Fixing cracks in the concrete: Random oracles with auxiliary input, revisited

Yevgeniy Dodis, Siyao Guo, Jonathan Katz

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We revisit the security of cryptographic primitives in the random-oracle model against attackers having a bounded amount of auxiliary information about the random oracle. This situation arises most naturally when an attacker carries out offline preprocessing to generate state (namely, auxiliary information) that is later used as part of an online attack, with perhaps the best-known example being the use of rainbow tables for function inversion. The resulting model is also critical to obtain accurate bounds against non-uniform attackers when the random oracle is instantiated by a concrete hash function. Unruh (Crypto 2007) introduced a generic technique (called presampling) for analyzing security in this model: a random oracle for which S bits of arbitrary auxiliary information can be replaced by a random oracle whose value is fixed in some way on P points; the two are distinguishable with probability at most O(√(ST/P)) by attackers making at most T oracle queries. Unruh conjectured that the distinguishing advantage could be made negligible for a sufficiently large polynomial P. We show that Unruh's conjecture is false by proving that the distinguishing probability is at least Ω(ST/P). Faced with this negative general result, we establish new security bounds, which are nearly optimal and beat presampling bounds, for specific applications of random oracles, including one-way functions, pseudorandom functions/generators, and message authentication codes. We also explore the effectiveness of salting as a mechanism to defend against offline preprocessing, and give quantitative bounds demonstrating that salting provably helps in the context of one-wayness, collision resistance, pseudorandom generators/functions, and message authentication codes. In each case, using (at most) n bits of salt, where n is the length of the secret key, we get the same security O(T/2^n) in the random oracle model with auxiliary input as we get without auxiliary input.

At the heart of our results is the compression technique of Gennaro and Trevisan, and its extensions by De, Trevisan and Tulsiani.

Original language: English (US)
Title of host publication: Advances in Cryptology – EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
Publisher: Springer Verlag
Pages: 473-495
Number of pages: 23
Volume: 10211 LNCS
ISBN (Print): 9783319566139
DOI: 10.1007/978-3-319-56614-6_16
State: Published - 2017

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10211 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Dodis, Y., Guo, S., & Katz, J. (2017). Fixing cracks in the concrete: Random oracles with auxiliary input, revisited. In Advances in Cryptology – EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings (Vol. 10211 LNCS, pp. 473-495). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10211 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-56614-6_16
