Eurocrypt 2018 Talk Simple PoSW - pub.ist.ac.atpub.ist.ac.at/crypto/MC18/MC18_Lecture8.pdf · the...


November 27th, 2018

Modern Cryptography Lecture 8

Applications of Cryptographic Hash-Functions
Practical Constructions of Secret-Key Primitives

[Figure: Merkle-Damgård chain. Z0 = IV; Z1, Z2, ..., ZB are obtained by applying the compression function h to the previous Z and the message blocks x1, x2, ..., xB; a final block xB+1 = L (the length) is processed to give H(x).]

Webpage

Page for first part, Homeworks, Slides: http://pub.ist.ac.at/crypto/ModernCrypto18.html

Retake exam date Wed. Feb. 27th: 1-3pm for first part, 3.30-5.30pm for 2nd part.

https://phd.pages.ist.ac.at/student-open-day-2018/

Recall: Collision Resistance §5.1.1

Definition 5.1 A hash function (with output length ℓ) is a pair of PPT algorithms (Gen, H) satisfying
• s ← Gen(1^n) on input a security parameter n outputs a key s, |s| ≥ n.
• For a key s and x ∈ {0,1}*, H(s, x) outputs a string in {0,1}^{ℓ(n)}.

If the input x is restricted to x ∈ {0,1}^{ℓ′(n)}, ℓ′(n) > ℓ(n), then (Gen, H) is a fixed-length hash function, or compression function.

Definition 5.2 Π = (Gen, H) is collision resistant if for all PPT A

$$\Pr_{s \leftarrow \mathrm{Gen}(1^n)}\Big[\,\underbrace{A(s) \to (x, x')\ \wedge\ x \neq x'\ \wedge\ H(s,x) = H(s,x')}_{\overset{\text{def}}{=}\ \mathsf{Hash\text{-}coll}_{A,\Pi}(n) = 1}\,\Big] = \mathrm{negl}(n)$$

The Random Oracle Model §5.5

• Assume a random function H : {0,1}* → {0,1}^n exists "in the sky" and can be queried by everyone.
• A "fresh" H is sampled before the security experiment starts.

The Random Oracle Methodology
1. The scheme is designed and proven secure in the ROM.
2. In the real world, the RO is instantiated with a cryptographic hash-function.

It's a heuristic, not a proof. It shows that the construction has no inherent design flaws. Better than no proof, and surprisingly reliable in practice.

Proof techniques in the ROM
1. If x has not been queried, then H(x) is uniform.
2. If A^{H(·)} makes the query x, the reduction sees this query.
3. (programmability) The reduction can program H(x) to output a uniform value of its choice.

Some trivial constructions in the ROM
• H : {0,1}^{n/2} → {0,1}^n satisfies

$$\Big|\Pr_{y \leftarrow \{0,1\}^n}\big[A^{H(\cdot)}(y) = 1\big] - \Pr_{x \leftarrow \{0,1\}^{n/2}}\big[A^{H(\cdot)}(H(x)) = 1\big]\Big| = \mathrm{negl}(n)$$

  so H is a pseudorandom generator.
• For H : {0,1}^{2n} → {0,1}^n let F_k(x) := H(k‖x). Then F is a pseudorandom function.
• H : {0,1}* → {0,1}^n is a collision resistant hash function.

All constructions we've seen just use that H(x) is uniform (but not programmability, or that the reduction learns x).

The ROM cannot be proven sound in general: there exist (very artificial) schemes that are secure in the ROM, but insecure if the RO H is instantiated with any real-world hash function.

Additional Applications of Hash Functions §5.6

Fingerprinting and Deduplication §5.6.1

• Virus fingerprinting: virus scanners store only hashes of computer viruses. This is sufficient to identify them. To avoid being detected, computer viruses can "mutate".
• Deduplication: a cloud storage provider keeps hashes of all stored files in a small database. If a user wants to upload a new file x, check whether H(x) is stored.
  – If yes, the file is already there and need not be uploaded; just store a pointer. Saves bandwidth and storage.
  – If H is collision resistant, a malicious client cannot make the server return a wrong file.

[Figure: the client sends H(file) and the server checks "H(file) already stored?"]

Merkle Trees §5.6.2

• How can the client be sure it gets the right file F back?
• He can store the short fingerprint H(F) and check whether the received file matches it!
• To make the client accept a wrong file F′ ≠ F requires breaking the collision resistance of H, as it must hold that H(F) = H(F′).

[Figure: the client keeps H(F), receives a file from the server and checks H(received file) ?= H(F).]

• If the client stores many files F1, F2, ..., Fℓ he can
  – Store all hi := H(Fi). Needs space linear in ℓ.
  – Store only one hash φ = H(h1, ..., hℓ) locally, and h1, ..., hℓ on the server. Needs communication linear in ℓ to retrieve all h1, ..., hℓ.
• Merkle hash-trees allow for log(ℓ) communication!

[Figure: Merkle tree over eight files F000, ..., F111 with leaves h000, ..., h111, inner nodes h00, h01, h10, h11, h0, h1 and root φ.]

MT_t(F1, ..., Ft) = φ where
  h_x = H(F_x) for the leaves,
  h_x = H(h_{x‖0}, h_{x‖1}) for the inner nodes,
  φ = H(h0, h1) is the root.

Theorem 5.11 If (Gen, H) is collision resistant, then (Gen, MT_t) is also collision resistant (for fixed t).

• The client stores φ, the server stores the Fi's and all the h's.
• If the client requests a file, say F010, the server sends F010 together with all log(ℓ) h values (in orange in the figure) required to compute the root. The client accepts if the recomputed value is φ:

  h′010 := H(F010), h′01 := H(h′010, h011), h′0 := H(h00, h′01), φ′ := H(h′0, h1), φ′ ?= φ

If the server can make the client accept two different files for the same slot, say F010 ≠ F′010, then we can efficiently extract a collision for H. Let the two openings be

  (F010, h011, h00, h1), (F′010, h′011, h′00, h′1)

If h010 := H(F010) is equal to h′010 := H(F′010), output the collision F010, F′010 for H.

Otherwise, if h011 ≠ h′011 and h01 := H(h010, h011) is equal to h′01 := H(h′010, h′011), output the collision (h010, h011), (h′010, h′011).

Continue until a collision is found. The full proof is similar to the one for Merkle-Damgård from last lecture and is omitted. Like MD, MT is a domain extension for collision resistant hash functions, but MT can be evaluated in parallel.
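The opening, the client's check φ′ ?= φ and the collision extractor from the proof sketch above, as an added Python example that is not code from the lecture: H is assumed to be SHA-256 over length-prefixed inputs, truncated to a constructed 2-byte output so that a cheating server's colliding openings can actually be produced and the extractor exercised.

```python
import hashlib

# Toy output length of H (2 bytes) so that colliding openings can be found cheaply and the
# extractor below can be exercised; a real deployment keeps the full 32-byte digest.
DIGEST_LEN = 2

def H(*parts: bytes) -> bytes:
    """Stand-in for (Gen, H): SHA-256 over length-prefixed parts, truncated to DIGEST_LEN."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()[:DIGEST_LEN]

def merkle_levels(files):
    """All levels of MT_t, leaves first: h_x = H(F_x), inner h_x = H(h_x||0, h_x||1); levels[-1][0] is phi."""
    assert files and len(files) & (len(files) - 1) == 0, "t must be a power of two"
    levels = [[H(f) for f in files]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def open_leaf(levels, idx):
    """Server side: the log(t) sibling hashes on the path from slot idx up to the root."""
    siblings = []
    for level in levels[:-1]:
        siblings.append(level[idx ^ 1])
        idx >>= 1
    return siblings

def recompute_path(file, idx, siblings):
    """Client side: recompute the h' values up the path. Returns (phi', list of input pairs hashed)."""
    node, pairs = H(file), []
    for sib in siblings:
        pair = (sib, node) if idx & 1 else (node, sib)   # left/right position given by the path bit
        pairs.append(pair)
        node, idx = H(*pair), idx >> 1
    return node, pairs

def verify(phi, file, idx, siblings):
    """Accept iff the recomputed root phi' equals the locally stored phi."""
    return recompute_path(file, idx, siblings)[0] == phi

def extract_collision(phi, idx, opening1, opening2):
    """Reduction behind Theorem 5.11: two accepted openings (file, siblings) of one slot with
    different files yield a collision for H."""
    (f1, s1), (f2, s2) = opening1, opening2
    assert f1 != f2 and verify(phi, f1, idx, s1) and verify(phi, f2, idx, s2)
    if H(f1) == H(f2):
        return (f1,), (f2,)                      # collision already at the leaf
    _, pairs1 = recompute_path(f1, idx, s1)
    _, pairs2 = recompute_path(f2, idx, s2)
    for p1, p2 in zip(pairs1, pairs2):           # climb: the child hashes differ until the first
        if H(*p1) == H(*p2):                     # level where the outputs agree, which happens by
            return p1, p2                        # the root at the latest since both paths end in phi
    raise AssertionError("unreachable: both paths end in phi")

def find_preimage(target, build):
    """Toy brute force standing in for a cheating server; feasible only because DIGEST_LEN is tiny."""
    for c in range(1 << 24):
        cand = build(c.to_bytes(4, "big"))
        if H(*cand) == target:
            return cand
    raise RuntimeError("no preimage found")
```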

Practical Constructions of Symmetric-Key Primitives

All primitives we've seen so far (except collision-resistant hash functions) can in theory be constructed from any one-way function (Chapter 7 in the book, which we'll not cover).

We will show heuristic constructions used in practice. Some of the design principles can be justified by theoretical analysis.

We'll cover block-ciphers §6.2. Chapter 6 in the book also covers stream-ciphers and hash-functions.

Block Ciphers §6.2

Block cipher: F : {0,1}^n × {0,1}^ℓ → {0,1}^ℓ
• For every k, F_k(·) is a permutation.
• F_k(·) and F_k^{-1}(·) must be efficiently computable.
• F must be a (strong) pseudorandom permutation, but we use concrete (not asymptotic) security:
  – Distinguishing F_k(·) (k ← {0,1}^n) from a random permutation should take 2^n time given access to F_k, F_k^{-1}.
  – Equivalently, no better attack than brute-forcing the key should exist.

DES (Data Encryption Standard): n = 56, ℓ = 64. 1970s, developed by IBM, adopted by NBS in 1976.
Triple DES: n ∈ {112, 168}, ℓ = 64.
AES (Advanced Encryption Standard): n ∈ {128, 192, 256}, ℓ = 128. NIST request for proposals 1997. Winner Rijndael (Belgian) announced 2000.

Substitution-Permutation Networks §6.2.1

AES is an SPN network with 10, 12 or 14 rounds (depending on key-size). 16 S-boxes {0,1}^8 → {0,1}^8.

One round of such an SPN network consists of
1. Key mixing: x := x ⊕ k′, where k′ is the "round key".
2. Substitution: x := S1(x1)‖...‖S16(x16), where xi is the ith byte of x.
3. Permutation: permute the bits using a fixed permutation.

Round keys k1, ..., k_{r+1} of an r-round SPN network are derived via a key schedule from the key k. S-boxes and permutation are known (Kerckhoffs).

Avalanche effect: a small change in the input must "affect" every bit of the output.
• S-boxes are designed so that changing a single input bit changes at least two output bits.
• The output of every S-box is used as input to multiple S-boxes in the next round.

Feistel Networks §6.2.2

For f : {0,1}^{ℓ/2} → {0,1}^{ℓ/2}, one round of a Feistel network FN_f : {0,1}^ℓ → {0,1}^ℓ is defined as

  FN_f(L, R) := (R, L ⊕ f(R))

this is a permutation with inverse

  FN_f^{-1}(L, R) := (R ⊕ f(L), L)

Theorem 7.23 If the fi are PRFs with independent keys, then the 3-round Feistel network is a PRP (a strong PRP with 4 rounds).

Theoretical justification of Feistel: Luby-Rackoff, 1988.

In Feistel-based block-cipher constructions the fi are not PRFs and the keys are not independent (the round keys are derived from the key). On the other hand, one uses much more than just 3 rounds. The advantage over SPN networks is that the building block fi does not have to be a permutation itself!

DES (Data Encryption Standard) is a 16-round Feistel network with block length ℓ = 64 and key length n = 56. Due to the small key size DES was brute forced in 1997; today it can be broken within minutes. It has been replaced with AES, or with triple DES if replacing DES is difficult (e.g. for legacy reasons). But apart from the key-size, DES is considered to be an excellent design which took into account much know-how that was not publicly known when it was designed in the 70s. In particular, the designers knew about linear cryptanalysis, which was only published in 1990.

3DES: Increasing the Key Length §6.2.4

DES has short n = 56 bit keys and ℓ = 64 bit blocks.
• Too small block size: many security bounds (e.g. for encryption in counter mode) are of the form q²/2^n, where q is the number of adversarial queries. For security one needs q ≪ 2^32, which might not always be realistic.
• Too short keys: the 56 bit key of DES was brute-forced in 1998. Completely insecure today.

We can increase the key-size, and hopefully the security, of a block-cipher by cascading.

[Figure: three cascades of F]
• F_{k2}(F_{k1}(·)): double encryption using 2 independent keys.
• F_{k3}(F_{k2}^{-1}(F_{k1}(·))): triple encryption using 3 independent keys.
• F_{k1}(F_{k2}^{-1}(F_{k1}(·))): triple encryption using 2 independent keys. Used for triple DES.

The middle F runs in the inverse direction for backwards compatibility: if k1 = k2 = k3 then F_{k3}(F_{k2}^{-1}(F_{k1}(·))) becomes F_{k1}(·).

Why triple, not double encryption? Because of a meet-in-the-middle attack: for any F : {0,1}^n × {0,1}^ℓ → {0,1}^ℓ, double encryption can be broken (key-recovery attack) in time 2^n in a known-plaintext attack. So it is no more secure than a single use of F. (Not quite, as this attack needs O(2^n) space, whereas brute forcing a single F requires constant space.)

proof on blackboard
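The Feistel round and its inverse from §6.2.2, the EDE cascade and the meet-in-the-middle argument left for the blackboard, worked at toy scale as an added Python example that is not the lecture's code: the cipher is a constructed 4-round Feistel network with a 12-bit key n and a 16-bit block, and its round function f and key schedule are assumptions (hash-based stand-ins, not DES's), so f is deliberately not a permutation.

```python
import hashlib

KEYBITS = 12   # toy key length n; the block is 16 bits (two 8-bit halves). Constructed sizes, not DES's.

def f(rk: int, half: int) -> int:
    """Toy round function {0,1}^8 -> {0,1}^8: a truncated hash, deliberately NOT a permutation."""
    return hashlib.sha256(bytes([rk >> 8, rk & 0xFF, half])).digest()[0]

def feistel_round(rk: int, L: int, R: int):
    """FN_f(L, R) = (R, L xor f(R))."""
    return R, L ^ f(rk, R)

def feistel_round_inv(rk: int, L: int, R: int):
    """FN_f^{-1}(L, R) = (R xor f(L), L); undoes feistel_round whatever f is."""
    return R ^ f(rk, L), L

def round_keys(k: int, rounds: int = 4):
    """Toy key schedule (an assumption, not DES's): round key i is 16 bits of a hash of (k, i)."""
    return [int.from_bytes(hashlib.sha256(bytes([k >> 8, k & 0xFF, i])).digest()[:2], "big")
            for i in range(rounds)]

def encrypt(k: int, block: int) -> int:
    """F_k: 4-round Feistel network on a 16-bit block."""
    L, R = block >> 8, block & 0xFF
    for rk in round_keys(k):
        L, R = feistel_round(rk, L, R)
    return L << 8 | R

def decrypt(k: int, block: int) -> int:
    """F_k^{-1}: apply the inverse rounds with the round keys in reverse order."""
    L, R = block >> 8, block & 0xFF
    for rk in reversed(round_keys(k)):
        L, R = feistel_round_inv(rk, L, R)
    return L << 8 | R

def triple_ede(k1: int, k2: int, k3: int, block: int) -> int:
    """F_k3(F_k2^{-1}(F_k1(.))): with k1 == k2 == k3 this is plain F_k1 (backwards compatibility)."""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))

def double_keys_from_known_plaintexts(pairs):
    """Meet-in-the-middle on F_k2(F_k1(.)): about 2 * 2^n cipher calls plus a 2^n-entry table,
    instead of the 2^(2n) calls a brute force over both keys would need. pairs: known (m, c) with
    c = F_k2(F_k1(m)). Returns a (k1, k2) consistent with all pairs, or None."""
    m0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << KEYBITS):                    # forward half: F_k1(m0) for every k1
        middle.setdefault(encrypt(k1, m0), []).append(k1)
    for k2 in range(1 << KEYBITS):                    # backward half: F_k2^{-1}(c0) for every k2
        for k1 in middle.get(decrypt(k2, c0), []):    # a meeting point is a candidate key pair
            if all(encrypt(k2, encrypt(k1, m)) == c for m, c in pairs[1:]):
                return k1, k2
    return None
```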