Collision resistant hashing for paranoids: dealing with multiple collisions. (English) Zbl 1423.94079
Nielsen, Jesper Buus (ed.) et al., Advances in cryptology – EUROCRYPT 2018. 37th annual international conference on the theory and applications of cryptographic techniques, Tel Aviv, Israel, April 29 – May 3, 2018. Proceedings. Part II. Cham: Springer. Lect. Notes Comput. Sci. 10821, 162-194 (2018).
Summary: A collision resistant hash (CRH) function is one that compresses its input, yet it is hard to find a collision, i.e. a \(x_1\neq x_2\) s.t. \(h(x_1)=h(x_2)\). Collision resistant hash functions are one of the more useful cryptographic primitives both in theory and in practice and two prominent applications are in signature schemes and succinct zero-knowledge arguments.{
}In this work we consider a relaxation of the above requirement that we call Multi-CRH: a function where it is hard to find \(x_1,x_2,\ldots,x_k\) which are all distinct, yet \(h(x_1)=h(x_2)=\cdots=h(x_k)\). We show that for some of the major applications of CRH functions it is possible to replace them by the weaker notion of a Multi-CRH, albeit at the price of adding interaction: we show a constant-round statistically-hiding commitment scheme with succinct interaction (committing to \(\mathsf{poly}(n)\) bits requires exchanging \(\tilde{O}(n)\) bits) that can be opened locally (without revealing the full string). This in turn can be used to provide succinct arguments for any \({\mathsf {NP}}\) statement.{
}We formulate four possible worlds of hashing-related assumptions (in the spirit of Impagliazzo’s worlds). They are (1) Nocrypt, where no one-way functions exist, (2) Unihash, where one-way functions exist, and hence also UOWHFs and signature schemes, but no Multi-CRH functions exist, (3) Minihash, where Multi-CRH functions exist but no CRH functions exist, and (4) Hashomania, where CRH functions exist. We show that these four worlds are distinct in a black-box model: we show a separation of CRH from Multi-CRH and a separation of Multi-CRH from one-way functions.
For the entire collection see [Zbl 1387.94007].
For the entire collection see [Zbl 1387.94007].
MSC:
| 94A60 | Cryptography |
References:
| [1] | Alon, N.; Goldreich, O.; Håstad, J.; Peralta, R., Simple construction of almost k-wise independent random variables, Random Struct. Algorithms, 3, 3, 289-304, 1992 · Zbl 0755.60002 · doi:10.1002/rsa.3240030308 |
| [2] | Asharov, G.; Segev, G., Limits on the power of indistinguishability obfuscation and functional encryption, SIAM J. Comput., 45, 6, 2117-2176, 2016 · Zbl 1356.94048 · doi:10.1137/15M1034064 |
| [3] | Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS, pp. 106-115. IEEE Computer Society (2001) |
| [4] | Barak, B.; Goldreich, O., Universal arguments and their applications, SIAM J. Comput., 38, 5, 1661-1694, 2008 · Zbl 1180.94047 · doi:10.1137/070709244 |
| [5] | Bellare, M.; Rogaway, P.; Kaliski, BS, Collision-resistant hashing: towards making UOWHFs practical, Advances in Cryptology — CRYPTO ’97, 470-484, 1997, Heidelberg: Springer, Heidelberg · Zbl 0882.94015 · doi:10.1007/BFb0052256 |
| [6] | Berman, I., Degwekar, A., Rothblum, R.D., Vasudevan, P.N.: Multi collision resistant hash functions and their applications. IACR Cryptology ePrint Archive 2017, 489 (2017) |
| [7] | Bitansky, N., Kalai, Y.T., Paneth, O.: Multi-collision resistance: A paradigm for keyless hash functions. IACR Cryptology ePrint Archive 2017, 488 (2017) |
| [8] | Brassard, G.; Chaum, D.; Crépeau, C., Minimum disclosure proofs of knowledge, J. Comput. Syst. Sci., 37, 2, 156-189, 1988 · Zbl 0656.68109 · doi:10.1016/0022-0000(88)90005-0 |
| [9] | Coppersmith, D.; Williams, HC, Another birthday attack, Advances in Cryptology - CRYPTO ’85 Proceedings, 14-17, 1986, Heidelberg: Springer, Heidelberg · doi:10.1007/3-540-39799-X_2 |
| [10] | Damgård, IB; Brassard, G., A design principle for hash functions, Advances in Cryptology - CRYPTO ’89 Proceedings, 416-427, 1990, New York: Springer, New York · Zbl 0724.68029 · doi:10.1007/0-387-34805-0_39 |
| [11] | Damgård, I.; Pedersen, TP; Pfitzmann, B., On the existence of statistically hiding bit commitment schemes and fail-stop signatures, J. Cryptol., 10, 3, 163-194, 1997 · Zbl 0899.94011 · doi:10.1007/s001459900026 |
| [12] | Damgård, I.; Pedersen, TP; Pfitzmann, B., Statistical secrecy and multibit commitments, IEEE Trans. Inf. Theory, 44, 3, 1143-1151, 1998 · Zbl 0906.94016 · doi:10.1109/18.669255 |
| [13] | Dodis, Y.; Steinberger, J.; Paterson, KG, Domain extension for MACs beyond the birthday barrier, Advances in Cryptology - EUROCRYPT 2011, 323-342, 2011, Heidelberg: Springer, Heidelberg · Zbl 1281.94022 · doi:10.1007/978-3-642-20465-4_19 |
| [14] | Gennaro, R.; Gertner, Y.; Katz, J.; Trevisan, L., Bounds on the efficiency of generic cryptographic constructions, SIAM J. Comput., 35, 1, 217-246, 2005 · Zbl 1087.94019 · doi:10.1137/S0097539704443276 |
| [15] | Girault, M.; Cohen, R.; Campana, M.; Barstow, D.; Brauer, W.; Brinch Hansen, P.; Gries, D.; Luckham, D.; Moler, C.; Pnueli, A.; Seegmüller, G.; Stoer, J.; Wirth, N.; Günther, CG, A generalized birthday attack, Advances in Cryptology — EUROCRYPT ’88, 129-156, 1988, Heidelberg: Springer, Heidelberg · Zbl 0656.94008 · doi:10.1007/3-540-45961-8_12 |
| [16] | Girault, M.; Stern, J.; Desmedt, YG, On the length of cryptographic hash-values used in identification schemes, Advances in Cryptology - CRYPTO ’94, 202-215, 1994, Heidelberg: Springer, Heidelberg · Zbl 0939.94541 |
| [17] | Goldreich, O.; Sahai, A.; Vadhan, S.; Wiener, M., Can statistical zero knowledge be made non-interactive? or on the relationship of SZK and NISZK, Advances in Cryptology — CRYPTO ’99, 467-484, 1999, Heidelberg: Springer, Heidelberg · Zbl 0942.68046 · doi:10.1007/3-540-48405-1_30 |
| [18] | Guruswami, V., Indyk, P.: Near-optimal linear-time codes for unique decoding and new list-decodable codes over smaller alphabets. In: Proceedings on 34th Annual ACM Symposium on Theory of Computing, pp. 812-821. ACM (2002) · Zbl 1192.94132 |
| [19] | Guruswami, V., Indyk, P.: Linear time encodable and list decodable codes. In: Proceedings of the 35th Annual ACM Symposium on Theory of Computing, pp. 126-135. ACM (2003) · Zbl 1192.94097 |
| [20] | Guruswami, V.; Indyk, P.; Díaz, J.; Karhumäki, J.; Lepistö, A.; Sannella, D., Linear-time list decoding in error-free settings, Automata, Languages and Programming, 695-707, 2004, Heidelberg: Springer, Heidelberg · doi:10.1007/978-3-540-27836-8_59 |
| [21] | Guruswami, V.; Sudan, M., Improved decoding of Reed-Solomon and algebraic-geometry codes, IEEE Trans. Inf. Theory, 45, 6, 1757-1767, 1999 · Zbl 0958.94036 · doi:10.1109/18.782097 |
| [22] | Guruswami, V., Umans, C., Vadhan, S.P.: Unbalanced expanders and randomness extractors from parvaresh-vardy codes. J. ACM 56(4), 20:1-20:34 (2009) · Zbl 1325.68169 |
| [23] | Haitner, I.; Hoch, JJ; Reingold, O.; Segev, G., Finding collisions in interactive protocols - tight lower bounds on the round and communication complexities of statistically hiding commitments, SIAM J. Comput., 44, 1, 193-242, 2015 · Zbl 1397.94068 · doi:10.1137/130938438 |
| [24] | Haitner, I.; Horvitz, O.; Katz, J.; Koo, C.; Morselli, R.; Shaltiel, R., Reducing complexity assumptions for statistically-hiding commitment, J. Cryptol., 22, 3, 283-310, 2009 · Zbl 1173.94006 · doi:10.1007/s00145-007-9012-8 |
| [25] | Haitner, I.; Ishai, Y.; Omri, E.; Shaltiel, R.; Gennaro, R.; Robshaw, M., Parallel hashing via list recoverability, Advances in Cryptology - CRYPTO 2015, 173-190, 2015, Heidelberg: Springer, Heidelberg · Zbl 1351.94050 · doi:10.1007/978-3-662-48000-7_9 |
| [26] | Haitner, I.; Nguyen, M.; Ong, SJ; Reingold, O.; Vadhan, SP, Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function, SIAM J. Comput., 39, 3, 1153-1218, 2009 · Zbl 1195.94057 · doi:10.1137/080725404 |
| [27] | Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28, 1364-1396 (1999) · Zbl 0940.68048 |
| [28] | Hemenway, B., Ron-Zewi, N., Wootters, M.: Local list recovery of high-rate tensor codes & applications. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, pp. 204-215. IEEE Computer Society (2017) |
| [29] | Hemenway, B.; Wootters, M.; Halldórsson, MM; Iwama, K.; Kobayashi, N.; Speckmann, B., Linear-time list recovery of high-rate expander codes, Automata, Languages, and Programming, 701-712, 2015, Heidelberg: Springer, Heidelberg · Zbl 1403.94105 · doi:10.1007/978-3-662-47672-7_57 |
| [30] | Hosoyamada, A., Sasaki, Y., Xagawa, K.: Quantum multicollision-finding algorithm. IACR Cryptology ePrint Archive 2017, 864 (2017) |
| [31] | Hsiao, C-Y; Reyzin, L.; Franklin, M., Finding collisions on a public road, or do secure hash functions need secret coins?, Advances in Cryptology - CRYPTO 2004, 92-105, 2004, Heidelberg: Springer, Heidelberg · Zbl 1104.94025 · doi:10.1007/978-3-540-28628-8_6 |
| [32] | Impagliazzo, R.: A personal view of average-case complexity. In: Proceedings of the Tenth Annual Structure in Complexity Theory Conference, pp. 134-147. IEEE Computer Society (1995) |
| [33] | Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions (extended abstracts). In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 12-24. ACM (1989) |
| [34] | Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography (extended abstract). In: 30th Annual Symposium on Foundations of Computer Science, FOCS, pp. 230-235. IEEE Computer Society (1989) |
| [35] | Joux, A.; Franklin, M., Multicollisions in iterated hash functions. application to cascaded constructions, Advances in Cryptology - CRYPTO 2004, 306-316, 2004, Heidelberg: Springer, Heidelberg · Zbl 1104.68043 · doi:10.1007/978-3-540-28628-8_19 |
| [36] | Katz, J., Koo, C.: On constructing universal one-way hash functions from arbitrary one-way functions. IACR Cryptology ePrint Archive 2005, 328 (2005) |
| [37] | Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: STOC, pp. 723-732. ACM (1992) |
| [38] | Komargodski, I., Naor, M., Yogev, E.: Collision resistant hashing for paranoids: Dealing with multiple collisions. IACR Cryptology ePrint Archive 2017, 486 (2017) |
| [39] | Komargodski, I., Naor, M., Yogev, E.: White-box vs. black-box complexity of search problems: ramsey and graph property testing. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS, pp. 622-632 (2017) |
| [40] | Maurer, U.; Tessaro, S.; Menezes, A., Domain extension of public random functions: beyond the birthday barrier, Advances in Cryptology - CRYPTO 2007, 187-204, 2007, Heidelberg: Springer, Heidelberg · Zbl 1215.94063 · doi:10.1007/978-3-540-74143-5_11 |
| [41] | Merkle, RC; Brassard, G., A certified digital signature, Advances in Cryptology - CRYPTO ’89 Proceedings, 218-238, 1990, New York: Springer, New York · doi:10.1007/0-387-34805-0_21 |
| [42] | Merkle, RC; Brassard, G., One way hash functions and DES, Advances in Cryptology - CRYPTO ’89 Proceedings, 428-446, 1990, New York: Springer, New York · Zbl 1533.94049 · doi:10.1007/0-387-34805-0_40 |
| [43] | Mironov, I.; Yung, M.; Dodis, Y.; Kiayias, A.; Malkin, T., Collision-resistant no more: hash-and-sign paradigm revisited, Public Key Cryptography - PKC 2006, 140-156, 2006, Heidelberg: Springer, Heidelberg · Zbl 1151.94547 · doi:10.1007/11745853_10 |
| [44] | Naor, J.; Naor, M., Small-bias probability spaces: efficient constructions and applications, SIAM J. Comput., 22, 4, 838-856, 1993 · Zbl 0776.60014 · doi:10.1137/0222053 |
| [45] | Naor, M.; Ostrovsky, R.; Venkatesan, R.; Yung, M., Perfect zero-knowledge arguments for NP using any one-way permutation, J. Cryptol., 11, 2, 87-108, 1998 · Zbl 0960.94016 · doi:10.1007/s001459900037 |
| [46] | Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 33-43. ACM (1989) |
| [47] | Ngo, H.Q., Porat, E., Rudra, A.: Efficiently decodable compressed sensing by list-recoverable codes and recursion. In: 29th International Symposium on Theoretical Aspects of Computer Science, STACS. LIPIcs, vol. 14, pp. 230-241. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2012) · Zbl 1245.94043 |
| [48] | Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, pp. 387-394. ACM (1990) |
| [49] | Shoup, V.; Preneel, B., A composition theorem for universal one-way hash functions, Advances in Cryptology - EUROCRYPT 2000, 445-452, 2000, Heidelberg: Springer, Heidelberg · Zbl 1082.94531 · doi:10.1007/3-540-45539-6_32 |
| [50] | Simon, DR; Nyberg, K., Finding collisions on a one-way street: can secure hash functions be based on general assumptions?, Advances in Cryptology - EUROCRYPT ’98, 334-345, 1998, Heidelberg: Springer, Heidelberg · Zbl 0919.94032 · doi:10.1007/BFb0054137 |
| [51] | Stevens, M.; Bursztein, E.; Karpman, P.; Albertini, A.; Markov, Y.; Katz, J.; Shacham, H., The first collision for full SHA-1, Advances in Cryptology - CRYPTO 2017, 570-596, 2017, Cham: Springer, Cham · Zbl 1407.94153 · doi:10.1007/978-3-319-63688-7_19 |
| [52] | Ta-Shma, A.: Explicit, almost optimal, epsilon-balanced codes. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC, pp. 238-251 (2017) · Zbl 1378.94079 |
| [53] | Wang, X.; Yin, YL; Yu, H.; Shoup, V., Finding collisions in the full SHA-1, Advances in Cryptology - CRYPTO 2005, 17-36, 2005, Heidelberg: Springer, Heidelberg · Zbl 1145.94454 · doi:10.1007/11535218_2 |
| [54] | Wee, H.; Vadhan, SP, One-way permutations, interactive hashing and statistically hiding commitments, Theory of Cryptography, 419-433, 2007, Heidelberg: Springer, Heidelberg · Zbl 1129.94039 · doi:10.1007/978-3-540-70936-7_23 |
| [55] | Wegman, MN; Carter, L., New hash functions and their use in authentication and set equality, J. Comput. Syst. Sci., 22, 3, 265-279, 1981 · Zbl 0461.68074 · doi:10.1016/0022-0000(81)90033-7 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
