public-seed pseudorandom permutationsย ยท kdm-secure symmetric key enc. (kdm) point function...
TRANSCRIPT
![Page 1: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/1.jpg)
Public-seed Pseudorandom Permutations
Pratik Soni Stefano Tessaro
UC Santa Barbara UC Santa Barbara
EUROCRYPT 2017
![Page 2: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/2.jpg)
Cryptographic schemes often built from generic building blocks
![Page 3: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/3.jpg)
Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
๐ป
๐พ โ ๐๐๐๐ || ๐
๐พ โ ๐๐๐๐
๐ป
hash function (e.g., SHA-3)
๐ธ๐พ
๐1
๐ผ๐
๐2
๐ธ๐พ
๐โ
block cipher (e.g., AES)
![Page 4: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/4.jpg)
Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
Is there a universal and simple building block for efficient symmetric cryptography?
๐ป
๐พ โ ๐๐๐๐ || ๐
๐พ โ ๐๐๐๐
๐ป
hash function (e.g., SHA-3)
๐ธ๐พ
๐1
๐ผ๐
๐2
๐ธ๐พ
๐โ
block cipher (e.g., AES)
![Page 5: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/5.jpg)
Recent trend: Start from seedless permutation
![Page 6: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/6.jpg)
Recent trend: Start from seedless permutation
![Page 7: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/7.jpg)
Recent trend: Start from seedless permutation
Sponge paradigm
![Page 8: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/8.jpg)
Recent trend: Start from seedless permutation
Sponge paradigm
![Page 9: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/9.jpg)
Recent trend: Start from seedless permutation
โฆ
Sponge paradigm
![Page 10: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/10.jpg)
Here: ๐ is an efficiently computable and invertible one-to-one function
Recent trend: Start from seedless permutation
โฆ
Sponge paradigm
![Page 11: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/11.jpg)
Permutations
โโฆ it would be nice, now, if permutations can be called
the Swiss Army Knife [of cryptography]โ โ Joan Daemen, Passwords^12
Hashing Garbling
PRNGs Authenticated Encryption
MACs KDFs
![Page 12: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/12.jpg)
Typical instantiations
![Page 13: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/13.jpg)
Typical instantiations
Ad-hoc construction
e.g., in KECCAK, NORX, โฆ
Designed to withstand cryptanalysis
![Page 14: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/14.jpg)
Typical instantiations
Fixed-key block ciphers
Ad-hoc construction
e.g., in KECCAK, NORX, โฆ
Designed to withstand cryptanalysis
e.g., ๐ โถ ๐ฅ โ AES(0128, ๐ฅ) ๐ด๐ธ๐
0128
![Page 15: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/15.jpg)
Typical instantiations
Fixed-key block ciphers
Ad-hoc construction
e.g., in KECCAK, NORX, โฆ
Designed to withstand cryptanalysis
e.g., ๐ โถ ๐ฅ โ AES(0128, ๐ฅ)
Faster, no re-keying costs!
๐ด๐ธ๐
0128
Faster Hash functions [RS08], fast garbling [BHKR13]
![Page 16: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/16.jpg)
Permutations assumptions
Permutations are great in practice, but what about theory?
![Page 17: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/17.jpg)
Permutations assumptions
Goal: Standard-model reduction: โIf ๐ satisfies ๐ then ๐ถ[๐] satisfies ๐.โ
Permutations are great in practice, but what about theory?
๐0 0
0
๐ ๐ ๐
![Page 18: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/18.jpg)
Permutations assumptions
Goal: Standard-model reduction: โIf ๐ satisfies ๐ then ๐ถ[๐] satisfies ๐.โ
e.g., ๐ถ = KECCAK;
๐ = Anything non-trivial
๐ = ? ? ?
Permutations are great in practice, but what about theory?
๐0 0
0
๐ ๐ ๐
![Page 19: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/19.jpg)
Permutations assumptions
Goal: Standard-model reduction: โIf ๐ satisfies ๐ then ๐ถ[๐] satisfies ๐.โ
e.g., ๐ถ = KECCAK;
๐ = Anything non-trivial
๐ = ? ? ?
Common approach: Use random permutation (RP) model
๐ is random + adversary given oracle access to ๐ and ๐โ1
Permutations are great in practice, but what about theory?
Observation: No standard-model proofs known for permutation-based constructions!
๐0 0
0
๐ ๐ ๐
![Page 20: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/20.jpg)
But: random permutations do not exist [CGH98]
![Page 21: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/21.jpg)
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
![Page 22: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/22.jpg)
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
ideal model
random oracle
![Page 23: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/23.jpg)
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
ideal model standard model
random oracle CRHF, OWFs, UOWHFs,
CI, UCEsโฆ
![Page 24: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/24.jpg)
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
Permutations
ideal model standard model
random oracle
RP
CRHF, OWFs, UOWHFs, CI, UCEsโฆ
????
![Page 25: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/25.jpg)
But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:
Hash functions
Permutations
ideal model standard model
random oracle
RP
CRHF, OWFs, UOWHFs, CI, UCEsโฆ
????
What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness โฆ
![Page 26: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/26.jpg)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
![Page 27: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/27.jpg)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
![Page 28: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/28.jpg)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
![Page 29: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/29.jpg)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
![Page 30: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/30.jpg)
This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
![Page 31: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/31.jpg)
This work, in a nutshell
inspired by the UCE framework [BHK13]
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
![Page 32: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/32.jpg)
This work, in a nutshell
inspired by the UCE framework [BHK13]
First plausible and useful standard-model security assumption for permutations.
โPublic-seed Pseudorandom Permutationsโ (psPRPs)
We address two main questions:
Can we get psPRPs at all?
Are psPRPs useful?
Yes! Yes!
![Page 33: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/33.jpg)
psPRPs have many applications
![Page 34: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/34.jpg)
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท
![Page 35: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/35.jpg)
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
![Page 36: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/36.jpg)
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Efficient garbling from fixed-key block-ciphers
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
Sponges
![Page 37: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/37.jpg)
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
Efficient garbling from fixed-key block-ciphers
Sponges
![Page 38: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/38.jpg)
psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
โฆ
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE) ๐๐๐ท๐น๐ท ๐ผ๐ช๐ฌ
Efficient garbling from fixed-key block-ciphers
Sponges
Feistel
![Page 39: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/39.jpg)
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
![Page 40: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/40.jpg)
๐ = (๐บ๐๐, ๐, ๐โ1) ๐ โถ 0,1 ๐ โ 0,1 ๐
We consider seeded permutations
![Page 41: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/41.jpg)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐บ๐๐ ๐ฅ ๐๐ ๐ฅ
๐ โถ 0,1 ๐ โ 0,1 ๐
๐๐ 1๐ ๐
Seed generation
๐ฆ ๐๐ โ1 ๐ฆ ๐๐
โ1
Forward evaluation
Backward evaluation
Efficient (poly-time) algorithms
(2) โ๐ฅ โถ ๐๐ โ1 ๐๐ ๐ฅ = ๐ฅ
(1) ๐๐ โถ 0,1 ๐ โ 0,1 ๐
We consider seeded permutations
![Page 42: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/42.jpg)
Traditional security notion if seed is secret: Pseudorandom Permutation
![Page 43: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/43.jpg)
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
๐ โ Perms(๐)
๐/๐โ1 โ
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
![Page 44: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/44.jpg)
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
๐ โ Perms(๐)
๐/๐โ1 โ
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
![Page 45: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/45.jpg)
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
5
๐ โ Perms(๐)
๐/๐โ1 โ
Stage 1: โข Oracle access โข Secret seed
Stage 2: โข Learns seed โข No oracle access
Traditional security notion if seed is secret: Pseudorandom Permutation
0/1
![Page 46: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/46.jpg)
๐ท
๐ โ Gen(1๐)
๐s / ๐๐ โ1
5
๐ โ Perms(๐)
๐/๐โ1 โ
Stage 1: โข Oracle access โข Secret seed
Stage 2: โข Learns seed โข No oracle access
Traditional security notion if seed is secret: Pseudorandom Permutation
Limited information
flow
0/1
![Page 47: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/47.jpg)
UCE security
๐ป = (๐บ๐๐, โ)
Bellare Hoang Keelveedhi
![Page 48: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/48.jpg)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ป = (๐บ๐๐, โ)
Bellare Hoang Keelveedhi
![Page 49: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/49.jpg)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ป = (๐บ๐๐, โ)
Bellare Hoang Keelveedhi
![Page 50: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/50.jpg)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
![Page 51: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/51.jpg)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
๐
๐ โ Gen(1๐)
![Page 52: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/52.jpg)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
0/1
๐
![Page 53: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/53.jpg)
๐ โ Funcs(๐, ๐) ๐
๐ โ Gen(1๐)
โ๐
UCE security
๐ source
๐ฟ
๐ป = (๐บ๐๐, โ)
distinguisher
๐ท
Bellare Hoang Keelveedhi
0/1
๐
โ
![Page 54: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/54.jpg)
๐
๐ท
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
![Page 55: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/55.jpg)
๐
๐ท
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
![Page 56: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/56.jpg)
๐
๐ฟ
๐ท
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
![Page 57: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/57.jpg)
๐
๐ฟ
๐ท 0/1
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
![Page 58: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/58.jpg)
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , left and right are indistinguishable.
๐
๐ฟ
๐ท 0/1
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
![Page 59: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/59.jpg)
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , left and right are indistinguishable.
๐
๐ฟ
๐ท 0/1
๐
Makes forward and backward queries!
๐ โ Gen(1๐)
psPRP security
๐ ๐/๐ ๐โ๐ ๐ โ ๐๐๐ซ๐ฆ๐ฌ(๐)
๐ = (๐บ๐๐, ๐, ๐โ1)
๐/๐โ๐
![Page 60: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/60.jpg)
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
![Page 61: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/61.jpg)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
![Page 62: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/62.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
![Page 63: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/63.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ ๐ฆ
![Page 64: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/64.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ ๐ฆ
![Page 65: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/65.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
๐ฆ
![Page 66: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/66.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
1 with prob. 1
๐ฆ
![Page 67: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/67.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
1
1
with prob. 1
with prob. 1/2๐
๐ฆ
![Page 68: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/68.jpg)
(+, 0๐) (+, 0๐)
๐ โ Gen(1๐)
๐๐ /๐๐ โ1 ๐ โ Perms(๐) ๐/๐โ1
๐
๐ฟ = ๐ฆ
๐ท
๐
๐ is ๐๐ ๐๐ ๐-secure if โ PPT ๐, ๐ท , โฆ
๐ฆ
Outputs 1 iff ๐ฆ = ๐๐ 0๐
1
1
with prob. 1
with prob. 1/2๐
๐ฆ
๐๐ ๐๐ ๐-security is impossible against all sources!
โ
![Page 69: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/69.jpg)
Sources need to be restricted
all sources
๐ = (Gen, ๐, ๐โ1)
![Page 70: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/70.jpg)
Sources need to be restricted
all sources
๐ฎ
๐ = (Gen, ๐, ๐โ1)
![Page 71: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/71.jpg)
Sources need to be restricted
๐ is ๐๐ ๐๐ ๐[๐ฎ]-secure if โ ๐ โ ๐ฎ and โ PPT
๐ท, left and right are indistinguishable.
all sources
๐ฎ
๐ = (Gen, ๐, ๐โ1)
๐
๐ฟ
๐ท 0/1
๐
๐ โ Gen(1๐) ๐๐ /๐๐
โ1 ๐ โ Perms(๐) ๐/๐โ1
![Page 72: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/72.jpg)
all
sources
This talk โ unpredictable and reset-secure sources
![Page 73: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/73.jpg)
all
sources
๐ฎ๐ ๐ข๐ unpredictable
This talk โ unpredictable and reset-secure sources
![Page 74: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/74.jpg)
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
![Page 75: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/75.jpg)
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
Both restrictions model that ๐ท cannot predict the queries made by the sources!
![Page 76: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/76.jpg)
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
Both restrictions model that ๐ท cannot predict the queries made by the sources!
๐ฎ๐ ๐ข๐ โ ๐ฎ๐ ๐๐
![Page 77: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/77.jpg)
all
sources
๐ฎ๐ ๐๐ ๐ฎ๐ ๐ข๐ unpredictable
reset-secure
This talk โ unpredictable and reset-secure sources
Both restrictions model that ๐ท cannot predict the queries made by the sources!
๐ฎ๐ ๐ข๐ โ ๐ฎ๐ ๐๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ is a stronger
assumption than ๐๐ ๐๐ ๐ ๐ฎ๐ ๐ข๐ โน
![Page 78: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/78.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
๐ด
๐ โ Perms(๐)
![Page 79: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/79.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ด
๐ โ Perms(๐)
๐ โ {+,โ}
![Page 80: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/80.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ด
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
๐ โ Perms(๐)
๐ โ {+,โ}
![Page 81: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/81.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
๐ โ Perms(๐)
๐ โ {+,โ}
![Page 82: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/82.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
๐ โ Perms(๐)
๐ โ {+,โ}
![Page 83: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/83.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐โฒ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
Pr [ ๐โฒ โฉ ๐ โ ๐] = negl(๐)
๐ โ Perms(๐)
๐ โ {+,โ}
It should be hard for ๐ด to predict any of ๐โs queries or its inverse
![Page 84: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/84.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐โฒ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
Pr [ ๐โฒ โฉ ๐ โ ๐] = negl(๐)
โ
๐ฎ๐ ๐ข๐: ๐ด is computationally unbounded
๐ฎ๐๐ข๐: ๐ด is PPT
๐ โ Perms(๐)
๐ โ {+,โ}
It should be hard for ๐ด to predict any of ๐โs queries or its inverse
![Page 85: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/85.jpg)
Source restrictions โ unpredictability
๐ ๐/๐โ1
(๐, ๐ฅ๐)
๐ฆ๐
๐ด
๐ฟ
๐โฒ
๐ โ ๐ โช { ๐, ๐ฅ๐ , (๐ , ๐ฆ๐)}
Pr [ ๐โฒ โฉ ๐ โ ๐] = negl(๐)
โ
๐ฎ๐ ๐ข๐: ๐ด is computationally unbounded
๐ฎ๐๐ข๐: ๐ด is PPT ๐๐ ๐๐ ๐[๐ฎ๐๐ข๐] impossible if iO
exists [BFM14]
๐ โ Perms(๐)
๐ โ {+,โ}
It should be hard for ๐ด to predict any of ๐โs queries or its inverse
![Page 86: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/86.jpg)
Source restrictions โ reset-security
![Page 87: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/87.jpg)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ โ Perms(๐)
![Page 88: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/88.jpg)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ โ Perms(๐)
![Page 89: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/89.jpg)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
๐ โ Perms(๐)
![Page 90: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/90.jpg)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ โ Perms(๐)
![Page 91: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/91.jpg)
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
![Page 92: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/92.jpg)
โ
Source restrictions โ reset-security
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
![Page 93: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/93.jpg)
โ
Source restrictions โ reset-security
โ
๐ฎ๐ ๐๐ : ๐ is computationally unbounded
๐ฎ๐๐๐ : ๐ is PPT
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
![Page 94: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/94.jpg)
โ
Source restrictions โ reset-security
โ
๐ฎ๐ ๐๐ : ๐ is computationally unbounded
๐ฎ๐๐๐ : ๐ is PPT
๐ ๐/๐โ1
๐
๐ฟ
๐/๐โ1
0/1
๐ ๐/๐โ1
๐
๐ฟ
0/1
๐1/๐1โ1
๐ โ Perms(๐) ๐ โ Perms(๐)
๐1 โ Perms(๐)
๐ฎ๐๐ข๐ โ ๐ฎ๐๐๐
![Page 95: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/95.jpg)
๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]
๐๐ ๐๐ ๐[๐ฎ๐ ๐ข๐]
Recap
![Page 96: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/96.jpg)
๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]
๐๐ ๐๐ ๐[๐ฎ๐ ๐ข๐]
Recap
![Page 97: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/97.jpg)
Recap
![Page 98: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/98.jpg)
Recap
Central assumption in UCE theory
![Page 99: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/99.jpg)
Recap
Central assumption in UCE theory
![Page 100: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/100.jpg)
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
![Page 101: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/101.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
![Page 102: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/102.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
![Page 103: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/103.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
![Page 104: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/104.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
![Page 105: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/105.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
![Page 106: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/106.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Common denominator: A new, restricted notion of indifferentiability!
![Page 107: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/107.jpg)
Next
Co-related input hash
Functions (CIH)
Can we get psPRPs at all?
Are psPRPs useful?
Constructions from UCEs
Heuristic Instantiations
Constructions of UCEs
Direct applications Garbling from fixed-key
block ciphers
Common denominator: A new, restricted notion of indifferentiability! CP-sequential
indifferentiability
![Page 108: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/108.jpg)
๐ถ
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
![Page 109: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/109.jpg)
๐ด ๐ด
๐ถ
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
![Page 110: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/110.jpg)
๐ด ๐ด
๐ถ
? ๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
![Page 111: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/111.jpg)
๐ด ๐ด
๐ถ
๐๐๐ ๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
![Page 112: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/112.jpg)
๐ด ๐ด โ
๐ถ
0/1
๐๐๐
0/1
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
Indifferentiability[MRH04]
![Page 113: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/113.jpg)
โ
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
![Page 114: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/114.jpg)
โ
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ถ ๐ ๐ โผ๐๐๐ ๐ ๐ โ โ PPT ๐๐๐ โ PPT (๐ด1, ๐ด2):
left and right are indistinguishable.
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
![Page 115: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/115.jpg)
โ
Remarks:
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ถ ๐ ๐ โผ๐๐๐ ๐ ๐ โ โ PPT ๐๐๐ โ PPT (๐ด1, ๐ด2):
left and right are indistinguishable.
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
![Page 116: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/116.jpg)
โ
1. Full indifferentiability โน CP-seq indiff.
2. Reverse ordering: seq. indifferentiability [MPS12]
Remarks:
๐ด1 ๐ถ
๐ด2
๐ ๐ก
0/1
๐ด1
๐ด2
๐ ๐ก
๐๐๐
0/1
CP-sequential indifferentiability
๐ถ ๐ ๐ โผ๐๐๐ ๐ ๐ โ โ PPT ๐๐๐ โ PPT (๐ด1, ๐ด2):
left and right are indistinguishable.
๐ ๐
๐/๐โ1
๐ ๐
๐
๐ โ Perms(๐)
๐ โ Funcs(โ, ๐)
![Page 117: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/117.jpg)
From psPRPs to UCEs
Theorem:
![Page 118: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/118.jpg)
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐
๐ถ
Theorem:
๐ ๐
๐/๐โ1
![Page 119: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/119.jpg)
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure
๐ถ
Theorem:
๐ ๐
๐/๐โ1
![Page 120: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/120.jpg)
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐ถ[๐]
๐ถ
Theorem:
๐ ๐
๐/๐โ1
๐๐ /๐๐ โ1
![Page 121: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/121.jpg)
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure. ๐ถ[๐]
๐ถ
Theorem:
๐ ๐
๐/๐โ1
๐๐ /๐๐ โ1
![Page 122: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/122.jpg)
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure. ๐ถ[๐]
Similar result proved in [BHK14], but: โข Need full indifferentiability โข Only stated for UCE domain extension
๐ถ
Theorem:
๐ ๐
๐/๐โ1
๐๐ /๐๐ โ1
![Page 123: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/123.jpg)
From psPRPs to UCEs
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure. ๐ถ[๐]
Similar result proved in [BHK14], but: โข Need full indifferentiability โข Only stated for UCE domain extension
๐ถ
Theorem:
๐ ๐
๐/๐โ1
Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!
๐๐ /๐๐ โ1
![Page 124: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/124.jpg)
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
![Page 125: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/125.jpg)
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
![Page 126: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/126.jpg)
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
๐๐ ๐๐ ๐๐
![Page 127: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/127.jpg)
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Sponge[๐] ๐๐ถ๐ธ ๐ฎ๐ ๐๐ -secure.
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
๐๐ ๐๐ ๐๐
![Page 128: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/128.jpg)
From psPRPs to UCEs โ Sponges
๐ฆ โ {0,1}๐
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Sponge[๐] ๐๐ถ๐ธ ๐ฎ๐ ๐๐ -secure.
Theorem [BDVP08]: Sponge[๐ ๐] โผcpi ๐ ๐.
๐ โ {0,1}โ
๐0 ๐
n โ ๐
0
0
๐
๐
๐ ๐
๐1 ๐2 ๐๐
๐๐ ๐๐ ๐๐
Validates the Sponge paradigm for UCE applications!
![Page 129: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/129.jpg)
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 130: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/130.jpg)
From psPRPs to UCEs โ Chop CP-sequentially indiff. constructions that are not fully indiff.?
![Page 131: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/131.jpg)
From psPRPs to UCEs โ Chop
๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 132: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/132.jpg)
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 133: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/133.jpg)
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 134: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/134.jpg)
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 135: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/135.jpg)
From psPRPs to UCEs โ Chop
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 136: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/136.jpg)
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 137: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/137.jpg)
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Chop ๐ ๐ is not indifferentiable
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 138: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/138.jpg)
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Chop ๐ ๐ is not indifferentiable
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 139: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/139.jpg)
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Chop[๐] ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure.
Chop ๐ ๐ is not indifferentiable
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 140: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/140.jpg)
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Chop[๐] ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure.
Chop ๐ ๐ is not indifferentiable
๐๐ถ๐ธ ๐ฎ๐ ๐ข๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐ข๐
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 141: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/141.jpg)
From psPRPs to UCEs โ Chop
Theorem: Chop[๐ ๐] โผcpi ๐ ๐น when ๐ โ ๐ โ ๐(log ๐).
Corollary: ๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐๐ -secure โน Chop[๐] ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure.
Chop ๐ ๐ is not indifferentiable
๐๐ถ๐ธ ๐ฎ๐ ๐ข๐ ๐๐ ๐๐ ๐ ๐ฎ๐ ๐ข๐
๐ฅ โ {0,1}๐ ๐ฆ โ {0,1}๐
truncates ๐-bits to ๐-bits
๐ ๐๐ ๐ ๐ ๐
From Chop ๐ to VIL UCE: Domain extension techniques [BHK14]
CP-sequentially indiff. constructions that are not fully indiff.?
![Page 142: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/142.jpg)
psPRPs from UCEs Theorem:
![Page 143: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/143.jpg)
psPRPs from UCEs
โ ๐ด1 ๐ถ
๐ด2
๐ ๐ก
๐โฒ
๐ด1
๐ด2
๐ ๐ก
๐๐๐
๐โฒ
๐ ๐
๐ ๐
๐ถ ๐ ๐ โผcpi ๐ ๐
Theorem:
![Page 144: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/144.jpg)
psPRPs from UCEs
โ ๐ด1 ๐ถ
๐ด2
๐ ๐ก
๐โฒ
๐ด1
๐ด2
๐ ๐ก
๐๐๐
๐โฒ
๐ ๐
๐ ๐
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ป ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure ๐ถ ๐ป ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure.
Theorem:
![Page 145: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/145.jpg)
psPRPs from UCEs
โ ๐ด1 ๐ถ
๐ด2
๐ ๐ก
๐โฒ
๐ด1
๐ด2
๐ ๐ก
๐๐๐
๐โฒ
๐ ๐
๐ ๐
Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP.
๐ถ ๐ ๐ โผcpi ๐ ๐ โน +
๐ป ๐๐ถ๐ธ[๐ฎ๐ ๐๐ ]-secure ๐ถ ๐ป ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure.
Theorem:
![Page 146: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/146.jpg)
From UCEs to psPRPs โ Feistel
๐
๐
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5
๐ โ {0,1}2๐
๐5[๐]
๐ โ {0,1}2๐
๐
๐
๐
๐
![Page 147: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/147.jpg)
From UCEs to psPRPs โ Feistel
impossible
[CPS08]
[HKT11] [DS16] [DSKT16]
#rounds for indifferentiability
???
๐
๐
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5
๐ โ {0,1}2๐
๐5[๐]
๐ โ {0,1}2๐
๐
๐
๐
๐
![Page 148: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/148.jpg)
From UCEs to psPRPs โ Feistel
impossible
[CPS08]
[HKT11] [DS16] [DSKT16]
#rounds for indifferentiability
???
๐
๐
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5
๐ โ {0,1}2๐
๐5[๐]
๐ โ {0,1}2๐
๐
๐
๐
๐
psPRPs exist in the standard model if UCEs exist!!!
![Page 149: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/149.jpg)
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
![Page 150: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/150.jpg)
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
![Page 151: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/151.jpg)
Theorem: 5-round Feistel (๐5[๐]) โผcpi ๐ ๐.
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
This work!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
![Page 152: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/152.jpg)
Corollary: ๐ฏ ๐๐ถ๐ธ ๐ฎ๐ ๐๐ -secure โน ๐5[๐ฏ] ๐๐ ๐๐ ๐[๐ฎ๐ ๐๐ ]-secure.
Theorem: 5-round Feistel (๐5[๐]) โผcpi ๐ ๐.
[HKT11] [DS16] [DSKT16]
#rounds for CP-sequential indifferentiability
This work!!!
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
![Page 153: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/153.jpg)
5-round proof is technically involved
![Page 154: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/154.jpg)
5-round proof is technically involved
Our 5-round Sim:
โข Relies on chain completion techniques
โข Heavily exploits query ordering
โข Very different chain-completion strategy from previous works, no recursion needed
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5 Set
uniform Set
uniform
forceVal forceVal
detect detect
![Page 155: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/155.jpg)
5-round proof is technically involved
Our 5-round Sim:
impossible
[LR88]
[HKT11] [DS16] [DSKT16]
#rounds of Feistel for psPRP-security
This work!!! Open: Do 4-rounds suffice?
โข Relies on chain completion techniques
โข Heavily exploits query ordering
โข Very different chain-completion strategy from previous works, no recursion needed
๐1 ๐2 ๐3 ๐4 ๐5
๐1 ๐2 ๐3 ๐4 ๐5 ๐6
๐0 ๐5 Set
uniform Set
uniform
forceVal forceVal
detect detect
???
![Page 156: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/156.jpg)
Heuristic Instantiations
![Page 157: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/157.jpg)
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
From Block-ciphers e.g. AES
๐บ๐๐:
๐:
![Page 158: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/158.jpg)
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
psPRP ๐ฎ๐ ๐๐ -secure
From Block-ciphers e.g. AES
Ideal-Cipher model
๐บ๐๐:
๐:
![Page 159: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/159.jpg)
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
psPRP ๐ฎ๐ ๐๐ -secure
๐
๐ โ {0,1}๐
From Permutations e.g. the Keccak permutation
From Block-ciphers e.g. AES
๐ = (๐บ๐๐, ๐, ๐โ1)
Ideal-Cipher model
๐บ๐๐:
๐:
๐:
๐บ๐๐:
![Page 160: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/160.jpg)
Heuristic Instantiations
๐ธ
๐ โ {0,1}๐
๐ = (๐บ๐๐, ๐, ๐โ1)
psPRP ๐ฎ๐ ๐๐ -secure
psPRP ๐ฎ๐ ๐ข๐ -secure ๐
๐ โ {0,1}๐
From Permutations e.g. the Keccak permutation
From Block-ciphers e.g. AES
๐ = (๐บ๐๐, ๐, ๐โ1)
Ideal-Cipher model
RP model
๐บ๐๐:
๐:
๐:
๐บ๐๐:
![Page 161: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/161.jpg)
Fast Garbling from psPRPs
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
![Page 162: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/162.jpg)
Fast Garbling from psPRPs Fast garbling from [BHKR13]
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
![Page 163: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/163.jpg)
Fast Garbling from psPRPs Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Very fast โ no key-schedule
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
![Page 164: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/164.jpg)
Fast Garbling from psPRPs Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Proof in RP model
โข Very fast โ no key-schedule
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
![Page 165: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/165.jpg)
Fast Garbling from psPRPs
This work: Replace ๐ธ 0๐ , ๐ฅ by ๐๐ for a random seed
generated upon garbling.
Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Proof in RP model
โข Very fast โ no key-schedule
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
![Page 166: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/166.jpg)
Fast Garbling from psPRPs
This work: Replace ๐ธ 0๐ , ๐ฅ by ๐๐ for a random seed
generated upon garbling.
Fast garbling from [BHKR13]
โข Only calls fixed-key block cipher
๐ฅ โ ๐ธ(0๐ , ๐ฅ)
โข Proof in RP model
โข Very fast โ no key-schedule
Theorem: Secure garbling when ๐๐ is ๐๐ ๐๐ ๐[๐ฎ๐ ๐ข๐].
Garbled And
๐ธ 0๐, ๐พ10 โ ๐พ10 โ ๐ฅ๐0
๐ธ 0๐, ๐พ01 โ ๐พ01 โ ๐ฅ๐0
๐ธ 0๐, ๐พ11 โ ๐พ11 โ ๐ฅ๐1
๐ธ 0๐, ๐พ00 โ ๐พ00 โ ๐ฅ๐0
๐ฅ๐0, ๐ฅ๐
1 ๐ฅ๐0, ๐ฅ๐
1 And ๐ฅ๐
0, ๐ฅ๐1
![Page 167: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/167.jpg)
Roadmap
1.Definitions
2.Constructions & Applications
3.Conclusions
Co-related input hash
Functions (CIH)
![Page 168: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/168.jpg)
Conclusion
psPRPs
![Page 169: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/169.jpg)
Conclusion
First standard model assumptions on permutations
psPRPs
![Page 170: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/170.jpg)
Constructions
Conclusion
First standard model assumptions on permutations
psPRPs
![Page 171: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/171.jpg)
Constructions
Conclusion
First standard model assumptions on permutations
Applications psPRPs
![Page 172: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/172.jpg)
Many open questionsโฆ
![Page 173: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/173.jpg)
Many open questionsโฆ
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
psPRPs:
![Page 174: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/174.jpg)
Many open questionsโฆ
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
![Page 175: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/175.jpg)
Many open questionsโฆ
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
![Page 176: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/176.jpg)
Many open questionsโฆ
โข Simpler assumptions on permutations?
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
![Page 177: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/177.jpg)
Many open questionsโฆ
โข Simpler assumptions on permutations?
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Is SHA-3 a CRHF under any non-trivial assumption?
![Page 178: Public-seed Pseudorandom Permutationsย ยท KDM-secure symmetric key Enc. (KDM) Point function Obfuscation (PFOB) Message-locked ๐๐๐ท๐น๐ท ... is -secure if โ PPT , , left](https://reader031.vdocuments.net/reader031/viewer/2022020306/5d46da6d88c9936a5f8ba23a/html5/thumbnails/178.jpg)
Many open questionsโฆ
โข Simpler assumptions on permutations?
โข More applications: psPRP-based PRNGs, authenticated encryption?
โข More efficient constructions: Round complexity of Feistel for psPRPs?
โข Applications of public-seed Ideal Ciphers?
psPRPs:
Public-seed Pseudorandomness - general paradigm:
Beyond psPRPs:
Is SHA-3 a CRHF under any non-trivial assumption?
Thank you!