non-trivial black-box combiners for collision-resistant hash-functions don t exist

Size: px

Start display at page:

Download "non-trivial black-box combiners for collision-resistant hash-functions don t exist"

Tracey Cole
5 years ago
Views:

1 non-trivial black-box combiners for collision-resistant hash-functions don t exist Krzysztof Pietrzak (CWI Amsterdam) Eurocrypt May

2 black-box combiners [H05,HKNRR05,PM06,BB06] C is a secure combiner for XXX 1, if C A,B is a secure implementation of XXX if either A or B is a secure implementation of XXX. 1 put your favorite primitve here

3 example 1: symmetric encryption C ENC 1,ENC 2 ([K 1, K 2 ], M) = ENC 2 (K 2, ENC 1 (K 1, M)) K 1 K 2 M ENC 1 ENC 2

4 example 2: one way functions C F 1,F 2 (X 1, X 2 ) = F 1 (X 1 ) F 2 (X 2 ) X 1 X 2 F 1 F 2

5 example 3: bike

6 example 4: collision resistant hashing C H 1,H 2 (M) = H 1 (M) H 2 (M) M H 1 H 2

7 Combined primitives have a twice as large keyspace (ENC,bike), input length (OWF) or output length (OWF & CRHF) compared to the underlying primitive. X 1 X 2 K 1 K 2 F 1 F 2 M ENC 1 ENC 2 M H 1 H 2

8 Combined primitives have a twice as large keyspace (ENC,bike), input length (OWF) or output length (OWF & CRHF) compared to the underlying primitive. X 1 X 2 K 1 K 2 F 1 F 2 M ENC 1 ENC 2 M H 1 H 2 do there exist combiners for CRHF with short output?

9 first try: ignore some bit in the output Let C H 1,H 2 (M) = H 1 (M) H 2 (M) but with the last output bit removed.

10 first try: ignore some bit in the output Let C H 1,H 2 (M) = H 1 (M) H 2 (M) but with the last output bit removed. Let H 1, H 2 : {0, 1} {0, 1} v be uniformly random.

11 first try: ignore some bit in the output Let C H 1,H 2 (M) = H 1 (M) H 2 (M) but with the last output bit removed. Let H 1, H 2 : {0, 1} {0, 1} v be uniformly random. Let M M be such that 1. C H 1,H 2 (M) = C H 1,H 2 (M ) 2. H 2 (M) H 2 (M ) (i.e. they differ in the last bit)

12 first try: ignore some bit in the output Let C H 1,H 2 (M) = H 1 (M) H 2 (M) but with the last output bit removed. Let H 1, H 2 : {0, 1} {0, 1} v be uniformly random. Let M M be such that 1. C H 1,H 2 (M) = C H 1,H 2 (M ) 2. H 2 (M) H 2 (M ) (i.e. they differ in the last bit) Such a (M, M ) is of no use to find a collision for H 2 : Pr[find coll. in H 2 given M, M with q queries] = Pr[ find collision in URF:{0, 1} {0, 1} v ] q 2 /2 v+1

13 first try: ignore some bit in the output ignoring even a single bit in C H 1,H 2 (M) = H 1 (M) H 2 (M) breaks the combiner completely!

14 first try: ignore some bit in the output ignoring even a single bit in C H 1,H 2 (M) = H 1 (M) H 2 (M) breaks the combiner completely! Maybe there s a more clever combiner!

15 first try: ignore some bit in the output ignoring even a single bit in C H 1,H 2 (M) = H 1 (M) H 2 (M) breaks the combiner completely! Maybe there s a more clever combiner! No, there isn t... But first some definitions.

16 oracle circuit oracle TM C : {0, 1} m {0, 1} n P : {0, 1} 2m {0, 1} Adv P (H 1, H 2, M, M ) = Pr P s coins [P H 1,H 2 (M, M ) (X, X, Y, Y ); H 1 (X) = H 1 (X ) H 2 (Y) = H 2 (Y )] Definition (BB Combiner for CRHFs) (C, P) is an ǫ-secure combiner for CRHFs if for all H 1, H 2 : {0, 1} {0, 1} m and all M M where C H 1,H 2 (M) = C H 1,H 2 (M ) we have Adv P (H 1, H 2, M, M ) 1 ǫ

17 the Boneh-Boyen impossibility result Theorem (Boneh-Boyen, crypto 06) For any (C, P) C : {0, 1} m {0, 1} n P : {0, 1} 2n {0, 1} where C A,B queries A and B exactly once if C is shrinking (i.e. m > n) and n < 2v then there exist H 1 : {0, 1} {0, 1} v H 2 : {0, 1} {0, 1} v and M M : C H 1,H 2(M) = C H 1,H 2(M ) with Adv P (H 1, H 2, M, M ) q 2 /2 v+1 Where q is the # of oracle queries made by P.

18 more than one query won t help either Theorem For any (C, P), where C, P make q C, q P oracle queries C : {0, 1} m {0, 1} n P : {0, 1} 2n {0, 1} if m > n and n < 2v 2 log(q C ), then there exist H 1 : {0, 1} {0, 1} v H 2 : {0, 1} {0, 1} v and M M : C H 1,H 2(M) = C H 1,H 2(M ) with Adv P (H 1, H 2, M, M ) (q C + q P ) 2 /2 v+1

19 proof idea Have to come up with an oracle O, which on input C comes up with H 1, H 2 and M, M s.t. 1. C H 1,H 2 (M) = C H 1,H 2 (M ) 2. given M, M at least one of the H i s is a CRHF.

20 proof idea Have to come up with an oracle O, which on input C comes up with H 1, H 2 and M, M s.t. 1. C H 1,H 2 (M) = C H 1,H 2 (M ) 2. given M, M at least one of the H i s is a CRHF. Show that random H 1, H 2, M, M statisfy 1. and 2. with non-zero probability. satisfying 2. means, that the oracle queries made in the computation of C H 1,H 2(M), C H 1,H 2(M ) do not contain collisions for H 1 and H 2.

21 proof sketch for m > n and n < 2v 2 log(q C ) consider any C : {0, 1} m {0, 1} n For H 1, H 2 : {0, 1} {0, 1} v and M, M {0, 1} m define the predicates E 1 C H 1,H 2 (M) = C H 1,H 2 (M ) M M E 2 the computation of C H 1,H 2(M), C H 1,H 2(M ) contains collisions for H 1 and H 2.

22 proof sketch cont. E 1 C H 1,H 2 (M) = C H 1,H 2 (M ) M M E 2 computation of C H 1,H 2 (M) = C H 1,H 2 (M ) contains collisions for H 1 and H 2 Lemma (main technical) For radom H 1, H 2 and M, M we have Pr[E 1 ] > Pr[E 2 ] and thus Pr[E 1 E 2 ] > 0

23 proof sketch cont. E 1 C H 1,H 2 (M) = C H 1,H 2 (M ) M M E 2 computation of C H 1,H 2 (M) = C H 1,H 2 (M ) contains collisions for H 1 and H 2 Lemma (main technical) For radom H 1, H 2 and M, M we have Pr[E 1 ] > Pr[E 2 ] and thus Pr[E 1 E 2 ] > 0 This implies that there exist H 1, H 2 and M, M such that E 1 and E 2, i.e. M, M is a collision for C H 1,H 2, but does not give collisions for H 1 and H 2 (the theorem follows easily from that).

24 proof sketch of main technical lemma Lemma (main technical) For radom H 1, H 2 and M, M we have Pr[E 1 ] > Pr[E 2 ] Proof. Pr[E 1 ] Pr[C H 1,H 2 (M) = C H 1,H 2 (M )] Pr[M = M ] 2 n 2 m Let X i denote the inputs to H i during the computation of C H 1,H 2(M), C H 1,H 2(M ). Pr[E 2 ] = Pr[ X X X i : H i (X) = H i (X )] i=1,2 max Pr[ Y 1,Y 2, Y 1 + Y 2 =q C i=1,2 Y Y Y i : H i (X) = H i (X )]] (q 2 C/2 v+1 ) 2 < 2 n 2 m Pr[E 1 ]

25 if you really want a combiner with short output... a proposition

26 M H 1 H 2 H 3 Secure if H 1 or H 2 and H 3 is a CRHF.

27 M H 1 H 2 H 3 Secure if H 1 or H 2 and H 3 is a CRHF. Seems pointless, if we have to assume that H 3 is secure, why not simply use H 3 to hash M?

28 M H 1 H 2 H 3 Secure if H 1 or H 2 and H 3 is a CRHF. Seems pointless, if we have to assume that H 3 is secure, why not simply use H 3 to hash M? In H 3 (H 1 (M) H 2 (M)), the H 3 is invoked on a short input. So we can use inefficient provably secure H 3.

29 M H 1 H 2 H 3 Secure if H 1 or H 2 and H 3 is a CRHF. Seems pointless, if we have to assume that H 3 is secure, why not simply use H 3 to hash M? In H 3 (H 1 (M) H 2 (M)), the H 3 is invoked on a short input. So we can use inefficient provably secure H 3. Say H 3 (a, b) = g a h b (finding a collision for H 3 is as hard as discrete log). M g H 1(M) h H 2(M)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Last Time Hardcore Bits Hardcore Bits Let F be a one- way function with domain x, range y Definition: A function h:xà {0,1} is