This paper presents two new and simple theorems on composition of permutation generators with independent keys, demonstrating increased security using "H coefficients". Applications on Random Feistel schemes are discussed, along with a comparison of these theorems with previous results.
Two Simple Composition Theorems with H-Coefficients. Jacques Patarin, Africacrypt 2018.
Aim of this work
We will present here two new and simple Theorems showing that when we compose permutation generators with independent keys, the « security » increases. These new Theorems are written in terms of « H coefficients » (we will explain below what these coefficients are). Then we will present some applications on random Feistel schemes. We will also compare our new Theorems with previous results.
Notations (1/2)
• Let n be an integer.
• $I_n = \{0,1\}^n$. Therefore $|I_n| = 2^n$.
• $F_n$ = {applications (functions) from $I_n$ to $I_n$}. Therefore $|F_n| = 2^{n 2^n}$.
• $B_n$ = {permutations on $I_n$}. Therefore $|B_n| = 2^n!$
Notations (2/2)
• KPA: Known Plaintext Attack.
• NCPA: Non-adaptive Chosen Plaintext Attack.
• CPA: Adaptive Chosen Plaintext Attack.
• NCCA: Non-adaptive Chosen Plaintext and Ciphertext Attack.
• CCA: Chosen Plaintext and Ciphertext Attack.
Example 1 of Composition
• Example 1: $\mathrm{AES}_k \circ \mathrm{AES}_k^{-1} = \mathrm{Id}$. Therefore, when we compose pseudorandom permutations the security can sometimes dramatically decrease. However, we will only study compositions with independent keys.
Example 2: Butterfly scheme
• The « Butterfly » scheme is the application of $F_{2n}$ defined by: Butterfly$[L, R] = [S, T] \Leftrightarrow S = f_1(L) \oplus f_2(R)$ and $T = f_3(L) \oplus f_4(R)$.
• It is easy to distinguish a Butterfly scheme from a random application of $F_{2n}$ with a NCPA with q = 4 queries. This comes from the fact that if:
$[L_1, R_1] \to [S_1, T_1]$, $[L_1, R_2] \to [S_2, T_2]$, $[L_2, R_1] \to [S_3, T_3]$, $[L_2, R_2] \to [S_4, T_4]$,
then we have: $S_1 \oplus S_2 \oplus S_3 \oplus S_4 = 0$ and $T_1 \oplus T_2 \oplus T_3 \oplus T_4 = 0$.
Example 3: Benes Scheme
• The composition of two Butterfly schemes with independent keys is called a « Benes » scheme.
• It is possible to prove that a « Benes » scheme is CPA secure when the number q of queries satisfies $q \ll 2^n$.
• However, if we compose Benes schemes with independent keys, then the security… decreases.
• This comes from the fact that we consider here applications (and not permutations), and the number of collisions can only increase.
• However, from now on we will only consider the composition of permutations.
Two weak make one strong
The famous « two weak make one strong » Theorem of Maurer and Pietrzak (2002, 2007) says that if F and G are NCPA secure, then the composition $G^{-1} \circ F$ is CCA secure. This result only holds in the information-theoretic setting, not in the computational setting (Myers 2004, Pietrzak 2005).
What about 3 weaks?
• In [Cogliati, Patarin, Seurin, 2014] this Theorem was proved: Let E, F, and G be 3 block ciphers with the same message space M. Let q be the number of queries. Denote $\varepsilon_E = \mathrm{Adv}^{NCPA}_E(q)$, $\varepsilon_F = \mathrm{Adv}^{NCPA}_F(q)$, $\varepsilon_{F^{-1}} = \mathrm{Adv}^{NCPA}_{F^{-1}}(q)$, $\varepsilon_{G^{-1}} = \mathrm{Adv}^{NCPA}_{G^{-1}}(q)$. We have:
$\mathrm{Adv}^{CCA}_{G \circ F \circ E}(q) \le \varepsilon_E \varepsilon_F + \varepsilon_E \varepsilon_{G^{-1}} + \varepsilon_{F^{-1}} \varepsilon_{G^{-1}} + \min\{\varepsilon_E \varepsilon_F,\ \varepsilon_E \varepsilon_{G^{-1}},\ \varepsilon_{F^{-1}} \varepsilon_{G^{-1}}\}$
Here the security increases in quality (from NCPA to CCA) and in quantity (products of two small values).
What about n weaks?
In [Cogliati, Patarin, Seurin, 2014] we have this Theorem: Let $E_1, \ldots, E_n$ be n block ciphers with the same message space M. Fix $q \ge 1$. For $i = 1, \ldots, n$, let $\varepsilon_i = \max\{\mathrm{Adv}^{NCPA}_{E_i}(q),\ \mathrm{Adv}^{NCPA}_{E_i^{-1}}(q)\}$. Then:
$\mathrm{Adv}^{CCA}_{E_n \circ \cdots \circ E_1}(q) \le 2^{n-1} \max_{1 \le i \le n} \prod_{1 \le j \le n,\ j \ne i} \varepsilon_j$
Definition of the coefficients H
Let G be a permutation generator that generates permutations from $\{0,1\}^N$ to $\{0,1\}^N$ from a set of parameters K. The values of K will be called « keys ». Let q be an integer (called the « number of queries »). Let $a = (a_i)$, $1 \le i \le q$, be q pairwise distinct elements of $\{0,1\}^N$, and similarly let $b = (b_i)$, $1 \le i \le q$, be q pairwise distinct elements of $\{0,1\}^N$. Then, by definition, $H(a, b)$ denotes the number of keys $k \in K$ such that: $\forall i,\ 1 \le i \le q,\ G_k(a_i) = b_i$.
Remarks.
• The set K that we will use will generally be much larger than usual sets of cryptographic keys. Then G will be considered as a “generic generator”.
• $H(a, b)$ is simply denoted by H when there is no risk of confusion about the values a and b.
From coefficients H to CCA security
In [Patarin, 1991] this Theorem was proved:
Theorem 1. Let α and β be real numbers, α > 0 and β > 0. If there exists a subset E of $(\{0,1\}^{qN})^2$ such that we have these two properties 1) and 2):
1) For all (a, b) ∈ E we have: $H(a, b) \ge |K|(1-\alpha) / [2^N (2^N-1) \cdots (2^N-q+1)]$.
2) For all CCA acting on a random permutation f of $B_N$, the probability that (a, b) ∈ E is ≥ 1 – β, where (a, b) denotes here the successive $b_i = f(a_i)$ or $a_i = f^{-1}(b_i)$, $1 \le i \le q$, that will appear.
Then for every CCA with q queries we have: $\mathrm{Adv}^{CCA} \le \alpha + \beta$.
This Theorem is one of the Theorems used in the « coefficients H technique » to prove security results on generic cryptographic schemes.
A new composition Theorem with coefficients H
Theorem 2. Let $\alpha_1$ and $\alpha_2$ be two real numbers. Let $G_1$ and $G_2$ be two permutation generators (with the same key space K) such that, for all sequences of pairwise distinct elements $a_i$, $1 \le i \le q$, and for all sequences of pairwise distinct elements $b_i$, $1 \le i \le q$, we have:
$H_{G_1}(a, b) \ge |K|(1-\alpha_1) / [2^N (2^N-1) \cdots (2^N-q+1)]$
and similarly:
$H_{G_2}(a, b) \ge |K|(1-\alpha_2) / [2^N (2^N-1) \cdots (2^N-q+1)]$.
Then, if we compose two such generators $G_1$ and $G_2$ with random independent keys, for all sequences of pairwise distinct elements $a_i$, $1 \le i \le q$, and for all sequences of pairwise distinct elements $b_i$, $1 \le i \le q$, we will have:
$H_{G_2 \circ G_1}(a, b) \ge |K|^2 (1-\alpha_1 \alpha_2) / [2^N (2^N-1) \cdots (2^N-q+1)]$
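As an added example (not from the paper or its author), the block below brute-forces H coefficients on a toy domain {0,1}^3 with q = 2 for two constructed generators: XOR with a 3-bit key (which has holes, so α1 = 1) and a seeded sample of 1000 permutations playing the role of a generic generator. It checks the sum-over-c identity that a composition with independent keys satisfies, and the Theorem 2 bound written as |K1||K2|(1 - α1 α2)/P because the two key sets differ in size (the Theorem assumes one key space K); with α1 = 1 the bound becomes |K1||K2|(1 - α2)/P, which is positive whenever G2 itself has no hole.

```python
import itertools
import random

N = 3                       # toy block size: permutations of {0,1}^3, eight points
DOMAIN = range(1 << N)

def h_table(keys, q):
    """Brute-force H(a, b) for every pair of sequences a, b of q pairwise distinct
    points. `keys` lists the permutations G_k as tuples (x -> G_k(x))."""
    seqs = list(itertools.permutations(DOMAIN, q))
    H = {(a, b): 0 for a in seqs for b in seqs}
    for perm in keys:
        for a in seqs:
            H[(a, tuple(perm[x] for x in a))] += 1
    return H, seqs

def alpha(H, num_keys, num_seqs):
    """Smallest alpha with H(a, b) >= |K|(1 - alpha)/P for all (a, b). P equals the
    number of sequences, and alpha = 1 exactly when the table has a hole (H = 0)."""
    return 1 - min(H.values()) * num_seqs / num_keys

def compose_h(H1, H2, seqs):
    """H for G2 o G1 with independent keys: a key pair sends a to b exactly when G1
    sends a to some c and G2 sends that c to b, hence the sum over c."""
    return {(a, b): sum(H1[(a, c)] * H2[(c, b)] for c in seqs) for a in seqs for b in seqs}

def compose_keys(keys1, keys2):
    """Explicit key space of G2 o G1 (all pairs of independent keys), for cross-checking."""
    return [tuple(k2[k1[x]] for x in DOMAIN) for k1 in keys1 for k2 in keys2]

# Constructed toy generators (assumptions of this example). G1 = XOR with a 3-bit key:
# 8 keys, and for q = 2 it has holes because a1 ^ a2 = b1 ^ b2 is forced. G2 = a seeded
# sample of 1000 random permutations standing in for a 'generic generator'.
G1 = [tuple(x ^ k for x in DOMAIN) for k in DOMAIN]
rng = random.Random(2018)
G2 = []
for _ in range(1000):
    p = list(DOMAIN)
    rng.shuffle(p)
    G2.append(tuple(p))

def theorem2_check(q=2):
    """Return alpha1, alpha2, the composed table's minimum and the Theorem 2 bound."""
    H1, seqs = h_table(G1, q)
    H2, _ = h_table(G2, q)
    a1, a2 = alpha(H1, len(G1), len(seqs)), alpha(H2, len(G2), len(seqs))
    Hc = compose_h(H1, H2, seqs)
    bound = len(G1) * len(G2) * (1 - a1 * a2) / len(seqs)   # |K1||K2|(1 - a1 a2)/P
    return {"alpha1": a1, "alpha2": a2, "min_comp": min(Hc.values()), "bound": bound,
            "identity_ok": Hc == h_table(compose_keys(G1, G2), q)[0]}
```

Calling theorem2_check() returns the two α values, the smallest composed coefficient and the bound it must dominate, together with a flag confirming the sum-over-c identity against the explicitly enumerated key pairs.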
Corollaries of Theorem 1 and Theorem 2
Corollary 1. Let q and n be two integers. Let $\alpha_1, \ldots, \alpha_n$ be n real values. Let $G_1, \ldots, G_n$ be n permutation generators such that, for all sequences of pairwise distinct elements $a_i$ and for all sequences of pairwise distinct elements $b_i$, $1 \le i \le q$, we have:
$H_{G_j} \ge |K|(1-\alpha_j) / [2^N (2^N-1) \cdots (2^N-q+1)]$
If we compose n such generators $G_1, \ldots, G_n$ with random and independent keys, we will have:
$\mathrm{Adv}^{CCA}_{G_n \circ \cdots \circ G_1} \le \alpha_1 \cdots \alpha_n$
Remark. If we compare this Corollary with the previous Theorem of [Cogliati, Patarin, Seurin, 2014], we have two significant improvements: we do not have the coefficient $2^{n-1}$, and we do not lose one factor of the product. This is due to the fact that we have a stronger hypothesis here: we have no “holes” in the H property.
A new composition Theorem to eliminate a « Hole »
Theorem 3. Let $G_1$ and $G_2$ be two permutation generators with the same key space K. J denotes the set of all sequences of q pairwise distinct values of $\{0,1\}^N$. If:
(1) For all sequences of pairwise distinct elements $a_i$, and for all sequences of pairwise distinct elements $b_i \in E_1$, $1 \le i \le q$, we have: $H_{G_1} \ge |K|(1-\alpha_1) / [2^N (2^N-1) \cdots (2^N-q+1)]$, with $|E_1| \ge |J|(1-\varepsilon_1)$.
(2) For all sequences of pairwise distinct elements $a_i$, and for all sequences of pairwise distinct elements $b_i \in E_2$, $1 \le i \le q$, we have: $H_{G_2} \ge |K|(1-\alpha_2) / [2^N (2^N-1) \cdots (2^N-q+1)]$, with $|E_2| \ge |J|(1-\varepsilon_2)$.
Then for the composition generator $G_2^{-1} \circ G_1$, for all sequences of pairwise distinct elements $a_i$, and for all sequences of pairwise distinct elements $b_i$, $1 \le i \le q$, we have:
$H_{G_2^{-1} \circ G_1} \ge |K|^2 (1-\varepsilon_1-\varepsilon_2)(1-\alpha_1)(1-\alpha_2) / [2^N (2^N-1) \cdots (2^N-q+1)]$
(We have no more holes.)
Security results on balanced random Feistel schemes
We have applied these Theorems to the theory of random (balanced) Feistel schemes (i.e. Luby-Rackoff constructions). The security results that we have obtained are not the best results known, but they are not far from them, and the security proofs are much simpler. (The best security results for more than 5 rounds are obtained via a difficult variant of the coefficients H technique called « Mirror Theory ».) (The coupling technique also gives the best security bound when the number of rounds tends to infinity.)
Holes on 5 rounds
• A 5-round random (balanced) Feistel scheme has « holes » in the H properties when the number of queries q satisfies $q \ll 2^n$.
• This is not true for a 6-round random (balanced) Feistel scheme.
• This result shows that there is a fundamental difference between 5 and 6 rounds.
• However, it is not possible to use these « holes » in order to design a CCA attack on 5 rounds when $q \ll 2^n$.