New techniques for information-theoretic indistinguishability, and applications
Stefano Tessaro (UCSB)
IMS Workshop on Mathematics of Information-Theoretic Cryptography
Joint work with Viet Tung Hoang (FSU)
Posted on 28-Apr-2022

Page 1: New techniques for information-theoretic

New techniques for information-theoretic indistinguishability, and applications

Stefano Tessaro, UCSB

IMS Workshop on Mathematics of Information-Theoretic Cryptography

Joint work with Viet Tung Hoang (FSU)

Page 2: New techniques for information-theoretic

[Figure: a distinguisher interacts with one of two systems, $\mathbf{F}$ or $\mathbf{G}$, each chosen with probability ½, and has to tell which one it is talking to.]

Page 3: New techniques for information-theoretic

This talk – in a nutshell

Information-theoretic indistinguishability is a natural problem in cryptography.

This talk:

New techniques for information-theoretic indistinguishability

Applications: analysis of symmetric cryptographic constructions

Based on: Viet Tung Hoang, Stefano Tessaro. "Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-User Security". CRYPTO 2016.

Pedagogical component

Page 4: New techniques for information-theoretic

Distinguishing advantage

[Figure: distinguisher $\mathbf{D}$ interacts with either $\mathbf{F}$ or $\mathbf{G}$ and outputs a bit 0/1.]

$\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) = \Pr[\mathbf{D}^{\mathbf{F}} \Rightarrow 1] - \Pr[\mathbf{D}^{\mathbf{G}} \Rightarrow 1]$

Page 5: New techniques for information-theoretic

Computational indistinguishability: $\forall \mathbf{D}$ w/ runtime $T$: $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \varepsilon$

Two examples we will look at: PRF and PRP security

Page 6: New techniques for information-theoretic

Example: Pseudorandom functions (PRFs)

[Figure: $\mathbf{D}$ queries either $\mathbf{F}_k$ or $\mathbf{RF}_{m,n}$ and outputs a bit 0/1.]

$\mathrm{Adv}^{\mathrm{prf}}_{\mathbf{F}}(\mathbf{D}) = \Pr[\mathbf{D}^{\mathbf{F}_k} \Rightarrow 1] - \Pr[\mathbf{D}^{\mathbf{RF}} \Rightarrow 1]$

$k$: uniform secret key

$\mathbf{F}_k : \{0,1\}^m \to \{0,1\}^n$

$\mathbf{RF}_{m,n}$: randomly selected function $\{0,1\}^m \to \{0,1\}^n$

Query $X_i$ is answered with $\mathbf{F}_k(X_i)$ in the real world and with a fresh random value ($\$$) in the ideal world.

Page 7: New techniques for information-theoretic

Pseudorandom permutations (PRPs)

[Figure: $\mathbf{D}$ queries either $\mathbf{E}_k$ or $\mathbf{RP}_n$ and outputs a bit 0/1.]

$\mathrm{Adv}^{\mathrm{prp}}_{\mathbf{E}}(\mathbf{D}) = \Pr[\mathbf{D}^{\mathbf{E}_k} \Rightarrow 1] - \Pr[\mathbf{D}^{\mathbf{RP}} \Rightarrow 1]$

$k$: uniform secret key

$\mathbf{E}_k : \{0,1\}^n \to \{0,1\}^n$, a permutation for all $k$

$\mathbf{RP}_n$: randomly selected permutation $\{0,1\}^n \to \{0,1\}^n$

Query $X_i$ is answered with $\mathbf{E}_k(X_i)$ in the real world and with a random value ($\$$) in the ideal world.

Page 8: New techniques for information-theoretic

Strong PRPs

[Figure: $\mathbf{D}$ queries either $\mathbf{E}_k$ or $\mathbf{RP}_n$, in both directions, and outputs a bit 0/1.]

$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{E}}(\mathbf{D}) = \Pr[\mathbf{D}^{\mathbf{E}_k} \Rightarrow 1] - \Pr[\mathbf{D}^{\mathbf{RP}} \Rightarrow 1]$

Additionally allow for inverse queries!

Inverse query $Y_i$ is answered with $\mathbf{E}_k^{-1}(Y_i)$ in the real world and with a random value ($\$$) in the ideal world.

Page 9: New techniques for information-theoretic

Computational indistinguishability: $\forall \mathbf{D}$ w/ runtime $T$: $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \varepsilon$

This talk: Information-theoretic indistinguishability

$\forall \mathbf{D}$ making $q$ queries: $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \varepsilon$

Necessary for PRFs, PRPs, …

Arises (often) for two specific reasons:

1. Intermediate step

2. Security proof in ideal model

Page 10: New techniques for information-theoretic

Example I – Feistel networks [LR85]

Goal: Build a PRP from a PRF $\mathbf{F}$

[Figure: $r$-round Feistel network with round functions $\mathbf{F}_{k_1}, \mathbf{F}_{k_2}, \ldots, \mathbf{F}_{k_r}$. In the proof, the round functions are first replaced by random functions $\mathbf{R}_1, \mathbf{R}_2, \mathbf{R}_3, \ldots$ (computational step), and the result is then compared with $\mathbf{RP}$ (information-theoretic step).]

Technical core of proof!

Dozens of papers in this spirit, analyzing Feistel & friends [LR85, P90, M92, P97, P98, NR99, MP03, P04, MOPS06, MPS09, HR10, HMP12, RY13, MR14, …]

Page 11: New techniques for information-theoretic

Example II – Even-Mansour [EM97]

Goal: Build block cipher / PRP from an (unkeyed) permutation $\pi$

[Figure: the Even-Mansour cipher: key $K_0$ XORed into the input, then $\pi$, then key $K_1$ XORed into the output.]

Caveat: No non-trivial computational assumption on $\pi$ yields security!

Solution: Assume that $\pi$ is randomly chosen

[Figure: real world $\mathbf{F}$: $\mathbf{EM}^{\pi}$ with keys $K_0, K_1$, plus $\pi$; ideal world $\mathbf{G}$: $\mathbf{RP}$, plus $\pi$.]

$q$ "online" queries

$p$ "off-line" queries to $\pi$ or $\pi^{-1}$

Guarantees security for generic attacks treating $\pi$ as a black box

$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{EM}}(p, q)$

Page 12: New techniques for information-theoretic

Focus on concrete security

Parameterize the distinguisher through the # of queries $q$:

$\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(q) = \max_{\mathbf{D} \in \mathcal{D}_q} \mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D})$, where $\mathcal{D}_q$ is the class of $q$-query distinguishers

Goal: Determine $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(q)$ as precisely as possible

Page 13: New techniques for information-theoretic

But concrete analyses are not easy…

Page 14: New techniques for information-theoretic

Key-alternating ciphers aka "iterated Even-Mansour cipher"

Abstraction of the AES structure, introduced by Bogdanov et al. [BKLSST12]

[Figure: $\mathbf{KAC}[n,r]$ on $n$-bit blocks: key $K_0$ XORed in, then alternately $\pi_1, K_1, \pi_2, K_2, \ldots, \pi_r, K_r$.]

$\varepsilon_{n,r}(p, q) = \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{KAC}[n,r]}(p, q)$

$p$: # queries to (random) $\pi_1, \ldots, \pi_r$ and $\pi_1^{-1}, \ldots, \pi_r^{-1}$

$q$: # queries to $\mathbf{KAC}[n,r]$ (and inverse) w/ random secret keys

Convention: $N = 2^n$

Page 15: New techniques for information-theoretic

Bounds for KACs [For simplicity, assume $p = q$]

Paper | Bound | Security level
[EM97] | $q^2/N$ | $N^{1/2}$
[BKLSST12] [S12] | $4.3\,q^3 r/N^2 + (r+1)\,q/N^{r/(r+1)}$ | $N^{2/3}$
[LPS12] | $2^2 (2q)^{r/2+1}/N^{r/2}$ | $N^{r/(r+2)}$
[CS14] | $\left((6q)^{r+1} r^{r+3}/N^r\right)^{1/(r+2)}$ | $\Omega(N^{r/(r+1)})$
Dream bound | $q^{r+1}/N^r$ | $N^{r/(r+1)}$ ("matching attack" when $r$ is constant)

Question: Can we improve upper bounds to match the "dream bound"? And does it matter?

Page 16: New techniques for information-theoretic

Bounds for KACs – Does it matter?

$\varepsilon(q, N) = \left(\frac{(6q)^{r+1} r^{r+3}}{N^r}\right)^{1/(r+2)}$ vs $\delta(q, N) = \frac{q^{r+1}}{N^r}$

Asymptotic tightness: $q(n) = 2^{rn/(r+1)}$

e.g. $N = 2^{128}$, $r = 10$, $p = q$

[Figure: plot of $\varepsilon(q,N)$ and $\delta(q,N)$ against $\log_2 q$ from 1 to 127; vertical axis from 0 to 1.2.]

At $q = 2^{112}$: $\delta(q, N) = 2^{-48}$ while $\varepsilon(q, N) \gg 1$
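To see how much concrete security the non-tight [CS14] bound gives away against the dream bound, here is an added Python check (mine, not from the talk) that evaluates both bounds in the log domain for the slide's parameters $N = 2^{128}$, $r = 10$, $p = q$, and finds the largest query budget each bound still certifies; function names are my own.

```python
from math import log2

def log2_cs14(q, n, r):
    """log2 of the [CS14] bound ε(q, N) = ((6q)^{r+1} r^{r+3} / N^r)^{1/(r+2)}, N = 2^n.
    Working with logarithms keeps the huge powers exact enough for a comparison."""
    return ((r + 1) * log2(6 * q) + (r + 3) * log2(r) - r * n) / (r + 2)

def log2_dream(q, n, r):
    """log2 of the dream bound δ(q, N) = q^{r+1} / N^r."""
    return (r + 1) * log2(q) - r * n

def max_secure_query_bits(log2_bound, n, r):
    """Largest b such that the bound is still below 1 (log2 < 0) at q = 2^b,
    i.e. the query budget the bound actually certifies."""
    b = 0
    while log2_bound(2 ** (b + 1), n, r) < 0:
        b += 1
    return b

def compare(n=128, r=10):
    """Reproduce the slide's comparison: (log2 δ, log2 ε) at q = 2^112 and the
    certified budgets, in bits, of the dream bound and of the [CS14] bound."""
    q = 2 ** 112
    return (log2_dream(q, n, r), log2_cs14(q, n, r),
            max_secure_query_bits(log2_dream, n, r),
            max_secure_query_bits(log2_cs14, n, r))

if __name__ == "__main__":
    d, e, bits_dream, bits_cs14 = compare()
    print(f"q = 2^112: dream bound 2^{d:.1f}, CS14 bound 2^{e:.1f} (exceeds 1 once the exponent is > 0)")
    print(f"certified query budget: dream {bits_dream} bits, CS14 {bits_cs14} bits")
```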

Page 17: New techniques for information-theoretic

Our result – Achieving the "dream bound"

Theorem. [HT16] For all $p, q \le N$,

$\varepsilon_{n,r}(p, q) \le \frac{q\,(6p)^r}{N^r}$

The rest of the talk will show how the choice of techniques affects proving such a result.

Page 18: New techniques for information-theoretic

Interlude: IT indistinguishability proofs

Page 19: New techniques for information-theoretic

Common approach – bad-event analyses [M02, BR06]

[Figure: $\mathbf{D}$ interacts with $\mathbf{F}$ or $\mathbf{G}$ and outputs 0/1; each system additionally indicates whether the "bad event" has occurred.]

Equivalent-until-bad: $\mathbf{F}$ and $\mathbf{G}$ behave identically up to the bad event happening

Then: $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(q) \le \Pr[\text{bad event within } q \text{ queries}]$

[Maurer-Pietrzak-Renner '07] show that bad-event analyses are "universal", but the bad-event description can be extremely large.

Page 20: New techniques for information-theoretic

Recent revival – Transcript-centric approach

Interactions define transcripts: $\mathbf{D}$ sends $X_i$ and receives $Y_i$ from $\mathbf{F}$, resp. sends $X_i'$ and receives $Y_i'$ from $\mathbf{G}$.

$T_{\mathbf{F}} = ((X_1, Y_1), \ldots, (X_q, Y_q))$

$T_{\mathbf{G}} = ((X_1', Y_1'), \ldots, (X_q', Y_q'))$

Fact. $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \mathbf{SD}(T_{\mathbf{F}}, T_{\mathbf{G}})$

$\mathbf{SD}(T_{\mathbf{F}}, T_{\mathbf{G}}) = \frac{1}{2} \sum_{\tau} \left| \Pr[T_{\mathbf{F}} = \tau] - \Pr[T_{\mathbf{G}} = \tau] \right|$

Page 21: New techniques for information-theoretic

Describing systems

$\mathbf{F}$ is fully described by its interpolation probabilities

$p_{\mathbf{F}}((X_1, Y_1), \ldots, (X_q, Y_q))$ = probability that $\mathbf{F}$ responds $Y_1, \ldots, Y_q$ when queried with $X_1, \ldots, X_q$

Examples:

$p_{\mathbf{RF}_{m,n}}((X_1, Y_1), \ldots, (X_q, Y_q)) = \frac{1}{2^{nq}}$

$p_{\mathbf{RP}_n}((X_1, Y_1), \ldots, (X_q, Y_q)) = \frac{1}{2^n (2^n - 1) \cdots (2^n - q + 1)}$ for distinct $X_1, \ldots, X_q$ and distinct $Y_1, \ldots, Y_q$

Page 22: New techniques for information-theoretic

Point-wise proximity [Pat98, Ber99, HT16]

$\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \mathbf{SD}(T_{\mathbf{F}}, T_{\mathbf{G}}) = \sum_{\tau \in \mathcal{T}^+} \left( p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) \right)$, where $\mathcal{T}^+ = \{ \tau : \Pr[T_{\mathbf{G}} = \tau] > \Pr[T_{\mathbf{F}} = \tau] \}$

Fact: If $\mathbf{D}$ is deterministic: 1. $\Pr[T_{\mathbf{F}} = \tau] \in \{0, p_{\mathbf{F}}(\tau)\}$; 2. $\Pr[T_{\mathbf{F}} = \tau] = p_{\mathbf{F}}(\tau) > 0$ iff $\Pr[T_{\mathbf{G}} = \tau] = p_{\mathbf{G}}(\tau) > 0$

Lemma (point-wise proximity). If $p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) \le \varepsilon(q) \cdot p_{\mathbf{G}}(\tau)$ for all $q$-query $\tau$, then

$\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \varepsilon(q)$

Page 23: New techniques for information-theoretic

Switching lemma, revisited

Lemma. If $p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) \le \varepsilon(q) \cdot p_{\mathbf{G}}(\tau)$ for all $q$-query $\tau$, then $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \varepsilon(q)$

Take $\mathbf{F} = \mathbf{RF}_{n,n}$ and $\mathbf{G} = \mathbf{RP}_n$. Fix an arbitrary $\tau = ((X_1, Y_1), \ldots, (X_q, Y_q))$ w/ distinct $X_i$'s and distinct $Y_i$'s. Then

$p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) = \frac{1}{N(N-1)\cdots(N-q+1)} - \frac{1}{N^q} = p_{\mathbf{G}}(\tau) \left( 1 - \frac{N(N-1)\cdots(N-q+1)}{N^q} \right) = p_{\mathbf{G}}(\tau) \cdot p_{\mathrm{coll}}(N, q)$
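As an added illustration (my code, not from the talk), the following Python evaluates the interpolation probabilities above on a toy domain, checks the point-wise identity $p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) = p_{\mathrm{coll}}(N,q)\,p_{\mathbf{G}}(\tau)$ exactly with fractions, and computes $\mathbf{SD}(T_{\mathbf{F}}, T_{\mathbf{G}})$ by enumerating every function and permutation on $\{0,1\}^2$ for a deterministic distinguisher that queries fixed distinct points; the function names are my own.

```python
from fractions import Fraction
from itertools import permutations, product

def p_rf(n, q):
    """Interpolation probability p_RF(τ) of RF_{n,n}: 1 / 2^{nq} for every q-query τ."""
    return Fraction(1, (1 << n) ** q)

def p_rp(n, q):
    """p_RP(τ) of RP_n for τ with distinct X's and distinct Y's: 1 / (N(N-1)...(N-q+1))."""
    N = 1 << n
    falling = 1
    for i in range(q):
        falling *= N - i
    return Fraction(1, falling)

def p_coll(n, q):
    """ε(q) = 1 - N(N-1)...(N-q+1)/N^q, so that p_RP(τ) - p_RF(τ) = ε(q) · p_RP(τ)."""
    return 1 - p_rf(n, q) / p_rp(n, q)

def transcript_distribution(xs, oracles, weight):
    """Distribution of the transcript (Y_1, ..., Y_q) when a deterministic, non-adaptive
    distinguisher queries the distinct points xs; each oracle in `oracles` has probability
    `weight` (uniform over all functions, resp. all permutations)."""
    dist = {}
    for f in oracles:
        tau = tuple(f[x] for x in xs)
        dist[tau] = dist.get(tau, 0) + weight
    return dist

def exact_sd(n, xs):
    """SD(T_RF, T_RP) = ½ Σ_τ |Pr[T_RF = τ] - Pr[T_RP = τ]| by brute-force enumeration;
    only feasible for tiny n, which is the point of the toy domain."""
    N = 1 << n
    funcs = list(product(range(N), repeat=N))      # all N^N functions {0,1}^n -> {0,1}^n
    perms = list(permutations(range(N)))           # all N! permutations
    d_rf = transcript_distribution(xs, funcs, Fraction(1, len(funcs)))
    d_rp = transcript_distribution(xs, perms, Fraction(1, len(perms)))
    support = set(d_rf) | set(d_rp)
    return sum(abs(d_rf.get(t, 0) - d_rp.get(t, 0)) for t in support) / 2

if __name__ == "__main__":
    n, q = 2, 2                                    # N = 4, two distinct queries
    print("p_RF =", p_rf(n, q), " p_RP =", p_rp(n, q), " p_coll =", p_coll(n, q))
    print("exact SD for queries (0, 1):", exact_sd(n, [0, 1]))
```

For $N = 4$ and $q = 2$ the brute-force statistical distance equals $p_{\mathrm{coll}}(4, 2) = 1/4$, so the point-wise bound is tight for this distinguisher.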

Page 24: New techniques for information-theoretic

"H-coefficient method" – Point-wise proximity not always applicable [P98]

[Figure: the set of $q$-query transcripts is partitioned into good transcripts $\mathcal{G}$ and bad transcripts $\mathcal{B}$.]

Lemma. Assume there exists a partition of the $q$-query transcripts into $\mathcal{G}$ and $\mathcal{B}$ such that: 1. $\Pr[T_{\mathbf{G}} \in \mathcal{B}] \le \delta$; 2. $p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) \le \varepsilon \cdot p_{\mathbf{G}}(\tau)$ for all $\tau \in \mathcal{G}$.

Then:

$\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \delta + \varepsilon$

Method largely misunderstood until [Chen-Steinberger, EC'14]. ([Nandi, INDOCRYPT'06] presented a similar lemma.)

Page 25: New techniques for information-theoretic

Key-alternating ciphers

Page 26: New techniques for information-theoretic

Back to Key-Alternating Ciphers

Theorem. [HT16] For all $p, q \le N$,

$\varepsilon_{n,r}(p, q) \le \frac{q\,(6p)^r}{N^r}$

We will first discuss [CS14]'s approach

[Figure: $\mathbf{KAC}[n,r]$ on $n$-bit blocks: key $K_0$ XORed in, then alternately $\pi_1, K_1, \pi_2, K_2, \ldots, \pi_r, K_r$.]

Page 27: New techniques for information-theoretic

Transcripts

Distinguisher can perform:
• Online queries to $\mathbf{KAC}[n,r]$ / $\mathbf{RP}_n$
• Offline queries to $\pi_1, \ldots, \pi_r$

Transcript:

$\tau = ((+, X, Y), (3, -, u, v), \ldots, (1, +, u', v'), \ldots)$

$(+, X, Y)$: forward online query $X$ returned $Y$; $(3, -, u, v)$: backward offline query $v$ to $\pi_3$ returned $u$

Page 28: New techniques for information-theoretic

Transcripts as an undirected graph

[Figure: the transcript $\tau = ((+, X, Y), (3, -, u, v), \ldots, (1, +, u', v'), \ldots)$ drawn as an undirected graph, with columns for $\pi_1, \pi_2, \pi_3$ holding the offline query pairs such as $(u', v')$ and $(u, v)$, and the online query endpoints $X$ and $Y$ at the two ends.]

Page 29: New techniques for information-theoretic

Bad transcripts

Wanted: partition into Good and Bad transcripts

$\tau = ((+, X, Y), (3, -, u, v), \ldots, (1, +, u', v'), \ldots, K_0, K_1, \ldots, K_r)$

Add the secret keys to the transcript

In the real world: keys are given to the adversary after it stops making queries (will not hurt us!)

In the ideal world: fresh and random independent keys are given to the distinguisher

Page 30: New techniques for information-theoretic

Transcripts – Including keys

[Figure: the transcript graph with the keys $K_0, K_1, K_2, K_3$ placed between the columns for $\pi_1, \pi_2, \pi_3$.]

Page 31: New techniques for information-theoretic

A lucky case – Real world

[Figure: the transcript graph with keys $K_0, K_1, K_2, K_3$ and permutations $\pi_1, \pi_2, \pi_3$; a path connects the online query through all three permutations via the keys.]

Page 32: New techniques for information-theoretic

A lucky case – Ideal world

[Figure: the same path in the ideal world, with keys $K_0, K_1, K_2, K_3$ and permutations $\pi_1, \pi_2, \pi_3$.]

Clearly cannot happen in the real world: leads to easy distinguishing!

We call such a path a chain

Page 33: New techniques for information-theoretic

Good and bad – First attempt

We say $\tau$ is bad if $G(\tau)$ contains a chain

Lemma.

$\Pr[T_{\mathrm{ideal}} \in \mathcal{B}] \le \frac{(r+1)\,q\,p^r}{N^r} \le \frac{q\,(2p)^r}{N^r}$

The probability only depends on the choice of keys, and the bound holds for any choice of the permutations
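An added Python example (mine, not from the talk or the paper) that decides whether a toy $\mathbf{KAC}[4,2]$ transcript contains a chain for given keys, and then computes the bad-transcript probability exactly over all key tuples and checks it against the lemma's bound. I assume a chain is a path through one online pair $(X,Y)$ that uses $r$ of the $r+1$ key-links $X \xrightarrow{K_0} \pi_1 \xrightarrow{K_1} \cdots \pi_r \xrightarrow{K_r} Y$ (the $r+1$ choices of the missing link are what the factor $(r+1)$ counts); the transcript is constructed and the function names are my own.

```python
from fractions import Fraction
from itertools import product

def has_chain(online, offline, keys):
    """True if the transcript graph G(τ) contains a chain under the given keys.
    online: list of (X, Y) pairs from the r-round KAC; offline[i]: list of (u, v)
    pairs observed for permutation π_i (i = 1..r); keys: (K_0, ..., K_r).
    Assumed definition: a chain for one pair (X, Y) is a path that uses r of the
    r+1 key-links X -K_0- π_1 -K_1- ... -K_{r-1}- π_r -K_r- Y."""
    r = len(keys) - 1
    for X, Y in online:
        fwd, cur = 0, X                      # deepest π_i reachable forward from X
        for i in range(1, r + 1):
            hit = [v for (u, v) in offline[i] if u == cur ^ keys[i - 1]]
            if not hit:
                break
            fwd, cur = i, hit[0]             # π_i is a permutation: at most one hit
        bwd, cur = r + 1, Y                  # shallowest π_i reachable backward from Y
        for i in range(r, 0, -1):
            hit = [u for (u, v) in offline[i] if v == cur ^ keys[i]]
            if not hit:
                break
            bwd, cur = i, hit[0]
        if fwd + 1 >= bwd:                   # at most one key-link is missing
            return True
    return False

def chain_probability(online, offline, n, r):
    """Exact Pr over uniform keys K_0..K_r in {0,1}^n that the transcript is bad;
    the permutations are fixed by the transcript, as the slide notes."""
    N = 1 << n
    bad = sum(has_chain(online, offline, keys)
              for keys in product(range(N), repeat=r + 1))
    return Fraction(bad, N ** (r + 1))

def chain_bound(q, p, n, r):
    """The lemma's bound (r+1) q p^r / N^r."""
    return Fraction((r + 1) * q * p ** r, (1 << n) ** r)

# constructed toy transcript: n = 4 (N = 16), r = 2, q = 2 online, p = 4 offline queries
ONLINE = [(3, 9), (12, 1)]
OFFLINE = {1: [(5, 2), (10, 14)], 2: [(2, 7), (11, 0)]}

if __name__ == "__main__":
    prob = chain_probability(ONLINE, OFFLINE, 4, 2)
    print(f"Pr[bad] = {prob}  <=  bound {chain_bound(2, 4, 4, 2)}")
```

With keys $(6, 0, 0)$ the first online pair $(3, 9)$ links through both offline entries $(5, 2)$ of $\pi_1$ and $(2, 7)$ of $\pi_2$, so the transcript is bad; with keys $(0, 0, 0)$ no link closes.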

Page 34: New techniques for information-theoretic

Key problem

Show that for all good transcripts $\tau$:

$\frac{p_{\mathrm{real}}(\tau)}{p_{\mathrm{ideal}}(\tau)} \ge 1 - \varepsilon$

for some $\varepsilon$

Page 35: New techniques for information-theoretic

Good ratios

Using techniques from [CS14]. For all good $\tau$:

$\frac{p_{\mathrm{real}}(\tau)}{p_{\mathrm{ideal}}(\tau)} \ge 1 - \sum_{0 \le a < b \le r} \sum_{k=1}^{r} R_{a,b,k}[\tau] \sum_{\sigma \in \Sigma(a,b)} \prod_{(i,j) \in \sigma} \frac{Z(i,j)}{N - p_j - q}$

where $\sigma = ((i_0, i_1), (i_1, i_2), \ldots, (i_{t-1}, i_t))$ with $a = i_0 < i_1 < \cdots < i_t = b$

$R_{a,b,k}[\tau]$: 0/1 coefficients

$Z(i,j)$: # of paths involving $\pi_{i+1}, \ldots, \pi_j$

Is the subtracted sum $\le \varepsilon$?

Page 36: New techniques for information-theoretic

Good and bad – [CS14]

$\varepsilon(\tau) = \sum_{0 \le a < b \le r} \sum_{k=1}^{r} R_{a,b,k}[\tau] \sum_{\sigma \in \Sigma(a,b)} \prod_{(i,j) \in \sigma} \frac{Z(i,j)}{N - p_j - q}$

One expects $\mathbf{E}[Z(i,j)] = p_{i+1} \cdots p_j / N^{j-i-1}$

Goal: Find a best possible upper bound $\varepsilon$ on $\varepsilon(\tau)$ for good transcripts

Hypothetically: if $Z(i,j) = p_{i+1} \cdots p_j / N^{j-i-1}$, then

$\varepsilon(\tau) = O(q\,p_1 \cdots p_r / N^r)$

Page 37: New techniques for information-theoretic

Good or bad – Caveat

All we can guarantee:

Markov inequality: $\Pr[Z(i,j) > t \cdot \mathbf{E}[Z(i,j)]] < 1/t$

CS14's idea: Add such transcripts to the set of bad transcripts

Problem: Need to find the smallest possible $t$; creates a non-tight bound

Page 38: New techniques for information-theoretic

Our approach – Expectation Method [HT16]

Theorem. Assume there exists a non-negative function $\varepsilon$ s.t. $p_{\mathbf{G}}(\tau) - p_{\mathbf{F}}(\tau) \le \varepsilon(\tau) \cdot p_{\mathbf{G}}(\tau)$

for all $q$-query $\tau$. Then, $\mathrm{Adv}^{\mathrm{dist}}_{\mathbf{F},\mathbf{G}}(\mathbf{D}) \le \mathbf{E}[\varepsilon(T_{\mathbf{G}})]$

H-coefficient method: special case where

$\varepsilon(\tau) = \begin{cases} 1 & \text{if } \tau \text{ is bad} \\ \varepsilon & \text{if } \tau \text{ is good} \end{cases}$

Page 39: New techniques for information-theoretic

Applying the expectation method

Let

$\varepsilon(\tau) = \sum_{1 \le a < b \le r} \sum_{k=1}^{r} R_{a,b,k}[\tau] \sum_{\sigma \in \Sigma(a,b)} \prod_{(i,j) \in \sigma} \frac{Z(i,j)}{N - p_j - q}$ if $\tau$ is good (i.e., w/o chain)

$\varepsilon(\tau) = 1$ if $\tau$ is bad (i.e., w/ chain)

Lemma. $\mathbf{E}[\varepsilon(T_{\mathrm{ideal}})] \le \frac{q\,(6p)^r}{N^r}$

Page 40: New techniques for information-theoretic

Some additional non-trivial facts

• Full-domain queries allowed
• We show point-wise proximity

Page 41: New techniques for information-theoretic

Information-theoretic indistinguishability and reductions

Page 42: New techniques for information-theoretic

Cryptographic reductions

Often, security of Application 1 can be reduced to security of Application 2:

Successful adversary A for Application 1 ⟹ Successful adversary B for Application 2

Not always best…

Page 43: New techniques for information-theoretic

Solution – Transcript reductions

"Classical" reduction: Adv. A for Problem 1 → Reduction → Adv. B for Problem 2

Issue: Exploits a-priori defined quantities, e.g., the overall # of queries $q$

Here: Transcript reductions: Transcript for Problem 1 → Reduction → Transcript for Problem 2

Benefit: Can exploit a-posteriori defined quantities

Page 44: New techniques for information-theoretic

Multi-user security

[Figure: real world: $\mathbf{C}_{K_1}, \ldots, \mathbf{C}_{K_u}$ plus $\pi$; ideal world: $\mathbf{RP}_1, \ldots, \mathbf{RP}_u$ plus $\pi$.]

$u$ users with independent keys

(overall) $q$ "online" queries, $p$ "off-line" queries

Distinguishing adv. $\equiv \mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{C}}(p, q)$

Lemma. $\mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{C}}(p, q) \le u \cdot \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{C}}(p + qr, q)$

The loss can be substantial: up to $u = q$ is possible!

e.g., $\frac{qp}{N} \Longrightarrow \frac{q^2 (p + q)}{N}$

Page 45: New techniques for information-theoretic

Hybrid argument

Lemma. $\mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{C}}(p, q) \le u \cdot \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{C}}(p + qr, q)$

[Figure: $u + 1$ hybrids, from $(\mathbf{C}_{K_1}, \mathbf{C}_{K_2}, \ldots, \mathbf{C}_{K_u}, \pi)$ via $(\mathbf{RP}_1, \mathbf{C}_{K_2}, \ldots, \mathbf{C}_{K_u}, \pi)$ to $(\mathbf{RP}_1, \mathbf{RP}_2, \ldots, \mathbf{RP}_u, \pi)$; each adjacent pair is at distance $\le \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{C}}(p + qr, q)$.]

Up to $q$ queries to the first user

Need to simulate users $2, \ldots, u$

Page 46: New techniques for information-theoretic

Improving the hybrid argument

What if we know an a-priori bound $q_i$ on the queries for user $i$? [in particular: $q = \sum_i q_i$]

Lemma. $\mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{C}}(p, q) \le u \cdot \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{C}}(p + qr, q)$

Lemma. $\mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{C}}(p, q) \le \sum_{i=1}^{u} \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{C}}(p + qr, q_i)$

Before: $\frac{qp}{N} \Longrightarrow \frac{q^2 (p + q)}{N}$

Now: $\frac{qp}{N} \Longrightarrow \sum_{i=1}^{u} \frac{q_i (p + q)}{N} = \frac{q (p + q)}{N}$

Page 47: New techniques for information-theoretic

From su to mu security – generically

[Figure: real world: $\mathbf{C}_{K_1}, \ldots, \mathbf{C}_{K_u}$ plus $\pi$; ideal world: $\mathbf{RP}_1, \ldots, \mathbf{RP}_u$ plus $\pi$.]

Theorem. [HT16] If for all $\tau$ with $q$ online and $p$ offline queries,

$p_{\mathbf{RP},\pi}(\tau) - p_{\mathbf{C}^{\pi},\pi}(\tau) \le \varepsilon(p, q) \cdot p_{\mathbf{RP},\pi}(\tau)$

then for all $\tau$ with $q$ online and $p$ offline queries,

$p_{\mathbf{RP}^u,\pi}(\tau) - p_{\mathbf{C}^{\pi,u},\pi}(\tau) \le 2 \sum_{i=1}^{u} \varepsilon(p + qr, q_i) \cdot p_{\mathbf{RP}^u,\pi}(\tau)$

Well defined! Usually $\sum_{i=1}^{u} \varepsilon(p + qr, q_i) \le \varepsilon(p + qr, q)$

Page 48: New techniques for information-theoretic

Application to KACs

Corollary. $\mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{KAC}[n,r]}(p, q) \le \frac{q\,(6(p + qr))^r}{N^r}$

Example. Even-Mansour:

$\mathrm{Adv}^{\pm\text{mu-prp}}_{\mathbf{EM}}(p, q) \le \frac{6pq + 6q^2}{N}$

Direct proof given by Mouha and Luykx (CRYPTO '15)

Page 49: New techniques for information-theoretic

Example 2 – Key-length extension

[Figure: block cipher $\mathbf{E}$ under key $K$ maps $M$ to $C$, with $|K| = k$ and $|M| = |C| = n$.]

Goal: Give a block-cipher construction $\mathbf{C}^{\mathbf{E}}$ with security beyond $2^k$ queries (in the ideal-cipher model)

[BR06, GM09, GT12, G13, L13, GLSST15, DSM?14, …]

Page 50: New techniques for information-theoretic

XOR Cascades [GT12, G13, L13, GLSST15]

[Figure: whitening keys $W_0, W_1, W_2, \ldots, W_r$ XORed between $r$ calls to $\mathbf{E}$ under keys $K_1, K_2, \ldots, K_r$.]

Dream Theorem.

$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{XORC}[k,n,r]}(p, q) \le \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{KAC}[n,r]}\left(\frac{pr}{2^k}, q\right) + \frac{r^2}{2^k} \le \frac{q\,p^r}{2^{(n+k)r}} + \frac{r^2}{2^k}$

$pr/2^k$: expected number of relevant queries

$r^2/2^k$: no collision across keys

Page 51: New techniques for information-theoretic

XOR Cascades – Our result vs prior work

Theorem. [GLSST15]

$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{XORC}}(p, q) \le \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{KAC}}\left(\frac{tp}{2^k}, q\right) + \frac{1}{t} + \frac{r^2}{2^k}$ (the $1/t$ term comes from the Markov inequality)

Corollary. $\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{XORC}}(p, q) \le 2 \left( \frac{q\,(6p)^r}{2^{r(n+k)}} \right)^{1/(r+1)} + \frac{r^2}{2^k}$

We show: $\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathbf{XORC}}(p, q) \le \frac{q\,(6p)^r}{2^{r(n+k)}} + \frac{r^2}{2^k}$

The reduction to proximity of KACs exploits knowledge of the exact number of relevant queries included in the transcript!

Page 52: New techniques for information-theoretic

Concluding remarks

What you have seen: A mixed bag of problems related to key-alternating ciphers.

Common denominator: New techniques for the quantitative study of computational indistinguishability, aiming at tightness.

Open problem: Find further applications

Page 53: New techniques for information-theoretic

Thank you!