explicit optimal binary pebbling for one way hash chain
play

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal - PowerPoint PPT Presentation

Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers Coding & Crypto group Dept of Mathematics & Computer Science TU Eindhoven, The Netherlands berry@win.tue.nl 20 th Financial Cryptography Tuesday,


  1. Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers Coding & Crypto group Dept of Mathematics & Computer Science TU Eindhoven, The Netherlands berry@win.tue.nl 20 th Financial Cryptography Tuesday, February 23, 2016 Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  2. Outline Background (long) hash chains & pebbling algorithms Framework for binary pebbling speed-1 / speed-2 (Jakobsson) / optimal pebbling Optimized implementations in-place (minimize storage) vs fast (maximize speed) Extensions & Conclusions Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  3. Hash Chains Famous example: Bitcoin’s block chain. We use “ordinary” hash chains: no proof of work. Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  4. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  5. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : x 0 Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  6. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f x 0 → x 1 − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  7. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f x 0 → x 1 → x 2 − − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  8. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f x 0 → x 1 → x 2 − − − → . . . Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  9. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f x 0 → x 1 → x 2 → x n − 2 − − − → . . . − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  10. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f f x 0 → x 1 → x 2 → x n − 2 → x n − 1 − − − → . . . − − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  11. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f f f x 0 → x 1 → x 2 → x n − 2 → x n − 1 → x n − − − → . . . − − − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  12. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f f f x 0 → x 1 → x 2 → x n − 2 → x n − 1 → x n − − − → . . . − − − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  13. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : x n Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  14. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f x n − 1 → x n − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − send x n − 1 ? x n − 1 ← f n − 1 ( x 0 ) 1st identification = f ( x n − 1 ) x n − − − − − − − − − → − store x n − 1 Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  15. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f x n − 2 → x n − 1 → x n − − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − send x n − 1 ? x n − 1 ← f n − 1 ( x 0 ) 1st identification = f ( x n − 1 ) x n − − − − − − − − − → − store x n − 1 send x n − 2 ? x n − 2 ← f n − 2 ( x 0 ) 2nd identification x n − 1 = f ( x n − 2 ) − − − − − − − − − − − → − store x n − 2 Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  16. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f x 2 → x n − 2 → x n − 1 → x n − → . . . − − − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − send x n − 1 ? x n − 1 ← f n − 1 ( x 0 ) 1st identification = f ( x n − 1 ) x n − − − − − − − − − → − store x n − 1 send x n − 2 ? x n − 2 ← f n − 2 ( x 0 ) 2nd identification x n − 1 = f ( x n − 2 ) − − − − − − − − − − − → − store x n − 2 . . . Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  17. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f f x 1 → x 2 → x n − 2 → x n − 1 → x n − − → . . . − − − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − send x n − 1 ? x n − 1 ← f n − 1 ( x 0 ) 1st identification = f ( x n − 1 ) x n − − − − − − − − − → − store x n − 1 send x n − 2 ? x n − 2 ← f n − 2 ( x 0 ) 2nd identification x n − 1 = f ( x n − 2 ) − − − − − − − − − − − → − store x n − 2 . . . send x 1 ? n − 1 st identification x 1 ← f ( x 0 ) x 2 = f ( x 1 ) − − − − − − − − − → − store x 1 Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  18. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f f f x 0 → x 1 → x 2 → x n − 2 → x n − 1 → x n − − − → . . . − − − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − send x n − 1 ? x n − 1 ← f n − 1 ( x 0 ) 1st identification = f ( x n − 1 ) x n − − − − − − − − − → − store x n − 1 send x n − 2 ? x n − 2 ← f n − 2 ( x 0 ) 2nd identification x n − 1 = f ( x n − 2 ) − − − − − − − − − − − → − store x n − 2 . . . send x 1 ? n − 1 st identification x 1 ← f ( x 0 ) x 2 = f ( x 1 ) − − − − − − − − − → − store x 1 send x 0 ? n th identification seed x 0 x 1 = f ( x 0 ) − − − − − − − − − → − Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  19. Lamport’s Identification Scheme (Unix S/key One-Time Passwords) One-way hash chain for seed x 0 : f f f f f f x 0 → x 1 → x 2 → x n − 2 → x n − 1 → x n − − − → . . . − − − Registration random x 0 send x n x n ← f n ( x 0 ) ( authentic message ) store x n − − − − − − − − → − send x n − 1 ? x n − 1 ← f n − 1 ( x 0 ) 1st identification = f ( x n − 1 ) x n − − − − − − − − − → − store x n − 1 send x n − 2 ? x n − 2 ← f n − 2 ( x 0 ) 2nd identification x n − 1 = f ( x n − 2 ) − − − − − − − − − − − → − store x n − 2 . . . send x 1 ? n − 1 st identification x 1 ← f ( x 0 ) x 2 = f ( x 1 ) − − − − − − − − − → − store x 1 send x 0 ? n th identification seed x 0 x 1 = f ( x 0 ) − − − − − − − − − → − Asymmetric scheme : values stored not secret . Secure against passive eavesdropper : x n of no use for 1st identification, etc. Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  20. Security Requirements for Function f Function f should be one-way on its iterates (Levin ’85, Pedersen ’96). Matyas-Meyer-Oseas one-way function f : { 0 , 1 } 128 → { 0 , 1 } 128 where f ( x ) = AES IV ( x ) ⊕ x View f as a random function. Given y = f n ( x ) , finding z such that f ( z ) = y takes 2 128 / n time. For hash chain of length n = 2 32 : security of 2 128 2 32 = 2 96 . Pebbling algorithms do not affect security. Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

  21. Applications of (Long) Hash Chains Micropayment schemes: CAFE phone ticks, Payword TESLA secure routing for wireless sensor networks Multicast authentication Online auctions Communication between airplanes and DME towers DME (Distance Measuring Equipment) tower authenticates its messages to airplanes. Boneh-Wang 2010: hash chain of length n = 86400 (1 link per second for 1 day) Explicit Optimal Binary Pebbling for One-Way Hash Chain Reversal Berry Schoenmakers

Recommend


More recommend