Information-theoretic Indistinguishability via the Chi-squared Method
Proving tight bounds on information-theoretic indistinguishability is a central problem in symmetric cryptography. This paper introduces a new method for information-theoretic indistinguishability proofs, called ``the chi-squared method''. At its core, the method requires upper bounds on the so-called divergence (due to Neyman and Pearson) between the output distributions of the two systems being queried. The method morally resembles, yet also considerably simplifies, a previous approach proposed by Bellare and Impagliazzo (ePrint, 1999), while at the same time increasing its expressiveness and delivering tighter bounds.
We showcase the chi-squared method on some examples. In particular: (1) we prove an optimal bound of for the XOR of two permutations, and our proof considerably simplifies previous approaches using the -coefficient method; (2) we provide improved bounds for the recently proposed encrypted Davies-Meyer PRF construction by Cogliati and Seurin (CRYPTO '16); and (3) we give a tighter bound for the Swap-or-not cipher by Hoang, Morris, and Rogaway (CRYPTO '12).
Technical Privacy Metrics: a Systematic Survey
The goal of privacy metrics is to measure the degree of privacy enjoyed by users in a system and the amount of protection offered by privacy-enhancing technologies. In this way, privacy metrics contribute to improving user privacy in the digital world. The diversity and complexity of privacy metrics in the literature make an informed choice of metrics challenging. As a result, instead of using existing metrics, new metrics are proposed frequently, and privacy studies are often incomparable. In this survey we alleviate these problems by structuring the landscape of privacy metrics. To this end, we explain and discuss a selection of over eighty privacy metrics and introduce categorizations based on the aspect of privacy they measure, their required inputs, and the type of data that needs protection. In addition, we present a method for choosing privacy metrics based on nine questions that help identify the right privacy metrics for a given scenario, and highlight topics where additional work on privacy metrics is needed. Our survey spans multiple privacy domains and can be understood as a general framework for privacy measurement.
Coupling of Random Systems
This paper makes three contributions. First, we present a simple theory of
random systems. The main idea is to think of a probabilistic system as an
equivalence class of distributions over deterministic systems. Second, we
demonstrate how in this new theory, the optimal
information-theoretic distinguishing advantage between two systems can be
characterized merely in terms of the statistical distance of probability
distributions, providing a more elementary understanding of the distance of
systems. In particular, two systems that are -close in terms of the
best distinguishing advantage can be understood as being equal with
probability 1-, a property that holds statically, without even
considering a distinguisher, let alone its interaction with the systems.
Finally, we exploit this new characterization of the distinguishing advantage
to prove that any threshold combiner is an amplifier for indistinguishability
in the information-theoretic setting, generalizing and simplifying results
from Maurer, Pietrzak, and Renner (CRYPTO 2007).
Complexity Theory
Computational Complexity Theory is the mathematical study of the intrinsic power and limitations of computational resources like time, space, or randomness. The current workshop focused on recent developments in various sub-areas including arithmetic complexity, Boolean complexity, communication complexity, cryptography, probabilistic proof systems, pseudorandomness, and quantum computation. Many of the developments are related to diverse mathematical fields such as algebraic geometry, combinatorial number theory, probability theory, representation theory, and the theory of error-correcting codes.
Improved Multi-User Security Using the Squared-Ratio Method
Proving security bounds in contexts with a large number of users is one of the central problems in symmetric-key cryptography today. This paper introduces a new method for information-theoretic multi-user security proofs, called ``the Squared-Ratio Method''. At its core, the method requires the expectation of the square of the ratio of observing the so-called good transcripts (from Patarin's H-coefficient technique) in the real and the ideal world. Central to the method is the observation that for information-theoretic adversaries, the KL-divergence for the multi-user security bound can be written as a summation of the KL-divergence of every single user.
We showcase the Squared-Ratio Method on three examples: the Xor of two Permutations by Bellare et al. (EUROCRYPT '98) and Hall et al. (CRYPTO '98), the Encrypted Davies-Meyer by Cogliati and Seurin (CRYPTO '16), and the two-permutation variant of the nEHtM MAC algorithm by Dutta et al. (EUROCRYPT '19). With this new tool, we provide improved bounds for the multi-user security of these constructions. Our approach is modular in the sense that the multi-user security can be obtained directly from single-user results.
Full Indifferentiable Security of the Xor of Two or More Random Permutations Using the Method
The construction (bitwise xor of the outputs of two independent -bit random permutations) has gained broad attention over the last two decades due to its high security. Very recently, Dai et al. (CRYPTO '17), by using a method which they term the Chi-squared method ( method), have shown -bit security of when the underlying random permutations are kept secret from the adversary. In this work, we consider the case where the underlying random permutations are publicly available to the adversary. The best known security of in this security game (also known as indifferentiable security) is -bit, due to Mennink et al. (ACNS '15). Later, Lee (IEEE-IT '17) proved a better -bit security for the general construction which returns the xor of () independent random permutations. However, the security was shown only for the cases where is an even integer. In this paper, we improve all these known bounds and prove full, i.e., -bit (indifferentiable) security of as well as for any . Our main result is -bit security of , and we use the method to prove it.
Multi-User Security of the Sum of Truncated Random Permutations (Full Version)
For several decades, constructing pseudorandom functions from pseudorandom permutations, the so-called Luby-Rackoff backward construction, has been a popular cryptographic problem. Two methods are well known and comprehensively studied for this problem: summing two random permutations and truncating part of the output bits of a random permutation. In this paper, by combining both summation and truncation, we propose new Luby-Rackoff backward constructions, dubbed SaT1 and SaT2, respectively. SaT2 is obtained by partially truncating the output bits of the sum of two independent random permutations, and SaT1 is its single-permutation variant using domain separation. The distinguishing advantage against SaT1 and SaT2 is upper bounded by O(\sqrt{\mu q_max}/2^{n-0.5m}) and O(\sqrt{\mu} q_max^{1.5}/2^{2n-0.5m}), respectively, in the multi-user setting, where n is the size of the underlying permutation, m is the output size of the construction, \mu is the number of users, and q_max is the maximum number of queries per user. We also prove that the distinguishing advantage against a variant of XORP[3] (studied by Bhattacharya and Nandi at Asiacrypt 2021) using independent permutations, dubbed SoP3-2, is upper bounded by O(\sqrt{\mu} q_max^2/2^{2.5n}). In the multi-user setting with \mu = O(2^{n-m}), a truncated random permutation provides only birthday-bound security, while SaT1 and SaT2 are fully secure, i.e., they allow O(2^n) queries for each user. This is the same security level as XORP[3], which uses three permutation calls, while SaT1 and SaT2 need only two permutation calls.
Fine-Tuning Ideal Worlds for the Xor of Two Permutation Outputs
Security proofs of symmetric-key primitives typically consider an idealized world with access to a (uniformly) random function. The starting point of our work is the observation that such an ideal world leads to underestimating the actual security of certain primitives. As a demonstrating example, , which relies on two independent random permutations, is proven to exhibit far superior concrete security compared to , which employs a single permutation with domain separation. But the main reason for this is an artifact of the idealized model used in the proof, in particular, that (in the random-function ideal world) might hit a trivially bad event (outputting 0) which does not occur in the real/domain-separated world.
Motivated by this, we put forth the analysis of such primitives in an updated ideal world, which we call the fine-tuned setting, where the above artifact is eliminated. We provide fine-tuned (and enhanced) security analyses for and -based MACs: and . Our analyses demonstrate that the security of -based and -based constructions is, in fact, far more similar than what was previously proven.
Concretely, for the number of users and the maximum number of queries per user , we show that the multi-user ``fine-tuned'' security bound of can be proven as
via the Squared-Ratio method proposed by Chen et al. [CRYPTO '23], resulting in the same security bound of proven there. We also show the compatibility of the fine-tuned model with the Chi-squared method proposed by Dai et al. [CRYPTO '17], and show that and enjoy the same security bound in the fine-tuned setting regardless of the proving tool.
Finally, we turn to the security analysis of MACs in the multi-user setting, where the effect of transitioning the proofs to the fine-tuned setting is even greater. Concretely, we are able to prove unexpected improvements in the security bounds for both and . Our security proofs rely on a fine-tuned and extended version of Mirror theory for both lower and upper bounds, which yields more versatile and improved security proofs.
Of independent interest, this extension allows us to prove the multi-user MAC security of in the nonce-misuse model, while the previous analysis only applied to the multi-user PRF security in the nonce-respecting model. As a side note, we also point out (and fix) a flaw in the original analysis of Chen et al.
Privacy-Preserving Verification of Clinical Research
We treat the problem of privacy-preserving statistics verification in clinical research. We show that, given aggregated results from statistical calculations, we can verify their correctness efficiently without revealing any of the private inputs used for the calculation. Our construction is based on the primitive of Secure Multi-Party Computation from Shamir's Secret Sharing. Basically, our setting involves three parties: a hospital, which owns the private inputs; a clinical researcher, who lawfully processes the sensitive data to produce an aggregated statistical result; and a third party (usually several verifiers) assigned to verify this result for reliability and transparency reasons. Our solution guarantees that these verifiers learn only the aggregated results (and what can be inferred from those about the underlying private data) and nothing more. By taking advantage of the particular scenario at hand (where certain intermediate results, e.g., the mean over the dataset, are available in the clear) and utilizing secret sharing primitives, our approach turns out to be practically efficient, which we underpin by performing several experiments on real patient data. Our results show that the privacy-preserving verification of the most commonly used statistical operations in clinical research presents itself as an important use case, where the concept of secure multi-party computation becomes employable in practice.