Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi.


1 Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi

2 Non-Malleable Hash Functions ► Bogdan Warinschi Formacrypt meeting 2007 Page 2
Non-Malleability
• Intuition
• Being given an instance f(x) does not help in finding f(x*) for a related x*

3 Non-Malleability
Example 1
• given the encryption C1 = Enc(PK,M)
• it should be hard to construct an encryption C2 of M xor 11....1
Example 2
• given a commitment Com(X,N), with N an unknown random nonce
• it should be hard to construct a commitment Com(X+1000,N) for the same N

4 Non-Malleability
Example 3
• given encryption scheme (K,E,D) construct encryption scheme (K_1,E_1,D_1):
• K = K_1,
• E_1 = E(PK,M)b, where b is a randomly chosen bit
• D_1(SK,Cb) = D(SK,C)
• the scheme is malleable: given an encryption Cb of message M it is easy to construct an encryption Cb′ of message M′ such that M = M′

5 Non-Malleability
• Well studied for encryption, commitments, zero-knowledge
  – Definitions
  – Constructions
  – Applications
• How about hash functions?

6 Non-malleable hash functions
• Motivation
• Definition
• Construction
• Applications

7 Motivation: soundness of the random oracle model
Modelling:
  – in the RO model, hash functions are accessed in a black-box way (by both honest parties and the adversary)
  – they are truly random functions
Advantages:
  – enable security proofs for very efficient primitives/protocols for which we have no other security proofs

8 Motivation: soundness of the random oracle model
Disadvantages:
• Can the RO be instantiated with standard hash functions in a way that preserves the security proof?
  – In general the answer is NO (the RO model is provably unsound)
  – For some schemes it may be possible to replace a random oracle H with a standard hash function
  – What if the security of the scheme uses non-malleability of random oracles?

9 Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), r xor M )

10 Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M )

11 Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )

12 Motivation: soundness of the random oracle model
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )
  – Assume that H is such that given H(r||M) it is possible to construct H(r||M xor 11...1);
  – Then Enc is malleable: from Enc(PK,M) it is possible to construct Enc(PK, M xor 11....1)
  – A security-preserving instantiation of H with an actual hash function would require H to be non-malleable
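Slide 12's argument as a runnable toy, added here as an illustration and not taken from the talk: the scheme Enc(PK,M) = (RSA(PK,r), G(r) xor M, H(r||M)) is instantiated once with a deliberately malleable H (a GF(2)-linear map) and once with truncated SHA-256. The RSA parameters, the names h_linear, h_sha, maul and demo, and the sample message are all assumptions made for the example.

```python
import hashlib, secrets

# Toy textbook RSA from two Mersenne primes: constructed for this demo, not secure.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
RLEN = MLEN = 8                      # bytes of randomness r and of message M
ONES = b"\xff" * MLEN                # the string 11...1 from the slide

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(r: bytes) -> bytes:            # mask generator (stand-in for the oracle G)
    return hashlib.sha256(b"G" + r).digest()[:MLEN]

def h_linear(x: bytes) -> bytes:
    """Deliberately malleable H: a GF(2)-linear map, so H(x^d) = H(x)^H(d)."""
    acc = 0
    for i in range(len(x) * 8):
        if (x[i // 8] >> (i % 8)) & 1:
            col = hashlib.sha256(b"col%d" % i).digest()[:8]
            acc ^= int.from_bytes(col, "big")
    return acc.to_bytes(8, "big")

def h_sha(x: bytes) -> bytes:        # ordinary hash without that linear structure
    return hashlib.sha256(b"H" + x).digest()[:8]

def enc(m: bytes, H):
    r = secrets.token_bytes(RLEN)
    return pow(int.from_bytes(r, "big"), E, N), xor(G(r), m), H(r + m)

def dec(c, H):
    c1, c2, c3 = c
    r = pow(c1, D, N).to_bytes(RLEN, "big")
    m = xor(G(r), c2)
    return m if H(r + m) == c3 else None      # reject if the tag does not match

def maul(c):
    """Turn Enc(PK, M) into Enc(PK, M xor 11...1) using public values only."""
    c1, c2, c3 = c
    return c1, xor(c2, ONES), xor(c3, h_linear(bytes(RLEN) + ONES))

def demo(H, m: bytes = b"PAY 0100"):
    return dec(maul(enc(m, H)), H)

if __name__ == "__main__":
    print("linear H :", demo(h_linear))   # flipped message is accepted
    print("SHA-256 H:", demo(h_sha))      # mauled ciphertext is rejected
```

With the linear H the decryptor accepts the transformed ciphertext although r and M were never known to whoever transformed it; with the SHA-256 stand-in the same transformation fails the tag check.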

13 Motivation: soundness of formal analysis
• In symbolic analysis hash functions are non-malleable:
  – the Dolev-Yao adversary can construct H(M) only if it knows M
  – The attack where from H(A,N) for unknown nonce N the adversary constructs H(B,N) is not possible in the DY world
• To ensure that all attacks in the cryptographic model are captured by the Dolev-Yao adversary, the attack above should not be possible in the real world

14 Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications

15 Defining Non-Malleable Hash Functions: Definition (sketch)
Experiment with adversary Adv:
• sample x ← X
• compute y ← H(x)
• let (T,y*) ← Adv(y)
• let x* ← T(x)
• success iff H(x*) = y*, y ≠ y* and R(x,x*) = 1
Experiment with simulator Sim:
• sample x ← X
• let x* ← Sim()
• success iff R(x,x*) = 1
Definition: H is non-malleable w.r.t. distribution X iff Prob[ Adv succeeds ] ≈ Prob[ Sim succeeds ]

16 Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications

17 Constructing Non-Malleable Hash Functions: Construction (Part I)
• Necessary: H(x) must not leak information about x
• Idea: use Canetti's perfectly one-way hash functions
• Definition: (probabilistic) hash function h is POWHF w.r.t. X and aux iff (h(x), aux(x)) ≈ (h(x'), aux(x)) for x,x' ← X

18 Constructing Non-Malleable Hash Functions: Construction (Part II)
• Even if H(x) hides all information about x, the function H may still be malleable
• Idea: append a (ssNIZK) proof of knowledge of x
• When an adversary given y=H(x) outputs y*, he must know some x* such that H(x*)=y*, and he had no information on x: the only relations between x and x* that hold are trivial (and can be easily satisfied by a simulator)

19 Constructing Non-Malleable Hash Functions: Construction (Putting things together)
• Theorem (sketch): Let h be POWHF w.r.t. X and aux, let (Gen,Prover,Verifier) be ssNIZKPoK. Then H(x) = ( h(x), π ) where π ← Prover(crs,x,h(x)) is non-malleable w.r.t. X and aux.
(solution not really efficient, rather feasibility result)

20 Non-malleable hash functions
• Motivation
• Definitions
• Construction
• Applications

21 Application to Message Authentication: Message Authentication via H(k||m)
• H(k||m) is a secure MAC for secret key k if H is a random oracle or a pseudorandom function
• We show that H(k||m) is a secure MAC if H is non-malleable
• Security means: an adversary who sees H(k,m_1), H(k,m_2), ..., H(k,m_n) cannot compute H(k,m) for m different from m_1, m_2, ..., m_n

22 Application to Message Authentication: Message Authentication via H(k||m) (Proof intuition)
• Consider an adversary A who, after seeing H(k||m), manages to output a forgery (m′,H(k||m′))
• Construct adversary B against non-malleability:
  – on input H(k||m) the adversary runs A internally and obtains (m′,H(k||m′))
  – output H(k||m′) and T(k||x)=k||m′
• Consider the relation R(x||y,z||w)=1 if x=z; then the adversary B satisfies the relation since R(k||m,k||m′) = 1

23 Instantiating random oracles
• Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )
• If ( RSA(PK,r), G(r) xor M, H(r||M) ) is the challenge ciphertext, we argue in the proof that the adversary cannot query its decryption oracle on the ciphertext ( RSA(PK,r), G(r) xor M′, H(r||M′) )
• The security proof is still in the random oracle model

24 Soundness of formal analysis of hash functions
• Ongoing work
• Some problems:
  – general soundness only in the trusted parameters model (NIZK proof systems use a common reference string which needs to be generated honestly)
  – POWHFs are not known to exist for arbitrary distributions

25 Conclusion
• Motivation (Interesting, useful)
• Definitions
• Construction (POWHF+ssNIZKPoK)
• Applications (MAC, Encryption)

26 Application to Message Authentication: Mapping MAC-Adversaries to NM-Adversaries
MAC experiment (adversary B):
• m ← B()
• sample k ← K
• compute y ← H(k||m)
• let (m*,y*) ← B(y)
• success iff H(k||m*) = y*, y ≠ y*
NM experiment (adversary A):
• sample x ← X, compute y ← H(x)
• let y* ← A(y)
• let x* ← A(x)
• success iff H(x*) = y*, y ≠ y* and R(x,x*) = 1
Annotations on the NM experiment:
• p ← A()
• X(p) samples k ← K, outputs x = k||p
• r_x ← aux(x)
• x* = k||m* ← A(k||m)
Pr[ A succ ] = Pr[ B succ ] (if relation always evaluates to 1 for A)

27 Application to Message Authentication: Towards Picking the Relation
define relation R(r_x,x*) such that
  – always evaluates to 1 for adversary A
  – but very small probability for every simulator Sim
MAC insecure ⇒ Pr[ A succ ] = Pr[ B succ ] ≥ 1/p(n) but Pr[ Sim succ ] << 1/p(n) ⇒ H not non-malleable

28 Application to Message Authentication: Actually Picking the Relation
• let aux_t(k||m) output t pairs (s_j, ‹s_j,k› mod 2) for j=1,2,..,t (Goldreich-Levin hardcore bits)
• let R(r_x, k*||m*) = 1 iff ‹s_j,k› = ‹s_j,k*› mod 2 for j=1,2,..,t
• then R(r_x,k||m*) = 1, but Pr[ R(r_x,k*||m*) = 1 ] = 2^(−t) for k* ≠ k (recall: A outputs x*=k||m*)
• If h POWHF w.r.t. X and empty aux, then h POWHF w.r.t. X and aux_t for t=O(log n) !!!

29 Application to Message Authentication: Comparing Adversary and Simulator
Adversary experiment:
• p ← A()
• sample x ← X(p), compute y ← H(x)
• r_x ← aux_t(x)
• let y* ← A(y)
• let x* ← A(x)
• success iff H(x*) = y*, y ≠ y* and R(r_x,x*) = 1
• Pr[ A succ ] = Pr[ B succ ] ≥ 1/p(n)
Simulator experiment:
• p ← Sim()
• sample x ← X(p), let x* ← Sim()
• r_x ← aux_t(x)
• success iff R(r_x,x*) = 1
• x* = k*||m* independent of k, r_x
• Pr[ Sim succ ] = 2^(−t) ≤ 1/(2p(n)) for t = log p(n) + 1
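The relation from slides 28 and 29 worked through in code, as an added example that is not part of the talk: it builds aux_t and R, checks that the real key always satisfies R, and computes Pr[R = 1] for a different key exactly by enumerating every s. The 12-bit key length, the sample keys, p = 1024 and the helper names are assumptions chosen so the enumeration is small.

```python
from fractions import Fraction
import secrets

NBITS = 12   # toy key length, small enough to enumerate every s (assumption)

def ip(s: int, k: int) -> int:
    """Inner product <s,k> mod 2 of two bit strings held as integers."""
    return bin(s & k).count("1") & 1

def aux_t(k: int, t: int):
    """aux_t(k||m): t pairs (s_j, <s_j,k> mod 2) for uniformly random s_j."""
    return [(s, ip(s, k)) for s in (secrets.randbits(NBITS) for _ in range(t))]

def relation(r_x, k_star: int) -> bool:
    """R(r_x, k*||m*) = 1 iff <s_j,k> = <s_j,k*> mod 2 for all j (m* is ignored)."""
    return all(ip(s, k_star) == bit for s, bit in r_x)

def exact_prob(k: int, k_star: int, t: int) -> Fraction:
    """Pr[R(r_x, k*||m*) = 1] over the choice of s_1..s_t, by enumerating all s."""
    agree = sum(ip(s, k) == ip(s, k_star) for s in range(2 ** NBITS))
    return Fraction(agree, 2 ** NBITS) ** t

def t_for(p: int) -> int:
    """t = log p(n) + 1 (log rounded up), so that 2^-t <= 1/(2 p(n))."""
    return (p - 1).bit_length() + 1

if __name__ == "__main__":
    k, k_star, p = 0b101100111000, 0b101100111001, 1024   # constructed values
    t = t_for(p)
    print(relation(aux_t(k, t), k))      # same key: relation always holds
    print(exact_prob(k, k_star, t))      # different key: 2^-t
```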

30 ► Non-Malleable Hash Functions Marc Fischlin WCP 2007 Page 30
Conclusion
• defined, constructed and applied NM hashes
• not in this talk: black-box separation of OWP and NM hashes (à la Hsiao-Reyzin)
• future: investigate usefulness of definition
