Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 (Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen)


Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen

MD6 Hash Function
One of the earliest announced SHA-3 candidates; presented by Rivest at CRYPTO '08
Mode of operation MD6^f: variable input length (VIL), specified output length d
Compression function f: fixed input length (FIL), 4-to-1 compression

[Figure: MD6 compression function f. Constant words, key and auxdata are prepended to the 64-word input ("Prepend"), the result goes through a 1-1 map π ("Map"), and the output is chopped to 16 words, i.e. 64/4 ("Chop").]

MD6 Mode of Operation

[Figure: MD6 mode of operation as a tree of f calls, nodes labelled (level, index), e.g. (2,0), (2,1) and (1,9); leaf blocks may be partially filled or empty; the root node carries z = 1 (the "root bit"); the root output is chopped to d bits.]

Analyzing the Mode of Operation
General approach: if the compression function f is "secure", then the mode of operation MD6^f is "secure", e.g.:
– f collision-resistant ⇒ MD6^f collision-resistant
– f preimage-resistant ⇒ MD6^f preimage-resistant
– f PRF ⇒ MD6^f PRF
(Crutchfield)
Is this enough?

Random-Oracle-Like Behavior
Random oracles (ROs) are used to prove the security of signatures, CCA encryption, ZK, etc.
RO in theory → hash function in practice. When is this secure?
f is a FIL-RO ⇒ MD6^f is a VIL-RO?

Security Notion: Indistinguishability
[Figure: distinguisher D with oracle access to either MD6^f or a VIL-RO G, asked to tell which one it is talking to.]
But f and MD6^f are fixed public functions: D can evaluate f itself and compare the answers, so plain indistinguishability is not the right notion here.

Indifferentiability (Maurer et al. '04)
Variant notion of indistinguishability: D also has access to the inner component
[Figure: real world: D queries MD6^C and the FIL-RO C; ideal world: D queries the VIL-RO G and a simulator S, which may itself query G; D must guess which world it is in.]
Indifferentiability: ∃ simulator S s.t. left/right are indistinguishable to any D
Note: not a symmetric relationship

Indifferentiability
Theorem (Maurer et al.): if H is indifferentiable from a RO, then any cryptosystem proven secure with a RO remains secure when the RO is replaced by H
(Caveat from later work: Ristenpart, Shrimpton and Tessaro, EUROCRYPT 2011, showed this composition theorem covers single-stage security games only.)
How do we apply this to MD6?
– View f as a RO
– Prove MD6^f is indifferentiable from a RO
– Conclude MD6^f may safely be plugged into applications that require a VIL-RO (viewing f as a RO)

Our Results and Interpretation
Our result: MD6^RO is indifferentiable from a RO
More generally: any* tree-based mode of operation using a FIL-RO is indifferentiable from a VIL-RO
What does this mean?
– The MD6 mode of operation is safe for use as a RO
– Gives confidence that the mode of operation is well-built
– Pushes the RO assumption one level down, from MD6 to f
Can we push the RO assumption even further down? Stay tuned…

* Requirements of the Mode of Operation
Deterministic tree structure (w.r.t. calls to f)
Unique parsing of f-inputs into
– metadata
– raw data
– f-outputs
[Figure: a non-leaf f-input (level > 0) parses as metadata followed by f-outputs 1 to 4; a leaf f-input (level = 0) parses as metadata followed by raw data.]
Root predicate (z = 1)
Final output processing: a regular, invertible* function (chop to d bits)
Message reconstructibility

Simulator
[Figure: ideal world: D queries the VIL-RO G and the simulator S, which itself queries G; real world: D queries MD6^C and the FIL-RO C.]
On a query x:
– Previously seen? Repeat the answer.
– Non-root query (z = 0)? Random answer.
– Root query (z = 1)? Reconstruct M such that x is the final query of MD6 on M. If not possible, random answer. Otherwise consult G on M and return a random answer consistent with G(M).
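To make the three simulator rules concrete, the following is an added example in Python; it is not code from the paper or from the MD6 reference implementation. It scales the mode down to a 2-to-1 compression function with 16-byte chaining values and an 8-byte chopped digest, uses a lazily sampled random oracle for both the FIL-RO C and the VIL-RO G, and implements a simulator S that answers root queries consistently with G only when it can reconstruct the unique M for which the query is the final f call. The node encoding (z, level, index, payload), the 0x80 padding and all sizes are this example's own assumptions, not MD6's; MD6 itself is 4-to-1 with a richer metadata word.

```python
import secrets

C = 16         # bytes output by the FIL compression function f (one chaining value)
D = 8          # final digest length: the root output is chopped to D bytes
LEAF = 2 * C   # raw data bytes per leaf; 2-to-1 compression (assumption; MD6 is 4-to-1)


def encode_node(z, level, index, payload):
    """Fixed-length f input: metadata (root bit z, level, index) then payload."""
    assert len(payload) == LEAF
    return bytes([z, level]) + index.to_bytes(4, "big") + payload


def decode_node(x):
    """Unique parsing of an f input back into metadata and payload."""
    return x[0], x[1], int.from_bytes(x[2:6], "big"), x[6:]


def pad(M):
    """Invertible padding: M || 0x80 || 0x00* filling a power-of-two number of leaves."""
    padded = M + b"\x80"
    nleaves = 1
    while nleaves * LEAF < len(padded):
        nleaves *= 2
    return padded + b"\x00" * (nleaves * LEAF - len(padded))


def unpad(data):
    """Inverse of pad; rejects trees with more empty leaves than pad(M) would produce."""
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        return None
    M = stripped[:-1]
    return M if pad(M) == data else None


def tree_hash(f, M):
    """Toy tree mode: leaves at level 0, pairs of outputs combined upward, root has z = 1."""
    padded = pad(M)
    nodes = [padded[i:i + LEAF] for i in range(0, len(padded), LEAF)]
    level = 0
    while True:
        root = len(nodes) == 1
        outs = [f(encode_node(int(root), level, i, p)) for i, p in enumerate(nodes)]
        if root:
            return outs[0][:D]                   # final output processing: chop
        nodes = [outs[i] + outs[i + 1] for i in range(0, len(outs), 2)]
        level += 1


class LazyRO:
    """Random oracle: a fresh uniform output is sampled the first time an input is asked."""
    def __init__(self, outlen):
        self.outlen, self.table = outlen, {}

    def __call__(self, x):
        if x not in self.table:
            self.table[x] = secrets.token_bytes(self.outlen)
        return self.table[x]


class Simulator:
    """Simulator S for the FIL interface in the ideal world; G is the VIL random oracle."""
    def __init__(self, G):
        self.G, self.table, self.by_output = G, {}, {}

    def __call__(self, x):
        if x in self.table:                      # previously seen? repeat the answer
            return self.table[x]
        if decode_node(x)[0] == 1:               # root query: try to reconstruct M
            M = self.reconstruct(x)
            if M is not None:                    # random answer consistent with G(M) after chop
                return self._remember(x, self.G(M) + secrets.token_bytes(C - D))
        return self._remember(x, secrets.token_bytes(C))   # non-root or not reconstructible

    def _remember(self, x, y):
        self.table[x] = y
        self.by_output[y] = x                    # an S-collision here is one of the "bad events"
        return y

    def reconstruct(self, x):
        """Return M such that x is the final query of tree_hash(S, M), else None."""
        data = self._subtree_data(x, expect_root=True)
        return None if data is None else unpad(data)

    def _subtree_data(self, x, expect_root, expect_level=None, expect_index=None):
        z, level, index, payload = decode_node(x)
        if z != int(expect_root):
            return None
        if expect_level is not None and (level, index) != (expect_level, expect_index):
            return None
        if level == 0:
            return payload                       # leaf: payload is raw message data
        parts = []
        for k, y in enumerate((payload[:C], payload[C:])):
            child = self.by_output.get(y)        # child must be an earlier answered query
            if child is None:
                return None
            sub = self._subtree_data(child, False, level - 1, 2 * index + k)
            if sub is None:
                return None
            parts.append(sub)
        return b"".join(parts)


def ideal_world_consistent(M):
    """D's sanity check: in the ideal world, tree_hash(S, M) must equal the VIL-RO G(M)."""
    G = LazyRO(D)
    S = Simulator(G)
    return tree_hash(S, M) == G(M)
```

The `pad(M) == data` check in `unpad` is the part that is easy to get wrong: a root query built over a tree with superfluous empty leaves is not the final query of any message, and answering it with G(M) would let D distinguish, since in the real world the two root inputs get independent outputs.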

Proof Sketch
Sequence of games transforming the "ideal" game (D interacts with G, S) into the "real" game (D interacts with MD6^C, C)
Define 3 types of "bad" events (S-collisions and "lucky guesses" by D)
If no bad event occurs, D's view is identical in both games
The probability of a bad event is negligible
Therefore D's distinguishing advantage is at most negligible

Pushing the RO Assumption to the Compression Function Level
[Figure: the MD6 compression function f again: constant words, key and auxdata prepended to the 64-word input, 1-1 map π, output chopped to 16 words.]

Pushing the RO Assumption to the Compression Function Level
View π as a random permutation
Prove f is indifferentiable from a FIL-RO (similar proof techniques)
f indifferentiable from a FIL-RO (viewing π as random) and MD6^f indifferentiable from a VIL-RO (viewing f as a FIL-RO)
⇒ MD6^f indifferentiable from a VIL-RO (viewing π as random)

Conclusion
Proved: indifferentiability of the MD6 mode of operation (viewing the compression function as a RO)
– The result is quite general and applies to many sensible tree modes (including other SHA-3 candidates and sequential modes)
Proved: indifferentiability of the MD6 compression function (viewing π as a random permutation)
Interpretation:
– The MD6 mode of operation has no structural weaknesses
– The MD6 mode of operation can be used as a RO (assuming a random permutation)