Hash functions and new security properties

Hash functions, as previously mentioned in this document, take messages of arbitrary length and output a fixed length string. In cryptographic uses of a hash function_{H : {0, 1}}∗ _{−→ H, these} properties are considered prerequisite:

• Preimage resistance: given h ∈ H, it should be computationally intractable to find a message m such that_{H(m) = h.}

• Collision-resistant: it should be computationally intractable to find two different messages m1 andm2 such thatH(m1) =H(m2).

8.2.1

Definitions

The security proof of our variant of Michels-Petersen-Horster’s signatures makes use of new non- standard variations of the preimage resistance and the collision resistance assumptions for hash functions. These assumptions are of independent interest as they have interesting relations with the classical ones. We call them random affine preimage resistance and random linear collision

resistance. Although stronger than the standard assumptions, they are quite realistic.

According to [Rogaway & Shrimpton, 2004], a hash function family is a family of functions (Hk :Kk× {0, 1}∗ −→ {0, 1}k)k∈N, whereKkis a finite non-empty set. We will write the first ar-

gument of_Hkas a subscript, so thatHK,k(m) =Hk(K, m). In the following, we denote elements

from_{{0, 1}}kas the corresponding k-bits integers in binary representation and we will denote for every integerN _{∈ Z, H}N

K,kthe map defined by: HNK,k :



{0, 1}∗ _{−→ Z} N

m _{7−→ H}K,k(m) mod N.

The new security definitions can be quantified as follows:

Definition 8.3 (Random affine preimage resistance). Letn be an integer, let (_Hk :Kk×{0, 1}∗ −→

{0, 1}k₎

k∈N be a hash function family, and let A be a PPTM. The success SuccraP re(n)H,A (k) of A

against then-random affine preimage resistance ofH = (Hk)k∈Nis defined by:

max K∈Kk 2k−1_≤N<2k α₁,...,αn∈Z∗N β₁,...,βn∈Z∗N        Pr     K←− KR k (m, i, j) ← A(K, α1, . . . , αn, β1, . . . , βn) m ∈ {0, 1}∗_{, (i, j) ∈ [[1, n]]}2_{, i 6= j} αi+ βjHNK,k(m) = 0 mod N            .

An adversary _{A against the n-random affine preimage resistance of a hash function family} (Hk)k∈N can be transformed easily into an adversary against the classical preimage resistance

of (Hk)k∈N with success probability greater than SuccraP re(n)H,A (k)/n2 and time-complexity of A

increased by the time necessary to computen modular multiplications modulo N. In particular, the1-random affine preimage resistance is equivalent to the classical preimage resistance.

Definition 8.4 (Random linear collision resistance). Letn be an integer, let (Hk :Kk×{0, 1}∗ −→

{0, 1}k₎

k∈N be a hash function family and letA be a PPTM. The success SuccrlColl(n)H,A (k) of A

against then-random affine preimage resistance ofH = (Hk)k∈Nis defined by:

max K∈Kk 2k−1_≤N<2k λ₁,...,λn∈Z∗N    Pr   K←− KR k; (m, m′, i, j) ← A(K, λ1, . . . , λn) m, m′_{∈ {0, 1}}∗_{, (i, j) ∈ [[1, n]]}2_{, m 6= m}′ λi· HK,N(m) = λj· HK,N(m′) mod N      .

As for random affine preimage resistance, the1-random linear collision resistance is equivalent to the classical collision resistance. Unfortunately, then-random linear collision resistance cannot be reduced generically to the collision resistance forn≥ 2.

Remark 8.3. This security requirement is however reasonable since if the hash function fam-

ily underlying the protocol RSA-FDH [Bellare & Rogaway, 1993] does not satisfy it, then it is existential forgeable against a one chosen-message attack: given an RSA public key (N, e),

the adversary can simply pick at random r1, . . . , rn ∈ ZN, compute λi = rei mod N for all

i _{∈ [[1, n]], and try to find a random linear collision with parameters N, λ}1, . . . , λn. If a collision

m, m′ _{∈ {0, 1}}∗_{, (i, j)∈ [[1, n]]}2 _{(such thatλ}

i· HK,N(m) = λj· HK,N(m′) mod N) is found, then

the adversary queries the signatureσ on m to the signing oracle and can compute the signature of m′ _asσ′ _{= r}

i· σ · rj−1 mod N.

8.2.2

Generic security

The best known general collision-finding attack against a hash function family is the so-called birthday-attack. If we assume that the values of the hash-function family(Hk)k∈N are uniformly

distributed over_{{0, 1}}kand that the generalization of the birthday attack2against the random affine preimage resistance and the random linear collision resistance of(_Hk)k∈Nis the best possible attack

(which is true in the random oracle model), then it is possible to give exponential lower bounds on the minimum ofn and of the number of hash function evaluations required to have non-negligible probability of success. Indeed, for any integerN _{≥ 2, and for (i, k) ∈ Z}N, it is straightforward

[Stadje, 2002] that: #_{{j ∈ Z}N|i · j rem N ≤ k} = gcd(i, N) ×  k gcd(i, N)  + 1  .

Therefore ifD denotes the product of two independent random variables uniformly distributed overZN, we have∀k ∈ ZN Pr(D_{≤ k) =} 1 N2 N −1_X i=0 gcd(i, N)  k gcd(i, N)  + 1  ,

and consequently, D is close to the uniform distribution over ZN. The results from [Bellare &

Kohno, 2004] are sufficient to conclude.

2_{These attacks consist in picking messagesm1, . . . ,mr, computinghi =}

Hk(mi) mod N for i _{∈ [[1, r]] and} γi,j =_−hiβj mod N (resp. γi,j = hiλj mod N ) for j_{∈ [[1, n]]. They are successful if there is a triple (i, j, ℓ) ∈} [[1, r]]_{× [[1, n]]}2_{(resp. a 4-tuple(i, i}′_{, j, j}′₎

∈ [[1, r]]2

× [[1, n]]2_{) s. t.γi,j = αℓ(resp.γi,j= γi}

8.3

Michels-Petersen-Horster’s convertible undeniable signa-