3.1 Restriction to ρ1(x) = (x ≪ a) and ρ2(x) = (x ≪ b)
Pen and Paper Arguments for SIMON and SIMON-like Designs
Now, consider the following three elements x, y, z:

x = (0, …, 0, 1^{(a)}, 0, …, 0)  ⇒  L_α(x) = (1^{(0)}, 0, …, 0, α_{2a}^{(a)}, 0, …, 0)
y = (0, …, 0, 1^{(a+i)}, 0, …, 0)  ⇒  L_α(y) = (0, …, 1^{(i)}, 0, …, 0, α_{i+2a}^{(i+a)}, 0, …, 0)
z = 1  ⇒  L_α(z) = (α ≪ a) ⊕ α

Clearly, L_α(x) and L_α(y) are linearly independent. To show that L_α(z) ∉ span{L_α(x), L_α(y)}, consider the two cases
(i) α_{i+2a} = 0: Then L_α(y)_{i+a} = 0. Since L_α(z)_{n−a} = 1 and n − a ∉ {0, i, a}, the linear independence follows.
(ii) α_{i+2a} = 1: Then i + 2a mod n ∈ {0, i} because of the construction of α. However, since 2a ≠ 0 mod n, it follows that i + 2a = 0 mod n. Hence, 2a = n − i. Now 2a ≠ i, because otherwise n = 4a which is contradictory to gcd(a, n) = 1 (since n ≥ 6). Thus L_α(x)_a = 0. In addition, i ≠ a because otherwise 3a = 0 mod n which is also contradictory to gcd(a, n) = 1. Now, L_α(z)_{i−a mod n} = 1 and i − a ∉ {0, i, i + a}.
In all cases, we thus have p_α ≤ 2^{−2} if α ≠ 0 and p_0 = 1. The interesting property is the fact that p_α ≤ 2^{−wt(α)−1} if α has a Hamming weight of 2. This is what we make use of in the following arguments. The basic idea is to guarantee enough transitions with a probability ≤ 2^{−3} before a zero input difference into f_S occurs (then p_0 = 1). This allows us to catch up the factor 2^{−2} that we lose for the zero input difference. Otherwise, if we were not able to guarantee the tighter bound described in Lemma 2 (2), the input difference into f_S of every second round might be equal to zero in the worst case and our argument would only provide the trivial bound of 2^{−T} over T rounds. See also Fig. 1 for an illustration.
For the formal proof, we give Corollary 1 at first. It is an implication of Lemma 1 for the Simon-like f function.
Corollary 1. Let for all non-zero differences α, β and all t ≥ 1 the differential probability of any t-round characteristic starting with (0, α) and ending with (0, β) be upper bounded by 2^{−2t}. Let further p_α ≤ 2^{−2}. Then,
P(C) ≤ 2^{−2T+2}
for any non-trivial T-round characteristic C with T > 0.
Proof. With the notation in Lemma 1, it is p(t) = 2^{−2t} and q = 2^{−2}. Thus,
P(C) ≤ max_{k≤T} p(k) q^{T−k−1} = max_{k≤T} 2^{−2k} · 2^{−2T+2k+2} = 2^{−2T+2}.
Thus, in order to prove an upper bound on the probability of a differential characteristic of 2^{−2T+2} we only have to concentrate on t-round characteristics of the form (0, α) → ··· → (0, β) and prove an upper bound of 2^{−2t} for all of these. We further can restrict ourselves to the shortest characteristics of this form, i.e. γ^i ≠ 0 for all intermediate γ^i. The reason is that one can easily concatenate these short characteristics to longer ones for which the property holds as well.
We have to do the analysis for a specific choice of the linear mapping θ. As a more general case, Theorem 2 formulates a sufficient condition for the argument to work. For a linear mapping θ : F_2^n → F_2^n, the differential branch number is defined as the minimum number of active bits in the differential (α →^θ θ(α)), formally
B_θ := min_{α≠0} {wt(α) + wt(θ(α))}.
Theorem 2. Let B_θ ≥ 11. Then for any distinct a, b and any n fulfilling the properties of Lemma 2, the probability of a T-round differential characteristic is upper bounded by 2^{−2T+2}.
Proof. Fix a t-round characteristic of the form
(0, α) → (γ^1 = α, 0) → (γ^2, δ^2) → ··· → (γ^{t−1}, δ^{t−1}) → (0, β)
with γ^i ≠ 0 for all i ∈ {1, …, t − 1}. Thus, we have p_{γ^i} ≤ 2^{−2} for all i. Since γ^1 = α and (0, α) → (α, 0) holds with certainty (p_0 = 1), we have to show that either p_{γ^i} ≤ 2^{−4} for at least one i or that p_{γ^i}, p_{γ^j} ≤ 2^{−3} for at least two distinct indices i, j. In other words, one has to make sure to gain a factor of 2^{−2} within the characteristic. In order to show this, we make use of Lemma 2. If wt(α) ≥ 4, we are clearly done since p_{γ^1} = p_α ≤ 2^{−wt(α)}. We thus have to distinguish 3 cases.
(i) wt(α) = 1: Because of the branch number, it is wt(θ(x) ⊕ θ(x ⊕ α)) ≥ 10. Since further wt(ρ(x) ⊕ ρ(x ⊕ α)) ≤ 2, we have wt(γ^2) ≥ 8 and p_{γ^2} ≤ 2^{−4}.
(ii) wt(α) = 2: It is wt(θ(x) ⊕ θ(x ⊕ α)) ≥ 9 and wt(ρ(x) ⊕ ρ(x ⊕ α)) ≤ 4. Thus, wt(γ^2) ≥ 5 and therefore p_{γ^2} ≤ 2^{−4}.
(iii) wt(α) = 3: We already have p_α ≤ 2^{−3}. Since wt(θ(x) ⊕ θ(x ⊕ α)) ≥ 8 and wt(ρ(x) ⊕ ρ(x ⊕ α)) ≤ 6, it is wt(γ^2) ≥ 2 and therefore p_{γ^2} ≤ 2^{−3}.
See also Fig. 3 for the propagation of the differential Hamming weights.
We recall that θ does not have to be rotation invariant. Nevertheless, having a branch number of at least 11 is a quite restrictive property on a linear layer and in fact, for n = 16, there does not exist such a linear mapping. The reason is that the minimum distance d of any [32, 16, d] code over F_2 is at most 8 [19]. However, for n ∈ {24, 32, 48, 64}, such a linear mapping θ exists as one can also deduce from [19]. As the previous argument is more generic, we investigate the linear part of Simon in more detail in the rest of the paper.
3.2
Obtaining the Upper Bound for SIMON and Simeck
In the following, we consider the linear layer θ(x) = (x ≪ c) which has a branch number of only 2. Choosing (8, 1, 2) for the rotation constants (a, b, c), we obtain the round function of Simon. Theorem 3 states the same bound as above for all variants of Simon. Note that the results are dependent on the specific choice of the rotation constants, but can be proven for other choices in a similar way. Of course, it does not hold for all possible a, b and c. For example, if c = a or c = b, one obtains the trivial bound of 2^{−t} since
((1, 0, …, 0), 0) → (0, (1, 0, …, 0)) → ((1, 0, …, 0), 0)
would be a valid two-round iterative characteristic with probability 2^{−2}.

Fig. 3. Propagation of the differential Hamming weight for wt(α) ∈ {1, 2, 3}: with δ^2 = α, the ρ-differences have weight ≤ 2, ≤ 4, ≤ 6 and the θ-differences have weight ≥ 10, ≥ 9, ≥ 8, giving wt(γ^2) ≥ 8, ≥ 5, ≥ 2 respectively.
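As an added worked example (Python written for this page, not code from the paper), the following computes p_α = 2^{−dim Im L_α} for a Simon-like round function from the map L_α used in Lemma 2, reproduces the ∗-pattern of γ^2 for α = e_0 from the proof of Theorem 3, checks the Lemma 2 bounds (p_α ≤ 2^{−2} for α ≠ 0, p_α ≤ 2^{−3} for wt(α) = 2) exhaustively for n = 16, computes the branch number of θ(x) = (x ≪ 2), and confirms that the two-round iterative characteristic above exists exactly when c ∈ {a, b}. The word size n = 16, the function names and the exhaustive cross-check are choices made here; the index convention follows the proof of Theorem 3 (rotation to the right moves the bit at position i to position i + r).

```python
# Added example (not from the paper): p_alpha for a Simon-like round function
# f_S(x) = ((x >>> a) & (x >>> b)) ^ (x >>> c), Sect. 3 notation.  As in the proof of
# Theorem 3, ">>> r" moves bit i to bit i + r (mod n), so theta(e_0) = e_2 for c = 2,
# matching the tuples in the text.  For an input difference alpha the difference
# through the AND part is L_alpha(x) ^ rho(alpha) with the linear map L_alpha below,
# so U_alpha = Im L_alpha ^ f_S(alpha) and p_alpha = 2^(-dim Im L_alpha).  n = 16
# (Simon32) keeps the exhaustive checks cheap; the functions take any n.

def rot(x, r, n):
    """x >>> r in the paper's convention: bit i of x moves to bit (i + r) mod n."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def f_s(x, a, b, c, n):
    """Simon-like round function f_S(x) = rho(x) ^ theta(x), theta(x) = x >>> c."""
    return (rot(x, a, n) & rot(x, b, n)) ^ rot(x, c, n)

def l_alpha(alpha, x, a, b, n):
    """The map L_alpha(x) from the text; linear in x for fixed alpha."""
    return (rot(x, a, n) & rot(alpha, b, n)) ^ (rot(alpha, a, n) & rot(x, b, n))

def gf2_basis(vectors):
    """Echelon basis over GF(2) of integer bit-vectors: {leading bit: vector}."""
    pivots = {}
    for v in vectors:
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return pivots

def image_basis(alpha, a, b, n):
    """Basis of Im L_alpha, which is spanned by the images of the unit vectors e_j."""
    return gf2_basis(l_alpha(alpha, 1 << j, a, b, n) for j in range(n))

def log2_p(alpha, a, b, n):
    """-log2(p_alpha) = dim Im L_alpha; it is 0 for alpha = 0, i.e. p_0 = 1."""
    return len(image_basis(alpha, a, b, n))

def pattern(alpha, a, b, c, n):
    """U_alpha in the notation of the proof of Theorem 3, as a string indexed from
    position 0: '*' where a position varies over U_alpha, else its fixed value."""
    varying = 0
    for v in image_basis(alpha, a, b, n).values():
        varying |= v
    fixed = f_s(alpha, a, b, c, n)
    return "".join("*" if varying >> i & 1 else str(fixed >> i & 1) for i in range(n))

def lemma2_min_ranks(a, b, n):
    """Smallest dim Im L_alpha over nonzero alpha and over weight-2 alpha (Lemma 2: 2, 3).
    p_alpha is invariant under rotating alpha (rotate x along): scanning odd alpha suffices."""
    min_all = min_w2 = n
    for alpha in range(1, 1 << n, 2):
        r = log2_p(alpha, a, b, n)
        min_all = min(min_all, r)
        if bin(alpha).count("1") == 2:
            min_w2 = min(min_w2, r)
    return min_all, min_w2

def branch_number(theta, n):
    """Differential branch number B_theta = min over alpha != 0 of wt(alpha) + wt(theta(alpha))."""
    return min(bin(v).count("1") + bin(theta(v)).count("1") for v in range(1, 1 << n))

def zero_output_log2p(alpha, a, b, c, n):
    """-log2 Pr[f_S(x) ^ f_S(x ^ alpha) = 0], or None if 0 is not in U_alpha, i.e. if
    f_S(alpha) is not in Im L_alpha.  For alpha = e_0 a finite value is exactly the
    two-round iterative characteristic ((e_0, 0) -> (0, e_0) -> (e_0, 0)) of Sect. 3.2."""
    pivots = image_basis(alpha, a, b, n)
    extended = gf2_basis([*pivots.values(), f_s(alpha, a, b, c, n)])
    return len(pivots) if len(extended) == len(pivots) else None

def brute_force_matches(alpha, a, b, c, n):
    """Cross-check the algebra against an exhaustive count over all 2^n inputs: the
    observed output differences must be exactly U_alpha, each 2^(n - dim) times."""
    counts = {}
    for x in range(1 << n):
        beta = f_s(x, a, b, c, n) ^ f_s(x ^ alpha, a, b, c, n)
        counts[beta] = counts.get(beta, 0) + 1
    pivots = image_basis(alpha, a, b, n)
    span = {0}
    for v in pivots.values():
        span |= {s ^ v for s in span}
    u_alpha = {s ^ f_s(alpha, a, b, c, n) for s in span}
    return set(counts) == u_alpha and all(k == 1 << (n - len(pivots)) for k in counts.values())

if __name__ == "__main__":
    A, B, C, N = 8, 1, 2, 16  # Simon32 rotation constants (a, b, c) and word size
    for alpha in (0, 1, 1 | 1 << 7, 1 | 1 << 8):
        print(f"alpha={alpha:#06x}: p_alpha = 2^-{log2_p(alpha, A, B, N)}")
    print("gamma^2 pattern for alpha = e_0:", pattern(1, A, B, C, N))
    print("min dim Im L_alpha, nonzero / weight-2 alpha:", lemma2_min_ranks(A, B, N))
    print("branch number of x >>> 2:", branch_number(lambda x: rot(x, C, N), N))
    for c in (8, 1, 2):
        print(f"c={c}: zero output difference for e_0, -log2 p =", zero_output_log2p(1, A, B, c, N))
    print("exhaustive count agrees:", brute_force_matches(1 | 1 << 7, A, B, C, N))
```

Running the script for Simon32 prints p_α = 2^{−2} for α = e_0, 2^{−3} for α = e_0 + e_7 (the tight weight-2 case of Lemma 2) and 2^{−4} for α = e_0 + e_8, the pattern 0∗100000∗0000000 for γ^2 (the tuple (0, ∗, 1, 0, 0, 0, 0, 0, ∗, 0, …) of the proof), a branch number of 2 for x ≫ 2, and a zero output difference for e_0 only with c = 8 or c = 1, both with probability 2^{−2}.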
Theorem 3 (Bounds for Simon). Let n ∈ {16, 24, 32, 48, 64} and let θ(x) = (x ≪ 2). For the rotation constants a = 8, b = 1, the probability of any T-round differential characteristic is upper bounded by 2^{−2T+2}.
Proof. Again, fix a t-round characteristic of the form
(0, α) → (γ^1 = α, 0) → (γ^2, δ^2) → ··· → (γ^{t−1}, δ^{t−1}) → (0, β)
with γ^i ≠ 0 for all i ∈ {1, …, t − 1}. We have to show that either p_{γ^i} ≤ 2^{−4} for at least one i or that p_{γ^i}, p_{γ^j} ≤ 2^{−3} for at least two distinct indices i, j. In order to show this, Lemma 2 is used several times within this proof. Again, we have to distinguish 3 cases. Note that for simplicity with indices, we assume rotations to the right in the following. We use the ∗ symbol to indicate an unknown bit.
(i) wt(α) = 1: Considering the rotational equivalence, let w.l.o.g.
α = (1, 0, …, 0).
Recall that we get U_α = Im L_α ⊕ f_S(α). Since we assume
f_S : x ↦ ((x ≫ 8) ∧ (x ≫ 1)) ⊕ (x ≫ 2),
we obtain
γ^2 = (0, ∗_1, 1, 0, 0, 0, 0, 0, ∗_2, 0, 0, 0, 0, 0, 0, 0, …) ∈ U_α ⊕ 0.
Case 1 (∗_2 = 0): Then,
γ^3 = (1, 0, ∗, ∗, 1, 0, 0, 0, 0, ∗, ∗, 0, 0, 0, 0, 0, …) ∈ U_{γ^2} ⊕ α,
γ^4 = (0, ∗, ∗^†, ∗, ∗, ∗, 1, 0, ∗, 0, ∗, ∗, ∗, 0, 0, 0, …) ∈ U_{γ^3} ⊕ γ^2.
If now the weight of γ^4 is higher than 1, then p_{γ^3}, p_{γ^4} ≤ 2^{−3}. Thus, let wt(γ^4) = 1. It follows that
γ^5 = (1, 0, ∗, ∗, 1, 0, 0, ∗, 1, ∗, ∗, 0, 0, 0, ∗, 0, …) ∈ U_{γ^4} ⊕ γ^3
and thus p_{γ^5} ≤ 2^{−3}.
Case 2 (∗_2 = 1): Then p_{γ^2} ≤ 2^{−3} already holds and
γ^3 = (∗^‡, 0, ∗, ∗, 1, 0, 0, 0, 0, ∗, ∗, 0, 0, 0, 0, 0, …) ∈ U_{γ^2} ⊕ α.
Again, let w.l.o.g. wt(γ^3) = 1. It follows that
γ^4 = (0, ∗, 1, 0, 0, ∗, 1, 0, 1, 0, 0, 0, ∗, 0, 0, 0, …) ∈ U_{γ^3} ⊕ γ^2
and thus p_{γ^4} ≤ 2^{−3}.
†: This bit is only unknown if the bitlength is 16 bit (n = 16). Therefore, w.l.o.g. we assume this bit to be unknown. In the following, we may also consider certain bits to be unknown if the actual value does not matter for the proof.
‡: Of course, this bit is already equal to 1 if the bitlength n is greater than 16.
(ii) wt(α) = 2: Considering the rotational equivalence, let w.l.o.g.
α = (1, 0, …, 0, 1^{(i)}, 0, …, 0)
with i ≤ n/2. It follows that already p_α ≤ 2^{−3}.
Case 1 (i = 1): Then,
γ^2 = (0, ∗, ∗, 1, 0, 0, 0, 0, ∗, ∗, 0, 0, 0, 0, 0, 0, …) ∈ U_α ⊕ 0.
Again, let w.l.o.g. wt(γ^2) = 1. Then,
γ^3 = (1, 1, 0, 0, ∗, 1, 0, 0, 0, 0, 0, ∗, 0, 0, 0, 0, …) ∈ U_{γ^2} ⊕ α
and thus p_{γ^3} ≤ 2^{−3}.
Case 2 (i = 4): Then,
γ^2 = (0, ∗, 1, 0, 0, ∗, 1, 0, ∗, 0, 0, 0, ∗, 0, 0, 0, …) ∈ U_α ⊕ 0
and p_{γ^2} ≤ 2^{−3}.
Case 3 (i ≠ 1, i ≠ 4): Then,
γ^2 = (∗, ∗, 1, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, …) ∈ U_α ⊕ 0.
Again, let w.l.o.g. wt(γ^2) = 1. Then,
γ^3 = (1, ∗, ∗, ∗, 1, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, …) ∈ U_{γ^2} ⊕ α
and thus p_{γ^3} ≤ 2^{−3}.
(iii) wt(α) = 3: Let w.l.o.g. α = (1, 0, …, 1^{(i)}, 0, …, 1^{(j)}, 0, …, 0) with i ≥ n/3 because of the rotational invariance. Again, p_α ≤ 2^{−3}. Since n ≥ 16, it is i ≥ 6. We distinguish the following cases:
Case 1 (j ≠ n − 6, i ≠ n − 6): Then,
γ^2 = (∗, ∗, 1, ∗, ∗, ∗, ∗, ∗, …, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗) ∈ U_α ⊕ 0
and for wt(γ^2) = 1 we obtain
γ^3 = (1, 0, 0, ∗, 1, 0, ∗, ∗, …, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗) ∈ U_{γ^2} ⊕ α
such that p_{γ^3} ≤ 2^{−3}.
Case 2 (i = n − 6): Then,
γ^2 = (∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, …, ∗, ∗, ∗, ∗, 1^{(n−4)}, ∗, ∗, ∗) ∈ U_α ⊕ 0
if j ≠ n − 5 and
γ^2 = (∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, …, ∗, ∗, ∗, ∗, ∗, 1^{(n−3)}, ∗, ∗) ∈ U_α ⊕ 0
if j = n − 5. In both cases, for wt(γ^2) = 1 we obtain
γ^3 = (1^{(0)}, 0, 0, 0, ∗, ∗, 0, 0, …, 0, 0, 1^{(i)}, ∗, ∗, ∗, ∗, ∗) ∈ U_{γ^2} ⊕ α
such that p_{γ^3} ≤ 2^{−3}.
Case 3 (j = n − 6): Now, we still have to consider the two possibilities j − i ≠ 6 and j − i = 6. For the first case, one gets
γ^2 = (∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, …, ∗, ∗, ∗, ∗, 1^{(n−4)}, ∗, ∗, ∗) ∈ U_α ⊕ 0
and for wt(γ^2) = 1,
γ^3 = (1, ∗, ∗, ∗, ∗, ∗, ∗, ∗, …, ∗, ∗, ∗, ∗, ∗, ∗, 1^{(n−2)}, ∗) ∈ U_{γ^2} ⊕ α.
If j − i = 6, then,
γ^2 = (∗, ∗, ∗, ∗, …, ∗, ∗, 1^{(i+2)}, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗, ∗) ∈ U_α ⊕ 0
and for wt(γ^2) = 1,
γ^3 = (1^{(0)}, ∗, ∗, ∗, …, 1^{(i)}, ∗, ∗, ∗, 1, ∗, 1^{(j)}, ∗, ∗, ∗, ∗, ∗) ∈ U_{γ^2} ⊕ α.
Table 1. Number of rounds needed for bounding the differential probability of a characteristic by 2^{−2n} for all instances of Simon and Simeck. A row marked with ∗ indicates that there is an appropriate instance of Simeck with the same number of rounds (Simeck32/64, Simeck48/96 and Simeck64/128).

Instance        Rounds   Rounds needed   Margin κ
Simon32/64 ∗    32       17              15
Simon48/72      36       25              11
Simon48/96 ∗    36       25              11
Simon64/96      42       33              9
Simon64/128 ∗   44       33              11
Simon96/96      52       49              3
Simon96/144     54       49              5
Simon128/128    68       65              3
Simon128/192    69       65              4
Simon128/256    72       65              7
Using a similar argument, one obtains the bounds for Simeck as the following theorem states.
Theorem 4 (Bounds for Simeck). Let n ∈ {16, 24, 32} and θ(x) = (x ≪ 1). For the rotation constants a = 5, b = 0, the probability of any T-round differential characteristic is upper bounded by 2^{−2T+2}.
Interestingly, for every instance of Simon and Simeck, it turns out that our approach is sufficient in order to bound the probability of differential characteristics below 2^{−2n} where n denotes the bit length of one Feistel branch. For n up to 32, the security margin κ of the corresponding primitive(s) can be considered as reasonable. See Table 1 for a comparison.
4 Conclusion
We presented a more general description of Simon-like designs by separating the round function into a linear and a non-linear component and proved upper bounds on the probability of differential characteristics for specific instances. In fact, we developed a non-experimental security argument on full-round versions of Simon that can be verified by pen and paper. We hope that this work encourages further research on analyzing Simon-like designs. An open question is whether our approach can be generalized in order to obtain better bounds over multiple rounds. However, as described earlier, we believe that such an argument would be much more complex. Furthermore, it would be favorable to avoid the consideration of every special case individually. This is related to the question of how to design the linear part θ in this set-up.
Acknowledgements. The author's work was supported by DFG Research Training Group GRK 1817 Ubicrypt. Special thanks go to Gregor Leander for his valuable suggestions and comments.
References
1. Abdelraheem, M.A., Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P.: Improved linear cryptanalysis of reduced-round SIMON-32 and SIMON-48. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 153–179. Springer International Publishing, Heidelberg (2015)
2. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)
3. Alizadeh, J., Bagheri, N., Gauravaram, P., Kumar, A., Sanadhya, S.K.: Linear cryptanalysis of round reduced SIMON. Cryptology ePrint Archive, Report 2013/663 (2013). http://eprint.iacr.org/2013/663
4. Alkhzaimi, H.A., Lauridsen, M.M.: Cryptanalysis of the SIMON family of block ciphers. Cryptology ePrint Archive, Report 2013/543 (2013). http://eprint.iacr.org/2013/543
5. Ashur, T.: Improved linear trails for the block cipher Simon. Cryptology ePrint Archive, Report 2015/285 (2015). http://eprint.iacr.org/
6. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/2013/404
7. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: SIMON and SPECK: block ciphers for the internet of things. In: NIST Lightweight Cryptography Workshop, Vol. 2015 (2015)
8. Beierle, C., Jovanovic, P., Lauridsen, M.M., Leander, G., Rechberger, C.: Analyzing permutations for AES-like ciphers: understanding ShiftRows. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 37–58. Springer, Heidelberg (2015)
9. Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO (2010). http://crypto.rd.francetelecom.com/ECHO/
10. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: The Keccak reference. Submission to NIST (Round 3), 13 (2011)
11. Biham, E., Anderson, R., Knudsen, L.R.: Serpent: a new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, p. 222. Springer, Heidelberg (1998)
12. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)
13. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
14. Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
15. Chen, H., Wang, X.: Improved linear hull attack on round-reduced SIMON with dynamic key-guessing techniques. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 428–449. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_22
16. Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, KU Leuven, March 1995
17. Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1–2), 85–104 (2009)
18. Daemen, J., Rijmen, V.: AES Proposal: Rijndael (1998). http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
19. Grassl, M.: Bounds on the minimum distance of linear codes and quantum codes (2007). http://www.codetables.de. Accessed 15 Feb 2016
20. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015)
21. Kondo, K., Sasaki, Y., Iwata, T.: On the design rationale of SIMON block cipher: integral attacks and impossible differential attacks against SIMON variants. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 518–536. Springer, Heidelberg (2016). doi:10.1007/978-3-319-39555-5_28
22. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
23. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012)
24. Nyberg, K., Knudsen, L.: Provable security against a differential attack. J. Cryptol. 8(1), 27–37 (1995)
25. FIPS PUB 197: Advanced Encryption Standard (AES). National Institute of Standards and Technology (2001). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26. Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
27. Shirai, T., Preneel, B.: On Feistel ciphers using optimal diffusion mappings across multiple rounds. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 1–15. Springer, Heidelberg (2004)
28. Shirai, T., Shibutani, K.: Improving immunity of Feistel ciphers against differential cryptanalysis by using multiple MDS matrices. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 260–278. Springer, Heidelberg (2004)
29. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
30. Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_18
31. Wang, N., Wang, X., Jia, K., Zhao, J.: Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2014/448 (2014). http://eprint.iacr.org/2014/448
32. Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer International Publishing, Heidelberg (2014)
33. Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The Simeck family of lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 307–329. Springer, Heidelberg (2015)
Two-party Computation
Bounded Size-Hiding Private Set Intersection
Tatiana Bradley(B) , Sky Faber, and Gene Tsudik
University of California, Irvine, USA
tebradle@uci.edu
Abstract. Private Set Intersection (PSI) and other private set operations have many current and emerging applications. Numerous PSI techniques have been proposed that vary widely in terms of underlying cryptographic primitives, security assumptions as well as complexity. One recent strand of PSI-related research focused on an additional privacy property of hiding participants' input sizes. Despite some interesting results, only one practical size-hiding PSI (SH-PSI) has been demonstrated thus far [1].
One legitimate general criticism of size-hiding private set intersection is that the party that hides its input size can attempt to enumerate the entire (and possibly limited) domain of set elements, thus learning the other party's entire input set. Although this "attack" goes beyond the honest-but-curious model, it motivates investigation of techniques that simultaneously hide and limit a participant's input size. To this end, this paper explores the design of bounded size-hiding PSI techniques that allow one party to hide the size of its input while allowing the other party to limit that size. Its main contribution is a reasonably efficient (quasi-quadratic in input size) bSH-PSI protocol based on bounded keyed accumulators. This paper also studies the relationships between several flavors of the "Strong Diffie-Hellman" (SDH) problem.
Keywords: Private set intersection · Size hiding · Bounded input · Cryptographic accumulators · SDH problem

1 Introduction
Private set operations have many potential applications in secure cloud computing and storage, as well as other settings involving mutually suspicious parties that wish to divulge to each other nothing beyond the outcome of a particular set operation. This serves as one motivating factor for research in more efficient and more secure techniques. The other, no less important, factor is intellectual curiosity. There is something inherently appealing about private set operations, perhaps because they represent an interesting and realistic-sounding application domain for secure two-party computation.
The most natural and popular private set operation is Private Set Intersection (PSI), a cryptographic technique that allows two parties, server and client, to interact such that one or both of them (often, client) computes the intersection S ∩ C over their respective input sets S and C. Typically, server and client learn nothing beyond the size of each other's set and the resulting intersection. There are multiple PSI flavors with varying privacy properties, security models, complexities and underlying cryptographic primitives [1,8,13–18,22–25,27,28,33].
© Springer International Publishing Switzerland 2016
V. Zikas and R. De Prisco (Eds.): SCN 2016, LNCS 9841, pp. 449–467, 2016.
DOI: 10.1007/978-3-319-44618-9_24
One recent PSI research direction focused on techniques that additionally hide the input size of one participant. This property is sometimes called one-sided input size-hiding. This line of research is attractive because, in general, there are few cryptographic techniques that achieve non-padding-based input size-hiding. (See Sect. 2 for an overview of related work).
Meanwhile, one important criticism of size-hiding PSI (SH-PSI) is the unlimited nature of the size-hiding feature. In scenarios where the overall input domain is small¹, a dishonest client can enumerate all (or most) of the possible elements, use them as its input set and thus learn all (or most) of server's input set.
On the one hand, this criticism seems unfair because a client that enumerates,
and provides as input, elements that it does not actually have, goes beyond the
“honest-but-curious” (HbC) adversary model considered in, for example, [1]. On
the other hand, it could be that the entire notion of input size-hiding inherently
motivates a slightly diﬀerent adversary model than HbC.
Consequently, the main motivation for this paper is the need to combine hiding of one party's input size with the other party's ability to upper-bound it, i.e., to limit the amount of information potentially learned by the first party. Specifically, the goal is to explore PSI techniques that allow client to hide its set size while assuring server that it does not exceed some fixed threshold t. At first glance, it seems that this can be trivially met by modifying current SH-PSI, PSI or similar techniques.
One intuitive approach to bounded size-hiding is to amend any regular PSI protocol by having client always pad its (linear-size) input with dummy elements, up to the server-selected upper bound t. While this approach would meet our goals, we consider it to be undesirable, for several reasons:
– Padding by client always incurs O(t) computation and bandwidth costs, even if |C| and/or |S| are small relative to t.²
– Representation of dummy elements must be indistinguishable from that of their genuine counterparts. This very likely entails generating a random value for every dummy element, which, depending on the underlying PRNG, can involve as little computation as a hash, or as much as a large-integer arithmetic operation.
– If |C| < t, a misbehaving HbC client can easily cheat – and learn more about S than it is entitled to – by inserting extra actual elements into its input that it could later claim are just dummies.³
¹ For example: age, blood type, birthday, country, zip code, etc.
² In contrast, bSH-PSI incurs only O(|C|) costs, since client can download server's public key only once, ahead of time, i.e., off-line.
³ As discussed later, although the proposed bSH-PSI has the same issue, it discourages client's cheating by imposing a relatively high client computational cost for each additional element in the accumulator, up to the bound.