Collision-Resistant Hashing: Towards Making UOWHFs Practical

1
Collision-Resistant Hashing: Towards Making UOWHFs Practical
Mihir Bellare
Phillip Rogaway
CRYPTO '97
  • Presented by Ed Kaiser

2
Motivation (pg. 3)
  • "in light of attacks on MDx the conclusion is
    that the design of collision-resistant hash
    functions may be harder than we had thought."
  • Designs need more reasoned engineering
  • "Ask less of a hash function and it is less
    likely to disappoint."
  • Investigate alternate (possibly weaker) goals

3
Overview
  • Definitions
  • Notation
  • Types of Collision Resistance
  • Strength Statements
  • Lemmas
  • Constructions
  • Merkle-Damgård
  • Linear / XOR Linear
  • Tree / XOR Tree
  • Message Lengths
  • Signing with a TCR Hash

4
Notation (pg. 7)
  • binary alphabet Σ = {0,1}
  • message space Msgs ?
  • message M ?l ? Msgs
  • key K ∈ Σ^k
  • Hash family H: Σ^k × Msgs → Σ^c
  • Hash function f = H_K

5
Types of Collision Resistance (pg. 8)
  • Any Collision-Resistance (ACR)
  • standard notion of collision resistance
  • Target Collision-Resistance (TCR)
  • adversary must commit to a target message
  • formalization of UOWHF
  • weaker notion than ACR
  • good enough for signing
  • no birthday bounds

6
Any Collision-Resistance
  • Adversary is given K
  • Must output M, M' where
  • M ≠ M'
  • H_K(M) = H_K(M')
  • Collision finder described by one program
  • (M, M') ← CF(K)

7
Target Collision-Resistance
  • Adversary first chooses and commits to M
  • They are then given K
  • Must output M' where
  • M ≠ M'
  • H_K(M) = H_K(M')
  • Collision finder described by two programs
  • (M, State) ← CF-I()
  • M' ← CF-II(K, M, State)

8
Strength Statements (pg. 8)
  • Adversary (t,u,ε)-breaks the hash family if it
    can produce a collision in
  • at most t time and space
  • for messages no longer than u
  • with probability at least ε
  • Hash family is (t,u,ε)-resistant if there is no
    adversary that (t,u,ε)-breaks the family

9
Strength Statements Cont'd
  • Desire t/ε to be large
  • Use (t,ε)-resistant if the upper bound on length,
    u, does not matter
  • Refer to equal-length collision finders
  • |M| = |M'|
  • And variable-length collision finders
  • |M| ≠ |M'|

10
Composition Lemmas (pg. 10)
  • Given
  • H_1: Σ^{k_1} × Σ^{l_1} → Σ^{l_2} (t_1,ε_1)-resistant
  • H_2: Σ^{k_2} × Σ^{l_2} → Σ^c (t_2,u_2,ε_2)-resistant
  • Composition
  • H = H_2 ∘ H_1 = H_2(K_2, H_1(K_1,M))
  • Is (t,u,ε)-resistant, where
  • t = min(t_1 − Θ(k_2), t_2 − 2T_{H1} − Θ(k_1))
  • u = u_2
  • ε = ε_1 + ε_2

I think this should be u1 l1
11
Lemma Proof (pg. 31): Justifying Success Bounds
  • Intuition Only need to find collision in either
    H1 or H2 to break the composition H
  • Pbreaking H Pbreaking H1 ? Pbreaking H2
  • Breaking H1 and H2 are disjoint
  • ? ? ?1 ?2

12
Lemma Proof Cont'd: Breaking H_1
  • Construct collision finder for H_1 from H

CF-I_1():
    (M, State) ← CF-I();  return (M, State)
CF-II_1(K_1, M, State):
    K_2 ← Σ^{k_2};  M' ← CF-II(K_1 ‖ K_2, M, State);  return M'
  • Operates in t + Θ(k_2) ≤ t_1
  • t ≤ t_1 − Θ(k_2)

13
Lemma Proof Cont'd: Breaking H_2
  • Construct collision finder for H_2 from H

CF-I_2():
    (M, State) ← CF-I();  K_1 ← Σ^{k_1};  x ← H_1(K_1, M)
    return x, (M, State, K_1)
CF-II_2(K_2, x, (M, State, K_1)):
    M' ← CF-II(K_1 ‖ K_2, M, State);  x' ← H_1(K_1, M')
    return x'
  • Operates in t + 2T_{H1} + Θ(k_1) ≤ t_2
  • t ≤ t_2 − 2T_{H1} − Θ(k_1)

14
Constructions
  • Merkle-Damgård construction
  • does not propagate TCR-resistance
  • Other constructions investigated
  • Linear Hash
  • Linear Hash with XOR added
  • Tree Hash
  • Tree Hash with XOR added

15
Merkle-Damgård (pg. 11)
MDH_n(K, M):
    C_0 ← IV
    for i = 1 ... n do C_i ← H_K(C_{i-1} ‖ M_i)
    return C_n
k_total = k
16
Proof that MD is not TCR (pg. 12)
  • By counter example
  • Idea -- design H such that
  • H is TCR
  • MDH is not TCR
  • Construct H from a known TCR-resistant
    compression function F
  • H will have an extended chaining value
  • extension is either K or a constant

17
Proof of MD not TCR Cont'd: Construction of H_K()
  • Let
  • F_K(M): Σ^k × Σ^{c+m'} → Σ^c
  • H_K(M): Σ^k × Σ^{(c+k)+m} → Σ^{c+k}
  • C chaining value broken into C_1 ∈ Σ^c and C_2 ∈ Σ^k
  • H_K(C_1 ‖ C_2 ‖ M) = F_K(C_1 ‖ C_2 ‖ M) ‖ K   if C_2 ≠ K
  •                     = 1^c ‖ 1^k                 if C_2 = K

18
Proof of MD not TCR Cont'd: Showing H_K() is TCR
  • Construct collision finder for F from CF_H

CF-I_F():
    (M, State) ← CF-I_H();  return (M, State)
CF-II_F(K, M, State):
    C_1 ‖ C_2 ‖ x ← M;  if C_2 = K then abort
    M' ← CF-II_H(K, M, State);  return M'
  • CF_F (t,ε)-breaks F where
  • t = t_H + Θ(k + c + m)
  • ? ?H 2(k1)

19
Proof of MD not TCR Cont'd: Showing MDH_K() is not TCR
  • K is chosen at random so
  • C_2 ≠ K with p = 1 − 2^{-k}
  • MDH_K(M_1 ‖ M_2) = H_K(H_K(IV ‖ M_1) ‖ M_2)
  • = H_K(F_K(IV ‖ M_1) ‖ K ‖ M_2)
  • = 1^c ‖ 1^k
  • For collision, choose another M_1' and M_2
  • Adversary (t,ε)-breaks MDH_K() where
  • t = Θ(m)
  • ε = 1 − 2^{-k}
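
The counterexample from slides 16 to 19, run end to end, as an added example that is not code from the paper or the presentation. The compression function F is a stand-in (truncated HMAC-SHA256), and the byte sizes, the all-zero IV and the names `cf_stage1`/`cf_stage2` are assumptions made for the demo.

```python
import hashlib
import hmac

C_LEN, K_LEN, M_LEN = 16, 16, 32   # c, k, m in bytes (sizes chosen for the demo)
IV = bytes(C_LEN + K_LEN)          # extended IV C1 || C2, all zero (assumption)

def F(key: bytes, data: bytes) -> bytes:
    """Stand-in for the TCR compression function F_K: truncated HMAC-SHA256
    (an assumption for the demo, not a function from the paper)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:C_LEN]

def H(key: bytes, block: bytes) -> bytes:
    """Slide 17: H_K(C1 || C2 || M) with an extended (c+k)-byte output."""
    if len(block) != C_LEN + K_LEN + M_LEN:
        raise ValueError("block must be C1 || C2 || M")
    c2 = block[C_LEN:C_LEN + K_LEN]
    if c2 == key:
        return b"\xff" * (C_LEN + K_LEN)   # 1^c || 1^k
    return F(key, block) + key             # F_K(C1 || C2 || M) || K

def mdh(key: bytes, blocks: list) -> bytes:
    """Merkle-Damgard iteration of H under a single key K (slide 15)."""
    chain = IV
    for block in blocks:
        chain = H(key, chain + block)
    return chain

def cf_stage1() -> list:
    """CF-I: commit to a two-block target M1 || M2 before K exists."""
    return [b"A" * M_LEN, b"B" * M_LEN]

def cf_stage2(key: bytes, target: list) -> list:
    """CF-II: keep M2, replace M1 with any other block. K is not even used."""
    return [b"Z" * M_LEN] + target[1:]

if __name__ == "__main__":
    import os
    key = os.urandom(K_LEN)                      # drawn after the commitment
    target = cf_stage1()
    other = cf_stage2(key, target)
    # One application of H still separates the two first blocks ...
    print(H(key, IV + target[0]) != H(key, IV + other[0]))
    # ... but after block 1 the chain carries K in C2, so block 2 takes the
    # constant branch and both two-block messages hash to 1^c || 1^k.
    print(mdh(key, target) == mdh(key, other))
```

H on its own inherits its resistance from F, yet iterating it under one key feeds K back into the input, which is why the later constructions re-key or mask each round.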

20
Linear Hash (pg. 13)
LH(K_1 ... K_n, M):
    C_0 ← IV
    for i = 1 ... n do C_i ← H_{K_i}(C_{i-1} ‖ M_i)
    return C_n
k_total = k · |M|/m
21
Linear Hash TCR Proof (pg. 14): Sketch Only
  • Construct collision finder for H from CF_LH
  • similar to previous constructions
  • Assume H is (t',ε')-resistant
  • Then LH (|M|/m ≤ N) is (t,ε)-resistant where
  • t = t' − Θ(N)(T_H + m + k + c)
  • ε = Nε'

22
Linear Hash Cont'd
  • TCR-resistant
  • Large key length
  • linear in maximum message length N
  • H is re-keyed |M|/m times

23
XOR Linear Hash (pg. 15)
XLH(K ‖ K_1 ... K_n, M):
    C_0 ← IV
    for i = 1 ... n do D_i ← K_i ⊕ C_{i-1};  C_i ← H_K(D_i ‖ M_i)
    return C_n
k_total = k + c · |M|/m
24
XOR Linear Hash Cont'd
  • Similar to Linear Hash
  • If H is (t',ε')-resistant
  • Then XLH is (t,ε)-resistant where
  • t = t' − Θ(N)(T_H + m + k + c)
  • ε = Nε'

25
XOR Linear Hash Cont'd
  • TCR-resistant
  • Key length grows slower than linear hash
  • H is keyed only once
  • Remains linear in maximum message length
  • Choose over linear hash when
  • c < k (1 − m/|M|)
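
Linear Hash and XOR Linear Hash side by side, with their key-material totals and the selection rule from slide 25, as an added example rather than code from the paper or the presentation. The keyed compression function is a stand-in (truncated HMAC-SHA256); the sizes, the zero IV and all function names are assumptions.

```python
import hashlib
import hmac

C_LEN, M_LEN = 16, 32            # c and m in bytes (sizes chosen for the demo)
IV = bytes(C_LEN)                # fixed public IV (assumption)

def H(key: bytes, data: bytes) -> bytes:
    """Stand-in keyed compression function H_K: truncated HMAC-SHA256
    (an assumption for the demo, not a function from the paper)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:C_LEN]

def blocks_of(msg: bytes) -> list:
    """Split M into m-byte blocks; equal-length setting, so no padding here."""
    if not msg or len(msg) % M_LEN:
        raise ValueError("message must be a positive multiple of m bytes")
    return [msg[i:i + M_LEN] for i in range(0, len(msg), M_LEN)]

def linear_hash(keys: list, msg: bytes) -> bytes:
    """LH: a fresh key K_i for every block."""
    blocks = blocks_of(msg)
    if len(keys) != len(blocks):
        raise ValueError("LH needs one key per block")
    chain = IV
    for k_i, m_i in zip(keys, blocks):
        chain = H(k_i, chain + m_i)
    return chain

def xor_linear_hash(key: bytes, masks: list, msg: bytes) -> bytes:
    """XLH: one key K for H, plus a c-byte mask K_i XORed into each chaining value."""
    blocks = blocks_of(msg)
    if len(masks) != len(blocks) or any(len(x) != C_LEN for x in masks):
        raise ValueError("XLH needs one c-byte mask per block")
    chain = IV
    for k_i, m_i in zip(masks, blocks):
        d_i = bytes(a ^ b for a, b in zip(k_i, chain))   # D_i = K_i xor C_{i-1}
        chain = H(key, d_i + m_i)
    return chain

def key_material(k: int, c: int, n_blocks: int) -> dict:
    """Total key length for a message of n = |M|/m blocks."""
    return {"LH": k * n_blocks, "XLH": k + c * n_blocks}

def prefer_xlh(k: int, c: int, n_blocks: int) -> bool:
    """Slide 25 rule: c < k(1 - m/|M|), with m/|M| = 1/n."""
    return c < k * (1 - 1 / n_blocks)
```

With all-zero masks XLH collapses to a single-key chain, which is exactly the Merkle-Damgård shape shown earlier not to preserve TCR; the masks must be random key material.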

26
Tree Hash (pg. 16)
  • d = branching factor
  • m = d · c

k_total = k · log_d(|M|/c)
27
Tree Hash Cont'd
TH(K_1 ... K_v, M):
    C_0 ← M
    for i = 1 ... v do
        n ← |C_{i-1}|/m;  for j = 1 ... n do D_j ← H_{K_i}(C_{i-1,j})
        C_i = D_1 ... D_n
    return D_v
  • If H is (t',ε')-resistant
  • Then TH is (t,ε)-resistant where
  • t = t' − Θ(N)(T_H + k + c)
  • ε = (N−1) ε' / (d−1)

28
Tree Hash Cont'd
  • TCR-resistant
  • Key length grows logarithmically
  • H is re-keyed at each level

29
XOR Tree Hash (pg. 19)
k_total = k + dc · log_d(|M|/c)
30
XOR Tree Hash Cont'd
XTH(K ‖ K_1 ... K_v, M):
    C_0 ← M
    for i = 1 ... v do
        n ← |C_{i-1}|/m
        for j = 1 ... n do C_{i-1,j} ← C_{i-1,j} ⊕ K_i;  D_j ← H_K(C_{i-1,j})
        C_i = D_1 ... D_n
    return D_v
  • If H is (t',ε')-resistant
  • Then TH is (t,ε)-resistant where
  • t = t' − Θ(N)(T_H + k + c)
  • ε = (N−1) ε' / (d−1)

31
XOR Tree Hash Cont'd
  • TCR-resistant
  • Key length grows logarithmically
  • slower than basic tree hash
  • H is keyed only once

32
Message Lengths (pg. 22)
  • Up to now, security has been shown for M,M' of
    equal length
  • Normal padding scheme may not be TCR
  • Pad(M) = M ‖ 1 ‖ 0^{m − l mod m} ‖ ⟨l⟩
  • (H ∘ Pad)(M)
  • However there is a general technique that is
    secure against variable length TCR ...

33
Variable Length TCR (pg. 23): Messages of Integral Block Length
  • H2 K2(H1 K1(M) ltMgtm)
  • Claim is (t,ε)-resistant where
  • t = min(t_1 − k_2, t_2 − Θ(k_1) − 2T_{H1} − Θ(l_1))
  • ε = ε_1 + ε_2
  • Proof is same as that of composition lemma
  • except CF-I2 returns x ? H1 K1(M) Mm
  • and CF-II2 returns x' ? H1 K1(M) M'm

34
Variable Length TCR (pg. 24): Padding Proof Sketch
  • Pad: Msgs → Msgs
  • H: Σ^k × Msgs → Σ^c

CF-I() M,State ? CF-I() M ? Pad(M)
return M,(M,State)
CF-II(K,M,(M,State)) M' ? CF-II(K,M,State)
M' ? Pad(M') return M'
  • H is (t,?)-resistant where
  • t t 2TPad
  • ? ?

35
Signing with a TCR Hash (pg. 25)
  • Reduce message to be signed
  • Not concerned with masking structure

36
Signing Algorithm
SIGN_sk(M):
    K ← Σ^k
    s ← Sign_sk(H_K(M) ‖ K)
    return s ‖ K
37
Security Bounds
  • Assuming
  • Sign is (t_1,q_1,u_1,ε_1)-secure signature scheme
  • H is (t_2,ε_2)-resistant TCR hash
  • Then
  • SIGN is (t,q,u,ε)-secure where
  • t min(t1 (q1)TH qTSign, t2 (q1)TH TGen
    qTSign)
  • q = q_1
  • u u1 c - k
  • ε = ε_1 + q_1ε_2