New techniques for information-theoretic indistinguishability, and applications
TRANSCRIPT
New techniques for information-theoretic indistinguishability, and applications
Stefano Tessaro (UCSB)
IMS Workshop on Mathematics of Information-Theoretic Cryptography
Joint work with Viet Tung Hoang (FSU)
[Title figure: a distinguisher is given oracle access to either $F$ or $G$, each with probability 1/2, and must tell which.]
This talk – in a nutshell
Information-theoretic indistinguishability is a natural problem in cryptography.
This talk:
• New techniques for information-theoretic indistinguishability
• Applications: analysis of symmetric cryptographic constructions
Based on: Viet Tung Hoang, Stefano Tessaro. "Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-User Security". CRYPTO 2016.
Pedagogical component
Distinguishing advantage
[Figure: distinguisher $D$ interacts with $F$ or with $G$ and outputs a bit 0/1.]
$\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) = \Pr[D^F \Rightarrow 1] - \Pr[D^G \Rightarrow 1]$
Computational indistinguishability: $\forall D$ with runtime $T$: $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \varepsilon$
Two examples we will look at: PRF and PRP security
Example: Pseudorandom functions (PRFs)
[Figure: $D$ queries either $F_k$ (uniform secret key $k$) or $\mathrm{RF}_{m,n}$ and outputs 0/1.]
$\mathrm{Adv}^{\mathrm{prf}}_{F}(D) = \Pr[D^{F_k} \Rightarrow 1] - \Pr[D^{\mathrm{RF}} \Rightarrow 1]$
$F_k: \{0,1\}^m \to \{0,1\}^n$, with a uniform secret key $k$
$\mathrm{RF}_{m,n}$: a randomly selected function $\{0,1\}^m \to \{0,1\}^n$
Queries: $X_i \mapsto F_k(X_i)$ in the real world; $X_i \mapsto \$$ (a fresh uniform value for each new $X_i$) in the ideal world
Pseudorandom permutations (PRPs)
[Figure: $D$ queries either $E_k$ (uniform secret key $k$) or $\mathrm{RP}_n$ and outputs 0/1.]
$\mathrm{Adv}^{\mathrm{prp}}_{E}(D) = \Pr[D^{E_k} \Rightarrow 1] - \Pr[D^{\mathrm{RP}} \Rightarrow 1]$
$E_k: \{0,1\}^n \to \{0,1\}^n$, a permutation for all $k$, with a uniform secret key $k$
$\mathrm{RP}_n$: a randomly selected permutation $\{0,1\}^n \to \{0,1\}^n$
Queries: $X_i \mapsto E_k(X_i)$ in the real world; $X_i \mapsto \$$ (a fresh uniform value, distinct from earlier answers) in the ideal world
Strong PRPs
[Figure: as for PRPs, but $D$ may also query the inverse of $E_k$ / $\mathrm{RP}_n$.]
$\mathrm{Adv}^{\pm\mathrm{prp}}_{E}(D) = \Pr[D^{E_k, E_k^{-1}} \Rightarrow 1] - \Pr[D^{\mathrm{RP}, \mathrm{RP}^{-1}} \Rightarrow 1]$
Additionally allow for inverse queries! $Y_i \mapsto E_k^{-1}(Y_i)$ in the real world; $Y_i \mapsto \$$ in the ideal world
Computational indistinguishability: $\forall D$ with runtime $T$: $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \varepsilon$
This talk: Information-theoretic indistinguishability
$\forall D$ making $q$ queries: $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \varepsilon$
Necessary for PRFs, PRPs, …
Arises (often) for two specific reasons:
1. Intermediate step
2. Security proof in an ideal model
Example I – Feistel Networks [LR85]
Goal: Build a PRP from a PRF $F$
[Figure: an $r$-round Feistel network with round functions $F_{k_1}, F_{k_2}, \dots, F_{k_r}$. Step 1 (computational): replace $F_{k_1}, \dots, F_{k_r}$ by independent random functions $R_1, R_2, R_3, \dots$ using PRF security. Step 2 (information-theoretic): show that the Feistel network with random round functions is indistinguishable from $\mathrm{RP}$.]
The information-theoretic step is the technical core of the proof!
Dozens of papers in this spirit, analyzing Feistel & friends [LR85, P90, M92, P97, P98, NR99, MP03, P04, MOPS06, MPS09, HR10, HMP12, RY13, MR14, …]
Example II – Even-Mansour [EM97]
Goal: Build a block cipher / PRP from an (unkeyed) permutation $\pi$
[Figure: $\mathrm{EM}^{\pi}_{K_0,K_1}(X) = K_1 \oplus \pi(K_0 \oplus X)$.]
Caveat: No non-trivial computational assumption on $\pi$ yields security!
Solution: Assume that $\pi$ is randomly chosen
Real world: $(\mathrm{EM}^{\pi}_{K_0,K_1}, \pi)$; ideal world: $(\mathrm{RP}, \pi)$
$q$ "online" queries to $\mathrm{EM}$ / $\mathrm{RP}$ (and inverse)
$p$ "off-line" queries to $\pi$ or $\pi^{-1}$
Guarantees security for generic attacks treating $\pi$ as a black box
$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{EM}}(p, q)$
Focus on concrete security
Parameterize the distinguisher through its number of queries $q$:
$\mathrm{Adv}^{\mathrm{dist}}_{F,G}(q) = \max_{D \in \mathcal{D}_q} \mathrm{Adv}^{\mathrm{dist}}_{F,G}(D)$
Goal: Determine $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(q)$ as precisely as possible
But concrete analyses are not easy…
Key-alternating ciphers aka "iterated Even-Mansour cipher"
Abstraction of the AES structure, introduced by Bogdanov et al. [BKLSST12]
$\mathrm{KAC}[n, r]$ on $n$-bit blocks: $\mathrm{KAC}[n,r]^{\pi_1,\dots,\pi_r}_{K_0,\dots,K_r}(X) = K_r \oplus \pi_r(\cdots K_1 \oplus \pi_1(K_0 \oplus X) \cdots)$
$\varepsilon_{n,r}(p, q) = \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{KAC}[n,r]}(p, q)$
$p$ = number of queries to the (random) $\pi_1, \dots, \pi_r$ and $\pi_1^{-1}, \dots, \pi_r^{-1}$
$q$ = number of queries to $\mathrm{KAC}[n, r]$ (and its inverse) with random secret keys
Convention: $N = 2^n$
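A toy implementation of $\mathrm{KAC}[n, r]$, with Even-Mansour as the $r = 1$ case, added here as an example; it is not code from the talk or from [HT16]. It assumes nothing beyond the definition on this slide: the public permutations $\pi_i$ are sampled from a seeded PRNG as lookup tables, $n = 8$ keeps those tables tiny, and the class and function names are mine.

```python
import random
from typing import List


def sample_permutation(n: int, rng: random.Random) -> List[int]:
    """A uniformly random permutation of {0,1}^n as a lookup table: plays the role of a public pi_i."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table


def invert_permutation(table: List[int]) -> List[int]:
    """Lookup table for pi_i^{-1}, needed for decryption and for backward offline queries."""
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return inverse


class KAC:
    """KAC[n, r]: Y = K_r xor pi_r( ... K_1 xor pi_1(K_0 xor X) ... ).
    The r permutations are public (offline queries); the r+1 keys K_0..K_r are secret."""

    def __init__(self, n: int, perms: List[List[int]], keys: List[int]) -> None:
        if len(keys) != len(perms) + 1:
            raise ValueError("KAC[n, r] needs r permutations and r+1 keys")
        self.n = n
        self.r = len(perms)
        self.perms = perms
        self.inv_perms = [invert_permutation(p) for p in perms]
        self.keys = keys

    def encrypt(self, x: int) -> int:
        y = x ^ self.keys[0]
        for i in range(self.r):
            y = self.perms[i][y] ^ self.keys[i + 1]
        return y

    def decrypt(self, y: int) -> int:
        x = y
        for i in reversed(range(self.r)):
            x = self.inv_perms[i][x ^ self.keys[i + 1]]
        return x ^ self.keys[0]


def build_kac(n: int, r: int, seed: int) -> KAC:
    """Sample r public permutations and r+1 uniform n-bit keys (seeded only for reproducibility)."""
    rng = random.Random(seed)
    perms = [sample_permutation(n, rng) for _ in range(r)]
    keys = [rng.getrandbits(n) for _ in range(r + 1)]
    return KAC(n, perms, keys)


def even_mansour(n: int, seed: int) -> KAC:
    """Even-Mansour [EM97] is exactly KAC[n, 1]: Y = K_1 xor pi(K_0 xor X)."""
    return build_kac(n, 1, seed)


def is_permutation(cipher: KAC) -> bool:
    """E_K must be a bijection on {0,1}^n; this is what makes KAC a candidate PRP at all."""
    return len({cipher.encrypt(x) for x in range(1 << cipher.n)}) == 1 << cipher.n


def roundtrip_ok(cipher: KAC) -> bool:
    """decrypt(encrypt(x)) == x over the whole domain."""
    return all(cipher.decrypt(cipher.encrypt(x)) == x for x in range(1 << cipher.n))


if __name__ == "__main__":
    kac = build_kac(8, 3, seed=2016)
    print("KAC[8,3] is a permutation:", is_permutation(kac), "roundtrip:", roundtrip_ok(kac))
    em = even_mansour(8, seed=1997)
    print("EM(0x2a) =", hex(em.encrypt(0x2A)))
```

The offline/online split of the slides maps directly onto this code: an attacker may call `perms[i]` / `inv_perms[i]` as often as the budget $p$ allows, but only sees `encrypt`/`decrypt` under the hidden `keys` for its $q$ online queries.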
Bounds for KACs [For simplicity, assume $p = q$]
Paper | Bound | Security level
[EM97] | $q^2 / N$ | $N^{1/2}$
[BKLSST12] [S12] | $4.3\, q^3 r / N^2 + (r+1)\, q / N^{r/(r+1)}$ | $N^{2/3}$
[LPS12] | $2^2 (2q)^{r/2+1} / N^{r/2}$ | $N^{(r/2)/(r/2+1)}$
[CS14] | $\left( (6q)^{r+1} r^{r+3} / N^r \right)^{1/(r+2)}$ | $\Omega(N^{r/(r+1)})$
Dream bound | $q^{r+1} / N^r$ | $N^{r/(r+1)}$, with a "matching attack" when $r$ is constant
Question: Can we improve the upper bounds to match the "dream bound"? And does it matter?
Bounds for KACs – Does it matter?
$\varepsilon(q, N) = \left( \frac{(6q)^{r+1} r^{r+3}}{N^r} \right)^{1/(r+2)}$ [CS14] vs. $\delta(q, N) = \frac{q^{r+1}}{N^r}$ [dream bound]
Asymptotic tightness: both become vacuous at $q(n) = 2^{\frac{r}{r+1} n}$
e.g. $N = 2^{128}$, $r = 10$, $p = q$
[Figure: plot of $\varepsilon(q, N)$ and $\delta(q, N)$ against $\log_2 q$ from 1 to 127, y-axis from 0 to 1.2. At $q = 2^{112}$, $\delta(q, N) = 2^{-48}$ while $\varepsilon(q, N) \gg 1$.]
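Carrying the comparison on this slide through in code, as an added example that is not from the talk: the bounds are evaluated in the $\log_2$ domain so that $N = 2^{128}$ and $r = 10$ cause no overflow, and a helper finds the largest power-of-two query budget at which each bound still leaves the advantage at most $1/2$. The [HT16] bound $q(6p)^r / N^r$ from the next slide is included with $p = q$; the function names are mine.

```python
import math


def log2_cs14_bound(log2_q: float, n: int, r: int) -> float:
    """log2 of eps(q, N) = ((6q)^{r+1} r^{r+3} / N^r)^{1/(r+2)} with N = 2^n [CS14]."""
    return ((r + 1) * (math.log2(6) + log2_q) + (r + 3) * math.log2(r) - r * n) / (r + 2)


def log2_dream_bound(log2_q: float, n: int, r: int) -> float:
    """log2 of delta(q, N) = q^{r+1} / N^r (the 'dream bound', matched by a generic attack)."""
    return (r + 1) * log2_q - r * n


def log2_ht16_bound(log2_p: float, log2_q: float, n: int, r: int) -> float:
    """log2 of q (6p)^r / N^r, the exact bound of [HT16]."""
    return log2_q + r * (math.log2(6) + log2_p) - r * n


def max_secure_log2_q(bound, n: int, r: int, log2_threshold: float = -1.0):
    """Largest integer log2 q in [1, n) for which bound(log2 q, n, r) <= log2_threshold,
    i.e. the bound still guarantees advantage <= 2^log2_threshold (1/2 by default).
    Every bound here is monotone in q, so a linear scan suffices; None if no q qualifies."""
    best = None
    for log2_q in range(1, n):
        if bound(log2_q, n, r) <= log2_threshold:
            best = log2_q
    return best


def compare(n: int = 128, r: int = 10) -> dict:
    """The slide's parameters: N = 2^128, r = 10, p = q.
    Returns, per bound, the largest log2 q at which the advantage is still provably <= 1/2."""
    return {
        "CS14": max_secure_log2_q(log2_cs14_bound, n, r),
        "dream": max_secure_log2_q(log2_dream_bound, n, r),
        "HT16 (p = q)": max_secure_log2_q(lambda lq, n_, r_: log2_ht16_bound(lq, lq, n_, r_), n, r),
    }


if __name__ == "__main__":
    print("at q = 2^112: log2 delta =", log2_dream_bound(112, 128, 10),
          " log2 eps(CS14) =", round(log2_cs14_bound(112, 128, 10), 2))
    print(compare())
```

With these parameters the [CS14] bound stops being useful eight bits of query budget earlier than the dream bound, which is exactly the gap the plot on the slide illustrates; the exponent $1/(r+2)$ is what flattens $\varepsilon(q, N)$.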
Our result – Achieving the "dream bound"
Theorem. [HT16] For all $p, q \le N$,
$\varepsilon_{n,r}(p, q) \le \frac{q\,(6p)^r}{N^r}$
The rest of the talk will show how the choice of techniques affects proving such a result.
Interlude: IT indistinguishability proofs
Common approach – bad-event analyses [M02, BR06]
[Figure: $D$ interacts with $F$ or $G$; a flag indicates that a "bad event" has occurred.]
Equivalent-until-bad: $F$ and $G$ behave identically up to the bad event happening
Then: $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(q) \le \Pr[\text{bad event within } q \text{ queries}]$
[Maurer-Pietrzak-Renner '07] show that bad-event analyses are "universal", but the bad-event description can be extremely large.
Recent revival – Transcript-centric approach
Interactions define transcripts: $D$'s interaction with $F$ yields $T_F = ((X_1, Y_1), \dots, (X_q, Y_q))$; its interaction with $G$ yields $T_G = ((X'_1, Y'_1), \dots, (X'_q, Y'_q))$
Fact. $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \mathbf{SD}(T_F, T_G)$
$\mathbf{SD}(T_F, T_G) = \frac{1}{2} \sum_{\tau} \left| \Pr[T_F = \tau] - \Pr[T_G = \tau] \right|$
Describing systems
$F$ is fully described by its interpolation probabilities
$p_F((X_1, Y_1), \dots, (X_q, Y_q))$ = probability that $F$ responds $Y_1, \dots, Y_q$ when queried with $X_1, \dots, X_q$
Examples (for distinct $X_1, \dots, X_q$):
$p_{\mathrm{RF}_{m,n}}((X_1, Y_1), \dots, (X_q, Y_q)) = \frac{1}{2^{nq}}$
$p_{\mathrm{RP}_n}((X_1, Y_1), \dots, (X_q, Y_q)) = \frac{1}{2^n (2^n - 1) \cdots (2^n - q + 1)}$ for distinct $Y_1, \dots, Y_q$ (and $0$ otherwise)
Point-wise proximity [Pat98, Ber99, HT16]
$\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \mathbf{SD}(T_F, T_G) = \sum_{\tau \in \mathcal{T}^{+}} \left( p_G(\tau) - p_F(\tau) \right)$, where $\mathcal{T}^{+} = \{ \tau : \Pr[T_G = \tau] > \Pr[T_F = \tau] \}$
Fact: If $D$ is deterministic: 1. $\Pr[T_F = \tau] \in \{0, p_F(\tau)\}$; 2. $\Pr[T_F = \tau] = p_F(\tau) > 0$ iff $\Pr[T_G = \tau] = p_G(\tau) > 0$
Lemma. If $p_G(\tau) - p_F(\tau) \le \varepsilon(q) \cdot p_G(\tau)$ for all $q$-query $\tau$, then $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \varepsilon(q)$ (the sum over $\mathcal{T}^{+}$ is then at most $\varepsilon(q) \sum_{\tau} p_G(\tau) \le \varepsilon(q)$)
Point-wise proximity – Switching Lemma, revisited
Lemma. If $p_G(\tau) - p_F(\tau) \le \varepsilon(q) \cdot p_G(\tau)$ for all $q$-query $\tau$, then $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \varepsilon(q)$
Take $F = \mathrm{RF}_{n,n}$ and $G = \mathrm{RP}_n$. Fix an arbitrary $\tau = ((X_1, Y_1), \dots, (X_q, Y_q))$ with distinct $X_i$'s and distinct $Y_i$'s (for any other $\tau$, $p_G(\tau) = 0$ and there is nothing to show). Then
$p_G(\tau) - p_F(\tau) = \frac{1}{N(N-1)\cdots(N-q+1)} - \frac{1}{N^q} = p_G(\tau) \left( 1 - \frac{N(N-1)\cdots(N-q+1)}{N^q} \right) = p_G(\tau) \cdot p_{\mathrm{coll}}(N, q)$
where $p_{\mathrm{coll}}(N, q)$ is the probability that $q$ uniform $n$-bit strings are not all distinct, so $\varepsilon(q) = p_{\mathrm{coll}}(N, q) \le \frac{q(q-1)}{2N}$.
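The switching-lemma computation above, carried out exactly in code as an added example (not from the talk): for a distinguisher making $q$ distinct queries it enumerates every answer tuple, evaluates $p_{\mathrm{RF}}$ and $p_{\mathrm{RP}}$ on each, and checks that the statistical distance equals $p_{\mathrm{coll}}(N, q)$ and stays below the birthday bound $q(q-1)/(2N)$. A tiny $N = 8$ is chosen only so that brute force over all $N^q$ transcripts is feasible; the function names are mine.

```python
from fractions import Fraction
from itertools import product
from math import prod
from typing import Tuple


def falling_factorial(N: int, q: int) -> int:
    """N (N-1) ... (N-q+1): the number of sequences of q distinct values out of N."""
    return prod(N - i for i in range(q))


def p_rf(ys: Tuple[int, ...], N: int) -> Fraction:
    """Interpolation probability of RF_{n,n} answering ys to q distinct queries: 1 / N^q."""
    return Fraction(1, N ** len(ys))


def p_rp(ys: Tuple[int, ...], N: int) -> Fraction:
    """Interpolation probability of RP_n: 1 / (N (N-1) ... (N-q+1)) if the answers are distinct, else 0."""
    q = len(ys)
    if len(set(ys)) != q:
        return Fraction(0)
    return Fraction(1, falling_factorial(N, q))


def p_coll(N: int, q: int) -> Fraction:
    """Probability that q uniform values from a set of size N are not all distinct."""
    return 1 - Fraction(falling_factorial(N, q), N ** q)


def birthday_bound(N: int, q: int) -> Fraction:
    """Union bound over the q(q-1)/2 pairs, each colliding with probability 1/N."""
    return Fraction(q * (q - 1), 2 * N)


def pointwise_epsilon(N: int, q: int) -> Fraction:
    """(p_G(tau) - p_F(tau)) / p_G(tau) for a collision-free tau, G = RP_n and F = RF_{n,n}.
    By the slide's derivation this does not depend on tau and equals p_coll(N, q)."""
    ys = tuple(range(q))  # any tuple of q distinct answers will do
    return (p_rp(ys, N) - p_rf(ys, N)) / p_rp(ys, N)


def statistical_distance_rf_rp(N: int, q: int) -> Fraction:
    """Brute-force SD(T_F, T_G) for a distinguisher asking q fixed distinct queries:
    the transcript is determined by the answer tuple, so we sum over all N^q of them."""
    total = Fraction(0)
    for ys in product(range(N), repeat=q):
        total += abs(p_rf(ys, N) - p_rp(ys, N))
    return total / 2


if __name__ == "__main__":
    N, q = 8, 3
    print("SD =", statistical_distance_rf_rp(N, q), " p_coll =", p_coll(N, q),
          " birthday bound =", birthday_bound(N, q))
```

Because the point-wise ratio is the same for every collision-free transcript, the statistical distance comes out exactly equal to $p_{\mathrm{coll}}(N, q)$ rather than merely bounded by it; the birthday bound is only the convenient closed form on top.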
"H-coefficient method" [P98] – Point-wise proximity is not always applicable
Partition the $q$-query transcripts into good transcripts $\mathcal{G}$ and bad transcripts $\mathcal{B}$.
Lemma. Assume there exists a partition of the $q$-query transcripts such that: 1. $\Pr[T_G \in \mathcal{B}] \le \delta$; 2. $p_G(\tau) - p_F(\tau) \le \varepsilon \cdot p_G(\tau)$ for all $\tau \in \mathcal{G}$.
Then: $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \delta + \varepsilon$
Method largely misunderstood until [Chen-Steinberger, EC'14]. ([Nandi, INDOCRYPT'06] presented a similar lemma.)
Key-alternating ciphers – Back to Key-Alternating Ciphers
Theorem. [HT16] For all $p, q \le N$,
$\varepsilon_{n,r}(p, q) \le \frac{q\,(6p)^r}{N^r}$
We will first discuss [CS14]'s approach.
[Figure: $\mathrm{KAC}[n, r]$ with keys $K_0, K_1, K_2, \dots, K_r$ and permutations $\pi_1, \pi_2, \dots, \pi_r$ on $n$-bit blocks.]
Transcripts
Distinguisher can perform: • Online queries to $\mathrm{KAC}[n, r]$ / $\mathrm{RP}_n$ • Offline queries to $\pi_1, \dots, \pi_r$
Transcript:
$\tau = ((+, X, Y), (3, -, u, v), \dots, (1, +, u', v'), \dots)$
$(+, X, Y)$: forward online query $X$ returned $Y$. $(3, -, u, v)$: backward offline query $v$ to $\pi_3$ returned $u$. $(1, +, u', v')$: forward offline query $u'$ to $\pi_1$ returned $v'$.
Transcripts as an undirected graph
$\tau = ((+, X, Y), (3, -, u, v), \dots, (1, +, u', v'), \dots)$
[Figure: one column of vertices per permutation $\pi_1, \pi_2, \pi_3$ (inputs on the left, outputs on the right). Each offline query, e.g. $u' \mapsto v'$ under $\pi_1$ or $u \mapsto v$ under $\pi_3$, is an edge inside its column; an online query $X \mapsto Y$ connects the plaintext side to the ciphertext side.]
Bad transcripts
Wanted: a partition into Good and Bad transcripts
$\tau = ((+, X, Y), (3, -, u, v), \dots, (1, +, u', v'), \dots, K_0, K_1, \dots, K_r)$
Add the secret keys to the transcript:
In the real world: the keys are given to the adversary after it stops making queries (will not hurt us!)
In the ideal world: fresh, random, independent keys are given to the distinguisher
Transcripts – Including keys
[Figure: the same graph with the keys $K_0, K_1, K_2, K_3$ placed between the columns $\pi_1, \pi_2, \pi_3$; key $K_i$ links an output $v$ of $\pi_i$ to the input $v \oplus K_i$ of $\pi_{i+1}$.]
A lucky case – Real world
[Figure: an online query $X \mapsto Y$ whose entire path through $\pi_1, \pi_2, \pi_3$, linked by the keys, is covered by offline queries.]
A lucky case – Ideal world
[Figure: the same kind of full path, formed by the ideal-world keys and the offline queries.]
Clearly cannot happen in the real world: leads to easy distinguishing!
We call such a path a chain.
Good and bad – First attempt
We say $\tau$ is bad if $G(\tau)$ (the graph of $\tau$) contains a chain.
Lemma. $\Pr[T_{\mathrm{ideal}} \in \mathcal{B}] \le \frac{(r+1)\, q\, p^r}{N^r} \le \frac{q\,(2p)^r}{N^r}$
The probability only depends on the choice of keys, and the bound holds for any choice of the permutations.
Key problem
Show that for all good transcripts $\tau$: $\frac{p_{\mathrm{real}}(\tau)}{p_{\mathrm{ideal}}(\tau)} \ge 1 - \varepsilon$ for some $\varepsilon$
Good ratios
Using techniques from [CS14]. For all good $\tau$:
$\frac{p_{\mathrm{real}}(\tau)}{p_{\mathrm{ideal}}(\tau)} \ge 1 - \sum_{k=1}^{r} \sum_{0 \le a < b \le r} R_{a,b,k}[\tau] \sum_{\sigma \in \mathcal{S}(a,b)} \prod_{(i,j) \in \sigma} \frac{Z(i, j)}{N - p_j - q}$
where $\sigma = ((i_0, i_1), (i_1, i_2), \dots, (i_{t-1}, i_t))$ with $a = i_0 < i_1 < \cdots < i_t = b$, the $R_{a,b,k}[\tau]$ are 0/1 coefficients, and $Z(i, j)$ is the number of paths (in the graph of $\tau$) involving $\pi_{i+1}, \dots, \pi_j$.
Is the subtracted sum $\le \varepsilon$?
Good and bad – [CS14]
Define $\varepsilon(\tau) = \sum_{k=1}^{r} \sum_{0 \le a < b \le r} R_{a,b,k}[\tau] \sum_{\sigma \in \mathcal{S}(a,b)} \prod_{(i,j) \in \sigma} \frac{Z(i, j)}{N - p_j - q}$
One expects $\mathbf{E}[Z(i, j)] = p_{i+1} \cdots p_j / N^{j-i-1}$ (with $p_\ell$ the number of offline queries to $\pi_\ell$)
Goal: Find the best possible upper bound $\varepsilon$ on $\varepsilon(\tau)$ for good transcripts
Hypothetically: if $Z(i, j) = p_{i+1} \cdots p_j / N^{j-i-1}$ for all $i < j$, then $\varepsilon(\tau) = O(q\, p_1 \cdots p_r / N^r)$
Good or bad – Caveat
All we can guarantee: Markov's inequality: $\Pr[Z(i, j) > t \cdot \mathbf{E}[Z(i, j)]] < 1/t$
CS14's idea: add such transcripts (those with some $Z(i, j)$ above $t$ times its expectation) to the set of bad transcripts
Problem: Need to find the smallest possible $t$; creates a non-tight bound
Our approach – Expectation Method [HT16]
Theorem. Assume there exists a non-negative function $\varepsilon$ such that $p_G(\tau) - p_F(\tau) \le \varepsilon(\tau) \cdot p_G(\tau)$ for all $q$-query $\tau$. Then $\mathrm{Adv}^{\mathrm{dist}}_{F,G}(D) \le \mathbf{E}[\varepsilon(T_G)]$
H-coefficient method: special case where
$\varepsilon(\tau) = \begin{cases} 1 & \text{if } \tau \text{ is bad} \\ \varepsilon & \text{if } \tau \text{ is good} \end{cases}$
Applying the expectation method
Let
$\varepsilon(\tau) = \begin{cases} \sum_{k=1}^{r} \sum_{0 \le a < b \le r} R_{a,b,k}[\tau] \sum_{\sigma \in \mathcal{S}(a,b)} \prod_{(i,j) \in \sigma} \frac{Z(i, j)}{N - p_j - q} & \text{if } \tau \text{ is good (i.e., without a chain)} \\ 1 & \text{if } \tau \text{ is bad (i.e., with a chain)} \end{cases}$
Lemma. $\mathbf{E}[\varepsilon(T_{\mathrm{ideal}})] \le \frac{q\,(6p)^r}{N^r}$
Some additional non-trivial facts:
• Full-domain queries allowed
• We show point-wise proximity
Information-theoretic indistinguishability and reductions
Cryptographic reductions
Often, security of Application 1 can be reduced to security of Application 2: a successful adversary A for Application 1 yields a successful adversary B for Application 2.
Not always best…
Solution – Transcript reductions
"Classical" reduction: Adv. A for Problem 1 → Reduction → Adv. B for Problem 2
Issue: Exploits a-priori defined quantities, e.g., the overall number of queries $q$
Here: Transcript reductions: Transcript for Problem 1 → Reduction → Transcript for Problem 2
Benefit: Can exploit a-posteriori defined quantities
Multi-user security
[Figure: real world: $\pi$ and $C_{K_1}, \dots, C_{K_u}$; ideal world: $\pi$ and $\mathrm{RP}_1, \dots, \mathrm{RP}_u$.]
$u$ users with independent keys
(overall) $q$ "online" queries, $p$ "off-line" queries
Distinguishing adv. $\equiv \mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{C}(p, q)$
Lemma. $\mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{C}(p, q) \le u \cdot \mathrm{Adv}^{\pm\mathrm{prp}}_{C}(p + qr, q)$
Can be substantial, up to $u = q$ possible!
e.g., $\frac{qp}{N} \Longrightarrow \frac{q^2 (p + q)}{N}$
Hybrid Argument
Lemma. $\mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{C}(p, q) \le u \cdot \mathrm{Adv}^{\pm\mathrm{prp}}_{C}(p + qr, q)$
$u + 1$ hybrids: $(\pi, C_{K_1}, C_{K_2}, \dots, C_{K_u})$, $(\pi, \mathrm{RP}_1, C_{K_2}, \dots, C_{K_u})$, …, $(\pi, \mathrm{RP}_1, \mathrm{RP}_2, \dots, \mathrm{RP}_u)$
Each neighboring pair differs by $\le \mathrm{Adv}^{\pm\mathrm{prp}}_{C}(p + qr, q)$: up to $q$ queries to the first user; need to simulate users $2, \dots, u$ (each of their online queries costs $r$ calls to $\pi$, hence $p + qr$ offline queries)
Improving the hybrid argument
What if we know an a-priori bound $q_i$ on the queries for user $i$? [in particular: $q = \sum_i q_i$]
Lemma. $\mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{C}(p, q) \le u \cdot \mathrm{Adv}^{\pm\mathrm{prp}}_{C}(p + qr, q)$
Lemma. $\mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{C}(p, q) \le \sum_{i=1}^{u} \mathrm{Adv}^{\pm\mathrm{prp}}_{C}(p + qr, q_i)$
Before: $\frac{qp}{N} \Longrightarrow \frac{q^2 (p + q)}{N}$
Now: $\frac{qp}{N} \Longrightarrow \sum_{i=1}^{u} \frac{q_i (p + q)}{N} = \frac{q (p + q)}{N}$
From su to mu security – generically
[Figure: real world: $\pi$ and $C_{K_1}, \dots, C_{K_u}$; ideal world: $\pi$ and $\mathrm{RP}_1, \dots, \mathrm{RP}_u$.]
Theorem. [HT16] If for all $\tau$ with $q$ online and $p$ offline queries,
$p_{\mathrm{RP},\pi}(\tau) - p_{C^{\pi},\pi}(\tau) \le \varepsilon(p, q) \cdot p_{\mathrm{RP},\pi}(\tau)$,
then for all $\tau$ with $q$ online and $p$ offline queries,
$p_{\mathrm{RP}^u,\pi}(\tau) - p_{C^{\pi,u},\pi}(\tau) \le 2 \sum_{i=1}^{u} \varepsilon(p + qr, q_i) \cdot p_{\mathrm{RP}^u,\pi}(\tau)$
where $q_i$ is the number of queries to user $i$ in $\tau$. Well defined (the $q_i$ are read off the transcript, a-posteriori)! Usually $\le \varepsilon(p + qr, q)$.
Application to KACs
Corollary. $\mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{\mathrm{KAC}[n,r]}(p, q) \le \frac{q\,(6(p + qr))^r}{N^r}$
Example. Even-Mansour
$\mathrm{Adv}^{\pm\mathrm{mu\text{-}prp}}_{\mathrm{EM}}(p, q) \le \frac{6pq + 6q^2}{N}$
A direct proof was given by Mouha and Luykx (CRYPTO '15).
Example 2 – Key-length extension
[Figure: block cipher $E$ with key $K$, $|K| = k$, mapping $M$ to $C$, $|M| = |C| = n$.]
Goal: Give a block-cipher construction $C^E$ with security beyond $2^k$ queries (in the ideal-cipher model)
[BR06, GM09, GT12, G13, L13, GLSST15, DSM?14, …]
XOR Cascades [GT12, G13, L13, GLSST15]
$\mathrm{XORC}[k, n, r]$: whitening keys $W_0, W_1, W_2, \dots, W_r$ and cipher keys $K_1, K_2, \dots, K_r$; $C = W_r \oplus E_{K_r}(\cdots W_1 \oplus E_{K_1}(W_0 \oplus M) \cdots)$
Dream Theorem.
$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{XORC}[k,n,r]}(p, q) \le \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{KAC}[n,r]}\!\left( \frac{pr}{2^k}, q \right) + \frac{r^2}{2^k} \le \frac{q\, p^r}{2^{(n+k)r}} + \frac{r^2}{2^k}$ (constants omitted)
$pr / 2^k$: expected number of relevant queries (offline ideal-cipher queries made under one of the $r$ secret cipher keys)
$r^2 / 2^k$: no collision across keys
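The XOR cascade above in code, as an added example that is not from the talk or from [HT16]: the ideal cipher $E$ is modeled as an independent random permutation per key, sampled lazily from a seeded PRNG (toy sizes $k = 6$, $n = 8$), and a helper counts which of a batch of offline ideal-cipher queries are "relevant", i.e. made under one of the $r$ secret cipher keys, the quantity whose expectation $pr / 2^k$ appears in the dream theorem. Class and function names and the constructed query lists are mine.

```python
import random
from typing import Dict, List, Tuple


class IdealCipher:
    """Ideal-cipher model: every k-bit key selects an independent uniformly random n-bit permutation.
    Tables are sampled lazily per key; a seeded PRNG stands in for true randomness (toy only)."""

    def __init__(self, k: int, n: int, seed: int) -> None:
        self.k, self.n = k, n
        self.rng = random.Random(seed)
        self.tables: Dict[int, Tuple[List[int], List[int]]] = {}
        self.offline_queries = 0  # the 'p' of the slides

    def _table(self, key: int) -> Tuple[List[int], List[int]]:
        if key not in self.tables:
            forward = list(range(1 << self.n))
            self.rng.shuffle(forward)
            inverse = [0] * len(forward)
            for x, y in enumerate(forward):
                inverse[y] = x
            self.tables[key] = (forward, inverse)
        return self.tables[key]

    def enc(self, key: int, x: int) -> int:
        self.offline_queries += 1
        return self._table(key)[0][x]

    def dec(self, key: int, y: int) -> int:
        self.offline_queries += 1
        return self._table(key)[1][y]


class XORCascade:
    """XORC[k, n, r]: C = W_r xor E_{K_r}( ... W_1 xor E_{K_1}(W_0 xor M) ... ).
    With the K_i fixed, pi_i := E_{K_i} turns this into exactly KAC[n, r] keyed by W_0..W_r."""

    def __init__(self, E: IdealCipher, cipher_keys: List[int], whitening_keys: List[int]) -> None:
        if len(whitening_keys) != len(cipher_keys) + 1:
            raise ValueError("need r cipher keys and r+1 whitening keys")
        self.E, self.K, self.W = E, cipher_keys, whitening_keys

    def encrypt(self, m: int) -> int:
        y = m ^ self.W[0]
        for i, key in enumerate(self.K):
            y = self.E.enc(key, y) ^ self.W[i + 1]
        return y

    def decrypt(self, c: int) -> int:
        x = c
        for i in reversed(range(len(self.K))):
            x = self.E.dec(self.K[i], x ^ self.W[i + 1])
        return x ^ self.W[0]


def build_xorc(k: int, n: int, r: int, seed: int) -> XORCascade:
    """Uniform k-bit cipher keys and n-bit whitening keys over a fresh ideal cipher."""
    rng = random.Random(seed)
    cipher_keys = [rng.getrandbits(k) for _ in range(r)]
    whitening_keys = [rng.getrandbits(n) for _ in range(r + 1)]
    return XORCascade(IdealCipher(k, n, seed + 1), cipher_keys, whitening_keys)


def roundtrip_ok(xc: XORCascade) -> bool:
    return all(xc.decrypt(xc.encrypt(m)) == m for m in range(1 << xc.E.n))


def count_relevant(offline_keys: List[int], cipher_keys: List[int]) -> int:
    """An offline query E_{K'}(.) or E_{K'}^{-1}(.) is relevant iff K' is one of the secret K_i.
    For p uniform K' and r distinct K_i the expected count is p*r/2^k, the dream theorem's first argument."""
    secret = set(cipher_keys)
    return sum(1 for key in offline_keys if key in secret)


if __name__ == "__main__":
    xc = build_xorc(k=6, n=8, r=3, seed=42)
    print("roundtrip:", roundtrip_ok(xc), " offline queries used:", xc.E.offline_queries)
    # constructed: two secret keys {3, 9}; three of the six offline queries hit them
    print("relevant:", count_relevant([3, 3, 5, 9, 0, 63], [3, 9]))
```

Only the relevant queries can contribute edges to the KAC-style graph of a transcript, which is why the reduction to $\mathrm{KAC}[n, r]$ sees $pr / 2^k$ rather than $p$ offline queries; the [HT16] proof below uses the exact count recorded in the transcript rather than its expectation.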
XOR Cascades – Our result vs prior work
Theorem. [GLSST15]
$\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{XORC}}(p, q) \le \mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{KAC}}\!\left( \frac{tp}{2^k}, q \right) + \frac{1}{t} + \frac{r^2}{2^k}$ (the $1/t$ term comes from Markov's inequality; any $t$ may be chosen)
Corollary. $\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{XORC}}(p, q) \le 2 \left( \frac{q\,(6p)^r}{2^{r(n+k)}} \right)^{1/(r+1)} + \frac{r^2}{2^k}$
We show: $\mathrm{Adv}^{\pm\mathrm{prp}}_{\mathrm{XORC}}(p, q) \le \frac{q\,(6p)^r}{2^{r(n+k)}} + \frac{r^2}{2^k}$
The reduction to proximity of KACs exploits knowledge of the exact number of relevant queries, which is included in the transcript!
Concluding remarks
What you have seen: a mixed bag of problems related to key-alternating ciphers.
Common denominator: new techniques for the quantitative study of information-theoretic indistinguishability, aiming at tightness.
Open problem: find further applications
Thank you!