The task of building cryptographic schemes often involves making use of lower-level cryptographic primitives. We present here some of the cryptographic primitives that are employed throughout this thesis: pseudorandom functions and hash functions. Most definitions in this section are taken from [88].
2.3.1 Pseudorandom Functions
A pseudorandom function (PRF) is an efficiently computable keyed function that, for all practical purposes, behaves like a random oracle: to anyone who does not know the key, the output on each input looks like an independent, uniformly random value that is fixed once and for all for that input.
Let $\mathrm{Func}_n$ denote the set of all functions with domain and range $\{0,1\}^n$. Given a key space $\mathcal{K}$ and a function $F : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$, denote by $F_k$ the function defined by $F_k(x) = F(k, x)$. Typically $\mathcal{K} = \{0,1\}^n$. Suppose, in all instances, that the input length, the output length and the key length are polynomial in the security parameter $\lambda$. Pseudorandom functions efficiently realize the notion of “random-looking” functions in $\mathrm{Func}_n$, in the sense that no PPT algorithm can effectively distinguish between a function chosen uniformly at random from $\mathrm{Func}_n$ and the function $F_k$ for a uniformly chosen key $k \in \mathcal{K}$.
Definition 2.11. Let $F : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be an efficiently computable function, where the positive integer $n$ is polynomial in the security parameter $\lambda$. Then $F$ is a pseudorandom function if for every PPT algorithm $B$
$$\mathrm{Adv}_B(\lambda) = \left| \Pr\!\left[B^{F_k(\cdot)}(\lambda) = 1\right] - \Pr\!\left[B^{f(\cdot)}(\lambda) = 1\right] \right|$$
is negligible in $\lambda$, where the probabilities are taken over the uniform choices of $k \in \mathcal{K}$ and of $f \in \mathrm{Func}_n$, and over the random bits of $B$.
We also introduce the notion of pseudorandom permutation (PRP). Let $\mathrm{Perm}_n \subset \mathrm{Func}_n$ denote the set of permutations of $\{0,1\}^n$. The notion of PRP is analogous to that of PRF, with two differences: $F_k$ must itself be a permutation of $\{0,1\}^n$ for every key $k \in \mathcal{K}$, and it must be indistinguishable from a permutation chosen uniformly from $\mathrm{Perm}_n$ rather than from a uniformly chosen function.
Definition 2.12. Let $F : \mathcal{K} \times \{0,1\}^n \to \{0,1\}^n$ be an efficiently computable function, where the positive integer $n$ is polynomial in the security parameter $\lambda$, such that $F_k$ is a permutation of $\{0,1\}^n$ for every $k \in \mathcal{K}$. Then $F$ is a pseudorandom permutation if for every PPT algorithm $B$
$$\mathrm{Adv}_B(\lambda) = \left| \Pr\!\left[B^{F_k(\cdot)}(\lambda) = 1\right] - \Pr\!\left[B^{f(\cdot)}(\lambda) = 1\right] \right|$$
is negligible in $\lambda$, where the probabilities are taken over the uniform choices of $k \in \mathcal{K}$ and of $f \in \mathrm{Perm}_n$, and over the random bits of $B$.
It is not known whether PRFs and PRPs exist unconditionally, but several constructions have been proven to satisfy Definitions 2.11 and 2.12 under computational hardness assumptions, and standardized functions are used as PRFs and PRPs in practice. Widely deployed examples are HMAC [105] (instantiated with a SHA-2 hash) and AES-CMAC [106] as PRFs, and the AES block cipher itself, on which CMAC is built, as a PRP.
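To make Definition 2.11 concrete, the following Python script (an added example, not part of the original text) implements the distinguishing experiment: the challenger hands the distinguisher $B$ an oracle that is either $F_k$ for a uniform key $k$ or a lazily sampled uniform $f \in \mathrm{Func}_n$, and the advantage is estimated over many runs. HMAC-SHA256 truncated to $n = 128$ bits stands in for the HMAC family mentioned above; the deliberately weak candidate $F_k(x) = k \oplus x$ and the linearity-testing distinguisher are constructed here for illustration and are not from the thesis.

```python
"""PRF distinguishing experiment of Definition 2.11 (added example).

Real world:  the oracle is F_k for a uniform key k.
Ideal world: the oracle is a uniform f in Func_n, sampled lazily (a fresh uniform
             output the first time each input is queried).
Adv_B = |Pr[B^{F_k} outputs 1] - Pr[B^{f} outputs 1]|, estimated by Monte Carlo.
"""
import hashlib
import hmac
import secrets

N_BYTES = 16  # n = 128 bits: key space, domain and range are all {0,1}^n


class RandomFunction:
    """A uniformly random f in Func_n, realised lazily: one fresh output per new input."""

    def __init__(self) -> None:
        self.table: dict[bytes, bytes] = {}

    def __call__(self, x: bytes) -> bytes:
        assert len(x) == N_BYTES
        if x not in self.table:
            self.table[x] = secrets.token_bytes(N_BYTES)
        return self.table[x]


def prf_hmac(k: bytes, x: bytes) -> bytes:
    """F_k(x) = HMAC-SHA256(k, x) truncated to n bits; the standard PRF candidate."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def prf_xor(k: bytes, x: bytes) -> bytes:
    """Constructed bad candidate F_k(x) = k XOR x: a keyed bijection that is NOT a PRF."""
    return bytes(a ^ b for a, b in zip(k, x))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def linearity_distinguisher(oracle) -> int:
    """B queries two distinct points and outputs 1 iff O(x) XOR O(y) == x XOR y.
    For prf_xor this holds for every key; for a uniform f it holds with probability 2^-n."""
    x = bytes(N_BYTES)
    y = bytes([1]) + bytes(N_BYTES - 1)
    return int(xor(oracle(x), oracle(y)) == xor(x, y))


def real_oracle(prf):
    """Challenger's real world: sample a uniform key k once and expose F_k."""
    k = secrets.token_bytes(N_BYTES)
    return lambda x: prf(k, x)


def estimate_advantage(prf, distinguisher, trials: int = 200) -> float:
    """Monte Carlo estimate of Adv_B over `trials` independent runs of each world."""
    real = sum(distinguisher(real_oracle(prf)) for _ in range(trials))
    ideal = sum(distinguisher(RandomFunction()) for _ in range(trials))
    return abs(real - ideal) / trials


if __name__ == "__main__":
    print("Adv against k XOR x :", estimate_advantage(prf_xor, linearity_distinguisher))
    print("Adv against HMAC    :", estimate_advantage(prf_hmac, linearity_distinguisher))
```

The linearity test is one specific distinguisher; Definition 2.11 quantifies over all PPT distinguishers, so a candidate passing this test is not thereby shown to be a PRF, whereas a candidate failing it (advantage close to 1) is definitely not one.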
2.3.2 Hash Functions
Hash functions are efficiently computable functions that compress their input, so their range is typically much smaller than their domain. The value to which a hash function maps an input is called the digest, or hash value, of that input.
Definition 2.13. A hash function $H = (H.\mathrm{Gen}, H.\mathrm{H})$ consists of a pair of PPT algorithms:
$H.\mathrm{Gen}(\lambda)$: Probabilistic algorithm that, given a security parameter $\lambda$, returns a key $s$.
$H.\mathrm{H}_s(x)$: Deterministic algorithm taking as input a key $s$ and a string $x \in \{0,1\}^*$ of length polynomial in $\lambda$. It returns a digest $H_s(x) \in \{0,1\}^*$ of smaller bit-length than $x$.
From now on, unless stated otherwise, we omit the $\mathrm{Gen}$ algorithm and the generated key $s$ when using hash functions, and simply write $H : \{0,1\}^* \to \{0,1\}^*$ for $H_s$. We thus implicitly assume that $\mathrm{Gen}$ has been run once, prior to the first call to $H$, and that the key $s$ is thereby fixed.
One of the main properties we require from cryptographic hash functions in this work is collision resistance. Given a hash function $H$, a collision is a pair of distinct values $x, y \in \{0,1\}^*$ for which $H(x) = H(y)$. Since the domain of $H$ is larger than its range, collisions necessarily exist; collision resistance asks that they be computationally hard to find, that is, that no PPT algorithm finds a collision with non-negligible probability.
Given a security parameter $\lambda$, define a security game in the following two phases:
• Setup. The challenger runs $H.\mathrm{Gen}$ on input $\lambda$ and hands over the generated key $s$ to the adversary.
• Guess. The adversary determines two strings $x, y \in \{0,1\}^*$ of the same length. It outputs a bit $b = 1$ if $x \neq y$ and $H(x) = H(y)$. Otherwise, it outputs $b = 0$.
Definition 2.14 (Collision Resistance). We say that a hash function $H$ is collision resistant if the advantage of every PPT adversary $B$ in the above game
$$\mathrm{Adv}_B(\lambda) = \Pr[b = 1]$$
is negligible in $\lambda$, where the probability is taken over the choice of the key $s$ generated by the probabilistic algorithm $H.\mathrm{Gen}$ and over the random bits of $B$.
Although it is not known whether collision-resistant hash functions exist unconditionally, constructions are known that are provably collision resistant under computational hardness assumptions such as the discrete logarithm (DLP) assumption (see [88]).
When proving security in the random oracle model (ROM), a hash function $H$ that is modelled as a random oracle with a large enough range is automatically collision resistant: by the birthday bound, $q$ queries to a random oracle with range $\{0,1\}^{\ell}$ produce a collision with probability at most $q^2/2^{\ell}$, which is negligible for polynomial $q$ when $\ell$ grows linearly in $\lambda$. In this case, therefore, collision resistance is embedded in the ROM computational model.
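The following Python script (an added example, not from the original text) plays the collision game of Definition 2.14 against a constructed keyed hash $H_s(x) = \mathrm{SHA\text{-}256}(s \,\|\, x)$ truncated to a chosen number of bits. The adversary is the generic birthday attack: with a 24-bit range it wins essentially always after a few thousand evaluations, whereas with the full 256-bit range the same effort finds nothing, which is the quantitative content of the “large enough range” condition above. The truncated hash, the key length and the enumerated inputs are all assumptions made for this example.

```python
"""Collision game of Definition 2.14 against a keyed hash with an adjustable range (added example).

H_s(x) = SHA-256(s || x) truncated to digest_bits bits is a constructed stand-in, not the
thesis's hash function. The adversary is the birthday attack: hash distinct same-length
inputs and stop at the first repeated digest. Expected cost ~ sqrt(2^digest_bits).
"""
import hashlib
import secrets
from typing import Optional, Tuple


def gen(key_bytes: int = 16) -> bytes:
    """H.Gen: sample a uniform key s (the key length plays the role of lambda here)."""
    return secrets.token_bytes(key_bytes)


def hash_s(s: bytes, x: bytes, digest_bits: int) -> bytes:
    """H.H_s: deterministic keyed hash with a digest_bits-bit output (digest_bits a multiple of 8)."""
    assert digest_bits % 8 == 0 and 8 <= digest_bits <= 256
    return hashlib.sha256(s + x).digest()[: digest_bits // 8]


def birthday_attack(s: bytes, digest_bits: int, max_queries: int) -> Optional[Tuple[bytes, bytes]]:
    """Adversary B in the Guess phase: enumerate distinct 8-byte inputs until two share a digest."""
    seen: dict = {}
    for i in range(max_queries):
        x = i.to_bytes(8, "big")          # all candidates have the same length, as the game requires
        d = hash_s(s, x, digest_bits)
        if d in seen:
            return seen[d], x              # x != seen[d] because i is fresh
        seen[d] = x
    return None


def collision_game(digest_bits: int, max_queries: int) -> int:
    """Run Setup and Guess; return the game bit b (1 iff x != y and H_s(x) == H_s(y))."""
    s = gen()
    found = birthday_attack(s, digest_bits, max_queries)
    if found is None:
        return 0
    x, y = found
    return int(x != y and hash_s(s, x, digest_bits) == hash_s(s, y, digest_bits))


def birthday_queries(digest_bits: int) -> int:
    """Rough number of queries after which a collision becomes likely: 2^(digest_bits/2)."""
    return 1 << (digest_bits // 2)


if __name__ == "__main__":
    print("24-bit range, 2^16 queries -> b =", collision_game(24, 1 << 16))
    print("256-bit range, 2^12 queries -> b =", collision_game(256, 1 << 12))
```

The win against the 24-bit range does not depend on the key $s$: the adversary is given $s$ in the Setup phase and the attack is generic, so keying does not help a hash whose range is too small.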
2.3.2.1 Hashing onto Elliptic Curves
Many elliptic-curve based cryptographic schemes require hashing to a bilinear group $\mathbb{G} = \langle g \rangle$ of prime order $p$. That is, they require the existence of a hash function $H : \{0,1\}^* \to \mathbb{G}$. A direct way of hashing onto a bilinear group is to take an additional hash function $h : \{0,1\}^* \to \mathbb{F}_p$ and define $H(m) = g^{h(m)}$. However, this approach breaks security proofs in the random oracle model: whoever evaluates $H(m)$ also learns $h(m)$, the discrete logarithm of $H(m)$ with respect to $g$, whereas a random oracle onto $\mathbb{G}$ reveals no such relation. Once $h$ has been queried at a given input, $H$ no longer behaves as a random oracle at that input, and proofs that program the oracle and rely on the discrete logarithm of its outputs being unknown to the adversary no longer go through.
In this setting, cryptographic schemes whose proofs are carried out in the random oracle model (such as the proofs in Section 3.2) require hashing directly onto an elliptic curve group $\mathbb{G}$. That is, they require hash functions that sample from $\mathbb{G}$ without computing multiples of a generator $g$. In this respect, using asymmetric bilinear groups $\mathbb{G}_1, \mathbb{G}_2$ guarantees that we can securely and efficiently hash onto $\mathbb{G}_1$. See [107] for an extensive discussion of this topic and for an explicit solution for secure hashing onto Barreto-Naehrig elliptic curves.
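As an added example (neither the construction of [107] nor code from the thesis), the Python script below contrasts the two approaches over the secp256k1 curve, whose group of points has prime order and cofactor 1, so every curve point lies in $\mathbb{G}$. `hash_via_generator` implements the rejected map $H(m) = g^{h(m)}$ and returns the exponent $h(m)$ alongside the point, making explicit that the discrete logarithm of the hash value is known to whoever evaluates $H$. `hash_to_curve` instead hashes directly onto the curve with the generic try-and-increment method (hash to a candidate $x$-coordinate, test whether $x^3 + 7$ is a square in $\mathbb{F}_P$, increment a counter otherwise), which never computes a multiple of $g$. The curve constants are public; the function names and the use of SHA-256 are my own choices.

```python
"""Hashing onto an elliptic-curve group with and without a generator (added example).

secp256k1: y^2 = x^3 + 7 over F_P, base point G of prime order N, cofactor 1, P = 3 mod 4.
These are public curve constants; everything else is illustrative code.
"""
import hashlib

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p2 == -p1 (also covers doubling a 2-torsion point)
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k: int, pt):
    """Double-and-add [k]pt; not constant time, which is fine for this illustration."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash_via_generator(m: bytes):
    """Rejected approach H(m) = g^{h(m)} with h(m) = SHA-256(m) mod N.
    Returns (point, exponent): the exponent IS the discrete log of the output, and anyone
    who evaluates H obtains it, so H cannot be modelled as a random oracle onto G."""
    e = int.from_bytes(hashlib.sha256(m).digest(), "big") % N
    return scalar_mult(e, G), e


def sqrt_mod_p(v: int):
    """Square root in F_P for P = 3 (mod 4); None if v is a non-residue."""
    r = pow(v, (P + 1) // 4, P)
    return r if r * r % P == v % P else None


def hash_to_curve(m: bytes):
    """Try-and-increment: x = SHA-256(m || ctr) mod P, increment ctr until x^3 + 7 is a square.
    No multiple of G is computed, so nobody learns the discrete log of the output.
    Cofactor 1 means the resulting point is already in the prime-order group."""
    ctr = 0
    while True:
        x = int.from_bytes(hashlib.sha256(m + ctr.to_bytes(4, "big")).digest(), "big") % P
        y = sqrt_mod_p((x * x * x + A * x + B) % P)
        if y is not None:
            return (x, P - y if y % 2 else y)  # canonical root (even y) keeps H deterministic
        ctr += 1


if __name__ == "__main__":
    msg = b"constructed message"
    pt, e = hash_via_generator(msg)
    print("g^h(m) on curve:", is_on_curve(pt), "leaked dlog bits:", e.bit_length())
    print("try-and-increment on curve:", is_on_curve(hash_to_curve(msg)))
```

Two caveats a practitioner should keep in mind. First, the try-and-increment loop runs a message-dependent number of times (about two on average, since roughly half of the field elements are squares), so this variant is not constant time and leaks timing information about $m$; deterministic, constant-time encodings are preferred in deployments. Second, on a curve with cofactor greater than 1 the point found must additionally be multiplied by the cofactor to land in the prime-order subgroup, which the cofactor-1 choice above sidesteps.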