Presentation is loading. Please wait.

Presentation is loading. Please wait.

VSH, an efficient and provable collision resistant hash function

Published byClement Willis Modified over 6 years ago

Similar presentations

Presentation on theme: "VSH, an efficient and provable collision resistant hash function"— Presentation transcript:

1 VSH, an efficient and provable collision resistant hash function
Scott Contini1, Arjen K. Lenstra2, Ron Steinfeld1 1 Macquarie University 2 Lucent Technologies Bell Laboratories, Technical Univ. Eindhoven

2 As usual in crypto, we cheat
Efficient means: much faster than previous provable hashes (preliminary result: 25  slower than SHA-1) Provable means: finding collisions provably reducible to NMSRVS: ‘non-trivial modular squareroot of very smooth number’ (factoring experience: NMSRVS looks very hard)

3 Previous factoring based hash
Hard to factor composite n Bit b: fx (b) = xb (1 if bit is off, x if bit is on) Bitstring B, bit b: H2(B||b) = (H2(B)2  f2(b) ) mod n  message m: H2(m) = 2m mod n Slow: a squaring modulo n per message-bit H2-collision reveals information about (n) Hx (x > 2) same security as H2 (and marginally slower)

4 Speeding it up? Goal: a modular squaring per k message-bits
for a blocklength k substantially larger than 1 Easy to achieve (with p(i) the ith prime): Use Hp(1) for first bit, (k+1)th bit, (2k+1)th bit, … Use Hp(2) for second bit, (k+2)nd bit, (2k+2)nd bit, … Use Hp(k) for kth bit, 2kth bit, 3kth bit, … Multiply results: VSH = H2  H3  …  Hp(k) Very Smooth Hash: product of k known hashes (this is not the way VSH was constructed)

5 Why Faster? As in multi-exponentiation: share the squarings
Let b be a k-bit string, b = b(1)||b(2)||…||b(k), then: f(b) = p(1)b(1)  p(2)b(2)  …  p(k)b(k) with k (130) such that 1ik p(i) < n (1024 bit) Bitstring B of length multiple of k: VSH(B||b) = (VSH(B)2  f(b) ) mod n Cost per k message-bits: computation of f(b), plus one modular squaring and multiplication  VSH about k/3 times faster than H2

6 Security? Need p(k+1) & length before first block
Collision does not reveal (n), but non-trivial modular sqrt of very smooth number (NMSRVS): x2  1ik+1 p(i)e(i) mod n (‘relation’ in factoring, with much larger k) k + t + 1 collisions lead to: t independent 50% chances to factor n Owner of factorization can create collisions (that reveal the factorization)

7 Conclusion VSH: Very Smooth Hash,
O(1) modular multiplies per logn message-bits Easy invertibility for short messages can be fixed k = O((logn)c), asymptotically: if collisions can be found faster than factoring, then collision finder can be turned into faster factoring algorithm 1024-bit RSA security: >1MB/sec on 1GHz PIII Spin-offs: prov sec random trapdoor hash, etc. See eprint.iacr.org/2005/193

Download ppt "VSH, an efficient and provable collision resistant hash function"

Similar presentations

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.

The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.

 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
Dan Boneh Intro. Number Theory Intractable problems Online Cryptography Course Dan Boneh.

Dan Boneh Intro. Number Theory Intractable problems Online Cryptography Course Dan Boneh.
XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing 02.12.2011 | TU Darmstadt |

XMSS - A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions J. Buchmann, E. Dahmen, A. Hülsing | TU Darmstadt |
Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.

Lecture 15 Lecture’s outline Public algorithms (usually) that are each other’s inverse.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptographic hash functions from expander graphs Denis Charles, Microsoft Research Eyal Goren, McGill University Kristin Lauter, Microsoft Research ECC.

Cryptographic hash functions from expander graphs Denis Charles, Microsoft Research Eyal Goren, McGill University Kristin Lauter, Microsoft Research ECC.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.

Hashing Algorithms: Basic Concepts and SHA-2 CSCI 5857: Encoding and Encryption.
CS461/ECE422 Spring 2012 Nikita Borisov — UIUC1.  Text Chapters 2 and 21  Handbook of Applied Cryptography, Chapter 8 

CS461/ECE422 Spring 2012 Nikita Borisov — UIUC1.  Text Chapters 2 and 21  Handbook of Applied Cryptography, Chapter 8 

Similar presentations

Ads by Google