# PRF Domain Extension using DAGs Charanjit Jutla IBM T J Watson.


[Figure: m nodes V1, ..., Vm, each applying f to one block P1, ..., Pm; the construction extends f from an n-bit domain to an mn-bit domain, giving tilde-f]

[Figure: an example five-node DAG V1, ..., V5 with blocks P1, ..., P5, one call to f per node and output C at the sink]

Requirements on the DAG

- Directed acyclic graph G = (V, E) with |V| = m
- Unique source and sink nodes
- G is non-redundant: no two nodes have the same set of immediate predecessors

Then: PRF domain extension to mn bits.

[Figure: the five-node example DAG again, with f evaluated at each of V1, ..., V5]

A Parallel Mode for Four Processors

In general, depth 3 + log* m.

Really Basic Intuition

$C_i = f\big(P_i \oplus \bigoplus_{(j,i) \in E} C_j\big)$

Call $M_i = P_i \oplus \bigoplus_{(j,i) \in E} C_j$; $M_i$ is the input to node $V_i$.

Can two such inputs $M_{i_1}$ and $M_{i_2}$ collide?

- $i_1 = i_2$: hopefully the plaintexts are different?
- $i_1 \neq i_2$: is $\bigoplus_{(j,i_1) \in E} C_j = \bigoplus_{(j,i_2) \in E} C_j$?

Using the Galois Field GF(2^n)

Instead of asking whether $\bigoplus_{(j,i_1) \in E} C_j = \bigoplus_{(j,i_2) \in E} C_j$, weight each edge by a field element $a_{j,i} \in \mathrm{GF}(2^n)$ and ask whether $\bigoplus_{(j,i_1) \in E} a_{j,i_1} \cdot C_j = \bigoplus_{(j,i_2) \in E} a_{j,i_2} \cdot C_j$.

Edge-Colored DAGs

- Directed acyclic graph G = (V, E) with |V| = m
- Edge coloring ψ: E → GF(2^n)*
- Unique sink node
- G is non-singular: if two nodes u and v have the same set of immediate predecessors W, then there exists w ∈ W with ψ(w, u) ≠ ψ(w, v)

Then: PRF domain extension to mn bits.

A Parallel Mode for Four Processors

[Figure: the four-processor DAG with edge colors x, x^2, 1+x and 1]
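To make the colored-DAG construction concrete, here is an added example (my code, not from Jutla's slides or paper) that evaluates tilde-f over an edge-colored DAG and checks the non-singularity condition stated above. It assumes f is HMAC-SHA256 truncated to n = 128 bits, that colors are elements of GF(2^128) under the AES reduction polynomial, and that the four-processor DAG is a constructed one using the colors x, x^2, 1+x and 1 from the figure (the slide's exact topology is not given on this page). It also shows what goes wrong when two nodes share both predecessors and colors: the sink's output stops depending on the values of those nodes' blocks.

```python
"""Added example: PRF domain extension over an edge-colored DAG.
Assumptions (not from the slides): f is HMAC-SHA256 truncated to n = 128
bits; colors live in GF(2^128) with the AES polynomial x^128+x^7+x^2+x+1;
the DAGs below are constructed illustrations."""
import hmac
from hashlib import sha256

N_BYTES = 16                    # n = 128 bits
R = (1 << 128) | 0x87           # reduction: x^128 = x^7 + x^2 + x + 1
X = 2                           # the field element x (bit i <-> coefficient of x^i)


def f(key: bytes, block: bytes) -> bytes:
    """The n-bit PRF being domain-extended (assumed: truncated HMAC)."""
    assert len(block) == N_BYTES
    return hmac.new(key, block, sha256).digest()[:N_BYTES]


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^128): shift-and-add with reduction by R."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= R
    return r


# A DAG is {node: [(predecessor, color), ...]}, nodes listed in topological
# order, colors as GF(2^128) elements.  Constructed four-processor example:
# source 0 feeds nodes 1..4 in parallel with colors 1, x, x^2, 1+x, and all
# four feed the sink 5.
FOUR_PROC = {
    0: [],
    1: [(0, 1)],
    2: [(0, X)],
    3: [(0, gf_mul(X, X))],
    4: [(0, 1 ^ X)],
    5: [(1, 1), (2, 1), (3, 1), (4, 1)],
}
# Same DAG, but node 2 is colored like node 1: singular.
SINGULAR = {**FOUR_PROC, 2: [(0, 1)]}


def is_non_singular(dag) -> bool:
    """Two nodes with the same predecessor set must disagree in color on at
    least one shared incoming edge.  Two sources (empty predecessor sets,
    nothing to disagree on) therefore make the DAG singular."""
    nodes = list(dag)
    for i, u in enumerate(nodes):
        for v in nodes[i + 1:]:
            cu, cv = dict(dag[u]), dict(dag[v])
            if set(cu) == set(cv) and all(cu[w] == cv[w] for w in cu):
                return False
    return True


def sinks(dag):
    has_successor = {p for preds in dag.values() for p, _ in preds}
    return [v for v in dag if v not in has_successor]


def dag_prf(key: bytes, dag, blocks, check: bool = True) -> bytes:
    """tilde-f: C_i = f(P_i xor XOR_{(j,i) in E} psi(j,i) * C_j); output C_sink."""
    assert len(blocks) == len(dag), "one n-bit block per node"
    if check:
        assert is_non_singular(dag) and len(sinks(dag)) == 1
    C = {}
    for v, preds in dag.items():
        m = int.from_bytes(blocks[v], "big")          # M_v = P_v xor ...
        for j, color in preds:
            m ^= gf_mul(color, int.from_bytes(C[j], "big"))
        C[v] = f(key, m.to_bytes(N_BYTES, "big"))
    return C[sinks(dag)[0]]


def singular_dag_leaks(key: bytes) -> bool:
    """In SINGULAR, nodes 1 and 2 share predecessor {0} and color 1, so
    P_1 = P_2 forces C_1 = C_2, which cancel at the sink: two different
    messages then share an output, something a random function would not do."""
    base = [bytes([10 + i]) * N_BYTES for i in range(6)]   # constructed blocks
    m_a, m_b = list(base), list(base)
    m_a[1] = m_a[2] = b"\x01" * N_BYTES
    m_b[1] = m_b[2] = b"\x02" * N_BYTES
    return dag_prf(key, SINGULAR, m_a, check=False) == dag_prf(key, SINGULAR, m_b, check=False)


if __name__ == "__main__":
    key = b"k" * 16                                           # constructed key
    blocks = [bytes([i]) * N_BYTES for i in range(6)]         # constructed 6-block input
    print("tilde-f output:", dag_prf(key, FOUR_PROC, blocks).hex())
    print("singular DAG leaks:", singular_dag_leaks(key))
```

The non-singularity check in `dag_prf` is deliberately on by default: the collision in `singular_dag_leaks` needs no key knowledge, only two chosen messages, which is exactly why the slide insists the graph be non-singular before the construction is called a PRF.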

PMAC [BR02] (Parallelizable Authentication Mode)

[Figure: PMAC drawn as an edge-colored DAG, one edge labeled "color m"]

PMAC [BR02], to be precise:

[Figure: the precise PMAC DAG, with the edge labeled "color m" and a constant-0 block]

Variable Length Domain Ext.

- The length need not be a multiple of n.
- Naïve padding with 10^t doesn't work: how to distinguish between a full-length last block and a partial one, UNLESS full-length messages are authenticated differently [PR00], [BR00].
- Naïve CBC-MAC for different lengths is flawed: given $C_1 = \mathrm{CBCMAC}_f(P_1)$, the two-block message $P_1 \,\|\, (C_1 \oplus P_1)$ has the same tag, since $\mathrm{CBCMAC}_f(P_1 \,\|\, (C_1 \oplus P_1)) = f(f(P_1) \oplus C_1 \oplus P_1) = f(P_1) = C_1$.

Collection of DAGs

- Two DAGs for each block length t: G_{2t} and G_{2t+1}
- Each DAG must have a unique sink node
- Each DAG must have at least t nodes
- Each DAG individually non-singular: is that enough? NO

Incorrect Construction

[Figure: two four-node DAGs on V1, ..., V4, one an induced subgraph of the other]

G_i cannot be allowed to be an induced subgraph of another G_j. Define all graphs on the same set of vertices V.

Requirements for VIL-PRF

- Non-singular over all graphs: if for any pair of distinct vertices u, v (u ≠ v) and any graphs G_i, G_j the set of incident nodes of u in G_i equals the set of incident nodes of v in G_j, then at least one incident edge is colored differently.
- For each graph G_i, there is no other graph G_j that is identical to G_i up to the largest node of G_i.
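The forgery on the variable-length slide and the "no graph is a prefix of another" requirement above are two views of the same defect: plain CBC-MAC on one block is the chain DAG G_1, which is exactly the first node of the two-block chain G_2. The following added example (my code, not from the slides) runs the forgery against a naive CBC-MAC and then applies the two VIL checks above to a collection of chain DAGs. Assumptions: f is HMAC-SHA256 truncated to n = 128 bits; a graph is a dict {node: [(predecessor, color)]} on a shared vertex set 1..T; the colored collection at the end, in which the one-block case uses a two-node chain (the slides allow a DAG with more nodes than blocks) and the final edge of each chain gets its own color, is a constructed illustration that passes the checks, not a claim about any published mode.

```python
"""Added example: the CBC-MAC length-extension forgery and the two
variable-input-length (VIL) checks on a collection of DAGs.  Assumptions
(not from the slides): f is HMAC-SHA256 truncated to n = 128 bits; a DAG is
{node: [(predecessor, color), ...]} on a shared vertex set 1..T; the colored
collection is a constructed illustration, not a published mode."""
import hmac
from hashlib import sha256

N_BYTES = 16
X, X2 = 2, 4                    # colors x and x^2 as bit patterns; only compared here, never multiplied


def f(key: bytes, block: bytes) -> bytes:
    return hmac.new(key, block, sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def cbc_mac(key: bytes, blocks) -> bytes:
    """Naive CBC-MAC over any number of whole blocks: C_i = f(P_i xor C_{i-1}), C_0 = 0."""
    c = bytes(N_BYTES)
    for p in blocks:
        c = f(key, xor(p, c))
    return c


def forge(p1: bytes, c1: bytes):
    """Attacker side, no key: from P1 and its tag C1 build a second message with the same tag.
    CBCMAC_f(P1 || (C1 xor P1)) = f(f(P1) xor C1 xor P1) = f(P1) = C1."""
    return [p1, xor(c1, p1)], c1


# ---- collection-of-DAGs checks (slide: Requirements for VIL-PRF) ----------

def chain(t: int, last_color: int = 1):
    """Chain DAG on nodes 1..t: body edges colored 1, final edge colored last_color."""
    g = {1: []}
    for v in range(2, t + 1):
        g[v] = [(v - 1, last_color if v == t else 1)]
    return g


def identical_up_to(gi, gj) -> bool:
    """True if G_j extends G_i and agrees with it on every node up to G_i's largest node."""
    top = max(gi)
    if max(gj) <= top:
        return False
    return {v: set(p) for v, p in gj.items() if v <= top} == {v: set(p) for v, p in gi.items()}


def non_singular_across(graphs) -> bool:
    """Distinct nodes u != v, taken from any two graphs (the same graph included),
    with equal predecessor sets must disagree in color on some shared edge."""
    for gi in graphs:
        for gj in graphs:
            for u, pu in gi.items():
                for v, pv in gj.items():
                    if u == v:
                        continue
                    cu, cv = dict(pu), dict(pv)
                    if set(cu) == set(cv) and all(cu[w] == cv[w] for w in cu):
                        return False
    return True


def vil_ok(graphs) -> bool:
    no_prefix = all(not identical_up_to(gi, gj)
                    for gi in graphs for gj in graphs if gi is not gj)
    return no_prefix and non_singular_across(graphs)


# Plain CBC-MAC chains: G_t is exactly the first t nodes of G_{t+1}, so the
# forgery above is a prefix clash.
NAIVE = [chain(t) for t in (1, 2, 3, 4)]
# Constructed alternative: the one-block case uses a two-node chain ending in
# color x^2 (second block assumed to be zero padding); longer chains end in x.
COLORED = [chain(2, X2)] + [chain(t, X) for t in (2, 3, 4)]


if __name__ == "__main__":
    key = b"k" * 16                                   # constructed key
    p1 = b"pay 10 to alice!"                          # constructed 16-byte block
    msg, tag = forge(p1, cbc_mac(key, [p1]))
    print("forged 2-block message verifies:", cbc_mac(key, msg) == tag)
    print("naive chains pass VIL checks:", vil_ok(NAIVE))
    print("colored chains pass VIL checks:", vil_ok(COLORED))
```

Note that `non_singular_across` alone accepts the naive chains; it is the prefix check that rejects them, which is the point of the "is that enough? NO" slide.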

Optimized VIL Mode

[Figure: two five-node chains 1, ..., 5 with edge colors col2, col3, col4, col5 and col2]

Current Best Mode

[Figure: two five-node chains 1, ..., 5 with edge colors col2, col3, col4, col5, col2 and col3]

Parallel VIL mode

[Figure: parallel DAGs on v1, v2, v3, ..., v2^n with colors color5, color6 and col1, col2, col3, col4]

Proof

Most theorems about PRF and PRP constructions, and about modes of operation built from smaller primitives, have to tackle collisions in the calls to the smaller primitive. Modulo that, proving randomness is easy.

Collisions in calls to the oracle

- Automatic collisions, as in CBC-MAC
- Unforced collisions
- Forced collisions (adversarial, adaptive)
  - One can try to prove there are no forced collisions: fix the last blocks of the transcript (visible to A); conditioned on this, on average over all possible transcripts c, this is the same as collisions in the transcript.
- Thus the adversary is left with playing automatic collisions.

THE END
