Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen
MD6 Hash Function
• One of the earliest announced SHA-3 candidates
• Presented by Rivest at CRYPTO ’08
• Compression function f: fixed input length (FIL), 4-to-1 compression
• Mode of operation MD6^f: variable input length (VIL), specified output length d
MD6 Compression Function f
[Figure: f = Chop ∘ π ∘ Prepend. A 15-word constant is prepended to the key (8 words), the aux data (2 words) and the 64 data words, giving an 89-word input; the 1-1 map π takes the 89 words to p words; Chop keeps 16 words (= 64/4, the 4-to-1 compression).]
MD6 Mode of Operation
[Figure: 4-ary tree of calls to f. Nodes are labelled (level, index), e.g. (1,9), (2,0), (2,1); leaves may be empty or partially filled; the root node carries z = 1 (the “root bit”); the root output is chopped to d bits.]
Analyzing the Mode of Operation
General approach: if the compression function f is “secure”, then the mode of operation MD6^f is “secure”, e.g.
• f collision-resistant ⇒ MD6^f collision-resistant
• f preimage-resistant ⇒ MD6^f preimage-resistant
• f a PRF ⇒ MD6^f a PRF
(Crutchfield)
Is this enough?
Random-Oracle-Like Behavior
• Random oracles (ROs) are used to prove the security of signatures, CCA encryption, ZK, etc.
• RO in theory → hash function in practice
• When is this replacement secure?
• f is a FIL-RO ⇒ MD6^f is a VIL-RO?
Security Notion: Indistinguishability
• Natural first attempt: can a distinguisher D tell MD6^f apart from a VIL-RO G?
• But f and MD6^f are fixed public functions… D can evaluate them itself and compare, so plain indistinguishability from a RO is unachievable; a notion that gives D access to the inner component is needed.
[Diagram: D queries either MD6^f or the VIL-RO G and must say which.]
Indifferentiability (Maurer et al. ’04)
• Variant of indistinguishability: D also has access to the inner component (the FIL-RO C in the real world, a simulator S in the ideal world)
• Indifferentiability: there exists a simulator S such that the left and right worlds are indistinguishable to any D
• Note: not a symmetric relationship
[Diagram: left (real) world: D queries MD6^C and the FIL-RO C; right (ideal) world: D queries the VIL-RO G and the simulator S, where S may itself query G.]
Indifferentiability
• Theorem (Maurer et al.): if H is indifferentiable from a RO, then any cryptosystem proven secure with a RO remains secure when the RO is replaced by H
• How do we apply this to MD6?
• View f as a RO
• Prove MD6^f is indifferentiable from a RO
• Conclude MD6^f may safely be plugged into applications that require a VIL-RO (viewing f as a RO)
Our Results and Interpretation
• Our result: MD6^RO is indifferentiable from a RO
• More generally: any* tree-based mode of operation using a FIL-RO is indifferentiable from a VIL-RO
What does this mean?
• The MD6 mode of operation is safe for use as a RO
• Gives confidence that the mode of operation is well-built
• Pushes the RO assumption one level down, from MD6 to f
Can we push the RO assumption even further down? Stay tuned…
* Requirements of the Mode of Operation
• Deterministic tree structure (wrt calls to f)
• Unique parsing of f-inputs into metadata, raw data and f-outputs
  – level > 0 (non-leaf): metadata, f-output 1, f-output 2, f-output 3, f-output 4
  – level = 0 (leaf): metadata, raw data
• Root predicate (in MD6: z = 1)
• Final output processing: a regular, invertible* function (in MD6: chop to d bits)
• Message reconstructibility
Simulator
[Diagram: the indifferentiability setup again; in the ideal world D queries the VIL-RO G and the simulator S.]
Simulator S, on a query x:
• Previously seen? Repeat the answer.
• Non-root query (z = 0)? Random answer.
• Root query (z = 1)?
  – Reconstruct M such that x is the final query the mode makes on M. If not possible, random answer.
  – Consult G on M.
  – Return a random answer consistent with G(M) (a uniformly random preimage of G(M) under the final output processing, which is why that processing must be regular and invertible).
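The mode-of-operation requirements (unique parsing, root predicate, regular and invertible final processing, message reconstructibility) and the four-step simulator above, as an added runnable example; this is not code from the paper or from the MD6 reference implementation. It uses a toy 4-ary tree mode with 8-byte words, a 7-byte metadata header (level, index, root bit z, count) and a 4-byte final chop, all simplifications chosen here; the FIL-RO C and the VIL-RO G are lazily sampled tables driven by a seeded PRNG for reproducibility. The simulator S reconstructs M by walking its own query table from the root query down to the leaves, replays the mode to confirm that x really is the final query on M, and then answers with G(M) followed by a random tail, i.e. a uniform preimage of G(M) under chop.

```python
import random

W = 8              # word size in bytes; f returns one word
ARITY = 4          # 4-to-1 compression, as in MD6
BLOCK = ARITY * W  # 32 payload bytes in every f-input
D = 4              # final output processing: chop the root answer to D bytes

def encode(level, index, z, count, payload):
    """f-input = metadata (level, index, root bit z, count) || fixed-size payload;
    count = payload bytes used (leaf) or number of real child outputs (inner node)."""
    return bytes([level]) + index.to_bytes(4, "big") + bytes([z, count]) + payload

def parse(x):
    """Unique parsing of an f-input into metadata and payload; ValueError if malformed."""
    if len(x) != 7 + BLOCK:
        raise ValueError("bad length")
    level, index, z, count, payload = x[0], int.from_bytes(x[1:5], "big"), x[5], x[6], x[7:]
    used = count if level == 0 else count * W      # bytes of payload that carry data
    if z > 1 or used > BLOCK or (level and not count) or payload[used:] != bytes(BLOCK - used):
        raise ValueError("bad metadata or non-zero padding")
    return level, index, z, count, payload

def root_input(M, f):
    """Deterministic tree: leaves hold 32-byte chunks of M, inner nodes hold up to four
    child outputs.  Calls f on every non-root node and returns the root input (z = 1)."""
    chunks = [M[i:i + BLOCK] for i in range(0, len(M), BLOCK)] or [b""]
    nodes = [(0, i, len(c), c.ljust(BLOCK, b"\0")) for i, c in enumerate(chunks)]
    level = 0
    while len(nodes) > 1:
        outs = [f(encode(lv, ix, 0, cnt, pl)) for lv, ix, cnt, pl in nodes]
        level += 1
        groups = [outs[i:i + ARITY] for i in range(0, len(outs), ARITY)]
        nodes = [(level, i, len(g), b"".join(g).ljust(BLOCK, b"\0")) for i, g in enumerate(groups)]
    lv, ix, cnt, pl = nodes[0]
    return encode(lv, ix, 1, cnt, pl)

def mode_hash(M, f, d=D):
    """H^f(M): run the tree mode over f, then chop the root answer to d bytes."""
    return f(root_input(M, f))[:d]

class LazyRO:
    """Random oracle sampled lazily (fresh uniform string on first query, memoised after);
    a seeded PRNG stands in for true randomness only to keep the example reproducible."""
    def __init__(self, out_len, seed=0):
        self.out_len, self.rng, self.table = out_len, random.Random(seed), {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = self.rng.randbytes(self.out_len)
        return self.table[x]

class Simulator:
    """S from the slide: random answers to non-root queries; on a root query reconstruct M,
    check that x really is the mode's final query on M, then answer consistently with G(M)."""
    def __init__(self, G, seed=1, d=D):
        self.G, self.rng, self.d = G, random.Random(seed), d
        self.table = {}      # x -> answer, so a repeated query repeats the answer
        self.by_output = {}  # answer -> x, lets reconstruct() walk the tree bottom-up
        # (two inputs sharing one answer would overwrite an entry: the "S-collision" bad event)

    def __call__(self, x):
        if x in self.table:
            return self.table[x]
        try:
            M = self.reconstruct(x) if parse(x)[2] == 1 else None
        except ValueError:          # malformed query: answered like any non-root query
            M = None
        if M is not None and self._consistent(M, x):
            # chop is regular and easy to invert: a uniform preimage of G(M) is G(M) || random
            ans = self.G(M) + self.rng.randbytes(W - self.d)
        else:
            ans = self.rng.randbytes(W)
        self.table[x] = ans
        self.by_output[ans] = x
        return ans

    def reconstruct(self, x):
        """Message reconstructibility: follow child outputs back through S's own table down
        to the leaves and concatenate their raw data; None if a child was never queried."""
        level, _, _, count, payload = parse(x)
        if level == 0:
            return payload[:count]
        parts = []
        for j in range(count):
            child = self.by_output.get(payload[j * W:(j + 1) * W])
            if child is None or (part := self.reconstruct(child)) is None:
                return None
            parts.append(part)
        return b"".join(parts)

    def _consistent(self, M, x):
        """Replay the mode on M with recorded answers only (KeyError if a node is missing)
        and check that the final query is exactly x."""
        try:
            return root_input(M, self.table.__getitem__) == x
        except KeyError:
            return False
```

A distinguisher that computes the mode honestly through S (`mode_hash(M, S)`) obtains exactly `G(M)`, which is the consistency the simulator must provide; a root query whose subtree was never asked, or whose claimed tree does not match the reconstructed message (for instance two partially filled leaves under one parent), gets an independent random answer. The answer-keyed table is where the proof's S-collision bad event lives: two inputs receiving the same word would make reconstruction ambiguous, with probability negligible in the word size.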
Proof Sketch
• Sequence of games transforming the “ideal” game (D interacts with G and S) into the “real” game (D interacts with MD6^C and C)
• Define 3 types of “bad” events (S-collisions and “lucky guesses” by D)
• If no bad event occurs, D’s view is identical in both games
• The probability of a bad event is negligible
• Therefore D’s distinguishing advantage is negligible
Pushing the RO Assumption to the Compression Function Level
[Figure: the compression function again: f = Chop ∘ π ∘ Prepend, with the 89-word input (15-word constant, 8-word key, 2 words of aux data, 64 data words), the 1-1 map π to p words, and Chop to 16 words.]
• View π as a random permutation
• Prove f indifferentiable from a FIL-RO
• Similar proof techniques
• f indifferentiable from a FIL-RO (viewing π as random) + MD6^f indifferentiable from a VIL-RO (viewing f as a FIL-RO) ⇒ MD6^f indifferentiable from a VIL-RO (viewing π as random), since indifferentiability composes
Conclusion
• Proved: indifferentiability of the MD6 mode of operation (viewing the compression function as a RO)
• The result is quite general and applies to many sensible tree modes (including other SHA-3 candidates and sequential modes)
• Proved: indifferentiability of the MD6 compression function (viewing π as a random permutation)
Interpretation:
• The MD6 mode of operation does not have structural weaknesses
• MD6 (mode of operation together with its compression function) can be used as a RO, assuming π is a random permutation