## Amplifying Collision Resistance: A Complexity-Theoretic Treatment

### Cached

### Download Links

- [www.cs.columbia.edu]
- [www.cs.berkeley.edu]
- [www.cs.berkeley.edu]
- [people.csail.mit.edu]
- [www.cs.tau.ac.il]
- [www.cs.bu.edu]
- [theory.stanford.edu]
- [eecs.harvard.edu]
- [theory.lcs.mit.edu]
- [people.csail.mit.edu]
- [people.csail.mit.edu]
- [theory.csail.mit.edu]
- [people.csail.mit.edu]
- [people.csail.mit.edu]
- [theory.lcs.mit.edu]
- [csail.mit.edu]
- [people.csail.mit.edu]
- [theory.csail.mit.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture |

Citations: | 9 - 1 self |

### BibTeX

@INPROCEEDINGS{Canetti_amplifyingcollision,

author = {Ran Canetti and Madhu Sudan and Luca Trevisan and Salil Vadhan and Hoeteck Wee},

title = {Amplifying Collision Resistance: A Complexity-Theoretic Treatment},

booktitle = {Advances in Cryptology — Crypto 2007, Volume 4622 of Lecture},

year = {}

}

### OpenURL

### Abstract

Abstract. We initiate a complexity-theoretic treatment of hardness amplification for collision-resistant hash functions, namely the transformation of weakly collision-resistant hash functions into strongly collision-resistant ones in the standard model of computation. We measure the level of collision resistance by the maximum probability, over the choice of the key, for which an efficient adversary can find a collision. The goal is to obtain constructions with short output, short keys, small loss in adversarial complexity tolerated, and a good trade-off between compression ratio and computational complexity. We provide an analysis of several simple constructions, and show that many of the parameters achieved by our constructions are almost optimal in some sense.

### Citations

2603 | Handbook of Applied Cryptography - Menezes, Oorschot, et al. - 1997 |

525 |
Theory and applications of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ...problem in more detail below.) This state of the art should be contrasted with the “sister problem” of constructing one-way functions. Here we have a well-established theory of hardness amplification =-=[27]-=- (see also [11]). That is, we have concrete notions of “strength” of one-way functions, and constructions that are guaranteed to provide “strong” one-way functions based on the sole assumption that th... |

321 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1990
(Show Context)
Citation Context ...ur amplification theorems for collision resistance. Target collision resistance. Our results extend also to the related notion of target collision resistance (namely, universal one-way hash functions =-=[18]-=-). Here we may use the same constructions as for collision resistance, except to replace the MerkleDamg˚ard domain expansion with that of Shoup [24], and the same analysis goes through. We stress that... |

302 |
A Design Principle for Hash Functions
- Damgard
- 1990
(Show Context)
Citation Context ...esistance of hash functions, such mechanisms could in themselves suggest methodologies for constructing hash functions “from scratch”. Several works propose design principles for hash functions, e.g. =-=[17, 4, 14, 3]-=-. These mechanisms can indeed be regarded as “hardness amplification” mechanisms for collision-resistant hash functions. However, with the exception of [4], which concentrates on increasing the domain... |

277 |
Foundations of Cryptography: Basic Tools
- Goldreich
- 2000
(Show Context)
Citation Context ... detail below.) This state of the art should be contrasted with the “sister problem” of constructing one-way functions. Here we have a well-established theory of hardness amplification [27] (see also =-=[11]-=-). That is, we have concrete notions of “strength” of one-way functions, and constructions that are guaranteed to provide “strong” one-way functions based on the sole assumption that the underlying bu... |

186 | Finding Collisions in the full SHA-1
- Wang, Yin, et al.
(Show Context)
Citation Context ...-way function of [10] is very bad as a collision-resistant function). Furthermore, both practice and theory indicate that collision resistance is considerably harder to achieve than one-wayness, e.g. =-=[6, 26, 25]-=-. Still, except for some specific points highlighted within, we show that it is possible to translate much of the analysis used in the study of amplification of one-wayness to the setting of collision... |

180 |
One way hash functions and DES
- Merkle
- 1990
(Show Context)
Citation Context ...esistance of hash functions, such mechanisms could in themselves suggest methodologies for constructing hash functions “from scratch”. Several works propose design principles for hash functions, e.g. =-=[17, 4, 14, 3]-=-. These mechanisms can indeed be regarded as “hardness amplification” mechanisms for collision-resistant hash functions. However, with the exception of [4], which concentrates on increasing the domain... |

105 | Chernoff-hoeffding bounds for applications with limited independence
- Schmidt, Siegel, et al.
- 1993
(Show Context)
Citation Context ...e assume in the rest of the proof that this is the case. Then, for each y ∈ {0, 1} ℓin−∆−log ℓin−2 : E[|S˜x ∪ Γz|] = |Γz| · 2 −ℓin+t+log ℓin+2 ≥ 2ℓin. Applying a tail bound for 6ℓin-wise independence =-=[22]-=-, we obtain: Pr g [S˜x ∩ Γz = ∅] ≤ 2 −2ℓin Taking a union bound over all y ∈ {0, 1} ℓin−∆−log ℓin−2 , we have: Pr g [∃y : S˜x ∩ Γz = ∅] ≤ 2 −2ℓin · 2 ℓin−∆−log ℓin−2 = 2 −Ω(ℓin) Finally, for each y, E... |

81 | Merkle-damgård revisited : How to construct a hash function - Coron, Dodis, et al. - 2005 |

74 | Finding collisions on a one-way street: Can secure hash functions be based on general assumptions
- Simon
- 1998
(Show Context)
Citation Context ...antees (say, based on the hardness of some well-studied problem) has turned out to be elusive. We also seem unable to construct collision-resistant functions from potentially simpler primitives, c.f. =-=[25]-=-. The problem is highlighted by the repeated attacks on the popular MD4, MD5 and SHA1 hash functions (refer to [20] and references therein). ⋆ Supported by NSF grants CFF-0635297 and Cybertrust 043045... |

72 | A Sample of Samplers - A Computational Perspective on Sampling (survey
- Goldreich
- 1997
(Show Context)
Citation Context ...ruction is fairly standard (e.g. randomness-efficient samplers were exploited in a similar manner in [5]), whereas the coding-theoretic construction requires a modified analysis of a previous sampler =-=[9]-=-. Reducing the output length. Starting with a family H of hash functions with output length ℓout and parameter q, the first two constructions yield a family with output length qℓout. We show that for ... |

66 |
Cryptanalysis of MD4
- Dobbertin
- 1998
(Show Context)
Citation Context ...-way function of [10] is very bad as a collision-resistant function). Furthermore, both practice and theory indicate that collision resistance is considerably harder to achieve than one-wayness, e.g. =-=[6, 26, 25]-=-. Still, except for some specific points highlighted within, we show that it is possible to translate much of the analysis used in the study of amplification of one-wayness to the setting of collision... |

49 |
One way hash functions and
- Merkle
- 1990
(Show Context)
Citation Context ...esistance of hash functions, such mechanisms could in themselves suggest methodologies for constructing hash functions “from scratch”. Several works propose design principles for hash functions, e.g. =-=[17,4,14,3]-=-. These mechanisms can indeed be regarded as “hardness amplification” mechanisms for collision-resistant hash functions. However, with the exception of [4], which concentrates on increasing the domain... |

46 | A composition theorem for universal one-way hash functions
- Shoup
(Show Context)
Citation Context ...ay hash functions [18]). Here we maysAmplifying Collision Resistance 7 use the same constructions as for collision resistance, except to replace the MerkleDamg˚ard domain expansion with that of Shoup =-=[24]-=-, and the same analysis goes through. We stress that the extension should not be taken for granted, because techniques for collision resistance do not always extend readily to target collision resista... |

40 | Yevgeniy Dodis, Cécile Malinaud, and Prashant Puniya, Merkle Damg̊ard revisited: How to construct a hash function - Coron - 2005 |

36 | Candidate one-way functions based on expander graphs - Goldreich |

30 | Towards proving strong direct product theorems
- Shaltiel
- 2003
(Show Context)
Citation Context ...trong” one-way functions based on the sole assumption that the underlying building block is a “weak” one-way function. Several lower bounds for “black-box” hardness amplification are also known, e.g. =-=[23, 15]-=-. We note that collision resistance often exhibits very different properties than onewayness. For one, constructing collision-resistant hash functions calls for different design principles (e.g. the p... |

24 | The classification of hash functions
- Anderson
- 1993
(Show Context)
Citation Context ... be extended to several other variants of collision resistance. Details of these extensions are deferred to the final version of the paper. Resistance to correlations. As noted in previous work (e.g. =-=[1]-=-), collision resistance can be regarded as a special case of “resistance to finding correlations.” That is, for a given k-ary relation R, say that a family of functions H is R-resistant if it is hard ... |

23 | Finding collisions on a public road, or do secure hash functions need secret coins
- Hsiao, Reyzin
- 2004
(Show Context)
Citation Context ...ications of hash functions actually require strong CRHFs, so whenever the strength of the CRHF is not qualified, we will refer to strong CRHFs. Public-coin vs. secret-coin hash functions. As noted in =-=[13]-=-, a distinction needs to be made between public-coin and secret-coin hash functions. In a public-coin hash function, the key corresponds to a uniformly generated random string and the key generation a... |

22 | Formalizing human ignorance: Collision-resistant hashing without the keys
- Rogaway
- 2006
(Show Context)
Citation Context ...urity is analyzed for the case where the key is chosen at random (from the space of keys) and madesAmplifying Collision Resistance 3 public. We point out several advantages of this approach. Refer to =-=[21]-=- for a more detailed discussion. First, it allows for a natural modeling of the adversary as an algorithm (a circuit) that takes for input a key κ identifying a function hκ in the family and tries to ... |

15 | On the Impossibility of Efficiently Combining Collision Resistant Hash Functions
- Boneh, Boyen
- 2006
(Show Context)
Citation Context ...derlying building blocks have some weaker collision resistance properties. (Recently, the closely related problem of constructing “combiners” for hash functions has been studied in the standard model =-=[2, 19]-=-; we discuss this problem in more detail below.) This state of the art should be contrasted with the “sister problem” of constructing one-way functions. Here we have a well-established theory of hardn... |

12 | On hardness amplification of oneway functions
- Lin, Trevisan, et al.
- 2005
(Show Context)
Citation Context ...trong” one-way functions based on the sole assumption that the underlying building block is a “weak” one-way function. Several lower bounds for “black-box” hardness amplification are also known, e.g. =-=[23, 15]-=-. We note that collision resistance often exhibits very different properties than onewayness. For one, constructing collision-resistant hash functions calls for different design principles (e.g. the p... |

10 |
Randomnessoptimal characterization of two NP proof systems
- Santis, Crescenzo, et al.
- 2002
(Show Context)
Citation Context ...omness-efficient sampling using expander graphs. The sampler we require for the concatenation construction is fairly standard (e.g. randomness-efficient samplers were exploited in a similar manner in =-=[5]-=-), whereas the coding-theoretic construction requires a modified analysis of a previous sampler [9]. Reducing the output length. Starting with a family H of hash functions with output length ℓout and ... |

9 | Construction of secure and fast hash functions using nonbinary error-correcting codes
- Knudsen, Preneel
(Show Context)
Citation Context ...esistance of hash functions, such mechanisms could in themselves suggest methodologies for constructing hash functions “from scratch”. Several works propose design principles for hash functions, e.g. =-=[17, 4, 14, 3]-=-. These mechanisms can indeed be regarded as “hardness amplification” mechanisms for collision-resistant hash functions. However, with the exception of [4], which concentrates on increasing the domain... |

9 | Non-Trivial Black-Box Combiners for Collision-Resistant Hash-Functions don’t Exist
- Pietrzak
(Show Context)
Citation Context ...derlying building blocks have some weaker collision resistance properties. (Recently, the closely related problem of constructing “combiners” for hash functions has been studied in the standard model =-=[2, 19]-=-; we discuss this problem in more detail below.) This state of the art should be contrasted with the “sister problem” of constructing one-way functions. Here we have a well-established theory of hardn... |

7 |
Discrete logarithm hash function that is collision free and one way
- Gibson
- 1991
(Show Context)
Citation Context ...es or properties of the key in use and work for some keys but not others. Specific examples include Dobbertin’s attack on MD5 [6], time-memory trade-off attacks, and attacks on Gibson’s hash function =-=[8]-=-. In particular, it may well be possible that even “broken” functions still have a significant fraction of keys for which attacks are less successful. On the other hand, it may not be sufficient to si... |

3 | Tolerant combiners: Resilient cryptographic design. Cryptology ePrint Archive, Report 2002/135
- Herzberg
- 2002
(Show Context)
Citation Context ...open problem. Combiners. Our results pertaining to the output length (namely the fourth construction and lower bounds thereof) build on the recent work on black-box combiners for collision resistance =-=[2, 19, 12]-=-. We briefly recall the notion and results and explain the connection to hardness amplification. Black-box combiners for collision resistance. A black-box combiner for collision resistance is a proced... |

2 | Security-amplifying combiners for collision-resistant hash functions
- Fischlin, Lehmann
- 2007
(Show Context)
Citation Context ...ollision-resistant. We note that it is possible to construct a combiner having output length t · (ℓout − O(log n)) using our randomized black-box combiner. The concurrent work of Fischlin and Lehmann =-=[7]-=- studies a very similar problem, albeit in an idealized model that only admits generic attacks on the hash functions. Extensions. Our positive results for hardness amplification of collision resistanc... |

1 | Hash functions - present state of art - Preneel - 2005 |