
Showing papers on "Collision resistance" published in 2022


Book ChapterDOI
TL;DR: In this article, the collapsing property of hash functions is investigated as an enhancement of quantum collision-resistance, and the gap between these two properties is shown to be sensitive to the size of preimages.
Abstract: As an enhancement of quantum collision-resistance, the collapsing property of hash functions proposed by Unruh (EUROCRYPT 2016) emphasizes the hardness of distinguishing a superposition state of a hash value from a collapsed one. The collapsing property trivially implies quantum collision-resistance. However, it remains unknown whether there is a reduction from collapsing hash functions to quantum collision-resistant hash functions. In this paper, we further study the relations between these two properties and derive two intriguing results as follows: Our results indicate that the gap between these two properties is sensitive to the size of preimages. As a corollary, our results also reveal the non-existence of polynomially bounded equivocal collision-resistant hash functions.

6 citations


Book ChapterDOI
TL;DR: In this paper, a non-constructive transformation of a t-way multi-collision-resistant hash function (t-MCRH) into an (infinitely often secure) collision-resistant hash function is shown.
Abstract: Collision-resistant hash functions (\(\textsf{CRH}\)) are a fundamental and ubiquitous cryptographic primitive. Several recent works have studied a relaxation of \(\textsf{CRH}\) called t-way multi-collision-resistant hash functions (\(t\text {-}\textsf{MCRH}\)). These are families of functions for which it is computationally hard to find a t-way collision, even though such collisions are abundant (and even \((t-1)\)-way collisions may be easy to find). The case of \(t=2\) corresponds to standard \(\textsf{CRH}\), but it is natural to study t-\(\textsf{MCRH}\) for larger values of t. Multi-collision-resistance seems to be a qualitatively weaker property than standard collision-resistance. Nevertheless, in this work we show a non-black-box transformation of any moderately shrinking t-\(\textsf{MCRH}\), for \(t \in \{3,4\}\), into an (infinitely often secure) \(\textsf{CRH}\). This transformation is non-constructive: we can prove the existence of a \(\textsf{CRH}\) but cannot explicitly point out a construction. Our result partially extends to larger values of t. In particular, we show that for suitable values of \(t>t'\), we can transform a t-\(\textsf{MCRH}\) into a \(t'\)-\(\textsf{MCRH}\), at the cost of reducing the shrinkage of the resulting hash function family and settling for infinitely often security. This result utilizes the list-decodability properties of Reed-Solomon codes.

4 citations


Book ChapterDOI
TL;DR: In this paper, the authors derive an improved and tight preimage security bound for the cryptographic sponge construction, which implies that, as long as the attack complexity does not exceed this bound, the sponge construction achieves a level of collision, preimage, and second preimage resistance comparable to a random oracle.
Abstract: The cryptographic sponge is a popular method for hash function design. The construction is proven, in the ideal permutation model, to be indifferentiable from a random oracle up to the birthday bound in the capacity of the sponge. This result in particular implies that, as long as the attack complexity does not exceed this bound, the sponge construction achieves a level of collision, preimage, and second preimage resistance comparable to a random oracle. We investigate these state-of-the-art bounds in detail, and observe that while the collision and second preimage security bounds are tight, the preimage bound is not tight. We derive an improved and tight preimage security bound for the cryptographic sponge construction. The result has direct implications for various lightweight cryptographic hash functions. For example, the NIST Lightweight Cryptography finalist Ascon-Hash does not generically achieve $2^{128}$ preimage security as claimed, but even $2^{192}$ preimage security. Comparable improvements are obtained for the modes of Spongent, PHOTON, ACE, Subterranean 2.0, and QUARK, among others.

3 citations



Journal ArticleDOI
TL;DR: Simulation and analysis indicate that the proposed quantum hash function (QHF) can satisfy the same security requirements such as sensitivity, diffusion and confusion, collision, birthday attack, but the collision rate is reduced by 40% without reducing effectiveness.
Abstract: The proposed quantum hash function (QHF) based on the discrete-time quantum walk (DTQW) structure requires enlarging the coin state space and the preparation of continuous quantum states is less difficult. Hence, a new construction method of QHF is proposed based on the continuous-time quantum walk (CTQW) of the one-dimensional (1D) lattice with boundary constraints and without additional coin space. In the scheme, the input of the QHF is an arbitrary binary string message which is used to control the selected Hamiltonian of CTQW at each time interval, and the output of the QHF is the final probability distribution of CTQW. Under the same computing environment, simulation and analysis indicate that our QHF can satisfy the same security requirements such as sensitivity, diffusion and confusion, collision, birthday attack, but the collision rate is reduced by 40% without reducing effectiveness.

1 citation



Journal ArticleDOI
TL;DR: In this paper, a keyed hash function based on the farfalle construction and chaotic neural networks (CNNs) is proposed, which generates a hash value with arbitrary (user-defined) length (e.g., 256 and 512 bits).
Abstract: Parallel computing of hash functions along with the security requirements has a great advantage in reducing the time consumption and overhead of the CPU. In this article, a keyed hash function based on the farfalle construction and chaotic neural networks (CNNs) is proposed, which generates a hash value with arbitrary (user-defined) length (e.g., 256 and 512 bits). The proposed hash function has the merit of parallelism because it is built over the farfalle construction, which avoids the dependency between the blocks of a given message. Moreover, the proposed hash function is chaos based (i.e., it relies on chaotic maps and CNNs, which have non-periodic behavior). The security analysis shows that the proposed hash function is robust and satisfies the properties of hash algorithms, such as random-like (non-periodic) behavior, ideal sensitivity to the original message and secret key, the one-way property and optimal diffusion effect. The speed performance of the hash function is also analyzed and compared with a hash function built on the sponge construction and CNNs, and with secure hash algorithm (SHA) variants like SHA-2 and SHA-3. The results show that the proposed hash function has lower time complexity and higher throughput, especially with large messages. Additionally, the proposed hash function has enough resistance to multiple attacks, such as collision attack, birthday attack, exhaustive key search attack, preimage and second preimage attacks, and meet-in-the-middle attack. These advantages make it ideal to be used as a good collision-resistant hash function.

1 citation




Book ChapterDOI
01 Jan 2022
TL;DR: In this article, the authors analyzed the hash functions used in EDS and found that most modern hash functions and algorithms are based on elliptic curves over a field, and that the probability of breaking the hash by the "breaking the resistance to collisions" method is much lower than by the method of "breaking the strong resistance to collisions".
Abstract: This article analyzes the standards, algorithms, and hash functions used in electronic digital signature (EDS). It is determined that most of the modern hash functions and algorithms used in EDS schemes are based on elliptic curves over a field. Some of the causes of collisions, and methods and algorithms for hash attacks, are covered in the article. A mathematical apparatus for estimating the probability of breaking hash functions based on the "birthday paradox" is formed. The results of the probability of breaking for hash functions used in EDS were obtained. It is confirmed that, for the same hash length, the probability of breaking the hash by the "breaking the resistance to collisions" method is much lower than by the method of "breaking the strong resistance to collisions". It has been suggested that it is dangerous to add a key at the beginning or end of a message when working with keyed hash functions.

Journal ArticleDOI
TL;DR: It is shown that even for the most optimal way of constructing chains of differences, the probability of finding correct pairs of texts is less than the probability of a complete enumeration of one 128-bit block of input data, which makes the method of differential cryptanalysis unsuitable for finding collisions.
Abstract: The article examines the new hashing algorithm HBC-256. The HBC-256 algorithm is based on the block cipher of the compression function CF (Compression Function) and produces a 256-bit hash value. Like any new cryptographic structure, the HBC-256 algorithm requires a careful research process in order to confirm its cryptographic properties, namely: pre-image resistance and resistance to collisions of the first and second order. As a result of the research, the differential properties of the nonlinear elements (S-boxes) of the HBC-256 hashing algorithm and various options for constructing round characteristics are considered. A hypothesis has been advanced about the existence of paired differences, which will make it possible to construct round characteristics for hashing and for the round key generation function. It is shown that even for the most optimal way of constructing chains of differences, the probability of finding correct pairs of texts is less than the probability of a complete enumeration of one 128-bit block of input data, which makes the method of differential cryptanalysis unsuitable for finding collisions.

Proceedings ArticleDOI
07 Mar 2022
TL;DR: In this article, a lattice-based collision-resistant hash function was proposed for short message processing, and a chaotic encryption algorithm with variable parameters was applied to improve the avalanche performance of the hash function.
Abstract: A hash function targeted at short message processing is proposed in this paper. Various randomized components are designed based on the introduced ideas of randomization, and a chaotic encryption algorithm with variable parameters is applied to improve the avalanche performance of the hash function. Finally, the LWE problem is introduced into the operation to complete the design of the lattice-based collision-resistant hash function. Meanwhile, relevant experiments are carried out, which demonstrate the satisfactory randomization, collision resistance, and diffusion performance of the hash function proposed in this paper.

Journal ArticleDOI
TL;DR: Different forms of optimality that can be achieved by designing a parallel structure in a hash scheme are discussed. In order to accelerate message diffusion and the avalanche effect, the corresponding iterative structure and compression function are slightly optimized.

Book ChapterDOI
TL;DR: In this article, a keyed Merkle-Damgård hash function satisfying collision resistance and the pseudorandom function property was constructed using a tweakable block cipher in the TWEAKEY framework.
Abstract: This paper presents a method to construct a keyed Merkle-Damgård hash function satisfying collision resistance and the pseudorandom function property using a tweakable block cipher in the TWEAKEY framework. Its compression function adopts a double-block construction to achieve a sufficient level of collision resistance. Not only does the padding of the proposed keyed hash function not employ Merkle-Damgård strengthening, but it is also not injective. Due to this novel feature, the proposed keyed hash function achieves the minimum number of calls to its compression function for any message input. The proposed keyed hash function is shown to be optimally collision-resistant in the ideal cipher model. It is also shown to be a secure pseudorandom function if the underlying tweakable block cipher in the TWEAKEY framework is a secure tweakable pseudorandom permutation in two tweakey strategies.

Posted ContentDOI
25 Aug 2022
TL;DR: In this paper, it is shown that collision resistance is not necessary for a restricted case: a (non-verifiable) remote state preparation of $|x_0\rangle+|x_1\rangle$, usually realized with a 2-to-1 trapdoor collision resistant hash function, can be constructed from classically-secure (full-domain) trapdoor permutations.
Abstract: Assume that Alice can do only classical probabilistic polynomial-time computing while Bob can do quantum polynomial-time computing. Alice and Bob communicate over only classical channels, and finally Bob gets a state $|x_0\rangle+|x_1\rangle$ with some bit strings $x_0$ and $x_1$. Is it possible that Alice can know $\{x_0,x_1\}$ but Bob cannot? Such a task, called {\it remote state preparation}, is indeed possible under some complexity assumptions, and is the basis of many quantum cryptographic primitives such as proofs of quantumness, (classical-client) blind quantum computing, (classical) verification of quantum computing, and quantum money. A typical technique to realize remote state preparation is to use 2-to-1 trapdoor collision resistant hash functions: Alice sends a 2-to-1 trapdoor collision resistant hash function $f$ to Bob, and Bob evaluates it on a superposition and measures the image. Bob's post-measurement state is $|x_0\rangle+|x_1\rangle$, where $f(x_0)=f(x_1)=y$. With the trapdoor, Alice can learn $\{x_0,x_1\}$, but due to the collision resistance, Bob cannot. This advantage of Alice's can be leveraged to realize the quantum cryptographic primitives listed above. It seems that the collision resistance is essential here. In this paper, surprisingly, we show that the collision resistance is not necessary for a restricted case: we show that (non-verifiable) remote state preparation of $|x_0\rangle+|x_1\rangle$ secure against a {\it classical} probabilistic polynomial-time Bob can be constructed from classically-secure (full-domain) trapdoor permutations. Trapdoor permutations are not likely to imply collision resistance, because black-box reductions from collision-resistant hash functions to trapdoor permutations are known to be impossible. As an application of our result, we construct proofs of quantumness from classically-secure (full-domain) trapdoor permutations.

Book ChapterDOI
TL;DR: In this paper, the authors present a study on the implementation-related aspects of the compact variation of the standard CGL hash function using different forms of elliptic curves (Weierstrass, Montgomery, and Legendre), and also compare the running time and the total number of collisions through experiments with the implemented algorithms.
Abstract: Supersingular isogeny-based cryptosystems are considered an attractive candidate for the post-quantum cryptographic world due to their smaller key sizes. Based on the traversal in a supersingular isogeny graph (expander graph), Charles, Goren, and Lauter proposed a cryptographic hash function also known as CGL hash. In this paper, we present our study on the implementation-related aspects of the compact variation of the standard CGL hash function using different forms of elliptic curves (Weierstrass, Montgomery, and Legendre). Moreover, we show that some redundant computations in the original propositions of the CGL hash function can be avoided by utilizing the unique characteristics of the different forms of the elliptic curve. We also compared the running time and the total number of collisions through the experiments with the implemented algorithms.
Keywords: Post-quantum cryptography, Supersingular isogeny, Hash, CGL, Elliptic curves, Weierstrass, Montgomery, Legendre


Posted ContentDOI
27 Oct 2022
TL;DR: Yuan, Tibouchi and Abe (2022) introduced a variant of the subset cover problem, called restricted subset cover, and proposed a quantum algorithm for it; this paper proves a quantum query lower bound for the restricted subset cover problem that essentially matches that algorithm, and analyzes the general $(r,k)$-subset cover problem.
Abstract: The subset cover problem for $k \geq 1$ hash functions, which can be seen as an extension of the collision problem, was introduced in 2002 by Reyzin and Reyzin to analyse the security of their hash-function based signature scheme HORS. The security of many hash-based signature schemes relies on this problem or a variant of this problem (e.g. HORS, SPHINCS, SPHINCS+, $\dots$). Recently, Yuan, Tibouchi and Abe (2022) introduced a variant of the subset cover problem, called restricted subset cover, and proposed a quantum algorithm for this problem. In this work, we prove that any quantum algorithm needs to make $\Omega\left((k+1)^{-\frac{2^{k}}{2^{k+1}-1}}\cdot N^{\frac{2^{k}-1}{2^{k+1}-1}}\right)$ queries to the underlying hash functions with codomain size $N$ to solve the restricted subset cover problem, which essentially matches the query complexity of the algorithm proposed by Yuan, Tibouchi and Abe. We also analyze the security of the general $(r,k)$-subset cover problem, which is the underlying problem that implies the unforgeability of HORS under an $r$-chosen message attack (for $r \geq 1$). We prove that a generic quantum algorithm needs to make $\Omega\left(N^{k/5}\right)$ queries to the underlying hash functions to find a $(1,k)$-subset cover. We also propose a quantum algorithm that finds an $(r,k)$-subset cover making $O\left(N^{k/(2+2r)}\right)$ queries to the $k$ hash functions.


Journal ArticleDOI
TL;DR: In this article, the authors propose a new secure hash function structure inspired by the sponge construction. It is designed to avoid the length extension attack, multi-collision attack, and other vulnerabilities that have been found in many hash functions based on the older Merkle-Damgård construction.
Abstract: This paper presents a new secure hash function structure inspired by the sponge construction for hash functions. It is designed to avoid the length extension attack, multi-collision attack, and other vulnerabilities that have been found in many of the hash functions based on the older Merkle-Damgård construction. The proposed hash function generates a variable-size hash code. It uses three nonlinear functions that generate chaotic maps: Zaslavsky 2D maps, logistic maps, and Henon maps. Other operations include XOR, rotation, multiplication, and addition. The proposed scheme has a high sensitivity to the initial conditions and message, strong and stable diffusion and confusion capabilities, as well as flexibility in terms of hash size and number of rounds.

Book ChapterDOI
TL;DR: In this paper, the authors evaluate the security of Merkle-Damgård (MD) hash functions and their combiners (XOR and concatenation combiners) in quantum settings.
Abstract: In this work, we evaluate the security of Merkle-Damgård (MD) hash functions and their combiners (XOR and concatenation combiners) in quantum settings. Two main quantum scenarios are considered, including the scenario where a substantial amount of cheap quantum random access memory (qRAM) is available and where qRAM is limited and expensive to access. We first convert a rich set of known tools invented for generic attacks in the classical setting to quantum versions. That includes Joux’s multi-collision, expandable message, diamond structure, and interchange structure. With these basic tools in hand, we then present generic quantum attacks on the MD hash functions and hash combiners, and carefully analyze the complexities under both quantum scenarios. The considered securities are fundamental requirements for hash functions, including the resistance against collision, (second-)preimage, and herding attacks. The results are consistent with the conclusions in the classical setting, that is, the considered resistances of the MD hash functions and their combiners are far less than ideal, despite the significant differences in the expected security bounds between the classical and quantum settings. Particularly, the generic attacks can be improved significantly using quantum computers under both scenarios. These results serve as an indication that classical hash constructions require careful security re-evaluation before being deployed to the post-quantum cryptography schemes.

Posted ContentDOI
08 Jul 2022
TL;DR: In this article, the Cayley graphs of higher dimensional special linear groups over finite fields are shown to combine fast mixing properties and high girth, which together give rise to good preimage and collision resistance of the corresponding Tillich-Zémor hash functions.
Abstract: We define new families of Tillich-Zémor hash functions, using higher dimensional special linear groups over finite fields as platforms. The Cayley graphs of these groups combine fast mixing properties and high girth, which together give rise to good preimage and collision resistance of the corresponding hash functions. We justify the claim that the resulting hash functions are post-quantum secure.

Book ChapterDOI
TL;DR: In this article, a lightweight hash function which makes use of cellular automata and sponge functions is proposed, which can be used in resource-constrained environments in a secure and efficient manner.
Abstract: Hash functions serve as the fingerprint of a message. They also serve as an authentication mechanism in many applications. Nowadays, hash functions are widely used in blockchain technology and bitcoins. Today, most of the work concentrates on the design of lightweight hash functions which need minimal hardware and software resources. This paper proposes a lightweight hash function which makes use of Cellular Automata (CA) and sponge functions. This hash function accepts an arbitrary-length message and produces a fixed-size hash digest. An additional property of this function is that the size of the hash digest may be adjusted based on the application because of the inherent variable-length output property of sponge functions. The proposed hash function can be used in resource-constrained environments in a secure and efficient manner. In addition, the function is resistant to all known generic attacks against hash functions and is also preimage resistant, second preimage resistant and collision resistant.
Keywords: Cryptographic hash functions, Cellular automata, Sponge functions, Omega-flip permutation