Range Extension for Weak PRFs Krzysztof Pietrzak (CWI Amsterdam) - PowerPoint PPT Presentation

  1. Range Extension for Weak PRFs
     Krzysztof Pietrzak (CWI Amsterdam), Johan Sjödin (ETH Zürich)

  2. (weak) pseudorandom functions
     $F = \{F_1, F_2, \ldots\}$, $F_n : K_n \times X_n \to Y_n$ is a pseudorandom function (PRF) if
     ◮ $F(k, x)$ can be efficiently computed.
     ◮ $F(k, \cdot)$ (with a random key $k \in K_n$) cannot be efficiently distinguished from a uniformly random function $R$.

  4. (weak) pseudorandom functions
     $F = \{F_1, F_2, \ldots\}$, $F_n : K_n \times X_n \to Y_n$ is a weak pseudorandom function (wPRF) if
     ◮ $F(k, x)$ can be efficiently computed.
     ◮ $F(k, \cdot)$ (with a random key $k \in K_n$) cannot be efficiently distinguished from a uniformly random function $R$ when queried on random inputs.
     wPRFs are weaker primitives than PRFs, so relying on the security of a block cipher like AES as a wPRF is more secure than assuming it to be a PRF.

  8. black-box range extension
     Let $C$ be a circuit with oracle gates, such that for any $F : K \times \{0,1\}^n \to \{0,1\}^n$ we have
     $C^F : K^t \times \{0,1\}^{n'} \to \{0,1\}^{n \cdot e}$
     ◮ $t$ is the key expansion factor of $C$.
     ◮ $e$ is the range expansion factor of $C$.
     Definition: $C$ is a secure range extension for PRFs if, for any PRF $F$, $C^F$ is also a PRF.

  9. black-box range extension
     Let $C$ be a circuit with oracle gates, such that for any $F : K \times \{0,1\}^n \to \{0,1\}^n$ we have
     $C^F : K^t \times \{0,1\}^{n'} \to \{0,1\}^{n \cdot e}$
     ◮ $t$ is the key expansion factor of $C$.
     ◮ $e$ is the range expansion factor of $C$.
     Definition: $C$ is a secure range extension for wPRFs if, for any wPRF $F$, $C^F$ is also a wPRF.

  11. applications
      For a wPRF $F$ and a secure expansion $C$, (Enc, Dec) as below is a secure encryption scheme.
      Enc$(k, M)$: sample $X$ at random and output $(C^F(k, X) \oplus M, X)$
      Dec$(k, (C, X))$: output $C^F(k, X) \oplus C$.
      Overhead just one block. Key length depends on the key expansion of $C^F$.

  14. example 1: parallel evaluation
      $C^F(\{k_1, \ldots, k_t\}, X) = F(k_1, X), \ldots, F(k_t, X)$
      [Figure: $X$ is input to $F_1, F_2, \ldots, F_t$ in parallel]
      + Secure range extension for PRF and wPRF.
      − Range expansion = Key expansion (very low).

  18. example 2: parallel evaluation with one key
      $C^F(k, X) = F(k, X \| [0]), \ldots, F(k, X \| [e-1])$
      $e = 2^z$, $X \in \{0,1\}^{n-z}$, $[i]$ is the binary representation of $i$ padded to length $z$.
      [Figure: $X$ is extended to $X \| [0], X \| [1], \ldots, X \| [e-1]$, each input to $F$]
      + Just one key.
      + Secure range extension for PRF.
      − Not a secure range extension for wPRF. E.g. for a wPRF where $F(k, X \| [0]) = F(k, X \| [1])$.
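The counterexample on slide 18, worked through as an added example (not from the slides). It assumes HMAC-SHA256 truncated to n = 128 bits as a stand-in for F and fixes z = 1, e = 2; `F_weak`, `one_key_extension` and `halves_equal` are illustrative names.

```python
import hashlib
import hmac
import os

N_BYTES = 16  # block length n = 128 bits (assumption of this sketch)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the underlying function F: HMAC-SHA256 truncated to n bits."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]

def F_weak(k: bytes, x: bytes) -> bytes:
    """Constructed function that ignores the last input bit, so that
    F_weak(k, X||[0]) == F_weak(k, X||[1]). Uniformly random queries differ
    only in that bit with negligible probability, so indistinguishability
    on random inputs is preserved; chosen-input queries break it at once."""
    masked = x[:-1] + bytes([x[-1] & 0xFE])
    return F(k, masked)

def one_key_extension(f, k: bytes, x_int: int) -> list:
    """Example 2 with z = 1, e = 2: returns [f(k, X||[0]), f(k, X||[1])].
    X is an (n-1)-bit integer; X||[i] is encoded as (X << 1) | i."""
    return [f(k, ((x_int << 1) | i).to_bytes(N_BYTES, "big")) for i in range(2)]

def halves_equal(blocks: list) -> bool:
    """A uniformly random 2n-bit string has equal halves with probability 2^-n,
    so this single comparison separates the extension from a random function."""
    return blocks[0] == blocks[1]

def random_x() -> int:
    """Uniform (n-1)-bit input X, as a wPRF adversary would be given."""
    return int.from_bytes(os.urandom(N_BYTES), "big") >> 1
```

Even on random X the extended output built from `F_weak` always repeats its first block, which is why the one-key construction is not a range extension for wPRFs.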

  22. a general class of range extensions
      [Figure: $C_{[1,12,2,321]}$ applied to input $X$, built from $F_1$, $F_2$, $F_3$]
      Definition: Let $s = \{s_1, \ldots, s_e\}$, each $s_i \in \{1, \ldots, t\}^*$. Define
      $C_s^F(k_1, \ldots, k_t, X) = Y_1, \ldots, Y_e$
      where $Y_i$ is computed by applying $F$ on input $X$ sequentially as defined by $s_i$, i.e. with $m = |s_i|$
      $Y_i = F(k_{s_i[m]}, F(k_{s_i[m-1]}, \ldots, F(k_{s_i[1]}, X) \ldots))$
      All known (efficient) secure range expansions for wPRFs are of this form (like in the previous talk).
      For which $s$ is $C_s$ a secure range expansion for wPRFs?
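The definition of $C_s^F$ above and the Enc/Dec scheme from the applications slide, as an added example (not code from the slides). It assumes HMAC-SHA256 truncated to n = 128 bits as a stand-in for F, n' = n, and key indices written as single digits; all function names are illustrative.

```python
import hashlib
import hmac
import os

N_BYTES = 16  # block length n = 128 bits (assumption of this sketch)

def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for F: HMAC-SHA256 truncated to n bits (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]

def range_extend(s, keys, x: bytes) -> bytes:
    """C_s^F(k_1..k_t, X) = Y_1..Y_e. Each s_i is a string of key indices
    (single digits here, so t <= 9); s_i[1] is applied first, s_i[m] last."""
    blocks = []
    for path in s:
        y = x
        for letter in path:
            y = F(keys[int(letter) - 1], y)
        blocks.append(y)
    return b"".join(blocks)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc(s, keys, m: bytes):
    """Enc(k, M): sample X at random, output (C^F(k, X) xor M, X)."""
    if len(m) != len(s) * N_BYTES:
        raise ValueError("M must be exactly n*e bits long")
    x = os.urandom(N_BYTES)
    return xor(range_extend(s, keys, x), m), x

def dec(s, keys, ciphertext) -> bytes:
    """Dec(k, (C, X)): output C^F(k, X) xor C."""
    c, x = ciphertext
    return xor(range_extend(s, keys, x), c)

S_SLIDE = ["1", "12", "2", "321"]  # C[1,12,2,321] from the slide: t = 3, e = 4
S_PARALLEL = ["1", "2", "3"]       # example 1 (parallel evaluation) in this notation
```

The ciphertext is the masked message plus the n-bit value X, which is the one-block overhead the applications slide mentions.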

  26. The Good, the Bad and the Ugly [1]
      Which of $C_{[12,2]}$, $C_{[11,22]}$, $C_{[12,21]}$ is a secure range extension for wPRFs?
      [Figure: the three constructions $C_{[12,2]}$, $C_{[11,22]}$, $C_{[12,21]}$ built from $F_1$ and $F_2$]
      ◮ $C_{[12,2]}$ is secure via a black-box reduction.
      ◮ $C_{[11,22]}$ is not secure via a black-box reduction.
      ◮ $C_{[12,21]}$ cannot be proven secure nor insecure via a black-box reduction.

  30. The Good, the Bad and the Ugly [2]
      ◮ $C_\alpha$, $\alpha \subset \mathbb{N}^*$ is good if the security of $C_\alpha$ (as range expansion for wPRFs) can be proven via a black-box reduction.
      ◮ $C_\alpha$ is bad if there is a black-box construction $G$, such that for any $F$
        ◮ If $F$ is a wPRF, so is $G^F$.
        ◮ $C_\alpha^{G^F}$ is not a wPRF.
      ◮ $C_\alpha$ is ugly if it’s not good and not bad.
      We completely classify $C_\alpha$ (as good, bad or ugly) by simple properties of $\alpha$.

  31. Theorem (Complete Classification)
      $C_\alpha$, $\alpha = \{s_1, \ldots, s_t\}$ is
      ◮ bad if $\alpha$ contains a string with two consecutive identical letters or two identical strings.
      ◮ good if it’s not bad and whenever a letter $c$ appears before a letter $d$ in some $s \in \alpha$, then $d$ does not appear before $c$ in any string $s' \in \alpha$.
      ◮ ugly if it’s not good nor bad.
      [Figure: the three constructions $C_{[12,2]}$, $C_{[11,22]}$, $C_{[12,21]}$ built from $F_1$ and $F_2$]
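The classification theorem turned into a checker, as an added example (not from the slides). Strings are written with single-character letters, and `classify` and `ordered_pairs` are illustrative names.

```python
from itertools import combinations

def ordered_pairs(s: str) -> set:
    """All pairs (c, d) such that letter c appears before letter d in s."""
    return {(s[i], s[j]) for i, j in combinations(range(len(s)), 2)}

def classify(alpha) -> str:
    """Apply the theorem's three cases to alpha = [s_1, ..., s_t]."""
    # bad: two identical strings
    if len(set(alpha)) != len(alpha):
        return "bad"
    # bad: some string has two consecutive identical letters
    if any(a == b for s in alpha for a, b in zip(s, s[1:])):
        return "bad"
    # good: the "appears before" relation collected over all strings never
    # holds in both directions; s' may be the same string as s
    before = set().union(*(ordered_pairs(s) for s in alpha))
    if any((d, c) in before for (c, d) in before):
        return "ugly"
    return "good"

# The three constructions from the slides, plus the C[1,12,2,321] figure
# and parallel evaluation written as single-letter strings.
EXAMPLES = {
    "C[12,2]": ["12", "2"],
    "C[11,22]": ["11", "22"],
    "C[12,21]": ["12", "21"],
    "C[1,12,2,321]": ["1", "12", "2", "321"],
    "parallel": ["1", "2", "3"],
}

def classify_examples() -> dict:
    return {name: classify(alpha) for name, alpha in EXAMPLES.items()}
```

By this check the $C_{[1,12,2,321]}$ used to illustrate the general class is ugly, because 1 precedes 2 in "12" while 2 precedes 1 in "321".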
