ICS 180: Introduction to Cryptography
6/3/2004
Handout 2: Symmetric Encryption from a PRF
A PRF is a very powerful source of (pseudo)randomness and therefore it can be immediately turned into powerful ciphers. The construction is very simple: just use the outputs of the pseudorandom function as one-time pads to xor your message with. We give here a simple proof that the resulting encryption is secure both under the Chosen Plaintext Attack (CPA) and under the "Lunchtime Attack", sometimes called "Chosen Ciphertext Attack 1" (CCA1).
First, a Pseudorandom Function [PRF] family is defined as a set of functions $\{F_s\}_{s \in \{0,1\}^n}$, where $F_s : \{0,1\}^{l(n)} \to \{0,1\}^{L(n)}$ for every $s \in \{0,1\}^n$, s.t.

1. $F_s(x)$ is polytime computable (for every $s, x$).

2. Functions $F_s$ are indistinguishable from random functions on the same domain/range, i.e. from functions chosen at random from the family of all functions mapping domain $\{0,1\}^{l(n)}$ to range $\{0,1\}^{L(n)}$. Formally, we require that for every PPT $A$, the following two distributions are indistinguishable:

$$\{A^{F_k(\cdot)}(1^n)\}_{k \leftarrow \{0,1\}^n} \;\approx\; \{A^{R(\cdot)}(1^n)\}_{R \leftarrow \mathrm{RndFct}(l(n),\,L(n))} \qquad (1)$$

where in each case $A$ can interact with the function $F_k$ or $R$ as with an oracle: for any input $A$ gives to the oracle, it receives as output the value of the function at this input.
Now, using such a PRF family $\{F_s\}$, we can design a symmetric encryption scheme as follows:

$$\mathrm{KGen}(1^n) \to k, \quad \text{for } k \leftarrow \{0,1\}^n \qquad (2)$$

$$\mathrm{Enc}_k(m) \to (x,\; F_k(x) \oplus m), \quad \text{for } x \leftarrow \{0,1\}^{l(n)}, \text{ assuming } |m| = L(n) \qquad (3)$$

$$\mathrm{Dec}_k((c_1, c_2)) \to F_k(c_1) \oplus c_2 \qquad (4)$$
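The scheme (2)-(4) in running code, as an added example that is not part of the handout. The abstract family $\{F_s\}$ is instantiated (an assumption of this example) with HMAC-SHA256 keyed by $s$, so $n = 256$, $l(n) = 128$ and $L(n) = 256$; the names prf, kgen, enc, dec, pad_reuse_leak, flip_bits and nonce_collision_bound are this example's own. Beyond correctness it shows the two things a practitioner should take from the construction: the pad $F_k(x)$ is a one-time pad, so if the same $x$ is ever used twice anyone holding both ciphertexts recovers $m \oplus m'$ without $k$ (which is why the proof needs $x$ fresh and $l(n)$ large enough that $q$ encryptions collide with probability at most $q(q-1)/2^{l(n)+1}$), and the ciphertext is malleable, since xoring a mask into $c_2$ xors the same mask into what $\mathrm{Dec}_k$ returns; that is consistent with the theorem claiming CCA1 and not CCA2 security.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters (assumption, not the handout's): the PRF family F_s is instantiated
# with HMAC-SHA256 keyed by s, so n = 256 key bits, l(n) = 128 input bits and
# L(n) = 256 output bits.  HMAC is widely used as a PRF in practice, but it is
# a concrete stand-in for the abstract family {F_s}, not the family itself.
KEY_BYTES = 32   # n / 8
IN_BYTES = 16    # l(n) / 8
OUT_BYTES = 32   # L(n) / 8

Ciphertext = Tuple[bytes, bytes]   # (c1, c2) = (x, F_k(x) xor m)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor of unequal lengths")
    return bytes(u ^ v for u, v in zip(a, b))


def prf(s: bytes, x: bytes) -> bytes:
    """F_s(x): maps l(n) bits to L(n) bits under key s."""
    if len(s) != KEY_BYTES or len(x) != IN_BYTES:
        raise ValueError("bad key or PRF input length")
    return hmac.new(s, x, hashlib.sha256).digest()


def kgen() -> bytes:
    """KGen(1^n) -> k, with k <- {0,1}^n."""
    return os.urandom(KEY_BYTES)


def enc(k: bytes, m: bytes, x: Optional[bytes] = None) -> Ciphertext:
    """Enc_k(m) -> (x, F_k(x) xor m), x <- {0,1}^l(n); |m| must equal L(n).

    The optional x exists only so the nonce-reuse failure can be demonstrated
    below; real code must always draw x itself.
    """
    if len(m) != OUT_BYTES:
        raise ValueError("message length must be exactly L(n) bits")
    if x is None:
        x = os.urandom(IN_BYTES)
    return x, xor(prf(k, x), m)


def dec(k: bytes, c: Ciphertext) -> bytes:
    """Dec_k((c1, c2)) -> F_k(c1) xor c2."""
    c1, c2 = c
    return xor(prf(k, c1), c2)


def pad_reuse_leak(c: Ciphertext, c_other: Ciphertext) -> Optional[bytes]:
    """Attacker's view: two ciphertexts with the same c1 share the pad F_k(c1),
    so xoring their second components yields m xor m' with no knowledge of k."""
    if c[0] != c_other[0]:
        return None
    return xor(c[1], c_other[1])


def flip_bits(c: Ciphertext, mask: bytes) -> Ciphertext:
    """Attacker's view: xoring mask into c2 xors mask into what Dec_k returns.
    Nothing in the scheme detects this (the theorem claims CCA1, not CCA2)."""
    return c[0], xor(c[1], mask)


def nonce_collision_bound(q: int, l_bits: int = IN_BYTES * 8) -> float:
    """Union bound on Pr[some x repeats over q encryptions]: q(q-1) / 2^(l+1).
    This is the term a CPA proof pays for accidentally reusing a pad."""
    return q * (q - 1) / 2 ** (l_bits + 1)


if __name__ == "__main__":
    k = kgen()
    m = b"attack at dawn, 32-byte payload!"    # constructed sample, |m| = L(n)
    c = enc(k, m)
    assert dec(k, c) == m
    x = bytes(IN_BYTES)                        # deliberately reused nonce
    m2 = b"retreat at dusk, 32-byte payload"
    leak = pad_reuse_leak(enc(k, m, x), enc(k, m2, x))
    print("m xor m' from reused pad:", leak.hex())
    print("collision bound for 2^32 messages:", nonce_collision_bound(2 ** 32))
```

Running the module encrypts and decrypts a sample message, then prints the $m \oplus m'$ an eavesdropper obtains from two ciphertexts that reuse $x$, together with the collision bound for $2^{32}$ encryptions under $l(n) = 128$.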
Theorem 1  The above (symmetric) encryption scheme is (CPA,CCA1)-secure.

Proof: (Part 1) Recall first what it means that a (symmetric) encryption scheme is (CPA,CCA1)-secure. It means that any PPT adversary $A$ running in the following game, denoted $A^{O_{CPA/CCA1}}(1^n)$ (i.e. $A$ has input $1^n$
Spring '04, Jarecki