Online Cryptography Course
Dan Boneh

Using block ciphers
Review: PRPs and PRFs

Block ciphers: crypto work horse

n-bit PT block → E, D (key: k bits) → n-bit CT block

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits

Abstractly: PRPs and PRFs

• Pseudo Random Function (PRF) defined over (K,X,Y):
    F: K × X → Y
  such that exists "efficient" algorithm to evaluate F(k,x)
• Pseudo Random Permutation (PRP) defined over (K,X):
    E: K × X → X
  such that:
  1. Exists "efficient" deterministic algorithm to evaluate E(k,x)
  2. The function E(k, ⋅) is one-to-one
  3. Exists "efficient" inversion algorithm D(k,x)

Secure PRFs

• Let F: K × X → Y be a PRF
    Funs[X,Y]: the set of all functions from X to Y
    $S_F$ = { F(k,⋅) s.t. k ∈ K } ⊆ Funs[X,Y]
• Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in $S_F$

(Diagram: $S_F$, of size |K|, inside Funs[X,Y], of size $|Y|^{|X|}$.)

Secure PRF: definition

• For b = 0,1 define experiment EXP(b) as:
    Chal.: if b=0: k←K, f←F(k,⋅); if b=1: f←Funs[X,Y]
    Adv. A: sends queries $x_1 ∈ X, x_2, …, x_q$, receives $f(x_1), f(x_2), …, f(x_q)$, and outputs b' ∈ {0,1}, which is the value of EXP(b)
• Def: F is a secure PRF if for all "efficient" A:
    $\mathrm{Adv}_{\mathrm{PRF}}[A,F] := |\Pr[\mathrm{EXP}(0)=1] - \Pr[\mathrm{EXP}(1)=1]|$ is "negligible."

Secure PRP (secure block cipher)

• For b = 0,1 define experiment EXP(b) as:
    Chal.: if b=0: k←K, f←E(k,⋅); if b=1: f←Perms[X]
    Adv. A: sends queries $x_1 ∈ X, x_2, …, x_q$, receives $f(x_1), f(x_2), …, f(x_q)$, and outputs b' ∈ {0,1}
• Def: E is a secure PRP if for all "efficient" A:
    $\mathrm{Adv}_{\mathrm{PRP}}[A,E] = |\Pr[\mathrm{EXP}(0)=1] - \Pr[\mathrm{EXP}(1)=1]|$ is "negligible."

Let X = {0,1}. Perms[X] contains two functions.
Consider the following PRP: key space K = {0,1}, input space X = {0,1}, PRP defined as:
    E(k,x) = x⨁k
Is this a secure PRP?
• Yes
• No
• It depends

Example secure PRPs

• PRPs believed to be secure: 3DES, AES, …
    AES-128: K × X → X where $K = X = \{0,1\}^{128}$
• An example concrete assumption about AES:
    All $2^{80}$-time algs A have $\mathrm{Adv}_{\mathrm{PRP}}[A, \mathrm{AES}] < 2^{-40}$

Consider the 1-bit PRP from the previous question: E(k,x) = x⨁k
Is it a secure PRF? Note that Funs[X,X] contains four functions.
• Yes
• No
• It depends

Attacker A:
(1) query f(⋅) at x=0 and x=1
(2) if f(0) = f(1) output "1", else "0"

$\mathrm{Adv}_{\mathrm{PRF}}[A,E] = |0 - ½| = ½$

PRF Switching Lemma

Any secure PRP is also a secure PRF, if |X| is sufficiently large.

Lemma: Let E be a PRP over (K,X). Then for any q-query adversary A:
    $|\mathrm{Adv}_{\mathrm{PRF}}[A,E] - \mathrm{Adv}_{\mathrm{PRP}}[A,E]| < q^2 / 2|X|$

⇒ Suppose |X| is large so that $q^2 / 2|X|$ is "negligible". Then $\mathrm{Adv}_{\mathrm{PRP}}[A,E]$ "negligible" ⇒ $\mathrm{Adv}_{\mathrm{PRF}}[A,E]$ "negligible".

Final note

• Suggestion: don't think about the inner-workings of AES and 3DES
• We assume both are secure PRPs and will see how to use them

End of Segment
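The attacker from the 1-bit example and the switching-lemma bound can be checked by exact enumeration. The following is an added example, not code from the course slides: the function names are my own, the attacker is generalized to q queries (output "1" on any repeated answer), and the 2-bit XOR cipher is an assumed extension of the slide's 1-bit E(k,x) = x⨁k.

```python
from fractions import Fraction
from itertools import permutations, product

def collision_adversary(f, q):
    """Slide's attacker, generalized: query f at 0..q-1, output 1 if two answers match."""
    answers = [f(x) for x in range(q)]
    return 1 if len(set(answers)) < q else 0

def pr_outputs_1(tables, q):
    """Exact Pr[A outputs 1] when f is uniform over the given function tables."""
    tables = list(tables)
    hits = sum(collision_adversary(t.__getitem__, q) for t in tables)
    return Fraction(hits, len(tables))

def advantages(n_bits, q):
    """Return (AdvPRF, AdvPRP, q^2 / 2|X|) for E(k,x) = x XOR k on n_bits-bit blocks.

    Everything is enumerated, so keep n_bits <= 2 (|Funs[X,X]| = |X|^|X|).
    """
    size = 1 << n_bits
    X = range(size)
    keyed = [tuple(x ^ k for x in X) for k in X]   # S_F = { E(k,.) : k in K }, K = X
    funs = product(X, repeat=size)                 # Funs[X,X] as value tables
    perms = permutations(X)                        # Perms[X] as value tables
    p_exp0 = pr_outputs_1(keyed, q)                # EXP(0): f = E(k,.) for random k
    adv_prf = abs(p_exp0 - pr_outputs_1(funs, q))  # EXP(1): f <- Funs[X,X]
    adv_prp = abs(p_exp0 - pr_outputs_1(perms, q)) # EXP(1): f <- Perms[X]
    return adv_prf, adv_prp, Fraction(q * q, 2 * size)

if __name__ == "__main__":
    for n_bits, q in [(1, 2), (2, 2), (2, 3)]:
        prf, prp, bound = advantages(n_bits, q)
        # The lemma's statement for this particular adversary
        assert abs(prf - prp) < bound
        print(f"n={n_bits} q={q}: AdvPRF={prf} AdvPRP={prp} q^2/2|X|={bound}")
```

For n = 1 and q = 2 this reproduces the slide's value of ½ for this attacker; the bound q²/2|X| is 1 there, which is why the lemma gives nothing useful until |X| is large.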