PRF Domain Extension using DAGs
Charanjit Jutla
IBM T J Watson
[Figure: blocks P1, P2, P3, ..., Pm each pass through f; the f outputs are combined by tilde-f at nodes V1, V2, V3, ..., Vm. Caption: n bits to mn bits domain]
[Figure: an example DAG mode on five nodes V1, V2, V3, V4, V5 with inputs P1, P2, P3, P4, P5; f is applied at each node and an output C is produced at the final node]
      Requirements on the DAG
•   Directed Acyclic Graph G = (V,E)
•   |V| = m
•   Unique source and sink nodes
•   G is non-redundant
    – no two nodes have the same set of immediate
      predecessors



Then, PRF Domain Extension to mn bits
[Figure: the same five-node DAG (inputs P1..P5, f at each of V1..V5)]
A Parallel Mode for Four Processors
[Figure: four nodes evaluated in parallel, combined at a final node]
In general, 3+log* m depth
Really Basic Intuition
•   C_i = f( P_i xor XOR_{(j,i) in E} C_j )
•   Call M_i = P_i xor XOR_{(j,i) in E} C_j
•   M_i is the input to node V_i
•   Can two such M_i1 and M_i2 collide?
    – i1 = i2 ::: hopefully plaintexts are different???
    – i1 ≠ i2:
      XOR_{(j,i1) in E} C_j  ?=  XOR_{(j,i2) in E} C_j
Using Galois Field GF(2^n)
•   XOR_{(j,i1) in E} C_j  ?=  XOR_{(j,i2) in E} C_j
•   XOR_{(j,i1) in E} a_{j,i1} * C_j  ?=  XOR_{(j,i2) in E} a_{j,i2} * C_j
Edge-Colored DAGs
•   Directed Acyclic Graph G = (V,E)
•   |V| = m
•   Edge Coloring ψ: E → GF(2^n)*
•   Unique sink node
•   G is non-singular
    – If two nodes (say u and v) have the same set of
      immediate predecessors (say W), then
      there exists w ∈ W :: ψ(w,u) ≠ ψ(w,v)

Then, PRF Domain Extension to mn bits

A Parallel Mode for Four Processors
[Figure: the four parallel nodes carry the edge colours *1, *x, *x^2, *(1+x)]
PMAC [BR02] (Parallelizable Authentication Mode)
[Figure: the PMAC graph, with the final edge labelled color m]

PMAC [BR02]: To be precise….
[Figure: as above, with a source node fed the Constant 0 and the final edge labelled color m]
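The mode from the intuition, Galois-field and edge-colouring slides above, instantiated on the PMAC-like four-processor graph (colours 1, x, x^2, 1+x off a source node fed the constant 0), as an added Python example that is not code from the slides: f is a constructed stand-in PRF (truncated HMAC-SHA256), the GF(2^128) modulus, the node numbering and the function names are assumptions, and `non_singular` is the slide's condition made executable. It also shows why the condition matters: with every colour set to 1 the graph is singular and exchanging P1 and P2 leaves the output unchanged (an automatic collision), which the coloured graph prevents.

```python
import hashlib, hmac
N = 128                            # block size n in bits
R = (1 << 128) | 0x87              # assumed modulus x^128 + x^7 + x^2 + x + 1 for GF(2^128)
X = 2                              # the field element x (bit i of an int = coefficient of x^i)

def gf_mul(a, b):
    """Carry-less multiply a*b reduced mod R: the 'times colour' step on a coloured edge."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= R
    return r

def prf(key, block):
    """Stand-in n-bit PRF f (assumption: truncated HMAC-SHA256 plays the block cipher)."""
    return hmac.new(key, block, hashlib.sha256).digest()[: N // 8]

def non_singular(m, edges):
    """Slide condition: if u != v share predecessor set W, some w in W has psi(w,u) != psi(w,v)."""
    preds = [{j: c for (j, k), c in edges.items() if k == i} for i in range(m)]
    for u in range(m):
        for v in range(u + 1, m):
            if preds[u].keys() == preds[v].keys() and all(preds[u][w] == preds[v][w] for w in preds[u]):
                return False          # identical coloured predecessors (or both empty): inputs can collide
    return True

def dag_prf(key, edges, P):
    """M_i = P_i xor XOR_{(j,i) in E} psi(j,i)*C_j ; C_i = f(M_i); output C at the sink (last node)."""
    C = []
    for i, p in enumerate(P):
        m = int.from_bytes(p, "big")
        for (j, k), colour in edges.items():
            if k == i:
                m ^= gf_mul(colour, C[j])
        C.append(int.from_bytes(prf(key, m.to_bytes(N // 8, "big")), "big"))
    return C[-1].to_bytes(N // 8, "big")

# Constructed PMAC-like four-processor graph (edges keyed (j, i) with j < i, i.e. topological order):
# V0 takes the constant-0 block, V1..V4 hang off V0 with colours 1, x, x^2, 1+x, V5 is the unique sink.
PMAC4 = {(0, 1): 1, (0, 2): X, (0, 3): gf_mul(X, X), (0, 4): 1 ^ X,
         (1, 5): 1, (2, 5): 1, (3, 5): 1, (4, 5): 1}
UNCOLOURED = {e: 1 for e in PMAC4}   # same DAG with every colour 1: singular

def tag_changes_when_blocks_swapped(edges, key=b"k" * 16):
    """True iff exchanging P1 and P2 changes the output; False exposes an automatic collision."""
    blocks = [bytes(16)] + [bytes([i]) * 16 for i in range(1, 6)]   # constant 0, then P1..P5 (constructed)
    swapped = blocks[:1] + [blocks[2], blocks[1]] + blocks[3:]
    return dag_prf(key, edges, blocks) != dag_prf(key, edges, swapped)
```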
 Variable Length Domain Ext.
• length need not be multiple of n
  – naïve padding with 10^t doesn’t work
  – how to distinguish b/w full length and partial
  – UNLESS full length is authenticated differently
     • [PR00], [BR00]
• naïve CBC-MAC for diff length – flawed
  – C1 = CBCMAC_f ( P1 )
  – C1 = CBCMAC_f ( P1 || (C1 xor P1) ) as well
             Collection of DAGs
•   2 DAGs for each block len t : G_{2t} G_{2t+1}
•   each DAG must have unique sink node
•   each DAG must have at least t nodes
•   each DAG individually non-singular
    – is that enough? NO
Incorrect Construction
Define all graphs on the same set of vertices V
[Figure: two graphs drawn on the same vertices V1, V2, V3, V4]
G_i cannot be allowed to be an induced subgraph of another G_j
Requirements for VIL-PRF
• If for any pair of vertices (say u, v, u ≠ v)
  and graphs G_i and G_i', the set of
  incident nodes of u in G_i and v in G_i' are
  the same, then at least one incident edge is
  colored differently.
  – Non-singular over all graphs
• for each graph G_i, it is not the case that
  there is another graph G_i' which is
  identical till the "largest" node of G_i
Optimized VIL Mode
[Figure: graphs numbered 1 to 5 with edge colours col2, col3, col4, col5 and col2]

Current Best Mode
[Figure: graphs numbered 1 to 5 with edge colours col2, col3, col4, col5, col2, col2 and col3]

Parallel VIL mode
[Figure: two parallel graphs on nodes v1, v2, v3, v2^n with edge colours color5, color6, and a chain coloured col1, col2, col3, col4]
                   Proof
• Most theorems involving PRF, PRP
  constructions, as well as Modes of
  Operations --- from smaller primitives ---
  have to tackle collisions in calls to the
  smaller primitive
• Modulo that, proving randomness is easy
      Collisions in calls to oracle
• automatic collisions -- as in CBC-MAC
• Unforced collisions
• Forced collisions (adversarial, adaptive)
  – can try to prove there are no forced collisions
  – Fix last blocks of the transcript – visible to A
  – Conditioned on this,
  – On Average over all possible transcripts c,
   same as collisions in the transcript
  Thus, adversary left with playing “automatic collisions”
THE END