Hash functions in theory and practice Constructive logic

Artifact: ℓ
◮ Suppose the family $h = (h_s)_s$ is collision free. What can we then conclude about $h_{s_0}$ for a particular parameter $s_0$?
◮ Strictly speaking nothing:
◮ Suppose $h$ is collision resistant and
  $$h^*_s = \begin{cases} h_s, & \text{if } l(s) \neq 128, \\ \mathrm{MD5}, & \text{if } l(s) = 128. \end{cases}$$
  Then $h^*$ is also collision resistant by the definition.
◮ But MD5 is still broken ...
◮ Such a family $h^*$ might seem to be “artificially constructed”, but maybe not ...

Claus Diem and dreiwert Provable insecurity

Keyed hash functions
◮ $h_{s,k} : \{0,1\}^* \to \{0,1\}^{l(s)}$ (security parameter $s$, key $k$)
◮ Attacker $A_s$ reads $k$, outputs $x, y$
◮ collision resistant: $\forall n : \exists s_0 : \forall s : s > s_0 \Rightarrow P[x \neq y \wedge h_{s,k}(x) = h_{s,k}(y)] < \frac{1}{l(s)^n}$
◮ (after Damgård 1987)
◮ Allows working with $A_s$ operating on fixed output lengths
◮ Might seem to be a good solution: Not asymptotic, does not immediately lead to a “trivial” attack.

Artifact: k
◮ But: Real hash functions normally don’t have keys
◮ Possible interpretation in some cases: key = initialization vector
◮ But then, free-start collision attacks are being analyzed
◮ But without variable (!) $k$, $A_s$ can always be the trivial attacker
◮ Assume $h$ is collision resistant and
  $$h^*_{s,k} = \begin{cases} h_{s,k}, & \text{if } l(s) \neq 128, \\ \mathrm{MD5}, & \text{if } l(s) = 128 \wedge k = k_0, \end{cases}$$
◮ So, strictly speaking, from “$h$ is collision resistant” we still cannot conclude anything about “concrete hash functions”.

Practical security
Figure (comic dialogue):
“How's it going?”
“Excellent, we can prove that the new CPU works as specified, when the register width approaches infinity.”
“So let's go in production using 64 bit registers.”
“No point doing so. For every fixed register width, the proof does not say anything.”
Figure: Drawings: xkcd.com, modification to text (CC BY-NC 2.5)

“Provably secure” hash functions
◮ collision resistant hash functions according to these definitions can be constructed (under suitable assumption!).
◮ e.g. VSH, ECOH, FSB
◮ Often slow and of little practical relevance
◮ Who decides about the length and the key to use?

First conclusions
◮ Problematic to characterize families of functions when seeking results on a specific hash function
◮ Where does the (existing) attacker $A$ come from?
◮ Explicit precomputation: $A_{\mathrm{pre}}$ computes attacker $A$
◮ Cost of attack: e.g. $\mathrm{TIME}(A_{\mathrm{pre}}) + \mathrm{TIME}(A)$

The fastest attack, reloaded

    #include <iostream>

    // Prints the source code of a second program that outputs the pair x, y.
    int main() {
      std::cout << "#include <iostream>" << std::endl;
      std::cout << "int main() {" << std::endl;
      // x, y are placeholders for the two colliding messages.
      std::cout << "  std::cout << \"x, y\\n\";\n";
      std::cout << "  return 0;" << std::endl;
      std::cout << "}" << std::endl;
      return 0;
    }

◮ Complexity: constant
◮ Anything gained?

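The split between precomputation and attack, and the role of a variable key, can be made concrete. The following is an added example, not part of the talk: it assumes a toy 24-bit hash (SHA-256 truncated) and HMAC-SHA-256 as the keyed family, and the names `a_pre`, `make_trivial_attacker` and `demo` are hypothetical.

```python
import hashlib
import hmac
import itertools

L_BYTES = 3  # toy output length l = 24 bits (assumption), so the search is fast


def h(msg: bytes) -> bytes:
    """Fixed, unkeyed toy hash: SHA-256 truncated to 24 bits."""
    return hashlib.sha256(msg).digest()[:L_BYTES]


def h_keyed(key: bytes, msg: bytes) -> bytes:
    """Keyed toy family h_k: HMAC-SHA-256 truncated to 24 bits."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:L_BYTES]


def a_pre(hash_fn):
    """Precomputation A_pre: birthday search, returns (x, y, evaluations).

    Terminates after at most 2**24 + 1 evaluations (pigeonhole principle).
    """
    seen = {}
    for i in itertools.count():
        x = i.to_bytes(8, "big")
        digest = hash_fn(x)
        if digest in seen:
            return seen[digest], x, i + 1
        seen[digest] = x


def make_trivial_attacker(x: bytes, y: bytes):
    """Attacker A emitted by A_pre: ignores its input, returns constants."""
    return lambda key=None: (x, y)


def is_collision(hash_fn, x: bytes, y: bytes) -> bool:
    return x != y and hash_fn(x) == hash_fn(y)


def demo():
    x, y, cost_pre = a_pre(h)
    attacker = make_trivial_attacker(x, y)
    # Unkeyed: A wins in constant time; all the work sits in A_pre.
    wins_unkeyed = is_collision(h, *attacker())
    # Keyed: the same constants are tested against keys chosen afterwards
    # (constructed sample keys); each succeeds with probability 2**-24.
    keys = [bytes([i]) * 16 for i in range(8)]
    wins_keyed = sum(is_collision(lambda m, k=k: h_keyed(k, m), *attacker(k))
                     for k in keys)
    # An attacker that reads k must redo the search for that key.
    xk, yk, cost_key = a_pre(lambda m: h_keyed(keys[0], m))
    key_aware = is_collision(lambda m: h_keyed(keys[0], m), xk, yk)
    return cost_pre, wins_unkeyed, wins_keyed, cost_key, key_aware


if __name__ == "__main__":
    print(demo())
```
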
Closing the gap
◮ An idea (after Bernstein and Lange 2012): Size limitation for $A_{\mathrm{pre}}$
◮ Rules out trivial attacks for sufficiently large output lengths
◮ Still not useful for practically used hash functions.

Fundamental issue remains
◮ We know: If a hash function $h$ is collision resistant, GnuPG-$h$ is unforgeable.
◮ We want to argue that some “real” hash function $h$ is collision resistant.
◮ But such an $h$ is never collision resistant.
◮ Only in the asymptotic setting or in the Random Oracle model can this be proven.
◮ So usually the known proofs are applied where they cannot really be applied
◮ Is this really what we expect from a “proof”?

Interpretation of proofs
Figure (comic dialogue):
“It can be shown that the new signature scheme has a weakness.”
“But well-known cryptographers say that the weakness is not of practical relevance.”
“At least we can prove the security of the encryption.”
“But it is assumed that the proof methodology does not allow conclusions about practical security.”
Figure: Drawings: xkcd.com, modification to text (CC BY-NC 2.5)

Getting to the root cause
◮ Where do x and y come from?
◮ x, y ← pigeonhole principle ← mathematical logic
◮ Language consisting of: ∨, ∧, ¬, ⇒, ∃, ∀ and symbols
◮ Problem may be caused by the meaning of the symbols

Introduction Algorithmic content Hash collision, revisited

Part II
Constructive logic

What is constructive logic?
◮ Symbols as in classical logic
◮ Meaning partially different
◮ “x exists” means “we can construct x”

From proofs to algorithms
◮ BHK interpretations give a meaning to constructive proofs.
◮ (after Brouwer-Heyting-Kolmogorov, more rarely Brouwer-Heyting-Kreisel)
◮ Realizations formalize these interpretations.
◮ Realizations have a strong relationship to algorithms

What are realizations?
◮ “a realizes A” means: a is a proof of A
◮ defined inductively over the structure of the proven formula

Conjunction
◮ structure: A ∧ B
◮ ⟨a, b⟩ realizes A ∧ B iff a realizes A and b realizes B
◮ Interpretation: both conjuncts must be proved
◮ Meaning as in classical logic

Disjunction
◮ structure: A ∨ B
◮ ⟨0, a⟩ realizes A ∨ B iff a realizes A
◮ ⟨1, b⟩ realizes A ∨ B iff b realizes B
◮ Interpretation: one must either prove A or prove B
◮ Stronger meaning than a disjunction in classical logic

Implication
◮ structure: A ⇒ B
◮ f realizes A ⇒ B means: If a realizes A then f(a) realizes B
◮ Interpretation: convert any proof for A into a proof for B
◮ Meaning as in classical logic

Negation
◮ structure: ¬A
◮ f realizes ¬A iff f realizes A ⇒ 0 = 1
◮ Interpretation: derive a contradiction from any proof for A
◮ Weaker meaning than a negation in classical logic
◮ A ⇒ ¬¬A, but not necessarily ¬¬A ⇒ A

Universal quantification
◮ structure: ∀x : A
◮ f realizes ∀x : A iff f(a) realizes A[x/a] for every a

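The realizers listed on the preceding slides can be written down as proof terms. The following Lean 4 sketch is an added illustration, not part of the talk; it uses Lean's `False` where the slides use 0 = 1, and the theorem names `dni` and `dne` are hypothetical.

```lean
-- Conjunction: a realizer of A ∧ B is a pair ⟨a, b⟩.
example (A B : Prop) (a : A) (b : B) : A ∧ B := ⟨a, b⟩

-- Disjunction: a realizer carries a tag saying which side was proved.
example (A B : Prop) (a : A) : A ∨ B := Or.inl a
example (A B : Prop) (b : B) : A ∨ B := Or.inr b

-- Implication: a realizer is a function that converts proofs of A
-- into proofs of B; composition chains two such conversions.
example (A B C : Prop) (f : A → B) (g : B → C) : A → C :=
  fun a => g (f a)

-- Negation: ¬A unfolds to A → False.
-- A ⇒ ¬¬A is realized by handing the given proof to the refutation.
theorem dni (A : Prop) : A → ¬¬A :=
  fun a na => na a

-- The converse ¬¬A ⇒ A has no such term; Lean proves it only by
-- invoking a classical axiom.
theorem dne (A : Prop) : ¬¬A → A :=
  fun nna => Classical.byContradiction nna

-- Universal quantification: a realizer is a function of the bound variable.
example : ∀ n : Nat, n + 0 = n := fun n => rfl

-- Existence: a constructive proof contains the witness itself.
example : ∃ n : Nat, n * n = 49 := ⟨7, rfl⟩
```
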