PRF Domain Extension using DAGs

Charanjit Jutla

IBM T J Watson

f f f f

P1 P2 P3 Pm

V1 V2 V3 Vm

n bits to mn bits domain

tilde-f

V1

V2

V4

V3

V5

P1 P2 P3 P5P4

f f f

f

f C

Requirements on the DAG

• Directed Acyclic Graph G = (V,E)

• |V| = m

• Unique source and sink nodes

• G is non-redundant– no two nodes have the same set of immediate

predecessors

Then, PRF Domain Extension to mn bits

V1

V2

V4

V3

V5

P1 P2 P3 P5P4

f f f

f

f

A Parallel Mode for Four Processors

In general, 3+log* m depth

Really Basic Intuition

• C_i = f ( P_i xor XOR<j,i> in E C_ j )

• Call M_i = P_i xor XOR<j,i> in E C_ j

• M_i is input to node V_i

• Can two such M_i1 and M_i2 collide?– i1= i2 ::: hopefully plaintexts are different???– i1 \=i2

XOR<j,i1> C_ j ?= XOR<j,i2> C_ j

Using Galois Field GF(2^n)

• XOR<j,i1> C_ j ?= XOR<j,i2> C_ j

• XOR<j,i1> a_{j,i1}*C_ j ?=

XOR<j,i2> a_{j,i2}*C_ j

Edge-Colored DAGs

• Directed Acyclic Graph G = (V,E)• |V| = m• Edge Coloring ψ: E GF(2^n)*• Unique sink node• G is non-singular

– If two nodes (say u and v) have the same set of immediate predecessors (say W), then exists w \in W :: ψ(w,u) \= ψ(w,v)

Then, PRF Domain Extension to mn bits

A Parallel Mode for Four Processors

*x

*x^2

*(1+x)

*1

PMAC [BR02] (Parallelizable Authentication Mode)

color m

PMAC [BR02] To be precise….

color m

Constant 0

Variable Length Domain Ext.

• length need not be multiple of n– naïve padding with 10^t doesn’t work– how to distinguish b/w full length and partial– UNLESS full length is authenticated differently

• [PR00], [BR00]

• naïve CBC-MAC for diff length – flawed– C1 = CBCMAC_f ( P1)– C1 = CBCMAC_f ( P1 || C1 xor P1)

Collection of DAGs

• 2 DAGs for each block len t : G_{2t} G_{2t+1}

• each DAG must have unique sink node

• each DAG must have at least t nodes

• each DAG individually non-singular– is that enough? NO

Incorrect Construction

V1 V2 V3 V4

V1 V2 V3 V4

G_i cannot be allowed to be an induced subgraph of another G_j

Define all graphs on the same set of vertices V

Requirements for VIL-PRF

• If for any pair of vertices (say u, v, u\=v) and graphs G_i and G_i’, the set of incident nodes of u in G_i and v in G_i’ are same, then at least one incident edge is colored differently.– Non-singular over all graphs

• for each graph G_i, it is not the case that there is another graph G_i’ which is identical till the “largest” node of G_i

Optimizied VIL Modecol2 col3

col4 col5

col2

1

2

3

4

5

Current Best Modecol2 col3

col4 col5

col2

1

2

3

4

5

col2 col3

Parallel VIL mode

v1

v2

v3

v2^n

color5

color6 v1

v2

v3

v2^n

color5

color6

col1

col2

col3

col4

Proof

• Most theorems involving PRF, PRP constructions, as well as Modes of Operations --- from smaller primitives ---have to tackle collisions in calls to the smaller primitive

• Modulo that, proving randomness is easy

Collisions in calls to oracle

• automatic collisions -- as in CBC-MAC• Unforced collisions• Forced collisions (adversarial, adaptive)

– can try to prove there are no forced collisions– Fix last blocks of the transrcipt – visible to A– Conditioned on this, – On Average over all possible transcripts c, same as collisions in the transcriptThus, adversary left with playing “automatic collisions”

THE END