Very smooth hash

Very Smooth Hash (VSH)
General
Designers Scott Contini, Arjen K. Lenstra, Ron Steinfeld
First published 2005
Successors VSH*
Detail
Digest sizes 1024 bits and up

In cryptography, Very Smooth Hash (VSH) is a provably secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra and Ron Steinfeld. [1] Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per log(n) message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

Two major variants of VSH were proposed. For one finding a collision is provably as difficult as finding a nontrivial modular square root of a very smooth number modulo n. The other one uses a prime modulus p (with no trapdoor), and its security proof relies on the hardness of finding discrete logarithms of very smooth numbers modulo p. Both versions have similar efficiency.

VSH is not suitable as a substitute for a random oracle, but can be used to build a provably secure randomized trapdoor hash function. This function can replace the trapdoor function used in the Cramer-Shoup signature scheme, maintaining its provable security while speeding up verification time by about 50%.

VSN and VSSR

All cryptographic hash functions that are now widely used are not based on hard mathematical problems. Those few functions that are constructed on hard mathematical problems are called provably secure. Finding collisions is then known to be as hard as solving the hard mathematical problem. For the basic version of Very Smooth Hash function, this hard problem is to find modular square roots (VSSR) of certain special numbers (VSN).[1] This is assumed to be as hard as factoring integers.

For a fixed constant c and n an integer m is a Very Smooth Number (VSN) if the largest prime factor of m is at most (log n)c.

An integer b is a Very Smooth Quadratic Residue modulo n if the largest prime in b’s factorization is at most (log n)c and there exists an integer x such that b \equiv x^2 \mod n. The integer x is said to be a Modular Square Root of b.

We are interested only in non-trivial square roots, those where x2n. If x2 < n, the root can be easily computed using algorithms from fields of characteristics 0, such as real field. Therefore, they are not suitable in cryptographic primitives.

Very Smooth Number Nontrivial Modular Square Root (VSSR) is the following problem: Let n be the product of two unknown primes of approximately the same size and let k\le(\log n)^c. Let p_1 = 2, p_2 = 3, p_3 = 5,\dots be the sequence of primes. VSSR is the following problem: Given n, find x \in \mathbb{Z}^*_n such that \textstyle x^2 \equiv \prod_{i=0}^k p_i^{e_i} and at least one of e0,...,ek is odd.

The VSSR assumption is that there is no probabilistic polynomial (in \log n) time algorithm which solves VSSR with non-negligible probability. This is considered a useless assumption for practice because it does not tell for what size of moduli VSSR is computationally hard. Instead The computational VSSR assumption is used. It says that solving VSSR is assumed to be as hard as factoring a hard-to-factor s bit modulus, where s is somewhat smaller than the size of n.

Examples of VSN and VSSR

Let the parameters be fixed as follows: c=5 and n=31.

Then m_1 = 35 = 5 \cdot 7 is a Very Smooth Number with respect to these parameters because (\log 31)^5~\dot{=}~7.37 is greater than all m_1's prime factors. On the other hand, m_2 = 55 = 5\cdot 11 is not a VSN under c=5 and n=31.

The integer b_1 = 9 is Very Smooth Quadratic Residue modulo n because it is Very Smooth Number (under c, n) and we have x_1 = 3 such that x_1^2 = b_1 (mod n). This is a trivial modular square root, because 3^2 \not\geq n and so the modulus is not involved when squaring.

The integer b_2 = 15 is also Very Smooth Quadratic Residue modulo n. All prime factors are smaller than 7.37 and the Modular Square Root is x_2 =  20 since 20^2 = 400 \equiv 15 (mod n). This is thus a non-trivial root. The VSSR problem is to find x_2 given b_2 and n. And we suppose that this is computationally as hard as factoring n.

VSH Algorithm, basic versions

Let n be a large RSA composite and let p_1 = 2, p_2 = 3, \ldots the sequence of primes. Let k, the block length, be the largest integer such that \textstyle \prod_{i = 1}^k p_i < n. Let m be an \ell-bit message to be hashed consisting of bits (m_1,\ldots,m_{\ell}) and assume that \ell < 2^k. To compute the hash of m:

  1. x0 = 1
  2. Let L, the smallest integer greater or equal to l/k, be the number of blocks. Let m_i = 0 for l < i \leq Lk (padding)
  3. Let \textstyle \ell = \sum_{i=1}^k l_i 2^{i-1} with \ell_i \in \{0, 1\} be the binary representation of the message length \ell and define m_{Lk+i}= \ell_i for 1 \leq  i \leq k.
  4. for j = 0, 1,..., L in succession compute x_{j+1} = x_j^2 \prod_{i=1}^k p_i^{m_{jk+i}}\mod n
  5. return xL + 1.

The function in step 4 is called the compression function.

Properties of VSH

Variants of VSH

Several improvements, speedups and more efficient variants of VSH have been proposed.[1] None of them changes the underlying concept of the function. These improvements are called:

VSDL and VSH-DL variant

The VSH-DL is a discrete logarithm variant of VSH that has no trapdoor, its security depends on the difficulty of finding discrete logarithm modulo a prime p.[1]

Very Smooth Number Discrete Logarithm (VSDL) is a problem where given a very smooth number, we want to find its discrete logarithm modulo some number n.

Similarly as in previous section, by p_i we denote the i-th prime. Let furthermore c be a fixed constant and p, q be primes with p = 2q + 1 and let k \leq (\log p)^c. CSDL is the following problem: given p, find integers e_1,...,e_k such that 2^{e_1} \equiv \prod_{i=2}^k p_i^{e_i} \mod p with |e_i| < q for i = 1,...,k and at least one of e_1,...,e_k non-zero.

The VSDL assumption is that there is no probabilistic polynomial (in \log p) time algorithm which solves VSDL with non-negligible probability. There is a strong connection between the hardness of VSDL and the hardness of computing discrete logarithm modulo p, which is reminiscent of, but somewhat weaker than, the connection between VSSR and integer factorization.

Security of VSH

Strong collision resistance is the only property proven for VSH. This does not imply preimage-resistance or other important hash function properties and the authors state that “VSH should not be used to model random oracles,” and cannot be substituted into constructions that depend upon them (RSA signatures, some MACs).[1] VSH should not be considered a general-purpose hash function as usually understood in security engineering.

Multiplicative property

VSH is multiplicative: Let x, y, and z be three bit strings of equal length, where z consists only of zero bits and the strings satisfy x AND y = z. It is easy to see that H(z)H(x OR y) ≡ H(x)H(y) (mod n). As a result, VSH succumbs to a classical time-memory trade-off attack that applies to multiplicative and additive hashes.

This fact can be used to construct a preimage attack against VSH of \ell bits which has 2^{\ell/2} complexity rather than 2^\ell as expected.

Attack against truncated version

VSH produces a very long hash (typically 1024 bits). There are no indications that a truncated VSH hash offers security that is commensurate with the hash length.

There exists a Partial Collision Attacks on VSH truncated to least significant l bits. [2]

The complexity of this attack against is:

This probably rules out the applicability of VSH in digital signature schemes which produce signatures shorter than the VSH hash result, such as Elliptic Curve signature schemes.

References

  1. 1 2 3 4 5 Contini, S.; Lenstra, A.; Steinfeld, R. (2005), "VSH, an Efficient and Provable Collision-Resistant Hash Function." (PDF), Missing or empty |title= (help)
  2. Saarinen, M.-J. O. (2006), "Security of VSH in the RealWorld" (PDF), Missing or empty |title= (help)

See also

This article is issued from Wikipedia - version of the Friday, April 29, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.