public-seed pseudorandom permutations · kdm-secure symmetric key enc. (kdm) point function...

Public-seed Pseudorandom Permutations

Pratik Soni Stefano Tessaro

UC Santa Barbara UC Santa Barbara

EUROCRYPT 2017

Cryptographic schemes often built from generic building blocks

Cryptographic schemes often built from generic building blocks

Typically: Block ciphers, hash/compression functions!

𝐻

𝐾 ⊕ 𝑖𝑝𝑎𝑑 || 𝑀

𝐾 ⊕ 𝑜𝑝𝑎𝑑

𝐻

hash function (e.g., SHA-3)

𝐸𝐾

𝑀1

𝐼𝑉

𝑀2

𝐸𝐾

𝑀ℓ

block cipher (e.g., AES)

Cryptographic schemes often built from generic building blocks

Typically: Block ciphers, hash/compression functions!

Is there a universal and simple building block for efficient symmetric cryptography?

𝐻

𝐾 ⊕ 𝑖𝑝𝑎𝑑 || 𝑀

𝐾 ⊕ 𝑜𝑝𝑎𝑑

𝐻

hash function (e.g., SHA-3)

𝐸𝐾

𝑀1

𝐼𝑉

𝑀2

𝐸𝐾

𝑀ℓ

block cipher (e.g., AES)

Recent trend: Start from seedless permutation

Recent trend: Start from seedless permutation

Recent trend: Start from seedless permutation

Sponge paradigm

Recent trend: Start from seedless permutation

Sponge paradigm

Recent trend: Start from seedless permutation

…

Sponge paradigm

Here: 𝜋 is an efficiently computable and invertible one-to-one function

Recent trend: Start from seedless permutation

…

Sponge paradigm

Permutations

“… it would be nice, now, if permutations can be called

the Swiss Army Knife [of cryptography]” — Joan Daemen, Passwords^12

Hashing Garbling

PRNGs Authenticated Encryption

MACs KDFs

Typical instantiations

Typical instantiations

Ad-hoc construction

e.g., in KECCAK, NORX, …

Designed to withstand cryptanalysis

Typical instantiations

Fixed-key block ciphers

Ad-hoc construction

e.g., in KECCAK, NORX, …

Designed to withstand cryptanalysis

e.g., 𝜋 ∶ 𝑥 → AES(0128, 𝑥) 𝐴𝐸𝑆

0128

Typical instantiations

Fixed-key block ciphers

Ad-hoc construction

e.g., in KECCAK, NORX, …

Designed to withstand cryptanalysis

e.g., 𝜋 ∶ 𝑥 → AES(0128, 𝑥)

Faster, no re-keying costs!

𝐴𝐸𝑆

0128

Faster Hash functions [RS08], fast garbling [BHKR13]

Permutations assumptions

Permutations are great in practice, but what about theory?

Permutations assumptions

Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”

Permutations are great in practice, but what about theory?

𝑆0 0

0

𝜋 𝜋 𝜋

Permutations assumptions

Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”

e.g., 𝐶 = KECCAK;

𝑌 = Anything non-trivial

𝑋 = ? ? ?

Permutations are great in practice, but what about theory?

𝑆0 0

0

𝜋 𝜋 𝜋

Permutations assumptions

Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”

e.g., 𝐶 = KECCAK;

𝑌 = Anything non-trivial

𝑋 = ? ? ?

Common approach: Use random permutation (RP) model

𝜋 is random + adversary given oracle access to 𝜋 and 𝜋−1

Permutations are great in practice, but what about theory?

Observation: No standard-model proofs known for permutation-based constructions!

𝑆0 0

0

𝜋 𝜋 𝜋

But: random permutations do not exist [CGH98]

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks

Quite different state of affairs than for hash functions:

Hash functions

ideal model

random oracle

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks

Quite different state of affairs than for hash functions:

Hash functions

ideal model standard model

random oracle CRHF, OWFs, UOWHFs,

CI, UCEs…

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks

Quite different state of affairs than for hash functions:

Hash functions

Permutations

ideal model standard model

random oracle

RP

CRHF, OWFs, UOWHFs, CI, UCEs…

????

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks

Quite different state of affairs than for hash functions:

Hash functions

Permutations

ideal model standard model

random oracle

RP

CRHF, OWFs, UOWHFs, CI, UCEs…

????

What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness …

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all?

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all?

Are psPRPs useful?

This work, in a nutshell

inspired by the UCE framework [BHK13]

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all?

Are psPRPs useful?

This work, in a nutshell

inspired by the UCE framework [BHK13]

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all?

Are psPRPs useful?

Yes! Yes!

psPRPs have many applications

psPRPs have many applications

Deterministic & Hedged PKE

Immunizing backdoored PRGs

CCA-secure Enc. (CCA)

…

Hardcore functions (HC)

KDM-secure symmetric key Enc. (KDM)

Point function Obfuscation (PFOB)

Efficient garbling from fixed-key block-ciphers

Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷

psPRPs have many applications

Deterministic & Hedged PKE

Immunizing backdoored PRGs

CCA-secure Enc. (CCA)

…

Hardcore functions (HC)

KDM-secure symmetric key Enc. (KDM)

Point function Obfuscation (PFOB)

Efficient garbling from fixed-key block-ciphers

Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬

psPRPs have many applications

Deterministic & Hedged PKE

Immunizing backdoored PRGs

CCA-secure Enc. (CCA)

…

Hardcore functions (HC)

KDM-secure symmetric key Enc. (KDM)

Point function Obfuscation (PFOB)

Efficient garbling from fixed-key block-ciphers

Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬

Sponges

psPRPs have many applications

Deterministic & Hedged PKE

Immunizing backdoored PRGs

CCA-secure Enc. (CCA)

…

Hardcore functions (HC)

KDM-secure symmetric key Enc. (KDM)

Point function Obfuscation (PFOB)

Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬

Efficient garbling from fixed-key block-ciphers

Sponges

psPRPs have many applications

Deterministic & Hedged PKE

Immunizing backdoored PRGs

CCA-secure Enc. (CCA)

…

Hardcore functions (HC)

KDM-secure symmetric key Enc. (KDM)

Point function Obfuscation (PFOB)

Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬

Efficient garbling from fixed-key block-ciphers

Sponges

Feistel

Roadmap

1.Definitions

2.Constructions & Applications

3.Conclusions

Co-related input hash

Functions (CIH)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1) 𝜋 ∶ 0,1 𝑛 → 0,1 𝑛

We consider seeded permutations

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝐺𝑒𝑛 𝑥 𝜋𝑠 𝑥

𝜋 ∶ 0,1 𝑛 → 0,1 𝑛

𝜋𝑠 1𝜆 𝑠

Seed generation

𝑦 𝜋𝑠−1 𝑦 𝜋𝑠

−1

Forward evaluation

Backward evaluation

Efficient (poly-time) algorithms

(2) ∀𝑥 ∶ 𝜋𝑠−1 𝜋𝑠 𝑥 = 𝑥

(1) 𝜋𝑠 ∶ 0,1 𝑛 → 0,1 𝑛

We consider seeded permutations

Traditional security notion if seed is secret: Pseudorandom Permutation

𝐷

𝑠 ← Gen(1𝜆)

𝜋s / 𝜋𝑠−1

𝜌 ← Perms(𝑛)

𝜌/𝜌−1 ≈

Traditional security notion if seed is secret: Pseudorandom Permutation

0/1

𝐷

𝑠 ← Gen(1𝜆)

𝜋s / 𝜋𝑠−1

𝜌 ← Perms(𝑛)

𝜌/𝜌−1 ≈

Traditional security notion if seed is secret: Pseudorandom Permutation

0/1

𝐷

𝑠 ← Gen(1𝜆)

𝜋s / 𝜋𝑠−1

5

𝜌 ← Perms(𝑛)

𝜌/𝜌−1 ≈

Stage 1: • Oracle access • Secret seed

Stage 2: • Learns seed • No oracle access

Traditional security notion if seed is secret: Pseudorandom Permutation

0/1

𝐷

𝑠 ← Gen(1𝜆)

𝜋s / 𝜋𝑠−1

5

𝜌 ← Perms(𝑛)

𝜌/𝜌−1 ≈

Stage 1: • Oracle access • Secret seed

Stage 2: • Learns seed • No oracle access

Traditional security notion if seed is secret: Pseudorandom Permutation

Limited information

flow

0/1

UCE security

𝐻 = (𝐺𝑒𝑛, ℎ)

Bellare Hoang Keelveedhi

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐻 = (𝐺𝑒𝑛, ℎ)

Bellare Hoang Keelveedhi

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐻 = (𝐺𝑒𝑛, ℎ)

Bellare Hoang Keelveedhi

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿

𝐻 = (𝐺𝑒𝑛, ℎ)

distinguisher

𝐷

Bellare Hoang Keelveedhi

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿

𝐻 = (𝐺𝑒𝑛, ℎ)

distinguisher

𝐷

Bellare Hoang Keelveedhi

𝒔

𝑠 ← Gen(1𝜆)

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿

𝐻 = (𝐺𝑒𝑛, ℎ)

distinguisher

𝐷

Bellare Hoang Keelveedhi

0/1

𝒔

𝑓 ← Funcs(𝑚, 𝑛) 𝑓

𝑠 ← Gen(1𝜆)

ℎ𝑠

UCE security

𝑆 source

𝐿

𝐻 = (𝐺𝑒𝑛, ℎ)

distinguisher

𝐷

Bellare Hoang Keelveedhi

0/1

𝒔

≈

𝑆

𝐷

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑆

𝐷

Makes forward and backward queries!

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑆

𝐿

𝐷

𝒔

Makes forward and backward queries!

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑆

𝐿

𝐷 0/1

𝒔

Makes forward and backward queries!

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , left and right are indistinguishable.

𝑆

𝐿

𝐷 0/1

𝒔

Makes forward and backward queries!

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , left and right are indistinguishable.

𝑆

𝐿

𝐷 0/1

𝒔

Makes forward and backward queries!

𝑠 ← Gen(1𝜆)

psPRP security

𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

𝝆/𝝆−𝟏

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑦 𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝐿 = 𝑦

𝐷

𝒔

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑦 𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝐿 = 𝑦

𝐷

𝒔

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑦

Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛

𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝐿 = 𝑦

𝐷

𝒔

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑦

Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛

1 with prob. 1

𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝐿 = 𝑦

𝐷

𝒔

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑦

Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛

1

1

with prob. 1

with prob. 1/2𝑛

𝑦

(+, 0𝑛) (+, 0𝑛)

𝑠 ← Gen(1𝜆)

𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

𝑆

𝐿 = 𝑦

𝐷

𝒔

𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …

𝑦

Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛

1

1

with prob. 1

with prob. 1/2𝑛

𝑦

𝑝𝑠𝑃𝑅𝑃-security is impossible against all sources!

≈

Sources need to be restricted

all sources

𝑃 = (Gen, 𝜋, 𝜋−1)

Sources need to be restricted

all sources

𝒮

𝑃 = (Gen, 𝜋, 𝜋−1)

Sources need to be restricted

𝑃 is 𝑝𝑠𝑃𝑅𝑃[𝒮]-secure if ∀ 𝑆 ∈ 𝒮 and ∀ PPT

𝐷, left and right are indistinguishable.

all sources

𝒮

𝑃 = (Gen, 𝜋, 𝜋−1)

𝑆

𝐿

𝐷 0/1

𝒔

𝑠 ← Gen(1𝜆) 𝜋𝑠/𝜋𝑠

−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1

all

sources

This talk – unpredictable and reset-secure sources

all

sources

𝒮𝑠𝑢𝑝 unpredictable

This talk – unpredictable and reset-secure sources

all

sources

𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable

reset-secure

This talk – unpredictable and reset-secure sources

all

sources

𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable

reset-secure

This talk – unpredictable and reset-secure sources

Both restrictions model that 𝐷 cannot predict the queries made by the sources!

all

sources

𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable

reset-secure

This talk – unpredictable and reset-secure sources

Both restrictions model that 𝐷 cannot predict the queries made by the sources!

𝒮𝑠𝑢𝑝 ⊆ 𝒮𝑠𝑟𝑠

all

sources

𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable

reset-secure

This talk – unpredictable and reset-secure sources

Both restrictions model that 𝐷 cannot predict the queries made by the sources!

𝒮𝑠𝑢𝑝 ⊆ 𝒮𝑠𝑟𝑠 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 is a stronger

assumption than 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝 ⟹

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

𝐴

𝜌 ← Perms(𝑛)

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝐴

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝐴

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄′

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄′

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)

⊆

𝒮𝑠𝑢𝑝: 𝐴 is computationally unbounded

𝒮𝑐𝑢𝑝: 𝐴 is PPT

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse

Source restrictions – unpredictability

𝑆 𝜌/𝜌−1

(𝜎, 𝑥𝑖)

𝑦𝑖

𝐴

𝐿

𝑄′

𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}

Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)

⊆

𝒮𝑠𝑢𝑝: 𝐴 is computationally unbounded

𝒮𝑐𝑢𝑝: 𝐴 is PPT 𝑝𝑠𝑃𝑅𝑃[𝒮𝑐𝑢𝑝] impossible if iO

exists [BFM14]

𝜌 ← Perms(𝑛)

𝜎 ∈ {+,−}

It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse

Source restrictions – reset-security

Source restrictions – reset-security

𝑆 𝜌/𝜌−1

𝑅

𝜌 ← Perms(𝑛)

Source restrictions – reset-security

𝑆 𝜌/𝜌−1

𝑅

𝜌 ← Perms(𝑛)

Source restrictions – reset-security

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

𝜌 ← Perms(𝑛)

Source restrictions – reset-security

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝜌 ← Perms(𝑛)

Source restrictions – reset-security

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1

𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)

𝜌1 ← Perms(𝑛)

≈

Source restrictions – reset-security

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1

𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)

𝜌1 ← Perms(𝑛)

≈

Source restrictions – reset-security

⊆

𝒮𝑠𝑟𝑠: 𝑅 is computationally unbounded

𝒮𝑐𝑟𝑠: 𝑅 is PPT

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1

𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)

𝜌1 ← Perms(𝑛)

≈

Source restrictions – reset-security

⊆

𝒮𝑠𝑟𝑠: 𝑅 is computationally unbounded

𝒮𝑐𝑟𝑠: 𝑅 is PPT

𝑆 𝜌/𝜌−1

𝑅

𝐿

𝜌/𝜌−1

0/1

𝑆 𝜌/𝜌−1

𝑅

𝐿

0/1

𝜌1/𝜌1−1

𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)

𝜌1 ← Perms(𝑛)

𝒮𝑐𝑢𝑝 ⊆ 𝒮𝑐𝑟𝑠

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝]

Recap

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]

𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝]

Recap

Recap

Recap

Central assumption in UCE theory

Recap

Central assumption in UCE theory

Roadmap

1.Definitions

2.Constructions & Applications

3.Conclusions

Co-related input hash

Functions (CIH)

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Constructions of UCEs

Direct applications Garbling from fixed-key

block ciphers

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Constructions of UCEs

Direct applications Garbling from fixed-key

block ciphers

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Constructions of UCEs

Direct applications Garbling from fixed-key

block ciphers

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Constructions of UCEs

Direct applications Garbling from fixed-key

block ciphers

Common denominator: A new, restricted notion of indifferentiability!

Next

Co-related input hash

Functions (CIH)

Can we get psPRPs at all?

Are psPRPs useful?

Constructions from UCEs

Heuristic Instantiations

Constructions of UCEs

Direct applications Garbling from fixed-key

block ciphers

Common denominator: A new, restricted notion of indifferentiability! CP-sequential

indifferentiability

𝐶

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

Indifferentiability[MRH04]

𝐴 𝐴

𝐶

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

Indifferentiability[MRH04]

𝐴 𝐴

𝐶

? 𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

Indifferentiability[MRH04]

𝐴 𝐴

𝐶

𝑆𝑖𝑚 𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

Indifferentiability[MRH04]

𝐴 𝐴 ≈

𝐶

0/1

𝑆𝑖𝑚

0/1

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

Indifferentiability[MRH04]

≈

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1

CP-sequential indifferentiability

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

≈

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1

CP-sequential indifferentiability

𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):

left and right are indistinguishable.

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

≈

Remarks:

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1

CP-sequential indifferentiability

𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):

left and right are indistinguishable.

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

≈

1. Full indifferentiability ⟹ CP-seq indiff.

2. Reverse ordering: seq. indifferentiability [MPS12]

Remarks:

𝐴1 𝐶

𝐴2

𝑠𝑡

0/1

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

0/1

CP-sequential indifferentiability

𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):

left and right are indistinguishable.

𝑅𝑃

𝜌/𝜌−1

𝑅𝑂

𝑓

𝜌 ← Perms(𝑛)

𝑓 ← Funcs(∗, 𝑛)

From psPRPs to UCEs

Theorem:

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝐶[𝑃]

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

𝜋𝑠/𝜋𝑠−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

𝜋𝑠/𝜋𝑠−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]

Similar result proved in [BHK14], but: • Need full indifferentiability • Only stated for UCE domain extension

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

𝜋𝑠/𝜋𝑠−1

From psPRPs to UCEs

𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +

𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]

Similar result proved in [BHK14], but: • Need full indifferentiability • Only stated for UCE domain extension

𝐶

Theorem:

𝑅𝑃

𝜌/𝜌−1

Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!

𝜋𝑠/𝜋𝑠−1

From psPRPs to UCEs – Sponges

𝑦 ∈ {0,1}𝑟

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀1 𝑀2 𝑀𝑙

From psPRPs to UCEs – Sponges

𝑦 ∈ {0,1}𝑟

Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀1 𝑀2 𝑀𝑙

From psPRPs to UCEs – Sponges

𝑦 ∈ {0,1}𝑟

Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀1 𝑀2 𝑀𝑙

𝜋𝑠 𝜋𝑠 𝜋𝑠

From psPRPs to UCEs – Sponges

𝑦 ∈ {0,1}𝑟

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Sponge[𝑃] 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure.

Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀1 𝑀2 𝑀𝑙

𝜋𝑠 𝜋𝑠 𝜋𝑠

From psPRPs to UCEs – Sponges

𝑦 ∈ {0,1}𝑟

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Sponge[𝑃] 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure.

Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.

𝑀 ∈ {0,1}∗

𝑆0 𝑟

n − 𝑟

0

0

𝜌

𝑟

𝜌 𝜌

𝑀1 𝑀2 𝑀𝑙

𝜋𝑠 𝜋𝑠 𝜋𝑠

Validates the Sponge paradigm for UCE applications!

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝜌

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑥 ∈ {0,1}𝑛 𝜌

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑥 ∈ {0,1}𝑛 𝜌 𝑛 𝑛

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑥 ∈ {0,1}𝑛

truncates 𝑛-bits to 𝑟-bits

𝜌 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

Chop 𝑅𝑃 is not indifferentiable

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

Chop 𝑅𝑃 is not indifferentiable

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝜋𝑠 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.

Chop 𝑅𝑃 is not indifferentiable

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝜋𝑠 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.

Chop 𝑅𝑃 is not indifferentiable

𝑈𝐶𝐸 𝒮𝑠𝑢𝑝 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝜋𝑠 𝑛 𝑛 𝑟

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).

Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.

Chop 𝑅𝑃 is not indifferentiable

𝑈𝐶𝐸 𝒮𝑠𝑢𝑝 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝

𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟

truncates 𝑛-bits to 𝑟-bits

𝜌 𝜋𝑠 𝑛 𝑛 𝑟

From Chop 𝑃 to VIL UCE: Domain extension techniques [BHK14]

CP-sequentially indiff. constructions that are not fully indiff.?

psPRPs from UCEs Theorem:

psPRPs from UCEs

≈ 𝐴1 𝐶

𝐴2

𝑠𝑡

𝑏′

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

𝑏′

𝑅𝑂

𝑅𝑃

𝐶 𝑅𝑂 ∼cpi 𝑅𝑃

Theorem:

psPRPs from UCEs

≈ 𝐴1 𝐶

𝐴2

𝑠𝑡

𝑏′

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

𝑏′

𝑅𝑂

𝑅𝑃

𝐶 𝑅𝑂 ∼cpi 𝑅𝑃 ⟹ +

𝐻 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure 𝐶 𝐻 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.

Theorem:

psPRPs from UCEs

≈ 𝐴1 𝐶

𝐴2

𝑠𝑡

𝑏′

𝐴1

𝐴2

𝑠𝑡

𝑆𝑖𝑚

𝑏′

𝑅𝑂

𝑅𝑃

Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP.

𝐶 𝑅𝑂 ∼cpi 𝑅𝑃 ⟹ +

𝐻 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure 𝐶 𝐻 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.

Theorem:

From UCEs to psPRPs – Feistel

𝑛

𝑛

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5

𝑌 ∈ {0,1}2𝑛

𝜓5[𝒇]

𝑋 ∈ {0,1}2𝑛

𝑛

𝑛

𝑛

𝑛

From UCEs to psPRPs – Feistel

impossible

[CPS08]

[HKT11] [DS16] [DSKT16]

#rounds for indifferentiability

???

𝑛

𝑛

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5

𝑌 ∈ {0,1}2𝑛

𝜓5[𝒇]

𝑋 ∈ {0,1}2𝑛

𝑛

𝑛

𝑛

𝑛

From UCEs to psPRPs – Feistel

impossible

[CPS08]

[HKT11] [DS16] [DSKT16]

#rounds for indifferentiability

???

𝑛

𝑛

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5

𝑌 ∈ {0,1}2𝑛

𝜓5[𝒇]

𝑋 ∈ {0,1}2𝑛

𝑛

𝑛

𝑛

𝑛

psPRPs exist in the standard model if UCEs exist!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

[HKT11] [DS16] [DSKT16]

#rounds for CP-sequential indifferentiability

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

Theorem: 5-round Feistel (𝜓5[𝒇]) ∼cpi 𝑅𝑃.

[HKT11] [DS16] [DSKT16]

#rounds for CP-sequential indifferentiability

This work!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

Corollary: 𝑯 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure ⟹ 𝜓5[𝑯] 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.

Theorem: 5-round Feistel (𝜓5[𝒇]) ∼cpi 𝑅𝑃.

[HKT11] [DS16] [DSKT16]

#rounds for CP-sequential indifferentiability

This work!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

5-round proof is technically involved

5-round proof is technically involved

Our 5-round Sim:

• Relies on chain completion techniques

• Heavily exploits query ordering

• Very different chain-completion strategy from previous works, no recursion needed

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5 Set

uniform Set

uniform

forceVal forceVal

detect detect

5-round proof is technically involved

Our 5-round Sim:

impossible

[LR88]

[HKT11] [DS16] [DSKT16]

#rounds of Feistel for psPRP-security

This work!!! Open: Do 4-rounds suffice?

• Relies on chain completion techniques

• Heavily exploits query ordering

• Very different chain-completion strategy from previous works, no recursion needed

𝑓1 𝑓2 𝑓3 𝑓4 𝑓5

𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6

𝑋0 𝑋5 Set

uniform Set

uniform

forceVal forceVal

detect detect

???

Heuristic Instantiations

Heuristic Instantiations

𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

From Block-ciphers e.g. AES

𝐺𝑒𝑛:

𝜋:

Heuristic Instantiations

𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

psPRP 𝒮𝑠𝑟𝑠 -secure

From Block-ciphers e.g. AES

Ideal-Cipher model

𝐺𝑒𝑛:

𝜋:

Heuristic Instantiations

𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

psPRP 𝒮𝑠𝑟𝑠 -secure

𝜋

𝑠 ← {0,1}𝑘

From Permutations e.g. the Keccak permutation

From Block-ciphers e.g. AES

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

Ideal-Cipher model

𝐺𝑒𝑛:

𝜋:

𝜋:

𝐺𝑒𝑛:

Heuristic Instantiations

𝐸

𝑠 ← {0,1}𝑘

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

psPRP 𝒮𝑠𝑟𝑠 -secure

psPRP 𝒮𝑠𝑢𝑝 -secure 𝜋

𝑠 ← {0,1}𝑘

From Permutations e.g. the Keccak permutation

From Block-ciphers e.g. AES

𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)

Ideal-Cipher model

RP model

𝐺𝑒𝑛:

𝜋:

𝜋:

𝐺𝑒𝑛:

Fast Garbling from psPRPs

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Fast Garbling from psPRPs Fast garbling from [BHKR13]

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Fast Garbling from psPRPs Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑥 → 𝐸(0𝑘 , 𝑥)

• Very fast – no key-schedule

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Fast Garbling from psPRPs Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑥 → 𝐸(0𝑘 , 𝑥)

• Proof in RP model

• Very fast – no key-schedule

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Fast Garbling from psPRPs

This work: Replace 𝐸 0𝑘 , 𝑥 by 𝜋𝑠 for a random seed

generated upon garbling.

Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑥 → 𝐸(0𝑘 , 𝑥)

• Proof in RP model

• Very fast – no key-schedule

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Fast Garbling from psPRPs

This work: Replace 𝐸 0𝑘 , 𝑥 by 𝜋𝑠 for a random seed

generated upon garbling.

Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑥 → 𝐸(0𝑘 , 𝑥)

• Proof in RP model

• Very fast – no key-schedule

Theorem: Secure garbling when 𝜋𝒔 is 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝].

Garbled And

𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0

𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1

𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0

𝑥𝑎0, 𝑥𝑎

1 𝑥𝑔0, 𝑥𝑔

1 And 𝑥𝑏

0, 𝑥𝑏1

Roadmap

1.Definitions

2.Constructions & Applications

3.Conclusions

Co-related input hash

Functions (CIH)

Conclusion

psPRPs

Conclusion

First standard model assumptions on permutations

psPRPs

Constructions

Conclusion

First standard model assumptions on permutations

psPRPs

Constructions

Conclusion

First standard model assumptions on permutations

Applications psPRPs

Many open questions…

Many open questions…

• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

psPRPs:

Many open questions…

• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

psPRPs:

Public-seed Pseudorandomness - general paradigm:

Many open questions…

• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs:

Public-seed Pseudorandomness - general paradigm:

Many open questions…

• Simpler assumptions on permutations?

• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs:

Public-seed Pseudorandomness - general paradigm:

Beyond psPRPs:

Many open questions…

• Simpler assumptions on permutations?

• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs:

Public-seed Pseudorandomness - general paradigm:

Beyond psPRPs:

Is SHA-3 a CRHF under any non-trivial assumption?

Many open questions…

• Simpler assumptions on permutations?

• More applications: psPRP-based PRNGs, authenticated encryption?

• More efficient constructions: Round complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs:

Public-seed Pseudorandomness - general paradigm:

Beyond psPRPs:

Is SHA-3 a CRHF under any non-trivial assumption?

Thank you!