Professional Documents
Culture Documents
1 / 65
Recall
We studied security of a block cipher against key recovery.
But we saw that security against key recovery is not sufficient to ensure
that natural usages of a block cipher are secure.
We want to answer the question:
What is a good block cipher?
where good means that natural uses of the block cipher are secure.
We could try to define good by a list of necessary conditions:
Key recovery is hard
Recovery of M from C = EK (M) is hard
...
3 / 65
3 / 65
3 / 65
4 / 65
Game:
Put tester in room 0 and let it interact with object behind wall
Put tester in rooom 1 and let it interact with object behind wall
Now ask tester: which room was which?
6 / 65
Game:
Put tester in room 0 and let it interact with object behind wall
Put tester in rooom 1 and let it interact with object behind wall
Now ask tester: which room was which?
Game:
Put tester in room 0 and let it interact with object behind wall
Put tester in rooom 1 and let it interact with object behind wall
Now ask tester: which room was which?
Notion
Intelligence
PRF
Real object
Program
Block cipher
Ideal object
Human
?
8 / 65
Notion
Intelligence
PRF
Real object
Program
Block cipher
Ideal object
Human
Random function
8 / 65
Random functions
Caller
x T[x]
If T[x] = then
$
T[x] {0, 1}L
Return T[x]
9 / 65
Random function
Game Rand{0,1}L
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}L
return T[x]
Adversary A
Make queries to Fn
Eventually halts with some output
We denote by
h
i
Pr RandA
d
l
{0,1}
the probability that A outputs d
10 / 65
Random function
Game Rand{0,1}3
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}3
return T[x]
adversary A
y Fn(01)
return (y = 000)
h
i
Pr RandA
true
=
{0,1}3
11 / 65
Random function
Game Rand{0,1}3
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}3
return T[x]
adversary A
y Fn(01)
return (y = 000)
h
i
Pr RandA
true
= 23
{0,1}3
11 / 65
Random function
Game Rand{0,1}3
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}3
return T[x]
adversary A
y1 Fn(00)
y2 Fn(11)
return (y1 = 010 y2 = 011)
h
i
Pr RandA
true
=
{0,1}3
12 / 65
Random function
Game Rand{0,1}3
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}3
return T[x]
adversary A
y1 Fn(00)
y2 Fn(11)
return (y1 = 010 y2 = 011)
h
i
Pr RandA
true
= 26
{0,1}3
12 / 65
Random function
Game Rand{0,1}3
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}3
return T[x]
adversary A
y1 Fn(00)
y2 Fn(11)
return (y1 y2 = 101)
h
i
Pr RandA
true
=
{0,1}3
13 / 65
Random function
Game Rand{0,1}3
procedure Fn(x)
$
if T[x] = then T[x] {0, 1}3
return T[x]
adversary A
y1 Fn(00)
y2 Fn(11)
return (y1 y2 = 101)
h
i
Pr RandA
true
= 23
{0,1}3
13 / 65
Function families
permutation
14 / 65
Notion
PRF
Real object
Family of functions
(eg. a block cipher)
Ideal object
Random function
15 / 65
PRF-adversaries
Let F : Keys(F ) Dom(F ) Range(F ) be a family of functions.
A prf-adversary (our tester) has an oracle Fn for a function from
Dom(F ) to Range(F ). It can
Make an oracle query x of its choice and get back Fn(x)
Do this many times
Eventually halt and output a bit d
x1
Fn(x1 )
..
.
xq
Fn
-
Fn(xq )
16 / 65
Repeat queries
We said earlier that a random function must be consistent, meaning
once it has returned y in response to x, it must return y again if queried
again with the same x. This is why we have the if in the following:
written as
Game
RandRange(F )
procedure Fn(x)
$
if T[x] = then T[x] Range(F )
Return T[x]
procedure Fn(x)
$
T[x] Range(F )
Return T[x]
17 / 65
PRF-adversaries
Let F : Keys(F ) Dom(F ) Range(F ) be a family of functions.
Real world
xFn
y
y FK (x)
As output d
1
0
xy
Fn
$
y Range(F )
Intended meaning:
I think I am in the
Real world
Ideal (Random) world
The games
Let F : Keys(F ) Dom(F ) Range(F ) be a family of functions.
Game RealF
Game RandRange(F )
procedure Initialize
$
K Keys(F )
procedure Fn(x)
$
T[x] Range(F )
Return T[x]
procedure Fn(x)
Return FK (x)
Pr
Rand
1
F
Range(F )
F
19 / 65
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be defined by FK (x) = x. Let
prf-adversary A be defined by
adversary A
if Fn(0128 ) = 0128 then Ret 1 else Ret 0
Game RealF
procedure Initialize
$
K {0, 1}k
procedure Fn(x)
Return FK (x)
Real world
xFn
y
y
FK (x)
20 / 65
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be defined by FK (x) = x. Let
prf-adversary A be defined by
adversary A
if Fn(0128 ) = 0128 then Ret 1 else Ret 0
Game RealF
procedure Initialize
$
K {0, 1}k
procedure Fn(x)
Return FK (x)
Then
Real world
xFn
y
y FK (x)
h
i
Pr RealA
1
=
F
20 / 65
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be defined by FK (x) = x. Let
prf-adversary A be defined by
adversary A
if Fn(0128 ) = 0128 then Ret 1 else Ret 0
Game RealF
procedure Initialize
$
K {0, 1}k
procedure Fn(x)
Return FK (x)
Then
Real world
xFn
y
y FK (x)
h
i
Pr RealA
1
=1
F
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be defined by FK (x) = x. Let
prf-adversary A be defined by
adversary A
if Fn(0128 ) = 0128 then Ret 1 else Ret 0
Game RandRange(F )
procedure Fn(x)
$
T[x] {0, 1}128
Return T[x]
Then
xy
Fn
y {0, 1}128
$
h
i
Pr RandA
1
=
Range(F )
21 / 65
Example
Let F : {0, 1}k {0, 1}128 {0, 1}128 be defined by FK (x) = x. Let
prf-adversary A be defined by
adversary A
if Fn(0128 ) = 0128 then Ret 1 else Ret 0
Game RandRange(F )
procedure Fn(x)
$
T[x] {0, 1}128
Return T[x]
xy
Fn
$
y {0, 1}128
Then
h
i
128
Pr RandA
) = 0128 = 2128
Range(F ) 1 = Pr Fn(0
because Fn(0128 ) is a random 128-bit string.
21 / 65
Let F : {0, 1}k {0, 1}128 {0, 1}128 be defined by FK (x) = x. Let
prf-adversary A be defined by
adversary A
if Fn(0128 ) = 0128 then Ret 1 else Ret 0
Then
1
2128
z h }|
}|
i{ z h
i{
prf
A
A
AdvF (A) = Pr RealF 1 Pr RandRange(F ) 1
= 1 2128
22 / 65
Pr
Rand
1
F
Range(F )
F
is a number between 1 and 1.
A large (close to 1) advantage means
A is doing well
F is not secure
23 / 65
PRF security
Adversary advantage depends on its
strategy
resources: Running time t and number q of oracle queries
for any A with time and number of oracle queries at most 280n .
Insecurity: F is insecure (not a PRF) if there exists A using few
resources that achieves high advantage.
24 / 65
Example 1
Define F : {0, 1}k {0, 1}128 {0, 1}128 by FK (x) = x for all k, x.
Is F a secure PRF?
Real
xy
Fn
y FK (x)
Rand
xy
Fn
$
y {0, 1}128
Pr
Rand
1
F
Range(F )
F
is close to 1?
25 / 65
Example 1
Define F : {0, 1}k {0, 1}128 {0, 1}128 by FK (x) = x for all k, x.
Is F a secure PRF?
Real
xy
Fn
y FK (x)
Rand
xy
Fn
$
y {0, 1}128
Pr
Rand
1
F
Range(F )
F
is close to 1?
Exploitable weakness of F : FK (0128 ) = 0128 for all K . We can
determine which world we are in by testing whether Fn(0128 ) = 0128 .
25 / 65
Example 1
Real
xy
Fn
y FK (x)
Rand
xy
Fn
$
y {0, 1}128
26 / 65
Example 1: Analysis
F is defined by FK (x) = x.
adversary A
if Fn(0128 ) = 0128 then return 1 else return 0
Real
xy
Fn
y FK (x)
Rand
xy
Fn
$
y {0, 1}128
Example 1: Conclusion
F is defined by FK (x) = x.
adversary A
if Fn(0128 ) = 0128 then return 1 else return 0
Then
1
2128
z h }|
}|
i{ z h
i{
prf
A
A
AdvF (A) = Pr RealF 1 Pr RandRange(F ) 1
= 1 2128
and A is efficient.
Conclusion: F is not a secure PRF.
28 / 65
Example 2
Define F : {0, 1}` {0, 1}` {0, 1}` by FK (x) = K x for all K , x.
Is F a secure PRF?
Real
xy
Fn
y FK (x)
Rand
xy
Fn
y {0, 1}`
$
Pr
Rand
1
F
Range(F )
F
is close to 1?
29 / 65
Example 2
Define F : {0, 1}` {0, 1}` {0, 1}` by FK (x) = K x for all K , x.
Is F a secure PRF?
Real
xy
Fn
y FK (x)
Rand
xy
Fn
y {0, 1}`
$
Pr
Rand
1
F
Range(F )
F
is close to 1?
Exploitable weakness of F :
FK (0` ) FK (1` ) = (K 0` ) (K 1` ) = 1`
for all K . We can determine which world we are in by testing whether
Fn(0` ) Fn(1` ) = 1` .
29 / 65
30 / 65
Real world
xFn
y
y
FK (x)
31 / 65
procedure Fn(x)
Return FK (x)
Then
Real world
xFn
y
y
FK (x)
h
i
Pr RealA
1
=
F
31 / 65
Real world
xFn
y
y
FK (x)
h
i
Pr RealA
1
=1
F
because
Fn(0` ) Fn(1` ) = FK (0` ) FK (1` ) = (K 0` ) (K 1` ) = 1`
31 / 65
Game RandRange(F )
procedure Fn(x)
$
T[x] {0, 1}` return T[x]
xy
Fn
$
y {0, 1}`
32 / 65
Game RandRange(F )
procedure Fn(x)
$
T[x] {0, 1}` return T[x]
Then
xy
Fn
$
y {0, 1}`
h
i
Pr RealA
1
=
F
32 / 65
Game RandRange(F )
procedure Fn(x)
$
T[x] {0, 1}` return T[x]
Then
xy
Fn
$
y {0, 1}`
h
i
h
i
`
`
`
Pr RealA
1
=
Pr
Fn(1
)
Fn(0
)
=
1
=
F
32 / 65
Game RandRange(F )
procedure Fn(x)
$
T[x] {0, 1}` return T[x]
Then
xy
Fn
$
y {0, 1}`
h
i
h
i
`
`
`
Pr RealA
1
=
Pr
Fn(1
)
Fn(0
)
=
1
= 2`
F
Example 2: Conclusion
F : {0, 1}` {0, 1}` {0, 1}` is defined by FK (x) = K x.
adversary A
if Fn(0` ) Fn(1` ) = 1` then return 1 else return 0
Then
1
2`
}|
z h }|
i{ z h
i{
prf
A
A
AdvF (A) = Pr RealF 1 Pr RandRange(F ) 1
= 1 2`
and A is efficient .
Conclusion: F is not a secure PRF.
33 / 65
Birthday Problem
q people 1, . . . , q with birthdays
y1 , . . . , yq {1 . . . , 365}
Assume each persons birthday is a random day of the year. Let
C (365, q) = Pr [2 or more persons have same birthday]
= Pr [y1 , . . . , yq are not all different]
What is the value of C (365, q)?
How large does q have to be before C (365, q) is at least 1/2?
34 / 65
Birthday Problem
q people 1, . . . , q with birthdays
y1 , . . . , yq {1 . . . , 365}
Assume each persons birthday is a random day of the year. Let
C (365, q) = Pr [2 or more persons have same birthday]
= Pr [y1 , . . . , yq are not all different]
What is the value of C (365, q)?
How large does q have to be before C (365, q) is at least 1/2?
Naive intuition:
C (365, q) q/365
q has to be around 365
34 / 65
Birthday Problem
q people 1, . . . , q with birthdays
y1 , . . . , yq {1 . . . , 365}
Assume each persons birthday is a random day of the year. Let
C (365, q) = Pr [2 or more persons have same birthday]
= Pr [y1 , . . . , yq are not all different]
What is the value of C (365, q)?
How large does q have to be before C (365, q) is at least 1/2?
Naive intuition:
C (365, q) q/365
q has to be around 365
The reality
C (365, q) q 2 /365
q has to be only around 23
34 / 65
C (365, q)
0.253
0.347
0.411
0.444
0.507
0.569
0.627
0.706
0.814
0.891
0.970
35 / 65
Birthday Problem
36 / 65
Birthday Problem
q2
2N
36 / 65
N
N
N
q1
Y
i
=
1
N
= 1
i=1
so
C (N, q) = 1
q1
Y
i=1
i
1
N
37 / 65
Birthday bounds
Let
C (N, q) = Pr [y1 , . . . , yq not all distinct]
Fact: Then
q(q 1)
q(q 1)
C (N, q) 0.5
N
N
38 / 65
Union bound
C2
C1
Arithmetic sums
0 + 1 + 2 + + (q 1) =
40 / 65
Arithmetic sums
0 + 1 + 2 + + (q 1) =
q(q 1)
2
40 / 65
Birthday bounds
Let
C (N, q) = Pr [y1 , . . . , yq not all distinct]
Then
q(q 1)
N
Proof of this upper bound: Let Ci be the event that
yi {y1 , . . . , yi1 }. Then
C (N, q) 0.5
C (N, q) = Pr [C1 C2 , . . . , Cq ]
Pr [C1 ] + Pr [C2 ] + . . . + Pr [Cq ]
0
1
q1
+ + ... +
N
N
N
q(q 1)
.
2N
41 / 65
Real
xy
Fn
y EK (x)
Rand
xy
Fn
$
y {0, 1}`
Pr
Rand
1
E
E
{0,1}`
is close to 1?
42 / 65
43 / 65
44 / 65
Then
adversary A
Let x1 , . . . , xq {0, 1}` be distinct
for i = 1, . . . , q do yi Fn(xi )
if y1 , . . . , yq are all distinct
then return 1 else return 0
h
i
Pr RealA
1
=
E
45 / 65
Then
adversary A
Let x1 , . . . , xq {0, 1}` be distinct
for i = 1, . . . , q do yi Fn(xi )
if y1 , . . . , yq are all distinct
then return 1 else return 0
h
i
Pr RealA
1
=1
E
45 / 65
adversary A
Let x1 , . . . , xq {0, 1}` be distinct
for i = 1, . . . , q do yi Fn(xi )
if y1 , . . . , yq are all distinct
then return 1 else return 0
Then
h
i
Pr RandA
1
= Pr [y1 , . . . , yq all distinct]
`
{0,1}
= 1 C (2` , q)
because y1 , . . . , yq are randomly chosen from {0, 1}` .
46 / 65
1C (2` ,q)
}|
z h }|
i{ z h
i{
prf
A
A
AdvE (A) = Pr RealF 1 Pr RandRange(F ) 1
= C (2` , q)
0.3
q(q 1)
2`
so
q 2`/2 Advprf
E (A) 1 .
47 / 65
Conclusion: If E : {0, 1}k {0, 1}` {0, 1}` is a block cipher, there is
an attack on it as a PRF that succeeds in about 2`/2 queries.
Depends on block length, not key length!
`
64
128
2`/2
232
264
Status
Insecure
Secure
48 / 65
examples of EK
PRF-security: It should be hard to distinguish the input-output
49 / 65
for secure use of E , so a YES answer would render our claim false.
Luckily the answer to the above question is NO.
50 / 65
51 / 65
procedure Fn(x)
return FK (x)
procedure Finalize(K 0 )
return (K = K 0 )
Example
Y [1]
K [1, 1] K [1, 2] K [1, `]
X [1]
Y [2]
K [2, 1] K [2, 2] K [2, `] X [2]
FK (X ) =
.. = ..
..
..
.
.
.
.
Y [L]
X [`]
K [L, 1] K [L, 2] K [L, `]
Here the bits in the matrix are the bits in the key, and arithmetic is
modulo two.
Question: Is F secure against key-recovery?
53 / 65
Example
Y [1]
K [1, 1] K [1, 2] K [1, `]
X [1]
Y [2]
K [2, 1] K [2, 2] K [2, `] X [2]
FK (X ) =
.. = ..
..
..
.
.
.
.
Y [L]
X [`]
K [L, 1] K [L, 2] K [L, `]
Here the bits in the matrix are the bits in the key, and arithmetic is
modulo two.
Question: Is F secure against key-recovery?
Answer: NO
53 / 65
Example
For 1 i ` let:
ej =
0
..
.
0
1
0
..
.
0
j 1
`j
FK (ej ) =
K [1, 1] K [1, 2]
K [2, 1] K [2, 2]
..
.
K [L, 1] K [L, 2]
K [1, j]
K [1, `]
..
.
K [2, `]
K [2, j]
1
=
..
..
.
.
..
K [L, `]
K [L, j]
0
54 / 65
KR attack on example
Adversary B
K 0 // is the empty string
for j = 1, . . . , ` do yj Fn(ej ) ; K 0 K 0 k yj
return K 0
Then
Advkr
F (B) = 1 .
The time-complexity of B is t = O(`2 L) since it makes q = ` calls to its
oracle and each computation of Fn = FK takes O(`L) time.
So F is insecure against key-recovery.
55 / 65
Real world
xFn
y
y FK (x)
xy
Fn
$
y Range(F )
56 / 65
57 / 65
Advprf
F (A) is small
kr
AdvF (B) is small
F is KR-secure
58 / 65
Contrapositive:
F not KR-secure
Advkr
F (B) is big
Advprf
F (A) is big
F is not PRF-secure
59 / 65
How A runs B
Idea:
A uses B to find key K 0
Tests whether K 0 is the right key
Issues:
B needs an FK oracle, which A only has in the real world
How to test K 0 ?
How they are addressed:
A gives B its Fn oracle
Test by seeing whether FK 0 agrees with Fn on a new point.
61 / 65
adversary A
i 0
K 0 B FnKRSim
$
x {0, 1}` {x1 , . . . , xi }
if FK 0 (x) = Fn(x) then return 1
else return 0
subroutine FnKRSim(x)
i i +1
xi x
yi Fn(x)
return yi
62 / 65
Analysis
adversary A
i 0
K 0 B FnKRSim
$
x {0, 1}` {x1 , . . . , xi }
if FK 0 (x) = Fn(x) then return 1
else return 0
subroutine FnKRSim(x)
i i +1
xi x
yi Fn(x)
return yi
so
h
i
kr
Pr RealA
F 1 AdvF (B)
x
/ {x1 , . . . , xi },
h
i
Pr RandA
1
= 2L
Range(F )
kr
L
So Advprf
F (A) AdvF (B) 2
63 / 65
The running time of A is that of B plus O(q(` + L)) plus the time for
one computation of F .
Implication:
F PRF-secure
F is KR-secure.
64 / 65
Our Assumptions
DES, AES are good block ciphers in the sense of being PRF-secure to
the maximum extent possible.
65 / 65