instantiating random oracles
play

Instantiating Random Oracles via UCEs Mihir Bellare Joint work - PowerPoint PPT Presentation

Jun 03, 2023 •318 likes •774 views

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD 1/9/13 Bellare, Stanford RWC Workshop 1 The work reported on here is very much work in progress. The UCE definition has evolved since this talk and

  1. Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD 1/9/13 Bellare, Stanford RWC Workshop 1

  2. The work reported on here is very much work in progress. The UCE definition has evolved since this talk and will evolve further, and what is here should not be taken as its definitive or final form. Theorems stated here have been strengthened, and we have other results as well. A paper is not yet available but we hope to have one soon. 1/9/13 Bellare, Stanford RWC Workshop 2

  3. Contributions in brief UCE (Universal Computational Extractors): A new DEFINITION of security for hash functions. Instantiating ROs: UCE hash functions can provably instantiate ROs in a variety of existing schemes: DE, HE, MLE, PKE (OAEP), KDM, RKA, … Generalization: UCE extends and unifies existing definitions like hardcore functions, extractors, correlated- input functions, … Modular design: Instantiate RO in (existing and) practical ROM schemes, not design new schemes! Modular proofs: (Instantiable RO paradigm): Proofs of instantiated schemes use results on the ROM security of the scheme in a blackbox way. 1/9/13 Bellare, Stanford RWC Workshop 3

  4. Random Oracle Model (ROM) and Paradigm [BR93] Access to this procedure given to scheme algorithms as well as to the adversary. Step 1: Prove security of scheme in the ROM Step 2: Instantiate HASH via a cryptographic hash function H in an implementation The instantiated scheme is then secure as long as H behaves “ like a random oracle .” 1/9/13 Bellare, Stanford RWC Workshop 4

  5. RSA-OAEP [BR94] M || 0…0 r HASH HASH s t Theorem: In the ROM, RSA-OAEP is • IND-CPA secure if RSA is 1-way [BR94] • IND-CCA secure if RSA is partial-domain 1-way [FOPS01] In PKCS#1: Implemented with 1/9/13 Bellare, Stanford RWC Workshop 5

  6. ROM Features Yields schemes that are • Practical and • Proven secure Theory ROM paradigm is • Widely employed • Works in practice 1/9/13 Bellare, Stanford RWC Workshop 6

  7. ROM Critiques Step 1: Prove security of scheme in the ROM. Step 2: Instantiate HASH via a cryptographic hash function H in an implementation. The instantiated scheme is then secure as long as H behaves “ like a random oracle .” The ROM proof does not apply to the instantiated scheme It is not clear what this means. 1/9/13 Bellare, Stanford RWC Workshop 7

  8. Counter-examples Theorem: [CGH98,MRH04] There exist encryption schemes that are • Secure in the ROM • Insecure under any instantiation of HASH The scheme in which HASH is instantiated by H can be broken if a program implementing H is the message M encrypted. Counter-examples that are (perhaps?) more realistic: Ni02, GT03, BBP04, CGH04, BDWY12, BCPT13, … 1/9/13 Bellare, Stanford RWC Workshop 8

  9. The debate continues … Your counter-examples are artificial. The RO paradigm is The paradigm has not failed in practice. theoretically unsound. You have some alternative? It can yield insecure instantiated schemes. It’s too easy. We developed all this nice, deep, complex theory, and you want to replace it with a noise box. 1/9/13 Bellare, Stanford RWC Workshop 9

  10. RSA+ROM q -ABDHE assumption 1/9/13 Bellare, Stanford RWC Workshop 10

  11. The core problem: Lack of a definition Step 1: Prove security of scheme in the ROM. Step 2: Instantiate HASH via a cryptographic hash function H in an implementation. The instantiated scheme is then secure as long as H behaves “ like a random oracle .” The ROM proof does not apply to the instantiated scheme It is not clear what this means. We lack a formal DEFINITION of what it means for a hash function to behave “like a random oracle.” 1/9/13 Bellare, Stanford RWC Workshop 11

  12. The core problem: Lack of a definition Step 1: Prove security of scheme in the ROM. Step 2: Instantiate HASH via a cryptographic hash function H in an implementation. The instantiated scheme is then secure as long as H behaves “ like a random oracle .” The ROM proof does not apply to the instantiated scheme Cryptographers don’t mind strong assumptions. But they like to know exactly what they are assuming. It is not clear what this means. We lack a formal DEFINITION of what it means for a hash function to behave “like a random oracle.” 1/9/13 Bellare, Stanford RWC Workshop 12

  13. Want: Instantiable RO Paradigm Step 1: Prove security of scheme in the ROM Step 2: Instantiate HASH via a cryptographic hash function H in an implementation Exploiting the result of Step 1 in a blackbox way! Step 3: Prove that the instantiated scheme is secure as long as H meets definition X. Game-based, falsifiable definition in the standard style. Tells us when an attack on H is successful. We cannot hope to find (achievable) X where this works for ALL schemes. But we would like to cover interesting sub-classes of schemes. 1/9/13 Bellare, Stanford RWC Workshop 13

  14. Previous work X = PRF: [GGM86] Works for symmetric cryptography, where adversary does NOT have access to HASH oracle. X = POWHF (Perfectly One-Way Hash Functions): [C97,CMR98] X = Non-malleable hash functions: [BCFW09] X = CIH (Correlated-input-secure hash functions): [GOR11] Limited applicability. 1/9/13 Bellare, Stanford RWC Workshop 14

  15. Contributions in brief UCE (Universal Computational Extractors): A new DEFINITION of security for hash functions. Instantiating ROs: UCE hash functions can provably instantiate ROs in a variety of existing schemes: DE, HE, MLE, PKE (OAEP), KDM, RKA, … Generalization: UCE extends and unifies existing definitions like hardcore functions, extractors, correlated- input functions, … Modular design: Instantiate RO in (existing and) practical ROM schemes, not design new schemes! Modular proofs: (Instantiable RO paradigm): Proofs of instantiated schemes use results on the ROM security of the scheme in a blackbox way. 1/9/13 Bellare, Stanford RWC Workshop 15

  16. Syntax A family of hash functions is a pair of poly-time algorithms. Usually ignore Think HMAC-SHA1, not SHA1. 1/9/13 Bellare, Stanford RWC Workshop 16

  17. Source UCE x n x 1 x 2 S H K H K H K Y 1 Y b Y 0 : random Informally: Y 1 looks random. 1/9/13 Bellare, Stanford RWC Workshop 17

  18. Source Leakage UCE x n x 1 x 2 S L b' D K H K H K H K Distingsuisher Y 1 Y b Y 0 : random is UCE-secure if is negligible for every poly- time S and every poly-time D. Informally: Y 1 looks random given L . 1/9/13 Bellare, Stanford RWC Workshop 18

  19. Source Leakage UCE x n x 1 x 2 S L b' D K H K H K H K Y 1 Y b Y 0 : random is UCE-secure if is negligible for every poly- time S and every poly-time D. Not possible! L could contain x 1 and D could check whether H K ( x 1 ) equals the first component of vector Y b . 1/9/13 Bellare, Stanford RWC Workshop 19

  20. Source Leakage UCE x n x 1 x 2 S L b' D K H K H K H K Y 1 Y b Y 0 : random is UCE-secure if is negligible for every poly- time unpredictable S and every poly-time D. Computing any x i given L is hard. Informally: Y 1 looks random given L as long as you cannot compute any x i . 1/9/13 Bellare, Stanford RWC Workshop 20

  21. UCE: Formally is UCE-secure if is negligible for every poly- time unpredictable S and every poly-time D. 1/9/13 Bellare, Stanford RWC Workshop 22

  22. The unpredictability condition: Formally S is unpredictable if is negligible for every poly-time U . Note: The hash function H appears nowhere; unpredictability is in the ROM. 1/9/13 Bellare, Stanford RWC Workshop 23

  23. UCE generalizes existing definitions 1/9/13 Bellare, Stanford RWC Workshop 24

  24. UCE generalizes existing definitions Correlated Definition Leakage Unpredictability Indistinguishability inputs Hardcore functions Y b , F ( x i ) Computational Computational No [BlMi81,Y82] Hardcore functions on Y b , F ( x i ) Computational Computational Yes correlated inputs [FOR12] Randomness extractors Y b , F ( x i ) Statistical Statistical No [NZ93,DORS08] Computational extractors Y b Statistical Computational No [FPZ08,K10,DGKM12] Correlated-input secure Y b Statistical Computational Yes functions [GOR11] UCE [BK13] Any Computational Computational Yes 1/9/13 Bellare, Stanford RWC Workshop 25

  25. UCE generalizes existing definitions Correlated Definition Leakage Unpredictability Indistinguishability inputs Hardcore functions Y b , F ( x i ) Computational Computational No [BlMi81,Y82] Hardcore functions on Y b , F ( x i ) Computational Computational Yes correlated inputs [FOR12] Randomness extractors Y b , F ( x i ) Statistical Statistical No [NZ93,DORS08] Computational extractors Y b Statistical Computational No [FPZ08,K10,DGKM12] Correlated-input secure Y b Statistical Computational Yes functions [GOR11] UCE [BK13] Any Computational Computational Yes Correlated Definition Leakage Unpredictability Privacy inputs DE [BBO07,BFOR08] Y b Statistical Computational Yes DE with auxiliary inputs Y b , F ( x ) Computational Computational Yes [BrSe11] 1/9/13 Bellare, Stanford RWC Workshop 26

  26. UCE extends standard definitions UCE: • Considers a more general form of leakage than other primitives • Goes “computational” on all fronts. 1/9/13 Bellare, Stanford RWC Workshop 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain Amit Sahai Since 2013 Two-Round (Adaptive) Multi-Party Computation Instantiating Random Oracles Non-Interactive Multi-party Key

1.33k views • 111 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

Overview Background The Transformation Conclusion and Future Work From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013 Overview Background The

1.34k views • 44 slides
Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis New York University Joint work with Siyao Guo (Simons Institute, UC Berkeley) Jonathan Katz (University of Maryland) Hash Functions Are Ubiquitous

650 views • 40 slides
Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS,

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS,

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS, Paris TU Darmstadt Backdoors 1 Backdoors It makes more sense to address any security risks by developing intercept solutions during the design

808 views • 52 slides
Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of

768 views • 65 slides
Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work with Alexander Russell (University of Connecticut), Moti Yung (Google & Columbia University) Hong Sheng Zhou (Virginia Commonwealth University)

578 views • 34 slides
Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Cryptocurrencies & Security on the Blockchain Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM execution must be deterministic. Cannot rely on outside information But sometimes that

591 views • 17 slides
Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias Joint work with Andrew Lewis Institute of Software Chinese Academy of Sciences Barcelona, July 2011 Question Random data lack internal structure

191 views • 18 slides
A Deliberation Layer for Instantiating Robot Execution Plans from Abstract Task Descriptions

A Deliberation Layer for Instantiating Robot Execution Plans from Abstract Task Descriptions

A Deliberation Layer for Instantiating Robot Execution Plans from Abstract Task Descriptions June 10th, 2013 D. Di Marco , R.J.M. Janssen , A.C. Perzylo , M.J.G. van de Molengrafu , P. Levi Eindhoven University of

295 views • 18 slides
Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner & Mattner Systemtechnik GmbH Berlin, Germany Overview Classification Tree Method Expected results Executable test scripts Test Oracles and

374 views • 25 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline Oracles, Test Automation and (Test) Models Oracles in TTCN-3 Test Automation (Oracle) Examples Test oracle as part of a test case A test

326 views • 30 slides
Topics Declaring and Instantiating Arrays Accessing Array Elements Writing Methods

Topics Declaring and Instantiating Arrays Accessing Array Elements Writing Methods

Topics Declaring and Instantiating Arrays Accessing Array Elements Writing Methods Chapter 8 Aggregate Array Operations Using Arrays in Classes Single-Dimensional Arrays Searching and Sorting Arrays Using Arrays

434 views • 14 slides
Instantiating Knowledge Bases in Abstract Dialectical Frameworks Hannes Strass Computer Science

Instantiating Knowledge Bases in Abstract Dialectical Frameworks Hannes Strass Computer Science

Background From DTBs to AFs From DTBs to ADFs Conclusion Instantiating Knowledge Bases in Abstract Dialectical Frameworks Hannes Strass Computer Science Institute Leipzig University, Germany CLIMA XIV 16 September 2013 Hannes Strass CSI

481 views • 30 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung)

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel and Gunnar Hartung) Digital Signatures 2020-03-17 1 Outline RSA-based signature schemes RSA-FDH: Full Domain Hash Random Oracle Model RSA-FDH: Security Digital

944 views • 73 slides
Background memCellsF09 Allen Tanner built an SRAM/ROM generator program back in 2004 Single-

Background memCellsF09 Allen Tanner built an SRAM/ROM generator program back in 2004 Single-

Background memCellsF09 Allen Tanner built an SRAM/ROM generator program back in 2004 Single- and Double-port SRAM the ROM seems to work fine there are building blocks fabricated examples that work the SRAM isnt as good

301 views • 6 slides
Branding on a Budget Public Health Communications Webinar Series June 17, 2019 Webinar

Branding on a Budget Public Health Communications Webinar Series June 17, 2019 Webinar

Branding on a Budget Public Health Communications Webinar Series June 17, 2019 Webinar Objectives Understand the importance of a strong brand Discuss basic principles of branding and tips for defining your brand Share recommendations

627 views • 59 slides
Slide 1 / 38 Slide 2 / 38 1 A student throws a ball upward where the initial potential energy

Slide 1 / 38 Slide 2 / 38 1 A student throws a ball upward where the initial potential energy

Slide 1 / 38 Slide 2 / 38 1 A student throws a ball upward where the initial potential energy is 0. At a height of 15 meters the ball has a potential energy of 60 joules and is moving upward with a kinetic energy of 40 joules. AP Physics C

199 views • 7 slides
Implementing Existing Management Protocols on Constrained Devices J urgen Sch onw alder

Implementing Existing Management Protocols on Constrained Devices J urgen Sch onw alder

Implementing Existing Management Protocols on Constrained Devices J urgen Sch onw alder IETF 81, Quebec, 2011-07-26 1 / 22 SNMP on Constrained Devices 1 SNMP on Constrained Devices 2 NETCONF on Constrained Devices (NETCONF Light) 3

340 views • 22 slides
Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics

Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics

Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics covered Basic concepts/Scheduling criteria Non-preemptive and Preemptive scheduling Scheduling algorithms Algorithm evaluation CPSC

422 views • 20 slides
Process/CPU scheduling (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even

Process/CPU scheduling (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even

Process/CPU scheduling (contd.) Indranil Sen Gupta (odd section) and Mainack Mondal (even section) CS39002 Spring 2019-20 The key concepts so far CPU burst, I/O burst CPU scheduler (which process should execute next) The key concepts

767 views • 66 slides
CS 377 Discussion 3 Brendan Murphy bemurphy@cs.umass.edu enter Dept name in Slide Master enter

CS 377 Discussion 3 Brendan Murphy bemurphy@cs.umass.edu enter Dept name in Slide Master enter

CS 377 Discussion 3 Brendan Murphy bemurphy@cs.umass.edu enter Dept name in Slide Master enter Dept name in Title Master 1 Reminders Lab 1 due Oct. 8 Assignment details should be on website enter Dept name in Slide Master 2 For

658 views • 9 slides

More recommend