Does Secure Time-Stamping Imply Collision-Free Hash Functions - - PowerPoint PPT Presentation

does secure time stamping imply collision free hash
SMART_READER_LITE
LIVE PREVIEW

Does Secure Time-Stamping Imply Collision-Free Hash Functions - - PowerPoint PPT Presentation

Mar 31, 2023 43 likes •414 views

Does Secure Time-Stamping Imply Collision-Free Hash Functions Ahto Buldas, Aivo J urgenson aivo.jurgenson@eesti.ee Tallinn University of Technology, Estonia. Elion Enterprises Ltd, Estonia. p. 1 Topics background about hash

slide-1
SLIDE 1

Does Secure Time-Stamping Imply Collision-Free Hash Functions

Ahto Buldas, Aivo J¨ urgenson

aivo.jurgenson@eesti.ee

Tallinn University of Technology, Estonia. Elion Enterprises Ltd, Estonia.

– p. 1

slide-2
SLIDE 2

Topics

background about hash functions and their security timestamping and backdating attack what is blackbox reduction how to prove that blackbox reduction is not possible show that time-stamping doesn’t require CHFH

– p. 2

slide-3
SLIDE 3

Hash functions

X ∈ {0, 1}∗, x = h(X), x ∈ {0, 1}m

– p. 3

slide-4
SLIDE 4

Hash functions

X ∈ {0, 1}∗, x = h(X), x ∈ {0, 1}m X1 = X2, h(X1) = h(X2)

– p. 3

slide-5
SLIDE 5

Hash functions

X ∈ {0, 1}∗, x = h(X), x ∈ {0, 1}m X1 = X2, h(X1) = h(X2) attacks against collision resistance of MD5, SHA-1, SHA-256

– p. 3

slide-6
SLIDE 6

Hash functions

X ∈ {0, 1}∗, x = h(X), x ∈ {0, 1}m X1 = X2, h(X1) = h(X2) attacks against collision resistance of MD5, SHA-1, SHA-256 is this collision freedom really required in applications (for example in timestamping)?

– p. 3

slide-7
SLIDE 7

Hash functions

X ∈ {0, 1}∗, x = h(X), x ∈ {0, 1}m X1 = X2, h(X1) = h(X2) attacks against collision resistance of MD5, SHA-1, SHA-256 is this collision freedom really required in applications (for example in timestamping)? Buldas and Saarepera in 2004: collision freedom is insufficient. Buldas and Laur in 2006: collision freedom is unneccessary.

– p. 3

slide-8
SLIDE 8

Timestamping scheme

X1

X2 X3 . . .

  • x1 . . . xm

– p. 4

slide-9
SLIDE 9

Timestamping scheme

r1 = Com(X1) r2 = Com(X2) r3 = Com(X3) X1

X2 X3 . . .

  • x1 . . . xm
  • – p. 4
slide-10
SLIDE 10

Timestamping scheme

r1 = Com(X1) r2 = Com(X2) r3 = Com(X3) X1

X2 X3 . . .

  • x1 . . . xm
  • x1 . . . x . . . xm
  • c = Cert(X3, x)
  • – p. 4
slide-11
SLIDE 11

Timestamping scheme

r1 = Com(X1) r2 = Com(X2) r3 = Com(X3) X1

X2 X3 . . .

  • x1 . . . xm
  • x1 . . . x . . . xm
  • Ver(r3, c, x) = yes

c = Cert(X3, x)

  • – p. 4
slide-12
SLIDE 12

Backdating attack

– p. 5

slide-13
SLIDE 13

Backdating attack

Adversary publishes commitment r.

– p. 5

slide-14
SLIDE 14

Backdating attack

Adversary publishes commitment r. Alice invents something DA ∈ {0, 1}∗.

– p. 5

slide-15
SLIDE 15

Backdating attack

Adversary publishes commitment r. Alice invents something DA ∈ {0, 1}∗. Adversary creates a modified description of the Alice’s invention D′

A ∈ {0, 1}∗ and claims

that this was timestamped by himself long before Alice invented it.

– p. 5

slide-16
SLIDE 16

Backdating attack

Adversary publishes commitment r. Alice invents something DA ∈ {0, 1}∗. Adversary creates a modified description of the Alice’s invention D′

A ∈ {0, 1}∗ and claims

that this was timestamped by himself long before Alice invented it. x = H(D′

A), Ver(r, x, c) = yes

– p. 5

slide-17
SLIDE 17

Formalized attack

Two-staged adversary A = (A1, A2).

– p. 6

slide-18
SLIDE 18

Formalized attack

Two-staged adversary A = (A1, A2). Security condition:

– p. 6

slide-19
SLIDE 19

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

– p. 6

slide-20
SLIDE 20

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

– p. 6

slide-21
SLIDE 21

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

– p. 6

slide-22
SLIDE 22

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

– p. 6

slide-23
SLIDE 23

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

A = (A1, A2) ∈ FPU when Pr

  • (r, a) ← A1(1k), x′ ← Π(r, a),

(x, c) ← A2(r, a): x′ = x

  • = k−ω(1)

– p. 6

slide-24
SLIDE 24

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

A = (A1, A2) ∈ FPU when Pr

  • (r, a) ← A1(1k), x′ ← Π(r, a),

(x, c) ← A2(r, a): x′ = x

  • = k−ω(1)

– p. 6

slide-25
SLIDE 25

Formalized attack

Two-staged adversary A = (A1, A2). Security condition: Pr

  • (r, a) ← A1(1k), (x, c)←A2(r, a) :

Ver(x, c, r) = yes

  • = k−ω(1)

A = (A1, A2) ∈ FPU when Pr

  • (r, a) ← A1(1k), x′ ← Π(r, a),

(x, c) ← A2(r, a): x′ = x

  • = k−ω(1)

– p. 6

slide-26
SLIDE 26

BlackBox reduction

general CFHF

P

BB

Q

general TS hash func- tion

Pf ∀f ∃Tf

Merkle- tree TS hash func- tion breaker

∃DA,f ∀A SA,f

FPU class TS attacker random hash function universal hash function breaker

– p. 7

slide-27
SLIDE 27

BlackBox reduction

general CFHF

P

BB

Q

general TS hash func- tion

Pf

implements

  • ∀f

implements

  • ∃Tf

Merkle- tree TS hash func- tion breaker

∃DA,f ∀A SA,f

FPU class TS attacker random hash function universal hash function breaker

– p. 7

slide-28
SLIDE 28

BlackBox reduction

general CFHF

P

BB

Q

general TS hash func- tion

Pf

implements

  • ∀f

implements

  • ∃Tf

Merkle- tree TS hash func- tion breaker

∃DA,f ∀A

breaks

  • SA,f

breaks

  • FPU

class TS attacker random hash function universal hash function breaker

– p. 7

slide-29
SLIDE 29

Oracle separation

general CFHF

P

BB

Q

general TS hash func- tion

∀Pf f ∃Tf

Merkle- tree TS hash func- tion breaker

∃DA,f A ∄SA,f

FPU class TS attacker random hash function universal hash function breaker

– p. 8

slide-30
SLIDE 30

Oracle separation

general CFHF

P

BB

Q

general TS hash func- tion

∀Pf f

  • ∃Tf

implements

  • Merkle-

tree TS hash func- tion breaker

∃DA,f A ∄SA,f

FPU class TS attacker random hash function universal hash function breaker

– p. 8

slide-31
SLIDE 31

Oracle separation

general CFHF

P

BB

Q

general TS hash func- tion

∀Pf

implements

  • f
  • ∃Tf

implements

  • Merkle-

tree TS hash func- tion breaker

∃DA,f

breaks

  • A

∄SA,f

FPU class TS attacker random hash function universal hash function breaker

– p. 8

slide-32
SLIDE 32

Oracle separation

general CFHF

P

BB

Q

general TS hash func- tion

∀Pf

implements

  • f
  • ∃Tf

implements

  • Merkle-

tree TS hash func- tion breaker

∃DA,f

breaks

  • A
  • ∄SA,f

breaks

  • FPU

class TS attacker random hash function universal hash function breaker

– p. 8

slide-33
SLIDE 33

Oracle separation

general CFHF

P

BB

Q

general TS

  • hash

func- tion

∀Pf

implements

  • f
  • ∃Tf

implements

  • Merkle-

tree TS

  • hash

func- tion breaker

∃DA,f

breaks

  • A
  • ∄SA,f

breaks

  • FPU

class TS attacker

  • random hash

function

  • universal

hash function breaker

  • – p. 8
slide-34
SLIDE 34

SA,f = (S1, S2) in work

r

  • fk
  • fk
  • fk
  • fk
  • fk
  • · · ·
  • cm
  • cm−1
  • R1
  • – p. 9
slide-35
SLIDE 35

SA,f = (S1, S2) in work

r

  • fk
  • fk
  • fk
  • fk
  • fk
  • · · ·

· · · x

  • cm
  • cm−1
  • c1
  • R2
  • R1
  • – p. 9
slide-36
SLIDE 36

SA,f = (S1, S2) in work

r

  • fk
  • fk
  • fk
  • fk
  • fk
  • · · ·
  • xi
  • fk
  • fk
  • · · ·
  • fk

x

  • fk
  • cm
  • cm−1
  • ci+1
  • ci
  • c2
  • c1
  • R2
  • R1
  • – p. 9
slide-37
SLIDE 37

Conclusion

Pr

  • (r, a) ← SA,f

1

(1k), (x, c)←SA,f

2

(r, a) : Ver(x, c, r) = yes

  • = k−ω(1)

blackbox reduction of CFHF to TS is not possible

– p. 10