public-seed pseudorandom permutationsย ยท kdm-secure symmetric key enc. (kdm) point function...
TRANSCRIPT
Public-seed Pseudorandom Permutations
Pratik Soni Stefano Tessaro
UC Santa Barbara UC Santa Barbara
EUROCRYPT 2017
Cryptographic schemes often built from generic building blocks
Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
๐ป
๐พ โ ๐๐๐๐ || ๐
๐พ โ ๐๐๐๐
๐ป
hash function (e.g., SHA-3)
๐ธ๐พ
๐1
๐ผ๐
๐2
๐ธ๐พ
๐โ
block cipher (e.g., AES)
Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
Is there a universal and simple building block for efficient symmetric cryptography?
๐ป
๐พ โ ๐๐๐๐ || ๐
๐พ โ ๐๐๐๐
๐ป
hash function (e.g., SHA-3)
๐ธ๐พ
๐1
๐ผ๐
๐2
๐ธ๐พ
๐โ
block cipher (e.g., AES)
Recent trend: Start from seedless permutation
Recent trend: Start from seedless permutation
Recent trend: Start from seedless permutation
Sponge paradigm
Recent trend: Start from seedless permutation
Sponge paradigm
Recent trend: Start from seedless permutation
โฆ
Sponge paradigm
Here: ๐ is an efficiently computable and invertible one-to-one function
Recent trend: Start from seedless permutation
โฆ
Sponge paradigm
Permutations
โโฆ it would be nice, now, if permutations can be called
the Swiss Army Knife [of cryptography]โ โ Joan Daemen, Passwords^12
Hashing Garbling
PRNGs Authenticated Encryption
MACs KDFs
Typical instantiations
Typical instantiations
Ad-hoc construction
e.g., in KECCAK, NORX, โฆ
Designed to withstand cryptanalysis
Typical instantiations
Fixed-key block ciphers
Ad-hoc construction
e.g., in KECCAK, NORX, โฆ
Designed to withstand cryptanalysis
e.g., ๐ โถ ๐ฅ โ AES(0128, ๐ฅ) ๐ด๐ธ๐
0128
Typical instantiations
Fixed-key block ciphers
Ad-hoc construction
e.g., in KECCAK, NORX, โฆ
Designed to withstand cryptanalysis
e.g., ๐ โถ ๐ฅ โ AES(0128, ๐ฅ)
Faster, no re-keying costs!
๐ด๐ธ๐
0128
Faster Hash functions [RS08], fast garbling [BHKR13]
Permutations assumptions
Permutations are great in practice, but what about theory?
Permutations assumptions
Goal: Standard-model reduction: โIf ๐ satisfies ๐ then ๐ถ[๐] satisfies ๐.โ
Permutations are great in practice, but what about theory?
๐0 0
0
๐ ๐ ๐
Permutations assumptions
Goal: Standard-model reduction: โIf ๐ satisfies ๐ then ๐ถ[๐] satisfies ๐.โ
e.g., ๐ถ = KECCAK;
๐ = Anything non-trivial
๐ = ? ? ?
Permutations are great in practice, but what about theory?
๐0 0
0
๐ ๐ ๐
Permutations assumptions
Goal: Standard-model reduction: โIf ๐ satisfies ๐ then ๐ถ[๐] satisfies ๐.โ
e.g., ๐ถ = KECCAK;
๐ = Anything non-trivial
๐ = ? ? ?
Common approach: Use random permutation (RP) model
๐ is random + adversary given oracle access to ๐ and ๐โ1
Permutations are great in practice, but what about theory?
Observation: No standard-model proofs known for permutation-based constructions!
๐0 0
0
๐ ๐ ๐
But: random permutations do not exist [CGH98]
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
ideal model
random oracle
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
ideal model standard model
random oracle CRHF, OWFs, UOWHFs,
CI, UCEsโฆ
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
Permutations
ideal model standard model
random oracle
RP
CRHF, OWFs, UOWHFs, CI, UCEsโฆ
????
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
Permutations
ideal model standard model
random oracle
RP
CRHF, OWFs, UOWHFs, CI, UCEsโฆ
????
What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness โฆ
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
This work, in a nutshell
inspired by the UCE framework [BHK13]
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
This work, in a nutshell
inspired by the UCE framework [BHK13]
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
Yes! Yes!
psPRPs have many applications
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
Sponges
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
Efficient garbling from fixed-key block-ciphers
Sponges
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
Efficient garbling from fixed-key block-ciphers
Sponges
Feistel
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
๐ = (๐บ๐๐, ๐, ๐โ1) ๐ โถ 0,1 ๐ โ 0,1 ๐
We consider seeded permutations
๐ = (๐บ๐๐, ๐, ๐โ1)
๐บ๐๐ ๐ฅ ๐๐ ๐ฅ
๐ โถ 0,1 ๐ โ 0,1 ๐
๐๐ 1๐ ๐
Seed generation
๐ฆ ๐๐ โ1 ๐ฆ ๐๐
โ1
Forward evaluation
Backward evaluation
Efficient (poly-time) algorithms
(2) โ๐ฅ โถ ๐๐ โ1 ๐๐ ๐ฅ = ๐ฅ
(1) ๐๐ โถ 0,1 ๐ โ 0,1 ๐
We consider seeded permutations
Traditional security notion if seed is secret: Pseudorandom Permutation
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
๐ โ Perms(๐)
๐/๐โ1 โ
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
๐ โ Perms(๐)
๐/๐โ1 โ
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
5
๐ โ Perms(๐)
๐/๐โ1 โ
Stage 1: โข Oracle access โข Secret seed
Stage 2: โข Learns seed โข No oracle access
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
5
๐ โ Perms(๐)
๐/๐โ1 โ
Stage 1: โข Oracle access โข Secret seed
Stage 2: โข Learns seed โข No oracle access
Traditional security notion if seed is secret: Pseudorandom Permutation
Limited information
flow
0/1
UCE security
๐ป = (๐บ๐๐, โ)
Bellare Hoang Keelveedhi
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ป = (๐บ๐๐, โ)
Bellare Hoang Keelveedhi
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ป = (๐บ๐๐, โ)
Bellare Hoang Keelveedhi
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
๐
๐ โ Gen(1๐)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
0/1
๐
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
0/1
๐
โ
๐
๐ท
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
๐
๐ท
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
๐
๐ฟ
๐ท
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
๐
๐ฟ
๐ท 0/1
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , left and right are indistinguishable.
๐
๐ฟ
๐ท 0/1
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , left and right are indistinguishable.
๐
๐ฟ
๐ท 0/1
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ ๐ฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ ๐ฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
๐ฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
1 with prob. 1
๐ฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
1
1
with prob. 1
with prob. 1/2๐
๐ฆ
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
1
1
with prob. 1
with prob. 1/2๐
๐ฆ
๐๐ ๐๐ ๐-security is impossible against all sources!
โ
Sources need to be restricted
all sources
๐ = (Gen, ๐, ๐โ1)
Sources need to be restricted
all sources
๐ฎ
๐ = (Gen, ๐, ๐โ1)
Sources need to be restricted
๐ is ๐๐ ๐๐ ๐[๐ฎ]-secure if โ ๐ โ ๐ฎ and โ PPT
๐ท, left and right are indistinguishable.
all sources
๐ฎ
๐ = (Gen, ๐, ๐โ1)
๐
๐ฟ
๐ท 0/1
๐
๐ โ Gen(1๐) ๐๐ /๐๐
โ1 ๐ โ Perms(๐) ๐/๐โ1
all
sources
This talk โ unpredictable and reset-secure sources
all
sources
๐ฎ๐ ๐ข๐ unpredictable
This talk โ unpredictable and reset-secure sources
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
Both restrictions model that ๐ท cannot predict the queries made by the sources!
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
Both restrictions model that ๐ท cannot predict the queries made by the sources!
๐ฎ๐ ๐ข๐ โ ๐ฎ๐ ๐๐
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
Both restrictions model that ๐ท cannot predict the queries made by the sources!
๐ฎ๐ ๐ข๐ โ ๐ฎ๐ ๐๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ is a stronger
assumption than ๐๐ ๐๐ ๐ ๐ฎ๐ ๐ข๐ โน
Source restrictions โ unpredictability
๐ ๐/๐โ1
๐ด
๐ โ Perms(๐)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ด
๐ โ Perms(๐)
๐ โ {+,โ}
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ด
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
๐ โ Perms(๐)
๐ โ {+,โ}
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
๐ โ Perms(๐)
๐ โ {+,โ}
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
๐ โ Perms(๐)
๐ โ {+,โ}
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐โฒ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
Pr [ ๐โฒ โฉ ๐ โ ๐] = negl(๐)
๐ โ Perms(๐)
๐ โ {+,โ}
It should be hard for ๐ด to predict any of ๐โs queries or its inverse
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐โฒ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
Pr [ ๐โฒ โฉ ๐ โ ๐] = negl(๐)
โ
๐ฎ๐ ๐ข๐: ๐ด is computationally unbounded
๐ฎ๐๐ข๐: ๐ด is PPT
๐ โ Perms(๐)
๐ โ {+,โ}
It should be hard for ๐ด to predict any of ๐โs queries or its inverse
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐โฒ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
Pr [ ๐โฒ โฉ ๐ โ ๐] = negl(๐)
โ
๐ฎ๐ ๐ข๐: ๐ด is computationally unbounded
๐ฎ๐๐ข๐: ๐ด is PPT ๐๐ ๐๐ ๐[๐ฎ๐๐ข๐] impossible if iO
exists [BFM14]
๐ โ Perms(๐)
๐ โ {+,โ}
It should be hard for ๐ด to predict any of ๐โs queries or its inverse
Source restrictions โ reset-security
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ โ Perms(๐)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ โ Perms(๐)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
๐ โ Perms(๐)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ โ Perms(๐)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
โ
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
โ
Source restrictions โ reset-security
โ
๐ฎ๐ ๐๐ : ๐ is computationally unbounded
๐ฎ๐๐๐ : ๐ is PPT
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
โ
Source restrictions โ reset-security
โ
๐ฎ๐ ๐๐ : ๐ is computationally unbounded
๐ฎ๐๐๐ : ๐ is PPT
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
๐ฎ๐๐ข๐ โ ๐ฎ๐๐๐
๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]
๐๐ ๐๐ ๐[๐ฎ๐ ๐ข๐]
Recap
๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]
๐๐ ๐๐ ๐[๐ฎ๐ ๐ข๐]
Recap
Recap
Recap
Central assumption in UCE theory
Recap
Central assumption in UCE theory
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Common denominator: A new, restricted notion of indifferentiability!
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Common denominator: A new, restricted notion of indifferentiability! CP-sequential
indifferentiability
๐ถ
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
๐ด ๐ด
๐ถ
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
๐ด ๐ด
๐ถ
? ๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
๐ด ๐ด
๐ถ
๐๐๐ ๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
๐ด ๐ด โ
๐ถ
0/1
๐๐๐
0/1
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
โ
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
โ
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ถ ๐ ๐ โผ๐๐๐ ๐ ๐ โ โ PPT ๐๐๐ โ PPT (๐ด1, ๐ด2):
left and right are indistinguishable.
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
โ
Remarks:
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ถ ๐ ๐ โผ๐๐๐ ๐ ๐ โ โ PPT ๐๐๐ โ PPT (๐ด1, ๐ด2):
left and right are indistinguishable.
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
โ
1. Full indifferentiability โน CP-seq indiff.
2. Reverse ordering: seq. indifferentiability [MPS12]
Remarks:
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ถ ๐ ๐ โผ๐๐๐ ๐ ๐ โ โ PPT ๐๐๐ โ PPT (๐ด1, ๐ด2):
left and right are indistinguishable.
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
From psPRPs to UCEs
Theorem:
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐
๐ถ
Theorem:
๐ ๐
๐/๐โ1
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure
๐ถ
Theorem:
๐ ๐
๐/๐โ1
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐ถ[๐]
๐ถ
Theorem:
๐ ๐
๐/๐โ1
๐๐ /๐๐ โ1
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure. ๐ถ[๐]
๐ถ
Theorem:
๐ ๐
๐/๐โ1
๐๐ /๐๐ โ1
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure. ๐ถ[๐]
Similar result proved in [BHK14], but: โข Need full indifferentiability โข Only stated for UCE domain extension
๐ถ
Theorem:
๐ ๐
๐/๐โ1
๐๐ /๐๐ โ1
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure. ๐ถ[๐]
Similar result proved in [BHK14], but: โข Need full indifferentiability โข Only stated for UCE domain extension
๐ถ
Theorem:
๐ ๐
๐/๐โ1
Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!
๐๐ /๐๐ โ1
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
๐๐ ๐๐ ๐๐
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Sponge[๐] ๐๐ถ๐ธ ๐ฎ๐ ๐๐ -secure.
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
๐๐ ๐๐ ๐๐
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Sponge[๐] ๐๐ถ๐ธ ๐ฎ๐ ๐๐ -secure.
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
๐๐ ๐๐ ๐๐
Validates the Sponge paradigm for UCE applications!
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Chop ๐ ๐ is not indifferentiable
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Chop ๐ ๐ is not indifferentiable
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Chop[๐] ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure.
Chop ๐ ๐ is not indifferentiable
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Chop[๐] ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure.
Chop ๐ ๐ is not indifferentiable
๐๐ถ๐ธ ๐ฎ๐ ๐ข๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐ข๐
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Chop[๐] ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure.
Chop ๐ ๐ is not indifferentiable
๐๐ถ๐ธ ๐ฎ๐ ๐ข๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐ข๐
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
From Chop ๐ to VIL UCE: Domain extension techniques [BHK14]
CP-sequentially indiff. constructions that are not fully indiff.?
psPRPs from UCEs Theorem:
psPRPs from UCEs
โ ๐ด1 ๐ถ
๐ด2
๐ ๐ก
๐โฒ
๐ด1
๐ด2
๐ ๐ก
๐๐๐
๐โฒ
๐ ๐
๐ ๐
๐ถ ๐ ๐ โผcpi ๐ ๐
Theorem:
psPRPs from UCEs
โ ๐ด1 ๐ถ
๐ด2
๐ ๐ก
๐โฒ
๐ด1
๐ด2
๐ ๐ก
๐๐๐
๐โฒ
๐ ๐
๐ ๐
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ป ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure ๐ถ ๐ป ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure.
Theorem:
psPRPs from UCEs
โ ๐ด1 ๐ถ
๐ด2
๐ ๐ก
๐โฒ
๐ด1
๐ด2
๐ ๐ก
๐๐๐
๐โฒ
๐ ๐
๐ ๐
Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP.
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ป ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure ๐ถ ๐ป ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure.
Theorem:
From UCEs to psPRPs โ Feistel
๐
๐
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5
๐ โ {0,1}2๐
๐5[๐]
๐ โ {0,1}2๐
๐
๐
๐
๐
From UCEs to psPRPs โ Feistel
impossible
[CPS08]
[HKT11] [DS16] [DSKT16]
#rounds for indifferentiability
???
๐
๐
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5
๐ โ {0,1}2๐
๐5[๐]
๐ โ {0,1}2๐
๐
๐
๐
๐
From UCEs to psPRPs โ Feistel
impossible
[CPS08]
[HKT11] [DS16] [DSKT16]
#rounds for indifferentiability
???
๐
๐
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5
๐ โ {0,1}2๐
๐5[๐]
๐ โ {0,1}2๐
๐
๐
๐
๐
psPRPs exist in the standard model if UCEs exist!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
Theorem: 5-round Feistel (๐5[๐]) โผcpi ๐ ๐.
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
This work!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
Corollary: ๐ฏ ๐๐ถ๐ธ ๐ฎ๐ ๐๐ -secure โน ๐5[๐ฏ] ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure.
Theorem: 5-round Feistel (๐5[๐]) โผcpi ๐ ๐.
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
This work!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
5-round proof is technically involved
5-round proof is technically involved
Our 5-round Sim:
โข Relies on chain completion techniques
โข Heavily exploits query ordering
โข Very different chain-completion strategy from previous works, no recursion needed
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5 Set
uniform Set
uniform
forceVal forceVal
detect detect
5-round proof is technically involved
Our 5-round Sim:
impossible
[LR88]
[HKT11] [DS16] [DSKT16]
#rounds of Feistel for psPRP-security
This work!!! Open: Do 4-rounds suffice?
โข Relies on chain completion techniques
โข Heavily exploits query ordering
โข Very different chain-completion strategy from previous works, no recursion needed
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5 Set
uniform Set
uniform
forceVal forceVal
detect detect
???
Heuristic Instantiations
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
From Block-ciphers e.g. AES
๐บ๐๐:
๐:
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
psPRP ๐ฎ๐ ๐๐ -secure
From Block-ciphers e.g. AES
Ideal-Cipher model
๐บ๐๐:
๐:
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
psPRP ๐ฎ๐ ๐๐ -secure
๐
๐ โ {0,1}๐
From Permutations e.g. the Keccak permutation
From Block-ciphers e.g. AES
๐ = (๐บ๐๐, ๐, ๐โ1)
Ideal-Cipher model
๐บ๐๐:
๐:
๐:
๐บ๐๐:
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
psPRP ๐ฎ๐ ๐๐ -secure
psPRP ๐ฎ๐ ๐ข๐ -secure ๐
๐ โ {0,1}๐
From Permutations e.g. the Keccak permutation
From Block-ciphers e.g. AES
๐ = (๐บ๐๐, ๐, ๐โ1)
Ideal-Cipher model
RP model
๐บ๐๐:
๐:
๐:
๐บ๐๐:
Fast Garbling from psPRPs
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
Fast Garbling from psPRPs Fast garbling from [BHKR13]
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
Fast Garbling from psPRPs Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Very fast โ no key-schedule
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
Fast Garbling from psPRPs Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Proof in RP model
โข Very fast โ no key-schedule
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
Fast Garbling from psPRPs
This work: Replace ๐ธ 0๐ , ๐ฅ by ๐๐ for a random seed
generated upon garbling.
Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Proof in RP model
โข Very fast โ no key-schedule
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
Fast Garbling from psPRPs
This work: Replace ๐ธ 0๐ , ๐ฅ by ๐๐ for a random seed
generated upon garbling.
Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Proof in RP model
โข Very fast โ no key-schedule
Theorem: Secure garbling when ๐๐ is ๐๐ ๐๐ ๐[๐ฎ๐ ๐ข๐].
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
Conclusion
psPRPs
Conclusion
First standard model assumptions on permutations
psPRPs
Constructions
Conclusion
First standard model assumptions on permutations
psPRPs
Constructions
Conclusion
First standard model assumptions on permutations
Applications psPRPs
Many open questionsโฆ
Many open questionsโฆ
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
psPRPs:
Many open questionsโฆ
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Many open questionsโฆ
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Many open questionsโฆ
โข Simpler assumptions on permutations?
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Many open questionsโฆ
โข Simpler assumptions on permutations?
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Is SHA-3 a CRHF under any non-trivial assumption?
Many open questionsโฆ
โข Simpler assumptions on permutations?
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Is SHA-3 a CRHF under any non-trivial assumption?
Thank you!