TY - GEN

T1 - On the Streaming Indistinguishability of a Random Permutation and a Random Function

AU - Dinur, Itai

N1 - Publisher Copyright:
© International Association for Cryptologic Research 2020.

PY - 2020/1/1

Y1 - 2020/1/1

N2 - An adversary with S bits of memory obtains a stream of Q elements that are uniformly drawn from the set {1,2,...,N}, either with or without replacement. This corresponds to sampling Q elements using either a random function or a random permutation. The adversary’s goal is to distinguish between these two cases. This problem was first considered by Jaeger and Tessaro (EUROCRYPT 2019), which proved that the adversary’s advantage is upper bounded by √Q · S/N. Jaeger and Tessaro used this bound as a streaming switching lemma which allowed proving that known time-memory tradeoff attacks on several modes of operation (such as counter-mode) are optimal up to a factor of O(log N) if Q · S ≈ N. However, the bound’s proof assumed an unproven combinatorial conjecture. Moreover, if Q · S << N there is a gap between the upper bound of √Q · S/N and the Q · S/N advantage obtained by known attacks. In this paper, we prove a tight upper bound (up to poly-logarithmic factors) of O(log Q · Q · S/N) on the adversary’s advantage in the streaming distinguishing problem. The proof does not require a conjecture and is based on a hybrid argument that gives rise to a reduction from the unique-disjointness communication complexity problem to streaming.

AB - An adversary with S bits of memory obtains a stream of Q elements that are uniformly drawn from the set {1,2,...,N}, either with or without replacement. This corresponds to sampling Q elements using either a random function or a random permutation. The adversary’s goal is to distinguish between these two cases. This problem was first considered by Jaeger and Tessaro (EUROCRYPT 2019), which proved that the adversary’s advantage is upper bounded by √Q · S/N. Jaeger and Tessaro used this bound as a streaming switching lemma which allowed proving that known time-memory tradeoff attacks on several modes of operation (such as counter-mode) are optimal up to a factor of O(log N) if Q · S ≈ N. However, the bound’s proof assumed an unproven combinatorial conjecture. Moreover, if Q · S << N there is a gap between the upper bound of √Q · S/N and the Q · S/N advantage obtained by known attacks. In this paper, we prove a tight upper bound (up to poly-logarithmic factors) of O(log Q · Q · S/N) on the adversary’s advantage in the streaming distinguishing problem. The proof does not require a conjecture and is based on a hybrid argument that gives rise to a reduction from the unique-disjointness communication complexity problem to streaming.

KW - Communication complexity

KW - Mode of operation

KW - Provable security

KW - Streaming algorithm

KW - Switching lemma

KW - Time-memory tradeoff

UR - http://www.scopus.com/inward/record.url?scp=85084813866&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-45724-2_15

DO - 10.1007/978-3-030-45724-2_15

M3 - Conference contribution

AN - SCOPUS:85084813866

SN - 9783030457235

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 433

EP - 460

BT - Advances in Cryptology – EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings

A2 - Canteaut, Anne

A2 - Ishai, Yuval

PB - Springer

T2 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2020

Y2 - 10 May 2020 through 14 May 2020

ER -