Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier
Alain Passelègue, École normale supérieure
Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL)
Practice
o RKAs introduced by Biham and Knudsen in the early 90's.
o Since then, a huge number of papers mounting RKAs.
o Security goal for AES and other modern blockciphers.
o Recent RKAs on AES-192 and AES-256. [BK09, BDKKS10]
Single-Key Attack vs. Related-Key Attack (RKA) on a cryptosystem F
o Single-key attack: the adversary queries x and receives F(k,x), always under the same key k.
o Related-key attack: the adversary queries x and receives F(k_1,x), …, F(k_n,x), where k_1, …, k_n are derived from k in an adversary-specified way.
Formalization
[BK03] defines RKA security in terms of classes Φ of Related-Key Deriving (RKD) functions: the adversary receives F(k_1,x), …, F(k_n,x) with k_i = φ_i(k), where φ_i ∈ Φ.
Previous Works
o Before 2010: RKA-PRFs for limited classes, strong assumptions, ideal models. [BK03, Lucks04, GL10]
o [BC10]: RKA-PRFs for group-induced classes, standard assumptions, standard model.
o Limitations of [BC10]:
- Claw-free classes only.
- Exponential-time reduction for the additive case (exponential in the input size).
- Minor bug in the framework.
o Related work: [BLMR13] RKA-PRF for additive classes from lattices and multilinear maps.
Our Contributions
We repair and extend the [BC10] framework. Construction of Φ-RKA-PRFs with:
o Larger classes (with claws): affine and polynomial classes.
o Standard assumptions, standard model.
o Polynomial-time reduction.
This talk: polynomial-time reduction for the additive case.
Outline
Part 1: Security model.
Part 2: The Bellare-Cash framework.
Part 3: Additive case with polynomial-time reduction.
Part 1: Security Model: Φ-RKA-PRF
F: 𝐿 × 𝐸 → 𝑆 a PRF, Φ a class of RKD functions (a set of functions φ: 𝐿 → 𝐿).
Initialize: pick k ∈ 𝐿 and b ∈ {0,1} at random.
RKA-PRF oracle: on a query (φ, x) ∈ Φ × 𝐸 from the adversary A,
- if b = 1, return F(φ(k), x);
- if b = 0, return a random y ∈ 𝑆 (written $).
Run until the adversary A outputs b'.
Finalize: A wins if b = b'.
Part 2: How to construct RKA-PRFs from PRFs? The Bellare-Cash Framework
Key-Malleability
F is Φ-Key-Malleable: F(φ(k),x) is computable from F(k,·), for any φ and x.
Concretely, a Key Transformer KT_F receives (φ, x), queries the PRF oracle F(k,·) on inputs x_i of its choice, receives F(k,x_i), and outputs F(φ(k),x).
Bad Thing About Key-Malleability
Φ-Key-Malleable ⟹ Not Φ-RKA-secure.
Verification by the adversary A against the RKA-PRF oracle (which returns F(φ(k),x) or $):
o query (φ, x) to the oracle;
o query (id, x_i) to the oracle for the inputs x_i that KT_F(φ, x) needs, obtaining F(k,x_i) or $, and run KT_F on these answers;
o if the two results match ⟹ oracle = F; if they don't match ⟹ oracle = $.
Good Thing About Key-Malleability
Φ-Key-Malleable PRF ⟹ Φ-RKA-secure against Unique-Input (UI) adversaries (adversaries that never query the same input x twice).
How to force the adversary to be unique-input?
Idea: instead of computing F(k,x), compute F(k,H(k,x)) with H a collision-resistant hash function.
Why? If φ or x changes, so does the key φ(k) or the input x, hence the inner input H(φ(k),x) changes too.
Problem: not clear how to prove this works (we don't know k during the reduction).
Solution [BC10]: Key-Fingerprint. (w_1, …, w_m) is a set of inputs such that the corresponding outputs uniquely define the key:
(F(k,w_1), …, F(k,w_m)) ≠ (F(k',w_1), …, F(k',w_m)) iff k ≠ k'.
New construction: F(k, H((F(k,w_1), …, F(k,w_m)), x)).
The Bellare-Cash Framework
Φ-Key-Malleable PRF ⟹ Φ-RKA-PRF against UI adversaries.
Φ-RKA-PRF against UI adversaries + Key-Fingerprint + Φ claw-free ⟹ Φ-RKA-PRF.
Limitations:
- Claw-free classes only.
- Proof based on the Key-Transformer.
Reduction time?
NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}} [NR97]
NR(k+1, 11…1) = g^{(k_1+1)·(k_2+1)·…·(k_n+1)} = g^{k_1 k_2 … k_n} · g^{k_2 k_3 … k_n} · g^{k_1 k_3 … k_n} · … · g^{k_1} · g
This product has 2^n terms, each of the form NR(k,x) for some x ∈ {0,1}^n.
Running time of the key transformer: O(2^n).
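The key transformer for the Naor-Reingold PRF and the additive class Φ+, together with the consistency check from the "Bad Thing About Key-Malleability" slides, as an added worked example (my code, not the authors' or the paper's). It assumes a constructed toy group (p = 23, q = 11, g = 2) so every value can be checked by hand; the function names nr, key_transformer, looks_like_real, the sample key and the stand-in for the random world are mine. The oracle interface follows the Part 1 game: an RKA oracle takes (δ, x) and answers for the related key k + δ, with δ = 0 being the identity.

```python
from itertools import combinations

# Constructed toy parameters (assumption): p = 23 is prime and g = 2 generates the
# subgroup of prime order q = 11 in Z_23^*. A deployment would use a ~256-bit q.
P, Q, G = 23, 11, 2


def nr(k, x):
    """Naor-Reingold PRF as written on the slides: NR(k, x) = g^{prod_{i : x[i] = 1} k[i]}.
    k is a list of n elements of Z_q, x a list of n bits."""
    e = 1
    for ki, xi in zip(k, x):
        if xi:
            e = (e * ki) % Q
    return pow(G, e, P)


def add_key(k, delta):
    """RKD function from the additive class Phi+: phi_delta(k) = k + delta, componentwise mod q."""
    return [(ki + di) % Q for ki, di in zip(k, delta)]


def indicator(n, positions):
    """Input bit string 1_S with ones exactly at the given positions."""
    return [1 if i in positions else 0 for i in range(n)]


def key_transformer(oracle, delta, x):
    """Key transformer KT for Phi+: compute NR(k + delta, x) from oracle access to NR(k, .) only.

    With T = {i : x[i] = 1}, the exponent prod_{i in T} (k[i] + delta[i]) expands over the
    subsets S of T into sum_S prod_{i in S} k[i] * prod_{i in T \\ S} delta[i], hence
        NR(k + delta, x) = prod_S NR(k, 1_S)^{prod_{i in T \\ S} delta[i]}.
    Returns (value, number of oracle queries). The query count is 2^|T|: this is the
    exponential cost of the 'Reduction time?' slide (2^n queries for x = 11...1)."""
    n = len(x)
    t = [i for i in range(n) if x[i]]
    value, queries = 1, 0
    for size in range(len(t) + 1):
        for s in combinations(t, size):
            coeff = 1
            for i in t:
                if i not in s:
                    coeff = (coeff * delta[i]) % Q
            value = (value * pow(oracle(indicator(n, set(s))), coeff, P)) % P
            queries += 1
    return value, queries


def looks_like_real(rka_oracle, delta, x):
    """The check from the 'Bad Thing About Key-Malleability' slides: ask the RKA oracle for
    F(phi_delta(k), x), recompute the same value through KT using identity-key queries
    (delta = 0 everywhere), and compare. The b = 1 world always matches; an independent
    random function (b = 0) matches only with probability about 1/q."""
    n = len(x)
    identity = [0] * n
    claimed = rka_oracle(delta, x)
    recomputed, _ = key_transformer(lambda xx: rka_oracle(identity, xx), delta, x)
    return claimed == recomputed


def real_rka_oracle(k):
    """b = 1 world of the Part 1 game: answers (delta, x) with NR(k + delta, x)."""
    return lambda delta, x: nr(add_key(k, delta), x)


def fake_rka_oracle(delta, x):
    """Constructed stand-in for the b = 0 world: a deterministic function of (delta, x)
    with no relation to the NR key structure (a truly random function behaves alike)."""
    return pow(G, (7 * sum(x) + 3 * sum(delta)) % Q, P)


if __name__ == "__main__":
    k = [3, 5, 7, 2]          # constructed secret key
    delta = [1, 1, 1, 1]      # phi(k) = k + 1, as on the 'Reduction time?' slide
    x = [1, 1, 0, 1]
    direct = nr(add_key(k, delta), x)
    via_kt, nq = key_transformer(lambda xx: nr(k, xx), delta, x)
    print(f"NR(k+1, x) = {direct}, KT gives {via_kt} after {nq} oracle queries")
    print("real oracle passes the check:", looks_like_real(real_rka_oracle(k), delta, x))
    print("fake oracle passes the check:", looks_like_real(fake_rka_oracle, delta, x))
```

The query counter makes the "Reduction time?" point concrete: the transformer needs one NR(k, 1_S) value per subset S of the positions where x is 1, so 2^n oracle queries for x = 11…1, which is why the [BC10] reduction is exponential for Φ+. The check in looks_like_real is the reason key-malleability alone cannot give RKA security: an adversary who can query the identity key recomputes any related-key answer and compares.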
Part 3: Our Contributions
Starting point, the [BC10] framework: Φ-Key-Malleable PRF ⟹ Φ-RKA-PRF against UI adversaries; + Key-Fingerprint + Φ claw-free ⟹ Φ-RKA-PRF.
Limitations:
- Claw-free classes only. Our framework removes this requirement (not detailed in this talk).
- Proof based on the Key-Transformer. We replace it by a direct proof ⟹ polynomial-time reduction for Φ+.
A Direct Polynomial-Time Security Proof
Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}
We can prove UI-RKA security for Φ+ using key-malleability, but this gives an exponential-time reduction.
Our paper: we provide a better reduction by proving it directly.
Evaluating the Naor-Reingold PRF NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}
Read x bit by bit, starting from g: if x[i] = 1, raise the current value to the power k[i]; if x[i] = 0, keep it.
For x = 1 0 1 … 1 0:
g → g^{k[1]} (x[1] = 1) → g^{k[1]} (x[2] = 0) → g^{k[1]k[3]} (x[3] = 1) → … → g^{k[1]k[3]…k[n-1]} (x[n-1] = 1) → g^{k[1]k[3]…k[n-1]} (x[n] = 0) = NR(k, 101…10)
Tree view of NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}
Level 1: bit x[1], key element k[1]. Level 2: bit x[2], key element k[2]. Level 3: bit x[3], key element k[3]. … Level n-1: bit x[n-1], key element k[n-1]. Level n: bit x[n], key element k[n].
There are 2^i nodes at level i; the outputs are the leaves (2^n values).
UI-RKA security: show that the leaves of the tree (computed with k[1], …, k[n] under related keys) are indistinguishable from random values ($) to a unique-input adversary.
Idea: use a hybrid proof.
Replace the levels by random values one at a time: in hybrid i, levels 1, …, i are random ($) and levels i+1, …, n still use k[i+1], …, k[n]. Hybrid 0 is the real tree (k[1], …, k[n]); hybrid n is all random ($).
Hybrid i-1 vs. hybrid i: level i is computed with k[i] in one and random ($) in the other; levels i+1, …, n use k[i+1], …, k[n] in both.
Problem: keys might change at each query!
First question: how to define the random values? A new random value for any new key? For instance, the key at level i may be k[i] in one query and k[i] + 1 in the next.
Attack with 3 queries
Values used at level i (g^a is the value at level i-1, reached with k[1], …, k[i-1]; the levels below use k[i+1], …, k[n]):
1. g^a (x[i] = 0), the same in the real world and in the hybrid.
2. g^{a k[i]} (x[i] = 1, key k[i]), replaced by a random g^c in the hybrid.
3. g^{a(k[i]+1)} = g^{a k[i]} · g^a (x[i] = 1, related key k[i]+1), replaced by an independent random g^{c'} in the hybrid.
Since g^{c'} ≠ g^c · g^a in general, the hybrids are not indistinguishable: the adversary checks whether value 3 equals value 2 times value 1.
Fix: define the random value for the related key k[i]+1 as g^c · g^a. Then value 3 = value 2 · value 1 in both worlds, and the hybrids are indistinguishable.
Each time we need to define a new random value at level i: g^$ (with k[i+1], … used below it).
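The 3-query consistency test and the two ways of sampling at level i, as an added simulation (my code, not the paper's). It models a single node at level i of the evaluation tree in three worlds: the real evaluation, the naive hybrid that draws an independent random exponent for each related key, and the repaired hybrid in which one random r stands in for k[i] and the value under the related key k[i]+δ is derived as g^{ar}·(g^a)^δ. The slides show δ = 1 only; handling an arbitrary additive δ the same way is my extension. The class name LevelI, the sampler hook and the toy group (p = 23, q = 11, g = 2) are assumptions.

```python
import random

# Constructed toy group (assumption): g = 2 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 2


class LevelI:
    """One node of the NR evaluation tree at level i, in three different worlds.

    The parent node at level i-1 is g^a (in hybrid i it is already a random value, but it is
    shared by every query reaching this node). A query (delta, x_i) asks for the child under
    the related key k[i] + delta: the parent itself if x_i = 0, else the parent raised to
    k[i] + delta.
      kind = 'real'  : honest evaluation, exponent a * (k[i] + delta)
      kind = 'naive' : first hybrid attempt from the slides, a fresh random exponent for every
                       new related key, so k[i] and k[i]+1 receive unrelated values
      kind = 'fixed' : repaired hybrid, one random r replaces k[i] and the related-key value
                       is derived from it as g^{a(r+delta)} = g^{ar} . (g^a)^delta
    `sampler` returns fresh elements of Z_q; it is injectable so a run is reproducible."""

    def __init__(self, kind, a, ki, sampler=lambda: random.randrange(1, Q)):
        self.kind, self.a, self.ki, self.sampler = kind, a % Q, ki % Q, sampler
        self.table = {}   # lazily sampled randomness of the hybrid worlds

    def node(self, delta, xi):
        if not xi:
            return pow(G, self.a, P)            # x_i = 0: the key element is not used
        if self.kind == "real":
            e = self.a * (self.ki + delta)
        elif self.kind == "naive":
            if delta not in self.table:         # new key -> new, unrelated random value
                self.table[delta] = self.sampler()
            e = self.table[delta]
        elif self.kind == "fixed":
            if "r" not in self.table:           # one random r for this node, shared by all keys
                self.table["r"] = self.sampler()
            e = self.a * (self.table["r"] + delta)
        else:
            raise ValueError(self.kind)
        return pow(G, e % Q, P)


def three_query_check(world):
    """The adversary's 3-query test from the 'Attack with 3 queries' slide:
    1. g^a             (x_i = 0, identity key)
    2. g^{a k[i]}      (x_i = 1, identity key)
    3. g^{a (k[i]+1)}  (x_i = 1, related key k[i] + 1)
    In the real world value 3 = value 2 * value 1. Returns True when the relation holds."""
    v1 = world.node(0, 0)
    v2 = world.node(0, 1)
    v3 = world.node(1, 1)
    return v3 == (v1 * v2) % P


if __name__ == "__main__":
    a, ki = 3, 5                                   # constructed exponents
    for kind in ("real", "naive", "fixed"):
        print(kind, three_query_check(LevelI(kind, a, ki)))
```

With a random sampler the naive hybrid passes the check only by accident (probability 1/q, so roughly 1 in 11 runs in this toy group), while the real world and the repaired hybrid always pass: the repaired sampling keeps exactly the multiplicative relation between related keys that the adversary can test, which is what makes consecutive hybrids indistinguishable.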