Provable Security in Symmetric Key Cryptography


Jooyoung Lee, Faculty of Mathematics and Statistics, Sejong University. July 5, 2012.

Outline
1. Security proof of blockcipher-based hash functions
2. Security proof of a Feistel cipher

Blockcipher
A k-bit key, n-bit blockcipher is a function (algorithm) $E : \{0,1\}^n \times \{0,1\}^k \to \{0,1\}^n$ such that each key $K \in \{0,1\}^k$ defines a permutation $E(\cdot, K)$ on $\{0,1\}^n$.

Hash Function
An n-bit hash function is a function (algorithm) $H : \{0,1\}^* \to \{0,1\}^n$ that takes a message of arbitrary length and returns an n-bit message digest.

Security Requirements for Hash Functions (everywhere)
- Preimage resistance: it is hard to find a preimage M such that $H(M) = Z$ for any target image Z. An n-bit hash function should be preimage resistant up to $2^n$ queries.
- Collision resistance: it is hard to find two different messages $M, M'$ such that $H(M) = H(M')$. An n-bit hash function should be collision resistant up to $2^{n/2}$ queries.

Merkle-Damgård Transform
- Transforms a fixed-size compression function f into a hash function (figure: the chaining value starts at IV and is updated by f for each of the message blocks $M[1], \ldots, M[l]$, followed by the length block $\langle l \rangle$).
- Preserves the collision resistance of the compression function.
- Allows one to focus on constructing a secure compression function.

Blockcipher-based Hash Function
Why blockcipher-based hash functions?
1. Transfer of the trust in an existing blockcipher to the blockcipher-based hash function.
2. A single implementation of a blockcipher is used both as a blockcipher and as a hash function.
Davies-Meyer construction: a blockcipher-based compression function in which the message block M is used as the key of E and the input of E is XORed into its output.

How Can We Prove Security for the DM Scheme?
What we want to prove: if the underlying blockcipher is secure, then the resulting DM scheme is also secure.
We need to specify:
- what is meant by a "secure blockcipher";
- what an adversary A is able to do;
- what the goal of A is.
Then we need to prove that the probability of A achieving the goal is small.

Ideal Cipher Model
Let $\mathrm{BC}(k, n)$ = {blockciphers with n-bit blocks and k-bit keys}. A blockcipher E is chosen uniformly at random from $\mathrm{BC}(k, n)$.
Attack model: the adversary A is allowed two types of oracle queries, $E_K(X)$ and $E_K^{-1}(Y)$, for $X, Y \in \{0,1\}^n$ and $K \in \{0,1\}^k$.
Information-theoretic security: consider an adversary with no limit on its available time and memory. In this talk, we focus on information-theoretic security.

Recording Query History: Simulation of an Ideal Cipher by Lazy Sampling
The ideal cipher is simulated on the fly. For each key K, keep the set $D_K$ of inputs already assigned and the set $R_K$ of outputs already assigned under K (both initially empty). The animation on the slides runs through the first three queries:
- Forward query $(K_1, X_1)$: sample $Y_1 \xleftarrow{\$} \{0,1\}^n \setminus R_{K_1}$, set $R_{K_1} \leftarrow R_{K_1} \cup \{Y_1\}$ and $D_{K_1} \leftarrow D_{K_1} \cup \{X_1\}$, return $Y_1$, and record $(X_1, K_1, Y_1)$.
- Backward query $(K_2, Y_2)$: sample $X_2 \xleftarrow{\$} \{0,1\}^n \setminus D_{K_2}$, set $D_{K_2} \leftarrow D_{K_2} \cup \{X_2\}$ and $R_{K_2} \leftarrow R_{K_2} \cup \{Y_2\}$, return $X_2$, and record $(X_2, K_2, Y_2)$.
- Forward query $(K_3, X_3)$: sample $Y_3 \xleftarrow{\$} \{0,1\}^n \setminus R_{K_3}$, update $R_{K_3}$ and $D_{K_3}$ as above, return $Y_3$, and record $(X_3, K_3, Y_3)$.
After q queries, the record $Q = \big((X_1, K_1, Y_1), (X_2, K_2, Y_2), \ldots, (X_q, K_q, Y_q)\big)$ is the query history. The query history Q determines q evaluations of the blockcipher, and each evaluation in turn determines a unique evaluation of the DM scheme.

Collision Security of the DM Scheme
A history entry $(X_i, K_i, Y_i)$ determines one evaluation of DM: $(X_i, K_i) \mapsto X_i \oplus Y_i$.
The adversarial goal is finding a collision, that is, two queries $(X_i, K_i, Y_i)$ and $(X_j, K_j, Y_j)$ with $i < j$ such that $X_i \oplus Y_i = X_j \oplus Y_j$.

Collision Security of the DM Scheme (Black et al., Crypto 2002)
For fixed i and j with $i < j$, $\Pr[X_i \oplus Y_i = X_j \oplus Y_j] \le \frac{1}{2^n - q}$: the response to the j-th query is sampled uniformly from a set of at least $2^n - q$ values, and at most one of them satisfies the equation. Therefore
$$\Pr[X_i \oplus Y_i = X_j \oplus Y_j \text{ for some } i < j] \le \sum_{1 \le i < j \le q} \Pr[X_i \oplus Y_i = X_j \oplus Y_j] \le \frac{q^2}{2^n - q}.$$
The DM scheme is collision resistant up to $2^{n/2}$ queries.
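The lazy-sampling simulator and the DM collision predicate described above, as an added Python example (this is not code from the talk or its author). `IdealCipher` keeps the per-key sets $D_K$ and $R_K$ and the query history Q exactly as the animation describes, `find_dm_collision` evaluates the predicate "some $i < j$ with $X_i \oplus Y_i = X_j \oplus Y_j$" on a history, and `empirical_collision_rate` runs a constructed naive adversary (q forward queries under distinct keys with random inputs) against fresh ideal ciphers so that its success rate can be compared with the bound $q^2/(2^n - q)$. The parameters n and k, the seeds and the adversary's strategy are my choices, not the slides'.

```python
import random


class IdealCipher:
    """Ideal cipher E in BC(k, n), simulated by lazy sampling.

    For each key K we keep D_K (inputs already used) and R_K (outputs
    already used). A fresh forward query is answered with Y drawn uniformly
    from {0,1}^n minus R_K, a fresh backward query with X drawn uniformly
    from {0,1}^n minus D_K, as on the slides. Every fresh query is appended
    to the query history Q as (X, K, Y, direction).
    """

    def __init__(self, n, k, rng):
        self.n, self.k, self.rng = n, k, rng
        self.fwd = {}        # K -> {X: Y}; D_K is fwd[K].keys()
        self.bwd = {}        # K -> {Y: X}; R_K is bwd[K].keys()
        self.history = []    # the query history Q

    def _tables(self, K):
        if not 0 <= K < 2 ** self.k:
            raise ValueError("key outside {0,1}^k")
        return self.fwd.setdefault(K, {}), self.bwd.setdefault(K, {})

    def _fresh(self, used):
        # uniform over {0,1}^n minus the values already assigned under this key
        while True:
            v = self.rng.getrandbits(self.n)
            if v not in used:
                return v

    def enc(self, K, X):
        """Forward query E_K(X)."""
        D, R = self._tables(K)
        if X in D:               # repeated query: answer consistently, record nothing
            return D[X]
        Y = self._fresh(R)       # Y <-$ {0,1}^n \ R_K
        D[X], R[Y] = Y, X        # D_K <- D_K u {X}, R_K <- R_K u {Y}
        self.history.append((X, K, Y, "fwd"))
        return Y

    def dec(self, K, Y):
        """Backward query E_K^{-1}(Y)."""
        D, R = self._tables(K)
        if Y in R:
            return R[Y]
        X = self._fresh(D)       # X <-$ {0,1}^n \ D_K
        D[X], R[Y] = Y, X
        self.history.append((X, K, Y, "bwd"))
        return X


def make_cipher(n, k, seed):
    """Convenience constructor with a seeded generator (seed is a constructed value)."""
    return IdealCipher(n, k, random.Random(seed))


def dm_value(entry):
    """The DM evaluation determined by one history entry: (X, K) -> X xor Y."""
    X, K, Y = entry[:3]
    return X ^ Y


def find_dm_collision(history):
    """Return (i, j) with i < j and X_i xor Y_i == X_j xor Y_j, or None."""
    seen = {}
    for j, entry in enumerate(history):
        z = dm_value(entry)
        if z in seen:
            return (seen[z], j)
        seen[z] = j
    return None


def dm_collision_bound(n, q):
    """Black et al.: Pr[collision after q queries] <= q^2 / (2^n - q)."""
    return q * q / (2 ** n - q)


def empirical_collision_rate(n, k, q, trials, seed):
    """Success rate of a constructed naive adversary: q forward queries, each
    under a different key with a random input, against fresh ideal ciphers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        E = IdealCipher(n, k, rng)
        for i in range(q):
            E.enc(i % 2 ** k, rng.getrandbits(n))
        if find_dm_collision(E.history) is not None:
            hits += 1
    return hits / trials
```

Repeated queries are answered from the tables rather than re-sampled; the slides can ignore this because the adversary is assumed to make no redundant query, but a simulator used for experiments must stay consistent with the permutation it has committed to.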

Double-block-length Hash Functions
Security weakness of SBL (single-block-length) hash functions: an SBL hash function is vulnerable to collision attacks due to its short output length. This motivates the design of DBL (double-block-length) hash functions, whose output length is twice the block length of the underlying blockcipher(s). Examples: Abreast-DM and Tandem-DM (figures: each is built from two blockcipher calls).

Security Proof of Tandem-DM
- Tandem-DM is a 3n-bit to 2n-bit compression function making two calls to a blockcipher with 2n-bit keys.
- Proposed by Lai and Massey at Eurocrypt 1992.
- The first security proof was given at FSE 2009, and its extension at ProvSec 2010.
- At Crypto 2011, Lee et al. pointed out flaws in the previous proofs and presented a new proof.

Evaluation of Tandem-DM
Two queries $(A, B\|L, R)$ and $(B, L\|R, S)$ in Q determine one evaluation of $\mathrm{TDM}^E : \{0,1\}^{3n} \to \{0,1\}^{2n}$: the top-left (TL) query computes $R = E_{B\|L}(A)$ and the bottom-left (BL) query computes $S = E_{L\|R}(B)$, giving $\mathrm{TDM}^E(A, B, L) = (A \oplus R,\; B \oplus S)$.

Collision Security of Tandem-DM
Difficulty: a single evaluation of Tandem-DM (as of most DBL schemes) is determined by two queries.
Naive approach: consider four queries $1 \le i, j, i', j' \le q$. Two evaluations of Abreast-DM, one determined by the i-th and j-th queries and the other by the i'-th and j'-th queries, collide with probability at most $\frac{1}{(2^n - q)^2}$. The collision-finding advantage is therefore at most $\frac{q^4}{(2^n - q)^2}$.

Collisions in Tandem-DM
The goal of a collision-finding adversary A is to find queries $(A, B\|L, R)$, $(B, L\|R, S)$, $(A', B'\|L', R')$, $(B', L'\|R', S')$ in Q such that $A\|B\|L \ne A'\|B'\|L'$, $A \oplus R = A' \oplus R'$ and $B \oplus S = B' \oplus S'$ (figure: the first evaluation uses the query positions TL and BL, the second TR and BR).
The predicate $\mathrm{Coll}(Q)$ is true if and only if such queries exist in Q. We want to upper bound $\Pr[\mathrm{Coll}(Q)] = \mathrm{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(A)$, i.e., we want $\Pr[\mathrm{Coll}(Q)]$ to be small.

Case Analysis
$\mathrm{Coll}(Q) \subseteq \mathrm{Coll}_1(Q) \cup \mathrm{Coll}_2(Q) \cup \mathrm{Coll}_3(Q)$, where
- $\mathrm{Coll}_1(Q)$: Q has a collision with TL, BL, TR, BR all distinct;
- $\mathrm{Coll}_2(Q)$: Q has a collision with TL = BL or TR = BR;
- $\mathrm{Coll}_3(Q)$: Q has a collision with TL = BR or BL = TR.
Example: $\mathrm{Coll}_2(Q)$ occurs if queries $(A, A\|A, A)$ and $(B, B\|B, B)$ with $A \ne B$ exist in Q. For the first query, TL = BL and both output halves are $A \oplus A = 0^n$; for the second, both output halves are $B \oplus B = 0^n$, so the two evaluations collide.
We are going to focus on upper bounding $\Pr[\mathrm{Coll}_1(Q)]$.

Upper Bounding $\Pr[\mathrm{Coll}_1(Q)]$: General Framework
1. Upper bound the probability of the event $\mathrm{Coll}_1^i(Q)$ that the i-th query completes a collision.
2. Union bound: sum the upper bounds over all queries $i = 1, \ldots, q$ (if the upper bounds do not depend on i, simply multiply by q).
How can we upper bound $\Pr[\mathrm{Coll}_1^i(Q)]$? By symmetry, we can assume the last query (the one completing the collision) is either TL or BL, and it is either forward or backward:
- Case 1: the last query is TL and backward;
- Case 2: the last query is TL and forward;
- Case 3: the last query is BL and backward;
- Case 4: the last query is BL and forward.
Union bound: $\Pr[\mathrm{Coll}_1^i(Q)] \le \Pr[\text{Case 1}] + \Pr[\text{Case 2}] + \Pr[\text{Case 3}] + \Pr[\text{Case 4}]$.

Case 1: The Last Query is TL and Backward
1. At the point when the TL query $E^{-1}_{B\|L}(R)$ is made, B, L and R are fixed.
2. B, L, R uniquely determine the BL query $(B, L\|R, S)$ and hence the value $B \oplus S$.
3. The number of BR queries $(B', L'\|R', S')$ in Q such that $B' \oplus S' = B \oplus S$ is at most α, except with small probability.
4. Each such BR query uniquely determines the TR query $(A', B'\|L', R')$ and hence the value $A' \oplus R'$.
5. The response A of the TL query must satisfy $A \oplus R = A' \oplus R'$, i.e., $A = A' \oplus R' \oplus R$ for one of the at most α candidates; since A is sampled uniformly from at least $2^n - q$ values, $\Pr[\text{Case 1}] \le \frac{\alpha}{2^n - q}$ (except for the "bad event" of step 3).

Case 2: The Last Query is TL and Forward
Subcase 2a: the BL query was backward.
1. At the point when the TL query $E_{B\|L}(A)$ is made, A, B and L are fixed.
2. The number of backward queries whose answer is B is at most α, except with small probability.
3. Each such backward query $(B, L\|R, S)$ uniquely determines R (it is part of the query's key), so the TL response must hit one of at most α values: $\Pr[\text{Subcase 2a}] \le \frac{\alpha}{2^n - q}$ (except for the bad event).
Subcase 2b: the BL query was forward.
1. At the point when the TL query is made, A, B and L are fixed.
2. The number of forward queries whose input block is B? It is hard to probabilistically restrict this number! We want to eliminate this case.

Main Idea: Modified Adversary A'
A' runs A as a subroutine and records its own query history $Q'$:
- if A makes a forward query $E_{L\|R}(B)$, then A' makes the query $E_{L\|R}(B)$ and an additional backward query $E^{-1}_{B\|L}(R)$;
- if A makes a backward query $E^{-1}_{B\|L}(R)$, then A' makes the query $E^{-1}_{B\|L}(R)$ and an additional forward query $E_{L\|R}(B)$.
Properties of the modified adversary:
- If A makes q queries, then A' makes at most 2q queries.
- Since $Q \subseteq Q'$, $\mathrm{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(A) \le \mathrm{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(A')$.
- If A' obtains the BL position of a certain evaluation by a forward query, then A' immediately makes an additional backward query and places it at the TL position.
- Hence, if the TL position of a certain evaluation is obtained by a forward query after the BL position has been determined, then the BL query must have been obtained by a backward query.
- This means that A' never creates Subcase 2b.

Bad Events
$\mathrm{Xor}(Q) \iff \max_{Z \in \{0,1\}^n} \big|\{i : X_i \oplus Y_i = Z\}\big| > \alpha$ (the bad event behind step 3 of Case 1).
$\mathrm{FB}(Q) \iff \max_{Z \in \{0,1\}^n} \big|\{i : (Y_i = Z \wedge \mathrm{Fwd}[i] = 1) \vee (X_i = Z \wedge \mathrm{Bwd}[i] = 1)\}\big| > \alpha$ (the bad event behind step 2 of Subcase 2a).
Probability of the bad events (with $N = 2^n$ and at most 2q queries made by A'): for a fixed $Z \in \{0,1\}^n$,
$$\Pr\big[|\{i : X_i \oplus Y_i = Z\}| > \alpha\big] \le \binom{2q}{\alpha}\left(\frac{1}{N - 2q}\right)^{\alpha} \le \left(\frac{2qe}{\alpha}\right)^{\alpha}\left(\frac{1}{N - 2q}\right)^{\alpha}.$$
Therefore
$$\Pr[\mathrm{Xor}(Q)] \le \Pr\Big[\exists Z \in \{0,1\}^n : |\{i : X_i \oplus Y_i = Z\}| > \alpha\Big] \le N\left(\frac{2eq}{\alpha(N - 2q)}\right)^{\alpha}.$$

Main Result
Theorem. For $N = 2^n$, $q < N/2$ and $1 \le \alpha \le 2q$,
$$\mathrm{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(q) \le 2N\left(\frac{2eq}{\alpha(N - 2q)}\right)^{\alpha} + \frac{4q\alpha}{N - 2q} + \frac{4q}{N - 2q}.$$
Asymptotically, using $\alpha = n / \log n$, $\lim_{n \to \infty} \mathrm{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(N/n) = 0$.
Numerically, for $n = 128$ and $\alpha = 16$, $\mathrm{Adv}^{\mathrm{coll}}_{\mathrm{TDM}^E}(2^{120.87}) < \frac{1}{2}$.

Exercises
Question: prove or disprove the collision resistance of the following SBL compression functions (figure: two blockcipher-based compression functions with key K, input X and output Y; the exact wiring is not recoverable from the transcription).

Security Proof of a 4-round Feistel Cipher
Question: Is DES secure? Answer: We cannot guarantee it.
Question: Is DES secure under the assumption that its round functions and its key schedule are secure? Answer: Yes, we can prove it.

Provable Security: Assumptions
1. The round function $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is secure.
2. A random master key K generates independent random round keys $K_i$, $i = 1, 2, 3, 4$ (i.e., the round keys are securely generated).
Under these assumptions we can prove that the 4-round Feistel cipher (figure: $(L, R) \mapsto (S, T)$ through four keyed rounds) is secure.

Provable Security: Security Notions
Question: What does it mean that "a blockcipher is secure"? We will consider a weaker model than an ideal cipher. And what does it mean that "a round function is secure"?
Answer: Even though an adversary is allowed a certain type of attack with a certain amount of resources (time, memory and data), it cannot achieve a certain adversarial goal.
Information-theoretic security: if a protocol is secure against an adversary with no limit on its available time and memory, then we say the protocol is secure in the information-theoretic sense.

Security of a Blockcipher: Pseudorandom Permutation
What an adversary A is able to do:
- The blockcipher E is public: A is able to compute $E_K(X)$ and $E_K^{-1}(Y)$ for any $X, Y \in \{0,1\}^n$ and $K \in \{0,1\}^k$.
- For a secret key K, A adaptively makes two types of oracle queries, $E_K(\cdot)$ and $E_K^{-1}(\cdot)$ (CPCA-2).
The goal of A: distinguishing the permutation family E from a truly random permutation. Such adversaries are often called distinguishers.

Pseudorandom Permutation (PRP)
Let $P_{n,n} = \{g : \{0,1\}^n \to \{0,1\}^n \mid g \text{ is a permutation}\}$. For a keyed permutation family $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$, consider the experiment $\mathrm{Exp}^{\mathrm{prp}}_A$:
- $K \xleftarrow{\$} \{0,1\}^k$, $g \xleftarrow{\$} P_{n,n}$, $i \xleftarrow{\$} \{0,1\}$;
- $\delta \leftarrow A^{O_i(\cdot),\, O_i^{-1}(\cdot)}$, where $O_0(\cdot) = E(K, \cdot)$, $O_0^{-1}(\cdot) = E^{-1}(K, \cdot)$, $O_1(\cdot) = g(\cdot)$ and $O_1^{-1}(\cdot) = g^{-1}(\cdot)$;
- if $\delta = i$ then output 1, else output 0.
$$\mathrm{Adv}^{\mathrm{prp}}_E(A) = \Big|\Pr\big[\mathrm{Exp}^{\mathrm{prp}}_A = 1\big] - \tfrac{1}{2}\Big|, \qquad \mathrm{Adv}^{\mathrm{prp}}_E(q) = \max_A \mathrm{Adv}^{\mathrm{prp}}_E(A),$$
where the maximum is over all distinguishers A making q queries.

Security of a Round Function: Pseudorandom Function
What an adversary A is able to do:
- The round function f is public: A is able to compute $f_K(X)$ for any $X \in \{0,1\}^n$ and $K \in \{0,1\}^k$.
- For a secret key K, A adaptively makes oracle queries $f_K(\cdot)$ (CPA-2).
The goal of A: distinguishing the function family f from a truly random function.

Pseudorandom Function (PRF)
Let $F_{n,m} = \{g : \{0,1\}^n \to \{0,1\}^m\}$. For a keyed function family $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^m$, consider the experiment $\mathrm{Exp}^{\mathrm{prf}}_A$:
- $K \xleftarrow{\$} \{0,1\}^k$, $g \xleftarrow{\$} F_{n,m}$, $i \xleftarrow{\$} \{0,1\}$;
- $\delta \leftarrow A^{O_i(\cdot)}$, where $O_0(\cdot) = f(K, \cdot)$ and $O_1(\cdot) = g(\cdot)$;
- if $\delta = i$ then output 1, else output 0.
$$\mathrm{Adv}^{\mathrm{prf}}_f(A) = \Big|\Pr\big[\mathrm{Exp}^{\mathrm{prf}}_A = 1\big] - \tfrac{1}{2}\Big|, \qquad \mathrm{Adv}^{\mathrm{prf}}_f(q) = \max_A \mathrm{Adv}^{\mathrm{prf}}_f(A).$$

PRP vs. PRF
Definition. If an adversary that adaptively makes forward and backward queries is able to distinguish a keyed permutation family from a truly random permutation only with a small probability, then the keyed permutation family is called a CPCA-2 secure pseudorandom permutation (PRP).
Definition. If an adversary that adaptively makes forward queries is able to distinguish a keyed function family from a truly random function only with a small probability, then the keyed function family is called a CPA-2 secure pseudorandom function (PRF).

Deterministic Adversary Making No Redundant Query
We can assume:
- a distinguisher is deterministic: given a probabilistic distinguisher, we can fix its random coins so that the corresponding deterministic algorithm provides the best distinguishing advantage;
- a distinguisher makes no redundant query: given a distinguisher A that makes redundant queries, we can construct a distinguisher A' that makes no redundant query, using A as a subroutine.

Security Proof: What We Want to Prove
Let $\psi[f](L, R) = (R, L \oplus f(R))$ be the 1-round Feistel permutation taking an n-bit function f as its round function. Let $\psi[f_1, \ldots, f_r] = \psi[f_r] \circ \cdots \circ \psi[f_1]$ be the r-round Feistel permutation taking r n-bit functions $f_1, \ldots, f_r$.
We will prove that if the round function $f : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ is a CPA-2 secure PRF and a random master key K generates independent random round keys $K_i$, $i = 1, 2, 3, 4$, then $\psi[f(K_1, \cdot), f(K_2, \cdot), f(K_3, \cdot), f(K_4, \cdot)]$ is a CPCA-2 secure PRP.
It is sufficient to prove this when the round keys $K_i$, $i = 1, 2, 3, 4$, are chosen independently at random. It is then sufficient to prove that if the round functions $f_i : \{0,1\}^n \to \{0,1\}^n$, $i = 1, 2, 3, 4$, are chosen independently at random, then $\psi[f_1, f_2, f_3, f_4]$ is a CPCA-2 secure PRP.

Game Hopping
Consider the sequence of distinguishing games
$$\psi[f(K_1,\cdot), f(K_2,\cdot), f(K_3,\cdot), f(K_4,\cdot)] \;\overset{?}{\sim}\; \psi[f_1, f(K_2,\cdot), f(K_3,\cdot), f(K_4,\cdot)] \;\overset{?}{\sim}\; \psi[f_1, f_2, f(K_3,\cdot), f(K_4,\cdot)] \;\overset{?}{\sim}\; \psi[f_1, f_2, f_3, f(K_4,\cdot)] \;\overset{?}{\sim}\; \psi[f_1, f_2, f_3, f_4] \;\overset{?}{\sim}\; g,$$
where $f_1, f_2, f_3, f_4$ are truly random functions and g is a truly random permutation. Each of the first four hops replaces one keyed round function by a truly random one and is bounded by the PRF security of f; the last hop, from $\psi[f_1, f_2, f_3, f_4]$ to g, is the information-theoretic step proved below.

Security Proof: The Theorem
Theorem. Suppose that the round functions $f_i : \{0,1\}^n \to \{0,1\}^n$, $i = 1, 2, 3, 4$, are chosen independently at random. Then for any distinguisher A making q queries,
$$\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1, f_2, f_3, f_4]}(q) \le \frac{q^2}{2^n}.$$
In other words, if A is allowed fewer than $2^{n/2}$ queries, then A is not able to distinguish $\psi[f_1, f_2, f_3, f_4]$ from a random permutation.
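An added Python example (mine, not from the talk) of the objects defined above: the 1-round Feistel permutation $\psi[f]$, its r-round composition and inverse, lazily sampled random round functions, and the experiment $\mathrm{Exp}^{\mathrm{prp}}$ with a random permutation on 2n bits as $O_1$. The sample distinguisher only checks the structural property visible from the definition, namely that $\psi[f]$ copies the right input half into the left output half; against four rounds with random round functions the same check yields no advantage, in line with the theorem's $q^2/2^n$ for $q = 1$. The toy parameters (n = 4, seeds, trial counts) and the function names are my choices.

```python
import random


def feistel_round(f, L, R):
    """psi[f](L, R) = (R, L xor f(R)): the 1-round Feistel permutation of the slides."""
    return R, L ^ f(R)


def feistel(fs, L, R):
    """psi[f_1, ..., f_r] = psi[f_r] o ... o psi[f_1]: apply the rounds in order."""
    for f in fs:
        L, R = feistel_round(f, L, R)
    return L, R


def feistel_inverse(fs, S, T):
    """Inverse: one round is undone by (L, R) = (T xor f(S), S), last round first."""
    for f in reversed(fs):
        S, T = T ^ f(S), S
    return S, T


class RandomFunction:
    """A uniformly random function {0,1}^n -> {0,1}^n, sampled lazily."""

    def __init__(self, n, rng):
        self.n, self.rng, self.table = n, rng, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


def make_random_functions(n, rounds, seed):
    """Independent random round functions f_1..f_rounds (seed is a constructed value)."""
    rng = random.Random(seed)
    return [RandomFunction(n, rng) for _ in range(rounds)]


def prp_experiment(distinguisher, n, rounds, rng):
    """One run of Exp^prp. i = 0: the oracles are psi[f_1..f_rounds] with random
    round functions and its inverse; i = 1: a random permutation g on 2n bits and
    g^{-1}. Returns 1 iff the distinguisher's guess delta equals i."""
    i = rng.getrandbits(1)
    if i == 0:
        fs = [RandomFunction(n, rng) for _ in range(rounds)]
        oracle = lambda L, R: feistel(fs, L, R)
        oracle_inv = lambda S, T: feistel_inverse(fs, S, T)
    else:
        perm = list(range(2 ** (2 * n)))
        rng.shuffle(perm)                       # g <-$ P_{2n,2n}, as a table of 2n-bit values
        inv = {y: x for x, y in enumerate(perm)}
        oracle = lambda L, R: divmod(perm[(L << n) | R], 2 ** n)
        oracle_inv = lambda S, T: divmod(inv[(S << n) | T], 2 ** n)
    delta = distinguisher(oracle, oracle_inv, n)
    return 1 if delta == i else 0


def estimate_advantage(distinguisher, n, rounds, trials, seed):
    """|Pr[Exp^prp = 1] - 1/2| estimated over independent runs of the experiment."""
    rng = random.Random(seed)
    wins = sum(prp_experiment(distinguisher, n, rounds, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)


def structure_distinguisher(oracle, oracle_inv, n):
    """One forward query. For psi[f] the left output half equals the right input
    half by definition; a random permutation shows that with probability 2^-n only.
    Guess delta = 0 (the Feistel world) when the structure is present."""
    L, R = 1 % 2 ** n, 2 % 2 ** n               # any fixed input works
    S, T = oracle(L, R)
    return 0 if S == R else 1
```

With one round the estimated advantage is close to $\tfrac12 - 2^{-n-1}$; with four random round functions the left output half $X \oplus f_3(Y)$ is masked by a fresh value of $f_3$, so the same check wins only half of the time.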

How a Distinguisher Works
After making q queries to $O_i(\cdot)$ and $O_i^{-1}(\cdot)$, A obtains a q-tuple of responses $T = (Z_1, \ldots, Z_q) \in (\{0,1\}^{2n})^q$, called a transcript. The output of A is a function of the transcript T, denoted $A(T)$. From T we can recover q distinct evaluations of $O_i(\cdot)$, say $(L_i, R_i) \mapsto (S_i, T_i)$ for $i = 1, \ldots, q$ (since A is deterministic and makes no redundant query, the earlier responses determine each query). Thus $Z_i$ is either $(L_i, R_i)$ or $(S_i, T_i)$ for $i = 1, \ldots, q$.

How We Upper Bound the Advantage
Probability $P_2$ that A outputs $\delta = 1$ conditioned on $i = 1$:
$$P_2 = \frac{\big|\{g \in P_{2n,2n} : A^{g, g^{-1}} \text{ outputs } 1\}\big|}{|P_{2n,2n}|} = \sum_{T : A(T) = 1} \frac{\big|\{g \in P_{2n,2n} \text{ yielding } T\}\big|}{2^{2n}!} = \frac{M\,(2^{2n} - q)!}{2^{2n}!} = \frac{M}{2^{2n}(2^{2n} - 1)\cdots(2^{2n} - q + 1)} = \frac{M}{2^{2nq}\left(1 - \frac{1}{2^{2n}}\right)\left(1 - \frac{2}{2^{2n}}\right)\cdots\left(1 - \frac{q-1}{2^{2n}}\right)},$$
where M is the number of transcripts T such that $A(T) = 1$. A permutation g uniquely determines T, and exactly $(2^{2n} - q)!$ permutations yield a given T.

How We Upper Bound the Advantage
Probability $P_1$ that A outputs $\delta = 1$ conditioned on $i = 0$:
$$P_1 = \frac{\big|\{(f_1, f_2, f_3, f_4) : A^{\psi[f_1,f_2,f_3,f_4],\, \psi[f_1,f_2,f_3,f_4]^{-1}} \text{ outputs } 1\}\big|}{F_0^4} = \sum_{T : A(T) = 1} \frac{\big|\{(f_1, f_2, f_3, f_4) : \psi[f_1, f_2, f_3, f_4] \text{ yields } T\}\big|}{F_0^4},$$
where $F_0 = 2^{n 2^n}$ is the size of $F_{n,n} = \{g : \{0,1\}^n \to \{0,1\}^n\}$. A tuple of functions $(f_1, f_2, f_3, f_4)$ uniquely determines T.

How We Upper Bound the Advantage
Since
$$\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1,f_2,f_3,f_4]}(A) = \Big|\Pr\big[\mathrm{Exp}^{\mathrm{prp}}_A = 1\big] - \tfrac12\Big| = \Big|\tfrac12(1 - P_1) + \tfrac12 P_2 - \tfrac12\Big| = \tfrac12\,|P_2 - P_1|,$$
we want to upper bound $|P_2 - P_1|$. We can assume $P_2 \ge P_1$: if $P_2(A) < P_1(A)$, then construct A' that uses A as a subroutine and outputs $\delta \oplus 1$ whenever A outputs δ. Since $P_1(A') = 1 - P_1(A)$ and $P_2(A') = 1 - P_2(A)$, we have $P_2(A') > P_1(A')$ and $\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1,f_2,f_3,f_4]}(A) = \mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1,f_2,f_3,f_4]}(A')$.

The Number of Round Functions Compatible with T
Lemma. Let $(L_i, R_i)$ and $(S_i, T_i)$, $1 \le i \le q$, be distinct inputs and the corresponding (distinct) outputs. Then the number of 4-tuples of functions $(f_1, f_2, f_3, f_4)$ such that $\psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)$ for all $1 \le i \le q$ is at least
$$\frac{F_0^4}{2^{2qn}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2, \qquad \text{where } F_0 = 2^{n 2^n}.$$

How We Upper Bound the Advantage
Using the lemma,
$$P_1 \ge \sum_{T : A(T) = 1} \frac{1}{F_0^4} \cdot \frac{F_0^4}{2^{2qn}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2 = \frac{M}{2^{2nq}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2 = P_2\left(1 - \frac{1}{2^{2n}}\right)\cdots\left(1 - \frac{q-1}{2^{2n}}\right)\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2 \ge P_2\left(1 - \frac{q(q-1)}{2^{2n+1}}\right)\left(1 - \frac{q(q-1)}{2^{n}}\right) \ge P_2 - \frac{q^2}{2^{n-1}},$$
where we use $P_2 \le 1$ and the inequality $\prod_{i=1}^{q}(1 - a_i) \ge 1 - \sum_{i=1}^{q} a_i$ for any $a_1, \ldots, a_q > 0$. Therefore
$$\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1,f_2,f_3,f_4]}(A) = \tfrac12\,|P_2 - P_1| = \tfrac12\,(P_2 - P_1) \le \frac{q^2}{2^n}.$$

Proof of Lemma: Choosing f 1 1. Choose f 1 such that L i f 1 (R i ) L j f 1 (R j ) for any 1 i < j q. 2. For fixed i and j, if Ri = R j, then L i L j and hence any f 1 satisfies L i f 1 (R i ) L j f 1 (R j ), if Ri R j, then the number of f 1 such that L i f 1 (R i ) = L j f 1 (R j ) is exactly F 0 /2 n. At most q(q 1) 2 F0 2 n functions f 1 satisfy L i f 1 (R i ) = L j f 1 (R j ) for some i and j. Li Si f1 f2 f3 f4 Ri Li f1(ri) Ti

Proof of Lemma: Choosing $f_1$

3. Therefore there are at least
$$F_0 - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^n}$$
functions $f_1$ such that $L_i \oplus f_1(R_i)$, $i = 1, \ldots, q$, are all distinct.

[Figure: 4-round Feistel network diagram, first round highlighted.]

Proof of Lemma: Choosing $f_2$

1. Fix $f_1$ satisfying the condition described in the previous slides.
2. $f_2$ should satisfy $S_i = S_j \Rightarrow U_i = U_j$, where $U_i = T_i \oplus R_i \oplus f_2(L_i \oplus f_1(R_i))$. WLOG, let
$$S_1 = S_2 = \cdots = S_{i_1} = S^*_1,\quad S_{i_1+1} = S_{i_1+2} = \cdots = S_{i_2} = S^*_2,\quad \ldots,\quad S_{i_{l-1}+1} = S_{i_{l-1}+2} = \cdots = S_{i_l} = S^*_l.$$
Exactly $(2^n)^l \cdot (2^n)^{2^n - q} = F_0/2^{(q-l)n}$ functions $f_2$ satisfy the above condition.

[Figure: 4-round Feistel network diagram, with intermediate values $L_i \oplus f_1(R_i)$ and $R_i \oplus f_2(L_i \oplus f_1(R_i))$.]

Proof of Lemma: Choosing $f_2$

3. Among those functions, we would like to collect functions $f_2$ such that $R_i \oplus f_2(L_i \oplus f_1(R_i)) \ne R_j \oplus f_2(L_j \oplus f_1(R_j))$ for any $1 \le i < j \le q$.
4. For fixed $i$ and $j$: if $S_i = S_j$, then $T_i \ne T_j$ and hence any $f_2$ satisfies the above condition; if $S_i \ne S_j$, then the number of $f_2$ satisfying $R_i \oplus f_2(L_i \oplus f_1(R_i)) = R_j \oplus f_2(L_j \oplus f_1(R_j))$ together with the $q - l$ equations of the first condition is exactly $F_0/2^{(q-l+1)n}$.

[Figure: 4-round Feistel network diagram, second round highlighted.]

Proof of Lemma: Choosing $f_2$

5. Excluding the bad functions for each $(i, j)$, we have at least
$$\frac{F_0}{2^{(q-l)n}} - \frac{q(q-1)}{2} \cdot \frac{F_0}{2^{(q-l+1)n}} = \frac{F_0}{2^{(q-l)n}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)$$
functions $f_2$ such that $S_i = S_j \Rightarrow U_i = U_j$, and $R_i \oplus f_2(L_i \oplus f_1(R_i))$, $i = 1, \ldots, q$, are all distinct.

[Figure: 4-round Feistel network diagram, second round highlighted.]

Proof of Lemma: Choosing $f_3$

1. Fix $f_1$ and $f_2$ satisfying the conditions described in the previous slides.
2. Choose $f_3$ such that
$$f_3\big(R_i \oplus f_2(L_i \oplus f_1(R_i))\big) = S_i \oplus L_i \oplus f_1(R_i) \quad \text{for } i = 1, \ldots, q.$$
3. The number of such functions is exactly $F_0/2^{qn}$.

[Figure: 4-round Feistel network diagram, third round highlighted.]

Proof of Lemma: Choosing $f_4$

1. Fix $f_1$, $f_2$ and $f_3$ satisfying the conditions described in the previous slides.
2. We would like to choose $f_4$ such that
$$f_4(S^*_i) = U_i \quad \text{for } i = 1, \ldots, l.$$
3. The number of such functions is exactly $F_0/2^{ln}$.

[Figure: 4-round Feistel network diagram, fourth round highlighted, with output $(S_i, T_i)$.]

Proof of Lemma: Putting Pieces Together

To summarize, the number of $(f_1, f_2, f_3, f_4)$ satisfying $\psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)$, $i = 1, \ldots, q$, is at least
$$\left(F_0 - \frac{q(q-1)}{2}\cdot\frac{F_0}{2^n}\right)\left(\frac{F_0}{2^{(q-l)n}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)\right)\left(\frac{F_0}{2^{qn}}\right)\left(\frac{F_0}{2^{ln}}\right) = \frac{F_0^4}{2^{2qn}}\left(1 - \frac{q(q-1)}{2^{n+1}}\right)^2.$$
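To see the lemma's bound on concrete numbers, here is an added example (not from the slides) for the tiny case $n = 2$ with $q = 3$ constructed query/answer pairs: it enumerates every $f_1$ and $f_2$, counts the $f_3$ and $f_4$ forced by rounds 3 and 4 exactly, and compares the exact number of compatible 4-tuples with the lemma's lower bound. The parameter $n = 2$, the transcript and the function names are assumptions.

```python
from itertools import product

N = 2                       # assumption: tiny n so that all f_1, f_2 can be enumerated
F0 = 2 ** (N * 2 ** N)      # |F_{n,n}| = 2^(n 2^n) = 256 for n = 2

# Constructed transcript: q = 3 distinct inputs (L_i, R_i) with distinct outputs (S_i, T_i)
QUERIES = [((0, 1), (3, 2)), ((2, 1), (3, 0)), ((1, 3), (0, 2))]

def count_consistent(eqs):
    """Number of g in F_{n,n} with g(x) = y for every (x, y) in eqs:
    F_0 / 2^(n * #distinct x) if the equations agree, 0 if two of them conflict."""
    table = {}
    for x, y in eqs:
        if table.setdefault(x, y) != y:
            return 0
    return F0 >> (N * len(table))

def compatible_tuples(queries):
    """Exact number of (f_1, f_2, f_3, f_4) with psi[f_1, f_2, f_3, f_4](L_i, R_i) = (S_i, T_i)
    for all i: f_1, f_2 are enumerated as value tables, and for each pair the values
    f_3(Y_i) and f_4(S_i) are forced, so the compatible f_3 and f_4 are counted directly."""
    total = 0
    for f1 in product(range(1 << N), repeat=1 << N):
        for f2 in product(range(1 << N), repeat=1 << N):
            eqs3, eqs4 = [], []
            for (L, R), (S, T) in queries:
                X = L ^ f1[R]               # after round 1: X_i = L_i xor f_1(R_i)
                Y = R ^ f2[X]               # after round 2: Y_i = R_i xor f_2(X_i)
                eqs3.append((Y, S ^ X))     # round 3 forces f_3(Y_i) = S_i xor X_i
                eqs4.append((S, T ^ Y))     # round 4 forces f_4(S_i) = T_i xor Y_i = U_i
            total += count_consistent(eqs3) * count_consistent(eqs4)
    return total

def lemma_lower_bound(q):
    """The lemma's bound F_0^4 / 2^(2qn) * (1 - q(q-1)/2^(n+1))^2."""
    return F0 ** 4 / 2 ** (2 * q * N) * (1 - q * (q - 1) / 2 ** (N + 1)) ** 2

if __name__ == "__main__":
    exact, bound = compatible_tuples(QUERIES), lemma_lower_bound(len(QUERIES))
    print(f"exact count {exact}, lemma lower bound {bound:.0f}, bound holds: {exact >= bound}")
```

For $n = 2$ and $q = 3$ the bound is $2^{16}$, while the exact count is of the order of $F_0^4/2^{2qn} = 2^{20}$, which shows how much the proof gives away by counting only tuples whose intermediate values are all distinct.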

What Provable Security Provides

The Feistel network is a secure structure for the design of a block cipher. If a Feistel block cipher turns out to be insecure, its weakness lies in its round function or key schedule algorithm, not in the Feistel network itself.

A 3-round Feistel Cipher is NOT a PRP

Given a permutation $\varphi$:
1. $A$ chooses $L$ and $R \in \{0,1\}^n$, and asks $\varphi(L, R) = (S, T)$.
2. $A$ chooses $L'$ such that $L' \ne L$, and asks $\varphi(L', R) = (S', T')$.
3. $A$ asks $\varphi^{-1}(S', T' \oplus L \oplus L') = (L'', R'')$.
4. $A$ outputs 1 if $R'' = S \oplus S' \oplus R$, and 0 otherwise.

Analysis:
$$P_1 = \Pr[A \text{ outputs } 1 \mid \varphi \text{ is a random permutation}] \le 1/2^n, \qquad P_2 = \Pr[A \text{ outputs } 1 \mid \varphi = \psi[f_1, f_2, f_3]] = 1.$$
Therefore
$$\mathrm{Adv}^{\mathrm{prp}}_{\psi[f_1,f_2,f_3]}(A) = \tfrac{1}{2}|P_2 - P_1| \ge \tfrac{1}{2} - \tfrac{1}{2^{n+1}} \not\approx 0.$$

Why $P_2 = 1$

$\psi[f_1, f_2, f_3](L, R) = (S, T) \;\Rightarrow\; S = R \oplus f_2(L \oplus f_1(R))$.

$\psi[f_1, f_2, f_3]^{-1}(S, T) = (L, R) \;\Rightarrow$
$$R = S \oplus f_2(T \oplus f_3(S)), \qquad L = T \oplus f_3(S) \oplus f_1\big(S \oplus f_2(T \oplus f_3(S))\big) = T \oplus f_3(S) \oplus f_1(R).$$

$\psi[f_1, f_2, f_3]^{-1}(S', T' \oplus L \oplus L') = (L'', R'') \;\Rightarrow$
$$R'' = S' \oplus f_2(T' \oplus L \oplus L' \oplus f_3(S')) = S' \oplus f_2(L \oplus f_1(R)) = S' \oplus (S \oplus R),$$
where the middle step uses $T' = L' \oplus f_1(R) \oplus f_3(S')$, i.e. $L' = T' \oplus f_3(S') \oplus f_1(R)$ applied to the second query.

[Figure: the 3-round Feistel network with round functions $f_1, f_2, f_3$ mapping $(L, R)$ to $(S, T)$.]
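The distinguisher above, run as an added example (not part of the original slides) against both a 3-round Feistel network with random round-function tables and a truly random permutation, so that the estimates of $P_2$ and $P_1$ can be compared with the analysis; $n = 8$, the trial count, the seed and the function names are assumptions.

```python
import random
N = 8                      # assumption: n = 8, i.e. a 16-bit block

def feistel3(f, L, R):
    """psi[f_1, f_2, f_3](L, R) -> (S, T) for a 3-round Feistel network."""
    f1, f2, f3 = f
    X = L ^ f1[R]          # round 1
    S = R ^ f2[X]          # round 2: S = R xor f_2(L xor f_1(R))
    T = X ^ f3[S]          # round 3: T = L xor f_1(R) xor f_3(S)
    return S, T

def feistel3_inv(f, S, T):
    """psi[f_1, f_2, f_3]^{-1}(S, T) -> (L, R)."""
    f1, f2, f3 = f
    X = T ^ f3[S]
    R = S ^ f2[X]
    return X ^ f1[R], R

def distinguisher(enc, dec, rng):
    """The adversary A from the slides; returns 1 iff R'' = S xor S' xor R."""
    L, R = rng.randrange(1 << N), rng.randrange(1 << N)
    S, T = enc(L, R)                      # query 1: phi(L, R)
    L2 = L ^ rng.randrange(1, 1 << N)     # L' != L
    S2, T2 = enc(L2, R)                   # query 2: phi(L', R)
    _, R3 = dec(S2, T2 ^ L ^ L2)          # query 3: phi^{-1}(S', T' xor L xor L')
    return 1 if R3 == S ^ S2 ^ R else 0

def random_permutation_oracles(rng):
    """A uniformly random permutation on {0,1}^{2n} and its inverse, as (enc, dec)."""
    perm = list(range(1 << (2 * N)))
    rng.shuffle(perm)
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    enc = lambda L, R: divmod(perm[(L << N) | R], 1 << N)
    dec = lambda S, T: divmod(inv[(S << N) | T], 1 << N)
    return enc, dec

def success_rates(trials=200, seed=1):
    """Estimates (P_2, P_1): hit rate against psi[f_1, f_2, f_3] with fresh random tables per trial, and against one random permutation."""
    rng = random.Random(seed)
    feistel_hits = 0
    for _ in range(trials):
        f = tuple([rng.randrange(1 << N) for _ in range(1 << N)] for _ in range(3))
        feistel_hits += distinguisher(lambda L, R: feistel3(f, L, R),
                                      lambda S, T: feistel3_inv(f, S, T), rng)
    enc, dec = random_permutation_oracles(rng)
    random_hits = sum(distinguisher(enc, dec, rng) for _ in range(trials))
    return feistel_hits / trials, random_hits / trials
```

`success_rates()` returns a Feistel hit rate of exactly 1.0, while the random-permutation hit rate stays near $1/2^n$, so the two oracles are told apart after three queries.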

Exercises

Question. Prove that a 3-round Feistel cipher is a CPA-2 secure pseudorandom function up to $2^{n/2}$ queries.

[Figure: the 3-round Feistel network with round functions $f_1, f_2, f_3$ mapping $(L, R)$ to $(S, T)$.]
