SLIDE 1 Indistinguishability Theory
Ueli Maurer
ETH Zurich
FOSAD 2009, Bertinoro, Sept. 2009.
SLIDES 2-3 Distinguishing two objects
[figure: two objects shown side by side]
left or right?
SLIDES 4-5 Distinguishing two types of numbers
Set A: 2048-bit integers with exactly 2 prime factors, each with at least 512 bits.
Set B: 2048-bit integers with exactly 3 prime factors, each with at least 512 bits.
Number shown on the slide:
374095762974511873398056743981753957783254673845967825364509871 365295584882333644985766091852825640501638759879538762635485678 243091425765253648526374099125231764748985576600963327393947586 123498750533495862054987746524351089758393218367443278968764534 3127364987564354675092736565475849823142537584950243685261
left or right?
SLIDES 6-7 Random vs. pseudo-random bit generator
RBG -> sequence; PRBG -> sequence
Sequence shown on the slide:
101100011101111001001110100010000011101100101110010111010001101 000011011010111101010001101011010100100101011110101000001101101 111000111011000101111010010101101001010110000101011010101101001 110011001001100010110100011100101010001011010100001111000101010
left or right?
SLIDES 8-10 Distinguisher's advantage
Setup: one of the two objects (left / right) is selected, each with probability 50%; the distinguisher D obtains a view of the selected object.
D's task: guess left/right.
$\Pr[\text{correct guess}] = \tfrac{1}{2} + \delta/2$, where $\delta = \Delta^D(\text{left}, \text{right})$ is D's advantage.
best D: $\Delta(\text{left}, \text{right}) = \max_D \Delta^D(\text{left}, \text{right})$
SLIDES 11-14 Distinguishing a RV V from a uniform RV U
[figure: bar chart of $P_V(v)$ over the values $v$; the uniform level $1/|\mathcal{V}|$ is drawn as a horizontal line, and the parts of the bars above that line are marked in red]
Statistical distance: $d(V,U) := \tfrac{1}{2} \sum_{v} \bigl| P_V(v) - \tfrac{1}{|\mathcal{V}|} \bigr| = \sum_{v:\, P_V(v) > 1/|\mathcal{V}|} \bigl( P_V(v) - \tfrac{1}{|\mathcal{V}|} \bigr)$ (sum of red quantities)
Distinguishing advantage: $\Delta(V,U) = d(V,U)$ (the best distinguisher outputs "V" exactly on the values marked red).
Possible interpretation: $P(V = U) = 1 - d(V,U)$ for a suitable joint distribution (coupling) of V and U.
SLIDES 15-23 Discrete systems
A discrete system S takes inputs $X_1, X_2, \ldots$ and produces outputs $Y_1, Y_2, \ldots$ (one output per input).
Description of S: pseudo-code, figures, text, ...
What kind of mathematical object is the behavior?
- Only input-output behavior is relevant!
- Characterized by: $p^S_{Y_i \mid X^i Y^{i-1}}(y_i, x^i, y^{i-1})$ for $i = 1, 2, \ldots$; abstraction called random system [Mau02].
- This description is minimal!
- Redundant (better) description: $p^S_{Y^i \mid X^i}(y^i, x^i)$ for $i = 1, 2, \ldots$, where $x^i = (x_1, \ldots, x_i)$ and $y^i = (y_1, \ldots, y_i)$.
Equivalence of systems: $S \equiv T$ if same behavior.
Realization of S from a RV Z (range $\mathcal{Z}$): for each value $z \in \mathcal{Z}$ a system $S_z$, with $Z$ chosen according to $P_Z$; the behavior of S is the weighted average $p^S_{Y^i \mid X^i} = \sum_{z \in \mathcal{Z}} P_Z(z)\, p^{S_z}_{Y^i \mid X^i}$. Systems realized from independent RVs give the notion of independence of systems.
SLIDES 24-26 Distinguishers
A distinguisher D interacts with S: D chooses $X_1$, receives $Y_1$, chooses $X_2$ (adaptively, depending on $Y_1$), receives $Y_2$, ..., and finally outputs a bit $W \in \{0, 1\}$.
Joint distribution of the transcript after $k$ queries:
$P^{DS}_{X^k Y^k} = \prod_{i=1}^{k} p^S_{Y_i \mid X^i Y^{i-1}} \cdot p^D_{X_i \mid X^{i-1} Y^{i-1}} = p^S_{Y^k \mid X^k} \cdot p^D_{X^k \mid Y^{k-1}}$
notation: $X^i := (X_1, \ldots, X_i)$.
SLIDES 27-29 Distinguishing advantage
2 equivalent views:
(1) D interacts either with S or with T and outputs $W \in \{0, 1\}$:
$\Delta^D(S,T) := \bigl| P^{DS}(W = 1) - P^{DT}(W = 1) \bigr|$
(2) a uniform bit $Z$ selects one of S and T; D interacts with the selected system $\langle S, T \rangle_Z$, outputs $W$, and wins if $W = Z$:
$\Delta^D(S,T) = 2 \cdot \bigl| P^{D \langle S, T \rangle_Z}(W = Z) - \tfrac{1}{2} \bigr|$
best (adaptive) D: $\Delta(S,T) := \max_D \Delta^D(S,T)$
best non-adapt. D: $\Delta^{NA}(S,T) := \max_{D \in NA} \Delta^D(S,T)$
SLIDES 30-35 Game-winning
A system S (inputs $X_1, X_2, \ldots$, outputs $Y_1, Y_2, \ldots$) is enhanced by a monotone binary output (MBO) $A_1, A_2, \ldots$: $A_i = 0$ as long as the game is not won, and $A_i = 1$ from the query $i$ on at which the game is won (once 1, it stays 1). The enhanced system is denoted $\hat{S}$; a distinguisher D interacts with it and tries to make the MBO turn 1.
D's prob. of winning with $k$ queries: $\nu^D(\hat{S}) := P^{D \hat{S}}(A_k = 1)$
Optimal (adaptive) D: $\nu(\hat{S}) := \max_D \nu^D(\hat{S})$
Optimal non-adapt. D: $\nu^{NA}(\hat{S}) := \max_{D \in NA} \nu^D(\hat{S})$
SLIDES 36-39 Playing 2 games in parallel
Two independent games $\hat{S}$ and $\hat{T}$ are played in parallel.
Can a combined strategy be better than optimal individual strategies? YES! Chess grand-masters' problem! (Playing two grand-masters at once and relaying the moves of one board to the other guarantees an outcome that no individual strategy achieves.)
Lemma [MPR07]: For winning both games, playing individual optimal strategies is optimal.
SLIDES 40-46 Game-winning vs. distinguishing
Def.: $\hat{S}$ and $\hat{T}$ are restricted equivalent, denoted $\hat{S} \,\hat{\equiv}\, \hat{T}$, if the I/O behavior is identical as long as MBO $= 0$.
Lemma [Mau02]: If $\hat{S} \,\hat{\equiv}\, \hat{T}$, then, for every D,
$\Delta^D(S,T) \le \nu^D(\hat{S}) \;(= \nu^D(\hat{T}))$.
In particular, $\Delta(S,T) \le \nu(\hat{S})$.
Note: This lemma talks about a system as a mathematical object and is independent of the description language used for systems!
Lemma [MPR07]: Any S and T can be enhanced by MBOs to systems $\hat{S}$ and $\hat{T}$ such that $\hat{S} \,\hat{\equiv}\, \hat{T}$ and, for every D,
$\nu^D(\hat{S}) = \Delta^D(S,T)$.
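An executable illustration of restricted equivalence and of the lemma $\Delta^D(S,T) \le \nu^D(\hat{S})$, added for this page (it is not code from the slides, [Mau02] or [MPR07]). It takes the classic pair S = uniform random function R, T = uniform random permutation P on a small set, with the non-adaptive distinguisher that makes $k$ distinct queries, and represents each MBO-enhanced system directly as the exact joint distribution of the $k$ outputs and the final MBO bit. The MBO on R is "two outputs collide"; the MBO on P comes from the lazy-sampling view "sample like R, resample among the unused values on a collision", so both systems agree on every transcript on which the game is not won. The parameters $n$, $k$ and this modelling are choices made for the example.

```python
"""Restricted equivalence and the lemma Delta^D(S,T) <= nu^D(S^) on a toy pair.

Added example for this page (not code from the slides, [Mau02] or [MPR07]).
S = uniform random function R on {0,...,n-1}, T = uniform random permutation P
of the same set, both queried non-adaptively on k distinct inputs (n and k are
parameters chosen below).  Each system is enhanced by an MBO (a collision
event) and described directly as the exact joint distribution of the k
outputs y^k and the final MBO value a_k.
"""
from fractions import Fraction
from itertools import product
from math import perm


def statistical_distance(p, q):
    """d(P, Q) = 1/2 * sum |P(v) - Q(v)| over the union of the supports."""
    values = set(p) | set(q)
    return sum(abs(p.get(v, 0) - q.get(v, 0)) for v in values) / 2


def random_function_hat(n, k):
    """R^: outputs of a uniform random function on k distinct queries.
    MBO a_k = 1 iff two of the k outputs coincide."""
    pr = Fraction(1, n ** k)
    return {(ys, int(len(set(ys)) < k)): pr for ys in product(range(n), repeat=k)}


def random_permutation_hat(n, k):
    """P^: a uniform random permutation, sampled lazily 'like R, but resample
    uniformly among the unused values on a collision'.  MBO a_k = 1 iff the
    internal (pre-resampling) uniform sample collided.  Hence
    Pr[y^k, a_k = 0] = n^-k on injective transcripts, exactly as for R^, and
    the rest of P's mass 1/(n)_k per injective transcript goes to a_k = 1."""
    per_transcript = Fraction(1, perm(n, k))
    fresh = Fraction(1, n ** k)
    out = {}
    for ys in product(range(n), repeat=k):
        if len(set(ys)) == k:                 # only injective transcripts occur
            out[(ys, 0)] = fresh
            out[(ys, 1)] = per_transcript - fresh
    return out


def marginal(p_hat):
    """Drop the MBO: the distribution a distinguisher without MBO access sees."""
    out = {}
    for (ys, _a), pr in p_hat.items():
        out[ys] = out.get(ys, 0) + pr
    return out


def winning_probability(p_hat):
    """nu(S^) = Pr[a_k = 1] for the strategy 'k distinct queries'."""
    return sum(pr for (_ys, a), pr in p_hat.items() if a == 1)


def restricted_equivalent(s_hat, t_hat):
    """S^ =^ T^: identical probability for every (transcript, MBO = 0) event."""
    s0 = {ys: pr for (ys, a), pr in s_hat.items() if a == 0}
    t0 = {ys: pr for (ys, a), pr in t_hat.items() if a == 0}
    return s0 == t0


def check_lemma(n, k):
    """Return (Delta(R,P), nu(R^), nu(P^), R^ =^ P^) for k distinct queries."""
    r_hat = random_function_hat(n, k)
    p_hat = random_permutation_hat(n, k)
    delta = statistical_distance(marginal(r_hat), marginal(p_hat))
    return (delta, winning_probability(r_hat), winning_probability(p_hat),
            restricted_equivalent(r_hat, p_hat))


if __name__ == "__main__":
    delta, nu_r, nu_p, equiv = check_lemma(4, 3)
    print(delta, nu_r, nu_p, equiv)   # 5/8 5/8 5/8 True: Delta = nu(R^) here
```

For this pair the lemma holds with equality: the distinguishing advantage of the $k$-query distinguisher is exactly the collision probability $1 - (n)_k / n^k$, which is why the usual "PRF/PRP switching" bound $k^2/2n$ is the right order of magnitude. The same functions can be pointed at any other pair of transcript distributions with MBOs to check both the restricted-equivalence condition and the inequality.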
SLIDES 47-49 Security amplification paradigm
Idea: Combine several mildly secure systems to obtain a highly secure system.
Example: XOR of mildly uniform independent keys yields a highly uniform key!
Example: Cascade of mildly secure ciphers yields a highly secure cipher!
SLIDE 50 Distinguishing a RV V from a uniform RV U
Statistical distance: $d(V,U) := \tfrac{1}{2} \sum_{v} \bigl| P_V(v) - \tfrac{1}{|\mathcal{V}|} \bigr|$ (sum of red quantities)
Possible interpretation: $P(V = U) = 1 - d(V,U)$ for a suitable joint distribution (coupling) of V and U.
SLIDES 51-56 Product theorem for random variables
Example (independent binary V, V', combined by XOR): $P_V = (0.3, 0.7)$, so $d(V,U) = 0.2$; $P_{V'} = (0.6, 0.4)$, so $d(V',U) = 0.1$; $P_{V \oplus V'} = (0.46, 0.54)$, so $d(V \oplus V', U) = 0.04 = 2 \cdot 0.2 \cdot 0.1$.
Theorem: $d(V \oplus V', U) \le 2\, d(V,U)\, d(V',U)$ for independent V, V'.
Theorem: $d(V * V', U) \le 2\, d(V,U)\, d(V',U)$ for independent V, V' and any quasi-group operation $*$.
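An executable check of the product theorem with exact rational arithmetic, added for this page (it is not code from the slides or from [MPR07]). It builds the distribution of $V * V'$ for independent V, V' over $\mathbb{Z}_m$ with $*$ = addition mod $m$ (XOR for $m = 2$), computes the statistical distances to uniform, and compares both sides of the bound; the slides' numbers give equality, and a constructed $\mathbb{Z}_4$ case shows a strict inequality. It also computes the coupling overlap $\max P(V = U) = 1 - d(V,U)$ behind the "possible interpretation" of slide 14. The non-binary distributions are constructed for the example.

```python
"""Product theorem for random variables, checked with exact arithmetic.

Added example for this page (not code from the slides or from [MPR07]).
Distributions are over Z_m = {0, ..., m-1} and are combined with the
quasi-group operation 'addition mod m' (XOR when m = 2).  The non-binary
example distributions below are constructed for illustration.
"""
from fractions import Fraction


def statistical_distance(p, q):
    """d(P, Q) = 1/2 * sum_v |P(v) - Q(v)|  (p, q: dict value -> probability)."""
    values = set(p) | set(q)
    return sum(abs(p.get(v, 0) - q.get(v, 0)) for v in values) / 2


def uniform(m):
    """The uniform distribution U on Z_m."""
    return {v: Fraction(1, m) for v in range(m)}


def combine(p, q, op):
    """Distribution of V * V' for independent V ~ p and V' ~ q."""
    out = {}
    for v, pv in p.items():
        for w, qw in q.items():
            r = op(v, w)
            out[r] = out.get(r, 0) + pv * qw
    return out


def coupling_overlap(p, q):
    """max Pr[V = U] over joint distributions of V ~ p, U ~ q; equals 1 - d(p, q)."""
    return sum(min(p.get(v, 0), q.get(v, 0)) for v in set(p) | set(q))


def product_theorem(p, q, m):
    """Return (d(V*V', U), 2 d(V,U) d(V',U), bound_holds) for * = addition mod m."""
    u = uniform(m)
    op = lambda a, b: (a + b) % m
    lhs = statistical_distance(combine(p, q, op), u)
    rhs = 2 * statistical_distance(p, u) * statistical_distance(q, u)
    return lhs, rhs, lhs <= rhs


def slide_example():
    """The slides' numbers: V = (0.3, 0.7), V' = (0.6, 0.4), XOR (m = 2)."""
    v = {0: Fraction(3, 10), 1: Fraction(7, 10)}
    v2 = {0: Fraction(6, 10), 1: Fraction(4, 10)}
    return product_theorem(v, v2, 2)


def z4_example():
    """Constructed non-binary case: skewed distributions over Z_4, addition mod 4."""
    p4 = {i: Fraction(4 - i, 10) for i in range(4)}   # (0.4, 0.3, 0.2, 0.1)
    q4 = {i: Fraction(i + 1, 10) for i in range(4)}   # (0.1, 0.2, 0.3, 0.4)
    return product_theorem(p4, q4, 4)


if __name__ == "__main__":
    print(slide_example())                    # (1/25, 1/25, True): equality, d = 0.04
    print(z4_example())                       # (1/20, 2/25, True): strict inequality
    print(coupling_overlap(uniform(4), uniform(2)))   # 1/2 = 1 - d(U_4, U_2)
```

For binary XOR the bound is tight (the example reproduces the slide's 0.04); for larger groups the combined distribution is typically much closer to uniform than the bound requires, which is what the $\mathbb{Z}_4$ case shows.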
SLIDES 57-62 Product theorems for systems [MPR07]
Let F and G be independent (possibly stateful) functions, combined as $F * G$ (both are queried on the same input and the outputs are combined with $*$).
Theorem: $\Delta(F * G, R) \le 2\, \Delta(F,R)\, \Delta(G,R)$ for any quasi-group operation $*$ (R = uniform random function).
Let F and G be independent (possibly stateful) permutations, combined as the cascade $F \triangleright G$ (F is applied first, then G).
Theorem: $\Delta(F \triangleright G, P) \le 2\, \Delta(F,P)\, \Delta(G,P)$ if G is stateless (P = uniform random permutation).
Special case: Vaudenay's decorrelation theorem.
What is the general principle?
SLIDES 63-70 Neutralizing constructions [MPR07]
A construction $C(\cdot, \cdot)$ with two slots. Slot 1 contains either the real system F or the ideal system I, selected by a uniform bit $Z$; slot 2 contains either G or J, selected by an independent uniform bit $Z'$. The individual distinguishing advantages are $\Delta(F,I)$ and $\Delta(G,J)$.
Def.: $C(\cdot, \cdot)$ is neutralizing if $C(I,G) \equiv C(F,J) \equiv C(I,J) \equiv Q$, i.e. as soon as one slot contains the ideal system the construction behaves as the ideal system Q.
Examples:
- $C(F,G) = F * G$, $I = J = Q = R$ (uniform random function);
- $C(F,G) = F \triangleright G$, $I = J = Q = P$ (uniform random permutation; this is neutralizing when G is stateless, matching the condition of the cascade theorem).
Theorem: $\Delta(C(F,G), Q) \le 2\, \Delta(F,I)\, \Delta(G,J)$.
SLIDES 71-76 Proof of the product theorem (1)
Theorem: $\Delta(C(F,G), Q) \le 2\, \Delta(F,I)\, \Delta(G,J)$.
Consider the system $C(I|F, J|G)$: slot 1 contains F if $Z = 1$ and I if $Z = 0$, slot 2 contains G if $Z' = 1$ and J if $Z' = 0$, with $Z, Z'$ independent uniform bits.
Since $C$ is neutralizing, the system behaves as Q in the three cases $(Z, Z') \in \{(0,0), (0,1), (1,0)\}$ and as $C(F,G)$ only if $Z = Z' = 1$.
Hence, for $Z \oplus Z' = 1$ the system is Q, and for $Z \oplus Z' = 0$ it is Q or $C(F,G)$ with probability $\tfrac{1}{2}$ each. A distinguisher for $C(F,G)$ vs. Q is therefore a guesser for $Z \oplus Z'$, and the mixing costs a factor 2:
$\Delta(C(F,G), Q) \le 2 \cdot$ (adv. in guessing $Z \oplus Z'$ in $C(I|F, J|G)$).
SLIDE 77 Game-winning vs. indistinguishability
(The definition of restricted equivalence $\hat{S} \,\hat{\equiv}\, \hat{T}$, the lemma [Mau02] $\Delta^D(S,T) \le \nu^D(\hat{S})$, and the lemma [MPR07] on enhancing any S, T by MBOs with $\nu^D(\hat{S}) = \Delta^D(S,T)$ are shown again, exactly as on SLIDES 40-46, for use in the second part of the proof.)
SLIDES 78-86 Proof of the product theorem (2)
Remaining task: bound the advantage in guessing $Z \oplus Z'$ from the view of $C(I|F, J|G)$.
- By the lemma [MPR07], F and I can be enhanced by MBOs such that $\hat{F} \,\hat{\equiv}\, \hat{I}$ and winning game 1 has probability $\nu^D(\hat{F}) = \Delta^D(F,I)$ for every D; likewise G and J for game 2, with $\Delta^D(G,J)$. Define these MBOs and give the guesser access to them (this can only increase its advantage).
- Game 1 not won $\Rightarrow$ the view is distributed identically for $Z = 0$ and $Z = 1$ $\Rightarrow$ advantage 0 in guessing $Z$.
- Game 2 not won $\Rightarrow$ advantage 0 in guessing $Z'$.
- Game 1 or game 2 not won $\Rightarrow$ advantage 0 in guessing $Z \oplus Z'$. Hence: advantage $\le$ probability that both games won.
- We give the guesser direct access to the 2 games (instead of through $C$; again this can only help). The two games are independent, so by the lemma on playing 2 games in parallel the probability of winning both is the product of the probabilities of winning games 1 and 2:
$\le \nu(\hat{F}) \cdot \nu(\hat{G}) = \Delta(F,I) \cdot \Delta(G,J)$. q.e.d.
SLIDES 87-90 Computational indisting. amplification
Theorem [M-Tessaro09]: The previous statements hold also for computational indistinguishability.
$\mathcal{D}$ = class of efficient distinguishers (e.g. poly-time); $\Delta^{\mathcal{D}}(S,T)$ = best advantage over $D \in \mathcal{D}$.
Example: cascade of $n$ ciphers with independent keys: $X \to$ Cipher 1 (key $Z_1$) $\to$ Cipher 2 (key $Z_2$) $\to \cdots \to$ Cipher $n$ (key $Z_n$) $\to Y$.
$\Delta^{\mathcal{D}}(C_i, P) \le \epsilon$ for all $i$ $\;\Rightarrow\;$ $\Delta^{\mathcal{D}}(C_1 \triangleright \cdots \triangleright C_n, P) \le 2^{n-1} \epsilon^n$
Problem: Amplification only if $\epsilon < 1/2$ (since $2^{n-1} \epsilon^n = \tfrac{1}{2} (2\epsilon)^n$).
SLIDE 91 Strong security amplification
Randomized cascade: $X \to$ key $Z_0$ $\to$ Cipher 1 (key $Z_1$) $\to \cdots \to$ Cipher $n$ (key $Z_n$) $\to$ key $Z_{n+1}$ $\to Y$, i.e. the cascade is preceded and followed by a key-mixing step (XOR with the independent keys $Z_0$ and $Z_{n+1}$).
Theorem [MT09]: $\Delta^{\mathcal{D}}(C_i, P) \le \epsilon$ for all $i$ $\;\Rightarrow\;$ $\Delta^{\mathcal{D}}(\text{randomized cascade of } C_1, \ldots, C_n, P) \le \epsilon^n$
SLIDE 92 Indistinguishability amplification: Type 2 (non-adaptive to adaptive)
Theorem: $\Delta(F * G, R) \le \Delta^{NA}(F,R) + \Delta^{NA}(G,R)$.
Theorem: $\Delta(F \triangleright G, P) \le \Delta^{NA}(F,P) + \Delta^{NA}(G,P)$.
(The combined system is adaptively indistinguishable as soon as each component is non-adaptively indistinguishable; here the advantages add rather than multiply.)