
Re: [Cfrg] Re: AES-based hash function



John Viega wrote:
> [...] (You can possibly make some provable constructions in the "perfect cipher model", but this is an exceedingly unrealistic model.)
> [...]
> Now, I do agree the ideal cipher model is unrealistic in that, while
> we're assuming AES is an ideal cipher, it clearly cannot be one.
> While we could postulate more satisfying theoretical results, the
> ideal cipher model seems like the best assurance we're going to get
> for this kind of construct any time soon.

Maybe, it's just that this level of assurance is not very reassuring (for me, at least).

> Relying on the ideal cipher model for assurance is similar to relying
> on the random oracle model for assurance.  There are systems provably
> secure in that model that have no secure instantiation when the oracle
> is replaced with a real function.  We know that, yet in practice, it
> seems to serve us reasonably well.

I don't believe in the analogy to the random-oracle model. As much as
I have problems with the random-oracle model (for theoretical reasons),
proving something in the random-oracle model guarantees that "the common types of attacks" on the scheme cannot work. Not so in the ideal cipher model, where there are natural constructions that are secure in the ideal-cipher model but are insecure in real life.


The most striking example is the AuthA password-based key-exchange
protocol (see IEEE P1363.2). There, the EKE proof of security in the
ideal-cipher model (Bellare et al., Eurocrypt '00) abstracts away real-world problems that exist in some implementations. Indeed some
implementations that follow the outline of the "provable scheme" were
found to be insecure. (It should be noted that the specific reasons that
these implementations fail are not relevant to our quest of constructing
hash functions from block ciphers. But it does say something about the
model.)


-- Shai

