
Substitution-permutation networks, pseudorandom functions, and natural proofs - PowerPoint PPT Presentation



  1. Substitution-permutation networks, pseudorandom functions, and natural proofs
     Eric Miles, Northeastern University
     Joint work with Emanuele Viola

  2. “Theory vs. practice” gap in cryptography
     Theoreticians have . . .
     - liberal notion of efficiency: polynomial time
     - provable security based on hardness assumptions
     Practitioners have . . .
     - very efficient algorithms: near-linear time
     - heuristic security: resistance to known attacks

  3. Common goal: random-looking functions
     $\{f_K : \{0,1\}^n \to \{0,1\}^n \mid K\}$ indistinguishable from a truly random function
     - theory: pseudorandom function (PRF) [Goldreich-Goldwasser-Micali '84]
     - practice: block cipher / MAC [Feistel '70s], [Simmons '80s] (vs. PRF; NOTE: block cipher “modes”)

  4. Common goal: random-looking functions
     $\{f_K : \{0,1\}^n \to \{0,1\}^n \mid K\}$ indistinguishable from a truly random function
     GAPS between PRF and block cipher / MAC:
     - efficiency: PRF best $|K| \approx n^2$, e.g. factoring-based PRF [Naor-Reingold '04]; block cipher typical $|K| \approx n$, e.g. Advanced Encryption Standard [Daemen-Rijmen '00]
     - methodology: PRF based on PRG/OWF, with “expensive” components, e.g. iterated multiplication; block cipher is a substitution-permutation network (figure: input, S-boxes S S S S, diffusion, key; repeat; output)

  5. Our contributions: bridging the gap
     New candidate PRF based on SP-network
     - more efficient than previous candidates
     - application to Natural Proofs [Razborov-Rudich '97]
     - security derived from “practical” analysis
     Proof-of-concept theorem: SP-network with random S-box = secure, inefficient PRF.
     - analogous to [Luby-Rackoff '88] for Feistel networks

  6. Outline
     - Introduction
     - SP-network: definition and security
     - New PRF candidates
     - SP-network with random S-box
     - Natural Proofs

  7. The SP-network paradigm [Shannon '49, Feistel-Notz-Smith '75]
     (figure: (n = mb)-bit input; key_0; round 1: S S S S, M; key_1; round 2: S S S S, M; key_2; . . .; round r: S S S S, M; key_r; (n = mb)-bit output)
     S(ubstitution)-box $S : GF(2^b) \to GF(2^b)$
     - computationally expensive
     - good crypto properties
     Linear transformation $M : GF(2^b)^m \to GF(2^b)^m$
     - computationally cheap
     - good diffusion properties
     Key XOR
     - only source of secrecy
     - round keys = uniform, independent

  8. Linear and differential cryptanalysis [Biham-Shamir '91] [Matsui '94]
     Two general attacks against a block cipher C
     - parameters of interest: $p_{LC}(C),\, p_{DC}(C) \le 2^{-\Omega(n)} \Rightarrow 2^{-\Omega(n)}$ security against LC/DC
     - details:
       $p_{LC}(C) = \max_{A,B} \mathbb{E}_K \left| \Pr_x[\langle A, x \rangle = \langle B, C_K(x) \rangle] - \tfrac{1}{2} \right|^2$
       $p_{DC}(C) = \max_{A,B} \Pr_{x,K}[C_K(x) + C_K(x + A) = B]$

  9. LC/DC design principles
     1. S-box resists LC/DC: $S(x) := x^{2^b - 2}$ satisfies $p_{LC/DC}(S) \le 2^{-(b-2)}$ [Nyberg '93].
     2. M has “branch number” $Br(M) = m + 1$, where $Br(M) := \min_{x \ne 0} \{ wgt(x) + wgt(M(x)) \}$ for $M : GF(2^b)^m \to GF(2^b)^m$.
     Intuition: 1 + 2 $\Rightarrow$ LC/DC security. S-box security $2^{-\Omega(b)}$ propagates to m bundles: $(2^{-\Omega(b)})^m = 2^{-\Omega(n)}$.
     (figure: an input with a single nonzero bundle, m 0 0 0 0 0 0 0, passes through M and spreads over the S-box rows S S S S S S S S / M / S S S S S S S S / M / …)

  10. Outline
     - Introduction
     - SP-network: definition and security
     - New PRF candidates
     - SP-network with random S-box
     - Natural Proofs

  11. New PRF: quasi-linear size
     Theorem [M-Viola]: $\exists$ size-$n \cdot \log^{O(1)} n$ SPN with LC/DC security $2^{-n/2}$.
     Compare to best complexity PRF [Naor-Reingold '04]:
     - security from factoring / discrete-log hardness
     - size = $\Omega(n^2)$

  12. New PRF: quasi-linear size
     Theorem [M-Viola]: $\exists$ size-$n \cdot \log^{O(1)} n$ SPN with LC/DC security $2^{-n/2}$.
     EFFICIENCY (figure: input, r = O(log n) rounds of S S S S and M, output)
     S-box: $S(x) := x^{2^b - 2}$
     - $b = \log n \Rightarrow S \in$ size $\log^{O(1)} n$
     Linear transformation
     - Let $G = [I \mid M]$ be the $m \times 2m$ Reed-Solomon code.
     - this gives max branch number [Daemen '95]
     - Such M is a Cauchy matrix. [Roth-Seroussi '85]
     - We adapt [Gerasoulis '88] to do Cauchy multiplication in size $O(n \cdot \log^3 n)$.

  13. New PRF: quasi-linear size
     Theorem [M-Viola]: $\exists$ size-$n \cdot \log^{O(1)} n$ SPN with LC/DC security $2^{-n/2}$.
     SECURITY
     Theorem [Kang-Hong-Lee-Yi-Park-Lim '01, M-Viola '12]: If $p_{LC/DC}(S) \le 2^{-(b-2)}$ and $Br(M) = m + 1$, then the r-round SPN has $p_{LC/DC}(SPN) \le 2^{-(n - rm)}$.
     - $r = b/2 \Rightarrow$ security $= 2^{-n/2}$ ($n = mb$)
     - $S(x) = x^{2^b - 2}$ has the $p_{LC/DC}$ bounds [Nyberg '93]
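The S-box, Cauchy-matrix linear layer and round structure from slides 9, 12 and 13, worked as an added Python example (not code from the talk or its authors): it uses a toy field GF(2^4) with modulus x^4 + x + 1 and Cauchy points 1..2m chosen here, brute-forces $p_{DC}(S)$ and $Br(M)$ to check the Nyberg bound $2^{-(b-2)}$ and the MDS branch number $m + 1$, and runs the r-round SPN with a naive matrix-vector product rather than the quasi-linear Cauchy multiplication the slides cite.

```python
from functools import reduce
from itertools import product
from operator import xor
B, POLY = 4, 0b10011   # toy GF(2^4) with modulus x^4 + x + 1 (assumed; the slides use b = log n)

def gf_mul(a, c):
    """Multiply in GF(2^B), reducing by POLY."""
    r = 0
    for i in range(B):
        if (c >> i) & 1:
            r ^= a
        a = (a << 1) ^ (POLY if a >> (B - 1) else 0)
    return r

def sbox(x):
    """S(x) := x^(2^B - 2): field inversion with S(0) = 0 [Nyberg '93]."""
    r, e = 1, (1 << B) - 2
    while e:
        if e & 1:
            r = gf_mul(r, x)
        x, e = gf_mul(x, x), e >> 1
    return r

def p_dc_sbox():
    """max over A != 0, D of Pr_x[S(x) + S(x + A) = D], with + being XOR."""
    n = 1 << B
    s = [sbox(x) for x in range(n)]
    return max(sum(s[x] ^ s[x ^ a] == d for x in range(n))
               for a in range(1, n) for d in range(n)) / n

def cauchy_matrix(m):
    """M[i][j] = 1/(x_i + y_j) over 2m distinct points: MDS, so Br(M) = m + 1 [Roth-Seroussi '85]."""
    return [[sbox(i ^ j) for j in range(m + 1, 2 * m + 1)] for i in range(1, m + 1)]

def apply_m(M, x):
    """Linear layer y = M x over GF(2^B); x is a list of m bundles (naive O(m^2) product)."""
    return [reduce(xor, (gf_mul(a, xj) for a, xj in zip(row, x)), 0) for row in M]

def branch_number(M):
    """Br(M) := min over x != 0 of wgt(x) + wgt(M x), weights counted in bundles."""
    return min(sum(map(bool, x)) + sum(map(bool, apply_m(M, x)))
               for x in product(range(1 << B), repeat=len(M)) if any(x))

def spn(x, keys, M):
    """r-round SPN on m bundles: per round, key XOR, S on each bundle, then M;
    keys[r] is XORed after the last round, so len(keys) = r + 1 as in the slide figure."""
    for k in keys[:-1]:
        x = apply_m(M, [sbox(xi ^ ki) for xi, ki in zip(x, k)])
    return [xi ^ ki for xi, ki in zip(x, keys[-1])]
```

For this field the inverse S-box meets the Nyberg bound with equality ($p_{DC} = 2^{-2}$), and the Cauchy M attains $Br(M) = m + 1$ for m = 2 and 3.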

  14. New PRF: simple candidate
     $S(x) := x^{2^n - 2}$, $C_{K,K'}(x) := \langle (x + K)^{2^n - 2}, K' \rangle \in \{0,1\}$ (figure: input x, key K, S, inner product with K')
     Theorem [M-Viola]: $C_{K,K'}$ $2^{-\Omega(n)}$-fools parity tests on $\le 2^{0.9n}$ outputs.
     - compare to [Even-Mansour '91]:
       - replace EM's random function with S: simple attack
       - also replace $+ K'$ with $\langle \cdot, K' \rangle$: fools parity tests
     - also computable in quasi-linear size [Gao-von zur Gathen-Panario-Shoup '00]

  15. Outline
     - Introduction
     - SP-network: definition and security
     - New PRF candidates
     - SP-network with random S-box
     - Natural Proofs

  16. SP-network with random S-box
     Theorem [M-Viola]: If the SP-network has 1. a random S-box and 2. a max-branch-number M, then the q-query distinguishing advantage is $\le (rmq)^3 \cdot 2^{-b}$.
     - when $b = \omega(\log n)$, security $= n^{-\omega(1)}$
     - similar bound as Luby-Rackoff
     - we exploit structure to bound collision probabilities

  17. SP-network with random S-box (figure: input, $K_0$, S S S S, M, $K_1$, . . ., S S S S, output)
     - Fix queries $x_1, \ldots, x_q \in \{0,1\}^n$.
     - $\Pr[\exists \text{ collision in any 2 final-round S-boxes}] \le poly(m, q) \cdot 2^{-b}$.
       - uses M invertible, all entries $\ne 0$
       - non-trivial for $x_i \ne x_j$, same S-box
     - No collisions $\Rightarrow$ output is uniform.

  18. Outline
     - Introduction
     - SP-network: definition and security
     - New PRF candidates
     - SP-network with random S-box
     - Natural Proofs

  19. Natural Proofs [Razborov-Rudich '97]
     - CKT = any complexity class (e.g. circuits of size $n^2$)
     - Observation: Most lower bounds against CKT distinguish CKT truth tables from random truth tables.
     - Implication: If CKT can compute a $2^{-n}$-secure PRF, most techniques can't prove CKT lower bounds.
     - Gap: best PRF: size $\Omega(n^2)$ [Naor-Reingold '04]; best lower bound: size $O(n)$ [Blum '84]

  20. Natural Proofs [Razborov-Rudich '97]
     - CKT = any complexity class (e.g. circuits of size $n^2$)
     - Observation: Most lower bounds against CKT distinguish CKT truth tables from random truth tables.
     - Implication: If CKT can compute a $2^{-n}$-secure PRF, most techniques can't prove CKT lower bounds.
     - We narrow the gap in 3 models (if our PRF is $2^{-n}$-secure):
       - Boolean circuits of size $n \cdot \log^{O(1)}(n)$
       - $TC^0$ circuits of size $O(n^{1+\varepsilon})$ for any $\varepsilon > 0$ [Allender-Koucký '10]
       - time-$O(n^2)$ 1-tape Turing machines

  21. Conclusion
     SPN structure underexplored for PRF
     - lends itself to efficient circuits
     - combinatorial hardness, vs. algebraic for complexity PRF
     - we give evidence that SPNs are plausible PRF candidates
     - we provide asymptotic analysis of SPN structure
     Future directions
     - simplest, most efficient possible PRF?
       - linear-size circuits
       - branching programs
       - communication protocols
       - …
     - analyze our PRF candidates against other attacks
