PRPs and PRFs课件.ppt

PRF Switching Lemma Any secure PRP is also a secure PRF. Lemma: Let E be a PRP over (K,X)  Then for any q-query adversary A: | PRF Adv[A,E] - PRP Adv[A,E] | q2 / 2|X| ? Suppose |X| is large so that q2 / 2|X| is “negligible” Then PRP Adv[A,E] “negligible” ? PRF Adv[A,E] “negligible” Using PRPs and PRFs Goal: build “secure” encryption from a PRP. Security is always defined using two parameters: 1. What “power” does adversary have?  examples: Adv sees only one ciphertext (one-time key) Adv sees many PT/CT pairs (many-time key, CPA) 2. What “goal” is adversary trying to achieve?  examples: Fully decrypt a challenge ciphertext. Learn info about PT from CT (semantic security) Modes of Operation for One-time Use Key Example application: Encrypted email. New key for every message. Semantic Security for one-time key E = (E,D) a cipher defined over (K,M,C) For b=0,1 define EXP(b) as: Def: E is sem. sec. for one-time key if for all “efficient” A: SS Adv[A,E] = |Pr[EXP(0)=1] – Pr[EXP(1)=1] | is “negligible.” Chal. b Adv. A k?K m0 , m1 ? M : |m0| = |m1| C ? E(k, mb) b’ ? {0,1} Adv. B (us) Semantic security (cont.) Sem. Sec. ? no “efficient” adversary learns info about PT from a single CT. Example: suppose efficient A can deduce LSB of PT from CT. Then E = (E,D) is not semantically secure. Chal. b?{0,1} Adv. A (given) k?K C? E(k, mb) m0, LSB(m0)=0 m1, LSB(m1)=1 C LSB(mb)=b Then SS Adv[B, E] = 1 ? E is not sem. sec. Note: ECB is not Sem. Sec. Electronic Code Book (ECB): Not semantically secure for messages that contain more than one block. Two blocks Chal. b?{0,1} Adv. A k?K (C1,C2) ? E(k, mb) m0 = “Hello World” m1 = “Hello Hello” If C1=C2 output 0, else output 1 Then SS Adv[A, ECB] = 1 Secure Constructions Examples of sem. sec. systems: 1. SS Adv[A, OTP] = 0 for all A 2. Deterministic counter mode from a PRF F