Provable Time-Memory Trade-Offs: Symmetric Cryptography Against Memory-Bounded Adversaries

Tessaro, Stefano; Thiruvengadam, Aishwarya

doi:10.1007/978-3-030-03807-6_1

Cited by 11 publications

(4 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We state and prove a bound on Adv 1LD-d in Section 4.2. Our proof applies the same reduction technique as Tessaro and Thiruvengadam [31], we are verifying that it works quantumly as well.…”

Section: Security Resultsmentioning

confidence: 56%

“…This is a worst-case decision problem measuring how well an algorithm can distinguish between a pair of lists with zero or exactly one element in common, which can be viewed as a decision version of the claw-finding problem. This reduction technique was originally used by Tessaro and Thiruvengadam [31] to establish a classical time-memory trade-off for the security of double encryption. We observe that their technique works for a quantum adversary.…”

Section: Double Encryptionmentioning

confidence: 99%

“…This leaves the question of whether their security result can be extended to cover full SPRP security, which we resolve by the main theorem of this section. This theorem is proven via a reduction technique of Tessaro and Thiruvengadam [31] which they used to establish a (classical) time-memory tradeoff for the security of double encryption, by reducing its security to the list disjointness problem and conjecturing a time-memory tradeoff for that problem.…”

Section: Double Encryptionmentioning

confidence: 99%

See 2 more Smart Citations

Quantum Key-length Extension

Jaeger¹,

Song²,

Tessaro³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Should quantum computers become available, they will reduce the effective key length of basic secret-key primitives, such as blockciphers. To address this we will either need to use blockciphers which inherently have longer keys or use key-length extension techniques which employ a blockcipher to construct a more secure blockcipher that uses longer keys. We consider the latter approach -in particular, analyzing the security of the FX and double encryption constructions. Classically, these constructs were considered as key-length extension techniques for DES. FX was proven to be a secure key-length extension technique, while double encryption was shown to be no more secure than single encryption due to a meet-in-the-middle attack. In this work we provide positive results, with concrete and tight bounds, for the security of both of these constructions against quantum attackers in ideal models. For FX, we consider security in the so-called "Q1 model," a natural model in which the attacker has quantum access to the ideal primitive, but only classic access to FX. We provide two partial results for FX in this model. The first establishes the security of FX against non-adaptive attackers. The second establishes security against fully adaptive attackers when considering a variant of FX using a random oracle in place of an ideal cipher. This result relies on the techniques of Zhandry (CRYPTO '19) for lazily sampling a quantum random oracle and are thus hard to extend to the true FX construction because it is currently unknown if a quantum random permutation can be lazily sampled. To the best of our knowledge, this result also is the first to introduce techniques to handle Q1 security in ideal models without analyzing the classical and quantum oracles separately, which may be of broader interest. For double encryption we apply a technique of Tessaro and Thiruvengadam (TCC '18) to establish that security reduces to the difficulty of solving the list disjointness problem, which we are able to reduce through a chain of results to the known quantum difficulty of the element distinctness problem.the loss of concrete security due to quantum computers. In this paper we analyze the latter approach. We consider two key-length extension techniques, FX [20] and double encryption, and provide provable bounds against quantum attackers in ideal models.Of broader and independent interest, our study of FX requires us to consider a hybrid quantum model which only allows for classical online access to the encrypted data, whereas offline computation is quantum. This model is often referred to as the "Q1 model" in the cryptanalysis literature [17,5], and is weaker than the stronger, fully-quantum, "Q2 model", which allows for quantum online access. This is necessary in view of existing attacks in the Q2 model showing that FX is no more secure than the underlying cipher [24], but also, Q1 is arguably more realistic and less controversial than Q2. We observe that (in contrast to the plain model) ideal-model proofs in the Q1 model can be harder ...

show abstract

“…We state and prove a bound on Adv 1LD-d in Section 4.2. Our proof applies the same reduction technique as Tessaro and Thiruvengadam [31], we are verifying that it works quantumly as well.…”

Section: Security Resultsmentioning

confidence: 56%

Section: Double Encryptionmentioning

confidence: 99%

Section: Double Encryptionmentioning

confidence: 99%

See 1 more Smart Citation

Quantum Key-length Extension

Jaeger¹,

Song²,

Tessaro³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the field of cryptography, several previous works investigated the security of cryptographic primitives against a space-bounded adversary whose input is given as a data stream composed of a sequence of elements that can be read only once (cf., [ 7 , 20 ]). More recently, Thiruvengadam and Tessaro initiated the study of the security of modes of operation against space-bounded adversaries [ 23 ]. Jaeger and Tessaro’s work [ 15 ], as well as this paper, continue the line of research on streaming algorithms in cryptography.…”

Section: Introductionmentioning

confidence: 99%

On the Streaming Indistinguishability of a Random Permutation and a Random Function

Dinur

2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

An adversary with S bits of memory obtains a stream of Q elements that are uniformly drawn from the set , either with or without replacement. This corresponds to sampling Q elements using either a random function or a random permutation. The adversary’s goal is to distinguish between these two cases. This problem was first considered by Jaeger and Tessaro (EUROCRYPT 2019), which proved that the adversary’s advantage is upper bounded by . Jaeger and Tessaro used this bound as a streaming switching lemma which allowed proving that known time-memory tradeoff attacks on several modes of operation (such as counter-mode) are optimal up to a factor of if . However, the bound’s proof assumed an unproven combinatorial conjecture. Moreover, if there is a gap between the upper bound of and the advantage obtained by known attacks. In this paper, we prove a tight upper bound (up to poly-logarithmic factors) of on the adversary’s advantage in the streaming distinguishing problem. The proof does not require a conjecture and is based on a hybrid argument that gives rise to a reduction from the unique-disjointness communication complexity problem to streaming.

show abstract

Tight Time-Memory Trade-Offs for Symmetric Encryption

Jaeger

Tessaro

2019

Advances in Cryptology – EUROCRYPT 2019

View full text Add to dashboard Cite

Provable Time-Memory Trade-Offs: Symmetric Cryptography Against Memory-Bounded Adversaries

Cited by 11 publications

References 34 publications

Quantum Key-length Extension

Quantum Key-length Extension

On the Streaming Indistinguishability of a Random Permutation and a Random Function

Tight Time-Memory Trade-Offs for Symmetric Encryption

Contact Info

Product

Resources

About