Domain separation
{{Short description|Cryptographic technique}}
In cryptography, domain separation is a construct used to implement multiple different functions using only one underlying template in an efficient way.{{sfn | Hampiholi | Alpár | van den Broek | Jacobs | 2015 | p=317}} The domain separation can be defined as partitioning of the domain of a function to assign separate subdomains to different applications of the same function.{{sfn|Kelsey|Chang|Perlner|2016|p=3}}
For example, cryptographic protocols typically rely on random oracles (ROs, functions that return a value fully determined by their input yet otherwise random). The security proofs for these protocols are based on the assumption that the random oracle is unique to the protocol: if two protocols share the same RO, the assumptions of the proof no longer hold. Since creating a new cryptographic primitive from scratch each time an RO is needed is impractical, multiple ROs (say, RO1 and RO2) are produced by prepending unique domain separation tags (DSTs, also known as domain separators) to the input of a base oracle RO:
:RO1(x) := RO("RO1" || x)
:RO2(x) := RO("RO2" || x)
where "RO1" and "RO2" are the strings representing the unique DSTs and || is a concatenation operator.{{sfn|Faz-Hernandez|Scott|Sullivan|Wahby|2023|loc=Domain Separation}} If the underlying RO function is secure (say, it is a cryptographic hash), RO1 and RO2 behave as independent random oracles.{{sfn | Hampiholi | Alpár | van den Broek | Jacobs | 2015 | p=317}} In practice the tag must be encoded so that the boundary between tag and input is unambiguous, for example by giving it a fixed length or prefixing it with its length; RFC 9380 appends a one-byte length to the DST for this reason.{{sfn|Faz-Hernandez|Scott|Sullivan|Wahby|2023|loc=Domain Separation}} The technique was originally proposed{{sfn | Bellare | Bernstein | Tessaro | 2016 | p=566}} by Bellare & Rogaway in 1993.{{sfn | Bellare | Rogaway | 1993 | p=}}
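The construction above in working form, as an added example that is not part of the original article or of any cited source. SHA-256 stands in for the base oracle RO (an assumption of this example), and the tag is encoded with the encode_string function from NIST SP 800-185 (left_encode of the bit length, then the bytes) rather than bare concatenation; the last two functions show why that matters when tags are not of fixed length.

```python
import hashlib

# Constructed example: derive RO1 and RO2 from a single base oracle.
# SHA-256 plays the role of RO; this is an assumption of the example.


def left_encode(x: int) -> bytes:
    """NIST SP 800-185 left_encode: the big-endian bytes of x, preceded
    by a single byte giving how many bytes follow (at least one)."""
    if x < 0:
        raise ValueError("x must be non-negative")
    n = max(1, (x.bit_length() + 7) // 8)
    return bytes([n]) + x.to_bytes(n, "big")


def encode_string(s: bytes) -> bytes:
    """NIST SP 800-185 encode_string: left_encode(bit length of s) || s.
    The length prefix makes the tag/message boundary unambiguous."""
    return left_encode(8 * len(s)) + s


def base_ro(data: bytes) -> bytes:
    """The shared base oracle RO (SHA-256 here, by assumption)."""
    return hashlib.sha256(data).digest()


def derived_ro(dst: bytes):
    """Return the function RO_dst(x) := RO(encode_string(dst) || x)."""
    tagged = encode_string(dst)

    def ro(x: bytes) -> bytes:
        return base_ro(tagged + x)

    return ro


# The two oracles from the text.
RO1 = derived_ro(b"RO1")
RO2 = derived_ro(b"RO2")


def same_input_differs(x: bytes) -> bool:
    """RO1 and RO2 give unrelated outputs on the same input."""
    return RO1(x) != RO2(x)


def naive_ro(dst: bytes, x: bytes) -> bytes:
    """Bare concatenation RO(dst || x), shown only to illustrate the pitfall."""
    return base_ro(dst + x)


def naive_is_ambiguous() -> bool:
    """With bare concatenation, tag "RO1" on message "2data" and tag "RO12"
    on message "data" hash the very same byte string, so the two derived
    oracles are not actually separated."""
    return naive_ro(b"RO1", b"2data") == naive_ro(b"RO12", b"data")


def encoded_is_unambiguous() -> bool:
    """The length-prefixed encoding keeps those two cases apart."""
    return derived_ro(b"RO1")(b"2data") != derived_ro(b"RO12")(b"data")
```

With fixed-length tags such as "RO1" and "RO2" bare concatenation is safe, but a library that accepts caller-chosen tags cannot rely on that, which is why both SP 800-185 and RFC 9380 encode the length.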
Uses
The domain separation construct can be used for multiple purposes:
- providing independent ROs for protocols;{{sfn | Mittelbach | Fischlin | 2021 | p=357}}
- extending the output size of an RO, for example by calling the RO multiple times (numbered from 1 to L), each time using a representation of the call number as the DST. This technique is called "counter mode" due to its similarity to the counter mode of a block cipher;{{sfn | Mittelbach | Fischlin | 2021 | p=358}}
- "keying" the oracle by using an encryption key as a DST.{{sfn | Mittelbach | Fischlin | 2021 | p=359}}
In practical terms, domain separation provides "customization", an analogue of strong typing in programming: it enforces the use of independent calculations for different tasks, so an attacker who has learned the result of one calculation gains no information about another.{{sfn|Kelsey|Chang|Perlner|2016|p=1}}
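The second and third uses in the list above (counter-mode output extension and keying the oracle), as an added example that is not code from the article or from Mittelbach and Fischlin. SHA-256 stands in for the base oracle, and the counter and key are written as fixed-width or length-prefixed fields so that their boundary with the input is unambiguous; both choices are assumptions of this example.

```python
import hashlib

OUT = 32  # output size of the base oracle (SHA-256) in bytes


def ro(data: bytes) -> bytes:
    """Base oracle; SHA-256 stands in for RO (an assumption of this example)."""
    return hashlib.sha256(data).digest()


def counter_mode(x: bytes, out_len: int) -> bytes:
    """Extend the oracle's output: RO(1 || x) || RO(2 || x) || ... truncated
    to out_len bytes. The call number is the DST of each call and is written
    as a fixed 4-byte big-endian field so it cannot blend into x."""
    if out_len < 0:
        raise ValueError("out_len must be non-negative")
    n_blocks = -(-out_len // OUT)  # ceiling division
    blocks = [ro(i.to_bytes(4, "big") + x) for i in range(1, n_blocks + 1)]
    return b"".join(blocks)[:out_len]


def keyed_ro(key: bytes):
    """'Key' the oracle by using the key as the DST: RO_key(x) := RO(key || x).
    The key is length-prefixed for the same boundary reason as the counter."""
    tag = len(key).to_bytes(4, "big") + key

    def f(x: bytes) -> bytes:
        return ro(tag + x)

    return f


def blocks_are_distinct(x: bytes, out_len: int) -> bool:
    """Every OUT-byte block of the expanded output differs from the others,
    as expected when each counter value selects an independent oracle."""
    out = counter_mode(x, out_len)
    chunks = [out[i:i + OUT] for i in range(0, len(out), OUT)]
    return len(set(chunks)) == len(chunks)
```

Two cautions for real deployments: the prefix-keyed form RO(key || x) is only an oracle-model idealization, and with a Merkle–Damgård hash such as SHA-256 it is exposed to length-extension, which is why HMAC is used for keyed hashing in practice; and the output of counter_mode is only as unpredictable as x, so it expands an oracle's output length but does not add entropy.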
Kinds of functions
Domain separation can be used with functions implementing different cryptographic primitives.
= Hash functions =
Domain separation is most commonly used with hash functions. Because the input domain of a hash function is practically unlimited, it is easy to partition it among any number of derived functions, for example by prepending or appending a DST to the message.{{cite conference|url=https://link.springer.com/chapter/10.1007/978-3-030-44223-1_28|title=Collapseability of Tree Hashes|first1=Aldo|last1=Gunsing|first2=Bart|last2=Mennink|date=10 April 2020|book-title=PQCrypto 2020: Post-Quantum Cryptography|doi=10.1007/978-3-030-44223-1_28|url-access=subscription|hdl=2066/219338|hdl-access=free}}{{sfn | Hampiholi | Alpár | van den Broek | Jacobs | 2015 | p=317}}
Domain separation is used within the implementation of some hash functions to produce multiple different functions from the same design.{{cite web|url=https://eprint.iacr.org/2023/342|title=TurboSHAKE|first1=Guido|last1=Bertoni|first2=Joan|last2=Daemen|first3=Seth|last3=Hoffert|first4=Michaël|last4=Peeters|first5=Gilles|last5=Van Assche|first6=Ronny|last6=Van Keer|first7=Benoît|last7=Viguier|date=2023 }} For example, in SHA-3 the domain separation makes sure that the differently named functions (like SHA3-512 or SHAKE128) are independent: distinct suffix bits are appended to the message before padding (01 for the SHA3 hash functions, 1111 for the SHAKE functions), so the same Keccak permutation never sees the same padded input for two of them.{{sfn|Kelsey|Chang|Perlner|2016|p=1}}
= Symmetric ciphers and MACs =
The security of symmetric ciphers and MACs critically depends on the key not being used for other purposes. If an application needs multiple keys but has only one source of keying material, it would typically employ a key derivation function to produce the keys. KDFs can usually produce output of arbitrary length, so they can be used to generate any number of keys.{{cite book|title=Real-World Cryptography|first=David|last=Wong|date=19 October 2021 |publisher=Simon and Schuster |isbn=9781638350842}}
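Deriving several keys from one secret with a key derivation function, as an added example that is not code from the article or from the cited book. It implements HKDF (RFC 5869) over HMAC-SHA256 with the standard library and uses the info field as the domain separator for each derived key; the labels "enc" and "mac" and the sample secret are constructed for the example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM). An empty salt is
    replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) || info || i), with
    the output being T(1) || T(2) || ... truncated to `length` bytes.
    `info` is the domain separator: different labels give unrelated keys."""
    if length < 0 or length > 255 * HASH_LEN:
        raise ValueError("length out of range for HKDF-Expand")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_keys(master: bytes, salt: bytes, labels, key_len: int = 32) -> dict:
    """Derive one key per label from a single master secret. Each label is
    the `info` input, so the keys are separated by domain rather than by
    slicing one long output, and adding a label later cannot change the
    keys already derived for the others."""
    prk = hkdf_extract(salt, master)
    return {label: hkdf_expand(prk, label, key_len) for label in labels}


# Constructed sample input: a master secret and the two purposes it serves.
MASTER = bytes(range(32))
SALT = b"example-salt"
KEYS = derive_keys(MASTER, SALT, [b"enc", b"mac"])
```

The labels belong in the info field rather than being mixed into the master secret: the PRK is computed once and every purpose gets its own expand call, so a compromise or misuse of the "mac" key tells an attacker nothing about the "enc" key. The functions follow RFC 5869 exactly and can be checked against the test vectors in its Appendix A.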
Also, just like hash functions, some symmetric ciphers and MACs use domain separation internally.{{cite conference|url=https://link.springer.com/chapter/10.1007/978-3-319-11212-1_2|title=NORX: Parallel and Scalable AEAD|first1=Jean-Philippe|last1=Aumasson|first2=Philipp|last2=Jovanovic|first3=Samuel|last3=Neves|book-title=Computer Security - ESORICS 2014|doi=10.1007/978-3-319-11212-1_2|url-access=subscription}}
= Signatures =
In many cases, it is desirable to use a single signing key to produce digital signatures for different purposes. If this is done, it is important to make sure that signed messages intended for one purpose cannot be used for the other. A simple way to achieve this is to add to each message an identifier specifying the purpose, and to reject a message if the identifier doesn't match.{{cite conference|url=https://link.springer.com/chapter/10.1007/978-3-030-36030-6_6|title=Synchronous Consensus with Optimal Asynchronous Fallback Guarantees|first1=Erica|last1=Blum|first2=Jonathan|last2=Katz|first3=Julian|last3=Loss|date=22 November 2019|book-title=TCC 2019: Theory of Cryptography|doi=10.1007/978-3-030-36030-6_6|url-access=subscription}}
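The purpose identifier and the matching reject check, as an added example that is not code from the article or from Blum, Katz and Loss. So that it runs on the standard library alone, HMAC-SHA256 stands in for the signing algorithm (an assumption of this example; the framing and the purpose check are unchanged with a public-key signature), and the purposes "vote" and "proposal" are constructed for illustration.

```python
import hashlib
import hmac

# Constructed example: one key, several purposes. The purpose identifier is
# bound into every signed message and checked before the signature is.


def frame(purpose: bytes, msg: bytes) -> bytes:
    """Prepend a length-prefixed purpose identifier to the message so the
    identifier cannot be confused with the start of the message itself."""
    if len(purpose) > 255:
        raise ValueError("purpose identifier too long")
    return bytes([len(purpose)]) + purpose + msg


def sign(key: bytes, purpose: bytes, msg: bytes) -> bytes:
    """Sign the framed message. HMAC-SHA256 stands in for a signature scheme."""
    return hmac.new(key, frame(purpose, msg), hashlib.sha256).digest()


def verify(key: bytes, expected_purpose: bytes,
           purpose: bytes, msg: bytes, sig: bytes) -> bool:
    """Accept only if the claimed purpose is the one this verifier serves
    AND the signature covers that purpose together with the message."""
    if purpose != expected_purpose:
        return False  # signed for another purpose: reject outright
    return hmac.compare_digest(sign(key, purpose, msg), sig)


def cross_purpose_replay_rejected(key: bytes, msg: bytes) -> bool:
    """A valid "vote" signature is useless to an attacker who presents it
    to the "proposal" verifier, whether the attacker keeps the original
    purpose label or relabels the message as a proposal."""
    sig = sign(key, b"vote", msg)
    honest = verify(key, b"vote", b"vote", msg, sig)
    replay_same_label = verify(key, b"proposal", b"vote", msg, sig)
    replay_relabelled = verify(key, b"proposal", b"proposal", msg, sig)
    return honest and not replay_same_label and not replay_relabelled
```

The identifier must be covered by the signature, not merely transmitted beside it: the relabelling case above fails only because the signature was computed over frame(purpose, msg), so changing the label changes the signed bytes.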
References
Sources
- {{cite conference | last1=Bellare | first1=Mihir | last2=Rogaway | first2=Phillip | title=Random oracles are practical: a paradigm for designing efficient protocols | publisher=ACM Press | date=1993 | isbn=978-0-89791-629-5 | doi=10.1145/168588.168596 | url = https://cseweb.ucsd.edu/~mihir/papers/ro.pdf}}
- {{cite book | last1=Bellare | first1=Mihir | last2=Bernstein | first2=Daniel J. | last3=Tessaro | first3=Stefano | title=Advances in Cryptology – EUROCRYPT 2016 | chapter=Hash-Function Based PRFs: AMAC and Its Multi-User Security | publisher=Springer Berlin Heidelberg | publication-place=Berlin, Heidelberg | volume=9665 | date=2016 | isbn=978-3-662-49889-7 | doi=10.1007/978-3-662-49890-3_22}}
- {{cite web|url=https://www.rfc-editor.org/rfc/rfc9380.html|title=RFC 9380: Hashing to Elliptic Curves|first1=A.|last1=Faz-Hernandez|first2=S.|last2=Scott|first3=N.|last3=Sullivan|first4=R. S.|last4=Wahby|first5=C. A.|last5=Wood|at=2.2.5. Domain Separation|series=The RFC Series|date=August 2023 |issn=2070-1721}}
- {{cite book | last1=Hampiholi | first1=Brinda | last2=Alpár | first2=Gergely | last3=van den Broek | first3=Fabian | last4=Jacobs | first4=Bart | title=Security, Privacy, and Applied Cryptography Engineering | chapter=Towards Practical Attribute-Based Signatures | publisher=Springer International Publishing | publication-place=Cham | volume=9354 | date=2015 | isbn=978-3-319-24125-8 | doi=10.1007/978-3-319-24126-5_18 | pages=310–328 | chapter-url=https://books.google.com/books?id=RxOcCgAAQBAJ&pg=PA317 }}
- {{cite web |last1=Kelsey |first1=John |last2=Chang |first2=Shu-jen |last3=Perlner |first3=Ray |title=NIST SP 800-185: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash |url=https://csrc.nist.gov/pubs/sp/800/185/final |website=NIST Computer Security Resource Center |publisher=NIST |access-date=6 May 2024 | date=2016}}
- {{cite book | last1=Mittelbach | first1=Arno | last2=Fischlin | first2=Marc | title=The Theory of Hash Functions and Random Oracles: An Approach to Modern Cryptography | publisher=Springer International Publishing | series=Information Security and Cryptography | year=2021 | isbn=978-3-030-63287-8 | url=https://books.google.com/books?id=Ly8WEAAAQBAJ | access-date=2023-06-22}}
{{Improve categories|date=January 2024}}