public-seed pseudorandom permutations - … pseudorandom permutations pratik soni stefano tessaro uc...
TRANSCRIPT
Public-seed Pseudorandom Permutations
Pratik Soni Stefano Tessaro
UC Santa Barbara UC Santa Barbara
EUROCRYPT 2017
Cryptographic schemes often built from generic building blocks
Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
𝐻
𝐾 ⊕ 𝑖𝑝𝑎𝑑 || 𝑀
𝐾 ⊕ 𝑜𝑝𝑎𝑑
𝐻
hash function (e.g., SHA-3)
𝐸𝐾
𝑀1
𝐼𝑉
𝑀2
𝐸𝐾
𝑀ℓ
block cipher (e.g., AES)
Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
Is there a universal and simple building block for efficient symmetric cryptography?
𝐻
𝐾 ⊕ 𝑖𝑝𝑎𝑑 || 𝑀
𝐾 ⊕ 𝑜𝑝𝑎𝑑
𝐻
hash function (e.g., SHA-3)
𝐸𝐾
𝑀1
𝐼𝑉
𝑀2
𝐸𝐾
𝑀ℓ
block cipher (e.g., AES)
Recent trend: Start from seedless permutation
Recent trend: Start from seedless permutation
Recent trend: Start from seedless permutation
Sponge paradigm
Recent trend: Start from seedless permutation
Sponge paradigm
Recent trend: Start from seedless permutation
…
Sponge paradigm
Here: 𝜋 is an efficiently computable and invertible one-to-one function
Recent trend: Start from seedless permutation
…
Sponge paradigm
Permutations
“… it would be nice, now, if permutations can be called
the Swiss Army Knife [of cryptography]” — Joan Daemen, Passwords^12
Hashing Garbling
PRNGs Authenticated Encryption
MACs KDFs
Typical instantiations
Typical instantiations
Ad-hoc construction
e.g., in KECCAK, NORX, …
Designed to withstand cryptanalysis
Typical instantiations
Fixed-key block ciphers
Ad-hoc construction
e.g., in KECCAK, NORX, …
Designed to withstand cryptanalysis
e.g., 𝜋 ∶ 𝑥 → AES(0128, 𝑥) 𝐴𝐸𝑆
0128
Typical instantiations
Fixed-key block ciphers
Ad-hoc construction
e.g., in KECCAK, NORX, …
Designed to withstand cryptanalysis
e.g., 𝜋 ∶ 𝑥 → AES(0128, 𝑥)
Faster, no re-keying costs!
𝐴𝐸𝑆
0128
Faster Hash functions [RS08], fast garbling [BHKR13]
Permutations assumptions
Permutations are great in practice, but what about theory?
Permutations assumptions
Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”
Permutations are great in practice, but what about theory?
𝑆0 0
0
𝜋 𝜋 𝜋
Permutations assumptions
Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”
e.g., 𝐶 = KECCAK;
𝑌 = Anything non-trivial
𝑋 = ? ? ?
Permutations are great in practice, but what about theory?
𝑆0 0
0
𝜋 𝜋 𝜋
Permutations assumptions
Goal: Standard-model reduction: “If 𝜋 satisfies 𝑋 then 𝐶[𝜋] satisfies 𝑌.”
e.g., 𝐶 = KECCAK;
𝑌 = Anything non-trivial
𝑋 = ? ? ?
Common approach: Use random permutation (RP) model
𝜋 is random + adversary given oracle access to 𝜋 and 𝜋−1
Permutations are great in practice, but what about theory?
Observation: No standard-model proofs known for permutation-based constructions!
𝑆0 0
0
𝜋 𝜋 𝜋
But: random permutations do not exist [CGH98]
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
ideal model
random oracle
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
ideal model standard model
random oracle CRHF, OWFs, UOWHFs,
CI, UCEs…
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
Permutations
ideal model standard model
random oracle
RP
CRHF, OWFs, UOWHFs, CI, UCEs…
????
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
Permutations
ideal model standard model
random oracle
RP
CRHF, OWFs, UOWHFs, CI, UCEs…
????
What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness …
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs)
We address two main questions:
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs)
We address two main questions:
Can we get psPRPs at all?
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
This work, in a nutshell
inspired by the UCE framework [BHK13]
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
This work, in a nutshell
inspired by the UCE framework [BHK13]
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
Yes! Yes!
psPRPs have many applications
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
…
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
…
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
…
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬
Sponges
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
…
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬
Efficient garbling from fixed-key block-ciphers
Sponges
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
…
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE) 𝒑𝒔𝑷𝑹𝑷 𝑼𝑪𝑬
Efficient garbling from fixed-key block-ciphers
Sponges
Feistel
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1) 𝜋 ∶ 0,1 𝑛 → 0,1 𝑛
We consider seeded permutations
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝐺𝑒𝑛 𝑥 𝜋𝑠 𝑥
𝜋 ∶ 0,1 𝑛 → 0,1 𝑛
𝜋𝑠 1𝜆 𝑠
Seed generation
𝑦 𝜋𝑠−1 𝑦 𝜋𝑠
−1
Forward evaluation
Backward evaluation
Efficient (poly-time) algorithms
(2) ∀𝑥 ∶ 𝜋𝑠−1 𝜋𝑠 𝑥 = 𝑥
(1) 𝜋𝑠 ∶ 0,1 𝑛 → 0,1 𝑛
We consider seeded permutations
Traditional security notion if seed is secret: Pseudorandom Permutation
𝐷
𝑠 ← Gen(1𝜆)
𝜋s / 𝜋𝑠−1
𝜌 ← Perms(𝑛)
𝜌/𝜌−1 ≈
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
𝐷
𝑠 ← Gen(1𝜆)
𝜋s / 𝜋𝑠−1
𝜌 ← Perms(𝑛)
𝜌/𝜌−1 ≈
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
𝐷
𝑠 ← Gen(1𝜆)
𝜋s / 𝜋𝑠−1
5
𝜌 ← Perms(𝑛)
𝜌/𝜌−1 ≈
Stage 1: • Oracle access • Secret seed
Stage 2: • Learns seed • No oracle access
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
𝐷
𝑠 ← Gen(1𝜆)
𝜋s / 𝜋𝑠−1
5
𝜌 ← Perms(𝑛)
𝜌/𝜌−1 ≈
Stage 1: • Oracle access • Secret seed
Stage 2: • Learns seed • No oracle access
Traditional security notion if seed is secret: Pseudorandom Permutation
Limited information
flow
0/1
UCE security
𝐻 = (𝐺𝑒𝑛, ℎ)
Bellare Hoang Keelveedhi
𝑓 ← Funcs(𝑚, 𝑛) 𝑓
𝑠 ← Gen(1𝜆)
ℎ𝑠
UCE security
𝑆 source
𝐻 = (𝐺𝑒𝑛, ℎ)
Bellare Hoang Keelveedhi
𝑓 ← Funcs(𝑚, 𝑛) 𝑓
𝑠 ← Gen(1𝜆)
ℎ𝑠
UCE security
𝑆 source
𝐻 = (𝐺𝑒𝑛, ℎ)
Bellare Hoang Keelveedhi
𝑓 ← Funcs(𝑚, 𝑛) 𝑓
𝑠 ← Gen(1𝜆)
ℎ𝑠
UCE security
𝑆 source
𝐿
𝐻 = (𝐺𝑒𝑛, ℎ)
distinguisher
𝐷
Bellare Hoang Keelveedhi
𝑓 ← Funcs(𝑚, 𝑛) 𝑓
𝑠 ← Gen(1𝜆)
ℎ𝑠
UCE security
𝑆 source
𝐿
𝐻 = (𝐺𝑒𝑛, ℎ)
distinguisher
𝐷
Bellare Hoang Keelveedhi
𝒔
𝑠 ← Gen(1𝜆)
𝑓 ← Funcs(𝑚, 𝑛) 𝑓
𝑠 ← Gen(1𝜆)
ℎ𝑠
UCE security
𝑆 source
𝐿
𝐻 = (𝐺𝑒𝑛, ℎ)
distinguisher
𝐷
Bellare Hoang Keelveedhi
0/1
𝒔
𝑓 ← Funcs(𝑚, 𝑛) 𝑓
𝑠 ← Gen(1𝜆)
ℎ𝑠
UCE security
𝑆 source
𝐿
𝐻 = (𝐺𝑒𝑛, ℎ)
distinguisher
𝐷
Bellare Hoang Keelveedhi
0/1
𝒔
≈
𝑆
𝐷
𝑠 ← Gen(1𝜆)
psPRP security
𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝝆/𝝆−𝟏
𝑆
𝐷
Makes forward and backward queries!
𝑠 ← Gen(1𝜆)
psPRP security
𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝝆/𝝆−𝟏
𝑆
𝐿
𝐷
𝒔
Makes forward and backward queries!
𝑠 ← Gen(1𝜆)
psPRP security
𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝝆/𝝆−𝟏
𝑆
𝐿
𝐷 0/1
𝒔
Makes forward and backward queries!
𝑠 ← Gen(1𝜆)
psPRP security
𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝝆/𝝆−𝟏
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , left and right are indistinguishable.
𝑆
𝐿
𝐷 0/1
𝒔
Makes forward and backward queries!
𝑠 ← Gen(1𝜆)
psPRP security
𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝝆/𝝆−𝟏
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , left and right are indistinguishable.
𝑆
𝐿
𝐷 0/1
𝒔
Makes forward and backward queries!
𝑠 ← Gen(1𝜆)
psPRP security
𝝅𝒔/𝝅𝒔−𝟏 𝝆 ← 𝐏𝐞𝐫𝐦𝐬(𝒏)
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
𝝆/𝝆−𝟏
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑦 𝑦
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝐿 = 𝑦
𝐷
𝒔
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑦 𝑦
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝐿 = 𝑦
𝐷
𝒔
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑦
Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛
𝑦
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝐿 = 𝑦
𝐷
𝒔
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑦
Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛
1 with prob. 1
𝑦
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝐿 = 𝑦
𝐷
𝒔
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑦
Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛
1
1
with prob. 1
with prob. 1/2𝑛
𝑦
(+, 0𝑛) (+, 0𝑛)
𝑠 ← Gen(1𝜆)
𝜋𝑠/𝜋𝑠−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
𝑆
𝐿 = 𝑦
𝐷
𝒔
𝑃 is 𝑝𝑠𝑃𝑅𝑃-secure if ∀ PPT 𝑆, 𝐷 , …
𝑦
Outputs 1 iff 𝑦 = 𝜋𝑠 0𝑛
1
1
with prob. 1
with prob. 1/2𝑛
𝑦
𝑝𝑠𝑃𝑅𝑃-security is impossible against all sources!
≈
Sources need to be restricted
all sources
𝑃 = (Gen, 𝜋, 𝜋−1)
Sources need to be restricted
all sources
𝒮
𝑃 = (Gen, 𝜋, 𝜋−1)
Sources need to be restricted
𝑃 is 𝑝𝑠𝑃𝑅𝑃[𝒮]-secure if ∀ 𝑆 ∈ 𝒮 and ∀ PPT
𝐷, left and right are indistinguishable.
all sources
𝒮
𝑃 = (Gen, 𝜋, 𝜋−1)
𝑆
𝐿
𝐷 0/1
𝒔
𝑠 ← Gen(1𝜆) 𝜋𝑠/𝜋𝑠
−1 𝜌 ← Perms(𝑛) 𝜌/𝜌−1
all
sources
This talk – unpredictable and reset-secure sources
all
sources
𝒮𝑠𝑢𝑝 unpredictable
This talk – unpredictable and reset-secure sources
all
sources
𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable
reset-secure
This talk – unpredictable and reset-secure sources
all
sources
𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable
reset-secure
This talk – unpredictable and reset-secure sources
Both restrictions model that 𝐷 cannot predict the queries made by the sources!
all
sources
𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable
reset-secure
This talk – unpredictable and reset-secure sources
Both restrictions model that 𝐷 cannot predict the queries made by the sources!
𝒮𝑠𝑢𝑝 ⊆ 𝒮𝑠𝑟𝑠
all
sources
𝒮𝑠𝑟𝑠 𝒮𝑠𝑢𝑝 unpredictable
reset-secure
This talk – unpredictable and reset-secure sources
Both restrictions model that 𝐷 cannot predict the queries made by the sources!
𝒮𝑠𝑢𝑝 ⊆ 𝒮𝑠𝑟𝑠 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 is a stronger
assumption than 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝 ⟹
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
𝐴
𝜌 ← Perms(𝑛)
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝐴
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝐴
𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝑦𝑖
𝐴
𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝑦𝑖
𝐴
𝐿
𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝑦𝑖
𝐴
𝐿
𝑄′
𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}
Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝑦𝑖
𝐴
𝐿
𝑄′
𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}
Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)
⊆
𝒮𝑠𝑢𝑝: 𝐴 is computationally unbounded
𝒮𝑐𝑢𝑝: 𝐴 is PPT
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse
Source restrictions – unpredictability
𝑆 𝜌/𝜌−1
(𝜎, 𝑥𝑖)
𝑦𝑖
𝐴
𝐿
𝑄′
𝑄 ← 𝑄 ∪ { 𝜎, 𝑥𝑖 , (𝜎 , 𝑦𝑖)}
Pr [ 𝑄′ ∩ 𝑄 ≠ 𝜙] = negl(𝜆)
⊆
𝒮𝑠𝑢𝑝: 𝐴 is computationally unbounded
𝒮𝑐𝑢𝑝: 𝐴 is PPT 𝑝𝑠𝑃𝑅𝑃[𝒮𝑐𝑢𝑝] impossible if iO
exists [BFM14]
𝜌 ← Perms(𝑛)
𝜎 ∈ {+,−}
It should be hard for 𝐴 to predict any of 𝑆’s queries or its inverse
Source restrictions – reset-security
Source restrictions – reset-security
𝑆 𝜌/𝜌−1
𝑅
𝜌 ← Perms(𝑛)
Source restrictions – reset-security
𝑆 𝜌/𝜌−1
𝑅
𝜌 ← Perms(𝑛)
Source restrictions – reset-security
𝑆 𝜌/𝜌−1
𝑅
𝐿
𝜌/𝜌−1
𝜌 ← Perms(𝑛)
Source restrictions – reset-security
𝑆 𝜌/𝜌−1
𝑅
𝐿
𝜌/𝜌−1
0/1
𝜌 ← Perms(𝑛)
Source restrictions – reset-security
𝑆 𝜌/𝜌−1
𝑅
𝐿
𝜌/𝜌−1
0/1
𝑆 𝜌/𝜌−1
𝑅
𝐿
0/1
𝜌1/𝜌1−1
𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)
𝜌1 ← Perms(𝑛)
≈
Source restrictions – reset-security
𝑆 𝜌/𝜌−1
𝑅
𝐿
𝜌/𝜌−1
0/1
𝑆 𝜌/𝜌−1
𝑅
𝐿
0/1
𝜌1/𝜌1−1
𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)
𝜌1 ← Perms(𝑛)
≈
Source restrictions – reset-security
⊆
𝒮𝑠𝑟𝑠: 𝑅 is computationally unbounded
𝒮𝑐𝑟𝑠: 𝑅 is PPT
𝑆 𝜌/𝜌−1
𝑅
𝐿
𝜌/𝜌−1
0/1
𝑆 𝜌/𝜌−1
𝑅
𝐿
0/1
𝜌1/𝜌1−1
𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)
𝜌1 ← Perms(𝑛)
≈
Source restrictions – reset-security
⊆
𝒮𝑠𝑟𝑠: 𝑅 is computationally unbounded
𝒮𝑐𝑟𝑠: 𝑅 is PPT
𝑆 𝜌/𝜌−1
𝑅
𝐿
𝜌/𝜌−1
0/1
𝑆 𝜌/𝜌−1
𝑅
𝐿
0/1
𝜌1/𝜌1−1
𝜌 ← Perms(𝑛) 𝜌 ← Perms(𝑛)
𝜌1 ← Perms(𝑛)
𝒮𝑐𝑢𝑝 ⊆ 𝒮𝑐𝑟𝑠
𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]
𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝]
Recap
𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]
𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝]
Recap
Recap
Recap
Central assumption in UCE theory
Recap
Central assumption in UCE theory
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Common denominator: A new, restricted notion of indifferentiability!
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Common denominator: A new, restricted notion of indifferentiability! CP-sequential
indifferentiability
𝐶
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
Indifferentiability[MRH04]
𝐴 𝐴
𝐶
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
Indifferentiability[MRH04]
𝐴 𝐴
𝐶
? 𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
Indifferentiability[MRH04]
𝐴 𝐴
𝐶
𝑆𝑖𝑚 𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
Indifferentiability[MRH04]
𝐴 𝐴 ≈
𝐶
0/1
𝑆𝑖𝑚
0/1
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
Indifferentiability[MRH04]
≈
𝐴1 𝐶
𝐴2
𝑠𝑡
0/1
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
0/1
CP-sequential indifferentiability
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
≈
𝐴1 𝐶
𝐴2
𝑠𝑡
0/1
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
0/1
CP-sequential indifferentiability
𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):
left and right are indistinguishable.
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
≈
Remarks:
𝐴1 𝐶
𝐴2
𝑠𝑡
0/1
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
0/1
CP-sequential indifferentiability
𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):
left and right are indistinguishable.
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
≈
1. Full indifferentiability ⟹ CP-seq indiff.
2. Reverse ordering: seq. indifferentiability [MPS12]
Remarks:
𝐴1 𝐶
𝐴2
𝑠𝑡
0/1
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
0/1
CP-sequential indifferentiability
𝐶 𝑅𝑃 ∼𝑐𝑝𝑖 𝑅𝑂 ⇔ ∃ PPT 𝑆𝑖𝑚 ∀ PPT (𝐴1, 𝐴2):
left and right are indistinguishable.
𝑅𝑃
𝜌/𝜌−1
𝑅𝑂
𝑓
𝜌 ← Perms(𝑛)
𝑓 ← Funcs(∗, 𝑛)
From psPRPs to UCEs
Theorem:
From psPRPs to UCEs
𝐶 𝑅𝑃 ∼cpi 𝑅𝑂
𝐶
Theorem:
𝑅𝑃
𝜌/𝜌−1
From psPRPs to UCEs
𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 +
𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure
𝐶
Theorem:
𝑅𝑃
𝜌/𝜌−1
From psPRPs to UCEs
𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +
𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝐶[𝑃]
𝐶
Theorem:
𝑅𝑃
𝜌/𝜌−1
𝜋𝑠/𝜋𝑠−1
From psPRPs to UCEs
𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +
𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]
𝐶
Theorem:
𝑅𝑃
𝜌/𝜌−1
𝜋𝑠/𝜋𝑠−1
From psPRPs to UCEs
𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +
𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]
Similar result proved in [BHK14], but: • Need full indifferentiability • Only stated for UCE domain extension
𝐶
Theorem:
𝑅𝑃
𝜌/𝜌−1
𝜋𝑠/𝜋𝑠−1
From psPRPs to UCEs
𝐶 𝑅𝑃 ∼cpi 𝑅𝑂 ⟹ +
𝑃 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure. 𝐶[𝑃]
Similar result proved in [BHK14], but: • Need full indifferentiability • Only stated for UCE domain extension
𝐶
Theorem:
𝑅𝑃
𝜌/𝜌−1
Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!
𝜋𝑠/𝜋𝑠−1
From psPRPs to UCEs – Sponges
𝑦 ∈ {0,1}𝑟
𝑀 ∈ {0,1}∗
𝑆0 𝑟
n − 𝑟
0
0
𝜌
𝑟
𝜌 𝜌
𝑀1 𝑀2 𝑀𝑙
From psPRPs to UCEs – Sponges
𝑦 ∈ {0,1}𝑟
Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.
𝑀 ∈ {0,1}∗
𝑆0 𝑟
n − 𝑟
0
0
𝜌
𝑟
𝜌 𝜌
𝑀1 𝑀2 𝑀𝑙
From psPRPs to UCEs – Sponges
𝑦 ∈ {0,1}𝑟
Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.
𝑀 ∈ {0,1}∗
𝑆0 𝑟
n − 𝑟
0
0
𝜌
𝑟
𝜌 𝜌
𝑀1 𝑀2 𝑀𝑙
𝜋𝑠 𝜋𝑠 𝜋𝑠
From psPRPs to UCEs – Sponges
𝑦 ∈ {0,1}𝑟
Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Sponge[𝑃] 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure.
Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.
𝑀 ∈ {0,1}∗
𝑆0 𝑟
n − 𝑟
0
0
𝜌
𝑟
𝜌 𝜌
𝑀1 𝑀2 𝑀𝑙
𝜋𝑠 𝜋𝑠 𝜋𝑠
From psPRPs to UCEs – Sponges
𝑦 ∈ {0,1}𝑟
Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Sponge[𝑃] 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure.
Theorem [BDVP08]: Sponge[𝑅𝑃] ∼cpi 𝑅𝑂.
𝑀 ∈ {0,1}∗
𝑆0 𝑟
n − 𝑟
0
0
𝜌
𝑟
𝜌 𝜌
𝑀1 𝑀2 𝑀𝑙
𝜋𝑠 𝜋𝑠 𝜋𝑠
Validates the Sponge paradigm for UCE applications!
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
𝜌
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
𝑥 ∈ {0,1}𝑛 𝜌
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
𝑥 ∈ {0,1}𝑛 𝜌 𝑛 𝑛
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
𝑥 ∈ {0,1}𝑛
truncates 𝑛-bits to 𝑟-bits
𝜌 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
Chop 𝑅𝑃 is not indifferentiable
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
Chop 𝑅𝑃 is not indifferentiable
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝜋𝑠 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.
Chop 𝑅𝑃 is not indifferentiable
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝜋𝑠 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.
Chop 𝑅𝑃 is not indifferentiable
𝑈𝐶𝐸 𝒮𝑠𝑢𝑝 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝜋𝑠 𝑛 𝑛 𝑟
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs – Chop
Theorem: Chop[𝑅𝑃] ∼cpi 𝑅𝐹 when 𝑛 − 𝑟 ∈ 𝜔(log 𝜆).
Corollary: 𝑃 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑟𝑠 -secure ⟹ Chop[𝑃] 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure.
Chop 𝑅𝑃 is not indifferentiable
𝑈𝐶𝐸 𝒮𝑠𝑢𝑝 𝑝𝑠𝑃𝑅𝑃 𝒮𝑠𝑢𝑝
𝑥 ∈ {0,1}𝑛 𝑦 ∈ {0,1}𝑟
truncates 𝑛-bits to 𝑟-bits
𝜌 𝜋𝑠 𝑛 𝑛 𝑟
From Chop 𝑃 to VIL UCE: Domain extension techniques [BHK14]
CP-sequentially indiff. constructions that are not fully indiff.?
psPRPs from UCEs Theorem:
psPRPs from UCEs
≈ 𝐴1 𝐶
𝐴2
𝑠𝑡
𝑏′
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
𝑏′
𝑅𝑂
𝑅𝑃
𝐶 𝑅𝑂 ∼cpi 𝑅𝑃
Theorem:
psPRPs from UCEs
≈ 𝐴1 𝐶
𝐴2
𝑠𝑡
𝑏′
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
𝑏′
𝑅𝑂
𝑅𝑃
𝐶 𝑅𝑂 ∼cpi 𝑅𝑃 ⟹ +
𝐻 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure 𝐶 𝐻 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.
Theorem:
psPRPs from UCEs
≈ 𝐴1 𝐶
𝐴2
𝑠𝑡
𝑏′
𝐴1
𝐴2
𝑠𝑡
𝑆𝑖𝑚
𝑏′
𝑅𝑂
𝑅𝑃
Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP.
𝐶 𝑅𝑂 ∼cpi 𝑅𝑃 ⟹ +
𝐻 𝑈𝐶𝐸[𝒮𝑠𝑟𝑠]-secure 𝐶 𝐻 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.
Theorem:
From UCEs to psPRPs – Feistel
𝑛
𝑛
𝑓1 𝑓2 𝑓3 𝑓4 𝑓5
𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6
𝑋0 𝑋5
𝑌 ∈ {0,1}2𝑛
𝜓5[𝒇]
𝑋 ∈ {0,1}2𝑛
𝑛
𝑛
𝑛
𝑛
From UCEs to psPRPs – Feistel
impossible
[CPS08]
[HKT11] [DS16] [DSKT16]
#rounds for indifferentiability
???
𝑛
𝑛
𝑓1 𝑓2 𝑓3 𝑓4 𝑓5
𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6
𝑋0 𝑋5
𝑌 ∈ {0,1}2𝑛
𝜓5[𝒇]
𝑋 ∈ {0,1}2𝑛
𝑛
𝑛
𝑛
𝑛
From UCEs to psPRPs – Feistel
impossible
[CPS08]
[HKT11] [DS16] [DSKT16]
#rounds for indifferentiability
???
𝑛
𝑛
𝑓1 𝑓2 𝑓3 𝑓4 𝑓5
𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6
𝑋0 𝑋5
𝑌 ∈ {0,1}2𝑛
𝜓5[𝒇]
𝑋 ∈ {0,1}2𝑛
𝑛
𝑛
𝑛
𝑛
psPRPs exist in the standard model if UCEs exist!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
Theorem: 5-round Feistel (𝜓5[𝒇]) ∼cpi 𝑅𝑃.
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
This work!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
Corollary: 𝑯 𝑈𝐶𝐸 𝒮𝑠𝑟𝑠 -secure ⟹ 𝜓5[𝑯] 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑟𝑠]-secure.
Theorem: 5-round Feistel (𝜓5[𝒇]) ∼cpi 𝑅𝑃.
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
This work!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
5-round proof is technically involved
5-round proof is technically involved
Our 5-round Sim:
• Relies on chain completion techniques
• Heavily exploits query ordering
• Very different chain-completion strategy from previous works, no recursion needed
𝑓1 𝑓2 𝑓3 𝑓4 𝑓5
𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6
𝑋0 𝑋5 Set
uniform Set
uniform
forceVal forceVal
detect detect
5-round proof is technically involved
Our 5-round Sim:
impossible
[LR88]
[HKT11] [DS16] [DSKT16]
#rounds of Feistel for psPRP-security
This work!!! Open: Do 4-rounds suffice?
• Relies on chain completion techniques
• Heavily exploits query ordering
• Very different chain-completion strategy from previous works, no recursion needed
𝑓1 𝑓2 𝑓3 𝑓4 𝑓5
𝑋1 𝑋2 𝑋3 𝑋4 𝑋5 𝑋6
𝑋0 𝑋5 Set
uniform Set
uniform
forceVal forceVal
detect detect
???
Heuristic Instantiations
Heuristic Instantiations
𝐸
𝑠 ← {0,1}𝑘
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
From Block-ciphers e.g. AES
𝐺𝑒𝑛:
𝜋:
Heuristic Instantiations
𝐸
𝑠 ← {0,1}𝑘
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
psPRP 𝒮𝑠𝑟𝑠 -secure
From Block-ciphers e.g. AES
Ideal-Cipher model
𝐺𝑒𝑛:
𝜋:
Heuristic Instantiations
𝐸
𝑠 ← {0,1}𝑘
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
psPRP 𝒮𝑠𝑟𝑠 -secure
𝜋
𝑠 ← {0,1}𝑘
From Permutations e.g. the Keccak permutation
From Block-ciphers e.g. AES
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
Ideal-Cipher model
𝐺𝑒𝑛:
𝜋:
𝜋:
𝐺𝑒𝑛:
Heuristic Instantiations
𝐸
𝑠 ← {0,1}𝑘
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
psPRP 𝒮𝑠𝑟𝑠 -secure
psPRP 𝒮𝑠𝑢𝑝 -secure 𝜋
𝑠 ← {0,1}𝑘
From Permutations e.g. the Keccak permutation
From Block-ciphers e.g. AES
𝑃 = (𝐺𝑒𝑛, 𝜋, 𝜋−1)
Ideal-Cipher model
RP model
𝐺𝑒𝑛:
𝜋:
𝜋:
𝐺𝑒𝑛:
Fast Garbling from psPRPs
Garbled And
𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1
𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0
𝑥𝑎0, 𝑥𝑎
1 𝑥𝑔0, 𝑥𝑔
1 And 𝑥𝑏
0, 𝑥𝑏1
Fast Garbling from psPRPs Fast garbling from [BHKR13]
Garbled And
𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1
𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0
𝑥𝑎0, 𝑥𝑎
1 𝑥𝑔0, 𝑥𝑔
1 And 𝑥𝑏
0, 𝑥𝑏1
Fast Garbling from psPRPs Fast garbling from [BHKR13]
• Only calls fixed-key block cipher
𝑥 → 𝐸(0𝑘 , 𝑥)
• Very fast – no key-schedule
Garbled And
𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1
𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0
𝑥𝑎0, 𝑥𝑎
1 𝑥𝑔0, 𝑥𝑔
1 And 𝑥𝑏
0, 𝑥𝑏1
Fast Garbling from psPRPs Fast garbling from [BHKR13]
• Only calls fixed-key block cipher
𝑥 → 𝐸(0𝑘 , 𝑥)
• Proof in RP model
• Very fast – no key-schedule
Garbled And
𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1
𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0
𝑥𝑎0, 𝑥𝑎
1 𝑥𝑔0, 𝑥𝑔
1 And 𝑥𝑏
0, 𝑥𝑏1
Fast Garbling from psPRPs
This work: Replace 𝐸 0𝑘 , 𝑥 by 𝜋𝑠 for a random seed
generated upon garbling.
Fast garbling from [BHKR13]
• Only calls fixed-key block cipher
𝑥 → 𝐸(0𝑘 , 𝑥)
• Proof in RP model
• Very fast – no key-schedule
Garbled And
𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1
𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0
𝑥𝑎0, 𝑥𝑎
1 𝑥𝑔0, 𝑥𝑔
1 And 𝑥𝑏
0, 𝑥𝑏1
Fast Garbling from psPRPs
This work: Replace 𝐸 0𝑘 , 𝑥 by 𝜋𝑠 for a random seed
generated upon garbling.
Fast garbling from [BHKR13]
• Only calls fixed-key block cipher
𝑥 → 𝐸(0𝑘 , 𝑥)
• Proof in RP model
• Very fast – no key-schedule
Theorem: Secure garbling when 𝜋𝒔 is 𝑝𝑠𝑃𝑅𝑃[𝒮𝑠𝑢𝑝].
Garbled And
𝐸 0𝑛, 𝐾10 ⊕ 𝐾10 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾01 ⊕ 𝐾01 ⊕ 𝑥𝑔0
𝐸 0𝑛, 𝐾11 ⊕ 𝐾11 ⊕ 𝑥𝑔1
𝐸 0𝑛, 𝐾00 ⊕ 𝐾00 ⊕ 𝑥𝑔0
𝑥𝑎0, 𝑥𝑎
1 𝑥𝑔0, 𝑥𝑔
1 And 𝑥𝑏
0, 𝑥𝑏1
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
Conclusion
psPRPs
Conclusion
First standard model assumptions on permutations
psPRPs
Constructions
Conclusion
First standard model assumptions on permutations
psPRPs
Constructions
Conclusion
First standard model assumptions on permutations
Applications psPRPs
Many open questions…
Many open questions…
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
psPRPs:
Many open questions…
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Many open questions…
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
• Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Many open questions…
• Simpler assumptions on permutations?
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
• Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Many open questions…
• Simpler assumptions on permutations?
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
• Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Is SHA-3 a CRHF under any non-trivial assumption?
Many open questions…
• Simpler assumptions on permutations?
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
• Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Is SHA-3 a CRHF under any non-trivial assumption?
Thank you!