--------------------------------------------------------------------------
CSE 227 - Lecture 3 - October 15, 2001
--------------------------------------------------------------------------

Last time: PRPs and PRFs

Today:
  0. Review
  1. PRP/PRF Switching Lemma
  2. A strengthening that isn't: a gentle introduction to hybrid arguments
  3. Pseudorandom generators (PRGs)
  4. One-way functions (OWFs)
  5. Eliminating coins
  6. Start symmetric encryption

_____________________________________________________________________________
0. Review

  Adv^prp_E(A) = Pr[K <- \K: A^{E_K} = 1] - Pr[\pi <-$ Perm(n): A^\pi = 1]
  Adv^prf_F(A) = Pr[K <- \K: A^{F_K} = 1] - Pr[\rho <-$ Rand(n): A^\rho = 1]

Count: draw the picture of the PRF and PRP subspaces.

"Making computationally available to parties a shared random function/permutation."

So far, we've assumed that the domain and range of our PRPs and PRFs are \bits^n.
More general PRFs and PRPs: let the domain be arbitrary, subject to three
conditions: if it contains a string of one length, it contains all strings of
that length; it is easy to decide whether a string is in the domain or not;
and it is nonempty.

_____________________________________________________________________________
1. PRP/PRF Switching Lemma

Proposition: For any adversary A that makes at most q queries,

  | Adv^prf_E(A) - Adv^prp_E(A) |  <=  q^2 / (2 * 2^n)

Proof: must show

  Adv^prp_E(A) - q^2/(2*2^n)  <=  Adv^prf_E(A)  <=  Adv^prp_E(A) + q^2/(2*2^n)

Do the RHS; the LHS is analogous. Let COLL be the event that two of rho's
answers to A's (distinct) queries coincide; this can never happen for pi.

  Adv^prf_E(A) - Adv^prp_E(A)
    = (Pr[A^{E_K}=1] - Pr[A^rho=1]) - (Pr[A^{E_K}=1] - Pr[A^pi=1])
    = Pr[A^rho=1] - Pr[A^pi=1]
    = Pr[A^rho=1 | COLL] Pr[COLL] + Pr[A^rho=1 | no COLL] Pr[no COLL] - Pr[A^pi=1]
   <= Pr[COLL] + Pr[A^rho=1 | no COLL] - Pr[A^pi=1]
   <= Pr[COLL]

(the last step because, conditioned on no COLL, rho's answers are distributed
exactly like pi's, so the two remaining terms cancel), i.e.

  Adv^prf_E(A) <= Adv^prp_E(A) + Pr[COLL].

Now write COLL = Union_{i=1}^q COLL_i, where COLL_i is the event that the i-th
answer equals one of the i-1 earlier answers. Then

  Pr[COLL] <= sum_{i=1}^q Pr[COLL_i]
           <= (0 + 1 + 2 + ... + (q-1)) / 2^n
            = q(q-1) / (2*2^n)
           <= q^2 / (2*2^n)

_____________________________________________________________________________
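The collision term is the whole content of the switching lemma, so it is worth seeing the numbers. The following is an added example, not part of the lecture notes: it computes Pr[COLL] exactly from the birthday product used in the proof, compares it with the bound q(q-1)/(2*2^n), and checks the exact value against a simulation of a lazily sampled random function rho on q distinct queries. The function names and the small parameters (n = 16) are my own choices.

```python
# Added example (not from the lecture notes): the collision term in the
# PRP/PRF switching lemma, exactly and by simulation.
import random
from fractions import Fraction


def switching_bound(n: int, q: int) -> Fraction:
    """The lemma's bound on |Adv^prf_E(A) - Adv^prp_E(A)|: q(q-1) / (2 * 2^n)."""
    return Fraction(q * (q - 1), 2 * 2 ** n)


def exact_collision_prob(n: int, q: int) -> Fraction:
    """Pr[COLL] for q uniform, independent n-bit answers (rho on q distinct queries).

    Pr[no COLL] = prod_{i=0}^{q-1} (1 - i/2^n): the i-th answer must avoid the
    i earlier ones.  The factor for i = 2^n is zero, so q > 2^n gives Pr[COLL] = 1.
    """
    no_coll = Fraction(1)
    for i in range(q):
        no_coll *= Fraction(2 ** n - i, 2 ** n)
    return 1 - no_coll


def simulated_collision_prob(n: int, q: int, trials: int, seed: int = 0) -> float:
    """Estimate Pr[COLL] by sampling rho's q answers and checking for a repeat.

    A random function on q distinct inputs is just q independent uniform
    n-bit strings, so no table is needed.  Deterministic for a fixed seed.
    """
    rng = random.Random(seed)
    collisions = 0
    for _ in range(trials):
        answers = [rng.getrandbits(n) for _ in range(q)]
        if len(set(answers)) < q:
            collisions += 1
    return collisions / trials


if __name__ == "__main__":
    n = 16
    print(f"n = {n}:  q   exact Pr[COLL]   q(q-1)/2^(n+1)   simulated")
    for q in (2, 16, 64, 256):
        exact = exact_collision_prob(n, q)
        bound = switching_bound(n, q)
        sim = simulated_collision_prob(n, q, trials=2000)
        print(f"{q:>12}   {float(exact):.5f}          {float(bound):.5f}        {sim:.4f}")
```

The exact value sits just below the bound for every q, which is the point of the last line of the proof: the union bound over the COLL_i events loses nothing of importance, and the whole PRF/PRP gap is a birthday term.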
2. A strengthening that isn't: a gentle introduction to hybrid arguments

  // re for "real" or "reference"; te for "test"

  Adv^prp'_E(B) = Pr[K <- \K: B^{E_K, E_K} = 1]
                - Pr[K <- \K, \pi <- Perm(n): B^{E_K, \pi} = 1]

Essentially the same:

  * Given an adversary A that attacks E in the PRP sense, there is an
    approximately-as-good adversary B that attacks E in the PRP' sense.
    Trivial: don't use your "first" oracle.

  * Given an adversary B that attacks E in the PRP' sense, there is an
    approximately-as-good adversary A that attacks E in the PRP sense.
    Not as trivial.

"Hybrid argument"

  B^{E_K, E_K} vs. B^{E_K, pi}: B's behaviour differs significantly, by e', between these.

Look at three games, writing B's pair of oracles (re, te) as a superscript:

  (1) B^{E_K, E_K}    vs.    (2) B^{pi, pi}    vs.    (3) B^{E_K, pi}

Triangle inequality, writing (i) for Pr[B outputs 1 in game i]:
(1) - (3) >= e', so (1) - (2) >= e'/2 or (2) - (3) >= e'/2.

Case (1) - (2) >= e'/2: build A like this.

  A^f:
    Run B.
    When B makes an oracle query re(x), answer f(x).
    When B makes an oracle query te(x), answer f(x).
    When B outputs a bit b, output b.

  If A's oracle is real: Pr[A^re=1] = Pr[B^{re,re}=1]
  If A's oracle is fake: Pr[A^fa=1] = Pr[B^{fa,fa}=1]
  So Pr[A^re=1] - Pr[A^fa=1] = Pr[B^{re,re}=1] - Pr[B^{fa,fa}=1] >= e'/2

Case (2) - (3) >= e'/2: build A like this.

  A^f:
    Run B. Choose K at random.
    When B makes an oracle query re(x), answer f(x).
    When B makes an oracle query te(x), answer E_K(x).
    When B outputs a bit b, output 1-b.

  If A's oracle is real: Pr[A^re=1] = 1 - Pr[B^{re,fa}=1]
  If A's oracle is fake: Pr[A^fa=1] = 1 - Pr[B^{fa,fa}=1]
  So Pr[A^re=1] - Pr[A^fa=1] = 1 - Pr[B^{re,fa}=1] - 1 + Pr[B^{fa,fa}=1]
                             = Pr[B^{fa,fa}=1] - Pr[B^{re,fa}=1] >= e'/2

____________________________________________________________________________
3. PRGs

PRG, customary: G: \bits^k -> \bits^max where max > k. Think of G(K) as an
oracle that takes a query "NEXT BIT" and returns the next bit of G(K).

  Adv^prg_G(A) = Pr[K <- \bits^k: A^{G(K)} = 1] - Pr[A^$ = 1]

where $ is an oracle that returns fresh, uniformly random bits.
The adversary asks for m bits and runs in time t.

Construction: G(K) = F_K([0]) F_K([1]) F_K([2]) ... F_K([2^n-1])

Claim: if F is a secure PRF then G, constructed as above, is a secure PRG.
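The construction and the reduction Af that the notes work out next, as an added example that is not part of the lecture notes. HMAC-SHA256 stands in for the abstract PRF F (so n = 256, and [i] is the 4-byte big-endian encoding of the counter i); G is served bit by bit through a NEXT_BIT interface; run_Af is the wrapper that answers a PRG adversary's NEXT_BIT requests from an oracle f and counts the queries q' = ceil(m/n) it needs; the toy adversary make_Ag, the lazily sampled random oracle, and all names are my own.

```python
# Added example (not from the lecture notes): counter-mode PRG from a PRF and
# the PRF adversary Af that simulates the PRG game for a PRG adversary Ag.
import hashlib
import hmac
import math
import random

N = 256                                  # n: output length of the stand-in PRF, in bits
EXAMPLE_KEY = b"constructed-example-key"  # constructed sample key, not a real secret


def prf(key: bytes, i: int) -> str:
    """F_K([i]) as an N-character '0'/'1' string; HMAC-SHA256 stands in for F."""
    digest = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return format(int.from_bytes(digest, "big"), f"0{N}b")


def q_prime(m: int) -> int:
    """Number of PRF queries Af needs to serve m bits: ceil(m / n)."""
    return math.ceil(m / N)


def G_bits(key: bytes, m: int) -> str:
    """The first m bits of G(K) = F_K([0]) F_K([1]) ... (the block view of G)."""
    return "".join(prf(key, i) for i in range(q_prime(m)))[:m]


def run_Af(oracle, Ag):
    """Af^f from the notes: run Ag; on each NEXT_BIT fetch f([pos/n]) when pos is
    a multiple of n, hand out one bit of the current block, and finally return
    Ag's bit together with the number of oracle queries made."""
    state = {"pos": 0, "block": "", "queries": 0}

    def next_bit() -> str:
        if state["pos"] % N == 0:
            state["block"] = oracle(state["pos"] // N)
            state["queries"] += 1
        y = state["block"][state["pos"] % N]
        state["pos"] += 1
        return y

    return Ag(next_bit), state["queries"]


def make_Ag(m: int):
    """A toy PRG adversary asking for m bits.  It outputs 1 ("looks like G")
    unless it sees a run of 20 equal bits, a crude statistical test that has
    essentially no advantage against a good PRF.  Returns (Ag, seen) so the
    bits it was served can be inspected."""
    seen = []

    def Ag(next_bit) -> int:
        for _ in range(m):
            seen.append(next_bit())
        bits = "".join(seen)
        return 0 if ("0" * 20 in bits or "1" * 20 in bits) else 1

    return Ag, seen


def random_oracle(seed: int):
    """rho <-$ Rand(n), sampled lazily: a fresh uniform block for each counter."""
    rng, table = random.Random(seed), {}

    def rho(i: int) -> str:
        if i not in table:
            table[i] = format(rng.getrandbits(N), f"0{N}b")
        return table[i]

    return rho


if __name__ == "__main__":
    Ag, seen = make_Ag(700)
    b, q = run_Af(lambda i: prf(EXAMPLE_KEY, i), Ag)
    print(f"Af^F_K : Ag output {b} after q' = {q} PRF queries; bits match G(K): "
          f"{''.join(seen) == G_bits(EXAMPLE_KEY, 700)}")
    Ag, seen = make_Ag(700)
    b, q = run_Af(random_oracle(seed=1), Ag)
    print(f"Af^rho : Ag output {b} after q' = {q} oracle queries")
```

When the oracle is F_K, Ag is served exactly the bits of G(K); when it is rho, Ag is served fresh uniform bits, which is the $ world of the PRG game. That is why Pr[Af^F = 1] = Pr[Ag^G = 1] and Pr[Af^rho = 1] = Pr[Ag^$ = 1] with no loss, and the only costs are the extra bookkeeping time and the ceil(m/n) queries.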
Translate to provable-security language:

Let Ag be an adversary that attacks G: running in time t and asking for m bits,
Ag outputs a bit, 1 for "G-prediction" and 0 for "$-prediction", where
delta = Adv^prg_G(Ag) is reasonably large.

Want to construct an adversary Af for attacking F: running in time t' and
asking q' queries, Af outputs a bit, 1 for "F-prediction" and 0 for
"\rho-prediction", where delta' = Adv^prf_F(Af) is reasonably large.
(Hopefully, t' is small if t is, q' is small if m is, and delta' is large if
delta is.)

Definition of Af, which has an oracle f(.):

  Af^f:
    pos = 0                                  // number of bits returned so far
    Run Ag
    When Ag asks for NEXT_BIT:
        if (pos mod n = 0) then string = f([pos/n])
        y = string[(pos mod n) + 1]
        pos = pos + 1
        return y
    When Ag is done, outputting a bit b: return b

Analysis:

  t'  = t + O(nq)
  q'  = ceil(m / n)

  delta' = Adv^prf_F(Af) = Pr[Af^F = 1] - Pr[Af^rho = 1]
                         = Pr[Ag^G = 1] - Pr[Ag^$ = 1]
                         = Adv^prg_G(Ag) = delta

(When f = F_K, Af serves Ag exactly the bits of G(K); when f = rho, it serves
fresh uniform bits, which is exactly the $ oracle. So the simulation is perfect.)

To make a formal statement:

Proposition: Let F: \K x \bits^n -> \bits^n be a PRF, and let
G: \K -> \bits^{n 2^n} be defined by G(K) = F_K([0]) ... F_K([2^n-1]).
Let Ag be an adversary that runs in time t, asks for m bits and achieves
advantage delta = Adv^prg_G(Ag). Then there exists an adversary Af that runs
in time t', asks q' queries and achieves advantage delta' = Adv^prf_F(Af), where

  t'     = t + cm
  q'     = ceil(m/n)
  delta' = delta

Alternative way of saying things.

Proposition: Let F: \K x \bits^n -> \bits^n be a PRF, and let
G: \K -> \bits^{n 2^n} be defined by G(K) = F_K([0]) ... F_K([2^n-1]). Then

  Adv^prg_G(t, m) <= Adv^prf_F(t + cm, ceil(m/n))

for some absolute constant c.

_________________________________________________________________________
4. One-way functions (OWFs)

Let f: D -> R where D has a distribution on it (usually, D is finite).

  Adv^owf_f(I) = Pr[x <- D; Y = f(x); x' = I(Y): f(x') = Y]

Here I give credit for finding any preimage. Seems only fair.
Useful for the password-protection problem.
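A toy instance of the construction f(X) = F_X(0) that the notes take up next, and of the counting argument (Xset, Yset, epsilon, delta) behind its proof. This is an added example, not part of the lecture notes: F is a stand-in built from SHA-256 with tiny parameters k = 4 < n = 6 so that everything can be enumerated exactly; the inverter I is a deliberately weak, deterministic brute-force search over only half the key space, constructed here to give a non-trivial epsilon; adversary_A is the reduction's PRF adversary (query 0, run I on the answer, check the returned key). All names and parameters are my own.

```python
# Added example (not from the lecture notes): f(X) = F_X(0) as a candidate OWF,
# with the sets and probabilities of the PRF-to-OWF reduction computed exactly.
import hashlib
from fractions import Fraction

K_BITS, N_BITS = 4, 6            # toy key length k and block length n, with k < n


def F(X: int, x: int) -> int:
    """Stand-in PRF F_X(x): the low n bits of SHA-256(X || x).  Toy only."""
    h = hashlib.sha256(bytes([X, x])).digest()
    return int.from_bytes(h, "big") % (1 << N_BITS)


def f(X: int) -> int:
    """The candidate one-way function f(X) = F_X(0)."""
    return F(X, 0)


def inverter(Y: int) -> int:
    """A weak inverter I, constructed for the example: it brute-forces only the
    keys whose top bit is 0 and otherwise returns key 0.  Deterministic, which
    the notes argue is without loss of generality."""
    for X in range(1 << (K_BITS - 1)):
        if f(X) == Y:
            return X
    return 0


def Xset() -> set:
    """{X in {0,1}^k : f(I(f(X))) = f(X)} -- the x-values I succeeds on."""
    return {X for X in range(1 << K_BITS) if f(inverter(f(X))) == f(X)}


def Yset() -> set:
    """{Y in {0,1}^n : f(I(Y)) = Y} -- the y-values I succeeds on."""
    return {Y for Y in range(1 << N_BITS) if f(inverter(Y)) == Y}


def epsilon() -> Fraction:
    """Adv^owf_f(I) = |Xset| / 2^k, by enumeration over the key."""
    return Fraction(len(Xset()), 1 << K_BITS)


def delta() -> Fraction:
    """Pr[A^rho = 1] = Pr[Y <-$ {0,1}^n : f(I(Y)) = Y] = |Yset| / 2^n."""
    return Fraction(len(Yset()), 1 << N_BITS)


def adversary_A(g) -> int:
    """The reduction's PRF adversary A^g: query 0, run I on the answer Y,
    output 1 iff the returned key explains Y."""
    Y = g(0)
    x = inverter(Y)
    return 1 if f(x) == Y else 0


def prf_advantage_of_A() -> Fraction:
    """Adv^prf_F(A) = Pr[A^{F_X} = 1] - Pr[A^rho = 1], exactly: enumerate the
    key X in the real world and the uniform answer rho(0) in the random world
    (A asks only the query 0, so rho is determined by that one answer)."""
    real = Fraction(sum(adversary_A(lambda x, X=X: F(X, x)) for X in range(1 << K_BITS)),
                    1 << K_BITS)
    rand = Fraction(sum(adversary_A(lambda x, Y=Y: Y) for Y in range(1 << N_BITS)),
                    1 << N_BITS)
    return real - rand


if __name__ == "__main__":
    e, d = epsilon(), delta()
    print(f"|Xset| = {len(Xset())}, |Yset| = {len(Yset())}")
    print(f"epsilon = Adv^owf_f(I) = {e},  delta = Pr[A^rho=1] = {d}")
    print(f"Adv^prf_F(A) = {prf_advantage_of_A()}  (= epsilon - delta)")
    print(f"delta <= 2^(k-n) * epsilon: {d <= Fraction(1, 1 << (N_BITS - K_BITS)) * e}")
```

The map Y -> I(Y) sends Yset injectively into Xset (f(I(Y)) = Y recovers Y), so |Yset| <= |Xset| holds for any f and any deterministic I, and delta = |Yset|/2^n <= 2^{k-n} epsilon follows; with k < n that is at most epsilon/2, so Adv^prf_F(A) = epsilon - delta >= epsilon/2. The example prints those quantities for one concrete f and I.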
Suppose we are given a PRF F: {0,1}^k x {0,1}^n -> {0,1}^n. Let f(X) = F_X(0).
Security depends on k and n.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Problem 3.5: Give a convincing construction to show that F can be a good PRF
but f(X) = F_X(0) is NOT a good OWF. Assume F: {0,1}^{2n} x {0,1}^n -> {0,1}^n.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Suppose F: {0,1}^k x {0,1}^n -> {0,1}^n with k < n, and let
f: {0,1}^k -> {0,1}^n be defined from F in the manner we have described.
Assume k < n. Claim: Adv^prf(A) >= 0.5 Adv^owf(I), for the PRF adversary A
constructed from I below.

......................................................................
First a bit of preliminaries. "Wlog, I is deterministic." Justify in a moment.
......................................................................

Given:     an adversary I for inverting f(X) = F_X(0).
Construct: an adversary A for breaking F as a PRF.

Definition of A:
    Ask query 0, getting response Y.
    Run I(Y), getting a value x.
    If F_x(0) = Y then return 1 else return 0.

......................................................................

Claim: Adv^prf(A) >= (1/2) Adv^owf(I)

Let \e = Adv^owf(I).

  Adv^prf(A) = Pr[A^{F_X} = 1] - Pr[A^rho = 1]
             = Pr[X <-$ \bits^k: f(I(f(X))) = f(X)] - Pr[A^rho = 1]
             = \e - Pr[A^rho = 1]
             = \e - \delta

where
  \e     = Pr[X <-$ \bits^k: f(I(f(X))) = f(X)]
  \delta = Pr[Y <-$ \bits^n: f(I(Y)) = Y]

Want to show: delta = Pr[A^rho = 1] <= \e / 2.
Actually, we'll show the stronger bound delta <= 2^{k-n} \e, which is at most
\e / 2 since k < n.

Let Xset = {X \in \bits^k: f(I(f(X))) = f(X)}   // x-values I succeeds on
Let Yset = {Y \in \bits^n: f(I(Y)) = Y}         // y-values I succeeds on

  \e     = |Xset| / 2^k
  \delta = |Yset| / 2^n

  |Yset| <= |Xset| = 2^k \e       (k < n)

[text missing]

______________________________________________________________________
5. Eliminating coins

[text missing] >= Adv^owf_f(I). For that particular R, I(Y, R) is a
deterministic algorithm: R is "hardwired" into I.

Explain the "controversy" about this type of non-constructive argument.

"Wlog, the PRF-attacking adversary is deterministic."

  Adv^prf_F(A) = Pr[R <-$ \bits^r; K <-$ \bits^k: A^{F_K}(R) = 1]
               - Pr[R <-$ \bits^r; \rho <-$ Rand(n,n): A^\rho(R) = 1]

Let m_R = the advantage associated to coins R.
Then Adv^prf_F(A) = average_R { m_R }.
So some particular coins achieve an associated advantage at least the expectation.

______________________________________________________________________
6. Start symmetric encryption