f_s$ on input $i$ is the label of the $i$-th leaf counting from left to right. Note that the numbering of leaf $i$ is related to the bitstring representation of $i$ and the path to leaf $i$ in the following way: we traverse to leaf $i$ from the root by reading off the $n$ bits of $i$ left to right, descending into the left child of the current node for every 0 we encounter and into the right child for every 1.

(An Intensive Introduction to Cryptography, compiled on 9.23.2021 13:32)

Proof. We describe the proof; see also Chapter 6 of Rosulek or Section 8.5 of Katz-Lindell (Section 7.5 in the 2nd edition) for alternative expositions.

If the PRG Conjecture is true then in particular, by the length extension theorem, there exists a PRG $G : \{0,1\}^n \to \{0,1\}^{2n}$ that maps $n$ bits into $2n$ bits. Let's denote $G(s) = G_0(s) \circ G_1(s)$, where $\circ$ denotes concatenation. That is, $G_0(s)$ denotes the first $n$ bits and $G_1(s)$ denotes the last $n$ bits of $G(s)$.

For $i \in \{0,1\}^n$, we define

$$f_s(i) = G_{i_n}\bigl(G_{i_{n-1}}(\cdots G_{i_1}(s))\bigr).$$

This corresponds to $n$ composed applications of $G_b$ for $b \in \{0,1\}$. If the $j$-th bit of $i$'s binary string is 0 then the $j$-th application of the PRG is $G_0$, otherwise it is $G_1$. This series of successive applications starts with the initial seed $s$. This definition directly corresponds to the depiction in Fig. 5.1, where the successive applications of $G_b$ correspond to the recursive labeling procedure.

By the definition above we can see that to evaluate $f_s(i)$ we need to evaluate the pseudorandom generator $n$ times on inputs of length $n$, and so if the pseudorandom generator is efficiently computable then so is the pseudorandom function. Thus, "all" that's left is to prove that the construction is secure, and this is the heart of this proof.

I've mentioned before that the first step of writing a proof is convincing yourself that the statement is true, but there is actually an often more important zeroth step, which is understanding what the statement actually means. In this case what we need to prove is the following: we need to show that the security of the PRG $G$ implies the security of the PRF ensemble $\{f_s\}$. Via the contrapositive, this means that we assume that there is an adversary $A$ that can distinguish in time $T$ a black box for $f_s(\cdot)$ from a black box for a random function with advantage $\epsilon$. We need to use $A$ to come up with an adversary $D$ that can distinguish in time $poly(T)$ an input of the form $G(s)$ (where $s$ is random in $\{0,1\}^n$) from an input of the form $y$ where $y$ is random in $\{0,1\}^{2n}$, with bias at least $\epsilon / poly(T)$.

Assume that $A$ as above is a $T$-time adversary that wins in the "PRF game" with advantage $\epsilon$. Let us consider the "lazy evaluation" implementation of the black box for $A$ illustrated in Fig. 5.2. That is, at every point in time there are nodes in the full binary tree that are labeled and nodes which we haven't yet labeled. When $A$ makes a query $i$, this query corresponds to the path $i_1 \ldots i_n$ in the tree. We look at the lowest (furthest away from the root) node $v$ on this path which has been labeled by some value $y$, and then we continue labeling the path from $v$ downwards until we reach $i$. In other words, we label the two children of $v$ by $G_0(y)$ and $G_1(y)$, and then if the path $i$ goes through the first child we label its children by $G_0(G_0(y))$ and $G_1(G_0(y))$, and so on and so forth (see Fig. 5.3). Note that because $G_0(y)$ and $G_1(y)$ correspond to a single call to $G$, regardless of whether the traversal continues left or right (i.e., whether the current level corresponds to a value 0 or 1 in $i$) we label both children at the same time.

Figure 5.2: In the "lazy evaluation" implementation of the black box to the adversary, we label every node in the tree only when we need it. Subsequent traversals do not reevaluate the PRG, leading to reuse of the intermediate seeds. Thus, for example, two sibling leaves will correspond to a single call to $G(x)$, where $x$ is their parent's label, with the left child receiving the first $n$ bits and the right child receiving the second $n$ bits of $G(x)$. In this figure check marks correspond to nodes that have been labeled and question marks to nodes that are still unlabeled.

Figure 5.3: When the adversary queries $i$, the oracle takes the path from $i$ to the root and computes the generator on the minimum number of internal nodes that is needed to obtain the label of the $i$-th leaf.

A moment's thought shows that this is just another (arguably cumbersome) way to describe the oracle that simply computes the map $i \mapsto f_s(i)$. And so the experiment of running $A$ with this oracle produces precisely the same result as running $A$ with access to $f_s(\cdot)$.

Note that since $A$ has running time at most $T$, the number of times our oracle will need to label an internal node is at most $T' \leq 2nT$ (since we label at most $2n$ nodes for every query $i$). We now define the following $T'$ hybrids: in the $j$-th hybrid, we run this experiment, but for the first $j$ times the oracle needs to label internal nodes it uses independent random labels. That is, for the first $j$ times we label a node $v$, instead of letting the label of $v$ be $G_b(u)$ (where $u$ is the parent of $v$, and $b \in \{0,1\}$ corresponds to whether $v$ is the left or right child of $u$), we label $v$ by a random string in $\{0,1\}^n$. Note that the $0$-th hybrid corresponds to the case where the oracle implements the function $i \mapsto f_s(i)$, while in the $T'$-th hybrid all labels are random and hence it implements a random function. By the hybrid argument, if $A$ can distinguish between the $0$-th hybrid and the $T'$-th hybrid with bias $\epsilon$ then there must exist some $j$ such that it distinguishes between the $j$-th hybrid (pictured in Fig. 5.4) and the $(j+1)$-st hybrid (pictured in Fig. 5.5) with bias at least $\epsilon / T'$. We will use this $j$ and $A$ to break the pseudorandom generator.

We can now describe our distinguisher $D$ (see Fig. 5.6) for the pseudorandom generator. On input a string $y \in \{0,1\}^{2n}$, $D$ will run

Figure 5.4: In the $j$-th hybrid the first $j$ internal labels are drawn uniformly at random from $U_n$. All subsequent children's labels are produced in the usual way by seeding $G$ with the label $z$ of the parent and assigning the first $n$ bits ($G_0(z)$) to the left child and the last $n$ bits ($G_1(z)$) to the right child. For example, for some node $v^L_{j-1}$ at the $j$-th level, we generate the pseudorandom string $G(v^L_{j-1})$ and label the left child $v^L_j = G_0(v^L_{j-1})$ and the right child $v^R_j = G_1(v^L_{j-1})$. Note that the labeling scheme for this diagram is different from that in the previous figures. This is simply for ease of exposition; we could still index our nodes via the path reaching them from the root.

Figure 5.5: The $(j+1)$-st hybrid differs from the $j$-th in that the process of assigning random labels continues until the $(j+1)$-st step as opposed to the $j$-th. The hybrids are otherwise constructed identically.

Figure 5.6: Distinguisher $D$ is similar to hybrid $j$, in that the nodes in the first $j$ layers are assigned completely random labels.
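The tree construction of $f_s$, the lazy-evaluation oracle of Figs. 5.2 and 5.3, and the hybrid parameter $j$ can all be made concrete in a few dozen lines. The following Python is an added example written for this page, not code from the book. It assumes $n = 128$ bits and stands in SHAKE256 for the length-doubling PRG $G$ (the argument only requires $G$ to be a secure PRG; the hash is a convenience for running the example). The `demo` function, its seed and its leaf indices are constructed for illustration.

```python
"""GGM tree PRF f_s(i) = G_{i_n}(... G_{i_1}(s)) from a length-doubling PRG,
evaluated directly (n composed PRG calls) and through the lazy-evaluation
oracle used in the proof, with a hybrid parameter j that replaces the first
j node labels by independent random strings.

Added example, not code from the book. Assumptions are marked below."""
import hashlib
import os
from typing import Dict

N_BYTES = 16  # assumption: n = 128 bits, so seeds, inputs and outputs are 16 bytes


def prg(seed: bytes) -> bytes:
    """G : {0,1}^n -> {0,1}^{2n}. Assumption: SHAKE256 stands in for a
    length-doubling PRG; the proof only needs G to be a secure PRG."""
    assert len(seed) == N_BYTES
    return hashlib.shake_256(seed).digest(2 * N_BYTES)


def g0(x: bytes) -> bytes:
    return prg(x)[:N_BYTES]  # first n bits: label of the left child


def g1(x: bytes) -> bytes:
    return prg(x)[N_BYTES:]  # last n bits: label of the right child


def to_bits(i: int) -> str:
    """Encode a leaf index as the n-bit path string i_1 ... i_n (0 = left, 1 = right)."""
    return format(i, f"0{8 * N_BYTES}b")


def ggm_direct(s: bytes, i: str) -> bytes:
    """f_s(i) by n composed applications: G_{i_1} is applied first, G_{i_n} last."""
    x = s
    for bit in i:
        x = g1(x) if bit == "1" else g0(x)
    return x


class LazyOracle:
    """Oracle of Fig. 5.2/5.3. Nodes are keyed by their path from the root, so ""
    is the root, "0" its left child and a full n-bit string a leaf. With j = 0 this
    is exactly i -> f_s(i); with j > 0 it is the j-th hybrid, in which the first j
    labels written are uniformly random; once j >= 2nT it is a random function."""

    def __init__(self, s: bytes, j: int = 0):
        self.labels: Dict[str, bytes] = {"": s}
        self.random_left = j
        self.prg_calls = 0

    def _label_children(self, parent: str) -> None:
        # One call to G labels both children, whichever one the query path uses.
        out = prg(self.labels[parent])
        self.prg_calls += 1
        for child, piece in ((parent + "0", out[:N_BYTES]), (parent + "1", out[N_BYTES:])):
            if self.random_left > 0:  # hybrid: swap in an independent random label
                piece = os.urandom(N_BYTES)
                self.random_left -= 1
            self.labels[child] = piece

    def query(self, i: str) -> bytes:
        assert len(i) == 8 * N_BYTES and set(i) <= {"0", "1"}
        # Lowest node on the path that already carries a label.
        depth = 0
        while depth < len(i) and i[: depth + 1] in self.labels:
            depth += 1
        # Label the rest of the path downwards; nothing above is recomputed.
        for d in range(depth, len(i)):
            self._label_children(i[:d])
        return self.labels[i]


def demo() -> dict:
    """Constructed run: shows PRG-call reuse between related queries."""
    s = bytes(range(N_BYTES))  # constructed seed
    o = LazyOracle(s)
    a = o.query(to_bits(0))  # leftmost leaf: n = 128 calls to G
    calls_first = o.prg_calls
    b = o.query(to_bits(1))  # its sibling: already labelled, 0 new calls
    calls_sibling = o.prg_calls
    c = o.query(to_bits((1 << 28) - 1))  # shares a 100-zero prefix: 27 new calls
    calls_third = o.prg_calls
    return {"calls": (calls_first, calls_sibling, calls_third), "leaves": (a, b, c)}
```

Both evaluation routes agree on every leaf, which is the "moment's thought" in the proof: the lazy oracle is just another way of computing $i \mapsto f_s(i)$. The call counter is what bounds $T'$: a query labels at most $n$ internal nodes (two children each, hence at most $2n$ labels), and queries sharing a prefix pay only for the unlabeled suffix.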