From Indifferentiability to Constructive Cryptography (and Back)
The concept of indifferentiability of systems, a generalized form of indistinguishability, was proposed in 2004 to provide a simplified and generalized explanation of impossibility results like the non-instantiability of random oracles by hash functions due to Canetti, Goldreich, and Halevi (STOC 1998). But indifferentiability is actually a constructive notion, leading to possibility results. For example, Coron et al. (Crypto 2005) argued that the soundness of the construction of a hash function from a compression function can be demonstrated by proving that is indifferentiable from a random oracle if is an ideal random compression function.
The purpose of this short paper is to describe how the indifferentiability notion was a precursor to the theory of constructive cryptography and thereby to provide a simplified and generalized treatment of indifferentiability as a special type of constructive statement.
Post-quantum security of hash functions
The research covered in this thesis is dedicated to provable post-quantum security of hash functions. Post-quantum security provides security guarantees against quantum attackers. We focus on analyzing the sponge construction, a cryptographic construction used in the standardized hash function SHA3. Our main results are proofs of a number of quantum security statements. These include standard-model security (collision-resistance and collapsingness) and more idealized notions such as indistinguishability and indifferentiability from a random oracle. All these results concern quantum security of classical cryptosystems. From a more high-level perspective, we find new applications of, and generalize, several important proof techniques in post-quantum cryptography. We use the polynomial method to prove quantum indistinguishability of the sponge construction. We also develop a framework for quantum game-playing proofs, using the recently introduced techniques of compressed random oracles and the One-way-To-Hiding lemma. To establish the usefulness of the new framework, we also prove a number of quantum indifferentiability results for other cryptographic constructions. On the way to these results, we address an open problem concerning quantum indifferentiability. Namely, we disprove a conjecture that forms the basis of a no-go theorem for a version of quantum indifferentiability.
Sequential Indifferentiability of Confusion-Diffusion Networks
A large proportion of modern symmetric cryptographic building blocks are designed using Substitution-Permutation Networks (SPNs), or more generally, Shannon's confusion-diffusion paradigm. To justify its theoretical soundness, Dodis et al. (EUROCRYPT 2016) recently introduced the theoretical model of confusion-diffusion networks, which may be viewed as keyless SPNs using random permutations as S-boxes and combinatorial primitives as permutation layers, and established provable security in the plain indifferentiability framework of Maurer, Renner, and Holenstein (TCC 2004).
We extend this work and consider Non-Linear Confusion-Diffusion Networks (NLCDNs), i.e., networks using non-linear permutation layers, in weaker indifferentiability settings. As the main result, we prove that 3-round NLCDNs achieve the notion of sequential indifferentiability of Mandal et al. (TCC 2012). We also exhibit an attack against 2-round NLCDNs, which shows the tightness of our positive result on 3 rounds. It implies correlation intractability of 3-round NLCDNs, a notion strongly related to known-key security of block ciphers and secure hash functions. Our results provide additional insights into understanding the complexity of known-key security, as well as into using the confusion-diffusion paradigm for designing cryptographic hash functions.
Synchronous Constructive Cryptography
This paper proposes a simple synchronous composable security framework as an instantiation of the Constructive Cryptography framework, aiming to capture minimally, without unnecessary artefacts, exactly what is needed to state synchronous security guarantees. The objects of study are specifications (i.e., sets) of systems, and traditional security properties like consistency and validity can naturally be understood as specifications, thus unifying composable and property-based definitions. The framework's simplicity is in contrast to current composable frameworks for synchronous computation, which are built on top of an asynchronous framework (e.g. the UC framework), thus not only inheriting artefacts and complex features used to handle asynchronous communication, but adding additional overhead to capture synchronous communication.
As a second, independent contribution, we demonstrate how secure (synchronous) multi-party computation protocols can be understood as constructing a computer that allows a set of parties to perform an arbitrary, on-going computation. An interesting aspect is that the instructions of the computation need not be fixed before the protocol starts but can also be determined during an on-going computation, possibly depending on previous outputs.
Query-Complexity Amplification for Random Oracles
Increasing the computational complexity of evaluating a hash function, both for the honest users as well as for an adversary, is a useful technique employed for example in password-based cryptographic schemes to impede brute-force attacks, and also in so-called proofs of work (used in protocols like Bitcoin) to show that a certain amount of computation was performed by a legitimate user. A natural approach to adjust the complexity of a hash function is to iterate it times, for some parameter , in the hope that any query to the scheme requires evaluations of the underlying hash function. However, results by Dodis et al. (Crypto 2012) imply that plain iteration falls short of achieving this goal, and designing schemes which provably have such a desirable property remained an open problem.
This paper formalizes explicitly what it means for a given scheme to amplify the query complexity of a hash function. In the random oracle model, the goal of a secure query-complexity amplifier (QCA) scheme is captured as transforming, in the sense of indifferentiability, a random oracle allowing queries (for the adversary) into one provably allowing only queries. Turned around, this means that making queries to the scheme requires at least queries to the actual random oracle. Second, a new scheme, called collision-free iteration, is proposed and proven to achieve -fold QCA for both the honest parties and the adversary, for any fixed parameter.
Towards Understanding the Known-Key Security of Block Ciphers
Known-key distinguishers for block ciphers were proposed by Knudsen and Rijmen at ASIACRYPT 2007 and have been a major research topic in cryptanalysis since then. A formalization of known-key attacks in general is known to be difficult. In this paper, we tackle this problem for the case of block ciphers based on ideal components such as random permutations and random functions, and we also propose new generic known-key attacks on generalized Feistel ciphers. We introduce the notion of known-key indifferentiability to capture the security of such block ciphers under a known key. To show its meaningfulness, we prove that the known-key attacks on block ciphers with ideal primitives to date violate security under known-key indifferentiability. On the other hand, to demonstrate its constructiveness, we prove the balanced Feistel cipher with random functions and the multiple Even-Mansour cipher with random permutations known-key indifferentiable for a sufficient number of rounds. We note that known-key indifferentiability is more quickly and tightly attained by multiple Even-Mansour, which puts it forward as a construction provably secure against known-key attacks.
Domain Extension of Public Random Functions: Beyond the Birthday Barrier
A public random function is a random function that is accessible by all parties, including the adversary. For example, a (public) random oracle is a public random function . The natural problem of constructing a public random oracle from a public random function (for some ) was first considered at Crypto 2005 by Coron et al., who proved the security of variants of the Merkle-Damgård construction against adversaries issuing up to queries to the construction and to the underlying compression function. This bound is less than the square root of , the number of random bits contained in the underlying random function.
In this paper, we investigate domain extenders for public random functions approaching optimal security. In particular, for all and all functions and (polynomial in ), we provide a construction which extends a public random function to a function with time-complexity polynomial in and and which is secure against adversaries which make up to queries. A central tool for achieving high security are special classes of unbalanced bipartite expander graphs with small degree. The achievability of practical (as opposed to complexity-theoretic) efficiency is proved by a non-constructive existence proof.
Combined with the iterated constructions of Coron et al., our result leads to the first iterated construction of a hash function from a component function that withstands all recently proposed generic attacks against iterated hash functions, like Joux's multi-collision attack, Kelsey and Schneier's second-preimage attack, and Kelsey and Kohno's herding attacks.