Does Secure Time-Stamping Imply Collision-Free Hash Functions?
Ahto Buldas, Aivo Jürgenson
aivo.jurgenson@eesti.ee
Tallinn University of Technology, Estonia. Elion Enterprises Ltd, Estonia.

Topics
- background about hash functions and their security
- timestamping and backdating attack
- what is blackbox reduction
- how to prove that blackbox reduction is not possible
- show that time-stamping doesn't require CFHF

Hash functions
- $X \in \{0,1\}^*$, $x = h(X)$, $x \in \{0,1\}^m$
- collision: $X_1 \neq X_2$, $h(X_1) = h(X_2)$
- attacks against collision resistance of MD5, SHA-1, SHA-256
- is this collision freedom really required in applications (for example in timestamping)?
- Buldas and Saarepera in 2004: collision freedom is insufficient.
- Buldas and Laur in 2006: collision freedom is unnecessary.

Timestamping scheme
[Diagram: a sequence of batches $X_1, X_2, X_3, \ldots$; each batch consists of requests $x_1 \ldots x_m$.]
- $r_1 = \mathrm{Com}(X_1)$, $r_2 = \mathrm{Com}(X_2)$, $r_3 = \mathrm{Com}(X_3)$
- for a request $x$ among $x_1 \ldots x \ldots x_m$ of $X_3$: $c = \mathrm{Cert}(X_3, x)$
- $\mathrm{Ver}(r_3, c, x) = \text{yes}$

Backdating attack
- Adversary publishes commitment $r$.
- Alice invents something $D_A \in \{0,1\}^*$.
- Adversary creates a modified description $D'_A \in \{0,1\}^*$ of Alice's invention and claims that this was timestamped by himself long before Alice invented it.
- $x = H(D'_A)$, $\mathrm{Ver}(r, x, c) = \text{yes}$
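
An added example (not from the slides or the authors): a minimal Merkle-tree instance of the Com / Cert / Ver interface from the "Timestamping scheme" and "Backdating attack" slides, showing that a value outside the committed batch does not verify against an already published r. SHA-256, the leaf/inner prefixes, the promotion of an odd node and the max_len bound are assumptions of this sketch.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def tree_levels(X):
    """All levels of the hash tree over batch X, leaves first."""
    if not X:
        raise ValueError("empty batch")
    # Distinct prefixes keep an inner node from being presented as a leaf.
    level = [h(b"\x00" + x) for x in X]
    levels = [level]
    while len(level) > 1:
        nxt = [h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:            # odd node is promoted unchanged
            nxt.append(level[-1])
        level = nxt
        levels.append(level)
    return levels

def Com(X):
    """Commitment r for a batch: the root of the tree."""
    return tree_levels(X)[-1][0]

def Cert(X, x):
    """Certificate c for x: sibling hashes on the path from x to the root."""
    idx = X.index(x)                  # ValueError if x is not in the batch
    c = []
    for level in tree_levels(X)[:-1]:
        sib = idx ^ 1
        if sib < len(level):
            c.append(("L" if sib < idx else "R", level[sib]))
        idx //= 2
    return c

def Ver(r, c, x, max_len=32):
    """Recompute the chain from x; reject over-long chains (added check)."""
    if len(c) > max_len:
        return False
    node = h(b"\x00" + x)
    for side, sib in c:
        node = h(b"\x01" + (sib + node if side == "L" else node + sib))
    return node == r

def demo():
    X3 = [h(b"constructed request %d" % i) for i in range(5)]  # constructed batch
    r3, c = Com(X3), Cert(X3, X3[4])
    late = h(b"description written after r3 was published")
    return Ver(r3, c, X3[4]), Ver(r3, c, late)

if __name__ == "__main__":
    print(demo())
```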

Formalized attack
- Two-staged adversary $A = (A_1, A_2)$.
- Security condition:
  $\Pr\left[(r,a) \leftarrow A_1(1^k),\ (x,c) \leftarrow A_2(r,a) : \mathrm{Ver}(x,c,r) = \text{yes}\right] = k^{-\omega(1)}$
- $A = (A_1, A_2) \in \mathrm{FPU}$ when
  $\Pr\left[(r,a) \leftarrow A_1(1^k),\ x' \leftarrow \Pi(r,a),\ (x,c) \leftarrow A_2(r,a) : x' = x\right] = k^{-\omega(1)}$

BlackBox reduction
[Diagram: black-box (BB) reduction between P (CFHF, general hash function) and Q (TS, general Merkle-tree TS). Labels: $\forall f$; $P^f$ and $\exists T^f$ ("implements"); $\exists D^{A,f}$ (hash function breaker) and $S^{A,f}$ (FPU class TS attacker) ("breaks"); $\forall A$; universal hash function breaker; random hash function.]

Oracle separation
[Diagram: same layout as the black-box reduction, between P (CFHF, general hash function) and Q (TS, general Merkle-tree TS). Labels: $f$; $\forall P^f$ and $\exists T^f$ ("implements"); $\exists D^{A,f}$ (hash function breaker) and $\nexists S^{A,f}$ (FPU class TS attacker) ("breaks"); $A$; universal hash function breaker; random hash function.]

$S^{A,f} = (S_1, S_2)$ in work
[Diagram: labels $R_1$, $f_k$, $r$, $c_m$, $c_{m-1}$.]