Paper 2018/226

Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and Generic-Group Models

Sandro Coretti, Input Output Global
Yevgeniy Dodis, New York University
Siyao Guo, NYU Shanghai
Abstract

The random-permutation model (RPM) and the ideal-cipher model (ICM) are idealized models that offer a simple and intuitive way to assess the conjectured standard-model security of many important symmetric-key and hash-function constructions. Similarly, the generic-group model (GGM) captures generic algorithms against assumptions in cyclic groups by modeling encodings of group elements as random injections and allows to derive simple bounds on the advantage of such algorithms. Unfortunately, both well-known attacks, e.g., based on rainbow tables (Hellman, IEEE Transactions on Information Theory '80), and more recent ones, e.g., against the discrete-logarithm problem (Corrigan-Gibbs and Kogan, EUROCRYPT '18), suggest that the concrete security bounds one obtains from such idealized proofs are often completely inaccurate if one considers non-uniform or preprocessing attacks in the standard model. To remedy this situation, this work 1) defines the auxiliary-input (AI) RPM/ICM/GGM, which capture both non-uniform and preprocessing attacks by allowing an attacker to leak an arbitrary (bounded-output) function of the oracle's function table; 2) derives the first non-uniform bounds for a number of important practical applications in the AI-RPM/ICM, including constructions based on the Merkle-Damgard and sponge paradigms, which underly the SHA hashing standards, and for AI-RPM/ICM applications with computational security; and 3) using simpler proofs, recovers the AI-GGM security bounds obtained by Corrigan-Gibbs and Kogan against preprocessing attackers, for a number of assumptions related to cyclic groups, such as discrete logarithms and Diffie-Hellman problems, and provides new bounds for two assumptions. An important step in obtaining these results is to port the tools used in recent work by Coretti et al. (EUROCRYPT '18) from the ROM to the RPM/ICM/GGM, resulting in very powerful and easy-to-use tools for proving security bounds against non-uniform and preprocessing attacks.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
Secret-Key CryptographyGeneric Group ModelNon-Uniformity
Contact author(s)
sandro coretti @ iohk io
dodis @ cs nyu edu
sg191 @ nyu edu
History
2023-02-23: last of 2 revisions
2018-03-01: received
See all versions
Short URL
https://ia.cr/2018/226
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2018/226,
      author = {Sandro Coretti and Yevgeniy Dodis and Siyao Guo},
      title = {Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and Generic-Group Models},
      howpublished = {Cryptology {ePrint} Archive, Paper 2018/226},
      year = {2018},
      url = {https://eprint.iacr.org/2018/226}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.