Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 (presentation transcript). Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen.


Slide 1: Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen

Slide 2: MD6 Hash Function
– One of the earliest announced SHA-3 candidates
– Presented by Rivest at CRYPTO ’08
– Mode of Operation MD6^f: variable input length (VIL), specified output length d
– Compression Function f: fixed input length (FIL), 4-1 compression

Slide 3: MD6 Compression Function f
[Figure: f = Chop ∘ Map ∘ Prepend. Prepend a 15-word constant and 8+2 words (key, auxdata) to the 64 data words, giving 89 words; Map the 89 words through the 1-1 map π; Chop the result to 16 words (= 64/4).]

Slide 4: MD6 Mode of Operation

Slide 5: [Figure: the MD6 tree of calls to f. Nodes are labelled (level, index), e.g. (1,9), (2,0), (2,1); leaf nodes may be partially filled or empty; the root node has z = 1 (the “root bit”) and its output is chopped to d bits.]

Slide 6: Analyzing Mode of Operation
General approach: if the compression function f is “secure”, then the mode of operation MD6^f is “secure”, e.g.
– f collision-resistant ⇒ MD6^f collision-resistant
– f preimage-resistant ⇒ MD6^f preimage-resistant
– f PRF ⇒ MD6^f PRF
Is this enough? (Crutchfield)

Slide 7: Random-Oracle-Like Behavior
– Random oracles (ROs) are used to prove security of signatures, CCA encryption, ZK, etc.
– RO in theory → hash function in practice. When is this secure?
– f is a FIL-RO ⇒ MD6^f is a VIL-RO?

Slide 8: Security Notion: Indistinguishability
– f and MD6^f are fixed public functions…
[Figure: D interacts with either MD6^f or a VIL-RO G and must decide which.]

Slide 9: Indifferentiability (Maurer et al. ’04)
– Variant notion of indistinguishability: D also has access to the inner component
– Indifferentiability: ∃ simulator S such that the left and right worlds are indistinguishable to any D
– Note: not a symmetric relationship
[Figure: left world, D interacts with MD6^C and the FIL-RO C; right world, D interacts with the VIL-RO G and the simulator S (which may query G). D must decide which world it is in.]

Slide 10: Indifferentiability
Theorem (Maurer et al.): if H is indifferentiable from a RO, then any cryptosystem proven secure with a RO remains secure when the RO is replaced by H.
How do we apply this to MD6?
– View f as a RO
– Prove MD6^f is indifferentiable from a RO
– Conclude that MD6^f may safely be plugged into applications that require a VIL-RO (viewing f as a RO)

Slide 11: Our Results and Interpretation
– Our result: MD6^RO is indifferentiable from a RO
– More generally: any* tree-based mode of operation using a FIL-RO is indifferentiable from a VIL-RO
What does this mean?
– The MD6 mode of operation is safe for use as a RO
– Gives confidence that the mode of operation is well-built
– Pushes the RO assumption one level down: from MD6 to f
– Can we push the RO assumption even further down? Stay tuned…

Slides 12–18: * Requirements of Mode of Operation
– Deterministic tree structure (with respect to calls to f)
– Unique parsing of f-inputs into: metadata, raw data, f-outputs
  · level > 0 (non-leaf): metadata, f-output 1, f-output 2, f-output 3, f-output 4
  · level = 0 (leaf): metadata, raw data
– Root predicate (in MD6: z = 1)
– Final output processing: regular, invertible* function (in MD6: chop to d bits)
– Message reconstructibility

Slide 19: Simulator
[Figure, as on slide 9: left world, D interacts with MD6^C and the FIL-RO C; right world, D interacts with the VIL-RO G and the simulator S. D must decide which world it is in.]

Slide 20: Simulator
On a query x:
– Previously seen? Repeat the answer.
– Non-root query (z = 0)? Random answer.
– Root query (z = 1)? Reconstruct M such that x is the final query. If not possible, random answer. Otherwise consult G on M and return a random answer consistent with G(M).
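The simulator of slide 20, as an added illustration that is not code from the paper or the MD6 specification: a toy binary tree mode over a lazily sampled FIL random oracle, and a simulator S that reconstructs M from a root query by following f-outputs back to the queries that produced them, then answers consistently with the VIL-RO G. The block sizes, the fixed-size metadata header (level, index, root bit z, message length), the all-zero “empty” sibling padding and the identity final output processing are constructed assumptions; MD6 itself is 4-ary and chops the root output to d bits.

```python
import random, struct
BLOCK, OUT = 4, 8             # constructed toy sizes: 4-byte leaf blocks, 8-byte f-outputs
HDR = struct.Struct("!BIBI")  # node metadata: level, index, root bit z, message length
EMPTY = b"\0" * OUT           # marker for an "empty" (absent) sibling node

def lazy_ro(seed):  # lazily sampled random oracle: a fresh random OUT-byte answer per new input
    rng, table = random.Random(seed), {}
    return lambda x: table.setdefault(x, rng.getrandbits(8 * OUT).to_bytes(OUT, "big"))

def tree_hash(f, msg):
    """Toy binary tree mode: leaves carry raw data, inner nodes two f-outputs, z = 1 only at root."""
    n = len(msg)
    blocks = [msg[i:i + BLOCK].ljust(BLOCK, b"\0") for i in range(0, max(n, 1), BLOCK)]
    level = 0
    while True:
        root = len(blocks) == 1
        outs = [f(HDR.pack(level, i, int(root), n) + b) for i, b in enumerate(blocks)]
        if root: return outs[0]                  # final output processing is the identity (no chop)
        outs += [EMPTY] * (len(outs) % 2)        # pad an odd level with an empty sibling
        blocks = [outs[i] + outs[i + 1] for i in range(0, len(outs), 2)]
        level += 1

class Simulator:  # S of slide 20: answers FIL-RO queries so honest evaluation agrees with VIL-RO G
    def __init__(self, G, seed):
        self.G, self.fresh, self.seen, self.by_out = G, lazy_ro(seed), {}, {}
    def reconstruct(self, x):
        """Reconstruct M such that x is its final (root) query, or None if that is impossible."""
        level, _, _, n = HDR.unpack_from(x)
        frontier = [x]
        while level > 0:                         # follow each f-output back to the query that made it
            kids = [c for q in frontier for c in (q[HDR.size:HDR.size + OUT], q[HDR.size + OUT:])
                    if c != EMPTY]
            if any(c not in self.by_out for c in kids): return None
            frontier, level = [self.by_out[c] for c in kids], level - 1
        msg = b"".join(q[HDR.size:] for q in frontier)[:n]
        try:                                     # honest re-evaluation over seen answers must end at x
            return msg if tree_hash(lambda q: x if q == x else self.seen[q], msg) == x else None
        except KeyError:
            return None

    def query(self, x):
        if x in self.seen: return self.seen[x]   # previously seen? repeat the answer
        z = HDR.unpack_from(x)[2] if len(x) >= HDR.size else 0
        msg = self.reconstruct(x) if z == 1 else None
        y = self.G(msg) if msg is not None else self.fresh(x)   # root: G(M); otherwise random
        self.seen[x], self.by_out[y] = y, x
        return y

def ideal_world_consistent(msg, seed=1):  # D evaluates the mode through S, then compares with G(msg)
    G = lazy_ro(seed)
    return tree_hash(Simulator(G, seed + 1).query, msg) == G(msg)
```

A root query whose children were never asked of S cannot be reconstructed and gets a fresh random answer, which is exactly the “if not possible, random answer” case.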

Slide 21: Proof Sketch
– Sequence of games to transform the “ideal” game (D interacts with G, S) into the “real” game (D interacts with MD6^C, C)
– Define 3 types of “bad” events (S-collisions and “lucky guesses” by D)
– If no bad event occurs, D’s view is identical in both games
– The probability of a bad event is negligible
– Therefore D’s distinguishing advantage is at most negligible

Slide 22: Pushing RO Assumption to Compression Function Level
[Figure, as on slide 3: f = Chop ∘ Map ∘ Prepend, with a 15-word constant and 8+2 words (key, auxdata) prepended to the 64 data words to give 89 words, the 1-1 map π applied, and the output chopped to 16 words.]

Slide 23: Pushing RO Assumption to Compression Function Level
– View π as a random permutation
– Prove f indifferentiable from a FIL-RO, using similar proof techniques
– f indifferentiable from FIL-RO (viewing π as random), and MD6^f indifferentiable from VIL-RO (viewing f as FIL-RO) ⇒ MD6^f indifferentiable from VIL-RO (viewing π as random)

Slide 24: Conclusion
– Proved: indifferentiability of the MD6 mode of operation (viewing the compression function as a RO)
– The result is quite general and applies to many sensible tree-based modes (including other SHA-3 candidates and sequential modes)
– Proved: indifferentiability of the MD6 compression function (viewing π as a random permutation)
– Interpretation: the MD6 mode of operation has no structural weaknesses; the MD6 mode of operation can be used as a RO (assuming a random permutation)

