Adventures in Crypto Dark Matter: Attacks, Fixes and Analysis for Weak Pseudorandom Function Candidates

A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives because of its efficiency, although it offers lower security than a standard PRF. Recently, Boneh et al. (TCC'18) introduced two new weak PRF candidates, called the basic Mod-2/Mod-3 and the alternative Mod-2/Mod-3 weak PRF. Both mix linear computations defined over different small moduli in order to achieve conceptual simplicity, low complexity (depth-2 ACC) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that is allowed exponentially many samples, and the basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all of the above features. However, none of the existing direct attacks on the basic and alternative Mod-2/Mod-3 weak PRFs exploits their specific structure. In this paper, we investigate weak PRFs from three perspectives: attacks, fixes, and a new analysis supporting the hardness conjecture of weak PRFs. We first propose direct attacks on the alternative Mod-2/Mod-3 weak PRF and on the basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as the secret key. For the alternative Mod-2/Mod-3 weak PRF, we prove that the adversary's advantage is at least 2^(-0.105n), where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than 2^(-0.21n), contrary to the previous expectation that 'a structured secret key' does not affect the security of a weak PRF. Thus, for the optimistic parameter choice n = 2λ for security parameter λ, parameters should be increased to preserve λ-bit security when an adversary obtains exponentially many samples. Next, we provide a simple method for repairing the two weak PRFs affected by our attack while preserving the depth-2 ACC circuit complexity and the parameters.
Moreover, we provide an observation and a new analysis that support the exponential hardness conjecture of the basic Mod-2/Mod-3 weak PRF when the secret key is uniformly sampled from {0,1}^(m×n).
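To make the "mixture of linear computations over different small moduli" concrete, the following is an added example (not code from the paper or from Boneh et al.) that evaluates the basic Mod-2/Mod-3 weak PRF candidate as I recall it from the cited TCC'18 construction: the key is a matrix A in {0,1}^(m×n), the input x in {0,1}^n is first multiplied by A over Z_2, and the resulting m bits are then summed modulo 3. It also builds the two key shapes the abstract contrasts, a uniformly random key and a circulant key derived from one row, and enumerates the output histogram for a toy key so the depth-2 (mod-2 layer, then mod-3 layer) structure and the effect of key choice can be inspected directly. Function names and the toy key/input values are my own constructions.

```python
import secrets
from itertools import product

def keygen_uniform(m, n, rng=secrets):
    """Key A uniformly sampled from {0,1}^(m x n), as in the hardness conjecture."""
    return [[rng.randbelow(2) for _ in range(n)] for _ in range(m)]

def keygen_circulant(first_row):
    """Circulant n x n key: row i is the first row rotated right by i positions.
    This is the structured key shape the abstract's heuristic attack targets."""
    n = len(first_row)
    return [first_row[-i:] + first_row[:-i] if i else list(first_row) for i in range(n)]

def mod2_mod3_prf(A, x):
    """Basic Mod-2/Mod-3 weak PRF candidate (assumed form, per Boneh et al. TCC'18):
    layer 1: y = A*x over Z_2   (m parity computations, depth-1)
    layer 2: output = sum(y_i) mod 3  (one MOD-3 gate over the m bits)
    """
    assert all(len(row) == len(x) for row in A), "key/input dimension mismatch"
    y = [sum(a & b for a, b in zip(row, x)) % 2 for row in A]
    return sum(y) % 3

def output_histogram(A):
    """Count outputs in Z_3 over all 2^n inputs for a small key.
    A weak PRF should not show a strong imbalance here; for toy sizes
    the histogram simply makes the output distribution visible."""
    n = len(A[0])
    counts = {0: 0, 1: 0, 2: 0}
    for x in product((0, 1), repeat=n):
        counts[mod2_mod3_prf(A, list(x))] += 1
    return counts

# Constructed toy values (not from the paper): a 3x4 key and a 4-bit input.
TOY_KEY = [[1, 0, 1, 1],
           [0, 1, 1, 0],
           [1, 1, 0, 1]]
TOY_INPUT = [1, 1, 0, 1]

if __name__ == "__main__":
    print("uniform-style toy key  ->", mod2_mod3_prf(TOY_KEY, TOY_INPUT))
    circ = keygen_circulant([1, 0, 1, 1])
    print("circulant key          ->", mod2_mod3_prf(circ, TOY_INPUT))
    print("histogram (toy key)    ->", output_histogram(TOY_KEY))
    A = keygen_uniform(8, 16)
    print("random 8x16 key sample ->", mod2_mod3_prf(A, [secrets.randbelow(2) for _ in range(16)]))
```

The two layers map directly onto the depth-2 ACC description: the first layer is only XOR/parity over Z_2, the second is a single modulo-3 sum, which is also what makes the candidate cheap to evaluate inside MPC protocols that work natively over Z_2 and Z_3.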
