Short Digital Signatures and ID-KEMs via Truncation Collision Resistance

SLIDE 1

Short Digital Signatures and ID-KEMs via Truncation Collision Resistance

Tibor Jager, Paderborn University

Rafael Kurek, Paderborn University

SLIDE 2

Contributions

  • New security notion for standard Hash Functions
  • Truncation-Collision Resistance
  • New Digital Signature scheme and ID-KEM
  • From selective to full security in Standard Model
  • Solving open problem: single element in prime order group

SLIDE 5

Random Oracle Model [BR93]

“Cryptographic Hash Function modelled as truly random function”

  • (Simple) proofs ✅
  • Strong security properties ✅
  • Short, full secure signatures [BLS01, BB04]
  • Short, full secure ID-KEMs [BF01, BB04]
  • Unclear security guarantees for implementations [CGH02] ❌
  • Unclear which security property required ❌

Looking for reasonable complexity assumption on standard Cryptographic Hash Functions to avoid ROM

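SLIDE 11

Problem of turning selective into adaptive security

[Diagram: a selective adversary runs an adaptive adversary as a subroutine. The selective adversary picks $M^* \leftarrow \{0,1\}^n$, outputs $M^*$, receives pk and passes it on, relays the adaptive adversary's signing queries $m_i$ and the answers $\sigma_i$, and forwards $\sigma^*$ from the adaptive adversary's forgery $(m^*, \sigma^*)$.]

Required: $M^* = m^*$ and $M^* \neq m_i \;\forall i$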

SLIDE 12

Problem of turning selective into adaptive security

[Diagram: same reduction between selective and adaptive adversary as on slide 11.]

ROM: $\epsilon_{\text{selective}} \approx \mathrm{poly}(k)^{-1} \cdot \epsilon_{\text{adaptive}}$

Standard: $\epsilon_{\text{selective}} \approx 2^{-n} \cdot \epsilon_{\text{adaptive}}$

SLIDE 14

Collision Resistance

A Hash function H is Collision Resistant if

Pr[ A finds collision ] < negl(k)

for all ppt adversaries A.

SLIDE 17

Truncation Collision Resistance

A Hash function H is Truncation-Collision Resistant if

$$\Pr[\,A \text{ finds collision for prefix of length } i\,] < \frac{t(t-1)}{2^{i+1}}$$

for all probabilistic t-time adversaries A.

(Related to birthday bound)

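SLIDE 21

Main property

H(x) = 1010011000111000111101110011001101100010

[Diagram labels on the bit string: a shorter prefix is "Easier to guess", a longer prefix is "More collision resistant".]

For every adversary A there exists a prefix length j such that the prefix of length j is both collision resistant and easy to guess.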
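
The definition and the main property above, as an added Python illustration (not code from the talk or the paper). It assumes SHA-256 as a stand-in for H, constructed counter inputs, hypothetical function names, and power-of-two prefix lengths as signed in the generic construction; the eps/2 threshold in `good_prefix_length` is an assumption chosen for illustration.

```python
import hashlib

def prefix_bits(data: bytes, i: int) -> str:
    """H_i(data): the first i bits of SHA-256(data), as a bit string."""
    digest = hashlib.sha256(data).digest()
    return "".join(f"{b:08b}" for b in digest)[:i]

def trucr_bound(t: int, i: int) -> float:
    """The slide's bound t(t-1)/2^(i+1), capped at 1 as a probability."""
    return min(1.0, t * (t - 1) / 2 ** (i + 1))

def birthday_search(i: int):
    """Generic birthday collision search on i-bit prefixes.
    Returns (x0, x1, t): two distinct inputs and the number of hash calls."""
    seen = {}
    t = 0
    while True:                       # terminates after at most 2^i + 1 calls
        x = t.to_bytes(8, "big")      # constructed inputs: an 8-byte counter
        t += 1
        p = prefix_bits(x, i)
        if p in seen:
            return seen[p], x, t
        seen[p] = x

def good_prefix_length(t: int, eps: float, n: int = 256) -> int:
    """Smallest j = 2^i <= n with t(t-1)/2^(j+1) <= eps/2 (assumed threshold).
    At that length a t-time adversary rarely produces a prefix collision,
    while a blind guess of the j-bit prefix still succeeds with prob. 2^-j."""
    j = 2
    while j <= n:
        if trucr_bound(t, j) <= eps / 2:
            return j
        j *= 2
    raise ValueError("no prefix of the n-bit hash is long enough")

if __name__ == "__main__":
    for i in (8, 12, 16, 20):
        x0, x1, t = birthday_search(i)
        print(f"i={i:2d}: collision after t={t} calls, "
              f"bound={trucr_bound(t, i):.3f}")
    t, eps = 2 ** 20, 2.0 ** -10
    j = good_prefix_length(t, eps)
    print(f"t=2^20, eps=2^-10: j={j}, "
          f"collision bound={trucr_bound(t, j):.2e}, guess prob=2^-{j}")
```

For short prefixes the birthday search finds a collision after roughly 2^(i/2) hash calls, which is where the bound approaches 1; for the chosen j the guessing probability 2^-j stays polynomial in t and 1/eps instead of the 2^-n of guessing the full message.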

SLIDE 24

Generic construction from selective to adaptive secure signatures without ROM

[Diagram: the message m is hashed with $H(\cdot)$; several prefixes $H_i(m)$ of the hash value are each signed under their own key with $\mathrm{Sig}(sk_i, \cdot)$, giving the signature $\sigma = (\sigma_1, \ldots, \sigma_{\log n})$.]

  • $H_i$: prefix of length i
  • H: Tru-CR
  • Sig: selective secure

SLIDE 26

Proof sketch

[Diagram: a selective adversary runs the adaptive adversary as a subroutine.]

Breaking weak scheme with message length j

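SLIDE 30

Proof sketch

[Diagram: the selective adversary picks $M^* \leftarrow \{0,1\}^j$, outputs $M^*$ and receives $pk^*$. It generates $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}$ for the other positions and gives $pk = (pk_1, \ldots, pk^*, \ldots)$ to the adaptive adversary. For a signing query m it computes $\sigma_i = \mathrm{Sig}(sk_i, H_{2^i}(m))$ itself, obtains $\sigma_j$ for $H_j(m)$ from its own signing oracle, and answers with $\sigma = (\sigma_1, \ldots, \sigma_j, \ldots)$. From the forgery $m^*, \sigma^* = (\sigma_1^*, \ldots, \sigma_j^*, \ldots)$ it outputs $\sigma_j^*$.]

Truncation-CR:

  • Guess of $H_j(m^*)$? ✅
  • No collision? ✅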

SLIDE 31

In this talk

  • Turning weak secure Digital Signature scheme into full secure without ROM

In the paper

  • From “selective and non-adaptive” to full adaptive security
  • Same approach for ID-KEM
  • Single element constructions due to aggregation of Boneh and Boyen signature scheme (ID-KEM resp.):

$$\sigma = \left( g^{\frac{1}{x_0 + H_1(m)}} \right)^{\prod_{i=1}^{\log k} \frac{1}{x_i + H_{2^i}(m)}}$$
SLIDE 32

Truncation-CR assumption

  • Truncated versions of SHA-256 and SHA-512 have been standardized by NIST (224 or 384 bits)
  • SHA-3 standard defines extendable-output-functions (XOFs), where output length can be adapted to any desired length
  • Standard way to choose hash function with “k-bit security”: 2k-bit output length.
  • essentially assuming: no significantly better collision attack than generic birthday algorithm exists

Truncation-CR generalizes to all prefixes

SLIDE 33

Contributions

  • New security notion for standard Hash Functions
  • Truncation-Collision Resistance
  • New Digital Signature scheme and ID-KEM
  • From selective to full security in Standard Model
  • Solving open problem: single element in prime order group

Future work

  • Construction of Tru-CR Hash Function (sketch in full version)
  • Further useful applications
SLIDE 34

Thank you for your attention!

eprint.iacr.org/2017/061

SLIDE 36

Related work

  • Oracle Hashing [Canetti, CRYPTO 1997]
  • Programmable HF [Hofheinz and Kiltz, CRYPTO 2008]
  • UCE [Bellare et al., CRYPTO 2013]
  • ICE [Farshim and Mittelbach, FSE 2016]
  • ELF [Zhandry, CRYPTO 2016]
