Feistel Structures for MPC, and More


  1. Feistel Structures for MPC, and More
  Arnab Roy (1), joint work with Martin Albrecht (2), Lorenzo Grassi (3), Léo Perrin (4), Sebastian Ramacher (3), Christian Rechberger (3), Dragos Rotaru (1,5) and Markus Schofnegger (3)
  (1) University of Bristol, Bristol, UK; (2) Royal Holloway, University of London; (3) TU Graz, Austria; (4) Inria, Paris, France; (5) KU Leuven, Belgium

  2. Motivation and background

  3. Background
  • In recent years, significant progress in the areas of MPC, FHE and ZK
  • These protocols are moving from theory to practice
  • Many new applications are being developed, for example:
    1. Private set intersection, privacy-preserving search
    2. Statistical computation on sensitive data
    3. Verifiable computation
    4. Cloud computation

  4. Background
  • The role of symmetric-key primitives: hash function, PRF, PRP
  • The protocols impose specific requirements on these primitives
  • Examples of typical conditions:
    - Low number of multiplications (over integers / a large prime field): MPC, ZK
    - Low number of AND gates: MPC
    - Low multiplicative depth: FHE, MPC
  • The designs must still be secure

  5–8. Need for new design
  • Aren't there secure symmetric-key designs already (AES, SHA-2, SHA-3, BLAKE, ...)?
  • Yes, but they are not enough for these protocols
  • Examples:
    - SHA-2, optimized: ≈ 25000 AND gates (per compression function)
    - AES is not efficient for MPC: it uses many XORs, which become non-linear after embedding into F_p

  9. New design endeavours
  • A new type of symmetric-key design
  • New design challenges: minimize
    - AND depth and/or number of ANDs (per bit)
    - multiplicative complexity and/or multiplicative depth (per bit)
  • Can we design primitives that minimize one or more of these metrics?
  • Examples:
    - MiMC, Feistel-MiMC [ZKP, MPC friendly]
    - FLIP, Rasta [FHE friendly]
    - LowMC, Legendre PRF [MPC friendly]
    - GMiMC [ZKP, MPC friendly]
    - More recent designs
  • These designs present new cryptanalysis challenges

  10. ZKP friendly

  11. Hash function for zero-knowledge proof systems
  • Need a hash function that is friendly to (large) finite fields
  • Different from the designs optimized for x86 (binary rings): operations over Z_2 or F_2 make them very slow inside a ZK system
  • Cannot use BLAKE2b, SHA-2, SHA-3
  • First new designs: MiMC, Feistel-MiMC
  • Recent designs:
    - GMiMC (SNARK friendly)
    - Poseidon (SNARK friendly), Starkad (STARK friendly)
    - Vision (STARK friendly), Rescue (SNARK friendly)

  12. MiMCHash
  • We work over a field F
  • [Figure 1: MiMC, the map x -> (x + k + c_i)^3 iterated over the rounds; Figure 2: Feistel-MiMC, two branches, the cube map applied to one branch and added to the other]
  • Simple design idea:
    1. Add (round) key
    2. Add round constant
    3. Cube (x -> x^3)
    4. Repeat
  • Uses sponge mode
  • Problem: for 128-bit security the permutation has to be expanded to a state of > 512 bits, i.e. 2 elements of F

  13. Sponge
  • [Figure: sponge construction; message blocks m_1, ..., m_4 are added into the rate part r, outputs h_0, h_1, h_2 are read from it, c is the capacity part, and the permutation f is applied between blocks]
  • f is a bijection
  • c = 256 bits, i.e. one F element

  14. GMiMC: extension of MiMC
  • Uses a generalized unbalanced Feistel network with t branches
  • [Figure 3: contracting round function (CRF); Figure 4: expanding round function (ERF)]
  • Round function for CRF: F_i(x_2, ..., x_t, k_i) = (Σ_{j=2..t} x_j + rc_i + k_i)^3, the output is added to the remaining branch
  • Round function for ERF: F_i(x, k_i) = (x + rc_i + k_i)^3, the output is added to the other t - 1 branches
  • Key schedule: k_i = k, or k_i = (i + 1)·k
  • Number of branches t << log_2(|F|)

  15. GMiMCHash
  • Uses the sponge mode with capacity c = 256 bits
  • Number of branches t > 2
  • Security goal: 128-bit security
  • [Figure: the sponge of slide 13, with f instantiated by the GMiMC permutation]
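The constructions on slides 12 to 15 (MiMC, Feistel-MiMC, the GMiMC expanding and contracting round functions, the two key schedules and the sponge hash) as one runnable toy, added here as an illustration; it is not the designers' reference code. The prime P (64-bit), the round counts, the padding rule and the SHA-256-derived round constants are assumptions made for this example, not the parameters fixed in the papers, which use a ~256-bit field and many more rounds; P is chosen with P ≡ 2 (mod 3) so that cubing is a bijection, which is what makes plain MiMC a permutation.

```python
"""Toy MiMC, Feistel-MiMC and GMiMC (ERF / CRF) permutations over F_P, plus the
sponge hash built on them.  Added illustration for slides 12-15, not the
designers' reference code.  P, the round counts, the padding rule and the
round-constant derivation are assumptions chosen for this example."""
import hashlib

# Toy 64-bit prime (assumption).  P % 3 == 2, so gcd(3, P - 1) = 1 and x -> x^3 is a
# bijection on F_P; that is what makes plain MiMC a permutation.
P = 2**64 - 59

def cube(x: int) -> int:
    return pow(x % P, 3, P)

def round_constants(label: str, n: int) -> list:
    """Nothing-up-my-sleeve constants rc_i = SHA-256(label || i) mod P (constructed here)."""
    return [int.from_bytes(hashlib.sha256(f"{label}:{i}".encode()).digest(), "big") % P
            for i in range(n)]

def key_schedule(k: int, n: int, linear: bool = False) -> list:
    """The two schedules from slide 14: k_i = k, or k_i = (i + 1) * k."""
    return [((i + 1) * k) % P if linear else k % P for i in range(n)]

def mimc(x: int, k: int, rounds: int) -> int:
    """MiMC (Figure 1): repeat x <- (x + k + rc_i)^3, then add the key once more."""
    for c in round_constants("mimc", rounds):
        x = cube(x + k + c)
    return (x + k) % P

def feistel_mimc(l: int, r: int, k: int, rounds: int) -> tuple:
    """Feistel-MiMC (Figure 2): two branches, r <- r + (l + k + rc_i)^3, then swap."""
    for c in round_constants("feistel-mimc", rounds):
        l, r = (r + cube(l + k + c)) % P, l
    return l, r

def gmimc_erf(state: list, k: int, rounds: int, linear_ks: bool = False) -> list:
    """GMiMC expanding round (Figure 4): F_i(x_1) = (x_1 + rc_i + k_i)^3 is added to
    every other branch, then the branches rotate left by one."""
    s = [x % P for x in state]
    for c, ki in zip(round_constants("gmimc-erf", rounds), key_schedule(k, rounds, linear_ks)):
        f = cube(s[0] + c + ki)
        s = [(x + f) % P for x in s[1:]] + [s[0]]
    return s

def gmimc_erf_inverse(state: list, k: int, rounds: int, linear_ks: bool = False) -> list:
    """Undo gmimc_erf: the branch that went through F is untouched and now sits last,
    so f can be recomputed from it and subtracted (the permutation is a bijection)."""
    s = [x % P for x in state]
    for c, ki in reversed(list(zip(round_constants("gmimc-erf", rounds),
                                   key_schedule(k, rounds, linear_ks)))):
        f = cube(s[-1] + c + ki)
        s = [s[-1]] + [(x - f) % P for x in s[:-1]]
    return s

def gmimc_crf(state: list, k: int, rounds: int, linear_ks: bool = False) -> list:
    """GMiMC contracting round (Figure 3): F_i(x_2..x_t) = (sum x_j + rc_i + k_i)^3 is
    added to x_1, then the branches rotate left by one."""
    s = [x % P for x in state]
    for c, ki in zip(round_constants("gmimc-crf", rounds), key_schedule(k, rounds, linear_ks)):
        f = cube(sum(s[1:]) + c + ki)
        s = s[1:] + [(s[0] + f) % P]
    return s

def sponge_hash(msg: list, perm, t: int, out_len: int, capacity: int = 1) -> list:
    """Sponge over F_P with a t-element state: the last `capacity` elements are never
    touched by input or output (slide 13: c = one field element).  Padding appends a
    1 and then zeros up to a multiple of the rate (assumption; the slides leave it open)."""
    rate = t - capacity
    padded = msg + [1] + [0] * ((-len(msg) - 1) % rate)
    state = [0] * t
    for i in range(0, len(padded), rate):                  # absorb
        for j, m in enumerate(padded[i:i + rate]):
            state[j] = (state[j] + m) % P
        state = perm(state)
    out = []
    while True:                                            # squeeze
        out.extend(state[:rate])
        if len(out) >= out_len:
            return out[:out_len]
        state = perm(state)

def gmimc_hash(msg: list, t: int = 4, rounds: int = 32, out_len: int = 1) -> list:
    """GMiMCHash (slide 15): the sponge with the unkeyed (k = 0) ERF permutation."""
    return sponge_hash(msg, lambda s: gmimc_erf(s, 0, rounds), t, out_len)

if __name__ == "__main__":
    print("MiMC(5):", mimc(5, 7, 10))
    print("GMiMCHash([1,2,3,4,5]):", gmimc_hash([1, 2, 3, 4, 5]))
```

Both round functions contain exactly one cubing per round (the branch sums in the CRF are linear), which is the property the MPC slides later rely on: the non-linear cost of a round does not grow with t. gmimc_erf_inverse is included only to make the bijection claim of slide 13 checkable; a hash never needs it.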

  16. Cryptanalysis
  • Use of the APN function x -> x^3 protects against differential and other statistical attacks
  • Security relies mostly on algebraic cryptanalysis:
    - Interpolation, GCD, Gröbner basis
    - Interpolation analysis (with root finding) for the hash function
  • These mostly exploit the degree of the output polynomial
  • No weakness found in GMiMCHash beyond the birthday bound (to the best of our knowledge)
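A worked check of the "degree of the output polynomial" bullet, added here and not part of the slides: for plain MiMC this is the interpolation-attack round-count argument from the MiMC design, and the numbers can be checked against the Picnic table on slide 23 (GMiMC's round count additionally depends on t and is not derived here).

$$
\deg_x\bigl(\mathrm{MiMC}_r(x)\bigr) = 3^r ,
\qquad
\text{so interpolating the round-}r\text{ output needs } \approx 3^r \text{ evaluations.}
$$

$$
3^r \;\ge\; |F| = 2^n
\;\Longleftrightarrow\;
r \;\ge\; \frac{n}{\log_2 3} \;\approx\; \frac{n}{1.585}
$$

$$
n = 256:\ \lceil 161.5 \rceil = 162, \qquad
n = 272:\ \lceil 171.6 \rceil = 172,
$$

which are exactly the $R$ values of the two MiMC rows, $(256, 1, 162)$ and $(272, 1, 172)$, on slide 23.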

  17. Performance and application
  • In a SNARK: GMiMCHash is faster (≈ 1.2x) than MiMCHash / Feistel-MiMCHash
  • Main advantage is the expansion (more branches)
  • Application examples: Zcash (zk-SNARK), smart contracts, STARK applications, etc.
  • StarkWare hash challenge (https://starkware.co/hash-challenge/):
    - GMiMCHash, Feistel-MiMCHash
    - Poseidon and Starkad (SNARK and STARK friendly, resp.)
    - Vision and Rescue (STARK and SNARK friendly, resp.)

  18. MPC Friendly

  19. MPC-friendly encryption
  • Ciphers optimized for x86 are not suitable for MPC
  • Security aim: a secure block cipher
  • First new design: LowMC (over F_2)
  • Other: Legendre PRF (over integers)
  • The Legendre PRF is secure only up to the birthday bound
  • In SPDZ, MiMC turned out to be efficient in modes of operation (e.g. authenticated encryption) (!!)
  • What about GMiMC?

  20. GMiMC in MPC
  • Security goal: at least 128-bit key security
  • Efficiency in MPC: preprocessing + online computation
  • GMiMC_erf and GMiMC_crf have a very fast preprocessing phase
  • Reason: the fewest multiplications per (encryption) round, one cubing per round regardless of the number of branches t
  • Avoids linear scaling of the cost with the number of blocks (the only known case)
  • Example: GMiMC_erf is 5.5x faster than MiMC (with 16 blocks)
  • Gain in throughput

  21. Yet another application

  22. PQ signature
  • A new application
  • Picnic: uses ZKB++, a ZKP-based signature scheme
  • Minimize: number of multiplications × log_2(|F|)
  • Current best option: LowMC
  • Can we use GMiMC?

  23. GMiMC in Picnic
  • Pushing the MiMC design strategy to small fields
  • Security goal: 256-bit key security with 256-bit input
  • (n = field size in bits, t = number of branches, R = number of rounds)

  Scheme                    (n, t, R)        Sign         Verify       View size
  MiMC                      (256, 1, 162)    333.97 ms    166.28 ms    83456 bits
  MiMC                      (272, 1, 172)    92.45 ms     46.32 ms     94112 bits
  GMiMC_erf over F_{2^n}    (33, 8, 56)      3.34 ms      2.29 ms      1848 bits
  LowMC-(256, 10, 38)       -                3.74 ms      3.52 ms      1140 bits
  LowMC-(256, 1, 363)       -                9.55 ms      7.12 ms      1089 bits

  • GMiMC is comparable to LowMC

  24. Conclusion and open questions
  • Finite-field-friendly designs
  • Design space exploration
  • Open questions in design and analysis:
    - Cryptanalysis methods over F_p (largely unknown)
    - New design principles?
    - Bounds on multiplicative complexity
    - How far can we extend current cryptanalysis techniques?
    - Can we obtain generic (algebraic) complexity results for security?
  • Updates on MiMC, GMiMC and similar designs: https://byt3bit.github.io/primesym/ (new, still under construction)

  25. Thank you!
