Modeling Random Oracles under Unpredictable Queries

Size: px

Start display at page:

Download "Modeling Random Oracles under Unpredictable Queries"

Jared Lang
6 years ago
Views:

1 Modeling Random Oracles under Unpredictable Queries Pooya Farshim 1 Arno Mittelbach 2 1 ENS, CNRS & INRIA, PSL Research University, Paris, France 2 TU Darmstadt, Germany 23rd Fast Software Encryption Nordrhein-Westfalen Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 1

2 The Random-Oracle Model (ROM) Random oracles (ROs) model ideal hash functions [BR93]. In the RO model: All parties have oracle access to a uniformly chosen random function. ROs enable the security proofs of a wide range of practical and strongly secure cryptosystems: Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 2

3 The Random-Oracle Model (ROM) Random oracles (ROs) model ideal hash functions [BR93]. In the RO model: All parties have oracle access to a uniformly chosen random function. ROs enable the security proofs of a wide range of practical and strongly secure cryptosystems: encryption & signature schemes, key exchange, disk encryption,... Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 2

4 The Random-Oracle Model (ROM) Random oracles (ROs) model ideal hash functions [BR93]. In the RO model: All parties have oracle access to a uniformly chosen random function. ROs enable the security proofs of a wide range of practical and strongly secure cryptosystems: encryption & signature schemes, key exchange, disk encryption,... Reliance on ROM, although practical, is also debatable: There are uninstantiable ROM schemes [CGH98]: Enc O : Enc RO is secure but Enc H is insecure for any H. Lack of a definition formalizing RO-like behavior. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 2

5 (Very) Naïve Attempt at Modeling ROs Call a hash function IND-RO if, over a random choice of hk: H hk /RO A(hk) Adv ind-ro H,A (λ) := 2 Pr [ b = b ] 1 Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 3

6 (Very) Naïve Attempt at Modeling ROs Call a hash function IND-RO if, over a random choice of hk: H hk /RO A(hk) Adv ind-ro H,A (λ) := 2 Pr [ b = b ] 1 Clearly uninstantiable: A(hk): compute H hk (0) and compare to the oracle s answer. But observe: The attack works because the full input (hk, 0) is known to A. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 3

7 Can We Fix the Naïve Model? Let s hide hk. H hk /RO A(1 ) Adv prf H,A (λ) := 2 Pr [ b = b ] 1 We obtain PRF security: Not so useful in the context of hashing as hk is publicly available. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 4

8 Can We Fix the Naïve Model? Let s hide hk. H hk /RO A(1 ) Adv prf H,A (λ) := 2 Pr [ b = b ] 1 We obtain PRF security: Not so useful in the context of hashing as hk is publicly available. First idea: Split A: one part gets hk and the other gets oracle access. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 4

9 Modeling ROs via Split Adversaries Call the two components of A the source S and the distinguisher D: Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 5

10 Modeling ROs via Split Adversaries Call the two components of A the source S and the distinguisher D: H hk /RO x i S(1 ) L D(hk) Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 5

11 Modeling ROs via Split Adversaries Call the two components of A the source S and the distinguisher D: H hk /RO x i S(1 ) L D(hk) Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 5

12 Modeling ROs via Split Adversaries Call the two components of A the source S and the distinguisher D: H hk /RO x i S(1 ) L D(hk) Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Still uninstantiable: S leaks oracle s response on 0 via L, and D(hk) checks where it s coming from. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 5

13 Modeling ROs via Split Adversaries Call the two components of A the source S and the distinguisher D: H hk /RO x i S(1 ) L D(hk) Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Still uninstantiable: Second idea: S leaks oracle s response on 0 via L, and D(hk) checks where it s coming from. Restrict L: it must not leak any of S s queries. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 5

14 Universal Computational Extractors (UCEs) [BHK13] H hk /RO x i S(1 ) L D(hk) Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 6

15 Universal Computational Extractors (UCEs) [BHK13] H hk /RO RO x i x i S(1 ) L D(hk) S(1 ) P x 0 Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Adv pred S,P (λ) := Pr [ x {x 1,..., x n } ] Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 6

16 Universal Computational Extractors (UCEs) [BHK13] H hk /RO RO x i x i S(1 ) L D(hk) S(1 ) P x 0 Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Adv pred S,P (λ) := Pr [ x {x 1,..., x n } ] Say S is unpredictable if Adv pred S,P (λ) is negl. for all efficient P. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 6

17 Universal Computational Extractors (UCEs) [BHK13] H hk /RO RO x i x i S(1 ) L D(hk) S(1 ) P x 0 Adv uce H,S,D (λ) := 2 Pr [ b = b ] 1 Adv pred S,P (λ) := Pr [ x {x 1,..., x n } ] Say S is unpredictable if Adv pred S,P (λ) is negl. for all efficient P. Say H is UCE secure if Adv uce H,S,D (λ) is negl. for any unpredictable S. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 6

18 Applications of UCE [BHK13] UCE-secure hash functions can instantiate the RO in: Deterministic public-key encryption (D-PKE) Message-locked encryption (MLE) Selective related-key and key-dependent message security Point-function obfuscation Proofs of storage Poly-many hard-core bits OAEP, garbling schemes,... UCEs model many RO-like properties. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 7

19 Shortcomings of UCEs H hk /RO x i S(1 ) L D(hk) Three inter-related drawbacks: UCEs are not instantiable with unkeyed hash functions Queries are independent of the hash key The model does not allow for adaptive queries Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 8

20 Shortcomings of UCEs H hk /RO x i S(1 ) L D(hk) Three inter-related drawbacks: UCEs are not instantiable with unkeyed hash functions Queries are independent of the hash key The model does not allow for adaptive queries Can we overcome these? Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 8

21 Goal Note also that: Conceptually UCEs avoid the CGH attack by restricting queries to high entropy ones. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 9

22 Goal Note also that: Conceptually UCEs avoid the CGH attack by restricting queries to high entropy ones. To what extent can we build on this view of UCEs to formulate A more general framework modeling a wider class of RO-like properties for hash functions. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 9

23 Interactive Computational Extractors (ICEs) Hash b (hk, ) S(1 ) L D(hk) Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 10

24 Interactive Computational Extractors (ICEs) Hash b (hk, ) Hash b (, ) S(1 ) L D(hk) D 1 (1 ) D 2 (1 ) b 0 Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 10

25 Interactive Computational Extractors (ICEs) Hash b (hk, ) Hash b (, ) S(1 ) L D(hk) D 1 (1 ) D 2 (1 ) b 0 Unpredictability: Wrt. an RO, no P can predict a query of D 1 or D 2 : Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 10

26 Interactive Computational Extractors (ICEs) Hash b (hk, ) Hash b (, ) S(1 ) L D(hk) D 1 (1 ) D 2 (1 ) b 0 Unpredictability: Wrt. an RO, no P can predict a query of D 1 or D 2 : x $ P(View(D i )) st. x Qrys(D 1 ) Qrys(D 2 ), where View(D i ) := Everything that D i sees = Coins(D i ) + InLeakage(D i ) + Hash values. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 10

27 Example Application: RKA Security Recall the Black Rogaway Shrimpton [BRS03] encryption scheme: Enc H (K, M; R) := ( R, H(K R) M ) Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 11

28 Example Application: RKA Security Recall the Black Rogaway Shrimpton [BRS03] encryption scheme: Enc H (K, M; R) := ( R, H(K R) M ) This was shown to be KDM secure in the ROM, where Adversary gets to see: Enc(K, f (K )). Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 11

29 Example Application: RKA Security Recall the Black Rogaway Shrimpton [BRS03] encryption scheme: Enc H (K, M; R) := ( R, H(K R) M ) This was shown to be KDM secure in the ROM, where Adversary gets to see: Enc(K, f (K )). We establish its RKA (and KDM) security without ROs, where Adversary gets to see: Enc(f (K ), M). Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 11

30 Example Application: RKA Security Recall the Black Rogaway Shrimpton [BRS03] encryption scheme: Enc H (K, M; R) := ( R, H(K R) M ) This was shown to be KDM secure in the ROM, where Adversary gets to see: Enc(K, f (K )). We establish its RKA (and KDM) security without ROs, where Theorem Adversary gets to see: Enc(f (K ), M). The BRS scheme is RKA secure against split functions: f : K 1 K 2 f 1 (K 1 ) f 2 (K 2 ) if H is ICE secure. (As we ll see, this implies RKA security in ROM.) Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 11

31 Example Application: RKA Security Recall the Black Rogaway Shrimpton [BRS03] encryption scheme: Enc H (K, M; R) := ( R, H(K R) M ) This was shown to be KDM secure in the ROM, where Adversary gets to see: Enc(K, f (K )). We establish its RKA (and KDM) security without ROs, where Theorem Adversary gets to see: Enc(f (K ), M). The BRS scheme is RKA secure against split functions: f : K 1 K 2 f 1 (K 1 ) f 2 (K 2 ) if H is ICE secure. (As we ll see, this implies RKA security in ROM.) Full RKA: Via a new ICE notion (see upcoming full version). Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 11

32 Other Applications All applications of UCEs: Non-adaptive RKA/KDM security Point function obfuscation Message-locked encryption,... Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 12

33 Other Applications All applications of UCEs: Non-adaptive RKA/KDM security Point function obfuscation Message-locked encryption,... Semi-adaptive split KDM security of the BRS scheme Correlated-input hashing Foundational primitives: (weak) PRFs, Randomness extractors, One-way security for polynomial regularity,... Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 12

34 Feasibility I: VIL-ROM Why consider this question at all? Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 13

35 Feasibility I: VIL-ROM Why consider this question at all? No generic attacks: the ICE model is structurally sound Enables a layered approach to security analysis: one first proves security under ICEs, and then applies ROM feasibility. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 13

36 Feasibility I: VIL-ROM Why consider this question at all? No generic attacks: the ICE model is structurally sound Enables a layered approach to security analysis: one first proves security under ICEs, and then applies ROM feasibility. Theorem H RO (hk, M) := RO(hk M) is ICE secure against computationally unpredictable (D 1, D 2 ). Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 13

37 Feasibility II: FIL-ROM Let s look at HMAC/NMAC: Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 14

38 Feasibility II: FIL-ROM Let s look at HMAC/NMAC: Claim: HMAC is ICE secure in the FIL-ROM. Proof: HMAC is indifferentiable from RO, and RO is ICE secure. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 14

39 Feasibility II: FIL-ROM Let s look at HMAC/NMAC: Claim: HMAC is ICE secure in the FIL-ROM. Proof: HMAC is indifferentiable from RO, and RO is ICE secure. Not true! ICE is a multi-staged and indifferentiability can fail in these settings [RSS11]. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 14

40 Feasibility II: FIL-ROM Let s look at HMAC/NMAC: Claim: HMAC is ICE secure in the FIL-ROM. Proof: HMAC is indifferentiable from RO, and RO is ICE secure. Not true! ICE is a multi-staged and indifferentiability can fail in these settings [RSS11]. Indeed, there are ICE attacks on HMAC via chain completion. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 14

41 Feasibility II: Zipper Hash Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 15

42 Feasibility II: Zipper Hash Theorem The Keyed & Chopped Zipper Hash above is ICE secure against Hash b(hk, ) hk D 1(1 ) D 2(1 ) b 0 Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 15

43 Feasibility II: Zipper Hash Theorem The Keyed & Chopped Zipper Hash above is ICE secure against Hash b(hk, ) hk D 1(1 ) D 2(1 ) b 0 Sufficient for many applications, including split RKA security. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 15

44 Feasibility II: Zipper Hash Theorem The Keyed & Chopped Zipper Hash above is ICE secure against Hash b(hk, ) hk D 1(1 ) D 2(1 ) b 0 Sufficient for many applications, including split RKA security. Shows multi-pass hash functions can provide extra security over their single-pass counterparts. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 15

45 What about Full ICE in FIL-ROM? Consider a message M := [m 1, m 2 ] [m }{{} 3, m 4 ] [m }{{} 2n 1, m 2n ] }{{} M 1 M 2 M n Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 16

46 What about Full ICE in FIL-ROM? Consider a message M := [m 1, m 2 ] [m }{{} 3, m 4 ] [m }{{} 2n 1, m 2n ] }{{} M 1 M 2 Construct all half-block pairs: M n M :=[m 1, m 2 ] [m 1, m 3 ] [m 1, m 2n ] [m 2, m 3 ] [m 2, m 4 ] [m 2, m 2n ] [m 3, m 4 ] [m 2n 1, m 2n ] Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 16

47 What about Full ICE in FIL-ROM? Consider a message M := [m 1, m 2 ] [m }{{} 3, m 4 ] [m }{{} 2n 1, m 2n ] }{{} M 1 M 2 Construct all half-block pairs: Now define: M n M :=[m 1, m 2 ] [m 1, m 3 ] [m 1, m 2n ] [m 2, m 3 ] [m 2, m 4 ] [m 2, m 2n ] [m 3, m 4 ] [m 2n 1, m 2n ] MixHash h (hk, M) := HMAC h (0, hk M). Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 16

48 What about Full ICE in FIL-ROM? Consider a message M := [m 1, m 2 ] [m }{{} 3, m 4 ] [m }{{} 2n 1, m 2n ] }{{} M 1 M 2 Construct all half-block pairs: Now define: Conjecture M n M :=[m 1, m 2 ] [m 1, m 3 ] [m 1, m 2n ] [m 2, m 3 ] [m 2, m 4 ] [m 2, m 2n ] [m 3, m 4 ] [m 2n 1, m 2n ] MixHash h (hk, M) := HMAC h (0, hk M). MixHash is fully ICE secure in the FIL-ROM. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 16

49 Final Thoughts What this talk was about: Hash b (, ) A new security model capturing many RO-like properties. D 1 (1 ) D 2 (1 ) b 0 Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 17

50 Final Thoughts What this talk was about: Hash b (, ) A new security model capturing many RO-like properties. D 1 (1 ) D 2 (1 ) b 0 Future directions: What s the most general model for RO-like behavior? In particular, are there extensions that get us up to full KDM security? Weakening assumptions: domain/range extenders for ICEs. Are ICEs instantiable in the standard-model? Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 17

51 Final Thoughts What this talk was about: Hash b (, ) A new security model capturing many RO-like properties. D 1 (1 ) D 2 (1 ) b 0 Future directions: What s the most general model for RO-like behavior? In particular, are there extensions that get us up to full KDM security? Weakening assumptions: domain/range extenders for ICEs. Are ICEs instantiable in the standard-model? Thank you. Pooya Farshim (ENS) Unpredictable ROM 23rd FSE 17

The Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)

The Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT) The Magic of ELFs Mark Zhandry Princeton University (Work done while at MIT) Prove this secure: Enc(m) = ( TDP(r), H(r) m ) (CPA security, many- bit messages, arbitrary TDP) Random Oracles Random Oracle