Printer - please drop in Elsevier (tree) logo Computers 8 Security Vol. 17, No.2, pp. 171- 174, 1998 0 1998 Elsevier Science Limited All rights reserved. Printed in Great Britain 0167-4048/98 $19.00 On Probabilities of Hash Value Matches Mohammad Peyraviana, Allen Roginskya, Ajay Kshemkalyanib alBM Corporation, Research Triangle Park, NC 27709, USA bECECS Detlartment. University of Cincinnati, Cincinnati, OH 45221, USAL ’ ‘ _ Hash functions are used in authentication and cryptography, as hash function is said to be collision resistant if it is hard well as for the efficient storage and retrieval of data using hashed to find two input strings that map to the same hash keys. Hash functions are susceptible to undesirable collisions. To design or choose an appropriate hash function for an application, value.The problem of constructing fast hash functions it is essential to estimate the probabilities with which these colli- that also have low collision rates is studied in [S]. Key- sions can occur. In this paper we consider two problems: one of to-address transformation techniques for file access evaluating the probability of no collision at all and one of finding and their performance have been studied in [8]. Given a bound for the probability of a collision with a particular hash k, the number of hashed values that have been used in value. The quality of these estimates under various values of the parameters is also discussed. a hashing scheme in which input strings are mapped to random values, the expected number of locations Keywords: hash functions, security, cryptography, indexing, databases that must be looked at until an empty hashed value is found is formulated in [lo]. This result was improved 1. Introduction for certain non-random hashing functions and certain values of k in [14]. The efficiency of multiple-key A hash hnction takes a variable-length input string hashing in limiting the search of a given key value in and maps it to a fixed-length (generally smaller) out- a file and in minimizing the search in answering par- put string. Hash fimctions are extensively used for tial-match or multi-attribute queries is studied in [2]. index management in database systems and file sys- The only known work that deals with the probability tems for efficient storage and retrieval of data based on of collisions of hash functions is [3,13,16]. These hashed keys [ 1,9,15], digital signatures for authentica- papers dealt with the construction of universal hash tion [6,12,16], and cryptography [4,5,11,12]. A good functions which are classes of hash fimctions such that survey of classical hashing methods is given in [9]. the functions in any class have the same bound on the probability of hash collisions. A hash function is prone to collisions wherein two input strings map to the same output string. A good For several applications such as cryptography, it is hash function minimizes the possibility of collisions; a important to design or choose appropriate hash func- 0167-4048/98$19.00 0 1998 Elsevier Science Ltd 171 On Probabilities of Hash Value Ma tcheslPeyravian, Roginsky, Kshemkalyani tions with an upper bound on the probability of col- Definition 2: Following [12], we define a one-way lisions. To this end, our objective is to determine the hash function H(M) = h as a function that maps any probabilities of hash collisions for hash functions that input bit string M from set A into a bit string of a fixed are uniformly mapped into the codomain, i.e., each length in set B with the properties that input string is equally likely to be mapped to any of the hash values of the codomain under different sce- l Every possible value of B is equally likely to be an narios. Specifically, we address two problems: I) deter- image of an element in set A. mining the probability that there are no collisions at l Given M, it is easy to compute h. all, in Theorem I, and 2) determining a bound on the l Given h, it is hard to compute M such that H(M) = h probability of a collision with a particular hash value, l Given M, it is hard to find another message M’ in Theorem 2. For each ofTheorems I and 2, we state such that H(M) = H(M’). some corollaries that give the minimum size of the l It is hard to find two random messages, M and M’, hash function that is necessary to satisfy a desired upper bound on the probability of hash collisions. such that H(M) = H(M’). Although our results apply to all hash functions that satisfy Definition I, we focus on the cryptography 2. Hash Functions application (Definition 2) for the rest of this paper. Definition 1: A hash function H(M) = h maps an input bit string M from set A into a bit string of a fixed length in set B with the properties that 3. Problem Statement Let us consider the following scenario. Let A. be a set Every possible value of B is equally likely to be an consisting of m different messages M,, M2,. .., M,,,. Let image of an element in set A. M denote a particular message in A with a correspond- Given M, it is easy to compute h. ing hash element H(M) in set B.Two problems then arise. Hash functions considered in the literature, e.g. Problem 1: Given sets A and B, determine the prob- [3,5,8,10,13,14,16] satisfy the above definition. ability that no two elements in A mesh into the same element of B, that is, determine the probability that We were prompted to address the problems on the there are no collisions. probability of collisions while employing hash func- tions for cryptography and had to deal with potential Problem 2: Given our particular message M, deter- collisions. In cryptography, the security of protocols mine the probability that no other element in A mesh- that use hash functions would be undermined if the es into the value, H(M), of the hash function at M. hash functions are not highly collision resistant. Additionally, it is should be extremely hard to recon- Answers to Problems I and 2 give two measures of struct the input string from its hash value in a reason- goodness of a hash function. An application can able amount of time. Such hash functions are called choose or design a hash function such that the good- one-way hash functions. ness of the hash function satisfies the application’s requirements. In cryptography, Problem I is also One-way hash functions are useful in cryptography important since a high probability of collisions because they enforce the property that the knowledge between any messages opens the door to the so-called of a particular value of H(M) does not help the attack- ‘birthday attacks’ (see [12].) Problem 2 is also relevant er to guess the value M that was used and at the same because a user is concerned with only his or her mes- time it provides a ‘fingerprint’ of M that is unique. sage M having a unique image in set B. There are many one-way hash functions such as SHA-I, MD2, MD4, MD5, and Snefru presently in In practical applications, Problems I and 2 can be stat- use (see [12]). ed as follows: given the size m of set A and the maxi- 172 Computers & Security, Vol. 7 7, No. 2 mum permissible value Q,, of the collision probabil- ity, what should be the minimum length, k, in bits of the values of the hash fimction? We answer these ques- tions associated with Problems 1 and 2 by deriving where corollaries to two theorems that answer Problem 1 and Problem 2, respectively. IB2j I IRj(z) I< 4. Estimates of Collision Probabilities 2j(2j - l)/zi2j-l co~~j-~(O.S. Im(z)) We will prove two theorems (Theorems 1 and 2) asso- ciated with Problems 1 and 2 stated above and also and B,, is the corresponding Bernoulli number. The consider some special cases. reason for the cosine term is that the formula is also applicable to the non-real values of Z. We will use this Theorem 1: For kz3 and ~n<2~-‘, the probability Q formula only with j=l, so that the summation term that there exists collisions between the hash values sat- will not be present, the only applicable Bernoulli isfies the following inequality: number is B, = l/6, and with z equal first to c and then to c-m. Therefore, z is real and positive, the cosine function of one half of its imaginary part is equal to 1 and thus 1RI(z)1 <l/122. In the following calcula- tions we will omit a subscript for R,(z) and simply call Proof: it R(z) Applying (5) to formula (4), we get Let P = 1-Q be the probability that no collisions occur. There will be no collisions when the second In(P)=c In(c)-c-05 In(c)+In(&)+R(c)~m In(b)-(c-m) In(c-m)+(c-m) message is hashed into a value in set I3 different from that of the first message, the third message is hashed +05 In(c-m)-In(&)-R(c-m) =c In(c)-c-05.ln(c)bm In(b)-c In(c-m)+m In(c-m)+c-m+05 In(c-m) into yet another value, etc. The probability of this is +(R(c)-R(c-m)) equal to = c h(c / (c-m)) 05 In(c, (c m)) m In((c- I) i (c- m)) -m +(R(c)- R(c-m)) >c In(c/(c-m))-05 In(c/(c-m))-m In(c/(c-m))~m+(R(c)-R(c-m)) p=b-l b-2 b-m+1 b! =(c-m-05) In(l+m/(r-m))-m+(R(c)-R(c-m)).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages6 Page
-
File Size-