
Adventures in crypto dark matter: attacks, fixes and analysis for weak pseudorandom functions

Designs, Codes and Cryptography

Abstract

A weak pseudorandom function (weak PRF) is one of the most important cryptographic primitives because of its efficiency, although it offers lower security than a standard PRF. Recently, Boneh et al. (in: Theory of cryptography conference, Springer, pp 699–729, 2018) introduced two new weak PRF candidates, called the basic Mod-2/Mod-3 and the alternative Mod-2/Mod-3 weak PRF. Both mix linear computations defined over different small moduli to achieve conceptual simplicity, low complexity (depth-2 \(\mathsf{ACC^0}\)) and MPC friendliness. In fact, the new candidates are conjectured to be exponentially secure against any adversary that is given exponentially many samples, and the basic Mod-2/Mod-3 weak PRF is the only candidate that satisfies all of the features above. However, none of the known direct attacks on the basic and alternative Mod-2/Mod-3 weak PRFs exploit their specific structure. In this paper, we investigate these weak PRFs from two perspectives: attacks and fixes. We first propose direct attacks on the alternative Mod-2/Mod-3 weak PRF and on the basic Mod-2/Mod-3 weak PRF when a circulant matrix is used as the secret key. For the alternative Mod-2/Mod-3 weak PRF, we prove that the adversary’s advantage is at least \(2^{-0.105n}\), where n is the size of the input space of the weak PRF. Similarly, we show that the advantage of our heuristic attack on the weak PRF with a circulant matrix key is larger than \(2^{-0.21n}\), contrary to the previous expectation that a ‘structured secret key’ does not affect the security of a weak PRF. Thus, for the optimistic parameter choice \(n = 2\lambda \) for the security parameter \(\lambda \), parameters should be increased to preserve \(\lambda \)-bit security when an adversary obtains exponentially many samples. Next, we suggest a simple method for repairing the two weak PRFs affected by our attacks. Moreover, we provide the first direct attack algorithm against a basic Mod-2/Mod-3 weak PRF with a random secret key, although it does not reach the current parameters.


Fig. 1, Fig. 2, Fig. 3 (figures not reproduced in this version)


Notes

  1. For well-definedness, \(\mathbf{A}\cdot \mathbf{x}\) is interpreted as a binary vector.

  2. In the original paper [13], the authors used a Toeplitz matrix or a block-circulant matrix as the secret key of the weak PRF for efficiency. In this paper, however, we only deal with the case where the secret key of the weak PRF is a circulant matrix, which is the same as the block-circulant matrix of the original paper. Indeed, they state that a block-circulant matrix ‘can be represented by a single vector’.

  3. Note that the new scheme still achieves ad hoc security, i.e., it is secure against known attacks.

  4. If we find solutions of the k-xor problem for \(k \ge 5\), the advantage they induce is drastically smaller than \(2^{-m}\), although the time complexity of the k-xor problem is reduced to \(O(2^{n/(k-1)})\).

  5. In the original paper, the authors mentioned that a ‘block-circulant matrix’ can be represented by a single vector. Thus, a block-circulant matrix is the same as a circulant matrix in this paper.

  6. As stated in Sect. 1, a circulant matrix is exactly the same as a block-circulant matrix in [13].

  7. We call \(\mathbf{a}\) a base vector.

References

  1. Akavia A., Bogdanov A., Guo S., Kamath A., Rosen A.: Candidate weak pseudorandom functions in \(\mathsf{AC}^0 \circ \mathsf{MOD}_2\). In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, pp. 251–260 (2014).

  2. Alperin-Sheriff J., Apon D.: Weak is better: tightly secure short signatures from weak PRFs. IACR Cryptol. ePrint Arch. (2017).

  3. Ananth P., Brakerski Z., Segev G., Vaikuntanathan V.: From selective to adaptive security in functional encryption. In: Annual Cryptology Conference, pp. 657–677. Springer (2015).

  4. Applebaum B.: Bootstrapping obfuscators via fast pseudorandom functions. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 162–172. Springer (2014).

  5. Ball M., Holmgren J., Ishai Y., Liu T., Malkin T.: On the complexity of decomposable randomized encodings, or: How friendly can a garbling-friendly PRF be? In: 11th Innovations in Theoretical Computer Science Conference (ITCS 2020). Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2020).

  6. Bellare M.: New proofs for NMAC and HMAC: security without collision resistance. J. Cryptol. 28(4), 844–878 (2015).

  7. Bellare M., Canetti R., Krawczyk H.: Keying hash functions for message authentication. In: Annual International Cryptology Conference, pp. 1–15. Springer (1996).

  8. Bernstein D.J.: Better price-performance ratios for generalized birthday attacks (2007).

  9. Bernstein D.J., Lange T., Niederhagen R., Peters C., Schwabe P.: Implementing Wagner’s generalized birthday attack against the SHA-3 round-1 candidate FSB. IACR Cryptol. ePrint Arch. 2009, 292 (2009).

  10. Blum A., Kalai A., Wasserman H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM (JACM) 50(4), 506–519 (2003).

  11. Bogdanov A., Rosen A.: Pseudorandom functions: three decades later. In: Tutorials on the Foundations of Cryptography, pp. 79–158. Springer (2017).

  12. Bogos S., Tramer F., Vaudenay S.: On solving LPN using BKW and variants. Cryptogr. Commun. 8(3), 331–369 (2016).

  13. Boneh D., Ishai Y., Passelègue A., Sahai A., Wu D.J.: Exploring crypto dark matter. In: Theory of Cryptography Conference, pp. 699–729. Springer (2018).

  14. Chen Y., Hhan M., Vaikuntanathan V., Wee H.: Matrix PRFs: constructions, attacks, and applications to obfuscation. In: Theory of Cryptography Conference, pp. 55–80. Springer (2019).

  15. Chen Y., Vaikuntanathan V., Wee H.: GGH15 beyond permutation branching programs: proofs, attacks, and candidates. In: CRYPTO 2018, Part II, pp. 577–607 (2018).

  16. Cheon J.H., Cho W., Kim J.H., Kim J.: Adventures in crypto dark matter: attacks and fixes for weak pseudorandom functions. In: Public Key Cryptography (PKC 2021), Part II, pp. 739–760 (2021).

  17. Damgård I., Nielsen J.B.: Expanding pseudorandom functions; or: from known-plaintext security to chosen-plaintext security. In: Annual International Cryptology Conference, pp. 449–464. Springer (2002).

  18. Dinur I.: An algorithmic framework for the generalized birthday problem. Des. Codes Cryptogr. 87(8), 1897–1926 (2019).

  19. Dinur I., Dunkelman O., Keller N., Shamir A.: Efficient dissection of bicomposite problems with cryptanalytic applications. J. Cryptol. 32(4), 1448–1490 (2019).

  20. Dinur I., Goldfeder S., Halevi T., Ishai Y., Kelkar M., Sharma V., Zaverucha G.: MPC-friendly symmetric cryptography from alternating moduli: candidates, protocols, and applications. Cryptol. ePrint Arch., Report 2021/885 (2021). To appear in CRYPTO 2021.

  21. Dodis Y., Kiltz E., Pietrzak K., Wichs D.: Message authentication, revisited. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 355–374. Springer (2012).

  22. Dodis Y., Steinberger J.: Message authentication codes from unpredictable block ciphers. In: Annual International Cryptology Conference, pp. 267–285. Springer (2009).

  23. Goldreich O.: Two remarks concerning the Goldwasser–Micali–Rivest signature scheme. In: Conference on the Theory and Application of Cryptographic Techniques, pp. 104–110. Springer (1986).

  24. Goldreich O., Goldwasser S., Micali S.: How to construct random functions. J. ACM (JACM) 33(4), 792–807 (1986).

  25. Lyubashevsky V., Masny D.: Man-in-the-middle secure authentication schemes from LPN and weak PRFs. In: Annual Cryptology Conference, pp. 308–325. Springer (2013).

  26. Maurer U., Sjödin J.: A fast and key-efficient reduction of chosen-ciphertext to known-plaintext security. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 498–516. Springer (2007).

  27. Micciancio D., Walter M.: On the bit security of cryptographic primitives. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 3–28. Springer (2018).

  28. Naya-Plasencia M., Schrottenloher A.: Optimal merging in quantum k-xor and k-xor-sum algorithms. In: Advances in Cryptology – EUROCRYPT 2020, pp. 311–340. Springer, Cham (2020).

  29. Nikolić I., Sasaki Y.: Refinements of the k-tree algorithm for the generalized birthday problem. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 683–703. Springer (2015).

  30. Pietrzak K.: A leakage-resilient mode of operation. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 462–482. Springer (2009).

  31. Schrottenloher A.: Improved quantum algorithms for the k-xor problem. IACR Cryptol. ePrint Arch. 2021, 407 (2021).

  32. Wagner D.: A generalized birthday problem. In: Annual International Cryptology Conference, pp. 288–304. Springer (2002).


Acknowledgements

Jung Hee Cheon: supported by the Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2016-6-00598, The mathematical structure of functional encryption and its analysis). Wonhee Cho: supported by the Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2016-6-00598, The mathematical structure of functional encryption and its analysis). Jeong Han Kim: partially supported by National Research Foundation of Korea (NRF) grants funded by the Korean Government (MSIP) (NRF-2016R1A5A1008055 & 2017R1E1A1A0307070114) and by a KIAS Individual Grant (CG046002) at Korea Institute of Advanced Study. Jiseung Kim: part of this work was done while the author was at KIAS.


Corresponding author

Correspondence to Wonhee Cho.

Additional information

Communicated by D. Stebila.


This is the full version of a paper published in the proceedings of PKC 2021.

Appendices

Simple Non-Adaptive Attack

In this section, we provide a simple non-adaptive attack on the basic Mod-2/Mod-3 weak PRF, which runs in time polynomial in n. The attack is motivated by the rank attacks of [14, 15].

Assume that the adversary has exponentially many samples \((\mathbf{z}_i,v_i)\). The goal is to determine whether each \(v_i\) is uniformly sampled from \({{\mathbb {Z}}}_3\) or is the output of a Mod-2/Mod-3 weak PRF on \(\mathbf{z}_i\).

Let s be an integer \(> \max \{m,n\}\). Then, our attack is:

  1. Find \(s^2\) pairs of vectors \(\{(\mathbf{x}_i,\mathbf{y}_j)\}_{i,j \in [s]}\) such that \(\mathbf{z}_{i,j} = \mathbf{x}_i+ \mathbf{y}_j\) for some \(\mathbf{z}_{i,j}\) in the list of samples.

  2. Construct a matrix \(\mathbf{M}= (v_{i,j})\), where \(v_{i,j}\) is the sample corresponding to the vector \(\mathbf{z}_{i,j}\).

  3. Compute the rank of \(\mathbf{M}\).

For the analysis, we borrow the polynomial representation of \({\mathcal {F}}_{\mathbf{A}}(\mathbf{x})\) from [13]:

$$\begin{aligned} {\mathcal {F}}_{\mathbf{A}}(\mathbf{x}) = \sum _{i=1}^m \left( \prod _{j=1}^n (1+x_j)^{a_{i,j}} - 1\right) , \end{aligned}$$

where the matrix \(\mathbf{A}=(a_{i,j}) \in \{0,1\}^{m \times n}\), the vector \(\mathbf{x}=(x_i) \in \{ {0,1} \}^n\), and the right-hand side is computed modulo 3. Since each \(a_{i,j}\) is 0 or 1, the following lemma is immediate.

Lemma A.1

The Mod-2/Mod-3 weak PRF can be interpreted as a product of matrices. More precisely, for a key \(\mathbf{A}= (a_{i,j}) \in \{ {0,1} \}^{m \times n}\) and a vector \(\mathbf{x}=(x_i) \in \{ {0,1} \}^n\),

$$\begin{aligned} {\mathcal {F}}_{\mathbf{A}}(\mathbf{x}) +m = \sum _{i=1}^m f_i(\mathbf{x}) = \mathbf{1}^T \cdot \prod _{i=1}^n (\mathbf{I}+ \mathsf{diag}(x_i\mathbf{A}_i)) \cdot \mathbf{1}\end{aligned}$$

where \(\mathbf{A}_i\) is the i-th column of \(\mathbf{A}\), \(f_i (\mathbf{x}) = \prod _{j=1}^n (1+a_{i,j}x_j)\), and \(\mathsf{diag}(x_i\mathbf{A}_i)\) is the diagonal matrix whose j-th diagonal entry is the j-th component of the vector \(x_i\mathbf{A}_i\).

Based on the above lemma, we complete the non-adaptive attack. When the \(v_{i,j}\)’s are truly random, the rank of \(\mathbf{M}\) is s with high probability. However, if \(v_{i,j}\) is of the form \(\mathsf{map}(\mathbf{A}\cdot [\mathbf{x}_i+\mathbf{y}_j]_2)\), then by Lemma A.1 the matrix \(\mathbf{M}\) factors as a product of two matrices:

$$\begin{aligned} \mathbf{M}= \begin{pmatrix} \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_1) \\ \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_2) \\ \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_3) \\ \vdots \\ \mathbf{1}^T\cdot \mathbf{H}(\mathbf{x}_s) \end{pmatrix} \cdot \begin{pmatrix} \mathbf{H}(\mathbf{y}_1)\cdot \mathbf{1}&\mathbf{H}(\mathbf{y}_2)\cdot \mathbf{1}&\mathbf{H}(\mathbf{y}_3)\cdot \mathbf{1}&\cdots &\mathbf{H}(\mathbf{y}_{s})\cdot \mathbf{1}\end{pmatrix} \end{aligned}$$

Hence, the rank of \(\mathbf{M}\) is bounded by \(\min (m,n)\) with high probability. The attack runs in O(n) time and space.

The rank attack only succeeds when the adversary can choose its input queries through oracle access. In the weak PRF setting, however, inputs are sampled uniformly from \(\{ {0,1} \}^n\), so the attack no longer applies.
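As an added example (not code from the paper), the following Python reproduces Appendix A on a toy instance: it checks Lemma A.1 and Lemma 4.11 for a small constructed key and compares the rank of \(\mathbf{M}\) under the weak PRF with the rank under a random function; the key, the sizes m = 8, n = 16, s = 24 and the seed are constructed for illustration only.

```python
"""Added example (not the paper's code): toy check of Appendix A with a constructed
key; verifies Lemma A.1, Lemma 4.11 and the rank gap behind the non-adaptive attack."""
import random

def wprf(A, x):
    """Basic Mod-2/Mod-3 weak PRF F_A(x) = map(A.x mod 2): the number of 1-bits of
    A.x mod 2, reduced modulo 3.  A is m x n over {0,1}, x is in {0,1}^n."""
    return sum(sum(a * xi for a, xi in zip(row, x)) % 2 for row in A) % 3

def f_values(A, x):
    """f_j(x) = prod_i (1 + a_{j,i} x_i) mod 3 for each row j: the diagonal of H(x)."""
    out = []
    for row in A:
        f = 1
        for a, xi in zip(row, x):
            f = f * (1 + a * xi) % 3
        out.append(f)
    return out

def lemma_a1_holds(A, x):
    """Lemma A.1: F_A(x) + m == 1^T H(x) 1 == sum_j f_j(x)  (mod 3)."""
    return (wprf(A, x) + len(A)) % 3 == sum(f_values(A, x)) % 3

def lemma_411_holds(A, x, y):
    """Lemma 4.11: H(x) H(y) == H([x+y]_2) mod 3 (diagonal, so compare entrywise)."""
    z = [(a + b) % 2 for a, b in zip(x, y)]
    return [u * v % 3 for u, v in zip(f_values(A, x), f_values(A, y))] == f_values(A, z)

def rank_mod3(M):
    """Rank of an integer matrix over Z_3 by Gaussian elimination."""
    M = [[v % 3 for v in row] for row in M]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = M[rank][c]                    # 1 and 2 are their own inverses mod 3
        M[rank] = [v * inv % 3 for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                fac = M[r][c]
                M[r] = [(v - fac * p) % 3 for v, p in zip(M[r], M[rank])]
        rank += 1
    return rank

def rank_attack(oracle, m, n, s, rng):
    """Appendix A, steps 1-3, in the chosen-input model: s random x_i and y_j, queries
    at z_{i,j} = [x_i + y_j]_2, and rank(M) over Z_3 with M_{i,j} = v_{i,j} + m.  By
    Lemma A.1, M_{i,j} = 1^T H(x_i) H(y_j) 1, an (s x m)(m x s) product, so rank(M) <= m;
    a random function gives rank close to s.  (v_{i,j} alone shifts M by rank one.)"""
    xs = [[rng.randrange(2) for _ in range(n)] for _ in range(s)]
    ys = [[rng.randrange(2) for _ in range(n)] for _ in range(s)]
    M = [[oracle([(a + b) % 2 for a, b in zip(x, y)]) + m for y in ys] for x in xs]
    return rank_mod3(M)

def demo(m=8, n=16, s=24, seed=2022):
    """Toy sizes (s > max(m, n)); returns (rank for the weak PRF, rank for a random fn)."""
    rng = random.Random(seed)
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(m)]   # constructed toy key
    table = {}                                  # lazily sampled random function to Z_3
    prf_rank = rank_attack(lambda z: wprf(A, z), m, n, s, rng)
    rnd_rank = rank_attack(lambda z: table.setdefault(tuple(z), rng.randrange(3)), m, n, s, rng)
    return prf_rank, rnd_rank
```

With genuinely random weak PRF samples the attacker cannot assemble the \(s \times s\) grid of inputs \([\mathbf{x}_i+\mathbf{y}_j]_2\), which is the gap the last paragraph above points out.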

Proofs of Theorems

In this section, we provide the proofs of Lemma 4.11 and Theorems 4.13 and 4.14.

Values of \(d_m\) for the commonly used parameters m (referred to in the proof of Theorem 4.13 below):

    m          64      128     196     256     384     512     1024
    \(d_m\)    −0.53   0.18    −0.54   −0.57   −0.49   0.31    −0.38

Proof

(of Lemma 4.11) Since all factors below are diagonal matrices and therefore commute, we obtain the following relations.

$$\begin{aligned} \mathbf{H}(\mathbf{x}) \cdot \mathbf{H}(\mathbf{y})&= \prod _{i=1}^n(\mathbf{I}+ \mathsf{diag}(x_i\mathbf{A}_i))\cdot \prod _{i=1}^n(\mathbf{I}+ \mathsf{diag}(y_i\mathbf{A}_i))\\&= \prod _{i=1}^n(\mathbf{I}+ \mathsf{diag}(x_i\mathbf{A}_i))(\mathbf{I}+ \mathsf{diag}(y_i\mathbf{A}_i)),\\ \mathbf{H}([\mathbf{x}+\mathbf{y}]_2)&= \prod _{i=1}^n(\mathbf{I}+ \mathsf{diag}([x_i+y_i]_2 \mathbf{A}_i)) \end{aligned}$$

Therefore, it is enough to confirm that

$$\begin{aligned} (\mathbf{I}+ \mathsf{diag}([x_i+y_i]_2 \mathbf{A}_i)) \equiv (\mathbf{I}+ \mathsf{diag}(x_i\mathbf{A}_i))(\mathbf{I}+ \mathsf{diag}(y_i\mathbf{A}_i)) \bmod 3. \qquad (6) \end{aligned}$$

If \((x_i,y_i)\) is one of (0, 0), (1, 0), and (0, 1), the above identity is trivial.

For the remaining case \((x_i,y_i) = (1,1)\), the left-hand side of Eq. (6) is \(\mathbf{I}+ \mathsf{diag}(0 \cdot \mathbf{A}_i) = \mathbf{I}\), while the right-hand side equals \((\mathbf{I}+ \mathsf{diag}(\mathbf{A}_i))^2\). Since every entry of \(\mathbf{A}\) is binary, each diagonal entry of \(\mathbf{I}+ \mathsf{diag}(\mathbf{A}_i)\) is 1 or 2, and \(1^2 \equiv 2^2 \equiv 1 \bmod 3\); hence \((\mathbf{I}+ \mathsf{diag}(\mathbf{A}_i))^2 \equiv \mathbf{I}\bmod 3\), which completes the proof. \(\square \)

Proof

(of Theorem 4.13) Let \(\{\mathbf{x}_i\}_{i=1}^3\) be vectors such that \(\sum _{i=1}^3 \mathbf{x}_i = \mathbf{0}\bmod 2\). Since the key \(\mathbf{A}\) is a randomly chosen matrix, \(f_i(\mathbf{x}_k)\) and \(f_j(\mathbf{x}_k)\) are independent for distinct i, j and every k.

Also, without loss of generality, assume that \(\mathbf{x}_1, \mathbf{x}_2\) are mutually independent, since \(\mathbf{x}_3\) can be regarded as \(\mathbf{x}_3 = [\mathbf{x}_1 + \mathbf{x}_2]_2\). Moreover, for sufficiently large n, \(f_i(\mathbf{x}_k)\) may be assumed to be uniformly drawn from \(\{1,2\}\), since for any j, k, \(\Pr [f_j(\mathbf{x}_k)=1] \approx 1/2+ 1/2^{n+1}\), and the \(f_j(\mathbf{x}_k)\)’s are independent as stated above.

Then we easily confirm that

$$\begin{aligned} \Pr [f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2) \equiv 0 \bmod 3]&= 1/4,\\ \Pr [f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2) \equiv 1 \bmod 3]&= 0,\\ \Pr [f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2) \equiv 2 \bmod 3]&=3/4. \end{aligned}$$

Let \(i_1,i_2,i_3\) be the numbers of indices i for which \(f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2) \equiv 0,1,2 \bmod 3\), respectively. Since \(f_i(\mathbf{x}_3) = f_i(\mathbf{x}_1)f_i(\mathbf{x}_2) \bmod 3\) by Lemma 4.11, \(\sum _{i=1}^3 ({\mathcal {F}}_{\mathbf{A}}(\mathbf{x}_i)+m) \bmod 3\) equals \(i_2+2i_3 \bmod 3\). In this case \(i_2\) is zero, so if \(i_3\) is a multiple of 3, then \(\sum _{i=1}^3 ({\mathcal {F}}_{\mathbf{A}}(\mathbf{x}_i)+m) \equiv 0 \bmod 3\).

By Eq. (4), we have

$$\begin{aligned} \Pr&\left[ \sum _{i=1}^3 ({\mathcal {F}}_{\mathbf{A}}(\mathbf{x}_i)+m)=0 \bmod 3 ~|~ \sum _{i=1}^3 \mathbf{x}_i = \mathbf{0}\right] \\&= \frac{\displaystyle \sum _{i\equiv 0 \bmod 3} {{m}\atopwithdelims (){i} }\cdot 3^i }{4^m} = \frac{4^m + (3+\zeta )^m + (3+\zeta ^2)^m}{3\cdot 4^m}\\&= \frac{1}{3} + \left( \frac{\delta ^m + {\bar{\delta }}^m}{3}\right) \cdot \left( \frac{\sqrt{7}}{4}\right) ^m \approx \frac{1}{3} + d_m \cdot \frac{1}{2^{0.60m}} \end{aligned}$$

where \(\zeta = \frac{-1+i\sqrt{3}}{2}\) is a primitive third root of unity and \(\delta = \frac{5+i\sqrt{3}}{2\sqrt{7}}\).

\(d_m = (\delta ^m + {\bar{\delta }}^m)/3\) is a real constant that depends only on m; since \(|\delta | = 1\), it satisfies \(|d_m| \le 2/3\). For the commonly used values of m, it takes the values listed in the table above.

Similarly, for \(k=4\) the proof follows by almost the same computation.

Proof

(of Theorem 4.14) Let \(\{\mathbf{x}_i\}_{i=1}^4\) be vectors such that \(\sum _{i=1}^4 \mathbf{x}_i = \mathbf{0}\bmod 2\). Since the key \(\mathbf{A}\) is a randomly chosen matrix, \(f_i(\mathbf{x}_k)\) and \(f_j(\mathbf{x}_k)\) are independent for distinct i, j and every k. Without loss of generality, assume that \(\mathbf{x}_1, \mathbf{x}_2, \mathbf{x}_3\) are mutually independent, since \(\mathbf{x}_4\) can be regarded as \(\mathbf{x}_4 = [\mathbf{x}_1 + \mathbf{x}_2 +\mathbf{x}_3]_2\). Moreover, for sufficiently large n, \(f_i(\mathbf{x}_k)\) may be assumed to be uniformly drawn from \(\{1,2\}\), since for any j, k, \(\Pr [f_j(\mathbf{x}_k)=1] \approx 1/2+ 1/2^{n+1}\), and the \(f_j(\mathbf{x}_k)\)’s are independent as stated above. Then, we observe that

$$\begin{aligned} \Pr [f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_3)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2)f_i(\mathbf{x}_3) \equiv 0\bmod 3]&= 3/4,\\ \Pr [f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_3)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2)f_i(\mathbf{x}_3) \equiv 1\bmod 3]&= 1/8,\\ \Pr [f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_3)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2)f_i(\mathbf{x}_3) \equiv 2\bmod 3]&=1/8. \end{aligned}$$

Let \(i_1,i_2,i_3\) be the numbers of indices i for which \(f_i(\mathbf{x}_1)+f_i(\mathbf{x}_2)+f_i(\mathbf{x}_3)+f_i(\mathbf{x}_1)f_i(\mathbf{x}_2)f_i(\mathbf{x}_3) \equiv 0,1,2 \bmod 3\), respectively. Since \(f_i(\mathbf{x}_4) = f_i(\mathbf{x}_1)f_i(\mathbf{x}_2)f_i(\mathbf{x}_3) \bmod 3\) by Lemma 4.11, \(\sum _{i=1}^4 ({\mathcal {F}}_{\mathbf{A}}(\mathbf{x}_i)+m) \bmod 3\) equals \(i_2+2i_3 \bmod 3\). As \(i_2 = m-i_1-i_3\), if \(m-i_1+i_3\) is a multiple of 3, then \(\sum _{i=1}^4 ({\mathcal {F}}_{\mathbf{A}}(\mathbf{x}_i)+m) \equiv 0 \bmod 3\).

According to the similar analysis, it holds that

$$\begin{aligned} \Pr&\left[ \sum _{i=1}^4 ({\mathcal {F}}_{\mathbf{A}}(\mathbf{x}_i)+m) =0 \bmod 3 ~|~ \sum _{i=1}^4 \mathbf{x}_i = \mathbf{0}\right] \\&= \frac{\displaystyle \sum _{i_1=0}^m \left( {{m}\atopwithdelims (){i_1} }\cdot 6^{i_1}\cdot \displaystyle \sum _{m-i_1+i_3 \equiv 0 \bmod 3} {{m-i_1}\atopwithdelims (){i_3} } \right) }{8^m}\\&= \frac{\displaystyle \sum _{i_1=0}^m \left( {{m}\atopwithdelims (){i_1} }\cdot 6^{i_1}\cdot \frac{1}{3}(2^{m-i_1}+\zeta ^{m-i_1}(\zeta +1)^{m-i_1} + \zeta ^{2m-2i_1}(\zeta ^2+1)^{m-i_1})\right) }{8^m}\\&= \frac{1}{3}+\frac{\displaystyle \sum _{i_1=0}^m \left( {{m}\atopwithdelims (){i_1} }\cdot 6^{i_1}\cdot ((-1)^{m-i_1} + (-1)^{m-i_1})\right) }{3\cdot 8^m}\\&= \frac{1}{3} + \frac{2}{3}\cdot \left( \frac{5}{8}\right) ^m \approx \frac{1}{3} + \frac{2}{3}\cdot \frac{1}{2^{0.68m}}, \end{aligned}$$

where \(\zeta = \frac{-1+i\sqrt{3}}{2}\) is a primitive third root of unity. \(\square \)
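As an added example (not from the paper), the following Python evaluates exactly, under the proofs' own independence and uniformity assumptions on the \(f_i(\mathbf{x}_k)\), the probability whose closed forms the proofs of Theorems 4.13 and 4.14 derive; it checks the per-row residue distributions, the \(k=4\) closed form and the decay rates of the bias. All function names are this example's own.

```python
"""Added example (not from the paper): exact evaluation of the bias analysed in the
proofs of Theorems 4.13 (k = 3) and 4.14 (k = 4), under the proofs' own assumptions
that the m rows are independent and each f_i(x_j) is uniform on {1, 2}."""
from fractions import Fraction
from itertools import product
from math import comb, log2, sqrt

def row_residue_dist(k):
    """Per-row distribution of f(x_1)+...+f(x_{k-1}) + f(x_1)...f(x_{k-1}) mod 3 with
    each f uniform on {1,2}: k=3 gives (1/4, 0, 3/4) and k=4 gives (3/4, 1/8, 1/8)."""
    counts = [0, 0, 0]
    for fs in product((1, 2), repeat=k - 1):
        prod_f = 1
        for f in fs:
            prod_f *= f
        counts[(sum(fs) + prod_f) % 3] += 1
    return [Fraction(c, 2 ** (k - 1)) for c in counts]

def zero_sum_prob(k, m):
    """Pr[sum_{i<=k} (F_A(x_i) + m) = 0 mod 3 | sum_i x_i = 0 mod 2] for an m-row key.
    By Lemma 4.11, f_j(x_k) = f_j(x_1)...f_j(x_{k-1}), so the total is the sum over
    the m rows of the per-row residue; a dynamic programme over the running residue
    gives the exact value for any k and m."""
    p = row_residue_dist(k)
    dist = [Fraction(1), Fraction(0), Fraction(0)]     # the empty sum has residue 0
    for _ in range(m):
        dist = [sum(dist[(r - t) % 3] * p[t] for t in range(3)) for r in range(3)]
    return dist[0]

def binomial_form_k3(m):
    """The k=3 expression of the appendix: sum_{i = 0 mod 3} C(m,i) 3^i / 4^m."""
    return Fraction(sum(comb(m, i) * 3 ** i for i in range(0, m + 1, 3)), 4 ** m)

def closed_form_k4(m):
    """The k=4 closed form of the appendix: 1/3 + (2/3) (5/8)^m."""
    return Fraction(1, 3) + Fraction(2, 3) * Fraction(5, 8) ** m

def k3_bias_within_bound(m):
    """|P_3(m) - 1/3| <= (2/3) (sqrt(7)/4)^m: the magnitude of the k=3 bias term, whose
    decay (sqrt(7)/4)^m is the 2^{-0.60 m} of the appendix."""
    bias = abs(zero_sum_prob(3, m) - Fraction(1, 3))
    return float(bias) <= (2 / 3) * (sqrt(7) / 4) ** m * (1 + 1e-9)

def bias_bits_per_row(k, m):
    """-log2|P_k(m) - 1/3| / m: bias decay per row of the key; the appendix gives about
    0.60 for k=3 and 0.68 for k=4."""
    bias = abs(zero_sum_prob(k, m) - Fraction(1, 3))
    return -log2(float(bias)) / m

if __name__ == "__main__":
    for k in (3, 4):
        print(f"k={k}: per-row residues {row_residue_dist(k)}, "
              f"bias ~ 2^(-{bias_bits_per_row(k, 128):.3f} m) at m=128")
```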


Cite this article

Cheon, J.H., Cho, W., Kim, J.H. et al. Adventures in crypto dark matter: attacks, fixes and analysis for weak pseudorandom functions. Des. Codes Cryptogr. 90, 1735–1760 (2022). https://doi.org/10.1007/s10623-022-01071-x
