Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications

Transcription

1 Related-Key Almost Universal Hash Functions: Definitions, Constructions and Applications Peng Wang, Yuling Li, Liting Zhang and Kaiyan Zheng State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences Data Assurance and Communication Security Research Center, Chinese Academy of Sciences University of Chinese Academy of Sciences Institution of Software, Chinese Academy of Sciences FSE 2016 March 23, / 36

2 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 2 / 36

3 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 3 / 36

4 Universal hash functions H : K D R Almost Universal (AU) Definition (AU) H is an ɛ-almost-universal (ɛ-au) hash function, if for any M, M D, M M, Pr[K $ K : H K (M) = H K (M )] ɛ When ɛ is negligible, we say that H is AU. 4 / 36

5 Universal hash functions Almost XOR Universal (AXU) Definition (AXU) Let (R, ) be an abelian group. H is an ɛ-almost-xor- universal (ɛ-axu), if for any M, M D, M M and C R, Pr[K $ K : H K(M) H K(M ) = C] ɛ When ɛ is negligible, we say that H is AXU. 5 / 36

6 Universal hash functions Example H K (M) = MK H K (M) H K (M ) = C MK M K = C (M M )K = C K = C(M M ) 1 1/2 n -AXU Pr[K $ K : H K (M) H K (M ) = C] = 1/2 n 6 / 36

7 Universal hash functions Example H K (M) = MK P oly : {0, 1} n {0, 1} nm {0, 1} n, P oly K (M) = M 1 K m M 2 K m 1 M m K M = M 1 M 2 M m {0, 1} nm, M i {0, 1} n, i = 1,, m. P oly is m/2 n -AXU. 7 / 36

8 Universal hash functions UHF-based schemes Message authentication code (MAC) Tweakable block cipher (TBC) Authenticated encryption (AE) scheme 8 / 36

9 Universal hash functions MAC UHF-based schemes [Wegman and Carter, 1981] [Brassard, 1982] 9 / 36

10 Universal hash functions TBC UHF-based schemes [Liskov et al., 2002] 10 / 36

11 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 11 / 36

12 Related-key attacks firstly applied to block ciphers [Biham, 1993] Bellare and Kohno gave a formal definition of RKA-PRP and RKA-PRF [Bellare and Kohno, 2003] widely applied to MACs, TESes and AE schemes Peyrin, et al: Generic related-key attacks for HMAC. ASIACRYPT Dobraunig, et al: Related-key forgeries for PrØst-OTR. FSE Sun, et al: Weak-key and related-key analysis of hashcounter- hash tweakable enciphering schemes. ACISP / 36

13 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 13 / 36

14 RKA against UHF-based schemes MAC Eg 1. H K (M 1 M 2 ) = M 1 K 2 M 2 K Query: (K M M, K 1) T T = E K (H K 1 (M M)) 2/2 n -AXU = E K (M(K 1) 2 M(K 1)) = E K (MK 2 MK) Forge: (K M M, K) T 14 / 36

15 RKA against UHF-based schemes TBC Eg 2. H K (T ) = T K Query: (T, M) 1/2 n -AXU (K, K 1) C C = E K (M T (K 1)) T (K 1) C T = E K ((M T ) T K) T K Predict: (K (T, M T ), K) C T 15 / 36

16 RKA against UHF-based schemes Problems in the two-key schemes Eg 1. H K 1 (M M) = H K (M M) Eg 2. H K 1 (T ) H K (T ) = T Collisions The attacks have nothing to do with the block cipher. 16 / 36

17 RKA against UHF-based schemes Almost all the existing two-key schemes which based on universal hash function are not related-key secure. 17 / 36

18 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 18 / 36

19 New definitions Definition (RKA-AU) RKA-AU H is an ɛ-related-key-almost-universal (ɛ-rka-au) hash function for the RKD set Φ, if φ, φ Φ, M, M D, (φ, M) (φ, M ), P r[k $ K : H φ(k) (M) = H φ (K)(M )] ɛ. When ɛ is negligible we say that H is RKA-AU. 19 / 36

20 New definitions Definition (RKA-AXU) RKA-AXU Let (R, ) be an abelian group. H is an ɛ-related-key-almost-xor-universal (ɛ-rka-axu) hash function for the RKD set Φ, if φ, φ Φ, M, M D, (φ, M) (φ, M ) and C R, P r[k $ K : H φ(k) (M) H φ (K)(M ) = C] ɛ. When ɛ is negligible we say that H is RKA-AXU. 20 / 36

21 Restrictions on the RKD sets Default RKD set Φ = {XOR : K K, K} 21 / 36

22 Not ideal functions P oly : {0, 1} n {0, 1} nm {0, 1} n, P oly K (M) = M 1 K m M 2 K m 1 M m K M = M 1 M 2 M m {0, 1} nm, M i {0, 1} n, i = 1, 2,, m Let M = M = 0 mn, φ φ. P oly φ(k) (0 mn ) = P oly φ (K)(0 mn ) = 0 P oly is not RKA-AU. 22 / 36

23 Not ideal functions Almost all the existing UHFs are not RKA-AU. MMH : H K(M) = ((( t i=1 MiKi) mod264 ) mod p) mod 2 32, M i, K i Z 2 32 and p = ; Square Hash : H K(M) = t i=1 (Mi + Ki)2 mod p, M i, K i Z p; NMH : H K(M) = ( t/2 i=1 (M2i 1 + K2i 1)(M2i + K2i)) mod p, M i, K i Z 2 32, p = ; NH, WH / 36

24 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 24 / 36

25 Constructions FIL-RKA-AXU: RH1 VIL-RKA-AXU: RH2 25 / 36

26 FIL-RKA-AXU RH1 : {0, 1} n {0, 1} n {0, 1} n, RH1 K (M) = MK + K 3. Proof. Let F (K) = RH1 K 1 (M) RH1 K 2 (M ). F (K) = ( 1 2 )K 2 ( M M )K ( M 1 M 2 ). Case F (K) = C has 2 roots at most. Case 2. 1 = 2. Then M M. F (K) = C has 1 root. Pr[K $ {0, 1} n : F (K) = C] 2/2 n. RH1 is 2/2 n -RKA-AXU over the RKD set Φ. 26 / 36

27 FIL-RKA-AXU Remark from one of reviewers RH1 K (M) = MK + K 3. Φ 0 = {id, f α }. f α (K) = αk, α GF (2 n ), α 3 = 1. RH1 fα(k)(α 1 M) = RH1 K (M) RH1 is not RKA-AU over the RKD set Φ / 36

28 VIL-RKA-AXU P oly K (M) = M 1 K m M 2 K m 1 M m K pad(m) = M 0 i M P oly K (pad(m)) is VIL-AXU but not RKA-AXU. 28 / 36

29 VIL-RKA-AXU P oly K (M) = M 1 K m M 2 K m 1 M m K RH2 : {0, 1} n {0, 1} {0, 1} n, { K l+2 P oly K (pad(m)), RH2 K (M) = K l+3 P oly K (pad(m))k, l is odd l is even l = M /n + 1. RH2 is RKA-AXU over the RKD set Φ. 29 / 36

30 VIL-RKA-AXU RH2 VS Poly RH2 K (M): P oly K (pad(m)) T K 2 T 0 for i = 1 to l for i = 1 to l T (T M i )K T (T M i )K if l is even T T K return T return T 30 / 36

31 Solution Whether it is secure? = 31 / 36

32 Outline 1 Introduction Universal hash functions Related-key attacks RKA against UHF-based schemes 2 New definitions: RKA-AU and RKA-AXU 3 Constructions: RH1, RH2 and RH3 4 Applications in MACs and TBCs 32 / 36

33 Applications related-key secure MACs MAC1 K,K (N, M) = H K (M) F K (N) over Φ 1 Φ 2 MAC2 K,K (M) = F K (H K (M)) over Φ 1 Φ 2 33 / 36

34 Applications related-key secure MACs related-key secure TBCs TBC1 K,K (T, M) = E K (M H K (T )) H K (T ) over Φ 1 Φ 2 TBC2 K (T, M) = π(m H K (T )) H K (T ) over Φ 1 34 / 36

35 Conclusion 1. Propose a new concept of related-key almost universal hash function: RKA-AXU and RKA-AU. 2. Provide several efficient constructions named RH1, RH2 and RH3. 3. Show related-key secure MACs and TBCs, composed of RKA-AXU (RKA-AU) hash functions and other primitives such as RKA-PRPs and RKA-PRFs. 35 / 36

36 Thanks! 36 / 36

37 Bellare, M. and Kohno, T. (2003). A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications. In Biham, E., editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages Springer. Biham, E. (1993). New types of cryptoanalytic attacks using related keys (extended abstract). In Helleseth, T., editor, EUROCRYPT, volume 765 of Lecture Notes in Computer Science, pages Springer. Brassard, G. (1982). On Computationally Secure Authentication Tags Requiring Short Secret Shared Keys. In International Crytology Conference, pages Liskov, M., Rivest, R. L., and Wagner, D. (2002). Tweakable block ciphers. In Yung, M., editor, CRYPTO 2012, volume 2442 of Lecture Notes in Computer Science, pages Springer. Wegman, M. N. and Carter, L. (1981). New hash functions and their use in authentication and set equality. 36 / 36

38 J. Comput. Syst. Sci., 22(3): / 36