Provable Second Preimage Resistance Revisited

Provable Second Preimage Resistance Revisited
Charles Bouillaguet (1), Bastien Vayssière (2)
(1) LIFL, University of Lille, France
(2) PRISM, University of Versailles, France
SAC 2013
1 / 29

Cryptographic Hash Functions
$M \in \{0,1\}^*$ → H → $h \in \{0,1\}^n$
It should behave like a random oracle. In particular, with respect to the following cryptanalysis:
Collision attacks: find $M' \neq M$ such that $H(M') = H(M)$. Ideal security: $2^{n/2}$
Second preimage attacks: given M, find $M' \neq M$ such that $H(M') = H(M)$. Ideal security: $2^n$
Preimage attacks: given $h \in \{0,1\}^n$, find M such that $H(M) = h$. Ideal security: $2^n$
2 / 29

Second Preimage Notions of Security
Usually defined with the execution time (t) and the probability of success (ε) of an adversary. Global complexity: t/ε.
Diagram: a random M (l blocks) is given to the adversary against H, which outputs M'. Success: $M \neq M'$, $H(M) = H(M')$.
Figure: Spr[l] notion, for unkeyed hash functions
3 / 29

Second Preimage Notions of Security
Usually defined with the execution time (t) and the probability of success (ε) of an adversary. Global complexity: t/ε.
Diagram: a random (M, K), with M of l blocks, is given to the adversary against H, which outputs M'. Success: $M \neq M'$, $H(M, K) = H(M', K)$.
Figure: Sec[l] notion, for keyed hash functions
4 / 29

Second Preimage Notions of Security
Usually defined with the execution time (t) and the probability of success (ε) of an adversary. Global complexity: t/ε.
Diagram: the adversary against H first chooses M (l blocks), then receives a random K and outputs M'. Success: $M \neq M'$, $H(M, K) = H(M', K)$.
Figure: eSec[l] notion, for keyed hash functions
5 / 29

Iterated Hash Functions
Most hash functions are iterated hash functions. Classical mode: Merkle-Damgård [Merkle, Damgård, 1989]. Used in MD5, SHA-0, SHA-1, SHA-2.
Diagram: M is split into blocks $m_1, m_2, \ldots, m_l$; starting from IV, each block is fed together with the previous chaining value into the compression function f, and the last output is h.
6 / 29

Iterated Hash Functions
Most hash functions are iterated hash functions. Classical mode: Merkle-Damgård [Merkle, Damgård, 1989]. Used in MD5, SHA-0, SHA-1, SHA-2.
Diagram: M is split into blocks $m_1, m_2, \ldots, m_l$; starting from IV, each block is fed together with the previous chaining value into f, and the last output is h.
Length strengthening: the message is padded as $M \,\|\, 1 \,\|\, 0 \cdots 0 \,\|\, |M|$ before being split into blocks.
7 / 29

Provable Security of Modes
Generic attacks on hash functions: the attack works on $H^f$ for any f ⇒ the mode of operation itself is insecure!
How to measure the security against generic attacks?
1. Replace f by a Random Oracle.
2. Find an upper bound on the advantage of the adversaries against $H^f$.
One also needs to know about the security of $H^f$ when f is a real-life compression function (≠ Random Oracle).
Reductions in the Standard Model
Idea: exhibit a reduction which transforms any adversary against $H^f$ into an adversary against f. For a given security notion, the reduction proves that the property of f is preserved by the mode of operation.
Example: Merkle-Damgård was published with a reduction which converts any collision on $H^f$ into a collision on f, in linear time.
8 / 29

Generic attacks on Merkle-Damgård
Generic attacks on Merkle-Damgård: multicollisions [Joux, 2004], second preimage attacks [Kelsey and Schneier, 2005], herding attacks [Kelsey and Kohno, 2006].
Generic Second Preimage Attack of Kelsey and Schneier: second preimage of messages of l blocks in $2^n / l + \log(l)\,2^{n/2}$ ... even for f replaced by a random oracle. (Ideal security: $2^n$)
Research for new modes:
wide-pipe modes: extend the internal state [Lucks, 2005];
design narrow-pipe modes with proofs of resistance to collisions, preimages... and second preimages!
We focus on the second issue.
9 / 29

HAIFA mode of operation [Biham, Dunkelman, 2006]
Diagram: f takes the block $m_i$, the salt, the number of hashed bits (#hashed bits) and $h_{i-1}$, and outputs $h_i$.
Provable Security in the Random Oracle Model [BDFJ 2009]
For a Random Oracle f, the success probability of any adversary breaking the Spr[l] notion of $H^f$ in q queries is lower than $q\,2^{-n+1}$.
10 / 29

Reduction in the Standard Model
Three narrow-pipe modes with a proof of security in the Standard Model:
1. Shoup's UOWHF [Shoup, 2000]
2. Backward Chaining Mode [Andreeva and Preneel, 2008]
3. Split Padding [Yasuda, 2008]
The designers provided a reduction to a notion of second preimage security of f which:
terminates in $t + O(l)$ time with success probability ε/l;
is defined for an adversary (t, ε)-breaking a notion of $H^f$.
11 / 29

Shoup's UOWHF [Shoup, 2000]
Diagram: f takes $m_i$, K and $h_{i-1}$ and outputs $h_i$; the chaining value is masked with $\mu_{\nu(i)}$.
Provable Security in the Standard Model
If an adversary is able to break the eSec[l] notion of $H^f$ with probability ε in time t, then one can construct an adversary that breaks the eSec notion of f in time $t + O(l)$, with probability ε/l.
12 / 29

Backward Chaining Mode [Andreeva and Preneel, 2008]
Diagram (recoverable labels): blocks $m_1, m_2, \ldots, m_{l-1} + (0, K_1)$, $m_l + K_2$; chaining from IV to h; the most significant bits (msb) of $m_2, m_3, \ldots, m_l$ are chained backward, with $+K_1$, $+K_2$ and $K_3$.
Provable Security in the Standard Model
If an adversary is able to break the Sec[l] notion of $H^f$ with probability ε in time t, then one can construct an adversary that breaks the Spr notion of f in time $t + O(l)$, with probability ε/l.
13 / 29

Objectives
Figure: abstract narrow-pipe mode of operation: f takes (M, K, i) and $h_{i-1}$ and outputs $h_i$.
For the narrow-pipe modes in this abstract model, we provide simple sufficient properties to obtain:
optimal second preimage security in the Random Oracle Model,
optimal second preimage security in the Standard Model for a narrow-pipe mode,
... and keep the proof of Merkle-Damgård that it preserves the collision resistance!
15 / 29

Sufficient Conditions to Preserve the Collision Resistance
Three sufficient conditions ($x_i$ denotes the i-th input to f):
Length strengthening: the last input of f contains |M|.
Message injectivity: $M \neq M' \Rightarrow \exists i,\ x_i \neq x'_i$.
Chaining value injectivity: $h_{i-1} \neq h'_{i-1} \Rightarrow x_i \neq x'_i$.
To our knowledge, these properties are verified by all existing narrow-pipe modes.
Any collision between messages of less than l blocks on $H^f$ can be transformed into a collision on f in $O(l)$ computations.
16 / 29

Reuse the Proof of Merkle-Damgård
If $|M| \neq |M'|$, and the last input block involves the message length, then we have a collision at the end.
Diagram: the inputs (M, K, 1), ..., (M, K, l-1), (M, K, l) chain from IV to H(M, K); likewise for M', and $H(M, K) = H(M', K)$.
17 / 29

Reuse the Proof of Merkle-Damgård
Case $|M| = |M'|$. Since M' is a second preimage of (M, K), $M' \neq M$ and it has a distinct sequence of blocks. The point of connection will be the last index i such that $x_i \neq x'_i$. If $i = l$, the collision on $H^f$ directly implies the collision $f(x_l) = f(x'_l) = H(M, K)$.
Diagram: the same two chains from IV to $H(M, K) = H(M', K)$, with the point of connection marked at the last iteration.
18 / 29

Reuse the Proof of Merkle-Damgård
If the point of connection is not the last iteration, since identical inputs of f are always due to identical previous chaining values, we obtain a collision too.
Diagram: at iterations i and i+1 the chaining values of M and M' become equal (the point of connection) and stay equal up to $H(M, K) = H(M', K)$.
19 / 29
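The collision-preserving argument of slides 16 to 20, carried out in code. This is an added example, not code from the talk or its authors: it assumes a toy compression function f (SHA-256 truncated to 16 bits) and a constructed narrow-pipe mode with inputs $x_i = h_{i-1} \,\|\, m_i \,\|\, |M|$, which satisfies the three sufficient conditions, so that collisions on $H^f$ are cheap to find and the walk back to the point of connection can be exercised.

```python
import hashlib

N_BYTES = 2   # toy 16-bit digest so collisions on H are cheap to find (constructed)
BLOCK = 4     # message block size in bytes (constructed)
IV = b"\x00" * N_BYTES

def f(x: bytes) -> bytes:
    """Toy compression function: SHA-256 truncated to 16 bits (assumption, not the talk's f)."""
    return hashlib.sha256(x).digest()[:N_BYTES]

def inputs(msg: bytes) -> list:
    """Inputs x_1..x_l fed to f by a constructed narrow-pipe mode, x_i = h_{i-1} || m_i || |M|.
    Chaining value injectivity (h_{i-1} is a prefix of x_i), message injectivity (a block
    or |M| differs) and length strengthening (|M| is in the last input) hold by construction."""
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)] or [b""]
    blocks[-1] = blocks[-1].ljust(BLOCK, b"\x00")       # deterministic zero padding
    length = len(msg).to_bytes(4, "big")
    h, xs = IV, []
    for m in blocks:
        xs.append(h + m + length)
        h = f(xs[-1])
    return xs

def H(msg: bytes) -> bytes:
    return f(inputs(msg)[-1])

def collision_on_f(m1: bytes, m2: bytes) -> tuple:
    """The Merkle-Damgard reduction: from M != M' with H(M) = H(M'), walk back from the
    last inputs to the point of connection (last index with x_i != x'_i) and return that
    pair, which collides under f.  Costs O(l) evaluations of f."""
    assert m1 != m2 and H(m1) == H(m2)
    xs, ys = inputs(m1), inputs(m2)
    i, j = len(xs) - 1, len(ys) - 1      # the last inputs both map to H(M) = H(M')
    while xs[i] == ys[j]:
        # equal inputs to f mean equal h_{i-1}, hence f(x_{i-1}) = f(x'_{i-1}) as well
        i, j = i - 1, j - 1
    return xs[i], ys[j]

def find_H_collision(msgs) -> tuple:
    """Birthday search for two distinct messages with equal H (only feasible on the toy)."""
    seen = {}
    for m in msgs:
        d = H(m)
        if d in seen and seen[d] != m:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision among the supplied messages")

if __name__ == "__main__":
    m1, m2 = find_H_collision(k.to_bytes(2 * BLOCK, "big") for k in range(1 << 12))
    x, y = collision_on_f(m1, m2)
    print("H-collision", m1.hex(), m2.hex(), "gives f-collision", x.hex(), y.hex())
```

With a real n-bit f the search in `find_H_collision` is infeasible; the reduction `collision_on_f` is the only part that matters for the proof, and it stays linear in the number of blocks.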

Resistance to Generic Attacks
Suppose f is a Random Oracle. We want to give an upper bound on the probability that q queries enable an adversary to find a second preimage M' of a random challenge (M, K).
If $|M'| \neq |M|$, the length strengthening provides that $x'_l$ is a preimage of $h = H(M, K)$. With q queries it cannot happen with probability higher than $q\,2^{-n}$.
If $|M'| = |M|$, the point of connection can happen at l distinct positions...
21 / 29

Domain separation
Domain separation of the mode: existence of a generic algorithm (IdxEx) such that for any M, K and any i-th input x of f, $\mathrm{IdxEx}(x) = i$.
Diagram: the inputs (M, K, 1), ..., (M, K, i), ..., (M, K, l) chain from IV to H(M); IdxEx applied to $x_i$ returns i.
For HAIFA: $\mathrm{IdxEx}(x_i) = i = \frac{\#\text{hashed bits}}{\text{block bit length}}$
22 / 29

Domain separation
If $|M'| = |M|$ and M' is a second preimage of (M, K), there is a point of connection. There was a query x' to f which verified $f(x') = f(x_i) = h_i$.
Diagram: in the block space, a query x' may hit any of $h_1, h_2, \ldots, h_l$: it can succeed as a preimage of any one of a set of l blocks. With domain separation: only 1 case.
Each query has a probability $2^{-n}$ to bring this point of connection. In q queries, the probability to have at least one such query is $1 - (1 - 2^{-n})^q \le q\,2^{-n}$.
23 / 29

Optimal Resistance to Generic Attacks
Theorem. Let $H^f$ be a narrow-pipe mode with domain separation, length strengthening, message and chaining value injectivities. This mode has optimal resistance to generic second preimage attacks.
Proof. Let ε be the success probability of the adversary against $H^f$, f being replaced by a Random Oracle. Let M' be a second preimage of (M, K) for $H^f$.
1. If $|M'| \neq |M|$: length strengthening ⇒ A found a preimage of h. Probability $q\,2^{-n}$.
2. If $|M'| = |M|$: point of connection $i = \mathrm{IdxEx}(x'_i)$. Each query x' to the oracle can only succeed if $f(x') = h_{\mathrm{IdxEx}(x')}$. Probability $q\,2^{-n}$.
$\varepsilon \le q\,(2^{-n} + 2^{-n}) = q\,2^{-n+1}$
24 / 29

Reduction in the Standard Model
Goal: find a sufficient property which permits to design a reduction that converts any adversary against the Sec[l] notion of $H^f$ into an adversary for the Spr notion of f.
Diagram: the reduction receives a challenge x for f, builds a challenge (M, K) for the adversary against $H^f$, receives M' and outputs x'. Success: $x \neq x'$, $f(x) = f(x')$.
The level of security is the lower bound provided on t/ε when f is secure for the notion Spr.
25 / 29

Embedding of the Challenge into the Query
Diagram: from (x, i), the Embedding produces a challenge (M, K) such that the i-th input (M, K, i) to f in the computation of H(M, K) from IV is exactly x.
Embedding: an efficient algorithm which computes a uniformly distributed challenge (M, K) from an input (x, i), in time $O(l)$.
26 / 29

Provable Security in the Standard Model
A reduction breaking the Spr notion of f in $t + O(l)$.
Diagram: the challenger for the Spr notion of f sends x to the reduction; the reduction picks a random i, embeds (x, i) into (M, K) and gives it to the adversary against Sec[l] of $H^f$, which returns M'; the reduction finds the point of connection j and outputs $x'_j$.
The reduction succeeds when the adversary succeeds (probability ε) and the point of connection equals the point of embedding (probability 1/l).
The probability of success of the reduction is ε/l.
27 / 29

Unavoidable Security Loss
If f is secure for the Spr notion: $\dfrac{t + c\,l}{\varepsilon / l} \ge 2^n$
This reduction only gives the lower bound $\dfrac{t}{\varepsilon} \ge \dfrac{2^n}{l} - \dfrac{c\,l}{\varepsilon}$
For long messages, the reduction does not guarantee any security...
Question: can we get a better reduction? Is there a narrow-pipe mode with a better reduction?
Unfortunately, this security loss is unavoidable for a narrow-pipe mode, with this type of reduction.
28 / 29

Thanks for your attention! Questions?
29 / 29