Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya - - PowerPoint PPT Presentation

Combiners for Backdoored Random Oracles

Balthazar Bauer, Pooya Farshim, Sogol Mazaheri

ENS, Paris TU Darmstadt

Backdoors

1

Backdoors

It makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact.

James Comey (former FBI director, Oct. 2014)

1

Hash Functions

✵✽❜❢❢✶❡✵❜✵✶✻✷

Hash Functions are Everywhere:

KDFs OWFs FDH MACs PoW

2

Hash Functions

✵✽❜❢❢✶❡✵❜✵✶✻✷

Hash Functions are Everywhere:

KDFs OWFs FDH MACs PoW security proofs are not always possible...

2

Random Oracles

✵✽❜❢❢✶❡✵❜✵✶✻✷

3

Random Oracles = Ideal Hash Functions

ideal hash function ✵✽❜❢❢✶❡✵❜✵✶✻✷

3

Random Oracles = Ideal Hash Functions

ideal hash function ✵✽❜❢❢✶❡✵❜✵✶✻✷

Random Oracles are Practical,

enabling proofs of many practical schemes: RSA-OAEP TLS Identification protocols FDH DSA PSS

3

Backdoored Random Oracles (BROs)

H

x H(x)

4

Backdoored Random Oracles (BROs)

H

x H(x)

4

Backdoored Random Oracles (BROs)

H

random oracle x H(x)

4

Backdoored Random Oracles (BROs)

H

random oracle x H(x)

BDH

backdoor oracle f f (H)

4

Backdoored Random Oracles (BROs)

H

random oracle x H(x)

BDH

backdoor oracle f f (H)

adaptive and unrestricted access to the backdoor oracle

4

Backdoor Capabilities

BDH

5

Backdoor Capabilities

BDH

collisions? (x, x′)

5

Backdoor Capabilities

BDH

collisions? (x, x′) H−(y)? x

5

Backdoor Capabilities

BDH

collisions? (x, x′) H−(y)? x H−(y) starting with k zeros? 0k|x

5

Backdoor Capabilities

BDH

collisions? (x, x′) H−(y)? x H−(y) starting with k zeros? 0k|x any f

f (H)

5

Backdoor Capabilities

BDH

collisions? (x, x′) H−(y)? x H−(y) starting with k zeros? 0k|x any f

f (H)

no security is possible...

5

Combining BROs

H

x H(x)

BDH

f f (H)

6

Combining BROs

H

x H(x)

BDH

f f (H)

G

x G(x)

BDG

f f (G)

6

Combining BROs

H

x H(x)

BDH

f f (H)

G

x G(x)

BDG

f f (G)

Can we combine two independent but backdoored hash functions to build one that is secure against adversaries with access to both backdoor oracles?

6

Combiners

7

Combiners

H

concatenation:

G

7

Combiners

H

concatenation:

G H

xor:

⊕

G

7

Combiners

H

concatenation:

G H

xor:

⊕

G H

cascade:

G

7

Combiners

H

concatenation:

G H

xor:

⊕

G H

cascade:

G H

xor:

⊕

G H

cascade:

G

7

Concatenation in 2-BRO

H G BDH BDG

8

Concatenation in 2-BRO

H G BDH BDG

• ne-way security?

8

Concatenation in 2-BRO

H G BDH BDG

• ne-way security?

pseudorandomness? collision-resistance?

8

Concatenation in 2-BRO

H G BDH BDG

• ne-way security?

pseudorandomness? collision-resistance? We need results from communication complexity...

8

Communication Complexity

A B

t(A, B)

9

Communication Complexity

A B

A B

9

Communication Complexity

A B

A B

INT: find x ∈ A ∩ B. DISJ: decide A ∩ B = ∅

9

Communication Complexity

A B

A B

INT: find x ∈ A ∩ B. DISJ: decide A ∩ B = ∅

Theorem ([Babai, Frankl, Simon 86]): For independent random sets A, B ⊆ [2n] of size 2n/2, and protocols with 99% correctness, it holds that CC(DISJ) ≥ Ω(2n/2).

9

Communication Complexity - Generalized

|A|, |B| lower-bound problem by = 2n/2 Ω(2n/2) DISJ

[Babai, Frankl, Simon 86]

≈ 2n/2 Ω(2n/2) DISJ

[Moshkovitz, Barak 12], [Guruswami, Cheraghchi 13]

10

Communication Complexity - Generalized

|A|, |B| lower-bound problem by = 2n/2 Ω(2n/2) DISJ

[Babai, Frankl, Simon 86]

≈ 2n/2 Ω(2n/2) DISJ

[Moshkovitz, Barak 12], [Guruswami, Cheraghchi 13]

Theorem: For independent random sets A, B ⊆ [2n] of expected sizes 2n(1−α) and 2n(1−β) respectively, CC(INT) ≥ Ω(2n(min(α,β)+α+β−1)), for (α, β) in the feasible region.

10

Communication Complexity - Generalized

|A|, |B| lower-bound problem by = 2n/2 Ω(2n/2) DISJ

[Babai, Frankl, Simon 86]

≈ 2n/2 Ω(2n/2) DISJ

[Moshkovitz, Barak 12], [Guruswami, Cheraghchi 13]

Theorem: For independent random sets A, B ⊆ [2n] of expected sizes 2n(1−α) and 2n(1−β) respectively, CC(INT) ≥ Ω(2n(min(α,β)+α+β−1)), for (α, β) in the feasible region.

10

One-Way Security of Concatenation Combiner

Theorem: Inverting a random value u|v under H|G in the 2-BRO model is as hard as the set-intersection problem.

11

One-Way Security of Concatenation Combiner

Theorem: Inverting a random value u|v under H|G in the 2-BRO model is as hard as the set-intersection problem. Let A := H−(u) and B := G−(v). A B

11

One-Way Security of Concatenation Combiner

Theorem: Inverting a random value u|v under H|G in the 2-BRO model is as hard as the set-intersection problem. Let A := H−(u) and B := G−(v). A B Then, for any pre-image x of u|v: x ∈ H−(u) and x ∈ G−(v)

11

One-Way Security of Concatenation Combiner

Theorem: Inverting a random value u|v under H|G in the 2-BRO model is as hard as the set-intersection problem. Let A := H−(u) and B := G−(v). A B x Then, for any pre-image x of u|v: x ∈ H−(u) and x ∈ G−(v) Hence, x ∈ A ∩ B.

11

Security of Concatenation in 2-BRO

One-Way Security

Inverting a random value u|v is as hard as the set-intersection problem.

12

Security of Concatenation in 2-BRO

One-Way Security

Inverting a random value u|v is as hard as the set-intersection problem.

Pseudorandomness

Deciding whether a random value u|v has a pre-image is as hard as the set-disjointness problem.

12

Security of Concatenation in 2-BRO

One-Way Security

Inverting a random value u|v is as hard as the set-intersection problem.

Pseudorandomness

Deciding whether a random value u|v has a pre-image is as hard as the set-disjointness problem.

Collision-Resistance

Finding a collision is as hard as ...

12

Collision-Resistance of Concatenation

Theorem: Finding a collision under H|G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection.

13

Collision-Resistance of Concatenation

Theorem: Finding a collision under H|G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection.

. .

13

Collision-Resistance of Concatenation

Theorem: Finding a collision under H|G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection.

. .

Hardness of the above problem is open.

13

Combiners and Security Notions

H G H

⊕

G H G

OW PRG CR

• ??
• ?

??

• ??

14

Open Problems

lower bound for the multi-INT problem extend parameters for DISJ and INT combiners for other backdoored primitives

π E

15

16

Thank You.

Thanks to Giorgia Marson for drawing Alice, Bob, and the sheet. 16