04 1 using block annotated tủ tài liệu bách khoa
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (259.45 KB, 12 trang )
Online
Cryptography
Course
Dan
Boneh
Using
block
ciphers
Review:
PRPs
and
PRFs
Dan
Boneh
Block
ciphers:
crypto
work
horse
n bits
PT Block
n bits
CT Block
E, D
Key
k bits
Canonical examples:
1. 3DES: n= 64 bits,
2. AES:
k = 168 bits
n=128 bits, k = 128, 192, 256 bits
Dan
Boneh
Abstractly:
PRPs
and
PRFs
• Pseudo
Random
FuncAon
(PRF)
defined
over
(K,X,Y):
F:
K
×
X
→
Y
such
that
exists
“efficient”
algorithm
to
evaluate
F(k,x)
• Pseudo
Random
PermutaAon
(PRP)
defined
over
(K,X):
E:
K
×
X
→
X
such
that:
1.
Exists
“efficient”
determinisAc
algorithm
to
evaluate
E(k,x)
2.
The
funcAon
E(
k,
⋅
)
is
one-‐to-‐one
3.
Exists
“efficient”
inversion
algorithm
D(k,x)
Dan
Boneh
Secure
PRFs
• Let
F:
K
×
X
→
Y
be
a
PRF
Funs[X,Y]:
the
set
of
all
funcAons
from
X
to
Y
SF
=
{
F(k,⋅)
s.t.
k
∈
K
}
⊆
Funs[X,Y]
• IntuiAon:
a
PRF
is
secure
if
a
random
funcAon
in
Funs[X,Y]
is
indisAnguishable
from
a
random
funcAon
in
SF
SF
Funs[X,Y]
Size
|K|
Size
|Y|
|X|
Dan
Boneh
Secure
PRF:
definAon
• For
b=0,1
define
experiment
EXP(b)
as:
b
Chal.
f
b=0:
k←K,
f
←F(k,⋅)
b=1:
f←Funs[X,Y]
Adv.
A
x1
∈
X
,
x2
,
…,
xq
f(x1)
,
f(x2)
,
…,
f(xq)
b’
∈
{0,1}
• Def:
F
is
a
secure
PRF
if
for
all
“efficient”
A:
EXP(b)
AdvPRF[A,F]
:=
|Pr[EXP(0)=1]
–
Pr[EXP(1)=1]
|
is
“negligible.”
Dan
Boneh
Secure
PRP
(secure
block
cipher)
• For
b=0,1
define
experiment
EXP(b)
as:
b
Chal.
f
b=0:
k←K,
f
←E(k,⋅)
b=1:
f←Perms[X]
Adv.
A
x1
∈
X
,
x2,
…,
xq
f(x1)
,
f(x2),
…,
f(xq)
• Def:
E
is
a
secure
PRP
if
for
all
“efficient”
A:
AdvPRP[A,E]
=
|Pr[EXP(0)=1]
–
Pr[EXP(1)=1]
|
is
“negligible.”
b’
∈
{0,1}
Dan
Boneh
Let
X
=
{0,1}.
Perms[X]
contains
two
funcAons
Consider
the
following
PRP:
key
space
K={0,1},
input
space
X
=
{0,1},
PRP
defined
as:
E(k,x)
=
x⨁k
Is
this
a
secure
PRP?
Yes
No
It
depends
Example
secure
PRPs
• PRPs
believed
to
be
secure:
3DES,
AES,
…
AES-‐128:
K
×
X
→
X
where
K
=
X
=
{0,1}128
• An
example
concrete
assumpAon
about
AES:
All
280–Ame
algs.
A
have
AdvPRP[A,
AES]
<
2-‐40
Dan
Boneh
Consider
the
1-‐bit
PRP
from
the
previous
quesAon:
E(k,x)
=
x⨁k
Is
it
a
secure
PRF?
Note
that
Funs[X,X]
contains
four
funcAons
Yes
No
It
depends
Akacker
A:
(1) query
f(⋅)
at
x=0
and
x=1
(2) if
f(0)
=
f(1)
output
“1”,
else
“0”
AdvPRF[A,E]
=
|0-‐½|
=
½
PRF
Switching
Lemma
Any
secure
PRP
is
also
a
secure
PRF,
if
|X|
is
sufficiently
large.
Lemma:
Let
E
be
a
PRP
over
(K,X)
Then
for
any
q-‐query
adversary
A:
|
AdvPRF
[A,E]
-
AdvPRP[A,E]
|
<
q2
/
2|X|
⇒
Suppose
|X|
is
large
so
that
q2
/
2|X|
is
“negligible”
Then
AdvPRP
[A,E]
“negligible”
⇒
AdvPRF[A,E]
“negligible”
Dan
Boneh
Final
note
• SuggesAon:
– don’t
thing
about
the
inner-‐workings
of
AES
and
3DES.
• We
assume
both
are
secure
PRPs
and
will
see
how
to
use
them
Dan
Boneh
End
of
Segment
Dan
Boneh
