250 likes | 370 Views
Hash Functions: From Merkle-Damgård to Shoup. Ilya Mironov, Stanford University. Collision-resistant functions. Family of functions f K : D R Hard to win this game:. Attacker. Challenger. k K - random. ( x , y ). f k ( x )= f k ( y ).
E N D
Hash Functions: From Merkle-Damgård to Shoup Ilya Mironov, Stanford University
Collision-resistant functions Family of functions fK:DR Hard to win this game: Attacker Challenger kK- random (x,y) fk(x)=fk(y)
Collision-resistant functions can be used for: • Signature schemes • Commitment schemes Given a signature algorithm σ(S), where |S| is fixed, we can sign any message σ(fk(M)). Alice Bob x fk(x)—commitment to x
Good news: CRF can be built • Based on number-theoretic assumptions: • Factoring: f(x)=(3F16||x)2 mod N. • Discrete log: f(x||y)=gxhy. • Claw-free permutations Hard to find f(x)=g(y)
Bad news: practical CRF hard to construct • MD4—broken • MD5—a serious weakness found • Flaw in the original SHA
Useful alternative: UOWHFs Family of functions fK:DR Hard to win this game: Attacker Challenger x kK- random y fk(x)=fk(y)
WUFs good for • Signature schemes Given an existentially secure signature algorithm σ(S), where |S| is fixed, we can sign any message with k,σ(k,fk(M)), where k is chosen at random. Reason: It is hard to find fk(M1)=fk(M) for a random k.
WUFs can be built from • One-way functions • One-way permutation • Collision-resistant functions
Oracle separation • Simon’98: There is an oracle relative to which one-way permutations exist but not CRFs. • Interpretation: No “black box” construction of a CRF based on a WUF. • Conclusion: A CRF is a strictly stronger primitive than a WUF.
A family of CRFs (WUFs) • We want to make one, concrete assumption, for instance: It is infeasible to find a collision (second preimage) in SHA-1. • Then derive a family of functions that take inputs of different lengths and hash it to a fixed length output.
Good news: CRFs families are easy to construct • Merkle-Damgård construction: M0 M1 M2 M3 output Hk Hk Hk Hk IV
Bad news:Not so easy for WUF families • Merkle-Damgård construction fails on WUFs. (we cannot plug in a weaker primitive in the construction) due to M. Bellare and P. Rogaway’97.
Shoup construction • M0,M1,…,ML—masks (tags). x0 x1 x2 x3 x4 x5 Hk Hk Hk Hk Hk Hk IV M0 M0 M0 M1 M1 M2
Example • RSA signature (H is a CRF): S=H(M)e mod N. • If we use a WUF (SHA-1, Shoup scheme): S=K || (hK´(K)||hK(M))e mod N.
CRFs Theoretically and practically harder to construct Have efficient composition scheme WUFs Easier to construct Don’t have efficient composition scheme Difficult choice:
x0 x0 kK- random x1,y x1 y1 fk(x1,x0)=fk(y) Continuum of functions • Commit to some bits of x: Attacker Challenger
Class H(nm;l) • |y|=|x0|+|x1|=n |x1|=l — flexibility • Output of f has length m. Attacker Challenger x0 x0 kK- random x1,y x1 y1 fk(x1,x0)=fk(y)
H(nm;0) and H(nm;n) have names • H(nm;0) is a WUF Attacker Challenger x0=x kK- random y,x1=λ fk(x)=fk(y)
H(nm;0) and H(nm;n) have names • H(nm;n) is a CRF Attacker Challenger x0=λ kK- random y,x1=x fk(x)=fk(y)
Merkle-Damgård construction • Works (with a minor modification) for H(nm;m) M1 M2 M3 M4 output Hk Hk Hk Hk M0
Jump somewhere? • CRFs and WUFs can be separated. Where? H(nm;0) H(nm;1)… H(nm;n)
Separation • H(nm;0)…H(nm;m+O(log m)) — one classof theoretic-complexity equivalence • H(nm;m+mc)…H(nm;n) — another class • The gap does not exist if there are “ideally secure” WUFs.
Another approach • Can the Shoup construction be improved? x0 x1 x2 x3 x4 x5 Hk Hk Hk Hk Hk Hk IV Mν(2) Mν(0) Mν(5) Mν(1) Mν(3) Mν(4)
Function is optimal • The function ν(k)=highest power of 2 dividing k is optimal. • Constructive proof + counting argument
Open question • How short can a key of a family of WUFs be? • Conjecture: key length must be Ω(log m) • Reason: It can’t be a coincidence!