A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost

Transcription

1 A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost Mihir Bellare University of California, San Diego Daniele Micciancio Laboratory for Computer Science Massachusetts Institute of Technology

2 Hash Functions Maps arbitrarily long inputs to outputs of a fixed length Used to hash messages before signing X HASH H(X) SIGN S(H(X)) It is hard to find collisions X HASH H(X)=H(Y) HASH Y

3 Incrementality Hash values can be quickly updated when messages are modified X = x 1,...,x i,...,x n HASH H(X) EDIT Incremental Hash Func. X = x 1,...,x i,...,x n HASH H(X ) H(X ) can be computed as a fast function of H(X), i and x i.

4 Previous Constructions Standard constructions are not incremental because they involve some sort of iteration Merkle-Damgård meta-method (MD5, SHA-1, RIPEMD-160) x 1 x 2 x 3 x 4 IV h h h h H(X) [BGG], incremental but requires one modular exponentiation per message block

5 Tree Construction Simple idea: use a tree structure x 1 h h(x 1,x 2 ) x 2 x 3 x 4 h h(x 3,x 4 ) h H(X) Problem: to be incremental need to store all intermediate hash values We want to store only the final hash value and be able to increment given only this

6 Our Paradigm <1>.x 1 <2>.x 2 <n>.x n h h h y 1 y 2 y n combining operation H(X) We are given group G with combining operation randomizer or compression function h mapping fixed size strings to element of G To hash message X = x 1,...,x n concatenate the block index to each block: x i = <i>.x i apply h to each augmented block: y i = h(x i ) combine the hash values in G via : HASH G,h (X) = y 1... y n

7 Features Incrementality: if y = HASH G,h (X) is known and block x i changes to x i, then the new hash is HASH G,h (X ) = y h(<i>.x i ) -1 h(<i>.x i ) The cost of an increment operation is two h computations and two operations in G Parallelizability: the computation is entirely parallelizable

8 The Randomizer For security the randomizer h must be collision-free In practice h is derived from standard hash functions (e.g. SHA-1) In the analyses we assume that h is an ideal hash function or random oracle The computation of h is assumed to be fast

9 The Combining Operation Different choices of the combining operation give different families of hash functions XHASH: Bitwise XOR MuHASH: Multiplication in a group special cases:» multiplication in groups of prime order» integer multiplication modulo p AdHASH: Addition modulo M LtHASH: Vector addition

10 Efficiency The cost of applying the randomizer to each block is like a single application of SHA-1 to the whole message Additional cost of combining: (n/b - 1) operations in (G, ) to hash an n-bit message can be reduced by increasing the block size b can be low if for example we set the combining operation to addition Overall speed: could be not much slower than standard SHA-1 hashing, with the added advantage of incrementality and parellizability

11 Security The choice of the combining operation is important XHASH: we show is not secure MuHASH, AdHASH, LtHASH: we prove secure based on the hardness of Discrete Log, Weighted Knapsack and Shortest Lattice Vector problems and assuming h is ideal We give concrete reductions, important in practice

12 Definition of Security A hash function family {HASH h } is (t,q, )- collision-free if no algorithm limited to run in time t and make q queries to oracle h can find a collision to HASH h with probability greater than h X, Y Adv HASH h H(X) = H(Y)

13 MuHASH: General case MuHASH G,h (x 1,...,x n ) = i h(<i>.x i ) The security of MuHash is proved based on the hardness of the Discrete Log problem in G. Theorem 1: Assume no algorithm running in time t can find discrete logarithms in G with probability. Then MuHASH G,h is (t,q, )- collision-free where = q t=t /c - q(d+b) c is a small constant depending on the model of coputation, b is the block size and d is the running time of the operations in G

14 MuHASH: tight reductions MuHASH G,h (x 1,...,x n ) = i h(<i>.x i ) Theorem 2: If G is a group of prime order MuHASH G,h is (t,q, )-collision-free where = 2 t = t /c - q(d+b) Theorem 3: If is multiplication modulo p, where p is a prime of length k, then MuHASH G,h is (t,q, )-collision-free where = 4 ln(0.694 k) t = t /c - q(k 3 +b)

15 AdHASH AdHASH M,h (x 1,...,x n ) = i h(<i>.x i ) mod M (k,q)-weighted-knapsack problem: given a k bit integer M and q numbers 0 < a 1,...,a q < M find weights w 1,...,w q in {-1,0,+1} not all 0 such that i w i a i = 0 (mod M) Theorem: Assume no algorithm running in time t can solve the (k,q)-weighted-knapsack problem with probability. Then AdHASH G,h is (t,q, )-collision-free, where t = t /c - qk. Note: if the Shortest Lattice Vector problem is hard then also the weighted-knapsack problem is hard [Ajtai]

16 LtHASH LtHASH p,h (x 1,...,x n ) = i h(<i>.x i ) mod p [Aj,GGH] introduced a hash function which is collision-free if the shortest lattice vector problem is hard We note that the function of [GGH] is incremental, but it can be applied only to fixed size inputs LtHASH is a more practical version of this function whose security can be proved assuming the SLV problem is hard and h is ideal

17 Collision freeness and The Balance Problem (G,n)-Balance Problem: given random group elements a 1,...,a n, find disjoint subsets I, J of {1,...,n} such that {a i : i in I} = {a j : j in J} I = {1,2,6} J = {5,7} a 4 a 3 a 2 a 1 a 6 a 5 a 7 The (G,n)-balance problem is (t, )-hard if no algorithm, limited to run in time t can find a solution to with probability more than Theorem: If the balance problem is hard then HASH G,h is collision-free

18 Proof of security MuHASH: General case We only need to show that if discrete log is hard then the balance problem is hard Let A be an algorithm that solves the balance problem, we build an algorithm L(g,y) that computes log g y as follows: Choose index j in {1,...,n} at random Use A to solve the balance problem a 1,...,a n where a i = y if i = j and a j = g r(i) otherwise, where r(i) is randomly chosen Let w 1,...,w n be the weights output by A. We have w 1 r(1) w j log g y w n r(n) = 0 mod G With probability at least 1/n, w j is not zero and the above equation can be easily solved for log g y

19 Summary Function Increment Efficiency Security based on MuHASH 2 products + 2 h appl. n products + n h appl. Discrete Log AdHASH 2 additions + 2 h appl. n products + n h appl. Weighted Knapsack LtHASH 2 vector add. + 2 h appl. n vector add. + n h appl. Shortest Lattice Vector

20 Conclusion Introduced a new paradigm for collision-free hashing that yields incremental and parallelizable hash functions Given a few constructions of collision-free hash functions derived from our paradigm MuHASH AdHASH LtHASH

21 Related work Independently, Impagliazzo and Naor considered hashing by multiplying in a group (similar to MuHASH) Impagliazzo and Naor also considered Universal One Way Hash functions (a weaker kind of hashing), based on subset-sum (similar to AdHASH) Goldreich, Goldwasser, Halevi: hashing by adding vectors (similar to LtHASH) Those functions are incremental, but input is fixed size use one operation per bit (as opposed to one operation per block) have much bigger keys do not use a random oracle assumption