
Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier - PowerPoint PPT Presentation



  1. Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier
  Alain Passelègue, École normale supérieure.
  Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL).

  2. Practice
  o RKAs introduced by Biham and Knudsen in the early 90's.
  o Since then, a huge number of papers mounting RKAs.
  o Security goal for AES and other modern block ciphers.
  o Recent RKAs on AES-192 and AES-256. [BK09, BDKKS10]

  3. Single-Key Attack vs. Related-Key Attack (RKA) on a cryptosystem F
  Single-key attack: the adversary queries x and receives F(k,x), always under the same key k.
  Related-key attack: the adversary queries x under keys k_1, ..., k_n and receives F(k_1,x), ..., F(k_n,x), where k_1, ..., k_n are derived from k in an adversary-specified way.

  4. Formalization
  [BK03] defines RKA security in terms of classes Φ of Related-Key Deriving (RKD) functions.
  The adversary queries x and receives F(k,x), F(k_1,x), ..., F(k_n,x), where k_i = φ_i(k) and φ_i ∈ Φ.

  5. Previous Works
  o Before 2010: RKA-PRFs for limited classes, strong assumptions, ideal models. [BK03, Lucks04, GL10]
  o [BC10]: RKA-PRFs for group-induced classes, standard assumptions, standard model.
  o Limitations of [BC10]:
    - Claw-free classes.
    - Exponential-time reduction for the additive case (exponential in the input size).
    - Minor bug in the framework.
  o Related works: [BLMR13] additive RKA-PRF from lattices and multilinear maps.

  6. Our Contributions
  We repair and extend the [BC10] framework. Construction of Φ-RKA-PRFs:
  o Larger classes (with claws): affine and polynomial classes.
  o Standard assumptions, standard model.
  o Polynomial-time reduction.
  This talk: polynomial-time reduction for the additive case.

  7. Outline
  Part 1: Security model.
  Part 2: The Bellare-Cash framework.
  Part 3: Additive case with polynomial-time reduction.

  8. Part 1: Security Model: Φ-RKA-PRF
  F: K × D → R a PRF, Φ a class of RKD functions (a set of functions φ: K → K).
  Initialize: pick at random k ∈ K and b ∈ {0,1}.
  RKA PRF Oracle: on a query (φ, x) ∈ Φ × D from the adversary A, if b = 1 return F(φ(k), x); if b = 0 return a random y ∈ R.
  Continue until A outputs b'.
  Finalize: A wins if b = b'.

  9. Part 2: How to construct RKA-PRFs from PRFs? The Bellare-Cash Framework

  10. Key-Malleability
  F is Φ-Key-Malleable if F(φ(k), x) is computable from F(k, ·), for any φ ∈ Φ and any x.
  Concretely, a key transformer KT_F takes (φ, x), queries the PRF oracle for F(k, ·) on inputs x_i of its choice (receiving F(k, x_i)), and outputs F(φ(k), x).

  11-13. Bad Thing About Key-Malleability
  Φ-Key-Malleable ⟹ not Φ-RKA-secure.
  The adversary A queries (φ, x) to the RKA PRF oracle and receives either F(φ(k), x) or a random value ($).
  Verification: A queries (id, x_i) to obtain F(k, x_i) (or $) for the inputs x_i needed by the key transformer, and computes KT_F(φ, x).
  If the two results match ⟹ the oracle is F. If they don't match ⟹ the oracle is $.

  14. Good Thing About Key-Malleability
  Φ-Key-Malleable PRF ⟹ Φ-RKA-secure against Unique-Input (UI) adversaries (adversaries that never query the same input x twice).
  How to force the adversary to be unique-input?

  15-17. Idea
  Instead of computing F(k, x), compute F(k, H(k, x)) with H a collision-resistant hash function. Why? If φ or x changes, so does k or x.
  Problem: not clear how to prove this works (we don't know k during the reduction).
  Solution [BC10]: Key-Fingerprint (w_1, ..., w_m) = a set of inputs such that the corresponding outputs uniquely define the key:
  $(F(k,w_1),\dots,F(k,w_m)) \neq (F(k',w_1),\dots,F(k',w_m))$ iff $k \neq k'$.
  Then compute $F\big(k,\ H\big((F(k,w_1),\dots,F(k,w_m)),\ x\big)\big)$.

  18-19. The Bellare-Cash Framework
  Φ-Key-Malleable PRF + Key-Fingerprint ⟹ Φ-RKA-PRF against UI adversaries; together with Φ claw-free ⟹ Φ-RKA-PRF.
  Limitations:
    - Claw-free classes only.
    - Proof based on the Key-Transformer.

  20. Reduction time?
  Naor-Reingold PRF [NR97]: $\mathrm{NR}(k,x) = g^{\prod_{i=1}^{n} k[i]^{x[i]}}$.
  For the additive class, with every key coordinate shifted by 1:
  $\mathrm{NR}(k+1, 11\cdots1) = g^{(k_1+1)(k_2+1)\cdots(k_n+1)} = g^{k_1 k_2 \cdots k_n} \cdot g^{k_2 k_3 \cdots k_n} \cdot g^{k_1 k_3 \cdots k_n} \cdots g^{k_1} \cdot g$,
  a product of $2^n$ terms, each equal to $\mathrm{NR}(k,x)$ for some $x \in \{0,1\}^n$.
  ⟹ Running time of the key transformer: $O(2^n)$.
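As an added illustration (not part of the slides or the authors' code), the following Python sketch implements the Naor-Reingold PRF over a constructed toy group and the additive-class key transformer of slides 10 and 20: it computes NR(k+δ, x) using only oracle access to NR(k, ·), and counts the 2^|x| oracle queries the subset expansion needs. The group parameters and the key are assumptions chosen for the example.

```python
from itertools import combinations

# Constructed toy group (not secure): p = 23 = 2q + 1 with q = 11,
# and g = 2 has prime order q in Z_23^*, so exponents live in Z_q.
P, Q, G = 23, 11, 2


def nr(k, x):
    """Naor-Reingold PRF: NR(k, x) = g^{prod_{i : x[i] = 1} k[i]} in <g>.
    k is a list of n exponents in Z_q, x a list of n bits."""
    exponent = 1
    for k_i, x_i in zip(k, x):
        if x_i:
            exponent = (exponent * k_i) % Q
    return pow(G, exponent, P)


def additive_key_transformer(oracle, delta, x):
    """Key transformer for the additive class: compute NR(k + delta, x)
    from oracle access to NR(k, .) only. Expanding prod_{i in S}(k[i] + delta[i])
    over the support S of x gives a sum over all subsets T of S, hence
        NR(k + delta, x) = prod_{T subset of S} NR(k, 1_T)^{prod_{i in S \\ T} delta[i]},
    where 1_T is the input with ones exactly at the positions in T.
    Returns the value and the number of oracle queries made (2^|S|)."""
    support = [i for i, x_i in enumerate(x) if x_i]
    value, queries = 1, 0
    for size in range(len(support) + 1):
        for subset in combinations(support, size):
            one_t = [1 if i in subset else 0 for i in range(len(x))]
            coeff = 1
            for i in support:
                if i not in subset:
                    coeff = (coeff * delta[i]) % Q
            value = (value * pow(oracle(one_t), coeff, P)) % P
            queries += 1
    return value, queries


def demo(n=4):
    """Reproduce the slide's example with delta = (1, ..., 1) and x = 11...1:
    the transformer agrees with a direct evaluation under the shifted key,
    but needs 2^n oracle queries to get there."""
    k = [3, 5, 7, 9][:n]          # constructed key in Z_11
    delta, x = [1] * n, [1] * n
    direct = nr([(k_i + d) % Q for k_i, d in zip(k, delta)], x)
    via_oracle, queries = additive_key_transformer(lambda inp: nr(k, inp), delta, x)
    return direct, via_oracle, queries
```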

  21-22. Part 3: Our Contributions
  Same framework: Φ-Key-Malleable PRF + Key-Fingerprint ⟹ Φ-RKA-PRF against UI adversaries ⟹ Φ-RKA-PRF.
  Limitations addressed:
    - Claw-free classes only. (Not detailed in this talk.)
    - Proof based on the Key-Transformer ⟹ replaced, giving a polynomial-time reduction for Φ⁺ (the additive class).

  23. A Direct Polynomial-Time Security Proof
  Naor-Reingold PRF: $\mathrm{NR}(k,x) = g^{\prod_{i=1}^{n} k[i]^{x[i]}}$.
  We can prove UI-RKA security for Φ⁺ using key-malleability, but this gives an exponential-time reduction.
  Our paper: we provide a better reduction by proving it directly.

  24-32. Naor-Reingold PRF: $\mathrm{NR}(k,x) = g^{\prod_{i=1}^{n} k[i]^{x[i]}}$, evaluated bit by bit.
  Start from g. Reading x[1], x[2], ..., x[n] in turn, multiply the exponent by k[i] when x[i] = 1 and leave it unchanged when x[i] = 0.
  Example, x = 101...10: g → g^{k[1]} → g^{k[1]} → g^{k[1]k[3]} → ... → g^{k[1]k[3]...k[n-1]} → g^{k[1]k[3]...k[n-1]} = NR(k, 101...10).

  33. Naor-Reingold PRF: $\mathrm{NR}(k,x) = g^{\prod_{i=1}^{n} k[i]^{x[i]}}$, seen as a binary tree.
  Level i branches on bit x[i] and uses key component k[i]; there are 2^i nodes at level i.
  Outputs = leaves (2^n values).

  34. UI-RKA security: show that the tree computed with k[1], k[2], k[3], ..., k[n-1], k[n] is indistinguishable from one whose outputs are random ($).

  35-41. Idea: use a hybrid proof.
  Starting from the real tree (levels keyed by k[1], k[2], k[3], ..., k[n-1], k[n]), replace the levels by random values ($) one at a time, from level 1 down to level n, until every level is random.

  42. Hybrid step i: levels above i are already random ($); level i uses k[i] in one hybrid and $ in the next; levels i+1, ..., n still use k[i+1], ..., k[n]. Are the two hybrids indistinguishable?

  43-45. Problem: keys might change at each query!
  First question: how to define the random values? A new random value for any new key?
  In the hybrid step at level i, a query may use k[i] while another uses k[i] + 1 at the same level.

  46. Attack with 3 queries: three queries that reach level i through the same path (value g^a), one continuing with the real k[i], one with the random replacement $, and one with the shifted key k[i] + 1.

  47-51. Values used at level i:
  1. $g^a$ → $g^a$
  2. $g^{a\,k[i]}$ → $g^c$
  3. $g^{a(k[i]+1)} = g^{a\,k[i]} \cdot g^a$ → $g^{c'} \neq g^c \cdot g^a$?
  With a fresh random value for every new key, the third value is $g^{c'}$ and the relation with the first two is broken ⟹ the hybrids are not indistinguishable.
  Setting the third value to $g^c \cdot g^a$ instead preserves the relation ⟹ indistinguishable.

  52. Each time we need to define a new random value at level i: replace the node by $g^{\$}$ and continue the tree below it with k[i+1], ...
