structural properties of one-way hash functions · the existence of one-way gttasi-injections....
TRANSCRIPT
Structural Properties ofOne-Way Hash Functions
Yuliang Zheng
Tsutomu Matsumoto
Hideki Imai
Division of Electrical and Computer EngineeringYokohama National University
156 Tokiwadai, Hodogaya, Yokohama, 240 JAPAN
Abstract
We study the following two kinds of one-way hash functions: universal one-way hash functions (UOHs) and collision intractable hash functions (CIHs).The main property of the former is that given an initial-string x, it is com-putationally difficult to find a different string y that collides with x. And themain property of the latter is that it is computationally difficult to find a pairx i=- y of strings such that x collides with y. Our main results are as follows.First we prove that UOHs with respect to initial-strings chosen arbitrarily existif and only if UOHs with respect to initial-strings chosen arbitrarily at existexist. Then, as an application of the result, we show that UOHs with respect toinitial-strings chosen arbitrarily can be constructed under a weaker assumption,the existence of one-way gttasi-injections. Finally, we investigate relationshipsamong various versions of one-way hash functions. We prove that some versionsof one-way hash functions are strictly included in others by explicitly construct-ing hash functions that are one-way in the sense of the former but not in thesense of the latter.
1 IntroductionOne-way hash functions are a principal primitive in cryptography. There are roughlytwo kinds of one-way hash functions: universal one-way hash functions (UOHs) andcollision intractable hash functions (CIHs). The main property of the former is thatgiven an initial-string x, it is computationally difficult to find a different string yA.J. Menezes and S.A. Vanstone (Eds.): Advances in Cryptology - CRYPTO '90, LNCS 537, pp. 285-302, 1991.© Springer-Verlag Berlin Heidelberg 1991
286
that collides with x. And the main property of the latter is that it is computation- ally difficult to find a pair IC # y of strings such that z collides with y. Nmr and Yung constructed UOHs under the assumption of the existence of one-way injections (i.e., one-way one-to-one functions) [NY89], and Damgkd constructed CIHs under a stronger assumption, the existence of claw-free pairs of pennutations [Dam89]. In [NY89], Naor and Yung also presented a general method for transforming any UOH into a secure digital signature scheme. We are interested both in constructing UOHs under weaker assumptions and in relationships among various versions of one-way hash functions. Our main results are summarized as follows.
First, we prove that UOHs with respect to initial-strings chosen uniformly at ran- dom can be transformed into UOHs with respect to initial-strings chosen arbitrarily. Thus UOHs with respect to initial-strings chosen arbitrarily exist if and only if UOHs with respect to initial-strings chosen uniformly at random exist. The proof is con- structive, and may significantly simplify the construction of UOHs with respect to initial-strings chosen arbitrarily, under the assumption of the existence of one-way functions. Then, as an application of the transformation result, we prove that UOHs with respect to initial-strings chosen arbitrarily can be constructed under a weaker as- sumption, the existence of one-way quasi-injections (whose definition is to be given in Section 5). Next, we investigate relationships among various versions of one-way hash functions. We show that some versions of one-way hash functions are strictly included in others by explicitly constructing hash functions that are one-way in the sense of the former but not in the sense of the latter. A simple method, which appears in [ZMISO], for constructing UOHs from one-way permutations whose (simultaneously) hard bits have been identified is described in Appendix.
2 Notation and Definitions
The set of all positive integers is denoted by N. Let C = ( 0 , l ) be the alphabet we consider. For n E N, denote by C" the set of all strings over C with length n, by C' that of all finite length strings including the empty string, denoted by A, over rY, and by C+ the set C' - {A}. The concatenation of two strings x, y is denoted by x o y , or simply by zy if no confusion arises. The length of a string x is denoted by 1x1, and the number of elements in a set S is denoted by #S.
Let I be a monotone increasing function from N to N, and f a (total) function from D to R, where D = U, D,, D, C", and R = U, R,, R, 5 Ce("). D is called the domain, and R the range of f. For simplicity of presentation, in this paper we always assume that Dn = C" and R, = Ce("). Denote by f n the restriction of f on C". We axe concerned only with the case when the range of fn is Ce("), i.e., f, is a function from C" to Ce("). f is an injection if each fn is a one-to-one function, and is a permu- tation if each fn is a one-to-one and onto function. f is (deterministic/probabilistic)
287
polynomial time computable if there is a (deterministic/probabilistic) polynomial (in 1.1) time algorithm (Turing machine) computing f (x) for all z E D. The composition of two functions f and g is defined as f o g ( s } = f(g(z)). In particular, the i-fold composition o f f is denoted by f ( i ) ,
A (probability) ensemble E with length [ ( n ) is a family of probability distributions {EnlEn : -+ [0,1], n E N}. The uniform ensemble U with length !(n) is the family of uniform probability distributions U,, where each U, is defined as U n ( X ) = 1/2e(n) for d l z E CC("). By z E E Ce(") we mean that z is randomly chosen from Ee(") according to En, and in particular, by Z E ~ S we mean that 2 is chosen from the set S uniformly at random. E is samplable if there is a (probabilistic) algorithm M that on input n outputs an x e E Cetn), and polynomially samplable if furthermore, the running time of hl is polynomially bounded.
Now we introduce the notion for one-way functions, a topic that has received extensive research (see for examples [Ym82] [Wa88] (ILL891).
Definition 1 Let f : D + R, where D = U, C" and R = U, Xe(,), be a polynomial time computable function, and let E be an ensemble with length n. (1) f is one-way with respect to E if for each probabilistic polynomial time algorithm M , for each polynomial Q and for all suflciently large n , Pr{ fn(z) = fn(M( fn(z>))} < l/Q(n), when x E E C". (2) f is one-way if it is one-way with respect to the uniform ensemble U with length n.
There are two basic computation models: Turing machines and combinational cir- cuits (see for examples [Pip791 [I<L82] [BDG88]). The above definition for one-way functions is with respect to t,he Turing machine model. A stronger version of one- way functions that is with respect to the circuit model can be obtained by changing algorithms M in the above definition to families M = { M , I n E N} of polynomial size circuits.
3 Universal One-way Hash Functions
The central concept treated in this paper is one-way hash functions. Two kinds of one-way hash functions have been considered in the literature: universal one-way hash functions and collision-intractable hash functions (or shortly UOHs and CIHs, respectively). In [Mer89] the former is called weakly and the latter stronglp, one-way hash functions respectively. Naor and Yung gave a formal definition for UOH [NYSS], and Damgkd gave for CIH [Dam89]. In this section, a formal definition for UOH that is more general than that of [NY89] is given. We feel our formulation more reasonable. This will be explained after the formulation is introduced. CIH will be treated in later sections.
288
Let C be a polynomial with e(n) > n. H be a family of functions defined by H = U, H , where X,, is a (possibly multi-)set of functions from Ce(,,) to C". Call f? a hush function compressing l(n)-bit input into n-bit output strings. For two strings s, y E C'(") with x # y, we say that x and y collide with each other under h E Hn, or (z, y) is a collision pair for h, if h(s ) = h(y ) .
H is polpnomial time computable if there is a polynomial (in n) time algorithm computing all h E H , and accessible if there is a probabilistic polynomial time algo- rithm that on input n E N outputs uniformly at random a description of h E H,,. It is assumed that all hash functions considered in this paper are both polynomial time computable and accessible.
Let H be a hash function compressing C(n)-bit input into n-hit output strings, and E an ensemble with length l (n ) . The definition for UOH is best described as a three-party game. The three parties are S (an initial-string supplier), G (a hash function instance generator) and F (a collision-string finder). S is an oracle whose power is un-limited, and both G and F are probabilistic polynomial time algorithms. The first move is taken by S, who outputs an initial-string x cE Ce(n) and sends it to both G and F . The second move is taken by G, who chooses, independently of x, an ~ E R H ~ and sends it to F . The third and also final (null) move is taken by F , who on input z E Ce(") and h E H,, outputs either "?" (I don't know) or a string y E I?(.) such that z # y and h(z ) = h(y) . F wins a game iff his/her output is not equal to "?". Informally, H is a universal one-way hash function with respect to E if for any collision-string finder F , the probability that F wins a game is negligible. More precisely:
Definition 2 Let H be a hash function compressing P(n)-bit input into n-bit output strings, P a collection of ensembles with length P(n), and F a collision-string finder. H is a universal one-way hash function with respect to P , denoted by UOH/P, if for each E E P , for each F , for each polynomial Q , and for all suficiently large n , Pr{F(x, h) #?} < l /Q(n) , where x and h are independently chosen from Ce(") and H,, according to En and to the uniform distribution over H, respectioely, and the probability Pr{F(x, h ) #?} is computed over Ee("), H,, and the sample space of all finite strings of coin pips that F could have tossed.
If P consists of a single ensemble E (i.e., P = {E}), UOHIE is synonymous with UOHIP. Of particular interest are the following versions of UOH: (1) UOH/EN[&J, where E N [ q is the collection of all ensembles with length ( (n) . (2) UOH/PSE[C], where PSE[C] is the collection of all polynomially samplable ensembles with length C(n). (3) UOH/U, where U is the uniform ensemble with length C(n).
In [NY89], Nmr and Yung gave a definition for UOH. They did not separate initial-string ensembles from collision-string finders. Instead, they introduced a prob- abilistic polgnomial time algorithm A( , , .), called a collision adversary that works
289
in two stages: At the first stage, the algorithm A, on input (X,X) where X de- notes the empty string, outputs an initial value (corresponding to our initial-string) x = A ( & A ) E Ce(") . At the second stage, it, when given an h E H,, attempts to find a string y = A(x ,h) E Ce(,,) such that 2 # y and h(x) = h(y).
Thus Nwr and Yung defined, in our terms, universal one-way hash function with respect to polynomially samplable ensembles with length C( n ) , i.e., UOHIPSEIC]. Naor and Yung constructed one-way hash functions in the sense of UOH/PSE[q under the assumption of the existence of one-way injections [NY89]. Note that they actually obtained a construction for one-way hash functions in the sense of UOH/EN[q. In [ZMISO] we construct, in a different approwh, one-way hash functions in the sense of UOH/EN[P] under the assumption of the existence of one-way permutations. See Appendix for the description of the construction.
Separating initial-string ensembles from collision-string finders is conceptually much clearer, and enables us to reduce the problem of constructing one-way hash functions in the sense of UOH/EN[C] (the "strongest" UOHs) to that of constructing one-way hash functions in the Sense of UOH/U (the "weakest" UOHs). This topic is treated in Section 4.
The above definition for UOH is with respect to the Turing machine model. As a natural counterpart of UOHIP, where P is a set of ensembles with length C(n), we have UOHc/P, whose definition is obtained simply by changing probabilistic polynomial time algorithms F in Definition 2 to families F = {F,, I n E N} of polynomial size circuits.
The definition for UOH can also be generalized in another direction: In addition to x E Ce(n) and h E H,,, a collision-string finder F is allowed to receive an extra advice string a. As before, the output of F is either "?" or a string 3 E Ce(") such that x # g and h(s) = h(y).
Definition 3 Let H be a hash function compressing !(n)-bit input into n-bit output strings. H is a universal one-way hash function with respect to polynomial length advice, denoted by UOH/ENIpoly], i f for each pair (Q1,Q2) of polynomials with Ql(n) 2 [ (n) , for each ensemble E with length Ql(n) , for each collision-string finder F , and for all suficiently large n, Pr{F(x,a,h) #?} < l / Q a ( n ) , where x E a E ZQ1(")-'("), x o a and h are independently chosen from EQ1(") and H, accord- ing to En and to the uniform distribution over H, respectively, and the probability Pr(F(x,a,h) #?} is computed over CQ1(R), H,, and the sample space of d l finite strings of coin f l ips that F could have tossed.
Notice the difference between Turing machines taking advice discussed in (Pip791 [KL82] and collision-string finders in our Definition 3. In the former case, advice strings are uniquely determined for each n E N. While in the latter case, they are generated probabilistically. In Section 7, we will discuss relationships among various
290
versions of one-way hash functions including UOH/U, UOH/PSE[e], UOH/EN[b], UOHc/EN[q, and UOH/ENlpdy] .
4 Transforming UOH/U into UOH/EN[k']
Let PI, Pz be collections of ensembles with length t (n) . We say that UOH/Pl is trans- formable into UOH/P2 iff given a one-way hash function H in the sense of UOH/Pl, we can construct from H a one-way hash function H' in the sense of UOH/P*. The main result of this section is Theorem 1 to be proved below, which states that UOH/U is transformable into UOH/EN[e]. Thus constructing one-way hash functions in the sense of U O H / E N [ l ] under certain assumptions can be fulfilled in two steps: At the first step, we construct one-way hash functions in the sense of UOH/U. This would be easier, since a uniform ensemble would be easier to handle than arbitrary ones. Then at the second step, w e apply the proof technique for Theorem 1 to obtain one-way hash functions in the sense of UOH/EN[ l ] .
To prove Theorem 1, we require a function family called an znvertrble uniformizer. Let T, be a set of permutations over Hn), and let T = U, T,. T is a unzformizer with length !(n) if it has the following properties 1, 2 and 3. Furthermore, F is inuertible if it also has the following property 4.
1. For each n, for each pair of strings z,y E Cecn), there are exactly PTn/2p(n) permutations in T, that map z to y.
2. There is a probabilistic polynomial time algorithm that on input n outputs a tERT,.
3. There is a polynomial tiine algorithm that computes all t E T .
4. There is a polynomial time algorithm that computes t-' for all t E T
The first property implies that for any n E N and any x E Ze("), when t is chosen randomly and uniformly from T,, the probability that t ( z ) coincides with a particular y E Ce(n) is (#Tn/2'("))/$Tn = 1/24("), i.e., t ( z ) is distributed randomly and uniformly over Ce(,) .
Now we give a concrete invertible uniformizer with length !(n). Note that there is a natural one-to-one correspondence between strings of Ce(n) and elements of G F ( 2'(.)). So we will not distinguish GF(2'(")) from C'("). Let a and b be elements of GF(2"(")) with a # 0. Then the affine transformation t defined by t ( z ) = a .3: + b is a permu- tation over GF(2e(n)), where and + are multiplication and addition over GF(2'(")) respectively. Denote by T, the set of all the &ne transformations on GF(2e(")) de- fined as above. Clearly, tfT, = 2e(n)(2e(n) - l), and for any elements z, y E GF(2'(")) , there are exactly (2e(n) - 1) = #Tn/2e(") affine transformations in T, that map z to 3. In addition, generating t c~T, is easy, and for all t E T , computing t and t-' are
291
simple tasks. Thus T = UnTn is an invertible uniformizer with length .!(n). In sec- tion 5, T will once again play a crucial role in constructing one-way hash functions in the sense of UOH/EN[C] from one-way quasi-injections. Now we are ready to prove the following:
Theorem 1 U O H P is tmns fomable into UOH/EN[t!].
Proof : Assume that H is a one-way hash funct,ion in the sense of UOH/Cr, where U is the uniform ensemble with length /!(n). We show how to construct from H a hash function H' that is one-way in the sense of UOH/EX[P].
Let T = U, T, be an invertible uniformizcr with length /!(n). Given H and T = U,T,, we construct H' as follows: H' = U, HL, where HA = {h' I h' = h o t , h E H,,t E T,}. We claim that H' is one-way in the sense of UOH/EN[I].
Assume for contradiction that H' is not one-way in the sense of UOH/EN[C]. Then there are a polynomial Q , an infinite subset N' & N, an ensemble E' with length [ (n) and a probabilistic polynomial time algorithm F' such that for all n E N', the algorithm F' , on input 5' cE) and ~ ' E ~ H A , finds with probability l / Q ( n ) a string p' E Ce(") with 2' # and h'(z') = It'(%). Now we show how to derive from F' a collision-string finder F that for all n E N', on input xERC'(~) and h E R H n where x is produced in a particular way to be described below, outputs with the same probability l/Q(n) a string y E Ce(n) with z # y and h(x) = h(y).
Let M be a probabilistic Turing machine with an oracle 0 that on input n outputs an X' E s EL("). M produces X E R C ~ ( " ) in the following particular way:
1. Query the oracle 0 with R. Denote by z' the string answered by 0. (Note that the oracle 0 is indispensable, as E' may be not samplable.)
2. Generate an S E R T ~ using its random tape
3. output 2 = s(s').
From the first property of the uniformizer T = U, T,,, we know that the ensemble E,w defined by the output of M is the uniform ensemble with length [(n) .
Let F be a probabilistic Turing machine. F uses the same random tape as M's and its read-only head for the random tape is in the same position as M's at the outset. On input x E E ~ Ce(") and ~ E R H , , , (important note: since EM is the uniform ensemble with length [ (n) , z Ee(,) is equivalent to ~E~F'(")), F works as follows:
1. Generate a t € R T n using the random tape and in the same way as M does. Since M shares the random tape with F , we have t = s.
2. Calculate z = t - ' (o) . Since t = s, we have z = 5' EEf 19). 'De Santis and Yung obtained, independently. this theorem too [DY30].
292
3. Call F' with input ( z ,h ' ) , where h' = h o t . Note that h ' E R H k , since h € R H n and tERT,.
4. Let y' = F'(z , h'). Output y = y' whenever y' =?, and y = t(y') otherwise.
Since F' is polynomial time bounded, F is also polynomial time bounded. Further- more, since t is a permutation over .I?("), we have y #? (i.e. 2 # y and h(z ) = h(y)) iff g' #? (i.e. 5' # y' and h'(s') = h'(y')). Thus for all n E N', F outputs, wit,h the same probability l /Q(n) , a string y such that 2 # p and h(z ) = h(y), which implies that H is not a one-way hash function in the sense of UOH/U, a contradiction.
From the above discussions we know that H' is indeed a one-way hash function in the sense of UOH/EN[l] . This completes the proof. 0
A significant corollary of Theorem 1 is:
Corollary 1 One-way hash functions in the sense of UOH/EN(C] exist ifi those in the sense of UOH/U exist.
5 UOHs Based on a Weakened Assumption
As an application of Theorem 1, in this section we construct one-way hash functions in the sense of UOH/EN[l] under a weaker assumption - the existence of one-way quasz-injections. Main ingredients of our construction include (1) one-way quasi- injections, (2) universal hash functions with the collision accessibility property, (3) pair-wise independent uniformizers and, (4) invertible uniformizers. Our construction is partially inspired by [NY89].
5.1 Preliminaries Assume that f is a one-way function from U, En to U, Ce(.). A string 5 f C" is said to have a brother if there is a string y E C" such that fn(z) = f,(y).
Definition 4 A one-way function f is a one-way quasi-injection ifl for any polp- nornial Q and for all suficiently large n E N, #B,/2" < l /Q(n) where B, is the collection of ail strings in C" that have brothers.
Let d be a polynomial with d(n) > n, S = U, S, be a hash function compressing d(n)-bit input into n-bit output strings. S is a strongZy universah hash function [CW79] [WCSl] if for each n, for each pairs ( ~ 1 ~ x 2 ) and (yl, y2) with z1 # 5 2 , q , x 2 E Ce(") and y1,y2 E C", there are jSn/(dC")2 functions in S, that map 21 to y1 and 2 2 to y2. S is said to have the collision accessibility property [NY89] if given a pair (5, y) of strings in Ce(") with 2 # y and a requirement that s(z) = s(y), it is possible to generate in polynomial time a function s f S, such that s(z) = s(p) with equal
293
probability over all functions in S, which obey the requirement. Note that strongly universal2 hash functions with collision accessibility property are available without any assumption [NY89].
Let Vn be a set of permutations over Ce(") , and V = U,V,. V is a pair-wise independent unzfomizer with length t ( n ) if it has the following three properties.
1. For each n, for any pairs of strings (x1,z2) and ( y I , y 2 ) , there are exactly #Vn/[2'(n)(2e(n) - l)] permutations in V, that map z1 to y1 and 22 to y2, where 21,22,511,3/2 E Ce("), x1 # x2, yl # p2, and 2E(n)(2P(n) - 1) is the total number of ordered pairs (0, y) with 5 # y and 2 , p E
2. There is a probabilistic polynomial time algorithm that on input n outputs a VERVn.
3. There is a polynomial time algorithm that computes all 21 E V.
Similar to uniformizers defined in Section 4, the first property implies that for any n E N and any (21, x2) with z1 # z2 and x1,52 E Cp("), when w is chosen randomly and uniformly from V,, (u(xl), v(z2)) is distributed randomly and uniformly over all ordered pairs (yl, y2) with y1 # y2 and y1, y2 E C'(").
Recall the invertible uniformizer T = U,T, constructed in Section 4. For any ih,z2,y1,y2 E Ce(") with 5 1 # 5 2 and yl # y2, there is exactly one permutation in T, that maps 21 to y1 and 1 2 to y2. Note that 1 = 2e(n)(2e(n) - 1)/2e(")(2'(n) - 1) = ~T,/[2e(")(2c(") - l)], which implies that T is a pair-wise independent uniformizer.
5.2 UOHs from One-way Quasi-Injections
Assume that we are given a one-way quasi-injection f from D to R where D = U, En, R = U, Em(") and rn is a polynomial with m(n) 2 n. Let V = U, V, be a pair-wise independent uniformizer with length m(n), and S = U, S, be a strongly universal2 hash function that compresses rn(n)-bit input into ( n - 1)-bit output strings and has the collision accessibility property.
Lemma 1 let H, = { h I h = s o v o fn+l , s E and H = U, Hn. Then H is a one-way hash function in the sense of UOH/U compressing ( n + 1)-bit input into n-bit output strings, under the assumption that f is a one-way quasi-injection.
v E
Proof : Assume for contradiction that H is not one-way in the sense of UOH/U. Then there are a polynomial Q1, an infinite subset N' C N and a collision-string finder F such that for all n E N', the finder F , on input ZE~C"+' and ~ E R H , , outputs with probability at least l /Ql(n) a string y E Cn+l with 2 # y and h(z) = h ( y ) . w e show that F can be used to construct an algorithm M that for all sufficiently large n E N', inverts fn+l with probability greater than 1/2Ql(n).
294
Assume that WERE"+' and z = f,,+l(w). On input z , the algorithm M runs as follows in trying to compute a y such that z = fn+l(y):
Algorithm M :
1. Generate an ~ E R C " + ' . If z = f,,+l(s) then output y = z and halt. Otherwise execute the following steps.
2. Generate a V E ~ V ~ + ~ .
3. Let u1 = v o f,,+l(x) and u2 = u ( z ) . Choose a random s E Sn+l such that s(u1) = s(u2). This is possible according to the collision accessibility property of s.
4. Let h = s o u o f,,+l. Call F with input h and s, and output y = F ( z , h).
First we show that h produced by M is a random element in H,,. At Step 2, a u€RVn+l is generated. Since fn+1(z) # z , from the first property of V we know that (v o fn+l(z), ~ ( 2 ) ) is distributed randomly and uniformly over all pairs (XI, z2) with 5 1 # x2 and s1,x2 E Cm("+'). At Step 3, s is chosen uniformly at random from all those functions in S,,, that map u1 and 212 to the same string. Consequently, h = s o u o fn+, is a random element in H,,.
The running time of M is clearly polynomial in n. Next we estimate the probability that Moutputs ysuch that z = f,,+l(y). DenotebyInv(2) theset {e 1 z = fn+l(e),e E En+'}. Then M halts at Step 1 iff z E Inv(z).
First we note that
where Pr{z = f,,+l(y)} is computed over Cn+l, En+', Vn+', S,+' and the sample space of all finite strings of coin flips that F could have tossed. Note that the two compound events " z E En+' - Inv(z), z has no brother, z = f,+l(y)" and " z E En+' - Inv(z), z has no brother, y f?" are in fact the same. So the probability Pr{z = fn+l(y)} can be estimated via the probability Pr{z E En+l - Inv(z), z has no brother, y #?}. Now we focus on the latter. By assumption, we have Pr{y #?} 2 l /Ql(n) for all n E N', where Pr{y #?} is computed over En+', Vn+l, Sn+' and the sample space of all finite strings of coin flips that F could have tossed. On the other hand,
Pr{y #?} = Pr{s E Inv(z), y #?} + Pr{x E xn+l - Inv(z), y #?) = Pr{z E Inv(z), y #?} +
Pr{s E En+* - Inv(z),s has a brother,y #?} + Pr{z E En+' - Inv(z), z has no brother, y #?}.
295
Recall that f is one-way. So for all sufficiently large n E N, u-e have
Pr{z E Inv(z),y #?} 5 P r { s E Inv(z)} < 1/4Ql(n).
Furthermore, for all sufficiently n we have
Pr{x E En+' - Inv(z),z has a brother,?/ f?} 5 Pr{z has a brother} < 1/4Ql(n),
since f is a one-way quasi-injection. Thus for all sufficiently large n E N',
Pr{z = f,,+l(y)} 2 P r { s E En+' - Inv(z),.z has no brother,z = fn+l(y)} = Pr{s E En+' - In.(;), z has no brother, y f?}
2 1 /Qi (n ) - [Pr{z E W z ) , Y #?} + Pr{z E En+' - Inv(z),z has a brother, y #?}I
2 1 / Q W - [1 /4Qdn) + 114Qdn)l 2 1/2Qi(n)-
This contradicts our assumption that f is a one-way quasi-injection, and hence the theorem follows. 0
Combining Theorem 1 and Lemma 1 , we have the following result: A one-way hash function H' in the sense of UOH/EN[l') , where e' is defined by l ' ( n ) = n + 1, can be constructed under the assumption that f is a one-way quasi-injection. By an argument analogous to that of Theorem 3.1 of [Dam89], it can be proved that for any polynomial e, we can construct from H' a one-way hash function H" in the sense of UOH/EN[t]. Thus:
Theorem 2 One-way hash functions in the sense of UOH/EiV(e] can be constructed assuming the existence of one-way quasi-injections.
Similarly, we can construct one-way hash functions in the sense of UOHc/EN[l'] assuming the existence of one-way quasi-injections with respect to the circuit model.
6 Collision Intractable Hash Functions This section gives formal definitions for collision intractable hash functions. Let H = Un H,, be a hash function compressing l(n)-bit input into n-bit output strings. Let A, a collision-pair finder, be a probabilistic polynomid time algorithm that on input h E H, outputs either "?" or a pair of strings z,y E EL(") with z # y and h ( 4 = My).
Definition 5 H is called a collision-intractable hash function (CIH) if for each A, for each polynomial Q , and for all suficiently large n , Pr(A(h) #?} < l / Q ( n ) , where hf&,, and the probability Pr{A(h) #?} is computed over H,, and the sample space of all finite strings of coin pips that il could have tossed.
296
In [Dam891 (see also [Dam87]) CIH iscalled collision free function family. Damgkd obtained CIHs under the assumption of the existence of claw-free pairs of permuta- tions. In [ZMI9O], we show that CIHs can be constructed from distinction-intractable penvtatzons. We also propose practical CIHs, the fastest of which compress nearly 2n-bit long input into n-bit long output strings by applying only twice a one-way function.
CIH defined above are with respect to the Turing machine model. So as in the case for UOH, we have CIHc with respect to the circuit model. The definition for C I H c is similar to Definition 5 , except that probabilistic polynomial time algorithms A are replaced by families A = { A , I n E N} of polynomial size circuits.
In addition, analogous to Definition 3, we have the following generalization for CIH. Let H = U, H,, be a hash function compressing !(n)-bit input into n-bit output strings, Q1 a polynomial, and a E CQ1("). a is called an adoice string of length Ql(n) .
Let A , a collision-pair finder, be a probabilistic polynomial time algorithm that on input a E CQlC") and h E H, outputs either "?" or a pair of strings s,y E Ce(n) with 2 # y and h(z) = h(y) .
Definition 6 H is called a collision intractable hash function with respect to poly- nomial length advice, denoted by CIH/EN[poly], i f for each pair (Q1,Qs) of poly- nomials, for each ensemble E with length Ql(n), for each A, and for all suficiently large n , Pr{A(a, h) f?} < l/Qa(n), where a and h are independently chosen from CQ1(n) and H, according to En and to the uniform distribution over H, respectively, and the probability Pr{A(a, h ) #?} is computed ouer CQl("), H,, and the sample space of all finite strings of coin pips that A could have tossed.
7 A Hierarchy of One-way Hash Functions
In this section, we discuss relationships among various versions of one-way hash func- tions: UOHIU, UOH/PSE[P], UOH/EN[t'], U O H c / E N [ q , UOHIENlpoly], CIH, CIHc and CIH/EN[l?oly].
First we define a relation between two versions, Ver l and Ver2, of one-way hash functions. We say that
1. Verl is included in l/er2, denoted by Verl Ver2 , if all one-way hash functions in the sense of Verl are also one-way hash functions in the sense of Verz.
2. Verl is strictly included in Ver2, denoted by Verl c Ver:!! if Ver l C Ver:! and there is a one-way hash function in the sense of Ver2 but not in the sense of Ver , .
3. Ver l and Verz are equivalent, denoted by Verl = Ver2, if Verl C_ Vers and Ver2 C Ver, .
297
Lemma 2 The following statements hold:
(2) UOHc/EN(e] = UOH/EiV[poEy].
(3) UOH/EX[poEy] Z UOH/EN[eJ
(4) CIH/ENlpoly] C CIH
( 5 ) CIH C UOH/PSE[t].
UOH/PSE(q C UOH/zi
(6) CJH/EN[poZ?lJ UOH/ElVIpoly].
Proof : Proofs for (1) and (2) are analogous to that for “polynomial size circuits vs. P/poly” [Pipig]. (3),(4), ( 5 ) and (6) are obvious. Here we give a detailed description for the proof of (1). Proof for (2) is similar, and is omitted.
The “G” part: Assume that H is a one-way hash function in the sense of CIHc. If H is not one-way in the sense of CIH/ENlpolg], then there are polynomials Q1 and Q2, an infinite subset N’ E N, an ensemble E with length Q2(n), and a collision-pair finder F , such that for all n E N’, the finder F, on input I E E CQ2(”) and h € R H n , outputs il collision-pair with probability l / Q l ( n ) . Note that for each n E N and h E R H n l the probability that F successfully outputs a collision-pair is computed over CQa(.) and the sample space of all finite strings of coin flips that F could have tossed. Let zmax be the first string according to the lexicographic order in CQ2(,) such that for ~ E R H , , F outputs a collision-pair with the maximum probability, which is certainly at least l /Ql (n) . F can be converted into a family A = { A , 1 n E N} of probabilistic polynomial size circuits with z,, being “embedded in” A,. Thus for each n E N‘, A, on input ~ E R H , outputs a collision-pair with probability at least l / Q ~ ( n ) . In other words, H is not one-way in the sense of CIHc, which is a contradiction.
If H is not one-way in the sense of CIHc, then there are a polynomial Q1 an infinite subset N’ C N, and a collision-pair finder A = { A , I n E N), such that for all n E N‘, An outputs a collision-pair with probability l /Ql(n) . Since the size of A is polynomially bounded, there is a polynomial Qz such that the description of A,, is not longer than Qz(n) for all n E N. Without loss of generality, assume that the description of A, is exactly Q2(n) bits long. Let E be the ensemble with length Qz(n) defined by E,(s) = 1 whenever x is the description of A,, and E,(z) = 0 otherwise. Note that E may be not samplable.
k c a l l that the (probabilistic) circuit value problem is (probabilistic) polynomial time computable (see [BDG88], p.110). So there is a (probabilistic) polynomial time algorithm F that on input z E E CQ2(n) and ~ E R H , , (Note: By the definition of El we have t=the description of A, ) , output a collision-pair with probability l/Q(n).
The “2” part: Assume that H is a one-way hash function in the sense of CIH/E”poZy].
298
This implies that H is not one-way in the sense of CIH/EN[poly], which contradicts our assumption. 0
Theorem 3 The following statements hold:
(1) UOH/PSE[e] c U O H f l .
(2) There are one-way hash functions in the sense of UOH/EiVboly] but not in the sense of CIH,
(3) C I H c lJOH/PSE[t].
(4) CIH/EN[poly] C UOH/ENboEy]
Proof : (1) We show that given a one-way hash function H in the sense of UOH/U, we can construct from H a hash function H' that is still one-way in the sense of UOH/U but not in the sense of UOH/PSE[t?].
H' is constructed as follows: Denote by Of(") (le("), respectively) the all-0 (all-1, respectively) string of length [(TI). For each h E H,, define a function h' : Cp(") -+ C" by h'(s) = h(Oe(")) whenever 5 = le(n) and h'(s) = h(z) otherwise. Thus the only difference between h and h' is the images of lf("). Let HA be the collection of all h', and let H' = U, HA. We claim that H' is still one-way in the sense of UOH/U but not in the sense of UOH/PSE[l?].
Let hf be a polynomial time algorithm that on input n outputs lE( , ) . By definition, the ensemble E defined by the output of M is polynomially samplable. Lct F be a collision-string finder that on input z and h' outputs the string (Ie(,) whenever z = le(") and "?" otherwise. Clearly, for all n , 5 EE C'(") and h' E HA, F always finds a string y that collides with z. Therefore H' is not one-way in the sense of UOH/PSE[l?].
Now we prove that H' is one-way in the sense of UOH/U. Assume for contradiction that H' is not one-way in the sense of UOH/U. Then there are an infinite subset N' N and a collision-string finder F such that for some polynomial Q and for all n E N', Pr{ F(z, h') #?} 2 l / Q ( n ) , when ~ E R C ~ ( " ) and ~ ' E R H L .
Note that
299
and that
Pt{F{x,ti) #? | ti(x) = ti(Oe(n))} • Pr{h'(x)< Pi{h'{x) = ti(Ot{n))}< Pr{h(x) = (
Since H is one-way in the sense of UOH/t/, we have ?r{h(x) = h(tf{n))} < l/4Q(n)for all sufficiently large n. Thus for all sufficiently large n € N',
, /»') / ? | ti(x) ^ h'(0e{n))} • Pi{h'(x) ^ ti(Oe{n})}- Pt{F{x,h') ^1 | h'(x) = h'(Qe(^)} • Px{ti(x) =
By definition, when h'(x) ^ /j'(0^(n)), a string y £ He<-n) with a; ^ y collides witha; under h' iff it does under h. Consequently, the collision-string finder F can beused to "break" H, this implies that H is not one-way in the sense of UOH/J7, acontradiction.
(2) The proof is very similar to that for (1). Given H, a one-way hash function inthe sense of VOU/EN\poly], we construct a hash function H' that is still one-way inthe sense of \JOE/EN\poly\ but not in the sense of CIH.
Without loss of generality, assume that the length of the description of h G Hn isgreater than n/2, and for any distinct Tii, /i2 € Hn the first n/2 bits of h\ is differentfrom that of h2. For each h e #„, we associate with it a particular ^(n)-bit string Xhthat is obtained by repeatedly concatenating the first n/2 bits of the description ofh until the length of the resulting string becomes i(n).
For each h € Hn, define a function h' : S'(n) -> En by h'(x) = h{xh) wheneverx — Xh and h'(x) = h(x) otherwise, where Th is the complement of Xh- Thus the onlydifference between h and h! is the images of xh. Let H'n be the collection of all h', andlet H' = Un H'n- By analyses similar to (1), one can verify that H1 is still one-way inthe sense of l]OB./EN\poly} but not in the sense of CIH.
(3) follows from (2) and CIH C VOU/PSE[£]. (4) follows from (2) and the factsthat Cm I EN\poly] C CIH and that CIH/EN\poly\ C VOE/EN\poly]. •
From Lemma 2 and Theorem 3, we have the following hierarchical structure forone-way hash functions (see Figure 1.)
300
UOH/U U
lU
IU
II
CIH c UOH/PSE[e]
IU UOH/ErU[q
C M / E N boE g] II
CIHc
c U 0 H/ E N [pol y]
UOHc/EN[P]
Figure 1. Hierarchical Structure of One-Way Hash Functions
By Tlieorem 3, there are one-way hash functions in the sense of UOH/ENboIv] but not in the sense of CIH. However, it is not clear whether or not CIH UOH/EN[poZy]. So it is worth while examining such problems a s whether or not CTH is strictly in- cluded in UOH/EiV[poEy].
8 Conclusions
We have proved that UOHs with respect to initial-strings chosen uniformly at random can be transformed into UOHs with respect to initial-strings chosen arbitrarily, and that UOHs with respect to initial-strings chosen arbitrarily can be constructed under a weaker assumption, the existence of one-way quasi-injections. We have also investi- gated relationships among various versions of one-way hash functions. In particular, we have shown that UOH/PSE[q, CIH and CIH/E.VboEy] are strictly included in UOH/U, UOH/PSE[P] and UOH/EN[poZy] respectively, and that there are one-way hash functions in the sense of UOH/EN[poEy] but not in the sense of CIH.
Recently, substantial progress on the construction of UOHs has been made by De Santis and Yung [DY90], and especially, by Rompel [RomSO] who finally solved the problem of constructing UOHs under the sole assumption of the existence of one-way functions.
Acknowledgments K. Sakurai for their fruitful discussions.
We would like to thank J. Leo, M. Ogiwara, K. Ohta and
References
[BDG88] J. Balcazar, J. Diaz and J. Gabarr6: Structural Complexity I, EATCS Mono- graphs on Theoretical Computer Science, Springer-Verlag, Berlin, 1988.
301
[CW79] J. Carter and hl. Wegman: “Universal classes of hash functions”, Journal of Computer and System Sciences, Vo1.18, 1979, pp.143-154.
(Dam871 I. DamgArd: “Collision free hash functions and public key signature schemes”, Proceedings of EuroCypt’87, 1987, pp.203-216.
[Dam891 I. Damgkd: “A design principle for hash functions”, Presented at Crypto’89, 1989.
[DYSO] A. De Santis and M. Yung: “On the design of provably-secure cryptographic hash functions” , Presented at EuroCrypt ’90, 1990.
[ILL891 R. Impagliazzo, L. Levin and hi. Luby: “Pseudo-random generation from one-way functions”, Proceedings of the 21-th ACM Symposium on Theory of Computing, 1989, pp.12-24.
R. Karp and R. Lipton: “Turing machines that take advice”, L’enseigment Mathematique, Vo1.28, 1982, pp. 191-209.
[Mer89] R. Merkle: “One way hash functions and DES”, Presented at Crypto’89, 1989.
[KL82]
(NY891 M. Naor and M. Yung: “Universal one-way hash functions and their crypto- graphic applications”, Proceedings of the 21-th ACM Symposium on Theory of Computing, 1989, pp.33-43.
N. Pippenger: “On simultaneous resource bounds”, Proceedings of the 20-th IEEE Symposium on the Foundations of Computer Science, 1979, pp.307- 311.
[Pip791
[RomSO] J. Rompel: “One-way functions are necessary and sufficient for secure signa- tures”, Proceedings of the 22-nd ACM Sgmposium on Theory of Compating, 1990, pp.387-394.
[Wa88] 0. Watanabe: “On one-way functions”, Presented at the International Sym- posium on Combinatorial Optimization, Tianjin, China, 1988.
[WCSl] M. W e p a n and J. Carter: “New hash functions and their use in authenti- cation and set equality”, Journal of Computer and System Sciences, Vo1.22, 1381, pp.265-279.
[Ya082] A. Yao: ‘“rheory and applications of trapdoor functions’’, Proceedings of the 23-rd IEEE Symposium on the Foundations of Computer Science, 1982, pp.80-9 I.
302
[ZMISO] Y. Zheng, T. Matsumoto and H. Imai: "Duality between two cryptographic primitives", To be presented at 8-th International Conference on Applied Algebra, Algebraic Algorithms and Error Correcting Codes (AA ECC-8), Tokyo, August 1990. A preliminary version appears in IEICE Technical Reports on Information Security, TG ISEC89-46, March 16, 1990.
A Appendix - UOHs from One-way Permuta- t ions
In this appendix we sketch a simple method, which appears in [ZMISO], for con- structing UOHs from one-way permutations whose (simutaneously) hard bits have been identified. An interesting feature of our construction is that it does not apply universal hash functions, and hence is extremely compact, in comparison with most of the currently known constructions.
Assume that f is a one-way permutation on D = U n C n l and that i has been proved to be a hard bit of f . For b E C, 5 E En-' and y E C", define ins(s,b) = Xn-lxi-2 * * - xibzi-1. * * 52x1, and denote by drop(y) a function dropping the i-th bit of y. Then we have the following theorem.
Theorem 4 Let l be a polynomial with [ ( n ) > n, a E En-' and z = xt(n) * * * 5 2 5 1
where X i E C for each 1 5 i 5 [(n) . Let h, be the function from Ce(n) to C" defined by:
Let Hn = {ha I a E P-'} and H = U, H,,. Then under the assumption that f i s a one-way permutation, H i s a UOH/EN[k'] compressing e(n)-bit input into n-bit output strings.
The efficiency of the above constructed UOHs can be improved by a factor of P, for any p = O(1og n) , if p simultaneously hard bits of f have been identified.