Non-Malleable Hash Functions
FORMACRYPT, 2007
Alexandra Boldyreva, David Cash, Marc Fischlin, Bogdan Warinschi
Non-Malleability
• Intuition
• Being given an instance f(x) does not help to find f(x*) for a related x*
Bogdan Warinschi, Formacrypt meeting 2007
Non-Malleability
• Example 1
• given the encryption C1 = Enc(PK,M)
• it should be hard to construct an encryption C2 of M xor 11...1
• Example 2
• given a commitment Com(X,N), with N an unknown random nonce
• it should be hard to construct a commitment Com(X+1000,N) for the same N
Non-Malleability
• Well studied for encryption, commitments, zero-knowledge
• Definitions
• Constructions
• Applications
• How about hash functions?
Non-malleable hash functions
• Motivation
• Definition
• Construction
• Applications
Motivation: soundness of the random oracle model
Modelling:
• in the RO model, hash functions are accessed in a black-box way (by both honest parties and the adversary)
• they are truly random functions
Advantages:
• enable security proofs for very efficient primitives/protocols for which we have no other security proofs
Motivation: soundness of the random oracle model
Disadvantages:
• Can a RO be instantiated with a standard hash function in a way that preserves the security proof?
• In general the answer is NO (the RO model is provably unsound)
• For some schemes it may be possible to replace a random oracle H with a standard hash function
• What if the security of the scheme uses non-malleability of random oracles?
Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), r xor M )
Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M )
Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )
• Assume that H is such that, given H(r||M), it is possible to construct H(r||M xor 11...1)
• Then Enc is malleable: from Enc(PK,M) it is possible to construct Enc(PK, M xor 11...1)
• A security-preserving instantiation of H with an actual hash function would require H to be non-malleable
Motivation: soundness of formal analysis
• In symbolic analysis hash functions are non-malleable:
• the Dolev-Yao adversary can construct H(M) only if it knows M
• The attack where, from H(A,N) for an unknown nonce N, the adversary constructs H(B,N) is not possible in the DY world
• To ensure that all attacks in the cryptographic model are captured by the Dolev-Yao adversary, the attack above should not be possible in the real world
Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications
Defining Non-Malleable Hash Functions
Definition (sketch)
Real experiment (adversary Adv):
  sample x ← X
  compute y ← H(x)
  let (T, y*) ← Adv(y)
  let x* ← T(x)
  success iff H(x*) = y*, y ≠ y* and R(x, x*) = 1
Simulated experiment (simulator Sim):
  sample x ← X
  let x* ← Sim()
  success iff R(x, x*) = 1
Definition: H is non-malleable w.r.t. distribution X iff Prob[Adv succeeds] ≈ Prob[Sim succeeds]
Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications
Constructing Non-Malleable Hash Functions
Construction (Part I)
• Necessary: H(x) must not leak information about x
• Idea: use Canetti's perfectly one-way hash functions
• Definition: a (probabilistic) hash function h is a POWHF w.r.t. X and aux iff (h(x), aux(x)) ≈ (h(x'), aux(x)) for x, x' ← X
Constructing Non-Malleable Hash Functions
Construction (Part II)
• Even if H(x) hides all information about x, the function H may still be malleable
• Idea: append a (ssNIZK) proof of knowledge of x
• When an adversary given y = H(x) outputs y*, it must know some x* such that H(x*) = y*, and it had no information on x: the only relations between x and x* that hold are trivial (and can easily be satisfied by a simulator)
Constructing Non-Malleable Hash Functions
Construction (Putting things together)
• Theorem (sketch): Let h be a POWHF w.r.t. X and aux, and let (Gen, Prover, Verifier) be an ssNIZKPoK. Then H(x) = ( h(x), π ) where π ← Prover(crs, x, h(x)) is non-malleable w.r.t. X and aux.
• (The solution is not really efficient; it is rather a feasibility result.)
Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications
Application to Message Authentication
Message Authentication via H(k||m)
• H(k||m) is a secure MAC for secret key k if
• H is a random oracle, or
• H is a pseudorandom function
• We show that H(k||m) is a secure MAC if H is non-malleable
• Security means: an adversary who sees H(k,m1), H(k,m2), ..., H(k,mn) cannot compute H(k,m) for m different from m1, m2, ..., mn
Application to Message Authentication
Message Authentication via H(k||m) (Proof intuition)
• Consider an adversary A who, after seeing H(k||m), manages to output a forgery (m', H(k||m'))
• Construct adversary B against non-malleability:
• on input H(k||m), B runs A internally and obtains (m', H(k||m'))
• B outputs H(k||m') and T(k||x) = k||m'
• Consider the relation R(x||y, z||w) = 1 iff x = z; then adversary B satisfies the relation since R(k||m, k||m') = 1
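To make the definition slide and the MAC reduction above concrete, here is an added example (not code from the talk or its authors) that runs both experiments of the definition against a constructed toy hash: an affine map over the integers, chosen precisely because it is malleable. The forger A, the reduction B that wraps it, the transformation T, the relation R and the simulator Sim are all hypothetical names matching the slides; the constants, key/message widths and the toy hash itself are assumptions made for this illustration.

```python
import secrets

# Toy hash for illustration only (constructed, NOT a real hash function).
# Its affine structure is exactly what non-malleability forbids:
# H(x + d) = H(x) + A*d (mod P) is computable from H(x) without knowing x.
P = (1 << 61) - 1                    # prime modulus (assumption)
A, B = 0x5DEECE66D, 0xB              # arbitrary constants (assumption)
KEY_BITS, MSG_BITS = 64, 64          # widths of k and m in k||m

def toy_hash(x: int) -> int:
    return (A * x + B) % P

def concat(k: int, m: int) -> int:
    """Encode k||m as one integer: key in the high bits, message in the low bits."""
    return (k << MSG_BITS) | m

def forger_A(h_km: int, m: int, m_new: int) -> int:
    """MAC forger A from the slide: from H(k||m) alone, produce H(k||m_new)."""
    return (h_km + A * (m_new - m)) % P

def adversary_B(y: int, m: int, m_new: int):
    """Reduction B: run A on y = H(k||m) and output (y*, T) with T(k||x) = k||m_new."""
    y_star = forger_A(y, m, m_new)
    def T(x: int) -> int:
        return concat(x >> MSG_BITS, m_new)      # keep the hidden key, swap the message
    return y_star, T

def relation_R(x: int, x_star: int) -> bool:
    """R(x||y, z||w) = 1 iff x = z: both inputs carry the same key."""
    return (x >> MSG_BITS) == (x_star >> MSG_BITS)

def real_experiment(m: int, m_new: int) -> bool:
    """Definition slide, adversary side: success iff H(x*) = y*, y != y*, R(x, x*) = 1."""
    x = concat(secrets.randbits(KEY_BITS), m)    # x <- X, key unknown to B
    y = toy_hash(x)
    y_star, T = adversary_B(y, m, m_new)
    x_star = T(x)
    return toy_hash(x_star) == y_star and y != y_star and relation_R(x, x_star)

def simulated_experiment(m: int, m_new: int) -> bool:
    """Definition slide, simulator side: Sim never sees y, so it can only guess the key."""
    x = concat(secrets.randbits(KEY_BITS), m)
    x_star = concat(secrets.randbits(KEY_BITS), m_new)   # Sim()'s guess
    return relation_R(x, x_star)

def malleability_gap(trials: int = 200) -> float:
    """Prob[Adv succeeds] - Prob[Sim succeeds]; a large gap means H is malleable."""
    adv = sum(real_experiment(1, 2) for _ in range(trials)) / trials
    sim = sum(simulated_experiment(1, 2) for _ in range(trials)) / trials
    return adv - sim
```

For a non-malleable H the gap would be negligible; for this toy hash it is essentially 1, which is the reduction's argument that a forgery against H(k||m) would contradict non-malleability.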
Instantiating random oracles
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )
• If ( RSA(PK,r), G(r) xor M, H(r||M) ) is the challenge ciphertext, we argue in the proof that the adversary cannot query its decryption oracle with the ciphertext ( RSA(PK,r), G(r) xor M', H(r||M') )
• The security proof is still in the random oracle model
Soundness of formal analysis of hash functions
• Ongoing work
• Some problems:
• general soundness only in the trusted parameters model (NIZK proof systems use a common reference string which needs to be generated honestly)
• POWHFs are not known to exist for arbitrary distributions
Conclusion
• Motivation (interesting, useful)
• Definitions
• Construction (POWHF + ssNIZKPoK)
• Applications (MAC, Encryption)