Uninstantiability of Full-Domain Hash

Transcription

1 Uninstantiability of based on On the Generic Insecurity of, Crypto 05, joint work with Y.Dodis and R.Oliveira Krzysztof Pietrzak CWI Amsterdam June 3, 2008

2 Why talk about this old stuff?

3 Why talk about this old stuff? 1 To motivate the next talk on programmable hash functions.

4 Why talk about this old stuff? 1 To motivate the next talk on programmable hash functions. 2 The statement of the result is somewhat subtle, and often misunderstood/wrongly cited.

5 Why talk about this old stuff? 1 To motivate the next talk on programmable hash functions. 2 The statement of the result is somewhat subtle, and often misunderstood/wrongly cited. 3 I like it, it s quite simple (for a black-box impossibility result), and hopefully the ideas can be used in other contexts.

6 ...are practical Random Oracles are Practical [Bellare-Rogaway CCS 93] Random oracle model: All parties have access to a uniformly random function R : {0,1} {0,1} n. Proof in the RO model: 1 Prove that some cryptosystem C R is secure relative to R. 2 In practice, replace R with some real hash function H, and hope C H is still secure. For many cryptographic tasks, known solution in the RO model are much more efficient than in the plain model. For some primitives we only have provably secure constructions in the RO model.

7 ...are practical Signature Schemes Definition Definition (Signature Scheme) Signature scheme Π is a triple of efficient algorithms KG,Sign,Ver The key generation algorithm KG on input a security parameter n N outputs a secret/public key pair. (Correctness) For all M and n N (sk,pk) KG(1 n ) φ Sign(sk,M) Pr[Ver(pk,φ) = 1] = 1

8 ...are practical Signature Schemes Definition Definition (Signature Scheme) Signature scheme Π is a triple of efficient algorithms KG,Sign,Ver The key generation algorithm KG on input a security parameter n N outputs a secret/public key pair. (Correctness) For all M and n N (sk,pk) KG(1 n ) φ Sign(sk,M) Pr[Ver(pk,φ) = 1] = 1 Π is existentially unforgeable under chosen message attacks if Pr[(sk,pk) KG(1 n );(φ,m) A Sign(sk,.) (pk);φ = Sign(sk,M)] is negligible for all efficient A.

9 ...are practical Signature Schemes Definition Definition (Signature Scheme) Signature scheme Π is a triple of efficient algorithms KG,Sign,Ver The key generation algorithm KG on input a security parameter n N outputs a secret/public key pair. (Correctness) For all M and n N (sk,pk) KG(1 n ) φ Sign(sk,M) Pr[Ver(pk,φ) = 1] = 1 Π is existentially unforgeable under chosen message attacks if Pr[(sk,pk) KG(1 n );(φ,m) A Sign(sk,.) (pk);φ = Sign(sk,M)] is negligible for all efficient A. Π is existentially unforgeable under a no message attack if the following is negligible Pr[(sk,pk) KG(1 n );(φ,m) A(pk);φ = Sign(sk,M)]

10 Fiat-Shamir Example 1: Fiat-Shamir Paradigm Fiat-Shamir Paradigm [Crypto 86]: Turn any 3-round authentication scheme P,V (where the verifier V is public-coin and the soundness error is negligible) into a signature scheme. P(sk, pk) α β γ V (pk) β R {0,1} n accept if R(pk,α,β,γ) = ok. Here R is some efficiently computable relation.

11 Fiat-Shamir Example 1: Fiat-Shamir Paradigm Fiat-Shamir Paradigm [Crypto 86]: Turn any 3-round authentication scheme P,V (where the verifier V is public-coin and the soundness error is negligible) into a signature scheme. P(sk, pk) α β γ V (pk) β = H(M,α) accept if R(pk,α,β,γ) = ok. Here R is some efficiently computable relation. Idea: turn this authentication scheme into a signature scheme by using some hash function H to compute β: Sign(sk,M) = [α,h(m,α),γ], where α,γ are computed by P. Ver(pk,[α,β,γ],M) = 1 if (1) β = H(α,M) and (2) R(pk,α,β,γ) = ok.

12 Fiat-Shamir Example 1: Fiat-Shamir Paradigm Theorem (Pointcheval,Sterm EC 96) (Informal) In the random oracle model (i.e. when H = R), the Fiat-Shamir methodology applied to any authentication scheme gives a secure (existentially unforgeable under chosen message attacks) signature scheme.

13 Trapdoor Permutation Definition (Trapdoor Permutation) Tuple of efficient algorithms KG TD,F, where for n N a security parameter and pk,td KG TD (1 n ) F(pk,.) is a permutation f pk : {0,1} n {0,1} n. F(td,.) is f 1 pk. For any efficient A, (pk,td) KG TD (1 n ) and x R {0,1} n Pr[A(pk,f pk (x)) = x] = negl(n)

14 Claw-Free pairs of TDPs Definition (Claw-Free Trapdoor-Permutations) Triple of efficient algorithms KG TD,F,G, where for n N a security parameter and pk,td KG TD (1 n ) F(pk,.)/G(pk,.) compute permutations f pk,g pk on {0,1} n. F(td,.)/G(td,.) compute f 1 1 pk /gpk. For any efficient A, (pk,td) KG TD (1 n ) and x R {0,1} n Pr[A(k) = (x,y) where f pk (x) = g pk (y)] = negl(n)

15 Example 2: Full-Domain-Hash Signature Scheme Definition (FDH Signature Scheme) FDH signature scheme KG FDH,sign,verify based on trapdoor permutation KG TD,F and hash function H KG FDH Run (pk,td) KG TD (1 n ) and output it. Sign sign(td,m) = f 1 pk (H(M)) Verify verify(φ,k,m) : f pk (φ)? = H(M)

16 Example 2: Full-Domain-Hash Signature Scheme Theorem (Bellare-Rogaway 93) In the random oracle model (i.e. H = R), FDH is secure (existentially unforgeable under chosen message attacks) for any trapdoor permutation f. If f is induced by a family of claw-free trapdoor-permutations, then a tight (i.e. optimal for black-box) security reduction exists [Coron 00,Coron 02]

17 Encryption Example 3: Encryption Definition (Encryption Scheme from [BR93]) Key is a key/trapdoor pair (pk,td) for a TDP, encryption of M is enc(pk,m) = [f pk (r),h(r) M] where r R {0,1} n dec(td,[r,c]) = C H(r) where r = f 1 pk (R) Theorem (Security in the RO model [BR93]) The encryption scheme is a CPA secure encryption scheme for any trapdoor permutation in the random oracle model (i.e. H = R).

18 Instantiating ROs Can ROs be Instantiated? A a proof in the RO is only heuristic.

19 Instantiating ROs Can ROs be Instantiated? A a proof in the RO is only heuristic. Can one always instantiate the random oracle with a real-world hash function H?

20 Instantiating ROs Can ROs be Instantiated? A a proof in the RO is only heuristic. Can one always instantiate the random oracle with a real-world hash function H? No Theorem (Canetti,Gorldreich,Halevi STOC 98) There exists a signature-scheme which is secure in the RO-model, but insecure when the random oracle is instantiated with any efficiently computable hash function H.

21 Instantiating ROs The random oracle methodology, revisited Canetti, Goldreich Halevi STOC 98 sk M sign Sign sk (M) F(i)? = M(i) { sk if F(i) = M(i) for i = 1,..., M otherwise F : {0,1} {0,1} n

22 Instantiating ROs The random oracle methodology, revisited Canetti, Goldreich Halevi STOC 98 sk M sign Sign sk (M) F(i)? = M(i) { sk if F(i) = M(i) for i = 1,..., M otherwise F : {0,1} {0,1} n Insecure for efficient F: If F is some efficient hash function, then the scheme outputs sk on input M = F.

23 Instantiating ROs The random oracle methodology, revisited Canetti, Goldreich Halevi STOC 98 sk M sign Sign sk (M) F(i)? = M(i) { sk if F(i) = M(i) for i = 1,..., M otherwise F : {0,1} {0,1} n Insecure for efficient F: If F is some efficient hash function, then the scheme outputs sk on input M = F. Secure for RO: If F is a RO, then with high probability, there does not exist any M with M(i) = F(i) for i = 1,..., M.

24 Instantiating ROs Replacing ROs in Particular Constructions Can t replace ROs in general, but maybe for some particular examples.

25 Instantiating ROs Replacing ROs in Particular Constructions Can t replace ROs in general, but maybe for some particular examples. Yes, the Bellare-Rogaway encryption scheme f pk (r),h(r) M can be instantiated with Perfectly One-Way Probabilistic Hash Functions [Canetti, CRYPTO 97] Caveat, needs randomization and non-standard assumptions.

26 Instantiating ROs Replacing ROs in Particular Constructions Can t replace ROs in general, but maybe for some particular examples. Yes, the Bellare-Rogaway encryption scheme f pk (r),h(r) M can be instantiated with Perfectly One-Way Probabilistic Hash Functions [Canetti, CRYPTO 97] Caveat, needs randomization and non-standard assumptions. NO, for Fiat-Shamir. Theorem (Goldwasser-Kalai FOCS 03) There exists a three round authentication scheme, which does not give a secure signature scheme when Fiat-Shamir is applied to it with any efficient hash-function.

27 Instantiating ROs Fiat-Shamir is not sound Idea:Take any 3-round auth. protocol, but additionally let V accept all [α,β,γ] where β = α(α). Here α(α) means parse α as a circuit, and evaluate it on input (the prefix of) α.

28 Instantiating ROs Fiat-Shamir is not sound Idea:Take any 3-round auth. protocol, but additionally let V accept all [α,β,γ] where β = α(α). Here α(α) means parse α as a circuit, and evaluate it on input (the prefix of) α. Protocol is still sound, as Pr[β = α(α) : β R {0,1} n ] 2 n.

29 Instantiating ROs Fiat-Shamir is not sound Idea:Take any 3-round auth. protocol, but additionally let V accept all [α,β,γ] where β = α(α). Here α(α) means parse α as a circuit, and evaluate it on input (the prefix of) α. Protocol is still sound, as Pr[β = α(α) : β R {0,1} n ] 2 n. Apply Fiat-Shamir to the above scheme with hash function H, then [H,H(H),γ] is a valid signature (of the empty message). Trivial to forge!

30 Instantiating ROs Fiat-Shamir is not sound Idea:Take any 3-round auth. protocol, but additionally let V accept all [α,β,γ] where β = α(α). Here α(α) means parse α as a circuit, and evaluate it on input (the prefix of) α. Protocol is still sound, as Pr[β = α(α) : β R {0,1} n ] 2 n. Apply Fiat-Shamir to the above scheme with hash function H, then [H,H(H),γ] is a valid signature (of the empty message). Trivial to forge! The length of the first message is H, Golwasser-Kalai (based on work by Barak) give a stronger counterexample where the length of the first message is basically independent of H.

31 Counterexamples for FDH? Is there a counterexample for FDH? Definition (FDH Signature Scheme) KG FDH Run (pk, td) KG TD (1 n ) and output (pk, sk = td) Sign sign(td, M) = f 1 pk (H(M)) Verify verify(φ, k, M) : f pk (φ)? = H(M)

32 Counterexamples for FDH? Is there a counterexample for FDH? Definition (FDH Signature Scheme) KG FDH Run (pk, td) KG TD (1 n ) and output (pk, sk = td) Sign sign(td, M) = f 1 pk (H(M)) Verify verify(φ, k, M) : f pk (φ)? = H(M) As no efficient H which make FDH provably secure are known, maybe there is a strong counterexample (like for Fiat-Shamir).

33 Counterexamples for FDH? Is there a counterexample for FDH? Definition (FDH Signature Scheme) KG FDH Run (pk, td) KG TD (1 n ) and output (pk, sk = td) Sign sign(td, M) = f 1 pk (H(M)) Verify verify(φ, k, M) : f pk (φ)? = H(M) As no efficient H which make FDH provably secure are known, maybe there is a strong counterexample (like for Fiat-Shamir). Theorem (imaginary counterexample for FDH soundness) TDP where f 1 pk (H(M)) can be forged for any efficient H.

34 Counterexamples for FDH? Is there a counterexample for FDH? Definition (FDH Signature Scheme) KG FDH Run (pk, td) KG TD (1 n ) and output (pk, sk = td) Sign sign(td, M) = f 1 pk (H(M)) Verify verify(φ, k, M) : f pk (φ)? = H(M) As no efficient H which make FDH provably secure are known, maybe there is a strong counterexample (like for Fiat-Shamir). Theorem (imaginary counterexample for FDH soundness) TDP where f 1 pk (H(M)) can be forged for any efficient H. Hard to imagine such a counterexample, there s just not enough structure...

35 Counterexamples for FDH? As there s little hope to show that FDH is not sound, we do the next best thing. Informally, we prove that there s no black-box security proof for FDH, from a TDP family under any assumption 1 where the challenger does not use the trapdoor (or at most a bounded number of times). 2 which is satisfied by random permutations.

36 Hard Games Hard Games Definition (Game) A game is defined by oracle PPTMs: prover A and challenger C. A f 1,...,f k (1 n ),C f 1,...,f k (1 n ) = b means C finally outputs b {0, 1} where A, C both get oracle access to f 1,...,f k, each {0,1} n {0,1} n (k is a parameter of the game, n is a security parameter). Definition (Hard Game) C defines a hard game if for any opptm A Pr[ A f 1,...,f k (1 n ),C f 1,...,f k (1 n ) = 1] = negl(n) where each f i is a random permutation over {0,1} n.

37 Hard Games Hard Games Examples Definition (Hard Game) C defines a hard game if for any opptm A Pr[ A f1,...,f k (1 n ), C f1,...,f k (1 n ) = 1] = negl(n) where each f i is a random permutation over {0, 1} n. One-Wayness: C f 1 samples x {0,1} n and sends y := f 1 (x) to A f 1. C f 1 outputs 1 if A sends back x. Claw-Freeness: A f 1,f 2 sends x 1,x 2 to C f 1,f 2, which outputs 1 if f 1 (x 1 ) = f 2 (x 2 ). Evasive Relation: A f 1,...,f k sends x 1,...,x k to C f 1,...,f k, which accepts if R(f 1 (x 1 ),...,f k (x k )) = 1, where R is an evasive relation, i.e. for random y 1,...,y k {0,1} n Pr[R(y 1,...,y k ) = 1] = negl(n)

38 Hard Games Definition (TDP secure for hard game) A trapdoor permutation (KG TD,F) is secure for a hard game C if for any PPTM A Pr[ A(pk 1,...,pk k ),C f 1,...,f k (1 n ) = 1] = negl(n) where for i = 1,...,k : (pk i,td i ) KG TD and f i = F(pk i,.). Normal security definition for TDP just requires it to be secure for the one-way game.

39 Main Theorem Theorem (Main) There is no black-box reduction from a trapdoor permutations family which is secure for all hard games to a full-domain hash signature scheme secure against chosen-message attacks. Will explain what that means on next slide.

40 Main Theorem The Theorem Explained Let F = (KG TD,F) be a TDP. Consider any construction H F : I {0,1} m {0,1} n of a hash function family (we ll write h I (.) for H F (I,.)). Consider the signature scheme Sign([pk,I],M) = f 1 pk (h I(M)) where (pk,td) KegGen and I can be arbitrarily correlated with pk (thus description of H can depend on pk). Theorem: one can t show (via black-box reduction) that f 1 pk (h I(M)) is existentially unforgeable under a chosen message attack, even assuming that F is secure for any hard game. We need the domain to be at least the description size of H, i.e. {0,1} = 2 m H (can be shown to be basically necessary).

41 Main Theorem The Assumption Explained Theorem (Main) There is no black-box reduction from a trapdoor permutations family which is secure for all hard games to a full-domain hash signature scheme secure against chosen-message attacks. An efficient TDP secure for all hard games does not exist. e.g. the game where C f 1 outputs 1 if A(pk 1 ) sends description of efficient G and x 0,...,x t (where t = G ) s.t. G(x i ) = f 1 (x i ) for i = 0,...,t. This game is hard, as for random f 1, such a G will not exists w.h.p. But for any efficient f 1 (.) = F(pk 1,.) can simply set G(.) = F(pk 1,.). This is ok, as we prove a negative result. Ruling out TDPs secure for all hard games, also rules out TDPs secure for any subset of hard games (which we actually could hope for a TDP satisfies).

42 Main Theorem Proof of Main Theorem To prove the theorem, we must come up with oracles F and B such that:

43 Main Theorem Proof of Main Theorem To prove the theorem, we must come up with oracles F and B such that: 1 F implements a TDP (just the interface, no security assumptions yet).

44 Main Theorem Proof of Main Theorem To prove the theorem, we must come up with oracles F and B such that: 1 F implements a TDP (just the interface, no security assumptions yet). 2 B breaks any FDH scheme: There is an efficient A such that A F,B finds a forgery for any signature scheme of the form sign(m) = f 1 h F (m) in a chosen message attack, where f is the TDP implemented by F and h is any oracle circuit.

45 Main Theorem Proof of Main Theorem To prove the theorem, we must come up with oracles F and B such that: 1 F implements a TDP (just the interface, no security assumptions yet). 2 B breaks any FDH scheme: There is an efficient A such that A F,B finds a forgery for any signature scheme of the form sign(m) = f 1 h F (m) in a chosen message attack, where f is the TDP implemented by F and h is any oracle circuit. 3 F secure for all hard games relative to B: There is no efficient D where D F,B breaks the security of TDP implemented by F. This means that D F,B cannot win any hard game C instantiated with this TDP with non-negligible probability.

46 Main Theorem Construction of F Definition (of TDP F) For n N choose 2 n + 1 permutations f 0,n,...,f 2 n 1,n and t n at random and set F(td2pk,n,td) t n (td) F(eval,n,pk,x) f pk,n (x) F(invert,n,td,y) f 1 pk,n (y) Now e.g. KG TD (1 n ) will first sample td R {0,1} n, get pk = F(pk2td, n, td) and output (pk, td). F (alone) is secure for any hard game as: an efficient A F (pk) will find the corresponding trapdoor tk = tn 1 (pk) with negl. probability. one cannot efficiently distinguish random permutation from a permutation sampled at random from a set of exponentially many permutations sampled at random.

47 Main Theorem Definition of breaking oracle B B gets from A as input pk {0,1} n and circuit h: this is a request to break the FDH scheme sign(m) = f 1 pk (hf (m)).

48 Main Theorem Definition of breaking oracle B B gets from A as input pk {0,1} n and circuit h: this is a request to break the FDH scheme sign(m) = f 1 pk (hf (m)). B wants to break any scheme of that form, but does not want to help A in winning any hard game (so that F is still secure for any hard game relative to B). Use fact that in hard game A F (pk) C f pk the attacker A has no access to f 1 pk. in chosen message attack on FDH A F (pk) f 1 pk (hf (.)) the attacker has some access to f 1 pk.

49 Main Theorem Definition of breaking oracle B B gets from A as input pk {0,1} n and circuit h: this is a request to break the FDH scheme sign(m) = f 1 pk (hf (m)). B wants to break any scheme of that form, but does not want to help A in winning any hard game (so that F is still secure for any hard game relative to B). Use fact that in hard game A F (pk) C f pk the attacker A has no access to f 1 pk. in chosen message attack on FDH A F (pk) f 1 pk (hf (.)) the attacker has some access to f 1 pk. B will output a forgery f 1 pk (hf (0)) for message 0, but only if it gets as input v 1,...,v t where t = h and v i = sign(i) = f 1 pk (hf (i)) That almost works, but not quite yet...

50 Main Theorem First Problem: Collisions Consider A F,B (pk) who plays the one-wayness game, and must find f 1 pk (y). Can abuse B as follows: Define h(0) = y and h(i) = f pk (X) (for i 0 and any X). Send h,v 1,...,v h to B where v i = X. B will output f 1 1 pk (h(0)) = fpk (y) as v i = f 1 pk (h(i)) as required. Thus A can win the one-way hard game...

51 Main Theorem First Problem: Collisions Consider A F,B (pk) who plays the one-wayness game, and must find f 1 pk (y). Can abuse B as follows: Define h(0) = y and h(i) = f pk (X) (for i 0 and any X). Fix: Send h,v 1,...,v h to B where v i = X. B will output f 1 1 pk (h(0)) = fpk (y) as v i = f 1 pk (h(i)) as required. Thus A can win the one-way hard game... Define B s.t. it will only output forgery if v i v j for all i j. B still breaks all FDH schemes, as v i = v j implies h(i) = h(j) and thus the scheme can be forged without the help of B anyway.

52 Main Theorem Second Problem: use f pk in h. Consider A F,B (pk) who plays the one-wayness game, and must find f 1 pk (y). Can abuse B as follows: Define h(0) = y and h(i) = f pk (i) (for i 0). Send h,v 1,...,v h to B where v i = i. B will output f 1 pk 1 (h(0)) = fpk (y) as i = v i = f 1 1 pk (h(i)) = fpk (f pk(i)) as required. Thus A can win the one-way hard game...

53 Main Theorem Second Problem: use f pk in h. Consider A F,B (pk) who plays the one-wayness game, and must find f 1 pk (y). Can abuse B as follows: Define h(0) = y and h(i) = f pk (i) (for i 0). Fix: Send h,v 1,...,v h to B where v i = i. B will output f 1 pk 1 (h(0)) = fpk (y) as i = v i = f 1 1 pk (h(i)) = fpk (f pk(i)) as required. Thus A can win the one-way hard game... B checks if any v i appears as output of f pk in the computation of v 1 = h F (0),...,v h = h F ( h ), and only outputs a forgery if this is not the case. B still breaks all FDH schemes, as if above check fails, attacker already knows f 1 pk (v i) for some h F (j) and thus can forge without B.

54 Main Theorem Surprisingly, this two seemingly ad-hoc fixes are sufficient to prove that now B will not help an attacker to win any hard game, i.e. F is secure for any hard game relative to B. Lemma (B does not break security of F) With probability 1 (over the choice of F) for any efficient A and any hard game C (with k implicitly defined by C) Pr (pk pk i R 2 n[(ab,f 1,...,pk k ),C f pk 1,...,f pkk (1 n )) 1] = negl(n)

55 Main Theorem Hard Games with Inversions Can t prove security of sing(m) = f 1 (h(m)) under any assumption which is (1) satisfied by random permutations and where the challenger (2) does not make inverse queries (i.e. does not need the trapdoor). Can relax (2) and consider games with inversions Pr[ A(pk 1,...,pk k ),C f 1,...,f k,f 1 1,...,f 1 k (1 n ) = 1] = negl(n) where C is allowed at most p(n) queries to the inverse oracles for a fixed polynomial p(n). f 1 pk i Bound p(n) on # of inversion queries necessary as otherwise can consider forging FDH in a chosen message-attack game : E.g. forging f1 1 (f 2 (.)) in a chosen message attack is a hard game with inversion. But then sign(m) = f 1 pk 1 (f pk2 (m)) is a secure instantiation of FDH.

56 Main Theorem Conclusions Can t hope to prove sing(m) = f 1 (h(m)) secure under any assumption which is satisfied by random permutations. Does not mean that e.g. FDH with SHA1 & RSA is insecure, we just can t prove it. Maybe can avoid impossibility result by using special properties of RSA which random permutations do not have (e.g. the homomorphic property of RSA).