Online Cryptography Course
Dan Boneh
Using block ciphers
Review: PRPs and PRFs
Block ciphers: crypto work horse

[Figure: an n-bit PT block enters E (encrypt) or D (decrypt) under a k-bit key and comes out as an n-bit CT block.]

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES:  n = 128 bits, k = 128, 192, 256 bits
Abstractly: PRPs and PRFs

• Pseudo Random Function (PRF) defined over (K,X,Y):
    F: K × X → Y
  such that there exists an "efficient" algorithm to evaluate F(k,x)

• Pseudo Random Permutation (PRP) defined over (K,X):
    E: K × X → X
  such that:
  1. There exists an "efficient" deterministic algorithm to evaluate E(k,x)
  2. The function E(k,⋅) is one-to-one
  3. There exists an "efficient" inversion algorithm D(k,x), i.e. D(k, E(k,x)) = x for all k ∈ K, x ∈ X
Secure PRFs

• Let F: K × X → Y be a PRF
    Funs[X,Y]: the set of all functions from X to Y
    S_F = { F(k,⋅) s.t. k ∈ K } ⊆ Funs[X,Y]

• Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in S_F

[Figure: S_F, of size |K|, drawn as a small subset inside Funs[X,Y], of size |Y|^|X|.]
Secure PRF: definition

• For b=0,1 define experiment EXP(b) as:
    Chal. picks f:
      b=0: k←K, f←F(k,⋅)
      b=1: f←Funs[X,Y]
    Adv. A sends queries x1, x2, …, xq ∈ X and receives f(x1), f(x2), …, f(xq)
    Adv. A outputs b' ∈ {0,1}

• Def: F is a secure PRF if for all "efficient" A:
    Adv_PRF[A,F] := | Pr[EXP(0)=1] – Pr[EXP(1)=1] |
  is "negligible."
Secure PRP (secure block cipher)

• For b=0,1 define experiment EXP(b) as:
    Chal. picks f:
      b=0: k←K, f←E(k,⋅)
      b=1: f←Perms[X]
    Adv. A sends queries x1, x2, …, xq ∈ X and receives f(x1), f(x2), …, f(xq)
    Adv. A outputs b' ∈ {0,1}

• Def: E is a secure PRP if for all "efficient" A:
    Adv_PRP[A,E] := | Pr[EXP(0)=1] – Pr[EXP(1)=1] |
  is "negligible."
Let X = {0,1}. Perms[X] contains two functions.
Consider the following PRP: key space K = {0,1}, input space X = {0,1}, PRP defined as:
    E(k,x) = x ⊕ k
Is this a secure PRP?
    Yes / No / It depends
Example secure PRPs

• PRPs believed to be secure: 3DES, AES, …
    AES-128: K × X → X where K = X = {0,1}^128

• An example concrete assumption about AES:
    All 2^80-time algs. A have Adv_PRP[A, AES] < 2^-40
Consider the 1-bit PRP from the previous question: E(k,x) = x ⊕ k
Is it a secure PRF?
Note that Funs[X,X] contains four functions.
    Yes / No / It depends

Attacker A:
  (1) query f(⋅) at x=0 and x=1
  (2) if f(0) = f(1) output "1", else "0"

For b=0, f(x) = x ⊕ k takes different values at x=0 and x=1 for both keys, so A never outputs "1": Pr[EXP(0)=1] = 0.
For b=1, two of the four functions in Funs[X,X] are constant, so Pr[EXP(1)=1] = ½.

Adv_PRF[A,E] = | 0 – ½ | = ½
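The two experiments above are small enough to enumerate exactly. The following is an added example, not code from the lecture; it runs the slide's two-query attacker against E(k,x) = x ⊕ k with K = X = {0,1} in both the PRF experiment (f ← Funs[X,X]) and the PRP experiment (f ← Perms[X]) and computes each advantage as an exact fraction. The function and variable names are this example's own. It also checks the three PRP properties from the definition slide for this E.

```python
"""Added example (not from the lecture slides): exact advantages of the slide's
attacker against the 1-bit cipher E(k,x) = x XOR k in the PRF and PRP experiments.
Both experiments are enumerated exactly, so no sampling is involved."""
from itertools import product
from fractions import Fraction

X = (0, 1)          # input space X = {0,1}
K = (0, 1)          # key space   K = {0,1}


def E(k, x):
    """The 1-bit PRP from the slide: E(k,x) = x XOR k."""
    return x ^ k


def D(k, y):
    """Inverse of E(k, .): XOR with k is its own inverse."""
    return y ^ k


def all_functions():
    """Funs[X,X]: every map from X to X, stored as {0: f(0), 1: f(1)}. 2^2 = 4 of them."""
    return [dict(zip(X, outs)) for outs in product(X, repeat=len(X))]


def all_permutations():
    """Perms[X]: the one-to-one maps in Funs[X,X]. Exactly 2 of them."""
    return [f for f in all_functions() if len(set(f.values())) == len(X)]


def cipher_functions():
    """S_E = { E(k, .) : k in K }, the functions the challenger uses when b = 0."""
    return [{x: E(k, x) for x in X} for k in K]


def attacker(f):
    """The adversary from the slide: query f at 0 and 1, output 1 iff f(0) == f(1)."""
    return 1 if f[0] == f[1] else 0


def prob_output_one(family):
    """Pr[A outputs 1] when f is drawn uniformly from `family`, as an exact Fraction."""
    return Fraction(sum(attacker(f) for f in family), len(family))


def advantage(real_family, ideal_family):
    """|Pr[EXP(0)=1] - Pr[EXP(1)=1]| for the attacker above."""
    return abs(prob_output_one(real_family) - prob_output_one(ideal_family))


def adv_prf():
    """PRF experiment: b=1 draws f from Funs[X,X]."""
    return advantage(cipher_functions(), all_functions())


def adv_prp():
    """PRP experiment: b=1 draws f from Perms[X]."""
    return advantage(cipher_functions(), all_permutations())


def is_prp():
    """PRP properties from the definition slide: E(k, .) is one-to-one and D inverts it
    for every key (deterministic, efficient evaluation is immediate for XOR)."""
    return all(
        len({E(k, x) for x in X}) == len(X) and all(D(k, E(k, x)) == x for x in X)
        for k in K
    )


if __name__ == "__main__":
    print("PRP properties hold:", is_prp())
    print("Adv_PRF[A,E] =", adv_prf())   # 1/2: the two constant functions make A output 1
    print("Adv_PRP[A,E] =", adv_prp())   # 0: S_E is exactly Perms[X]
```

The PRP advantage is 0 for this attacker, and in fact for any attacker: with K = X = {0,1} the two keyed functions are the identity and the bit flip, which is all of Perms[X], so the b=0 and b=1 distributions coincide. The PRF advantage is ½ because Funs[X,X] also contains the two constant functions, which no permutation can imitate.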
PRF Switching Lemma

Any secure PRP is also a secure PRF, if |X| is sufficiently large.

Lemma: Let E be a PRP over (K,X). Then for any q-query adversary A:
    | Adv_PRF[A,E] – Adv_PRP[A,E] | < q^2 / (2|X|)

⇒ Suppose |X| is large so that q^2 / (2|X|) is "negligible".
   Then Adv_PRP[A,E] "negligible" ⇒ Adv_PRF[A,E] "negligible"

Note that "sufficiently large" is a concrete constraint on usage, not only on the cipher: for a 64-bit block cipher such as 3DES, |X| = 2^64, and the bound reaches ½ at q = 2^32 queried blocks (32 GB), whereas for AES, |X| = 2^128 and the same point is only reached at q = 2^64.
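The lemma's bound is the birthday bound: a permutation never repeats an output on distinct inputs, while a uniformly random function does so with the usual collision probability, so an adversary that simply watches for a repeated output separates the PRF experiment from the PRP experiment by exactly that probability. The following is an added example, not code from the lecture: it computes that collision probability exactly, compares it with q^2 / (2|X|), runs the collision distinguisher against a random permutation and a random function of a small domain with a seeded RNG, and reports at which q the bound stops giving any guarantee for a given block size. All names are this example's own.

```python
"""Added example (not from the lecture slides): the collision distinguisher behind the
PRF switching lemma, its exact success probability, and the slide's bound q^2/(2|X|).
Exact values use Fractions; the simulation uses a fixed seed for reproducibility."""
from fractions import Fraction
import math
import random


def collision_prob(N, q):
    """Exact Pr[f(x_i) = f(x_j) for some i != j] over q distinct queries to a uniformly
    random function on a domain and range of size N: 1 - prod_{i<q} (1 - i/N)."""
    no_collision = Fraction(1)
    for i in range(q):
        no_collision *= Fraction(N - i, N)
    return 1 - no_collision


def switching_bound(N, q):
    """The slide's bound q^2 / (2|X|) on |Adv_PRF - Adv_PRP| for a q-query adversary."""
    return Fraction(q * q, 2 * N)


def collision_distinguisher(f, queries):
    """The q-query adversary: output 1 iff two distinct queries collide under f.
    Against any permutation (real PRP or random one) it outputs 0, so Adv_PRP = 0;
    against a random function it outputs 1 with probability collision_prob(N, q)."""
    outputs = [f(x) for x in queries]
    return 1 if len(set(outputs)) < len(outputs) else 0


def simulate(N, q, trials, seed=1):
    """Run the distinguisher `trials` times against a fresh uniformly random permutation
    of range(N) and a fresh uniformly random function range(N) -> range(N).
    Returns (frequency of output 1 vs permutation, frequency vs function)."""
    rng = random.Random(seed)
    queries = list(range(q))            # q distinct inputs; any fixed choice works
    hits_perm = hits_func = 0
    for _ in range(trials):
        perm = list(range(N))
        rng.shuffle(perm)               # uniform element of Perms[X]
        func = [rng.randrange(N) for _ in range(N)]   # uniform element of Funs[X,X]
        hits_perm += collision_distinguisher(lambda x: perm[x], queries)
        hits_func += collision_distinguisher(lambda x: func[x], queries)
    return hits_perm / trials, hits_func / trials


def queries_to_reach(N, target=Fraction(1, 2)):
    """Smallest q with q^2 / (2N) >= target, i.e. where the lemma no longer says anything
    useful. For target = 1/2 this is sqrt(N): 2^32 blocks for a 64-bit cipher."""
    m = 2 * N * Fraction(target)        # need q^2 >= m
    q = math.isqrt(math.ceil(m))
    if q * q < m:
        q += 1
    return q


if __name__ == "__main__":
    N, q = 2 ** 16, 256
    print("exact collision prob:", float(collision_prob(N, q)))
    print("lemma bound q^2/(2N):", float(switching_bound(N, q)))
    print("simulated (perm, func):", simulate(256, 16, 4000))
    print("3DES (|X|=2^64) bound hits 1/2 at q =", queries_to_reach(2 ** 64))
    print("AES  (|X|=2^128) bound hits 1/2 at q =", queries_to_reach(2 ** 128))
```

The exact probability is always below the slide's bound (1 - prod(1 - i/N) ≤ sum i/N = q(q-1)/(2N) < q^2/(2N)), and the simulation shows the two sides of the lemma concretely: the permutation side never collides, the random-function side collides at roughly the computed rate.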
Final note

• Suggestion:
  – don't think about the inner-workings of AES and 3DES.
• We assume both are secure PRPs and will see how to use them
End of Segment