Hardness Assumptions Related to AdHoc Constructions - PowerPoint PPT Presentation

Slides: 20
Provided by: shaih
Learn more at: https://www.iacr.org

Transcript and Presenter's Notes


1
Hardness Assumptions Related to Ad-Hoc Constructions
  • Shai Halevi
  • February 22, 2007

2
Ad-hoc constructions
  • Hash functions: MD5, SHA-x, RIPEMD, WHIRLPOOL,
    RadioGatún, …
  • Block ciphers: DES, IDEA, RC5/6, Twofish, AES,
    Camellia, …
  • Stream ciphers: RC4, A5/x, MUGI, Py, Rabbit,
    SEAL, Trivium, …
  • Often consist of a basic function and a mode
    of operation around it

3
What conjectures to make?
  • We know very little about the true hardness of
    these ad hoc constructions
  • Use conjectures to fill some of the void
  • The more the merrier
  • Only two requirements:
    • Can be used to do something interesting
    • Not known to be false
    • Sometimes we even compromise on this

Let you prove interesting theorems
4
Standard conjectures
  • Block ciphers: strong PRP
  • Hash functions: many, many things
    • Collision-resistant, 2nd pre-image resistant,
      one-way, UOWHF (TCR)
    • PRF, MAC (when keyed)
    • Also others: hard to find a pre-image of zero, hard
      to find almost-collisions, hard to find
      fixed-points, division-intractability, …

5
Unholy conjectures
  • Random oracles, ideal ciphers
  • What the customer wants: this is how people who
    build applications think of these constructs
  • E.g., what's wrong with E_k(k)?
  • "You proved that this is not a random oracle.
    That's your problem, not ours."
  • Unfortunately they have a point

6
Theory, anyone?
  • Modes of operation
  • Relations between notions
  • Weak random oracles
  • And beyond

7
Modes of operation
  • View constructs as a black box
  • Results are meaningful even for idealized ciphers
    or hash functions
  • E.g., DESX is stronger than DES, when DES is modeled
    as an ideal cipher [KR96]

8
ROs and ideal ciphers
  • Using random funcs/perms for extractors
    • In CBC mode, HMAC mode [DGHKR04]
  • Domain extension for ROs [CDMP05]
    • Also building ROs from ideal ciphers
  • Open: building ideal ciphers from ROs
    • Partial results in [DP06]
  • Open: domain-extenders for ideal ciphers

9
Multi-property-preserving modes
  • Prove many claims on the same mode
  • E.g., for (a variant of) Merkle-Damgård:
    • If the compression function is collision-resistant
      then so is the resulting hash function,
    • If the compression function is a PRF then so is the
      resulting hash function,
    • If the compression function is a random oracle then
      so is the resulting hash function,
    • Etc.

10
Relations between notions
  • So many notions, we need taxonomies

11
Collision-resistance vs. the world
  • Not implied by PRPs via BB [S98]
  • Implied by PIR, homomorphic encryption [IKO05]
    • Surprising: collision-resistance follows from
      secrecy guarantees
  • Connections to the compressibility of SAT [HN06]
  • Equivalent to one-flow statistically-hiding
    commitment?

12
Weak random oracles
  • RO-like, but can actually exist
    • At least we can't prove that they don't exist
  • Not many of those
    • Perfect one-way hashing [C97, CMR98]
    • AKA point-function obfuscators [W05]
    • Magic functions [DNRS99]
  • Sometimes we can prove they do not exist [GK03]

13
And beyond
  • Theory of block ciphers?
  • Embarrassingly lacking
  • Luby-Rackoff [LR88] for Feistel networks?
    • Refinement by Naor-Reingold [NR97]
    • Dodis-Puniya [DP07] analyze Feistel with round
      functions weaker than PRFs
  • Relevance to block-cipher design is a huge leap
    of faith

14
Security from round functions
  • Block-cipher recipe:
    • Take a sufficiently non-linear permutation
    • Sprinkle some secret-key material
    • Repeat sufficiently many times
    • Get a secure cipher
  • Moral: security comes from repetition, not so
    much from the original round function
  • Can we make a science of it?

15
Charlie's conjecture
  • Due to Charlie Rackoff
  • Take a simple enough permutation family
    • E.g., computed in NC0
  • Repeat enough times to get almost four-wise
    independence
  • The result is a PRP
  • Can anyone disprove it?

16
Comments
  • X-wise independence is reminiscent of Decorrelation
    theory [V]
  • Can't replace 4-wise with 3-wise
    • Otherwise it's false
  • Simplicity of the round function is important
    • Otherwise it's false (e.g., if you start from a
      4-wise independent permutation)
  • The point is to have many repetitions
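A toy instance of the recipe on slides 14 to 16, added here as an illustration and not part of the talk: a 4-bit NC0 round (key XOR, a layer of Toffoli gates, a bit rotation) is iterated with fresh key material per round, and the statistical distance of a pair of outputs from what a 2-wise independent permutation would produce is estimated over random keys, to show how repetition rather than the round function drives the output distribution toward t-wise independence. The block size, the round, the sample sizes and the choice of 2-wise (not 4-wise, since enumerating t-tuples stays cheap only for small t) are assumptions of the example.

```python
import itertools
import random

NBITS = 4                      # toy block size (assumed): small enough to enumerate output tuples
MASK = (1 << NBITS) - 1

def nc0_round(x: int, k: int) -> int:
    """XOR a round key, apply three Toffoli gates (each output bit depends on at most
    three input bits, so the layer is in NC0), then rotate. Each step is a bijection on
    NBITS-bit values, so the round is a permutation. Gate layout assumes NBITS >= 4."""
    x ^= k
    b = [(x >> i) & 1 for i in range(NBITS)]
    b[0] ^= b[1] & b[2]        # in-place Toffoli updates applied one after another
    b[3] ^= b[0] & b[1]        # are each invertible (re-applying one undoes it)
    b[1] ^= b[2] & b[3]
    x = sum(bit << i for i, bit in enumerate(b))
    return ((x << 1) | (x >> (NBITS - 1))) & MASK   # rotate left by one bit

def encrypt(x: int, round_keys: list) -> int:
    """The recipe from slide 14: repeat the simple round, one key per round."""
    for k in round_keys:
        x = nc0_round(x, k)
    return x

def is_permutation(round_keys: list) -> bool:
    """Sanity check: the iterated round maps the NBITS-bit space onto itself."""
    return len({encrypt(x, round_keys) for x in range(1 << NBITS)}) == 1 << NBITS

def distance_from_t_wise(inputs: tuple, rounds: int, samples: int, seed: int = 1) -> float:
    """Statistical distance between the sampled distribution of (E_K(x_1), ..., E_K(x_t))
    over a random key K and the uniform distribution on t-tuples of distinct outputs,
    which is exactly what a t-wise independent permutation would produce."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        keys = [rng.getrandbits(NBITS) for _ in range(rounds)]
        out = tuple(encrypt(x, keys) for x in inputs)
        counts[out] = counts.get(out, 0) + 1
    cells = list(itertools.permutations(range(1 << NBITS), len(inputs)))
    target = 1.0 / len(cells)
    return 0.5 * sum(abs(counts.get(c, 0) / samples - target) for c in cells)

if __name__ == "__main__":
    # One round has only 2**NBITS keys, so at most 16 of the 240 output pairs are reachable.
    for r in (1, 2, 4, 8):
        print(r, "round(s):", round(distance_from_t_wise((0x3, 0xA), r, 20000), 3))
```

With a single round the distance is bounded below by 1 - 16/240, whatever the round does; only the iteration with independent keys can bring it down.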

17
What can we do with Charlie?
  • The conjecture implies that PRPs exist
    • But PRPs with a very specific structure
  • Do they imply CR hashing?
  • If not, come up with a similar conjecture that
    implies collision-resistant hashing
    • Or implies both PRPs and CR hashing

18
Summary
  • We know very little about the true hardness of
    these ad hoc constructions
  • Conjectures can fill some of the void
  • The more the merrier
  • Only two requirements:
    • Not known to be false (?)
    • Can be used to do something interesting

Let you prove interesting theorems
19
Thank you