Department of Electrical Engineering, IIT Bombay
September 13, 2023
Used to build hash tables — key-value stores with \mathcal{O}(1) lookup time
Example: Multiplicative hashing
A function f: \{0,1\}^{768} \times \{0,1\}^{256} \rightarrow \{0,1\}^{256} is used. It is called the compression function
Padded input is split into N 512-bit blocks M^{(1)}, M^{(2)}, \ldots, M^{(N)}
Given H^{(i-1)}, the next H^{(i)} is calculated as \begin{equation*} H^{(i)} = f(M^{(i)}, H^{(i-1)}), \quad 1 \le i \le N. \end{equation*}
H^{(N)} is the output of SHA-256 for input M
A hash function is a deterministic function H : \{0,1\}^* \rightarrow \{0,1\}^l
For any such H, there is always a constant-time algorithm that outputs a collision
In practice, finding a colliding pair may be hard but we cannot define collision resistance for all PPT adversaries
We define keyed hash functions are used as a workaround
A hash function with output length l(n) is a pair of PPT algorithms (\textsf{Gen}, H) such that
If H^s is defined only for inputs x of length l'(n) > l(n), then we call H a compression function
For hash function \mathcal{H} = (\textsf{Gen}, H) and adversary \mathcal{A}, consider the following experiment \textsf{Hash-coll}_{\mathcal{A}, \mathcal{H}}(n)
Security requirements weaker than collision resistance
Commitment schemes allow a user to commit to a secret that can be revealed at a later time
A commitment scheme is a pair of PPT algorithms (\textsf{Gen}, \textsf{Com})
The committer creates \textsf{com} and sends it to a receiver
The committer can later reveal m by sending m and r to the receiver
The receiver can verify the commitment by checking that \textsf{com} = \textsf{Com}(\textsf{params}, m; r)
Proposed in 1997 to combat email spam
Suppose a client wants to send an email to an email server
Client and server agree upon a hash function H
Email server sends the client a challenge string c
Client needs to find a string r such that H(c \| r) begins with k zeros
Server accepts the email only if the client finds such an r
If H is modeled as a random function, the probability of success in a single trial is \frac{1}{2^k}
Around 2^k trials are required to find a satisfactory r
The r corresponding to c is a proof-of-work (PoW)
PoW is difficult to generate but easy to verify
Demo
Sections 6.1, 6.3.1, 6.6 of Katz and Lindell