
A Block Cipher Based on PUF-PRFs

7 Encrypting with PUF-(w)PRFs

7.3 A Block Cipher Based on PUF-PRFs

One of the most important results with respect to PRFs was developed by Luby and Rackoff in [34]. They showed how to construct pseudorandom permutations from PRFs. Briefly summarized, a pseudorandom permutation (PRP) is a PRF that is a permutation as well. PRPs can be seen as an idealization of block ciphers. Consequently, the Luby–Rackoff construction is often referred to as the Luby–Rackoff cipher.

Unfortunately, the Luby–Rackoff result does not automatically apply to the case of PUF-PRFs. As explained previously, PUF-(w)PRFs differ from (w)PRFs as they additionally need some helper data for correct execution. First, it is unclear if and how the existence and necessity of helper data would fit into the established concept of PRPs. Second, an attacker might adaptively choose plaintexts to force internal collisions and use the information leakage of the helper data for checking for these events.

Nonetheless, we can show that a Luby–Rackoff cipher based on PUF-wPRFs also yields a secure block cipher. For this purpose, we consider the set of concrete security notions for symmetric encryption schemes that have been presented and discussed in [4]. More precisely, we prove that a randomized version of a three-round Luby–Rackoff cipher based on PUF-PRFs fulfills real-or-random indistinguishability against a chosen-plaintext attacker.¹ In a nutshell, a real-or-random attacker adaptively chooses plaintexts and hands them to an encryption oracle. This oracle encrypts either the received plaintexts (real case) or some random plaintexts (random case). The encryptions are given back to the attacker. Her task is to distinguish between both cases. Thus, eventually she outputs a guess (a bit). The scheme is real-or-random indistinguishable if the advantage of winning this game is negligible (in some security parameter). We recall the formal definition:

¹ Due to the lack of space, we consider here only the simplest case, namely a three-round Luby–Rackoff cipher and a chosen-plaintext attacker.

Definition 9 (Real-or-random security) [4] An encryption scheme with encryption mechanism $E$, decryption mechanism $D$, and key space $K$ is said to be $(q;\varepsilon)$-secure in the real-or-random sense if, for any adversary $A$ which makes at most $q$ oracle queries,

$$\mathrm{Adv}^{rr}_A \stackrel{def}{=} \left|\Pr\left[k \leftarrow K : A^{O_{E_k(\cdot)}} = 1\right] - \Pr\left[k \leftarrow K : A^{O_{E_k(\$)}} = 1\right]\right| . \qquad (13)$$

The notation $O_{E_k(\cdot)}$ indicates an oracle which, in response to a query $x$, returns $y \stackrel{def}{=} E_k(x)$, while $O_{E_k(\$)}$ is an oracle which, in response to a query $x$, chooses $x' \leftarrow \{0,1\}^{|x|}$ and then returns $y \stackrel{def}{=} E_k(x')$.

Next, we first define the considered block cipher, a three-round PUF-PRF-based Luby–Rackoff cipher, and prove its security afterward. The working principle is very similar to the original Luby–Rackoff cipher and is displayed in Fig. 1. The main differences are twofold. First, at the beginning a uniformly random value $\rho \in \{0,1\}^n$ is chosen to randomize the right part $R$ of the plaintext. Second, the round functions are PUF-wPRFs instead of PRFs.

Definition 10 (3-round PUF-wPRF-based Luby–Rackoff cipher) Let $\mathcal{F}$ denote a family of PUF-wPRFs with input and output length $n$.² The three-round PUF-PRF-based Luby–Rackoff cipher $C_{\mathcal{F}}$ uses three different PUF-wPRFs $f_1, f_2, f_3 \in \mathcal{F}$ as round functions. That is, each $f_i$ is composed of the two functions $\mathrm{Gen}\circ\Pi_i$ and $\mathrm{Rep}\circ\Pi_i$ for an appropriate fuzzy extractor $\mathcal{E} = (\mathrm{Gen}, \mathrm{Rep})$.

[Fig. 1 A randomized three-round Luby–Rackoff cipher based on PUF-PRFs. Labels in the figure: plaintext $(L, R)$; random value $\rho$; PUF-PRF round functions $f_1, f_2, f_3$ with inputs $x_1, x_2, x_3$, outputs $z_1, z_2, z_3$ and helper data $\omega_1, \omega_2, \omega_3$; ciphertext $(X, Y)$.]

² Although the fuzzy extractor usually reduces the output length, such a situation can exist if the output length of the PUF is bigger than its input length.

Given a plaintext $(L, R) \in \{0,1\}^n \times \{0,1\}^n$, first a random value $\rho \leftarrow \{0,1\}^n$ is sampled. Then, the following values are computed:

$$x_1 \stackrel{def}{=} R \oplus \rho, \qquad (z_1, \omega_1) \stackrel{def}{=} (\mathrm{Gen}\circ\Pi_1)(x_1) \qquad (14)$$

$$x_2 \stackrel{def}{=} L \oplus z_1, \qquad (z_2, \omega_2) \stackrel{def}{=} (\mathrm{Gen}\circ\Pi_2)(x_2) \qquad (15)$$

$$x_3 \stackrel{def}{=} x_1 \oplus z_2, \qquad (z_3, \omega_3) \stackrel{def}{=} (\mathrm{Gen}\circ\Pi_3)(x_3) \qquad (16)$$

$$X \stackrel{def}{=} x_2 \oplus z_3, \qquad Y \stackrel{def}{=} x_3 \qquad (17)$$

The ciphertext is $(X, Y, \omega_1, \omega_2, \omega_3, \rho)$.

Decryption works similarly to the case of the "traditional" Luby–Rackoff cipher, where the helper data $\omega_i$ is used together with the $\mathrm{Rep}$ procedure to reconstruct the output $z_i$ of the PUF-PRF $f_i$, and the value $\rho$ is used to "derandomize" the input to the first round function $f_1$. More precisely, the following computations are performed:

$$x_3' \stackrel{def}{=} Y, \qquad z_3' \stackrel{def}{=} (\mathrm{Rep}\circ\Pi_3)(x_3', \omega_3), \qquad (18)$$

$$x_2' \stackrel{def}{=} X \oplus z_3', \qquad z_2' \stackrel{def}{=} (\mathrm{Rep}\circ\Pi_2)(x_2', \omega_2), \qquad (19)$$

$$x_1' \stackrel{def}{=} x_3' \oplus z_2', \qquad z_1' \stackrel{def}{=} (\mathrm{Rep}\circ\Pi_1)(x_1', \omega_1), \qquad (20)$$

$$L' \stackrel{def}{=} x_2' \oplus z_1', \qquad R' \stackrel{def}{=} x_1' \oplus \rho. \qquad (21)$$

Due to the correctness properties of the fuzzy extractor, one can deduce that $z_i' = z_i$ and $x_i' = x_i$ for $i = 1, 2, 3$. In particular, it follows that $L' = L$ and $R' = R$.

Theorem 4 Let $\mathcal{E}_{\mathcal{F}}$ be the encryption scheme defined in Definition 10 using a family $\mathcal{F}$ of PUF-wPRFs (with parameters as specified in Theorem 1). Then, the advantage of a real-or-random attacker making up to $q_{prf}$ queries is at most $5\varepsilon_{prf} + 2q_{prf}\cdot\varepsilon_{FE} + 3\cdot\frac{q_{prf}^2}{2^n}$.

Proof Let $\{(L^{(i)}, R^{(i)})\}_{i=1,\ldots,q_{prf}}$ denote the sequence of the adaptively chosen plaintexts, $x_j^{(i)}, z_j^{(i)}$ the values as specified in Eqs. (14), (15) and (16), and $\rho^{(i)}$ the randomly chosen values.

Let $O_{E(\cdot)}$ denote the oracle that honestly encrypts given plaintexts while $O_{E(\$)}$ encrypts randomly chosen plaintexts. We have to show that $\mathrm{Adv}(O_{E(\cdot)}, O_{E(\$)}) \le 5\varepsilon_{prf} + 2q_{prf}\cdot\varepsilon_{FE} + 3\cdot\frac{q_{prf}^2}{2^n}$. We prove the claim by defining a sequence of oracles and estimating the advantages of distinguishing between them. The differences between the oracles are that parts of the involved values are replaced by uniformly random values. To allow easier tracking of the differences, we introduce the following notation. Let $\mathcal{V} := \{L, R, x_1, z_1, \omega_1, \ldots, x_3, z_3, \omega_3, \rho, X, Y\}$ be the set of values that occur during one encryption (see Eqs. (14), (15) and (16) in Definition 10). For $V \subseteq \mathcal{V}$, oracle $O[V]$ encrypts given plaintexts, but during each encryption process the values indicated in $V$ are randomized.³ For example, it holds that $O[\emptyset] = O_{E(\cdot)}$ (nothing is randomized) and $O[\{L, R\}] = O_{E(\$)}$ (the plaintexts are randomized). Let $D$ be an arbitrary distinguisher between $O[\emptyset]$ and $O[\{L, R\}]$. We will consider the following inequalities:

$$\mathrm{Adv}(D) \stackrel{def}{=} \left|\Pr\left[1 \leftarrow D^{O[\emptyset]}\right] - \Pr\left[1 \leftarrow D^{O[\{L,R\}]}\right]\right| \qquad (22)$$

$$\le \left|\Pr\left[1 \leftarrow D^{O[\emptyset]}\right] - \Pr\left[1 \leftarrow D^{O[\{x_2\}]}\right]\right| \;+ \qquad (23)$$

$$\left|\Pr\left[1 \leftarrow D^{O[\{x_2\}]}\right] - \Pr\left[1 \leftarrow D^{O[\{x_1,x_2\}]}\right]\right| \;+ \qquad (24)$$

$$\left|\Pr\left[1 \leftarrow D^{O[\{x_1,x_2\}]}\right] - \Pr\left[1 \leftarrow D^{O[\{L,R\}]}\right]\right| . \qquad (25)$$

Similar to the proof of Theorem 1, we will give upper bounds for each of the expressions (23), (24), and (25). Let us start with (23): $\left|\Pr\left[1 \leftarrow D^{O[\emptyset]}\right] - \Pr\left[1 \leftarrow D^{O[\{x_2\}]}\right]\right|$.

Recall that $x_2 = L \oplus z_1$ (Eq. (15)). Thus, randomizing $x_2$ is equivalent to randomizing $z_1$, and hence $O[\{x_2\}] = O[\{z_1\}]$. By definition, the only difference between $O[\emptyset]$ and $O[\{z_1\}]$ is the tuple $(z_1, \omega_1) = \mathrm{Gen}(\Pi_1(x_1))$, namely:

- $(z_1, \omega_1) = \mathrm{Gen}(\Pi_1(x_1))$ in the case of $O[\emptyset]$, and
- $z_1 \leftarrow U_n$ and $(z_1, \omega_1) = \mathrm{Gen}(\Pi_1(x_1))$ in the case of $O[\{z_1\}]$.

Under the assumption that the values $x_1^{(i)}$ are pairwise distinct, the advantage to distinguish between both cases is at most $2\varepsilon_{prf} + q_{prf}\cdot\varepsilon_{FE}$ according to Theorem 1. Furthermore, as the values $\rho^{(i)}$ are uniformly random, the probability of a collision among the values $x_1^{(i)}$ is at most $\frac{q_{prf}^2}{2^n}$. As a consequence, we have

$$\mathrm{Adv}(O[\emptyset], O[\{x_2\}]) \le 2\varepsilon_{prf} + q_{prf}\cdot\varepsilon_{FE} + \frac{q_{prf}^2}{2^n} . \qquad (26)$$

Next, we consider the differences between $O[\{x_2\}]$ and $O[\{x_1, x_2\}]$. As explained above, randomizing $x_2$ is equivalent to randomizing $z_1$. Thus, we can consider the differences between $O[\{z_1\}]$ and $O[\{x_1, z_1\}]$ instead. Observe that the value $x_1$ is involved in the derivation of the following values:

1. $z_1 \leftarrow U_n$ and $(z_1, \omega_1) = \mathrm{Gen}(\Pi_1(x_1))$ (Eq. (14)).
2. $x_3 = x_1 \oplus z_2$ (Eq. (16)).

As $z_2$ is independent of $(z_1, \omega_1)$, these two features are independent and can be examined separately. Regarding the first feature, the difference is

1. $z_1 \leftarrow U_n$ and $(z_1, \omega_1) = \mathrm{Gen}(y_1)$ with $y_1 = \Pi_1(x_1)$ in the case of $O[\{z_1\}]$.
2. $z_1 \leftarrow U_n$ and $(z_1, \omega_1) = \mathrm{Gen}(y_1)$ with $y_1 \leftarrow \mathcal{D}$ in the case of $O[\{z_1, x_1\}]$.

As the PUFs are assumed to be wPRFs, the advantage to distinguish these two cases is at most $\varepsilon_{prf}$ if the values $x_1^{(i)}$ are pairwise different and uniformly random. As explained above, the probability of a collision among the values $x_1^{(i)}$ is at most $\frac{q_{prf}^2}{2^n}$. Furthermore, the values $x_1^{(i)}$ are derived by an XOR with a uniformly random value. Taken together, the advantage to distinguish between $O[\{z_1\}]$ and $O[\{z_1, x_1\}]$ based on the first feature is at most $\varepsilon_{prf} + \frac{q_{prf}^2}{2^n}$.

³ As the randomization is done for every encryption, we omit for simplicity the superscripts $(i)$ on the values.

Now we turn our attention to the second feature: $x_3 = x_1 \oplus z_2$. With the same arguments as above, randomizing $x_1$ here is equivalent to randomizing $z_2$. We make use of the fact that $z_2$ is only involved in the definition of $x_3$ (or, equivalently, of $Y$). Analogously to the case of randomizing $z_1$ (see above), it follows that the advantage of distinguishing between $O[\{z_1\}]$ and $O[\{z_1, x_1\}]$ based on the second feature is at most $2\varepsilon_{prf} + q_{prf}\cdot\varepsilon_{FE} + \frac{q_{prf}^2}{2^n}$.

Altogether, it follows that

$$\mathrm{Adv}(O[\{x_2\}], O[\{x_1, x_2\}]) \le 3\varepsilon_{prf} + q_{prf}\cdot\varepsilon_{FE} + \frac{2q_{prf}^2}{2^n} . \qquad (27)$$

Finally, we have to investigate $\mathrm{Adv}(O[\{x_1, x_2\}], O[\{L, R\}])$. Recall that $x_1 \stackrel{def}{=} R \oplus \rho$ (Eq. (14)). Thus, it is indistinguishable whether $x_1$ is randomized or $R$. Likewise, $x_2 \stackrel{def}{=} L \oplus z_1$ (Eq. (15)) implies that it is indistinguishable whether $x_2$ or $L$ is randomized. This implies that $O[\{x_1, x_2\}] = O[\{L, R\}]$ and in particular

$$\mathrm{Adv}(O[\{x_1, x_2\}], O[\{L, R\}]) = 0 . \qquad (28)$$

Summing up, the advantage of a real-or-random attacker is at most $5\varepsilon_{prf} + 2q_{prf}\cdot\varepsilon_{FE} + 3\cdot\frac{q_{prf}^2}{2^n}$, which concludes the proof.