1 Ideal Models in Symmetric Cryptography
Stefano Tessaro, UC Santa Barbara
Visions of Cryptography, Weizmann Institute

2 Crypto-History [oversimplified]
2000 BC to 1982: Cryptographic algorithms designed from scratch, no proofs, …
From 1982: Provable security: Security of cryptosystems formalized and proven under computational assumptions. Amazingly successful.

3 The Sky is the Limit! Encryption, signatures, multi-party computation, secure delegation, functional encryption, FHE, …

4 This Talk – In a Nutshell
This talk: Biased selection of problems which cannot be studied within the traditional framework of provable security.
Leitmotif: Security proofs are in ideal models (e.g. random oracle model, ideal cipher model, etc.).
Two high-level goals:
1. Survey a set of problems not as widely considered by the core theory community.
2. Thought-provoking: Foster discussion on ideal models, and show why “we are stuck with them”.

5 Ideal Models
Cryptographic primitives – a set of valid “instances” P, e.g.:
- Functions {0,1}* → {0,1}^n (random-oracle model [FiaSha86,BelRog93])
- Permutations {0,1}^n → {0,1}^n
- Pairs (σ, op), where σ: Z_q → {0,1}^n and op(σ(a), σ(b)) = σ(a + b) (generic-group model [Sho97])
Ideal-P model:
1. Pick P u.a.r. from the set of valid instances.
2. Every algorithm (i.e., attacker, schemes) is given access to P.
Rationale: The ideal primitive P has all security properties expected from P-candidates.

6 Ideal Models
Fact [CaGoHa98]: Security proofs in ideal models are not “sound”.
Ideal models are nevertheless used in security proofs: “A proof in an ideal model is better than no proof at all.”
This talk: Problems motivated by the design of efficient and highly-secure constructions of symmetric cryptographic primitives (block ciphers, hash functions).
- Ideal models are the only way to give “provable” answers.
- Security against a limited attacker class (i.e., generic attacks) is partially justified by existing cryptanalytic attacks.

7 Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

8 Pseudorandom Functions [GoGoMi84]
Keyed function F: K × X → Y; random function R: X → Y (R(x) = $, i.e., a fresh uniform value).
Distinguisher D makes Q adaptive queries x in time T and outputs 0/1. Left world: x is answered by F(SK, x) for a random key SK. Right world: x is answered by R(x).
Definition. F is a (T, Q, ε)-PRF if ∀ (T, Q)-distinguishers D: Pr[D → 1|left] – Pr[D → 1|right] < ε.
[Typically: ε = negl for T, Q = poly(k); here we care about concrete security.]
PRFs give efficient symmetric encryption, MACs, …

9 Candidates: Block Ciphers
E.g.: AES, DES, 3DES, IDEA, BLOWFISH, …
C = E(SK, M) and M = E^{-1}(SK, C); |M| = |C| = n (e.g. n = 128); |SK| = k (e.g. k = 128, 256, …).
For every SK: the block cipher is a permutation on n-bit strings, i.e., M’ ≠ M implies C’ ≠ C.

10 Pseudorandom Permutations [LubRac85]
Block cipher E: K × X → X; random permutation P: X → X.
Left world: x is answered by E(SK, x). Right world: x is answered by P(x).
Definition. E is a (T, Q, ε)-PRP if ∀ (T, Q)-distinguishers D: Pr[D → 1|left] – Pr[D → 1|right] < ε.
STRONG-PRP: D makes forward queries (+, x), answered by E(SK, x) / P(x), and inverse queries (-, y), answered by E^{-1}(SK, y) / P^{-1}(y).

11 Pseudorandom Constructions
Building PRFs / PRPs from weaker pseudorandom objects is a central problem both in theoretical and applied cryptography.
Example. PRF from PRP: a construction C calling E; is C a PRF if E is a PRP?
Standard-model provable security: If E is a (T, Q, ε)-PRP then C is a (T’, Q’, ε’)-PRF, where T’ ≈ T.
Important: We always have T’ < T.

12 Our Problem: From Weak to Strong Ciphers
Block-cipher design paradigm: Design a weak component; iterate the weak component multiple times.
Sequential composition of weak ciphers: C = E_{K3}(E_{K2}(E_{K1}(M))).
Used for 3DES, where E = DES is insecure (widespread in the electronic payment sector). DES best attack: 2^42. 3DES best attack: 2^90.
Expectation: Breaking the construction is strictly harder than breaking the component. Hope: T’ > T!
Cannot show this in the standard model under any reasonable assumption on E …

13 Amplification of Generic Security
Sequential composition C = E_{K3}(E_{K2}(E_{K1}(M))) as before.
“Generic” security amplification: Prove that there is no generic attack – treating E as a black box – which breaks sequential composition with complexity less than T’ >> 2^k.
Observation (exhaustive key search): E can always be distinguished with 2^k computation and Q = O(k/n) queries.

14 The Ideal Cipher Model [Sha49]
∀ SK ∈ {0,1}^k: E_SK is chosen u.a.r. from the set of all permutations {0,1}^n → {0,1}^n.
Two query types:
- Primitive queries (+, SK, M) → E_SK(M) and (-, SK, C) → E_SK^{-1}(C): “local” computation by D; Q_P queries in total.
- Construction queries (+, M), (-, C): key-dependent access to the primitive through C under the secret key SK; Q_C queries in total.
Left world: D queries the construction C (keyed with a random SK, built on IC) and IC itself. Right world: D queries a random permutation P and IC.
Definition. C is a (Q_C, Q_P, ε)-strong PRP if ∀ (Q_C, Q_P)-distinguishers D: Pr[D → 1|left] – Pr[D → 1|right] < ε.

15 The General Problem
Same game as on the previous slide: D queries the construction C (or the random permutation P) together with IC.
Problem. Find an efficient C which is a (Q_C, Q_P, negl)-strong PRP for Q_C, Q_P both as large as possible.
Upper bounds on the query numbers: Q_C ≤ 2^n, Q_P < 2^{n+k}.

16 Two-fold Sequential Composition
EE_{SK1,SK2}(x) = E_{SK2}(E_{SK1}(x)), built on IC.
A construction query (+, x) is answered by y ← IC(+, SK1, x), z ← IC(+, SK2, y); the answer is z.

17 Two-fold Sequential Composition
Meet-in-the-middle attack [DifHel76] on EE_{SK1,SK2}:
z ← C(+, x)
∀ SK’1: y[SK’1] ← IC(+, SK’1, x)
∀ SK’2: y’[SK’2] ← IC(-, SK’2, z)
If ∃ SK’1, SK’2: y[SK’1] = y’[SK’2] then output 1, else output 0.
Fact 1. Pr[D → 1|left] = 1.
Fact 2. If k < n/2: Pr[D → 1|right] < 1/2.

18 DESX [Rivest, 1984]
One call to E_SK, with whitening keys SK1 and SK2 XORed to its input and output.
Theorem [KilRog01]: DESX is a (Q_C, Q_P, negl)-strong PRP if Q_C · Q_P < 2^{n+k}.
- Result meaningful even when k = 0 [EveMan96]
- Proof succeeds even if SK1 = SK2 [DunKelSha11]
- Essentially optimal for one-call constructions [GazTes12]

19 3DES
Alternative: Back to sequential composition (used in 3DES): C = E_{SK3}(E_{SK2}(E_{SK1}(M))).
Theorem [BelRog06,GazMau10]: 3DES is a (Q_C, Q_P, negl)-strong PRP as long as Q_C ≤ 2^n and Q_P < 2^{n/2+k}.
Caveat: If Q_C approaches 2^n, then 3DES is distinguishable with Q_P = 2^k queries.

20 3DES – Proof Approach
View the ideal cipher as K = 2^k independent random permutations π_1, …, π_K. For random i, j, k, 3DES corresponds to the composition of π_i, π_j, π_k.
Lemma. Hard to distinguish with fewer than 2^{k+n/2} queries.

21 Beyond Length 3
Cascade of length l: C = E_{SKl}(… E_{SK2}(E_{SK1}(M)) …).
Expectation: Security increases with l.
Theorem [Lee13]: Security for Q_P → 2^{k+min{k,n}} when l → ∞.

22 Increasing Efficiency [GazTes12]
2XOR-Cascade: two calls to E (keys SK and SK’’) with additional XOR whitening by SK’.
Theorem [GazTes12]: 2XOR-Cascade is a (Q_C, Q_P, negl)-strong PRP if Q_C ≤ 2^n and Q_P < 2^{k+n/2}.
[Same security as 3DES, one block cipher call less]

23 XOR Cascades
E_{SK1}, …, E_{SKl} composed sequentially, with whitening keys SK’1, …, SK’l, SK’(l+1) XORed before each call and after the last one.
Theorem [LPS12,Lee13,Gaz13,CheSte13]: Security for Q_P → 2^{k+n} when l → ∞. Optimal!
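As an added illustration that is not part of the slides, the following Python sketch implements a toy lazily-sampled ideal cipher (slide 14) and, on top of it, DESX (slide 18), the length-l XOR cascade of slide 23 (l = 2 gives a two-call variant), and the slide 17 meet-in-the-middle distinguisher for the two-fold cascade, so Facts 1 and 2 can be checked by running it. All parameters (n = 16, k = 4, the keys and seeds) are constructed toy values chosen so that the distinguisher's 2^(k+1) primitive queries run instantly.

```python
import random
# Toy ideal cipher (slide 14): for every key SK an independent random permutation
# on n-bit strings, sampled lazily so the forward and inverse tables stay
# consistent. Constructed for illustration only; parameters are tiny.
class IdealCipher:
    def __init__(self, n, seed=0):
        self.n, self.rng, self.fwd, self.inv = n, random.Random(seed), {}, {}

    def _fresh(self, sk, taken):
        v = self.rng.getrandbits(self.n)
        while (sk, v) in taken:          # rejection sampling keeps E_SK a bijection
            v = self.rng.getrandbits(self.n)
        return v

    def enc(self, sk, x):                # primitive query (+, SK, M)
        if (sk, x) not in self.fwd:
            y = self._fresh(sk, self.inv)
            self.fwd[(sk, x)], self.inv[(sk, y)] = y, x
        return self.fwd[(sk, x)]

    def dec(self, sk, y):                # primitive query (-, SK, C)
        if (sk, y) not in self.inv:
            x = self._fresh(sk, self.fwd)
            self.fwd[(sk, x)], self.inv[(sk, y)] = y, x
        return self.inv[(sk, y)]

def desx_enc(ic, sk, sk1, sk2, m):      # DESX (slide 18): SK2 xor E_SK(M xor SK1)
    return ic.enc(sk, m ^ sk1) ^ sk2
def desx_dec(ic, sk, sk1, sk2, c):
    return ic.dec(sk, c ^ sk2) ^ sk1
def xor_cascade_enc(ic, keys, wkeys, m):
    # XOR cascade of length l = len(keys) (slide 23): whitening key wkeys[i]
    # before call i and wkeys[l] after the last call, so len(wkeys) == l + 1.
    x = m
    for sk, w in zip(keys, wkeys):
        x = ic.enc(sk, x ^ w)
    return x ^ wkeys[len(keys)]
def xor_cascade_dec(ic, keys, wkeys, c):
    x = c ^ wkeys[len(keys)]
    for sk, w in zip(reversed(keys), reversed(wkeys[:len(keys)])):
        x = ic.dec(sk, x) ^ w
    return x
def mitm_distinguisher(ic, k, query):
    # Slide 17: query(x) is the construction oracle C(+, x); one construction
    # query plus 2^(k+1) primitive queries, output 1 iff the middle values meet.
    x, z = 0, query(0)
    mid_fwd = {ic.enc(sk1, x) for sk1 in range(1 << k)}
    mid_bwd = {ic.dec(sk2, z) for sk2 in range(1 << k)}
    return 1 if mid_fwd & mid_bwd else 0
```

With k = 4 and n = 16 (so k < n/2), the distinguisher always answers 1 against the real two-fold cascade but only with probability about 2^(2k-n) = 1/256 against an independent random permutation.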

24 Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

25 Hash Functions
Practical hash-function constructions are usually only analyzed in ideal models.
Example: Block-cipher based hash functions [PGV93], e.g. a compression function H(X, Y) = Z built from one call to E on the inputs X and Y.
Goal: Optimize the concrete security / number-of-calls tradeoff for standard security properties [Hundreds of papers!]

26 Key-Derivation Functions
Goal: Derive a secret key from a low-entropy secret (e.g., a password) – PKCS#5 standard.
SK = H(H(… H(pw || salt) …)), i.e., H iterated; the salt is randomly chosen per KDF evaluation.
Expectations:
1. Time to break should increase linearly with the iteration length.
2. Time to break should increase linearly with the number of independent instances.
Theorem [BeRiTe12]: Expectations are true for KDFs from the PKCS#5 standard (in the ROM).

27 Outline
Three selected examples:
1. From Weak to Strong Block Ciphers
2. Hash Functions and Key Derivation
3. Building Ideal Primitives

28 So far: Construction C of a primitive Q from a primitive P achieving a specific goal, with a security proof in the ideal-P model.
Most ambitious goal. Construction C(.) using ideal primitive P s.t. C(P) is “as good as” ideal primitive Q:
“If an application is secure in the ideal-Q model, then it is secure in the ideal-P model, where calls to Q are replaced by calls to C(P).”

29 Indifferentiability [MaReHo04]
Keyless, deterministic construction C built on P.
Left world: D queries C(P) and P. Right world: D queries Q and a simulator SIM, which answers primitive queries using Q.
Definition. C is (Q_C, Q_P, ε)-indifferentiable if ∃ (efficient) SIM ∀ D: Pr[D → 1|left] – Pr[D → 1|right] < ε.
[Typically: efficient = poly(Q_C, Q_P), ε = negl(k)]

30 Composability [MaReHo04]
Arbitrary security game G, run either with Q or with C(P):
Pr[G → 1|Q] = negl. Pr[G → 1|C(P)] = ?
Indifferentiability (the adversary in the ideal-Q world runs SIM in place of P) gives Pr[G → 1|C(P)] = negl.

31 Indifferentiability Constructions
The literature on indifferentiability encompasses by now hundreds of papers.
Standard security notion for hash function constructions (e.g., in the SHA-3 competition): “Hash function has all security properties of a random oracle.”
Typical example: Random oracles from ideal ciphers. Starting from IV, chain calls to E over the message blocks M1, …, Ml, then truncate the output.
Theorem [CDMP05]: The construction is indifferentiable from a random oracle in the ideal-cipher model.

32 Ideal Ciphers from Random Oracles
Theorem [HoKuTe11]: 14-round Feistel, with round functions F1, …, F14 given by random oracles, is indifferentiable from a random permutation.
Much more complex than the converse. [CoPaSe08]

33 Indifferentiability Constructions
Random oracles from fixed input-length random oracles with optimal security [..., MauTes07, ..., DodSte11, ...]
Other constructions: Ideal ciphers from random permutations [ABDMS13,LamSeu13]
Leads to interesting questions about expander graphs.

34 Multi-Stage Games
Game with two stages G1 and G2, both accessing Q.
Examples: Deterministic encryption, leakage resilience, …
Observation [RSS11]: Indifferentiability does not imply composition for multi-stage games.

35 Multi-Stage Games
New Goal: Find good indifferentiability-like notions with composition properties for multi-stage games.
- Reset indifferentiability [RSS11]: The distinguisher is allowed to reset the simulator.
- Reset indifferentiability is sufficient for secure composition in the multi-stage setting.
- Many impossibility results: Traditional indifferentiability results are impossible for reset indifferentiability [DGHM13,BBM13,…]

36 Conclusions
- Ideally, we would like to avoid ideal models.
- A large number of relevant security questions can only be answered using ideal-model security proofs.
- Ideal models give rise to a rich area of work with interesting theoretical questions.

37 Thank you!

38 DESX – Proof Idea
Extend the ideal world: D interacts with the random permutation P and IC as before, and additionally random keys SK, SK1, SK2 are chosen.
Transcript: T_C = {(w, z)} of size Q_C (construction queries), T_P = {(SK’, x, y)} of size Q_P (primitive queries).
D wins if ∃ (w, *) ∈ T_C: (SK, w ⊕ SK1, *) ∈ T_P or ∃ (*, z) ∈ T_C: (SK, *, z ⊕ SK2) ∈ T_P.
Lemma 1: ε ≤ Pr[D wins].
Lemma 2: Pr[D wins] ≤ 2 Q_C Q_P / 2^{n+k}.
