CIS 5371 Cryptography
4b. Collision Resistant Hash Functions
Based on: Jonathan Katz and Yehuda Lindell Introduction to Modern Cryptography
Collision Resistance
A collision in a function $H$ is a pair of distinct
inputs $x, x'$ for which $H(x) = H(x')$.
Collision resistance is trivial to achieve if
compression is not required (take for example
the identity function).
We shall be dealing with a family of hash
functions indexed by a key $s$.
$H$ will take as input a key $s$ and a string $x$ and
output a string: $H^s(x) \overset{\text{def}}{=} H(s, x)$.

Definition 5.1, Hash Function
A hash function is a pair of probabilistic
polynomial-time algorithms (Gen, $H$) such that:
• Gen: takes as input the security parameter $1^n$ and
outputs a key $s$.
• $H$: there is a polynomial $\ell$ such that $H$ takes as
input a key $s$ and a string $x \in \{0,1\}^*$ and outputs a
string $H^s(x) \in \{0,1\}^{\ell(n)}$.

A collision finding experiment
$\text{Hash-coll}_{A,\Pi}(n)$
1. A key $s$ is generated by running Gen($1^n$).
2. The adversary $A$ is given $s$ and outputs
a pair $x, x'$.
3. The output of the experiment is 1 if and only if
– $x \neq x'$, and
– $H^s(x) = H^s(x')$.

Definition 4.12
Collision Resistant Hash Function
A hash function $\Pi$ = (Gen, $H$) is collision resistant
if for all probabilistic polynomial-time adversaries
$A$ there is a negligible function negl such that:
$\Pr[\text{Hash-coll}_{A,\Pi}(n) = 1] \le \text{negl}(n)$.

Weaker notions of security for
Hash Functions
1. Collision resistance. The strongest notion, as
defined earlier.
2. Second pre-image resistance. Informally, given a
key $s$ and a string $x$ it is infeasible for a
probabilistic polynomial-time adversary to find
$x' \neq x$ such that $H^s(x') = H^s(x)$.
3. Pre-image resistance. Informally, given a key $s$ and
a string $y = H^s(x)$ (but not $x$) for a randomly
chosen $x$, it is infeasible for a probabilistic
polynomial-time adversary to find $x' \neq x$ such that
$H^s(x') = y$.

Weaker notions of security for
Hash Functions
1. Collision resistance $\Rightarrow$ Second pre-image resistance
If given $x$ the adversary can find $x' \neq x$ such that
$H^s(x') = H^s(x)$, then the adversary can find a pair
$x' \neq x$ with $H^s(x') = H^s(x)$.
2. Second pre-image resistance $\Rightarrow$ Pre-image resistance
If it were possible to invert $y$ and find an $x'$ such that
$H^s(x') = y$, then it would be possible to take a given
input $x$, compute $H^s(x)$, and then invert $y = H^s(x)$
to find $x' \neq x$ such that $H^s(x') = y$.

Generic birthday attack
Birthday problem
Let $H: \{0,1\}^* \to \{0,1\}^{\ell}$ be a hash function.
Assume that the values $y = H(x)$ are uniformly
distributed in $\{0,1\}^{\ell}$ and independent.
Assume that $q$ arbitrary inputs $x_1, \dots, x_q \in \{0,1\}^*$ are
selected.
Then the probability that there is a collision using
$q = \Theta(2^{\ell/2})$ hash evaluations is greater than ½.
The time taken is $O(\ell \cdot 2^{\ell/2})$.
(One has to sort the outputs; assume that one can evaluate a hash function in
constant time.)

Improved birthday attack
Memory is a scarcer resource than time:
storing $q = \Theta(2^{\ell/2})$ hash evaluations is costly.

Improved birthday attack
Let $H: \{0,1\}^* \to \{0,1\}^{\ell}$ be a hash function.
Select a random initial value $x_0$.
For $i > 0$:
Compute $x_i := H(x_{i-1})$ and $x_{2i} := H(H(x_{2(i-1)}))$.
If $x_i = x_{2i}$ there is a collision; else continue.
It can be shown that we get a collision with
probability roughly ½ in $q = \Theta(2^{\ell/2})$ steps.

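The constant-memory search above, as an added example that is not part of the original slides. It assumes a toy hash (SHA-256 truncated to 24 bits) and a constructed start value, and adds the second pass that turns the detected cycle point $x_i = x_{2i}$ into an explicit colliding pair.

```python
import hashlib

def H(x: bytes, nbytes: int = 3) -> bytes:
    """Toy hash for the demo: SHA-256 truncated to nbytes (24 bits by default)."""
    return hashlib.sha256(x).digest()[:nbytes]

def find_collision(x0: bytes, nbytes: int = 3):
    """Return (a, b) with a != b and H(a) == H(b), storing only two values.

    x0 must be longer than nbytes so that it cannot itself be a hash output;
    this guarantees the sequence has a non-empty tail before its cycle.
    """
    if len(x0) <= nbytes:
        raise ValueError("x0 must be longer than the hash output")

    def step(v: bytes) -> bytes:
        return H(v, nbytes)

    # Phase 1 (the loop on the slide): x_i = H(x_{i-1}), x_{2i} = H(H(x_{2(i-1)})).
    slow, fast = step(x0), step(step(x0))
    while slow != fast:
        slow, fast = step(slow), step(step(fast))

    # Phase 2: x_i = x_{2i} only shows that the sequence has entered a cycle.
    # Restart one pointer at x_0 and advance both one step at a time; the two
    # values just before they meet are distinct inputs with the same hash.
    slow = x0
    while step(slow) != step(fast):
        slow, fast = step(slow), step(fast)
    return slow, fast

if __name__ == "__main__":
    a, b = find_collision(b"constructed-start-value")  # constructed input
    print(a.hex(), b.hex(), H(a).hex(), H(b).hex())
```

With a 24-bit output the search finishes after a few thousand hash evaluations, which is why truncating a digest to save space directly lowers its collision resistance.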
Construction 4.12
The Merkle-Damgaard transform
(Gen, $h$) is a fixed-length collision-resistant hash function
with inputs of length $2\ell(n)$ and outputs of length $\ell(n)$.
A variable-length hash function (Gen, $H$) is constructed as
follows.
• Gen: on input $1^n$, output key $s$.
• $H$: on input $s$ and $x \in \{0,1\}^L$, $L < 2^{\ell(n)}$, do:
1. Set $B := \lceil L/\ell \rceil$, pad $x$ so that it can be parsed into $B$
blocks $x_1, \dots, x_B$ of length $\ell$.
Set $x_{B+1} \leftarrow L$ ($\ell$ bits).
2. Set $z_0 \leftarrow 0^{\ell}$.
3. For $i = 1, \dots, B + 1$, compute $z_i \leftarrow h^s(z_{i-1} \| x_i)$.
4. Output $z_{B+1}$.

The Merkle-Damgaard transform
[Figure: the chain $z_0, z_1, \dots, z_B, z_{B+1}$ ($= H^s(x)$), in which successive applications of $h^s$ take the blocks $x_1, x_2, \dots, x_B$ and $x_{B+1} = L$.]

Theorem 4.14
If (Gen, $h$) is collision-resistant then so is
(Gen, $H$).

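Construction 4.12 in code, as an added example that is not part of the original slides. The compression function `h` (truncated SHA-256 over key and block), the 16-byte block size, zero padding, and counting $L$ in bytes are all assumptions made for the demo; the `length_block` switch shows why the final block $x_{B+1} = L$ is needed.

```python
import hashlib

ELL = 16  # block and output length in bytes (assumed value for the demo)

def h(s: bytes, block: bytes) -> bytes:
    """Stand-in fixed-length compression function h^s: 2*ELL bytes -> ELL bytes."""
    assert len(block) == 2 * ELL
    return hashlib.sha256(s + block).digest()[:ELL]

def md_hash(s: bytes, x: bytes, length_block: bool = True) -> bytes:
    """Merkle-Damgaard transform of h; length_block=False omits x_{B+1}."""
    B = -(-len(x) // ELL)                        # step 1: B := ceil(L / ELL)
    padded = x.ljust(B * ELL, b"\x00")           # zero padding (assumption)
    blocks = [padded[i * ELL:(i + 1) * ELL] for i in range(B)]
    if length_block:
        blocks.append(len(x).to_bytes(ELL, "big"))   # x_{B+1} := L
    z = bytes(ELL)                               # step 2: z_0 := 0^ELL
    for block in blocks:                         # step 3: z_i := h^s(z_{i-1} || x_i)
        z = h(s, z + block)
    return z                                     # step 4: output z_{B+1}

if __name__ == "__main__":
    s = b"constructed-key"                       # constructed sample key
    for flag in (False, True):
        same = md_hash(s, b"ab", flag) == md_hash(s, b"ab\x00", flag)
        print("length block:", flag, "-> b'ab' and b'ab\\x00' collide:", same)
```

Without the length block, any two inputs that pad to the same blocks collide no matter how strong `h` is; with it, they differ in the last block fed to `h`.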
Hash Functions and Applications
Hash-and-MAC
Let $\Pi$ = (Mac, Vrfy) be a MAC for messages of length $\ell(n)$
and $\Pi_H$ = (Gen$_H$, $H$) be a hash function with output
length $\ell(n)$. Construct MAC $\Pi'$ = (Gen′, Mac′, Vrfy′) for
arbitrary length messages as follows:
• Gen′: on input $1^n$ output uniform $k \in \{0,1\}^*$ and run Gen$_H$($1^n$)
to get $s$. The Hash-and-Mac key is $(s, k)$.
• Mac′: on input $(s, k)$ and message $m \in \{0,1\}^*$ output
$t \leftarrow \text{Mac}_k(H^s(m))$.
• Vrfy′: on input a key $(s, k)$, a message $m \in \{0,1\}^*$ and a
MAC tag $t$ output 1 if and only if $\text{Vrfy}_k(H^s(m), t) = 1$.

Hash Functions and Applications
HMAC
Let (Gen$_H$, $H$) be a hash function constructed by applying the
Merkle-Damgaard transform to a compression function
(Gen$_H$, $h$) of length $n + n'$. Let opad and ipad be fixed
constants of length $n'$. Define MAC as follows:
• Gen: on input $1^n$ run Gen$_H$($1^n$) to get $s$. Choose uniform
$k \in \{0,1\}^{n'}$. The output key is $(s, k)$.
• Mac: on input $(s, k)$ and message $m \in \{0,1\}^*$ output
$t \leftarrow \text{Mac}_k(H^s(k \oplus \text{opad}) \,\|\, H^s(k \oplus \text{ipad} \,\|\, m))$.
• Vrfy: on input a key $(s, k)$, a message $m \in \{0,1\}^*$ and a
MAC tag $t$ output 1 if and only if
$t = \text{Mac}_k(H^s(k \oplus \text{opad}) \,\|\, H^s(k \oplus \text{ipad} \,\|\, m))$.

HMAC
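[Figure: HMAC. Labels in the upper chain: $k \oplus \text{ipad}$, IV, $m_1$, ..., $h^s$, $k_{in}$. Labels in the lower chain: $k \oplus \text{opad}$, IV, $h^s$, $k_{out}$, and the output tag $t$.]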