Multi-user security bound for filter permutators in the random oracle model

Abstract

At EUROCRYPT 2016, Méaux et al. introduced a new design strategy for symmetric ciphers for fully homomorphic encryption (FHE), which they dubbed filter permutators. Although less efficient than classical stream ciphers, when used in conjunction with an adequate FHE scheme, they allow constant and small noise growth when homomorphically evaluating decryption circuit. In this article, we present a security proof up to the birthday bound (with respect to the size of the IV and the size of the key space) for this new structure in the random oracle model and in the multi-user setting. In particular, this result justifies the theoretical soundness of filter permutators. We also provide a related-key attack against all instances of FLIP, a stream cipher based on this design.

Appendix A: Proof of Fact 1

Independence comes from the fact that \(T_\mathrm{id} \not \in \varTheta _1\), so no PRG state is involved in a collision. Moreover, this event only involves IVs and the last n bits of G’s output. In order to prove the uniformity, let us fix any \(1\le i \le q_*\), \(0 \le j \le \kappa -2\) and any \(\mu \in \{1,\ldots ,\kappa -j\}\). Then

$$\begin{aligned}&\Pr \left[ (v_{1+j+(i-1)(\kappa -1)}\pmod {\kappa -j})+1=\mu | U \wedge (T_\mathrm{id} \not \in \varTheta _1) \right] \\&\qquad =\frac{\Pr \left[ [(v_{1+j+(i-1)(\kappa -1)}\pmod {\kappa -j})=\mu -1] \wedge U \wedge (T_\mathrm{id} \not \in \varTheta _1) \right] }{\Pr \left[ U \wedge (T_\mathrm{id} \not \in \varTheta _1) \right] }. \end{aligned}$$

Since \(v_{1+j+(i-1)(\kappa -1)}< (\kappa -j)\lfloor 2^b / (\kappa -j) \rfloor \), there are exactly \(\lfloor 2^b / (\kappa -j) \rfloor \) possible values for \(v_{1+j+(i-1)(\kappa -1)}\) such that U is also satisfied. Moreover, since \(T_\mathrm{id} \not \in \varTheta _1\), we know that the value is “fresh”, in the sense that it has never been queried before and is free of any other constraint. Let us also denote by \(U'\) the event U where we removed the condition \(v_{1+j+(i-1)(\kappa -1)}< (\kappa -j)\lfloor 2^b / (\kappa -j) \rfloor \). Thus

$$\begin{aligned}&\Pr \left[ [(v_{1+j+(i-1)(\kappa -1)}\pmod {\kappa -j}) =\mu -1] \wedge U \wedge (T_\mathrm{id} \not \in \varTheta _1) \right] \\&\qquad =\frac{\lfloor 2^b / (\kappa -j) \rfloor }{2^b}\mathrm{Pr}\left[ U' \wedge (T_\mathrm {id} \not \in \varTheta _1) \right] . \end{aligned}$$

Moreover, one has

$$\begin{aligned} \Pr \left[ U \wedge (T_\mathrm{id} \not \in \varTheta _1) \right] =\frac{(\kappa -j)\lfloor 2^b / (\kappa -j) \rfloor }{2^b}\Pr \left[ U' \wedge ( T_\mathrm {id} \not \in \varTheta _1) \right] , \end{aligned}$$

which gives

$$\begin{aligned} \Pr \left[ (v_{1+j+(i-1)(\kappa -1)}\pmod {\kappa -j})+1=\mu | U \wedge (T_\mathrm{id} \not \in \varTheta _1) \right] =\frac{1}{\kappa -j}. \end{aligned}$$