Farasha: A Provable Permutation-Based Parallelizable PRF

Abstract

The pseudorandom function Farfalle, proposed by Bertoni et al. at ToSC 2017, is a permutation based arbitrary length input and output PRF. At its core are the public permutations and feedback shift register based rolling functions. Being an elegant and parallelizable design, it is surprising that the security of Farfalle has been only investigated against generic cryptanalysis techniques such as differential/linear and algebraic attacks and nothing concrete about its provable security is known. To fill this gap, in this work, we propose Farasha, a new permutation-based parallelizable PRF with provable security. Farasha can be seen as a simple and provable Farfalle-like construction where the rolling functions in the compression and expansion phases of Farfalle are replaced by a uniform almost xor universal (AXU) and a simple counter, respectively. We then prove that in the random permutation model, the compression phase of Farasha can be shown to be an uniform AXU function and the expansion phase can be mapped to an Even-Mansour block cipher. Consequently, combining these two properties, we show that Farasha achieves a security of \(\min \{\text {keysize, permutation size/2}\}\). Finally, we provide concrete instantiations of Farasha with AXU functions providing different performance trade-offs. We believe our work will bring new insights in further understanding the provable security of Farfalle-like constructions.

A Security Proofs

1.1 A.1 Proof of Lemma 1

Proof

Let \(\sigma _i\) be the number of queries to \(P_i\). By the PRP/PRF switching lemma, the advantage after switching \(P_i\) by PRF \(\rho _i\) is bounded by \(\frac{\sigma _i^2}{2 \cdot 2^b}\). Since the permutations as well as the functions are independent of each other, the total advantage of the \(\mu \) switchings is given by

$$\begin{aligned} \frac{1}{2}\frac{1}{2^b} \sum _{i = 1}^{\mu } \sigma _i^2 \le \frac{1}{2} \frac{1}{2^b} \Big (\sum _{i = 1}^{\mu } \sigma _i\Big )^2 = \frac{\sigma ^2}{2 \cdot {2^b}}. \end{aligned}$$

(24)

1.2 A.2 PRF Security of \(\textsf {Farasha}^{\#}\)

In \(\textsf {Farasha}^{\#}\) (see Sect. 5.1), we first expand a k-bit key K to a 2k-bit key \(K' = P''(K)\). The key \(K'\) is then used as a key for Farasha. Denote the modified left-side as \(\textsf {Farasha}\text {-}\textsf {L}^{\#} (K,M) = \textsf {Farasha}\text {-}\textsf {L} (P''(K),M)\). Then, the security of \(\textsf {Farasha}^{\#}\) follows from Lemma 3.

Lemma 3

(PRF security of Farasha\(^{\#}\)). Consider Farasha as defined in Theorem 3 and additionally let and \(\textsf {Farasha}\text {-}\textsf {L}^{\#}\) as defined above. Then for adversaries \(\mathcal {A}, \mathcal {A}'\), we have

(25)

where \(q_{p''}\) is the number of primitive queries to \(P''\).

Proof

With another public permutation \(P''\) for the key expansion, \(P''^{\pm }\) is the additional (primitive) oracle available to the adversary \(\mathcal {A}\). Let \(\mathcal {A}\) make \(q_{p''}\) primitive queries to \(P''\) and denote its input-output pairs as \(\tau _{p''} = \{ (u_i, v_i)\, | \, P''(u_i) = v_i, \, 1 \le i \le q_{p''}\}\). Now, in addition to all cases in proof of Theorem 3, we need to consider an additional bad event, i.e., when one of the queries in \(\tau _{p''}\) matches the key K. The probability of this event is at most \(q_{p''}/2^k\). Given that the construction after the key expansion is identical to \(\textsf {Farasha}\text {-}\textsf {L} \), accounting for this term in Lemma 2 (resp. Theorem 3) gives the adversarial advantage of \(\textsf {Farasha}\text {-}\textsf {L}^{\#} \) (resp. \(\textsf {Farasha}^{\#}\)) as given in Eq. 25. This proves the lemma.

1.3 A.3 Proof of Theorem 2

Proof Idea. Let \((M_{ij}, C_{ij})\) denote the j-th plaintext and ciphertext pair corresponding to the EM instance with key \(K_i\), i.e., \(E_{K_i}\). Furthermore, \((x_j, y_j)\) denote the input/output of the j-th public permutation query. The bad events are identical to the independent keys analysis done in [35], and are as follows.

$$\begin{aligned} \exists \, i, i', j, j': i \ne i':\, & M_{ij} \oplus M_{i'j'} = K_i \oplus K_{i'} & \vee \, \, & C_{ij} \oplus C_{i'j'} = K_i \oplus K_{i'} \end{aligned}$$

(26a)

$$\begin{aligned} \exists \, i, j, j':\, & M_{ij} \oplus x_{j'} = K_i & \vee \, \, & C_{ij} \oplus y_{j'} = K_i \end{aligned}$$

(26b)

The probabilities that Eq. 26a and Eq. 26b hold is bounded by \(\epsilon \) due to the \(\epsilon \)-uniform-AXU property. The rest of the proof is identical to the one in [35], and the \(1/2^b\) term can be generalised to \(\epsilon \) with \(\epsilon =1/2^{b}\) for independent keys.

Proof

The adversarial model for the modified key setting is depicted in Fig. 3, with an adversary \(\mathcal {A}\) having bidirectional access to \(\mu +1\) oracles \((\mathcal {O}_1,\cdots , \mathcal {O}_{\mu }, \mathcal {O})\). In the ideal world, these are . In the real world, these are \((E_{K_1}, \cdots , E_{K_{\mu }}, P)\), where \(E_{K_i}(M_{ij}) = P(M_{ij} \oplus K_i) \oplus K_i\) for \(i = 1, \cdots , \mu \). Note that, in this setting, the keys \(K_i\) are the output of a keyed hash function \(H_K\) and satisfy the \(\epsilon \)-uniform-AXU property. The adversary makes \(\sigma _i\) queries to oracle \(\mathcal {O}_i\) (resp. \(q_p\) queries to oracle \(\mathcal {O}\)), which are captured in transcripts \(\tau _i\) for \(1 \le i \le \mu \) (resp. \(\tau _p\)). Thus, the transcripts in the real-world are:

$$\begin{aligned} \begin{aligned} \tau _i &= \{ (M_{ij}, C_{ij})\, | \, M_{ij}, C_{ij} \in \{0,1\}^b, \, E_{K_i}(M_{ij}) = C_{ij}, \, 1 \le i \le \sigma _i\} \\ \tau _{p} &= \{ (x_i, y_i)\, | \, x_i, y_i \in \{0,1\}^b, \, P(x_i) = y_i, \, 1 \le i \le q_{p}\} \\ \end{aligned} \end{aligned}$$

(27)

We assume the adversary never makes duplicate queries, so that \(M_{ij} \ne M_{ij'}, C_{ij} \ne C_{ij'}, x_j \ne x_{j'}, y_i \ne y_{j'}\) for all \(i,j,j'\) where \(j\ne j'\). We denote the total number of keyed (or construction) queries by \(\sigma = \sum _{i=1}^{\mu }\sigma _i\).

After all the queries by \(\mathcal {A}\) are done, but before it outputs its decision, the key K (of the hash function \(H_K\)) in the real world and a dummy key in the ideal world is released to the adversary. This enables the adversary to compute the keys \((K_1, \cdots , K_{\mu })\). The interaction of \(\mathcal {A}\) with the oracles can be summarized by a transcript \(\tau = \{K, \tau _1, \cdots , \tau _{\mu }, \tau _p\}\) or equivalently, \(\tau = \{K_1, \cdots , K_{\mu }, \tau _1, \cdots , \tau _{\mu }, \tau _p\}\).

Without loss of generality we assume that \(\mathcal {A}\) is deterministic. Given the fixed deterministic adversary \(\mathcal {A}\), we denote the probability distribution of transcripts in the real world by X, and in the ideal world by Y. We say that a transcript \(\tau \) is attainable if it can be obtained from interacting with \((P_1, \cdots , P_{\mu }, P)\), i.e., \({\text {Pr}}{[Y = \tau ]} > 0\). In our proof, we use the H-coefficient technique, as given by Lemma 4.

Lemma 4

(H-coefficient Technique [36]). Let us consider a fixed deterministic adversary \(\mathcal {A}\), and let \(\mathcal {T}=\mathcal {T}_{good} \cup \mathcal {T}_{bad}\) be a partition of the set of attainable transcripts. Let \(\delta \) be such that for all \(\tau \in \mathcal {T}_{good}\)

$$\begin{aligned} \frac{{\text {Pr}}{[X = \tau ]}}{{\text {Pr}}{[Y=\tau ]}} \ge 1 - \delta \end{aligned}$$

(28)

Then, .

We say that a transcript \(\tau \in \mathcal {T}\) is bad if two different queries result in the same input (or output) to P, were \(\mathcal {A}\) interacting with the real world. Stated formally, \(\tau \) is bad if one of the following conditions is met:

$$\begin{aligned} \exists \, i, i', j, j': i \ne i':\, & M_{ij} \oplus M_{i'j'} = K_i \oplus K_{i'} & \vee \text { } & C_{ij} \oplus C_{i'j'} = K_i \oplus K_i' \end{aligned}$$

(29a)

$$\begin{aligned} \exists \, i, j, j': \, & M_{ij} \oplus x_{j'} = K_i & \vee \text { } & C_{ij} \oplus y_{j'} = K_i \end{aligned}$$

(29b)

A transcript that is not a bad transcript, is referred to as a good transcript.

Upper Bounding \({\text {Pr}}{[Y \in \mathcal {T}_{bad}]}.\) We want to upper bound the event that a transcript \(\tau \) in the ideal world satisfies Eq. 29a or 29b. Recall that for \(i = 1, \cdots , \mu \), keys \(K_i\) satisfy the \(\epsilon \)-uniform-AXU property. For any fixed \(i\ne i'\), there are at most \(2\sigma _i \sigma _{i'}\) possible plaintext pairs and ciphertext pairs. With keys satisfying \(\epsilon \)-AXU property, the probability of satisfying the condition in Eq. 29a is bounded by \(2\sigma _i \sigma _{i'} \epsilon \). Analogously, for any fixed i, there are at most \(2\sigma _i q_p\) distinct values in Eq. 29b. Since the keys are also \(\epsilon \)-uniform, the probability of satisfying the condition in Eq. 29b is bounded by \(2\sigma _i q_p \epsilon \). Therefore,

$$\begin{aligned} {\text {Pr}}{[Y \in T_{bad}]} & \le \big (\varSigma _i \varSigma _{i'<i} 2\sigma _i \sigma _{i'} \epsilon \big ) + \big (\varSigma _i 2\sigma _i q_p \epsilon \big )\\ & \le \sigma ^2 \epsilon + 2\sigma q_p \epsilon . \end{aligned}$$

Lower Bounding Ratio \({\text {Pr}}{[X = \tau ]} / {\text {Pr}}{[Y = \tau ]}.\) Let us consider a good and attainable transcript \(\tau \in \mathcal {T}_{good}\). Then, denote by \(\varOmega _X = 2^{b} \cdot 2^b!\) the set of all possible oracles in the real world and by \(comp_X(\tau ) \subseteq \varOmega _X \) the set of oracles in \(\varOmega _X\) compatible with transcript \(\tau \). Define \(\varOmega _Y = 2^{b} \cdot (2^b!)^{\mu +1}\) and \(comp_Y(\tau )\) similarly. According to the H-coefficient technique:

$$\begin{aligned} {\text {Pr}}{[X = \tau ]} = \frac{|comp_X(\tau )|}{|\varOmega _X|} \text { and } {\text {Pr}}{[Y = \tau ]} = \frac{|comp_Y(\tau )|}{|\varOmega _Y|} \end{aligned}$$

(31)

First, we calculate \(|comp_X(\tau )|\). As \(\tau \in \mathcal {T}_{good}\), there are no two queries in \(\tau \) with the same input or output of the underlying permutation. Any query tuple in \(\tau \), therefore, fixes exactly one input-output pair of the underlying oracle. Because \(\tau \) consists of \(\sigma + q_p\) query tuples, the number of possible oracles in the real world equals \((2^b - \sigma - q_p)!\). By a similar reasoning, the number of possible oracles in the ideal world equals \(\prod _{i=1}^{\mu } (2^b - \sigma _i)! \cdot (2^b - q_p)!\). Therefore,

$$\begin{aligned} {\text {Pr}}{[X = \tau ]} = \frac{(2^b - \sigma - q_p)!}{2^{b} \cdot 2^{b}!} \end{aligned}$$

(32)

$$\begin{aligned} \begin{aligned} {\text {Pr}}{[Y = \tau ]} & = \frac{\prod _{i=1}^{\mu } (2^b - \sigma _i)! \cdot (2^b - q_p)!}{2^{b} \cdot (2^b!)^{\mu +1}} \\ & \le \frac{ (2^b - \sigma - q_p)! \cdot (2^b!)^{\mu }}{2^{b} \cdot (2^b!)^{\mu +1}} \\ &= \frac{(2^b - \sigma - q_p)!}{2^{b} \cdot 2^{b}!} = {\text {Pr}}{[X = \tau ]} \end{aligned} \end{aligned}$$

(33)

It then follows that \({\text {Pr}}{[X = \tau ]} /{\text {Pr}}{[Y = \tau ]} \ge 1\). Thus,

This proves the theorem.