Public-Seed Pseudorandom Permutations
Stefano Tessaro (UCSB)
DIMACS Workshop, New York
June 8, 2017
Joint work with Pratik Soni (UCSB)
We look at an existing class of cryptographic primitives and introduce and study the first "plausible" assumptions on them.
Pratik Soni, Stefano Tessaro. Public-Seed Pseudorandom Permutations. EUROCRYPT 2017.
Cryptographic schemes are often built from simpler building blocks.
Is there a universal and simple building block for efficient symmetric cryptography?
[Figure: two candidate building blocks, a hash function H (e.g., SHA-3) and a block cipher E (e.g., AES)]
Main motivation: a single object requiring an optimized implementation!
Recent trend: building block = permutation.
[Figure: a permutation π on n-bit blocks]
π: an efficiently computable and invertible permutation on n-bit blocks.
Example. Sponge construction (as in SHA-3) [BDPvA].
Several permutation-based constructions: hash functions, authenticated encryption schemes, PRNGs, garbling schemes, ...
Permutation instantiations
- Fixed-key block ciphers, e.g., π: x ↦ AES(0^128, x). Faster hash functions [RS08], fast garbling [BHKR13].
- Ad-hoc designs, e.g., in SHA-3, AE schemes, ... Designed to withstand cryptanalytic attacks against the constructions using them! E.g., no collision attack.
Permutation assumptions
Ideal goal: a standard-model reduction! "If π satisfies P then C[π] satisfies Q."
E.g., C = SHA-3; Q = anything non-trivial; P = ???
Unfortunately: no standard-model proofs known under non-tautological assumptions!
What security properties do we expect from a permutation?

Security of permutation-based crypto
Provable security: the random permutation model! π is random, and the adversary is given oracle access to π and π^{-1}. Clearly unachievable [CGH98] ... this only gives security against generic attacks!
Cryptanalysis: application-specific attacks. Insights are hard to recycle for new applications. Very little permutation-specific cryptanalysis.
Example: OWFs from permutations
π: {0,1}^n → {0,1}^n. Clearly, π itself cannot be one-way: given y = π(x), anyone can compute π^{-1}(y) = x.
So, how do we make a one-way function out of π?
Naive idea: truncation. f: {0,1}^n → {0,1}^{n/2}, where π(x) = (y, z) and f(x) = z.
Not one-way: for any y, π^{-1}(y, z) is a preimage of z.
Better candidate: f: {0,1}^{n/2} → {0,1}^{n/2}, where π(x, 0^{n/2}) = (y, z) and f(x) = z. Conjectured one-way for π = the SHA-3 permutation.
Wanted: a basic (succinct, non-tautological) security property satisfied by π which implies one-wayness of f.
Permutations vs hash functions

                   ideal model           standard model
  Hash functions   random oracle         CRHF, OWFs, UOWHFs, CI, UCEs, ...
  Permutations     random permutation    ???

What kind of cryptographic hardness can we expect from a permutation?
This work, in a nutshell
Inspired by the UCE framework [BHK13]: the first plausible and useful standard-model security assumption for permutations, "Public-seed Pseudorandom Permutations" (psPRPs).
Two main questions:
- Can we get psPRPs at all?
- Are psPRPs useful?
psPRPs: landscape preview
psPRP ⇔ UCE (psPRP → UCE e.g. via Sponges; UCE → psPRP via Feistel)
Applications: deterministic & hedged PKE; immunizing backdoored PRGs; CCA-secure encryption; hardcore functions; KDM-secure symmetric-key encryption; point-function obfuscation; efficient garbling from fixed-key block ciphers; message-locked encryption (MLE); ...
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions
(Also in the landscape preview: correlated-input hash functions (CIH).)
Syntax: seeded permutations
π = (Gen, π, π^{-1})
- Seed generation: s ← Gen(1^λ)
- Forward evaluation: y = π_s(x)
- Backward evaluation: x = π_s^{-1}(y)
Requirements: (1) π_s: {0,1}^n → {0,1}^n; (2) ∀x: π_s^{-1}(π_s(x)) = x.
Secret-seed security: pseudorandom permutations (PRPs)
A distinguisher D gets oracle access to either π_s/π_s^{-1} (s ← Gen(1^λ)) or ρ/ρ^{-1} (ρ ← Perms(n)) and outputs 0/1.
Two stages, with limited information flow between them:
- Stage 1: oracle access, secret seed.
- Stage 2: learns the seed, no oracle access.
UCE security [BHK13] (Bellare, Hoang, Keelveedhi)
H = (Gen, H). A source S gets oracle access to either H_s (s ← Gen(1^λ)) or ρ ← Func(*, n) and outputs leakage L; a distinguisher D receives the seed s and L (but no oracle) and outputs 0/1.
psPRP security [this work]
π = (Gen, π, π^{-1}). As in UCE, but the source S gets oracle access to either π_s/π_s^{-1} (s ← Gen(1^λ)) or ρ/ρ^{-1} (ρ ← Perms(n)), i.e. it makes both forward and backward queries! S outputs leakage L; D receives s and L and outputs 0/1.

Example: S queries (+, 0^n), receives y, and leaks L = y. D outputs 1 iff y = π_s(0^n): with probability 1 in the real world, with probability 1/2^n in the ideal world.
Observation: psPRP security is impossible against all PPT sources!
Solution: restrict the class of considered sources!
Definition. π is psPRP[𝒮]-secure if for all sources S ∈ 𝒮 and all PPT D, the output of D when S talks to π_s/π_s^{-1} is indistinguishable from its output when S talks to ρ/ρ^{-1}.
Source restrictions
all sources ⊃ reset-secure sources (𝒮^srs) ⊃ unpredictable sources (𝒮^sup)
Here: unpredictable and reset-secure sources. Both restrictions capture unpredictability of the source's queries!
𝒮^sup ⊆ 𝒮^srs, so psPRP[𝒮^srs] is a stronger assumption than psPRP[𝒮^sup].
Source restrictions: unpredictability
The source S makes queries (δ_i, x_i) with δ_i ∈ {+, −} to ρ/ρ^{-1} and receives y_i; the set Q ← Q ∪ {x_i, y_i} collects all queried points and answers. S outputs leakage L. A predictor P receives L and outputs a set Q' of guesses.
Goal: it must be hard for P to predict S's queries or their inverses, i.e. Pr[Q' ∩ Q ≠ ∅] = negl(λ).
- 𝒮^sup: P is computationally unbounded, polynomially many guesses.
- 𝒮^cup: P is PPT. iO ⇒ psPRP[𝒮^cup] impossible [BFM14].
Source restrictions: reset-security
The source S gets oracle access to ρ/ρ^{-1} for ρ ← Perms(n) and outputs leakage L. A reset adversary R receives L and oracle access to either the same ρ/ρ^{-1} or a fresh ρ'/ρ'^{-1} (ρ' ← Perms(n)), and outputs 0/1; S is reset-secure if R cannot tell the two cases apart.
- 𝒮^srs: R is computationally unbounded, poly queries.
- 𝒮^crs: R is PPT.
Fact. 𝒮^sup ⊆ 𝒮^srs.
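As an added example (not code from the slides or the paper), the two-stage psPRP game and the reset-security game above, simulated on a constructed toy family: n = 8, and π_s is a PRNG-keyed shuffle of {0,1}^8. The trivial source from the impossibility slide (query (+, 0^n), leak y) lets a seed-holding distinguisher win with probability 1 versus about 1/2^n, and the same leak lets a reset adversary tell the same ρ from a fresh ρ', so that source is outside 𝒮^srs; all function names are this example's own.

```python
import random

N_BITS, DOMAIN = 8, 1 << 8   # constructed toy block size n = 8: 2^n = 256 points

def _tables(fwd):
    """Forward table -> (forward, backward) tables, so (+) and (-) queries are both served."""
    bwd = [0] * DOMAIN
    for x, y in enumerate(fwd):
        bwd[y] = x
    return fwd, bwd

def seeded_perm_tables(s):
    """pi_s: shuffle [0, 2^n) with a PRNG keyed by the seed s (toy seeded family)."""
    fwd = list(range(DOMAIN))
    random.Random(s).shuffle(fwd)
    return _tables(fwd)

def random_perm_tables(rng):
    """rho <- Perms(n): an independent uniform permutation for the ideal world."""
    fwd = list(range(DOMAIN))
    rng.shuffle(fwd)
    return _tables(fwd)

def oracle_for(tabs):
    return lambda direction, v: tabs[0][v] if direction == "+" else tabs[1][v]

def trivial_source(oracle):
    """S from the slide: one query (+, 0^n), leak L = y. S never sees the seed."""
    return oracle("+", 0)

def trivial_distinguisher(s, leak):
    """D: gets the seed but no oracle; outputs 1 iff the leak equals pi_s(0^n)."""
    return 1 if leak == seeded_perm_tables(s)[0][0] else 0

def psprp_game(source, dist, real, rng):
    s = rng.getrandbits(64)                                            # s <- Gen(1^lambda)
    tabs = seeded_perm_tables(s) if real else random_perm_tables(rng)  # pi_s or rho
    return dist(s, source(oracle_for(tabs)))

def trivial_reset_adv(leak, oracle):
    """R: with L = y, ask (-, y); the answer is 0^n only if this is the same rho."""
    return 1 if oracle("-", leak) == 0 else 0

def reset_game(source, reset_adv, same, rng):
    tabs = random_perm_tables(rng)                       # rho <- Perms(n)
    leak = source(oracle_for(tabs))
    tabs2 = tabs if same else random_perm_tables(rng)    # same rho, or fresh rho'
    return reset_adv(leak, oracle_for(tabs2))

def estimate(play, trials=2000, seed=7):
    """Pr[output = 1] in the (real/same, ideal/fresh) worlds from a fixed-seed run."""
    rng = random.Random(seed)
    return tuple(sum(play(w, rng) for _ in range(trials)) / trials for w in (True, False))
```

Calling estimate(lambda w, r: psprp_game(trivial_source, trivial_distinguisher, w, r)) gives (1.0, about 0.004), and the reset game with trivial_reset_adv gives the same picture.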
Recap: definitions
The analogous source classes are the central assumptions in UCE theory. Equally useful here?

Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions
Example: truncation
For x ∈ {0,1}^m, f_s(x) = π_s(x ∥ 0^{n−m})[1..r], i.e. the first r bits of π_s applied to x padded with zeros; f_s: {0,1}^m → {0,1}^r.
Lemma. If π is psPRP[𝒮^sup]-secure and m + ω(log λ) ≤ r ≤ n − ω(log λ), then f is a PRG.
Proof. The real world is: s ← Gen(1^λ); x ← {0,1}^m; (y, z) ← π_s(x ∥ 0^{n−m}), where z are the first r bits; b ← D(s, z).
Thus f is also a OWF ...
Proof, cont'd
The experiment s ← Gen(1^λ); x ← {0,1}^m; (y, z) ← π_s(x ∥ 0^{n−m}); b ← D(s, z) is exactly the real psPRP game for a source S that queries π_s on (x, 0^{n−m}) and leaks z, followed by the distinguisher D. If S ∈ 𝒮^sup, psPRP[𝒮^sup]-security lets us replace π_s by a random ρ ← Perms(n): (y, z) ← ρ(x ∥ 0^{n−m}), and then z is random! So the experiment is indistinguishable from s ← Gen; z ← {0,1}^r; b ← D(s, z).
Proof: unpredictability of S
S queries ρ/ρ^{-1} once, on (x, 0^{n−m}), obtaining (y, z), and leaks z; so Q = {(x, 0^{n−m}), (y, z)}.
Fact. For a predictor making q = poly(λ) guesses, Pr[Q' ∩ Q ≠ ∅] ≤ q/2^m + q/2^{n−r}.
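As an added example (not from the slides or the paper), the naive and zero-padded truncations of the OWF slide and the seeded truncation f_s of the lemma, on a constructed 64-bit Feistel permutation standing in for π (the seeded form s ⊕ π(s ⊕ x) is the heuristic instantiation the slides list later); it shows concretely why π^{-1} inverts the naive truncation but not the padded one. All function names are this example's own.

```python
import hashlib

# Constructed toy public permutation on n = 64-bit blocks (4-round Feistel with a
# SHA-256 round function): it stands in for pi, it is NOT the SHA-3 permutation.
N, HALF = 64, 32
MASK32 = (1 << HALF) - 1

def _round(i, half):
    digest = hashlib.sha256(bytes([i]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")

def perm(x):
    l, r = x >> HALF, x & MASK32
    for i in range(4):
        l, r = r, l ^ _round(i, r)
    return (l << HALF) | r

def perm_inv(y):
    l, r = y >> HALF, y & MASK32
    for i in reversed(range(4)):
        l, r = r ^ _round(i, l), l
    return (l << HALF) | r

def f_naive(x):
    """Naive truncation f: {0,1}^n -> {0,1}^{n/2}: keep the first (high) half z of pi(x)."""
    return perm(x) >> HALF

def preimage_naive(z, y):
    """Not one-way: for ANY y, pi^{-1}(z || y) is a preimage of z under f_naive."""
    return perm_inv((z << HALF) | y)

def f_padded(x):
    """Better candidate f: {0,1}^{n/2} -> {0,1}^{n/2}: first half of pi(x || 0^{n/2})."""
    return perm(x << HALF) >> HALF

def preimage_padded_attempt(z, y):
    """Same trick against f_padded: pi^{-1}(z || y) is a valid input only if its
    padding half is all zero, which for a random y happens with prob. 2^{-n/2}."""
    cand = perm_inv((z << HALF) | y)
    return cand >> HALF if cand & MASK32 == 0 else None

def seeded_perm(s, x):
    """pi_s(x) = s xor pi(s xor x): the seeded permutation the slides build from a
    seedless permutation (heuristic instantiation, n-bit seed s)."""
    return s ^ perm(s ^ x)

def trunc_prg(s, x, m, r):
    """f_s(x) = pi_s(x || 0^{n-m})[1..r] from the truncation lemma: m-bit x, r-bit output."""
    assert 0 < m <= r <= N and 0 <= x < (1 << m)
    return seeded_perm(s, x << (N - m)) >> (N - r)
```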
Next: Can we get psPRPs at all? Are psPRPs useful?
- Constructions from UCEs
- Constructions of UCEs
- Heuristic instantiations
- Direct applications: garbling from fixed-key block ciphers
Common denominator: CP-sequential indifferentiability.

How to build UCEs from psPRPs?
A hash function H[π] built from π_s/π_s^{-1}: M ∈ {0,1}^* ↦ H_s(M).
Ideal theorem: π psPRP[𝒮^srs]-secure ⇒ H[π] UCE[𝒮^srs]-secure.
What does H need to satisfy for this to be true?
Indifferentiability [MRH04]
Definition. H is indifferentiable from a RO if ∃ PPT Sim ∀ PPT A: (H^π, π/π^{-1}) ≈ (ρ, Sim^ρ), where π ← Perms(n) and ρ ← Funcs(*, n).
[Figure: A queries either the construction H^π together with π/π^{-1}, or the random oracle ρ together with the simulator Sim (which has access to ρ), and outputs 0/1]
CP-sequential indifferentiability
Def. H is CP-indifferentiable from a RO if ∃ PPT Sim ∀ PPT (A1, A2): (H^π, π/π^{-1}) ≈ (ρ, Sim^ρ), where π ← Perms(n), ρ ← Funcs(*, n), and the adversary is sequential: A1 first queries only the construction, then passes its state to A2, which queries only the primitive (π/π^{-1} or Sim).
From psPRPs to UCEs
Theorem. If H is CP-indifferentiable from a RO, then π psPRP[𝒮^srs]-secure ⇒ H[π] UCE[𝒮^srs]-secure.
Similar to [BHK14]. But [BHK14]:
- needs full indifferentiability
- needs UCE domain extension
Corollary. Every permutation-based indifferentiable hash function transforms a psPRP into a UCE!
From psPRPs to UCEs: proof
Start from a UCE source S and distinguisher D against H[π], where S queries H_s and H_s is computed from π_s/π_s^{-1} (s ← Gen(1^λ)).
1. Build the psPRP source S̄: it runs S and answers S's H queries by evaluating H with its own π_s/π_s^{-1} oracle; D is unchanged. This is the real psPRP game for (S̄, D).
2. By psPRP[𝒮^srs]-security (if S̄ ∈ 𝒮^srs), replace π_s/π_s^{-1} by ρ/ρ^{-1}, ρ ← Perms(n): now S effectively queries H^ρ.
3. By CP-indifferentiability, replace (H^ρ, ρ/ρ^{-1}) by (R, Sim^R) with R ← Funcs(*, n): S now queries a random oracle, which is the ideal UCE game.
Reset-security of S̄? It follows from the reset-security of S together with the CP-indifferentiability of H: the reset adversary against S̄ makes its primitive queries only after all of S's construction queries, so the sequential simulator applies.
Good news #1
Corollary. Every permutation-based indifferentiable hash function transforms a psPRP into a UCE!
Many practical hash designs from permutations are indifferentiable from a RO!
UCE is a meaningful security target: several applications!
Examples: Sponges
[Figure: Sponge[π_s] absorbing the blocks M_1, M_2, ..., M_ℓ of M ∈ {0,1}^* starting from an all-zero state, with π_s applied between blocks]
Theorem [BDPvA08]. The Sponge is indifferentiable from a RO.
Corollary. π psPRP[𝒮^srs]-secure ⇒ Sponge[π] UCE[𝒮^srs]-secure.
This validates the Sponge paradigm for UCE applications!
Good news #2: no need for full indifferentiability
Chop[π]: truncates the n-bit output of π to r bits.
Chop is not indifferentiable!
- For random y, get x = π^{-1}(y).
- Query the construction on x and check consistency with the first r bits of y (a simulator cannot answer the inverse query consistently).
[Figure: distinguisher A with access to Chop and π/π^{-1}, or to a RO and Sim]

Chop, cont'd
Theorem. Chop is CP-indifferentiable from a RO when n − r ≥ ω(log λ).
Corollary. π psPRP[𝒮^srs]-secure ⇒ Chop[π] UCE[𝒮^srs]-secure (and likewise with 𝒮^sup in place of 𝒮^srs).
From Chop[π] to a VIL UCE: domain-extension techniques [BHK14].
What about the converse? psPRPs from UCEs
Theorem. If a construction C[H] is CP-indifferentiable from a RP, then H UCE[𝒮^srs]-secure ⇒ C[H] psPRP[𝒮^srs]-secure.
[Figure: sequential adversary (A1, A2) with access to C^H and H, or to a random permutation ρ/ρ^{-1} and Sim]
From UCEs to psPRPs: Feistel
Ψ^5[F]: the 5-round Feistel network with round functions F_1, ..., F_5 on inputs M ∈ {0,1}^{2n}.
Number of rounds for (full) indifferentiability: impossible for too few rounds [CPS08]; positive results [HKT11] [DS16] [DKT16]; the exact number is still ???
Number of rounds for CP-sequential indifferentiability: this work!!!
Theorem. The 5-round Feistel is CP-indifferentiable from a RP.
Corollary. H UCE[𝒮^srs]-secure ⇒ Ψ^5[H] psPRP[𝒮^srs]-secure.
Corollary. psPRPs exist iff UCEs exist!!!* (*w.r.t. reset-secure sources)
Round complexity of Feistel for the UCE-to-psPRP transformation? Number of rounds for psPRP-security: impossible for too few rounds [LR88]; 5 rounds: this work!!! Open: do 4 rounds suffice?
The 5-round proof is quite involved! Our 5-round simulator:
- relies on chain-completion techniques
- heavily exploits query ordering
- uses a very different chain-completion strategy from previous works; no recursion needed
[Figure: the simulator's chain completion across F_1, ..., F_5: detect a chain, set uniform values, forceVal to complete it]
A couple of extra results (in passing!)
Heuristic instantiations
- From block ciphers (ideal-cipher model): Gen samples a uniform key s; π_s(x) = E(s, x). psPRP[𝒮^srs]-secure.
- From seedless permutations (RP model): Gen samples s ← {0,1}^n; π_s(x) = s ⊕ π(s ⊕ x). psPRP[𝒮^sup]-secure.
Fast garbling from psPRPs
Garbling scheme from [BHKR13]:
- only calls a fixed-key block cipher, x ↦ E(0^n, x)
- proof in the RP model
- very fast: no key re-schedule
Our variant: replace E(0^n, x) by π_s(x), with a fresh seed s generated upon each garbling operation!
Theorem. Secure when π is psPRP[𝒮^sup]-secure.
Garbled AND gate (input wire labels x_a^0, x_a^1 and x_b^0, x_b^1; output wire labels x_c^0, x_c^1), one row per input combination:
E(0^n, x_a^0 ⊕ x_b^0) ⊕ x_a^0 ⊕ x_b^0 ⊕ x_c^0
E(0^n, x_a^0 ⊕ x_b^1) ⊕ x_a^0 ⊕ x_b^1 ⊕ x_c^0
E(0^n, x_a^1 ⊕ x_b^0) ⊕ x_a^1 ⊕ x_b^0 ⊕ x_c^0
E(0^n, x_a^1 ⊕ x_b^1) ⊕ x_a^1 ⊕ x_b^1 ⊕ x_c^1
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions

Conclusion
First (useful) standard-model assumptions on permutations: psPRPs. Constructions. Applications.
(Some) open questions
Beyond psPRPs:
- Simpler assumptions on permutations?
More on psPRPs:
- More efficient constructions from UCEs?
- Weaker assumptions?
- Cryptanalysis?
ps-pseudorandomness as a paradigm:
- UCE = psPRF
- Applications of psX?
Is SHA-3 a CRHF under any non-trivial assumption?
Thank you! Paper on ePrint really soon...
For now: http://www.cs.ucsb.edu/~tessaro/papers/SonTes17.pdf