Indifferentiability Security of the Fast Widepipe Hash: Breaking the Birthday Barrier
Dustin Moody (NIST, USA), Souradyuti Paul (NIST, USA, and KU Leuven, Belgium), Daniel Smith-Tone (NIST, USA)

Abstract. The main result of the paper is the solution to a longstanding open problem in the hash function literature: to show that an n-bit iterative hash function can achieve both rate-1 efficiency and an indifferentiability security bound of more than n/2 bits. No hash function, not even the SHA3 finalists, achieves this property. The Fast Widepipe (FWP) hash mode was proposed by Nandi and Paul in 2010 as a faster variant of the popular Widepipe (WP) construction proposed by Lucks in 2005. Both FWP and WP can be constructed from an identical primitive; however, FWP enjoys a speed-up factor of at least 2 compared to WP for a reasonable selection of parameter values. Despite many heuristic arguments in favor of the optimal security of FWP, the proven indifferentiability bound for the mode was only up to the birthday barrier of n/2 bits. In this paper, we break the barrier: we improve the bound to 2n/3 bits. We compare the FWP mode with other popular modes with respect to security and efficiency. To the best of our knowledge, this is the first time the indifferentiability security bound of a hash mode with rate 1 has been shown to be beyond the birthday barrier. The novel technique used to break the barrier, based on the detection of a special set of events, namely 3-multi-collisions on n bits and n-bit and 2n-bit query collisions, may be of independent interest; the technique is likely to apply to other similar rate-1 hash functions such as JH and the Parazoa family. Our rigorous experiments give evidence that the bound could be further improved, possibly to very close to n bits.
1 Introduction

Iterative hash functions are usually composed of two parts: (1) a basic primitive (denoted by C) with finite domain and range, and (2) an iterative mode of operation (denoted by H) to extend the domain of the hash function. We denote a hash function using the mode H and the primitive C by H^C. In studying the security of a hash function, it turns out that both the security of the primitive C and the security of the mode of operation H need to be examined separately, since one can be attacked independently of the other. The most popular hash mode of operation is the classical Merkle-Damgård mode [14, 23]. It has the desirable property that if C is collision resistant, then MD^C will also be collision resistant. Many practical hash functions, such as MD4 [28], MD5 [29], and SHA-0/1/2 [25, 26], follow the Merkle-Damgård mode of operation. However, several recent attacks have greatly undermined the security of any hash function based on the Merkle-Damgård mode. These attacks include the length-extension attack, Joux's multi-collision attack [18], the herding attack [19], and the Kelsey-Schneier preimage attack [20], among others. All the above attacks targeted the mode of operation, and they work no matter how secure the underlying primitive C is. A telltale sign of the demise of the Merkle-Damgård mode is that none of the 64 submissions to the ongoing SHA3 competition used the Merkle-Damgård mode.

In search of a secure replacement for the Merkle-Damgård mode, we have broadly witnessed several stages of improvement: (1) additional postprocessing and/or counters injected into the Merkle-Damgård mode to eliminate the length-adjustment related attacks (e.g., HAIFA [8], EMD [4], MDP [17]); (2) widening of the output length of the primitive C to eliminate Joux's multicollision-type attacks (e.g., Widepipe-MD [21], JH [30], Grøstl [16], Sponge [5], Shabal [10], Parazoa [3]); (3) multiple applications of the primitive C on the same message-block (e.g., Doublepipe MD [21]).

Another research direction, motivated by the innovative attacks on hash modes of operation, has been the development of new security frameworks that can cover the above attacks as well as many others still unforeseen. The indifferentiability framework is one of them. It was introduced by Maurer et al. [22] in 2004, and was first applied to analyze hash modes of operation by Coron et al. [13]. Briefly, in this framework, we measure the extent to which a hash function behaves as a random oracle under some idealized assumption (e.g., random oracle, ideal permutation, ideal cipher) on the underlying compression function. Indeed, security of a hash mode established in the indifferentiability framework guarantees resistance to many attacks, including collision, 1st preimage, 2nd preimage, length-extension and Joux's multi-collision, among others. Some limitations of the indifferentiability framework have been recently discovered in [15] and [27].
Nevertheless, the framework still covers most known attack scenarios and, therefore, security of a mode in that setting is able to guarantee resistance to many generic attacks.

The Challenge: Despite the plentifulness of iterative hash modes of operation, not one of them has been shown to have an optimal security-performance tradeoff. By security, we mean the proven indifferentiability security bound of the hash mode. By performance, we mean the rate of the hash function: the rate of a hash function based on an ideal primitive with a bits of input and b bits of message-block is defined to be b/(a - b). This quantity shows the fraction of the primitive-input bits being used for message injection during the hash computation. It is clear that a higher rate implies faster hash computation. To the best of our knowledge, there are no hash modes with rate 1 whose indifferentiability security bounds are larger than n/2 bits. The rates and security bounds of many popular hash modes have been tabulated in Table 1.

Relevant previous work: Merkle-Damgård vs. Widepipe vs. Fast Widepipe. To make a Merkle-Damgård hash function (proposed in 1989) secure against the aforementioned Joux's multi-collision-type attacks, Lucks, in 2005, proposed to make the intermediate chaining values of the Merkle-Damgård mode twice as large as the final hash value; this mode is known as the Widepipe mode [21] (see Figure 1). Suppose the basic primitive in a Merkle-Damgård hash function is C : {0,1}^(l+n) -> {0,1}^n. Lucks has, very rightly, proposed to use a primitive C : {0,1}^(l+n) -> {0,1}^(2n) to avoid many multi-collision-type attacks. The message-block and the chaining input to C in a Widepipe mode are now l - n and 2n bits. The Widepipe hash mode achieves close to n bits of indifferentiability security, albeit at the cost of a low rate of 1/2 (Table 1). The Fast Widepipe (FWP) hash mode was proposed by Nandi and Paul in 2010 [24], as a faster variant of the Widepipe mode [21] (see Figure 1).
Using any Widepipe primitive C : {0,1}^(l+n) -> {0,1}^(2n), the FWP mode achieves the higher rate of 1 by allowing l bits of message-block and n bits of chaining value [24]. However, the security bound of the mode was only up to n/2 bits.
[Figure 1 (diagram): (i) Widepipe mode, where each of the k calls to C takes an (l - n)-bit message-block together with a 2n-bit chaining value; (ii) Fast Widepipe (FWP) mode, where the first k - 1 calls take an l-bit message-block and an n-bit chaining value, and the last call takes an (l - n)-bit block. Both use the identical primitive C. All unlabeled wires are n bits. The M_i are message-blocks.]

Our contribution. In this paper, we extend the indifferentiability security bound of the FWP mode from n/2 bits to 2n/3 bits. This is the first time the indifferentiability security of a hash mode with rate 1 has been shown to be better than the birthday bound. In addition to this main result, our proof technique may be of independent interest, as it is novel and can potentially be used for improved security analyses of this mode and similar ones such as the JH and the Parazoa family of modes. The main hurdle in breaking the birthday barrier of the FWP was two-pronged. First, any analysis based on the probability of collision in just n bits of output can only give a bound of n/2 bits; this approach is usually followed to achieve bounds up to n/2 bits. Secondly, collision prevention on 2n bits of output does not prevent collisions in the n bits of the input chain, resulting in a total number of messages that is quadratic in i after i queries, again giving a bound of only n/2 bits. This problem arises due to the XOR operations between the interleaving n bits of successive outputs. We overcome this issue by identifying a special set of events (described in Section 4) occurring with low probabilities, namely, 3-multi-collision on the n bits of output (Type1-b, e, g) and n-bit query collision (Type1-f), in addition to the usual 2n-bit output and query collisions (Type1-a, c, d). Another important feature of our methodology is allowing the growth of the graph T_s, representing all possible messages, for two phases rather than the usual approach of just one. These events helped us bound the number of paths in the graph by a linear function in i, using simple combinatorial results (see Lemma 5.1).
This linear bound on the size of T_s allows us to achieve a bound of 2n/3 bits. The theoretically obtained bound of 2n/3 bits agrees well with our experimental results. Moving further, our experimental results performed with a different set of events give ample evidence that the indifferentiability bound for the FWP can be stretched close to even n bits. The theoretical analysis of this result is left as an open problem.

Notation and Convention. Throughout the paper we use the little-endian bit-ordering system. The symbol |x| denotes the bit-length of the bit-string x (or the size of the set x). Let n be a fixed number. Let x --parse--> x_1 || x_2 denote parsing x into x_1 and x_2 such that |x_1| = n and |x_2| = |x| - n. Similarly, x --parse--> x_1 || x_2 || x_3 means parsing x into x_1, x_2 and x_3 such that |x_1| = |x_2| = n and |x_3| = |x| - 2n. The notation M --pad--> m_1 || ... || m_{k-1} || m_k is explained in Section 1.1. Let S_t denote the sample space of the discrete random variable t. The relation A ≡ B is satisfied if and only if Pr[A = x] = Pr[B = x] for all x in S, where S = S_A ∪ S_B. Other notation which we will use is included in Table 2.

Table 1: Rates and indifferentiability bounds of popular hash modes. For each case the hash output is n bits. For a fair comparison we chose l = n. RO, IC and IP are abbreviations for random oracle, ideal cipher, and ideal permutation respectively; in the original table two further symbols mark optimal and close-to-optimal entries.

Mode of operation   Message-block   Primitive input   Primitive output   Indiff. bound   Rate b/(a-b)   Ideal primitive
                    length (b)      length (a)        length
MD [14, 23]         l               l + n             n                  0               1              RO
MDP [17]            l               l + n             n                  n/2             1              RO
EMD [4]             l               l + n             n                  n/2             1              RO
HAIFA [8]           l               l + n             n                  n/2             1              RO
chopMD [11, 13]     l               l + 2n            2n                 n - log n       1/2            RO
BLAKE [1, 12]       2n              4n                2n                 n/2             1              IC
Shabal [10]         n               4n                2n                 n               1/3            IC
JH [7]              n               2n                2n                 n/3             1              IP
Sponge [5]          n               2n                2n                 n/2             1              IP
Grøstl [16]         2n              2n (x2)           2n (x2)            n/2             1              IP
Parazoa [3]         n               2n                2n                 n/2             1              IP
FWP [24]            l               l + n             2n                 n/2             1              RO
FWP (this paper)    l               l + n             2n                 2n/3            1              RO

Table 2: Notation

a := b             a is assigned the value of b
a <-$- S           a is assigned a value uniformly chosen from the set S
A^B                Algorithm A with oracle access to B
Dom(T)             The set of indices i in table T such that T[i] is defined
a || b             The concatenation of a and b
[x, y]             The set of integers between x and y, including them
a[x, y]            The bit-string between the x-th and y-th bit-positions of a
U[0, 2^n - 1]      The uniform distribution over the integers between 0 and 2^n - 1

1.1 Description of the FWP Mode

Suppose l >= n + 1. Let C : {0,1}^(l+n) -> {0,1}^(2n) be a cryptographic primitive used to build the FWP hash function FWP^C : {0,1}^* -> {0,1}^n. The diagram and the description of the FWP transform are given in Figures 1 and 2. The semantics of the notation M --pad--> m_1 || ... || m_{k-1} || m_k is as follows: using an injective function pad : {0,1}^* -> U_{i>=1} {0,1}^((i+1)l - n), M is mapped into a string m_1 || ... || m_{k-1} || m_k such that |m_i| = l for 1 <= i <= k - 1, and |m_k| = l - n. In addition to the aforementioned injectivity property of pad(), another property is needed to prove the indifferentiability of FWP: there should exist a function, which we call depad(), that can efficiently compute M given pad(M).
Figure 2: Pseudocode for FWP

FWP(M)
01. M --pad--> m_1 || m_2 || ... || m_{k-1} || m_k;
02. y_0 := IV, y'_0 := IV';
03. for (i := 1, 2, ..., k-1) y_i || y'_i := C(y_{i-1} || m_i) XOR (y'_{i-1} || 0^n);
04. y_k || y'_k := C(y_{k-1} || y'_{k-1} || m_k);
05. return y'_k;

[Figure 3 (diagram): Indifferentiability framework for a hash function; see the pictorial description following Definition 1.3.]

Formally, the function depad : U_{i>=1} {0,1}^((i+1)l - n) -> {0,1}^* U {λ} computes depad(pad(M)) = M for all M in {0,1}^*; otherwise depad() returns λ. The reader should convince herself that the padding rules of all practical hash functions have the above properties. For practical purposes, we now concretely define pad() for M in {0,1}^(< 2^64) as follows: append t zero bits and a 64-bit encoding of |M| to the message M, selecting the least integer t >= 0 such that the padded length |M| + t + 64 is congruent to -n modulo l (so that |m_k| = l - n). The value IV || IV' used to initialize FWP can be any fixed 2n-bit constant. More details about the FWP transform can be found in [ ].

1.2 Preliminaries: Introduction to the Indifferentiability Framework

We begin with the definition of a random oracle. This useful object will be used frequently in the subsequent discussion.

Definition 1.1 (Random oracle) A random oracle is a function RO : X -> Y chosen uniformly at random from the set of all |Y|^|X| functions that map X to Y. In other words, a function RO : X -> Y is a random oracle if and only if, for each x in X, the value of RO(x) is chosen uniformly at random from Y.

Corollary 1.2 If a function RO : X -> Y is a random oracle, then Pr[RO(x) = y | RO(x_1) = y_1, RO(x_2) = y_2, ..., RO(x_q) = y_q] = 1/|Y|, where x is not in {x_1, x_2, ..., x_q}, y is in Y and q is in Z.

Next we introduce the indifferentiability framework and briefly discuss its significance. The following definition is a slightly modified version of the original definition provided in [13, 22].
Definition 1.3 (Indifferentiability framework) [22] An interactive Turing machine (ITM) T with oracle access to an ideal primitive F is said to be (t_A, t_S, q, ε)-indifferentiable from an ideal primitive G if there exists a simulator S such that, for any distinguisher A, the following is satisfied: Adv^{G,S}_{T,F}(A) = |Pr[A^{T,F} = 1] - Pr[A^{G,S} = 1]| <= ε. The simulator S is an ITM which has oracle access to G and runs in time at most t_S. The distinguisher A runs in time at most t_A. The number of queries used by A is at most q. The ε is a negligible function in the security parameter of T.
We define Adv^{G,S}_{T,F} = max_A |Pr[A^{T,F} = 1] - Pr[A^{G,S} = 1]|. From Definition 1.3, we have that Adv^{G,S}_{T,F} <= ε. Briefly, the significance of the indifferentiability framework is the following. Suppose an ideal primitive G (e.g., a variable-input-length random oracle) is indifferentiable from an algorithm T based on another ideal primitive F (e.g., a fixed-input-length random oracle). In such a case, any cryptographic system P based on G is as secure as P based on T^F (i.e., T^F replaces G in P). For a more detailed explanation, we refer the reader to [22].

Pictorial Description of Definition 1.3 (Figure 3). In the figure, the five entities involved in Definition 1.3 are shown: T, F, G and S have been replaced by a hash mode H, random oracles ro and RO, and a simulator s. In our case H is the FWP hash mode described in Figure 2, with C as ro. Suppose the oracle Turing machine T and the ideal primitives F, G are, respectively, a hash function H and random oracles ro and RO. In this setting, Definition 1.3 addresses the degree to which any computationally bounded adversary is unable to distinguish between Option 1 and Option 2.

2 Indifferentiability Framework for FWP: Definitions

[Figure 4 (diagram): Schematic diagrams of the security games used in the indifferentiability framework for FWP: Game(FWP, ro) with oracles FWP and ro, G_1 with oracles FWP1 and S1, and Game(RO, S) with oracles RO and S; the adversary A queries both oracles of each game. The arrows show the directions in which the queries are submitted.]

To study the indifferentiability security of the FWP mode, we use a random oracle ro : {0,1}^(l+n) -> {0,1}^(2n) for the primitive C specified in the design of FWP. To obtain the indifferentiability security bound for the FWP mode, we follow the usual game-playing techniques [4, 2]. The schematic diagrams of the two cryptographic systems Option 1 and Option 2 (of Figure 3) are Game(FWP, ro) and Game(RO, S) in the present context (see Figure 4). The other game G_1 is derived from them. The pseudocode for all the games has been provided in Section 3.
Informally, a game takes an adversarial query as input and produces the output. A simple example is the description of Game(FWP, ro), which is provided in Figure 5(a). We now formally define a game.

Definition 2.1 (Game) A game is a stateful probabilistic algorithm that takes an adversary-generated query as input, updates the current state, and produces an output to the adversary.

The notion of equivalence of games will play a central role in the security reduction processes to follow. To put it loosely, two games are equivalent if their input-output distributions are identical. The formal definition is below. To make the definition simpler we restrict ourselves only to games that expose identical interfaces to the adversaries. This allows us to define equivalence of a pair of games when they interact with the same adversary. This setup is relevant in our indifferentiability framework. First, we define an important parameter of a game called the view.
Definition 2.2 (View of a game) Let (x_i, y_i) denote the i-th query and the response from the game G when it interacts with the adversary A. The view of the game G with respect to the adversary A after i queries is defined to be the sequence {(x_1, y_1), ..., (x_i, y_i)}.

Definition 2.3 (Equivalence of games) Denote the views of the games G_1 and G_2 after i queries by V_1i and V_2i, when they are interacting with the adversary A. The games G_1 and G_2 are said to be equivalent with respect to the adversary A if and only if V_1i ≡ V_2i for all i > 0. Equivalence between the games G_1 and G_2 with respect to the adversary A is denoted by G_1 ≡_A G_2, or simply G_1 ≡ G_2 when the adversary is clear from the context.

Now we state an important lemma relating the equivalence of games and the adversarial outputs. The result immediately follows from Definition 2.3.

Lemma 2.4 If G_1 ≡_A G_2 then Pr[A^{G_1} = 1] = Pr[A^{G_2} = 1]. The probabilities are taken over all coin tosses in the games and the adversary.

Roadmap. From Section 1.2, we have Adv^{RO,S}_{FWP,ro} = max_A |Pr[A^{FWP,ro} = 1] - Pr[A^{RO,S} = 1]|. In the following sections we shall estimate Adv^{RO,S}_{FWP,ro} using the following approach: in Sections 3 and 4 we describe the security games presented in Figure 4; an important part of the description is designing a simulator S for the indifferentiability framework for FWP, and computing an upper bound of O(σ^5) on S's running time, where σ is the maximum number of invocations of ro. Additionally, we shall show that Game(FWP, ro) ≡ G_1, which implies by Lemma 2.4 that Pr[A^{FWP,ro} = 1] = Pr[A^{G_1} = 1]. This, in turn, implies Adv^{RO,S}_{FWP,ro} = max_A |Pr[A^{G_1} = 1] - Pr[A^{RO,S} = 1]|. Then in Section 6 we shall show max_A |Pr[A^{G_1} = 1] - Pr[A^{RO,S} = 1]| = O(σ^3/2^(2n) + σ^2/2^n).

3 Description of the Security Games for FWP

In this section, we elaborate on the games Game(FWP, ro), G_1, and Game(RO, S) that are schematically presented in Figure 4. The pseudocode for all the games is given in Figures 5 and 9.
The functionalities FWP, FWP1, and RO are mappings {0,1}^* -> {0,1}^n. We use the generic term long oracle (or l-oracle) to identify any of them and call any query submitted to a long oracle an l-query. Similarly, ro, S1, and S are mappings {0,1}^(l+n) -> {0,1}^(2n), which are called short oracles (or s-oracles). The corresponding queries are called s-queries. We assume that identical queries are not submitted more than once. The games will use several global and local variables: the global variables D_l and D_s are two tables to store query-response pairs, D_l for l-queries and D_s for s-queries. D_l, D_s and all local variables are initialized as empty; the graph T_s is also a global variable which initially contains only the root node (IV, IV'); the local variables are re-initialized on every new invocation of the game, while the global data structures maintain their states across the queries.

Description of Game(FWP, ro) (Fig. 5(a)). The game Game(FWP, ro) implements FWP^ro using the l-oracle FWP and the s-oracle ro. The definition of the function FWP^ro has been provided in Section 2.

Figure 5: The main games Game(FWP, ro) and Game(RO, S)

(a) Game(FWP, ro)

FWP(M)
01. M --pad--> m_1 || m_2 || ... || m_{k-1} || m_k;
02. y_0 := IV, y'_0 := IV';
03. for (i := 1, 2, ..., k-1) y_i || y'_i := ro(y_{i-1} || m_i) XOR (y'_{i-1} || 0^n);
04. r := ro(y_{k-1} || y'_{k-1} || m_k);
05. return r[n, 2n-1];

ro(x)
11. if x not in Dom(D_s) then D_s[x] <-$- {0,1}^(2n);
12. return D_s[x];

(b) Game(RO, S)

RO(M)
001. if M in Dom(D_l) return D_l[M][n, 2n-1];
002. r <-$- {0,1}^(2n); D_l[M] := r;
003. return r[n, 2n-1];

S(x)
101. r <-$- {0,1}^(2n);
102. Mset := MessageRecon(x, T_s);
103. if |Mset| = 1 and M not in Dom(D_l) then D_l[M] := r;      (M is the single element of Mset)
104. if |Mset| = 1 and M in Dom(D_l) then r := D_l[M];
105. D_s[x] := r;
106. FullGraph(D_s);
107. return r;

MessageRecon(x, T_s)
201. x --parse--> y || y' || m;
202. if FindNode(y y') = 0 return Mset := {};
203. Mset' := FindBranch(y y');
204. Mset := {M | m' in Mset', M := depad(m' || m) != λ};
205. return Mset;

The ro has been implemented through lazy sampling. The query-response pairs for the s-oracle are stored in the table D_s.

Description of Game(RO, S) (Fig. 5(b)). The s-oracle S() of this game is the simulator of the indifferentiability framework for FWP. The l-oracle of this game implements the random oracle RO(). Construction of an effective simulator is an important part of the analysis of indifferentiability security of a hash mode of operation. The purpose of the simulator S is two-fold: (1) to output values that are uniformly distributed, and (2) to respond in such a way that FWP^ro(M) and RO(M) are identically distributed. It is easy to conclude that, as long as the simulator S is able to output values satisfying the above conditions, no adversary can distinguish between (RO, S) and (FWP, ro). Our design strategy for S is fairly intuitive and simple. Before going into the detailed description, we first define the data structures and the subroutines used by the game.
The game uses three global data structures: the table D s to store all s-queries and 2n-bit responses, each chosen according to the uniform distribution U[0, 2 2n 1, the table D l to store all l-queries and 2n-bit responses, each chosen according to the uniform distribution U[0, 2 2n 1, a specially designed directed graph T s ; we discuss below how T s is updated. Subroutine FullGraph: The subroutine updates the directed graph T s using the elements stored in D s. The graph T s is built in such a way that each path originating from the rootnode (IV, IV ) represents the execution of FWP( ) on a prefix of some message. See Figure 6 for the pictorial description of how several components of the graph T s is built. For example, suppose M pad m 1 m 2 M. Then the path IV IV m 1 y1 y 1 m 2 y2 y 2 represents the first twoblock execution of FWP(M) where, y 1 y 1 ro(iv m 1) IV 0 and y 2 y 2 ro(y 1m 2 ) y
Additionally, and more importantly, the graph T_s contains all possible paths derived from the elements in D_s; hence the name FullGraph.

[Figure 6 (diagram): (i) The directed graph T_s that is updated by the subroutines FullGraph or PartialGraph (see Sect. 3). Example: the edge (y_1 y'_1, m_2, y_2 y'_2) is composed of the head node y_1 y'_1, the arrow m_2, and the tail node y_2 y'_2. The left and right coordinates of a node (y_a y'_a) are y_a and y'_a. (ii) Generation of the edge (y_1 y'_1, m_2, y_2 y'_2) of T_s using ro; the shaded rectangle is viewed as the compression function of FWP with y_1 y'_1 m_2 and y_2 y'_2 being the input and the output.]

Subroutine MessageRecon(x, T_s): The purpose of this subroutine is to reconstruct all messages M such that FWP^ro(M) can be computed using the elements in D_s and ro(x). Also, the final input to ro in FWP^ro(M) is x, hence FWP^ro(M) = ro(x)[n, 2n-1]. To serve the purpose, the subroutine proceeds as follows: first, the subroutine FindNode(x[0, 2n-1] = y y') checks whether the node y y' is present in the graph T_s (line 202). If present, then the subroutine FindBranch(y y') collects all paths P from the root node (IV, IV') to the node y y', and finally returns a set of messages M such that pad(M) is the sequence of arrows on a path P concatenated with x[2n, l+n-1] = m (lines 203 and 204). If no such message is found then the subroutine returns the empty set (lines 202 and 204). This operation is pictorially described in Figure 7. On a new s-query x, S assigns a uniformly sampled 2n-bit value to r (line 101). Then the subroutine MessageRecon(x, T_s) is invoked, which returns a set of messages (line 102). If the size of that set is 1 and its element M is not an old l-query, then D_l[M] is assigned the value of r (line 103). If the size of the set is 1 and its element M is an old l-query, then r is assigned the value of D_l[M] (line 104).
Finally, in lines 105 and 106 the table D_s and the graph T_s are updated. In line 107 the value of r is returned. On an l-query M, RO first checks whether M has already been reconstructed using the s-queries; in that case, M already belongs to Dom(D_l) and RO returns the most significant n bits of D_l[M], that is D_l[M][n, 2n-1] (line 001). Otherwise, D_l[M] is assigned a uniformly sampled 2n-bit value (line 002), and the most significant n bits of it are returned (line 003). The running time of the simulator S is dominated by the running times of MessageRecon and FullGraph.
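As an added, runnable illustration of both the FWP mode of Section 1.1 (Figure 2, together with the pad/depad rules) and the game Game(RO, S) of Figure 5(b) with its FullGraph and MessageRecon subroutines, the following Python code is not from the paper. It assumes toy parameters n = 32 and l = 64 bits, stands in a truncated SHA-256 for the ideal primitive C, restricts messages to whole bytes, and follows the node convention of the PartialGraph pseudocode: the primitive takes the left coordinate y_{i-1} and the message-block, and the first n output bits are XORed with the right coordinate y'_{i-1}. The function consistency_check plays the role of an adversary that evaluates FWP block by block through the simulator S and then asks RO for the same message; the simulator's bookkeeping (lines 102 to 106) is what makes both answers agree.

```python
import hashlib
import os

N, L = 4, 8                      # toy parameters (assumption): n = 32 bits, l = 64 bits, l >= n + 1
IV, IVP = bytes(N), bytes(N)     # the fixed 2n-bit constant IV || IV'

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def C(x):
    """Stand-in for the ideal primitive {0,1}^(l+n) -> {0,1}^(2n) (assumption, not the paper's ro)."""
    assert len(x) == L + N
    return hashlib.sha256(b"FWP-primitive|" + x).digest()[:2 * N]

def pad(M):
    """Append t zero bits and a 64-bit length so that |pad(M)| = k*l - n, i.e. |m_k| = l - n."""
    t = (-(len(M) + 8 + N)) % L
    return M + bytes(t) + (8 * len(M)).to_bytes(8, "little")

def depad(P):
    """Inverse of pad; None plays the role of lambda for strings that are not padded messages."""
    if len(P) < 8 or (len(P) + N) % L:
        return None
    bits = int.from_bytes(P[-8:], "little")
    if bits % 8 or bits // 8 > len(P) - 8:
        return None
    M = P[: bits // 8]
    return M if pad(M) == P else None   # rejects non-minimal t and non-zero filler

def blocks(P):
    """Split a padded string into k - 1 blocks of l bits and a last block of l - n bits."""
    k = (len(P) + N) // L
    return [P[i * L:(i + 1) * L] for i in range(k - 1)] + [P[(k - 1) * L:]]

def fwp(M, prim=C):
    """FWP^prim(M) as in Figure 2: y_i || y'_i := prim(y_{i-1} || m_i) XOR (y'_{i-1} || 0^n)."""
    ms = blocks(pad(M))
    y, yp = IV, IVP
    for m in ms[:-1]:
        r = prim(y + m)
        y, yp = xor(r[:N], yp), r[N:]
    r = prim(y + yp + ms[-1])           # final call on y_{k-1} || y'_{k-1} || m_k
    return r[N:]                        # r[n, 2n-1]

class GameROS:
    """Game(RO, S) of Figure 5(b): tables D_s, D_l and the graph T_s rebuilt by FullGraph."""
    def __init__(self):
        self.Ds, self.Dl = {}, {}
        self.Ts = {(IV, IVP): []}       # node (y, y') -> list of edges (arrow m, next node)

    def full_graph(self):
        """Rebuild T_s from D_s: every root-to-node path is an FWP run on a message prefix."""
        self.Ts, todo = {(IV, IVP): []}, [(IV, IVP)]
        while todo:
            y, yp = todo.pop()
            for x, r in self.Ds.items():
                if x[:N] == y:          # s-query whose chaining input is this node's left coordinate
                    z = (xor(r[:N], yp), r[N:])
                    self.Ts[(y, yp)].append((x[N:], z))
                    if z not in self.Ts:
                        self.Ts[z] = []
                        todo.append(z)

    def message_recon(self, x):
        """MessageRecon(x, T_s): all M with pad(M) = (arrows on a root-to-yy' path) || m."""
        y, yp, m = x[:N], x[N:2 * N], x[2 * N:]
        if (y, yp) not in self.Ts:      # FindNode fails (line 202)
            return set()
        found, stack = set(), [((IV, IVP), b"")]
        limit = L * len(self.Ds)        # a simple path has at most |D_s| edges
        while stack:                    # FindBranch: enumerate root-to-yy' paths (lines 203-204)
            node, prefix = stack.pop()
            if node == (y, yp):
                M = depad(prefix + m)
                if M is not None:
                    found.add(M)
            if len(prefix) < limit:
                for mi, nxt in self.Ts[node]:
                    stack.append((nxt, prefix + mi))
        return found

    def S(self, x):
        """Simulator: fresh random r, made consistent with D_l when x completes exactly one message."""
        r = os.urandom(2 * N)                       # line 101
        Ms = self.message_recon(x)                  # line 102
        if len(Ms) == 1:
            (M,) = Ms
            if M not in self.Dl:
                self.Dl[M] = r                      # line 103
            else:
                r = self.Dl[M]                      # line 104
        self.Ds[x] = r                              # line 105
        self.full_graph()                           # line 106
        return r

    def RO(self, M):
        """Random oracle with 2n-bit lazy sampling, returning the n bits r[n, 2n-1]."""
        if M not in self.Dl:                        # lines 002-003
            self.Dl[M] = os.urandom(2 * N)
        return self.Dl[M][N:]                       # line 001

def consistency_check(M):
    """Adversary evaluates FWP^S(M) through the simulator, then queries RO(M); both must agree."""
    g = GameROS()
    return fwp(M, g.S) == g.RO(M)
```

The path bound in message_recon is a guard this example adds so that FindBranch terminates even if random responses ever closed a cycle in T_s; with the toy 32-bit parameters that event is astronomically unlikely for a handful of queries, but the enumeration would otherwise never stop.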
[Figure 7 (diagram): Operations in MessageRecon on the graph T_s in Game(RO, S) (or on the graph T'_s in G_1): the s-query x is parsed as y y' m, the node y y' is located, and the root-to-node paths are collected.]

[Figure 8 (diagram): The graphs T_s and T'_s (enclosed in the dotted line) in G_1. The red nodes are unknown to the adversary; they are generated by ro-queries in the execution of l-queries.]

In Appendix A, we show that the worst-case running time of S on the i-th query is O(i^4).

Description of G_1 (Fig. 9). The description of the game G_1 apparently looks a bit artificial in the sense that it was constructed as a hybridization of the games Game(FWP, ro) and Game(RO, S). The purpose of this game is to be a transit point from Game(FWP, ro) to Game(RO, S) so that their difference in execution can be understood. As in game Game(RO, S), the global variables of this game are the tables D_s and D_l, and the graph T_s. First, in the description of this game, we omit the statements where the variable BAD is set (lines 000, 100, 405, 413, and 414), since they do not impact the output and the global data structures. The variable BAD is set when certain events occur in the global data structures. Those events will be discussed when we compute |Pr[A^{G_1} = 1] - Pr[A^{RO,S} = 1]| in Sect. 6. Now we describe the subroutines used by this game.

Subroutine PartialGraph(x, r): Like the subroutine FullGraph, this subroutine also builds the graph T_s in such a way that each directed path originating from the root node (IV, IV') represents the execution of FWP() on a prefix of some message (depicted in Fig. 6). However, there are differences. Rather than building all possible paths using the new pair (x, r) and the old pairs in D_s, PartialGraph augments T_s in at most two phases; hence the name PartialGraph. The details are as follows.
First, the subroutine CreateCoset(y_c = x[0, n-1]) is invoked, which returns a set Coset containing all nodes in T_s whose left coordinate is y_c (lines 401 and 402). The size of Coset determines the number of nodes to be added to T_s in the 1st phase of the current iteration. 1st phase (lines 403 and 404): Using the members of Coset and the new pair (x, r), new edges are constructed, stored in Edge, and added to T_s using the subroutine AddEdge. 2nd phase (lines 406 through 412): The set Edge in turn generates another set of edges in a for-loop, using the old query-response pairs stored in table D_s: if the least-significant n bits of an old query x' in Dom(D_s) equal the left coordinate y of the tail node of an edge in Edge (lines 407-408), then a new edge is constructed and added to T_s at the contact point y = x'[0, n-1], by calling AddEdge() (line 412).

Figure 9: The game G_1

FWP1(M)
000. if Type3 then BAD := True;
001. if M in Dom(D_l) return D_l[M][n, 2n-1];
002. M --pad--> m_1 || m_2 || ... || m_{k-1} || m_k;
003. y_0 := IV, y'_0 := IV';
004. for (i := 1, ..., k-1) {
005.   b := 0;
006.   if y_{i-1} || m_i not in Dom(D_s) then b := 1;
007.   r := ro(y_{i-1} || m_i);
008.   y_i || y'_i := r XOR (y'_{i-1} || 0^n);
009.   if b = 1 then PartialGraph(y_{i-1} || m_i, r); }
010. if y_{k-1} || y'_{k-1} || m_k not in Dom(D_s) then b := 1;
011. r := ro(y_{k-1} || y'_{k-1} || m_k);
012. D_l[M] := r;
013. if b = 1 then PartialGraph(y_{k-1} || y'_{k-1} || m_k, r);
014. return r[n, 2n-1];

S1(x)
100. if Type2 then BAD := True;
101. b := 0;
102. if x not in Dom(D_s) then b := 1;
103. r := ro(x);
104. Mset := MessageRecon(x, T'_s);
105. if |Mset| = 1 and M not in Dom(D_l) then D_l[M] := r;      (M is the single element of Mset)
106. if b = 1 then PartialGraph(x, r);
107. return r;

MessageRecon(x, T'_s)
201. x --parse--> y || y' || m;
202. if FindNode(y y') = 0 return Mset := {};
203. Mset' := FindBranch(y y');
204. Mset := {M | m' in Mset', M := depad(m' || m) != λ};
205. return Mset;

ro(x)
301. if x not in Dom(D_s) then D_s[x] <-$- {0,1}^(2n);
302. return D_s[x];

PartialGraph(x, r)
401. x --parse--> y_c || m; r --parse--> y || y';
402. Coset := CreateCoset(y_c);
     1st Phase:
403. Edge := {(y_c y'_c, m, (y XOR y'_c) y') | y_c y'_c in Coset};
404. for (y_c y'_c, m, y y') in Edge { AddEdge(y_c y'_c, m, y y');
405.   if Type1-a or Type1-b or Type1-c then BAD := True; }
     2nd Phase:
406. for x' in Dom(D_s) {
407.   if there exists (y_c y'_c, m, y y') in Edge
408.     such that y = x'[0, n-1] {
409.     z := D_s[x'][0, n-1] XOR y';
410.     z' := D_s[x'][n, 2n-1];
411.     m' := x'[n, l+n-1];
412.     AddEdge(y y', m', z z'); }
413.   if Type1-d or Type1-e or Type1-f then BAD := True; }
414. if Type1-g then BAD := True;

Subroutine MessageRecon(x, T'_s): This subroutine has already been described in game Game(RO, S). The only change here is that, instead of the graph T_s, the second argument to this subroutine is T'_s, which is the maximal connected subgraph of T_s with the root node (IV, IV'), generated by the part of the table D_s that contains only the s-queries and responses. Note that, in addition to s-queries and responses, D_s contains ro-queries and responses generated during the execution of l-queries (see Figure 8). This marks a significant difference between this game and the game Game(RO, S), which does not have any ro-query arising during the processing of an l-query. We shall quantify this difference in Section 6.

On an s-query x, ro(x) is computed (line 103). The ro is implemented through lazy sampling (lines 301 and 302). Then the subroutine MessageRecon is called with (x, T'_s), which returns a set of reconstructed messages (line 104). If the size of that set is 1, and if its element M is not a previous l-query, D_l[M] is assigned the value of ro(x) (line 105). Before finally returning r (line 107), the subroutine PartialGraph is called on input (x, r), if (x, r) is fresh, i.e., b = 1, to update the existing graph T_s (line 106).

If an l-query M has already been reconstructed by S1 on some previous s-query, then D_l[M][n, 2n-1] is returned (line 001). Otherwise, in lines 002 till 011, FWP1 mimics FWP, in addition to updating the graph T_s (lines 009 and 013) whenever a new intermediate input is generated (lines 006 and 010). D_l[M] is assigned the value of r in line 012, which is the output from the final ro call (line 011). Finally, r[n, 2n-1] is returned (line 014).
Remark 1 The difference in the ways the directed graph T_s is constructed by the subroutines FullGraph and PartialGraph forms the first non-trivial step towards breaking the birthday bound for the indifferentiability security of FWP. PartialGraph augments T_s in at most two phases on every invocation; it is easy to see that the T_s constructed by PartialGraph is a connected subgraph of the T_s constructed by FullGraph. We shall see later that, if the events in lines 405, 413, and 414 do not occur, T_s of Game(RO, S) and T_s of G_1 are identical. As a consequence, the probability of occurrence of such events constitutes a significant fraction of FWP's overall indifferentiability bound of O(σ^3/2^(2n) + σ^2/2^n). It seems possible that, if PartialGraph augmented T_s in more phases than just two, the indifferentiability bound could be improved further (see Section 7); however, in such cases, theoretical determination of a non-trivial upper bound on the probability of the events that tell apart the above subroutines turns out to be hard.

With the above description of the games at our disposal, we are now well equipped to state and prove an easy but important result.

Proposition 3.1 For any distinguishing adversary A, Game(FWP, ro) ≡ G_1.

Proof. From the description of S1, we observe that, for all x in {0,1}^(l+n), S1(x) = ro(x) (line 103). Likewise, from the descriptions of FWP1 and FWP, for all M in {0,1}^*, FWP1(M) = FWP(M).

The events Type1, Type2, and Type3 are still not defined. These events finally tell apart the game G_1 from the game Game(RO, S). We describe them in the following sections.
4 Definition of the events BAD_i and GOOD_i

In the remaining part of the paper, by a query we will mean either a message-block in an l-query, or an s-query. As a result, prior to the i-th query, the sum of s-queries and message-blocks contained in l-queries is i − 1. The purpose of this section is to concretely define the Type1, Type2 and Type3 events mentioned in lines 405, 413, 414, 001, and 000 of game G_1 (Figure 9). Before that, we define a couple of additional events that can be defined using the Type1, Type2, and Type3 events. The symbol BAD_i denotes the event that the variable BAD is set in lines 000, 100, 405, and 413 on the i-th query in game G_1. In other words, BAD_i occurs when one or more of the Type1, Type2, and Type3 events occur on the i-th query in game G_1. The symbol GOOD_i denotes ∧_{j=1}^{i} ¬BAD_j for all i > 0. The symbol GOOD_0 denotes the event that no queries are submitted in game G_1.

On a high level, the intuition behind the construction of the BAD_i events in the game G_1 is rather straightforward: we make sure that if BAD_i does not occur, and if GOOD_{i−1} did occur, then the views of G_1 and Game(RO, S) (up to the i-th query) are identically distributed for any attacker A. Hence, the BAD_i events should establish our main theorem.

Theorem 4.1 (Computational Paradigm) For the games G_1 with an indifferentiability adversary A limited by σ queries and Game(RO,S), interacting [ A G 1 1 [ A RO,S 1 σ 2 [ D A sets BAD D i+1 [ BAD i+1 GOOD i i0 where D = |Pr[A^{G_1} = 1 | GOOD_{σ−1}] − Pr[A^{RO,S} = 1 | GOOD_{σ−1}]|, Pr[A sets BAD] = Pr[¬GOOD_{σ−1}], and D_{i+1} = |Pr[A^{G_1} = 1 | GOOD_i ∧ BAD_{i+1}] − Pr[A^{RO,S} = 1 | GOOD_i ∧ BAD_{i+1}]|.

This computational paradigm in Theorem 4.1 has been used in most well-known constructions [2, 4, 5, 6], as well as in the earlier security proof for FWP by Nandi and Paul [24]. We also follow this paradigm.
However, it is worth remembering that the BAD_i events designed by Nandi and Paul in their original attempts led to indifferentiability bounds which did not go beyond the birthday barrier [24]. In the present case, we had to use deeper insight to construct a different set of BAD_i events to move beyond the barrier. This primarily involved tricks to overcome the interleaving of branches in successive ro calls in the FWP mode. These tricks, as mentioned in Remark 1, are an important contribution of this paper.

4.1 Type1 Event

Suppose x is a fresh query, i.e. x ∉ Dom(D_s) (a fresh query sets b in lines 106, 002, and 010 of Figure 9). Let (y_c y'_c, m, yy') be a new edge generated from that new query-response pair (x, r) (lines 401 through 404). The Type1 event can occur in seven different cases, which are described in lines 405, 413 and 414 of Figure 9.
[Figure 10, drawings not reproduced in this transcription. (a) Type1-a,b,c,d,e,f events when Bad is set in lines 405 and 413 of game G_1 (Fig. 9), drawn over the 1st and 2nd phases for a new edge (y_c y'_c, m, yy') against old queries Old1, Old2, Old3; the labelled conditions are node-collision (Type1-a, Type1-d), 3-collision on left-coordinates (Type1-b, Type1-e), query-collision on 2n bits (Type1-c) and query-collision on n bits (Type1-f), with E1 through E9 marking the n-bit and 2n-bit equalities. Notation: E denotes the event that an equality occurs; arrows are labelled random n bits, l−n bits and l bits. (b) Type1-g event, for which Bad is set in line 414 of game G_1: 3-collision on right-coordinates of old queries Old1, Old2.]

Figure 10: Type1 events when Bad is set in lines 405, 413 and 414 of game G_1 (Fig. 9).
Type1-a event (Figure 10(a)(Type1-a)): This event occurs if yy' collides with a node already in T_s.

Type1-b event (Figure 10(a)(Type1-b)): This event occurs if y collides with the left-coordinate of a node already in T_s (event E_1), and if there exists another node with the left-coordinate y (denoted by event E_2).

Type1-c event (Figure 10(a)(Type1-c)): This event occurs if yy' collides with the least-significant 2n bits of an old query stored in D_s (equivalently, if there exists x' ∈ Dom(D_s) such that yy' = x'[0, 2n−1]).

Type1-d event (Figure 10(a)(Type1-d)): This event occurs if y collides with the least-significant n bits of an old query (event E_3), and if the resulting node zz' (zz' = D_s[ym][0, 2n−1] ⊕ y'0) collides with a node already in T_s (event E_4).

Type1-e event (Figure 10(a)(Type1-e)): This event occurs if y collides with the least-significant n bits of an old query (event E_5), if the left-coordinate z of the resulting node zz' (zz' = D_s[ym][0, 2n−1] ⊕ y'0) collides with the left-coordinate of a node already in T_s (event E_6), and if there exists another node with the left-coordinate z (denoted by event E_7).

Type1-f event (Figure 10(a)(Type1-f)): This event occurs if y collides with the least-significant n bits of an old query (event E_8), and if the left-coordinate z of the resulting node zz' (zz' = D_s[ym][0, 2n−1] ⊕ y'0) collides with the least-significant n bits of an old query stored in D_s (event E_9).

Type1-g event (Figure 10(b)): This event occurs if y equals the right-coordinates of the outputs of two old queries.

Remark 2 It is worth noting at this point that Theorem 4.1 is also true without the Type1-b,e,g events. These events have been artificially created to easily bound the number of different types of nodes in the graph T_s after i rounds, given GOOD_i occurred (see the node-counting lemma, Lemma 5.1). The number of nodes so computed in turn helps us estimate several event probabilities computed in Section 6.4.
Estimating the event probabilities without the Type1-b,e,g events turns out to be hard. Inclusion of these artificial events only increases the constants hidden in the adversarial advantage computed in the form O( σ3 + σ 2 2n 2 ) in Equation 17. Since the probability of Type1-f, which is an unavoidable stopping condition in our two-phase framework, equals the probability of each of Type1-b,e,g up to a constant factor, removing them from the computational paradigm does not improve the bound when n is increased asymptotically. However, removal of these events will play a crucial role when we attempt to provide experimental evidence that the real indifferentiability bound of FWP can be extended beyond 2n/3 bits, by switching from the two-phase to a three-phase framework (see Section 7). In the next two subsections, we deal with a query which is already in the table D_s.

4.2 Type2 Event

This event is mentioned in line 100 of game G_1 (picture in Fig. 11(a)). Before we define this event, we first classify all query-response pairs to the random oracle ro stored in D_s according to their known and unknown parts (see Fig. 11(a)(i)). The known part of a query-response pair is the part that is present in the view of the game G_1, while the unknown part is not present in the view. We note that there are six types of such pairs. The first five types are generated by the intermediate ro calls of l-queries. The type Q6 queries are the s-queries. All the types are described in Figure 11(a)(i).
[Figure 11, drawings not reproduced in this transcription. Legend: red and green objects are unknown and known to the adversary, respectively. (a) (i) Six types of input-output pairs Q1 to Q6 for an ro-query; the head node and tail node denote the (n, n, l−n)-bit input and the (n, n)-bit output of ro, all arrows are n bits each, except for the bold arrow, which is l−n bits, and fresh outputs are drawn from U[0, 2^{2n}−1]. (ii), (iii), and (iv) Type2 events, for which Bad is set in line 100 of game G_1. (b) (i), (ii), (iii) Type3 events, for which Bad is set in line 000 of game G_1; a path on T_s represents an l-query, whose queries are of types Q1/Q2/Q5, Q3/Q4 or Q6, and the final output is drawn from U[0, 2^n−1].]

Figure 11: Pictorial description of the Type2 and Type3 events of the game G_1 (Fig. 9).
Q1: In Q1, the least-significant n bits of the input and the least-significant n bits of the output are unknown. This is the final input to ro in the computation of FWP^ro(M), where M is an l-query.

Q2: In Q2, all 2n bits of the input and the least-significant n bits of the output are unknown. This is the final input to ro in the computation of FWP^ro(M), where M is an l-query.

Q3: In Q3, all 2n bits of the output are unknown.

Q4: In Q4, the least-significant n bits of the input and all 2n bits of the output are unknown.

Q5: The least-significant n bits of the output are unknown. This is the final input to ro in the computation of FWP^ro(M), where M is an l-query. On that basis, we divide a Q5 query into the following two cases, which are also depicted in Figure 12. (1) In an l-query, all ro-queries preceding the last Q5 query are of type Q6; (2) the ro-queries preceding the last Q5 query include at least one query of a type other than Q6.

Q6: All bits are known. Since the rule of the game is not to resubmit an old s-query, a new s-query cannot belong to the type Q6.

This event occurs if a new s-query x ∈ Dom(D_s) is of type Q_i, where i ∈ {1, 2, 3, 4, 5} (see Figure 11(a)(ii-iv)).

[Figure 12, drawing not reproduced in this transcription: a path on T_s representing an l-query, starting from the root IV‖IV. In Case 1, the queries preceding the final Q5 query are all Q6; in Case 2, the preceding queries include types Q1 to Q5 as well, so at least one is not Q6. The final output is drawn from U[0, 2^n−1].]

Figure 12: Two possible cases of Type2 for Q5 (see description in Section 4).

4.3 Type3 Event

This event is mentioned in line 000 of game G_1 (picture in Fig. 11(b)). This event occurs if a query x ∈ Dom(D_s) fulfils the following conditions:
(1) The query x is the final query to ro in the computation of FWP^ro(M), where M is a new l-query.

(2) FWP^ro(M) can be computed on an already existing path P on the graph T_s, and the query-responses on P are not all Q6.

For the purpose of a detailed description, we divide (2) into three subcases, according to the final query x.

(2.i) If x is of type Q1, Q2, or Q5. A simple observation shows that this case cannot happen if the variable BAD is never set, since this case implies a node-collision in T_s, which is impossible.

(2.ii) If x is of type Q3 or Q4.

(2.iii) If x is of type Q6, and one of the intermediate query-response pairs is not of type Q6.

4.4 Proof of Theorem 4.1

With the help of the events described in Section 4, we are all set to prove our main theorem. The 2nd part of the theorem is easy. To prove the 1st part, we proceed in the following way. We first observe

Pr[A^{G_1} = 1] − Pr[A^{RO,S} = 1] = (Pr[A^{G_1} = 1 | GOOD_{σ−1}] − Pr[A^{RO,S} = 1 | GOOD_{σ−1}]) · Pr[GOOD_{σ−1}] + (Pr[A^{G_1} = 1 | ¬GOOD_{σ−1}] − Pr[A^{RO,S} = 1 | ¬GOOD_{σ−1}]) · Pr[¬GOOD_{σ−1}].   (1)

If we can show that

Pr[A^{G_1} = 1 | GOOD_{σ−1}] = Pr[A^{RO,S} = 1 | GOOD_{σ−1}]   (2)

then Equation 1 becomes the 1st part of the Theorem. In the remaining part we establish Equation 2. Let V_{1,i} and V_{2,i} denote the views of the games G_1 and Game(RO, S) after i queries have been processed. To prove Equation 2, it is sufficient to show that, given GOOD_{σ−1}, V_{1,σ} and V_{2,σ} are identically distributed. We prove it by induction on the number of rounds i.

Induction Hypothesis: Given GOOD_{i−1}, V_{1,i} and V_{2,i} are identically distributed.

Base: The hypothesis is true when i = 1.

Induction Step: We have to show that, given GOOD_i, V_{1,i+1} and V_{2,i+1} are identically distributed. Let (I_{1,i+1}, O_{1,i+1}) and (I_{2,i+1}, O_{2,i+1}) denote the parts of the views generated only in the interactions of A with the games G_1 and Game(RO, S), respectively, in the (i+1)-th round, i.e., while processing the (i+1)-th query. All we have to do is to verify the following two propositions.
Proposition 4.2 Given GOOD_i and V_{1,i} = V_{2,i}, the input-views I_{1,i+1} and I_{2,i+1} are identically distributed.

Proof. This result is trivial since V_{1,i} = V_{2,i}.

Proposition 4.3 Given GOOD_i, V_{1,i} = V_{2,i}, and I_{1,i+1} = I_{2,i+1}, the output-views O_{1,i+1} and O_{2,i+1} are either empty strings or identically distributed.

Proof. Let I_{1,i+1} = I_{2,i+1} = I_{i+1}. We divide the proof into two cases.

(1) I_{i+1} is a new s-query: given GOOD_i, for the game Game(RO, S), S(I_{i+1}) follows the
uniform distribution U[0, 2^{2n}−1]. For the game G_1, given GOOD_i, since I_{i+1} is not of any of the types Q1 to Q6 stored in the table D_s, S1(I_{i+1}) also follows the uniform distribution U[0, 2^{2n}−1].

(2) I_{i+1} is a message-block of a padded l-query for each game. Since V_{1,i} = V_{2,i}, the l-queries are identical for both games. Suppose the message-blocks of the l-query M after padding are m_1, m_2, m_3, ..., m_k, where |m_j| = l for 1 ≤ j ≤ k−1, and |m_k| = l−n. Note that if I_{i+1} = m_j where 1 ≤ j ≤ k−1, then O_{1,i+1} and O_{2,i+1} are null strings. The only remaining case to complete the proof is when I_{i+1} = m_k. Suppose, for the game G_1, in the computation of FWP^ro(M), the final input to ro is yy'm_k where |y| = |y'| = n. This case is again divided into two subcases.

(2.i) The graph T_s of G_1 already had a branch P computing FWP^ro(M) just before the time the l-query M was submitted. First, we establish the following lemma, which is the main ingredient of the proof.

Lemma 4.4 The graphs T'_s and T_s of the games G_1 and Game(RO, S) are isomorphic after processing i queries, given GOOD_i and V_{1,i} = V_{2,i}.

Proof. For each new ro-query, the graph T_s of game G_1 is augmented in two phases (see Figure 9). In those two phases all possible nodes are added to the graph T_s. Analyzing the Type1-f event in Section 4, it is seen that, if this event does not occur, then no nodes can be added beyond these two phases. In other words, if Type1-f does not occur in i rounds, then the graph T_s contains all paths generated from all elements stored in the table D_s in i rounds. This implies that the graph T'_s of the game G_1, which is the maximal connected subgraph of T_s with the root-node (IV, IV) generated by the s-queries and responses, contains all paths generated from all s-queries. Now we also note that the graph T_s of the game Game(RO, S) also contains all paths generated from all s-queries. Since V_{1,i} = V_{2,i}, the graphs T'_s and T_s of the games G_1 and Game(RO, S) are isomorphic after i rounds.
We notice that the branch P can only have Q6 queries (or, s-queries) since GOOD_i occurred. Therefore, P is a branch of the subgraph T'_s also. Since GOOD_i occurred and V_{1,i} = V_{2,i}, using Lemma 4.4, P is also a branch in T_s of game Game(RO, S). Hence O_{1,i+1} = O_{2,i+1} = ro(yy'm_k).

(2.ii) The graph T_s of G_1 did not have any branch computing FWP^ro(M) just before the time the l-query M was submitted. Since the Type1-a,c,d and f events did not occur in the previous rounds, yy'm_k is a fresh query, i.e., yy'm_k ∉ D_s. Therefore, O_{1,i+1} = ro(yy'm_k)[n, 2n−1] follows the uniform distribution U[0, 2^n−1]. Now it is trivial to see that the subgraph T'_s of G_1 also did not have any branch computing FWP^ro(M). Given GOOD_i and V_{1,i} = V_{2,i}, using Lemma 4.4, the graph T_s of game Game(RO, S) does not contain any branch computing FWP^ro(M). Therefore, O_{2,i+1} = RO(M) follows the uniform distribution U[0, 2^n−1]. The proof is now complete.

5 Tools Needed to Bound Event Probabilities

In order to compute the event probabilities defined in Section 4, we need a few combinatorial results. We first fix the notation.

Set_i: The multiset of nodes in T_s after i iterations (or, equivalently, after submission of i queries) of game G_1.
D_{s,i}: The table D_s after i rounds.

Left-Coset_A(x): Suppose A is a multiset on {0, 1}^{2n}. The multiset Left-Coset_A(x) = {a ∈ A | a[0, n−1] = x} contains all elements of A whose least-significant n bits equal x. Such a sub-multiset will be called a left-coset of A, or simply a left-coset for short.

Right-Coset_A(x): Suppose A is a multiset on {0, 1}^{2n}. The multiset Right-Coset_A(x) = {a ∈ A | a[n, 2n−1] = x} contains all elements of A whose most-significant n bits equal x. Such a sub-multiset will be called a right-coset of A, or simply a right-coset for short.

twin-left: A 2n-bit string a is a twin-left of a 2n-bit string b if a[0, n−1] = b[0, n−1].

twin-right: A 2n-bit string a is a twin-right of a 2n-bit string b if a[n, 2n−1] = b[n, 2n−1].

N_{1,i}: The number of nodes added to T_s during the 1st phase of the i-th iteration of game G_1.

N_{2,i}: The number of nodes added to T_s during the 2nd phase of the i-th iteration of game G_1.

R_{x,i}: The number of queries where the most-significant n bits (or the right-coordinate) of the output equal x.

Now, we state and prove a crucial lemma that upper-bounds the size of the graph T_s.

Lemma 5.1 (Node Counting) Given GOOD_i occurred (i > 0), (i) N_{1,i+1} ≤ 2, (ii) N_{2,i+1} ≤ i+1, (iii) R_{x,i} ≤ 2 for all x ∈ {0, 1}^n, and (iv) |Set_i| ≤ 2i + 1.

Proof. Since GOOD_i occurred, Type1-b, Type1-e, and Type1-g did not occur during the first i rounds of game G_1; therefore, the size of a maximal left-coset is ≤ 2 after i rounds. (i) N_{1,i+1} is upper-bounded by the size of a maximal left-coset. Hence the result. (ii) In the 2nd phase of the (i+1)-th round, a query cannot be added to more than 1 node, since the nodes generated in the 1st phase have distinct left-coordinates. As there are i+1 queries, we get the result. (iii) This is easily established using the Type1-g event.
(iv) This is proved using the following observation: the number of edges in T_s after i queries is at most 2i, since more than 2i edges in T_s would require at least one query to be added to the graph at more than 2 nodes, which leads to a contradiction with the fact that GOOD_i occurred, or equivalently that Type1-b,e did not occur. Now, each edge has one tail node. Therefore, including the root-node (IV, IV), we get the result.

We need the help of another three lemmas to provide a rigorous analysis for the upper-bounds that we compute in the subsequent sections: (1) one addresses a correction factor; (2) (and (3)) upper-bounds the collision probability on the left-coordinate (and right-coordinate).

Lemma 5.2 (Correction Factor) If the advantage of an indifferentiability adversary A for the games G_1 and Game(RO, S), limited by σ queries, is bounded by ε, which is a negligible function in the security parameter n, then Pr[GOOD_i] ≥ 1/C for some constant C > 0, for all 0 ≤ i ≤ σ−1 and for all n > 0.
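The coset and twin definitions of Section 5, together with the two 3-collision stopping conditions they feed (a maximal left-coset of size 3, as in the Type1-b event of Section 4.1, and R_{x,i} ≥ 3, as in Type1-g), as an added Python example; it is not code from the paper. Bit positions follow the paper's convention (a[0, n−1] is the least-significant n bits, the left-coordinate; a[n, 2n−1] the most-significant n bits, the right-coordinate). The sample multiset, the seed values and every function name here are assumptions of this example. The last two functions go beyond the lemma: they lazily sample uniform 2n-bit ro outputs and measure how many draws precede the first 2-collision versus the first 3-collision on an n-bit coordinate, i.e. the gap between the birthday threshold 2^{n/2} and the 3-collision threshold 2^{2n/3} on which the paper's stopping conditions rest.

```python
"""Multiset bookkeeping from Section 5 and the 3-collision stopping conditions.

Added example; it is not code from the paper.  Nodes and ro outputs are 2n-bit
strings stored as Python ints.  Following the paper's convention, a[0, n-1] is
the least-significant n bits (left-coordinate) and a[n, 2n-1] the
most-significant n bits (right-coordinate).
"""
from collections import Counter
import random


def left(a, n):
    """a[0, n-1]: least-significant n bits, the left-coordinate of a node."""
    return a & ((1 << n) - 1)


def right(a, n):
    """a[n, 2n-1]: most-significant n bits, the right-coordinate of a node."""
    return (a >> n) & ((1 << n) - 1)


def left_coset(A, x, n):
    """Left-Coset_A(x) = {a in A | a[0, n-1] = x}; A is a multiset (list)."""
    return [a for a in A if left(a, n) == x]


def right_coset(A, x, n):
    """Right-Coset_A(x) = {a in A | a[n, 2n-1] = x}."""
    return [a for a in A if right(a, n) == x]


def is_twin_left(a, b, n):
    """a is a twin-left of b iff they share the left-coordinate."""
    return left(a, n) == left(b, n)


def is_twin_right(a, b, n):
    """a is a twin-right of b iff they share the right-coordinate."""
    return right(a, n) == right(b, n)


def max_left_coset_size(A, n):
    """Size of a maximal left-coset of A (Lemma 5.1 bounds it by 2 under GOOD_i)."""
    return max(Counter(left(a, n) for a in A).values(), default=0)


def three_collision_left(A, n):
    """Type1-b/e style stopping condition: three nodes with the same left-coordinate."""
    return max_left_coset_size(A, n) >= 3


def r_counts(outputs, n):
    """R_x for every x: how many query outputs have right-coordinate x."""
    return Counter(right(o, n) for o in outputs)


def three_collision_right(outputs, n):
    """Type1-g style condition: some x has R_x >= 3 (Lemma 5.1(iii) needs R_x <= 2)."""
    return max(r_counts(outputs, n).values(), default=0) >= 3


def first_collision_times(n, seed):
    """Sample uniform 2n-bit ro outputs lazily (seeded, so the run is repeatable)
    and return (t2, t3): the number of outputs drawn when a left-coordinate is
    first seen twice (birthday event) and first seen three times (3-collision)."""
    rng = random.Random(seed)
    seen = Counter()
    drawn = 0
    t2 = None
    while True:
        drawn += 1
        c = left(rng.getrandbits(2 * n), n)
        seen[c] += 1
        if seen[c] == 2 and t2 is None:
            t2 = drawn
        if seen[c] == 3:
            return t2, drawn  # a 3-collision always comes after a 2-collision


def mean_collision_times(n, trials=100, seed=1):
    """Average t2 and t3 over independent seeded trials; t3 grows like 2^(2n/3)
    while t2 grows like 2^(n/2), which is the gap the paper's bound exploits."""
    pairs = [first_collision_times(n, seed + k) for k in range(trials)]
    return (sum(p[0] for p in pairs) / trials, sum(p[1] for p in pairs) / trials)


if __name__ == "__main__":
    # Constructed sample multiset of 8-bit nodes (n = 4): three share left-coordinate 2.
    nodes = [0x12, 0x32, 0x52, 0x15, 0x21]
    print("left-coset of 2:", [hex(a) for a in left_coset(nodes, 2, 4)])
    print("3-collision on left-coordinates:", three_collision_left(nodes, 4))
    print("3-collision on right-coordinates:", three_collision_right(nodes, 4))
    for n in (8, 12, 16):
        m2, m3 = mean_collision_times(n)
        print(f"n={n}: mean first 2-collision {m2:.1f} (2^(n/2)={2**(n/2):.1f}), "
              f"mean first 3-collision {m3:.1f} (2^(2n/3)={2**(2*n/3):.1f})")
```

Running the script prints, for each n, the average number of lazily sampled outputs before the first 2-collision and the first 3-collision on the left-coordinate, next to 2^{n/2} and 2^{2n/3}; the 3-collision figure is the one that a two-phase analysis has to survive, which is why the n-bit 3-multi-collision events rather than plain n-bit collisions set the scale of the bound.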
More informationNew Proofs for NMAC and HMAC: Security without Collision-Resistance
A preliminary version of this paper appears in Advances in Cryptology CRYPTO 06, Lecture Notes in Computer Science Vol. 4117, C. Dwork ed., Springer-Verlag, 2006. This is the full version. New Proofs for
More informationCryptanalysis of Tweaked Versions of SMASH and Reparation
Cryptanalysis of Tweaked Versions of SMASH and Reparation Pierre-Alain Fouque, Jacques Stern, and Sébastien Zimmer CNRS-École normale supérieure-inria Paris, France {Pierre-Alain.Fouque,Jacques.Stern,Sebastien.Zimmer}@ens.fr
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationIndifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding
Indifferentiable Security Analysis of Popular Hash Functions with Prefix-free Padding Donghoon Chang 1, Sangjin Lee 1, Mridul Nandi 2, and Moti Yung 3 1 Center for Information Security Technologies(CIST),
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #5 Sep 7 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Please sign up for class mailing list by end of today Quiz #1 will be on Thursday,
More informationIndifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 Yevgeniy Dodis 1, Leonid Reyzin 2, Ronald L. Rivest 3, and Emily Shen 3 1 New
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationLecture 1. Crypto Background
Lecture 1 Crypto Background This lecture Crypto background hash functions random oracle model digital signatures and applications Cryptographic Hash Functions Hash function takes a string of arbitrary
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationREU 2015: Complexity Across Disciplines. Introduction to Cryptography
REU 2015: Complexity Across Disciplines Introduction to Cryptography Symmetric Key Cryptosystems Iterated Block Ciphers Definition Let KS : K K s be a function that produces a set of subkeys k i K, 1 i
More informationRandom Oracles and Auxiliary Input
Random Oracles and Auxiliary Input Dominique Unruh Saarland University, Saarbrücken, Germany, unru h@ c s. uni-s b. de Abstract. We introduce a variant of the random oracle model where oracle-dependent
More informationCryptographic Hash Function. Norwegian University of Science and Technology. Trondheim, Norway
Cryptographic Hash Function BLUE MIDNIGHT WISH Norwegian University of Science and Technology Trondheim, Norway Danilo Gligoroski Vlastimil Klima Svein Johan Knapskog Mohamed El-Hadedy Jørn Amundsen Stig
More informationHASH FUNCTIONS 1 /62
HASH FUNCTIONS 1 /62 What is a hash function? By a hash function we usually mean a map h : D {0,1} n that is compressing, meaning D > 2 n. E.g. D = {0,1} 264 is the set of all strings of length at most
More informationHigh-Order Conversion From Boolean to Arithmetic Masking
High-Order Conversion From Boolean to Arithmetic Masking Jean-Sébastien Coron University of Luxembourg jean-sebastien.coron@uni.lu Abstract. Masking with random values is an effective countermeasure against
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationProvable Security of Cryptographic Hash Functions
Provable Security of Cryptographic Hash Functions Mohammad Reza Reyhanitabar Centre for Computer and Information Security Research University of Wollongong Australia Outline Introduction Security Properties
More informationAugmented Black-Box Simulation and Zero Knowledge Argument for NP
Augmented Black-Box Simulation and Zero Knowledge Argument for N Li Hongda, an Dongxue, Ni eifang The Data Assurance and Communication Security Research Center, School of Cyber Security, University of
More informationSecurity Analysis of the Compression Function of Lesamnta and its Impact
Security Analysis of the Compression Function of Lesamnta and its Impact Shoichi Hirose 1, Hidenori Kuwakado 2, Hirotaka Yoshida 3, 4 1 University of Fukui hrs shch@u-fukui.ac.jp 2 Kobe University kuwakado@kobe-u.ac.jp
More informationAdaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications
Adaptive Preimage Resistance Analysis Revisited: Requirements, Subtleties and Implications Donghoon Chang 1 and Moti Yung 2 1 The Computer Security Division, National Institute of Standards and Technology,
More informationMulticollision Attacks on a Class of Hash Functions
Multicollision Attacks on a Class of Hash Functions M. Nandi Applied Statistics Unit Indian Statistical Institute Calcutta, India mridul r@isical.ac.in D. R. Stinson School of Computer Science University
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCryptanalysis of Luffa v2 Components
Cryptanalysis of Luffa v2 Components Dmitry Khovratovich 1, María Naya-Plasencia 2, Andrea Röck 3, and Martin Schläffer 4 1 University of Luxembourg, Luxembourg 2 FHNW, Windisch, Switzerland 3 Aalto University
More informationPseudorandom Generators
Principles of Construction and Usage of Pseudorandom Generators Alexander Vakhitov June 13, 2005 Abstract In this report we try to talk about the main concepts and tools needed in pseudorandom generators
More informationOn Quantum Indifferentiability
On Quantum Indifferentiability Tore Vincent Carstens, Ehsan Ebrahimi, Gelo Noel Tabia, and Dominique Unruh University of Tartu, Estonia March 8, 2018 Abstract We study the indifferentiability of classical
More informationThe Hash Function Fugue
The Hash Function Fugue Shai Halevi William E. Hall Charanjit S. Jutla IBM T.J. Watson Research Center October 6, 2009 Abstract We describe Fugue, a hash function supporting inputs of length upto 2 64
More informationHash Function Balance and its Impact on Birthday Attacks
An extended abstract of this paper appears in Advances in Cryptology EUROCRYPT 04, Lecture Notes in Computer Science Vol. 307, C. Cachin and J. Camenisch eds., Springer-Verlag, 004. This is the full version.
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationA Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)
A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC) Bruce Kapron, Lior Malka, Venkatesh Srinivasan Department of Computer Science University of Victoria, BC, Canada V8W 3P6 Email:bmkapron,liorma,venkat@cs.uvic.ca
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationExtracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.
106 CHAPTER 3. PSEUDORANDOM GENERATORS Using the ideas presented in the proofs of Propositions 3.5.3 and 3.5.9, one can show that if the n 3 -bit to l(n 3 ) + 1-bit function used in Construction 3.5.2
More informationBeyond the MD5 Collisions
Beyond the MD5 Collisions Daniel Joščák Daniel.Joscak@i.cz S.ICZ a.s. Hvězdova 1689/2a, 140 00 Prague 4; Faculty of Mathematics and Physics, Charles University, Prague Abstract We summarize results and
More informationThe Indistinguishability of the XOR of k permutations
The Indistinguishability of the XOR of k permutations Benoit Cogliati, Rodolphe Lampe, Jacques Patarin University of Versailles, France Abstract. Given k independent pseudorandom permutations f 1,...,
More informationHigher Order Universal One-Way Hash Functions from the Subset Sum Assumption
Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationDistinguishing a truncated random permutation from a random function
Distinguishing a truncated random permutation from a random function Shoni Gilboa Shay Gueron July 9 05 Abstract An oracle chooses a function f from the set of n bits strings to itself which is either
More informationHash Functions: From Merkle-Damgård to Shoup. Ilya Mironov
Hash Functions: From Merkle-Damgård to Shoup Ilya Mironov mironov@cs.stanford.edu Computer Science Department, Stanford University, Stanford, CA 94305 Abstract. In this paper we study two possible approaches
More informationCrypto Engineering (GBX9SY03) Hash functions
Crypto Engineering (GBX9SY03) Hash functions Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2017 10 18 Hash functions 2017 10 18 1/32 First
More informationA Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model
A Generalization of PGV-Hash Functions and Security Analysis in Black-Box Model Wonil Lee 1, Mridul Nandi 2, Palash Sarkar 2, Donghoon Chang 1, Sangjin Lee 1, and Kouichi Sakurai 3 1 Center for Information
More informationBreaking H 2 -MAC Using Birthday Paradox
Breaking H 2 -MAC Using Birthday Paradox Fanbao Liu 1,2, Tao Xie 1 and Changxiang Shen 2 1 School of Computer, National University of Defense Technology, Changsha, 410073, Hunan, P. R. China 2 School of
More informationChapter One. The Real Number System
Chapter One. The Real Number System We shall give a quick introduction to the real number system. It is imperative that we know how the set of real numbers behaves in the way that its completeness and
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More information