Public-SeedPseudorandomPermutations

StefanoTessaroUCSB

DIMACSWorkshopNewYork

June8,2017

JointworkwithPratikSoni (UCSB)

Welookatexisting classofcryptographicprimitivesandintroduce/studythefirst“plausible”assumptionsonthem.

Pratik Soni, Stefano Tessaro Public-Seed Pseudorandom Permutations

EUROCRYPT 2017

Cryptographicschemesoftenbuiltfromsimplerbuildingblocks

Isthereauniversal andsimplebuildingblockforefficientsymmetriccryptography?

𝐻

𝐾 ⊕ 𝑖𝑝𝑎𝑑 ||𝑀

𝐾 ⊕ 𝑜𝑝𝑎𝑑

𝐻

hashfunction(e.g.,SHA-3)

𝐸+

𝑀,

𝐼𝑉

𝑀/

𝐸+

𝑀ℓ

blockcipher(e.g.,AES)

Mainmotivation:Singleobjectrequiringoptimizedimplementation!

Recenttrend: = permutation

𝜋0

0𝜋 𝜋

𝑀, 𝑀/ 𝑀3

𝑀

𝑯(𝑀)

efficiently computable and invertible permutation

𝑟

𝑟-bitblocks:

Example.Spongeconstruction(asinSHA-3)[BDPvA]

𝑛 − 𝑟

Severalpermutation-basedconstructions

…

Hashfunctions,authenticatedencryptionschemes,PRNGs,garblingschemes…

Permutationinstantiations

Fixed-keyblockciphers

Ad-hocdesignse.g.,inSHA-3, AE schemes, … Designedtowithstandcryptanalytic

attacks againstconstructionsusingthem!e.g.,nocollisionattack

e.g.,𝜋 ∶ 𝑥 ↦ AES(0,/@, 𝑥)𝐀𝐄𝐒

0,/@Fasterhashfunctions[RS08],fastgarbling[BHKR13]

Permutationsassumptions

Idealgoal: Standard-model reduction!“If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”

e.g., 𝐶 = SHA−3;𝑌 = Anythingnon-trivial𝑋 =? ? ?

Unfortunately: Nostandard-modelproofsknownundernon-tautologicalassumptions!

𝑆Q0

0

𝜋 𝜋 𝜋

Whatsecuritypropertiesdoweexpectfromapermutation?

Securityofpermutation-basedcrypto

Provablesecurity CryptanalysisRandompermutationmodel! Application specificattacks

𝜋 israndom+adversarygivenoracleaccessto𝜋 and 𝜋R,

clearlyunachievable[CGH98]……securityagainstgeneric

attacks!

Insightsarehardtorecyclefornewapplications

Verylittlepermutation-specificcryptanalysis

Example– OWFsfrompermutations

𝑥 𝑦 = 𝜋 𝑥𝜋

Clearly:Cannotbeoneway!

𝜋: {0,1}X → 0,1 X

𝜋R,(𝑦)𝜋R,

So,howdowemakeaone-wayfunctionoutof𝜋?

𝜋𝑥𝑦

𝑧 𝑧

Naïveidea:Truncation 𝑓: 0,1 X → 0,1 X//

Not oneway:∀𝑦: 𝜋R,(𝑦, 𝑧) preimageof𝑧

𝜋𝑥

𝑦

𝑧 𝑧

Bettercandidate:𝑔: 0,1 X// → 0,1 X//

Conjectured one-wayfor𝜋 = SHA-3permutation

0

𝑥

Wanted: Basic(succinct,non-tautological)securitypropertysatisfiedby𝜋 whichimpliesone-wayness of𝑔?

Hashfunctions

Permutations

idealmodel standardmodel

randomoracle

randompermutation

CRHF,OWFs,UOWHFs,CI,UCEs…

Whatkindofcryptographichardnesscanweexpectfromapermutation?

Permutationsvshashfunctions

Thiswork,inanutshell

inspiredbytheUCEframework [BHK13]

First plausible anduseful standard-modelsecurityassumptionforpermutations.

“Public-seedPseudorandomPermutations”(psPRPs)

Twomainquestions:

CanwegetpsPRPs atall?

ArepsPRPsuseful?

psPRPs – LandscapepreviewDeterministic&HedgedPKE

Immunizingbackdoored PRGs

CCA-secureEnc.

…

HardcorefunctionsKDM-securesymmetrickeyEnc.

Point-functionObfuscation

Efficientgarblingfromfixed-keyblock-ciphers

Message-lockedEncryption(MLE)𝐩𝐬𝐏𝐑𝐏𝐩𝐬𝐏𝐑𝐏 𝐔𝐂𝐄

e.g.,Sponges

Feistel

Roadmap

1.Definitions

2.Constructions&Applications

3.Conclusions

Co-related input hashFunctions (CIH)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋R,)

𝐺𝑒𝑛 𝑥 𝜋h 𝑥

𝜋 ∶ 0,1 X → 0,1 X

𝜋h1i 𝑠

Seedgeneration

𝑦 𝜋hR, 𝑦𝜋hR,

Forwardevaluation

Backwardevaluation

(2) ∀𝑥 ∶ 𝜋hR, 𝜋h 𝑥 = 𝑥

(1) 𝜋h ∶ 0,1 X → 0,1 X

Syntax:Seeded permutations

𝐷

𝑠 ← Gen(1i)

𝜋p /𝜋hR,

5

𝜌 ← Perms(𝑛)

𝜌/𝜌R,≈

Stage1:• Oracleaccess• Secretseed

Stage2:• Learnsseed• Nooracleaccess

Secret-seedsecurity:Pseudorandompermutations(PRPs)

Limitedinformation

flow

0/1

𝑓 ← Func(∗, 𝑛) 𝑓𝑠 ← Gen(1i)

ℎh

UCEsecurity

𝑆source

𝐿

𝐻 = (𝐺𝑒𝑛, ℎ)

distinguisher 𝐷

Bellare Hoang Keelveedhi

0/1

𝒔

𝑠 ← Gen(1i)

≈

leakage

𝜌 ← Perms(𝑛) 𝜌/𝜌R,𝑠 ← Gen(1i)

𝜋h/𝜋hR,

psPRP security[Thiswork]

𝑆source

𝐿

distinguisher 𝐷 0/1

𝒔

≈

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋R,)Makesbothforwardandbackwardqueries!

(+, 0X)(+, 0X)

𝜋h/𝜋hR, 𝜌/𝜌R,

𝑆

𝐿 = 𝑦

𝐷

𝒔

𝑦

Outputs1iff𝑦 = 𝜋h 0X

1

1

withprob.1

withprob.1/2X

𝑦

Observation: 𝐩𝐬𝐏𝐑𝐏-securityimpossible againstallPPTsources!

≈

Solution: Restrictclassofconsideredsources!

Definition. 𝑃 𝐩𝐬𝐏𝐑𝐏[𝒮]-secure: ∀𝑆 ∈ 𝒮,∀PPT 𝐷:𝜋h/𝜋hR, ≈ 𝜌/𝜌R,

allsources

𝒮 𝑆

𝐿

𝐷 0/1

𝒔

𝜋h/𝜋hR, 𝜌/𝜌R,

all sources

𝒮h�h𝒮h�� unpredictable

reset-secure

Here:unpredictableandreset-securesources

Bothrestrictionscaptureunpredictabilityofsourcequeries!

𝒮h�� ⊆ 𝒮h�h 𝐩𝐬𝐏𝐑𝐏 𝒮h�h strongerassumptionthan𝐩𝐬𝐏𝐑𝐏 𝒮h��⟹

Sourcerestrictions– unpredictability

𝑆 𝜌/𝜌R,(𝜎�, 𝑥�)

𝑦�𝐿

𝑄′

𝑄 ← 𝑄 ∪ {𝑥�, 𝑦�}

Pr[𝑄� ∩ 𝑄 ≠ 𝜙] = negl(𝜆)

⊆𝒮h��: 𝐴 iscomputationallyunbounded,polyqueries

𝒮���: 𝐴 isPPT iO⟹𝐩𝐬𝐏𝐑𝐏[𝒮���] impossible[BFM14]

𝜎� ∈ {+,−}

Goal:Mustbehardfor𝐴 topredict𝑆’squeriesortheirinverses𝐴

≈

Sourcerestrictions– reset-security

⊆𝒮h�h: 𝑅 iscomputationallyunbounded,polyqueries

𝒮��h: 𝑅 isPPT

𝑆 𝜌/𝜌R,

𝑅

𝐿

𝜌/𝜌R,

0/1 𝜌 ← Perms(𝑛) 𝜌, 𝜌� ← Perms(𝑛)

Fact. 𝒮h�� ⊆ 𝒮h�h

𝑆 𝜌/𝜌R,

𝑅

𝐿

𝜌�/𝜌�R,

0/1

Recap– Definitions

CentralassumptionsinUCEtheory

Equallyuseful?

Roadmap

1.Definitions

2.Constructions&Applications

3.Conclusions

Example– Truncation

𝜋h𝑥

𝑦

𝑧 𝑧

0

𝑥 𝑔h 𝑥 = 𝜋h 𝑥, 0XR� [1. . 𝑘]

Lemma. If𝜋 𝐩𝐬𝐏𝐑𝐏[𝒮h��]-secureand𝑚 +𝜔 log𝜆 ≤

𝑘 ≤ 𝑛 − 𝜔 log𝜆 ,then𝑔 isPRG.

𝑠 ← Gen(1i)𝑥 ← 0,1 XR�

(𝑦, 𝑧) ← 𝜋h(𝑥, 0)𝑏 ← 𝐷(𝑠, 𝑧) 𝑆

𝜋h(𝑥, 0XR�) (𝑦, 𝑧)

𝐷𝑧 𝑏

𝑔h: 0,1 � → 0,1 �

𝒔

Thus,alsoaOWF ...

𝑠 ← Gen(1i)𝑥 ← 0,1 XR�

(𝑦, 𝑧) ← 𝜋h(𝑥, 0)𝑏 ← 𝐷(𝑠, 𝑧)

Proof– Cont’d

𝑆

𝜋h(𝑥, 0XR�) (𝑦, 𝑧)

𝐷𝑧 𝑏

𝒔

𝑆

𝜌(𝑥, 0XR�) (𝑦, 𝑧)

𝑧

𝒔≈𝐷 𝑏

if𝑆 ∈ 𝒮h��

random!

𝑠 ← Gen𝑧 ← 0,1 �

𝑏 ← 𝐷(𝑠, 𝑧)

Proof– Unpredictabilityof𝑆

𝑆

𝜌(𝑥, 0XR�) (𝑦, 𝑧)

𝑧 𝑅 𝑄

𝜌/𝜌R,

Fact. Pr (𝑥, 0XR�), 𝑦, 𝑧 ∩ 𝑄 ≠ 𝜙 ≤ �/�+ �

/ ¡¢

𝑞 = 𝐩𝐨𝐥𝐲(𝑛)queries

NextCanwegetpsPRPs atall?

ArepsPRPsuseful?

Constructionsfrom UCEs

HeuristicInstantiations

ConstructionsofUCEs

DirectapplicationsGarblingfromfixed-key

blockciphersCommondenominator:CP-sequentialindifferentiability

HowtobuildUCEsfrompsPRPs?

𝐻

𝜋h/𝜋hR,

⟹𝑃 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure 𝐻[𝑃] 𝐔𝐂𝐄[𝒮h�h]-secure.Idealtheorem.

𝑀 ∈ 0,1 ∗ 𝐻h(𝑀)

Whatdoes𝐻needtosatisfyforthistobetrue?

𝐻[𝑃]

𝐴 𝐴≈𝐻

0/1

𝑓

Sim

0/1

Indifferentiability [MRH04]

Definition. 𝐻 indiff.fromROif∃ PPT Sim ∀ PPT 𝐴:𝐻+𝜌/𝜌R, ≈ 𝑓+Sim

?𝜌/𝜌R,

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

𝐴, 𝐴,≈

𝐻

0/1

𝑓

Sim

0/1

CP-sequentialindifferentiability

Def. 𝐻 CP-indiff.fromROif∃ PPT Sim ∀ PPT (𝐴,, 𝐴/):𝐻+𝜌/𝜌R, ≈ 𝑓+Sim

𝜌/𝜌R,

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

𝐴/ 𝐴/

𝑠𝑡 𝑠𝑡

FrompsPRPs toUCEs

Similarto[BHK14]. But:• Needsfullindifferentiability

• UCEdomainextension

⟹𝑃 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure

𝐻[𝑃] 𝐔𝐂𝐄[𝒮h�h]-secure.

Theorem.

𝐻 CP-indiff from RO

𝐻

𝜋h/𝜋hR,

Corollary.Everyperm-basedindiff.hash-functiontransformsapsPRP intoaUCE!

𝑆∗ 𝑆∗

FrompsPRPs toUCEs– Proof

𝐻

𝜋h/𝜋hR,

𝑆 𝐷

𝒔 𝐻

𝜌/𝜌R,

𝑆 𝐷

𝒔 𝑓

𝑆 𝐷

𝒔≈ ≈

𝑆 reset-secure𝐻 isCP-indiff from𝑅𝑂

byCP-indiff.by 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-securityif𝑆∗ ∈ 𝒮h�h

𝜌 ← Perms(𝑛) 𝑓 ← Funcs(∗, 𝑛)𝑠 ← Gen(1i)

𝑅∗

𝑅∗

𝑆∗

𝑆∗

ℎ 𝜌/𝜌R,

𝑆 𝑅 𝑆 𝑅

𝑓≈

Sim

𝑆 𝑅

𝑓 Sim

𝑓«

𝑆 𝑅

ℎ

𝜌/𝜌R,

𝜌�/𝜌�R,

cpi

≈cpi

Reset-securityof𝑺∗?

≈𝑆 isreset-secure!

Goodnews#1

Corollary. Everyperm-basedindiff.hash-functiontransformsapsPRP intoaUCE!

Manypracticalhashdesignsfrompermutationsareindifferentiable fromRO!

UCEisameaningfulsecuritytarget–severalapplications!

Examples– Sponges

𝑦

Corollary,𝑃 𝐩𝐬𝐏𝐑𝐏 𝒮h�h -secure⟹ Sponge[𝑃]𝐔𝐂𝐄 𝒮h�h -secure.

Theorem.[BDVP08] Sponge indifferentiable from RO.

𝑀 ∈ {0,1}∗

𝑆Q𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀, 𝑀/ 𝑀®

𝜋h 𝜋h 𝜋h

Validates theSpongeparadigmforUCEapplications!

Goodnews#2– Noneedforfullindifferentiabilitytruncates 𝑛-bitsto𝑟-bits

𝜌𝑛 𝑛 𝑟

Chop

Notindifferentiable!• Forrandom𝑦,get𝑥 =𝜌R,(𝑦)

• Queryconstructionon𝑥,checkconsistencywithfirst𝑟 bitsof𝑦

𝐴Chop

𝜌/𝜌R,𝐴

𝑓

Sim

0/1 0/1

Chop– Cont’d

Theorem.Chop isCP-indiff fromROwhen𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

Corollary. 𝑃 𝐩𝐬𝐏𝐑𝐏 𝒮h�h -secure⟹ Chop[𝑃] 𝐔𝐂𝐄[𝒮h�h]-secure.

𝐔𝐂𝐄 𝒮h��𝐩𝐬𝐏𝐑𝐏 𝒮h��

truncates 𝑛-bitsto𝑟-bits

𝜌𝜋h𝑛 𝑛 𝑟

From Chop 𝑃 toVILUCE:Domainextensiontechniques[BHK14]

Whatabouttheconverse?

psPRPs UCEs

psPRPs fromUCEs

𝐴, 𝐴,

≈𝑃

0/1

𝜌/𝜌R,

Sim

0/1

𝑓𝐴/ 𝐴/

𝑠𝑡 𝑠𝑡

⟹𝐻𝐔𝐂𝐄[𝒮h�h]-secure

𝑃[𝐻] 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure.

Theorem.

𝑃 CP-indiff from RP

FromUCEstopsPRPs – Feistel

impossible[CPS08]

[HKT11][DS16] [DKT16]

#roundsforindifferentiability

???

𝑓, 𝑓/ 𝑓± 𝑓² 𝑓³ 𝑌 ∈ {0,1}/X

𝜓³[𝒇]

𝑋 ∈ {0,1}/X

Corollary. psPRPs exist iff UCEsexist!!!*

*wrt reset-securesources

Corollary.𝑯 𝐔𝐂𝐄 𝒮h�h -secure⟹ 𝜓³[𝑯] 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure.

Theorem. 5-round Feistel is CP-indiff from RP

[HKT11][DS16] [DSKT16]

#roundsforCP-sequentialindifferentiability

Thiswork!!!

Round-complexityofFeistelforUCE-to-psPRP transformation?

5-roundproofisquiteinvolved!

Our5-roundSim:

impossible[LR88]

[HKT11][DS16] [DSKT16]

#roundsofFeistel forpsPRP-security

Thiswork!!!Open:Do4-roundssuffice?

• Reliesonchaincompletiontechniques

• Heavilyexploitsqueryordering

• Verydifferentchain-completionstrategyfrompreviousworks,norecursion needed

𝑓, 𝑓/ 𝑓± 𝑓² 𝑓³

𝑋, 𝑋/ 𝑋± 𝑋² 𝑋³ 𝑋·

𝑋Q 𝑋³Set

uniformSet

uniform

forceVal forceVal

detect detect

???

Acoupleofextraresults!

(Inpassing!)

HeuristicInstantiations

𝐸

𝑠 ← {0,1}�

psPRP 𝒮h�h -secure

psPRP 𝒮h�� -secure𝜋

𝑠 ← {0,1}�

Fromseedless permutations:

Fromblockciphers:

Ideal-ciphermodel

RPmodel

𝐺𝑒𝑛:

𝜋h 𝑥 = 𝐸(𝑠, 𝑥)

𝜋h 𝑥 = 𝑠 ⊕ 𝜋(𝑠 ⊕ 𝑥)

𝐺𝑒𝑛:

FastGarblingfrompsPRPs

Ourvariant:𝐸 0�, 𝑥 ⇒ 𝜋h(𝑥),freshseed𝑠 generateduponeachgarblingoperation!

Garblingschemefrom[BHKR13]• Onlycallsfixed-keyblockcipher

𝑥 → 𝐸(0�, 𝑥)

• ProofinRPmodel

• Veryfast – nokeyre-schedule

Theorem. Secure when𝜋𝒔 is 𝐩𝐬𝐏𝐑𝐏[𝒮h��].

Garbled AND-Gate

𝐸 0X, 𝑥ºQ ⊕ 𝑥»Q ⊕ 𝑥ºQ ⊕ 𝑥»Q ⊕ 𝑥¼Q

𝐸 0X, 𝑥ºQ ⊕ 𝑥», ⊕ 𝑥ºQ ⊕ 𝑥», ⊕ 𝑥¼Q

𝐸 0X, 𝑥º, ⊕ 𝑥»Q ⊕ 𝑥º, ⊕ 𝑥»Q ⊕ 𝑥¼Q

𝐸 0X, 𝑥º, ⊕ 𝑥», ⊕ 𝑥º, ⊕ 𝑥», ⊕ 𝑥¼,

𝑥ºQ,𝑥º,𝑥¼Q,𝑥¼,AND𝑥»Q, 𝑥»,

Roadmap

1.Definitions

2.Constructions&Applications

3.Conclusions

Constructions

Conclusion

First (useful) standardmodelassumptionsonpermutations

ApplicationspsPRPs

(Some)openquestions

BeyondpsPRPs:- Simplerassumptionsonpermutations?

MoreonpsPRPs:- MoreefficientconstructionsfromUCEs?- Weakerassumptions?- Cryptanalysis?

ps-Pseudorandomness asaparadigm:- UCE =psPRF

- ApplicationsofpsX?

IsSHA-3aCRHFunderanynon-trivialassumption?

Thankyou!PaperonePrint reallysoon…

Fornow:http://www.cs.ucsb.edu/~tessaro/papers/SonTes17.pdf