
Hardness Assumptions Related to Ad-Hoc Constructions


Presentation Transcript


  1. Hardness Assumptions Related to Ad-Hoc Constructions. Shai Halevi, February 22, 2007

  2. Ad-hoc constructions
     • Hash functions: MD5, SHA-x, RIPEMD, WHIRLPOOL, RadioGatún, …
     • Block ciphers: DES, IDEA, RC5/6, Twofish, AES, Camellia, …
     • Stream ciphers: RC4, A5/x, MUGI, Py, Rabbit, SEAL, Trivium, …
     • Often consist of a “basic function” and a “mode of operation” around it

  3. What conjectures to make?
     • We know very little about the true hardness of these “ad hoc constructions”
     • Use conjectures to fill some of the void
     • The more the merrier
     • Only two requirements
        • Can be used to do something interesting*
        • Not known to be false
           • Sometimes we even compromise on this
     * Let you prove interesting theorems

  4. Standard conjectures
     • Block ciphers: strong PRP
     • Hash functions: many many things
        • Collision-resistant, 2nd pre-image resistant, one-way, UOWHF (TCR)
        • PRF, MAC (when keyed)
        • Also others: hard to find pre-image of zero, hard to find “almost collisions”, hard to find fixed-points, “division-intractability”, …

  5. “Unholy conjectures”
     • Random oracles, Ideal ciphers
     • What the customer wants: this is how people who build applications think of these constructs
        • E.g., what’s wrong with E_k(k)?
        • “You proved that this is not a random oracle. That’s your problem, not ours”
     • Unfortunately they have a point

  6. Theory, anyone?
     • Modes of operation
     • Relations between notions
     • “Weak random oracles”
     • And beyond…

  7. Modes of operation
     [Figure: block-cipher diagram with labels k1, k2, k3, DES, P, C]
     • View constructs as a black box
     • Results are meaningful even for idealized ciphers or hash functions
     • E.g., DESX stronger than DES, when DES is modeled as ideal cipher [KR96]

  8. ROs and ideal ciphers
     • Using random funcs/perms for extractors
        • In CBC mode, HMAC mode [DGHKR04]
     • Domain extension for ROs [CDMP05]
        • Also building ROs from ideal-ciphers
     • Open: building ideal ciphers from ROs
        • Partial results in [DP06]
     • Open: domain-extenders for ideal ciphers

  9. Multi-property-preserving modes
     • Prove many claims on the same mode
     • E.g., for (a variant of) Merkle-Damgård
        • If compression function is collision-resistant then so is the resulting hash function,
        • If compression function is PRF then so is the resulting hash function,
        • If compression function is a random-oracle then so is the resulting hash function,
        • Etc.
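The first of these claims, as an added toy example that is not part of the slides: a Merkle-Damgård hash with strengthening over a constructed 16-bit compression function f, together with the standard reduction that turns any collision of the iterated hash into a collision of f (the contrapositive of "CR f implies CR hash"). f, IV, BLOCK and the padding are all assumptions chosen for illustration; f is deliberately weak so that a hash collision can be found by brute force and the extraction run end to end.

```python
# Toy Merkle-Damgård (constructed parameters, weak f) and the collision-extraction reduction.
BLOCK = 2        # bytes per block (toy size, an assumption)
IV = 0x1234      # toy initial chaining value (constructed)

def f(h, m):
    """Toy 16-bit compression function, deliberately NOT collision-resistant."""
    return ((h * 0x9E37) ^ (m * 0x7F4A) ^ (m >> 3)) & 0xFFFF

def pad(msg):
    """Append 0x80 and zeros to a block boundary, then one block holding len(msg) (MD strengthening)."""
    data = msg + b"\x80"
    data += b"\x00" * (-len(data) % BLOCK)
    data += len(msg).to_bytes(BLOCK, "big")
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]

def chain(msg):
    """All chaining values: h_0 = IV, h_i = f(h_{i-1}, m_i); the last entry is the digest."""
    hs = [IV]
    for m in pad(msg):
        hs.append(f(hs[-1], m))
    return hs

def md_hash(msg):
    return chain(msg)[-1]

def extract_compression_collision(m1, m2):
    """Given m1 != m2 with md_hash(m1) == md_hash(m2), return distinct inputs
    (h, m) and (h', m') with f(h, m) == f(h', m'), walking back from the shared digest."""
    b1, b2, h1, h2 = pad(m1), pad(m2), chain(m1), chain(m2)
    i, j = len(b1), len(b2)
    while i > 0 and j > 0:
        x, y = (h1[i - 1], b1[i - 1]), (h2[j - 1], b2[j - 1])
        if x != y:
            return x, y          # outputs h1[i] == h2[j] are equal, inputs differ
        # Equal final blocks encode equal lengths, so the two walks stay aligned.
        i, j = i - 1, j - 1
    raise ValueError("messages identical: no collision to extract")

def find_hash_collision():
    """Birthday search on the toy hash; feasible only because the digest is 16 bits."""
    seen = {}
    for x in range(1 << 17):             # more inputs than 2^16 digests, so a collision must occur
        m = x.to_bytes(3, "big")
        d = md_hash(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
```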

  10. Relations between notions
     • So many notions, we need taxonomies

  11. Collision-resistance vs. the world
     • Not implied by PRPs via BB [S98]
     • Implied by PIR, homomorphic encryption [IKO05]
        • Surprising: collision-resistance follows from secrecy guarantees
     • Connections to the compressibility of SAT [HN06]
     • Equivalent to one-flow statistically-hiding commitment?

  12. “Weak random oracles”
     • RO-like but can actually exist
        • At least we can’t prove that they don’t exist
     • Not many of those:
        • Perfect one-way hashing [C97, CMR98]
           • AKA “point-function obfuscators” [W05]
        • “Magic functions” [DNRS99]
     • Sometimes can prove they do not exist [GK03]

  13. And beyond…
     • Theory of block ciphers?
        • Embarrassingly lacking
     • Luby-Rackoff [LR88] for Feistel networks?
        • + refinement by Naor-Reingold [NR97]
        • Dodis-Puniya [DP07] analyze Feistel with round functions weaker than PRFs
     • Relevance to block-cipher design is a huge leap of faith

  14. Security from round functions
     • Block-cipher recipe:
        • Take a sufficiently non-linear permutation
        • Sprinkle some secret-key material
        • Repeat sufficiently many times
        • Get a secure cipher
     • Moral: security comes from repetition, not so much the original round function
     • Can we make a science of it?

  15. Charlie’s conjecture
     • Due to Charlie Rackoff
     • Take “simple enough” permutation family
        • E.g., computed in NC0
     • Repeat enough times to get “almost four-wise independence”
     • The result is a PRP
     • Can anyone disprove it?

  16. Comments
     • X-wise independent reminiscent of “Decorrelation theory” [V]
     • Can’t replace 4-wise with 3-wise
        • Otherwise it’s false
     • Simplicity of round function is important
        • Otherwise it’s false (e.g., if you start from a 4-wise independent permutation)
     • The point is to have many repetitions

  17. What can we do with Charlie?
     • The conjecture implies that PRPs exist
        • But PRPs with a very specific structure
     • Do they imply CR hashing?
        • If not: come up with a similar conjecture that implies collision-resistant hashing
        • Or implies both PRPs and CR hashing

  18. Summary
     • We know very little about the true hardness of these “ad hoc constructions”
     • Conjectures can fill some of the void
     • The more the merrier
     • Only two requirements
        • Not known to be false (?)
        • Can be used to do something interesting*
     * Let you prove interesting theorems

  19. Thank you
