security analysis of constructions combining fil random
play

Security Analysis of Constructions Combining FIL Random Oracles - PowerPoint PPT Presentation

Nov 13, 2022 •111 likes •318 views

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

  1. Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Télécom R&D and Université de Versailles FSE ’07, March 26

  2. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Motivation: Block Cipher-Based Hash Functions Three well identified ways to design a compression function: dedicated design (MD5, SHA-1, ...) number theoretic design (VSH, MASH, ...) block cipher-based design (Davies-Meyer, MDC-2, ...) “From scratch” compression functions come under attack Number theoretic designed hash functions suffer from poor performances ... so block cipher-based hash functions could be a promising way... ( Unrestricted ) Research & Development March 26, 2007

  3. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Single vs. Multiple Block Length Hash Functions Single block length (SBL) hash functions are well understood since the work by Preneel et al. in 1993 and Black et al. in 2002, who provided security proofs in the ideal cipher model. Example: the Davies-Meyer construction (preimage resistance = Θ ( 2 n ) queries, collision resistance = Θ ( 2 n/2 ) queries) n bits n bits H ′ M 1 E 1 n bits h H 1 But single block length hash functions with 128-bits blocks block ciphers doesn’t offer a sufficient security (brute force collision attacks need only 2 64 work effort.) Therefore we need double (or multiple) block length hash functions in or- der to use AES for example. ( Unrestricted ) Research & Development March 26, 2007

  4. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Multiple Block Length Hash Functions No general theory for multiple block length hash functions as for SBL ones. A lot of candidate constructions have been proposed: early proposals: ABREAST-DM, PARALLEL-DM, MDC-2, MDC-4 Knudsen-Preneel constructions (based on error correcting codes) Hirose (FSE ’05, FSE ’06) Nandi-Lee-Sakurai-Lee (FSE ’05) ... but very few remain unbroken. There is still no unbroken proposal of DBL hash function using a block cipher with key length equal to the block length (e.g. AES128). ( Unrestricted ) Research & Development March 26, 2007

  5. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Our Contribution Recently Peyrin et al. [PGMR06] introduced a general framework for studying MBL hash functions and obtained necessary conditions for a MBL hash function to be secure by analysing generic attacks. They proved that a DBL compression function, using a block cipher with key length equal to the block length and hashing one or two blocks of message needs at least five independent block ciphers. They proposed new DBL hash functions constructions for which no at- tacks are known. However no security proofs were given. We give a security analysis of their framework in the random oracle model, i.e. we give security bounds for preimage and collision re- sistance, and describe generic preimage and collision attacks which sometimes meet the security bound. ( Unrestricted ) Research & Development March 26, 2007

  6. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion The Framework m message blocks c chaining variable blocks We study generic constructions using: ( M 1 , . . . , M m ) ( H 1 , . . . , H c ) . . . . . . t compression functions f 1 , . . . , f t Linear Input Layer taking k blocks of n bits as input outputting one block of n bits k blocks . . . . . . . . . . . . . . . . . . . . . f (1) f (2) f ( i ) f ( t − 1) f ( t ) modelized as independent random oracles The resulting compression function: Linear Output Layer takes m message blocks of n bits . . . and c chaining variable blocks of n c chaining variable blocs bits as input ( H ′ 1 , . . . , H ′ c ) outputs c blocks of n bits ( Unrestricted ) Research & Development March 26, 2007

  7. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Computability Notions We will consider adversaries making at most q queries to each inner compression function f 1 , . . . , f t . We will need the following notions: let’s fix sets of queries Q 1 , . . . , Q t to each inner compression function, and let’s fix r output blocks (or linear combination of output blocks) ( H ′ i 1 , . . . , H ′ i r ) . Then: an input ( M 1 , . . . , M m , H 1 , . . . , H c ) to the compression function h is ( H ′ i 1 , . . . , H ′ i r ) -computable if the queries enable to compute the output blocks ( H ′ i 1 , . . . , H ′ i r ) β ′ r ( q ) will be the maximum over the sets of queries and over the out- put blocks ( H ′ i 1 , . . . , H ′ i r ) of the number of ( H ′ i 1 , . . . , H ′ i r ) -computable inputs. ( Unrestricted ) Research & Development March 26, 2007

  8. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Computability Notions: Example ( M 1 , H 1 , H 2 ) Nandi et al. scheme N1 ( c = 2, m = 1, t = 3, k = 2 ). H 1 M 1 H 1 H 2 H 2 M 1 1 ( q ) = q 2 β ′ Proof ( � ): fix H 1 , choose q values of M 1 f (1) f (2) f (3) and H 2 , ask the q queries f 1 ( H 1 , M 1 ) and f 2 ( H 1 , H 2 ) . Then you can compute 1 for q 2 values ( M 1 , H 1 , H 2 ) . H ′ 2 ( q ) ≃ q 3/2 β ′ Proof ( � ): choose q 1/2 values of M 1 , H 1 and H 2 , ask the q queries f 1 ( H 1 , M 1 ) , f 2 ( H 1 , H 2 ) and f 3 ( H 2 , M 1 ) . Then you 2 ) for ( q 1/2 ) 3 values can compute ( H ′ 1 , H ′ H ′ H ′ 1 2 ( M 1 , H 1 , H 2 ) . ( Unrestricted ) Research & Development March 26, 2007

  9. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Generic Preimage Attacks The following attack is a generalization of the Knudsen-Muller attack on the schemes of Nandi et al. and uses multipreimages on one output block (or linear combination of output blocks): choose the output block (or linear combination of output blocks) maximiz- ing β ′ 1 ( q ) and compute the corresponding images for the output block for the inputs matching the preimage one is looking for, make the addi- tional queries to compute the full image by h � β ′ � 1 ( q ) 1 ( q ) = Ω ( n2 n ) . as soon as β ′ achieves advantage Ω 2 cn ( Unrestricted ) Research & Development March 26, 2007

  10. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Generic Collision Attacks We describe two possible collision attacks (which one is the better may de- pend of the construction): � � c ( q ) 2 β ′ naïve one: compute β ′ c ( q ) hashes (advantage: Ω ) 2 cn multicollision on one output block: choose the output block (or linear combination of output blocks) max- imizing β ′ 1 ( q ) and compute the corresponding images for the output block order the “collision classes” by decreasing order and look into them for a full collision � qβ ′ � 1 ( q ) 1 ( q ) = Ω ( n2 n ) . as soon as β ′ achieves advantage Ω 2 cn ( Unrestricted ) Research & Development March 26, 2007

  11. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Security Bounds We obtain the following bounds for the advantage of any adversary limited to q queries: � β ′ � 1 ( q ) Adv pre h ( q ) = O 2 cn � β ′ 1 ( q ) 2 � Adv coll ( q ) = O h 2 cn Idea of the proof: condition the probability of success of the adversary on the probability of success for a single output block. For the full proof, please see the paper. ( Unrestricted ) Research & Development March 26, 2007

  12. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Summing Up the Results Lower Bound Upper Bound � β ′ � � β ′ � Preimage Resistance 1 ( q ) 1 ( q ) Ω O 2 cn 2 cn c ( q ) 2 ,qβ ′ 1 ( q ) 2 Collision Resistance Ω � max ( β ′ � � β ′ � 1 ( q )) O 2 cn 2 cn The analysis is tight in the case of preimage resistance: it is characterized by the parameter β ′ 1 ( q ) . Things are more complex for collision resistance: the analysis is tight only in some particular cases. ( Unrestricted ) Research & Development March 26, 2007

  13. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Application to Previously Proposed Schemes ( M 1 , H 1 , H 2 ) Nandi et al. scheme N1 1 ( q ) = q 2 and β ′ H 1 M 1 H 1 H 2 H 2 M 1 2 ( q ) ≃ q 3/2 For this scheme, β ′ f (1) f (2) f (3) Lower Bound Upper Bound � � � � Preimage Resistance q 2 q 2 Ω O 2 2n 2 2n � � � � Collision Resistance q 3 q 4 Ω O 2 2n 2 2n H ′ H ′ 1 2 ( Unrestricted ) Research & Development March 26, 2007

  14. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Application to Previously Proposed Schemes ( M 1 , H 1 , H 2 ) Peyrin et al. scheme PGMR1 1 ( q ) ≃ q 3/2 and H 1 H 2 H 2 M 1 M 1 H 1 ⊕ H 2 H 1 M 1 H 1 H 2 For this scheme, β ′ 2 ( q ) ≃ q 3/2 β ′ f (1) f (2) f (3) f (4) f (5) Lower Upper Bound Bound � � � � Preimage q 3/2 q 3/2 Ω O 2 2n 2 2n Resistance H ′ H ′ 1 2 � � � � Collision q 3 q 3 Ω O 2 2n 2 2n Resistance ( Unrestricted ) Research & Development March 26, 2007

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1

Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1

Introduction Random Probing Security Random Probing Composability Random Probing Expandability Conclusion Random Probing Security Verification, Composition, Expansion and New Constructions Sonia Belad 1 , Jean-Sbastien Coron 2 Emmanuel

1.04k views • 99 slides
Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and

Message Authentication Code HtM Construction Contributions Conclusion Exact Security Analysis of Hash-then-Mask Type Probabilistic MAC Constructions Avijit Dutta and Ashwin Jha and Mridul Nandi Indian Statistical Institute, Kolkata 27th

463 views • 42 slides
SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of

SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of

SP 800-90C: Random Bit Generator Constructions Elaine Barker NIST May 2, 2016 2 Purpose of 800-90C: To construct RBGs from approved entropy sources (see SP 800-90B) and DRBG mechanisms (see SP 800-90A) o DRBGs (a.k.a. pseudorandom number

330 views • 20 slides
CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong Last Lecture Symmetric & Public key encryption Secure Multiparty Computations Problem and security definitions General constructions

492 views • 48 slides
CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong

CS573 Data Privacy and Security Secure Multiparty Computation General Constructions Li Xiong Last Lecture Symmetric & Public key encryption Secure Multiparty Computations Problem and security definitions General constructions

846 views • 55 slides
One of Those Constructions that Really Needs a Proper Analysis Doug Arnold & Christopher

One of Those Constructions that Really Needs a Proper Analysis Doug Arnold & Christopher

One of Those Constructions that Really Needs a Proper Analysis Doug Arnold & Christopher Lucas University of Essex SOAS, University of London HeadLex2016, Warsaw Outline (1) 1 Introduction 2 Phenomena 3 Analysis 4 Problems,

861 views • 82 slides
Methodological developments for combining data Modelling non-random missing data in longitudinal

Methodological developments for combining data Modelling non-random missing data in longitudinal

Motivation Building a Bayesian joint model which combines data Results Summary Methodological developments for combining data Modelling non-random missing data in longitudinal studies: how can information from additional sources help? Alexina

592 views • 40 slides
Analysis of glazing under blast loading Dr Colin Morison Technical Director, Security &

Analysis of glazing under blast loading Dr Colin Morison Technical Director, Security &

Analysis of glazing under blast loading Dr Colin Morison Technical Director, Security & Explosion Effects, TPS Urban habitat constructions under catastrophic events Naples 16-18 September 2010 Analysis of glazing under blast loading

452 views • 26 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
Security of SHA-3 and Related Constructions Jian Guo FSE 2019 @ Paris, France. 27th March 2019

Security of SHA-3 and Related Constructions Jian Guo FSE 2019 @ Paris, France. 27th March 2019

Security of SHA-3 and Related Constructions Jian Guo FSE 2019 @ Paris, France. 27th March 2019 J. Guo Security of SHA-3 and Related Constructions FSE 2019 @ Paris 1 / 49 Acknowledgements Thomas Peyrin FSE 2019 @ Paris Security of SHA-3

889 views • 66 slides
The reasons behind some classical constructions in analysis V. Milman Tel-Aviv University In

The reasons behind some classical constructions in analysis V. Milman Tel-Aviv University In

The reasons behind some classical constructions in analysis V. Milman Tel-Aviv University In the memory of a great scientist and a good friend, Aleksander (Olek) Peczyski June 2014, Bdlewo, Poland 2/25 Instead of an Introduction: some

775 views • 25 slides
Serial Verb Constructions in Indonesian: An HPSG Analysis and Its Computational Implementation

Serial Verb Constructions in Indonesian: An HPSG Analysis and Its Computational Implementation

Serial Verb Constructions in Indonesian: An HPSG Analysis and Its Computational Implementation David Moeljadi and Viola Ow Division of Linguistics and Multilingual Studies, Nanyang Technological University, Singapore Chulalongkorn International

1.19k views • 25 slides
Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University

Salvaging Weak Security Bounds for Blockcipher-based Constructions Thomas Shrimpton (University of Florida) Seth Terashima (Qualcomm Technologies, inc.) What weak bounds? ...from encrypting lots of data Intel Hardware RNG: Single-machine

246 views • 23 slides
Combining Difference-in-difference and Matching for Panel Data Analysis Weihua An Departments of

Combining Difference-in-difference and Matching for Panel Data Analysis Weihua An Departments of

Combining Difference-in-difference and Matching for Panel Data Analysis Weihua An Departments of Sociology and Statistics Indiana University July 28, 2016 1 / 15 Research Interests Network Analysis Social influence and networks

290 views • 15 slides
Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian

Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian

Sample or Random Security A Security Model for Segment-Based Visual Cryptography Sebastian Pape Dortmund Technical University March 5th, 2014 Financial Cryptography and Data Security 2014 Sebastian Pape Sample or Random Security March

541 views • 25 slides
Combining SAT solving with Integer Programming for Inductive Verification of Lustre Programs 3rd

Combining SAT solving with Integer Programming for Inductive Verification of Lustre Programs 3rd

Introduction Verification Analysis Summary Combining SAT solving with Integer Programming for Inductive Verification of Lustre Programs 3rd December 2004 Anders Franz en Combining SAT and ILP Introduction Verification Analysis

776 views • 58 slides
Quantifying over events in probability logic: expressibility vs. computability Stanislav O.

Quantifying over events in probability logic: expressibility vs. computability Stanislav O.

Probabilistic elementary analysis Main results, and references Quantifying over events in probability logic: expressibility vs. computability Stanislav O. Speranski Sobolev Institute of Mathematics Novosibirsk State University Munich 2013 S.

477 views • 15 slides
Can you compute a conformal map? Ilia Binder University of Toronto Based on joint work with M.

Can you compute a conformal map? Ilia Binder University of Toronto Based on joint work with M.

Can you compute a conformal map? Ilia Binder University of Toronto Based on joint work with M. Braverman (Princeton), C. Rojas (Universidad Andres Bello), and M. Yampolsky (University of Toronto) Modern Aspects of Complex Analysis and Its

956 views • 93 slides
The Final Homework Homework From textbook: Computability Exercise 9.1.2 (use

The Final Homework Homework From textbook: Computability Exercise 9.1.2 (use

The Final Homework Homework From textbook: Computability Exercise 9.1.2 (use encoding scheme described in class) Exercise 9.3.2 Exercise 9.4.1 a,b,c Exercise 10.1.5 a,b,c Additional problems: Using Proof by

432 views • 10 slides
Minimal logic for computable functionals Helmut Schwichtenberg Mathematisches Institut der

Minimal logic for computable functionals Helmut Schwichtenberg Mathematisches Institut der

Minimal logic for computable functionals Helmut Schwichtenberg Mathematisches Institut der Universit at M unchen Motivation Proof carrying code (Lee, Necula) Why? Proofs are machine checkable (easily) Need: code carrying proofs

701 views • 53 slides
TURING CATEGORIES Turing categories Reducibility Partial combinatory algebras Recursion

TURING CATEGORIES Turing categories Reducibility Partial combinatory algebras Recursion

Turing Categories and Computability 1 Robin Cockett Department of Computer Science University of Calgary Alberta, Canada robin@cpsc.ucalgary.ca Estonia, March 2010 1 Joint work with Pieter Hofstra TURING CATEGORIES Turing categories

853 views • 39 slides
CS 301 Lecture 26 Conclusion Stephen Checkoway May 2, 2018 1 / 9 Whats this class good

CS 301 Lecture 26 Conclusion Stephen Checkoway May 2, 2018 1 / 9 Whats this class good

CS 301 Lecture 26 Conclusion Stephen Checkoway May 2, 2018 1 / 9 Whats this class good for anyway? Thinking logically will help any time you want to make an argument 2 / 9 Whats this class good for anyway? Thinking logically

461 views • 34 slides
Computational Aspects of Symbolic Dynamics Part I: Effective Dynamics E. Jeandel LORIA (Nancy,

Computational Aspects of Symbolic Dynamics Part I: Effective Dynamics E. Jeandel LORIA (Nancy,

Computational Aspects of Symbolic Dynamics Part I: Effective Dynamics E. Jeandel LORIA (Nancy, France) E. Jeandel, CASD, Part I: Effective Dynamics 1/30 Introduction The theory of multidimensional symbolic dynamics is filled with

394 views • 38 slides
Vertiefung Theoretische Informatik Advanced Topics in Theoretical Computer Science Viorica

Vertiefung Theoretische Informatik Advanced Topics in Theoretical Computer Science Viorica

Vertiefung Theoretische Informatik Advanced Topics in Theoretical Computer Science Viorica Sofronie-Stokkermans Universit at Koblenz-Landau e-mail: sofronie@uni-koblenz.de Summersemester 2016 1 Acknowledgments In preparing this lecture

1.05k views • 83 slides

More recommend