Interactive Session #4

Introduction to Modern
Cryptography
Interactive Learning Session
Week 4: Practice & Theory of
Symmetric-Key Primitives
Thursday, 25 Feb 2016, 15:00-17:00
Overview of DES / AES
Warm-Up Questions
• Why should you never design a block cipher yourself (despite having followed this course)?
• Why should you never implement a block cipher yourself (despite having followed this course)?
Questions
• What is the encryption function of DESX?
  $\mathrm{DESX}_{k,k_o,k_i}(m) = k_o \oplus \mathrm{DES}_k(m \oplus k_i)$
• Why can't we make do with just an extra outer key?
  $\mathrm{DESY}_{k,k_o}(m) = k_o \oplus \mathrm{DES}_k(m)$
• Why can't we make do with just an extra inner key?
  $\mathrm{DESZ}_{k,k_i}(m) = \mathrm{DES}_k(m \oplus k_i)$
Overview of Theoretical Constructions
(Section 7.2 in [KL])
• One-way functions (easy to compute, hard to
invert)
• Goldreich-Levin theorem
• PRGs (GL and hybrid arguments)
• PRFs from PRGs (by the GGM construction)
• PRPs (Feistel Networks)
Goldreich Goldwasser Micali
Construction of PRF from PRG

(Excerpt from [KL], reproduced on the slide.)

(…) where $x = x_1 \cdots x_n$; see Construction 7.21. The intuition for why this function is pseudorandom is the same as before, but the formal proof is complicated by the fact that there are now exponentially many inputs to consider.

CONSTRUCTION 7.21
Let $G$ be a pseudorandom generator with expansion factor $\ell(n) = 2n$, and define $G_0, G_1$ as in the text (that is, $G_0(k)$ denotes the first $n$ bits of $G(k)$ and $G_1(k)$ the last $n$ bits). For $k \in \{0,1\}^n$, define the function $F_k : \{0,1\}^n \to \{0,1\}^n$ as:
$$F_k(x_1 x_2 \cdots x_n) = G_{x_n}\bigl(\cdots (G_{x_2}(G_{x_1}(k))) \cdots\bigr).$$
A pseudorandom function from a pseudorandom generator.

It is useful to view this construction as defining, for each key $k \in \{0,1\}^n$, a complete binary tree of depth $n$ in which each node contains an $n$-bit value. (See Figure 7.2, in which $n = 3$.) The root has value $k$, and for every internal node with value $k'$ its left child has value $G_0(k')$ and its right child has value $G_1(k')$. The result $F_k(x)$ for $x = x_1 \cdots x_n$ is then defined to be the value on the leaf node reached by traversing the tree according to the bits of $x$, where $x_i = 0$ means "go left" and $x_i = 1$ means "go right." (The function is only defined for inputs of length $n$, and thus only values on the leaves are ever output.) The size of the tree is exponential in $n$. Nevertheless, to compute $F_k(x)$ the entire tree need not be constructed or stored; only $n$ evaluations of $G$ are needed.

Figure 7.2 (tree diagram, $n = 3$): the root holds $k$; its children hold $G_0(k)$ and $G_1(k)$; edges are labelled 0 (left) and 1 (right); at depth 2 the node reached by the path 01 holds $G_1(G_0(k))$; the highlighted leaf is $F_k(011) = G_1(G_1(G_0(k)))$.
FIGURE 7.2: Constructing a pseudorandom function.
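The following Python is an added example and not part of the slides or of [KL]. It implements the tree walk of Construction 7.21 with SHA-256 standing in for the length-doubling PRG $G$ (an assumption made so the code runs offline; the construction itself requires a genuine PRG). The toy accepts inputs of any bit length so that the $n = 3$ walk of Figure 7.2 can be reproduced with a 256-bit key, whereas the construction proper fixes $|x| = |k| = n$. The demo key is constructed for illustration.

```python
"""Added example (not from the slides or [KL]): the tree walk of Construction 7.21.
SHA-256 stands in for the length-doubling PRG G (an assumption; the construction
needs a genuine PRG).  The toy accepts inputs of any length so that the n = 3
example of Figure 7.2 can be reproduced with a 256-bit key; the construction
proper fixes |x| = |k| = n."""
import hashlib

N_BYTES = 32   # n = 256 bits: the key and every node value are 32 bytes


def G(k: bytes) -> bytes:
    """Stand-in PRG with expansion factor l(n) = 2n: 32-byte seed -> 64-byte output.
    Domain separation by a prefix byte keeps the two halves unrelated-looking."""
    assert len(k) == N_BYTES
    return hashlib.sha256(b"\x00" + k).digest() + hashlib.sha256(b"\x01" + k).digest()


def G0(k: bytes) -> bytes:
    """First n bits of G(k): the value of the left child."""
    return G(k)[:N_BYTES]


def G1(k: bytes) -> bytes:
    """Last n bits of G(k): the value of the right child."""
    return G(k)[N_BYTES:]


def ggm_prf(k: bytes, x: str) -> tuple:
    """F_k(x_1...x_n) = G_{x_n}(...(G_{x_2}(G_{x_1}(k)))...).
    Walk from the root, left on '0', right on '1'.  Returns (leaf value, number
    of G evaluations); the count is len(x), and only the current node is kept."""
    if set(x) - {"0", "1"}:
        raise ValueError("x must be a bit string")
    node, evaluations = k, 0
    for bit in x:
        node = G0(node) if bit == "0" else G1(node)
        evaluations += 1
    return node, evaluations


def full_tree_leaves(k: bytes, depth: int) -> dict:
    """The exponential object the walk avoids: all 2**depth leaves, keyed by path.
    Only used to check the walk against Figure 7.2 for a small depth."""
    level = {"": k}
    for _ in range(depth):
        level = {path + b: (G0 if b == "0" else G1)(v)
                 for path, v in level.items() for b in "01"}
    return level


if __name__ == "__main__":
    key = bytes(range(N_BYTES))                  # constructed demo key
    leaf, count = ggm_prf(key, "011")
    print("F_k(011) == G1(G1(G0(k))):", leaf == G1(G1(G0(key))), "evaluations:", count)
    print("distinct leaves at depth 3:", len(set(full_tree_leaves(key, 3).values())))
```

`ggm_prf` touches exactly `len(x)` nodes, which is the point of the final paragraph above: the full tree of `full_tree_leaves` has $2^n$ leaves and is only built here for depth 3 to confirm that the walk lands on the same leaf.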
Feistel Network to get PRP from PRF

Figure 7.3 (diagram): input halves $(L_0, R_0)$; round 1 applies $F_{k_1}$ and yields $(L_1, R_1)$; round 2 applies $F_{k_2}$ and yields $(L_2, R_2)$; round 3 applies $F_{k_3}$ and yields the output $(L_3, R_3)$.
FIGURE 7.3: A three-round Feistel network, as used to construct a pseudorandom permutation from a pseudorandom function.

PROOF: In the standard way, we can replace the pseudorandom functions
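The following Python is an added example, not code from the slides or from [KL]. It builds a toy three-round Feistel cipher (16-bit block, 16-bit key) in the shape of Figure 7.3, with SHA-256 standing in for the round PRFs $F_{k_i}$ and for the derivation of the round keys (both assumptions made so the code runs offline). It serves two passages of this session: it checks that the Feistel network is a permutation regardless of what the round function does, so that a PRF gives a PRP, and, for the DESX questions earlier, it shows why outer-only whitening (DESY) and inner-only whitening (DESZ) do not raise the cost of exhaustive key search: the XOR of two known plaintext/ciphertext pairs cancels the whitening key, so the master key is recovered with $2^{|k|}$ trial encryptions and the whitening key follows from one pair. Keys and messages are constructed for the demonstration.

```python
"""Added example (not from the slides or [KL]): a toy Feistel cipher used to show
(1) that a Feistel network built from any round function is a permutation and
(2) why outer-only (DESY) or inner-only (DESZ) key whitening does not add to the
cost of exhaustive key search.  Toy parameters; SHA-256 stands in for the PRF."""
import functools
import hashlib

KEY_BITS = 16        # toy master key, so 2**16 trial encryptions is a quick search
HALF_MASK = 0xFF     # toy block = two 8-bit halves (L, R)
ROUNDS = 3           # three rounds, as in Figure 7.3


@functools.lru_cache(maxsize=None)
def round_keys(k: int) -> tuple:
    """Derive ROUNDS round keys k_1..k_r from the master key (toy KDF, an assumption)."""
    return tuple(hashlib.sha256(k.to_bytes(2, "big") + bytes([i])).digest()[:4]
                 for i in range(ROUNDS))


def prf(round_key: bytes, half: int) -> int:
    """Stand-in for the PRF F_{k_i}: {0,1}^8 -> {0,1}^8 (SHA-256 truncated to one byte)."""
    return hashlib.sha256(round_key + bytes([half])).digest()[0]


def feistel_encrypt(k: int, m: int) -> int:
    """One round maps (L_i, R_i) to (L_{i+1}, R_{i+1}) = (R_i, L_i xor F_{k_i}(R_i))."""
    left, right = m >> 8, m & HALF_MASK
    for rk in round_keys(k):
        left, right = right, left ^ prf(rk, right)
    return (left << 8) | right


def feistel_decrypt(k: int, c: int) -> int:
    """Inverse round: R_i = L_{i+1}, L_i = R_{i+1} xor F_{k_i}(L_{i+1}); F is never inverted."""
    left, right = c >> 8, c & HALF_MASK
    for rk in reversed(round_keys(k)):
        left, right = right ^ prf(rk, left), left
    return (left << 8) | right


def is_permutation(k: int) -> bool:
    """Every 16-bit block is hit exactly once, whatever the round function does."""
    return len({feistel_encrypt(k, m) for m in range(1 << 16)}) == 1 << 16


# Whitening variants from the DESX slide, with the toy cipher in place of DES.
def desy_encrypt(k, ko, m): return ko ^ feistel_encrypt(k, m)
def desz_encrypt(k, ki, m): return feistel_encrypt(k, m ^ ki)
def desx_encrypt(k, ko, ki, m): return ko ^ feistel_encrypt(k, m ^ ki)


def recover_desy(pairs):
    """Known-plaintext search for DESY.  c_1 xor c_j = E_k(m_1) xor E_k(m_j) no longer
    involves ko, so k is found with 2**KEY_BITS trials and ko from a single pair.
    Returns every (k, ko) consistent with the pairs."""
    (m1, c1), rest = pairs[0], pairs[1:]
    found = []
    for k in range(1 << KEY_BITS):
        e1 = feistel_encrypt(k, m1)
        if all(feistel_encrypt(k, m) ^ e1 == c ^ c1 for m, c in rest):
            found.append((k, c1 ^ e1))
    return found


def recover_desz(pairs):
    """Same idea against DESZ, run backwards: D_k(c_1) xor D_k(c_j) = m_1 xor m_j
    does not involve ki, so k is found first and ki = D_k(c_1) xor m_1 afterwards."""
    (m1, c1), rest = pairs[0], pairs[1:]
    found = []
    for k in range(1 << KEY_BITS):
        d1 = feistel_decrypt(k, c1)
        if all(feistel_decrypt(k, c) ^ d1 == m ^ m1 for m, c in rest):
            found.append((k, d1 ^ m1))
    return found


if __name__ == "__main__":
    k, ko, ki = 0xBEEF, 0x1234, 0xA5A5          # constructed toy keys
    msgs = [0x0001, 0x7F3C, 0xFFFF]              # constructed known plaintexts
    print("Feistel is a permutation:", is_permutation(k))
    print("DESY candidates:", recover_desy([(m, desy_encrypt(k, ko, m)) for m in msgs]))
    print("DESZ candidates:", recover_desz([(m, desz_encrypt(k, ki, m)) for m in msgs]))
```

With both an inner and an outer key, as in DESX, the same cancellation is not available: $c_1 \oplus c_2 = E_k(m_1 \oplus k_i) \oplus E_k(m_2 \oplus k_i)$ still depends on $k_i$, so this particular search does not go through, which is the point of asking why both keys are needed.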
Problem 1
• Let h be a length-preserving one-way function and let f be defined as follows, for x of length n:
  if $x_{n/2+1} \cdots x_n = 0^{n/2}$, then $f(x) = 0^{|x|}$;
  else $f(x) = h(x_1 \cdots x_{n/2}) \,\|\, 0^{n/2}$.
  One can prove that f is one-way.
• Prove that $g(x) = f(f(x))$ is not one-way.
• Prove that $g(x) = (f(x), f(f(x)))$ is a one-way function.
Problem 2
• Let G be a PRG with expansion factor $\ell(n) = n + 1$. Prove that G is a one-way function.