Presentation is loading. Please wait.

Presentation is loading. Please wait.

Merkle Puzzles Are Optimal Boaz Barak Mohammad Mahmoody-Ghidary TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A.

Similar presentations


Presentation on theme: "Merkle Puzzles Are Optimal Boaz Barak Mohammad Mahmoody-Ghidary TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A."— Presentation transcript:

1 Merkle Puzzles Are Optimal Boaz Barak Mohammad Mahmoody-Ghidary TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A A A A AA A AA A A A A A AAAA A

2 Some faces of modern cryptography Stone Age 1974 Merkle KA n 2 sec, ideal OWF 1976 Diffie- Hellman KA exp(n), ~dlog* RSA TDP exp(n) sec, factoring* 1989 Rabin TDP ~exp(n), factoring Naor-Yung SIG exp(n) sec, OWF* Fundamental Question: Is there OWF based KA with super poly security? Why is it important? Impagliazzo-Rudich 89: No KA based on random oracle can be proven more than n 6 secure in black-box way.

3 Some faces of modern cryptography Stone Age 1974 Merkle KA n 2 sec, ideal OWF 1976 Diffie- Hellman KA exp(n), ~dlog* RSA TDP exp(n) sec, factoring* 1989 Rabin TDP ~exp(n), factoring Naor-Yung SIG exp(n) sec, OWF* Fundamental Question: Is there OWF based KA with super poly security? Our Result: Improve IR89s bound to n 2 Theoretical motivation: power of interaction Practical motivation: rule out protocol w/ 10 9 operations security [Biham-Ishai-Goren08] Impagliazzo-Rudich 89: No KA based on random oracle can be proven more than n 6 secure in black-box way.

4 Talk Plan Formal defs and model. Overview of Merkles Protocol Description of our attacking algorithm Analysis of attack.

5 Formal Defs Def: Key exchange protocol AliceBob sAsA sBsB Correct nes s: Security: For every eavesdropping adv outputting s E Random oracle model: All parties have black-box access to a random function H :{ 0, 1 } n { 0, 1 } n (same model, different motivation than [Bellare-Rogaway 93]) This talk: Complexity = # queries to H H

6

7 Our Result Main Thm: 8 n -query protocol, 9 O (( n / ² ) 2 )-query Eve s.t. Pr [ s E = s A ] > Pr [ s A = s B ] - ² Alice sAsA sBsB H Bob Def: q 2 { 0, 1 } n is intersection query (IQ) for some execution of a protocol, if both Alice and Bob make the query q to H (). Main Thm follows from: Main Lemma: 8 n -query protocol, 9 O (( n / ² ) 2 )-query Eve Pr [ Eve makes all IQs ] > 1 - ² Intuition: w.l.o.g, last queries of Alice and Bob are s A, s B.

8 Main Lemma: 8 n -query protocol, 9 O (( n / ² ) 2 )-query Eve Pr [ Eve makes all IQs ] > 1 – O ( ² ) Alice sAsA sBsB H Bob Attack Algor ithm: Can show: E[# Eves queries ] · O ( n 2 / ² ) Need: 8 i, Pr[ Eve misses q i | not missing q j j < i ] · ² / n Intuition: If Eve didnt miss any IQ so far, it has as much chance at hitting Alices next query as Bob does.

9 Lemma: 8 i, Pr[ Eve misses q i | not missing q j j < i ] · 10² / n Proof attempt: Suppose not, Alices i th query q = q i is the first one missed. Eve knows all messages and all shared queries of Alice and Bob. Oracle gives random answers in all non- shared locations. (*) Alices and Bobs views are independent conditioned on Eves knowledge Alices v i e w Bobs v i e w Bad s e t ¹ ( ) ¸ 1 0 ² / n Fix Alices view A= ( r A, h A ) that still makes Pr[miss] > 10² / n But then >² / n overall prob that q asked by Bob- contradiction! (*) is false. Cause of [IR89]s technical complexity: handled by making more queries, show non-independence Eve makes progress per query. We show directly that views are close to being independent. (small mutual information)

10 Lemma: 8 i, Pr[ Eve misses q i | not missing q j j < i ] · ² / n Proof attempt: Suppose not, Alices i th query q = q i is the first one missed. Eve knows all messages and all shared queries of Alice and Bob. Oracle gives random answers in all non- shared locations. (*) Alices and Bobs views are independent conditioned on Eves knowledge Alices v i e w Bobs v i e w Bad s e t Fix Alices view A= ( r A, h A ) that still makes Pr[miss] > 10² / n ¹() >5²/n¹() >5²/n Implies We show: 8 A,B8 A,B

11 Views are almost independent Thus theorem follows from: Depends only on |r A |, |Q A | Depends only on |r B |, |Q B | Cor: Probabilities in product and non-product are same up to mult factor of 0.99

12 N M ®M

13 Main Lemma: 8 n -query protocol, 9 O (( n / ² ) 2 )-query Eve Pr [ Eve learns all IQs ] > 1 – O ( ² ) Alice sAsA sBsB H Bob Attack Algor ithm: Left to do: E[# Eves queries ] · O ( n 2 / ² ) Proved: 8 i, Pr[ Eve misses q i | not missing q j j < i ] · 10² / n Cor: Pr[ Eve misses some IQ ] · 10²

14 Attack Algor ithm: Efficiency of attack Lemma: E[# Eves queries ] · O ( n 2 / ² ) Left to do: E[# Eves queries ] · O ( n 2 / ² )

15 Open Questions O(n 2 ) bound for random permutations (we improve [IR89]s O ~ (n 12 ) bound to O(n 4 )) can also consider ideal cipher, other symmetric primitives. Rule out a construction with non-trivial (i.e., ! (n) ) security w.r.t. quantum adversaries?? Find non-black-box constructions of key exchange from one-way functions, or other unstructured assumptions.


Download ppt "Merkle Puzzles Are Optimal Boaz Barak Mohammad Mahmoody-Ghidary TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A."

Similar presentations


Ads by Google