Provable Chosen-Target-Forced-Midx Preimage Resistance
|
|
- Quentin Barrett
- 6 years ago
- Views:
Transcription
1 Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, / 15
2 Introduction Hash Functions 2 / 15
3 Introduction Hash Functions Merkle-Damgård Hash Function Design (MD): 2 / 15
4 Introduction Hash Functions Merkle-Damgård Hash Function Design (MD): M injectively padded: M M 1 M k = M 1 0 M 1 mod m M m 2 / 15
5 Introduction Hash Functions Merkle-Damgård Hash Function Design (MD): M injectively padded: M M 1 M k = M 1 0 M 1 mod m M m M i compressed iteratively using f : {0, 1} n+m {0, 1} n 2 / 15
6 Introduction Hash Function Security Requirements Preimage resistance Second preimage resistance Collision resistance 3 / 15
7 Introduction Hash Function Security Requirements Preimage resistance Second preimage resistance Collision resistance Multicollision resistance Security against length extension attack Chosen-target-forced-prex preimage resistance... 3 / 15
8 Introduction Hash Function Security Requirements Preimage resistance Second preimage resistance Collision resistance Multicollision resistance Security against length extension attack Chosen-target-forced-prex preimage resistance... Chosen-target-forced-prex (CTFP) preimage resistance (security against herding attack) Choose y, given P, nd R such that H(P R) = y Applications: predicting elections, sports games, etc. Ideally, CTFP attack requires 2 n work 3 / 15
9 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 Phase 1 4 / 15
10 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 Phase 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 4 / 15
11 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 4 / 15
12 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 4 / 15
13 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y 4 / 15
14 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y 4 / 15
15 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y 4 / 15
16 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y attack L = M complexity (f -calls) herding O(n) blocks n2 2n/3 4 / 15
17 Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y attack L = M complexity (f -calls) herding elongated herding (0 r n/2) O(n) blocks O(n + 2 r ) blocks n2 2n/3 n2 2n/3 /2 r/3 4 / 15
18 Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15
19 Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15
20 Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15
21 Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15
22 Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15
23 Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15
24 Introduction Our Contributions 6 / 15
25 Introduction Our Contributions Chosen-target-forced-midx (CTFM) preimage resistance Formalize and generalize security against herding Notion particularly covers all known attacks 6 / 15
26 Introduction Our Contributions Chosen-target-forced-midx (CTFM) preimage resistance Formalize and generalize security against herding Notion particularly covers all known attacks CTFM security bound for MD We formally prove security of MD Analysis directly applies to other hash functions 6 / 15
27 Introduction Our Contributions Chosen-target-forced-midx (CTFM) preimage resistance Formalize and generalize security against herding Notion particularly covers all known attacks CTFM security bound for MD We formally prove security of MD Analysis directly applies to other hash functions Existence of optimally CTFM secure hash functions? No optimally secure narrow-pipe design known 6 / 15
28 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) 7 / 15
29 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n 7 / 15
30 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f 7 / 15
31 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y 7 / 15
32 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p 7 / 15
33 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p R 7 / 15
34 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R 7 / 15
35 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R A wins if H f (g(p, R)) = y and rng(g) 2 Lm 7 / 15
36 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R A wins if H f (g(p, R)) = y and rng(g) 2 Lm Adv ctfm H (q): success probability of any adversary making q queries 7 / 15
37 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R A wins if H f (g(p, R)) = y and rng(g) 2 Lm Adv ctfm H (q): success probability of any adversary making q queries In remainder, g(p, R 1 R 2 ) = R 1 P R 2, where R 1, R 2 of arbitrary length 7 / 15
38 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security Herding attack for MD g(p, R 2 ) = P R 2 R1 is empty string P is prex 8 / 15
39 Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security Herding attack for MD g(p, R 2 ) = P R 2 R1 is empty string P is prex Herding attack for zipper g(p, R 1 ) = R 1 P R2 is empty string P is sux 8 / 15
40 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) 9 / 15
41 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: Adv ctfm (L 1)tq MD (q) + m2 p/m q + 2 n 2 p ( ) q 2 t e + q3 t2 n 2 2n 9 / 15
42 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) Adv ctfm (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{} 2n E 0 E 1 E 2 9 / 15
43 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm 9 / 15
44 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm t: tradeo between rst and third term 9 / 15
45 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm t: tradeo between rst and third term p dominates second term: E 0 covers event A guesses P 9 / 15
46 CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm t: tradeo between rst and third term p dominates second term: E 0 covers event A guesses P L dominates rst term: larger L gives higher success probability 9 / 15
47 CTFM Security of MD Implications Corollary Let p be large enough (see paper). For any ε > 0: ( lim n Advctfm MD 2 2n/3 /L 1/3 2 -nε) = 0 10 / 15
48 CTFM Security of MD Implications Corollary Let p be large enough (see paper). For any ε > 0: ( lim n Advctfm MD 2 2n/3 /L 1/3 2 -nε) = 0 Implies (asymptotic) optimality of Original attack of Kelsey & Kohno Almost all attacks of Gauravaram et al. and Andreeva et al. Analysis can easily be generalized to other hash functions, such as MD with prex-free or sux-free padding Enveloped MD MD with permutation HAIFA 10 / 15
49 CTFM Security of MD Proof Idea Attack consists of two phases: First phase: A queries f and decides on y A receives random challenge P Second phase: A queries f and outputs g, R s.t. H f (g(p, R)) = y Graph: f (h i 1, M i ) = h i corresponds to arc h i 1 M i h i x at distance k from y: there exists a path x y of length k 11 / 15
50 CTFM Security of MD Proof Idea Attack consists of two phases: First phase: A queries f and decides on y A receives random challenge P Second phase: A queries f and outputs g, R s.t. H f (g(p, R)) = y Graph: f (h i 1, M i ) = h i corresponds to arc h i 1 M i h i x at distance k from y: there exists a path x y of length k A wins if: E 0 E 1 E 2 He guesses P in the rst phase For some node y and k {0,..., L}: graph contains more than t elements at distance k from y Graph contains 3-way collision succ E i Adversary nds CTFM preimage given E i 11 / 15
51 Optimally CTFM Secure Hash Functions Optimally CTFM Secure Hash Functions 12 / 15
52 Optimally CTFM Secure Hash Functions Optimally CTFM Secure Hash Functions Wide-pipe Wide-piping renders optimal CTFM security (trivial) 12 / 15
53 Optimally CTFM Secure Hash Functions Optimally CTFM Secure Hash Functions Wide-pipe Wide-piping renders optimal CTFM security (trivial) Narrow-pipe No optimally CTFM secure narrow-pipe hash function known We consider two possible directions: Salting Message modication: MD with more sophisticated padding 12 / 15
54 Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y 13 / 15
55 Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S 13 / 15
56 Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S Variant 3: $ S {0, 1} s y A f P $ {0, 1} p g, R Variant 4: y A f P $ {0, 1} p S $ {0, 1} s g, R 13 / 15
57 Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S Variant 3: $ S {0, 1} s y A f P $ {0, 1} p g, R Variant 4: y A f P $ {0, 1} p S $ {0, 1} s g, R Variant 1, 2, 3 : A knows salt, so Adv sctfm H (A) = Adv ctfm (A) H 13 / 15
58 Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S Variant 3: $ S {0, 1} s y A f P $ {0, 1} p g, R Variant 4: y A f P $ {0, 1} p S $ {0, 1} s g, R Variant 1, 2, 3 : A knows salt, so Adv sctfm H (A) = Adv ctfm H (A) Variant 4 : A commits to y without knowing hash function instance 13 / 15
59 Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other 14 / 15
60 Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other Idea: create dependence among message blocks 14 / 15
61 Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other Idea: create dependence among message blocks 14 / 15
62 Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other Idea: create dependence among message blocks We describe attack for this and similar hash functions Same complexity as original herding attack (up to constant) Optimal due to our security bound 14 / 15
63 Conclusions Conclusions Chosen-target-forced-midx preimage resistance 15 / 15
64 Conclusions Conclusions Chosen-target-forced-midx preimage resistance Security notion 15 / 15
65 Conclusions Conclusions Chosen-target-forced-midx preimage resistance Security notion Introduced proof methodology Optimality of herding attack 15 / 15
66 Conclusions Conclusions Chosen-target-forced-midx preimage resistance Security notion Introduced proof methodology Optimality of herding attack Optimal (2 n ) security??? Open problem 15 / 15
67 Supporting Slides Supporting Slides SUPPORTING SLIDES!!! 16 / 15
68 Supporting Slides Detailed Proof Idea (1) E 0 E 2 : A guesses P By E 2 : graph contains at most m2 p/m q strings of length p Any such path equals P with probability at most 1/2 p Pr (E 0 E 2 ) m2 p/m q 2 p 17 / 15
69 Supporting Slides Detailed Proof Idea (1) E 0 E 2 : A guesses P By E 2 : graph contains at most m2 p/m q strings of length p Any such path equals P with probability at most 1/2 p Pr (E 0 E 2 ) m2 p/m q 2 p E 1 E 2 : > t elements at distance k from y By E 2 : only 2-way collisions One can show: graph must contain t 2-way collisions ( ) q ( q ) ( ) t q 2 t e Pr (E 1 E 2 ) t 2 n t2 n 17 / 15
70 Supporting Slides Detailed Proof Idea (2) E 2 : 3-way collision Pr (E 2 ) q3 2 2n 18 / 15
71 Supporting Slides Detailed Proof Idea (2) E 2 : 3-way collision Pr (E 2 ) q3 2 2n succ E i : CTFM preimage Forged message of length at most L blocks A needs at least one query to hit any of the L 1 closest layers to y By E 1 : at most t nodes per layer Pr (suc A (q 2 ) E 0 E 1 ) (L 1)tq 2 n 18 / 15
Provable Chosen-Target-Forced-Midfix Preimage Resistance
Provable Chosen-Target-Forced-Midfix Preimage Resistance Elena Andreeva and Bart Mennink Dept. Electrical Engineering, ESAT/COSIC and IBBT Katholieke Universiteit Leuven, Belgium {elena.andreeva, bart.mennink}@esat.kuleuven.be
More informationProvable Seconde Preimage Resistance Revisited
Provable Seconde Preimage Resistance Revisited Charles Bouillaguet 1 Bastien Vayssiere 2 1 LIFL University o Lille, France 2 PRISM University o Versailles, France SAC 2013 1 / 29 Cryptographic Hash Functions
More informationOn the Complexity of the Herding Attack and Some Related Attacks on Hash Functions
On the Complexity of the Herding Attack and Some Related Attacks on Hash Functions Simon R. Blackburn Department of Mathematics, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom
More informationAn introduction to Hash functions
An introduction to Hash functions Anna Rimoldi eriscs - Universitée de la Méditerranée, Marseille Secondo Workshop di Crittografia BunnyTN 2011 A. Rimoldi (eriscs) Hash function 12 September 2011 1 / 27
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationFunctional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners
Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners Zhenzhen Bao 1,2, Lei Wang 1,3, Jian Guo 2, and Dawu Gu 1 1 Shanghai Jiao Tong University, Shanghai, China 2 Nanyang Technological
More informationSecurity Properties of Domain Extenders for Cryptographic Hash Functions
Security Properties of Domain Extenders for Cryptographic Hash Functions Elena Andreeva, Bart Mennink, and Bart Preneel Abstract Cryptographic hash functions reduce inputs of arbitrary or very large length
More informationSponge Functions. 1 Introduction. Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1
Sponge Functions Guido Bertoni 1, Joan Daemen 1, Michaël Peeters 2, and Gilles Van Assche 1 gro.noekeon@noekeon.org 1 STMicroelectronics 2 NXP Semiconductors Abstract. A good cryptographic hash function
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationLecture 14: Cryptographic Hash Functions
CSE 599b: Cryptography (Winter 2006) Lecture 14: Cryptographic Hash Functions 17 February 2006 Lecturer: Paul Beame Scribe: Paul Beame 1 Hash Function Properties A hash function family H = {H K } K K is
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Authenticated Encryption Syntax Syntax: Enc: K M à C Dec: K C à M { } Correctness: For all k K, m M, Dec(k, Enc(k,m) ) = m Unforgeability
More informationHigher Order Universal One-Way Hash Functions
Higher Order Universal One-Way Hash Functions Deukjo Hong 1, Bart Preneel 2, and Sangjin Lee 1 1 Center for Information Security Technologies(CIST), Korea University, Seoul, Korea {hongdj,sangjin}@cist.korea.ac.kr
More informationKnown and Chosen Key Differential Distinguishers for Block Ciphers
1/19 Known and Chosen Key Differential Distinguishers for Block Ciphers Josef Pieprzyk joint work with Ivica Nikolić, Przemys law Soko lowski, and Ron Steinfeld ASK 2011, August 29-31, 2011 2/19 Outline
More informationIntroduction to Cryptography
B504 / I538: Introduction to Cryptography Spring 2017 Lecture 12 Recall: MAC existential forgery game 1 n Challenger (C) k Gen(1 n ) Forger (A) 1 n m 1 m 1 M {m} t 1 MAC k (m 1 ) t 1 m 2 m 2 M {m} t 2
More informationOn the Security of Hash Functions Employing Blockcipher Post-processing
On the Security of Hash Functions Employing Blockcipher Post-processing Donghoon Chang 1, Mridul Nandi 2, Moti Yung 3 1 National Institute of Standards and Technology (NIST), USA 2 C R Rao AIMSCS, Hyderabad,
More informationProblem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed
Problem 1 n bits k zero bits IV Block Block Block Block removed January 27, 2011 Practical Aspects of Modern Cryptography 2 Problem 1 IV Inverse Inverse Inverse Inverse Missing bits January 27, 2011 Practical
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationSecurity Analysis and Comparison of the SHA-3 Finalists BLAKE, Grøstl, JH, Keccak, and Skein
Security Analysis and Comparison of the SA-3 Finalists BLAKE, Grøstl, J, Keccak, and Skein Elena Andreeva, Bart Mennink, Bart Preneel and Marjan Škrobot Dept. Electrical Engineering, ESAT/COSIC and IBBT
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationSome Attacks on Merkle-Damgård Hashes
Overview Some Attacks on Merkle-Damgård Hashes John Kelsey, NIST and KU Leuven May 8, 2018 m 0 m 1 m 2 m 3 10*L h 0 h 1 h 2 h final Introduction 1 / 63 Overview Cryptographic Hash unctions Thinking About
More informationCollapsing sponges: Post-quantum security of the sponge construction
Collapsing sponges: Post-quantum security of the sponge construction Dominique Unruh University of Tartu March 27, 2017 Abstract We investigate the post-quantum security of hash functions based on the
More information3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function
3C - A Provably Secure Pseudorandom Function and Message Authentication Code. A New mode of operation for Cryptographic Hash Function Praveen Gauravaram 1, William Millan 1, Juanma Gonzalez Neito 1, Edward
More informationOn the Collision and Preimage Security of MDC-4 in the Ideal Cipher Model
On the ollision and Preimage Security o in the Ideal ipher Model art Mennink Dept. Electrical Engineering, EST/OSI and IT Katholieke Universiteit Leuven, elgium bart.mennink@esat.kuleuven.be bstract. We
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationProvable Security in Symmetric Key Cryptography
Provable Security in Symmetric Key Cryptography Jooyoung Lee Faculty of Mathematics and Statistics, Sejong University July 5, 2012 Outline 1. Security Proof of Blockcipher-based Hash Functions K i E X
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Davies-Meyer Hashes in Practice Hash
More informationDomain Extension of Public Random Functions: Beyond the Birthday Barrier
Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract
More informationFunctional Graphs and Their Applications in Generic Attacks on Iterated Hash Constructions
Functional Graphs and Their Applications in Generic Attacks on Iterated Hash Constructions Zhenzhen Bao 1, Jian Guo 1 and Lei Wang 2,3 1 School of Physical and Mathematical Sciences, Nanyang Technological
More informationImproved Collision and Preimage Resistance Bounds on PGV Schemes
Improved Collision and Preimage Resistance Bounds on PGV Schemes Lei Duo 1 and Chao Li 1 Department of Science, National University of Defense Technology, Changsha, China Duoduolei@gmail.com Department
More informationAttacks on hash functions. Birthday attacks and Multicollisions
Attacks on hash functions Birthday attacks and Multicollisions Birthday Attack Basics In a group of 23 people, the probability that there are at least two persons on the same day in the same month is greater
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1, Jérémy Jean 1, Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationProvable Second Preimage Resistance Revisited
Provable Second Preimage Resistance Revisited Charles Bouillaguet 1(B) and Bastien Vayssière 2 1 LIFL, Université Lille-1, Lille, France charles.bouillaguet@lifl.fr 2 PRISM Lab, Université de Versailles/Saint-Quentin-en-Yvelines,
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More information2: Iterated Cryptographic Hash Functions
2: Iterated ryptographic Hash Functions we want hash function H : ({0, 1} n ) {0, 1} n of potentially infinite input size instead we have compression function F : {0, 1} m {0, 1} n {0, 1} n and define
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationOn the Security of Hash Functions Employing Blockcipher Postprocessing
On the Security of Hash Functions mploying Blockcipher Postprocessing Donghoon Chang 1, Mridul Nandi 2, and Moti Yung 3 1 National Institute of Standards and Technology, USA pointchang@gmail.com 2 C R
More informationOn High-Rate Cryptographic Compression Functions
On High-Rate Cryptographic Compression Functions Richard Ostertág and Martin Stanek Department o Computer Science Faculty o Mathematics, Physics and Inormatics Comenius University Mlynská dolina, 842 48
More informationSolution of Exercise Sheet 7
saarland Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University university computer science Solution of Exercise Sheet 7 1 Variants of Modes of Operation Let (K,
More informationLinearization and Message Modification Techniques for Hash Function Cryptanalysis
Linearization and Message Modification Techniques for Hash Function Cryptanalysis Jian Guo Institute for Infocomm Research, Singapore. ASK 2011, 30 August 2011 Jian Guo Linearization and Message Modification
More informationAvoiding collisions Cryptographic hash functions. Table of contents
Avoiding collisions Cryptographic hash functions Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Collision resistance Birthday attacks
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationThe Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function
The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function Jian Guo 1,Jérémy Jean 1(B),Gaëtan Leurent 2, Thomas Peyrin 1, and Lei Wang 1 1 Division of Mathematical
More informationH Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.
Definition - hash function Cryptographic Hash Functions - Introduction Lars R. Knudsen April 21, 2008 Located in the southernmost part of Europe with an artic climate, Hotel Finse 1222 provides the perfect
More informationNew Preimage Attack on MDC-4
New Preimage Attack on MDC-4 Deukjo Hong and Daesung Kwon Abstract In this paper, we provide some cryptanalytic results for double-blocklength (DBL) hash modes of block ciphers, MDC-4. Our preimage attacks
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationIndifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier
Indifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier Dustin Moody NIST, USA dustin.moody@nist.gov Souradyuti Paul NIST, USA, KULeuven, Belgium souradyuti.paul@nist.gov
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationSecurity of Permutation-based Compression Function lp231
Security of Permutation-based Compression Function lp231 Jooyoung Lee 1 and Daesung Kwon 2 1 Sejong University, Seoul, Korea, jlee05@sejong.ac.kr 2 The Attached Institute of Electronics and Telecommunications
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationA (Second) Preimage Attack on the GOST Hash Function
A (Second) Preimage Attack on the GOST Hash Function Florian Mendel, Norbert Pramstaller, and Christian Rechberger Institute for Applied Information Processing and Communications (IAIK), Graz University
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationDomain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration
Domain Extender for Collision Resistant Hash Functions: Improving Upon Merkle-Damgård Iteration Palash Sarkar Cryptology Research Group Applied Statistics Unit Indian Statistical Institute 203, B.T. Road,
More informationOptimal Collision Security in Double Block Length Hashing with Single Length Key
Optimal Collision Security in Double Block Length Hashing with Single Length Key Bart Mennink Dept. Electrical Engineering, EST/COSIC, KU Leuven, and IBBT, Belgium bart.mennink@esat.kuleuven.be bstract.
More informationIntroduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication
Common Usage of MACs for message authentication Introduction to Cryptography k Alice α m, MAC k (m) Isα= MAC k (m)? Bob k Lecture 5 Benny Pinkas k Alice m, MAC k (m) m,α Got you! α MAC k (m )! Bob k Eve
More informationXMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions
XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions Johannes Buchmann and Andreas Hülsing {buchmann,huelsing}@cdc.informatik.tu-darmstadt.de Cryptography and Computeralgebra
More informationKey words: collision resistance, cryptographic hash functions, preimage resistance, provable security, second-preimage resistance.
Cryptographic ash-function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance Phillip Rogaway 1 and Thomas Shrimpton 2 1 Dept.
More informationSome Plausible Constructions of Double-Block-Length Hash Functions
Some Plausible Constructions of Double-Block-Length Hash Functions Shoichi Hirose Faculty of Engineering, The University of Fukui, Fukui 910-8507 Japan hirose@fuee.fukui-u.ac.jp Abstract. In this article,
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationConstruction of universal one-way hash functions: Tree hashing revisited
Discrete Applied Mathematics 155 (2007) 2174 2180 www.elsevier.com/locate/dam Note Construction of universal one-way hash functions: Tree hashing revisited Palash Sarkar Applied Statistics Unit, Indian
More informationCryptographic Hashes. Yan Huang. Credits: David Evans, CS588
Cryptographic Hashes Yan Huang Credits: David Evans, CS588 Recap: CPA 1. k KeyGen(1 n ). b {0,1}. Give Enc(k, ) to A. 2. A chooses as many plaintexts as he wants, and receives the corresponding ciphertexts
More informationBuilding Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions
Building Quantum-One-Way Functions from Block Ciphers: Davies-Meyer and Merkle-Damgård Constructions Akinori Hosoyamada and Kan Yasuda NTT Secure Platform Laboratories, 3-9-, Midori-cho Musashino-shi,
More informationImproved Generic Attacks Against Hash-based MACs and HAIFA
Improved Generic Attacks Against Hash-based MACs and HAIFA Itai Dinur 1 and Gaëtan Leurent 2 1 Département d Informatique, École Normale Supérieure, Paris, France Itai.Dinur@ens.fr 2 Inria, EPI SECRET,
More informationA New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost
A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost Mihir Bellare University of California, San Diego Daniele Micciancio Laboratory for Computer Science Massachusetts Institute of
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationMulticollision Attacks on a Class of Hash Functions
Multicollision Attacks on a Class of Hash Functions M. Nandi Applied Statistics Unit Indian Statistical Institute Calcutta, India mridul r@isical.ac.in D. R. Stinson School of Computer Science University
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationSecond Preimage Attacks on Dithered Hash Functions
Second Preimage Attacks on Dithered Hash Functions Charles Bouillaguet 1, Pierre-Alain Fouque 1, Adi Shamir 1,2, and Sebastien Zimmer 1 1 École normale supérieure Département d Informatique 45, rue d Ulm
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i s from any key k K. A block
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationA Sufficient Condition for Optimal Domain Extension of UOWHFs
A Sufficient Condition for Optimal Domain Extension of UOWHFs Mridul Nandi Applied Statistics Unit, Indian Statistical Institute mridul r@isical.ac.in Abstract. In this paper we will provide a non-trivial
More informationUnderstanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.
Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 11 Hash Functions ver. October 29, 2009 These slides were prepared by
More informationImproved indifferentiability security analysis of chopmd Hash Function
Improved indifferentiability security analysis of chopmd Hash Function Donghoon Chang 1 and Mridul Nandi 2 1 Center for Information Security Technologies (CIST) Korea University, Seoul, Korea dhchang@cist.korea.ac.kr
More informationProvable-Security Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationLecture 11: Hash Functions, Merkle-Damgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review Collision-Resistant Hash Functions
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationHash Functions: From Merkle-Damgård to Shoup. Ilya Mironov
Hash Functions: From Merkle-Damgård to Shoup Ilya Mironov mironov@cs.stanford.edu Computer Science Department, Stanford University, Stanford, CA 94305 Abstract. In this paper we study two possible approaches
More informationHash-based signatures & Hash-and-sign without collision-resistance
Hash-based signatures & Hash-and-sign without collision-resistance Andreas Hülsing 22.12.2016 Hash-based Signature Schemes [Mer89] Post quantum Only secure hash function Security well understood Fast 22-12-2016
More informationSecurity Analysis of the Mode of JH Hash Function
Security Analysis of the Mode of JH Hash Function Rishiraj Bhattacharyya, Avradip Mandal 2, and Mridul Nandi 3, Indian Statistical Institute, Kolkata, India rishi r@isical.ac.in 2 Université du Luxembourg,
More informationImproved Indifferentiability Security Bound for the JH Mode
Improved Indifferentiability Security Bound for the JH Mode Dustin Moody Souradyuti Paul Daniel Smith-Tone National Institute of Standards and Technology Gaithersburg, MD, USA dustin.moody@nist.gov National
More informationSecond Preimages for Iterated Hash Functions and their Implications on MACs
Second Preimages for Iterated Hash Functions and their Implications on MACs Mario Lamberger, Norbert Pramstaller, and Vincent Rijmen Institute for Applied Information Processing and Communications (IAIK)
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationTheory and practice for hash functions
Theory and practice for hash functions Bart Preneel www.ecrypt.eu.org eu Title of Presentation Katholieke Universiteit it it Leuven - COSIC firstname.lastname@esat.kuleuven.be Cambridge, 1 February 2012
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationENEE 459-C Computer Security. Message authentication (continue from previous lecture)
ENEE 459-C Computer Security Message authentication (continue from previous lecture) Last lecture Hash function Cryptographic hash function Message authentication with hash function (attack?) with cryptographic
More informationEtude d hypothèses algorithmiques et attaques de primitives cryptographiques
Etude d hypothèses algorithmiques et attaques de primitives cryptographiques Charles Bouillaguet École normale supérieure Paris, France Ph.D. Defense September 26, 2011 Introduction Modes of Operation
More informationDesign of Iteration on Hash Functions and its Cryptanalysis
Design of Iteration on Hash Functions and its Cryptanalysis MRIDUL NANDI Applied Statistics Unit Indian Statistical Institute Kolkata - 700108 India. 1 Design of Iteration on Hash Functions and its Cryptanalysis
More informationHow (not) to efficiently dither blockcipher-based hash functions?
How (not) to efficiently dither blockcipher-based hash functions? Jean-Philippe Aumasson, Raphael C.-W. Phan FHNW, Switzerland Loughborough University, UK 1 / 29 CONTENT OF THE TALK Dithered hashing Blockcipher-based
More informationCryptography CS 555. Topic 13: HMACs and Generic Attacks
Cryptography CS 555 Topic 13: HMACs and Generic Attacks 1 Recap Cryptographic Hash Functions Merkle-Damgård Transform Today s Goals: HMACs (constructing MACs from collision-resistant hash functions) Generic
More informationOn Security Arguments of the Second Round SHA-3 Candidates
On Security Arguments o the Second Round SA-3 Candidates Elena Andreeva Andrey Bogdanov Bart Mennink Bart Preneel Christian Rechberger March 19, 2012 Abstract In 2007, the US National Institute or Standards
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationLecture 24: MAC for Arbitrary Length Messages. MAC Long Messages
Lecture 24: MAC for Arbitrary Length Messages Recall Previous lecture, we constructed MACs for fixed length messages The GGM Pseudo-random Function (PRF) Construction Given. Pseudo-random Generator (PRG)
More information