prev

next

of 28

Published on

02-Feb-2016View

66Download

0

Embed Size (px)

DESCRIPTION

Universal Hash Families. Universal hash families. Family of hash functions Finite multiset H of string-valued functions, each h H having the same nonempty domain A {0,1} * and range B {0,1} * , for some constant b - PowerPoint PPT Presentation

Transcript

Universal Hash Families

(ETRI)

*

Universal hash familiesFamily of hash functionsFinite multiset H of string-valued functions, each h H having the same nonempty domain A {0,1}* and range B {0,1}*, for some constant b[Definition] -almost universal2 (-AU2) & -almost XOR universal2 (-AXU2)A family of hash functions H ={h: A {0,1}b} is -almost universal2 , written -AU2, if, for all distinct x, xA, Prh H [h(x)=h(x)] .The family of hash functions H is -almost XOR universal2 , written -AXU2, if, for all distinct x, xA, and for all c{0,1}b, Prh H [h(x)h(x)=c] . =maxxx{Prh [h(x)=h(x)]} : collision probability

Principle measure of an AU2 : How small its collision probability is and how fast one can compute its functions

(ETRI)

*

Composition of universal hash familiesMake the domain of a hash family biggerH ={h: {0,1}a{0,1}b}Hm ={h: {0,1}am{0,1}bm}its elements are the same as in H where h(x1 x2 xm), for | xi |=a, is defined by h(x1)|| h(x2)|||| h(xm)[Proposition] If H is -AU2, then Hm is -AU2

Make the collision probability smallerH1 ={h: A {0,1}b1}, H2 ={h: A {0,1}b2} H1 & H2 ={h: A {0,1}b1+ b2}its elements are pairs of functions (h1, h2)H1H2 and where (h1, h2)(x) is defined as h1(x)||h2(x)[Proposition] If H1 is 1-AU2 and H2 is 2-AU2, then H1 & H2 is 12-AU2

(ETRI)

*

Composition of universal hash families(cont.)Make the image of a hash function shorterH1 ={h: {0,1}a{0,1}b}, H2 ={h: {0,1}b{0,1}c}H2 H1 ={h: {0,1}a{0,1}c}its elements are pairs of functions (h1, h2)H1H2 and where (h1, h2)(x) is defined as h2(h1(x))[Proposition] If H1 is 1-AU2 and H2 is 2-AU2, then H2 H1 is (1+2)-AU2

Turn an AU2 family H1 and AXU2 family H2 into an AXU2 family H2 H1 [Proposition] Suppose H1 ={h: AB} is 1-AU2 and H2 ={h: BC} is 2-AXU2. Then H2 H1 ={h: AC} is (1+2)-AXU2

(ETRI)

*

Related researchesCarter-Wegman(1979, 1981)Efficient authentication code under strongly universal hash functionsKey observationsLong messages can be authenticated efficiently using short keys if the number of bits in the authentication tag is increased slightly compared to perfect schemesIf a message is hashed to a short authentication tag, weaker properties are sufficient for the first stage of the compressionUnder certain conditions, the hash function can remain the same for many plaintexts, provided that hash results is encrypted using a one-time padStinson(1994)Improves the works by Wegman-Carter and establishes an explicit link between authentication codes and strongly universal hash functionsJohansson-Kabatianskii-Smeets(1996)Establish a relation between authentication codes and codes correcting independent errors

(ETRI)

*

Related researches(cont.)Krawczyk(1994, 1995)Propose universal hash functions that are linear with respect to bitwise XORMakes it easier to reuse the authentication codeEncrypt the m-bit hash result for each new message using a one-time padSimple and efficient constructions based on polynomials and LFSRShoup(1996)Propose and analyze the constructions based on polynomials over finite fieldsRogaway : Bucket hashing (1995)Halevi-Krawczyk : MMH (1997)Make optimal used of the multiply and accumulate instruction of the Pentium MMX processorBlack-Halevi-Krawczyk-Krovertz-Rogaway : UMAC (1999)Further improved the performance on high end processors

(ETRI)

*

ConstructionsBucket hashingis an -AU introduced by RogawayDefining the Bucket Hash Family Bword size w(1), parameters n(1), N(3)domain D={0,1}wn, range R={0,1}wNLet h B and let X=X1 Xn be the string we want to hash, where each |Xi|=w. Then h(X) is defined by the following algorithm. First, for each j{1,, N}, initialize Yj to 0w. Then, for each i{1,, n} and k hi, replace Yk by Yk Xi. When done, set h(X) = Y1||Y2||||YN.Pseudocodefor j 1 to N do Yj 0wfor i 1 to n do Yhi1 Yhi1 Xi Yhi2 Yhi2 Xi Yhi3 Yhi3 Xireturn Y1||Y2||||YN

(ETRI)

*

Constructions(cont.)Bucket Hashing with Small Key SizeN=2s/L Each hash function hB[w,M,N] is specified by a list of length Meach entry contains L integers in the interval [0, N-1]L arrays are introduced, each containing N bucketsNext, each array is compressed to s/L words, using a fixed primitive element GF(2s/L)The hash result is equal to the concatenation of the L compressed arrays, each containing s/L words

(ETRI)

*

Constructions(cont.)Hash Family Based on Fast Polynomial Evaluationis based on polynomial evaluation over a finite fieldq = 2r, Q = 2m = 2r+s, n = 1+2s, : a linear mapping from GF(Q) onto GF(q)Q = q0m, q = q0r , q0 : a prime powerfa(x) =a0 + a1x + + an-1xn-1x, y, a0, a1, , an-1 GF(Q), z GF(q)H = {hx,y,z : hx,y,z(a) = hx,y,z(a0, a1, , an-1) = (y fa(x)) + z}

(ETRI)

*

Constructions(cont.)Hash Family Using Toeplitz MatricesToeplitz matrices are matrices with constant values on the left-to-right diagonalsA Toeplitz matrix of dimension n m can be used to hash messages of length m to hash results of length n by vector-matrix multiplicationThe Toeplitz construction uses matrices generated by sequences of length n + m - 1 drawn from -biased distributions-biased distributions are a tool for replacing truly random sequences by more compact and easier to generate sequencesThe lower , the more random the sequence isKrawczyk proves that the family of hash functions associated with a family of Toeplitz-matrices corresponding to sequences selected from a -biased distribution is -AXU with = 2-n +

(ETRI)

*

Constructions(cont.)Evaluation Hash Functionis one of the variants analyzed by ShoupThe input (of length tn) : viewed as a polynomial M(x) of degree < t over GF(2n)The key : a random element GF(2n)the hash result : equal to M() GF(2n)This family of hash functions is -AXU with = t/2n

(ETRI)

*

Constructions(cont.)Division Hash Functionrepresents the input as a polynomial M(x) of degree less than tn over GF(2)The hash key : a random irreducible polynomial p(x) of degree n over GF(2)The hash result : m(x) xn mod p(x)This family of hash functions is -AXU with = tn/2nThe total number of irreducible polynomials of degree n is roughly equal to 2n/n

(ETRI)

*

Constructions(cont.)MMH(Multilinear Modular Hashing) hashingconsists of a (modified) inner product between message and key modulo a prime p (close to 2w, with w the word length; below w = 32)is an -AXU2, but with xor replaced by subtraction modulo pThe core hash function maps 32 32-bit message words and 32 32-bit key words to a 32-bit resultThe key size is 1024 bits and = 1.5/ 230For larger messages, a tree construction can be usedthe value of and the key length have to be multiplied by the height of the treeThis algorithm is very fast on the Pentium Pro, which has a multiply and accumulate instructionOn a 32-bit machine, MMH requires only 2 instructions per byte for a 32-bit result

(ETRI)

*

Comparing the Hash Functions

(ETRI)

*

Comparing the Hash Functions(cont.)Scheme Athe input : divided into 32 blocks of 8 Kbyteeach block is hashed using the same bucket hash function with N = 160results in an intermediate string of 20480 bytesScheme Bthe input : divided into 64 blocks of 4 Kbyteeach block is hashed using the same bucket hash function with short key(s=42, L=6, N=128)results in an intermediate string of 10752 bytesScheme Cthe input is divided into 64 blocks of 4 Kbyteeach block is hashed using a 331024 Toeplitz matrix, based on a -biased sequence of length 1056 generated using an 88-bit LFSRThe length of the intermediate string is 8448 bytes

(ETRI)

*

Comparing the Hash Functions(cont.)Scheme Dthe input : hashed twice using the polynomial evaluation hash function with = 2-15 resulting in a combined value of 2-30W = 5The performance is slightly key dependent. Therefore an average over a number of keys has been computed.Scheme Ethis is simply the evaluation hash function with t = 32768the resulting value of is too smallHowever, choosing a smaller value of n that is not a multiple of 32 induces a performance penaltyScheme Fthe input : divided into 2048 blocks of 128 byteseach block is hashed twice using MMHthe length of the intermediate string is 16384 bytesIt is not possible to obtain a value of closer to 2-32 in an efficient way

(ETRI)

Universal Hashing MAC

(ETRI)

*

Message authentication based on Universal hashingMessage authentication based on Universal hashingWegman-Carter approachThe parties share a secret key k=(h,P)P : infinite random stringh : function drawn randomly from a strongly universal2 family of hash functions HH is strongly universal2 if, for all xx, the random variable h1(x)||h2(x), for h H , is uniformly distributedTo authenticate a message x, the sender transmits h(x) xored with the next piece of the pad PStandard cryptographic techniqueuse of a pseudorandom function family, F

[Theorem] Assume H is -AXU2, and that F is replaced by the truly random function family R of functions. In this case, if an adversary makes q1 queries to the authentication algorithm S and q2 queries to the verification algorithm V, the probability of forging a MAC is at most q2

(ETRI)

*

Universal hashing MACWhy Universal hashing MAC?The speed of a universal hashing MAC depends on the speed of the hashing step and encrypting stepThe encryption does not take longhash function compresses messages => the encrypting message is shortThe combinatorial properties of the universal hash function family is mathematically provenneeds no over-design or safe margin the way a cryptographic primitive wouldUniversal hashing MAC makes for desirable security propertiescan select a cryptographically conservative design for the encrypting stepcan pay with only a minor impact on speedthe cryptographic primitive is applied only to the much shor