This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
Unformatted text preview: Chapter 3 Pseudorandom Functions Pseudorandom functions (PRFs) and their cousins, pseudorandom permutations (PRPs), figure as central tools in the design of protocols, especially those for sharedkey cryptography. At one level, PRFs and PRPs can be used to model blockciphers, and they thereby enable the security analysis of protocols based on blockciphers. But PRFs and PRPs are also a useful conceptual starting point in contexts where blockciphers don’t quite fit the bill because of their fixed blocklength. So in this chapter we will introduce PRFs and PRPs and investigate their basic properties. 3.1 Function families A function family is a map F : K × D → R . Here K is the set of keys of F and D is the domain of F and R is the range of F . The set of keys and the range are finite, and all of the sets are nonempty. The twoinput function F takes a key K and an input X to return a point Y we denote by F ( K,X ). For any key K ∈ K we define the map F K : D → R by F K ( X ) = F ( K,Y ). We call the function F K an instance of function family F . Thus F specifies a collection of maps, one for each key. That’s why we call F a function family or family of functions . Sometimes we write Keys ( F ) for K , Dom ( F ) for D , and Range ( F ) for R . Usually K = { , 1 } k for some integer k , the key length . Often D = { , 1 } ℓ for some integer ℓ called the input length , and R = { , 1 } L for some integers L called the output length . But sometimes the domain or range could be sets containing strings of varying lengths. There is some probability distribution on the (finite) set of keys K . Unless otherwise indicated, this distribution will be the uniform one. We denote by K $ ← K the operation of selecting a random string from K and naming it K . We denote by f $ ← F the operation: K $ ← K ; f ← F K . In other words, let f be the function F K where K is a randomly chosen key. We are interested in the inputoutput behavior of this randomly chosen instance of the family. A permutation is a bijection (i.e. a onetoone onto map) whose domain and range are the same set. That is, a map π : D → D is a permutation if for every y ∈ D there is exactly one x ∈ D such that π ( x ) = y . We say that F is a family of permutations if Dom ( F ) = Range ( F ) and each F K is a permutation on this common set. Example 3.1.1 A blockcipher is a family of permutations. In particular DES is a family of per mutations DES : K × D → R with K = { , 1 } 56 and D = { , 1 } 64 and R = { , 1 } 64 . 2 PSEUDORANDOM FUNCTIONS Here the key length is k = 56 and the input length and output length are ℓ = L = 64. Similarly AES (when “AES” refers to “AES128”) is a family of permutations AES : K × D → R with K = { , 1 } 128 and D = { , 1 } 128 and R = { , 1 } 128 ....
View
Full Document
 Winter '08
 daniele
 FN, adversary

Click to edit the document details