Paper 2023/348

Optimal Security for Keyed Hash Functions: Avoiding Time-Space Tradeoffs for Finding Collisions

Cody Freitag, Cornell Tech
Ashrujit Ghoshal, University of Washington
Ilan Komargodski, Hebrew University of Jerusalem, NTT Research
Abstract

Cryptographic hash functions map data of arbitrary size to a fixed size digest, and are one of the most commonly used cryptographic objects. As it is infeasible to design an individual hash function for every input size, variable-input length hash functions are built by designing and bootstrapping a single fixed-input length function that looks sufficiently random. To prevent trivial preprocessing attacks, applications often require not just a single hash function but rather a family of keyed hash functions. The most well-known methods for designing variable-input length hash function families from a fixed idealized function are the Merkle-Damgård and Sponge designs. The former underlies the SHA-1 and SHA-2 constructions and the latter underlies SHA-3. Unfortunately, recent works (Coretti et al. EUROCRYPT 2018, Coretti et al. CRYPTO 2018) show non-trivial time-space tradeoff attacks for finding collisions for both. Thus, this forces a parameter blowup (i.e., efficiency loss) for reaching a certain desired level of security. We ask whether it is possible to build families of keyed hash functions which are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions, without incurring significant efficiency costs. We present several new constructions of keyed hash functions that are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions. Our constructions provide various tradeoffs between their efficiency and the range of parameters where they achieve optimal security for collision resistance. Our main technical contribution is proving optimal security bounds for converting a hash function with a fixed-sized input to a keyed hash function with (potentially larger) fixed-size input. We then use this keyed function as the underlying primitive inside the standard MD and Merkle tree constructions. We strongly believe that this paradigm of using a keyed inner hash function in these constructions is the right one, for which non-uniform security has not been analyzed prior to this work.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in EUROCRYPT 2023
Keywords
Time-space tradeoffscollision-resistanceAI-ROMiterative hashing
Contact author(s)
cfreitag @ cs cornell edu
ashrujit @ cs washington edu
ilank @ cs huji ac il
History
2023-03-15: approved
2023-03-09: received
See all versions
Short URL
https://ia.cr/2023/348
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/348,
      author = {Cody Freitag and Ashrujit Ghoshal and Ilan Komargodski},
      title = {Optimal Security for Keyed Hash Functions: Avoiding Time-Space Tradeoffs for Finding Collisions},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/348},
      year = {2023},
      url = {https://eprint.iacr.org/2023/348}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.