Symmetric-Key Encryption: constructions
Lecture 5: PRG from One-Way Permutations; PRF; Block Cipher

RECALL: PRG
- One-bit stretch PRG, G_k: {0,1}^k → {0,1}^{k+1}
- Increasing the stretch: can use part of the PRG output as a new seed
- If the intermediate seeds are never output, can keep stretching on demand (for any "polynomial length")
- A stream cipher
[Figure: G maps a k-bit seed to k+1 bits; chaining G → G → G → ... → G, with k bits of each output fed back as the next seed, gives the stream cipher SC keyed by K]
One-Way Function, Hardcore Predicate
- f_k: {0,1}^k → {0,1}^{n(k)} is a one-way function (OWF) if
  - f is polynomial time computable
  - For all (non-uniform) PPT adversaries, the probability of success in the "OWF experiment" is negligible
  [Figure, OWF experiment: x ← {0,1}^k; the adversary is given f(x) and outputs x'; success iff f(x') = f(x)]
- But x may not be completely hidden by f(x)
- B is a hardcore predicate of an OWF f if
  - B is polynomial time computable
  - For all (non-uniform) PPT adversaries, the advantage over random prediction in the hardcore-predicate experiment is negligible
  [Figure, hardcore-predicate experiment: x ← {0,1}^k; the adversary is given f(x) and outputs a bit b'; success iff b' = B(x)]
- B(x) remains "completely" hidden, given f(x)
One-Way Function Candidates
- Integer factorization: f_mult(x,y) = x·y
  - Input distribution: (x,y) random k-bit primes
  - Fact: taking the input domain to be the set of all k-bit integers, with the input distribution uniform over it, will also work (if the k-bit primes distribution works)
  - Important that we require |x| = |y| = k, not just |x·y| = 2k (otherwise, 2 is a valid factor of x·y with 3/4 probability)
- Solving Subset Sum: f_subsum(x_1...x_k, S) = (x_1...x_k, Σ_{i∈S} x_i)
  - Input distribution: x_i k-bit integers, S ⊆ {1...k}, uniform
  - Inverting f_subsum is known to be NP-complete, but assuming that it is an OWF is "stronger" than assuming P ≠ NP
  - Note: (x_1,…,x_k) is "public" (given as part of the output to be inverted)
  - OWF collection: a collection of subset-sum problems, all with the same (x_1,…,x_k) (and independent S)
- Rabin OWF: f_Rabin(x; n) = (x^2 mod n, n), where n = pq, p, q are random k-bit primes, and x is uniform from {0...n}
  - This OWF can be used as an OWF collection indexed by n (many functions for the same k, using different n)
  - More (later): e.g., Discrete Logarithm (uses as index: a group & generator), RSA function (uses as index: n = pq & an exponent e)
Hardcore Predicates
- For candidate OWFs, hardcore predicates are often known
- e.g., if f_Rabin(x;n) is an OWF, then LSB(x) is a hardcore predicate for it
- Reduction: given an algorithm for finding LSB(x) from f_Rabin(x;n) for random x, one can use it to invert f_Rabin
Goldreich-Levin Predicate
- Given any OWF f, can slightly modify it to get an OWF g_f such that
  - g_f has a simple hardcore predicate
  - g_f is almost as efficient as f; is a permutation if f is one
- g_f(x,r) = (f(x), r), where |r| = |x|
  - Input distribution: x as for f, and r independently random
- GL-predicate: B(x,r) = <x,r> (dot product of bit vectors)
- Can show that a predictor of B(x,r) with non-negligible advantage can be turned into an inversion algorithm for f
- The predictor for B(x,r) is a "noisy channel" through which x, encoded as (<x,0>, <x,1>, ..., <x,2^{|x|}-1>) (Walsh-Hadamard code), is transmitted. Can recover x by error-correction (local list decoding)
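The following is an added example, not code from the lecture slides. It implements the GL predicate B(x,r) = <x,r> and the error-correction idea of the last bullet in its simplest form: when the predictor is wrong on fewer than a quarter of the r's (i.e. its advantage is above 3/4, not merely above 1/2 as in the full Goldreich-Levin theorem), bit i of x is recovered by majority vote over <x,r> ⊕ <x, r ⊕ e_i>. The function f, the bit length K, the error rate and the sample count are constructed assumptions for illustration; the decoding never uses f.

```python
# Added example (not from the lecture slides): the Goldreich-Levin predicate
# and reconstruction of x from a high-accuracy predictor of <x, r>.
import hashlib
import random
from typing import Callable, Tuple

K = 16  # bit length of x and r (constructed toy parameter)


def inner_product(x: int, r: int) -> int:
    """GL predicate B(x, r) = <x, r> over GF(2): parity of the bitwise AND."""
    return bin(x & r).count("1") & 1


def toy_f(x: int) -> bytes:
    """Stand-in for the one-way function f (SHA-256 is an assumption for illustration)."""
    return hashlib.sha256(x.to_bytes(2, "big")).digest()


def g_f(x: int, r: int) -> Tuple[bytes, int]:
    """g_f(x, r) = (f(x), r): the GL-modified function with r left in the clear."""
    return toy_f(x), r


def noisy_predictor(x: int, error_rate: float, rng: random.Random) -> Callable[[int], int]:
    """Simulates an adversary that, given (f(x), r), predicts B(x, r) but is wrong on a
    fixed random error_rate fraction of all r: a corrupted Walsh-Hadamard codeword of x."""
    errors = {r for r in range(1 << K) if rng.random() < error_rate}

    def predict(r: int) -> int:
        return inner_product(x, r) ^ (1 if r in errors else 0)

    return predict


def recover_x(predict: Callable[[int], int], samples: int, rng: random.Random) -> int:
    """Recover x bit by bit: <x, r> xor <x, r xor e_i> = x_i for every r, so if the
    predictor errs on < 1/4 of inputs, a random r gives the right x_i with probability
    > 1/2, and majority voting over many r drives the failure probability down."""
    x = 0
    for i in range(K):
        e_i = 1 << i
        votes = sum(predict(r) ^ predict(r ^ e_i) for r in (rng.getrandbits(K) for _ in range(samples)))
        if votes * 2 > samples:
            x |= e_i
    return x


def demo(error_rate: float = 0.1, seed: int = 7) -> Tuple[int, int]:
    """Pick a random x, build a predictor that errs on ~error_rate of inputs, and decode."""
    rng = random.Random(seed)
    x = rng.getrandbits(K)
    predict = noisy_predictor(x, error_rate, rng)
    return x, recover_x(predict, samples=201, rng=rng)


if __name__ == "__main__":
    x, x_hat = demo()
    print(f"x = {x:0{K}b}  recovered = {x_hat:0{K}b}  match = {x == x_hat}")
```

With a 10% error rate each vote is wrong with probability roughly 0.18, so 201 votes per bit make a wrong majority astronomically unlikely; raising `error_rate` towards 0.25 shows the simple majority argument breaking down, which is exactly the regime where the list-decoding version of the theorem is needed.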
PRG from One-Way Permutations
- One-bit stretch PRG, G_k: {0,1}^k → {0,1}^{k+1}
- G(x) = f(x)◦B(x), where f: {0,1}^k → {0,1}^k is a one-way permutation (a bijection), and B a hardcore predicate for f
- Claim: G is a PRG
  - For a random x, f(x) is also random, and hence all of f(x) is next-bit unpredictable. B is a hardcore predicate, so B(x) remains unpredictable after seeing f(x)
  - Important: holds only when the seed x is kept hidden, and is random ... or pseudorandom
[Figure: G takes the k-bit seed x and outputs the k bits of f(x) followed by the 1 bit B(x)]
- Increasing the stretch: can use part of the PRG output as a new seed
  - If the intermediate seeds are never output, can keep stretching on demand (for any "polynomial length")
  - A stream cipher
[Figure: G → G → G → ... → G chained, the k-bit part of each output feeding the next G; the resulting stream cipher SC is keyed by K]
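The following is an added example, not code from the lecture slides. It builds the one-bit-stretch PRG G(x) = f(x)◦B(x), chains it on demand so that only the hardcore bits are ever output, and uses the stream as a stream cipher. The permutation f (an affine map mod 2^k, a bijection but trivially invertible) and the predicate B (parity) are constructed stand-ins: they show the structure of the construction, not its security, which needs a genuine one-way permutation with a hardcore predicate as on the slide.

```python
# Added example (not from the lecture slides): PRG from a permutation and a
# predicate, stretched into a stream and used as a stream cipher.
from typing import List, Tuple

K = 32  # seed length in bits (constructed toy parameter)
MASK = (1 << K) - 1


def toy_permutation(x: int) -> int:
    """Stand-in for a one-way permutation f: {0,1}^k -> {0,1}^k.
    x -> a*x + c mod 2^k with a odd is a bijection (but easy to invert, so not one-way)."""
    return (0x9E3779B1 * x + 0x7F4A7C15) & MASK


def toy_predicate(x: int) -> int:
    """Stand-in for a hardcore predicate B of f: here the parity of x."""
    return bin(x).count("1") & 1


def prg_one_bit(x: int) -> Tuple[int, int]:
    """G(x) = f(x) ◦ B(x): k+1 bits, returned as (k-bit part, extra bit)."""
    return toy_permutation(x), toy_predicate(x)


def stretch(seed: int, nbits: int) -> List[int]:
    """Chain G: the k-bit part of each output becomes the next seed and only the
    hardcore bit is emitted. No intermediate seed is ever output, and the stream
    can be extended on demand: stretch(s, n) is a prefix of stretch(s, n + 1)."""
    out = []
    state = seed & MASK
    for _ in range(nbits):
        state, bit = prg_one_bit(state)
        out.append(bit)
    return out


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack a bit list (length a multiple of 8) into bytes, MSB first."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def stream_encrypt(key: int, message: bytes) -> bytes:
    """Stream cipher SC_K: XOR the message with the first 8*|message| stream bits.
    Decryption is the same operation. The key (seed) must be random and stay hidden."""
    pad = bits_to_bytes(stretch(key, 8 * len(message)))
    return bytes(m ^ p for m, p in zip(message, pad))


stream_decrypt = stream_encrypt


if __name__ == "__main__":
    key = 0xDEADBEEF  # constructed sample key
    ct = stream_encrypt(key, b"meet at noon")
    print(ct.hex(), stream_decrypt(key, ct))
```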
PRG Summary
- OWF, OWP, hardcore predicates
- Output of a PRG on a random (hidden) seed is computationally indistinguishable from random
- A PRG can be constructed from an OWP and a hardcore predicate
  - Possible from an OWF too, but more complicated. (And, many candidate OWFs are in fact permutations.)
- Useful in SKE: can use a PRG to stretch a short key to a long (one-time) pad. Or use as a stream cipher.
- Next: constructing a proper (multi-message) SKE scheme
Beyond One-Time
- Need to make sure the same part of the one-time pad is never reused
- Sender and receiver will need to maintain state and stay in sync (indicating how much of the pad has already been used)
- Or only the sender maintains the index, but sends it to the receiver. Then the receiver will need to run the stream cipher to get to that index.
- A PRG with direct access to any part of the output stream? Pseudorandom Function (PRF)
Pseudorandom Function (PRF)
- A compact representation of an exponentially long (pseudorandom) string
- Allows "random access" (instead of just sequential access)
- A function F(s;i) outputs the i-th block of the pseudorandom string corresponding to seed s
- Exponentially many blocks (i.e., large domain for i)
- Pseudorandom function: need to define pseudorandomness for a function (not a string)
Pseudorandom Function (PRF)
- F: {0,1}^k × {0,1}^{m(k)} → {0,1}^{n(k)} is a PRF if all PPT adversaries have negligible advantage in the PRF experiment
- Adversary given oracle access to either F with a random seed, or a random function R: {0,1}^{m(k)} → {0,1}^{n(k)}. Needs to guess which.
[Figure, PRF experiment: b ← {0,1}; a MUX selected by b gives the adversary oracle access to either F_s or R; the adversary outputs b'; success iff b' = b]
- Note: only 2^k seeds for F, but 2^(n·2^m) functions R
- PRF stretches k bits to n·2^m bits
Pseudorandom Function (PRF)
- A PRF can be constructed from any PRG
[Figure, tree construction: G is a length-doubling PRG. The seed K is expanded as G(K) = K_0 ◦ K_1, each K_w in turn as G(K_w) = K_{w0} ◦ K_{w1}, giving K_00, K_01, K_10, K_11, then K_000, ..., K_111, and so on. On input r, follow the path given by the bits of r down from the root; the output is the leaf K_r]
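The following is an added example, not code from the lecture slides. It implements the tree construction above (the GGM construction) as a function F(K; r) that walks one root-to-leaf path, so evaluating the PRF at any of the 2^m inputs costs only m PRG calls even though the whole tree has 2^m leaves. SHA-256 is used as a stand-in for the length-doubling PRG G (G(s) = H(0‖s) ◦ H(1‖s), an assumption for illustration); the seed length and sample seed are constructed.

```python
# Added example (not from the lecture slides): a PRF from a length-doubling PRG
# by walking the binary tree K -> K_0, K_1 -> K_00, ... along the bits of the input.
import hashlib
from typing import Tuple

SEED_LEN = 32  # bytes; G maps SEED_LEN bytes to 2*SEED_LEN bytes


def length_doubling_prg(seed: bytes) -> Tuple[bytes, bytes]:
    """G(K) = K_0 ◦ K_1, returned as its two halves (SHA-256 stand-in, see lead-in)."""
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be SEED_LEN bytes")
    k0 = hashlib.sha256(b"\x00" + seed).digest()
    k1 = hashlib.sha256(b"\x01" + seed).digest()
    return k0, k1


def ggm_prf(seed: bytes, r: int, input_bits: int) -> bytes:
    """F(K; r): start at the root K and, for each bit of r from most significant to
    least, move to K_w0 or K_w1. The leaf K_r is the output block. Only input_bits
    PRG evaluations are needed, so r can range over an exponentially large domain."""
    if not 0 <= r < (1 << input_bits):
        raise ValueError("r outside the PRF input domain")
    node = seed
    for shift in range(input_bits - 1, -1, -1):
        k0, k1 = length_doubling_prg(node)
        node = k1 if (r >> shift) & 1 else k0
    return node


def prefix_node(seed: bytes, path: str) -> bytes:
    """K_w for a bit-string w such as '01': the same walk written on the tree labels,
    handy for checking that ggm_prf really lands on the leaf K_r."""
    node = seed
    for b in path:
        node = length_doubling_prg(node)[int(b)]
    return node


if __name__ == "__main__":
    K = bytes(range(SEED_LEN))  # constructed sample seed
    for r in (0, 1, 2, 2**60 + 3):
        # 64-bit inputs: 2^64 "blocks" are addressable, each costing 64 PRG calls
        print(r, ggm_prf(K, r, 64).hex()[:16])
```

Because F(K; r) is a leaf and the intermediate nodes (the "seeds" of the subtrees) are never output, an adversary querying many r's only ever sees outputs of G on hidden, pseudorandom seeds, which is what the hybrid argument for this construction relies on.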
Pseudorandom Function (PRF)
- A PRF can be constructed from any PRG
  - Not blazing fast
  - Faster constructions based on specific number-theoretic computational complexity assumptions
  - Fast heuristic constructions
- PRF in practice: Block Cipher
[Figure: BC keyed by K, applied to an input block r]
- Extra features/requirements:
  - Permutation: input block (r) to output block
  - Key can be used as an inversion trapdoor
  - Pseudorandomness even with access to inversion
CPA-secure SKE with a Block Cipher
- Suppose Alice and Bob have shared a key (seed) K for a block cipher (PRF) BC
- For each encryption, Alice will pick a fresh pseudorandom pad, by picking a fresh value r and setting pad = BC_K(r)
- Bob needs to be able to generate the same pad, so Alice sends r (in the clear, as part of the ciphertext) to Bob
[Figure: Enc: pad = BC_K(r), ciphertext = (r, m ⊕ pad) for a one-block m. Dec: recompute BC_K(r) from the received r and XOR it with the ciphertext block to recover m]
- Even if Eve sees r, PRF security guarantees that BC_K(r) is pseudorandom. (In fact, Eve could have picked r, as long as we ensure no r is reused.)
- How to pick a fresh r? Pick at random!
CPA-secure SKE with a Block Cipher
- How to encrypt a long message (multiple blocks)?
- Can chop the message into blocks and independently encrypt each block as before. Works, but the ciphertext size is double that of the plaintext (if |r| is one block long)
- Extend the output length of the PRF (w/o increasing the input length):
  - Sequential: F_K(r), then F_K applied to the previous output, and so on
  - Parallel: F_K(r,1), F_K(r,2), ..., F_K(r,t); the input length is slightly decreased, based on an a priori limit on t
  - Output is indistinguishable from t random blocks (even if the input to F_K is known/chosen)
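The following is an added example, not code from the lecture slides. It implements the one-block scheme Enc_K(m) = (r, m ⊕ BC_K(r)) with a fresh random r, its blockwise extension to long messages (which doubles the ciphertext size, as the slide above notes), and the concrete consequence of reusing an r that the earlier slide warns about: the two pads cancel and c_1 ⊕ c_2 = m_1 ⊕ m_2 becomes visible to anyone on the wire. HMAC-SHA256 stands in for the block cipher / PRF BC_K (an assumption for illustration; its 32-byte output is the block size here), and the keys and messages are constructed samples.

```python
# Added example (not from the lecture slides): one-block CPA-secure encryption with a
# PRF and a random r, blockwise extension, and what pad reuse leaks.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

BLOCK = 32  # bytes; output length of the stand-in PRF


def prf(key: bytes, r: bytes) -> bytes:
    """BC_K(r): HMAC-SHA256 as a stand-in PRF with a 32-byte output block."""
    return hmac.new(key, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, m: bytes, r: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enc_K(m) = (r, m ⊕ BC_K(r)). r travels in the clear; without K the pad BC_K(r)
    is pseudorandom, so the second component hides m. r is drawn at random unless the
    caller supplies one (only the tests and the reuse demo below do that)."""
    if len(m) != BLOCK:
        raise ValueError("this scheme encrypts exactly one block")
    if r is None:
        r = os.urandom(BLOCK)  # fresh r: pick at random
    return r, xor(m, prf(key, r))


def decrypt(key: bytes, ciphertext: Tuple[bytes, bytes]) -> bytes:
    """Bob regenerates the same pad from the received r and strips it off."""
    r, c = ciphertext
    return xor(c, prf(key, r))


def encrypt_blockwise(key: bytes, m: bytes) -> List[Tuple[bytes, bytes]]:
    """Long message: chop into blocks and encrypt each independently with its own r."""
    if len(m) % BLOCK:
        raise ValueError("message must be a whole number of blocks (no padding here)")
    return [encrypt(key, m[i:i + BLOCK]) for i in range(0, len(m), BLOCK)]


def decrypt_blockwise(key: bytes, cts: List[Tuple[bytes, bytes]]) -> bytes:
    return b"".join(decrypt(key, ct) for ct in cts)


def ciphertext_size(cts: List[Tuple[bytes, bytes]]) -> int:
    """Bytes on the wire: one r per block, so twice the plaintext length."""
    return sum(len(r) + len(c) for r, c in cts)


def pad_reuse_leak(ct1: Tuple[bytes, bytes], ct2: Tuple[bytes, bytes]) -> Optional[bytes]:
    """Eve's computation: if two ciphertexts carry the same r, the pads cancel and
    c1 ⊕ c2 = m1 ⊕ m2 without any knowledge of K. Returns None when r differs."""
    (r1, c1), (r2, c2) = ct1, ct2
    return xor(c1, c2) if r1 == r2 else None


if __name__ == "__main__":
    key = os.urandom(32)
    m1, m2 = b"A" * BLOCK, b"B" * BLOCK  # constructed sample blocks
    print(decrypt(key, encrypt(key, m1)) == m1)
    reused = bytes(BLOCK)  # deliberately reusing r to show the leak
    print(pad_reuse_leak(encrypt(key, m1, reused), encrypt(key, m2, reused)) == xor(m1, m2))
```

In the blockwise variant every block draws its own r, so it is as secure as the one-block scheme but sends 2x the plaintext size; the sequential and parallel PRF-output extensions on the slide exist precisely to avoid paying one r per block.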
CPA-secure SKE with a Block Cipher
- Various "modes" of operation of a block cipher (i.e., encryption schemes using a block cipher). All with one block overhead.
- Output Feedback (OFB) mode: extend the pseudorandom output using the first (sequential) construction in the previous slide
  [Figure: pad blocks from the chain starting at r; c_i = m_i ⊕ pad_i for i = 1...t; r is sent along with c_1, ..., c_t]
- Counter (CTR) mode: similar idea as in the second construction. No a priori limit on the number of blocks in a message. Security from the low likelihood of (r+1,...,r+t) running into (r'+1,...,r'+t')
  [Figure: pad_i = F_K(r+i) for i = 1...t; c_i = m_i ⊕ pad_i]
- Cipher Block Chaining (CBC) mode: sequential encryption. Decryption uses F_K^{-1}. Ciphertext an integral number of blocks.
  [Figure: c_1 = F_K(m_1 ⊕ r), c_i = F_K(m_i ⊕ c_{i-1}) for i = 2...t; r sent along with c_1, ..., c_t]
- Not a PRF (Why?)
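The following is an added example, not code from the lecture slides. It shows the "extra features" of a block cipher that the modes rely on, a keyed permutation whose key serves as the inversion trapdoor, and then OFB, CTR and CBC built on it, each with one block of overhead (r) and each with its decryption routine, so that the structural difference is visible: OFB and CTR decrypt with F_K alone, CBC needs F_K^{-1}. The cipher is a constructed 4-round Feistel network on 16-byte blocks with HMAC-SHA256 as its round function; it is a stand-in to exhibit the permutation/inversion structure, not a vetted cipher, and the key and messages are constructed samples.

```python
# Added example (not from the lecture slides): a toy block cipher (keyed permutation
# with inversion) and the OFB, CTR and CBC modes of operation on top of it.
import hashlib
import hmac
import os
from typing import List, Optional

BLOCK = 16  # bytes
ROUNDS = 4


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function for round i: 8-byte half -> 8 bytes (HMAC stand-in)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def bc_encrypt(key: bytes, block: bytes) -> bytes:
    """F_K: a Feistel network is a permutation of the block space for any round function."""
    L, R = block[:8], block[8:]
    for i in range(ROUNDS):
        L, R = R, xor(L, round_fn(key, i, R))
    return R + L  # final swap, so the inverse is the same network with rounds reversed


def bc_decrypt(key: bytes, block: bytes) -> bytes:
    """F_K^{-1}: same rounds in reverse order; knowing K is the inversion trapdoor."""
    L, R = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        L, R = R, xor(L, round_fn(key, i, R))
    return R + L


def split_blocks(data: bytes) -> List[bytes]:
    if len(data) % BLOCK:
        raise ValueError("message must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ofb_encrypt(key: bytes, m: bytes, r: Optional[bytes] = None) -> bytes:
    """OFB: pad_1 = F_K(r), pad_i = F_K(pad_{i-1}); c_i = m_i ⊕ pad_i. Output r ‖ c_1..c_t."""
    r = r or os.urandom(BLOCK)
    out, pad = [], r
    for mi in split_blocks(m):
        pad = bc_encrypt(key, pad)
        out.append(xor(mi, pad))
    return r + b"".join(out)


def ofb_decrypt(key: bytes, ct: bytes) -> bytes:
    return ofb_encrypt(key, ct[BLOCK:], ct[:BLOCK])[BLOCK:]  # same pad stream


def ctr_encrypt(key: bytes, m: bytes, r: Optional[bytes] = None) -> bytes:
    """CTR: pad_i = F_K(r + i); c_i = m_i ⊕ pad_i. Blocks are independent of each other."""
    r = r or os.urandom(BLOCK)
    counter = int.from_bytes(r, "big")
    out = []
    for i, mi in enumerate(split_blocks(m), start=1):
        ctr_block = ((counter + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out.append(xor(mi, bc_encrypt(key, ctr_block)))
    return r + b"".join(out)


def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    return ctr_encrypt(key, ct[BLOCK:], ct[:BLOCK])[BLOCK:]


def cbc_encrypt(key: bytes, m: bytes, r: Optional[bytes] = None) -> bytes:
    """CBC: c_i = F_K(m_i ⊕ c_{i-1}) with c_0 = r. Inherently sequential."""
    r = r or os.urandom(BLOCK)
    out, prev = [], r
    for mi in split_blocks(m):
        prev = bc_encrypt(key, xor(mi, prev))
        out.append(prev)
    return r + b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    """m_i = F_K^{-1}(c_i) ⊕ c_{i-1}: the only mode here that needs the inverse."""
    blocks = split_blocks(ct)
    return b"".join(xor(bc_decrypt(key, c), prev) for prev, c in zip(blocks, blocks[1:]))


if __name__ == "__main__":
    key, msg = os.urandom(32), bytes(range(48))  # constructed samples
    for enc, dec in ((ofb_encrypt, ofb_decrypt), (ctr_encrypt, ctr_decrypt), (cbc_encrypt, cbc_decrypt)):
        ct = enc(key, msg)
        print(enc.__name__, len(ct) - len(msg), "bytes overhead, round trip:", dec(key, ct) == msg)
```

None of the three modes pads the message, so a plaintext that is not a whole number of blocks is rejected rather than silently handled; padding (and its own pitfalls) is a separate topic from the pseudorandomness argument the slides make.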