Symmetric-Key Encryption: constructions (Lecture 5)
Topics: PRG from One-Way Permutations; PRF; Block Cipher. Recall: the one-bit-stretch PRG G_k: {0,1}^k → {0,1}^{k+1}, and increasing its stretch by using part of the PRG output as a new seed.


Goldreich-Levin Predicate (slides 1-8)
  - Given any OWF f, can slightly modify it to get a OWF g_f such that
    - g_f has a simple hardcore predicate
    - g_f is almost as efficient as f; is a permutation if f is one
  - g_f(x, r) = (f(x), r), where |r| = |x|
  - Input distribution: x as for f, and r independently random
  - GL predicate: B(x, r) = <x, r> (dot product of bit vectors, taken mod 2)
  - Can show that a predictor of B(x, r) with non-negligible advantage can be turned into an inversion algorithm for f
  - Predictor for B(x, r) is a "noisy channel" through which x, encoded as (<x,0>, <x,1>, ..., <x,2^|x|-1>) (Walsh-Hadamard code), is transmitted. Can recover x by error-correction (local list decoding)

PRG from One-Way Permutations (slides 9-18)
  - One-bit stretch PRG, G_k: {0,1}^k → {0,1}^{k+1}
  - [diagram: k random seed bits → G → k + 1 output bits]
  - G(x) = f(x) ∘ B(x), where f: {0,1}^k → {0,1}^k is a one-way permutation (a bijection), and B a hardcore predicate for f
  - Claim: G is a PRG
    - For a random x, f(x) is also random, and hence all of f(x) is next-bit unpredictable. B is a hardcore predicate, so B(x) remains unpredictable after seeing f(x)
  - Important: holds only when the seed x is kept hidden, and is random ... or pseudorandom

PRG from One-Way Permutations: increasing the stretch (slides 19-24)
  - One-bit stretch PRG, G_k: {0,1}^k → {0,1}^{k+1}
  - Can use part of the PRG output as a new seed
  - [diagram: a chain G → G → G → ..., each G fed by the seed part of the previous G's output]
  - If the intermediate seeds are never output, can keep stretching on demand (for any "polynomial length")
  - A stream cipher SC_K
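Added example (my code, not from the slides) putting the GL predicate and the one-bit-stretch PRG together and then stretching it on demand so that intermediate seeds are never output. The 16-bit size and the toy permutation f(x) = 3^x mod 65537 are my assumptions; that permutation is not one-way at this size and only stands in for f.

```python
# Added example, not from the lecture: the one-bit-stretch PRG G(x) = f(x) o B(x)
# built from a permutation f and a hardcore predicate B, then re-seeded on demand
# so that intermediate seeds are never output (the lecture's stream cipher).
# Assumptions (mine, not the slides'): k = 16 toy bits; f(x) = 3^x mod 65537, a
# permutation of {0,1}^16 (3 generates Z_65537^*) that is NOT one-way at this
# size; B is the Goldreich-Levin bit <x, r>, so the PRG seed is the pair (x, r).

K = 16
P = 65537                       # Fermat prime: Z_P^* has order 2^16, generated by 3
MASK = (1 << K) - 1

def f(x):
    """Stand-in for a one-way permutation on {0,1}^K: 3^x mod P, shifted to [0, 2^K)."""
    assert 0 <= x <= MASK
    return pow(3, x, P) - 1     # 3^x lies in [1, P-1], so the result lies in [0, 2^K - 1]

def gl_predicate(x, r):
    """Goldreich-Levin hardcore predicate B(x, r) = <x, r>, the GF(2) inner product."""
    return bin(x & r).count("1") & 1

def G(x, r):
    """One-bit-stretch PRG on the 2K-bit seed (x, r): returns (f(x), r, B(x, r)), 2K+1 bits."""
    return f(x), r, gl_predicate(x, r)

def stream(x, r, nbits):
    """Stretch on demand: the 2K-bit part of each output becomes the next seed and
    only the hardcore bit is emitted, so the seeds (x_i, r) never leave the generator."""
    bits = []
    for _ in range(nbits):
        x, r, b = G(x, r)
        bits.append(b)
    return bits

def is_permutation(func, size):
    """Exhaustive bijection check on range(size); feasible only at toy size."""
    return sorted(func(v) for v in range(size)) == list(range(size))

def one_time_pad(x, r, msg_bits):
    """Use the stream as a one-time pad; the same call decrypts, since XOR is an involution."""
    return [m ^ p for m, p in zip(msg_bits, stream(x, r, len(msg_bits)))]

if __name__ == "__main__":
    assert is_permutation(f, 1 << K)
    x0, r0 = 0x1234, 0xABCD                  # constructed seed; would be random in real use
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    ct = one_time_pad(x0, r0, msg)
    print("pad:", stream(x0, r0, len(msg)), "ciphertext:", ct)
    assert one_time_pad(x0, r0, ct) == msg
```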

PRG Summary (slides 25-31)
  - OWF, OWP, hardcore predicates
  - Output of a PRG on a random (hidden) seed is computationally indistinguishable from random
  - A PRG can be constructed from a OWP and a hardcore predicate. Possible from OWF too, but more complicated. (And many candidate OWFs are in fact permutations.)
  - Useful in SKE: can use a PRG to stretch a short key to a long (one-time) pad. Or use as a stream cipher.
  - Next: constructing a proper (multi-message) SKE scheme

Beyond One-Time (slides 32-37)
  - Need to make sure the same part of the one-time pad is never reused
    - Sender and receiver will need to maintain state and stay in sync (indicating how much of the pad has already been used)
    - Or only the sender maintains the index, but sends it to the receiver. Then the receiver will need to run the stream cipher to get to that index.
  - A PRG with direct access to any part of the output stream? Pseudorandom Function (PRF)

Pseudorandom Function (PRF) (slides 38-44)
  - A compact representation of an exponentially long (pseudorandom) string
  - Allows "random access" (instead of just sequential access)
  - A function F(s; i) outputs the i-th block of the pseudorandom string corresponding to seed s
  - Exponentially many blocks (i.e., large domain for i)
  - Pseudorandom function: need to define pseudorandomness for a function (not a string)

Pseudorandom Function (PRF): definition (slides 45-52)
  - F: {0,1}^k × {0,1}^m(k) → {0,1}^n(k) is a PRF if all PPT adversaries have negligible advantage in the PRF experiment
  - PRF experiment: a bit b ← {0,1} selects (via a MUX) whether the adversary is given oracle access to F_s with a random seed s, or to a random function R: {0,1}^m(k) → {0,1}^n(k). The adversary needs to guess which, outputting b'; the experiment outputs Yes/No according to whether b' = b.
  - Note: only 2^k seeds for F, but 2^(n·2^m) functions R
  - PRF stretches k bits to n·2^m bits

Pseudorandom Function (PRF): construction (slides 53-61)
  - A PRF can be constructed from any PRG
  - G is a length-doubling PRG: the seed K is fed to G, and the two halves of its output are K_0 and K_1
  - [diagram: a binary tree rooted at K; each node K_w is expanded by G into children K_w0 and K_w1, giving K_00, K_01, K_10, K_11, then K_000, ..., K_111, and so on]
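Added example (mine, not the lecture's) of the tree construction above: F(s; i) is computed by random access along the bits of i and checked against a full sequential expansion of the same tree, which is what lets the sender and receiver of the "Beyond One-Time" slides drop the shared pad counter. SHA-256 as the length-doubling PRG and the 16-byte seed size are assumed stand-ins.

```python
# Added example, not from the lecture: the tree construction of a PRF F(s; i)
# from a length-doubling PRG G (the K -> K_0, K_1 tree on the slides), giving
# random access to block i of an exponentially long pseudorandom string.
# Assumption (mine): G(K) = SHA-256(K) on a 16-byte K stands in for a
# length-doubling PRG; K_0 is the left half and K_1 the right half of G(K).
import hashlib

SEED_BYTES = 16                  # k = 128 bits; G doubles it to 256 bits

def G(key):
    """Length-doubling PRG stand-in: 16 bytes in, 32 bytes out."""
    assert len(key) == SEED_BYTES
    return hashlib.sha256(key).digest()

def G_half(key, bit):
    """Child K_0 (bit 0) or K_1 (bit 1) of the tree node K."""
    out = G(key)
    return out[:SEED_BYTES] if bit == 0 else out[SEED_BYTES:]

def prf(seed, index, depth):
    """F(s; i): walk from the root s along the `depth` bits of i, most significant
    first. Cost is `depth` PRG calls, whichever of the 2^depth blocks is requested."""
    assert 0 <= index < (1 << depth)
    key = seed
    for level in range(depth - 1, -1, -1):
        key = G_half(key, (index >> level) & 1)
    return key

def expand_all(seed, depth):
    """Every leaf at the given depth, computed sequentially (2^depth PRG outputs).
    Only used to check that random access agrees with full expansion."""
    level = [seed]
    for _ in range(depth):
        level = [G_half(key, b) for key in level for b in (0, 1)]
    return level

def xor_pad(block, message):
    """One-time pad with block F(s; i): the receiver recomputes the same block from (s, i)."""
    return bytes(m ^ p for m, p in zip(message, block))

if __name__ == "__main__":
    seed = bytes(range(SEED_BYTES))            # constructed seed; would be random in real use
    leaves = expand_all(seed, 8)               # 256 blocks of 16 bytes
    assert all(prf(seed, i, 8) == leaves[i] for i in range(256))
    msg = b"sixteen byte msg"                  # exactly one 16-byte block
    ct = xor_pad(prf(seed, 0xA5, 8), msg)
    print("block 0xA5 ciphertext:", ct.hex())
    assert xor_pad(prf(seed, 0xA5, 8), ct) == msg
```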
