Provable insecurity

Where artifacts come from, and how constructive math may help

Claus Diem and dreiwert

University of Leipzig

December 29, 2019


Hash functions in theory and practice Constructive logic

Part I: Problem

Claus Diem and dreiwert Provable insecurity

Contents

1 Hash functions in theory and practice
2 Constructive logic

Signed message

◮ We would like to have: SHA3 is collision resistant, and therefore GnuPG-SHA3 is unforgeable.
◮ The problem is: What shall “SHA3 is collision resistant” even mean?

What shall “collision resistant” mean?

Computer science guy
◮ It shall be very hard to find a collision.
◮ For example: It shall take more than 2^100 operations.
◮ Key negative example: MD5 is not collision resistant, since collisions can be found within 15 – 30 minutes.

Math guy
◮ For any function h: A collision is a pair (x, y) with x ≠ y and h(x) = h(y).
◮ For a hash function h : D → R we have card(D) > card(R).
◮ There always exists a collision x, y.
◮ So no “real” hash function is collision free.

slide-18
SLIDE 18

Hash functions in theory and practice Constructive logic

The math guy’s fastest attack

◮ int main() { std::cout << "x,y" << std::endl; return 0; } ◮ Complexity: constant ◮ The attack always exists ◮ Computer science guy: “What!?” You write down an “attack” without knowing the attack?

Claus Diem and dreiwert Provable insecurity

slide-19
SLIDE 19

Hash functions in theory and practice Constructive logic

The math guy’s fastest attack

◮ int main() { std::cout << "x,y" << std::endl; return 0; } ◮ Complexity: constant ◮ The attack always exists ◮ Computer science guy: “What!?” You write down an “attack” without knowing the attack? ◮ Math guy: “Yes, it exists” ...

Claus Diem and dreiwert Provable insecurity

What shall “collision resistant” mean?

Theoretical cryptographer
◮ The mathematician is right, but the conclusion is not acceptable.
◮ Therefore, we introduce a parameter and look at it from an asymptotic point of view.
◮ We look at attackers running in polynomial time, talk about success probability.
◮ And then later we fix the parameter and apply this to a “real” system.

Variable output length

◮ We have h = (h_s)_s with h_s : {0,1}^* → {0,1}^{ℓ(s)} (security parameter s)
◮ Attacker A gets 1^{ℓ(s)} as an input, outputs x, y
◮ Collision resistance: ∀n : ∃s_0 : ∀s : s > s_0 ⇒ P[x ≠ y ∧ h_s(x) = h_s(y)] < 1 / ℓ(s)^n
◮ (after Rogaway, 2007)

Artifact: ℓ

◮ Suppose the family h = (h_s)_s is collision free. What can we then conclude about h_{s_0} for a particular parameter s_0?
◮ Strictly speaking nothing:
◮ Suppose h is collision resistant and
      h*_s = h_s,  if ℓ(s) ≠ 128,
             MD5,  if ℓ(s) = 128.
  Then h* is also collision resistant by the definition.
◮ But MD5 is still broken ...
◮ Such a family h* might seem to be “artificially constructed”, but maybe not ...

Keyed hash functions

◮ h_{s,k} : {0,1}^* → {0,1}^{ℓ(s)} (security parameter s, key k)
◮ Attacker A_s reads k, outputs x, y
◮ Collision resistant: ∀n : ∃s_0 : ∀s : s > s_0 ⇒ P[x ≠ y ∧ h_{s,k}(x) = h_{s,k}(y)] < 1 / ℓ(s)^n
◮ (after Damgård 1987)
◮ Allows working with attackers A_s working on fixed output lengths
◮ Might seem to be a good solution: not asymptotic, does not immediately lead to a “trivial” attack.

Artifact: k

◮ But: Real hash functions normally don’t have keys
◮ Possible interpretation in some cases: key = initialization vector
◮ But then, free-start collision attacks are being analyzed
◮ But without variable (!) k, A_s can always be the trivial attacker
◮ Assume h being collision resistant and
      h*_{s,k} = h_{s,k},  if ℓ(s) ≠ 128,
                 MD5,      if ℓ(s) = 128 ∧ k = k_0.
◮ So, strictly speaking, from “h is collision resistant” we still cannot conclude anything about “concrete hash functions”.

Practical security

“How's it going?”
“We can prove that the new CPU works as specified, when the register width approaches infinity.”
“Excellent, so let's go into production using 64 bit registers.”
“No point doing so. For every fixed register width, the proof does not say anything.”

Figure: Drawings: xkcd.com, modification to text (CC BY-NC 2.5)

“Provably secure” hash functions

◮ Collision resistant hash functions according to these definitions can be constructed (under suitable assumptions!).
◮ e.g. VSH, ECOH, FSB
◮ Often slow and of little practical relevance
◮ Who decides about the length and the key to use?

First conclusions

◮ Problematic to characterize families of functions when seeking results on a specific hash function
◮ Where does the (existing) attacker A come from?
◮ Explicit precomputation: A_pre computes attacker A
◮ Cost of attack: e.g. TIME(A_pre) + TIME(A)

The fastest attack, reloaded

◮ #include <iostream>
  int main() {
      // prints the source of the previous "attack" instead of running it
      std::cout << "#include <iostream>" << std::endl;
      std::cout << "int main() {" << std::endl;
      std::cout << "    std::cout << \"x,y\\n\";\n";
      std::cout << "    return 0;" << std::endl;
      std::cout << "}" << std::endl;
      return 0;
  }
◮ Complexity: constant
◮ Anything gained?

Closing the gap

◮ An idea (after Bernstein and Lange 2012): size limitation for A_pre
◮ Rules out trivial attacks for sufficiently large output lengths
◮ Still not useful for practically used hash functions.

slide-65
SLIDE 65

Hash functions in theory and practice Constructive logic

Fundamental issue remains

◮ We know: If a Hash function h is collision resistant GnuPG-h is unforgable. ◮ We want to argue that some “real” Hash function h is collision resistant. ◮ But such an h is never collision resistant. ◮ Only in the asymptotic setting or in the Random Oracle model this can be proven.

Claus Diem and dreiwert Provable insecurity

slide-66
SLIDE 66

Hash functions in theory and practice Constructive logic

Fundamental issue remains

◮ We know: If a Hash function h is collision resistant GnuPG-h is unforgable. ◮ We want to argue that some “real” Hash function h is collision resistant. ◮ But such an h is never collision resistant. ◮ Only in the asymptotic setting or in the Random Oracle model this can be proven. ◮ So usually the known proofs are applied where they cannot really be applied ◮ Is this really what we expect from a „proof“?

Claus Diem and dreiwert Provable insecurity

Interpretation of proofs

“It can be shown that the new signature scheme has a weakness.”
“But well-known cryptographers say that the weakness is not of practical relevance.”
“At least we can prove the security of the encryption.”
“But it is assumed that the proof methodology does not allow conclusions about practical security.”

Figure: Drawings: xkcd.com, modification to text (CC BY-NC 2.5)

Getting to the root cause

◮ Where do x and y come from?
◮ x, y ← pigeonhole principle ← mathematical logic
◮ Language consisting of: ∨, ∧, ¬, ⇒, ∃, ∀ and symbols
◮ Problem may be caused by the meaning of the symbols

Introduction Algorithmic content Hash collision, revisited

Part II: Constructive logic

What is constructive logic?

◮ Symbols as in classical logic
◮ Meaning partially different
◮ “x exists” means “we can construct x”

From proofs to algorithms

◮ BHK interpretations give a meaning to constructive proofs.
◮ (after Brouwer-Heyting-Kolmogorov, less often Brouwer-Heyting-Kreisel)
◮ Realizations formalize these interpretations.
◮ Realizations have a strong relationship to algorithms

What are realizations?

◮ “a realizes A” means: a is a proof of A
◮ defined inductively over the structure of the proven formula

Conjunction

◮ structure: A ∧ B
◮ a,b realizes A ∧ B iff a realizes A and b realizes B
◮ Interpretation: both conjuncts must be proved
◮ Meaning as in classical logic

Disjunction

◮ structure: A ∨ B
◮ 0,a realizes A ∨ B iff a realizes A
◮ 1,b realizes A ∨ B iff b realizes B
◮ Interpretation: one must either prove A or prove B
◮ Stronger meaning than a disjunction in classical logic

Implication

◮ structure: A ⇒ B
◮ f realizes A ⇒ B means: If a realizes A then f(a) realizes B
◮ Interpretation: convert any proof for A into a proof for B
◮ Meaning as in classical logic

Negation

◮ structure: ¬A
◮ f realizes ¬A iff f realizes A ⇒ 0 = 1
◮ Interpretation: derive a contradiction from any proof for A
◮ Meaning weaker than a negation in classical logic
◮ A ⇒ ¬¬A, but not necessarily ¬¬A ⇒ A

Universal quantification

◮ structure: ∀x : A
◮ f realizes ∀x : A iff f(a) realizes A[x/a] for every a
◮ Interpretation: convert any object a into a proof for A[x/a]
◮ Meaning as in classical logic

slide-106
SLIDE 106

Introduction Algorithmic content Hash collision, revisited

Existential quantification

◮ structure: ∃x : A
◮ w,a realizes ∃x : A iff. a realizes A[x/w]
◮ Interpretation: name a witness w, and prove that A[x/w] holds
◮ Stronger meaning than an existential quantification in classical logic

SLIDE 111

Lambda expressions

◮ Lambda expressions as a representation of realizations
◮ Lambda expressions Λ over a set of variables L are:
  ◮ Variables l where l ∈ L
  ◮ Applications AB where {A,B} ⊂ Λ
  ◮ Abstractions λx : A where x ∈ L and A ∈ Λ

SLIDE 117

Lambda calculus

◮ Lambda calculus on lambda expressions through beta reduction
◮ (λx : A)B →β A[x/B] (A, where occurrences of x are substituted by B)
◮ AB →β AC, where B →β C
◮ AC →β BC, where A →β B
◮ Turing complete (Church-Turing thesis)
◮ Example: (λx : 2(x + y))3 →β 2(3 + y)
◮ Counting beta reductions can lead to a time complexity measure
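The grammar and the three reduction rules above, as an added Python example that is not part of the talk: terms are variables, applications and abstractions, `step` applies exactly the slide's three rules, and `reduce_counting` counts beta reductions as the cost measure. Church numerals and the `PLUS` term are the standard encodings, used here only as test input; the capture-avoiding renaming in `subst` is an implementation detail the slides leave implicit.

```python
# Added example (not from the talk): the lambda expressions Λ and the three
# beta-reduction rules listed on the slide, with a counter for beta reductions.
from collections import namedtuple

Var = namedtuple("Var", "name")        # variables l ∈ L
App = namedtuple("App", "fn arg")      # applications AB
Lam = namedtuple("Lam", "param body")  # abstractions λx : A

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fn) | free_vars(t.arg)
    return free_vars(t.body) - {t.param}

def subst(t, x, s):
    # A[x/s]: replace free occurrences of x in t by s, renaming bound variables to avoid capture.
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fn, x, s), subst(t.arg, x, s))
    if t.param == x:                 # x is rebound here: nothing free to replace
        return t
    if t.param in free_vars(s):
        taken = free_vars(s) | free_vars(t.body)
        new = next(f"{t.param}{i}" for i in range(len(taken) + 1) if f"{t.param}{i}" not in taken)
        return Lam(new, subst(subst(t.body, t.param, Var(new)), x, s))
    return Lam(t.param, subst(t.body, x, s))

def step(t):
    # One beta step using only the slide's three rules; returns (t, False) when none applies.
    if isinstance(t, App):
        if isinstance(t.fn, Lam):                 # (λx : A)B →β A[x/B]
            return subst(t.fn.body, t.fn.param, t.arg), True
        fn, did = step(t.fn)                      # AC →β BC, where A →β B
        if did:
            return App(fn, t.arg), True
        arg, did = step(t.arg)                    # AB →β AC, where B →β C
        if did:
            return App(t.fn, arg), True
    return t, False

def reduce_counting(t, limit=10_000):
    # Reduce until no rule applies and count the beta reductions (the slide's cost measure).
    steps = 0
    while True:
        t, did = step(t)
        if not did:
            return t, steps
        steps += 1
        if steps > limit:                         # guards terms without a normal form
            raise RuntimeError("step limit reached")

def church(n):
    # Church numeral n = λf : λx : f(...(f x)) with n applications of f.
    body = Var("x")
    for _ in range(n):
        body = App(Var("f"), body)
    return Lam("f", Lam("x", body))

PLUS = Lam("m", Lam("n", Lam("f", Lam("x",
       App(App(Var("m"), Var("f")), App(App(Var("n"), Var("f")), Var("x")))))))

def add_with_cost(a, b):
    # a + b on Church numerals, applied to free s and z; returns (value, beta steps).
    t, steps = reduce_counting(App(App(App(App(PLUS, church(a)), church(b)), Var("s")), Var("z")))
    n = 0
    while isinstance(t, App) and t.fn == Var("s"):   # read back s(s(...(z)))
        t, n = t.arg, n + 1
    return (n if t == Var("z") else None), steps
```

Under this strategy every addition of two numerals costs the same eight reductions, because the iteration happens inside the substitution A[x/B], which the measure counts as one step; this shows what counting beta reductions captures and what it leaves out.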

SLIDE 122

Emulating classical logic

◮ The behaviour of classical logic can be achieved by working with formulas in negative form:
  ◮ ¬∀x : ¬A instead of ∃x : A
  ◮ ¬(¬A ∧ ¬B) instead of A ∨ B
  ◮ ¬¬A instead of A
◮ On these, classical rules of inference apply

SLIDE 128

Algorithmic content

◮ a,b realizes A ∧ B
◮ v,a realizes A ∨ B
◮ f realizes A ⇒ B
◮ f realizes ∀x : A
◮ w,a realizes ∃x : A
◮ Algorithms can be extracted from the realization of "positive" formulas

SLIDE 134

Law of excluded middle

◮ A ∨ ¬A does not hold in general
◮ For specific A, it may be provable
◮ Thus, lemmas are often of the form ∀xyz... : P(x,y,z,...) ∨ ¬P(x,y,z,...)
◮ e.g. ∀xy : (x = y) ∨ ¬(x = y)
◮ Realization: f(x,y) = 0,a if x = y, and f(x,y) = 1,b if x ≠ y
◮ In extracted algorithms: "subroutine"

SLIDE 137

Induction

◮ ∀P : (P(0)∧∀n : P(n) ⇒ P(n + 1)) ⇒ ∀n : P(n)

Claus Diem and dreiwert Provable insecurity

slide-139
SLIDE 139

Introduction Algorithmic content Hash collision, revisited

Induction

◮ ∀P : (P(0)∧∀n : P(n) ⇒ P(n + 1)) ⇒ ∀n : P(n) ◮ An „interface“ for the realization is given by this structure

Claus Diem and dreiwert Provable insecurity

slide-140
SLIDE 140

Introduction Algorithmic content Hash collision, revisited

Induction

◮ ∀P : (P(0)∧∀n : P(n) ⇒ P(n + 1)) ⇒ ∀n : P(n) ◮ An „interface“ for the realization is given by this structure ◮ IPA,λn : Bn (A base case, B induction step)

Claus Diem and dreiwert Provable insecurity

slide-141
SLIDE 141

Introduction Algorithmic content Hash collision, revisited

Induction

◮ ∀P : (P(0) ∧ ∀n : P(n) ⇒ P(n + 1)) ⇒ ∀n : P(n)
◮ An "interface" for the realization is given by this structure
◮ IPA,λn : Bn (A base case, B induction step)
◮ Extracted algorithm: recursive

SLIDE 148

Hash collision as a positive formula

◮ ∃A : P[A(r) = x,y ∧ x ≠ y ∧ h(x) = h(y)] > ε (r source of randomness)
◮ or: ∃A : ¬(P[A(r) = x,y ∧ x ≠ y ∧ h(x) = h(y)] ≤ ε)
◮ A_pre is the algorithm extracted from the realization
◮ Where a collision x,y is known, the realization can be written as λr : x,y,a (a having no algorithmic content)
◮ Where no collision is known, essentially the pigeonhole principle is realized
◮ Proof possible in constructive mathematics, but leads to A_pre having a "long" run time
◮ Or: a,b, a being an "actual" attack algorithm

SLIDE 152

Pigeonhole principle, revisited

◮ Remember the math guy?
◮ Constructively, card(D) > card(R) just proved that ¬∀xy : ¬(x ≠ y ∧ h(x) = h(y))
◮ Constructively, ∃xy : x ≠ y ∧ h(x) = h(y) cannot be derived just from this
◮ This requires induction, thus leads to additional complexity

SLIDE 155

Complexity of precomputation

◮ ∃A : P[A(r) = x,y ∧ x ≠ y ∧ h(x) = h(y)] > ε
◮ requires: pigeonhole principle
◮ requires: ∀fxy : (∃z : z < y ∧ f(z) = x) ∨ ¬(∃z : z < y ∧ f(z) = x)
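The three requirements above, as an added Python example that is not from the talk: the decidable lemma is the "subroutine" of slide 134, the induction of slide 141 becomes a recursion over prefixes of the domain, and what comes out is the precomputation A_pre of slide 148 next to the constant attack A = λr : x,y. The toy hash, the tag convention 0/1 for the two sides of a disjunction and counting h evaluations as TIME(A_pre) are assumptions of this example.

```python
# Added example (not from the talk): the algorithm extracted from a constructive
# proof of the pigeonhole principle for h : {0,..,n-1} -> {0,..,m-1} with n > m.
# The decidable lemma from the slide is the "subroutine", the induction over
# prefixes of the domain becomes the recursion, and the number of h evaluations
# stands in for TIME(A_pre).

def in_image_below(f, x, y, cost):
    # Realizes (∃z : z < y ∧ f(z) = x) ∨ ¬(∃z : z < y ∧ f(z) = x) as a tagged
    # pair v,a: (0, z) names the witness z, (1, None) carries no content.
    for z in range(y):
        cost[0] += 1
        if f(z) == x:
            return 0, z
    return 1, None

def prefix_by_induction(h, k, cost):
    # P(k): "h is injective on {0,..,k-1}" (tag 1) or "x ≠ y ∧ h(x) = h(y) for
    # some x,y < k" (tag 0 with the witness). Base case k = 0, then the
    # induction step P(k-1) ⇒ P(k) using the subroutine above.
    if k == 0:
        return 1, None                       # empty prefix is trivially injective
    tag, w = prefix_by_induction(h, k - 1, cost)
    if tag == 0:
        return 0, w                          # collision already known, pass it on
    cost[0] += 1
    tag, z = in_image_below(h, h(k - 1), k - 1, cost)
    return (0, (z, k - 1)) if tag == 0 else (1, None)

def precompute_collision(h, n, m):
    # A_pre: realizes ∃xy : x ≠ y ∧ h(x) = h(y) from card(D) = n > m = card(R).
    # Returns ((x, y), cost). The injective branch at k = n is impossible when
    # n > m; classically that ends the proof, constructively the recursion
    # above has to deliver the witness.
    if n <= m:
        raise ValueError("pigeonhole principle needs n > m")
    cost = [0]
    tag, w = prefix_by_induction(h, n, cost)
    if tag != 0:
        raise AssertionError("no collision among n > m inputs: h does not map into m values")
    return w, cost[0]

def make_attack(witness):
    # A = λr : x,y,a with the collision baked in: r (randomness) is ignored,
    # so TIME(A) is constant while TIME(A_pre) carried the actual work.
    return lambda r: witness

def is_collision(h, x, y):
    return x != y and h(x) == h(y)

def demo():
    # Constructed toy hash with 4-bit output (R = 16 values) on 17 inputs;
    # h(x) = x mod 16 is the worst case: every prefix of 16 inputs is injective.
    toy_hash = lambda x: x % 16
    witness, pre_cost = precompute_collision(toy_hash, 17, 16)
    attack = make_attack(witness)
    x, y = attack(r=b"any randomness")
    return is_collision(toy_hash, x, y), pre_cost

if __name__ == "__main__":
    print(demo())   # (True, 138)
```

The search order is fixed by the proof structure, so the cost is the same on every run; changing the proof (for instance a birthday-style argument) would change A_pre and its cost, which is exactly what the two-tier cost check on slide 166 is about.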

SLIDE 160

Summary

◮ Proof in constructive logic...
◮ ...leads to an algorithm from the realization
◮ The algorithm can be analyzed for its costs
◮ We cannot disprove that the collision exists (and shouldn't be able to)
◮ We can put a cost on its logical derivation

SLIDE 166

Formalizing collision resistance

◮ In the algorithm extracted from the realization, precomputation can only be explicit
◮ Cost of the attack: TIME(A_pre) + TIME(A)
◮ Problem: algorithm A_pre only in lambda calculus for now; other models might be easier to examine
◮ Problem: possibly necessary to constructively prove again theorems that were already classically proved
◮ Problem: checking costs in two tiers
◮ What happens to security reductions?

SLIDE 167

Thank you for your attention. dreiwert@irc.hackint.org

SLIDE 168

Daniel J. Bernstein and Tanja Lange. Non-uniform cracks in the concrete: the power of free precomputation
Ivan Damgård. Collision free hash functions and public key signature schemes
Phillip Rogaway. Formalizing Human Ignorance: Collision-Resistant Hashing without the Keys
Xiaoyun Wang and Hongbo Yu. How to Break MD5 and Other Hash Functions
