
Post on 31-Dec-2015


Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound

Arvind Narayanan (UT Austin), Ilya Mironov (Microsoft Research)

Notions of hash function security

[Figure: diagram of relations among hash function security notions: RO, CR, TCR, Pre, aPre, ePre, Sec, aSec, eSec, multicollision resistance, Nostradamus; several relations are marked with "?"]

What’s wrong with MD?

[Figure: Merkle-Damgård chain: compression function C applied to message blocks M1, M2, M3; chaining values h0, h1, h2, output h = h3]

• Multicollisions (Joux, Crypto’04)
• Second preimage (Kelsey and Schneier, Eurocrypt’05)
• Nostradamus (Kelsey and Kohno, Eurocrypt’06)

Birthday paradox

What does indifferentiability mean?

[Figure: the same chain with each compression call replaced by a simulator S, processing M1, M2, M3 with chaining values h0, h1, h2, h = h3; the construction is compared against an Oracle]

• Maurer et al.
• [CDMP05]

Lucks (Asiacrypt 2005)

[Figure: Lucks double pipe: each message block M1, M2, M3 is fed to two parallel compression-function chains with initial values h0 and h1; a “finalizing function” combines the two chains into the output]

• Internal state must be wide (2 x output length)
• Optimal security

Rate = 0.25
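As an added illustration (not code from the slides or the authors' work) of the two points above, the Joux multicollision against a narrow Merkle-Damgård chain and the need for a state twice the output length: a toy MD hash with a 16-bit compression function, Joux's chaining of k internal collisions into 2^k colliding messages, and a wide-pipe variant that only loosely follows Lucks' double pipe (2n-bit state, one finalizing call). The 16-bit width, 4-byte counter blocks, zero IV and truncated-SHA-256 compression function are all constructed for the demo.

```python
import hashlib
import itertools

OUT_BITS = 16  # toy output width n (constructed; for SHA-256 n would be 256)

def compress(chain, block, width_bits):
    """Toy compression function: SHA-256 truncated to width_bits, standing in for a random oracle."""
    return hashlib.sha256(chain + block).digest()[: width_bits // 8]

def md_hash(blocks, width_bits=OUT_BITS):
    """Merkle-Damgard: an n-bit chaining value fed through the compression function (IV = 0, no padding)."""
    h = bytes(width_bits // 8)
    for m in blocks:
        h = compress(h, m, width_bits)
    return h

def wide_pipe_hash(blocks, width_bits=OUT_BITS):
    """Wide pipe in the spirit of Lucks' double pipe: 2n-bit state, a finalizing call squeezes to n bits."""
    h = bytes(2 * width_bits // 8)
    for m in blocks:
        h = compress(h, m, 2 * width_bits)
    return compress(h, b"finalize", width_bits)

def find_block_collision(chain, width_bits):
    """Birthday search for two distinct blocks that map `chain` to the same next chaining value."""
    seen = {}
    for i in itertools.count(1):
        m = i.to_bytes(4, "big")
        out = compress(chain, m, width_bits)
        if out in seen:
            return seen[out], m, out, i  # i = number of compression queries spent
        seen[out] = m

def joux_multicollision(k, width_bits=OUT_BITS):
    """Joux (Crypto'04): k chained internal collisions give 2^k messages with one MD hash for ~k*2^(n/2) work."""
    h, choices, queries = bytes(width_bits // 8), [], 0
    for _ in range(k):
        a, b, h, q = find_block_collision(h, width_bits)
        choices.append((a, b))
        queries += q
    return [list(c) for c in itertools.product(*choices)], h, queries

def internal_collision_cost(width_bits):
    """Queries for one internal collision from the zero IV: ~2^(n/2) for MD, ~2^n once the state is 2n bits."""
    return find_block_collision(bytes(width_bits // 8), width_bits)[3]
```

Compare `internal_collision_cost(OUT_BITS)` with `internal_collision_cost(2 * OUT_BITS)` to see why widening the state pushes the internal-collision step from the birthday bound 2^(n/2) up to 2^n.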

Not exactly impossible

Simple construction

[Figure: one block of the simple construction (only one block shown): message input M and quantities labelled α1, α2, β1, β2; shown alongside the Lucks double pipe for comparison]

Twice as much space for message bits
Linear algebra very fast

M

Other possibilities

[Figure: one block of an alternative construction (only one block shown), again shown alongside the Lucks double pipe]

No internal collisions!
Collision resistance 2^n on output length 2n

Ugly construction

[Figure: the ugly construction processing message blocks M1, M2, M3]

Rate 3/8
Provably behaves like a random oracle (2^n)

Proof technique

[Figure: block structure of the ugly construction again (M1, M2, M3)]

NOT a random oracle!

• Hybrid argument fails
• Inductive “global” proof

Collision counting

Does not seem to lead to attack
But necessary for using indifferentiability framework

[Figure: the two events tracked in the proof, labelled “Collision” and “Unsupported query”]

The adversary wins if…
Goal: distinguish construction from random oracle

Results

Simple
• Rate ½ (always)
• Collision resistant (2^n)
• Almost behaves like random oracle (2^n)

Ugly
• Rate 3/8 (for SHA-256)
• Provably behaves like random oracle (2^n)

Rate comparison

[Figure: plot of overall rate (y-axis) against compression ratio 1 to 5 (x-axis); labels: SHA-256, Merkle-Damgård, Simple, Ugly, Lucks double-pipe]

Why should you care?

• Gap between MD and double pipe is large
 – Factor of 4 for SHA-256, 3 for MD5
• New crop of proof techniques
 – Steinberger (Eurocrypt’07)
 – Current work
 – Shrimpton and Stam (next talk)
• Apply techniques to new constructions?

Work in progress

• Constructions with better rate
 – Nontrivial lower bound?
 – Possibility of getting close to rate 1
• Domain separation
• Understand model better, esp. role of unsupported queries
• Simpler constructions and proofs
