Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi.

Presentation transcript:

Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi

Non-Malleable Hash Functions ► Bogdan Warinschi, Formacrypt meeting 2007

Page 2: Non-Malleability
• Intuition
  – Being given an instance f(x) does not help to find f(x*) for a related x*

Page 3: Non-Malleability
• Example 1
  – given the encryption C1 = Enc(PK,M)
  – it should be hard to construct an encryption C2 of M xor 
• Example 2
  – given a commitment Com(X,N), with N an unknown random nonce
  – it should be hard to construct a commitment Com(X+1000,N) for the same N

Page 4: Non-Malleability
• Example 3
  – given encryption scheme (K,E,D), construct encryption scheme (K_1,E_1,D_1):
  – K = K_1,
  – E_1 = E(PK,M)b, where b is a randomly chosen bit
  – D_1(SK,Cb) = D(SK,C)
  – the scheme is malleable: given an encryption Cb of message M it is easy to construct an encryption Cb' of message M' such that M = M'

Page 5: Non-Malleability
• Well studied for encryption, commitments, zero-knowledge
  – Definitions
  – Constructions
  – Applications
• How about hash functions?

Page 6: Non-malleable hash functions
• Motivation
• Definition
• Construction
• Applications

Page 7: Motivation: soundness of the random oracle model
Modelling:
  – in the RO model, hash functions are accessed in a black-box way (by both honest parties and the adversary)
  – they are truly random functions
Advantages:
  – enables security proofs for very efficient primitives/protocols for which we have no other security proofs

Page 8: Motivation: soundness of the random oracle model
Disadvantages:
• Can the RO be instantiated with standard hash functions in a way that preserves the security proof?
  – In general the answer is NO (the RO model is provably unsound)
  – For some schemes it may be possible to replace a random oracle H with a standard hash function
  – What if the security of the scheme uses non-malleability of random oracles?

Page 9: Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), r xor M )

Page 10: Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M )

Page 11: Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )

Page 12: Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )
  – Assume that H is such that given H(r||M) it is possible to construct H(r||M xor );
  – Then Enc is malleable: from Enc(PK,M) it is possible to construct Enc(PK, M xor )
  – A security-preserving instantiation of H with an actual hash function would require H to be non-malleable
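The argument on this slide, worked through as an added Python example (not code from the talk): the three-component scheme with a deliberately XOR-linear H, where the H(r||M) component can be shifted without knowing r, beside the same scheme with SHA-256 as H, where the same transformation is rejected. The toy textbook-RSA parameters, the counter-mode G, both H functions, and the name `delta` for the XOR offset (whose symbol is missing from the slide text) are assumptions of the example.

```python
import hashlib
import secrets

# Assumed toy parameters: textbook RSA over two Mersenne primes (not secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
RLEN = 16  # bytes of randomness r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def G(r, n):
    """Mask generator (assumed): SHA-256 in counter mode, n output bytes."""
    blocks = (hashlib.sha256(r + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def h_linear(x):
    """Deliberately malleable H: XOR-fold to 8 bytes, so H(a^b) = H(a)^H(b)."""
    acc = bytearray(8)
    for i, byte in enumerate(x):
        acc[i % 8] ^= byte
    return bytes(acc)

def h_sha(x):
    """SHA-256 standing in for H."""
    return hashlib.sha256(x).digest()

def enc(m, H):
    """Enc(PK,M) = (RSA(PK,r), G(r) xor M, H(r||M))."""
    r = secrets.token_bytes(RLEN)
    return pow(int.from_bytes(r, "big"), E, N), xor(G(r, len(m)), m), H(r + m)

def dec(ct, H):
    """Recover r and M; return M only if the H(r||M) component verifies."""
    c1, c2, tag = ct
    r = pow(c1, D, N).to_bytes(RLEN, "big")
    m = xor(G(r, len(c2)), c2)
    return m if H(r + m) == tag else None

def maul(ct, delta, H):
    """Shift a ciphertext of M towards M xor delta using public data only.
    The tag update is valid only when H is XOR-linear."""
    c1, c2, tag = ct
    return c1, xor(c2, delta), xor(tag, H(bytes(RLEN) + delta))
```

With `h_linear` the shifted ciphertext decrypts to M xor delta; with `h_sha` decryption returns `None`, which is the behaviour the security proof needs from H.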

Page 13: Motivation: soundness of formal analysis
• In symbolic analysis hash functions are non-malleable:
  – the Dolev-Yao adversary can construct H(M) only if it knows M
  – The attack where from H(A,N) for unknown nonce N the adversary constructs H(B,N) is not possible in the DY world
• To ensure that all attacks in the cryptographic model are captured by the Dolev-Yao adversary, the attack above should not be possible in the real world

Page 14: Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications

Page 15: Definition (sketch) [section: Defining Non-Malleable Hash Functions]
Adversary game:
  sample x ← X
  compute y ← H(x)
  let (T,y*) ← Adv(y)
  let x* ← T(x)
  success iff H(x*) = y*, y ≠ y* and R(x,x*)=1
Simulator game:
  sample x ← X
  let x* ← Sim()
  success iff R(x,x*)=1
Definition: H is non-malleable w.r.t. distribution X iff Prob[ Adv succeeds ] ≈ Prob[ Sim succeeds ]

Page 16: Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications

Page 17: Construction (Part I) [section: Constructing Non-Malleable Hash Functions]
• Necessary: H(x) must not leak information about x
• Idea: use Canetti's perfectly one-way hash functions
• Definition: a (probabilistic) hash function h is a POWHF w.r.t. X and aux iff (h(x), aux(x))  (h(x'), aux(x)) for x,x' ← X

Page 18: Construction (Part II) [section: Constructing Non-Malleable Hash Functions]
• Even if H(x) hides all information about x, the function H may still be malleable
• Idea: append a (ssNIZK) proof of knowledge of x
• When an adversary given y=H(x) outputs y*, he must know some x* such that H(x*)=y*, and he had no information on x: the only relations between x and x* that hold are trivial (and can be easily satisfied by a simulator)

Page 19: Construction (Putting things together) [section: Constructing Non-Malleable Hash Functions]
• Theorem (sketch): Let h be a POWHF w.r.t. X and aux, and let (Gen,Prover,Verifier) be a ssNIZKPoK. Then H(x) = ( h(x),  ) where  ← Prover(crs,x,h(x)) is non-malleable w.r.t. X and aux.
(the solution is not really efficient; it is rather a feasibility result)

Page 20: Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications

Page 21: Message Authentication via H(k||m) [section: Application to Message Authentication]
• H(k||m) is a secure MAC for secret key k if H is a random oracle, or if H is a pseudorandom function
• We show that H(k||m) is a secure MAC if H is non-malleable
• Security means: an adversary who sees H(k,m_1), H(k,m_2), ..., H(k,m_n) cannot compute H(k,m) for m different from m_1, m_2, ..., m_n

Page 22: Message Authentication via H(k||m) (Proof intuition) [section: Application to Message Authentication]
• Consider an adversary A who after seeing H(k||m) manages to output a forgery (m',H(k||m'))
• Construct adversary B against non-malleability:
  – on input H(k||m) the adversary runs A internally and obtains (m',H(k||m'))
  – output H(k||m') and T(k||x)=k||m'
• Consider the relation R(x||y,z||w)=1 if x=z; then the adversary B satisfies the relation since R(k||m,k||m') = 1

Page 23: Instantiating random oracles
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )
• If ( RSA(PK,r), G(r) xor M, H(r||M) ) is the challenge ciphertext, we argue in the proof that the adversary cannot query its decryption oracle on the ciphertext ( RSA(PK,r), G(r) xor M', H(r||M') )
• The security proof is still in the random oracle model

Page 24: Soundness of formal analysis of hash functions
• Ongoing work
• Some problems:
  – general soundness only in the trusted parameters model (NIZK proof systems use a common reference string which needs to be generated honestly)
  – POWHFs are not known to exist for arbitrary distributions

Page 25: Conclusion
• Motivation (Interesting, useful)
• Definitions
• Construction (POWHF+ssNIZKPoK)
• Applications (MAC, Encryption)

Page 26: Mapping MAC-Adversaries to NM-Adversaries [section: Application to Message Authentication]
NM game (adversary A):
  p ← A()
  sample x ← X(p), compute y ← H(x)
  r_x ← aux(x)
  let y* ← A(y)
  let x* ← A(x)
  success iff H(x*) = y*, y ≠ y* and R(r_x,x*)=1
MAC game (adversary B):
  m ← B()
  sample k ← K
  compute y ← H(k||m)
  let (m*,y*) ← B(y)
  success iff H(k||m*)=y*, y ≠ y*
Annotations:
  X(p) samples k ← K, outputs x=k||p
  x*=k||m* ← A(k||m)
  Pr[ A succ ] = Pr[ B succ ] (if relation always evaluates to 1 for A)

Page 27: Towards Picking the Relation [section: Application to Message Authentication]
define relation R(r_x,x*) such that
  – it always evaluates to 1 for adversary A
  – but only with very small probability for every simulator Sim
MAC insecure
Pr[ A succ ] = Pr[ B succ ] ≥ 1/p(n) but Pr[ Sim succ ] << 1/p(n)
H not non-malleable

Page 28: Actually Picking the Relation [section: Application to Message Authentication]
Goldreich-Levin hardcore bits
let aux_t(k||m) output t pairs (s_j, ‹s_j,k› mod 2) for j=1,2,..,t
let R(r_x, k*||m*)=1 iff ‹s_j,k›=‹s_j,k*› mod 2 for j=1,2,..,t
then R(r_x,k||m*)=1, but Pr[ R(r_x,k*||m*)=1 ] = 2^(−t) for k* ≠ k
(recall: A outputs x*=k||m*)
If h is a POWHF w.r.t. X and empty aux, then h is a POWHF w.r.t. X and aux_t for t=O(log n) !!!

Page 29: Comparing Adversary and Simulator [section: Application to Message Authentication]
Adversary game:
  p ← A()
  sample x ← X(p), compute y ← H(x)
  r_x ← aux_t(x)
  let y* ← A(y)
  let x* ← A(x)
  success iff H(x*) = y*, y ≠ y* and R(r_x,x*)=1
  Pr[ A succ ] = Pr[ B succ ] ≥ 1/p(n)
Simulator game:
  p ← Sim()
  sample x ← X(p)
  r_x ← aux_t(x)
  let x* ← Sim()
  success iff R(r_x,x*)=1
  x*=k*||m* independent of k, r_x
  Pr[ Sim succ ] = 2^(−t) ≤ 1/(2p(n)) for t = log p(n) + 1
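The relation from pages 28 and 29, as an added Python example (not code from the talk): it builds the t inner-product pairs, evaluates R, and estimates empirically how often a forger that keeps the same k and a simulator with an independent k* satisfy it. The 64-bit key length, the integer encoding of bit vectors and all function names are assumptions of the example.

```python
import random

KBITS = 64  # assumed key length in bits

def ip2(a, b):
    """Inner product mod 2 of two bit vectors encoded as integers."""
    return bin(a & b).count("1") & 1

def aux_t(k, t, rng):
    """t pairs (s_j, <s_j,k> mod 2) with uniformly random s_j."""
    pairs = []
    for _ in range(t):
        s = rng.getrandbits(KBITS)
        pairs.append((s, ip2(s, k)))
    return pairs

def R(r_x, k_star):
    """R(r_x, k*||m*) = 1 iff <s_j,k> = <s_j,k*> mod 2 for all j.
    Only the key part k* of x* matters, so m* is not passed in."""
    return all(ip2(s, k_star) == bit for s, bit in r_x)

def adversary_rate(t, trials, rng):
    """The MAC forger outputs x* = k||m*: same k, so R always holds."""
    hits = 0
    for _ in range(trials):
        k = rng.getrandbits(KBITS)
        hits += R(aux_t(k, t, rng), k)
    return hits / trials

def simulator_rate(t, trials, rng):
    """The simulator never sees H(k||m): its k* is independent of k and r_x."""
    hits = 0
    for _ in range(trials):
        k = rng.getrandbits(KBITS)
        r_x = aux_t(k, t, rng)
        k_star = rng.getrandbits(KBITS)
        hits += R(r_x, k_star)
    return hits / trials
```

For t = 4 the adversary rate is exactly 1 while the simulator rate concentrates around 2^(−4), the gap the proof uses.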

Page 30: Conclusion (Non-Malleable Hash Functions ► Marc Fischlin, WCP 2007)
• defined, constructed and applied NM hashes
• not in this talk: black-box separation of OWP and NM hashes (à la Hsiao-Reyzin)
• future: investigate usefulness of definition
