PRF Security and Key-Randomness: Understanding the Connection - Prof. Mihir Bellare, Study notes of Computer Science

The relationship between prf (pseudo random function) security and key-randomness. It includes various games, examples, and analyses to help understand why prf-security implies key-randomness. The document also discusses the importance of key randomness and its implications for security.

Typology: Study notes

Pre 2010

Uploaded on 03/28/2010

koofers-user-gni-1
koofers-user-gni-1 🇺🇸

4.5

(4)

10 documents

1 / 76

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
PSEUDO-RANDOM FUNCTIONS
1 / 65
pf3
pf4
pf5
pf8
pf9
pfa
pfd
pfe
pff
pf12
pf13
pf14
pf15
pf16
pf17
pf18
pf19
pf1a
pf1b
pf1c
pf1d
pf1e
pf1f
pf20
pf21
pf22
pf23
pf24
pf25
pf26
pf27
pf28
pf29
pf2a
pf2b
pf2c
pf2d
pf2e
pf2f
pf30
pf31
pf32
pf33
pf34
pf35
pf36
pf37
pf38
pf39
pf3a
pf3b
pf3c
pf3d
pf3e
pf3f
pf40
pf41
pf42
pf43
pf44
pf45
pf46
pf47
pf48
pf49
pf4a
pf4b
pf4c

Partial preview of the text

Download PRF Security and Key-Randomness: Understanding the Connection - Prof. Mihir Bellare and more Study notes Computer Science in PDF only on Docsity!

PSEUDO-RANDOM FUNCTIONS

Recall

We studied security of a block cipher against key recovery.

But we saw that security against key recovery is not sufficient to ensure that natural usages of a block cipher are secure.

We want to answer the question: What is a good block cipher? where “good” means that natural uses of the block cipher are secure.

We could try to define “good” by a list of necessary conditions:

  • (^) Key recovery is hard
  • Recovery of M from C = EK (M) is hard -...

But this is neither necessarily correct nor appealing.

Turing Intelligence Test

Q: What does it mean for a program to be “intelligent” in the sense of a human? Possible answers:

  • (^) It can be happy
  • (^) It recognizes pictures
  • It can multiply
  • (^) But only small numbers!

Turing Intelligence Test

Q: What does it mean for a program to be “intelligent” in the sense of a human? Possible answers:

  • (^) It can be happy
  • (^) It recognizes pictures
  • It can multiply
  • (^) But only small numbers!

Clearly, no such list is a satisfactory answer to the question.

Turing Intelligence Test

Behind the wall:

  • Room 1: The program P
  • (^) Room 0: A human

Turing Intelligence Test

Game:

  • Put tester in room 0 and let it interact with object behind wall
  • (^) Put tester in rooom 1 and let it interact with object behind wall
  • Now ask tester: which room was which?

Turing Intelligence Test

Game:

  • (^) Put tester in room 0 and let it interact with object behind wall
  • Put tester in rooom 1 and let it interact with object behind wall
  • (^) Now ask tester: which room was which? Clarification: Room numbers are in our head, not written on door!

Real versus Ideal

Notion Real object Ideal object Intelligence Program Human PRF Block cipher?

Random functions

A random function with L-bit outputs is implemented by the following box Fn, where T is initially ⊥ everywhere:

Fn

Caller

x (^) -

^ T[x]

If T[x] = ⊥ then T[x] ← {$ 0 , 1 }L Return T[x]

Random function

Game Rand{ 0 , 1 }L procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }L return T[x]

Adversary A

  • (^) Make queries to Fn
  • Eventually halts with some output

We denote by Pr

[

RandA { 0 , 1 }l ⇒ d

]

the probability that A outputs d

Random function

Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]

adversary A y ← Fn(01) return (y = 000)

Pr

[

RandA { 0 , 1 } 3 ⇒ true

]

= 2−^3

Random function

Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]

adversary A y 1 ← Fn(00) y 2 ← Fn(11) return (y 1 = 010 ∧ y 2 = 011)

Pr

[

RandA { 0 , 1 } 3 ⇒ true

]

Random function

Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]

adversary A y 1 ← Fn(00) y 2 ← Fn(11) return (y 1 ⊕ y 2 = 101)

Pr

[

RandA { 0 , 1 } 3 ⇒ true

]

Random function

Game Rand{ 0 , 1 } 3 procedure Fn(x) if T[x] = ⊥ then T[x] ← {$ 0 , 1 }^3 return T[x]

adversary A y 1 ← Fn(00) y 2 ← Fn(11) return (y 1 ⊕ y 2 = 101)

Pr

[

RandA { 0 , 1 } 3 ⇒ true

]

= 2−^3