




































































Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
The relationship between prf (pseudo random function) security and key-randomness. It includes various games, examples, and analyses to help understand why prf-security implies key-randomness. The document also discusses the importance of key randomness and its implications for security.
Typology: Study notes
1 / 76
This page cannot be seen from the preview
Don't miss anything!





































































We studied security of a block cipher against key recovery.
But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure.
We want to answer the question: What is a good block cipher? where “good” means that natural uses of the block cipher are secure.
We could try to define “good” by a list of necessary conditions:
But this is neither necessarily correct nor appealing.
Q: What does it mean for a program to be “intelligent” in the sense of a human? Possible answers:
Q: What does it mean for a program to be “intelligent” in the sense of a human? Possible answers:
Clearly, no such list is a satisfactory answer to the question.
Behind the wall:
Game:
Game:
Notion Real object Ideal object Intelligence Program Human PRF Block cipher?
A random function with L-bit outputs is implemented by the following box Fn, where T is initially ⊥ everywhere:
Fn
Caller
x (^) -
^ T[x]
If T[x] = ⊥ then T[x] ← {$ 0 , 1 }L Return T[x]
Game Rand{ 0 , 1 }L procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }L return T[x]
Adversary A
We denote by Pr
RandA { 0 , 1 }l ⇒ d
the probability that A outputs d
Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]
adversary A y ← Fn(01) return (y = 000)
Pr
RandA { 0 , 1 } 3 ⇒ true
Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]
adversary A y 1 ← Fn(00) y 2 ← Fn(11) return (y 1 = 010 ∧ y 2 = 011)
Pr
RandA { 0 , 1 } 3 ⇒ true
Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]
adversary A y 1 ← Fn(00) y 2 ← Fn(11) return (y 1 ⊕ y 2 = 101)
Pr
RandA { 0 , 1 } 3 ⇒ true
Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]
adversary A y 1 ← Fn(00) y 2 ← Fn(11) return (y 1 ⊕ y 2 = 101)
Pr
RandA { 0 , 1 } 3 ⇒ true