Constructing CPA-Secure Encryption Schemes Before constructing encryption schemes secure

against chosen-plaintext attacks, we first introduce the important notion of pseudorandom

functions. 3.5.1 Pseudorandom Functions and Block Ciphers Pseudorandom functions (PRFs)
generalize the notion of pseudorandom generators. Now, instead of considering “random-looking”
strings we consider “random-looking” functions. As in our earlier discussion of pseudorandomness, it
does not make much sense to say that any fixed function f : {0, 1} ∗ → {0, 1} ∗ is pseudorandom (in
the same way that it makes little sense to say that any fixed function is random). Thus, we must
instead refer to the pseudorandomness of a distribution on functions. Such a distribution is induced
naturally by considering keyed functions, defined next. A keyed function F : {0, 1} ∗ × {0, 1} ∗ → {0, 1}
∗ is a two-input function, where the first input is called the key and denoted k. We say F is efficient if
there is a polynomial-time algorithm that computes F(k, x) given k and x. (We will only be interested
in efficient keyed functions.) In typical usage a key k is chosen and fixed, and we are then interested
in the single-input function Fk : {0, 1} ∗ → {0, 1} ∗ defined by Fk(x) = F(k, x). The security parameter n
dictates the key length, input length, and output length. That is, we associate with F three functions
`key, `in, and `out ; for any key k ∈ {0, 1} `key(n) , the function Fk is only defined for inputs x ∈ {0, 1}
`in(n) , in which case Fk(x) ∈ {0, 1} `out(n) . Unless stated otherwise, we assume for simplicity that F
is length-preserving, meaning `key(n) = `in(n) = `out(n) = n. That is, by fixing a key k ∈ {0, 1} n we
obtain a function Fk mapping n-bit input strings to n-bit output strings. A keyed function F induces a
natural distribution on functions given by choosing a uniform key k ∈ {0, 1} n and then considering
the resulting singleinput function Fk. We call F pseudorandom if the function Fk (for a uniform key k)
is indistinguishable from a function chosen uniformly at random from the set of all functions having
the same domain and range; that is, if no efficient adversary can distinguish—in a sense we more
carefully define below—whether it is interacting with Fk (for uniform k) or f (where f is chosen
uniformly from the set of all functions mapping n-bit inputs to n-bit outputs). Since choosing a
function at random is less intuitive than choosing a string at random, it is worth spending a bit more
time on this idea. Consider the set Funcn of all functions mapping n-bit strings to n-bit strings. This
set is finite, and selecting a uniform function mapping n-bit strings to n-bit strings means choosing
an element uniformly from this set. How large is Funcn? A function f is specified by giving its value
on each point in its domain. We can view any function (over a finite domain) as a large look-up table
that stores 78 Introduction to Modern Cryptography f(x) in the row of the table labeled by x. For f ∈
Funcn, the look-up table for f has 2n rows (one for each point of the domain {0, 1} n), with each row
containing an n-bit string (since the range of f is {0, 1} n ). Concatenating all the entries of the table,
we see that any function in Funcn can be represented by a string of length 2n · n. Moreover, this
correspondence is one-to-one, as each string of length 2n · n (i.e., each table containing 2n entries of
length n) defines a unique function in Funcn. Thus, the size of Funcn is exactly the number of strings
of length n · 2 n, or |Funcn| = 2n·2 n . Viewing a function as a look-up table provides another useful
way to think about selecting a uniform function f ∈ Funcn: It is exactly equivalent to choosing each
row in the look-up table of f uniformly. This means, in particular, that the values f(x) and f(y) (for any
two inputs x 6= y) are uniform and independent. We can view this look-up table being populated by
random entries in advance, before f is evaluated on any input, or we can view entries of the table
being chosen uniformly “on-the-fly,” as needed, whenever f is evaluated on a new input on which f
has not been evaluated before. Coming back to our discussion of pseudorandom functions, recall
that a pseudorandom function is a keyed function F such that Fk (for k ∈ {0, 1} n chosen uniformly at
random) is indistinguishable from f (for f ∈ Funcn chosen uniformly at random). The former is chosen
from a distribution over (at most) 2 n distinct functions, whereas the latter is chosen from all 2n·2 n
functions in Funcn. Despite this, the “behavior” of these functions must look the same to any
polynomial-time distinguisher. A first attempt at formalizing the notion of a pseudorandom function
would be to proceed in the same way as in Definition 3.14. That is, we could require that every
polynomial-time distinguisher D that receives a description of the pseudorandom function Fk
outputs 1 with “almost” the same probability as when it receives a description of a random function
f. However, this definition is inappropriate since the description of a random function has
exponential length (given by its look-up table of length n · 2 n ), while D is limited to running in
polynomial time. So, D would not even have sufficient time to examine its entire input. The
definition therefore gives D access to an oracle O which is either equal to Fk (for uniform k) or f (for a
uniform function f). The distinguisher D may query its oracle at any point x, in response to which the
oracle returns O(x). We treat the oracle as a black box in the same way as when we provided the
adversary with oracle access to the encryption algorithm in the definition of a chosen-plaintext
attack. Here, however, the oracle computes a deterministic function and so returns the same result
if queried twice on the same input. (For this reason, we may assume without loss of generality that D
never queries the oracle twice on the same input.) D may interact freely with its oracle, choosing its
queries adaptively based on all previous outputs. Since D runs in polynomial time, however, it can
ask only polynomially many queries. We now present the formal definition. (The definition assumes
F is lengthpreserving for simplicity only.) Private-Key Encryption 79 DEFINITION 3.25 Let F : {0, 1} ∗ ×
{0, 1} ∗ → {0, 1} ∗ be an efficient, length-preserving, keyed function. F is a pseudorandom function if
for all probabilistic polynomial-time distinguishers D, there is a negligible function negl such that:
Pr[DFk(·) (1n ) = 1] − Pr[Df(·) (1n ) = 1]
 ≤ negl(n), where the first probability is taken over uniform choice of k ∈ {0, 1} n and the randomness
of D, and the second probability is taken over uniform choice of f ∈ Funcn and the randomness of D.
An important point is that D is not given the key k. It is meaningless to require that Fk be
pseudorandom if k is known, since given k it is trivial to distinguish an oracle for Fk from an oracle for
f. (All the distinguisher has to do is query the oracle at any point x to obtain the answer y, and
compare this to the result y 0 := Fk(x) that it computes itself using the known value k. An oracle for
Fk will return y = y 0 , while an oracle for a random function will have y = y 0 with probability only
2−n.) This means that if k is revealed, any claims about the pseudorandomness of Fk no longer hold.
To take a concrete example, if F is a pseudorandom function, then given oracle access to Fk (for
uniform k) it must be hard to find an input x for which Fk(x) = 0n (since it would be hard to find such
an input for a truly random function f). But if k is known, finding such an input may be easy. Example
3.26 As usual, we can gain familiarity with the definition by looking at an insecure example. Define
the keyed, length-preserving function F by F(k, x) = k ⊕ x. For any input x, the value of Fk(x) is
uniformly distributed (when k is uniform). Nevertheless, F is not pseudorandom since its values on
any two points are correlated. Concretely, consider the distinguisher D that queries its oracle O on
arbitrary, distinct points x1, x2 to obtain values y1 = O(x1) and y2 = O(x2), and outputs 1 if and only if
y1 ⊕ y2 = x1 ⊕ x2. If O = Fk, for any k, then D outputs 1. On the other hand, if O = f for f chosen
uniformly from Funcn, then the probability that f(x1) ⊕ f(x2) = x1 ⊕ x2 is exactly the probability that
f(x2) = x1 ⊕ x2 ⊕ f(x1), or 2−n, and D outputs 1 with this probability. The difference is |1 − 2 −n|,
which is not negligible. ♦ Pseudorandom Permutations/Block Ciphers Let Permn be the set of all
permutations (i.e., bijections) on {0, 1} n. Viewing any f ∈ Permn as a look-up table as before, we
now have the added constraint that the entries in any two distinct rows must be different. We have
2n different choices for the entry in the first row of the table; once we fix this entry, we are left with
only 2n − 1 choices for the second row, and so on. We thus see that the size of Permn is (2n)!.