Substitution-permutation networks, pseudorandom functions, and natural proofs (slides)

  1. Substitution-permutation networks, pseudorandom functions, and natural proofs
     Eric Miles, Northeastern University
     Joint work with Emanuele Viola

  2. "Theory vs. practice" gap in cryptography
     Theoreticians have...
     - a liberal notion of efficiency: polynomial time
     - provable security, based on hardness assumptions
     Practitioners have...
     - very efficient algorithms: near-linear time
     - heuristic security: resistance to known attacks

  3. Common goal: random-looking functions
     A keyed family $\{f_K : \{0,1\}^n \to \{0,1\}^n \mid K\}$ that is indistinguishable from a truly random function.
     - theory: pseudorandom function (PRF) [Goldreich-Goldwasser-Micali '84]
     - practice: block cipher / MAC [Feistel '70s], [Simmons '80s] ⇒ PRF
     - NOTE: block cipher "modes"

  4. Common goal: random-looking functions. The gaps between the two approaches:
     $\{f_K : \{0,1\}^n \to \{0,1\}^n \mid K\}$ indistinguishable from a truly random function
     Efficiency
     - PRF: best known $|K| \approx n^2$, e.g. factoring-based PRF [Naor-Reingold '04]
     - Block cipher / MAC: typical $|K| \approx n$, e.g. Advanced Encryption Standard [Daemen-Rijmen '00]
     Methodology
     - PRF: based on PRG/OWF, with "expensive" components, e.g. iterated multiplication
     - Block cipher / MAC: substitution-permutation network: input → S-boxes (S S S S ...) → diffusion → repeat, with the key XORed in → output

  5. Our contributions: bridging the gap
     New candidate PRF based on an SP-network:
     - more efficient than previous candidates
     - application to Natural Proofs [Razborov-Rudich '97]
     - security derived from "practical" analysis
     Proof-of-concept theorem: an SP-network with a random S-box is a secure (but inefficient) PRF.
     - analogous to [Luby-Rackoff '88] for Feistel networks

  6. Outline
     - Introduction
     - SP-network: definition and security
     - New PRF candidates
     - SP-network with random S-box
     - Natural Proofs

  7. The SP-network paradigm [Shannon '49, Feistel-Notz-Smith '75]
     $(n = mb)$-bit input; XOR $key_0$; round 1: S S S S ... then $M$; XOR $key_1$; round 2: S S S S ... then $M$; XOR $key_2$; ...; round $r$: S S S S ... then $M$; XOR $key_r$; $(n = mb)$-bit output.
     - S(ubstitution)-box $S : GF(2^b) \to GF(2^b)$: computationally expensive; good cryptographic properties
     - Linear transformation $M : GF(2^b)^m \to GF(2^b)^m$: computationally cheap; good diffusion properties
     - Key XOR: the only source of secrecy; round keys are uniform and independent

  8. Linear and differential cryptanalysis [Biham-Shamir '91] [Matsui '94]
     Two general attacks against a block cipher $C$. Parameters of interest: $p_{LC}(C)$, $p_{DC}(C)$.
     $p_{LC}(C) \le 2^{-\Omega(n)}$ and $p_{DC}(C) \le 2^{-\Omega(n)}$ ⇒ security against LC/DC.
     Details:
       $p_{LC}(C) = \max_{A,B} \mathbb{E}_K \left| \Pr_x[\langle A, x\rangle = \langle B, C_K(x)\rangle] - \tfrac{1}{2} \right|^2$
       $p_{DC}(C) = \max_{A,B} \Pr_{x,K}[C_K(x) + C_K(x + A) = B]$

  9. LC/DC design principles
     1. The S-box resists LC/DC: $S(x) := x^{2^b - 2}$ satisfies $p_{LC/DC}(S) \le 2^{-(b-2)}$ [Nyberg '93].
     2. $M$ has "branch number" $Br(M) = m + 1$, where $Br(M) := \min_{x \ne 0^m} \{ wgt(x) + wgt(M(x)) \}$ for $M : GF(2^b)^m \to GF(2^b)^m$.
     Intuition: 1 + 2 ⇒ LC/DC security. S-box security $2^{-\Omega(b)}$ propagates to $m$ bundles: $(2^{-\Omega(b)})^m = 2^{-\Omega(n)}$.

  11. New PRF: quasi-linear size
      Theorem [M-Viola]: there exists a size-$n \cdot \log^{O(1)} n$ SPN with LC/DC security $2^{-n/2}$.
      Compare to the best complexity-theoretic PRF [Naor-Reingold '04]:
      - security from factoring / discrete-log hardness
      - size $= \Omega(n^2)$

  12. New PRF: quasi-linear size (efficiency)
      Theorem [M-Viola]: there exists a size-$n \cdot \log^{O(1)} n$ SPN with LC/DC security $2^{-n/2}$.
      - S-box: $S(x) := x^{2^b - 2}$ with $b = \log n$, so $S$ has size $\log^{O(1)} n$
      - $r = O(\log n)$ rounds
      - Linear transformation: let $G = [I \mid M]$ be an $m \times 2m$ Reed-Solomon code; this gives the maximum branch number [Daemen '95]. Such an $M$ is a Cauchy matrix [Roth-Seroussi '85]. We adapt [Gerasoulis '88] to do Cauchy multiplication in size $O(n \cdot \log^3 n)$.

  13. New PRF: quasi-linear size (security)
      Theorem [M-Viola]: there exists a size-$n \cdot \log^{O(1)} n$ SPN with LC/DC security $2^{-n/2}$.
      Theorem [Kang-Hong-Lee-Yi-Park-Lim '01, M-Viola '12]: if $p_{LC/DC}(S) \le 2^{-(b-2)}$ and $Br(M) = m + 1$, then the $r$-round SPN has $p_{LC/DC}(SPN) \le 2^{-(n - rm)}$.
      - $r = b/2$ ⇒ security $= 2^{-n/2}$ (since $n = mb$)
      - $S(x) = x^{2^b - 2}$ has the required $p_{LC/DC}$ bounds [Nyberg '93]
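The design principles of slides 7, 9 and 12 are easy to check by brute force on a tiny instance. The following is an added example (not code from the talk or its authors): a toy SPN over $GF(2^4)$ with $m = 2$ bundles ($n = 8$), the inversion S-box $S(x) = x^{2^b-2}$, a Cauchy matrix as the diffusion layer, and the slides' $p_{DC}$, $p_{LC}$ and $Br(M)$ computed exactly from their definitions. The field polynomial $x^4 + x + 1$, the Cauchy points $\{1, 2\}, \{3, 4\}$ and the round keys are assumptions chosen for the toy, not parameters from the paper. Two conventions are made explicit that the slides leave implicit: the maxima exclude the trivial masks ($A \ne 0$ for DC, $B \ne 0$ for LC), and the S-box is unkeyed, so there is no expectation over $K$.

```python
"""Toy SP-network over GF(2^4) with m = 2 bundles (n = 8): inversion S-box, Cauchy (MDS) diffusion
layer, and the slides' LC/DC parameters computed exactly by brute force. Added example; the field
polynomial, Cauchy points and round keys are assumptions for the toy instance, not from the talk."""
from fractions import Fraction
from itertools import product

B = 4            # bundle size b in bits
Q = 1 << B       # field size 2^b
POLY = 0b10011   # x^4 + x + 1, irreducible over GF(2); defines GF(2^b)


def gf_mul(a, b):
    """Carry-less product in GF(2^b), reduced by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return r


def gf_pow(a, e):
    """Square-and-multiply in GF(2^b)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


SBOX = [gf_pow(x, Q - 2) for x in range(Q)]   # S(x) := x^(2^b-2): field inverse, S(0) = 0


def dot(a, b):
    """Inner product over GF(2): parity of a & b."""
    return bin(a & b).count("1") & 1


def p_dc(S):
    """max over A != 0 and B of Pr_x[S(x) + S(x + A) = B]; '+' is XOR in GF(2^b)."""
    best = 0
    for a in range(1, len(S)):
        hist = [0] * len(S)
        for x in range(len(S)):
            hist[S[x] ^ S[x ^ a]] += 1
        best = max(best, max(hist))
    return Fraction(best, len(S))


def p_lc(S):
    """max over masks A and B != 0 of |Pr_x[<A,x> = <B,S(x)>] - 1/2|^2 (unkeyed, so no E_K)."""
    best = Fraction(0)
    for a in range(len(S)):
        for b in range(1, len(S)):
            agree = sum(dot(a, x) == dot(b, S[x]) for x in range(len(S)))
            best = max(best, (Fraction(agree, len(S)) - Fraction(1, 2)) ** 2)
    return best


def cauchy_matrix(xs, ys):
    """M[i][j] = 1 / (x_i + y_j) for 2m distinct points: every square minor is nonsingular (MDS)."""
    return [[gf_pow(x ^ y, Q - 2) for y in ys] for x in xs]


def apply_matrix(M, v):
    """Matrix-vector product over GF(2^b)."""
    out = []
    for row in M:
        acc = 0
        for mij, vj in zip(row, v):
            acc ^= gf_mul(mij, vj)
        out.append(acc)
    return out


def branch_number(M):
    """Br(M) = min over v != 0 of wgt(v) + wgt(M v); wgt counts nonzero bundles."""
    best = None
    for v in product(range(Q), repeat=len(M)):
        if any(v):
            w = sum(1 for t in v if t) + sum(1 for t in apply_matrix(M, v) if t)
            best = w if best is None else min(best, w)
    return best


def spn_encrypt(bundles, round_keys, M):
    """XOR key_0, then r rounds of (S-boxes, M, XOR key_i); round_keys holds r + 1 keys."""
    state = [x ^ k for x, k in zip(bundles, round_keys[0])]
    for key in round_keys[1:]:
        state = [x ^ k for x, k in zip(apply_matrix(M, [SBOX[s] for s in state]), key)]
    return state


def spn_is_permutation(round_keys, M):
    """Bijective S and invertible M make the keyed map a bijection on GF(2^b)^m."""
    images = {tuple(spn_encrypt(list(v), round_keys, M)) for v in product(range(Q), repeat=len(M))}
    return len(images) == Q ** len(M)


M_DIFF = cauchy_matrix([1, 2], [3, 4])   # m = 2; four distinct points, so Br(M_DIFF) = m + 1 = 3
KEYS = [[5, 9], [7, 1], [14, 2]]          # constructed keys for a 2-round toy instance

if __name__ == "__main__":
    print("p_DC(S) =", p_dc(SBOX), " (Nyberg bound 2^-(b-2) =", Fraction(1, 2 ** (B - 2)), ")")
    print("p_LC(S) =", p_lc(SBOX))
    print("Br(M) =", branch_number(M_DIFF), " 2-round SPN bijective:", spn_is_permutation(KEYS, M_DIFF))
```

On this instance $p_{DC}(S) = 4/16 = 2^{-(b-2)}$ exactly (the inverse map is differentially 4-uniform for even $b$), $p_{LC}(S) = 1/16$ (the inverse map on 4 bits has nonlinearity 4, so the largest bias is $1/4$), and the Cauchy matrix reaches the maximum branch number $m + 1 = 3$. Brute force is only viable because $b = 4$; the point of slide 12 is that these bounds are proved analytically, so $b = \log n$ can grow with the instance.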

  14. New PRF: simple candidate
      Input $x \in \{0,1\}^n$, keys $K, K'$; $S(x) := x^{2^n - 2}$ over $GF(2^n)$;
      $C_{K,K'}(x) := \langle (x + K)^{2^n - 2}, K' \rangle \in \{0,1\}$.
      Theorem [M-Viola]: $C_{K,K'}$ $2^{-\Omega(n)}$-fools parity tests on $\le 2^{0.9n}$ outputs.
      Compare to [Even-Mansour '91]:
      - replacing EM's random function with $S$: simple attack
      - also replacing $+ K'$ with $\langle \cdot, K' \rangle$: fools parity tests
      - also computable in quasi-linear size [Gao-von zur Gathen-Panario-Shoup '00]
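The candidate on this slide is small enough to evaluate exhaustively. The following is an added example (not code from the talk or its authors): $C_{K,K'}$ over a toy field $GF(2^8)$ built from exp/log tables, plus a harness that computes the exact bias of one parity test, $\left|\Pr_{K,K'}[\bigoplus_i C_{K,K'}(x_i) = 1] - \tfrac12\right|$, by enumerating all $2^{2n}$ key pairs. The field polynomial (the AES one, $x^8 + x^4 + x^3 + x + 1$), the generator $3$ and the query sets are assumptions for the toy. Since $\bigoplus_i \langle S(x_i + K), K'\rangle = \langle u, K'\rangle$ with $u = \bigoplus_i S(x_i + K)$, and $\langle u, K'\rangle$ is balanced over $K'$ whenever $u \ne 0$, the bias equals (number of $K$ with $u = 0$) $/ 2^{n+1}$. My own count, not a claim from the slides: for one input exactly one $K$ (namely $K = x$) gives $u = 0$; for two distinct inputs none does, because $S$ is a bijection; for three distinct inputs exactly one does, since clearing denominators turns $u = 0$ into $K^2 = x_1x_2 + x_1x_3 + x_2x_3$, which has one root in characteristic 2. So the expected biases are $2^{-(n+1)}$, $0$ and $2^{-(n+1)}$, consistent with the theorem's $2^{-\Omega(n)}$.

```python
"""The simple candidate C_{K,K'}(x) = <(x + K)^(2^n - 2), K'> on a toy field GF(2^8), with the
parity-test bias computed exactly over all 2^(2n) key pairs. Added example; the field polynomial,
generator and sample inputs are assumptions for the toy instance, not from the talk."""
from fractions import Fraction

N = 8                   # toy n; the candidate lives over GF(2^n)
POLY = 0x11B            # x^8 + x^4 + x^3 + x + 1 (the AES polynomial; any irreducible degree-8 one works)
ORDER = (1 << N) - 1    # |GF(2^n)*| = 255


def _build_tables():
    """exp/log tables of GF(2^8)* w.r.t. the generator 3 = x + 1 (a generator for POLY = 0x11B)."""
    exp, log = [0] * (1 << N), [0] * (1 << N)
    a = 1
    for i in range(ORDER):
        exp[i], log[a] = a, i
        a ^= (a << 1) ^ (POLY if a & (1 << (N - 1)) else 0)   # a := a * (x + 1), reduced mod POLY
    return exp, log


EXP, LOG = _build_tables()


def gf_mul(a, b):
    """Product in GF(2^n) via the log tables."""
    return 0 if a == 0 or b == 0 else EXP[(LOG[a] + LOG[b]) % ORDER]


def sbox(x):
    """S(x) := x^(2^n - 2), i.e. the field inverse, with S(0) = 0."""
    return 0 if x == 0 else EXP[((1 << N) - 2) * LOG[x] % ORDER]


def parity(v):
    return bin(v).count("1") & 1


def candidate(x, k, kp):
    """C_{K,K'}(x) = <S(x + K), K'> in {0,1}; '+' in GF(2^n) is XOR."""
    return parity(sbox(x ^ k) & kp)


def parity_test_bias(xs):
    """Exact |Pr_{K,K'}[XOR_i C_{K,K'}(x_i) = 1] - 1/2|, the key-averaged bias of one parity test."""
    ones = 0
    for k in range(1 << N):
        for kp in range(1 << N):
            acc = 0
            for x in xs:
                acc ^= candidate(x, k, kp)
            ones += acc
    return abs(Fraction(ones, 1 << (2 * N)) - Fraction(1, 2))


def tables_consistent():
    """Every nonzero x satisfies x * S(x) = 1, which pins down both the tables and the exponent."""
    return all(gf_mul(x, sbox(x)) == 1 for x in range(1, 1 << N)) and sbox(0) == 0


if __name__ == "__main__":
    for xs in ([0x53], [0x53, 0xCA], [1, 2, 3]):   # constructed query sets
        print(len(xs), "distinct inputs: bias =", parity_test_bias(xs))
```

The harness measures exactly what the theorem on this slide promises and nothing more: low bias against parity tests says nothing about other distinguishers, and the slide itself notes that the Even-Mansour variant with $S$ in place of the random permutation admits a simple attack, so the candidate is an object of study, not a drop-in PRF.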

  16. SP-network with random S-box
      Theorem [M-Viola]: if the SP-network has (1) a random S-box and (2) a max-branch-number $M$, then the $q$-query distinguishing advantage is $\le (rmq)^3 \cdot 2^{-b}$.
      - when $b = \omega(\log n)$, security $= n^{-\omega(1)}$
      - similar bound as Luby-Rackoff
      - we exploit the structure to bound collision probabilities

  17. SP-network with random S-box (proof idea)
      - Fix queries $x_1, \ldots, x_q \in \{0,1\}^n$.
      - $\Pr[\exists \text{ a collision in any 2 final-round S-boxes}] \le poly(m, q) \cdot 2^{-b}$
        - uses that $M$ is invertible with all entries $\ne 0$
        - non-trivial for $x_i \ne x_j$ feeding the same S-box
      - No collisions ⇒ the output is uniform.

  19. Natural Proofs [Razborov-Rudich '97]
      - CKT = any complexity class (e.g. circuits of size $n^2$)
      - Observation: most lower bounds against CKT distinguish CKT truth tables from random truth tables.
      - Implication: if CKT can compute a $2^{-n}$-secure PRF, most techniques can't prove CKT lower bounds.
      - Gap: best PRF: size $\Omega(n^2)$ [Naor-Reingold '04]; best lower bound: size $O(n)$ [Blum '84]

  20. Natural Proofs [Razborov-Rudich '97] (continued)
      - We narrow the gap in 3 models (if our PRF is $2^{-n}$-secure):
        - Boolean circuits of size $n \cdot \log^{O(1)}(n)$
        - $TC^0$ circuits of size $O(n^{1+\varepsilon})$ for any $\varepsilon > 0$ [Allender-Koucký '10]
        - time-$O(n^2)$ 1-tape Turing machines

  21. Conclusion
      The SPN structure is underexplored for PRFs:
      - it lends itself to efficient circuits
      - combinatorial hardness, vs. algebraic hardness for complexity-theoretic PRFs
      - we give evidence that SPNs are plausible PRF candidates
      - we provide an asymptotic analysis of the SPN structure
      Future directions:
      - simplest, most efficient possible PRF? (linear-size circuits, branching programs, communication protocols, ...)
      - analyze our PRF candidates against other attacks
