On the Bit Security of Cryptographic Primitives

Daniele Micciancio; Michael Walter

doi:10.1007/978-3-319-78381-9_1

Annual International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2018: Advances in Cryptology – EUROCRYPT 2018 pp 3-28 | Cite as

On the Bit Security of Cryptographic Primitives

Authors
Authors and affiliations

Daniele Micciancio
Michael WalterEmail author

Conference paper

First Online: 31 March 2018

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)

Abstract

We introduce a formal quantitative notion of “bit security” for a general type of cryptographic games (capturing both decision and search problems), aimed at capturing the intuition that a cryptographic primitive with k-bit security is as hard to break as an ideal cryptographic function requiring a brute force attack on a k-bit key space. Our new definition matches the notion of bit security commonly used by cryptographers and cryptanalysts when studying search (e.g., key recovery) problems, where the use of the traditional definition is well established. However, it produces a quantitatively different metric in the case of decision (indistinguishability) problems, where the use of (a straightforward generalization of) the traditional definition is more problematic and leads to a number of paradoxical situations or mismatches between theoretical/provable security and practical/common sense intuition. Key to our new definition is to consider adversaries that may explicitly declare failure of the attack. We support and justify the new definition by proving a number of technical results, including tight reductions between several standard cryptographic problems, a new hybrid theorem that preserves bit security, and an application to the security analysis of indistinguishability primitives making use of (approximate) floating point numbers. This is the first result showing that (standard precision) 53-bit floating point numbers can be used to achieve 100-bit security in the context of cryptographic primitives with general indistinguishability-based security definitions. Previous results of this type applied only to search problems, or special types of decision problems.

This is a preview of subscription content, to check access.

Notes

Acknowledgment

We would like to thank Krzysztof Pietrzak, Russell Impagliazzo, and Mihir Bellare for helpful discussions and pointers to relevant literature.

A Proof of Theorem 1

Proof

(of Theorem 1). From the definition of Y in Definition 7 we get for any $x,y \in \{0,1\}^{n}$ with $y \ne x$

$\mathrm {Pr}[Y = \bot | X=x] = 1-\alpha $
$\mathrm {Pr}[Y = x | X = x] = \alpha \beta $
$\mathrm {Pr}[Y = y | X = x] = \frac{\alpha (1-\beta )}{2^n - 1}$.

From this we compute

$\mathrm {Pr}[Y = \bot ] = 1-\alpha $
$\mathrm {Pr}[Y = y] = \mathrm {Pr}[Y = y | X=y]\mathrm {Pr}[X=y] + \mathrm {Pr}[Y = y | X\ne y]\mathrm {Pr}[X\ne y] = \frac{\alpha \beta }{2^n} + \frac{2^n-1}{2^n} \frac{\alpha (1-\beta )}{2^n - 1} = \frac{\alpha }{2^n}$.

Now we calculate the conditional entropy

$$\begin{aligned} H(X | Y) =&\sum _{x,y} \mathrm {Pr}[Y = y | X= x] \mathrm {Pr}[X=x] \log \frac{\mathrm {Pr}[Y = y]}{\mathrm {Pr}[Y = y | X= x] \mathrm {Pr}[X=x]} \\ =&\sum _{x} \mathrm {Pr}[Y = \bot | X= x] \mathrm {Pr}[X=x] \log \frac{\mathrm {Pr}[Y = \bot ]}{\mathrm {Pr}[Y = \bot | X= x] \mathrm {Pr}[X=x]} \\&\quad +\mathrm {Pr}[Y = x | X= x] \mathrm {Pr}[X=x] \log \frac{\mathrm {Pr}[Y = x]}{\mathrm {Pr}[Y = x | X= x] \mathrm {Pr}[X=x]} \\&\quad + \sum _{y \ne x \wedge y \ne \bot } \mathrm {Pr}[Y = y | X= x] \mathrm {Pr}[X=x] \log \frac{\mathrm {Pr}[Y = y]}{\mathrm {Pr}[Y = y | X= x] \mathrm {Pr}[X=x]}\\ =&\sum _x \frac{1-\alpha }{2^n}\log \frac{(1-\alpha )2^n}{1-\alpha } + \frac{\alpha \beta }{2^n}\log \frac{\alpha 2^n}{\alpha \beta 2^n} \\&\quad + (2^n - 1)\frac{\alpha (1-\beta )}{(2^n-1)2^n} \log \frac{\alpha 2^n (2^n-1)}{2^n \alpha (1-\beta )} \\ =&~(1-\alpha )n + \alpha \beta \log \frac{1}{\beta } + \alpha (1-\beta )\log \frac{2^n - 1}{1-\beta }\\ =&~(1-\alpha )n + \alpha ((1-\beta )\log (2^n - 1) + H(\mathcal {B}_{\beta })) \end{aligned}$$

Finally, we compute the advantage

$$\begin{aligned} \mathrm {adv}^A&= 1 - \frac{H(X|Y)}{n}\\&= 1 - (1-\alpha ) - \alpha \frac{(1-\beta )\log (2^n-1) + H(\mathcal {B}_{\beta })}{n}\\&= \alpha \left( 1-\frac{(1-\beta )\log (2^n-1) + H(\mathcal {B}_{\beta })}{n} \right) . \end{aligned}$$

$\square $

B Missing Details of Proof for Lemma 2

With the notation of Sect. 5.3, the goal of this section is to prove

$$ \sum _{i=1}^k \mathrm {adv}_{i,i+1} \ge \frac{\alpha _{1} + \alpha _{k}}{\alpha _1 + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _k} \mathrm {adv}_{1,k}. $$

By Eq. (5)

$$ \sum _{i=1}^k \mathrm {adv}_{i,i+1} = \sum _{i=1}^k \frac{(2(\gamma _{i} - \gamma _{i+1}) + \alpha _{i+1} - \alpha _{i})^2}{2(\alpha _{i} + \alpha _{i+1})}. $$

Applying the induction hypothesis, this is lower bounded by

$$ f(\gamma _{k-1}) = \frac{(2(\gamma _{1} - \gamma _{k-1}) + \alpha _{k-1} - \alpha _{1})^2}{2(\alpha _{1} + 2\sum _{i=2}^{k-2}\alpha _i + \alpha _{k-1})} + \frac{(2(\gamma _{k-1} - \gamma _{k}) + \alpha _{k} - \alpha _{k-1})^2}{2(\alpha _{k-1} + \alpha _{k})}. $$

Taking f’s derivative

$$ f'(\gamma _{k-1}) = \frac{2(2(\gamma _{k-1} - \gamma _{k}) + \alpha _{k} - \alpha _{k-1})}{\alpha _{k-1} + \alpha _{k}} - \frac{2(2(\gamma _{1} - \gamma _{k-1}) + \alpha _{k-1} - \alpha _{1})}{\alpha _{1} + 2\sum _{i=2}^{k-2}\alpha _i + \alpha _{k-1}} $$

Note that the second derivative is a positive constant, so if f has an extremum it must be a minimum, and since it is a quadratic function, it is a global minimum. Setting $f'(\gamma _{k-1}) = 0$ and solving for $2\gamma _{k-1}$, we get:

$$\begin{aligned} 2\gamma _{k-1}\left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right)&= 2(\gamma _1 + \alpha _{k-1} - \alpha _1)(\alpha _{k-1} + \alpha _{k}) \\&\quad + 2(\gamma _{k} + \alpha _{k} - \alpha _{k-1})\left( \alpha _{1} + 2\sum _{i=2}^{k-2}\alpha _i + \alpha _{k}\right) \end{aligned}$$

Plugging this into the terms of f:

$$\begin{aligned} (2(\gamma _1 - \gamma _{k-1}) + \alpha _{k-1} - \alpha _1) = \frac{2(\gamma _1 - \gamma _k) - \alpha _1 + \alpha _{k}) \left( \alpha _{1} + 2\sum _{i=2}^{k-2}\alpha _i + \alpha _{k}\right) }{\alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}} \end{aligned}$$

and

$$\begin{aligned} (2(\gamma _{k-1} - \gamma _{k}) + \alpha _{k} - \alpha _{k-1}) = \frac{(2(\gamma _1 - \gamma _k) - \alpha _1 + \alpha _{k}) (\alpha _{k-1}+ \alpha _{k})}{\alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}} \end{aligned}$$

which yields that

$$\begin{aligned} f(\gamma _{k-1})&\ge \frac{(2(\gamma _1 - \gamma _k) - \alpha _1 + \alpha _{k})^2 \left( \alpha _{1} + 2\sum _{i=2}^{k-2}\alpha _i + \alpha _{k}\right) ^2}{\left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right) ^2 \left( \alpha _{1} + 2\sum _{i=2}^{k-2}\alpha _i + \alpha _{k}\right) } \\&\quad \quad + \frac{(2(\gamma _1 - \gamma _k) - \alpha _1 + \alpha _{k})^2 (\alpha _{k-1}+ \alpha _{k})^2}{\left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right) ^2 (\alpha _{k-1}+ \alpha _{k})} \\&= \frac{(2(\gamma _1 - \gamma _k) - \alpha _1 + \alpha _{k})^2 }{\left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right) ^2} \left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right) \\&= \frac{(2(\gamma _1 - \gamma _k) - \alpha _1 + \alpha _{k})^2 }{\left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right) } \\&= \frac{\alpha _1 + \alpha _k}{\left( \alpha _{1} + 2\sum _{i=2}^{k-1}\alpha _i + \alpha _{k}\right) }\mathrm {adv}_{1,k} \end{aligned}$$

as desired.

References

1.
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium, pp. 327–343. USENIX Association (2016)Google Scholar
2.
Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_1CrossRefGoogle Scholar
3.
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: 38th Annual Symposium on Foundations of Computer Science, pp. 394–403. IEEE Computer Society Press, October 1997Google Scholar
4.
Bellare, M., Fischlin, M., Goldwasser, S., Micali, S.: Identification protocols secure against reset attacks. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 495–511. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_30CrossRefGoogle Scholar
5.
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34CrossRefGoogle Scholar
6.
Bernstein, D.J., Lange, T.: Non-uniform cracks in the concrete: the power of free precomputation. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 321–340. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_17CrossRefGoogle Scholar
7.
De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_35CrossRefGoogle Scholar
8.
Dodis, Y., Steinberger, J.P.: Message authentication codes from unpredictable block ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 267–285. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_16CrossRefGoogle Scholar
9.
Goldreich, O.: Foundations of Cryptography: Basic Tools, vol. 1. Cambridge University Press, Cambridge (2001)CrossRefMATHGoogle Scholar
10.
Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)CrossRefMATHGoogle Scholar
11.
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st Annual ACM Symposium on Theory of Computing, pp. 25–32. ACM Press, May 1989Google Scholar
12.
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefMATHGoogle Scholar
13.
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)MathSciNetCrossRefMATHGoogle Scholar
14.
Levin, L.A.: Randomness and non-determinism. J. Symbol. Logic 58, 1102–1103 (1993)Google Scholar
15.
Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 455–485. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_16CrossRefGoogle Scholar
16.
Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_20Google Scholar
17.
Prest, T.: Sharper bounds in lattice-based cryptography using the Rényi divergence. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 347–374. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_13CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Daniele Micciancio
- 1
Michael Walter
- 2
Email author

1.UC San DiegoSan DiegoUSA
2.IST AustriaKlosterneuburgAustria

On the Bit Security of Cryptographic Primitives

Abstract

Notes

Acknowledgment

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper

Cookies