## Hash function balance and its impact on birthday attacks (2004)

### Cached

### Download Links

- [www.iacr.org]
- [www.iacr.org]
- [eprint.iacr.org]
- [www.cs.ucsd.edu]
- [eprint.iacr.org]
- DBLP

### Other Repositories/Bibliography

Venue: | Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science |

Citations: | 29 - 2 self |

### BibTeX

@INPROCEEDINGS{Bellare04hashfunction,

author = {Mihir Bellare and Tadayoshi Kohno},

title = {Hash function balance and its impact on birthday attacks},

booktitle = {Advances in Cryptology – EUROCRYPT ’04, Lecture Notes in Computer Science},

year = {2004},

pages = {401--418},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. Textbooks tell us that a birthday attack on a hash function h with range size r requires r 1/2 trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of pre-images under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity ” of a hash function that we call its balance, and then providing estimates of the success-rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r 1/2 for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damg˚ard) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions. 1

### Citations

2683 | Handbook of Applied Cryptography
- Menezes, Ooschot, et al.
- 1997
(Show Context)
Citation Context ...tion. The following lemma, which we prove in [1], will be useful later. Lemma 1. Let h: D → R be a function. Let d = |D| and r = |R| and assume d ≥ r ≥ 2. Then r −µ(h) − 1 d ≥ � 1 − r � · r d −µ(h) , =-=(4)-=- where µ(h) is the balance of h as per Definition 1.sFor i = 1, . . . , q do / q is the number of trials Pick xi at random from the domain of h yi ← h(xi) / Hash xi to get yi If there exists j < i suc... |

1419 | Random Oracles are Practical: A Paradigm for Designing Efficient
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ...t h is regular. There is no information regarding the case where h is not regular. In the second edition of his book [16], Stinson drops this result in favor of an analysis in the random oracle model =-=[4]-=-, showing that C $ D;R (q) ss \Gammasq 2 \Deltas=r. (Our Theorem 7.3 is a more precise version of this statement, with bounds rather than approximate equalities.) Delfs and Knebl [7] also assume that ... |

870 |
The MD5 message-digest algorithm
- Rivest
- 1992
(Show Context)
Citation Context ...the above results we would like to be building hash functions that have high balance. We look at some elements of current design to see how well they reflect this requirement. Hash functions like MD5 =-=[7]-=-, SHA-1 [6] and RIPEMD-160 [3] are designed by applying the Merkle-Damg˚ard (MD) [5, 2] transform to an underlying compression function. Designers could certainly try to ensure that the compression fu... |

309 |
A design principle for hash functions
- Damg̊ard
- 1989
(Show Context)
Citation Context ...ave sizes d, r ≥ 2, respectively. For i ∈ [r] let di = |h−1 (Ri)| denote the size of the pre-image of Ri under h. The balance of h, denoted µ(h), is defined as � d µ(h) = logr 2 d2 1 + · · · + d2 � , =-=(2)-=- r where log r(·) denotes the logarithm in base r. It is easy to see that a regular function has balance 1 and a constant function has balance 0. The following says that these are the two extremes: In... |

208 | The security of the cipher block chaining message authentication code
- Bellare, Kilian, et al.
(Show Context)
Citation Context ...known that B r (q) = \Theta (1) \Deltas` q 2 ' \Deltas1 r and P r (c) = \Thetas\Gamma p rc \Deltas; (3) assuming q ^ O( p r) and some appropriate upper bound on c. For precise bounds, see for example =-=[1]-=-. Relation to hash functions. Conventional wisdom appears to be that C h (q) = B r (q) and Q h (c) = P r (c) for any h: D ! R, where r = jRj. This conclusion appears to arise by viewing the points y 1... |

184 |
One way hash functions and des
- Merkle
- 1989
(Show Context)
Citation Context .... We look at some elements of current design to see how well they reflect this requirement. Hash functions like MD5 [7], SHA-1 [6] and RIPEMD-160 [3] are designed by applying the Merkle-Damg˚ard (MD) =-=[5, 2]-=- transform to an underlying compression function. Designers could certainly try to ensure that the compression function is regular or has high balance, but this turns out not to be enough to ensure hi... |

156 | Parallel collision search with cryptanalytic applications
- Oorschot, Wiener
- 1999
(Show Context)
Citation Context ...e birthday attack of Figure 1. Let µ(h) be the balance of h as per Definition 1. Then Additionally, C ≤ 1 4 · � � q · 2 � � q · 2 under the assumption that q ≤ (1/5) · r µ(h)/2 . 1 1 . (8) r µ(h) ≤ C =-=(9)-=- r µ(h) As we mentioned before, we believe it is important to have close upper and lower bounds rather than approximate equalities when it comes to computing the success rate of attacks since we are m... |

120 | RIPEMD-160: a strengthened version of RIPEMD
- Dobbertin, Bosselaers, et al.
- 1996
(Show Context)
Citation Context ...e to be building hash functions that have high balance. We look at some elements of current design to see how well they reflect this requirement. Hash functions like MD5 [7], SHA-1 [6] and RIPEMD-160 =-=[3]-=- are designed by applying the Merkle-Damg˚ard (MD) [5, 2] transform to an underlying compression function. Designers could certainly try to ensure that the compression function is regular or has high ... |

101 |
Collision-resistant hashing: Towards making UOWHFs practical
- Bellare, Rogaway
- 1997
(Show Context)
Citation Context ... is drawn at random and made public, specifying a particular hash function H k . This approach is particularly important in theoretical treatments involving proofs of security of collision-resistance =-=[6, 3]-=-, for there appears to be no meaningful formalization of a notion of collision-resistance for single functions as opposed to families. We, however, are not discussing the notion of collision-resistanc... |

35 |
Introduction of Cryptography
- Buchmann
- 2001
(Show Context)
Citation Context ...real function. Buchmann's discussion of the attack says: "We assume that strings from the domain can be chosen such that the distribution on the corresponding hash values is the uniform distribution" =-=[5]-=-. Under this assumption he correctly argues Equation (1), but it is unclear how to realize this assumption unless h is regular. Stallings [14, Section 11.5] says "the strength of a hash function again... |

34 |
How to swindle Rabin
- Yuval
- 1979
(Show Context)
Citation Context ...of trials, in the birthday attack of Figure 1, to get a collision. Let µ(h) be the balance of h as per Definition 1 and assume (( √ 7 − 2)/3) · r µ(h)/2 ≥ 2. Then (1/2) · r µ(h)/2 ≤ Q ≤ 72 · r µ(h)/2 =-=(10)-=- Designers of hash functions often have as target to make the hash function have “random” behavior. We now state a result which will enable us to gage how well random functions fare against the birthd... |

18 |
Introduction to Cryptography - Principles and Applications
- Delfs, Kneble
- 2002
(Show Context)
Citation Context ...ch is to consider the probability C $ D;R (q) that the birthday attack succeeds in q trials in the thought experiment where h is chosen at random from the set of all maps of D to R. One can show (cf. =-=[7, 16]-=- and Theorem 7.3) that C $ D;R (q) ss \Gammasq 2 \Deltas=r. Now one might argue that a given, "good" hash function h has "random behavior" and hence 1 We refer the reader to Section 4 for more details... |

8 |
A Design Principle for Hash Functions
- ˚ARD, I
- 1989
(Show Context)
Citation Context ...e. We look at some elements of current design to see how well they re ect this requirement. Hash functions like MD5 [6], SHA-1 [5] and RIPEMD-160 [2] are designed by applying the Merkle-Damgard (MD) [=-=4, 1]-=- transform to an underlying compression function. Designers could certainly try to ensure that the compression function is regular or has high balance, but this turns out not to be enough to ensure hi... |

2 |
Cryptography theory and practice, 1st Edition
- Stinson
- 1995
(Show Context)
Citation Context ... attack is presented in Figure 1. (Note that it picks the points x1, . . . , xq independently at random, rather than picking them at random subject to being distinct as in some variants of the attack =-=[8]-=-. The difference in performance is negligible as long as the domain is larger than the range.) We are interested in two quantities: the probability C of finding a collision in a given number q of tria... |

1 |
How to swindle Rabin. Cryptologia (3), 1979, 187-190. A Proof of Theorem 4.3 We will establish a somewhat stronger result, namely: Lemma A.1 Let h: D ! R be a hash function. Let d = jDj and r = jRj and assume d > r 2. Let Q denote the expected number of
- Yuval
(Show Context)
Citation Context ...on, i.e. a pair i; j such that x i 6= x j but y i = y j . We call q the number of trials. There are several variants of this attack which dier in the way the points x 1 ; : : : ; x q are chosen (cf. [=-=3, 7, 8]-=-). The one we consider is that these points are chosen independently at random from D. 1 Stinson [7, Section 7.3] says that, due to the birthday phenomenon which gives the attack its name, a collision... |

1 |
The MD5 message-digest algorithm. IETF RFC 1321
- August
- 1992
(Show Context)
Citation Context ...n (cf. [9, 15, 18, 20]). The one we consider is that they are chosen independently at random from D. Picking random points from the domain may be prohibitive in the case of a hash function like SHA-1 =-=[11]-=- whose domain is the set of all strings of length at most 2 64 . In such cases we would simply attack the function h = SHA n : f0; 1g n ! f0; 1g 160 , the restriction of SHA-1 to inputs of length n ! ... |