Limit analysis

[martinthomson]

I spent some time with this and concluded that our limits were not good in the first time around. A more careful analysis shows that we are still OK, but the limits are closer than ideal. We're assuming $2^{44}$ work for the adversary here for 40 bits of security, which is probably fine, though it is much weaker than the same analysis I've seen for cipher usage elsewhere.

Concrete numbers: $2^{64}$ becomes $2^{42}$ for AES-128 (double that for AES-256).

[akoshelev]

How useful it is for us to model PRSS in the form of throughput, rather than number of invocations that is bound to 16 byte inputs? This may come down to the same question about vectorization - if we standardize it, it will become tricky to say how many invocations per input row we expect from PRSS.

[akoshelev]

have you build a good intuition around ρ value from that paper? I read it a few times but I don't seem to understand the role of pseudo-random function in AES encryption

[martinthomson]

The way to think of AES is as a PRP (which is a narrower formulation than a PRF). The $\rho$ parameter is defined as the entropy of $\mathcal{R}$.

Follow this through to Theorem 4, where they look at their $\mathrm{MMO}^\pi$ function:

$$ \mathsf{MMO}^\pi(x) \overset{\mathrm{def}}{=} \pi(x)\oplus x $$

There, they use $\mathcal{R}$ to mask the input, in addition to the masking from $\pi(\cdot)$ (i.e., AES) and say:

In the real world, the second oracle is $\mathcal{O}^\mathrm{cr}_R(\cdot) = \mathsf{MMO}^\pi(R\oplus\cdot)$ (for $R$ sampled from a distribution $\mathcal{R}$).

From this, $\rho$ is a limit on the entropy that can pass into the permutation. AES has a similar limiting effect, so effectively $\rho$ is equivalent to the entropy of AES. So $\rho$ is, in effect, the block size of 128 bits.

(Edited to correct differences between $\rho$ and $\pi(\cdot)$.)