Public-seed Pseudorandom Permutations EUROCRYPT 2017

Size: px

Start display at page:

Download "Public-seed Pseudorandom Permutations EUROCRYPT 2017"

Abraham Hodge
5 years ago
Views:

1 Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017

2 Cryptographic schemes often built from generic building blocks

3 Cryptographic schemes often built from generic building blocks Typically: Block ciphers, hash/compression functions! M 1 M 2 M l K ipad M IV E K E K H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad

M 1 M 2 M l K ipad M IV E K E K H H block cipher (e.g.

4 Cryptographic schemes often built from generic building blocks Typically: Block ciphers, hash/compression functions! M 1 M 2 M l K ipad M IV E K E K H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad Is there a universal and simple building block for efficient symmetric cryptography?

5 Recent trend: Start from seedless permutation

6 Recent trend: Start from seedless permutation

7 Recent trend: Start from seedless permutation Sponge paradigm

8 Recent trend: Start from seedless permutation Sponge paradigm

9 Recent trend: Start from seedless permutation Sponge paradigm

10 Recent trend: Start from seedless permutation Sponge paradigm Here: π is an efficiently computable and invertible one-to-one function

11 Permutations Hashing MACs Garbling KDFs PRNGs Authenticated Encryption it would be nice, now, if permutations can be called the Swiss Army Knife [of cryptography] Joan Daemen, Passwords^12

12 Typical instantiations

13 Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis

14 Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis Fixed-key block ciphers e.g., π x AES(0 128, x) AES 0 128

15 Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis Fixed-key block ciphers e.g., π x AES(0 128, x) AES Faster, no re-keying costs! Faster Hash functions [RS08], fast garbling [BHKR13]

16 Permutations assumptions Permutations are great in practice, but what about theory?

17 Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. S 0 0 π π π

18 Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. e.g., C = KECCAK; Y = Anything non-trivial X =??? S 0 0 π π π

Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. e.g., C = KECCAK; Y = Anything non-trivial X =?

19 Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. e.g., C = KECCAK; Y = Anything non-trivial X =??? S 0 0 π π π Observation: No standard-model proofs known for permutationbased constructions! Common approach: Use random permutation (RP) model π is random + adversary given oracle access to π and π 1

20 But: random permutations do not exist [CGH98]

21 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks

22 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model Hash functions random oracle

23 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions random oracle CRHF, OWFs, UOWHFs, CI, UCEs

24 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions Permutations random oracle RP CRHF, OWFs, UOWHFs, CI, UCEs????

25 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions Permutations random oracle RP CRHF, OWFs, UOWHFs, CI, UCEs???? What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness

26 This work, in a nutshell First plausible and useful standard-model security assumption for permutations.

27 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps)

28 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions:

29 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions: Can we get psprps at all?

30 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions: Can we get psprps at all? Are psprps useful?

31 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] We address two main questions: Can we get psprps at all? Are psprps useful?

32 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] We address two main questions: Can we get psprps at all? Yes! Are psprps useful? Yes!

33 psprps have many applications

34 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Message-locked Encryption (MLE) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Efficient garbling from fixed-key block-ciphers

35 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

36 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

37 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

38 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Feistel Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

39 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

40 We consider seeded permutations π 0,1 n 0,1 n P = (Gen, π, π 1 )

41 We consider seeded permutations π 0,1 n 0,1 n P = (Gen, π, π 1 ) Efficient (poly-time) algorithms π s 1 λ Gen s x π s x y π s 1 π s 1 y Seed generation Forward evaluation Backward evaluation (1) π s 0,1 n 0,1 n (2) x π s 1 π s x = x

42 Traditional security notion if seed is secret: Pseudorandom Permutation

43 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 0/1

44 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 0/1

45 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 5 0/1 Stage 1: Oracle access Secret seed Stage 2: Learns seed No oracle access

46 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 5 0/1 Stage 1: Oracle access Secret seed Limited information flow Stage 2: Learns seed No oracle access

47 UCE security H = (Gen, h) Bellare Hoang Keelveedhi

48 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source H = (Gen, h) Bellare Hoang Keelveedhi

49 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source H = (Gen, h) Bellare Hoang Keelveedhi

50 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source L H = (Gen, h) D distinguisher Bellare Hoang Keelveedhi

51 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D distinguisher Bellare Hoang Keelveedhi

52 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D 0/1 distinguisher Bellare Hoang Keelveedhi

53 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D 0/1 distinguisher Bellare Hoang Keelveedhi

54 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S D

55 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! D

56 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D

57 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1

58 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1 P is psprp-secure if PPT S, D, left and right are indistinguishable.

59 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1 P is psprp-secure if PPT S, D, left and right are indistinguishable.

60 P is psprp-secure if PPT S, D,

61 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π s ρ Perms(n) ρ/ρ 1 S

62 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π s ρ Perms(n) ρ/ρ 1 (+, 0 n ) S (+, 0 n )

63 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n )

64 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y D

65 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y Outputs 1 iff y = π s 0 n D

66 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y Outputs 1 iff y = π s 0 n D 1 with prob. 1

67 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 y y (+, 0 n ) (+, 0 n ) S s L = y Outputs 1 iff y = π s 0 n D 1 1 with prob. 1 with prob. 1/2 n

68 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 y y (+, 0 n ) (+, 0 n ) S s L = y Outputs 1 iff y = π s 0 n D 1 1 with prob. 1 with prob. 1/2 n psprp-security is impossible against all sources!

69 Sources need to be restricted P = (Gen, π, π 1 ) all sources

70 Sources need to be restricted P = (Gen, π, π 1 ) all sources S

71 Sources need to be restricted P = (Gen, π, π 1 ) all sources s Gen(1 λ ) π s /π s 1 ρ Perms(n) ρ/ρ 1 S S s L D 0/1 P is psprp[s]-secure if S S and PPT D, left and right are indistinguishable.

72 This talk unpredictable and reset-secure sources all sources

73 This talk unpredictable and reset-secure sources all sources S sup unpredictable

74 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources

75 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources!

76 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources! S sup S srs

77 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources! S sup S srs psprp S srs is a stronger assumption than psprp S sup

78 Source restrictions unpredictability ρ Perms(n) S ρ/ρ 1 A

79 Source restrictions unpredictability σ {+, } S (σ, x i ) ρ Perms(n) ρ/ρ 1 A

80 Source restrictions unpredictability σ {+, } S (σ, x i ) ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A

81 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A

82 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} L A

83 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ)

84 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ) S sup : A is computationally unbounded S cup : A is PPT

85 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ) S sup : A is computationally unbounded S cup : A is PPT psprp[s cup ] impossible if io exists [BFM14]

86 Source restrictions reset-security

87 Source restrictions reset-security S ρ/ρ 1 ρ Perms(n) R

88 Source restrictions reset-security S ρ/ρ 1 ρ Perms(n) R

89 Source restrictions reset-security S ρ/ρ 1 L ρ Perms(n) R ρ/ρ 1

90 Source restrictions reset-security S ρ/ρ 1 L ρ Perms(n) R ρ/ρ 1 0/1

91 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n)

92 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n)

93 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n) S srs : R is computationally unbounded S crs : R is PPT

94 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n) S srs : R is computationally unbounded S crs : R is PPT S cup S crs

95 Recap psprp[s srs ] psprp[s sup ]

96 Recap psprp[s srs ] psprp[s sup ]

97 Recap

98 Recap Central assumption in UCE theory

99 Recap Central assumption in UCE theory

100 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

101 Next Can we get psprps at all? Are psprps useful?

102 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations

103 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers

104 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers

105 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers

106 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Common denominator: A new, restricted notion of indifferentiability! Constructions of UCEs Direct applications Garbling from fixed-key block ciphers

107 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Common denominator: A new, restricted notion of indifferentiability! Constructions of UCEs Direct applications Garbling from fixed-key block ciphers CP-sequential indifferentiability

108 Indifferentiability[MRH04] C f Funcs(, n) RO f RP ρ/ρ 1 ρ Perms(n)

109 Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 ρ Perms(n)

110 Indifferentiability[MRH04] A C RP ρ/ρ 1 ρ Perms(n) A f Funcs(, n) RO f?

111 Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 Sim ρ Perms(n)

112 Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 Sim 0/1 ρ Perms(n) 0/1

113 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1

114 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable.

115 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable. Remarks:

116 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable. Remarks: 1. Full indifferentiability CP-seq indiff. 2. Reverse ordering: seq. indifferentiability [MPS12]

117 From psprps to UCEs Theorem:

118 From psprps to UCEs Theorem: C RP cpi RO C RP ρ/ρ 1

119 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C RP ρ/ρ 1

120 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] C RP ρ/ρ 1 π s /π s 1

121 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. C RP ρ/ρ 1 π s /π s 1

122 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. Similar result proved in [BHK14], but: Need full indifferentiability Only stated for UCE domain extension RP C ρ/ρ 1 π s /π s 1

123 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. Similar result proved in [BHK14], but: Need full indifferentiability Only stated for UCE domain extension RP C ρ/ρ 1 1 π s /π s Corollary: Every perm-based indiff. hash-function transforms a psprp into a UCE!

124 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0

125 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 Theorem [BDVP08]: Sponge[RP] cpi RO.

126 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO.

127 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO. Corollary: P psprp S srs -secure Sponge[P] UCE S srs -secure.

128 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO. Corollary: P psprp S srs -secure Sponge[P] UCE S srs -secure. Validates the Sponge paradigm for UCE applications!

129 CP-sequentially indiff. constructions that are not fully indiff.?

130 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.?

131 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? ρ

132 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? x {0,1} n ρ

133 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? x {0,1} n n ρ n

134 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r

135 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r

136 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ).

137 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable

138 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable

139 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure.

140 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable psprp S sup UCE S sup Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure.

141 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable psprp S sup UCE S sup Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure. From Chop P to VIL UCE: Domain extension techniques [BHK14]

142 psprps from UCEs Theorem:

143 psprps from UCEs Theorem: C RO cpi RP A 1 C A 1 RP st st A 2 RO A 2 Sim b b

144 psprps from UCEs Theorem: C RO cpi RP + H UCE[S srs ]-secure C H psprp[s srs ]-secure. A 1 C A 1 RP st st A 2 RO A 2 Sim b b

145 psprps from UCEs Theorem: C RO cpi RP + H UCE[S srs ]-secure C H psprp[s srs ]-secure. A 1 C A 1 RP st st A 2 RO A 2 Sim b b Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psprp.

146 From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f]

147 From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f] [DS16] [DSKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability

148 From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f] [DS16] [DSKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability psprps exist in the standard model if UCEs exist!!!

149 Can we reduce the round-complexity of Feistel for UCE to psprp transformation?

150 Can we reduce the round-complexity of Feistel for UCE to psprp transformation? [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability

151 Can we reduce the round-complexity of Feistel for UCE to psprp transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem: 5-round Feistel (ψ 5 [f]) cpi RP.

152 Can we reduce the round-complexity of Feistel for UCE to psprp transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem: 5-round Feistel (ψ 5 [f]) cpi RP. Corollary: H UCE S srs -secure ψ 5 [H] psprp[s srs ]- secure.

153 5-round proof is technically involved

154 5-round proof is technically involved Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X 1 X 2 X 3 X 4 X 5 X 6 f 1 f 2 f 3 f 4 f 5 X 0 forceval forceval X 5 Set Set uniform uniform

5-round proof is technically involved Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion

155 5-round proof is technically involved Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X 1 X 2 X 3 X 4 X 5 X 6 f 1 f 2 f 3 f 4 f 5 X 0 forceval forceval X 5 Set Set uniform uniform Open: Do 4-rounds suffice? [LR88] impossible This work!!!??? [DS16] [DSKT16] [HKT11] #rounds of Feistel for psprp-security

156 Heuristic Instantiations

157 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: Gen: E s {0,1} k

158 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k

159 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k From Permutations e.g. the Keccak permutation P = (Gen, π, π 1 ) π: Gen: π s {0,1} k

160 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k From Permutations e.g. the Keccak permutation P = (Gen, π, π 1 ) π: π psprp S sup -secure RP model Gen: s {0,1} k

161 Fast Garbling from psprps x a 0, x a 1 x b 0, x b 1 And x g 0, x g 1 Garbled And E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

162 Fast Garbling from psprps Fast garbling from [BHKR13] x a 0, x a 1 x b 0, x b 1 And x g 0, x g 1 Garbled And E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

163 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

164 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

165 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g This work: Replace E 0 k, x by π s for a random seed generated upon garbling.

RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n,

K 00 0 K 00 x g This work: Replace E 0 k, x by π s for a random seed

166 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g This work: Replace E 0 k, x by π s for a random seed generated upon garbling. Theorem: Secure garbling when π s is psprp[s sup ].

167 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

168 Conclusion psprps

169 Conclusion First standard model assumptions on permutations psprps

170 Conclusion First standard model assumptions on permutations psprps Constructions

171 Conclusion First standard model assumptions on permutations Applications psprps Constructions

172 Many open questions

173 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps?

174 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm:

175 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers?

176 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations?

177 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations? Is SHA-3 a CRHF under any non-trivial assumption?

178 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations? Is SHA-3 a CRHF under any non-trivial assumption? Thank you!

Public-Seed Pseudorandom Permutations

Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study