## VSH, an Efficient and Provable Collision-Resistant Hash Function (2006)

Venue: Lecture Notes in Computer Science

Citations: 13 (1 self)

### BibTeX

@INPROCEEDINGS{Contini06vsh,
  author    = {Scott Contini and Arjen K. Lenstra and Ron Steinfeld},
  title     = {VSH, an Efficient and Provable Collision-Resistant Hash Function},
  booktitle = {Lecture Notes in Computer Science},
  year      = {2006},
  pages     = {165--182},
  publisher = {Springer}
}

### Abstract

We introduce VSH, very smooth hash, a new S-bit hash function that is provably collision-resistant assuming the hardness of finding nontrivial modular square roots of very smooth numbers modulo an S-bit composite. By very smooth, we mean that the smoothness bound is some fixed polynomial function of S. We argue that finding collisions for VSH has the same asymptotic complexity as factoring using the Number Field Sieve factoring algorithm, i.e., subexponential in S. VSH is theoretically pleasing because it requires just a single multiplication modulo the S-bit composite per Ω(S) message-bits (as opposed to O(log S) message-bits for previous provably secure hashes). It is relatively practical. A preliminary implementation on a 1 GHz Pentium III processor that achieves collision resistance at least equivalent to the difficulty of factoring a 1024-bit RSA modulus runs at 1.1 MB/s, with a moderate slowdown to 0.7 MB/s for 2048-bit RSA security. VSH can be used to build a fast, provably secure randomised trapdoor hash function, which can be applied to speed up provably secure signature schemes (such as Cramer-Shoup) and designated-verifier signatures.
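As an added illustration (not the authors' code), a toy Python implementation of the compression function H(x, m) = x^2 ∏_{i=1}^k p_i^{m_i} mod n quoted in the citation contexts below, iterated from x_0 = 1 over k-bit blocks. The final block encoding the message length ℓ is my reading of the paper's padding (it is what makes the ℓ < 2^k requirement mentioned below necessary) and should be treated as an assumption; the 40-bit modulus is constructed for illustration and is far too small for any security.

```python
# Toy VSH: compression function and iterated mode. Added example, not the
# paper's code. TOY_N is a constructed ~40-bit modulus for illustration only.
from math import prod

TOY_N = 999983 * 1000003  # constructed: product of two well-known primes


def small_primes(n):
    """Return p_1..p_k, the first k primes with the largest k s.t. their
    product is < n (VSH's choice of k for a modulus n)."""
    primes, cand = [], 2
    while prod(primes) * cand < n:
        if all(cand % p for p in primes):  # trial division by smaller primes
            primes.append(cand)
        cand += 1
    return primes


def compress(x, block, primes, n):
    """H(x, m) = x^2 * prod_{i=1..k} p_i^{m_i} mod n, block = k bits m_i."""
    assert len(block) == len(primes)
    y = x * x % n
    for p, bit in zip(primes, block):
        if bit:
            y = y * p % n
    return y


def vsh_hash_bits(bits, n=TOY_N):
    """Iterate H over zero-padded k-bit blocks starting from x_0 = 1, then
    absorb one extra block holding the bit length (little-endian).
    Assumption: this length block is the paper's padding (requires l < 2^k)."""
    primes = small_primes(n)
    k = len(primes)
    length = len(bits)
    assert length < 2 ** k, "message too long for the k-bit length block"
    padded = list(bits) + [0] * (-length % k)
    x = 1
    for j in range(0, len(padded), k):
        x = compress(x, padded[j:j + k], primes, n)
    length_block = [(length >> i) & 1 for i in range(k)]
    return compress(x, length_block, primes, n)


def vsh_hash_bytes(data, n=TOY_N):
    """Hash a byte string, most significant bit of each byte first."""
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    return vsh_hash_bits(bits, n)


if __name__ == "__main__":
    print(hex(vsh_hash_bytes(b"VSH")))  # constructed sample input
```

For very short inputs the output is still a small product of the p_i (e.g. the one-bit message 1 hashes to 8 here), which is the invertibility the contexts below discuss and the reason the paper suggests extra squarings of the final output.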

### Citations

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
Context: ...on mentioned above appeared in [17, 20]. A collision-resistant hash function based on a claw free permutation pair (where claw finding is provably as hard as factoring an RSA modulus) was proposed in [9]—this function requires 1 squaring per bit processed. In [7] the construction is generalised to use families of r ≥ 2 claw free permutations, such that log_2(r) bits can be processed per permutation e...

376 | The state of elliptic curve cryptography
- Koblitz, Menezes, et al.
Context: ...A possible drawback of VSH is its relatively large output length. We are investigating length-reduction possibilities by combining VSH-DL with elliptic curve, trace, or torus-based methods [10, 12, 22]. 4 VSH Randomised Trapdoor Hash and Applications. Let M, R, H be a message, randomiser, and hash space, respectively. A randomised trapdoor hash function [20] F_pk : M × R → H is a collision-resistant ...

288 | A Design Principle for Hash Functions
- Damgård
- 1989
Context: ...of VSH. Compression function H. VSH applies the compression function H(x, m) : Z_n^* × {0, 1}^k → Z_n^* with H(x, m) = x^2 ∏_{i=1}^k p_i^{m_i} mod n, and applies a variant of the Merkle-Damgård transformation [15, 8] to extend H to arbitrarily long inputs. We comment on why this works in Section 3.1. 1024-bit n. For 1024-bit n, the value for k would be 131. The requirement ℓ < 2^k is therefore not a problem in any...

175 | One way hash functions and DES
- Merkle
- 1990
Context: ...of VSH. Compression function H. VSH applies the compression function H(x, m) : Z_n^* × {0, 1}^k → Z_n^* with H(x, m) = x^2 ∏_{i=1}^k p_i^{m_i} mod n, and applies a variant of the Merkle-Damgård transformation [15, 8] to extend H to arbitrarily long inputs. We comment on why this works in Section 3.1. 1024-bit n. For 1024-bit n, the value for k would be 131. The requirement ℓ < 2^k is therefore not a problem in any...

150 | Signature schemes based on the strong RSA assumption
- Cramer, Shoup
- 1999
Context: ...adaptive chosen message attack [20], and in designated-verifier signature schemes to achieve privacy [11, 21]. Our function can replace the trapdoor function used in the Cramer-Shoup signature scheme [6], maintaining its provable security while speeding up verification time by about 50%. We also present a variant of VSH using a prime modulus p (with no trapdoor), which has about the same efficiency a...

135 | Designated verifier proofs and their applications
- Jakobsson, Sako, et al.
- 1996
Context: ...randomised trapdoor hash functions are used in signature schemes to achieve provable security against adaptive chosen message attack [20], and in designated-verifier signature schemes to achieve privacy [11, 21]. Our function can replace the trapdoor function used in the Cramer-Shoup signature scheme [6], maintaining its provable security while speeding up verification time by about 50%. We also present a va...

130 | Prime Numbers: a computational perspective
- Crandall, Pomerance
Context: ...t one hopes to be p_u-smooth, since this probability is indicative for the efficiency of the collection process. For the fastest factoring algorithms published so far, the Number Field Sieve (NFS, cf. [13, 5]), the overall expected runtime (including the linear algebra) is minimised—based on loose heuristic grounds—when, asymptotically for n → ∞, u behaves as L[n, 0.96...]. For this u, the running time i...

126 | The Development of the Number Field Sieve
- Lenstra, Lenstra
- 1993
Context: ...t one hopes to be p_u-smooth, since this probability is indicative for the efficiency of the collection process. For the fastest factoring algorithms published so far, the Number Field Sieve (NFS, cf. [13, 5]), the overall expected runtime (including the linear algebra) is minimised—based on loose heuristic grounds—when, asymptotically for n → ∞, u behaves as L[n, 0.96...]. For this u, the running time i...

124 | Efficient generation of shared RSA keys
- Boneh, Franklin
- 1997
Context: ...cf. trapdoor hashes in [20]). Therefore, for wide-spread application of a single VSH-modulus one has to rely on a trusted party to generate the modulus (and not to create collisions). Or one could use [2] to generate a modulus with knowledge of its factorisation shared among a group of authorities. For a one time computation the overhead may be acceptable. If each party would have its own VSH-modulus, ...

80 | A new paradigm for collision-free hashing: Incrementality at reduced cost
- Bellare, Micciancio
- 1997
Context: ...algorithms exist [7] which require a multiplication per O(log log n) message-bits, but beyond that it seems that so far all attempts to gain efficiency came at the cost of losing provability (see also [1]). We propose a hash algorithm that uses a single multiplication per Ω(log n) message-bits. It uses RSA-type arithmetic, obviating the need for completely separate hash function code such as SHA-1. Ou...

80 | The XTR public key system
- Lenstra, Verheul
- 2000
Context: ...A possible drawback of VSH is its relatively large output length. We are investigating length-reduction possibilities by combining VSH-DL with elliptic curve, trace, or torus-based methods [10, 12, 22]. 4 VSH Randomised Trapdoor Hash and Applications. Let M, R, H be a message, randomiser, and hash space, respectively. A randomised trapdoor hash function [20] F_pk : M × R → H is a collision-resistant ...

75 | Cryptographic hash-function basics: Definitions, implications, and separations for preimage resistance, second-preimage resistance, and collision resistance
- Rogaway, Shrimpton
- 2004
Context: ...of VSH, we turn to its most attractive property, namely its provable collision resistance. 3.1 Security Proof for VSH. We prove that VSH is (strongly) collision-resistant. Using proper security notions [19], (strong) collision resistance also implies second preimage resistance. Theorem 1. Finding a collision in VSH is as hard as solving VSSR (i.e., VSH is collision-resistant under the assumptions from S...

70 | Cryptographically strong undeniable signatures, unconditionally secure for the signer. Interner Bericht, Fakultät für Informatik
- Chaum, van Heijst, et al.
- 1990
Context: ...nection between the hardness of VSDL and the hardness of computing DLs modulo p, which is reminiscent of, but seems to be somewhat weaker than, the connection between VSSR and factorisation. See also [3]. As was the case for VSSR, moduli for which VSDL is not difficult are easily constructed and not worthy of further consideration. Let p be an S-bit prime of the form 2q + 1 for prime q, let k be a fix...

46 | Improved online/offline signature schemes. CRYPTO '01, LNCS 2139, pp. 355–367, Springer-Verlag, 2001
- Shamir, Tauman
Context: ...ing, provable reducibility, integer factoring. 1 Introduction. Current collision-resistant hash algorithms that have provable security reductions are too inefficient to be used in practice. One example [17, 20] that is provably reducible from integer factorisation is of the form x^m mod n where m is the message, n a supposedly hard to factor composite, and x is some prespecified base value. A collision x^m ≡ ...

40 | A new public-key cryptosystem
- Naccache, Stern
- 1997
Context: ...∏_{i=1}^k p_i^{m_{L·k+i}}, and checks if the resulting value is very smooth. This type of invertibility may be undesirable for some applications, but others require just collision resistance (cf. below). See [16] for a related application. A solution to this invertibility problem that does not affect our proof of security (cf. below) is to square the final output enough times to ensure wraparound (no more tha...

26 | Torus-based cryptography
- Rubin, Silverberg
Context: ...A possible drawback of VSH is its relatively large output length. We are investigating length-reduction possibilities by combining VSH-DL with elliptic curve, trace, or torus-based methods [10, 12, 22]. 4 VSH Randomised Trapdoor Hash and Applications. Let M, R, H be a message, randomiser, and hash space, respectively. A randomised trapdoor hash function [20] F_pk : M × R → H is a collision-resistant ...

19 | Collision-free hash functions and public key signature schemes
- Damgård
- 1987
Context: ...ynomial time assuming certain properties of x. The above algorithm is quite inefficient because it requires on average 1.5 multiplications modulo n per message-bit. Improved provable algorithms exist [7] which require a multiplication per O(log log n) message-bits, but beyond that it seems that so far all attempts to gain efficiency came at the cost of losing provability (see also [1]). We propose a ...

18 | The composite discrete logarithm and secure authentication
- Pointcheval
- 2000
Context: ...ing, provable reducibility, integer factoring. 1 Introduction. Current collision-resistant hash algorithms that have provable security reductions are too inefficient to be used in practice. One example [17, 20] that is provably reducible from integer factorisation is of the form x^m mod n where m is the message, n a supposedly hard to factor composite, and x is some prespecified base value. A collision x^m ≡ ...

17 | Efficient extension of standard Schnorr/RSA signatures into universal designated-verifier signatures
- Steinfeld, Wang, et al.
- 2004
Context: ...distributed in R. Randomised trapdoor hash functions have applications in provably strengthening the security of signature schemes [20], and constructing designated-verifier proofs/signature schemes [11, 21]. The factorisation trapdoor of VSH suggests that it can be used to build such a function. Here we describe a provably secure randomised trapdoor hash family which preserves the efficiency of VSH. Key...

12 | Factoring estimates for a 1024-bit RSA modulus
- Lenstra, Tromer, et al.
- 2003
Context: ...und faster than L[n, 1.923...]/u on average, asymptotically for n → ∞. For u-values much smaller than the optimum, the actual time to find a relation will be considerably larger (cf. remark below and [14]). For u ≈ (log n)^c, it is conservatively estimated that finding a relation requires runtime at least L[n, 1.923...]/(log n)^c = L[n, 1.923...], asymptotically for n → ∞, because the denominator get...

6 | VSH, an efficient and provable collision resistant hash function (earlier eprint version of this paper)
- 2005
Context: ...∏_{i=1}^k p_i^{m_{j·k+i}} mod n. Message length. The message length does not need to be known in advance, which is useful for applications involving streaming data. In an earlier version which appeared on eprint [4], the message length was prepended, which may prove inconvenient and also required usage of p_{k+1}. If one uses the common method of appending a single 1 bit prior to zero-padding the final block, colli...

2 | Factoring estimates for a 1024-bit RSA modulus
- Leyland
- 1989

2 | Are 'strong' primes needed for RSA. Report 2001/007, Cryptology ePrint Archive
- Rivest, Silverman
- 2001
Context: ...very close to a perfect square. However, such examples occur with exponentially small probability assuming the factors of n are chosen randomly, as required. According to proper security definitions [18], these examples do not even qualify as weak keys since the time-to-first-solution is slower than factoring, and therefore are not worthy of further consideration. The VSSR Assumption is rather weak a...

1 | Crypto++ 5.2.1 Benchmarks. www.eskimo.com/~weidai/benchmarks.html
- Dai
Context: ...= 8 message-bits at a time. With S' = 1024 and S = 1516 (i.e., at least 1024-bit RSA security, at the cost of a 1516-bit VSH-modulus) Fast VSH is about 25 times slower than Wei Dai's SHA-1 benchmark [23]. Better throughput will be obtained under the more aggressive assumption that VSH with an S-bit modulus achieves S-bit RSA security. A similarly more favorable comparison will be obtained when using ...