Public-seed Pseudorandom Permutations · KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked 𝒑𝒔𝑷𝑹𝑷 ... is -secure if ∀ PPT , , left

Public-seed Pseudorandom Permutations

Pratik Soni Stefano Tessaro

UC Santa Barbara UC Santa Barbara

EUROCRYPT 2017

Cryptographic schemes often built from generic building blocks


Typically: Block ciphers, hash/compression functions!

𝐻

𝐾 ⊕ 𝑖𝑝𝑎𝑑 || 𝑀

𝐾 ⊕ 𝑜𝑝𝑎𝑑

𝐻

hash function (e.g., SHA-3)

𝐸𝐾

𝑀1

𝐼𝑉

𝑀2

𝐸𝐾

𝑀ℓ

block cipher (e.g., AES)


Typically: Block ciphers, hash/compression functions!

Is there a universal and simple building block for efficient symmetric cryptography?

𝐻

𝐾 ⊕ 𝑖𝑝𝑎𝑑 || 𝑀

𝐾 ⊕ 𝑜𝑝𝑎𝑑

𝐻

hash function (e.g., SHA-3)

𝐸𝐾

𝑀1

𝐼𝑉

𝑀2

𝐸𝐾

𝑀ℓ

block cipher (e.g., AES)

Recent trend: Start from seedless permutation



Sponge paradigm


Sponge paradigm


…

Sponge paradigm

Here: 𝜋 is an efficiently computable and invertible one-to-one function


…

Sponge paradigm

Permutations

“… it would be nice, now, if permutations can be called

the Swiss Army Knife [of cryptography]” — Joan Daemen, Passwords^12

Hashing Garbling

PRNGs Authenticated Encryption

MACs KDFs

Typical instantiations


Ad-hoc construction

e.g., in KECCAK, NORX, …

Designed to withstand cryptanalysis


Fixed-key block ciphers

Ad-hoc construction



e.g., 𝜋 ∶ 𝑥 → AES(0128, 𝑥) 𝐴𝐸𝑆

0128


Fixed-key block ciphers

Ad-hoc construction



e.g., 𝜋 ∶ 𝑥 → AES(0128, 𝑥)

Faster, no re-keying costs!

𝐴𝐸𝑆

0128

Faster Hash functions [RS08], fast garbling [BHKR13]

Permutations assumptions

Permutations are great in practice, but what about theory?


Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”


𝑆0 0

0

𝜋 𝜋 𝜋



e.g., 𝐶 = KECCAK;

𝑌 = Anything non-trivial

𝑋 = ? ? ?


𝑆0 0

0

𝜋 𝜋 𝜋



e.g., 𝐶 = KECCAK;

𝑌 = Anything non-trivial

𝑋 = ? ? ?

Common approach: Use random permutation (RP) model

𝜋 is random + adversary given oracle access to 𝜋 and 𝜋−1


Observation: No standard-model proofs known for permutation-based constructions!

𝑆0 0

0

𝜋 𝜋 𝜋

But: random permutations do not exist [CGH98]


RP model proofs only yield security for generic attacks



Quite different state of affairs than for hash functions:

Hash functions

ideal model

random oracle




Hash functions

ideal model standard model

random oracle CRHF, OWFs, UOWHFs,

CI, UCEs…




Hash functions

Permutations


random oracle

RP

CRHF, OWFs, UOWHFs, CI, UCEs…

????




Hash functions

Permutations


random oracle

RP

CRHF, OWFs, UOWHFs, CI, UCEs…

????

What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness …

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.



“Public-seed Pseudorandom Permutations” (psPRPs)




We address two main questions:





Can we get psPRPs at all?






Are psPRPs useful?


inspired by the UCE framework [BHK13]





Are psPRPs useful?


inspired by the UCE framework [BHK13]





Are psPRPs useful?

Yes! Yes!

psPRPs have many applications


Deterministic & Hedged PKE

Immunizing backdoored PRGs

CCA-secure Enc. (CCA)

…

Hardcore functions (HC)

KDM-secure symmetric key Enc. (KDM)

Point function Obfuscation (PFOB)

Efficient garbling from fixed-key block-ciphers

Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷





…





Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬





…






Sponges





…






Sponges





…






Sponges

Feistel

Roadmap

1.Definitions

2.Constructions & Applications

3.Conclusions

Co-related input hash

Functions (CIH)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1) 𝜋 ∶ 0,1 𝑛 → 0,1 𝑛

We consider seeded permutations

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝐺𝑒𝑛 𝑥 𝜋𝑠 𝑥

𝜋 ∶ 0,1 𝑛 → 0,1 𝑛

𝜋𝑠 1𝜆 𝑠

Seed generation

𝑦 𝜋𝑠−1 𝑦 𝜋𝑠

−1

Forward evaluation

Backward evaluation

Efficient (poly-time) algorithms

(2) ∀𝑥 ∶ 𝜋𝑠−1 𝜋𝑠 𝑥 = 𝑥

(1) 𝜋𝑠 ∶ 0,1 𝑛 → 0,1 𝑛

We consider seeded permutations

Traditional security notion if seed is secret: Pseudorandom Permutation

𝐷

𝑠 ← Gen(1𝜆)

𝜋s / 𝜋𝑠−1

𝜌 ← Perms(𝑛)

𝜌/𝜌−1 ≈


0/1

𝐷

𝑠 ← Gen(1𝜆)



𝜌/𝜌−1 ≈


0/1

𝐷

𝑠 ← Gen(1𝜆)


5


𝜌/𝜌−1 ≈

Stage 1: • Oracle access • Secret seed

Stage 2: • Learns seed • No oracle access


0/1

𝐷

𝑠 ← Gen(1𝜆)


5


𝜌/𝜌−1 ≈

Stage 1: • Oracle access • Secret seed

Stage 2: • Learns seed • No oracle access


Limited information

flow

0/1

UCE security

𝐻 = (𝐺𝑒𝑛, ℎ)

Bellare Hoang Keelveedhi

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source




𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source




𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿


distinguisher

𝐷



𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿


distinguisher

𝐷


𝒔

𝑠 ← Gen(1𝜆)


𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿


distinguisher

𝐷


0/1

𝒔


𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿


distinguisher

𝐷


0/1

𝒔

≈

𝑆

𝐷

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑆

𝐷

Makes forward and backward queries!

𝑠 ← Gen(1𝜆)

psPRP security


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑆

𝐿

𝐷

𝒔


𝑠 ← Gen(1𝜆)

psPRP security


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑆

𝐿

𝐷 0/1

𝒔


𝑠 ← Gen(1𝜆)

psPRP security


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , left and right are indistinguishable.

𝑆

𝐿

𝐷 0/1

𝒔


𝑠 ← Gen(1𝜆)

psPRP security


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , left and right are indistinguishable.

𝑆

𝐿

𝐷 0/1

𝒔


𝑠 ← Gen(1𝜆)

psPRP security


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆


(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆


(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆


𝑦 𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆

𝐿 = 𝑦

𝐷

𝒔


𝑦 𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆

𝐿 = 𝑦

𝐷

𝒔


𝑦

Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛

𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆

𝐿 = 𝑦

𝐷

𝒔


𝑦


1 with prob. 1

𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆

𝐿 = 𝑦

𝐷

𝒔


𝑦


1

1

with prob. 1

with prob. 1/2𝑛

𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)


𝑆

𝐿 = 𝑦

𝐷

𝒔


𝑦


1

1

with prob. 1

with prob. 1/2𝑛

𝑦

𝑝𝑠𝑃𝑅𝑃-security is impossible against all sources!

≈

Sources need to be restricted

all sources

𝑃 = (Gen, 𝜋, 𝜋−1)


all sources

𝒮

𝑃 = (Gen, 𝜋, 𝜋−1)


𝑃 is 𝑝𝑠𝑃𝑅𝑃[𝒮]-secure if ∀ 𝑆 ∈ 𝒮 and ∀ PPT

𝐷, left and right are indistinguishable.

all sources

𝒮

𝑃 = (Gen, 𝜋, 𝜋−1)

𝑆

𝐿

𝐷 0/1

𝒔

𝑠 ← Gen(1𝜆) 𝜋𝑠/𝜋𝑠

−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

all

sources

This talk – unpredictable and reset-secure sources

all

sources

𝒮𝑠𝑢𝑝 unpredictable


all

sources

𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable

reset-secure


all

sources


reset-secure


Both restrictions model that 𝐷 cannot predict the queries made by the sources!

all

sources


reset-secure



𝒮𝑠𝑢𝑝 ⊆ 𝒮𝑠𝑟𝑠

all

sources


reset-secure



𝒮𝑠𝑢𝑝 ⊆ 𝒮𝑠𝑟𝑠 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 is a stronger

assumption than 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝 ⟹

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

𝐴



𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝐴


𝜎 ∈ {+,−}


𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝐴

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}


𝜎 ∈ {+,−}


𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}


𝜎 ∈ {+,−}


𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}


𝜎 ∈ {+,−}


𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄′

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)


𝜎 ∈ {+,−}

It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse


𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄′

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)

⊆

𝒮𝑠𝑢𝑝: 𝐴 is computationally unbounded

𝒮𝑐𝑢𝑝: 𝐴 is PPT


𝜎 ∈ {+,−}



𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄′

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)

⊆

𝒮𝑠𝑢𝑝: 𝐴 is computationally unbounded

𝒮𝑐𝑢𝑝: 𝐴 is PPT 𝑝𝑠𝑃𝑅𝑃[𝒮𝑐𝑢𝑝] impossible if iO

exists [BFM14]


𝜎 ∈ {+,−}


Source restrictions – reset-security


𝑆 𝜌/𝜌−1

𝑅



𝑆 𝜌/𝜌−1

𝑅



𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1



𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1



𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1

𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)

𝜌1 ← Perms(𝑛)

≈


𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1



≈


⊆

𝒮𝑠𝑟𝑠: 𝑅 is computationally unbounded

𝒮𝑐𝑟𝑠: 𝑅 is PPT

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1



≈


⊆

𝒮𝑠𝑟𝑠: 𝑅 is computationally unbounded

𝒮𝑐𝑟𝑠: 𝑅 is PPT

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1



𝒮𝑐𝑢𝑝 ⊆ 𝒮𝑐𝑟𝑠

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝]

Recap

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝]

Recap

Recap

Recap

Central assumption in UCE theory

Recap

Central assumption in UCE theory

Roadmap

1.Definitions


3.Conclusions


Functions (CIH)

Next


Functions (CIH)


Are psPRPs useful?

Next


Functions (CIH)


Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Next


Functions (CIH)


Are psPRPs useful?



Constructions of UCEs

Direct applications Garbling from fixed-key

block ciphers

Next


Functions (CIH)


Are psPRPs useful?





block ciphers

Next


Functions (CIH)


Are psPRPs useful?





block ciphers

Next


Functions (CIH)


Are psPRPs useful?





block ciphers

Common denominator: A new, restricted notion of indifferentiability!

Next


Functions (CIH)


Are psPRPs useful?





block ciphers

Common denominator: A new, restricted notion of indifferentiability! CP-sequential

indifferentiability

𝐶

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓


𝑓 ← Funcs(∗, 𝑛)

Indifferentiability[MRH04]

𝐴 𝐴

𝐶

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓




𝐴 𝐴

𝐶

? 𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓




𝐴 𝐴

𝐶

𝑆𝑖𝑚 𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓




𝐴 𝐴 ≈

𝐶

0/1

𝑆𝑖𝑚

0/1

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓




≈

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1

CP-sequential indifferentiability

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓



≈

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1


𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):

left and right are indistinguishable.

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓



≈

Remarks:

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1




𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓



≈

1. Full indifferentiability ⟹ CP-seq indiff.

2. Reverse ordering: seq. indifferentiability [MPS12]

Remarks:

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1




𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓



From psPRPs to UCEs

Theorem:

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝐶[𝑃]

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

𝜋𝑠/𝜋𝑠−1

From psPRPs to UCEs


𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1


From psPRPs to UCEs



Similar result proved in [BHK14], but: • Need full indifferentiability • Only stated for UCE domain extension

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1


From psPRPs to UCEs



Similar result proved in [BHK14], but: • Need full indifferentiability • Only stated for UCE domain extension

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!


From psPRPs to UCEs – Sponges

𝑦 ∈ {0,1}𝑟

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀1 𝑀2 𝑀𝑙


𝑦 ∈ {0,1}𝑟

Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌



𝑦 ∈ {0,1}𝑟


𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌


𝜋𝑠 𝜋𝑠 𝜋𝑠


𝑦 ∈ {0,1}𝑟

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Sponge[𝑃] 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure.


𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌




𝑦 ∈ {0,1}𝑟

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Sponge[𝑃] 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure.


𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌



Validates the Sponge paradigm for UCE applications!

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝜌



𝑥 ∈ {0,1}𝑛 𝜌



𝑥 ∈ {0,1}𝑛 𝜌 𝑛 𝑛



𝑥 ∈ {0,1}𝑛

truncates 𝑛-bits to 𝑟-bits

𝜌 𝑛 𝑛 𝑟



𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟


𝜌 𝑛 𝑛 𝑟



Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟


𝜌 𝑛 𝑛 𝑟




Chop 𝑅𝑃 is not indifferentiable

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟


𝜌 𝑛 𝑛 𝑟





𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟


𝜌 𝜋𝑠 𝑛 𝑛 𝑟




Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.


𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟








𝑈𝐶𝐸 𝒮𝑠𝑢𝑝 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟








𝑈𝐶𝐸 𝒮𝑠𝑢𝑝 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟



From Chop 𝑃 to VIL UCE: Domain extension techniques [BHK14]


psPRPs from UCEs Theorem:

psPRPs from UCEs

≈ 𝐴1 𝐶

𝐴2

𝑠𝑡

𝑏′

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

𝑏′

𝑅𝑂

𝑅𝑃

𝐶 𝑅𝑂 ∼cpi 𝑅𝑃

Theorem:

psPRPs from UCEs

≈ 𝐴1 𝐶

𝐴2

𝑠𝑡

𝑏′

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

𝑏′

𝑅𝑂

𝑅𝑃

𝐶 𝑅𝑂 ∼cpi 𝑅𝑃 ⟹ +

𝐻 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure 𝐶 𝐻 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.

Theorem:

psPRPs from UCEs

≈ 𝐴1 𝐶

𝐴2

𝑠𝑡

𝑏′

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

𝑏′

𝑅𝑂

𝑅𝑃

Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP.

𝐶 𝑅𝑂 ∼cpi 𝑅𝑃 ⟹ +

𝐻 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure 𝐶 𝐻 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.

Theorem:

From UCEs to psPRPs – Feistel

𝑛

𝑛

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5

𝑌 ∈ {0,1}2𝑛

𝜓5[𝒇]

𝑋 ∈ {0,1}2𝑛

𝑛

𝑛

𝑛

𝑛


impossible

[CPS08]

[HKT11] [DS16] [DSKT16]

#rounds for indifferentiability

???

𝑛

𝑛

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5

𝑌 ∈ {0,1}2𝑛

𝜓5[𝒇]

𝑋 ∈ {0,1}2𝑛

𝑛

𝑛

𝑛

𝑛


impossible

[CPS08]

[HKT11] [DS16] [DSKT16]

#rounds for indifferentiability

???

𝑛

𝑛

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5

𝑌 ∈ {0,1}2𝑛

𝜓5[𝒇]

𝑋 ∈ {0,1}2𝑛

𝑛

𝑛

𝑛

𝑛

psPRPs exist in the standard model if UCEs exist!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

[HKT11] [DS16] [DSKT16]

#rounds for CP-sequential indifferentiability


Theorem: 5-round Feistel (𝜓5[𝒇]) ∼cpi 𝑅𝑃.

[HKT11] [DS16] [DSKT16]


This work!!!


Corollary: 𝑯 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure ⟹ 𝜓5[𝑯] 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.

Theorem: 5-round Feistel (𝜓5[𝒇]) ∼cpi 𝑅𝑃.

[HKT11] [DS16] [DSKT16]


This work!!!


5-round proof is technically involved


Our 5-round Sim:

• Relies on chain completion techniques

• Heavily exploits query ordering

• Very different chain-completion strategy from previous works, no recursion needed

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5 Set

uniform Set

uniform

forceVal forceVal

detect detect


Our 5-round Sim:

impossible

[LR88]

[HKT11] [DS16] [DSKT16]

#rounds of Feistel for psPRP-security

This work!!! Open: Do 4-rounds suffice?

• Relies on chain completion techniques

• Heavily exploits query ordering

• Very different chain-completion strategy from previous works, no recursion needed

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5 Set

uniform Set

uniform

forceVal forceVal

detect detect

???



𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

From Block-ciphers e.g. AES

𝐺𝑒𝑛:

𝜋:


𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

psPRP 𝒮𝑠𝑟𝑠 -secure


Ideal-Cipher model

𝐺𝑒𝑛:

𝜋:


𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)


𝜋

𝑠 ← {0,1}𝑘

From Permutations e.g. the Keccak permutation


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

Ideal-Cipher model

𝐺𝑒𝑛:

𝜋:

𝜋:

𝐺𝑒𝑛:


𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)


psPRP 𝒮𝑠𝑢𝑝 -secure 𝜋

𝑠 ← {0,1}𝑘

From Permutations e.g. the Keccak permutation


𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

Ideal-Cipher model

RP model

𝐺𝑒𝑛:

𝜋:

𝜋:

𝐺𝑒𝑛:

Fast Garbling from psPRPs

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Fast Garbling from psPRPs Fast garbling from [BHKR13]

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎


1 And 𝑥𝑏

0, 𝑥𝑏1


• Only calls fixed-key block cipher

𝑥 → 𝐸(0𝑘 , 𝑥)

• Very fast – no key-schedule

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎


1 And 𝑥𝑏

0, 𝑥𝑏1



𝑥 → 𝐸(0𝑘 , 𝑥)

• Proof in RP model


Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎


1 And 𝑥𝑏

0, 𝑥𝑏1


This work: Replace 𝐸 0𝑘 , 𝑥 by 𝜋𝑠 for a random seed

generated upon garbling.

Fast garbling from [BHKR13]


𝑥 → 𝐸(0𝑘 , 𝑥)



Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎


1 And 𝑥𝑏

0, 𝑥𝑏1


This work: Replace 𝐸 0𝑘 , 𝑥 by 𝜋𝑠 for a random seed

generated upon garbling.

Fast garbling from [BHKR13]


𝑥 → 𝐸(0𝑘 , 𝑥)



Theorem: Secure garbling when 𝜋𝒔 is 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝].

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎


1 And 𝑥𝑏

0, 𝑥𝑏1

Roadmap

1.Definitions


3.Conclusions


Functions (CIH)

Conclusion

psPRPs

Conclusion

First standard model assumptions on permutations

psPRPs

Constructions

Conclusion


psPRPs

Constructions

Conclusion


Applications psPRPs

Many open questions…


• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

psPRPs:




psPRPs:

Public-seed Pseudorandomness - general paradigm:




• Applications of public-seed Ideal Ciphers?

psPRPs:



• Simpler assumptions on permutations?




psPRPs:


Beyond psPRPs:






psPRPs:


Beyond psPRPs:

Is SHA-3 a CRHF under any non-trivial assumption?






psPRPs:


Beyond psPRPs:

Is SHA-3 a CRHF under any non-trivial assumption?

Thank you!

Documents

Public-seed Pseudorandom Permutations · KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked 𝒑𝒔𝑷𝑹𝑷 ... is -secure if ∀ PPT , , left