Cryptography
E N D
Presentation Transcript
Cryptography Lecture 15
QandA;bringthewrittenanswerstoTAbeforetheclass • 1.Whatisrandomoraclemodel?Summarizeit. • 2.Hashfunctionintherandomoracleispowerful.Itcanbeusedtobuildallprimitiveswehaveseensofar.Whataretheconstructionsbriefly? • 3.Merkletreesaretrade-offsbetweentwoextremes.Whatarethetwoextremes?ConvinceyourselfwhyMerkletreeswork
Hash functions are ubiquitous • Collision-resistance “fingerprinting” • Used as a one-way function • Key derivation
Fingerprinting • E.g.,file integrity • Assuming it is possible to get a reliable copy of H(x) for file x • Note: different from integrity in the context of message-authentication codes
Outsourced storage • How to outsource files to an untrusted server? x x h=H(x) x H(x)=?h
Outsourced storage x1, …, xn x1, …, xn hi =H(xi) i xi H(xi)=?hi O(n) client storage!
Outsourced storage x1, …, xn x1, …, xn h =H(x1, …, xn) i x1, …, xn H(x1, …, xn)=?h O(n|x|) communication!
Outsourced storage x1, …, xn x1, …, xn h =H(H(x1), …, H(xn)) i xi, h1, …, hn H(h1, …, H(xi), …, hn)=?h |xi| + O(n) communication!
Merkle tree x1 x2 x2 x3 x4 Verify… Only store the root! O(log n) communication/computation!
Outsourced storage • Using a Merkle tree, we can solve the outsourcing problem with O(1) client storage and |x| + O(log n) communication
SecureDeduplication • Attheserverside • Hashthecontenttoderivethekeyk=H(m) • ThenusethekeytoencryptionmtogetC=Ek(m) • Samemleadstothesamec. • Cannotachieve“Chosendistributionattack”security,guaranteeingsecurityonlywhenmisrandomenough.
Password hashing • Server stores H(pw) instead of pw • Requires more than one-wayness of H… • See later discussion on random oracles • Salting… • H(”salt”,pwd)
CommitmentScheme • Hiding:MishiddengivenC. • Binding:CcanbeonlyopenedtoM. M C= Commit Phase M Receiver Sender Reveal Phase Receiver Sender M
CommitmentScheme • Usecase:auction • Commit(m):c=H(r||m) • Reveal(c):returnrandm
Key derivation • Consider deriving a (shared) key from (shared) high-entropy information • E.g., biometric data • E.g., generating randomness • Cryptographic keys must be uniform, but shared data is only high-entropy
Min-entropy • Let X be a distribution • The min-entropy of X (measured in bits) isH(X) = - log maxx { Pr[X=x] } • I.e., if H(X) = n, then the probability of guessing x sampled from X is (at most) 2-n • Min-entropy is more suitable for crypto than entropy
Key derivation • Given shared information x (sampled from distribution X), derive shared key k=H(x) • In what sense can we claim that k is a “good” (i.e., uniformly distributed) cryptographic key?
Recallsecurity goal(ToIntroduceRandomOracleModel) • Main goal is collision resistance • Want optimal birthday security • Also want preimage resistance, 2nd-preimage resistance • Want optimal security here as well • “Optimal” measured relative to a random function • Why not design H to be a “random function”?
The random-oracle (RO) model • Treat H as a public, random function • Then H(x) is uniform for any x… • …unless the attacker computes H(x) explicitlybyqueryingx
Many applications • One canonical example: key derivation
The random-oracle (RO) model • Treat H as a public, random function • Then H(x) is uniform for any x… • …unless the attacker computes H(x)… • …but the attacker cannot do that (with high probability) if X has high min-entropy!
The RO model • Intuitively • Assume the hash function “is random” • Models attacks that are agnostic to the specific hash function being used • Security in the real world as long as “no weaknesses found” in the hash function
The RO model • Formally • Choose a uniform hash function as part of the security experiment • Attacker can only evaluate H via explicit queries to an oracle • Simulate H for the attacker as part of the security proof/reduction
The RO model • In practice • Prove security in the RO model • Instantiate the RO with a “good” hash function • Hope for the best…
Pros and cons of the RO model • Cons • There is no such thing as a public hash function that “is random” • Not even clear what this means formally • Known counterexamples • There are (contrived) schemes secure in the RO model, but insecure when using any real-world hash function • Sometimes over-abused (arguably)
Pros and cons of the RO model • Pros • No known example of “natural” scheme secure in the RO model being attacked in the real world • If an attack is found, just replace the hash • Proof in the RO model better than no proof at all • Evidence that the basic design principles are sound
PRFfromHashFunctionintheRandomOracleModel • Fk(x)=H(k||x) • Notethatitdoesnotuseanycomputationalassumption,butreliesonHisarandomoracle(whichisalreadyverystrong).
HashFunctionscandoallmajorcryptographicfunctions • Exportlaw(historically) • Encryptionforbidden • HMACwasdesignedtocircumventthis • NotjustMAC • AsshowninbuildingPRF • Andthereforeallsortsofmajorfunctions
Ideal-cipher model • “Stronger” than the RO model! • Model block cipher F: {0,1}n x {0,1}n {0,1}n as a collection of public, independent, random permutations • I.e., for each key k, Fk is a random permutation on {0,1}n
The ideal-cipher model • This is more than assuming F is a PRP • Fk random even when k is known! • (No weak keys) • (No related-key attacks) • Formally, similar to the RO model • In particular, the only way to evaluate F is via explicit oracle queries • Attacker allowed to query F and F-1
Building a hash function • Two-stage approach • Build a compression function (from a block cipher) • I.e., collision-resistant hash function for fixed-length inputs • Build a full-fledged hash function from a compression function • Other approaches are possible
