1 / 18

Intro To Encryption Exercise 4

Intro To Encryption Exercise 4. Defining Pseudo-Random Permutation. Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A f denote A with oracle to f :{0,1} k  {0,1} k Let where key  R {0,1} k and r is a random function over {0,1} k

skip
Download Presentation

Intro To Encryption Exercise 4

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intro To EncryptionExercise 4

  2. Defining Pseudo-Random Permutation • Let Abe alg. with oracle to a function from {0,1}k to {0,1}k • Notation: let Afdenote A with oracle to f:{0,1}k{0,1}k • Letwhere keyR{0,1}k and r is a random function over {0,1}k • Notation: xRX means xis chosen randomly from set X • Let ADVPRPE,k(t)=MAX{ADVPRPA,E,k} for Alimited to time t • Should be negligible for feasible t • Ideally: ADVPRPE,k(t)=constant /(2k-t) • Adversary controls plaintext  chosen plaintext attack • modify definition to allow also chosen ciphertext

  3. Solution • Let f’ :{0,1}k{0,1}k be an inverse function to f, meaning f’=f-1. • (for each cipher text we now have a reverse function to give us the plain text) • Let r’ be a reversible function to r. • Why? • (If we want to fool adversary with a random function we must have a reversible function) • Notation: let Af,f’denote A with oracle to both f, f’

  4. Solution • Letwhere keyR{0,1}k and r is a random function over {0,1}k • Notation: xRX means xis chosen randomly from set X • Adversary controls plaintext and ciphertext

  5. Problem • You wish for your users to access a remote server via user and password. • All of the users have modems and you trust the phone company to have secured phone lines (no eaves dropping on the line). • All the users must use “good” passwords. • What is a “good” password? • What is the problem with “good” passwords? • How can you build a device that can help the user?Hint: the device may generate the passwords

  6. Problem • Construct a PRF from a random oracle.

  7. Solution • Let A be the Random oracle, which receives input x. • Use PRFk(x)=A(k||x) • Is this a sufficient solution?

  8. Problem • Does random oracle provide CRHF and OWF properties?

  9. Solution • Yes!! By counting arguments • Consider the random function as being defined incrementally • When the oracle is asked for f(x) for the first time, it selects random value • Example: OWF • Let x1,x2,…xmbe the queries of the adversary, with xm being the adversary’s reply (i.e. success if f(xm)=f(x)). • Claim: for every i=1,…,m, Prob(f(xi)=f(x))<i/2n • Proof: By induction…

  10. Problem • What are the differences between PRF and Universal Hash Functions?

  11. Problem • construct a PRP from a random oracle.

  12. Solution • Construct PRF from Random Oracle. • Use Feistel rounds to build a PRP. • How many rounds?

  13. Problem • construct CPA-IND secure cryptosystem from random oracle.

  14. Solution • Build a PRP from random oracle • Use CBC construction for the PRP.

  15. Problem • construct OWF h() from PRF Fk()

  16. Solution • In order to build h(x) use: • h(x)=PRFx(0)

  17. Problem • can we use OWF to construct PRF like we used random oracle?

  18. Solution • NO!!!! • Evaluate the following: • h(x) is OWF. • h’(x)=001100||h(x) • Clearly h’ is OWF but can be distinguished from a random output.

More Related