2.1.1. Random Oracle Model
Ideally, a hash function should be indistinguishable from a random oracle [24] with fixed output size. A random oracle is an abstract and ideal primitive that returns a random bit string for each fresh input. Thus, the output of a random oracle is independent of the input, except that repeated queries are always treated consistently, i.e., the function property is always fulfilled. Furthermore, random oracles are atomic building blocks, i.e., they cannot be decomposed. In the context of provable security, random oracles are used for hiding implementation details, e.g., the insides of a
2.1. Security Notions
required for the proof – or when it gets too tedious to formalize these. A security proof of a cryptographic scheme using a random oracle as a component function is said to be in the random oracle model. From a theoretical point of view, it is clear that such a security proof is only a heuristic indication of the security of the scheme when instantiated with a specific hash function.
In fact, many recent separation results [16, 60, 81, 115, 163, 179] illustrate that various cryptographic schemes are secure in the random oracle model, but completely insecure for any efficient instantiation. According to [144], all such counterexamples are artificial and do not seem to attack any practically relevant scheme directly. Nevertheless, a security proof in the random oracle model is at least an indication for the soundness of the analyzed scheme.
2.1.2. Standard Model
Beside the random oracle model, the security of a hash function can also be determined under the three much weaker standard model assumptions: (1) collision resistance, (2) preimage resistance, and (3) 2nd-preimage resistance. The insecurity of a cryptographic function is quantified by the success probability of an optimal and resource-bounded adversary A. Depending on the setting, different notions of success and different limitations of the resources apply for the adversary. Actually, the standard model only works for families of hash functions $\mathcal{H}$, where $\mathcal{H}$ is considered to be secure if there exists no efficient adversary A that violates at least one out of the three standard assumptions for $H \xleftarrow{\$} \mathcal{H}$. The standard model is not suitable to prove the security of a single n-bit hash function H such as SHA-256 [184], since here A is not restricted in the access to SHA-256. Suppose $A_{X,Y}$ with some fixed $X, Y \in \{0, 1\}^{2n}$ is an adversary that just outputs the two 2n-bit values X and Y. By the pigeonhole principle, there must be two values $X'$ and $Y'$ such that $H(X') = H(Y')$, and thus there exists an efficient adversary, namely $A_{X',Y'}$. In 2006,
Rogaway introduced a way to analyze the security of a single hash function in the standard model by bringing human ignorance into the equation [207], which means that H is secure if there is no efficient algorithm known to man that violates at least one out of the three standard assumptions. Thus, a hash function is considered to be secure if mankind is unable to find an efficient adversary.
Next, we introduce a common hybrid model where an adversary has only restricted access to a hash function.
2.1.3. Hybrid Standard Model
In this thesis, any analyzed cryptographic system is an algorithm that uses (at least one) other component function – the primitive – inside. As the adversary is assumed to have no knowledge about the inner workings of these primitives – in the past always formalized by assuming a secret key – these are accessed by the adversary via an oracle interface. Such an oracle interface essentially formalizes the black-box mode of operation of an adversary towards the scheme or primitive being attacked. It provides a clearly defined set of exposed functions an adversary is able to send queries to and can expect to get an answer from. We always assume that such an adversary is an efficient algorithm, i.e., it has resource-bounded access to the compression or hash function. Next, we give formal definitions of the mentioned standard model assumptions.
Collision Resistance. A hash function H is collision resistant if it is hard to find two distinct inputs that are mapped to the same output. More formally, the advantage of an adversary A with oracle access to H is defined as follows:
Definition 2.3 (Collision Resistance). Let H be a hash function and A be an adversary. Then, the collision advantage of A against H is given by
$$\mathrm{Adv}^{\mathrm{coll}}_{H}(A) = \Pr\left[(M, M') \leftarrow A^{H} : H(M) = H(M') \wedge M \neq M'\right].$$
Note that the adversary A is only limited by the number of queries to its oracles. Thus, we write
$$\mathrm{Adv}^{\mathrm{coll}}_{H}(q, t) = \max_{A} \left\{ \mathrm{Adv}^{\mathrm{coll}}_{H}(A) \right\},$$
where the maximum is taken over all adversaries that ask at most q oracle queries and run in time at most t.
For an n-bit hash function, the number of message pairs with q messages is $\binom{q}{2} = q(q-1)/2 \approx q^2/2$. An ideal n-bit hash function returns random n-bit strings. Since two of these are equal with probability $2^{-n}$, one needs $2^n$ pairs before a collision can be expected. More precisely, with $q = 2^{(n+1)/2}$ queries, the probability of a collision is
Preimage Resistance. A hash function H is preimage resistant if, given a hash value, it is hard to find a message that hashes to this value.
More formally, the advantage of an adversary A with oracle access to H is defined as follows:
Definition 2.4 (Preimage Resistance). Let H be a hash function and A be an adversary. Then, we define the preimage advantage of A against H as
$$\mathrm{Adv}^{\mathrm{pre}}_{H}(A) = \Pr\left[Y \xleftarrow{\$} \{0, 1\}^{n},\ M \leftarrow A^{H, Y} : H(M) = Y\right], \text{ and}$$
$$\mathrm{Adv}^{\mathrm{pre}}_{H}(q, t) = \max_{A} \left\{ \mathrm{Adv}^{\mathrm{pre}}_{H}(A) \right\}$$
as the maximum advantage over all preimage adversaries that ask at most q oracle queries and run in time at most t.
A method for finding preimages that works for any hash function is the brute-force attack, i.e., one hashes random messages until the hash value Y is reached. Assuming that the output of the hash function is uniformly balanced, an adversary is expected to try $2^n$ distinct messages in order to be successful.
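The birthday bound on collisions and the brute-force preimage bound, as an added worked example that is not part of the thesis: it computes the exact and pair-counting collision probabilities for n-bit outputs and then runs both generic searches against a constructed toy n-bit hash (SHA-256 truncated to n bits, with n = 16 so the searches finish quickly). The message encodings and the truncation are assumptions of this demo, not anything the text specifies.

```python
import hashlib
import math

def collision_probability(n: int, q: int) -> float:
    """Exact P[collision] among q uniform n-bit outputs: 1 - prod (1 - i/2^n), in log space."""
    space = 2 ** n
    if q > space:  # pigeonhole: more outputs than the n-bit range can hold
        return 1.0
    return 1.0 - math.exp(sum(math.log1p(-i / space) for i in range(q)))

def birthday_approximation(n: int, q: int) -> float:
    """Pair-counting estimate from the text: q(q-1)/2 pairs, each colliding w.p. 2^-n."""
    return 1.0 - math.exp(-q * (q - 1) / 2 ** (n + 1))

def truncated_hash(msg: bytes, n: int) -> int:
    """Toy n-bit hash, constructed for the demo: the top n bits of SHA-256."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - n)

def find_collision(n: int) -> tuple:
    """Generic birthday search: hash fresh messages until two outputs repeat.
    Returns (M, M', q) with H(M) = H(M'), M != M', after q oracle queries."""
    seen = {}
    q = 0
    while True:
        m = b"coll-" + q.to_bytes(8, "big")
        q += 1
        h = truncated_hash(m, n)
        if h in seen:
            return seen[h], m, q
        seen[h] = m

def find_preimage(n: int, target: int, limit: int) -> tuple:
    """Generic brute force: hash fresh messages until the target value Y is hit.
    Returns (M, q), or (None, limit) if the query budget runs out."""
    for q in range(1, limit + 1):
        m = b"pre-" + q.to_bytes(8, "big")
        if truncated_hash(m, n) == target:
            return m, q
    return None, limit

if __name__ == "__main__":
    n = 16
    q = round(2 ** ((n + 1) / 2))  # the q = 2^((n+1)/2) query count from the text
    print(f"n={n}, q={q}: P[collision] exact {collision_probability(n, q):.3f}, "
          f"approx {birthday_approximation(n, q):.3f}")
    _, _, q_coll = find_collision(n)
    _, q_pre = find_preimage(n, truncated_hash(b"constructed target", n), 1 << 20)
    print(f"collision found after {q_coll} queries (~2^{n//2}), preimage after {q_pre} (~2^{n})")
```

With n = 16 the collision search typically ends after a few hundred queries, while the preimage search needs on the order of $2^{16}$; the gap between the two is the point of the $2^{n/2}$ versus $2^{n}$ bounds.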
2nd-Preimage Resistance. A hash function H is 2nd-preimage resistant if, given a hash value and message pair (Y, M) where Y = H(M), it is hard to find a fresh message that also produces the same hash value. More formally, the advantage of an adversary A with oracle access to H is defined as follows:
Definition 2.5 (2nd-Preimage Resistance). Let H be a hash function and A be an adversary. Then, the 2nd-preimage advantage of A against H for a random message $M \xleftarrow{\$} \{0, 1\}^{*}$ is defined as
$$\mathrm{Adv}^{\mathrm{2nd\text{-}pre}}_{H}(A) = \Pr\left[Y \leftarrow H(M),\ M' \leftarrow A^{H, M, Y} : H(M') = Y \wedge M' \neq M\right], \text{ and}$$
$$\mathrm{Adv}^{\mathrm{2nd\text{-}pre}}_{H}(q, t) = \max_{A} \left\{ \mathrm{Adv}^{\mathrm{2nd\text{-}pre}}_{H}(A) \right\}$$
as the maximum advantage over all 2nd-preimage adversaries that ask at most q oracle queries and run in time at most t.