Collision-resistant Hash Functions Research Articles

Hover: Trustworthy Elections with Hash-Only Verification

Hover (Hash-Only Verification), an end-to-end (E2E) verifiable voting system with distributed trust, uses only a collision-resistant hash function for verification. Such verification could make E2E elections more accessible to people without a strong cryptography background.

Strong accumulators from collision-resistant hashing

Accumulator schemes were introduced in order to represent a large set of values as one short value called the accumulator. These schemes allow one to generate membership proofs, that is, short witnesses that a certain value belongs to the set. In universal accumulator schemes, efficient proofs of non-membership can also be created. Li et al. (Proceedings of applied cryptography and network security--ACNS '07, LNCS, vol 4521, 2007), building on the work of Camenisch and Lysyanskaya (Advances in cryptology--proceedings of Crypto '02, LNCS, vol 2442. Springer, Berlin, pp 61---76, 2002), proposed an efficient accumulator scheme, which relies on a trusted accumulator manager. Specifically, a manager that correctly performs accumulator updates. In this work, we introduce the notion of strong universal accumulator schemes, which are similar in functionality to universal accumulator schemes, but do not assume the accumulator manager is trusted. We also formalize the security requirements for such schemes. We then give a simple construction of a strong universal accumulator scheme, which is provably secure under the assumption that collision-resistant hash functions exist. The weaker requirement on the accumulator manager comes at a price; our scheme is less efficient than known universal accumulator schemes--the size of (non)membership witnesses is logarithmic in the size of the accumulated set in contrast to constant in the scheme of Camenisch and Lysyanskaya. Finally, we show how to use strong universal accumulators to solve a problem of practical relevance, the so-called e-Invoice Factoring Problem.

Anonymous overlay network supporting authenticated routing

Typical anonymous networks mainly focus on providing strong anonymity at the price of having lower bandwidth, higher latency and degraded usability with limited routing support. They also often anonymize only a few specific applications. In this paper, we propose a new approach of constructing an anonymous network by building an overlay network atop a conventional IP network. The overlay network decouples the actual IP addresses of nodes and the virtual addresses that the nodes are using in actual applications. To do so, we use virtual addresses to anonymize the hosts and the physical IP address for efficient routing. The virtual addresses can also be dynamic for enhancing the nodes’ anonymity further. This approach also allows the network to support almost any application running on it. Together with a new anonymous routing protocol, our simulation results show that the expected latency of our proposed anonymous system can be reduced by up to 50% compared to existing systems.We also propose a suite of authentication methods which can be applied to the anonymous routing protocol we propose for preventing any malicious path cost reduction. Traditional routing protocols leak network topology information to nodes while existing anonymous routing protocols do not provide authentication for routing information. A malicious node can arbitrarily reduce the path cost value carried in an anonymous route announcement message for the purpose of negatively influencing routing efficiency or facilitating the launch of various attacks such as eavesdropping or man-in-the-middle attacks. We propose three generic schemes and several concrete instantiations to transform an anonymous routing protocol into an authenticated one which not only prevents path cost reduction attacks but also maintains anonymity. These schemes are based on three different primitives, namely one-way trapdoor functions, digital signature schemes and collision-resistant hash functions.

Two-party key establishment: From passive to active security without introducing new assumptions

Abstract. Key establishment protocols based on hardness assumptions, such as the discrete logarithm problem and the integer factorization problem, are vulnerable to quantum computer attacks, whereas the protocols based on other hardness assumptions, such as the conjugacy search problem and the decomposition search problem, can resist such attacks. The existing protocols based on the hardness assumptions which can resist quantum computer attacks are only passively secure. Compilers are used to convert a passively secure protocol to an actively secure protocol. Compilers involve some tools such as a signature scheme and a collision-resistant hash function. If there are only passively secure protocols but not a signature scheme based on the same assumption, then the application of existing compilers requires the use of such tools based on different assumptions. But the introduction of new tools, based on different assumptions, makes the new actively secure protocol rely on more than one hardness assumption. We offer an approach to derive an actively secure two-party protocol from a passively secure two-party protocol without introducing further hardness assumptions. This serves as a useful formal tool to transform any basic algebraic method of public key cryptography to the real world applicable cryptographic scheme.

Collision Resistance of Hash Functions in a Weak Ideal Cipher Model

This article discusses the provable security of block-cipher-based hash functions. It introduces a new model called a weak ideal cipher model. In this model, an adversary is allowed to make key-disclosure queries to the oracle as well as encryption and decryption queries. A key-disclosure query is a pair of a plaintext and a ciphertext, and the reply is a corresponding key. Thus, in this model, a block cipher is random but completely insecure as a block cipher. It is shown that collision resistant hash functions can be constructed even in this weak model.

Collision-resistant hash function based on composition of functions

A cryptographic hash function is a deterministic procedure that compresses an arbitrary block of numerical data and returns a fixed-size bit string. There exists many hash functions: MD5, HAVAL, SHA, ... It was reported that these hash functions are no longer secure. Our work is focused on the construction of a new hash function based on composition of functions. The construction used the NP-completeness of Three-dimensional contingency tables and the relaxation of the constraint that a hash function should also be a compression function. Une fonction de hachage cryptographique est une procédure déterministe qui compresse un ensemble de données numériques de taille arbitraire en une chaîne de bits de taille fixe. Il existe plusieurs fonctions de hachage : MD5, HAVAL, SHA... Il a été reporté que ces fonctions de hachagene sont pas sécurisées. Notre travail a consisté à la construction d’une nouvelle fonction de hachage basée sur une composition de fonctions. Cette construction utilise la NP-completude des tables de contingence de dimension 3 et une relaxation de la contrainte selon laquelle une fonction de hachage doit être aussi une fonction de compression.

Public-Coin Parallel Zero-Knowledge for NP

We show that, assuming the existence of collision-resistant hash functions, every language in NP has a constant-round public-coin zero-knowledge argument that remains secure under unbounded parallel composition (a.k.a. parallel zero knowledge.) Our protocol is a variant of Barak's zero-knowledge argument (FOCS 2001), and has a non-black-box simulator. This result stands in sharp contrast with the recent result by Pass, Tseng and Wikstrom (Crypto 2010) showing that only languages in BPP have public-coin parallel zero-knowledge arguments with black-box simulators.

An Efficient Authentication Scheme

In 2000, Peyravian and Zunic presented a simple password authentication scheme using collisionresistant hash function. Later, Hwang and Yeh denoted that Peyravian and Zunic scheme is insecure and suggested an improvement one using the server public key. However, in practice, services that do not use public keys are quite often superior to PKIs. Simultaneously, Lee, Kim and Yoo denoted that Peyravian and Zunic scheme undergoes from offline password guessing attacks and presented an improved version. However, Lee, Kim and Yoo proposed scheme is still vulnerable to the same attacks and denial-of-service attacks. Therefore, this paper presents a secure and efficient improvement . Lee, Kim and Yoo suggested a password scheme for three participants without trusted server. They claimed that the scheme can withstand different attacks and give the perfect secrecy. In this paper, we will demonstrate that their scheme undergoes from the imitation attack. Simultaneously, we will suggest an enhanced algorithm to resist the mentioned attacks. Keyword: password scheme, key agreement, trusted server, cryptanalysis.

Zero-Knowledge Sets With Short Proofs

Zero knowledge sets (ZKS), introduced by Micali, Rabin, and Kilian in 2003, allow a prover to commit to a secret set <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$S$</tex></formula> in a way such that it can later prove, non interactively, statements of the form <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$x\in S$</tex></formula> (or <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$x\notin S$</tex></formula> ), without revealing any further information (on top of what explicitly revealed by the inclusion/exclusion statements above) on <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$S$</tex></formula> , not even its size. Later, Chase <etal xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"/> abstracted away the Micali, Rabin, and Kilian's construction by introducing an elegant new variant of commitments that they called (trapdoor) mercurial commitments. Using this primitive, it was shown how to construct zero knowledge sets from a variety of assumptions (both general and number theoretic). This paper introduces the notion of trapdoor <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$q$</tex> </formula> -mercurial commitments ( <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">${\ssr qTMC}$</tex></formula> s), a notion of mercurial commitment that allows the sender to commit to an ordered sequence of exactly <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">$q$</tex></formula> messages, rather than to a single one. Following the previous work, it is shown how to construct ZKS from <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> <tex Notation="TeX">${\ssr qTMC}$</tex></formula> s and collision resistant hash functions. Then, it is presented an efficient realization of <formula formulatype="inline" xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"><tex Notation="TeX">${\ssr qTMC}$</tex></formula> s that is secure under the so called Strong Diffie Hellman (SDH) assumption, a number theoretic conjecture recently introduced by Boneh and Boyen. Using such scheme as basic building block, it is obtained a construction of ZKS that allows for proofs that are much shorter with respect to the best previously known implementations. In particular, for an appropriate choice of the parameters, our proofs are up to 33% shorter for the case of proofs of membership, and up to 73% shorter for the case of proofs of nonmembership. Experimental tests confirm practical time performances.

Increasing the security of hash functions

In this paper, we introduce a solution for ensuring data integrity using cryptographic one-way hash functions. The cryptographic security of such hash functions was estimated by us in detail for different kinds of attacks. We propose several new schemes for increasing the security of one-way hash functions without reformation of its internal algorithms. Also we outline schemes with the best speed and security level. We show that the Schneier method of suffix superposition has a serious drawback. In this article, we also suggest the method of constructing collision resistant one-way hash functions from standard well-known hash functions. Therefore, the proposed schemas can be used to upgrade the majority of cryptographic one-way functions, such as MD4, MD5, RIPEMD, SHA, GOST 34 11-94.

Lossy Trapdoor Functions and Their Applications

We propose a general cryptographic primitive called lossy trapdoor functions (lossy TDFs), and we use it to develop new approaches for constructing several important cryptographic tools, including (injective) trapdoor functions, collision-resistant hash functions, oblivious transfer, and chosen ciphertext-secure cryptosystems (in the standard model). All of these constructions are simple, efficient, and black-box. We realize lossy TDFs based on a variety of cryptographic assumptions, including the hardness of the decisional Diffie-Hellman (DDH) problem and the hardness of the “learning with errors” problem (which is implied by the worst-case hardness of various lattice problems). Taken together, our results resolve some long-standing open problems in cryptography. They give the first injective TDFs based on problems not directly related to integer factorization and provide the first chosen ciphertext-secure cryptosystem based solely on worst-case complexity assumptions.

A Simple and Generic Construction of Authenticated Encryption with Associated Data

We revisit the problem of constructing a protocol for performing Authenticated Encryption with Associated Data (AEAD). A technique is described which combines a collision-resistant hash function with a protocol for Authenticated Encryption (AE). The technique is both simple and generic and does not require any additional key material beyond that of the AE protocol. Concrete instantiations are shown where a 256-bit hash function is combined with some known single-pass AE protocols employing either 128-bit or 256-bit block ciphers. This results in possible efficiency improvement in the processing of the header.

Infeasibility of instance compression and succinct PCPs for NP

The OR-SAT problem asks, given Boolean formulae ϕ 1 , … , ϕ m each of size at most n, whether at least one of the ϕ i 's is satisfiable. We show that there is no reduction from OR-SAT to any set A where the length of the output is bounded by a polynomial in n, unless NP ⊆ coNP / poly , and the Polynomial-Time Hierarchy collapses. This result settles an open problem proposed by Bodlaender et al. (2008) [6] and Harnik and Naor (2006) [20] and has a number of implications. (i) A number of parametric NP problems, including Satisfiability, Clique, Dominating Set and Integer Programming, are not instance compressible or polynomially kernelizable unless NP ⊆ coNP / poly . (ii) Satisfiability does not have PCPs of size polynomial in the number of variables unless NP ⊆ coNP / poly . (iii) An approach of Harnik and Naor to constructing collision-resistant hash functions from one-way functions is unlikely to be viable in its present form. (iv) (Buhrman–Hitchcock) There are no subexponential-size hard sets for NP unless NP is in co-NP/poly. We also study probabilistic variants of compression, and show various results about and connections between these variants. To this end, we introduce a new strong derandomization hypothesis, the Oracle Derandomization Hypothesis, and discuss how it relates to traditional derandomization assumptions.

Analysis and Improvement of a User Authentication Improved Protocol

Remote user authentication always adopts the method of password to login the server within insecure network environments. Recently, Peyravin and Jeffries proposed a practical authentication scheme based on one-way collision-resistant hash functions. However, Shim and Munilla independently showed that the scheme is vulnerable to off-line guessing attacks. In order to remove the weakness, Holbl, Welzer and Brumenn presented an improved secure password-based protocols for remote user authentication, password change and session key establishment. Unfortunately, the remedies of their improved scheme cannot work. The improved scheme still suffers from the off-line attacks. And the password change protocol is insecure against Denial-of-Service attack. A proposed scheme is presented which overcomes these weaknesses. Detailed cryanalysis show that the proposed password-based protocols for remote user authentication, password change and session key establishment are immune against man-in-the-middle attacks, replay attacks, password guessing attacks, outsider attacks, denial-of-Service attacks and impersonation attacks .

An efficient multi-use multi-secret sharing scheme based on hash function

In this work, a renewable, multi-use, multi-secret sharing scheme for general access structure based on the one-way collision resistant hash function is presented in which each participant has to carry only one share. As it applies the collision resistant one-way hash function, the proposed scheme is secure against conspiracy attacks even if the pseudo-secret shares are compromised. Moreover, high complexity operations like modular multiplication, exponentiation and inversion are avoided to increase its efficiency. Finally, in the proposed scheme, both the combiner and the participants can verify the correctness of the information exchanged among themselves.

Universally composable one-time signature and broadcast authentication

Broadcast authentication is a vital security primitive for the management of a copious number of parties. In the universally composable framework, this paper investigates broadcast authentication using one-time signature based on the fact that one-time signature has efficient signature generation and verification suitable for low-power devices, and gives immediate authentication, which is a favorable property for time-critical messages. This paper first formulates a broadcast authentication model with the ideal functionalities such as one-time signature and broadcast authentication, and proposes a broadcast authentication scheme in the hybrid model. This paper then improves HORS, which is secure based on a strong assumption (i.e., a subset-resilient hash function) and presents the improved version as HORS+, which differs from HORS such that it is a secure one-time signature based on weaker assumptions, i.e. one-way functions, one-way hash functions and collision-resistant hash functions. At the same time, a protocol OWC using one-way chains is proposed to provide more registered keys for multi-message broadcast authentication. Our broadcast authentication scheme constructed by the combined use of HORS+ and OWC is universally composable secure and suitable for low-power devices.

On the Compressibility of $\mathcal{NP}$ Instances and Cryptographic Applications

We study compression that preserves the solution to an instance of a problem rather than preserving the instance itself. Our focus is on the compressibility of $\mathcal{NP}$ decision problems. We consider $\mathcal{NP}$ problems that have long instances but relatively short witnesses. The question is whether one can efficiently compress an instance and store a shorter representation that maintains the information of whether the original input is in the language or not. We want the length of the compressed instance to be polynomial in the length of the witness and polylog in the length of original input. Such compression enables succinctly storing instances until a future setting will allow solving them, either via a technological or algorithmic breakthrough or simply until enough time has elapsed. In this paper, we first develop the basic complexity theory of compression, including reducibility, completeness, and a stratification of $\mathcal{NP}$ with respect to compression. We then show that compressibility (say, of SAT) would have vast implications for cryptography, including constructions of one-way functions and collision resistant hash functions from any hard-on-average problem in $\mathcal{NP}$ and cryptanalysis of key agreement protocols in the “bounded storage model” when mixed with (time) complexity-based cryptography.

A handover authentication using credentials based on chameleon hashing

This letter proposes a handover authentication scheme using credentials based on chameleon hashing. The main challenges in handover authentication are to provide robust security and efficiency. The main idea of this letter is that credentials generated using the collision resistant hash function provide an authenticated ephemeral Diffie-Hellman key exchange only between a mobile node and an access point without communicating with an authentication server whenever a handover authentication occurs. Our scheme supports robust key exchange and efficient authentication procedure.

Small synopses for group-by query verification on outsourced data streams

Due to the overwhelming flow of information in many data stream applications, data outsourcing is a natural and effective paradigm for individual businesses to address the issue of scale. In the standard data outsourcing model, the data owner outsources streaming data to one or more third-party servers, which answer queries posed by a potentially large number of clients on the data owner's behalf. Data outsourcing intrinsically raises issues of trust, making outsourced query assurance on data streams a problem with important practical implications. Existing solutions proposed in this model all build upon cryptographic primitives such as signatures and collision-resistant hash functions, which only work for certain types of queries, for example, simple selection/aggregation queries. In this article, we consider another common type of queries, namely, “GROUP BY, SUM” queries, which previous techniques fail to support. Our new solutions are not based on cryptographic primitives, but instead use algebraic and probabilistic techniques to compute a small synopsis on the true query result, which is then communicated to the client so as to verify the correctness of the query result returned by the server. The synopsis uses a constant amount of space irrespective of the result size, has an extremely small probability of failure, and can be maintained using no extra space when the query result changes as elements stream by. We then generalize our synopsis to allow some tolerance on the number of erroneous groups, in order to support semantic load shedding on the server. When the number of erroneous groups is indeed tolerable, the synopsis can be strengthened so that we can locate and even correct these errors. Finally, we implement our techniques and perform an empirical evaluation using live network traffic.

CCA-Secure Public Key Encryption without Group-Dependent Hash Functions

So far, in almost all of the practical public key encryption schemes, hash functions which are dependent on underlying cyclic groups are necessary, e.g., H: {0, 1} * → ℤ p where p is the order of the underlying cyclic group, and it could be required to construct a dedicated hash function for each public key. The motivation of this note is derived from the following two facts: 1). there is an important technical gap between hashing to a specific prime-order group and hashing to a certain length bit sequence, and this could cause a security hole; 2). surprisingly, to our best knowledge, there is no explicit induction that one could use the simple construction, instead of tailor-made hash functions. In this note, we investigate this issue and provide the first rigorous discussion that in many existing schemes, it is possible to replace such hash functions with a target collision resistant hash function H: {0, 1} * → {0, 1} k , where k is the security parameter. We think that it is very useful and could drastically save the cost for the hash function implementation in many practical cryptographic schemes.