# 1 Restriction to 1(x) = (x A) and 2(x) = (x B)


Pen and Paper Arguments for SIMON and SIMON-like Designs


Now, consider the following three elements $x, y, z$:

$$x = (0, \dots, 0, 1^{(a)}, 0, \dots, 0) \;\Rightarrow\; L_\alpha(x) = (1^{(0)}, 0, \dots, 0, \alpha_{2a}^{(a)}, 0, \dots, 0)$$

$$y = (0, \dots, 0, 1^{(a+i)}, 0, \dots, 0) \;\Rightarrow\; L_\alpha(y) = (0, \dots, 1^{(i)}, 0, \dots, 0, \alpha_{i+2a}^{(i+a)}, 0, \dots, 0)$$

$$z = \mathbf{1} \;\Rightarrow\; L_\alpha(z) = (\alpha \lll a) \oplus \alpha$$

Clearly, $L_\alpha(x)$ and $L_\alpha(y)$ are linearly independent. To show that $L_\alpha(z) \notin \mathrm{span}\{L_\alpha(x), L_\alpha(y)\}$, consider the two cases:

(i) $\alpha_{i+2a} = 0$: Then $L_\alpha(y)_{i+a} = 0$. Since $L_\alpha(z)_{n-a} = 1$ and $n - a \notin \{0, i, a\}$, the linear independence follows.

(ii) $\alpha_{i+2a} = 1$: Then $i + 2a \bmod n \in \{0, i\}$ because of the construction of $\alpha$. However, since $2a \neq 0 \bmod n$, it follows that $i + 2a = 0 \bmod n$. Hence, $2a = n - i$. Now $2a \neq i$, because otherwise $n = 4a$, which contradicts $\gcd(a, n) = 1$ (since $n \geq 6$). Thus $L_\alpha(x)_a = 0$. In addition, $i \neq a$, because otherwise $3a = 0 \bmod n$, which also contradicts $\gcd(a, n) = 1$. Now, $L_\alpha(z)_{i-a \bmod n} = 1$ and $i - a \notin \{0, i, i+a\}$.

In all cases, we thus have $p_\alpha \leq 2^{-2}$ if $\alpha \neq 0$, and $p_0 = 1$. The interesting property is the fact that $p_\alpha \leq 2^{-\mathrm{wt}(\alpha)-1}$ if $\alpha$ has a Hamming weight of 2. This is what we make use of in the following arguments. The basic idea is to guarantee enough transitions with a probability $\leq 2^{-3}$ before a zero input difference into $f_S$ occurs (then $p_0 = 1$). This allows us to catch up the factor $2^{-2}$ that we lose for the zero input difference. Otherwise, if we were not able to guarantee the tighter bound described in Lemma 2 (2), the input difference into $f_S$ of every second round might be equal to zero in the worst case, and our argument would only provide the trivial bound of $2^{-T}$ over $T$ rounds. See also Fig. 1 for an illustration.

For the formal proof, we give Corollary 1 first. It is an implication of Lemma 1 for the Simon-like $f$ function.

Corollary 1. Let for all non-zero differences $\alpha, \beta$ and all $t \geq 1$ the differential probability of any $t$-round characteristic starting with $(0, \alpha)$ and ending with $(0, \beta)$ be upper bounded by $2^{-2t}$. Let further $p_\alpha \leq 2^{-2}$. Then,

$$P(C) \leq 2^{-2T+2}$$

for any non-trivial $T$-round characteristic $C$ with $T > 0$.

Proof. With the notation in Lemma 1, it is $p(t) = 2^{-2t}$ and $q = 2^{-2}$. Thus,

$$P(C) \leq \max_{k \leq T} p(k)\, q^{T-k-1} = \max_{k \leq T} 2^{-2k}\, 2^{-2T+2k+2} = 2^{-2T+2}.$$

Thus, in order to prove an upper bound of $2^{-2T+2}$ on the probability of a differential characteristic, we only have to concentrate on $t$-round characteristics of the form $(0, \alpha) \to \dots \to (0, \beta)$ and prove an upper bound of $2^{-2t}$ for all of these. We can further restrict ourselves to the shortest characteristics of this form, i.e. those with $\gamma^i \neq 0$ for all intermediate $\gamma^i$. The reason is that one can easily concatenate these short characteristics to longer ones for which the property holds as well.


C. Beierle

We have to do the analysis for a specific choice of the linear mapping $\theta$. As a more general case, Theorem 2 formulates a sufficient condition for the argument to work. For a linear mapping $\theta : \mathbb{F}_2^n \to \mathbb{F}_2^n$, the differential branch number is defined as the minimum number of active bits in the differential $(\alpha \xrightarrow{\theta} \theta(\alpha))$, formally

$$B_\theta := \min_{\alpha \neq 0} \{\mathrm{wt}(\alpha) + \mathrm{wt}(\theta(\alpha))\}.$$

Theorem 2. Let $B_\theta \geq 11$. Then for any distinct $a, b$ and any $n$ fulfilling the properties of Lemma 2, the probability of a $T$-round differential characteristic is upper bounded by $2^{-2T+2}$.

Proof. Fix a $t$-round characteristic of the form

$$(0, \alpha) \to (\gamma^1 = \alpha, 0) \to (\gamma^2, \delta^2) \to \dots \to (\gamma^{t-1}, \delta^{t-1}) \to (0, \beta)$$

with $\gamma^i \neq 0$ for all $i \in \{1, \dots, t-1\}$. Thus, we have $p_{\gamma^i} \leq 2^{-2}$ for all $i$. Since $\gamma^1 = \alpha$ and $(0, \alpha) \to (\alpha, 0)$ holds with certainty ($p_0 = 1$), we have to show that either $p_{\gamma^i} \leq 2^{-4}$ for at least one $i$ or that $p_{\gamma^i}, p_{\gamma^j} \leq 2^{-3}$ for at least two distinct indices $i, j$. In other words, one has to make sure to gain a factor of $2^{-2}$ within the characteristic. In order to show this, we make use of Lemma 2. If $\mathrm{wt}(\alpha) \geq 4$, we are clearly done since $p_{\gamma^1} = p_\alpha \leq 2^{-\mathrm{wt}(\alpha)}$. We thus have to distinguish 3 cases.

(i) $\mathrm{wt}(\alpha) = 1$: Because of the branch number, it is $\mathrm{wt}(\theta(x) \oplus \theta(x \oplus \alpha)) \geq 10$. Since further $\mathrm{wt}(\rho(x) \oplus \rho(x \oplus \alpha)) \leq 2$, we have $\mathrm{wt}(\gamma^2) \geq 8$ and $p_{\gamma^2} \leq 2^{-4}$.

(ii) $\mathrm{wt}(\alpha) = 2$: It is $\mathrm{wt}(\theta(x) \oplus \theta(x \oplus \alpha)) \geq 9$ and $\mathrm{wt}(\rho(x) \oplus \rho(x \oplus \alpha)) \leq 4$. Thus, $\mathrm{wt}(\gamma^2) \geq 5$ and therefore $p_{\gamma^2} \leq 2^{-4}$.

(iii) $\mathrm{wt}(\alpha) = 3$: We already have $p_\alpha \leq 2^{-3}$. Since $\mathrm{wt}(\theta(x) \oplus \theta(x \oplus \alpha)) \geq 8$ and $\mathrm{wt}(\rho(x) \oplus \rho(x \oplus \alpha)) \leq 6$, it is $\mathrm{wt}(\gamma^2) \geq 2$ and therefore $p_{\gamma^2} \leq 2^{-3}$.

See also Fig. 3 for the propagation of the differential Hamming weights.

We recall that θ does not have to be rotational invariant. Nevertheless, having

a branch number of at least 11 is a quite restrictive property on a linear layer

and in fact, for n = 16, there does not exist such a linear mapping. The reason

is that the minimum distance d of any [32, 16, d] code over F2 is at most 8 [19].

However, for n ∈ {24, 32, 48, 64}, such a linear mapping θ exists as one can also

deduce from [19]. As the previous argument is more generic, we investigate the

linear part of Simon in more detail in the rest of the paper.

Fig. 3 (figure not reproduced). Propagation of the differential Hamming weight for $\mathrm{wt}(\alpha) \in \{1, 2, 3\}$: starting from $(0, \alpha)$ with $\delta^2 = \alpha$, the weight of the difference through $\rho$ is $\leq 2$, $\leq 4$, $\leq 6$ and through $\theta$ is $\geq 10$, $\geq 9$, $\geq 8$, giving $\mathrm{wt}(\gamma^2) \geq 8$, $\geq 5$, $\geq 2$ respectively.

3.2 Obtaining the Upper Bound for SIMON and Simeck

In the following, we consider the linear layer $\theta(x) = (x \lll c)$, which has a branch number of only 2. Choosing $(8, 1, 2)$ for the rotation constants $(a, b, c)$, we obtain the round function of Simon. Theorem 3 states the same bound as above for all variants of Simon. Note that the results are dependent on the specific choice of the rotation constants, but can be proven for other choices in a similar way. Of course, it does not hold for all possible $a$, $b$ and $c$. For example, if $c = a$ or $c = b$, one obtains the trivial bound of $2^{-t}$ since

$$\big((1, 0, \dots, 0),\, 0\big) \to \big(0,\, (1, 0, \dots, 0)\big) \to \big((1, 0, \dots, 0),\, 0\big)$$

would be a valid two-round iterative characteristic with probability $2^{-2}$.
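As an added example (not the paper's own code), the following Python computes $p_\alpha = 2^{-\mathrm{rank}(L_\alpha)}$ for the Simon-like $f_S$ with rotation constants $(a, b)$, checks the Lemma 2 bounds for small weights by enumeration, and tests the two-round iterative characteristic above for a given $c$ by asking whether the output difference $0$ is reachable from the input difference $(1, 0, \dots, 0)$. Function names such as `rotl`, `deriv_L` and `gf2_rank` are this example's own; rotations are to the left as in the statement of Theorem 3.

```python
# Added example, not the paper's own code: differential probabilities of a
# Simon-like round function f(x) = f_S(x) ^ theta(x) on n-bit words, with
# f_S(x) = (x <<< a) & (x <<< b) and theta(x) = x <<< c. It relies on
# f_S(x) ^ f_S(x ^ alpha) = L_alpha(x) ^ f_S(alpha) with L_alpha linear, so each
# output difference in U_alpha = Im L_alpha ^ f_S(alpha) has probability
# p_alpha = 2^-rank(L_alpha). All function names are this example's own.
from itertools import combinations


def rotl(x, r, n):
    """Rotate the n-bit word x left by r positions."""
    r %= n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)

def f_S(x, a, b, n):
    """Non-linear part of the Simon-like round function."""
    return rotl(x, a, n) & rotl(x, b, n)

def deriv_L(alpha, x, a, b, n):
    """L_alpha(x): linear part of the derivative of f_S in direction alpha."""
    return (rotl(x, a, n) & rotl(alpha, b, n)) ^ (rotl(alpha, a, n) & rotl(x, b, n))

def gf2_rank(vectors):
    """Rank over GF(2) of ints viewed as bit vectors (elimination on the top bit)."""
    rows = [v for v in vectors if v]
    rank = 0
    while rows:
        pivot = max(rows)                    # row with the highest leading bit
        top = 1 << (pivot.bit_length() - 1)
        rows = [r ^ pivot if r & top else r for r in rows if r != pivot]
        rows = [r for r in rows if r]
        rank += 1
    return rank

def image_basis(alpha, a, b, n):
    """Images of the unit vectors e_i under L_alpha; they span Im L_alpha."""
    return [deriv_L(alpha, 1 << i, a, b, n) for i in range(n)]

def rank_L(alpha, a, b, n):
    """p_alpha = 2 ** -rank_L(alpha, a, b, n)."""
    return gf2_rank(image_basis(alpha, a, b, n))

def min_rank_for_weight(w, a, b, n):
    """Smallest rank (largest p_alpha) over all alpha of Hamming weight w;
    Lemma 2 promises >= 2 for w = 1 and >= 3 for w = 2."""
    return min(rank_L(sum(1 << i for i in pos), a, b, n)
               for pos in combinations(range(n), w))

def diff_prob_exponent(alpha, beta, a, b, c, n):
    """-log2 of P(alpha -> beta) through f = f_S ^ theta, or None if impossible:
    beta is reachable iff beta ^ f_S(alpha) ^ theta(alpha) lies in Im L_alpha."""
    basis = image_basis(alpha, a, b, n)
    target = beta ^ f_S(alpha, a, b, n) ^ rotl(alpha, c, n)
    if gf2_rank(basis + [target]) != gf2_rank(basis):
        return None
    return gf2_rank(basis)

def iterative_two_round_exponent(a, b, c, n):
    """-log2 probability of ((e_0, 0) -> (0, e_0) -> (e_0, 0)): round 1 needs
    output difference 0 from f on input e_0, round 2 (input 0) is free.
    None means the characteristic is invalid."""
    return diff_prob_exponent(1, 0, a, b, c, n)

def brute_force_count(alpha, beta, a, b, c, n):
    """Exhaustive cross-check: number of x with f(x) ^ f(x ^ alpha) == beta."""
    def f(x):
        return f_S(x, a, b, n) ^ rotl(x, c, n)
    return sum(1 for x in range(1 << n) if f(x) ^ f(x ^ alpha) == beta)
```

For Simon32 parameters $(a, b, n) = (8, 1, 16)$, `iterative_two_round_exponent` returns 2 for $c = a$ or $c = b$ (probability $2^{-2}$) and `None` for $c = 2$, and `brute_force_count` over all $2^{16}$ inputs confirms the counts.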

Theorem 3 (Bounds for Simon). Let $n \in \{16, 24, 32, 48, 64\}$ and let $\theta(x) = (x \lll 2)$. For the rotation constants $a = 8$, $b = 1$, the probability of any $T$-round differential characteristic is upper bounded by $2^{-2T+2}$.

Proof. Again, fix a $t$-round characteristic of the form

$$(0, \alpha) \to (\gamma^1 = \alpha, 0) \to (\gamma^2, \delta^2) \to \dots \to (\gamma^{t-1}, \delta^{t-1}) \to (0, \beta)$$

with $\gamma^i \neq 0$ for all $i \in \{1, \dots, t-1\}$. We have to show that either $p_{\gamma^i} \leq 2^{-4}$ for at least one $i$ or that $p_{\gamma^i}, p_{\gamma^j} \leq 2^{-3}$ for at least two distinct indices $i, j$. In order to show this, Lemma 2 is used several times within this proof. Again, we have to distinguish 3 cases. Note that for simplicity with indices, we assume rotations to the right in the following. We use the $*$ symbol to indicate an unknown bit.

(i) $\mathrm{wt}(\alpha) = 1$: Considering the rotational equivalence, let w.l.o.g. $\alpha = (1, 0, \dots, 0)$. Recall that we get $U_\alpha = \mathrm{Im}\, L_\alpha \oplus f_S(\alpha)$. Since we assume

$$f_S : x \mapsto \big((x \ggg 8) \wedge (x \ggg 1)\big) \oplus (x \ggg 2),$$

we obtain

$$\gamma^2 = (0, *_1, 1, 0, 0, 0, 0, 0, *_2, 0, 0, 0, 0, 0, 0, 0, \dots) \in U_\alpha \oplus 0.$$


Case 1 ($*_2 = 0$): Then,

$$\gamma^3 = (1, 0, *, *, 1, 0, 0, 0, 0, *, *, 0, 0, 0, 0, 0, \dots) \in U_{\gamma^2} \oplus \alpha,$$

$$\gamma^4 = (0, *, *^{\dagger}, *, *, *, 1, 0, *, 0, *, *, *, 0, 0, 0, \dots) \in U_{\gamma^3} \oplus \gamma^2.$$

If now the weight of $\gamma^4$ is higher than 1, then $p_{\gamma^3}, p_{\gamma^4} \leq 2^{-3}$. Thus, let $\mathrm{wt}(\gamma^4) = 1$. It follows that

$$\gamma^5 = (1, 0, *, *, 1, 0, 0, *, 1, *, *, 0, 0, 0, *, 0, \dots) \in U_{\gamma^4} \oplus \gamma^3$$

and thus $p_{\gamma^5} \leq 2^{-3}$.

Footnote 2 ($\dagger$): This bit is only unknown if the bitlength is 16 bit ($n = 16$). Therefore, w.l.o.g. we assume this bit to be unknown. In the following, we may also consider certain bits to be unknown if the actual value does not matter for the proof.

Case 2 ($*_2 = 1$): Then $p_{\gamma^2} \leq 2^{-3}$ already holds and

$$\gamma^3 = (*^{\ddagger}, 0, *, *, 1, 0, 0, 0, 0, *, *, 0, 0, 0, 0, 0, \dots) \in U_{\gamma^2} \oplus \alpha.$$

Again, let w.l.o.g. $\mathrm{wt}(\gamma^3) = 1$. It follows that

$$\gamma^4 = (0, *, 1, 0, 0, *, 1, 0, 1, 0, 0, 0, *, 0, 0, 0, \dots) \in U_{\gamma^3} \oplus \gamma^2$$

and thus $p_{\gamma^4} \leq 2^{-3}$.

Footnote 3 ($\ddagger$): Of course, this bit is already equal to 1 if the bitlength $n$ is greater than 16.

(ii) $\mathrm{wt}(\alpha) = 2$: Considering the rotational equivalence, let w.l.o.g.

$$\alpha = (1, 0, \dots, 0, 1^{(i)}, 0, \dots, 0)$$

with $i \leq \frac{n}{2}$. It follows that already $p_\alpha \leq 2^{-3}$.

Case 1 ($i = 1$): Then,

$$\gamma^2 = (0, *, *, 1, 0, 0, 0, 0, *, *, 0, 0, 0, 0, 0, 0, \dots) \in U_\alpha \oplus 0.$$

Again, let w.l.o.g. $\mathrm{wt}(\gamma^2) = 1$. Then,

$$\gamma^3 = (1, 1, 0, 0, *, 1, 0, 0, 0, 0, 0, *, 0, 0, 0, 0, \dots) \in U_{\gamma^2} \oplus \alpha$$

and thus $p_{\gamma^3} \leq 2^{-3}$.

Case 2 ($i = 4$): Then,

$$\gamma^2 = (0, *, 1, 0, 0, *, 1, 0, *, 0, 0, 0, *, 0, 0, 0, \dots) \in U_\alpha \oplus 0$$

and $p_{\gamma^2} \leq 2^{-3}$.


Case 3 ($i \neq 1$, $i \neq 4$): Then,

$$\gamma^2 = (*, *, 1, *, *, *, *, *, *, *, *, *, *, *, *, *, \dots) \in U_\alpha \oplus 0.$$

Again, let w.l.o.g. $\mathrm{wt}(\gamma^2) = 1$. Then,

$$\gamma^3 = (1, *, *, *, 1, *, *, *, *, *, *, *, *, *, *, *, \dots) \in U_{\gamma^2} \oplus \alpha$$

and thus $p_{\gamma^3} \leq 2^{-3}$.

(iii) $\mathrm{wt}(\alpha) = 3$: Let w.l.o.g. $\alpha = (1, 0, \dots, 1^{(i)}, 0, \dots, 1^{(j)}, 0, \dots, 0)$ with $i \geq \frac{n}{3}$ because of the rotational invariance. Again, $p_\alpha \leq 2^{-3}$. Since $n \geq 16$, it is $i \geq 6$. We distinguish the following cases:

Case 1 ($j \neq n - 6$, $i \neq n - 6$): Then,

$$\gamma^2 = (*, *, 1, *, *, *, *, *, \dots, *, *, *, *, *, *, *, *) \in U_\alpha \oplus 0$$

and for $\mathrm{wt}(\gamma^2) = 1$ we obtain

$$\gamma^3 = (1, 0, 0, *, 1, 0, *, *, \dots, *, *, *, *, *, *, *, *) \in U_{\gamma^2} \oplus \alpha$$

such that $p_{\gamma^3} \leq 2^{-3}$.

Case 2 ($i = n - 6$): Then,

$$\gamma^2 = (*, *, *, *, *, *, *, *, \dots, *, *, *, *, 1, *, *, *) \in U_\alpha \oplus 0$$

if $j \neq n - 5$ and

$$\gamma^2 = (*, *, *, *, *, *, *, *, \dots, *, *, *, *, *, 1, *, *) \in U_\alpha \oplus 0$$

if $j = n - 5$. In both cases, for $\mathrm{wt}(\gamma^2) = 1$ we obtain

$$\gamma^3 = (1^{(0)}, 0, 0, 0, *, *, 0, 0, \dots, 0, 0, 1^{(i)}, *, *, *, *, *) \in U_{\gamma^2} \oplus \alpha$$

such that $p_{\gamma^3} \leq 2^{-3}$.

Case 3 ($j = n - 6$): Now, we still have to consider the two possibilities $j - i \neq 6$ and $j - i = 6$. For the first case, one gets

$$\gamma^2 = (*, *, *, *, *, *, *, *, \dots, *, *, *, *, 1, *, *, *) \in U_\alpha \oplus 0$$

and for $\mathrm{wt}(\gamma^2) = 1$,

$$\gamma^3 = (1, *, *, *, *, *, *, *, \dots, *, *, *, *, *, *, 1, *) \in U_{\gamma^2} \oplus \alpha.$$

If $j - i = 6$, then

$$\gamma^2 = (*, *, *, *, \dots, *, *, 1^{(i+2)}, *, *, *, *, *, *, *, *, *) \in U_\alpha \oplus 0$$

and for $\mathrm{wt}(\gamma^2) = 1$,

$$\gamma^3 = (1^{(1)}, *, *, *, \dots, 1^{(i)}, *, *, *, 1, *, 1^{(j)}, *, *, *, *, *) \in U_{\gamma^2} \oplus \alpha.$$


Table 1. Number of rounds needed for bounding the differential probability of a characteristic by $2^{-2n}$ for all instances of Simon and Simeck. The symbol indicates that there is an appropriate instance of Simeck with the same number of rounds.

Cipher         Rounds   Rounds needed   Margin κ
Simon32/64     32       17              15
Simon48/72     36       25              11
Simon48/96     36       25              11
Simon64/96     42       33              9
Simon64/128    44       33              11
Simon96/96     52       49              3
Simon96/144    54       49              5
Simon128/128   68       65              3
Simon128/192   69       65              4
Simon128/256   72       65              7

Using a similar argument, one obtains the bounds for Simeck as the following theorem states.

Theorem 4 (Bounds for Simeck). Let $n \in \{16, 24, 32\}$ and $\theta(x) = (x \lll 1)$. For the rotation constants $a = 5$, $b = 0$, the probability of any $T$-round differential characteristic is upper bounded by $2^{-2T+2}$.

Interestingly, for every instance of Simon and Simeck, it turns out that our approach is sufficient in order to bound the probability of differential characteristics below $2^{-2n}$, where $n$ denotes the bit length of one Feistel branch. For $n$ up to 32, the security margin $\kappa$ of the corresponding primitive(s) can be considered as reasonable. See Table 1 for a comparison.

4 Conclusion

We presented a more general description of Simon-like designs by separating the round function into a linear and a non-linear component and proved upper bounds on the probability of differential characteristics for specific instances. In fact, we developed a non-experimental security argument on full-round versions of Simon that can be verified by pen and paper. We hope that this work encourages further research on analyzing Simon-like designs. An open question is whether our approach can be generalized in order to obtain better bounds over multiple rounds. However, as described earlier, we believe that such an argument would be much more complex. Furthermore, it would be favorable to avoid the consideration of every special case individually. This is related to the question of how to design the linear part $\theta$ in this set-up.

Acknowledgements. The author’s work was supported by DFG Research Training

Group GRK 1817 Ubicrypt. Special thanks go to Gregor Leander for his valuable


References

1. Abdelraheem, M.A., Alizadeh, J., Alkhzaimi, H.A., Aref, M.R., Bagheri, N., Gauravaram, P.: Improved linear cryptanalysis of reduced-round SIMON-32 and SIMON-48. In: Biryukov, A., Goyal, V. (eds.) INDOCRYPT 2015. LNCS, vol. 9462, pp. 153–179. Springer International Publishing, Heidelberg (2015)
2. Abed, F., List, E., Lucks, S., Wenzel, J.: Differential cryptanalysis of round-reduced SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 525–545. Springer, Heidelberg (2015)
3. Alizadeh, J., Bagheri, N., Gauravaram, P., Kumar, A., Sanadhya, S.K.: Linear cryptanalysis of round reduced SIMON. Cryptology ePrint Archive, Report 2013/663 (2013). http://eprint.iacr.org/2013/663
4. Alkhzaimi, H.A., Lauridsen, M.M.: Cryptanalysis of the SIMON family of block ciphers. Cryptology ePrint Archive, Report 2013/543 (2013). http://eprint.iacr.org/2013/543
5. Ashur, T.: Improved linear trails for the block cipher Simon. Cryptology ePrint Archive, Report 2015/285 (2015). http://eprint.iacr.org/
6. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: The SIMON and SPECK families of lightweight block ciphers. Cryptology ePrint Archive, Report 2013/404 (2013). http://eprint.iacr.org/2013/404
7. Beaulieu, R., Shors, D., Smith, J., Treatman-Clark, S., Weeks, B., Wingers, L.: SIMON and SPECK: block ciphers for the internet of things. In: NIST Lightweight Cryptography Workshop, Vol. 2015 (2015)
8. Beierle, C., Jovanovic, P., Lauridsen, M.M., Leander, G., Rechberger, C.: Analyzing permutations for AES-like ciphers: understanding ShiftRows. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 37–58. Springer, Heidelberg (2015)
9. Benadjila, R., Billet, O., Gilbert, H., Macario-Rat, G., Peyrin, T., Robshaw, M., Seurin, Y.: SHA-3 Proposal: ECHO (2010). http://crypto.rd.francetelecom.com/ECHO/
10. Bertoni, G., Daemen, J., Peeters, M., Assche, G.: The Keccak reference. Submission to NIST (Round 3), 13 (2011)
11. Biham, E., Anderson, R., Knudsen, L.R.: Serpent: a new block cipher proposal. In: Vaudenay, S. (ed.) FSE 1998. LNCS, vol. 1372, p. 222. Springer, Heidelberg (1998)
12. Biham, E., Shamir, A.: Differential cryptanalysis of DES-like cryptosystems. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 2–21. Springer, Heidelberg (1991)
13. Biryukov, A., Roy, A., Velichkov, V.: Differential analysis of block ciphers SIMON and SPECK. In: Cid, C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 546–570. Springer, Heidelberg (2015)
14. Bogdanov, A.A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
15. Chen, H., Wang, X.: Improved linear hull attack on round-reduced SIMON with dynamic key-guessing techniques. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 428–449. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_22
16. Daemen, J.: Cipher and hash function design strategies based on linear and differential cryptanalysis. Ph.D. thesis, Doctoral Dissertation, KU Leuven, March 1995
17. Daemen, J., Lamberger, M., Pramstaller, N., Rijmen, V., Vercauteren, F.: Computational aspects of the expected differential probability of 4-round AES and AES-like ciphers. Computing 85(1–2), 85–104 (2009)
18. Daemen, J., Rijmen, V.: AES Proposal: Rijndael (1998). http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf
19. Grassl, M.: Bounds on the minimum distance of linear codes and quantum codes (2007). http://www.codetables.de. Accessed 15 Feb 2016
20. Kölbl, S., Leander, G., Tiessen, T.: Observations on the SIMON block cipher family. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 161–185. Springer, Heidelberg (2015)
21. Kondo, K., Sasaki, Y., Iwata, T.: On the design rationale of SIMON block cipher: integral attacks and impossible differential attacks against SIMON variants. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 518–536. Springer, Heidelberg (2016). doi:10.1007/978-3-319-39555-5_28
22. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)
23. Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012)
24. Nyberg, K., Knudsen, L.: Provable security against a differential attack. J. Cryptol. 8(1), 27–37 (1995)
25. PUB FIPS. 197: Advanced encryption standard (AES), National Institute of Standards and Technology (2001). http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
26. Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28(4), 656–715 (1949)
27. Shirai, T., Preneel, B.: On Feistel ciphers using optimal diffusion mappings across multiple rounds. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 1–15. Springer, Heidelberg (2004)
28. Shirai, T., Shibutani, K.: Improving immunity of Feistel ciphers against differential cryptanalysis by using multiple MDS matrices. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 260–278. Springer, Heidelberg (2004)
29. Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014)
30. Todo, Y., Morii, M.: Bit-based division property and application to SIMON family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). doi:10.1007/978-3-662-52993-5_18
31. Wang, N., Wang, X., Jia, K., Zhao, J.: Differential attacks on reduced SIMON versions with dynamic key-guessing techniques. Cryptology ePrint Archive, Report 2014/448 (2014). http://eprint.iacr.org/2014/448
32. Wang, Q., Liu, Z., Varıcı, K., Sasaki, Y., Rijmen, V., Todo, Y.: Cryptanalysis of reduced-round SIMON32 and SIMON48. In: Meier, W., Mukhopadhyay, D. (eds.) INDOCRYPT 2014. LNCS, vol. 8885, pp. 143–160. Springer International Publishing, Heidelberg (2014)
33. Yang, G., Zhu, B., Suder, V., Aagaard, M.D., Gong, G.: The Simeck family of lightweight block ciphers. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 307–329. Springer, Heidelberg (2015)

Two-party Computation

Bounded Size-Hiding Private Set Intersection

Tatiana Bradley, Sky Faber, and Gene Tsudik

University of California, Irvine, USA

Abstract. Private Set Intersection (PSI) and other private set operations have many current and emerging applications. Numerous PSI techniques have been proposed that vary widely in terms of underlying cryptographic primitives, security assumptions as well as complexity. One recent strand of PSI-related research focused on an additional privacy property of hiding participants' input sizes. Despite some interesting results, only one practical size-hiding PSI (SH-PSI) has been demonstrated thus far [1]. One legitimate general criticism of size-hiding private set intersection is that the party that hides its input size can attempt to enumerate the entire (and possibly limited) domain of set elements, thus learning the other party's entire input set. Although this "attack" goes beyond the honest-but-curious model, it motivates investigation of techniques that simultaneously hide and limit a participant's input size. To this end, this paper explores the design of bounded size-hiding PSI techniques that allow one party to hide the size of its input while allowing the other party to limit that size. Its main contribution is a reasonably efficient (quasi-quadratic in input size) bSH-PSI protocol based on bounded keyed accumulators. This paper also studies the relationships between several flavors of the "Strong Diffie-Hellman" (SDH) problem.

Keywords: Private set intersection · Size hiding · Bounded input · Cryptographic accumulators · SDH problem

1 Introduction

Private set operations have many potential applications in secure cloud computing and storage, as well as other settings involving mutually suspicious parties that wish to divulge to each other nothing beyond the outcome of a particular set operation. This serves as one motivating factor for research in more efficient and more secure techniques. The other, no less important, factor is intellectual curiosity. There is something inherently appealing about private set operations, perhaps because they represent an interesting and realistic-sounding application domain for secure two-party computation.

The most natural and popular private set operation is Private Set Intersection (PSI), a cryptographic technique that allows two parties, server and client, to interact such that one or both of them (often, client) computes the intersection

© Springer International Publishing Switzerland 2016
V. Zikas and R. De Prisco (Eds.): SCN 2016, LNCS 9841, pp. 449–467, 2016.
DOI: 10.1007/978-3-319-44618-9_24


S ∩ C over their respective input sets S and C. Typically, server and client learn nothing beyond the size of each other's set and the resulting intersection. There are multiple PSI flavors with varying privacy properties, security models, complexities and underlying cryptographic primitives [1,8,13–18,22–25,27,28,33].

One recent PSI research direction focused on techniques that additionally hide the input size of one participant. This property is sometimes called one-sided input size-hiding. This line of research is attractive because, in general, there are few cryptographic techniques that achieve non-padding-based input size-hiding. (See Sect. 2 for an overview of related work).

Meanwhile, one important criticism of size-hiding PSI (SH-PSI) is the unlimited nature of the size-hiding feature. In scenarios where the overall input domain is small¹, a dishonest client can enumerate all (or most) of the possible elements, use them as its input set and thus learn all (or most) of server's input set. On the one hand, this criticism seems unfair because a client that enumerates, and provides as input, elements that it does not actually have, goes beyond the "honest-but-curious" (HbC) adversary model considered in, for example, [1]. On the other hand, it could be that the entire notion of input size-hiding inherently motivates a slightly different adversary model than HbC.

Consequently, the main motivation for this paper is the need to combine hiding of one party's input size with the other party's ability to upper-bound it, i.e., to limit the amount of information potentially learned by the first party. Specifically, the goal is to explore PSI techniques that allow client to hide its set size while assuring server that it does not exceed some fixed threshold t. At the first glance, it seems that this can be trivially met by modifying current SH-PSI, PSI or similar techniques.

One intuitive approach to bounded size-hiding is to amend any regular PSI protocol by having client always pad its (linear-size) input with dummy elements, up to the server-selected upper bound t. While this approach would meet our goals, we consider it to be undesirable, for several reasons:

– Padding by client always incurs O(t) computation and bandwidth costs, even if |C| and/or |S| are small relative to t.²
– Representation of dummy elements must be indistinguishable from that of their genuine counterparts. This very likely entails generating a random value for every dummy element, which, depending on the underlying PRNG, can involve as little computation as a hash, or as much as a large-integer arithmetic operation.
– If |C| < t, a misbehaving HbC client can easily cheat – and learn more about S than it is entitled to – by inserting extra actual elements into its input that it could later claim are just dummies.³

¹ For example: age, blood type, birthday, country, zip code, etc.
² In contrast, bSH-PSI incurs only O(|C|) costs, since client can download server's public key only once, ahead of time, i.e., off-line.
³ As discussed later, although the proposed bSH-PSI has the same issue, it discourages client's cheating by imposing a relatively high client computational cost for each additional element in the accumulator, up to the bound.
