Perfectly-Crafted Swiss Army Knives in Theory

Transcription

1 Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG)

2 Hash Functions as a Universal Tool collision resistance (second) preimage resistance pseudorandom generator pseudorandom function key derivation Page 2

3 NIST s Request for Candidates besides standard security requirements candidates will be compared for security for source: Federal Register / Vol. 72, No. 212 / November 2 nd, 2007 Page 3

4 Another View on Swiss Army Knives collision resistance pseudorandom generator (second) preimage resistance and more pseudorandom function key derivation Page 4

5 Theme of the talk What are the properties my hash function should have? What are the non-standard properties needed in in standard applications? Page 5

6 Agenda Fiat-Shamir transformation OAEP HMAC and RMX Summary Page 6 Fiat-Shamir Transformation

7 Fiat-Shamir Transformation, 1986 Alice public: p; g; q and y hash function H Bob knows x 2 Z q s.t. y = g x mod p choose r à Z q compute R = g r mod p compute c = H (R; m) compute t=r cxmodq R c ( R, t) choose c à Z q check correctness Page 7 ) Fiat-Shamir Transformation

8 Security of the Fiat-Shamir Transformation Alice public: p; g; q and y hash function H Bob knows x 2 Z q s.t. y = g x mod p choose r à Z q compute R = g r mod p compute c = H (R; m) compute t=r cxmodq Pointcheval, Stern, 1996: Signature scheme is is existentially unforgeable under adaptive chosen message attacks (under DL DL assumption) in in random oracle model of of Bellare, Rogaway, ( R, t) check correctness Page 8 ) Fiat-Shamir Transformation

9 Insufficient Hash Function Properties Alice knows x 2 Z q s.t. y = g x mod p choose r à Z q compute R = g r mod p collision public: p; g; resistance q and y is is not not enough! hash function H Bob suppose 8 >< 00:::0 if R = 1 H(R;m) = and m = m 0 >: 1kH (R;m) else then then (1,0) (1,0) valid valid signature for for m 0 0 compute c = H (R; m) compute t=r cxmodq ( R, t) check correctness Page 9 ) Fiat-Shamir Transformation

10 Hash Function Properties for Fiat-Shamir sufficient properties for H to make Fiat-Shamir secure? Goldwasser-Tauman Kalai, 2003: no efficient hash function will do the job! Page 10 Fiat-Shamir Transformation

11 Idea of Impossibility Result of Goldwasser-Kalai Alice public: p; g; q and y Bob knows x 2 Z q s.t. y = g x mod p choose r à Z q compute R = g r mod p compute t=r cxmodq Page 11 R c t Com= commit to short program P (supposedly computing c from R and Com) or decommit to P to show that program does compute c choose c à Z q accept if R; c; t valid or P (R; Com) = c Fiat-Shamir Transformation

12 GK modification preserves interactive security Alice public: p; g; q and y Bob knows x 2 Z q s.t. y = g x mod p in in the the choose interactive r à Zprotocol: q compute R = g r mod p challenge c random, so so malicious Alice Alice cannot cannot really really use use alternative strategy to to compute make make Bob Bob accept accept t=r cxmodq Page 12 R c t Com= commit to short program P (supposedly computing c from R and Com) or decommit to P to show that program does compute c choose c à Z q accept if R; c; t valid or P (R; Com) = c Fiat-Shamir Transformation

13 and of Fiat-Shamir with Random Oracles Alice public: p; g; q and y hash function H Bob knows x 2 Z q s.t. y = g x mod p choose r à Z q compute R = g r mod p Com=commit to some program P in in the the random oracle oracle model: model: still still secure secure signature scheme computec= H(R;Com;m) compute t=r cxmodq ( R;Com, t ), Page 13 reveal P accept if R; c; t valid or P (R; Com) = c for c= H(R;Com;m) Fiat-Shamir Transformation

14 but not of Fiat-Shamir w/out Random Oracles! Alice pick message m pick arbitrary R; t public: p; g; q and y hash function SHA1 Com = commit to P( ; )= SHA1( ; ;m) instantiaton Bob with with efficiently computable function: malicious Alice Alice can can easily easily use use alternative strategy and and forge forge signatures ( R;Com, t ) + Page 14 ) decommit to SHA1( ; ;m) accept if R; c; t valid or P (R; Com) = c c= SHA1(R;Com;m) Fiat-Shamir Transformation

15 Properties for Special Fiat-Shamir Protocols? result by Goldwasser-Kalai for artificial protocol still some hope for common cases (DL, RSA, ) Page 15 Fiat-Shamir Transformation

16 Seed Incompressibility Halevi, Myers,Rackoff, 2008 compress(s) seed s example collision resistance: x i f s (x i ) output x 1 ;x 2 ;:::;f s (x 1 );f s (x 2 );::: satisfying some evasive relation f s ( ) seed incompressibility: Pr [ success ] 0 s= hashfunction description (key) compress(s) = collision x 1 6=x 2 s.t. jx 1 j+ jx 2 j< jsj relation = check x 1 6=x 2 and f s (x 1 )= f s (x 2 ) Page 16 Fiat-Shamir Transformation

17 Seed Incompressibility and Fiat-Shamir compress(s) x i f s (x i ) seed s f s ( ) s= hashfunction description (key) c= f s (pk;r) in protocol compress(s) = (pk; R; t ) s.t. j(pk;r;t)j < jsj output x 1 ;x 2 ;:::;f s (x 1 );f s (x 2 );::: satisfying some evasive relation Page 17 relation = parse x 1 =(pk;r),x 2 =t, c= f s (x 1 ), and check that Bob accepts(pk;r;c;t) Fiat-Shamir Transformation

18 Seed Incompressibility and GK Separation Alice pick message m pick arbitrary R; t public: p; g; q and y hash function SHA1 Com = commit to P( ; )= SHA1( ; ;m) Bob doesn t doesn t contradict Goldwasser-Kalai result: result: there, there, communication > s ( R;Com, t ) + Page 18 ) decommit to SHA1( ; ;m) accept if R; c; t valid or P (R; Com) = c c= SHA1(R;Com;m) Fiat-Shamir Transformation

19 Limitations of Seed Incompressibility only gives a non-interactive zero-knowledge argument, not proof of knowledge, as required for signatures can only be used once securely do seed incompressibility functions exist??? Page 19 Fiat-Shamir Transformation

20 Summary Fiat-Shamir Methodology no (efficient) hash function works for all protocols situation for common protocols (DL, RSA, ) unclear seed incompressibility nice property, maybe useful elsewhere Page 20 Fiat-Shamir Transformation

21 Agenda Fiat-Shamir transformation OAEP HMAC and RMX Summary Page 21 OAEP

22 OAEP Encryption (Bellare, Rogaway, 1994) m 0 k r ciphertext C of message m: G H pad message to m 0 k and pick random string r s t s = G(r) m 0 k t = H(s) r f f ( s t ) C = f ( s t ) Page 22 OAEP

23 OAEP Decryption m 0 k r m z=0 k r? G G H H s= G(r) m 0 k t=h(s) r s t f f ( s t ) f 1 f ( s t ) Page 23 OAEP

24 Security of OAEP history: [BR94] [S01] [FOPS01] Fujisaki, Okamoto, Pointcheval, Stern [FOPS01]: OAEP is IND-CCA2 secure if G, H are modeled as random oracles f partial one-way trapdoor permutation Page 24 OAEP

25 Partial One-Wayness m 0 k r s s f f G H lsb G(r) f t partial one-wayness: hard to recover parts of s t from f(s t) OAEP also IND-CCA2 if f only applied to s-part (f =g ID for trapdoor perm. g) f only to s-part, s w/o k least significant bits f ( s ) f ( f s () s lsb t ) G(r) t Page 25 OAEP

26 Necessary Properties for G and H? both should be good pseudorandom generators necessary for both: some kind of non-malleability (or, make assumptions about f) Boldyreva, F, 2005 Page 26 OAEP

27 Malleability: Idea Changing the container carefully adjusts the content properly. Page 27 OAEP

28 Malleability: Example y=g xx mod p y*=y g mod p x x*=x+1 mod q Page 28 OAEP

29 Non-Malleability non-malleability: having the container should not help to to produce related content some kind of animal (same success probability with or or w/o container) Page 29 OAEP

30 Non-Malleability of Hash Functions see Boldyreva, Cash, F, Warinschi y=h(x) chooses distribution transforms (1 st stage) adversary A y* x transforms (2 nd stage) x* such that y*=h(x*) and x x* satisfy some relation Page 30 OAEP

31 Non-Malleability of Hash Functions II transforms (1 st stage) non-malleability: y=h(x) for for any any A there is is S such that that Pr[A Pr[Awins] Pr[S y* Pr[Swins] simulator S chooses distribution outputs immediately transforms (2 nd stage) x x* such that y*=h(x*) and x x* satisfy some relation Page 31 OAEP

32 Non-malleability for G is necessary m 0 k r flip flip G H flip flip assume: f(x) = f(x ±) G(x) =G(x ± ) OAEP with xor-malleable f, G, ciphertext C=f(s t) of m s t flip bit in C, affecting only t f f ( s t ) yields valid C* for m* m Page 32 OAEP

33 Towards a sufficient condition for G Boldyreva, F, 2006 OAEP (for random oracle H) is IND-CCA2 if G is near-collision resistant pseudorandom generator f applied to s-part is one-way and t-part output in clear s t f f(s) t near-collision resistant pseudorandom generator G near-coll.resistant: if r r* then lsb k G(r) lsb k G(r*) Page 33 OAEP

34 Why near-collision resistance helps m 0 k r flip flip G flip flip recall attack if G xor-malleable (s*=s, distinct r* r) H near-collision resistance of G s lsb G(r) t bits in 0 k are flipped to 1 f derived ciphertext invalid f ( s ) t Page 34 OAEP

35 Towards a secure full instantiation m 0 k r G dependency problem: s = m 0 k G(r) input to H, H(s) masks r in t = H(s) r H idea 1: assume m random s s f f f ( s ) f ( s ) lsb G(r) lsb G(r) t t idea 2: output lsb k G(r) in clear, incorporate trapdoor, allowing to recover r (can be built from standard assumptions) Page 35 OAEP

36 Security of full instantiation full instantiation of OAEP is OW-CPA (one-way for random messages) if H non-malleable pseudorandom generator G near-coll. resistant trapdoor pseudorandom generator f applied to s-part only is one-way (and lsb G(r) and t output in clear) Bleichenbacher s attack on PKCS #1 v1.5 doesn t work Page 36 OAEP

37 Summary for OAEP non-malleability necessary for hash functions (for G special case near-collision resistance) partly also sufficient notion of non-malleability hard to check for designers ( for any adversary there is a simulator ) Page 37 OAEP

38 Summary for OAEP (cont) relaxed non-malleability notion: some non-trivial distribution y=h(x) Page 38 x outputs δ, Δ 0 and wins if y Δ = H(x δ) unfortunately: non-malleability of compression function non-malleability of hash function OAEP

39 Agenda Fiat-Shamir transformation OAEP HMAC and RMX Summary Page 39 HMAC and RMX

40 Bellare, Canetti, Krawczyk, 1996 HMAC and NMAC: Technically blocks of padded message given hash function H with compression function h m 1 m 2 m n h iter (k in,m 1 m n ) (also add padding) k in h h h = random for NMAC = h(iv,k ipad) for HMAC k out h = random for NMAC = h(iv,k opad) for HMAC NMAC(k in,k out, M) HMAC(k in,k out, M) What are the requirements on the compression function? Page 40 HMAC and RMX

41 Security without collision resistance (PRF) Bellare, 2006 m 1 m 2 m n k in h h h h NMAC(k in,k out, M) k out (PRF ) computational almost universal (cau) pseudorandom function (PRF) If h is cau and PRF, then NMAC is PRF Page 41 HMAC and RMX

42 Security without collision resistance (MAC) m 1 m 2 m n k in h h h h NMAC(k in,k out, M) k out (PRF ) computational almost universal (cau) (PRF ) privacy-prsrv. MAC (ppmac) If h is cau and ppmac, then NMAC is MAC Page 42 HMAC and RMX

43 NMAC: Assumptions and Implications assumption on h level of security publication wcr, PRF PRF [BCK96] wcr, MAC MAC [BCK96] cau, PRF PRF [B06] cau, ppmac MAC [B06] PRF = pseudorandom function wcr = weakly collision resistant MAC = message authentication code cau = computational almost universal (note: PRF MAC, ppmac, cau) ppmac = privacy-preserving MAC Page 43 HMAC and RMX

44 NMAC: Assumptions and Implications assumption on h level of security publication wcr, PRF PRF [BCK96] wcr, MAC MAC [BCK96] cau, PRF PRF [B06] cau, ppmac MAC [B06] non-malleable, unpredictable MAC [F08] PRF = pseudorandom function wcr = weakly collision resistant MAC = message authentication code cau = computational almost universal (note: PRF MAC, ppmac, cau) ppmac = privacy-preserving MAC Page 44 HMAC and RMX

45 Unpredictability of Compression Function 1. adversary B chooses y and m 1 m n 2. pick secret key k 3. B wins if y= h iter (k,m 1 m n ) unpredictability: Pr[B wins] 0 for for any B Page 45 HMAC and RMX

46 Non-Malleability + Unpredictability MAC M i t i key k in ;k out NMAC non-malleability: \containers\ t i do not help producing t output new M with valid tag t unpredictability: predicting NMAC from scratch infeasible Page 46 HMAC and RMX

47 Relationship of Notions (compression function) does not imply in general PRF implies implies does not imply in general ppmac non-malleable (for HMAC case) + unpredictable incomparable Page 47 HMAC and RMX

48 Weaker assumption interesting? compression function should be good PRF anyway hence, would also be non-malleable + unpredictable verifying simpler properties still useful: safety net property is advantage of hash function possibly easier to check Page 48 HMAC and RMX

49 Randomized Hashing and RMX Halevi, Krawczyk, 2006 idea: add random salt to hash in hash-and-sign schemes random salt r (fresh for each signing) message m H H r (m) sign signature (including r) goal: relax assumption about collision-resistance of H Page 49 HMAC and RMX

50 enhanced target collision resistance (etcr) M r H H r (M) H r* (M*) sign signature try to find M M* with H(M)=H(M*) collision-resistance infeasible try to find M, get r, find (M,r) (M*,r*) with H r (M)=H r* (M*) etcr infeasible Page 50 HMAC and RMX

51 RMX The hash function H r (m) = H (r, r m 1, r m 2,, r m n ) is etcr if compression function is one-way and chosen second-preimage resistant (c-spr). c-spr: infeasible to win the following game: receive random m find c,c*,m* such that (c,m) (c*,m*) and h(c,m)=h(c*,m*) Page 51 HMAC and RMX

52 Summary good compression function should be PRF and CR sufficient for HMAC and (randomized) hash-and-sign weaker requirements NM and c-spr still interesting Page 52 HMAC and RMX

53 Agenda Fiat-Shamir transformation OAEP HMAC and RMX Summary Page 53 Summary

54 Other Applications key derivation based on HMAC PRF-like assumption on compression function suffices Dodis et al., Crypto 2004 / Fouque et al. AsiaCCS 2008 FDH full domain hash (see next talk) and RSA-PSS Page 54 Summary

55 Other Applications (cont) client puzzles server picks random x server gives client y=h(x) as well as x except for 20 bits client should return x assumption: hard to even find those 20 bits faster than exhaustive search Page 55 source: Federal Register / Vol. 72, No. 212 / November 2 nd, 2007 Summary

56 Applications and Properties standard applications (like FIPS hash-and-sign) key derivation (SP A) SP (random bit generators) FIPS 198 (hash-based MACs) SP (randomized hashing) HMAC-PRF other PRFs OAEP Fiat-Shamir collision-resistance preimage resistance second preimage resistance PRF (compression function) PRG (hash function) etcr / c-spr PRF (hash function) non-malleability (compression f.) non-malleability (hash function) seed incompressiblity Page 56 Summary

57 What s left to do? design hash functions with all properties numerous theoretical questions still open, like: NM compression function NM hash function further applications of seed incompressibility practical design guidelines for theoretical requirements see c-spr, non-malleability, seed incompressibility Page 57 Summary

58 Thank You! Page 58 Summary