380 likes | 460 Views
Feistel Networks made Public, and Applications. Yevgeniy Dodis Prashant Puniya. L. R. f. Round function. Round values. f. Round function output. S. T. Feistel Network. Construction of a permutation on 2n bits from a n n bit function f . Easily invertible.
E N D
Feistel Networks made Public, and Applications. Yevgeniy Dodis Prashant Puniya
L R f Round function Round values f Round function output S T Feistel Network • Construction of a permutation on 2n bits from a nn bit function f. • Easily invertible. • Feistel Network : Iterated Feistel Construction. One round Feistel Construction
Block Cipher Design • Several practical block ciphers based on Feistel network. • DES, Blowfish, Triple DES… • Use 16-48 round Feistel network • Theoretical basis? • Luby-Rackoff showed that 4 rounds of Feistel with pseudorandom round functions is a PRP. • Several improvements: Naor-Reingold, Patarin, Ramzan-Reyzin… • All apply to 3-6 rounds of Feistel. • Why the disconnect?
Reason 1 • Round functions are not pseudorandom functions. • All above theoretical results assume some of the round functions to be PRFs. • Round functions in actual block ciphers are heuristically designed and aren’t pseudorandom. • Maybe expect less from round functions. • Weaker assumptions on round functions, such as unpredictability?
Reason 2 • Cannot argue secrecy of round values. • Necessary for any of the theoretical results to be applicable. • May not necessarily hold for actual block ciphers with non-pseudorandom round functions. • Example: need not hold for unpredictable fns. • More generally, there may be situations where this has to be the case (more details later).
Summary • All theoretical results are inapplicable once we relax the above assumptions, i.e. when • Round functions may not be PRFs. • Cannot argue secrecy of round values. • In fact, we give a simple attack on the Feistel network in the paper if either of these assumptions does not hold.
Our results (in brief) • Negative Results: • If round values are public, O(log n) round Feistel network is insecure. • With unpredictable round fns., O(log n) rounds need not be secure (even if round values aren’t explicitly revealed) • An attack using exponential (in # of rounds) queries. • Positive results: • (log n) rounds preserve PR/Unpredictability even if round values are leaked.
Implications for Block Ciphers • If round functions are pseudorandom • O(log n) round Feistel is insecure if round values revealed. • (log n) round Feistel is a PRP even if round values revealed! • If round functions are only unpredictable • O(log n) round Feistel need not be secure even if round values are not explicitly revealed. • (log n) round Feistel is an unpredictable permutation (UP). • Safe fallback security for block ciphers. • Even for stronger security notions • Forces a weaker/more clever attack for (log n) rounds. • Possible that weaker than PRF round functions suffice! • (log n) matches the number of rounds in block ciphers much better than previous results. • E.g. DES on 64 bits uses 16 rounds.
Our results (in brief) • Negative Results: • If round values are public, O(log n) round Feistel network is insecure. • With unpredictable round fns., O(log n) rounds need not be secure (even if round values aren’t explicitly revealed) • An attack using exponential (in # of rounds) queries. • Positive results: • (log n) rounds preserve PR/Unpredictability even if round values are leaked. • Give a general abstraction for the Feistel network. • Many other applications (stay tuned!)
A useful abstraction. • We describe a simple combinatorial game involving the Feistel network which is applicable to all scenarios that we consider. • Involves a k-round Feistel network and an attacker A. • A makes forward/inverse queries to Feistel. • Can see all intermediate round values. • Goal : Force a collision of the middle ((k/2)th) round values of two different queries.
Negative Result • We describe an attacker that wins this combinatorial game. • The attacker makes O(1.62k) queries to the k-round Feistel network. • Works for arbitrary round functions • Hence, works in polynomial time for the O(log n)-round Feistel network.
Matching Positive Result • We find a sufficient combinatorial condition on the round functions such that no efficient attacker can win if k=(log n). • 5-XOR game: • Same rules as the main combinatorial game. • Goal : Attacker wins if some “new” round function output = XOR of upto 5 previous round values. • 5-XOR resistant functions : resist such attacks. Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.
Matching Positive Result (contd.) • This is a purely deterministic result. • If attacker does not win the 5-XOR game, then it cannot find a (k/2)th round value collision with less than O(1.38k/2) queries. • Using 5-XOR-resistance? • Relatively weak property, easily proven to hold for UFs and PRFs • Applied to PRFs (log n) round Feistel is PRP (even if the round values are public!). • Applied to UFs (log n) round Feistel is UP (even if the round values are public!). • Implication to Domain extension of MACs!
Domain Extension of MACs • Problem : Given a fixed-length input (FIL) MAC, construct an arbitrary-length input (AIL) MAC. • Well studied if FIL-MAC is a PRF (in fact, often get AIL-PRF). • Also well studied if FIL-MAC is “shrinking” (variants of Cascade construction work) [AB99,MS05]. • Grey Area: What if the FIL-MAC is neither PRF nor “shrinking”? • Perhaps, most practically relevant case! (a) FIL-MAC is typically a block cipher. (b) overkill to assume it is a PRF!
Hash-then-MAC • Use a hash function to map to a short message, then apply the FIL-MAC. • If FIL-MAC is a PRF, then an almost-universal hash function works. • With general FIL-MACs, need collision-resistant hash functions!
CBC-MAC • Popular domain extension technique for MACs • Secure if FIL-MAC is a PRF [BKR94]. • Simple attack possible with general FIL-MACs [AB99].
Cascade construction • Also called Merkle-Damgard construction. • Need a shrinking FIL-MAC. • If FIL-MAC is a PRF, one can chop the output and apply Cascade. • With general FIL-MACs, can chop at most logarithmic number of output bits • Very Inefficient (+ poor exact security)
Naor-Reingold construction • A very nice technique of getting PRFs from UFs. • Need to extract a hardcore bit for every output bit of PRF. • Very inefficient
Feistel Network • 3-rounds already secure if FIL-MAC is a PRF. • With general FIL-MACs, [AB99] gave an attack on 3-round Feistel. • “more rounds do not appear to help” [AB] • Our result : With general FIL-MACs, k-round Feistel network is a secure MAC if and only if k=(log n). • Extend [AB99] to show that upto logarithmic number of rounds do not help in general. • Somewhat surprisingly, secure with more rounds!
More efficient AIL-MAC? • Above method is still somewhat inefficient for large inputs. • To get domain size (n2i), need (log n)i round Feistel network. • Moreover, digest size grows as big as the domain! • Can this be improved? • Yes! • Optimize our technique to get 2n n bit MAC. • Use existing techniques for “shrinking” MACs (variants of Cascade).
More efficient AIL-MAC • How to get 2nn bit MAC? • Chop n bits from the Feistel network output? • Cannot directly apply our technique. • With a little work, show that (log n) rounds are still necessary and sufficient! • Our suggestion to practitioners: apply any secure variant of Cascade to the 2nn MAC obtained by • Halving the output of an w(log n)-round Feistel network applied to any secure n-bit block cipher • Halving the output of a secure 2n-bit block cipher itself, if the block cipher is already Feistel-based! • Note: this requires at least 256-bit block cipher
Verifiable Random Functions • Verifiable Random Functions (VRFs) are verifiable analogues of PRFs. • Given secret key SK: • Can compute VRF f and provide proofs of correctness of f outputs. • Still cannot give proofs for two different outputs for the same input (even for adversarial PK!). • Given public key PK: • Can verify proofs of correctness of f outputs. • All “unproved” outputs still look random. • Several known constructions [MRV,L,DY,D].
Verifiable Random Permutations • We introduce VRPs, similarly natural verifiable analogues of PRPs. • Can we build them from VRFs, just like PRPs from PRFs? • First Attempt: Use a 4-round Feistel network with VRFs in each round and apply the Luby-Rackoff result. • Doesn’t work: need to explicitly give round values (and their proofs) to prove VRP outputs.
Constructing VRPs from VRFs • Use our proof technique that works even if round values are public. • Result : An (log n) round Feistel network with VRFs as round functions is a verifiable random permutation. • Cannot improve to O(log n) rounds, since our attack works in this case as well.
Applications of VRPs • Non-interactive setup-free perfectly binding commitments. • Non-interactive Lottery. • “Invariant Signatures” of [GO92] for NIZKs. • Verifiable CBC Encryption/Decryption. • Verifiable huge (pseudo)random objects. • “Proof-transferrable” implementation of Ideal Cipher Model.
Non-interactive commitments • Non-interactive, setup-free, perfectly-binding commitments. • Best known construction uses one-way permutations (Naor’s OWF-based commitment uses setup) • We note that VRPs work for this purpose. • To commit to m, send (SK(m),PK). • To open commitment, send m and the proof for SK(m). • Hiding : easy • Perfect Binding : a permutation even if PK is chosen maliciously • Note: VRFs do not suffice even for computational binding! • Nevertheless, using our VRF VRP construction, we get such commitments from VRFs • Incomparable assumption to OWPs.
Non-interactive Lottery • Micali-Rivest suggest using a VRF f. • Dealer publishes PK, and user selects X. • The user wins if fSK(X) satisfies some pre-determined predicate. • Problem: Dealer can cheat by choosing PK such that fSK(X) never satisfies the predicate! • Using a VRP instead solves this problem. • A permutation even for malicious keys. • Moreover, can determine number of winners beforehand!
VUPs and more… • We also give a way to construct verifiable unpredictable permutations from verifiable unpredictable functions. • Using (log n) round Feistel network. • Again, O(log n) rounds is not enough • Note: this uses full power of our technique. • Hopefully, more applications of our technique will emerge in future…
Summary • New understanding of Feistel network with a weak security requirement on round functions. • 5-XOR-resistance, implied by both UFs & PRFs. • Number of rounds we predict is closer to the one used in current block ciphers. • First efficient domain extension for MACs (starting with length-preserving MACs). • Verifiable Random Permutations and applications.
Feistel construction Random round number i Independently generated UFs • For a forward query, hopefully Ri+1 is: • A new round value. • XOR of previous round values. If so, then f(R_i) = Ri-1 XOR of existing round values. (choose at random) randomly guess query number where XOR adversary wins Unpredictable Permutation UP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation. Part I: UFs are 5-XOR resistant f
Unpredictable Permutation UP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation. Part II : Use the combinatorial “Main Theorem” to argue no collisions of (k/2)th round value.
Feistel construction Round number (k/2) Independently generated UFs Queries made by UP adversary (use f oracle) Prediction output Prediction input get Rk/2 Now f(Rk/2)=R(k/2)-1 R(k/2)+1 get R(k/2)+1 Unpredictable Permutation UP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation. Part III : No (k/2)th round collision UP f No middle round value collision Rk/2 is a new input to f.
(b’) (b) (a) Main Theorem Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries. Part I: Existence of Collision Queries Rn/2-2b Rn/2-1b Rn/2b Rn/2 in query b = Rn/2 in query a Rn/2-2b’ Rn/2-1b’ Rn/2b’ fn/2-1(Rn/2-1a)=Rn/2b Rn/2-2a Rn/2-1 in query b’ = Rn/2-1 in query a fn/2-2(Rn/2-2a)=Rn/2-1b’ Rn/2-3a Rn/2-2a Rn/2-1a Rn/2a
(b1) (b2) (b3) Main Theorem Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries. Part II: Permitted orders of collision queries. f(Ri+1b3)=Rib2 Ri+2b1 Rib1 Ri+1b1 Ri+2b1 Rib2 Ri+1b2 Ri+2b2 Rib3 Ri+1b3 Ri+2b3
(b2) (b1) (c1) (ci) (b3) Main Theorem Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries. Part III: More and more and … more collision queries! Rib1 Ri+1b1 Ri+2b1 Rib2 Ri+1b2 Ri+2b2 f(Ri-1b3)=Ri-2b3 f(Ri+1b2) Ri+2b1 Ri-1c1 =Ri-2b3 Ri+2b2 Rib2 Ri+2b1 Ri-2b3 Ri-1b3 Rib3 Ri+1b3 Ri+2b3
Main Theorem • Show that we are not “double counting” queries. • Formulate a recursion on the number of queries to get a closed form expression. Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.