CIS 5371 Cryptography
3c. Pseudorandom Functions
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
1
Definition
• A 𝑘𝑒𝑦𝑒𝑑 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛 𝐹 is a two input function
∗
∗
∗
𝐹 ∶ 0,1 × 0,1 → 0,1
where the first input is called the key, denoted 𝑘,
.and the second is just called input.
2
Definition 3.23
•
Let 𝐹 be an efficient length preserving keyed
function. 𝐹 is a pseudorandom function if
 PPT distinguishers D,  a negl function
such that
| Pr 𝐷𝐹𝑘
∙
1𝑛 = 1 − Pr 𝐷 𝑓
∙
1𝑛 = 1 | ≤ negl(𝑛)
∗
where 𝑘 ← 0,1 is chosen uniformly at random
and f is chosen at random from the set of all
functions mapping n-bit strings to n-bit strings.
3
A secure fixed length
encryption scheme
𝐹𝑟𝑒𝑠ℎ 𝑟𝑎𝑛𝑑𝑜𝑚 𝑠𝑡𝑟𝑖𝑛𝑔 𝑟
𝑝𝑠𝑒𝑢𝑑𝑜𝑟𝑎𝑛𝑑𝑜𝑚
𝑘𝑒𝑦𝑒𝑑 𝑓𝑢𝑛𝑐𝑡𝑖𝑜𝑛
𝑝𝑎𝑑
𝑝𝑙𝑎𝑖𝑛𝑡𝑒𝑥𝑡
𝑋𝑂𝑅
𝑐𝑖𝑝ℎ𝑒𝑟𝑡𝑒𝑥𝑡
4
Existence of pseudorandom
functions
• We cannot prove that pseudorandom
functions exist!
• In practice there exist very efficient
primitives called block ciphers that are
widely believed to behave as
pseudorandom functions.
5
CPA secure encryption using PRF
Protocol Π = (Gen, Enc, Dec)
Let 𝐹 be a pseudorandom function. Define a
private-key encryption scheme for messages of
length 𝑛 as follows:
• Gen: on input 1𝑛 choose 𝑘  {0,1}𝑛 uniformly at
random and output 𝑘 as key.
• Enc: on input a key 𝑘  {0,1}𝑛 and a message
m{0,1}𝑛 , choose choose 𝑟  {0,1}𝑛 uniformly at
random and output the ciphertext
𝑐 ≔ 𝑟, 𝐹𝑘 𝑟  𝑚 .
• Dec: on input a key 𝑘  {0,1}𝑛 and a ciphertext
c = 𝑟, 𝑠, output the plaintext
𝑚 ≔ 𝐹𝑘 𝑟  𝑠 .
6
Theorem 3.25
Let 𝐹 be a pseudorandom function.
Then protocol  is a fixed-length private-key
encryption scheme for messages of length n that
has indistinguishable encryptions under CPA.
7
A secure fixed length encryption
Proof
Let Π be an encryption that is exactly the same
as Π but that uses a truly random function 𝑓.
Then,
∀ Adversary A (even inefficient) that makes at
most 𝑞 𝑛 queries to the oracle, we have
Pr PrivK
cpa
1
𝑞(𝑛)
𝐴, Π 𝑛 = 1 =
+ 𝑛+1
2
2
8
A secure fixed length encryption
Proof
We have: Pr PrivK
Let
cpa
𝜀 𝑛 ≝ Pr[PrivK
cpa
𝐴, Π 𝑛 = 1 =
1
2
+
(𝐴, Π) 𝑛 = 1] −
1
2
.
Then Pr[PrivK cpa (𝐴, Π)
𝑛 = 1] =
1
2
𝑞(𝑛)
.
2𝑛+1
+ 𝜀(𝑛).
If  is negligible then we should not be able to
distinguish these.
Otherwise a gap between them would make it
possible to distinguish truly random from
pseudorandom.
9
A secure fixed length encryption
Reduction
Distinguisher D with oracle O: {0,1}𝑛  {0,1}𝑛
Adversary A with
Protocol Π or Π
1𝑛
1𝑛 , 𝑜𝑟𝑎𝑐𝑙𝑒 O
Choose 𝑟  {0,1}
uniformly at random
Query O 𝑟 to get 𝑠
𝑛
𝑒𝑛𝑐𝑟𝑦𝑝𝑡 𝑚
(𝑟, 𝑠  𝑚)
Query encryption oracle to
get encryptions of chosen
plaintexts
𝑚0 , 𝑚1
𝑜𝑡ℎ𝑒𝑟: (𝑟, 𝑠  𝑚)
1 if 𝑏 ′ = 𝑏
0 if 𝑏 ′  𝑏
choose a random bit 𝑏
Query O 𝑟′ to get 𝑠′
return 𝑐𝑏 = 𝑟′, 𝑠′  𝑚𝑏 
𝑐𝑏
Repeat: Query to get
encryptions of chosen
plaintexts
𝑏′
10
A secure fixed length encryption
Proof
From,
Pr 𝐷 𝐹𝑘 (∙) 1𝑛 = 1 = Pr[PrivK
cpa
Pr 𝐷 𝑓(∙) 1𝑛 = 1 = Pr[PrivK
cpa
1
(𝐴, Π)(𝑛) = 1] = 2 + 𝜀 𝑛
and
𝐴, Π
𝑛 = 1] .
Then,
| Pr[𝐷𝐹𝑘(∙) 1𝑛 = 1 − Pr[𝐷 𝑓 (∙) 1𝑛 = 1]| ≥
≥
1
2
+ 𝜀 𝑛 −
1
2
𝑞 𝑛
− 𝑛+1
2
= ε 𝑛
𝑞(𝑛)
− 𝑛+1
2
that must be negligible.
So ε 𝑛 is negligible.
11
A secure variable length
encryption
The messages 𝑚1 , . . . , 𝑚𝑙 can be securely
encrypted as
𝑟1 , 𝐹𝑘 𝑟1  𝑚1  , . . . , 𝑟𝑙 , 𝐹𝑘 𝑟𝑙  𝑚𝑙 .
12
Corollary 3.26
Let 𝐹 be a pseudorandom function.
Then the scheme sketched in the previous slide
is an arbitrary length private-key encryption
scheme that has indistinguishable encryptions
under CPA.
13
Pseudorandom permutations
•
Let
∗
∗
∗
𝐹 ∶ 0,1 × 0,1 → 0,1
be an efficient, length preserving, keyed function.
𝐹 is called a 𝑘𝑒𝑦𝑒𝑑 𝑝𝑒𝑟𝑚𝑢𝑎𝑡𝑎𝑡𝑖𝑜𝑛 if for every 𝑘,
the function 𝐹𝑘 ∙ is one-to-one 𝑠𝑜 𝐹 𝑖𝑠 a 𝑏𝑖𝑗𝑒𝑐𝑡𝑖𝑜𝑛 .
• A keyed permutation is efficient if there is a
polynomial-time algorithm that will compute
function 𝐹𝑘 −1 𝑥 given 𝑘 and 𝑥 .
• A pseudorandom permutation is defined in a
manner analogous to Definition 3.23, by replacing the
term “function” by “permutation”.
14
Definition 3.28
Strong Pseudorandom permutations
•
Let F be an efficient keyed permutation. We say that
𝐹 is a strong pseudorandom permutation if,
 PPT distinguishers D,  a negl function such that
| Pr
−1
𝐹
∙
,
𝐹
(∙)
𝑘
𝑘
𝐷
1𝑛
= 1 − Pr
−1 (∙)
𝑓
∙
,𝑓
𝐷
1𝑛 = 1 |
≤ negl(𝑛)
where 𝑘 ← {0,1}∗ is chosen uniformly at random and f
is chosen at random from the set of all permutations
on n-bit strings.
• The analogue for strong pseudorandom permutations
are block ciphers.
15
Pseudorandom permutations
modes of operation
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Output Feedback (OFB)
4. Counter(CTR)
16
Pseudorandom permutations
𝑚1
𝑚2
𝑚3
𝐹𝑘
𝐹𝑘
𝐹𝑘
𝑐1
𝑐2
𝑐3
Electronic Code Book (ECB)
17
Pseudorandom permutations
IV
IV
𝑚1
𝑚2
𝑚3



𝐹𝑘
𝐹𝑘
𝐹𝑘
𝑐1
𝑐2
𝑐3
Cipher Block Chaining (CBC)
18
Pseudorandom permutations
IV
𝐹𝑘
IV
𝑚1

𝑐1
𝐹𝑘
𝑚2

𝑐2
𝐹𝑘
𝑚3

𝑐3
Output Feedback (OFB)
19
Pseudorandom permutations
ctr
𝑚1
ctr
ctr+1
ctr+2
ctr+3
𝐹𝑘
𝐹𝑘
𝐹𝑘

𝑐1
𝑚2

𝑚3
𝑐2

𝑐3
Counter mode (CTR)
20
Pseudorandom permutations
modes of operation
Electronic Code Book (ECB)
𝑚1 , 𝑚2 , … , 𝑚𝑙  𝐹𝑘 𝑚1 , 𝐹𝑘 𝑚2 , … , 𝐹𝑘 𝑚𝑙
Encryption is deterministic : no CPA-security
Worse: ECB-mode does not have indistinguishable
encryptions in the presence of an eavesdropper: if
a block is repeated in the plaintext, the same block
will be repeated in the ciphertext.
21
Pseudorandom permutations
modes of operation
Cipher Block Chaining (CBC)
𝑐𝑖 = 𝐹𝑘 (𝑐𝑖−1  𝑚𝑖 ).
Encryption is probabilistic . 𝐹𝑘 must be invertible.
It has been shown that we get CPA-security if 𝐹𝑘
is a pseudorandom permutation.
Drawback: encryption is sequential.
[Chained CBC: the last block of the previous ciphertext is the
IV of the next ciphertext. Used in SSL 3.0 & TLS 1.0]
22
Pseudorandom permutations
modes of operation
Output Feedback (OFB)
𝑟𝑖 = 𝐹𝑘 (𝑟𝑖−1 ), 𝑐𝑖 = 𝑚𝑖  𝑟𝑖 .
Unsynchronized stream-cipher mode.
Encryption is probabilistic.
It can been shown that we get CPA-security if
𝐹𝑘 is a pseudorandom permutation.
Drawback: both encryption and encryption are
sequential.
23
Pseudorandom permutations
modes of operation
Counter(CTR) -- randomized counter mode
𝑟𝑖 = 𝐹𝑘 (ctr + 𝑖), 𝑐𝑖 = 𝑚𝑖  𝑟𝑖 ,
𝐹𝑘 need not be invertible.
Encryption is probabilistic .
It can been shown that we get CPA-security if 𝐹 is
a pseudorandom function.
Both encryption and encryption can be fully
parallelized.
We do not require that 𝐹 is a permutation (that is,
it need not be invertible).
24
Chosen Ciphertext Attacks (CCA)
In a CCA the adversary not only can encrypt
messages of his choice (CPA) but also can decrypt
ciphertexts of his choice (with one exception
discussed later).
Formally this is captured by giving the adversary
access to a decryption oracle (as well as the
encryption oracle).
Let = (Gen, Enc, Dec) be a private-key encryption
scheme, 𝐴 an adversary and 𝑛 the value of the
security parameter.
25
CCA indistinguishability experiment
cca
PrivK (A, Π)(𝑛)
1.
3.
4.
3.
A key 𝑘 is generated running Gen 1𝑛 .
The adversaryA is given input 1𝑛 and 𝑜𝑟𝑎𝑐𝑙𝑒 𝑎𝑐𝑐𝑒𝑠𝑠 𝑡𝑜
En𝑐𝑘 ∙ 𝑎𝑛𝑑 De𝑐𝑘 ∙ 𝑎𝑛𝑑 outputs a pair of messages 𝑚0
and 𝑚1 of the same length.
A random bit 𝑏  0,1 is chosen and then a ciphertext
𝑐𝑖  En𝑐𝑘 𝑚𝑏 is computed and given to A.
The adversary A continues to have 𝑜𝑟𝑎𝑐𝑙𝑒 𝑎𝑐𝑐𝑒𝑠𝑠 𝑡𝑜
Enc𝑘 ∙ 𝑎𝑛𝑑 De𝑐𝑘 ∙ 𝑏𝑢𝑡 𝑖𝑠 𝑛𝑜𝑡 𝑎𝑙𝑙𝑜𝑤𝑒𝑑 𝑡𝑜 𝑞𝑢𝑒𝑟𝑦 𝐷𝑒𝑐𝑘 ∙
on the challenge ciphertext 𝑐𝑖 itself. Eventually A
outputs a bit 𝑏 ′ .
The output of the experiment i𝑠 1 if 𝑏 = 𝑏 ′ and 0 otherwise.
26
Indistinguishable encryptions
under CCA --Definition
A private-key encryption scheme Π has
indistinguishable encryptions under CCA if
∀ PPT adversaries A, ∃ 𝑎 negl function with:
Pr[PrivK
cca
(A, Π)(𝑛)=1] ≤
1
2
+ negl(n)
where the probabilities is taken over the
coins used in the experiment.
27
Insecurity of the encryption
schemes that we have studied
1. .All earlier discussed private-key encryption
schemes are not CCA-secure.
2. Example.
Let 𝑐 ≔ 𝑟, 𝐹𝑘 𝑟  𝑚 , and suppose A chose𝑠
𝑚0 = 0𝑛 and 𝑚1 = 1𝑛 , to get the ciphertext 𝑟, 𝑠. The
adversary flips the first bit of 𝑠 to get 𝑠 ′ an asks for the
plaintext of 𝑐 ′ = 𝑟, 𝑠′ ≠ 𝑐 .
If he gets 10𝑛−1 then 𝑏 = 0; if he gets 01𝑛−1 then 𝑏 = 1.
4. CCA implies non-malleability : by trying to modify the
ciphertext the result is either an invalid ciphertext or one
that decrypts to a plaintext that has no relation to the
original.
28