Hash Functions: From MerkleDamgrd to Shoup

1
Hash Functions From Merkle-Damgård to Shoup

• Ilya Mironov, Stanford University

2
Collision-resistant functions

• Family of functions fKD?R
• Hard to win this game

Attacker
Challenger
k?K - random
(x,y)
fk(x)fk(y)
3
Collision-resistant functions can be used for

• Signature schemes
• Commitment schemes

Given a signature algorithm s(S), where S is
fixed, we can sign any message s(fk(M)).
Alice
Bob
x
fk(x)commitment to x
4
Good news CRF can be built

• Based on number-theoretic assumptions
• Factoring f(x)(3F16x)2 mod N.
• Discrete log f(xy)gxhy.
• Claw-free permutations
• Hard to find f(x)g(y)

5
Bad news practical CRF hard to construct

• MD4broken
• MD5a serious weakness found
• Flaw in the original SHA

6
Useful alternative UOWHFs

• Family of functions fKD?R
• Hard to win this game

Attacker
Challenger
x
k?K- random
y
fk(x)fk(y)
7
WUFs good for

• Signature schemes
• Given an existentially secure signature
  algorithm s(S), where S is fixed, we can sign
  any message with k,s(k,fk(M)), where k is chosen
  at random.
• Reason It is hard to find fk(M1)fk(M) for a
  random k.

8
WUFs can be built from

• One-way functions
• One-way permutation
• Collision-resistant functions

9
Oracle separation

• Simon98
• There is an oracle relative to which one-way
• permutations exist but not CRFs.
• Interpretation
• No black box construction of a CRF
• based on a WUF.
• Conclusion
• A CRF is a strictly stronger primitive than a
  WUF.

10
A family of CRFs (WUFs)

• We want to make one, concrete assumption, for
  instance
• It is infeasible to find a collision (second
  preimage) in SHA-1.
• Then derive a family of functions that take
  inputs of different lengths and hash it to a
  fixed length output.

11
Good news CRFs families are easy to construct

• Merkle-Damgård construction

M0
M1
M2
M3
output
Hk
Hk
Hk
Hk
IV
12
Bad newsNot so easy for WUF families

• Merkle-Damgård construction fails on WUFs.
• (we cannot plug in a weaker primitive in the
  construction)
• due to M. Bellare and P. Rogaway97.

13
Shoup construction

• M0,M1,,MLmasks (tags).

x0
x1
x2
x3
x4
x5
?
?
IV
Hk
Hk
Hk
Hk
Hk
Hk
?
?
?
?
M0
M0
M0
M1
M1
M2
14
Example

• RSA signature (H is a CRF)
• SH(M)e mod N.
• If we use a WUF (SHA-1, Shoup scheme)
• SK (hK(K)hK(M))e mod N.

15
Difficult choice

• CRFs
• Theoretically and practically harder to construct
• Have efficient composition scheme

• WUFs
• Easier to construct
• Dont have efficient composition scheme

16
Continuum of functions

• Commit to some bits of x

Attacker
Challenger
17
Class H(n?ml)

• yx0x1n
• x1l flexibility
• Output of f has length m.

Attacker
Challenger
x0
x0
k?K- random
x1,y
x1
y1
fk(x1,x0)fk(y)
18
H(n?m0) and H(n?mn) have names

• H(n?m0) is a WUF

Attacker
Challenger
x0x
k?K- random
y,x1?
fk(x)fk(y)
19
H(n?m0) and H(n?mn) have names

• H(n?mn) is a CRF

Attacker
Challenger
x0?
k?K- random
y,x1x
fk(x)fk(y)
20
Merkle-Damgård construction

• Works (with a minor modification) for H(n?mm)

M1
M2
M3
M4
output
Hk
Hk
Hk
Hk
M0
21
Jump somewhere?

• CRFs and WUFs can be separated. Where?

H(n?m0)? H(n?m1) ? H(n?mn)
22
Separation

• H(n?m0)H(n?mmO(log m)) one class of
  theoretic-complexity equivalence
• H(n?mmmc)H(n?mn) another class
• The gap does not exist if there are ideally
  secure WUFs.

23
Another approach

• Can the Shoup construction be improved?

x0
x1
x2
x3
x4
x5
?
?
IV
Hk
Hk
Hk
Hk
Hk
Hk
?
?
?
?
M?(2)
M?(0)
M?(5)
M?(1)
M?(3)
M?(4)
24
Function is optimal

• The function
• ?(k)highest power of 2 dividing k is optimal.
• Constructive proof counting argument

25
Open question

• How short can a key of a family of WUFs be?
• Conjecture
• key length must be O(log m)
• Reason It cant be a coincidence!