Eliminating Random Permutation Oracles in the Even-Mansour Cipher. Zulfikar Ramzan. Joint work w/ Craig Gentry. DoCoMo Labs USA


Eliminating Random Permutation Oracles in the Even-Mansour Cipher
Zulfikar Ramzan, joint work with Craig Gentry. DoCoMo Labs USA. ASIACRYPT 2004.

Outline
Even-Mansour work and open problems
Main contributions (resolving open problems)
Related work
Formal security theorem & proof sketch
Extensions & negative results
2004-12-16 Zulfikar Ramzan 2

Even-Mansour Construction
Goal: block cipher based on a single (public) random permutation.
C = k2 xor P(M xor k1)
Security Model
Adversary:
o makes chosen plaintext / ciphertext queries
o has separate oracle access to P, P^-1.
[EM91] proved: hard to invert (or compute forward direction of) cipher for an un-queried plaintext/ciphertext pair.
[Figure: M -> xor k1 -> random permutation oracle P -> xor k2 -> C]
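A worked instance of the construction on this slide, added here as an example; it is not code from the talk or from the Even-Mansour or Gentry-Ramzan papers. It stands in for the random permutation oracle with a uniformly shuffled lookup table on a toy 12-bit domain (an assumption; the slide's n is abstract), exposes P and P^-1 with a counter for the adversary's oracle queries, and wraps the table as C = k2 xor P(M xor k1). All class and function names are the example's own.

```python
import random

N_BITS = 12                  # toy block size n (constructed); blocks and keys k1, k2 are all n bits
DOMAIN = 1 << N_BITS

class RandomPermutationOracle:
    """Public random permutation P on {0,1}^n with forward (P) and inverse (P^-1) access."""
    def __init__(self, rng):
        table = list(range(DOMAIN))
        rng.shuffle(table)                # uniformly random permutation of the domain
        self.fwd = table
        self.inv = [0] * DOMAIN
        for x, y in enumerate(table):     # tabulate P^-1 once so inverse queries are O(1)
            self.inv[y] = x
        self.queries = 0                  # every P / P^-1 call counts toward the adversary's budget q

    def P(self, x):
        self.queries += 1
        return self.fwd[x]

    def P_inv(self, y):
        self.queries += 1
        return self.inv[y]

class EvenMansour:
    """C = k2 xor P(M xor k1); decryption is M = P^-1(C xor k2) xor k1."""
    def __init__(self, oracle, k1, k2):
        self.oracle, self.k1, self.k2 = oracle, k1, k2

    def encrypt(self, m):
        return self.k2 ^ self.oracle.P(m ^ self.k1)

    def decrypt(self, c):
        return self.oracle.P_inv(c ^ self.k2) ^ self.k1

def build(seed=0):
    """Sample a fresh public permutation and a random key pair (k1, k2)."""
    rng = random.Random(seed)
    return EvenMansour(RandomPermutationOracle(rng), rng.getrandbits(N_BITS), rng.getrandbits(N_BITS))

def roundtrip_ok(seed=0):
    """Decrypt(Encrypt(M)) == M over the whole domain."""
    cipher = build(seed)
    return all(cipher.decrypt(cipher.encrypt(m)) == m for m in range(DOMAIN))

def is_permutation(seed=0):
    """Key whitening only conjugates P, so the keyed cipher is itself a permutation of the domain."""
    cipher = build(seed)
    return len({cipher.encrypt(m) for m in range(DOMAIN)}) == DOMAIN

if __name__ == "__main__":
    cipher = build()
    print(roundtrip_ok(), is_permutation(), cipher.oracle.queries)
```

The query counter is the only bookkeeping the security model needs: the adversary's advantage on slide 12 is stated in terms of the total number q of calls made to the cipher and to P / P^-1.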

Issues and Open Problems
Security is proved in the Random Permutation Oracle Model.
o How to instantiate the Random Permutation Oracle?
Security is proved w.r.t. hardness of inversion / forgery.
o But there are stronger adversarial models.
Q1: Can we prove security outside the random permutation oracle model?
Q2: Can we prove security w.r.t. a stronger adversarial model?
[Figure: M -> xor k1 -> random permutation oracle P -> xor k2 -> C]

Our Contributions
Q1: Can we prove security outside the random permutation oracle model?
A1: Yes. We build the publicly-computable permutation using (publicly computable) functions. These functions are modeled as random function oracles; i.e., they're not necessarily bijective.
Q2: Can we prove security w.r.t. a stronger adversarial model?
A2: Yes. We prove super pseudorandomness (i.e., the cipher is indistinguishable from a random permutation under chosen message/ciphertext attack).

Super Pseudorandom Permutations
A block cipher is super-pseudorandom if all Probabilistic Poly-time Turing Machines (PPTM) fail a Turing-style test of block cipher vs. truly random permutation.
[Figure: PPTM sends X, receives P(X) and P^-1(X)]
PPTM adaptively chooses plaintexts (resp. ciphertexts); is provided corresponding ciphertexts (resp. plaintexts).
Should be unable to distinguish cipher from truly random permutation on same domain.
Luby-Rackoff: constructed secure block cipher based on existence of one-way functions.

Health Warnings
Security in the random oracle model does not guarantee security in the real world [CGH97; MRH04; GTK03; BBP04].
There are more efficient block cipher constructions in the random oracle model [Ramzan-Reyzin-2000].
Our security analysis indicates that we need 2^(n/2) to be large, where block size is 2n.
Main contribution: solve fundamental theoretical open problems of Even-Mansour work; we don't recommend this as a practical approach for building block ciphers.

Our Construction
Replace Random Permutation Oracle with Four Round Feistel.
Round functions modeled as length-preserving random function oracles (note: may be non-injective).
Our Results:
o Instantiate (public) permutation using (publicly computable) random function oracles.
o Prove super-pseudorandomness.
o Therefore: eliminated random permutation oracles in Even-Mansour.
Note: adversary has separate black-box access to ALL round functions.
[Figure: left, Even-Mansour with random permutation oracle P (and P^-1); right, the same cipher with P replaced by a Feistel network whose round functions f, g are separately accessible]

Related Work: Luby-Rackoff
LR88: 4-Round Feistel w/ keyed pseudorandom round functions => super pseudorandom permutation.
o BUT: adversary not given separate access to internal round functions.
LR88: originally motivated by security of DES.
o Viewed their construction as idealized DES.
o But, DES round functions (S-boxes) are keyed in a simple way (i.e., XOR key with input before applying S-box).
o LR88 uses pseudorandom round functions (which don't involve "simple keying").
[Figure: key XORed with the input before the S-box]
We consider simple keying; so, our model is arguably a more apt idealization.

Related Work Continued
Ramzan-Reyzin Round Security Framework:
o Allows adversaries access to internal rounds.
o We can phrase security theorems using round security language.
o There are similarities, but Ramzan-Reyzin constructs still had some keyed functions not accessible to adversary.
o In this work: (essentially) no keyed functions. All functions are separately accessible to the adversary.
o The respective proof strategies have some subtle differences (e.g., we need an extra hybrid).

Two Worlds - Adversarial Model
World 1: black-box oracles for
o forward + reverse direction of cipher.
o round functions inside cipher (both modeled as random function oracles).
World 2: black-box oracles for
o forward + reverse direction of truly random permutation.
o two random oracles.
[Figure: World 1: M -> xor k1 -> Feistel rounds f, g, g, f -> xor k2, with f and g also exposed as oracles; World 2: truly random permutation, plus oracles f and g]

Theorem Statement: Adversarial Model
Adversary A is put in one of the two worlds; he makes q queries total to his three black boxes.
[Figure: A sends plaintext (or ciphertext, or round-oracle queries) and receives ciphertext (or plaintext, or oracle responses)]
Theorem: A successfully distinguishes world one from world two with advantage at most O(q^2 * 2^-n), where block size is 2n.

Proof Ideas 1: General Scheme
Identify BAD conditions (as a function of keys).
Show: if for a specific pair of keys the BAD conditions don't happen, then
o adversary's transcript view of interacting with World 1 (our construction) is distributed identically to
o adversary's transcript view of interacting with World 2 (truly random permutation).
Show: BAD conditions happen with probability O(q^2 * 2^-n).
For technical reasons, we must compose the above paradigm with itself, considering two classes of bad conditions, and we need an additional hybrid in between.
Finally, we apply a probability argument to the above.

Proof Ideas 2: Probability Argument
First, express adversary's (in)ability to distinguish between worlds in terms of statistical distance between transcripts. (Apply triangle inequality several times.)
Re-express probabilities to be conditioned on whether BAD events occur. (Apply triangle inequality several more times.)
Manipulate formulas to show that adversary's advantage is bounded by probability of BAD conditions occurring.

Proof Ideas 3: Actual BAD Conditions
BAD conditions depend on the possible transcript, and the probability of BAD occurring is taken over the choice of key.
Inputs to f (resp. g) during a query to the block cipher black box match an input to f (resp. g) during a query to the random oracle.
Inputs to f (resp. g) during different block cipher queries match.
If BAD doesn't happen:
1) external oracles don't see the same inputs as internal oracles, so they are useless.
2) All outputs from the cipher are uniformly distributed.
Intuition: BAD conditions unlikely since randomly chosen key directly or indirectly masks function inputs => collisions unlikely.

Extensions: Recycling Key Material
Proof only requires key to be XORed into left half of input and right half of output.
o Immediate 2x reduction in key material.
Q: Can we go further? i.e., use the same key at beginning and end?
o XOR is symmetric;
o same key used at beginning and end is even more symmetric!
o The construction would behave like an involution (not very random)!
But, using an observation from [PRS02]: if we use group operations other than XOR (i.e., where a+a != 0), then we can recycle keys.
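The following added example is not code from the talk or the paper; it serves three of the slides above. It instantiates the public permutation of "Our Construction" as the four-round Feistel network f, g, g, f (the round order shown in the slide-11 figure) built from lazily sampled random function oracles and checks that a permutation results even though f and g are not injective. It then estimates by Monte Carlo how often the BAD conditions of "Proof Ideas 3" occur for a fixed, non-adaptive set of queries and compares the estimate with the q^2 * 2^-n scale of the theorem. Finally it exhibits the symmetry behind "Recycling Key Material": with the same XOR key at both ends, decrypting under k is the same as encrypting under swap(k) conjugated by a half-swap, because a palindromic Feistel network satisfies P^-1 = swap o P o swap. Assumptions: n = 8, full 2n-bit keys XORed at both ends (as in the slide-8 figure, not the reduced keying of slide 16), the round rule (L, R) -> (R, L xor h(R)), constructed query values, and the names fresh_cipher, is_bijection, estimate_bad and same_key_symmetry, which are the example's own.

```python
import random

N = 8                        # half-block size n; block size 2n = 16 bits (toy value, constructed)
MASK = (1 << N) - 1
FULL = 1 << (2 * N)          # number of 2n-bit blocks

class RandomFunctionOracle:
    """Lazily sampled random function {0,1}^n -> {0,1}^n; it need not be injective."""
    def __init__(self, rng):
        self.rng, self.table = rng, {}
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(N)
        return self.table[x]

def feistel(rounds, l, r, trace=None):
    """Assumed round rule (L, R) -> (R, L xor h(R)); each round-function input is appended to trace."""
    for name, h in rounds:
        if trace is not None:
            trace.append((name, r))
        l, r = r, l ^ h(r)
    return l, r

def feistel_inv(rounds, l, r):
    """Undo the rounds in reverse order; needs only forward calls to h, so h may be non-injective."""
    for _, h in reversed(rounds):
        l, r = r ^ h(l), l
    return l, r

def swap(x):
    """Exchange the two n-bit halves of a 2n-bit word."""
    return ((x & MASK) << N) | (x >> N)

class FeistelEvenMansour:
    """Even-Mansour with P replaced by the 4-round Feistel network f, g, g, f."""
    def __init__(self, f, g, k1, k2):
        self.rounds = [("f", f), ("g", g), ("g", g), ("f", f)]
        self.k1, self.k2 = k1, k2
    def encrypt(self, m, trace=None):
        x = m ^ self.k1
        l, r = feistel(self.rounds, x >> N, x & MASK, trace)
        return ((l << N) | r) ^ self.k2
    def decrypt(self, c):
        x = c ^ self.k2
        l, r = feistel_inv(self.rounds, x >> N, x & MASK)
        return ((l << N) | r) ^ self.k1

def fresh_cipher(rng, k1=None, k2=None):
    """New random round functions f, g and (unless given) random keys k1, k2."""
    f, g = RandomFunctionOracle(rng), RandomFunctionOracle(rng)
    k1 = rng.getrandbits(2 * N) if k1 is None else k1
    k2 = rng.getrandbits(2 * N) if k2 is None else k2
    return FeistelEvenMansour(f, g, k1, k2), f, g

def is_bijection(seed=0):
    """Non-injective round functions still give a permutation of {0,1}^2n that decrypt inverts."""
    cipher, f, g = fresh_cipher(random.Random(seed))
    images = {cipher.encrypt(m) for m in range(FULL)}
    f_collides = len(set(f.table.values())) < len(f.table)   # f is observed to be non-injective
    inverts = all(cipher.decrypt(cipher.encrypt(m)) == m for m in range(0, FULL, 97))
    return len(images) == FULL and f_collides and inverts

def same_key_symmetry(seed=0):
    """With k1 = k2 = k and XOR keying: decrypt_k(c) == swap(encrypt_swap(k)(swap(c)))."""
    rng = random.Random(seed)
    k = rng.getrandbits(2 * N)
    cipher_k, f, g = fresh_cipher(rng, k, k)
    cipher_sk = FeistelEvenMansour(f, g, swap(k), swap(k))
    return all(cipher_k.decrypt(c) == swap(cipher_sk.encrypt(swap(c))) for c in range(0, FULL, 101))

def estimate_bad(trials=2000, seed=0):
    """Monte Carlo Pr[BAD] over random keys and round functions for a fixed, non-adaptive query set."""
    rng = random.Random(seed)
    plaintexts = [0x0123, 0x4567, 0x89AB, 0xCDEF]   # constructed cipher queries, pairwise-distinct halves
    direct = [0x11, 0x22, 0x33, 0x44]               # constructed direct queries, sent to both f and g
    q = len(plaintexts) + 2 * len(direct)           # all queries to the three black boxes
    bad = 0
    for _ in range(trials):
        cipher, _, _ = fresh_cipher(rng)
        trace = []
        for m in plaintexts:
            cipher.encrypt(m, trace)
        seen = {"f": set(direct), "g": set(direct)}
        for name, x in trace:
            if x in seen[name]:          # internal input equals a direct query or another cipher query's input
                bad += 1
                break
            seen[name].add(x)
    return bad / trials, q * q / 2 ** N   # empirical Pr[BAD] and the q^2 * 2^-n scale from the theorem

if __name__ == "__main__":
    print(is_bijection(), same_key_symmetry(), estimate_bad())
```

For this query budget (q = 12, n = 8) the empirical Pr[BAD] lands well below q^2 * 2^-n, and the only collisions that occur are the key-masked ones the slide's intuition predicts: plaintexts with distinct halves can never collide at the first round, since the key cancels out of that comparison. The symmetry check is the concrete content of "behaves like an involution": with XOR keying and one key, forward access to the cipher under the swapped key already gives the inverse direction, which is why the slide turns to a group operation with a + a != 0.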

Negative Results
Can recover entire 4n-bit key with 2^(n+0.5) known plaintexts and 2^(n+0.5) work.
o Basic application of the "Sliding with a Twist" attack [BW00].
o The attack doesn't really exploit Feistel structure.
Can attack the 3-Feistel-round version of our scheme.
o Straightforward adaptation of attack on 3-round Luby-Rackoff ciphers.
Open Area: There's a gap between lower bounds from best known attacks and upper bounds from security analysis.

Conclusions
Resolved fundamental open questions from Even-Mansour work.
o Demonstrated that underlying random permutation oracle could be instantiated with a construction involving random function oracles.
We also better model idealized DES-like ciphers, which was a motivating goal for the Luby-Rackoff work.
Open problem: decrease the gap between best known attacks and security analysis.

Thank You! Questions?
TIME EXPIRED