
Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound Arvind Narayanan (UT Austin) Ilya Mironov (Microsoft Research)





2 Notions of hash function security
(Diagram relating the notions TCR, Pre, Sec, aSec, eSec, CR, aPre, ePre, multicollision resistance, Nostradamus resistance and the random oracle (RO); three of the relations are marked "?".)

3 What's wrong with MD?
(Figure: Merkle-Damgard chain of compression functions C taking message blocks M1, M2, M3 and chaining values h0, h1, h2, with output h = h3.)
Multicollisions (Joux, Crypto'04)
Second preimage (Kelsey and Schneier, Eurocrypt'05)
Nostradamus (Kelsey and Kohno, Eurocrypt'06)
Birthday paradox
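The Joux multicollision cited on this slide, worked through on a toy narrow-pipe Merkle-Damgard hash (added example, not from the talk): the chaining value is N_BITS wide, each block collision costs about 2^(N_BITS/2) birthday work, and chaining k of them yields 2^k messages with the same hash. The compression function (truncated SHA-256), block size and the 16-bit width are constructed for illustration; the point is that the narrow internal state, not the compression function, is what the wide-pipe designs on the later slides fix.

```python
import hashlib
from itertools import product

N_BITS = 16   # toy chaining-value width (constructed; real MD hashes use 128-512 bits)
BLOCK = 8     # message block size in bytes (constructed)

def compress(h, block):
    """Toy compression function: SHA-256 of (h || block) truncated to N_BITS bits."""
    digest = hashlib.sha256(h.to_bytes(4, "big") + block).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << N_BITS) - 1)

def md_hash(msg, iv=0):
    """Plain Merkle-Damgard chaining with a narrow state and no finalization."""
    assert len(msg) % BLOCK == 0, "message must be a whole number of blocks"
    h = iv
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return h

def find_block_collision(h):
    """Birthday search for two distinct blocks b1 != b2 with
    compress(h, b1) == compress(h, b2); expected cost ~2^(N_BITS/2) calls."""
    seen = {}
    counter = 0
    while True:
        b = counter.to_bytes(BLOCK, "big")
        out = compress(h, b)
        if out in seen:
            return seen[out], b
        seen[out] = b
        counter += 1

def joux_multicollision(k, iv=0):
    """Chain k single-block collisions from the IV. Every choice of one block
    per position reaches the same chaining value, so the 2^k messages returned
    all share one MD hash for only k * 2^(N_BITS/2) work."""
    h = iv
    choices = []
    for _ in range(k):
        b1, b2 = find_block_collision(h)
        choices.append((b1, b2))
        h = compress(h, b1)   # identical to compress(h, b2) by construction
    return [b"".join(blocks) for blocks in product(*choices)]

if __name__ == "__main__":
    msgs = joux_multicollision(4)
    print(len(msgs), "messages,", len({md_hash(m) for m in msgs}), "distinct hash")
```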

4 What does indifferentiability mean?
(Figure: the same chain with the compression function replaced by an ideal primitive S, taking M1, M2, M3 and h0, h1, h2 with h = h3, compared against an Oracle.)
Maurer et al. [CDMP05]

5 Lucks (Asiacrypt 2005)
(Figure: double-pipe construction; each message block M1, M2, M3 enters two parallel compression functions with chaining values h0 and h1.)
Internal state must be wide (2 x output length)
Optimal security
Compression function, "Finalizing function"
Rate = 0.25
Not exactly impossible

6 Simple construction
(Figure, only one block shown: message block M is mixed into the two pipes through linear maps with coefficients α1, α2, β1, β2; compared with the Lucks double pipe.)
Twice as much space for message bits
Linear algebra very fast

7 Other possibilities
(Figure, only one block shown, compared with the Lucks double pipe.)
No internal collisions!
Collision resistance 2^n on output length 2n

8 Ugly construction
(Figure: message blocks M1, M2, M3 fed across the two pipes.)
Rate 3/8
Provably behaves like a random oracle (2^n)

9 Proof technique
(Figure: the construction with blocks M1, M2, M3.)
NOT a random oracle!
Hybrid argument fails
Inductive "global" proof
Collision counting

10 Goal: distinguish construction from random oracle
The adversary wins if...
  – Collision
  – Unsupported query
Does not seem to lead to attack, but necessary for using the indifferentiability framework

11 Results
Simple:
  – Rate 1/2 (always)
  – Collision resistant (2^n)
  – Almost behaves like random oracle (2^n)
Ugly:
  – Rate 3/8 (for SHA-256)
  – Provably behaves like random oracle (2^n)

12 Rate comparison
(Plot: overall rate against compression ratio 1 to 5 for SHA-256; curves for Merkle-Damgard, Simple, Ugly and Lucks double-pipe.)

13 Why should you care?
Gap between MD and double pipe is large
  – Factor of 4 for SHA-256, 3 for MD5
New crop of proof techniques
  – Steinberger (Eurocrypt'07)
  – Current work
  – Shrimpton and Stam (next talk)
Apply techniques to new constructions?

14 Work in progress
Constructions with better rate
  – Nontrivial lower bound?
  – Possibility of getting close to rate 1
Domain separation
Understand model better, esp. role of unsupported queries
Simpler constructions and proofs

