
Cryptography

Cryptography. Lecture 15. Q and A; bring the written answers to the TA before the class. 1. What is the random oracle model? Summarize it. 2. A hash function in the random oracle model is powerful. It can be used to build all primitives we have seen so far. What are the constructions, briefly?

lilai

Presentation Transcript


  1. Cryptography Lecture 15

  2. Q and A; bring the written answers to the TA before the class • 1. What is the random oracle model? Summarize it. • 2. A hash function in the random oracle model is powerful. It can be used to build all primitives we have seen so far. What are the constructions, briefly? • 3. Merkle trees are trade-offs between two extremes. What are the two extremes? Convince yourself why Merkle trees work.

  3. Random Oracle Model and Other Applications of Hash Functions

  4. Hash functions are ubiquitous • Collision-resistance ⇒ “fingerprinting” • Used as a one-way function • Key derivation

  5. Fingerprinting • E.g., file integrity • Assuming it is possible to get a reliable copy of H(x) for file x • Note: different from integrity in the context of message-authentication codes

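  6. Outsourced storage • How to outsource files to an untrusted server? • Client sends x to the server and keeps h = H(x) • Server later returns x; client checks H(x) =? h

  7. Outsourced storage • Client sends x1, …, xn to the server and keeps hi = H(xi) for every i • To retrieve file i: server returns xi; client checks H(xi) =? hi • O(n) client storage!

  8. Outsourced storage • Client sends x1, …, xn to the server and keeps h = H(x1, …, xn) • To retrieve file i: server returns x1, …, xn; client checks H(x1, …, xn) =? h • O(n|x|) communication!

  9. Outsourced storage • Client sends x1, …, xn to the server and keeps h = H(H(x1), …, H(xn)) • To retrieve file i: server returns xi, h1, …, hn; client checks H(h1, …, H(xi), …, hn) =? h • |xi| + O(n) communication!

  10. Merkle tree • [Figure: Merkle tree over leaves x1, x2, x3, x4] • Verify… • Only store the root! • O(log n) communication/computation!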

  11. Outsourced storage • Using a Merkle tree, we can solve the outsourcing problem with O(1) client storage and |x| + O(log n) communication
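
The outsourcing protocol of slides 6 to 11, as an added example that is not part of the original lecture: the server builds the tree and answers a request for file i with xi plus its sibling hashes, and the client checks them against the stored root. SHA-256 standing in for H, the leaf/node prefix bytes, the rule that an unpaired node is promoted unchanged, and all function names are assumptions of this sketch.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # assumption: SHA-256 plays the role of H

def leaf_hash(x: bytes) -> bytes:
    return H(b"\x00" + x)                  # prefix keeps leaves distinct from inner nodes

def node_hash(left: bytes, right: bytes) -> bytes:
    return H(b"\x01" + left + right)

def build_levels(files):
    """Server side: every level of the tree, leaves first, root last."""
    level = [leaf_hash(x) for x in files]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[j], level[j + 1]) for j in range(0, len(level) - 1, 2)]
        if len(level) % 2:                 # unpaired node is promoted unchanged
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels

def prove(levels, i):
    """Server side: sibling hashes on the path from leaf i up to the root."""
    proof = []
    for level in levels[:-1]:
        if i ^ 1 < len(level):
            proof.append(level[i ^ 1])
        i //= 2
    return proof

def verify(root, n, i, x, proof):
    """Client side: stores only root and n, recomputes the path for position i."""
    if not 0 <= i < n:
        return False
    h, it = leaf_hash(x), iter(proof)
    while n > 1:
        if i ^ 1 < n:                      # a sibling exists at this level
            sib = next(it, None)
            if sib is None:
                return False               # proof too short
            h = node_hash(sib, h) if i & 1 else node_hash(h, sib)
        i, n = i // 2, (n + 1) // 2
    return next(it, None) is None and h == root

# Constructed sample data: five small "files" held by the server.
FILES = [b"file-%d" % k for k in range(5)]
LEVELS = build_levels(FILES)
ROOT = LEVELS[-1][0]                       # the only hash the client keeps
```

Because `verify` derives left/right order from the requested index, a proof for one position cannot be replayed for another.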

  12. Secure Deduplication • At the server side • Hash the content to derive the key k = H(m) • Then use the key to encrypt m to get $C = E_k(m)$ • The same m leads to the same C. • Cannot achieve “chosen distribution attack” security; security is guaranteed only when m is random enough.

  13. Password hashing • Server stores H(pw) instead of pw • Requires more than one-wayness of H… • See later discussion on random oracles • Salting… • H(“salt”, pwd)

  14. Commitment Scheme • Hiding: M is hidden given C. • Binding: C can only be opened to M. • [Figure: Commit phase, in which the sender, holding M, sends C to the receiver; Reveal phase, in which the sender sends M to the receiver]

  15. Commitment Scheme • Use case: auction • Commit(m): c = H(r||m) • Reveal(c): return r and m
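
The auction use case with Commit(m): c = H(r||m), as an added example that is not part of the original lecture. SHA-256 standing in for H, the 32-byte fixed-length r, the bidder names and bids, and the helper names are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

R_LEN = 32  # assumption: fixed-length r, so r||m splits in exactly one way

def commit(m: bytes):
    """Commit phase: returns (c, r). c is published, r stays with the sender."""
    r = secrets.token_bytes(R_LEN)
    return hashlib.sha256(r + m).digest(), r

def opens_to(c: bytes, r: bytes, m: bytes) -> bool:
    """Reveal phase check: does (r, m) open the commitment c?"""
    return len(r) == R_LEN and hmac.compare_digest(c, hashlib.sha256(r + m).digest())

def run_auction(commitments, openings):
    """commitments: {bidder: c}; openings: {bidder: (r, bid)}.
    Returns (winner, winning_bid, rejected_bidders)."""
    valid, rejected = {}, []
    for bidder, c in commitments.items():
        opening = openings.get(bidder)
        if opening and opens_to(c, opening[0], str(opening[1]).encode()):
            valid[bidder] = opening[1]
        else:
            rejected.append(bidder)        # missing or inconsistent opening
    winner = max(valid, key=valid.get) if valid else None
    return winner, valid.get(winner), rejected

def demo():
    # Constructed scenario: both bidders commit before any bid is revealed.
    c_alice, r_alice = commit(b"120")
    c_bob, r_bob = commit(b"100")
    commitments = {"alice": c_alice, "bob": c_bob}
    # Bob sees Alice's 120 and tries to open his commitment to 130 instead of 100.
    openings = {"alice": (r_alice, 120), "bob": (r_bob, 130)}
    return run_auction(commitments, openings)   # binding makes Bob's opening fail
```

Hiding rests on r being fresh and unpredictable for every commitment; without it, a small bid range could be tested against c directly.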

  16. Key derivation • Consider deriving a (shared) key from (shared) high-entropy information • E.g., biometric data • E.g., generating randomness • Cryptographic keys must be uniform, but shared data is only high-entropy

  17. Min-entropy • Let X be a distribution • The min-entropy of X (measured in bits) is $H(X) = -\log \max_x \{ \Pr[X = x] \}$ • I.e., if H(X) = n, then the probability of guessing x sampled from X is (at most) $2^{-n}$ • Min-entropy is more suitable for crypto than entropy

  18. Key derivation • Given shared information x (sampled from distribution X), derive shared key k=H(x) • In what sense can we claim that k is a “good” (i.e., uniformly distributed) cryptographic key?

  19. Recall security goal (To Introduce Random Oracle Model) • Main goal is collision resistance • Want optimal birthday security • Also want preimage resistance, 2nd-preimage resistance • Want optimal security here as well • “Optimal” measured relative to a random function • Why not design H to be a “random function”?

  20. The random-oracle (RO) model • Treat H as a public, random function • Then H(x) is uniform for any x… • …unless the attacker computes H(x) explicitly by querying x

  21. Many applications • One canonical example: key derivation

  22. The random-oracle (RO) model • Treat H as a public, random function • Then H(x) is uniform for any x… • …unless the attacker computes H(x)… • …but the attacker cannot do that (with high probability) if X has high min-entropy!

  23. The RO model • Intuitively • Assume the hash function “is random” • Models attacks that are agnostic to the specific hash function being used • Security in the real world as long as “no weaknesses found” in the hash function

  24. The RO model • Formally • Choose a uniform hash function as part of the security experiment • Attacker can only evaluate H via explicit queries to an oracle • Simulate H for the attacker as part of the security proof/reduction

  25. The RO model • In practice • Prove security in the RO model • Instantiate the RO with a “good” hash function • Hope for the best…

  26. Pros and cons of the RO model • Cons • There is no such thing as a public hash function that “is random” • Not even clear what this means formally • Known counterexamples • There are (contrived) schemes secure in the RO model, but insecure when using any real-world hash function • Sometimes over-abused (arguably)

  27. Pros and cons of the RO model • Pros • No known example of “natural” scheme secure in the RO model being attacked in the real world • If an attack is found, just replace the hash • Proof in the RO model better than no proof at all • Evidence that the basic design principles are sound

  28. PRF from Hash Function in the Random Oracle Model • $F_k(x) = H(k \| x)$ • Note that it does not use any computational assumption, but relies on H being a random oracle (which is already very strong).

  29. Hash Functions can do all major cryptographic functions • Export law (historically) • Encryption forbidden • HMAC was designed to circumvent this • Not just MAC • As shown in building PRF • And therefore all sorts of major functions

  30. Ideal-cipher model • “Stronger” than the RO model! • Model block cipher $F: \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ as a collection of public, independent, random permutations • I.e., for each key k, $F_k$ is a random permutation on $\{0,1\}^n$

  31. The ideal-cipher model • This is more than assuming F is a PRP • $F_k$ random even when k is known! • (No weak keys) • (No related-key attacks) • Formally, similar to the RO model • In particular, the only way to evaluate F is via explicit oracle queries • Attacker allowed to query $F$ and $F^{-1}$

  32. Building a hash function • Two-stage approach • Build a compression function (from a block cipher) • I.e., collision-resistant hash function for fixed-length inputs • Build a full-fledged hash function from a compression function • Other approaches are possible
