Very smooth hash
In cryptography, Very Smooth Hash is a secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra and Ron Steinfeld.
Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per log message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.
Two major variants of VSH were proposed. For one, finding a collision is as difficult as finding a nontrivial modular square root of a very smooth number modulo n. The other one uses a prime modulus p, and its security proof relies on the hardness of finding discrete logarithms of very smooth numbers modulo p. Both versions have similar efficiency.
VSH is not suitable as a substitute for a random oracle, but can be used to build a secure randomized trapdoor hash function. This function can replace the trapdoor function used in the Cramer–Shoup signature scheme, maintaining its provable security while speeding up verification time by about 50%.
VSN and VSSR
All cryptographic hash functions that are now widely used are not based on hard mathematical problems. Those few functions that are constructed on hard mathematical problems are called provably secure. Finding collisions is then known to be as hard as solving the hard mathematical problem. For the basic version of Very Smooth Hash function, this hard problem is to find modular square roots of certain special numbers. This is assumed to be as hard as factoring integers.For a fixed constant c and n an integer m is a Very Smooth Number if the largest prime factor of m is at most c.
An integer b is a Very Smooth Quadratic Residue modulo n if the largest prime in bs factorization is at most c and there exists an integer x such that. The integer x is said to be a Modular Square Root of b.
We are interested only in non-trivial square roots, those where x2 ≥ n. If x2 < n, the root can be easily computed using algorithms from fields of characteristics 0, such as real field. Therefore, they are not suitable in cryptographic primitives.
Very Smooth Number Nontrivial Modular Square Root is the following problem: Let n be the product of two unknown primes of approximately the same size and let. Let be the sequence of primes. VSSR is the following problem: Given n, find such that and at least one of e0,...,ek is odd.
The VSSR assumption is that there is no probabilistic polynomial time algorithm which solves VSSR with non-negligible probability. This is considered a useless assumption for practice because it does not tell for what size of moduli VSSR is computationally hard. Instead The computational VSSR assumption' is used. It says that solving VSSR is assumed to be as hard as factoring a hard-to-factor bit modulus, where is somewhat smaller than the size of.
Examples of VSN and VSSR
Let the parameters be fixed as follows: and.Then is a Very Smooth Number with respect to these parameters because is greater than all 's prime factors. On the other hand, is not a VSN under and.
The integer is Very Smooth Quadratic Residue modulo because it is Very Smooth Number and we have such that . This is a trivial modular square root, because and so the modulus is not involved when squaring.
The integer is also Very Smooth Quadratic Residue modulo. All prime factors are smaller than 7.37 and the Modular Square Root is since . This is thus a non-trivial root. The VSSR problem is to find given and. And we suppose that this is computationally as hard as factoring.
VSH algorithm, basic versions
Let be a large RSA composite and let the sequence of primes. Let, the block length, be the largest integer such that. Let be an -bit message to be hashed consisting of bits and assume that. To compute the hash of :- x0 = 1
- Let, the smallest integer greater or equal to, be the number of blocks. Let for
- Let with be the binary representation of the message length and define for.
- for j = 0, 1,..., L in succession compute
- return xL + 1.
Properties of VSH
- The message length does not need to be known in advance.
- Finding a collision in VSH is as hard as solving VSSR. Thus VSH is collision-resistant, which also implies second preimage resistance. VSH has not been proven to be preimage-resistant.
- The compression function is not collision-resistant. Nonetheless, the hash function VSH is collision-resistant based on the VSSR assumption. An altered version of VSH, called VSH*, uses a collision-resistant compression function and is about 5 times quicker when hashing short messages.
- Since the output length of VSH is the length of a secure RSA modulus, VSH seems quite suitable in practice for constructing "hash-then-sign" RSA signatures for arbitrarily long messages. However, such a signature must be designed carefully to ensure its security. The naive approach could be easily broken under CPA.
- Efficiency: The cost of each iteration is less than the cost of 3 modular multiplications. The basic version of VSH altogether requires single multiplication per message bits.
Variants of VSH
- Cubing VSH.
- VSH with increased number of small primes.
- VSH with precomputed products of primes.
- Fast VSH.
- Fast VSH with increased block length.
VSDL and VSH-DL variant
Very Smooth Number Discrete Logarithm is a problem where given a very smooth number, we want to find its discrete logarithm modulo some number n.
Similarly as in previous section, by we denote the -th prime. Let furthermore be a fixed constant and, be primes with and let. VSDL is the following problem: given, find integers such that with for and at least one of non-zero.
The VSDL assumption is that there is no probabilistic polynomial time algorithm which solves VSDL with non-negligible probability. There is a strong connection between the hardness of VSDL and the hardness of computing discrete logarithm modulo, which is reminiscent of, but somewhat weaker than, the connection between VSSR and integer factorization.
Security of VSH
Strong collision resistance is the only property proven for VSH. This does not imply preimage-resistance or otherimportant hash function properties, and the authors state that "VSH should not be used to model random oracles," and cannot be substituted into constructions that depend upon them. VSH should not be considered a general-purpose hash function as usually understood in security engineering.
Multiplicative property
VSH is multiplicative: Let x, y, and z be three bit strings of equal length, where zconsists only of zero bits and the strings satisfy x AND y = z. It is easy to see that
HH ≡ HH . As a result, VSH succumbs to a classical time-memory
trade-off attack that applies to multiplicative and additive hashes.
This fact can be used to construct a preimage attack against VSH of bits which has complexity rather than as expected.
Attack against truncated version
VSH produces a very long hash. There are no indications thata truncated VSH hash offers security that is commensurate with the hash length.
There exists a partial collision attack on VSH truncated to least significant l bits.
The complexity of this attack against VSH is:
- Pre-computing the table offline: time and space.
- Finding collisions: iterations.
- Total cost: roughly, rather than as expected from a hash function with good pseudorandomness properties.