Hash function based on the SIS problem


  1. Hash function based on the SIS problem. HEBANT Chloé, University of Limoges, Summer 2016.

  2. Introduction (outline)
       1 Hash function
       2 One-way collision-resistant Ajtai function
       3 SIS problem
           Some observations about the SIS problem
       4 Hardness proof
       5 Hash function construction
           Merkle-Damgård construction
           HAIFA construction

  3. Hash function
     Start with a function f that has the properties:
       - one-way
       - collision-resistant
       - compression
     Iterate f while trying to maintain:
       - pre-image resistance
       - second pre-image resistance
       - collision resistance

  4. Hash function: Definition
       - Pre-image resistance: given $y = H(x)$, it is hard to find $x'$ such that $H(x') = y$.
       - Second pre-image resistance: given $x$, it is hard to find $x'$ such that $H(x) = H(x')$.
       - Collision resistance: it is hard to find $x, x'$ such that $H(x) = H(x')$.

  5. One-way collision-resistant Ajtai function

  6. One-way collision-resistant Ajtai function
     Let $A \in \mathbb{Z}_q^{n \times m}$ be a matrix, and let
     $$f_A : \{0, \pm 1\}^m \to \mathbb{Z}_q^n, \qquad z \mapsto Az.$$
     Theorem: $f_A$ is a compression function if $m \geq n \log q$.

  7. SIS problem


  10. SIS problem: Definition
      Definition (SIS problem): Given $m$ uniformly random vectors $a_i \in \mathbb{Z}_q^n$, find $z \neq 0 \in \{0, \pm 1\}^m$ such that
      $$f_A(z) := Az = \sum_i a_i \cdot z_i = 0 \in \mathbb{Z}_q^n.$$
      Theorem: Assuming the hardness of the SIS problem, $f_A$ is one-way and collision-resistant.
      Remark: Thanks to Ajtai and his hardness proof, all of Minicrypt can be constructed from the SIS problem.


  12. SIS problem: Some observations about the SIS problem
      Definition (General SIS problem): Given $m$ uniformly random vectors $a_i \in \mathbb{Z}_q^n$, find $z \neq 0 \in \mathbb{Z}^m$ of norm $\|z\| \leq \beta$ such that
      $$f_A(z) := Az = \sum_i a_i \cdot z_i = 0 \in \mathbb{Z}_q^n.$$
      Remark:
        - Without the constraint on $\|z\|$, it is easy to find a solution: Gaussian elimination.
        - Must take $\beta < q$: otherwise $z = (q, 0, \dots, 0) \in \mathbb{Z}^m$ is a trivial solution.

  13. SIS problem: Some observations about the SIS problem: Hermite normal form
      Small but important optimization:
        - Decompose $A = [A_1 \mid A_2]$ where $A_1 \in \mathbb{Z}_q^{n \times n}$ is invertible as a matrix over $\mathbb{Z}_q$.
        - Let $B = A_1^{-1} \cdot A = [I_n \mid \bar{A}]$ where $\bar{A} = A_1^{-1} \cdot A_2$.
      Theorem: $A$ and $B$ have exactly the same set of (short) SIS solutions.
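The Ajtai function, the $\beta < q$ remark and the Hermite normal form theorem can be checked on a toy instance. This is an added example, not part of the original slides: the parameters (q = 5, n = 2, m = 6), the matrix A and all function names are constructed for illustration and are far too small to be secure. It goes slightly beyond the slides by showing how a collision on inputs from {0,1}^m yields a SIS solution in {0,±1}^m.

```python
from itertools import product

Q, N, M = 5, 2, 6              # constructed toy sizes: 2^m = 64 inputs > q^n = 25 outputs
A = [[1, 2, 3, 4, 0, 1],       # constructed matrix in Z_q^{n x m}
     [2, 0, 1, 3, 4, 2]]

def f(A, z, q=Q):
    """Ajtai function f_A(z) = A z mod q."""
    return tuple(sum(a * x for a, x in zip(row, z)) % q for row in A)

def find_collision(A, m=M):
    """Pigeonhole search over {0,1}^m (feasible only because the instance is tiny)."""
    seen = {}
    for z in product((0, 1), repeat=m):
        h = f(A, z)
        if h in seen:
            return seen[h], z
        seen[h] = z
    return None

def difference(z1, z2):
    """A z1 = A z2 with z1 != z2 gives z = z1 - z2 in {0,+-1}^m, z != 0, A z = 0."""
    return tuple(a - b for a, b in zip(z1, z2))

def is_sis_solution(A, z, beta, q=Q):
    """General SIS check: z != 0, ||z||_2 <= beta, A z = 0 mod q."""
    short = sum(x * x for x in z) <= beta * beta
    return any(z) and short and f(A, z, q) == (0,) * len(A)

def hermite_form(A, q=Q):
    """B = A1^{-1} A = [I_n | A1^{-1} A2], written for n = 2 via the adjugate of A1."""
    (a, b), (c, d) = A[0][:2], A[1][:2]
    det_inv = pow((a * d - b * c) % q, -1, q)   # ValueError if A1 is not invertible mod q
    inv = [[d * det_inv % q, -b * det_inv % q],
           [-c * det_inv % q, a * det_inv % q]]
    return [[sum(inv[i][k] * A[k][j] for k in range(2)) % q
             for j in range(len(A[0]))] for i in range(2)]

if __name__ == "__main__":
    z1, z2 = find_collision(A)
    z = difference(z1, z2)
    print("collision:", z1, z2, "-> SIS solution", z)
    print("same solution for B:", is_sis_solution(hermite_form(A), z, beta=3))
    print("beta >= q admits (q,0,...,0):", is_sis_solution(A, (Q, 0, 0, 0, 0, 0), beta=Q))
```
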

  14. Hardness proof

  15. Hardness proof
      Reduction: average-case → worst-case
      [Figure: lattice points $p_1, \dots, p_4$ and perturbed points $g_1, \dots, g_4$]
      $p_i \in L$
      $g_i = p_i + e_i \in \mathbb{R}^n$ where $e_i \sim D_s(x) = \left(\frac{1}{s}\right)^n e^{-\pi \|x\|^2 / s^2}$

  16. Hash function construction


  18. Hash function construction: Merkle-Damgård construction
      Definition: Method of building collision-resistant cryptographic hash functions from collision-resistant one-way
      [Diagram: chain IV → f → f → f → H(m) with message blocks $m_1, m_2, \dots, m_n$]
      Theorem (Security proof): Collision in H ⇒ collision in f
      Remark: This is used for MD5, SHA1, SHA2.


  20. Hash function construction: Merkle-Damgård construction: Several undesirable properties
      Length extension:
        - Given $H(x)$ of an unknown input $x$, it is easy to find the value of $H(\mathrm{pad}(x) \,\|\, y)$
        - ⇒ it is possible to find hashes of inputs related to $x$ even though $x$ remains unknown
      Second pre-image:
        - Hyp: the security proof also applies to second pre-image attacks
        - But: this is not true for long messages

  21. Hash function construction: Merkle-Damgård construction: Several undesirable properties (2)
      Fix-points: $h = f(h, M)$
      Multicollisions: many messages with the same hash
        - 2004 (Joux): When iterative hash functions are used, finding multicollisions is almost as easy as finding a single collision.
      Remark: Joux also proved that the concatenation of hash functions is as secure against pre-image attacks as the strongest of all the hash functions.

  22. Hash function construction: HAIFA construction
      HAIFA has attractive properties:
        - simplicity
        - maintaining the collision resistance of the compression function
        - increasing the security against second pre-image attacks
        - prevention of easy-to-use fix-points of the compression function

  23. Hash function construction: HAIFA construction
      [Diagram: chain $IV_m$ → f → f → f → H(M) with message blocks $M_1, M_2, \dots, M_n$; each f also takes # bits and salt]
      # bits = the number of bits hashed so far
      $IV_m = f(IV, m, 0, 0)$ where $m$ is the hash output size
      Padding scheme: pad a single 1 bit and as many 0 bits as needed to reach the right size.
      Final length of:
        - M: congruent to $(n - (t + r)) \bmod n$
        - length of M: $t$
        - m: $r$


  25. Hash function construction: HAIFA construction: HAIFA vs Merkle-Damgård
      # bits: prevents the easy exploitation of fix-points
        - Even if an attacker finds a fix-point $h = f(h, M, \#\text{bits}, \text{salt})$, he cannot concatenate it to itself because # bits has changed.
      salt:
        - all attacks are on-line → no precomputation
        - increasing the security of digital signature
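The fix-point behaviour listed for Merkle-Damgård and the effect of HAIFA's # bits input, as an added example that is not part of the original slides. Assumptions: the compression function is Davies-Meyer over a toy Feistel cipher (hypothetical helpers `encrypt`/`decrypt`, round function built from SHA-256), chosen because its fix-points can be computed directly, and only the chaining values are modelled (no padding, no $IV_m$).

```python
import hashlib

BLOCK = 8  # toy size in bytes for message blocks and chaining values

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _F(key, i, half):
    # Feistel round function (assumption: SHA-256 truncated to half a block)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _F(key, i, r))
    return l + r

def decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _F(key, i, l)), l
    return l + r

def f_md(h, m):
    """Davies-Meyer compression: f(h, M) = E_M(h) xor h."""
    return _xor(encrypt(m, h), h)

def f_haifa(h, m, nbits, salt):
    """Same core, but # bits and salt are inputs: f(h, M, # bits, salt)."""
    return _xor(encrypt(m + nbits.to_bytes(8, "big") + salt, h), h)

def md_chain(h, blocks):
    for m in blocks:
        h = f_md(h, m)
    return h

def haifa_chain(h, blocks, salt, nbits=0):
    for m in blocks:
        nbits += 8 * len(m)              # number of bits hashed so far
        h = f_haifa(h, m, nbits, salt)
    return h

def fixpoint_md(m):
    """h with E_M(h) = 0, hence f(h, M) = h for every repetition of M."""
    return decrypt(m, bytes(BLOCK))

def fixpoint_haifa(m, nbits, salt):
    """Fix-point of f(., M, # bits, salt) for this one value of # bits only."""
    return decrypt(m + nbits.to_bytes(8, "big") + salt, bytes(BLOCK))
```

In the plain chain the block `M` can be repeated any number of times without changing the chaining value; in the HAIFA-style chain the fix-point holds for a single counter value and is lost at the next block.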
