Public-seed Pseudorandom Permutations EUROCRYPT 2017
|
|
- Abraham Hodge
- 5 years ago
- Views:
Transcription
1 Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017
2 Cryptographic schemes often built from generic building blocks
3 Cryptographic schemes often built from generic building blocks Typically: Block ciphers, hash/compression functions! M 1 M 2 M l K ipad M IV E K E K H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad
4 Cryptographic schemes often built from generic building blocks Typically: Block ciphers, hash/compression functions! M 1 M 2 M l K ipad M IV E K E K H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad Is there a universal and simple building block for efficient symmetric cryptography?
5 Recent trend: Start from seedless permutation
6 Recent trend: Start from seedless permutation
7 Recent trend: Start from seedless permutation Sponge paradigm
8 Recent trend: Start from seedless permutation Sponge paradigm
9 Recent trend: Start from seedless permutation Sponge paradigm
10 Recent trend: Start from seedless permutation Sponge paradigm Here: π is an efficiently computable and invertible one-to-one function
11 Permutations Hashing MACs Garbling KDFs PRNGs Authenticated Encryption it would be nice, now, if permutations can be called the Swiss Army Knife [of cryptography] Joan Daemen, Passwords^12
12 Typical instantiations
13 Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis
14 Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis Fixed-key block ciphers e.g., π x AES(0 128, x) AES 0 128
15 Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis Fixed-key block ciphers e.g., π x AES(0 128, x) AES Faster, no re-keying costs! Faster Hash functions [RS08], fast garbling [BHKR13]
16 Permutations assumptions Permutations are great in practice, but what about theory?
17 Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. S 0 0 π π π
18 Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. e.g., C = KECCAK; Y = Anything non-trivial X =??? S 0 0 π π π
19 Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. e.g., C = KECCAK; Y = Anything non-trivial X =??? S 0 0 π π π Observation: No standard-model proofs known for permutationbased constructions! Common approach: Use random permutation (RP) model π is random + adversary given oracle access to π and π 1
20 But: random permutations do not exist [CGH98]
21 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks
22 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model Hash functions random oracle
23 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions random oracle CRHF, OWFs, UOWHFs, CI, UCEs
24 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions Permutations random oracle RP CRHF, OWFs, UOWHFs, CI, UCEs????
25 But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions Permutations random oracle RP CRHF, OWFs, UOWHFs, CI, UCEs???? What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness
26 This work, in a nutshell First plausible and useful standard-model security assumption for permutations.
27 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps)
28 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions:
29 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions: Can we get psprps at all?
30 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions: Can we get psprps at all? Are psprps useful?
31 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] We address two main questions: Can we get psprps at all? Are psprps useful?
32 This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] We address two main questions: Can we get psprps at all? Yes! Are psprps useful? Yes!
33 psprps have many applications
34 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Message-locked Encryption (MLE) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Efficient garbling from fixed-key block-ciphers
35 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers
36 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers
37 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers
38 psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Feistel Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers
39 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions
40 We consider seeded permutations π 0,1 n 0,1 n P = (Gen, π, π 1 )
41 We consider seeded permutations π 0,1 n 0,1 n P = (Gen, π, π 1 ) Efficient (poly-time) algorithms π s 1 λ Gen s x π s x y π s 1 π s 1 y Seed generation Forward evaluation Backward evaluation (1) π s 0,1 n 0,1 n (2) x π s 1 π s x = x
42 Traditional security notion if seed is secret: Pseudorandom Permutation
43 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 0/1
44 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 0/1
45 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 5 0/1 Stage 1: Oracle access Secret seed Stage 2: Learns seed No oracle access
46 Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 5 0/1 Stage 1: Oracle access Secret seed Limited information flow Stage 2: Learns seed No oracle access
47 UCE security H = (Gen, h) Bellare Hoang Keelveedhi
48 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source H = (Gen, h) Bellare Hoang Keelveedhi
49 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source H = (Gen, h) Bellare Hoang Keelveedhi
50 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source L H = (Gen, h) D distinguisher Bellare Hoang Keelveedhi
51 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D distinguisher Bellare Hoang Keelveedhi
52 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D 0/1 distinguisher Bellare Hoang Keelveedhi
53 UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D 0/1 distinguisher Bellare Hoang Keelveedhi
54 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S D
55 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! D
56 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D
57 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1
58 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1 P is psprp-secure if PPT S, D, left and right are indistinguishable.
59 psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1 P is psprp-secure if PPT S, D, left and right are indistinguishable.
60 P is psprp-secure if PPT S, D,
61 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π s ρ Perms(n) ρ/ρ 1 S
62 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π s ρ Perms(n) ρ/ρ 1 (+, 0 n ) S (+, 0 n )
63 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n )
64 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y D
65 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y Outputs 1 iff y = π s 0 n D
66 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y Outputs 1 iff y = π s 0 n D 1 with prob. 1
67 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 y y (+, 0 n ) (+, 0 n ) S s L = y Outputs 1 iff y = π s 0 n D 1 1 with prob. 1 with prob. 1/2 n
68 P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 y y (+, 0 n ) (+, 0 n ) S s L = y Outputs 1 iff y = π s 0 n D 1 1 with prob. 1 with prob. 1/2 n psprp-security is impossible against all sources!
69 Sources need to be restricted P = (Gen, π, π 1 ) all sources
70 Sources need to be restricted P = (Gen, π, π 1 ) all sources S
71 Sources need to be restricted P = (Gen, π, π 1 ) all sources s Gen(1 λ ) π s /π s 1 ρ Perms(n) ρ/ρ 1 S S s L D 0/1 P is psprp[s]-secure if S S and PPT D, left and right are indistinguishable.
72 This talk unpredictable and reset-secure sources all sources
73 This talk unpredictable and reset-secure sources all sources S sup unpredictable
74 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources
75 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources!
76 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources! S sup S srs
77 This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources! S sup S srs psprp S srs is a stronger assumption than psprp S sup
78 Source restrictions unpredictability ρ Perms(n) S ρ/ρ 1 A
79 Source restrictions unpredictability σ {+, } S (σ, x i ) ρ Perms(n) ρ/ρ 1 A
80 Source restrictions unpredictability σ {+, } S (σ, x i ) ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A
81 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A
82 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} L A
83 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ)
84 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ) S sup : A is computationally unbounded S cup : A is PPT
85 Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ) S sup : A is computationally unbounded S cup : A is PPT psprp[s cup ] impossible if io exists [BFM14]
86 Source restrictions reset-security
87 Source restrictions reset-security S ρ/ρ 1 ρ Perms(n) R
88 Source restrictions reset-security S ρ/ρ 1 ρ Perms(n) R
89 Source restrictions reset-security S ρ/ρ 1 L ρ Perms(n) R ρ/ρ 1
90 Source restrictions reset-security S ρ/ρ 1 L ρ Perms(n) R ρ/ρ 1 0/1
91 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n)
92 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n)
93 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n) S srs : R is computationally unbounded S crs : R is PPT
94 Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n) S srs : R is computationally unbounded S crs : R is PPT S cup S crs
95 Recap psprp[s srs ] psprp[s sup ]
96 Recap psprp[s srs ] psprp[s sup ]
97 Recap
98 Recap Central assumption in UCE theory
99 Recap Central assumption in UCE theory
100 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions
101 Next Can we get psprps at all? Are psprps useful?
102 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations
103 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers
104 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers
105 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers
106 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Common denominator: A new, restricted notion of indifferentiability! Constructions of UCEs Direct applications Garbling from fixed-key block ciphers
107 Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Common denominator: A new, restricted notion of indifferentiability! Constructions of UCEs Direct applications Garbling from fixed-key block ciphers CP-sequential indifferentiability
108 Indifferentiability[MRH04] C f Funcs(, n) RO f RP ρ/ρ 1 ρ Perms(n)
109 Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 ρ Perms(n)
110 Indifferentiability[MRH04] A C RP ρ/ρ 1 ρ Perms(n) A f Funcs(, n) RO f?
111 Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 Sim ρ Perms(n)
112 Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 Sim 0/1 ρ Perms(n) 0/1
113 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1
114 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable.
115 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable. Remarks:
116 CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable. Remarks: 1. Full indifferentiability CP-seq indiff. 2. Reverse ordering: seq. indifferentiability [MPS12]
117 From psprps to UCEs Theorem:
118 From psprps to UCEs Theorem: C RP cpi RO C RP ρ/ρ 1
119 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C RP ρ/ρ 1
120 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] C RP ρ/ρ 1 π s /π s 1
121 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. C RP ρ/ρ 1 π s /π s 1
122 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. Similar result proved in [BHK14], but: Need full indifferentiability Only stated for UCE domain extension RP C ρ/ρ 1 π s /π s 1
123 From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. Similar result proved in [BHK14], but: Need full indifferentiability Only stated for UCE domain extension RP C ρ/ρ 1 1 π s /π s Corollary: Every perm-based indiff. hash-function transforms a psprp into a UCE!
124 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0
125 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 Theorem [BDVP08]: Sponge[RP] cpi RO.
126 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO.
127 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO. Corollary: P psprp S srs -secure Sponge[P] UCE S srs -secure.
128 From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO. Corollary: P psprp S srs -secure Sponge[P] UCE S srs -secure. Validates the Sponge paradigm for UCE applications!
129 CP-sequentially indiff. constructions that are not fully indiff.?
130 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.?
131 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? ρ
132 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? x {0,1} n ρ
133 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? x {0,1} n n ρ n
134 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r
135 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r
136 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ).
137 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable
138 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable
139 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure.
140 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable psprp S sup UCE S sup Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure.
141 From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable psprp S sup UCE S sup Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure. From Chop P to VIL UCE: Domain extension techniques [BHK14]
142 psprps from UCEs Theorem:
143 psprps from UCEs Theorem: C RO cpi RP A 1 C A 1 RP st st A 2 RO A 2 Sim b b
144 psprps from UCEs Theorem: C RO cpi RP + H UCE[S srs ]-secure C H psprp[s srs ]-secure. A 1 C A 1 RP st st A 2 RO A 2 Sim b b
145 psprps from UCEs Theorem: C RO cpi RP + H UCE[S srs ]-secure C H psprp[s srs ]-secure. A 1 C A 1 RP st st A 2 RO A 2 Sim b b Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psprp.
146 From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f]
147 From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f] [DS16] [DSKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability
148 From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f] [DS16] [DSKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability psprps exist in the standard model if UCEs exist!!!
149 Can we reduce the round-complexity of Feistel for UCE to psprp transformation?
150 Can we reduce the round-complexity of Feistel for UCE to psprp transformation? [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability
151 Can we reduce the round-complexity of Feistel for UCE to psprp transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem: 5-round Feistel (ψ 5 [f]) cpi RP.
152 Can we reduce the round-complexity of Feistel for UCE to psprp transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem: 5-round Feistel (ψ 5 [f]) cpi RP. Corollary: H UCE S srs -secure ψ 5 [H] psprp[s srs ]- secure.
153 5-round proof is technically involved
154 5-round proof is technically involved Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X 1 X 2 X 3 X 4 X 5 X 6 f 1 f 2 f 3 f 4 f 5 X 0 forceval forceval X 5 Set Set uniform uniform
155 5-round proof is technically involved Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X 1 X 2 X 3 X 4 X 5 X 6 f 1 f 2 f 3 f 4 f 5 X 0 forceval forceval X 5 Set Set uniform uniform Open: Do 4-rounds suffice? [LR88] impossible This work!!!??? [DS16] [DSKT16] [HKT11] #rounds of Feistel for psprp-security
156 Heuristic Instantiations
157 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: Gen: E s {0,1} k
158 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k
159 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k From Permutations e.g. the Keccak permutation P = (Gen, π, π 1 ) π: Gen: π s {0,1} k
160 Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k From Permutations e.g. the Keccak permutation P = (Gen, π, π 1 ) π: π psprp S sup -secure RP model Gen: s {0,1} k
161 Fast Garbling from psprps x a 0, x a 1 x b 0, x b 1 And x g 0, x g 1 Garbled And E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g
162 Fast Garbling from psprps Fast garbling from [BHKR13] x a 0, x a 1 x b 0, x b 1 And x g 0, x g 1 Garbled And E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g
163 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g
164 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g
165 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g This work: Replace E 0 k, x by π s for a random seed generated upon garbling.
166 Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g This work: Replace E 0 k, x by π s for a random seed generated upon garbling. Theorem: Secure garbling when π s is psprp[s sup ].
167 Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions
168 Conclusion psprps
169 Conclusion First standard model assumptions on permutations psprps
170 Conclusion First standard model assumptions on permutations psprps Constructions
171 Conclusion First standard model assumptions on permutations Applications psprps Constructions
172 Many open questions
173 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps?
174 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm:
175 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers?
176 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations?
177 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations? Is SHA-3 a CRHF under any non-trivial assumption?
178 Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations? Is SHA-3 a CRHF under any non-trivial assumption? Thank you!
Public-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Stefano Tessaro UCSB Joint work with Pratik Soni (UCSB) DIMACS Workshop New York June 8, 2017 We look at existing class of cryptographic primitives and introduce/study
More informationPublic-Seed Pseudorandom Permutations
Public-Seed Pseudorandom Permutations Pratik Soni and Stefano Tessaro University of California, Santa Barbara {pratik soni,tessaro}@cs.ucsb.edu Abstract. A number of cryptographic schemes are built from
More informationThe Random Oracle Model and the Ideal Cipher Model are Equivalent
The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCodes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII
Codes and Cryptography MAMME, Fall 2015 PART XII Outline 1 Symmetric Encryption (II) 2 Construction Strategies Construction Strategies Stream ciphers: For arbitrarily long messages (e.g., data streams).
More informationInstantiating Random Oracles via UCEs
A preliminary version of this paper appears in the proceedings of CRYPTO 2013. This is a revised and updated full version, available as IACR Cryptology eprint Archive Report 2013/424. Instantiating Random
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationCS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn
CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, 2014 Instructor: Rachel Lin 1 Recap Lecture 5: RSA OWFs Scribe: Tiawna Cayton Last class we discussed a collection of one-way functions (OWFs),
More informationG /G Introduction to Cryptography November 4, Lecture 10. Lecturer: Yevgeniy Dodis Fall 2008
G22.3210-001/G63.2170 Introduction to Cryptography November 4, 2008 Lecture 10 Lecturer: Yevgeniy Dodis Fall 2008 Last time we defined several modes of operation for encryption. Today we prove their security,
More informationDesign Paradigms for Building Multi-Property Hash Functions
Design Paradigms or Building Multi-Property Hash Functions Thomas Ristenpart UCSD Security and Cryptography Lab Lorentz Workshop June, 2008 Multi-property hash unctions One hash unction with many security
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationReset Indifferentiability and its Consequences
Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and
More informationContention in Cryptoland: Obfuscation, Leakage and UCE
Contention in Cryptoland: Obfuscation, Leakage and UCE Mihir Bellare 1, Igors Stepanovs 2, and Stefano Tessaro 3 1 Department of Computer Science and Engineering, University of California San Diego, USA.
More informationCryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationRandomness-Dependent Message Security
Randomness-Dependent Message Security Eleanor Birrell Kai-Min Chung Rafael Pass Sidharth Telang December 28, 2012 Abstract Traditional definitions of the security of encryption schemes assume that the
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationFeistel Networks made Public, and Applications
Feistel Networks made Public, and Applications Yevgeniy Dodis Prashant Puniya February 11, 2007 Abstract Feistel Network, consisting of a repeated application of the Feistel Transform, gives a very convenient
More information10-Round Feistel is Indifferentiable from an Ideal Cipher
10-Round Feistel is Indifferentiable from an Ideal Cipher Dana Dachman-Soled Jonathan Katz Aishwarya Thiruvengadam September 8, 2015 Abstract We revisit the question of constructing an ideal cipher from
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationPr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]
Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of
More informationBuilding Secure Block Ciphers on Generic Attacks Assumptions
Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationFoundation of Cryptography, Lecture 4 Pseudorandom Functions
Foundation of Cryptography, Lecture 4 Pseudorandom Functions Handout Mode Iftach Haitner, Tel Aviv University Tel Aviv University. March 11, 2014 Iftach Haitner (TAU) Foundation of Cryptography March 11,
More informationTowards RSA-OAEP without Random Oracles
Towards RSA-OAEP without Random Oracles Nairen Cao 1 Adam O Neill 2 Mohammad Zaheri 3 November 28, 2018 In Memoriam: John C. O Neill (1953 2018). Abstract We give the first positive results about instantiability
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which
More informationMESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified
More informationConstant-round Leakage-resilient Zero-knowledge from Collision Resistance *
Constant-round Leakage-resilient Zero-knowledge from Collision Resistance * Susumu Kiyoshima NTT Secure Platform Laboratories, Tokyo, Japan kiyoshima.susumu@lab.ntt.co.jp August 20, 2018 Abstract In this
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Digital Signatures Algorithms: Gen() à (sk,pk) Sign(sk,m) à σ Ver(pk,m,σ) à 0/1 Correctness: Pr[Ver(pk,m,Sign(sk,m))=1:
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationOn Keccak and SHA-3. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Icebreak 2013 Reykjavik, Iceland June 8, 2013
On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Icebreak 2013 Reykjavik, Iceland June 8, 2013 1 / 61 Outline 1 Origins
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationSimple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia)
Simple Pseudorandom Number Generator with Strengthened Double Encryption (Cilia) Henry Ng Henry.Ng.a@gmail.com Abstract. A new cryptographic pseudorandom number generator Cilia is presented. It hashes
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationOn Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT
On Perfect and Adaptive Security in Exposure-Resilient Cryptography Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT 1 Problem: Partial Key Exposure Alice needs to store a cryptographic
More informationBreaking Symmetric Cryptosystems Using Quantum Algorithms
Breaking Symmetric Cryptosystems Using Quantum Algorithms Gaëtan Leurent Joined work with: Marc Kaplan Anthony Leverrier María Naya-Plasencia Inria, France FOQUS Workshop Gaëtan Leurent (Inria) Breaking
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationSymmetric Crypto Systems
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Symmetric Crypto Systems EECE 412 Copyright 2004-2008 Konstantin Beznosov 09/16/08 Module Outline Stream ciphers under the hood Block ciphers
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis John Steinberger July 9, 2009 Abstract We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationMessage Authentication Codes from Unpredictable Block Ciphers
Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis 1 and John Steinberger 2 1 Department of Computer Science, New York University. dodis@cs.nyu.edu 2 Department of Mathematics,
More informationSecurity Under Key-Dependent Inputs
Security Under Key-Dependent Inputs Shai Halevi Hugo Krawczyk IBM T.J. Watson Research Center shaih@alum.mit.edu, hugo@ee.technion.ac.il August 13, 2007 Abstract In this work we re-visit the question of
More informationIntroduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.
Yoyo Game with AES Navid Ghaedi Bardeh University of Bergen May 8, 2018 1 / 33 Outline 1 Introduction on Block cipher 2 Yoyo Game 3 Application on AES 4 Conclusion 2 / 33 Classical Model of Symmetric Cryptography
More informationContention in Cryptoland: Obfuscation, Leakage and UCE
A preliminary version of this paper appears in TCC 2016-A. This is the full version appearing as IACR eprint Archive Report 2015/487. Contention in Cryptoland: Obfuscation, Leakage and UCE Mihir Bellare
More informationThe Magic of ELFs. Mark Zhandry MIT & Princeton
The Magic of ELFs Mark Zhandry MIT & Princeton mzhandry@princeton.edu Abstract We introduce the notion of an Extremely Lossy Function (ELF). An ELF is a family of functions with an image size that is tunable
More informationKeccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1
Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors 17th Workshop on Elliptic Curve Cryptography Leuven, Belgium, September 17th, 2013 1
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationOblivious Transfer (OT) and OT Extension
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationStream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida
Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationEfficient and Provable White-Box Primitives
Efficient and Provable White-Box Primitives Pierre-Alain Fouque 1,2, Pierre Karpman 3,4, Paul Kirchner 5, and Brice Minaud 1 1 Université de Rennes 1, France 2 Institut Universitaire de France 3 Inria,
More informationPrivate-Key Encryption
Private-Key Encryption Ali El Kaafarani Mathematical Institute Oxford University 1 of 37 Outline 1 Pseudo-Random Generators and Stream Ciphers 2 More Security Definitions: CPA and CCA 3 Pseudo-Random Functions/Permutations
More informationOvercoming Weak Expectations
Overcoming Weak Expectations Yevgeniy Dodis 1 and Yu Yu 2 1 New York University. Email: dodis@cs.nyu.edu. 2 Institute for Interdisciplinary Information Sciences, Tsinghua University. Email: yuyu@yuyu.hk.
More informationOvercoming Weak Expectations
Overcoming Weak Expectations Yevgeniy Dodis Yu Yu December 22, 2012 Abstract Recently, there has been renewed interest in basing cryptographic primitives on weak secrets, where the only information about
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationHASH FUNCTIONS. Mihir Bellare UCSD 1
HASH FUNCTIONS Mihir Bellare UCSD 1 Hashing Hash functions like MD5, SHA1, SHA256, SHA512, SHA3,... are amongst the most widely-used cryptographic primitives. Their primary purpose is collision-resistant
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationConstructing secure MACs Message authentication in action. Table of contents
Constructing secure MACs Message authentication in action Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents From last time Recall the definition of message
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationOn Quantum Indifferentiability
On Quantum Indifferentiability Tore Vincent Carstens, Ehsan Ebrahimi, Gelo Noel Tabia, and Dominique Unruh University of Tartu, Estonia March 8, 2018 Abstract We study the indifferentiability of classical
More information