Optimal Security for Keyed Hash Functions: Avoiding Time-Space Tradeoffs for Finding Collisions

Cody Freitag; Ashrujit Ghoshal; Ilan Komargodski

Paper 2023/348

Optimal Security for Keyed Hash Functions: Avoiding Time-Space Tradeoffs for Finding Collisions

Cody Freitag

, Cornell Tech

Ashrujit Ghoshal

, University of Washington

Ilan Komargodski

, Hebrew University of Jerusalem, NTT Research

Abstract

Cryptographic hash functions map data of arbitrary size to a fixed size digest, and are one of the most commonly used cryptographic objects. As it is infeasible to design an individual hash function for every input size, variable-input length hash functions are built by designing and bootstrapping a single fixed-input length function that looks sufficiently random. To prevent trivial preprocessing attacks, applications often require not just a single hash function but rather a family of keyed hash functions. The most well-known methods for designing variable-input length hash function families from a fixed idealized function are the Merkle-Damgård and Sponge designs. The former underlies the SHA-1 and SHA-2 constructions and the latter underlies SHA-3. Unfortunately, recent works (Coretti et al. EUROCRYPT 2018, Coretti et al. CRYPTO 2018) show non-trivial time-space tradeoff attacks for finding collisions for both. Thus, this forces a parameter blowup (i.e., efficiency loss) for reaching a certain desired level of security. We ask whether it is possible to build families of keyed hash functions which are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions, without incurring significant efficiency costs. We present several new constructions of keyed hash functions that are provably resistant to any non-trivial time-space tradeoff attacks for finding collisions. Our constructions provide various tradeoffs between their efficiency and the range of parameters where they achieve optimal security for collision resistance. Our main technical contribution is proving optimal security bounds for converting a hash function with a fixed-sized input to a keyed hash function with (potentially larger) fixed-size input. We then use this keyed function as the underlying primitive inside the standard MD and Merkle tree constructions. We strongly believe that this paradigm of using a keyed inner hash function in these constructions is the right one, for which non-uniform security has not been analyzed prior to this work.

Metadata

Available format(s): PDF
Category: Foundations
Publication info: A major revision of an IACR publication in EUROCRYPT 2023
Keywords: Time-space tradeoffs collision-resistance AI-ROM iterative hashing
Contact author(s): cfreitag @ cs cornell edu
ashrujit @ cs washington edu
ilank @ cs huji ac il
History: 2023-03-15: approved; 2023-03-09: received; See all versions
Short URL: https://ia.cr/2023/348
License: CC BY

BibTeX

@misc{cryptoeprint:2023/348,
      author = {Cody Freitag and Ashrujit Ghoshal and Ilan Komargodski},
      title = {Optimal Security for Keyed Hash Functions: Avoiding Time-Space Tradeoffs for Finding Collisions},
      howpublished = {Cryptology ePrint Archive, Paper 2023/348},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/348}},
      url = {https://eprint.iacr.org/2023/348}
}