Domain Extension for Random Oracles:
Beyond the Birthday Paradox Bound

Arvind Narayanan (UT Austin)
Ilya Mironov (Microsoft Research)
Notions of hash function security

(diagram: implication graph among hash-function security notions, with "?"
marks where the relation is open)
  RO (random oracle)
  Pre, ePre, aPre (preimage notions); Sec, eSec, aSec (second-preimage notions)
  coll / CR (collision resistance); TCR (target collision resistance)
  multi (multicollisions); Nostradamus
What's wrong with MD?

(diagram: Merkle-Damgård chain. Message blocks M1, M2, M3 are fed one at a
time to the compression function C; chaining values h0 -> h1 -> h2 -> h3 = h,
with h0 the IV and h3 the output)

• Multicollisions (Joux, Crypto'04)
• Second preimage (Kelsey and Schneier, Eurocrypt'05)
• Nostradamus (Kelsey and Kohno, Eurocrypt'06)

Birthday paradox: all three attacks rely on a collision in the n-bit chaining
value, which costs only about 2^(n/2) compression-function calls.
What does indifferentiability mean?

(diagram: on the left, the MD chain M1, M2, M3 with h0 -> h1 -> h2 -> h3 = h;
on the right, a random oracle together with a simulator S that answers the
distinguisher's compression-function queries)

• Maurer et al.
• [CDMP05]
Lucks (Asiacrypt 2005): double pipe

(diagram: two parallel chains with IVs h0 and h1; every compression-function
call takes both chaining values and the current message block M1, M2, M3; a
"finalizing function" combines the two pipes into the output)

Rate = 0.25

• Internal state must be wide (2 x output length)
• Optimal security

Not exactly impossible
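To make the two preceding slides concrete, here is an added example (not code from the Narayanan–Mironov slides): a toy Merkle-Damgård chain and a toy Lucks-style double pipe driven by the same stand-in compression function, with Joux's multicollision attack run against both. Assumptions: the compression function C(h, m) is SHA-256 truncated to N_BITS = 16 bits, the block size, the IVs, the simplified two-chain rule for the double pipe and the omission of the finalizing function are all choices made for this example. The point it shows is the one on the slides: a state collision costs about 2^(n/2) calls for an n-bit state, so the same Joux procedure that cheaply yields a 2^k-multicollision on MD needs state collisions on 2n bits (about 2^n work) against the double pipe.

```python
"""Joux multicollisions on a toy Merkle-Damgard chain vs. a toy double pipe.

Added example; not code from the Narayanan-Mironov slides.  The compression
function is a constructed stand-in (SHA-256 truncated to N_BITS bits) used as
an ideal compression function C(h, m).  Block layout and IVs are assumed.
"""
import hashlib
from itertools import product

N_BITS = 16          # toy chaining-value width n (a real hash uses 256)
N_BYTES = (N_BITS + 7) // 8
BLOCK_BYTES = 4      # toy message block size


def compress(h, m):
    """Stand-in compression function: top N_BITS bits of SHA-256(h || m)."""
    digest = hashlib.sha256(h.to_bytes(N_BYTES, "big") + m).digest()
    return int.from_bytes(digest, "big") >> (256 - N_BITS)


def md_step(h, m):
    """Merkle-Damgard: the whole internal state is one n-bit chaining value."""
    return compress(h, m)


def double_pipe_step(state, m):
    """Lucks-style double pipe: two n-bit chains, each call sees both values
    and the block.  The two IVs must differ, otherwise the pipes coincide."""
    a, b = state
    return (compress(a, b.to_bytes(N_BYTES, "big") + m),
            compress(b, a.to_bytes(N_BYTES, "big") + m))


MD_IV = 0
DP_IV = (0, 1)       # distinct halves, see double_pipe_step


def iterate(step, iv, blocks):
    """Run the chaining rule over a list of blocks and return the final
    internal state (no finalizing function: internal collisions are the
    thing being counted here)."""
    state = iv
    for m in blocks:
        state = step(state, m)
    return state


def find_state_collision(step, state, max_trials=1 << 22):
    """Birthday search for two blocks m0 != m1 that map `state` to the same
    next state.  Costs about 2^(w/2) trials for a w-bit state: w = n for MD,
    w = 2n for the double pipe.  Returns (m0, m1, next_state, trials)."""
    seen = {}
    for i in range(max_trials):
        m = i.to_bytes(BLOCK_BYTES, "big")
        nxt = step(state, m)
        if nxt in seen:
            return seen[nxt], m, nxt, i + 1
        seen[nxt] = m
    raise RuntimeError("no collision within budget")


def joux_multicollision(step, iv, k):
    """Joux (Crypto'04): k successive single-block state collisions give a
    2^k-multicollision for the cost of k birthday searches.
    Returns (messages, common_final_state, total_trials)."""
    state, pairs, trials = iv, [], 0
    for _ in range(k):
        m0, m1, state, t = find_state_collision(step, state)
        pairs.append((m0, m1))
        trials += t
    messages = [list(choice) for choice in product(*pairs)]
    return messages, state, trials


if __name__ == "__main__":
    msgs, h, t = joux_multicollision(md_step, MD_IV, 3)
    print(f"MD  n={N_BITS}: {len(msgs)}-multicollision after {t} calls; "
          f"all chains end in {h:#06x}")
    msgs, s, t = joux_multicollision(double_pipe_step, DP_IV, 2)
    print(f"DP 2n={2 * N_BITS}: {len(msgs)}-multicollision after {t} block "
          f"trials (2 calls each); each state collision needs ~2^{N_BITS} work")
```

Running it prints trial counts in the hundreds for the 16-bit MD chain and in the tens of thousands per round for the 32-bit double-pipe state; scaling n to 256 turns the latter into the 2^n bound the slides quote, which is why the double pipe (and the constructions that follow) insist on an internal state twice the output length.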
Simple construction

(diagram: one message block M shown; the two chaining values enter the two
compression-function calls through linear combinations with coefficients
α1, α2 and β1, β2, drawn side by side with Lucks' double pipe)

Twice as much space for message bits
Linear algebra very fast
Other possibilities

(diagram: one message block M shown; a variant of the simple construction
drawn side by side with Lucks' double pipe)

No internal collisions!
Collision resistance 2^n on output length 2n
Ugly construction

(diagram: message blocks M1, M2 and M3 spread across the compression-function
calls of one round)

Rate 3/8
Provably behaves like a random oracle (2^n)
Proof technique

(diagram: the ugly construction with blocks M1, M2, M3; the intermediate
compression-function call is marked "NOT a random oracle!")

• Hybrid argument fails
• Inductive "global" proof
• Collision counting
The adversary wins if...

Goal: distinguish construction from random oracle

• Collision
• Unsupported query

Does not seem to lead to an attack, but necessary for using the
indifferentiability framework
Results

Simple:
• Rate 1/2 (always)
• Collision resistant (2^n)
• Almost behaves like a random oracle (2^n)

Ugly:
• Rate 3/8 (for SHA-256)
• Provably behaves like a random oracle (2^n)
Rate comparison

(plot: overall rate against compression ratio, from 1 to 5, with curves for
Merkle-Damgård, Ugly, Simple and Lucks double-pipe; SHA-256's compression
ratio is marked)
         Why should you care?
• Gap between MD and double pipe is large
  – Factor of 4 for SHA-256, 3 for MD5
• New crop of proof techniques
  – Steinberger (Eurocrypt’07)
  – Current work
  – Shrimpton and Stam (next talk)
• Apply techniques to new constructions?
              Work in progress
• Constructions with better rate
  – Nontrivial lower bound?
  – Possibility of getting close to rate 1
• Domain separation
• Understand model better, esp. role of
  unsupported queries
• Simpler constructions and proofs