Non-Malleable Hash Functions
FORMACRYPT, 2007
Alexandra Boldyreva
David Cash
Marc Fischlin
Bogdan Warinschi
Bogdan Warinschi, Formacrypt meeting 2007
► Non-Malleability
Intuition
Being given an instance f(x) does not help to find f(x*) for a related x*
► Non-Malleability
Example 1
given the encryption C1 = Enc(PK,M) it should be hard to construct an encryption C2 of M xor 11....1
Example 2
given a commitment Com(X,N), with N an unknown random nonce
it should be hard to construct a commitment Com(X+1000,N) for the same N
► Non-Malleability
Well studied for encryption, commitments, zero-knowledge
– Definitions
– Constructions
– Applications
How about hash functions?
► Non-malleable hash functions
Motivation
Definition
Construction
Applications
► Motivation: soundness of the random oracle model
Modelling:
– in the RO model, hash functions are accessed in a black-box way (by both honest parties and the adversary)
– are truly random functions
Advantages:
– enable security proofs for very efficient primitives/protocols for which we have no other security proofs
► Motivation: soundness of the random oracle model
Disadvantages:
Can RO be instantiated with standard hash functions in a way that preserves the security proof?
– In general the answer is NO (the RO model is provably unsound)
– For some schemes it may be possible to replace a random oracle H with a standard hash function
– What if security of the scheme uses non-malleability of random oracles?
► Motivation: soundness of the random oracle model
Enc(PK,M)=( RSA(PK,r), r xor M )
► Motivation: soundness of the random oracle model
Enc(PK,M)=( RSA(PK,r), G(r) xor M )
► Motivation: soundness of the random oracle model
Enc(PK,M)=( RSA(PK,r), G(r) xor M , H(r||M))
– Assume that H is such that given H(r||M) it is possible to construct H(r||M xor 11...1);
– Then Enc is malleable: from Enc(PK,M) it is possible to construct Enc(PK, M xor 11....1)
– A security-preserving instantiation of H with an actual hash function would require H to be non-malleable
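The scheme on this slide, written out as an added example (not code from the talk): with a malleable H the ciphertext can be transformed into a valid encryption of M xor 11...1, and the same transformation is rejected when H is SHA-256. Assumptions: textbook RSA over two small Mersenne primes, SHA-256 standing in for G, and CRC-32 as the malleable H, chosen because it is affine over GF(2).

```python
import hashlib
import secrets
import zlib

# Constructed toy parameters (textbook RSA, far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
RLEN, MLEN = 4, 8                      # byte lengths of r and M (assumed)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G(r: bytes) -> bytes:              # mask generator, SHA-256 stand-in
    return hashlib.sha256(b"G" + r).digest()[:MLEN]

def h_crc(data: bytes) -> bytes:       # malleable H: CRC-32 is affine
    return zlib.crc32(data).to_bytes(4, "big")

def h_sha(data: bytes) -> bytes:       # H instantiated with SHA-256
    return hashlib.sha256(b"H" + data).digest()

def enc(m: bytes, H):
    """Enc(PK,M) = ( RSA(PK,r), G(r) xor M, H(r||M) )."""
    r = secrets.token_bytes(RLEN)
    c1 = pow(int.from_bytes(r, "big"), E, N)
    return c1, xor(G(r), m), H(r + m)

def dec(ct, H):
    """Recover r and M, then reject unless the third component matches."""
    c1, c2, c3 = ct
    r = pow(c1, D, N).to_bytes(RLEN, "big")
    m = xor(G(r), c2)
    return m if H(r + m) == c3 else None

def maul(ct):
    """Candidate Enc(PK, M xor 11...1), built without knowing r or M.

    For equal-length inputs crc(a xor b) = crc(a) xor crc(b) xor crc(0...0),
    so the tag of r||(M xor 1...1) follows from the tag of r||M.
    """
    c1, c2, c3 = ct
    ones = b"\xff" * MLEN
    delta = xor(h_crc(bytes(RLEN) + ones), h_crc(bytes(RLEN + MLEN)))
    return c1, xor(c2, ones), xor(c3[:4], delta) + c3[4:]

if __name__ == "__main__":
    m = b"PAY 0100"                    # constructed sample plaintext
    print(dec(maul(enc(m, h_crc)), h_crc))   # M xor 11...1, accepted
    print(dec(maul(enc(m, h_sha)), h_sha))   # None, rejected
```

The SHA-256 run shows only that this one transformation fails; it is not evidence that SHA-256 meets the non-malleability definition.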
► Motivation: soundness of formal analysis
In symbolic analysis hash functions are non-malleable:
– the Dolev-Yao adversary can construct H(M) only if it knows M
– The attack where from H(A,N) for unknown nonce N the adversary constructs H(B,N) is not possible in the DY world
To ensure that all attacks in the cryptographic model are captured by the Dolev-Yao adversary, the attack above should not be possible in the real world
► Non-malleable hash functions
Motivation
Definitions
Construction
Applications
► Definition (sketch)
Adv experiment:
– sample x ← X
– compute y ← H(x)
– let (T,y*) ← Adv(y)
– let x* ← T(x)
– success iff H(x*) = y*, y ≠ y* and R(x,x*) = 1
Sim experiment:
– sample x ← X
– let x* ← Sim()
– success iff R(x,x*) = 1
Defining Non-Malleable Hash Functions
Definition: H is non-malleable w.r.t. distribution X iff
Prob [ Adv succeeds ] ≈ Prob [ Sim succeeds ]
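The two experiments of the definition sketch, run against a deliberately malleable hash, as an added example (not code from the talk). Assumptions: X is uniform over 4-byte strings, H is CRC-32, and R(x,x*) = 1 iff x* is the bitwise complement of x; the function names are illustrative.

```python
import secrets
import zlib

N = 4                                   # input length in bytes (assumed toy size)
ONES = b"\xff" * N

def H(x: bytes) -> int:
    """Toy hash: CRC-32, affine over GF(2) and therefore malleable."""
    return zlib.crc32(x)

def complement(x: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, ONES))

def R(x: bytes, x_star: bytes) -> bool:
    """Relation: x* = x xor 11...1."""
    return x_star == complement(x)

def adv(y: int):
    """Sees only y = H(x); returns (T, y*) via crc(a^b) = crc(a)^crc(b)^crc(0)."""
    y_star = y ^ zlib.crc32(ONES) ^ zlib.crc32(bytes(N))
    return complement, y_star

def sim() -> bytes:
    """Gets no hash value at all, so it can only guess x*."""
    return secrets.token_bytes(N)

def adv_experiment() -> bool:
    x = secrets.token_bytes(N)          # sample x <- X
    y = H(x)                            # compute y <- H(x)
    T, y_star = adv(y)                  # (T, y*) <- Adv(y)
    x_star = T(x)                       # x* <- T(x)
    return H(x_star) == y_star and y != y_star and R(x, x_star)

def sim_experiment() -> bool:
    x = secrets.token_bytes(N)          # sample x <- X
    return R(x, sim())                  # x* <- Sim()

def success_rate(experiment, trials: int = 2000) -> float:
    return sum(experiment() for _ in range(trials)) / trials

if __name__ == "__main__":
    print("Prob[Adv succeeds] ~", success_rate(adv_experiment))
    print("Prob[Sim succeeds] ~", success_rate(sim_experiment))
```

Adv succeeds in every trial while Sim succeeds with probability 2^-32 per trial, so the two probabilities are far apart and this H fails the definition for this X and R.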
► Non-malleable hash functions
Motivation
Definitions
Construction
Applications
► Construction (Part I)
Necessary: H(x) must not leak information about x
Idea: use Canetti's perfectly one-way hash functions
Definition: (probabilistic) hash function h is POWHF w.r.t. X and aux iff
(h(x), aux(x)) (h(x'), aux(x))
for x,x' ← X
Constructing Non-Malleable Hash Functions
► Construction (Part II)
Even if H(x) hides all information about x, the function H may still be malleable
Idea: append a (ssNIZK) proof of knowledge of x
When an adversary given y=H(x) outputs y*, then he must know some x* such that H(x*)=y*, and he had no information on x: the only relations between x and x* that hold are trivial (and can be easily satisfied by a simulator)
► Construction (Putting things together)
Theorem (sketch):
Let h be POWHF w.r.t. X and aux, let (Gen,Prover,Verifier) be ssNIZKPoK. Then
H(x) = ( h(x), )
where ← Prover(crs,x,h(x))
is non-malleable w.r.t. X and aux.
(solution not really efficient, rather feasibility result)
► Non-malleable hash functions
Motivation
Definitions
Construction
Applications
► Message Authentication via H(k||m)
H(k||m) is a secure MAC for secret key k if
• H is a random oracle, or
• H is a pseudorandom function
We show that H(k||m) is a secure MAC if H is non-malleable
Security means: an adversary who sees H(k,m1),H(k,m2),...,H(k,mn) cannot compute H(k,m) for m different from m1, m2,...,mn
Application to Message Authentication
► Message Authentication via H(k||m) (Proof intuition)
Consider an adversary A who after seeing H(k||m) manages to output a forgery (m’,H(k||m’))
Construct adversary B against non-malleability:
– on input H(k||m) the adversary runs A internally and obtains (m’,H(k||m’))
– output H(k||m’) and T(k||x)=k||m’
Consider the relation R(x||y,z||w)=1 if x=z. Then the adversary B satisfies the relation, since R(k||m,k||m’) = 1
► Instantiating random oracles
Enc(PK,M)=( RSA(PK,r), G(r) xor M , H(r||M))
If ( RSA(PK,r), G(r) xor M , H(r||M)) is the challenge ciphertext, we argue in the proof that the adversary cannot query its decryption oracle on the ciphertext ( RSA(PK,r), G(r) xor M' , H(r||M'))
The security proof is still in the random oracle model
► Soundness of formal analysis of hash functions
Ongoing work
Some problems:
– general soundness only in the trusted parameters model (NIZK proof systems use a common reference string which needs to be generated honestly)
– POWHFs are not known to exist for arbitrary distributions
► Conclusion
Motivation (Interesting, useful)
Definitions
Construction (POWHF+ssNIZKPoK)
Applications (MAC, Encryption)