
Pseudorandom permutations

In the document Lecture Notes on Cryptography (Page 63-66)

Block ciphers and modes of operation

5.4 Pseudorandom permutations

Recall that a block cipher $F$ is a family of permutations: each instance $F_K$ of the family is a permutation.

With the intent of modeling block ciphers we introduce the notion of a pseudorandom permutation. We proceed exactly as above, but replace $\mathrm{Rand}^{D\to R}$ with $\mathrm{Perm}^{D}$.

In this setting, there are two kinds of attacks that one can consider. One, as before, is that the adversary gets an oracle for the function $g$ being tested. However, when $g$ is a permutation one can also consider the case where the adversary gets, in addition, an oracle for $g^{-1}$. We consider these settings in turn. The first is the setting of chosen-plaintext attacks while the second is the setting of chosen-ciphertext attacks.

5.4.1 PRP under CPA

We fix a family of functions $F:\mathrm{Keys}(F)\times D\to D$. (You may want to think $\mathrm{Keys}(F)=\{0,1\}^k$ and $D=\{0,1\}^l$, since this is the most common case. We do not mandate that $F$ be a family of permutations although again this is the most common case.) As before, we consider an adversary $A$ that is placed in a room where it has oracle access to a function $g$ chosen in one of two ways.

World 0: The function $g$ is drawn at random from $\mathrm{Perm}^{D}$, namely via $g \stackrel{R}{\leftarrow} \mathrm{Perm}^{D}$. (So $g$ is just a random permutation on $D$.)

World 1: The function $g$ is drawn at random from $F$, namely $g \stackrel{R}{\leftarrow} F$. (This means that a key is chosen via $K \stackrel{R}{\leftarrow} \mathrm{Keys}(F)$ and then $g$ is set to $F_K$.)

Notice that World 1 is the same as in the PRF setting, but World 0 has changed. As before, the task facing the adversary $A$ is to determine in which world it was placed based on the input-output behavior of $g$.

Definition 5.5 Let $F:\mathrm{Keys}(F)\times D\to D$ be a family of functions, and let $A$ be an algorithm that takes an oracle for a function $g:D\to D$, and returns a bit. We consider two experiments:

Experiment $\mathrm{Exp}^{\text{prp-cpa-1}}$

For any $t, q, \mu$ we define the prp-cpa-advantage of $F$ via
$$\mathrm{Adv}^{\text{prp-cpa}}_{F}(t,q,\mu) = \max_{A}\left\{\mathrm{Adv}^{\text{prp-cpa}}_{F,A}\right\}$$
where the maximum is over all $A$ having time-complexity $t$ and making at most $q$ oracle queries, the sum of the lengths of these queries being at most $\mu$ bits.

The intuition is similar to that for Definition 5.4. The difference is that here the “ideal” object with which $F$ is being compared is no longer the family of random functions, but rather the family of random permutations.

Experiment $\mathrm{Exp}^{\text{prp-cpa-1}}_{F,A}$ is actually identical to $\mathrm{Exp}^{\text{prf-1}}_{F,A}$. The probability is over the random choice of key $K$ and also over the coin tosses of $A$ if the latter happens to be randomized. The experiment returns the same bit that $A$ returns. In Experiment $\mathrm{Exp}^{\text{prp-cpa-0}}_{F,A}$, a permutation $g:\{0,1\}^l\to\{0,1\}^l$ is chosen at random, and the result bit of $A$'s computation with oracle $g$ is returned. The probability is over the choice of $g$ and the coins of $A$ if any. As before, the measure of how well $A$ did at telling the two worlds apart, which we call the prp-cpa-advantage of $A$, is the difference between the probabilities that the experiments return 1.

Conventions regarding resource measures also remain the same as before. Informally, a family $F$ is a secure PRP under CPA if $\mathrm{Adv}^{\text{prp-cpa}}_{F}(t,q,\mu)$ is “small” for “practical” values of the resource parameters.

Cryptography: Lecture Notes 65

5.4.2 PRP under CCA

We fix a family of permutations $F:\mathrm{Keys}(F)\times D\to D$. (You may want to think $\mathrm{Keys}(F)=\{0,1\}^k$ and $D=\{0,1\}^l$, since this is the most common case. This time, we do mandate that $F$ be a family of permutations.) As before, we consider an adversary $A$ that is placed in a room, but now it has oracle access to two functions, $g$ and its inverse $g^{-1}$. The manner in which $g$ is chosen is the same as in the CPA case, and once $g$ is chosen, $g^{-1}$ is automatically defined, so we do not have to say how it is chosen.

World 0: The function $g$ is drawn at random from $\mathrm{Perm}^{D}$, namely via $g \stackrel{R}{\leftarrow} \mathrm{Perm}^{D}$. (So $g$ is just a random permutation on $D$.)

World 1: The function $g$ is drawn at random from $F$, namely $g \stackrel{R}{\leftarrow} F$. (This means that a key is chosen via $K \stackrel{R}{\leftarrow} \mathrm{Keys}(F)$ and then $g$ is set to $F_K$.)

In World 1, $g^{-1}=F_K^{-1}$ is the inverse of the chosen instance, while in World 0 it is the inverse of the chosen random permutation. As before, the task facing the adversary $A$ is to determine in which world it was placed based on the input-output behavior of its oracles.

Definition 5.6 Let $F:\mathrm{Keys}(F)\times D\to D$ be a family of permutations, and let $A$ be an algorithm that takes an oracle for a function $g:D\to D$, and also an oracle for the function $g^{-1}:D\to D$, and returns a bit. We

where the maximum is over all $A$ having time-complexity $t$, making at most $q_e$ queries to the $g$ oracle, the sum of the lengths of these queries being at most $\mu_e$ bits, and also making at most $q_d$ queries to the $g^{-1}$ oracle, the sum of the lengths of these queries being at most $\mu_d$ bits.

The intuition is similar to that for Definition 5.4. The difference is that here the adversary has more power: not only can it query $g$, but it can directly query $g^{-1}$. Conventions regarding resource measures also remain the same as before. However, we add some resource parameters. Specifically, since there are now two oracles, we count separately the number of queries, and the total length of these queries, for each. Informally, a family $F$ is a secure PRP under CCA if $\mathrm{Adv}^{\text{prp-cca}}_{F}(t,q_e,\mu_e,q_d,\mu_d)$ is “small” for “practical” values of the resource parameters.

5.4.3 Relations between the notions

If an adversary above does not query $g^{-1}$, the latter oracle may as well not be there, and the adversary is effectively mounting a chosen-plaintext attack. Thus we have the following:

Proposition 5.7 Let $F:\mathrm{Keys}(F)\times D\to D$ be a family of permutations. Then
$$\mathrm{Adv}^{\text{prp-cpa}}_{F}(t,q,\mu) = \mathrm{Adv}^{\text{prp-cca}}_{F}(t,q,\mu,0,0)$$
for any $t, q, \mu$.
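To make the two worlds and the resource accounting concrete, here is an added Python simulation (not from the lecture notes) of the prp-cpa and prp-cca experiments of Definitions 5.5 and 5.6: World 1 uses a deliberately weak family $F_K(x)=x\oplus K$ and World 0 a lazily sampled random permutation together with its inverse, and the same adversary run with and without the $g^{-1}$ oracle illustrates Proposition 5.7. The 8-bit domain, the class names and the adversary are all assumptions of this example.

```python
import random
L = 8; N = 1 << L   # block length l in bits; the domain D = {0,1}^l has N points
class RandomPerm:
    """World 0: g <- Perm^D, sampled lazily so that g and g^{-1} always agree."""
    def __init__(self, rng):
        self.rng, self.fwd, self.inv = rng, {}, {}
    def g(self, x):
        if x not in self.fwd:   # fresh input: choose an output not used yet
            self.bind(x, self.rng.choice([v for v in range(N) if v not in self.inv]))
        return self.fwd[x]
    def g_inv(self, y):
        if y not in self.inv:   # fresh output: choose a preimage not used yet
            self.bind(self.rng.choice([v for v in range(N) if v not in self.fwd]), y)
        return self.inv[y]
    def bind(self, x, y):
        self.fwd[x], self.inv[y] = y, x

class XorFamily:
    """World 1: toy family F_K(x) = x XOR K; every F_K is a permutation, yet F is a poor PRP."""
    def __init__(self, rng):
        self.K = rng.randrange(N)   # K <- Keys(F) = {0,1}^L (constructed toy key space)
    def g(self, x): return x ^ self.K
    def g_inv(self, y): return y ^ self.K

class Oracles:
    """What A sees: g, plus g^{-1} only under CCA; counts q_e and q_d (mu_e = L*q_e, mu_d = L*q_d)."""
    def __init__(self, perm, cca):
        self.p, self.cca, self.qe, self.qd = perm, cca, 0, 0
    def g(self, x):
        self.qe += 1
        return self.p.g(x)
    def g_inv(self, y):
        if not self.cca:
            raise PermissionError("the g^{-1} oracle is not available in the CPA setting")
        self.qd += 1
        return self.p.g_inv(y)

def adversary(o):
    """CPA distinguisher: g(0) XOR g(1) == 1 always in World 1, with prob 1/(N-1) in World 0."""
    return 1 if o.g(0) ^ o.g(1) == 1 else 0

def experiment(world, adv, cca, seed):
    """One run of Exp^{prp-cpa-world} (cca=False) or Exp^{prp-cca-world} (cca=True)."""
    rng = random.Random(seed)
    o = Oracles(XorFamily(rng) if world == 1 else RandomPerm(rng), cca)
    return adv(o), (o.qe, o.qd)   # A's output bit and the resources it used
def advantage(adv, cca=False, trials=2000):
    """Estimate Pr[Exp-1 returns 1] - Pr[Exp-0 returns 1] over independent seeds."""
    p = [sum(experiment(w, adv, cca, s)[0] for s in range(trials)) / trials for w in (1, 0)]
    return p[0] - p[1]
```

This adversary uses $q=2$ queries ($\mu=16$ bits) and never touches $g^{-1}$, so its estimated prp-cca advantage with $q_d=\mu_d=0$ equals its prp-cpa advantage, close to $1-1/255$.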
