Results 1-10 of 19
Careful with composition: Limitations of the indifferentiability framework
EUROCRYPT 2011, volume 6632 of LNCS, 2011
Cited by 20 (1 self)
We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function non-malleability, key-dependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiability-style composition theorem covering such multi-stage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosen-distribution attack security (which requires a multi-stage game) of some important public-key encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton.
Security Reductions of the Second Round SHA-3 Candidates
Cited by 15 (4 self)
Abstract. In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 14 candidates are left in the second round. An important criterion in the selection process is the SHA-3 hash function security and more concretely, the possible security reductions of the hash function to the security of its underlying building blocks. While some of the candidates are supported with firm security reductions, for most of the schemes these results are still incomplete. In this paper, we compare the state of the art provable security reductions of the second round candidates. We discuss all SHA-3 candidates at a high functional level, and analyze and summarize the security reduction results. Surprisingly, we derive some security bounds from the literature, which the hash function designers seem to be unaware of. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.
Towards Understanding the Known-Key Security of Block Ciphers
Cited by 5 (0 self)
Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions as well as propose new generic known-key attacks on generalized Feistel ciphers. We introduce the notion of known-key indifferentiability to capture the security of such block ciphers under a known key. To show its meaningfulness, we prove that the known-key attacks on block ciphers with ideal primitives to date violate security under known-key indifferentiability. On the other hand, to demonstrate its constructiveness, we prove the balanced Feistel cipher with random functions and the multiple Even-Mansour cipher with random permutations known-key indifferentiable for a sufficient number of rounds. We note that known-key indifferentiability is more quickly and tightly attained by multiple Even-Mansour which puts it forward as a construction provably secure against known-key attacks.
Resource-Restricted Indifferentiability
Cited by 4 (1 self)
Abstract. The notion of indifferentiability was introduced in [27] and in [14] it was tailored for security analysis of hash function constructions, making indifferentiability from a random oracle the desired property for any hash function design. However, the widely accepted view that a construction enjoying such a proof with an underlying ideal compression function can replace the random oracle in any application without compromising security is not justified in certain settings, as pointed out recently in [29]. In this paper we argue that one general reason for such a failure is the inflexibility of the indifferentiability notion with respect to more complex restrictions on resources (such as memory, randomness) available to the attacker: Typically, the distinguisher and the simulator in an indifferentiability statement are only required to be PPT algorithms, implicitly posing a polynomial restriction also on the resources available to them. We argue that this is not sufficient in certain scenarios and explain why this is the problem underlying the security breakdown described in [29]. We present a systematic treatment of such settings by proposing a more fine-grained notion of memory-aware reducibility that is necessary in contexts where memory is the resource that requires a more detailed quantification. We employ this new formalism to prove a lower bound on the memory required by any simulator in a domain extension construction of a public random function. Our results imply that if we restrict to simulators without
Improved Indifferentiability Security Bound for the JH Mode
Dustin Moody
Cited by 3 (0 self)
Indifferentiability security of a hash mode of operation guarantees the mode's resistance against all (meaningful) generic attacks. It is also useful to establish the security of protocols that use hash functions as random functions. The JH hash function is one of the five finalists in the ongoing NIST SHA-3 hash function competition. Despite several years of analysis, the indifferentiability security of the JH mode (with n-bit digest and 2n-bit permutation) has remained remarkably low, only at n/3 bits (FSE 2010), while the other four finalist modes, with comparable parameter values, offer a security guarantee of n/2 bits. In this paper, we improve the indifferentiability security bound for the JH mode to n/2 bits (e.g. from 171 to 256 bits when n = 512). To put this into perspective, our result guarantees the absence of attacks on both JH-256 and JH-512 hash functions with time less than approximately 2^256 computations of the underlying 1024-bit permutation, under the assumption that the basic permutation is structurally strong. Our bounds are optimal for JH-256, and the best, so far, for JH-512. We obtain this improved bound by establishing an isomorphism of certain query-response graphs through a careful design of the simulators and the bad events. Our experimental data strongly supports the theoretically obtained results.
Impossibility Results for Indifferentiability with Resets
Cited by 2 (0 self)
Abstract. The indifferentiability framework of Maurer, Renner, and Holenstein (MRH) has gained immense popularity in recent years and has proved to be a powerful way to argue security of cryptosystems that enjoy proofs in the random oracle model. Recently, however, Ristenpart, Shacham, and Shrimpton (RSS) showed that the composition theorem of MRH has a more limited scope than originally thought, and that extending its scope required the introduction of reset-indifferentiability, a notion which no practical domain extenders satisfy with respect to random oracles. In light of the results of RSS, we set out to rigorously tackle the specifics of indifferentiability and reset-indifferentiability by viewing the notions as special cases of a more general definition. Our contributions are twofold. Firstly, we provide the necessary formalism to refine the notion of indifferentiability regarding composition. By formalizing the definition of stage-minimal games we expose new notions lying in between regular indifferentiability (MRH) and reset-indifferentiability (RSS). Secondly, we answer the open problem of RSS by showing that it is impossible to build any domain extender which is reset-indifferentiable from a random oracle. This result formally confirms the intuition that reset-indifferentiability is too strong of a notion to be satisfied by any hash function. As a consequence we look at the weaker notion of single-reset-indifferentiability, yet there as well we demonstrate that there are no "meaningful" domain extenders which satisfy this notion. Not all is lost though, as we also view indifferentiability in a more general setting and point out the possibility for different variants of indifferentiability.
On Security Arguments of the Second Round SHA-3 Candidates
Int. J. Inf. Sec.
Cited by 2 (1 self)
and Technology (NIST) announced a call for the design of a new cryptographic hash algorithm in response to vulnerabilities like differential attacks identified in existing hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. 14 candidates were left in the second round, out of which 5 candidates have been recently chosen for the final round. An important criterion in the selection process is the SHA-3 hash function security. We identify two important classes of security arguments for the new designs: (1) the possible reductions of the hash function security to the security of its underlying building blocks, and (2) arguments against differential attacks on building blocks. In this paper, we compare the state of the art provable security reductions for the second round candidates, and review arguments and bounds against classes of differential attacks. We discuss all the SHA-3 candidates at a high functional level, analyze and summarize the security reduction results and bounds against differential attacks. Additionally, we generalize the well-known proof of collision resistance preservation, such that all SHA-3 candidates with a suffix-free padding are covered.
Verifiable Security of Merkle-Damgård
2012
Cited by 2 (1 self)
Abstract. Cryptographic hash functions provide a basic data authentication mechanism and are used pervasively as building blocks to realize many cryptographic functionalities, including block ciphers, message authentication codes, key exchange protocols, and encryption and digital signature schemes. Since weaknesses in hash functions may imply vulnerabilities in the constructions that build upon them, ensuring their security is essential. Unfortunately, many widely used hash functions, including SHA-1 and MD5, are subject to practical attacks. The search for a secure replacement is one of the most active topics in the field of cryptography. In this paper we report on the first machine-checked and independently-verifiable proofs of collision-resistance and indifferentiability of Merkle-Damgård, a construction that underlies many existing hash functions. Our proofs are built and verified using an extension of the EasyCrypt framework, which relies on state-of-the-art verification tools such as automated theorem provers, SMT solvers, and interactive proof assistants.
Security Analysis and Comparison of the SHA-3 Finalists
Cited by 1 (1 self)
Abstract. In 2007, the US National Institute for Standards and Technology announced a call for the design of a new cryptographic hash algorithm in response to the vulnerabilities identified in widely employed hash functions, such as MD5 and SHA-1. NIST received many submissions, 51 of which got accepted to the first round. At present, 5 candidates are left in the third round of the competition. An important criterion in the selection process is the SHA-3 hash function security and more concretely, the possible reductions of the hash function security to the security of its underlying building blocks. At NIST's second SHA-3 Candidate Conference 2010, Andreeva et al. provided a provable security classification of the second round SHA-3 candidates in the ideal model. In this work, we revisit this classification for the five SHA-3 finalists. We evaluate recent provable security results on the candidates, and resolve remaining open problems for Grøstl, JH, and Skein.
Prepared at the Verimag laboratory, Ecole Doctorale Mathématiques, Sciences et Technologies de
Formalization of concrete security proofs. Thesis publicly defended on 12 January 2012, before a jury composed of: