Hash Functions: From Merkle-Damgård to Shoup
Ilya Mironov, Stanford University
Collision-resistant functions
Family of functions f_K : D → R.
Hard to win this game: the challenger picks k ∈ K at random and sends it to the attacker; the attacker answers with a pair (x, y) and wins if f_k(x) = f_k(y) (with x ≠ y).
Collision-resistant functions can be used for:
Signature schemes
Commitment schemes
Commitment: Alice sends f_k(x) to Bob as a commitment to x.
Given a signature algorithm σ(S), where |S| is fixed, we can sign any message M as σ(f_k(M)).
Good news: CRFs can be built based on number-theoretic assumptions:
Factoring: f(x) = (3F_16 || x)^2 mod N (3F in hexadecimal, prepended to x).
Discrete log: f(x || y) = g^x h^y.
Claw-free permutations: hard to find f(x) = g(y).
Bad news: practical CRFs are hard to construct.
MD4: broken. MD5: a serious weakness found. A flaw in the original SHA.
Useful alternative: UOWHFs (called WUFs on the following slides)
Family of functions f_K : D → R.
Hard to win this game: the attacker first commits to x; the challenger then picks k ∈ K at random and sends it; the attacker answers with y and wins if f_k(x) = f_k(y) (with x ≠ y).
WUFs are good for signature schemes
Given an existentially secure signature algorithm σ(S), where |S| is fixed, we can sign any message M with (k, σ(k, f_k(M))), where k is chosen at random.
Reason: it is hard to find M1 with f_k(M1) = f_k(M) for a random k.
WUFs can be built from: one-way functions; one-way permutations; collision-resistant functions.
Oracle separation (Simon '98):
There is an oracle relative to which one-way permutations exist but CRFs do not.
Interpretation: no "black box" construction of a CRF based on a WUF.
Conclusion: a CRF is a strictly stronger primitive than a WUF.
A family of CRFs (WUFs)
We want to make one concrete assumption, for instance: it is infeasible to find a collision (second preimage) in SHA-1.
Then derive a family of functions that take inputs of different lengths and hash them to a fixed-length output.
Good news: CRF families are easy to construct.
Merkle-Damgård construction:
IV → H_k(·, M0) → H_k(·, M1) → H_k(·, M2) → H_k(·, M3) → output
(each H_k takes the previous chaining value together with the next message block Mi).
Bad news: not so easy for WUF families. The Merkle-Damgård construction fails on WUFs (we cannot plug a weaker primitive into the construction), due to M. Bellare and P. Rogaway '97.
Shoup construction: M0, M1, …, ML are masks (tags).
IV → H_k(·, x0) with M0 → H_k(·, x1) with M1 → H_k(·, x2) with M0 → H_k(·, x3) with M2 → H_k(·, x4) with M0 → H_k(·, x5) with M1 → output
(the mask applied at each step of the chain, for blocks x0 through x5, is M0, M1, M0, M2, M0, M1).
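The two chains above (plain Merkle-Damgård, and Shoup's masked chain) as a runnable Python example. This is added code, not the speaker's or the slides' own; it assumes HMAC-SHA256 as a stand-in for the keyed fixed-input-length function H_k, a 16-byte block size and a 32-byte chaining value (all chosen for the toy), and MD strengthening as the padding rule. Shoup's scheme XORs mask M_ν(i) into the chaining value before the i-th compression, where ν(i) is the exponent of the highest power of 2 dividing i; for blocks x0 through x5 that yields exactly the slide's mask sequence M0, M1, M0, M2, M0, M1, and the number of masks needed is ⌊log2 L⌋ + 1 for L blocks, which is why the key (and hence the WUF-based signature on the next slide) grows only logarithmically with the message length.

```python
"""Merkle-Damgard chaining and Shoup's masked variant over a keyed compression function.

Added example, not from the slides. Assumptions:
  - HMAC-SHA256 stands in for the fixed-input-length keyed function H_k
    (any keyed compression H_k(chain, block) -> chain of fixed size would do);
  - block size 16 bytes, chaining value 32 bytes (toy sizes);
  - padding is MD strengthening (0x80, zero fill, 64-bit message length).
"""
import hashlib
import hmac
import secrets

BLOCK_BYTES = 16   # message block size b (assumed)
CHAIN_BYTES = 32   # chaining value size m = SHA-256 digest length


def compress(k: bytes, chain: bytes, block: bytes) -> bytes:
    """Keyed compression H_k: {0,1}^m x {0,1}^b -> {0,1}^m (HMAC-SHA256 stand-in)."""
    assert len(chain) == CHAIN_BYTES and len(block) == BLOCK_BYTES
    return hmac.new(k, chain + block, hashlib.sha256).digest()


def pad(msg: bytes) -> list[bytes]:
    """Split msg into b-byte blocks with MD strengthening: 0x80, zero fill,
    then the message length in bits as a 64-bit big-endian integer."""
    data = msg + b"\x80"
    while (len(data) + 8) % BLOCK_BYTES:
        data += b"\x00"
    data += (8 * len(msg)).to_bytes(8, "big")
    return [data[i:i + BLOCK_BYTES] for i in range(0, len(data), BLOCK_BYTES)]


def merkle_damgard(k: bytes, msg: bytes, iv: bytes = bytes(CHAIN_BYTES)) -> bytes:
    """Plain Merkle-Damgard: IV -> H_k(., M0) -> H_k(., M1) -> ... -> output."""
    chain = iv
    for block in pad(msg):
        chain = compress(k, chain, block)
    return chain


def nu(i: int) -> int:
    """Exponent of the highest power of 2 dividing i (i >= 1): nu(1)=0, nu(2)=1, nu(4)=2."""
    if i < 1:
        raise ValueError("block index must be >= 1")
    return (i & -i).bit_length() - 1


def mask_schedule(num_blocks: int) -> list[int]:
    """Mask index for blocks 1..num_blocks; for six blocks this is [0, 1, 0, 2, 0, 1]."""
    return [nu(i) for i in range(1, num_blocks + 1)]


def num_masks(num_blocks: int) -> int:
    """Masks needed for num_blocks blocks: floor(log2 L) + 1."""
    return num_blocks.bit_length()


def shoup(k: bytes, masks: list[bytes], msg: bytes, iv: bytes = bytes(CHAIN_BYTES)) -> bytes:
    """Shoup's construction: mask M_nu(i) is XORed into the chaining value
    before the i-th compression. Fails loudly if the key has too few masks."""
    blocks = pad(msg)
    if len(masks) < num_masks(len(blocks)):
        raise ValueError(f"need {num_masks(len(blocks))} masks for {len(blocks)} blocks")
    if any(len(m) != CHAIN_BYTES for m in masks):
        raise ValueError("every mask must be as long as the chaining value")
    chain = iv
    for i, block in enumerate(blocks, start=1):
        masked = bytes(c ^ m for c, m in zip(chain, masks[nu(i)]))
        chain = compress(k, masked, block)
    return chain


def shoup_keygen(max_blocks: int) -> tuple[bytes, list[bytes]]:
    """Key for messages of up to max_blocks blocks: a compression key plus
    floor(log2 max_blocks) + 1 masks, so the key grows only logarithmically with |M|."""
    k = secrets.token_bytes(CHAIN_BYTES)
    masks = [secrets.token_bytes(CHAIN_BYTES) for _ in range(num_masks(max_blocks))]
    return k, masks


if __name__ == "__main__":
    key, masks = shoup_keygen(max_blocks=1 << 20)   # up to 2^20 blocks needs 21 masks
    msg = b"constructed sample message " * 3         # constructed input
    print("blocks:", len(pad(msg)), "mask schedule:", mask_schedule(len(pad(msg))))
    print("MD   :", merkle_damgard(key, msg).hex())
    print("Shoup:", shoup(key, masks, msg).hex())
```

With all masks set to zero the Shoup chain collapses to plain Merkle-Damgård, which is a convenient self-check; `shoup` refuses a key with too few masks for the message rather than silently reusing one, since the proof of the composition depends on the ν schedule being followed exactly.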
Example: RSA signature (H is a CRF):
S = H(M)^e mod N.
If we use a WUF (SHA-1, Shoup scheme):
S = K || (h_K'(K) || h_K(M))^e mod N.
Signature size by message length:
|M|      CRF |S|    WUF |S|
1 Kb     1 Kb       1.81 Kb
1 Mb     1 Kb       3.22 Kb
1 Gb     1 Kb       4.87 Kb
Difficult choice:
CRFs: theoretically and practically harder to construct; have an efficient composition scheme.
WUFs: easier to construct; don't have an efficient composition scheme.
Continuum of functions: commit to some bits of x.
Game: the attacker sends x0 (the committed part); the challenger picks k ∈ K at random and sends it; the attacker answers with x1 and y and wins if f_k(x1, x0) = f_k(y).
Class H(n→m; l): |y| = |x0| + |x1| = n; |x1| = l (flexibility); the output of f has length m.
H(n→m; 0) and H(n→m; n) have names.
H(n→m; 0) is a WUF: the attacker commits x0 = x before seeing k, then answers with y and x1 = λ (empty), and wins if f_k(x) = f_k(y).
H(n→m; n) is a CRF: the attacker commits x0 = λ (nothing), receives k, then answers with y and x1 = x, and wins if f_k(x) = f_k(y).
Merkle-Damgård construction works (with a minor modification) for H(n→m; m):
M0 → H_k(·, M1) → H_k(·, M2) → H_k(·, M3) → H_k(·, M4) → output
(in the diagram the first block M0 enters the first H_k in place of the IV).
Jump somewhere? CRFs and WUFs can be separated. Where, in H(n→m; 0), H(n→m; 1), …, H(n→m; n)?
Separation: H(n→m; 0) … H(n→m; m + O(log m)) form one class of complexity-theoretic equivalence; H(n→m; m + m^c) … H(n→m; n) form another class.
The gap does not exist if there are "ideally secure" WUFs.
Another approach: can the Shoup construction be improved?
IV → H_k(·, x0) with M_ν(0) → H_k(·, x1) with M_ν(1) → H_k(·, x2) with M_ν(2) → H_k(·, x3) with M_ν(3) → H_k(·, x4) with M_ν(4) → H_k(·, x5) with M_ν(5) → output
(the mask used at step i is selected by an index function ν(i)).
The function is optimal: ν(k) = highest power of 2 dividing k is the optimal choice of index function. Constructive proof + counting argument.
Open question: how short can a key of a family of WUFs be?
Conjecture: the key length must be Ω(log m).
Reason: it can't be a coincidence!