Cryptographic Hash Functions in Groups and Provable Properties THÈSE NO 5250 (2011) PRÉSENTÉE LE 16 DÉCEMBRE 2011 À LA FACULTÉ INFORMATIQUE ET COMMUNICATIONS LABORATOIRE DE CRYPTOLOGIE ALGORITHMIQUE PROGRAMME DOCTORAL EN INFORMATIQUE, COMMUNICATIONS ET INFORMATION ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE POUR L'OBTENTION DU GRADE DE DOCTEUR ÈS SCIENCES PAR Juraj Šarinay acceptée sur proposition du jury: Prof. J.-P. Hubaux, président du jury Prof. A. Lenstra, directeur de thèse Prof. A. May, rapporteur Dr M. Stam, rapporteur Prof. S. Vaudenay, rapporteur Suisse 2011 Svetlane R´esum´e Nous consid´eronsplusieurs fonctions de hachage \prouvablement s^ures"cal- culant de simples sommes dans un groupe bien choisi (G; ∗). Les propri´et´es de s´ecurit´ede telles fonctions se traduisent prouvablement et de mani`ere naturelle en des probl`emescalculatoires sur G, qui sont simples `ad´efinir et ´egalement potentiellement difficiles `ar´esoudre. Etant´ donn´es k listes dis- jointes Li d'´el´ements du groupe, le probl`emede la k-somme consiste `atrou- ver un gi 2 Li tel que g1 ∗ g2 ∗ ::: ∗ gk = 1G. La difficult´ede ce probl`eme dans divers groupes respectifs d´ecoulede certaines suppositions \standard" en cryptologie `aclef publique, telles que la difficult´ede la factorisation des entiers, du logarithme discret, de la r´eductionde r´eseaux, ou du d´ecodage par syndrome. Nous exposons des indices montrant que le probl`emede la k-somme puisse ^etreencore plus difficile que ceux susmentionn´es. Deux fonctions de hachage bas´ees sur le probl`emede la k-somme, FSB et SWIFFTX, ont ´et´esoumises au NIST comme candidates pour le futur stan- dard SHA-3. Les deux candidatures ´etaient appuy´eespar une quelconque preuve de s´ecurit´e.Nous montrons que l'estimation des niveaux de s´ecurit´e dans ces candidatures est sans rapport avec les preuves fournies. Les reven- dications en mati`erede s´ecurit´ene sont soutenues que par des consid´erations sur des attaques existantes. En introduisant des bornes de \second ordre\ sur les bornes de s´ecurit´e,nous montrons les limites d'une telle approche de la s´ecurit´eprouvable. Un probl`eme dans la mani`erede quantifier la s´ecurit´en'implique pas n´ecessairement un probl`emeavec la s´ecurit´eelle-m^eme. Bien que FSB tra^ıne une histoire d'´echecs, des versions r´ecentes des deux fonctions susmentionn´ees se sont montr´eesbien r´esistantes aux efforts de cryptanalyse. Ceci, ainsi que les multiples connexions avec d'autres probl`emesstandard, indiquent que le probl`emede la k-somme dans certains groupes pourrait ^etreconsid´er´e comme difficile en lui-m^eme, et peut-^etreconduire `ades bornes de s´ecurit´e prouvables. La complexit´ede l'algorithme de l'arbre non-trivial est en train v vi de devenir un outil standard pour en mesurer la difficult´eassoci´ee. Nous proposons des modifications du Very Smooth Hash multiplica- tif, et d´erivons la s´ecurit´edes k-sommes multiplicatives, contrairement aux r´eductionsoriginales apparent´ees`ala factorisation ou au logarithme dis- cret. Bien que les r´eductionsoriginales demeurent valides, nous mesurons la s´ecurit´ed'une mani`erenouvelle et plus agressive. Ceci nous permet d'assou- plir les param`etreset de hacher plus vite. Nous obtenons une fonction qui n'est que trois fois plus lente que SHA-256, et que nous estimons offrir au moins une r´esistance ´equivalente aux collisions. La vitesse peut ^etredoubl´ee par l'usage d'un module sp´ecial,la s´ecurit´ede la fonction modifi´eeest jus- tifi´eeuniquement par la difficult´edes k-sommes multiplicatives modulo une puissance de deux. Nos efforts culminent en une nouvelle fonction de k-sommes multiplica- tives, qui g´en´eraliseencore plus loin le design de Very Smooth Hash. Contrai- rement aux variantes ant´erieures,la consommation m´emoire de la nouvelle fonction est n´egligeable.L'instance la plus rapide de la fonction est sup- pos´eeoffrir une r´esistance`ala collision sur 128 bits en 24 cycles par byte sur un processeur Intel Core i7, et s'approche de la valeur de 17.4 offerte par SHA-256. Les nouvelles fonctions propos´eesdans cette th`esen'atteignent pas de propri´et´esde s´ecurit´ehabituelles telles la r´esistance`ala pr´e-imageou `a la collision, prouvables `apartir d'une supposition largement ´etablie.Elles b´en´eficient cependant d'une s´eparationinconditionnelle et prouvable des entr´eesen collision. Des changements dans l'entr´ee,de petite taille par rap- port `aune mesure bien d´efinie,sont garantis de ne jamais produire le m^eme r´esultat`atravers la fonction de compression. Mots-cl´es: cryptographie, fonctions de hachage, s´ecurit´eprouvable, pro- bl`emedes anniversaires g´en´eralis´e,cryptosyst`emesdu sac `ados Abstract We consider several \provably secure" hash functions that compute sim- ple sums in a well chosen group (G; ∗). Security properties of such func- tions provably translate in a natural way to computational problems in G that are simple to define and possibly also hard to solve. Given k disjoint lists Li of group elements, the k-sum problem asks for gi 2 Li such that g1 ∗ g2 ∗ ::: ∗ gk = 1G. Hardness of the problem in the respective groups fol- lows from some \standard" assumptions used in public-key cryptology such as hardness of integer factoring, discrete logarithms, lattice reduction and syndrome decoding. We point out evidence that the k-sum problem may even be harder than the above problems. Two hash functions based on the group k-sum problem, SWIFFTX and FSB, were submitted to NIST as candidates for the future SHA-3 standard. Both submissions were supported by some sort of a security proof. We show that the assessment of security levels provided in the proposals is not related to the proofs included. The main claims on security are supported exclusively by considerations about available attacks. By introducing \second-order" bounds on bounds on security, we expose the limits of such an approach to provable security. A problem with the way security is quantified does not necessarily mean a problem with security itself. Although FSB does have a history of failures, recent versions of the two above functions have resisted cryptanalytic efforts well. This evidence, as well as the several connections to more standard problems, suggests that the k-sum problem in some groups may be con- sidered hard on its own and possibly lead to provable bounds on security. Complexity of the non-trivial tree algorithm is becoming a standard tool for measuring the associated hardness. We propose modifications to the multiplicative Very Smooth Hash and derive security from multiplicative k-sums in contrast to the original reduc- tions that related to factoring or discrete logarithms. Although the original vii viii reductions remain valid, we measure security in a new, more aggressive way. This allows us to relax the parameters and hash faster. We obtain a function that is only three times slower compared to SHA-256 and is estimated to of- fer at least equivalent collision resistance. The speed can be doubled by the use of a special modulus, such a modified function is supported exclusively by the hardness of multiplicative k-sums modulo a power of two. Our efforts culminate in a new multiplicative k-sum function in finite fields that further generalizes the design of Very Smooth Hash. In contrast to the previous variants, the memory requirements of the new function are negligible. The fastest instance of the function expected to offer 128-bit collision resistance runs at 24 cycles per byte on an Intel Core i7 processor and approaches the 17.4 figure of SHA-256. The new functions proposed in this thesis do not provably achieve a usual security property such as preimage or collision resistance from a well- established assumption. They do however enjoy unconditional provable sep- aration of inputs that collide. Changes in input that are small with respect to a well defined measure never lead to identical output in the compression function. Keywords: cryptography, hash functions, provable security, generalized birthday problem, knapsack cryptosystems Acknowledgements First and foremost I wish to thank Arjen Lenstra for the supervision during the four years I spent working in his laboratory. Thank you for all the invaluable advice and support, for the freedom and for the ideal working conditions I found here. It was the most pleasant experience imaginable. I appreciate the many insightful comments on this thesis provided by the members of the jury. Thank you very much for all the work involved. Several people provided me with useful feedback at various stages of my research. Special thanks in particular to Joppe Bos, Scott Contini, Dimitar Jetchev, Thorsten Kleinjung, Onur Ozen,¨ Kenny Paterson, Martijn Stam and Ron Steinfeld. I would like to thank all my friends and colleagues from LACAL and beyond for the help I received during my stay and for the usual pleasant atmosphere I especially enjoyed at EPFL. I am happy to have worked in this community. I appreciate the help Maxime Augier provided with the French text within this thesis. Many thanks to Monique Amhof for all the administrative work as well as for the help in matters unrelated to EPFL. I am grateful to my family for the continuous support and encourage- ment. This thesis is dedicated to my wife. I would not have succeeded without you. This work was supported by a grant of the Swiss National Science Founda- tion number 200021-116712. ix Contents 1 Introduction 1 1.1 Hash Functions and Applications . .1 1.2 Classical Hash Functions . .2 1.3 The Future Standard . .3 1.4 Hash Functions and Provable Security .
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages131 Page
-
File Size-