    The sum-capture problem for abelian groups

    Let $G$ be a finite abelian group, let $0 < \alpha < 1$, and let $A \subseteq G$ be a random set of size $|G|^\alpha$. We let $\mu(A) = \max_{B,C:|B|=|C|=|A|}|\{(a,b,c) \in A \times B \times C : a = b + c \}|$. The issue is to determine upper bounds on $\mu(A)$ that hold with high probability over the random choice of $A$. Mennink and Preneel \cite{BM} conjecture that $\mu(A)$ should be close to $|A|$ (up to possible logarithmic factors in $|G|$) for $\alpha \leq 1/2$ and that $\mu(A)$ should not much exceed $|A|^{3/2}$ for $\alpha \leq 2/3$. We prove the second half of this conjecture by showing that $\mu(A) \leq |A|^3/|G| + 4|A|^{3/2}\ln(|G|)^{1/2}$ with high probability, for all $0 < \alpha < 1$. We note that $3\alpha - 1 \leq (3/2)\alpha$ for $\alpha \leq 2/3$. In previous work, Alon et al. have shown that $\mu(A) \leq O(1)|A|^3/|G|$ with high probability for $\alpha \geq 2/3$, while Kiltz, Pietrzak and Szegedy show that $\mu(A) \leq |A|^{1 + 2\alpha}$ with high probability for $\alpha \leq 1/4$. Current bounds on $\mu(A)$ are essentially sharp for the range $2/3 \leq \alpha \leq 1$. Finding better bounds remains an open problem for the range $0 < \alpha < 2/3$, and especially for the range $1/4 < \alpha < 2/3$, in which the bound of Kiltz et al. doesn't improve on the bound given in this paper (even if that bound applied). Moreover, the conjecture of Mennink and Preneel for $\alpha \leq 1/2$ remains open.

    PPSZ for General k-SAT - Making Hertli's Analysis Simpler and 3-SAT Faster

    The currently fastest known algorithm for k-SAT is PPSZ, named after its inventors Paturi, Pudlak, Saks, and Zane. Analyzing its running time is much easier for input formulas with a unique satisfying assignment. In this paper, we achieve three goals. First, we simplify Hertli's analysis for input formulas with multiple satisfying assignments. Second, we show a "translation result": if you improve PPSZ for k-CNF formulas with a unique satisfying assignment, you will immediately get a (weaker) improvement for general k-CNF formulas. Combining this with a result by Hertli from 2014, in which he gives an algorithm for Unique-3-SAT slightly beating PPSZ, we obtain an algorithm beating PPSZ for general 3-SAT, thus obtaining the so far best known worst-case bounds for 3-SAT.

    Indifferentiability of 10-Round Feistel Networks

    We prove that a (balanced) 10-round Feistel network is indifferentiable from a random permutation. In a previous seminal result, Holenstein et al. had established indifferentiability of Feistel at 14 rounds. Our simulator achieves security $O(q^8/2^n)$ and query complexity $O(q^4)$, where $n$ is half the block length, similarly to the 14-round simulator of Holenstein et al., so that our result is a strict (and also the first) improvement of that work. Our simulator is very similar to a 10-round simulator of Seurin that was subsequently found to be flawed. Indeed, the main change of our simulator is to switch to FIFO path completion from LIFO path completion. This relatively minor change results in an overall significant paradigm shift, including a conceptually simpler proof.

    Indifferentiability of 8-Round Feistel Networks

    We prove that a balanced 8-round Feistel network is indifferentiable from a random permutation. This result comes on the heels of (and is part of the same body of work as) a 10-round indifferentiability result for Feistel networks recently announced by the same team of authors. The current 8-round simulator achieves similar security, query complexity and runtime as the 10-round simulator and is not significantly more involved. The security of our simulator is also slightly better than the security of the 14-round simulator of Holenstein et al. for essentially the same runtime and query complexity.

    Tight security bounds for multiple encryption

    Multiple encryption---the practice of composing a blockcipher several times with itself under independent keys---has received considerable attention of late from the standpoint of provable security. Despite these efforts, proving definitive security bounds (i.e., with matching attacks) has remained elusive even for the special case of triple encryption. In this paper we close the gap by improving both the best known attacks and the best known provable security, so that both bounds match. Our results apply for an arbitrary number of rounds and show that the security of $\ell$-round multiple encryption is precisely $\exp(\kappa + \min\{\kappa(\ell'-2)/2,\; n(\ell'-2)/\ell'\})$, where $\exp(t) = 2^t$ and where $\ell' = 2\lceil \ell/2\rceil$ is the even integer closest to $\ell$ and greater than or equal to $\ell$, for all $\ell \geq 1$. Our technique is based on Patarin's H-coefficient method and reuses a combinatorial result of Chen and Steinberger originally required in the context of key-alternating ciphers.

    The preimage security of double-block-length compression functions

    We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, blockcipher-based compression functions, these being Abreast-DM, Tandem-DM and Hirose's scheme. For Hirose's scheme, we show that an adversary must make at least $2^{2n-5}$ blockcipher queries to achieve chance $0.5$ of inverting a randomly chosen point in the range. For Abreast-DM and Tandem-DM we show that at least $2^{2n-10}$ queries are necessary. These bounds improve upon the previous best bounds of $\Omega(2^n)$ queries, and are optimal up to a constant factor since the compression functions in question have range of size $2^{2n}$.

    Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks

    Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a $wn$-bit block cipher from $n$-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on SPNs, but there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) $wn$-bit block ciphers, when the underlying $n$-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to $2^{2n/3}$ adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for a number of queries approaching $2^n$. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security. As an application, our construction can turn two public $n$-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on $wn$-bit inputs, a $6n$-bit key and an $n$-bit tweak (for any $w \geq 2$); the tweakable block cipher provides security up to $2^{2n/3}$ adversarial queries in the random permutation model, while only requiring $w$ calls to each permutation and $3w$ field multiplications for each $wn$-bit input.

    Random Oracles and Non-Uniformity

    We revisit security proofs for various cryptographic primitives in the auxiliary-input random-oracle model (AI-ROM), in which an attacker $A$ can compute arbitrary $S$ bits of leakage about the random oracle $\mathcal O$ before attacking the system and then use additional $T$ oracle queries to $\mathcal O$ during the attack. This model has natural applications in settings where traditional random-oracle proofs are not useful: (a) security against non-uniform attackers; (b) security against preprocessing. We obtain a number of new results about the AI-ROM: Unruh (CRYPTO '07) introduced the pre-sampling technique, which generically reduces security proofs in the AI-ROM to a much simpler $P$-bit-fixing random-oracle model (BF-ROM), where the attacker can arbitrarily fix the values of $\mathcal O$ on some $P$ coordinates, but then the remaining coordinates are chosen at random. Unruh's security loss for this transformation is $\sqrt{ST/P}$. We improve this loss to the optimal value $O(ST/P)$, which implies nearly tight bounds for a variety of indistinguishability applications in the AI-ROM. While the basic pre-sampling technique cannot give tight bounds for unpredictability applications, we introduce a novel multiplicative version of pre-sampling, which allows one to dramatically reduce the size $P$ of the pre-sampled set to $P=O(ST)$ and yields nearly tight security bounds for a variety of unpredictability applications in the AI-ROM. Qualitatively, it validates Unruh's polynomial pre-sampling conjecture---disproved in general by Dodis et al. (EUROCRYPT '17)---for the special case of unpredictability applications. Using our techniques, we reprove nearly all AI-ROM bounds obtained by Dodis et al. (using a much more laborious compression technique), but we also apply it to many settings where the compression technique is either inapplicable (e.g., computational reductions) or appears intractable (e.g., Merkle-Damgard hashing). We show that for any salted Merkle-Damgard hash function with $m$-bit output there exists a collision-finding circuit of size $\Theta(2^{m/3})$ (taking the salt as input), which is significantly below the $2^{m/2}$ birthday security conjectured against uniform attackers. We build two general compilers showing how to generically extend the security of applications proven in the traditional ROM to the AI-ROM. One compiler simply prepends a public salt to the random oracle and shows that salting generically and provably defeats preprocessing. Overall, our results make it much easier to get concrete security bounds in the AI-ROM. These bounds in turn give concrete conjectures about the security of these applications (in the standard model) against non-uniform attackers.

    Provable Security of Substitution-Permutation Networks

    Many modern block ciphers are constructed based on the paradigm of substitution-permutation networks (SPNs). But, somewhat surprisingly---especially in comparison with Feistel networks, which have been analyzed by dozens of papers going back to the seminal work of Luby and Rackoff---there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the security of SPNs as strong pseudorandom permutations when the underlying S-box is modeled as a public random permutation. We show that 3 rounds of S-boxes are necessary and sufficient for secure linear SPNs, but that even 1-round SPNs can be secure when non-linearity is allowed. Additionally, our results imply security in settings where an SPN structure is used for domain extension of a block cipher, even when the attacker has direct access to the small-domain block cipher.