MATH 470 Lecture 20

« previous | Tuesday, April 2, 2013 | next »

Provably Good Hash Function

Why do we care about hash functions?

• Vital for signatures (sign a message digest instead of the whole message)
• message padding
• Error-checking

Chaum, Van Hiejst, Pfitzman, 1992:

Following construction is strongly-collision-resistant, assuming discrete log is hard:

1. Find large prime ${\displaystyle p}$ with ${\displaystyle q={\tfrac {p-1}{2}}}$ also prime.
   • in practice, pick ${\displaystyle q}$ and then check if ${\displaystyle p=2q+1}$ is prime
   • easy via Prime Number Theorem and assumption of randomness of primes: for 100-digit number, there are approx. ${\displaystyle {\tfrac {10^{100}}{\log {10^{100}}}}}$ primes in ${\displaystyle \{1,\ldots ,10^{100}\}}$.
2. Pick 2 (distinct) generators ${\displaystyle \alpha }$ and ${\displaystyle \beta }$ for ${\displaystyle \left(\mathbb {Z} /p\mathbb {Z} \right)^{*}}$
3. ${\displaystyle H:\mathbb {Z} /q^{2}\mathbb {Z} \to \left(\mathbb {Z} /p\mathbb {Z} \right)^{*}}$ is defined by ${\displaystyle H(x)=\alpha ^{x_{0}}\,\beta ^{x_{1}}{\pmod {p}}}$, where ${\displaystyle x=(x_{1},x_{0})_{q}}$ are the base-${\displaystyle q}$ numbers of ${\displaystyle x}$
   • Converting from ${\displaystyle 2\log _{10}{q}}$ digits to ${\displaystyle \log _{10}{p}=\log _{10}{q}+C}$ digits.

good

"provably good"

bad

Too inefficient for practical applications

Only halves the number of digits

ugly

In practice, a simpler (Ad-Hoc) construction is used: SHA-1

Proof

Proposition. ${\displaystyle H}$ is (2) pre-image resistant and (3) strongly-collision-resistant.

Proof. Let's prove (3) first.

Assumptions:

• discrete logarithm is not computable in polynomial time.
• we can find ${\displaystyle x,x'\in \mathbb {Z} /q^{2}\mathbb {Z} }$ with ${\displaystyle H(x)=H(x')}$ in polynomial time.

If we find such ${\displaystyle x}$ and ${\displaystyle x'}$, then we have

${\displaystyle {\begin{aligned}x&=x_{0}+x_{1}\,q\\x'&=x_{0}'+x_{1}'\,q\end{aligned}}}$

and

${\displaystyle \alpha ^{x_{0}}\,\beta ^{x_{1}}\equiv \alpha ^{x_{0}'}\,\beta ^{x_{1}'}{\pmod {p}}}$

Now since ${\displaystyle \alpha }$ is a generator for ${\displaystyle \left(\mathbb {Z} /p\mathbb {Z} \right)^{*}}$, ${\displaystyle \beta =\alpha ^{a}}$ for some ${\displaystyle a}$ we don't know.

In fact, ${\displaystyle a}$ is the discrete log of ${\displaystyle \beta }$ to the base ${\displaystyle \alpha }$, mod ${\displaystyle p}$.

Therefore

${\displaystyle {\begin{aligned}\alpha ^{x_{0}}\,\alpha ^{a\,x_{1}}&=\alpha ^{x_{0}'}\,\alpha ^{a\,x_{1}'}{\pmod {p}}\\\alpha ^{a(x_{1}-x_{1}')}&=\alpha ^{x_{0}'-x_{0}}{\pmod {p}}\\a(x_{1}-x_{1}')&=x_{0}'-x_{0}{\pmod {p-1}}\end{aligned}}}$

This congruence has a solution for ${\displaystyle a}$ iff ${\displaystyle \mathrm {GCD} (x_{1}-x_{1}',p-1)\mid (x_{0}'-x_{0})}$.

So what can that GCD be?

${\displaystyle x_{1},x_{1}'\in \{0,\ldots ,q-1\}}$ by construction, so ${\displaystyle -(q-1)\leq x_{1}-x_{1}'\leq q-1}$

Also, ${\displaystyle p-1=2q}$, so the GCD is either 1 or 2, ${\displaystyle q}$, or ${\displaystyle 2q}$. ${\displaystyle q}$ and ${\displaystyle 2q}$ are too big, so only 1 and 2 remain.

Solution can now be found in poly time: Just try solutions!

${\displaystyle {\begin{aligned}\alpha ^{a_{1}}&=^{?}\beta \\\alpha ^{a_{2}}&=^{?}\beta \end{aligned}}}$

We've just found the discrete log!

Now if ${\displaystyle x_{1}'=x_{1}}$ then ${\displaystyle x_{0}=x_{0}'}$ and ${\displaystyle x=x'}$. CONTRADICTION!

Therefore, if ${\displaystyle H}$ is not strongly-collision-resistant, then the discrete logarithm must be easy!

(2) is easy to prove, but we'll get to that later.

Pseudo-Random Generators

"Something even more fundamental"

Polynomial Congruential

One of Simplest PRGs: Linear congruential:

${\displaystyle {\begin{aligned}x_{0}&=seed\in \{0,m-1\}\\x_{n+1}&=a\,x_{n}+b{\pmod {m}}\quad a,b\in \left(\mathbb {Z} /m\mathbb {Z} \right)\end{aligned}}}$

This "smells" random, but is terribly insecure: If you can find 3 consecutive ${\displaystyle x_{i}}$s, then you can easily find ${\displaystyle a}$ and ${\displaystyle b}$:

${\displaystyle {\begin{aligned}x_{i}&=a\,x_{i-1}+b\\x_{i+1}&=a\,x_{i}+b\end{aligned}}}$

Linear system is solvable given ${\displaystyle x_{i-1}\not \equiv x_{i}{\pmod {m}}}$

In fact, any polynomial congruential generators are insecure due to predictability.

Blum-Blum-Shub Random Bit Generator

More Sophisticated:

1. Pick large primes ${\displaystyle p}$ and ${\displaystyle q}$ with ${\displaystyle p\equiv q\equiv 3{\pmod {p}}}$, let ${\displaystyle n=pq}$, and pick a random ^[1] ${\displaystyle x\in \left(\mathbb {Z} /n\mathbb {Z} \right)^{*}}$ Let seed be ${\displaystyle x_{0}=x^{2}{\pmod {n}}}$
2. </math>x_{n+1} = x_n^2 \pmod{n}</math> Return ${\displaystyle b_{n}}$ be the last bit of ${\displaystyle x_{n}}$.

Theorem

Assume computing Jacobi symbol ${\displaystyle \left({\frac {u}{n}}\right)}$ is not doable in polynomial time. Then the BBS Bit Generator is indistinguishable from a truly random bit stream, by any polynomial time algorithm.

Random numbers have certain properties according to probability

Elliptic Curves

Elliptic Curve Cryptography (ECC) is already being used in smart cards in Europe as an extra layer of security.

Using RSA, high security implies huge keys and slow computation

ECC allows "high security" using 300-bit keys (maybe equiv 4000-bit RSA key)

Idea: work with a more general "group" than ${\displaystyle \left(\mathbb {Z} /p\mathbb {Z} \right)^{*}}$ or ${\displaystyle \left(\mathbb {Z} /pq\mathbb {Z} \right)^{*}}$. Instead, ECC uses points on a curve over a finite field.

Footnotes