Public-seed Pseudorandom Permutations
Pratik Soni (UC Santa Barbara), Stefano Tessaro (UC Santa Barbara)
EUROCRYPT 2017

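Cryptographic schemes often built from generic building blocks
Typically: Block ciphers, hash/compression functions!
[Figure: two example constructions. One uses a hash function $H$ (e.g., SHA-3) applied to $K \oplus \mathit{ipad} \,\|\, M$ and to $K \oplus \mathit{opad}$. The other uses a block cipher $E_K$ (e.g., AES) applied to $IV$ and message blocks $M_1$, $M_2$, $M_\ell$.]
Is there a universal and simple building block for efficient symmetric cryptography?
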
Recent trend: Start from seedless permutation
Here: $\pi$ is an efficiently computable and invertible one-to-one function
Sponge paradigm

Permutations
“… it would be nice, now, if permutations can be called the Swiss Army Knife [of cryptography]” — Joan Daemen, Passwords^12
Hashing, Garbling, PRNGs, Authenticated Encryption, MACs, KDFs

Typical instantiations
Ad-hoc construction
e.g., in KECCAK, NORX, …
Designed to withstand cryptanalysis
Fixed-key block ciphers
e.g., $\pi : x \to \mathrm{AES}(0^{128}, x)$
Faster, no re-keying costs!
Faster Hash functions [RS08], fast garbling [BHKR13]

Permutations assumptions
Permutations are great in practice, but what about theory?
Goal: Standard-model reduction: “If $\pi$ satisfies $X$ then $C[\pi]$ satisfies $Y$.”
e.g., $C$ = KECCAK; $Y$ = Anything non-trivial; $X$ = ???
Common approach: Use random permutation (RP) model
$\pi$ is random + adversary given oracle access to $\pi$ and $\pi^{-1}$
Observation: No standard-model proofs known for permutation-based constructions!

But: random permutations do not exist [CGH98]
RP model proofs only yield security for generic attacks
Quite different state of affairs than for hash functions:

| | ideal model | standard model |
|---|---|---|
| Hash functions | random oracle | CRHF, OWFs, UOWHFs, CI, UCEs… |
| Permutations | RP | ???? |

What cryptographic hardness can we expect from a permutation? No one-wayness, no compression, no pseudorandomness …

This work, in a nutshell
First plausible and useful standard-model security assumption for permutations.
“Public-seed Pseudorandom Permutations” (psPRPs), inspired by the UCE framework [BHK13]
We address two main questions:
Can we get psPRPs at all? Yes!
Are psPRPs useful? Yes!

psPRPs have many applications
Deterministic & Hedged PKE
Immunizing backdoored PRGs
CCA-secure Enc. (CCA)
Hardcore functions (HC)
KDM-secure symmetric key Enc. (KDM)
Point function Obfuscation (PFOB)
Message-locked Encryption (MLE)
Efficient garbling from fixed-key block-ciphers
…
[Diagram labels: psPRP, UCE, Sponges, Feistel]

Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions
Co-related input hash Functions (CIH)

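We consider seeded permutations
$P = (\mathrm{Gen}, \pi, \pi^{-1})$, $\pi : \{0,1\}^n \to \{0,1\}^n$
Efficient (poly-time) algorithms:
Seed generation: $s \leftarrow \mathrm{Gen}(1^\lambda)$
Forward evaluation: $x \mapsto \pi_s(x)$
Backward evaluation: $y \mapsto \pi_s^{-1}(y)$
(1) $\pi_s : \{0,1\}^n \to \{0,1\}^n$
(2) $\forall x : \pi_s^{-1}(\pi_s(x)) = x$
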
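Traditional security notion if seed is secret: Pseudorandom Permutation
[Figure: the distinguisher $D$ outputs 0/1 with oracle access to $\pi_s / \pi_s^{-1}$, $s \leftarrow \mathrm{Gen}(1^\lambda)$, or to $\rho / \rho^{-1}$, $\rho \leftarrow \mathrm{Perms}(n)$; the two cases are $\approx$]
Stage 1: • Oracle access • Secret seed
Stage 2: • Learns seed • No oracle access
Limited information flow
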
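UCE security (Bellare, Hoang, Keelveedhi)
$H = (\mathrm{Gen}, h)$
[Figure: the source $S$ has oracle access to either $h_s$, $s \leftarrow \mathrm{Gen}(1^\lambda)$, or $f \leftarrow \mathrm{Funcs}(m, n)$, and passes $L$ to the distinguisher $D$, which also receives the seed $s$ and outputs 0/1; the two cases are $\approx$]
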
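psPRP security
$P = (\mathrm{Gen}, \pi, \pi^{-1})$
[Figure: the source $S$ makes forward and backward queries to $\pi_s / \pi_s^{-1}$, $s \leftarrow \mathrm{Gen}(1^\lambda)$ (left) or to $\rho / \rho^{-1}$, $\rho \leftarrow \mathrm{Perms}(n)$ (right), and passes $L$ to $D$, which also receives the seed $s$ and outputs 0/1]
$P$ is psPRP-secure if $\forall$ PPT $S, D$, left and right are indistinguishable.
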
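$P$ is psPRP-secure if $\forall$ PPT $S, D$, …
[Figure: $S$ sends the query $(+, 0^n)$ to its oracle ($\pi_s / \pi_s^{-1}$ with $s \leftarrow \mathrm{Gen}(1^\lambda)$, or $\rho / \rho^{-1}$ with $\rho \leftarrow \mathrm{Perms}(n)$), receives $y$ and sets $L = y$. $D$, given $s$ and $y$, outputs 1 iff $y = \pi_s(0^n)$.]
With $\pi_s / \pi_s^{-1}$: $D$ outputs 1 with prob. 1
With $\rho / \rho^{-1}$: $D$ outputs 1 with prob. $1/2^n$
psPRP-security is impossible against all sources!
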
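Sources need to be restricted
$P = (\mathrm{Gen}, \pi, \pi^{-1})$
[Figure: the class $\mathcal{S}$ within all sources]
$P$ is psPRP[$\mathcal{S}$]-secure if $\forall S \in \mathcal{S}$ and $\forall$ PPT $D$, left and right are indistinguishable.
[Figure: $S$ has oracle access to $\pi_s / \pi_s^{-1}$, $s \leftarrow \mathrm{Gen}(1^\lambda)$ (left) or to $\rho / \rho^{-1}$, $\rho \leftarrow \mathrm{Perms}(n)$ (right), and passes $L$ to $D$, which also receives $s$ and outputs 0/1]
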
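This talk – unpredictable and reset-secure sources
[Figure: nested sets. $\mathcal{S}^{\mathrm{sup}}$ (unpredictable) inside $\mathcal{S}^{\mathrm{srs}}$ (reset-secure) inside all sources.]
Both restrictions model that $D$ cannot predict the queries made by the sources!
$\mathcal{S}^{\mathrm{sup}} \subseteq \mathcal{S}^{\mathrm{srs}}$ ⟹ $\mathsf{psPRP}[\mathcal{S}^{\mathrm{srs}}]$ is a stronger assumption than $\mathsf{psPRP}[\mathcal{S}^{\mathrm{sup}}]$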
![Page 85: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/85.jpg)
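Source restrictions – unpredictability
[Figure: $\rho \leftarrow \mathsf{Perms}(n)$. $S$ makes queries $(\sigma, x_i)$ with $\sigma \in \{+,-\}$ to $\rho/\rho^{-1}$ and gets back $y_i$. Each query is recorded as $Q \leftarrow Q \cup \{(\sigma, x_i), (\bar{\sigma}, y_i)\}$. $S$ then sends $L$ to $A$, and $A$ outputs a set $Q'$.]
$\Pr[Q' \cap Q \neq \emptyset] = \mathsf{negl}(\lambda)$
It should be hard for $A$ to predict any of $S$'s queries or their inverses
$\mathcal{S}^{\mathrm{sup}}$: $A$ is computationally unbounded
$\mathcal{S}^{\mathrm{cup}}$: $A$ is PPT
$\mathcal{S}^{\mathrm{sup}} \subseteq \mathcal{S}^{\mathrm{cup}}$
$\mathsf{psPRP}[\mathcal{S}^{\mathrm{cup}}]$ impossible if iO exists [BFM14]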
![Page 94: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/94.jpg)
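Source restrictions – reset-security
[Figure: two games, left ≈ right.
Left: $\rho \leftarrow \mathsf{Perms}(n)$; $S$ queries $\rho/\rho^{-1}$ and sends $L$ to $R$; $R$ queries the same $\rho/\rho^{-1}$ and outputs 0/1.
Right: $\rho \leftarrow \mathsf{Perms}(n)$, $\rho_1 \leftarrow \mathsf{Perms}(n)$; $S$ queries $\rho/\rho^{-1}$ and sends $L$ to $R$; $R$ queries $\rho_1/\rho_1^{-1}$ and outputs 0/1.]
$\mathcal{S}^{\mathrm{srs}}$: $R$ is computationally unbounded
$\mathcal{S}^{\mathrm{crs}}$: $R$ is PPT
$\mathcal{S}^{\mathrm{srs}} \subseteq \mathcal{S}^{\mathrm{crs}}$
$\mathcal{S}^{\mathrm{cup}} \subseteq \mathcal{S}^{\mathrm{crs}}$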
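The unpredictability and reset-security games from the slides above, as an added Python example (not code from the talk or the paper). The block length, the two sample sources and the two fixed adversaries are constructed for illustration; passing against one fixed adversary shows how the games run, not membership in $\mathcal{S}^{\mathrm{sup}}$ or $\mathcal{S}^{\mathrm{srs}}$, which quantify over all adversaries.

```python
import random

N = 64                                  # block length n in bits (assumption)
FLIP = {'+': '-', '-': '+'}             # sigma -> opposite direction

class LazyPerm:
    """rho <- Perms(n), sampled lazily; '+' queries rho, '-' queries rho^-1."""
    def __init__(self, rng):
        self.rng = rng
        self.tab = {'+': {}, '-': {}}

    def query(self, sigma, x):
        same, other = self.tab[sigma], self.tab[FLIP[sigma]]
        if x not in same:
            y = self.rng.getrandbits(N)
            while y in other:           # resample so rho stays a permutation
                y = self.rng.getrandbits(N)
            same[x], other[y] = y, x
        return same[x]

def run_source(source, rho, rng):
    """Run S with oracle rho/rho^-1; return (L, Q) with Q as on the slide."""
    Q = set()
    def oracle(sigma, x):
        y = rho.query(sigma, x)
        Q.update({(sigma, x), (FLIP[sigma], y)})   # the query and its inverse
        return y
    return source(oracle, rng), Q

# Two constructed sources.
def leaky_source(oracle, rng):
    return oracle('+', 0)               # L = rho(0^n): the fixed-point leak

def hiding_source(oracle, rng):
    x = rng.getrandbits(N)              # secret, high-entropy query point
    return oracle('+', x) & 0xFF        # L = low 8 bits of rho(x)

# One fixed adversary per game (constructed): both bet on the query 0^n.
def predictor(L):
    return {('+', 0), ('-', L)}         # A's guess Q'

def resetter(L, oracle):
    return int(oracle('+', 0) == L)     # R re-asks 0^n and compares with L

def prediction_rate(source, trials, seed):
    """Empirical Pr[Q' and Q intersect] for the fixed predictor."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        L, Q = run_source(source, LazyPerm(rng), rng)
        wins += bool(predictor(L) & Q)
    return wins / trials

def reset_advantage(source, trials, seed):
    """Empirical |Pr[R=1 with same rho] - Pr[R=1 with fresh rho_1]|."""
    rng = random.Random(seed)
    ones = {False: 0, True: 0}
    for _ in range(trials):
        for fresh in (False, True):
            rho = LazyPerm(rng)
            L, _ = run_source(source, rho, rng)
            r_oracle = LazyPerm(rng) if fresh else rho
            ones[fresh] += resetter(L, r_oracle.query)
    return abs(ones[False] - ones[True]) / trials

if __name__ == "__main__":
    for src in (leaky_source, hiding_source):
        print(src.__name__,
              prediction_rate(src, 200, seed=1),
              reset_advantage(src, 200, seed=2))
```

The leaky source loses both games with certainty, which is why it has to be excluded from the source class; the hiding source gives these two adversaries nothing to work with.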
![Page 95: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/95.jpg)
Recap
$\mathsf{psPRP}[\mathcal{S}^{\mathrm{srs}}]$
$\mathsf{psPRP}[\mathcal{S}^{\mathrm{sup}}]$
![Page 99: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/99.jpg)
Recap
Central assumption in UCE theory
![Page 100: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/100.jpg)
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions
Correlated-input hash functions (CIH)
![Page 107: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/107.jpg)
Next
Can we get psPRPs at all?
• Constructions from UCEs
• Heuristic instantiations
Are psPRPs useful?
• Constructions of UCEs
• Direct applications: garbling from fixed-key block ciphers, correlated-input hash functions (CIH)
Common denominator: A new, restricted notion of indifferentiability! CP-sequential indifferentiability
![Page 112: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/112.jpg)
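Indifferentiability [MRH04]
[Figure: two games, left ≈ right.
Left: $A$ queries the construction $C$ and the random permutation $RP$ ($\rho/\rho^{-1}$, $\rho \leftarrow \mathsf{Perms}(n)$) that $C$ is built on, and outputs 0/1.
Right: $A$ queries the random oracle $RO$ ($f \leftarrow \mathsf{Funcs}(*, n)$) and the simulator $Sim$, and outputs 0/1.]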
![Page 116: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/116.jpg)
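CP-sequential indifferentiability
[Figure: two games, left ≈ right, with $\rho \leftarrow \mathsf{Perms}(n)$ and $f \leftarrow \mathsf{Funcs}(*, n)$.
Left: $A_1$ queries the construction $C$ (built on $RP$), then passes $st$ to $A_2$; $A_2$ queries $RP$ ($\rho/\rho^{-1}$) and outputs 0/1.
Right: $A_1$ queries $RO$ ($f$), then passes $st$ to $A_2$; $A_2$ queries $Sim$ and outputs 0/1.]
$C^{RP} \sim_{\mathrm{cpi}} RO$ ⇔ ∃ PPT $Sim$ ∀ PPT $(A_1, A_2)$: left and right are indistinguishable.
Remarks:
1. Full indifferentiability ⟹ CP-seq indiff.
2. Reverse ordering: seq. indifferentiability [MPS12]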
![Page 123: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/123.jpg)
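From psPRPs to UCEs
Theorem: $C^{RP} \sim_{\mathrm{cpi}} RO$ + $P$ $\mathsf{psPRP}[\mathcal{S}^{\mathrm{srs}}]$-secure ⟹ $C[P]$ $\mathsf{UCE}[\mathcal{S}^{\mathrm{srs}}]$-secure.
[Figure: the construction $C$ on top of $RP$ ($\rho/\rho^{-1}$), with $\rho/\rho^{-1}$ replaced by $\pi_s/\pi_s^{-1}$ in $C[P]$.]
Similar result proved in [BHK14], but:
• Need full indifferentiability
• Only stated for UCE domain extension
Corollary: Every perm-based indiff. hash-function transforms a psPRP into a UCE!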
![Page 128: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/128.jpg)
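From psPRPs to UCEs – Sponges
[Figure: sponge. $M \in \{0,1\}^*$ is split into blocks $M_1, M_2, \dots, M_l$. The state $S_0$ has an $r$-bit part and an $(n - r)$-bit part, both initialized to 0. Each block is absorbed and followed by a call to $\rho$, which is instantiated by $\pi_s$. The output is $y \in \{0,1\}^r$.]
Theorem [BDVP08]: Sponge[$RP$] $\sim_{\mathrm{cpi}} RO$.
Corollary: $P$ $\mathsf{psPRP}[\mathcal{S}^{\mathrm{srs}}]$-secure ⟹ Sponge[$P$] $\mathsf{UCE}[\mathcal{S}^{\mathrm{srs}}]$-secure.
Validates the Sponge paradigm for UCE applications!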
![Page 141: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/141.jpg)
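From psPRPs to UCEs – Chop
CP-sequentially indiff. constructions that are not fully indiff.?
[Figure: Chop. $x \in \{0,1\}^n$ goes through $\rho$ (instantiated by $\pi_s$), giving $n$ bits; the result is truncated from $n$ bits to $r$ bits, giving $y \in \{0,1\}^r$.]
Theorem: Chop[$RP$] $\sim_{\mathrm{cpi}} RF$ when $n - r \in \omega(\log \lambda)$.
Chop[$RP$] is not indifferentiable
Corollary: $P$ $\mathsf{psPRP}[\mathcal{S}^{\mathrm{srs}}]$-secure ⟹ Chop[$P$] $\mathsf{UCE}[\mathcal{S}^{\mathrm{srs}}]$-secure.
$\mathsf{UCE}[\mathcal{S}^{\mathrm{sup}}]$ $\mathsf{psPRP}[\mathcal{S}^{\mathrm{sup}}]$
From Chop[$P$] to VIL UCE: Domain extension techniques [BHK14]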
![Page 145: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/145.jpg)
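psPRPs from UCEs
[Figure: two games, left ≈ right.
Left: $A_1$ queries the construction $C$ (built on $RO$), then passes $st$ to $A_2$; $A_2$ queries $RO$ and outputs $b'$.
Right: $A_1$ queries $RP$, then passes $st$ to $A_2$; $A_2$ queries $Sim$ and outputs $b'$.]
Theorem: $C^{RO} \sim_{\mathrm{cpi}} RP$ + $H$ $\mathsf{UCE}[\mathcal{S}^{\mathrm{srs}}]$-secure ⟹ $C[H]$ $\mathsf{psPRP}[\mathcal{S}^{\mathrm{srs}}]$-secure.
Corollary: Every hash-function-based indiff. permutation transforms a UCE into a psPRP.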
![Page 148: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/148.jpg)
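From UCEs to psPRPs – Feistel
[Figure: 5-round Feistel $\psi_5[\mathbf{f}]$ with round functions $f_1, \dots, f_5$, mapping $X \in \{0,1\}^{2n}$ to $Y \in \{0,1\}^{2n}$ over two $n$-bit halves; intermediate values labelled $X_0, \dots, X_6$.]
[Figure: number line of #rounds for indifferentiability, labelled "impossible [CPS08]", "???", and [HKT11] [DS16] [DSKT16].]
psPRPs exist in the standard model if UCEs exist!!!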
![Page 152: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/152.jpg)
Can we reduce the round-complexity of Feistel for UCE to psPRP transformation?
[Figure: number line of #rounds for CP-sequential indifferentiability, labelled [HKT11] [DS16] [DSKT16] and "This work!!!".]
Theorem: 5-round Feistel ($\psi_5[\mathbf{f}]$) $\sim_{cpi} RP$.
Corollary: $\mathbf{H}$ $UCE[\mathcal{S}^{srs}]$-secure ⟹ $\psi_5[\mathbf{H}]$ $psPRP[\mathcal{S}^{srs}]$-secure.
![Page 155: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/155.jpg)
5-round proof is technically involved
Our 5-round Sim:
• Relies on chain completion techniques
• Heavily exploits query ordering
• Very different chain-completion strategy from previous works, no recursion needed
[Figure: 5-round Feistel with round functions $f_1, \dots, f_5$ and values $X_0, \dots, X_6$; rounds annotated "detect", "forceVal" and "Set uniform", each label appearing twice.]
[Figure: number line of #rounds of Feistel for psPRP-security, labelled "impossible [LR88]", "???", "This work!!!", and [HKT11] [DS16] [DSKT16].]
Open: Do 4 rounds suffice?
![Page 160: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/160.jpg)
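Heuristic Instantiations
From Block-ciphers e.g. AES
$P = (Gen, \pi, \pi^{-1})$
$Gen$: $s \leftarrow \{0,1\}^k$
$\pi$: [diagram with a block labelled $E$]
Ideal-Cipher model: $psPRP[\mathcal{S}^{srs}]$-secure
From Permutations e.g. the Keccak permutation
$P = (Gen, \pi, \pi^{-1})$
$Gen$: $s \leftarrow \{0,1\}^k$
$\pi$: [diagram with a block labelled $\pi$]
RP model: $psPRP[\mathcal{S}^{sup}]$-secure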
![Page 166: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/166.jpg)
Fast Garbling from psPRPs
Fast garbling from [BHKR13]
• Only calls fixed-key block cipher: $x \to E(0^k, x)$
• Proof in RP model
• Very fast – no key-schedule
Garbled And (input wire labels $x_a^0, x_a^1$ and $x_b^0, x_b^1$; output wire labels $x_g^0, x_g^1$):
$E(0^n, K_{10}) \oplus K_{10} \oplus x_g^0$
$E(0^n, K_{01}) \oplus K_{01} \oplus x_g^0$
$E(0^n, K_{11}) \oplus K_{11} \oplus x_g^1$
$E(0^n, K_{00}) \oplus K_{00} \oplus x_g^0$
This work: Replace $E(0^k, x)$ by $\pi_s$ for a random seed generated upon garbling.
Theorem: Secure garbling when $\pi_s$ is $psPRP[\mathcal{S}^{sup}]$.
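As an added illustration (not code from the slides or from the authors), the sketch below implements P = (Gen, π, π⁻¹) as the 5-round Feistel ψ5[H] from the Feistel slides and then uses π_s in place of E(0^k, x) in the garbled AND gate shown above. Assumptions: SHAKE-256 stands in for the seeded hash H, n = 64, the key K = 2A ⊕ 4B ⊕ T and the select-bit row ordering follow [BHKR13] rather than the slides, and all function names are made up for the example.

```python
import hashlib, secrets

N = 8  # bytes per Feistel half (n = 64), so pi_s permutes 128-bit strings

def gen():
    return secrets.token_bytes(16)  # Gen: sample the public seed s

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def round_fn(s, i, x):
    # f_i(x) = H(s, i, x); SHAKE-256 stands in for the seeded hash H (assumption).
    return hashlib.shake_256(s + bytes([i]) + x).digest(N)

def pi(s, x):
    """psi_5[H], forward: five Feistel rounds (L, R) -> (R, L xor f_i(R))."""
    l, r = x[:N], x[N:]
    for i in (1, 2, 3, 4, 5):
        l, r = r, xor(l, round_fn(s, i, r))
    return l + r

def pi_inv(s, y):
    l, r = y[:N], y[N:]
    for i in (5, 4, 3, 2, 1):  # undo the rounds in reverse order
        l, r = xor(r, round_fn(s, i, l)), l
    return l + r

def double(x):
    # Multiply by 2 in GF(2^128), reduction constant 0x87.
    v = int.from_bytes(x, "big") << 1
    return ((v ^ 0x87 if v >> 128 else v) & ((1 << 128) - 1)).to_bytes(16, "big")

def row_pad(s, a, b, gate_id):
    # K = 2A xor 4B xor T as in [BHKR13] (assumed; the slides only write K_ab).
    k = xor(xor(double(a), double(double(b))), gate_id.to_bytes(16, "big"))
    return 2 * (a[-1] & 1) + (b[-1] & 1), xor(pi(s, k), k)

def new_wire():
    """Labels (x^0, x^1) whose last bits differ, so they select distinct rows."""
    x0, x1 = secrets.token_bytes(16), bytearray(secrets.token_bytes(16))
    x1[-1] = (x1[-1] & 0xFE) | (~x0[-1] & 1)
    return x0, bytes(x1)

def garble_and(s, wa, wb, wg, gate_id):
    """Row for input labels (A, B) holds pi_s(K) xor K xor x_g^(a AND b)."""
    table = [None] * 4
    for va, vb in ((0, 0), (0, 1), (1, 0), (1, 1)):
        idx, pad = row_pad(s, wa[va], wb[vb], gate_id)
        table[idx] = xor(pad, wg[va & vb])
    return table

def eval_and(s, table, a, b, gate_id):
    idx, pad = row_pad(s, a, b, gate_id)  # evaluator holds one label per input wire
    return xor(pad, table[idx])
```

The garbling theorem asks for psPRP[S^sup] while the Feistel corollary gives psPRP[S^srs], so ψ5[H] serves here only as a concrete stand-in for π_s.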
![Page 167: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/167.jpg)
Roadmap
1. Definitions
2. Constructions & Applications
3. Conclusions
Correlated-input hash functions (CIH)
![Page 171: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/171.jpg)
Conclusion
psPRPs
First standard model assumptions on permutations
Constructions
Applications
![Page 178: Public-seed Pseudorandom Permutations - … Pseudorandom Permutations Pratik Soni Stefano Tessaro UC Santa Barbara UC Santa Barbara EUROCRYPT 2017 . ... psPRP security](https://reader034.vdocuments.us/reader034/viewer/2022051802/5aec04c47f8b9ac3618ff015/html5/thumbnails/178.jpg)
Many open questions…
psPRPs:
• More applications: psPRP-based PRNGs, authenticated encryption?
• More efficient constructions: Round complexity of Feistel for psPRPs?
Public-seed Pseudorandomness - general paradigm:
• Applications of public-seed Ideal Ciphers?
Beyond psPRPs:
• Simpler assumptions on permutations?
Is SHA-3 a CRHF under any non-trivial assumption?
Thank you!