
Naor-Reingold Goes Public: The Complexity of Known-Key Security

  • Pratik Soni
  • Stefano Tessaro
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10822)

Abstract

We study the complexity of building secure block ciphers in the setting where the key is known to the attacker. In particular, we consider two security notions with useful implications, namely public-seed pseudorandom permutations (or psPRPs, for short) (Soni and Tessaro, EUROCRYPT ’17) and correlation-intractable ciphers (Knudsen and Rijmen, ASIACRYPT ’07; Mandal, Seurin, and Patarin, TCC ’12).

For both these notions, we exhibit constructions which make only two calls to an underlying non-invertible primitive, matching the complexity of building a pseudorandom permutation in the secret-key setting. Our psPRP result instantiates the round functions in the Naor-Reingold (NR) construction with a secure UCE hash function. For correlation intractability, we instead instantiate them from a (public) random function, and replace the pairwise-independent permutations in the NR construction with (almost) \(O(k^2)\)-wise independent permutations, where k is the arity of the relations for which we want correlation intractability.

Our constructions improve upon the current state of the art, requiring five- and six-round Feistel networks, respectively, to achieve psPRP security and correlation intractability. To do so, we rely on techniques borrowed from Impagliazzo-Rudich-style black-box impossibility proofs for our psPRP result, for which we give what we believe to be the first constructive application, and on techniques for studying randomness with limited independence for correlation intractability.
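The Naor-Reingold structure the abstract builds on, as an added illustration that is not the paper's own code: a pairwise-independent permutation h1, two Feistel rounds whose round function is the only non-invertible primitive (called exactly twice per block), then the inverse of a second pairwise-independent permutation h2. Assumptions: affine maps x -> a*x + b over GF(2^128) with a != 0 serve as the pairwise-independent permutations, HMAC-SHA256 under a public seed stands in for the UCE hash, and the key below is a constructed sample.

```python
# Naor-Reingold: E = h2^{-1} o Feistel_2[F] o h1 on 128-bit blocks; h1, h2 are
# x -> a*x + b over GF(2^128) (a != 0), F is a public-seed round function.
import hashlib
import hmac
N = 64                                   # half-block size in bits
MASK = (1 << 2 * N) - 1
POLY_LOW = 0b10000111                    # x^128 = x^7 + x^2 + x + 1 (GCM polynomial)
def gf_mul(a, b):
    """Carry-less multiplication in GF(2^128), reduced bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) & MASK) ^ (POLY_LOW if a >> (2 * N - 1) else 0)
        b >>= 1
    return r
def gf_inv(a):
    """a^(2^128 - 2) = a^-1 for a != 0 (square-and-multiply)."""
    r, e = 1, (1 << 2 * N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r
def pip_apply(h, x):                     # h = (a, b): pairwise-independent permutation
    return gf_mul(h[0], x) ^ h[1]
def pip_invert(h, y):
    return gf_mul(gf_inv(h[0]), y ^ h[1])
F_CALLS = [0]                            # counts calls to the non-invertible primitive
def round_fn(seed, i, x):
    """Stand-in for a UCE/public-seed hash (assumption: HMAC-SHA256, N-bit output)."""
    F_CALLS[0] += 1
    msg = bytes([i]) + x.to_bytes(N // 8, "big")
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest()[: N // 8], "big")
def encrypt(k, x):
    l, r = divmod(pip_apply(k["h1"], x), 1 << N)
    l, r = r, l ^ round_fn(k["seed"], 1, r)          # Feistel round 1
    l, r = r, l ^ round_fn(k["seed"], 2, r)          # Feistel round 2
    return pip_invert(k["h2"], (l << N) | r)
def decrypt(k, y):
    l, r = divmod(pip_apply(k["h2"], y), 1 << N)
    l, r = r ^ round_fn(k["seed"], 2, l), l          # undo round 2
    l, r = r ^ round_fn(k["seed"], 1, l), l          # undo round 1
    return pip_invert(k["h1"], (l << N) | r)
# Constructed sample key; in the known-key setting every part of it is public.
KEY = {"h1": (0x0123456789abcdef0123456789abcdef, 0xfedcba9876543210fedcba9876543210),
       "h2": (0x1f2e3d4c5b6a79880123456789abcdef, 0x00000000000000000000000000000001),
       "seed": b"constructed-public-seed-for-demo"}
```

Each `encrypt` or `decrypt` call invokes `round_fn` exactly twice, which is the two-call complexity the abstract refers to; the Feistel layer on its own is invertible by anyone, so the security argument rests on the round function and the outer permutations, not on secrecy of the key.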

Keywords

Foundations, Known-key security, Pseudorandomness, psPRPs, Correlation-intractability, Limited independence

Notes

Acknowledgments

The authors were supported by NSF grants CNS-1553758 (CAREER), CNS-1423566, CNS-1719146, CNS-1528178, and IIS-1528041, and by a Sloan Research Fellowship.

References

  1. Andreeva, E., Bogdanov, A., Dodis, Y., Mennink, B., Steinberger, J.P.: On the indifferentiability of key-alternating ciphers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 531–550. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_29
  2. Andreeva, E., Bogdanov, A., Mennink, B.: Towards understanding the known-key security of block ciphers. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 348–366. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_18
  3. Aumasson, J.-P., Jovanovic, P., Neves, S.: NORX8 and NORX16: authenticated encryption for low-end systems. Cryptology ePrint Archive, Report 2015/1154 (2015). http://eprint.iacr.org/2015/1154
  4. Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal — an O(n²)-query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_22
  5. Bellare, M., Hoang, V.T.: Resisting randomness subversion: fast deterministic and hedged public-key encryption in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 627–656. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_21
  6. Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_23
  7. Bellare, M., Hoang, V.T., Keelveedhi, S.: Cryptography from compression functions: the UCE bridge to the ROM. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 169–187. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_10
  8. Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: 2013 IEEE Symposium on Security and Privacy, pp. 478–492. IEEE Computer Society Press, May 2013
  9. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25
  10. Bellare, M., Rompel, J.: Randomness-efficient oblivious sampling. In: 35th FOCS, pp. 276–287. IEEE Computer Society Press, November 1994
  11. Bellare, M., Stepanovs, I.: Point-function obfuscation: a framework and generic constructions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 565–594. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_21
  12. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: On the indifferentiability of the sponge construction. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 181–197. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_11
  13. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Sponge-based pseudo-random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 33–47. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15031-9_3
  14. Brzuska, C., Farshim, P., Mittelbach, A.: Indistinguishability obfuscation and UCEs: the case of computationally unpredictable sources. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 188–205. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_11
  15. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited (preliminary version). In: 30th ACM STOC, pp. 209–218. ACM Press, May 1998
  16. Cogliati, B., Seurin, Y.: Strengthening the known-key security notion for block ciphers. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 494–513. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_25
  17. Coron, J.-S., Patarin, J., Seurin, Y.: The random oracle model and the ideal cipher model are equivalent. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 1–20. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_1
  18. Dachman-Soled, D., Katz, J., Thiruvengadam, A.: 10-round Feistel is indifferentiable from an ideal cipher. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 649–678. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_23
  19. Dai, Y., Steinberger, J.: Indifferentiability of 8-round Feistel networks. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 95–120. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_4
  20. Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5
  21. Dodis, Y., Stam, M., Steinberger, J., Liu, T.: Indifferentiability of confusion-diffusion networks. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 679–704. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_24
  22. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
  23. Gaži, P., Tessaro, S.: Provably robust sponge-based PRNGs and KDFs. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 87–116. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_4
  24. Hoang, V.T., Rogaway, P.: On generalized Feistel networks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 613–630. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_33
  25. Holenstein, T., Künzler, R., Tessaro, S.: The equivalence of the random oracle model and the ideal cipher model, revisited. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 89–98. ACM Press, June 2011
  26. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, pp. 44–61. ACM Press, May 1989
  27. Knudsen, L.R., Rijmen, V.: Known-key distinguishers for some block ciphers. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 315–324. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_19
  28. Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput. 17(2), 373–386 (1988)
  29. Mandal, A., Patarin, J., Seurin, Y.: On the public indifferentiability and correlation intractability of the 6-round Feistel construction. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 285–302. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_16
  30. Matsuda, T., Hanaoka, G.: Chosen ciphertext security via UCE. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 56–76. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_4
  31. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2
  32. Mittelbach, A.: Salvaging indifferentiability in a multi-stage setting. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 603–621. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_33
  33. Naor, M., Reingold, O.: On the construction of pseudo-random permutations: Luby-Rackoff revisited (extended abstract). In: 29th ACM STOC, pp. 189–199. ACM Press, May 1997
  34. Ramzan, Z., Reyzin, L.: On the round security of symmetric-key cryptographic primitives. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 376–393. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_24
  35. Rogaway, P., Steinberger, J.: Security/efficiency tradeoffs for permutation-based hashing. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 220–236. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_13
  36. Schmidt, J.P., Siegel, A., Srinivasan, A.: Chernoff-Hoeffding bounds for applications with limited independence. In: Ramachandran, V. (ed.) 4th SODA, pp. 331–340. ACM-SIAM, January 1993
  37. Soni, P., Tessaro, S.: Public-seed pseudorandom permutations. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 412–441. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_14
  38. Soni, P., Tessaro, S.: Naor-Reingold goes public: the complexity of known-key security. Cryptology ePrint Archive, Report 2018/137 (2018). https://eprint.iacr.org/2018/137

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. University of California, Santa Barbara, USA
