1 / 38

Feistel Networks made Public, and Applications.

Feistel Networks made Public, and Applications. Yevgeniy Dodis Prashant Puniya. L. R. f. Round function. Round values. f. Round function output. S. T. Feistel Network. Construction of a permutation on 2n bits from a n n bit function f . Easily invertible.

joella
Download Presentation

Feistel Networks made Public, and Applications.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Feistel Networks made Public, and Applications. Yevgeniy Dodis Prashant Puniya

  2. L R f Round function Round values f Round function output S T Feistel Network • Construction of a permutation on 2n bits from a nn bit function f. • Easily invertible. • Feistel Network : Iterated Feistel Construction. One round Feistel Construction

  3. Block Cipher Design • Several practical block ciphers based on Feistel network. • DES, Blowfish, Triple DES… • Use 16-48 round Feistel network • Theoretical basis? • Luby-Rackoff showed that 4 rounds of Feistel with pseudorandom round functions is a PRP. • Several improvements: Naor-Reingold, Patarin, Ramzan-Reyzin… • All apply to 3-6 rounds of Feistel. • Why the disconnect?

  4. Reason 1 • Round functions are not pseudorandom functions. • All above theoretical results assume some of the round functions to be PRFs. • Round functions in actual block ciphers are heuristically designed and aren’t pseudorandom. • Maybe expect less from round functions. • Weaker assumptions on round functions, such as unpredictability?

  5. Reason 2 • Cannot argue secrecy of round values. • Necessary for any of the theoretical results to be applicable. • May not necessarily hold for actual block ciphers with non-pseudorandom round functions. • Example: need not hold for unpredictable fns. • More generally, there may be situations where this has to be the case (more details later).

  6. Summary • All theoretical results are inapplicable once we relax the above assumptions, i.e. when • Round functions may not be PRFs. • Cannot argue secrecy of round values. • In fact, we give a simple attack on the Feistel network in the paper if either of these assumptions does not hold.

  7. Our results (in brief) • Negative Results: • If round values are public, O(log n) round Feistel network is insecure. • With unpredictable round fns., O(log n) rounds need not be secure (even if round values aren’t explicitly revealed) • An attack using exponential (in # of rounds) queries. • Positive results: • (log n) rounds preserve PR/Unpredictability even if round values are leaked.

  8. Implications for Block Ciphers • If round functions are pseudorandom • O(log n) round Feistel is insecure if round values revealed. • (log n) round Feistel is a PRP even if round values revealed! • If round functions are only unpredictable • O(log n) round Feistel need not be secure even if round values are not explicitly revealed. • (log n) round Feistel is an unpredictable permutation (UP). • Safe fallback security for block ciphers. • Even for stronger security notions • Forces a weaker/more clever attack for (log n) rounds. • Possible that weaker than PRF round functions suffice! • (log n) matches the number of rounds in block ciphers much better than previous results. • E.g. DES on 64 bits uses 16 rounds.

  9. Our results (in brief) • Negative Results: • If round values are public, O(log n) round Feistel network is insecure. • With unpredictable round fns., O(log n) rounds need not be secure (even if round values aren’t explicitly revealed) • An attack using exponential (in # of rounds) queries. • Positive results: • (log n) rounds preserve PR/Unpredictability even if round values are leaked. • Give a general abstraction for the Feistel network. • Many other applications (stay tuned!)

  10. A useful abstraction. • We describe a simple combinatorial game involving the Feistel network which is applicable to all scenarios that we consider. • Involves a k-round Feistel network and an attacker A. • A makes forward/inverse queries to Feistel. • Can see all intermediate round values. • Goal : Force a collision of the middle ((k/2)th) round values of two different queries.

  11. Negative Result • We describe an attacker that wins this combinatorial game. • The attacker makes O(1.62k) queries to the k-round Feistel network. • Works for arbitrary round functions • Hence, works in polynomial time for the O(log n)-round Feistel network.

  12. Matching Positive Result • We find a sufficient combinatorial condition on the round functions such that no efficient attacker can win if k=(log n). • 5-XOR game: • Same rules as the main combinatorial game. • Goal : Attacker wins if some “new” round function output = XOR of upto 5 previous round values. • 5-XOR resistant functions : resist such attacks. Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.

  13. Matching Positive Result (contd.) • This is a purely deterministic result. • If attacker does not win the 5-XOR game, then it cannot find a (k/2)th round value collision with less than O(1.38k/2) queries. • Using 5-XOR-resistance? • Relatively weak property, easily proven to hold for UFs and PRFs • Applied to PRFs (log n) round Feistel is PRP (even if the round values are public!). • Applied to UFs (log n) round Feistel is UP (even if the round values are public!). • Implication to Domain extension of MACs!

  14. Domain Extension of MACs • Problem : Given a fixed-length input (FIL) MAC, construct an arbitrary-length input (AIL) MAC. • Well studied if FIL-MAC is a PRF (in fact, often get AIL-PRF). • Also well studied if FIL-MAC is “shrinking” (variants of Cascade construction work) [AB99,MS05]. • Grey Area: What if the FIL-MAC is neither PRF nor “shrinking”? • Perhaps, most practically relevant case! (a) FIL-MAC is typically a block cipher. (b) overkill to assume it is a PRF!

  15. Hash-then-MAC • Use a hash function to map to a short message, then apply the FIL-MAC. • If FIL-MAC is a PRF, then an almost-universal hash function works. • With general FIL-MACs, need collision-resistant hash functions!

  16. CBC-MAC • Popular domain extension technique for MACs • Secure if FIL-MAC is a PRF [BKR94]. • Simple attack possible with general FIL-MACs [AB99].

  17. Cascade construction • Also called Merkle-Damgard construction. • Need a shrinking FIL-MAC. • If FIL-MAC is a PRF, one can chop the output and apply Cascade. • With general FIL-MACs, can chop at most logarithmic number of output bits • Very Inefficient (+ poor exact security)

  18. Naor-Reingold construction • A very nice technique of getting PRFs from UFs. • Need to extract a hardcore bit for every output bit of PRF. • Very inefficient

  19. Feistel Network • 3-rounds already secure if FIL-MAC is a PRF. • With general FIL-MACs, [AB99] gave an attack on 3-round Feistel. • “more rounds do not appear to help” [AB] • Our result : With general FIL-MACs, k-round Feistel network is a secure MAC if and only if k=(log n). • Extend [AB99] to show that upto logarithmic number of rounds do not help in general. • Somewhat surprisingly, secure with more rounds!

  20. More efficient AIL-MAC? • Above method is still somewhat inefficient for large inputs. • To get domain size (n2i), need (log n)i round Feistel network. • Moreover, digest size grows as big as the domain! • Can this be improved? • Yes! • Optimize our technique to get 2n  n bit MAC. • Use existing techniques for “shrinking” MACs (variants of Cascade).

  21. More efficient AIL-MAC • How to get 2nn bit MAC? • Chop n bits from the Feistel network output? • Cannot directly apply our technique. • With a little work, show that (log n) rounds are still necessary and sufficient! • Our suggestion to practitioners: apply any secure variant of Cascade to the 2nn MAC obtained by • Halving the output of an w(log n)-round Feistel network applied to any secure n-bit block cipher • Halving the output of a secure 2n-bit block cipher itself, if the block cipher is already Feistel-based! • Note: this requires at least 256-bit block cipher

  22. Other Applications

  23. Verifiable Random Functions • Verifiable Random Functions (VRFs) are verifiable analogues of PRFs. • Given secret key SK: • Can compute VRF f and provide proofs of correctness of f outputs. • Still cannot give proofs for two different outputs for the same input (even for adversarial PK!). • Given public key PK: • Can verify proofs of correctness of f outputs. • All “unproved” outputs still look random. • Several known constructions [MRV,L,DY,D].

  24. Verifiable Random Permutations • We introduce VRPs, similarly natural verifiable analogues of PRPs. • Can we build them from VRFs, just like PRPs from PRFs? • First Attempt: Use a 4-round Feistel network with VRFs in each round and apply the Luby-Rackoff result. • Doesn’t work: need to explicitly give round values (and their proofs) to prove VRP outputs.

  25. Constructing VRPs from VRFs • Use our proof technique that works even if round values are public. • Result : An (log n) round Feistel network with VRFs as round functions is a verifiable random permutation. • Cannot improve to O(log n) rounds, since our attack works in this case as well.

  26. Applications of VRPs • Non-interactive setup-free perfectly binding commitments. • Non-interactive Lottery. • “Invariant Signatures” of [GO92] for NIZKs. • Verifiable CBC Encryption/Decryption. • Verifiable huge (pseudo)random objects. • “Proof-transferrable” implementation of Ideal Cipher Model.

  27. Non-interactive commitments • Non-interactive, setup-free, perfectly-binding commitments. • Best known construction uses one-way permutations (Naor’s OWF-based commitment uses setup) • We note that VRPs work for this purpose. • To commit to m, send (SK(m),PK). • To open commitment, send m and the proof for SK(m). • Hiding : easy • Perfect Binding : a permutation even if PK is chosen maliciously • Note: VRFs do not suffice even for computational binding! • Nevertheless, using our VRF  VRP construction, we get such commitments from VRFs • Incomparable assumption to OWPs.

  28. Non-interactive Lottery • Micali-Rivest suggest using a VRF f. • Dealer publishes PK, and user selects X. • The user wins if fSK(X) satisfies some pre-determined predicate. • Problem: Dealer can cheat by choosing PK such that fSK(X) never satisfies the predicate! • Using a VRP instead solves this problem. • A permutation even for malicious keys. • Moreover, can determine number of winners beforehand!

  29. VUPs and more… • We also give a way to construct verifiable unpredictable permutations from verifiable unpredictable functions. • Using (log n) round Feistel network. • Again, O(log n) rounds is not enough • Note: this uses full power of our technique. • Hopefully, more applications of our technique will emerge in future…

  30. Summary • New understanding of Feistel network with a weak security requirement on round functions. • 5-XOR-resistance, implied by both UFs & PRFs. • Number of rounds we predict is closer to the one used in current block ciphers. • First efficient domain extension for MACs (starting with length-preserving MACs). • Verifiable Random Permutations and applications.

  31. Feistel construction Random round number i Independently generated UFs • For a forward query, hopefully Ri+1 is: • A new round value. • XOR of previous round values. If so, then f(R_i) = Ri-1 XOR of existing round values. (choose at random) randomly guess query number where XOR adversary wins Unpredictable Permutation UP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation. Part I: UFs are 5-XOR resistant f

  32. Unpredictable Permutation UP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation. Part II : Use the combinatorial “Main Theorem” to argue no collisions of (k/2)th round value.

  33. Feistel construction Round number (k/2) Independently generated UFs Queries made by UP adversary (use f oracle) Prediction output Prediction input get Rk/2 Now f(Rk/2)=R(k/2)-1 R(k/2)+1 get R(k/2)+1 Unpredictable Permutation UP Theorem: A k=(log n) round Feistel construction with independent UFs in each round is an unpredictable permutation. Part III : No (k/2)th round collision  UP f No middle round value collision  Rk/2 is a new input to f.

  34. (b’) (b) (a) Main Theorem Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries. Part I: Existence of Collision Queries Rn/2-2b Rn/2-1b Rn/2b Rn/2 in query b = Rn/2 in query a Rn/2-2b’ Rn/2-1b’ Rn/2b’ fn/2-1(Rn/2-1a)=Rn/2b Rn/2-2a Rn/2-1 in query b’ = Rn/2-1 in query a fn/2-2(Rn/2-2a)=Rn/2-1b’ Rn/2-3a Rn/2-2a Rn/2-1a Rn/2a

  35. (b1) (b2) (b3) Main Theorem Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries. Part II: Permitted orders of collision queries. f(Ri+1b3)=Rib2 Ri+2b1 Rib1 Ri+1b1 Ri+2b1 Rib2 Ri+1b2 Ri+2b2 Rib3 Ri+1b3 Ri+2b3

  36. (b2) (b1) (c1) (ci) (b3) Main Theorem Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries. Part III: More and more and … more collision queries! Rib1 Ri+1b1 Ri+2b1 Rib2 Ri+1b2 Ri+2b2 f(Ri-1b3)=Ri-2b3 f(Ri+1b2) Ri+2b1 Ri-1c1 =Ri-2b3 Ri+2b2 Rib2 Ri+2b1 Ri-2b3 Ri-1b3 Rib3 Ri+1b3 Ri+2b3

  37. Main Theorem • Show that we are not “double counting” queries. • Formulate a recursion on the number of queries to get a closed form expression. Main Theorem: If round functions of a k-round Feistel network are 5-XOR resistant, then no attacker can find a (k/2)th round value collision within O(1.38k/2) queries.

  38. Questions?

More Related