
Constructing CPA-Secure Encryption Schemes

In the document II Private-Key (Symmetric) Cryptography 45 (Page 99-114)

Private-Key Encryption and Pseudorandomness

3.6 Constructing CPA-Secure Encryption Schemes

In this section we will construct encryption schemes that are secure against chosen-plaintext attacks. We begin by introducing the important notion of pseudorandom functions.

3.6.1 Pseudorandom Functions

As we have seen, pseudorandom generators can be used to obtain security in the presence of eavesdropping adversaries. The notion of pseudorandomness is also instrumental in obtaining security against chosen-plaintext attacks. Now, however, instead of considering pseudorandom strings, we consider pseudorandom functions. We will specifically be interested in pseudorandom functions mapping n-bit strings to n-bit strings. As in our earlier discussion of pseudorandomness, it does not make much sense to say that any fixed function f : {0,1}^n → {0,1}^n is pseudorandom (in the same way that it makes little sense to say that any fixed function is random). Thus, we must technically refer to the pseudorandomness of a distribution on functions. An easy way to do this is to consider keyed functions, defined next.

A keyed function F is a two-input function F : {0,1}^* × {0,1}^* → {0,1}^*, where the first input is called the key and denoted k, and the second input is just called the input. In general the key k will be chosen and then fixed, and we will then be interested in the (single-input) function F_k : {0,1}^* → {0,1}^* defined by F_k(x) := F(k, x). For simplicity, we will assume that F is length-preserving so that the key, input, and output lengths of F are all the same; i.e., we assume that the function F is only defined when the key k and the input x have the same length, in which case |F_k(x)| = |x| = |k|. So, by fixing a key k ∈ {0,1}^n we obtain a function F_k(·) mapping n-bit strings to n-bit strings.

We say F is efficient if there is a deterministic polynomial-time algorithm that computes F(k, x) given k and x as input. We will only be interested in functions F that are efficient.

A keyed function F induces a natural distribution on functions given by choosing a random key k ← {0,1}^n and then considering the resulting single-input function F_k. Intuitively, we call F pseudorandom if the function F_k (for randomly-chosen key k) is indistinguishable from a function chosen uniformly at random from the set of all functions having the same domain and range; that is, if no polynomial-time adversary can distinguish whether it is interacting (in a sense we will more carefully define soon) with F_k (for randomly-chosen key k) or f (where f is chosen at random from the set of all functions mapping n-bit strings to n-bit strings).

Since the notion of choosing a function at random is less familiar than the notion of choosing a string at random, it is worth spending a bit more time on this idea. From a mathematical point of view, we can consider the set Func_n of all functions mapping n-bit strings to n-bit strings; this set is finite (as we will see in a moment), and so randomly selecting a function mapping n-bit strings to n-bit strings corresponds exactly to choosing an element uniformly at random from this set. How large is the set Func_n? A function f is exactly specified by its value on each point in its domain; in fact, we can view any function (over a finite domain) as a large look-up table that stores f(x) in the row of the table labeled by x. For f_n ∈ Func_n, the look-up table for f_n has 2^n rows (one for each point of the domain {0,1}^n) and each row contains an n-bit string (since the range of f_n is {0,1}^n). Any such table can thus be represented using exactly n·2^n bits. Moreover, the functions in Func_n are in one-to-one correspondence with look-up tables of this form; meaning that they are in one-to-one correspondence with all strings of length n·2^n. We conclude that the size of Func_n is 2^(n·2^n).

Viewing a function as a look-up table provides another useful way to think about selecting a function f_n ∈ Func_n uniformly at random. Indeed, this is exactly equivalent to choosing each row of the look-up table of f_n uniformly at random. That is, the values f_n(x) and f_n(y) (for x ≠ y) are completely independent and uniformly distributed.

Coming back to our discussion of pseudorandom functions, recall that we wish to construct a keyed function F such that F_k (for k ← {0,1}^n chosen uniformly at random) is indistinguishable from f_n (for f_n ← Func_n chosen uniformly at random). Note that the former is chosen from a distribution over (at most) 2^n distinct functions, whereas the latter is chosen from a distribution over all 2^(n·2^n) functions in Func_n. Despite this, the “behavior” of these functions must look the same to any polynomial-time distinguisher.

A first attempt at formalizing the notion of a pseudorandom function would be to proceed in the same way as in Definition 3.15. That is, we could require that every polynomial-time distinguisher D that receives a description of the pseudorandom function F_k outputs 1 with “almost” the same probability as when it receives a description of a random function f_n. However, this definition is inappropriate since the description of a random function has exponential length (i.e., given by its look-up table which has length n·2^n), while D is limited to running in polynomial time. So, D would not even have sufficient time to examine its entire input.

The actual definition therefore gives D oracle access to the function in question (either F_k or f_n); D is allowed to query the oracle at any point x, in response to which the oracle returns the value of the function evaluated at x.

We treat this oracle as a black-box in the same way as when we provided the adversary with oracle access to the encryption procedure in the definition of a chosen-plaintext attack. (Although here the oracle is computing a deterministic function, and so always returns the same result when queried twice on the same input.) We are now ready to present the formal definition.

DEFINITION 3.24 Let F : {0,1}^* × {0,1}^* → {0,1}^* be an efficient, length-preserving, keyed function. We say F is a pseudorandom function if for all probabilistic polynomial-time distinguishers D, there exists a negligible function negl such that:

$$\Bigl|\Pr\bigl[D^{F_k(\cdot)}(1^n) = 1\bigr] - \Pr\bigl[D^{f_n(\cdot)}(1^n) = 1\bigr]\Bigr| \le \mathsf{negl}(n),$$

where k ← {0,1}^n is chosen uniformly at random and f_n is chosen uniformly at random from the set of functions mapping n-bit strings to n-bit strings.

Notice that D interacts freely with its oracle. Thus, it can ask queries adaptively, choosing the next input based on the previous outputs received.

However, since D runs in polynomial time, it can only ask a polynomial number of queries. Notice also that a pseudorandom function must inherit any efficiently checkable property of a random function. For example, even if x and x' differ in only a single bit, the outputs F_k(x) and F_k(x') must (with overwhelming probability over choice of k) look completely uncorrelated. This gives a hint as to why pseudorandom functions are useful for constructing secure encryption schemes.

An important point in the definition is that the distinguisher D is not given the key k. It is meaningless to require that F_k be pseudorandom if k is known, since it is trivial to distinguish an oracle for F_k from an oracle for f_n given k: simply query the oracle at the point 0^n to obtain the answer y, and compare this to the result y' = F_k(0^n) that can be computed using the known value k. An oracle for F_k will always return y = y', while an oracle for a random function will have y = y' with probability only 2^{-n}. In practice, this means that once k is revealed then all claims to the pseudorandomness of F_k no longer hold. To take a concrete (though made-up) example: say F is pseudorandom. Then given oracle access to F_k (for random k), it will be hard to find an input x for which F_k(x) = 0^n (since it would be hard to find such an input for a truly random function f_n). But if k is known then finding such an input may be easy.
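The following is an added example, not code from the textbook: it makes the objects of this subsection concrete in Python. The truly random function f_n is sampled lazily, one row of the look-up table at a time (which is equivalent to choosing the whole table at random, as the text explains); the "pseudorandom function" is an assumed stand-in, HMAC-SHA256 keyed with k and truncated to |k| bytes so that it is length-preserving; and known_key_check is the 0^n test described in the paragraph above.

```python
import hashlib
import hmac
import os

# Added example (not from the textbook). The PRF is an assumed stand-in:
# HMAC-SHA256 keyed with k, truncated to |k| bytes so that F_k is
# length-preserving as in the text. The random function is sampled lazily.


def size_of_func_n(n_bits):
    """|Func_n|: a look-up table with 2^n rows of n bits is n*2^n bits long and
    every such table is a distinct function, so |Func_n| = 2^(n * 2^n)."""
    return 2 ** (n_bits * 2 ** n_bits)


class RandomFunction:
    """f_n drawn uniformly from Func_n, sampled row by row: f_n(x) is chosen
    uniformly (independently of every other row) the first time x is queried
    and remembered afterwards, so repeated queries on x are consistent."""

    def __init__(self, n_bytes):
        self.n = n_bytes
        self.table = {}

    def __call__(self, x):
        if len(x) != self.n:
            raise ValueError("input must be exactly n bytes")
        if x not in self.table:
            self.table[x] = os.urandom(self.n)
        return self.table[x]


def make_prf(key):
    """F_k for a fixed key k (assumed stand-in PRF: HMAC-SHA256 truncated to |k| bytes)."""
    n = len(key)
    if not 1 <= n <= hashlib.sha256().digest_size:
        raise ValueError("key length must be between 1 and 32 bytes")

    def F_k(x):
        if len(x) != n:
            raise ValueError("input must be exactly n bytes")
        return hmac.new(key, x, hashlib.sha256).digest()[:n]

    return F_k


def known_key_check(oracle, key):
    """The test from the text: with k known, query the oracle at 0^n and compare
    with F_k(0^n) computed locally. True means the oracle answered like F_k;
    a truly random function agrees only with probability 2^-n."""
    zero = bytes(len(key))
    return oracle(zero) == make_prf(key)(zero)


def is_consistent_on(oracle, x, repeats=3):
    """Both F_k and f_n are deterministic: the same x always gets the same answer."""
    first = oracle(x)
    return all(oracle(x) == first for _ in range(repeats))
```

size_of_func_n is exact but only meaningful for tiny n (n = 8 already gives a 2048-bit number); RandomFunction is the usual way to "have" a random function without materialising its 2^n-row table.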

On the existence of pseudorandom functions. As with pseudorandom generators, it is important to ask whether such entities exist (and under what assumptions). For now we just note that there exist efficient primitives called block ciphers that are believed to act as pseudorandom functions. From a theoretical point of view, pseudorandom functions exist if and only if pseudorandom generators exist, and so pseudorandom functions can in fact be constructed based on any of the hard problems from which pseudorandom generators can be constructed. We will discuss these issues further in Chapters 5 and 6. We remark that the existence of pseudorandom functions is very surprising, and the fact that these can be constructed based on hard problems of a certain type represents one of the truly amazing contributions of modern cryptography.

Using pseudorandom functions in cryptography. Pseudorandom functions turn out to be a very useful building block for a number of different cryptographic constructions. We use them below to obtain CPA-secure encryption and in Chapter 4 to construct message authentication codes. One of the reasons that they are so useful is that they enable a clean and elegant analysis of the constructions that use them. That is, given a scheme that is based on a pseudorandom function, a general way of analyzing the scheme is to first prove its security under the assumption that a truly random function is used instead. This step relies on a probabilistic analysis and has nothing to do with computational bounds or hardness. Next, the security of the original scheme is derived by proving that if an adversary can break the scheme when a pseudorandom function is used, then it must implicitly be distinguishing the function from random.

3.6.2 CPA-Secure Encryption Schemes from Pseudorandom Functions

We focus here on constructing a fixed-length encryption scheme that is CPA-secure. By what we have said at the end of Section 3.5, this implies the existence of a CPA-secure encryption scheme for arbitrary-length messages.

In Section 3.6.4 we will consider more efficient ways of handling messages of arbitrary length.

A naive attempt at constructing a secure encryption scheme from a pseudorandom function is to define Enc_k(m) = F_k(m). On the one hand, we expect that this “reveals no information about m” (since f_n(m) for a random function f_n is simply a random n-bit string). However, performing encryption in this way gives a deterministic encryption scheme and so it cannot be CPA-secure. Concretely, given c = Enc_k(m_b) it is possible to request an encryption of Enc_k(m_0) and Enc_k(m_1); since Enc_k(·) = F_k(·) is a deterministic function, one of the encryptions will equal c and thus reveal the value of b.

Our actual construction is probabilistic. Specifically, we encrypt by applying the pseudorandom function to a random value r (rather than the plaintext message) and XORing the result with the plaintext. (See Construction 3.25 and Figure ??.) This can again be viewed as an instance of XORing a pseudorandom “pad” with a plaintext message, with the major difference being the fact that an independent pseudorandom string is used each time (since the pseudorandom function is applied to a different input each time). Actually, this is not quite true since it is possible that a random value used for encryption repeats and is used more than once; we will have to explicitly take this into account in our proof.

CONSTRUCTION 3.25

Let F be a pseudorandom function. Define a private-key encryption scheme for messages of length n as follows:

• Gen: on input 1^n, choose k ← {0,1}^n uniformly at random and output it as the key.

• Enc: on input a key k ∈ {0,1}^n and a message m ∈ {0,1}^n, choose r ← {0,1}^n uniformly at random and output the ciphertext

c := ⟨r, F_k(r) ⊕ m⟩.

• Dec: on input a key k ∈ {0,1}^n and a ciphertext c = ⟨r, s⟩, output the plaintext message

m := F_k(r) ⊕ s.

A CPA-secure encryption scheme from any pseudorandom function.

Intuitively, security holds because F_k(r) looks completely random to an adversary who observes a ciphertext ⟨r, s⟩ (and thus the encryption scheme is similar to the one-time pad) as long as the value r was not used in some previous encryption (specifically, as long as it was not used by the encryption oracle when answering one of the adversary’s queries). Moreover, this “bad event” (namely, a repeating value of r) occurs with only negligible probability.
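As an added example (not the textbook's code), here is Construction 3.25 in Python next to the naive deterministic attempt Enc_k(m) = F_k(m) discussed earlier. The pseudorandom function is an assumed stand-in, HMAC-SHA256 truncated to n = 32 bytes so that key, message, r and F_k output all have the same length; matches_reencryption is the observation from the text that, for a deterministic scheme, re-requesting Enc_k(m_0) and Enc_k(m_1) identifies which one the challenge ciphertext encrypts, whereas for the randomized scheme the fresh r makes neither match.

```python
import hashlib
import hmac
import os

# Added example of Construction 3.25 (not the textbook's code). The PRF is an
# assumed stand-in: F_k(x) = HMAC-SHA256(k, x) truncated to n bytes, n = 32.
N = 32


def F(k, x):
    """F_k(x): assumed stand-in PRF, length-preserving for n = 32 bytes."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def gen():
    """Gen: k <- {0,1}^n uniformly at random."""
    return os.urandom(N)


def enc(k, m):
    """Enc: choose fresh r <- {0,1}^n and output <r, F_k(r) XOR m>."""
    if len(m) != N:
        raise ValueError("fixed-length scheme: message must be n bytes")
    r = os.urandom(N)
    return r, xor(F(k, r), m)


def dec(k, c):
    """Dec: recover m = F_k(r) XOR s from c = <r, s>."""
    r, s = c
    return xor(F(k, r), s)


def naive_enc(k, m):
    """The deterministic first attempt Enc_k(m) = F_k(m) from the text."""
    return F(k, m)


def matches_reencryption(encrypt, k, m0, m1, b):
    """The text's observation about deterministic encryption: given c = Enc_k(m_b),
    ask the oracle for Enc_k(m0) and Enc_k(m1) and check whether one equals c.
    Returns the index that matched, or None when neither does."""
    c = encrypt(k, (m0, m1)[b])
    for i, m in enumerate((m0, m1)):
        if encrypt(k, m) == c:
            return i
    return None
```

The ciphertext is the pair (r, s), each n bytes, which is the doubling in length that the efficiency remark later in this section points out.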

THEOREM 3.26 If F is a pseudorandom function, then Construction 3.25 is a fixed-length private-key encryption scheme with length parameter ℓ(n) = n that has indistinguishable encryptions under a chosen-plaintext attack.

PROOF The proof here follows a general paradigm for working with pseudorandom functions. First, we analyze the security of the scheme in an idealized world where a truly random function f_n is used in place of F_k, and show that the scheme is secure in this case. Next, we claim that if the scheme were insecure when F_k was used then this would imply the possibility of distinguishing F_k from a truly random function.

Let Π̃ = (G̃en, Ẽnc, D̃ec) be an encryption scheme that is exactly the same as Π = (Gen, Enc, Dec) in Construction 3.25, except that a truly random function f_n is used in place of F_k. That is, G̃en(1^n) chooses a random function f_n ← Func_n, and Ẽnc encrypts just like Enc except that f_n is used instead of F_k. (This is not a legal encryption scheme because it is not efficient. Nevertheless, this is a mental experiment for the sake of the proof, and is well defined for this purpose.) We claim that for every adversary A that makes at most q(n) queries to its encryption oracle, we have

$$\Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\tilde\Pi}(n) = 1\bigr] \le \frac12 + \frac{q(n)}{2^n}. \qquad (3.4)$$

(Note that we make no assumptions here regarding the computational power of A.) To see this, recall that every time a message m is encrypted (either by the encryption oracle or when the challenge ciphertext in experiment PrivK^cpa_{A,Π̃}(n) is computed), a random r ∈ {0,1}^n is chosen and the ciphertext is set equal to ⟨r, f_n(r) ⊕ m⟩. Let r_c denote the random string used when generating the challenge ciphertext c = ⟨r_c, f_n(r_c) ⊕ m_b⟩. There are two subcases:

1. The value r_c is used by the encryption oracle to answer at least one of A’s queries: In this case, A may easily determine which of its messages was encrypted. This is so because whenever the encryption oracle returns a ciphertext ⟨r, s⟩ in response to a request to encrypt the message m, the adversary learns the value of f_n(r) (since f_n(r) = s ⊕ m). However, since A makes at most q(n) queries to its oracle and each oracle query is answered using a value r chosen uniformly at random, the probability of this event is at most q(n)/2^n.

2. The value r_c is never used by the encryption oracle to answer any of A’s queries: In this case, A learns nothing about the value of f_n(r_c) from its interaction with the encryption oracle (since f_n is a truly random function). That means that, as far as A is concerned, the value f_n(r_c) that is XORed with m_b is chosen uniformly at random, and so the probability that A outputs b' = b in this case is exactly 1/2 (as in the case of the one-time pad).

Let Repeat denote the event that r_c is used by the encryption oracle to answer at least one of A’s queries. Splitting the success probability according to whether Repeat occurs, and using the two subcases above, we have

$$\Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\tilde\Pi}(n) = 1\bigr] \le \Pr[\mathsf{Repeat}] + \Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\tilde\Pi}(n) = 1 \wedge \overline{\mathsf{Repeat}}\bigr] \le \frac{q(n)}{2^n} + \frac12,$$

which is Equation (3.4).

Now, fix some PPT adversary A and define the function ε by

$$\varepsilon(n) := \Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\Pi}(n) = 1\bigr] - \frac12. \qquad (3.5)$$

The number of oracle queries made by A is upper bounded by its running time. Since A runs in polynomial time, the number of oracle queries it makes is upper bounded by some polynomial q(·). Note that Equation (3.4) also holds with respect to this A. Thus, at this point, we have the following:

$$\Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\tilde\Pi}(n) = 1\bigr] \le \frac12 + \frac{q(n)}{2^n} \quad\text{and}\quad \Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\Pi}(n) = 1\bigr] = \frac12 + \varepsilon(n).$$

If ε is not negligible, then the difference between these is not negligible, either. Intuitively, such a “gap” (if present) would enable us to distinguish the pseudorandom function from a truly random function. Formally, we prove this via reduction.

We use A to construct a distinguisher D for the pseudorandom function F. The distinguisher D is given oracle access to some function, and its goal is to determine whether this function is “pseudorandom” (i.e., equal to F_k for randomly-chosen k ← {0,1}^n) or “random” (i.e., equal to f_n for randomly-chosen f_n ← Func_n). To do this, D emulates the CPA indistinguishability experiment for A (in a manner described below), and observes whether A succeeds or not. If A succeeds then D guesses that its oracle must be a pseudorandom function, while if A does not succeed then D guesses that its oracle must be a random function. In detail:

Distinguisher D:

D is given as input 1^n and has access to an oracle O.

1. Run A(1^n). Whenever A queries its encryption oracle on a message m, answer this query in the following way:

(a) Choose r ← {0,1}^n uniformly at random.

(b) Query O(r) and obtain response s'.

(c) Return the ciphertext ⟨r, s' ⊕ m⟩ to A.

2. When A outputs messages m_0, m_1 ∈ {0,1}^n, choose a random bit b ← {0,1} and then:

(a) Choose r ← {0,1}^n uniformly at random.

(b) Query O(r) and obtain response s'.

(c) Return the challenge ciphertext ⟨r, s' ⊕ m_b⟩ to A.

3. Continue answering any encryption oracle queries of A as before. Eventually, A outputs a bit b'. Output 1 if b' = b, and output 0 otherwise.

The key points are as follows:

1. If D’s oracle is a pseudorandom function, then the view of A when run as a sub-routine by D is distributed identically to the view of A in experiment PrivK^cpa_{A,Π}(n). This holds because a key k is chosen at random and then every encryption is carried out by choosing a random r, computing s' = F_k(r), and setting the ciphertext equal to ⟨r, s' ⊕ m⟩, exactly as in Construction 3.25. Thus,

$$\Pr\bigl[D^{F_k(\cdot)}(1^n) = 1\bigr] = \Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\Pi}(n) = 1\bigr],$$

where k ← {0,1}^n is chosen uniformly at random.

2. If D’s oracle is a random function, then the view of A when run as a sub-routine by D is distributed identically to the view of A in experiment PrivK^cpa_{A,Π̃}(n). This can be seen exactly as above, with the only difference being that a random function f_n is used instead of F_k. Thus,

$$\Pr\bigl[D^{f_n(\cdot)}(1^n) = 1\bigr] = \Pr\bigl[\mathsf{PrivK}^{\mathsf{cpa}}_{A,\tilde\Pi}(n) = 1\bigr],$$

where f_n ← Func_n is chosen uniformly at random in the above.

Since F is a pseudorandom function and D runs in probabilistic polynomial time, there exists a negligible function negl such that

$$\Bigl|\Pr\bigl[D^{F_k(\cdot)}(1^n) = 1\bigr] - \Pr\bigl[D^{f_n(\cdot)}(1^n) = 1\bigr]\Bigr| \le \mathsf{negl}(n).$$

Combining this with the above observations and Equations (3.4) and (3.5), we have

$$\varepsilon(n) - \frac{q(n)}{2^n} \le \Pr\bigl[D^{F_k(\cdot)}(1^n) = 1\bigr] - \Pr\bigl[D^{f_n(\cdot)}(1^n) = 1\bigr] \le \mathsf{negl}(n),$$

and so ε(n) ≤ negl(n) + q(n)/2^n. Since q is a polynomial, q(n)/2^n is negligible, which means that ε is negligible, completing the proof.
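As an added example (not the textbook's code), the following runs the distinguisher D of this proof against a concrete adversary A in both "worlds", and also makes the Repeat analysis of the two subcases visible. Everything here is a toy: n is 8 bits so that repeats of r actually happen, the "PRF" is an assumed stand-in (HMAC-SHA256 truncated to n bits), and all randomness comes from a seeded random.Random so that runs are reproducible. The adversary is the one the first subcase describes: it records f(r) = s ⊕ m from every oracle answer and, if the challenge reuses a recorded r, decrypts the challenge; otherwise it guesses. D's output frequency in the PRF world and in the random-function world stays below the bound 1/2 + q(n)/2^n of Equation (3.4), and the two frequencies agree up to sampling noise, which is exactly why this A gives D no distinguishing advantage.

```python
import hashlib
import hmac
import random

# Added example (not from the textbook): distinguisher D from the proof of
# Theorem 3.26 run against an adversary A that exploits the event Repeat.
# Toy parameters and a seeded RNG for reproducibility; not for real use.
N_BITS = 8
N_BYTES = 1
Q = 32  # number of encryption-oracle queries A makes, i.e. q(n)


def rand_block(rng):
    return rng.getrandbits(N_BITS).to_bytes(N_BYTES, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prf_oracle(key):
    """World 1: O = F_k for a random key k (assumed stand-in PRF)."""
    def F_k(x):
        return hmac.new(key, x, hashlib.sha256).digest()[:N_BYTES]
    return F_k


def random_function_oracle(rng):
    """World 2: O = f_n <- Func_n, sampled lazily one row at a time."""
    table = {}

    def f_n(x):
        if x not in table:
            table[x] = rand_block(rng)
        return table[x]
    return f_n


def repeat_exploiting_adversary(enc_oracle, challenge, rng):
    """A: stores f(r) = s XOR m from each oracle answer <r, s>; if the challenge
    reuses a stored r (event Repeat) it decrypts, otherwise it guesses."""
    seen = {}
    for _ in range(Q):
        m = rand_block(rng)
        r, s = enc_oracle(m)
        seen[r] = xor(s, m)
    m0, m1 = b"\x00", b"\xff"
    r_c, s_c = challenge(m0, m1)
    if r_c in seen:
        return 0 if xor(s_c, seen[r_c]) == m0 else 1
    return rng.getrandbits(1)


def distinguisher_D(O, adversary, rng):
    """D^O(1^n): emulate PrivK^cpa for A, answering every query and the challenge
    with <r, O(r) XOR m> for fresh r; output 1 iff A's guess b' equals b."""
    def enc_oracle(m):
        r = rand_block(rng)
        return r, xor(O(r), m)

    state = {}

    def challenge(m0, m1):
        state["b"] = rng.getrandbits(1)
        r = rand_block(rng)
        return r, xor(O(r), (m0, m1)[state["b"]])

    b_guess = adversary(enc_oracle, challenge, rng)
    return 1 if b_guess == state["b"] else 0


def output_one_rate(world, trials, seed):
    """Fraction of runs in which D outputs 1 when its oracle is F_k ("prf")
    or a truly random function ("random")."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(trials):
        if world == "prf":
            O = prf_oracle(rng.getrandbits(128).to_bytes(16, "big"))
        else:
            O = random_function_oracle(rng)
        ones += distinguisher_D(O, repeat_exploiting_adversary, rng)
    return ones / trials


def proof_bound(q=Q, n=N_BITS):
    """The bound 1/2 + q(n)/2^n from Equation (3.4)."""
    return 0.5 + q / 2 ** n
```

With q = 32 and n = 8, Repeat happens in roughly one run in eight, and A wins outright in those runs and with probability 1/2 otherwise, so both rates sit a little above 1/2 but below proof_bound() = 0.625; raising Q toward 2^n moves them up, which is the q(n)/2^n term of the bound.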

As discussed in Section 3.5, any CPA-secure fixed-length encryption scheme automatically yields a CPA-secure encryption scheme for messages of arbitrary length. Applying the approach discussed there to the fixed-length scheme we have just constructed, the encryption of a message m = m_1, . . . , m_ℓ, where each m_i is an n-bit block, is given by

$$\langle r_1,\ F_k(r_1) \oplus m_1,\ r_2,\ F_k(r_2) \oplus m_2,\ \ldots,\ r_\ell,\ F_k(r_\ell) \oplus m_\ell \rangle.$$

The scheme can handle messages whose length is not an exact multiple of n by truncation; we omit the details. We have:

COROLLARY 3.27 If F is a pseudorandom function, the scheme sketched above is a private-key encryption scheme for arbitrary-length messages that has indistinguishable encryptions under a chosen-plaintext attack.

Efficiency of Construction 3.25. The CPA-secure encryption scheme in Construction 3.25, and its extension to arbitrary-length messages in the corollary above, has the drawback that the length of the ciphertext is (at least) double the length of the plaintext. This is because each block of size n is encrypted using an n-bit random string which must be included as part of the ciphertext. In Section 3.6.4 we will show how long plaintexts can be encrypted more efficiently.

3.6.3 Pseudorandom Permutations and Block Ciphers

Let F : {0,1}^* × {0,1}^* → {0,1}^* be an efficient, length-preserving, keyed function. We call F a keyed permutation if for every k, the function F_k(·) is one-to-one (and therefore, since F is length-preserving, a bijection). We say a keyed permutation is efficient if there is a polynomial-time algorithm computing F_k(x) given k and x, as well as a polynomial-time algorithm computing F_k^{-1}(x) given k and x.

We define what it means for a keyed permutation F to be pseudorandom in a manner analogous to Definition 3.24 but with two differences. First, we require that F_k (for a randomly-chosen k) be indistinguishable from a random permutation rather than a random function. This is merely an aesthetic choice since random permutations and random functions are anyway indistinguishable using polynomially-many queries. The second difference is more significant, and is motivated by the fact that cryptographic schemes using a keyed permutation may utilize the inverse F_k^{-1} in addition to F_k. Thus, we require F_k to be indistinguishable from a random permutation even if the distinguisher is given oracle access to the inverse of the permutation.⁹ Formally:

⁹ In some other works, a pseudorandom permutation is defined by considering a distinguisher that is only given access to the permutation (and not its inverse) as in the case of Definition 3.24, and the stronger variant we define in Definition 3.28 is called a strong or super pseudorandom permutation.

DEFINITION 3.28 Let F : {0,1}^* × {0,1}^* → {0,1}^* be an efficient,

