Very smooth hash

Very Smooth Hash (VSH)
General
Designers	Scott Contini, Arjen K. Lenstra, Ron Steinfeld
First published	2005
Successors	VSH*
Detail
Digest sizes	1024 bits and up

Last updated February 17, 2024

In cryptography, Very Smooth Hash (VSH) is a provably secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra and Ron Steinfeld.^[1] Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per log(n) message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

Two major variants of VSH were proposed. For one, finding a collision is provably as difficult as finding a nontrivial modular square root of a very smooth number modulo n. The other one uses a prime modulus p (with no trapdoor), and its security proof relies on the hardness of finding discrete logarithms of very smooth numbers modulo p. Both versions have similar efficiency.

VSH is not suitable as a substitute for a random oracle, but can be used to build a provably secure randomized trapdoor hash function. This function can replace the trapdoor function used in the Cramer–Shoup signature scheme, maintaining its provable security while speeding up verification time by about 50%.

VSN and VSSR

None of the cryptographic hash functions in wide use today are based on hard mathematical problems. The few functions that are constructed on such problems are called provably secure: finding collisions is then known to be as hard as solving the underlying problem. For the basic version of the Very Smooth Hash function, this hard problem is to find modular square roots (VSSR) of certain special numbers (VSN).^[1] This is assumed to be as hard as factoring integers.

For a fixed constant c and an integer n, an integer m is a Very Smooth Number (VSN) if the largest prime factor of m is at most (log n)^c.

An integer b is a Very Smooth Quadratic Residue modulo n if the largest prime in b's factorization is at most (log n)^c and there exists an integer x such that $b\equiv x^{2}{\pmod {n}}$ . The integer x is said to be a Modular Square Root of b.

We are interested only in non-trivial square roots, those where x² ≥ n. If x² < n, the root can be easily computed using algorithms for fields of characteristic 0, such as the real field. Such roots are therefore not suitable for cryptographic primitives.

Very Smooth Number Nontrivial Modular Square Root (VSSR) is the following problem: Let n be the product of two unknown primes of approximately the same size and let $k\leq (\log n)^{c}$ . Let $p_{1}=2,p_{2}=3,p_{3}=5,\dots$ be the sequence of primes, with the convention $p_{0}=-1$ so that the index $i=0$ below is defined. Given n, find $x\in \mathbb {Z} _{n}^{*}$ such that $\textstyle x^{2}\equiv \prod _{i=0}^{k}p_{i}^{e_{i}}{\pmod {n}}$ and at least one of e₀,...,e_k is odd.

The VSSR assumption is that there is no probabilistic polynomial (in $\log n$ ) time algorithm which solves VSSR with non-negligible probability. This assumption is considered useless in practice because it does not say for what size of modulus VSSR is computationally hard. Instead, the computational VSSR assumption is used. It says that solving VSSR is as hard as factoring a hard-to-factor $s$ -bit modulus, where $s$ is somewhat smaller than the size of $n$ .

Examples of VSN and VSSR

Let the parameters be fixed as follows: $c=5$ and $n=31$ .

Then $m_{1}=35=5\cdot 7$ is a Very Smooth Number with respect to these parameters because $(\log 31)^{5}\approx 7.37$ (taking the logarithm to base 10) is greater than all of $m_{1}$ 's prime factors. On the other hand, $m_{2}=55=5\cdot 11$ is not a VSN under $c=5$ and $n=31$ , because its prime factor 11 exceeds this bound.

The integer $b_{1}=9$ is a Very Smooth Quadratic Residue modulo $n$ because it is a Very Smooth Number (under $c,n$ ) and we have $x_{1}=3$ such that $x_{1}^{2}=b_{1}$ (mod $n$ ). This is a trivial modular square root, because $3^{2}<n$ and so the modulus is not involved when squaring.

The integer $b_{2}=28=2^{2}\cdot 7$ is also a Very Smooth Quadratic Residue modulo $n$ . All of its prime factors are smaller than 7.37 and a Modular Square Root is $x_{2}=20$ since $20^{2}=400=12\cdot 31+28\equiv 28$ (mod $n$ ). Because $20^{2}\geq n$ , this is a non-trivial root. The VSSR problem is to find such a root, here $x_{2}$ , and this is assumed to be computationally as hard as factoring $n$ .
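The checks in this example can be reproduced with a short brute-force sketch. It assumes, as the value 7.37 suggests, that the logarithm is taken to base 10; the helper names are hypothetical and chosen only for this illustration, and the exhaustive search is feasible only because $n=31$ is tiny.

```python
import math


def largest_prime_factor(m):
    """Largest prime factor of m >= 2, found by trial division."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def is_very_smooth(m, n, c):
    """True if every prime factor of m is at most (log10 n)^c (base 10 is an assumption)."""
    return largest_prime_factor(m) <= math.log10(n) ** c


def nontrivial_square_roots(b, n):
    """All x in [1, n) with x^2 = b (mod n) and x^2 >= n, by exhaustive search."""
    return [x for x in range(1, n) if x * x % n == b % n and x * x >= n]


print(is_very_smooth(35, 31, 5))        # True: 35 = 5 * 7
print(is_very_smooth(55, 31, 5))        # False: 11 exceeds the bound
print(nontrivial_square_roots(28, 31))  # [11, 20]
```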

VSH algorithm, basic versions

Let $n$ be a large RSA composite and let $p_{1}=2,p_{2}=3,\ldots$ be the sequence of primes. Let $k$ , the block length, be the largest integer such that $\textstyle \prod _{i=1}^{k}p_{i}<n$ . Let $m$ be an $\ell$ -bit message to be hashed consisting of bits $(m_{1},\ldots ,m_{\ell })$ and assume that $\ell <2^{k}$ . To compute the hash of $m$ :

1. Let $x_{0}=1$ .
2. Let $L$ , the smallest integer greater than or equal to $\ell /k$ , be the number of blocks. Let $m_{i}=0$ for $\ell <i\leq Lk$ (padding).
3. Let $\textstyle \ell =\sum _{i=1}^{k}\ell _{i}2^{i-1}$ with $\ell _{i}\in \{0,1\}$ be the binary representation of the message length $\ell$ and define $m_{Lk+i}=\ell _{i}$ for $1\leq i\leq k$ .
4. For $j=0,1,\ldots ,L$ in succession, compute $x_{j+1}=x_{j}^{2}\prod _{i=1}^{k}p_{i}^{m_{jk+i}}{\bmod {n}}$ .
5. Return $x_{L+1}$ .

The function in step 4 is called the compression function.
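The steps above can be sketched in Python as follows. This is a toy illustration rather than a reference implementation: the function names `block_primes` and `vsh` and the modulus `1009 * 1013` are assumptions made for readability, and a modulus this small offers no security.

```python
def block_primes(n):
    """Return p_1..p_k, the longest run of consecutive primes whose product is < n."""
    primes, prod, cand = [], 1, 2
    while True:
        if all(cand % p for p in primes):  # cand has no smaller prime divisor
            if prod * cand >= n:
                return primes
            primes.append(cand)
            prod *= cand
        cand += 1


def vsh(bits, n):
    """Basic VSH of a list of message bits (each 0 or 1) modulo n."""
    primes = block_primes(n)
    k, ell = len(primes), len(bits)
    if ell >= 2 ** k:
        raise ValueError("message too long for this modulus")
    L = -(-ell // k)                               # number of blocks, ceil(ell / k)
    padded = list(bits) + [0] * (L * k - ell)      # zero padding
    padded += [(ell >> i) & 1 for i in range(k)]   # length block, least significant bit first
    x = 1
    for j in range(L + 1):                         # compression function, once per block
        x = x * x % n
        for p, bit in zip(primes, padded[j * k:(j + 1) * k]):
            if bit:
                x = x * p % n
    return x


n = 1009 * 1013        # toy modulus (assumption), far too small for real use
print(vsh([1], n))     # 8
print(vsh([0, 1], n))  # 27
```

For this modulus the block length is $k=7$ , since $2\cdot 3\cdot 5\cdot 7\cdot 11\cdot 13\cdot 17=510510<n$ while including 19 would exceed $n$ .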

Properties of VSH

The message length does not need to be known in advance.
Finding a collision in VSH is as hard as solving VSSR. Thus VSH is (strongly) collision-resistant, which also implies second preimage resistance. VSH has not been proven to be preimage-resistant.
The compression function is not collision-resistant. Nonetheless, the hash function VSH is collision-resistant based on the VSSR assumption. An altered version of VSH, called VSH*, uses a collision-resistant compression function and is about 5 times quicker when hashing short messages.
Since the output length of VSH is the length of a secure RSA modulus, VSH seems quite suitable in practice for constructing "hash-then-sign" RSA signatures for arbitrarily long messages. However, such a signature must be designed carefully to ensure its security. The naive approach could be easily broken under CPA (chosen-plaintext attack).
Efficiency: The cost of each iteration is less than the cost of 3 modular multiplications. Altogether, the basic version of VSH requires a single multiplication per $\Omega (\log n/\log \log n)$ message bits.

Variants of VSH

Several improvements, speedups and more efficient variants of VSH have been proposed.^[1] None of them changes the underlying concept of the function. These improvements are called:

Cubing VSH (instead of squaring).
VSH with increased number of small primes.
VSH with precomputed products of primes.
Fast VSH.
Fast VSH with increased block length.

VSDL and VSH-DL variant

VSH-DL is a discrete logarithm variant of VSH that has no trapdoor; its security depends on the difficulty of finding discrete logarithms modulo a prime p.^[1]

Very Smooth Number Discrete Logarithm (VSDL) is a problem where given a very smooth number, we want to find its discrete logarithm modulo some number n.

As in the previous section, $p_{i}$ denotes the $i$ -th prime. Furthermore, let $c$ be a fixed constant, let $p$ and $q$ be primes with $p=2q+1$ , and let $k\leq (\log p)^{c}$ . VSDL is the following problem: given $p$ , find integers $e_{1},...,e_{k}$ such that $2^{e_{1}}\equiv \prod _{i=2}^{k}p_{i}^{e_{i}}{\pmod {p}}$ with $|e_{i}|<q$ for $i=1,...,k$ and at least one of $e_{1},...,e_{k}$ non-zero.

The VSDL assumption is that there is no probabilistic polynomial (in $\log p$ ) time algorithm which solves VSDL with non-negligible probability. There is a strong connection between the hardness of VSDL and the hardness of computing discrete logarithms modulo $p$ , which is reminiscent of, but somewhat weaker than, the connection between VSSR and integer factorization.
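To make the shape of a VSDL solution concrete, the following sketch searches exhaustively for a relation at a toy size. The function name `find_vsdl_relation` and the parameters $p=23$ , $q=11$ , $k=3$ are assumptions chosen for illustration; exhaustive search is hopeless for cryptographic sizes, and the three-argument `pow` with a negative exponent requires Python 3.8 or later.

```python
from itertools import product


def find_vsdl_relation(p, primes):
    """Brute-force search for (e_1, ..., e_k) with
    primes[0]^e_1 = prod_{i >= 2} primes[i-1]^e_i (mod p), |e_i| < q, not all zero."""
    q = (p - 1) // 2
    for exps in product(range(-q + 1, q), repeat=len(primes)):  # every |e_i| < q
        if not any(exps):
            continue  # at least one exponent must be non-zero
        lhs = pow(primes[0], exps[0], p)  # 2^{e_1}
        rhs = 1
        for prime, e in zip(primes[1:], exps[1:]):
            rhs = rhs * pow(prime, e, p) % p  # a negative e uses the modular inverse
        if lhs == rhs:
            return exps
    return None


# p = 23 = 2 * 11 + 1, with the first three primes 2, 3, 5
print(find_vsdl_relation(23, [2, 3, 5]))
```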

Security of VSH

Strong collision resistance is the only property proven for VSH. This does not imply preimage resistance or other important hash function properties. The authors state that "VSH should not be used to model random oracles," so it cannot be substituted into constructions that depend upon them (RSA signatures, some MACs).^[1] VSH should not be considered a general-purpose hash function as usually understood in security engineering.

Multiplicative property

VSH is multiplicative: Let x, y, and z be three bit strings of equal length, where z consists only of zero bits and the strings satisfy x AND y = z. It is easy to see that H(z)H(x OR y) ≡ H(x)H(y) (mod n). As a result, VSH succumbs to a classical time-memory trade-off attack that applies to multiplicative and additive hashes.

This fact can be used to construct a preimage attack against VSH of $\ell$ bits which has $2^{\ell /2}$ complexity rather than $2^{\ell }$ as expected.
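The multiplicative identity can be checked by unrolling the iteration of the basic algorithm. The exponent notation $e_{i}(m)$ below is introduced only for this sketch and writes $x_{j}$ for the chaining values of the algorithm. Since $x_{0}=1$ and the bits of block $j$ are squared $L-j$ more times after they are multiplied in,

$$H(m)\equiv \prod _{i=1}^{k}p_{i}^{e_{i}(m)}{\pmod {n}},\qquad e_{i}(m)=\sum _{j=0}^{L}m_{jk+i}\,2^{L-j}.$$

Strings of equal length share the same $L$ and the same length block $m_{Lk+i}=\ell _{i}$ . If x AND y = z is all zeros, then in every message position the bit of x OR y is the sum of the bits of x and y, while the bit of z is 0. Hence, for each $i$ ,

$$e_{i}(x\lor y)+e_{i}(z)=e_{i}(x)+e_{i}(y),$$

because both sides contain the message bits of x and y once and the length block twice. Taking the product over $i$ gives H(z)H(x OR y) ≡ H(x)H(y) (mod n).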

Attack against truncated version

VSH produces a very long hash (typically 1024 bits). There are no indications that a truncated VSH hash offers security that is commensurate with the hash length.

There exists a partial collision attack on VSH truncated to the $\ell$ least significant bits.^[2]

The complexity of this attack against VSH is:

Pre-computing the table offline: $2^{\ell /3}$ time and space.
Finding collisions: $2^{\ell /3}$ iterations.
Total cost: roughly $2^{\ell /3}$ , rather than $2^{\ell /2}$ as expected from a hash function with good pseudorandomness properties.

This probably rules out the applicability of VSH in digital signature schemes which produce signatures shorter than the VSH hash result, such as elliptic-curve signature schemes.

References

[1] Contini, S.; Lenstra, A.; Steinfeld, R. (2005-06-23), VSH, an Efficient and Provable Collision-Resistant Hash Function.
[2] Saarinen, M.-J. O. (2006), "Security of VSH in the real world", Progress in Cryptology - INDOCRYPT 2006, Lecture Notes in Computer Science, vol. 4329, pp. 95–103, doi:10.1007/11941378_8, ISBN 978-3-540-49767-7