
Dan Boneh

Collision resistance
Introduction

Online Cryptography Course                                        Dan Boneh

Recap: message integrity
So far, four MAC constructions:
    ECBC-MAC, CMAC      : commonly used with AES (e.g. 802.11i)      \
    NMAC                : basis of HMAC (this segment)                |  PRFs
    PMAC                : a parallel MAC                              /
    Carter-Wegman MAC   : built from a fast one-time MAC             -- randomized MAC

This module: MACs from collision resistance.
Collision Resistance
Let H: M → T be a hash function   ( |M| >> |T| )
A collision for H is a pair m0, m1 ∈ M such that:
    H(m0) = H(m1)  and  m0 ≠ m1

A function H is collision resistant if for all (explicit) "eff" algs. A:
    Adv_CR[A,H] = Pr[ A outputs collision for H ]
is neg.

Example: SHA-256 (outputs 256 bits)
MACs from Collision Resistance
Let I = (S,V) be a MAC for short messages over (K,M,T)   (e.g. AES)
Let H: M_big → M

Def: I_big = (S_big, V_big) over (K, M_big, T) as:
    S_big(k,m) = S(k, H(m))   ;   V_big(k,m,t) = V(k, H(m), t)

Thm: If I is a secure MAC and H is collision resistant
     then I_big is a secure MAC.

Example: S(k,m) = AES_2-block-CBC(k, SHA-256(m)) is a secure MAC.
MACs from Collision Resistance
Collision resistance is necessary for security:
    Suppose adversary can find m0 ≠ m1 s.t. H(m0) = H(m1).
    Then: S_big is insecure under a 1-chosen msg attack
        step 1: adversary asks for t ← S(k, m0)
        step 2: output (m1, t) as forgery

    (recall: S_big(k, m) = S(k, H(m))   ;   V_big(k, m, t) = V(k, H(m), t))
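The two slides above, I_big = (S_big, V_big) built from a short-message MAC and the 1-chosen-message forgery when H is not collision resistant, as an added example that is not part of the lecture. The short-message MAC S is assumed to be HMAC-SHA256 over the digest (the slide uses an AES-based CBC-MAC); H_toy, SHA-256 truncated to 8 bits, is a constructed stand-in for a hash that is not collision resistant, so the birthday search for a collision finishes after a few dozen hashes:

```python
import hashlib
import hmac
import secrets

# Added example, not the lecture's code. Assumption: the short-message MAC I=(S,V)
# is HMAC-SHA256 over a short input (the slide uses AES 2-block CBC-MAC instead).

def S(key: bytes, short_msg: bytes) -> bytes:
    """Short-message MAC S(k, x)."""
    return hmac.new(key, short_msg, hashlib.sha256).digest()

def V(key: bytes, short_msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(S(key, short_msg), tag)

def H_secure(m: bytes) -> bytes:
    """Collision-resistant H: SHA-256, 256-bit output."""
    return hashlib.sha256(m).digest()

def H_toy(m: bytes) -> bytes:
    """Constructed, deliberately NOT collision resistant: SHA-256 cut to 8 bits."""
    return hashlib.sha256(m).digest()[:1]

def S_big(key: bytes, m: bytes, H) -> bytes:
    """S_big(k, m) = S(k, H(m)): MAC for long messages."""
    return S(key, H(m))

def V_big(key: bytes, m: bytes, tag: bytes, H) -> bool:
    """V_big(k, m, t) = V(k, H(m), t)."""
    return V(key, H(m), tag)

def find_collision(H):
    """Birthday search for m0 != m1 with H(m0) == H(m1). Only practical for H_toy."""
    seen = {}
    counter = 0
    while True:
        m = b"msg-%d" % counter            # distinct constructed messages
        t = H(m)
        if t in seen:
            return seen[t], m
        seen[t] = m
        counter += 1

def forgery_from_collision(key: bytes, H, m0: bytes, m1: bytes) -> bool:
    """The slide's attack: one query t = S_big(k, m0), then output (m1, t).
    Returns whether the forgery verifies, which happens iff H(m0) == H(m1)."""
    t = S_big(key, m0, H)                    # step 1: the single chosen-message query
    return m0 != m1 and V_big(key, m1, t, H)  # step 2: (m1, t) as forgery

def attack_toy_hash() -> bool:
    key = secrets.token_bytes(16)
    m0, m1 = find_collision(H_toy)
    return forgery_from_collision(key, H_toy, m0, m1)   # True: I_big broken

def attack_without_collision() -> bool:
    """With SHA-256 no collision is available; replaying t on another message fails."""
    key = secrets.token_bytes(16)
    return forgery_from_collision(key, H_secure, b"msg-0", b"msg-1")   # False
```

The verifier here compares tags with hmac.compare_digest, which matters for the timing discussion at the end of this module; the forgery succeeds purely because S_big never sees anything of m beyond H(m).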
Protecting file integrity using C.R. hash
Software packages F1, F2, ..., Fn (each with a package name);
the hashes H(F1), H(F2), ..., H(Fn) are published in a read-only public space.

When user downloads package, can verify that contents are valid
    H collision resistant  ⇒  attacker cannot modify package without detection
    no key needed (public verifiability), but requires read-only space
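An added example (not from the lecture) of the manifest scheme on this slide, with constructed in-memory "packages": the publisher stores H(F_i) per package name, the client recomputes the hash of what it downloaded, and the last function shows why the manifest must be read-only, since an attacker who can rewrite it simply publishes the hash of the modified package:

```python
import hashlib

# Added example, not the lecture's code. Packages and names below are constructed.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_manifest(packages: dict) -> dict:
    """Publisher side: name -> H(F_i). In deployment this lives in read-only public space."""
    return {name: H(contents) for name, contents in packages.items()}

def verify_package(manifest: dict, name: str, downloaded: bytes) -> bool:
    """Client side: no key involved (public verifiability). Security rests on H being
    collision resistant AND on the manifest copy the client reads being unmodifiable."""
    expected = manifest.get(name)
    return expected is not None and H(downloaded) == expected

PACKAGES = {                                   # constructed sample packages
    "libfoo-1.2.tar": b"\x7fELF... libfoo contents (constructed)",
    "bartool-0.9.tar": b"#!/bin/sh\necho bar   # constructed",
}
MANIFEST = build_manifest(PACKAGES)

def check_genuine() -> bool:
    return verify_package(MANIFEST, "libfoo-1.2.tar", PACKAGES["libfoo-1.2.tar"])

def check_tampered() -> bool:
    """A modified download is detected: finding a same-hash package means a collision."""
    return verify_package(MANIFEST, "libfoo-1.2.tar", PACKAGES["libfoo-1.2.tar"] + b"\x00")

def check_writable_manifest() -> bool:
    """If the attacker can also overwrite the manifest, verification proves nothing:
    this is the 'requires read-only space' condition on the slide."""
    evil = PACKAGES["libfoo-1.2.tar"] + b"\x00"
    rewritten = dict(MANIFEST)
    rewritten["libfoo-1.2.tar"] = H(evil)
    return verify_package(rewritten, "libfoo-1.2.tar", evil)
```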
End of Segment

Collision resistance
Generic birthday attack
Generic attack on C.R. functions
Let H: M → {0,1}^n be a hash function   ( |M| >> 2^n )
Generic alg. to find a collision in time O(2^{n/2}) hashes

Algorithm:
    1. Choose 2^{n/2} random messages in M:  m1, ..., m_{2^{n/2}}   (distinct w.h.p.)
    2. For i = 1, ..., 2^{n/2} compute  t_i = H(m_i) ∈ {0,1}^n
    3. Look for a collision (t_i = t_j). If not found, go back to step 1.

How well will this work?
The birthday paradox
Let r1, ..., rn ∈ {1,...,B} be indep. identically distributed integers.

Thm: when n = 1.2 × B^{1/2}  then  Pr[ ∃ i≠j: r_i = r_j ] ≥ 1/2

Proof: (for uniform indep. r1, ..., rn)

[plot: collision probability against the number of samples n, for B = 10^6]
Generic attack
H: M → {0,1}^n.  Collision finding algorithm:
    1. Choose 2^{n/2} random elements in M:  m1, ..., m_{2^{n/2}}
    2. For i = 1, ..., 2^{n/2} compute  t_i = H(m_i) ∈ {0,1}^n
    3. Look for a collision (t_i = t_j). If not found, go back to step 1.

Expected number of iterations ≈ 2

Running time: O(2^{n/2})    (space O(2^{n/2}))
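The birthday bound and the generic attack of the last three slides, as an added example that is not part of the lecture. It computes Pr[∃ i≠j: r_i = r_j] exactly and with the 1 − e^{−n²/2B} approximation behind the 1.2·B^{1/2} rule, and runs the three-step algorithm on a toy n-bit hash (SHA-256 truncated to n bits, an assumption made so the search is instant); each pass hashes 2^{n/2} messages and succeeds with probability about 1 − e^{−1/2} ≈ 0.39, so only a few passes are needed, as the slide says:

```python
import hashlib
import math
import random

# Added example, not the lecture's code. The toy hash is SHA-256 truncated to n bits.

def p_collision_exact(B: int, n: int) -> float:
    """Pr[some r_i = r_j] for n uniform samples from {1..B}: 1 - prod_{i<n} (1 - i/B)."""
    p_no = 1.0
    for i in range(n):
        p_no *= 1.0 - i / B
    return 1.0 - p_no

def p_collision_approx(B: int, n: int) -> float:
    """1 - exp(-n^2 / 2B), the approximation used in the proof sketch."""
    return 1.0 - math.exp(-n * n / (2.0 * B))

def birthday_sample_size(B: int) -> int:
    """n = 1.2 * B^{1/2} (rounded up), the slide's threshold for Pr >= 1/2."""
    return math.ceil(1.2 * math.sqrt(B))

def toy_hash(n_bits: int):
    """H: M -> {0,1}^n realised as the top n bits of SHA-256 (toy, for demonstration)."""
    def H(m: bytes) -> int:
        return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - n_bits)
    return H

def generic_collision(H, n_bits: int, rng: random.Random):
    """The slide's algorithm. Returns (m_i, m_j, number_of_passes)."""
    k = 2 ** (n_bits // 2)                           # 2^{n/2} messages per pass
    passes = 0
    while True:                                      # step 3: retry until found
        passes += 1
        seen = {}                                    # t -> m, space O(2^{n/2})
        for _ in range(k):                           # steps 1 and 2
            m = rng.getrandbits(64).to_bytes(8, "big")
            t = H(m)
            if t in seen and seen[t] != m:           # collision t_i == t_j
                return seen[t], m, passes
            seen[t] = m

def mean_passes(n_bits: int, trials: int, seed: int = 1) -> float:
    """Average number of passes over several runs (expected ~1/0.39, i.e. a few)."""
    rng = random.Random(seed)
    H = toy_hash(n_bits)
    return sum(generic_collision(H, n_bits, rng)[2] for _ in range(trials)) / trials
```

For B = 10^6 the exact probability at n = 1200 is about 0.513, matching the slide's plot; p_collision_exact(2**256, 2**128) is of course never computed directly, which is the point of the 2^{n/2} estimate in the table that follows.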
Sample C.R. hash functions:  Crypto++ 5.6.0  [ Wei Dai ]
AMD Opteron, 2.2 GHz  (Linux)

    function      digest size (bits)    Speed (MB/sec)    generic attack time
    SHA-1               160                  153               2^80       *
    SHA-256             256                  111               2^128
    SHA-512             512                   99               2^256
    Whirlpool           512                   57               2^256

    (SHA-1, SHA-256, SHA-512: NIST standards)

* best known collision finder for SHA-1 requires 2^51 hash evaluations
Quantum Collision Finder
                                         Classical algorithms    Quantum algorithms
    Block cipher  E: K × X → X
        exhaustive search                    O( |K| )              O( |K|^{1/2} )
    Hash function  H: M → T
        collision finder                     O( |T|^{1/2} )        O( |T|^{1/3} )

End of Segment

Collision resistance
The Merkle-Damgard Paradigm
Collision resistance: review
Let H: M → T be a hash function   ( |M| >> |T| )
A collision for H is a pair m0, m1 ∈ M such that:
    H(m0) = H(m1)  and  m0 ≠ m1

Goal: collision resistant (C.R.) hash functions

Step 1: given C.R. function for short messages,
        construct C.R. function for long messages
The Merkle-Damgard iterated construction
Given h: T × X → T (compression function)
we obtain H: X^{≤L} → T.      H_i - chaining variables
PB: padding block

    IV (fixed) = H0 --h--> H1 --h--> H2 --h--> H3 --h--> H4 = H(m)
                     ^         ^         ^         ^
                   m[0]      m[1]      m[2]    m[3] || PB

    PB = 1000...0 || msg len      (msg len: 64 bits)
    If no space for PB, add another block
MD collision resistance
Thm: if h is collision resistant then so is H.
Proof: collision on H  ⇒  collision on h
Suppose H(M) = H(M'). We build collision for h.
    IV = H0 , H1 , ... , H_t , H_{t+1}  = H(M)
    IV = H0', H1', ... , H'_r, H'_{r+1} = H(M')

    h( H_t, M_t || PB ) = H_{t+1} = H'_{r+1} = h( H'_r, M'_r || PB' )

Suppose H_t = H'_r and M_t = M'_r and PB = PB'
Then:  h( H_{t-1}, M_{t-1} ) = H_t = H'_t = h( H'_{t-1}, M'_{t-1} )

To construct C.R. function,
suffices to construct compression function

End of Segment

Collision resistance
Constructing Compression Functions
The Merkle-Damgard iterated construction
Thm: h collision resistant  ⇒  H collision resistant

Goal: construct compression function h: T × X → T

    IV (fixed) --h--> --h--> --h--> --h--> H(m)
                  ^      ^      ^      ^
                m[0]   m[1]   m[2]   m[3] || PB
Compr. func. from a block cipher
E: K × {0,1}^n → {0,1}^n a block cipher.
The Davies-Meyer compression function:   h(H, m) = E(m, H) ⊕ H

    H_i  ──> E (keyed by m_i) ──> ⊕ ──> H_{i+1}
    H_i  ─────────────────────────^

Thm: Suppose E is an ideal cipher (collection of |K| random perms.).
     Finding a collision h(H,m) = h(H',m') takes O(2^{n/2}) evaluations of (E,D).
Best possible !!

Suppose we define  h(H, m) = E(m, H)

Then the resulting h(.,.) is not collision resistant:
to build a collision (H,m) and (H',m')
choose random (H,m,m') and construct H' as follows:
    H' = D(m', E(m,H))
    H' = E(m', D(m,H))
    H' = E(m', E(m,H))
    H' = D(m', D(m,H))
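Davies-Meyer and the feed-forward-free variant of the quiz above, as an added example that is not part of the lecture. The block cipher is a constructed 4-round Feistel network on 64-bit blocks whose round function is SHA-256 (an assumption so the example runs with the standard library; it is not a real cipher and says nothing about AES or SHACAL-2). With h(H, m) = E(m, H) alone, anyone can pick (H, m, m') and compute H' = D(m', E(m, H)), since h(H', m') = E(m', D(m', E(m, H))) = E(m, H); the ⊕ H feed-forward in Davies-Meyer is what stops that, because the attacker then needs E(m', H') ⊕ H' = E(m, H) ⊕ H with H' on both sides:

```python
import hashlib

# Added example, not the lecture's code. E/D form a toy Feistel cipher (constructed).

N = 8   # block size in bytes, n = 64 bits

def _F(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function for the toy cipher: SHA-256 of key || round || half, cut to 4 bytes."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:N // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, x: bytes) -> bytes:
    """Toy 4-round Feistel encryption: for each key, a permutation on {0,1}^64."""
    L, R = x[:N // 2], x[N // 2:]
    for rnd in range(4):
        L, R = R, _xor(L, _F(key, rnd, R))
    return L + R

def D(key: bytes, y: bytes) -> bytes:
    """Inverse of E: undo the rounds in reverse order."""
    L, R = y[:N // 2], y[N // 2:]
    for rnd in reversed(range(4)):
        L, R = _xor(R, _F(key, rnd, L)), L
    return L + R

def davies_meyer(H: bytes, m: bytes) -> bytes:
    """h(H, m) = E(m, H) xor H: the message block is used as the cipher key."""
    return _xor(E(m, H), H)

def no_feedforward(H: bytes, m: bytes) -> bytes:
    """h(H, m) = E(m, H) with the feed-forward dropped: NOT collision resistant."""
    return E(m, H)

def miyaguchi_preneel(H: bytes, m: bytes) -> bytes:
    """h(H, m) = E(m, H) xor H xor m, as written on the next slide."""
    return _xor(_xor(E(m, H), H), m)

def collide_no_feedforward(H: bytes, m: bytes, m2: bytes):
    """For h(H, m) = E(m, H): H2 = D(m2, E(m, H)) gives h(H2, m2) == h(H, m)
    for any choice of (H, m, m2), i.e. one decryption per collision."""
    return D(m2, E(m, H)), m2
```

The same (H', m') pair fed to davies_meyer does not collide with (H, m); finding a Davies-Meyer collision is back to the birthday cost of the theorem on the slide.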
Other block cipher constructions
Miyaguchi-Preneel:   h(H, m) = E(m, H) ⊕ H ⊕ m     (Whirlpool)
                     h(H, m) = E(H⊕m, m) ⊕ m
                     total of 12 variants like this

Other natural variants are insecure:
    h(H, m) = E(m, H) ⊕ m      (HW)

Let E: {0,1}^n × {0,1}^n → {0,1}^n for simplicity
Case study: SHA-256
    Merkle-Damgard function
    Davies-Meyer compression function
    Block cipher: SHACAL-2

        512-bit key (message block) ──> SHACAL-2 ──> 256-bit block
        256-bit block (chaining input) ──^
Provable compression functions
Choose a random 2000-bit prime p and random 1 < u, v < p .

For m, h ∈ {0,...,p-1} define   h(H, m) = u^H · v^m   (mod p)

Fact: finding collision for h(.,.) is as hard as
      solving "discrete-log" modulo p.

Problem: slow.
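The reduction behind the "as hard as discrete log" fact on this slide, as an added example that is not part of the lecture, with a toy 31-bit prime in place of the 2000-bit one. A collision u^H · v^m = u^H' · v^m' gives u^(H−H') = v^(m'−m); writing v = u^x that is H − H' ≡ x·(m' − m) (mod p−1), so whenever m' − m is invertible mod p−1 the collision hands over x = log_u(v). The collision in the demo is manufactured by someone who already knows x (only way to get one at any size); the recovery function sees nothing but the colliding pairs:

```python
import math

# Added example, not the lecture's code. P and the generator u = 7 are toy choices
# (the slide uses a random 2000-bit prime); 7 is a primitive root modulo 2^31 - 1.

P = 2_147_483_647      # 2^31 - 1, prime (constructed toy size)

def h_dl(u: int, v: int, H: int, m: int, p: int = P) -> int:
    """The slide's compression function h(H, m) = u^H * v^m (mod p)."""
    return (pow(u, H, p) * pow(v, m, p)) % p

def make_collision_knowing_dlog(x: int, H: int, m: int, d: int, p: int = P):
    """Someone who knows x = log_u(v) can collide at will: shift m by d and H by -x*d,
    because u^(H - x d) * v^(m + d) = u^(H + x m). Requires gcd(d, p-1) == 1 for the demo."""
    assert math.gcd(d, p - 1) == 1
    return (H, m), ((H - x * d) % (p - 1), m + d)

def dlog_from_collision(H: int, m: int, H2: int, m2: int, p: int = P) -> int:
    """Given any collision (H, m) != (H2, m2) with m2 - m invertible mod p-1,
    return log_u(v) mod p-1: x = (H - H2) * (m2 - m)^{-1}."""
    diff = (m2 - m) % (p - 1)
    if math.gcd(diff, p - 1) != 1:
        raise ValueError("m2 - m not invertible mod p-1; candidates would need enumerating")
    return ((H - H2) * pow(diff, -1, p - 1)) % (p - 1)

def demo(u: int = 7, x: int = 123_456_789):
    """Returns (collision verified, recovered x == secret x)."""
    v = pow(u, x, P)
    (H, m), (H2, m2) = make_collision_knowing_dlog(x, H=42, m=99, d=5)
    collides = (H, m) != (H2, m2) and h_dl(u, v, H, m) == h_dl(u, v, H2, m2)
    return collides, dlog_from_collision(H, m, H2, m2) == x % (P - 1)
```

The two modular exponentiations per 2000-bit block are why the slide ends with "Problem: slow"; they cost orders of magnitude more than one SHACAL-2 call.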
End of Segment

Collision resistance
HMAC: a MAC from SHA-256

The Merkle-Damgard iterated construction
Thm: h collision resistant  ⇒  H collision resistant

Can we use H(.) to directly build a MAC?

    IV (fixed) --h--> --h--> --h--> --h--> H(m)
                  ^      ^      ^      ^
                m[0]   m[1]   m[2]   m[3] || PB
MAC from a Merkle-Damgard Hash Function
H: X^{≤L} → T a C.R. Merkle-Damgard Hash Function
Attempt #1:   S(k, m) = H( k || m )
This MAC is insecure because:
    Given H( k || m ) can compute H( k || m || PB || w ) for any w.
    Given H( k || m ) can compute H( k || m || w ) for any w.
    Given H( k || m ) can compute H( w || k || m || PB ) for any w.
    Anyone can compute H( k || m ) for any m.
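One toy Merkle-Damgard hash serving three of the slides above, as an added example that is not part of the lecture: the iterated construction with its padding block (1000...0 || 64-bit length, new block when PB does not fit), the proof's reduction that turns a collision on H into a collision on h by walking both chains back, and the property that breaks S(k, m) = H(k || m), namely that whoever holds H(k || m) and len(k || m) can resume the chain and compute H(k || m || PB || w). The compression function h(H, m) = first 3 bytes of SHA-256(H || m) is an assumption chosen so that an H-collision is found in a few thousand hashes; nothing here reflects SHA-256's internals:

```python
import hashlib

# Added example, not the lecture's code. Toy parameters: 64-bit blocks, 24-bit chaining state.

BLOCK = 8        # bytes per message block, X = {0,1}^64
STATE = 3        # bytes of chaining variable, T = {0,1}^24 (toy, brute-forceable)
IV = b"\x00" * STATE

def h(H: bytes, block: bytes) -> bytes:
    """Compression function h: T x X -> T (constructed from SHA-256, truncated)."""
    return hashlib.sha256(H + block).digest()[:STATE]

def pad(m: bytes) -> bytes:
    """PB = 0x80 00..00 || 64-bit big-endian length; spills into a new block if needed."""
    p = m + b"\x80"
    while (len(p) + 8) % BLOCK:
        p += b"\x00"
    return p + len(m).to_bytes(8, "big")

def chain(m: bytes):
    """Chaining variables [H0=IV, H1, ..., H_t] and the padded blocks that produced them."""
    p = pad(m)
    blocks = [p[i:i + BLOCK] for i in range(0, len(p), BLOCK)]
    Hs = [IV]
    for b in blocks:
        Hs.append(h(Hs[-1], b))
    return Hs, blocks

def H(m: bytes) -> bytes:
    return chain(m)[0][-1]

def h_collision_from_H_collision(M: bytes, M2: bytes):
    """The MD theorem's proof: from M != M2 with H(M) == H(M2), step back through both
    chains while the compression inputs agree; the first disagreement is an h-collision."""
    Hs, bs = chain(M)
    Hs2, bs2 = chain(M2)
    assert M != M2 and Hs[-1] == Hs2[-1]
    i, j = len(bs) - 1, len(bs2) - 1            # last blocks; their outputs are equal
    while Hs[i] == Hs2[j] and bs[i] == bs2[j]:  # equal inputs, so previous outputs equal
        i -= 1
        j -= 1
    return (Hs[i], bs[i]), (Hs2[j], bs2[j])      # different inputs, same h output

def find_H_collision(limit: int = 1 << 20):
    """Birthday search on the toy H (~2^12 messages expected for a 24-bit state)."""
    seen = {}
    for i in range(limit):
        m = i.to_bytes(8, "big")
        t = H(m)
        if t in seen:
            return seen[t], m
        seen[t] = m
    raise RuntimeError("no collision within limit")

def length_extend(tag: bytes, known_len: int, w: bytes):
    """Given only H(k || m) and len(k || m), resume the iteration from state `tag`.
    Returns (PB || w, H(k || m || PB || w)): exactly the first quiz option above."""
    glue = pad(b"\x00" * known_len)[known_len:]                      # PB for that length
    tail = pad(b"\x00" * (known_len + len(glue)) + w)[known_len + len(glue):]
    state = tag
    for i in range(0, len(tail), BLOCK):                             # blocks of w || PB'
        state = h(state, tail[i:i + BLOCK])
    return glue + w, state
```

The length-extension function never touches k: it only needs the chain state, which attempt #1 hands out as the tag. HMAC's outer hash, on the next slide, is what removes that exposure.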
Standardized method: HMAC (Hash-MAC)
Most widely used MAC on the Internet.
H: hash function.
    example: SHA-256 ; output is 256 bits

Building a MAC out of a hash function:
    HMAC:   S( k, m ) = H( k⊕opad || H( k⊕ipad || m ) )
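The HMAC formula on this slide written out against hashlib, as an added example that is not part of the lecture, and checked against Python's hmac module and an RFC 4231 test vector. The key handling (hash a key longer than the block, zero-pad to the block size, 64 bytes for SHA-256) and the byte constants 0x36 / 0x5c for ipad / opad are the RFC 2104 details the one-line formula leaves implicit; the generic function also yields the truncated HMAC-SHA1-96 mentioned later in the segment:

```python
import hashlib
import hmac

# Added example, not the lecture's code. Follows RFC 2104 key preprocessing.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hmac_from_hash(hash_fn, key: bytes, m: bytes) -> bytes:
    """S(k, m) = H( (k xor opad) || H( (k xor ipad) || m ) ) for any hashlib constructor."""
    block_size = hash_fn().block_size              # 64 bytes for SHA-1 and SHA-256
    if len(key) > block_size:
        key = hash_fn(key).digest()                # long keys are hashed first
    key = key.ljust(block_size, b"\x00")           # then zero-padded to one block
    ipad = bytes([0x36]) * block_size
    opad = bytes([0x5c]) * block_size
    inner = hash_fn(_xor(key, ipad) + m).digest()  # H( k xor ipad || m )
    return hash_fn(_xor(key, opad) + inner).digest()

def hmac_sha256(key: bytes, m: bytes) -> bytes:
    return hmac_from_hash(hashlib.sha256, key, m)

def hmac_sha1_96(key: bytes, m: bytes) -> bytes:
    """HMAC-SHA1 truncated to 96 bits (12 bytes), the TLS-mandated variant."""
    return hmac_from_hash(hashlib.sha1, key, m)[:12]

def matches_stdlib(key: bytes, m: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return hmac.compare_digest(hmac_sha256(key, m), hmac.new(key, m, hashlib.sha256).digest())
```

Because k⊕ipad and k⊕opad each fill exactly one block, the two keyed states after the first compression are the k1, k2 of the NMAC picture on the next slide, derived from one key.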
HMAC in pictures
Similar to the NMAC PRF.
main difference: the two keys k1, k2 are dependent

    inner:  IV (fixed) --h--> --h--> --h--> --h--> inner hash
                          ^       ^      ^      ^
                       k⊕ipad   m[0]   m[1]   m[2] || PB

    outer:  IV (fixed) --h--> --h--> tag
                          ^       ^
                       k⊕opad   inner hash || PB
HMAC properties
Built from a black-box implementation of SHA-256.

HMAC is assumed to be a secure PRF
    Can be proven under certain PRF assumptions about h(.,.)
    Security bounds similar to NMAC
        need q^2/|T| to be negligible   ( q << |T|^{1/2} )

In TLS: must support HMAC-SHA1-96

End of Segment
Collision resistance
Timing attacks on MAC verification

Warning: verification timing attacks [L'09]
Example: keyczar crypto library (Python) [simplified]

    def Verify(key, msg, sig_bytes):
        return HMAC(key, msg) == sig_bytes      # '==' on strings: vulnerable as explained below

The problem: == implemented as a byte-by-byte comparison
    Comparator returns false when first inequality found
Warning: verification timing attacks [L'09]
Timing attack: to compute tag for target message m do:
    Step 1: Query server with random tag
    Step 2: Loop over all possible first bytes and query server.
            stop when verification takes a little longer than in step 1
    Step 3: repeat for all tag bytes until valid tag found

    [diagram: attacker sends (m, tag) for target msg m; server holding k answers accept or reject]
Defense #1
Make string comparator always take same time (Python) :

    def Verify(key, msg, sig_bytes):
        mac = HMAC(key, msg)
        if len(sig_bytes) != len(mac):
            return False                # reject a wrong-length tag up front
        result = 0
        for x, y in zip(mac, sig_bytes):
            result |= x ^ y             # OR in every byte difference; never exit early
        return result == 0              # (Python 3 bytes iterate as ints; Python 2 str needs ord(x) ^ ord(y))

Can be difficult to ensure due to optimizing compiler.
Defense #2
Make string comparator always take same time (Python) :

    def Verify(key, msg, sig_bytes):
        mac = HMAC(key, msg)
        return HMAC(key, mac) == HMAC(key, sig_bytes)

Attacker doesn't know values being compared
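The leak and both defenses, as an added example that is not part of the lecture and not keyczar's code. Instead of measuring wall-clock time, each comparator also returns how many bytes it examined, a deterministic stand-in for its running time: the early-exit comparator's work grows with the length of the correct prefix in the submitted tag, which is the signal described two slides up, while Defense #1 always examines every byte and Defense #2 compares two values the submitter cannot predict. The stdlib's hmac.compare_digest is the production-grade form of Defense #1:

```python
import hashlib
import hmac
import secrets

# Added example, not the lecture's code. KEY and the messages are constructed.

KEY = secrets.token_bytes(32)

def HMAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def compare_early_exit(a: bytes, b: bytes):
    """Models the naive '==': stops at the first differing byte. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    for i in range(len(a)):
        if a[i] != b[i]:
            return False, i + 1
    return True, len(a)

def compare_constant_time(a: bytes, b: bytes):
    """Defense #1: accumulate all byte differences; bytes_examined is always len(a)."""
    if len(a) != len(b):
        return False, 0
    result = 0
    for x, y in zip(a, b):
        result |= x ^ y
    return result == 0, len(a)

def verify_double_hmac(key: bytes, msg: bytes, sig: bytes) -> bool:
    """Defense #2: even an early-exit '==' now leaks prefix lengths of HMAC(key, sig),
    a value the submitter cannot relate to the bytes it chose."""
    mac = HMAC(key, msg)
    return HMAC(key, mac) == HMAC(key, sig)

def verify_stdlib(key: bytes, msg: bytes, sig: bytes) -> bool:
    """What to actually ship: the standard library's constant-time comparison."""
    return hmac.compare_digest(HMAC(key, msg), sig)

def work_profile(comparator, msg: bytes, correct_prefix_lengths):
    """Bytes examined when the submitted tag agrees with the true tag on exactly n leading
    bytes and is wrong from byte n on. A rising profile is the timing side channel."""
    true_tag = HMAC(KEY, msg)
    profile = []
    for n in correct_prefix_lengths:
        guess = true_tag[:n] + bytes(b ^ 0xFF for b in true_tag[n:])   # constructed guess
        profile.append(comparator(true_tag, guess)[1])
    return profile
```

On the early-exit comparator a tag that is right in its first n bytes costs n + 1 byte comparisons, so the profile for n = 0, 1, 5, 31 reads [1, 2, 6, 32]; on Defense #1 it is flat at 32.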
Lesson

Don't implement crypto yourself !

End of Segment
