LIZARD-Construction - On Stream Ciphers with Provable Beyond-the-Birthday-Bound Security

Let us first define an adequate distinguishing game between Alice and Eve. This can be easily obtained by modifying the Definition 3 in the following points

Definition 17. (i) The game depends on the global parameters π, M, n, R, where π denotes a fixed bijective state transition function π : {0,1}n −→ {0,1}n,M,n,R denote natural numbers, andn,R,πfulfill the conditions [A1, A2]. The game is divided into a query phase and a decision phase. (ii) At the beginning. Alice chooses randomly and w.r.t. the uniform distribution

a secret 5-tupleω= (bω, kω, Pω, Fω, Eω), where • bω∈ {0,1}

• kω∈ {0,1} n

denotes the session secret key. • Pω:{0,1}

−→ {0,1}n denotes a random permutation, • Fω:{0,1}n−→ {0,1}n denotes a randomπ-iterative function. • Eω:{0,1}

−→ {0,1}R denotes a random function.

We denote byΩthe corresponding probability space of all such triples toget- her with the uniform distribution.

(iii) The adversary Eve is supposed to be a randomized oracle algorithm of poten- tially unbounded computational power, who is allowed to pose component oracle queries of type P(u) =?, or P−1(v) =?-, or F(y) =? for inputs

u, v ∈ {0,1}n and y ∈ {0,1}n, which are correctly answered by Alice by

Pω(u),(Pω)−1(v), orFω(y), respectively.

(iv) Moreover, Eve can pose construction oracle queries of the form E(x) =?, wherex∈ {0,1}n.

If bω = 0 (the truly random case), Alice answers such questions with the random packetEω(x).

If bω = 1 (the pseudorandom case), Alice answers such questions in accor- dance with Definition 3, i.e., with the keystream packet corresponding to the initial state y := Pω(x⊕kω)⊕kω induced by the session key kω and the initial valuex. Note again that this keystream packet is the concatenation of theR/n F-values

Fω(y)||Fω(πn(y))|| · · · ||Fω(πn(R/n−1)(y)).

(v) In the query phase, Eve is allowed to pose exactly M oracle queries. In the decision phase, Eve has to submit someb∈ {0,1}n. Eve wins ifb=bω. (vi) Besides the running time and the number M of oracle queries, the essential

cost parameter is the advantage reached by Eve, which is defined to be the absolute value of the difference of the probabilities that Eve outputs 1 under the condition thatbω= 0 andbω= 1, respectively. measured with respect to the uniform distribution onΩ and the internal randomization of Eve. Note that in the truly random case, Alice outputs keystream packets in de- pendence of input initial valuesx∈ {0,1}naccording to a truly random function, and independently ofkωand the ideal primitives Pω andFω. We prove

Auxiliary Supporting Material

Theorem 4. If R > n, then Eve can reach advantage 1/4 with M =Θ(2n/2₎

oracle queries and running timeM =Θ(2n/2).

Proof:We only sketch the proof, which is quite straightforward. Using the same idea as in the proof of Theorem 1, one can show that withΘ(2n/2₎_E_-queries

andΘ(2n/2₎_F_{-queries, Eve can generate an EF-collision (}_{x, y}_{) with probability}

greater 1/2. Here, a pair (x, y)∈ {0,1}n× {0,1}n is called EF-collision, if and only if the block the first n bits of z coincides with Fω(y), where z ∈ {0,1}R denotes the answer of theE-query with input x.

Alice outputsb= 1 (pseudorandom!) ifzn+1equals the last bit ofFω(π(y)).

Note that if bω = 1 (the pseudorandom scenario) the probability that Eve outputsb= 1 is one. In the random scenario, this probability is exactly 1/2.

B

A Short Excursion to Chernov Bounds

At several places of our proof we have to apply a technique called Chernov Bounds in the literature. The basicChernov Bound argument is the following.

Theorem 5. Let N be a positive integer, p∈ (0,1), and A1,· · · , AN be a set of mutually independent random variables, where, for all i= 1,· · ·, N, it holds that P r[Ai= 1−p] =pandP r[Ai=−p] = 1−p. LetA=

PN i=1Ai. Then P r[A > a]< e−2a 2 N ₍₅₁₎ for alla >0.

For aproofsee, e.g., Alon, Spencer, Erdos, The Probabilistic Method, Wiley Interscience 1992, Theorem A4 on page 235.

We derive from Theorem 5 a corresponding result for random{0,1}-variables.

Lemma 7. Let p, N, and Ai for i= 1,· · · , N be defined as in Lemma 7, and let Bi =Ai+p. Note that Bi ∈ {0,1} and P r[Bi = 1] =p. Let B =

PN i=1Bi. Then, for all d >0, it holds

P r[B >(p+d)N]< e−2·d2·N. (52)

Proof of Lemma 7:By definition, B=A+N·p. The proof is completed by puttinga=d·N into the relation in Theorem 5.

Auxiliary Supporting Material

Lemma 8. LetC1,· · · , CN denote a collection of (not necessarily independent) random {0,1}-variables fulfilling P r[Ci = 1] =pi < pfor all i,1≤i≤N, and somep,0< p <1. Let C=PN_i₌₁Ci.

We suppose that, fori > 1, the probabilities pi depend deterministically on (and can be computed from) the outcomes of the experimentsE1,· · · , Ei−1behind

C1,· · · , Ci−1.

Then, for alld >0, it holds

P r[C >(p+d)N]< e−2·d2·N.

At several places we will taked=pD/(2N) and obtain

P r[C >(p+d)N] =P r " C > pN+ r D·N 2 # < e−D. (53)

Proof of Lemma 8: We construct a collection of mutually independent binary random variablesB1,· · ·, BN satisfying

– Ci= 1 impliesBi= 1,

– P r[Bi= 1] =p for alli, 1≤i≤N.

This proves our Lemma 8, asPN_i₌₁Ci ≤PN_i₌₁Bi with probability one, and as Lemma 7 can be applied to B=PN_i₌₁Bi.

The experiments ˜Ei behindBi are for alli, 1≤i≤N, defined as follows:

– Computepi from the outcomes of the experimentsE1,· · · , Ei−1.

– PerformEi and output one (i.e., Bi= 1) ifEi is successful (i.e., ifCi= 1).

– IfEi is not successful (i.e.,Ci= 0), then perform a completely independent experimentE_i0with success probabilityqi= p1−−ppii and output one (i.e.,Bi=

1) ifE0_i is successful. Note thatP r[Bi= 1] equals

P r[Bi= 1|Ci= 1]·P r[Ci= 1] +P r[Bi= 1|Ci= 0]·P r[Ci= 0] = 1·pi+qi·(1−pi) =p.

u t

In document On Stream Ciphers with Provable Beyond-the-Birthday-Bound Security against Time-Memory-Data Tradeoff Attacks (Page 43-45)