Garbling XOR Gates For Free in the Standard Model


Benny Applebaum

Author footnote: School of Electrical Engineering, Tel-Aviv University, bennyap@post.tau.ac.il. Supported by Alon Fellowship, ISF grant 1155/11, Israel Ministry of Science and Technology (grant ), and GIF grant 1152/

Abstract

Yao's garbled circuit (GC) technique is a powerful cryptographic tool which allows to encrypt a circuit $C$ by another circuit $\hat{C}$ in a way that hides all information except for the final output. Yao's original construction incurs a constant overhead in both computation and communication per gate of the circuit $C$ (proportional to the complexity of symmetric encryption). Kolesnikov and Schneider (ICALP 2008) introduced an optimized variant that garbles XOR gates "for free" in a way that involves no cryptographic operations and no communication. This variant has become very popular and has led to notable performance improvements. The security of the free-XOR optimization was originally proved in the random oracle model. Despite some partial progress (Choi et al., TCC 2012), the question of replacing the random oracle with a standard cryptographic assumption has remained open. We resolve this question by showing that the free-XOR approach can be realized in the standard model under the learning parity with noise (LPN) assumption. Our result is obtained in two steps:

1. We show that the random oracle can be replaced with a symmetric encryption which remains secure under a combined form of related-key (RK) and key-dependent message (KDM) attacks;

2. We show that such a symmetric encryption can be constructed based on the LPN assumption.

As an additional contribution, we prove that the combination of RK and KDM security is nontrivial in the following sense: There exists an encryption scheme which achieves RK security and KDM security separately, but breaks completely in the presence of combined RK-KDM attacks.

1 Introduction

Yao's garbled circuit (GC) construction [43] is an efficient transformation which maps any boolean circuit $C : \{0,1\}^n \to \{0,1\}^m$ together with secret randomness into a garbled circuit $\hat{C}$ along with $n$ pairs of short $k$-bit keys $(W_i^0, W_i^1)$ such that, for any (unknown) input $x$, the garbled circuit $\hat{C}$ together with the $n$ keys $W_x = (W_1^{x_1}, \ldots, W_n^{x_n})$ reveal $C(x)$ but give no additional information about $x$. Yao's celebrated result shows that such a transformation can be based on the existence of any pseudorandom generator [13, 42], or equivalently a one-way function [21]. Originally motivated by the problem of secure multiparty computation [42, 20], the GC construction has found a diverse range of other applications to problems such as computing on encrypted data, parallel cryptography, verifiable computation, software protection, functional encryption, and key-dependent message security (see [5] for references). Despite its theoretical importance, GC was typically considered to be impractical due to a large computational and communication overhead which is proportional to the circuit size. This belief was recently challenged by a fruitful line of works that optimizes the concrete efficiency of GC-based protocols up to a level that suits large-scale practical applications [37, 34, 31, 30, 39, 38, 22, 23, 41, 24, 29]. Among other improvements, all current implementations of GCs (e.g., [39, 22, 33, 41, 23]) employ the so-called free-XOR optimization of Kolesnikov and Schneider [28]. While in Yao's original construction every gate of the circuit $C$ has a computational cost of few cryptographic operations (e.g., three or four applications of a symmetric primitive) and a communication cost of few ciphertexts, Kolesnikov and Schneider showed how to completely eliminate the communication and computational overhead of XOR-gates. Although this leads only to an efficiency improvement by a constant factor, the effect on the practical performance turns out to be significant, especially for large or medium size circuits as demonstrated in [28, 27, 39].

As in many cases, this gain in efficiency requires stronger cryptographic assumptions. Unlike Yao's GC, which can be based on the existence of standard symmetric-key cryptography, the free-XOR optimization relies on a hash function $H$ which is modeled as a random oracle [9]. Due to the known limitations of the random oracle model [16], it is natural to ask:

Is it possible to realize the free-XOR optimization in the standard model?

This question was raised in the original work of Kolesnikov and Schneider [28] and was further studied in [3, 17]. In [28] it was conjectured that the full power of the random oracle is not really needed, and that the function $H$ can be instantiated with a correlation-robust hash function [25], a strong (yet seemingly realizable) version of a hash function which remains pseudorandom even when it is applied to linearly related inputs. Choi et al. [17] showed that the picture is actually more complex: correlation robustness alone does not suffice for security (as demonstrated by an explicit counter-example in the random-oracle model). Instead, one has to employ a stronger form of hash function which, in addition to being correlation-robust, also satisfies some form of circular security [15, 10]. While the existence of circular correlation-robust hash functions (a new primitive introduced by Choi et al. [17]) seems to be a reasonable assumption (significantly weaker than the existence of a random oracle), it is still unknown how to realize it based on a standard cryptographic assumption. This leaves open the problem of implementing the free-XOR optimization in the standard model.

1.1 Our Contribution

We resolve the above feasibility question by showing that the free-XOR optimization can be realized in the standard model under the learning parity with noise (LPN) assumption [19, 11]. This assumption, which can also be formulated as the intractability of decoding a random linear code, is widely studied by the coding and learning communities and was extensively employed in cryptographic constructions during the last two decades. Specifically, we make the following contributions:

1. We introduce a new combined form of Related Key (RK) and Key Dependent Message (KDM) attacks. Roughly speaking, in such an attack the adversary is allowed to see ciphertexts of the form $\mathrm{Enc}_{\varphi(K)}(\psi(K))$ where $K$ is the secret key and the functions $\varphi$ and $\psi$ are chosen by the adversary from some predefined function families. This notion of security, referred to as RK-KDM security, generalizes the previous definitions of semantic security under related key attacks [3] and key-dependent message attacks [15, 10]. In fact, as shown in Section 5, this is a strict generalization as there exists an encryption scheme which satisfies both RK-security and KDM-security separately, but fails to achieve the combined form of RK-KDM security.

2. We prove that the free-XOR construction is secure when instantiated with a semantically-secure symmetric encryption scheme whose security is preserved under linear RK-KDM attacks. (Essentially, $\varphi(K) = K + \Delta_1$ and $\psi(K) = K + \Delta_2$ for any fixed shift vectors $\Delta_1$ and $\Delta_2$.)

3. We show that the LPN-based symmetric encryption of [18] and its generalization [2] satisfies RK-KDM security with respect to linear functions. In fact, our proof provides a general template for proving RK-KDM security based on pseudorandomness and joint key/message homomorphism. This is similar to previous results along these lines [14, 2, 6, 3].

Altogether our proofs turn out to be quite simple (which we consider as a virtue), short and modular. This is due to the following choices:

Encryption vs. Hashing. The key point in which we deviate from [28, 17] is the use of (randomized) symmetric encryption, as opposed to a deterministic hash function (or some other pseudorandom primitive). Indeed, the GC construction essentially employs the hash function only as a computational one-time pad, namely, as a means to achieve secrecy. Therefore, in terms of functionality it seems best (i.e., more general) to abstract the underlying primitive as an encryption scheme. While this is true in general for the standard GC (cf. [31, 4] and the recent discussion in [7]), this distinction becomes even more important in the context of the free-XOR variant. In this case, the underlying primitive should satisfy stronger notions of security (RKA and KDM), and this turns out to be much easier for randomized encryption than for pseudorandom objects such as hash functions. (See also [3].) As a secondary gain, the new security definition that arises for symmetric encryption (RKA-KDM semantic security) is natural and compatible with existing well-studied notions. In contrast, the analogous definition of RKA-KDM security for hash functions (circular correlation-robustness) appears less natural as there is no obvious interpretation for the concepts of "message" and "key".

GC as Randomized Encoding. It is important to distinguish between the garbled circuit transformation (i.e., the mapping from $C$ to $\hat{C}$) and the secure function evaluation protocol which is based on it. The distinction between the two, which is sometimes blurred, can be formulated via the notion of randomized encoding of functions [26] as done in [4]. Our proofs follow this abstraction, and show that the free-XOR technique yields a computationally private randomized encoding. At this point one can invoke, for example, the general theorem of [4] to derive a secure MPC protocol. Similarly, all other applications (cf. [1]) of randomized encoding can be obtained directly by invoking the reduction from RE to the desired task. This is the first modular treatment of the free XOR variant.

1.2 Discussion

The main goal of this work is to provide a solid theoretical justification for the free-XOR heuristic. This is part of an ongoing effort of the theory community to explain the security of real world protocols. Several such examples arise when trying to import random-oracle based protocols to the standard model. In this context, [16] suggested a two-step methodology: (1) identify useful special-purpose properties of the random oracle and (2) show that these properties can be also provided by a fully specified function (or function ensemble). In the context of the free-XOR technique, the first step was essentially taken by [17] who identified the extra need of circular security, while the current paper completes the second step which involves, in addition, some fine-tuning of step 1. It should be emphasized that we do not suggest to replace the hash function with an LPN-based scheme in practical implementations (though we do not rule out such a possibility either). Still, we believe that the results of this work are useful even if one decides, due to efficiency considerations, to use a heuristic implementation. Specifically, viewing the primitive as an RKA-KDM secure encryption scheme allows to rely on other heuristic solutions such as block ciphers, for which RKA and KDM security are well studied.

Other related works. The notions of key-dependent message security (aka circular security) and related-key attacks were introduced by [15, 10] and [8]. Both notions were extensively studied (separately) during the last decade. Most relevant to this paper is our joint work with Harnik and Ishai [3]. This work introduces the notion of semantic security under related-key attacks, describes several constructions, and shows that protocols employing correlation-robust hash functions and their relatives (e.g., [36, 25]), can be securely instantiated with RKA-secure encryption schemes. In addition, [3] suggested to apply a similar modification to the free-XOR variant, which was believed to be secure when instantiated with correlation-robust hash functions [28]. As mentioned, the latter claim was found to be inaccurate, and therefore the results of [3] cannot be used in the context of the free-XOR technique. (The other applications mentioned in [3] remain valid.)

Organization. Following some preliminaries (Section 2), in Section 3 we define semantic security under RK-KDM attacks and describe an LPN-based implementation. Section 4 is devoted to the garbled circuit construction, including definitions (in terms of randomized encoding), a description of Yao's original construction and the free-XOR variant, and a proof of security that reduces the privacy of the free-XOR GC to the RK-KDM security of the underlying encryption. In Section 5, we describe an encryption scheme which is KDM secure and RKA secure but not RK-KDM secure, separating the latter notion from the former ones. Finally, we end with a short conclusion in Section 6.

2 Preliminaries

We let $\|$ denote string concatenation. Strings are often treated as vectors or matrices over the binary field $\mathbb{F}_2$; accordingly string addition is interpreted simply as bit-wise exclusive-or. When adding together two matrices $A \in \mathbb{F}_2^{n \times k}$ and $B \in \mathbb{F}_2^{N \times k}$ where $n < N$ we assume that the last $N - n$ missing rows of $A$ are padded with zeroes. The same convention holds with respect to vectors (i.e., when $k = 1$).

2.1 Randomized functions

We extensively use the abstraction of randomized functions which can be seen as a special case of Maurer's Random Systems [35]. A randomized function is a two argument function $f : X \times R \to Y$ whose first input $x$ is referred to as the deterministic input and the second input is referred to as the random input. For every deterministic input $x$, we think of $f(x)$ as the random variable induced by sampling $r \leftarrow_R R$ and computing $f(x; r) \in Y$. When a (randomized) algorithm $A$ gets oracle access to a randomized function $f$, we assume that $A$ has control only on the deterministic input; namely, if $A$ queries $f$ with $x$, it gets as a result a fresh sample from $f(x)$. Note that $A^f$ itself defines a randomized function. We say that $\{f_s\}_{s \in \{0,1\}^*}$ is a collection of randomized functions if $f_s$ is a randomized function for every key $s$. By default, all the collections are efficiently computable in the sense that $f_s(x)$ can be sampled in time $\mathrm{poly}(|s| + |x|)$.

Indistinguishability. A pair of randomized functions $f, g$ is equivalent, denoted $f \equiv g$, if for every input $x$ the random variables $f(x)$ and $g(x)$ are identically distributed. A pair $f = \{f_s\}$ and $g = \{g_s\}$ of collections of randomized functions is computationally indistinguishable, denoted by $f \approx_c g$, if for every efficient adversary $A$ it holds that

$$\Big| \Pr_{s \leftarrow_R \{0,1\}^k}[A^{f_s}(1^k) = 1] - \Pr_{s \leftarrow_R \{0,1\}^k}[A^{g_s}(1^k) = 1] \Big| < \mathrm{neg}(k).$$

We extend the above definition to the case of collections $f = \{f_{1^\kappa}\}$ and $g = \{g_{1^\kappa}\}$ which contain a single randomized function for every input length $\kappa$. In this case, we augment $f$ (resp., $g$) by letting $f_s = f_{1^{|s|}}$ (resp., $g_s = g_{1^{|s|}}$) and use the previous definition.[1]

Let $\{f_s\}$, $\{g_s\}$ and $\{h_s\}$ be collections of randomized functions. We will need the following standard facts (cf. [35]).

Fact 2.1. If for every $k \in \mathbb{N}$, $\Pr_{s \leftarrow_R \{0,1\}^k}[f_s \equiv g_s] > 1 - \varepsilon(k)$ for some negligible function $\varepsilon$, then $\{f_s\} \approx_c \{g_s\}$.

Fact 2.2. If $\{f_s\} \approx_c \{g_s\}$ and $A$ is an efficient function then $\{A^{f_s}\}_s \approx_c \{A^{g_s}\}_s$.

Fact 2.3. If $\{f_s\} \approx_c \{g_s\}$ and $\{g_s\} \approx_c \{h_s\}$ then $\{f_s\} \approx_c \{h_s\}$.

Footnote 1: More generally, one can define computational indistinguishability with respect to a pair of key sampling algorithms $\mathrm{KeyGen}_f(1^\kappa)$ and $\mathrm{KeyGen}_g(1^\kappa)$ which induce, for every security parameter $\kappa$, a probability distribution over the ensembles $f$ and $g$. However, for this paper the simpler definition suffices.

3 RK-KDM Security

A pair of efficient probabilistic algorithms $(\mathrm{Enc}, \mathrm{Dec})$ is a symmetric encryption scheme over the message-space $\{0,1\}^*$ and key-space $\{0,1\}^k$ (where $k$ serves as the security parameter) if for every message $M \in \{0,1\}^*$

$$\Pr_{s \leftarrow_R \{0,1\}^k}[\mathrm{Dec}_s(\mathrm{Enc}_s(M)) = M] = 1.$$

We also assume (WLOG) length-regularity, i.e., that messages of equal length $|M| = |M'|$ are always encrypted by ciphertexts of equal length $|\mathrm{Enc}_s(M)| = |\mathrm{Enc}_s(M')|$. Our security definitions are parameterized by a family of key-derivation and key-dependent-message functions (which are also indexed by the security parameter $k$)

$$\Phi_{\mathrm{RKA}} = \{\varphi : \{0,1\}^k \to \{0,1\}^k\}, \qquad \Psi_{\mathrm{KDM}} = \{\psi : \{0,1\}^k \to \{0,1\}^*\}.$$

These families determine the legal relations between the related keys and the key-related messages. RK-KDM security is defined via the following pair of real/fake oracles $\mathrm{Real}_s$ and $\mathrm{Fake}_s$ which are indexed by a key $s \in \{0,1\}^k$. For a query $(\varphi \in \Phi_{\mathrm{RKA}}, \psi \in \Psi_{\mathrm{KDM}})$, the oracle $\mathrm{Real}_s$ returns a sample from the distribution $\mathrm{Enc}_{\varphi(s)}(\psi(s))$, whereas the oracle $\mathrm{Fake}_s$ returns a sample from the distribution $\mathrm{Enc}_{\varphi(s)}(0^{|\psi(s)|})$.

Definition 3.1 (RK-KDM-secure encryption). A symmetric encryption scheme $(\mathrm{Enc}, \mathrm{Dec})$ is semantically-secure under Related-Key and Key-Dependent Message Attacks (in short, RK-KDM-secure) with respect to $\Phi_{\mathrm{RKA}}, \Psi_{\mathrm{KDM}}$ if $\mathrm{Real}_s \approx_c \mathrm{Fake}_s$ where $s \leftarrow_R \{0,1\}^k$.

Remarks:

Relation to previous definitions. We note that the above definition generalizes semantic security under related-key attacks [3] and semantic security under key-dependent message attacks [10]. Indeed, the former notion is obtained by restricting $\Psi_{\mathrm{KDM}}$ to contain only constant functions, and the latter is obtained by letting $\Phi_{\mathrm{RKA}}$ contain only the identity function. If both restrictions are applied simultaneously, the definition becomes identical to standard semantic security under Chosen-Plaintext Attacks. On the other hand, as we show in Section 5, a scheme may satisfy both RKA security and KDM security (separately) without achieving the combined form of RKA-KDM security.

Non-Adaptivity. Definition 3.1 allows the adversary to choose its queries in a fully adaptive way. One may define a seemingly weaker non-adaptive variant in which the adversary has to specify all its queries at the beginning of the game. We note that this weaker variant suffices for the free-XOR application.

LIN RK-KDM security. We will be interested in linear functions over $\mathbb{F}_2$. Namely, both $\Phi_{\mathrm{RKA}}$ and $\Psi_{\mathrm{KDM}}$ contain functions of the form $s \mapsto s + \Delta$ for every $\Delta \in \mathbb{F}_2^k$. To be compatible with standard semantic security, we require that $\Psi_{\mathrm{KDM}}$ also contains all fixed functions. Using a compact notation, we can describe each function in $\Psi_{\mathrm{KDM}}$ by a message $M$ and a bit $\sigma$ and let $g_{M,\sigma} : s \mapsto (M + (\sigma \cdot s))$. If the length of $M$ is larger than $k$, we assume that $(\sigma \cdot s)$ is padded with zeroes at the end. Hence, the adversary may ask for an encryption of the shifted key concatenated with some fixed message. We refer to this notion as LIN RK-KDM security.[2]

Footnote 2: A seemingly weaker definition of LIN RK-KDM security restricts the KDM family to functions $g_{M,\sigma} : s \mapsto (M + (\sigma \cdot s))$ where $M$ and $s$ are of the same length $k$. We note that a scheme that satisfies this notion can be trivially converted into a scheme that satisfies our definition (which supports $M$ longer than $s$). This can be done by partitioning the long message $M$ into $t$ blocks $M_1, \ldots, M_t$ of length $k$ each, and concatenating the encryptions of these blocks. A query of the form $(f \in \Phi_{\mathrm{RKA}}, g_{M,\sigma})$ can then be emulated by a linear query $(f \in \Phi_{\mathrm{RKA}}, g_{M_1,1})$ and $t - 1$ fixed-message queries $(f \in \Phi_{\mathrm{RKA}}, g_{M_i,0})$.

3.1 LPN-based Construction

The learning parity with noise problem is parameterized by positive integers $k, t$, and a noise parameter $\varepsilon \in (0, \tfrac{1}{2})$. The input to the problem is a random matrix $A \leftarrow_R \mathbb{F}_2^{t \times k}$ and a vector $y = As + e \in \mathbb{F}_2^t$ where $s \leftarrow_R \mathbb{F}_2^k$ and $e \leftarrow_R \mathrm{Ber}_\varepsilon^t$ is an error vector of $t$ independent Bernoulli random variables which take the value 1 with probability $\varepsilon$. The goal is to recover the secret vector $s$. This can be considered to be a decoding game where $A$ generates a random linear code and the goal is to recover a random information word $s$ given a noisy codeword $y$. For an integer-valued function $t = t(k)$ and a parameter $\varepsilon$, we say that the problem $\mathrm{LPN}_{t,\varepsilon}$ is hard if there is no efficient adversary that can solve it with more than negligible success probability. We say that $\mathrm{LPN}_\varepsilon$ is hard if $\mathrm{LPN}_{t,\varepsilon}$ is hard for every polynomial $t(\cdot)$. It is widely believed that $\mathrm{LPN}_\varepsilon$ is hard for any constant $\varepsilon \in (0, \tfrac{1}{2})$, and the best known algorithm runs in time $2^{\Theta(n / \log n)}$ [12].

In the following we describe the LPN-based symmetric encryption scheme of [2] which is a variant of the scheme of [18].

Parameters. Let $l = l(k)$ be a message-length parameter which is set to be an arbitrary polynomial in the security parameter $k$. (Shorter messages are padded with zeroes.) Let $\varepsilon < \tfrac{1}{2}$ and $0 < \delta < \tfrac{1}{2}$ be constants. We will use a family of linear binary error-correcting codes with information words of length $l(k)$ and block length $t = t(n)$, that has an efficient decoding algorithm $D$ that can correct up to $(\varepsilon + \delta) \cdot t$ errors. We let $G = G_l$ be the $t \times l$ binary generator matrix of this family and we assume that it can be efficiently constructed (given $1^k$).

Construction 3.2 (LPN-construction). Let $N = N(k)$ be an arbitrary polynomial (which controls the tradeoff between the key-length and the time complexity of the scheme). The private key of the scheme is a matrix $S$ which is chosen uniformly at random from $\mathbb{F}_2^{k \times N}$.

Encryption: To encrypt a message $M \in \mathbb{F}_2^{l \times N}$, choose a random $A \leftarrow_R \mathbb{F}_2^{t \times k}$ and a random noise matrix $E \leftarrow_R \mathrm{Ber}_\varepsilon^{t \times N}$. Output the ciphertext $(A, A \cdot S + E + G \cdot M)$.

Decryption: Given a ciphertext $(A, Z)$ apply the decoding algorithm $D$ to each of the columns of the matrix $Z - AS$ and output the result.

Observe that the decryption algorithm errs only when there exists a column in $E$ whose Hamming weight is larger than $(\varepsilon + \delta)t$, which, by the Chernoff bound, happens with negligible probability. (This error can be eliminated by rejecting noise vectors whose relative Hamming weight exceeds $(\varepsilon + \delta)$.) The scheme is also highly efficient. Encryption requires only cheap matrix operations and decryption requires, in addition, decoding the code $G$. It is shown in [2] that for a proper choice of parameters both encryption and decryption can be done in quasilinear time in the message length (for sufficiently long messages).

Construction 3.2 was proven to be semantically secure based on the intractability of the $\mathrm{LPN}_\varepsilon$ problem [2]. Security against KDM and RKA attacks with respect to linear functions was further proven in [2] and [3]. We now generalize these results and show that the scheme is LIN RK-KDM secure.

Theorem 3.3. Assuming that $\mathrm{LPN}_\varepsilon$ is hard, the above construction is LIN RK-KDM secure.

3.2 Proof of Theorem 3.3

Throughout this section we keep the convention that $S \in \mathbb{F}_2^{k \times N}$ is a key, $\Delta \in \mathbb{F}_2^{k \times N}$ is a key-shift vector, $M \in \mathbb{F}_2^{l \times N}$ is a message, $b \in \{0,1\}$ is a bit, and the pair $(A, Z) \in \mathbb{F}_2^{t \times k} \times \mathbb{F}_2^{t \times N}$ is a potential ciphertext. In addition, we let $\mathrm{Enc}$ denote the LPN encryption defined in Construction 3.2.
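As an added example (not the paper's code), the following Python implements Construction 3.2 with an $L$-fold repetition code standing in for the code family $G$ and a majority-vote decoder standing in for $D$, and also the key-shifting machine $F$ used in the proof of Theorem 3.3 (Lemma 3.5 below): from a ciphertext of $M$ under $S$ it produces, without knowing $S$, a ciphertext of $M + bS$ under $S + \Delta$. All parameters are toy values chosen here and far too small to be secure.

```python
import random

# Toy parameters, constructed for this example and far too small to be secure:
# K x N key matrix, L x N message matrix, REP-fold repetition code, noise rate EPS.
K, N, L, REP, EPS = 8, 2, 12, 31, 0.10
T = L * REP                      # block length t of the code (rows of A, E and Z)

def rand_matrix(rows, cols, rng):
    # uniform matrix over F_2
    return [[rng.randrange(2) for _ in range(cols)] for _ in range(rows)]

def noise_matrix(rows, cols, rng):
    # Ber_EPS^{rows x cols}: each entry is 1 with probability EPS
    return [[1 if rng.random() < EPS else 0 for _ in range(cols)] for _ in range(rows)]

def add(X, Y):
    # matrix addition over F_2 is bit-wise XOR (and coincides with subtraction)
    return [[x ^ y for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mul(X, Y):
    # matrix product over F_2
    return [[sum(X[i][m] & Y[m][j] for m in range(len(Y))) & 1
             for j in range(len(Y[0]))] for i in range(len(X))]

# Generator G in F_2^{T x L} of the repetition code that stands in for the paper's code family:
# information bit j occupies rows j*REP .. (j+1)*REP - 1 of a codeword.
G = [[1 if i // REP == j else 0 for j in range(L)] for i in range(T)]

def decode_column(col):
    # Majority vote per block, the stand-in for D (corrects fewer than REP/2 errors per block).
    return [1 if 2 * sum(col[j * REP:(j + 1) * REP]) > REP else 0 for j in range(L)]

def keygen(rng):
    # private key S, uniform in F_2^{K x N}
    return rand_matrix(K, N, rng)

def encrypt(S, M, rng):
    # Construction 3.2: ciphertext (A, A*S + E + G*M)
    A = rand_matrix(T, K, rng)
    E = noise_matrix(T, N, rng)
    return A, add(add(mul(A, S), E), mul(G, M))

def decrypt(S, ct):
    # strip A*S, then decode each column of the remaining noisy codeword
    A, Z = ct
    noisy = add(Z, mul(A, S))
    cols = [decode_column([row[j] for row in noisy]) for j in range(N)]
    return [[cols[j][i] for j in range(N)] for i in range(L)]

def shift_ciphertext(ct, delta, b):
    # The oracle machine F of Lemma 3.5: from a sample (A', Z') of Enc_S(M), and without S,
    # output A = A' + G*H and Z = Z' + A*delta, which is a sample of Enc_{S+delta}(M + b*S).
    A1, Z1 = ct
    H = [[b if i == j else 0 for j in range(K)] for i in range(L)]   # (b*I_k ; 0), an L x K matrix
    A = add(A1, mul(G, H))
    return A, add(Z1, mul(A, delta))

def key_dependent_message(S, M, b):
    # M + b*S, with S padded by zero rows to L rows: what the shifted ciphertext must decrypt to
    padded = S + [[0] * N for _ in range(L - K)]
    return add(M, [[b & v for v in row] for row in padded])

def check(seed, b):
    # Round trip under the real key, then decrypt the shifted ciphertext under the shifted key.
    rng = random.Random(seed)
    S, M = keygen(rng), rand_matrix(L, N, rng)
    ct = encrypt(S, M, rng)
    delta = rand_matrix(K, N, rng)
    plain_ok = decrypt(S, ct) == M
    shift_ok = decrypt(add(S, delta), shift_ciphertext(ct, delta, b)) == key_dependent_message(S, M, b)
    return plain_ok, shift_ok
```

Decrypting the shifted pair under $S + \Delta$ leaves $E + G(M + HS)$, so the decoder returns $M + bS$ exactly as the lemma's derivation predicts.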

Recall that our goal is to prove that for a random key $S \leftarrow_R \mathbb{F}_2^{k \times N}$ the randomized functions

$$\mathrm{Real}_S : (\Delta, M, b) \mapsto \mathrm{Enc}_{S + \Delta}(M + bS), \qquad \mathrm{Fake}_S : (\Delta, M, b) \mapsto \mathrm{Enc}_{S + \Delta}(0^{l \times N}),$$

are indistinguishable. This will be proven via a sequence of hybrids. Let $R_S$ be a randomized function which ignores the key $S$ and the given input, and outputs fresh uniformly chosen matrices $A \leftarrow_R \mathbb{F}_2^{t \times k}$ and $Z \leftarrow_R \mathbb{F}_2^{t \times N}$. (If $R_S$ is applied to the same input more than once it responds with independent answers.) The following lemma shows that the LPN encryption scheme is not only semantically secure but also pseudorandom in the following sense:

Lemma 3.4. Assuming that $\mathrm{LPN}_\varepsilon$ is hard, $\{\mathrm{Enc}_S\} \approx_c \{R_S\}$, where $S \leftarrow_R \mathbb{F}_2^{k \times N}$.

The proof is implicit in [2]; we include it here for completeness.

Proof. Fix some $\varepsilon \in (0, \tfrac{1}{2})$. For polynomials $N, t = \mathrm{poly}(\kappa)$, and $S \leftarrow_R \mathbb{F}_2^{k \times N}$ we define the randomized functions $\mathrm{LPN}_S^{t \times N}$ and $R_S^{t \times N}$ which have no input (or equivalently ignore their input) as follows. In each call, $\mathrm{LPN}_S^{t \times N}$ samples a random matrix $A \leftarrow_R \mathbb{F}_2^{t \times k}$, a random noise matrix $E \leftarrow_R \mathrm{Ber}_\varepsilon^{t \times N}$, and outputs the pair $(A, A \cdot S + E)$. The function $R_S^{t \times N}$ is defined similarly to $R_S$, namely, in each call it simply outputs a fresh random pair $A \leftarrow_R \mathbb{F}_2^{t \times k}$ and $Z \leftarrow_R \mathbb{F}_2^{t \times N}$. The well-known search-to-decision reduction of [11] shows that, assuming the hardness of $\mathrm{LPN}_\varepsilon$,

$$\{\mathrm{LPN}_S^{t \times N}\} \approx_c \{R_S^{t \times N}\}, \qquad (1)$$

for $N = 1$ and any polynomial $t$. A standard hybrid argument allows to extend Eq. 1 to the case of an arbitrary polynomial $N$ (and arbitrary polynomial $t$), as done in [2]. It remains to show that Eq. 1 implies the lemma. Fix $t, N$ to be the parameters from Construction 3.2, and let $G \in \mathbb{F}_2^{t \times l}$ be the generator matrix in use. Define an oracle-aided function $A^{(\cdot)}$ which, given $M \in \mathbb{F}_2^{l \times N}$, calls its oracle $O$ to obtain a pair $(A, R)$ and outputs $(A, R + GM)$. For every $S$ we have that $\mathrm{Enc}_S \equiv A^{\mathrm{LPN}_S^{t \times N}}$ and $A^{R_S^{t \times N}} \equiv R_S$, and, therefore, by Eq. 1 and Facts 2.1, 2.2 and 2.3, we have that $\{\mathrm{Enc}_S\} \approx_c \{R_S\}$ as required.

We will need the following key observation:

Lemma 3.5. There exists an efficient oracle machine $F^{(\cdot)} : (\Delta, M, b) \mapsto (A, Z)$ such that for every $S \in \mathbb{F}_2^{k \times N}$,

$$\mathrm{Real}_S \equiv F^{\mathrm{Enc}_S} \quad \text{and} \quad F^{R_S} \equiv R_S.$$

Proof. We define $F$ as follows: Given a query $(\Delta, M, b)$ the machine $F$ calls the oracle with input $M$, gets back the answer $(A', Z')$, and outputs the pair $A = A' + GH$ and $Z = Z' + A\Delta$, where $G$ is the generating matrix used in Construction 3.2 and $H \in \mathbb{F}_2^{l \times k}$ is the matrix

$$H = \begin{pmatrix} b \cdot I_{k \times k} \\ 0_{(l-k) \times k} \end{pmatrix}.$$

Fix a key $S$ and a query $(\Delta, M, b)$; we will show that $F^{\mathrm{Enc}_S}(\Delta, M, b)$ is distributed identically to $\mathrm{Real}_S(\Delta, M, b)$. Let $(A', Z')$ be a fresh sample from $\mathrm{Enc}_S(M)$. Clearly, $A = A' + GH$ is uniform in $\mathbb{F}_2^{t \times k}$ since $A'$ is uniform. In addition, since $Z' = A'S + E + GM$ where $E \leftarrow_R \mathrm{Ber}_\varepsilon^{t \times N}$, and since $A' = A + GH$, we can write $Z$ as

$$(A + GH)S + E + GM + A\Delta = A(S + \Delta) + E + G(M + HS) = A(S + \Delta) + E + G(M + bS),$$

where the first equality is due to linearity, and the second equality follows from the definition of $H$. It follows that $(A, Z)$ is a fresh sample from $\mathrm{Enc}_{S + \Delta}(M + bS)$. To prove that $F^{R_S} \equiv R_S$, it suffices to show that for any fixed query $(\Delta, M, b)$ the transformation from $(A', Z')$ to $(A, Z)$ is an affine invertible mapping. This follows immediately from the definition of $F$.

We conclude that for $S \leftarrow_R \mathbb{F}_2^{k \times N}$,

$$\mathrm{Real}_S \equiv F^{\mathrm{Enc}_S} \approx_c F^{R_S} \equiv R_S. \qquad (2)$$

Indeed, the first and third transitions are due to Lemma 3.5, and the second transition is due to Lemma 3.4 and Fact 2.2. To complete the argument we need two additional definitions. First we define an oracle machine which, given an oracle $O$ and an input $(\Delta, M, b)$, outputs a sample from $F^O(\Delta, 0^{l \times N}, 0)$; namely, it replaces $M, b$ with zeroes and proceeds as $F^O$. By abuse of notation, we refer to this oracle as $F^{(\cdot)}(\Delta, 0^{l \times N}, 0)$. Similarly, we let $\mathrm{Real}_S(\Delta, 0^{l \times N}, 0)$ denote the randomized function which maps $(\Delta, M, b)$ to $\mathrm{Real}_S(\Delta, 0^{l \times N}, 0)$. Note that the latter is just an equivalent formulation of $\mathrm{Fake}_S$. Moreover, we can write:

$$R_S \equiv F^{R_S}(\Delta, 0^{l \times N}, 0) \approx_c F^{\mathrm{Enc}_S}(\Delta, 0^{l \times N}, 0) \equiv \mathrm{Real}_S(\Delta, 0^{l \times N}, 0) \equiv \mathrm{Fake}_S, \qquad (3)$$

where the first and third transitions are due to Lemma 3.5, and the second transition is due to Lemma 3.4 and Fact 2.2. By combining Eq. 2 and Eq. 3 with Fact 2.3 we get that $\mathrm{Real}_S \approx_c \mathrm{Fake}_S$, and Theorem 3.3 follows.

Remark 3.6 (Abstraction). The proof of Theorem 3.3 provides a general template for proving RKA-KDM security. Specifically, the properties needed are pseudorandomness (in the sense of Lemma 3.4) and key/message homomorphism (in the sense of Lemma 3.5). Indeed, observe that, apart from the proofs of Lemmas 3.4 and 3.5, the overall proof can be written in a fully generic form with no specific references to the LPN construction.

4 Yao's Garbled Circuit

4.1 Definition

Let $f = \{f_n\}_{n \in \mathbb{N}}$ be a polynomial-time computable function. At an abstract level, Yao's garbled circuit technique [43] constructs a randomized function $\hat{f} = \{\hat{f}_n\}_{n \in \mathbb{N}}$ which encodes $f$ in the sense that for every $x$ the distribution $\hat{f}(x)$ reveals the value of $f(x)$ but no other additional information. We formalize this via the notion of computationally private randomized encoding from [4], while adapting the original definition from a non-uniform adversarial setting to the uniform setting (i.e., adversaries are modeled by probabilistic polynomial-time Turing machines).

Definition 4.1 (Computational randomized encoding). Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^{l(n)}\}_{n \in \mathbb{N}}$ be an efficiently computable function and let $\hat{f} = \{\hat{f}_n : \{0,1\}^n \times \{0,1\}^{m(n)} \to \{0,1\}^{s(n)}\}_{n \in \mathbb{N}}$ be an efficiently computable randomized function. We say that $\hat{f}$ is a computational randomized encoding of $f$ (or encoding for short), if there exist an efficient recovery algorithm $\mathrm{Rec}$ and an efficient probabilistic simulator algorithm $\mathrm{Sim}$ that satisfy the following:

Perfect correctness. For any $n$ and any input $x \in \{0,1\}^n$, $\Pr[\mathrm{Rec}(1^n, \hat{f}_n(x)) \neq f_n(x)] = 0$.

Computational privacy. The randomized function $\hat{f}_n(\cdot)$ is computationally indistinguishable from the randomized function $\mathrm{Sim}(1^n, f_n(\cdot))$.

Remark 4.2. The above definition uses $n$ both as an input length parameter and as a cryptographic security parameter quantifying computational privacy. When describing the construction, it will be convenient to use a separate parameter $k$ for the latter, where computational privacy will be guaranteed as long as $k \geq n^\epsilon$ for some constant $\epsilon > 0$. Furthermore, while it is convenient to define randomized encoding for a single function $f$, Yao's construction (as well as the free-XOR variant) actually provides an efficient compiler that maps the function $f$ (represented as a Boolean circuit) into (circuit representations of) the encoding $\hat{f}$, the recovery algorithm $\mathrm{Rec}$ and the simulator $\mathrm{Sim}$. (See [5] for a formal definition.) In this sense the encoding is fully constructive.

4.2 Yao's Construction and the Free XOR Variant

Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^{l(n)}\}_{n \in \mathbb{N}}$ be a polynomial-time computable function computed by the uniform circuit family $\{C_n\}_{n \in \mathbb{N}}$. In the following we describe Yao's construction and its free-XOR variant. Our notation and terminology borrow from previous presentations of Yao's construction in [40, 37, 32, 4].

Double-keyed Encryption. Let $k = k(n)$ be a security parameter (by default, $k = n^\varepsilon$ for some constant $\varepsilon > 0$). We will employ a symmetric encryption scheme $(E^2, D^2)$ which is keyed by a pair of $k$-bit keys $K_1, K_2$. Intuitively, this corresponds to a double-locked chest in the sense that decryption is possible only if one knows both keys. There are several ways to implement such an encryption scheme based on standard single-key symmetric encryption $(\mathrm{Enc}, \mathrm{Dec})$ and, for simplicity, we choose to use

$$E^2_{K_1, K_2}(M) := (\mathrm{Enc}_{K_1}(R), \mathrm{Enc}_{K_2}(R + M)), \qquad D^2_{K_1, K_2}(C_1, C_2) := \mathrm{Dec}_{K_1}(C_1) + \mathrm{Dec}_{K_2}(C_2), \qquad (4)$$

where $R$ is a random string of length $|M|$. Other choices are also applicable under the LPN assumption.

The original construction. For each wire $i$ of the circuit $C_n$ we assign a pair of keys: a 0-key $W_i^0 \in \{0,1\}^k$ that represents the value 0, and a 1-key $W_i^1 \in \{0,1\}^k$ that represents the value 1. For each of these pairs we randomly color one key black and the other key white. This is done by choosing $r_i \leftarrow_R \{0,1\}$ and by letting $r_i + b$ be the color of $W_i^b$. Fix some input $x$ for $f_n$, and let $b_i = b_i(x)$ be the value of the $i$-th wire induced by $x$. We refer to the key $W_i^{b_i}$ as the active key of the $i$-th wire. The encoding $\hat{f}_n(x; (W, r))$ consists of three parts: (1) The active keys $W_i^{b_i}$ of the input wires together with their colors $c_i$; (2) For each gate a propagation mechanism which allows to translate the colored active keys of the incoming wires into the colored active keys of the outgoing wires. This mechanism is implemented via an encryption table (or "gate label") in which the keys of the outgoing wire are encrypted under the keys of the incoming wires. (3) For each output wire, we also append the semantics of the coloring, i.e., the bit $r_i$. Altogether, one can propagate the values of the colored active keys $(W_i^{b_i}, c_i)$ from the inputs to the outputs, and at the end reveal the values of the output wires by unmasking the colors $c_i$ with $r_i$. Intuitively, privacy holds as for non-output wires the values of the colored active keys reveal nothing on their semantics $b_i$.

Free XOR-gates. The free-XOR optimization modifies the above construction by making sure that the key $W_l^0$ and coloring $r_l$ of a wire $l$ which outgoes a XOR gate is just the sum of the keys and coloring of the incoming wires $i$ and $j$, namely, $W_l^0 = W_i^0 + W_j^0$, $r_l = r_i + r_j$. In addition, all key pairs $W_l^0, W_l^1$ have a fixed global (secret) difference $s = W_l^0 + W_l^1$. As a result, for every pair of values $(\alpha, \beta) \in \{0,1\}^2$ for the input wires of a XOR gate, we have that $W_l^{\alpha + \beta} = W_i^\alpha + W_j^\beta$. Hence, one can derive the colored active key $(W_l^{b_l(x)}, r_l + b_l(x))$ of the output wire by XOR-ing the colored active keys $(W_i^{b_i(x)}, r_i + b_i(x))$, $(W_j^{b_j(x)}, r_j + b_j(x))$ of the input wires, and so gate labels are not needed. XOR gates have, therefore, no effect on the communication complexity of the encoding, and only a minor effect on the computational complexity. A formal description of the encoding is given in Figure 1. Our main result shows that, assuming LIN RK-KDM security, the free XOR variant gives rise to a valid computational encoding:

Theorem 4.3 (Main). If the underlying symmetric encryption scheme $(\mathrm{Enc}, \mathrm{Dec})$ is LIN RK-KDM secure, then the randomized function $\hat{f}$, as defined in Figure 1, is a randomized encoding of the function $f$.

The proof of the theorem is deferred to Section 4.3 (correctness) and 4.4 (privacy).

4.3 Correctness

The following lemma shows that the encoding is correct.

Lemma 4.4 (Correctness). There exists an efficient recovery algorithm $\mathrm{Rec}$ such that for every $x \in \{0,1\}^n$ it holds that $\Pr[\mathrm{Rec}(1^n, \hat{f}_n(x; (r, W))) \neq f_n(x)] = 0$.

Figure 1: The encoding $\hat{f}_n(x; (W, r, s))$ of the function $f_n(x)$.

The Encoding $\hat{f}_n$

Input: $x \in \{0,1\}^n$.

Randomness: Choose a random global shift vector $s \leftarrow_R \{0,1\}^k$. For a wire $l$ that is not an output of a XOR gate let $r_l \leftarrow_R \{0,1\}$, $W_l^0 \leftarrow_R \{0,1\}^k$, $W_l^1 := W_l^0 + s$. For a wire $l$ that is an output of a XOR gate with inputs $i, j$ let $r_l := r_i + r_j$, $W_l^0 := W_i^0 + W_j^0$, $W_l^1 := W_l^0 + s$.

Outputs: The encoding consists of the following outputs:

1. For an input wire $i$, labeled by a literal $\chi$ (either some variable $x_u$ or its negation), output $W_i^{\chi(x)} \| (\chi(x) + r_i)$. If $i$ is an output wire, output the mask of this wire $r_i$.

2. For a non-XOR gate $t$ that computes some binary function $g : \{0,1\}^2 \to \{0,1\}$ with input wires $i, j$ and output wire $y$.[a] We associate with this gate 4 ordered outputs ("gate labels"). For every $(a_i, a_j) \in \{0,1\}^2$ we output:

$$Q_t^{a_i, a_j} := E^2_{W_i^{a_i + r_i},\, W_j^{a_j + r_j}}\Big( W_y^{g(a_i + r_i,\, a_j + r_j)} \,\|\, \big(g(a_i + r_i, a_j + r_j) + r_y\big) \Big), \qquad (5)$$

where $\|$ denotes concatenation, and $E^2$ is a double-encryption algorithm whose randomness is omitted for simplicity.

[a] If the fan-out is larger than 1, all outgoing wires are treated as a single wire, i.e., with the same key and the same color.

We assume that wires and gates of the circuit that computes $f_n$ are numbered according to some topological order. The double-encryption algorithm $E^2_{K_1, K_2}(M)$ is defined based on a standard encryption $(\mathrm{Enc}, \mathrm{Dec})$ as in Eq. (4).
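To make Figure 1 and the recovery procedure of Lemma 4.4 concrete, here is an added Python implementation (not the paper's code) that garbles a 1-bit full adder, whose three XOR gates produce no gate labels, and evaluates it with the decoder described in the proof below. The single-key encryption is a hash-based stand-in chosen here for brevity (the heuristic instantiation discussed in Section 1.2); the paper's result is that this slot needs an RK-KDM secure scheme such as Construction 3.2. The circuit, key size and helper names are all constructed for this example.

```python
import hashlib, itertools, random

KEY_BYTES = 16     # k = 128-bit wire keys (a parameter chosen for this example)

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def enc(key, msg, rng):
    # Stand-in single-key Enc_K(M): a hash-derived one-time pad under a fresh nonce. This is the
    # heuristic hash-based instantiation; the paper's point is that this slot needs an RK-KDM
    # secure scheme such as the LPN scheme of Construction 3.2.
    nonce = rng.randbytes(KEY_BYTES)
    return nonce, xor(hashlib.sha256(key + nonce).digest()[:len(msg)], msg)

def dec(key, ct):
    nonce, body = ct
    return xor(hashlib.sha256(key + nonce).digest()[:len(body)], body)

def enc2(k1, k2, msg, rng):
    # Double-keyed encryption of Eq. (4): E2_{K1,K2}(M) = (Enc_K1(R), Enc_K2(R + M)), R random.
    r = rng.randbytes(len(msg))
    return enc(k1, r, rng), enc(k2, xor(r, msg), rng)

def dec2(k1, k2, ct):
    # D2_{K1,K2}(C1, C2) = Dec_K1(C1) + Dec_K2(C2)
    return xor(dec(k1, ct[0]), dec(k2, ct[1]))

and_gate = lambda u, v: u & v

# Constructed circuit: a 1-bit full adder on input wires 0, 1, 2 (a, b, carry-in). A gate is
# (function, input wire i, input wire j, output wire); wires are numbered in topological order.
FULL_ADDER = {
    "n_inputs": 3,
    "gates": [("xor", 0, 1, 3),      # a + b
              ("xor", 3, 2, 4),      # sum = a + b + cin
              (and_gate, 3, 2, 5),   # (a + b) * cin
              (and_gate, 0, 1, 6),   # a * b
              ("xor", 5, 6, 7)],     # carry-out (the two products are never both 1, so XOR acts as OR)
    "outputs": [4, 7],
}

def wire_key(w0, s, l, b):
    # W_l^b: the 0-key of wire l, shifted by the global s when b = 1
    return xor(w0[l], s) if b else w0[l]

def garble(circuit, x, rng):
    # The encoding f_hat_n(x; (W, r, s)) of Figure 1.
    s = rng.randbytes(KEY_BYTES)                 # global shift: W_l^1 = W_l^0 + s on every wire
    r, w0 = {}, {}
    encoding = {"inputs": {}, "gates": [], "masks": {}}
    for l in range(circuit["n_inputs"]):
        r[l], w0[l] = rng.randrange(2), rng.randbytes(KEY_BYTES)
        encoding["inputs"][l] = (wire_key(w0, s, l, x[l]), x[l] ^ r[l])   # W_l^{x_l} || (x_l + r_l)
    for g, i, j, y in circuit["gates"]:
        if g == "xor":                           # free: key and mask are sums, no gate label
            r[y], w0[y] = r[i] ^ r[j], xor(w0[i], w0[j])
            continue
        r[y], w0[y] = rng.randrange(2), rng.randbytes(KEY_BYTES)
        labels = []
        for ai in (0, 1):                        # Eq. (5): labels ordered by the colors (a_i, a_j)
            for aj in (0, 1):
                bi, bj = ai ^ r[i], aj ^ r[j]    # the wire values whose keys carry those colors
                out = g(bi, bj)
                msg = wire_key(w0, s, y, out) + bytes([out ^ r[y]])
                labels.append(enc2(wire_key(w0, s, i, bi), wire_key(w0, s, j, bj), msg, rng))
        encoding["gates"].append(labels)
    for y in circuit["outputs"]:
        encoding["masks"][y] = r[y]
    return encoding

def recover(circuit, encoding):
    # The recovery algorithm Rec of Lemma 4.4: propagate (active key, color) to the outputs.
    active = dict(encoding["inputs"])            # wire -> (W_l^{b_l}, c_l)
    labels = iter(encoding["gates"])
    for g, i, j, y in circuit["gates"]:
        (ki, ci), (kj, cj) = active[i], active[j]
        if g == "xor":
            active[y] = (xor(ki, kj), ci ^ cj)   # W_i^{b_i} + W_j^{b_j} = W_y^{b_i + b_j}
        else:
            pt = dec2(ki, kj, next(labels)[2 * ci + cj])   # only the label Q_t^{c_i,c_j} opens
            active[y] = (pt[:KEY_BYTES], pt[KEY_BYTES])
    return [active[y][1] ^ encoding["masks"][y] for y in circuit["outputs"]]

def evaluate(circuit, x):
    # plain evaluation of the circuit, used to check the recovered output
    val = {l: x[l] for l in range(circuit["n_inputs"])}
    for g, i, j, y in circuit["gates"]:
        val[y] = val[i] ^ val[j] if g == "xor" else g(val[i], val[j])
    return [val[y] for y in circuit["outputs"]]

def check_all_inputs(seed):
    # Garble every input of the adder; Rec must return f(x), and only the two AND gates carry labels.
    rng = random.Random(seed)
    for x in itertools.product((0, 1), repeat=3):
        enc_x = garble(FULL_ADDER, x, rng)
        if len(enc_x["gates"]) != 2 or recover(FULL_ADDER, enc_x) != evaluate(FULL_ADDER, x):
            return False
    return True
```

The two AND gates are the only place the four labels of Eq. (5) are encrypted under keys that all differ by the same global $s$ and contain further such keys, which is exactly the related-key and key-dependent-message structure that Section 4.4 has to handle.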

Proof. Let $\alpha = \hat f_n(x; (r, W))$ for some $x \in \{0,1\}^n$ and $(r, W) \in \{0,1\}^{\mu(n)}$. The decoder traverses the circuit in topological order from inputs to outputs, and for each wire $y$ it recovers the active key $W^{b_y}_y$ together with its color $c_y = (b_y(x) + r_y)$ as follows. If $y$ is an input wire then the value $W^{b_y}_y \,\|\, c_y$ is given as part of $\alpha$. Otherwise, assume that the wire $y$ outgoes a gate $t$ whose incoming wires are $i$ and $j$ (for which we already computed the desired values). If $t$ is a XOR gate then we let $W^{b_y}_y = W^{b_i+b_j}_y = W^{b_i}_i + W^{b_j}_j$, and $c_y = (b_i + b_j) + r_y = (b_i + b_j) + (r_i + r_j) = c_i + c_j$. If $t$ is not a XOR gate then we use the colors $c_i, c_j$ of the active keys of the input wires to select the active label $Q^{c_i,c_j}_t$ of the gate $t$ (and ignore the other 3 inactive labels of this gate). Consider this label as in Eq. (5); recall that this cipher was double-encrypted under the key $W^{c_i - r_i}_i = W^{b_i}_i$ and the key $W^{c_j - r_j}_j = W^{b_j}_j$. Since we have already computed the values $c_i, c_j, W^{b_i}_i$ and $W^{b_j}_j$, we can decrypt the label $Q^{c_i,c_j}_t$ (by applying the decryption algorithm $D^2$) and recover the value $W^{g(b_i,b_j)}_y \,\|\, (g(b_i,b_j) + r_y) = W^{b_y}_y \,\|\, c_y$, where $g$ is the function that the gate $t$ computes, and therefore $b_y = g(b_i, b_j)$. Finally, once we have the color of an output wire $y$ we can recover its value $b_y$ by XOR-ing $c_y$ with the mask $r_y$, which is given explicitly as part of $\alpha$.

4.4 Privacy

Computational privacy is slightly more subtle. The free-XOR optimization correlates the key pairs via the global shift $s$. This introduces two forms of dependency: (1) the four ciphertexts of every gate are encrypted under related keys; and (2) the keys (of the incoming wires) which are used to encrypt the gate labels are correlated with the content of the labels (i.e., the keys of the outgoing wires). We show that if the underlying encryption (Enc, Dec) is RKA and KDM secure with respect to linear functions, then the encoding is indeed private.

Lemma 4.5 (Privacy). There exists an efficient simulator Sim such that $\hat f_n(\cdot) \equiv_c \mathrm{Sim}(1^n, f_n(\cdot))$.
To prove the lemma we define an oracle-aided algorithm $H^O(x)$ such that (1) when the oracle $O$ is the real RK-KDM oracle (with respect to linear queries) the distribution of $H^O(x)$ is identical to the distribution $\hat f_n(x)$, and (2) when the oracle $O$ is the fake RK-KDM oracle, the distribution $H^O(x)$ can be efficiently sampled based on the output $f_n(x)$, and therefore can be used as a simulator $\mathrm{Sim}(1^n, f_n(x))$. The indistinguishability of the two oracles implies that the simulator's output is computationally indistinguishable from the encoding's distribution $\hat f_n(x)$.

The algorithm $H^{(\cdot)}(x)$. Let $k = k(n)$, and let $x \in \{0,1\}^n$ be the input. We assume that $H$ is given oracle access to a randomized function $O_s$ where $s \in_R \{0,1\}^k$ will play the role of the secret global shift. We will assume that $O_s$ has the same interface as $\mathrm{Real}_s$ and $\mathrm{Fake}_s$, namely, given a pair of linear functions $(\phi, \psi)$ the oracle outputs a ciphertext of Enc. For every wire $l$ we define the following values:

1. If $l$ is not an output of a XOR gate, choose a random active key $W^{b_l}_l \in_R \{0,1\}^k$ and a random color bit $c_l \in_R \{0,1\}$.

2. If the wire $l$ is an output of a XOR gate, let $W^{b_l}_l := W^{b_i}_i + W^{b_j}_j$ and $c_l = c_i + c_j$ where $i$ and $j$ are the incoming wires.

3. If $l$ is an input wire, output $W^{b_l}_l \,\|\, c_l$; if it is an output wire, output $r_l = c_l - b_l(x)$.

4. The inactive key $W^{b_l+1}_l$ is unknown, but it can be written as a linear function of the master key $s$, i.e., $\phi_l : s \mapsto s + W^{b_l}_l$.

For every (non-XOR) gate $t$ with input wires $i, j$ and output wire $y$ we do the following:

5. Output the active label
$Q^{c_i,c_j}_t := E^2_{W^{b_i}_i,\, W^{b_j}_j}\big(W^{b_y}_y \,\|\, c_y\big)$. (6)

6. Compute the inactive labels as follows. For every $(\alpha, \beta) \neq (0,0)$ choose $R_{\alpha,\beta} \in_R \{0,1\}^{k+1}$ and define the linear function $\psi_{\alpha,\beta}$ which maps $s$ to the value
$\Big( \big(W^{b_y}_y + s \cdot (g(b_i+\alpha, b_j+\beta) + b_y)\big) \,\|\, \big(g(c_i+\alpha+r_i,\, c_j+\beta+r_j) + r_y\big) \Big) + R_{\alpha,\beta}$,
where $g$ is the function that the gate computes, and $b_i = b_i(x)$, $r_i = b_i + c_i$, $b_j = b_j(x)$, $r_j = b_j + c_j$ and $b_y = b_y(x)$, $r_y = b_y + c_y$. Now, output
$Q^{c_i+1,c_j}_t := \big( O(\phi_i, \psi_{1,0}),\ \mathrm{Enc}_{W^{b_j}_j}(R_{1,0}) \big)$,
$Q^{c_i+1,c_j+1}_t := \big( O(\phi_i, \psi_{1,1}),\ O(\phi_j, R_{1,1}) \big)$, (7)
$Q^{c_i,c_j+1}_t := \big( \mathrm{Enc}_{W^{b_i}_i}(R_{0,1}),\ O(\phi_j, \psi_{0,1}) \big)$,
where in the second equation we let the string $R_{1,1}$ represent the constant function $s \mapsto R_{1,1}$.

Claim 4.6. The randomized functions $\hat f_n$ and $H^{\mathrm{Real}_s}$ for $s \in_R \{0,1\}^k$ are identically distributed.

Proof. We prove a stronger claim: for every $x \in \{0,1\}^n$, even if the encoding and the hybrid $H^{\mathrm{Real}_s}(x)$ output their internal coins (including the ones used by the oracle $\mathrm{Real}_s$), the two experiments are identically distributed. First, it is not hard to verify that the values $s$, $W^0_l$, $r_l$ and $W^1_l = W^0_l + s$ are identically distributed in both experiments. When these values are fixed, the active labels are also identically distributed. Finally, by substituting $\phi_i, \psi_{\alpha,\beta}$ in Eq. 7 it follows that the inactive labels are also distributed exactly as in $\hat f(x)$.

Let us move to the case where the oracle $O$ is instantiated with the oracle $\mathrm{Fake}_s$ for $s \in_R \{0,1\}^k$.
By the RK-KDM security of the scheme (Enc, Dec) and Fact 2.2, we get that

Claim 4.7. The randomized functions $\{H^{\mathrm{Real}_s}\}_s$ and $\{H^{\mathrm{Fake}_s}\}_s$ are computationally indistinguishable.

Finally, we define the simulator, which is just an equivalent description of $H^{\mathrm{Fake}_s}(x)$:

The simulator Sim. Given $z = f_n(x)$, for some $x \in \{0,1\}^n$, the simulator mimics the first three steps of $H$, which can be computed based on the value of the output wires $f_n(x)$ (without knowing $x$ itself). However, instead of virtually setting inactive keys in the fourth step, the simulator chooses a random shift vector $s \in_R \{0,1\}^k$ and sets $W^{1+b_l}_l = W^{b_l}_l + s$ for every wire $l$. Then, the simulator computes the active labels exactly as in Eq. 6. Note that all these computations can be done without knowing $x$ (or $b_i(x)$). To compute the inactive labels the simulator mimics the distribution of $H^{\mathrm{Fake}_s}(x)$: it chooses $R_{1,0}, R_{1,1}, R_{0,1} \in_R \{0,1\}^{k+1}$ and computes
$Q^{c_i+1,c_j}_t := \big( \mathrm{Enc}_{W^{b_i+1}_i}(0^{k+1}),\ \mathrm{Enc}_{W^{b_j}_j}(R_{1,0}) \big)$,
$Q^{c_i+1,c_j+1}_t := \big( \mathrm{Enc}_{W^{b_i+1}_i}(0^{k+1}),\ \mathrm{Enc}_{W^{b_j+1}_j}(0^{k+1}) \big)$, (8)
$Q^{c_i,c_j+1}_t := \big( \mathrm{Enc}_{W^{b_i}_i}(R_{0,1}),\ \mathrm{Enc}_{W^{b_j+1}_j}(0^{k+1}) \big)$.
Indeed, all these ciphertexts can be computed directly since the inactive keys (and the global shift $s$) are known.

Claim 4.8. The randomized functions $\mathrm{Sim}(f_n(\cdot))$ and $H^{\mathrm{Fake}_s}(\cdot)$ for $s \in_R \{0,1\}^k$ are identically distributed.

Proof. Again, a stronger claim holds: for every $x \in \{0,1\}^n$, even if the simulator and the algorithm $H^{\mathrm{Fake}_s(\cdot)}(x)$ output their internal coins, the two experiments are identically distributed. First, it is not hard to verify that the values $s$, $W^0_l$, $r_l$ and $W^1_l = W^0_l + s$ are identically distributed in both experiments. When these values are fixed, the active labels are also identically distributed. Finally, the inactive labels as defined by the simulator (Eq. 8) are computed exactly as they are computed by $H^{\mathrm{Fake}_s(\cdot)}(x)$ (i.e., as defined in Eq. 7 when the oracle $\mathrm{Fake}_s(\cdot)$ is being used).

The proof of Lemma 4.5 follows from Claims 4.6–4.8 and Facts 2.1 and 2.2.

5 Separating RK-KDM from RKA & KDM

Recall that LIN RKA security corresponds to $(\Phi_{\mathrm{RKA}}, \Psi_{\mathrm{KDM}})$ RK-KDM security where $\Phi_{\mathrm{RKA}}$ contains all linear functions (over the binary field) and $\Psi_{\mathrm{KDM}}$ contains the identity function. Similarly, LIN KDM security corresponds to the complementary case where $\Psi_{\mathrm{KDM}}$ contains all linear (and fixed) functions, and $\Phi_{\mathrm{RKA}}$ contains the identity function. We describe a symmetric encryption scheme (Enc, Dec) which is semantically secure under linear related-key attacks and semantically secure under linear key-dependent message attacks but does not achieve linear RK-KDM security. In fact, one can fully recover the secret key via a combined LIN RK-KDM attack.

Our counter-example is based on a pair of symmetric encryption schemes. The first scheme (RE, RD) is LIN RKA secure but can be completely broken via LIN KDM attacks, and the second scheme (KE, KD) is LIN KDM secure but can be broken via LIN RK attacks. Both schemes are based on the LPN-based encryption of Construction 3.2 instantiated with $N = 1$. Throughout this section we denote the LPN encryption scheme by (PE, PD) ("P" stands for parity).

5.1 Achieving RKA Security & KDM Insecurity

We define the scheme (RE, RD) identically to the LPN construction (Construction 3.2) except that if the prefix of a plaintext $M$ is equal to the key $S$, then the corresponding ciphertext will be $M$ itself (unencrypted). Formally,^3

$\mathrm{RE}_S(M) := \begin{cases} M & \text{if } M_{[1:\kappa]} = S \\ \mathrm{PE}_S(M) & \text{otherwise,} \end{cases}$ $\qquad$ $\mathrm{RD}_S(C) := \begin{cases} C & \text{if } C_{[1:\kappa]} = S \\ \mathrm{PD}_S(C) & \text{otherwise.} \end{cases}$

It is not hard to prove that (RE, RD) is secure under linear related-key attacks, but is completely insecure in the presence of linear key-dependent message attacks.

Lemma 5.1. Under the LPN assumption, the scheme (RE, RD) is secure against linear related-key attacks.

Proof. Recall that in a LIN RK attack on an encryption algorithm $E$, the adversary makes queries of the form $(\Delta, M)$ and attempts to distinguish between the real oracle $E\mathrm{Real}_S$, which returns $E_{S+\Delta}(M)$, and the fake oracle $E\mathrm{Fake}_S$, which returns $E_{S+\Delta}(0^{|M|})$. The view of an adversary $A$ that breaks the LIN RKA security of (RE, RD) is identical to the view of an adversary who breaks the LIN RKA security of the LPN-based scheme (PE, PD), as long as the adversary does not make a revealing query of the form $(\Delta, M)$ where $S + \Delta$ equals the $\kappa$-bit prefix of $M$. Hence, it suffices to show that the probability of asking a revealing query is negligible. Indeed, this must be the case, as a revealing query $(\Delta, M)$ can be used to recover the key by XOR-ing $\Delta$ with the $\kappa$-bit prefix $M_{[1:\kappa]}$ of the message.

We proceed with a formal argument. Our goal is to prove that $\mathrm{REReal}_S \equiv_c \mathrm{REFake}_S$. First we show that $\mathrm{REReal}_S$ and $\mathrm{PEReal}_S$ are indistinguishable. Assume, towards a contradiction, that there exists some adversary $A$ which distinguishes $\mathrm{REReal}_S$ from $\mathrm{PEReal}_S$ with noticeable advantage $\varepsilon$. We construct an adversary $B^{\mathrm{PEReal}_S}$ which outputs $S$ with noticeable probability $\varepsilon/t$, where $t$ is the number of queries that $A$ makes. Clearly, such an adversary contradicts the LIN-RKA security of the LPN scheme. The adversary $B$ simply chooses a random $i \in [t]$ and halts before making the $i$-th query $(\Delta, M)$ with the output $\Delta + M_{[1:\kappa]}$.
To analyze the success probability of $B$ we note that: (a) conditioned on not asking a revealing query, the oracles $\mathrm{REReal}_S$ and $\mathrm{PEReal}_S$ are identically distributed; (b) hence, under our assumption, $A$ makes a revealing query with probability at least $\varepsilon$; (c) therefore, with probability $\varepsilon/t$, the adversary $B$ halts just before the first revealing query and, in this case, it outputs the key $S$. A similar argument shows that $\mathrm{REFake}_S$ is indistinguishable from $\mathrm{PEFake}_S$, and, since $\mathrm{PEReal}_S \equiv_c \mathrm{PEFake}_S$, we conclude, by Fact 2.3, that $\mathrm{REReal}_S \equiv_c \mathrm{REFake}_S$ and the scheme is LIN RKA secure.

^3 The decryption RD may err with negligible probability due to the possibility that some message $M$, whose prefix does not equal the key $S$, will be mapped to a ciphertext $\mathrm{PE}_S(M)$ whose prefix equals the key. This can be handled in several ways, e.g., by modifying the encryption algorithm so that such an event never happens. We prefer the current version (with negligible error probability) for simplicity.

5.2 Achieving KDM Security & RKA Insecurity

The second scheme (KE, KD) is obtained by modifying the LPN construction (PE, PD) as follows. The key $S \in \{0,1\}^\kappa$ is augmented with an index $i \in \{1, \dots, \kappa\}$. A plaintext $M$ will be encrypted by the triple $(\mathrm{PE}_S(M), i, S_i)$, i.e., in addition to the ciphertext $\mathrm{PE}_S(M)$, we leak a single bit of the key $S$ whose location is determined by another (public) part of the key. Formally,

$\mathrm{KE}_{S,i}(M) := (\mathrm{PE}_S(M), i, S_i)$, $\qquad$ $\mathrm{KD}_{S,i}(C_1, C_2, C_3) := \mathrm{PD}_S(C_1)$.

Below we show that the scheme is LIN KDM secure. In fact, it will be useful to prove KDM security with respect to a slightly richer family of extended linear functions which contains functions of the form $\psi_{M,T} : S \mapsto M + TS$ for every $M \in \mathbb{F}_2^{l}$ and matrix $T \in \mathbb{F}_2^{l \times \kappa}$.

Lemma 5.2. Under the LPN assumption, the scheme (KE, KD) is secure against extended linear key-dependent message attacks.

Proof. Recall that in an extended LIN KDM attack on an encryption algorithm $E$, the adversary makes queries of the form $(M, T)$ and attempts to distinguish between the real oracle $E\mathrm{Real}_S$, which returns $E_S(M + TS)$, and the fake oracle $E\mathrm{Fake}_S$, which returns $E_S(0^{|M|})$. Our goal is to show that the scheme $\mathrm{KE}_{S,i}$ is LIN KDM secure. Formally, this means that we should support functions which map the combined key $(S, i) \in \{0,1\}^{\kappa + \lceil \log \kappa \rceil}$ (viewed as a single long vector) into messages of the form $M + T(S, i)$. However, since $i$ is public, any linear function in $(S, i)$ can be efficiently translated into a linear function in $S$ of the form $M + TS$, and so it suffices to focus on such functions. We will show how to reduce the extended LIN KDM security of $\mathrm{KE}_{S,i}$ with $S \in_R \{0,1\}^\kappa$, $i \in_R [\kappa]$ to the security of $\mathrm{PE}_{S'}$ with a 1-bit shorter key $S' \in_R \{0,1\}^{\kappa-1}$. The extended LIN KDM security of the latter is proven in [2, Thm. 8]. For an index $i \in [\kappa]$ and a bit $\sigma \in \{0,1\}$, we define an oracle-aided randomized function $A^{(\cdot)}_{i,\sigma}$ such that

$\mathrm{KEReal}_{S,i} \equiv A^{\mathrm{PEReal}_{S'}}_{i,\sigma}$ and $A^{\mathrm{PEFake}_{S'}}_{i,\sigma} \equiv \mathrm{KEFake}_{S,i}$ (9)

whenever $S = (S'_{[1:i-1]}, \sigma, S'_{[i:\kappa-1]})$. By the LIN RKA security of PE and Facts 2.1 and 2.2 we have that, for a random $S \in \{0,1\}^\kappa$, $i \in [\kappa]$,

$\mathrm{KEReal}_{S,i} \equiv A^{\mathrm{PEReal}_{S'}}_{i,\sigma} \equiv_c A^{\mathrm{PEFake}_{S'}}_{i,\sigma} \equiv \mathrm{KEFake}_{S,i}$,

and the lemma follows by Fact 2.3. It is left to describe the converter $A$ and to prove Eq. 9.

Given a KDM query $(M, T)$ the algorithm $A_{i,\sigma}$ queries its oracle with $(M, T)$ and obtains a ciphertext $(A' \in \mathbb{F}_2^{t \times (\kappa-1)}, Z' \in \mathbb{F}_2^{t})$. Then, $A_{i,\sigma}$ samples a random column $a \in \mathbb{F}_2^{t}$ and outputs the matrix $A = (A'_{[1:i-1]} \ a \ A'_{[i:\kappa-1]})$, a vector $Z = Z' + \sigma a$ and the pair $(i, \sigma)$. If the oracle returns a fresh sample $(A', Z' = A'S' + E + GM)$ from $\mathrm{PE}_{S'}(M)$ for some message $M$, then the pair $(A, Z = AS + E + GM)$ is a fresh sample from $\mathrm{PE}_S(M)$ where $S = (S'_{[1:i-1]}, \sigma, S'_{[i:\kappa-1]})$. This implies Eq. 9 and the lemma follows.

On the other hand, one can fully recover the key $S$ via an RKA by shifting the index $i$ through all possible indices in $\{1, \dots, \kappa\}$. Note that this attack is oblivious to the messages encrypted; in particular, all the attacker needs is the ability to obtain, for any choice of $\Delta$, a ciphertext $\mathrm{KE}_{(S,i)+\Delta}(M)$ where the message $M$ may be arbitrary and possibly unknown (e.g., chosen by the oracle).

5.3 Counter Example: RKA+KDM ⇏ RK-KDM

Our counter-example is defined via the following double encryption:

$\mathrm{Enc}_{S_1,S_2}(M) := \mathrm{KE}_{S_2}(\mathrm{RE}_{S_1}(M))$, $\qquad$ $\mathrm{Dec}_{S_1,S_2}(C) := \mathrm{RD}_{S_1}(\mathrm{KD}_{S_2}(C))$,

where $S_1 \in \{0,1\}^\kappa$ and $S_2$ is the concatenation of a vector $S'_2 \in \{0,1\}^\kappa$ and an index $i \in \{1, \dots, \kappa\}$.

Lemma 5.3. Under the LPN assumption, the scheme (Enc, Dec) satisfies the following:
1. Security under linear related-key attacks.
2. Security under linear key-dependent message attacks.
3. The secret key can be fully recovered via a LIN RK-KDM attack.

Proof. (1) We show that any double encryption Enc whose inner encryption RE is LIN RKA secure is also LIN RKA secure. For an encryption $E$ let $E\mathrm{Real}_S$ and $E\mathrm{Fake}_S$ be the real/fake RKA oracles as defined in Lemma 5.1. We define an oracle-aided randomized function $A^O_{S_2}$ as follows: given a LIN RKA query with shift vector $\Delta = (\Delta_1, \Delta_2)$ and message $M$, the function $A^O_{S_2}$ outputs a sample from $\mathrm{KE}_{S_2+\Delta_2}(O(\Delta_1, M))$. It follows that, for random $S_1$ and every $S_2$,

$\mathrm{EncReal}_{S_1,S_2} \equiv A^{\mathrm{REReal}_{S_1}}_{S_2} \equiv_c A^{\mathrm{REFake}_{S_1}}_{S_2} \equiv \mathrm{EncFake}_{S_1,S_2}$,

where the first and third transitions follow from the definition of $A$ and the second transition is due to the LIN RKA security of RE.

(2) We will need the following observation, which follows from the linear structure of the LPN-based encryption PE. For every key $S_1$ and internal randomness $r$ the inner encryption $\mathrm{RE}_{S_1}(X; r)$ can be written as an (extended) linear mapping $\psi_{M',T'} : X \mapsto M' + T'X$ where $M'$ and $T'$ can be computed based on $S_1$ and $r$ via some efficiently computable mapping $\rho$. Using this observation, we show that the double encryption Enc inherits (extended) LIN KDM security from the outer encryption KE. Formally, let $E\mathrm{Real}_S$ and $E\mathrm{Fake}_S$ be the real/fake KDM oracles for an encryption $E$ as defined in Lemma 5.2. Let $A^O_{S_1}$ be an oracle-aided randomized function which, given an extended LIN KDM query $\psi_{M,T}$, samples randomness $r$ for the inner encryption RE, computes $(M', T') = \rho(S_1, r)$, and queries the oracle $O$ with the composed linear function $\psi : S_2 \mapsto \psi_{M',T'}(\psi_{M,T}(S_1, S_2))$. It is not hard to see that $\psi$ is indeed an extended linear function, and for random $(S_1, S_2)$

$\mathrm{EncReal}_{S_1,S_2} \equiv A^{\mathrm{KEReal}_{S_2}}_{S_1} \equiv_c A^{\mathrm{KEFake}_{S_2}}_{S_1}$,

where the first transition is due to the definition of $A$ (and holds for every $(S_1, S_2)$) and the second transition follows from the security of KE. To complete the proof, define an oracle-aided randomized function $B^O_{S_2}$ which, given a LIN KDM query $\psi_{M,T}$, outputs $O(\mathrm{Enc}_{S_2}(0^{|M|}))$. For random $(S_1, S_2)$ we have that

$A^{\mathrm{KEFake}_{S_2}}_{S_1} \equiv B^{\mathrm{KEFake}_{S_2}}_{S_1} \equiv_c B^{\mathrm{KEReal}_{S_2}}_{S_1} \equiv \mathrm{EncFake}_{S_1,S_2}$,

and item (2) follows.

(3) We show that, given access to the real LIN RK-KDM oracle $\mathrm{EncReal}_{S_1,S_2}$, it is possible to fully recover the key $(S_1, S_2)$. First, use RKA queries to fully recover the key $S_2$ via the attack described in Section 5.2. Second, in order to recover $S_1$, apply a KDM query to obtain an encryption $C$ of $(S_1, S_2)$, and use the decryption algorithm $\mathrm{KD}_{S_2}$ to decrypt the ciphertext $C$. We claim that the resulting value is simply $(S_1, S_2)$. Indeed, by the definition of RE we have that $C = \mathrm{Enc}_{S_1,S_2}(S_1, S_2) = \mathrm{KE}_{S_2}(\mathrm{RE}_{S_1}(S_1, S_2)) = \mathrm{KE}_{S_2}(S_1, S_2)$ and therefore $\mathrm{KD}_{S_2}(C) = (S_1, S_2)$, and the lemma follows.

6 Conclusion

We defined a new combined form of RKA-KDM security, proved that such an encryption scheme can be realized based on the LPN assumption, and showed that the free-XOR technique can be securely instantiated with it. Altogether, our results enable a realization of the free-XOR optimization in the standard model under a well-studied cryptographic assumption.

The new definition of RKA-KDM security further motivates the study of security under related-key and key-dependent attacks. Specifically, in light of our counter-example, it is natural to ask whether LIN RKA-KDM security can be constructed based on some combination of an RKA-secure scheme and a KDM-secure scheme, or better yet, based on more general assumptions (e.g., a CPA-secure encryption scheme). It will also be interesting to find additional applications of RKA/KDM secure primitives.

References

[1] Applebaum, B.: Randomly encoding functions: A new cryptographic paradigm (invited talk). In: ICITS (2011)
[2] Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Advances in Cryptology - CRYPTO 2009 (2009)
[3] Applebaum, B., Harnik, D., Ishai, Y.: Semantic security under related-key attacks and applications. In: ICS (2011)
[4] Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. Computational Complexity 15(2) (2006), preliminary version in Proc. 20th CCC.
[5] Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. In: FOCS '11 (2011)
[6] Bellare, M., Cash, D.: Pseudorandom functions and permutations provably secure against related-key attacks. In: Advances in Cryptology - CRYPTO '10 (2010)
[7] Bellare, M., Hoang, V.T., Rogaway, P.: Garbling schemes. Cryptology ePrint Archive, Report 2012/265 (2012)


More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

LECTURE 9 CANONICAL CORRELATION ANALYSIS

LECTURE 9 CANONICAL CORRELATION ANALYSIS LECURE 9 CANONICAL CORRELAION ANALYSIS Introducton he concept of canoncal correlaton arses when we want to quantfy the assocatons between two sets of varables. For example, suppose that the frst set of

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 Jan. 2017, 14:00-18:00 No extra materal s allowed durng the exam except for pens and a smple calculator (not smartphones).

More information

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions

Basic Regular Expressions. Introduction. Introduction to Computability. Theory. Motivation. Lecture4: Regular Expressions Introducton to Computablty Theory Lecture: egular Expressons Prof Amos Israel Motvaton If one wants to descrbe a regular language, La, she can use the a DFA, Dor an NFA N, such L ( D = La that that Ths

More information

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009

College of Computer & Information Science Fall 2009 Northeastern University 20 October 2009 College of Computer & Informaton Scence Fall 2009 Northeastern Unversty 20 October 2009 CS7880: Algorthmc Power Tools Scrbe: Jan Wen and Laura Poplawsk Lecture Outlne: Prmal-dual schema Network Desgn:

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition (IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer

More information

Composite Hypotheses testing

Composite Hypotheses testing Composte ypotheses testng In many hypothess testng problems there are many possble dstrbutons that can occur under each of the hypotheses. The output of the source s a set of parameters (ponts n a parameter

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system

Transfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

TOPICS MULTIPLIERLESS FILTER DESIGN ELEMENTARY SCHOOL ALGORITHM MULTIPLICATION

TOPICS MULTIPLIERLESS FILTER DESIGN ELEMENTARY SCHOOL ALGORITHM MULTIPLICATION 1 2 MULTIPLIERLESS FILTER DESIGN Realzaton of flters wthout full-fledged multplers Some sldes based on support materal by W. Wolf for hs book Modern VLSI Desgn, 3 rd edton. Partly based on followng papers:

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

Finding Dense Subgraphs in G(n, 1/2)

Finding Dense Subgraphs in G(n, 1/2) Fndng Dense Subgraphs n Gn, 1/ Atsh Das Sarma 1, Amt Deshpande, and Rav Kannan 1 Georga Insttute of Technology,atsh@cc.gatech.edu Mcrosoft Research-Bangalore,amtdesh,annan@mcrosoft.com Abstract. Fndng

More information

Finding Primitive Roots Pseudo-Deterministically

Finding Primitive Roots Pseudo-Deterministically Electronc Colloquum on Computatonal Complexty, Report No 207 (205) Fndng Prmtve Roots Pseudo-Determnstcally Ofer Grossman December 22, 205 Abstract Pseudo-determnstc algorthms are randomzed search algorthms

More information

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1

C/CS/Phy191 Problem Set 3 Solutions Out: Oct 1, 2008., where ( 00. ), so the overall state of the system is ) ( ( ( ( 00 ± 11 ), Φ ± = 1 C/CS/Phy9 Problem Set 3 Solutons Out: Oct, 8 Suppose you have two qubts n some arbtrary entangled state ψ You apply the teleportaton protocol to each of the qubts separately What s the resultng state obtaned

More information

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003 Tornado and Luby Transform Codes Ashsh Khst 6.454 Presentaton October 22, 2003 Background: Erasure Channel Elas[956] studed the Erasure Channel β x x β β x 2 m x 2 k? Capacty of Noseless Erasure Channel

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations

1 Derivation of Rate Equations from Single-Cell Conductance (Hodgkin-Huxley-like) Equations Physcs 171/271 -Davd Klenfeld - Fall 2005 (revsed Wnter 2011) 1 Dervaton of Rate Equatons from Sngle-Cell Conductance (Hodgkn-Huxley-lke) Equatons We consder a network of many neurons, each of whch obeys

More information

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 2/21/2008. Notes for Lecture 8 U.C. Berkeley CS278: Computatonal Complexty Handout N8 Professor Luca Trevsan 2/21/2008 Notes for Lecture 8 1 Undrected Connectvty In the undrected s t connectvty problem (abbrevated ST-UCONN) we are gven

More information

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1.

763622S ADVANCED QUANTUM MECHANICS Solution Set 1 Spring c n a n. c n 2 = 1. 7636S ADVANCED QUANTUM MECHANICS Soluton Set 1 Sprng 013 1 Warm-up Show that the egenvalues of a Hermtan operator  are real and that the egenkets correspondng to dfferent egenvalues are orthogonal (b)

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

MMA and GCMMA two methods for nonlinear optimization

MMA and GCMMA two methods for nonlinear optimization MMA and GCMMA two methods for nonlnear optmzaton Krster Svanberg Optmzaton and Systems Theory, KTH, Stockholm, Sweden. krlle@math.kth.se Ths note descrbes the algorthms used n the author s 2007 mplementatons

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

MATH 5707 HOMEWORK 4 SOLUTIONS 2. 2 i 2p i E(X i ) + E(Xi 2 ) ä i=1. i=1

MATH 5707 HOMEWORK 4 SOLUTIONS 2. 2 i 2p i E(X i ) + E(Xi 2 ) ä i=1. i=1 MATH 5707 HOMEWORK 4 SOLUTIONS CİHAN BAHRAN 1. Let v 1,..., v n R m, all lengths v are not larger than 1. Let p 1,..., p n [0, 1] be arbtrary and set w = p 1 v 1 + + p n v n. Then there exst ε 1,..., ε

More information

Lecture 12: Discrete Laplacian

Lecture 12: Discrete Laplacian Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Homework Assignment 3 Due in class, Thursday October 15

Homework Assignment 3 Due in class, Thursday October 15 Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.

More information

a b a In case b 0, a being divisible by b is the same as to say that

a b a In case b 0, a being divisible by b is the same as to say that Secton 6.2 Dvsblty among the ntegers An nteger a ε s dvsble by b ε f there s an nteger c ε such that a = bc. Note that s dvsble by any nteger b, snce = b. On the other hand, a s dvsble by only f a = :

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Refined Coding Bounds for Network Error Correction

Refined Coding Bounds for Network Error Correction Refned Codng Bounds for Network Error Correcton Shenghao Yang Department of Informaton Engneerng The Chnese Unversty of Hong Kong Shatn, N.T., Hong Kong shyang5@e.cuhk.edu.hk Raymond W. Yeung Department

More information

Channel Encoder. Channel. Figure 7.1: Communication system

Channel Encoder. Channel. Figure 7.1: Communication system Chapter 7 Processes The model of a communcaton system that we have been developng s shown n Fgure 7.. Ths model s also useful for some computaton systems. The source s assumed to emt a stream of symbols.

More information

Anti-van der Waerden numbers of 3-term arithmetic progressions.

Anti-van der Waerden numbers of 3-term arithmetic progressions. Ant-van der Waerden numbers of 3-term arthmetc progressons. Zhanar Berkkyzy, Alex Schulte, and Mchael Young Aprl 24, 2016 Abstract The ant-van der Waerden number, denoted by aw([n], k), s the smallest

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Formulas for the Determinant

Formulas for the Determinant page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

Computing Correlated Equilibria in Multi-Player Games

Computing Correlated Equilibria in Multi-Player Games Computng Correlated Equlbra n Mult-Player Games Chrstos H. Papadmtrou Presented by Zhanxang Huang December 7th, 2005 1 The Author Dr. Chrstos H. Papadmtrou CS professor at UC Berkley (taught at Harvard,

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

Witness Encryption from Instance Independent Assumptions

Witness Encryption from Instance Independent Assumptions Wtness Encrypton from Instance Independent Assumptons Crag Gentry IBM Research, T.J. Watson cbgentry@us.bm.com Brent Waters Unversty of Texas at Austn bwaters@cs.utexas.edu Allson Bshop Lewko Columba Unversty

More information

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space.

Linear, affine, and convex sets and hulls In the sequel, unless otherwise specified, X will denote a real vector space. Lnear, affne, and convex sets and hulls In the sequel, unless otherwse specfed, X wll denote a real vector space. Lnes and segments. Gven two ponts x, y X, we defne xy = {x + t(y x) : t R} = {(1 t)x +

More information