Hash function based on the SIS problem


  1. Hash function based on the SIS problem. HEBANT Chloé, University of Limoges, Summer 2016.

  2. Introduction (outline)
     1. Hash function
     2. One-way collision-resistant Ajtai function
     3. SIS problem: some observations about the SIS problem
     4. Hardness proof
     5. Hash function construction: Merkle-Damgård construction, HAIFA construction

  3. Hash function
     Start with a function $f$ that has the properties:
     - one-way
     - collision-resistant
     - compression
     Iterate $f$ while trying to maintain:
     - pre-image resistance
     - second pre-image resistance
     - collision resistance

  4. Hash function: Definition
     - Pre-image resistance: given $y = H(x)$, it is hard to find $x'$ such that $H(x') = y$.
     - Second pre-image resistance: given $x$, it is hard to find $x'$ such that $H(x) = H(x')$.
     - Collision resistance: it is hard to find $x, x'$ such that $H(x) = H(x')$.

  6. One-way collision-resistant Ajtai function
     Let $A \in \mathbb{Z}_q^{n \times m}$ be a matrix, and let $f_A : \{0, \pm 1\}^m \to \mathbb{Z}_q^n$, $z \mapsto Az$.
     Theorem: $f_A$ is a compression function if $m \geq n \log q$.

  10. SIS problem: Definition
     Definition (SIS problem): Given $m$ uniformly random vectors $a_i \in \mathbb{Z}_q^n$, find $z \neq 0 \in \{0, \pm 1\}^m$ such that $f_A(z) := Az = \sum_i a_i \cdot z_i = 0 \in \mathbb{Z}_q^n$.
     Theorem: Assuming the hardness of the SIS problem, $f_A$ is one-way and collision-resistant.
     Remark: Thanks to Ajtai and his hardness proof, all of Minicrypt can be constructed based on the SIS problem.

  12. SIS problem: Some observations about the SIS problem
     Definition (General SIS problem): Given $m$ uniformly random vectors $a_i \in \mathbb{Z}_q^n$, find $z \neq 0 \in \mathbb{Z}^m$ of norm $\|z\| \leq \beta$ such that $f_A(z) := Az = \sum_i a_i \cdot z_i = 0 \in \mathbb{Z}_q^n$.
     Remark:
     - Without the constraint on $\|z\|$, it is easy to find a solution: Gaussian elimination.
     - Must take $\beta < q$: otherwise $z = (q, 0, \dots, 0) \in \mathbb{Z}^m$ is a trivial solution.
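
The link between collisions of $f_A$ and SIS solutions, as an added example that is not part of the original slides: a collision $Az_1 = Az_2$ yields the short vector $z_1 - z_2$ with $A(z_1 - z_2) = 0$, and the bound $\beta < q$ rejects the trivial solution. The parameters ($n = 2$, $m = 6$, $q = 7$), the seed and all function names are constructed for illustration and are far too small to be hard.

```python
import itertools
import random

def f_A(A, z, q):
    """Ajtai function z -> A z mod q; A is an n x m matrix given as a list of rows."""
    return tuple(sum(a * x for a, x in zip(row, z)) % q for row in A)

def find_collision(A, q):
    """Enumerate {0, +1, -1}^m until two inputs share an image.
    If 3^m > q^n, the pigeonhole principle guarantees a hit."""
    seen = {}
    for z in itertools.product((0, 1, -1), repeat=len(A[0])):
        y = f_A(A, z, q)
        if y in seen:
            return seen[y], z
        seen[y] = z
    return None

def is_sis_solution(A, z, q, beta_sq):
    """General SIS check: z != 0, ||z||^2 <= beta^2 and A z = 0 mod q."""
    short = sum(x * x for x in z) <= beta_sq
    return any(z) and short and not any(f_A(A, z, q))

# Constructed toy instance: n = 2, m = 6, q = 7, so 3^m = 729 > 49 = q^n.
n, m, q = 2, 6, 7
rng = random.Random(2016)
A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

z1, z2 = find_collision(A, q)
# A z1 = A z2 implies A (z1 - z2) = 0. The difference has entries in
# {0, +-1, +-2}, so its squared norm is at most 4m = 24 < q^2.
d = tuple(a - b for a, b in zip(z1, z2))
trivial = (q,) + (0,) * (m - 1)   # the slide's z = (q, 0, ..., 0)

if __name__ == "__main__":
    print("A =", A)
    print("collision:", z1, z2, "-> image", f_A(A, z1, q))
    print("short SIS solution d =", d, is_sis_solution(A, d, q, 4 * m))
    print("trivial z accepted with beta = q:    ", is_sis_solution(A, trivial, q, q * q))
    print("trivial z accepted with beta = q - 1:", is_sis_solution(A, trivial, q, (q - 1) ** 2))
```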

  13. SIS problem: Some observations about the SIS problem. Hermite normal form
     Small but important optimization:
     - Decompose $A = [A_1 \mid A_2]$ where $A_1 \in \mathbb{Z}_q^{n \times n}$ is invertible as a matrix over $\mathbb{Z}_q$.
     - Let $B = A_1^{-1} \cdot A = [I_n \mid \bar{A}]$ where $\bar{A} = A_1^{-1} \cdot A_2$.
     Theorem: $A$ and $B$ have exactly the same set of (short) SIS solutions.
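
An added check of the Hermite normal form theorem (not from the original slides): it computes $B = A_1^{-1} \cdot A$ over $\mathbb{Z}_7$ and compares the $\{0, \pm 1\}$ solution sets of $A$ and $B$ by exhaustive enumeration. The matrix $A$ and the function names are constructed; $q$ is assumed prime so that every nonzero pivot can be inverted.

```python
import itertools

def matmul(X, Y, q):
    """Matrix product over Z_q."""
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*Y)] for row in X]

def inverse_mod(M, q):
    """Gauss-Jordan inverse of a square matrix over Z_q (q prime); None if singular."""
    n = len(M)
    aug = [[x % q for x in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        scale = pow(aug[col][col], -1, q)
        aug[col] = [x * scale % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                k = aug[r][col]
                aug[r] = [(x - k * y) % q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def hermite_normal_form(A, q):
    """B = A_1^{-1} A = [I_n | A_1^{-1} A_2], with A_1 the first n columns of A."""
    n = len(A)
    A1_inv = inverse_mod([row[:n] for row in A], q)
    if A1_inv is None:
        raise ValueError("A_1 is not invertible over Z_q")
    return matmul(A1_inv, A, q)

def short_solutions(A, q):
    """All nonzero z in {0, +-1}^m with A z = 0 mod q (exhaustive, toy sizes only)."""
    sols = set()
    for z in itertools.product((-1, 0, 1), repeat=len(A[0])):
        if any(z) and not any(sum(a * x for a, x in zip(row, z)) % q for row in A):
            sols.add(z)
    return sols

# Constructed toy instance: n = 2, m = 5, q = 7.
A = [[3, 1, 4, 1, 5], [2, 6, 5, 3, 5]]
B = hermite_normal_form(A, 7)

if __name__ == "__main__":
    print("B =", B)
    print("same short solutions:", short_solutions(A, 7) == short_solutions(B, 7))
```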

  15. Hardness proof: Reduction average-case → worst-case
     [Figure: lattice with points $p_1, \dots, p_4$ and $g_1, \dots, g_4$]
     $p_i \in L$, $g_i = p_i + e_i \in \mathbb{R}^n$ where $e_i \sim D_s(x) = \left(\frac{1}{s}\right)^n e^{-\pi \|x\|^2 / s^2}$

  18. Hash function construction: Merkle-Damgård construction
     Definition: Method of building collision-resistant cryptographic hash functions from collision-resistant one-way
     [Diagram: $IV \to f \to f \to \dots \to f \to H(m)$, with message blocks $m_1, m_2, \dots, m_n$ fed into successive applications of $f$]
     Theorem (Security proof): Collision in $H$ ⇒ collision in $f$
     Remark: This is used for MD5, SHA1, SHA2

  20. Merkle-Damgård construction: Several undesirable properties
     - Length extension: given $H(x)$ for an unknown input $x$, it is easy to find the value of $H(\mathrm{pad}(x) \| y)$ ⇒ it is possible to find hashes of inputs related to $x$ even though $x$ remains unknown.
     - Second pre-image: Hypothesis: the security proof also applies to second pre-image attacks. But: this is not true for long messages.
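
The length-extension property on a toy Merkle-Damgård hash, as an added example that is not part of the original slides. The compression function (truncated SHA-256), the 16-byte block size, the padding layout and all names are assumptions chosen for illustration; `pad(x)` in the slide corresponds to `x + glue` here.

```python
import hashlib

BLOCK = 16          # toy block size in bytes (assumption)
IV = bytes(8)       # toy 8-byte initial chaining value (assumption)

def f(h, block):
    """Toy compression function: truncated SHA-256 of h || block."""
    return hashlib.sha256(h + block).digest()[:8]

def md_pad(msg_len):
    """Padding for a msg_len-byte message: 0x80, zero bytes, 8-byte bit length."""
    zeros = -(msg_len + 1 + 8) % BLOCK
    return b"\x80" + bytes(zeros) + (8 * msg_len).to_bytes(8, "big")

def md_hash(msg, state=IV, prior_len=0):
    """Iterate f over msg || padding. state and prior_len allow resuming from a
    chaining value that has already absorbed prior_len bytes."""
    data = msg + md_pad(prior_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = f(state, data[i:i + BLOCK])
    return state

def extend(digest, x_len, y):
    """Return the padding of x and H(x || padding || y), using only H(x) and len(x).
    This works because H(x) is exactly the chaining value after x || padding."""
    glue = md_pad(x_len)
    return glue, md_hash(y, state=digest, prior_len=x_len + len(glue))

if __name__ == "__main__":
    x = b"constructed input that extend() never sees"
    glue, predicted = extend(md_hash(x), len(x), b"appended")
    print("predicted:", predicted.hex())
    print("actual:   ", md_hash(x + glue + b"appended").hex())
```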

  21. Merkle-Damgård construction: Several undesirable properties (2)
     - Fix-points: $h = f(h, M)$
     - Multicollisions: many messages with the same hash. 2004 (Joux): when iterative hash functions are used, finding multicollisions is almost as easy as finding a single collision.
     Remark: Joux also proves that the concatenation of hash functions is as secure against pre-image attacks as the strongest of all the hash functions.

  22. HAIFA construction: HAIFA
     HAIFA has attractive properties:
     - simplicity
     - maintaining the collision resistance of the compression function
     - increasing the security against second pre-image attacks
     - prevention of easy-to-use fix points of the compression function

  23. HAIFA construction
     [Diagram: $IV_m \to f \to f \to \dots \to f \to H(M)$, with message blocks $M_1, M_2, \dots, M_n$ and the inputs (# bits, salt) fed into each application of $f$]
     - # bits = the number of bits hashed so far
     - $IV_m = f(IV, m, 0, 0)$, where $m$ is the hash output size
     - Padding scheme: pad a single 1 bit and as many 0 bits as needed to reach the right size. Final length of:
       - $M$: congruent to $(n - (t + r)) \bmod n$
       - length of $M$: $t$
       - $m$: $r$

  25. HAIFA construction: HAIFA vs Merkle-Damgård
     - # bits: prevents the easy exploitation of fix-points. Even if an attacker finds a fix-point $h = f(h, M, \#bits, salt)$, he cannot concatenate it to itself because # bits has changed.
     - salt: all attacks are on-line → no precomputation; increases the security of digital signatures.
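
The fix-point argument above on toy compression functions, as an added example that is not part of the original slides: a fix-point block can be repeated freely under Merkle-Damgård, while under HAIFA the changed # bits input moves the chaining value. The 16-bit chaining value, the SHA-256-based functions, the salt, the convention that # bits includes the current block, and all names are assumptions made for illustration.

```python
import hashlib

def f_md(h, block):
    """Toy compression function; 16-bit state so a fix-point is found by search."""
    return hashlib.sha256(h + block).digest()[:2]

def f_haifa(h, block, nbits, salt):
    """The same toy function with HAIFA's two extra inputs."""
    return hashlib.sha256(h + block + nbits.to_bytes(8, "big") + salt).digest()[:2]

def find_fixpoint(compress):
    """Search for (h, block) with compress(h, block) == h."""
    for i in range(64):
        block = i.to_bytes(16, "big")
        for v in range(1 << 16):
            h = v.to_bytes(2, "big")
            if compress(h, block) == h:
                return h, block
    raise RuntimeError("no fix-point found in the searched range")

def md_chain(h, blocks):
    """Merkle-Damgard iteration from chaining value h (padding omitted)."""
    for block in blocks:
        h = f_md(h, block)
    return h

def haifa_chain(h, blocks, salt, nbits=0):
    """HAIFA iteration: each call also gets the bits hashed so far and the salt."""
    for block in blocks:
        nbits += 8 * len(block)
        h = f_haifa(h, block, nbits, salt)
    return h

SALT = b"constructed-salt"

def haifa_fixpoint():
    """Fix-point of f(., M, # bits = 128, salt): valid for the first block only."""
    return find_fixpoint(lambda h, b: f_haifa(h, b, 128, SALT))

if __name__ == "__main__":
    h, M = find_fixpoint(f_md)
    print("MD    h =", h.hex(), [md_chain(h, [M] * k).hex() for k in (1, 2, 5)])
    h, M = haifa_fixpoint()
    print("HAIFA h =", h.hex(), [haifa_chain(h, [M] * k, SALT).hex() for k in (1, 2, 5)])
```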
