PRF Domain Extension using DAGs


Presentation Transcript


  1. PRF Domain Extension using DAGs. Charanjit Jutla, IBM T J Watson

  2. [Figure: the basic DAG mode; plaintext blocks P1, P2, P3, ..., Pm enter nodes V1, V2, V3, ..., Vm, each applying f, with tilde-f at the sink; domain extended from n bits to mn bits]

  3. [Figure: a five-node example DAG; blocks P1..P5 enter nodes V1..V5, each applying f; output C at the sink]

  4. Requirements on the DAG
  • Directed Acyclic Graph G = (V,E)
  • |V| = m
  • Unique source and sink nodes
  • G is non-redundant: no two nodes have the same set of immediate predecessors
  Then, PRF Domain Extension to mn bits

  5. [Figure: the same five-node DAG, nodes V1..V5 with blocks P1..P5 and f at each node]

  6. A Parallel Mode for Four Processors. In general, 3 + log* m depth

  7. Really Basic Intuition
  • C_i = f( P_i xor XOR_{(j,i) in E} C_j )
  • Call M_i = P_i xor XOR_{(j,i) in E} C_j
  • M_i is the input to node V_i
  • Can two such M_{i1} and M_{i2} collide?
  • i1 = i2 ::: hopefully the plaintexts are different???
  • i1 ≠ i2 ::: XOR_{(j,i1) in E} C_j ?= XOR_{(j,i2) in E} C_j

  8. XOR_{(j,i1) in E} C_j ?= XOR_{(j,i2) in E} C_j
  XOR_{(j,i1) in E} a_{j,i1} * C_j ?= XOR_{(j,i2) in E} a_{j,i2} * C_j
  using multiplication in the Galois Field GF(2^n)

  9. Edge-Colored DAGs
  • Directed Acyclic Graph G = (V,E)
  • |V| = m
  • Edge Coloring ψ: E → GF(2^n)*
  • Unique sink node
  • G is non-singular: if two nodes (say u and v) have the same set of immediate predecessors (say W), then there exists w ∈ W with ψ(w,u) ≠ ψ(w,v)
  Then, PRF Domain Extension to mn bits

  10. A Parallel Mode for Four Processors [Figure: edges colored *1, *x, *x^2, *(1+x)]
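As an added illustration (not from the slides or the paper), the edge-colored construction of slides 7 to 10 in Python: GF(2^128) multiplication for the colors, the non-singularity check of slide 9, and the per-node computation C_i = f_k(M_i) with the output taken at the unique sink. The n-bit PRF f is a stand-in built from HMAC-SHA256 truncated to 128 bits, and the six-node DAG is a constructed one modelled on the four-processor mode; both are assumptions, not the paper's definitions. The returned list of M_i makes the point of slide 7 checkable: the singular variant lets equal blocks collide at the oracle, the non-singular graph does not.

```python
import hmac, hashlib
from itertools import combinations

POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1: a standard GF(2^128) reduction polynomial

def gf_mul(a, b):
    """Multiply a*b in GF(2^128) by shift-and-add, reducing by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= POLY
    return r

def prf(key, block):
    """Stand-in n-bit PRF f_k (assumption): HMAC-SHA256 of the 128-bit block, truncated to 128 bits."""
    return int.from_bytes(hmac.new(key, block.to_bytes(16, "big"), hashlib.sha256).digest()[:16], "big")

def non_singular(nodes, edges):
    """Slide 9: any two nodes with the same predecessor set W must differ in the color of some w in W."""
    preds = {v: {u: c for (u, w, c) in edges if w == v} for v in nodes}
    for u, v in combinations(nodes, 2):
        if set(preds[u]) == set(preds[v]) and all(preds[u][w] == preds[v][w] for w in preds[u]):
            return False
    return True

def dag_prf(key, nodes, edges, blocks):
    """M_i = P_i xor XOR_{(j,i) in E} psi(j,i)*C_j, C_i = f_k(M_i); returns (C at the sink, [M_i])."""
    assert len(blocks) == len(nodes)                  # one n-bit block per node: mn-bit domain
    C, M = {}, []
    for v, p in zip(nodes, blocks):                   # nodes are listed in topological order
        m = p
        for (u, _, color) in (e for e in edges if e[1] == v):
            m ^= gf_mul(color, C[u])
        M.append(m)
        C[v] = prf(key, m)
    sinks = [v for v in nodes if all(u != v for (u, _, _) in edges)]
    assert len(sinks) == 1                            # unique sink node
    return C[sinks[0]], M

# Constructed DAG modelled on slide 10 (not the paper's exact graph): V1 fans out to V2..V5 with colors 1, x, x^2, 1+x (x = 2); all four feed the unique sink V6.
X = 2
NODES = ["V1", "V2", "V3", "V4", "V5", "V6"]
EDGES = [("V1", "V2", 1), ("V1", "V3", X), ("V1", "V4", gf_mul(X, X)), ("V1", "V5", 1 ^ X),
         ("V2", "V6", 1), ("V3", "V6", 1), ("V4", "V6", 1), ("V5", "V6", 1)]
# Singular variant: V2 and V3 share predecessor {V1} with equal colors, so P2 == P3 forces M2 == M3.
SINGULAR_EDGES = [("V1", "V2", 1), ("V1", "V3", 1)] + EDGES[2:]
```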

  11. PMAC [BR02] (Parallelizable Authentication Mode) [Figure: PMAC drawn as an edge-colored DAG; color m]

  12. PMAC [BR02], to be precise…. [Figure: constant 0 input; color m]

  13. Variable Length Domain Ext.
  • length need not be a multiple of n
  • naïve padding with 10^t doesn't work: how to distinguish between a full-length and a partial final block?
  • UNLESS full length is authenticated differently [PR00], [BR00]
  • naïve CBC-MAC for different lengths is flawed:
    C1 = CBCMAC_f( P1 )
    C1 = CBCMAC_f( P1 || C1 xor P1 )   (the two-block message produces the same tag)

  14. Collection of DAGs
  • 2 DAGs for each block length t: G_{2t}, G_{2t+1}
  • each DAG must have a unique sink node
  • each DAG must have at least t nodes
  • each DAG individually non-singular
  • is that enough? NO

  15. Incorrect Construction [Figure: two graphs drawn on the same vertices V1..V4]
  Define all graphs on the same set of vertices V. G_i cannot be allowed to be an induced subgraph of another G_j.

  16. Requirements for VIL-PRF
  • If for any pair of vertices u, v (u ≠ v) and graphs G_i and G_i', the sets of incident nodes of u in G_i and of v in G_i' are the same, then at least one incident edge is colored differently.
  • Non-singular over all graphs
  • for each graph G_i, it is not the case that there is another graph G_i' which is identical up to the "largest" node of G_i

  17. Optimized VIL Mode [Figure: nodes 1..5 with edge colors col2, col3, col4, col5, col2]

  18. Current Best Mode [Figure: nodes 1..5 with edge colors col2, col3, col4, col5, col2, col3, col2]

  19. Parallel VIL mode [Figure: edge colors col1..col4, color5, color6; nodes v1, v2, v3, v2^n]

  20. Proof
  • Most theorems involving PRF and PRP constructions, as well as Modes of Operation built from smaller primitives, have to tackle collisions in calls to the smaller primitive
  • Modulo that, proving randomness is easy

  21. Collisions in calls to oracle
  • automatic collisions -- as in CBC-MAC
  • Unforced collisions
  • Forced collisions (adversarial, adaptive)
  • can try to prove there are no forced collisions
  • Fix the last blocks of the transcript – visible to A (the adversary)
  • Conditioned on this, on average over all possible transcripts c, same as collisions in the transcript
  Thus, the adversary is left with playing "automatic collisions"

  22. THE END
