11
Hashing

☆ Universal Hash Functions

A standard collision-resistant hash function is designed to be safe even when its salt is public. But we sometimes encounter situations that require collision resistance, where it is possible to keep the hash function's salt private. If the salt can be private, is it possible to use a simpler kind of hash function?

This chapter introduces universal hash functions, which are a private-salt variant of standard collision-resistant hash functions. Universal hash functions are indeed simpler objects: Their security guarantee is simpler, and in practice they are typically more efficient than CRHFs. There are even some universal hash functions whose security can be proven unconditionally.

11.1. Defining universal hash functions

We present two very different, yet equivalent, definitions for security of a universal hash function (UHF). The first definition is much simpler and easier to use when proving that a construction is a secure UHF. The second definition is more convenient when proving security of a construction that uses a secure UHF.

Definition 11.1.1 (Universal hash function)

A function U:{0,1}λ×{0,1}{0,1}nU : \bits^\secpar \times \bits^* \to \bits^n is a secure universal hash function (UHF) if, for all XXX \ne X',

Pr[U(K,X)=U(K,X)] is negligible, \PR{ U(\key,X) = U(\key,X') } \text{ is negligible,}

where the probability is over the uniform choice of K\key from {0,1}λ\bits^\secpar. In other words, for all XXX \ne X', the following block of code outputs true\mytrue with negligible probability:

K{0,1}λ\key \gets \bits^\secpar
return U(K,X)==U(K,X)U(\key,X) == U(\key,X')

This definition can be thought of as a very simple attack scenario. The adversary gets just one chance to find a collision (X,X)(X,X') with respect to the UHF key. The adversary knows nothing about the choice of key. In fact, the key is chosen after XX and XX' are chosen.

The second definition involves an interesting way to think about collision resistance in terms of dictionary data structures. The goal of a dictionary is to provide, for each different XX, a unique place to store data associated with XX. Imagine two ways of implementing a dictionary:

  1. Data that is associated with XX is stored in position L[X]\prftable[X]. This is the “obvious” way to use a dictionary.

  2. Data that is associated with XX is stored in position L[U(K,X)]\prftable[U(\key,X)].

In the absence of collisions in UU, each distinct item XX has its own unique place L[U(K,X)]\prftable[U(\key,X)] in the data structure, and everything will work as expected. On the other hand, if (X,X)(X,X') is a collision in UU, then items associated with XX and XX' both want to be stored in the same place in the data structure, causing a conflict.

So one way to say that collisions are hard to find is to demand that these two ways of implementing a dictionary data structure are indistinguishable:

Definition 11.1.2 (Universal hash function, alternative definition)

A function U:{0,1}λ×{0,1}{0,1}nU : \bits^\secpar \times \bits^* \to \bits^n is a secure universal hash function (UHF) if the following libraries are indistinguishable:

Ldict-realU\lib{dict-real}^U
K{0,1}λ\key \gets \bits^\secpar
dict.set(X,Y)\subname{dict.set}(X, Y):
L[U(K,X)]:=Y\prftable[U(\key,X)] := Y
dict.get(X)\subname{dict.get}(X):
return L[U(K,X)]\prftable[U(\key,X)]
\indist
Ldict-idealU\lib{dict-ideal}^U
dict.set(X,Y)\subname{dict.set}(X, Y):
L[X]:=Y\prftable[X] := Y
dict.get(X)\subname{dict.get}(X):
return L[X]\prftable[X]

As mentioned earlier, the two definitions are equivalent.

Claim 11.1.3 (Equivalence of UHF definitions)

UU satisfies definition 11.1.1 if and only if it satisfies definition 11.1.2.

When we prove security of UHF constructions in this chapter, it is more convenient to prove that they satisfy definition 11.1.1. When we use a UHF to construct something else, it is more convenient to use the fact that they satisfy definition 11.1.2. To justify the results in this chapter, it is therefore enough to prove only the forward direction of claim 11.1.3 (definition 11.1.1 \Rightarrow definition 11.1.2). The other direction is more of theoretical interest, and left as an exercise.

Proof idea: The main challenge of this proof is to reconcile important distinctions between the two security definitions. The Ldict-real\lib{dict-real} library from definition 11.1.2 implicitly makes many comparisons of hash outputs under the same key, but definition 11.1.1 involves only a single comparison under a key. Also, Ldict-real\lib{dict-real} chooses a UHF key K\key at the beginning of time, whereas definition 11.1.1 chooses it after the potential collision (X,X)(X,X') is chosen.

The main idea in the proof is to treat hash collisions as a bad event, and then move all of the bad-event logic to the end of time. That way, the UHF key can be chosen at the end of time, after all UHF inputs have been fixed. Next, we can bound the probability of the bad event using the union bound:

Pr[bad event]=Pr[any collision under K]Pr[(X1,X2) collide under K]+Pr[(X3,X4) collide under K]+\begin{aligned} \PR{ \text{bad event} } &= \PR{ \text{any collision under } \key} \\ & \le \PR{ (X_1,X_2) \text{ collide under } \key } + \PR{ (X_3,X_4) \text{ collide under } \key } + \cdots\end{aligned}

The individual collision events are not independent, since they all involve the same K\key, but they do not need to be independent to apply the union bound. Finally, each term of the form Pr[(X,X) collide under K]\PR{ (X,X') \text{ collide under } \key } describes a situation that is captured by definition 11.1.1. Namely, a pair of inputs is fixed and then K\key is chosen uniformly. Thus, each probability in this sum is negligible, and so is the bad-event probability.

Proof (details (forward direction)):

Hybrid Sequence:
The starting point is Ldict-real\lib{dict-real}.
Similar to the proof of claim 10.5.2, we can implement the dictionary L[]\prftable[\cdot] inefficiently using a list of records and explicit equality comparisons between strings. For this proof it is convenient to store records of the form (X,H,Y)(X, H, Y) where H=U(K,X)H = U(\key,X). When accessing the dictionary, we check the HH-values and ignore the XX-values; they will be used later.
Modify the library to recognize the correct record in the list according to its XX-value instead of HH-value. This will change the library's behavior only in the event that XXX \ne X' but H==HH == H'. So record a bad event in that case; later we will show that the bad event has negligible probability.
Now the UHF outputs are used only to trigger the bad event, and nothing else. So we can move all of the logic involving the UHF and bad event to the end of time. This involves two changes: storing only (X,Y)(X,Y), not HH, in the dictionary records, and storing a list of (X,X)(X,X') pairs that could possibly trigger the bad event.
Ldict-real\lib{dict-real}
K{0,1}λ\key \gets \bits^\secpar
dict.set(X,YX, Y):
L[U(K,X)]:=Y\prftable[U(\key,X)] := Y
dict.get(XX):
return
L[U(K,X)]\prftable[U(\key,X)]
YY

In the last hybrid, dict.get\subname{dict.get} and dict.set\subname{dict.set} implement a dictionary indexed by XX-values, so they provide exactly the same behavior as Ldict-ideal\lib{dict-ideal}. Thus, it suffices to show that the bad event has negligible probability in this hybrid.

At the end of time, we have a set X\mathcal{X} of pairs. Let us focus on just a single pair (X,X)(X,X'). Because of how X\mathcal{X} is defined, we have XXX \ne X'. Furthermore, the UHF key K\key is sampled independently of (X,X)(X,X'), after they have been chosen. This is precisely the situation considered in definition 11.1.1; in other words, Pr[U(K,X)==U(K,X)]\PR{ U(\key,X) == U(\key,X') } is negligible.

Thus, any single pair (X,X)X(X,X') \in \mathcal{X} collides with negligible probability, say, ϵ\epsilon. We can also see that if the adversary makes qq combined calls to dict.get\subname{dict.get} and dict.set\subname{dict.set}, then there will be surely at most q2q^2 pairs added to X\mathcal{X}. By the union bound, the probability of the bad event is at most q2ϵq^2 \cdot \epsilon. Since q2q^2 is polynomial in the security parameter and ϵ\epsilon is negligible, the bad-event probability q2ϵq^2 \cdot \epsilon is negligible.

Note: If (X1,X1)(X_1, X_1') and (X2,X2)(X_2, X_2') are different pairs in X\mathcal{X}, then their collision events U(K,X1)==U(K,X1)U(\key,X_1) == U(\key,X'_1) and U(K,X2)==U(K,X2)U(\key,X_2) == U(\key,X'_2) are not necessarily independent. But the union bound does not require the separate events to be independent.

How is a UHF different than a PRF? In a PRF, we require the outputs to be pseudorandom, while in a UHF they only need to avoid collisions. The outputs of a PRF are shown to the adversary, which is our way of saying “it is safe to use PRF outputs however you like.” The outputs of a UHF remain hidden from the adversary: Think about how the adversary does not see the intermediate values U(K,X)U(\key,X) in Ldict-real\lib{dict-real} of definition 11.1.2. You can interpret the UHF definition as saying, “It is safe to use UHF outputs to check whether two UHF inputs are equal, and nothing else.”

11.2. Universal hash paradigm for PRFs

We motivated UHFs by thinking about them as CRHFs where the salt is private. One situation with private salts is the hash-then-PRF construction in section 10.5.2, which used a CRHF to convert a fixed-input-length PRF into a variable-input-length one. Indeed, we can replace the CRHF in this construction by a UHF:

Construction 11.2.1 (UH-PRF)

Let UU be a UHF with output length λ\secpar, and let FF be a PRF with input length λ\secpar. Then UH-PRF is defined as the following function FF^*:

F((K1,K2),X)F^*\bigl((\key_1,\key_2),X\bigr):
H:=U(K1,X)H := U(\key_1, X)
Y:=F(K2,H)Y := F(\key_2, H)
return YY
\qquad

The input domain of FF^* is the same as that of UU (usually all strings, or all block-aligned strings), and its output length is the same as that of FF.

Claim 11.2.2 (Security of UH-PRF)

If UU is a secure UHF and FF is a secure PRF, then UH-PRF (construction 11.2.1) is a secure PRF.

Proof:

The proof is remarkably simple.

Hybrid Sequence:
We use a short sequence of hybrids starting with Lprf-real\lib{prf-real}.
First, we apply the security of the PRF to replace FF with a lazy random dictionary. The standard three-hop maneuver is not shown.
Next, we apply definition 11.1.2 to replace a dictionary indexed by U(K1,X)U(\key_1, X) with a dictionary indexed directly by XX. The standard three-hop maneuver is not shown. The result is precisely Lprf-rand\lib{prf-rand}, which completes the proof.
Lprf-real\lib{prf-real}
K1{0,1}λ\key_1 \gets \bits^\secpar
K2{0,1}λ\key_2 \gets \bits^\secpar
prf.query\prfquery(XX):
// return F((K1,K2),X)F^*\bigl( (\key_1, \key_2), X \bigr)
H:=U(K1,X)H := U(\key_1, X)
return
F(K2,H)F(\key_2,H)
L[H]\prftable[H]
L[X]\prftable[X]

11.2.1. Handling non-block-aligned data

Construction 11.2.1 results in a variable-input-length PRF that inherits its input domain from the component UHF. What happens if the UHF supports only block-aligned data, but we want a PRF that supports arbitrary-length data?

One natural approach is to add padding, similar to how this is handled in encryption (section 8.6). Padding indeed works fine for this purpose, but remember that padding always increases the length of the data. In particular, if the data already is a multiple of the blocklength, then a block consisting entirely of padding must be added.

There is a clever way to avoid the extra padding block in the UH-PRF construction. The idea is to use different keys for the final PRF, depending on whether the input was block-aligned or not.

Claim 11.2.3 (Handling non-block-aligned inputs in UH-PRF)

Let UU be a UHF with output length λ\secpar, defined for block-aligned data only, so its input domain is ({0,1}λ)(\bits^\secpar)^*. Let FF be a PRF with input length λ\secpar, and let Pad\textsf{Pad} be a padding function (i.e., an injective function whose output is always a multiple of the blocklength λ\secpar). Then the following is a variable-input-length PRF supporting arbitrary lengths (not just multiples of the blocklength):

F((K1,K2,K3),X)F^*\bigl( (\key_1, \key_2, \key_3), X \bigr):
if X|X| is a multiple of λ\secpar:
// XX is already suitable for UU, without padding
H:=U(K1,X)H := U(\key_1, X)
Y:=F(K2,H)Y := F(\hl{\key_2}, H)
else:
H:=U(K1,Pad(X))H := U(\key_1, \hl{\textsf{Pad}(X)})
Y:=F(K3,H)Y := F(\hl{\key_3}, H)
return YY

Exercise 11.7 asks you to prove security of this construction.

11.3. CBC-MAC is a UHF

We introduced CBC-MAC in section 6.6, and warned that it is not secure as a variable-input-length PRF. In this section we show that CBC-MAC is, however, secure as a variable-input-length UHF. It can therefore be promoted to a variable-input-length PRF in a simple way, using construction 11.2.1.

Claim 11.3.1 (Security of CBC-MAC)

CBC-MAC is a secure (variable-input-length) UHF, if the underlying FF is a secure PRF/PRP with blocklength λ\secpar.

Fcbc(K,X1X2X)F_{\textsf{cbc}}(\key, X_1 \| X_2 \| \cdots \| X_\ell):
Y0:=0λY_0 := \bit0^\secpar
for i=1i = 1 to \ell:
Yi:=F(K,Yi1Xi)Y_i := F(\key, Y_{i-1} \oplus X_i)
return YY_\ell

Proof:

CBC-MAC is usually written with Yi1XiY_{i-1} \oplus X_i as the input to the PRF/PRP. In the proof it will be convenient to name these values; we'll use BiB_i for the iith input to the PRF/PRP. Not only that, but it will be convenient to compute the next PRF/PRP input Bi+1B_{i+1} immediately after calling F(K,Bi)F(\key, B_i).

In order to avoid special cases in the code, we also compute a “next PRF/PRP input” even for the last call to FF, although is no “next” input. This “next input” is computed as B+1:=YX+1B_{\ell+1} := Y_\ell \oplus X_{\ell+1}, and yet there is no block X+1X_{\ell+1}. We use the convention that X+1X_{\ell+1} is all zeros, just to avoid referring to a nonexistent variable, but the interpretation of X+1X_{\ell+1} is not terribly important since B+1B_{\ell+1} is not used.

With these changes, we will use the following as our code for CBC-MAC:

Fcbc(K,X1X2X)F_{\textsf{cbc}}(\key, X_1 \| X_2 \| \cdots \| X_\ell):
Y0:=0λY_0 := \bit0^\secpar
for i=1i = 1 to \ell:
Yi:=F(K,Yi1Xi)Y_i := F(\key, Y_{i-1} \oplus X_i)
return YY_\ell
\equiv
Fcbc(K,X1X2X)F_{\textsf{cbc}}(\key, X_1 \| X_2 \| \cdots \| X_\ell):
// by convention, X+1:=0λX_{\ell+1} := \bit0^\secpar
B1:=X1B_1 := X_1
for i=1i = 1 to \ell:
Yi:=F(K,Bi)Y_i := F(\key, B_i)
Bi+1:=YiXi+1B_{i+1} := Y_i \oplus X_{i+1}
return YY_\ell

The Golden Rule of PRFs suggests that we will need to argue that inputs to FF do not repeat (except with negligible probability). This is good advice for this proof, but with a minor complication. Suppose XX and XX' share the same first tt blocks. Then we do expect the two computations Fcbc(K,X)F_{\textsf{cbc}}(\key, X) and Fcbc(K,X)F_{\textsf{cbc}}(\key,X') to use the same first tt inputs to FF. But we don't expect any other PRF calls to have repeated inputs. A more precise interpretation of the Golden Rule is that inputs to FF do not repeat unexpectedly.

If XX and XX' share the same first tt blocks, then we expect every call to FF in the following picture to receive a distinct input:

Most of the difficulty in this proof comes from carefully rewriting the logic of CBC-MAC to treat different calls to FF differently, based on whether whether we expect FF-inputs to repeat or not, matching the logic of this picture.

We will prove that CBC-MAC satisfies definition 11.1.1, meaning that for all XXX \ne X', the following block of code outputs true\mytrue only with negligible probability:

K{0,1}λ\key \gets \bits^\secpar
Y:=Fcbc(K,X)Y := F_{\textsf{cbc}}(\key,X)
Y:=Fcbc(K,X)Y' := F_{\textsf{cbc}}(\key,X')
return Y==YY == Y'

In a sequence of hybrids, we will show that this block of code is indistinguishable from one that always returns false\myfalse.

Hybrid Sequence:
The starting point is a block of code that evaluates CBC-MAC on inputs XX and XX' and tests for a collision.
When XX and XX' are identical in the first ii blocks, then CBC-MAC will compute the same YiY_i value for both. The library can notice this and avoid calling FF twice in this case. No other calls to FF are expected to repeat.
Apply the security of the PRF, replacing FF with a lazy random dictionary. The standard three-hop maneuver is omitted.
Assume that each probe to the random dictionary has never been made before and trigger a bad event when that assumption is violated. We will need to argue later that this bad event has negligible probability.
Instead of sampling L[Bi]\prftable[B_i] and then using it to compute Bi+1B_{i+1}, we can sample Bi+1B_{i+1} and use it to compute L[Bi]\prftable[B_i]. The three-hop maneuver involving claim 2.4.2 is omitted.
The library never reads actual values from L[]\prftable[\cdot]; instead, it only checks whether a value is defined in L[]\prftable[\cdot]. The same functionality can be achieved with a simple set B\mathcal{B}, and we can do away with L[]\prftable[\cdot].
Finally, modify the program to ignore everything that came before and simply return false.\myfalse. The program's output changes only in case of a collision (XXX \ne X' but Y=YY_\ell = Y'_{\ell'}) so we indicate this case as a bad event.
// given: X1XX1XX_1 \| \cdots \| X_\ell \ne X'_1 \| \cdots \| X'_{\ell'}
K{0,1}λ\key \gets \bits^\secpar
// Fcbc(K,X)F_{\textsf{cbc}}(\key,X):
B1:=X1B_1 := X_1
for i=1i = 1 to \ell:
Yi:=Y_i := {}
F(K,Bi)F(\key, B_i)
L[Bi]\prftable[B_i]
{0,1}λ{}\gets \bits^\secpar
:=Bi+1Xi+1{}:= B_{i+1} \oplus X_{i+1}
Bi+1Xi+1B_{i+1} \oplus X_{i+1}
Bi+1:=YiXi+1B_{i+1} := Y_i \oplus X_{i+1}
// Fcbc(K,X)F_{\textsf{cbc}}(\key,X'):
B1:=X1B'_1 := X'_1
for i=1i = 1 to \ell':
Yi:=Y'_i := {}
F(K,Bi)F(\key, B'_i)
L[Bi]\prftable[B'_i]
{0,1}λ{}\gets \bits^\secpar
:=Bi+1Xi+1{}:= B'_{i+1} \oplus X'_{i+1}
Bi+1Xi+1B'_{i+1} \oplus X'_{i+1}
Bi+1:=YiXi+1B'_{i+1} := Y'_i \oplus X'_{i+1}
return
Y==YY_\ell == Y'_{\ell'}
false\myfalse

It now suffices to show that the overall probability of the bad event in this final hybrid is negligible. There are three lines in which a bad event may be triggered, and we will consider the first two separately.

Recall that the set B\mathcal{B} was introduced to store the keys that were previously defined in L[]\prftable[\cdot]. These values correspond to all the inputs to FF visible in the picture, named BiB_i and BiB'_i in the program's code:

The program triggers a bad event if there is an unexpected repeat among these BiB_i/BiB'_i -values. In the final hybrid, all of the BiB_i/BiB'_i values are chosen uniformly, with just two exceptions:

  1. B1B_1 is defined to be X1X_1.

  2. Suppose the CBC-MAC computations of XX and XX' diverge after tt blocks. Thus, XX and XX' agree in the first tt blocks but differ in block t+1t+1. Then you can verify that Bt+1=Bt+1Xt+1Xt+1B'_{t+1} = B_{t+1} \oplus X_{t+1} \oplus X'_{t+1}. In other words, Bt+1B_{t+1} and Bt+1B'_{t+1} have an xor difference of Xt+1Xt+1X_{t+1} \oplus X'_{t+1}, which you can justify to yourself algebraically or with the illustration above.

    (This case does not occur if XX' is simply a prefix of XX. In that case, the strings agree in the first tt blocks but XX' does not have a (t+1)(t+1)th block.)

All other BiB_i and BiB'_i values are chosen uniformly. For a collection of BiB_i and BiB'_i values chosen in this way (almost all of them uniformly, but with 2 possible exceptions), what is the probability of a repeat? It's best to consider an equivalent scenario where they are chosen in the following order:

  • First, B1:=X1B_1 := X_1 is fixed and added to B\mathcal{B}.

  • If the CBC-MAC computations diverge after tt blocks, then let Bt+1B_{t+1} be the next value sampled (uniformly). Both Bt+1B_{t+1} and its sibling Bt+1=Bt+1Xt+1Xt+1B'_{t+1} = B_{t+1} \oplus X_{t+1} \oplus X'_{t+1} are added to B\mathcal{B}. B\mathcal{B} contains only one item at this point, so there are only two choices of Bt+1B_{t+1} that would cause a repeat in B\mathcal{B}, those choices being X1X_1 and X1Xt+1Xt+1X_1 \oplus X_{t+1} \oplus X'_{t+1}. The probability of this step causing the bad event is at most 2/2λ2/2^\secpar.

  • Now all the other BiB_i/BiB'_i values are sampled uniformly and added to B\mathcal{B}; the order doesn't matter because they are all sampled independently. The first of these to be sampled has probability 3/2λ3/2^\secpar of being a repeat, because B\mathcal{B} has three items at this point. The next has probability 4/2λ4/2^\secpar, and so on.

There are at most +\ell+\ell' values of BiB_i/BiB'_i considered in this process. The overall probability of repeats among the BiB_i/BiB'_i values is therefore at most:

22λ+32λ+++2λ. \frac{2}{2^\secpar} + \frac{3}{2^\secpar} + \cdots + \frac{\ell+\ell'}{2^\secpar}.

Finally, consider the other way that the program can trigger a bad event: when XXX \ne X' but Y=YY_\ell = Y'_{\ell'}. To analyze this probability, it is helpful to assume without loss of generality that \ell' \ge \ell; if not, the program can simply swap XX and XX' as its first action. Then the second for-loop must visit its else-branch in its final iteration; otherwise, we would have X=XX = X'. In this final iteration, BB'_{\ell'} is sampled uniformly.

The bad event happens if and only if:

Y=Y    BX=Y    B=XY.\begin{aligned} Y'_{\ell'} &= Y_\ell \\ \iff B'_{\ell'} \oplus X'_{\ell'} &= Y_{\ell'} \\ \iff B'_{\ell'} &= X'_{\ell'} \oplus Y_\ell.\end{aligned}

Since BB'_{\ell'} is sampled uniformly, after the other values XX'_{\ell'} and YY_\ell have already been determined, the probability of this way of triggering the bad event is 1/2λ1/2^\secpar.

Overall, the bad event has probability at most

12λ+(22λ+++2λ)=Birthday(++1,2λ), \frac{1}{2^\secpar} + \left( \frac{2}{2^\secpar} + \cdots + \frac{\ell+\ell'}{2^\secpar} \right) = \Birthday(\ell+\ell'+1, 2^\secpar) ,

which is negligible. This completes the proof.

11.3.1. Variable-input PRFs using CBC-MAC as a UHF

Knowing that CBC-MAC is a UHF, we can compose it with a (fixed-input-length) PRF following the recipe of construction 11.2.1 to obtain a variable-input-length PRF. We now discuss a few ways to instantiate this recipe.

Of course, CBC-MAC itself is built from a fixed-input-length PRF, and it is reasonable to use the same PRF in both roles: both as the primary component of CBC-MAC and the final step of the UH-PRF recipe. It is important to use independent keys for these two different uses of a single PRF.

Claim 11.3.2 (ECBC)

Suppose FF is a secure PRP with blocklength λ\secpar. Then ECBC, defined below, is a secure variable-input-length PRF.

ECBC(K1K2,X1X2X)\textsf{ECBC}(\key_1 \| \key_2, X_1 \| X_2 \| \cdots \| X_\ell):
Y0:=0λY_0 := \bit0^\secpar
for i=1i = 1 to \ell:
Yi:=F(K1,Yi1Xi)Y_i := F(\key_1, Y_{i-1} \oplus X_i)
return F(K2,Y)F(\hl{\key_2},Y_\ell)

Proof:

ECBC exactly follows the recipe of construction 11.2.1, composing CBC-MAC UHF with the PRF FF, on independent keys.

ECBC applies two consecutive PRF calls in its last block. The first of these can be eliminated:

Claim 11.3.3 (FCBC)

Suppose FF is a secure PRP with blocklength λ\secpar. Then FCBC, defined below, is a secure variable-length PRF.

FCBC(K1K2,X1X2X)\textsf{FCBC}(\key_1 \| \key_2, X_1 \| X_2 \| \cdots \| X_\ell):
Y0:=0λY_0 := \bit0^\secpar
for i=1i = 1 to 1\ell-1:
Yi:=F(K1,Yi1Xi)Y_i := F(\key_1, Y_{i-1} \oplus X_i)
return F(K2,Y1X)F(\key_2,Y_{\ell-1} \oplus X_\ell)

Proof:

Define the function CC' as follows:

C(K,X1X2X)C'(\key, X_1 \| X_2 \| \cdots \| X_\ell):
Y0:=0λY_0 := \bit0^\secpar
for i=1i = 1 to 1\ell-1:
Yi:=F(K1,Yi1Xi)Y_i := F(\key_1, Y_{i-1} \oplus X_i)
return Y1XY_{\ell-1} \oplus X_\ell

CC' is therefore just CBC-MAC but without the last call to FF. We can in fact write CBC-MAC in terms of CC' via:

CBCMAC(K,X)=F(K,C(K,X)). \textsf{CBCMAC}(\key, X) = F\bigl( \key, C'(\key, X) \bigr).

Since F(K,)F(\key,\cdot) is a permutation, we have

C(K,X)=C(K,X)    F(K,C(K,X))=F(K,C(K,X))    CBCMAC(K,X)=CBCMAC(K,X).\begin{aligned} C'(\key, X) &= C'(\key, X') \\ \iff F(\key, C'(\key,X)) &= F(\key, C'(\key,X')) \\ \iff \textsf{CBCMAC}(\key,X) &= \textsf{CBCMAC}(\key,X').\end{aligned}

In other words, CC' has exactly the same collision behavior as CBC-MAC, making CC' also a secure UHF. FCBC is the composition of this UHF CC' with the secure PRF/PRP FF, on independent keys. Hence, FCBC is an instance of the UH-PRF recipe.

Another variation on this theme, called CMAC, is discussed in exercise 11.13.

11.4. Poly-UHF: An unconditionally secure UHF

Some UHF constructions can be proven secure unconditionally. Their security doesn't depend on the security of an underlying PRF, like the UHF constructions from previous sections.

The main idea behind unconditionally secure UHFs is to interpret the input string as coefficients of a polynomial, and treat the UHF key as a point on which to evaluate that polynomial. Essentially, to compute the UHF output for a string MM under a key K\key:

  • Chop MM into blocks M=Md1Md2M0M = M_{d-1} \| M_{d-2} \| \cdots \| M_0, of equal and suitable size. To make things simpler, we'll assume that MM is block-aligned.

  • Evaluate the degree-dd polynomial

    Xd+Md1Xd1+Md2Xd2++M1X1+M0 X^d + M_{d-1} X^{d-1} + M_{d-2} X^{d-2} + \cdots + M_1 X^1 + M_0

    at the point X=KX = \key, working mod p\pmod. Here p\pmod is a prime that can be public, even known to the adversary. Use the output of the polynomial as the UHF output.

The reason for writing the subscripts in descending order, and starting from d1d-1, is that it is convenient for an algorithmic optimization that will be discussed later. The reason we interpret MM as a polynomial with leading coefficient 1 is that it ensures different M,MM, M' correspond to different polynomials. Without this convention, leading blocks of zeros have no effect; two different strings MM and MM' could correspond to the same polynomial, if they differ only in leading zero-blocks.

Poly-UHF can be specified in more detail as the following:

Construction 11.4.1 (Poly-UHF)

Let p>2λ\pmod > 2^\secpar be a prime. Then poly-UHF is defined as follows:

U(K,Md1Md2M0)U\bigl(\key, M_{d-1} \| M_{d-2} \| \cdots \| M_0\bigr):
// each MiM_i is exactly λ\secpar bits, interpreted as an integer in {0,,2λ1}\{0, \ldots, 2^\secpar-1\}
// K\key is also interpreted as an integer in {0,,2λ1}\{0, \ldots, 2^\secpar-1\}
return (Kd+Md1Kd1+Md2Kd2++M1K+M0)%p\Bigl( \key^d + M_{d-1} \key^{d-1} + M_{d-2} \key^{d-2} + \cdots + M_1 \key + M_0 \Bigr) \pct \pmod
Claim 11.4.2 (Security of poly-UHF)

Poly-UHF is a secure UHF (unconditionally).

Proof:

We will show that Pr[U(K,M)==U(K,M)]\PR{ U(\key,M) == U(\key,M') } is negligible, when MMM \ne M', and K\key is sampled uniformly from Zp\Z_\pmod.

Write MM and MM' as

M=Md1M0,M=Md1M0.\begin{aligned} M &= M_{d-1} \| \cdots \| M_0, \\ M' &= M'_{d'-1} \| \cdots \| M'_0 .\end{aligned}

and define the following polynomials:

Q(X)=Xd+Md1Xd1++M1X+M0,Q(X)=Xd+Md1Xd1++M1X+M0.\begin{aligned} Q(X) &= X^d + M_{d-1} X^{d-1} + \cdots + M_1 X + M_0, \\ Q'(X) &= X^{d'} + M'_{d'-1} X^{d'-1} + \cdots + M'_1 X + M'_0. \\\end{aligned}

Then we are interested in the probability that Q(K)pQ(K)Q(\key) \equiv_\pmod Q'(\key), over a uniform choice of K\key. We can rewrite the condition as Q(K)Q(K)p0Q(\key) - Q'(\key) \equiv_\pmod 0 and make a few observations:

  • Q(X)Q(X) has degree exactly dd; the leading coefficient on XdX^d is always 1. Similarly, Q(X)Q'(X) has degree exactly dd'.

  • Q(X)Q(X)Q(X) - Q'(X) is a polynomial in XX, of degree at most dmax=max{d,d}d_{\textrm{max}} = \max \{d,d'\}.

  • Since MM and MM' are different strings, Q(X)Q(X) and Q(X)Q'(X) are different polynomials. If MM and MM' differ in the ii-th block (including the case that one of those strings doesn't have an ii-th block), then QQ and QQ' differ in the coefficient of XiX^i.

  • Q(K)pQ(K)Q(\key) \equiv_\pmod Q'(\key) if and only if XX is a root of the (nonzero) polynomial Q(X)Q(X)Q(X) - Q'(X)

Recall the fundamental theorem of algebra, which is true for polynomials modulo a prime:

Fact 11.4.3 (Fundamental theorem of algebra, modulo a prime)

Let p\pmod be a prime, and let A(X)A(X) be a nonzero polynomial (not all coefficients are 0 mod p\pmod) of degree at most dd. Then AA has at most dd roots mod p\pmod. That is, there are at most dd values of XZpX \in \Z_\pmod that satisfy A(X)p0A(X) \equiv_\pmod 0.

Armed with this fact, we can complete the proof:

Pr[U(K,M)=U(K,M)]=Pr[Q(K)pQ(K)]=Pr[Q(K)Q(K)p0]=Pr[K is a root of Q(X)Q(X)]dmax2λ.\begin{aligned} \PR{ U(\key, M) = U(\key, M') } &= \PR{ Q(\key) \equiv_\pmod Q'(\key) } \\ &= \PR{ Q(\key) - Q'(\key) \equiv_\pmod 0 } \\ &= \PR{ \key \text{ is a root of } Q(X) - Q'(X) } \\ &\le \frac{ d_{\textrm{max}} }{2^\secpar}.\end{aligned}

The last step follows from the fact that the polynomial QQQ-Q' has at most dmaxd_{\textrm{max}} roots, and K\key is sampled uniformly from {0,1}λ\bits^\secpar. Since dd and dd' are the lengths of strings chosen by the adversary, dmax=max{d,d}d_{\textrm{max}} = \max\{d,d'\} is polynomial in the security parameter, and the collision probability is negligible.

Horner's method: There is an elegant way to evaluate a polynomial at some particular point, given a list of its coefficients. The idea is summarized in the following example:

aX3+bX2+cX+d=X(aX2+bX+c)+d=X(X(aX+b)+c)+d=X(X(X(a)+b)+c)+d.\begin{aligned} a X^3 + b X^2 + c X + d &= X \bigl( aX^2 + bX + c \bigr) + d \\ &= X \Bigl( X \bigl( aX + b \bigl) + c \Bigr) + d \\ &= X \Bigl( X \bigl( X (a) + b \bigl) + c \Bigr) + d.\end{aligned}

More generally, if we write polyeval(X,cd,,c0)\subname{polyeval}(X, c_d, \ldots, c_0) to denote the value cdXd+c1X+c0c_d X^d + \cdots c_1 X + c_0, then it satisfies the following recurrence:

polyeval(X,cd,,c0)=cdXd+cd1Xd1++c1X+c0=X(cdXd1++c1)+c0=Xpolyeval(X,cd,,c1)+c0.\begin{aligned} \subname{polyeval}(X, c_d, \ldots, c_0) &= c_d X^d + c_{d-1} X^{d-1} + \cdots + c_1 X + c_0 \\ &= X \Bigl( c_d X^{d-1} + \cdots + c_1 \Bigr) + c_0 \\ &= X \cdot \subname{polyeval}(X, c_d, \ldots, c_1) + c_0.\end{aligned}

This recursive formula can be converted into an iterative algorithm, by working from the inside out:

polyeval(X,cd,,c1,c0)\subname{polyeval}(X, c_d, \ldots, c_1, c_0):
Y:=cdY := c_d
for i=d1i=d-1 down to 0:
Y:=XY+ciY := X Y + c_i
return YY
\quad

This simple method for evaluating a polynomial is called Horner's method. We can write the poly-UHF algorithm using Horner's method as:

U(K,Md1Md2M0)U(\key, M_{d-1} \| M_{d-2} \| \cdots \| M_0):
// polyeval(K,1,Md1,,M0)\subname{polyeval}(\key, 1, M_{d-1}, \ldots, M_0):
Y:=1Y := 1
for i=d1i=d-1 down to 0:
Y:=(KY+Mi)%pY := (\key \cdot Y + M_i) \pct \pmod
return YY

Since the final output is needed mod p\pmod, we can reduce the intermediate result mod p\pmod after each iteration of the loop.

Do we really need a prime for Poly-UHF?
We used the fact that a nonzero polynomial of degree at most dd has at most dd roots. This fact is true modulo a prime, but not true modulo a composite. If a nonzero polynomial can have many roots, then there can be many keys that cause two strings to collide, but we need there to be only a negligible fraction of keys with this property. Exercise 11.17 walks through an example of how Poly-UHF is insecure if the modulus is 2λ2^\secpar.

How should the prime be chosen?
Suppose our security parameter is λ=128\secpar=128 and we would like to chop long strings into blocks of length 128, which we interpret as integers in the range {0,,21281}\{0, \ldots, 2^{128}-1\}. Then we can choose any prime p\pmod such that p>2128\pmod > 2^{128}. The security of poly-UHF relies on p\pmod being prime, but not on p\pmod being chosen in any particular way; it is a public parameter of the construction. Hence, p\pmod can be chosen to have some additional properties that make reduction-mod-p\pmod more efficient for a computer. See the example below.

Example 11.4.4 (Poly1305)

Poly1305 is a MAC algorithm, which uses at its core a variant of Poly-UHF modulo the prime p=21305\pmod =2^{130}-5. This prime was chosen because modular reduction modulo such a prime (very close to a power of 2) can be highly optimized for modern processors. Poly1305 uses a few other deviations from our classical Poly-UHF construction, which contribute to its high performance and which are mostly beyond the scope of this book. However, exercise 11.18 explores one aspect of Poly1305, which is to reduce the final result (an element of Z21305\Z_{2^{130}-5}) mod 2λ2^\secpar.

11.4.1. GHASH and GCM encryption

Even when p\pmod is a favorable prime, it can still be awkward to deal with reduction-mod-p\pmod on a computer that prefers to work with powers of 2. However, there is a way to define “addition” and “multiplication” operations over the set {0,1}n\bits^n, which has the necessary algebraic properties for poly-UHF to work. The algebraic structure is called a field. Fields with a finite number of elements are sometimes called Galois fields after their discoverer. (Galois is a French name, pronounced gal-wah.) Some bonus content about fields can be found in appendix B.

GHASH is a variant of Poly-UHF based on arithmetic in Galois fields (the G is for Galois). GHASH is used in GCM (Galois counter mode) encryption, the most popular standardized AEAD mode. GCM is an instance of encrypt-then-MAC (construction 9.5.1), with CTR mode as the encryption scheme, and GHASH as the UHF underlying its MAC.

Exercises

  1. Prove the other direction of claim 11.1.3, that definition 11.1.2 implies definition 11.1.1.

  2. Prove that every secure CRHF is also a secure UHF, interpreting the CRHF salt as the UHF key.

  3. Prove that every secure PRF with λ\secpar output bits is also a secure UHF.

  4. Prove that if UU is a secure UHF with output length λ\secpar bits, then U(K,X)=U(K,X)KU'(\key,X) = U(\key,X) \oplus \key is also a secure UHF.

  5. We say that H:{0,1}λ×{0,1}{0,1}nH : \bits^\secpar \times \bits^* \to \bits^n is almost-xor-universal (AXU) if, for all strings XXX \ne X and all Δ{0,1}n\Delta \in \bits^n,

    Pr[H(K,X)H(K,X)=Δ] is negligible, \PR{ H(\key,X) \oplus H(\key,X') = \Delta } \text{ is negligible,}

    where the probability is over the uniform choice of K\key from {0,1}λ\bits^\secpar. In other words, for all XXX \ne X' and Δ\Delta, the following block of code outputs true\mytrue with negligible probability:

    K{0,1}λ\key \gets \bits^\secpar
    return H(K,X)H(K,X)==ΔH(\key,X) \oplus H(\key,X') == \Delta
    1. Prove that if HH is AXU, then the function U(K,XY)=H(K,X)YU(\key, X\|Y) = H(\key,X) \oplus Y is a secure UHF (YY is nn bits).

    2. Prove that CBC-MAC is AXU.

    3. Show that Poly-UHF (as we have defined it) is not AXU. Use addition-mod-pp instead of xor in the security definition of AXU.

    4. Suggest a slight variant of Poly-UHF that is AXU and prove its security.

  6. Let UU be a secure UHF that supports only block-aligned inputs, and let Pad\textsf{Pad} be a padding function (definition 8.6.1). Prove that the function U(K,X)=U(K,Pad(X))U'(\key,X) = U(\key,\textsf{Pad}(X)) is a secure UHF, supporting arbitrary-length inputs.

  7. Prove claim 11.2.3 (security of UH-PRF for non-block-aligned inputs).

  8. Theorem 7.3.4 proves that a 3-round keyed Feistel cipher (section 7.3) construction is a secure PRP if each of its round functions is a PRF. Suppose we replace the first function with a simpler function HH, such that U(K,XY)=XH(K,Y)U(\key, X \| Y) = X \oplus H(\key,Y) is a secure UHF (i.e., HH is AXU; see exercise 11.5). In other words:

    F(K1K2K3, X0X1)\mathbb{F}\Bigl( \key_1\|\key_2 \|\key_3, ~ X_0 \| X_1 \Bigr):
    X2:=X0H(K1,X1)X_2 := X_0 \oplus \hl{H}(\key_1, X_1) // =U(K1,X0X1){} = U(\key_1, X_0 \| X_1)
    X3:=X1F(K2,X2)X_3 := X_1 \oplus F(\key_2, X_2)
    X4:=X2F(K3,X3)X_4 := X_2 \oplus F(\key_3, X_3)
    return X3X4X_3 \| X_4

    Prove that the resulting construction is a secure PRP.

  9. h Let FF be a secure PRF with input and output length λ\secpar. Prove that the following function is also a secure PRF with input length 2λ2\secpar:

    H(K1K2K3,X1X2)=F(K3,F(K1,X1)F(K2,X2)). H\bigl( \key_1\| \key_2 \| \key_3, X_1 \| X_2 \bigr) = F\bigl(\key_3, F(\key_1,X_1) \oplus F(\key_2, X_2)\bigr).

    It is an instance of UH-PRF.

  10. h\star Let FF be a secure PRF with input and output length λ\secpar. Prove that the following function is also a secure variable-length PRF:

    H(K,X1X2X)H( \key, X_1 \| X_2 \| \cdots \| X_\ell):
    Y:=0λY := \bit 0^\secpar
    for i=1i = 1 to \ell:
    Ki:=F(K,i)\key_i := F(\key,i)
    Y:=YF(Ki,Xi)Y := Y \oplus F( \key_i, X_i)
    K:=F(K,0)\key^* := F(\key, 0)
    return F(K,Y)F(\key^*, Y)

    It is an instance of UH-PRF.

  11. Let Σ\Sigma be an encryption scheme. Let HH be a keyed function and define U(K,CA)=CH(K,A)U(\key,C\|A) = C \oplus H(\key,A), where the output of HH is padded with zeros (on the left, say) if its length is different from CC. For example, if C=01010101C = \bit{01010101} and H(K,A)=111H(\key,A) = \bit{111} then CH(K,A)C \oplus H(\key,A) means 01010010\bit{01010}\hl{\bit{010}}.

    Prove that if Σ\Sigma is a secure AE, and UU is a secure UHF (i.e., HH is AXU; see exercise 11.5), then the following scheme is a secure AEAD:

    K=Σ.K×{0,1}λM=Σ.MC()=Σ.C()\begin{aligned} \K &= \Sigma.\K \times \bits^\secpar \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell) \end{aligned}
    Enc((Ke,Km),A,M)\Enc\bigl( (\key_e,\key_m), \hl{A,} \ptxt \bigr):
    C:=Σ.Enc(Ke,M)\ctxt := \Sigma.\Enc(\key_e, \ptxt)
    T:=H(Km,A)T := H(\key_m, A)
    // pad TT with zeros as needed:
    return CT\ctxt \oplus T
    Dec((Ke,Km),A,C)\Dec\bigl( (\key_e,\key_m), \hl{A,} \ctxt \bigr):
    T:=H(Km,A)T := H(\key_m, A)
    // pad TT with zeros as needed:
    C:=CT\ctxt' := \ctxt \oplus T
    return Σ.Dec(Ke,C)\Sigma.\Dec(\key_e, \ctxt' )

    Connect the situation in this construction to exercise 11.5.

  12. Let Σ\Sigma be a secure AEAD scheme that supports fixed-length associated data A={0,1}λ\A = \bits^\secpar. Let UU be a secure UHF that supports arbitrary-length inputs. Prove that the following construction is also a secure AEAD, supporting arbitrary-length associated data:

    K=Σ.K×{0,1}λM=Σ.MC()=Σ.C()A={0,1}\begin{aligned} \K &= \Sigma.\K \times \bits^\secpar \\ \M &= \Sigma.\M \\ \C(\ell) &= \Sigma.\C(\ell) \\ \A &= \bits^* \end{aligned}
    Enc((Ke,Ku),A,M)\Enc\bigl( (\key_e,\key_u), A, \ptxt \bigr):
    A:=U(Ku,A)A' := U(\key_u, A)
    return Σ.Enc(Ke,A,M)\Sigma.\Enc(\key_e, A',\ptxt)
    Dec((Ke,Ku),A,C)\Dec\bigl( (\key_e,\key_u), A, \ctxt \bigr):
    A:=U(Ku,A)A' := U(\key_u, A)
    return Σ.Dec(Ke,A,C)\Sigma.\Dec(\key_e, A',\ctxt)
  13. h CMAC is a variant of CBC-MAC, in which we xor the last block with an independent key K2\key_2. In other words, CMAC is equivalent to plain CBC-MAC applied to X1X2(XK2)X_1 \| X_2 \| \cdots \| (X_\ell \oplus \key_2). CMAC has the convenient property that all of its calls to FF use the same key K1\key_1.

    F(K1K2,X1X2X)F'\bigl( \key_1 \| \key_2, X_1 \| X_2 \| \cdots \| X_\ell \bigr):
    Y:=0λY := \bit 0^\secpar
    for i=1i=1 to 1\ell-1:
    Y:=F(K1,YXi)Y := F( \key_1, Y \oplus X_i )
    Y:=F(K1,YXK2)Y := F( \key_1, Y \oplus X_\ell \hl{\oplus \key_2} )
    return YY

    1. Prove that if FF is a secure PRF, then F(K1,)F(\key_1, \cdot) and F(K1,K2)F(\key_1, \key_2 \oplus \cdot) behave like two independent random functions. In other words, prove that the following two libraries are indistinguishable:

      K1{0,1}λ\key_1 \gets \bits^\secpar
      K2{0,1}λ\key_2 \gets \bits^\secpar
      prf.query1(X)\prfquery_1(X):
      return F(K1,X)F(\key_1, X)
      prf.query2(X)\prfquery_2(X):
      return F(K1,K2X)F(\key_1, \key_2 \oplus X)
      \indist
      prf.query1(X)\prfquery_1(X):
      if L1[X]\prftable_1[X] undefined:
      L1[X]{0,1}λ\prftable_1[X] \gets \bits^\secpar
      return L1[X]\prftable_1[X]
      prf.query2(X)\prfquery_2(X):
      if L2[X]\prftable_2[X] undefined:
      L2[X]{0,1}λ\prftable_2[X] \gets \bits^\secpar
      return L2[X]\prftable_2[X]
    2. Prove that CMAC is a secure variable-input-length PRF if FF is a secure PRP.

    CMAC can be reframed as an instance of UH-PRF.

  14. CBC-MAC invokes the underlying PRF on input Yi1XiY_{i-1} \oplus X_i. Suppose we instead use Yi1XiY_{i-1} \| X_i as input; this will require a PRF with input length 2λ2\secpar and output length λ\secpar.

    Prove that the resulting function is a secure variable-length UHF if FF is a secure PRF:

    F(K,X1X2X)F'( \key, X_1 \| X_2 \| \cdots \| X_\ell ):
    Y0:=0λY_0 := \bit 0^\secpar
    for i=1i=1 to \ell:
    Yi:=F(K,Yi1Xi)Y_i := F( \key, Y_{i-1} \| X_i )
    return YY_\ell
    \qquad
  15. Show that ECBC (construction 11.3.2), FCBC (construction 11.3.3) and CMAC (exercise 11.13) are not secure CRHFs: If their key is made public like a salt, then it is possible to efficiently compute collisions.

  16. Poly-UHF interprets its input string as the coefficients of a polynomial, always fixing the leading coefficient to 1. Suppose the leading coefficient is not fixed and we interpret input Md1M0M_{d-1} \| \cdots \| M_0 as the polynomial Md1Xd1++M1X+M0M_{d-1} X^{d-1} + \cdots + M_1 X + M_0. Show that the resulting variant of Poly-UHF is not a secure UHF.

    1. Give an example of a nonzero polynomial of degree dd that has more than dd roots over Z2λ\Z_{2^\secpar}. Ideally, your polynomial should have 2λ12^{\secpar-1} roots.

    2. Describe a concrete attack against poly-UHF mod 2λ2^\secpar that produces a collision with constant probability (e.g., 1/2).

  17. h Below is a simplified version of Poly1305, which is a variant of poly-UHF:

    p=21305λ=128\begin{aligned} \pmod &= 2^{130}-5 \\ \secpar &= 128 \end{aligned}
    Poly1305(K,MdMd1M1)\textsf{Poly1305}(\key, M_d \| M_{d-1} \| \cdots \| M_1):
    // each MiM_i is exactly λ\secpar bits, interpreted as an integer in {0,,21281}\{0, \ldots, 2^{128}-1\}
    return [(Kd+1+MdKd+Md1Kd1++M1K)%p]%2128\Bigl[ \bigl( \key^{d+1} + M_{d} \key^{d} + M_{d-1} \key^{d-1} + \cdots + M_1 \key \bigr) \pct \pmod \Bigr] \pct 2^{128}

    For the purposes of this exercise, Poly1305 includes two important changes relative to construction 11.4.1: (1) It interprets the input as coefficients of a polynomial whose constant coefficient is zero, so the subscripts MiM_i are shifted by one compared to construction 11.4.1. (2) After evaluating this polynomial mod p\pmod, the result is further reduced mod 21282^{128}.

    This exercise explores the security of these changes.

    1. Speaking more abstractly, let p>2λ\pmod > 2^\secpar be a prime, and define k=p/2λk = \lceil p / 2^\secpar \rceil. For example, with λ=128\secpar = 128, Poly1305 has k=4k = 4. Let AA and BB be integers in the range {0,,p1}\{0, \ldots, p-1\}. Argue that there is a set S\mathcal{S}, with S2k+1|\mathcal{S}| \le 2k+1, such that:

      A2λB    ABS. A \equiv_{2^\secpar} B \implies A - B \in \mathcal{S}.

      The expression ABA-B refers to subtraction over the integers (no modular reduction).

    2. Let Q(X)Q(X) and Q(X)Q'(X) be distinct polynomials, of degree at most dd, both with constant coefficient 0. Prove that when K\key is chosen uniformly from Zp\Z_\pmod,

      Pr[Q(K)%p2λQ(K)%p](2k+1)dp. \PR{ Q(\key) \pct \pmod \equiv_{2^\secpar} Q'(\key) \pct \pmod } \le \frac{(2k+1)d}{\pmod}.

      Where did you use the fact that QQ and QQ' have constant coefficient 0?

    Q(K)%p2λQ(K)%p    (Q(K)%p)(Q(K)%p)S    sS:(Q(K)%p)(Q(K)%p)=s    sS:Q(K)Q(K)ps.\begin{aligned} & Q(\key) \pct \pmod \equiv_{2^\secpar} Q'(\key) \pct \pmod \\ \implies & (Q(\key) \pct \pmod) - (Q'(\key) \pct \pmod) \in \mathcal{S} \\ \implies & \exists s \in \mathcal{S} : (Q(\key) \pct \pmod) - (Q'(\key) \pct \pmod) = s \\ \implies & \exists s \in \mathcal{S} : Q(\key) - Q'(\key) \equiv_\pmod s.\end{aligned}
  18. Show that Poly-UHF is not a secure CRHF: If its key is made public like a salt, then it is possible to efficiently compute collisions.

  19. Show that Poly-UHF is not a secure PRF.

    1. Suppose you are given two block-aligned strings M\ptxt and M\ptxt' and two poly-UHF keys K\key and K\key'. Show how to efficiently compute blocks AA and AA' such that:

      PolyUHF(K,MA)=PolyUHF(K,MA). \textsf{PolyUHF}(\key, \ptxt \| A) = \textsf{PolyUHF}(\key', \ptxt' \| A').
    2. Let Σ\Sigma denote the authenticated encryption scheme obtained by applying Encrypt-then-MAC to

      • CTR-mode encryption; and

      • UH-PRF MAC, using poly-UHF as the underlying UHF.

      Describe how to compute a single ciphertext C\ctxt and two keys K,K\key, \key' such that Σ.Dec(K,C)Σ.Dec(K,C)\Sigma.\Dec(\key, \ctxt) \ne \Sigma.\Dec(\key',\ctxt), and neither decryption results in err\myerr. Can you make the two resulting plaintexts meaningful?

Chapter Notes

Universal hash functions were introduced by Carter and Wegman [63], who used them to construct an authentication method that is similar to our UH-PRF. In their method, instead of applying the PRF to the UHF output, they encrypt the UHF output with a fresh one-time pad known to the sender and receiver. Brassard proposed a variant where the one-time pads are generated pseudorandomly from a short seed [53]. This paradigm is used in modern authenticated encryption schemes like GCM [158] and its antecedent CWC [137].

The variant of UHF called almost-xor-universal (AXU; exercise 11.5) was first defined by Krawczyk [138].

The paradigm composing a UHF with a PRF was analyzed by Black, Halevi, Krawczyk, Krovetz, and Rogaway [42]. Their main construction is a nonce-based MAC; the construction presented in construction 11.2.1 is a simpler deterministic variant. Our security proof for this variant follows the proofs given by Black and Rogaway [44,43] and by Bellare [12].

Lucks was the first to observe and prove that the first round of a Feistel cipher can use a UHF rather than a PRF, as in exercise 11.8 [150]. The result was later extended by Naor and Reingold [169].

The AEAD construction in exercise 11.11 is one of the general-purpose constructions from Rogaway's paper that introduces AEAD [190].

Petrank and Rackoff were the first to propose construction 11.3.2 as a secure variable-length PRF [181]. Black and Rogaway [44,43] named this construction ECBC and extended it to support non-block-aligned inputs, using the technique described in claim 11.2.3. In the same paper, they also described FCBC (construction 11.3.3) and CMAC (exercise 11.13), which they originally named XCBC. Our analysis of all of these CBC-MAC variants closely follows their approach, first proving that CBC-MAC is a UHF, then viewing the schemes as instances of UH-PRF.

Horner's method for polynomial evaluation is named after Horner, who described it in 1819 [124]. Horner attributes the method to Lagrange, and it was also known to ancient Chinese and Persian mathematicians. See Mikami [163] and Libbrecht [147] for a history of the method's Chinese origins.

den Boer [82] and Taylor [209] were the first to suggest polynomials as universal hash functions. Poly1305 is due to Bernstein, and the analysis in exercise 11.18 follows the Poly1305 design document [34].

Exercise 11.21 is inspired by an attack on Facebook's abuse reporting mechanism discovered by Dodis, Grubbs, Ristenpart, and Woodage [87].

  1. Previous Chapter10. Collision-Resistant Hash Functions
  2. Next Chapter12. Random Oracles and Other Idealized Models