Ideal Models in Symmetric Cryptography. Stefano Tessaro, UC Santa Barbara. Visions of Cryptography, Weizmann Institute.


Crypto-History [oversimplified]
Timeline from 2000 BC to 1982: cryptographic algorithms designed from scratch, no proofs, …
From 1982: provable security. Security of cryptosystems formalized and proven under computational assumptions. Amazingly successful.

The Sky is the Limit! Encryption, signatures, multi-party computation, secure delegation, functional encryption, FHE, …

This Talk – In a Nutshell
This talk: a biased selection of problems which cannot be studied within the traditional framework of provable security. Leitmotif: the security proofs are in ideal models (e.g. random oracle model, ideal cipher model, etc.).
Two high-level goals:
1. Survey a set of problems not as widely considered by the core theory community.
2. Thought-provoking: foster discussion on ideal models, and show why "we are stuck with them".

Ideal Models
Cryptographic primitives: a set P of valid "instances", for example
- Functions {0,1}* → {0,1}^n (random-oracle model [FiaSha86,BelRog93])
- Permutations {0,1}^n → {0,1}^n
- Pairs (σ, op), where σ: Z_q → {0,1}^n and op(σ(a), σ(b)) = σ(a + b) (generic-group model [Sho97])
Ideal-P model:
1. Pick P u.a.r. from the set P.
2. Every algorithm (i.e., attacker, schemes) is given access to P.
Rationale: the ideal primitive P has all security properties expected from P-candidates.

Ideal Models
Fact [CaGoHa98]. Security proofs in ideal models are not "sound".
This talk: problems motivated by the design of efficient and highly secure constructions of symmetric cryptographic primitives (block ciphers, hash functions). Ideal models are used in their security proofs:
- They are the only way to give "provable" answers.
- Security against a limited attacker class (i.e., generic attacks) is partially justified by existing cryptanalytic attacks.
"A proof in an ideal model is better than no proof at all."

Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

Pseudorandom Functions [GoGoMi84]
Keyed function F: K × X → Y; random function R: X → Y. The distinguisher D makes Q adaptive queries x in time T and receives either F(SK, x) (left, under a random secret key SK) or R(x) = $ (right), then outputs 0/1.
Definition. F is a (T, Q, ε)-PRF if ∀ (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
[Typically: ε = negl for T, Q = poly(k); here we care about concrete security.]
PRFs give efficient symmetric encryption, MACs, …

Candidates: Block Ciphers
E maps (SK, M) to C = E(SK, M), and E^{-1}(SK, C) = M. E.g.: AES, DES, 3DES, IDEA, BLOWFISH, …
|M| = |C| = n (e.g. n = 128); |SK| = k (e.g. k = 128, 256, …).
For every SK the block cipher is a permutation on n-bit strings: M' ≠ M implies C' ≠ C.

Pseudorandom Permutations [LubRac85]
Block cipher E: K × X → X; random permutation P: X → X. D queries x and receives E(SK, x) (left) or P(x) (right).
Definition. E is a (T, Q, ε)-PRP if ∀ (T, Q)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
Strong PRP: D makes forward queries (+, x) and inverse queries (-, y), answered by E(SK, x) and E^{-1}(SK, y) (left) or by P(x) and P^{-1}(y) (right).

Pseudorandom Constructions
Building PRFs / PRPs from weaker pseudorandom objects is a central problem both in theoretical and applied cryptography.
Example: PRF from PRP (PRP → PRF?).
Standard-model provable security: if E is a (T, Q, ε)-PRP then C is a (T', Q', ε')-PRF, where T' ≈ T.
Important: we always have T' < T.

Our Problem: From Weak to Strong Ciphers
Block-cipher design paradigm: design a weak component, then iterate the weak component multiple times.
Sequential composition of weak ciphers: C = E_{K3}(E_{K2}(E_{K1}(M))). Used for 3DES, where E = DES is insecure (widespread in the electronic payment sector). DES best attack: 2^90.
Expectation: breaking the construction is strictly harder than breaking the component. Hope: T' > T!
Cannot show this in the standard model under any reasonable assumption on E …

Amplification of Generic Security
Sequential composition C = E_{K3}(E_{K2}(E_{K1}(M))). "Generic" security amplification: prove that there is no generic attack – treating E as a black box – which breaks sequential composition with complexity less than T' >> 2^k.
Observation (exhaustive key search). E can always be distinguished with 2^k computation and Q = O(k/n) queries.

The Ideal Cipher Model [Sha49]
∀ SK ∈ {0,1}^k: E_SK is chosen u.a.r. from the set of all permutations {0,1}^n → {0,1}^n.
Two query types:
- Primitive queries (+, SK, M) → E_SK(M) and (-, SK, C) → E_SK^{-1}(C): "local" computation, Q_P queries.
- Construction queries (+, M), (-, C): key-dependent access to the primitive, Q_C queries. In the left world they are answered by the construction C, which calls IC under a random key SK; in the right world by a random permutation P.
Definition. C is a (Q_C, Q_P, ε)-strong PRP if ∀ (Q_C, Q_P)-distinguishers D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.

The General Problem
Problem. Find an efficient C which is a (Q_C, Q_P, negl)-strong PRP for Q_C and Q_P both as large as possible. Trivially, Q_C ≤ 2^n and Q_P < 2^{n+k}.

Two-fold Sequential Composition
EE_{SK1,SK2}: on construction query (+, x), compute y ← IC(+, SK1, x) and z ← IC(+, SK2, y), and return z.

Two-fold Sequential Composition
Meet-in-the-middle attack [DifHel76]. The distinguisher D proceeds as follows:
z ← C(+, x)
∀ SK'1: y[SK'1] ← IC(+, SK'1, x)
∀ SK'2: y'[SK'2] ← IC(-, SK'2, z)
If ∃ SK'1, SK'2: y[SK'1] = y'[SK'2] then output 1, else output 0.
Fact 1. Pr[D → 1 | left] = 1.
Fact 2. If k < n/2: Pr[D → 1 | right] < 1/2.
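The two-fold composition and the meet-in-the-middle distinguisher above, as an added Python example (not code from the slides): a lazily sampled ideal cipher with toy parameters, the EE construction, and the distinguisher D, with Pr[D → 1 | left] and Pr[D → 1 | right] estimated empirically. The class and function names, the toy values k = 2 and n = 8, and the seeded RNG are assumptions made here.

```python
import random

class IdealCipher:
    """Lazily sampled ideal cipher: for each key an independent uniformly random
    permutation on n-bit values, materialised only at the points actually queried."""
    def __init__(self, k, n, rng):
        self.k, self.n, self.rng = k, n, rng
        self.fwd, self.inv = {}, {}   # (key, x) -> y and (key, y) -> x

    def query(self, sign, key, v):
        """Primitive query (+, key, M) or (-, key, C) as in the ideal cipher model."""
        tab, other = (self.fwd, self.inv) if sign == "+" else (self.inv, self.fwd)
        if (key, v) not in tab:
            # Fresh point: pick the image uniformly among values not yet used under this
            # key in the opposite direction, which keeps E_key a permutation.
            used = {w for (kk, w) in other if kk == key}
            w = self.rng.choice([c for c in range(2 ** self.n) if c not in used])
            tab[(key, v)], other[(key, w)] = w, v
        return tab[(key, v)]

def meet_in_the_middle(construction, ic, k, x=0):
    """D from the slide: one construction query, then 2^k forward and 2^k inverse
    primitive queries; outputs 1 iff some y[SK'1] equals some y'[SK'2]."""
    z = construction(x)
    middle = {ic.query("+", sk1, x) for sk1 in range(2 ** k)}                 # y[SK'1]
    hits = [sk2 for sk2 in range(2 ** k) if ic.query("-", sk2, z) in middle]  # y'[SK'2]
    return 1 if hits else 0

def experiment(k, n, trials, seed=1):
    """Empirical (Pr[D -> 1 | left], Pr[D -> 1 | right]) over independently sampled worlds."""
    rng = random.Random(seed)   # seeded only so the toy experiment is reproducible
    left = right = 0
    for _ in range(trials):
        # Left world: EE_{SK1,SK2}(x) = IC(+, SK2, IC(+, SK1, x)) under random keys.
        ic_l = IdealCipher(k, n, rng)
        sk1, sk2 = rng.randrange(2 ** k), rng.randrange(2 ** k)
        left += meet_in_the_middle(lambda x: ic_l.query("+", sk2, ic_l.query("+", sk1, x)), ic_l, k)
        # Right world: an ideal cipher plus an independent random permutation P on n bits.
        ic_r, perm = IdealCipher(k, n, rng), IdealCipher(0, n, rng)
        right += meet_in_the_middle(lambda x: perm.query("+", 0, x), ic_r, k)
    return left / trials, right / trials

if __name__ == "__main__":
    # Fact 1: left-world probability is 1; Fact 2: for k < n/2 the right-world one is below 1/2.
    print(experiment(k=2, n=8, trials=200))
```

With k = 2 and n = 8 the 2^{2k} = 16 middle-value pairs each collide with probability about 2^{-n}, so the right-world rate stays well below 1/2 while the left-world rate is exactly 1.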

DESX [Rivest, 1984]
DESX: C = SK2 ⊕ E(SK, M ⊕ SK1), one block-cipher call with two whitening keys.
Theorem [KilRog01]. DESX is a (Q_C, Q_P, negl)-strong PRP if Q_C · Q_P < 2^{n+k}.
- Result meaningful even when k = 0 [EveMan96].
- Proof succeeds even if SK1 = SK2 [DunKelSha11].
- Essentially optimal for one-call constructions [GazTes12].

3DES
Caveat: if Q_C approaches 2^n, then DESX is distinguishable with Q_P = 2^k queries.
Alternative: back to sequential composition (used in 3DES): C = E_{SK3}(E_{SK2}(E_{SK1}(M))).
Theorem [BelRog06,GazMau10]. 3DES is a (Q_C, Q_P, negl)-strong PRP as long as Q_C ≤ 2^n and Q_P < 2^{n/2+k}.

3DES – Proof Approach
The ideal cipher is a family of K = 2^k independent random permutations π_1, π_2, …, π_K. For random i, j, k the construction composes π_i, π_j and π_k.
Lemma. Hard to distinguish with fewer than 2^{k+n/2} queries.

Beyond Length 3
l-fold sequential composition with keys SK1, SK2, …, SK_l. Expectation: security increases with l.
Theorem [Lee13]. Security for Q_P → 2^{k+min{k,n}} when l → ∞.

Increasing Efficiency [GazTes12]
2XOR-Cascade: two block-cipher calls under keys SK and SK', combined with XORing a whitening key SK''.
Theorem [GazTes12]. 2XOR-Cascade is a (Q_C, Q_P, negl)-strong PRP if Q_C ≤ 2^n and Q_P < 2^{k+n/2}.
[Same security as 3DES, one block cipher call less.]

XOR Cascades
l-fold cascade under keys SK1, …, SK_l, with whitening keys SK'1, SK'2, …, SK'_{l+1} XORed before, between and after the block-cipher calls.
Theorem [LPS12,Lee13,Gaz13,CheSte13]. Security for Q_P → 2^{k+n} when l → ∞. Optimal!

Outline, part 2: Hash Functions and Key Derivation

Hash Functions
Example: block-cipher based hash functions [PGV93], i.e., a compression function H(X, Y) = Z built from a block cipher E.
Practical hash-function constructions are usually only analyzed in ideal models.
Goal: optimize the concrete security / number-of-calls tradeoff for standard security properties. [Hundreds of papers!]

Key-Derivation Functions
Goal: derive a secret key from a low-entropy secret (e.g., a password) – PKCS#5 standard.
SK = H(H(… H(pw || salt) …)), iterating H; the salt is randomly chosen per KDF evaluation.
Expectations:
1. Time to break should increase linearly with the iteration length.
2. Time to break should increase linearly with the number of independent instances.
Theorem [BeRiTe12]. The expectations are true for KDFs from the PKCS#5 standard (in the ROM).
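The iterated, salted KDF of PKCS#5 as an added Python example (not from the slides): PBKDF2 written out from HMAC so that the sequential iteration chain (expectation 1) and the per-evaluation salt (expectation 2) are visible, cross-checked against hashlib.pbkdf2_hmac. The function names, the choice of HMAC-SHA-256 as PRF, the 16-byte salt and the default iteration count are assumptions made here.

```python
import hashlib
import hmac
import os

def pbkdf2(password: bytes, salt: bytes, iterations: int, dk_len: int, hash_name: str = "sha256") -> bytes:
    """PKCS#5 v2.0 PBKDF2 with PRF = HMAC-<hash_name>: output block T_i is the XOR of the chain
    U_1 = PRF(pw, salt || INT(i)), U_j = PRF(pw, U_{j-1}) for j = 2..iterations."""
    h_len = hashlib.new(hash_name).digest_size
    prf = lambda data: hmac.new(password, data, hash_name).digest()
    blocks = -(-dk_len // h_len)                   # ceil(dk_len / h_len)
    out = b""
    for i in range(1, blocks + 1):
        u = prf(salt + i.to_bytes(4, "big"))       # U_1: the per-instance salt enters here
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):            # U_2 .. U_c: the inherently sequential
            u = prf(u)                             # chain behind the slide's "iteration length"
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(h_len, "big")
    return out[:dk_len]

def derive_key(password: bytes, iterations: int = 100_000, salt: bytes = None) -> tuple:
    """Fresh random salt per evaluation (the slide's second expectation): equal passwords give
    independent KDF instances, so attack cost cannot be shared across them."""
    salt = os.urandom(16) if salt is None else salt
    return salt, pbkdf2(password, salt, iterations, 32)

def matches_stdlib(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bool:
    """Cross-check of the hand-written derivation against hashlib.pbkdf2_hmac on the same inputs."""
    return pbkdf2(password, salt, iterations, dk_len) == hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dk_len)
```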

Outline, part 3: Building Ideal Primitives

So far: a construction C of a primitive Q from a primitive P achieving a specific goal, with a security proof in the ideal-P model.
Most ambitious goal: a construction C(.) using the ideal primitive P such that C(P) is "as good as" the ideal primitive Q.
"If an application is secure in the ideal-Q model, then it is secure in the ideal-P model, where calls to Q are replaced by calls to C(P)."

Indifferentiability [MaReHo04]
C is a keyless, deterministic construction. Left world: D has access to C(P) and to P. Right world: D has access to Q and to a simulator SIM, which itself may query Q.
Definition. C is (Q_C, Q_P, ε)-indifferentiable if ∃ (efficient) SIM ∀ D: Pr[D → 1 | left] – Pr[D → 1 | right] < ε.
[Typically: efficient = poly(Q_C, Q_P), ε = negl(k).]

Composability [MaReHo04]
Arbitrary security game G, run either with Q or with C(P).
Pr[G → 1 | Q] = negl. Pr[G → 1 | C(P)] = ?
Indifferentiability gives Pr[G → 1 | C(P)] = negl: the adversary's access to P is replaced by SIM.

Indifferentiability Constructions
The literature on indifferentiability encompasses by now hundreds of papers. It is the standard security notion for hash function constructions (e.g., in the SHA-3 competition): "the hash function has all security properties of a random oracle."
Typical example: random oracles from ideal ciphers. Starting from IV, iterate E over the message blocks M1, M2, …, M_l, then truncate the output.
Theorem [CDMP05]. The construction is indifferentiable from a random oracle in the ideal-cipher model.

Ideal Ciphers from Random Oracles
Theorem [HoKuTe11]. The 14-round Feistel network with round functions F1, F2, …, F14 is indifferentiable from a random permutation.
Much more complex than the converse. [CoPaSe08]

Indifferentiability Constructions
Other constructions:
- Random oracles from fixed-input-length random oracles with optimal security [..., MauTes07, ..., DodSte11, ...]
- Ideal ciphers from random permutations [ABDMS13,LamSeu13]
Leads to interesting questions about expander graphs.

Multi-Stage Games
A game with several stages G1, G2, … that each access Q. Examples: deterministic encryption, leakage resilience, …
Observation [RSS11]. Indifferentiability does not imply composition for multi-stage games.

Multi-Stage Games
New goal: find good indifferentiability-like notions with composition properties for multi-stage games.
- Reset indifferentiability [RSS11]: the distinguisher is allowed to reset the simulator.
- Reset indifferentiability is sufficient for secure composition in the multi-stage setting.
- Many impossibility results: traditional indifferentiability results are impossible for reset indifferentiability [DGHM13,BBM13,…]
…

Conclusions
- Ideally, we would like to avoid ideal models.
- A large number of relevant security questions can only be answered using ideal-model security proofs.
- Ideal models give rise to a rich area of work with interesting theoretical questions.

Thank you!

DESX – Proof Idea
Extend the ideal world: D interacts with a random permutation P (construction queries) and with IC (primitive queries), and additionally random SK, SK1, SK2 are chosen.
Transcript: T_C = {(w, z)} of size Q_C, T_P = {(SK', x, y)} of size Q_P.
D wins if ∃ (w, *) ∈ T_C: (SK, w ⊕ SK1, *) ∈ T_P, or ∃ (*, z) ∈ T_C: (SK, *, z ⊕ SK2) ∈ T_P.
Lemma 1: ε ≤ Pr[D wins].
Lemma 2: Pr[D wins] ≤ 2 Q_C Q_P / 2^{n+k}.