Hash Functions: From Merkle-Damgård to Shoup
Page 1: Hash Functions: From Merkle-Damgård to Shoup
Ilya Mironov, Stanford University
Page 2: Collision-resistant functions
Family of functions f_K: D → R.
Hard to win this game:
Challenger: picks k ∈ K at random and sends k to the Attacker.
Attacker: outputs (x, y) with x ≠ y and f_k(x) = f_k(y).
Page 3: Collision-resistant functions can be used for:
Signature schemes
Commitment schemes
Commitment: Alice sends f_k(x) to Bob as a commitment to x.
Signatures: given a signature algorithm σ(S), where |S| is fixed, we can sign any message M as σ(f_k(M)).
Page 4: Good news: CRFs can be built based on number-theoretic assumptions:
Factoring: f(x) = (3F₁₆ || x)² mod N.
Discrete log: f(x || y) = gˣ hʸ.
Claw-free permutations: hard to find f(x) = g(y).
Page 5: Bad news: practical CRFs are hard to construct
MD4: broken.
MD5: a serious weakness found.
Flaw in the original SHA.
Page 6: Useful alternative: UOWHFs
Family of functions f_K: D → R.
Hard to win this game:
Attacker: commits to x first.
Challenger: picks k ∈ K at random and sends k to the Attacker.
Attacker: outputs y ≠ x with f_k(x) = f_k(y).
Page 7: WUFs good for signature schemes
Given an existentially secure signature algorithm σ(S), where |S| is fixed, we can sign any message M as (k, σ(k, f_k(M))), where k is chosen at random.
Reason: it is hard to find M₁ with f_k(M₁) = f_k(M) for a random k.
Page 8: WUFs can be built from:
One-way functions
One-way permutations
Collision-resistant functions
Page 9: Oracle separation (Simon '98)
There is an oracle relative to which one-way permutations exist but CRFs do not.
Interpretation: no "black box" construction of a CRF based on a WUF.
Conclusion: a CRF is a strictly stronger primitive than a WUF.
Page 10: A family of CRFs (WUFs)
We want to make one concrete assumption, for instance: it is infeasible to find a collision (second preimage) in SHA-1.
Then derive a family of functions that take inputs of different lengths and hash them to a fixed-length output.
Page 11: Good news: CRF families are easy to construct
Merkle-Damgård construction (message blocks M0, M1, M2, M3, chained through H_k):
IV → H_k(·, M0) → H_k(·, M1) → H_k(·, M2) → H_k(·, M3) → output
Page 12: Bad news: not so easy for WUF families
The Merkle-Damgård construction fails on WUFs (we cannot plug a weaker primitive into the construction). This observation is due to M. Bellare and P. Rogaway '97.
Page 13: Shoup construction
M0, M1, …, ML are masks (tags); before each block the mask is XORed into the chaining value.
IV → H_k(· ⊕ M0, x0) → H_k(· ⊕ M1, x1) → H_k(· ⊕ M0, x2) → H_k(· ⊕ M2, x3) → H_k(· ⊕ M0, x4) → H_k(· ⊕ M1, x5) → output
Mask sequence for blocks x0 … x5: M0, M1, M0, M2, M0, M1.
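As an added worked example (not code from the talk), the chaining of pages 11 and 13 in Python: plain Merkle-Damgård beside Shoup's masked chaining, with blocks numbered from 1 and the mask index ν(i) = highest power of 2 dividing i, which reproduces the sequence M0, M1, M0, M2, M0, M1 shown on page 13. Assumptions: HMAC-SHA256 stands in for the abstract keyed compression function H_k, and the final length padding is omitted.

```python
import hashlib
import hmac

BLOCK = 32  # message bytes consumed per compression call
OUT = 32    # length of the chaining value and of the output, in bytes


def compress(k, chain, block):
    """Stand-in for the talk's keyed compression function H_k.
    Assumption: HMAC-SHA256 over (chaining value || block) plays H_k;
    the slides leave H_k abstract."""
    return hmac.new(k, chain + block, hashlib.sha256).digest()


def nu(i):
    """Shoup's mask schedule: exponent of the highest power of 2 dividing i (i >= 1)."""
    if i < 1:
        raise ValueError("nu(i) is defined for i >= 1")
    return (i & -i).bit_length() - 1


def masks_needed(num_blocks):
    """Masks M_0 .. M_{nu(L)} suffice for L blocks: floor(log2 L) + 1 of them."""
    return num_blocks.bit_length()


def mask_schedule(num_blocks):
    """Mask index XORed in before each block, blocks numbered 1..L."""
    return [nu(i) for i in range(1, num_blocks + 1)]


def split_blocks(msg):
    """Fixed-size blocks; the last one is zero-padded (length padding omitted here)."""
    blocks = [msg[j:j + BLOCK] for j in range(0, len(msg), BLOCK)] or [b""]
    blocks[-1] = blocks[-1].ljust(BLOCK, b"\x00")
    return blocks


def merkle_damgard(k, msg, iv=bytes(OUT)):
    """Page 11: IV -> H_k(., M0) -> H_k(., M1) -> ... -> output."""
    h = iv
    for block in split_blocks(msg):
        h = compress(k, h, block)
    return h


def shoup(k, masks, msg, iv=bytes(OUT)):
    """Page 13: XOR mask M_{nu(i)} into the chaining value before block i."""
    h = iv
    for i, block in enumerate(split_blocks(msg), start=1):
        m = masks[nu(i)]
        assert len(m) == OUT, "each mask must be as long as the chaining value"
        h = compress(k, bytes(a ^ b for a, b in zip(h, m)), block)
    return h
```

With all masks set to zero, shoup() degenerates to merkle_damgard(), which makes the role of the masks visible: they are the only difference between the two constructions.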
Page 14: Example: RSA signature (H is a CRF):
S = H(M)^e mod N.
If we use a WUF (SHA-1, Shoup scheme):
S = K || (h_K′(K) || h_K(M))^e mod N.

| Message length | Signature length, CRF | Signature length, WUF |
|----------------|-----------------------|-----------------------|
| 1Kb            | 1Kb                   | 1.81Kb                |
| 1Mb            | 1Kb                   | 3.22Kb                |
| 1Gb            | 1Kb                   | 4.87Kb                |
Page 15: Difficult choice
CRFs: theoretically and practically harder to construct; have an efficient composition scheme.
WUFs: easier to construct; don't have an efficient composition scheme.
Page 16: Continuum of functions
Commit to some bits of x:
Attacker: sends x0 (the part of x it commits to).
Challenger: picks k ∈ K at random and sends k.
Attacker: outputs x1 and y with f_k(x1, x0) = f_k(y) and y ≠ (x1, x0).
Page 17: Class H(n→m; l)
|y| = |x0| + |x1| = n; |x1| = l is the flexibility; the output of f has length m.
Game (as on page 16): Attacker sends x0; Challenger sends a random k; Attacker outputs x1, y with f_k(x1, x0) = f_k(y).
Page 18: H(n→m; 0) and H(n→m; n) have names
H(n→m; 0) is a WUF: the Attacker commits to x0 = x and has no flexibility (x1 = λ, the empty string); after receiving the random k it must output y with f_k(x) = f_k(y).
Page 19: H(n→m; 0) and H(n→m; n) have names
H(n→m; n) is a CRF: nothing is committed (x0 = λ); after receiving the random k the Attacker chooses both x1 = x and y with f_k(x) = f_k(y).
Page 20: Merkle-Damgård construction works (with a minor modification) for H(n→m; m)
The first block M0 takes the place of the IV:
M0 → H_k(·, M1) → H_k(·, M2) → H_k(·, M3) → H_k(·, M4) → output
Page 21: Jump somewhere?
CRFs and WUFs can be separated. Where in the chain H(n→m; 0), H(n→m; 1), …, H(n→m; n) does the jump happen?
Page 22: Separation
H(n→m; 0) … H(n→m; m + O(log m)): one class of complexity-theoretic equivalence.
H(n→m; m + m^c) … H(n→m; n): another class.
The gap does not exist if there are "ideally secure" WUFs.
Page 23: Another approach
Can the Shoup construction be improved? Replace the fixed mask sequence by a general schedule ν: block x_i gets mask M_ν(i):
IV → H_k(· ⊕ M_ν(0), x0) → H_k(· ⊕ M_ν(1), x1) → H_k(· ⊕ M_ν(2), x2) → H_k(· ⊕ M_ν(3), x3) → H_k(· ⊕ M_ν(4), x4) → H_k(· ⊕ M_ν(5), x5) → output
Page 24: The function ν is optimal
The function ν(k) = highest power of 2 dividing k is optimal.
Proof: constructive proof + counting argument.
Page 25: Open question
How short can the key of a family of WUFs be?
Conjecture: the key length must be Ω(log m).
Reason: it can't be a coincidence!