Hash Functions Based on Three Permutations: A Generic Security Analysis
Bart Mennink and Bart Preneel, KU Leuven
CRYPTO 2012, August 21, 2012 (1 / 18)
Motivation (2 / 18)
• Hash functions based on block ciphers
  • Davies-Meyer '84, PGV '93, Tandem-DM '92, ...
  • MD5 '92, SHA-1 '95, SHA-2 '01, Blake '08, Skein '08, ...
• Re-keying −→ related-key security, efficiency loss, ...
• Instead use fixed-key block ciphers, or permutations
[Figure: a (re-keyed) block cipher E turned into a compression function F, next to a permutation π turned into a compression function F]
Motivation (3 / 18)
• Black-Cochran-Shrimpton '05: no secure 2n-to-n-bit function F using 1 n-bit permutation call π
• Generalized by Rogaway-Steinberger '08, Stam '08, Steinberger '10
• mn-to-rn-bit function F using k n-bit permutations: collisions in (2^n)^{1−(m−r+1)/(k+1)} queries (almost always)

  Collision query complexity for k permutations (cells at or above the 2^{n/2} birthday bound of an n-bit output are listed as 2^{n/2}):

  k   | 2n → n  | 5n/2 → n | 4n → 2n
  2π  | 2^{n/3} | 2^{n/6}  | 1
  3π  | 2^{n/2} | 2^{3n/8} | 2^{n/4}
  4π  | 2^{n/2} | 2^{n/2}  | 2^{2n/5}
  5π  | 2^{n/2} | 2^{n/2}  | 2^{n/2}
Security Model (4 / 18)
[Figure: adversary A makes q queries to π_i and π_i^{−1} and then outputs its attempt against F]
• Ideal permutation model: π_i's randomly generated
• Adversary has query access to the π_i's (forward and inverse)
• Collision: find distinct (x1, x2), (x1', x2') s.t. F(x1, x2) = F(x1', x2')
  Adv^col_F(q) = max_A success probability
• Everywhere preimage: given z ∈ {0,1}^n, find (x1, x2) s.t. F(x1, x2) = z
  Adv^epre_F(q) = max_{z ∈ {0,1}^n} max_A success probability
Prior Constructions: Shrimpton-Stam '08 (5 / 18)
[Figure: x1 → f1, x2 → f2, the two n-bit results XORed and fed to f3 → z]
• 2n-to-n-bit function using 3 one-way functions
• Optimal collision security
• Collision security if f_i(x) = π_i(x) ⊕ x (shown by automated analysis)
Prior Constructions: Rogaway-Steinberger '08 (6 / 18)
[Figure: x1, x2 ∈ {0,1}^n combined with coefficients a_ij through π1, π2, π3 into the output z ∈ {0,1}^n]
• 2n-to-n-bit function (over F_{2^n}) using 3 permutations
• Collision/preimage security if a_ij satisfy independence criterion −→ excludes binary a_ij
Our Compression Function Design (7 / 18)
• 2n-to-n compression function using 3 permutations and ⊕-operators, with a_ij ∈ {0,1}
[Figure, as read from the coefficient labels: with y_i the output of π_i, π1 is applied to a11·x1 ⊕ a12·x2, π2 to a21·x1 ⊕ a22·x2 ⊕ a23·y1, π3 to a31·x1 ⊕ a32·x2 ⊕ a33·y1 ⊕ a34·y2, and z = a41·x1 ⊕ a42·x2 ⊕ a43·y1 ⊕ a44·y2 ⊕ a45·y3]
• Multi-permutation setting: π_i's all different
• Single-permutation setting: π1 = π2 = π3
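To make the coefficient description concrete, here is an added Python model of the generic design (not code from the paper or its authors). The wiring of the a_ij follows my reading of the figure, the coefficient ordering is my own convention, and the ideal permutations are replaced by seeded random permutations on toy n-bit values; the last function checks the input-swap reduction pictured on the next slide (swap x1 with x2 and a_i1 with a_i2, again my reading of that figure) exhaustively on a small domain.

```python
import random
from itertools import product
# Coefficient order (my convention, not fixed by the slides):
#   a11 a12 | a21 a22 a23 | a31 a32 a33 a34 | a41 a42 a43 a44 a45
ROWS = ((0, 2), (2, 5), (5, 9), (9, 14))

def split_rows(a):
    """Split a 14-tuple of 0/1 coefficients into its four rows."""
    assert len(a) == 14 and set(a) <= {0, 1}
    return tuple(tuple(a[lo:hi]) for lo, hi in ROWS)

def ideal_permutations(n, seed=0):
    """Toy stand-in for the ideal permutation model: three independent
    random n-bit permutations, each stored as a shuffled lookup table."""
    rng = random.Random(seed)
    perms = []
    for _ in range(3):
        table = list(range(1 << n))
        rng.shuffle(table)
        perms.append(table)
    return perms

def compress(a, perms, x1, x2):
    """z = F(x1, x2): pi_i is applied to the XOR of the values available
    before it, selected by row i of the coefficients; y_i is its output."""
    r1, r2, r3, r4 = split_rows(a)
    y1 = perms[0][r1[0] * x1 ^ r1[1] * x2]
    y2 = perms[1][r2[0] * x1 ^ r2[1] * x2 ^ r2[2] * y1]
    y3 = perms[2][r3[0] * x1 ^ r3[1] * x2 ^ r3[2] * y1 ^ r3[3] * y2]
    return r4[0] * x1 ^ r4[1] * x2 ^ r4[2] * y1 ^ r4[3] * y2 ^ r4[4] * y3

def swap_inputs(a):
    """Equivalence reduction of slide 8 (my reading): exchange the roles of
    x1 and x2 by swapping a_i1 and a_i2 in every row."""
    b = list(a)
    for lo, _ in ROWS:
        b[lo], b[lo + 1] = b[lo + 1], b[lo]
    return tuple(b)

def reduction_holds(a, perms):
    """Exhaustively check F'(x2, x1) == F(x1, x2) with F' = swap_inputs(F)."""
    b = swap_inputs(a)
    return all(compress(b, perms, x2, x1) == compress(a, perms, x1, x2)
               for x1, x2 in product(range(len(perms[0])), repeat=2))

if __name__ == "__main__":
    A = (1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1)  # constructed, normal form
    P = ideal_permutations(n=6, seed=2012)
    print(compress(A, P, 5, 9), reduction_holds(A, P))
```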
(8 / 18)
[Figure only: example equivalence reduction. Swapping the inputs x1 and x2 together with the coefficients a_i1 ↔ a_i2 in every row gives an equivalent compression function.]
Equivalence Classes (9 / 18)
Definition (Equivalence Class): Compression functions F and F' are equivalent if for both collision and preimage security there exists a tight bi-directional reduction F ←→ F'.
• Intuition: F and F' equivalent −→ `equally secure'
• We identify 4 equivalence reductions
  • Example reduction of previous slide
  • 3 extra reductions
• We restrict to equivalence w.r.t. these reductions only
Multi-Permutation Setting: Main Result (10 / 18)
[Figure: the four compression functions F1, F2, F3, F4; each takes x1, x2 ∈ {0,1}^n, calls π1, π2, π3 once each and outputs z ∈ {0,1}^n]

  F equivalent to: | F1, F4 | F2    | F3 | none of these
  collision        | ✓ [c]  | ✓ [c] | ✓  | ✗
  preimage         | ✗      | ✓ [c] | ✗  | ?

  ([c]: result relies on the conjecture stated later in the talk)
Multi-Permutation Setting: Proof Idea (1) (11 / 18)
[Figure: the generic design with certain coefficient sets highlighted in green]
• In total 2^14 schemes, but many trivially insecure
• Function is valid if each green set contains a 1
• We consider valid compression functions only
Multi-Permutation Setting: Proof Idea (2) (12 / 18)
• Any valid F is equivalent to some F' with (a11, a12) = (1, 0) and (a21, a22, a23) = (0, 1, 0)
• It suffices to consider these functions only
[Figure: the reduced design: π1 applied to x1, π2 applied to x2; only the coefficients a3j (input of π3) and a4j (output z) remain free]
Multi-Permutation Setting: Proof Idea (3) (13 / 18)
• Four generic attacks
  (a31 + a33)(a32 + a34) = 0 =⇒ collision in 2^{n/4} queries
  ∨_{j=1}^{4} a3j = a4j = 0 =⇒ collision in 2^{n/3} queries
  ∧_{j=1}^{2} a3j a4,j+2 ≠ a3,j+2 a4j =⇒ collision in 2^{n/3} queries
  a41 + a42 + a43 + a44 = 1 =⇒ collision in 2^{2n/5} queries
• F is collision secure only if equivalent to F1, F2, F3, F4
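The four conditions are easy to turn into a screening routine. The following added Python (not from the paper) evaluates them on the free coefficient rows (a3j) and (a4j) of a normalized design and returns the exponent of the strongest applicable generic attack; it reads the coefficient sums as integer sums of 0/1 values, which is my reading of the slide. The validity check of slide 11 is not modelled, so surviving the four checks here only means that none of these four attacks applies.

```python
from fractions import Fraction
from itertools import product

def generic_attack_exponent(row3, row4):
    """Exponent e such that one of the four generic attacks finds a collision
    in about 2^(e*n) queries, or None if none of the four conditions holds.

    row3 = (a31, a32, a33, a34): which of x1, x2, y1, y2 feed pi_3.
    row4 = (a41, a42, a43, a44): which of x1, x2, y1, y2 feed the output z
    (a45, the y3 coefficient, does not appear in the conditions).
    Sums of coefficients are taken over the integers (my reading)."""
    a31, a32, a33, a34 = row3
    a41, a42, a43, a44 = row4
    bounds = []
    # (1) pi_3 sees neither x1 nor y1, or neither x2 nor y2: 2^(n/4)
    if (a31 + a33) * (a32 + a34) == 0:
        bounds.append(Fraction(1, 4))
    # (2) some value reaches neither pi_3 nor the output: 2^(n/3)
    if any(a3 == 0 and a4 == 0 for a3, a4 in zip(row3, row4)):
        bounds.append(Fraction(1, 3))
    # (3) a31*a43 != a33*a41 and a32*a44 != a34*a42: 2^(n/3)
    if a31 * a43 != a33 * a41 and a32 * a44 != a34 * a42:
        bounds.append(Fraction(1, 3))
    # (4) exactly one of x1, x2, y1, y2 feeds z directly: 2^(2n/5)
    if a41 + a42 + a43 + a44 == 1:
        bounds.append(Fraction(2, 5))
    return min(bounds) if bounds else None

def screen_normalized_designs():
    """Enumerate all (row3, row4) choices of the normalized design and return
    those that escape all four generic attacks."""
    rows = list(product((0, 1), repeat=4))
    return [(r3, r4) for r3 in rows for r4 in rows
            if generic_attack_exponent(r3, r4) is None]

if __name__ == "__main__":
    survivors = screen_normalized_designs()
    print(len(survivors), "of 256 coefficient choices escape the four attacks")
    for r3, r4 in survivors[:5]:
        print("pi3 <-", r3, " z <-", r4)
```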
Multi-Permutation Setting: Proof Idea (4) (14 / 18)
[Figure: F1, ..., F4 drawn in one diagram, with branches marked "(only for F2, F3, F4)", "(only for F3, F4)" and "(only for F1, F2, F3)"]
• F is collision secure only if it is equivalent to F1, F2, F3, F4
• Remains to prove: if-relation and preimage resistance
• Hardest and most technical part
• F1, ..., F4 collision resistant up to 2^{n/2} queries, tight (asympt.)
• F2 preimage resistant up to 2^{2n/3} queries, tight (asympt.)
• F1, F3, F4 preimage resistant up to 2^{n/2} queries, tight
Multi-Permutation Setting: Conjecture (15 / 18)
X, Y: any two sets of q elements from {0,1}^n (no duplicates)
Z: set of q random elements from {0,1}^n (duplicates may occur)
Conjecture: With high probability, there exist O(q log q) tuples (x, y, z) ∈ X × Y × Z such that x ⊕ y = z
• Conjecture relates to area of extremal graph theory
• Similar to (but more complex than) a longstanding problem of Zarankiewicz from 1951
• Detailed heuristic argument in paper
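An added Python experiment (not from the paper) that counts the tuples the conjecture is about: X and Y are q distinct n-bit values, Z is q random n-bit values drawn with replacement, and the count of (x, y, z) with x ⊕ y = z is reported relative to q log q. The parameters n, q and the seeds are my choice; the "aligned" instance, where Y is picked after seeing Z, is my own illustration of how X and Y can be chosen to force at least q tuples.

```python
import math
import random
from collections import Counter

def count_xor_tuples(X, Y, Z):
    """Number of (x, y, z) in X x Y x Z with x ^ y == z.  Z may contain
    duplicates; each copy of z counts as its own tuple."""
    multiplicity = Counter(Z)
    return sum(multiplicity[x ^ y] for x in X for y in Y)

def random_instance(n, q, seed):
    """X, Y: q distinct n-bit values; Z: q random n-bit values (with replacement)."""
    rng = random.Random(seed)
    X = rng.sample(range(1 << n), q)
    Y = rng.sample(range(1 << n), q)
    Z = [rng.randrange(1 << n) for _ in range(q)]
    return X, Y, Z

def aligned_instance(n, q, seed):
    """Same Z, but Y is chosen after seeing Z as Y = {x ^ z0 : x in X} for some
    z0 in Z, so the q tuples (x, x ^ z0, z0) are guaranteed to exist."""
    X, _, Z = random_instance(n, q, seed)
    z0 = Z[0]
    Y = sorted({x ^ z0 for x in X})
    return X, Y, Z

def tuples_per_q_log_q(X, Y, Z):
    """Tuple count divided by q log2 q, the scale the conjecture predicts."""
    q = len(Z)
    return count_xor_tuples(X, Y, Z) / (q * math.log2(q))

if __name__ == "__main__":
    for n, q in ((12, 64), (16, 256), (20, 1024)):
        r = tuples_per_q_log_q(*random_instance(n, q, seed=2012))
        a = tuples_per_q_log_q(*aligned_instance(n, q, seed=2012))
        print(f"n={n} q={q}: random {r:.3f}, aligned {a:.3f}")
```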
Single-Permutation Setting: Main Result (16-17 / 18)
[Figure: the generic design with π1 = π2 = π3 = π and a_ij ∈ {0,1}; on the second slide, constants b1, ..., b4 ∈ {0,1}^n are additionally XORed into the design]
Theorem: For any compression function of this form, collisions can be found in 2^{2n/5} queries (proof is similar)
Conclusions (18 / 18)
Complete classification of 2n-to-n-bit compression functions solely based on three permutations and ⊕-operators
• Multi-permutation setting: analysis of 2^14 functions
  • 216 functions optimally collision secure
  • 48 of which optimally preimage secure
• Single-permutation setting: non-existence of collision secure F
  • Attack on 2^14 (or in fact 2^{4n} · 2^14) functions
• Research directions:
  • Generalize to larger F's, and with different primitives
  • Generalize impossibility result in single-permutation setting
  • Conjecture
Thank you for your attention!
Supporting slides (19 / 18)

(20 / 18)
[Figures only: two further equivalence reductions, each mapping the coefficients (a_ij) of F to those of an equivalent F'; one of them exchanges the roles of π1 and π2]
Summary of Our Results (21 / 18)
[Figure: F1, ..., F4 in one diagram, with branches marked "(only for F2, F3, F4)", "(only for F3, F4)" and "(only for F1, F2, F3)"]

  F equivalent to:    | collision security | collision attack | preimage security | preimage attack
  F1, F4              | 2^{n/2} [c]        | 2^{n/2}          | 2^{n/2} [c]       | 2^{n/2}
  F2                  | 2^{n/2} [c]        | 2^{n/2}          | 2^{2n/3} [c]      | 2^{2n/3}
  F3                  | 2^{n/2} [c]        | 2^{n/2}          | 2^{n/2} [c]       | 2^{n/2}
  none of these       | ? [c]              | 2^{2n/5}         | ? [c]             | ?
  any F in SP-setting | ? [c]              | 2^{2n/5}         | ? [c]             | ?