--------------------------------------------------------------------------
CSE 227 - Lecture 4 -  October 22, 2001
--------------------------------------------------------------------------

Last time: PRF, PRPs, PRGs 
Today: 0. Review
       1. One-way functions (OWFs)
       2. Eliminating coins
       3. Notions of symmetric encryption
       4. Using the definition to break schemes
       5. Equivalence of notions
       6. Security of CTR mode
_____________________________________________________________________________

0. Review 
 
 Adv^prp_E (A) = Pr[K\gets K: A^{E_K} = 1] - Pr[pi\getsr Perm(n):  A^\pi=1]
 Adv^prf_F (A) = Pr[K\gets K: A^{F_K} = 1] - Pr[rho\getsr Rand(n): A^\rho=1]

 | Adv_E^prf(A) - Adv_E^prp(A) | - q^2 / 2*2^n

 Add reference oracle: doesn't strengthen the notion
 Hybrid argument

 PRGs   An oracle G(K) that takes a query "NEXT BIT" and 
        returns the next bit of 

  Adv^prg_G(A) = Pr[K<-\gets^\ell: A^{G(K)})=1] - Pr[A^$=1]

_________________________________________________________________________

1. One-way functions (OWFs)

   Let f: D -> R   where D has a distribution on it (usually, finite)

   Adv^owf(I) = Pr[x <- D; Y=f(x);   x'=I(Y):  f(x') = Y].

   Here I give credit for finding any preimage. Seems only fair.

   Useful for password-protection problem.

   Suppose given PRF   F: {0,1}^k x {0,1}^n -> {0,1}^n.    

   Let f(X) = F_X(0).  Security depends on k and n.  

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Problem 3.5:  Give a construction to show that F can be a 
    good PRF but f(X)=F_X(ZERO) is NOT a good OWF.  
    Assume F: {0,1}^{2n} x {0,1}^n -> {0,1}^n.    
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   Suppose F: {0,1}^k x {0,1}^n -> {0,1}^n with k<n.  Then OK.    

   (Notes claim open if k=n.  But not true; I convinced myself this morning
   that this is doable.  Still, someone is welcome to do a complete writeup 
   for your project, if you wish.)


   THEOREM.  Let f:{0,1}^k x {0,1}^k \rightarrow {0,1}^n be obtained from
             F: {0,1}^k x {0,1}^n -> {0,1}^n in the manner we have described.
             Assume k<n.  
             Suppose there exists an adversary I that inverts
             f in time t.  
             Then there exists an adversary A that
             breaks F (as a PRP) using 
                   time = t + tiny
                   queries = 1
                   adv^prf(A) >= 0.5 Adv^owf(I) 
   ......................................................................

   First a bit of preliminaries.

   "Wlog, I is deterministic"
   Justify in a moment.

   ......................................................................

   Given: an adversary I for inverting f(X) = F_X(0).
   Construct: an adversary A for breaking F as a PRF.

   Definition of A:
         Ask query 0, getting response Y
         Run I(Y), getting a value x.
         if F_X(0)=Y then return 1 else return 0
   ......................................................................

   Claim:  Adv^prf(A) >= 2 Adv^owf(I)

   Let \e = Adv^owf(I)

   Adv^prf (A) = Pr [A^{F_X} = 1] - Pr[A^rho = 1]
               
               = Pr [X \getsr \bits^k: f(I(f(X))=f(X)] - Pr[A^rho=1]
                      
               = \e               - Pr[A^rho=1] 
                                     =\delta

where
   \e     = Pr [X\getsr\bits^k: f(I(f(X)))=f(X)]
   \delta = Pr [Y\getsr\bits^n: f(I(Y))=Y]  

   Want to show:  delta=Pr[A^rho=1] <= \e / 2
                           Actually, we'll show delta <= 1/(1-2^{k-n})  \e

   Let Xset = {X\in\bits^k: f(I(f(X)))=f(X)}   // x-values I succeeds on 
   Let Yset = {Y\in\bits^n: f(I(Y))=Y}         // y-values I succeeds on


   \e = |Xset|/2^k        \delta = |Yset|/2^n


           |Yset|    |Xset|      2^k \e                  (k<n)
   delta = -----  <= -----  <=   ------  <= 0.5 \e
            2^n       2^n          2^n

     Why is |Yset| <= |Xset| ??

      Xset: *                Yset: *
    -----------          ----------------------
    | . . *  *|          | . *  . . .  ..  .  |
    |  * .* * |          | .  . * .  .. .  .  |
    | .  * . .|          |.  *  . .  * ..  .  |
    | . * *  *|          | . . .. .  . . .  . |
    -----------          ----------------------

    strings of              strings of length n
    length k

   A string X is * if               A string Y is * if its
   it's in Xset -- I inverts        in Y -- I inverts Y.
   f(X), finding
   _some_ valid preimage 
   for it

                     Each distinct Y in Yset has a distinct f-preimage 
                     in X, and that preimage is necessarily in Xset.

2. Eliminating coins

   "Wlog, algorithm I is deterministic"

   Can usually do this.  DE-RANDOMIZATION ARGUMENT.

   Adv^owf_f(I) = Pr[R <- {0,1}^r; X <- {0,1}^k; f(I(f(X),R))=f(X)] 

   Average over random R and random X.
 
   Let m_R = Pr[X <- {0,1}^k: f(I(f(X),R))=f(X)] 

   Average the student's GPAs in the class: gpa[r,c] = GPA of student
   at row r, column c.
              avg {gpa[r,c]} = avg  { avg { gpa(r,c) }  }
              r,c               c      r

                             = avg    gpa_r (c)
                                c
   Then    

      Adv^owf_f(I) = 1/2^r \sum_R m_R  is just the average of

  (Justification
   Let INVERTS    = {(X,R): X in bits^k and R in \bits^r and f(I(f(X),R))=f(X)}
       INVERTS(R) = {X: X in bits^k f(I(f(X),R))=f(X)}
   Adv^owf_f(I) = |INVERTS| 2^{k+r}.
                = sum_R  |INVERTS(R)|/2^k   / 2^r
               =  average_R  { m_R }
   )

   the different m_R values.  If you have a bunch of numbers that
   average out to a, at least one of the number is at least a!  Thus
   there exists an R such that  m_R >= Adv^owf_f(I).  For that
   particular R, I(Y, R) is a deterministic algorithm:  R is "hardwired"
   into I.  


   Explain the "controversy" about this type of non-constructive argument.
                           
   Works for other definitions, too.
   "Wlog, algorithm PRF-attacking adversary is deterministic."

   Adv^prf_F(A) = Pr[R\getsr\bits^r; K\getsr\bits^k: A^F_K(R)=1] - 
                  Pr[R\getsr\bits^r; \rho\getsr\Rand(n,n): A^rho(R)=1] 

   Let m_R = advantage associated to coins R.  Then 

   Adv^prf_F(A) = average_R { m_R } 

   So some particular coins achieve associated advantage at least
   the expectation.

______________________________________________________________________

3. Notions of symmetric encryption

3.0  Enc scheme syntax

     (\K, \E, \D)

     \E: {0,1} -> {0,1}^*
     probabilistic:  \bot only returned if outside the MessageSpace
     MessageSpace must be "reasonable" -- if contains a string of one length
       contains all strings of that length

     (stateful: \bot returned if outside the MessageSpace OR for some state, Message
        pairs (eg., depending on the length)

3.1  Not about recovering the key ("you can't recover the key by your attack" -- too weak)  
     Not about being unable to recover the plaintext 
     ("you can't recover the plaintexts from the ciphertexts" -- too weak)
     Not about looking random  ("the ciphertexts look random" -- too strong)

3.2 Real-or-random

     Adv^rr_Pi(A) = Pr[K <- \K; A^E_K(.) ] -  Pr [ K <- \K: A^E_K($^|.|) ] 

3.3 Left-or-right

     Adv^lr_Pi(A) = Pr[K <- \K; A^lr(.,.,0)=1] - Pr[K <- \K; A^lr(.,.,1)=1] 

     (queries M_0, M_1 must be of the same length and in the message space)

3.4 Find-then-guess

     Adv^fg_Pi(A) = 2 Pr[k <- K; (M_0, M_1, s) <- A^E_k(find); b <- 0; C <- E_k(M_b):
                              A^E_k(guess,s,C) = b] - 1

     (messages M_0 and M_1 must have the same length)


3.5. Semantic security  "whatever you can know about the plaintext given the ciphertext
                        you can know just as well in the ABSENCE of the ciphertext"

     Adv^sem_Pi(A) = Pr [K <- \K; (\M,f,s) <- A^E_k(select); M <- \M; C <- E_K(M):
                            A^E_K (predict,C,s) = f(x) ]  -

                     Pr [K <- \K; (\M,f,s) <- A^E_k(select); M,M' <- \M; C <- E_K(M'):
                            A^E_K (predict,C,s) = f(x) ] 

     (all messages output by \M have the same length)

3.6. Claim equivalence of all these notions


........................................................................................

4. Does CBC/IV=0 work? NO.  IV=$  yes.  Not _too_   CTR mode.

4.1 Does deterministic encryption work. 



5. Equivalence


5.1. Left-or-right --> Real-or-random

Let Arr be an adversary that breaks Pi=(K,E,D) in the rr sense.  
Construct adversary Alr that break Pi in the lr sense.

Definition of Alr^f(.,.)

      Run Arr^g
        When Arr make an oracle query g(X):
           Choose a random X' of the same length as X.
           Y = f(X,X')
           return Y
        When Arr outputs a bit, b, 
           output b



5.2. Real-or-random --> Left-or-right

Let Alr be an adversary that breaks Pi=(K,E,D) in the lr sense.  
Construct adversary Arr that break Pi in the rr sense.

Definition of Arr^g(.)


       X    -     p = Pr[K\getsr\K: A^left_K(.,.)=1]    
                  
       $    $     r = Pr[K\getsr\K: A^$(.,.)=1]    
                  
       -    X'    q = Pr[K\getsr\K: A^right_K(.,.)=1]   


  e = p-q  = (p-r) + (r-q)
           so p-r > e/2          |    or r-q>=e/2
                                 |
    Run Alr^f                    |   Run Alr^f
      When Alr queries f(X,X')   |      When Alr queries f(X,X')
        Return g(X)              |         Return g(X')
      When Alr outputs b         |      When Alr outputs b
        Output b                 |         Output 1-b
                                 |

5.3.   RR -->  FG

   If Pi is secure in the rr-sense  
   then Pi is secure in the fg-sense.

       Suppose there was an adversary FG that attacks Pi in the fg-sense.
       Then there would be an adversary RR that attacks Pi rr-sense.


   Definition of RR^g  
   ------------------

       Run FG^f (find)
         When FG makes a query x of f, answer with g(x).
   
       When FG outputs (M_0, M_1, s):
         b <- {0,1}
         C <- g(M_b)

       Run FG^f (guess, C, s)
          When FG makes a query x of f, answer with g(x)

       When FG outputs a bit, b', 
          If b=b' then return 1 // guess "real"
                  else return 0 // guess "fake"


   Analysis of RR^g  
   ----------------
   Suppose that g is instantiated by a "real" encryption oracle. Perfectly
   simulates FG's "native" environment:
      Pr [ RR^{E_K(.)}=1 ] = Pr [ k <- K; (M_0, M_1, s) <- A^E_k (find);
                                  b <- {0,1}; C <- E_k(M_b): A^E_k (guess, C, s) =b] 

   If g is instantiated by a "fake" encryption oracle:

      Pr [ RR^{E_K($^|.|)}=1 ] =  1/2

   So 

      Adv^rr (RR) =  [ RR^{E_k(.)}=1 ] -  Pr [ RR^{E_k($^|.|)=1 ]

                  = Pr [ k <- K; (M_0, M_1, s) <- A^E_k (find);
                         b <- {0,1}; C <- E_k(M_b): A^E_k (guess, C, s) =b]   -  1/2
 
   So
     2 Adv^rr (RR) = 2 Pr [ k <- K; (M_0, M_1, s) <- A^E_k (find);
                         b <- {0,1}; C <- E_k(M_b): A^E_k (guess, C, s) =b]   -  1
                   = Adv^fg  (FG)

   ie
       Adv^rr (RR) = Adv^fg  /  2


5.4. If Pi is secure in the fg-sense
     then Pi is secure in the rr-sense.

       Suppose there is an adversary RR that attacks Pi in the rr-sense.
       Then there is an adversary FG that attacks fg-sense.

   Idea
   ....
        RR makes q queries to g.  Suppose answer all random   P_q    -- gap
                                                 all real     P_0    __/

                       Answer answer first j random,   P_j
                                     next q-j real.    
                       P_0 P_1 ... P_q
                       P_0 - P_q  > delta, so  there is some 
                       P_j - P_{j+1} > delta/q    (0 <= i < q)
                       In fact, for a random i,
                          E [ P_j - P_{j+1} ] > delta/q  

     
   Definition of FG^f   0 <= j <= q-1
   --------------------------------------

    FG^f(find)
    ..........

       choose j at random from {0..q-1}

       Run RR^g:

         When RR makes it's i'th query, x_i, of g: 
             * if i <= j, return y_i <- f($^|.|)
             * if i = j+1, we are done with the find-stage.
               Output  (M_0, M_1, s) <- ($^|x_i|,  x_i,  current state of RR)

       //  C <- E_k(M_b) for some random bit b.   We don't see b or k

    FG^f(guess, C, s)
    ..........

       Restore RR to state s.  RR just asked some query x_{j+1}.  Return C.
       Continue running RR.

       When RR makes subsequent oracle queries, x_i, of g: 
            return f(x_i) 

       When RR outputs a bit, b', output b'.


   Analysis of FG^f  
   ----------------
        You get the idea...




5. Achieving security with CTR mode
   Start by reviewing PRF notion


   Define (stateful) CTR mode:   CTR = (K, E, D) ...

   ------------------------------------------------------------------------
   Prop (informal):  Security of CTR-mode.
         If f is a secure PRP, CTR[f] is a secure encryption scheme.
            Namely, if there is an adversary encA that breaks CTR[f], 
            there is an adversary prfA that breaks f (in the prf-sense). 
   ------------------------------------------------------------------------

   Proof:  Let encA be an adversary that attacks CTR[f] in the rr-sense.  We must construct an 
           adversary prfA that distinguishes real block cipher from a random function


   Common idea:  first pretend that f were a RANDOM function.
   Argue that there would be NO advantage:

        Pr [encA^CTR_rho(.) = 1 ]  
      = Pr [encA^CTR_rho($^|.|) = 1 ]  
      = Pr [encA^CTR_k  ($^|.|) = 1 ]  
 
   no matter what encA does -- because all it sees is the next counter and uniform
   random bits.

   Know:

        Pr [encA^CTR_k(.) = 1]  - Pr [encA^CTR_k($^|.|) = 1] = delta 
               
 
        Algorithm:  prfA^f: 
        ----------------
             Run encA^CTR, simulating the encryption oracle CTR by using f.
             When encA outputs a bit, b, return b. 
            
        -----------------

        Pr [ prfA^E_k = 1 ]  =  Pr [encA^CTR_k(.) = 1]
        Pr [ prfA^rho = 1 ]  =  Pr [encA^CTR_rho(.) = 1]
                             =  Pr [encA^CTR_k($^|.|) = 1]

       So 
       Adv^prf(prfA) = Pr [ prfA^E_k = 1 ] - Pr [ prfA^rho = 1 ]  
      =  Pr [ encA^CTR_k(.) = 1] - Pr [encA^CTR_k($^|.|) = 1]
      =  Adv^rr

       Adv^rr (D)  =  Pr [ A^E_k(.) = 1 ] - Pr [ A^\rho(.) = 1 ]  
                    =  Adv^prf (A)
                    =  Pr [ RR^E_k(.) = 1] - Pr [ RR^\rho(.) = 1]


6. Achieve with CBC / 0IV  (wrong)
   Achieve with CBC / $IV

   Describe.  Most common way to encrypt.  No time to prove.  


7. Asym encryption

     Review trust model.

     Asym Definition
  
     Describe "raw" RSA method.

     Describe "hash" RSA.
                           r^e mod N      H(r) xor M

     Describe OAEP

     Discuss "hybrid" encryption
   
........................................................................................
                 











______________________________________________________________________

Problem 3.5:  Give a construction to show that F can be a 
    good PRF but f(X)=F_X(ZERO) is NOT a good OWF.  
    Assume F: {0,1}^{2n} x {0,1}^n -> {0,1}^n.    


Problem 3.6:  

Let f: D -> R be a function, where X has an associated distribution.
Suppose there is a probabilistic adversary I that, in time t, obtains advantage
    \e  = Adv^owf_f (I) =Pr [X\getsr D: f(I(F(X)))=Y]
Show that there is a deterministic adversary I that, in essentially the same time,
obtains the same advantage, \e.


Exercise 3.7.

Consider the following definition of the security of a OWF:
    Adv^owf'_f (I) =Pr [X\getsr D: I(F(X)))=X]
Give an example of a OWF that is secure in this sense but 
not secure in the sense that we defined.
   



12345678901234567890123456789012345678901234567890123456789012345678901234567890