Iteration Techniques

  Andrada Astefanoaie


     October 2010
Contents

   1 Contents
   2 Introduction and Preliminaries
       UOWHFs and CRHFs
       UOWHFs vs CRHFs
   3 Merkle-Damgård
       Merkle’s Meta-Method
       Fixed size collision free hash function families
       Collision free hash function families
       The method
       Final Considerations
   4 Shoup
       The Scheme - Starting Point
       The Scheme
       Correctness
       Final Considerations
   5 Comparison - time
   6 Bibliography
Introduction and Preliminaries
UOWHFs and CRHFs




   Definition
   A Universal One Way Hash Function (UOWHF) is a keyed
   hash function with the following property: if an adversary chooses
   a message x, and then the key K is chosen at random and
   given to the adversary, it is computationally infeasible to find an
   x' ≠ x such that H_K(x) = H_K(x').

   Definition
   A Collision Resistant Hash Function (CRHF) is a keyed hash
   function with the following property: if an adversary is given a random
   key K, it is computationally infeasible to find any pair of messages
   x ≠ x' such that H_K(x) = H_K(x').
Introduction and Preliminaries
UOWHFs vs CRHFs




   Main difference: the degree of freedom the adversary has in
   choosing the colliding elements.
     - An efficient and secure UOWHF is easier to construct than a CRHF:
       UOWHFs can be constructed from problems such as an arbitrary one-way
       permutation, whereas CRHFs cannot be constructed from such problems.
       CRHFs can instead be built on the hardness of specific number-theoretic
       problems (e.g. the discrete logarithm problem).
     - For most applications, constructing a UOWHF is enough.
       One of the main applications is digital signing. Here hashing speed is
       crucial, and because a UOWHF is a weaker primitive than a CRHF, it is
       more likely that a faster algorithm implementing a UOWHF can be found.
Merkle-Damgård
Merkle’s Meta-Method


      The method was proposed by Merkle in [Me89] to map an
      input of variable length to an output of fixed length using a
      function F0 that accepts a fixed-size argument.

      Function F(x)
      Input: x : ARRAY [1..n] OF Chunks
      Output: result : FixedSizeOutputString
      // Note that SizeOf(input of F0) = SizeOf(Chunks) + SizeOf(result)
      begin
          result ← 0
          for i ← 1 to n do
              result ← F0(result, x[i])
          end
          return result
      end

      Preparation of x:
        - x is padded with 0s until its size is an integral multiple of the
          size of Chunks;
        - the length of x (in bits) is added at the end of x, right justified
          in the final block.
Merkle-Damgård
Merkle’s Meta-Method


    Finding x' ≠ x such that F(x) = F(x') is at least as hard as
    breaking F0.
      Case 1: x and x' have the same length (induction on n)
        Basis
        n = 1: y = F(x) ≡ F0(0, x[1]).
        If x' ≠ x, F(x) = F(x') and n = 1, then x[1] ≠ x'[1] and
        F0(0, x[1]) = F0(0, x'[1]), i.e. a collision for F0.
        Induction
        Assume the property holds for n.
        y = F(x) ≡ F0(F(x[1..n]), x[n + 1])
        Neither F(x[1..n]) nor x[n + 1] can be modified, because that would
        mean breaking F0 directly. Since F(x[1..n]) is fixed, x[n + 1]
        cannot be modified without breaking F0, which means that no bit of
        x can be modified without breaking F0. Q.E.D.
      Case 2: x and x' have different lengths (uses the previous proof)
Merkle-Damgård
Fixed size collision free hash function families



     Definition
     A fixed size collision free hash function family F is an infinite family of
     finite sets {F_m}_{m=1}^∞ and a function t : N → N such that t(m) < m for all
     m ∈ N.
     A member of F_m is a function f : {0,1}^m → {0,1}^{t(m)} and it is called an
     instance of F of size m.
     F must satisfy the following:
        1  There is a probabilistic polynomial (in m) time algorithm θ which,
           given a value m, selects an instance of F of size m at random.
        2  For any instance f ∈ F_m and x ∈ {0,1}^m, f(x) can be computed
           in polynomial time.
        3  Given an instance f ∈ F selected at random as in 1., it is
           computationally infeasible to find x, y ∈ {0,1}^m such that
           f(x) = f(y) and x ≠ y.
Merkle-Damgård
Fixed size collision free hash function families




     Lemma
     Let F be a collision free hash function family, f an instance of size
     m. Let P_f be the probability distribution on {0,1}^{t(m)} generated
     by selecting x randomly and uniformly in {0,1}^m and outputting
     f(x).
     Then no algorithm inverting f on images selected according to P_f
     succeeds with probability larger than 1/2 + 1/P(m) for any
     polynomial P.
     If P_f is the uniform distribution over the image of f, or m − t is
     O(m), then no inversion algorithm succeeds with probability larger
     than 1/P(m).
Merkle-Damgård
Collision free hash function families


     Definition
     A collision free hash function family H is an infinite family of finite
     sets {H_m}_{m=1}^∞ and a polynomially bounded function t : N → N.
     A member of H_m is a function h : {0,1}* → {0,1}^{t(m)} and it is
     called an instance of H of size m.
     H must satisfy the following:
        1  There is a probabilistic polynomial (in m) time algorithm θ
           which, given a value m, selects an instance of H of size m at
           random.
        2  For any instance h ∈ H_m and x ∈ {0,1}*, h(x) is easy to
           compute.
        3  Given an instance h ∈ H selected at random as in
           1., it is computationally infeasible to find x, y ∈ {0,1}* such
           that h(x) = h(y) and x ≠ y.
Merkle-Damgård
The method




    Theorem
    Let F be a fixed size collision free hash function family that maps
    m bits to t(m) bits. Then there exists a collision free hash function
    family H mapping strings of arbitrary length to t(m)-bit strings.
    Let h be an instance in H of size m. Then evaluating h on input of
    length n can be done in at most n/(m − t(m) + 1) + 1 steps using
    one processor.

    The theorem is proved using an instance h ∈ H that is today
    known as the Merkle-Damgård iteration technique.
Merkle-Damgård
The method



    The Merkle-Damgård Iteration Technique
    step 1: preparing x
        x is split in blocks of m − t − 1 bits: x_1, x_2, ..., x_{n/(m−t−1)},
        where n is the length of x after padding.
        If the last block is incomplete, it is padded with d bits of 0.
        The binary representation of d, prefixed with an appropriate
        number of 0s, is appended as the last block.
    step 2: the hash function
        h_1 = f(IV ∘ x_1), where IV (initialization vector) in the original
        paper is a block of 0s of length t + 1.
        h_{i+1} = f(h_i ∘ 1 ∘ x_{i+1})
    Finally h(x) = h_{n/(m−t)+1}.
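The two steps above, carried out on bit strings, as an added example that is not part of the slides. The compression function f is a stand-in built from a truncated SHA-256 (an assumption for illustration; the slides' f is an abstract instance of a fixed size collision free family), and the parameters t = 64 and m = 128 are constructed, so each step consumes m − t − 1 = 63 message bits. Bit strings are represented as text of '0'/'1' characters so that the padding and the final d-block are visible.

```python
import hashlib

T = 64          # t: output length of f in bits (constructed; real designs use 160-512)
M = 128         # m: input length of f in bits (constructed)
R = M - T - 1   # message bits consumed per step: m - t - 1 (= 63 here)


def f(bits: str) -> str:
    """Stand-in fixed-size compression f : {0,1}^m -> {0,1}^t on '0'/'1' text.
    Built from truncated SHA-256 for illustration only (assumption)."""
    assert len(bits) == M and set(bits) <= {"0", "1"}
    digest = hashlib.sha256(bits.encode()).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[:T]


def prepare(x: str) -> list:
    """Step 1: split x into (m - t - 1)-bit blocks, zero-pad the last one with
    d bits, and append the binary representation of d as an extra block."""
    d = (-len(x)) % R                      # 0 <= d < R, so d fits in one block
    padded = x + "0" * d
    blocks = [padded[i:i + R] for i in range(0, len(padded), R)]
    blocks.append(format(d, f"0{R}b"))     # d, left-padded with 0s to a full block
    return blocks


def md_hash(x: str) -> str:
    """Step 2: h_1 = f(IV o x_1) with IV = 0^(t+1); h_{i+1} = f(h_i o 1 o x_{i+1})."""
    blocks = prepare(x)
    h = f("0" * (T + 1) + blocks[0])       # IV of t + 1 zero bits, as in the slides
    for xi in blocks[1:]:
        h = f(h + "1" + xi)                # the fixed 1 bit separates h_i from x_{i+1}
    return h
```

The d-block is what keeps zero-padding unambiguous: "0"×62 and "0"×63 produce the same padded data block but different d values, so their hashes differ.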
Merkle-Damgård
Final Considerations




          It is important to note that the Merkle-Damgård construction
          does not increase the size of the key. The main application is
          in digital signing, which is why variation in the size of the
          key matters.
          In [Il01] it is shown that the method may be extended to a
          class of functions that lie between CRHFs and UOWHFs.
Shoup
The Scheme - Starting Point




    The starting point is a UOW compression function H that is
    keyed and compresses a bits to b bits.
    A message x is split in l blocks x_1, ..., x_l, each of length m. The
    last block also encodes the length of x in some canonical way. l
    may vary, with l < L for some given L.
    The key consists of a single key K for H together with t + 1 masks
    (random b-bit strings), where t = log2 L.
Shoup
The Scheme




    ν2(i) is the largest value ν such that 2^ν divides i.
    Shoup Iteration Technique
    h_0 is an arbitrary b-bit string.
    For 1 ≤ i ≤ l: h_i = H_K((M_{ν2(i)} ⊕ h_{i−1}) ∘ x_i).
    The output: h_l
Shoup
Correctness




    Theorem
    If H is a UOWHF, then the Shoup composite scheme is also a
    UOWHF.
    The proof shows that if an adversary A finds collisions in the
    composite scheme, then it can be turned into A', an adversary that
    finds collisions in the compression function H. If A finds
    collisions with a certain probability, then A' finds collisions with
    that probability divided by L.
Shoup
Correctness - Proof of the Theorem




    Considering x an input, for 1 ≤ i ≤ l we define S_i(x) as the
    first b bits of the input to the i-th application of the compression
    function H.
    Behavior of the adversary A': x, the target message (x_1, ..., x_l), and
    the second message x' = (x'_1, ..., x'_{l'}) are already formatted.
    δ is the smallest non-negative integer such that
    S_{l−δ}(x) ∘ x_{l−δ} ≠ S_{l'−δ}(x') ∘ x'_{l'−δ}. This pair is the collision on H_K
    that A' needs.
Shoup
Correctness - Proof of the Theorem




    A chooses the first message x. Then A' guesses the value of δ at
    random (probability 1/L of being correct).
    A' constructs the target message as S ∘ x_{l−δ}, where S is a b-bit
    string.
    K, the key, is chosen and A' has to generate M_0, ..., M_t such that
    the composite key (K, M_0, ..., M_t) has the correct distribution and
    also S_{l−δ}(x) = S.
    The adversary A then attempts to find a collision with x. If A
    succeeds, and if the guess δ was correct, this leads to a collision
    for A'.
Shoup
Correctness - Proof of the Theorem

      Algorithm 1: Key Construction algorithm
      Input: x, δ, K, S, t
      Output: the masks M_0, ..., M_t
      begin
          for j ← 0; j ≤ t; j ← j + 1 do
              status_j ← "Undefined";
          end
          S_{l−δ} ← S; status_{ν2(l−δ)} ← "Being Defined";
          for i ← l − δ − 1; i ≥ 1; i ← i − 1 do
              j ← ν2(i);
              if status_j = "Undefined" then
                  choose S_i as a random b-bit string;
                  status_j ← "Being Defined"; h_i ← H_K(S_i ∘ x_i); i' ← i + 1; j' ← ν2(i');
                  // walk forward while the mask used at position i' is already fixed
                  while (status_{j'} = "Defined") do
                      h_{i'} ← H_K((h_{i'−1} ⊕ M_{ν2(i')}) ∘ x_{i'}); i' ← i' + 1; j' ← ν2(i');
                  end
                  // the walk stops at a position whose S_{i'} is already chosen
                  M_{j'} ← h_{i'−1} ⊕ S_{i'}; status_{j'} ← "Defined";
              end
          end
          i' ← 1; j' ← 0;
          while (status_{j'} = "Defined") do
              h_{i'} ← H_K((h_{i'−1} ⊕ M_{ν2(i')}) ∘ x_{i'}); i' ← i' + 1; j' ← ν2(i');
          end
          M_{j'} ← h_{i'−1} ⊕ S_{i'}; status_{j'} ← "Defined";
          for (j ← 0; j ≤ t; j ← j + 1) do
              if status_j = "Undefined" then
                  choose M_j as a random b-bit string;
              end
          end
      end
Shoup
Correctness - Proof of the Theorem



    The key construction algorithm implicitly defines a one-to-one map
    between the tuples (K, M_0, ..., M_t) and (K, S, S^(1), ..., S^(t)), where
    (S, S^(1), ..., S^(t)) are randomly chosen b-bit strings and
    S = S_{l−δ}(x). That is why the proof of the theorem depends on
    the following Lemma.
    Lemma
    For 1 ≤ j ≤ l − δ − 1, status_j = "being defined".

    The proof of the Lemma is based on the following two facts:
    Fact 1: For any positive integers A < B with ν2(A) = ν2(B), there
    exists an integer C with A < C < B and ν2(C) > ν2(A).
    Fact 2: For any positive integers A < B, and for any non-negative
    integer ν < min{ν2(A), ν2(B)}, there exists an integer C with
    A < C < B and ν2(C) = ν.
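As an added example that is not part of the slides, the following Python code implements the Shoup iteration technique from "The Scheme" (ν2, the masks M_{ν2(i)} and the chain h_i = H_K((M_{ν2(i)} ⊕ h_{i−1}) ∘ x_i)) together with the key construction of Algorithm 1, and then checks the property the reduction relies on: with the constructed masks, the first b bits fed to H at step l − δ are exactly the chosen S. Assumptions: H_K is a stand-in keyed compression function built from truncated SHA-256 (the slides' H is abstract), b = 16 bytes and m = 32 bytes are constructed parameters, the length encoding in the last block is one canonical choice, L is a power of two with t = log2 L and l ≤ L, and the forward walks of Algorithm 1 run while the mask at the current position is already "Defined" (reading the slides' "Being Defined" literally would use a mask before it is assigned).

```python
import hashlib
import os

B = 16      # b: chaining-value / mask length in bytes (constructed parameter)
BLOCK = 32  # m: message block length in bytes (constructed parameter)


def nu2(i: int) -> int:
    """nu_2(i): the largest v such that 2^v divides i (i >= 1)."""
    assert i >= 1
    return (i & -i).bit_length() - 1


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def H(K: bytes, inp: bytes) -> bytes:
    """Stand-in keyed compression H_K: b + m bytes -> b bytes (SHA-256 based; assumption)."""
    assert len(inp) == B + BLOCK
    return hashlib.sha256(K + inp).digest()[:B]


def format_message(msg: bytes) -> list:
    """Split into m-byte blocks; the last block is zero-padded and ends with the
    8-byte big-endian bit length (one canonical length encoding; assumption)."""
    n = len(msg)
    padded = msg + b"\x00" * ((-(n + 8)) % BLOCK) + (8 * n).to_bytes(8, "big")
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def shoup_chain(K, masks, h0, blocks):
    """h_i = H_K((M_{nu2(i)} xor h_{i-1}) o x_i). Returns (h, S): h[i] is the i-th
    chaining value, S[i] the first b bytes fed to H at step i (S_i(x) in the proof)."""
    h, S = [h0], [None]
    for i, xi in enumerate(blocks, start=1):
        S.append(xor(masks[nu2(i)], h[i - 1]))
        h.append(H(K, S[i] + xi))
    return h, S


def shoup_hash(K, masks, h0, msg):
    return shoup_chain(K, masks, h0, format_message(msg))[0][-1]


def keygen(L: int):
    """Honest key: K for H plus t + 1 random masks, t = log2 L (L a power of two)."""
    assert L & (L - 1) == 0
    return os.urandom(B), [os.urandom(B) for _ in range(L.bit_length())]


def digests_under_one_key(msgs, L=8):
    """Hash several messages under one freshly generated key (h0 = zero string)."""
    K, masks = keygen(L)
    return [shoup_hash(K, masks, bytes(B), m) for m in msgs]


def construct_masks(K, blocks, delta, S, t, h0):
    """Algorithm 1: choose M_0..M_t so that S_{l-delta}(x) == S; masks chosen at
    random stay uniform, the others are forced by already-chosen S_i values."""
    UNDEF, BEING, DEF = "Undefined", "Being Defined", "Defined"
    target = len(blocks) - delta
    status, M, Sv, h = [UNDEF] * (t + 1), [None] * (t + 1), {target: S}, {0: h0}
    status[nu2(target)] = BEING

    def walk(i2):
        j2 = nu2(i2)
        while status[j2] == DEF:          # mask known: compute S_i', h_i' and advance
            Sv[i2] = xor(h[i2 - 1], M[j2])
            h[i2] = H(K, Sv[i2] + blocks[i2 - 1])
            i2 += 1
            j2 = nu2(i2)
        if status[j2] != BEING:           # ruled out by the Lemma in the slides
            raise RuntimeError("walk ended at an undefined mask")
        M[j2] = xor(h[i2 - 1], Sv[i2])    # force the mask so that S_i' is hit exactly
        status[j2] = DEF

    for i in range(target - 1, 0, -1):
        if status[nu2(i)] == UNDEF:
            Sv[i] = os.urandom(B)
            status[nu2(i)] = BEING
            h[i] = H(K, Sv[i] + blocks[i - 1])
            walk(i + 1)
    walk(1)
    for j in range(t + 1):
        if status[j] == UNDEF:
            M[j] = os.urandom(B)
    return M


def construction_hits_target(L: int, msg: bytes, delta: int) -> bool:
    """Run Algorithm 1 for random K, h0, S, re-run the plain iteration with the
    produced masks and check S_{l-delta}(x) == S."""
    K, h0, S = os.urandom(B), os.urandom(B), os.urandom(B)
    blocks = format_message(msg)
    assert 0 <= delta < len(blocks) <= L
    M = construct_masks(K, blocks, delta, S, L.bit_length() - 1, h0)
    return shoup_chain(K, M, h0, blocks)[1][len(blocks) - delta] == S
```

Running `construction_hits_target` over every (l, δ) with l ≤ L exercises all the walk patterns (the walk stopping immediately at l − δ, and walks that pass through several already-defined masks before reaching a "Being Defined" one); the RuntimeError branch is the case the Lemma excludes, and it is never hit.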
Shoup
Final Considerations




     This iteration technique is considered to be the most efficient one.
     It has the smallest key expansion.
     The composition scheme proposes a family of UOWHFs such that
     a function that compresses N bits to m bits is keyed by
     m · log2 N/(n − m) + l bits. The key length grows
     logarithmically with the length of the message.
Comparison - time (seconds)*




   *Merkle-Damgård and Shoup iteration techniques use the SHA-1 compression function
Bibliography




      [Me89] R. Merkle, "One-Way Hash Functions and DES", Proc. of
      CRYPTO '89, pp. 428-446, 1989
      I. Damgård, "A design principle for hash functions", Proc. of
      CRYPTO '89, pp. 416-427, 1989
      V. Shoup, "A composite theorem for universal one-way
      functions", Proc. of EUROCRYPT 2000, pp. 445-452, 2000
      [Il01] Ilya, "Hash Functions: From Merkle-Damgård to Shoup",
      Proc. of EUROCRYPT 2000, pp. 166-181, 2001
