Provable Chosen-Target-Forced-Midx Preimage Resistance

Provable Chosen-Target-Forced-Midx Preimage Resistance Elena Andreeva and Bart Mennink (K.U.Leuven) Selected Areas in Cryptography Toronto, Canada August 11, 2011 1 / 15

Introduction Hash Functions 2 / 15

Introduction Hash Functions Merkle-Damgård Hash Function Design (MD): 2 / 15

Introduction Hash Functions Merkle-Damgård Hash Function Design (MD): M injectively padded: M M 1 M k = M 1 0 M 1 mod m M m 2 / 15

Introduction Hash Functions Merkle-Damgård Hash Function Design (MD): M injectively padded: M M 1 M k = M 1 0 M 1 mod m M m M i compressed iteratively using f : {0, 1} n+m {0, 1} n 2 / 15

Introduction Hash Function Security Requirements Preimage resistance Second preimage resistance Collision resistance 3 / 15

Introduction Hash Function Security Requirements Preimage resistance Second preimage resistance Collision resistance Multicollision resistance Security against length extension attack Chosen-target-forced-prex preimage resistance... 3 / 15

Introduction Hash Function Security Requirements Preimage resistance Second preimage resistance Collision resistance Multicollision resistance Security against length extension attack Chosen-target-forced-prex preimage resistance... Chosen-target-forced-prex (CTFP) preimage resistance (security against herding attack) Choose y, given P, nd R such that H(P R) = y Applications: predicting elections, sports games, etc. Ideally, CTFP attack requires 2 n work 3 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 Phase 1 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 Phase 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y attack L = M complexity (f -calls) herding O(n) blocks n2 2n/3 4 / 15

Introduction Herding Attack for MD [Kelsey & Kohno, 06] Phase 2 iv P h h 1 h 2 h 3 h 4 h 5 h 6 h 7 h 8 Phase 1 y attack L = M complexity (f -calls) herding elongated herding (0 r n/2) O(n) blocks O(n + 2 r ) blocks n2 2n/3 n2 2n/3 /2 r/3 4 / 15

Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15

Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15

Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15

Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15

Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15

Introduction Herding Attack Beyond MD Herding attack generalized to MD-based hash functions Merkle-Damgård with checksums [Gauravaram et al., 08, 10] Hash twice, concatenated, zipper and tree hash [Andreeva et al., 09] 5 / 15

Introduction Our Contributions 6 / 15

Introduction Our Contributions Chosen-target-forced-midx (CTFM) preimage resistance Formalize and generalize security against herding Notion particularly covers all known attacks 6 / 15

Introduction Our Contributions Chosen-target-forced-midx (CTFM) preimage resistance Formalize and generalize security against herding Notion particularly covers all known attacks CTFM security bound for MD We formally prove security of MD Analysis directly applies to other hash functions 6 / 15

Introduction Our Contributions Chosen-target-forced-midx (CTFM) preimage resistance Formalize and generalize security against herding Notion particularly covers all known attacks CTFM security bound for MD We formally prove security of MD Analysis directly applies to other hash functions Existence of optimally CTFM secure hash functions? No optimally secure narrow-pipe design known 6 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p R 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R A wins if H f (g(p, R)) = y and rng(g) 2 Lm 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R A wins if H f (g(p, R)) = y and rng(g) 2 Lm Adv ctfm H (q): success probability of any adversary making q queries 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security p : L : length of forced midx (bits) max. length of forged preimage (blocks) Denition H using ideal compression function f : {0, 1} n+m {0, 1} n Adversary A query access to f A f y P $ {0, 1} p g, R A wins if H f (g(p, R)) = y and rng(g) 2 Lm Adv ctfm H (q): success probability of any adversary making q queries In remainder, g(p, R 1 R 2 ) = R 1 P R 2, where R 1, R 2 of arbitrary length 7 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security Herding attack for MD g(p, R 2 ) = P R 2 R1 is empty string P is prex 8 / 15

Chosen-Target-Forced-Midx (CTFM) Security Chosen-Target-Forced-Midx (CTFM) Security Herding attack for MD g(p, R 2 ) = P R 2 R1 is empty string P is prex Herding attack for zipper g(p, R 1 ) = R 1 P R2 is empty string P is sux 8 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) 9 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: Adv ctfm (L 1)tq MD (q) + m2 p/m q + 2 n 2 p ( ) q 2 t e + q3 t2 n 2 2n 9 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) Adv ctfm (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{} 2n E 0 E 1 E 2 9 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm 9 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm t: tradeo between rst and third term 9 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm t: tradeo between rst and third term p dominates second term: E 0 covers event A guesses P 9 / 15

CTFM Security of MD CTFM Security of MD p : L : length of forced midx (bits) max. length of forged preimage (blocks) Theorem For any integral t > 0: ( ) (L 1)tq MD (q) + m2 p/m q q 2 t e + + q3 2 n 2 p t2 n 2 }{{}}{{}}{{}}{{} 2n succ E i E 0 E 1 E 2 Adv ctfm t: tradeo between rst and third term p dominates second term: E 0 covers event A guesses P L dominates rst term: larger L gives higher success probability 9 / 15

CTFM Security of MD Implications Corollary Let p be large enough (see paper). For any ε > 0: ( lim n Advctfm MD 2 2n/3 /L 1/3 2 -nε) = 0 10 / 15

CTFM Security of MD Implications Corollary Let p be large enough (see paper). For any ε > 0: ( lim n Advctfm MD 2 2n/3 /L 1/3 2 -nε) = 0 Implies (asymptotic) optimality of Original attack of Kelsey & Kohno Almost all attacks of Gauravaram et al. and Andreeva et al. Analysis can easily be generalized to other hash functions, such as MD with prex-free or sux-free padding Enveloped MD MD with permutation HAIFA 10 / 15

CTFM Security of MD Proof Idea Attack consists of two phases: First phase: A queries f and decides on y A receives random challenge P Second phase: A queries f and outputs g, R s.t. H f (g(p, R)) = y Graph: f (h i 1, M i ) = h i corresponds to arc h i 1 M i h i x at distance k from y: there exists a path x y of length k 11 / 15

CTFM Security of MD Proof Idea Attack consists of two phases: First phase: A queries f and decides on y A receives random challenge P Second phase: A queries f and outputs g, R s.t. H f (g(p, R)) = y Graph: f (h i 1, M i ) = h i corresponds to arc h i 1 M i h i x at distance k from y: there exists a path x y of length k A wins if: E 0 E 1 E 2 He guesses P in the rst phase For some node y and k {0,..., L}: graph contains more than t elements at distance k from y Graph contains 3-way collision succ E i Adversary nds CTFM preimage given E i 11 / 15

Optimally CTFM Secure Hash Functions Optimally CTFM Secure Hash Functions 12 / 15

Optimally CTFM Secure Hash Functions Optimally CTFM Secure Hash Functions Wide-pipe Wide-piping renders optimal CTFM security (trivial) 12 / 15

Optimally CTFM Secure Hash Functions Optimally CTFM Secure Hash Functions Wide-pipe Wide-piping renders optimal CTFM security (trivial) Narrow-pipe No optimally CTFM secure narrow-pipe hash function known We consider two possible directions: Salting Message modication: MD with more sophisticated padding 12 / 15

Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y 13 / 15

Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S 13 / 15

Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S Variant 3: $ S {0, 1} s y A f P $ {0, 1} p g, R Variant 4: y A f P $ {0, 1} p S $ {0, 1} s g, R 13 / 15

Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S Variant 3: $ S {0, 1} s y A f P $ {0, 1} p g, R Variant 4: y A f P $ {0, 1} p S $ {0, 1} s g, R Variant 1, 2, 3 : A knows salt, so Adv sctfm H (A) = Adv ctfm (A) H 13 / 15

Optimally CTFM Secure Hash Functions Salted-Chosen-Target-Forced-Midx (SCTFM) Security H : {0, 1} s {0, 1} {0, 1} n H(S, M) = y Variant 1: y, S A f P $ {0, 1} p g, R Variant 2: y A f P $ {0, 1} p g, R, S Variant 3: $ S {0, 1} s y A f P $ {0, 1} p g, R Variant 4: y A f P $ {0, 1} p S $ {0, 1} s g, R Variant 1, 2, 3 : A knows salt, so Adv sctfm H (A) = Adv ctfm H (A) Variant 4 : A commits to y without knowing hash function instance 13 / 15

Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other 14 / 15

Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other Idea: create dependence among message blocks 14 / 15

Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other Idea: create dependence among message blocks 14 / 15

Optimally CTFM Secure Hash Functions Message Modication Herding attack: edges in diamond added independently of each other Idea: create dependence among message blocks We describe attack for this and similar hash functions Same complexity as original herding attack (up to constant) Optimal due to our security bound 14 / 15

Conclusions Conclusions Chosen-target-forced-midx preimage resistance 15 / 15

Conclusions Conclusions Chosen-target-forced-midx preimage resistance Security notion 15 / 15

Conclusions Conclusions Chosen-target-forced-midx preimage resistance Security notion Introduced proof methodology Optimality of herding attack 15 / 15

Conclusions Conclusions Chosen-target-forced-midx preimage resistance Security notion Introduced proof methodology Optimality of herding attack Optimal (2 n ) security??? Open problem 15 / 15

Supporting Slides Supporting Slides SUPPORTING SLIDES!!! 16 / 15

Supporting Slides Detailed Proof Idea (1) E 0 E 2 : A guesses P By E 2 : graph contains at most m2 p/m q strings of length p Any such path equals P with probability at most 1/2 p Pr (E 0 E 2 ) m2 p/m q 2 p 17 / 15

Supporting Slides Detailed Proof Idea (1) E 0 E 2 : A guesses P By E 2 : graph contains at most m2 p/m q strings of length p Any such path equals P with probability at most 1/2 p Pr (E 0 E 2 ) m2 p/m q 2 p E 1 E 2 : > t elements at distance k from y By E 2 : only 2-way collisions One can show: graph must contain t 2-way collisions ( ) q ( q ) ( ) t q 2 t e Pr (E 1 E 2 ) t 2 n t2 n 17 / 15

Supporting Slides Detailed Proof Idea (2) E 2 : 3-way collision Pr (E 2 ) q3 2 2n 18 / 15

Supporting Slides Detailed Proof Idea (2) E 2 : 3-way collision Pr (E 2 ) q3 2 2n succ E i : CTFM preimage Forged message of length at most L blocks A needs at least one query to hit any of the L 1 closest layers to y By E 1 : at most t nodes per layer Pr (suc A (q 2 ) E 0 E 1 ) (L 1)tq 2 n 18 / 15