1 / 25

Hash Functions: From Merkle-Damgård to Shoup

Hash Functions: From Merkle-Damgård to Shoup. Ilya Mironov, Stanford University. Collision-resistant functions. Family of functions f K : D  R Hard to win this game:. Attacker. Challenger. k  K - random. ( x , y ). f k ( x )= f k ( y ).

macy-carney
Download Presentation

Hash Functions: From Merkle-Damgård to Shoup

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hash Functions: From Merkle-Damgård to Shoup Ilya Mironov, Stanford University

  2. Collision-resistant functions Family of functions fK:DR Hard to win this game: Attacker Challenger kK- random (x,y) fk(x)=fk(y)

  3. Collision-resistant functions can be used for: • Signature schemes • Commitment schemes Given a signature algorithm σ(S), where |S| is fixed, we can sign any message σ(fk(M)). Alice Bob x fk(x)—commitment to x

  4. Good news: CRF can be built • Based on number-theoretic assumptions: • Factoring: f(x)=(3F16||x)2 mod N. • Discrete log: f(x||y)=gxhy. • Claw-free permutations Hard to find f(x)=g(y)

  5. Bad news: practical CRF hard to construct • MD4—broken • MD5—a serious weakness found • Flaw in the original SHA

  6. Useful alternative: UOWHFs Family of functions fK:DR Hard to win this game: Attacker Challenger x kK- random y fk(x)=fk(y)

  7. WUFs good for • Signature schemes Given an existentially secure signature algorithm σ(S), where |S| is fixed, we can sign any message with k,σ(k,fk(M)), where k is chosen at random. Reason: It is hard to find fk(M1)=fk(M) for a random k.

  8. WUFs can be built from • One-way functions • One-way permutation • Collision-resistant functions

  9. Oracle separation • Simon’98: There is an oracle relative to which one-way permutations exist but not CRFs. • Interpretation: No “black box” construction of a CRF based on a WUF. • Conclusion: A CRF is a strictly stronger primitive than a WUF.

  10. A family of CRFs (WUFs) • We want to make one, concrete assumption, for instance: It is infeasible to find a collision (second preimage) in SHA-1. • Then derive a family of functions that take inputs of different lengths and hash it to a fixed length output.

  11. Good news: CRFs families are easy to construct • Merkle-Damgård construction: M0 M1 M2 M3 output Hk Hk Hk Hk IV

  12. Bad news:Not so easy for WUF families • Merkle-Damgård construction fails on WUFs. (we cannot plug in a weaker primitive in the construction) due to M. Bellare and P. Rogaway’97.

  13. Shoup construction • M0,M1,…,ML—masks (tags). x0 x1 x2 x3 x4 x5   Hk Hk Hk Hk Hk Hk  IV    M0 M0 M0 M1 M1 M2

  14. Example • RSA signature (H is a CRF): S=H(M)e mod N. • If we use a WUF (SHA-1, Shoup scheme): S=K || (hK´(K)||hK(M))e mod N.

  15. CRFs Theoretically and practically harder to construct Have efficient composition scheme WUFs Easier to construct Don’t have efficient composition scheme Difficult choice:

  16. x0 x0 kK- random x1,y x1 y1 fk(x1,x0)=fk(y) Continuum of functions • Commit to some bits of x: Attacker Challenger

  17. Class H(nm;l) • |y|=|x0|+|x1|=n |x1|=l — flexibility • Output of f has length m. Attacker Challenger x0 x0 kK- random x1,y x1 y1 fk(x1,x0)=fk(y)

  18. H(nm;0) and H(nm;n) have names • H(nm;0) is a WUF Attacker Challenger x0=x kK- random y,x1=λ fk(x)=fk(y)

  19. H(nm;0) and H(nm;n) have names • H(nm;n) is a CRF Attacker Challenger x0=λ kK- random y,x1=x fk(x)=fk(y)

  20. Merkle-Damgård construction • Works (with a minor modification) for H(nm;m) M1 M2 M3 M4 output Hk Hk Hk Hk M0

  21. Jump somewhere? • CRFs and WUFs can be separated. Where? H(nm;0) H(nm;1)…  H(nm;n)

  22. Separation • H(nm;0)…H(nm;m+O(log m)) — one classof theoretic-complexity equivalence • H(nm;m+mc)…H(nm;n) — another class • The gap does not exist if there are “ideally secure” WUFs.

  23. Another approach • Can the Shoup construction be improved? x0 x1 x2 x3 x4 x5   Hk Hk Hk Hk Hk Hk  IV    Mν(2) Mν(0) Mν(5) Mν(1) Mν(3) Mν(4)

  24. Function is optimal • The function ν(k)=highest power of 2 dividing k is optimal. • Constructive proof + counting argument

  25. Open question • How short can a key of a family of WUFs be? • Conjecture: key length must be Ω(log m) • Reason: It can’t be a coincidence!

More Related