Hash Functions: From Merkle-Damgård to Shoup Ilya Mironov, Stanford University

Collision-resistant functions Family of functions f K :D  R Hard to win this game: AttackerChallenger k  K - random (x,y)(x,y) f k (x)=f k (y)

Collision-resistant functions can be used for: Signature schemes Commitment schemes AliceBob x f k (x)—commitment to x Given a signature algorithm σ(S), where |S| is fixed, we can sign any message σ(f k (M)).

Good news: CRF can be built Based on number-theoretic assumptions: Factoring: f(x)=( 3F 16 ||x) 2 mod N. Discrete log: f(x||y)=g x h y. Claw-free permutations Hard to find f(x)=g(y)

Bad news: practical CRF hard to construct MD4—broken MD5—a serious weakness found Flaw in the original SHA

Useful alternative: UOWHFs AttackerChallenger k  K- random y f k (x)=f k (y) Family of functions f K :D  R Hard to win this game: x

WUFs good for Signature schemes Given an existentially secure signature algorithm σ(S), where |S| is fixed, we can sign any message with k,σ(k,f k (M)), where k is chosen at random. Reason: It is hard to find f k (M 1 )=f k (M) for a random k.

WUFs can be built from One-way functions One-way permutation Collision-resistant functions

Oracle separation Simon’98: There is an oracle relative to which one-way permutations exist but not CRFs. Interpretation: No “black box” construction of a CRF based on a WUF. Conclusion: A CRF is a strictly stronger primitive than a WUF.

A family of CRFs (WUFs) We want to make one, concrete assumption, for instance: It is infeasible to find a collision (second preimage) in SHA-1. Then derive a family of functions that take inputs of different lengths and hash it to a fixed length output.

Good news: CRFs families are easy to construct Merkle-Damgård construction: M0M0 IV HkHk HkHk M1M1 HkHk M2M2 HkHk M3M3 output

Bad news: Not so easy for WUF families Merkle-Damgård construction fails on WUFs. (we cannot plug in a weaker primitive in the construction) due to M. Bellare and P. Rogaway’97.

Shoup construction M 0,M 1,…,M L —masks (tags). x0x0 IV HkHk HkHk x1x1 HkHk x2x2 HkHk x3x3 HkHk x4x4 HkHk x5x5   M0M0 M1M1  M0M0  M2M2  M0M0  M1M1

Example RSA signature (H is a CRF): S=H(M) e mod N. If we use a WUF (SHA-1, Shoup scheme): S=K || (h K´ (K)||h K (M)) e mod N. CRFWUF |M|=1Kb|S|=1Kb|S|=1.81Kb 1Mb 1Kb 3.22Kb 1Gb 1Kb 4.87Kb

Difficult choice: CRFs Theoretically and practically harder to construct Have efficient composition scheme WUFs Easier to construct Don’t have efficient composition scheme

Continuum of functions Commit to some bits of x: AttackerChallenger k  K- random x0x0 x0x0 x1,yx1,y x1x1 y1y1 f k (x 1,x 0 )=f k (y)

Class H(n  m;l) |y|=|x 0 |+|x 1 |=n |x 1 |=l — flexibility Output of f has length m. AttackerChallenger k  K- random x1,yx1,y f k (x 1,x 0 )=f k (y) x0x0 x0x0 x1x1 y1y1

H(n  m;0) and H(n  m;n) have names H(n  m;0) is a WUF AttackerChallenger k  K- random y,x 1 =λ f k (x)=f k (y) x 0 =x

H(n  m;0) and H(n  m;n) have names H(n  m;n) is a CRF AttackerChallenger k  K- random y,x 1 =x f k (x)=f k (y) x0=λx0=λ

Merkle-Damgård construction Works (with a minor modification) for H(n  m;m) M1M1 M0M0 HkHk HkHk M2M2 HkHk M3M3 HkHk M4M4 output

Jump somewhere? CRFs and WUFs can be separated. Where? H(n  m;0)  H(n  m;1)…  H(n  m;n)

Separation H(n  m;0)…H(n  m;m+O(log m)) — one class of theoretic-complexity equivalence H(n  m;m+m c )…H(n  m;n) — another class The gap does not exist if there are “ideally secure” WUFs.

Another approach Can the Shoup construction be improved? x0x0 IV HkHk HkHk x1x1 HkHk x2x2 HkHk x3x3 HkHk x4x4 HkHk x5x5   M ν(0) M ν(1)  M ν(2)  M ν(3)  M ν(4)  M ν(5)

Function is optimal The function ν(k)=highest power of 2 dividing k is optimal. Constructive proof + counting argument

Open question How short can a key of a family of WUFs be? Conjecture: key length must be Ω(log m) Reason: It can’t be a coincidence!