Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi

Dec 17, 2015


Kelley Horton

Non-Malleable Hash Functions

FORMACRYPT, 2007

Alexandra Boldyreva

David Cash

Marc Fischlin

Bogdan Warinschi


Bogdan Warinschi, Formacrypt meeting 2007


► Non-Malleability

Intuition

Being given an instance f(x) does not help to find f(x*) for a related x*


► Non-Malleability

Example 1

given the encryption C1 = Enc(PK,M) it should be hard to construct an encryption C2 of M xor 11....1

Example 2

given a commitment Com(X,N), with N an unknown random nonce, it should be hard to construct a commitment Com(X+1000,N) for the same N


► Non-Malleability

Well studied for encryption, commitments, zero-knowledge

– Definitions

– Constructions

– Applications

How about hash functions?


► Non-malleable hash functions

Motivation

Definition

Construction

Applications


► Motivation: soundness of the random oracle model

Modelling:

– in the RO model, hash functions are accessed in a black-box way (by both honest parties and the adversary)

– are truly random functions

Advantages:

– enable security proofs for very efficient primitives/protocols for which we have no other security proofs


► Motivation: soundness of the random oracle model

Disadvantages:

Can RO be instantiated with standard hash functions in a way that preserves the security proof?

– In general the answer is NO (the RO model is provably unsound)

– For some schemes it may be possible to replace a random oracle H with a standard hash function

– What if security of the scheme uses non-malleability of random oracles?


► Motivation: soundness of the random oracle model

Enc(PK,M)=( RSA(PK,r), r xor M )


► Motivation: soundness of the random oracle model

Enc(PK,M)=( RSA(PK,r), G(r) xor M )


► Motivation: soundness of the random oracle model

Enc(PK,M)=( RSA(PK,r), G(r) xor M , H(r||M))

– Assume that H is such that given H(r||M) it is possible to construct H(r||M xor 11...1);

– Then Enc is malleable: from Enc(PK,M) it is possible to construct Enc(PK, M xor 11....1)

– A security-preserving instantiation of H with an actual hash function would require H to be non-malleable
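The three-component scheme above as a runnable toy, added here as an illustration and not code from the talk: without the third component the ciphertext can be turned into one for M xor 11...1, and with it decryption rejects the modified ciphertext. The toy RSA parameters, the use of SHA-256 for G and H, and all function names are assumptions; whether a matching tag could be derived from H(r||M) is exactly the non-malleability property of H that the slide asks for, and the code does not establish it.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: textbook RSA over two Mersenne primes. Not secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
RLEN, MLEN = 27, 16            # byte lengths of r (216-bit modulus) and of M
ONES = b"\xff" * MLEN

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def G(r):                      # SHA-256 standing in for the oracle G (assumption)
    return hashlib.sha256(b"G" + r).digest()[:MLEN]

def H(r, m):                   # SHA-256 standing in for the oracle H(r||M) (assumption)
    return hashlib.sha256(b"H" + r + m).digest()

def enc(m, with_tag):
    r_int = secrets.randbelow(N - 2) + 2
    r = r_int.to_bytes(RLEN, "big")
    c = (pow(r_int, E, N), xor(G(r), m))
    return c + (H(r, m),) if with_tag else c

def dec(c):
    r = pow(c[0], D, N).to_bytes(RLEN, "big")
    m = xor(G(r), c[1])
    if len(c) == 3 and not hmac.compare_digest(c[2], H(r, m)):
        return None            # tag does not match the recovered (r, M): reject
    return m

def complement_second_component(c):
    """The change from the slide: second component xor 11...1, the rest untouched."""
    return (c[0], xor(c[1], ONES)) + tuple(c[2:])

def demo(m=b"constructed msg!"):
    two = complement_second_component(enc(m, with_tag=False))
    three = complement_second_component(enc(m, with_tag=True))
    return dec(two), dec(three)   # (M xor 11...1, None)
```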


► Motivation: soundness of formal analysis

In symbolic analysis hash functions are non-malleable:

– the Dolev-Yao adversary can construct H(M) only if it knows M

– The attack where from H(A,N) for unknown nonce N the adversary constructs H(B,N) is not possible in the DY world

To ensure that all attacks in the cryptographic model are captured by the Dolev-Yao adversary, the attack above should not be possible in the real world


► Non-malleable hash functions

Motivation

Definitions

Construction

Applications


► Definition (sketch)

sample x ← X
compute y ← H(x)
let (T,y*) ← Adv(y)
let x* ← T(x)
success iff H(x*) = y*, y ≠ y* and R(x,x*) = 1

sample x ← X
let x* ← Sim()
success iff R(x,x*) = 1

Defining Non-Malleable Hash Functions

Definition: H is non-malleable w.r.t. distribution X iff

Prob [ Adv succeeds ] ≈ Prob [ Sim succeeds ]
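The two experiments of the definition sketch, run as an added example (not code from the talk) against a deliberately malleable toy function and against SHA-256. Assumptions made here: X is uniform over 16-byte strings, R(x,x*) = 1 iff x* = x xor 11...1, CRC-32 plays the malleable H, and SHA-256 is truncated to 32 bits to match its output size; all names are hypothetical.

```python
import hashlib
import os
import zlib

N = 16                      # assumption: X is uniform over N-byte strings
ONES, ZERO = b"\xff" * N, bytes(N)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def h_crc(x):               # toy stand-in for a malleable H (CRC-32 is affine over XOR)
    return zlib.crc32(x)

def h_sha(x):               # SHA-256 truncated to 32 bits, to match the toy's output size
    return int.from_bytes(hashlib.sha256(x).digest()[:4], "big")

def relation(x, x_star):    # R(x, x*) = 1 iff x* = x xor 11...1
    return x_star == xor(x, ONES)

def adversary(y):
    """Sees only y = H(x); outputs a transformation T and a claimed y* = H(T(x))."""
    y_star = y ^ zlib.crc32(ONES) ^ zlib.crc32(ZERO)   # correct only if H is CRC-32
    return (lambda x: xor(x, ONES)), y_star

def simulator():
    """Gets no hash value. x is uniform and independent of the output, so any
    simulator satisfies this R with probability 2^-128; a guess is as good as any."""
    return os.urandom(N)

def adv_success_rate(H, trials=200):
    wins = 0
    for _ in range(trials):
        x = os.urandom(N)                    # sample x <- X
        y = H(x)                             # compute y <- H(x)
        T, y_star = adversary(y)             # let (T, y*) <- Adv(y)
        x_star = T(x)                        # let x* <- T(x)
        wins += H(x_star) == y_star and y != y_star and relation(x, x_star)
    return wins / trials

def sim_success_rate(trials=200):
    wins = 0
    for _ in range(trials):
        x = os.urandom(N)                    # sample x <- X
        wins += relation(x, simulator())     # let x* <- Sim()
    return wins / trials

if __name__ == "__main__":
    print("CRC-32 :", adv_success_rate(h_crc), "vs simulator", sim_success_rate())
    print("SHA-256:", adv_success_rate(h_sha), "vs simulator", sim_success_rate())
```

For CRC-32 the adversary wins every run while the simulator essentially never does, so the two probabilities in the definition are far apart; this particular adversary gains nothing against SHA-256.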


► Non-malleable hash functions

Motivation

Definitions

Construction

Applications


► Construction (Part I)

Necessary: H(x) must not leak information about x

Idea: use Canetti's perfectly one-way hash functions

Definition: (probabilistic) hash function h is POWHF w.r.t. X and aux iff

(h(x), aux(x)) (h(x'), aux(x))

for x,x' ← X

Constructing Non-Malleable Hash Functions


► Construction (Part II)

Even if H(x) hides all information about x, the function H may still be malleable

Idea: append a (ssNIZK) proof of knowledge of x

When an adversary given y=H(x) outputs y*, then he must know some x* such that H(x*)=y*, and he had no information on x: the only relations between x and x* that hold are trivial (and can be easily satisfied by a simulator)

Constructing Non-Malleable Hash Functions


► Construction (Putting things together)

Theorem (sketch):

Let h be POWHF w.r.t. X and aux, let (Gen,Prover,Verifier) be ssNIZKPoK. Then

H(x) = ( h(x), )

where ← Prover(crs,x,h(x)) is non-malleable w.r.t. X and aux.

(solution not really efficient, rather feasibility result)

Constructing Non-Malleable Hash Functions


► Non-malleable hash functions

Motivation

Definitions

Construction

Applications


► Message Authentication via H(k||m)

H(k||m) secure MAC for secret key k if

• H random oracle, or

• H pseudorandom function

We show that H(k||m) is a secure MAC if H is non-malleable

Security means: an adversary who sees H(k,m1),H(k,m2),...,H(k,mn) cannot compute H(k,m) for m different from m1, m2,...,mn

Application to Message Authentication


► Message Authentication via H(k||m) (Proof intuition)

Consider an adversary A who after seeing H(k||m) manages to output a forgery (m’,H(k||m’))

Construct adversary B against non-malleability:

– on input H(k||m) the adversary runs A internally and obtains (m’,H(k||m’))

– output H(k||m’) and T(k||x)=k||m’

Consider the relation R(x||y,z||w)=1 if x=z; the adversary B then satisfies the relation, since R(k||m,k||m’) = 1

Application to Message Authentication


► Instantiating random oracles

Enc(PK,M)=( RSA(PK,r), G(r) xor M , H(r||M))

If ( RSA(PK,r), G(r) xor M , H(r||M)) is the challenge ciphertext, we argue in the proof that the adversary cannot query its decryption oracle on the ciphertext ( RSA(PK,r), G(r) xor M' , H(r||M'))

The security proof is still in the random oracle model


► Soundness of formal analysis of hash functions

Ongoing work

Some problems:

– general soundness only in the trusted parameters model (NIZK proof systems use a common reference string which needs to be generated honestly)

– POWHFs are not known to exist for arbitrary distributions


► Conclusion

Motivation (Interesting, useful)

Definitions

Construction (POWHF+ssNIZKPoK)

Applications (MAC, Encryption)