Public-seed Pseudorandom Permutations Pratik Soni Stefano Tessaro - - PowerPoint PPT Presentation

Public-seed Pseudorandom Permutations

Pratik Soni Stefano Tessaro

UC Santa Barbara UC Santa Barbara

EUROCRYPT 2017

Cryptographic schemes often built from generic building blocks

Cryptographic schemes often built from generic building blocks

Typically: Block ciphers, hash/compression functions!

𝐼 𝐿 ⊕ 𝑗𝑞𝑏𝑒 || 𝑁 𝐿 ⊕ 𝑝𝑞𝑏𝑒 𝐼

hash function (e.g., SHA-3)

𝐹𝐿 𝑁1 𝐽𝑊 𝑁2 𝐹𝐿 𝑁ℓ

block cipher (e.g., AES)

Cryptographic schemes often built from generic building blocks

Typically: Block ciphers, hash/compression functions!

Is there a universal and simple building block for efficient symmetric cryptography?

𝐼 𝐿 ⊕ 𝑗𝑞𝑏𝑒 || 𝑁 𝐿 ⊕ 𝑝𝑞𝑏𝑒 𝐼

hash function (e.g., SHA-3)

𝐹𝐿 𝑁1 𝐽𝑊 𝑁2 𝐹𝐿 𝑁ℓ

block cipher (e.g., AES)

Recent trend: Start from seedless permutation

Recent trend: Start from seedless permutation

Recent trend: Start from seedless permutation

Sponge paradigm

Recent trend: Start from seedless permutation

Sponge paradigm

Recent trend: Start from seedless permutation

…

Sponge paradigm

Here: 𝜌 is an efficiently computable and invertible

• ne-to-one function

Recent trend: Start from seedless permutation

…

Sponge paradigm

Permutations

“… it would be nice, now, if permutations can be called the Swiss Army Knife [of cryptography]” — Joan Daemen, Passwords^12

Hashing Garbling PRNGs Authenticated Encryption MACs KDFs

Typical instantiations

Typical instantiations

Ad-hoc construction e.g., in KECCAK, NORX, … Designed to withstand cryptanalysis

Typical instantiations

Fixed-key block ciphers Ad-hoc construction e.g., in KECCAK, NORX, … Designed to withstand cryptanalysis e.g., 𝜌 ∶ 𝑦 → AES(0128, 𝑦)

𝐵𝐹𝑇 0128

Typical instantiations

Fixed-key block ciphers Ad-hoc construction e.g., in KECCAK, NORX, … Designed to withstand cryptanalysis e.g., 𝜌 ∶ 𝑦 → AES(0128, 𝑦) Faster, no re-keying costs!

𝐵𝐹𝑇 0128

Faster Hash functions [RS08], fast garbling [BHKR13]

Permutations assumptions

Permutations are great in practice, but what about theory?

Permutations assumptions

Goal: Standard-model reduction: “If 𝜌 satisfies 𝑌 then 𝐷[𝜌] satisfies 𝑍.” Permutations are great in practice, but what about theory?

𝑇0

𝜌 𝜌 𝜌

Permutations assumptions

Goal: Standard-model reduction: “If 𝜌 satisfies 𝑌 then 𝐷[𝜌] satisfies 𝑍.”

e.g., 𝐷 = KECCAK;

𝑍 = Anything non-trivial 𝑌 = ? ? ? Permutations are great in practice, but what about theory?

𝑇0

𝜌 𝜌 𝜌

Permutations assumptions

Goal: Standard-model reduction: “If 𝜌 satisfies 𝑌 then 𝐷[𝜌] satisfies 𝑍.”

e.g., 𝐷 = KECCAK;

𝑍 = Anything non-trivial 𝑌 = ? ? ? Common approach: Use random permutation (RP) model 𝜌 is random + adversary given oracle access to 𝜌 and 𝜌−1 Permutations are great in practice, but what about theory? Observation: No standard-model proofs known for permutation- based constructions!

𝑇0

𝜌 𝜌 𝜌

But: random permutations do not exist [CGH98]

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: Hash functions ideal model random oracle

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: Hash functions ideal model standard model random oracle

CRHF, OWFs, UOWHFs, CI, UCEs…

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: Hash functions Permutations ideal model standard model random oracle RP

CRHF, OWFs, UOWHFs, CI, UCEs… ????

But: random permutations do not exist [CGH98]

RP model proofs only yield security for generic attacks Quite different state of affairs than for hash functions: Hash functions Permutations ideal model standard model random oracle RP

CRHF, OWFs, UOWHFs, CI, UCEs… ????

What cryptographic hardness can we expect from a permutation?

No one-wayness, no compression, no pseudorandomness …

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all?

This work, in a nutshell

First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all? Are psPRPs useful?

This work, in a nutshell

inspired by the UCE framework [BHK13] First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all? Are psPRPs useful?

This work, in a nutshell

inspired by the UCE framework [BHK13] First plausible and useful standard-model security assumption for permutations.

“Public-seed Pseudorandom Permutations” (psPRPs)

We address two main questions:

Can we get psPRPs at all? Are psPRPs useful?

Yes! Yes!

psPRPs have many applications

psPRPs have many applications

Deterministic & Hedged PKE Immunizing backdoored PRGs CCA-secure Enc. (CCA) … Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Efficient garbling from fixed-key block-ciphers Message-locked Encryption (MLE)

𝒒𝒕𝑸𝑺𝑸

psPRPs have many applications

Deterministic & Hedged PKE Immunizing backdoored PRGs CCA-secure Enc. (CCA) … Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Efficient garbling from fixed-key block-ciphers Message-locked Encryption (MLE)

𝒒𝒕𝑸𝑺𝑸 𝑽𝑫𝑭

psPRPs have many applications

Deterministic & Hedged PKE Immunizing backdoored PRGs CCA-secure Enc. (CCA) … Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Efficient garbling from fixed-key block-ciphers Message-locked Encryption (MLE)

𝒒𝒕𝑸𝑺𝑸 𝑽𝑫𝑭

Sponges

psPRPs have many applications

Deterministic & Hedged PKE Immunizing backdoored PRGs CCA-secure Enc. (CCA) … Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked Encryption (MLE)

𝒒𝒕𝑸𝑺𝑸 𝑽𝑫𝑭

Efficient garbling from fixed-key block-ciphers Sponges

psPRPs have many applications

Deterministic & Hedged PKE Immunizing backdoored PRGs CCA-secure Enc. (CCA) … Hardcore functions (HC) KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked Encryption (MLE)

𝒒𝒕𝑸𝑺𝑸 𝑽𝑫𝑭

Efficient garbling from fixed-key block-ciphers Sponges Feistel

Roadmap

1.Definitions 2.Constructions & Applications 3.Conclusions

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝜌 ∶ 0,1 𝑜 → 0,1 𝑜

We consider seeded permutations

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝐻𝑓𝑜 𝑦 𝜌𝑡 𝑦 𝜌 ∶ 0,1 𝑜 → 0,1 𝑜

𝜌𝑡

1𝜇 𝑡

Seed generation

𝑧 𝜌𝑡

−1 𝑧

𝜌𝑡

−1

Forward evaluation Backward evaluation

Efficient (poly-time) algorithms

(2) ∀𝑦 ∶ 𝜌𝑡

−1 𝜌𝑡 𝑦

= 𝑦 (1) 𝜌𝑡 ∶ 0,1 𝑜 → 0,1 𝑜

We consider seeded permutations

Traditional security notion if seed is secret: Pseudorandom Permutation

𝐸 𝑡 ← Gen(1𝜇) 𝜌s / 𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1

≈

Traditional security notion if seed is secret: Pseudorandom Permutation

0/1

𝐸 𝑡 ← Gen(1𝜇) 𝜌s / 𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1

≈

Traditional security notion if seed is secret: Pseudorandom Permutation

0/1

𝐸 𝑡 ← Gen(1𝜇) 𝜌s / 𝜌𝑡

−1 5

𝜍 ← Perms(𝑜) 𝜍/𝜍−1

≈

Stage 1:

• Oracle access
• Secret seed

Stage 2:

• Learns seed
• No oracle access

Traditional security notion if seed is secret: Pseudorandom Permutation

0/1

𝐸 𝑡 ← Gen(1𝜇) 𝜌s / 𝜌𝑡

−1 5

𝜍 ← Perms(𝑜) 𝜍/𝜍−1

≈

Stage 1:

• Oracle access
• Secret seed

Stage 2:

• Learns seed
• No oracle access

Traditional security notion if seed is secret: Pseudorandom Permutation Limited information flow

0/1

UCE security

𝐼 = (𝐻𝑓𝑜, ℎ)

Bellare Hoang Keelveedhi

𝑔 ← Funcs(𝑛, 𝑜) 𝑔 𝑡 ← Gen(1𝜇) ℎ𝑡

UCE security

𝑇 source

𝐼 = (𝐻𝑓𝑜, ℎ)

Bellare Hoang Keelveedhi

𝑔 ← Funcs(𝑛, 𝑜) 𝑔 𝑡 ← Gen(1𝜇) ℎ𝑡

UCE security

𝑇 source

𝐼 = (𝐻𝑓𝑜, ℎ)

Bellare Hoang Keelveedhi

𝑔 ← Funcs(𝑛, 𝑜) 𝑔 𝑡 ← Gen(1𝜇) ℎ𝑡

UCE security

𝑇 source 𝑀

𝐼 = (𝐻𝑓𝑜, ℎ)

distinguisher 𝐸

Bellare Hoang Keelveedhi

𝑔 ← Funcs(𝑛, 𝑜) 𝑔 𝑡 ← Gen(1𝜇) ℎ𝑡

UCE security

𝑇 source 𝑀

𝐼 = (𝐻𝑓𝑜, ℎ)

distinguisher 𝐸

Bellare Hoang Keelveedhi

𝒕 𝑡 ← Gen(1𝜇)

𝑔 ← Funcs(𝑛, 𝑜) 𝑔 𝑡 ← Gen(1𝜇) ℎ𝑡

UCE security

𝑇 source 𝑀

𝐼 = (𝐻𝑓𝑜, ℎ)

distinguisher 𝐸

Bellare Hoang Keelveedhi

0/1 𝒕

𝑔 ← Funcs(𝑛, 𝑜) 𝑔 𝑡 ← Gen(1𝜇) ℎ𝑡

UCE security

𝑇 source 𝑀

𝐼 = (𝐻𝑓𝑜, ℎ)

distinguisher 𝐸

Bellare Hoang Keelveedhi

0/1 𝒕

≈

𝑇 𝐸 𝑡 ← Gen(1𝜇)

psPRP security

𝝆𝒕/𝝆𝒕

−𝟐

𝝇 ← 𝐐𝐟𝐬𝐧𝐭(𝒐)

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝝇/𝝇−𝟐

𝑇 𝐸 Makes forward and backward queries! 𝑡 ← Gen(1𝜇)

psPRP security

𝝆𝒕/𝝆𝒕

−𝟐

𝝇 ← 𝐐𝐟𝐬𝐧𝐭(𝒐)

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝝇/𝝇−𝟐

𝑇 𝑀 𝐸 𝒕 Makes forward and backward queries! 𝑡 ← Gen(1𝜇)

psPRP security

𝝆𝒕/𝝆𝒕

−𝟐

𝝇 ← 𝐐𝐟𝐬𝐧𝐭(𝒐)

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝝇/𝝇−𝟐

𝑇 𝑀 𝐸 0/1 𝒕 Makes forward and backward queries! 𝑡 ← Gen(1𝜇)

psPRP security

𝝆𝒕/𝝆𝒕

−𝟐

𝝇 ← 𝐐𝐟𝐬𝐧𝐭(𝒐)

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝝇/𝝇−𝟐

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , left and right are indistinguishable.

𝑇 𝑀 𝐸 0/1 𝒕 Makes forward and backward queries! 𝑡 ← Gen(1𝜇)

psPRP security

𝝆𝒕/𝝆𝒕

−𝟐

𝝇 ← 𝐐𝐟𝐬𝐧𝐭(𝒐)

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝝇/𝝇−𝟐

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , left and right are indistinguishable.

𝑇 𝑀 𝐸 0/1 𝒕 Makes forward and backward queries! 𝑡 ← Gen(1𝜇)

psPRP security

𝝆𝒕/𝝆𝒕

−𝟐

𝝇 ← 𝐐𝐟𝐬𝐧𝐭(𝒐)

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

𝝇/𝝇−𝟐

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑧 𝑧

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇 𝑀 = 𝑧 𝐸 𝒕

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑧 𝑧

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇 𝑀 = 𝑧 𝐸 𝒕

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑧

Outputs 1 iff 𝑧 = 𝜌𝑡 0𝑜

𝑧

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇 𝑀 = 𝑧 𝐸 𝒕

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑧

Outputs 1 iff 𝑧 = 𝜌𝑡 0𝑜

1

with prob. 1

𝑧

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇 𝑀 = 𝑧 𝐸 𝒕

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑧

Outputs 1 iff 𝑧 = 𝜌𝑡 0𝑜

1 1

with prob. 1 with prob. 1/2𝑜

𝑧

(+, 0𝑜) (+, 0𝑜)

𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1 𝑇 𝑀 = 𝑧 𝐸 𝒕

𝑄 is 𝑞𝑡𝑄𝑆𝑄-secure if ∀ PPT 𝑇, 𝐸 , …

𝑧

Outputs 1 iff 𝑧 = 𝜌𝑡 0𝑜

1 1

with prob. 1 with prob. 1/2𝑜

𝑧

𝑞𝑡𝑄𝑆𝑄-security is impossible against all sources!

≈

Sources need to be restricted

all sources

𝑄 = (Gen, 𝜌, 𝜌−1)

Sources need to be restricted

all sources

𝒯

𝑄 = (Gen, 𝜌, 𝜌−1)

Sources need to be restricted

𝑄 is 𝑞𝑡𝑄𝑆𝑄[𝒯]-secure if ∀ 𝑇 ∈ 𝒯 and ∀ PPT 𝐸, left and right are indistinguishable.

all sources

𝒯

𝑄 = (Gen, 𝜌, 𝜌−1)

𝑇

𝑀

𝐸

0/1 𝒕 𝑡 ← Gen(1𝜇) 𝜌𝑡/𝜌𝑡

−1

𝜍 ← Perms(𝑜) 𝜍/𝜍−1

all sources

This talk – unpredictable and reset-secure sources

all sources

𝒯𝑡𝑣𝑞

unpredictable

This talk – unpredictable and reset-secure sources

all sources

𝒯𝑡𝑠𝑡 𝒯𝑡𝑣𝑞

unpredictable reset-secure

This talk – unpredictable and reset-secure sources

all sources

𝒯𝑡𝑠𝑡 𝒯𝑡𝑣𝑞

unpredictable reset-secure

This talk – unpredictable and reset-secure sources

Both restrictions model that 𝐸 cannot predict the queries made by the sources!

all sources

𝒯𝑡𝑠𝑡 𝒯𝑡𝑣𝑞

unpredictable reset-secure

This talk – unpredictable and reset-secure sources

Both restrictions model that 𝐸 cannot predict the queries made by the sources!

𝒯𝑡𝑣𝑞 ⊆ 𝒯𝑡𝑠𝑡

all sources

𝒯𝑡𝑠𝑡 𝒯𝑡𝑣𝑞

unpredictable reset-secure

This talk – unpredictable and reset-secure sources

Both restrictions model that 𝐸 cannot predict the queries made by the sources!

𝒯𝑡𝑣𝑞 ⊆ 𝒯𝑡𝑠𝑡

𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑠𝑡 is a stronger assumption than 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑣𝑞

⟹

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 𝐵

𝜍 ← Perms(𝑜)

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝐵

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −}

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝐵 𝑅 ← 𝑅 ∪ { 𝜏, 𝑦𝑗 , (𝜏 , 𝑧𝑗)}

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −}

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝑧𝑗 𝐵 𝑅 ← 𝑅 ∪ { 𝜏, 𝑦𝑗 , (𝜏 , 𝑧𝑗)}

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −}

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝑧𝑗 𝐵 𝑀 𝑅 ← 𝑅 ∪ { 𝜏, 𝑦𝑗 , (𝜏 , 𝑧𝑗)}

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −}

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝑧𝑗 𝐵 𝑀 𝑅′ 𝑅 ← 𝑅 ∪ { 𝜏, 𝑦𝑗 , (𝜏 , 𝑧𝑗)} Pr [ 𝑅′ ∩ 𝑅 ≠ 𝜚] = negl(𝜇)

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −} It should be hard for 𝐵 to predict any of 𝑇’s queries or its inverse

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝑧𝑗 𝐵 𝑀 𝑅′ 𝑅 ← 𝑅 ∪ { 𝜏, 𝑦𝑗 , (𝜏 , 𝑧𝑗)} Pr [ 𝑅′ ∩ 𝑅 ≠ 𝜚] = negl(𝜇)

⊆ 𝒯𝑡𝑣𝑞: 𝐵 is computationally unbounded 𝒯𝑑𝑣𝑞: 𝐵 is PPT

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −} It should be hard for 𝐵 to predict any of 𝑇’s queries or its inverse

Source restrictions – unpredictability

𝑇 𝜍/𝜍−1 (𝜏, 𝑦𝑗) 𝑧𝑗 𝐵 𝑀 𝑅′ 𝑅 ← 𝑅 ∪ { 𝜏, 𝑦𝑗 , (𝜏 , 𝑧𝑗)} Pr [ 𝑅′ ∩ 𝑅 ≠ 𝜚] = negl(𝜇)

⊆ 𝒯𝑡𝑣𝑞: 𝐵 is computationally unbounded 𝒯𝑑𝑣𝑞: 𝐵 is PPT 𝑞𝑡𝑄𝑆𝑄[𝒯𝑑𝑣𝑞] impossible if iO exists [BFM14]

𝜍 ← Perms(𝑜)

𝜏 ∈ {+, −} It should be hard for 𝐵 to predict any of 𝑇’s queries or its inverse

Source restrictions – reset-security

Source restrictions – reset-security

𝑇 𝜍/𝜍−1 𝑆

𝜍 ← Perms(𝑜)

Source restrictions – reset-security

𝑇 𝜍/𝜍−1 𝑆

𝜍 ← Perms(𝑜)

Source restrictions – reset-security

𝑇 𝜍/𝜍−1 𝑆

𝑀

𝜍/𝜍−1

𝜍 ← Perms(𝑜)

Source restrictions – reset-security

𝑇 𝜍/𝜍−1 𝑆

𝑀

𝜍/𝜍−1

0/1 𝜍 ← Perms(𝑜)

Source restrictions – reset-security

𝑇 𝜍/𝜍−1 𝑆

𝑀

𝜍/𝜍−1

0/1

𝑇 𝜍/𝜍−1 𝑆

𝑀 0/1

𝜍1/𝜍1

−1

𝜍 ← Perms(𝑜) 𝜍 ← Perms(𝑜) 𝜍1 ← Perms(𝑜)

≈

Source restrictions – reset-security

𝑇 𝜍/𝜍−1 𝑆

𝑀

𝜍/𝜍−1

0/1

𝑇 𝜍/𝜍−1 𝑆

𝑀 0/1

𝜍1/𝜍1

−1

𝜍 ← Perms(𝑜) 𝜍 ← Perms(𝑜) 𝜍1 ← Perms(𝑜)

≈

Source restrictions – reset-security

⊆ 𝒯𝑡𝑠𝑡: 𝑆 is computationally unbounded 𝒯𝑑𝑠𝑡: 𝑆 is PPT

𝑇 𝜍/𝜍−1 𝑆

𝑀

𝜍/𝜍−1

0/1

𝑇 𝜍/𝜍−1 𝑆

𝑀 0/1

𝜍1/𝜍1

−1

𝜍 ← Perms(𝑜) 𝜍 ← Perms(𝑜) 𝜍1 ← Perms(𝑜)

≈

Source restrictions – reset-security

⊆ 𝒯𝑡𝑠𝑡: 𝑆 is computationally unbounded 𝒯𝑑𝑠𝑡: 𝑆 is PPT

𝑇 𝜍/𝜍−1 𝑆

𝑀

𝜍/𝜍−1

0/1

𝑇 𝜍/𝜍−1 𝑆

𝑀 0/1

𝜍1/𝜍1

−1

𝜍 ← Perms(𝑜) 𝜍 ← Perms(𝑜) 𝜍1 ← Perms(𝑜)

𝒯𝑑𝑣𝑞 ⊆ 𝒯𝑑𝑠𝑡

𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡] 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑣𝑞]

Recap

𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡] 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑣𝑞]

Recap

Recap

Recap

Central assumption in UCE theory

Recap

Central assumption in UCE theory

Roadmap

1.Definitions 2.Constructions & Applications 3.Conclusions

Next

Can we get psPRPs at all? Are psPRPs useful?

Next

Can we get psPRPs at all? Are psPRPs useful?

Constructions from UCEs Heuristic Instantiations

Next

Can we get psPRPs at all? Are psPRPs useful?

Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications

Garbling from fixed-key block ciphers

Next

Can we get psPRPs at all? Are psPRPs useful?

Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications

Garbling from fixed-key block ciphers

Next

Can we get psPRPs at all? Are psPRPs useful?

Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications

Garbling from fixed-key block ciphers

Next

Can we get psPRPs at all? Are psPRPs useful?

Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications

Garbling from fixed-key block ciphers Common denominator: A new, restricted notion of indifferentiability!

Next

Can we get psPRPs at all? Are psPRPs useful?

Constructions from UCEs Heuristic Instantiations Constructions of UCEs Direct applications

Garbling from fixed-key block ciphers Common denominator: A new, restricted notion of indifferentiability! CP-sequential indifferentiability

𝐷 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

Indifferentiability[MRH04]

𝐵 𝐵 𝐷 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

Indifferentiability[MRH04]

𝐵 𝐵 𝐷

?

𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

Indifferentiability[MRH04]

𝐵 𝐵 𝐷 𝑇𝑗𝑛 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

Indifferentiability[MRH04]

𝐵 𝐵

≈

𝐷 0/1 𝑇𝑗𝑛 0/1 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

Indifferentiability[MRH04]

≈

𝐵1 𝐷 𝐵2 𝑡𝑢 0/1 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 0/1

CP-sequential indifferentiability

𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

≈

𝐵1 𝐷 𝐵2 𝑡𝑢 0/1 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 0/1

CP-sequential indifferentiability

𝐷 𝑆𝑄 ∼𝑑𝑞𝑗 𝑆𝑃 ⇔ ∃ PPT 𝑇𝑗𝑛 ∀ PPT (𝐵1, 𝐵2): left and right are indistinguishable. 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

≈

Remarks:

𝐵1 𝐷 𝐵2 𝑡𝑢 0/1 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 0/1

CP-sequential indifferentiability

𝐷 𝑆𝑄 ∼𝑑𝑞𝑗 𝑆𝑃 ⇔ ∃ PPT 𝑇𝑗𝑛 ∀ PPT (𝐵1, 𝐵2): left and right are indistinguishable. 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

≈

• 1. Full indifferentiability ⟹ CP-seq indiff.
• 2. Reverse ordering: seq. indifferentiability [MPS12]

Remarks:

𝐵1 𝐷 𝐵2 𝑡𝑢 0/1 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 0/1

CP-sequential indifferentiability

𝐷 𝑆𝑄 ∼𝑑𝑞𝑗 𝑆𝑃 ⇔ ∃ PPT 𝑇𝑗𝑛 ∀ PPT (𝐵1, 𝐵2): left and right are indistinguishable. 𝑆𝑄

𝜍/𝜍−1

𝑆𝑃

𝑔 𝜍 ← Perms(𝑜) 𝑔 ← Funcs(∗, 𝑜)

From psPRPs to UCEs

Theorem:

From psPRPs to UCEs

𝐷 𝑆𝑄 ∼cpi 𝑆𝑃

𝐷

Theorem:

𝑆𝑄

𝜍/𝜍−1

From psPRPs to UCEs

𝐷 𝑆𝑄 ∼cpi 𝑆𝑃 + 𝑄 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure

𝐷

Theorem:

𝑆𝑄

𝜍/𝜍−1

From psPRPs to UCEs

𝐷 𝑆𝑄 ∼cpi 𝑆𝑃 ⟹ + 𝑄 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure 𝐷[𝑄]

𝐷

Theorem:

𝑆𝑄

𝜍/𝜍−1 𝜌𝑡/𝜌𝑡

−1

From psPRPs to UCEs

𝐷 𝑆𝑄 ∼cpi 𝑆𝑃 ⟹ + 𝑄 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]-secure. 𝐷[𝑄]

𝐷

Theorem:

𝑆𝑄

𝜍/𝜍−1 𝜌𝑡/𝜌𝑡

−1

From psPRPs to UCEs

𝐷 𝑆𝑄 ∼cpi 𝑆𝑃 ⟹ + 𝑄 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]-secure. 𝐷[𝑄]

Similar result proved in [BHK14], but:

• Need full indifferentiability
• Only stated for UCE domain extension

𝐷

Theorem:

𝑆𝑄

𝜍/𝜍−1 𝜌𝑡/𝜌𝑡

−1

From psPRPs to UCEs

𝐷 𝑆𝑄 ∼cpi 𝑆𝑃 ⟹ + 𝑄 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]-secure. 𝐷[𝑄]

Similar result proved in [BHK14], but:

• Need full indifferentiability
• Only stated for UCE domain extension

𝐷

Theorem:

𝑆𝑄

𝜍/𝜍−1

Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!

𝜌𝑡/𝜌𝑡

−1

From psPRPs to UCEs – Sponges

𝑧 ∈ {0,1}𝑠 𝑁 ∈ {0,1}∗

𝑇0

𝑠 n − 𝑠 𝜍 𝑠 𝜍 𝜍 𝑁1 𝑁2 𝑁𝑚

From psPRPs to UCEs – Sponges

𝑧 ∈ {0,1}𝑠

Theorem [BDVP08]: Sponge[𝑆𝑄] ∼cpi 𝑆𝑃.

𝑁 ∈ {0,1}∗

𝑇0

𝑠 n − 𝑠 𝜍 𝑠 𝜍 𝜍 𝑁1 𝑁2 𝑁𝑚

From psPRPs to UCEs – Sponges

𝑧 ∈ {0,1}𝑠

Theorem [BDVP08]: Sponge[𝑆𝑄] ∼cpi 𝑆𝑃.

𝑁 ∈ {0,1}∗

𝑇0

𝑠 n − 𝑠 𝜍 𝑠 𝜍 𝜍 𝑁1 𝑁2 𝑁𝑚

𝜌𝑡 𝜌𝑡 𝜌𝑡

From psPRPs to UCEs – Sponges

𝑧 ∈ {0,1}𝑠

Corollary: 𝑄 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑠𝑡 -secure ⟹ Sponge[𝑄] 𝑉𝐷𝐹 𝒯𝑡𝑠𝑡 -secure. Theorem [BDVP08]: Sponge[𝑆𝑄] ∼cpi 𝑆𝑃.

𝑁 ∈ {0,1}∗

𝑇0

𝑠 n − 𝑠 𝜍 𝑠 𝜍 𝜍 𝑁1 𝑁2 𝑁𝑚

𝜌𝑡 𝜌𝑡 𝜌𝑡

From psPRPs to UCEs – Sponges

𝑧 ∈ {0,1}𝑠

Corollary: 𝑄 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑠𝑡 -secure ⟹ Sponge[𝑄] 𝑉𝐷𝐹 𝒯𝑡𝑠𝑡 -secure. Theorem [BDVP08]: Sponge[𝑆𝑄] ∼cpi 𝑆𝑃.

𝑁 ∈ {0,1}∗

𝑇0

𝑠 n − 𝑠 𝜍 𝑠 𝜍 𝜍 𝑁1 𝑁2 𝑁𝑚

𝜌𝑡 𝜌𝑡 𝜌𝑡

Validates the Sponge paradigm for UCE applications!

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝜍

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑦 ∈ {0,1}𝑜

𝜍

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑦 ∈ {0,1}𝑜

𝜍

𝑜 𝑜

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑦 ∈ {0,1}𝑜 truncates 𝑜-bits to 𝑠-bits

𝜍

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑆𝑄] ∼cpi 𝑆𝐺 when 𝑜 − 𝑠 ∈ 𝜕(log 𝜇).

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑆𝑄] ∼cpi 𝑆𝐺 when 𝑜 − 𝑠 ∈ 𝜕(log 𝜇).

Chop 𝑆𝑄 is not indifferentiable

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑆𝑄] ∼cpi 𝑆𝐺 when 𝑜 − 𝑠 ∈ 𝜕(log 𝜇).

Chop 𝑆𝑄 is not indifferentiable

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍 𝜌𝑡

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑆𝑄] ∼cpi 𝑆𝐺 when 𝑜 − 𝑠 ∈ 𝜕(log 𝜇). Corollary: 𝑄 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑠𝑡 -secure ⟹ Chop[𝑄] 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]- secure.

Chop 𝑆𝑄 is not indifferentiable

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍 𝜌𝑡

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑆𝑄] ∼cpi 𝑆𝐺 when 𝑜 − 𝑠 ∈ 𝜕(log 𝜇). Corollary: 𝑄 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑠𝑡 -secure ⟹ Chop[𝑄] 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]- secure.

Chop 𝑆𝑄 is not indifferentiable

𝑉𝐷𝐹 𝒯𝑡𝑣𝑞 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑣𝑞

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍 𝜌𝑡

𝑜 𝑜 𝑠

CP-sequentially indiff. constructions that are not fully indiff.?

From psPRPs to UCEs – Chop

Theorem: Chop[𝑆𝑄] ∼cpi 𝑆𝐺 when 𝑜 − 𝑠 ∈ 𝜕(log 𝜇). Corollary: 𝑄 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑠𝑡 -secure ⟹ Chop[𝑄] 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]- secure.

Chop 𝑆𝑄 is not indifferentiable

𝑉𝐷𝐹 𝒯𝑡𝑣𝑞 𝑞𝑡𝑄𝑆𝑄 𝒯𝑡𝑣𝑞

𝑦 ∈ {0,1}𝑜 𝑧 ∈ {0,1}𝑠 truncates 𝑜-bits to 𝑠-bits

𝜍 𝜌𝑡

𝑜 𝑜 𝑠

From Chop 𝑄 to VIL UCE: Domain extension techniques [BHK14] CP-sequentially indiff. constructions that are not fully indiff.?

psPRPs from UCEs

Theorem:

psPRPs from UCEs

≈

𝐵1 𝐷 𝐵2 𝑡𝑢 𝑐′ 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 𝑐′ 𝑆𝑃 𝑆𝑄

𝐷 𝑆𝑃 ∼cpi 𝑆𝑄 Theorem:

psPRPs from UCEs

≈

𝐵1 𝐷 𝐵2 𝑡𝑢 𝑐′ 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 𝑐′ 𝑆𝑃 𝑆𝑄

𝐷 𝑆𝑃 ∼cpi 𝑆𝑄

⟹ +

𝐼 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]-secure 𝐷 𝐼 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure. Theorem:

psPRPs from UCEs

≈

𝐵1 𝐷 𝐵2 𝑡𝑢 𝑐′ 𝐵1 𝐵2 𝑡𝑢 𝑇𝑗𝑛 𝑐′ 𝑆𝑃 𝑆𝑄

Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP. 𝐷 𝑆𝑃 ∼cpi 𝑆𝑄

⟹ +

𝐼 𝑉𝐷𝐹[𝒯𝑡𝑠𝑡]-secure 𝐷 𝐼 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]-secure. Theorem:

From UCEs to psPRPs – Feistel

𝑜 𝑜 𝑔

1

𝑔

2

𝑔

3

𝑔

4

𝑔

5

𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌6 𝑌0 𝑌5

𝑍 ∈ {0,1}2𝑜

𝜔5[𝒈]

𝑌 ∈ {0,1}2𝑜

𝑜 𝑜 𝑜 𝑜

From UCEs to psPRPs – Feistel

impossible [CPS08] [HKT11] [DS16] [DSKT16] #rounds for indifferentiability

???

𝑜 𝑜 𝑔

1

𝑔

2

𝑔

3

𝑔

4

𝑔

5

𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌6 𝑌0 𝑌5

𝑍 ∈ {0,1}2𝑜

𝜔5[𝒈]

𝑌 ∈ {0,1}2𝑜

𝑜 𝑜 𝑜 𝑜

From UCEs to psPRPs – Feistel

impossible [CPS08] [HKT11] [DS16] [DSKT16] #rounds for indifferentiability

???

𝑜 𝑜 𝑔

1

𝑔

2

𝑔

3

𝑔

4

𝑔

5

𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌6 𝑌0 𝑌5

𝑍 ∈ {0,1}2𝑜

𝜔5[𝒈]

𝑌 ∈ {0,1}2𝑜

𝑜 𝑜 𝑜 𝑜

psPRPs exist in the standard model if UCEs exist!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

[HKT11] [DS16] [DSKT16] #rounds for CP-sequential indifferentiability

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

Theorem: 5-round Feistel (𝜔5[𝒈]) ∼cpi 𝑆𝑄.

[HKT11] [DS16] [DSKT16] #rounds for CP-sequential indifferentiability This work!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

Corollary: 𝑰 𝑉𝐷𝐹 𝒯𝑡𝑠𝑡 -secure ⟹ 𝜔5[𝑰] 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑠𝑡]- secure. Theorem: 5-round Feistel (𝜔5[𝒈]) ∼cpi 𝑆𝑄.

[HKT11] [DS16] [DSKT16] #rounds for CP-sequential indifferentiability This work!!!

Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?

5-round proof is technically involved

5-round proof is technically involved

Our 5-round Sim:

• Relies on chain completion

techniques

• Heavily exploits query ordering
• Very different chain-completion

strategy from previous works, no recursion needed

𝑔

1

𝑔

2

𝑔

3

𝑔

4

𝑔

5

𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌6 𝑌0 𝑌5 Set uniform Set uniform forceVal forceVal detect detect

5-round proof is technically involved

Our 5-round Sim:

impossible [LR88] [HKT11] [DS16] [DSKT16] #rounds of Feistel for psPRP-security This work!!!

Open: Do 4-rounds suffice?

• Relies on chain completion

techniques

• Heavily exploits query ordering
• Very different chain-completion

strategy from previous works, no recursion needed

𝑔

1

𝑔

2

𝑔

3

𝑔

4

𝑔

5

𝑌1 𝑌2 𝑌3 𝑌4 𝑌5 𝑌6 𝑌0 𝑌5 Set uniform Set uniform forceVal forceVal detect detect

???

Heuristic Instantiations

Heuristic Instantiations

𝐹 𝑡 ← {0,1}𝑙

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

From Block-ciphers e.g. AES

𝐻𝑓𝑜: 𝜌:

Heuristic Instantiations

𝐹 𝑡 ← {0,1}𝑙

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

psPRP 𝒯𝑡𝑠𝑡 -secure From Block-ciphers e.g. AES Ideal-Cipher model

𝐻𝑓𝑜: 𝜌:

Heuristic Instantiations

𝐹 𝑡 ← {0,1}𝑙

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

psPRP 𝒯𝑡𝑠𝑡 -secure 𝜌 𝑡 ← {0,1}𝑙 From Permutations e.g. the Keccak permutation From Block-ciphers e.g. AES

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

Ideal-Cipher model

𝐻𝑓𝑜: 𝜌: 𝜌: 𝐻𝑓𝑜:

Heuristic Instantiations

𝐹 𝑡 ← {0,1}𝑙

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

psPRP 𝒯𝑡𝑠𝑡 -secure psPRP 𝒯𝑡𝑣𝑞 -secure 𝜌 𝑡 ← {0,1}𝑙 From Permutations e.g. the Keccak permutation From Block-ciphers e.g. AES

𝑄 = (𝐻𝑓𝑜, 𝜌, 𝜌−1)

Ideal-Cipher model RP model

𝐻𝑓𝑜: 𝜌: 𝜌: 𝐻𝑓𝑜:

Fast Garbling from psPRPs

Garbled And

𝐹 0𝑜, 𝐿10 ⊕ 𝐿10 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿01 ⊕ 𝐿01 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿11 ⊕ 𝐿11 ⊕ 𝑦𝑕

1

𝐹 0𝑜, 𝐿00 ⊕ 𝐿00 ⊕ 𝑦𝑕 𝑦𝑏

0, 𝑦𝑏 1

𝑦𝑕

0, 𝑦𝑕 1

And

𝑦𝑐

0, 𝑦𝑐 1

Fast Garbling from psPRPs

Fast garbling from [BHKR13]

Garbled And

𝐹 0𝑜, 𝐿10 ⊕ 𝐿10 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿01 ⊕ 𝐿01 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿11 ⊕ 𝐿11 ⊕ 𝑦𝑕

1

𝐹 0𝑜, 𝐿00 ⊕ 𝐿00 ⊕ 𝑦𝑕 𝑦𝑏

0, 𝑦𝑏 1

𝑦𝑕

0, 𝑦𝑕 1

And

𝑦𝑐

0, 𝑦𝑐 1

Fast Garbling from psPRPs

Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑦 → 𝐹(0𝑙, 𝑦)

• Very fast – no key-schedule

Garbled And

𝐹 0𝑜, 𝐿10 ⊕ 𝐿10 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿01 ⊕ 𝐿01 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿11 ⊕ 𝐿11 ⊕ 𝑦𝑕

1

𝐹 0𝑜, 𝐿00 ⊕ 𝐿00 ⊕ 𝑦𝑕 𝑦𝑏

0, 𝑦𝑏 1

𝑦𝑕

0, 𝑦𝑕 1

And

𝑦𝑐

0, 𝑦𝑐 1

Fast Garbling from psPRPs

Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑦 → 𝐹(0𝑙, 𝑦)

• Proof in RP model
• Very fast – no key-schedule

Garbled And

𝐹 0𝑜, 𝐿10 ⊕ 𝐿10 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿01 ⊕ 𝐿01 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿11 ⊕ 𝐿11 ⊕ 𝑦𝑕

1

𝐹 0𝑜, 𝐿00 ⊕ 𝐿00 ⊕ 𝑦𝑕 𝑦𝑏

0, 𝑦𝑏 1

𝑦𝑕

0, 𝑦𝑕 1

And

𝑦𝑐

0, 𝑦𝑐 1

Fast Garbling from psPRPs

This work: Replace 𝐹 0𝑙, 𝑦 by 𝜌𝑡 for a random seed generated upon garbling.

Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑦 → 𝐹(0𝑙, 𝑦)

• Proof in RP model
• Very fast – no key-schedule

Garbled And

𝐹 0𝑜, 𝐿10 ⊕ 𝐿10 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿01 ⊕ 𝐿01 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿11 ⊕ 𝐿11 ⊕ 𝑦𝑕

1

𝐹 0𝑜, 𝐿00 ⊕ 𝐿00 ⊕ 𝑦𝑕 𝑦𝑏

0, 𝑦𝑏 1

𝑦𝑕

0, 𝑦𝑕 1

And

𝑦𝑐

0, 𝑦𝑐 1

Fast Garbling from psPRPs

This work: Replace 𝐹 0𝑙, 𝑦 by 𝜌𝑡 for a random seed generated upon garbling.

Fast garbling from [BHKR13]

• Only calls fixed-key block cipher

𝑦 → 𝐹(0𝑙, 𝑦)

• Proof in RP model
• Very fast – no key-schedule

Theorem: Secure garbling when 𝜌𝒕 is 𝑞𝑡𝑄𝑆𝑄[𝒯𝑡𝑣𝑞].

Garbled And

𝐹 0𝑜, 𝐿10 ⊕ 𝐿10 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿01 ⊕ 𝐿01 ⊕ 𝑦𝑕 𝐹 0𝑜, 𝐿11 ⊕ 𝐿11 ⊕ 𝑦𝑕

1

𝐹 0𝑜, 𝐿00 ⊕ 𝐿00 ⊕ 𝑦𝑕 𝑦𝑏

0, 𝑦𝑏 1

𝑦𝑕

0, 𝑦𝑕 1

And

𝑦𝑐

0, 𝑦𝑐 1

Roadmap

1.Definitions 2.Constructions & Applications 3.Conclusions

Conclusion

psPRPs

Conclusion

First standard model assumptions on permutations

psPRPs

Constructions

Conclusion

First standard model assumptions on permutations

psPRPs

Constructions

Conclusion

First standard model assumptions on permutations Applications

psPRPs

Many open questions…

Many open questions…

• More applications: psPRP-based PRNGs,

authenticated encryption?

• More efficient constructions: Round

complexity of Feistel for psPRPs?

psPRPs:

Many open questions…

• More applications: psPRP-based PRNGs,

authenticated encryption?

• More efficient constructions: Round

complexity of Feistel for psPRPs?

psPRPs: Public-seed Pseudorandomness - general paradigm:

Many open questions…

• More applications: psPRP-based PRNGs,

authenticated encryption?

• More efficient constructions: Round

complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs: Public-seed Pseudorandomness - general paradigm:

Many open questions…

• Simpler assumptions on permutations?
• More applications: psPRP-based PRNGs,

authenticated encryption?

• More efficient constructions: Round

complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs: Public-seed Pseudorandomness - general paradigm: Beyond psPRPs:

Many open questions…

• Simpler assumptions on permutations?
• More applications: psPRP-based PRNGs,

authenticated encryption?

• More efficient constructions: Round

complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs: Public-seed Pseudorandomness - general paradigm: Beyond psPRPs:

Is SHA-3 a CRHF under any non-trivial assumption?

Many open questions…

• Simpler assumptions on permutations?
• More applications: psPRP-based PRNGs,

authenticated encryption?

• More efficient constructions: Round

complexity of Feistel for psPRPs?

• Applications of public-seed Ideal Ciphers?

psPRPs: Public-seed Pseudorandomness - general paradigm: Beyond psPRPs:

Is SHA-3 a CRHF under any non-trivial assumption?

Thank you!