Provable Security in Symmetric Key Cryptography


1 Provable Security in Symmetric Key Cryptography. Jooyoung Lee, Faculty of Mathematics and Statistics, Sejong University. July 5, 2012

2 Outline 1. Security Proof of Blockcipher-based Hash Functions. 2. Security Proof of a Feistel Cipher.

3 Blockcipher A k-bit key, n-bit blockcipher is a function (algorithm) $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ such that each key $K \in \{0,1\}^k$ defines a permutation $E(\cdot, K)$ on $\{0,1\}^n$.

4 Hash Function An n-bit hash function is a function (algorithm) $H : \{0,1\}^* \to \{0,1\}^n$ that takes a message of arbitrary length and returns an n-bit message digest.

5 Security Requirements for Hash Functions (Everywhere) Preimage Resistance: hard to find a preimage M such that H(M) = Z for any target image Z. An n-bit hash function should be preimage resistant up to $2^n$ queries. Collision Resistance: hard to find two different messages M, M' such that H(M) = H(M'). An n-bit hash function should be collision resistant up to $2^{n/2}$ queries.

6 Merkle-Damgård Transform Transforms a fixed-size compression function into a hash function. Preserves the collision resistance of a compression function. Allows one to focus on constructing a secure compression function. (Figure: starting from IV, the compression function f is applied to the message blocks M[1], ..., M[l] and finally to the length block ⟨l⟩.)

7 Blockcipher-based Hash Function Why Blockcipher-based Hash Functions? 1. Transfer of the trust in the existing blockcipher to the blockcipher-based hash function. 2. A single implementation of a blockcipher used for both a blockcipher and a hash function. Davies-Meyer Construction: a blockcipher-based compression function in which the message block M is used as the key of E.

8 How Can We Prove Security for the DM-scheme? What We Want to Prove: if the underlying blockcipher is secure, then the resulting DM-scheme is also secure. We Need to Specify: what is meant by a "secure blockcipher"; what an adversary A is able to do; what the goal of A is. Then we need to prove that the probability of A achieving the goal is small.

9 Ideal Cipher Model Ideal Cipher Model: BC(k, n) = {blockciphers with n-bit bl
ocks and k-bit keys}. A blockcipher E is randomly chosen from BC(k, n). Attack Model: adversary A is allowed two types of oracle queries, $E_K(X)$ and $E_K^{-1}(Y)$, for $X, Y \in \{0,1\}^n$ and $K \in \{0,1\}^k$. Information-theoretic security: consider an adversary with no limit to its available time and memory. * In this talk, we will focus on information-theoretic security.

10–25 Recording Query History: Simulation of an Ideal Cipher by Lazy Sampling The ideal cipher is not chosen in advance but simulated by lazy sampling. For each key K the simulator keeps the set $D_K$ of domain points and the set $R_K$ of range points already assigned under K (both initially empty). Forward query $(K_1, X_1)$: the simulator samples $Y_1 \xleftarrow{\$} \{0,1\}^n \setminus R_{K_1}$, updates $R_{K_1} \leftarrow R_{K_1} \cup \{Y_1\}$ and $D_{K_1} \leftarrow D_{K_1} \cup \{X_1\}$, returns $Y_1$ and records $(X_1, K_1, Y_1)$. Backward query $(K_2, Y_2)$: the simulator samples $X_2 \xleftarrow{\$} \{0,1\}^n \setminus D_{K_2}$, updates $D_{K_2} \leftarrow D_{K_2} \cup \{X_2\}$ and $R_{K_2} \leftarrow R_{K_2} \cup \{Y_2\}$, returns $X_2$ and records $(X_2, K_2, Y_2)$. A further forward query $(K_3, X_3)$ is answered in the same way by $Y_3 \xleftarrow{\$} \{0,1\}^n \setminus R_{K_3}$, and so on. After q queries the recorded triples $(X_1, K_1, Y_1), (X_2, K_2, Y_2), \ldots, (X_q, K_q, Y_q)$ form the query history Q. The query history Q determines q evaluations of a blockcipher. Each evaluation again determines a unique evaluation of the DM-scheme.

26–28 Collision Security of the DM-scheme A query $(X_i, K_i, Y_i)$, where $Y_i = E_{K_i}(X_i)$, determines one evaluation of the DM-scheme, $DM : (X_i, K_i) \mapsto X_i \oplus Y_i$. The Adversarial Goal: finding a collision, i.e. two queries $(X_i, K_i, Y_i)$ and $(X_j, K_j, Y_j)$ ($i < j$) such that $X_i \oplus Y_i = X_j \oplus Y_j$.

29 Collision Security of the DM-scheme (Black et al. Crypto 2002) For fixed i and j such that $i < j$, $\Pr[X_i \oplus Y_i = X_j \oplus Y_j] \le \frac{1}{2^n - q}$. Therefore $\Pr[X_i \oplus Y_i = X_j \oplus Y_j \text{ for some } i < j] \le \Pr\big[\bigvee_{1 \le i < j \le q} (X_i \oplus Y_i = X_j \oplus Y_j)\big] \le \frac{q^2}{2^n - q}$. The DM-scheme is collision resistant up to $2^{n/2}$ queries.
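The lazy-sampling simulation of slides 10–25 and the DM collision experiment of slide 29, as an added example (this code is not from the slides; the class and function names, and the toy parameters n = 8, q = 4, are our own choices). The simulator keeps $D_K$ and $R_K$ per key exactly as described, records every fresh query in Q, and the experiment compares the empirical collision frequency of a random-query adversary with the bound $q^2/(2^n - q)$:

```python
"""Lazy-sampled ideal cipher with a recorded query history, the DM-scheme
evaluation each query determines, and the collision experiment of slide 29."""
import random
from collections import defaultdict


class LazyIdealCipher:
    """Simulates a blockcipher E drawn uniformly from BC(k, n) by lazy sampling.

    For every key K the simulator keeps D[K], the domain points already
    assigned under K, and R[K], the range points already assigned. A fresh
    forward answer is drawn from {0,1}^n \\ R[K] and a fresh backward answer
    from {0,1}^n \\ D[K], so E(., K) always extends to a permutation.
    Each fresh query is appended to the history Q as a triple (X, K, Y).
    """

    def __init__(self, n, rng=None):
        self.n = n
        self.rng = rng or random.Random()
        self.D = defaultdict(set)   # D_K
        self.R = defaultdict(set)   # R_K
        self.fwd = {}               # (K, X) -> Y  (partial table of E)
        self.bwd = {}               # (K, Y) -> X  (partial table of E^{-1})
        self.history = []           # the query history Q

    def _sample_outside(self, used):
        # Uniform over {0,1}^n minus the already-assigned points.
        if len(used) >= 1 << self.n:
            raise ValueError("permutation under this key is fully defined")
        while True:
            v = self.rng.randrange(1 << self.n)
            if v not in used:
                return v

    def _record(self, K, X, Y):
        self.fwd[(K, X)] = Y
        self.bwd[(K, Y)] = X
        self.D[K].add(X)
        self.R[K].add(Y)
        self.history.append((X, K, Y))

    def E(self, K, X):
        """Forward query E_K(X). A repeated query is answered from the table
        and does not extend Q (it gives the adversary nothing new)."""
        if (K, X) not in self.fwd:
            self._record(K, X, self._sample_outside(self.R[K]))
        return self.fwd[(K, X)]

    def E_inv(self, K, Y):
        """Backward query E_K^{-1}(Y), symmetric to E."""
        if (K, Y) not in self.bwd:
            self._record(K, self._sample_outside(self.D[K]), Y)
        return self.bwd[(K, Y)]


def davies_meyer(triple):
    """The DM evaluation determined by one query: (X, K) -> X xor Y."""
    X, _K, Y = triple
    return X ^ Y


def dm_collision(history):
    """Indices (i, j), i < j, of two queries whose DM outputs collide, or
    None. Distinct triples in Q have distinct (X, K), so equal outputs are
    a genuine collision of the compression function."""
    seen = {}
    for j, triple in enumerate(history):
        h = davies_meyer(triple)
        if h in seen:
            return seen[h], j
        seen[h] = j
    return None


def dm_collision_bound(n, q):
    """Black et al. (Crypto 2002) bound q^2 / (2^n - q) from slide 29."""
    return q * q / (2 ** n - q)


def collision_experiment(n, q, trials, seed=0):
    """Let an adversary make q random forward queries to a fresh lazily
    sampled ideal cipher and report how often Q contains a DM collision,
    next to the proven bound (constructed toy experiment)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        cipher = LazyIdealCipher(n, rng)
        for _ in range(q):
            cipher.E(rng.randrange(1 << n), rng.randrange(1 << n))
        if dm_collision(cipher.history) is not None:
            hits += 1
    return hits / trials, dm_collision_bound(n, q)


if __name__ == "__main__":
    frac, bound = collision_experiment(n=8, q=4, trials=500, seed=1)
    print(f"empirical collision probability {frac:.3f}, bound {bound:.3f}")
```

The empirical frequency stays well under the bound because $q^2/(2^n - q)$ counts every ordered pair; the point of the simulation is that the adversary's view is fully determined by Q, which is what the proof reasons about.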

30 Double-block-length Hash Function Security Weaknesses of SBL Hash Functions: a SBL (single-block-length) hash function is vulnerable to collision attacks due to its short output length. This motivates the design of DBL (double-block-length) hash functions, whose output length is twice the block length of the underlying blockcipher(s). Examples: Abreast-DM, Tandem-DM.

31 Security Proof of Tandem-DM A 3n-bit to 2n-bit compression function making two calls to a blockcipher using 2n-bit keys. Proposed by Lai and Massey in Eurocrypt 1992. The first security proof was given in FSE 2009, and its extension in ProvSec 2010. At Crypto 2011, Lee et al. pointed out flaws in the previous proofs and presented a new proof.

32 Evaluation of Tandem-DM Two queries $(A, B\|L, R), (B, L\|R, S) \in Q$ determine one evaluation of $TDM^E : \{0,1\}^{3n} \to \{0,1\}^{2n}$: with $R = E_{B\|L}(A)$ (the query in the TL position) and $S = E_{L\|R}(B)$ (the query in the BL position), $TDM^E(A, B, L) = (A \oplus R, B \oplus S)$.

33 Collision Security of Tandem-DM Difficulty: a single evaluation of Tandem-DM (as of most DBL schemes) is determined by two queries. Naive Approach: consider four queries $1 \le i, j, i', j' \le q$. Two evaluations of Abreast-DM determined by the i, j-th queries and by the i', j'-th queries collide with probability at most $1/(2^n - q)^2$. The collision finding advantage is then at most $q^4/(2^n - q)^2$. (Figure: two evaluations side by side; the queries of the first are labelled TL, BL and those of the second TR, BR.)

34–36 Collisions in Tandem-DM The goal of a collision-finding adversary A: to find queries $(A, B\|L, R), (B, L\|R, S), (A', B'\|L', R'), (B', L'\|R', S')$ in Q such that $(A, B, L) \ne (A', B', L')$, $A \oplus R = A' \oplus R'$ and $B \oplus S = B' \oplus S'$. The predicate Coll(Q) is true if and only if such queries exist in Q. We want to upper bound $\Pr[\mathrm{Coll}(Q)] = \mathrm{Adv}^{\mathrm{coll}}_{TDM^E}(A)$, i.e. we want $\Pr[\mathrm{Coll}(Q)]$ to be small. (Figure: the two evaluations, with queries TL, BL on the left and TR, BR on the right.)
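How a query history Q determines Tandem-DM evaluations (slide 32) and how the predicate Coll(Q) of slides 34–36 is decided, as an added example; the code is ours, not from the slides. Keys are 2n-bit integers written hi‖lo = (hi << n) | lo, n = 4 is a toy block size, the two histories are constructed by hand (one exhibiting $\mathrm{Coll}_1$ with four distinct queries, one being the $\mathrm{Coll}_2$ example of the next slide), and the case classification by the positions TL, BL, TR, BR follows slide 37:

```python
"""Tandem-DM evaluations determined by a query history Q, the predicate
Coll(Q) of slides 34-36, and the Coll_1 / Coll_2 / Coll_3 split of slide 37.
Keys are 2n-bit integers hi||lo = (hi << n) | lo."""


def split_key(K, n):
    """Split a 2n-bit key into its two n-bit halves (hi, lo)."""
    return K >> n, K & ((1 << n) - 1)


def join_key(hi, lo, n):
    """Concatenate two n-bit halves into a 2n-bit key hi||lo."""
    return (hi << n) | lo


def tandem_dm_evaluations(history, n):
    """Every Tandem-DM evaluation determined by two queries in Q.

    A triple (A, B||L, R) may sit in the TL position; its partner in the BL
    position is the triple (B, L||R, S). Each pair found gives one evaluation
    (inputs (A, B, L), outputs (A^R, B^S), tl, bl) where tl and bl are the
    indices of the two queries in Q (they coincide when a query is its own
    partner).
    """
    table = {(X, K): (Y, idx) for idx, (X, K, Y) in enumerate(history)}
    evaluations = []
    for tl, (A, K, R) in enumerate(history):
        B, L = split_key(K, n)
        hit = table.get((B, join_key(L, R, n)))
        if hit is not None:
            S, bl = hit
            evaluations.append(((A, B, L), (A ^ R, B ^ S), tl, bl))
    return evaluations


def find_collision(history, n):
    """Coll(Q): two evaluations with distinct inputs and equal outputs,
    returned as a pair of evaluation records, or None."""
    by_output = {}
    for ev in tandem_dm_evaluations(history, n):
        inputs, outputs = ev[0], ev[1]
        other = by_output.get(outputs)
        if other is not None and other[0] != inputs:
            return other, ev
        by_output.setdefault(outputs, ev)
    return None


def collision_case(ev_left, ev_right):
    """Slide 37: 2 if TL = BL or TR = BR, 3 if TL = BR or BL = TR, else 1."""
    tl, bl = ev_left[2], ev_left[3]
    tr, br = ev_right[2], ev_right[3]
    if tl == bl or tr == br:
        return 2
    if tl == br or bl == tr:
        return 3
    return 1


N_BITS = 4

# Constructed history exhibiting Coll_1: four distinct queries forming the
# evaluations (1, 2, 3) -> (5, 4) and (9, 7, 0) -> (5, 4).
Q_COLL1 = [
    (1, join_key(2, 3, N_BITS), 4),    # TL: E_{2||3}(1) = 4
    (2, join_key(3, 4, N_BITS), 6),    # BL: E_{3||4}(2) = 6
    (9, join_key(7, 0, N_BITS), 12),   # TR: E_{7||0}(9) = 12
    (7, join_key(0, 12, N_BITS), 3),   # BR: E_{0||12}(7) = 3
]

# Constructed history for the Coll_2 example of slide 37: (A, A||A, A) and
# (B, B||B, B) with A != B; each query is both TL and BL of its evaluation
# and both evaluations output (0, 0).
Q_COLL2 = [(3, join_key(3, 3, N_BITS), 3), (5, join_key(5, 5, N_BITS), 5)]


if __name__ == "__main__":
    for name, Q in (("Q_COLL1", Q_COLL1), ("Q_COLL2", Q_COLL2)):
        hit = find_collision(Q, N_BITS)
        print(name, "evaluations:", tandem_dm_evaluations(Q, N_BITS))
        print(name, "collision case:", collision_case(*hit) if hit else None)
```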

37–38 Case Analysis $\mathrm{Coll}(Q) \Rightarrow \mathrm{Coll}_1(Q) \vee \mathrm{Coll}_2(Q) \vee \mathrm{Coll}_3(Q)$, where $\mathrm{Coll}_1(Q)$: Q has a collision with TL, BL, TR, BR distinct; $\mathrm{Coll}_2(Q)$: Q has a collision with TL = BL or TR = BR; $\mathrm{Coll}_3(Q)$: Q has a collision with TL = BR or BL = TR. Ex) $\mathrm{Coll}_2(Q)$ occurs if $(A, A\|A, A)$ and $(B, B\|B, B)$ with $A \ne B$ exist in Q: each of these queries serves as both TL and BL of its evaluation, and both evaluations output $(0^n, 0^n)$. We are going to focus on upper bounding $\Pr[\mathrm{Coll}_1(Q)]$.

39–40 Upper bounding $\Pr[\mathrm{Coll}_1(Q)]$ General Framework: 1. Upper bound the probability of $\mathrm{Coll}_1^i(Q)$, the event that the i-th query completes a collision. 2. Union bound by summing the upper bounds over all possible queries i = 1, ..., q. (If the upper bounds are independent of each query, then we can just multiply by q.) How can we upper bound $\Pr[\mathrm{Coll}_1^i(Q)]$?

41–43 Upper bounding $\Pr[\mathrm{Coll}_1^i(Q)]$ By symmetry, we can assume the last query is either TL or BL. The last query is TL and backward: Case 1; TL and forward: Case 2; BL and backward: Case 3; BL and forward: Case 4. Union bound: $\Pr[\mathrm{Coll}_1^i(Q)] \le \Pr[\text{Case 1}] + \Pr[\text{Case 2}] + \Pr[\text{Case 3}] + \Pr[\text{Case 4}]$.

44–48 Case 1: The Last Query is TL and Backward 1. At the point when TL is queried (a backward query $E^{-1}_{B\|L}(R)$ whose answer A is still unknown), B, L, R are fixed. 2. B, L, R uniquely determine BL, and hence $B \oplus S$. 3. The number of BR-queries $(B', L'\|R', S')$ such that $B' \oplus S' = B \oplus S$ is at most α except with small probability. 4. Each of these BR-queries uniquely determines TR, and hence $A' \oplus R'$. 5. The response should be $A = A' \oplus R' \oplus R$, so $\Pr[\text{Case 1}] \le \frac{\alpha}{2^n - q}$ (except with the "bad event").

49–51 Case 2: The Last Query is TL and Forward. Subcase 2a: the BL-query is Backward 1. At the point when TL is queried (a forward query $E_{B\|L}(A)$), A, B, L are fixed. 2. The number of backward queries whose answer is B is at most α except with small probability. 3. Since each such backward query (a query $E^{-1}_{L\|R}(S)$ answered by B) uniquely determines R, $\Pr[\text{Subcase 2a}] \le \frac{\alpha}{2^n - q}$ (except with the "bad event").

52–55 Case 2: The Last Query is TL and Forward. Subcase 2b: the BL-query is Forward 1. At the point when TL is queried, A, B, L are fixed. 2. The number of forward queries whose input block is B? It is hard to probabilistically restrict this number! We want to eliminate this case.

56 Main Idea: Modified Adversary A' A' runs A as a subroutine and records its query history Q'. If A makes a forward query $E_{L\|R}(B)$, then A' makes the query $E_{L\|R}(B)$ and an additional query $E^{-1}_{B\|L}(R)$. If A makes a backward query $E^{-1}_{B\|L}(R)$, then A' makes the query $E^{-1}_{B\|L}(R)$ and an additional query $E_{L\|R}(B)$.

57–59 The Property of the Modified Adversary If A makes q queries, then A' makes at most 2q queries. Since $Q \subseteq Q'$, $\mathrm{Adv}^{\mathrm{coll}}_{TDM^E}(A) \le \mathrm{Adv}^{\mathrm{coll}}_{TDM^E}(A')$. If A' obtains the BL position of a certain evaluation by a forward query, then A' will immediately make an additional backward query and place it at the TL position. Hence, if the TL position of a certain evaluation is obtained by a forward query after the BL position is determined, then the BL query must have been obtained by a backward query. It means that A' does not create Subcase 2b.
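The modified adversary A' of slides 56–59 as an added, runnable example (our code, not from the slides). The oracle it queries is a constructed toy keyed permutation family, not an ideal cipher; A' passes every query of A through and issues the companion query, and the checks at the end verify the two properties the slides rely on: $Q \subseteq Q'$ with $|Q'| \le 2|Q|$, and that every query A made in one direction has its companion in the other direction present in Q'. The class and function names are assumptions of this example:

```python
"""The modified adversary A' of slide 56: every query of A is passed through
and paired with the companion query, so that Q is a subset of Q' and
|Q'| <= 2|Q|. Keys are 2n-bit integers hi||lo = (hi << n) | lo."""
import random


def toy_cipher(n):
    """Constructed stand-in for E: one fixed permutation of {0,1}^n per key,
    derived deterministically from the key. Only here to give A' an oracle."""
    perms = {}

    def perm(K):
        if K not in perms:
            table = random.Random(K).sample(range(1 << n), 1 << n)
            perms[K] = (table, {y: x for x, y in enumerate(table)})
        return perms[K]

    def E(K, X):
        return perm(K)[0][X]

    def E_inv(K, Y):
        return perm(K)[1][Y]

    return E, E_inv


class RecordingOracle:
    """Wraps (E, E_inv) and records every query as a triple (X, K, Y): Q'."""

    def __init__(self, E, E_inv):
        self.E, self.E_inv, self.history = E, E_inv, []

    def fwd(self, K, X):
        Y = self.E(K, X)
        self.history.append((X, K, Y))
        return Y

    def bwd(self, K, Y):
        X = self.E_inv(K, Y)
        self.history.append((X, K, Y))
        return X


class ModifiedAdversary:
    """A': forwards A's queries to the oracle and issues the companion query.
    inner_history is Q, A's own queries, tagged with their direction."""

    def __init__(self, oracle, n):
        self.oracle, self.n = oracle, n
        self.mask = (1 << n) - 1
        self.inner_history = []

    def fwd(self, K, X):
        # A asks E_{L||R}(B); A' additionally asks E^{-1}_{B||L}(R).
        L, R = K >> self.n, K & self.mask
        B = X
        S = self.oracle.fwd(K, X)
        self.inner_history.append((X, K, S, "fwd"))
        self.oracle.bwd((B << self.n) | L, R)
        return S

    def bwd(self, K, Y):
        # A asks E^{-1}_{B||L}(R); A' additionally asks E_{L||R}(B).
        B, L = K >> self.n, K & self.mask
        R = Y
        A = self.oracle.bwd(K, Y)
        self.inner_history.append((A, K, R, "bwd"))
        self.oracle.fwd((L << self.n) | R, B)
        return A


def run_random_adversary(n, q, seed=0):
    """A makes q random forward/backward queries through A'. Returns (Q, Q')."""
    rng = random.Random(seed)
    E, E_inv = toy_cipher(n)
    oracle = RecordingOracle(E, E_inv)
    a_prime = ModifiedAdversary(oracle, n)
    for _ in range(q):
        K, V = rng.randrange(1 << (2 * n)), rng.randrange(1 << n)
        if rng.randrange(2):
            a_prime.fwd(K, V)
        else:
            a_prime.bwd(K, V)
    return a_prime.inner_history, oracle.history


def companion_present(inner, outer, n):
    """Slide 57: a forward query (B, L||R, S) of A has its TL companion
    (., B||L, R) in Q'; a backward query (A, B||L, R) has its BL companion
    (B, L||R, .) in Q'."""
    mask = (1 << n) - 1
    keys_outputs = {(K, Y) for (_, K, Y) in outer}
    keys_inputs = {(K, X) for (X, K, _) in outer}
    for (X, K, Y, direction) in inner:
        hi, lo = K >> n, K & mask
        if direction == "fwd" and ((X << n) | hi, lo) not in keys_outputs:
            return False
        if direction == "bwd" and ((lo << n) | Y, hi) not in keys_inputs:
            return False
    return True


if __name__ == "__main__":
    Q, Qp = run_random_adversary(4, 30, seed=7)
    print(len(Q), "queries by A,", len(Qp), "queries by A',",
          "companions present:", companion_present(Q, Qp, 4))
```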

60 Bad Events Xor(Q): $\max_{Z \in \{0,1\}^n} |\{i : X_i \oplus Y_i = Z\}| > \alpha$. FB(Q): $\max_{Z \in \{0,1\}^n} |\{i : (Y_i = Z \wedge \mathrm{Fwd}[i] = 1) \vee (X_i = Z \wedge \mathrm{Bwd}[i] = 1)\}| > \alpha$. Probability of the Bad Events (with $N = 2^n$ and at most 2q queries): for a fixed $Z \in \{0,1\}^n$, $\Pr[|\{i : X_i \oplus Y_i = Z\}| > \alpha] \le \binom{2q}{\alpha}\Big(\frac{1}{N - 2q}\Big)^\alpha \le \Big(\frac{2qe}{\alpha(N - 2q)}\Big)^\alpha$. Therefore $\Pr[\mathrm{Xor}(Q)] \le \Pr\big[\bigvee_{Z \in \{0,1\}^n} (|\{i : X_i \oplus Y_i = Z\}| > \alpha)\big] \le N\Big(\frac{2eq}{\alpha(N - 2q)}\Big)^\alpha$.

61 Main Result Theorem: for $N = 2^n$, $q < N/2$ and $1 \le \alpha \le 2q$, $\mathrm{Adv}^{\mathrm{coll}}_{TDM^E}(q) \le 2N\Big(\frac{2eq}{\alpha(N - 2q)}\Big)^\alpha + \frac{4q\alpha}{N - 2q} + \frac{4q}{N - 2q}$. Asymptotically, using $\alpha = n/\log n$, $\lim_{n \to \infty} \mathrm{Adv}^{\mathrm{coll}}_{TDM^E}(N/n) = 0$. Numerically, for n = 128 and α = 16, $\mathrm{Adv}^{\mathrm{coll}}_{TDM^E}(\,\cdot\,) < 1/2$.
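A numerical evaluation of the bad-event bound of slide 60 and of the theorem of slide 61, as an added example (our code; the function names are ours). It computes the three terms of the bound on big integers in log space so that n = 128 and larger block sizes do not overflow, searches for the largest q at which the bound is still below 1/2 for n = 128 and α = 16 (the slide's own q value is not reproduced here), and tabulates the asymptotic choice $\alpha = n/\log n$, $q = N/n$ for growing n, taking the logarithm in base 2 as an assumption:

```python
"""Numerical evaluation of the bad-event bound (slide 60) and the Tandem-DM
collision bound (slide 61, Lee-Stam-Steinberger, Crypto 2011)."""
import math


def _ratio(n, q):
    """q / (N - 2q) with N = 2^n, computed on big ints and converted once."""
    N = 1 << n
    if not 2 * q < N:
        raise ValueError("the theorem needs q < N/2")
    return q / (N - 2 * q)


def _power_term(n, q, alpha, factor):
    """factor * N * (2 e q / (alpha (N - 2q)))^alpha, evaluated in log space
    so that it neither overflows nor underflows for large n."""
    log_term = (math.log(factor) + n * math.log(2)
                + alpha * math.log(2 * math.e * _ratio(n, q) / alpha))
    return math.exp(log_term) if log_term < 700 else float("inf")


def xor_bad_event_bound(n, q, alpha):
    """Slide 60: Pr[Xor(Q)] <= N (2eq / (alpha (N - 2q)))^alpha."""
    return _power_term(n, q, alpha, 1)


def tandem_dm_collision_bound(n, q, alpha):
    """Slide 61: 2N (2eq/(alpha(N-2q)))^alpha + 4q alpha/(N-2q) + 4q/(N-2q)."""
    if not 1 <= alpha <= 2 * q:
        raise ValueError("the theorem needs 1 <= alpha <= 2q")
    r = _ratio(n, q)
    return _power_term(n, q, alpha, 2) + 4 * alpha * r + 4 * r


def max_queries_log2(n, alpha, target=0.5):
    """log2 of the largest q for which the slide-61 bound stays below target.
    Every term grows with q, so a binary search over the integers suffices."""
    lo, hi = max(1, math.ceil(alpha / 2)), (1 << n) // 2 - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if tandem_dm_collision_bound(n, mid, alpha) < target:
            lo = mid
        else:
            hi = mid - 1
    return math.log2(lo)


def asymptotic_bounds(ns=(128, 256, 512, 1024, 2048)):
    """Slide 61, asymptotic part: alpha = n / log2 n and q = N / n (log base 2
    is our assumption); the returned bounds should decrease towards 0."""
    out = []
    for n in ns:
        alpha = n / math.log2(n)
        q = (1 << n) // n
        out.append(tandem_dm_collision_bound(n, q, alpha))
    return out


if __name__ == "__main__":
    print("n=128, alpha=16, q=2^120:", tandem_dm_collision_bound(128, 2 ** 120, 16))
    print("largest log2 q with bound < 1/2:", max_queries_log2(128, 16))
    print("asymptotic bounds:", asymptotic_bounds())
```

For n = 128 the dominant term is $4q\alpha/(N - 2q)$, which is why the query threshold sits a few bits below $2^{128}/64$ rather than at the birthday bound for the 2n-bit output.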

62 Exercises Question: prove or disprove the collision resistance of the following SBL compression functions. (Figure: two candidate single-block-length compression functions built from a blockcipher E with inputs X, K and output Y.)

63 Security Proof of a 4-round Feistel Cipher Question: is DES secure? Answer: we cannot guarantee it. Question: is DES secure under the assumption that its round functions and the key schedule are secure? Answer: yes, we can prove it.

64–65 Provable Security: Assumption (Figure: a 4-round Feistel cipher mapping (L, R) to (S, T) with four keyed round functions.) Assumption: 1. The round function $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is secure. 2. Round keys $K_i$, i = 1, 2, 3, 4, are securely generated; more precisely, a random master key K generates independent random keys $K_i$, i = 1, 2, 3, 4. We can prove: the 4-round Feistel cipher is secure.

66 Provable Security: Security Notions Question: what does it mean by "a block cipher is secure"? We will consider a weaker model than an ideal cipher. What does it mean by "a round function is secure"? Answer: even though an adversary is allowed a certain type of attacks with a certain amount of resources, it cannot achieve a certain adversarial goal. * Resources: time, memory and data. Information-theoretic security: if a certain protocol is secure against an adversary with no limit to its available time and memory, then we say the protocol is secure in the information-theoretic sense.

67 Security of a Blockcipher: Pseudorandom Permutation What an adversary A is able to do: blockcipher E is public; A is able to compute $E_K(X)$ and $E_K^{-1}(Y)$ for $X, Y \in \{0,1\}^n$ and $K \in \{0,1\}^k$. For a secret key K, A adaptively makes two types of oracle queries, $E_K(\cdot)$ and $E_K^{-1}(\cdot)$ (CPCA-2). The goal of A: distinguishing the permutation family E from a truly random permutation. Such adversaries are often called distinguishers.

68 Pseudorandom Permutation (PRP) Let $P_{n,n} = \{g : \{0,1\}^n \to \{0,1\}^n \mid g \text{ is a permutation}\}$. For a keyed permutation family $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, Experiment $\mathrm{Exp}^{\mathrm{prp}}_A$: $K \xleftarrow{\$} \{0,1\}^k$, $g \xleftarrow{\$} P_{n,n}$, $i \xleftarrow{\$} \{0,1\}$; $\delta \leftarrow A^{O_i(\cdot), O_i^{-1}(\cdot)}$, where $O_0(\cdot) = E(K, \cdot)$, $O_0^{-1}(\cdot) = E^{-1}(K, \cdot)$, $O_1(\cdot) = g(\cdot)$, $O_1^{-1}(\cdot) = g^{-1}(\cdot)$; if $\delta = i$ then output 1 else output 0. $\mathrm{Adv}^{\mathrm{prp}}_E(A) = \big|\Pr[\mathrm{Exp}^{\mathrm{prp}}_A = 1] - \tfrac{1}{2}\big|$ and $\mathrm{Adv}^{\mathrm{prp}}_E(q) = \max_A \mathrm{Adv}^{\mathrm{prp}}_E(A)$.

69 Security of a Round Function: Pseudorandom Function What an adversary A is able to do: round function f is public; A is able to compute $f_K(X)$ for $X \in \{0,1\}^n$ and $K \in \{0,1\}^k$. For a secret key K, A adaptively makes oracle queries $f_K(\cdot)$ (CPA-2). The goal of A: distinguishing the function family f from a truly random function.

70 Pseudorandom Function (PRF) Let $F_{n,m} = \{g : \{0,1\}^n \to \{0,1\}^m\}$. For a keyed function family $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$, Experiment $\mathrm{Exp}^{\mathrm{prf}}_A$: $K \xleftarrow{\$} \{0,1\}^k$, $g \xleftarrow{\$} F_{n,m}$, $i \xleftarrow{\$} \{0,1\}$; $\delta \leftarrow A^{O_i(\cdot)}$, where $O_0(\cdot) = f(K, \cdot)$ and $O_1(\cdot) = g(\cdot)$; if $\delta = i$ then output 1 else output 0. $\mathrm{Adv}^{\mathrm{prf}}_f(A) = \big|\Pr[\mathrm{Exp}^{\mathrm{prf}}_A = 1] - \tfrac{1}{2}\big|$ and $\mathrm{Adv}^{\mathrm{prf}}_f(q) = \max_A \mathrm{Adv}^{\mathrm{prf}}_f(A)$.

71–73 PRP vs. PRF Definition: if an adversary that adaptively makes forward and backward (encryption and decryption) queries is able to distinguish a keyed permutation family (a block cipher) from a truly random permutation only with a small probability, then the keyed permutation family is called a CPCA-2 secure pseudorandom permutation (PRP). Definition: if an adversary that adaptively makes forward queries is able to distinguish a keyed function family from a truly random function only with a small probability, then the keyed function family is called a CPA-2 secure pseudorandom function (PRF).

74 Deterministic Adversary Making No Redundant Query We can assume: (1) a distinguisher is deterministic: given a probabilistic distinguisher, we can fix its random coins so that the corresponding deterministic algorithm provides the best distinguishing advantage; (2) a distinguisher makes no redundant query: given a distinguisher A that makes redundant queries, we can construct a distinguisher A' that makes no redundant query using A as a subroutine.

75–77 Security Proof: What We Want to Prove Let $\psi[f](L, R) = (R, L \oplus f(R))$ be a 1-round Feistel permutation taking an n-bit function f as a round function. Let $\psi[f_1, \ldots, f_r] = \psi[f_r] \circ \cdots \circ \psi[f_1]$ be an r-round Feistel permutation taking r n-bit functions $f_1, \ldots, f_r$. We will prove that if a round function $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is a CPA-2 secure PRF and a random master key K generates independent random round keys $K_i$, i = 1, 2, 3, 4, then $\psi[f(K_1, \cdot), f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$ is a CPCA-2 secure PRP. It is sufficient to prove this when the round keys $K_i$, i = 1, 2, 3, 4, are chosen independently at random, and in turn it is sufficient to prove that if round functions $f_i : \{0,1\}^n \to \{0,1\}^n$, i = 1, 2, 3, 4, are chosen independently at random, then $\psi[f_1, f_2, f_3, f_4]$ is a CPCA-2 secure PRP.

78 Game Hopping Consider the distinguishing games between consecutive members of the sequence $\psi[f(K_1, \cdot), f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$, $\psi[f_1, f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$, $\psi[f_1, f_2, f(K_3, \cdot), f(K_4, \cdot)]$, $\psi[f_1, f_2, f_3, f(K_4, \cdot)]$, $\psi[f_1, f_2, f_3, f_4]$ and g, where $f_1, f_2, f_3, f_4$ are truly random functions and g is a truly random permutation.

79 Security Proof: What We Want to Prove Theorem: suppose that round functions $f_i : \{0,1\}^n \to \{0,1\}^n$, i = 1, 2, 3, 4, are chosen independently at random. Then for any distinguisher A making q queries, $\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(q) \le \frac{q^2}{2^n}$. * If A is allowed $2^{n/2}$ queries, then A would not be able to distinguish $\psi[f_1, f_2, f_3, f_4]$ from a random permutation.

80 How a Distinguisher Works After making q queries to $O_i(\cdot)$ and $O_i^{-1}(\cdot)$, A obtains a q-tuple of responses $T = (Z_1, \ldots, Z_q) \in (\{0,1\}^{2n})^q$; T is called a transcript. The output of A is a function of the transcript T, denoted by A(T). From T, we can recover q distinct evaluations of $O_i(\cdot)$, say $(L_i, R_i) \mapsto (S_i, T_i)$, i = 1, ..., q. Thus $Z_i$ is either $(L_i, R_i)$ or $(S_i, T_i)$ for i = 1, ..., q.

81 How We Upper Bound the Advantage Probability $P_2$ that A outputs δ = 1 conditioned on i = 1: $P_2 = \frac{\text{number of } g \in P_{2n,2n} \text{ such that } A^{g, g^{-1}} \text{ outputs } 1}{|P_{2n,2n}|} = \sum_{T : A(T) = 1} \frac{\text{number of } g \in P_{2n,2n} \text{ yielding } T}{2^{2n}!} = \frac{M\,(2^{2n} - q)!}{2^{2n}!} = \frac{M}{2^{2n}(2^{2n} - 1) \cdots (2^{2n} - q + 1)} = \frac{M}{2^{2nq}\big(1 - \frac{1}{2^{2n}}\big)\big(1 - \frac{2}{2^{2n}}\big) \cdots \big(1 - \frac{q-1}{2^{2n}}\big)}$, where M is the number of transcripts T such that A(T) = 1. (A permutation g uniquely determines T.)

82 How We Upper Bound the Advantage Probability $P_1$ that A outputs δ = 1 conditioned on i = 0: $P_1 = \frac{\text{number of } (f_1, f_2, f_3, f_4) \text{ such that } A^{\psi[f_1, f_2, f_3, f_4],\, \psi[f_1, f_2, f_3, f_4]^{-1}} \text{ outputs } 1}{F_0^4} = \sum_{T : A(T) = 1} \frac{\text{number of } (f_1, f_2, f_3, f_4) \text{ such that } \psi[f_1, f_2, f_3, f_4] \text{ yields } T}{F_0^4}$, where $F_0 = 2^{n 2^n}$ is the size of $F_{n,n} = \{g : \{0,1\}^n \to \{0,1\}^n\}$. (Functions $(f_1, f_2, f_3, f_4)$ uniquely determine T.)

83 How We Upper Bound the Advantage Since $\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A) = \big|\Pr[\mathrm{Exp}^{\mathrm{prp}}_A = 1] - \tfrac{1}{2}\big| = \big|\tfrac{1}{2}(1 - P_1) + \tfrac{1}{2}P_2 - \tfrac{1}{2}\big| = \tfrac{1}{2}|P_2 - P_1|$, we want to upper bound $|P_2 - P_1|$. We can assume $P_2 \ge P_1$: if $P_2(A) < P_1(A)$, then construct A' that uses A as a subroutine and outputs $\delta \oplus 1$ if A outputs δ. Since $P_1(A') = 1 - P_1(A)$ and $P_2(A') = 1 - P_2(A)$, $P_2(A') > P_1(A')$ and $\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A) = \mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A')$.

84 The Number of Round Functions Compatible with T Lemma: let $(L_i, R_i)$ and $(S_i, T_i)$, $1 \le i \le q$, be distinct inputs and the corresponding outputs. Then the number of 4-tuples of functions $(f_1, f_2, f_3, f_4)$ such that $\psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)$ for all $1 \le i \le q$ is at least $\frac{F_0^4}{2^{2qn}}\Big(1 - \frac{q(q-1)}{2^{n+1}}\Big)^2$, where $F_0 = 2^{n 2^n}$.

85 How We Upper Bound the Advantage Using the previous lemma, $P_1 \ge \frac{M}{2^{2nq}}\Big(1 - \frac{q(q-1)}{2^{n+1}}\Big)^2 = P_2\Big(1 - \frac{1}{2^{2n}}\Big) \cdots \Big(1 - \frac{q-1}{2^{2n}}\Big)\Big(1 - \frac{q(q-1)}{2^{n+1}}\Big)^2 \ge P_2\Big(1 - \frac{q(q-1)}{2^{2n+1}} - \frac{q(q-1)}{2^n}\Big) \ge P_2 - \frac{q^2}{2^{n-1}}$, where we use the inequalities $P_2 \le 1$ and $\prod_{i=1}^q (1 - a_i) \ge 1 - \sum_{i=1}^q a_i$ for any $a_1, \ldots, a_q > 0$. Therefore we have $\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(A) = \tfrac{1}{2}|P_2 - P_1| = \tfrac{1}{2}(P_2 - P_1) \le \frac{q^2}{2^n}$.

86–87 Proof of Lemma: Choosing $f_1$ 1. Choose $f_1$ such that $L_i \oplus f_1(R_i) \ne L_j \oplus f_1(R_j)$ for any $1 \le i < j \le q$. 2. For fixed i and j: if $R_i = R_j$, then $L_i \ne L_j$ and hence any $f_1$ satisfies $L_i \oplus f_1(R_i) \ne L_j \oplus f_1(R_j)$; if $R_i \ne R_j$, then the number of $f_1$ such that $L_i \oplus f_1(R_i) = L_j \oplus f_1(R_j)$ is exactly $F_0/2^n$. At most $\frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}$ functions $f_1$ satisfy $L_i \oplus f_1(R_i) = L_j \oplus f_1(R_j)$ for some i and j. 3. Therefore there are at least $F_0 - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}$ functions $f_1$ such that $L_i \oplus f_1(R_i)$, i = 1, ..., q, are all distinct. (Figure: the 4-round Feistel network on $(L_i, R_i)$, with the value $L_i \oplus f_1(R_i)$ after the first round.)

88–90 Proof of Lemma: Choosing $f_2$ 1. Fix $f_1$ satisfying the condition described in the previous slides. 2. $f_2$ should satisfy $S_i = S_j \Rightarrow U_i = U_j$, where $U_i = T_i \oplus R_i \oplus f_2(L_i \oplus f_1(R_i))$. WLOG, let $S_1 = S_2 = \cdots = S_{i_1} = S^*_1$, $S_{i_1+1} = S_{i_1+2} = \cdots = S_{i_2} = S^*_2$, ..., $S_{i_{l-1}+1} = S_{i_{l-1}+2} = \cdots = S_{i_l} = S^*_l$. Exactly $(2^n)^l (2^n)^{2^n - q} = F_0/2^{(q-l)n}$ functions $f_2$ satisfy the above condition. 3. Among those functions, we would like to collect functions $f_2$ such that $R_i \oplus f_2(L_i \oplus f_1(R_i)) \ne R_j \oplus f_2(L_j \oplus f_1(R_j))$ for any $1 \le i < j \le q$. 4. For fixed i and j: if $S_i = S_j$, then $T_i \ne T_j$ and hence any $f_2$ satisfies the above condition; if $S_i \ne S_j$, then the number of $f_2$ satisfying $R_i \oplus f_2(L_i \oplus f_1(R_i)) = R_j \oplus f_2(L_j \oplus f_1(R_j))$ and the $q - l$ equations for the first condition is exactly $F_0/2^{(q-l+1)n}$. 5. Excluding the bad functions for each (i, j), we have at least $\frac{F_0}{2^{(q-l)n}} - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^{(q-l+1)n}} = \frac{F_0}{2^{(q-l)n}}\Big(1 - \frac{q(q-1)}{2^{n+1}}\Big)$ functions $f_2$ such that $S_i = S_j \Rightarrow U_i = U_j$ and the values $R_i \oplus f_2(L_i \oplus f_1(R_i))$ are all distinct.

91 Proof of Lemma: Choosing $f_3$ 1. Fix $f_1$ and $f_2$ satisfying the conditions described in the previous slides. 2. Choose $f_3$ such that $f_3(R_i \oplus f_2(L_i \oplus f_1(R_i))) = S_i \oplus L_i \oplus f_1(R_i)$ for i = 1, ..., q. 3. The number of such functions is exactly $F_0/2^{qn}$.

92 Proof of Lemma: Choosing $f_4$ 1. Fix $f_1$, $f_2$ and $f_3$ satisfying the conditions described in the previous slides. 2. We would like to choose $f_4$ such that $f_4(S^*_i) = U_i$ for i = 1, ..., l. 3. The number of such functions is exactly $F_0/2^{ln}$.

93 Proof of Lemma: Putting Pieces Together To summarize, the number of $(f_1, f_2, f_3, f_4)$ satisfying $\psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)$, i = 1, ..., q, is at least $\Big(F_0 - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}\Big) \cdot \frac{F_0}{2^{(q-l)n}}\Big(1 - \frac{q(q-1)}{2^{n+1}}\Big) \cdot \frac{F_0}{2^{qn}} \cdot \frac{F_0}{2^{ln}} = \frac{F_0^4}{2^{2qn}}\Big(1 - \frac{q(q-1)}{2^{n+1}}\Big)^2$.

94 What Provable Security Provides The Feistel network is a secure structure for the design of a blockcipher. If a Feistel block cipher turns out to be insecure, its weakness lies in its round function or key schedule algorithm, not in the Feistel network itself.

95 A 3-round Feistel Cipher is NOT a PRP Given a permutation φ: 1. A chooses $L, R \in \{0,1\}^n$ and asks $\varphi(L, R) = (S, T)$. 2. A chooses $L'$ such that $L' \ne L$ and asks $\varphi(L', R) = (S', T')$. 3. A asks $\varphi^{-1}(S', T' \oplus L \oplus L') = (L'', R'')$. 4. A outputs 1 if $R'' = S \oplus S' \oplus R$, and 0 otherwise. Analysis: $P_1 = \Pr[A \text{ outputs } 1 \mid \varphi \text{ is a random permutation}] \approx 1/2^n$. $P_2 = \Pr[A \text{ outputs } 1 \mid \varphi = \psi[f_1, f_2, f_3]] = 1$. Therefore $\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3]}(A) = \tfrac{1}{2}|P_2 - P_1| \approx \tfrac{1}{2} - \frac{1}{2^{n+1}}$.

96 Why $P_2 = 1$ $\psi[f_1, f_2, f_3](L, R) = (S, T) \Rightarrow S = R \oplus f_2(L \oplus f_1(R))$. $\psi[f_1, f_2, f_3]^{-1}(S, T) = (L, R) \Rightarrow R = S \oplus f_2(T \oplus f_3(S))$ and $L = T \oplus f_3(S) \oplus f_1(S \oplus f_2(T \oplus f_3(S))) = T \oplus f_3(S) \oplus f_1(R)$. Hence $\psi[f_1, f_2, f_3]^{-1}(S', T' \oplus L \oplus L') = (L'', R'')$ with $R'' = S' \oplus f_2(T' \oplus L \oplus L' \oplus f_3(S')) = S' \oplus f_2(L \oplus f_1(R)) = S' \oplus (S \oplus R)$.
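The Feistel permutation ψ of slides 75–77, the PRP experiment of slide 68 and the 3-round distinguisher of slides 95–96, as an added example (our code, not from the slides; the function names and the toy block size n = 4 are assumptions). Round functions are drawn as truly random lookup tables, exactly the setting of the theorem on slide 79; the exhaustive check confirms the algebra of slide 96 for every (L, R, L'), and the experiment estimates $\tfrac{1}{2}|P_2 - P_1|$ for three rounds (where the relation always holds) and for four rounds (where, as the theorem predicts for small q, the same test is no better than a guess):

```python
"""Feistel permutation psi (slides 75-77), the PRP experiment (slide 68) run
against psi with random round functions, and the 3-round test of slide 95."""
import random


def random_function(n, rng):
    """A truly random function {0,1}^n -> {0,1}^n as a lookup table."""
    return [rng.randrange(1 << n) for _ in range(1 << n)]


def feistel(fs, L, R):
    """psi[f_1, ..., f_r] = psi[f_r] o ... o psi[f_1] with psi[f](L, R) = (R, L ^ f(R))."""
    for f in fs:
        L, R = R, L ^ f[R]
    return L, R


def feistel_inverse(fs, S, T):
    """psi[f]^{-1}(S, T) = (T ^ f(S), S), applied for f_r, ..., f_1."""
    for f in reversed(fs):
        S, T = T ^ f[S], S
    return S, T


def feistel_oracle(fs):
    """(O, O^{-1}) for the real world i = 0."""
    return (lambda L, R: feistel(fs, L, R)), (lambda S, T: feistel_inverse(fs, S, T))


def random_permutation_oracle(n, rng):
    """(g, g^{-1}) with g uniform in P_{2n,2n}; (L, R) is encoded as L||R."""
    size, mask = 1 << (2 * n), (1 << n) - 1
    table = rng.sample(range(size), size)
    inverse = [0] * size
    for x, y in enumerate(table):
        inverse[y] = x

    def O(L, R):
        y = table[(L << n) | R]
        return y >> n, y & mask

    def O_inv(S, T):
        x = inverse[(S << n) | T]
        return x >> n, x & mask

    return O, O_inv


def three_round_distinguisher(O, O_inv, L, R, L2):
    """Slide 95: three queries; output 1 iff R'' = S ^ S' ^ R (requires L2 != L)."""
    S, T = O(L, R)
    S2, T2 = O(L2, R)
    _, R3 = O_inv(S2, T2 ^ L ^ L2)
    return 1 if R3 == S ^ S2 ^ R else 0


def holds_for_all_inputs(fs, n):
    """Exhaustive check of slide 96: for a 3-round Feistel the relation holds
    for every L, R and L' != L, whatever the round functions are."""
    O, O_inv = feistel_oracle(fs)
    return all(three_round_distinguisher(O, O_inv, L, R, L2) == 1
               for L in range(1 << n) for R in range(1 << n)
               for L2 in range(1 << n) if L2 != L)


def estimate_advantage(n, rounds, trials, seed=0):
    """P_real = Pr[A outputs 1 | psi with `rounds` random round functions],
    P_rand = Pr[A outputs 1 | random permutation]; Adv = |P_real - P_rand| / 2."""
    rng = random.Random(seed)
    ones = [0, 0]
    for which in (0, 1):
        for _ in range(trials):
            if which == 0:
                O, O_inv = feistel_oracle([random_function(n, rng) for _ in range(rounds)])
            else:
                O, O_inv = random_permutation_oracle(n, rng)
            L, R = rng.randrange(1 << n), rng.randrange(1 << n)
            L2 = (L + 1 + rng.randrange((1 << n) - 1)) % (1 << n)   # uniform L' != L
            ones[which] += three_round_distinguisher(O, O_inv, L, R, L2)
    p_real, p_rand = ones[0] / trials, ones[1] / trials
    return p_real, p_rand, abs(p_real - p_rand) / 2


if __name__ == "__main__":
    for rounds in (3, 4):
        print(rounds, "rounds:", estimate_advantage(4, rounds, 400, seed=3))
```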

97 Exercises Question: prove that a 3-round Feistel cipher is a CPA-2 secure pseudorandom function up to $2^{n/2}$ queries. (Figure: 3-round Feistel network with round functions $f_1, f_2, f_3$ mapping (L, R) to (S, T).)

98 References 1. J. Black, P. Rogaway and T. Shrimpton. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV. Crypto 2002, LNCS 2442, Springer-Verlag. 2. J. Lee, M. Stam and J. Steinberger. The Collision Security of Tandem-DM in the Ideal Cipher Model. Crypto 2011, LNCS 6841, Springer-Verlag. 3. J. Patarin. Pseudorandom permutations based on the DES scheme. EUROCODE 1990, LNCS 514, Springer-Verlag, 1991.


More information

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34 Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:

More information

III. Pseudorandom functions & encryption

III. Pseudorandom functions & encryption III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:

More information

Adaptive Preimage Resistance and Permutation-based Hash Functions

Adaptive Preimage Resistance and Permutation-based Hash Functions daptive Preimage Resistance and Permutation-based ash Functions Jooyoung Lee, Je ong Park The ttached Institute of Electronics and Telecommunications Research Institute Yuseong-gu, Daejeon, Korea 305-390

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),

More information

Introduction to Cryptography

Introduction to Cryptography B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability

More information

CPA-Security. Definition: A private-key encryption scheme

CPA-Security. Definition: A private-key encryption scheme CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of

More information

MJH: A Faster Alternative to MDC-2

MJH: A Faster Alternative to MDC-2 MJH: A Faster Alternative to MDC-2 Jooyoung Lee 1 and Martijn Stam 2 1 Sejong University, Seoul, Korea, jlee05@sejongackr 2 University of Bristol, Bristol, United Kingdom, martijnstam@bristolacuk Abstract

More information

New Preimage Attack on MDC-4

New Preimage Attack on MDC-4 New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks

More information

Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing

Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing Preimage Resistance Beyond the Birthday Barrier The Case of Blockcipher Based Hashing Matthias Krause 1, Frederik Armknecht 1, and Ewan Fleischmann 2 1 Arbeitsgruppe Theoretische Informatik und Datensicherheit,

More information

Provable Security of Cryptographic Hash Functions

Provable Security of Cryptographic Hash Functions Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties

More information

Optimal Collision Security in Double Block Length Hashing with Single Length Key

Optimal Collision Security in Double Block Length Hashing with Single Length Key Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.

More information

Security of Cyclic Double Block Length Hash Functions including Abreast-DM

Security of Cyclic Double Block Length Hash Functions including Abreast-DM Security of Cyclic Double Block Length Hash Functions including Abreast-DM Ewan Fleischmann, Michael Gorski, Stefan Lucks {ewan.fleischmann,michael.gorski,stefan.lucks}@uni-weimar.de Bauhaus-University

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Solution of Exercise Sheet 7

Solution of Exercise Sheet 7 saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,

More information

Some Plausible Constructions of Double-Block-Length Hash Functions

Some Plausible Constructions of Double-Block-Length Hash Functions Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,

More information

Modern Cryptography Lecture 4

Modern Cryptography Lecture 4 Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html

More information

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model

A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information

More information

Security of Random Feistel Schemes with 5 or more Rounds

Security of Random Feistel Schemes with 5 or more Rounds Security of Random Feistel Schemes with 5 or more Rounds Jacques Patarin Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract. We study cryptographic attacks on random

More information

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls Ritam Bhaumik, Indian Statistical Institute, Kolkata Eik List, Bauhaus-Universität Weimar, Weimar Mridul Nandi,

More information

Avoiding collisions Cryptographic hash functions. Table of contents

Avoiding collisions Cryptographic hash functions. Table of contents Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash

More information

A Domain Extender for the Ideal Cipher

A Domain Extender for the Ideal Cipher A Domain Extender for the Ideal Cipher Jean-Sébastien Coron 2, Yevgeniy Dodis 1, Avradip Mandal 2, and Yannick Seurin 3,4 1 New York University 2 University of Luxembourg 3 University of Versailles 4 Orange

More information

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from

More information

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5 Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security

More information

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,

More information

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model

Provably Secure Double-Block-Length Hash Functions in a Black-Box Model Provably Secure Double-Block-ength Hash Functions in a Black-Box Model Shoichi Hirose Graduate School o Inormatics, Kyoto niversity, Kyoto 606-8501 Japan hirose@i.kyoto-u.ac.jp Abstract. In CRYPTO 89,

More information

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet

More information

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation. Table of contents Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation

More information

Building Secure Block Ciphers on Generic Attacks Assumptions

Building Secure Block Ciphers on Generic Attacks Assumptions Building Secure Block Ciphers on Generic Attacks Assumptions Jacques Patarin and Yannick Seurin University of Versailles and Orange Labs SAC 2008 August 14-15, 2008 the context security of symmetric primitives

More information

On the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model

On the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model On the ollision and Preimage Security o in the Ideal ipher Model art Mennink Dept. Electrical Engineering, EST/OSI and IT Katholieke Universiteit Leuven, elgium bart.mennink@esat.kuleuven.be bstract. We

More information

An introduction to Hash functions

An introduction to Hash functions An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27

More information

Notes for Lecture 9. 1 Combining Encryption and Authentication

Notes for Lecture 9. 1 Combining Encryption and Authentication U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure

More information

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

REU 2015: Complexity Across Disciplines. Introduction to Cryptography REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i

More information

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley dbrumley@cmu.edu Carnegie Mellon University The Landscape Jargon in Cryptography 2 Good News: OTP has perfect secrecy Thm:

More information

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Limits on the Efficiency of One-Way Permutation-Based Hash Functions Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)

More information

Block Ciphers/Pseudorandom Permutations

Block Ciphers/Pseudorandom Permutations Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable

More information

How (not) to efficiently dither blockcipher-based hash functions?

How (not) to efficiently dither blockcipher-based hash functions? How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

The Indistinguishability of the XOR of k permutations

The Indistinguishability of the XOR of k permutations The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,

More information

Avoiding collisions Cryptographic hash functions. Table of contents

Avoiding collisions Cryptographic hash functions. Table of contents Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks

More information

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function J. Black July 1, 2005 Abstract The Ideal-Cipher Model of a blockcipher is a well-known and widely-used model dating

More information

Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV

Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV J. Black P. Rogaway T. Shrimpton May 31, 2002 Abstract Preneel, Govaerts, and Vandewalle [7] considered the 64 most basic

More information

The Sum of PRPs is a Secure PRF

The Sum of PRPs is a Secure PRF The Sum of PRPs is a Secure PRF Stefan Lucks Theoretische Informatik, Universität Mannheim 68131 Mannheim, Germany lucks@th.informatik.uni-mannheim.de Abstract. Given d independent pseudorandom permutations

More information

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions

CPSC 91 Computer Security Fall Computer Security. Assignment #3 Solutions CPSC 91 Computer Security Assignment #3 Solutions 1. Show that breaking the semantic security of a scheme reduces to recovering the message. Solution: Suppose that A O( ) is a message recovery adversary

More information

BEYOND POST QUANTUM CRYPTOGRAPHY

BEYOND POST QUANTUM CRYPTOGRAPHY BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography

More information

Improved Collision and Preimage Resistance Bounds on PGV Schemes

Improved Collision and Preimage Resistance Bounds on PGV Schemes Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space

More information

Indifferentiability of Double Length Compression Functions

Indifferentiability of Double Length Compression Functions Indifferentiability of Double Length Compression Functions Bart Mennink Dept. Electrical Engineering, ESAT/COSIC, KU Leuven, and iminds, Belgium bart.mennink@esat.kuleuven.be Abstract. Double block length

More information

Cascade Encryption Revisited

Cascade Encryption Revisited Cascade Encryption Revisited Peter Gaži 1,2 and Ueli Maurer 1 1 ETH Zürich, Switzerland Department of Computer Science {gazipete,maurer}@inf.ethz.ch 2 Comenius University, Bratislava, Slovakia Department

More information

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles

Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mix-Compress-Mix Revisited: Dispensing with Non-invertible Random Injection Oracles Mohammad Reza Reyhanitabar and Willy Susilo Centre for Computer and Information Security Research School of Computer

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC

EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC Benoît Cogliati and Yannick Seurin University of Versailles, France benoitcogliati@hotmail.fr ANSSI, Paris, France yannick.seurin@m4x.org

More information

Secure and Practical Identity-Based Encryption

Secure and Practical Identity-Based Encryption Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 5: Pseudorandom functions from pseudorandom generators Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But

More information

The Random Oracle Model and the Ideal Cipher Model are Equivalent

The Random Oracle Model and the Ideal Cipher Model are Equivalent The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-Sébastien Coron 1, Jacques Patarin 2, and Yannick Seurin 2,3 1 University of Luxembourg 2 University of Versailles 3 Orange Labs Abstract.

More information

Improved security analysis of OMAC

Improved security analysis of OMAC Improved security analysis of OMAC Mridul andi CIVESTAV-IP, Mexico City mridul.nandi@gmail.com Abstract. We present an improved security analysis of OMAC, the construction is widely used as a candidate

More information

CPSC 91 Computer Security Fall Computer Security. Assignment #2

CPSC 91 Computer Security Fall Computer Security. Assignment #2 CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible

More information

Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers

Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers Constructing Cryptographic Hash Functions from Fixed-Key Blockciphers Phillip Rogaway 1 and John Steinberger 2 1 Department of Computer Science, University of California, Davis, USA 2 Department of Mathematics,

More information

Provable Chosen-Target-Forced-Midx Preimage Resistance

Provable Chosen-Target-Forced-Midx Preimage Resistance Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15 Introduction Hash Functions 2 /

More information

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

On The Security of The ElGamal Encryption Scheme and Damgård s Variant On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca

More information

On Generalized Feistel Networks

On Generalized Feistel Networks On Generalized Feistel Networks Viet Tung Hoang and Phillip Rogaway Dept. of Computer Science, University of California, Davis, USA Abstract. We prove beyond-birthday-bound security for most of the well-known

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

Optimally Secure Block Ciphers from Ideal Primitives

Optimally Secure Block Ciphers from Ideal Primitives Optimally Secure Block Ciphers from Ideal Primitives Stefano Tessaro Department of Computer Science University of California, Santa Barbara tessaro@cs.ucsb.edu http://www.cs.ucsb.edu/~tessaro/ Abstract.

More information

SPCS Cryptography Homework 13

SPCS Cryptography Homework 13 1 1.1 PRP For this homework, use the ollowing PRP: E(k, m) : {0, 1} 3 {0, 1} 3 {0, 1} 3 000 001 010 011 100 101 110 111 m 000 011 001 111 010 000 101 110 100 001 101 110 010 000 111 100 001 011 010 001

More information

Random Oracles in a Quantum World

Random Oracles in a Quantum World Dan Boneh 1 Özgür Dagdelen 2 Marc Fischlin 2 Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of Technology, Germany 3 IBM Research Zurich,

More information

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m] Midterm Review Sheet The definition of a private-key encryption scheme. It s a tuple Π = ((K n,m n,c n ) n=1,gen,enc,dec) where - for each n N, K n,m n,c n are sets of bitstrings; [for a given value of

More information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida Stream ciphers Pawel Wocjan Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu Definition of block ciphers Block ciphers: crypto work horse n bits

More information

Lecture 14: Cryptographic Hash Functions

Lecture 14: Cryptographic Hash Functions CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is

More information

The Random Oracle Model and the Ideal Cipher Model are Equivalent

The Random Oracle Model and the Ideal Cipher Model are Equivalent The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin

Verifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable

More information

Transitive Signatures Based on Non-adaptive Standard Signatures

Transitive Signatures Based on Non-adaptive Standard Signatures Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing

More information

On the Round Security of Symmetric-Key Cryptographic Primitives

On the Round Security of Symmetric-Key Cryptographic Primitives On the Round Security of Symmetric-Key Cryptographic Primitives Zulfikar Ramzan Leonid Reyzin. November 30, 000 Abstract We put forward a new model for understanding the security of symmetric-key primitives,

More information

Semantic Security of RSA. Semantic Security

Semantic Security of RSA. Semantic Security Semantic Security of RSA Murat Kantarcioglu Semantic Security As before our goal is to come up with a public key system that protects against more than total break We want our system to be secure against

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Reset Indifferentiability and its Consequences

Reset Indifferentiability and its Consequences Reset Indifferentiability and its Consequences ASIACRYPT 2013 Paul Baecher, Christina Brzuska, Arno Mittelbach Tel Aviv University & Darmstadt University of Technology; supported by DFG Heisenberg and

More information

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Lecture 7: Boneh-Boyen Proof & Waters IBE System CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Notes on Property-Preserving Encryption

Notes on Property-Preserving Encryption Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it

More information

Message Authentication Codes from Unpredictable Block Ciphers

Message Authentication Codes from Unpredictable Block Ciphers Message Authentication Codes from Unpredictable Block Ciphers Yevgeniy Dodis John Steinberger July 9, 2009 Abstract We design an efficient mode of operation on block ciphers, SS-NMAC. Our mode has the

More information

CS 6260 Applied Cryptography

CS 6260 Applied Cryptography CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,

More information