Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier - PowerPoint PPT Presentation



slide-1
SLIDE 1

Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier

Alain Passelègue, Ecole normale supérieure. Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL).

slide-2
SLIDE 2
Practice

  • RKAs introduced by Biham and Knudsen in the early 90s.
  • Since then, a huge number of papers mounting RKAs.
  • Security goal for AES and other modern blockciphers.
  • Recent RKAs on AES-192 and AES-256. [BK09,BDKKS10]

slide-3
SLIDE 3

Single-Key Attack on a cryptosystem F: the adversary obtains F(k,x) on input x, under the single key k.

Related-Key Attack (RKA) on a cryptosystem F: the adversary obtains F(k1,x), …, F(kn,x), where the keys k1, …, kn are derived from k in an adversary-specified way.

slide-4
SLIDE 4

Formalization

The adversary obtains F(k,x) and F(k1,x), …, F(kn,x) with ki = φi(k), where φi ∈ Φ.

[BK03] defines RKA security in terms of classes Φ of Related-Key Deriving (RKD) functions.

slide-5
SLIDE 5
Previous Works

  • Before 2010: RKA-PRFs for limited classes, strong assumptions, ideal models. [BK03,Lucks04,GL10]
  • [BC10]: RKA-PRFs for group-induced classes, standard assumptions, standard model.
  • Limitations of [BC10]:
      • Claw-free classes.
      • Exponential-time reduction for the additive case (exponential in the input size).
      • Minor bug in the framework.
  • Related works: [BLMR13] Additive PRF from lattices and multilinear maps.

slide-6
SLIDE 6

Our Contributions

We repair and extend the [BC10] framework. Construction of Φ-RKA-PRFs:

  • Larger classes (with claws): affine and polynomial classes.
  • Standard assumptions, standard model.
  • Polynomial-time reduction.

This talk: polynomial-time reduction for the additive case.

slide-7
SLIDE 7

Outline

Part 1: Security model. Part 2: The Bellare-Cash framework. Part 3: Additive case with polynomial-time reduction.

slide-8
SLIDE 8

Part 1: Security Model: Φ-RKA-PRF

F: K × D → R a PRF, Φ a class of RKD functions (set of functions φ: K → K).

Initialize: pick at random k ∈ K, b ∈ {0,1}.

RKA PRF Oracle: on each query (φ,x) ∈ Φ × D from the adversary A, return y ∈ R with y = F(φ(k),x) if b = 1, and y = $ (a fresh uniformly random value) if b = 0. Repeat until A outputs b'.

Finalize: A wins if b = b'.

slide-9
SLIDE 9

Part 2: How to construct RKA-PRFs from PRFs? The Bellare-Cash Framework

slide-10
SLIDE 10

Key-Malleability

Key Transformer KT_F: on input (φ,x), it queries the PRF oracle F(k,·) on inputs x_i, receives F(k,x_i), and outputs F(φ(k),x).

F is Φ-Key-Malleable: F(φ(k),x) is computable from F(k,·), for any φ, x.

slide-11
SLIDE 11

Bad Thing About Key-Malleability

Φ-Key-Malleable ⟹ Not Φ-RKA-secure.

The adversary A queries the RKA PRF Oracle on (φ,x) and receives F(φ(k),x) or $.

slide-12
SLIDE 12

Bad Thing About Key-Malleability

Φ-Key-Malleable ⟹ Not Φ-RKA-secure.

The adversary A queries the RKA PRF Oracle on (φ,x) and receives F(φ(k),x) or $. It also queries (id,x_i) and receives F(k,x_i) or $, then runs KT_F(φ,x) on these answers for verification.

slide-13
SLIDE 13

Bad Thing About Key-Malleability

Φ-Key-Malleable ⟹ Not Φ-RKA-secure.

The adversary A queries the RKA PRF Oracle on (φ,x) and receives F(φ(k),x) or $. It also queries (id,x_i) and receives F(k,x_i) or $, then runs KT_F(φ,x) on these answers for verification.

If the answers match ⟹ oracle = F. If they don't match ⟹ oracle = $.

slide-14
SLIDE 14

Good Thing About Key-Malleability

Φ-Key-Malleable PRF ⟹ Φ-RKA-secure against Unique-Input adversaries (adversaries that never query the same input x twice).

How to force the adversary to be unique-input?

slide-15
SLIDE 15

Idea: instead of computing F(k,x), compute F(k,H(k,x)) with H a collision-resistant hash function. Why? If φ or x changes, so does the key φ(k) or x.

slide-16
SLIDE 16

Idea: instead of computing F(k,x), compute F(k,H(k,x)) with H a collision-resistant hash function. Why? If φ or x changes, so does the key φ(k) or x. Problem: not clear how to prove this works (k is not known during the reduction).

slide-17
SLIDE 17

Idea: instead of computing F(k,x), compute F(k,H(k,x)) with H a collision-resistant hash function. Why? If φ or x changes, so does the key φ(k) or x. Problem: not clear how to prove this works (k is not known during the reduction). Solution [BC10]: Key-Fingerprint (w1,…,wm) = set of inputs such that the corresponding outputs uniquely define the key: (F(k,w1),…,F(k,wm)) ≠ (F(k',w1),…,F(k',wm)) iff k ≠ k'. ⟹ Compute F(k, H((F(k,w1),…,F(k,wm)), x)).

slide-18
SLIDE 18

The Bellare-Cash Framework

PRF + Φ-Key-Malleable + Φ Claw-Free ⟹ Φ-RKA-PRF against UI Adversaries; + Key-Fingerprint ⟹ Φ-RKA-PRF.

slide-19
SLIDE 19

The Bellare-Cash Framework

PRF + Φ-Key-Malleable + Φ Claw-Free ⟹ Φ-RKA-PRF against UI Adversaries; + Key-Fingerprint ⟹ Φ-RKA-PRF.

Limitations:

  • Claw-free classes only.
  • Proof based on Key-Transformer.
slide-20
SLIDE 20

Reduction time?

Naor-Reingold PRF [NR97]: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}, for x ∈ {0,1}^n.

NR(k+1, 11…1) = g^{(k1+1)·(k2+1)·…·(kn+1)} = g^{k1k2…kn} · g^{k2k3…kn} · g^{k1k3…kn} · … · g^{k1} · g, a product of 2^n terms, each of the form NR(k,x) for some x.

Running time of the key transformer: O(2^n).
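As an added illustration (not code from the talk or the paper), the block below evaluates a toy Naor-Reingold PRF over a small prime-order subgroup and reproduces the key-transformer computation above: NR(k+1, x), with 1 added to every key coordinate, is assembled from NR(k, ·) alone at the cost of one oracle query per subset of the support of x, so 2^n queries when x = 11…1. The group parameters P, Q, G and the function names are constructed here; the group is far too small for real use.

```python
# Added example: toy Naor-Reingold PRF and the exponential key transformer
# for the additive class (illustration, not the talk's or the paper's code).
from itertools import product

# Constructed toy group: p = 2q + 1 with q prime, g = 2^2 generates the
# order-q subgroup of Z_p^*. Far too small for real use; chosen for clarity.
P, Q, G = 1019, 509, 4


def nr(k, x):
    """NR(k, x) = g^{prod_i k[i]^{x[i]}}: walk the levels of the tree,
    multiplying k[i] into the exponent whenever x[i] = 1 (exponents mod q)."""
    e = 1
    for ki, xi in zip(k, x):
        if xi:
            e = (e * ki) % Q
    return pow(G, e, P)


def nr_shifted_via_malleability(k, x):
    """Compute NR(k + 1, x) (1 added to every key coordinate) using only
    NR(k, .) evaluations, as the [BC10] key transformer would.
    prod_{i in S}(k[i] + 1) expands to sum_{T subset S} prod_{i in T} k[i],
    so g^{...} is the product of NR(k, 1_T) over all subsets T of the
    support S of x: 2^{|S|} oracle queries, i.e. 2^n when x = 11...1.
    Returns (value, number_of_oracle_queries)."""
    support = [i for i, xi in enumerate(x) if xi]
    acc, queries = 1, 0
    for bits in product((0, 1), repeat=len(support)):
        x_t = [0] * len(k)
        for i, b in zip(support, bits):
            x_t[i] = b
        acc = acc * nr(k, x_t) % P
        queries += 1
    return acc, queries


def direct_shifted(k, x):
    """Reference value NR(k + 1, x) computed with the shifted key itself."""
    return nr([(ki + 1) % Q for ki in k], x)
```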

slide-21
SLIDE 21

Part 3: Our Contributions

PRF + Φ-Key-Malleable + Φ Claw-Free ⟹ Φ-RKA-PRF against UI Adversaries; + Key-Fingerprint ⟹ Φ-RKA-PRF.

Limitations:

  • Claw-free classes only. (Not detailed in this talk)
  • Proof based on Key-Transformer.
slide-22
SLIDE 22

Part 3: Our Contributions

PRF + Φ-Key-Malleable ⟹ Φ-RKA-PRF against UI Adversaries; + Key-Fingerprint ⟹ Φ-RKA-PRF.

Limitations:

  • Proof based on Key-Transformer ⟹ Polynomial-Time Reduction for Φ+ (this talk).

slide-23
SLIDE 23

A Direct Polynomial-Time Security Proof

We can prove UI-RKA security for Φ+ using key-malleability, but with an exp-time reduction… Our paper: we provide a better reduction by proving it directly.

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

slide-24
SLIDE 24

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

slide-25
SLIDE 25

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Evaluation as a walk: start from g and read the bits x[1] x[2] x[3] … x[n-1] x[n] in turn.

slide-26
SLIDE 26

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Bit x[1] = 1: g → g^{k[1]}; remaining bits x[2] x[3] … x[n-1] x[n].

slide-27
SLIDE 27

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Bit x[2] = 0: value stays g^{k[1]}; remaining bits x[3] … x[n-1] x[n].

slide-28
SLIDE 28

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Bit x[3] = 1: g^{k[1]} → g^{k[1]k[3]}; remaining bits … x[n-1] x[n].

slide-29
SLIDE 29

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Continue through the middle bits: g^{k[1]k[3]…}; remaining bits x[n-1] x[n].

slide-30
SLIDE 30

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Bit x[n-1] = 1: g^{k[1]k[3]…k[n-1]}; remaining bit x[n].

slide-31
SLIDE 31

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Bit x[n] = 0: value stays g^{k[1]k[3]…k[n-1]}.

slide-32
SLIDE 32

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Result: g^{k[1]k[3]…k[n-1]} = NR(k,101…10).

slide-33
SLIDE 33

Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}

Tree view: level i (i = 1, …, n) processes bit x[i] with key component k[i]; 2^i nodes at level i; outputs = leaves (2^n values).

slide-34
SLIDE 34

UI-RKA security: the real evaluation uses k[1] k[2] k[3] … k[n-1] k[n], one component per level. Goal: show the outputs are indistinguishable from $ (random)?

slide-35
SLIDE 35

Idea: use a hybrid proof.

Hybrid 0 (real): levels use k[1] k[2] k[3] … k[n-1] k[n].

slide-36
SLIDE 36

Idea: use a hybrid proof.

Hybrid 1: level 1 replaced by $; remaining levels use k[2] k[3] … k[n-1] k[n].

slide-37
SLIDE 37

Idea: use a hybrid proof.

Hybrid 2: levels 1 and 2 replaced by $; remaining levels use k[3] … k[n-1] k[n].

slide-38
SLIDE 38

Idea: use a hybrid proof.

Next hybrid: one more level replaced by $; remaining levels use … k[n-1] k[n].

slide-39
SLIDE 39

Idea: use a hybrid proof.

Hybrid n-2: levels 1 to n-2 replaced by $; remaining levels use k[n-1] k[n].

slide-40
SLIDE 40

Idea: use a hybrid proof.

Hybrid n-1: levels 1 to n-1 replaced by $; only level n still uses k[n].

slide-41
SLIDE 41

Idea: use a hybrid proof.

Hybrid n: all levels replaced by $.

slide-42
SLIDE 42

Hybrid i-1: $ at levels 1 to i-1, then k[i] k[i+1] … k[n-1] k[n].
Hybrid i: $ at levels 1 to i, then k[i+1] … k[n-1] k[n].

Indistinguishable?

slide-43
SLIDE 43

Hybrid i-1: $ at levels 1 to i-1, then k[i] k[i+1] … k[n-1] k[n].
Hybrid i: $ at levels 1 to i, then k[i+1] … k[n-1] k[n].

Indistinguishable?

Problem: keys might change at each query! First question: how to define the random values? A new random value for any new key?

slide-44
SLIDE 44

Hybrid i-1: $ at levels 1 to i-1, then k[i] k[i+1] … k[n-1] k[n].
Hybrid i: $ at levels 1 to i, then k[i+1] … k[n-1] k[n].

Indistinguishable?

Problem: keys might change at each query! First question: how to define the random values? A new random value for any new key?

slide-45
SLIDE 45

Hybrid i-1 with a related key: $ at levels 1 to i-1, then k[i]+1, k[i+1] … k[n-1] k[n].
Hybrid i: $ at levels 1 to i, then k[i+1] … k[n-1] k[n].

Indistinguishable?

Problem: keys might change at each query! First question: how to define the random values? A new random value for any new key?

slide-46
SLIDE 46

Attack with 3 queries

Real evaluation: g → … using k[1] … k[i] … k[n]. Hybrid i-1: $ at levels 1 to i-1, then k[i] k[i+1] …. Hybrid i: $ at levels 1 to i, then k[i+1] ….

slide-47
SLIDE 47

Attack with 3 queries

Real evaluation: g → … using k[1] … k[i] … k[n].

Values used at level i (real): 1. g^a. Values used at level i (hybrid): 1. g^a.

slide-48
SLIDE 48

Attack with 3 queries

Real evaluation: g → … using k[1] … k[i] … k[n].

Values used at level i (real): 1. g^a, 2. g^{a·k[i]}. Values used at level i (hybrid): 1. g^a, 2. g^c.

slide-49
SLIDE 49

Attack with 3 queries

Real evaluation with the related key k[i]+1 at level i: g → … using k[1] … k[i]+1 … k[n].

Values used at level i (real): 1. g^a, 2. g^{a·k[i]}, 3. g^{a(k[i]+1)} = g^{a·k[i]} · g^a.
Values used at level i (hybrid): 1. g^a, 2. g^c, 3. g^{c'} ≠ g^c · g^a ?

slide-50
SLIDE 50

Attack with 3 queries

Real evaluation with the related key k[i]+1 at level i: g → … using k[1] … k[i]+1 … k[n].

Values used at level i (real): 1. g^a, 2. g^{a·k[i]}, 3. g^{a(k[i]+1)} = g^{a·k[i]} · g^a.
Values used at level i (hybrid): 1. g^a, 2. g^c, 3. g^{c'} ≠ g^c · g^a ?

⟹ Hybrids are not indistinguishable.

slide-51
SLIDE 51

Attack with 3 queries

Real evaluation with the related key k[i]+1 at level i: g → … using k[1] … k[i]+1 … k[n].

Values used at level i (real): 1. g^a, 2. g^{a·k[i]}, 3. g^{a(k[i]+1)} = g^{a·k[i]} · g^a.
Values used at level i (hybrid): 1. g^a, 2. g^c, 3. g^{c'} ≠ g^c · g^a ?

Fix: set the third hybrid value to g^c · g^a ⟹ indistinguishable.

slide-52
SLIDE 52

Hybrid i: g → … $ at levels 1 to i, then k[i+1] ….

Each time we need to define a new random value at level i:

slide-53
SLIDE 53

Hybrid i: g → … $ at levels 1 to i, then k[i+1] ….

Each time we need to define a new random value at level i:

slide-54
SLIDE 54

Hybrid i: g → … $ at levels 1 to i, then k[i+1] ….

Each time we need to define a new random value at level i:

  • 1. Check if it is supposed to be related to values previously defined.
slide-55
SLIDE 55

Hybrid i: g → … $ at levels 1 to i, then k[i+1] ….

Each time we need to define a new random value at level i:

  • 1. Check if it is supposed to be related to values previously defined.
  • 2. If related: compute it from the previous values. Otherwise: set it to a fresh random value.
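As an added illustration of the bookkeeping on slides 52-55 (not code from the talk or the paper), the block below simulates the values assigned at level i in the hybrid for the additive class: each query is described by its level-(i-1) parent node, its bit x[i] and its key offset d_i, and a value for x[i] = 1 is derived from an earlier sibling under the same parent by multiplying with R^{d_i - d_0}, which is exactly the relation the three-query check of slides 46-51 tests. The names level_values, honest_level_values, related and the toy group parameters P, Q, G are constructed here.

```python
# Added example: level-i value assignment in the hybrid proof for the
# additive class phi_d(k) = k + d (illustration, not the talk's code).
import secrets
P, Q, G = 10007, 5003, 4  # constructed toy group: p = 2q+1, g = 2^2 of order q

def fresh_exp(tape=None):
    """Next exponent: from a deterministic tape (for checks) or a CSPRNG."""
    return next(tape) if tape is not None else secrets.randbelow(Q)

def level_values(queries, consistent=True, tape=None):
    """Simulate level i for queries (parent_id, x_i, d_i): parent_id names the
    level-(i-1) node, x_i is bit i of the input, d_i the offset on k[i].
    x_i = 0 inherits the parent value R. For x_i = 1 the first child of R
    gets a fresh V0; a later child with offset d is set to V0 * R^(d - d0),
    mirroring R^(k[i]+d) = R^(k[i]+d0) * R^(d-d0). consistent=False is the
    naive rule: a fresh value per new offset."""
    parent, out = {}, []
    for pid, x_i, d_i in queries:
        if pid not in parent:
            parent[pid] = [pow(G, fresh_exp(tape), P), None]
        R, first = parent[pid]
        if x_i == 0:
            out.append(R)
            continue
        if first is None or not consistent:
            V = pow(G, fresh_exp(tape), P)
            if first is None:
                parent[pid][1] = (d_i, V)
        else:
            d0, V0 = first
            V = V0 * pow(R, (d_i - d0) % Q, P) % P
        out.append(V)
    return out

def honest_level_values(queries, k_i, tape=None):
    """Real NR values for the same queries: R = g^r per parent, child
    R^(k[i] + d_i) when x_i = 1. This is what the simulator must mimic."""
    exps, out = {}, []
    for pid, x_i, d_i in queries:
        if pid not in exps:
            exps[pid] = fresh_exp(tape)
        r = exps[pid]
        out.append(pow(G, r * (k_i + d_i) % Q if x_i else r, P))
    return out

def related(R, V, V2, d, d2):
    """Check behind the three-query attack: the value for offset d2 must
    equal V * R^(d2 - d) when V is the value for offset d under parent R."""
    return V2 == V * pow(R, (d2 - d) % Q, P) % P
```

With a deterministic tape the three queries of slides 46-51 (x[i] = 0; x[i] = 1 with offset 0; x[i] = 1 with offset 1) show the naive rule failing the relation check while the consistent rule passes it, matching the honest values' structure.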

slide-56
SLIDE 56

Hybrid i-1: $ at levels 1 to i-1, then k[i] k[i+1] … k[n-1] k[n].
Hybrid i: $ at levels 1 to i, then k[i+1] … k[n-1] k[n].

Claim: these hybrids are indistinguishable under the DDH assumption.

slide-57
SLIDE 57

To conclude the proof: the last hybrid (all levels random) ≈ the random UI-RKA security game. Unique inputs guarantee this: values at level n are never related, so they are always fresh uniformly random values.

slide-58
SLIDE 58

Additive UI-RKA-PRF secure under DDH: real ≈ Hybrid 1 ≈ Hybrid 2 ≈ … ≈ Hybrid n = $, one DDH step per level (DDH DDH DDH …).

slide-59
SLIDE 59

Reduction time: running time ≈ time to check, for each query, whether the values are related. We show how to do it in O(Q^4) in the paper (Q = number of queries). ⟹ Polynomial-time reduction!

slide-60
SLIDE 60

Summary

Φ-RKA-PRF against UI Adversaries + Key-Fingerprint ⟹ Φ-RKA-PRF.

Generic framework extending [BC10]. Polynomial-time reduction for additive, affine and polynomial classes for NR.

slide-61
SLIDE 61

Thank you for your attention. Questions?