w-prf - Chapter 3 Pseudorandom Functions Pseudorandom...

Info iconThis preview shows pages 1–3. Sign up to view the full content.

View Full Document Right Arrow Icon

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Chapter 3 Pseudorandom Functions Pseudorandom functions (PRFs) and their cousins, pseudorandom permutations (PRPs), figure as central tools in the design of protocols, especially those for shared-key cryptography. At one level, PRFs and PRPs can be used to model blockciphers, and they thereby enable the security analysis of protocols based on blockciphers. But PRFs and PRPs are also a useful conceptual starting point in contexts where blockciphers dont quite fit the bill because of their fixed block-length. So in this chapter we will introduce PRFs and PRPs and investigate their basic properties. 3.1 Function families A function family is a map F : K D R . Here K is the set of keys of F and D is the domain of F and R is the range of F . The set of keys and the range are finite, and all of the sets are nonempty. The two-input function F takes a key K and an input X to return a point Y we denote by F ( K,X ). For any key K K we define the map F K : D R by F K ( X ) = F ( K,Y ). We call the function F K an instance of function family F . Thus F specifies a collection of maps, one for each key. Thats why we call F a function family or family of functions . Sometimes we write Keys ( F ) for K , Dom ( F ) for D , and Range ( F ) for R . Usually K = { , 1 } k for some integer k , the key length . Often D = { , 1 } for some integer called the input length , and R = { , 1 } L for some integers L called the output length . But sometimes the domain or range could be sets containing strings of varying lengths. There is some probability distribution on the (finite) set of keys K . Unless otherwise indicated, this distribution will be the uniform one. We denote by K $ K the operation of selecting a random string from K and naming it K . We denote by f $ F the operation: K $ K ; f F K . In other words, let f be the function F K where K is a randomly chosen key. We are interested in the input-output behavior of this randomly chosen instance of the family. A permutation is a bijection (i.e. a one-to-one onto map) whose domain and range are the same set. That is, a map : D D is a permutation if for every y D there is exactly one x D such that ( x ) = y . We say that F is a family of permutations if Dom ( F ) = Range ( F ) and each F K is a permutation on this common set. Example 3.1.1 A blockcipher is a family of permutations. In particular DES is a family of per- mutations DES : K D R with K = { , 1 } 56 and D = { , 1 } 64 and R = { , 1 } 64 . 2 PSEUDORANDOM FUNCTIONS Here the key length is k = 56 and the input length and output length are = L = 64. Similarly AES (when AES refers to AES128) is a family of permutations AES : K D R with K = { , 1 } 128 and D = { , 1 } 128 and R = { , 1 } 128 ....
View Full Document

This note was uploaded on 08/31/2011 for the course CSE 207 taught by Professor Daniele during the Winter '08 term at UCSD.

Page1 / 25

w-prf - Chapter 3 Pseudorandom Functions Pseudorandom...

This preview shows document pages 1 - 3. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online