Breaking A Feistel-Type Block Cipher by Bacteria Engineering
Feistel Networks made Public, and Applications.
38
Feistel Networks made Public, and Applications. Yevgeniy Dodis Prashant Puniya
description
Feistel Networks made Public, and Applications. Yevgeniy Dodis Prashant Puniya. L. R. f. Round function. Round values. f. Round function output. S. T. Feistel Network. Construction of a permutation on 2n bits from a n n bit function f . Easily invertible. - PowerPoint PPT Presentation
Transcript of Feistel Networks made Public, and Applications.
Feistel Networks made Public, and
Applications.
Yevgeniy DodisPrashant Puniya
Feistel Network
Construction of a permutation on 2n bits from a nn bit function f.
Easily invertible. Feistel Network : Iterated Feistel Construction.
L R
TS
f Round function
Round values
One roundFeistel Construction
Round function outputf
Block Cipher Design Several practical block ciphers based on
Feistel network. DES, Blowfish, Triple DES… Use 16-48 round Feistel network
Theoretical basis? Luby-Rackoff showed that 4 rounds of Feistel
with pseudorandom round functions is a PRP. Several improvements: Naor-Reingold, Patarin,
Ramzan-Reyzin… All apply to 3-6 rounds of Feistel.
Why the disconnect?
Reason 1 Round functions are not pseudorandom
functions. All above theoretical results assume some of
the round functions to be PRFs. Round functions in actual block ciphers are
heuristically designed and aren’t pseudorandom.
Maybe expect less from round functions. Weaker assumptions on round functions, such
as unpredictability?
Reason 2 Cannot argue secrecy of round values. Necessary for any of the theoretical results
to be applicable. May not necessarily hold for actual block
ciphers with non-pseudorandom round functions. Example: need not hold for unpredictable fns. More generally, there may be situations where
this has to be the case (more details later).
Summary All theoretical results are inapplicable once
we relax the above assumptions, i.e. when Round functions may not be PRFs. Cannot argue secrecy of round values.
In fact, we give a simple attack on the Feistel network in the paper if either of these assumptions does not hold.
Our results (in brief)
Negative Results: If round values are public, O(log n) round
Feistel network is insecure. With unpredictable round fns., O(log n) rounds
need not be secure (even if round values aren’t explicitly revealed)
An attack using exponential (in # of rounds) queries. Positive results:
(log n) rounds preserve PR/Unpredictability even if round values are leaked.
Implications for Block Ciphers
If round functions are pseudorandom O(log n) round Feistel is insecure if round values revealed. (log n) round Feistel is a PRP even if round values revealed!
If round functions are only unpredictable O(log n) round Feistel need not be secure even if round
values are not explicitly revealed. (log n) round Feistel is an unpredictable permutation (UP). Safe fallback security for block ciphers. Even for stronger security notions
Forces a weaker/more clever attack for (log n) rounds. Possible that weaker than PRF round functions suffice!
(log n) matches the number of rounds in block ciphers much better than previous results. E.g. DES on 64 bits uses 16 rounds.
Our results (in brief)
Negative Results: If round values are public, O(log n) round Feistel
network is insecure. With unpredictable round fns., O(log n) rounds
need not be secure (even if round values aren’t explicitly revealed)
An attack using exponential (in # of rounds) queries. Positive results:
(log n) rounds preserve PR/Unpredictability even if round values are leaked.
Give a general abstraction for the Feistel network. Many other applications (stay tuned!)
A useful abstraction. We describe a simple combinatorial game
involving the Feistel network which is applicable to all scenarios that we consider.
Involves a k-round Feistel network and an attacker A. A makes forward/inverse queries to Feistel. Can see all intermediate round values. Goal : Force a collision of the middle ((k/2)th)
round values of two different queries.
Negative Result We describe an attacker that wins this
combinatorial game.
The attacker makes O(1.62k) queries to the k-round Feistel network. Works for arbitrary round functions
Hence, works in polynomial time for the O(log n)-round Feistel network.
Matching Positive Result We find a sufficient combinatorial condition on
the round functions such that no efficient attacker can win if k=(log n).
5-XOR game: Same rules as the main combinatorial game. Goal : Attacker wins if some “new” round function
output = XOR of upto 5 previous round values. 5-XOR resistant functions : resist such attacks.
Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.
Matching Positive Result (contd.)
This is a purely deterministic result. If attacker does not win the 5-XOR game, then
it cannot find a (k/2)th round value collision with less than O(1.38k/2) queries.
Using 5-XOR-resistance? Relatively weak property, easily proven to hold
for UFs and PRFs Applied to PRFs (log n) round Feistel is PRP
(even if the round values are public!).
Applied to UFs (log n) round Feistel is UP (even if the round values are public!).
Implication to Domain extension of MACs!
Domain Extension of MACs Problem : Given a fixed-length input (FIL)
MAC, construct an arbitrary-length input (AIL) MAC. Well studied if FIL-MAC is a PRF (in fact, often get AIL-PRF).
Also well studied if FIL-MAC is “shrinking” (variants of
Cascade construction work) [AB99,MS05]. Grey Area: What if the FIL-MAC is neither
PRF nor “shrinking”? Perhaps, most practically relevant case!
(a) FIL-MAC is typically a block cipher.(b) overkill to assume it is a PRF!
Hash-then-MAC Use a hash function to map to a short
message, then apply the FIL-MAC.
If FIL-MAC is a PRF, then an almost-universal hash function works.
With general FIL-MACs, need collision-resistant hash functions!
CBC-MAC Popular domain extension technique for
MACs
Secure if FIL-MAC is a PRF [BKR94].
Simple attack possible with general FIL-MACs [AB99].
Cascade construction Also called Merkle-Damgard construction.
Need a shrinking FIL-MAC.
If FIL-MAC is a PRF, one can chop the output and apply Cascade.
With general FIL-MACs, can chop at most logarithmic number of output bits Very Inefficient (+ poor exact security)
Naor-Reingold construction A very nice technique of getting PRFs
from UFs.
Need to extract a hardcore bit for every output bit of PRF. Very inefficient
Feistel Network 3-rounds already secure if FIL-MAC is a PRF. With general FIL-MACs, [AB99] gave an
attack on 3-round Feistel. “more rounds do not appear to help” [AB]
Our result : With general FIL-MACs, k-round Feistel network is a secure MAC if and only if k=(log n). Extend [AB99] to show that upto logarithmic
number of rounds do not help in general. Somewhat surprisingly, secure with more rounds!
More efficient AIL-MAC? Above method is still somewhat inefficient
for large inputs. To get domain size (n2i), need (log n)i round
Feistel network. Moreover, digest size grows as big as the
domain! Can this be improved?
Yes! Optimize our technique to get 2n n bit MAC. Use existing techniques for “shrinking” MACs
(variants of Cascade).
More efficient AIL-MAC How to get 2nn bit MAC? Chop n bits from the Feistel network output?
Cannot directly apply our technique. With a little work, show that (log n) rounds are still
necessary and sufficient! Our suggestion to practitioners: apply any secure
variant of Cascade to the 2nn MAC obtained by Halving the output of an (log n)-round Feistel
network applied to any secure n-bit block cipher Halving the output of a secure 2n-bit block cipher
itself, if the block cipher is already Feistel-based! Note: this requires at least 256-bit block cipher
Other Applications
Verifiable Random Functions Verifiable Random Functions (VRFs) are
verifiable analogues of PRFs. Given secret key SK:
Can compute VRF f and provide proofs of correctness of f outputs.
Still cannot give proofs for two different outputs for the same input (even for adversarial PK!).
Given public key PK: Can verify proofs of correctness of f outputs. All “unproved” outputs still look random.
Several known constructions [MRV,L,DY,D].
Verifiable Random Permutations We introduce VRPs, similarly natural
verifiable analogues of PRPs. Can we build them from VRFs, just
like PRPs from PRFs? First Attempt: Use a 4-round Feistel
network with VRFs in each round and apply the Luby-Rackoff result. Doesn’t work: need to explicitly give
round values (and their proofs) to prove VRP outputs.
Constructing VRPs from VRFs Use our proof technique that works even if
round values are public.
Result : An (log n) round Feistel network with VRFs as round functions is a verifiable random permutation. Cannot improve to O(log n) rounds, since our
attack works in this case as well.
Applications of VRPs
Non-interactive setup-free perfectly binding commitments.
Non-interactive Lottery. “Invariant Signatures” of [GO92] for NIZKs. Verifiable CBC Encryption/Decryption. Verifiable huge (pseudo)random objects. “Proof-transferrable” implementation of
Ideal Cipher Model.
Non-interactive commitments Non-interactive, setup-free, perfectly-binding
commitments. Best known construction uses one-way permutations
(Naor’s OWF-based commitment uses setup) We note that VRPs work for this purpose.
To commit to m, send (SK(m),PK). To open commitment, send m and the proof for SK(m). Hiding : easy Perfect Binding : a permutation even if PK is chosen
maliciously Note: VRFs do not suffice even for computational binding!
Nevertheless, using our VRF VRP construction, we get such commitments from VRFs Incomparable assumption to OWPs.
Non-interactive Lottery Micali-Rivest suggest using a VRF f.
Dealer publishes PK, and user selects X.
The user wins if fSK(X) satisfies some pre-
determined predicate.
Problem: Dealer can cheat by choosing PK such
that fSK(X) never satisfies the predicate!
Using a VRP instead solves this problem. A permutation even for malicious keys.
Moreover, can determine number of winners beforehand!
VUPs and more… We also give a way to construct verifiable
unpredictable permutations from verifiable unpredictable functions. Using (log n) round Feistel network. Again, O(log n) rounds is not enough Note: this uses full power of our technique.
Hopefully, more applications of our technique will emerge in future…
Summary New understanding of Feistel network with a
weak security requirement on round functions. 5-XOR-resistance, implied by both UFs & PRFs.
Number of rounds we predict is closer to the one used in current block ciphers.
First efficient domain extension for MACs (starting with length-preserving MACs).
Verifiable Random Permutations and applications.
Unpredictable PermutationUP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation.
Part I: UFs are 5-XOR resistant
f
Independently generated UFs
Feistel construction
randomly guess query number where XOR adversary wins
Random round number i
For a forward query, hopefully Ri+1 is:•A new round value.•XOR of previous round values.
If so, thenf(R_i) = Ri-1 XOR of existing round values. (choose at random)
Unpredictable PermutationUP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation.
Part II : Use the combinatorial “Main Theorem” to argue no collisions of (k/2)th round value.
Unpredictable PermutationUP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation.
Part III : No (k/2)th round collision UP
f
Independently generated UFs
Feistel construction
Round number (k/2)
Queries made byUP adversary (use f oracle)
Prediction inputPrediction output
get Rk/2 get R(k/2)+1Now f(Rk/2)=R(k/2)-1 R(k/2)+1
No middle round value collision Rk/2 is a new input to f.
Main TheoremMain Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.
Rn/2 in query b = Rn/2 in query a
(b)
(a)
fn/2-1(Rn/2-1a)=Rn/2
b Rn/2-2a
Rn/2-2b Rn/2-1
b Rn/2b
Rn/2-2a Rn/2-1
a Rn/2a
(b’)Rn/2-2
b’ Rn/2-1b’ Rn/2
b’
Rn/2-1 in query b’ = Rn/2-1 in query a
fn/2-2(Rn/2-2a)=Rn/2-1
b’ Rn/2-3a
Part I: Existence of Collision Queries
Main TheoremMain Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.
(b1)
(b3)
Rib1 Ri+1
b1 Ri+2b1
Rib3 Ri+1
b3 Ri+2b3
(b2)Ri
b2 Ri+1b2 Ri+2
b2
Part II: Permitted orders of collision queries.f(Ri+1
b3)=Rib2 Ri+2
b1
Main TheoremMain Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.
(b1)
(b3)
Rib1 Ri+1
b1 Ri+2b1
Rib3 Ri+1
b3 Ri+2b3
(b2)Ri
b2 Ri+1b2 Ri+2
b2
Part III: More and more and … more collision queries!
Ri-1b3Ri-2
b3
f(Ri-1b3)=Ri-2
b3 f(Ri+1b2) Ri+2
b1
=Ri-2b3 Ri+2
b2 Rib2 Ri+2
b1
(c1)Ri-1
c1
(ci)
Main Theorem
Show that we are not “double counting” queries.
Formulate a recursion on the number of queries to get a closed form expression.
Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.
