Presentation is loading. Please wait.

Presentation is loading. Please wait.

VSH, an efficient and provable collision resistant hash function Scott Contini 1, Arjen K. Lenstra 2, Ron Steinfeld 1 1 Macquarie University 2 Lucent Technologies.

Published byClyde Fields Modified over 9 years ago

Similar presentations

Presentation on theme: "VSH, an efficient and provable collision resistant hash function Scott Contini 1, Arjen K. Lenstra 2, Ron Steinfeld 1 1 Macquarie University 2 Lucent Technologies."— Presentation transcript:

1 VSH, an efficient and provable collision resistant hash function Scott Contini 1, Arjen K. Lenstra 2, Ron Steinfeld 1 1 Macquarie University 2 Lucent Technologies Bell Laboratories, Technical Univ. Eindhoven

2 As usual in crypto, we cheat Efficient means: much faster than previous provable hashes (preliminary result: 25  slower than SHA-1) Provable means: finding collisions provably reducible to NMSRVS: ‘non-trivial modular squareroot of very smooth number’ (factoring experience: NMSRVS looks very hard)

3 Previous factoring based hash Hard to factor composite n Bit b: f x (b) = x b (1 if bit is off, x if bit is on) Bitstring B, bit b: H 2 (B||b) = (H 2 (B) 2  f 2 (b) ) mod n  message m: H 2 (m) = 2 m mod n Slow: a squaring modulo n per message-bit H 2 -collision reveals information about  (n) H x (x > 2) same security as H 2 ( and marginally slower )

4 Speeding it up? Goal: a modular squaring per k message-bits for a blocklength k substantially larger than 1 Easy to achieve (with p(i) the i th prime): –Use H p(1) for first bit, (k+1) th bit, (2k+1) th bit, … –Use H p(2) for second bit, (k+2) nd bit, (2k+2) nd bit, … –… –Use H p(k) for k th bit, 2k th bit, 3k th bit, … –Multiply results: VSH = H 2  H 3  …  H p(k) Very Smooth Hash: product of k known hashes (this is not the way VSH was constructed)

5 Why Faster? As in multi-exponentiation: share the squarings Let b be a k-bit string, b = b(1)||b(2)||…||b(k), then: f(b) = p(1) b(1)  p(2) b(2)  …  p(k) b(k) with k (  130) such that  1  i  k p(i) < n (1024 bit) Bitstring B of length multiple of k: VSH(B||b) = (VSH(B) 2  f(b) ) mod n Cost per k message-bits: computation of f(b), plus one modular squaring and multiplication  VSH about k/3 times faster than H 2

6 Security? Need p(k+1) & length before first block Collision does not reveal  (n), but non-trivial modular sqrt of very smooth number (NMSRVS): x 2   1  i  k+1 p(i) e(i) mod n (‘relation’ in factoring, with much larger k) k + t + 1 collisions lead to: t independent 50% chances to factor n Owner of factorization can create collisions (that reveal the factorization)

7 Conclusion VSH: Very Smooth Hash, O(1) modular multiplies per logn message-bits Easy invertibility for short messages can be fixed k = O((logn) c ), asymptotically: if collisions can be found faster than factoring, then collision finder can be turned into faster factoring algorithm 1024-bit RSA security: >1MB/sec on 1GHz PIII Spin-offs: prov sec random trapdoor hash, etc. See eprint.iacr.org/2005/193

Download ppt "VSH, an efficient and provable collision resistant hash function Scott Contini 1, Arjen K. Lenstra 2, Ron Steinfeld 1 1 Macquarie University 2 Lucent Technologies."

Similar presentations

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.

Hard and easy components of collision search in the Zémor- Tillich hash function: New attacks and reduced variants with equivalent security Christophe.
The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.

The XTR public key system (extended version of Crypto 2000 presentation) Arjen K. Lenstra Citibank, New York Technical University Eindhoven Eric R. Verheul.
 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.

 Stream ciphers o Encrypt chars/bits one at a time o Assume XOR w the key, need long key to be secure  Keystream generators (pseudo-random key) o Synchronous.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.

Abdullah Sheneamer CS591-F2010 Project of semester Presentation University of Colorado, Colorado Springs Dr. Edward RSA Problem and Inside PK Cryptography.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.

Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: 361-396 Authors: D. Pointcheval and J. Stern Presented.

Security Arguments for Digital Signatures and Blind Signatures Journal of Cryptology, (2000) 13: Authors: D. Pointcheval and J. Stern Presented.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

Similar presentations

Ads by Google