Sequential Hashing with Minimum Padding Shoichi Hirose University - PowerPoint PPT Presentation

Sequential Hashing with Minimum Padding Shoichi Hirose University of Fukui ASK 2016 (2016/09/28-30, Nagoya) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 1 / 28

Introduction Hash function H : ⌃ ⇤ ! ⌃ n Two popular design strategies: • Compression-function-based: SHA-2 • Permutation-based: SHA-3 Construction: FIL primitive + domain extension S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 2 / 28

Strengthened MD H F IV ( M ) , where M = M 1 k M 2 k · · · k M m M m ∥ 10 * 0 * ∥ | M | M 1 M m − 1 F F F F IV Pros • Collision resistance is preserved. • Length-extension property Cons • The last message block may consist only of the padding sequence. Cons degrade e ffi ciency. S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 3 / 28

HMAC [BCK96] M ipad ∥ H K ∥ H opad • Calls H twice to prevent length-extension attacks • Not e ffi cient for short messages S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 4 / 28

Overview of the Results Domain extension scheme for sequential hashing • with minimum padding • free from length-extension Security analysis of the domain extension scheme • Collision resistance • Indi ff erentiability from a random oracle (IRO) • pseudorandom function (PRF) of keyed-via-IV mode Application to sponge construction • Indi ff erentiability from a random oracle S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 5 / 28

Minimum and Non-Injective Padding Minimum and non-injective padding is common for BC-based MAC E.g.) CMAC | M m | = block length | M m | 6 = block length M 1 M m − 1 M m M 1 M m − 1 M m ∥ 10 * 2 2 L 2 L ... ... E K E K E K E K E K E K T T • L = E K ( 0 ) • 2 L and 2 2 L are used for • preventing the length-extension • separating the domain (Padding is not injective) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 6 / 28

Minimum Padding for Sequential Hashing For sequential iteration of F : ⌃ n ⇥ ⌃ w ! ⌃ n with IV ( M if | M | > 0 and | M | ⌘ 0 (mod w ) pad ( M ) = M k 10 ⇤ if | M | = 0 or | M | 6⌘ 0 (mod w ) • Identical to the padding of CMAC, PMAC, etc. • Minimum padding sequence • Not injective S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 7 / 28

Proposed Domain Extension Scheme For message M = M 1 k M 2 k · · · k M m such that 1 | M | > 0 and | M | ⌘ 0 (mod w ) , M 1 M 2 M m − 1 M m w F F F F IV π 0 2 | M | = 0 or | M | 6⌘ 0 (mod w ) , M m ∥ 10 * M 1 M 2 M m − 1 w F F F F IV π 1 ⇡ 0 and ⇡ 1 are not cryptographic operations • Assumption: ⇡ 0 ( v ) 6 = v ^ ⇡ 1 ( v ) 6 = v ^ ⇡ 0 ( v ) 6 = ⇡ 1 ( v ) for any v • E.g.) XOR with distinct non-zero constants S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 8 / 28

Related Work (CR-Preserving Domain Extension) Merkle 1989 M m ∥ 0 * ∥ | M | M 1 M 2 M m − 1 F F F F IV • Padding-length  message-block-length + s � 1 (if | M | is in s -bit) • Admits M of bounded length, | M |  2 s � 1 Damg˚ ard 1989 1 ∥ M m ∥ 0 d 0 ∥ M 1 1 ∥ M 2 1 ∥ d F F F F IV • Padding length is O ( | M | ) • Admits M of arbitrary length S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 9 / 28

Related Work (CR-Preserving Domain Extension) Nandi 2009 M 1 M 2 M m − 1 M m ∥ 0 * ∥ | M | F F F F IV • Admits M of arbitrary length by variable length encoding of | M | • Padding-length = O (log | M | ) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 10 / 28

Su ffi x-Free-Prefix-Free Hashing [BGKZ12] M 1 M 2 M m − 1 M m F 1 F 2 F 2 F 3 V • IV is variable; without MD strengthening • Needs three CFs • F 1 provides prefix-freeness; F 3 provides su ffi x-freeness • Satisfies IRO • Assumes injective padding Cf.) 00 ∥ M 1 11 ∥ M 2 11 ∥ M m − 1 10 ∥ M m V F F F F • Padding-length = O ( | M | ) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 11 / 28

Merkle-Damg˚ ard with Permutation (MDP) [HPY07] M 1 M 2 M m − 1 M m F F F F IV π • ⇡ is not a cryptographic primitive Cf.) Ferguson, Kelsey 2001 (Comment on Draft FIPS 180-2) M 1 M 2 M m − 1 M m C F F F F IV S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 12 / 28

GCBC1 [Nandi 09] | M m | = block length | M m | 6 = block length M m ∥ 10 * M 1 M 2 M m − 1 M m M 1 M 2 M m − 1 ... ... E K E K E K E K E K E K E K E K � 1 � 2 T T • XOR with constants does not work • Requires at least two message blocks S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 13 / 28

Collision Resistance in the Standard Model Lemma Any collision pair for H F, { π 0 , π 1 } implies IV • a collision pair, • a { ⇡ 0 , ⇡ 1 } -pseudo-collision pair, or • a preimage of IV , ⇡ � 1 0 ( ⇡ 1 ( IV )) , or ⇡ � 1 1 ( ⇡ 0 ( IV )) for F Proof: Backward induction { ⇡ 0 , ⇡ 1 } -pseudo-collision pair for F : ( V, X ) and ( V 0 , X 0 ) s.t. ⇡ 0 ( F ( V, X )) = ⇡ 1 ( F ( V 0 , X 0 )) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 14 / 28

Collision Resistance in the Standard Model Theorem The collision resisntance of H F, { π 0 , π 1 } is reduced to IV • the collision resistance • the { ⇡ 0 , ⇡ 1 } -pseudo-collision resistance, and • the everywhere preimage resistance of F . Everywhere preimage resistance of h : Adv epre ( A ) = max Y 2 Y { Pr[ M A ( h ) : h ( M ) = Y ] } h S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 15 / 28

Definition of Indi ff erentiability from a Random Oracle [Maurer, Renner, Holenstein 04], [Coron, Dodis, Malinaud, Puniya 05] C F H S or A A • C is hashing mode of F • H is VIL RO • F is FIL ideal primitive • Simulator S tries to mimic F • Random oracle with access to oracle H • Ideal block cipher C F is indi ff . from VIL RO (IRO) if no e ffi cient adver A can tell apart ( C F , F ) ( H, S H ) and S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 16 / 28

Indi ff erentiability from a Random Oracle (IRO) Theorem Suppose that CF F : ⌃ n ⇥ ⌃ w ! ⌃ n is chosen uniformly at random. Then, for HF H F, { π 0 , π 1 } , there exists a simulator S of F s.t., for any IV adversary A making • at most q queries to its FIL oracle • queries to its VIL oracle which cost at most � message blocks in total, ,S ( A )  5( � + q ) 2 3 � q Adv indi ff + 2 n � 6 q + 1 , H F, { π 0 , π 1 } 2 n IV and S makes at most q queries. Secure if � + q = o (2 n/ 2 ) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 17 / 28

IRO in the Ideal Cipher Model The CF F : ⌃ n ⇥ ⌃ w ! ⌃ n is the Davies-Meyer mode of a BC E • E is chosen uniformly at random Theorem For the hash function H F, { π 0 , π 1 } , there exists a simulator S of E s.t., for IV any adversary A making • at most q e queries to its FIL encryption oracle • at most q d queries to its FIL decryption oracle • queries to its VIL oracle which cost at most � message blocks in total, ,S ( A )  12( � + q e + q d ) 2 3 � ( q e + q d ) Adv indi ff + 2 n � 6( q e + q d ) � 5 , H F, { π 0 , π 1 } 2 n IV and S makes at most q e queries. Secure if � + q e + q d = o (2 n/ 2 ) S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 18 / 28

Keyed via IV mode of H F, { π 0 , π 1 } IV For message M such that 1 | M | > 0 and | M | ⌘ 0 (mod w ) , M 1 M 2 M m − 1 M m w F F F F K π 0 2 | M | = 0 or | M | 6⌘ 0 (mod w ) , M 1 M 2 M m − 1 M m ∥ 10 * w F F F F K π 1 S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 19 / 28

PRF Security Theorem Let A be any adversary against KIV mode of H F, { π 0 , π 1 } : IV • A runs in time at most t and makes at most q queries • The length of each query is at most ` w Then, there exists an adversary B against F such that Adv prf ( A )  ` q Adv prf-rka { id , π 1 , π 2 } ,F ( B ) . H F, { π 0 , π 1 } IV B runs in time at most t + O ( ` qT F ) and makes at most q queries. H F, { π 0 , π 1 } is PRF ( = F is PRF against { id , ⇡ 1 , ⇡ 2 } -restricted RKAs S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 20 / 28

Definition of PRF A keyed function f : K ⇥ D ! R is PRF ( = f K is indistinguishable from uniform random function ⇢ : D ! R • Secret key K 2 K is chosen uniformly at random • Adversary makes queries to f K or ⇢ x Adversary Oracle R ( x ) R is f K or ⇢ A R . . . � � Pr[ A f K = 1] � Pr[ A ρ = 1] � Adv prf f ( A ) = � � � S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 21 / 28

PRF against Related Key Attacks f : K ⇥ D ! R is PRF against -restricted RKAs if f is indistinguishable from uniform random keyed function ⇢ : K ⇥ D ! R • is a set of related-key deriving functions • Secret key K 2 K is chosen uniformly at random • Adversary makes queries to f ψ ( K ) or ⇢ ψ ( K ) for any 2 ψ , x Adversary Oracle R ψ ( K ) ( x ) R 2 { f, ⇢ } A R, K 2 . . . � � Adv prf-rka � Pr[ A ( f ψ ( K ) ) ψ ∈ Ψ = 1] � Pr[ A ( ρ ψ ( K ) ) ψ ∈ Ψ = 1] ( A ) = � � Ψ ,f � S. Hirose (Univ. Fukui) Hashing with Minimum Padding ASK 2016 (2016/09/30) 22 / 28