(CS555) Pseudorandom Functions and CPA Security

Outline and Readings

Outline

• Keyed Function
• Pseudorandom function (PRF)
• Encryption using PRF
• Pseudorandom Permutation (PRP)

Readings

• Katz and Lindell: 3.6.1 ~ 3.6.3

Keyed Function

• A key function F:{0,1}​k​​×{0,1}​⋆​​→{0,1}​⋆​​
  • Takes two inputs, first called the key, second input
  • When $k$ is fixed, F​k​​:{0,1}​⋆​​→{0,1}​⋆​​
  • We say $F$ is length-preserving when $|Fk(x)|=|x|=|k|$
• Informal: A keyed function $F$ is pseudorandom, iff when k←{0,1}​n​​ the resulting function is indistinguishable from a function chosen at uniform random from all functions {0,1}​⋆​​→{0,1}​⋆​​

Use Func​n​​: The Set of All Functions {0,1}​⋆​​→{0,1}​⋆​​

• How large is the set Func​n​​?
  • (2​n​​)​2​n​​​​=2​n⋅2​n​​​​
    • When $n=2$, this is $28$; $n=8$, this is $22048$
• Func​n​​ can be viewed as a big look-up table, storing values for each string in {0,1}​n​​
  • The table can then be viewed as a string of length n⋅2​n​​
  • Can define a keyed function such that each key selects a function in Func​n​​; call this the Random Function.
• How to implement a function $f$ that is randomly chosen from Func​n​​?
  • Maintains a table that is initially empty. When one queries $f(x)$, first looks in the table, if $x$ does not exist, randomly chooses $y$, add $(x,y)$ to the table, and return $y$; if $(x,y)$ exists, then return $y$.

Properties of Random Functions

• Let $R$ be the random function such that R​k​​, when $k$ randomly chosen, gives a random function in Func​n​​
  • Knowing R​k​​(a) gives absolutely no information about R​k​​(b) for $a\ne b$
• How to use the random function $R$ for encryption?
  • How about Enc​k​​(m)=R​k​​(m)?
• Correct way: Given message $m$, randomly chooses $r$, then c:=⟨r,R​k​​(r)⊕m⟩
  • So long as $r$ does not repeat, no information is leaked about $m$
  • Assuming sharing an (extremely) long random string, different portions are used to encrypt different messages

Pseudorandom Function (PRF)

Definition 2.3. Given an efficient, length-preserving key function F:{0,1}​k​​×{0,1}​⋆​​→{0,1}​⋆​​, we say $F$ is a pseudorandom function iff for all PPT distinguisher $D$, there exists a negligible function $negl$ such that

∣Pr[D​Fk(⋅)​​(1​n​​)=1]−Pr[D​f(⋅)​​(1​n​​)=1]∣≤negl(n)

• Where k←{0,1}​n​​ is chosen uniformly at random and $f$ is chosen uniformly at random from Func​n​​.
• $D$ is given oracle access to a function, and needs to tell whether the function is a random one, or one from $F$.

TIP

Q: What does PPT distinguisher D mean in cryptography?

A(AI generated): In the context of cryptography, the term "PPT" stands for "Probabilistic Polynomial Time." It refers to an algorithm or a Turing machine that runs in polynomial time with a randomization component. PPT algorithms are probabilistic because they can use randomness during their computation.

A "distinguisher" is an algorithm or an attacker that aims to distinguish between different cryptographic objects or properties. In the case of PPT distinguishers, they are used to distinguish between cryptographic schemes or primitives, such as encryption algorithms or hash functions.

The subscript "D" in "PPT distinguisher D" typically denotes a specific distinguisher algorithm. The purpose of such a distinguisher is to analyze a cryptographic scheme or primitive and determine whether it possesses certain desirable properties or security guarantees. For example, in the field of symmetric-key cryptography, a PPT distinguisher may be employed to determine whether an encryption algorithm exhibits strong pseudo-randomness or if it is vulnerable to certain attacks.

It's important to note that the specific functionality and goals of a PPT distinguisher may vary depending on the context and the cryptographic primitive being analyzed.

An Encryption Scheme Using PRF

• Construction 3.24. using a PRF $F$
  • Enc​k​​(m):c:=⟨r,F​k​​(r)⊕m⟩
    • where r←{0,1}​n​​ is chosen at uniform random
  • Dec​k​​(c): given c=⟨r,s⟩,m:=F​k​​(r)⊕s
  • Intuitively this is secure: so long as $r$ is not used for different messages, F​k​​(r) should look completely random, hence $m$ is like being encrypted using OTP
• Theorem 3.25. If $F$ is PRF, then Construction 3.24 is CPA-scure.

Proof of Theorem 3.25

• Given any $A$ that breaks CPA-security of $\mathrm{\Pi }$ construction 3.24, construct a distinguisher $D$ as follows:
  • $D$ is given oracle access to a function $g$, and needs to tell from which distribution is $g$ drawn
  • When $A$ requests an encryption, uses $c:=⟨r,g(r)\oplus m⟩$
  • If $A$ succeeds in guessing which of m​0​​ and m​1​​ is encrypted under the challenge ciphertext, outputs $1$ (PRF), otherwise output $0$ (Random)
• When $D$ is given a random function $f$
  • Pr[D​f(⋅)​​(1​n​​)=1]=Pr[PrivK​A,Λ​cpa​​=1]≤​2​​1​​+​2​n​​​​q(n)​​
  • Assuming that $A$ makes at most $q(n)$ requests for encryption,
  • We use $\mathrm{\Lambda }$ to denote Construction 3.24 with random function
  • When $r$ used in the challenge message does not appear in other messages, Pr[PrivK​A,Λ​cpa​​=1]=​2​​1​​
  • Prob that $r$ appears in other challenges is ​2​n​​​​q(n)​​
• When $D$ is given a pseudorandom function
  • Pr[D​Fk(⋅)​​(1​n​​)=1]=Pr[PrivK​A,Π​cpa​​=1]
• Thus
  • Pr[PrivK​A,Π​cpa​​=1]≥​2​​1​​+negl(n) if and only if ∣Pr[D​Fk(⋅)​​(1​n​​)=1]−Pr[D​f(⋅)​​(1​n​​)=1]∣≥negl(n)

Pseudorandom Permutations (PRP)

• We say that a length-preserving keyed function F:{0,1}​k​​×{0,1}​⋆​​→{0,1}​⋆​​, is a keyed permutation if and only if each F​k​​ is a bijection
• A Pseudorandom Permutation (PRP) is a keyed permutation that is indistinguishable from a random permutation
• A Strong PRP is a keyed permutation is indistinguishable from a random permutation when the distinguisher is given access to both the function and its inverse
• We assume block ciphers are PRP.