TU Darmstadt / ULB / TUbiblio

Expedient Non-malleability Notions for Hash Functions

Baecher, Paul ; Fischlin, Marc ; Schröder, Dominique
Hrsg.: Kiayias, Aggelos (2011)
Expedient Non-malleability Notions for Hash Functions.
11th Cryptographers' Track. San Francisco, USA (14.02.2011-18.02.2011)
doi: 10.1007/978-3-642-19074-2_18
Konferenzveröffentlichung, Bibliographie

Kurzbeschreibung (Abstract)

Non-malleability of a cryptographic primitive is a fundamental security property which ensures some sort of independence of cryptographic values. The notion has been extensively studied for commitments, encryption and zero-knowledge proofs, but it was not until recently that the notion—and its peculiarities—have been considered for hash functions by Boldyreva et al. (Asiacrypt 2009). They give a simulation-based definition, basically saying that for any adversary mauling hash values into related ones there is a simulator which is as successful in producing such hash values, even when not seeing the original hash values. Their notion, although following previous approaches to nonmalleability, is nonetheless quite unwieldy; it is hard to achieve and, due to the existential quantification over the simulator, hard to falsify. We also note that finding an equivalent indistinguishability-based notion is still open.

Here we take a different, more handy approach to non-malleability of hash functions. Our definition avoids simulators completely and rather asks the adversary to maul the hash value and to also specify a transformation φ of the pre-image, taken from a fixed class Φ of admissible transformations. These transformations are usually determined by group operations and include such cases such as exclusive-ors (i.e., bit flips) and modular additions. We then simply demand that the probability of succeeding is negligible, as long as the original pre-image carries enough entropy. We continue to show that our notion is useful by proving that, for example, the strengthened Merkle-Damgård transformation meets our notion for the case of bit flips, assuming an ideal compression function. We also improve over the security result by Boldyreva et al., showing that our notion of non-malleability suffices for the security of the Bellare-Rogaway encryption scheme.

Typ des Eintrags: Konferenzveröffentlichung
Erschienen: 2011
Herausgeber: Kiayias, Aggelos
Autor(en): Baecher, Paul ; Fischlin, Marc ; Schröder, Dominique
Art des Eintrags: Bibliographie
Titel: Expedient Non-malleability Notions for Hash Functions
Sprache: Englisch
Publikationsjahr: 25 Januar 2011
Verlag: Springer
Buchtitel: Topics in Cryptology - CT-RSA 2011
Reihe: Lecture Notes in Computer Science
Band einer Reihe: 6558
Veranstaltungstitel: 11th Cryptographers' Track
Veranstaltungsort: San Francisco, USA
Veranstaltungsdatum: 14.02.2011-18.02.2011
DOI: 10.1007/978-3-642-19074-2_18
Kurzbeschreibung (Abstract):

Non-malleability of a cryptographic primitive is a fundamental security property which ensures some sort of independence of cryptographic values. The notion has been extensively studied for commitments, encryption and zero-knowledge proofs, but it was not until recently that the notion—and its peculiarities—have been considered for hash functions by Boldyreva et al. (Asiacrypt 2009). They give a simulation-based definition, basically saying that for any adversary mauling hash values into related ones there is a simulator which is as successful in producing such hash values, even when not seeing the original hash values. Their notion, although following previous approaches to nonmalleability, is nonetheless quite unwieldy; it is hard to achieve and, due to the existential quantification over the simulator, hard to falsify. We also note that finding an equivalent indistinguishability-based notion is still open.

Here we take a different, more handy approach to non-malleability of hash functions. Our definition avoids simulators completely and rather asks the adversary to maul the hash value and to also specify a transformation φ of the pre-image, taken from a fixed class Φ of admissible transformations. These transformations are usually determined by group operations and include such cases such as exclusive-ors (i.e., bit flips) and modular additions. We then simply demand that the probability of succeeding is negligible, as long as the original pre-image carries enough entropy. We continue to show that our notion is useful by proving that, for example, the strengthened Merkle-Damgård transformation meets our notion for the case of bit flips, assuming an ideal compression function. We also improve over the security result by Boldyreva et al., showing that our notion of non-malleability suffices for the security of the Bellare-Rogaway encryption scheme.

Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Kryptographie und Komplexitätstheorie
Hinterlegungsdatum: 27 Jun 2011 14:50
Letzte Änderung: 15 Aug 2023 09:52
PPN:
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen