PRF Domain Extension using DAGs
Charanjit Jutla, IBM T J Watson
[Figure: chained mode. Message blocks P1, P2, P3, ..., Pm enter nodes V1, V2, V3, ..., Vm in sequence; f is applied at each node and tilde-f at the final step. Caption: n bits to mn bits domain.]
[Figure: the mode on a five-node DAG. Blocks P1..P5 enter nodes V1..V5, each applying f; the output C is taken at the sink.]
Requirements on the DAG
• Directed Acyclic Graph G = (V, E)
• |V| = m
• Unique source and sink nodes
• G is non-redundant: no two nodes have the same set of immediate predecessors
Then, PRF Domain Extension to mn bits
A Parallel Mode for Four Processors
[Figure: the five-node DAG laid out for four processors; blocks P1..P5 enter nodes V1..V5, each applying f.]
In general, 3 + log* m depth
Really Basic Intuition
• C_i = f( P_i ⊕ ⨁_{(j,i)∈E} C_j )
• Call M_i = P_i ⊕ ⨁_{(j,i)∈E} C_j
• M_i is the input to node V_i
• Can two such inputs M_{i1} and M_{i2} collide?
• i1 = i2: the collision then depends only on the plaintexts, which are hopefully different???
• i1 ≠ i2: ⨁_{(j,i1)∈E} C_j ?= ⨁_{(j,i2)∈E} C_j
• Weight each edge: ⨁_{(j,i1)∈E} a_{j,i1}·C_j ?= ⨁_{(j,i2)∈E} a_{j,i2}·C_j
• Using the Galois field GF(2^n): the weights a_{j,i} are field elements and · is field multiplication
Edge-Colored DAGs
• Directed Acyclic Graph G = (V, E)
• |V| = m
• Edge coloring ψ: E → GF(2^n)*
• Unique sink node
• G is non-singular: if two nodes (say u and v) have the same set of immediate predecessors (say W), then there exists w ∈ W with ψ(w,u) ≠ ψ(w,v)
Then, PRF Domain Extension to mn bits
A Parallel Mode for Four Processors
[Figure: the four-processor DAG with edge colors *1, *x, *x^2, *(1+x).]
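The slides above define the mode (C_i = f(P_i ⊕ ⨁ ψ(j,i)·C_j) over GF(2^n)) and the non-singularity condition but do not show what goes wrong without it. The following is an added example, not code from the slides or from the author: it evaluates the edge-colored DAG mode on a four-node graph and compares a singular coloring (both edges out of V1 colored 1) with a non-singular one (colored 1 and x, two of the colors on the four-processor slide). The stand-in PRF f (HMAC-SHA256 truncated to 128 bits), the field polynomial, the graphs, the key and the message blocks are all assumptions constructed for illustration.

```python
"""Edge-colored DAG mode of operation: an added example, not from the slides.

f stands in for the n-bit PRF (n = 128): HMAC-SHA256 under a fixed key,
truncated to 16 bytes (assumption; the slides leave f abstract).  Edge
colors are elements of GF(2^128) reduced modulo x^128 + x^7 + x^2 + x + 1.
The graphs, colors, key and message blocks below are constructed for
illustration only.
"""
import hashlib
import hmac

N_BYTES = 16
MASK = (1 << 128) - 1
POLY = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^128) elements given as integers below 2^128."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:  # bit 128 set: reduce by the field polynomial
            a ^= POLY
    return r & MASK


def f(key: bytes, block: bytes) -> bytes:
    """Stand-in n-bit PRF: keyed HMAC-SHA256 truncated to n bits."""
    assert len(block) == N_BYTES
    return hmac.new(key, block, hashlib.sha256).digest()[:N_BYTES]


def dag_mac(key: bytes, edges: dict, blocks: list) -> bytes:
    """C_i = f(P_i xor XOR_{(j,i) in E} psi(j,i) * C_j); returns C at the sink.

    Nodes are 1..m in topological order, node m is the unique sink, and
    edges maps (j, i) -> psi(j, i) in GF(2^128)*.
    """
    m = len(blocks)
    C = {}
    for i in range(1, m + 1):
        M = int.from_bytes(blocks[i - 1], "big")  # M_i starts as P_i
        for (j, k), color in edges.items():
            if k == i:
                M ^= gf_mul(color, int.from_bytes(C[j], "big"))
        C[i] = f(key, M.to_bytes(N_BYTES, "big"))
    return C[m]


ONE, X = 1, 2  # the field elements 1 and x (the slide's *1 and *x)

# Singular: V2 and V3 share the predecessor set {V1} with the same color.
SINGULAR = {(1, 2): ONE, (1, 3): ONE, (2, 4): ONE, (3, 4): ONE}
# Non-singular: same shape, but the two edges out of V1 get different colors.
NONSINGULAR = {(1, 2): ONE, (1, 3): X, (2, 4): ONE, (3, 4): ONE}

KEY = b"\x00" * 16  # constructed demo key


def tags_collide(edges: dict) -> bool:
    """True iff two constructed messages, equal except in P1, get the same tag.

    Both repeat one block in positions 2 and 3.  On the singular graph
    M_2 == M_3 for every P1, so C_2 xor C_3 == 0 and the tag f(P_4)
    ignores P1 entirely: a structural collision the adversary can trigger
    at will.  With the colors 1 and x, M_2 == M_3 only if (1 + x) * C_1 == 0.
    """
    a = b"\xaa" * 16
    msg1 = [b"\x01" * 16, a, a, b"\x04" * 16]
    msg2 = [b"\x02" * 16, a, a, b"\x04" * 16]
    return dag_mac(KEY, edges, msg1) == dag_mac(KEY, edges, msg2)


if __name__ == "__main__":
    print("singular graph, tags collide:", tags_collide(SINGULAR))        # True
    print("non-singular graph, tags collide:", tags_collide(NONSINGULAR))  # False
```

The check is deterministic: on the singular graph the collision follows from the graph alone, for every key and every P1, which is exactly the kind of input collision the later proof slides call "automatic". On the non-singular graph the two inputs differ unless C_1 = 0, so the tags agree only by chance.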
PMAC [BR02], to be precise…
[Figure: PMAC drawn as an edge-colored DAG; constant 0, color m.]
Variable Length Domain Ext.
• length need not be a multiple of n
• naïve padding with 10^t doesn't work: how to distinguish between a full-length last block and a padded partial one?
• UNLESS full length is authenticated differently: [PR00], [BR00]
• naïve CBC-MAC across different lengths is flawed:
• C1 = CBCMAC_f( P1 )
• C1 = CBCMAC_f( P1 || C1 ⊕ P1 ), since f( C1 ⊕ (C1 ⊕ P1) ) = f( P1 ) = C1
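The two failures on this slide, partial-only padding and the CBC-MAC length extension, are small enough to run. The following is an added example, not code from the slides or from the author: it builds naive CBC-MAC over a stand-in PRF, shows that padding only partial blocks makes a 5-byte message and a 16-byte message indistinguishable, shows the forgery P1 || (C1 ⊕ P1) verifying with no key, and shows it failing once the final node uses a different function, in the spirit of the tilde-f in the chained-mode figure. The stand-in f (HMAC-SHA256 truncated to 128 bits), the reading of tilde-f as f under an independent second key, the keys and the blocks are assumptions constructed for illustration; the slides do not define tilde-f.

```python
"""CBC-MAC across message lengths: an added example, not from the slides.

f stands in for the 128-bit PRF (HMAC-SHA256 truncated to 16 bytes).  The
'tilde-f' of the chained-mode figure is taken here to be f under an
independent second key (assumption).  Keys and blocks are constructed.
"""
import hashlib
import hmac

N = 16


def f(key: bytes, block: bytes) -> bytes:
    """Stand-in n-bit PRF: keyed HMAC-SHA256 truncated to n bits."""
    assert len(block) == N
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, blocks: list) -> bytes:
    """Naive CBC-MAC: C_i = f(P_i xor C_{i-1}) with C_0 = 0; the tag is C_m."""
    c = bytes(N)
    for p in blocks:
        c = f(key, xor(p, c))
    return c


def cbc_mac_tilde(key: bytes, key_last: bytes, blocks: list) -> bytes:
    """Same chain, but the last node applies tilde-f = f under key_last."""
    c = bytes(N)
    for p in blocks[:-1]:
        c = f(key, xor(p, c))
    return f(key_last, xor(blocks[-1], c))


def pad_partial_only(msg: bytes) -> list:
    """Naive 10^t padding applied only when the last block is partial.

    A full-length message is left untouched, so it cannot be told apart
    from a shorter message whose padding happens to produce it.
    """
    blocks = [msg[i:i + N] for i in range(0, len(msg), N)] or [b""]
    last = blocks[-1]
    if len(last) < N:
        blocks[-1] = last + b"\x80" + bytes(N - len(last) - 1)
    return blocks


def extension_forgery(p1: bytes, tag1: bytes) -> list:
    """From the one-block message P1 and its tag C1, build P1 || (C1 xor P1).

    Under naive CBC-MAC its tag is f(C1 xor (C1 xor P1)) = f(P1) = C1: the
    same tag, computed without the key.
    """
    return [p1, xor(tag1, p1)]


K1, K2 = b"\x11" * 16, b"\x22" * 16  # constructed keys
P1 = bytes(15) + b"\x01"             # constructed block


def padding_ambiguity() -> bool:
    """True iff a 5-byte message and the 16-byte message equal to its
    padded form get the same naive CBC-MAC tag."""
    short = b"hello"                        # 5 bytes, gets padded
    full = b"hello" + b"\x80" + bytes(10)   # 16 bytes, already full: untouched
    return cbc_mac(K1, pad_partial_only(short)) == cbc_mac(K1, pad_partial_only(full))


def naive_forgery_works() -> bool:
    tag1 = cbc_mac(K1, [P1])
    return cbc_mac(K1, extension_forgery(P1, tag1)) == tag1


def tilde_forgery_works() -> bool:
    """The attacker sees tilde-f(P1), not f(P1), so the cancellation fails."""
    tag1 = cbc_mac_tilde(K1, K2, [P1])
    return cbc_mac_tilde(K1, K2, extension_forgery(P1, tag1)) == tag1


if __name__ == "__main__":
    print("partial-only padding ambiguous:", padding_ambiguity())  # True
    print("naive CBC-MAC forgery verifies:", naive_forgery_works())  # True
    print("forgery verifies with tilde-f:", tilde_forgery_works())   # False
```

With tilde-f at the last node the forged message's tag is tilde-f(C1 ⊕ P1 ⊕ f(P1)), which equals C1 = tilde-f(P1) only if f(P1) = tilde-f(P1), so the one-block and two-block computations no longer share their final call. This is one concrete way of authenticating the full-length case differently; the collection-of-DAGs slides below give the general condition.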
Collection of DAGs
• 2 DAGs for each block length t: G_{2t}, G_{2t+1}
• each DAG must have a unique sink node
• each DAG must have at least t nodes
• each DAG individually non-singular
• is that enough? NO
Incorrect Construction
[Figure: two graphs drawn on the same four vertices V1..V4.]
• Define all graphs on the same set of vertices V
• G_i cannot be allowed to be an induced subgraph of another G_j
Requirements for VIL-PRF
• If for any pair of vertices u, v (u ≠ v) and graphs G_i and G_i', the set of incident nodes of u in G_i and the set of incident nodes of v in G_i' are the same, then at least one incident edge is colored differently
• Non-singular over all graphs
• For each graph G_i, it is not the case that there is another graph G_i' which is identical up to the "largest" node of G_i
Optimized VIL Mode
[Figure: nodes 1..5 with edge colors col2, col3, col4, col5, col2.]
Current Best Mode
[Figure: nodes 1..5 with edge colors col2, col3, col4, col5, col2, col3, col2.]
Parallel VIL Mode
[Figure: nodes v1, v2, v3, ..., v2^n with edge colors col1..col4, color5, color6.]
Proof
• Most theorems about PRF and PRP constructions, as well as modes of operation, built from smaller primitives have to tackle collisions in the calls to the smaller primitive
• Modulo that, proving randomness is easy
Collisions in calls to the oracle
• automatic collisions, as in CBC-MAC
• unforced collisions
• forced collisions (adversarial, adaptive)
• can try to prove there are no forced collisions
• Fix the last blocks of the transcript, which are visible to A
• Conditioned on this, and on average over all possible transcripts c, this is the same as counting collisions in the transcript
• Thus, the adversary is left with playing "automatic collisions"