The Random Oracle Model and the Ideal Cipher Model are Equivalent

Similar documents
The Random Oracle Model and the Ideal Cipher Model are Equivalent

A Domain Extender for the Ideal Cipher

Building Secure Block Ciphers on Generic Attacks Assumptions

The Random Oracle Model and the Ideal Cipher Model Are Equivalent

Public-Seed Pseudorandom Permutations

Public-seed Pseudorandom Permutations EUROCRYPT 2017

On the Relation Between the Ideal Cipher and the Random Oracle Models

A survey on quantum-secure cryptographic systems

The Indistinguishability of the XOR of k permutations

Block Ciphers/Pseudorandom Permutations

CPA-Security. Definition: A private-key encryption scheme

Lecture 10 - MAC s continued, hash & MAC

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

BEYOND POST QUANTUM CRYPTOGRAPHY

10-Round Feistel is Indifferentiable from an Ideal Cipher

Benes and Butterfly schemes revisited

Chosen-Ciphertext Security without Redundancy

Feistel Networks made Public, and Applications

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

Random Oracles in a Quantum World

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

III. Pseudorandom functions & encryption

non-trivial black-box combiners for collision-resistant hash-functions don t exist

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Security of Random Feistel Schemes with 5 or more Rounds

On High-Rate Cryptographic Compression Functions

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Provable Security of Cryptographic Hash Functions

Quantum Chosen-Ciphertext Attacks against Feistel Ciphers

Chosen Ciphertext Security with Optimal Ciphertext Overhead

Security Analysis of Key-Alternating Feistel Ciphers

Towards Understanding the Known-Key Security of Block Ciphers

Provable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications

A Pseudo-Random Encryption Mode

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Lecture 18: Message Authentication Codes & Digital Signa

On The Security of The ElGamal Encryption Scheme and Damgård s Variant

The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function

On Quantum Indifferentiability

Eliminating Random Permutation Oracles in the Even-Mansour Cipher

Indifferentiability of Iterated Even-Mansour Ciphers with Non-Idealized Key-Schedules: Five Rounds are Necessary and Sufficient

Design Paradigms for Building Multi-Property Hash Functions

Reset Indifferentiability and its Consequences

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Lectures 2+3: Provable Security

On the Round Security of Symmetric-Key Cryptographic Primitives

On the Security of Hash Functions Employing Blockcipher Post-processing

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Random Oracles in a Quantum World

Message Authentication Codes from Unpredictable Block Ciphers

Provable Security in Symmetric Key Cryptography

Merkle-Damgård Revisited : how to Construct a Hash Function

CTR mode of operation

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Message Authentication Codes from Unpredictable Block Ciphers

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

ECS 189A Final Cryptography Spring 2011

Provable security. Michel Abdalla

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

f (x) f (x) easy easy

Secret-key Cryptography from Ideal Primitives: A Systematic Overview

Public Key Cryptography

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

An introduction to Hash functions

Cryptanalysis of Tweaked Versions of SMASH and Reparation

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Provable Security of Substitution-Permutation Networks

Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

Improved indifferentiability security analysis of chopmd Hash Function

A New Paradigm of Hybrid Encryption Scheme

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Uninstantiability of Full-Domain Hash

Authentication. Chapter Message Authentication

Constructing Variable-Length PRPs and SPRPs from Fixed-Length PRPs

On Seed-Incompressible Functions

Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions

DD2448 Foundations of Cryptography Lecture 3

Lecture 7: Boneh-Boyen Proof & Waters IBE System

Computational security & Private key encryption

ZCZ: Achieving n-bit SPRP Security with a Minimal Number of Tweakable-block-cipher Calls

Security of Even Mansour Ciphers under Key-Dependent Messages

1 Number Theory Basics

Modern Cryptography Lecture 4

On the Indifferentiability of Key-Alternating Ciphers

The Sum of PRPs is a Secure PRF

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Simple SK-ID-KEM 1. 1 Introduction

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Building Secure Block Ciphers on Generic Attacks Assumptions

The Cramer-Shoup Cryptosystem

Transcription:

The Random Oracle Model and the Ideal Cipher Model are Equivalent Jean-ébastien Coron 1, Jacques Patarin 2, and Yannick eurin 2,3 (1) Univ. Luxembourg, (2) Univ. Versailles, (3)Orange Labs éminaire EN June 19, 2008

the context two fundamental primitives of cryptology: block ciphers: E : {0, 1} k {0, 1} n {0, 1} n, E(K, ) bijective, efficiently computable and invertible hash functions: H : {0, 1} {0, 1} n, efficiently computable security definition in the standard model? well... block cipher = pseudorandom permutation; OK for most applications, but: doesn t take related-key attacks into account insufficient for (black-box) constructing CRHFs [imon89] hash function = OWF, CRHF, PRF, unpredictable... there s a need for stronger, idealised models éminaire EN Y. eurin 1/27 Orange Labs

outline ROM and ICM indifferentiability: definition, usefulness... building a random permutation from a random function using the Luby- Rackoff construction: why 5 rounds are not enough indifferentiability for 6 rounds description of the simulator main ideas of the proof ongoing work & conclusion éminaire EN Y. eurin 2/27 Orange Labs

idealised models: ROM ultimately, we want a hash function to behave as a random function Random Oracle Model [BellareR93]: a publicly accessible oracle, returning a n -bit random value for each new query widely used in PK security proofs (OAEP, P... ) also widely criticized: uninstantiability results [CanettiGH98, Nielsen02] removing ROs has become a popular sport schemes provably secure in the plain standard model Cramer-houp encryption Boneh-Boyen signatures... are often less efficient and come at the price of stronger complexity assumptions sometimes no scheme at all (non-sequential aggregate signatures) éminaire EN Y. eurin 3/27 Orange Labs

idealised models: ICM ultimately, we want a block cipher to behave as a family of random permutations (E K ) K {0,1} k Ideal Cipher Model [hannon49, Winternitz84]: a pair of publicly accessible oracles E(, ) and E 1 (, ), such that E(K, ) is a random permutation for each key K less popular than the ROM, but: widely used for analyzing block cipher-based hash functions [BlackR02, Hirose06] used for the security proof of some PK schemes (encryption, Authenticated Key Exchange... ) uninstantiability results as well [Black06] éminaire EN Y. eurin 4/27 Orange Labs

idealised models: is ICM > ROM? the ICM seems to be richer than the ROM since an ideal cipher has much more structure than a random oracle Coron et al. CRYPTO 2005 paper: the ICM implies the ROM, i.e. one can replace a random oracle by a block cipher-based hash function in any cryptosystem and the resulting scheme remains as secure in the ICM as in the ROM what about the other direction? Bellare, Pointcheval, Rogaway, Eurocrypt 2000: The ideal-cipher model is richer than the RO-model, and you can t just say apply the Feistel construction to your random oracle to make the cipher. While this may be an approach to instantiating an ideal-cipher, there is no formal sense we know in which you can simulate the ideal-cipher model using only the RO-model. éminaire EN Y. eurin 5/27 Orange Labs

the classical indistinguishability notion usual security definition for a block cipher: (trong)-prp Adv PRP A (E) = [ ] Pr K $ {0, 1} k, A E K( ),E 1 K ( ) = 1 Pr = negl(k) for any PPT adversary A [ G $ Perm({0, 1} n ), A G( ),G 1 ( ) = 1] well-known Luby-Rackoff result: the Feistel scheme with 4 rounds and pseudorandom internal functions yields a strong pseudorandom permutation useful only in secret-key applications, useless when the internal functions are public (e.g. for block cipher-based hash functions) LR f K P D éminaire EN Y. eurin 6/27 Orange Labs

indifferentiability: definition let G be an ideal primitive (e.g. a random permutation), and C F be a construction using another ideal primitive F (e.g. the Feistel construction using a random oracle) C is said (q, t, q, ɛ) -indifferentiable from G if there is a PPT simulator running in time at most t, making at most q queries such that for any distinguisher D making at most q queries, Pr [ D CF,F = 1 ] Pr [ D G,G = 1] ɛ the simulator cannot see the distinguisher s queries to G! C F G D éminaire EN Y. eurin 7/27 Orange Labs

indifferentiability: usefulness indifferentiability implies a kind of universal composability property (less general than Canetti s UC though) let Γ be a cryptosystem using a primitive G ; let C F be a construction using a primitive F ; if C F is indifferentiable from G, then Γ(C F ) is at least as secure as Γ(G) more precisely, any attacker A against Γ(C F ) can be turned into an attacker A against Γ(G) with advantage negligibly close to the advantage of A éminaire EN Y. eurin 8/27 Orange Labs

indifferentiability: usefulness C F G Γ A Γ A A E D E D Pr [A succeeds] Pr [A succeeds] = [ Pr E(Γ C, A F ) = 1 ] Pr [ E(Γ G, A G ) = 1 ] [ ] [ = Pr D CF,F = 1 Pr D G,G = 1] = negl(k) éminaire EN Y. eurin 9/27 Orange Labs

previous indifferentiability results function constructions: hash functions constructions (FIL to VIL, block cipher-based) [CoronDMP05, ChangNLY06] m 1 m L m m 1 2 m L IV E E IV E H sponge construction [BertoniDPvA08]: construction of a VIL random function from a FIL random function or permutation constructions with security beyond the birthday barrier [MaurerT07] éminaire EN Y. eurin 10/27 Orange Labs

previous indifferentiability results permutation constructions: Luby-Rackoff with super-logarithmic number of rounds is indifferentiable from a random permutation in the honest-but-curious model of indifferentiability [DodisP06] what about the general indifferentiability model? is a constant number of rounds sufficient? éminaire EN Y. eurin 11/27 Orange Labs

5 rounds are not enough L 0 L 1 L 2 L 3 L R R 0 R 1 R 2 R 3 = 0 F1 X X F 2 X Y Y F 3 Y Z Z = Z F 3 (Y ) F 3 (Y ) F 4 Z 0 1 2 3 = 0 F 5 T 0 T 1 T 2 T 3 T éminaire EN Y. eurin 12/27 Orange Labs

indifferentiability of the 6R Luby-Rackoff construction Theorem: The Luby-Rackoff construction with 6 rounds is (q, t, q, ɛ) -indifferentiable from a random permutation, with t, q = O(q 4 ) and ɛ = 2 18 q 8 /2 n. prepending a k -bit key to the random oracle calls yields a construction indifferentiable from an ideal cipher to prove this result, we will construct a simulator for the inner random oracles F 1,..., F 6 such that the resulting Feistel scheme matches the random permutation P L F F F F F F 1 2 3 4 5 6 R X Y Z A T L R P T éminaire EN Y. eurin 13/27 Orange Labs

the simulation strategy must anticipate future queries of the distinguisher; when does it have to react? definition: a k -chain, k > 2, (x i, x i+1,..., x i+k 1 ) is a sequence of round values such that L F1 F 2 R X x i+2 = F i+1 (x i+1 ) x i. [ x j+1 = P(x j x j 1 F j (x j )) right ]. x i+k 1 = F i+k 2 (x i+k 2 ) x i+k 3 F 3 F 4 F 5 Y Z A waiting for 5-chains or 4-chains: to late reacting on 2-chains: to early (exponential simulator runtime) reacting on 3-chains F 6 T éminaire EN Y. eurin 14/27 Orange Labs

simulation: adapting 3-chains the simulator maintains an history of already defined F i values F i values are defined randomly, and 3-chains are completed to match the random permutation P L F1 F 2 R X for example, on a query X to F 2 : there s a downward 3-chain if there are Y in F 3 s history and Z in F 4 s history such that X = F 3 (Y) Z there s an upward 3-chain if there are R in F 1 s history and in F 6 s history such that P(X F 1 (R) R) = T for some T F 3 F 4 F 5 F 6 Y Z A T éminaire EN Y. eurin 15/27 Orange Labs

simulation: adapting 3-chains example with a query X to F 2 : L R F 2 (X) $ {0, 1} n look in F 3 and F 4 history if there are Y and Z such that X = F 3 (Y) Z R = Y F 2 (X), F 1 (R) $ {0, 1} n, L = X F 1 (R) query T = P(L R) A = Y F 4 (Z) adapt F 5 (A) Z and F 6 () A T F1 F 2 F 3 F 4 F 5 X Y Z A what could go wrong: F 6 chain reaction leading to exponential running time impossibility to adapt a round value: aborts T éminaire EN Y. eurin 16/27 Orange Labs

the simulator Query Direction History Call Compute Adapt F 1 - (F 6, F 5 ) F 4 T (F 3, F 2 ) F 1 + (F 2, F 3 ) F 4 L R (F 5, F 6 ) F 2 - (F 1, F 6 ) F 5 L R (F 4, F 3 ) F 2 + (F 3, F 4 ) F 1 L R (F 5, F 6 ) F 3 - (F 2, F 1 ) F 6 L R (F 5, F 4 ) F 3 + (F 4, F 5 ) F 6 T (F 1, F 2 ) F 4 - (F 3, F 2 ) F 1 L R (F 6, F 5 ) F 4 + (F 5, F 6 ) F 1 T (F 2, F 3 ) F 5 - (F 4, F 3 ) F 6 T (F 2, F 1 ) F 5 + (F 6, F 1 ) F 2 T (F 3, F 4 ) F 6 - (F 5, F 4 ) F 3 T (F 2, F 1 ) F 6 + (F 1, F 2 ) F 3 L R (F 4, F 5 ) L F1 F 2 F 3 F 4 F 5 F 6 R X Y Z A T éminaire EN Y. eurin 17/27 Orange Labs

the simulator Query Direction History Call Compute Adapt involves P F 1 - (F 6, F 5 ) F 4 T (F 3, F 2 ) Y F 2 - (F 1, F 6 ) F 5 L R (F 4, F 3 ) Y F 2 + (F 3, F 4 ) F 1 L R (F 5, F 6 ) F 3 + (F 4, F 5 ) F 6 T (F 1, F 2 ) F 4 - (F 3, F 2 ) F 1 L R (F 6, F 5 ) F 5 - (F 4, F 3 ) F 6 T (F 2, F 1 ) F 5 + (F 6, F 1 ) F 2 T (F 3, F 4 ) Y F 6 + (F 1, F 2 ) F 3 L R (F 4, F 5 ) Y fact: the total number of calls to the four lines involving P is less than q, except with negligible probability L F1 F 2 F 3 F 4 F 5 F 6 R X Y Z A consequence 1: F 3 and F 4 2q, except with negligible probability T éminaire EN Y. eurin 18/27 Orange Labs

the simulator Query Direction History Call Compute Adapt involves P F 1 - (F 6, F 5 ) F 4 T (F 3, F 2 ) Y F 2 - (F 1, F 6 ) F 5 L R (F 4, F 3 ) Y F 2 + (F 3, F 4 ) F 1 L R (F 5, F 6 ) F 3 + (F 4, F 5 ) F 6 T (F 1, F 2 ) F 4 - (F 3, F 2 ) F 1 L R (F 6, F 5 ) F 5 - (F 4, F 3 ) F 6 T (F 2, F 1 ) F 5 + (F 6, F 1 ) F 2 T (F 3, F 4 ) Y F 6 + (F 1, F 2 ) F 3 L R (F 4, F 5 ) Y consequence 2: the total number of calls to the four other lines is less than 4q 2, except with negl. probability L F1 F 2 F 3 F 4 F 5 F 6 R X Y Z A consequence 3: F 1, F 2, F 4 and F 6 q + 4q 2, except with negl. probability T éminaire EN Y. eurin 19/27 Orange Labs

sketch of the proof of the theorem we need to prove that: the simulator runs in polynomial time: done, according to the previous analysis the simulator aborts with negligible probability its output is indistinguishable from the output of random functions éminaire EN Y. eurin 20/27 Orange Labs

the simulator does not abort we must show that the values which are adapted are not already in the simulator history, except with negl. probability for this, we show that the inputs to be adapted are always randomly determined L F1 F 2 R X example with line (F 1, ) Query Direction History Call Compute Adapt F 1 - (F 6, F 5 ) F 4 T (F 3, F 2 ) F 3 + (F 4, F 5 ) F 6 T (F 1, F 2 ) F 5 - (F 4, F 3 ) F 6 T (F 2, F 1 ) F 3 F 4 F 5 F 6 Y Z A complete proof: read the f*** paper T éminaire EN Y. eurin 21/27 Orange Labs

the simulator does not abort we must show that the values which are adapted are not already in the simulator history, except with negl. probability for this, we show that the inputs to be adapted are always randomly determined L F1 F 2 R X example with line (F 1, ) Query Direction History Call Compute Adapt F 1 - (F 6, F 5 ) F 4 T (F 3, F 2 ) F 3 + (F 4, F 5 ) F 6 T (F 1, F 2 ) F 5 - (F 4, F 3 ) F 6 T (F 2, F 1 ) F 3 F 4 F 5 F 6 Y Z A complete proof: read the full paper T éminaire EN Y. eurin 22/27 Orange Labs

indifferentiability proof T T F F P P LR LR F D D D D Game 0 Game 1 Game 2 Game 3 Game0 is the same as Game1 Game2 is indistinguishable from Game3 unless aborts, which happens with negligible probability Game1 is indistinguishable from Game2: LR(L R) = (L r 1 r 3 r 5 ) (R r 2 r 4 r 6 ) the output of T always omits two consecutive values r i = F i ( ), r i+1 = F i+1 ( ) (the ones that are adapted by the simulator) éminaire EN Y. eurin 23/27 Orange Labs

practical impacts example of the Phan-Pointcheval 3R-OAEP scheme: in the random permutation model P Enc pk (m; r) = TOWP pk (P(m r)) can be replaced in the ROM by a 3R Feistel scheme s = m F 1 (r); t = r F 2 (s); u = s F 3 (t) Enc pk (m; r; ρ) = TOWP pk (t u ρ) example of the Even-Mansour cipher: E k1,k 2 (m) = k 2 P(m k 1 ) secure in the random permutation model P secure in the ROM model with a 4R Feistel scheme [GentryR04] a dedicated analysis will often enable to replace a random permutation by a Feistel scheme with < 6 rounds éminaire EN Y. eurin 24/27 Orange Labs

open questions, ongoing work improve the tightness of the analysis best (exponential) attacks conjectured security Θ( q2 2 n ) weaker (but still useful) models of indifferentiability: relation with the known-key distinguishers of Knudsen and Rijmen (Asiacrypt 07), correlation intractability minimal number of calls to the random oracle to build a random permutation: are there constructions with < 6 calls to the RO? éminaire EN Y. eurin 25/27 Orange Labs

conclusion The 6-round Luby-Rackoff construction with public random inner functions is indifferentiable from a random permutation. our result says nothing about the rightfulness to replace an ideal cipher by AE, or a random oracle by HAx now that it is proved that ROM ICM, you may: use the ICM with more confidence, since it isn t stronger than the more standard ROM or, as pointed out by a reviewer, look at the ROM with even more defiance, since it leads to the over ideal ICM!!! éminaire EN Y. eurin 26/27 Orange Labs

thanks for your attention! comments questions? éminaire EN Y. eurin 27/27 Orange Labs

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback