
Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6

Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen



Presentation Transcript


  1. Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6
  Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen

  2. MD6 Hash Function
  • One of earliest announced SHA-3 candidates
  • Presented by Rivest at CRYPTO ’08
  Compression function f: fixed input length (FIL), 4-1 compression
  Mode of operation MD6f: variable input length (VIL), specified output length d

  3. MD6 Compression Function f
  [Figure: f-input of 89 words = const (15) + key (8) + aux data (2) + data (64); Prepend (p), then the 1-1 map π on 89 words, then Chop to 16 words (= 64/4, i.e. 4-1 compression).]

  4. MD6 Mode of Operation

  5. MD6 Mode of Operation
  [Figure: tree of compression-function calls; nodes labelled (level, index), e.g. (2,0), (2,1), (1,9); the root node has z = 1 (“root bit”); leaf nodes may be empty or partially filled; the root output is chopped to d bits.]

  6. Analyzing Mode of Operation
  General approach: if compression function f is “secure”, then mode of operation MD6f is “secure”, e.g.,
  • f collision-resistant ⇒ MD6f collision-resistant
  • f preimage-resistant ⇒ MD6f preimage-resistant
  • f PRF ⇒ MD6f PRF
  Is this enough? (Crutchfield)

  7. Random-Oracle-Like Behavior
  • Random oracles (ROs) used to prove security of: signatures, CCA encryption, ZK, etc.
  • RO in theory → hash function in practice
  • When is this secure?
  • f is a FIL-RO ⇒ MD6f is a VIL-RO?

  8. Security Notion: Indistinguishability
  • f and MD6f are fixed public functions…
  [Figure: distinguisher D is given oracle access to either MD6f or a VIL-RO G and must tell which.]

  9. Indifferentiability (Maurer et al. ‘04)
  • Variant notion of indistinguishability: D has access to inner component
  • Indifferentiability: ∃ simulator S s.t. left/right indistinguishable to any D
  • Note: not a symmetric relationship
  [Figure: left world: D interacts with MD6C and the FIL-RO C; right world: D interacts with the VIL-RO G and the simulator S.]

  10. Indifferentiability
  • Theorem (Maurer et al.): If H is indifferentiable from RO, then any cryptosystem proven with RO is secure when RO is replaced by H
  • How do we apply this to MD6?
  • View f as RO
  • Prove MD6f is indifferentiable from RO
  • Conclude MD6f may safely be plugged into applications that require VIL-RO (viewing f as RO)

  11. Our Results and Interpretation
  • Our result: MD6RO is indifferentiable from RO
  • More generally: any* tree-based mode of operation using FIL-RO is indifferentiable from VIL-RO
  What does this mean?
  • MD6 mode of operation is safe for use as RO
  • Gives confidence that mode of operation is well-built
  • Pushes RO assumption one level down – from MD6 to f
  Can we push RO assumption even further down? Stay tuned…

  12–18. * Requirements of Mode of Operation (built up one bullet per slide)
  • Deterministic tree structure (wrt calls to f)
  • Unique parsing of f-inputs into
    • metadata
    • raw data
    • f-outputs
    [Figure: level > 0 (non-leaf) f-input = metadata, f-output 1, f-output 2, f-output 3, f-output 4; level = 0 (leaf) f-input = raw data, metadata.]
  • Root predicate (z = 1)
  • Final output processing – regular, invertible* function (Chop to d bits)
  • Message reconstructibility

  19. Simulator
  [Figure (as on slide 9): left world: D interacts with MD6C and the FIL-RO C; right world: D interacts with the VIL-RO G and the simulator S.]

  20. Simulator
  • On a query x:
    • Previously seen? Repeat the answer.
    • Non-root query (z = 0)? Random answer.
    • Root query (z = 1)?
      • Reconstruct M s.t. x is final query. If not possible, random answer.
      • Consult G on M.
      • Return random answer consistent with G(M).
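The simulator of slide 20, run on a mode that meets the requirements of slides 12–18 (unique parsing into metadata, raw data and f-outputs; root predicate; Chop as final output processing; message reconstructibility), as an added Python example that is not part of the original slides or of MD6's code: a constructed two-leaf tree mode over lazily sampled random oracles, with a simulator S that answers root queries consistently with G whenever it can reconstruct M from its own earlier answers. The tuple layout (z, level, index, c0, c1), the widths W and D, and all names are assumptions.

```python
import os

W, D = 8, 4  # f output width and digest length in bytes (constructed toy values)

class RandomOracle:
    """Lazily sampled random function: a fresh random output for each new input."""
    def __init__(self, width):
        self.width, self.table = width, {}
    def __call__(self, x):
        return self.table.setdefault(x, os.urandom(self.width))

def tree_mode(f, blocks):
    """Toy 2-ary tree mode with the slides' structure: level-0 leaves take raw data,
    the level-1 root takes f-outputs and carries root bit z=1, and the final output
    processing chops f's output to D bytes.  f-input = (z, level, index, c0, c1)."""
    assert len(blocks) == 4                           # two leaves, two blocks each
    leaves = [f((0, 0, i, blocks[2*i], blocks[2*i + 1])) for i in range(2)]
    return f((1, 1, 0, leaves[0], leaves[1]))[:D]

class Simulator:
    """S from slide 20: answers FIL-RO queries consistently with the VIL-RO G."""
    def __init__(self, G):
        self.G, self.table = G, {}
    def reconstruct(self, x):
        """Return the unique M for which x is the final query of tree_mode, or None."""
        kids = []
        for i, want in enumerate(x[3:]):
            hits = [q for q, out in self.table.items()
                    if out == want and q[:3] == (0, 0, i)]
            if len(hits) != 1:        # child never queried, or an S-collision: give up
                return None
            kids.append(hits[0])
        return kids[0][3:] + kids[1][3:]
    def __call__(self, x):
        if x in self.table:           # previously seen: repeat the answer
            return self.table[x]
        ans = os.urandom(W)           # non-root (z = 0) or unreconstructible: random
        if x[0] == 1:                 # root query (z = 1): consult G on reconstructed M
            M = self.reconstruct(x)
            if M is not None:         # random answer consistent with G(M) after the Chop
                ans = self.G(M) + os.urandom(W - D)
        self.table[x] = ans
        return ans

def ideal_world_consistent(blocks):
    """D evaluates the mode through S and compares with a direct query to G."""
    G = RandomOracle(D)
    return tree_mode(Simulator(G), tuple(blocks)) == G(tuple(blocks))
```

A root query whose children were never asked of S gets a random answer, which is exactly the case the proof's "bad events" (S-collisions and lucky guesses) have to bound.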

  21. Proof Sketch
  • Sequence of games to transform “ideal” game (D interacts with G, S) into “real” game (D interacts with MD6C, C)
  • Define 3 types of “bad” events (S-collisions and “lucky guesses” by D)
  • If no bad events, D’s view identical
  • Probability of bad events is negligible
  • Therefore, D’s distinguishing advantage is at most negligible

  22. Pushing RO Assumption to Compression Function Level
  [Figure (as on slide 3): f-input of 89 words = const (15) + key (8) + aux data (2) + data (64); Prepend (p), then the 1-1 map π on 89 words, then Chop.]

  23. Pushing RO Assumption to Compression Function Level
  • View π as random permutation
  • Prove f indifferentiable from FIL-RO
  • Similar proof techniques
  • f indifferentiable from FIL-RO (viewing π as random) and MD6f indifferentiable from VIL-RO (viewing f as FIL-RO) ⇒ MD6f indifferentiable from VIL-RO (viewing π as random)

  24. Conclusion
  • Proved: Indifferentiability of MD6 mode of operation (viewing compression function as RO)
  • Result is quite general, applies to many sensible tree-modes (including other SHA-3 candidates, sequential modes)
  • Proved: Indifferentiability of MD6 compression function (viewing π as random permutation)
  Interpretation:
  • MD6 mode of operation does not have structural weaknesses
  • MD6 mode of operation can be used as RO (assuming random permutation)
