slide-1
SLIDE 1

XOR of PRPs in a Quantum World

Bart Mennink, Alan Szepieniec
Radboud University (The Netherlands), KU Leuven (Belgium)

PQCrypto 2017, June 26, 2017

1 / 17

slide-2
SLIDE 2

Introduction

[Figure: PRP and PRF, with the labels "Luby-Rackoff / Feistel" and "Now"]

2 / 17

slide-7
SLIDE 7

Counter Mode Based on Pseudorandom Permutation

[Figure: counter mode; the inputs n+1, n+2, …, n+ℓ each pass through $E_k$, and block i maps $m_i$ to $c_i$.]

  • Security bound:

$\mathrm{Adv}^{\mathrm{cpa}}_{\mathrm{CTR}[E]}(q, t) \le \mathrm{Adv}^{\mathrm{prp}}_{E}(q, t) + \binom{q}{2}/2^n$

  • CTR[E] is secure as long as:
      • $E_k$ is a secure PRP (typically $t \ll 2^{\kappa}$)
      • Number of encrypted blocks $q \ll 2^{n/2}$

3 / 17

slide-10
SLIDE 10

Counter Mode Based on Pseudorandom Function

[Figure: counter mode; the inputs n+1, n+2, …, n+ℓ each pass through $F_k$, and block i maps $m_i$ to $c_i$.]

  • Security bound:

$\mathrm{Adv}^{\mathrm{cpa}}_{\mathrm{CTR}[F]}(q) \le \mathrm{Adv}^{\mathrm{prf}}_{F}(q)$

  • CTR[F] is secure as long as $F_k$ is a secure PRF
  • Birthday bound security loss disappeared

4 / 17

slide-13
SLIDE 13

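XOR of PRPs

[Figure: x is fed to $E_{k_1}, E_{k_2}, \ldots, E_{k_{r-1}}, E_{k_r}$; the output is $\mathrm{XoP}^r(k, x)$.]

  • $\min\{2^{\kappa}, 2^{n}\}$ security [BI99, Luc00, Pat08]
  • Bound preserved for $r \ge 3$ [CLP14, MP15]

$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XoP}}(q, t) \le r \cdot \mathrm{Adv}^{\mathrm{prp}}_{E}(q, t) + q/2^n$

5 / 17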

slide-16
SLIDE 16

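Counter Mode Based on XoP

[Figure: counter mode based on XoP; the inputs labelled 0n+1, 1n+1, 0n+2, 1n+2, …, 0n+ℓ, 1n+ℓ each pass through $E_k$, and block i maps $m_i$ to $c_i$.]

  • Security bound:

$\mathrm{Adv}^{\mathrm{cpa}}_{\mathrm{CTR}[\mathrm{XoP}]}(q, t) \le \mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XoP}}(q, t) \le \mathrm{Adv}^{\mathrm{prp}}_{E}(2q, t) + q/2^n$

  • $\min\{2^{\kappa}, 2^{n}\}$ security

6 / 17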

slide-20
SLIDE 20

Quantum Security Analysis?

Simon/Shor

  • Poly-time period finding
  • Used to attack Even-Mansour, CBC-MAC, . . .
  • Quantum interaction with keyed primitive

Grover

  • "Halves the key size"
  • No quantum interaction needed

This work: no quantum interaction

7 / 17

slide-23
SLIDE 23

Our Contribution

Classical Versus Quantum Proofs

  • Formalization of types of distinguishers
  • Exposition of how classical proofs subsist quantumly
  • Applicable to myriad cryptographic schemes

Quantum Security Analysis of XoP

  • Application of subsistence: $\min\{2^{\kappa/2}, 2^{n}\}$ security

Key Recovery Attack on XoP

  • Attack in complexity $2^{\kappa r/(r+1)}$ (improves over Grover)
  • Relies on claw-finding algorithm

8 / 17

slide-26
SLIDE 26

General Security Framework

[Figure: distinguisher D interacts with either $S^{P_k}$ (scheme based on primitive) or R (random function).]

  • Distinguishing advantage $\mathrm{Adv}^{R}_{S^{P_k}}(q, t)$
  • Online complexity: q oracle queries
  • Offline complexity: t time
  • D knows P: can make ≈ t offline evaluations

9 / 17

slide-30
SLIDE 30

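Distinguishers

| set of D's | online | offline | |
|---|---|---|---|
| $D(q, t)$ | q classical | t classical | ← classical distinguishers |
| $D(q, \hat{t})$ | q classical | t quantum | ← includes Grover |
| $D(\hat{q}, \hat{t})$ | q quantum | t quantum | ← includes Simon/Shor |
| $D(q, \infty)$ | q classical | ∞ | ← used a lot in classical crypto |

[Figure: diagram of the sets $D(q, \infty)$, $D(q, \hat{t})$, $D(q, t)$, $D(\hat{q}, \hat{t})$]

$D(q, t) \subseteq D(q, \hat{t}) \subseteq D(q, \infty)$

10 / 17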

slide-34
SLIDE 34

Typical Classical Security Proof

[Figure: distinguisher D interacts with either $S^{I}$ (scheme based on ideal) or R (random function).]

  • Step 1: replace $P_k$ by ideal equivalent I
  • Step 2: first term is primitive security (e.g., PRP)
  • Step 3: second term P-invariant: give D infinite time

$\mathrm{Adv}^{R}_{S^{P_k}}(q, t) \le \mathrm{Adv}^{I}_{P_k}(q', t') + \mathrm{Adv}^{R}_{S^{I}}(q, t)$

$\qquad \le \mathrm{Adv}^{I}_{P_k}(q', t') + \mathrm{Adv}^{R}_{S^{I}}(q, \infty)$

11 / 17

slide-38
SLIDE 38

Conversion to Quantum

[Figure: distinguisher D interacts with either $S^{P_k}$ (scheme based on primitive) or R (random function).]

  • Identical story holds for quantum distinguishers

$\mathrm{Adv}^{R}_{S^{P_k}}(q, \hat{t}) \le \mathrm{Adv}^{I}_{P_k}(q', \hat{t}') + \mathrm{Adv}^{R}_{S^{I}}(q, \infty)$

First term → $t' \ll 2^{\kappa/2}$?
Second term → classical analysis carries over

  • Conversion applies to all standard model proofs (not covered: permutation-based modes)

12 / 17

slide-40
SLIDE 40

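Quantum Security Analysis of XoP

[Figure: x is fed to $E_{k_1}, E_{k_2}, \ldots, E_{k_{r-1}}, E_{k_r}$; the output is $\mathrm{XoP}^r(k, x)$.]

Theorem [Pat08, MP15]. For $r \ge 2$ and $q \le 2^n/67$ we have

$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XoP}^r}(q, t) \le r \cdot \mathrm{Adv}^{\mathrm{prp}}_{E}(q, t) + q/2^n$

Theorem. For $r \ge 2$ and $q \le 2^n/67$ we have

$\mathrm{Adv}^{\mathrm{prf}}_{\mathrm{XoP}^r}(q, \hat{t}) \le r \cdot \mathrm{Adv}^{\mathrm{prp}}_{E}(q, \hat{t}) + q/2^n$

13 / 17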

slide-42
SLIDE 42

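Key Recovery Attack on XoP

[Figure: x is fed to $E_{k_1}, E_{k_2}, \ldots, E_{k_{r-1}}, E_{k_r}$; the output is $\mathrm{XoP}^r(k, x)$.]

Theorem. For $r \ge 1$, $\tau \ge 1$, $t = O(\tau \cdot 2^{\kappa r/(r+1)})$ we have

$\mathrm{Adv}^{\mathrm{key}}_{\mathrm{XoP}^r}(\tau, \hat{t}) \ge 1 - \varepsilon(r, \tau, n)$

  • ε monotonically decreasing in threshold τ
  • Goal: construct an adversary

14 / 17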

slide-46
SLIDE 46

Quantum Claw-Finding

Claw-Finding

  • Given $f : X \to Z$ and $g : Y \to Z$
  • Find $(x, y)$ s.t. $f(x) = g(y)$
  • Tani (2009): algorithm with complexity $O\left((|X| \cdot |Y|)^{1/3}\right)$

Predicate-Finding

  • Given $f : X \to Z$ and $g : Y \to Z$
  • Given relation R
  • Find $(x_1 \ldots x_p, y_1 \ldots y_q)$ s.t. $(f(x_1) \ldots f(x_p), g(y_1) \ldots g(y_q)) \in R$
  • Tani (2009): algorithm with complexity $O\left((|X|^p \cdot |Y|^q)^{1/(p+q+1)}\right)$

[Figure: f maps X to Z and g maps Y to Z.]

15 / 17

slide-52
SLIDE 52

Key Recovery Adversary

[Figure: x is fed to $E_{k_1}, E_{k_2}, \ldots, E_{k_{r-1}}, E_{k_r}$; the output is $\mathrm{XoP}^r(k, x)$.]

1. Query $\mathrm{XoP}^r(k, 1) = z_1, \ldots, \mathrm{XoP}^r(k, \tau) = z_\tau$
2. Define $f(l) = E_l(1) \cdots E_l(\tau)$
   Define $g(m) = E_m(1) \oplus z_1 \cdots E_m(\tau) \oplus z_\tau$
3. Apply Tani's algorithm to find $l_1, \ldots, l_{r-1}, m$ s.t.
   $f(l_1) \oplus f(l_2) \oplus \ldots \oplus f(l_{r-1}) \oplus g(m) = 0$ (relation R)

Complexity

  • Online queries: 1 → τ
  • Offline complexity: $O(2^{\kappa r/(r+1)})$ → $O(\tau \cdot 2^{\kappa r/(r+1)})$
  • Success probability: quite low due to false positives → approaching 1 for increasing τ

16 / 17
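
The three steps above, scaled down to a classical toy for r = 2 (an added example, not code from the slides or the paper): a meet-in-the-middle table lookup stands in for Tani's quantum algorithm and reports how many key pairs survive as τ grows. Assumptions: the 8-bit Feistel cipher `E` with a SHA-256-derived round function, the 8-bit keys, the sample keys and all function names are constructed for the demo, and f(l) and g(m) are treated as tuples of τ blocks.

```python
import hashlib

KEYS = range(256)     # toy key space, kappa = 8 bits (assumption, illustration only)

def _round(key, rnd, half):
    # Constructed round function: 4 bits derived from SHA-256(key, round, half).
    return hashlib.sha256(bytes([key, rnd, half])).digest()[0] & 0xF

def E(key, x):
    """Toy 8-bit block cipher: 4-round Feistel network, a permutation for every key."""
    left, right = x >> 4, x & 0xF
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 4) | right

def xop2(k1, k2, x):
    """XoP with r = 2 independent keys: E_k1(x) xor E_k2(x)."""
    return E(k1, x) ^ E(k2, x)

def candidates(zs):
    """Steps 2-3 for r = 2: all (l, m) with f(l) = g(m), i.e. the claws."""
    tau = len(zs)
    table = {}
    for l in KEYS:                                   # f(l) = (E_l(1), ..., E_l(tau))
        f = tuple(E(l, i) for i in range(1, tau + 1))
        table.setdefault(f, []).append(l)
    found = []
    for m in KEYS:                                   # g(m) = (E_m(i) xor z_i) for i = 1..tau
        g = tuple(E(m, i) ^ z for i, z in enumerate(zs, start=1))
        found += [(l, m) for l in table.get(g, [])]
    return found

def survivors_per_tau(k1, k2, max_tau):
    """Step 1 with tau = 1..max_tau online queries; maps tau to the surviving key pairs."""
    out = {}
    for tau in range(1, max_tau + 1):
        zs = [xop2(k1, k2, i) for i in range(1, tau + 1)]
        out[tau] = set(candidates(zs))
    return out

if __name__ == "__main__":
    K1, K2 = 0x3A, 0xC5      # constructed secret keys
    for tau, cands in survivors_per_tau(K1, K2, 4).items():
        print(f"tau={tau}: {len(cands)} candidate key pairs, "
              f"true pair present: {(K1, K2) in cands}")
```

Because XoP is symmetric in its keys, the swapped pair (k2, k1) always survives alongside (k1, k2); every other survivor is a false positive of the kind the success-probability bullet refers to.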

slide-53
SLIDE 53

Conclusion

Proof subsistence

  • Simple and natural
  • Broadly applicable

Primitive isolation step

  • Tight if there is only one key
  • Loose if multiple keys are involved
  • Non-trivial to get around

Thank you for your attention!

17 / 17

slide-54
SLIDE 54

Supporting Slides

18 / 17

slide-57
SLIDE 57

Pseudorandom Permutation

[Figure: distinguisher D interacts with either $E_k$ (blockcipher) or p (random permutation).]

  • Two oracles: $E_k$ (for secret random key k) and p
  • Distinguisher D has query access to either $E_k$ or p
  • D tries to determine which oracle it communicates with

$\mathrm{Adv}^{\mathrm{prp}}_{E}(D) = \left| \mathbf{P}\left(D^{E_k} = 1\right) - \mathbf{P}\left(D^{p} = 1\right) \right|$

19 / 17

slide-58
SLIDE 58

Pseudorandom Function

[Figure: distinguisher D interacts with either $F_k$ (one-way function) or f (random function).]

  • Two oracles: $F_k$ (for secret random key k) and f
  • Distinguisher D has query access to either $F_k$ or f
  • D tries to determine which oracle it communicates with

$\mathrm{Adv}^{\mathrm{prf}}_{F}(D) = \left| \mathbf{P}\left(D^{F_k} = 1\right) - \mathbf{P}\left(D^{f} = 1\right) \right|$

20 / 17

slide-62
SLIDE 62

CENC by Iwata [Iwa06]

[Figure: CENC; the inputs labelled 0n+1, 1n+1, 0n+1, 1n+2, …, 0n+1, 1n+w, 0n+2, 1n+w+1, … each pass through $E_k$, and the blocks map $m_1$ to $c_1$, $m_2$ to $c_2$, …, $m_w$ to $c_w$, $m_{w+1}$ to $c_{w+1}$, …]

  • One subkey used for $w \ge 1$ encryptions
  • Almost as expensive as CTR[E]
  • 2006: $2^{2n/3}$ security, $2^{n}/w$ conjectured [Iwa06]
  • 2016: $2^{n}/w$ security [IMV16]

21 / 17