Abstract
There is a well-known gap between second-preimage resistance and preimage resistance for length-preserving hash functions. This paper introduces a simple concept that fills this gap. One consequence of this concept is that tight reductions can remove interactivity for multi-target length-preserving preimage problems, such as the problems that appear in analyzing hash-based signature systems. Previous reduction techniques applied to only a negligible fraction of all length-preserving hash functions, presumably excluding all off-the-shelf hash functions.
Author list in alphabetical order; see https://www.ams.org/profession/leaders/culture/CultureStatement04.pdf. This work was supported by the U.S. National Science Foundation under grant 1314919, by the Cisco University Research Program, and by DFG Cluster of Excellence 2092 “CASA: Cyber Security in the Age of Large-Scale Adversaries”. “Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation” (or other funding agencies). Permanent ID of this document: 36ecc3ad6d0fbbe65ce36226c2e3eb875351f326. Date: 2019.09.12.
A Some Single-Variable Functions
This appendix proves features of some functions used in the proofs of theorems in Sect. 3. The proofs in this appendix are split into small lemmas to support verification, and proofs of the lemmas appear in the full version online. The notation \(\mathbf{R}_{>0}\) means the set of positive real numbers.
Lemma 39
If \(x\ne 0\) then \(e^{x}>1+x\).
Lemma 40
Any \(x\in \mathbf{R}\) has \(e^{x}-2x\ge 2-2\log 2>0\).
Lemma 41
If \(x>0\) then \(e^{x}-1+x-x^2>0\).
Lemma 42
Define \(\varphi _1(x)=x(e^{x}-1)/(e^{x}-x)\). Then \(\varphi _1\) is increasing, and maps \(\mathbf{R}_{>0}\) bijectively to \(\mathbf{R}_{>0}\).
Lemma 43
If \(x\ne 0\) then \(e^{x}+e^{-x}>2\).
Lemma 44
If \(x>0\) then \(e^{x}-e^{-x}-2x>0\).
Lemma 45
If \(x>0\) then \(e^{x}+e^{-x}-2-x^2>0\).
Lemma 46
Define \(\varphi _2(x)=x(e^{x}-1)/(e^{x}-1-x)\) for \(x>0\). Then \(\varphi _2\) is increasing, and maps \(\mathbf{R}_{>0}\) bijectively to \(\mathbf{R}_{>2}\).
Lemma 47
The ratio \((e-1)^{1-x}/x^x(1-x)^{1-x}\) for \(0<x<1\) increases for \(0<x<1/e\), has maximum value \(e\) at \(x=1/e\), and decreases for \(1/e<x<1\).
Lemma 48
The maximum value of \(1/(2x-1)^{2x-1}(1-x)^{2(1-x)}2^{1-x}\) for \(1/2<x<1\) is \(1+\sqrt{2}\).
Lemma 49
Define \(\varphi _5(x)=xe^{x}-e^{x}+1\). Then \(\varphi _5\) decreases for \(x<0\), has minimum value 0 at \(x=0\), and increases for \(x>0\).
Lemma 50
Let \(x\) be a positive real number. Define \(y=e^{x}-1-x\) and \(z=1/(x+x^2/y)\); then \(0<z<1/2\). Define \(\gamma =y^z/x z^z(1-z)^{1-z}\); then \(\gamma \le e-1\).
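A numerical sanity check of Lemmas 42, 46, 47, 48 and 50, added here as an example: it is not the authors' code and does not replace the proofs in the full version. The function names, the grid size and the sampling range \((0,50)\) for \(x>0\) are assumptions of this sketch.

```python
import math

def phi1(x):      # Lemma 42
    return x * math.expm1(x) / (math.exp(x) - x)

def phi2(x):      # Lemma 46
    return x * math.expm1(x) / (math.expm1(x) - x)

def ratio47(x):   # Lemma 47, computed in log space for stability near 0 and 1
    return math.exp((1 - x) * math.log(math.e - 1)
                    - x * math.log(x) - (1 - x) * math.log(1 - x))

def ratio48(x):   # Lemma 48
    return math.exp(-(2 * x - 1) * math.log(2 * x - 1)
                    - 2 * (1 - x) * math.log(1 - x) - (1 - x) * math.log(2))

def gamma50(x):   # Lemma 50: returns (z, gamma)
    y = math.expm1(x) - x
    z = 1 / (x + x * x / y)
    log_gamma = (z * math.log(y) - math.log(x)
                 - z * math.log(z) - (1 - z) * math.log1p(-z))
    return z, math.exp(log_gamma)

def grid(lo, hi, n=20000):
    """n points strictly inside the open interval (lo, hi)."""
    return [lo + (hi - lo) * k / (n + 1) for k in range(1, n + 1)]

def increasing(f, xs):
    vals = [f(x) for x in xs]
    return all(a < b for a, b in zip(vals, vals[1:]))

def check_lemmas():
    pos = grid(0.0, 50.0)                  # assumed sampling range for x > 0
    x47 = max(grid(0.0, 1.0), key=ratio47)
    x48 = max(grid(0.5, 1.0), key=ratio48)
    zs, gammas = zip(*(gamma50(x) for x in pos))
    return {
        "phi1_increasing": increasing(phi1, pos),
        "phi2_increasing": increasing(phi2, pos),
        "phi2_min": min(phi2(x) for x in pos),
        "argmax47": x47, "max47": ratio47(x47),
        "argmax48": x48, "max48": ratio48(x48),
        "z_range": (min(zs), max(zs)),
        "gamma_max": max(gammas),
    }

if __name__ == "__main__":
    for name, value in check_lemmas().items():
        print(f"{name}: {value}")
```

Evaluating `gamma50(1.0)` gives \(e-1\) up to rounding, so the bound in Lemma 50 is attained at \(x=1\); the maximum in Lemma 48 is located at \(x=1/\sqrt{2}\).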
© 2019 International Association for Cryptologic Research
Cite this paper
Bernstein, D.J., Hülsing, A. (2019). Decisional Second-Preimage Resistance: When Does SPR Imply PRE?. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science, vol 11923. Springer, Cham. https://doi.org/10.1007/978-3-030-34618-8_2
DOI: https://doi.org/10.1007/978-3-030-34618-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34617-1
Online ISBN: 978-3-030-34618-8
eBook Packages: Computer Science, Computer Science (R0)