
On the Public Indifferentiability and Correlation Intractability of - PowerPoint PPT Presentation

On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction. Avradip Mandal (University of Luxembourg), Jacques Patarin (University of Versailles, France), Yannick Seurin (ANSSI, France). March 20, TCC


  1. On the Public Indifferentiability and Correlation Intractability of the 6-Round Feistel Construction
     Avradip Mandal (University of Luxembourg), Jacques Patarin (University of Versailles, France), Yannick Seurin (ANSSI, France)
     March 20, TCC 2012
     Y. Seurin (ANSSI) Pub. Indiff. of 6-round Feistel March 20, TCC 2012 1 / 24

  2. Introduction: Context
     - building cryptographic permutations from cryptographic functions: the $r$-round Feistel construction $\Psi^F_r$
     - round functions = random oracles
     - does the Feistel construction $\Psi^F_r$ “behave” as a random permutation $P$?
     - secret round functions ⇒ Luby-Rackoff
     - public round functions ⇒ indifferentiability framework [MRH04]
     [Figure: Feistel network with input $(L, R)$, round functions $F_1, F_2, F_3, \ldots, F_{r-2}, F_{r-1}, F_r$ and output $(S, T)$]


  7. Introduction: In this talk
     - we consider weaker notions of indifferentiability:
       - public indifferentiability
       - sequential indifferentiability
       and show them to be equivalent
     - we show that the Feistel construction with 6 rounds is publicly indifferentiable from a random permutation (14 rounds best known result for full indifferentiability [HKT11])
     - we link the notion of public indifferentiability with the notion of correlation intractability of [CGH98]


  10. Outline
      1. Public and Sequential Indifferentiability
      2. Public Indifferentiability of the 6-Round Feistel Construction
      3. Correlation Intractability


  12. Public and Sequential Indifferentiability: The classical indistinguishability notion
      [Figure: two worlds, $\Psi^F_r$ with $D$ outputting 0/1, and $P$ with $D$ outputting 0/1]
      - the distinguisher cannot access the round functions.
      - Luby-Rackoff theorem: $\Psi_3$ is indist. from a random permutation, $\Psi_4$ is indist. from an invertible random permutation


  14. Public and Sequential Indifferentiability: Full indifferentiability
      [Figure: two worlds, $\Psi^F_r$ and $F$ with $D$ outputting 0/1, and $P$ and $S$ with $D$ outputting 0/1]
      - $\Psi^F_r$ is indifferentiable from $P$ if there exists an (efficient) simulator $S$ such that $(P, S^P)$ and $(\Psi^F_r, F)$ are indist.
      - the simulator does not know $D$'s queries to $P$
      - best known result for Feistel: 14 rounds [HKT11]


  18. Public and Sequential Indifferentiability: Composition theorem
      [Figure: two worlds, $\Gamma$ and $A$ with $\Psi^F_r$ and $F$, and $\Gamma$, $A$ and $S$ (together $A'$) with $P$, each outputting 0/1]
      - an attacker $A$ against cryptosystem $\Gamma$ used with $\Psi^F_r$ ...
      - ... implies an attacker $A'$ against $\Gamma$ used with $P$
      - true for single-stage security games only [RSS11]


  23. Public and Sequential Indifferentiability: Public indifferentiability [YMO09,DRS09]
      [Figure: two worlds, $\Psi^F_r$ and $F$ with $D$ outputting 0/1, and $P$ and $S$ with $D$ outputting 0/1]
      - weaker notion where the simulator is given all queries made by $D$ to $P$
      - composition theorem still holds for cryptosystems where all queries to $P$ can be revealed to the adversary without affecting security (e.g. “hash-and-sign” signature schemes)
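An added example, not taken from the slides: the two worlds of the indifferentiability definition, $(\Psi^F_r, F)$ and $(P, S^P)$, with a distinguisher that has access to the round-function interface. It shows why a simulator that ignores $P$ fails at once, and exposes the log of queries to $P$ that the simulator is given in the public variant. Assumptions: a toy half-block size `N`, the usual round convention $(L, R) \mapsto (R, L \oplus F_i(R))$, and hypothetical helper names throughout.

```python
import secrets

N = 16  # half-block size in bits (constructed toy parameter)

class RandomOracle:
    """Lazily sampled random function on N-bit strings."""
    def __init__(self):
        self.table = {}
    def __call__(self, x):
        if x not in self.table:
            self.table[x] = secrets.randbits(N)
        return self.table[x]

def feistel(F, L, R):
    """Psi_r^F(L, R); assumed round convention (L, R) -> (R, L xor F_i(R))."""
    for f in F:
        L, R = R, L ^ f(R)
    return L, R  # (S, T)

class RandomPermutation:
    """Lazily sampled random permutation P on 2N-bit blocks (forward queries)."""
    def __init__(self):
        self.fwd, self.used, self.log = {}, set(), []
    def __call__(self, L, R):
        self.log.append((L, R))  # in the public notion, S is given this log
        if (L, R) not in self.fwd:
            while True:  # rejection-sample an unused output block
                y = (secrets.randbits(N), secrets.randbits(N))
                if y not in self.used:
                    break
            self.used.add(y)
            self.fwd[(L, R)] = y
        return self.fwd[(L, R)]

def real_world(r=6):
    """(Psi_r^F, F): construction and round functions share the same oracles."""
    F = [RandomOracle() for _ in range(r)]
    return (lambda L, R: feistel(F, L, R)), F

def ideal_world_naive(r=6):
    """(P, S): naive simulator answers at random and never consults P."""
    return RandomPermutation(), [RandomOracle() for _ in range(r)]

def distinguisher(construction, rounds, trials=32):
    """Return 1 iff Feistel recomputed from the round-function interface
    agrees with the construction interface on every trial."""
    for _ in range(trials):
        L, R = secrets.randbits(N), secrets.randbits(N)
        if feistel(rounds, L, R) != construction(L, R):
            return 0
    return 1
```

A simulator that passes this check has to choose its round-function answers so that the chain they define agrees with $P$; the naive one above makes no attempt to.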
