In cryptography, a pseudorandom permutation (PRP) is a function that cannot be distinguished from a random permutation (that is, a permutation selected at random with uniform probability, from the family of all permutations on the function's domain) with practical effort.
Let F be a mapping . F is a PRP if and only if
A pseudorandom permutation family is a collection of pseudorandom permutations, where a specific permutation may be chosen using a key.
The idealized abstraction of a (keyed) block cipher is a truly random permutation on the mappings between plaintext and ciphertext. If a distinguishing algorithm exists that achieves significant advantage with less effort than specified by the block cipher's security parameter (this usually means the effort required should be about the same as a brute force search through the cipher's key space), then the cipher is considered broken at least in a certificational sense, even if such a break doesn't immediately lead to a practical security failure. [2]
Modern ciphers are expected to have super pseudorandomness. That is, the cipher should be indistinguishable from a randomly chosen permutation on the same message space, even if the adversary has black-box access to the forward and inverse directions of the cipher. [3]
Michael Luby and Charles Rackoff [4] showed that a "strong" pseudorandom permutation can be built from a pseudorandom function using a Luby–Rackoff construction which is built using a Feistel cipher.
An unpredictable permutation (UP) Fk is a permutation whose values cannot be predicted by a fast randomized algorithm. Unpredictable permutations may be used as a cryptographic primitive, a building block for cryptographic systems with more complex properties.
An adversary for an unpredictable permutation is defined to be an algorithm that is given access to an oracle for both forward and inverse permutation operations. The adversary is given a challenge input k and is asked to predict the value of Fk. It is allowed to make a series of queries to the oracle to help it make this prediction, but is not allowed to query the value of k itself. [5]
A randomized algorithm for generating permutations generates an unpredictable permutation if its outputs are permutations on a set of items (described by length-n binary strings) that cannot be predicted with accuracy significantly better than random by an adversary that makes a polynomial (in n) number of queries to the oracle prior to the challenge round, whose running time is polynomial in n, and whose error probability is less than 1/2 for all instances. That is, it cannot be predicted in the complexity class PP, relativized by the oracle for the permutation. [5]
It can be shown that a function Fk is not a secure message authentication code (MAC) if it satisfies only the unpredictability requirement. It can also be shown that one cannot build an efficient variable input length MAC from a block cipher which is modelled as a UP of n bits. It has been shown that the output of a k = n/ω(log λ) round Feistel construction with unpredictable round functions may leak all the intermediate round values. [5] Even for realistic Unpredictable Functions (UF), some partial information about the intermediate round values may be leaked through the output. It was later shown that if a super-logarithmic number of rounds in the Feistel construction is used, then the resulting UP construction is secure even if the adversary gets all the intermediate round values along with the permutation output. [6]
There is also a theorem that has been proven in this regard which states that if there exists an efficient UP adversary Aπ that has non-negligible advantage επ in the unpredictability game against UP construction ψU,k and which makes a polynomial number of queries to the challenger, then there also exists a UF adversary Af that has non-negligible advantage in the unpredictability game against a UF sampled from the UF family F . From this, it can be shown that the maximum advantage of the UP adversary Aπ is επ = O (εf. (qk)6). Here εf denotes the maximum advantage of a UF adversary running in time O(t + (qk)5) against a UF sampled from F, where t is the running time of the PRP adversary Aψ and q is the number of queries made by it. [6] [7]
In addition, a signature scheme that satisfies the property of unpredictability and not necessarily pseudo-randomness is essentially a Verifiable Unpredictable Function (VUF). A verifiable unpredictable function is defined analogously to a Verifiable Pseudorandom Function (VRF) but for pseudo-randomness being substituted with weaker unpredictability. Verifiable unpredictable permutations are the permutation analogs of VUFs or unpredictable analogs of VRPs. A VRP is also a VUP and a VUP can actually be built by building a VRP via the Feistel construction applied to a VRF. But this is not viewed useful since VUFs appear to be much easier to construct than VRFs. [8]
In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks. Block ciphers are specified elementary components in the design of many cryptographic protocols and are widely used to encrypt large amounts of data, including in data exchange protocols. A block cipher uses blocks as an unvarying transformation.
A pseudorandom number generator (PRNG), also known as a deterministic random bit generator (DRBG), is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers. The PRNG-generated sequence is not truly random, because it is completely determined by an initial value, called the PRNG's seed. Although sequences that are closer to truly random can be generated using hardware random number generators, pseudorandom number generators are important in practice for their speed in number generation and their reproducibility.
A cryptographically secure pseudorandom number generator (CSPRNG) or cryptographic pseudorandom number generator (CPRNG) is a pseudorandom number generator (PRNG) with properties that make it suitable for use in cryptography. It is also loosely known as a cryptographic random number generator (CRNG).
Articles related to cryptography include:
In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel, who did pioneering research while working for IBM; it is also commonly known as a Feistel network. A large proportion of block ciphers use the scheme, including the US Data Encryption Standard, the Soviet/Russian GOST and the more recent Blowfish and Twofish ciphers. In a Feistel cipher, encryption and decryption are very similar operations, and both consist of iteratively running a function called a "round function" a fixed number of times.
In cryptography, a random oracle is an oracle that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time that query is submitted.
A randomized algorithm is an algorithm that employs a degree of randomness as part of its logic or procedure. The algorithm typically uses uniformly random bits as an auxiliary input to guide its behavior, in the hope of achieving good performance in the "average case" over all possible choices of random determined by the random bits; thus either the running time, or the output are random variables.
In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender and has not been changed. The MAC value protects a message's data integrity, as well as its authenticity, by allowing verifiers to detect any changes to the message content.
In cryptography, a hard-core predicate of a one-way function f is a predicate b which is easy to compute but is hard to compute given f(x). In formal terms, there is no probabilistic polynomial-time (PPT) algorithm that computes b(x) from f(x) with probability significantly greater than one half over random choice of x. In other words, if x is drawn uniformly at random, then given f(x), any PPT adversary can only distinguish the hard-core bit b(x) and a uniformly random bit with negligible advantage over the length of x.
In cryptography, Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme often used together with RSA encryption. OAEP was introduced by Bellare and Rogaway, and subsequently standardized in PKCS#1 v2 and RFC 2437.
In theoretical computer science and cryptography, a pseudorandom generator (PRG) for a class of statistical tests is a deterministic procedure that maps a random seed to a longer pseudorandom string such that no statistical test in the class can distinguish between the output of the generator and the uniform distribution. The random seed itself is typically a short binary string drawn from the uniform distribution.
In cryptography, a verifiable random function (VRF) is a public-key pseudorandom function that provides proofs that its outputs were calculated correctly. The owner of the secret key can compute the function value as well as an associated proof for any input value. Everyone else, using the proof and the associated public key, can check that this value was indeed calculated correctly, yet this information cannot be used to find the secret key.
Disk encryption is a special case of data at rest protection when the storage medium is a sector-addressable device. This article presents cryptographic aspects of the problem. For an overview, see disk encryption. For discussion of different software packages and hardware devices devoted to this problem, see disk encryption software and disk encryption hardware.
In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish between a function chosen randomly from the PRF family and a random oracle. Pseudorandom functions are vital tools in the construction of cryptographic primitives, especially secure encryption schemes.
In cryptography, an adversary's advantage is a measure of how successfully it can attack a cryptographic algorithm, by distinguishing it from an idealized version of that type of algorithm. Note that in this context, the "adversary" is itself an algorithm and not a person. A cryptographic algorithm is considered secure if no adversary has a non-negligible advantage, subject to specified bounds on the adversary's computational resources. "Negligible" usually means "within O(2−p)" where p is a security parameter associated with the algorithm. For example, p might be the number of bits in a block cipher's key.
In cryptography, a distinguishing attack is any form of cryptanalysis on data encrypted by a cipher that allows an attacker to distinguish the encrypted data from random data. Modern symmetric-key ciphers are specifically designed to be immune to such an attack. In other words, modern encryption schemes are pseudorandom permutations and are designed to have ciphertext indistinguishability. If an algorithm is found that can distinguish the output from random faster than a brute force search, then that is considered a break of the cipher.
In computational complexity the decision tree model is the model of computation in which an algorithm is considered to be basically a decision tree, i.e., a sequence of queries or tests that are done adaptively, so the outcome of previous tests can influence the tests performed next.
In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:
In cryptography, SWIFFT is a collection of provably secure hash functions. It is based on the concept of the fast Fourier transform (FFT). SWIFFT is not the first hash function based on FFT, but it sets itself apart by providing a mathematical proof of its security. It also uses the LLL basis reduction algorithm. It can be shown that finding collisions in SWIFFT is at least as difficult as finding short vectors in cyclic/ideal lattices in the worst case. By giving a security reduction to the worst-case scenario of a difficult mathematical problem, SWIFFT gives a much stronger security guarantee than most other cryptographic hash functions.
The Lai–Massey scheme is a cryptographic structure used in the design of block ciphers. It is used in IDEA and IDEA NXT. The scheme was originally introduced by Xuejia Lai with the assistance of James L. Massey, hence the scheme's name, Lai-Massey.