UCE security (Bellare, Hoang, Keelveedhi)
$H = (\mathsf{Gen}, h)$, with $s \leftarrow \mathsf{Gen}(1^\lambda)$ and $f \leftarrow \mathsf{Funcs}(m, n)$.
The source $S$ has oracle access to either $h_s$ or $f$ and outputs leakage $L$. The distinguisher $D$ receives $L$ and the seed $s$ and outputs 0/1.
Security: the $h_s$ case $\approx$ the $f$ case.

psPRP security
$P = (\mathsf{Gen}, \pi, \pi^{-1})$, with $s \leftarrow \mathsf{Gen}(1^\lambda)$ and $\rho \leftarrow \mathsf{Perms}(n)$.
The source $S$ has oracle access to either $\rho/\rho^{-1}$ or $\pi_s/\pi_s^{-1}$. Makes forward and backward queries! $S$ outputs leakage $L$; the distinguisher $D$ receives $L$ and $s$ and outputs 0/1.
$P$ is psPRP-secure if $\forall$ PPT $S, D$, left and right are indistinguishable.

$P$ is psPRP-secure if $\forall$ PPT $S, D$, …
$s \leftarrow \mathsf{Gen}(1^\lambda)$, $\rho \leftarrow \mathsf{Perms}(n)$; oracle $\rho/\rho^{-1}$ or $\pi_s/\pi_s^{-1}$.
$S$ queries $(+, 0^n)$, receives $y$, and sets $L = y$. $D$, given $L$ and $s$, outputs 1 iff $y = \pi_s(0^n)$.
With $\pi_s$: 1 with prob. 1. With $\rho$: 1 with prob. $1/2^n$.
psPRP-security is impossible against all sources!

Sources need to be restricted
$P = (\mathsf{Gen}, \pi, \pi^{-1})$; $\mathcal{S}$ is a class within all sources.
Game: $s \leftarrow \mathsf{Gen}(1^\lambda)$, $\rho \leftarrow \mathsf{Perms}(n)$; $S$ has oracle $\rho/\rho^{-1}$ or $\pi_s/\pi_s^{-1}$ and outputs $L$; $D$ receives $L$ and $s$ and outputs 0/1.
$P$ is psPRP[$\mathcal{S}$]-secure if $\forall S \in \mathcal{S}$ and $\forall$ PPT $D$, left and right are indistinguishable.

This talk – unpredictable and reset-secure sources
all sources $\supseteq$ reset-secure $\mathcal{S}^{\mathrm{srs}}$ $\supseteq$ unpredictable $\mathcal{S}^{\mathrm{sup}}$
Both restrictions model that $D$ cannot predict the queries made by the sources!
$\mathcal{S}^{\mathrm{sup}} \subseteq \mathcal{S}^{\mathrm{srs}}$ $\Longrightarrow$ psPRP[$\mathcal{S}^{\mathrm{srs}}$] is a stronger assumption than psPRP[$\mathcal{S}^{\mathrm{sup}}$]

Source restrictions – unpredictability
$\rho \leftarrow \mathsf{Perms}(n)$. The source $S$ sends queries $(\sigma, x_i)$, $\sigma \in \{+, -\}$, to $\rho/\rho^{-1}$ and receives $y_i$; each query updates $Q \leftarrow Q \cup \{(\sigma, x_i), (\bar{\sigma}, y_i)\}$. $S$ outputs leakage $L$ to $A$, and $A$ outputs $Q'$.
It should be hard for $A$ to predict any of $S$'s queries or its inverse: $\Pr[Q' \cap Q \neq \emptyset] = \mathrm{negl}(\lambda)$
$\mathcal{S}^{\mathrm{sup}}$: $A$ is computationally unbounded $\subseteq$ $\mathcal{S}^{\mathrm{cup}}$: $A$ is PPT
psPRP[$\mathcal{S}^{\mathrm{cup}}$] impossible if iO exists [BFM14]
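
Added example (not from the talk): the source from the impossibility slide, which makes the single forward query $(+, 0^n)$ and leaks the answer, run in both the psPRP game and the unpredictability game. The 16-bit Feistel `pi`, the `Oracle` class and all function names are assumptions chosen for illustration; the code estimates $D$'s output probabilities (1 versus about $2^{-n}$) and shows that a predictor guessing $Q' = \{(+, 0^n)\}$ always hits $Q$, so this source is not unpredictable.

```python
import hashlib, random

N = 16                                   # toy block size n (assumption)
HALF, MASK = N // 2, (1 << (N // 2)) - 1

def _f(seed, i, x):                      # round function keyed by the PUBLIC seed s
    d = hashlib.sha256(seed + bytes([i]) + x.to_bytes(4, "big")).digest()
    return int.from_bytes(d, "big") & MASK

def pi(seed, x, inverse=False):          # toy pi_s / pi_s^-1: 4-round Feistel
    l, r = x >> HALF, x & MASK
    for i in (range(3, -1, -1) if inverse else range(4)):
        l, r = (r ^ _f(seed, i, l), l) if inverse else (r, l ^ _f(seed, i, r))
    return (l << HALF) | r

class Oracle:                            # pi_s/pi_s^-1 if seeded, else lazy rho/rho^-1
    def __init__(self, rng, seed=None):
        self.rng, self.seed, self.tab, self.Q = rng, seed, {"+": {}, "-": {}}, set()
    def query(self, sign, x):
        inv = "-" if sign == "+" else "+"
        if self.seed is not None:
            y = pi(self.seed, x, inverse=(sign == "-"))
        elif x in self.tab[sign]:
            y = self.tab[sign][x]
        else:
            y = self.rng.randrange(1 << N)
            while y in self.tab[inv]:    # keep rho a permutation
                y = self.rng.randrange(1 << N)
            self.tab[sign][x], self.tab[inv][y] = y, x
        self.Q |= {(sign, x), (inv, y)}  # Q from the unpredictability game
        return y

def source(oracle):                      # S: query (+, 0^n), leak L = y
    return oracle.query("+", 0)

def distinguisher(seed, leak):           # D: output 1 iff y = pi_s(0^n)
    return int(leak == pi(seed, 0))

def psprp_game(real, rng):
    seed = rng.getrandbits(128).to_bytes(16, "big")   # s <- Gen(1^lambda)
    return distinguisher(seed, source(Oracle(rng, seed if real else None)))

def estimate(trials=2000, rng_seed=1):   # (Pr[D=1 | pi_s], Pr[D=1 | rho])
    rng = random.Random(rng_seed)
    return tuple(sum(psprp_game(b, rng) for _ in range(trials)) / trials for b in (True, False))

def predictor_wins(rng_seed=2):          # A ignores L, guesses Q' = {(+, 0^n)}
    oracle = Oracle(random.Random(rng_seed))
    source(oracle)
    return ("+", 0) in oracle.Q
```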

Source restrictions – reset-security
$\rho \leftarrow \mathsf{Perms}(n)$. The source $S$ queries $\rho/\rho^{-1}$ and outputs leakage $L$ to $R$, which outputs 0/1.
Left: $R$ has oracle access to the same $\rho/\rho^{-1}$. Right: $R$ has oracle access to $\rho_1/\rho_1^{-1}$ for an independently sampled $\rho_1 \leftarrow \mathsf{Perms}(n)$. Left $\approx$ right.
$\mathcal{S}^{\mathrm{srs}}$: $R$ is computationally unbounded $\subseteq$ $\mathcal{S}^{\mathrm{crs}}$: $R$ is PPT
$\mathcal{S}^{\mathrm{cup}} \subseteq \mathcal{S}^{\mathrm{crs}}$

Recap
psPRP[$\mathcal{S}^{\mathrm{srs}}$], psPRP[$\mathcal{S}^{\mathrm{sup}}$]
Central assumption in UCE theory

Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions