Abstract
Very recently (in CRYPTO 2017) Dai, Hoang, and Tessaro introduced the chi-square method (χ2 method), which can be applied to obtain an upper bound on the statistical distance between two joint probability distributions. The authors applied this method to prove the pseudorandom function security (PRF-security) of the sum of two random permutations. In this work, we revisit their proof and find a non-trivial gap in it. We plug this gap for two specific cases and state the general case as an assumption whose proof is essential for the completeness of the proof by Dai et al. A complete, correct, and transparent proof of the full security of the sum of two random permutations construction is highly desirable, especially given its importance and two-decade-old legacy. The proposed χ2 method seems to have potential for application to similar problems, where a similar gap may creep into a proof. These considerations motivate us to communicate our observation in a formal way. On the positive side, we provide a very simple proof of the PRF-security of the truncated random permutation construction (a method to construct a PRF from a random permutation) using the χ2 method. We note that a proof of the PRF-security of this construction due to Stam is already known in a purely statistical context. However, the use of the χ2 method makes the proof much simpler.
Notes
This line of work was initiated by Bellare et al. in [2], who coined the term “Luby-Rackoff backwards” for such a conversion.
A quote from the paper [7]: “Patarin's tight proof is very involved, with some claims remaining open or unproved.”
In fact, in this setting, i.e., for information-theoretic security, there always exists an adversary \(\mathcal {A}^{\prime }\) such that \( \mathbf {Adv}^{\text {prf}}_{f}(\mathcal {A}^{\prime }) = d_{\text {TV}}(\mathbf {P}_{\mathbf {1}}, \mathbf {P}_{\mathbf {0}})\); \(\mathcal {A}^{\prime }\) returns 1 for any \(x^{q} \in \mathcal {E}^{\prime }\), where \(\mathcal {E}^{\prime }\) is such that \(d_{\text {TV}}(\mathbf {P}_{\mathbf {1}}, \mathbf {P}_{\mathbf {0}})= \mathbf {P}_{\mathbf {0}}({\mathcal {E}}^{\prime }) - \mathbf {P}_{\mathbf {1}}({\mathcal {E}}^{\prime })\).
The triangle inequality of the total variation metric follows easily from the triangle inequality for real numbers.
This has been shown later in the proof given by Dai et al. Since we do not provide details on this claim in this paper, we skip its proof here.
Let \(a_{1},\ldots ,a_{n}\) and \(b_{1},\ldots ,b_{n}\) be nonnegative numbers. We denote the sums \(\sum _{i} a_{i}\) and \(\sum _{i} b_{i}\) by a and b respectively. The log sum inequality states that \(\sum _{{i = 1}}^{n}a_{i}\log \frac {a_{i}}{b_{i}} \geq a\log \frac {a}{b}\).
References
Bellare, M., Impagliazzo, R.: A tool for obtaining tighter security analyses of pseudorandom function based constructions, with applications to PRP to PRF conversion. IACR Cryptol. ePrint Arch. 1999, 24 (1999)
Bellare, M., Krovetz, T., Rogaway, P.: Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible, pp 266–280. Springer, Berlin (1998)
Black, J., Rogaway, P.: A block-cipher mode of operation for parallelizable message authentication. In: EUROCRYPT 2002, volume 2332 of LNCS, pp 384–397. Springer (2002)
Cogliati, B., Lampe, R., Patarin, J.: The Indistinguishability of the XOR of k Permutations. In: Fast Software Encryption - 21st International Workshop, FSE 2014, London, UK, March 3-5, 2014. Revised Selected Papers, edited by C. Cid and C. Rechberger, volume 8540 of Lecture Notes in Computer Science, pp 285–302. Springer (2014)
Cogliati, B., Seurin, Y.: EWCDM: An Efficient, Beyond-Birthday Secure, Nonce-Misuse Resistant MAC. In: CRYPTO 2016, Proceedings, Part I, pp 121–149 (2016)
Cover, T.M., Thomas, J.A.: Elements of Information Theory (Wiley Series in Telecommunications and Signal Processing), Wiley-Interscience (2006)
Dai, W., Hoang, V.T., Tessaro, S.: Information-theoretic Indistinguishability via the Chi-squared Method, Cryptology ePrint Archive, Report 2017/537. http://eprint.iacr.org/2017/537 (2017)
Gilboa, S., Gueron, S.: Distinguishing a truncated random permutation from a random function, IACR Cryptology ePrint Archive 2015, 773 (2015)
Gilboa, S., Gueron, S.: The advantage of truncated permutations, CoRR arXiv:1610.02518 (2016)
Gilboa, S., Gueron, S., Morris, B.: How Many Queries are Needed to Distinguish a Truncated Random Permutation from a Random Function? Journal of Cryptology (2017)
Gueron, S., Langley, A., Lindell, Y: AES-GCM-SIV: Specification and Analysis, IACR Cryptology ePrint Archive 2017, 168 (2017)
Gibbs, A.L., Su, F.E.: On choosing and bounding probability metrics. Int. Stat. Rev. 70(3), 419–435 (2002)
Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs, pp 370–389. Springer, Berlin (1998)
Iwata, T., Minematsu, K., Peyrin, T., Seurin, Y.: ZMAC: A fast tweakable block cipher mode for highly secure message authentication, IACR Cryptology ePrint Archive 2017, 535 (2017)
Iwata, T.: New blockcipher modes of operation with beyond the birthday bound security. In: Fast Software Encryption, 13th International Workshop, FSE 2006, Graz, Austria, March 15-17, 2006, Revised Selected Papers, edited by M. J. B. Robshaw, volume 4047 of Lecture Notes in Computer Science, pp 310–327. Springer (2006)
Kullback, S., Leibler, R.A.: On information and sufficiency. Ann. Math. Statist. 22(1), 79–86 (1951)
Lucks, S.: The sum of PRPs is a secure PRF. In: EUROCRYPT 2000, volume 1807 of LNCS, pp 470–484. Springer (2000)
Liese, F., Vajda, I.: Convex statistical distances. Teubner, Leipzig (1987)
Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: Towards optimal security using Mirror theory, Cryptology ePrint Archive, Report 2017/xxx, to be published in CRYPTO 2017. http://eprint.iacr.org/2017/537 (2017)
Patarin, J.: The “Coefficients H” Technique. In: Selected Areas in Cryptography, 2008, volume 5381 of LNCS, pp 328–345. Springer (2008)
Patarin, J.. In: ICITS 2008, volume 5155 of LNCS, pp 232–248. Springer (2008)
Patarin, J.: Introduction to Mirror Theory: Analysis of Systems of Linear Equalities and Linear Non Equalities for Cryptography., Cryptology ePrint Archive, Report 2017/287. http://eprint.iacr.org/2010/287 (2010)
Reiss, R.-D.: Approximate distributions of order statistics: with applications to nonparametric statistics. Springer Science & Business Media, Berlin (2012)
Slivkins, A.: Lecture Notes CMSC 858G: Bandits, Experts and Games (Lecture 3). http://www.cs.umd.edu/slivkins/CMSC858G-fall16/Lecture3.pdf (2016)
Stam, A.J.: Distance between sampling with and without replacement. Statistica Neerlandica 32(2), 81–91 (1978)
Acknowledgments
We thank the reviewers for their comments and suggestions which have improved the quality of our manuscript.
This article is part of the Topical Collection on Special Issue on Statistics in Design and Analysis of Symmetric Ciphers
Appendix A: Proof of the χ2 method
In this section we provide a proof of Theorem 1, which is the heart of the χ2 method. The proof is based on Lemma 1, Lemma 2, and Theorem 6. Along the way we also briefly mention some relevant facts about KL divergence and χ2 distance.
Kullback-Leibler Divergence. The Kullback-Leibler divergence (KL divergence), or relative entropy, from \(\mathbf {P}_{\mathbf {0}}\) to \(\mathbf {P}_{\mathbf {1}}\) is defined as
Note that the KL divergence is defined only if \(\mathbf {P}_{\mathbf {0}} \ll \mathbf {P}_{\mathbf {1}}\) (with the convention that \(0 \log {0\over 0}= 0\)). It was first defined by Kullback and Leibler in 1951 [16] as a generalization of Shannon's notion of entropy (see [6]).
It can be shown that the KL divergence between any two distributions is always non-negative (known as Gibbs’ inequality, see [6]). However, it is not symmetric (i.e., \(d_{\text {KL}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \neq d_{\text {KL}}(\mathbf {P}_{\mathbf {1}}, \mathbf {P}_{\mathbf {0}})\) in general) and does not satisfy the triangle inequality. Thus, KL divergence is not a metric.
Though not a metric, KL divergence has some useful properties. For example, the KL divergence between two product distributions is additive over the corresponding marginals (see [6, 23]). More generally, the KL divergence between two joint distributions can be obtained as the sum of the KL divergences of the corresponding conditional distributions. This is known as the chain rule of KL divergence, and it is one of the crucial parts of the χ2 method. We elaborate on it in more detail below.
Chain rule of KL divergence. Let \( \mathbf {P}_{\mathbf {0}}^{\textit {\textbf {q}}}\) and \(\mathbf {P}_{\mathbf {1}}^{\textit {\textbf {q}}}\) be two probability distributions over \(\mathrm {\Omega }^{q}\). We write \(\mathbf {P}_{\mathbf {0}}^{ {i}}\) and \(\mathbf {P}_{\mathbf {1}}^{ {i}}\) for the marginal probability distributions of the first i coordinates of \(\mathbf {P}_{\mathbf {0}}^{\textit {\textbf {q}}}\) and \(\mathbf {P}_{\mathbf {1}}^{\textit {\textbf {q}}}\) respectively, 1 ≤ i ≤ q. In other words, if \(\mathsf {X} := (\mathsf {X}_{1},\ldots ,\mathsf {X}_{q})\) and \(\mathsf {Y} := (\mathsf {Y}_{1},\ldots ,\mathsf {Y}_{q})\) are two joint random variables following the probability distributions \(\mathbf {P}_{\mathbf {0}}^{q}\) and \(\mathbf {P}_{\mathbf {1}}^{q}\), then \(\textbf {P}^{i}_{0}\) and \(\textbf {P}^{i}_{1}\) represent the probability distributions of \(\mathsf {X}^{i}\) and \(\mathsf {Y}^{i}\) respectively. We recall that \(\mathbf {P}_{\mathbf {0}|x^{i-1}}(x_{i})\) denotes the conditional distribution \(\textbf {P}(\mathsf {X}_{i} = x_{i}|\mathsf {X}^{i-1} = x^{i-1})\), and similarly for \(\mathbf {P}_{\mathbf {1}|x^{i-1}}(x_{i})\). Moreover, \(\text {KL}(x^{i-1}) = d_{\text {KL}}(\mathbf {P}_{\mathbf {0}|x^{i-1}}, \mathbf {P}_{\mathbf {1}|x^{i-1}})\). We now state the chain rule of KL divergence.
Lemma 1 (Chain rule of KL divergence (see [6], Theorem 2.5.3))
Following the above notations,
Proof
The next inequality due to Pinsker (see [6]) gives an upper bound on the total variation distance between two distributions in terms of their KL divergence.
Theorem 6 (Pinsker’s Inequality)
For all probability distributions \(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}\),
Proof
We follow the steps of [24]. Let \(\mathrm {\Omega }^{\prime } = \{x \in \mathrm {\Omega } \mid \mathbf {P}_{\mathbf {0}}(x) \geq \mathbf {P}_{\mathbf {1}}(x)\}\). Also, let \(p_{i} = \sum _{x \in {\mathrm {\Omega }^{\prime }}} \mathbf {P}_{\mathbf {i}}(x)\) for i ∈ {0, 1}. So \(d_{\text {TV}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) = p_{0} - p_{1}\). Also, by the log sum inequality (Footnote 6), we have \(d_{\text {KL}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \geq p_{0} \log {p_{0} \over p_{1}}+ (1-p_{0}) \log {(1-p_{0}) \over (1-p_{1})}\). Therefore,
χ2 distance. The χ2 distance has its origin in mathematical statistics, dating back to Pearson (see [18] for some history). The χ2 distance between \(\mathbf {P}_{\mathbf {0}}\) and \(\mathbf {P}_{\mathbf {1}}\), with \(\mathbf {P}_{\mathbf {0}} \ll \mathbf {P}_{\mathbf {1}}\), is defined as
It can be seen that the χ2 distance is not symmetric. Therefore, it is not a metric. However, like KL divergence, the χ2 distance between product distributions can be bounded in terms of the χ2 distances between their marginals (see [23]). The following lemma shows that the KL divergence between two distributions can be upper bounded by their χ2 distance. The first inequality can also be found in earlier works (see [12] for this and many other relations among various distances used in statistics).
Lemma 2
\(d_{\text {KL}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \leq \log (1 + d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}})) \leq d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}})\) .
Proof
By the definition of χ2 distance we have
The last inequality follows by observing that \(d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) \geq 0\) and log(1 + t) ≤ t for t ≥ 0.
A.1 Proof of Theorem 1
We are now ready to show the upper bound on \(d_{\text {TV}}(\mathbf {P}_{\mathbf {0}}^{\textit {\textbf {q}}}, \mathbf {P}_{\mathbf {1}}^{\textit {\textbf {q}}})\) in terms of the expected value of the χ2 distance between the conditional distributions \(\mathbf {P}_{\mathbf {0}|x^{i-1}}\) and \(\mathbf {P}_{\mathbf {1}|x^{i-1}}\). We state and prove the χ2 method, i.e. Theorem 1.
Proof of Theorem 1
The proof follows directly from Pinsker’s inequality (Theorem 6), the chain rule of KL divergence (Lemma 1), and Lemma 2. More precisely, we have
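As an added worked example (not code from the paper), the three ingredients of this proof are computed exactly for a toy instance of the truncated random permutation: P0 is the joint law of q truncated outputs of a uniform permutation on 2^n points, and P1 is the law of q independent uniform m-bit strings. The block assumes the standard definition \(d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}}, \mathbf {P}_{\mathbf {1}}) = \sum _{x} (\mathbf {P}_{\mathbf {0}}(x) - \mathbf {P}_{\mathbf {1}}(x))^{2} / \mathbf {P}_{\mathbf {1}}(x)\), natural logarithms, and applies Theorem 1 in the form that Pinsker, the chain rule and Lemma 2 together yield, \(d_{\text {TV}} \leq \big (\tfrac {1}{2} \sum _{i} \mathbf {E}_{x^{i-1} \sim \mathbf {P}_{\mathbf {0}}}[d_{\chi ^{2}}(\mathbf {P}_{\mathbf {0}|x^{i-1}}, \mathbf {P}_{\mathbf {1}|x^{i-1}})]\big )^{1/2}\); all function names are my own.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import permutations, product
from math import log, sqrt

def truncated_perm_dist(n_bits, m_bits, q):
    """P0^q: law of the top-m-bit truncations of a uniform permutation on 2^n points at q inputs."""
    N, shift = 2 ** n_bits, n_bits - m_bits
    images = list(permutations(range(N), q))           # every injective image sequence
    dist = defaultdict(Fraction)
    for imgs in images:
        dist[tuple(y >> shift for y in imgs)] += Fraction(1, len(images))
    return dict(dist)

def uniform_dist(m_bits, q):
    """P1^q: q independent uniform m-bit outputs, i.e. a random function."""
    return {t: Fraction(1, 2 ** (m_bits * q)) for t in product(range(2 ** m_bits), repeat=q)}

def d_tv(p0, p1):
    return sum(abs(p0.get(k, 0) - p1.get(k, 0)) for k in set(p0) | set(p1)) / 2
def d_kl(p0, p1):    # requires p0 << p1; natural logarithm
    return sum(float(p) * log(p / p1[k]) for k, p in p0.items() if p)
def d_chi2(p0, p1):  # requires p0 << p1 (standard chi-square divergence, assumed)
    return sum((p0.get(k, 0) - p1[k]) ** 2 / p1[k] for k in p1)

def conditional(joint, prefix):
    """Returns (P(prefix), law of the next coordinate given that prefix)."""
    i, mass, cond = len(prefix), Fraction(0), defaultdict(Fraction)
    for t, p in joint.items():
        if t[:i] == prefix:
            mass += p
            cond[t[i]] += p
    return mass, {x: p / mass for x, p in cond.items()}

def chi2_method_sum(p0, p1, q):
    """sum_i E_{x^{i-1} ~ P0}[d_chi2(P0|x^{i-1}, P1|x^{i-1})]; Theorem 1 gives d_TV <= sqrt(sum/2)."""
    total = Fraction(0)
    for i in range(q):
        for prefix in {t[:i] for t in p0}:              # prefixes with positive P0 mass
            mass0, c0 = conditional(p0, prefix)
            _, c1 = conditional(p1, prefix)
            total += mass0 * d_chi2(c0, c1)
    return total

def truncated_perm_example(n_bits=3, m_bits=2, q=2):
    # exact d_TV, the chi-square method bound, and checks of Pinsker and Lemma 2
    p0, p1 = truncated_perm_dist(n_bits, m_bits, q), uniform_dist(m_bits, q)
    tv, kl, chi = d_tv(p0, p1), d_kl(p0, p1), d_chi2(p0, p1)
    bound = sqrt(chi2_method_sum(p0, p1, q) / 2)
    return tv, bound, tv <= sqrt(kl / 2), kl <= log(1 + chi) <= chi
```

For n = 3, m = 2, q = 2 the exact distance is 3/28 while the χ2 method gives the bound (3/98)^{1/2}, so the bound is loose by a constant factor but already of the right order.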
Bhattacharya, S., Nandi, M. A note on the chi-square method: A tool for proving cryptographic security. Cryptogr. Commun. 10, 935–957 (2018). https://doi.org/10.1007/s12095-017-0276-z
Keywords
- Random permutation
- pseudorandom function
- χ2 distance
- KL divergence
- Total variation distance
- Pinsker’s inequality
- Sum of random permutation
- Truncated random permutation