security analysis of constructions combining fil random
play

Security Analysis of Constructions Combining FIL Random Oracles - PowerPoint PPT Presentation

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications


  1. Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Télécom R&D and Université de Versailles FSE ’07, March 26

  2. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Motivation: Block Cipher-Based Hash Functions Three well identified ways to design a compression function: dedicated design (MD5, SHA-1, ...) number theoretic design (VSH, MASH, ...) block cipher-based design (Davies-Meyer, MDC-2, ...) “From scratch” compression functions come under attack Number theoretic designed hash functions suffer from poor performances ... so block cipher-based hash functions could be a promising way... ( Unrestricted ) Research & Development March 26, 2007

  3. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Single vs. Multiple Block Length Hash Functions Single block length (SBL) hash functions are well understood since the work by Preneel et al. in 1993 and Black et al. in 2002, who provided security proofs in the ideal cipher model. Example: the Davies-Meyer construction (preimage resistance = Θ ( 2 n ) queries, collision resistance = Θ ( 2 n/2 ) queries) n bits n bits H ′ M 1 E 1 n bits h H 1 But single block length hash functions with 128-bits blocks block ciphers doesn’t offer a sufficient security (brute force collision attacks need only 2 64 work effort.) Therefore we need double (or multiple) block length hash functions in or- der to use AES for example. ( Unrestricted ) Research & Development March 26, 2007

  4. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Multiple Block Length Hash Functions No general theory for multiple block length hash functions as for SBL ones. A lot of candidate constructions have been proposed: early proposals: ABREAST-DM, PARALLEL-DM, MDC-2, MDC-4 Knudsen-Preneel constructions (based on error correcting codes) Hirose (FSE ’05, FSE ’06) Nandi-Lee-Sakurai-Lee (FSE ’05) ... but very few remain unbroken. There is still no unbroken proposal of DBL hash function using a block cipher with key length equal to the block length (e.g. AES128). ( Unrestricted ) Research & Development March 26, 2007

  5. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Our Contribution Recently Peyrin et al. [PGMR06] introduced a general framework for studying MBL hash functions and obtained necessary conditions for a MBL hash function to be secure by analysing generic attacks. They proved that a DBL compression function, using a block cipher with key length equal to the block length and hashing one or two blocks of message needs at least five independent block ciphers. They proposed new DBL hash functions constructions for which no at- tacks are known. However no security proofs were given. We give a security analysis of their framework in the random oracle model, i.e. we give security bounds for preimage and collision re- sistance, and describe generic preimage and collision attacks which sometimes meet the security bound. ( Unrestricted ) Research & Development March 26, 2007

  6. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion The Framework m message blocks c chaining variable blocks We study generic constructions using: ( M 1 , . . . , M m ) ( H 1 , . . . , H c ) . . . . . . t compression functions f 1 , . . . , f t Linear Input Layer taking k blocks of n bits as input outputting one block of n bits k blocks . . . . . . . . . . . . . . . . . . . . . f (1) f (2) f ( i ) f ( t − 1) f ( t ) modelized as independent random oracles The resulting compression function: Linear Output Layer takes m message blocks of n bits . . . and c chaining variable blocks of n c chaining variable blocs bits as input ( H ′ 1 , . . . , H ′ c ) outputs c blocks of n bits ( Unrestricted ) Research & Development March 26, 2007

  7. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Computability Notions We will consider adversaries making at most q queries to each inner compression function f 1 , . . . , f t . We will need the following notions: let’s fix sets of queries Q 1 , . . . , Q t to each inner compression function, and let’s fix r output blocks (or linear combination of output blocks) ( H ′ i 1 , . . . , H ′ i r ) . Then: an input ( M 1 , . . . , M m , H 1 , . . . , H c ) to the compression function h is ( H ′ i 1 , . . . , H ′ i r ) -computable if the queries enable to compute the output blocks ( H ′ i 1 , . . . , H ′ i r ) β ′ r ( q ) will be the maximum over the sets of queries and over the out- put blocks ( H ′ i 1 , . . . , H ′ i r ) of the number of ( H ′ i 1 , . . . , H ′ i r ) -computable inputs. ( Unrestricted ) Research & Development March 26, 2007

  8. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Computability Notions: Example ( M 1 , H 1 , H 2 ) Nandi et al. scheme N1 ( c = 2, m = 1, t = 3, k = 2 ). H 1 M 1 H 1 H 2 H 2 M 1 1 ( q ) = q 2 β ′ Proof ( � ): fix H 1 , choose q values of M 1 f (1) f (2) f (3) and H 2 , ask the q queries f 1 ( H 1 , M 1 ) and f 2 ( H 1 , H 2 ) . Then you can compute 1 for q 2 values ( M 1 , H 1 , H 2 ) . H ′ 2 ( q ) ≃ q 3/2 β ′ Proof ( � ): choose q 1/2 values of M 1 , H 1 and H 2 , ask the q queries f 1 ( H 1 , M 1 ) , f 2 ( H 1 , H 2 ) and f 3 ( H 2 , M 1 ) . Then you 2 ) for ( q 1/2 ) 3 values can compute ( H ′ 1 , H ′ H ′ H ′ 1 2 ( M 1 , H 1 , H 2 ) . ( Unrestricted ) Research & Development March 26, 2007

  9. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Generic Preimage Attacks The following attack is a generalization of the Knudsen-Muller attack on the schemes of Nandi et al. and uses multipreimages on one output block (or linear combination of output blocks): choose the output block (or linear combination of output blocks) maximiz- ing β ′ 1 ( q ) and compute the corresponding images for the output block for the inputs matching the preimage one is looking for, make the addi- tional queries to compute the full image by h � β ′ � 1 ( q ) 1 ( q ) = Ω ( n2 n ) . as soon as β ′ achieves advantage Ω 2 cn ( Unrestricted ) Research & Development March 26, 2007

  10. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Generic Collision Attacks We describe two possible collision attacks (which one is the better may de- pend of the construction): � � c ( q ) 2 β ′ naïve one: compute β ′ c ( q ) hashes (advantage: Ω ) 2 cn multicollision on one output block: choose the output block (or linear combination of output blocks) max- imizing β ′ 1 ( q ) and compute the corresponding images for the output block order the “collision classes” by decreasing order and look into them for a full collision � qβ ′ � 1 ( q ) 1 ( q ) = Ω ( n2 n ) . as soon as β ′ achieves advantage Ω 2 cn ( Unrestricted ) Research & Development March 26, 2007

  11. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Security Bounds We obtain the following bounds for the advantage of any adversary limited to q queries: � β ′ � 1 ( q ) Adv pre h ( q ) = O 2 cn � β ′ 1 ( q ) 2 � Adv coll ( q ) = O h 2 cn Idea of the proof: condition the probability of success of the adversary on the probability of success for a single output block. For the full proof, please see the paper. ( Unrestricted ) Research & Development March 26, 2007

  12. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Summing Up the Results Lower Bound Upper Bound � β ′ � � β ′ � Preimage Resistance 1 ( q ) 1 ( q ) Ω O 2 cn 2 cn c ( q ) 2 ,qβ ′ 1 ( q ) 2 Collision Resistance Ω � max ( β ′ � � β ′ � 1 ( q )) O 2 cn 2 cn The analysis is tight in the case of preimage resistance: it is characterized by the parameter β ′ 1 ( q ) . Things are more complex for collision resistance: the analysis is tight only in some particular cases. ( Unrestricted ) Research & Development March 26, 2007

  13. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Application to Previously Proposed Schemes ( M 1 , H 1 , H 2 ) Nandi et al. scheme N1 1 ( q ) = q 2 and β ′ H 1 M 1 H 1 H 2 H 2 M 1 2 ( q ) ≃ q 3/2 For this scheme, β ′ f (1) f (2) f (3) Lower Bound Upper Bound � � � � Preimage Resistance q 2 q 2 Ω O 2 2n 2 2n � � � � Collision Resistance q 3 q 4 Ω O 2 2n 2 2n H ′ H ′ 1 2 ( Unrestricted ) Research & Development March 26, 2007

  14. Intro Framework Computability Attacks Bounds Recap Applications Algo Conclusion Application to Previously Proposed Schemes ( M 1 , H 1 , H 2 ) Peyrin et al. scheme PGMR1 1 ( q ) ≃ q 3/2 and H 1 H 2 H 2 M 1 M 1 H 1 ⊕ H 2 H 1 M 1 H 1 H 2 For this scheme, β ′ 2 ( q ) ≃ q 3/2 β ′ f (1) f (2) f (3) f (4) f (5) Lower Upper Bound Bound � � � � Preimage q 3/2 q 3/2 Ω O 2 2n 2 2n Resistance H ′ H ′ 1 2 � � � � Collision q 3 q 3 Ω O 2 2n 2 2n Resistance ( Unrestricted ) Research & Development March 26, 2007

Recommend


More recommend