Hash Functions from Sigma Protocols and Improvements to VSH - PowerPoint PPT Presentation

1
Hash Functions from Sigma Protocols and Improvements to VSH
  • Mihir Bellare, Todor Ristov
  • UC San Diego

2
Context
  • Hash functions are failing
  • MD5 broken [BB93, Dob96, WY05, LWW05]
  • SHA-1 in jeopardy [WYY05, CR06, CMR07]

Prof. Wang
3
Our Argument
  • Sometimes we may be willing to sacrifice some
    speed for security.

Example: We may need a signature on an
important hashed-then-signed document to be
secure for the next 20 years.
In this case, what becomes interesting are hash
functions that are
  • Provably secure
  • As fast as possible subject to the above

4
Contributions
  • We provide a generic way to transform any
    Σ-protocol into a collision-resistant (CR) hash
    function.

Examples of Σ-protocols
  • Fiat-Shamir
  • GQ
  • Schnorr

[Diagram: the Prover (input pk, sk) sends Y, the Verifier (input pk) replies with c, and the Prover answers with z. Our transform turns the protocol into H, a Σ-hash function (CR).]
5
A Hint on How it Works
Examples of Σ-protocols
  • Fiat-Shamir
  • GQ
  • Schnorr

[Diagram: the Prover (input pk, sk) and the Verifier (input pk) exchange Y, c, z.]

The associated hash function is
$H_{pk}(c, z) = Y$, where pk is the (public) key.
  • How do we compute this given only pk, c, z?
  • Why is it CR?

Later!
6
Yields many hash functions
  • Cases where transformation works directly
  • Cases where Σ-protocol needs modification

7
Σ-hash functions are chameleon [KrRa00]
  • There exists trapdoor sk to find collisions
  • Some uniformity properties

Applications
  • On-line/off-line signing [ShTa01]
  • Chameleon signatures [KrRa00]
  • Designated verifier signatures [JSI96, SWP04]

8
Σ-hash functions are keyed
$H_{pk}(c, z)$, where pk is the key
  • Different signers can use different keys
  • Each key needs to be attacked separately

Increases work factor of attack
9
Σ-hash functions are fast
H-SFS is the fastest known CR hash function with
a security proof based on the standard factoring
assumption
  • Pre is the amount of precomputation in group
    elements
  • Table entry is the average number of message
    bits hashed per modular multiplication

10
Σ-hashing unifies previous work
  • H-Sch is the classical hash function of [CHP91],
    shown to be chameleon by [KrRa00]
  • H-Oka is a generalization from [CHP91]
  • H-GQ is the chameleon hash function of [AM04]

11
Connection to VSH
  • MS: Micali-Shamir Σ-protocol
  • SMS: Strong MS (our modification)
  • H-SMS: derived hash
  • VSH: fast CR hash of [CLS06], proven secure
    under the VSSR assumption.
  • VSSR: given a composite number N, it is hard to find
    $x \in Z_N^*$, $k \ge 1$, and integers $e_1, \ldots, e_k$, not all even,
    such that
    $x^2 \equiv p_1^{e_1} \cdots p_k^{e_k} \pmod{N}$,
    where $p_i$ is the i-th prime.

H-SMS is almost the compression function of VSH.
Alternative way to understand VSH, which also
leads to VSH*.
12
VSH*: Improvement to VSH
VSH
  • Fast hash function proven secure based on VSSR
    assumption
  • The compression function is not CR

VSH*
  • The compression function is CR
  • Up to 5 times faster than VSH on short messages
  • Same performance on long messages
  • Also proven secure based on VSSR
  • Based on idea of H-SMS

13
Related Work
  • Bit-commitment from Σ-protocols [Dam90, CDM00]
  • CR hash functions from homomorphic encryption
    and PIR [IKO05]: slower than Σ-hash functions
    and based on stronger assumptions
  • Other provably secure hash functions
    • SWIFFT [LMPR08]
    • MuHASH [BeMi97]
    • Tillich and Zémor [TiZe94], improved in [PCQ08]

14
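Σ-protocols and Our Hash Function

In general
  • Prover input: pk, sk. Verifier input: pk.
  • Prover → Verifier: Y
  • Verifier → Prover: $c \leftarrow ChSet$
  • Prover → Verifier: z
  • Verifier: $d \leftarrow V(pk, Y \| c \| z)$

Schnorr
  • Prover input: $X = g^{-x}$, x. Verifier input: $X = g^{-x}$.
  • Prover → Verifier: $y \leftarrow Z_p$; $Y \leftarrow g^y$
  • Verifier → Prover: $c \leftarrow Z_p$
  • Prover → Verifier: $z \leftarrow y + xc \bmod p$
  • Verifier: $d \leftarrow (X^c g^z = Y)$

Our hash function
$H_{pk}(c, z) = Y$
  • But
  • How can we compute this given just pk?
  • Why is it CR?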

15
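Computing H: StHVZK

[Diagram: the Prover (input pk, sk) sends Y; the Verifier (input pk) sends $c \leftarrow ChSet$; the Prover sends z; the Verifier computes $d \leftarrow V(pk, Y \| c \| z)$.]

HVZK
  • Sim (randomized): on input pk, outputs Y, c, z.

StHVZK
  • Sim: on input pk, picks $c \leftarrow CmSet$ and $z \leftarrow RpSet$, obtains Y from StSim, and outputs Y, c, z.
  • StSim (deterministic): on input pk, c, z, outputs Y.

Most Σ-protocols satisfy StHVZK.
We set $H_{pk}(c, z) = StSim(pk, c, z)$.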
16
CR from Strong Special Soundness
17
Theorem: Let SP be a Σ-protocol that
  • is StHVZK and
  • satisfies strong special soundness.

Then the family of hash functions H obtained from
SP using our transformation is
collision-resistant.
18
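Schnorr
  • Prover input: $X = g^{-x}$, x. Verifier input: $X = g^{-x}$.
  • Prover → Verifier: $y \leftarrow Z_p$; $Y \leftarrow g^y$
  • Verifier → Prover: $c \leftarrow Z_p$
  • Prover → Verifier: $z \leftarrow y + xc \bmod p$
  • Verifier: $d \leftarrow (X^c g^z = Y)$

Sim: on input X, picks $c \leftarrow Z_p$ and $z \leftarrow Z_p$, and outputs Y, c, z
StSim: $Y = X^c g^z$
  • Satisfies StHVZK

Hence the hash function is defined by $H_X(c, z) = X^c g^z$
  • Satisfies strong special soundness under the
    discrete-log assumption [BeSh07]
  • Hence, H-Sch is CR under the discrete-log
    assumption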
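
The following Python sketch is an added example, not code from the presentation. It instantiates H-Sch over a constructed toy group (P, p, g and the function names are assumptions) and shows both slide claims: the trapdoor x produces collisions (chameleon), and any collision reveals x, which is why finding one is as hard as discrete log.

```python
# Toy Schnorr group (constructed, far too small for real use):
# g = 4 generates the subgroup of prime order p = 1019 in Z_P^*, P = 2039.
P, p, g = 2039, 1019, 4

def keygen(x):
    """Public key X = g^{-x} for secret key x, as on the slide."""
    return pow(g, -x % p, P)

def prove(x, y, c):
    """Honest prover: commitment Y = g^y and response z = y + x*c mod p."""
    return pow(g, y, P), (y + x * c) % p

def H(X, c, z):
    """StSim used as the hash: the unique Y satisfying X^c g^z = Y."""
    return pow(X, c, P) * pow(g, z, P) % P

def trapdoor_collision(x, c, z, c2):
    """Chameleon property: with sk = x, find z2 so that H(c2, z2) = H(c, z)."""
    return (z + x * (c2 - c)) % p

def extract_sk(c, z, c2, z2):
    """A collision with c != c2 gives x = (z2 - z) / (c2 - c) mod p."""
    return (z2 - z) * pow((c2 - c) % p, -1, p) % p

if __name__ == "__main__":
    x = 123                                  # constructed secret key
    X = keygen(x)
    Y, z = prove(x, y=77, c=500)
    print("hash equals commitment:", H(X, 500, z) == Y)
    z2 = trapdoor_collision(x, 500, z, 9)
    print("trapdoor collision:", H(X, 9, z2) == Y)
    print("sk recovered from collision:", extract_sk(500, z, 9, z2) == x)
```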

19
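GQ
  • Prover input: (N, e, k, X), x. Verifier input: $X = x^{-e}$.
  • Prover → Verifier: $y \leftarrow Z_N^*$; $Y \leftarrow y^e$
  • Verifier → Prover: $c \leftarrow \{0, \ldots, 2^k - 1\}$
  • Prover → Verifier: $z \leftarrow y x^c$
  • Verifier: $d \leftarrow (Y = X^c z^e)$

Sim: on input X, picks $c \leftarrow Z_p$ and $z \leftarrow Z_p$, and outputs Y, c, z
StSim: $Y = X^c z^e$
  • Satisfies StHVZK

Hence the hash function is defined by $H_X(c, z) = X^c z^e \bmod N$
  • Satisfies strong special soundness under the
    one-wayness of RSA, hence hash function is CR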

20
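Fiat-Shamir
$s_i \leftarrow Z_N^*$; $u_i \leftarrow s_i^{-2} \bmod N$; pk = (N, k, u); sk = s
  • Prover input: pk, sk. Verifier input: pk.
  • Prover → Verifier: $y \leftarrow Z_N^*$; $Y \leftarrow y^2 \bmod N$
  • Verifier → Prover: $c \leftarrow \{0, 1\}^k$
  • Prover → Verifier: $z \leftarrow y \prod s_i^{c_i} \bmod N$
  • Verifier: $d \leftarrow (Y = z^2 \prod u_i^{c_i} \bmod N)$
  • Satisfies StHVZK

Hence the hash function is defined by
$H_{pk}(c, z) = z^2 \prod u_i^{c_i} \bmod N$
$H_{pk} : \{0, 1\}^k \times Z_N^* \to Z_N^*$
  • But it DOES NOT satisfy strong special soundness

(Y, c, z), (Y, c, -z) are both accepting
transcripts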
21
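Strong Fiat-Shamir
$s_i \leftarrow Z_N^*$; $u_i \leftarrow s_i^{-2} \bmod N$; pk = (N, k, u); sk = s
Let $Z_N^+ = Z_N^* \cap \{0, \ldots, N/2\}$
For $w \in Z_N^*$, $[w]_N = w$ if $w \le N/2$, and $-w$ otherwise
  • Prover input: pk, sk. Verifier input: pk.
  • Prover → Verifier: $y \leftarrow Z_N^*$; $Y \leftarrow y^2 \bmod N$
  • Verifier → Prover: $c \leftarrow \{0, 1\}^k$
  • Prover → Verifier: $z \leftarrow [\, y \prod s_i^{c_i} \bmod N \,]_N$
  • Verifier: $d \leftarrow (Y = z^2 \prod u_i^{c_i} \bmod N)$
  • Satisfies StHVZK, hence the hash function is
    defined by

$H_{pk}(c, z) = z^2 \prod u_i^{c_i} \bmod N$
$H_{pk} : \{0, 1\}^k \times Z_N^+ \to Z_N^*$
  • Satisfies strong special soundness under the
    factoring
  • assumption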
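
The sketch below is an added example, not part of the presentation. It contrasts the Fiat-Shamir hash, where (c, z) and (c, -z) collide, with the Strong Fiat-Shamir variant that only accepts z in Z_N^+. The modulus, the secret values and the function names are constructed for illustration.

```python
from math import gcd

# Constructed toy key: N = 53 * 61; a real key uses a large modulus.
N, k = 3233, 3
s = [5, 12, 1000]                      # sk: s_i in Z_N^*
u = [pow(si, -2, N) for si in s]       # pk: u_i = s_i^{-2} mod N

def H(c, z):
    """Fiat-Shamir hash H_pk(c, z) = z^2 * prod u_i^{c_i} mod N."""
    out = z * z % N
    for ui, ci in zip(u, c):
        if ci:
            out = out * ui % N
    return out

def response(y, c):
    """Prover's response z = y * prod s_i^{c_i} mod N."""
    z = y
    for si, ci in zip(s, c):
        if ci:
            z = z * si % N
    return z

def canon(w):
    """[w]_N: w if w <= N/2, otherwise -w mod N (N is odd)."""
    return w if w <= N // 2 else N - w

def in_zn_plus(w):
    """Membership in Z_N^+ = Z_N^* intersected with {0, ..., N/2}."""
    return 0 < w <= N // 2 and gcd(w, N) == 1

def H_strong(c, z):
    """Same formula on the restricted domain: -z is no longer a valid input."""
    if not in_zn_plus(z):
        raise ValueError("z is outside Z_N^+")
    return H(c, z)

if __name__ == "__main__":
    c, y = (1, 0, 1), 1234             # constructed challenge and nonce
    z = response(y, c)
    print("trivial collision in H:", H(c, z) == H(c, N - z))
    print("strong hash of [z]_N matches Y:", H_strong(c, canon(z)) == y * y % N)
```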

22
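Micali-Shamir
$p_i$: small prime quadratic residue
$s_i \leftarrow p_i^{-1/2} \bmod N$; pk = (N, k, p); sk = s
  • Prover input: pk, sk. Verifier input: pk.
  • Prover → Verifier: $y \leftarrow Z_N^*$; $Y \leftarrow y^2 \bmod N$
  • Verifier → Prover: $c \leftarrow \{0, 1\}^k$
  • Prover → Verifier: $z \leftarrow y \prod s_i^{c_i} \bmod N$
  • Verifier: $d \leftarrow (Y = z^2 \prod p_i^{c_i} \bmod N)$
  • Satisfies StHVZK

Hence the hash function is defined by
$H_{pk}(c, z) = z^2 \prod p_i^{c_i} \bmod N$
$H_{pk} : \{0, 1\}^k \times Z_N^* \to Z_N^*$
  • But it DOES NOT satisfy strong special soundness

(Y, c, z), (Y, c, -z) are both accepting
transcripts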
23
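Strong Micali-Shamir
$p_i$: small prime quadratic residue
$s_i \leftarrow p_i^{-1/2} \bmod N$; pk = (N, k, p); sk = s
Let $Z_N^+ = Z_N^* \cap \{0, \ldots, N/2\}$
For $w \in Z_N^*$, $[w]_N = w$ if $w \le N/2$, and $-w$ otherwise
  • Prover input: pk, sk. Verifier input: pk.
  • Prover → Verifier: $y \leftarrow Z_N^*$; $Y \leftarrow y^2 \bmod N$
  • Verifier → Prover: $c \leftarrow \{0, 1\}^k$
  • Prover → Verifier: $z \leftarrow [\, y \prod s_i^{c_i} \bmod N \,]_N$
  • Verifier: $d \leftarrow (Y = z^2 \prod p_i^{c_i} \bmod N)$
  • Satisfies StHVZK, hence the hash function is
    defined by

$H_{pk}(c, z) = z^2 \prod p_i^{c_i} \bmod N$
$H_{pk} : \{0, 1\}^k \times Z_N^+ \to Z_N^*$
  • Satisfies strong special soundness under the
    SRPP
  • assumption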

24
VSH
Compression function $vsh_N : \{0, 1\}^k \times Z_N^* \to Z_N^*$
defined by
$vsh_N(c, z) = z^2 \prod p_i^{c_i} \bmod N$
The key N is a composite number
$p_i$: i-th prime
$vsh_N(c, z) = vsh_N(c, -z)$, so vsh is not
CR
The VSH hash function is obtained by MD-iteration
of vsh with initialization vector 1
VSH is CR under the VSSR assumption
25
VSH*
Compression function $vsh^*_N : \{0, 1\}^k \times Z_N^* \to Z_N^*$
defined by
$vsh^*_N(c, z) = (z^2 \prod p_i^{c_i}) \, p_{k+1}^{f_N(z)} \bmod N$
where $f_N(w) = 0$ if $w \in Z_N^+$, and 1 otherwise

The key N is a k-bit composite number
$p_i$: i-th prime
  • vsh* is CR under the VSSR assumption
  • The VSH* hash function is obtained by
    MD-iteration of vsh*
    with initialization vector being the first k-1
    message bits.
  • Hence faster than VSH because fewer iterations
    of compression function are used.
  • vsh* is CR, so VSH* is CR under the
    VSSR assumption

26
VSH / VSH* performance comparison
  • The size of the modulus used here is 1024 bits
  • The block and input size are given in bits
  • Unoptimized implementation on a Pentium IV, 3
    GHz machine

27
Summary
  • We show how to transform any Σ-protocol into a
    collision-resistant hash function
  • We obtain hash functions H-Sch, H-GQ, H-SFS,
    H-SMS, ...
    via existing or modified Σ-protocols
  • H-SFS is the fastest CR hash function with a
    proof under the
    standard factoring assumption
  • Σ-hash functions are chameleon and unify
    previous work
  • Based on H-SMS we obtain a modification VSH* of
    VSH that
    has a CR compression function and is faster on
    short
    messages