Adventures in crypto dark matter: attacks, fixes and analysis for weak pseudorandom functions

Jung Hee Cheon; Wonhee Cho; Jeong Han Kim; Jiseung Kim

doi:10.1007/s10623-022-01071-x

Adventures in crypto dark matter: attacks, fixes and analysis for weak pseudorandom functions

Jung Hee Cheon
, Wonhee Cho^*
, Jeong Han Kim
, Jiseung Kim

^*Corresponding author for this work

Seoul National University
Korea Institute for Advanced Study

Research output: Contribution to journal › Journal article › peer-review

2 Scopus citations

Abstract

A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives for its efficiency although it has lower security than a standard PRF. Recently, Boneh et al. (in: Theory of cryptography conference, Springer, pp 699–729, 2018) introduced two types of new weak PRF candidates, which are called a basic Mod-2/Mod-3 and alternative Mod-2/Mod-3 weak PRF. Both use the mixture of linear computations defined on different small moduli to satisfy conceptual simplicity, low complexity (depth-2 ACC) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that allows exponentially many samples, and a basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all the features above. However, none of the direct attacks which focus on basic and alternative Mod-2/Mod-3 weak PRFs use their own structures. In this paper, we investigate weak PRFs from two perspectives; attacks, fixes. We first propose direct attacks for an alternative Mod-2/Mod-3 weak PRF and a basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as a secret key. For an alternative Mod-2/Mod-3 weak PRF, we prove that the adversary’s advantage is at least 2 ^-^0.105ⁿ, where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than 2 ^-^0.21ⁿ, which is contrary to the previous expectation that ‘structured secret key’ does not affect the security of a weak PRF. Thus, for an optimistic parameter choice n= 2 λ for the security parameter λ, parameters should be increased to preserve λ-bit security when an adversary obtains exponentially many samples. Next, we suggest a simple method for repairing two weak PRFs affected by our attack. Moreover, we provide the first direct algorithm for a basic Mod-2/Mod-3 weak PRF with a random secret key even though it does not capture the current parameters.

Original language	English
Pages (from-to)	1735-1760
Number of pages	26
Journal	Designs, Codes, and Cryptography
Volume	90
Issue number	8
DOIs	https://doi.org/10.1007/s10623-022-01071-x
State	Published - 2022.08

Keywords

Cryptanalysis
Weak PRF

Quacquarelli Symonds(QS) Subject Topics

Computer Science & Information Systems
Mathematics
Data Science

Access to Document

10.1007/s10623-022-01071-x

Cite this

@article{54c2101917b342c0ac6a550eedb5c69f,

title = "Adventures in crypto dark matter: attacks, fixes and analysis for weak pseudorandom functions",

abstract = "A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives for its efficiency although it has lower security than a standard PRF. Recently, Boneh et al. (in: Theory of cryptography conference, Springer, pp 699–729, 2018) introduced two types of new weak PRF candidates, which are called a basic Mod-2/Mod-3 and alternative Mod-2/Mod-3 weak PRF. Both use the mixture of linear computations defined on different small moduli to satisfy conceptual simplicity, low complexity (depth-2 ACC) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that allows exponentially many samples, and a basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all the features above. However, none of the direct attacks which focus on basic and alternative Mod-2/Mod-3 weak PRFs use their own structures. In this paper, we investigate weak PRFs from two perspectives; attacks, fixes. We first propose direct attacks for an alternative Mod-2/Mod-3 weak PRF and a basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as a secret key. For an alternative Mod-2/Mod-3 weak PRF, we prove that the adversary{\textquoteright}s advantage is at least 2 -0.105n, where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than 2 -0.21n, which is contrary to the previous expectation that {\textquoteleft}structured secret key{\textquoteright} does not affect the security of a weak PRF. Thus, for an optimistic parameter choice n= 2 λ for the security parameter λ, parameters should be increased to preserve λ-bit security when an adversary obtains exponentially many samples. Next, we suggest a simple method for repairing two weak PRFs affected by our attack. Moreover, we provide the first direct algorithm for a basic Mod-2/Mod-3 weak PRF with a random secret key even though it does not capture the current parameters.",

keywords = "Cryptanalysis, Weak PRF",

author = "Cheon, \{Jung Hee\} and Wonhee Cho and Kim, \{Jeong Han\} and Jiseung Kim",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature.",

year = "2022",

month = aug,

doi = "10.1007/s10623-022-01071-x",

language = "English",

volume = "90",

pages = "1735--1760",

journal = "Designs, Codes, and Cryptography",

issn = "0925-1022",

number = "8",

}

TY - JOUR

T1 - Adventures in crypto dark matter

T2 - attacks, fixes and analysis for weak pseudorandom functions

AU - Cheon, Jung Hee

AU - Cho, Wonhee

AU - Kim, Jeong Han

AU - Kim, Jiseung

PY - 2022/8

Y1 - 2022/8

N2 - A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives for its efficiency although it has lower security than a standard PRF. Recently, Boneh et al. (in: Theory of cryptography conference, Springer, pp 699–729, 2018) introduced two types of new weak PRF candidates, which are called a basic Mod-2/Mod-3 and alternative Mod-2/Mod-3 weak PRF. Both use the mixture of linear computations defined on different small moduli to satisfy conceptual simplicity, low complexity (depth-2 ACC) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that allows exponentially many samples, and a basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all the features above. However, none of the direct attacks which focus on basic and alternative Mod-2/Mod-3 weak PRFs use their own structures. In this paper, we investigate weak PRFs from two perspectives; attacks, fixes. We first propose direct attacks for an alternative Mod-2/Mod-3 weak PRF and a basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as a secret key. For an alternative Mod-2/Mod-3 weak PRF, we prove that the adversary’s advantage is at least 2 -0.105n, where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than 2 -0.21n, which is contrary to the previous expectation that ‘structured secret key’ does not affect the security of a weak PRF. Thus, for an optimistic parameter choice n= 2 λ for the security parameter λ, parameters should be increased to preserve λ-bit security when an adversary obtains exponentially many samples. Next, we suggest a simple method for repairing two weak PRFs affected by our attack. Moreover, we provide the first direct algorithm for a basic Mod-2/Mod-3 weak PRF with a random secret key even though it does not capture the current parameters.

AB - A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives for its efficiency although it has lower security than a standard PRF. Recently, Boneh et al. (in: Theory of cryptography conference, Springer, pp 699–729, 2018) introduced two types of new weak PRF candidates, which are called a basic Mod-2/Mod-3 and alternative Mod-2/Mod-3 weak PRF. Both use the mixture of linear computations defined on different small moduli to satisfy conceptual simplicity, low complexity (depth-2 ACC) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that allows exponentially many samples, and a basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all the features above. However, none of the direct attacks which focus on basic and alternative Mod-2/Mod-3 weak PRFs use their own structures. In this paper, we investigate weak PRFs from two perspectives; attacks, fixes. We first propose direct attacks for an alternative Mod-2/Mod-3 weak PRF and a basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as a secret key. For an alternative Mod-2/Mod-3 weak PRF, we prove that the adversary’s advantage is at least 2 -0.105n, where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than 2 -0.21n, which is contrary to the previous expectation that ‘structured secret key’ does not affect the security of a weak PRF. Thus, for an optimistic parameter choice n= 2 λ for the security parameter λ, parameters should be increased to preserve λ-bit security when an adversary obtains exponentially many samples. Next, we suggest a simple method for repairing two weak PRFs affected by our attack. Moreover, we provide the first direct algorithm for a basic Mod-2/Mod-3 weak PRF with a random secret key even though it does not capture the current parameters.

KW - Cryptanalysis

KW - Weak PRF

UR - https://www.scopus.com/pages/publications/85132824523

U2 - 10.1007/s10623-022-01071-x

DO - 10.1007/s10623-022-01071-x

M3 - Journal article

AN - SCOPUS:85132824523

SN - 0925-1022

VL - 90

SP - 1735

EP - 1760

JO - Designs, Codes, and Cryptography

JF - Designs, Codes, and Cryptography

IS - 8

ER -

Adventures in crypto dark matter: attacks, fixes and analysis for weak pseudorandom functions

Abstract

Keywords

Quacquarelli Symonds(QS) Subject Topics

Access to Document

Other files and links

Fingerprint

Cite this