Public-Seed Pseudorandom Permutations

Transcription

1 Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017

2 We look at existing class of cryptographic primitives and introduce/study the first plausible assumptions on them. Pratik Soni, Stefano Tessaro Public-Seed Pseudorandom Permutations EUROCRYPT 2017

3 Cryptographic schemes often built from simpler building blocks M, M / M l K ipad M IV E + E + H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad Is there a universal and simple building block for efficient symmetric cryptography? Main motivation: Single object requiring optimized implementation!

4 Recent trend: = permutation Example. Sponge construction (as in SHA-3) [BDPvA] M r-bit blocks: M, M / M 3 r n r 0 0 π π π H(M) efficiently computable and invertible permutation

5 Several permutation-based constructions Hash functions, authenticated encryption schemes, PRNGs, garbling schemes

6 Permutation instantiations Ad-hoc designs e.g., in SHA-3, AE schemes, Designed to withstand cryptanalytic attacks against constructions using them! e.g., no collision attack Fixed-key block ciphers e.g., π x AES(0,/@, x) AES 0,/@ Faster hash functions [RS08], fast garbling [BHKR13]

7 Permutations assumptions What security properties do we expect from a permutation? Ideal goal: Standard-model reduction! If π satisfies X then C[π] satisfies Y. e.g., C = SHA 3; Y = Anything non-trivial X =??? S Q0 0 π π π Unfortunately: No standard-model proofs known under non-tautological assumptions!

8 Security of permutation-based crypto Provable security Random permutation model! π is random + adversary given oracle access to π and π R, clearly unachievable [CGH98] security against generic attacks! Cryptanalysis Application specific attacks Insights are hard to recycle for new applications Very little permutationspecific cryptanalysis

9 Example OWFs from permutations π: {0,1} X 0,1 X x π y = π x π R, π R, (y) Clearly: Cannot be one way! So, how do we make a oneway function out of π?

10 Naïve idea: Truncation f: 0,1 X 0,1 X// x π y z z Not one way: y: π R, (y, z) preimage of z Better candidate: g: 0,1 X// 0,1 X// x 0 x π y z z Conjectured one-way for π = SHA-3 permutation Wanted: Basic (succinct, non-tautological) security property satisfied by π which implies one-wayness of g?

11 Permutations vs hash functions ideal model standard model Hash functions Permutations random oracle random permutation CRHF, OWFs, UOWHFs, CI, UCEs What kind of cryptographic hardness can we expect from a permutation?

12 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] Two main questions: Can we get psprps at all? Are psprps useful?

13 psprps Landscape preview Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Feistel e.g., Sponges psprp UCE Message-locked Encryption (MLE) Hardcore functions KDM-secure symmetric key Enc. Point-function Obfuscation CCA-secure Enc. Efficient garbling from fixed-key block-ciphers

14 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

15 Syntax: Seeded permutations π 0,1 X 0,1 X P = (Gen, π, π R, ) π h 1 i Gen s x π h x y π h R, π h R, y Seed generation Forward evaluation Backward evaluation (1) π h 0,1 X 0,1 X (2) x π h R, π h x = x

16 Secret-seed security: Pseudorandom permutations (PRPs) s Gen(1 i ) ρ Perms(n) π p / π h R, ρ/ρ R, D5 0/1 Stage 1: Oracle access Secret seed Limited information flow Stage 2: Learns seed No oracle access

17 UCE security h h s Gen(1 i ) f Func(, n) Bellare Hoang Keelveedh f source S H = (Gen, h) s L leakage distinguisher D 0/1

18 psprp security [This work] π h /π h R, s Gen(1 i ) ρ Perms(n) ρ/ρ R, Makes both forward and backward queries! source s S L P = (Gen, π, π R, ) distinguisher D 0/1

19 Observation: psprp-security impossible against all PPT sources! π h /π h R, ρ/ρ R, (+, 0 X ) y S y (+, 0 X ) Outputs 1 iff s L = y 1 D y = π h 0 X 1 with prob. 1 with prob. 1/2 X

20 Solution: Restrict class of considered sources! all sources π h /π h R, ρ/ρ R, S S s L D 0/1 Definition. P psprp[s]-secure: S S, PPT D: π h /π h R, ρ/ρ R,

21 Here: unpredictable and reset-secure sources reset-secure all sources S h h S hƒ unpredictable Both restrictions capture unpredictability of source queries! S hƒ S h h psprp S h h stronger assumption than psprp S hƒ

22 Source restrictions unpredictability σ {+, } (σ, x ) S ρ/ρ R, y A L Q Q {x, y } Goal: Must be hard for A to predict S s queries or their inverses Q Pr [ Q Q φ] = negl(λ) S hƒ : A is computationally unbounded, poly queries S ƒ : A is PPT io psprp[s ƒ ] impossible [BFM14]

23 Source restrictions reset-security S ρ/ρ R, S ρ/ρ R, L L R ρ/ρ R, R ρ /ρ R, 0/1 ρ Perms(n) 0/1 ρ, ρ Perms(n) S h h : R is computationally unbounded, poly queries S h : R is PPT Fact. S hƒ S h h

24 Recap Definitions Equally useful? Central assumptions in UCE theory

25 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

26 Example Truncation 0 y g h : 0,1 0,1 x x π h z z g h x = π h x, 0 XR [1.. k] Lemma. If π psprp[s hƒ ]-secure and m + ω log λ k n ω log λ, then g is PRG. Thus, also a OWF... s Gen(1 i ) x 0,1 XR (y, z) π h (x, 0) b D(s, z) (x, 0 XR ) π h S (y, z) s z D b

27 Proof Cont d π h ρ random! (x, 0 XR ) (y, z) s (x, 0 XR ) (y, z) s S z D b S z D b s Gen(1 i ) x 0,1 XR (y, z) π h (x, 0) b D(s, z) if S S hƒ s Gen z 0,1 b D(s, z)

28 Proof Unpredictability of S (x, 0 XR ) ρ (y, z) ρ/ρ R, q = poly(n) queries S z R Q Fact. Pr (x, 0 XR ), y, z Q φ ž / Ÿ + ž /

29 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Constructions of UCEs Heuristic Instantiations Common denominator: CP-sequential indifferentiability Direct applications Garbling from fixed-key block ciphers

30 How to build UCEs from psprps? H[P] π h /π h R, M 0,1 H H h (M) Ideal theorem. P psprp[s h h ]-secure H[P] UCE[S h h ]-secure. What does H need to satisfy for this to be true?

31 Indifferentiability [MRH04] f Funcs(, n) H f A A 0/1 ρ/ρ R, ρ Perms(n) 0/1? Sim Definition. H indiff. from RO if PPT Sim PPT A: H + ρ/ρ R, f + Sim

32 CP-sequential indifferentiability f Funcs(, n) A A, H, st A ρ/ρ R, A / / st f Sim 0/1 ρ Perms(n) 0/1 Def. H CP-indiff. from RO if PPT Sim PPT (A,, A / ): H + ρ/ρ R, f + Sim

33 From psprps to UCEs Theorem. P psprp[s h h ]-secure H CP-indiff from RO H[P] UCE[S h h ]-secure. Similar to [BHK14]. But: Needs full indifferentiability UCE domain extension π h /π h R, H Corollary. Every perm-based indiff. hash-function transforms a psprp into a UCE!

34 From psprps to UCEs Proof s Gen(1 i ) ρ Perms(n) S reset-secure H is CP-indiff from RO f Funcs(, n) π h /π h R, ρ/ρ R, H s H s f s S D S D S D S S by psprp[s h h ]- security if S S h h by CP-indiff.

35 Reset-security of S? S h ρ/ρ R, cpi f Sim R S R S R f f«sim R cpi ρ/ρ R, S h ρ /ρ R, S is reset-secure! S R S R

36 Good news #1 Corollary. Every perm-based indiff. hashfunction transforms a psprp into a UCE! Many practical hash designs from permutations are indifferentiable from RO! UCE is a meaningful security target several applications!

37 Examples Sponges M {0,1} M, M / M SQ r 0 r y n r 0 ρ ρ ρ π h π h π h Theorem. [BDVP08] Sponge indifferentiable from RO. Corollary, P psprp S h h -secure Sponge[P] UCE S h h -secure. Validates the Sponge paradigm for UCE applications!

38 Good news #2 No need for full indifferentiability Chop truncates n-bits to r-bits ρ n n r Not indifferentiable! For random y, get x = ρ R, (y) Query construction on x, check consistency with first r bits of y Chop A A ρ/ρ R, 0/1 0/1 f Sim

39 Chop Cont d truncates n-bits to r-bits ρ πh n n r Theorem. Chop is CP-indiff from RO when n r ω(log λ). psprp S hƒ UCE S hƒ Corollary. P psprp S h h -secure Chop[P] UCE[S h h ]- secure. From Chop P to VIL UCE: Domain extension techniques [BHK14]

40 What about the converse? psprps UCEs

41 psprps from UCEs Theorem. H UCE[S h h ]-secure P CP-indiff from RP P[H] psprp[s h h ]-secure. A, P A, st f A / A / st ρ/ρ R, Sim 0/1 0/1

42 From UCEs to psprps Feistel X {0,1} /X f, f / f ± f ² f ³ Y {0,1} /X ψ ³ [f] [DS16] [DKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability Corollary. psprps exist iff UCEs exist!!!* * wrt reset-secure sources

43 Round-complexity of Feistel for UCE-to-psPRP transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem. 5-round Feistel is CP-indiff from RP Corollary. H UCE S h h -secure ψ ³ [H] psprp[s h h ]- secure.

44 5-round proof is quite involved! Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X, X / X ± X ² X ³ X f, f / f ± f ² f ³ X Q forceval forceval X ³ Set Set uniform uniform Open: Do 4-rounds suffice? [LR88] impossible This work!!!??? [DS16] [DSKT16] [HKT11] #rounds of Feistel for psprp-security

45 A couple of extra results! (In passing!)

46 Heuristic Instantiations From block ciphers: π h x = E(s, x) Gen: E s {0,1} psprp S h h -secure Ideal-cipher model From seedless permutations: π h x = s π(s x) π psprp S hƒ -secure RP model Gen: s {0,1}

47 Fast Garbling from psprps x º Q, x º, x» Q, x», AND x ¼ Q, x ¼, Garbling scheme from [BHKR13] Only calls fixed-key block cipher x E(0, x) Very fast no key re-schedule Proof in RP model Garbled AND-Gate E 0 X, x Q º x Q» x Q º x Q Q» x ¼ E 0 X, x Q º x,» x Q º x, Q» x ¼ E 0 X, x, º x Q» x, º x Q Q» x ¼ E 0 X, x, º x,» x, º x,,» x ¼ Our variant: E 0, x π h (x), fresh seed s generated upon each garbling operation! Theorem. Secure when π s is psprp[s hƒ ].

48 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

49 Conclusion First (useful) standard model assumptions on permutations Applications psprps Constructions

50 (Some) open questions More on psprps: - More efficient constructions from UCEs? - Weaker assumptions? - Cryptanalysis? ps-pseudorandomness as a paradigm: - UCE = psprf - Applications of psx? Beyond psprps: - Simpler assumptions on permutations? Is SHA-3 a CRHF under any non-trivial assumption?

51 Thank you! Paper on eprint really soon For now: