
Ideal Models in Symmetric Cryptography

Stefano Tessaro, UC Santa Barbara

Visions of Cryptography, Weizmann Institute

Crypto-History [oversimplified]

2000 BC – 1982: Cryptographic algorithms designed from scratch, no proofs, …

From 1982: Provable security: Security of cryptosystems formalized and proven under computational assumptions. Amazingly successful.

The Sky is the Limit! Encryption, signatures, multi-party computation, secure delegation, functional encryption, FHE, …

This Talk – In a Nutshell

This talk: Biased selection of problems which cannot be studied within the traditional framework of provable security.

Leitmotif: Security proofs are in ideal models (e.g. random oracle model, ideal cipher model, etc.)

Two high-level goals:

1. Survey a set of problems not as widely considered by the core theory community.

2. Thought-provoking: Foster discussion on ideal models, and show why “we are stuck with them”.

Ideal Models

Cryptographic primitives – a set 𝒫 of valid “instances”, e.g.:

• Functions {0,1}* → {0,1}^n

• Permutations {0,1}^n → {0,1}^n

• Pairs (f, op), where f: Z_q → {0,1}^n and op(f(a), f(b)) = f(a + b)

Ideal-P model:

1. Pick P u.a.r. from 𝒫.

2. Every algorithm (i.e., attacker, schemes) is given access to P.

[Figure: construction C and attacker both query the ideal primitive P.]

Random-oracle model [FiaSha86,BelRog93]

Generic-group model [Sho97]

Rationale: The ideal primitive P has all security properties expected from P-candidates.

Ideal Models

Fact. [CaGoHa98] Security proofs in ideal models are not “sound”.

Ideal models used in security proofs:

• They are the only way to give “provable” answers.

• Security against a limited attacker class (i.e., generic attacks) is partially justified by existing cryptanalytic attacks.

• “A proof in an ideal model is better than no proof at all.”

This talk. Problems motivated by the design of efficient and highly-secure constructions of symmetric cryptographic primitives (block ciphers, hash functions).

Outline

Three selected examples:

1. From Weak to Strong Block Ciphers

2. Hash Functions and Key Derivation

3. Building Ideal Primitives

Pseudorandom Functions [GoGoMi84]

Keyed function F: K × X → Y. Random function R: X → Y.

[Figure: distinguisher D makes Q adaptive queries x and receives F(SK, x) in the left world (random secret key SK) or R(x) = $ (a fresh random value) in the right world, then outputs 0/1. Running time T.]

Definition. F is a (T, Q, e)-PRF if for all (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < e

[Typically: e = negl for T, Q = poly(k); here we care about concrete security]

PRFs ⟹ efficient symmetric encryption, MACs, …

Candidates: Block Ciphers

[Figure: E maps (SK, M) to C and E^-1 maps (SK, C) back to M; under the same SK, a second message M’ ≠ M gives C’ ≠ C.]

E.g.: AES, DES, 3DES, IDEA, BLOWFISH, …

|M| = |C| = n (e.g. n = 128)

|SK| = k (e.g. k = 128, 256, …)

For every SK: Block cipher is a permutation on n-bit strings

Pseudorandom Permutations [LubRac85]

Block cipher E: K × X → X. Random permutation P: X → X.

[Figure: D queries (+, x) and receives E(SK, x) (left) or P(x) (right); for STRONG-PRP security D may also query (-, y) and receives E^-1(SK, y) (left) or P^-1(y) (right). D outputs 0/1.]

Definition. E is a (T, Q, e)-PRP if for all (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < e

STRONG-PRP: the distinguisher additionally gets inverse queries (-, y).

Pseudorandom Constructions

Building PRFs / PRPs from weaker pseudorandom objects is a central problem both in theoretical and applied cryptography.

Example. PRF from PRP

[Figure: construction C built from block cipher E. PRP ⟹ PRF?]

Standard-model provable security: If E is a (T, Q, e)-PRP then C is a (T’, Q’, e’)-PRF, where T’ ≈ T.

Important: We always have T’ < T.

Our Problem: From Weak to Strong Ciphers

Block-cipher design paradigm:

• Design weak component

• Iterate weak component multiple times

Sequential composition of weak ciphers

[Figure: M → E_K1 → E_K2 → E_K3 → C]

Used for 3DES, where E = DES is insecure (widespread in the electronic payment sector)

• DES best attack: 2^42

• 3DES best attack: 2^90

Expectation: Breaking the construction is strictly harder than breaking the component.

Hope: T’ > T! Cannot show this in the standard model under any reasonable assumption on E …

Amplification of Generic Security

[Figure: M → E_K1 → E_K2 → E_K3 → C]

“Generic” security amplification: Prove that there is no generic attack – treating E as a black-box – which breaks sequential composition with complexity less than T’ >> 2^k.

Observation. (Exhaustive key search) E can always be distinguished with 2^k computation and Q = O(k/n) queries.

The Ideal Cipher Model [Sha49]

∀SK ∈ {0,1}^k: E_SK chosen u.a.r. from the set of all permutations {0,1}^n → {0,1}^n

[Figure: left world: construction C (secret key SK) built from the ideal cipher IC; right world: a random permutation P next to the same IC. D makes Q_C construction queries (+, M) / (-, C) and Q_P primitive queries (+, SK, M) → E_SK(M) / (-, SK, C) → E_SK^-1(C), and outputs 0/1.]

Definition. C is a (Q_C, Q_P, e)-strong PRP if for all (Q_C, Q_P)-distinguishers D:

Pr[D → 1 | left] – Pr[D → 1 | right] < e

Two query types:

• Primitive queries (+, SK, M), (-, SK, C) ⟹ “Local” computation

• Construction queries (+, M), (-, C) ⟹ Key-dependent access to primitive

The General Problem

[Figure: construction C with IC vs. random permutation P with IC; distinguisher D outputs 0/1.]

Problem. Find efficient C which is a (Q_C, Q_P, e = negl)-strong PRP for Q_C, Q_P both as large as possible.

Q_C ≤ 2^n, Q_P < 2^(n + k)

Two-fold Sequential Composition

[Figure: C = E_SK2 ∘ E_SK1 in the ideal cipher model. A construction query (+, x) is answered by the primitive queries (+, SK1, x) → y and (+, SK2, y) → z, and z is returned.]

Two-fold Sequential Composition

[Figure: C = E_SK2 ∘ E_SK1 with keys SK1, SK2; D makes one construction query x → z and primitive queries under every candidate key SK’1, SK’2, collecting y[SK’1] and y’[SK’2].]

Meet-in-the-middle attack: [DifHel76]

• z ← C(+, x)

• ∀SK’1: y[SK’1] ← IC(+, SK’1, x)

• ∀SK’2: y’[SK’2] ← IC(-, SK’2, z)

• If ∃ SK’1, SK’2 : y[SK’1] = y’[SK’2] then output 1

• Else output 0

Fact 1. Pr[D → 1 | left] = 1

Fact 2. If k < n/2: Pr[D → 1 | right] < 1/2
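To make the two worlds and the distinguisher concrete, here is an added Python example (written for this page, not code from the talk): a lazily sampled ideal cipher on constructed toy parameters n = 8, k = 3, the two-fold cascade as the construction, and the meet-in-the-middle distinguisher exactly as listed above. Running it reproduces Fact 1 (the distinguisher always outputs 1 in the left world) and estimates the right-world probability from Fact 2, which is why the two-fold cascade gives so little generic security and motivates the three-call and key-whitening constructions on the following slides. The `IdealCipher` class, the query point x and the seeds are all constructed for the example.

```python
import random


class IdealCipher:
    """Lazily sampled ideal cipher (constructed for this example): for every key an
    independent uniformly random permutation on n-bit blocks, kept consistent across
    forward (+) and inverse (-) queries by only ever sampling unused outputs/inputs."""

    def __init__(self, n, rng):
        self.n, self.rng = n, rng
        self.fwd = {}  # key -> {x: y}
        self.inv = {}  # key -> {y: x}

    def _tables(self, key):
        return self.fwd.setdefault(key, {}), self.inv.setdefault(key, {})

    def enc(self, key, x):
        """Primitive query (+, key, x)."""
        f, b = self._tables(key)
        if x not in f:
            y = self.rng.randrange(1 << self.n)
            while y in b:  # rejection sampling keeps each key's table a bijection
                y = self.rng.randrange(1 << self.n)
            f[x], b[y] = y, x
        return f[x]

    def dec(self, key, y):
        """Primitive query (-, key, y)."""
        f, b = self._tables(key)
        if y not in b:
            x = self.rng.randrange(1 << self.n)
            while x in f:
                x = self.rng.randrange(1 << self.n)
            f[x], b[y] = y, x
        return b[y]


def left_world(n, k, rng):
    """Left world: construction C = E_SK2 o E_SK1 with random keys, built over IC."""
    ic = IdealCipher(n, rng)
    sk1, sk2 = rng.randrange(1 << k), rng.randrange(1 << k)

    def construction(x):
        return ic.enc(sk2, ic.enc(sk1, x))

    return construction, ic


def right_world(n, k, rng):
    """Right world: an independent random permutation P (a second IdealCipher used under
    one fixed key) next to an ideal cipher IC of the same kind."""
    ic = IdealCipher(n, rng)
    p = IdealCipher(n, rng)

    def construction(x):
        return p.enc(0, x)

    return construction, ic


def mitm_distinguisher(construction, ic, k, x=1):
    """The meet-in-the-middle distinguisher from the slide: one construction query and
    2 * 2^k primitive queries, half forward from x and half inverse from z."""
    z = construction(x)                                   # z <- C(+, x)
    y_fwd = {ic.enc(sk1, x) for sk1 in range(1 << k)}     # y[SK'1]  <- IC(+, SK'1, x)
    y_bwd = {ic.dec(sk2, z) for sk2 in range(1 << k)}     # y'[SK'2] <- IC(-, SK'2, z)
    return 1 if y_fwd & y_bwd else 0                      # some y[SK'1] = y'[SK'2]?


def output_rate(world, n, k, trials, seed=2015):
    """Fraction of independent trials in which the distinguisher outputs 1."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(trials):
        construction, ic = world(n, k, rng)
        ones += mitm_distinguisher(construction, ic, k)
    return ones / trials


if __name__ == "__main__":
    # Fact 1: in the left world the real keys always meet in the middle.
    print("left :", output_rate(left_world, 8, 3, 100))
    # Fact 2: with k = 3 < n/2 = 4 a chance collision in the right world is rare.
    print("right:", output_rate(right_world, 8, 3, 400))
```

The right-world rate is roughly the number of key pairs, 2^(2k) = 64, divided by the block space, 2^n = 256, so well below 1/2 as long as k < n/2; raising k towards n/2 in the call above shows the advantage shrinking, which is the content of Fact 2.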

DESX [Rivest, 1984]

[Figure: C = SK2 ⊕ E_SK(M ⊕ SK1): one call to E under key SK, with XOR key-whitening SK1 before and SK2 after the call.]

Theorem: [KilRog01] DESX is a (Q_C, Q_P, e = negl)-strong PRP if Q_C · Q_P < 2^(n + k).

• Result meaningful even when k = 0 [EveMan96]

• Proof succeeds even if SK1 = SK2 [DunKelSha11]

• Essentially optimal for one-call constructions [GazTes12]

3DES

Caveat: If Q_C approaches 2^n, then DESX is distinguishable with Q_P = 2^k queries (the bound Q_C · Q_P < 2^(n + k) leaves no room).

Alternative: Back to sequential composition! (used in 3DES)

[Figure: M → E_SK1 → E_SK2 → E_SK3 → C]

Theorem: [BelRog06,GazMau10] 3DES is a (Q_C, Q_P, e = negl)-strong PRP as long as Q_C ≤ 2^n and Q_P < 2^(n/2 + k).

3DES – Proof Approach

[Figure: the ideal cipher as a family of K = 2^k permutations p_1, p_2, …, p_K; a single random permutation p is compared with the composition p_i ∘ p_j ∘ p_k for random indices i, j, k.]

For random i, j, k: p_i ∘ p_j ∘ p_k vs. p

K = 2^k

Lemma. Hard to distinguish with fewer than 2^(k + n/2) queries.

Beyond Length 3

[Figure: M → E_SK1 → E_SK2 → … → E_SKl → C]

Expectation: Security increases with l.

Theorem. [Lee13] Security for Q_P → 2^(k + min{k, n}) when l → ∞.

Increasing Efficiency [GazTes12]

[Figure: 2XOR-Cascade: two calls to E, under keys SK and SK’’, combined with XOR key-whitening by SK’.]

Theorem: [GazTes12] 2XOR-Cascade is a (Q_C, Q_P, e = negl)-strong PRP if Q_C ≤ 2^n and Q_P < 2^(k + n/2).

[Same security as 3DES, one block cipher call less]

XOR Cascades

[Figure: l calls to E under keys SK1, …, SKl, with whitening keys SK’1, SK’2, …, SK’l, SK’l+1 XORed before the first call, between consecutive calls, and after the last call.]

Theorem. [LPS12,Lee13,Gaz13,CheSte13] Security for Q_P → 2^(k + n) when l → ∞.

Optimal!
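Added Python example (not code from the talk or the cited papers): generic implementations of the three key-length-extension shapes in this section, a plain l-fold cascade (the 3DES shape), DESX-style key whitening, and an XOR cascade with l+1 whitening keys, each wrapping a deliberately weak constructed toy block cipher, together with the log2 of the bounds quoted in the theorems so the constructions can be compared for DES-like parameters n = 64, k = 56. The toy cipher and its key spreading are constructed for the example; the related-key schedule of the 2XOR-cascade in [GazTes12] is not reproduced, the XOR cascade here uses independent keys.

```python
import random


def toy_cipher(n, k):
    """Constructed toy block cipher E: {0,1}^k x {0,1}^n -> {0,1}^n, present only so the
    compositions below have something to wrap. For every key, x -> ((x XOR K) * a + K) mod 2^n
    with an odd multiplier a is a permutation of n-bit blocks; it has no cryptographic strength."""
    mask = (1 << n) - 1
    a = (0x9E3779B1 & mask) | 1          # odd, hence invertible modulo 2^n
    a_inv = pow(a, -1, 1 << n)

    def expand(key):
        # spread the k-bit key across the whole n-bit block
        return (key * 0x0101010101010101) & mask

    def enc(key, x):
        kk = expand(key)
        return (((x ^ kk) * a) + kk) & mask

    def dec(key, y):
        kk = expand(key)
        return ((((y - kk) & mask) * a_inv) & mask) ^ kk

    return enc, dec


def cascade(E, keys):
    """Sequential composition E_{K_l} o ... o E_{K_1}; with E = DES and l = 3 this is 3DES."""
    enc, dec = E

    def c_enc(x):
        for key in keys:
            x = enc(key, x)
        return x

    def c_dec(y):
        for key in reversed(keys):
            y = dec(key, y)
        return y

    return c_enc, c_dec


def fx(E, key, sk1, sk2):
    """DESX-style key whitening (one call to E): C = SK2 XOR E_SK(M XOR SK1)."""
    enc, dec = E
    return (lambda x: enc(key, x ^ sk1) ^ sk2,
            lambda y: dec(key, y ^ sk2) ^ sk1)


def xor_cascade(E, keys, whitening):
    """XOR cascade: l calls to E under SK1..SKl with l+1 whitening keys SK'1..SK'l+1 XORed
    before the first call, between calls and after the last call, as in the figure."""
    if len(whitening) != len(keys) + 1:
        raise ValueError("an l-call XOR cascade needs l + 1 whitening keys")
    enc, dec = E

    def c_enc(x):
        x ^= whitening[0]
        for key, w in zip(keys, whitening[1:]):
            x = enc(key, x) ^ w
        return x

    def c_dec(y):
        for key, w in zip(reversed(keys), reversed(whitening[1:])):
            y = dec(key, y ^ w)
        return y ^ whitening[0]

    return c_enc, c_dec


def log2_bounds(n, k):
    """log2 of the generic-security bounds quoted in the talk (Q_C up to 2^n)."""
    return {
        "fx: log2(Q_C * Q_P)": n + k,               # [KilRog01]  Q_C * Q_P < 2^(n+k)
        "fx: Q_P when Q_C = 2^n": k,                # the caveat: only 2^k primitive queries
        "3-cascade: Q_P": k + n / 2,                # [BelRog06, GazMau10]
        "2XOR-cascade: Q_P": k + n / 2,             # [GazTes12], one call fewer
        "l-cascade, l -> inf: Q_P": k + min(k, n),  # [Lee13]
        "XOR cascade, l -> inf: Q_P": k + n,        # [LPS12, Lee13, Gaz13, CheSte13], optimal
    }


def roundtrip_ok(n=8, k=4, seed=1):
    """Encrypt and decrypt every n-bit block under each composition with constructed random
    keys; True iff every composition is a permutation whose inverse is correct."""
    rng = random.Random(seed)
    E = toy_cipher(n, k)
    rk = lambda: rng.randrange(1 << k)   # k-bit block-cipher key
    rb = lambda: rng.randrange(1 << n)   # n-bit whitening key
    schemes = [
        cascade(E, [rk(), rk(), rk()]),
        fx(E, rk(), rb(), rb()),
        xor_cascade(E, [rk(), rk()], [rb(), rb(), rb()]),
    ]
    for c_enc, c_dec in schemes:
        images = {c_enc(x) for x in range(1 << n)}
        if len(images) != 1 << n or any(c_dec(c_enc(x)) != x for x in range(1 << n)):
            return False
    return True
```

`roundtrip_ok` checks the one property every use of these constructions relies on regardless of generic security, that the result is again a permutation with a working inverse; `log2_bounds(64, 56)` shows why the XOR cascade is the attractive target for long cascades: its limit 2^(k + n) is the full key-plus-block space, whereas plain cascading stops at 2^(k + min{k, n}).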

Outline

Three selected examples:

1. From Weak to Strong Block Ciphers

2. Hash Functions and Key Derivation

3. Building Ideal Primitives

Hash Functions

Practical hash-function constructions are usually only analyzed in ideal models.

Example: Block-cipher based hash functions [PGV93]

[Figure: compression function built from a block cipher E with inputs X, Y and output Z: H(X, Y) = Z]

Goal: Optimize the concrete security / # calls tradeoff for standard security properties [Hundreds of papers!]

Key-Derivation Functions

Goal: Derive a secret key from a low-entropy secret (e.g., password) – PKCS#5 standard

[Figure: pw || salt → H → H → … → H → SK; the salt is randomly chosen per KDF evaluation.]

Expectations:

1. Time to break should increase linearly with iteration length.

2. Time to break should increase linearly with the number of independent instances.

Theorem. [BeRiTe12] Expectations are true for KDFs from the PKCS#5 standard (in the ROM).
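Added Python example (not from the talk): the iterated chain in the figure written out as PBKDF2 from PKCS#5 (RFC 8018), first one HMAC-chained output block, then the full multi-block derivation, cross-checked against the standard library's implementation; `derive_key` draws a fresh random salt for every evaluation, which is what expectation 2 relies on. The passwords and salts in the demo and tests are constructed sample values.

```python
import hashlib
import hmac
import secrets


def pbkdf2_block(prf_name, password, salt, iterations, block_index):
    """One output block T_i of PKCS#5 PBKDF2:
         U_1 = PRF(pw, salt || INT(i)),  U_j = PRF(pw, U_{j-1}),  T_i = U_1 XOR ... XOR U_c.
    The c chained PRF calls are the H -> H -> ... -> H of the figure: each depends on the
    previous output, so evaluating one guess costs c sequential PRF calls (expectation 1)."""
    u = hmac.new(password, salt + block_index.to_bytes(4, "big"), prf_name).digest()
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, prf_name).digest()
        for j, byte in enumerate(u):
            t[j] ^= byte
    return bytes(t)


def pbkdf2(prf_name, password, salt, iterations, dklen):
    """Full PBKDF2: concatenate as many blocks as dklen needs, then truncate."""
    digest_len = hashlib.new(prf_name).digest_size
    n_blocks = -(-dklen // digest_len)  # ceiling division
    out = b"".join(pbkdf2_block(prf_name, password, salt, iterations, i)
                   for i in range(1, n_blocks + 1))
    return out[:dklen]


def derive_key(password, iterations, dklen=32):
    """Fresh 16-byte random salt per evaluation (expectation 2): independent instances share
    no precomputation, so each one must be attacked separately. The salt is returned so it
    can be stored next to the derived key and the derivation repeated later."""
    salt = secrets.token_bytes(16)
    return salt, pbkdf2("sha256", password, salt, iterations, dklen)


def matches_stdlib(password, salt, iterations, dklen):
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac (SHA-256)."""
    ours = pbkdf2("sha256", password, salt, iterations, dklen)
    reference = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return ours == reference


if __name__ == "__main__":
    # constructed sample input; the iteration count is a demo value, not a recommendation
    salt, key = derive_key(b"correct horse battery staple", iterations=10_000)
    print(salt.hex(), key.hex())
```

The XOR of the U_j values means the attacker cannot stop the chain early, and the 4-byte block index is what lets one salt feed several independent chains when dklen exceeds the digest size.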

Outline

Three selected examples:

1. From Weak to Strong Block Ciphers

2. Hash Functions and Key Derivation

3. Building Ideal Primitives

So far: Construction C of a primitive Q from a primitive P achieving specific goal, with security proof in ideal-P model.

Most ambitious goal. Construction C(.) using ideal primitive P s.t. C(P) “as good as” ideal primitive Q.

“If an application is secure in the ideal-Q model, then it is secure in the ideal-P model, where calls to Q are replaced by calls to C(P).”

Indifferentiability [MaReHo04]

[Figure: left world: D queries the construction C and the ideal primitive P that C is built from; right world: D queries the ideal primitive Q and a simulator SIM with access to Q. D outputs 0/1.]

Definition. C is (Q_C, Q_P, e)-indifferentiable if ∃ (efficient) SIM ∀D:

Pr[D → 1 | left] – Pr[D → 1 | right] < e

[Typically: efficient = poly(Q_C, Q_P), e = negl(k)]

Keyless, deterministic construction

Composability [MaReHo04]

[Figure: an arbitrary security game G interacting with Q (left) or with C(P) (right), outputting 0/1; the simulator SIM is what the proof uses to move from one to the other.]

Arbitrary security game G

Pr[G → 1 | Q] = negl    Pr[G → 1 | C(P)] = ?

Indifferentiability ⟹ Pr[G → 1 | C(P)] = negl

Indifferentiability Constructions

Literature on indifferentiability encompasses by now hundreds of papers.

Standard security notion for hash function constructions (e.g., in SHA-3 competition): “Hash function has all security properties of a random oracle.”

Typical example. Random oracles from ideal ciphers

[Figure: IV and message blocks M1, M2, …, Ml processed by a chain of block-cipher calls E, followed by truncation of the final chaining value.]

Theorem. [CDMP05] Construction is indifferentiable from a random oracle in the ideal-cipher model.

Ideal Ciphers from Random Oracles

Theorem. [HoKuTe11] 14-round Feistel is indifferentiable from a random permutation.

[Figure: Feistel network with round functions F1, F2, …, F14.]

Much more complex than the converse. [CoPaSe08]
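Added Python example covering both directions of this section (not code from the talk or the cited papers): a 14-round Feistel network whose round functions are modelled by a hash with the round index and key prefixed (the random-oracles-to-permutation direction), and, on top of it, a chaining hash with the shape of the previous slide's figure (the ideal-cipher-to-random-oracle direction). The 64-bit block size, the SHA-256-based round functions, the padding and the Davies-Meyer feed-forward in the hash are choices made for the example and are not stated on the slides.

```python
import hashlib

HALF_BITS = 32          # constructed toy parameters: 64-bit block split into two halves
ROUNDS = 14             # the round count of the [HoKuTe11] result
HALF_MASK = (1 << HALF_BITS) - 1


def round_function(i, key, right):
    """Round function F_i, modelled by a hash so that each round (and each key) behaves like
    an independent random-oracle lookup. Prefixing the key is what turns the keyless Feistel
    permutation into a keyed family, i.e. an ideal-cipher-like object."""
    data = bytes([i]) + key + right.to_bytes(HALF_BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF_BITS // 8], "big")


def feistel_enc(key, x):
    """ROUNDS-round Feistel network: (L, R) -> (R, L XOR F_i(R))."""
    left, right = x >> HALF_BITS, x & HALF_MASK
    for i in range(ROUNDS):
        left, right = right, left ^ round_function(i, key, right)
    return (left << HALF_BITS) | right


def feistel_dec(key, y):
    """Inverse: undo the rounds in reverse order; the round functions themselves need not
    be invertible, which is why a Feistel network can be built from random oracles."""
    left, right = y >> HALF_BITS, y & HALF_MASK
    for i in reversed(range(ROUNDS)):
        left, right = right ^ round_function(i, key, left), left
    return (left << HALF_BITS) | right


def is_injective_on_prefix(key, count=512):
    """Sanity check that the network is a permutation: no two of the first `count`
    inputs collide under one key."""
    return len({feistel_enc(key, x) for x in range(count)}) == count


def chop_md_hash(message, iv=0, out_bits=32):
    """Hash from the block cipher in the shape of the slide's figure: the chaining value
    starts at IV, each 8-byte message block keys one call to E, and the final chaining
    value is truncated. The XOR feed-forward (Davies-Meyer) is an addition made here;
    the figure itself only shows the chain of E calls and the truncation."""
    block_bytes = 8
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % block_bytes)
    padded += len(message).to_bytes(8, "big")          # unambiguous length padding
    h = iv
    for off in range(0, len(padded), block_bytes):
        block = padded[off:off + block_bytes]
        h = feistel_enc(block, h) ^ h
    return h & ((1 << out_bits) - 1)
```

The asymmetry the slide points out shows up even in this toy: the hash direction is a few lines of chaining, while arguing that the Feistel output looks like an independent random permutation, with a simulator that must answer round-function queries consistently, is the hard part of [HoKuTe11].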

Indifferentiability Constructions

Other constructions:

• Random oracles from fixed input-length random oracles with optimal security […, MauTes07, …, DodSte11, …]

• Ideal ciphers from random permutations [ABDMS13,LamSeu13]

Leads to interesting questions about expander graphs.

Multi-Stage Games

[Figure: a two-stage game G1, G2, both stages interacting with Q, outputting 0/1.]

Examples:

• Deterministic encryption

• Leakage resilience

• …

Observation. [RSS11] Indifferentiability does not imply composition for multi-stage games.

Multi-Stage Games

New Goal: Find good indifferentiability-like notions with composition properties for multi-stage games.

Reset indifferentiability [RSS11]: Distinguisher is allowed to reset simulator.

Reset indifferentiability sufficient for secure composition in the multi-stage setting.

Many impossibility results: Traditional indifferentiability results are impossible for reset indifferentiability [DGHM13,BBM13,…]

Conclusions

Ideally, we would like to avoid ideal models.

A large number of relevant security questions can only be answered using ideal-model security proofs.

Ideal models give rise to a rich area of works with interesting theoretical questions.

Thank you!

DESX – Proof Idea

Extend the ideal world:

[Figure: D interacts with the random permutation P and the ideal cipher IC; the DESX structure E with keys SK, SK1, SK2 is shown alongside.]

1. Transcript:

• T_C = {(w, z)}, size Q_C

• T_P = {(SK’, x, y)}, size Q_P

2. Random SK, SK1, SK2

D wins if

• ∃(w, *) ∈ T_C: (SK, w ⊕ SK1, *) ∈ T_P

• ∃(*, z) ∈ T_C: (SK, *, z ⊕ SK2) ∈ T_P

Lemma 1: e ≤ Pr[D wins]

Lemma 2: Pr[D wins] ≤ 2 Q_C Q_P / 2^(n + k)