feistel structures for mpc and more
play

Feistel Structures for MPC, and More Arnab Roy 1 (joint work with - PowerPoint PPT Presentation

Sep 19, 2022 •49 likes •299 views

Feistel Structures for MPC, and More Arnab Roy 1 (joint work with Martin Albrecht 2 , Lorenzo Grassi 3 , Lo Perrin 4 , Sebas- tian Ramacher 3 , Christian Rechberger 3 , Dragos Rotaru 1,5 and Markus Schofnegger 3 ) University of Bristol, Bristol,

  1. Feistel Structures for MPC, and More Arnab Roy 1 (joint work with Martin Albrecht 2 , Lorenzo Grassi 3 , Léo Perrin 4 , Sebas- tian Ramacher 3 , Christian Rechberger 3 , Dragos Rotaru 1,5 and Markus Schofnegger 3 ) University of Bristol, Bristol, UK 1 Royal Holloway, University of London 2 TU Graz, Austria 3 Inria, Paris, France 4 KU Leuven, Belgium 5 1

  2. Motivation and background

  3. Background • In recent years significant progress in the areas of MPC, FHE, ZK • Communication protocol (Theory → Practice) • Many new applications are being developed • Examples include 1. Private set intersection, privacy preserving search 2. Statistical computation on sensitive data 3. Verifiable computation 4. Cloud computation 2

  4. Background • The role of symmetric-key primitives - Hash function, PRF, PRP • Specific requirements from the protocols • Examples of typical conditions - Low number of multiplications (over integers): MPC, ZK - Low number of AND: MPC - Low multiplicative depth: FHE, MPC • Designs must be secure 3

  5. Need for new design • Aren’t there secure symmetric-key designs (AES, SHA2, SHA3, Blake, ... ) ? 4

  6. Need for new design • Aren’t there secure symmetric-key designs (AES, SHA2, SHA3, Blake, ... ) ? • Yes, but they are not enough 4

  7. Need for new design • Aren’t there secure symmetric-key designs (AES, SHA2, SHA3, Blake, ... ) ? • Yes, but they are not enough • Example: • SHA2 optimized : ≈ 25000 AND gates (per compression function) • AES is not efficient for MPC 4

  8. Need for new design • Aren’t there secure symmetric-key designs (AES, SHA2, SHA3, Blake, ... ) ? • Yes, but they are not enough • Example: • SHA2 optimized : ≈ 25000 AND gates (per compression function) • AES is not efficient for MPC • Uses many XOR: non-linear after embedding into F p 4

  9. New design endeavours • New type of symmetric-key designs • New design challenges: Minimize • AND depth and/or No. of ANDs (per bit) • multiplicative complexity and/or depth (per bit) • Can we design primitives which minimize one or more of these metrics? • Example • MiMC, Feistel-MiMC [ZKP, MPC friendly] • Flip, Rasta [FHE friendly] • LowMC, Legendre PRF [MPC friendly] • GMiMC [ZKP, MPC friendly] • More recent designs • Present new cryptanalysis challenges 5

  10. ZKP friendly

  11. Hash function for Zero-knowledge proof system • Finite field (large) friendly hash • Different from the designs optimized for x86 (binary rings) • operations over Z 2 or F 2 makes them very slow for ZK system • Can not use BLAKE2b, SHA2, SHA3 • First new designs: MiMC, Feistel-MiMC • Recent designs • GMiMC (SNARK friendly) • Poseidon(SNARK friendly), Starkad (STARK friendly) • Vision(STARK friendly), Rescue (SNARK friendly) 6

  12. MiMCHash • We work over a field F k i k ⊕ c 1 k k X 3 x X 3 X 3 X 3 y Figure 1: MiMC Figure 2: Feistel-MiMC • Simple design idea: 1. Add (round) key 2. Add round constant 3. Repeat • Uses Sponge mode • Problem : expanding to > 512-bit = 2 elements in F , for 128 bit security 7

  13. Sponge m 1 m 2 m 3 m 4 h 0 h 1 h 2 r f f f f f f c • f is a bijection • c = 256; One F element 8

  14. GMiMC: Extension of MiMC • Uses Generalized Unbalanced Feistel with · · · F F · · · Figure 3: Contracting round Figure 4: Expanding round function function • Round function F i ( x 2 , . . . , x t , k i ) = ( � x j + rc i + k i ) 3 for CRF • Round function F i ( x , k i ) = ( x + rc i + k i ) 3 for ERF • k i = k k i = ( i + 1) k • No. of branches t << log 2 ( | F | ) 9

  15. GMiMCHash • Uses the sponge mode with capacity c = 256; • No. of branches t > 2 • Security Goal : 128-bit security m 1 m 2 m 3 m 4 h 0 h 1 h 2 r f f f f f f c 10

  16. Cryptanalysis • Use of APN function ( x → x 3 ) protects against differential and other statistical attacks • Security relies mostly on algebraic cryptanalysis - Interpolation, GCD, Groebner basis - Interpolation analysis (with root finding) for Hash function • Mostly exploiting the degree of the output polynomial • No weakness found in the GMiMCHash beyond birthday bound (to the best of our knowledge) 11

  17. Performance and application • In SNARK : GMiMCHash is faster ( ≈ 1 . 2 x ) than MiMC/Fesitel-MiMCHash • Main advantage is the expansion • Application examples: ZCash (ZKSNARK), Smart contract, STARK application etc. • StarkWare Hash challenge (https://starkware.co/hash-challenge/) - GMiMCHash, Feistel-MiMCHash - Poseidon and Starkad (SNARK and STARK friendly resp.) - Vision and Rescue (STARK and SNARK friendly resp.) 12

  18. MPC Friendly

  19. MPC friendly encryption • Ciphers optimized for x 86 are not suitable for MPC • Security aim : Secure block cipher • First new design: LowMC (over F 2 ) • Other: Legendre PRF (over integers) • Legendre PRF is secure only upto birthday bound • In SPDZ : MiMC turned out to be efficient in mode of operation (e.g. Authenticated Encryption) (!!) • What about GMiMC? 13

  20. GMiMC in MPC • Securty Goal : At least 128-bit key security • Efficiency in MPC: preprocessing + online computation • GMiMC erf and GMiMC crf have very fast preprocessing phase • Reason : Least no. of multiplications per (encryption) round • Avoids linear scaling with increased blocks (only known case) • Example: GMiMC erf is 5 . 5 x faster than MiMC (with 16 blocks) • Gain in throughput 14

  21. Yet another application

  22. PQ signature • A new application • Picnic : Uses ZKB++; ZKP-based signature scheme • Minimize: No. of multiplications × log 2 ( | F | ) • Current best option: LowMC • Can we use GMiMC? 15

  23. GMiMC in Picnic • Pushing the MiMC design strategy for small field • Security Goal : 256-bit key security with 256-bit input Scheme ( n , t , R ) Sign Verify View size MiMC (256 , 1 , 162) 333 . 97 ms 166 . 28 ms 83456 bits (272 , 1 , 172) 92 . 45 ms 46 . 32 ms 94112 bits GMiMC erf over F 2 n (33 , 8 , 56) 3 . 34 ms 2 . 29 ms 1848 bits LowMC-(256 , 10 , 38) - 3 . 74 ms 3 . 52 ms 1140 bits LowMC-(256 , 1 , 363) - 9 . 55 ms 7 . 12 ms 1089 bits • GMiMC is comparable to LowMC 16

  24. Conclusion and open questions • Finite field friendly designs • Design space exploration • Open questions in design and analysis • Cryptanalysis methods over F p (completely unknown) • New design principle? • Bounds on multiplicative complexity • How far can we extend current cryptanalysis techniques? • Can we obtain generic (algebraic) complexity results for security? Updates on MiMC, GMiMC and similar designs on https://byt3bit.github.io/primesym/ (new, still under construction) 17

  25. Thank you! 18

Recommend

Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine

Introduction Full Diffusion Delay Matrix of a Feistel Network New Feistel Networks Proposals An Efficient Example Extended Generalized Feistel Networks using Matrix Representation Thierry P. Berger 1 , Marine Minier 2 , Gal Thomas 1 1 XLIM

448 views • 31 slides
Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris

Generalized Feistel Networks with Optimal Diffusion Lo Perrin DTU, Lyngby Inria, Paris Dagstuhl 2018 (seminar-18021) Introduction Observations on GFNs Multi-Rotating Feistel Network (MRFN) Possible Applications Conclusion In this talk

1.31k views • 52 slides
Structures and Structural Information Mark Burgin University of California, Los Angeles , 520

Structures and Structural Information Mark Burgin University of California, Los Angeles , 520

Structures and Structural Information Mark Burgin University of California, Los Angeles , 520 Portola Plaza , Los Angeles, CA 90095, USA Rainer Feistel Leibniz Institute for Baltic Sea Research , Warnemnde, D-18119, Germany Abstract: Structures

543 views • 6 slides
Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher:

Grbner - Crypto J.-C. Faugre Plan Grbner bases: properties Grbner Bases. Applications in Cryptology Description of the Cipher Families Feistel cipher: FLURRY Feistel cipher modelling Jean-Charles Faugre Algorithms Buchberger

694 views • 57 slides
Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1

Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1

Feistel Networks Our Contributions Security Proofs Conclusion Improved Security Bounds for Generalized Feistel Networks Yaobin Shen 1 Chun Guo 2 Lei Wang 1 1 Shanghai Jiao Tong University 2 Shandong University November 13, FSE 2020 Yaobin

407 views • 22 slides
Preview question Which of these is a cryptographic primitive based on a Feistel cipher design?

Preview question Which of these is a cryptographic primitive based on a Feistel cipher design?

Preview question Which of these is a cryptographic primitive based on a Feistel cipher design? CSci 5271 A. DES Introduction to Computer Security Networking (contd) and cryptography B. AES Stephen McCamant C. DSA University of

582 views • 11 slides
On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel

On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel

On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction Avradip Mandal 1 Jacques Patarin 2 Yannick Seurin 3 1 University of Luxembourg 2 University of Versailles, France 3 ANSSI, France March 20, TCC

1.05k views • 89 slides
General Diffusion Analysis: How to Find Optimal Permutations for Generalized Type-II Feistel

General Diffusion Analysis: How to Find Optimal Permutations for Generalized Type-II Feistel

General Diffusion Analysis: How to Find Optimal Permutations for Generalized Type-II Feistel Schemes Victor Cauchois 1 , 2 , Clment Gomez 1 , Gal Thomas 1 1 DGA Maitrise de lInformation, Bruz, France 2 IRMAR, Universit de Rennes 1,

810 views • 68 slides
Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing

Chosen-Key Distinguishers on 12-Round Feistel-SP and 11-Round Collision Attacks on Its Hashing Modes Xiaoyang Dong and Xiaoyun Wang Shandong University, Tsinghua University FSE 2017 Tokyo, Japan Outline 2 Secret-key and Open-key Models u

526 views • 24 slides
Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers

06-20008 Cryptography The University of Birmingham Autumn Semester 2012 School of Computer Science Eike Ritter 2 October, 2012 Handout 2 Summary of this handout: Symmetric Ciphers Overview Block Ciphers Feistel Ciphers DES II.

588 views • 10 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 2 March 2014 - FSE 2014 Lampe &amp; Seurin (Versailles &amp; ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 11

553 views • 52 slides
Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University

Security Analysis of Key-Alternating Feistel Ciphers Rodolphe Lampe and Yannick Seurin University of Versailles and ANSSI 4th March 2014 - FSE 2014 Lampe &amp; Seurin (Versailles &amp; ANSSI) Key-Alternating Feistel Ciphers FSE 2014 1 / 16

865 views • 53 slides
Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin

Generic Attacks on Feistel Ciphers With Internal Permutations Joana Treger, Jacques Patarin PRiSM, Universit e de Versailles 2008-11-27 Joana Treger, Jacques Patarin (PRiSM, Universit Generic Attacks on Feistel Ciphers With Internal

1.04k views • 52 slides
Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques

Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques

Differential Attacks on Generalized Feistel Schemes Val erie Nachef - Emmanuel Volte - Jacques Patarin CANS 2013 20 November 2013 Outline Introduction 1 State of the Art Our Contribution Definition of the schemes Attacks on Type-1

893 views • 45 slides
Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and

Revisiting Key-alternating Feistel Ciphers for Shorter Keys and Multi-user Security Chun Guo and Lei Wang ICTEAM/ELEN/Crypto Group, Universit e catholique de Louvain Shanghai Jiao Tong University Presented by Yaobin Shen, Shanghai Jiao Tong

653 views • 36 slides
Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang

Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang

Complementation Property General Complementation Property Application to Camellia-128 Application to GOST Conclusion Complementing Feistel Ciphers Ivica Nikoli c (joint work with Alex Biryukov) Nanyang Technological University, Singapore

426 views • 24 slides
Data Structures 1 / 27 Built-in Data Structures Values can be collected in data structures:

Data Structures 1 / 27 Built-in Data Structures Values can be collected in data structures:

Data Structures 1 / 27 Built-in Data Structures Values can be collected in data structures: Lists Tuples Dictionaries Sets This lecture just an overview. See the Python documentation for complete details. 2 / 27 Lists A list

396 views • 27 slides
NRA Structures Standards Update Fergal Cahill (NRA) Project Manager April 2015 Structures

NRA Structures Standards Update Fergal Cahill (NRA) Project Manager April 2015 Structures

NRA Structures Standards Update Fergal Cahill (NRA) Project Manager April 2015 Structures Presentation Outline Drivers of Change Structures Specification NRA Manual Contract Documents Road Works (NRA MCDRW) Structures Standards

1.14k views • 75 slides
Contact manifolds and SU ( 2 ) -structures in 5-dimensions SU ( n ) -structures Sasaki-Einstein

Contact manifolds and SU ( 2 ) -structures in 5-dimensions SU ( n ) -structures Sasaki-Einstein

Contact manifolds Anna Fino Contact manifolds and SU ( 2 ) -structures in 5-dimensions SU ( n ) -structures Sasaki-Einstein structures Hypo structures Hypo evolution equations -Einstein structures Hypo-contact structures Classification

1.16k views • 83 slides
Rapid Strength Concrete for Transportation Structures and Pavements for Transportation Structures

Rapid Strength Concrete for Transportation Structures and Pavements for Transportation Structures

Rapid Strength Concrete for Transportation Structures and Pavements for Transportation Structures and Pavements International Conferences on Advances in Building Sciences and Rehabilitation and Restoration of Structures India, Madras, 2013 B.

334 views • 21 slides
Hypo contact and Sasakian SU ( 2 ) -structures in 5-dimensions structures on Lie groups Sasakian

Hypo contact and Sasakian SU ( 2 ) -structures in 5-dimensions structures on Lie groups Sasakian

Hypo contact Anna Fino Hypo contact and Sasakian SU ( 2 ) -structures in 5-dimensions structures on Lie groups Sasakian structures Sasaki-Einstein structures Hypo structures -Einstein structures Hypo-contact structures Classification

1.22k views • 91 slides
The Ensemble of RNA Structures Example: best structures of the RNA sequence

The Ensemble of RNA Structures Example: best structures of the RNA sequence

The Ensemble of RNA Structures Example: best structures of the RNA sequence GGGGGUAUAGCUCAGGGGUAGAGCAUUUGACUGCAGAUCAAGAGGUCCCUGGUUCAAAUCCAGGUGCCCCCU free energy in kcal/mol (((((((..((((.......))))...........((((....))))(((((.......)))))))))))).

686 views • 41 slides
Trusses and Thin-Walled Shells Structural Concepts Aerospace Structures Truss structures

Trusses and Thin-Walled Shells Structural Concepts Aerospace Structures Truss structures

Trusses and Thin-Walled Shells Structural Concepts Aerospace Structures Truss structures Function of diagonal elements (tension &amp; compression) Wires Rods and tubes Examples CC-BY-SA- TU Delft DASML Shell structures Replacement by sheet

437 views • 7 slides
Towards better data structures: From atoms via compound terms to feature-structures Detmar

Towards better data structures: From atoms via compound terms to feature-structures Detmar

Towards better data structures: From atoms via compound terms to feature-structures Detmar Meurers: Intro to Computational Linguistics I OSU, LING 684.01, 26. February 2003 Overview From atoms to typed-feature structures What do

300 views • 17 slides

More recommend