Domain Separation (cryptography)
   HOME

TheInfoList



Click Here for Items Related To - Domain Separation (cryptography)
OR:
Domain Separation (cryptography) on:   [Wikipedia]   [Google]   [Amazon]

In
cryptography Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...
, domain separation is a construct used to implement multiple different functions using only one underlying template in an efficient way. The domain separation can be defined as partitioning of the
domain of a function In mathematics, the domain of a function is the Set (mathematics), set of inputs accepted by the Function (mathematics), function. It is sometimes denoted by \operatorname(f) or \operatornamef, where is the function. In layman's terms, the doma ...
to assign separate subdomains to different applications of the same function. For example,
cryptographic protocols A cryptographic protocol is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used and in ...
typically rely on
random oracle In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every tim ...
s (ROs, functions that return a value fully determined by their input yet otherwise random). The security proofs for these protocols are based on the assumption that the random oracle is unique to the protocol: if two protocols share the same RO, the assumptions of the proof are not met anymore. Since creating a new
cryptographic primitive Cryptographic primitives are well-established, low-level cryptography, cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash fun ...
from scratch each time an RO is needed is impractical, multiple ROs (say, RO1 and RO2) are produced by prepending unique domain separation tags (DSTs, also known as ''domain separators'') to the input of a base oracle RO: :RO1(x) := RO("RO1" , , x) :RO2(x) := RO("RO2" , , x) where "RO1" and "RO2" are the strings representing the unique DSTs and , , is a concatenation operator. If the underlying RO function is secure (say, it is a
cryptographic hash A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with a fixed size of n bits) that has special properties desirable for a cryptographic application: * the probability of a particu ...
), RO1 and RO2 are
statistically independent Independence is a fundamental notion in probability theory, as in statistics and the theory of stochastic processes. Two event (probability theory), events are independent, statistically independent, or stochastically independent if, informally s ...
. The technique was originally proposed by Bellare & Rogaway in 1993.


Uses

The domain separation construct can be used for multiple purposes: * providing independent ROs for protocols; * extending the output size of an RO (for example, by using the RO multiple times (numbered from 1 to L), each time using a representation of oracle number as a DST. This technique is called "counter mode" due to its similarity to the counter mode of a
block cipher In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called ''blocks''. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage a ...
; * "keying" the oracle by using an encryption key as a DST. In the practical sense, the domain separation can provide "customization", an equivalent of the
strong typing In computer programming, one of the many ways that programming languages are colloquially classified is whether the language's type system makes it strongly typed or weakly typed (loosely typed). However, there is no precise technical definition o ...
in programming: it enforces the use of independent calculations for different tasks, so an attacker that had learned a result of one calculation will get no information about another one.


Kinds of functions

Domain separation can be used with functions implementing different
cryptographic primitive Cryptographic primitives are well-established, low-level cryptography, cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. These routines include, but are not limited to, one-way hash fun ...
s.


Hash functions

Domain separation is most commonly used with hash functions. The input domain of a hash function is practically unlimited, it is easy to partition it among any number of derived functions, for example, by prepending or appending of a DST to the message. Domain separation is used within the implementation of some hash functions to produce multiple different functions from the same design. For example, in
SHA-3 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like stru ...
the domain separation makes sure that the differently named functions (like SHA3-512 or
SHAKE128 SHA-3 (Secure Hash Algorithm 3) is the latest member of the Secure Hash Algorithm family of standards, released by NIST on August 5, 2015. Although part of the same series of standards, SHA-3 is internally different from the MD5-like struct ...
) are independent.


Symmetric ciphers and MACs

The security of
symmetric cipher Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between ...
s and
MAC Mac or MAC may refer to: Common meanings * Mac (computer), a line of personal computers made by Apple Inc. * Mackintosh, a raincoat made of rubberized cloth * Mac, a prefix to surnames derived from Gaelic languages * McIntosh (apple), a Canadi ...
s critically depends on the key not being used for other purposes. If an application needs multiple keys but has only one source of keying material, it would typically employ a
key derivation function In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function (which typically uses a cr ...
to produce the keys. KDFs can usually produce output of arbitrary length, so they can be used to generate any number of keys. Also, just like hash functions, some symmetric ciphers and MACs use domain separation internally.


Signatures

In many cases, it is desirable to use a single signing key to produce digital signatures for different purposes. If this is done, it is important to make sure that signed messages intended for one purpose cannot be used for the other. A simple way to achieve this is to add to each message an identifier specifying the purpose, and to reject a message if the identifier doesn't match.


References


Sources

* * * * * * Cryptography {{Improve categories, date=January 2024