Domain separation

Last updated January 11, 2025

In cryptography, domain separation is a construct used to implement multiple different functions using only one underlying template in an efficient way.^[1] The domain separation can be defined as partitioning of the domain of a function to assign separate subdomains to different applications of the same function.^[2]

For example, cryptographic protocols typically rely on random oracles (ROs, functions that return a value fully determined by their input yet otherwise random). The security proofs for these protocols are based on the assumption that the random oracle is unique to the protocol: if two protocols share the same RO, the assumptions of the proof are not met anymore. Since creating a new cryptographic primitive from scratch each time an RO is needed is impractical, multiple ROs (say, RO1 and RO2) are produced by prepending unique domain separation tags (DSTs, also known as domain separators) to the input of a base oracle RO:

RO1(x) := RO("RO1" || x)

RO2(x) := RO("RO2" || x)

where "RO1" and "RO2" are the strings representing the unique DSTs and || is a concatenation operator.^[3] If the underlying RO function is secure (say, it is a cryptographic hash), RO1 and RO2 are statistically independent.^[1] The technique was originally proposed^[4] by Bellare & Rogaway in 1993.^[5]

Uses

The domain separation construct can be used for multiple purposes:

providing independent ROs for protocols;^[6]
extending the output size of an RO (for example, by using the RO multiple times (numbered from 1 to L), each time using a representation of oracle number as a DST. This technique is called "counter mode" due to its similarity to the counter mode of a block cipher;^[7]
"keying" the oracle by using an encryption key as a DST.^[8]

In the practical sense, the domain separation can provide "customization", an equivalent of the strong typing in programming: it enforces the use of independent calculations for different tasks, so an attacker that had learned a result of one calculation will get no information about another one.^[9]

Kinds of functions

Domain separation can be used with functions implementing different cryptographic primitives.

Hash functions

Domain separation is most commonly used with hash functions. The input domain of a hash function is practically unlimited, it is easy to partition it among any number of derived functions, for example, by prepending or appending of a DST to the message.^[10]^[1]

Domain separation is used within the implementation of some hash functions to produce multiple different functions from the same design.^[11] For example, in SHA-3 the domain separation makes sure that the differently named functions (like SHA3-512 or SHAKE128) are independent.^[9]

Symmetric ciphers and MACs

The security of symmetric ciphers and MACs critically depends on the key not being used for other purposes. If an application needs multiple keys but has only one source of keying material, it would typically employ a key derivation function to produce the keys. KDFs can usually produce output of arbitrary length, so they can be used to generate any number of keys.^[12]

Also, just like hash functions, some symmetric ciphers and MACs use domain separation internally.^[13]

Signatures

In many cases, it is desirable to use a single signing key to produce digital signatures for different purposes. If this is done, it is important to make sure that signed messages intended for one purpose cannot be used for the other. A simple way to achieve this is to add to each message an identifier specifying the purpose, and to reject a message if the identifier doesn't match.^[14]

Related Research Articles

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. The requirement that both parties have access to the secret key is one of the main drawbacks of symmetric-key encryption, in comparison to public-key encryption. However, symmetric-key encryption algorithms are usually better for bulk encryption. With exception of the one-time pad they have a smaller key size, which means less storage space and faster transmission. Due to this, asymmetric-key encryption is often used to exchange the secret key for symmetric-key encryption.

A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption.

<span class="mw-page-title-main">Block cipher mode of operation</span> Cryptography algorithm

In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

A cryptographic hash function (CHF) is a hash algorithm that has special properties desirable for a cryptographic application:

In cryptography, a random oracle is an oracle that responds to every unique query with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time that query is submitted.

In cryptography, a message authentication code (MAC), sometimes known as an authentication tag, is a short piece of information used for authenticating and integrity-checking a message. In other words, to confirm that the message came from the stated sender and has not been changed. The MAC value allows verifiers to detect any changes to the message content.

A key generator is a protocol or algorithm that is used in many cryptographic protocols to generate a sequence with many pseudo-random characteristics. This sequence is used as an encryption key at one end of communication, and as a decryption key at the other. One can implement a key generator in a system that aims to generate, distribute, and authenticate keys in a way that without the private key, one cannot access the information in the public end.

Provable security refers to any type or level of computer security that can be proved. It is used in different ways by different fields.

Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.

In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish between a function chosen randomly from the PRF family and a random oracle. Pseudorandom functions are vital tools in the construction of cryptographic primitives, especially secure encryption schemes.

EAX mode (encrypt-then-authenticate-then-translate) is a mode of operation for cryptographic block ciphers. It is an Authenticated Encryption with Associated Data (AEAD) algorithm designed to simultaneously provide both authentication and privacy of the message with a two-pass scheme, one pass for achieving privacy and one for authenticity for each block.

In cryptography, a pseudorandom permutation (PRP) is a function that cannot be distinguished from a random permutation (that is, a permutation selected at random with uniform probability, from the family of all permutations on the function's domain) with practical effort.

<span class="mw-page-title-main">Cryptographic nonce</span> Concept in cryptography

In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is often a random or pseudo-random number issued in an authentication protocol to ensure that each communication session is unique, and therefore that old communications cannot be reused in replay attacks. Nonces can also be useful as initialization vectors and in cryptographic hash functions.

In cryptography, key wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as block ciphers and cryptographic hash functions.

<span class="mw-page-title-main">Cryptography</span> Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

In cryptography, format-preserving encryption (FPE), refers to encrypting in such a way that the output is in the same format as the input. The meaning of "format" varies. Typically only finite sets of characters are used; numeric, alphabetic or alphanumeric. For example:

Hash-based cryptography is the generic term for constructions of cryptographic primitives based on the security of hash functions. It is of interest as a type of post-quantum cryptography.

The non-cryptographic hash functions (NCHFs) are hash functions intended for applications that do not need the rigorous security requirements of the cryptographic hash functions and therefore can be faster and less resource-intensive. Typical examples of CPU-optimized non-cryptographic hashes include FNV-1a and Murmur3. Some non-cryptographic hash functions are used in cryptographic applications ; in this case they are described as universal hash functions.

Extendable-output function (XOF) is an extension of the cryptographic hash that allows its output to be arbitrarily long. In particular, the sponge construction makes any sponge hash a natural XOF: the squeeze operation can be repeated, and the regular hash functions with a fixed-size result are obtained from a sponge mechanism by stopping the squeezing phase after obtaining the fixed number of bits).

References

1 2 3 Hampiholi et al. 2015, p. 317.
↑ Kelsey, Chang & Perlner 2016, p. 3.
↑ Faz-Hernandez et al. 2023, Domain Separation.
↑ Bellare, Bernstein & Tessaro 2016, p. 566.
↑ Bellare & Rogaway 1993.
↑ Mittelbach & Fischlin 2021, p. 357.
↑ Mittelbach & Fischlin 2021, p. 358.
↑ Mittelbach & Fischlin 2021, p. 359.
1 2 Kelsey, Chang & Perlner 2016, p. 1.
↑ Gunsing, Aldo; Mennink, Bart (10 April 2020). "Collapseability of Tree Hashes". PQCrypto 2020: Post-Quantum Cryptography. doi:10.1007/978-3-030-44223-1_28.
↑ Bertoni, Guido; Daemen, Joan; Hoffert, Seth; Peeters, Michaël; Van Assche, Gilles; Van Keer, Ronny; Viguier, Benoît (2023). "TurboSHAKE".
↑ Wong, David (19 October 2021). Real-World Cryptography. Simon and Schuster. ISBN 9781638350842.
↑ Aumasson, Jean-Philippe; Jovanovic, Philipp; Neves, Samuel. "NORX: Parallel and Scalable AEAD". Computer Security - ESORICS 2014. doi:10.1007/978-3-319-11212-1_2.
↑ Blum, Erica; Katz, Jonathan; Loss, Julian (22 November 2019). "Synchronous Consensus with Optimal Asynchronous Fallback Guarantees". TCC 2019: Theory of Cryptography. doi:10.1007/978-3-030-36030-6_6.

Sources

Bellare, Mihir; Rogaway, Phillip (1993). Random oracles are practical: a paradigm for designing efficient protocols (PDF). ACM Press. doi:10.1145/168588.168596. ISBN 978-0-89791-629-5.
Bellare, Mihir; Bernstein, Daniel J.; Tessaro, Stefano (2016). "Hash-Function Based PRFs: AMAC and Its Multi-User Security". Advances in Cryptology – EUROCRYPT 2016. Vol. 9665. Berlin, Heidelberg: Springer Berlin Heidelberg. doi:10.1007/978-3-662-49890-3_22. ISBN 978-3-662-49889-7.
Faz-Hernandez, A.; Scott, S.; Sullivan, N.; Wahby, R. S.; Wood, C. A. (August 2023). "RFC 9380: Hashing to Elliptic Curves". The RFC Series. 2.2.5. Domain Separation. ISSN 2070-1721.
Hampiholi, Brinda; Alpár, Gergely; van den Broek, Fabian; Jacobs, Bart (2015). "Towards Practical Attribute-Based Signatures". Security, Privacy, and Applied Cryptography Engineering. Vol. 9354. Cham: Springer International Publishing. pp. 310–328. doi:10.1007/978-3-319-24126-5_18. ISBN 978-3-319-24125-8.
Kelsey, John; Chang, Shu-jen; Perlner, Ray (2016). "NIST SP 800-185: SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash". NIST Computer Security Resource Center. NIST . Retrieved 6 May 2024.
Mittelbach, Arno; Fischlin, Marc (2021). The Theory of Hash Functions and Random Oracles: An Approach to Modern Cryptography. Information Security and Cryptography. Springer International Publishing. ISBN 978-3-030-63287-8 . Retrieved 2023-06-22.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[FOOTNOTEHampiholiAlpárvan_den_BroekJacobs2015317-1] 1 2 3 Hampiholi et al. 2015, p. 317.

[FOOTNOTEKelseyChangPerlner20163-2] Kelsey, Chang & Perlner 2016, p. 3.

[FOOTNOTEFaz-HernandezScottSullivanWahby2023Domain_Separation-3] Faz-Hernandez et al. 2023, Domain Separation.

[FOOTNOTEBellareBernsteinTessaro2016566-4] Bellare, Bernstein & Tessaro 2016, p. 566.

[FOOTNOTEBellareRogaway1993-5] Bellare & Rogaway 1993.

[FOOTNOTEMittelbachFischlin2021357-6] Mittelbach & Fischlin 2021, p. 357.

[FOOTNOTEMittelbachFischlin2021358-7] Mittelbach & Fischlin 2021, p. 358.

[FOOTNOTEMittelbachFischlin2021359-8] Mittelbach & Fischlin 2021, p. 359.

[FOOTNOTEKelseyChangPerlner20161-9] 1 2 Kelsey, Chang & Perlner 2016, p. 1.

[10] Gunsing, Aldo; Mennink, Bart (10 April 2020). "Collapseability of Tree Hashes". PQCrypto 2020: Post-Quantum Cryptography. doi:10.1007/978-3-030-44223-1_28.

[11] Bertoni, Guido; Daemen, Joan; Hoffert, Seth; Peeters, Michaël; Van Assche, Gilles; Van Keer, Ronny; Viguier, Benoît (2023). "TurboSHAKE".

[12] Wong, David (19 October 2021). Real-World Cryptography. Simon and Schuster. ISBN 9781638350842.

[13] Aumasson, Jean-Philippe; Jovanovic, Philipp; Neves, Samuel. "NORX: Parallel and Scalable AEAD". Computer Security - ESORICS 2014. doi:10.1007/978-3-319-11212-1_2.

[14] Blum, Erica; Katz, Jonathan; Loss, Julian (22 November 2019). "Synchronous Consensus with Optimal Asynchronous Fallback Guarantees". TCC 2019: Theory of Cryptography. doi:10.1007/978-3-030-36030-6_6.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]