Overview � Hash Functions On Building Hash Functions From Multivariate Quadratic Equations � Multivariate quadratic equations Olivier Billet, Thomas Peyrin, and Matt Robshaw � Hash functions and multivariate quadratic equations Orange Labs � Pro's and con's France 02.07.07 � Conclusions Orange Labs MQ-Hash Matt Robshaw (2) Orange Labs Hash Functions Compression Functions � We want a fixed-length output from an arbitrary length input M 1 M 2 M n � Classically, good hash functions satisfy three properties � Pre-image resistant � Second pre-image resistant � Collision-free f f f h IV � However, it is not always clear what we want or what we need c 1 c 2 c n-1 � Typical designs are built around a compression function optional output � These compress a fixed-length string transformation � Multiple calls to the compression function allow inputs of (close to) arbitrary length to be hashed (Merkle-Damgård) MQ-Hash Matt Robshaw (3) Orange Labs MQ-Hash Matt Robshaw (4) Orange Labs Compression Functions (I) Compression Functions (II) � Typically built around a block cipher � There is much interest in number-theoretic approaches � Sometimes it's a block cipher of dedicated design � Primarily due to the success of VSH � e.g. MD4, MD5, SHA, SHA-1, etc. � Other examples include LASH, FSB, … � The underlying construct is an (unusual) block cipher � Here we try and get good (or reasonable) performance � Sometimes it's an established block cipher (DES or AES) coupled with an element of "provable security" � e.g. MDC-2, MDC-4 MQ-Hash Matt Robshaw (5) Orange Labs MQ-Hash Matt Robshaw (6) Orange Labs 1
In This Paper Multivariate Quadratic Equations � Solving a random system of multivariate quadratic � We consider efforts to build a compression function equations over a field F is (in general) difficult based on Multivariate Quadratic Equations (MQE) q 1 (x 1 , … , x n ) = Σ 1 ≤ i ≤ j ≤ n a i,j x i x j + Σ 1 ≤ k ≤ n b k x k + c � Can we get some "provable" security with reasonable performance ? q 2 (x 1 , … , x n ) = … ↓ q m (x 1 , … , x n ) = … Given y 1 , … , y m find some x 1 , … , x n such that y 1 = q 1 (x 1 , … , x n ), … , y m = q m (x 1 , … , x n ) MQ-Hash Matt Robshaw (7) MQ-Hash Matt Robshaw (8) Orange Labs Orange Labs Multivariate Quadratic Equations Starting Out � However, evaluating a set of polynomials is very easy � It is natural to try and build a hash function from MQE � There is a very appealing natural one-way quality � We get one-way properties for free � There has been mixed success using this in public key cryptography v variables in F are the output arrange the input bits f as n variables in F from v equations � We need to embed a trapdoor which is not always easy � But some success in symmetric cryptography (QUAD) compress: F n → F v compress (x 1 , … , x n ) = (q 1 (x 1 , … , x n ), … , q v (x 1 , … , x n )) MQ-Hash Matt Robshaw (9) Orange Labs MQ-Hash Matt Robshaw (10) Orange Labs Pre-image Resistant, but … A Two-Step Approach � We build a two-step compression function MQ- hash � If there are collisions they will be easy to find � Use MQE in both steps � First order differential of quadratic polynomials is affine � Use MQE to give some "compression" but apply some � Our challenge is to find a different way of using MQE pre-processing � Pre-processing appears in several guises, but our work is somewhat related to Aiello, Haber, and Venketasen (FSE 1998) � Provably maintain pre-image resistance property � Intuition : Collisions might be obvious in the second component � Provide (at least) plausible collision-free property but they hard to extend to the full compression function MQ-Hash Matt Robshaw (11) Orange Labs MQ-Hash Matt Robshaw (12) Orange Labs 2
MQ- hash = Q g • Q f Outline of Reasoning c i-1 M i Q f � For MQ- hash to be one-way n + m � Q g is one-way (this is our starting point) � The MQE in Q f are "well-behaved" expansion f • We borrow from QUAD for this r Q g � For MQ- hash to be (plausibly) collision-free r � Collisions in Q g cannot be lifted to the compression function g compression • Q f should be one-way � Q f should not induce collisions n • Q f stretches the input c i MQ-Hash Matt Robshaw (13) MQ-Hash Matt Robshaw (14) Orange Labs Orange Labs Parameters and Performance The MQ- hash Proposal � Q f consists of r equations in n+m variables � Pro's: � Q g consists of n equations in r variables � Provably pre-image resistant construction � Conjectured collision-free and second pre-image resistant � Suppose we seek a security level of 2 k operations � We require that n ≥ ≥ 2k ≥ ≥ � Con's: � We can bound the probability that Q f is not an injection � We require that r ≈ ≈ 2(n+m) + k ≈ ≈ � Terrible performance (storage and hashing rate) � At each iteration we hash m bits of message � For GF(2) we might chose n = 160 , m = 32 , and r = 464 � … but the performance is (very) poor MQ-Hash Matt Robshaw (15) Orange Labs MQ-Hash Matt Robshaw (16) Orange Labs Conclusions An Alternative Construction � However MQE are very versatile building blocks � We have explored the use of multivariate quadratic equations in designing a hash function � Perhaps this construction could be of some interest Q f M i � We (successfully) tackled some intricate issues � Gained additional insight into using MQE m � However, our feeling is that this isn't the way to go c i-1 g f � New research might uncover better ways of using ME n � But we doubt random MQE systems are a practical building block for a hash function Q g c i MQ-Hash Matt Robshaw (17) Orange Labs MQ-Hash Matt Robshaw (18) Orange Labs 3
Recommend
More recommend
