CPA-Secure Encryption from Pseudorandom Functions

We focus here on constructing a CPA-secure, fixed-length encryption scheme. By what we have said at the end of Section 3.4.2, this implies the existence of a CPA-secure encryption scheme for arbitrary-length messages. In Section 3.6 we will discuss more efficient ways of encrypting messages of arbitrary length. A naive attempt at constructing a secure encryption scheme from a pseu- dorandom permutation is to define Enck(m) = Fk(m). Although we expect

that this “reveals no information about m” (since, if f is a uniform function, then f (m) is simply a uniform n-bit string), this method of encryption is de- terministic and so cannot possibly be CPA-secure. In particular, encrypting the same plaintext twice will yield the same ciphertext.

Our secure construction is randomized. Specifically, we encrypt by applying the pseudorandom function to a random value r (rather than the message) and XORing the result with the plaintext. (See Figure 3.3 and Construction 3.30.) This can again be viewed as an instance of XORing a pseudorandom pad with the plaintext, with the major difference being the fact that a fresh pseudoran- dom pad is used each time. (In fact, the pseudorandom pad is only “fresh” if the pseudorandom function is applied to a “fresh” value on which it has never been applied before. While it is possible that a random r will be equal to some r-value chosen previously, this happens with only negligible probability.)

Ciphertext pad XOR Plaintext Random string r Pseudorandom function

Proofs of security based on pseudorandom functions. Before turning to the proof that the above construction is CPA-secure, we highlight a common template that is used by most proofs of security (even outside the context of encryption) for constructions based on pseudorandom functions. The first step of such proofs is to consider a hypothetical version of the construction in which the pseudorandom function is replaced with a random function. It is then argued—using a proof by reduction—that this modification does not significantly affect the attacker’s success probability. We are then left with analyzing a scheme that uses a completely random function. At this point the rest of the proof typically relies on probabilistic analysis and does not rely on any computational assumptions. We will utilize this proof template several times in this and the next chapter.

CONSTRUCTION 3.30

Let F be a pseudorandom function. Define a private-key encryption scheme for messages of length n as follows:

• Gen: on input 1n_{, choose uniform k}

∈ {0, 1}n_{and output it.}

• Enc: on input a key k ∈ {0, 1}n_{and a message m}

∈ {0, 1}n_{, choose}

uniform r∈ {0, 1}n_{and output the ciphertext}

c :=hr, Fk(r)⊕ mi.

• Dec: on input a key k ∈ {0, 1}n_{and a ciphertext c =}

hr, si, output the plaintext message

m := Fk(r)⊕ s.

A CPA-secure encryption scheme from any pseudorandom function. THEOREM 3.31 If F is a pseudorandom function, then Construction 3.30 is a CPA-secure private-key encryption scheme for messages of length n.

PROOF Let eΠ = (gGen, gEnc, gDec) be an encryption scheme that is exactly the same as Π = (Gen, Enc, Dec) from Construction 3.30, except that a truly random function f is used in place of Fk. That is, gGen(1n) chooses a uniform

function f ∈ Funcn, and gEnc encrypts just like Enc except that f is used

instead of Fk. (This modified encryption scheme is not efficient. But we can

still define it as a hypothetical encryption scheme for the sake of the proof.) Fix an arbitrary ppt adversaryA, and let q(n) be an upper bound on the number of queries that_A(1n_{) makes to its encryption oracle. (Note that q}

must be upper-bounded by some polynomial.) As the first step of the proof, we show that there is a negligible function negl such that

PrhPrivKcpa_A,Π(n) = 1i_{− Pr}hPrivKcpa

A,eΠ(n) = 1

i

We prove this by reduction. We use A to construct a distinguisher D for the pseudorandom function F . The distinguisher D is given oracle access to some function O, and its goal is to determine whether this function is “pseudorandom” (i.e., equal to Fk for uniform k∈ {0, 1}n) or “random” (i.e.,

equal to f for uniform f _{∈ Func}n). To do this, D emulates experiment PrivKcpa

for_{A in the manner described below, and observes whether A succeeds or not.} If_{A succeeds then D guesses that its oracle must be a pseudorandom function,} whereas if_{A does not succeed then D guesses that its oracle must be a random} function. In detail:

Distinguisher D:

D is given input 1n and access to an oracleO : {0, 1}n

→ {0, 1}n_.

1. Run _A(1n_{). Whenever}

A queries its encryption oracle on a message m_{∈ {0, 1}}n_{, answer this query in the following way:}

(a) Choose uniform r_{∈ {0, 1}}n_.

(b) Query_{O(r) and obtain response y.} (c) Return the ciphertexthr, y ⊕ mi to A.

2. When A outputs messages m0, m1 ∈ {0, 1}n, choose a uni-

form bit b∈ {0, 1} and then: (a) Choose uniform r_{∈ {0, 1}}n_.

(b) Query_{O(r) and obtain response y.}

(c) Return the challenge ciphertext_{hr, y ⊕ m}bi to A.

3. Continue answering encryption-oracle queries of_{A as before} untilA outputs a bit b0_{. Output 1 if b}0_{= b, and 0 otherwise.}

D runs in polynomial time sinceA does. The key points are as follows: 1. If D’s oracle is a pseudorandom function, then the view of _{A when}

run as a subroutine by D is distributed identically to the view of _A in experiment PrivKcpa_A,Π(n). This is because, in this case, a key k is chosen uniformly at random and then every encryption is carried out by choosing a uniform r, computing y := Fk(r), and setting the ciphertext

equal tohr, y ⊕ mi, exactly as in Construction 3.30. Thus, Pr_k←{0,1}n h DFk(·)₍₁n_{) = 1}i_{= Pr}h_PrivKcpa A,Π(n) = 1 i , (3.9) where we emphasize that k is chosen uniformly on the left-hand side. 2. If D’s oracle is a random function, then the view of _{A when run as a}

subroutine by D is distributed identically to the view of_{A in experiment} PrivKcpa

A,eΠ(n). This can be seen exactly as above, with the only difference

being that a uniform function f_{∈ Func}n is used instead of Fk. Thus,

Pr_{f ←Func}n h Df (·)₍₁n_{) = 1}i_{= Pr}h_PrivKcpa A,eΠ(n) = 1 i , (3.10) where f is chosen uniformly from Funcn on the left-hand side.

By the assumption that F is a pseudorandom function (and since D is effi- cient), there exists a negligible function negl for which

PrhDFk(·)₍₁n_{) = 1}i

− PrhDf (·)(1n) = 1i _{≤ negl(n).}

Combining the above with Equations (3.9) and (3.10) gives Equation (3.8). For the second part of the proof, we show that

PrhPrivKcpa

A,eΠ(n) = 1

i

≤ 1₂+q(n)

2n . (3.11)

(Recall that q(n) is a bound on the number of encryption queries made byA. The above holds even if we place no computational restrictions onA.) To see that Equation (3.11) holds, observe that every time a message m is encrypted in PrivKcpa

A,eΠ(n) (either by the encryption oracle or when the challenge cipher-

text is computed), a uniform r ∈ {0, 1}n _{is chosen and the ciphertext is set}

equal tohr, f(r) ⊕ mi. Let r∗_{denote the random string used when generating}

the challenge ciphertexthr∗_{, f (r}∗_{)⊕ mbi. There are two possibilities:}

1. The value r∗ _{is never used when answering any ofA’s encryption-oracle}

queries: In this case,_{A learns nothing about f(r}∗_{) from its interaction}

with the encryption oracle (since f is a truly random function). This means that, as far as _{A is concerned, the value f(r}∗_{) that is XORed}

with mb is uniformly distributed and independent of the rest of the

experiment, and so the probability that_{A outputs b}0_{= b in this case is}

exactly 1/2 (as in the case of the one-time pad).

2. The value r∗ _{is used when answering at least one of A’s encryption-}

oracle queries: In this case,_{A may easily determine whether m}0or m1

was encrypted. This is so because if the encryption oracle ever returns a ciphertexthr∗_{, si in response to a request to encrypt the message m,}

the adversary learns that f (r∗_{) = s⊕ m.}

However, since _{A makes at most q(n) queries to its encryption ora-} cle (and thus at most q(n) values of r are used when answering _A’s encryption-oracle queries), and since r∗_{is chosen uniformly from{0, 1}}n_,

the probability of this event is at most q(n)/2n_.

Let Repeat denote the event that r∗ _{is used by the encryption oracle when}

answering at least one of A’s queries. As just discussed, the probability of Repeat is at most q(n)/2n_{, and the probability that A succeeds in PrivK}cpa

A,eΠ

if Repeat does not occur is exactly 1/2. Therefore: Pr[PrivKcpa

A,eΠ(n) = 1]

= Pr[PrivKcpa

A,eΠ(n) = 1∧ Repeat] + Pr[PrivK cpa

A,eΠ(n) = 1∧ Repeat]

≤ Pr[Repeat] + Pr[PrivKcpa_A,eΠ(n) = 1| Repeat] ≤ q(n)₂n +

1 2.

Combining the above with Equation (3.8), we see that there is a negligible function negl such that Pr[PrivKcpa_A,Π(n) = 1] ≤ 1

2 + q(n)

2n + negl(n). Since

q is polynomial, q(n)₂n is negligible. In addition, the sum of two negligible

functions is negligible, and thus there exists a negligible function negl0 such that Pr[PrivKcpa_A,Π(n) = 1]≤ 1

2+ negl0(n), completing the proof.

Concrete security. The above proof shows that Pr[PrivKcpa_A,Π(n) = 1]_≤ 1

2+ q(n)

2n + negl(n)

for some negligible function negl. The final term depends on the security of F as a pseudorandom function; it is a bound on the distinguishing probability of algorithm D (which has roughly the same running time as the adversaryA). The term q(n)₂n represents a bound on the probability that the value r∗ used

to encrypt the challenge ciphertext was used to encrypt some other message.

3.6

Modes of Operation

Modes of operation provide a way to securely (and efficiently) encrypt long messages using stream or block ciphers.