Posted on 04-Jan-2016

Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6

Yevgeniy Dodis, Leonid Reyzin, Ronald L. Rivest, Emily Shen

MD6 Hash Function

• One of earliest announced SHA-3 candidates

• Presented by Rivest at CRYPTO ’08

Mode of Operation MD6^f: variable input length (VIL), specified output length d

Compression Function f: fixed input length (FIL), 4-to-1 compression

MD6 Compression Function f

[Figure: f prepends const (15 words) and key, aux data (8+2 words) to the 64-word data block, giving 89 words; the 1-1 map π takes 89 words to 89 words; Chop keeps 16 words (= 64/4, the 4-to-1 compression).]

MD6 Mode of Operation

[Figure: tree of calls to f, nodes labelled (level, index) such as (2,0), (2,1), (1,9); the root node has z = 1 (“root bit”) and its output is chopped to d bits; leaf nodes may be partially filled or empty.]

Analyzing Mode of Operation

General approach: if compression function f is “secure”, then mode of operation MD6^f is “secure”. E.g.,

• f collision-resistant ⇒ MD6^f collision-resistant
• f preimage-resistant ⇒ MD6^f preimage-resistant
• f PRF ⇒ MD6^f PRF

Is this enough?

(Crutchfield)

Random-Oracle-Like Behavior

• Random oracles (ROs) used to prove security of: signatures, CCA encryption, ZK, etc.
• RO in theory ↔ hash function in practice
• When is this secure?
• f is a FIL-RO ⇒ MD6^f is a VIL-RO?

Security Notion: Indistinguishability

• f and MD6^f are fixed public functions…

[Figure: distinguisher D queries either MD6^f or a VIL-RO G and must decide which.]

• Variant notion of indistinguishability: D has access to inner component
• Indifferentiability: simulator S s.t. left/right indistinguishable to any D
• Note: not a symmetric relationship

Indifferentiability (Maurer et al. ‘04)

[Figure: D interacts either with (MD6^C, FIL-RO C) or with (VIL-RO G, simulator S) and must decide which.]

• Theorem (Maurer et al.): if H is indifferentiable from RO, then any cryptosystem proven with RO is secure when RO is replaced by H
• How do we apply this to MD6?
  – View f as RO
  – Prove MD6^f is indifferentiable from RO
  – Conclude MD6^f may safely be plugged into applications that require VIL-RO (viewing f as RO)

Our Results and Interpretation

• Our result: MD6^RO is indifferentiable from RO
• More generally: any* tree-based mode of operation using FIL-RO is indifferentiable from VIL-RO

What does this mean?

• MD6 mode of operation is safe for use as RO
• Gives confidence that mode of operation is well-built
• Pushes RO assumption one level down – from MD6 to f

Can we push RO assumption even further down? Stay tuned…

* Requirements of Mode of Operation

• Deterministic tree structure (wrt calls to f)
• Unique parsing of f-inputs into
  – metadata
  – raw data
  – f-outputs
  [Figure: level > 0 (non-leaf): metadata, f-output 1, f-output 2, f-output 3, f-output 4; level = 0 (leaf): metadata, raw data]
• Root predicate (z = 1)
• Final output processing – regular, invertible* function (Chop to d bits)
• Message reconstructibility

Simulator

[Figure: D interacts either with (MD6^C, FIL-RO C) or with (VIL-RO G, simulator S).]

• On a query x:
  – Previously seen? Repeat the answer.
  – Non-root query (z = 0)? Random answer.
  – Root query (z = 1)?
    • Reconstruct M s.t. x is final query. If not possible, random answer.
    • Consult G on M.
    • Return random answer consistent with G(M).
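The simulator above written out as runnable Python, as an added example that is not code from the slides or from MD6 itself: a toy MD6-like tree mode with the arity reduced to 2 and word sizes scaled down to bytes, a lazily sampled random oracle standing in for C and G, and a simulator S that repeats seen answers, answers non-root queries at random, and on a root query reconstructs M from its own earlier answers and programs the chopped part of the reply to G(M). The sizes and the metadata layout (level, index, z, n) are assumptions chosen so that f-inputs parse uniquely and M is reconstructible.

```python
import os
CHUNK, OUT, D = 8, 16, 8   # constructed toy sizes: leaf bytes, f-output bytes, chopped digest bytes

def lazy_oracle(table, key, n):
    """Lazily sampled random function (stands in for the FIL-RO C or the VIL-RO G)."""
    return table.setdefault(key, os.urandom(n))

def tree_mode(f, M):
    """Toy MD6-like mode: binary tree over CHUNK-byte leaves; f-input metadata = (level, index, z, n)."""
    chunks = [M[i:i + CHUNK] for i in range(0, len(M), CHUNK)] or [b""]
    level, nodes = 0, [(len(c), c.ljust(CHUNK, b"\x00")) for c in chunks]
    while True:
        z = 1 if len(nodes) == 1 else 0                     # root bit
        outs = [f((level, i, z, n), p) for i, (n, p) in enumerate(nodes)]
        if z:
            return outs[0][:D]                              # final processing: chop to D bytes
        nodes = [(len(outs[i:i + 2]), b"".join(outs[i:i + 2])) for i in range(0, len(outs), 2)]
        level += 1

class Simulator:
    """S from the slides: answers f-queries so that the mode stays consistent with G."""
    def __init__(self, G):
        self.G, self.seen, self.inv = G, {}, {}             # inv: f-output -> the query that produced it
    def reconstruct(self, meta, payload):
        """Message reconstructibility: walk down through earlier queries; raises if impossible."""
        level, idx, _, n = meta
        if level == 0:
            return payload[:n]                              # leaf: the n raw data bytes
        qs = [self.inv[payload[j * OUT:(j + 1) * OUT]] for j in range(n)]   # KeyError if never seen
        if any(q[0][:2] != (level - 1, 2 * idx + j) for j, q in enumerate(qs)):
            raise ValueError("child output sits in the wrong tree position")
        return b"".join(self.reconstruct(*q) for q in qs)
    def f(self, meta, payload):
        key = (meta, payload)
        if key in self.seen:                                # previously seen? repeat the answer
            return self.seen[key]
        ans = os.urandom(OUT)                               # non-root query (z = 0): random answer
        if meta[2] == 1:                                    # root query (z = 1)
            try:
                ans = self.G(self.reconstruct(meta, payload)) + ans[D:]   # consistent with G(M)
            except (KeyError, ValueError):
                pass                                        # M not reconstructible: stay random
        self.seen[key], self.inv[ans] = ans, key
        return ans

def check_consistency(M):
    g_table = {}
    S = Simulator(lambda m: lazy_oracle(g_table, m, D))
    return tree_mode(S.f, M) == lazy_oracle(g_table, M, D)   # what D would try first
```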

Proof Sketch

• Sequence of games to transform “ideal” game (D interacts with G, S) into “real” game (D interacts with MD6^C, C)
• Define 3 types of “bad” events (S-collisions and “lucky guesses” by D)
• If no bad events, D’s view identical
• Probability of bad events is negligible
• Therefore, D’s distinguishing advantage is at most negligible

Pushing RO Assumption to Compression Function Level

[Figure: MD6 compression function f, as above: const (15 words), key, aux data (8+2 words) and the 64-word data block prepended into 89 words; 1-1 map π (89 words to 89 words); Chop to 16 words.]

• View π as random permutation
• Prove f indifferentiable from FIL-RO
• Similar proof techniques

• f indifferentiable from FIL-RO (viewing π as random)
• MD6^f indifferentiable from VIL-RO (viewing f as FIL-RO)

⇒ MD6^f indifferentiable from VIL-RO (viewing π as random)

Conclusion

• Proved: indifferentiability of MD6 mode of operation (viewing compression function as RO)
• Result is quite general, applies to many sensible tree-modes (including other SHA-3 candidates, sequential modes)
• Proved: indifferentiability of MD6 compression function (viewing π as random permutation)

Interpretation:

• MD6 mode of operation does not have structural weaknesses
• MD6 mode of operation can be used as RO (assuming random permutation)