Hash Functions Hash Functions Lecture 10 Hash Functions Lecture - - PowerPoint PPT Presentation

hash functions hash functions
SMART_READER_LITE
LIVE PREVIEW

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture - - PowerPoint PPT Presentation

Jan 05, 2023 384 likes •1.69k views

Hash Functions Hash Functions Lecture 10 Hash Functions Lecture 10 Before we talk about digital signatures... A Tale of Two Boxes A Tale of Two Boxes Much of today s applied cryptography works with two magic boxes A Tale of Two Boxes

slide-1
SLIDE 1

Hash Functions

slide-2
SLIDE 2

Hash Functions

Lecture 10

slide-3
SLIDE 3

Hash Functions

Lecture 10 Before we talk about digital signatures...

slide-4
SLIDE 4

A Tale of Two Boxes

slide-5
SLIDE 5

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes

slide-6
SLIDE 6

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers

slide-7
SLIDE 7

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers

slide-8
SLIDE 8

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions

slide-9
SLIDE 9

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions Block Ciphers: Best modeled as (strong) Pseudorandom Permutations, with inversion trapdoors

slide-10
SLIDE 10

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions Block Ciphers: Best modeled as (strong) Pseudorandom Permutations, with inversion trapdoors Often more than needed (e.g. SKE needs only PRF)

slide-11
SLIDE 11

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions Block Ciphers: Best modeled as (strong) Pseudorandom Permutations, with inversion trapdoors Often more than needed (e.g. SKE needs only PRF) Hash Functions:

slide-12
SLIDE 12

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions Block Ciphers: Best modeled as (strong) Pseudorandom Permutations, with inversion trapdoors Often more than needed (e.g. SKE needs only PRF) Hash Functions: Some times modeled as Random Oracles!

slide-13
SLIDE 13

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions Block Ciphers: Best modeled as (strong) Pseudorandom Permutations, with inversion trapdoors Often more than needed (e.g. SKE needs only PRF) Hash Functions: Some times modeled as Random Oracles! Schemes relying on this can often be broken

slide-14
SLIDE 14

A Tale of Two Boxes

Much of today’ s applied cryptography works with two magic boxes Block Ciphers Hash Functions Block Ciphers: Best modeled as (strong) Pseudorandom Permutations, with inversion trapdoors Often more than needed (e.g. SKE needs only PRF) Hash Functions: Some times modeled as Random Oracles! Schemes relying on this can often be broken Today: understanding security requirements on hash functions

slide-15
SLIDE 15

Hash Functions

slide-16
SLIDE 16

Hash Functions

“Randomized” mapping of inputs to shorter hash-values

slide-17
SLIDE 17

Hash Functions

“Randomized” mapping of inputs to shorter hash-values Hash functions are useful in various places In data-structures: for efficiency Intuition: hashing removes worst-case effects

slide-18
SLIDE 18

Hash Functions

“Randomized” mapping of inputs to shorter hash-values Hash functions are useful in various places In data-structures: for efficiency Intuition: hashing removes worst-case effects In cryptography: for “integrity”

slide-19
SLIDE 19

Hash Functions

“Randomized” mapping of inputs to shorter hash-values Hash functions are useful in various places In data-structures: for efficiency Intuition: hashing removes worst-case effects In cryptography: for “integrity” Primary use: Domain extension (compress long inputs, and feed them into boxes that can take only short inputs)

slide-20
SLIDE 20

Hash Functions

“Randomized” mapping of inputs to shorter hash-values Hash functions are useful in various places In data-structures: for efficiency Intuition: hashing removes worst-case effects In cryptography: for “integrity” Primary use: Domain extension (compress long inputs, and feed them into boxes that can take only short inputs) Typical security requirement: “collision resistance”

slide-21
SLIDE 21

Hash Functions

“Randomized” mapping of inputs to shorter hash-values Hash functions are useful in various places In data-structures: for efficiency Intuition: hashing removes worst-case effects In cryptography: for “integrity” Primary use: Domain extension (compress long inputs, and feed them into boxes that can take only short inputs) Typical security requirement: “collision resistance” Also sometimes: some kind of unpredictability

slide-22
SLIDE 22

Hash Function Family

slide-23
SLIDE 23

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k)

slide-24
SLIDE 24

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses

slide-25
SLIDE 25

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses

x 000 001 010 011 100 101 110 111 h1(x) 1 1 1 1

slide-26
SLIDE 26

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses A family

x 000 001 010 011 100 101 110 111 h1(x) 1 1 1 1 h2(x) 1 1 1 1 h3(x) 1 1 1 1 h4(x) 1 1 1 1 1 ... hN(x) 1 1 1 1 1 1 1 1

slide-27
SLIDE 27

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses A family Alternately, takes two inputs, the index of the member of the family, and the real input

x 000 001 010 011 100 101 110 111 h1(x) 1 1 1 1 h2(x) 1 1 1 1 h3(x) 1 1 1 1 h4(x) 1 1 1 1 1 ... hN(x) 1 1 1 1 1 1 1 1

slide-28
SLIDE 28

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses A family Alternately, takes two inputs, the index of the member of the family, and the real input Efficient sampling and evaluation

x 000 001 010 011 100 101 110 111 h1(x) 1 1 1 1 h2(x) 1 1 1 1 h3(x) 1 1 1 1 h4(x) 1 1 1 1 1 ... hN(x) 1 1 1 1 1 1 1 1

slide-29
SLIDE 29

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses A family Alternately, takes two inputs, the index of the member of the family, and the real input Efficient sampling and evaluation Idea: when the hash function is randomly chosen, “behaves randomly”

x 000 001 010 011 100 101 110 111 h1(x) 1 1 1 1 h2(x) 1 1 1 1 h3(x) 1 1 1 1 h4(x) 1 1 1 1 1 ... hN(x) 1 1 1 1 1 1 1 1

slide-30
SLIDE 30

Hash Function Family

Hash function h:{0,1}k→{0,1}t(k) Compresses A family Alternately, takes two inputs, the index of the member of the family, and the real input Efficient sampling and evaluation Idea: when the hash function is randomly chosen, “behaves randomly” Main goal: to “avoid collisions”. Will see several variants of the problem

x 000 001 010 011 100 101 110 111 h1(x) 1 1 1 1 h2(x) 1 1 1 1 h3(x) 1 1 1 1 h4(x) 1 1 1 1 1 ... hN(x) 1 1 1 1 1 1 1 1

slide-31
SLIDE 31

Hash Functions in Crypto Practice

slide-32
SLIDE 32

Hash Functions in Crypto Practice

A single fixed function

slide-33
SLIDE 33

Hash Functions in Crypto Practice

A single fixed function e.g. SHA-3, SHA-256, SHA-1, MD5, MD4

slide-34
SLIDE 34

Hash Functions in Crypto Practice

A single fixed function e.g. SHA-3, SHA-256, SHA-1, MD5, MD4 Not a family (“unkeyed”)

slide-35
SLIDE 35

Hash Functions in Crypto Practice

A single fixed function e.g. SHA-3, SHA-256, SHA-1, MD5, MD4 Not a family (“unkeyed”) (And no security parameter knob)

slide-36
SLIDE 36

Hash Functions in Crypto Practice

A single fixed function e.g. SHA-3, SHA-256, SHA-1, MD5, MD4 Not a family (“unkeyed”) (And no security parameter knob) Not collision-resistant under any of the following definitions

slide-37
SLIDE 37

Hash Functions in Crypto Practice

A single fixed function e.g. SHA-3, SHA-256, SHA-1, MD5, MD4 Not a family (“unkeyed”) (And no security parameter knob) Not collision-resistant under any of the following definitions Alternately, could be considered as have already been randomly chosen from a family (and security parameter fixed too)

slide-38
SLIDE 38

Hash Functions in Crypto Practice

A single fixed function e.g. SHA-3, SHA-256, SHA-1, MD5, MD4 Not a family (“unkeyed”) (And no security parameter knob) Not collision-resistant under any of the following definitions Alternately, could be considered as have already been randomly chosen from a family (and security parameter fixed too) Usually involves hand-picked values (e.g. “I.V . ” or “round constants”) built into the standard

slide-39
SLIDE 39

Degrees of Collision-Resistance

slide-40
SLIDE 40

Degrees of Collision-Resistance

If for all PPT A, Pr[x≠y and h(x)=h(y)] is negligible in the following experiment:

slide-41
SLIDE 41

Degrees of Collision-Resistance

If for all PPT A, Pr[x≠y and h(x)=h(y)] is negligible in the following experiment: A→(x,y); h←H : Combinatorial Hash Functions (even non-PPT A)

slide-42
SLIDE 42

Degrees of Collision-Resistance

If for all PPT A, Pr[x≠y and h(x)=h(y)] is negligible in the following experiment: A→(x,y); h←H : Combinatorial Hash Functions (even non-PPT A) A→x; h←H; A(h)→y : Universal One-Way Hash Functions

slide-43
SLIDE 43

Degrees of Collision-Resistance

If for all PPT A, Pr[x≠y and h(x)=h(y)] is negligible in the following experiment: A→(x,y); h←H : Combinatorial Hash Functions (even non-PPT A) A→x; h←H; A(h)→y : Universal One-Way Hash Functions h←H; A(h)→(x,y) : Collision-Resistant Hash Functions

slide-44
SLIDE 44

Degrees of Collision-Resistance

If for all PPT A, Pr[x≠y and h(x)=h(y)] is negligible in the following experiment: A→(x,y); h←H : Combinatorial Hash Functions (even non-PPT A) A→x; h←H; A(h)→y : Universal One-Way Hash Functions h←H; A(h)→(x,y) : Collision-Resistant Hash Functions Also useful sometimes: A gets only oracle access to h(.) (weak). Or, A gets any coins used for sampling h (strong).

slide-45
SLIDE 45

Degrees of Collision-Resistance

If for all PPT A, Pr[x≠y and h(x)=h(y)] is negligible in the following experiment: A→(x,y); h←H : Combinatorial Hash Functions (even non-PPT A) A→x; h←H; A(h)→y : Universal One-Way Hash Functions h←H; A(h)→(x,y) : Collision-Resistant Hash Functions Also useful sometimes: A gets only oracle access to h(.) (weak). Or, A gets any coins used for sampling h (strong). CRHF the strongest; UOWHF still powerful (will be enough for digital signatures)

slide-46
SLIDE 46

Degrees of Collision-Resistance

slide-47
SLIDE 47

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random)

slide-48
SLIDE 48

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed)

slide-49
SLIDE 49

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p

slide-50
SLIDE 50

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p i.e., f(h,x) := (h,h(x)) is a OWF (and h compresses)

slide-51
SLIDE 51

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p i.e., f(h,x) := (h,h(x)) is a OWF (and h compresses)

A.k.a One-Way Hash Function

slide-52
SLIDE 52

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p i.e., f(h,x) := (h,h(x)) is a OWF (and h compresses) h←H; x←X; A(h,x)→y (y≠x)

A.k.a One-Way Hash Function

slide-53
SLIDE 53

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p i.e., f(h,x) := (h,h(x)) is a OWF (and h compresses) h←H; x←X; A(h,x)→y (y≠x) Second Pre-image collision resistance if h(x)=h(y) w.n.p

A.k.a One-Way Hash Function

slide-54
SLIDE 54

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p i.e., f(h,x) := (h,h(x)) is a OWF (and h compresses) h←H; x←X; A(h,x)→y (y≠x) Second Pre-image collision resistance if h(x)=h(y) w.n.p Incomparable (neither implies the other) [Exercise]

A.k.a One-Way Hash Function

slide-55
SLIDE 55

Degrees of Collision-Resistance

Weaker variants of CRHF/UOWHF (where x is random) h←H; x←X; A(h,h(x))→y (y=x allowed) Pre-image collision resistance if h(x)=h(y) w.n.p i.e., f(h,x) := (h,h(x)) is a OWF (and h compresses) h←H; x←X; A(h,x)→y (y≠x) Second Pre-image collision resistance if h(x)=h(y) w.n.p Incomparable (neither implies the other) [Exercise] CRHF implies second pre-image collision resistance and, if compressing, then pre-image collision resistance [Exercise]

A.k.a One-Way Hash Function

slide-56
SLIDE 56

Hash Length

slide-57
SLIDE 57

Hash Length

If range of the hash function is too small, not collision-resistant

slide-58
SLIDE 58

Hash Length

If range of the hash function is too small, not collision-resistant If range poly-size (i.e. hash log-long), then non-negligible probability that two random x, y provide collision

slide-59
SLIDE 59

Hash Length

If range of the hash function is too small, not collision-resistant If range poly-size (i.e. hash log-long), then non-negligible probability that two random x, y provide collision In practice interested in minimizing the hash length (for efficiency)

slide-60
SLIDE 60

Hash Length

If range of the hash function is too small, not collision-resistant If range poly-size (i.e. hash log-long), then non-negligible probability that two random x, y provide collision In practice interested in minimizing the hash length (for efficiency) Generic collision-finding attack: birthday attack

slide-61
SLIDE 61

Hash Length

If range of the hash function is too small, not collision-resistant If range poly-size (i.e. hash log-long), then non-negligible probability that two random x, y provide collision In practice interested in minimizing the hash length (for efficiency) Generic collision-finding attack: birthday attack Look for a collision in a set of random hashes (needs only

  • racle access to the hash function)
slide-62
SLIDE 62

Hash Length

If range of the hash function is too small, not collision-resistant If range poly-size (i.e. hash log-long), then non-negligible probability that two random x, y provide collision In practice interested in minimizing the hash length (for efficiency) Generic collision-finding attack: birthday attack Look for a collision in a set of random hashes (needs only

  • racle access to the hash function)

Expected size of the set before collision: O(√|range|)

slide-63
SLIDE 63

Hash Length

If range of the hash function is too small, not collision-resistant If range poly-size (i.e. hash log-long), then non-negligible probability that two random x, y provide collision In practice interested in minimizing the hash length (for efficiency) Generic collision-finding attack: birthday attack Look for a collision in a set of random hashes (needs only

  • racle access to the hash function)

Expected size of the set before collision: O(√|range|) Birthday attack effectively halves the hash length (say security parameter) over “naïve attack”

slide-64
SLIDE 64

Universal Hashing

slide-65
SLIDE 65

Universal Hashing

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p

slide-66
SLIDE 66

Universal Hashing

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions

slide-67
SLIDE 67

Universal Hashing

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent”

slide-68
SLIDE 68

Universal Hashing

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z)

slide-69
SLIDE 69

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z)

slide-70
SLIDE 70

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2

slide-71
SLIDE 71

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

slide-72
SLIDE 72

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-73
SLIDE 73

Universal Hashing

k-Universal:

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-74
SLIDE 74

Universal Hashing

k-Universal: ∀x1..xk (distinct), z1..zk, Prh←H [∀i h(xi)=zi ] = 1/|Z|k

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-75
SLIDE 75

Universal Hashing

k-Universal: ∀x1..xk (distinct), z1..zk, Prh←H [∀i h(xi)=zi ] = 1/|Z|k Inefficient example: H set of all functions from X to Z

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-76
SLIDE 76

Universal Hashing

k-Universal: ∀x1..xk (distinct), z1..zk, Prh←H [∀i h(xi)=zi ] = 1/|Z|k Inefficient example: H set of all functions from X to Z But we will need all h∈H to be succinctly described and efficiently evaluable

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-77
SLIDE 77

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-78
SLIDE 78

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. ha,b(x) = ax+b (in a finite field, X=Z)

slide-79
SLIDE 79

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. ha,b(x) = ax+b (in a finite field, X=Z) Pra,b [ ax+b = z ] = Pra,b [ b = z-ax ] = 1/|Z|

slide-80
SLIDE 80

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. ha,b(x) = ax+b (in a finite field, X=Z) Pra,b [ ax+b = z ] = Pra,b [ b = z-ax ] = 1/|Z| Pra,b [ ax+b = w, ay+b = z] = ? Exactly one (a,b) satisfying the two equations (for x≠y)

slide-81
SLIDE 81

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. ha,b(x) = ax+b (in a finite field, X=Z) Pra,b [ ax+b = z ] = Pra,b [ b = z-ax ] = 1/|Z| Pra,b [ ax+b = w, ay+b = z] = ? Exactly one (a,b) satisfying the two equations (for x≠y) Pra,b [ ax+b = w, ay+b = z] = 1/|Z|2

slide-82
SLIDE 82

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. ha,b(x) = ax+b (in a finite field, X=Z) Pra,b [ ax+b = z ] = Pra,b [ b = z-ax ] = 1/|Z| Pra,b [ ax+b = w, ay+b = z] = ? Exactly one (a,b) satisfying the two equations (for x≠y) Pra,b [ ax+b = w, ay+b = z] = 1/|Z|2 But does not compress!

slide-83
SLIDE 83

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

slide-84
SLIDE 84

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. h’h(x) = Chop(h(x)) where h from a
 (possibly non-compressing) 2-universal HF

slide-85
SLIDE 85

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. h’h(x) = Chop(h(x)) where h from a
 (possibly non-compressing) 2-universal HF Chop a t-to-1 map from Z to Z’ (e.g. removes last bit: 2-to-1)

slide-86
SLIDE 86

Universal Hashing

x h1(x) h2(x) h3(x) h4(x) 1 1 1 1 1 2 1 1

Combinatorial HF: A→(x,y); h←H. h(x)=h(y) w.n.p Even better: 2-Universal Hash Functions “Uniform” and “Pairwise-independent” ∀x,z Prh←H [ h(x)=z ] = 1/|Z| (where h:X→Z) ∀x≠y,w,z Prh←H [ h(x)=w, h(y)=z ] = 1/|Z|2 ⇒ ∀x≠y Prh←H [ h(x)=h(y) ] = 1/|Z|

Negligible collision-probability if super-polynomial-sized range

e.g. h’h(x) = Chop(h(x)) where h from a
 (possibly non-compressing) 2-universal HF Chop a t-to-1 map from Z to Z’ (e.g. removes last bit: 2-to-1) Prh [ Chop(h(x)) = w, Chop(h(y)) = z] 
 = Prh [ h(x) = w0 or w1, h(y) = z0 or z1] = 4/|Z|2 = 1/|Z’|2

slide-87
SLIDE 87

UOWHF

slide-88
SLIDE 88

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p

slide-89
SLIDE 89

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF

slide-90
SLIDE 90

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF

slide-91
SLIDE 91

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family

slide-92
SLIDE 92

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family s.t. h compresses by a bit (i.e., 2-to-1 maps), and

slide-93
SLIDE 93

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family s.t. h compresses by a bit (i.e., 2-to-1 maps), and for all z, z’, w, can solve for h s.t. h(z) = h(z’) = w

slide-94
SLIDE 94

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family s.t. h compresses by a bit (i.e., 2-to-1 maps), and for all z, z’, w, can solve for h s.t. h(z) = h(z’) = w Is a UOWHF [Why?]

slide-95
SLIDE 95

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family s.t. h compresses by a bit (i.e., 2-to-1 maps), and for all z, z’, w, can solve for h s.t. h(z) = h(z’) = w Is a UOWHF [Why?]

BreakOWP(z) { get x ← A; sample random w; give A h s.t. h(z)=h(f(x))=w; if A→y s.t. h(f(y))=w, output y; }

slide-96
SLIDE 96

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family s.t. h compresses by a bit (i.e., 2-to-1 maps), and for all z, z’, w, can solve for h s.t. h(z) = h(z’) = w Is a UOWHF [Why?] Gives a UOWHF that compresses by 1 bit (same as the UHF)

BreakOWP(z) { get x ← A; sample random w; give A h s.t. h(z)=h(f(x))=w; if A→y s.t. h(f(y))=w, output y; }

slide-97
SLIDE 97

UOWHF

Universal One-Way HF: A→x; h←H; A(h)→y. h(x)=h(y) w.n.p Can be constructed from OWF Much easier to see: OWP ⇒ UOWHF Fh(x) = h(f(x)), where f is a OWP and h from a UHF family s.t. h compresses by a bit (i.e., 2-to-1 maps), and for all z, z’, w, can solve for h s.t. h(z) = h(z’) = w Is a UOWHF [Why?] Gives a UOWHF that compresses by 1 bit (same as the UHF) Will see later, how to extend the domain to arbitrarily long strings (without increasing output size)

BreakOWP(z) { get x ← A; sample random w; give A h s.t. h(z)=h(f(x))=w; if A→y s.t. h(f(y))=w, output y; }

slide-98
SLIDE 98

CRHF

slide-99
SLIDE 99

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p

slide-100
SLIDE 100

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p Not known to be possible from OWF/OWP alone

slide-101
SLIDE 101

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p Not known to be possible from OWF/OWP alone “Impossibility” (blackbox-separation) known

slide-102
SLIDE 102

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p Not known to be possible from OWF/OWP alone “Impossibility” (blackbox-separation) known Possible from “claw-free pair of permutations”

slide-103
SLIDE 103

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p Not known to be possible from OWF/OWP alone “Impossibility” (blackbox-separation) known Possible from “claw-free pair of permutations” In turn from hardness of discrete-log, factoring, and from lattice-based assumptions

slide-104
SLIDE 104

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p Not known to be possible from OWF/OWP alone “Impossibility” (blackbox-separation) known Possible from “claw-free pair of permutations” In turn from hardness of discrete-log, factoring, and from lattice-based assumptions Also from “homomorphic one-way permutations”, and from homomorphic encryptions

slide-105
SLIDE 105

CRHF

Collision-Resistant HF: h←H; A(h)→(x,y). h(x)=h(y) w.n.p Not known to be possible from OWF/OWP alone “Impossibility” (blackbox-separation) known Possible from “claw-free pair of permutations” In turn from hardness of discrete-log, factoring, and from lattice-based assumptions Also from “homomorphic one-way permutations”, and from homomorphic encryptions All candidates use mathematical structures that are considered computationally expensive in practice

slide-106
SLIDE 106

CRHF

slide-107
SLIDE 107

CRHF from discrete log assumption:

CRHF

slide-108
SLIDE 108

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime)

CRHF

slide-109
SLIDE 109

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime) hg1,g2(x1,x2) = g1x1g2x2 (in G) where g1, g2 ≠ 1 (hence generators)

CRHF

slide-110
SLIDE 110

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime) hg1,g2(x1,x2) = g1x1g2x2 (in G) where g1, g2 ≠ 1 (hence generators) A collision: (x1,x2) ≠ (y1,y2) s.t. hg1,g2(x1,x2)= hg1,g2(y1,y2)

CRHF

slide-111
SLIDE 111

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime) hg1,g2(x1,x2) = g1x1g2x2 (in G) where g1, g2 ≠ 1 (hence generators) A collision: (x1,x2) ≠ (y1,y2) s.t. hg1,g2(x1,x2)= hg1,g2(y1,y2) Then (x1,x2) ≠ (y1,y2) ⇒ x1≠y1 and x2≠y2 [Why?]

CRHF

slide-112
SLIDE 112

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime) hg1,g2(x1,x2) = g1x1g2x2 (in G) where g1, g2 ≠ 1 (hence generators) A collision: (x1,x2) ≠ (y1,y2) s.t. hg1,g2(x1,x2)= hg1,g2(y1,y2) Then (x1,x2) ≠ (y1,y2) ⇒ x1≠y1 and x2≠y2 [Why?] Then g2 = g1 (x1-y1)/(x2-y2) (exponents in Zq*)

CRHF

slide-113
SLIDE 113

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime) hg1,g2(x1,x2) = g1x1g2x2 (in G) where g1, g2 ≠ 1 (hence generators) A collision: (x1,x2) ≠ (y1,y2) s.t. hg1,g2(x1,x2)= hg1,g2(y1,y2) Then (x1,x2) ≠ (y1,y2) ⇒ x1≠y1 and x2≠y2 [Why?] Then g2 = g1 (x1-y1)/(x2-y2) (exponents in Zq*) i.e., for some base g1, can compute DL of g2 (a random non-unit element). Breaks DL!

CRHF

slide-114
SLIDE 114

CRHF from discrete log assumption: Suppose G a group of prime order q, where DL is considered hard (e.g. QRp* for p=2q+1 a safe prime) hg1,g2(x1,x2) = g1x1g2x2 (in G) where g1, g2 ≠ 1 (hence generators) A collision: (x1,x2) ≠ (y1,y2) s.t. hg1,g2(x1,x2)= hg1,g2(y1,y2) Then (x1,x2) ≠ (y1,y2) ⇒ x1≠y1 and x2≠y2 [Why?] Then g2 = g1 (x1-y1)/(x2-y2) (exponents in Zq*) i.e., for some base g1, can compute DL of g2 (a random non-unit element). Breaks DL! Hash halves the size of the input

CRHF

slide-115
SLIDE 115

UOWHF vs. CRHF

slide-116
SLIDE 116

UOWHF vs. CRHF

UOWHF has a weaker guarantee than CRHF

slide-117
SLIDE 117

UOWHF vs. CRHF

UOWHF has a weaker guarantee than CRHF UOWHF can be built based on OWF (we saw based on OWP), where as CRHF “needs stronger assumptions”

slide-118
SLIDE 118

UOWHF vs. CRHF

UOWHF has a weaker guarantee than CRHF UOWHF can be built based on OWF (we saw based on OWP), where as CRHF “needs stronger assumptions” But “usual” OWF candidates suffice for CRHF too (we saw construction based on discrete-log)

slide-119
SLIDE 119

UOWHF vs. CRHF

UOWHF has a weaker guarantee than CRHF UOWHF can be built based on OWF (we saw based on OWP), where as CRHF “needs stronger assumptions” But “usual” OWF candidates suffice for CRHF too (we saw construction based on discrete-log) Domain extension of CRHF is simpler, with no blow-up in the description size. For UOWHF description increases logarithmically in the input size (next time)

slide-120
SLIDE 120

UOWHF vs. CRHF

UOWHF has a weaker guarantee than CRHF UOWHF can be built based on OWF (we saw based on OWP), where as CRHF “needs stronger assumptions” But “usual” OWF candidates suffice for CRHF too (we saw construction based on discrete-log) Domain extension of CRHF is simpler, with no blow-up in the description size. For UOWHF description increases logarithmically in the input size (next time) UOWHF theoretically important (based on simpler assumptions, good if paranoid), but CRHF is easier to use

slide-121
SLIDE 121

UOWHF vs. CRHF

UOWHF has a weaker guarantee than CRHF UOWHF can be built based on OWF (we saw based on OWP), where as CRHF “needs stronger assumptions” But “usual” OWF candidates suffice for CRHF too (we saw construction based on discrete-log) Domain extension of CRHF is simpler, with no blow-up in the description size. For UOWHF description increases logarithmically in the input size (next time) UOWHF theoretically important (based on simpler assumptions, good if paranoid), but CRHF is easier to use Current practice: much less paranoid; faith on efficient, ad hoc (and unkeyed) constructions (though increasingly under attack)

slide-122
SLIDE 122

Today

slide-123
SLIDE 123

Today

Combinatorial hash functions, UOWHF and CRHF

slide-124
SLIDE 124

Today

Combinatorial hash functions, UOWHF and CRHF (And weaker variants of CRHF: pre-image collision resistance and second-pre-image collision resistance)

slide-125
SLIDE 125

Today

Combinatorial hash functions, UOWHF and CRHF (And weaker variants of CRHF: pre-image collision resistance and second-pre-image collision resistance) Collision-resistant combinatorial HF from 2-Universal Hash Functions

slide-126
SLIDE 126

Today

Combinatorial hash functions, UOWHF and CRHF (And weaker variants of CRHF: pre-image collision resistance and second-pre-image collision resistance) Collision-resistant combinatorial HF from 2-Universal Hash Functions UOWHF from UHF and OWP (possible from OWF)

slide-127
SLIDE 127

Today

Combinatorial hash functions, UOWHF and CRHF (And weaker variants of CRHF: pre-image collision resistance and second-pre-image collision resistance) Collision-resistant combinatorial HF from 2-Universal Hash Functions UOWHF from UHF and OWP (possible from OWF) Next:

slide-128
SLIDE 128

Today

Combinatorial hash functions, UOWHF and CRHF (And weaker variants of CRHF: pre-image collision resistance and second-pre-image collision resistance) Collision-resistant combinatorial HF from 2-Universal Hash Functions UOWHF from UHF and OWP (possible from OWF) Next: A candidate CRHF construction

slide-129
SLIDE 129

Today

Combinatorial hash functions, UOWHF and CRHF (And weaker variants of CRHF: pre-image collision resistance and second-pre-image collision resistance) Collision-resistant combinatorial HF from 2-Universal Hash Functions UOWHF from UHF and OWP (possible from OWF) Next: A candidate CRHF construction Domain extension