Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Generic attacks Hash Functions With Proofs of Security For H : {0, 1}∗ →{0, 1}n and h : {0, 1}m →{0, 1}n, m > n attack rough complexity Lars R. Knudsen √ collisions 2n =2n/2 2nd preimages 2n preimage 2n April 21, 2008 Goal: generic attacks are best (known) attacks 1/30 3/30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Number-theoretic, difficult problems 1 Introduction Factoring: given N = pq, find p and q, where p, q big, (odd) prime numbers, p = q 2 Based on number-theoretic problems Recommended that N ≥ 21024 forhighlevelofsecurity 3 VSH A 1024-bit N: 1350664108659952233496032162788059699388814756056670 4 Dakota 2752448514385152651060485953383394028715057190944179 8207282164471551373680419703964191743046496589274256 2393410208643832021103729587257623585096431105640735 0150818751067659462920556368552947521350085287941637 7328533906109750544334999811150056977236890927563 2/30 4/30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Number-theoretic, difficult problems (2) Hash based on discrete log (Pfitzmann, Van Heijst) Discrete logarithm: p−1 Public primes: p, q = 2 ,s.t.DLP(p)ishard given β = αa mod p, find a, Public primitive elements of Zp: α, β (randomly chosen) ∗ where p prime, a chosen random from Zp−1, α ∈ Zp ∗ h : Zq × Zq → Z primitive p Recommended that p > 21024 forhighlevelofsecurity h(x, y)=αx βy mod p But not all instances of these problems are hard, e.g., if p q, then factoring N = pq is easy if p − 1 has only small prime factores then finding discrete logs Find a collision for h ⇒ compute logα(β) modulo p is easy 5/30 7/30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Hash based on factoring (Shamir) Number-theoretic hash functions N = pq, p = q,largeoddprimes,α fixed, large order mod N. Public: N,α most schemes slow, e.g., no real speed-up for use in digital ∗ ∗ H : {0, 1} → ZN signature schemes some schemes have unfortunate algebraic properties H(x)=αx mod N (may interact badly with other public-key algorithms) open problem to devise efficient “provably” secure hash function Collision: H(x)=H(x) ⇒ x − x = kφ(N). With N = pq and φ(N)=(p − 1)(q − 1) easy to find p and q 6/30 8/30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Newer constructions Example. Dixon’s algorithm with n =4189 √ 4189 64.7 VSH-VerySmoothHash Use the factor base B = {−1, 2, 3, 5, 7, 11, 13} Contini, Lenstra, Steinfeld, 2005 2 2 xj mod n factorisation of xj aj collision ⇒ nontrivial modular square roots of very smooth 2 2 numbers modulo N (composite) 58 mod n −1 · 3 · 5 · 11 (1, 0, 1, 0, 0, 1, 0) 612 mod n −1 · 22 · 32 · 13 (1, 0, 0, 0, 0, 0, 1) efficient collision finder implies fast factoring algorithm 672 mod n 22 · 3 · 52 (0, 0, 1, 0, 0, 0, 0) LASH - A Lattice Based Hash Function 692 mod n 22 · 11 · 13 (0, 0, 0, 0, 0, 1, 1) Bentahar, Page, Saarinen, Silverman, Smart 2006 742 mod n 32 · 11 · 13 (0, 0, 0, 0, 0, 1, 1) based on the problem of finding small vectors in lattices gcd(58 · 61 · 67 · 69 + ((23) · (32) · (52) · 11 · 13), n)=n; gcd(58 · 61 · 67 · 74 + ((22) · (33) · (52) · 11 · 13), n) = 59; 9/30 11 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Factoring - Equal squares Quadratic and number field sieves ∗ Let n = pq, p = q, odd primes. Let x ∈ Zn 4squarerootsofx2 mod n are x, −x, y, −y mod n where Quadratic sieve, advanced variant of Dixon’s algorithm x = ±y mod n Number field sieve(NFS), advanced variant of quadratic sieve mod n mod p mod q NFS currently best known algorithm for factoring large RSA xzw moduli − − − x z w (0.96+O(1))(ln n)1/3(ln ln n)2/3 yz−w Size of factor base: e − − 1/3 2/3 y zw Running time: e(1.923+O(1))(ln n) (ln ln n) 1/3 2/3 Notation: L[n,α]=e(α+O(1))(ln n) (ln ln n) gcd(x + y, n)=q, gcd(x − y, n)=p, 2 2 1 Find (random) a, b s.t. a = b mod n,factorn with prob. 2 10 / 30 12 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota VSH - iterated hash function VSH - security, speed Let N = pq be a public RSA modulus (p = q,bothsecret) Consider VSH with 1024-bit n, which allows for k = 131 k Let p1,...,pk be public primes such that pi < N i=1 Then assumptions imply ⇒ Let m = m1, m2,...,mk be message, mi ∈{0, 1} a collision for VSH a solution to VSSR x0 =1 a solution to VSSR as hard as factoring an 840-bit modulus 2 m1 m2 ··· mk x1 = x0 (p1 p2 pk )modN Implementation: 2 k mjk+i - 3 modular mult’s per k bits xj+1 = xj i=1 pi mod N - speed-up from precomputation Hash(m) = x 13 / 30 15 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Security of VSH VSH - problems (?) VSSR Problem. Let n = pq be a public RSA modulus (p, q c ∗ secret). Let k ≤ (log n) .Findx ∈ Zn such k Algebraic properties, e.g., easy to find messages with hash 2 ei x ≡ pi mod n, values h and 2h i=0 Easy to invert hash for messages of small length where at least one ei is odd. VSH has multiplicative property (Saarinen 2006): VSSR Assumption: The VSSR Problem is hard. ∨ , Computational VSSR Assumption: H(z)H(a b)=H(a)H(b)modn Solving VSSR for n is as hard as to factor an S-bit modulus, where for z the all-zero bit string, a ∧ b = z,and|z| = |a| = |b|. S is least positive integer satisfying L[n, 1.923] Someone must choose n such that p, q remain secret L[2S , 1.923] ≥ . k ,α (α+O(1))(ln n)1/3(ln ln n)2/3 L[n ]=e 14 / 30 16 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota VSH - defense Based on factoring (Goldwasser, Micali, Rivest) Designers of VSH only aim for collision-resistance. N = pq, p = q, large primes, a0, a1 random squares modulo N VSH not to be used as replacement for random oracle nor Public: N, a0, a1 SHA-1 “random oracles do not exist in the real world, and therefore relying ∗ ∗ h : {0, 1}×ZN → ZN on them too much is not recommended” Potential use in schemes which require only 2 h(b, y)=ab y mod N collision-resistance, example, Cramer-Shoup signatures, which relies on strong RSA assumption and collision-resistant hash function Collision gives x, x such that x2 = x2 mod N → factoring One of the best attempts to build hash function on ,..., number-theoretic problem so far.. More efficient variants with more squares a0 ak ,Damg˚ard 17 / 30 19 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota DaKoTa Getting to Dakota n = pq, p = q, large primes, p ≡ q ≡ 3mod4 DaKoTa, a hash function co-designed by Damg˚ard, Ivan B. Public: n, f Knudsen, Lars R. h : {0, 1}×SQ(n) → SQ(n) Thomsen, Søren S. Uses combination of modular arithmetic and symmetric crypto f : {0, 1}→SQ(n) h(b, y)=f (b) y 2 mod n 18 / 30 20 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Getting closer to Dakota Arriving at Dakota n = pq, p = q, large primes, p ≡ q ≡ 3mod4 n = pq, p = q, large primes, p ≡ q ≡ 3mod4 Public: n, f Public: n, f h : {0, 1}k × SQ(n) → SQ(n) h : {0, 1}k × SQ(n) → SQ(n) k k f : {0, 1} → SQ(n) f : {0, 1} → Zn h(x, y)=f (x) y 2 mod n h(x, y)=(f (x) y)2 mod n 21 / 30 23 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Getting even closer to Dakota Dakota- an iterated hash function n = pq, p ≡ q ≡ 3mod4, public: n, f k k h : {0, 1} × SQ(n) → SQ(n) f : {0, 1} → Zn n = pq, p = q, large primes, p ≡ q ≡ 3mod4 h(x, y)=(f (x) y)2 mod n Public: n, f ∗ 2 Choose r ∈ Zn,lets = r mod n h : {0, 1}k × SQ(n) → SQ(n) Split padded message x into k-bit words, x1,...,xt k f : {0, 1} → Zn Set y0 = s, then compute 2 2 2 h(x, y)=f (x) y mod n yi = h(xi , yi−1)=(f (xi )y) mod n Hash of x is then yt . 22 / 30 24 / 30 Introduction Based on number-theoretic problems VSH Dakota Introduction Based on number-theoretic problems VSH Dakota Dakota- an iterated hash function Dakota-Proposal1forf h(x, y)=(f (x)y)2 mod n h(x, y)=(f (x)y)2 mod n k f : {0, 1} → Zn Assumption Consider probabilistic polynomial time algorithm with input f , n, Let n and n be 1025-bit resp.