Public-seed Pseudorandom Permutations EUROCRYPT PDF Free Download

Public-seed Pseudorandom Permutations Pratik Soni UC Santa Barbara Stefano Tessaro UC Santa Barbara EUROCRYPT 2017

Cryptographic schemes often built from generic building blocks

Cryptographic schemes often built from generic building blocks Typically: Block ciphers, hash/compression functions! M 1 M 2 M l K ipad M IV E K E K H H block cipher (e.g., AES) hash function (e.g., SHA-3) K opad

Recent trend: Start from seedless permutation

Recent trend: Start from seedless permutation Sponge paradigm

Recent trend: Start from seedless permutation Sponge paradigm Here: π is an efficiently computable and invertible one-to-one function

Permutations Hashing MACs Garbling KDFs PRNGs Authenticated Encryption it would be nice, now, if permutations can be called the Swiss Army Knife [of cryptography] Joan Daemen, Passwords^12

Typical instantiations

Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis

Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis Fixed-key block ciphers e.g., π x AES(0 128, x) AES 0 128

Typical instantiations Ad-hoc construction e.g., in KECCAK, NORX, Designed to withstand cryptanalysis Fixed-key block ciphers e.g., π x AES(0 128, x) AES 0 128 Faster, no re-keying costs! Faster Hash functions [RS08], fast garbling [BHKR13]

Permutations assumptions Permutations are great in practice, but what about theory?

Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. S 0 0 π π π

Permutations assumptions Permutations are great in practice, but what about theory? Goal: Standard-model reduction: If π satisfies X then C[π] satisfies Y. e.g., C = KECCAK; Y = Anything non-trivial X =??? S 0 0 π π π Observation: No standard-model proofs known for permutationbased constructions! Common approach: Use random permutation (RP) model π is random + adversary given oracle access to π and π 1

But: random permutations do not exist [CGH98]

But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks

But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model Hash functions random oracle

But: random permutations do not exist [CGH98] RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: ideal model standard model Hash functions Permutations random oracle RP CRHF, OWFs, UOWHFs, CI, UCEs???? What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness

This work, in a nutshell First plausible and useful standard-model security assumption for permutations.

This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps)

This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions:

This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) We address two main questions: Can we get psprps at all?

This work, in a nutshell First plausible and useful standard-model security assumption for permutations. Public-seed Pseudorandom Permutations (psprps) inspired by the UCE framework [BHK13] We address two main questions: Can we get psprps at all? Are psprps useful?

psprps have many applications

psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Message-locked Encryption (MLE) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Efficient garbling from fixed-key block-ciphers

psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

psprps have many applications Deterministic & Hedged PKE Immunizing backdoored PRGs psprp Feistel Sponges UCE Message-locked Encryption (MLE) Point function Obfuscation (PFOB) CCA-secure Enc. (CCA) Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Efficient garbling from fixed-key block-ciphers

Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

We consider seeded permutations π 0,1 n 0,1 n P = (Gen, π, π 1 )

We consider seeded permutations π 0,1 n 0,1 n P = (Gen, π, π 1 ) Efficient (poly-time) algorithms π s 1 λ Gen s x π s x y π s 1 π s 1 y Seed generation Forward evaluation Backward evaluation (1) π s 0,1 n 0,1 n (2) x π s 1 π s x = x

Traditional security notion if seed is secret: Pseudorandom Permutation

Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 0/1

Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 5 0/1 Stage 1: Oracle access Secret seed Stage 2: Learns seed No oracle access

Traditional security notion if seed is secret: Pseudorandom Permutation s Gen(1 λ ) ρ Perms(n) π s / π s 1 ρ/ρ 1 D 5 0/1 Stage 1: Oracle access Secret seed Limited information flow Stage 2: Learns seed No oracle access

UCE security H = (Gen, h) Bellare Hoang Keelveedhi

UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source H = (Gen, h) Bellare Hoang Keelveedhi

UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source L H = (Gen, h) D distinguisher Bellare Hoang Keelveedhi

UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D distinguisher Bellare Hoang Keelveedhi

UCE security h s s Gen(1 λ ) f Funcs(m, n) f S source s L H = (Gen, h) D 0/1 distinguisher Bellare Hoang Keelveedhi

psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S D

psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! D

psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D

psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1

psprp security π s /π s 1 s Gen(1 λ ) ρ Perms(n) ρ/ρ 1 P = (Gen, π, π 1 ) S Makes forward and backward queries! s L D 0/1 P is psprp-secure if PPT S, D, left and right are indistinguishable.

P is psprp-secure if PPT S, D,

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π s ρ Perms(n) ρ/ρ 1 S

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π s ρ Perms(n) ρ/ρ 1 (+, 0 n ) S (+, 0 n )

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n )

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y D

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y Outputs 1 iff y = π s 0 n D

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 (+, 0 n ) y S y (+, 0 n ) s L = y Outputs 1 iff y = π s 0 n D 1 with prob. 1

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 y y (+, 0 n ) (+, 0 n ) S s L = y Outputs 1 iff y = π s 0 n D 1 1 with prob. 1 with prob. 1/2 n

P is psprp-secure if PPT S, D, s Gen(1 λ ) 1 π s /π ρ Perms(n) s ρ/ρ 1 y y (+, 0 n ) (+, 0 n ) S s L = y Outputs 1 iff y = π s 0 n D 1 1 with prob. 1 with prob. 1/2 n psprp-security is impossible against all sources!

Sources need to be restricted P = (Gen, π, π 1 ) all sources

Sources need to be restricted P = (Gen, π, π 1 ) all sources S

Sources need to be restricted P = (Gen, π, π 1 ) all sources s Gen(1 λ ) π s /π s 1 ρ Perms(n) ρ/ρ 1 S S s L D 0/1 P is psprp[s]-secure if S S and PPT D, left and right are indistinguishable.

This talk unpredictable and reset-secure sources all sources

This talk unpredictable and reset-secure sources all sources S sup unpredictable

This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources

This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources!

This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources! S sup S srs

This talk unpredictable and reset-secure sources reset-secure S srs S sup unpredictable all sources Both restrictions model that D cannot predict the queries made by the sources! S sup S srs psprp S srs is a stronger assumption than psprp S sup

Source restrictions unpredictability ρ Perms(n) S ρ/ρ 1 A

Source restrictions unpredictability σ {+, } S (σ, x i ) ρ Perms(n) ρ/ρ 1 A

Source restrictions unpredictability σ {+, } S (σ, x i ) ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A

Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A

Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} L A

Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ)

Source restrictions unpredictability σ {+, } S (σ, x i ) y i ρ Perms(n) ρ/ρ 1 Q Q { σ, x i, (σ, y i )} A L It should be hard for A to predict any of S s queries or its inverse Q Pr [ Q Q φ] = negl(λ) S sup : A is computationally unbounded S cup : A is PPT

Source restrictions reset-security

Source restrictions reset-security S ρ/ρ 1 ρ Perms(n) R

Source restrictions reset-security S ρ/ρ 1 L ρ Perms(n) R ρ/ρ 1

Source restrictions reset-security S ρ/ρ 1 L ρ Perms(n) R ρ/ρ 1 0/1

Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n)

Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n) S srs : R is computationally unbounded S crs : R is PPT

Source restrictions reset-security S ρ/ρ 1 S ρ/ρ 1 L ρ Perms(n) L ρ Perms(n) R ρ/ρ 1 R ρ 1 /ρ 1 1 0/1 0/1 ρ 1 Perms(n) S srs : R is computationally unbounded S crs : R is PPT S cup S crs

Recap psprp[s srs ] psprp[s sup ]

Recap

Recap Central assumption in UCE theory

Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

Next Can we get psprps at all? Are psprps useful?

Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations

Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications Garbling from fixed-key block ciphers

Next Can we get psprps at all? Are psprps useful? Constructions from UCEs Heuristic Instantiations Common denominator: A new, restricted notion of indifferentiability! Constructions of UCEs Direct applications Garbling from fixed-key block ciphers

Indifferentiability[MRH04] C f Funcs(, n) RO f RP ρ/ρ 1 ρ Perms(n)

Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 ρ Perms(n)

Indifferentiability[MRH04] A C RP ρ/ρ 1 ρ Perms(n) A f Funcs(, n) RO f?

Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 Sim ρ Perms(n)

Indifferentiability[MRH04] C f Funcs(, n) RO f A A RP ρ/ρ 1 Sim 0/1 ρ Perms(n) 0/1

CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1

CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable.

CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable. Remarks:

CP-sequential indifferentiability f Funcs(, n) A 1 C A 1 RO f st st A 2 RP ρ/ρ 1 A 2 Sim ρ Perms(n) 0/1 0/1 C RP cpi RO PPT Sim PPT (A 1, A 2 ): left and right are indistinguishable. Remarks: 1. Full indifferentiability CP-seq indiff. 2. Reverse ordering: seq. indifferentiability [MPS12]

From psprps to UCEs Theorem:

From psprps to UCEs Theorem: C RP cpi RO C RP ρ/ρ 1

From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C RP ρ/ρ 1

From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] C RP ρ/ρ 1 π s /π s 1

From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. C RP ρ/ρ 1 π s /π s 1

From psprps to UCEs Theorem: C RP cpi RO + P psprp[s srs ]-secure C[P] UCE[S srs ]-secure. Similar result proved in [BHK14], but: Need full indifferentiability Only stated for UCE domain extension RP C ρ/ρ 1 π s /π s 1

From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0

From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 Theorem [BDVP08]: Sponge[RP] cpi RO.

From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO.

From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO. Corollary: P psprp S srs -secure Sponge[P] UCE S srs -secure.

From psprps to UCEs Sponges M {0,1} M 1 M 2 M l r S0 r y {0,1} r ρ ρ ρ n r 0 π s π s π s Theorem [BDVP08]: Sponge[RP] cpi RO. Corollary: P psprp S srs -secure Sponge[P] UCE S srs -secure. Validates the Sponge paradigm for UCE applications!

CP-sequentially indiff. constructions that are not fully indiff.?

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.?

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? ρ

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? x {0,1} n ρ

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? x {0,1} n n ρ n

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ).

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure.

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable psprp S sup UCE S sup Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure.

From psprps to UCEs Chop CP-sequentially indiff. constructions that are not fully indiff.? truncates n-bits to r-bits x {0,1} n ρ πs n n r y {0,1} r Theorem: Chop[RP] cpi RF when n r ω(log λ). Chop RP is not indifferentiable psprp S sup UCE S sup Corollary: P psprp S srs -secure Chop[P] UCE[S srs ]- secure. From Chop P to VIL UCE: Domain extension techniques [BHK14]

psprps from UCEs Theorem:

psprps from UCEs Theorem: C RO cpi RP A 1 C A 1 RP st st A 2 RO A 2 Sim b b

psprps from UCEs Theorem: C RO cpi RP + H UCE[S srs ]-secure C H psprp[s srs ]-secure. A 1 C A 1 RP st st A 2 RO A 2 Sim b b

psprps from UCEs Theorem: C RO cpi RP + H UCE[S srs ]-secure C H psprp[s srs ]-secure. A 1 C A 1 RP st st A 2 RO A 2 Sim b b Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psprp.

From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f]

From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f] [DS16] [DSKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability

From UCEs to psprps Feistel X {0,1} 2n n n X 1 X 2 X 3 X 4 X 5 X 6 n f 1 f 2 f 3 f 4 f 5 n n n Y {0,1} 2n X 0 X 5 ψ 5 [f] [DS16] [DSKT16] [HKT11] [CPS08] impossible??? #rounds for indifferentiability psprps exist in the standard model if UCEs exist!!!

Can we reduce the round-complexity of Feistel for UCE to psprp transformation?

Can we reduce the round-complexity of Feistel for UCE to psprp transformation? [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability

Can we reduce the round-complexity of Feistel for UCE to psprp transformation? This work!!! [DS16] [DSKT16] [HKT11] #rounds for CP-sequential indifferentiability Theorem: 5-round Feistel (ψ 5 [f]) cpi RP.

5-round proof is technically involved

5-round proof is technically involved Our 5-round Sim: Relies on chain completion techniques Heavily exploits query ordering Very different chain-completion strategy from previous works, no recursion needed detect detect X 1 X 2 X 3 X 4 X 5 X 6 f 1 f 2 f 3 f 4 f 5 X 0 forceval forceval X 5 Set Set uniform uniform

Heuristic Instantiations

Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: Gen: E s {0,1} k

Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k

Heuristic Instantiations From Block-ciphers e.g. AES P = (Gen, π, π 1 ) π: E psprp S srs -secure Ideal-Cipher model Gen: s {0,1} k From Permutations e.g. the Keccak permutation P = (Gen, π, π 1 ) π: Gen: π s {0,1} k

Fast Garbling from psprps x a 0, x a 1 x b 0, x b 1 And x g 0, x g 1 Garbled And E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

Fast Garbling from psprps Fast garbling from [BHKR13] x a 0, x a 1 x b 0, x b 1 And x g 0, x g 1 Garbled And E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g

Fast Garbling from psprps Fast garbling from [BHKR13] Only calls fixed-key block cipher x E(0 k, x) Very fast no key-schedule Proof in RP model x 0 a, x1 a x 0 1 b, x b And Garbled And x g 0, x g 1 E 0 n, K 10 0 K 10 x g E 0 n, K 01 0 K 01 x g E 0 n, K 11 1 K 11 x g E 0 n, K 00 0 K 00 x g This work: Replace E 0 k, x by π s for a random seed generated upon garbling.

Roadmap 1.Definitions 2.Constructions & Applications 3.Conclusions

Conclusion psprps

Conclusion First standard model assumptions on permutations psprps

Conclusion First standard model assumptions on permutations psprps Constructions

Conclusion First standard model assumptions on permutations Applications psprps Constructions

Many open questions

Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps?

Many open questions psprps: More applications: psprp-based PRNGs, authenticated encryption? More efficient constructions: Round complexity of Feistel for psprps? Public-seed Pseudorandomness - general paradigm: Applications of public-seed Ideal Ciphers? Beyond psprps: Simpler assumptions on permutations?

Public-seed Pseudorandom Permutations EUROCRYPT 2017