Memoryless Near-Collisions via Coding Theory - Mario Lamberger - PowerPoint PPT Presentation



SLIDE 1

Institute for Applied Information Processing and Communications (IAIK)

Memoryless Near-Collisions via Coding Theory

Mario Lamberger Florian Mendel Vincent Rijmen Koen Simoens

Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria mario.lamberger@iaik.tugraz.at

M. Lamberger, ASIACRYPT 2009 - Rump Session, Memoryless Near-Collisions

SLIDE 2


Memoryless Collision

I guess we have all heard about the birthday paradox.

For an $n$-bit hash function, we need $2^{n/2}$ hash calls and a list of the same size.

Using a lot of memory sucks, so we implement it with a cycle-finding method instead: Floyd, Brent, ...


SLIDE 3


Now what about near-collisions?

Near-Collision Resistance (HAC)

It should be hard to find any two inputs $m, m^*$ such that $H(m)$ and $H(m^*)$ differ in only a small number of bits: $d(H(m), H(m^*)) \le \epsilon$. This includes collisions ⇒ easier! But what should a "near"-cycle be?


SLIDE 4


A possible solution

$\pi$: linear projection map that sets $\epsilon$ bits to 0. Then, a collision for $\pi \circ H$ results in a near-collision for $H$.

Improves the performance by $2^{\epsilon/2}$ (birthday bound $2^{(n-\epsilon)/2}$ instead of $2^{n/2}$).

Drawback: only differences confined to the $\epsilon$ zeroed positions can be found, so it finds only a fraction of all $\epsilon$-near-collisions, namely
$$\frac{2^{\epsilon}}{\sum_{i=0}^{\epsilon} \binom{n}{i}}.$$

Ideally, we would like to have a map $g$ which gives a one-to-one correspondence between $\epsilon$-near-collisions ($\epsilon \ge 1$) for $H$ and collisions for $g \circ H$.

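The memoryless search of slide 2 and the projection trick of this slide, as an added Python example (not code from the slides or their authors). The hash H is a toy choice assumed here: the first n bits of SHA-256 of the message, with messages taken as n-bit integers so that x ↦ π(H(x)) maps a set to itself and cycle finding applies. Floyd's algorithm delivers the collision for π ∘ H with constant memory, and fraction_found evaluates the share of ε-near-collisions reachable this way from the formula above. All function names are mine.

```python
"""Memoryless collision and projection near-collision search (added example).

H is a toy n-bit hash, assumed here to be the first n bits of SHA-256 of the
message; messages are n-bit integers so that x -> pi(H(x)) maps a set to
itself and cycle finding applies.
"""
import hashlib
from fractions import Fraction
from itertools import count
from math import comb


def toy_hash(x: int, n: int) -> int:
    """H: first n bits of SHA-256 over the big-endian encoding of x (toy choice)."""
    nbytes = (n + 7) // 8
    digest = hashlib.sha256(x.to_bytes(nbytes, "big")).digest()
    return int.from_bytes(digest[:nbytes], "big") >> (8 * nbytes - n)


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def floyd_collision(f, x0):
    """Floyd cycle finding on x_{i+1} = f(x_i), memory O(1).

    Returns (a, b) with a != b and f(a) == f(b): the last element of the tail
    and the last element of the cycle both map to the cycle entry x_mu.
    Returns None if x0 already lies on the cycle (mu == 0); the caller then
    restarts from another seed.
    """
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:                  # phase 1: meet somewhere on the cycle
        tortoise, hare = f(tortoise), f(f(hare))
    tortoise, prev = x0, None
    while tortoise != hare:                  # phase 2: walk to x_mu in lockstep
        prev = (tortoise, hare)
        tortoise, hare = f(tortoise), f(hare)
    return prev


def memoryless_collision(f, x0=0):
    """Restart Floyd from successive seeds until a genuine collision appears."""
    for seed in count(x0):
        pair = floyd_collision(f, seed)
        if pair is not None:
            return pair


def projection_near_collision(n: int, eps: int, x0: int = 0):
    """Collision for pi o H, where pi clears the eps low-order output bits.

    Both H outputs then agree outside those eps positions: an eps-near-collision
    at birthday cost 2^((n - eps)/2) instead of 2^(n/2).
    Returns (m1, m2, distance, hash_calls).
    """
    calls = [0]

    def f(x):
        calls[0] += 1
        return (toy_hash(x, n) >> eps) << eps  # pi: set eps bits to 0

    m1, m2 = memoryless_collision(f, x0)
    h1, h2 = toy_hash(m1, n), toy_hash(m2, n)
    assert h1 >> eps == h2 >> eps            # collision for pi o H by construction
    return m1, m2, hamming_distance(h1, h2), calls[0]


def fraction_found(n: int, eps: int) -> Fraction:
    """Share of all eps-near-collision differences the projection can produce:
    the 2^eps differences inside the cleared positions out of sum_{i<=eps} C(n, i)."""
    return Fraction(2 ** eps, sum(comb(n, i) for i in range(eps + 1)))


if __name__ == "__main__":
    for eps in (0, 8):
        m1, m2, d, calls = projection_near_collision(28, eps)
        print(f"eps={eps}: H({m1:#x}) and H({m2:#x}) differ in {d} bits, {calls} hash calls")
    print("share of 8-near-collisions reachable for n=28:", float(fraction_found(28, 8)))
```

Running it with n = 28 shows the hash-call count drop by roughly $2^{\epsilon/2} = 16$ between ε = 0 and ε = 8 (the exact counts vary with the random cycle structure), while fraction_found(28, 8) shows how small the share of 8-near-collisions is that the projection can ever produce.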

SLIDE 5


Our idea

Let $H$ be a hash function of output size $n$. Let $\mathcal{C} \subseteq \mathbb{Z}_2^n$ be a code of the same length $n$, size $K$ and covering radius $\rho(\mathcal{C})$, and assume there exists an efficiently computable map $g$ that maps every $x \in \mathbb{Z}_2^n$ to a codeword at distance $\rho(\mathcal{C})$ or less.

Then, we can find $2\rho(\mathcal{C})$-near-collisions for $H$ with a complexity of about $\sqrt{K}$ and with virtually no memory requirements: a collision $g(H(m)) = g(H(m^*))$ puts both outputs within $\rho(\mathcal{C})$ of the same codeword, and $g \circ H$ takes only $K$ values.

If decoding is efficient, use this as $g$.

Size $K$ → sphere-covering bound, $K \ge 2^n / \sum_{i=0}^{\rho(\mathcal{C})} \binom{n}{i}$.


SLIDE 6


Our proposed construction

For given $n$ and $\rho$ we considered direct sums of Hamming codes and trivial codes,
$$\mathcal{C} = \bigoplus_{i \ge 1} d_i \mathcal{H}_i \oplus \mathbb{Z}_2^{r(n,\rho)},$$
with $d_i$ copies of the Hamming code $\mathcal{H}_i$ of length $N_i = 2^i - 1$ (covering radius 1 each) and the trivial code on the remaining $r(n,\rho)$ positions.

Easy to decode.

Gives rise to an interesting digit problem:

  • $\sum_{i \ge 1} d_i N_i \le n$, with $N_i = 2^i - 1$ and $d_i \in \{0, \ldots, \rho\}$
  • $\sum_{i \ge 1} d_i = \rho$
  • $\sum_{i \ge 1} d_i \cdot i$ should be maximal

Demonstrated the approach on the SHA-3 candidate TIB-3.

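The construction of this slide carried through end to end, as an added Python example (not the authors' code, and the TIB-3 attack is not reproduced): solve_digit_problem picks the Hamming code lengths for given n and ρ, make_decoder is the map g (syndrome decoding of each Hamming block, the r trivial positions passed through), and Brent's cycle finding, the second method named on slide 2, turns a collision of g ∘ H into a 2ρ-near-collision with about √K hash calls and O(1) memory. H is again a toy n-bit hash assumed to be truncated SHA-256; all function names are mine.

```python
"""Near-collisions via a covering code: Hamming direct sums + Brent (added example).

H is a toy n-bit hash, assumed here to be the first n bits of SHA-256.
C = (+)_i d_i H_i (+) Z_2^r comes out of the digit problem, g is per-block
syndrome decoding, and a collision of g o H is a 2*rho-near-collision of H.
"""
import hashlib
from functools import lru_cache
from itertools import count

def toy_hash(x: int, n: int) -> int:
    """H: first n bits of SHA-256 over the big-endian encoding of x (toy choice)."""
    nbytes = (n + 7) // 8
    digest = hashlib.sha256(x.to_bytes(nbytes, "big")).digest()
    return int.from_bytes(digest[:nbytes], "big") >> (8 * nbytes - n)

def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def solve_digit_problem(n: int, rho: int) -> tuple:
    """Pick rho Hamming codes H_i (length N_i = 2^i - 1, redundancy i) with
    sum N_i <= n and maximal total redundancy sum i, i.e. minimal K = 2^(n - sum i).
    Returns the chosen indices, largest first; d_i is the multiplicity of i."""
    i_max = (n + 1).bit_length() - 1          # largest i with 2^i - 1 <= n

    @lru_cache(maxsize=None)
    def best(k, room, i_min):                 # k codes left, room bits left, indices >= i_min
        if k == 0:
            return (0, ())
        choice = None
        for i in range(i_min, i_max + 1):
            if (1 << i) - 1 <= room:
                sub = best(k - 1, room - ((1 << i) - 1), i)
                if sub is not None and (choice is None or i + sub[0] > choice[0]):
                    choice = (i + sub[0], (i,) + sub[1])
        return choice

    result = best(rho, n, 1)
    if result is None:
        raise ValueError("need n >= rho")
    return tuple(sorted(result[1], reverse=True))

def hamming_decode(block: int, i: int) -> int:
    """Syndrome decoding of one (2^i - 1)-bit block of H_i: column j of the
    parity-check matrix is the binary expansion of j, so the syndrome is the XOR
    of the set positions and, if non-zero, names the single bit to flip."""
    syndrome = 0
    for j in range(1, 1 << i):
        if (block >> (j - 1)) & 1:
            syndrome ^= j
    return block ^ (1 << (syndrome - 1)) if syndrome else block

def make_decoder(n: int, lengths: tuple):
    """g: Z_2^n -> C, decoding consecutive Hamming blocks and passing the
    remaining r = n - sum N_i bits (the trivial code Z_2^r) through unchanged."""
    def g(x: int) -> int:
        out, shift = 0, 0
        for i in lengths:
            width = (1 << i) - 1
            out |= hamming_decode((x >> shift) & ((1 << width) - 1), i) << shift
            shift += width
        return out | ((x >> shift) << shift)
    return g

def brent_collision(f, x0):
    """Brent cycle finding on x_{i+1} = f(x_i): returns (a, b) with a != b and
    f(a) == f(b), or None when x0 is already on the cycle (caller restarts)."""
    power = lam = 1
    tortoise, hare = x0, f(x0)
    while tortoise != hare:                   # phase 1: determine cycle length lam
        if power == lam:
            tortoise, power, lam = hare, 2 * power, 0
        hare = f(hare)
        lam += 1
    tortoise = hare = x0
    for _ in range(lam):                      # put hare lam steps ahead of tortoise
        hare = f(hare)
    prev = None
    while tortoise != hare:                   # phase 2: both reach x_mu together
        prev = (tortoise, hare)
        tortoise, hare = f(tortoise), f(hare)
    return prev

def near_collision(n: int, rho: int, x0: int = 0):
    """m1 != m2 with d(H(m1), H(m2)) <= 2*rho, about sqrt(K) = 2^((n - sum i)/2)
    hash calls and O(1) memory. Returns (m1, m2, distance, chosen Hamming indices)."""
    lengths = solve_digit_problem(n, rho)
    g = make_decoder(n, lengths)
    for seed in count(x0):
        pair = brent_collision(lambda x: g(toy_hash(x, n)), seed)
        if pair is not None:
            break
    m1, m2 = pair
    h1, h2 = toy_hash(m1, n), toy_hash(m2, n)
    # g(h1) == g(h2) is one codeword within rho of both outputs, so d(h1, h2) <= 2*rho
    return m1, m2, hamming_distance(h1, h2), lengths

if __name__ == "__main__":
    n, rho = 32, 2
    m1, m2, d, lengths = near_collision(n, rho)
    r = n - sum((1 << i) - 1 for i in lengths)
    print(f"Hamming indices {lengths}, trivial part r={r}, K=2^{n - sum(lengths)}")
    print(f"d(H({m1:#x}), H({m2:#x})) = {d} <= {2 * rho}")
```

For n = 32, ρ = 2 the digit problem picks two copies of $\mathcal{H}_4$ (30 of 32 bits covered, redundancy 8), so $K = 2^{24}$ and the search costs about $2^{12}$ hash calls for a 4-near-collision, against $2^{14}$ for the projection approach with ε = 4 and $2^{16}$ for a full collision.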

SLIDE 7


Thank you for your attention!
