Advertisement

Algebraic XOR-RKA-Secure Pseudorandom Functions from Post-Zeroizing Multilinear Maps

  • Michel AbdallaEmail author
  • Fabrice Benhamouda
  • Alain Passelègue
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11922)

Abstract

Due to the vast number of successful related-key attacks against existing block-ciphers, related-key security has become a common design goal for such primitives. In these attacks, the adversary is not only capable of seeing the output of a function on inputs of its choice, but also on related keys. At Crypto 2010, Bellare and Cash proposed the first construction of a pseudorandom function that could provably withstand such attacks based on standard assumptions. Their construction, as well as several others that appeared more recently, have in common the fact that they only consider linear or polynomial functions of the secret key over complex groups. In reality, however, most related-key attacks have a simpler form, such as the XOR of the key with a known value. To address this problem, we propose the first construction of RKA-secure pseudorandom function for XOR relations. Our construction relies on multilinear maps and, hence, can only be seen as a feasibility result. Nevertheless, we remark that it can be instantiated under two of the existing multilinear-map candidates since it does not reveal any encodings of zero. To achieve this goal, we rely on several techniques that were used in the context of program obfuscation, but we also introduce new ones to address challenges that are specific to the related-key-security setting.

Keywords

Pseudorandom functions Related-key security Multilinear maps Post-zeroizing constructions 

Notes

Acknowledgements

The first author was supported in part by the European Research Council under the European Union’s Seventh Framework Programme (FP7/2007–2013 Grant Agreement 339563 – CryptoCloud). The second author was supported in part by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract No. W911NF-15-C-0236. Part of this work was done while the second author was at École normale supérieure, Paris, France, and at IBM Research, Yorktown Heights, NY, USA. Part of this work was done while the third author was at École normale supérieure, Paris, France, and at UCLA, Los Angeles, CA, USA.

References

  1. [ABD16]
    Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 153–178. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_6CrossRefGoogle Scholar
  2. [ABP15]
    Abdalla, M., Benhamouda, F., Passelègue, A.: An algebraic framework for pseudorandom functions and applications to related-key security. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 388–409. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_19CrossRefGoogle Scholar
  3. [ABP17]
    Abdalla, M., Benhamouda, F., Passelègue, A.: Algebraic XOR-RKA-secure pseudorandom functions from post-zeroizing multilinear maps. Cryptology ePrint Archive, Report 2017/500 (2017). http://eprint.iacr.org/2017/500
  4. [ABPP14]
    Abdalla, M., Benhamouda, F., Passelègue, A., Paterson, K.G.: Related-key security for pseudorandom functions beyond the linear barrier. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 77–94. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44371-2_5CrossRefGoogle Scholar
  5. [ABPP18]
    Abdalla, M., Benhamouda, F., Passelègue, A., Paterson, K.G.: Related-key security for pseudorandom functions beyond the linear barrier. J. Cryptol. 31(4), 917–964 (2018)MathSciNetCrossRefGoogle Scholar
  6. [AW14]
    Applebaum, B., Widder, E.: Related-key secure pseudorandom functions: the case of additive attacks. Cryptology ePrint Archive, Report 2014/478 (2014). http://eprint.iacr.org/2014/478
  7. [BC10]
    Bellare, M., Cash, D.: Pseudorandom functions and permutations provably secure against related-key attacks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 666–684. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14623-7_36CrossRefGoogle Scholar
  8. [BCM11]
    Bellare, M., Cash, D., Miller, R.: Cryptography secure against related-key attacks and tampering. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 486–503. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-25385-0_26CrossRefGoogle Scholar
  9. [BDK05]
    Biham, E., Dunkelman, O., Keller, N.: Related-key boomerang and rectangle attacks. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 507–525. Springer, Heidelberg (2005).  https://doi.org/10.1007/11426639_30CrossRefGoogle Scholar
  10. [BDK+10]
    Biryukov, A., Dunkelman, O., Keller, N., Khovratovich, D., Shamir, A.: Key recovery attacks of practical complexity on AES-256 variants with up to 10 Rounds. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 299–319. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_15CrossRefGoogle Scholar
  11. [BGK+14]
    Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-55220-5_13CrossRefGoogle Scholar
  12. [Bih94]
    Biham, E.: New types of cryptanalytic attacks using related keys. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 398–409. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48285-7_34CrossRefGoogle Scholar
  13. [BK03]
    Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003).  https://doi.org/10.1007/3-540-39200-9_31CrossRefGoogle Scholar
  14. [BLMR13]
    Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40041-4_23CrossRefGoogle Scholar
  15. [BMSZ16]
    Badrinarayanan, S., Miles, E., Sahai, A., Zhandry, M.: Post-zeroizing obfuscation: new mathematical tools, and the case of evasive circuits. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 764–791. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49896-5_27CrossRefGoogle Scholar
  16. [BP14]
    Banerjee, A., Peikert, C.: New and improved key-homomorphic pseudorandom functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 353–370. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44371-2_20CrossRefGoogle Scholar
  17. [BR06]
    Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006).  https://doi.org/10.1007/11761679_25CrossRefGoogle Scholar
  18. [BR14]
    Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-642-54242-8_1CrossRefGoogle Scholar
  19. [CFL+16]
    Cheon, J.H., Fouque, P.A., Lee, C., Minaud, B., Ryu, H.: Cryptanalysis of the new CLT multilinear map over the integers. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 509–536. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_20CrossRefGoogle Scholar
  20. [CGH+15]
    Coron, J.S., et al.: Zeroizing without low-level zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_12CrossRefGoogle Scholar
  21. [CGH17]
    Chen, Y., Gentry, C., Halevi, S.: Cryptanalyses of candidate branching program obfuscators. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 278–307. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56617-7_10CrossRefGoogle Scholar
  22. [CHKL18]
    Cheon, J.H., Hhan, M., Kim, J., Lee, C.: Cryptanalysis on the HHSS obfuscation arising from absence of safeguards. IEEE Access 6, 40096–40104 (2018)CrossRefGoogle Scholar
  23. [CHL+15]
    Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_1CrossRefGoogle Scholar
  24. [CJL16]
    Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero. LMS J. Comput. Math. 19A, 255–266 (2016)MathSciNetCrossRefGoogle Scholar
  25. [CLLT16]
    Coron, J.S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 607–628. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53008-5_21CrossRefGoogle Scholar
  26. [CLLT17]
    Coron, J.S., Lee, M.S., Lepoint, T., Tibouchi, M.: Zeroizing attacks on indistinguishability obfuscation over CLT13. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 41–58. Springer, Heidelberg (2017).  https://doi.org/10.1007/978-3-662-54365-8_3CrossRefGoogle Scholar
  27. [CLT13]
    Coron, J.S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40041-4_26CrossRefGoogle Scholar
  28. [CLT15]
    Coron, J.S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-47989-6_13CrossRefGoogle Scholar
  29. [CS15]
    Cogliati, B., Seurin, Y.: On the provable security of the iterated even-mansour cipher against related-key and chosen-key attacks. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 584–613. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46800-5_23CrossRefGoogle Scholar
  30. [CVW18]
    Chen, Y., Vaikuntanathan, V., Wee, H.: GGH15 beyond permutation branching programs: proofs, attacks, and candidates. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 577–607. Springer, Cham (2018).  https://doi.org/10.1007/978-3-319-96881-0_20CrossRefGoogle Scholar
  31. [FP15]
    Farshim, P., Procter, G.: The related-key security of iterated Even-Mansour ciphers. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 342–363. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48116-5_17CrossRefGoogle Scholar
  32. [FX15]
    Fujisaki, E., Xagawa, K.: Efficient RKA-secure KEM and IBE schemes against invertible functions. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 3–20. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-22174-8_1CrossRefGoogle Scholar
  33. [GGH13a]
    Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38348-9_1CrossRefGoogle Scholar
  34. [GGH+13b]
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual Symposium on Foundations of Computer Science, pp. 40–49. IEEE Computer Society Press, October 2013Google Scholar
  35. [GGH15]
    Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46497-7_20CrossRefGoogle Scholar
  36. [GGM86]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)MathSciNetCrossRefGoogle Scholar
  37. [GLSW15]
    Gentry, C., Lewko, A.B., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. In: Guruswami, V. (ed.) 56th Annual Symposium on Foundations of Computer Science, pp. 151–170. IEEE Computer Society Press, October 2015Google Scholar
  38. [GLW14]
    Gentry, C., Lewko, A., Waters, B.: Witness encryption from instance independent assumptions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 426–443. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-44371-2_24CrossRefGoogle Scholar
  39. [GMM+16]
    Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 241–268. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53644-5_10CrossRefGoogle Scholar
  40. [Hal15]
    Halevi, S.: Graded encoding, variations on a scheme. Cryptology ePrint Archive, Report 2015/866 (2015). http://eprint.iacr.org/2015/866
  41. [HJ16]
    Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-49890-3_21CrossRefGoogle Scholar
  42. [JW15]
    Jafargholi, Z., Wichs, D.: Tamper detection and continuous non-malleable codes. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 451–480. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46494-6_19CrossRefGoogle Scholar
  43. [Knu93]
    Knudsen, L.R.: Cryptanalysis of LOKI 91. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 196–208. Springer, Heidelberg (1993).  https://doi.org/10.1007/3-540-57220-1_62CrossRefGoogle Scholar
  44. [LMR14]
    Lewi, K., Montgomery, H., Raghunathan, A.: Improved constructions of PRFs secure against related-key attacks. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 44–61. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-07536-5_4CrossRefGoogle Scholar
  45. [Men16]
    Mennink, B.: XPX: generalized tweakable Even-Mansour with improved security guarantees. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 64–94. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_3CrossRefGoogle Scholar
  46. [MSW14]
    Miles, E., Sahai, A., Weiss, M.: Protecting obfuscation against arithmetic attacks. Cryptology ePrint Archive, Report 2014/878 (2014). http://eprint.iacr.org/2014/878
  47. [MSZ16]
    Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 629–658. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53008-5_22CrossRefGoogle Scholar
  48. [NR97]
    Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th Annual Symposium on Foundations of Computer Science, pp. 458–467. IEEE Computer Society Press, October 1997Google Scholar
  49. [Sho97]
    Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997).  https://doi.org/10.1007/3-540-69053-0_18CrossRefGoogle Scholar
  50. [WLZZ16]
    Wang, P., Li, Y., Zhang, L., Zheng, K.: Related-key almost universal hash functions: definitions, constructions and applications. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 514–532. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-52993-5_26CrossRefGoogle Scholar
  51. [Zim15]
    Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46803-6_15CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.DIENSÉcole normale supérieure, CNRS, PSL Research UniversityParisFrance
  2. 2.InriaParisFrance
  3. 3.Algorand FoundationNewYorkUSA
  4. 4.Inria, ENS LyonLyonFrance

Personalised recommendations