[Resource Topic] 2023/1704: Fine-Tuning Ideal Worlds for the Xor of Two Permutation Outputs

Welcome to the resource topic for 2023/1704

Fine-Tuning Ideal Worlds for the Xor of Two Permutation Outputs

Authors: Wonseok Choi, Minki Hhan, Yu Wei, Vassilis Zikas


Security proofs of symmetric-key primitives typically consider an idealized world with access to a (uniformly) random function. The starting point of our work is the observation that such an ideal world leads to underestimating the actual security of certain primitives. As a demonstrating example, \mathsf{XoP2}, which relies on two independent random permutations, is proven to exhibit far superior concrete security compared to \mathsf{XoP}, which employs a single permutation with domain separation. But the main reason for this is an artifact of the idealized model used in the proof, in particular, that (in the random-function-ideal world) \mathsf{XoP} might hit a trivially bad event (outputting 0) which does not occur in the real/domain-separated world.
Motivated by this, we put forth the analysis of such primitives in an updated ideal world, which we call the {\em fine-tuned} setting, where the above artifact is eliminated. We provide fine-tuned (and enhanced) security analyses for \mathsf{XoP} and \mathsf{XoP}-based MACs: \mathsf{nEHtM} and \mathsf{DbHtS}. Our analyses demonstrate that the security of \mathsf{XoP}-based and \mathsf{XoP2}-based constructions are, in fact, far more similar than what was previously proven.
Concretely, for the number of users u and the maximum number of queries per user q_m, we show that the multi-user ``fine-tuned’’ security bound of \mathsf{XoP} can be proven as
via the Squared-ratio method proposed by Chen et al. [CRYPTO’23], resulted to the same security bound of \mathsf{XoP2} proven there. We also show the compatibility of the fine-tuned model with the Chi-squared method proposed by Dai et al.
[CRYPTO’17], and show that \mathsf{XoP} and \mathsf{XoP2} enjoy the same security bound in the fine-tuned setting regardless of proving tools.
Finally, we turn to the security analysis of MACs in the multi-user setting, where the effect of transitioning the proofs to the fine-tuned setting is even higher. Concretely,
we are able to prove unexpected improvements in the security bounds for both \mathsf{nEHtM} and \mathsf{DbHtS}. Our security proofs rely on a fine-tuned and extended version of Mirror theory for both lower and upper bounds, which yields more versatile and improved security proofs.
Of independent interest, this extension allows us to prove the multi-user MAC security of \mathsf{nEHtM} in the nonce-misuse model, while the previous analysis only applied to the multi-user PRF security in the nonce-respecting model. As a side note, we also point out (and fix) a flaw in the original analysis of Chen et al…

ePrint: https://eprint.iacr.org/2023/1704

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .