Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

Universal One-Way Hash Functions (UOWHFs) may be used in place of collision-resistant functions in many public-key cryptographic applications. At Asiacrypt 2004, Hong, Preneel and Lee introduced the stronger security notion of higher order UOWHFs to allow construction of long-input UOWHFs using the Merkle-Damgard domain extender. However, they did not provide any provably secure constructions for higher order UOWHFs. We show that the subset sum hash function is a kth order Universal One-Way Hash Function (hashing n bits to m < n bits) under the Subset Sum assumption for k = O(log m). Therefore we strengthen a previous result of Impagliazzo and Naor, who showed that the subset sum hash function is a UOWHF under the Subset Sum assumption. We believe our result is of theoretical interest; as far as we are aware, it is the first example of a natural and computationally efficient UOWHF which is also a provably secure higher order UOWHF under the same well-known cryptographic assumption, whereas this assumption does not seem sufficient to prove its collision-resistance. A consequence of our result is that one can apply the Merkle-Damgard extender to the subset sum compression function with ‘extension factor' k+1, while losing (at most) about k bits of UOWHF security relative to the UOWHF security of the compression function. The method also leads to a saving of up to m log(k+1) bits in key length relative to the Shoup XOR-Mask domain extender applied to the subset sum compression function.

[1]  Moni Naor,et al.  Efficient cryptographic schemes provably as secure as subset sum , 1989, 30th Annual Symposium on Foundations of Computer Science.

[2]  Oded Goldreich,et al.  Collision-Free Hashing from Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[3]  Claus-Peter Schnorr,et al.  An Improved Low-Denisty Subset Sum Algorithm , 1991, EUROCRYPT.

[4]  Martin E. Hellman,et al.  Hiding information and signatures in trapdoor knapsacks , 1978, IEEE Trans. Inf. Theory.

[5]  A. Shamir A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem , 1982, FOCS 1982.

[6]  Leonid Reyzin,et al.  Finding Collisions on a Public Road, or Do Secure Hash Functions Need Secret Coins? , 2004, CRYPTO.

[7]  Mihir Bellare,et al.  Collision-Resistant Hashing: Towards Making UOWHFs Practical , 1997, CRYPTO.

[8]  Bruce Schneier One-way hash functions , 1991 .

[9]  Ivan Damgård,et al.  A Design Principle for Hash Functions , 1989, CRYPTO.

[10]  Mihir Bellare,et al.  A New Paradigm for Collision-Free Hashing: Incrementality at Reduced Cost , 1997, EUROCRYPT.

[11]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[12]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[13]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[14]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[15]  Raymond E. Miller,et al.  Complexity of Computer Computations , 1972 .

[16]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[17]  Miklós Ajtai,et al.  Generating Hard Instances of Lattice Problems , 1996, Electron. Colloquium Comput. Complex..

[18]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[19]  Ralph C. Merkle,et al.  One Way Hash Functions and DES , 1989, CRYPTO.

[20]  Victor Shoup,et al.  A Composition Theorem for Universal One-Way Hash Functions , 2000, EUROCRYPT.

[21]  Pil Joong Lee,et al.  Advances in Cryptology — ASIACRYPT 2001 , 2001, Lecture Notes in Computer Science.

[22]  Sangjin Lee,et al.  Higher Order Universal One-Way Hash Functions , 2004, ASIACRYPT.