Security of cryptographic hash functions: Difference between revisions

In [[cryptography]], [[cryptographic hash functions]] can be divided into two main categories. In the first category are those functions whose designs are based on mathematical problems, and whose security thus follows from rigorous mathematical proofs, [[Computational complexity theory|complexity theory]] and [[Reduction (complexity)|formal reduction]]. These functions are called Provably''provably Securesecure Cryptographiccryptographic Hashhash Functionsfunctions''. To construct these is very difficult, and few examples have been introduced. Their practical use is limited.

In the second category are functions which are not based on mathematical problems, but on an ad-hoc constructions, in which the bits of the message are mixed to produce the hash. These are then believed to be hard to break, but no formal proof is given. Almost all hash functions in widespread use reside in this category. Some of these functions are already broken, and are no longer in use. ''See'' [[Hash function security summary]].

* '''Pre-image resistance''': given a hash <math>{{Mvar|h</math>}}, it should be ''hard'' to find any message <math>{{Mvar|m</math>}} such that <math>{{Math|1=''h'' = hash(''m'')</math>}}. This concept is related to that of the [[one-way function]]. Functions that lack this property are vulnerable to [[pre-image attack]]s.

* '''Second pre-image resistance''': given an input {{Math|''m''<mathsub>m_11</mathsub>}}, it should be ''hard'' to find another input, {{Math|''m''<mathsub>m_22</mathsub> (not equal to&ne; ''m''<mathsub>m_11</mathsub>)}} such that <math>{{Math|1=hash(m_1''m''₁) = hash(m_2)''m''<sub>2</mathsub>)}}. This property is sometimes referred to as weak collision resistance. Functions that lack this property are vulnerable to [[second pre-image attack]]s.

* '''Collision resistance''': it should be ''hard'' to find two different messages {{Math|''m''<mathsub>m_11</mathsub>}} and {{Math|''m''<mathsub>m_22</mathsub>}} such that <math>{{Math|1=hash(m_1''m''₁) = hash(m_2)''m''<sub>2</mathsub>)}}. Such a pair is called a (cryptographic) hash collision. This property is sometimes referred to as strong collision resistance. It requires a hash value at least twice as long as what is required for pre-image resistance,; otherwise, collisions may be found by a [[birthday attack]].

* '''Pseudo-randomness''': it should be ''hard'' to distinguish thea pseudo-random number generator based on the hash function from atrue random number generator,; for e.g.example, it passes usual [[randomness tests]].

===The meaning of "''hard"''===

The basic question is the meaning of "'''hard'''". There are two approaches to answer this question. First is the intuitive/practical approach: "''hard'' means that it is almost certainly beyond the reach of any adversary who must be prevented from breaking the system for as long as the security of the system is deemed important." The second approach is theoretical and is based on the [[computational complexity theory]]: if problem ''A'' is hard, then there exists a formal [[Reduction (complexity)|security reduction]] from a problem which is widely considered unsolvable in [[polynomial time]], such as [[integer factorization]] or the [[discrete logarithm]] problem.

Most hash functions are built on an ad -hoc basis, where the bits of the message are nicely mixed to produce the hash. Various [[bitwise operation]]s (e.g. rotations), [[Modular arithmetic|modular additions]], and [[One-way compression function|compression functions]] are used in iterative mode to ensure high complexity and pseudo-randomness of the output. In this way, the security is very hard to prove and the proof is usually not done. Only a few years ago{{When|date=August 2024}}, one of the most popular hash functions, [[SHA-1]], was shown to be less secure than its length suggested: collisions could be found in only 2⁵¹<ref>{{Cite web| title=Classification and Generation of Disturbance Vectors for Collision Attacks against SHA-1 | url=http://eprint.iacr.org/2008/469.pdf | archive-url=https://web.archive.org/web/20090115213127/http://eprint.iacr.org/2008/469.pdf | archive-date=2009-01-15}}</ref> tests, rather than the brute-force number of 2⁸⁰.

In other words, most of the hash functions in use nowadays are not provably collision-resistant. These hashes are not based on purely mathematical functions. This approach results generally in more effective hashing functions, but with the risk that a weakness of such a function will be eventually used to find collisions. TheOne famous case is [[MD5]].

In this approach, we base the security of a hash function is based on some hard mathematical problem, and weit proveis proved that finding collisions of the hash functionsfunction is as hard as breaking the underlying problem. This gives a somewhat stronger notion of security than just relying on complex mixing of bits as in the classical approach.

ItA meanscryptographic thathash iffunction findinghas collisions''provable wouldsecurity beagainst feasiblecollision inattacks'' polynomialif timefinding bycollisions algorithmis A,provably we could find and use[[Polynomial-time reduction|polynomial -time algorithmreducible]] Rfrom (reduction algorithm) that would use algorithm A to solvea problem ''P,'' which is widely supposed to be unsolvable in polynomial time. ThatThe function is athen contradiction.called Thisprovably meanssecure, thator findingjust collisions cannot be easier than solving Pprovable.

Examples of problems, that are assumed to be not solvable in polynomial time include

* [[Discrete logarithm|Discrete Logarithm Problem]]

* [[Quadratic residue|Finding Modular Squaresquare Rootsroots]]

* [[Integer factorization|Integer Factorization Problem]]

* [[Subset sum problem|Subset Sum Problemsum]]

===Downsides of the provable approach===

* Current{{When|date=August 2024}} collision-resistant hash algorithms that have provable security [[Reduction (complexity)|reductions]] are too inefficient to be used in practice. In comparison to classical hash functions, they tend to be relatively slow and do not always meet all of criteria traditionally expected of cryptographic hashes. [[Very smooth hash]] is an example.

* Constructing a hash function with provable security is much more difficult than using a classical approach where weone just hopehopes that the complex mixing of bits in the hashing algorithm is strong enough to prevent adversary from finding collisions.

* The proof is often a reduction to a problem with asymptotically hard [[Worst-case complexity|worst-case]] or [[average-case complexity]]. Worst-case complexity measures the difficulty of solving pathological cases rather than typical cases of the underlying problem. Even a reduction to a problem with hard average-case complexity offers only limited security, as there still can be an algorithm that easily solves the problem for a subset of the problem space. For example, early versions of [[Fast Syndrome Based Hash]] turned out to be insecure. This problem was solved in the latest version.

[[SWIFFT]] is an example of a hash function that circumvents these security problems. It can be shown that, for any algorithm that can break SWIFFT with probability P{{Mvar|p}} within an estimated time T{{Mvar|t}}, weone can find an algorithm that solves the ''worst-case'' scenario of a certain difficult mathematical problem within time T{{Math|''t''&prime;}} depending on T{{Mvar|t}} and P{{Mvar|p}}.{{citation needed|date=June 2014}}

===Example of (impractical) Provablyprovably Securesecure Hashhash Functionfunction===

HashLet {{Math|1=hash(''m'') = ''x''^''m'' mod ''n''}}, where ''{{Mvar|n''}} is a hard -to -factor composite number, and ''{{Mvar|x''}} is some prespecified base value. A collision {{Math|''x''^''m1m''₁ congruent to&equiv; ''x''^''m2m''₂ (mod ''n'')}} reveals a multiple {{Math|''m1m''₁ -&minus; m2''m''₂}} of the [[multiplicative order]] of ''{{Mvar|x''}} modulo {{Mvar|n}}. SuchThis information can be used to factor ''{{Mvar|n''}} in polynomial time, assuming certain properties of ''{{Mvar|x''}}.

But the algorithm is quite inefficient because it requires on average 1.5 multiplications modulo ''{{Mvar|n''}} per message-bit.

* [[Very smooth hash|VSH - Very Smooth Hash function]]—Very -Smooth aHash—a provably secure collision-resistant hash function assuming the hardness of finding nontrivial modular square roots modulo composite number <math>{{Mvar|n</math>}} (this is proven to be as hard as [[Integer factorization|factoring]] <math>{{Mvar|n</math>}}).

* [[Elliptic curve only hash|ECOH]]—[[Elliptic -curve only hash|Elliptic Curve Only hash function]] - based—based on the concept of [[Elliptic curve|elliptic curves]], Subsetthe Sum[[subset Problemsum problem]], and summation of polynomials. The security proof of the collision resistance was based on weakened assumptionsassumptionsm, and eventually a second pre-image attack was found.

* [[Fast Syndrome Based Hash|FSB]]—[[Fast -Syndrome Based Hash|Fast Syndrome-Based hash function]] - it—it can be proven that breaking FSB is at least as difficult as solving a''regular certainsyndrome NP-completedecoding'', problemwhich is known asto Regularbe Syndrome DecodingNP-complete.

* [[SWIFFT]] - SWIFFT—SWIFFT is based on the [[Fastfast Fourier transform]] and is provably collision resistant, under a relatively mild assumption about the worst-case difficulty of finding short vectors in cyclic/[[Ideal lattice cryptography|ideal lattices]].

* [[Chaum, van Heijst, Pfitzmann hash function]] - A—a compression function where finding collisions is as hard as solving the [[discrete logarithm|discrete logarithm problem]] in a finite group {{Math|''F''<mathsub>F_{2p2''p''+1}</mathsub>}}.

* [[Knapsack-based hash functions]] - A—a family of hash functions based on the [[Knapsackknapsack problem]].

* [[The Zémor-Tillich hash function]] - A—a family of hash functions that relyrelies on the arithmetic of the group of matrices [[Special linear group|SL2SL₂]]. Finding collisions is at least as difficult as finding factorization of certain elements in this group. This is supposed to be hard, at least [[PSPACE-complete]].{{Dubious|PSPACE-complete?!|date=January 2019}} For this hash, an attack was eventually discovered with a time complexity close to {{Math|2<mathsup>2^{''n''/2}</mathsup>}}. This beat by far the birthday bound and ideal pre-image complexities, which are {{Math|2<mathsup>2^{3n3''n''/2}</mathsup>}} and {{Math|2<mathsup>2^{3n}3''n''</mathsup>}} for the Zémor-Tillich hash function. As the attacks include a birthday search in a reduced set of size <math>2n</math>{{Math|2''n''}}, they indeed do not destroy the idea of provable security or invalidate the scheme but rather suggest that the initial parameters were too small.<ref>{{Citation

* [[Hash functions from Sigma Protocols]] - there—there exists a general way of constructing a provably secure hash, specifically from any (suitable) [[Proof of knowledge#Sigma protocols|sigma protocol]]. A faster version of [[Very smooth hash|VSH]] (called VSH*) could be obtained in this way.