PRF Domain Extension using DAGs
Charanjit Jutla
IBM T J Watson
[Figure: chain of nodes V1, V2, V3, …, Vm, each applying f to its plaintext block P1, P2, P3, …, Pm]
n bits to mn bits domain: f to tilde-f
[Figure: DAG with nodes V1, V2, V3, V4, V5 and plaintext blocks P1…P5; each node applies f, the sink outputs C]
Requirements on the DAG
• Directed Acyclic Graph G = (V,E)
• |V| = m
• Unique source and sink nodes
• G is non-redundant
– no two nodes have the same set of immediate predecessors
Then, PRF Domain Extension to mn bits
[Figure: the five-node DAG V1…V5 with inputs P1…P5, each node applying f]
A Parallel Mode for Four Processors
In general, 3+log* m depth
Really Basic Intuition
• C_i = f( P_i xor XOR_{(j,i) ∈ E} C_j )
• Call M_i = P_i xor XOR_{(j,i) ∈ E} C_j
• M_i is the input to node V_i
• Can two such M_i1 and M_i2 collide?
– i1 = i2 ::: hopefully the plaintexts are different???
– i1 ≠ i2: XOR_{(j,i1) ∈ E} C_j ?= XOR_{(j,i2) ∈ E} C_j
Using Galois Field GF(2^n)
• XOR_{(j,i1) ∈ E} C_j ?= XOR_{(j,i2) ∈ E} C_j
• XOR_{(j,i1) ∈ E} a_{j,i1} · C_j ?= XOR_{(j,i2) ∈ E} a_{j,i2} · C_j
Edge-Colored DAGs
• Directed Acyclic Graph G = (V,E)
• |V| = m
• Edge Coloring ψ: E → GF(2^n)*
• Unique sink node
• G is non-singular
– If two nodes (say u and v) have the same set of immediate predecessors (say W), then there exists w ∈ W such that ψ(w,u) ≠ ψ(w,v)
Then, PRF Domain Extension to mn bits
A Parallel Mode for Four Processors
[Figure: four-processor parallel mode as an edge-colored DAG, with edge colors *x, *x^2, *(1+x), *1]
PMAC [BR02] (Parallelizable Authentication Mode)
[Figure: PMAC drawn as an edge-colored DAG; the edge into block m is labelled "color m"]
PMAC [BR02] To be precise….
[Figure: PMAC exactly: the source node takes the constant 0 as input, and the edge into block m is labelled "color m"]
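As an added worked example (not code from the slides or from Jutla's paper), the edge-colored DAG mode of the preceding slides in Python: edge colors are elements of GF(2^128), each node computes C_i = f(P_i xor XOR ψ(j,i)·C_j), the non-singularity rule is checked, and a PMAC-like DAG uses the constant-0 source together with the colors x, x^2, 1+x, 1 from the four-processor slide. The exact graph layout, the HMAC stand-in for f, and the sample key and message are assumptions of this example.

```python
import hmac, hashlib

# Multiplication in GF(2^128), field polynomial x^128 + x^7 + x^2 + x + 1 (reduction byte 0x87).
def gf_mul(a, b):
    r = 0
    for _ in range(128):
        if b & 1:
            r ^= a
        b >>= 1
        carry = a >> 127
        a = (a << 1) & ((1 << 128) - 1)
        if carry:
            a ^= 0x87
    return r

# Stand-in for the n-bit PRF f (n = 128, assumed): HMAC-SHA256 truncated to 16 bytes.
def f(key, block):
    return int.from_bytes(hmac.new(key, block.to_bytes(16, "big"), hashlib.sha256).digest()[:16], "big")

# DAG = list of (node, index of its message block or None for the constant-0 input, [(pred, color)]) in topological order; last entry is the sink.
def dag_mode(key, blocks, dag):
    C = {}
    for node, inp, preds in dag:
        m = 0 if inp is None else blocks[inp]   # M_i = P_i xor ...
        for pred, color in preds:
            m ^= gf_mul(color, C[pred])         # ... XOR over edges (j,i) of psi(j,i) * C_j
        C[node] = f(key, m)                     # C_i = f(M_i)
    return C[dag[-1][0]]

# Non-singularity as stated on the slides (plus unique sink): nodes with the same predecessor set must differ in some edge color.
def is_non_singular(dag):
    color = {node: dict(preds) for node, _, preds in dag}
    if sum(1 for u in color if not any(u in color[v] for v in color)) != 1:
        return False                            # not exactly one sink
    nodes = list(color)
    for i, u in enumerate(nodes):
        for v in nodes[i + 1:]:
            if set(color[u]) == set(color[v]) and all(color[u][w] == color[v][w] for w in color[u]):
                return False
    return True

X, X2, ONE_PLUS_X, ONE = 2, 4, 3, 1   # the edge colors *x, *x^2, *(1+x), *1 as field elements
PARALLEL = [(0, None, []),            # constant-0 source, as in the PMAC picture (assumed layout)
            (1, 0, [(0, X)]), (2, 1, [(0, X2)]), (3, 2, [(0, ONE_PLUS_X)]), (4, 3, [(0, ONE)]),
            (5, 4, [(1, ONE), (2, ONE), (3, ONE), (4, ONE)])]
SINGULAR = [(n, i, [(p, ONE) for p, _ in ps]) for n, i, ps in PARALLEL]  # same DAG, every color 1
KEY = b"constructed demo key, not secret"                               # constructed sample key
MSG = [int.from_bytes(bytes([b]) * 16, "big") for b in (0x11, 0x22, 0x33, 0x44, 0x55)]
SWAPPED = [MSG[1], MSG[0]] + MSG[2:]   # blocks P1 and P2 exchanged: collides only in the singular DAG
```

In the singular variant, exchanging P1 and P2 leaves the sink's input M_5 unchanged, which is exactly the kind of input collision the coloring rule is there to rule out; with distinct colors the two evaluations differ.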
Variable Length Domain Ext.
• length need not be a multiple of n
– naïve padding with 10^t doesn't work
– how to distinguish between a full-length and a partial last block
– UNLESS full length is authenticated differently
• [PR00], [BR00]
• naïve CBC-MAC for different lengths is flawed
– C1 = CBCMAC_f ( P1 )
– C1 = CBCMAC_f ( P1 || C1 xor P1 )
Collection of DAGs
• 2 DAGs for each block len t : G_{2t} G_{2t+1}
• each DAG must have unique sink node
• each DAG must have at least t nodes
• each DAG individually non-singular
– is that enough? NO
Incorrect Construction
[Figure: two graphs on the vertices V1 V2 V3 V4]
G_i cannot be allowed to be an induced subgraph of another G_j
Define all graphs on the same set of vertices V
Requirements for VIL-PRF
• If for any pair of vertices (say u, v with u ≠ v) and graphs G_i and G_i', the set of incident nodes of u in G_i and of v in G_i' is the same, then at least one incident edge is colored differently.
– Non-singular over all graphs
• for each graph G_i, there is no other graph G_i' that is identical up to the "largest" node of G_i
Optimized VIL Mode
[Figure: nodes 1 to 5 with edge colors col2, col3, col4, col5]
Current Best Mode
[Figure: nodes 1 to 5 with edge colors col2, col3, col4, col5]
Parallel VIL mode
[Figure: two parallel chains of nodes v1, v2, v3, …, v2^n with edge colors color5, color6 and col1, col2, col3, col4]
Proof
• Most theorems involving PRF and PRP constructions, as well as modes of operation, built from smaller primitives have to tackle collisions in calls to the smaller primitive
• Modulo that, proving randomness is easy
Collisions in calls to oracle
• automatic collisions, as in CBC-MAC
• Unforced collisions
• Forced collisions (adversarial, adaptive)
– can try to prove there are no forced collisions
– Fix the last blocks of the transcript, visible to A
– Conditioned on this,
– On average over all possible transcripts c, same as collisions in the transcript
Thus, the adversary is left with playing "automatic collisions"
THE END