Methods for Collisions in Some Algebraic Hash Functions

This paper focuses on devising methods for producing collisions in algebraic hash functions that may be seen as generalized forms of the well-known Z\'emor and Tillich-Z\'emor hash functions. In contrast to some of the previous approaches, we attempt to construct collisions in a structured and deterministic manner by constructing messages with triangular or diagonal hashes messages. Our method thus provides an alternate deterministic approach to the method for finding triangular hashes. We also consider the generalized Tillich-Z\'emor hash functions over ${\mathbb{F}_p}^k$ for $p\neq 2$, relating the generator matrices to a polynomial recurrence relation, and derive a closed form for any arbitrary power of the generators. We then provide conditions for collisions, and a method to maliciously design the system so as to facilitate easy collisions, in terms of this polynomial recurrence relation. Our general conclusion is that it is very difficult in practice to achieve the theoretical collision conditions efficiently, in both the generalized Z\'emor and the generalized Tillich-Z\'emor cases. Therefore, although the techniques are interesting theoretically, in practice the collision-resistance of the generalized Z\'emor functions is reinforced

Cayley hashing with cookies

Cayley hash functions are based on a simple idea of using a pair of semigroup elements, $A$ and $B$, to hash the 0 and 1 bit, respectively, and then to hash an arbitrary bit string in the natural way, by using multiplication of elements in the semigroup. The main advantage of Cayley hash functions compared to, say, hash functions in the SHA family is that when an already hashed document is amended, one does not have to hash the whole amended document all over again, but rather hash just the amended part and then multiply the result by the hash of the original document. Some authors argued that this may be a security hazard, specifically that this property may facilitate finding a second preimage by splitting a long bit string into shorter pieces. In this paper, we offer a way to get rid of this alleged disadvantage and keep the advantages at the same time. We call this method ``Cayley hashing with cookies using terminology borrowed from the theory of random walks in a random environment. For the platform semigroup, we use $2\times 2$ matrices over $F_p$

Hardware Implementations of a Variant of the Zémor-Tillich Hash Function: Can a Provably Secure Hash Function be very efficient ?

Hash functions are widely used in Cryptography, and hardware implementations of hash functions are of interest in a variety of contexts such as speeding up the computations of a network server or providing authentication in small electronic devices such as RFID tags. Provably secure hash functions, the security of which relies on the hardness of a mathematical problem, are particularly appealing for security, but they used to be too inefficient in practice. In this paper, we study the efficiency in hardware of ZT\u27, a provably secure hash function based on the Zémor-Tillich hash function. We consider three kinds of implementations targeting a high throughput and a low area in different ways. We first present a high-speed implementation of ZT\u27 on FPGA that is nearly half as efficient as state-of-the-art SHA implementations in terms of throughput per area. We then focus on area reduction and present an ASIC implementation of ZT\u27 with much smaller area costs than SHA-1 and even than SQUASH, which was specially designed for low-cost RFID tags. Between these two extreme implementations, we show that the throughput and area can be traded with a lot of flexibility. Finally, we show that the inherent parallelism of ZT\u27 makes it particularly suitable for applications requiring high speed hashing of very long messages. Our work, together with existing reasonably efficient software implementations, shows that this variant of the Zémor-Tillich hash function is in fact very practical for a wide range of applications, while having a security related to the hardness of a mathematical problem and significant additional advantages such as scalability and parallelism

SL2 homomorphic hash functions: Worst case to average case reduction and short collision search

We study homomorphic hash functions into SL(2,q), the 2x2 matrices with determinant 1 over the field with $q$ elements. Modulo a well supported number theoretic hypothesis, which holds in particular for concrete homomorphisms proposed thus far, we provide a worst case to average case reduction for these hash functions: upto a logarithmic factor, a random homomorphism is as secure as _any_ concrete homomorphism. For a family of homomorphisms containing several concrete proposals in the literature, we prove that collisions of length O(log(q)) can be found in running time O(sqrt(q)). For general homomorphisms we offer an algorithm that, heuristically and according to experiments, in running time O(sqrt(q)) finds collisions of length O(log(q)) for q even, and length O(log^2(q)/loglog(q))$ for arbitrary q. While exponetial time, our algorithms are faster in practice than all earlier generic algorithms, and produce much shorter collisions

An algebraic hash function based on SL2

Cryptographic hash functions are fundamental building blocks of many computer security systems and protocols, primarily being used to ensure data integrity. Recent attacks against modern hash functions have questioned the suitability of standard hash function construction principles. In this paper we consider a hash function construction based multiplication in the group of 2 x 2 matrices over a finite field proposed by Zemor and Tillich [48, 42, 43]. We also look at how the algebraic properties of hash functions following this design can be exploited in attacks. Finally, we consider variations to the approach of Zemor and Tillich that offer some resistance to those attacks