
Related-Key Security for Pseudorandom Functions Beyond the Linear - PowerPoint PPT Presentation



  1. Related-Key Security for Pseudorandom Functions Beyond the Linear Barrier. Alain Passelègue, École normale supérieure. Joint work with: Michel Abdalla (ENS), Fabrice Benhamouda (ENS), Kenneth G. Paterson (RHUL).

  2. Practice
  o RKAs introduced by Biham and Knudsen in the early 90's.
  o Since then, a huge number of papers mounting RKAs.
  o Security goal for AES and other modern blockciphers.
  o Recent RKAs on AES-192 and AES-256. [BK09,BDKKS10]

  3. Single-Key Attack on a cryptosystem F: the adversary queries inputs x and receives F(k,x). Related-Key Attack (RKA) on a cryptosystem F: the adversary queries inputs x and receives F(k_1,x), …, F(k_n,x), where k_1, …, k_n are derived from k in an adversary-specified way.

  4. Formalization. [BK03] defines RKA security in terms of classes Φ of Related-Key Deriving (RKD) functions. The adversary queries x and receives F(k_1,x), …, F(k_n,x), with k_i = φ_i(k) where φ_i ∈ Φ.

  5. Previous Works
  o Before 2010: RKA-PRFs for limited classes, strong assumptions, ideal models. [BK03,Lucks04,GL10]
  o [BC10]: RKA-PRFs for group-induced classes, standard assumptions, standard model.
  o Limitations of [BC10]:
    - Claw-free classes.
    - Exponential-time reduction for the additive case (exponential in the input size).
    - Minor bug in the framework.
  o Related works: [BLMR13] Additive PRF from lattices and multilinear maps.

  6. Our Contributions
  We repair and extend the [BC10] framework. Construction of Φ-RKA-PRFs:
  o Larger classes (with claws) (affine and polynomial classes).
  o Standard assumptions, standard model.
  o Polynomial-time reduction.
  This talk: polynomial-time reduction for the additive case.

  7. Outline. Part 1: Security model. Part 2: The Bellare-Cash framework. Part 3: Additive case with polynomial-time reduction.

  8. Part 1: Security Model: Φ-RKA-PRF. F: K × D → R a PRF, Φ a class of RKD functions (a set of functions φ: K → K).
  Initialize: pick at random k ∈ K, b ∈ {0,1}.
  RKA PRF Oracle: on a query (φ,x) ∈ Φ × D from the adversary A, if b = 1 return F(φ(k),x); if b = 0 return a random y ∈ R ($).
  Continue until the adversary A outputs b'.
  Finalize: A wins iff b = b'.

  9. Part 2: How to construct RKA-PRFs from PRFs? The Bellare-Cash Framework

  10. Key-Malleability. F is Φ-Key-Malleable: F(φ(k),x) is computable from F(k,·), for any φ, x. Picture: a Key Transformer KT_F receives (φ,x), queries the PRF oracle (holding k) on inputs x_i to obtain F(k,x_i), and outputs F(φ(k),x).

  11–13. Bad Thing About Key-Malleability. Φ-Key-Malleable ⟹ Not Φ-RKA-secure. The adversary A queries (φ,x) to the RKA PRF oracle and receives F(φ(k),x) or $. Verification: A then queries (id,x_i) and receives F(k,x_i) or $, and runs KT_F(φ,x) on these answers. If the result matches the first answer ⟹ oracle = F; if it doesn't match ⟹ oracle = $.

  14. Good Thing About Key-Malleability. Φ-Key-Malleable PRF ⟹ Φ-RKA-secure against Unique-Input adversaries (that never query the same input x twice). How to force the adversary to be unique-input?

  15–17. Idea: instead of computing F(k,x), compute F(k,H(k,x)) with H a collision-resistant hash function. Why? If φ or x changes, so does k or x. Problem: not clear how to prove this works (we don't know k during the reduction). Solution [BC10]: Key-Fingerprint (w_1,…,w_m) = a set of inputs such that the corresponding outputs uniquely define the key: (F(k,w_1),…,F(k,w_m)) ≠ (F(k',w_1),…,F(k',w_m)) iff k ≠ k'. Then compute F(k, H((F(k,w_1),…,F(k,w_m)), x)).

  18–19. The Bellare-Cash Framework. Φ-Key-Malleable PRF + Key-Fingerprint + Φ Claw-Free ⟹ Φ-RKA-PRF against UI Adversaries ⟹ Φ-RKA-PRF. Limitations: - Claw-free classes only. - Proof based on Key-Transformer.

  20. Reduction time? [NR97] NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}. NR(k+1, 11…1) = g^{(k_1+1)·(k_2+1)·…·(k_n+1)} = g^{k_1 k_2 … k_n} · g^{k_2 k_3 … k_n} · g^{k_1 k_3 … k_n} · … · g^{k_1} · g = ∏_{x ∈ {0,1}^n} NR(k,x) (2^n terms). Running time of the key transformer: O(2^n).
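The following is an added, constructed example and not code from the slides or from the authors. It implements the Naor-Reingold PRF over a toy prime-order group, the key-fingerprint transform of slides 15–17 (unit vectors e_1, …, e_n as the fingerprint inputs, SHA-256 truncated to n bits standing in for the collision-resistant hash), and the additive key transformer of slide 20, instrumented to count the F(k,·) queries it spends. The group parameters (P = 10007, Q = 5003, G = 4), the input length n = 8 and all keys are assumptions chosen for illustration; the transformer's subset-sum identity is the one behind the 2^n-term product on slide 20.

```python
"""Constructed example: Naor-Reingold PRF, key fingerprint and additive key
transformer. Toy parameters; not the slides' or the authors' code."""
import hashlib
from itertools import product

P = 10007  # assumption: toy prime modulus, P = 2*Q + 1
Q = 5003   # prime order of the subgroup generated by G
G = 4      # a quadratic residue mod P, hence of order Q
N = 8      # input length n (assumption)


def nr(k, x):
    """NR(k,x) = g^{prod_{i: x[i]=1} k[i]}, with k in (Z_Q)^N and x in {0,1}^N."""
    assert len(k) == N and len(x) == N
    e = 1
    for ki, xi in zip(k, x):
        if xi:
            e = (e * ki) % Q
    return pow(G, e, P)


def add_key(k, delta):
    """Additive RKD function phi_delta(k) = k + delta, componentwise mod Q."""
    return tuple((ki + di) % Q for ki, di in zip(k, delta))


# Key fingerprint (slide 17): the unit vectors e_1..e_n give g^{k[1]},...,g^{k[n]},
# which coincide for two keys iff the keys are equal.
UNIT_VECTORS = [tuple(1 if j == i else 0 for j in range(N)) for i in range(N)]


def fingerprint(k):
    return tuple(nr(k, w) for w in UNIT_VECTORS)


def hashed_input(fp, x):
    """H(fingerprint, x) -> {0,1}^n: SHA-256 truncated to n bits (stands in for a
    collision-resistant hash; at this toy size the truncation weakens it)."""
    data = ",".join(map(str, fp)) + "|" + "".join(map(str, x))
    h = int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")
    return tuple((h >> i) & 1 for i in range(N))


def nr_bc(k, x):
    """Bellare-Cash transform: F(k, H((F(k,w_1),...,F(k,w_m)), x))."""
    return nr(k, hashed_input(fingerprint(k), x))


class CountingOracle:
    """Oracle access to F(k,.) that records the number of queries made."""

    def __init__(self, k):
        self.k = k
        self.queries = 0

    def __call__(self, x):
        self.queries += 1
        return nr(self.k, x)


def key_transformer(oracle, delta, x):
    """KT_F for the additive class: NR(k+delta, x) from queries to NR(k,.) only.
    prod_{i in supp(x)} (k_i + d_i) = sum over S subset of supp(x) of
        prod_{i in S} k_i * prod_{i in supp(x) minus S} d_i,
    so NR(k+delta, x) = prod_S NR(k, 1_S)^{prod_{i in supp(x) minus S} d_i}:
    one oracle query per subset S, i.e. 2^{|supp(x)|} queries (2^n for x = 1...1)."""
    support = [i for i, xi in enumerate(x) if xi]
    result = 1
    for bits in product((0, 1), repeat=len(support)):
        y = [0] * N
        coeff = 1
        for i, b in zip(support, bits):
            if b:
                y[i] = 1
            else:
                coeff = (coeff * delta[i]) % Q
        result = (result * pow(oracle(tuple(y)), coeff, P)) % P
    return result


def demo():
    """Check KT_F against a direct evaluation; returns (correct?, query count)."""
    k = (12, 345, 678, 9, 1000, 4321, 77, 2020)  # constructed key
    delta = (1,) * N
    ones = (1,) * N
    oracle = CountingOracle(k)
    via_kt = key_transformer(oracle, delta, ones)
    return via_kt == nr(add_key(k, delta), ones), oracle.queries


if __name__ == "__main__":
    ok, queries = demo()
    print("key transformer correct:", ok, "- oracle queries:", queries)
```

Running the block evaluates NR(k+1, 1…1) through the transformer with 2^8 = 256 oracle queries, which is exactly the blow-up the reduction time on slide 20 refers to; for an input of Hamming weight w the count is 2^w.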

  21. Part 3: Our Contributions. Starting point, the Bellare-Cash framework: Φ-Key-Malleable PRF + Key-Fingerprint + Φ Claw-Free ⟹ Φ-RKA-PRF against UI Adversaries ⟹ Φ-RKA-PRF. Limitations: - Claw-free classes only (not detailed in this talk). - Proof based on Key-Transformer.
  22. Part 3: Our Contributions. The same framework without the Claw-Free condition: Φ-Key-Malleable PRF + Key-Fingerprint ⟹ Φ-RKA-PRF against UI Adversaries ⟹ Φ-RKA-PRF. Remaining limitation: proof based on Key-Transformer ⟹ we replace it to obtain a Polynomial-Time Reduction for Φ+.

  23. A Direct Polynomial-Time Security Proof. Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}. We can prove UI-RKA security for Φ+ using key-malleability, but this gives an exponential-time reduction. Our paper: we provide a better reduction by proving it directly.

  24–32. Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}. Evaluation on x = 101…10 as a walk down a tree, one level per input bit: start from g; x[1] = 1 gives g^{k[1]}; x[2] = 0 leaves g^{k[1]} unchanged; x[3] = 1 gives g^{k[1]k[3]}; …; x[n-1] = 1 gives g^{k[1]k[3]…k[n-1]}; x[n] = 0 leaves it unchanged, so the leaf reached is g^{k[1]k[3]…k[n-1]} = NR(k,101…10).

  33. Naor-Reingold PRF: NR(k,x) = g^{∏_{i=1}^{n} k[i]^{x[i]}}, seen as a binary tree: level i is associated with the bit x[i] and the key component k[i], and there are 2^i nodes at level i. Outputs = leaves (2^n values).

  34. UI-RKA security: can the level-1 values, which depend on k[1], be replaced by random values ($) while k[2], k[3], …, k[n-1], k[n] stay as they are?

  35–41. Idea: use a hybrid proof. Replace the key components level by level with random values: first k[1] by $, then k[2], then k[3], …, then k[n-1], then k[n], until every level is random ($).

  42–45. Hybrid i: levels 1 to i-1 are already random ($), level i uses k[i] (the level to be replaced by $), and levels i+1 to n still use k[i+1], …, k[n-1], k[n]. Problem: keys might change at each query! First question: how to define the random values? A new random value for any new key? At level i the queries may involve the related keys k[i] and k[i]+1.

  46–51. Attack with 3 queries (against independent random values). Values used at level i, starting from a node with value g^a: 1. x[i] = 0 (key k[i]): g^a → g^a. 2. x[i] = 1 (key k[i]): g^{a k[i]} → g^c. 3. x[i] = 1 (key k[i]+1): g^{a(k[i]+1)} = g^{a k[i]} · g^a → g^{c'} ≠ g^c · g^a? With independent random values the hybrids are not indistinguishable, since the adversary can check whether the third value equals the product of the first two. Fix: define the third value as g^c · g^a; then the hybrids are indistinguishable.

  52. Each time we need to define a new random value at level i: g^$ (the levels below still use k[i+1], …).
