Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf ·...
Improving the Round Complexity of Ideal-Cipher Constructions
Aishwarya Thiruvengadam
Block Ciphers
• Building block for many cryptographic constructions
– Hash functions
– Encryption schemes
– Message authentication codes
Block Ciphers
• Popular approaches to block cipher designs
– Feistel Networks
  • DES
  • Applications of keyed round functions
– Key-alternating ciphers
  • AES
  • Applications of public round permutations
Outline
• Security of Block Ciphers
– Indifferentiability [MRH04]
• Security of Feistel Networks [DKT16]
• Security of Key-alternating Ciphers [DSST17]
Block Ciphers
• Inputs: key 𝑘, input 𝑥
• Output: 𝑦
• Keyed permutations
• $BC : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$
[Figure: block cipher 𝐵𝐶 with input 𝑥 and key 𝑘, output 𝑦]
Security of Block Ciphers: Indistinguishability
• Ideal World
– 𝑃 – random permutation
• Real World
– $BC_k$ – block cipher with key 𝑘
[Figure: distinguisher 𝐷 interacting with $BC_k$ in the real world and with 𝑃 in the ideal world]
Security of Block Ciphers: Indifferentiability [MRH04]
• Is an 𝑟-round block cipher an ideal cipher?
– Under appropriate assumptions on the underlying primitive 𝑂
Ideal Cipher
• For each key 𝑘
– $BC_k(\cdot)$ – uniform random permutation
[Figure: block cipher 𝐵𝐶 with input 𝑥 and key 𝑘, output 𝑦]
Indifferentiability
• Real World
• 𝐵𝐶 – block cipher construction
• $O = \{O_1, \ldots, O_r\}$, round functions
[Figure: 𝐷 with access to 𝐵𝐶 and 𝑂]
Indifferentiability
• Ideal World
• 𝐼𝐶 – random permutation
• 𝑆 – alg. simulating round functions
• Real World
• 𝐵𝐶 – block cipher construction
• $O = \{O_1, \ldots, O_r\}$
[Figure: real world, 𝐷 with access to 𝐵𝐶 and 𝑂; ideal world, 𝐷 with access to 𝐼𝐶 and 𝑆]
Indifferentiability
• Ideal World
• Real World
[Figure: real world, 𝐷 with access to 𝐵𝐶 and 𝑂; ideal world, 𝐷 with access to 𝐼𝐶 and 𝑆]
Block cipher construction 𝐵𝐶 is indifferentiable from an ideal cipher 𝐼𝐶 if:
there exists an (efficient) 𝑆 s.t. no (efficient) 𝐷 can distinguish between real and ideal w.h.p.
Indifferentiability of Feistel Networks
Feistel Network
• Iterated structure
• Repeated application of round functions
– $F_1, \ldots, F_r : \{0,1\}^n \to \{0,1\}^n$
• Yields permutation
[Figure: 4-round Feistel network with round functions $F_1, \ldots, F_4$, input $(x_0, x_1)$ and output $(x_4, x_5)$]
Feistel Network
• Input: $2n$-bit string $(x_0, x_1)$
• Output (after 𝑟 rounds): $2n$-bit string $(x_r, x_{r+1})$
Feistel Network
• Input: $x_0, x_1$
• For $i = 1$ to $r$
– Input: $x_{i-1}, x_i$
– $x_{i+1} = F_i(x_i) \oplus x_{i-1}$
– Output: $x_i, x_{i+1}$
• Output (after 𝑟 rounds): $x_r, x_{r+1}$
[Figure: 4-round Feistel network from $(x_0, x_1)$ to $(x_4, x_5)$ with the intermediate values $x_1, \ldots, x_4$ labelled]
Security of Feistel Networks
• Is an r-round Feistel network an ideal cipher?
– 𝐹 independent, public random functions
Related Work
• 5 rounds are insufficient [CPS08]
• 14 rounds sufficient [HKT11,CHKPST14]
• This work:
– 10 rounds are sufficient
• Further improvement: 8 rounds sufficient [DS16]
Our Result
• Sufficient to show:
– 10-round (unkeyed) Feistel network indifferentiable from a random permutation
10-round (keyed) Feistel network indifferentiable from an ideal cipher
Indifferentiability
• Ideal World
• Real World
[Figure: real world, 𝐷 with access to 𝜓 and 𝐹; ideal world, 𝐷 with access to 𝑃 and 𝑆]
Sufficient to show: there exists an (efficient) 𝑆 s.t.
no (efficient) 𝐷 can distinguish between real and ideal w.h.p.
Naïve Simulator Strategy
• On query $F_i(x_i)$, return uniform value
[Figure: ideal world with 𝐷, 𝑃 and 𝑆; 𝐷 sends the query $F_i(x_i)$ and 𝑆 answers]
Distinguisher Strategy
• 𝑆: On query $F_i(x_i)$, return uniform value
• 𝐷:
– Pick arbitrary $x_0, x_1$
– Query $(x_0, x_1)$ and receive $(y_{10}, y_{11})$
– For $i = 1$ to $10$: query $F_i(x_i)$ and set $x_{i+1} = F_i(x_i) \oplus x_{i-1}$
– Check $(x_{10}, x_{11}) \stackrel{?}{=} (y_{10}, y_{11})$
• Against 𝑃 and 𝑆 (ideal world), the check fails w.h.p.
[Figure: 𝐷 running the same check against 𝜓 and 𝐹 in the real world and against 𝑃 and 𝑆 in the ideal world]
What should Simulator do?
• Make $(x_{10}, x_{11}) = (y_{10}, y_{11})$
• How? Choose $F_i(x_i)$ s.t. $(x_{10}, x_{11}) = (y_{10}, y_{11})$
– But 𝑆 does not know $y_{10}, y_{11}$
• Query $P(x_0, x_1)$, learn $(y_{10}, y_{11})$
– But 𝑆 does not know $x_0, x_1$
[Figure: 𝐷 picks arbitrary $x_0, x_1$, queries $(x_0, x_1)$, then for $i = 1$ to $10$ queries $F_i(x_i)$ and checks $(x_{10}, x_{11}) \stackrel{?}{=} (y_{10}, y_{11})$, run against 𝑃 and 𝑆]
How to learn 𝑥0, 𝑥1?
• But 𝑆 does not know $x_0, x_1$
[Figure: 𝐷 queries $F_1(x_1), F_2(x_2), \ldots, F_6(x_6)$ in turn; the list $F_1(x_1), \ldots, F_6(x_6)$ is shown next to 𝑆]
• On query $F_6(x_6)$: do $x_1, \ldots, x_6$ form a Feistel sequence?
– i.e. for $i = 5$ to $2$: $x_{i+1} \stackrel{?}{=} F_i(x_i) \oplus x_{i-1}$
• Yes: partial chain detection
– Set $x_0 = F_1(x_1) \oplus x_2$
– Set $x_1 = F_2(x_2) \oplus x_3$
What should Simulator do?
• Make $(x_{10}, x_{11}) = (y_{10}, y_{11})$
– Detect chain starting at $x_0, x_1$
– Query $P(x_0, x_1)$, learn $(y_{10}, y_{11})$
– Choose $F_i(x_i)$ s.t. $(x_{10}, x_{11}) = (y_{10}, y_{11})$
[Figure: 𝐷's strategy run against 𝑃 and 𝑆, with 𝐷 querying $F_6(x_6)$]
How to choose 𝐹𝑖(𝑥𝑖)?
• Choose $F_i(x_i)$ s.t. $(x_{10}, x_{11}) = (y_{10}, y_{11})$
– Set $F_6(x_6)$; $x_7 = F_6(x_6) \oplus x_5$
– Set $F_7(x_7)$; $x_8 = F_7(x_7) \oplus x_6$
– $x_{10} = y_{10}$, $x_{11} = y_{11}$
– Set $F_{10}(x_{10})$; $x_9 = F_{10}(x_{10}) \oplus x_{11}$
– $F_8(x_8) = x_9 \oplus x_7$, $F_9(x_9) = x_8 \oplus x_{10}$
• Preemptive completion
[Figure: 𝐷's strategy run against 𝑃 and 𝑆; 𝐷 queries $F_6(x_6)$ and 𝑆 has learned $(y_{10}, y_{11})$ from $P(x_0, x_1)$]
What should Simulator do?
• Detect chain starting at $x_0, x_1$
• Preemptively complete chain s.t. $(x_{10}, x_{11}) = (y_{10}, y_{11})$
[Figure: 𝐷's strategy run against 𝑃 and 𝑆, with 𝐷 querying $F_6(x_6)$]
Simulator Strategy
Preemptive completion
Partial chain detection
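The naive simulator, the distinguisher that defeats it, and the detect-then-complete fix from the slides above, as an added Python sketch (not code from the talk or from [DKT16]). It covers only the running example, where 𝐷 queries the rounds in order and the chain is detected at round 6; the class names, the 32-bit half-block and the lazy sampling are assumptions, and the three detect zones of the full simulator are not reproduced.

```python
import secrets

N, R = 32, 10                      # toy half-block size n (assumption) and round count

def rand():
    return secrets.randbits(N)

class LazyPermutation:
    """Random permutation P on 2n-bit blocks, sampled lazily (forward queries only)."""
    def __init__(self):
        self.fwd, self.used = {}, set()
    def query(self, x0, x1):
        if (x0, x1) not in self.fwd:
            y = (rand(), rand())
            while y in self.used:              # resample so P stays injective
                y = (rand(), rand())
            self.fwd[(x0, x1)] = y
            self.used.add(y)
        return self.fwd[(x0, x1)]

class Tables:
    """Lazily sampled tables for F_1..F_R."""
    def __init__(self):
        self.tables = {i: {} for i in range(1, R + 1)}
    def sample(self, i, x):
        if x not in self.tables[i]:
            self.tables[i][x] = rand()
        return self.tables[i][x]

class RealWorld(Tables):
    """Real world: public random functions F_i and the Feistel construction psi."""
    def F(self, i, x):
        return self.sample(i, x)
    def cipher(self, x0, x1):
        prev, cur = x0, x1
        for i in range(1, R + 1):              # x_{i+1} = F_i(x_i) XOR x_{i-1}
            prev, cur = cur, self.F(i, cur) ^ prev
        return prev, cur                       # (x_10, x_11)

class NaiveSimulator(Tables):
    """Ideal world: cipher queries go to P, every F_i(x_i) gets a uniform answer."""
    def __init__(self, P):
        super().__init__()
        self.P = P
    def cipher(self, x0, x1):
        return self.P.query(x0, x1)
    def F(self, i, x):
        return self.sample(i, x)

class ChainSimulator(NaiveSimulator):
    """Detects a chain x_1..x_6 on a fresh F_6 query and completes it preemptively."""
    def F(self, i, x):
        if i == 6 and x not in self.tables[6]:
            for x5 in list(self.tables[5]):
                start = self._walk_back(x5, x)
                if start is not None:
                    self._complete(start, x5, x)
        return self.sample(i, x)

    def _walk_back(self, x5, x6):
        hi, lo = x6, x5                        # (x_{i+1}, x_i), starting at i = 5
        for i in range(5, 0, -1):
            if lo not in self.tables[i]:
                return None                    # F_i(x_i) never queried: no chain
            hi, lo = lo, self.tables[i][lo] ^ hi   # x_{i-1} = F_i(x_i) XOR x_{i+1}
        return lo, hi                          # (x_0, x_1)

    def _complete(self, start, x5, x6):
        y10, y11 = self.P.query(*start)        # learn the target (y_10, y_11)
        x7 = self.sample(6, x6) ^ x5
        x8 = self.sample(7, x7) ^ x6
        x9 = self.sample(10, y10) ^ y11        # x_9 = F_10(x_10) XOR x_11
        if x8 in self.tables[8] or x9 in self.tables[9]:
            raise RuntimeError("adapt position already assigned")
        self.tables[8][x8] = x9 ^ x7           # adapted so that round 8 yields x_9
        self.tables[9][x9] = x8 ^ y10          # adapted so that round 9 yields y_10

def distinguisher(world):
    """D from the slides: True iff the hand-evaluated chain matches the cipher answer."""
    x0, x1 = rand(), rand()
    y = world.cipher(x0, x1)
    prev, cur = x0, x1
    for i in range(1, R + 1):
        prev, cur = cur, world.F(i, cur) ^ prev
    return (prev, cur) == y

if __name__ == "__main__":
    print("real world      :", distinguisher(RealWorld()))
    print("naive simulator :", distinguisher(NaiveSimulator(LazyPermutation())))
    print("chain simulator :", distinguisher(ChainSimulator(LazyPermutation())))
```

The `RuntimeError` branch is the condition the deck states for preemptive completion: the adapt positions $F_8(x_8)$ and $F_9(x_9)$ must still be unassigned.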
Simulator Strategy: Partial Chain Detection
• In example,
– 𝐷 queried $F_1(x_1), \ldots, F_6(x_6)$
– 𝑆 checked if $x_1, \ldots, x_6$ formed a valid Feistel sub-sequence
• What if
– 𝐷 queried $F_6(x_6), \ldots, F_1(x_1)$?
– 𝐷 queried $F_1(x_1), F_1(x_1'), \ldots, F_6(x_6)$?
Simulator Strategy: Partial Chain Detection
• Three detect zones
– Spanning rounds {9, 10, 1}, {10, 1, 2} and {5, 6}
Simulator Strategy: Partial Chain Detection
• Detect zone {5, 6}
– On query $F_6(x_6)$: is there "$x_5 \in F_5$" s.t. $x_5, x_6$ form a Feistel sequence?
– On query $F_5(x_5)$: is there "$x_6 \in F_6$" s.t. $x_5, x_6$ form a Feistel sequence?
Simulator Strategy: Partial Chain Detection
• Detect zone {9, 10, 1}
– On query $F_1(x_1)$: are there "$x_9 \in F_9$" and "$x_{10} \in F_{10}$" with $x_{11} = x_9 \oplus F_{10}(x_{10})$ and $P^{-1}(x_{10}, x_{11}) = (x_0', x_1')$ s.t. $x_1' = x_1$?
– On query $F_9(x_9)$: are there "$x_1 \in F_1$" and "$x_{10} \in F_{10}$" with $x_{11} = x_9 \oplus F_{10}(x_{10})$ and $P^{-1}(x_{10}, x_{11}) = (x_0', x_1')$ s.t. $x_1' = x_1$?
Simulator Strategy: Partial Chain Detection
• Detect zone {10, 1, 2}
– On query $F_{10}(x_{10})$: are there "$x_1 \in F_1$" and "$x_2 \in F_2$" with $x_0 = x_2 \oplus F_1(x_1)$ and $P(x_0, x_1) = (x_{10}', x_{11}')$ s.t. $x_{10}' = x_{10}$?
– On query $F_2(x_2)$: are there "$x_{10} \in F_{10}$" and "$x_1 \in F_1$" with $x_0 = x_2 \oplus F_1(x_1)$ and $P(x_0, x_1) = (x_{10}', x_{11}')$ s.t. $x_{10}' = x_{10}$?
Simulator Strategy: Partial chain Detection
• Three detect zones
– Spanning rounds {9, 10, 1}, {10, 1, 2} and {5, 6}
67
![Page 68: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/68.jpg)
Simulator Strategy
Preemptive completion
Partial chain detection
68
![Page 69: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/69.jpg)
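Simulator Strategy: Preemptive Completion
69
[Diagram: $D$ issues the query $F_6(x_6)$; $S$ answers, with access to $P$. Labels: $x_0, x_1$; $y_{10}, X_{11}$; $y_{10}, y_{11}$]
Set $F_6(x_6)$: $x_7 = F_6(x_6) \oplus x_5$
Set $F_7(x_7)$: $x_8 = F_7(x_7) \oplus x_6$
$x_{10} = X_{10}$, $x_{11} = X_{11}$
Set $F_{10}(x_{10})$: $x_9 = F_{10}(x_{10}) \oplus x_{11}$
$F_8(x_8) = x_9 \oplus x_7$, $F_9(x_9) = x_8 \oplus x_{10}$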
![Page 70: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/70.jpg)
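Simulator Strategy: Preemptive Completion
70
[Diagram: $D$ issues the query $F_6(x_6)$; $S$ answers, with access to $P$. Labels: $x_0, x_1$; $y_{10}, X_{11}$; $y_{10}, y_{11}$]
Requires adapt positions $F_8(x_8)$, $F_9(x_9)$ to be unassigned
Set $F_6(x_6)$: $x_7 = F_6(x_6) \oplus x_5$
Set $F_7(x_7)$: $x_8 = F_7(x_7) \oplus x_6$
$x_{10} = X_{10}$, $x_{11} = X_{11}$
Set $F_{10}(x_{10})$: $x_9 = F_{10}(x_{10}) \oplus x_{11}$
$F_8(x_8) = x_9 \oplus x_7$, $F_9(x_9) = x_8 \oplus x_{10}$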
![Page 71: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/71.jpg)
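Simulator Strategy: Preemptive Completion
71
[Diagram: $D$ issues the query $F_6(x_6)$; $S$ answers, with access to $P$. Labels: $x_0, x_1$; $y_{10}, X_{11}$; $y_{10}, y_{11}$]
Requires adapt positions $F_8(x_8)$, $F_9(x_9)$ to be unassigned
Set $F_6(x_6)$: $x_7 = F_6(x_6) \oplus x_5$
Set $F_7(x_7)$: $x_8 = F_7(x_7) \oplus x_6$
$x_{10} = X_{10}$, $x_{11} = X_{11}$
Set $F_{10}(x_{10})$: $x_9 = F_{10}(x_{10}) \oplus x_{11}$
$F_8(x_8) = x_9 \oplus x_7$, $F_9(x_9) = x_8 \oplus x_{10}$
How?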
![Page 72: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/72.jpg)
Simulator Strategy: Preemptive Completion
72
Set $F_6(x_6)$: $x_7 = F_6(x_6) \oplus x_5$
Set $F_7(x_7)$: $x_8 = F_7(x_7) \oplus x_6$
$x_{10} = X_{10}$, $x_{11} = X_{11}$
Set $F_{10}(x_{10})$: $x_9 = F_{10}(x_{10}) \oplus x_{11}$
$F_8(x_8) = x_9 \oplus x_7$, $F_9(x_9) = x_8 \oplus x_{10}$
If $F_7(x_7)$, $F_{10}(x_{10})$ are not assigned prior to detection
Then, $x_8$ and $x_9$ are not “known”
Then $F_8(x_8)$, $F_9(x_9)$ will be unassigned w.h.p
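The preemptive-completion step on the slides above, as an added Python example (not code from the talk or from [DKT16]): it completes one chain detected at {5, 6}, adapts at rounds 8 and 9, and shows the case where an adapt position is already taken. Assumptions: 16-bit halves, a lazily sampled stand-in for 𝑃, and all class and function names; chain detection itself is not modelled.

```python
import random

N = 16                                   # half-block width in bits (toy size, assumption)

class AdaptError(Exception):
    """An adapt position F8(x8) or F9(x9) was already assigned."""

class LazyPermutation:
    """Ideal-world P on 2N-bit blocks, sampled lazily: (x0, x1) -> (x10, x11)."""
    def __init__(self, rng):
        self.rng, self.fwd, self.used = rng, {}, set()

    def query(self, x0, x1):
        if (x0, x1) not in self.fwd:
            out = (self.rng.getrandbits(N), self.rng.getrandbits(N))
            while out in self.used:               # resample to keep P injective
                out = (self.rng.getrandbits(N), self.rng.getrandbits(N))
            self.used.add(out)
            self.fwd[(x0, x1)] = out
        return self.fwd[(x0, x1)]

class Simulator:
    def __init__(self, P, rng):
        self.P, self.rng = P, rng
        self.F = {i: {} for i in range(1, 11)}    # tables F1..F10

    def sample(self, i, x):
        """Return F_i(x), assigning a uniform value if it is unassigned."""
        if x not in self.F[i]:
            self.F[i][x] = self.rng.getrandbits(N)
        return self.F[i][x]

    def complete(self, x5, x6):
        """Preemptively complete the chain through (x5, x6), adapting at 8 and 9."""
        a, b = x5, x6                             # (x_i, x_{i+1})
        for i in range(5, 0, -1):                 # x_{i-1} = x_{i+1} xor F_i(x_i)
            a, b = b ^ self.sample(i, a), a
        x0, x1 = a, b
        x10, x11 = self.P.query(x0, x1)           # x10 = X10, x11 = X11
        x7 = self.sample(6, x6) ^ x5              # set F6(x6)
        x8 = self.sample(7, x7) ^ x6              # set F7(x7)
        x9 = self.sample(10, x10) ^ x11           # set F10(x10)
        if x8 in self.F[8] or x9 in self.F[9]:
            raise AdaptError((x8, x9))
        self.F[8][x8] = x9 ^ x7                   # adapt: forces x9 = x7 xor F8(x8)
        self.F[9][x9] = x8 ^ x10                  # adapt: forces x10 = x8 xor F9(x9)
        return (x0, x1), (x10, x11)

    def feistel(self, x0, x1):
        """Evaluate the 10-round Feistel using only already-assigned entries."""
        a, b = x0, x1
        for i in range(1, 11):
            a, b = b, a ^ self.F[i][b]            # KeyError if the chain is incomplete
        return a, b

def demo_consistent(seed=1):
    """After completion, the simulated Feistel agrees with P on the chain."""
    rng = random.Random(seed)
    sim = Simulator(LazyPermutation(rng), rng)
    x5, x6 = rng.getrandbits(N), rng.getrandbits(N)
    sim.sample(5, x5)                             # x5 in F5, then D asks F6(x6)
    inp, out = sim.complete(x5, x6)
    return sim.feistel(*inp) == out

def demo_adapt_conflict(seed=2):
    """If F7(x7) is set early, x8 is known and F8(x8) can be taken before adapting."""
    rng = random.Random(seed)
    sim = Simulator(LazyPermutation(rng), rng)
    x5, x6 = rng.getrandbits(N), rng.getrandbits(N)
    x7 = sim.sample(6, x6) ^ x5
    x8 = sim.sample(7, x7) ^ x6
    sim.sample(8, x8)                             # adapt position assigned beforehand
    try:
        sim.complete(x5, x6)
    except AdaptError:
        return True
    return False
```

The second demo is the situation the slide rules out by requiring that 𝐹7(𝑥7) and 𝐹10(𝑥10) are not assigned prior to detection.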
![Page 73: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/73.jpg)
Simulator Strategy
Preemptive completion
Partial chain detection
73
![Page 74: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/74.jpg)
10-round 𝜓 indifferentiable from 𝑃
• Ideal World: 𝐷 interacts with 𝑃 and 𝑆
• Real World: 𝐷 interacts with 𝜓 and 𝐹
(1) Shown 𝑆 s.t. no (efficient) 𝐷 can distinguish w.h.p
(2) To show: 𝑆 is efficient
74
![Page 75: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/75.jpg)
Simulator Efficiency
• Partial chain detection
[Diagram: $D$ issues the query $F_6(x_6)$; $S$ answers, with access to $P$]
Is there “$x_5 \in F_5$” s.t. $x_5, x_6$ form a Feistel sequence?
Check done even for internal assignments during preemptive completion
75
![Page 76: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/76.jpg)
Simulator Efficiency
• No. of partial chains detected
– Detect zone {5, 6}
– Detect zone {9, 10, 1}
– Detect zone {10, 1, 2}
76
![Page 77: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/77.jpg)
Simulator Efficiency
• No. of partial chains detected
– Wrap-around detect zones
• {9, 10, 1} and {10, 1, 2}
– Inner detect zone
• {5, 6}
77
![Page 78: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/78.jpg)
Simulator Efficiency
78
Wrap-around
– {9, 10, 1}
– {10, 1, 2}
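[Diagram: $D$ issues the query $F_1(x_1)$; $S$ answers, with access to $P$]
Are there “$x_9 \in F_9$” and “$x_{10} \in F_{10}$” with $x_{11} = x_9 \oplus F_{10}(x_{10})$ and $P^{-1}(x_{10}, x_{11}) = (x_0', x_1')$ s.t. $x_1' = x_1$?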
![Page 79: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/79.jpg)
Simulator Efficiency
79
Wrap-around
– {9, 10, 1}
– {10, 1, 2}
• Involve a query to 𝑃
➢ Charged to 𝐷
• At most 𝑞 such chains detected
![Page 80: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/80.jpg)
Simulator Efficiency
80
Wrap-around
– {9, 10, 1}
– {10, 1, 2}
Inner
– {5, 6}
• Involve a query to 𝑃
➢ Charged to 𝐷
• At most 𝑞 such chains detected
![Page 81: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/81.jpg)
Simulator Efficiency
81
Inner
– {5, 6}
[Diagram: $D$ issues the query $F_6(x_6)$; $S$ answers, with access to $P$]
Is there “$x_5 \in F_5$” s.t. $x_5, x_6$ form a Feistel sequence?
![Page 82: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/82.jpg)
Simulator Efficiency
82
Wrap-around
– {9, 10, 1}
– {10, 1, 2}
Inner
– {5, 6}
• Involve a query to 𝑃
➢ Charged to 𝐷
• At most 𝑞 such chains detected
• Require 𝐹5, 𝐹6 queries to be defined
➢ through 𝐷 queries
➢ Preemptive completion of wrap-around chains
![Page 83: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/83.jpg)
10-round 𝜓 indifferentiable from 𝑃
• Ideal World: 𝐷 interacts with 𝑃 and 𝑆
• Real World: 𝐷 interacts with 𝜓 and 𝐹
We show: (efficient) 𝑆 s.t.
No (efficient) 𝐷 can distinguish between real and ideal with prob. $O(q^{12}/2^n)$
83
![Page 84: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/84.jpg)
Indifferentiability of Key-alternating Ciphers
84
![Page 85: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/85.jpg)
Key-alternating Ciphers
85
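[Diagram: $P_1$, $P_2$, $P_3$, $P_4$, $P_5$ applied in sequence, with the key $k$ XORed in before $P_1$, between consecutive permutations, and after $P_5$]
• Iterated structure
• Repeated application of (public) permutations
– $P_1, \ldots, P_r : \{0,1\}^n \to \{0,1\}^n$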
![Page 86: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/86.jpg)
Indifferentiability
• Ideal World: 𝐷 interacts with 𝐼𝐶 and 𝑆
• Real World: 𝐷 interacts with 𝐾𝐴𝐶 and 𝑃
Sufficient to show: (efficient) 𝑆 s.t.
No (efficient) 𝐷 can distinguish between real and ideal w.h.p
86
![Page 87: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/87.jpg)
Related Work
• 12 rounds sufficient [LS13]
– 3 rounds insufficient
• Here: 5 rounds sufficient
– 4 rounds insufficient [DSST17]
• Idealized key-derivation
– 5 rounds sufficient [ABDMS13]
– 3 rounds sufficient [GL16]
87
![Page 88: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/88.jpg)
Simulator Strategy
Preemptive completion
Partial chain detection
88
![Page 89: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/89.jpg)
Simulator Efficiency
• No. of partial chains detected
– Detect zone {1, 2, 3}
– Detect zone {2, 3, 4}
– Detect zone {3, 4, 5}
– Detect zone {4, 5, 1}
– Detect zone {5, 1, 2}
89
![Page 90: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/90.jpg)
Simulator Efficiency
• No. of partial chains detected
– Wrap-around detect zones
• {4, 5, 1} and {5, 1, 2}
– (multiple) Inner detect zones
• {1, 2, 3}, {2, 3, 4}, {3, 4, 5}
90
![Page 91: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/91.jpg)
Simulator Efficiency
91
Wrap-around
– {4, 5, 1}
– {5, 1, 2}
• Charged to 𝐷
• At most 𝑞 such chains detected
![Page 92: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/92.jpg)
Simulator Efficiency
92
Wrap-around
– {4, 5, 1}
– {5, 1, 2}
Inner
– {1, 2, 3}
– {2, 3, 4}
– {3, 4, 5}
• Charged to 𝐷
• At most 𝑞 such chains detected
![Page 93: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/93.jpg)
Simulator Efficiency
93
Wrap-around
– {4, 5, 1}
– {5, 1, 2}
Inner
– {1, 2, 3}
– {2, 3, 4}
– {3, 4, 5}
• Charged to 𝐷
• At most 𝑞 such chains detected
• Require queries at 1, 2 and 3 to be defined
➢ 𝐷 queries
➢ Preemptive completion of
▪ wrap-around chains
▪ {3, 4, 5} chains
![Page 94: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/94.jpg)
Simulator Efficiency
94
Wrap-around
– {4, 5, 1}
– {5, 1, 2}
Inner
– {1, 2, 3}
– {2, 3, 4}
– {3, 4, 5}
• Charged to 𝐷
• At most 𝑞 such chains detected
![Page 95: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/95.jpg)
Simulator Efficiency
95
Wrap-around
– {4, 5, 1}
– {5, 1, 2}
Inner
– {1, 2, 3}
– {2, 3, 4}
– {3, 4, 5}
• Charged to 𝐷
• At most 𝑞 such chains detected
• Require query at 𝑃3 to be defined
➢ through 𝐷 queries
➢ Preemptive completion of wrap-around chains
![Page 96: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/96.jpg)
Simulator Efficiency
96
Inner
– {1, 2, 3}
– {2, 3, 4}
– {3, 4, 5}
• {3, 4, 5}
• Require query at 𝑃3 to be defined
➢ through 𝐷 queries
➢ Preemptive completion of wrap-around chains
Claim:
• A chain detected at {3, 4, 5} can be uniquely mapped to
➢ A 𝑃3 query and a 𝐷 query
➢ A pair of 𝑃3 queries
![Page 97: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/97.jpg)
5-round KAC indifferentiable from an ideal cipher
• Ideal World: 𝐷 interacts with 𝐼𝐶 and 𝑆
• Real World: 𝐷 interacts with 𝐾𝐴𝐶 and 𝑃
We show: efficient 𝑆 s.t.
No (efficient) 𝐷 can distinguish between real and ideal with prob. $O(q^{38}/2^n)$
97
![Page 98: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/98.jpg)
Conclusion
• Security of Block Ciphers
– Indifferentiability [MRH04]
• Security of Feistel Networks [DKT16]
– 10-round Feistel
• Security of Key-alternating Ciphers [DSST17]
– 5-round KAC
98
![Page 99: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/99.jpg)
Thank You
99
![Page 100: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/100.jpg)
Simulator Efficiency
• Inner Detect zone {3, 4, 5}
100
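[Diagram: $D$ issues the query $P_3^{-1}(y_3)$; $S$ answers, with access to $IC$]
Are there “$x_4 \in P_4$” and “$x_5 \in P_5$” with $y_4 = P_4(x_4)$ and $y_3 \oplus x_5 = x_4 \oplus y_4$?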
![Page 101: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/101.jpg)
Simulator Efficiency
• Inner Detect zone {3, 4, 5}
101
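Are there “$x_4 \in P_4$” and “$x_5 \in P_5$” with $y_4 = P_4(x_4)$ and $y_3 \oplus x_5 = x_4 \oplus y_4$?
If $x_5 \in P_5$ due to
• 𝐷 query
  • $y_3 \oplus x_5 = x_4 \oplus y_4$
• Completion of another chain
  • $y_3 \oplus x_4 \oplus y_4 = x_5 = y_3' \oplus x_4' \oplus y_4'$
  • i.e., $y_3 \oplus y_3' = x_4 \oplus y_4 \oplus x_4' \oplus y_4'$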
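The {3, 4, 5} detection check from the two slides above, as an added Python example (not code from the talk or from [DSST17]): it evaluates a 5-round KAC to obtain a real chain, then runs the check $y_3 \oplus x_5 = x_4 \oplus y_4$ over constructed simulator tables and recovers the implied key. Assumptions: 16-bit blocks, the same key $k$ added before $P_1$, between permutations and after $P_5$, and all function names.

```python
import random

N = 16                                     # block width in bits (toy size, assumption)

def random_permutation(rng):
    """A public permutation on N-bit values, stored as a lookup table."""
    table = list(range(1 << N))
    rng.shuffle(table)
    return table

def kac_trace(perms, k, x):
    """Evaluate the KAC under key k; return ([(x_i, y_i) per round], ciphertext)."""
    trace, v = [], x ^ k                   # key added before P1
    for p in perms:
        y = p[v]
        trace.append((v, y))
        v = y ^ k                          # key added after every P_i
    return trace, v

def detect_345(y3, P4, P5):
    """On a query P3^{-1}(y3): find x4 in P4, x5 in P5 with y3 ^ x5 == x4 ^ y4.

    P4 and P5 are the simulator's tables (dict: input -> output).
    Returns (x4, x5, k) per partial chain, where k = y3 ^ x4 is the implied key.
    """
    chains = []
    for x4, y4 in P4.items():
        x5 = y3 ^ x4 ^ y4                  # the only x5 that satisfies the relation
        if x5 in P5:
            chains.append((x4, x5, y3 ^ x4))
    return chains

def demo(seed=7):
    """Build a real chain, hide it among unrelated table entries, and detect it."""
    rng = random.Random(seed)
    perms = [random_permutation(rng) for _ in range(5)]
    k, x = rng.getrandbits(N), rng.getrandbits(N)
    trace, _ = kac_trace(perms, k, x)
    (_, y3), (x4, y4), (x5, y5) = trace[2], trace[3], trace[4]
    # Constructed simulator tables: the real chain's entries plus unrelated ones.
    P4, P5 = {x4: y4}, {x5: y5}
    for _ in range(8):
        u, w = rng.getrandbits(N), rng.getrandbits(N)
        P4[u] = perms[3][u]
        P5[w] = perms[4][w]
    return k, (x4, x5), detect_345(y3, P4, P5)

if __name__ == "__main__":
    key, chain, found = demo()
    print("key", hex(key), "chain", chain, "detected", found)
```

Both sides of the relation equal the key on a real evaluation ($k = y_3 \oplus x_4 = y_4 \oplus x_5$), which is why the check flags exactly the table entries that lie on a common chain.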
![Page 102: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/102.jpg)
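Security of Feistel Networks: Indistinguishability
• Ideal World
• 𝑃 – random permutation
• Real World
• 𝜓 – Feistel construction
• 𝐹 = {𝐹1, … , 𝐹𝑟}
[Diagram: $D$ interacting with $\psi^F$ in the real world, and $D$ interacting with $P$ in the ideal world]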
102
![Page 103: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/103.jpg)
Indistinguishability of Feistel Networks
• [LR88] 4-round Feistel indistinguishable from random permutation
– 𝐹 independent, (secretly-keyed) random functions
103
![Page 104: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/104.jpg)
Simulator Efficiency
• Related to size of tables 𝐹𝑖
• Size of 𝐹𝑖 can increase only due to
– 𝐷 query to 𝐹𝑖
• at most 𝑞 such queries
– Preemptive completion of a chain detected by the simulator
104
![Page 105: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/105.jpg)
Simulator Efficiency
• Three detect zones
– Wrap-around: {9, 10, 1}, {10, 1, 2}
– Middle: {5, 6}
• Wrap-around zones
– Involve a query to 𝑃
• Charged to distinguisher 𝐷
– At most 𝑞 such chains get detected
105
![Page 106: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/106.jpg)
Simulator Efficiency
• Three detect zones
– Wrap-around: {9, 10, 1}, {10, 1, 2}
– Middle: {5, 6}
• Middle zones with 𝐹5 and 𝐹6 filled due to
– 𝐷 query
– Completion of wrap-around chains
106
![Page 107: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/107.jpg)
Simulator Efficiency
• Middle zones with 𝐹5 and 𝐹6 filled due to
– 𝐷 query
• At most 𝑞 such
– Completion of wrap-around chains
• At most 𝑞 such
107
![Page 108: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/108.jpg)
Simulator Efficiency
• Related to size of tables 𝐹𝑖
• Size of 𝐹𝑖 can increase only due to
– 𝐷 query to 𝐹𝑖
• at most 𝑞 such queries
– Preemptive completion of a chain detected by the simulator
• 𝑞 wrap-around chains
• $O(q^2)$ middle chains
108
![Page 109: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/109.jpg)
Simulator Efficiency
• Related to size of tables 𝑃𝑖
• Size of 𝑃𝑖 can increase only due to
– 𝐷 query to 𝑃𝑖
• at most 𝑞 such queries
– Preemptive completion of a chain detected by the simulator
109
![Page 110: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/110.jpg)
Simulator Efficiency
• Five detect zones
– Consecutive rounds of three
– Wrap-around: {5, 1, 2}, {4, 5, 1}
– Middle: {1, 2, 3}, {2, 3, 4}, {3, 4, 5}
110
[Diagram: $P_1$, $P_2$, $P_3$, $P_4$, $P_5$ applied in sequence, with the key $k$ XORed in between consecutive permutations]
![Page 111: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/111.jpg)
Simulator Efficiency
• Five detect zones
– Wrap-around: {5, 1, 2}, {4, 5, 1}
– Middle: {1, 2, 3}, {2, 3, 4}, {3, 4, 5}
• Wrap-around zones
– Involve a query to 𝑃
• Charged to distinguisher 𝐷
– At most 𝑞 such chains get detected
111
![Page 112: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/112.jpg)
Simulator Efficiency
• Five detect zones
– Wrap-around: {5, 1, 2}, {4, 5, 1}
– Middle: {1, 2, 3}, {2, 3, 4}, {3, 4, 5}
• Middle zones
– 𝐷 query
– Completion of wrap-around chains
– Completion of other Middle chains
112
![Page 113: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/113.jpg)
Simulator Efficiency
• Five detect zones
– Wrap-around: {5, 1, 2}, {4, 5, 1}
– Middle: {1, 2, 3}, {2, 3, 4}, {3, 4, 5}
• Middle zones 𝑃3
– 𝐷 query
– Completion of wrap-around chains
– Completion of other Middle chains
113
![Page 114: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/114.jpg)
Simulator Efficiency
• Size of 𝑃2 can increase only due to
– 𝐷 query to 𝑃𝑖
• at most 𝑞 such queries
– Preemptive completion of a chain detected by the simulator
• Wrap-around: {4, 5, 1} – at most 𝑞 such
• Middle: {3, 4, 5}
114
![Page 115: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/115.jpg)
Simulator Efficiency
• Size of 𝑃2 can increase due to
– 𝐷 query to 𝑃𝑖
• at most 𝑞 such queries
– Preemptive completion of middle chain at {3, 4, 5}
• Claim: Detection of chain at {3, 4, 5} can be uniquely mapped to
– A 𝑃3 query and a distinguisher query
– Pair of 𝑃3 queries
115
![Page 116: Aishwarya Thiruvengadam - Indian Statistical Instituteask2018/slides/aishwarya-thiruvengadam.pdf · Aishwarya Thiruvengadam 1. Block Ciphers •Building block for many cryptographic](https://reader034.fdocuments.us/reader034/viewer/2022042713/5fab8cf081477447a8003620/html5/thumbnails/116.jpg)
Simulator Efficiency
• Detection of chain at {3, 4, 5}
– $x_3 \oplus y_5 = x_4 \oplus y_4$
• Query at 5, $y_5$, is either due to
– A distinguisher query
– Completion of another chain
• $x_3 \oplus x_4 \oplus y_4 = y_5 = x_3' \oplus x_4' \oplus y_4'$
116