Introduction to Provable Security...Introduction What is Provable Security? absolute securityreductionist security (e.g., lower bound on the number of active S-boxes) based onbased

Introduction to Provable Security

Bart Mennink

KU Leuven (Belgium)

IACR School on Design and Security ofCryptographic Algorithms and Devices

October 20, 2015

1 / 58

Introduction

What is Provable Security?

←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

absolute security reductionist security(e.g., lower bound on thenumber of active S-boxes)

←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

based on based oncrypto primitive math problem

←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

absolute security reductionist security

(e.g., lower bound on thenumber of active S-boxes)

←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−


←−−−−−−−−−−−−−−

←−−−−−

−−−−−−

−−−

keyed keyless

2 / 58

Introduction

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BCEven-Mansour←−−−−−−−−−−− . .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS


←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC

Even-Mansour←−−−−−−−−−−− . .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC

Even-Mansour←−−−−−−−−−−−

. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .Hash

HMAC−−−−−−−−−−−→

. .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS


←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Introduction

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS


←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

3 / 58

Keyed

Sponges

Keyed Constructions

4 / 58

Keyed Blockcipher1 cipher

m cE

k

• Blockcipher: a family of permutations indexed by key

• Ek for secret k should behave like permutation π

5 / 58

Keyed Blockcipher1 cipher

m cE

k

• Blockcipher: a family of permutations indexed by key

• Ek for secret k should behave like permutation π

5 / 58

Keyed Blockcipher: (S)PRP Security9 indistsimpleEnoD

ICEk πkeyed blockcipher ideal permutation

• Two oracles: Ek (for secret random key k) and π

• Distinguisher D has query access to either Ek or π

• Forward query: m −→ Ek(m) or π(m)• Inverse query: c −→ E−1k (c) or π−1(c)

• D can also make �o�ine� evaluations of E

• D tries to determine which oracle it communicates with

6 / 58

Keyed Blockcipher: (S)PRP Security3 indistsimpleE

ICEk π

distinguisher D

keyed blockcipher ideal permutation


• Distinguisher D has query access to either Ek or π

• Forward query: m −→ Ek(m) or π(m)• Inverse query: c −→ E−1k (c) or π−1(c)



6 / 58


ICEk π

distinguisher D



• Distinguisher D has query access to either Ek or π• Forward query: m −→ Ek(m) or π(m)• Inverse query: c −→ E−1k (c) or π−1(c)



6 / 58


ICEk π

distinguisher D






6 / 58


ICEk π

distinguisher D






6 / 58


ICEk π

distinguisher D


De�nitionE is a (strong) pseudorandom permutation if

Adv(s)prpE (D) =

∣∣∣Pr[DE

(±)k = 1

]−Pr

[Dπ(±)

= 1]∣∣∣

is small. D is parametrized by: • Q online queries• T o�ine evaluations

7 / 58

Keyed Tweakable Blockcipher2 ciphertweakable

m

t

c

k

E

• Tweak: �exibility to the cipher

• Each key and tweak givesa di�erent permutation

• Ek for secret k should behavelike tweakable permutation π

De�nitionE is a (strong) tweakable pseudorandom permutation if

Adv(s)tprp

E(D) =

∣∣∣Pr[DE

(±)k = 1

]−Pr

[Dπ(±)

= 1]∣∣∣


8 / 58


m

t

c

k

E





Adv(s)tprp

E(D) =

∣∣∣Pr[DE

(±)k = 1

]−Pr

[Dπ(±)

= 1]∣∣∣


8 / 58


m

t

c

k

E





Adv(s)tprp

E(D) =

∣∣∣Pr[DE

(±)k = 1

]−Pr

[Dπ(±)

= 1]∣∣∣


8 / 58

Keyed One-Way Function4 compfn

m cFk

• Keyed one-way function(could be compressing)

• Fk for secret k should behavelike random function $

De�nitionF is a pseudorandom function if

AdvprfF (D) =

∣∣∣Pr[DFk = 1

]−Pr

[D$ = 1

]∣∣∣is small. D is parametrized by: • Q online queries of length `

• T o�ine evaluations

9 / 58


m cFk




AdvprfF (D) =

∣∣∣Pr[DFk = 1

]−Pr

[D$ = 1



9 / 58


m cFk




AdvprfF (D) =

∣∣∣Pr[DFk = 1

]−Pr

[D$ = 1



9 / 58

Indistinguishability

Generalization: Indistinguishability of Random Systems2 indistsimpleO

IC

construction

O P

distinguisher D

Advind(D) =∣∣Pr

[DO = 1

]−Pr

[DP = 1

]∣∣ = ∆D(O ; P)

How to Prove that Advind(D) is Small?

• Game-playing technique

• H-coe�cient technique

10 / 58



IC

construction

O P

distinguisher D

Advind(D) =∣∣Pr

[DO = 1

]−Pr

[DP = 1

]∣∣ = ∆D(O ; P)




10 / 58



IC

construction

O P

distinguisher D

Advind(D) =∣∣Pr

[DO = 1

]−Pr

[DP = 1

]∣∣ = ∆D(O ; P)




10 / 58

Game-Playing Technique

• Bellare and Rogaway [BR06]

• Similar to Maurer's methodology [Mau02]

2 indistsimpleO

IC

construction

O P

distinguisher D

• Basic idea:• From O to P in small steps

• Intermediate steps (presumably) easy to analyze

11 / 58




2 indistsimpleO

IC

construction

O P

distinguisher D



11 / 58




2 indistsimpleO

IC

construction

O P

distinguisher D



11 / 58




2 indistsimpleO

IC

construction

O P

distinguisher D

• Basic idea:• From O to P in small steps• Intermediate steps (presumably) easy to analyze

11 / 58


Triangle Inequality

∆(O;P) ≤ ∆(O;R) + ∆(R;P)

Fundamental Lemma

If O and P are identical until bad, then:

∆(O;P) ≤ Pr [P sets bad]

12 / 58


Triangle Inequality

∆(O;P) ≤ ∆(O;R) + ∆(R;P)

Fundamental Lemma

If O and P are identical until bad, then:


12 / 58


Triangle Inequality

∆(O;P) ≤ ∆(O;R) + ∆(R;P)

Fundamental LemmaIf O and P are identical until bad, then:


12 / 58

Example: PRP-PRF Switch (1/4)7 indistsimpleSwitch

ICFk = Ek $

distinguisher D

keyed blockcipher random function

TheoremFor any distinguisher D making Q queries to Ek/$ and To�ine evaluations

∆D(Ek; $) ≤ AdvprpE (D) +

(Q2

)2n

13 / 58

Example: PRP-PRF Switch (2/4)

Step 1. �Replace� Ek by Random Permutation π

• Triangle inequality:

∆D(Ek; $)

≤ ∆D(Ek;π) + ∆D(π; $)

• ∆D(Ek;π) = AdvprpE (D) by de�nition

• ∆D(π; $)• D is parametrized by Q queries to π/$

14 / 58




∆D(Ek; $)

≤ ∆D(Ek;π) + ∆D(π; $)



14 / 58




∆D(Ek; $) ≤ ∆D(Ek;π) + ∆D(π; $)



14 / 58




∆D(Ek; $) ≤ ∆D(Ek;π) + ∆D(π; $)



14 / 58




∆D(Ek; $) ≤ ∆D(Ek;π) + ∆D(π; $)



14 / 58


Step 2. Random Permutation to Random Function

• Consider lazily sampled π and $• Initially empty list of responses L• Randomly generated response for every new query

Oracle π

y$←− {0, 1}n\L

L ∪←− yreturn y

Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y

15 / 58




Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y

15 / 58




Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y

15 / 58




Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y

15 / 58


Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y

identical identical until bad


∆D(π; $)

≤ ∆D(π;π′) + ∆D(π′; $)

≤ 0 +

Pr [π′ sets bad]

≤ (Q2)2n

16 / 58


Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y



∆D(π; $) ≤ ∆D(π;π′) + ∆D(π′; $)

≤ 0 +

Pr [π′ sets bad]

≤ (Q2)2n

16 / 58


Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y

identical

identical until bad


∆D(π; $) ≤ ∆D(π;π′) + ∆D(π′; $)

≤ 0 +

Pr [π′ sets bad] ≤ (Q2)2n

16 / 58


Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y



∆D(π; $) ≤ ∆D(π;π′) + ∆D(π′; $)

≤ 0 + Pr [π′ sets bad]

≤ (Q2)2n

16 / 58


Oracle π

y$←− {0, 1}n\L


Oracle π′

y$←− {0, 1}n

if y ∈ Ly

$←− {0, 1}n\Lbad


Oracle $

y$←− {0, 1}n

return y



∆D(π; $) ≤ ∆D(π;π′) + ∆D(π′; $)

≤ 0 + Pr [π′ sets bad] ≤ (Q2)2n

16 / 58

H-Coe�cient Technique

• Patarin [Pat91,Pat08]

• Popularized by Chen and Steinberger [CS14]

• Similar to �Strong Interpolation Technique� [Ber05]

2 indistsimpleO

IC

construction

O P

distinguisher D

• Basic idea:• Each conversation de�nes a transcript τ

• O ≈ P for most of the transcripts• Remaining transcripts occur with small probability

17 / 58




• Similar to �Strong Interpolation Technique� [Ber05]2 indistsimpleO

IC

construction

O P

distinguisher D



17 / 58





IC

construction

O P

distinguisher D



17 / 58





IC

construction

O P

distinguisher D

• Basic idea:• Each conversation de�nes a transcript τ• O ≈ P for most of the transcripts

• Remaining transcripts occur with small probability

17 / 58





IC

construction

O P

distinguisher D

• Basic idea:• Each conversation de�nes a transcript τ• O ≈ P for most of the transcripts• Remaining transcripts occur with small probability

17 / 58


• D is computationally unbounded and deterministic

• Each conversation de�nes a transcript τ

• Consider good and bad transcripts

LemmaLet ε > 0 be such that for all good transcripts τ :

Pr [O gives τ ]

Pr [P gives τ ]≥ 1− ε

Then, ∆D(O;P ) ≤ ε+ Pr [bad transcript for P]

Trade-o�: de�ne bad transcripts smartly!

18 / 58






Pr [O gives τ ]




18 / 58






Pr [O gives τ ]




18 / 58






Pr [O gives τ ]




18 / 58

Example: Even-Mansour (1/10)

1 EM

m c

k k

P

Ek(m) = P (m⊕ k)⊕ k

19 / 58

Example: Even-Mansour (2/10)1 p-indistEM1

IC

PSfrag

E±k π±

distinguisher D

Slightly Di�erent Security Model

• Underlying permutation

randomized

• Information-theoretic distinguisher D• Q construction queries• T o�ine evaluations ≈ T primitive queries

• Unbounded computational power

20 / 58


IC

PSfrag

E±k P± π±

distinguisher D


• Underlying permutation

randomized



20 / 58


IC

PSfrag

E±k P± π± P±

distinguisher D


• Underlying permutation randomized



20 / 58


IC

PSfrag

E±k P± π± P±

distinguisher D


• Underlying permutation randomized

• Information-theoretic distinguisher D• Q construction queries• T o�ine evaluations ≈ T primitive queries• Unbounded computational power

20 / 58


IC

PSfrag

E±k P± π± P±

distinguisher D


• Without loss of generality, D is deterministic• No random choices

• Reason: at the end we maximize over all distinguishers

21 / 58


IC

PSfrag

E±k P± π± P±

distinguisher D


• Without loss of generality, D is deterministic• No random choices

• Reason: at the end we maximize over all distinguishers

21 / 58


IC

PSfrag

E±k P± π± P±

distinguisher D

TheoremFor any deterministic distinguisher D making Q queries toEk/$ and T primitive queries

AdvsprpE (D) = ∆D(E±k , P

±;π±, P±) ≤ 2QT

2n

22 / 58


Step 1. De�ne how transcripts look like

Step 2. De�ne good and bad transcripts

Step 3. Upper bound Pr [bad transcript for (π±, P±)]

Step 4. Lower boundPr[(E±k ,P

±) gives τ ]Pr[(π±,P±) gives τ ]

≥ 1− ε (∀ good τ)

23 / 58


1. De�ne how transcripts look like

• Construction queries:

τE = {(m1, c1), . . . , (mQ, cQ)}

• Primitive queries:

τP = {(x1, y1), . . . , (xT , yT )}

• Unordered lists (ordering not needed in current proof)

• 1-to-1 correspondence between any D and any (τE , τP )

• Bonus information!• After interaction of D with oracles: reveal the key

• Real world (E±k , P±): key used for encryption

• Ideal world (π±, P±): dummy key k$←− {0, 1}n

24 / 58




τE = {(m1, c1), . . . , (mQ, cQ)}


τP = {(x1, y1), . . . , (xT , yT )}






24 / 58




τE = {(m1, c1), . . . , (mQ, cQ)}


τP = {(x1, y1), . . . , (xT , yT )}






24 / 58




τE = {(m1, c1), . . . , (mQ, cQ)}


τP = {(x1, y1), . . . , (xT , yT )}






24 / 58




τE = {(m1, c1), . . . , (mQ, cQ)}


τP = {(x1, y1), . . . , (xT , yT )}






24 / 58

Example: Even-Mansour (7/10)1 EM

m c

k k

P

2. De�ne good and bad transcripts

• Intuition:

• (m, c) ∈ τE �de�nes� P -query (m⊕ k, c⊕ k)

• Should not collide with any (x, y) ∈ τP• Transcript τ = (τE , τP , k) is bad if

∃(m, c) ∈ τE , (x, y) ∈ τP such that m⊕ k = x or c⊕ k = y

• Note: no internal collisions in τE and τP

25 / 58


m c

k k

P


• Intuition:• (m, c) ∈ τE �de�nes� P -query (m⊕ k, c⊕ k)




25 / 58


m c

k k

P



• Should not collide with any (x, y) ∈ τP

• Transcript τ = (τE , τP , k) is bad if



25 / 58


m c

k k

P






25 / 58


m c

k k

P






25 / 58


3. Upper bound Pr[bad transcript for (π±, P±)

]• Transcript τ = (τE , τP , k) is bad if


⇐⇒

k ∈ {m⊕ x, c⊕ y | (m, c) ∈ τE , (x, y) ∈ τP }︸︷︷︸of size ≤ 2QT−→

independently generated n-bit dummy key

Pr[bad transcript for (π±, P±)

]≤ 2QT

2n

26 / 58





⇐⇒

k ∈ {m⊕ x, c⊕ y | (m, c) ∈ τE , (x, y) ∈ τP }

︸︷︷︸of size ≤ 2QT−→



]≤ 2QT

2n

26 / 58





⇐⇒

k ∈ {m⊕ x, c⊕ y | (m, c) ∈ τE , (x, y) ∈ τP }︸︷︷︸of size ≤ 2QT

−→



]≤ 2QT

2n

26 / 58





⇐⇒




]≤ 2QT

2n

26 / 58





⇐⇒




]≤ 2QT

2n

26 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )

• Counting �compatible� oracles (modulo details):

Pr [O gives τ ] =

∣∣oracles O that could give τ∣∣∣∣oracles O∣∣

• For real world (E±k , P±):

Pr[(E±k , P

±) gives τ]

=

(2n −Q− T )!

2n · 2n!

• For ideal world (π±, P±):

Pr[(π±, P±) gives τ

]=

(2n −Q)!(2n − T )!

2n · (2n!)2

27 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr [O gives τ ] =



Pr[(E±k , P

±) gives τ]

=

(2n −Q− T )!

2n · 2n!



]=

(2n −Q)!(2n − T )!

2n · (2n!)2

27 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr [O gives τ ] =



Pr[(E±k , P

±) gives τ]

=

(2n −Q− T )!

2n · 2n!



]=

(2n −Q)!(2n − T )!

2n · (2n!)2

27 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr [O gives τ ] =



Pr[(E±k , P

±) gives τ]

=

(2n −Q− T )!

2n · 2n!



]=

(2n −Q)!(2n − T )!

2n · (2n!)2

27 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr [O gives τ ] =



Pr[(E±k , P

±) gives τ]

=(2n −Q− T )!

2n · 2n!



]=

(2n −Q)!(2n − T )!

2n · (2n!)2

27 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr [O gives τ ] =



Pr[(E±k , P

±) gives τ]

=(2n −Q− T )!

2n · 2n!



]=

(2n −Q)!(2n − T )!

2n · (2n!)2

27 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )

• Putting things together:

Pr[(E±k , P

±) gives τ]


] =(2n−Q−T )!

2n·2n!(2n−Q)!(2n−T )!

2n·(2n!)2

=(2n −Q− T )!2n!

(2n −Q)!(2n − T )!

≥ 1

• We put ε = 0

• Conclusion:


±;π±, P±) ≤ 2QT

2n+ 0

28 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr[(E±k , P

±) gives τ]


] =(2n−Q−T )!

2n·2n!(2n−Q)!(2n−T )!

2n·(2n!)2

=(2n −Q− T )!2n!

(2n −Q)!(2n − T )!

≥ 1

• We put ε = 0

• Conclusion:


±;π±, P±) ≤ 2QT

2n+ 0

28 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr[(E±k , P

±) gives τ]


] =(2n−Q−T )!

2n·2n!(2n−Q)!(2n−T )!

2n·(2n!)2

=(2n −Q− T )!2n!

(2n −Q)!(2n − T )!

≥ 1

• We put ε = 0

• Conclusion:


±;π±, P±) ≤ 2QT

2n+ 0

28 / 58


4. Lower boundPr

[(E

±k ,P

±) gives τ]

Pr[(π

±,P±) gives τ

] ≥ 1− ε (∀ good τ )


Pr[(E±k , P

±) gives τ]


] =(2n−Q−T )!

2n·2n!(2n−Q)!(2n−T )!

2n·(2n!)2

=(2n −Q− T )!2n!

(2n −Q)!(2n − T )!

≥ 1

• We put ε = 0

• Conclusion:


±;π±, P±) ≤ 2QT

2n+ 0

28 / 58

Keyed Authenticated Encryption

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−

OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein

←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC

Even-Mansour

←−−−−−−−−−−− . .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

29 / 58

Keyed Authenticated Encryption

. .HashHMAC−−−−−−−−−−−→

. .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−

OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein

←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC

Even-Mansour

←−−−−−−−−−−− . .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

29 / 58

Keyed Authenticated Encryption5 AE

m

n, a

c, tAE

k

• Con�dentiality: c should always look random

• Authenticity: t is �hard to forge�

• (AEk,ADk) for secret k should behave like ($,⊥)

30 / 58

Keyed Authenticated Encryption: AE Security6 indistsimpleAE

ICAE k,ADk $,⊥

distinguisher D

keyed AE scheme random cipher, ⊥ function

De�nition(AE ,AD) is a secure authenticated encryption scheme if1

AdvaeAE (D) =

∣∣∣Pr[DAEk,ADk = 1

]−Pr

[D$,⊥ = 1


(nonce-respecting/misusing)• T o�ine evaluations

31 / 581 Also known as CCA3 security

Example: OCBx (1/2)2 OCBgen

A1 A2 Aa M1 M2 Md⊕Mi

C1 C2 Cd

T

EN,A1

k EN,A2

k EN,Aa

k EN,M⊕k EN,M1

k EN,M2

k EN,Md

k

• Generalized OCB by Rogaway et al. [RBBK01,Rog04,KR11]

• Internally based on tweakable blockcipher E• Tweak (N, tweak) is unique for every evaluation


∆D(AE

Ek

k ,AD

Ek

k ; $,⊥)

≤ ∆D(AE π,AD π; $,⊥) + ∆D′(E±k ; π±)

32 / 58

STPRP security of E −→

Example: OCBx (1/2)3 OCBgenalert


C1 C2 Cd

T

EN,A1

k EN,A2

k EN,Aa

k EN,M⊕k EN,M1

k EN,M2

k EN,Md

k




∆D(AE Ekk ,AD Ek

k ; $,⊥)

≤ ∆D(AE π,AD π; $,⊥) + ∆D′(E±k ; π±)

32 / 58


Example: OCBx (1/2)4 OCBgenalertpi


C1 C2 Cd

T

πN,A1 πN,A2 πN,Aa πN,M⊕ πN,M1 πN,M2 πN,Md




∆D(AE Ekk ,AD Ek

k ; $,⊥) ≤ ∆D(AE π,AD π; $,⊥) + ∆D′(E±k ; π±)

32 / 58




C1 C2 Cd

T





∆D(AE Ekk ,AD Ek

k ; $,⊥) ≤ ∆D(AE π,AD π; $,⊥) + ∆D′(E±k ; π±)

32 / 58




C1 C2 Cd

T


• Nonce uniqueness ⇒ tweak uniqueness

• Encryption calls behave like random functions: AE π = $

• Authentication behaves like random function

• Tag forged with probability at most 1/(2n − 1)

∆D(AE π,AD π; $,⊥)

≤ 1/(2n − 1)

33 / 58



C1 C2 Cd

T






∆D(AE π,AD π; $,⊥)

≤ 1/(2n − 1)

33 / 58



C1 C2 Cd

T






∆D(AE π,AD π; $,⊥)

≤ 1/(2n − 1)

33 / 58



C1 C2 Cd

T






∆D(AE π,AD π; $,⊥)

≤ 1/(2n − 1)

33 / 58



C1 C2 Cd

T




• Authentication behaves like random function• Tag forged with probability at most 1/(2n − 1)

∆D(AE π,AD π; $,⊥)

≤ 1/(2n − 1)

33 / 58



C1 C2 Cd

T




• Authentication behaves like random function• Tag forged with probability at most 1/(2n − 1)

∆D(AE π,AD π; $,⊥) ≤ 1/(2n − 1)

33 / 58

Tomorrow's Talk

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS

. .BC . .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

34 / 58

Keyless Constructions

35 / 58

Hash Functions

H 011 . . . 01n∗

36 / 58

Hash Functions: Classical Security Requirements

gCollisiong1 col

H

HM

M ′

h

Find M 6= M ′

Application:

p2012 Flame virusp

Preimage2 pre

HM

h

Given h, �nd M

Application:

passphrase protection

Second Preimage3 sec

H

HM

M ′

h

Given M , �nd M ′ 6= M

Application:

data integrity

37 / 58

Hash Functions from Compression Functions

1 MDp

M1 Mk len(M)

ivh1 hk–1 hk

h

m

n nF FF · · ·

· · ·

Merkle-Damgård with Strengthening

• Damgård [Dam89] and Merkle [Mer89]

• Consecutive evaluation of compression function F

• Length encoding at the end

38 / 58


1 MDp

M1 Mk len(M)

ivh1 hk–1 hk

h

m

n nF FF · · ·

· · ·

Security of Merkle-Damgård

• H and F have same security models

• Ideally, we want:

F is col/sec/pre secure =⇒ H is col/sec/pre secure

39 / 58


1 MDp

M1 Mk len(M)

ivh1 hk–1 hk

h

m

n nF FF · · ·

· · ·

Security of Merkle-Damgård

• H and F have same security models

• Ideally, we want:

F is col/sec/pre secure =⇒ H is col/sec/pre secure

39 / 58

Collision Security of Merkle-Damgård

• Suppose we are given a collision H(M) = H(M ′)3 MDproof0·

M1 Mk len(M)

iv

iv

h1 hk–1 hk

M ′1 M ′

k′ len(M ′)

h′1 h′

k′–1 h′k′

h

h

m

m

n n

n n

F FF

F FF

· · ·

· · ·

· · ·

· · ·

• Then, F (hk, len(M)) = F (h′k′ , len(M ′))

• If (hk, len(M)) 6= (h′k′ , len(M ′)): this is an F -collision• Else,

F (hk−1,Mk) = F (h′k−1,M′k)

• · · ·

• We can �nd F -collision

40 / 58


• Suppose we are given a collision H(M) = H(M ′)4 MDproof0coll

M1 Mk len(M)

iv

iv

h1 hk–1 hk

M ′1 M ′

k′ len(M ′)

h′1 h′

k′–1 h′k′

h

h

m

m

n

n

n

n

FF

FF

F

F

· · ·

· · ·

· · ·

· · ·

• Then, F (hk, len(M)) = F (h′k′ , len(M ′))

• If (hk, len(M)) 6= (h′k′ , len(M ′)): this is an F -collision• Else,

F (hk−1,Mk) = F (h′k−1,M′k)

• · · ·


40 / 58



M1 Mk len(M)

iv

iv

h1 hk–1 hk

M ′1 M ′

k′ len(M ′)

h′1 h′

k′–1 h′k′

h

h

m

m

n

n

n

n

FF

FF

F

F

· · ·

· · ·

· · ·

· · ·

• Then, F (hk, len(M)) = F (h′k′ , len(M ′))• If (hk, len(M)) 6= (h′k′ , len(M ′)): this is an F -collision

• Else,

F (hk−1,Mk) = F (h′k−1,M′k)

• · · ·


40 / 58


• Suppose we are given a collision H(M) = H(M ′)5 MDproof1a

n

n

F

F

·

M1 Mk len(M)

iv

iv

h1 hk–1 hk

M ′1 M ′

k′ len(M ′) = len(M)

h′1 h′

k′–1 h′k′=hk

h

h

m

m

n

n

FF

FF

· · ·

· · ·

· · ·

· · ·

• Then, F (hk, len(M)) = F (h′k′ , len(M ′))• If (hk, len(M)) 6= (h′k′ , len(M ′)): this is an F -collision• Else,

F (hk−1,Mk) = F (h′k−1,M′k)

• · · ·


40 / 58


• Suppose we are given a collision H(M) = H(M ′)6 MDproof1b

n

n

F

F

·

M1 Mk len(M)

iv

iv

h1 hk–1 hk

M ′1 M ′

k len(M ′) = len(M)

h′1 h′

k–1 hk

h

h

m

m

n

n

FF

FF

· · ·

· · ·

· · ·

· · ·


F (hk−1,Mk) = F (h′k−1,M′k)

• · · ·


40 / 58



M1 Mk

iv

iv

h1 hk–1 hk

M ′1 M ′

k

h′1 h′

k–1 hk

m

m

n

n

FF

FF

· · ·

· · ·

· · ·

· · ·


F (hk−1,Mk) = F (h′k−1,M′k)

• · · ·


40 / 58



F

F

·

M1 Mk

iv

iv

h1 hk–1 hk

M ′1 M ′

k

h′1 h′

k–1 hk

m

m

n

n

F

F

· · ·

· · ·

· · ·

· · ·

• Then, F (hk, len(M)) = F (h′k′ , len(M ′))• If (hk, len(M)) 6= (h′k′ , len(M ′)): this is an F -collision• Else, F (hk−1,Mk) = F (h′k−1,M

′k)

• · · ·


40 / 58



M1

iv

iv

h1 hk–1

M ′1

h′1 hk–1

m

m

n

n

F

F

· · ·

· · ·

· · ·

· · ·


′k)

• · · ·


40 / 58



F

F

·

M1

iv

ivh1

M ′1

h1

m

m

n

n


′k)

• · · ·


40 / 58



F

F

·

M1

iv

ivh1

M ′1

h1

m

m

n

n


′k)

• · · ·

• We can �nd F -collision40 / 58

Preimage Security of Merkle-Damgård

• Let h be any range value

• Suppose we are given a preimage H(M) = h1 MDp

M1 Mk len(M)

ivh1 hk–1 hk

h

m

n nF FF · · ·

· · ·

• Then, F (hk, len(M)) = h

• We can �nd F -preimage for h

41 / 58



• Suppose we are given a preimage H(M) = h2 MDpre

M1 Mk len(M)

ivh1 hk–1 hk

h

m

n nFF F· · ·

· · ·



41 / 58



• Suppose we are given a preimage H(M) = h2 MDpre

M1 Mk len(M)

ivh1 hk–1 hk

h

m

n nFF F· · ·

· · ·



41 / 58

Second Preimage Security of Merkle-Damgård

• Second preimage for H: easier than for F

• Kelsey and Schneier [KS05]

• Assume F is an ideal function• Let M be any preimage for H (forget about len(M))• Second preimage attack complexity ≈ 2n/k• Work-around trick if len(M) is included

42 / 58




• Assume F is an ideal function• Let M be any preimage for H (forget about len(M))

• Second preimage attack complexity ≈ 2n/k• Work-around trick if len(M) is included

11 MDpsec1k

M1 Mk−1 Mk

ivh1 hk–2 hk–1

h

m

n nF FF · · ·

· · ·

42 / 58




• Assume F is an ideal function• Let M be any preimage for H (forget about len(M))• Second preimage attack complexity ≈ 2n/k

• Work-around trick if len(M) is included

12 MDpsec2

M1 Mk−1 Mk

M ′1

iv

iv

h1 hk–2 hk–1h

m

m

n n

n

F FF

F

· · ·

· · ·

42 / 58




• Assume F is an ideal function• Let M be any preimage for H (forget about len(M))• Second preimage attack complexity ≈ 2n/k• Work-around trick if len(M) is included

12 MDpsec2

M1 Mk−1 Mk

M ′1

iv

iv

h1 hk–2 hk–1h

m

m

n n

n

F FF

F

· · ·

· · ·

42 / 58

Compression Functions from Blockciphers/Permutations

Blockcipher Based.1 compfSBL

E

F

pPermutation Based.p2 compfpi

P

F

• Proofs in ideal model• E or P assumed to be uniformly random primitives• Proof via combinatorics and probability theory

43 / 58

Compression Functions from Blockciphers/Permutations

Blockcipher Based.1 compfSBL

E

F

pPermutation Based.p2 compfpi

P

F

• Proofs in ideal model• E or P assumed to be uniformly random primitives• Proof via combinatorics and probability theory

43 / 58

Compression Functions from Blockciphers

• Classical approach

• PGV compression functions [PGV93]

• Used in MD5, SHA-1/2, . . .

Group G1 Group G2

1 4

5 8

9 12

1

2 3

6 7

10 11

2

44 / 58

−→Matyas-Meyer-Oseas ('85)

−→Davies-Meyer

(≈'84)

←−−Miyaguchi-Preneel ('89)




• Used in MD5, SHA-1/2, . . .

Group G1 Group G2

1 4

5 8

9 12

1

2 3

6 7

10 11

2

44 / 58


−→Davies-Meyer

(≈'84)





• Used in MD5, SHA-1/2, . . .

Group G1 Group G2

1 4

5 8

9 12

1

2 3

6 7

10 11

2

44 / 58


−→Davies-Meyer

(≈'84)


Security of Davies-Meyer Compression Function1 DM

M

hin hE

• Black et al. [BRS02]

• Assume that E is an ideal cipher

• Adversary A makes Q queries to E• Forward query (k, x)→ y• Inverse query (k, y)→ x

• Query (k, x, y) corresponds to DM(x, k) = x⊕ y• A must make the required queries for the attack

45 / 58

Security of Davies-Meyer Compression Function2 DM1

M

hin h

k

x yE





45 / 58

Security of Davies-Meyer Compression Function3 DM2k

M

hin h = x⊕ y

k

x yE




• Query (k, x, y) corresponds to DM(x, k) = x⊕ y

• A must make the required queries for the attack

45 / 58


M

hin h = x⊕ y

k

x yE





45 / 58


M

hin h = x⊕ y

k

x yE

Collision Resistance

• Consider ith query (k, x, y) (forward or inverse)

• Response is random from set of size at least 2n − (i− 1)• Renders collision if x⊕ y = x′⊕ y′ for any earlier (k′, x′, y′)• There are i− 1 earlier queries (k′, x′, y′)

Pr [collision for DM] ≤Q∑i=1

i− 1

2n − (i− 1)

≤(Q2

)2n −Q

46 / 58


M

hin h = x⊕ y

k

x yE


• Consider ith query (k, x, y) (forward or inverse)• Response is random from set of size at least 2n − (i− 1)

• Renders collision if x⊕ y = x′⊕ y′ for any earlier (k′, x′, y′)• There are i− 1 earlier queries (k′, x′, y′)


i− 1

2n − (i− 1)

≤(Q2

)2n −Q

46 / 58


M

hin h = x⊕ y

k

x yE


• Consider ith query (k, x, y) (forward or inverse)• Response is random from set of size at least 2n − (i− 1)• Renders collision if x⊕ y = x′⊕ y′ for any earlier (k′, x′, y′)

• There are i− 1 earlier queries (k′, x′, y′)


i− 1

2n − (i− 1)

≤(Q2

)2n −Q

46 / 58


M

hin h = x⊕ y

k

x yE


• Consider ith query (k, x, y) (forward or inverse)• Response is random from set of size at least 2n − (i− 1)• Renders collision if x⊕ y = x′⊕ y′ for any earlier (k′, x′, y′)• There are i− 1 earlier queries (k′, x′, y′)


i− 1

2n − (i− 1)

≤(Q2

)2n −Q

46 / 58


M

hin h = x⊕ y

k

x yE




i− 1

2n − (i− 1)

≤(Q2

)2n −Q

46 / 58


M

hin h = x⊕ y

k

x yE




i− 1

2n − (i− 1)≤

(Q2

)2n −Q

46 / 58


M

hin h = x⊕ y

k

x yE

Preimage Resistance

• Consider any �xed target value h

• Consider ith query (k, x, y) (forward or inverse)

• Response is random from set of size at least 2n − (i− 1)• Renders preimage if x⊕ y = h

Pr [preimage for DM] ≤Q∑i=1

1

2n − (i− 1)≤ Q

2n −Q

47 / 58


M

hin h = x⊕ y

k

x yE

Preimage Resistance


• Consider ith query (k, x, y) (forward or inverse)• Response is random from set of size at least 2n − (i− 1)• Renders preimage if x⊕ y = h


1

2n − (i− 1)≤ Q

2n −Q

47 / 58


M

hin h = x⊕ y

k

x yE

Preimage Resistance


• Consider ith query (k, x, y) (forward or inverse)• Response is random from set of size at least 2n − (i− 1)• Renders preimage if x⊕ y = h


1

2n − (i− 1)≤ Q

2n −Q

47 / 58

Security of Davies-Meyer Compression Function1 DM

M

hin hE

• Can we prove security if E is not ideal?

• What if E is SPRP?

• Even-Mansour is SPRP• But DMEM(hin,M) = DMEM(hin ⊕ δ,M ⊕ δ)• E is used as keyless primitive

• Bottom line:• Be careful with choice of security model• Be careful with instantiation of the construction

48 / 58

Security of Davies-Meyer Compression Function4 DM-EMk

M

hin hP


• What if E is SPRP?• Even-Mansour is SPRP

• But DMEM(hin,M) = DMEM(hin ⊕ δ,M ⊕ δ)• E is used as keyless primitive


48 / 58


M

hin hP


• What if E is SPRP?• Even-Mansour is SPRP• But DMEM(hin,M) = DMEM(hin ⊕ δ,M ⊕ δ)

• E is used as keyless primitive


48 / 58


M

hin hP


• What if E is SPRP?• Even-Mansour is SPRP• But DMEM(hin,M) = DMEM(hin ⊕ δ,M ⊕ δ)• E is used as keyless primitive


48 / 58


M

hin hP


• What if E is SPRP?• Even-Mansour is SPRP• But DMEM(hin,M) = DMEM(hin ⊕ δ,M ⊕ δ)• E is used as keyless primitive


48 / 58


• Similar ideas for other PGVs

• Additional proof tricks for double length functions

• �Wish lists� [LSS10]

• �Free super queries� [LSS11]

• Many case distinctions (up to ≈ 40 in worst case)

u

vw

y

z

E

E

u

v

w

y

z

E

E

u

v wconst

y

z

E

E

1 FAexa1

u v w

c1

linear mapping

v + 2c1

u + w

2v + c1

2w

y z

E

E E

49 / 58



• Additional proof tricks for double length functions

• �Wish lists� [LSS10]



u

vw

y

z

E

E

u

v

w

y

z

E

E

u

v wconst

y

z

E

E

1 FAexa1

u v w

c1

linear mapping

v + 2c1

u + w

2v + c1

2w

y z

E

E E

49 / 58



• Additional proof tricks for double length functions• �Wish lists� [LSS10]



u

vw

y

z

E

E

u

v

w

y

z

E

E

u

v wconst

y

z

E

E

1 FAexa1

u v w

c1

linear mapping

v + 2c1

u + w

2v + c1

2w

y z

E

E E

49 / 58

Compression Functions from Permutations

• Blockcipher calls require re-keying

• Instead use �xed-key blockciphers, or permutations

• Formalized by Black et al. [BCS05]• More primitive calls needed• Similar proof techniques but more cases

Sponge ('07) Grøstl ('09) Shrimpton-Stam ('08)

x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1

collision: 1 query collision: 2n/4 queries collision: 2n/2 queries

preimage: 1 query preimage: 2n/2 queries preimage: 22n/3 queries

50 / 58

←−are the Sponges insecure?

No ,!



• Instead use �xed-key blockciphers, or permutations

• Formalized by Black et al. [BCS05]• More primitive calls needed• Similar proof techniques but more cases


x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1



50 / 58


No ,!



• Instead use �xed-key blockciphers, or permutations• Formalized by Black et al. [BCS05]

• More primitive calls needed• Similar proof techniques but more cases


x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1



50 / 58


No ,!





Sponge ('07)

Grøstl ('09) Shrimpton-Stam ('08)

x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1

collision: 1 query

collision: 2n/4 queries collision: 2n/2 queries

preimage: 1 query

preimage: 2n/2 queries preimage: 22n/3 queries

50 / 58


No ,!





Sponge ('07) Grøstl ('09)

Shrimpton-Stam ('08)

x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1

collision: 1 query collision: 2n/4 queries

collision: 2n/2 queries

preimage: 1 query preimage: 2n/2 queries

preimage: 22n/3 queries

50 / 58


No ,!






x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1



50 / 58


No ,!



• Instead use �xed-key blockciphers, or permutations• Formalized by Black et al. [BCS05]• More primitive calls needed• Similar proof techniques but more cases


x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1



50 / 58


No ,!





x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1



50 / 58


No ,!





x1

x2

zP

1

x1

x2 z

P1

P2

1

x1

x2 z

P1

P2 P3

1



50 / 58

←−are the Sponges insecure? No ,!

Security of Sponge

. .HashHMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)FFSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge/SS


←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

51 / 58

Keyed

Sponges

(insecure)

direct

proof?

Security of Sponge

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

SHA-x/MDy

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge

/SS

. .BCEven-Mansour←−−−−−−−−−−−

. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

51 / 58

Keyed

Sponges

(insecure)

direct

proof?

Security of Sponge

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

(secure)

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge

/SS


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

51 / 58

Keyed

Sponges

(insecure)

direct

proof?

Security of Sponge

. .Hash

HMAC−−−−−−−−−−−→ . .MAC/AE

←−−−−−−−

(secure)

Merkle-Damgård

. . .

←−−−−−−−OCB

COPA

OTR. . .

←−−−−−−−−−−−−−−

OMD

. .(C)F

FSkein←−−−−−−−−−−− . .TBC

Feistel

−−−−−−−→

←−−−−−−−

PRP-PRF

PGV

←−−−−−−−

TEM/XPX

←−−−−−−−−−−−−−−

←−−−−−−−−−−−−−−

LRW/XEX

Sponge

/SS


. .P

←−−−−−−−−−−−−−−−−−−−−−−−−

GCM

CMAC

51 / 58

Keyed

Sponges

(insecure)

direct

proof?

Indistinguishability of Hash Functions

• H should behave like random oracle RO

• Indistinguishability of random systems:8 indistsimpleH

ICH RO

distinguisher D

hash function random oracle

• But H is not a random system

• Distinguisher succeeds with probability 1

• Solution: indi�erentiability

52 / 58


• H should behave like random oracle RO• Indistinguishability of random systems:8 indistsimpleH

ICH RO

distinguisher D





52 / 58



ICH RO

distinguisher D





52 / 58



ICH RO

distinguisher D





52 / 58

Indi�erentiability of Hash Functions1 p-indiffH

ICH P RO S

real world simulated world

distinguisher

hashfunction

idealprimitive

randomoracle

simulatorfor P

• Maurer et al. [MRH04]

• H is indi�erentiable from RO if for some simulator S:∆D(H,P;RO,S) is small

• Proof idea:

Step 1. Construct a clever simulator SStep 2. Use game-playing or H-coe�cient technique

53 / 58


ICH P RO S


distinguisher

hashfunction

idealprimitive

randomoracle

simulatorfor P



• Proof idea:


53 / 58


ICH P RO S


distinguisher

hashfunction

idealprimitive

randomoracle

simulatorfor P



• Proof idea:


53 / 58


ICH P RO S


distinguisher

hashfunction

idealprimitive

randomoracle

simulatorfor P

• H can replace RO in certain scenarios• Single-stage only, Ristenpart et al. [RSS11]

• Indi�erentiability =⇒ coll/pre/sec security

54 / 58


ICH P RO S


distinguisher

hashfunction

idealprimitive

randomoracle

simulatorfor P

• H can replace RO in certain scenarios• Single-stage only, Ristenpart et al. [RSS11]

• Indi�erentiability =⇒ coll/pre/sec security

54 / 58

Indi�erentiability of Sponge

M1 Mk

iv

z1 zl

r

cPPPP

· · ·

· · ·· · ·

· · ·· · ·

· · ·

· · ·· · ·

1

• Bertoni et al. [BDPA07]

• Sponge indi�erentiable from random oracle

∆D(Sponge, P ;RO,S) ≤ Q2

2c

(with Q the total complexity)

• Optimal collision, preimage, second preimage security

(if c ≥ 2n)

55 / 58


M1 Mk

iv

z1 zl

r

cPPPP

· · ·

· · ·· · ·

· · ·· · ·

· · ·

· · ·· · ·

1




2c



(if c ≥ 2n)

55 / 58


M1 Mk

iv

z1 zl

r

cPPPP

· · ·

· · ·· · ·

· · ·· · ·

· · ·

· · ·· · ·

1




2c



(if c ≥ 2n)

55 / 58

Indi�erentiability of Blockciphers2 p-indiffE

ICE± P rE± S


distinguisher

block-cipher

idealprimitive

idealcipher

simulatorfor P

• Similar model for keyless blockciphers

• Blockcipher behaves like ideal cipher

• Can be plugged into PGV compression functions

• Much (!!) harder to prove

56 / 58

Indi�erentiability of Blockciphers2 p-indiffE

ICE± P rE± S


distinguisher

block-cipher

idealprimitive

idealcipher

simulatorfor P

• Similar model for keyless blockciphers

• Blockcipher behaves like ideal cipher

• Can be plugged into PGV compression functions

• Much (!!) harder to prove

56 / 58

Indi�erentiability of Blockciphers3 Feistelk

Fi

Feistel bound remark

Coron et al. '08 218 q8 /2n 6 rnd (�awed)Holenstein et al. '10 266 q10/2n 14 rndGuo and Lin '15 2222q30/2n 21 rnd (alter. key)Dachman-Soled et al. '15 251 q12/2n 10 rndDai and Steinberger '15 223 q8 /2n 10 rnd

2 EMi

ki−1 ki

P

Even-Mansour bound remark

Andreeva et al. '13 234q10/2n 5 rnd (random kdf)Lampe and Seurin '13 291q12/2n 12 rndGuo and Lin '15 211q8 /2n 15 rnd (alter. key)

Extremely hard research question!

57 / 58

−−→pointless for n = 128; security up to q . 2 for n = 256

−−→security up to q . 8 for n = 128


Fi



2 EMi

ki−1 ki

P




57 / 58




Fi



2 EMi

ki−1 ki

P




57 / 58




Fi



2 EMi

ki−1 ki

P




57 / 58




Fi



2 EMi

ki−1 ki

P




57 / 58




Fi



2 EMi

ki−1 ki

P




57 / 58



Conclusion

Recipe

• Model:• Keyed: usually indistinguishability• Keyless: indi�erentiability or dedicated security model

• Technique: game-playing, H-coe�cient,explicit reduction, combinatorics, . . .

• Approach depends on speci�c scheme and application

Thank you for your attention!

58 / 58

Conclusion

Recipe





58 / 58

Conclusion

Recipe





58 / 58

Documents

Introduction to Provable Security...Introduction What is Provable Security? absolute securityreductionist security (e.g., lower bound on the number of active S-boxes) based onbased