public-seed pseudorandom permutations -...
TRANSCRIPT
Public-SeedPseudorandomPermutations
StefanoTessaroUCSB
DIMACSWorkshopNewYork
June8,2017
JointworkwithPratikSoni (UCSB)
Welookatexisting classofcryptographicprimitivesandintroduce/studythefirst“plausible”assumptionsonthem.
Pratik Soni, Stefano Tessaro Public-Seed Pseudorandom Permutations
EUROCRYPT 2017
Cryptographicschemesoftenbuiltfromsimplerbuildingblocks
Isthereauniversal andsimplebuildingblockforefficientsymmetriccryptography?
𝐻
𝐾 ⊕ 𝑖𝑝𝑎𝑑 ||𝑀
𝐾 ⊕ 𝑜𝑝𝑎𝑑
𝐻
hashfunction(e.g.,SHA-3)
𝐸+
𝑀,
𝐼𝑉
𝑀/
𝐸+
𝑀ℓ
blockcipher(e.g.,AES)
Mainmotivation:Singleobjectrequiringoptimizedimplementation!
Recenttrend: = permutation
𝜋0
0𝜋 𝜋
𝑀, 𝑀/ 𝑀3
𝑀
𝑯(𝑀)
efficiently computable and invertible permutation
𝑟
𝑟-bitblocks:
Example.Spongeconstruction(asinSHA-3)[BDPvA]
𝑛 − 𝑟
Severalpermutation-basedconstructions
…
Hashfunctions,authenticatedencryptionschemes,PRNGs,garblingschemes…
Permutationinstantiations
Fixed-keyblockciphers
Ad-hocdesignse.g.,inSHA-3, AE schemes, … Designedtowithstandcryptanalytic
attacks againstconstructionsusingthem!e.g.,nocollisionattack
e.g.,𝜋 ∶ 𝑥 ↦ AES(0,/@, 𝑥)𝐀𝐄𝐒
0,/@Fasterhashfunctions[RS08],fastgarbling[BHKR13]
Permutationsassumptions
Idealgoal: Standard-model reduction!“If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”
e.g., 𝐶 = SHA−3;𝑌 = Anythingnon-trivial𝑋 =? ? ?
Unfortunately: Nostandard-modelproofsknownundernon-tautologicalassumptions!
𝑆Q0
0
𝜋 𝜋 𝜋
Whatsecuritypropertiesdoweexpectfromapermutation?
Securityofpermutation-basedcrypto
Provablesecurity CryptanalysisRandompermutationmodel! Application specificattacks
𝜋 israndom+adversarygivenoracleaccessto𝜋 and 𝜋R,
clearlyunachievable[CGH98]……securityagainstgeneric
attacks!
Insightsarehardtorecyclefornewapplications
Verylittlepermutation-specificcryptanalysis
Example– OWFsfrompermutations
𝑥 𝑦 = 𝜋 𝑥𝜋
Clearly:Cannotbeoneway!
𝜋: {0,1}X → 0,1 X
𝜋R,(𝑦)𝜋R,
So,howdowemakeaone-wayfunctionoutof𝜋?
𝜋𝑥𝑦
𝑧 𝑧
Naïveidea:Truncation 𝑓: 0,1 X → 0,1 X//
Not oneway:∀𝑦: 𝜋R,(𝑦, 𝑧) preimageof𝑧
𝜋𝑥
𝑦
𝑧 𝑧
Bettercandidate:𝑔: 0,1 X// → 0,1 X//
Conjectured one-wayfor𝜋 = SHA-3permutation
0
𝑥
Wanted: Basic(succinct,non-tautological)securitypropertysatisfiedby𝜋 whichimpliesone-wayness of𝑔?
Hashfunctions
Permutations
idealmodel standardmodel
randomoracle
randompermutation
CRHF,OWFs,UOWHFs,CI,UCEs…
Whatkindofcryptographichardnesscanweexpectfromapermutation?
Permutationsvshashfunctions
Thiswork,inanutshell
inspiredbytheUCEframework [BHK13]
First plausible anduseful standard-modelsecurityassumptionforpermutations.
“Public-seedPseudorandomPermutations”(psPRPs)
Twomainquestions:
CanwegetpsPRPs atall?
ArepsPRPsuseful?
psPRPs – LandscapepreviewDeterministic&HedgedPKE
Immunizingbackdoored PRGs
CCA-secureEnc.
…
HardcorefunctionsKDM-securesymmetrickeyEnc.
Point-functionObfuscation
Efficientgarblingfromfixed-keyblock-ciphers
Message-lockedEncryption(MLE)𝐩𝐬𝐏𝐑𝐏𝐩𝐬𝐏𝐑𝐏 𝐔𝐂𝐄
e.g.,Sponges
Feistel
Roadmap
1.Definitions
2.Constructions&Applications
3.Conclusions
Co-related input hashFunctions (CIH)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋R,)
𝐺𝑒𝑛 𝑥 𝜋h 𝑥
𝜋 ∶ 0,1 X → 0,1 X
𝜋h1i 𝑠
Seedgeneration
𝑦 𝜋hR, 𝑦𝜋hR,
Forwardevaluation
Backwardevaluation
(2) ∀𝑥 ∶ 𝜋hR, 𝜋h 𝑥 = 𝑥
(1) 𝜋h ∶ 0,1 X → 0,1 X
Syntax:Seeded permutations
𝐷
𝑠 ← Gen(1i)
𝜋p /𝜋hR,
5
𝜌 ← Perms(𝑛)
𝜌/𝜌R,≈
Stage1:• Oracleaccess• Secretseed
Stage2:• Learnsseed• Nooracleaccess
Secret-seedsecurity:Pseudorandompermutations(PRPs)
Limitedinformation
flow
0/1
𝑓 ← Func(∗, 𝑛) 𝑓𝑠 ← Gen(1i)
ℎh
UCEsecurity
𝑆source
𝐿
𝐻 = (𝐺𝑒𝑛, ℎ)
distinguisher 𝐷
Bellare Hoang Keelveedhi
0/1
𝒔
𝑠 ← Gen(1i)
≈
leakage
𝜌 ← Perms(𝑛) 𝜌/𝜌R,𝑠 ← Gen(1i)
𝜋h/𝜋hR,
psPRP security[Thiswork]
𝑆source
𝐿
distinguisher 𝐷 0/1
𝒔
≈
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋R,)Makesbothforwardandbackwardqueries!
(+, 0X)(+, 0X)
𝜋h/𝜋hR, 𝜌/𝜌R,
𝑆
𝐿 = 𝑦
𝐷
𝒔
𝑦
Outputs1iff𝑦 = 𝜋h 0X
1
1
withprob.1
withprob.1/2X
𝑦
Observation: 𝐩𝐬𝐏𝐑𝐏-securityimpossible againstallPPTsources!
≈
Solution: Restrictclassofconsideredsources!
Definition. 𝑃 𝐩𝐬𝐏𝐑𝐏[𝒮]-secure: ∀𝑆 ∈ 𝒮,∀PPT 𝐷:𝜋h/𝜋hR, ≈ 𝜌/𝜌R,
allsources
𝒮 𝑆
𝐿
𝐷 0/1
𝒔
𝜋h/𝜋hR, 𝜌/𝜌R,
all sources
𝒮h�h𝒮h�� unpredictable
reset-secure
Here:unpredictableandreset-securesources
Bothrestrictionscaptureunpredictabilityofsourcequeries!
𝒮h�� ⊆ 𝒮h�h 𝐩𝐬𝐏𝐑𝐏 𝒮h�h strongerassumptionthan𝐩𝐬𝐏𝐑𝐏 𝒮h��⟹
Sourcerestrictions– unpredictability
𝑆 𝜌/𝜌R,(𝜎�, 𝑥�)
𝑦�𝐿
𝑄′
𝑄 ← 𝑄 ∪ {𝑥�, 𝑦�}
Pr[𝑄� ∩ 𝑄 ≠ 𝜙] = negl(𝜆)
⊆𝒮h��: 𝐴 iscomputationallyunbounded,polyqueries
𝒮���: 𝐴 isPPT iO⟹𝐩𝐬𝐏𝐑𝐏[𝒮���] impossible[BFM14]
𝜎� ∈ {+,−}
Goal:Mustbehardfor𝐴 topredict𝑆’squeriesortheirinverses𝐴
≈
Sourcerestrictions– reset-security
⊆𝒮h�h: 𝑅 iscomputationallyunbounded,polyqueries
𝒮��h: 𝑅 isPPT
𝑆 𝜌/𝜌R,
𝑅
𝐿
𝜌/𝜌R,
0/1 𝜌 ← Perms(𝑛) 𝜌, 𝜌� ← Perms(𝑛)
Fact. 𝒮h�� ⊆ 𝒮h�h
𝑆 𝜌/𝜌R,
𝑅
𝐿
𝜌�/𝜌�R,
0/1
Recap– Definitions
CentralassumptionsinUCEtheory
Equallyuseful?
Roadmap
1.Definitions
2.Constructions&Applications
3.Conclusions
Example– Truncation
𝜋h𝑥
𝑦
𝑧 𝑧
0
𝑥 𝑔h 𝑥 = 𝜋h 𝑥, 0XR� [1. . 𝑘]
Lemma. If𝜋 𝐩𝐬𝐏𝐑𝐏[𝒮h��]-secureand𝑚 +𝜔 log𝜆 ≤
𝑘 ≤ 𝑛 − 𝜔 log𝜆 ,then𝑔 isPRG.
𝑠 ← Gen(1i)𝑥 ← 0,1 XR�
(𝑦, 𝑧) ← 𝜋h(𝑥, 0)𝑏 ← 𝐷(𝑠, 𝑧) 𝑆
𝜋h(𝑥, 0XR�) (𝑦, 𝑧)
𝐷𝑧 𝑏
𝑔h: 0,1 � → 0,1 �
𝒔
Thus,alsoaOWF ...
𝑠 ← Gen(1i)𝑥 ← 0,1 XR�
(𝑦, 𝑧) ← 𝜋h(𝑥, 0)𝑏 ← 𝐷(𝑠, 𝑧)
Proof– Cont’d
𝑆
𝜋h(𝑥, 0XR�) (𝑦, 𝑧)
𝐷𝑧 𝑏
𝒔
𝑆
𝜌(𝑥, 0XR�) (𝑦, 𝑧)
𝑧
𝒔≈𝐷 𝑏
if𝑆 ∈ 𝒮h��
random!
𝑠 ← Gen𝑧 ← 0,1 �
𝑏 ← 𝐷(𝑠, 𝑧)
Proof– Unpredictabilityof𝑆
𝑆
𝜌(𝑥, 0XR�) (𝑦, 𝑧)
𝑧 𝑅 𝑄
𝜌/𝜌R,
Fact. Pr (𝑥, 0XR�), 𝑦, 𝑧 ∩ 𝑄 ≠ 𝜙 ≤ �/�+ �
/ ¡¢
𝑞 = 𝐩𝐨𝐥𝐲(𝑛)queries
NextCanwegetpsPRPs atall?
ArepsPRPsuseful?
Constructionsfrom UCEs
HeuristicInstantiations
ConstructionsofUCEs
DirectapplicationsGarblingfromfixed-key
blockciphersCommondenominator:CP-sequentialindifferentiability
HowtobuildUCEsfrompsPRPs?
𝐻
𝜋h/𝜋hR,
⟹𝑃 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure 𝐻[𝑃] 𝐔𝐂𝐄[𝒮h�h]-secure.Idealtheorem.
𝑀 ∈ 0,1 ∗ 𝐻h(𝑀)
Whatdoes𝐻needtosatisfyforthistobetrue?
𝐻[𝑃]
𝐴 𝐴≈𝐻
0/1
𝑓
Sim
0/1
Indifferentiability [MRH04]
Definition. 𝐻 indiff.fromROif∃ PPT Sim ∀ PPT 𝐴:𝐻+𝜌/𝜌R, ≈ 𝑓+Sim
?𝜌/𝜌R,
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
𝐴, 𝐴,≈
𝐻
0/1
𝑓
Sim
0/1
CP-sequentialindifferentiability
Def. 𝐻 CP-indiff.fromROif∃ PPT Sim ∀ PPT (𝐴,, 𝐴/):𝐻+𝜌/𝜌R, ≈ 𝑓+Sim
𝜌/𝜌R,
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
𝐴/ 𝐴/
𝑠𝑡 𝑠𝑡
FrompsPRPs toUCEs
Similarto[BHK14]. But:• Needsfullindifferentiability
• UCEdomainextension
⟹𝑃 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure
𝐻[𝑃] 𝐔𝐂𝐄[𝒮h�h]-secure.
Theorem.
𝐻 CP-indiff from RO
𝐻
𝜋h/𝜋hR,
Corollary.Everyperm-basedindiff.hash-functiontransformsapsPRP intoaUCE!
𝑆∗ 𝑆∗
FrompsPRPs toUCEs– Proof
𝐻
𝜋h/𝜋hR,
𝑆 𝐷
𝒔 𝐻
𝜌/𝜌R,
𝑆 𝐷
𝒔 𝑓
𝑆 𝐷
𝒔≈ ≈
𝑆 reset-secure𝐻 isCP-indiff from𝑅𝑂
byCP-indiff.by 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-securityif𝑆∗ ∈ 𝒮h�h
𝜌 ← Perms(𝑛) 𝑓 ← Funcs(∗, 𝑛)𝑠 ← Gen(1i)
𝑅∗
𝑅∗
𝑆∗
𝑆∗
ℎ 𝜌/𝜌R,
𝑆 𝑅 𝑆 𝑅
𝑓≈
Sim
𝑆 𝑅
𝑓 Sim
𝑓«
𝑆 𝑅
ℎ
𝜌/𝜌R,
𝜌�/𝜌�R,
cpi
≈cpi
Reset-securityof𝑺∗?
≈𝑆 isreset-secure!
Goodnews#1
Corollary. Everyperm-basedindiff.hash-functiontransformsapsPRP intoaUCE!
Manypracticalhashdesignsfrompermutationsareindifferentiable fromRO!
UCEisameaningfulsecuritytarget–severalapplications!
Examples– Sponges
𝑦
Corollary,𝑃 𝐩𝐬𝐏𝐑𝐏 𝒮h�h -secure⟹ Sponge[𝑃]𝐔𝐂𝐄 𝒮h�h -secure.
Theorem.[BDVP08] Sponge indifferentiable from RO.
𝑀 ∈ {0,1}∗
𝑆Q𝑟
n − 𝑟
0
0
𝜌
𝑟
𝜌 𝜌
𝑀, 𝑀/ 𝑀®
𝜋h 𝜋h 𝜋h
Validates theSpongeparadigmforUCEapplications!
Goodnews#2– Noneedforfullindifferentiabilitytruncates 𝑛-bitsto𝑟-bits
𝜌𝑛 𝑛 𝑟
Chop
Notindifferentiable!• Forrandom𝑦,get𝑥 =𝜌R,(𝑦)
• Queryconstructionon𝑥,checkconsistencywithfirst𝑟 bitsof𝑦
𝐴Chop
𝜌/𝜌R,𝐴
𝑓
Sim
0/1 0/1
Chop– Cont’d
Theorem.Chop isCP-indiff fromROwhen𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
Corollary. 𝑃 𝐩𝐬𝐏𝐑𝐏 𝒮h�h -secure⟹ Chop[𝑃] 𝐔𝐂𝐄[𝒮h�h]-secure.
𝐔𝐂𝐄 𝒮h��𝐩𝐬𝐏𝐑𝐏 𝒮h��
truncates 𝑛-bitsto𝑟-bits
𝜌𝜋h𝑛 𝑛 𝑟
From Chop 𝑃 toVILUCE:Domainextensiontechniques[BHK14]
Whatabouttheconverse?
psPRPs UCEs
psPRPs fromUCEs
𝐴, 𝐴,
≈𝑃
0/1
𝜌/𝜌R,
Sim
0/1
𝑓𝐴/ 𝐴/
𝑠𝑡 𝑠𝑡
⟹𝐻𝐔𝐂𝐄[𝒮h�h]-secure
𝑃[𝐻] 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure.
Theorem.
𝑃 CP-indiff from RP
FromUCEstopsPRPs – Feistel
impossible[CPS08]
[HKT11][DS16] [DKT16]
#roundsforindifferentiability
???
𝑓, 𝑓/ 𝑓± 𝑓² 𝑓³ 𝑌 ∈ {0,1}/X
𝜓³[𝒇]
𝑋 ∈ {0,1}/X
Corollary. psPRPs exist iff UCEsexist!!!*
*wrt reset-securesources
Corollary.𝑯 𝐔𝐂𝐄 𝒮h�h -secure⟹ 𝜓³[𝑯] 𝐩𝐬𝐏𝐑𝐏[𝒮h�h]-secure.
Theorem. 5-round Feistel is CP-indiff from RP
[HKT11][DS16] [DSKT16]
#roundsforCP-sequentialindifferentiability
Thiswork!!!
Round-complexityofFeistelforUCE-to-psPRP transformation?
5-roundproofisquiteinvolved!
Our5-roundSim:
impossible[LR88]
[HKT11][DS16] [DSKT16]
#roundsofFeistel forpsPRP-security
Thiswork!!!Open:Do4-roundssuffice?
• Reliesonchaincompletiontechniques
• Heavilyexploitsqueryordering
• Verydifferentchain-completionstrategyfrompreviousworks,norecursion needed
𝑓, 𝑓/ 𝑓± 𝑓² 𝑓³
𝑋, 𝑋/ 𝑋± 𝑋² 𝑋³ 𝑋·
𝑋Q 𝑋³Set
uniformSet
uniform
forceVal forceVal
detect detect
???
Acoupleofextraresults!
(Inpassing!)
HeuristicInstantiations
𝐸
𝑠 ← {0,1}�
psPRP 𝒮h�h -secure
psPRP 𝒮h�� -secure𝜋
𝑠 ← {0,1}�
Fromseedless permutations:
Fromblockciphers:
Ideal-ciphermodel
RPmodel
𝐺𝑒𝑛:
𝜋h 𝑥 = 𝐸(𝑠, 𝑥)
𝜋h 𝑥 = 𝑠 ⊕ 𝜋(𝑠 ⊕ 𝑥)
𝐺𝑒𝑛:
FastGarblingfrompsPRPs
Ourvariant:𝐸 0�, 𝑥 ⇒ 𝜋h(𝑥),freshseed𝑠 generateduponeachgarblingoperation!
Garblingschemefrom[BHKR13]• Onlycallsfixed-keyblockcipher
𝑥 → 𝐸(0�, 𝑥)
• ProofinRPmodel
• Veryfast – nokeyre-schedule
Theorem. Secure when𝜋𝒔 is 𝐩𝐬𝐏𝐑𝐏[𝒮h��].
Garbled AND-Gate
𝐸 0X, 𝑥ºQ ⊕ 𝑥»Q ⊕ 𝑥ºQ ⊕ 𝑥»Q ⊕ 𝑥¼Q
𝐸 0X, 𝑥ºQ ⊕ 𝑥», ⊕ 𝑥ºQ ⊕ 𝑥», ⊕ 𝑥¼Q
𝐸 0X, 𝑥º, ⊕ 𝑥»Q ⊕ 𝑥º, ⊕ 𝑥»Q ⊕ 𝑥¼Q
𝐸 0X, 𝑥º, ⊕ 𝑥», ⊕ 𝑥º, ⊕ 𝑥», ⊕ 𝑥¼,
𝑥ºQ,𝑥º,𝑥¼Q,𝑥¼,AND𝑥»Q, 𝑥»,
Roadmap
1.Definitions
2.Constructions&Applications
3.Conclusions
Constructions
Conclusion
First (useful) standardmodelassumptionsonpermutations
ApplicationspsPRPs
(Some)openquestions
BeyondpsPRPs:- Simplerassumptionsonpermutations?
MoreonpsPRPs:- MoreefficientconstructionsfromUCEs?- Weakerassumptions?- Cryptanalysis?
ps-Pseudorandomness asaparadigm:- UCE =psPRF
- ApplicationsofpsX?
IsSHA-3aCRHFunderanynon-trivialassumption?
Thankyou!PaperonePrint reallysoon…
Fornow:http://www.cs.ucsb.edu/~tessaro/papers/SonTes17.pdf