PRF Domain Extension using DAGs
Charanjit Jutla, IBM T J Watson
[Figure: sequential chain mode. Blocks P_1, P_2, P_3, ..., P_m enter nodes V_1, ..., V_m; each node applies f and the last node applies tilde-f. The domain is extended from n bits to mn bits.]
[Figure: a five-node DAG. Blocks P_1, ..., P_5 are processed at nodes V_1, ..., V_5 by calls to f; the sink node outputs C.]
Requirements on the DAG
• Directed Acyclic Graph G = (V, E), |V| = m
• Unique source and sink nodes
• G is non-redundant
  – no two nodes have the same set of immediate predecessors
Then, PRF Domain Extension to mn bits
A Parallel Mode for Four Processors
In general, 3 + log* m depth
Really Basic Intuition
• C_i = f( P_i xor XOR_{(j,i) in E} C_j )
• Call M_i = P_i xor XOR_{(j,i) in E} C_j; M_i is the input to node V_i
• Can two such M_{i1} and M_{i2} collide?
  – i1 = i2: hopefully the plaintexts are different???
  – i1 ≠ i2: XOR_{(j,i1) in E} C_j =? XOR_{(j,i2) in E} C_j
Using Galois Field GF(2^n)
• XOR_{(j,i1) in E} C_j =? XOR_{(j,i2) in E} C_j
• becomes XOR_{(j,i1) in E} a_{j,i1} * C_j =? XOR_{(j,i2) in E} a_{j,i2} * C_j
Edge-Colored DAGs
• Directed Acyclic Graph G = (V, E), |V| = m
• Edge coloring ψ: E → GF(2^n)*
• Unique sink node
• G is non-singular
  – If two nodes (say u and v) have the same set of immediate predecessors (say W), then there exists w in W such that ψ(w, u) ≠ ψ(w, v)
Then, PRF Domain Extension to mn bits
A Parallel Mode for Four Processors
[Figure: the four-processor DAG with edges colored by the multipliers 1, x, x^2 and (1+x) in GF(2^n).]
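An added worked example (mine, not code from the talk) of the edge-colored construction on the preceding slides: GF(2^128) multiplication, the non-singularity check from the "Edge-Colored DAGs" slide, and evaluation of C_i = f( P_i xor XOR_{(j,i) in E} a_{j,i} * C_j ). It assumes a six-node layout for the four-processor figure (one source fanning out with colors 1, x, x^2, 1+x into a common sink), HMAC-SHA256 truncated to 128 bits as a stand-in for the PRF f, and the reduction polynomial x^128 + x^7 + x^2 + x + 1.

```python
import hmac, hashlib
# GF(2^128) with reduction polynomial x^128 + x^7 + x^2 + x + 1; the polynomial is a
# constructed choice, the talk only needs some GF(2^n) with n the block size of f.
N = 128
POLY = (1 << N) | 0x87

def gf_mul(a, b):
    """Multiply two field elements represented as N-bit integers."""
    r = 0
    while b:
        if b & 1: r ^= a
        b >>= 1
        a <<= 1
        if a >> N: a ^= POLY
    return r

def f(key, block):
    """Stand-in for the n-bit PRF f: HMAC-SHA256 truncated to N bits (an assumption)."""
    mac = hmac.new(key, block.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[: N // 8], "big")

def is_valid_dag(m, edges):
    """Nodes 0..m-1 in topological order, edges {(j, i): color}. Checks a unique sink
    (only node m-1 has no out-edge), colors in GF(2^n)*, and non-singularity: no two
    nodes with the same predecessor set W and equal colors on every edge (w, .)."""
    if any(all(j != u for (j, _) in edges) for u in range(m - 1)):
        return False
    if any(c == 0 for c in edges.values()):
        return False
    preds = [{j: c for (j, i), c in edges.items() if i == u} for u in range(m)]
    return not any(preds[u] == preds[v] for u in range(m) for v in range(u + 1, m))

def dag_prf(key, m, edges, blocks):
    """C_i = f(P_i xor XOR_{(j,i) in E} a_{j,i} * C_j); the output is C at the sink."""
    assert len(blocks) == m and is_valid_dag(m, edges)
    C = []
    for i in range(m):
        M = blocks[i]
        for (j, k), a in edges.items():
            if k == i:
                M ^= gf_mul(a, C[j])
        C.append(f(key, M))
    return C[-1]

# Constructed six-node layout for the four-processor mode: node 0 fans out to nodes
# 1..4 with colors 1, x, x^2, 1+x, and nodes 1..4 feed the sink (node 5) with color 1.
X = 2  # the field element x
PARALLEL = {(0, 1): 1, (0, 2): X, (0, 3): gf_mul(X, X), (0, 4): 1 ^ X}
PARALLEL.update({(i, 5): 1 for i in range(1, 5)})
UNCOLORED = {e: 1 for e in PARALLEL}  # same DAG with every color 1: nodes 1..4 collide
```

With UNCOLORED in place of PARALLEL the check fails: nodes 1..4 then share the predecessor set {0} with identical colors, which is exactly the collision of M_i values the GF(2^n) coloring is introduced to rule out.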
PMAC [BR 02] (Parallelizable Authentication Mode)
[Figure: PMAC drawn as an edge-colored DAG; the final edge is labeled "color m".]
PMAC [BR 02] To be precise....
[Figure: the PMAC DAG with a source node taking the constant 0; the final edge is labeled "color m".]
Variable Length Domain Ext.
• length need not be a multiple of n
  – naïve padding with 10^t doesn't work
  – how to distinguish between full length and partial
  – UNLESS full length is authenticated differently
• [PR 00], [BR 00]
• naïve CBC-MAC for different lengths is flawed
  – C_1 = CBCMAC_f( P_1 )
  – C_1 = CBCMAC_f( P_1 || C_1 xor P_1 )
Collection of DAGs
• 2 DAGs for each block length t: G_{2t}, G_{2t+1}
• each DAG must have a unique sink node
• each DAG must have at least t nodes
• each DAG individually non-singular
  – is that enough? NO
Incorrect Construction
Define all graphs on the same set of vertices V
[Figure: vertices V_1, V_2, V_3, V_4 shared by several graphs.]
G_i cannot be allowed to be an induced subgraph of another G_j
Requirements for VIL-PRF
• If for any pair of vertices (say u, v, u ≠ v) and graphs G_i and G_i', the set of incident nodes of u in G_i and of v in G_i' are the same, then at least one incident edge is colored differently.
  – Non-singular over all graphs
• for each graph G_i, it is not the case that there is another graph G_i' which is identical till the "largest" node of G_i
Optimized VIL Mode
[Figure: edge-colored DAG of the optimized VIL mode over nodes 1..5; edges labeled col 2, col 3, col 4, col 5.]
Current Best Mode
[Figure: edge-colored DAG of the current best mode over nodes 1..5; edges labeled col 2, col 3, col 4, col 5.]
Parallel VIL mode
[Figure: parallel VIL DAG over nodes v_1, v_2, v_3, ..., v_{2^n}; edges labeled col 2, col 3, col 4, color 5, color 6.]
Proof
• Most theorems involving PRF and PRP constructions, as well as Modes of Operation built from smaller primitives, have to tackle collisions in calls to the smaller primitive
• Modulo that, proving randomness is easy
Collisions in calls to oracle
• automatic collisions, as in CBC-MAC
• Unforced collisions
• Forced collisions (adversarial, adaptive)
  – can try to prove there are no forced collisions
  – Fix last blocks of the transcript (visible to A)
  – Conditioned on this, on average over all possible transcripts c, same as collisions in the transcript
  – Thus, adversary left with playing "automatic collisions"
THE END