0:00

In this segment we ask whether we can build block ciphers from simpler

primitives like pseudo random generators. The answer is yes. So to begin with, let's

ask whether we can build pseudo random functions as opposed to pseudo random

permutations from a pseudo random generator. Can we build a PRF from a PRG?

Our ultimate goal though is to build a block cipher which is a PRP. And we'll get

to that at the end. Okay, for now we build a PRF. So let's start with a PRG that

doubles its inputs so the seeds for the PRG is an element in K and the output is

actually two elements in K. So here we have a schematic of the generator, that

basically takes his input of C and K, and outputs two elements, in K as its output.

And now what does it mean for this purity to be secure, recall this means that

essentially the output is indistinguishable from a random element

inside of K squared Now it turns out that it's very easy to define basically what's

called a one bit PRF from this PRG. So what's a one bit PRF is basically a PRF

who's domain is only one bit. Okay, so it's a PRF that just takes one bit as

input. Okay, and the way we'll do it is we'll say is if the input bit X is zero

I'll put the left output and if the input bit X is one then I'll put the right

output of the PRF. Okay, in symbols we basically have what we wrote here. Now it

is straightforward to show, that in fact G is a secure PRG, then this one bit PRF is

in fact a secure PRF. If you think about it for a second, this really is not

[inaudible]. Its really just stating the same thing twice. So i will leave it for

you to think about this briefly and see and convince yourself that in fact this

theorem is true. The real questions is whether we can build a PRF, that actually

has a domain that is bigger than one bit. Ideally we would like the domain to be 128

bits, just say as a [inaudible] has. So the question is can we build 128 bit PRS

from a pseudo random generator. Well so let's see if we can make progress. So the

first thing we're gonna do is we're gonna say, well again, let's start with a PRG

that doubles its input let's see if we can build a PRG that quadruples its inputs.

Okay? So it goes from K to K to the fourth instead of K to K squared. Okay, so let's

see how to do this. So here we start with our original PRG that just doubles its

inputs, now remember that the fact that his is a PRG means that the output of the

PRG is indistinguishable from two random values in K. Well, if the output looks

like two random values in K, we can simply apply the generator again to those two

outputs. So let's say we apply the generator once to the left output, and

once to the rights outputs. And we are going to call the output of that, this

quadruple of elements, we are, are going to call that G1K. And i wrote down in

symbols what this generator does, but you can see basically from this figure,

exactly how the generator works. So now that we have a generator from K to K to

the fourth, We actually get a two bit PRF. Namely, what we will do is, we will say,

given two bits, 000110 or eleven, wills imply output the appropriate block that

the output of G1K. Okay, so now we can basically have a PRF that takes four

possible inputs as opposed to just two possible inputs as before. So the question

you should be asking me is why is this G1 case secure? Why is it a secure PRG? That

is why is this quadruple of outputs indistinguishable from random. And so

let's do a quick proof of this, we'll just do a simple proof by pictures. So here's

our generator that we want to prove is secure. And what that means is that we

want to argue that this distribution is indistinguishable from a random fordable

in K to the fourth. Okay so our goal is to prove that these two are

indistinguishable. Well let's do it one step at a time. We know that the generator

is a secure generator, therefore in fact the output of the first level is

indistinguishable from random. In other words, if we replace the first level by

truly random strings these two are truly random picked in the key space, then no

4:10

efficient adversary should be able to distinguish these two distributions. In

fact, if you could distinguish these two distributions, it's easy to show that you

would break the original PRG. Okay, but essentially you see that the reason we can

do this replacement, we can replace the output of G, with truly random values, is

exactly because of the definition of the PRG, which says the out put of the PRG is

indistinguishable from random, so we might as well just put random there, and no

efficient adversary can distinguish the resulting two distributions. Okay, so far

so good, but now we can do the same thing again to the left hand side. In other

words, we can replace these two pseudo random outputs, by truly random outputs.

And again because the generator G is secure, no efficient adversary can tell

the difference between these two distributions. But differently, if an

adversary can distinguish these two distributions, then we would also give an

attack on the generator G. And now finally we're gonna do this one last time. We're

gonna replace this pseudo random pair By a truly random pair, and low and behold we

get the actual distribution that we were shooting for, we would get a distribution

that is really made of four independent blocks. And so now we have proved this

transition basically that these two indistinguishable, these two

indistinguishable, and these two indistinguishable, and therefore these two

are indistinguishable, which is what we wanted to prove. Okay so this is kind of

the high level idea for the proof, it is not too difficult to make this rigorous,

but i just wanted to show you kinda intuition for how the proof works. Well,

if we were able to extend the generators outputs once, there's nothing preventing

us from doing it again so here is a generator G1 that outputs four elements in

the key space. And remember the output here is indistinguishable from our random

four couple, that's what we just proved. And so there's nothing preventing us from

applying the generator again. So we'll take the generator apply it to this random

looking thing and we should be able to get this random looking thing. This pair over

here that's random looking. And we can do the same thing again, and again, and

again. And now basically we've built a new generator that outputs elements in K to

the eighth, as opposed to K to the fourth. And again the proof of security is very

much the same as the one I just showed you essentially you gradually change the

outputs into truly random outputs. So we would change this to a truly random

output, then this, then that, then this, then that and so on and so forth. Until

finally we get something that's truly random and therefore the original two

distributions we started with G2K and truly random are indistinguishable. Okay,

so far so good. So now we have a generator that outputs elements in K to the eighth.

Now if we do that basically we get a three bit PRF. In other words, at zero, zero,

zero this PRF would output this block, and so on and so forth until one, one, one it

would output this block. Now the interesting thing is that in fact this PRF

is easy to compute. For example, suppose we wanted to compute the PRF at the point

one zero one. Okay, it's a three bit PRF. Okay so one zero one. How would we do

that? Well basically we would start from the original key K. And now we would apply

the generator G but we would only pay attention to the right output of G,

because the first bit is one. And then we will apply the generator again, but we

would only pay attention to the left of the output of the generator because the

second bit is zero. And then we would apply the generator again and only pay

attention to the right outputs because the third bit is one and that would be the

final output. Right, so you can see that, that lead us to 101, and in fact because

the [inaudible] generator is pseudo random, we know that, in particular that,

this output here is pseudo random. Okay, so this gives us a three bit PRF. Well, if

it worked three times, there's no reason why it can't work N times. And so if we

apply this transformation again and again, we arrive at what's called a GGMPRF. Ggm

stands for Goldreich, Goldwasser and Micali these are the inventors of

this PRF and the way it works is as follows. So we start off with a generator

just doubles its outputs, and now we're able to build a PRF that acts on a large

domain mainly a domain of size zero one to the N. Or N could be as big as 128 or even

more. So let's see, suppose we're given an input in 01 to the N, let me show you how

to evaluate the PRF. Well by now you should actually have a good idea for how

to do it. Essentially we start from the original key and then we apply the

generator and we take either the left or the right side depending on the bit X0 and

then we arrive at the next key, K1. And then we apply the generator again and we

take the left or the right side depending on X1 and we arrive at the next key. And

then we do this again and again, until finally we are arrive at the output. So we

have processed all end bits, and we arrive at the output of this function. And

basically we can prove security again pretty much along the same lines as we did

before, and we can show that if G is a secure PRG, then in fact we get a secure

PRF, on 01 to the N, on a very large domain. So that's fantastic. Now we have

we have essential, we have a PRF that's provably secure, assuming that the

underlying generator is secure, and the generator is supposedly much easier to

build than an actual PRF. And in fact it works on blocks that can be very large, in

particular, 01 to the 128th, which is what we needed. So you might ask well why isn't

this thing being used in practice? And the reason is, that it's actually fairly slow.

So imagine we plug in as a generator we plug in the salsa generator. So now to

evaluate this PRF at a 128 bit inputs, we would basically have to run the salsa

generator 128 times. One time per bit of the input. But then we would get a PRF

that's 128 times slower than the original salsa. And that's much, much, much slower

than AES. Aes is a heuristic PRF. But nevertheless it's much faster then what we

just got here. And so even though this is a very elegant construction, it's not used

in practice to build pseudo random functions although in a week we will be

using this type of construction to build a message integrity mechanism. So the last

step, is basically now that we've built a PRF, the questions is whether we can

actually build the block cypher. In other words, can we actually build a secure PRP

from a secure PRG. Everything we've done so far is not reversible. Again if you

look at this construction here, we can't decrypt basically given the final outputs.

It is not possible to go back or at least we don't know how to go back the, the

original inputs. So now the question of interest is so can we actually solve the

problem we wanted solve initially? Mainly, can we actually build a block cipher from

a secure PRG? So ill let you think about this for a second, and mark the answer. So

of course I hope everyone said the answer is yes and you already have all the

ingredients to do it. In particular, you already know how to build a PRF from a

pseudo random generator. And we said that once we have a PRF we can plug it into the

Luby-Rackoff construction, which if you remember, is just a three-round feistel.

So we said that if you plug a secure PRF into a three-round feistel, you get a

secure PRP. So combining these two together, basically gives us a secure PRP

from a pseudo random generator. And this is provably secure as long as the

underlying generator is secure. So it's a beautiful result but unfortunately again

it's not used in practice because it's considerably slower than heuristics

constructions like AES. Okay so this completes our module on constructing

pseudo random permutations, and pseudo random functions. And then in the next

module we're gonna talk about how to use these things to do proper encryption.