TY - GEN
T1 - On the Streaming Indistinguishability of a Random Permutation and a Random Function
AU - Dinur, Itai
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2020.
PY - 2020/1/1
Y1 - 2020/1/1
N2 - An adversary with S bits of memory obtains a stream of Q elements that are uniformly drawn from the set {1,2,...,N}, either with or without replacement. This corresponds to sampling Q elements using either a random function or a random permutation. The adversary’s goal is to distinguish between these two cases. This problem was first considered by Jaeger and Tessaro (EUROCRYPT 2019), which proved that the adversary’s advantage is upper bounded by √Q · S/N. Jaeger and Tessaro used this bound as a streaming switching lemma which allowed proving that known time-memory tradeoff attacks on several modes of operation (such as counter-mode) are optimal up to a factor of O(log N) if Q · S ≈ N. However, the bound’s proof assumed an unproven combinatorial conjecture. Moreover, if Q · S << N there is a gap between the upper bound of √Q · S/N and the Q · S/N advantage obtained by known attacks. In this paper, we prove a tight upper bound (up to poly-logarithmic factors) of O(log Q · Q · S/N) on the adversary’s advantage in the streaming distinguishing problem. The proof does not require a conjecture and is based on a hybrid argument that gives rise to a reduction from the unique-disjointness communication complexity problem to streaming.
AB - An adversary with S bits of memory obtains a stream of Q elements that are uniformly drawn from the set {1,2,...,N}, either with or without replacement. This corresponds to sampling Q elements using either a random function or a random permutation. The adversary’s goal is to distinguish between these two cases. This problem was first considered by Jaeger and Tessaro (EUROCRYPT 2019), which proved that the adversary’s advantage is upper bounded by √Q · S/N. Jaeger and Tessaro used this bound as a streaming switching lemma which allowed proving that known time-memory tradeoff attacks on several modes of operation (such as counter-mode) are optimal up to a factor of O(log N) if Q · S ≈ N. However, the bound’s proof assumed an unproven combinatorial conjecture. Moreover, if Q · S << N there is a gap between the upper bound of √Q · S/N and the Q · S/N advantage obtained by known attacks. In this paper, we prove a tight upper bound (up to poly-logarithmic factors) of O(log Q · Q · S/N) on the adversary’s advantage in the streaming distinguishing problem. The proof does not require a conjecture and is based on a hybrid argument that gives rise to a reduction from the unique-disjointness communication complexity problem to streaming.
KW - Communication complexity
KW - Mode of operation
KW - Provable security
KW - Streaming algorithm
KW - Switching lemma
KW - Time-memory tradeoff
UR - http://www.scopus.com/inward/record.url?scp=85084813866&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-45724-2_15
DO - 10.1007/978-3-030-45724-2_15
M3 - Conference contribution
AN - SCOPUS:85084813866
SN - 9783030457235
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 433
EP - 460
BT - Advances in Cryptology – EUROCRYPT 2020 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
A2 - Canteaut, Anne
A2 - Ishai, Yuval
PB - Springer
T2 - 39th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2020
Y2 - 10 May 2020 through 14 May 2020
ER -