On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing

Ashrujit Ghoshal; Ilan Komargodski

doi:10.1007/978-3-031-15982-4_6

On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing

Ashrujit Ghoshal^*, Ilan Komargodski

^*Corresponding author for this work

The Rachel and Selim Benin School of Engineering and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

7 Scopus citations

Abstract

We study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damgård (MD) hashing in the random oracle model. Specifically, we consider adversaries with arbitrary S-bit advice about the random oracle and can make at most T queries to it. Our goal is to characterize the advantage of such adversaries in finding a B-block collision in an MD hash function constructed using the random oracle with range size N as the compression function (given a random salt). The answer to this question is completely understood for very large values of B (essentially Ω(T) ) as well as for B= 1, 2. For B≈ T, Coretti et al. (EUROCRYPT ’18) gave matching upper and lower bounds of Θ~ (ST²/ N). Akshima et al. (CRYPTO ’20) observed that the attack of Coretti et al. could be adapted to work for any value of B> 1, giving an attack with advantage Ω~ (STB/ N+ T²/ N). Unfortunately, they could only prove that this attack is optimal for B= 2. Their proof involves a compression argument with exhaustive case analysis and, as they claim, a naive attempt to generalize their bound to larger values of B (even for B= 3 ) would lead to an explosion in the number of cases needed to be analyzed, making it unmanageable. With the lack of a more general upper bound, they formulated the STB conjecture, stating that the best-possible advantage is O~ (STB/ N+ T²/ N) for any B> 1. In this work, we confirm the STB conjecture in many new parameter settings. For instance, in one result, we show that the conjecture holds for all constant values of B. Further, using combinatorial properties of graphs, we are able to confirm the conjecture even for super constant values of B, as long as some restriction is made on S. For instance, we confirm the conjecture for all B⩽ T^{1 / 4} as long as S⩽ T^{1 / 8}. Technically, we develop structural characterizations for bounded-length collisions in MD hashing that allow us to give a compression argument in which the number of cases needed to be handled does not explode.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings
Editors	Yevgeniy Dodis, Thomas Shrimpton
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	161-191
Number of pages	31
ISBN (Print)	9783031159817
DOIs	https://doi.org/10.1007/978-3-031-15982-4_6
State	Published - 2022
Event	42nd Annual International Cryptology Conference, CRYPTO 2022 - Santa Barbara, United States Duration: 15 Aug 2022 → 18 Aug 2022

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13509 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	42nd Annual International Cryptology Conference, CRYPTO 2022
Country/Territory	United States
City	Santa Barbara
Period	15/08/22 → 18/08/22

Bibliographical note

Publisher Copyright:
© 2022, International Association for Cryptologic Research.

Access to Document

10.1007/978-3-031-15982-4_6

Cite this

Ghoshal, A., & Komargodski, I. (2022). On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing. In Y. Dodis, & T. Shrimpton (Eds.), Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings (pp. 161-191). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13509 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-15982-4_6

Ghoshal, Ashrujit ; Komargodski, Ilan. / On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing. Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. editor / Yevgeniy Dodis ; Thomas Shrimpton. Springer Science and Business Media Deutschland GmbH, 2022. pp. 161-191 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{07fcdf2a96784834a5fff2c1e12ba10b,

title = "On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damg{\aa}rd Hashing",

abstract = "We study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damg{\aa}rd (MD) hashing in the random oracle model. Specifically, we consider adversaries with arbitrary S-bit advice about the random oracle and can make at most T queries to it. Our goal is to characterize the advantage of such adversaries in finding a B-block collision in an MD hash function constructed using the random oracle with range size N as the compression function (given a random salt). The answer to this question is completely understood for very large values of B (essentially Ω(T) ) as well as for B= 1, 2. For B≈ T, Coretti et al. (EUROCRYPT {\textquoteright}18) gave matching upper and lower bounds of Θ~ (ST2/ N). Akshima et al. (CRYPTO {\textquoteright}20) observed that the attack of Coretti et al. could be adapted to work for any value of B> 1, giving an attack with advantage Ω~ (STB/ N+ T2/ N). Unfortunately, they could only prove that this attack is optimal for B= 2. Their proof involves a compression argument with exhaustive case analysis and, as they claim, a naive attempt to generalize their bound to larger values of B (even for B= 3 ) would lead to an explosion in the number of cases needed to be analyzed, making it unmanageable. With the lack of a more general upper bound, they formulated the STB conjecture, stating that the best-possible advantage is O~ (STB/ N+ T2/ N) for any B> 1. In this work, we confirm the STB conjecture in many new parameter settings. For instance, in one result, we show that the conjecture holds for all constant values of B. Further, using combinatorial properties of graphs, we are able to confirm the conjecture even for super constant values of B, as long as some restriction is made on S. For instance, we confirm the conjecture for all B⩽ T1 / 4 as long as S⩽ T1 / 8. Technically, we develop structural characterizations for bounded-length collisions in MD hashing that allow us to give a compression argument in which the number of cases needed to be handled does not explode.",

author = "Ashrujit Ghoshal and Ilan Komargodski",

note = "Publisher Copyright: {\textcopyright} 2022, International Association for Cryptologic Research.; 42nd Annual International Cryptology Conference, CRYPTO 2022 ; Conference date: 15-08-2022 Through 18-08-2022",

year = "2022",

doi = "10.1007/978-3-031-15982-4_6",

language = "אנגלית",

isbn = "9783031159817",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "161--191",

editor = "Yevgeniy Dodis and Thomas Shrimpton",

booktitle = "Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings",

address = "גרמניה",

}

Ghoshal, A & Komargodski, I 2022, On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing. in Y Dodis & T Shrimpton (eds), Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13509 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 161-191, 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, United States, 15/08/22. https://doi.org/10.1007/978-3-031-15982-4_6

On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing. / Ghoshal, Ashrujit; Komargodski, Ilan.
Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. ed. / Yevgeniy Dodis; Thomas Shrimpton. Springer Science and Business Media Deutschland GmbH, 2022. p. 161-191 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13509 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing

AU - Ghoshal, Ashrujit

AU - Komargodski, Ilan

PY - 2022

Y1 - 2022

N2 - We study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damgård (MD) hashing in the random oracle model. Specifically, we consider adversaries with arbitrary S-bit advice about the random oracle and can make at most T queries to it. Our goal is to characterize the advantage of such adversaries in finding a B-block collision in an MD hash function constructed using the random oracle with range size N as the compression function (given a random salt). The answer to this question is completely understood for very large values of B (essentially Ω(T) ) as well as for B= 1, 2. For B≈ T, Coretti et al. (EUROCRYPT ’18) gave matching upper and lower bounds of Θ~ (ST2/ N). Akshima et al. (CRYPTO ’20) observed that the attack of Coretti et al. could be adapted to work for any value of B> 1, giving an attack with advantage Ω~ (STB/ N+ T2/ N). Unfortunately, they could only prove that this attack is optimal for B= 2. Their proof involves a compression argument with exhaustive case analysis and, as they claim, a naive attempt to generalize their bound to larger values of B (even for B= 3 ) would lead to an explosion in the number of cases needed to be analyzed, making it unmanageable. With the lack of a more general upper bound, they formulated the STB conjecture, stating that the best-possible advantage is O~ (STB/ N+ T2/ N) for any B> 1. In this work, we confirm the STB conjecture in many new parameter settings. For instance, in one result, we show that the conjecture holds for all constant values of B. Further, using combinatorial properties of graphs, we are able to confirm the conjecture even for super constant values of B, as long as some restriction is made on S. For instance, we confirm the conjecture for all B⩽ T1 / 4 as long as S⩽ T1 / 8. Technically, we develop structural characterizations for bounded-length collisions in MD hashing that allow us to give a compression argument in which the number of cases needed to be handled does not explode.

AB - We study the power of preprocessing adversaries in finding bounded-length collisions in the widely used Merkle-Damgård (MD) hashing in the random oracle model. Specifically, we consider adversaries with arbitrary S-bit advice about the random oracle and can make at most T queries to it. Our goal is to characterize the advantage of such adversaries in finding a B-block collision in an MD hash function constructed using the random oracle with range size N as the compression function (given a random salt). The answer to this question is completely understood for very large values of B (essentially Ω(T) ) as well as for B= 1, 2. For B≈ T, Coretti et al. (EUROCRYPT ’18) gave matching upper and lower bounds of Θ~ (ST2/ N). Akshima et al. (CRYPTO ’20) observed that the attack of Coretti et al. could be adapted to work for any value of B> 1, giving an attack with advantage Ω~ (STB/ N+ T2/ N). Unfortunately, they could only prove that this attack is optimal for B= 2. Their proof involves a compression argument with exhaustive case analysis and, as they claim, a naive attempt to generalize their bound to larger values of B (even for B= 3 ) would lead to an explosion in the number of cases needed to be analyzed, making it unmanageable. With the lack of a more general upper bound, they formulated the STB conjecture, stating that the best-possible advantage is O~ (STB/ N+ T2/ N) for any B> 1. In this work, we confirm the STB conjecture in many new parameter settings. For instance, in one result, we show that the conjecture holds for all constant values of B. Further, using combinatorial properties of graphs, we are able to confirm the conjecture even for super constant values of B, as long as some restriction is made on S. For instance, we confirm the conjecture for all B⩽ T1 / 4 as long as S⩽ T1 / 8. Technically, we develop structural characterizations for bounded-length collisions in MD hashing that allow us to give a compression argument in which the number of cases needed to be handled does not explode.

UR - http://www.scopus.com/inward/record.url?scp=85141693814&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-15982-4_6

DO - 10.1007/978-3-031-15982-4_6

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85141693814

SN - 9783031159817

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 161

EP - 191

BT - Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings

A2 - Dodis, Yevgeniy

A2 - Shrimpton, Thomas

PB - Springer Science and Business Media Deutschland GmbH

T2 - 42nd Annual International Cryptology Conference, CRYPTO 2022

Y2 - 15 August 2022 through 18 August 2022

ER -

Ghoshal A, Komargodski I. On Time-Space Tradeoffs for Bounded-Length Collisions in Merkle-Damgård Hashing. In Dodis Y, Shrimpton T, editors, Advances in Cryptology – CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 161-191. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-15982-4_6