
Let $F:\{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n$ be a secure PRF (i.e. a PRF where the key space, input space, and output space are all $\{0,1\}^n$) and say $n=128$.

My assignment is to show that the function $F'(k,x) = F(k,x)$ when $x \ne 0^n$ and $F'(k,x)=k$ when $x=0^n$ is not a secure PRF, but the function $F''((k_1,k_2),x) = F(k_1,x)$ when $x \ne 0^n$ and $F''((k_1,k_2),x)=k_2$ when $x=0^n$ is a secure PRF.

However, I think that both are secure PRFs, because when the input is $0^n$, the functions $F'(k,x)$ and $F''((k_1,k_2),x)$ above will return $k$ and $k_2$, which are randomly chosen from their key space. So, even if the adversary inputs $0^n$ multiple times, it can only find out some random $\{0,1\}^n$ string.

Can you tell me what's wrong with my reasoning?

Daniel S

1 Answer


Informally, the security of a PRF is defined as follows:

The adversary is allowed to ask questions of its oracle. The oracle chooses one of the functions $F$ or $f$ at the beginning, where $f$ is a truly random function with the same domain and image as $F$. When the adversary $A$ sends a query on $x$, the oracle returns the answer $F(k,x)$ or $f(x)$, depending on which one it chose at the beginning. We say that $F$ is a secure PRF if $A$ cannot distinguish which function the oracle has chosen.

Now, with this explanation, for your first function the adversary sends a query on a nonzero $x^*$, then a query on zero. When it receives $k$, it computes $F(k,x^*)$; if this is the same as the answer it received for $x^*$ from the oracle, it concludes that the oracle has chosen $F$.

For the second function, the same attack does not work, because the adversary does not know the whole key yet.

A.Solei
  • Thank you for your answer. But as far as I understand, $F'(k_1, x) = F(k_1, x)$ and $F'(k_2, 0^n) = k_2$ ($k_1$ and $k_2$ are each randomly chosen from their key space). And the probability of $k_1$ and $k_2$ being equal is negligible, since the key space is 128-bit binary strings. So the advantage of the adversary is negligible. Is there anything wrong with it? – blueMountain Apr 16 '21 at 08:04
  • More precisely, for the second function $F'((k_1,k_2),x^*)=F(k_1,x^*)$ and $F'((k_1,k_2),0^n)=k_2$. And as you said, in this case $k_2$ does not give any information about $k_1$ if the key space is big enough and the keys are chosen randomly. – A.Solei Apr 16 '21 at 08:58
  • I appreciate your kindness. But for this function $F'(k,x) = F(k,x)$ when $x \ne 0^n$ and $k$ otherwise, if I input $x^*$ it will return $F(k, x^*)$; then if I input $0^n$ it will return $k'$. Then how can it compute $F(k,x^*)$? It has no info about $k$, and the only info it has is $k'$. – blueMountain Apr 16 '21 at 09:43
  • You are mistaken in your assumption that the key is sampled independently for each query. The key is sampled once and remains fixed for all queries. – Maeher Apr 16 '21 at 09:50
  • Then why is $F''((k_1,k_2),x) = F(k_1,x)$ when $x \ne 0^n$ and $F''((k_1,k_2),x)=k_2$ when $x=0^n$ a secure PRF? If I input $0^n$ it will always return the determined $k_2$. So the adversary can distinguish it from a really random function. – blueMountain Apr 16 '21 at 10:28
  • Because it is a function: for a fixed input it gives the same output. And it is the same for the truly random function $f$. So the adversary cannot distinguish between $F'$ and $f$. – A.Solei Apr 16 '21 at 11:21
  • That is the expected behavior of a random function. – Maeher Apr 16 '21 at 12:56
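The following is an added example (not part of the original question, answer or comments) that runs the distinguishing game described in the answer and the point made in the comment thread. It assumes a concrete stand-in for the abstract secure PRF $F$, namely HMAC-SHA256 truncated to 128 bits, so that key, input and output are all 128-bit strings; the page itself only says $F$ is some secure PRF with $n=128$. The oracle samples its key once and answers all queries with that fixed key, which is the modelling detail the comments turn on. The distinguisher is exactly the two-query attack from the answer: it has advantage 1 against $F'$ and (up to a $2^{-128}$ event) advantage 0 against $F''$, and repeated queries on $0^n$ return the same value in both the real and the random world.

```python
import hmac
import hashlib
import secrets

N_BYTES = 16            # n = 128 bits
ZERO = bytes(N_BYTES)   # the special input 0^n


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the secure PRF F (assumption: the page does not fix one).
    HMAC-SHA256 truncated to 128 bits maps 128-bit key x 128-bit input
    to a 128-bit output."""
    assert len(k) == N_BYTES and len(x) == N_BYTES
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def F_prime(k: bytes, x: bytes) -> bytes:
    """F'(k, x) = F(k, x) for x != 0^n, and k for x = 0^n (hands out the key)."""
    return k if x == ZERO else F(k, x)


def F_double_prime(key: tuple, x: bytes) -> bytes:
    """F''((k1, k2), x) = F(k1, x) for x != 0^n, and k2 for x = 0^n."""
    k1, k2 = key
    return k2 if x == ZERO else F(k1, x)


class Oracle:
    """The PRF game. A hidden bit picks either the candidate function under a
    key sampled ONCE for the oracle's whole lifetime, or a truly random
    function f, realised lazily as a table of fresh random outputs."""

    def __init__(self, candidate, keygen, real: bool):
        self.real = real
        self.key = keygen()      # sampled once, fixed for every query
        self.candidate = candidate
        self.table = {}          # lazily sampled truly random function f

    def query(self, x: bytes) -> bytes:
        if self.real:
            return self.candidate(self.key, x)
        if x not in self.table:  # f is a function: same x gives same value
            self.table[x] = secrets.token_bytes(N_BYTES)
        return self.table[x]


def distinguisher(oracle: Oracle) -> int:
    """The attack from the answer: query a nonzero x*, then 0^n, and test
    whether the second answer is a key that explains the first answer.
    Returns 1 for 'this is the PRF', 0 for 'this is random'."""
    x_star = bytes([0x01]) * N_BYTES   # any nonzero input
    y_star = oracle.query(x_star)
    r = oracle.query(ZERO)             # the key k under F', k2 under F''
    return 1 if F(r, x_star) == y_star else 0


def advantage(candidate, keygen, trials: int = 64) -> float:
    """Estimate Pr[D -> 1 | real] - Pr[D -> 1 | random] over fresh oracles."""
    real_ones = sum(distinguisher(Oracle(candidate, keygen, True))
                    for _ in range(trials))
    rand_ones = sum(distinguisher(Oracle(candidate, keygen, False))
                    for _ in range(trials))
    return (real_ones - rand_ones) / trials


def keygen_single() -> bytes:
    return secrets.token_bytes(N_BYTES)


def keygen_pair() -> tuple:
    return (secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES))


def repeated_zero_queries_agree(oracle: Oracle) -> bool:
    """Asking 0^n twice yields the same answer in BOTH worlds, so repetition
    alone gives the adversary nothing (the point made in the comments)."""
    return oracle.query(ZERO) == oracle.query(ZERO)


if __name__ == "__main__":
    print("advantage against F' :", advantage(F_prime, keygen_single))
    print("advantage against F'':", advantage(F_double_prime, keygen_pair))
    for real in (True, False):
        o = Oracle(F_prime, keygen_single, real)
        print("repeated 0^n queries agree (real=%s):" % real,
              repeated_zero_queries_agree(o))
```

Against $F'$ the distinguisher outputs 1 in every real-world run, because the value returned for $0^n$ is the very key used to answer $x^*$; in the random world it outputs 1 only if $F(f(0^n), x^*)$ happens to equal $f(x^*)$, a $2^{-128}$ event. Against $F''$ the value returned for $0^n$ is $k_2$, which is independent of $k_1$, so $F(k_2, x^*)$ matches $F(k_1, x^*)$ only with negligible probability and the two worlds look the same.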