
Range Extension for Weak PRFs Krzysztof Pietrzak (CWI Amsterdam) - PowerPoint PPT Presentation



  1. Range Extension for Weak PRFs. Krzysztof Pietrzak (CWI Amsterdam), Johan Sjödin (ETH Zürich)

  2. (weak) pseudorandom functions
     $F = \{F_1, F_2, \ldots\}$, $F_n : K_n \times X_n \to Y_n$ is a pseudorandom function (PRF) if
     ◮ $F(k, x)$ can be efficiently computed.
     ◮ $F(k, \cdot)$ (with a random key $k \in K_n$) cannot be efficiently distinguished from a uniformly random function $R$.


  4. (weak) pseudorandom functions
     $F = \{F_1, F_2, \ldots\}$, $F_n : K_n \times X_n \to Y_n$ is a weak pseudorandom function (wPRF) if
     ◮ $F(k, x)$ can be efficiently computed.
     ◮ $F(k, \cdot)$ (with a random key $k \in K_n$) cannot be efficiently distinguished from a uniformly random function $R$ when queried on random inputs.
     wPRFs are weaker primitives than PRFs, so relying on the security of a block cipher like AES as a wPRF is more secure than assuming it to be a PRF.


  8. black-box range extension
     Let $C$ be a circuit with oracle gates, such that for any $F : K \times \{0,1\}^n \to \{0,1\}^n$ we have $C^F : K^t \times \{0,1\}^{n'} \to \{0,1\}^{n \cdot e}$.
     ◮ $t$ is the key expansion factor of $C$.
     ◮ $e$ is the range expansion factor of $C$.
     Definition: $C$ is a secure range extension for PRFs if, for any PRF $F$, $C^F$ is also a PRF.

  9. black-box range extension
     Definition: $C$ is a secure range extension for wPRFs if, for any wPRF $F$, $C^F$ is also a wPRF.


  11. applications
     For a wPRF $F$ and a secure expansion $C$, (Enc, Dec) as below is a secure encryption scheme.
     Enc$(k, M)$: sample $X$ at random and output $(C^F(k, X) \oplus M, X)$.
     Dec$(k, (C, X))$: output $C^F(k, X) \oplus C$.
     Overhead is just one block. Key length depends on the key expansion of $C^F$.


  14. example 1: parallel evaluation
     $C^F(\{k_1, \ldots, k_t\}, X) = F(k_1, X), \ldots, F(k_t, X)$
     [Figure: $X$ fed in parallel into $F_1, F_2, \ldots, F_t$]
     + Secure range extension for PRF and wPRF.
     − Range expansion = Key expansion (very low).


  18. example 2: parallel evaluation with one key
     $C^F(k, X) = F(k, X \| [0]), \ldots, F(k, X \| [e-1])$
     $e = 2^z$, $X \in \{0,1\}^{n-z}$, and $[i]$ is the binary representation of $i$ padded to length $z$.
     [Figure: $X$ expanded to $X \| [0], X \| [1], \ldots, X \| [e-1]$, each fed into $F$]
     + Just one key.
     + Secure range extension for PRF.
     − Not a secure range extension for wPRF. E.g. for a wPRF where $F(k, X \| [0]) = F(k, X \| [1])$.
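
The counterexample from slide 18, as an added Python example that is not part of the original slides: a function that ignores the lowest input bit still looks random on random inputs, yet the one-key extension built on it always outputs $Y_0 = Y_1$. HMAC-SHA256 truncated to 16 bytes as the underlying PRF, and the names `prf`, `weak_f`, `one_key_ext` and `distinguish`, are assumptions of this example.

```python
import hashlib
import hmac
import os

N = 16  # block length n in bytes (assumption for this example)

def prf(k, x):
    """Stand-in PRF: HMAC-SHA256 truncated to n bytes (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def weak_f(k, x):
    """Constructed wPRF: clears the lowest input bit before calling prf, so
    weak_f(k, X||0) == weak_f(k, X||1). Uniformly random queries hit such a
    pair only with negligible probability, so it stays random-looking there."""
    return prf(k, x[:-1] + bytes([x[-1] & 0xFE]))

def one_key_ext(f, k, x, z):
    """Example 2: C^F(k, X) = F(k, X||[0]), ..., F(k, X||[e-1]), e = 2^z.
    X is given as an integer of 8*N - z bits; [i] is i written in z bits."""
    return [f(k, ((x << z) | i).to_bytes(N, "big")) for i in range(1 << z)]

def distinguish(f, k, trials=32, z=1):
    """Fraction of random inputs X for which the first two output blocks of
    C^f collide. A random function gives about 0, the constructed wPRF gives 1."""
    hits = 0
    for _ in range(trials):
        x = int.from_bytes(os.urandom(N), "big") >> z  # random X of n - z bits
        y = one_key_ext(f, k, x, z)
        hits += y[0] == y[1]
    return hits / trials

if __name__ == "__main__":
    key = os.urandom(N)
    print("C^prf    collision rate:", distinguish(prf, key))
    print("C^weak_f collision rate:", distinguish(weak_f, key))
```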


  22. a general class of range extensions
     [Figure: circuit for $C^F_{[1,12,2,321]}$ on input $X$, built from $F_1, F_2, F_3$]
     Definition: Let $s = \{s_1, \ldots, s_e\}$, each $s_i \in \{1, \ldots, t\}^*$. Define
     $C_s^F(k_1, \ldots, k_t, X) = Y_1, \ldots, Y_e$
     where $Y_i$ is computed by applying $F$ on input $X$ sequentially as defined by $s_i$, i.e. with $m = |s_i|$
     $Y_i = F(k_{s_i[m]}, F(k_{s_i[m-1]}, \ldots, F(k_{s_i[1]}, X) \ldots))$
     All known (efficient) secure range expansions for wPRFs are of this form (like in the previous talk).
     For which $s$ is $C_s$ a secure range expansion for wPRFs?


  26. The Good, the Bad and the Ugly [1]
     Which of $C_{[12,2]}$, $C_{[11,22]}$, $C_{[12,21]}$ is a secure range extension for wPRFs?
     [Figure: the circuits $C_{[12,2]}$, $C_{[11,22]}$ and $C_{[12,21]}$, built from $F_1$ and $F_2$]
     ◮ $C_{[12,2]}$ is secure via a black-box reduction.
     ◮ $C_{[11,22]}$ is not secure via a black-box reduction.
     ◮ $C_{[12,21]}$ can be proven neither secure nor insecure via a black-box reduction.


  30. The Good, the Bad and the Ugly [2]
     ◮ $C_\alpha$, $\alpha \subset \mathbb{N}^*$, is good if the security of $C_\alpha$ (as range expansion for wPRFs) can be proven via a black-box reduction.
     ◮ $C_\alpha$ is bad if there is a black-box construction $G$, such that for any $F$
        ◮ If $F$ is a wPRF, so is $G^F$.
        ◮ $C_\alpha^{G^F}$ is not a wPRF.
     ◮ $C_\alpha$ is ugly if it's not good and not bad.
     We completely classify $C_\alpha$ (as good, bad or ugly) by simple properties of $\alpha$.

  31. Theorem (Complete Classification)
     $C_\alpha$, $\alpha = \{s_1, \ldots, s_t\}$, is
     ◮ bad if $\alpha$ contains a string with two consecutive identical letters or two identical strings.
     ◮ good if it's not bad and whenever a letter $c$ appears before a letter $d$ in some $s \in \alpha$, then $d$ does not appear before $c$ in any string $s' \in \alpha$.
     ◮ ugly if it's neither good nor bad.
     [Figure: the circuits $C_{[12,2]}$, $C_{[11,22]}$ and $C_{[12,21]}$, built from $F_1$ and $F_2$]
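
The construction $C_\alpha^F$ from slide 22, the classification theorem above and the Enc/Dec scheme from slide 11, as an added Python example that is not part of the original slides. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for $F$, letters are single digits (so $t \le 9$), the function names are this example's own, and `enc` refusing any $\alpha$ that is not good is this example's policy.

```python
import hashlib
import hmac
import os

N = 16  # block length n in bytes (assumption for this example)

def F(k, x):
    """Stand-in for F: HMAC-SHA256 truncated to n bytes (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def eval_C(alpha, keys, x):
    """C_alpha^F(k_1..k_t, X) = Y_1..Y_e: chain F along each string s_i."""
    out = b""
    for s in alpha:
        y = x
        for letter in s:  # s_i[1] is applied first, s_i[m] last
            y = F(keys[int(letter) - 1], y)
        out += y
    return out

def classify(alpha):
    """Apply the rules of the Complete Classification theorem to alpha."""
    if len(set(alpha)) < len(alpha):
        return "bad"  # two identical strings
    if any(a == b for s in alpha for a, b in zip(s, s[1:])):
        return "bad"  # a string with two consecutive identical letters
    # every ordered pair (c, d) where c appears before d in some string
    before = {(s[i], s[j]) for s in alpha
              for i in range(len(s)) for j in range(i + 1, len(s))}
    return "ugly" if any((d, c) in before for c, d in before) else "good"

def enc(alpha, keys, m):
    """Enc(k, M): sample X at random, output (C^F(k, X) xor M, X)."""
    if classify(alpha) != "good":
        raise ValueError("alpha is not provably secure for wPRFs")
    if len(m) > N * len(alpha):
        raise ValueError("message longer than the extended range")
    x = os.urandom(N)
    return bytes(p ^ b for p, b in zip(eval_C(alpha, keys, x), m)), x

def dec(alpha, keys, c, x):
    """Dec(k, (C, X)): output C^F(k, X) xor C."""
    return bytes(p ^ b for p, b in zip(eval_C(alpha, keys, x), c))
```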
