233 research outputs found
The sum-capture problem for abelian groups
Let be a finite abelian group, let , and let be a random set of size . We let
The issue is to determine upper bounds on that hold with high
probability over the random choice of . Mennink and Preneel [BM]
conjecture that should be close to (up to possible logarithmic
factors in ) for and that should not much
exceed for . We prove the second half of this
conjecture by showing that with high probability, for all . We note that for .
In previous work, Alon et al have shown that
with high probability for while Kiltz, Pietrzak and Szegedy
show that with high probability for . Current bounds on are essentially sharp for the range . Finding better bounds remains an open problem for the
range and especially for the range in
which the bound of Kiltz et al doesn't improve on the bound given in this
paper (even if that bound applied). Moreover the conjecture of Mennink and
Preneel for remains open
PPSZ for General k-SAT - Making Hertli's Analysis Simpler and 3-SAT Faster
The currently fastest known algorithm for k-SAT is PPSZ, named after its inventors Paturi, Pudlák, Saks, and Zane. Analyzing its running time is much easier for input formulas with a unique satisfying assignment. In this paper, we achieve three goals. First, we simplify Hertli's analysis for input formulas with multiple satisfying assignments. Second, we show a "translation result": if you improve PPSZ for k-CNF formulas with a unique satisfying assignment, you immediately get a (weaker) improvement for general k-CNF formulas. Combining this with a result by Hertli from 2014, in which he gives an algorithm for Unique-3-SAT slightly beating PPSZ, we obtain an algorithm beating PPSZ for general 3-SAT, and thus the best known worst-case bounds for 3-SAT
Indifferentiability of 10-Round Feistel Networks
We prove that a (balanced) 10-round Feistel
network is indifferentiable from a random
permutation. In a previous seminal result,
Holenstein et al. had established
indifferentiability of Feistel at 14 rounds.
Our simulator achieves security
and query complexity , where is
half the block length, similarly to
the 14-round simulator of Holenstein et al.,
so that our result is a strict (and also the first)
improvement of that work.
Our simulator is very similar to a 10-round
simulator of Seurin that was subsequently
found to be flawed. Indeed, the main change
of our simulator is to switch to FIFO path
completion from LIFO path completion.
This relatively minor change results in an
overall significant paradigm shift, including a
conceptually simpler proof
Indifferentiability of 8-Round Feistel Networks
We prove that a balanced 8-round Feistel network is indifferentiable
from a random permutation. This result comes on the heels of (and is
part of the same body of work as) a 10-round indifferentiability
result for Feistel network recently announced by the same team of
authors. The current 8-round simulator achieves similar security,
query complexity and runtime as the 10-round simulator and is not
significantly more involved. The security of our simulator is also
slightly better than the security of the 14-round simulator of
Holenstein et al. for essentially the same runtime and query
complexity
Tight security bounds for multiple encryption
Multiple encryption---the practice of composing a blockcipher several
times with itself under independent keys---has received considerable
attention of late from the standpoint of provable security. Despite
these efforts proving definitive security bounds (i.e., with matching
attacks) has remained elusive even for the special case of triple
encryption. In this paper we close the gap by improving both the best
known attacks and best known provable security, so that both bounds
match. Our results apply for arbitrary number of rounds and show that
the security of -round multiple encryption is precisely
where
and where is the even
integer closest to and greater than or equal to , for all
. Our technique is based on Patarin's H-coefficient
method and reuses a combinatorial result of Chen and Steinberger
originally required in the context of key-alternating ciphers
The preimage security of double-block-length compression functions
We give improved bounds on the preimage security of the three "classical" double-block-length, double-call, blockcipher-based compression functions, these being Abreast-DM, Tandem-DM and
Hirose's scheme. For Hirose's scheme, we show that an
adversary must make at least blockcipher queries to achieve chance of inverting a randomly chosen point in the range.
For Abreast-DM and Tandem-DM we show that
at least queries are necessary.
These bounds improve upon the previous best bounds of queries, and are optimal up to a constant factor since the compression functions in question have range of size
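The balanced Feistel network of the two indifferentiability abstracts above and the three double-block-length compression functions named in this abstract, as one added worked example. This is not code from any of these papers: the toy parameters (n = 64-bit blocks, 2n = 128-bit keys, 10 Feistel rounds, SHA-256-derived round functions standing in for the independent random round functions of the model, and a nonzero constant c = 1 for Hirose's scheme) are assumptions of the demo. The Feistel network is used as the n-bit block cipher E with a 2n-bit key that Abreast-DM, Tandem-DM and Hirose's scheme call twice per compression, and a plain Merkle-Damgård loop drives each of them as a 2n-bit hash.

```python
import hashlib
import os

# Toy parameters (assumption): n = 64-bit blocks, 2n = 128-bit keys, 10 balanced
# Feistel rounds. None of this is the papers' own code.
N_BITS = 64
HALF = N_BITS // 2
MASK_HALF = (1 << HALF) - 1
MASK_N = (1 << N_BITS) - 1
ROUNDS = 10
HIROSE_CONST = 1  # any fixed nonzero n-bit constant c works for Hirose's scheme


def round_function(key: bytes, i: int, x: int) -> int:
    """Round i of the Feistel network: first n/2 bits of SHA-256(key || i || x).
    Stands in for the independent random round functions of the idealised model."""
    data = key + i.to_bytes(2, "big") + x.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big")


def feistel_encrypt(key: bytes, block: int, rounds: int = ROUNDS) -> int:
    """Balanced Feistel: (L, R) -> (R, L xor F_i(R)) for each round i."""
    left, right = block >> HALF, block & MASK_HALF
    for i in range(rounds):
        left, right = right, left ^ round_function(key, i, right)
    return (left << HALF) | right


def feistel_decrypt(key: bytes, block: int, rounds: int = ROUNDS) -> int:
    """Inverse: undo the rounds in reverse order with the same round functions."""
    left, right = block >> HALF, block & MASK_HALF
    for i in reversed(range(rounds)):
        left, right = right ^ round_function(key, i, left), left
    return (left << HALF) | right


def E(key_2n: bytes, x: int) -> int:
    """The n-bit block cipher with a 2n-bit key that the DBL constructions call."""
    assert len(key_2n) == 2 * N_BITS // 8
    return feistel_encrypt(key_2n, x)


def nb(x: int) -> bytes:
    """n-bit integer -> n/8 bytes, used to form 2n-bit keys such as H || M."""
    return x.to_bytes(N_BITS // 8, "big")


def hirose(G: int, H: int, M: int) -> tuple:
    """Hirose's scheme: both calls use key H || M; the plaintexts differ by c."""
    k = nb(H) + nb(M)
    g_out = E(k, G) ^ G
    h_out = E(k, G ^ HIROSE_CONST) ^ G ^ HIROSE_CONST
    return g_out, h_out


def abreast_dm(G: int, H: int, M: int) -> tuple:
    """Abreast-DM: two Davies-Meyer calls, the second on the complement of H."""
    g_out = E(nb(H) + nb(M), G) ^ G
    h_out = E(nb(M) + nb(G), H ^ MASK_N) ^ H
    return g_out, h_out


def tandem_dm(G: int, H: int, M: int) -> tuple:
    """Tandem-DM: the first cipher output W feeds the key of the second call."""
    W = E(nb(H) + nb(M), G)
    g_out = W ^ G
    h_out = E(nb(M) + nb(W), H) ^ H
    return g_out, h_out


def md_iterate(compress, message: bytes, iv=(0, 0)) -> tuple:
    """Plain Merkle-Damgard iteration over n-bit blocks: 10*-padding plus a
    length block, so each compression function runs as a 2n-bit hash."""
    n_bytes = N_BITS // 8
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - n_bytes) % n_bytes)
    padded += (8 * len(message)).to_bytes(n_bytes, "big")
    G, H = iv
    for off in range(0, len(padded), n_bytes):
        G, H = compress(G, H, int.from_bytes(padded[off:off + n_bytes], "big"))
    return G, H


def check_invertible(trials: int = 256) -> bool:
    """Sanity check that the Feistel network is a permutation of {0,1}^n."""
    for _ in range(trials):
        key = os.urandom(2 * N_BITS // 8)
        x = int.from_bytes(os.urandom(N_BITS // 8), "big")
        if feistel_decrypt(key, feistel_encrypt(key, x)) != x:
            return False
    return True


if __name__ == "__main__":
    print("Feistel invertible:", check_invertible())
    for name, f in (("Hirose", hirose), ("Abreast-DM", abreast_dm), ("Tandem-DM", tandem_dm)):
        G, H = md_iterate(f, b"constructed sample message")  # constructed input
        print(f"{name:10s} {G:016x}{H:016x}")
```

The preimage bounds quoted in the abstract are proved in the ideal-cipher model, where E is a random permutation for every key; a hash-based Feistel toy is only a stand-in for running the constructions, not something those bounds apply to. What the example does make visible is the shape the proofs exploit: every compression function makes exactly two calls to E, the key of each call is a 2n-bit value that depends on the chaining state and message block, and the output is feed-forwarded (Davies-Meyer style) so that inverting the compression function requires inverting a keyed permutation at a key the adversary did not choose freely.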
Provable Security of (Tweakable) Block Ciphers Based on Substitution-Permutation Networks
Substitution-Permutation Networks (SPNs) refer to a family of constructions which build a wn-bit block cipher from n-bit public permutations (often called S-boxes), which alternate keyless and “local” substitution steps utilizing such S-boxes, with keyed and “global” permutation steps which are non-cryptographic. Many widely deployed block ciphers are constructed based on SPNs, but there are essentially no provable-security results about SPNs.
In this work, we initiate a comprehensive study of the provable security of SPNs as (possibly tweakable) wn-bit block ciphers, when the underlying n-bit permutation is modeled as a public random permutation. When the permutation step is linear (which is the case for most existing designs), we show that 3 SPN rounds are necessary and sufficient for security. On the other hand, even 1-round SPNs can be secure when non-linearity is allowed. Moreover, 2-round non-linear SPNs can achieve “beyond-birthday” (up to 2^{2n/3} adversarial queries) security, and, as the number of non-linear rounds increases, our bounds are meaningful for the number of queries approaching 2^n. Finally, our non-linear SPNs can be made tweakable by incorporating the tweak into the permutation layer, and provide good multi-user security.
As an application, our construction can turn two public n-bit permutations (or fixed-key block ciphers) into a tweakable block cipher working on wn-bit inputs, 6n-bit key and an n-bit tweak (for any w ≥ 2); the tweakable block cipher provides security up to 2^{2n/3} adversarial queries in the random permutation model, while only requiring w calls to each permutation, and 3w field multiplications for each wn-bit input
Random Oracles and Non-Uniformity
We revisit security proofs for various cryptographic primitives in the auxiliary-input random-oracle model (AI-ROM), in which an attacker can compute arbitrary bits of leakage about the random oracle before attacking the system and then use additional oracle queries to it during the attack. This model has natural applications in settings where traditional random-oracle proofs are not useful: (a) security against non-uniform attackers; (b) security against preprocessing.
We obtain a number of new results about the AI-ROM:
Unruh (CRYPTO '07) introduced the pre-sampling technique, which generically reduces security proofs in the AI-ROM to a much simpler -bit-fixing random-oracle model (BF-ROM), where the attacker can arbitrarily fix the values of on some coordinates, but then the remaining coordinates are chosen at random. Unruh's security loss for this transformation is . We improve this loss to the optimal value , which implies nearly tight bounds for a variety of indistinguishability applications in the AI-ROM.
While the basic pre-sampling technique cannot give tight bounds for unpredictability applications, we introduce a novel multiplicative version of pre-sampling, which allows one to dramatically reduce the size of the pre-sampled set to and yields nearly tight security bounds for a variety of unpredictability applications in the AI-ROM. Qualitatively, it validates Unruh's polynomial pre-sampling conjecture ---disproved in general by Dodis et al. (EUROCRYPT '17)---for the special case of unpredictability applications.
Using our techniques, we reprove nearly all AI-ROM bounds obtained by Dodis et al. (using a much more laborious compression technique), but we also apply them to many settings where the compression technique is either inapplicable (e.g., computational reductions) or appears intractable (e.g., Merkle-Damgård hashing).
We show that for any salted Merkle-Damgard hash function with m-bit output there exists a collision-finding circuit of size (taking salt as the input), which is significantly below the birthday security conjectured against uniform attackers.
We build two general compilers showing how to generically extend the security of applications proven in the traditional ROM to the AI-ROM. One compiler simply prepends a public salt to the random oracle and shows that salting generically provably defeats preprocessing.
Overall, our results make it much easier to get concrete security bounds in the AI-ROM. These bounds in turn give concrete conjectures about the security of these applications (in the standard model) against non-uniform attackers
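The preprocessing attack that the AI-ROM captures, and the salting compiler that defeats it, as an added worked example (not code from the paper). Assumptions of the demo: the random oracle is SHA-256 truncated to 64 bits, the attacker's target inputs are 16-bit values so that the whole domain can be tabulated offline, and the leakage the attacker carries into the online phase is simply that table. The salt is drawn only after preprocessing, which is exactly why the table cannot be tailored to it.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Toy parameters (assumption): a 64-bit-output "random oracle" and a 16-bit input
# domain, so a full preprocessing table is cheap to build and to hold as leakage.
OUT_BYTES = 8
DOMAIN = range(1 << 16)


def oracle(x: bytes) -> bytes:
    """Stand-in for the random oracle H."""
    return hashlib.sha256(x).digest()[:OUT_BYTES]


class OnlineOracle:
    """Wraps `oracle` and counts queries so the online cost of each attack is visible."""

    def __init__(self) -> None:
        self.queries = 0

    def query(self, x: bytes) -> bytes:
        self.queries += 1
        return oracle(x)


def preprocess() -> Dict[bytes, int]:
    """Offline phase: tabulate H over the whole domain. In the AI-ROM these calls
    are free: the table is the auxiliary input handed to the online attacker."""
    return {oracle(x.to_bytes(2, "big")): x for x in DOMAIN}


def invert_unsalted(table: Dict[bytes, int], target: bytes) -> Optional[int]:
    """With an unsalted oracle the table answers directly, with zero online queries."""
    return table.get(target)


def invert_salted(table: Dict[bytes, int], salt: bytes, target: bytes,
                  online: OnlineOracle) -> Optional[int]:
    """Against H(salt || x) the table is dead weight: any candidate it offers must
    be re-checked online, and otherwise the attacker is back to brute force,
    paying one online query per candidate."""
    guess = table.get(target)
    if guess is not None and online.query(salt + guess.to_bytes(2, "big")) == target:
        return guess
    for x in DOMAIN:
        if online.query(salt + x.to_bytes(2, "big")) == target:
            return x
    return None


def demo(secret: int) -> Tuple[Optional[int], int, Optional[int], int]:
    """Returns (x recovered unsalted, online queries used,
                x recovered salted,   online queries used)."""
    table = preprocess()
    # Unsalted: the challenge is H(secret); the table inverts it for free.
    unsalted = invert_unsalted(table, oracle(secret.to_bytes(2, "big")))
    # Salted: the salt is chosen after preprocessing, so the table cannot depend on it.
    salt = os.urandom(16)
    online = OnlineOracle()
    salted = invert_salted(table, salt, oracle(salt + secret.to_bytes(2, "big")), online)
    return unsalted, 0, salted, online.queries


if __name__ == "__main__":
    u, uq, s, sq = demo(4242)  # constructed secret
    print(f"unsalted: recovered {u} with {uq} online queries")
    print(f"salted:   recovered {s} with {sq} online queries")
```

The asymmetry is the point of the abstract's "salting generically provably defeats preprocessing": with the unsalted oracle the online phase costs nothing because all the work moved offline, whereas with a fresh public salt the table contributes at most one wasted check and the attacker's online query count grows with the size of the domain it must search, which is the uniform-attacker cost the standard ROM bound assumes.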
Provable Security of Substitution-Permutation Networks
Many modern block ciphers are constructed based on the paradigm of substitution-permutation networks (SPNs). But, somewhat surprisingly---especially in comparison with Feistel networks, which have been analyzed by dozens of papers going back to the seminal work of Luby and Rackoff---there are essentially no provable-security results about SPNs. In this work, we initiate a comprehensive study of the security of SPNs as strong pseudorandom permutations when the underlying S-box is modeled as a public random permutation. We show that 3 rounds of S-boxes are necessary and sufficient for secure linear SPNs, but that even 1-round SPNs can be secure when non-linearity is allowed.
Additionally, our results imply security in settings where an SPN structure is used for domain extension of a block cipher, even when the attacker has direct access to the small-domain block cipher
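The linear SPN structure that both SPN abstracts analyse, as an added worked example serving the two of them (not code from either paper). Assumptions of the demo: n = 8-bit S-boxes, w = 4 slots so the cipher acts on wn = 32-bit blocks, r = 3 S-box rounds as in the abstracts' linear case, a fixed public S-box derived from a seed to stand in for the public random permutation, r + 1 independent round keys in place of a key schedule, and a simple self-inverse linear mixing map L so that the keyed layer T_k(x) = L(x) xor k is invertible. The point is the alternation the abstracts describe: keyless local substitution on each n-bit slot, then a keyed global permutation layer that is linear over GF(2).

```python
import hashlib
import os
from typing import List, Tuple

# Toy parameters (assumption): n = 8-bit S-box, w = 4 slots (block = wn = 32 bits),
# r = 3 S-box rounds. w must be even for the mixing layer below to be self-inverse.
N_BITS = 8
W = 4
ROUNDS = 3
MASK = (1 << N_BITS) - 1


def make_public_permutation(seed: bytes) -> Tuple[List[int], List[int]]:
    """Derive a fixed, public n-bit permutation (the S-box) from a seed via a
    hash-driven Fisher-Yates shuffle. Returns (sbox, inverse_sbox)."""
    perm = list(range(1 << N_BITS))
    for i in range(len(perm) - 1, 0, -1):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        j = int.from_bytes(digest[:4], "big") % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    inverse = [0] * len(perm)
    for i, v in enumerate(perm):
        inverse[v] = i
    return perm, inverse


SBOX, SBOX_INV = make_public_permutation(b"public S-box seed (constructed)")


def split(block: int) -> List[int]:
    """wn-bit block -> w n-bit slots, most significant first."""
    return [(block >> (N_BITS * (W - 1 - i))) & MASK for i in range(W)]


def join(words: List[int]) -> int:
    out = 0
    for w in words:
        out = (out << N_BITS) | w
    return out


def rotl(x: int, k: int) -> int:
    return ((x << k) | (x >> (N_BITS - k))) & MASK


def rotr(x: int, k: int) -> int:
    return ((x >> k) | (x << (N_BITS - k))) & MASK


def linear_layer(words: List[int]) -> List[int]:
    """Keyless linear map L over GF(2): y_i = rotl(x_i xor s, 1) with s the XOR
    of all slots, so every output slot depends on every input slot."""
    s = 0
    for x in words:
        s ^= x
    return [rotl(x ^ s, 1) for x in words]


def linear_layer_inv(words: List[int]) -> List[int]:
    """Inverse of linear_layer: undo the rotation; for even w the XOR of all
    (x_i xor s) is s again, so x_i = (x_i xor s) xor s."""
    t = [rotr(y, 1) for y in words]
    s = 0
    for x in t:
        s ^= x
    return [x ^ s for x in t]


def keyed_layer(words: List[int], key: int) -> List[int]:
    """T_k(x) = L(x) xor k: the keyed, global, non-cryptographic permutation step."""
    return [x ^ k for x, k in zip(linear_layer(words), split(key))]


def keyed_layer_inv(words: List[int], key: int) -> List[int]:
    return linear_layer_inv([x ^ k for x, k in zip(words, split(key))])


def spn_encrypt(round_keys: List[int], block: int) -> int:
    """r-round linear SPN: T_{k_0}, S, T_{k_1}, S, ..., S, T_{k_r}, where S applies
    the public S-box to every n-bit slot (keyless, local substitution)."""
    assert len(round_keys) == ROUNDS + 1
    words = keyed_layer(split(block), round_keys[0])
    for r in range(1, ROUNDS + 1):
        words = [SBOX[x] for x in words]
        words = keyed_layer(words, round_keys[r])
    return join(words)


def spn_decrypt(round_keys: List[int], block: int) -> int:
    assert len(round_keys) == ROUNDS + 1
    words = split(block)
    for r in range(ROUNDS, 0, -1):
        words = keyed_layer_inv(words, round_keys[r])
        words = [SBOX_INV[x] for x in words]
    return join(keyed_layer_inv(words, round_keys[0]))


def sample_keys() -> List[int]:
    """r+1 independent wn-bit round keys (no key schedule: an assumption of the demo)."""
    return [int.from_bytes(os.urandom(N_BITS * W // 8), "big") for _ in range(ROUNDS + 1)]


def is_permutation(round_keys: List[int], trials: int = 512) -> bool:
    """Check decrypt(encrypt(x)) == x on random blocks."""
    for _ in range(trials):
        x = int.from_bytes(os.urandom(N_BITS * W // 8), "big")
        if spn_decrypt(round_keys, spn_encrypt(round_keys, x)) != x:
            return False
    return True


if __name__ == "__main__":
    keys = sample_keys()
    print("SPN is a permutation:", is_permutation(keys))
    print(f"E(0xdeadbeef) = {spn_encrypt(keys, 0xDEADBEEF):08x}")
```

The S-box here is public and fixed, matching the model in which the adversary may query the underlying permutation directly; all secrecy sits in the round keys of the linear layers. The abstracts' "3 rounds are necessary" statement is about exactly this shape: with one or two S-box layers between linear keyed layers an attacker with S-box access can peel the structure, so a demo like this with ROUNDS lowered to 1 or 2 would still be a permutation but not a secure one.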