combiners for backdoored random oracles
play

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya - PowerPoint PPT Presentation

Apr 03, 2023 •270 likes •808 views

Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS, Paris TU Darmstadt Backdoors 1 Backdoors It makes more sense to address any security risks by developing intercept solutions during the design

  1. Combiners for Backdoored Random Oracles Balthazar Bauer, Pooya Farshim, Sogol Mazaheri ENS, Paris TU Darmstadt

  2. Backdoors 1

  3. Backdoors It makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact. James Comey (former FBI director, Oct. 2014) 1

  4. Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ Hash Functions are Everywhere: KDFs OWFs FDH MACs PoW 2

  5. Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ Hash Functions are Everywhere: KDFs OWFs FDH MACs PoW security proofs are not always possible... 2

  6. Random Oracles ✵✽❜❢❢✶❡✵❜✵✶✻✷ 3

  7. Random Oracles = Ideal Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ ideal hash function 3

  8. Random Oracles = Ideal Hash Functions ✵✽❜❢❢✶❡✵❜✵✶✻✷ ideal hash function Random Oracles are Practical, enabling proofs of many practical schemes: RSA-OAEP TLS Identification protocols FDH DSA PSS 3

  9. Backdoored Random Oracles (BROs) H ( x ) x H 4

  10. Backdoored Random Oracles (BROs) H ( x ) x H 4

  11. Backdoored Random Oracles (BROs) H ( x ) x H random oracle 4

  12. Backdoored Random Oracles (BROs) H ( x ) x H random oracle f ( H ) f BD H backdoor oracle 4

  13. Backdoored Random Oracles (BROs) H ( x ) x H random oracle f ( H ) f BD H backdoor oracle adaptive and unrestricted access to the backdoor oracle 4

  14. Backdoor Capabilities BD H 5

  15. Backdoor Capabilities collisions? BD H ( x , x ′ ) 5

  16. Backdoor Capabilities collisions? H − ( y ) ? x BD H ( x , x ′ ) 5

  17. Backdoor Capabilities collisions? 0 k | x H − ( y ) ? x BD H H − ( y ) starting ( x , x ′ ) with k zeros? 5

  18. Backdoor Capabilities collisions? any f 0 k | x H − ( y ) ? x BD H H − ( y ) starting ( x , x ′ ) with k zeros? f ( H ) 5

  19. Backdoor Capabilities collisions? any f 0 k | x H − ( y ) ? x BD H H − ( y ) starting ( x , x ′ ) with k zeros? f ( H ) no security is possible... 5

  20. Combining BROs H ( x ) x H f ( H ) f BD H 6

  21. Combining BROs H ( x ) G ( x ) x x H G f ( H ) f ( G ) f f BD H BD G 6

  22. Combining BROs H ( x ) G ( x ) x x H G f ( H ) f ( G ) f f BD H BD G Can we combine two independent but backdoored hash functions to build one that is secure against adversaries with access to both backdoor oracles? 6

  23. Combiners 7

  24. Combiners concatenation: H G 7

  25. Combiners xor: concatenation: H H ⊕ G G 7

  26. Combiners xor: concatenation: H H ⊕ G G cascade: H G 7

  27. Combiners xor: xor: concatenation: H H H ⊕ ⊕ G G G cascade: cascade: H H G G 7

  28. Concatenation in 2-BRO BD H H BD G G 8

  29. Concatenation in 2-BRO BD H H BD G G one-way security? 8

  30. Concatenation in 2-BRO BD H H BD G G one-way security? pseudorandomness? collision-resistance? 8

  31. Concatenation in 2-BRO BD H H BD G G one-way security? pseudorandomness? collision-resistance? We need results from communication complexity ... 8

  32. Communication Complexity A t ( A , B ) B 9

  33. Communication Complexity A B A B 9

  34. Communication Complexity A B A B find x ∈ A ∩ B . decide A ∩ B = ∅ INT : DISJ : 9

  35. Communication Complexity A B A B find x ∈ A ∩ B . decide A ∩ B = ∅ INT : DISJ : Theorem ([Babai, Frankl, Simon 86]): For independent random sets A , B ⊆ [ 2 n ] of size 2 n / 2 , and protocols with 99% correctness, it holds that CC ( DISJ ) ≥ Ω( 2 n / 2 ) . 9

  36. Communication Complexity - Generalized | A | , | B | lower-bound problem by = 2 n / 2 Ω( 2 n / 2 ) DISJ [Babai, Frankl, Simon 86] [Moshkovitz, Barak 12], ≈ 2 n / 2 Ω( 2 n / 2 ) DISJ [Guruswami, Cheraghchi 13] 10

  37. Communication Complexity - Generalized | A | , | B | lower-bound problem by = 2 n / 2 Ω( 2 n / 2 ) DISJ [Babai, Frankl, Simon 86] [Moshkovitz, Barak 12], ≈ 2 n / 2 Ω( 2 n / 2 ) DISJ [Guruswami, Cheraghchi 13] Theorem : For independent random sets A , B ⊆ [ 2 n ] of expected sizes 2 n ( 1 − α ) and 2 n ( 1 − β ) respectively, CC ( INT ) ≥ Ω( 2 n ( min ( α,β )+ α + β − 1 ) ) , for ( α, β ) in the feasible region. 10

  38. Communication Complexity - Generalized | A | , | B | lower-bound problem by = 2 n / 2 Ω( 2 n / 2 ) DISJ [Babai, Frankl, Simon 86] [Moshkovitz, Barak 12], ≈ 2 n / 2 Ω( 2 n / 2 ) DISJ [Guruswami, Cheraghchi 13] Theorem : For independent random sets A , B ⊆ [ 2 n ] of expected sizes 2 n ( 1 − α ) and 2 n ( 1 − β ) respectively, CC ( INT ) ≥ Ω( 2 n ( min ( α,β )+ α + β − 1 ) ) , for ( α, β ) in the feasible region. 10

  39. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. 11

  40. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. Let A := H − ( u ) and B := G − ( v ) . A B 11

  41. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. Let A := H − ( u ) and B := G − ( v ) . A B Then, for any pre-image x of u | v : x ∈ H − ( u ) and x ∈ G − ( v ) 11

  42. One-Way Security of Concatenation Combiner Theorem : Inverting a random value u | v under H | G in the 2-BRO model is as hard as the set-intersection problem. Let A := H − ( u ) and B := G − ( v ) . A B x Then, for any pre-image x of u | v : x ∈ H − ( u ) and x ∈ G − ( v ) Hence, x ∈ A ∩ B . 11

  43. Security of Concatenation in 2-BRO One-Way Security Inverting a random value u | v is as hard as the set-intersection problem. 12

  44. Security of Concatenation in 2-BRO One-Way Security Inverting a random value u | v is as hard as the set-intersection problem. Pseudorandomness Deciding whether a random value u | v has a pre-image is as hard as the set-disjointness problem. 12

  45. Security of Concatenation in 2-BRO One-Way Security Inverting a random value u | v is as hard as the set-intersection problem. Pseudorandomness Deciding whether a random value u | v has a pre-image is as hard as the set-disjointness problem. Collision-Resistance Finding a collision is as hard as ... 12

  46. Collision-Resistance of Concatenation Theorem : Finding a collision under H | G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection. 13

  47. Collision-Resistance of Concatenation Theorem : Finding a collision under H | G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection. . . 13

  48. Collision-Resistance of Concatenation Theorem : Finding a collision under H | G in the 2-BRO model is as hard as finding 2 sets, given many, and 2 elements in their intersection. . . Hardness of the above problem is open. 13

  49. Combiners and Security Notions OW PRG CR H ?? � � G H ? ?? ⊕ � G ?? � � H G 14

  50. Open Problems lower bound for the multi-INT problem extend parameters for DISJ and INT E π combiners for other backdoored primitives 15

  51. 16

  52. Thank You. Thanks to Giorgia Marson for drawing Alice, Bob, and the sheet. 16

Recommend

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain Amit Sahai Since 2013 Two-Round (Adaptive) Multi-Party Computation Instantiating Random Oracles Non-Interactive Multi-party Key

1.33k views • 111 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath

Overview Background The Transformation Conclusion and Future Work From Selective-ID to Full-ID IBS without Random Oracles Sanjit Chatterjee and Chethan Kamath Indian Institute of Science, Bangalore November 3, 2013 Overview Background The

1.34k views • 44 slides
Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis

Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited Yevgeniy Dodis New York University Joint work with Siyao Guo (Simons Institute, UC Berkeley) Jonathan Katz (University of Maryland) Hash Functions Are Ubiquitous

650 views • 40 slides
Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann

Introduction Positive Results Conclusion Random Oracles in a Quantum World Dan Boneh 1 ur Dagdelen 2 Marc Fischlin 2 Ozg Anja Lehmann 3 Christian Schaffner 4 Mark Zhandry 1 1 Stanford University, USA 2 CASED & Darmstadt University of

768 views • 65 slides
Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work

Correcting Subverted Random Oracles Qiang Tang New Jersey Institute of Technology Joint work with Alexander Russell (University of Connecticut), Moti Yung (Google & Columbia University) Hong Sheng Zhou (Virginia Commonwealth University)

578 views • 34 slides
Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD

Instantiating Random Oracles via UCEs Mihir Bellare Joint work with Sriram Keelveedhi UCSD 1/9/13 Bellare, Stanford RWC Workshop 1 The work reported on here is very much work in progress. The UCE definition has evolved since this talk and

774 views • 44 slides
Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM

Cryptocurrencies & Security on the Blockchain Oracles and Tokens Prof. Tom Austin San Jos State University Oracles Motivation EVM execution must be deterministic. Cannot rely on outside information But sometimes that

591 views • 17 slides
Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias

Chaitins halting probability and the compression of strings using oracles George Barmpalias Joint work with Andrew Lewis Institute of Software Chinese Academy of Sciences Barcelona, July 2011 Question Random data lack internal structure

191 views • 18 slides
Algorithms for MapReduce Combiners Partition and Sort Pairs vs Stripes 1 Assignment 1 released

Algorithms for MapReduce Combiners Partition and Sort Pairs vs Stripes 1 Assignment 1 released

Algorithms for MapReduce Combiners Partition and Sort Pairs vs Stripes 1 Assignment 1 released Due 16:00 on 20 October Correctness is not enough! Most marks are for efficiency. Combiners Partition and Sort Pairs vs Stripes 2 Combining,

749 views • 36 slides
Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner &

Test Oracles and Test Script Generation in Combinatorial Testing Peter M. Kruse Berner & Mattner Systemtechnik GmbH Berlin, Germany Overview Classification Tree Method Expected results Executable test scripts Test Oracles and

374 views • 25 slides
Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim

Training Deterministic Parsers with Non-Deterministic Oracles by Yoav Goldberg and Joakim Nivre, 2013 Seminarvortrag Pius Meinert July 13, 2018 Training Deterministic Parsers with Non-Deterministic Oracles root PRD SBJ DOBJ IOBJ

842 views • 47 slides
Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline

Oracles in TTCN-3 and UTP Ina Schieferdecker 2012, May 22nd, CREST Workshop, London Outline Oracles, Test Automation and (Test) Models Oracles in TTCN-3 Test Automation (Oracle) Examples Test oracle as part of a test case A test

326 views • 30 slides
Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

1.05k views • 28 slides
Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E

Test Oracles and Randomness S I T R T E V U I N L M U O S C D I N E A N R D U O C D O O D C N E Ralph Guderlei and Johannes Mayer rjg@mathematik.uni-ulm.de, jmayer@mathematik.uni-ulm.de

627 views • 40 slides
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel

New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Ben-Gurion University, Israel Cryptographic Hash Functions A cryptographic hash function is hash function H:{0,1}*-> {0,1} n with strong requirements : Collision

461 views • 33 slides
Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number

Random Numbers RANDOM VS PSEUDO RANDOM Truly Random numbers From Wolfram: A random number is a number chosen as if by chance from some specified distribution such that selection of a large set of these numbers reproduces the underlying

720 views • 12 slides
E [ X ] = X 1 ( 2 ) ? X 1 ( 2 ) = { HHT , HTH , THH } . All the outcomes a Pr

E [ X ] = X 1 ( 2 ) ? X 1 ( 2 ) = { HHT , HTH , THH } . All the outcomes a Pr

Alex Psomas: Lecture 17. Random Variables: Definitions Random Variables: Definitions Definition A random variable, X , for a random experiment with sample space is a function X : . Random Variables: Expectation, Variance Thus, X

423 views • 7 slides
IPO Investigating Polyhedra by Oracles Matthias Walter Otto-von-Guericke Universit at

IPO Investigating Polyhedra by Oracles Matthias Walter Otto-von-Guericke Universit at

IPO Investigating Polyhedra by Oracles Matthias Walter Otto-von-Guericke Universit at Magdeburg Joint work with Volker Kaibel (OVGU) Aussois Combinatorial Optimization Workshop 2016 Motivation Finding Facets Adjacency Affine Hull

334 views • 30 slides
Oracle and Netsure Acquisition Announcement Extends Oracles Leadership in Communications

Oracle and Netsure Acquisition Announcement Extends Oracles Leadership in Communications

<Insert Picture Here> Oracle and Netsure Acquisition Announcement Extends Oracles Leadership in Communications with Network Intelligence and Optimization September 2, 2007 The following is intended to outline our general product

151 views • 14 slides
6. random variables T T T T H T H H Random VariablesIntro 2

6. random variables T T T T H T H H Random VariablesIntro 2

CSE 312, 2017 Winter, W.L.Ruzzo 6. random variables T T T T H T H H Random VariablesIntro 2 random variables A random variable is a numeric function of the outcome of an experiment, not the outcome itself.

1.17k views • 95 slides
Automated Test Oracles Automated Test Oracles for GUIs for GUIs Eighth International Symposium

Automated Test Oracles Automated Test Oracles for GUIs for GUIs Eighth International Symposium

1 Automated Test Oracles Automated Test Oracles for GUIs for GUIs Eighth International Symposium Eighth International Symposium on the Foundations of Software on the Foundations of Software Engineering, San Diego, CA, Engineering, San

416 views • 10 slides
Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracles

Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracles

Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracles Governance, Risk and Compliance Suite with Real-time Policy Enforcement October 26, 2007 Disclaimer The following is intended to outline our general product

408 views • 17 slides

More recommend