Thank you for the introduction. Hi, everyone. My name is Joseph, and this is joint work with Stefano Tessaro. We're interested in improving security results for symmetric encryption by taking into account limitations of the attacker's memory. Broadly speaking, we can think of attacks as providing trade-offs between how many resources an attacker throws at a problem and how likely that attack is to succeed. Informally, we can define the security level of a scheme as the number of resources needed to achieve success probability around one. The most common resource we consider in this sort of analysis is the computation time of an attack, but there are numerous other resources that we know are important in practice. One example is hash function computation: application-specific circuits (ASICs) can exploit massive parallelism, pipelining, and amortization to compute hashes much more quickly than the average user does. A second example is pre-computation attacks, where an attacker can spend time running lots of pre-computation, which then allows its future attacks to be much more efficient. From the defense perspective, these have been studied in two ways. For the first, it's been proposed that we should use memory-hard hash functions, for which computing the hash function requires lots of memory, which is believed to be much harder to run in the parallel manner that ASICs exploit. For the second example, cryptographers in various settings have studied the trade-offs between the amount of memory one stores from pre-computation and the success of future attacks. You'll notice, conveniently, that both of the examples I've mentioned deal with bounding the memory used by attackers. So this raises the question of where else memory restrictions might matter.
In particular, in our work we were interested in looking at symmetric encryption. Most classic symmetric encryption schemes are built from PRFs and have security up to the birthday bound, where the number of queries squared equals two to the block length: q^2 = 2^n. We want to try to improve this to a space-time birthday bound, in which instead of q^2 we have q times the amount of space in bits equaling 2^n. To walk through a concrete example, think about AES, which has a 128-bit block length. The normal birthday bound would give you a security level of up to 2^64 blocks encrypted. If we were able to improve this to a space-time birthday bound and kept the number of blocks the same, we would find that an attacker needs 2^64 bits of memory to reach the security bound. To give you a sense of how much memory that actually is, consider the NSA's Utah data center: a Forbes estimate from a couple of years ago placed it somewhere between 3 and 12 exabytes of data, and that upper bound is pretty close to 2^64 bits. So to have a really successful attack against one single session, you would have to throw the entire data center at that session. To dig into the formalism a bit more: we typically study the security of a scheme Pi by defining an advantage function, which maps the amount of resources used to a number between zero and one, capturing how well the best adversary with those resources can succeed in breaking the scheme. As cryptographers, a lot of our work is just studying these advantage functions. From the provable-security side, we give security proofs, which provide upper bounds on the advantage; attacks via cryptanalysis provide lower bounds on advantage functions. As for the resources considered: for attacks, we can often look at an attack and try to understand how well it does in terms of time, memory, parallelism, or whatever other resources you're interested in. However, on the security-proof side,
most of our proof techniques only really know how to deal with the amount of time used by the attack. In this work, we're trying to bring these worlds together, with tighter bounds that also take into account the amount of memory. A typical security result you might see looks something like this, where the security of the scheme Pi is bounded by that of an attack using a similar amount of runtime and queries against an underlying primitive P, plus some small epsilon term. A recent line of work, started by Auerbach et al. at CRYPTO 2017, looked at improving this by taking space into account. In particular, they were interested in finding memory-tight reductions, where the amount of space used by the new reduction attacking the underlying primitive is comparable to the amount of space used by the original attacker against Pi. In our work, we instead consider space-time trade-offs, where we improve the analysis by additionally accounting for the space S in the bound on that epsilon term. An important predecessor is a line of work at TCC last year that studied this by designing new symmetric encryption schemes for which they could prove that this epsilon term is small even when q is much larger than 2^n, by assuming that the amount of space the attacker has is somehow smaller than this. In this work, we come at this from a different direction: we instead look at already-existing symmetric encryption schemes and try to get as good bounds as we can. In particular, the schemes we looked at all have security up to the birthday bound from the standard proofs, and we are trying to improve this to a space-time birthday bound. Concretely, the results we get in our paper are slightly worse than what's shown here: we have an additional square root over that space-time birthday bound. Now, broadly, you might be wondering why we think these bounds should actually hold, and for that I'll walk through a simple example of how this trade-off seems to
arise naturally in attacks. First, let's recall the definition of security for symmetric encryption, which considers an attacker in one of two worlds. In the real world, it feeds messages into a box and gets back real encryptions under a secret key; in the random world, the box instead just feeds back random bits. The advantage of the adversary is the difference in the probabilities that it outputs one in these two worlds, measuring how well it can distinguish between them. A very basic symmetric encryption scheme that we know is secure in this setting is one-block counter mode. In one-block counter mode, we pick a random string r, run it through a PRF, and XOR the result with the message, and this produces our ciphertext. A classic result, which you might see in any Crypto 101 course, gives a security bound that looks like this, where we reduce security to that of the PRF plus exactly the birthday-bound term we've been thinking about. In fact, we know this is tight: you can give a matching attack by considering an adversary that gathers q different samples of these ciphertexts and then, whenever r repeats, checks whether the output of the PRF repeats as well. If that is the case, we assume we're in the real world.
Otherwise, we assume we're in the random world. A simple analysis, based just on the probability that these r values repeat, gives a term which is essentially tight with that birthday bound. However, you'll note that this attack needs lots of memory; in particular, it remembers every single ciphertext it ever saw. So we might wonder what happens if the amount of space is much less than this. A natural way to generalize the attack would work as follows. The adversary first stores the first s ciphertexts it sees. Then, for all future ciphertexts, it checks whether the r value repeats with one of those stored ciphertexts, and if so, does the comparison we've been talking about; otherwise, it throws out that ciphertext and looks at the next one. Again, a straightforward analysis shows that this adversary has advantage essentially equal to the space-time trade-off we've been talking about. So the space-time trade-off seems to arise naturally from attacks. The question is: can we prove that this is tight, with an upper bound? This is much more difficult, because most of our proof techniques don't really know how to address the amount of space used by an attack. Concretely, in our work we first introduce a framework for analyzing these memory-bounded attackers in a streaming indistinguishability setting. We apply that framework to a security proof for randomized counter mode with a PRF, and obtain this sort of space-time birthday bound. Furthermore, we look at the classic PRP/PRF switching lemma and revisit it in the case when the queries are either all distinct or all random, again obtaining this sort of space-time birthday bound. Then, using the techniques behind these two examples, we can provide bounds for a number of other applications. Throughout the rest of the talk, I'll cover these points one at a time.
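As a concrete illustration, here is a minimal Python sketch of the memory-bounded distinguisher just described. The oracle interface and names are my own assumptions for illustration: `encrypt_zero()` encrypts the all-zero block, returning (r, c) with c = F_k(r) in the real world, or (r, c) with c uniformly random in the random world. Taking s = q recovers the full-memory birthday attack from before.

```python
def bounded_distinguish(encrypt_zero, q, s):
    """Memory-bounded distinguisher for one-block randomized counter mode.

    Stores only the first s ciphertexts (r, c), then scans the remaining
    q - s samples for a repeated r value.  In the real world a repeated r
    forces a repeated c = F_k(r); in the random world the two c values
    are independent, so a mismatch reveals the random world.
    """
    stored = {}
    for _ in range(s):
        r, c = encrypt_zero()
        stored.setdefault(r, c)
    for _ in range(q - s):
        r, c = encrypt_zero()
        if r in stored:
            return 1 if stored[r] == c else 0  # 1 = guess "real world"
    return 0  # no r-repetition found; guess "random world"
```

Its advantage comes from the probability that one of the later q - s samples repeats an r among the s stored ones, which is roughly (q - s) * s / 2^n, matching the space-time trade-off from the slide.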
So first: what does our streaming indistinguishability setting look like? We consider two distributions, X and Y, each made up of q elements. An attacker is fed these elements one at a time, either from X or from Y, and in between samples the attacker stores some state sigma, which has a bounded size of s bits. We define the advantage of the attacker to be the difference in the probabilities that it outputs one in these two settings, giving the sort of indistinguishability notion we're used to. A useful lemma in this setting, which we use for all of our following results, applies when one of these distributions, say X, is uniform and independent. Using a sort of hybrid argument based on KL divergence, we're able to reduce the problem of upper bounding the distinguishing advantage to providing a lower bound on the Shannon entropy of the Y_i values conditioned on the previous state stored by the attacker. This connection to information-theoretic measures is the core insight allowing analysis based on state size. As a first example we can walk through in this setting, let's consider counter mode security using a PRF. The setting we saw before considers either the real world, where encryption happens in the specified manner (here I'm just showing it for one-block counter mode, where we only encrypt one block of a message at a time), versus the random world. As in typical crypto proofs, the first step is to consider a hybrid distribution where the PRF has been replaced by a random function. We bound the difference between the real world and this hybrid world by the PRF advantage of E. There's nothing special going on there in our proofs; that's just the standard reduction.
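To recap the streaming framework in code, here is a minimal sketch of the game; the function names and the Monte Carlo estimator are my own, not from the paper, and the s-bit bound on sigma is a promise about the adversary's state representation rather than something the harness enforces.

```python
def run_streaming_game(sampler, update, guess, q):
    """One run of the streaming indistinguishability game: the adversary
    sees q samples one at a time and may carry only the state sigma
    (bounded to s bits by assumption) between samples."""
    sigma = None
    for _ in range(q):
        sigma = update(sigma, sampler())
    return guess(sigma)

def advantage(sample_x, sample_y, update, guess, q, trials=1000):
    """Monte Carlo estimate of |Pr[A(X stream) = 1] - Pr[A(Y stream) = 1]|."""
    px = sum(run_streaming_game(sample_x, update, guess, q)
             for _ in range(trials)) / trials
    py = sum(run_streaming_game(sample_y, update, guess, q)
             for _ in range(trials)) / trials
    return abs(px - py)
```

For instance, two constant streams are perfectly distinguishable by an adversary that just remembers the last sample it saw.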
The core part of our proof is then to bound how well an attacker can distinguish between this hybrid and the random world. In particular, the information-theoretic core problem you extract out of this asks how well an attacker can distinguish between a random function applied to random values, versus pure randomness. To emphasize: this pure randomness is uniform and independent, which is exactly what we need to apply the lemma from before. So, according to that lemma, all we need to do to prove our upper bound is to prove a lower bound on this Shannon entropy. I'm not going to walk through the details of that proof in this talk, but I want to emphasize that it's actually a rather short calculation, based only on simple properties of Shannon entropy. An open question which we weren't able to resolve is whether this bound is tight; in particular, regarding that square root: can we either provide a better proof which gets rid of the square root, or is there some matching attack whose advantage has that square root over it? The core of the analysis I'm showing on this slide can also be applied to some other settings, in particular the security of counter mode using a PRF with multi-block messages, the Encrypt-and-PRF generic construction, and a sort of switching lemma applied to weak PRFs. So let's revisit where we've been so far.
I showed you our framework for streaming indistinguishability, I talked about how we use it to provide a proof for randomized counter mode using a PRF, and I've now shown half of the applications that I mentioned. Next up, we're going to revisit the standard PRP/PRF switching lemma, so let's recall the motivation behind it. In practice, when we do encryption, the PRF we use is actually a block cipher. A block cipher, you may recall, is a family of permutations: each key gives a different permutation. Because of the structure inherent in permutations, the PRF advantage can only be so good; in particular, there's an attack achieving birthday-bound advantage against any permutation in terms of PRF security. The standard way we think about this in practice is that we think of our block cipher as being a good PRP, and then we have a generic switching lemma which says that, for any choice of E, the difference between PRP and PRF security cannot be that big; in particular, it's bounded by a birthday-bound term. Since in our work we were interested in improving birthday bounds by turning them into space-time birthday bounds, you might ask the question: can we improve this switching lemma by placing bounds on the amount of memory used by an attacker?
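For reference, the generic switching lemma just mentioned is usually stated as follows (standard textbook form, for any adversary A making at most q queries to an oracle that is either a random n-bit permutation P or a random function F):

```latex
\left|\,\Pr\!\left[A^{P} = 1\right] - \Pr\!\left[A^{F} = 1\right]\,\right| \;\le\; \frac{q(q-1)}{2^{n+1}}
```

So the gap between the PRP and PRF security of any block cipher E is at most this birthday-bound term.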
In general, the answer is no, and this comes from the classic cycle-detection algorithms, such as the one by Floyd, which show how to find a collision in a random function using only a square-root number of queries and a very small amount of memory. So in general there's no switching-lemma improvement we can hope for by bounding the amount of memory an attacker uses. However, we can do it in some special cases, in particular the cases I mentioned before: when all the queries made by the attacker are distinct, or when all the queries made by the attacker are picked at random. In our work, we were only able to prove this by making a hopefully weak conjecture about the combinatorial properties of hypergraphs, which I'll get to in a moment. I should point out that there's some recent work by Dinur, posted on ePrint, which improved this birthday bound for the switching lemma by making a connection to communication complexity, both getting rid of the square root in the term (up to a small factor in n, which is not too important) and doing so without any conjectures. The information-theoretic core of this switching lemma, in particular for distinct inputs, is the following: we consider distinct x_1 through x_q, fed through either a random function or a random permutation, and ask how well an attacker can distinguish between the two. If you look at this problem for a bit, you'll realize that it's identical to a more basic question: how well can an attacker distinguish between uniform, independent samples x_1 through x_q from some set of size N, and y_1 through y_q picked uniformly but without replacement, so that the y values are all distinct?
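Here is a sketch of Floyd's cycle-detection collision finder mentioned above, which uses constant memory and, on a random function over N points, about sqrt(N) evaluations. The function name and the toy function in the test are my own, and the sketch assumes the starting point lies on the tail of the "rho" shape, not on the cycle itself.

```python
def floyd_collision(f, x0):
    """Find distinct a, b with f(a) == f(b) along the sequence
    x0, f(x0), f(f(x0)), ... using only constant memory.

    Assumes the rho shape has a nonempty tail (x0 is not on the cycle)."""
    # Phase 1: tortoise moves 1 step, hare moves 2 steps, until they meet
    # somewhere on the cycle.
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:
        tortoise = f(tortoise)
        hare = f(f(hare))
    # Phase 2: restart the tortoise at x0; advancing both one step at a
    # time, they meet exactly at the cycle's entry point.  Just before
    # meeting, the two pointers are distinct predecessors of that entry
    # point, i.e. a collision.
    tortoise = x0
    while f(tortoise) != f(hare):
        tortoise, hare = f(tortoise), f(hare)
    return tortoise, hare
```

This square-root-queries, constant-memory collision finder is exactly what rules out a generic memory trade-off for the switching lemma.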
Now that we have a setting with uniform, independent x's, we can again call back to the lemma mentioned earlier, where we just have to bound the Shannon entropy. Unlike in the randomized counter mode proof, this bound is actually quite difficult, and it's in that bound where we needed to appeal to our conjecture. To talk briefly about what our conjecture says, let's recall what a hypergraph is. In a hypergraph, we have n nodes, and the edges consist of subsets of the n nodes. In particular, our conjecture is about k-uniform hypergraphs, which means each edge is a set consisting of k nodes; the picture shown here is a 3-uniform hypergraph. The degree of a particular node is defined as the number of edges which that node is part of. The structure of such a graph can be studied via the sum of squared degrees, in which you simply sum up the square of every node's degree. The problem one might consider is: for particular values of n, k, and m, what is the k-uniform hypergraph with m hyperedges which maximizes the sum of squared degrees?
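To make the quantity concrete, here is a small helper (naming is my own) that computes the sum of squared degrees of a hypergraph, together with the complete k-uniform hypergraph that will come up as the conjectured maximizer:

```python
from itertools import combinations
from collections import Counter

def sum_sq_degrees(edges):
    """Sum over all nodes of degree^2, where the degree of a node is
    the number of hyperedges containing it."""
    deg = Counter()
    for edge in edges:
        for node in edge:
            deg[node] += 1
    return sum(d * d for d in deg.values())

def complete_hypergraph(nodes, k):
    """The complete k-uniform hypergraph: every k-subset is an edge."""
    return list(combinations(nodes, k))
```

For example, the complete 2-uniform hypergraph on 3 nodes (a triangle) has every node in 2 edges, giving a sum of squared degrees of 3 * 2^2 = 12.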
This is a problem which has been considered a bit in the mathematical community. It's well understood in the case of typical graphs, when our hyperedges are just normal edges consisting of two nodes, but the full solution isn't understood in the more general case, where the edges contain more nodes. In particular, our conjecture considers parameters of a particular size, where the edges each consist of more than half of the nodes in the graph, and the number of edges is a nicely chosen size into which a complete sub-hypergraph fits perfectly. We conjecture that this complete hypergraph is the maximizer of the sum of squared degrees for these particular choices of parameters. This is hopefully a reasonable assumption; in particular, it's a natural generalization of what we know to be the case for normal graphs. Using this conjecture, we're able to prove a bound on that Shannon entropy, which in turn gives us the space-time trade-off in the distinguishing advantage. This distinguishing advantage, between uniform samples with or without replacement, actually has a number of applications. The switching lemma for distinct queries follows from it. The switching lemma for random queries, which I'll go into in a moment, follows from it. We can use it to prove security for stateful counter mode when you use a PRP, and for stateful OFB when you use a PRP. It also provides a switching lemma for weak PRPs and security for one-block counter mode with a PRP; this is different from our earlier analysis, which considered randomized counter mode with a PRF. An open question which we haven't resolved is whether you get this sort of space-time birthday bound for multi-block counter mode using a PRP. Finally, let me quickly walk through the proof of the switching lemma when the inputs are random. It boils down to distinguishing between two worlds, where either a random function or a random permutation is applied to
uniform, independent samples. We prove it by transitioning between a number of different distributions. First, we use our bound to switch the x's to being sampled without replacement. A random function applied to values sampled without replacement is equivalent to just picking samples uniformly with replacement. Once we've done this, we can again apply our bound to make these samples picked without replacement. Once we've done that, it's equivalent to applying a random permutation to our y's. And then, finally, another call to our bound lets us replace those y's with the original x's, sampled with replacement. The same analysis can be tweaked for some of the other applications I mentioned. With that, I've reached the end of my talk, and I just want to give you the one-sentence summary: we revisited the analysis of classic symmetric encryption schemes and improved them by giving space-time trade-offs, replacing birthday bounds with space-time birthday bounds. Thank you.