hash functions

Hash functions and collisions
family of hash functions H = { h }
∈ { }
s
s
s s 0,1 n
{ } → { }
* n
h : 0,1 0,1
or
l
{ } → { }
h : 0,1
n
0,1 , l>n,
(fixed length hash functions)
h s must be efficiently computable.
SS 2007
Cryptographic Protocols
1. Hash functions
1

Hash functions and collisions
family of hash functions H = { h }
∈ { }
s
s
s s 0,1 n
{ } → { }
* n
h : 0,1 0,1
or
l
{ } → { }
h : 0,1
n
0,1 , l>n,
(fixed length hash functions)
h s must be efficiently computable.
collision
( x,y) ∈{ 0,1 } * or ( x,y) ∈ { 0,1 } l
with h ( x) = h ( y)
s
s
SS 2007
Cryptographic Protocols
1. Hash functions
2

Collision-resistance
Definition 1.1 The family of hash functions
H = { h } { }
n
s s ∈ 0,1
is called (t,ε)-collision resistant if all probabilistic algorithms
A running for at most t steps satisfy
( ( ) ( ) ( ) ( ) )
Pr s ← U , x,y ← A s : h x = h y ,x ≠ y < ε.
n s s
SS 2007
Cryptographic Protocols
1. Hash functions
3

One-way function family
Definition 1.2 The family of fixed length hash functions
l
{ } { }
{ } { }
H = h n ,h : 0,1 → 0,1 , is called (t,ε)-one-way,
s
s∈
0,1
s
if all probabilistic algorithms A running for at most t steps
satisfy
( n l ( s ( )) s ( ) s ( ))
Pr s ← U , x ← U, x' ← A s,h x : h x' = h x < ε.
n
one-way=preimage-resistant
SS 2007
Cryptographic Protocols
1. Hash functions
4

One-way vs. collision-resistance
Theorem 1.3 Assume the family of fixed length hash functions
l
{ } { }
{ } { }
H = h n ,h : 0,1 → 0,1 , is (t,ε)-collision-resistant,
s
s∈
0,1
s
then H is (t-cl,2ε+ρ(H))-one-way for some fixed constant c.
n
Here
−1
( ) ( ) ( )
( )
n l s s
ρ H : = Pr s ← U ,x ← U,z ← h x : h z = 1 .
SS 2007
Cryptographic Protocols
1. Hash functions
5

Second-preimage-resistance
Definition 1.4 The family of fixed length hash functions
l
{ } { }
{ } { }
s
s∈
0,1
s
H = h n ,h : 0,1 → 0,1 , is called (t,ε)-secondpreimage-resistant,
if all probabilistic algorithms A running
for at most t steps satisfy
n
( ( ))
⎛s ← U
n, x1 ← U;
l
x2 ← A s,hs x
1
: ⎞
Pr < ε.
⎜
hs ( x1) hs ( x
2 ), x1 x ⎟
⎝
= ≠
2 ⎠
SS 2007
Cryptographic Protocols
1. Hash functions
6

Collisions vs. 2nd-preimages
Theorem 1.5 Assume the family of fixed length hash functions
l
{ } { }
{ } { }
H = h n ,h : 0,1 → 0,1 , is (t,ε)-collision-resistant,
s
s∈
0,1
s
then H is (t,ε)-second-preimage-resistant.
n
SS 2007
Cryptographic Protocols
1. Hash functions
7

One-way vs. 2nd-preimage-resistance
Theorem 1.6 Assume the family of fixed length hash functions
l
{ } { }
{ } { }
s
s∈
0,1
s
H = h n ,h : 0,1 → 0,1 , is (t,ε)-2nd-preimageresistant,
then H is (t-cl,2ε+ρ(H))-one-way for some fixed
constant c.
n
SS 2007
Cryptographic Protocols
1. Hash functions
8

From 2nd-preimages to collisions
Algorithm A computes 2nd-preimages.
Algorithm B on input s∈{0,1} n , z=h s (x 1 ) with x 1 ∈{0,1} l :
1. Set x 2 ←A(s,z). If A does not return an element
x 2 ∈{0,1} l , return failure.
2. If x 1 ≠x 2 , return (x 1 ,x 2 ), else return failure.
SS 2007
Cryptographic Protocols
1. Hash functions
9

From preimages to 2nd-preimages
Algorithm A computes preimages.
Algorithm B on input s∈{0,1} n :
1. Choose x 1 ←U l and compute z←h s (x 1 ).
2. Set x 2 ←A(s,z). If A does not return an element
x 2 ∈{0,1} l , return failure.
3. If x 1 ≠x 2 , return (x 1 ,x 2 ), else return failure.
SS 2007
Cryptographic Protocols
1. Hash functions
10

One-way vs. collision-resistance
Corollary 1.7 Assume the family of fixed length hash functions
l
{ } { }
{ } { }
H = h n ,h : 0,1 → 0,1 , is (t,ε)-collision-resistant,
s
s∈
0,1
s
then H is (t-cl,2ε+2 n-l )-one-way for some fixed constant c.
n
SS 2007
Cryptographic Protocols
1. Hash functions
11

One-way vs. collision-resistance
Definition 1.8 The family of fixed length hash functions
l
{ } { }
n { } { }
H = h ,h : 0,1 → 0,1 , l>n,
s
s∈
0,1
s
n
is called regular,
if |h s (x)|=2 l-n for all s ∈{0,1} n and all x ∈{0,1} l
Corollary 1.9 Assume the regular family of hash functions
l
{ } { }
{ } { }
H = h n ,h : 0,1 → 0,1 , is (t,ε)-collision-resistant,
s
s∈
0,1
s
then H is (t-cl,2ε)-one-way for some fixed constant c.
n
SS 2007
Cryptographic Protocols
1. Hash functions
12