
Hardness Assumptions Related to Ad-Hoc Constructions Shai Halevi February 22, 2007.

Presentation transcript:

1 Hardness Assumptions Related to Ad-Hoc Constructions Shai Halevi February 22, 2007

2 Ad-hoc constructions
- Hash functions: MD5, SHA-x, RIPEMD, WHIRLPOOL, RadioGatún, …
- Block ciphers: DES, IDEA, RC5/6, Twofish, AES, Camellia, …
- Stream ciphers: RC4, A5/x, MUGI, Py, Rabbit, SEAL, Trivium, …
- Often consist of a “basic function” and a “mode of operation” around it

3 What conjectures to make?
- We know very little about the true hardness of these “ad hoc constructions”
- Use conjectures to fill some of the void
  - The more the merrier
- Only two requirements
  - Can be used to do something interesting*
  - Not known to be false
    - Sometimes we even compromise on this
* Let you prove interesting theorems

4 Standard conjectures
- Block ciphers: strong PRP
- Hash functions: many many things
  - Collision-resistant, 2nd pre-image resistant, one-way, UOWHF (TCR)
  - PRF, MAC (when keyed)
  - Also others: hard to find pre-image of zero, hard to find “almost collisions”, hard to find fixed-points, “division-intractability”, …

5 “Unholy conjectures”
- Random oracles, ideal ciphers
- What the customer wants: this is how people who build applications think of these constructs
  - E.g., what’s wrong with E_k(k)?
  - “You proved that this is not a random oracle. That’s your problem, not ours”
- Unfortunately they have a point

6 Theory, anyone?
- Modes of operation
- Relations between notions
- “Weak random oracles”
- And beyond…

7 Modes of operation
- View constructs as a black box
- Results are meaningful even for idealized ciphers or hash functions
- E.g., DESX stronger than DES, when DES is modeled as an ideal cipher [KR96]
[Figure: DESX, keys k1, k2, k3 around DES: C = k3 ⊕ DES_k2(P ⊕ k1)]

8 ROs and ideal ciphers
- Using random funcs/perms for extractors
  - In CBC mode, HMAC mode [DGHKR04]
- Domain extension for ROs [CDMP05]
  - Also building ROs from ideal ciphers
- Open: building ideal ciphers from ROs
  - Partial results in [DP06]
- Open: domain-extenders for ideal ciphers

9 Multi-property-preserving modes
- Prove many claims on the same mode
- E.g., for (a variant of) Merkle-Damgård:
  - If the compression function is collision-resistant then so is the resulting hash function,
  - If the compression function is a PRF then so is the resulting hash function,
  - If the compression function is a random oracle then so is the resulting hash function,
  - Etc.
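The first claim on this slide (collision-resistance is preserved by Merkle-Damgård) has a short constructive proof, and it is worth seeing the reduction actually run. The block below is an added example, not code from the talk: it implements a Merkle-Damgård hash with MD-strengthening (length padding) over a constructed, deliberately weak 16-bit compression function so that hash collisions can be found by a birthday search in milliseconds, and then runs the reduction that turns any collision in the iterated hash H into a collision in the compression function f. Every name, block size and the toy f are assumptions made for the demonstration.

```python
"""Toy Merkle-Damgard hash with MD-strengthening, plus the reduction
behind "if f is collision-resistant then so is H": from two distinct
messages with H(m1) == H(m2), recover two distinct inputs to f with the
same output.  Added example; f is a constructed, deliberately weak toy."""
import os
import struct

BLOCK = 2       # message block size in bytes (constructed toy size)
IV = 0x1234     # 16-bit initial chaining value (constructed)


def compress(h, block):
    """Constructed toy compression function f: 16-bit chaining value x
    16-bit block -> 16-bit output.  Weak on purpose so the demo is fast."""
    m = int.from_bytes(block, "big")
    return ((h * 31) ^ m) & 0xFFFF


def pad(msg):
    """MD-strengthening: append 0x80, then zero bytes, then the message
    length in bits (2 bytes), so the total is a multiple of BLOCK."""
    bitlen = len(msg) * 8
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK != 0:
        padded += b"\x00"
    return padded + struct.pack(">H", bitlen)


def md_chain(msg):
    """Return the whole chaining-value sequence h_0 .. h_n for the padded msg."""
    p = pad(msg)
    chain = [IV]
    for i in range(0, len(p), BLOCK):
        chain.append(compress(chain[-1], p[i:i + BLOCK]))
    return chain


def md_hash(msg):
    return md_chain(msg)[-1]


def find_hash_collision(length=4):
    """Birthday search for two distinct equal-length messages with equal H.
    Feasible only because the toy f has a 16-bit output."""
    seen = {}
    while True:
        m = os.urandom(length)
        h = md_hash(m)
        if h in seen and seen[h] != m:
            return seen[h], m
        seen[h] = m


def compression_collision_from_hash_collision(m1, m2):
    """The reduction: walk both chains backwards from the common output to
    the last compression call whose inputs differ but outputs agree.
    Returns ((h, block), (h', block')) with f(h, block) == f(h', block')."""
    assert m1 != m2 and md_hash(m1) == md_hash(m2)
    p1, p2 = pad(m1), pad(m2)
    c1, c2 = md_chain(m1), md_chain(m2)
    if len(p1) != len(p2):
        # Different lengths: the final blocks carry different length fields,
        # so the final compression calls already form a collision of f.
        return (c1[-2], p1[-BLOCK:]), (c2[-2], p2[-BLOCK:])
    n = len(p1) // BLOCK
    for i in range(n, 0, -1):
        # call i consumed chaining value c[i-1] and block i-1; c1[i] == c2[i] here
        in1 = (c1[i - 1], p1[(i - 1) * BLOCK:i * BLOCK])
        in2 = (c2[i - 1], p2[(i - 1) * BLOCK:i * BLOCK])
        if in1 != in2:
            return in1, in2
    raise AssertionError("unreachable: the padded messages differ in some block")


if __name__ == "__main__":
    a, b = find_hash_collision()
    (h1, b1), (h2, b2) = compression_collision_from_hash_collision(a, b)
    print("H collision:", a.hex(), b.hex(), hex(md_hash(a)))
    print("f collision:", (hex(h1), b1.hex()), (hex(h2), b2.hex()), hex(compress(h1, b1)))
```

The loop invariant is the whole proof: at step i the two chaining outputs agree, so either the inputs to that call agree too (and the invariant carries to step i-1) or they differ and we have the f-collision; since the padded messages differ somewhere, the loop must stop. The length-padding branch is exactly why MD-strengthening is needed for messages of different lengths.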

10 Relations between notions
- So many notions, we need taxonomies

11 Collision-resistance vs. the world
- Not implied by PRPs via BB [S98]
- Implied by PIR, homomorphic encryption [IKO05]
  - Surprising: collision-resistance follows from secrecy guarantees
- Connections to the compressibility of SAT [HN06]
- Equivalent to one-flow statistically-hiding commitment?

12 “Weak random oracles”
- RO-like but can actually exist
  - At least we can’t prove that they don’t exist
- Not many of those:
  - Perfect one-way hashing [C97, CMR98]
    - AKA “point-function obfuscators” [W05]
  - “Magic functions” [DNRS99]
    - Sometimes can prove they do not exist [GK03]

13 And beyond…
- Theory of block ciphers? Embarrassingly lacking
- Luby-Rackoff [LR88] for Feistel networks?
  - + refinement by Naor-Reingold [NR97]
  - Dodis-Puniya [DP07] analyze Feistel with round functions weaker than PRFs
- Relevance to block-cipher design is a huge leap of faith

14 Security from round functions
- Block-cipher recipe:
  - Take a sufficiently non-linear permutation
  - Sprinkle some secret-key material
  - Repeat sufficiently many times
  - Get a secure cipher
- Moral: security comes from repetition, not so much the original round function
- Can we make a science of it?
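The recipe on this slide, and the DESX mode-of-operation picture on slide 7, can both be made concrete with a toy substitution-permutation cipher. The block below is an added example written for this page, not code from the talk or from any real cipher: it builds a 16-bit cipher from a 4-bit S-box (the one used by PRESENT is borrowed as the "non-linear permutation"), a bit permutation, and a constructed toy key schedule, repeats the round a chosen number of times, and measures how far the "repetition" part of the recipe gets you by computing the avalanche effect (fraction of ciphertext bits flipped by a single plaintext-bit flip) for one round versus eight. It then wraps the toy cipher in DESX-style whitening, C = k3 ⊕ E_k2(P ⊕ k1), with the toy standing in for DES. The block size, key schedule and round counts are assumptions for the demonstration.

```python
"""Toy SP-network for the slide's recipe (non-linear permutation + key
material, repeated) and DESX-style whitening around it.  Added example;
the 16-bit block, key schedule and round counts are constructed toys."""
import random

# 4-bit S-box (PRESENT's) and its inverse: the "non-linear permutation"
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(i) for i in range(16)]
# Bit permutation on 16 bits: bit i moves to position 4*i mod 15, bit 15 stays.
# Each nibble's four output bits land in four different nibbles (diffusion).
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]
INV_PERM = [PERM.index(i) for i in range(16)]
MASK = 0xFFFF


def sub_nibbles(x, box):
    """Apply a 4-bit S-box to each of the four nibbles of a 16-bit word."""
    return sum(box[(x >> (4 * j)) & 0xF] << (4 * j) for j in range(4))


def permute_bits(x, perm):
    """Move bit i of x to position perm[i]."""
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << perm[i]
    return y


def round_keys(key, rounds):
    """Constructed toy key schedule (rounds <= 15): rotate the 16-bit key by
    the round index and mix the index in.  rounds + 1 keys, the last one
    is the final key addition."""
    return [(((key << i) | (key >> (16 - i))) & MASK) ^ ((0x1111 * i) & MASK)
            for i in range(rounds + 1)]


def encrypt(p, key, rounds):
    """The recipe: (add key, S-box layer, permutation layer) repeated."""
    rk = round_keys(key, rounds)
    x = p & MASK
    for r in range(rounds):
        x ^= rk[r]                  # sprinkle secret-key material
        x = sub_nibbles(x, SBOX)    # sufficiently non-linear permutation
        x = permute_bits(x, PERM)   # spread the nibbles over the block
    return x ^ rk[rounds]


def decrypt(c, key, rounds):
    rk = round_keys(key, rounds)
    x = (c & MASK) ^ rk[rounds]
    for r in reversed(range(rounds)):
        x = permute_bits(x, INV_PERM)
        x = sub_nibbles(x, INV_SBOX)
        x ^= rk[r]
    return x


def avalanche(rounds, key=0xBEEF, samples=500, seed=1):
    """Average fraction of ciphertext bits that flip when one random
    plaintext bit is flipped; ~0.5 is what a random permutation gives."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(samples):
        p = rng.getrandbits(16)
        bit = 1 << rng.randrange(16)
        diff = encrypt(p, key, rounds) ^ encrypt(p ^ bit, key, rounds)
        total += bin(diff).count("1") / 16
    return total / samples


# DESX-style whitening (slide 7) with the toy cipher standing in for DES
def desx_encrypt(p, k1, k2, k3, rounds=8):
    return k3 ^ encrypt(p ^ k1, k2, rounds)


def desx_decrypt(c, k1, k2, k3, rounds=8):
    return k1 ^ decrypt(c ^ k3, k2, rounds)


if __name__ == "__main__":
    for r in (1, 2, 4, 8):
        print(f"{r} round(s): avalanche = {avalanche(r):.3f}")
    c = desx_encrypt(0x0F0F, 0x1111, 0x2222, 0x3333)
    print("DESX-style:", hex(c), hex(desx_decrypt(c, 0x1111, 0x2222, 0x3333)))
```

After one round a single flipped bit can reach at most the four bits of one nibble, so the avalanche figure is capped at 0.25; with enough repetitions it settles near 0.5. That is the slide's "moral" in numbers, though avalanche is only a sanity check, not evidence of PRP security.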

15 Charlie’s conjecture
- Due to Charlie Rackoff
- Take a “simple enough” permutation family
  - E.g., computed in NC0
- Repeat enough times to get “almost four-wise independence”
- The result is a PRP
- Can anyone disprove it?

16 Comments
- X-wise independence reminiscent of “Decorrelation theory” [V]
- Can’t replace 4-wise with 3-wise
  - Otherwise it’s false
- Simplicity of the round function is important
  - Otherwise it’s false (e.g., if you start from a 4-wise independent permutation)
  - The point is to have many repetitions

17 What can we do with Charlie?
- The conjecture implies that PRPs exist
  - But PRPs with a very specific structure
- Do they imply CR hashing?
- If not: come up with a similar conjecture that implies collision-resistant hashing
  - Or implies both PRPs and CR hashing

18 Summary
- We know very little about the true hardness of these “ad hoc constructions”
- Conjectures can fill some of the void
  - The more the merrier
- Only two requirements
  - Not known to be false (?)
  - Can be used to do something interesting*
* Let you prove interesting theorems

19 Thank you

