PRF Domain Extension using DAGs Charanjit Jutla IBM T J Watson

ffff P1 P2P3Pm V1 V2V3Vm n bits to mn bits domain tilde-f

V1 V2 V4 V3 V5 P1 P2P3P5P4 ff f f f C

Requirements on the DAG Directed Acyclic Graph G = (V,E) |V| = m Unique source and sink nodes G is non-redundant –no two nodes have the same set of immediate predecessors Then, PRF Domain Extension to mn bits

V1 V2 V4 V3 V5 P1 P2P3P5P4 ff f f f

A Parallel Mode for Four Processors In general, 3+log* m depth

Really Basic Intuition C_i = f ( P_i xor XOR in E C_ j ) Call M_i = P_i xor XOR in E C_ j M_i is input to node V_i Can two such M_i1 and M_i2 collide? –i1= i2 ::: hopefully plaintexts are different??? –i1 \=i2 XOR C_ j ?= XOR C_ j

Using Galois Field GF(2^n) XOR C_ j ?= XOR C_ j XOR a_{j,i1}*C_ j ?= XOR a_{j,i2}*C_ j

Edge-Colored DAGs Directed Acyclic Graph G = (V,E) |V| = m Edge Coloring ψ: E GF(2^n)* Unique sink node G is non-singular –If two nodes (say u and v) have the same set of immediate predecessors (say W), then exists w \in W :: ψ(w,u) \= ψ(w,v) Then, PRF Domain Extension to mn bits

A Parallel Mode for Four Processors *x *x^2 *(1+x) *1

PMAC [BR02] (Parallelizable Authentication Mode) color m

PMAC [BR02] To be precise…. color m Constant 0

Variable Length Domain Ext. length need not be multiple of n –naïve padding with 10^t doesnt work –how to distinguish b/w full length and partial –UNLESS full length is authenticated differently [PR00], [BR00] naïve CBC-MAC for diff length – flawed – C1 = CBCMAC_f ( P1) – C1 = CBCMAC_f ( P1 || C1 xor P1)

Collection of DAGs 2 DAGs for each block len t : G_{2t} G_{2t+1} each DAG must have unique sink node each DAG must have at least t nodes each DAG individually non-singular – is that enough? NO

Incorrect Construction V1 V2V3 V4 V1 V2V3 V4 G_i cannot be allowed to be an induced subgraph of another G_j Define all graphs on the same set of vertices V

Requirements for VIL-PRF If for any pair of vertices (say u, v, u\=v) and graphs G_i and G_i, the set of incident nodes of u in G_i and v in G_i are same, then at least one incident edge is colored differently. –Non-singular over all graphs for each graph G_i, it is not the case that there is another graph G_i which is identical till the largest node of G_i

Optimizied VIL Mode col2col3 col4col5 col

Current Best Mode col2col3 col4col5 col col3

Parallel VIL mode v1 v2 v3 v2^n color5 color6 v1 v2 v3 v2^n color5 color6 col1 col2 col3 col4

Proof Most theorems involving PRF, PRP constructions, as well as Modes of Operations --- from smaller primitives --- have to tackle collisions in calls to the smaller primitive Modulo that, proving randomness is easy

Collisions in calls to oracle automatic collisions -- as in CBC-MAC Unforced collisions Forced collisions (adversarial, adaptive) –can try to prove there are no forced collisions –Fix last blocks of the transrcipt – visible to A –Conditioned on this, –On Average over all possible transcripts c, same as collisions in the transcript Thus, adversary left with playing automatic collisions

THE END