Provable Security of BLAKE with Non-Ideal Compression Function

Size: px

Start display at page:

Download "Provable Security of BLAKE with Non-Ideal Compression Function"

Barbara Watts
5 years ago
Views:

1 Provable Security o BLAKE with No-Ideal Compressio Fuctio Elea Adreeva, Atul Luykx, ad Bart Meik (KU Leuve) Selected Areas i Cryptography Widsor, Caada August 17,

2 Prelimiaries BLAKE H : {0, 1} 2 {0, 1} {0, 1} H(s, M) = h SHA-3 alist HAIFA desig m 1,..., m k padded message blocks o 2 bits t 1,..., t k HAIFA-couter blocks o 4 bits s, m 1, t 1 s, m 2, t 2 s, m k, t k h 0 2, 2, 4 h 1 h h k 1 h k = h 2 13

3 Prelimiaries BLAKE : {0, 1} {0, 1} 2 {0, 1} 2 {0, 1} 4 {0, 1} (h i 1, s, m i, t i ) = h i Local wide-pipe desig uses E : {0, 1} 2 {0, 1} 2 {0, 1} 2 m i h i 1 s t l i t r i C 2 v i 2 2 E w i 2 s s h i 3 13

4 Prelimiaries State o the Art pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal BLAKE ollows HAIFA desig: preseccolidi security or ideal 4 13

5 Prelimiaries State o the Art pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal BLAKE ollows HAIFA desig: preseccolidi security or ideal lacks security aalysis 4 13

6 Prelimiaries State o the Art pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal BLAKE ollows HAIFA desig: preseccolidi security or ideal lacks security aalysis Aalysis o BLAKE's H ad with uderlyig E ideal 4 13

7 Prelimiaries Ideal Model Security: ColSecPre Resistace E, E 1 q queries adversary A Ideal cipher model: E : {0, 1} 2 {0, 1} 2 {0, 1} 2 A has query access to E 5 13

8 Prelimiaries Ideal Model Security: ColSecPre Resistace E, E 1 q queries adversary A distict (s, M), (s, M ) s.t. H(s, M) = H(s, M ) Ideal cipher model: E : {0, 1} 2 {0, 1} 2 {0, 1} 2 A has query access to E Adv col H (q) = max A success probability A (similar deitios i A attacks ) 5 13.

9 Prelimiaries Ideal Model Security: ColSecPre Resistace E, E 1 q queries (s, M ) {0, 1} λ adversary A Ideal cipher model: E : {0, 1} 2 {0, 1} 2 {0, 1} 2 A has query access to E Adv col H (q) = max A success probability A (similar deitios i A attacks ) 5 13.

10 Prelimiaries Ideal Model Security: ColSecPre Resistace E, E 1 q queries (s, M ) {0, 1} λ adversary A (s, M) (s, M ) s.t. H(s, M) = H(s, M ) Ideal cipher model: E : {0, 1} 2 {0, 1} 2 {0, 1} 2 A has query access to E Adv col H (q) = max A Adv esec[λ] H (q) = max A success probability A max (s,m ) {0,1} λ success probability A (similar deitios i A attacks ) 5 13.

11 Prelimiaries Ideal Model Security: ColSecPre Resistace E, E 1 q queries h {0, 1} (s, M) s.t. H(s, M) = h adversary A Ideal cipher model: E : {0, 1} 2 {0, 1} 2 {0, 1} 2 A has query access to E Adv col H (q) = max A Adv esec[λ] H Adv epre H (q) = max A (q) = max A success probability A max (s,m ) {0,1} max h {0,1} λ success probability A success probability A (similar deitios i A attacks ) 5 13.

12 Prelimiaries Ideal Model Security: Idieretiability Idieretiability o H rom a radom oracle H E is idieretiable rom RO i simulator S such that (H, E) ad (RO, S) idistiguishable (similar deitios i D attacks ) 6 13.

13 Prelimiaries Ideal Model Security: Idieretiability Idieretiability o H rom a radom oracle H E is idieretiable rom RO i simulator S such that (H, E) ad (RO, S) idistiguishable Extesio o idistiguishability: D may kow structure o H (similar deitios i D attacks ) 6 13.

14 Dieretiability o Dieretiability Attack m h s t l t r C 2 v 2 2 E w 2 s s y dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator (idepedetly oud by [Chag+11]) 7 13.

15 Dieretiability o Dieretiability Attack 2 2 E 2 2 dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries (idepedetly oud by [Chag+11]) 7 13.

16 Dieretiability o Dieretiability Attack m h 2 2 E dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries Real world D queries E 1 (m, 0) h (idepedetly oud by [Chag+11]) 7 13.

17 Dieretiability o Dieretiability Attack m h 2 2 E 0 2 y 2 dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries Real world D queries E 1 (m, 0) h D queries DM(h, m) y (idepedetly oud by [Chag+11]) 7 13.

18 Dieretiability o Dieretiability Attack m h 2 2 E 0 2 y 2 dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries Real world D queries E 1 (m, 0) h D queries DM(h, m) y h = y with probability 1 (idepedetly oud by [Chag+11]) 7 13.

19 Dieretiability o Dieretiability Attack m h 2 2 E 0 2 y 2 dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries Real world D queries E 1 (m, 0) h D queries DM(h, m) y h = y with probability 1 Simulated world D queries S 1 (m, 0) h D queries RO(h, m) y (idepedetly oud by [Chag+11]) 7 13.

20 Dieretiability o Dieretiability Attack m h 2 2 E 0 2 y 2 dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries Real world D queries E 1 (m, 0) h D queries DM(h, m) y h = y with probability 1 Simulated world D queries S 1 (m, 0) h D queries RO(h, m) y h = y with probability O(12 2 ) (idepedetly oud by [Chag+11]) 7 13.

21 Dieretiability o Dieretiability Attack m h s t l t r C 2 v 2 2 E w 2 s s y dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries (idepedetly oud by [Chag+11]) 7 13.

22 Dieretiability o Dieretiability Attack m h s t l t r C 2 v 2 2 E w 2 s s y dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries BLAKE's : duplicate couter prevets this attack S 1 -resposes o-compliat with duplicate couter are useless to D Ater 2 4 queries, this gets suspicious (idepedetly oud by [Chag+11]) 7 13.

23 Dieretiability o Dieretiability Attack m h s t l t r C 2 v 2 2 E w 2 s s y dieretiable rom RO i 2 4 queries Dieretiability: costruct a distiguisher that tricks ay simulator Davies-Meyer dieretiable i 2 queries BLAKE's : duplicate couter prevets this attack S 1 -resposes o-compliat with duplicate couter are useless to D Ater 2 4 queries, this gets suspicious Ivalidates assumptio ideal (idepedetly oud by [Chag+11]) 7 13.

24 Dieretiability o State o the Art, ctd. pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal 8 13

25 Dieretiability o State o the Art, ctd. pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal Dieretiability attack o pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal 8 13

26 Security o BLAKE Preimage ad Collisio Resistace o BLAKE m h s t l t r C 2 v 2 2 E w 2 s s y Adv epre H BLAKE preserves epre (q) Advepre (q) = O(q2 ) 9 13

27 Security o BLAKE Preimage ad Collisio Resistace o BLAKE m h s t l t r C 2 v 2 2 E w 2 s s y Adv epre H (q) Advepre (q) = O(q2 ) BLAKE preserves epre Let y {0, 1} be target image A makes q queries 9 13

28 Security o BLAKE Preimage ad Collisio Resistace o BLAKE m h s t l t r C 2 v 2 2 E w 2 s s y Adv epre H (q) Advepre (q) = O(q2 ) BLAKE preserves epre Let y {0, 1} be target image A makes q queries Ay E-query (m, v, w): preimage i w l w r h (s s) = y 9 13

29 Security o BLAKE Preimage ad Collisio Resistace o BLAKE m h s t l t r C 2 v 2 2 E w 2 s s y Adv epre H (q) Advepre (q) = O(q2 ) BLAKE preserves epre Let y {0, 1} be target image A makes q queries Ay E-query (m, v, w): preimage i w l w r h (s s) = y Forward query: with probability O(12 ) 9 13

30 Security o BLAKE Preimage ad Collisio Resistace o BLAKE m h s t l t r C 2 v 2 2 E w 2 s s y Adv epre H (q) Advepre (q) = O(q2 ) BLAKE preserves epre Let y {0, 1} be target image A makes q queries Ay E-query (m, v, w): preimage i w l w r h (s s) = y Forward query: with probability O(12 ) Iverse query: with probability O(12 ) 9 13

31 Security o BLAKE Preimage ad Collisio Resistace o BLAKE m h s t l t r C 2 v 2 2 E w 2 s s y Adv epre H (q) Advepre (q) = O(q2 ) BLAKE preserves epre Let y {0, 1} be target image A makes q queries Ay E-query (m, v, w): preimage i w l w r h (s s) = y Forward query: with probability O(12 ) Iverse query: with probability O(12 ) Similarly, Adv col H (q) Advcol (q) = O(q2 2 ) 9 13

32 Security o BLAKE Secod Preimage Resistace o BLAKE s, m 1, t 1 s, m l, t l s, m1, t1 s, mk, tk h0 2, 2, 4 h h l 1 h l h0 2, 2, 4 h hk 1 hk esec ot preserved: Adv esec[λ] H Adv esec[λ] H (q) = O(q2 ) (q) Adv esec[λ] (q)! 10 13

33 Security o BLAKE Secod Preimage Resistace o BLAKE s, m 1, t 1 s, m l, t l s, m1, t1 s, mk, tk h0 2, 2, 4 h h l 1 h l h0 2, 2, 4 h hk 1 hk esec ot preserved: Adv esec[λ] H Adv esec[λ] H (q) = O(q2 ) (q) Adv esec[λ] (q)! Let (s, M ) be target preimage ad (s, M) respose by A 10 13

34 Security o BLAKE Secod Preimage Resistace o BLAKE s, m 1, t 1 s, m l, t l s, m1, t1 s, mk, tk h0 2, 2, 4 h h l 1 h l h0 2, 2, 4 h hk 1 hk esec ot preserved: Adv esec[λ] H Adv esec[λ] H (q) = O(q2 ) (q) Adv esec[λ] (q)! Let (s, M ) be target preimage ad (s, M) respose by A -coll (h i 1, s, m i, t i ) {h 1,..., h l } Ay E-query: -coll with probability O(l2 ) 10 13

35 Security o BLAKE Secod Preimage Resistace o BLAKE s, m 1, t 1 s, m l, t l s, m1, t1 s, mk, tk h0 2, 2, 4 h h l 1 h l h0 2, 2, 4 h hk 1 hk esec ot preserved: Adv esec[λ] H Adv esec[λ] H (q) = O(q2 ) (q) Adv esec[λ] (q)! Let (s, M ) be target preimage ad (s, M) respose by A -coll (h i 1, s, m i, t i ) {h 1,..., h l } Ay E-query: -coll with probability O(l2 ) BLAKE achieves better secod preimage resistace! t i xes particular target state value rom {h 1,..., h l } 10 13

36 Security o BLAKE Secod Preimage Resistace o BLAKE s, m 1, t 1 s, m l, t l s, m1, t1 s, mk, tk h0 2, 2, 4 h h l 1 h l h0 2, 2, 4 h hk 1 hk esec ot preserved: Adv esec[λ] H Adv esec[λ] H (q) = O(q2 ) (q) Adv esec[λ] (q)! Let (s, M ) be target preimage ad (s, M) respose by A -coll (h i 1, s, m i, t i ) {h 1,..., h l } Ay E-query: -coll with probability O(l2 ) BLAKE achieves better secod preimage resistace! t i xes particular target state value rom {h 1,..., h l } Ay E-query: -coll with probability O(12 ) 10 13

37 Security o BLAKE Idieretiability o BLAKE s, m 1, t 1 s, m 2, t 2 s, m k, t k h 0 2, 2, 4 h 1 h h k 1 h k = h Adv idi H (D) = O((Kq) 2 2 ) (where D makes at most q queries o legth at most K blocks) We restore old idieretiability boud o BLAKE i ICM High-level proo idea S maitais graph: edges correspod to -evaluatios Complete paths should be i correspodece with RO Techical details i paper (idepedetly oud by [Chag+11])

38 Coclusios Coclusios pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal 12 13

39 Coclusios Coclusios pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal Dieretiability attack o pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal 12 13

40 Coclusios Coclusios pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal Dieretiability attack o pre sec col pre H sec H col H idi H ideal ideal ideal ideal ideal ideal Fix i ideal cipher model pre sec col pre H sec H col H idi H E ideal E ideal E ideal E ideal E ideal E ideal 12 13

41 Coclusios Compariso o SHA-3 Fialists [AMPS12] l m pre sec col idi assumptio BLAKE E ideal Grøstl L P, Q ideal JH P ideal Keccak P ideal Skei E ideal NIST's requiremets L l m pre sec col idi assumptio BLAKE E ideal Grøstl L P, Q ideal JH P ideal Keccak P ideal Skei E ideal NIST's requiremets L

42 Supportig Slides Supportig Slides SUPPORTING SLIDES 14 13

43 Supportig Slides Idieretiability o BLAKE s, m 1, t 1 s, m 2, t 2 s, m k, t k h 0 2, 2, 4 h 1 h h k 1 h k = h Adv idi H (D) = O((Kq) 2 2 ) (where D makes at most q queries o legth at most K blocks) Idieretiability: costruct a simulator that tricks ay distiguisher S maitais graph: edges correspod to -evaluatios Ay S-query dees at most oe edge h s m t h s m 1 t 1 Complete path: h 0 h 1 s m k t k hk or correctly padded (m 1,..., m k ), (t 1,..., t k ) 15 13

44 Supportig Slides Idieretiability o BLAKE Forward Query S(m, v) i ew query creates complete path the (ew query likely results i at most 1 complete path) geerate w i accordace with RO else geerate w uiormly at radom ed i add ew edge to graph Iverse Query S 1 (m, w) (ew query likely results i o complete path) geerate v uiormly at radom add ew edge to graph 16 13

Hash Functions Based on Three Permutations: A Generic Security Analysis

Hash Functions Based on Three Permutations: A Generic Security Analysis Hash Fuctios Based o Three Permutatios: A Geeric Security Aalysis Bart Meik ad Bart Preeel KU Leuve CRYPTO 2012 August 21, 2012 1 / 18 Motivatio Hash fuctios based o block ciphers Davies-Meyer '84, PGV