[Cryptography] Amongst the requirements for digests...
Jerry Leichter
leichter at lrw.com
Fri Dec 28 11:01:06 EST 2018
> I was just looking through some articles on cryptographic digests setting out the criteria for acceptance and it occurs to me that as specified they are necessary but not sufficient.
>
> Pre-image resistance
> Given a hash value h it should be difficult to find any message m such that h = hash(m).
> That is necessary but I would want h to effectively disclose no useful information whatsoever about m. Not the number of bits, not the parity, nothing.
>
> So I have been designing deranged hash functions that have the correct work factor but are wrong, wrongety wrong.
>
> So SHA2-Yuk is defined as
>
> H(x) = (SHA2(x OR 1) OR 1) XOR (x AND 1)
>
> Where the boolean operators only act on the last bit in the input.
>
> The intent here is to ensure that the hash values of adjacent inputs are paired such that H(x) XOR H(x XOR 1) = 1.
There are simpler "deranged" hash functions. For example, you could take:
H_Leaky(x) = First k bits of x || SHA2(x)
You can modify this to pre-pend any fixed-length boolean function of x instead. (Granted, this has "the wrong work factor" as it's only as hard as SHA2, while it "should be" 2^k times harder. But the requirement of minimality - i.e., that an n-bit hash output should have difficulty 2^n for pre-image resistance (2^(n/2) for second) isn't in the explicit requirements anywhere - and in fact we accept cryptographic functions that are "a few bits shy" of the theoretical maximum.
The conditions of first and second pre-image resistance relate to the *cryptographically strong* part of the notion of *cryptographically strong hash function*. Historically we don't write down a definition for the "hash function" part - which is where SHA2-Yuk and H_Leaky fail. I'd guess there's a good definition out there, but it's not obvious. People often try "changing any one bit, on average, changes half the bits of the output", but I don't think that works, though a counterexample isn't clear to me.
-- Jerry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20181228/a8464a5e/attachment.html>
More information about the cryptography
mailing list