Elliptic curve only hash

Elliptic curve only hash (ECOH)
General
Designers	Daniel R. L. Brown, Matt Campagna, Rene Struik
First published	2008
Derived from	MuHASH
Detail
Digest sizes	224, 256, 384 or 512 bits
Best public cryptanalysis
	Second Pre-Image

Last updated January 08, 2025

The elliptic curve only hash (ECOH) algorithm was submitted as a candidate for SHA-3 in the NIST hash function competition. However, it was rejected in the beginning of the competition since a second pre-image attack was found.

The ECOH is based on the MuHASH hash algorithm, that has not yet been successfully attacked. However, MuHASH is too inefficient for practical use and changes had to be made. The main difference is that where MuHASH applies a random oracle ^{[ clarification needed ]}, ECOH applies a padding function. Assuming random oracles, finding a collision in MuHASH implies solving the discrete logarithm problem. MuHASH is thus a provably secure hash, i.e. we know that finding a collision is at least as hard as some hard known mathematical problem.

ECOH does not use random oracles and its security is not strictly directly related to the discrete logarithm problem, yet it is still based on mathematical functions. ECOH is related to the Semaev's problem of finding low degree solutions to the summation polynomial equations over binary field, called the Summation Polynomial Problem. An efficient algorithm to solve this problem has not been given so far. Although the problem was not proven to be NP-hard, it is assumed that such an algorithm does not exist. Under certain assumptions, finding a collision in ECOH may be also viewed as an instance of the subset sum problem. Besides solving the Summation Polynomial Problem, there exists another way how to find second pre-images and thus collisions, Wagner's generalized birthday attack.

ECOH is a good example of hash function that is based on mathematical functions (with the provable security approach) rather than on classical ad hoc mixing of bits to obtain the hash.

The algorithm

Given $n$ , ECOH divides the message $M$ into $n$ blocks $M_{0},\ldots ,M_{n-1}$ . If the last block is incomplete, it is padded with single 1 and then appropriate number of 0. Let furthermore $P$ be a function that maps a message block and an integer to an elliptic curve point. Then using the mapping $P$ , each block is transformed to an elliptic curve point $P_{i}$ , and these points are added together with two more points. One additional point $X_{1}$ contains the padding and depends only on the message length. The second additional point $X_{2}$ depends on the message length and the XOR of all message blocks. The result is truncated to get the hash $H$ .

${\begin{aligned}P_{i}&{}:=P(M_{i},i)\\X_{1}&{}:=P'(n)\\X_{2}&{}:=P^{*}(M_{i},n)\\Q&{}:=\sum _{i=0}^{n-1}P_{i}+X_{1}+X_{2}\\R&{}:=f(Q)\end{aligned}}$

The two extra points are computed by $P'$ and $P^{*}$ . $Q$ adds all the elliptic curve points and the two extra points together. Finally, the result is passed through an output transformation function f to get the hash result $R$ . To read more about this algorithm, see "ECOH: the Elliptic Curve Only Hash".

Examples

Four ECOH algorithms were proposed, ECOH-224, ECOH-256, ECOH-384 and ECOH-512. The number represents the size of the message digest. They differ in the length of parameters, block size and in the used elliptic curve. The first two uses the elliptic curve B-283: $X^{283}+X^{12}+X^{7}+X^{5}+1$ , with parameters (128, 64, 64). ECOH-384 uses the curve B-409: $X^{409}+X^{87}+1$ , with parameters (192, 64, 64). ECOH-512 uses the curve B-571: $X^{571}+X^{10}+X^{5}+X^{2}+1$ , with parameters (256, 128, 128). It can hash messages of bit length up to $2^{128}$ .

Properties

Incrementality: ECOH of a message can be updated quickly, given a small change in the message and an intermediate value in ECOH computation.
Parallelizability: This means the computation of the $P_{i}'s$ can be done on parallel systems.
Speed: The ECOH algorithm is about thousand times slower than SHA-1. However, given the developments in desktop hardware towards parallelization and carryless multiplication, ECOH may in a few years be as fast as SHA-1 for long messages. For short messages, ECOH is relatively slow, unless extensive tables are used.

Security of ECOH

The ECOH hash functions are based on concrete mathematical functions. They were designed such that the problem of finding collisions should be reducible to a known and hard mathematical problem (the subset sum problem). It means that if one could find collisions, one would be able to solve the underlying mathematical problem which is assumed to be hard and unsolvable in polynomial time. Functions with these properties are known provably secure and are quite unique among the rest of hash functions. Nevertheless, second pre-image (and thus a collision) was later found because the assumptions given in the proof were too strong.

Semaev Summation Polynomial

One way of finding collisions or second pre-images is solving Semaev Summation Polynomials. For a given elliptic curve E, there exists polynomials $f_{n}$ that are symmetric in $n$ variables and that vanish exactly when evaluated at abscissae of points whose sum is 0 in $E$ . So far, an efficient algorithm to solve this problem does not exist and it is assumed to be hard (but not proven to be NP-hard).

More formally: Let $\mathbf {F}$ be a finite field, $E$ be an elliptic curve with Weierstrass equation having coefficients in $\mathbf {F}$ and $O$ be the point of infinity. It is known that there exists a multivariable polynomial $f_{n}(X_{1},\ldots ,X_{N})$ if and only if there exist < $y_{1},\ldots ,y_{n}$ such that $(x_{1},y_{1})+\ldots +(x_{n},y_{n})=O$ . This polynomial has degree $2^{n-2}$ in each variable. The problem is to find this polynomial.

Provable security discussion

The problem of finding collisions in ECOH is similar to the subset sum problem. Solving a subset sum problem is almost as hard as the discrete logarithm problem. It is generally assumed that this is not doable in polynomial time. However a significantly loose heuristic must be assumed, more specifically, one of the involved parameters in the computation is not necessarily random but has a particular structure. If one adopts this loose heuristic, then finding an internal ECOH collision may be viewed as an instance of the subset sum problem.

A second pre-image attack exists in the form of generalized birthday attack.

Second pre-image attack

Description of the attack: This is a Wagner’s Generalized Birthday Attack. It requires 2¹⁴³ time for ECOH-224 and ECOH-256, 2²⁰⁶ time for ECOH-384, and 2²⁸⁷ time for ECOH-512. The attack sets the checksum block to a fixed value and uses a collision search on the elliptic curve points. For this attack we have a message M and try to find a M' that hashes to the same message. We first split the message length into six blocks. So $M'=(M_{1},M_{2},M_{3},M_{4},M_{5},M_{6})$ . Let K be a natural number. We choose K different numbers for $(M_{0},M_{1})$ and define $M_{2}$ by $M_{2}:=M_{0}+M_{1}$ . We compute the K corresponding elliptic curve points $P(M_{0},0)+P(M_{1},1)+P(M_{2},2)$ and store them in a list. We then choose K different random values for $(M_{3},M_{4})$ , define $M_{5}:=M_{3}+M_{4}$ , we compute $Q-X_{1}-X_{2}-P(M_{3},3)-P(M_{4},4)-P(M_{5},5)$ , and store them in a second list. Note that the target Q is known. $X_{1}$ only depends on the length of the message which we have fixed. $X_{2}$ depends on the length and the XOR of all message blocks, but we choose the message blocks such that this is always zero. Thus, $X_{2}$ is fixed for all our tries.

If K is larger than the square root of the number of points on the elliptic curve then we expect one collision between the two lists. This gives us a message $(M_{1},M_{2},M_{3},M_{4},M_{5},M_{6})$ with: $Q=\sum _{i=0}^{5}P(M_{i},i)+X_{1}+X_{2}$ This means that this message leads to the target value Q and thus to a second preimage, which was the question. The workload we have to do here is two times K partial hash computations. For more info, see "A Second Pre-image Attack Against Elliptic Curve Only Hash (ECOH)".

Actual parameters:

ECOH-224 and ECOH-256 use the elliptic curve B-283 with approximately $2^{283}$ points on the curve. We choose $K=2^{142}$ and get an attack with complexity $2^{143}$ .
ECOH-384 uses the elliptic curve B-409 with approximately $2^{409}$ points on the curve. Choosing $K=2^{205}$ gives an attack with complexity $2^{206}.$
ECOH-512 uses the elliptic curve B-571 with approximately $2^{571}$ points on the curve. Choosing $K=2^{286}$ gives an attack with complexity $2^{287}.$

ECOH2

The official comments on ECOH included a proposal called ECOH2 that doubles the elliptic curve size in an effort to stop the Halcrow-Ferguson second preimage attack with a prediction of improved or similar performance.

Related Research Articles

<span class="mw-page-title-main">Elliptic curve</span> Algebraic curve

In mathematics, an elliptic curve is a smooth, projective, algebraic curve of genus one, on which there is a specified point $O$ . An elliptic curve is defined over a field $K$ and describes points in $K 2$ , the Cartesian product of $K$ with itself. If the field's characteristic is different from 2 and 3, then the curve can be described as a plane algebraic curve which consists of solutions $(x, y)$ for:

In information theory and coding theory, Reed–Solomon codes are a group of error-correcting codes that were introduced by Irving S. Reed and Gustave Solomon in 1960. They have many applications, including consumer technologies such as MiniDiscs, CDs, DVDs, Blu-ray discs, QR codes, Data Matrix, data transmission technologies such as DSL and WiMAX, broadcast systems such as satellite communications, DVB and ATSC, and storage systems such as RAID 6.

The Merkle–Hellman knapsack cryptosystem was one of the earliest public key cryptosystems. It was published by Ralph Merkle and Martin Hellman in 1978. A polynomial time attack was published by Adi Shamir in 1984. As a result, the cryptosystem is now considered insecure.

In mathematics, an affine algebraic plane curve is the zero set of a polynomial in two variables. A projective algebraic plane curve is the zero set in a projective plane of a homogeneous polynomial in three variables. An affine algebraic plane curve can be completed in a projective algebraic plane curve by homogenizing its defining polynomial. Conversely, a projective algebraic plane curve of homogeneous equation $h (x, y, t) = 0$ can be restricted to the affine algebraic plane curve of equation $h (x, y, 1) = 0$ . These two operations are each inverse to the other; therefore, the phrase algebraic plane curve is often used without specifying explicitly whether it is the affine or the projective case that is considered.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. This has nothing to do with whether the function is one-to-one; finding any one input with the desired image is considered a successful inversion.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

Hyperelliptic curve cryptography is similar to elliptic curve cryptography (ECC) insofar as the Jacobian of a hyperelliptic curve is an abelian group in which to do arithmetic, just as we use the group of points on an elliptic curve in ECC.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

In cryptography, a one-way compression function is a function that transforms two fixed-length inputs into a fixed-length output. The transformation is "one-way", meaning that it is difficult given a particular output to compute inputs which compress to that output. One-way compression functions are not related to conventional data compression algorithms, which instead can be inverted exactly or approximately to the original data.

In mathematics and computing, universal hashing refers to selecting a hash function at random from a family of hash functions with a certain mathematical property. This guarantees a low number of collisions in expectation, even if the data is chosen by an adversary. Many universal families are known, and their evaluation is often very efficient. Universal hashing has numerous uses in computer science, for example in implementations of hash tables, randomized algorithms, and cryptography.

An important aspect in the study of elliptic curves is devising effective ways of counting points on the curve. There have been several approaches to do so, and the algorithms devised have proved to be useful tools in the study of various fields such as number theory, and more recently in cryptography and Digital Signature Authentication. While in number theory they have important consequences in the solving of Diophantine equations, with respect to cryptography, they enable us to make effective use of the difficulty of the discrete logarithm problem (DLP) for the group $, of elliptic curves over a finite field, where q = p k and p is a prime. The DLP, as it has come to be known, is a widely used approach to public key cryptography, and the difficulty in solving this problem determines the level of security of the cryptosystem. This article covers algorithms to count points on elliptic curves over fields of large characteristic, in particular p > 3. For curves over fields of small characteristic more efficient algorithms based on p -adic methods exist.$

In cryptography, Very Smooth Hash (VSH) is a provably secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra, and Ron Steinfeld. Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per $log(n)$ message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

In cryptography, the fast syndrome-based hash functions (FSB) are a family of cryptographic hash functions introduced in 2003 by Daniel Augot, Matthieu Finiasz, and Nicolas Sendrier. Unlike most other cryptographic hash functions in use today, FSB can to a certain extent be proven to be secure. More exactly, it can be proven that breaking FSB is at least as difficult as solving a certain NP-complete problem known as regular syndrome decoding so FSB is provably secure. Though it is not known whether NP-complete problems are solvable in polynomial time, it is often assumed that they are not.

In cryptography, cryptographic hash functions can be divided into two main categories. In the first category are those functions whose designs are based on mathematical problems, and whose security thus follows from rigorous mathematical proofs, complexity theory and formal reduction. These functions are called provably secure cryptographic hash functions. To construct these is very difficult, and few examples have been introduced. Their practical use is limited.

In cryptography, SWIFFT is a collection of provably secure hash functions. It is based on the concept of the fast Fourier transform (FFT). SWIFFT is not the first hash function based on the FFT, but it sets itself apart by providing a mathematical proof of its security. It also uses the LLL basis reduction algorithm. It can be shown that finding collisions in SWIFFT is at least as difficult as finding short vectors in cyclic/ideal lattices in the worst case. By giving a security reduction to the worst-case scenario of a difficult mathematical problem, SWIFFT gives a much stronger security guarantee than most other cryptographic hash functions.

In mathematics, elliptic curve primality testing techniques, or elliptic curve primality proving (ECPP), are among the quickest and most widely used methods in primality proving. It is an idea put forward by Shafi Goldwasser and Joe Kilian in 1986 and turned into an algorithm by A. O. L. Atkin in the same year. The algorithm was altered and improved by several collaborators subsequently, and notably by Atkin and François Morain, in 1993. The concept of using elliptic curves in factorization had been developed by H. W. Lenstra in 1985, and the implications for its use in primality testing followed quickly.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of honest node is corrupted if at least one of the incoming packets is corrupted.

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

References

Daniel R. L. Brown, Matt Campagna, Rene Struik (2008). "ECOH: the Elliptic Curve Only Hash".
Michael A. Halcrow, Niels Ferguson (2009). "A Second Pre-image Attack Against Elliptic Curve Only Hash (ECOH)".

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.