Lecture 4 - Block Cipher Flashcards
I am ready to die now, kill pls (7 cards)
What’s the definition of CPA Security?
For every polynomial-time adversary A there exists a negligible function negl() such that the probability of the attacker guessing correctly in the CPA game is less than or equal to that of randomly guessing plus negl(n).
What’s a PRF?
A pseudorandom function, where a key influences which function is returned from the set of all functions Fxy, so that it looks random.
F is a PRF, if F is efficiently computable and secure
A PRF is secure if we cannot distinguish whether a function was chosen uniformly at random from Fxy or from Sf
What is a PRP?
A pseudo-random permutation.
A permutation is a PRP, if it is efficiently computable, invertible, bijective and secure.
For a fixed permutation Π : K × X → X, let SΠ = { Π(k,*) s.t. k ∈ K } ⊂ Πx
It’s secure if we can’t distinguish whether it is chosen uniformly at random from Πx or from SΠ
Explain encryption with PRF
Gen will take input 1^n, choose k from {0,1}^n and output k
Enc will take input (k,m), choose r ←R {0,1}^n and output (r, Fk(r) ⊕ m)
Dec will take (k,c) as input with c = (r,s) and output: s ⊕ Fk(r)
If F is a PRF, this encryption is CPA secure
Explain Constructing PRFs from PRGs
Start with key k and use G to expand it into 2 outputs; the PRF then selects one of the two. Since the PRF is just used for selection, it inherits security from the PRG.
Explain Constructing PRFs from PRGs for longer inputs
The same process as for a single bit, but apply G again to the outputs of the first G, and then use the PRF for selection with x as a 2-bit input.
What’s the Goldreich-Goldwasser-Micali construction?
We have a secure PRG that for any key k will output two values in K
G(k)=(G(k)[0],G(k)[1]) where G(k)[0] and G(k)[1] are two halves of the output
The function FK(x) is defined recursively
FK(x0, x1, …, xn-1) = G(…G(G(K)[x0])[x1]…)[xn-1]
Start at the initial secret key k; at each step apply G and select the left or right output based on the corresponding bit in x. Repeat n times to obtain kn, the final output.
Slide 27 (32 in pdf) of Cipher Block lecture