Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound
Arvind Narayanan (UT Austin), Ilya Mironov (Microsoft Research)



Notions of hash function security
[Diagram relating the notions CR, TCR, Pre, aPre, ePre, Sec, aSec, eSec, multicollision, Nostradamus and RO; three entries are marked "?"]

What’s wrong with MD?
[Diagram: Merkle-Damgard chain, compression function C applied to message blocks M1, M2, M3 with chaining values h0, h1, h2 and output h = h3]
Multicollisions (Joux, Crypto’04)
Second preimage (Kelsey and Schneier, Eurocrypt’05)
Nostradamus (Kelsey and Kohno, Eurocrypt’06)
Birthday paradox
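The multicollision item above can be made concrete with an added example (not taken from the slides): chaining k single-block birthday collisions in a plain Merkle-Damgard hash yields 2^k messages with one digest for roughly k·2^(n/2) compression calls, far fewer than a random oracle with n-bit output would allow. The 16-bit toy compression function (truncated SHA-256) and all function names are assumptions chosen so the search finishes instantly.

```python
import hashlib
from itertools import product

N_BYTES = 2  # toy chaining value, n = 16 bits (assumption for a fast demo)

def compress(h: bytes, block: bytes) -> bytes:
    """Toy compression function C: SHA-256 truncated to n bits."""
    return hashlib.sha256(h + block).digest()[:N_BYTES]

def md_hash(blocks, iv=b"\x00" * N_BYTES) -> bytes:
    """Plain MD chaining h_i = C(h_{i-1}, M_i). Length padding is omitted:
    all messages built below have equal length, so it would not separate them."""
    h = iv
    for b in blocks:
        h = compress(h, b)
    return h

def find_block_collision(h: bytes):
    """Birthday search for two distinct blocks colliding from chaining value h."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(8, "big")
        out = compress(h, block)
        if out in seen:
            return seen[out], block, out, counter + 1
        seen[out] = block
        counter += 1

def joux_multicollision(k: int, iv=b"\x00" * N_BYTES):
    """Chain k one-block collisions; returns (pairs, total compression calls)."""
    h, pairs, calls = iv, [], 0
    for _ in range(k):
        a, b, h, used = find_block_collision(h)
        pairs.append((a, b))
        calls += used
    return pairs, calls

def expand(pairs):
    """All 2^k messages formed by picking one block from each colliding pair."""
    return [list(choice) for choice in product(*pairs)]

if __name__ == "__main__":
    pairs, calls = joux_multicollision(4)
    digests = {md_hash(m).hex() for m in expand(pairs)}
    print(f"{2 ** len(pairs)} messages, {len(digests)} digest, {calls} calls")
```

Widening the internal state, as the double-pipe design on the following slides does, is what removes these cheap internal collisions.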

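What does indifferentiability mean?
[Diagram: chain of three boxes labeled S over message blocks M1, M2, M3 with chaining values h0, h1, h2 and output h = h3, together with a box labeled Oracle]
Maurer et al. [CDMP05]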

Lucks (Asiacrypt 2005)
[Diagram: double-pipe chain over message blocks M1, M2, M3 with initial values h0 and h1; labels: Compression function, “Finalizing function”]
Internal state must be wide (2 x output length)
Optimal security
Rate = 0.25
Not exactly impossible

Simple construction
[Diagram: one block of the construction with message M and labels α1, α2, β1, β2 (only one block shown), next to one block of the Lucks double pipe with message M]
Twice as much space for message bits
Linear algebra very fast

Other possibilities
[Diagram: one block with message M (only one block shown), next to the Lucks double pipe]
No internal collisions!
Collision resistance 2^n on output length 2n

Ugly construction
[Diagram: construction over message blocks M1, M2, M3]
Rate 3/8
Provably behaves like a random oracle (2^n)

Proof technique
[Diagram: construction over message blocks M1, M2, M3]
NOT a random oracle!
Hybrid argument fails
Inductive “global” proof → Collision counting

The adversary wins if…
Collision
Unsupported query
Does not seem to lead to attack
But necessary for using indifferentiability framework
Goal: distinguish construction from random oracle

Results
Simple
– Rate ½ (always)
– Collision resistant (2^n)
– Almost behaves like random oracle (2^n)
Ugly
– Rate 3/8 (for SHA-256)
– Provably behaves like random oracle (2^n)

Rate comparison
[Plot: overall rate against compression ratio for Merkle-Damgard, Simple, Ugly and Lucks double-pipe; SHA-256 marked]

Why should you care?
Gap between MD and double pipe is large
– Factor of 4 for SHA-256, 3 for MD5
New crop of proof techniques
– Steinberger (Eurocrypt’07)
– Current work
– Shrimpton and Stam (next talk)
Apply techniques to new constructions?

Work in progress
Constructions with better rate
– Nontrivial lower bound?
– Possibility of getting close to rate 1
Domain separation
Understand model better, esp. role of unsupported queries
Simpler constructions and proofs