combiners for backdoored random oracles
play

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya - PowerPoint PPT Presentation

Apr 03, 2023 •270 likes •808 views

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS, Paris TU Darmstadt Backdoors 1 Backdoors It makes more sense to address any security risks by developing intercept solutions during the design

  1. Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS, Paris TU Darmstadt

  2. Backdoors 1

  3. Backdoors It makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact. James Comey (former FBI director, Oct. 2014) 1

  4. Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ Hash Functions are Everywhere: KDFs OWFs FDH MACs PoW 2

  5. Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ Hash Functions are Everywhere: KDFs OWFs FDH MACs PoW security proofs are not always possible... 2

  6. Random Oracles ✵✽❜❢❢✶❡✵❜✵✶✻✷ 3

  7. Random Oracles = Ideal Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ ideal hash function 3

  8. Random Oracles = Ideal Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ ideal hash function Random Oracles are Practical, enabling proofs of many practical schemes: RSA-OAEP TLS Identification protocols FDH DSA PSS 3

  9. Backdoored Random Oracles (BROs) H ( x ) x H 4

  10. Backdoored Random Oracles (BROs) H ( x ) x H 4

  11. Backdoored Random Oracles (BROs) H ( x ) x H random oracle 4

  12. Backdoored Random Oracles (BROs) H ( x ) x H random oracle f ( H ) f BD H backdoor oracle 4

  13. Backdoored Random Oracles (BROs) H ( x ) x H random oracle f ( H ) f BD H backdoor oracle adaptive and unrestricted access to the backdoor oracle 4

  14. Backdoor Capabilities BD H 5

  15. Backdoor Capabilities collisions? BD H ( x , x ′ ) 5

  16. Backdoor Capabilities collisions? H − ( y ) ? x BD H ( x , x ′ ) 5

  17. Backdoor Capabilities collisions? 0 k | x H − ( y ) ? x BD H H − ( y ) starting ( x , x ′ ) with k zeros? 5

  18. Backdoor Capabilities collisions? any f 0 k | x H − ( y ) ? x BD H H − ( y ) starting ( x , x ′ ) with k zeros? f ( H ) 5

  19. Backdoor Capabilities collisions? any f 0 k | x H − ( y ) ? x BD H H − ( y ) starting ( x , x ′ ) with k zeros? f ( H ) no security is possible... 5

  20. Combining BROs H ( x ) x H f ( H ) f BD H 6

  21. Combining BROs H ( x ) G ( x ) x x H G f ( H ) f ( G ) f f BD H BD G 6

  22. Combining BROs H ( x ) G ( x ) x x H G f ( H ) f ( G ) f f BD H BD G Can we combine two independent but backdoored hash functions to build one that is secure against adversaries with access to both backdoor oracles? 6

  23. Combiners 7

  24. Combiners concatenation: H G 7

  25. Combiners xor: concatenation: H H ⊕ G G 7

  26. Combiners xor: concatenation: H H ⊕ G G cascade: H G 7

  27. Combiners xor: xor: concatenation: H H H ⊕ ⊕ G G G cascade: cascade: H H G G 7

  28. Concatenation in 2-BRO BD H H BD G G 8

  29. Concatenation in 2-BRO BD H H BD G G one-way security? 8

  30. Concatenation in 2-BRO BD H H BD G G one-way security? pseudorandomness? collision-resistance? 8

  31. Concatenation in 2-BRO BD H H BD G G one-way security? pseudorandomness? collision-resistance? We need results from communication complexity ... 8

  32. Communication Complexity A t ( A , B ) B 9

  33. Communication Complexity A B A B 9

  34. Communication Complexity A B A B find x ∈ A ∩ B . decide A ∩ B = ∅ INT : DISJ : 9

  35. Communication Complexity A B A B find x ∈ A ∩ B . decide A ∩ B = ∅ INT : DISJ : Theorem ([Babai, Frankl, Simon 86]): For independent random sets A , B ⊆ [ 2 n ] of size 2 n / 2 , and protocols with 99% correctness, it holds that CC ( DISJ ) ≥ Ω( 2 n / 2 ) . 9

  36. Communication Complexity - Generalized | A | , | B | lower-bound problem by = 2 n / 2 Ω( 2 n / 2 ) DISJ [Babai, Frankl, Simon 86] [Moshkovitz, Barak 12], ≈ 2 n / 2 Ω( 2 n / 2 ) DISJ [Guruswami, Cheraghchi 13] 10

  37. Communication Complexity - Generalized | A | , | B | lower-bound problem by = 2 n / 2 Ω( 2 n / 2 ) DISJ [Babai, Frankl, Simon 86] [Moshkovitz, Barak 12], ≈ 2 n / 2 Ω( 2 n / 2 ) DISJ [Guruswami, Cheraghchi 13] Theorem : For independent random sets A , B ⊆ [ 2 n ] of expected sizes 2 n ( 1 − α ) and 2 n ( 1 − β ) respectively, CC ( INT ) ≥ Ω( 2 n ( min ( α,β )+ α + β − 1 ) ) , for ( α, β ) in the feasible region. 10

  38. Communication Complexity - Generalized | A | , | B | lower-bound problem by = 2 n / 2 Ω( 2 n / 2 ) DISJ [Babai, Frankl, Simon 86] [Moshkovitz, Barak 12], ≈ 2 n / 2 Ω( 2 n / 2 ) DISJ [Guruswami, Cheraghchi 13] Theorem : For independent random sets A , B ⊆ [ 2 n ] of expected sizes 2 n ( 1 − α ) and 2 n ( 1 − β ) respectively, CC ( INT ) ≥ Ω( 2 n ( min ( α,β )+ α + β − 1 ) ) , for ( α, β ) in the feasible region. 10

  39. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. 11

  40. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. Let A := H − ( u ) and B := G − ( v ) . A B 11

  41. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. Let A := H − ( u ) and B := G − ( v ) . A B Then, for any pre-image x of u | v : x ∈ H − ( u ) and x ∈ G − ( v ) 11

  42. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. Let A := H − ( u ) and B := G − ( v ) . A B x Then, for any pre-image x of u | v : x ∈ H − ( u ) and x ∈ G − ( v ) Hence, x ∈ A ∩ B . 11

  43. Security of Concatenation in 2-BRO One-Way Security Inverting a random value u | v is as hard as the set-intersection problem. 12

  44. Security of Concatenation in 2-BRO One-Way Security Inverting a random value u | v is as hard as the set-intersection problem. Pseudorandomness Deciding whether a random value u | v has a pre-image is as hard as the set-disjointness problem. 12

  45. Security of Concatenation in 2-BRO One-Way Security Inverting a random value u | v is as hard as the set-intersection problem. Pseudorandomness Deciding whether a random value u | v has a pre-image is as hard as the set-disjointness problem. Collision-Resistance Finding a collision is as hard as ... 12

  46. Collision-Resistance of Concatenation Theorem : Finding a collision under H | G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection. 13

  47. Collision-Resistance of Concatenation Theorem : Finding a collision under H | G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection. . . 13

  48. Collision-Resistance of Concatenation Theorem : Finding a collision under H | G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection. . . Hardness of the above problem is open. 13

  49. Combiners and Security Notions OW PRG CR H ?? � � G H ? ?? ⊕ � G ?? � � H G 14

  50. Open Problems lower bound for the multi-INT problem extend parameters for DISJ and INT E π combiners for other backdoored primitives 15

  51. 16

  52. Thank You. Thanks to Giorgia Marson for drawing Alice, Bob, and the sheet. 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain Amit Sahai Since 2013 Two-Round (Adaptive) Multi-Party Computation Instantiating Random Oracles Non-Interactive Multi-party Key

1.33k views • 111 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

Overview Background The Transformation Conclusion and Future Work From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013 Overview Background The

1.34k views • 44 slides
Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis New York University Joint work with Siyao Guo (Simons Institute, UC Berkeley) Jonathan Katz (University of Maryland) Hash Functions Are Ubiquitous

650 views • 40 slides
Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of

768 views • 65 slides
Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work with Alexander Russell (University of Connecticut), Moti Yung (Google & Columbia University) Hong Sheng Zhou (Virginia Commonwealth University)

578 views • 34 slides
Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD 1/9/13 Bellare, Stanford RWC Workshop 1 The work reported on here is very much work in progress. The UCE definition has evolved since this talk and

774 views • 44 slides
Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Cryptocurrencies & Security on the Blockchain Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM execution must be deterministic. Cannot rely on outside information But sometimes that

591 views • 17 slides
Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias Joint work with Andrew Lewis Institute of Software Chinese Academy of Sciences Barcelona, July 2011 Question Random data lack internal structure

191 views • 18 slides
Algorithms for MapReduce Combiners Partition and Sort Pairs vs Stripes 1 Assignment 1 released

Algorithms for MapReduce Combiners Partition and Sort Pairs vs Stripes 1 Assignment 1 released

Algorithms for MapReduce Combiners Partition and Sort Pairs vs Stripes 1 Assignment 1 released Due 16:00 on 20 October Correctness is not enough! Most marks are for efficiency. Combiners Partition and Sort Pairs vs Stripes 2 Combining,

749 views • 36 slides
Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner & Mattner Systemtechnik GmbH Berlin, Germany Overview Classification Tree Method Expected results Executable test scripts Test Oracles and

374 views • 25 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline Oracles, Test Automation and (Test) Models Oracles in TTCN-3 Test Automation (Oracle) Examples Test oracle as part of a test case A test

326 views • 30 slides
Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

1.05k views • 28 slides
Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E A N R D U O C D O O D C N E Ralph Guderlei and Johannes Mayer rjg@mathematik.uni-ulm.de, jmayer@mathematik.uni-ulm.de

627 views • 40 slides
2. Elements of convex optjmizatjon Chlo-Agathe Azencot Centre for Computatjonal Biology, Mines

2. Elements of convex optjmizatjon Chlo-Agathe Azencot Centre for Computatjonal Biology, Mines

Introductjon to Machine Learning CentraleSuplec Paris Fall 2017 2. Elements of convex optjmizatjon Chlo-Agathe Azencot Centre for Computatjonal Biology, Mines ParisTech chloe-agathe.azencott@mines-paristech.fr Why talk about

1.48k views • 147 slides
New Approaches to Harness Global Interconnects Jason Cong Computer Science Department

New Approaches to Harness Global Interconnects Jason Cong Computer Science Department

PART V New Approaches to Harness Global Interconnects Jason Cong Computer Science Department University of California at Los Angeles Email: cong@cs.ucla.edu Tel: 310-206-2775 http://cadlab.cs.ucla.edu/~cong DAC'2000 Tutorial Jason Cong 1

957 views • 49 slides
Linear Programming DPV Chapter 7, Part 1 Jim Royer March 20, 2019 Uncredited diagrams are from

Linear Programming DPV Chapter 7, Part 1 Jim Royer March 20, 2019 Uncredited diagrams are from

Linear Programming DPV Chapter 7, Part 1 Jim Royer March 20, 2019 Uncredited diagrams are from DPV or homemade. DPV Chapter 7, Part 1 Linear Programming 1 / 1 Linear Programming: Introduction, 1 Ingredients of Linear Programming a set

563 views • 27 slides
Computational Optimization Constrained Optimization m R b , m n n Easiest Problem

Computational Optimization Constrained Optimization m R b , m n n Easiest Problem

Computational Optimization Constrained Optimization m R b , m n n Easiest Problem R R Linear equality constraints f A b ( ) = f x Ax min . . s t Null Space Representation Let x* be a feasible point, Ax*=b.

354 views • 33 slides
On the number of distinct solutions generated by the simplex method for LP . . . . .

On the number of distinct solutions generated by the simplex method for LP . . . . .

Retrospective Workshop Fields Institute Toronto, Ontario, Canada . . On the number of distinct solutions generated by the simplex method for LP . . . . . Tomonari Kitahara and Shinji Mizuno Tokyo Institute of Technology November

707 views • 55 slides
Mixed Integer Linear Programming Combinatorial Problem Solving (CPS) Javier Larrosa Albert

Mixed Integer Linear Programming Combinatorial Problem Solving (CPS) Javier Larrosa Albert

Mixed Integer Linear Programming Combinatorial Problem Solving (CPS) Javier Larrosa Albert Oliveras Enric Rodr guez-Carbonell April 24, 2020 Mixed Integer Linear Programs A mixed integer linear program (MILP, MIP) is of the form min

944 views • 68 slides
Honors Combinatorics CMSC-27410 = Math-28410 CMSC-37200 Instructor: Laszlo Babai University

Honors Combinatorics CMSC-27410 = Math-28410 CMSC-37200 Instructor: Laszlo Babai University

Honors Combinatorics CMSC-27410 = Math-28410 CMSC-37200 Instructor: Laszlo Babai University of Chicago Week 4, Tuesday, April 28, 2020 CMSC-27410=Math-28410 CMSC-3720 Honors Combinatorics Todays material Linear Program (LP)

1.01k views • 65 slides
Theory of Computation Chapter 13: Approximability Guan-Shieng Huang Jan. 3, 2007 0-0

Theory of Computation Chapter 13: Approximability Guan-Shieng Huang Jan. 3, 2007 0-0

Theory of Computation Chapter 13: Approximability Guan-Shieng Huang Jan. 3, 2007 0-0 Decision v.s. Optimization Problems decision problems: expect a yes/no answer optimization problems: expect an optimal solution from all

478 views • 28 slides

More recommend