Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound
Arvind Narayanan (UT Austin), Ilya Mironov (Microsoft Research)
Notions of hash function security
[Diagram of implications between notions: RO (random oracle) at the top; multicollision resistance; the preimage notions Pre, aPre, ePre; the second-preimage notions Sec, aSec, eSec; Nostradamus; collision resistance CR; target collision resistance TCR. Several implication arrows are marked "?" (open).]
What's wrong with MD?
[Diagram: Merkle-Damgård iteration h0 → C(h0, M1) = h1 → C(h1, M2) = h2 → C(h2, M3) = h3 = h]
• Multicollisions (Joux, Crypto '04)
• Second preimage (Kelsey and Schneier, Eurocrypt '05)
• Nostradamus (Kelsey and Kohno, Eurocrypt '06)
• Root cause: the birthday paradox on the n-bit internal state
What does indifferentiability mean?
[Diagram: the same iteration M1, M2, M3 with chaining values h0, h1, h2, h = h3, but with the compression function replaced by a simulator S, compared against an ideal oracle]
• Maurer et al.
• [CDMP05] (Coron, Dodis, Malinaud, Puniya, Crypto '05)
Lucks (Asiacrypt 2005): double pipe
[Diagram: two parallel chains of the same compression function; each block M1, M2, M3 is fed to both chains, then a "finalizing function" produces the output h1]
• Rate = 0.25
• Internal state must be wide (2 × output length)
• Optimal security
• Not exactly impossible
Simple construction
[Diagram: Lucks double pipe beside the simple construction, only one block shown; the block mixes message M with α1, α2 and β1, β2]
• Twice as much space for message bits
• Linear algebra, very fast
Other possibilities
[Diagram: Lucks double pipe beside the variant, only one block shown]
• No internal collisions!
• Collision resistance 2^n on output length 2n
Ugly construction
[Diagram: message blocks M1, M2, M3 feeding the compression function]
• Rate 3/8
• Provably behaves like a random oracle (2^n)
Proof technique
[Diagram: blocks M1, M2, M3 with the annotation "NOT a random oracle!"]
• Hybrid argument fails
• Inductive "global" proof
• Collision counting
The adversary wins if…
Goal: distinguish the construction from a random oracle
• Collision
• Unsupported query (does not seem to lead to an attack, but necessary for using the indifferentiability framework)
Results
Simple:
• Rate ½ (always)
• Collision resistant (2^n)
• Almost behaves like random oracle (2^n)
Ugly:
• Rate 3/8 (for SHA-256)
• Provably behaves like random oracle (2^n)
Rate comparison
[Chart: overall rate (y-axis) against compression ratio 1 to 5 (x-axis) for Merkle-Damgård (SHA-256), Ugly, Simple, and Lucks double pipe]
Why should you care?
• Gap between MD and double pipe is large: factor of 4 for SHA-256, 3 for MD5
• New crop of proof techniques: Steinberger (Eurocrypt '07); current work; Shrimpton and Stam (next talk)
• Apply techniques to new constructions?
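To make the rate gap between plain Merkle-Damgård and the Lucks double pipe concrete (the "factor of 4 for SHA-256"), here is an added Python example that is not code from the talk or the paper: both domain extenders are built over the same compression-function interface and the message bits absorbed per compression call are measured rather than computed by hand. The compression function is a SHA-256-based stand-in with SHA-256-like parameters (n = 256, 512-bit block); the initial values and the finalizing constant are assumptions.

```python
import hashlib

N = 32      # n = 256-bit chaining value (SHA-256-like parameters, assumed)
BLOCK = 64  # 512-bit input block of the underlying compression function

class Compressor:
    """Toy compression function C: {0,1}^(n+512) -> {0,1}^n, modelled with SHA-256
    as a random-looking stand-in; counts calls so the rate can be measured."""
    def __init__(self):
        self.calls = 0

    def __call__(self, chain: bytes, block: bytes) -> bytes:
        assert len(chain) == N and len(block) == BLOCK
        self.calls += 1
        return hashlib.sha256(chain + block).digest()

def pad(msg: bytes, unit: int) -> bytes:
    """MD strengthening: 0x80, zero fill, 64-bit big-endian message bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % unit)
    return padded + (8 * len(msg)).to_bytes(8, "big")

def merkle_damgard(C: Compressor, msg: bytes) -> bytes:
    """Plain MD: one n-bit pipe; every call absorbs a full BLOCK of message."""
    h = b"\x00" * N
    data = pad(msg, BLOCK)
    for i in range(0, len(data), BLOCK):
        h = C(h, data[i:i + BLOCK])
    return h

def double_pipe(C: Compressor, msg: bytes) -> bytes:
    """Lucks double pipe: two n-bit pipes (2n-bit internal state). Each unit of
    BLOCK-N message bytes goes through C twice, once per pipe, with the other
    pipe's value filling the block; a finalizing call folds the state to n bits."""
    unit = BLOCK - N
    h1, h2 = b"\x00" * N, b"\x01" * N          # distinct IVs (assumed)
    data = pad(msg, unit)
    for i in range(0, len(data), unit):
        m = data[i:i + unit]
        h1, h2 = C(h1, h2 + m), C(h2, h1 + m)  # both use the previous (h1, h2)
    return C(h1, h2 + b"\x00" * unit)          # finalizing constant (assumed)

def measured_rate(extender, msg: bytes):
    """(rate, digest): message bytes absorbed per call / BLOCK; -> 1 for MD, 1/4 here."""
    C = Compressor()
    digest = extender(C, msg)
    return len(msg) / (C.calls * BLOCK), digest
```

On a long message the measured rates settle at 1 and 0.25, i.e. the double pipe spends four compression calls where Merkle-Damgård spends one, which is the price of carrying a 2n-bit internal state through the same n-bit compression function.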
Work in progress
• Constructions with better rate: nontrivial lower bound? Possibility of getting close to rate 1
• Domain separation
• Understand the model better, esp. the role of unsupported queries
• Simpler constructions and proofs