Hardness Assumptions Related to Ad-Hoc Constructions Shai Halevi February 22, 2007.


Ad-hoc constructions
- Hash functions: MD5, SHA-x, RIPEMD, WHIRLPOOL, RadioGatún, …
- Block ciphers: DES, IDEA, RC5/6, Twofish, AES, Camellia, …
- Stream ciphers: RC4, A5/x, MUGI, Py, Rabbit, SEAL, Trivium, …
- Often consist of a “basic function” and a “mode of operation” around it

What conjectures to make?
- We know very little about the true hardness of these “ad hoc constructions”
- Use conjectures to fill some of the void
  - The more the merrier
- Only two requirements:
  - Can be used to do something interesting*
  - Not known to be false
    - Sometimes we even compromise on this
* Let you prove interesting theorems

Standard conjectures
- Block ciphers: strong PRP
- Hash functions: many, many things
  - Collision-resistant, 2nd pre-image resistant, one-way, UOWHF (TCR)
  - PRF, MAC (when keyed)
  - Also others: hard to find a pre-image of zero, hard to find “almost collisions”, hard to find fixed-points, “division-intractability”, …

“Unholy conjectures”
- Random oracles, ideal ciphers
- What the customer wants: this is how people who build applications think of these constructs
  - E.g., what’s wrong with E_k(k)?
  - “You proved that this is not a random oracle. That’s your problem, not ours”
- Unfortunately they have a point

Theory, anyone?
- Modes of operation
- Relations between notions
- “Weak random oracles”
- And beyond…

Modes of operation
- View constructs as a black box
- Results are meaningful even for idealized ciphers or hash functions
- E.g., DESX stronger than DES, when DES is modeled as an ideal cipher [KR96]
(Diagram: DESX, built from DES with keys k1, k2, k3, mapping plaintext P to ciphertext C.)

ROs and ideal ciphers
- Using random funcs/perms for extractors
  - In CBC mode, HMAC mode [DGHKR04]
- Domain extension for ROs [CDMP05]
  - Also building ROs from ideal ciphers
- Open: building ideal ciphers from ROs
  - Partial results in [DP06]
- Open: domain-extenders for ideal ciphers

Multi-property-preserving modes
- Prove many claims on the same mode
- E.g., for (a variant of) Merkle-Damgård:
  - If the compression function is collision-resistant then so is the resulting hash function,
  - If the compression function is a PRF then so is the resulting hash function,
  - If the compression function is a random oracle then so is the resulting hash function,
  - Etc.
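The first claim on this slide (a collision-resistant compression function gives a collision-resistant hash) is proved by a reduction; the following is that reduction in runnable form, added here and not part of the talk. It assumes a toy compression function built from truncated SHA-256 with a 16-bit chaining value (a stand-in, not any real hash), 4-byte blocks and Merkle-Damgård strengthening, so hash collisions are cheap to find by birthday search and the reduction can be exercised end to end:

```python
import hashlib
BLOCK, CV = 4, 2            # toy sizes in bytes: message block, 16-bit chaining value
IV = b"\x00" * CV

def compress(h, block):
    """Toy compression function f(h, m): truncated SHA-256, a hypothetical stand-in."""
    return hashlib.sha256(h + block).digest()[:CV]

def pad(msg):
    """Merkle-Damgard strengthening: append 0x80, zero-fill, then the bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - BLOCK) % BLOCK)  # leave room for the length block
    padded += (8 * len(msg)).to_bytes(BLOCK, "big")
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def chain(msg):
    """All chaining values h0 = IV, h1, ..., hn; the MD hash is hn."""
    hs = [IV]
    for blk in pad(msg):
        hs.append(compress(hs[-1], blk))
    return hs

def md_hash(msg):
    return chain(msg)[-1]

def extract_collision(m1, m2):
    """The reduction behind 'collision-resistant f => collision-resistant MD hash':
    given m1 != m2 with equal hashes, return (h, b) != (h', b') with f(h, b) == f(h', b').
    Strengthening makes the last blocks differ when the lengths differ, and some
    block differs when they are equal, so walking back from the end must hit a mismatch."""
    b1, b2, h1, h2 = pad(m1), pad(m2), chain(m1), chain(m2)
    assert m1 != m2 and h1[-1] == h2[-1]
    if len(b1) != len(b2):                  # unequal block counts: length blocks differ
        return (h1[-2], b1[-1]), (h2[-2], b2[-1])
    for i in range(len(b1) - 1, -1, -1):    # h[i] is the input to block i, h[i+1] its output
        if (h1[i], b1[i]) != (h2[i], b2[i]):
            return (h1[i], b1[i]), (h2[i], b2[i])
    raise AssertionError("unreachable: all blocks equal would mean m1 == m2")

def find_md_collision(tries=5000):
    """Birthday search on the 16-bit toy hash over constructed messages of 2..4 bytes,
    so the reduction sees both equal-length and unequal-length collisions."""
    seen = {}
    for i in range(tries):
        m = i.to_bytes(2, "big") + b"x" * (i % 3)    # distinct message for each i
        d = md_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision within the budget; increase tries")
```

Calling `extract_collision(*find_md_collision())` returns two distinct (chaining value, block) pairs that `compress` maps to the same value, which is exactly what the proof says an MD collision must yield.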

Relations between notions
- So many notions, we need taxonomies

Collision-resistance vs. the world
- Not implied by PRPs via BB [S98]
- Implied by PIR, homomorphic encryption [IKO05]
  - Surprising: collision-resistance follows from secrecy guarantees
- Connections to the compressibility of SAT [HN06]
- Equivalent to one-flow statistically-hiding commitment?

“Weak random oracles”
- RO-like but can actually exist
  - At least we can’t prove that they don’t exist
- Not many of those:
  - Perfect one-way hashing [C97, CMR98], AKA “point-function obfuscators” [W05]
  - “Magic functions” [DNRS99]
- Sometimes can prove they do not exist [GK03]

And beyond…
- Theory of block ciphers? Embarrassingly lacking
- Luby-Rackoff [LR88] for Feistel networks?
  - + refinement by Naor-Reingold [NR97]
  - Dodis-Puniya [DP07] analyze Feistel with round functions weaker than PRFs
- Relevance to block-cipher design is a huge leap of faith

Security from round functions
- Block-cipher recipe:
  - Take a sufficiently non-linear permutation
  - Sprinkle some secret-key material
  - Repeat sufficiently many times
  - Get a secure cipher
- Moral: security comes from repetition, not so much the original round function
- Can we make a science of it?

Charlie’s conjecture
- Due to Charlie Rackoff
- Take a “simple enough” permutation family
  - E.g., computed in NC0
- Repeat enough times to get “almost four-wise independence”
- The result is a PRP
- Can anyone disprove it?

Comments
- X-wise independence is reminiscent of “Decorrelation theory” [V]
- Can’t replace 4-wise with 3-wise
  - Otherwise it’s false
- Simplicity of the round function is important
  - Otherwise it’s false (e.g., if you start from a 4-wise independent permutation)
- The point is to have many repetitions
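The three preceding slides (the repetition recipe, Charlie's conjecture and the comments on it) talk about getting "almost t-wise independence" from many rounds of a simple keyed permutation. The following added example, my own and not from the talk, makes that measurable on a toy: a 4-bit block, a key-less NC0 round of two Toffoli gates plus a rotation, and one fresh round key XORed in before each round are all assumptions of mine (a 4-bit toy says nothing about real ciphers; it only shows the quantity). It computes the exact total-variation distance of the outputs on t fixed distinct inputs, over a uniform key, from t distinct uniform values, propagating the distribution round by round instead of enumerating every key:

```python
from collections import defaultdict
from math import prod

N = 4                                   # toy block size in bits: values 0..15
KEYS = range(1 << N)

def round_perm(x):
    """Key-less round: two Toffoli gates (each output bit depends on a constant number
    of input bits, so this is a permutation computable in NC0) then a 1-bit rotation."""
    b = [(x >> i) & 1 for i in range(N)]
    b[0] ^= b[1] & b[2]
    b[3] ^= b[0] & b[1]
    x = sum(bit << i for i, bit in enumerate(b))
    return ((x << 1) | (x >> (N - 1))) & ((1 << N) - 1)

L = [round_perm(x) for x in range(1 << N)]   # lookup table for the fixed round

def twise_distance(inputs, rounds):
    """Exact total-variation distance between the joint distribution of
    (E_K(x1), ..., E_K(xt)) over a uniformly random key K and the distribution of
    t distinct uniform values: the cipher's distance from t-wise independence.
    The key is one fresh N-bit round key per round, XORed in before each round;
    each round maps the current distribution forward under all 2^N round keys."""
    t = len(inputs)
    assert len(set(inputs)) == t, "inputs must be distinct"
    dist = {tuple(inputs): 1.0}
    for _ in range(rounds):
        nxt = defaultdict(float)
        for ys, p in dist.items():
            for k in KEYS:                      # every round key has probability 2^-N
                nxt[tuple(L[y ^ k] for y in ys)] += p / len(KEYS)
        dist = nxt
    q = 1.0 / prod(range((1 << N) - t + 1, (1 << N) + 1))  # 1 / (16*15*...*(16-t+1))
    # TV = 1 - sum_z min(p(z), q); tuples the cipher never produces contribute 0
    return 1.0 - sum(min(p, q) for p in dist.values())

if __name__ == "__main__":
    for r in (1, 2, 4, 8, 16):
        print(f"{r:2d} rounds: pairwise {twise_distance([0, 5], r):.4f}  "
              f"3-wise {twise_distance([0, 5, 9], r):.4f}")
```

After one round the pair (E_K(0), E_K(5)) can take only 16 of the 240 possible values, so the pairwise distance is exactly 14/15; it drops as rounds are added, which is the "security from repetition" effect the slides describe, measured rather than conjectured on this toy.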

What can we do with Charlie?
- The conjecture implies that PRPs exist
  - But PRPs with a very specific structure
- Do they imply CR hashing?
- If not: come up with a similar conjecture that implies collision-resistant hashing
  - Or implies both PRPs and CR hashing

Summary
- We know very little about the true hardness of these “ad hoc constructions”
- Conjectures can fill some of the void
  - The more the merrier
- Only two requirements:
  - Not known to be false (?)
  - Can be used to do something interesting*
* Let you prove interesting theorems

Thank you