TRANSCRIPT
Domain Extension for Random Oracles: Beyond the Birthday Paradox Bound
Arvind Narayanan (UT Austin), Ilya Mironov (Microsoft Research)
Notions of hash function security
[Diagram: relationships among hash function security notions: Pre, aPre, ePre, Sec, aSec, eSec, TCR, CR, multicollision resistance, Nostradamus resistance, and RO (random oracle); some implications are marked "?" as open.]
What’s wrong with MD?
[Figure: Merkle-Damgård iteration: the compression function C is applied to message blocks M1, M2, M3 with chaining values h0, h1, h2; the output is h = h3.]
•Multicollisions (Joux, Crypto’04)
•Second preimage (Kelsey and Schneier, Eurocrypt’05)
•Nostradamus (Kelsey and Kohno, Eurocrypt’06)
Birthday paradox
What does indifferentiability mean?
[Figure: the same chain over M1, M2, M3 with chaining values h0, h1, h2 and output h = h3, but each compression call is answered by a simulator S; on the other side stands an ideal Oracle.]
•Maurer et al.
•[CDMP05]
Lucks (Asiacrypt 2005)
[Figure: double-pipe construction: each message block M1, M2, M3 is fed into two parallel chains of compression function calls with chaining values h0, h1, ...; labels: Compression function, “Finalizing function”.]
• Internal state must be wide (2 x output length)
• Optimal security
Rate = 0.25
Not exactly impossible
Simple construction
[Figure: one block of the Simple construction (only one block shown) beside one block of the Lucks double pipe; the message block M enters through the values α1, α2, β1, β2.]
•Twice as much space for message bits
•Linear algebra very fast
Other possibilities
[Figure: one block of a variant construction (only one block shown) beside one block of the Lucks double pipe, message block M.]
•No internal collisions!
•Collision resistance 2^n on output length 2n
Ugly construction
[Figure: the Ugly construction over message blocks M1, M2, M3.]
•Rate 3/8
•Provably behaves like a random oracle (2^n)
Proof technique
[Figure: the Ugly construction over message blocks M1, M2, M3; an intermediate stage is marked “NOT a random oracle!”]
•Hybrid argument fails
•Inductive “global” proof
Collision counting
•Does not seem to lead to attack
•But necessary for using indifferentiability framework
Goal: distinguish construction from random oracle
The adversary wins if…
•Collision
•Unsupported query
Results
Simple
•Rate ½ (always)
•Collision resistant (2^n)
•Almost behaves like random oracle (2^n)
Ugly
•Rate 3/8 (for SHA-256)
•Provably behaves like random oracle (2^n)
Rate comparison
[Plot: overall rate (y-axis) against compression ratio 1 to 5 (x-axis) for Merkle-Damgard, Simple, Ugly and Lucks double-pipe; the SHA-256 parameters are marked.]
Why should you care?
• Gap between MD and double pipe is large
  – Factor of 4 for SHA-256, 3 for MD5
• New crop of proof techniques
  – Steinberger (Eurocrypt’07)
  – Current work
  – Shrimpton and Stam (next talk)
• Apply techniques to new constructions?
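The following is an added example, not code from the talk or its authors: a toy Python realization of the two modes the slides contrast, plain Merkle-Damgård and a Lucks-style double pipe, over a compression function with the SHA-256 geometry (256-bit chaining value, 512-bit block). The compression function itself (SHA-256 over chaining value and block), the IVs, the padding layout and the exact wiring of the two pipes are assumptions of the example. A call counter shows why the double pipe sits at rate 0.25: only m - c = 256 message bits fit in a block once the second chaining value takes the rest of the input, and every block costs two calls. The `asymptotic_rate` helper generalizes the same count to any (m, c), which reproduces the gap factor of 4 for SHA-256 and about 3 (exactly 8/3) for the MD5 geometry.

```python
import hashlib
import struct

# Compression function geometry, matching the SHA-256 case the slides use:
# chaining value c = 256 bits, message block m = 512 bits.
STATE_BYTES = 32
BLOCK_BYTES = 64
# Constructed IVs for the toy (not any standard's values).
IV1 = b"\x01" * STATE_BYTES
IV2 = b"\x02" * STATE_BYTES


class Counter:
    """Counts compression-function calls so rates can be measured."""
    def __init__(self):
        self.calls = 0


def compress(counter, chaining, block):
    """Toy compression function C(h, M): (c bits, m bits) -> c bits.
    Built from SHA-256 for convenience; this is an assumption of the example,
    not the compression function of any real design."""
    assert len(chaining) == STATE_BYTES and len(block) == BLOCK_BYTES
    counter.calls += 1
    return hashlib.sha256(chaining + block).digest()


def md_pad(msg, block_bytes):
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % block_bytes)
    return padded + struct.pack(">Q", 8 * len(msg))


def merkle_damgard(msg):
    """Plain MD: one m-bit message block per compression call, output n = c bits.
    Returns (digest, number of compression calls)."""
    counter = Counter()
    h = IV1
    data = md_pad(msg, BLOCK_BYTES)
    for i in range(0, len(data), BLOCK_BYTES):
        h = compress(counter, h, data[i:i + BLOCK_BYTES])
    return h, counter.calls


def double_pipe(msg):
    """Lucks-style double pipe: two c-bit chaining values (internal state 2c = 2n),
    so only m - c message bits fit into each block, and every block costs two
    compression calls plus one finalizing call at the end.
    The exact wiring of the two pipes is an assumption of this example."""
    counter = Counter()
    dp_block = BLOCK_BYTES - STATE_BYTES      # 32 bytes of message per block
    h1, h2 = IV1, IV2
    data = md_pad(msg, dp_block)
    for i in range(0, len(data), dp_block):
        m_i = data[i:i + dp_block]
        # Both calls see the old (h1, h2): Python evaluates the right side first.
        h1, h2 = (compress(counter, h1, h2 + m_i),
                  compress(counter, h2, h1 + m_i))
    # Finalizing function: fold the wide state down to n bits with one more call.
    return compress(counter, IV1, h1 + h2), counter.calls


def asymptotic_rate(block_bits, state_bits):
    """Message bits absorbed per compression call for MD and for the double pipe,
    and the double pipe's rate relative to MD (the slides' notion of rate)."""
    md_rate = block_bits                         # one full block per call
    dp_rate = (block_bits - state_bits) / 2      # m - c bits shared by two calls
    return md_rate, dp_rate, dp_rate / md_rate


if __name__ == "__main__":
    msg = b"\x55" * 4096                           # constructed 4 KiB message
    _, md_calls = merkle_damgard(msg)
    _, dp_calls = double_pipe(msg)
    print("MD calls:", md_calls, "bits/call:", 8 * len(msg) / md_calls)
    print("double pipe calls:", dp_calls, "bits/call:", 8 * len(msg) / dp_calls)
    print("SHA-256 geometry:", asymptotic_rate(512, 256))   # rate 0.25, gap 4
    print("MD5 geometry:", asymptotic_rate(512, 128))       # rate 0.375, gap 8/3
```

On a 4 KiB message the counter reports 65 calls for MD and 259 for the double pipe, so the measured throughput ratio is already close to the asymptotic 0.25; the one extra finalizing call is what keeps it from being exact on short inputs.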
Work in progress
• Constructions with better rate
  – Nontrivial lower bound?
  – Possibility of getting close to rate 1
• Domain separation
• Understand model better, esp. role of unsupported queries
• Simpler constructions and proofs