
Pseudorandom Functions

From the document A Course in Cryptography (pages 106-111)


3.8 Pseudorandom Functions

Before defining pseudorandom functions, we first recall the definition of a random function.


3.8.1 Random Functions

The scheme r || m ⊕ f(r) would be multi-message secure if f were a random function. We can describe a random function in two different ways: a combinatorial description, as a random function table, and a computational description, as a machine that randomly chooses outputs given inputs and keeps track of its previous answers. In the combinatorial description, the random function table can be viewed as a long array that stores the values of f, so f(x) returns the value at position x.

    index:   1          2          3          ...   2^n
    value:   0101...    1101...    0010...    ...   0100...
             (n bits)   (n bits)   (n bits)         (n bits)

Note that the description length of a random function is n·2^n bits, so there are 2^(n·2^n) functions from {0,1}^n → {0,1}^n. Let RF_n be the distribution that picks a function mapping {0,1}^n → {0,1}^n uniformly at random.

A computational description of a random function is instead as follows: a random function is a machine that upon receiving input x proceeds as follows. If it has not seen x before, it chooses a value y ← {0,1}^n uniformly at random and returns y; it then records that f(x) = y. If it has seen x before, then it looks up x and outputs the same value as before.

[Figure: the machine receives a query x and answers y, recording f(x) = y for later queries.]

It can be seen that both of the above descriptions of a random function give rise to the identical distribution: the lazily sampled machine is simply the random function table revealed one entry at a time, in the order in which the entries are queried.

The problem with random functions is that (by definition) they have a long description length, exponential in n. So we cannot employ a random function in our encryption scheme. We will next define a pseudorandom function, which mimics a random function but has a short description.

3.8.2 Definition of Pseudorandom Functions

Intuitively, a pseudorandom function (PRF) "looks" like a random function to any n.u. p.p.t. adversary. In defining this notion, we consider an adversary that gets oracle access to either the PRF or a truly random function, and is supposed to decide which one it is interacting with. More precisely, an oracle Turing machine M is a Turing machine that has been augmented with a component called an oracle: the oracle receives requests from M on a special tape and writes its responses to a tape in M. We now extend the notion of indistinguishability of distributions to indistinguishability of distributions of oracles.

Definition 96.1 (Oracle Indistinguishability). Let {O_n}_{n∈N} and {O'_n}_{n∈N} be ensembles where O_n, O'_n are probability distributions over functions f : {0,1}^{ℓ1(n)} → {0,1}^{ℓ2(n)} for some polynomials ℓ1(·), ℓ2(·). We say that {O_n}_n and {O'_n}_n are computationally indistinguishable (denoted by {O_n}_{n∈N} ≈ {O'_n}_{n∈N}) if for all non-uniform p.p.t. oracle machines D, there exists a negligible function ε(·) such that ∀n ∈ N

It is easy to verify that oracle indistinguishability satisfies "closure under efficient operations", the Hybrid Lemma, and the Prediction Lemma.

We turn to define pseudorandom functions.

Definition 96.2 (Pseudo-random Function). A family of functions {f_s : {0,1}^{|s|} → {0,1}^{|s|}}_{s ∈ {0,1}*} is pseudo-random if

• (Easy to compute): f_s(x) can be computed by a p.p.t. algorithm that is given inputs s and x.

• (Pseudorandom): {s ← {0,1}^n : f_s}_n ≈ {F ← RF_n : F}_n.

Note that in the definition of a PRF it is critical that the seed s of the PRF is not revealed; otherwise it is easy to distinguish f_s from a random function: simply ask the oracle a random query x and check whether the oracle's reply equals f_s(x). A random function agrees with f_s on that query only with probability 2^(−n).


Also note that the number of pseudorandom functions is much smaller than the number of random functions (for the same input length); indeed, all pseudorandom functions have a short description (the n-bit seed), whereas random functions in general do not.

Theorem 97.3. If a pseudorandom generator exists, then pseudorandom functions exist.

Proof. We have already shown that any pseudorandom generator g is sufficient to construct a pseudorandom generator g' that has polynomial expansion. So, without loss of generality, let g be a length-doubling pseudorandom generator, and write g0(x) and g1(x) for the left and right n-bit halves of g(x).

    g:  x  (n bits)  ↦  g0(x) || g1(x)  (n bits || n bits)

Then we define fs as follows to be a pseudorandom function:

f_s(b_1 b_2 … b_n) = g_{b_n}(g_{b_{n−1}}(···(g_{b_1}(s))···))

f keeps only one half of the pseudorandom generator's output at each of the n iterations. Thus, the possible outputs of f for a given seed form a binary tree of height n; the first three levels are shown in the following diagram. The leaves of the tree are the outputs of f.

                         s
                 /               \
          s0 = g0(s)              s1 = g1(s)
          /        \              /        \
    s00 = g0(s0)  s01 = g1(s0)  s10 = g0(s1)  s11 = g1(s1)

The intuition for why f is a pseudorandom function is that a tree of height n contains 2^n leaves, so exponentially many values can be indexed by a single function with n bits of input, while only the n-bit root s needs to be stored.

Thus, each distinct input to f takes a distinct path through the tree. The output of f is half of the output of a pseudorandom generator applied to a (pseudo)random string, so it is also pseudorandom.

One approach to the proof is to look at the leaves of the tree: build a sequence of hybrids by successively replacing each leaf with a uniformly random value. This approach, however, does not work, because our hybrid lemma does not apply when there are exponentially many (2^n) hybrids. Instead, we form hybrids by replacing successive levels of the tree: hybrid HF^i_n is formed by picking all nodes at levels 1 through i uniformly at random, then applying the tree construction with g as before from level i onwards.


Note that HF^1_n = {s ← {0,1}^n : f_s(·)} (picking only the seed at random), which is the distribution defined originally. Further, HF^n_n = RF_n (picking the leaves at random).
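The following is an added example, not code from the book, that puts the pieces of this section together: the lazily sampled random function of Section 3.8.1, the tree construction f_s of Theorem 97.3, the seed-knowing distinguisher noted after Definition 96.2, and the level hybrids HF^i_n of the proof. The length-doubling PRG g is a SHA-256 stand-in and is an assumption, not a PRG the book constructs: with n = 128, the left and right halves of the 256-bit digest play the roles of g0 and g1. The Hybrid class counts the root as depth 0, so Hybrid(0) is f_s with a random seed and Hybrid(n) is the lazily sampled RF_n; the names ggm_prf, Hybrid, RandomFunction and distinguish_knowing_seed are this example's own.

```python
"""Tree-based (GGM) PRF from a length-doubling PRG, the level hybrids HF^i_n
of the security proof, and the seed-knowing distinguisher.

Added example, not code from the book.  ASSUMPTION: SHA-256 on a 16-byte
seed is used as a stand-in for a length-doubling PRG g: {0,1}^128 -> {0,1}^256.
"""
import hashlib
import secrets

N_BYTES = 16              # n = 128 bits: seeds, inputs and outputs are all n bits
N_BITS = 8 * N_BYTES


def g(x: bytes) -> bytes:
    """Stand-in length-doubling PRG: n bits in, 2n bits out (assumption)."""
    assert len(x) == N_BYTES
    return hashlib.sha256(b"ggm-prg|" + x).digest()   # 32 bytes = 2n bits


def g0(x: bytes) -> bytes:
    """Left n-bit half of g(x)."""
    return g(x)[:N_BYTES]


def g1(x: bytes) -> bytes:
    """Right n-bit half of g(x)."""
    return g(x)[N_BYTES:]


def bits(x: bytes):
    """Yield the bits b1, b2, ..., bn of x, most significant bit first."""
    for byte in x:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def ggm_prf(s: bytes, x: bytes) -> bytes:
    """f_s(b1 b2 ... bn) = g_{bn}( ... g_{b2}(g_{b1}(s)) ... ).

    Walks the tree root-to-leaf, keeping one half of the PRG output per step."""
    assert len(s) == N_BYTES and len(x) == N_BYTES
    node = s
    for b in bits(x):
        node = g1(node) if b else g0(node)
    return node


class RandomFunction:
    """Computational description of a random function: sample each output
    lazily on first query and remember it, so repeats get the same answer."""

    def __init__(self) -> None:
        self.table: dict[bytes, bytes] = {}

    def __call__(self, x: bytes) -> bytes:
        if x not in self.table:
            self.table[x] = secrets.token_bytes(N_BYTES)
        return self.table[x]


class Hybrid:
    """HF^i_n with the root at depth 0: every tree node at depth <= i is a
    fresh uniform n-bit string (memoised by its path prefix); deeper nodes are
    derived from their parent with g.  Hybrid(0) is f_s with a random seed s,
    Hybrid(N_BITS) samples every leaf uniformly, i.e. it is RF_n."""

    def __init__(self, i: int) -> None:
        assert 0 <= i <= N_BITS
        self.i = i
        self.random_nodes: dict[tuple[int, ...], bytes] = {}

    def node(self, prefix: tuple[int, ...]) -> bytes:
        if len(prefix) <= self.i:                       # random level
            if prefix not in self.random_nodes:
                self.random_nodes[prefix] = secrets.token_bytes(N_BYTES)
            return self.random_nodes[prefix]
        parent = self.node(prefix[:-1])                 # derived level
        return g1(parent) if prefix[-1] else g0(parent)

    def __call__(self, x: bytes) -> bytes:
        assert len(x) == N_BYTES
        return self.node(tuple(bits(x)))


def distinguish_knowing_seed(oracle, s: bytes) -> bool:
    """The trivial distinguisher once the seed leaks: one random query,
    compared against f_s.  Returns True ("this is f_s") when they agree;
    a random function agrees only with probability 2^-n."""
    x = secrets.token_bytes(N_BYTES)
    return oracle(x) == ggm_prf(s, x)


if __name__ == "__main__":
    s = secrets.token_bytes(N_BYTES)
    print("f_s oracle, seed known :", distinguish_knowing_seed(lambda q: ggm_prf(s, q), s))
    print("RF_n oracle, seed known:", distinguish_knowing_seed(RandomFunction(), s))
    h0, x = Hybrid(0), secrets.token_bytes(N_BYTES)
    print("Hybrid(0) equals f_s with its root as seed:",
          h0(x) == ggm_prf(h0.random_nodes[()], x))
```

Each query costs n PRG evaluations in ggm_prf and in the derived levels of Hybrid; the memoised dictionaries grow only with the queries actually asked, which is exactly why the random-function oracle and the hybrids can be emulated in polynomial time even though their full tables are exponential.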

Thus, if D distinguishes F ← RF_n from f_s for a randomly chosen s with probability ε, then D distinguishes F_1 ← HF^1_n from F_n ← HF^n_n with probability ε. By the hybrid lemma, there exists some i such that D distinguishes HF^i_n and HF^{i+1}_n with probability at least ε/n.
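The hybrid-lemma step written out, as an added derivation in the document's own symbols (not part of the book's text): with $p_i = \Pr[F \leftarrow HF^i_n : D^F(1^n) = 1]$ and the assumption $|p_1 - p_n| \ge \varepsilon$,

$$
\varepsilon \;\le\; |p_1 - p_n| \;=\; \Big|\sum_{i=1}^{n-1} (p_i - p_{i+1})\Big| \;\le\; \sum_{i=1}^{n-1} |p_i - p_{i+1}|,
$$

so some index $i$ satisfies $|p_i - p_{i+1}| \ge \varepsilon/(n-1) \ge \varepsilon/n$. The same telescoping over the $2^n$ leaf-by-leaf hybrids would only give $\varepsilon/2^n$, which is negligible even when $\varepsilon$ is not; this is why the level-by-level hybrids are needed.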

The difference between HF^i_n and HF^{i+1}_n is that in HF^i_n each pair of sibling nodes at level i+1 is g(U_n), the PRG applied to an independent uniform parent, whereas in HF^{i+1}_n each node at level i+1 is an independent U_n. Below level i+1, both distributions continue to use g to construct the tree.

To finish the proof, we construct one more set of hybrid distributions. Recall that there is some polynomial p(n) such that the number of queries made by D is bounded by p(n). So we can now apply the first hybrid idea suggested above: define hybrid HHF^j_n that picks F from HF^i_n, answers the first j new queries using F, and then answers the remaining queries using HF^{i+1}_n. Now there are only p(n) hybrids, so the hybrid lemma applies, and D distinguishes HHF^j_n and HHF^{j+1}_n for some j with probability at least ε/(n·p(n)). But HHF^j_n and HHF^{j+1}_n differ only in that HHF^{j+1}_n answers its (j+1)st query with the output of a pseudorandom generator on a randomly chosen value, whereas HHF^j_n answers its (j+1)st query with a randomly chosen value.

As queries to HHF^j_n can be emulated in p.p.t. (we here rely on the equivalence between the combinatorial and the computational view of a random function; we omit the details), it follows by closure under efficient operations that D contradicts the pseudorandom property of g.

3.9 Construction of Multi-message Secure Encryption
