## From unpredictability to indistinguishability: A simple construction of pseudo-random functions from MACs (1998)

Venue: Advances in Cryptology - CRYPTO '98, LNCS

Citations: 22 (8 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Naor98fromunpredictability,
  author    = {Moni Naor and Omer Reingold},
  title     = {From unpredictability to indistinguishability: A simple construction of pseudo-random functions from MACs},
  booktitle = {Advances in Cryptology - CRYPTO '98, LNCS},
  year      = {1998},
  pages     = {267--282},
  publisher = {Springer-Verlag}
}
```

### Abstract

This paper studies the relationship between unpredictable functions (which formalize the concept of a MAC) and pseudo-random functions. We show an efficient transformation of the former to the latter using a unique application of the Goldreich-Levin hard-core bit (taking the inner product with a random vector r): while in most applications of the GL-bit the random vector r may be public, in our setting this is not the case. The transformation is only secure when r is secret and treated as part of the key. In addition, we consider weaker notions of unpredictability and their relationship to the corresponding notions of pseudo-randomness. Using these weaker notions we formulate the exact requirements of standard protocols for private-key encryption, authentication and identification. In particular, this implies a simple construction of a private-key encryption scheme from the standard challenge-response identification scheme.

### Citations

756 | Construction of Pseudorandom Generator from any One-Way Function
- Impagliazzo, Yung
- 1993
Citation Context: ...enough for f_s to be unpredictable but it should also hide information about its input. Since unpredictable functions imply one-way functions [20] they also imply full-fledged pseudo-random functions [15, 19]. However, these general constructions (from one-way functions to pseudo-random generators [19] and from pseudo-random generators to pseudo-random functions [15]) are computationally heavy. An obvious ...

665 | How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
Citation Context: ...tack vs. an adaptive attack. We show that in several settings unpredictability can easily be turned into pseudo-randomness. Pseudo-random functions were introduced by Goldreich, Goldwasser and Micali [15] and are a very well studied object in Foundations of Cryptography. A distribution of functions is pseudo-random if: (1) This distribution is efficient (i.e., it is easy to sample functions according ...

623 | How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits
- Blum, Micali
- 1984
Citation Context: ...le" number sequences [29]. There, given any prefix of the sequence it is hard to compute the next number. As shown by Yao [31], the unpredictability of the bit sequences introduced by Blum and Micali [7] implies their pseudo-randomness. Thus unpredictability and pseudo-randomness (indistinguishability) are equivalent for bit sequences but not for number sequences in general. This interesting phenome...

529 | Theory and applications of trapdoor functions
- Yao
- 1982
Citation Context: ... is pseudo-random. As an interesting analogy, consider Shamir's "unpredictable" number sequences [29]. There, given any prefix of the sequence it is hard to compute the next number. As shown by Yao [31], the unpredictability of the bit sequences introduced by Blum and Micali [7] implies their pseudo-randomness. Thus unpredictability and pseudo-randomness (indistinguishability) are equivalent for bi...

503 | Keying Hash Functions for Message Authentication
- Bellare, Canetti, et al.
- 1996
Citation Context: ... (message authentication code) by letting the authentication tag of a message m be f_s(m) (where the key, s, of f_s is also the private key of the MAC). As discussed by Bellare, Canetti and Krawczyk [1] (see also [26]) the security of this scheme does not require the full strength of a pseudo-random function. Breaking this MAC (under the strong attack of existential forgery with a chosen message) am...

473 | Non-Malleable Cryptography
- Dolev, Dwork, et al.
- 1991
Citation Context: ...lity against a random sample and a random challenge. Encryption: The encryption of a message m is defined to be ⟨r, f_s(r) ⊕ m⟩, where r is a uniformly chosen input. We are using the terminology of [11] for attacks (chosen plaintext, chosen ciphertext in the preprocessing and postprocessing modes) and notions of security (semantic and non-malleability). Assuming that the adversary is limited to a chose...

386 | A hard-core predicate for all one-way functions
- Goldreich, Levin
- 1989
Citation Context: ...at this point is whether it is possible to use unpredictable functions in order to construct a pseudo-random function at low cost. A natural construction is to apply the Goldreich-Levin hard-core bit [17] (GL-bit) in order to obtain a single-bit pseudo-random function using the inner product with a random (but fixed) vector r. In other words, if f : {0,1}^n → {0,1}^m is an unpredictable function, th...

375 | A Concrete Security Treatment of Symmetric Encryption
- Bellare, Desai, et al.
- 1997
Citation Context: ... − 1/2| is negligible. The equivalence of this definition to Definition 2.2 was shown in [15]. For a recent discussion on similar reductions and their security see the work of Bellare et al. [2]. Proposition 3.1 ([15]) Let F = {F_n}_{n∈N} be an efficient I_n → I_{ℓ(n)} function-ensemble. Then F is pseudo-random iff it is indistinguishable against an adaptive sample and an adaptive challenge. T...

355 | HMAC: Keyed-hashing for Message Authentication
- Krawczyk, Bellare, et al.
- 1997
Citation Context: ...[1]. They are especially attractive for long messages since the cryptographic function is only applied to a much shorter string and since for some of the recent constructions of hash functions (e.g., [18, 28]) computing h(m) is relatively cheap. However, in this case it is not enough for f_s to be unpredictable but it should also hide information about its input. Since unpredictable functions imply one-wa...

354 | New hash functions and their use in authentication and set equality
- Wegman, Carter
- 1981
Citation Context: ...udo-random functions are still valuable for many applications such as private-key encryption. In fact, pseudo-random functions are useful even in the context of authentication. Consider Wegman-Carter [30] based MACs, i.e., letting the authentication tag of a message m be f_s(h(m)) where h is a non-cryptographic hash function (e.g., almost-universal_2). Such MACs are serious competitors to both CB...

157 | The security of cipher block chaining
- Bellare, Kilian, et al.
- 1994
Citation Context: ...MACs, i.e., letting the authentication tag of a message m be f_s(h(m)) where h is a non-cryptographic hash function (e.g., almost-universal_2). Such MACs are serious competitors to both CBC-MACs [3] and HMACs [1]. They are especially attractive for long messages since the cryptographic function is only applied to a much shorter string and since for some of the recent constructions of hash functi...

154 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 1997
Citation Context: ...tion provides a simple construction of a private-key encryption scheme from the standard challenge-response identification scheme. • Showing a more efficient variant for one of the constructions in [25] that achieves some notion of unpredictability (which is sufficient for the standard identification scheme). Random attacks on function families are also natural in the context of Computational Learni...

152 | Tracing traitors
- Chor, Fiat, et al.
- 2000
Citation Context: ...adaptive access to the function as a black-box. Pseudo-random functions have numerous applications in practically any scenario where a large amount of randomness needs to be shared or fixed (see e.g., [4, 6, 8, 10, 12, 13, 16, 21, 22, 24]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption): A pseudo-random function f_s can be used as a MAC (message authent...

143 | Foundations of Cryptography (Fragments of a Book). Available at http://www.wisdom.weizmann.ac.il/home/oded/public_html/frag.html
- Goldreich
Citation Context: ...onsider weaker notions of unpredictability and pseudo-randomness. 2 Preliminaries: In this section we include the definitions of function-ensembles and pseudo-random functions almost as they appear in [14, 24]: 2.1 Notation • I_n denotes the set of all n-bit strings, {0,1}^n. • U_n denotes the random variable uniformly distributed over I_n. • Let x and y be two bit strings of equal length, then x ...

119 | One-way Functions are Essential for Complexity Based Cryptography
- Impagliazzo, Luby
- 1989
Citation Context: ...h(m) is relatively cheap. However, in this case it is not enough for f_s to be unpredictable but it should also hide information about its input. Since unpredictable functions imply one-way functions [20] they also imply full-fledged pseudo-random functions [15, 19]. However, these general constructions (from one-way functions to pseudo-random generators [19] and from pseudo-random generators to pseud...

101 | On the construction of pseudorandom permutations: Luby-Rackoff revisited
- Naor, Reingold
- 1999
Citation Context: ...n adaptive access to the function as a black-box. Pseudo-random functions have numerous applications in practically any scenario where a large amount of randomness needs to be shared or fixed (see e.g., [4, 6, 8, 9, 10, 11, 14, 17, 18, 20]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption): A pseudo-random function f_s can be used as a MAC (message authentic...

88 | Cryptographic primitives based on hard learning problems
- Blum, Furst, et al.
- 1994
Citation Context: ...eves some notion of unpredictability (which is sufficient for the standard identification scheme). Random attacks on function families are also natural in the context of Computational Learning Theory [5]. In addition, it was shown in [23] how to construct a full-fledged pseudo-random function f from such weak pseudo-random functions h (going through the concept of a pseudo-random synthesizer). Give...

85 | On the Generation of Cryptographically Strong Pseudo-Random Sequences
- Shamir
- 1983
Citation Context: ...l guess is negligible. However, in case N is small (i.e. polynomial) this definition implies that f_s is pseudo-random. As an interesting analogy, consider Shamir's "unpredictable" number sequences [29]. There, given any prefix of the sequence it is hard to compute the next number. As shown by Yao [31], the unpredictability of the bit sequences introduced by Blum and Micali [7] implies their pseudo...

57 | Chaffing and winnowing: Confidentiality without encryption. http://theory.lcs.mit.edu/~rivest/chaffing.txt
- Rivest
- 1998
Citation Context: ...bviously for using efficient constructions of MACs in scenarios that require pseudo-random functions (especially when a single-bit pseudo-random function is needed as in [9]). A recent work of Rivest [27] makes strong arguments against the validity of export regulations' distinction between MACs and encryption schemes. One may view our work as supporting such arguments since it shows that efficient (...

56 | On the cryptographic applications of random functions
- Goldreich, Goldwasser, et al.
- 1985
Citation Context: ...n adaptive access to the function as a black-box. Pseudo-random functions have numerous applications in practically any scenario where a large amount of randomness needs to be shared or fixed (see e.g., [4, 6, 8, 9, 10, 11, 14, 17, 18, 20]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption): A pseudo-random function f_s can be used as a MAC (message authentic...

56 | Bucket hashing and its application to fast message authentication
- Rogaway
- 1995
Citation Context: ...[1]. They are especially attractive for long messages since the cryptographic function is only applied to a much shorter string and since for some of the recent constructions of hash functions (e.g., [18, 28]) computing h(m) is relatively cheap. However, in this case it is not enough for f_s to be unpredictable but it should also hide information about its input. Since unpredictable functions imply one-wa...

49 | New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs
- Bellare, Goldwasser
- 1989
Citation Context: ...adaptive access to the function as a black-box. Pseudo-random functions have numerous applications in practically any scenario where a large amount of randomness needs to be shared or fixed (see e.g., [4, 6, 8, 10, 12, 13, 16, 21, 22, 24]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption): A pseudo-random function f_s can be used as a MAC (message authent...

42 | Synthesizers and their application to the parallel construction of pseudo-random functions
- Naor, Reingold
- 1995
Citation Context: ...ty (which is sufficient for the standard identification scheme). Random attacks on function families are also natural in the context of Computational Learning Theory [5]. In addition, it was shown in [23] how to construct a full-fledged pseudo-random function f from such weak pseudo-random functions h (going through the concept of a pseudo-random synthesizer). Given that h has a large enough output ...

31 | On the security of two MAC algorithms
- Preneel, van Oorschot
- 1996
Citation Context: ...entication code) by letting the authentication tag of a message m be f_s(m) (where the key, s, of f_s is also the private key of the MAC). As discussed by Bellare, Canetti and Krawczyk [1] (see also [26]) the security of this scheme does not require the full strength of a pseudo-random function. Breaking this MAC (under the strong attack of existential forgery with a chosen message) amounts to adapti...

29 | Two remarks concerning the Goldwasser-Micali-Rivest signature scheme
- Goldreich
- 1987
Citation Context: ...adaptive access to the function as a black-box. Pseudo-random functions have numerous applications in practically any scenario where a large amount of randomness needs to be shared or fixed (see e.g., [4, 6, 8, 10, 12, 13, 16, 21, 22, 24]). In this paper we concentrate on the application to authentication (and also on the applications to identification and encryption): A pseudo-random function f_s can be used as a MAC (message authent...

27 | How to construct pseudorandom permutations and pseudorandom functions
- Luby, Rackoff
- 1988

21 | Modern Cryptology
- Brassard
- 1988

19 | Pseudo-randomness and applications
- Luby
- 1996

17 | Checking the correctness of memories, Algorithmica 12
- Blum, Evans, et al.
- 1994

9 | Multicast Security: A Taxonomy and Efficient Authentication
- Canetti, G, et al.
- 1999
Citation Context: ...rge range. Moreover, there are several scenarios where a single-bit (or few-bit) pseudo-random function is needed. One such scenario (which also motivated this work) was considered by Canetti et al. [9] for multicast authentication. In their scheme many functions are used for authentication, and the adversary might know a constant fraction of them. Therefore, letting each function be a one-bit pseud...

8 | Towards a theory of software protection
- Goldreich
- 1986

1 | Multicast security: A taxonomy and efficient authentication, submission to this conference
Citation Context: ... tolerable. An alternative solution is to concatenate several pseudo-random functions. Moreover, there are several scenarios where a single-bit (or few-bit) pseudo-random function is needed (see e.g., [27] which also motivated this work). This is the case where many functions are used for authentication but the adversary knows a constant fraction of them so there is no point in having functions with la...

1 | Non-malleable cryptography, Proc. 23rd Ann
- Dolev, Dwork, et al.
- 1991
Citation Context: ...tability against a random sample and a random challenge. Encryption: The encryption of a message m is defined to be ⟨r, f_s(r) ⊕ m⟩, where r is a uniformly chosen input. We are using the terminology of [9] for attacks (chosen plaintext, chosen ciphertext in the preprocessing and postprocessing modes) and notions of security (semantic and non-malleability). Assuming that the adversary is limited to a chose...
