M. Girault and J. Stern. On the length of cryptographic hash-values used in identification schemes. Lecture Notes in Computer Science 839 (1994), 202--215 (CRYPTO '94).  Home/Search   Document Not in Database   Summary   Related Articles   Check

....following we assume that H has these properties in addition to the XTSP intractability assumption. Shamir [10] and Stern [11] 12] make similar use of a hash function. If the hash function H were not collision resistant, our scheme would be vulnerable to attacks similar to those described in [2]. Shamir [10] and Stern [11] were not aware of that problem. Let be a permutation over f1; ng. W. l. o. g. we may as well define to be a permutation over f2; ng and set (1) 1. Then (A) corresponds to the distance matrix where the vertices are permuted according to , ....

M. Girault, J. Stern, On the length of cryptographic hash-values used in identification schemes, in: Proc. Crypto '94, Springer LNCS 839, 202-215.

....criteria. See for instance Preneel [31] So far, a few results have been found on the interaction of those criteria and the security of (public key) cryptographic schemes. For instance, Girault and Stern showed how hash functions provide security in most of popular identification schemes [19]. When used in digital signature schemes, we know no results about which criterion shall be considered. Here, we consider the interesting criterion of pseudorandomness . Pseudorandomness has already been considered in context with the security of pseudorandom generators in the early beginning of ....

M. Girault, J. Stern. On the length of cryptographic hash-values used in identification schemes. In Advances in Cryptology CRYPTO'94, Santa Barbara, California, U.S.A., Lectures Notes in Computer Science 839, pp. 202-- 215, Springer-Verlag, 1994.

No context found.

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202--215. Springer-Verlag, 1994.

....which could either output some substitute to the secret key or else find collisions for the hash function, with overwhelming probability. Still, we felt that it might as well be the case that one wayness was enough. Thus, results of further investigations that we undertook with Marc Girault (see [10]) came as a surprise: collision freeness is really needed. Again, the correct picture came from the joint effort of security proofs and cryptanalysis. 3.1 Brief Description of the Scheme The scheme is base on a fixed randomly generated binary matrix H of large size, m Theta n, say 256 Theta ....

....key s from the public data or else finds collisions for the hash function, with overwhelming probability. Here an acceptable key is any word s with the prescribed weight such that H(s) i U . 3. 2 Attacks Based on Collisions In order to give an abstract treatment of the work appearing in [10], we introduce the following definition: Definition6. A sample for a hash function is a subset of its possible inputs. Given two samples S 1 , S 2 for a hash function, a collision between these samples consists of x 1 2 S 1 and x 2 2 S 2 such that hx 1 i = hx 2 i. We always assume implicitly ....

[Article contains additional citation context not shown here]

Girault, M., Stern, J.: On the length of the cryptographic hash values used in identification schemes. In Advances in Cryptology -- proceedings of CRYPTO '94 (1994) vol. Lecture Notes in Computer Science 839 Springer-Verlag pp. 202--215.

....consider the practical complexity of the voting phase described is section 4. A vote consists of three ciphertexts C n , C r and C and of some proofs of 13 correctness. Some well known optimizations can be applied. For example, the commitments can be replaced by their hash values as described in [16]. Let us note jHj the size of the hashed commitments, jAj the size of the challenges and jN j the size of the modulus used in the Paillier cryptosystem. The size of a vote is exactly 4jHj 4jAj (11 9p)jN j where p is the number of candidates. Consequently, the communication complexity of ....

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202--215. Springer-Verlag, 1994.

....only a hash value. This trick can be used with our scheme. Let h be a hash function and Ih l be the size of its output. The modifications are very simple: the commitment x is replaced in the protocol by x = h(x) and the verification equation becomes x = h (gYI c rood n) Commitment hashing of [15]. Using the notion of r collision free hash functions, i.e. functions such that it is not possible to find r pairwise distinct values with the same image, Girault and Stern [15] have analyzed precisely the consequences of such a modification on the security of identification schemes. We just ....

.... replaced in the protocol by x = h(x) and the verification equation becomes x = h (gYI c rood n) Commitment hashing of [15] Using the notion of r collision free hash functions, i.e. functions such that it is not possible to find r pairwise distinct values with the same image, Girault and Stern [15] have analyzed precisely the consequences of such a modification on the security of identification schemes. We just recall the results of their study on the minimal value of I htl: if we note M the maximal number of queries to h t (for example M = 28) in a reasonable time, then Ih l must be ....

[Article contains additional citation context not shown here]

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202 215. Springer-Verlag, 1994.

....can recover SK whatever the encryption Gamma , even if the prover is dishonest and have unlimited computation power. Non interactive version and Optimizations. Many well known optimizations can be applied to the previous proof. The commitment can be replaced by its hash value as described in [14] and it can be precomputed in order to reduce the on line computation to a very simple non modular arithmetic operation. We can also reduce the size of the secret key x to about 160 bits as explained in [26] Finally, this proof can be made non interactive in order to obtain a very short ....

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202--215. Springer-Verlag, 1994.

....jAj bits exponents. 3.3 Optimized version In the interactive proof of knowledge we have described is section 3.1, we can observe that the largest part of the communication concerns the commitments x i . Using an idea of Fiat and Shamir whose security has been formalized by Girault and Stern in [13], we can replace those commitments by the hash value H(x 1 ; xK ) where H is an appropriate collision free hash function. We obtain a new scheme (see figure 2) much more efficient in term of communication than the initial one. An important consequence is that the communication complexity of ....

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202--215. Springer-Verlag, 1994.

.... commitment x is replaced by x 0 = H 0 (x) and the verifying equation becomes x 0 = H 0 (z y GammaN e mod N ) Using the notion of r collision freeness, which applies to functions for which it cannot be possible to find r pairwise distinct values with the same image, Girault and Stern [18] have analyzed precisely the consequences of such a modification on the security of identification schemes. As was already observed, all commitments can be computed off line, by the individual device or by an authority. In fact, we just have to compute and keep in memory coupons of the form (r; H ....

Girault, M., and Stern, J. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94 (1994), LNCS 839, Springer-Verlag, pp. 202--215.

....r (n) 2 . Setting ffl = n) 2 and observing that 10= ffl) 3 is polynomially bounded, we see that a vertex with three sons will be found with overwhelming probability by operating P only a polynomial number of times. Remark. The hypothesis on the hash function is really needed. In [13], Marc Girault and the author have shown that, if collisions can be efficiently produced, then very dangerous attacks against the scheme can be mounted. In more practical terms, this has the consequence that 64 bit hash values cannot be considered. 3.3 The simulation property We now turn to the ....

M. Girault and J. Stern. On the length of cryptographic hash values used in identification schemes, Proceedings of Crypto 94, Lecture Notes in Computer Science 839, 202--215.

.... t is replaced in the protocol by t 0 = h 0 (t) and the verification equation becomes t 0 = h 0 (g y v c mod n) Using the notion of r collision free hash functions, i.e. functions such that it is not possible to find r pairwise distinct values with the same image, Girault and Stern [8] have analyzed precisely the consequences of such a modification on the security of identification schemes. We just recall the results of their study on the minimal value of jh 0 j: if we note m the maximal number of queries to h 0 (for example m = 2 64 ) in a reasonable time, then jh 0 j ....

....to h 0 (for example m = 2 64 ) in a reasonable time, then jh 0 j must be greater than 128 Theta m and than (2m r =r ) 1=r Gamma1 . Furthermore, k must be increased to k 0 = k Theta (r Gamma 1) in order to keep the same level of security (1=k ) All the details can be found in [8] and the tables below presents numerical results. m = 2 64 r 2 3 4 8 9 jh 0 j 128 96 85 72 71 m = 2 80 r 2 3 4 5 9 10 jh 0 j 160 120 106 99 88 87 Furthermore, we have already observed that the commitments can be computed off line, by the individual device or by an authority. In fact, ....

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202--215. Springer-Verlag, 1994.

No context found.

M. Girault and J. Stern. On the length of cryptographic hash-values used in identification schemes. Lecture Notes in Computer Science 839 (1994), 202--215 (CRYPTO '94).

No context found.

Marc Girault and Jacques Stern. On the length of cryptographic hash-values used in identification schemes. In Yvo Desmedt, editor, Advances in Cryptology -- CRYPTO'94, volume 839 of Lecture Notes in Computer Science, pages 202--215. Springer-Verlag, August 1994.

No context found.

M. Girault and J. Stern. On the length of cryptographic hash-values used in identification schemes. In Advances in Cryptology - CRYPTO '94, LNCS 839, pp. 202-215, SpringerVerlag, 1994.

No context found.

M. Girault and J. Stern. On the Length of Cryptographic Hash-Values used in Identification Schemes. In Crypto '94, LNCS 839, pages 202--215. Springer-Verlag, Berlin, 1994.

No context found.

M.Girault, J.Stern, "On the length of cryptographic hash-values used in identification schemes", Lecture Notes in Computer Science 839, Advances in Cryptology: Proc. Crypto '94, Springer Verlag, (1994), pp. 202 -- 215.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC