Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris University of California, Davis Dept of Mathematics.

Published byAnne Hardy Modified over 9 years ago

Similar presentations

Presentation on theme: "1 How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris University of California, Davis Dept of Mathematics."— Presentation transcript:

1 1 How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris University of California, Davis Dept of Mathematics Phil Rogaway Till Stegers University of California, Davis Dept of Computer Science CRYPTO 2009 — August 18, 2009 `

2 2 More generally, How to encipher {0,1,…, N - 1} ? How to encipher a CCN? PRF F : K  {0,1} 128  {0,1} 128 PRP E : K  {0,1,…, N-1}  : {0,1,…, N-1} A special case of Format-Preserving Encryption (FPE) [Brightwell, Smith 97; Spies 08; Bellare, Ristenpart, R, Steger 09] 5887 3229 0447 4263

3 3 Known technique Balanced Feistel [Luby, Rackoff 88; Maurer, Pietrzak 03; Patarin 04] Benes construction [Aiello, Venkatesan 96; Patarin 08] Feistel adapted to Z a  Z b [Black Rogaway 02] Induced ordering on AES K (0),…, AES K (N  1) “Knuth shuffle” De novo constructions [Schroeppel 98] Poor proven bounds for small N Preprocessing time  (N) Provable security not possible Cycle walking For enciphering on X  M when | X |  /  | M | is reasonably large Wide-block modes [Naor, Reingold 99; Halevi 04] Starts beyond blockcipher’s blocksize Granboulan-Pornin construction [GP 07] Very inefficient Limitation Ad hoc modes [FIPS 74: 1981, Brightwell, Smith 97; Mattsson 09] [Folklore; Black Rogaway02]

4 4 What’s wrong with balanced Feistel? [Patarin 04] Approximate security bounds Attacks [Luby, Rackoff 88] [Maurer, Pietrzak 03] In practice, probably nothing. But, information theoretically, it only tolerates 2 n/2 queries For constant rounds 2 n/2 – 1/R 2 n/2 –  2 n/4 2 n/2 N = 2 n For R rounds 2 n/2 + lg R (asymptotic) (R rounds) (3 and 4 rounds)

5 5 0 12 3 4 56 7 8 910 11 12 1314 15 8 1213 0 1 4 5 14 9 1510 2 6 7 3 11 14 9 8 12 15 1310 2 6 70 1 3 114 5 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 [Naor ~1989] An oblivious shuffle: you can follow the path of a card without attending to the other cards. The riffle shuffle is not oblivious. The Thorp shuffle is. Encrypting by shuffling 0 12 3 4 56 7 8 910 11 12 1314 15

6 6 Edward Thorp To shuffle a deck of N cards (N even): For round r = 1, 2, …, R do Cut the deck exactly in half Using a fair coin toss c, drop left-then-right (c=0) or right-then-left (c=1) Thorp Shuffle Th[N, R] [Thorp 73]

7 7 0 12 3 4 5 6 7 1 0 0 1 One round of the Thorp shuffle 1. Cards at positions x and x + N/2 are said to be adjacent 3. The coins indicate if adjacent cards get moved coin = 0 coin = 1 or 2. Flip a coin for each pair of adjacent cards

8 8 At round r, move the card at position x  {0,…, N-1} to position 2 x + (r, x) if x < N/2 2(x  N/2) + (1  (r, x  N/2)) otherwise FKFK F K Thorp shuffle = maximally unbalanced Feistel when N = 2 n equivalent

9 9 Measuring adversarial success Adv (q) = max Pr[A E K  1] – Pr[A   1] A  NCPA(q) N,R ncpa Adv (q) = max Pr[A E K E K  1] – Pr[A   1] A  CCA(q) N,R cca A E K (  ) 11  (  ) 11 11 11 E = Th[N, R] strong PRP nonadaptive PRP

10 10 R = O(r log 44 N) R = O(r log 19 N) R = O(r log 4 N) What is Known? Adv (q)    r N,R ncpa if [Morris 05] [Montenegro, Tetali 06] [Morris 08] For q = N, Adv (q)  N,R cca If R = n, q2q2 N (n+1) (security to about N 1/2 queries) [Naor, Reingold 99] N = 2 n (throw in pairwise independent permutations, too)

11 11 Main result — Thorp shuffle — CCA Theorem Let N = 2 n and R=4nr (ie, 4r passes). Adv cca (q)  2q2q r+1 4qn N r Can tolerate q = N 1  1/r queries with 4r passes. log 2 ( q ) Advantage r = 1, 2, 5, 10, 25 N, R N = 2 50 Unbalanced Feistel provably stronger than balanced Feistel (4, 8, 20, 40, 100 passes)

12 12 Proving CCA security 1. Prove NCPA security of the “projected Thorp shuffle” (and its inverse) using a coupling argument 2. Conclude CCA security using a wonderful theorem from [Maurer, Pietrzak, Renner 2007] : Adv (q)  Adv (q) + Adv (q) F ° G  1 cca F cpa G

13 13 Notation and basic setup { X t } Markov chain — the projected Thorp shuffle Fix distinct z 1, …, z q  C = {0,1} n and define: X t Positions of cards z 1, …, z q at time t X t ( i ) Location of card z i at time t  Stationary distribution of { X t } = Uniform distribution on q-tuples of positions, {0,1} n  t Distribution of {X t } Want to show :   t   is small (for t not too big)

14 14 Hybrid argument X t = Positions of cards z 1, …, z q at time t assuming cards z 1, …, z ` start in designated positions, z ` , …, z q start in random (uniform, distinct) positions ` For 0  `  q, let ` +1 XtXt q XtXt 0 XtXt ` XtXt Designated cards have specified posns. Designated cards have random initial posns.  -distributed  t - distributed... Then   t      t  t    ` =0 q1q1 ` +1 ` Fix `

15 15 Coupling arguments Markov chain { W t } with transition matrix P Stationary distribution  Want to show || P t (x,  ) –  || is small Construct a pair process, {(W t, U t )} (defined on a single prob space), the coupling, where  { W t } and { U t } are MCs with transition matrix P  If W t = U t then W t+1 = U t+1  W 0 = x and U 0 ~  Let T  min {t : W t = U t } Coupling time Then || P t (x,  ) –  ||  Pr ( W t  U t ) = Pr (T > t) [Doeblin 1930s; Aldous 1980s]

16 16 What gets coupled ` +1 XtXt q XtXt 0 XtXt ` XtXt... Then   t      t  t    ` +1 ` Fix ` First ` +1 cards in designated positions.  t distributed ` +1 First ` cards in designated positions; ( ` +1) st card at a random position.  t distributed ` ` =0 q1q1

17 17 Re-conceptualizing how our MC evolves 0 12 3 4 5 6 7 1 0 0 1 0 1 1 1 1 0 0 0 Before: a coin c(r, x) for each round r and position (x, x + N/2). The coin determined if cards went or 0 1 2 3 4 56 7 0 1 1 1 1 1 0 0 0 Now: a coin c(r, x) for each round r and designated card x. Card z i adjacent to a non-designated card: use its coin to decide if it goes left (0) or right (1) Card z i adjacent to z j where i <j : use the coin of z i to decide where it goes … and so where z j goes, too. Update rule: Towards defining our coupling coins are associated with positions coins are associated with designated cards

18 18 Defining our coupling... z ` +1 c ` +1 z `z ` c ` z 1z 1 c 1c 1 z 2z 2 c 2c 2... z ` +1 z `z ` z 1z 1 z 2z 2 XtXt To define the pair process ( X t, X t ) Start cards z 1, …, z ` in the specified locations for both X t and X t Start card z ` +1 at specified location in X t Start card z ` +1 at uniform location in X t Evolve the process with the same coins and the update rule Then: Cards z 1, …, z ` follow the same trajectory Once z ` +1 and z ` +1 match, they stay the same Card z ` +1 is uniform c ` +1 c ` c 1c 1 c 2c 2 ` +1 XtXt ` ` ` `

19 19 Waiting for the ( ` +1) cards to couple st z 1 trajectory z 2 trajectory z ` trajectory z ` +1 trajectory

20 20 After a “burn-in” period, designated cards are rarely adjacent Claim: For any pair of cards z i and z j and any time t  n  1, P(z i and z j are adjacent at time t)  1/ 2 n  1 Reason: The only way for z i and z j to end up adjacent at time t is if there were consistent coin tosses in in each of the prior n  1 steps. The probability of this is 1/2 n  1.

21 21 The coupling bound   t      t  t    ` +1 ` Want to show this is small. By coupling, it’s  P(T > t) where T is the coupling time for X t and X t : ` +1 ` T = min { t: P ( X t  X t ) ` +1 ` P (T > 2n  1)  2  n  `  ( 1 / 2 n-1 ) Cards z ` +1 fail to converge only if z ` +1 is adjacent to some z i in X t or z ` +1 is adjacent to some z i in X t for some i  `, in one of the last n  time steps. At most 2n ` ways for this to happen. Just showed: P ( z ` +1 and z i are adjacent at time t  n+1 )  1/ 2 n  1 Claim: ` +1 ` }

22 22 Concluding the result    t    ` = 0 q1q1  P (T > 2n-1 )  2  n  `  2 1  n  P (T > r (2n-1) )    2  n  `  2 1  n  r so ( n ` 2 2-n ) r  q r+1 4qn N r  0 q x r dx ( n2 2-n ) r  Adv ncpa (q) N, R

23 23 Extensions and directions For a weaker security notion, DPA, two passes is enough. A simple trick lets you do 5 rounds per AES When N is not a power of 2, things get more complex (in progress; constants increase) NIST submission (“FFX mode”) (with T. Spies) coming soon Coupling technique generally useful in cryptography. Analyze other unbalanced Feistel schemes with V.T. Hoang. Open: Tiny N ? CCA security for 2 or 4 passes ? Can perfect shuffling (à la [Granboulan, Pornin 07]) be practical?

24 24 Theorem Let N = 2 n and R=2nr (ie, 2r passes). Adv dpa (q)  4qn N r Asymptotically: you can tolerate q = N 1  queries with two rounds N, R log 2 ( q ) Advantage r = 1, 2 N = 2 50 Thorp shuffle — DPA security

25 25 The 5x speedup trick

Download ppt "1 How to Encipher Messages on a Small Domain Deterministic Encryption and the Thorp Shuffle Ben Morris University of California, Davis Dept of Mathematics."

Similar presentations

Generating Random Spanning Trees Sourav Chatterji Sumit Gulwani EECS Department University of California, Berkeley.

Generating Random Spanning Trees Sourav Chatterji Sumit Gulwani EECS Department University of California, Berkeley.
Correctness of Gossip-Based Membership under Message Loss Maxim GurevichIdit Keidar Technion.

Correctness of Gossip-Based Membership under Message Loss Maxim GurevichIdit Keidar Technion.
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Gibbs sampler - simple properties It’s not hard to show that this MC chain is aperiodic. Often is reversible distribution. If in addition the chain is.

Gibbs sampler - simple properties It’s not hard to show that this MC chain is aperiodic. Often is reversible distribution. If in addition the chain is.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Length-Doubling Ciphers and Tweakable Ciphers Haibin Zhang Computer Science Department University of California, Davis

Length-Doubling Ciphers and Tweakable Ciphers Haibin Zhang Computer Science Department University of California, Davis
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Princeton University COS 433 Cryptography Fall 2007 Boaz Barak COS 433: Cryptography Princeton University Fall 2007 Boaz Barak Lectures 1-6: Short Recap.

Princeton University COS 433 Cryptography Fall 2007 Boaz Barak COS 433: Cryptography Princeton University Fall 2007 Boaz Barak Lectures 1-6: Short Recap.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
. Hidden Markov Model Lecture #6. 2 Reminder: Finite State Markov Chain An integer time stochastic process, consisting of a domain D of m states {1,…,m}

. Hidden Markov Model Lecture #6. 2 Reminder: Finite State Markov Chain An integer time stochastic process, consisting of a domain D of m states {1,…,m}
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Planning under Uncertainty

Planning under Uncertainty
1 Optimization problems such as MAXSAT, MIN NODE COVER, MAX INDEPENDENT SET, MAX CLIQUE, MIN SET COVER, TSP, KNAPSACK, BINPACKING do not have a polynomial.

1 Optimization problems such as MAXSAT, MIN NODE COVER, MAX INDEPENDENT SET, MAX CLIQUE, MIN SET COVER, TSP, KNAPSACK, BINPACKING do not have a polynomial.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
13. The Weak Law and the Strong Law of Large Numbers

13. The Weak Law and the Strong Law of Large Numbers
Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.

Princeton University COS 433 Cryptography Fall 2005 Boaz Barak COS 433: Cryptography Princeton University Fall 2005 Boaz Barak Lecture 2: Perfect Secrecy.
1 On the Computation of the Permanent Dana Moshkovitz.

1 On the Computation of the Permanent Dana Moshkovitz.
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

Similar presentations

Ads by Google