Towards Defeating Backdoored Random Oracles: Indifferentiability with Bounded Adaptivity

In the backdoored random-oracle (BRO) model, besides access to a random function H, adversaries are provided with a backdoor oracle that can compute arbitrary leakage functions f of the function table of H. Thus, an adversary would be able to invert points, find collisions, test for membership in certain sets, and more. This model was introduced in the work of Bauer, Farshim, and Mazaheri (Crypto 2018) and extends the auxiliary-input idealized models of Unruh (Crypto 2007), Dodis, Guo, and Katz (Eurocrypt 2017), Coretti et al. (Eurocrypt 2018), and Coretti, Dodis, and Guo (Crypto 2018). It was shown that certain security properties, such as one-wayness, pseudorandomness, and collision resistance, can be re-established by combining two independent BROs, even if the adversary has access to both backdoor oracles. In this work we further develop the technique of combining two or more independent BROs to render their backdoors useless in a more general sense. More precisely, we study the question of building an indifferentiable and backdoor-free random function by combining multiple BROs. Achieving full indifferentiability in this model seems very challenging at the moment. We however make progress by showing that the xor combiner goes well beyond security against preprocessing attacks and offers indifferentiability as long as the adaptivity of queries to different backdoor oracles remains logarithmic in the input size of the BROs. We even show that an extractor-based combiner of three BROs can achieve indifferentiability with respect to a linear adaptivity of backdoor queries. Furthermore, a natural restriction of our definition gives rise to a notion of indifferentiability with auxiliary input, for which we give two positive feasibility results. To prove these results we build on and refine techniques by Göös et al. (STOC 2015) and Kothari et al. (STOC 2017) for decomposing distributions with high entropy into distributions with more structure and show how they can be applied in the more involved adaptive settings.
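The following toy model is an added illustration of the objects the abstract talks about; it is not code from the paper or its authors. It models a BRO as a random function table plus a backdoor oracle that evaluates an arbitrary leakage function on that table, builds the xor combiner H1(x) xor H2(x) from the honest interfaces, and shows three things: one backdoor query inverts a single BRO; a full leak of H1 alone rules out no preimage of a combiner output; and a second backdoor query whose leakage function depends on the first answer (adaptive use of the two backdoor oracles) does recover a preimage. The last point is why the abstract's results must bound the adaptivity of backdoor queries. The domain size, the random tables and the way adaptivity is measured (counting switches between backdoor oracles in the query log) are constructed simplifications for this example, and the toy does not bound the length of leakage, which real treatments of the model do.

```python
"""Toy model of backdoored random oracles (BROs) and the xor combiner.

Constructed example: the function tables, leakage functions and queries
below are made up for illustration, and the parameters are far too small
to carry any security meaning.
"""
import random

N_BITS = 8                 # toy domain and range: {0, ..., 255}
SIZE = 1 << N_BITS


class BRO:
    """A random function H with a backdoor oracle.

    H(x) is the honest interface.  backdoor(f) applies an arbitrary
    leakage function f to a copy of the whole function table, which is
    what the BRO model grants the adversary.  Every query is appended to
    a shared log so that adaptivity across oracles can be measured.
    """

    def __init__(self, rng, name, log):
        self.name = name
        self._table = [rng.randrange(SIZE) for _ in range(SIZE)]
        self.log = log

    def H(self, x):
        self.log.append(("H", self.name, x))
        return self._table[x]

    def backdoor(self, f):
        self.log.append(("backdoor", self.name, None))
        return f(tuple(self._table))   # tuple copy: leakage cannot alter H


def xor_combiner(h1, h2):
    """The xor combiner: only the honest interfaces of H1 and H2 are used."""
    return lambda x: h1.H(x) ^ h2.H(x)


def invert_single_bro(bro, y):
    """A single BRO is not one-way: one backdoor query whose leakage
    function scans the table returns a preimage of y (or None)."""
    return bro.backdoor(
        lambda table: next((x for x in range(SIZE) if table[x] == y), None))


def candidates_with_one_backdoor(h1, y):
    """Preimages of y under the combiner that stay consistent with a full
    leak of H1 only.  For every x the required value H2(x) = y ^ H1(x) is
    possible because H2 is independent of H1, so nothing is ruled out:
    the returned map has one entry per x."""
    table1 = h1.backdoor(lambda table: table)       # leak all of H1
    return {x: y ^ table1[x] for x in range(SIZE)}  # H2 value each x would need


def invert_combiner_adaptively(h1, h2, y):
    """Two backdoor queries, the second built from the first answer, find
    a preimage of y under H1 ^ H2.  This is the adaptive use of different
    backdoor oracles that the abstract's results have to bound."""
    table1 = h1.backdoor(lambda table: table)
    return h2.backdoor(
        lambda table2: next(
            (x for x in range(SIZE) if table1[x] ^ table2[x] == y), None))


def backdoor_switches(log):
    """Toy measure of adaptivity between oracles: how often consecutive
    backdoor queries go to different BROs (an assumption of this example,
    not the paper's definition)."""
    names = [name for kind, name, _ in log if kind == "backdoor"]
    return sum(1 for a, b in zip(names, names[1:]) if a != b)


if __name__ == "__main__":
    rng = random.Random(2018)           # fixed seed: reproducible toy tables
    log = []
    h1, h2 = BRO(rng, "H1", log), BRO(rng, "H2", log)

    y = h1.H(37)
    print("single BRO preimage found:", h1.H(invert_single_bro(h1, y)) == y)

    comb = xor_combiner(h1, h2)
    z = comb(37)
    print("candidates left after leaking H1:", len(candidates_with_one_backdoor(h1, z)))
    x = invert_combiner_adaptively(h1, h2, z)
    print("adaptive two-oracle inversion works:", comb(x) == z)
    print("backdoor-oracle switches in log:", backdoor_switches(log))
```

Run as a script it prints the three outcomes and the switch count. The useful observation for a reader of the abstract is the middle result: leaking one whole table leaves all 256 inputs as candidates, so the combiner's weakness is not in either oracle alone but in letting a query to one backdoor depend on the answer of the other.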

[1] Dominique Unruh et al. Random Oracles and Auxiliary Input, 2007, CRYPTO.

[2] Ran Raz et al. Extractors with weak random seeds, 2005, STOC '05.

[3] Shachar Lovett et al. Rectangles Are Nonnegative Juntas, 2015, SIAM J. Comput.

[4] Pooya Farshim et al. Combiners for Backdoored Random Oracles, 2018, CRYPTO.

[5] Ran Canetti et al. Universally composable security: a new paradigm for cryptographic protocols, 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[6] Marc Fischlin et al. Backdoored Hash Functions: Immunizing HMAC and HKDF, 2018, 2018 IEEE 31st Computer Security Foundations Symposium (CSF).

[7] Birgit Pfitzmann et al. A model for asynchronous reactive systems and its application to secure message transmission, 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[8] Yevgeniy Dodis et al. Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and Generic-Group Models, 2018, IACR Cryptol. ePrint Arch.

[9] John P. Steinberger et al. Random Oracles and Non-Uniformity, 2018, IACR Cryptol. ePrint Arch.

[10] Antoine Joux et al. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, 2004, CRYPTO.

[11] John P. Steinberger et al. On the Indifferentiability of Key-Alternating Ciphers, 2013, IACR Cryptol. ePrint Arch.

[12] Adi Shamir et al. On the Strength of the Concatenated Hash Combiner When All the Hash Functions Are Weak, 2008, ICALP.

[13] Stefano Tessaro et al. The equivalence of the random oracle model and the ideal cipher model, revisited, 2010, STOC '11.

[14] Ueli Maurer et al. Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology, 2004, TCC.

[15] Jean-Sébastien Coron et al. The Random Oracle Model and the Ideal Cipher Model Are Equivalent, 2008, CRYPTO.

[16] Guy Kindler et al. Simulating independence: new constructions of condensers, Ramsey graphs, dispersers, and extractors, 2005, STOC '05.

[17] Jonathan Katz et al. Fixing Cracks in the Concrete: Random Oracles with Auxiliary Input, Revisited, 2017, EUROCRYPT.

[18] Rafail Ostrovsky et al. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, 2004, SIAM J. Comput.

[19] Prasad Raghavendra et al. Approximating rectangles by juntas and weakly-exponential lower bounds for LP relaxations of CSPs, 2016, STOC.

[20] Guido Bertoni et al. On the Indifferentiability of the Sponge Construction, 2008, EUROCRYPT.

[21] Marc Stevens et al. The First Collision for Full SHA-1, 2017, CRYPTO.

[22] Moses D. Liskov. Constructing an Ideal Hash Function from Weak Ideal Compression Functions, 2006, Selected Areas in Cryptography.

[23] Thomas Peyrin et al. From Collisions to Chosen-Prefix Collisions - Application to Full SHA-1, 2019, IACR Cryptol. ePrint Arch.

[24] Wen-Guey Tzeng et al. Extracting randomness from multiple independent sources, 2005, IEEE Transactions on Information Theory.

[25] Jean-Sébastien Coron et al. Merkle-Damgård Revisited: How to Construct a Hash Function, 2005, CRYPTO.

[26] Xin Li et al. Three-Source Extractors for Polylogarithmic Min-Entropy, 2015, 2015 IEEE 56th Annual Symposium on Foundations of Computer Science.