O. Goldreich, S. Goldwasser, and S. Halevi. Collision-Free Hashing from Lattice Problems. ECCC TR-42, 1996.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....leading to MSet VAdd Hash, is Theorem 3 proving that we may replace multiplication in the nite eld by vector addition modulo a large integer. In [BM97] a similar theorem is used for message hashing. Our theorem (and their theorem) follows directly from application of Ajtai s theorem [GGH96,Ajt96] Our nal signi cant contribution is that we introduce an o ine checker that is cryptographically secure and which improves on the performance of the o ine checker in 91] 3 Multiset Hash Functions This section describes multiset hash functions. We rst introduce multisets. We refer ....

....ne M b H(b) mod n; H to be equal to = and H to be vector addition modulo n. Theorem 6 holds again if we modify the WK assumption by replacing x i ZZ q by x i ZZ n , w i 2 ZZ q by w i 2 ZZ n , and q by n. The main di erence is that the x i s are vectors of length l = m. According to [GGH96, Sections 2.1 and 2.2] if there is a ppt solving the modi ed WK problem (that is it contradicts the modi ed WK assumption) then, by Ajtai s theorem [Ajt96] there is a probabilistic polynomial (in l) algorithm which, for any lattice L in IR , given an arbitrary basis of L, approximates ....

[Article contains additional citation context not shown here]

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. In Theory of Cryptography Libary (http://theory.lcs.mit.edu/~tcryptol) 96-09, July 1996.

....leading to MSet VAdd Hash, is Theorem 3 proving that we may replace multiplication in the finite field by vector addition modulo a large integer. In [BM97] a similar theorem is used for message hashing. Our theorem (and their theorem) follows directly from application of Ajtai s theorem [GGH96,Ajt96] Our final significant contribution is that we introduce an o#ine checker that is cryptographically secure and which improves on the performance of the o#ine checker in 91] 3 Multiset Hash Functions This section describes multiset hash functions. We first introduce multisets. We ....

....M b H(b) mod n, to be equal to = and H to be vector addition modulo n. Theorem 6 holds again if we modify the WK assumption by replacing x i ZZ q by x i n , w i ZZ q by w i ZZ n , and q by n. The main di#erence is that the x i s are vectors of length l = # m. According to [GGH96, Sections 2.1 and 2.2] if there is a ppt solving the modified WK problem (that is it contradicts the modified WK assumption) then, by Ajtai s theorem [Ajt96] there is a probabilistic polynomial (in l) algorithm which, for any lattice in IR , given an arbitrary basis of L, ....

[Article contains additional citation context not shown here]

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. In Theory of Cryptography Libary (http://theory.lcs.mit.edu/tcryptol) 96-09, July 1996.

....security is based on O(n ) uSVP. In [1] Ajtai presented a one way function based on the worst case hardness of several lattice problems. In terms of the uSVP, it was based on the hardness of O(n ) uSVP. The constant c was not explicitly speci ed but later it was noted to be c = 19 [4] In [7], it was shown that under the same assumptions one can obtain collision resistant hash functions. These are stronger primitives than one way functions with many uses in cryptography. Cai and Nerurkar [5] improved Institute for Advanced Study, Princeton, NJ. E Mail: odedr ias.edu. Research ....

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. In ECCCTR: Electronic Colloquium on Computational Complexity, technical reports, 1996.

....hash functions [21] Since this class of subset sum problem is hard on average (assuming the worst case lattice problems are difficult for dimension n) the Impagliazzo and Naor construction yields a family of universal one way hash functions. In a related note, Goldreich, Goldwasser, and Halevi [13] observed that these hash functions are actually collision intractable. Specifically, they show that if M is a random matrix in Z n Thetam q , then finding collisions of the function h(x) Mx mod q is hard provided a slight modification of Ajtai s random lattice problem is hard. The ....

O. Goldreich, S. Goldwasser, and S. Halevi, Collision-Free Hashing from Lattice Problems, Electronic Colloquium on Computational Complexity TR96-042, http://www.eccc.unitrier. de/eccc-local/Lists/TR-1996.html

....within a given distance is NP complete. The interested reader may find more detailed information about these and other related problems in [ABSS] or [V2] 5. The motivation for proving that to find short vectors in lattices is hard, in some sense, comes partly from cryptography. See [Ajt] AD] [GGH1], GGH2] There are cryptosystems whose security is based on the assumtpion that to find short vectors in lattices is computationally infeasible. Since these assumptions imply the hardness of even an approximation of the shortest vector utpo a polynomial factor, we cannot really hope to prove ....

O. Goldreich, S. Goldwasser, S. Halevi, Collision-free hashing from lattice problems, Electronic Colloquium, 1996, on Computational Complexity, http://www.eccc.unitrier. de/eccc/ 32

.... for h include the more efficient MD4 [23] MD5 [24] or SHA [22] collisions for MD4 and for the compress function of MD5 were found by Dobbertin [10] 11] and functions based on a computational hardness assumption such as the hardness of discrete log [9] 8] 5] 3 and subset sum [15] [13] (these are much less efficient) Remark IV.2: Note that an explicit serial number is not needed. Instead, any string that is easily computed from the certificate (e.g. hash of the certificate) and uniquely identifies the certificate may be used. Remark IV.3: It is possible to use a family of ....

O. Goldreich, S. Goldwasser, and S. Halevi, Collision-Free Hashing from Lattice Problems, ECCC, TR96-042, 1996. http://www.eccc.uni-trier.de/eccc/

.... Possible choices for h include the more efficient MD4 [22] MD5 [23] or SHA [21] collisions for MD4 and for the compress function of MD5 were found by Dobbertin [9, 10] and functions based on a computational hardness assumption such as the hardness of discrete log [8, 7, 4] 2 and subset sum [14, 12] (these are much less efficient) Remark 4.2 Note that an explicit serial number is not needed. Instead, any string that is easily computed from the certificate (e.g. hash of the certificate) may be used. Remark 4.3 It is possible to use a family of universal one way hash functions, U , instead ....

O. Goldreich, S. Goldwasser, and S. Halevi. "Collision-Free Hashing from Lattice Problems ". ECCC, TR96-042, 1996. http://www.eccc.uni-trier.de/eccc/

....arising from cryptography. The narrowness of the remaining options has often been cited as a potential fragility of public key cryptography. Recently, Ajtai [1] found a surprising worst case average case connection for certain lattice problems, which caused a revival of knapsack based cryptography [3, 16, 15, 19, 5]. In particular, two lattice based public key cryptosystems have received wide attention: the Ajtai Dwork cryptosystem (AD) 3] and the Goldreich Goldwasser Halevi cryptosystem (GGH) 16] The AD scheme has a fascinating property: it is provably secure unless some worst case lattice problem can be ....

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Available at [10] as TR96-056., 1996.

No context found.

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-Free Hashing from Lattice Problems. ECCC TR-42, 1996.

No context found.

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Technical Report TR96-056, Electronic Colloquium on Computational Complexity (ECCC), 1996.

No context found.

O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. In Theory of Cryptography Library 96-09, July 1996.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC