Public-Seed Pseudorandom Permutations
Transcript of slides

Slide 1
Public-Seed Pseudorandom Permutations
Stefano Tessaro, UCSB
DIMACS Workshop, New York
June 8, 2017
Joint work with Pratik Soni (UCSB)

Slide 2
We look at an existing class of cryptographic primitives and introduce/study the first "plausible" assumptions on them.
Pratik Soni, Stefano Tessaro. Public-Seed Pseudorandom Permutations. EUROCRYPT 2017.

Slide 3
Cryptographic schemes are often built from simpler building blocks.
Is there a universal and simple building block for efficient symmetric cryptography?
[Figure: two candidate building blocks: a hash function H (e.g., SHA-3) and a block cipher E under a key K (e.g., AES)]
Main motivation: a single object requiring an optimized implementation!

Slide 4
Recent trend: building block = permutation
π: an efficiently computable and invertible permutation on n-bit blocks.
Example. Sponge construction (as in SHA-3) [BDPvA]
[Figure: sponge hashing a message M = M1 M2 M3 ... into H(M) by iterating π]

Slide 5
Several permutation-based constructions
Hash functions, authenticated encryption schemes, PRNGs, garbling schemes, ...

Slide 6
Permutation instantiations
- Fixed-key block ciphers, e.g., π: x ↦ AES(0^128, x) (AES under the all-zero key). Faster hash functions [RS08], fast garbling [BHKR13].
- Ad-hoc designs, e.g., in SHA-3, AE schemes, ... Designed to withstand cryptanalytic attacks against the constructions using them! E.g., no collision attack.

Slide 7
Permutation assumptions
What security properties do we expect from a permutation?
Ideal goal: a standard-model reduction! "If π satisfies P then C[π] satisfies Q."
e.g., C = SHA-3; Q = anything non-trivial; P = ???
Unfortunately: no standard-model proofs known under non-tautological assumptions!

Slide 8
Security of permutation-based crypto
Provable security: the random permutation model! π is random, and the adversary is given oracle access to π and π⁻¹. Clearly unachievable [CGH98] ... security against generic attacks! Insights are hard to recycle for new applications.
Cryptanalysis: application-specific attacks. Very little permutation-specific cryptanalysis.

Slide 9
Example – OWFs from permutations
π: {0,1}^n → {0,1}^n, y = π(x)
Clearly: cannot be one-way! (Given y, compute x = π⁻¹(y).)
So, how do we make a one-way function out of π?

Slide 10
Naïve idea: truncation. f(x) = z where π(x) = (y, z), i.e., f: {0,1}^n → {0,1}^(n/2).
Not one-way: for any y, π⁻¹(y, z) is a preimage of z.
Better candidate: f(x) = z where π(x, 0...0) = (y, z), i.e., f: {0,1}^(n/2) → {0,1}^(n/2) (pad x with zeros, keep one half of the output).
Conjectured one-way for π = SHA-3 permutation.
Wanted: a basic (succinct, non-tautological) security property satisfied by π which implies one-wayness of f?

Slide 11
Permutations vs hash functions
Hash functions – ideal model: random oracle; standard model: CRHF, OWFs, UOWHFs, CI, UCEs, ...
Permutations – ideal model: random permutation; standard model: ?
What kind of cryptographic hardness can we expect from a permutation?

Slide 12
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations: "Public-seed Pseudorandom Permutations" (psPRPs), inspired by the UCE framework [BHK13].
Two main questions:
- Can we get psPRPs at all?
- Are psPRPs useful?

Slide 13
psPRPs – Landscape preview
psPRP ⇄ UCE (constructions in both directions, e.g., Sponges; Feistel)
Applications: Deterministic & Hedged PKE; Immunizing backdoored PRGs; CCA-secure Enc.; Hardcore functions; KDM-secure symmetric-key Enc.; Point-function Obfuscation; Message-locked Encryption (MLE); Correlated-input hash functions (CIH); Efficient garbling from fixed-key block ciphers; ...

Slide 14
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions

Slide 15
Syntax: seeded permutations
π = (Gen, π, π⁻¹)
Seed generation: s ← Gen(1^λ)
Forward evaluation: x ↦ π_s(x)
Backward evaluation: y ↦ π_s⁻¹(y)
(1) π_s: {0,1}^n → {0,1}^n
(2) ∀x: π_s⁻¹(π_s(x)) = x

Slide 16
Secret-seed security: pseudorandom permutations (PRPs)
Two-stage distinguisher D, output 0/1:
- Stage 1: oracle access to π_s/π_s⁻¹ (s ← Gen(1^λ)) or to π/π⁻¹ (π ← Perms(n)); the seed is secret.
- Stage 2: learns the seed; no oracle access.
Limited information flow between the stages.

Slide 17
UCE security [Bellare, Hoang, Keelveedhi]
H = (Gen, h), s ← Gen(1^λ)
Source S: oracle access to h_s, or to a random function ρ ← Func(*, n); outputs leakage L.
Distinguisher D: receives s and L; outputs 0/1.

Slide 18
psPRP security [This work]
π = (Gen, π, π⁻¹), s ← Gen(1^λ)
Source S: oracle access to π_s/π_s⁻¹, or to a random permutation π ← Perms(n); makes both forward and backward queries! Outputs leakage L.
Distinguisher D: receives s and L; outputs 0/1.

Slide 19
Observation: psPRP-security is impossible against all PPT sources!
S queries (+, 0^n), receives y, and leaks L = y.
D outputs 1 iff y = π_s(0^n).
Real world (π_s): D outputs 1 with prob. 1. Ideal world (random π): with prob. 1/2^n.

Slide 20
Solution: restrict the class of considered sources!
Definition. π is psPRP[𝒮]-secure: ∀S ∈ 𝒮, ∀PPT D: D cannot distinguish the world where S is given π_s/π_s⁻¹ from the world where S is given π/π⁻¹ with π ← Perms(n).

Slide 21
all sources ⊇ 𝒮^srs (reset-secure) ⊇ 𝒮^sup (unpredictable)
Here: unpredictable and reset-secure sources.
Both restrictions capture unpredictability of source queries!
𝒮^sup ⊆ 𝒮^srs ⟹ psPRP[𝒮^srs] is a stronger assumption than psPRP[𝒮^sup].

Slide 22
Source restrictions – unpredictability
S interacts with π/π⁻¹ (π ← Perms(n)), making queries (σ_i, x_i) with σ_i ∈ {+, −} and receiving y_i; record Q ← Q ∪ {x_i, y_i}. S outputs leakage L.
Predictor A receives L, has oracle access to π/π⁻¹, and outputs a set Q'.
Goal: it must be hard for A to predict S's queries or their inverses: Pr[Q' ∩ Q ≠ ∅] = negl(λ).
𝒮^sup: A is computationally unbounded, poly queries.
𝒮^cup: A is PPT. iO ⟹ psPRP[𝒮^cup] impossible [BFM14].

Slide 23
Source restrictions – reset-security
Reset distinguisher D, output 0/1: S interacts with π/π⁻¹ (π ← Perms(n)) and outputs leakage L. D receives L and oracle access either to the same π/π⁻¹ or to an independent π'/π'⁻¹ (π, π' ← Perms(n)); D must not tell the two cases apart.
𝒮^srs: D is computationally unbounded, poly queries.
𝒮^crs: D is PPT.
Fact. 𝒮^sup ⊆ 𝒮^srs

Slide 24
Recap – Definitions
[Figure: the UCE and psPRP security games side by side]
Central assumptions in UCE theory. Equally useful?

Slide 25
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions

Slide 26
Example – Truncation
G_s(x) = π_s(x ‖ 0^(n−m))[1..r]: pad x ∈ {0,1}^m with zeros to n bits, apply π_s, keep the first r bits.
Lemma. If π is psPRP[𝒮^sup]-secure and m + ω(log n) ≤ r ≤ n − ω(log n), then G is a PRG. Thus, also a OWF ...
Proof: write the PRG game as a psPRP game. Source S: s ← Gen(1^λ), x ← {0,1}^m, (y, z) ← π_s(x ‖ 0^(n−m)); leak z. Distinguisher: b ← D(s, z).

Slide 27
Proof – Cont'd
Real game: s ← Gen(1^λ), x ← {0,1}^m, (y, z) ← π_s(x ‖ 0^(n−m)), b ← D(s, z).
By psPRP[𝒮^sup]-security (if S ∈ 𝒮^sup), replace π_s by a random π ← Perms(n): (y, z) ← π(x ‖ 0^(n−m)); now z is random!
Ideal game: s ← Gen, z ← {0,1}^r, b ← D(s, z).

Slide 28
Proof – Unpredictability of S
Predictor A receives z and has oracle access to π/π⁻¹; it must output S's query x ‖ 0^(n−m) or its image (y, z).
Fact. Pr[{(x, 0^(n−m)), (y, z)} ∩ Q' ≠ ∅] ≤ ... (negligible under the lemma's length constraints), where A makes q = poly(λ) queries.

Slide 29
Next
Can we get psPRPs at all? – Constructions from UCEs; heuristic instantiations.
Are psPRPs useful? – Constructions of UCEs; direct applications: garbling from fixed-key block ciphers.
Common denominator: CP-sequential indifferentiability.

Slide 30
How to build UCEs from psPRPs?
H[π]: a hash construction calling π_s/π_s⁻¹, mapping M ∈ {0,1}* ↦ H_s(M).
Ideal theorem. π psPRP[𝒮^srs]-secure ⟹ H[π] UCE[𝒮^srs]-secure.
What does H need to satisfy for this to be true?

Slide 31
Indifferentiability [MRH04]
Definition. H is indiff. from a RO if ∃ PPT Sim ∀ PPT A: (H^π, π/π⁻¹) ≈ (ρ, Sim^ρ), where π ← Perms(n) and ρ ← Funcs(*, n).
[Figure: A queries the construction (H^π or ρ) and the primitive (π/π⁻¹ or Sim^ρ); outputs 0/1]

Slide 32
CP-sequential indifferentiability
Def. H is CP-indiff. from a RO if ∃ PPT Sim ∀ PPT (A1, A2): (H^π, π/π⁻¹) ≈ (ρ, Sim^ρ), where π ← Perms(n) and ρ ← Funcs(*, n).
[Figure: two-stage adversary: A1 queries only the construction (H^π or ρ) and passes its state st to A2, which queries only the primitive (π/π⁻¹ or Sim^ρ); outputs 0/1]

Slide 33
From psPRPs to UCEs
Theorem. If H is CP-indiff from a RO, then: π psPRP[𝒮^srs]-secure ⟹ H[π] UCE[𝒮^srs]-secure.
Similar to [BHK14]. But: • needs full indifferentiability • UCE domain extension
Corollary. Every perm-based indiff. hash function transforms a psPRP into a UCE!

Slide 34
From psPRPs to UCEs – Proof
UCE game for H[π]: S queries H_s = H[π_s], s ← Gen(1^λ); D gets s and L.
Step 1: let S* be S composed with H, so S* queries π_s/π_s⁻¹ directly. By psPRP[𝒮^srs]-security, if S* ∈ 𝒮^srs, replace π_s by a random π ← Perms(n).
Step 2: by CP-indiff., replace H^π by ρ ← Funcs(*, n); S now queries ρ, which is the ideal UCE game.
Remaining: show S* is reset-secure, given that S is reset-secure and H is CP-indiff from a RO.

Slide 35
Reset-security of S*?
In the reset game for S* = S ∘ H, the reset distinguisher queries π/π⁻¹ (the same permutation, or an independent π'/π'⁻¹) only after S* has finished its construction queries: exactly the CP-sequential setting. By CP-indiff., replace H^π by ρ and the distinguisher's permutation oracle by Sim^ρ; the reset game for S* then becomes the reset game for S with respect to ρ.
⟹ S* is reset-secure!

Slide 36
Good news #1
Corollary. Every perm-based indiff. hash function transforms a psPRP into a UCE!
Many practical hash designs from permutations are indifferentiable from a RO!
UCE is a meaningful security target – several applications!

Slide 37
Examples – Sponges
Theorem. [BDVP08] Sponge is indifferentiable from a RO.
Corollary. π psPRP[𝒮^srs]-secure ⟹ Sponge[π] UCE[𝒮^srs]-secure.
[Figure: Sponge[π_s] absorbing M ∈ {0,1}* as blocks M1, M2, ..., starting from the all-zero state and applying π_s between blocks, then squeezing the output y]
Validates the Sponge paradigm for UCE applications!

Slide 38
Good news #2 – No need for full indifferentiability
Chop: truncates n bits to r bits, Chop[π](x) = π(x)[1..r].
Not indifferentiable!
• For random y, get x = π⁻¹(y)
• Query the construction on x, check consistency with the first r bits of y
[Figure: A interacts with Chop and π/π⁻¹, or with ρ and Sim; outputs 0/1]

Slide 39
Chop – Cont'd
Theorem. Chop is CP-indiff from a RO when r ≤ n − ω(log n).
Corollary. π psPRP[𝒮^srs]-secure ⟹ Chop[π] UCE[𝒮^srs]-secure. (Likewise psPRP[𝒮^sup] ⟹ UCE[𝒮^sup].)
From Chop[π] to a VIL UCE: domain extension techniques [BHK14].

Slide 40
What about the converse? psPRPs from UCEs?

Slide 41
psPRPs from UCEs
Theorem. If a permutation construction P is CP-indiff from a RP (random permutation), then: H UCE[𝒮^srs]-secure ⟹ P[H] psPRP[𝒮^srs]-secure.
[Figure: CP-sequential indifferentiability of P^ρ from a RP: A1 queries the construction (P^ρ or π/π⁻¹), then A2 queries the primitive (ρ or Sim); outputs 0/1]

Slide 42
From UCEs to psPRPs – Feistel
Feistel construction Ψ_k[ρ] on {0,1}^(2n) with round functions ρ_1, ρ_2, ρ_3, ρ_4, ρ_5, ...
#rounds for indifferentiability: impossible for few rounds [CPS08]; achieved with more rounds [HKT11] [DS16] [DKT16]; in between: ???
Corollary. psPRPs exist iff UCEs exist!!!*
*wrt reset-secure sources

Slide 43
Round complexity of Feistel for the UCE-to-psPRP transformation?
#rounds for CP-sequential indifferentiability: This work!!! (compared with [HKT11] [DS16] [DSKT16] for full indifferentiability)
Theorem. 5-round Feistel is CP-indiff from a RP.
Corollary. H UCE[𝒮^srs]-secure ⟹ Ψ_5[H] psPRP[𝒮^srs]-secure.

Slide 44
#rounds of Feistel for psPRP-security: impossible for few rounds [LR88]; [HKT11] [DS16] [DSKT16]; This work!!! Open: do 4 rounds suffice?
The 5-round proof is quite involved!
Our 5-round Sim:
• relies on chain-completion techniques
• heavily exploits query ordering
• very different chain-completion strategy from previous works, no recursion needed
[Figure: Feistel networks with round functions ρ1, ρ2, ..., annotated with the simulator's steps: detect, set uniform, forceVal]

Slide 45
A couple of extra results! (In passing!)

Slide 46
Heuristic instantiations
From seedless permutations (RP model): Gen: s ← {0,1}^n; π_s(x) = s ⊕ π(s ⊕ x). psPRP[𝒮^sup]-secure.
From block ciphers (ideal-cipher model): Gen: s ← a uniformly random key for E; π_s(x) = E(s, x). psPRP[𝒮^srs]-secure.
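The seeded-permutation syntax (Gen, π_s, π_s⁻¹), the "from seedless permutations" instantiation π_s(x) = s ⊕ π(s ⊕ x) above, and the truncation/Chop constructions from the earlier slides, as an added worked example that is not code from the talk or the paper. The seedless permutation is a constructed 64-bit ARX toy standing in for Keccak-f or a fixed-key AES, so the code runs offline; chop_consistency_holds is the relation checked in the slide's "Chop is not indifferentiable" argument, shown here from the real-world side only.

```python
import secrets

N_BITS = 64                       # block length n of the toy permutation
MASK32 = 0xFFFFFFFF
N_MASK = (1 << N_BITS) - 1


def _rotl32(v, r):
    return ((v << r) | (v >> (32 - r))) & MASK32


def _rotr32(v, r):
    return ((v >> r) | (v << (32 - r))) & MASK32


def toy_perm(x):
    """Seedless n-bit permutation pi: a CONSTRUCTED 8-round ARX toy standing in
    for a real permutation such as Keccak-f; it is efficiently invertible."""
    lo, hi = x & MASK32, x >> 32
    for rc in range(1, 9):                     # rc = round constant
        lo = (lo + hi) & MASK32
        hi = _rotl32(hi, 13) ^ lo ^ rc
    return (hi << 32) | lo


def toy_perm_inv(y):
    """pi^{-1}: undo the rounds of toy_perm in reverse order."""
    lo, hi = y & MASK32, y >> 32
    for rc in range(8, 0, -1):
        hi = _rotr32(hi ^ lo ^ rc, 13)
        lo = (lo - hi) & MASK32
    return (hi << 32) | lo


class SeededPerm:
    """Seeded permutation (Gen, pi_s, pi_s^{-1}) in the slides' syntax, using the
    slide-46 instantiation from a seedless permutation: pi_s(x) = s XOR pi(s XOR x).
    The seed is public, so anyone holding s can evaluate both directions."""

    def __init__(self, seed):
        self.seed = seed & N_MASK

    @classmethod
    def gen(cls):
        """Gen(1^lambda): sample a uniform n-bit seed."""
        return cls(secrets.randbits(N_BITS))

    def fwd(self, x):
        """Forward evaluation pi_s(x)."""
        return self.seed ^ toy_perm(self.seed ^ (x & N_MASK))

    def inv(self, y):
        """Backward evaluation pi_s^{-1}(y)."""
        return self.seed ^ toy_perm_inv(self.seed ^ (y & N_MASK))


def chop(perm, x, r):
    """Chop[pi_s](x): apply pi_s to an n-bit x and keep the first r bits."""
    return perm.fwd(x) >> (N_BITS - r)


def truncation_prg(perm, x, m, r):
    """Truncation construction of slide 26: G_s(x) = pi_s(x || 0^{n-m})[1..r] for an
    m-bit x; the PRG lemma needs m + omega(log n) <= r <= n - omega(log n)."""
    assert 0 <= x < (1 << m) and m < r < N_BITS
    return chop(perm, x << (N_BITS - m), r)


def chop_consistency_holds(perm, y, r):
    """Relation behind slide 38's 'Chop is not indifferentiable': in the real world
    Chop(pi_s^{-1}(y)) always equals the first r bits of y, which a simulator
    answering pi^{-1} beside an independent random oracle cannot reproduce."""
    x = perm.inv(y)
    return chop(perm, x, r) == y >> (N_BITS - r)


if __name__ == "__main__":
    pi_s = SeededPerm.gen()
    x = secrets.randbits(N_BITS)
    assert pi_s.inv(pi_s.fwd(x)) == x           # syntax condition (2)
    print("G_s(0xABCD) =", hex(truncation_prg(pi_s, 0xABCD, 16, 48)))
    print("Chop consistency:", chop_consistency_holds(pi_s, x, 40))
```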

Slide 47
Fast garbling from psPRPs
Garbling scheme from [BHKR13]:
• only calls a fixed-key block cipher, x ↦ E(0^n, x)
• proof in the RP model
• very fast – no key re-schedule
Garbled AND gate with input labels x_a^0, x_a^1, x_b^0, x_b^1 and output labels x_c^0, x_c^1:
E(0^n, x_a^0 ⊕ x_b^0) ⊕ x_a^0 ⊕ x_b^0 ⊕ x_c^0
E(0^n, x_a^0 ⊕ x_b^1) ⊕ x_a^0 ⊕ x_b^1 ⊕ x_c^0
E(0^n, x_a^1 ⊕ x_b^0) ⊕ x_a^1 ⊕ x_b^0 ⊕ x_c^0
E(0^n, x_a^1 ⊕ x_b^1) ⊕ x_a^1 ⊕ x_b^1 ⊕ x_c^1
Our variant: replace E(0^n, x) by π_s(x), with a fresh seed s generated upon each garbling operation!
Theorem. Secure when π is psPRP[𝒮^sup].

Slide 48
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions

Slide 49
Conclusion
First (useful) standard-model assumptions on permutations: psPRPs
[Figure: psPRPs linked to their constructions and applications]

Slide 50
(Some) open questions
Beyond psPRPs:
- Simpler assumptions on permutations?
More on psPRPs:
- More efficient constructions from UCEs?
- Weaker assumptions?
- Cryptanalysis?
ps-Pseudorandomness as a paradigm:
- UCE = psPRF
- Applications of psX?
Is SHA-3 a CRHF under any non-trivial assumption?

Slide 51
Thank you! Paper on ePrint really soon…
For now: http://www.cs.ucsb.edu/~tessaro/papers/SonTes17.pdf