
Minimum Number of Multiplications of U Hash Functions Mridul Nandi - PowerPoint PPT Presentation



  1. Minimum Number of Multiplications of ∆U Hash Functions
     Mridul Nandi, Indian Statistical Institute, Kolkata, mridul@isical.ac.in
     March 4, FSE-2014, London
     (Slide footer: Mridul Nandi, ∆U hash and Multiplication)


  4. Authentication: The Popular Story
     1. Alice and Bob share a secret key K.
     2. Data Integrity: Alice sends M along with the tag T = Tag_K(M) to Bob. Bob can verify.
     Examples from Scratch.
     3. Fixed Input-Length (FIL) and Fixed Output-Length (FOL) Prf (or Mac) f: a blockcipher, or the compression function of a hash (the key is injected through the chaining value or the message block).
     4. Domain extensions (construction of VIL) based on (1) blockciphers (variants of CBC, PMAC etc.) and (2) compression functions (HMAC, EMD, sandwich, MDP etc.).


  7. VIL-FOL Authentication from FIL-FOL
     1. Composition Method: Let H be an n-bit (unkeyed) collision resistant hash function; then f ∘ H is a Prf (also a Mac).
        Question. Is f(N) ⊕ H(M) a nonce-based Mac? (The nonce may repeat only in the forgery attempt.)
     2. NO: given T = f(N) ⊕ H(M), T′ = T ⊕ H(M) ⊕ H(M′) is also a valid tag, for M′. So we need a keyed hash H_k.
        Question. Is f(N) ⊕ H_k(M) a nonce-based Mac?
     3. Not always: if Pr[H_k(M) ⊕ H_k(M′) = δ] is high, then from T = f(N) ⊕ H_k(M) we get that Pr[f(N) ⊕ H_k(M′) = T ⊕ δ] is high.


  9. Definitions of ∆U and Universal hash
     1. Differential probability: For all M ≠ M′ and all δ, H_k is called ε-∆U if the differential probability Pr[H_k(M) ⊕ H_k(M′) = δ] ≤ ε. Denote this event by ∆H_k(M) = δ (where ∆f(x) := f(x) − f(x′)). For "small" ε, f(N) ⊕ H_k(M) is a (nonce-based) Mac.
     2. Collision probability: When we restrict to δ = 0, i.e., the collision probability Pr[H_k(M) = H_k(M′)] ≤ ε, we say that H_k is an ε-U hash. For "small" ε, f ∘ H_k is a Prf and so a Mac.
     3. Main object of the talk: the optimum complexity of ∆U (or Universal) hash functions.


  12. Example: Multi-Linear (ML) Hash
     Convention. Galois field F_{2^n} (elements are called blocks). K ←$ F_{2^n} denotes a uniformly random key, and K also denotes a vector of keys K_1, K_2, ....
     1. ∀ m_1, m_2 ∈ F_{2^n}, (m_1, m_2) ↦ m_1 K_1 + m_2 K_2.
     2. Differential property: For any (m_1, m_2) ≠ (m′_1, m′_2) and any δ ∈ F_{2^n},
        Pr[m_1 K_1 + m_2 K_2 = m′_1 K_1 + m′_2 K_2 + δ] = 1/2^n,
        where the event inside Pr[·] is the differential event E.
     3. Proof. If m_1 ≠ m′_1 (i.e., ∆m_1 ≠ 0) then the result follows by conditioning on K_2.


  14. Example: Pseudo dot-product (PDP) Hash
     1. ∀ m_1, m_2 ∈ F_{2^n}, (m_1, m_2) ↦ (m_1 + K_1)(m_2 + K_2).
     2. Differential property: PDP = ML + K_1 K_2 + m_1 m_2. The key-only term cancels in the difference and the message-only term moves into δ.
     3. 1 (or ℓ/2) mult for 2 (or ℓ, even) blocks (compare with ML):
        (m_1 + K_1)(m_2 + K_2) + ··· + (m_{ℓ−1} + K_{ℓ−1})(m_ℓ + K_ℓ).
     Question 1. Can we have a ∆U hash for ℓ message blocks requiring fewer than ℓ/2 multiplications? A linear function (in message and keys) has no mult and cannot be universal. Note that the number of multiplicands is 2c for c mult, and these behave like linear functions, so by an entropy argument one should not hope for it.

  15. Multi-block Hash
     1. A d-block hash H = (H_1, ..., H_d) outputs in F^d_{2^n} (nd bits). We need it either for a larger hash output, or because working with a smaller field size might give better performance (for example, a 64-bit system wanting to produce 128 bits).
     Examples.
     2. d-independent hash: H = (H_{K_1}, ..., H_{K_d}) where H is ∆U and the K_i's are independent. Larger keys; parallel.
     3. Toeplitz hash (applied to ML and PDP): fewer keys and parallel; requires about d × ℓ or d × ℓ/2 multiplications.

  16. Toeplitz Hash for ML
$$
\begin{pmatrix}
m_1 & m_2 & \cdots & m_\ell & 0 & \cdots & 0 & 0\\
0 & m_1 & \cdots & m_{\ell-1} & m_\ell & \cdots & 0 & 0\\
0 & 0 & \cdots & m_{\ell-2} & m_{\ell-1} & \cdots & 0 & 0\\
\vdots & \vdots & & \vdots & \vdots & & \vdots & \vdots\\
0 & 0 & \cdots & m_{\ell-d+1} & \cdots & & m_{\ell-1} & m_\ell
\end{pmatrix}
\cdot
\begin{pmatrix} K_1\\ K_2\\ K_3\\ \vdots\\ K_{\ell+d-1} \end{pmatrix}
$$
     - Can be computed in d × ℓ multiplications.
     - Winograd showed that it cannot be computed in "less than" d × ℓ mult.

  17. Toeplitz Hash for PDP
$$
\begin{pmatrix}
(m_1, m_2) & (m_3, m_4) & \cdots & (m_{\ell-1}, m_\ell) & 0 & \cdots & 0\\
0 & (m_1, m_2) & \cdots & (m_{\ell-3}, m_{\ell-2}) & (m_{\ell-1}, m_\ell) & \cdots & 0\\
\vdots & \vdots & & \vdots & \vdots & & \vdots
\end{pmatrix}
\bullet
\begin{pmatrix} (K_1, K_2)\\ (K_3, K_4)\\ \vdots \end{pmatrix}
$$
     Here, (m, m′) • (K, K′) = (m + K) · (m′ + K′). A d-block hash can be computed in d × ℓ/2 multiplications. No better algorithm is known.


  20. Multi-block Hash. Question 1-d
     Question 1-d. Can we have a d-block ∆U hash for ℓ message blocks requiring fewer than d × ℓ/2 multiplications?
     1. Try-1: (m_1 K_1 + m_2 K_2, m_1 K_2 + m_2 K_1) → 3 mult instead of 4. However, the differential probability is only 2^{−n}; we expect 2^{−2n}, and about 2^{−nd} for a d-block hash. (We always have the trivial (H_1, ..., H_1).)
     2. Try-2: Let α be a primitive element of F_{2^n}. (m_1 K_1 + m_2 K_2 + m_3 K_3, α^2 m_1 K_1 + α m_2 K_2 + m_3 K_3) where m_3 = m_1 + m_2.
        - 2^{−2n} differential probability,
        - 3 mult (mult by α is efficient) for 4 blocks with PDP.
        - Our construction EHC requires fewer than d × ℓ/2 mult.
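An added example (not from the slides or the author) that instantiates the ML and PDP hashes of slides 12 and 14 and the Try-1 hash of slide 20 over GF(2^8), a field small enough to enumerate all 2^16 key pairs, and measures their differential probabilities exhaustively. The AES field polynomial, the sample messages and all function names are my choices; n = 8 stands in for the general F_{2^n} of the slides.

```python
from itertools import product

N = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the AES field polynomial (any irreducible one works)

def gf_mul(a, b):
    """Multiply two elements of GF(2^8). Field addition is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & (1 << N):
            a ^= POLY
        b >>= 1
    return r

def ml_hash(m, k):
    """Multi-linear hash (m1, m2) -> m1*K1 + m2*K2: two multiplications."""
    return gf_mul(m[0], k[0]) ^ gf_mul(m[1], k[1])

def pdp_hash(m, k):
    """Pseudo dot-product (m1, m2) -> (m1 + K1)(m2 + K2): one multiplication."""
    return gf_mul(m[0] ^ k[0], m[1] ^ k[1])

def try1_hash(m, k):
    """Try-1 from slide 20: the 2-block output (m1K1 + m2K2, m1K2 + m2K1)."""
    return (ml_hash(m, k), gf_mul(m[0], k[1]) ^ gf_mul(m[1], k[0]))

def diff_prob(h, m, m2, delta):
    """Pr over all (K1, K2) that h(m) - h(m2) = delta, by exhaustive enumeration."""
    hits = 0
    for k in product(range(1 << N), repeat=2):
        a, b = h(m, k), h(m2, k)
        d = tuple(x ^ y for x, y in zip(a, b)) if isinstance(a, tuple) else a ^ b
        hits += (d == delta)
    return hits / (1 << (2 * N))

def pdp_identity_holds(m, k):
    """Slide 14's PDP = ML + K1*K2 + m1*m2, where the ML term pairs m1 with K2
    and m2 with K1 (still an ML hash, just with the keys relabelled)."""
    ml_swapped = gf_mul(m[0], k[1]) ^ gf_mul(m[1], k[0])
    return pdp_hash(m, k) == ml_swapped ^ gf_mul(k[0], k[1]) ^ gf_mul(m[0], m[1])

if __name__ == "__main__":
    m, m2 = (0x53, 0xCA), (0x3C, 0xCA)            # constructed: differ only in block 1
    print(diff_prob(ml_hash, m, m2, 0x00))         # 1/256 = 2^-n
    print(diff_prob(pdp_hash, m, m2, 0x7F))        # 1/256 = 2^-n
    # Try-1 with Delta m1 = Delta m2 = c != 0: difference (c(K1+K2), c(K1+K2)) is (0,0) iff K1 = K2
    print(diff_prob(try1_hash, (0x01, 0x02), (0x10, 0x13), (0, 0)))  # 1/256, not 2^-2n
```

The last line is the point of Try-1: a 2-block output saves one multiplication but only reaches the single-block bound 2^{-n}, because an equal difference in both message blocks collapses the two outputs to the same linear form in K_1 + K_2.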

  21. Final Question: Multiplication Complexity
     1. What is the minimum number of multiplications necessary for a d-block hash?
